CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-07 01:32:47 +01:00
Code Issues Packages Projects Releases Wiki Activity

rework so-firewall to work with pillar files

Browse Source
This commit is contained in:
m0duspwnens
2023-05-01 16:49:06 -04:00
parent 9a4ae2b832
commit 1f6463a9bb
4 changed files with 142 additions and 94 deletions
Download Patch File Download Diff File Expand all files Collapse all files

224
salt/common/tools/sbin/so-firewall
View File

@@ -1,104 +1,148 @@
#!/usr/bin/bash #!/usr/bin/env python3
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one # Copyright 2014-2023 Security Onion Solutions, LLC
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at #
# https://securityonion.net/license; you may not use this file except in compliance with the # This program is free software: you can redistribute it and/or modify
# Elastic License 2.0. # it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common import os
import re
import subprocess
import sys
import time
import yaml
if [[ $# -lt 1 ]]; then lockFile = "/tmp/so-firewall.lock"
echo "Usage: $0 --role=<ROLE> --ip=<IP ADDRESS> --apply=<true|false>" hostgroupsFilename = "/opt/so/saltstack/local/pillar/firewall/soc_firewall.sls"
echo "" defaultsFilename = "/opt/so/saltstack/default/salt/firewall/defaults.yaml"
echo " Example: so-firewall --role=sensor --ip=192.168.254.100 --apply=true"
echo ""
exit 1
fi
for i in "$@"; do def showUsage(options, args):
case $i in print('Usage: {} [OPTIONS] <COMMAND> [ARGS...]'.format(sys.argv[0]))
-r=*|--role=*) print(' Options:')
ROLE="${i#*=}" print(' --apply - After updating the firewall configuration files, apply the new firewall state')
shift print('')
;; print(' General commands:')
-i=*|--ip=*) print(' help - Prints this usage information.')
IP="${i#*=}" print(' apply - Apply the firewall state.')
shift print('')
;; print(' Host commands:')
-a=*|--apply*) print(' includehost - Includes the given IP in the given group. Args: <GROUP_NAME> <IP>')
APPLY="${i#*=}" print(' addhostgroup - Adds a new, custom host group. Args: <GROUP_NAME>')
shift print('')
;; print(' Where:')
-*|--*) print(' GROUP_NAME - The name of an alias group (Ex: analyst)')
echo "Unknown option $i" print(' IP - Either a single IP address (Ex: 8.8.8.8) or a CIDR block (Ex: 10.23.0.0/16).')
exit 1 sys.exit(1)
;;
*)
;;
esac
done
ROLE=${ROLE,,} def checkApplyOption(options):
APPLY=${APPLY,,} if "--apply" in options:
return apply(None, None)
function rolecall() { def loadYaml(filename):
THEROLE=$1 file = open(filename, "r")
THEROLES="analyst analyst_workstations beats_endpoint beats_endpoint_ssl elastic_agent_endpoint elasticsearch_rest endgame eval fleet heavynodes idh manager managersearch receivers searchnodes sensors standalone strelka_frontend syslog" content = file.read()
return yaml.safe_load(content)
for AROLE in $THEROLES; do def writeYaml(filename, content):
if [ "$AROLE" = "$THEROLE" ]; then file = open(filename, "w")
return 0 return yaml.dump(content, file)
fi
done
return 1
}
# Make sure the required options are specified def addIp(name, ip):
if [ -z "$ROLE" ]; then content = loadYaml(hostgroupsFilename)
echo "Please specify a role with --role=" defaults = loadYaml(defaultsFilename)
exit 1 allowedHostgroups = defaults['firewall']['hostgroups']
fi unallowedHostgroups = ['anywhere', 'dockernet', 'localhost', 'self']
if [ -z "$IP" ]; then for hg in unallowedHostgroups:
echo "Please specify an IP address with --ip=" allowedHostgroups.pop(hg)
exit 1 if not content:
fi content = {'firewall': {'hostgroups': {name: []}}}
if name in allowedHostgroups:
if name not in content['firewall']['hostgroups']:
hostgroup = content['firewall']['hostgroups'].update({name: [ip]})
else:
hostgroup = content['firewall']['hostgroups'][name]
else:
print('Host group not defined in salt/firewall/defaults.yaml or hostgroup name is unallowed.', file=sys.stderr)
return 4
ips = hostgroup
if ips is None:
ips = []
hostgroup = ips
if ip not in ips:
ips.append(ip)
else:
print('Already exists', file=sys.stderr)
return 3
writeYaml(hostgroupsFilename, content)
return 0
# Are we dealing with a role that this script supports? def includehost(options, args):
if rolecall "$ROLE"; then if len(args) != 2:
echo "$ROLE is a supported role" print('Missing host group name or ip argument', file=sys.stderr)
else showUsage(options, args)
echo "This is not a supported role" result = addIp(args[0], args[1])
exit 1 code = result
fi if code == 0:
code = checkApplyOption(options)
return code
# Are we dealing with an IP? def apply(options, args):
if verify_ip4 "$IP"; then proc = subprocess.run(['salt-call', 'state.apply', 'firewall', 'queue=True'])
echo "$IP is a valid IP or CIDR" return proc.returncode
else
echo "$IP is not a valid IP or CIDR"
exit 1
fi
local_salt_dir=/opt/so/saltstack/local/salt/firewall def main():
options = []
args = sys.argv[1:]
for option in args:
if option.startswith("--"):
options.append(option)
args.remove(option)
# Let's see if the file exists and if it does, let's see if the IP exists. if len(args) == 0:
if [ -f "$local_salt_dir/hostgroups/$ROLE" ]; then showUsage(options, None)
if grep -q $IP "$local_salt_dir/hostgroups/$ROLE"; then
echo "Host already exists"
exit 0
fi
fi
# If you have reached this part of your quest then let's add the IP commands = {
echo "Adding $IP to the $ROLE role" "help": showUsage,
echo "$IP" >> $local_salt_dir/hostgroups/$ROLE "includehost": includehost,
"apply": apply
}
# Check to see if we are applying this right away. code=1
if [ "$APPLY" = "true" ]; then
echo "Applying the firewall rules" try:
salt-call state.apply firewall queue=True lockAttempts = 0
echo "Firewall rules have been applied... Review logs further if there were errors." maxAttempts = 30
echo "" while lockAttempts < maxAttempts:
else lockAttempts = lockAttempts + 1
echo "Firewall rules will be applied next salt run" try:
fi f = open(lockFile, "x")
f.close()
break
except:
time.sleep(2)
if lockAttempts == maxAttempts:
print("Lock file (" + lockFile + ") could not be created; proceeding without lock.")
cmd = commands.get(args[0], showUsage)
code = cmd(options, args[1:])
finally:
try:
os.remove(lockFile)
except:
print("Lock file (" + lockFile + ") already removed")
sys.exit(code)
if __name__ == "__main__":
main()

2
salt/firewall/defaults.yaml
View File

@@ -13,9 +13,11 @@ firewall:
fleet: [] fleet: []
heavynodes: [] heavynodes: []
idh: [] idh: []
import: []
localhost: localhost:
- 127.0.0.1 - 127.0.0.1
manager: [] manager: []
managersearch: []
receivers: [] receivers: []
searchnodes: [] searchnodes: []
securityonion_desktops: [] securityonion_desktops: []

2
salt/firewall/soc_firewall.yaml
View File

@@ -33,8 +33,10 @@ firewall:
fleet: *hostgroupsettings fleet: *hostgroupsettings
heavynodes: *hostgroupsettings heavynodes: *hostgroupsettings
idh: *hostgroupsettings idh: *hostgroupsettings
import: *hostgroupsettings
localhost: *ROhostgroupsettingsadv localhost: *ROhostgroupsettingsadv
manager: *hostgroupsettings manager: *hostgroupsettings
managersearch: *hostgroupsettings
receivers: *hostgroupsettings receivers: *hostgroupsettings
searchnodes: *hostgroupsettings searchnodes: *hostgroupsettings
securityonion_desktops: *hostgroupsettings securityonion_desktops: *hostgroupsettings

8
setup/so-functions
View File

@@ -2291,18 +2291,18 @@ set_initial_firewall_policy() {
case "$install_type" in case "$install_type" in
'EVAL' | 'MANAGER' | 'MANAGERSEARCH' | 'STANDALONE' | 'IMPORT') 'EVAL' | 'MANAGER' | 'MANAGERSEARCH' | 'STANDALONE' | 'IMPORT')
$default_salt_dir/salt/common/tools/sbin/so-firewall --role=$install_type --ip=$MAINIP --apply=true $default_salt_dir/salt/common/tools/sbin/so-firewall includehost $minion_type $MAINIP --apply
;; ;;
esac esac
} }
set_initial_firewall_access() { set_initial_firewall_access() {
if [[ ! -z "$ALLOW_CIDR" ]]; then if [[ ! -z "$ALLOW_CIDR" ]]; then
$default_salt_dir/salt/common/tools/sbin/so-firewall --role=analyst --ip=$ALLOW_CIDR --apply=true $default_salt_dir/salt/common/tools/sbin/so-firewall includehost analyst $ALLOW_CIDR --apply
fi fi
if [[ ! -z "$MINION_CIDR" ]]; then if [[ ! -z "$MINION_CIDR" ]]; then
$default_salt_dir/salt/common/tools/sbin/so-firewall --role=sensors --ip=$MINION_CIDR --apply=false $default_salt_dir/salt/common/tools/sbin/so-firewall includehost sensors $MINION_CIDR
$default_salt_dir/salt/common/tools/sbin/so-firewall --role=searchnodes --ip=$MINION_CIDR --apply=true $default_salt_dir/salt/common/tools/sbin/so-firewall includehost searchnodes $MINION_CIDR --apply
fi fi
} }