Merge pull request #9717 from Security-Onion-Solutions/2.4/firewall

2.4/firewall

salt/_modules/so.py

@@ -5,6 +5,8 @@ import logging
 def status():
     return __salt__['cmd.run']('/usr/sbin/so-status')
 
+def version():
+    return __salt__['cp.get_file_str']('/etc/soversion')
 
 def mysql_conn(retry):
     log = logging.getLogger(__name__)
@@ -61,4 +63,4 @@ def mysql_conn(retry):
         for addr in ip_arr:
             log.debug(f'  - {addr}')
 
-    return mysql_up
+    return mysql_up

salt/common/tools/sbin/so-firewall

@@ -43,7 +43,7 @@ APPLY=${APPLY,,}
 
 function rolecall() {
 	THEROLE=$1
-	THEROLES="analyst analyst_workstations beats_endpoint beats_endpoint_ssl elastic_agent_endpoint elasticsearch_rest endgame eval heavynodes idh manager receivers searchnodes sensors standalone strelka_frontend syslog"
+	THEROLES="analyst analyst_workstations beats_endpoint beats_endpoint_ssl elastic_agent_endpoint elasticsearch_rest endgame eval heavynodes idh manager managersearch receivers searchnodes sensors standalone strelka_frontend syslog"
 
 	for AROLE in $THEROLES; do
 		if [ "$AROLE" = "$THEROLE" ]; then

salt/curator/init.sls

@@ -130,7 +130,7 @@ so-curator:
     - name: so-curator
     - user: curator
     - networks:
-      - sosbridge:
+      - sobridge:
         - ipv4_address: {{ DOCKER.containers['so-curator'].ip }}
     - interactive: True
     - tty: True

salt/docker/defaults.yaml

@@ -1,8 +1,8 @@
 docker:
   bip: '172.17.0.1'
   range: '172.17.0.0/24'
-  sosrange: '172.17.1.0/24'
+  sorange: '172.17.1.0/24'
-  sosbip: '172.17.1.1'
+  sobip: '172.17.1.1'
   containers:
     'so-dockerregistry':
       final_octet: 20

salt/docker/docker.map.jinja

@@ -1,6 +1,6 @@
 {% import_yaml 'docker/defaults.yaml' as DOCKERDEFAULTS %}
 {% set DOCKER = salt['pillar.get']('docker', DOCKERDEFAULTS.docker, merge=True) %}
-{% set RANGESPLIT = DOCKER.sosrange.split('.') %}
+{% set RANGESPLIT = DOCKER.sorange.split('.') %}
 {% set FIRSTTHREE = RANGESPLIT[0] ~ '.' ~ RANGESPLIT[1] ~ '.' ~ RANGESPLIT[2] ~ '.' %}
 
 {% for container, vals in DOCKER.containers.items() %}

salt/docker/init.sls

@@ -79,13 +79,13 @@ dockerreserveports:
 
 sos_docker_net:
   docker_network.present:
-    - name: sosbridge
+    - name: sobridge
-    - subnet: {{ DOCKER.sosrange }}
+    - subnet: {{ DOCKER.sorange }}
-    - gateway: {{ DOCKER.sosbip }}
+    - gateway: {{ DOCKER.sobip }}
     - options:
-        com.docker.network.bridge.name: 'sosbridge'
+        com.docker.network.bridge.name: 'sobridge'
         com.docker.network.driver.mtu: '1500'
         com.docker.network.bridge.enable_ip_masquerade: 'true'
         com.docker.network.bridge.enable_icc: 'true'
         com.docker.network.bridge.host_binding_ipv4: '0.0.0.0'
-    - unless: 'docker network ls | grep sosbridge'
+    - unless: 'docker network ls | grep sobridge'

salt/elastalert/init.sls

@@ -88,7 +88,7 @@ so-elastalert:
     - name: so-elastalert
     - user: so-elastalert
     - networks:
-      - sosbridge:
+      - sobridge:
         - ipv4_address: {{ DOCKER.containers['so-elastalert'].ip }}
     - detach: True
     - binds:

salt/elastic-fleet-package-registry/init.sls

@@ -29,7 +29,7 @@ so-elastic-fleet-package-registry:
     - detach: True
     - user: 948
     - networks:
-      - sosbridge:
+      - sobridge:
         - ipv4_address: {{ DOCKER.containers['so-elastic-fleet-package-registry'].ip }}
     - extra_hosts:
         - {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}

salt/elastic-fleet/init.sls

@@ -49,7 +49,7 @@ so-elastic-fleet:
     - detach: True
     - user: 947
     - networks:
-      - sosbridge:
+      - sobridge:
         - ipv4_address: {{ DOCKER.containers['so-elastic-fleet'].ip }}
     - extra_hosts:
         - {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}

salt/elasticsearch/init.sls

@@ -291,7 +291,7 @@ so-elasticsearch:
     - name: so-elasticsearch
     - user: elasticsearch
     - networks:
-      - sosbridge:
+      - sobridge:
         - ipv4_address: {{ DOCKER.containers['so-elasticsearch'].ip }}
     - extra_hosts:  {{ LOGSTASH_NODES }}
     - environment:

salt/filebeat/init.sls

@@ -99,7 +99,7 @@ so-filebeat:
     - hostname: so-filebeat
     - user: root
     - networks:
-      - sosbridge:
+      - sobridge:
         - ipv4_address: {{ DOCKER.containers['so-filebeat'].ip }}
     - extra_hosts: {{ FILEBEAT_EXTRA_HOSTS }}
     - binds:

salt/firewall/assigned_hostgroups.map.yaml

@@ -164,7 +164,7 @@ role:
     chain:
       DOCKER-USER:
         hostgroups:
-          manager:
+          managersearch:
             portgroups:
               - {{ portgroups.playbook }}
               - {{ portgroups.mysql }}

salt/firewall/hostgroups.yaml

@@ -10,7 +10,7 @@ firewall:
       ips:
         delete:
         insert:
-          - {{ DOCKER.sosrange }}
+          - {{ DOCKER.sorange }}
     localhost:
       ips:
         delete:

salt/firewall/iptables.jinja

@@ -33,11 +33,11 @@
 {%-         endif %}
 {%-         do PR.append("-A POSTROUTING -s " ~ DOCKER.containers[container].ip ~ "/32 -d " ~ DOCKER.containers[container].ip ~ "/32 -p " ~  proto ~ " -m " ~ proto  ~ " --dport " ~ containerPort ~ " -j MASQUERADE") %}
 {%-         if bindip | length and bindip != '0.0.0.0' %}
-{%-           do D1.append("-A DOCKER -d " ~ bindip ~ "/32 ! -i sosbridge -p " ~ proto ~ " -m " ~ proto ~ " --dport " ~ hostPort ~ " -j DNAT --to-destination " ~ DOCKER.containers[container].ip ~ ":" ~ containerPort) %}
+{%-           do D1.append("-A DOCKER -d " ~ bindip ~ "/32 ! -i sobridge -p " ~ proto ~ " -m " ~ proto ~ " --dport " ~ hostPort ~ " -j DNAT --to-destination " ~ DOCKER.containers[container].ip ~ ":" ~ containerPort) %}
 {%-         else %}
-{%-           do D1.append("-A DOCKER ! -i sosbridge -p " ~ proto ~ " -m " ~ proto ~ " --dport " ~ hostPort ~ " -j DNAT --to-destination " ~ DOCKER.containers[container].ip ~ ":" ~ containerPort) %}
+{%-           do D1.append("-A DOCKER ! -i sobridge -p " ~ proto ~ " -m " ~ proto ~ " --dport " ~ hostPort ~ " -j DNAT --to-destination " ~ DOCKER.containers[container].ip ~ ":" ~ containerPort) %}
 {%-         endif %}
-{%-         do D2.append("-A DOCKER -d " ~ DOCKER.containers[container].ip ~ "/32 ! -i sosbridge -o sosbridge -p " ~ proto ~ " -m " ~ proto ~ " --dport " ~ containerPort ~ " -j ACCEPT") %}
+{%-         do D2.append("-A DOCKER -d " ~ DOCKER.containers[container].ip ~ "/32 ! -i sobridge -o sobridge -p " ~ proto ~ " -m " ~ proto ~ " --dport " ~ containerPort ~ " -j ACCEPT") %}
 {%-     endfor %}
 {%-   endif %}
 {%- endfor %}
@@ -50,11 +50,11 @@
 :DOCKER - [0:0]
 -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
 -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
--A POSTROUTING -s {{DOCKER.sosrange}} ! -o sosbridge -j MASQUERADE
+-A POSTROUTING -s {{DOCKER.sorange}} ! -o sobridge -j MASQUERADE
 {%- for rule in PR %}
 {{ rule }}
 {%- endfor %}
--A DOCKER -i sosbridge -j RETURN
+-A DOCKER -i sobridge -j RETURN
 {%- for rule in D1 %}
 {{ rule }}
 {%- endfor %}
@@ -98,10 +98,10 @@ COMMIT
 -A INPUT -j LOGGING
 -A FORWARD -j DOCKER-USER
 -A FORWARD -j DOCKER-ISOLATION-STAGE-1
--A FORWARD -o sosbridge -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A FORWARD -o sobridge -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
--A FORWARD -o sosbridge -j DOCKER
+-A FORWARD -o sobridge -j DOCKER
--A FORWARD -i sosbridge ! -o sosbridge -j ACCEPT
+-A FORWARD -i sobridge ! -o sobridge -j ACCEPT
--A FORWARD -i sosbridge -o sosbridge -j ACCEPT
+-A FORWARD -i sobridge -o sobridge -j ACCEPT
 -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A FORWARD -i lo -j ACCEPT
 -A FORWARD -m conntrack --ctstate INVALID -j DROP
@@ -113,12 +113,12 @@ COMMIT
 {{ rule }}
 {%- endfor %}
 
--A DOCKER-ISOLATION-STAGE-1 -i sosbridge ! -o sosbridge -j DOCKER-ISOLATION-STAGE-2
+-A DOCKER-ISOLATION-STAGE-1 -i sobridge ! -o sobridge -j DOCKER-ISOLATION-STAGE-2
 -A DOCKER-ISOLATION-STAGE-1 -j RETURN
--A DOCKER-ISOLATION-STAGE-2 -o sosbridge -j DROP
+-A DOCKER-ISOLATION-STAGE-2 -o sobridge -j DROP
 -A DOCKER-ISOLATION-STAGE-2 -j RETURN
--A DOCKER-USER ! -i sosbridge -o sosbridge -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A DOCKER-USER ! -i sobridge -o sobridge -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
--A DOCKER-USER ! -i sosbridge -o sosbridge -j LOGGING
+-A DOCKER-USER ! -i sobridge -o sobridge -j LOGGING
 -A DOCKER-USER -j RETURN
 -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables-dropped: "
 -A LOGGING -j DROP

salt/firewall/map.jinja

@@ -22,6 +22,7 @@
          'heavynodes',
          'idh',
          'manager',
+         'managersearch',
          'receivers',
          'searchnodes',
          'sensors',

salt/grafana/init.sls

@@ -126,7 +126,7 @@ so-grafana:
     - hostname: grafana
     - user: socore
     - networks:
-      - sosbridge:
+      - sobridge:
         - ipv4_address: {{ DOCKER.containers['so-grafana'].ip }}
     - extra_hosts:
       - {{GLOBALS.influxdb_host}}:{{pillar.node_data[GLOBALS.influxdb_host].ip}}

salt/idstools/init.sls

@@ -33,7 +33,7 @@ so-idstools:
     - hostname: so-idstools
     - user: socore
     - networks:
-      - sosbridge:
+      - sobridge:
         - ipv4_address: {{ DOCKER.containers['so-idstools'].ip }}
     {% if proxy %}
     - environment:

salt/influxdb/init.sls

@@ -49,7 +49,7 @@ so-influxdb:
     - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-influxdb:{{ GLOBALS.so_version }}
     - hostname: influxdb
     - networks:
-      - sosbridge:
+      - sobridge:
         - ipv4_address: {{ DOCKER.containers['so-influxdb'].ip }}
     - environment:
       - INFLUXDB_HTTP_LOG_ENABLED=false

salt/kibana/init.sls

@@ -83,7 +83,7 @@ so-kibana:
     - hostname: kibana
     - user: kibana
     - networks:
-      - sosbridge:
+      - sobridge:
         - ipv4_address: {{ DOCKER.containers['so-kibana'].ip }}
     - environment:
       - ELASTICSEARCH_HOST={{ GLOBALS.manager }}

salt/kratos/init.sls

@@ -69,7 +69,7 @@ so-kratos:
     - hostname: kratos
     - name: so-kratos
     - networks:
-      - sosbridge:
+      - sobridge:
         - ipv4_address: {{ DOCKER.containers['so-kratos'].ip }}
     - binds:
       - /opt/so/conf/kratos/schema.json:/kratos-conf/schema.json:ro    

salt/logstash/init.sls

@@ -140,7 +140,7 @@ so-logstash:
     - hostname: so-logstash
     - name: so-logstash
     - networks:
-      - sosbridge:
+      - sobridge:
         - ipv4_address: {{ DOCKER.containers['so-logstash'].ip }}
     - user: logstash
     - extra_hosts: {{ REDIS_NODES }}

salt/mysql/init.sls

@@ -85,7 +85,7 @@ so-mysql:
     - hostname: so-mysql
     - user: socore
     - networks:
-      - sosbridge:
+      - sobridge:
         - ipv4_address: {{ DOCKER.containers['so-mysql'].ip }}
     - port_bindings:
       {% for BINDING in DOCKER.containers['so-mysql'].port_bindings %}

salt/nginx/init.sls

@@ -85,7 +85,7 @@ so-nginx:
     - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-nginx:{{ GLOBALS.so_version }}
     - hostname: so-nginx
     - networks:
-      - sosbridge:
+      - sobridge:
         - ipv4_address: {{ DOCKER.containers['so-nginx'].ip }}
     - binds:
       - /opt/so/conf/nginx/nginx.conf:/etc/nginx/nginx.conf:ro

salt/playbook/init.sls

@@ -18,7 +18,7 @@ create_playbookdbuser:
   mysql_user.present:
     - name: playbookdbuser
     - password: {{ PLAYBOOKPASS }}
-    - host: "{{ DOCKER.sosrange.split('/')[0] }}/255.255.255.0"
+    - host: "{{ DOCKER.sorange.split('/')[0] }}/255.255.255.0"
     - connection_host: {{ GLOBALS.manager_ip }}
     - connection_port: 3306
     - connection_user: root
@@ -27,7 +27,7 @@ create_playbookdbuser:
 query_playbookdbuser_grants:
   mysql_query.run:
     - database: playbook
-    - query:    "GRANT ALL ON playbook.* TO 'playbookdbuser'@'{{ DOCKER.sosrange.split('/')[0] }}/255.255.255.0';"
+    - query:    "GRANT ALL ON playbook.* TO 'playbookdbuser'@'{{ DOCKER.sorange.split('/')[0] }}/255.255.255.0';"
     - connection_host: {{ GLOBALS.manager_ip }}
     - connection_port: 3306
     - connection_user: root
@@ -81,7 +81,7 @@ so-playbook:
     - hostname: playbook
     - name: so-playbook
     - networks:
-      - sosbridge:
+      - sobridge:
         - ipv4_address: {{ DOCKER.containers['so-playbook'].ip }}
     - binds:
       - /opt/so/log/playbook:/playbook/log:rw

salt/redis/init.sls

@@ -47,7 +47,7 @@ so-redis:
     - hostname: so-redis
     - user: socore
     - networks:
-      - sosbridge:
+      - sobridge:
         - ipv4_address: {{ DOCKER.containers['so-redis'].ip }}
     - port_bindings:
       {% for BINDING in DOCKER.containers['so-redis'].port_bindings %}

salt/registry/init.sls

@@ -39,7 +39,7 @@ so-dockerregistry:
     - image: ghcr.io/security-onion-solutions/registry:latest
     - hostname: so-registry
     - networks:
-      - sosbridge:
+      - sobridge:
         - ipv4_address: {{ DOCKER.containers['so-dockerregistry'].ip }}
     - restart_policy: always
     - port_bindings:

salt/soc/defaults.map.jinja

@@ -19,7 +19,7 @@
 {%   do SOCDEFAULTS.soc.server.modules.influxdb.update({'hostUrl': 'https://' ~ GLOBALS.influxdb_host ~ ':8086'}) %}
 {% endif %}
 
-{% do SOCDEFAULTS.soc.server.modules.statickeyauth.update({'anonymousCidr': DOCKER.sosrange, 'apiKey': pillar.sensoroni.sensoronikey}) %}
+{% do SOCDEFAULTS.soc.server.modules.statickeyauth.update({'anonymousCidr': DOCKER.sorange, 'apiKey': pillar.sensoroni.sensoronikey}) %}
 
 {% do SOCDEFAULTS.soc.server.client.case.update({'analyzerNodeId': GLOBALS.minion_id}) %}
 

salt/soc/init.sls

@@ -97,7 +97,7 @@ so-soc:
     - hostname: soc
     - name: so-soc
     - networks:
-      - sosbridge:
+      - sobridge:
         - ipv4_address: {{ DOCKER.containers['so-soc'].ip }}
     - binds:
       - /nsm/soc/jobs:/opt/sensoroni/jobs:rw

salt/soctopus/init.sls

@@ -64,7 +64,7 @@ so-soctopus:
     - hostname: soctopus
     - name: so-soctopus
     - networks:
-      - sosbridge:
+      - sobridge:
         - ipv4_address: {{ DOCKER.containers['so-soctopus'].ip }}
     - binds:
       - /opt/so/conf/soctopus/SOCtopus.conf:/SOCtopus/SOCtopus.conf:ro

salt/strelka/init.sls

@@ -169,7 +169,7 @@ strelka_coordinator:
     - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-redis:{{ GLOBALS.so_version }}
     - name: so-strelka-coordinator
     - networks:
-      - sosbridge:
+      - sobridge:
         - ipv4_address: {{ DOCKER.containers['so-strelka-coordinator'].ip }}
     - entrypoint: redis-server --save "" --appendonly no
     - port_bindings:
@@ -187,7 +187,7 @@ strelka_gatekeeper:
     - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-redis:{{ GLOBALS.so_version }}
     - name: so-strelka-gatekeeper
     - networks:
-      - sosbridge:
+      - sobridge:
         - ipv4_address: {{ DOCKER.containers['so-strelka-gatekeeper'].ip }}
     - entrypoint: redis-server --save "" --appendonly no --maxmemory-policy allkeys-lru
     - port_bindings:
@@ -209,7 +209,7 @@ strelka_frontend:
     - privileged: True
     - name: so-strelka-frontend
     - networks:
-      - sosbridge:
+      - sobridge:
         - ipv4_address: {{ DOCKER.containers['so-strelka-frontend'].ip }}
     - command: strelka-frontend
     - port_bindings:
@@ -230,7 +230,7 @@ strelka_backend:
       - /opt/so/conf/strelka/rules/:/etc/yara/:ro
     - name: so-strelka-backend
     - networks:
-      - sosbridge:
+      - sobridge:
         - ipv4_address: {{ DOCKER.containers['so-strelka-backend'].ip }}
     - command: strelka-backend
     - restart_policy: on-failure
@@ -247,7 +247,7 @@ strelka_manager:
       - /opt/so/conf/strelka/manager/:/etc/strelka/:ro
     - name: so-strelka-manager
     - networks:
-      - sosbridge:
+      - sobridge:
         - ipv4_address: {{ DOCKER.containers['so-strelka-manager'].ip }}
     - command: strelka-manager
 
@@ -264,7 +264,7 @@ strelka_filestream:
       - /nsm/strelka:/nsm/strelka
     - name: so-strelka-filestream
     - networks:
-      - sosbridge:
+      - sobridge:
         - ipv4_address: {{ DOCKER.containers['so-strelka-filestream'].ip }}
     - command: strelka-filestream
 

salt/vars/managersearch.map.jinja

@@ -0,0 +1,15 @@
+{% from 'vars/elasticsearch.map.jinja' import ELASTICSEARCH_GLOBALS %}
+{% from 'vars/logstash.map.jinja' import LOGSTASH_GLOBALS %}
+
+{% set ROLE_GLOBALS = {} %}
+
+{% set MANAGERSEARCH_GLOBALS =
+   [
+     ELASTICSEARCH_GLOBALS,
+     LOGSTASH_GLOBALS
+   ]
+%}
+
+{% for sg in MANAGERSEARCH_GLOBALS %}
+{%   do salt['defaults.merge'](ROLE_GLOBALS, sg, merge_lists=False, in_place=True) %}
+{% endfor %}

salt/vars/searchnode.map.jinja

@@ -3,13 +3,13 @@
 
 {% set ROLE_GLOBALS = {} %}
 
-{% set STANDALONE_GLOBALS =
+{% set SEARCHNODE_GLOBALS =
    [
      ELASTICSEARCH_GLOBALS,
      LOGSTASH_GLOBALS
    ]
 %}
 
-{% for sg in STANDALONE_GLOBALS %}
+{% for sg in SEARCHNODE_GLOBALS %}
 {%   do salt['defaults.merge'](ROLE_GLOBALS, sg, merge_lists=False, in_place=True) %}
 {% endfor %}

setup/so-functions

@@ -1179,9 +1179,10 @@ firewall_generate_templates() {
    
 	logCmd "cp ../files/firewall/* /opt/so/saltstack/local/salt/firewall/"
 
-	for i in analyst beats_endpoint endgame sensor manager minion elastic_agent_endpoint search_node; do
+    # i think this can be commented out for 2.4
-		$default_salt_dir/salt/common/tools/sbin/so-firewall includehost "$i" 127.0.0.1
+	#for i in analyst beats_endpoint endgame sensors manager managersearch elastic_agent_endpoint searchnodes; do
-	done
+	#	$default_salt_dir/salt/common/tools/sbin/so-firewall --role="$i" --ip=127.0.0.1
+	#done
 
 }
 
@@ -1490,8 +1491,8 @@ docker_pillar() {
 	touch $adv_docker_pillar_file
 	printf '%s\n'\
 		"docker:"\
-		"  sosrange: '$DOCKERNET2/24'"\
+		"  sorange: '$DOCKERNET2/24'"\
-		"  sosbip: '$DOCKER2BIP'"\
+		"  sobip: '$DOCKER2BIP'"\
 		"  range: '$DOCKERNET/24'"\
 		"  bip: '$DOCKERBIP'" > $docker_pillar_file
 }