diff --git a/salt/firewall/hostgroups/analyst_workstations b/salt/firewall/hostgroups/analyst_workstation
similarity index 100%
rename from salt/firewall/hostgroups/analyst_workstations
rename to salt/firewall/hostgroups/analyst_workstation
diff --git a/salt/firewall/hostgroups/heavynodes b/salt/firewall/hostgroups/heavynode
similarity index 100%
rename from salt/firewall/hostgroups/heavynodes
rename to salt/firewall/hostgroups/heavynode
diff --git a/salt/firewall/hostgroups/receivers b/salt/firewall/hostgroups/receiver
similarity index 100%
rename from salt/firewall/hostgroups/receivers
rename to salt/firewall/hostgroups/receiver
diff --git a/salt/firewall/hostgroups/searchnodes b/salt/firewall/hostgroups/searchnode
similarity index 100%
rename from salt/firewall/hostgroups/searchnodes
rename to salt/firewall/hostgroups/searchnode
diff --git a/salt/firewall/portgroups/analyst b/salt/firewall/portgroups/analyst
deleted file mode 100644
index e69de29bb..000000000
diff --git a/salt/firewall/portgroups/analyst_workstations b/salt/firewall/portgroups/analyst_workstations
deleted file mode 100644
index e69de29bb..000000000
diff --git a/salt/firewall/portgroups/eval b/salt/firewall/portgroups/eval
deleted file mode 100644
index e69de29bb..000000000
diff --git a/salt/firewall/portgroups/heavynodes b/salt/firewall/portgroups/heavynodes
deleted file mode 100644
index e69de29bb..000000000
diff --git a/salt/firewall/portgroups/idh b/salt/firewall/portgroups/idh
deleted file mode 100644
index e69de29bb..000000000
diff --git a/salt/firewall/portgroups/manager b/salt/firewall/portgroups/manager
deleted file mode 100644
index e69de29bb..000000000
diff --git a/salt/firewall/portgroups/portgroups.yaml b/salt/firewall/portgroups/portgroups.yaml
new file mode 100644
index 000000000..490d74d36
--- /dev/null
+++ b/salt/firewall/portgroups/portgroups.yaml
@@ -0,0 +1,611 @@
+firewall:
+ portgroups:
+ role:
+ eval:
+ ports:
+ - playbook
+ - mysql
+ - kibana
+ - redis
+ - influxdb
+ - elasticsearch_rest
+ - elasticsearch_node
+ - docker_registry
+ - influxdb
+ - sensoroni
+ - beats_5044
+ - beats_5644
+ - redis
+ - syslog
+ - strelka_frontend
+ - nginx
+ INPUT:
+ hostgroups:
+ anywhere:
+ portgroups:
+ - ssh
+ dockernet:
+ portgroups:
+ - all
+ localhost:
+ portgroups:
+ - all
+ minion:
+ portgroups:
+ - salt_manager
+ manager:
+ chain:
+ DOCKER-USER:
+ hostgroups:
+ manager:
+ portgroups:
+ - wazuh_agent
+ - wazuh_api
+ - wazuh_authd
+ - playbook
+ - mysql
+ - kibana
+ - redis
+ - minio
+ - influxdb
+ - fleet_api
+ - cortex
+ - elasticsearch_rest
+ - elasticsearch_node
+ - cortex_es_rest
+ - cortex_es_node
+ minion:
+ portgroups:
+ - acng
+ - docker_registry
+ - osquery_8080
+ - influxdb
+ - wazuh_api
+ - fleet_api
+ - sensoroni
+ - yum
+ sensor:
+ portgroups:
+ - beats_5044
+ - beats_5644
+ search_node:
+ portgroups:
+ - redis
+ - minio
+ - elasticsearch_node
+ - beats_5644
+ heavy_node:
+ portgroups:
+ - redis
+ - minio
+ - elasticsearch_node
+ - beats_5644
+ self:
+ portgroups:
+ - syslog}}
+ syslog:
+ portgroups:
+ - syslog
+ beats_endpoint:
+ portgroups:
+ - beats_5044
+ beats_endpoint_ssl:
+ portgroups:
+ - beats_5644
+ elasticsearch_rest:
+ portgroups:
+ - elasticsearch_rest
+ endgame:
+ portgroups:
+ - endgame
+ osquery_endpoint:
+ portgroups:
+ - fleet_api
+ wazuh_agent:
+ portgroups:
+ - wazuh_agent
+ wazuh_api:
+ portgroups:
+ - wazuh_api
+ wazuh_authd:
+ portgroups:
+ - wazuh_authd
+ analyst:
+ portgroups:
+ - nginx
+ INPUT:
+ hostgroups:
+ anywhere:
+ portgroups:
+ - ssh
+ dockernet:
+ portgroups:
+ - all
+ localhost:
+ portgroups:
+ - all
+ minion:
+ portgroups:
+ - salt_manager
+ managersearch:
+ chain:
+ DOCKER-USER:
+ hostgroups:
+ manager:
+ portgroups:
+ - wazuh_agent
+ - wazuh_api
+ - wazuh_authd
+ - playbook
+ - mysql
+ - kibana
+ - redis
+ - minio
+ - influxdb
+ - fleet_api
+ - cortex
+ - elasticsearch_rest
+ - elasticsearch_node
+ - cortex_es_rest
+ - cortex_es_node
+ minion:
+ portgroups:
+ - acng
+ - docker_registry
+ - osquery_8080
+ - influxdb
+ - wazuh_api
+ - fleet_api
+ - sensoroni
+ - yum
+ sensor:
+ portgroups:
+ - beats_5044
+ - beats_5644
+ search_node:
+ portgroups:
+ - redis
+ - minio
+ - elasticsearch_node
+ heavy_node:
+ portgroups:
+ - redis
+ - minio
+ - elasticsearch_node
+ self:
+ portgroups:
+ - syslog}}
+ beats_endpoint:
+ portgroups:
+ - beats_5044
+ beats_endpoint_ssl:
+ portgroups:
+ - beats_5644
+ elasticsearch_rest:
+ portgroups:
+ - elasticsearch_rest
+ endgame:
+ portgroups:
+ - endgame
+ osquery_endpoint:
+ portgroups:
+ - fleet_api
+ syslog:
+ portgroups:
+ - syslog
+ wazuh_agent:
+ portgroups:
+ - wazuh_agent
+ wazuh_api:
+ portgroups:
+ - wazuh_api
+ wazuh_authd:
+ portgroups:
+ - wazuh_authd
+ analyst:
+ portgroups:
+ - nginx
+ INPUT:
+ hostgroups:
+ anywhere:
+ portgroups:
+ - ssh
+ dockernet:
+ portgroups:
+ - all
+ localhost:
+ portgroups:
+ - all
+ minion:
+ portgroups:
+ - salt_manager
+ standalone:
+ chain:
+ DOCKER-USER:
+ hostgroups:
+ manager:
+ portgroups:
+ - wazuh_agent
+ - wazuh_api
+ - wazuh_authd
+ - playbook
+ - mysql
+ - kibana
+ - redis
+ - minio
+ - influxdb
+ - fleet_api
+ - cortex
+ - elasticsearch_rest
+ - elasticsearch_node
+ - cortex_es_rest
+ - cortex_es_node
+ minion:
+ portgroups:
+ - acng
+ - docker_registry
+ - osquery_8080
+ - influxdb
+ - wazuh_api
+ - fleet_api
+ - sensoroni
+ - yum
+ sensor:
+ portgroups:
+ - beats_5044
+ - beats_5644
+ search_node:
+ portgroups:
+ - redis
+ - minio
+ - elasticsearch_node
+ heavy_node:
+ portgroups:
+ - redis
+ - minio
+ - elasticsearch_node
+ self:
+ portgroups:
+ - syslog}}
+ beats_endpoint:
+ portgroups:
+ - beats_5044
+ beats_endpoint_ssl:
+ portgroups:
+ - beats_5644
+ elasticsearch_rest:
+ portgroups:
+ - elasticsearch_rest
+ endgame:
+ portgroups:
+ - endgame
+ osquery_endpoint:
+ portgroups:
+ - fleet_api
+ strelka_frontend:
+ portgroups:
+ - strelka_frontend
+ syslog:
+ portgroups:
+ - syslog
+ wazuh_agent:
+ portgroups:
+ - wazuh_agent
+ wazuh_api:
+ portgroups:
+ - wazuh_api
+ wazuh_authd:
+ portgroups:
+ - wazuh_authd
+ analyst:
+ portgroups:
+ - nginx
+ INPUT:
+ hostgroups:
+ anywhere:
+ portgroups:
+ - ssh
+ dockernet:
+ portgroups:
+ - all
+ localhost:
+ portgroups:
+ - all
+ minion:
+ portgroups:
+ - salt_manager
+ helixsensor:
+ chain:
+ DOCKER-USER:
+ hostgroups:
+ manager:
+ portgroups:
+ - wazuh_agent
+ - playbook
+ - mysql
+ - kibana
+ - redis
+ - influxdb
+ - fleet_api
+ - cortex
+ - elasticsearch_rest
+ - elasticsearch_node
+ - cortex_es_rest
+ - cortex_es_node
+ minion:
+ portgroups:
+ - acng
+ - docker_registry
+ - osquery_8080
+ - influxdb
+ - wazuh_api
+ - sensoroni
+ sensor:
+ portgroups:
+ - beats_5044
+ - beats_5644
+ search_node:
+ portgroups:
+ - redis
+ - elasticsearch_node
+ self:
+ portgroups:
+ - syslog}}
+ beats_endpoint:
+ portgroups:
+ - beats_5044
+ osquery_endpoint:
+ portgroups:
+ - fleet_api
+ wazuh_agent:
+ portgroups:
+ - wazuh_agent
+ analyst:
+ portgroups:
+ - nginx
+ INPUT:
+ hostgroups:
+ anywhere:
+ portgroups:
+ - ssh
+ dockernet:
+ portgroups:
+ - all
+ localhost:
+ portgroups:
+ - all
+ minion:
+ portgroups:
+ - salt_manager
+ searchnode:
+ chain:
+ DOCKER-USER:
+ hostgroups:
+ manager:
+ portgroups:
+ - elasticsearch_node
+ - elasticsearch_rest
+ dockernet:
+ portgroups:
+ - elasticsearch_node
+ - elasticsearch_rest
+ elasticsearch_rest:
+ portgroups:
+ - elasticsearch_rest
+ search_node:
+ portgroups:
+ - elasticsearch_node
+ self:
+ portgroups:
+ - syslog}}
+ INPUT:
+ hostgroups:
+ anywhere:
+ portgroups:
+ - ssh
+ dockernet:
+ portgroups:
+ - all
+ localhost:
+ portgroups:
+ - all
+ sensor:
+ chain:
+ DOCKER-USER:
+ hostgroups:
+ self:
+ portgroups:
+ - syslog
+ strelka_frontend:
+ portgroups:
+ - strelka_frontend
+ INPUT:
+ hostgroups:
+ anywhere:
+ portgroups:
+ - ssh
+ dockernet:
+ portgroups:
+ - all
+ localhost:
+ portgroups:
+ - all
+ heavynode:
+ chain:
+ DOCKER-USER:
+ hostgroups:
+ manager:
+ portgroups:
+ - elasticsearch_node
+ - elasticsearch_rest
+ dockernet:
+ portgroups:
+ - elasticsearch_node
+ - elasticsearch_rest
+ elasticsearch_rest:
+ portgroups:
+ - elasticsearch_rest
+ self:
+ portgroups:
+ - syslog}}
+ strelka_frontend:
+ portgroups:
+ - strelka_frontend
+ INPUT:
+ hostgroups:
+ anywhere:
+ portgroups:
+ - ssh
+ dockernet:
+ portgroups:
+ - all
+ localhost:
+ portgroups:
+ - all
+ fleet:
+ chain:
+ DOCKER-USER:
+ hostgroups:
+ self:
+ portgroups:
+ - redis
+ - mysql
+ - osquery_8080
+ localhost:
+ portgroups:
+ - mysql
+ - osquery_8080
+ analyst:
+ portgroups:
+ - fleet_webui
+ minion:
+ portgroups:
+ - fleet_api
+ osquery_endpoint:
+ portgroups:
+ - fleet_api}}
+ INPUT:
+ hostgroups:
+ anywhere:
+ portgroups:
+ - ssh
+ dockernet:
+ portgroups:
+ - all
+ localhost:
+ portgroups:
+ - all
+ import:
+ chain:
+ DOCKER-USER:
+ hostgroups:
+ manager:
+ portgroups:
+ - kibana
+ - redis
+ - influxdb
+ - elasticsearch_rest
+ - elasticsearch_node
+ minion:
+ portgroups:
+ - docker_registry
+ - sensoroni
+ sensor:
+ portgroups:
+ - beats_5044
+ - beats_5644
+ search_node:
+ portgroups:
+ - redis
+ - elasticsearch_node
+ beats_endpoint:
+ portgroups:
+ - beats_5044
+ beats_endpoint_ssl:
+ portgroups:
+ - beats_5644
+ elasticsearch_rest:
+ portgroups:
+ - elasticsearch_rest
+ analyst:
+ portgroups:
+ - nginx
+ INPUT:
+ hostgroups:
+ anywhere:
+ portgroups:
+ - ssh
+ dockernet:
+ portgroups:
+ - all
+ localhost:
+ portgroups:
+ - all
+ minion:
+ portgroups:
+ - salt_manager
+
+ receiver:
+ chain:
+ DOCKER-USER:
+ hostgroups:
+ sensor:
+ portgroups:
+ - beats_5644
+ search_node:
+ portgroups:
+ - redis
+ - beats_5644
+ self:
+ portgroups:
+ - redis
+ - syslog}}
+ - beats_5644
+ syslog:
+ portgroups:
+ - syslog
+ beats_endpoint:
+ portgroups:
+ - beats_5044
+ beats_endpoint_ssl:
+ portgroups:
+ - beats_5644
+ endgame:
+ portgroups:
+ - endgame
+ wazuh_agent:
+ portgroups:
+ - wazuh_agent
+ wazuh_api:
+ portgroups:
+ - wazuh_api
+ wazuh_authd:
+ portgroups:
+ - wazuh_authd
+ INPUT:
+ hostgroups:
+ anywhere:
+ portgroups:
+ - ssh
+ dockernet:
+ portgroups:
+ - all
+ localhost:
+ portgroups:
+ - all
+ idh:
+ chain:
+ INPUT:
+ hostgroups:
+ anywhere:
+ portgroups:
+ - idh
+ dockernet:
+ portgroups:
+ - all
+ localhost:
+ portgroups:
+ - all
+ manager:
+ portgroups:
+ - ssh
\ No newline at end of file
diff --git a/salt/firewall/portgroups/receivers b/salt/firewall/portgroups/receivers
deleted file mode 100644
index e69de29bb..000000000
diff --git a/salt/firewall/portgroups/searchnodes b/salt/firewall/portgroups/searchnodes
deleted file mode 100644
index e69de29bb..000000000
diff --git a/salt/firewall/portgroups/sensors b/salt/firewall/portgroups/sensors
deleted file mode 100644
index e69de29bb..000000000
diff --git a/salt/firewall/portgroups/standalone b/salt/firewall/portgroups/standalone
deleted file mode 100644
index ea8f495f9..000000000
--- a/salt/firewall/portgroups/standalone
+++ /dev/null
@@ -1,19 +0,0 @@
-playbook
-mysql
-kibana
-redis
-influxdb
-elasticsearch_rest
-elasticsearch_node
-docker_registry
-yum
-sensoroni
-beats_5044
-beats_5644
-elastic_agent_control
-elastic_agent_data
-elasticsearch_rest
-endgame
-strelka_frontend
-syslog
-nginx
\ No newline at end of file
diff --git a/salt/firewall/soc_firewall.yaml b/salt/firewall/soc_firewall.yaml
index 02199bc79..923ce4dd9 100644
--- a/salt/firewall/soc_firewall.yaml
+++ b/salt/firewall/soc_firewall.yaml
@@ -1,15 +1,15 @@
 firewall:
 hostgroups:
- analyst_workstations:
+ analyst_workstation:
 description: List of IP Addresses or CIDR blocks to allow analyst workstations.
 file: True
 global: True
- title: Analyst Workstations
+ title: Analyst Workstation
 analyst:
 description: List of IP Addresses or CIDR blocks to allow analyst connections.
 file: True
 global: True
- title: Analysts
+ title: Analyst
 standalone:
 description: List of IP Addresses or CIDR blocks to allow standalone connections.
 file: True
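Review bot: The `self:` hostgroup entries carry a stray `}}` (`- syslog}}` in the manager, managersearch, standalone, helixsensor, searchnode, heavynode and receiver roles, and `- fleet_api}}` in the fleet role), so YAML will load the strings `syslog}}` and `fleet_api}}` rather than the `syslog` and `fleet_api` portgroup names. Unless the consumer strips those characters, the rule that allows the host's own syslog traffic (and the `osquery_endpoint` rule in fleet) will either be silently skipped or fail to resolve when the state renders; this looks like residue of a Jinja `{{ ... }}` expression from the conversion and should read `- syslog` and `- fleet_api`. Separately, `eval.ports` lists `influxdb` and `redis` twice, and eval is the only role keyed by `ports:` rather than `chain: DOCKER-USER: hostgroups:`, which is worth confirming against whatever renders this file. Indentation is not visible in this view, so the nesting above has been inferred from key order.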
@@ -26,7 +26,7 @@ firewall:
 description: List of IP Addresses or CIDR blocks to allow idh connections.
 file: True
 global: True
- title: IDH Nodes
+ title: IDHNode
 manager:
 description: List of IP Addresses or CIDR blocks to allow manager connections.
 file: True
@@ -37,22 +37,22 @@ firewall:
 description: List of IP Addresses or CIDR blocks to allow heavynode connections.
 file: True
 global: True
- title: Heavy Nodes
+ title: HeavyNode
 searchnodes:
 description: List of IP Addresses or CIDR blocks to allow searchnode connections.
 file: True
 global: True
- title: Search Nodes
+ title: SearchNode
 sensors:
 description: List of IP Addresses or CIDR blocks to allow Sensor connections.
 file: True
 global: True
- title: Sensors
+ title: Sensor
 receivers:
 description: List of IP Addresses or CIDR blocks to allow receiver connections.
 file: True
 global: True
- title: Receivers
+ title: Receiver
 portgroups:
 analyst:
 description: List of ports for use with Analyst connections.
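Review bot: The hostgroup keys in the `@@ -37,22` hunk stay plural (`searchnodes:`, `receivers:`) while this commit renames the hostgroup files to `salt/firewall/hostgroups/searchnode` and `salt/firewall/hostgroups/receiver` (and `heavynodes` to `heavynode`), whereas the `analyst_workstations` key in the first hunk was renamed to match its file. If the key is what selects the hostgroup file, the search node and receiver address lists (and the heavynode one, whose key sits above this hunk and is not visible here) will no longer be found and the corresponding allow rules will be missing after the change; either rename the keys the same way, `searchnode:` and `receiver:`, or revert the file renames. The new portgroups.yaml additionally refers to these hostgroups as `search_node` and `heavy_node`, a third spelling, so one naming convention should be settled before this merges. Only the titles change in this hunk, which suggests the key rename was overlooked rather than intended.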