CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-06 17:22:49 +01:00
Code Issues Packages Projects Releases Wiki Activity

Change Firewall Pillar Structure

Browse Source
This commit is contained in:
Mike Reeves
2022-09-20 13:20:16 -04:00
parent 678d5c5c9c
commit 27a9edbef7
16 changed files with 619 additions and 27 deletions
Download Patch File Download Diff File Expand all files Collapse all files

0
salt/firewall/hostgroups/analyst_workstations → salt/firewall/hostgroups/analyst_workstation
View File

0
salt/firewall/hostgroups/heavynodes → salt/firewall/hostgroups/heavynode
View File

0
salt/firewall/hostgroups/receivers → salt/firewall/hostgroups/receiver
View File

0
salt/firewall/hostgroups/searchnodes → salt/firewall/hostgroups/searchnode
View File

0
salt/firewall/portgroups/analyst
View File

0
salt/firewall/portgroups/analyst_workstations
View File

0
salt/firewall/portgroups/eval
View File

0
salt/firewall/portgroups/heavynodes
View File

0
salt/firewall/portgroups/idh
View File

0
salt/firewall/portgroups/manager
View File

611
salt/firewall/portgroups/portgroups.yaml Normal file
View File

@@ -0,0 +1,611 @@
firewall:
portgroups:
role:
eval:
ports:
- playbook
- mysql
- kibana
- redis
- influxdb
- elasticsearch_rest
- elasticsearch_node
- docker_registry
- influxdb
- sensoroni
- beats_5044
- beats_5644
- redis
- syslog
- strelka_frontend
- nginx
INPUT:
hostgroups:
anywhere:
portgroups:
- ssh
dockernet:
portgroups:
- all
localhost:
portgroups:
- all
minion:
portgroups:
- salt_manager
manager:
chain:
DOCKER-USER:
hostgroups:
manager:
portgroups:
- wazuh_agent
- wazuh_api
- wazuh_authd
- playbook
- mysql
- kibana
- redis
- minio
- influxdb
- fleet_api
- cortex
- elasticsearch_rest
- elasticsearch_node
- cortex_es_rest
- cortex_es_node
minion:
portgroups:
- acng
- docker_registry
- osquery_8080
- influxdb
- wazuh_api
- fleet_api
- sensoroni
- yum
sensor:
portgroups:
- beats_5044
- beats_5644
search_node:
portgroups:
- redis
- minio
- elasticsearch_node
- beats_5644
heavy_node:
portgroups:
- redis
- minio
- elasticsearch_node
- beats_5644
self:
portgroups:
- syslog}}
syslog:
portgroups:
- syslog
beats_endpoint:
portgroups:
- beats_5044
beats_endpoint_ssl:
portgroups:
- beats_5644
elasticsearch_rest:
portgroups:
- elasticsearch_rest
endgame:
portgroups:
- endgame
osquery_endpoint:
portgroups:
- fleet_api
wazuh_agent:
portgroups:
- wazuh_agent
wazuh_api:
portgroups:
- wazuh_api
wazuh_authd:
portgroups:
- wazuh_authd
analyst:
portgroups:
- nginx
INPUT:
hostgroups:
anywhere:
portgroups:
- ssh
dockernet:
portgroups:
- all
localhost:
portgroups:
- all
minion:
portgroups:
- salt_manager
managersearch:
chain:
DOCKER-USER:
hostgroups:
manager:
portgroups:
- wazuh_agent
- wazuh_api
- wazuh_authd
- playbook
- mysql
- kibana
- redis
- minio
- influxdb
- fleet_api
- cortex
- elasticsearch_rest
- elasticsearch_node
- cortex_es_rest
- cortex_es_node
minion:
portgroups:
- acng
- docker_registry
- osquery_8080
- influxdb
- wazuh_api
- fleet_api
- sensoroni
- yum
sensor:
portgroups:
- beats_5044
- beats_5644
search_node:
portgroups:
- redis
- minio
- elasticsearch_node
heavy_node:
portgroups:
- redis
- minio
- elasticsearch_node
self:
portgroups:
- syslog}}
beats_endpoint:
portgroups:
- beats_5044
beats_endpoint_ssl:
portgroups:
- beats_5644
elasticsearch_rest:
portgroups:
- elasticsearch_rest
endgame:
portgroups:
- endgame
osquery_endpoint:
portgroups:
- fleet_api
syslog:
portgroups:
- syslog
wazuh_agent:
portgroups:
- wazuh_agent
wazuh_api:
portgroups:
- wazuh_api
wazuh_authd:
portgroups:
- wazuh_authd
analyst:
portgroups:
- nginx
INPUT:
hostgroups:
anywhere:
portgroups:
- ssh
dockernet:
portgroups:
- all
localhost:
portgroups:
- all
minion:
portgroups:
- salt_manager
standalone:
chain:
DOCKER-USER:
hostgroups:
manager:
portgroups:
- wazuh_agent
- wazuh_api
- wazuh_authd
- playbook
- mysql
- kibana
- redis
- minio
- influxdb
- fleet_api
- cortex
- elasticsearch_rest
- elasticsearch_node
- cortex_es_rest
- cortex_es_node
minion:
portgroups:
- acng
- docker_registry
- osquery_8080
- influxdb
- wazuh_api
- fleet_api
- sensoroni
- yum
sensor:
portgroups:
- beats_5044
- beats_5644
search_node:
portgroups:
- redis
- minio
- elasticsearch_node
heavy_node:
portgroups:
- redis
- minio
- elasticsearch_node
self:
portgroups:
- syslog}}
beats_endpoint:
portgroups:
- beats_5044
beats_endpoint_ssl:
portgroups:
- beats_5644
elasticsearch_rest:
portgroups:
- elasticsearch_rest
endgame:
portgroups:
- endgame
osquery_endpoint:
portgroups:
- fleet_api
strelka_frontend:
portgroups:
- strelka_frontend
syslog:
portgroups:
- syslog
wazuh_agent:
portgroups:
- wazuh_agent
wazuh_api:
portgroups:
- wazuh_api
wazuh_authd:
portgroups:
- wazuh_authd
analyst:
portgroups:
- nginx
INPUT:
hostgroups:
anywhere:
portgroups:
- ssh
dockernet:
portgroups:
- all
localhost:
portgroups:
- all
minion:
portgroups:
- salt_manager
helixsensor:
chain:
DOCKER-USER:
hostgroups:
manager:
portgroups:
- wazuh_agent
- playbook
- mysql
- kibana
- redis
- influxdb
- fleet_api
- cortex
- elasticsearch_rest
- elasticsearch_node
- cortex_es_rest
- cortex_es_node
minion:
portgroups:
- acng
- docker_registry
- osquery_8080
- influxdb
- wazuh_api
- sensoroni
sensor:
portgroups:
- beats_5044
- beats_5644
search_node:
portgroups:
- redis
- elasticsearch_node
self:
portgroups:
- syslog}}
beats_endpoint:
portgroups:
- beats_5044
osquery_endpoint:
portgroups:
- fleet_api
wazuh_agent:
portgroups:
- wazuh_agent
analyst:
portgroups:
- nginx
INPUT:
hostgroups:
anywhere:
portgroups:
- ssh
dockernet:
portgroups:
- all
localhost:
portgroups:
- all
minion:
portgroups:
- salt_manager
searchnode:
chain:
DOCKER-USER:
hostgroups:
manager:
portgroups:
- elasticsearch_node
- elasticsearch_rest
dockernet:
portgroups:
- elasticsearch_node
- elasticsearch_rest
elasticsearch_rest:
portgroups:
- elasticsearch_rest
search_node:
portgroups:
- elasticsearch_node
self:
portgroups:
- syslog}}
INPUT:
hostgroups:
anywhere:
portgroups:
- ssh
dockernet:
portgroups:
- all
localhost:
portgroups:
- all
sensor:
chain:
DOCKER-USER:
hostgroups:
self:
portgroups:
- syslog
strelka_frontend:
portgroups:
- strelka_frontend
INPUT:
hostgroups:
anywhere:
portgroups:
- ssh
dockernet:
portgroups:
- all
localhost:
portgroups:
- all
heavynode:
chain:
DOCKER-USER:
hostgroups:
manager:
portgroups:
- elasticsearch_node
- elasticsearch_rest
dockernet:
portgroups:
- elasticsearch_node
- elasticsearch_rest
elasticsearch_rest:
portgroups:
- elasticsearch_rest
self:
portgroups:
- syslog}}
strelka_frontend:
portgroups:
- strelka_frontend
INPUT:
hostgroups:
anywhere:
portgroups:
- ssh
dockernet:
portgroups:
- all
localhost:
portgroups:
- all
fleet:
chain:
DOCKER-USER:
hostgroups:
self:
portgroups:
- redis
- mysql
- osquery_8080
localhost:
portgroups:
- mysql
- osquery_8080
analyst:
portgroups:
- fleet_webui
minion:
portgroups:
- fleet_api
osquery_endpoint:
portgroups:
- fleet_api}}
INPUT:
hostgroups:
anywhere:
portgroups:
- ssh
dockernet:
portgroups:
- all
localhost:
portgroups:
- all
import:
chain:
DOCKER-USER:
hostgroups:
manager:
portgroups:
- kibana
- redis
- influxdb
- elasticsearch_rest
- elasticsearch_node
minion:
portgroups:
- docker_registry
- sensoroni
sensor:
portgroups:
- beats_5044
- beats_5644
search_node:
portgroups:
- redis
- elasticsearch_node
beats_endpoint:
portgroups:
- beats_5044
beats_endpoint_ssl:
portgroups:
- beats_5644
elasticsearch_rest:
portgroups:
- elasticsearch_rest
analyst:
portgroups:
- nginx
INPUT:
hostgroups:
anywhere:
portgroups:
- ssh
dockernet:
portgroups:
- all
localhost:
portgroups:
- all
minion:
portgroups:
- salt_manager
receiver:
chain:
DOCKER-USER:
hostgroups:
sensor:
portgroups:
- beats_5644
search_node:
portgroups:
- redis
- beats_5644
self:
portgroups:
- redis
- syslog}}
- beats_5644
syslog:
portgroups:
- syslog
beats_endpoint:
portgroups:
- beats_5044
beats_endpoint_ssl:
portgroups:
- beats_5644
endgame:
portgroups:
- endgame
wazuh_agent:
portgroups:
- wazuh_agent
wazuh_api:
portgroups:
- wazuh_api
wazuh_authd:
portgroups:
- wazuh_authd
INPUT:
hostgroups:
anywhere:
portgroups:
- ssh
dockernet:
portgroups:
- all
localhost:
portgroups:
- all
idh:
chain:
INPUT:
hostgroups:
anywhere:
portgroups:
- idh
dockernet:
portgroups:
- all
localhost:
portgroups:
- all
manager:
portgroups:
- ssh

0
salt/firewall/portgroups/receivers
View File

0
salt/firewall/portgroups/searchnodes
View File

0
salt/firewall/portgroups/sensors
View File

19
salt/firewall/portgroups/standalone
View File

@@ -1,19 +0,0 @@
playbook
mysql
kibana
redis
influxdb
elasticsearch_rest
elasticsearch_node
docker_registry
yum
sensoroni
beats_5044
beats_5644
elastic_agent_control
elastic_agent_data
elasticsearch_rest
endgame
strelka_frontend
syslog
nginx

16
salt/firewall/soc_firewall.yaml
View File

@@ -1,15 +1,15 @@
firewall: firewall:
hostgroups: hostgroups:
analyst_workstations: analyst_workstation:
description: List of IP Addresses or CIDR blocks to allow analyst workstations. description: List of IP Addresses or CIDR blocks to allow analyst workstations.
file: True file: True
global: True global: True
title: Analyst Workstations title: Analyst Workstation
analyst: analyst:
description: List of IP Addresses or CIDR blocks to allow analyst connections. description: List of IP Addresses or CIDR blocks to allow analyst connections.
file: True file: True
global: True global: True
title: Analysts title: Analyst
standalone: standalone:
description: List of IP Addresses or CIDR blocks to allow standalone connections. description: List of IP Addresses or CIDR blocks to allow standalone connections.
file: True file: True
@@ -26,7 +26,7 @@ firewall:
description: List of IP Addresses or CIDR blocks to allow idh connections. description: List of IP Addresses or CIDR blocks to allow idh connections.
file: True file: True
global: True global: True
title: IDH Nodes title: IDHNode
manager: manager:
description: List of IP Addresses or CIDR blocks to allow manager connections. description: List of IP Addresses or CIDR blocks to allow manager connections.
file: True file: True
@@ -37,22 +37,22 @@ firewall:
description: List of IP Addresses or CIDR blocks to allow heavynode connections. description: List of IP Addresses or CIDR blocks to allow heavynode connections.
file: True file: True
global: True global: True
title: Heavy Nodes title: HeavyNode
searchnodes: searchnodes:
description: List of IP Addresses or CIDR blocks to allow searchnode connections. description: List of IP Addresses or CIDR blocks to allow searchnode connections.
file: True file: True
global: True global: True
title: Search Nodes title: SearchNode
sensors: sensors:
description: List of IP Addresses or CIDR blocks to allow Sensor connections. description: List of IP Addresses or CIDR blocks to allow Sensor connections.
file: True file: True
global: True global: True
title: Sensors title: Sensor
receivers: receivers:
description: List of IP Addresses or CIDR blocks to allow receiver connections. description: List of IP Addresses or CIDR blocks to allow receiver connections.
file: True file: True
global: True global: True
title: Receivers title: Receiver
portgroups: portgroups:
analyst: analyst:
description: List of ports for use with Analyst connections. description: List of ports for use with Analyst connections.