From 2995ae32bd300acfc5e9f4727a64cdace33811e8 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Thu, 22 Sep 2022 10:49:26 -0400
Subject: [PATCH] 2.4 fw changes

---
files/firewall/portgroups.local.yaml | 3 +-
salt/firewall/assigned_hostgroups.map.yaml | 40 +++---
salt/firewall/hostgroups/beats_endpoint | 0
salt/firewall/hostgroups/beats_endpoint_ssl | 0
.../hostgroups/elastic_agent_endpoint | 0
salt/firewall/hostgroups/elasticsearch_rest | 0
salt/firewall/hostgroups/endgame | 0
salt/firewall/hostgroups/minion | 0
salt/firewall/hostgroups/strelka_frontend | 0
salt/firewall/hostgroups/syslog | 0
salt/firewall/init.sls | 2 +-
salt/firewall/map.jinja | 33 ++++-
salt/firewall/portgroups.yaml | 116 ------------------
13 files changed, 52 insertions(+), 142 deletions(-)
create mode 100644 salt/firewall/hostgroups/beats_endpoint
create mode 100644 salt/firewall/hostgroups/beats_endpoint_ssl
create mode 100644 salt/firewall/hostgroups/elastic_agent_endpoint
create mode 100644 salt/firewall/hostgroups/elasticsearch_rest
create mode 100644 salt/firewall/hostgroups/endgame
create mode 100644 salt/firewall/hostgroups/minion
create mode 100644 salt/firewall/hostgroups/strelka_frontend
create mode 100644 salt/firewall/hostgroups/syslog
delete mode 100644 salt/firewall/portgroups.yaml

diff --git a/files/firewall/portgroups.local.yaml b/files/firewall/portgroups.local.yaml
index 300d2ecda..8b37ee951 100644
--- a/files/firewall/portgroups.local.yaml
+++ b/files/firewall/portgroups.local.yaml
@@ -1,3 +1,2 @@
 firewall:
- aliases:
- ports:
\ No newline at end of file
+ ports:
diff --git a/salt/firewall/assigned_hostgroups.map.yaml b/salt/firewall/assigned_hostgroups.map.yaml
index 7f8c01910..a25265c77 100644
--- a/salt/firewall/assigned_hostgroups.map.yaml
+++ b/salt/firewall/assigned_hostgroups.map.yaml
@@ -27,16 +27,16 @@ role:
 - {{ portgroups.docker_registry }}
 - {{ portgroups.influxdb }}
 - {{ portgroups.sensoroni }}
- sensor:
+ sensors:
 portgroups:
 - {{ portgroups.beats_5044 }}
 - {{ portgroups.beats_5644 }}
- search_node:
+ searchnodes:
 portgroups:
 - {{ portgroups.redis }}
 - {{ portgroups.minio }}
 - {{ portgroups.elasticsearch_node }}
- heavy_node:
+ heavynodes:
 portgroups:
 - {{ portgroups.redis }}
 - {{ portgroups.minio }}
@@ -109,17 +109,17 @@ role:
 {% if ISAIRGAP is sameas true %}
 - {{ portgroups.yum }}
 {% endif %}
- sensor:
+ sensors:
 portgroups:
 - {{ portgroups.beats_5044 }}
 - {{ portgroups.beats_5644 }}
- search_node:
+ searchnodes:
 portgroups:
 - {{ portgroups.redis }}
 - {{ portgroups.minio }}
 - {{ portgroups.elasticsearch_node }}
 - {{ portgroups.beats_5644 }}
- heavy_node:
+ heavynodes:
 portgroups:
 - {{ portgroups.redis }}
 - {{ portgroups.minio }}
@@ -184,16 +184,16 @@ role:
 - {{ portgroups.influxdb }}
 - {{ portgroups.sensoroni }}
 - {{ portgroups.yum }}
- sensor:
+ sensors:
 portgroups:
 - {{ portgroups.beats_5044 }}
 - {{ portgroups.beats_5644 }}
- search_node:
+ searchnodes:
 portgroups:
 - {{ portgroups.redis }}
 - {{ portgroups.minio }}
 - {{ portgroups.elasticsearch_node }}
- heavy_node:
+ heavynodes:
 portgroups:
 - {{ portgroups.redis }}
 - {{ portgroups.minio }}
@@ -260,17 +260,17 @@ role:
 - {{ portgroups.docker_registry }}
 - {{ portgroups.influxdb }}
 - {{ portgroups.sensoroni }}
- - {{ portgroups.yum }}
- sensor:
+ - {{ portgroups.yum }}
+ sensors:
 portgroups:
 - {{ portgroups.beats_5044 }}
 - {{ portgroups.beats_5644 }}
- search_node:
+ searchnodes:
 portgroups:
 - {{ portgroups.redis }}
 - {{ portgroups.minio }}
 - {{ portgroups.elasticsearch_node }}
- heavy_node:
+ heavynodes:
 portgroups:
 - {{ portgroups.redis }}
 - {{ portgroups.minio }}
@@ -339,11 +339,11 @@ role:
 - {{ portgroups.docker_registry }}
 - {{ portgroups.influxdb }}
 - {{ portgroups.sensoroni }}
- sensor:
+ sensors:
 portgroups:
 - {{ portgroups.beats_5044 }}
 - {{ portgroups.beats_5644 }}
- search_node:
+ searchnodes:
 portgroups:
 - {{ portgroups.redis }}
 - {{ portgroups.elasticsearch_node }}
@@ -386,7 +386,7 @@ role:
 portgroups:
 - {{ portgroups.elasticsearch_rest }}
 {% if TRUE_CLUSTER %}
- search_node:
+ searchnodes:
 portgroups:
 - {{ portgroups.elasticsearch_node }}
 {% endif %}
@@ -472,11 +472,11 @@ role:
 portgroups:
 - {{ portgroups.docker_registry }}
 - {{ portgroups.sensoroni }}
- sensor:
+ sensors:
 portgroups:
 - {{ portgroups.beats_5044 }}
 - {{ portgroups.beats_5644 }}
- search_node:
+ searchnodes:
 portgroups:
 - {{ portgroups.redis }}
 - {{ portgroups.elasticsearch_node }}
@@ -511,10 +511,10 @@ role:
 chain:
 DOCKER-USER:
 hostgroups:
- sensor:
+ sensors:
 portgroups:
 - {{ portgroups.beats_5644 }}
- search_node:
+ searchnodes:
 portgroups:
 - {{ portgroups.redis }}
 - {{ portgroups.beats_5644 }}
diff --git a/salt/firewall/hostgroups/beats_endpoint b/salt/firewall/hostgroups/beats_endpoint
new file mode 100644
index 000000000..e69de29bb
diff --git a/salt/firewall/hostgroups/beats_endpoint_ssl b/salt/firewall/hostgroups/beats_endpoint_ssl
new file mode 100644
index 000000000..e69de29bb
diff --git a/salt/firewall/hostgroups/elastic_agent_endpoint b/salt/firewall/hostgroups/elastic_agent_endpoint
new file mode 100644
index 000000000..e69de29bb
diff --git a/salt/firewall/hostgroups/elasticsearch_rest b/salt/firewall/hostgroups/elasticsearch_rest
new file mode 100644
index 000000000..e69de29bb
diff --git a/salt/firewall/hostgroups/endgame b/salt/firewall/hostgroups/endgame
new file mode 100644
index 000000000..e69de29bb
diff --git a/salt/firewall/hostgroups/minion b/salt/firewall/hostgroups/minion
new file mode 100644
index 000000000..e69de29bb
diff --git a/salt/firewall/hostgroups/strelka_frontend b/salt/firewall/hostgroups/strelka_frontend
new file mode 100644
index 000000000..e69de29bb
diff --git a/salt/firewall/hostgroups/syslog b/salt/firewall/hostgroups/syslog
new file mode 100644
index 000000000..e69de29bb
diff --git a/salt/firewall/init.sls b/salt/firewall/init.sls
index 1d6ba350f..42aad75c6 100644
--- a/salt/firewall/init.sls
+++ b/salt/firewall/init.sls
@@ -144,4 +144,4 @@ iptables_drop_all_the_things:
 test.fail_without_changes:
 - name: {{sls}}_state_not_allowed
-{% endif %}
\ No newline at end of file
+{% endif %}
diff --git a/salt/firewall/map.jinja b/salt/firewall/map.jinja
index 2c7d03225..45e2989e2 100644
--- a/salt/firewall/map.jinja
+++ b/salt/firewall/map.jinja
@@ -1,8 +1,8 @@
 {% set role = grains.id.split('_') | last %}
 {% set translated_pillar_assigned_hostgroups = {} %}
-{% import_yaml 'firewall/portgroups.yaml' as default_portgroups %}
-{% set default_portgroups = default_portgroups.firewall.aliases.ports %}
+{% import_yaml 'firewall/ports/ports.yaml' as default_portgroups %}
+{% set default_portgroups = default_portgroups.firewall.ports %}
 {% import_yaml 'firewall/portgroups.local.yaml' as local_portgroups %}
 {% if local_portgroups.firewall.aliases.ports %}
 {% set local_portgroups = local_portgroups.firewall.aliases.ports %}
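Review bot: The unchanged context lines at the end of this hunk, `{% if local_portgroups.firewall.aliases.ports %}` and `{% set local_portgroups = local_portgroups.firewall.aliases.ports %}`, still read the `aliases` level, while this same commit rewrites `files/firewall/portgroups.local.yaml` to `firewall:` / `ports:` with no `aliases:` key, so the override lookup now dereferences an attribute that the local file no longer has; as far as the lines shown go, that should raise an undefined-variable error when the template renders, and at best it means local port overrides are never merged. The two lines should follow the default lookup changed just above them: `{% if local_portgroups.firewall.ports %}` and `{% set local_portgroups = local_portgroups.firewall.ports %}`. The new default source `firewall/ports/ports.yaml` is not part of this patch, so whether it still provides the computed `ssh` and `idh_*` entries that the deleted `salt/firewall/portgroups.yaml` generated cannot be confirmed from here and is worth checking before merge.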
@@ -13,7 +13,34 @@
 {% set defined_portgroups = portgroups %}
 {% import_yaml 'firewall/hostgroups.yaml' as default_hostgroups %}
-{% import_yaml 'firewall/hostgroups.local.yaml' as local_hostgroups %}
+{#% import_yaml 'firewall/hostgroups.local.yaml' as local_hostgroups %#}
+{% set local_hostgroups = {'firewall': {'hostgroups': {}}} %}
+{% set hostgroup_list = [
+ 'analyst',
+ 'analyst_workstations',
+ 'eval',
+ 'heavynodes',
+ 'idh',
+ 'manager',
+ 'minion',
+ 'receivers',
+ 'searchnodes',
+ 'sensors',
+ 'standalone',
+ 'beats_endpoint',
+ 'beats_endpoint_ssl',
+ 'elasticsearch_rest',
+ 'elastic_agent_endpoint',
+ 'endgame',
+ 'strelka_frontend',
+ 'syslog'
+ ]
+%}
+{% for hg in hostgroup_list %}
+{% import_text 'firewall/hostgroups/' ~ hg as hg_ips %}
+{% do local_hostgroups.firewall.hostgroups.update({hg: {'ips': {'insert': hg_ips.split(), 'delete': []}}}) %}
+{% endfor %}
+
 {% set hostgroups = salt['defaults.merge'](default_hostgroups.firewall.hostgroups, local_hostgroups.firewall.hostgroups, in_place=False) %}
 {# This block translate the portgroups defined in the pillar to what is defined my portgroups.yaml and portgroups.local.yaml #}
diff --git a/salt/firewall/portgroups.yaml b/salt/firewall/portgroups.yaml
deleted file mode 100644
index a2780270d..000000000
--- a/salt/firewall/portgroups.yaml
+++ /dev/null
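Review bot: `hostgroup_list` names eighteen files under `firewall/hostgroups/`, but this commit creates only eight of them (`beats_endpoint`, `beats_endpoint_ssl`, `elastic_agent_endpoint`, `elasticsearch_rest`, `endgame`, `minion`, `strelka_frontend`, `syslog`); unless `analyst`, `analyst_workstations`, `eval`, `heavynodes`, `idh`, `manager`, `receivers`, `searchnodes`, `sensors` and `standalone` already exist in the tree, the `import_text` inside the loop will presumably fail the render for every role, so that set should be confirmed. The `hg_ips.split()` result goes into `ips.insert` with no filtering, so every whitespace-separated token in those files becomes a firewall allow entry and a `#` comment, hostname or typo reaches the iptables state unchecked; until a format check exists, a comment above the loop such as `{# each hostgroups/<name> file holds IPs or CIDRs separated by whitespace; the file is read verbatim with no comment handling or validation #}` would at least document that contract. The `hostgroups.local.yaml` import is kept as `{#% ... %#}` rather than deleted, and `'delete': []` is now a constant, so if that file carried `delete` entries they are silently no longer applied; removing the dead line and stating that the `delete` path is intentionally gone would make the behaviour change explicit.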
@@ -1,116 +0,0 @@
-{% if grains.role == 'so-idh' %}
- {% from 'idh/opencanary_config.map.jinja' import OPENCANARYCONFIG %}
- {% from 'idh/openssh/map.jinja' import openssh_map %}
- {% set idh_services = salt['pillar.get']('idh:services', []) %}
- {% set ssh_port = openssh_map.config.port %}
-{% else %}
- {% set ssh_port = 22 %}
-{% endif %}
-
-firewall:
- aliases:
- ports:
- all:
- tcp:
- - '0:65535'
- udp:
- - '0:65535'
- acng:
- tcp:
- - 3142
- agrules:
- tcp:
- - 7788
- beats_5044:
- tcp:
- - 5044
- beats_5644:
- tcp:
- - 5644
- beats_5066:
- tcp:
- - 5066
- cortex:
- tcp:
- - 9001
- cortex_es_node:
- tcp:
- - 9500
- cortex_es_rest:
- tcp:
- - 9400
- docker_registry:
- tcp:
- - 5000
- elasticsearch_node:
- tcp:
- - 9300
- elasticsearch_rest:
- tcp:
- - 9200
- elastic_agent_control:
- tcp:
- - 8220
- elastic_agent_data:
- tcp:
- - 5055
- endgame:
- tcp:
- - 3765
- influxdb:
- tcp:
- - 8086
- kibana:
- tcp:
- - 5601
- minio:
- tcp:
- - 9595
- mysql:
- tcp:
- - 3306
- nginx:
- tcp:
- - 80
- - 443
- playbook:
- tcp:
- - 3200
- redis:
- tcp:
- - 6379
- - 9696
- salt_manager:
- tcp:
- - 4505
- - 4506
- sensoroni:
- tcp:
- - 443
- ssh:
- tcp:
- - {{ ssh_port }}
- strelka_frontend:
- tcp:
- - 57314
- syslog:
- tcp:
- - 514
- udp:
- - 514
- yum:
- tcp:
- - 443
-
-{% if idh_services is defined %}
- {% for service in idh_services %}
- {% if service in ["smnp","ntp", "tftp"] %}
- {% set proto = 'udp' %}
- {% else %}
- {% set proto = 'tcp' %}
- {% endif %}
- idh_{{service}}:
- {{proto}}:
- - {{ OPENCANARYCONFIG[service~'.port'] }}
- {% endfor %}
-{% endif %}