2.4 fw changes

m0duspwnens
2022-09-22 10:49:26 -04:00
parent e35c77be62
commit 2995ae32bd
13 changed files with 52 additions and 142 deletions


@@ -1,3 +1,2 @@
firewall:
aliases:
ports:
ports:


@@ -27,16 +27,16 @@ role:
- {{ portgroups.docker_registry }}
- {{ portgroups.influxdb }}
- {{ portgroups.sensoroni }}
sensor:
sensors:
portgroups:
- {{ portgroups.beats_5044 }}
- {{ portgroups.beats_5644 }}
search_node:
searchnodes:
portgroups:
- {{ portgroups.redis }}
- {{ portgroups.minio }}
- {{ portgroups.elasticsearch_node }}
heavy_node:
heavynodes:
portgroups:
- {{ portgroups.redis }}
- {{ portgroups.minio }}
@@ -109,17 +109,17 @@ role:
{% if ISAIRGAP is sameas true %}
- {{ portgroups.yum }}
{% endif %}
sensor:
sensors:
portgroups:
- {{ portgroups.beats_5044 }}
- {{ portgroups.beats_5644 }}
search_node:
searchnodes:
portgroups:
- {{ portgroups.redis }}
- {{ portgroups.minio }}
- {{ portgroups.elasticsearch_node }}
- {{ portgroups.beats_5644 }}
heavy_node:
heavynodes:
portgroups:
- {{ portgroups.redis }}
- {{ portgroups.minio }}
@@ -184,16 +184,16 @@ role:
- {{ portgroups.influxdb }}
- {{ portgroups.sensoroni }}
- {{ portgroups.yum }}
sensor:
sensors:
portgroups:
- {{ portgroups.beats_5044 }}
- {{ portgroups.beats_5644 }}
search_node:
searchnodes:
portgroups:
- {{ portgroups.redis }}
- {{ portgroups.minio }}
- {{ portgroups.elasticsearch_node }}
heavy_node:
heavynodes:
portgroups:
- {{ portgroups.redis }}
- {{ portgroups.minio }}
@@ -260,17 +260,17 @@ role:
- {{ portgroups.docker_registry }}
- {{ portgroups.influxdb }}
- {{ portgroups.sensoroni }}
- {{ portgroups.yum }}
sensor:
- {{ portgroups.yum }}
sensors:
portgroups:
- {{ portgroups.beats_5044 }}
- {{ portgroups.beats_5644 }}
search_node:
searchnodes:
portgroups:
- {{ portgroups.redis }}
- {{ portgroups.minio }}
- {{ portgroups.elasticsearch_node }}
heavy_node:
heavynodes:
portgroups:
- {{ portgroups.redis }}
- {{ portgroups.minio }}
@@ -339,11 +339,11 @@ role:
- {{ portgroups.docker_registry }}
- {{ portgroups.influxdb }}
- {{ portgroups.sensoroni }}
sensor:
sensors:
portgroups:
- {{ portgroups.beats_5044 }}
- {{ portgroups.beats_5644 }}
search_node:
searchnodes:
portgroups:
- {{ portgroups.redis }}
- {{ portgroups.elasticsearch_node }}
@@ -386,7 +386,7 @@ role:
portgroups:
- {{ portgroups.elasticsearch_rest }}
{% if TRUE_CLUSTER %}
search_node:
searchnodes:
portgroups:
- {{ portgroups.elasticsearch_node }}
{% endif %}
@@ -472,11 +472,11 @@ role:
portgroups:
- {{ portgroups.docker_registry }}
- {{ portgroups.sensoroni }}
sensor:
sensors:
portgroups:
- {{ portgroups.beats_5044 }}
- {{ portgroups.beats_5644 }}
search_node:
searchnodes:
portgroups:
- {{ portgroups.redis }}
- {{ portgroups.elasticsearch_node }}
@@ -511,10 +511,10 @@ role:
chain:
DOCKER-USER:
hostgroups:
sensor:
sensors:
portgroups:
- {{ portgroups.beats_5644 }}
search_node:
searchnodes:
portgroups:
- {{ portgroups.redis }}
- {{ portgroups.beats_5644 }}
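Review bot: In the `@@ -260,17 +260,17 @@` hunk `- {{ portgroups.yum }}` is printed on both the old and the new side of the `sensor:` → `sensors:` rename, while the parallel hunks at `@@ -27` and `@@ -184` show it once as context; on a rendered page that pattern usually means the line's indentation or trailing whitespace changed, and in YAML a shifted `- {{ portgroups.yum }}` either drops out of the preceding role's portgroup list or attaches to the new `sensors:` key. Please diff the rendered output for that role and confirm the yum (TCP/443) allowance still sits under the hostgroup it was under before. The renamed keys `sensors`/`searchnodes`/`heavynodes` do match the `hostgroup_list` entries introduced in map.jinja in this commit, but any existing pillar or `.local` override still keyed on `sensor`, `search_node` or `heavy_node` will stop matching silently rather than erroring, so a migration note in the commit message or a deprecation warning in the map would help operators upgrading. The enclosing `role:` mapping starts and ends outside every hunk shown here.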


@@ -144,4 +144,4 @@ iptables_drop_all_the_things:
test.fail_without_changes:
- name: {{sls}}_state_not_allowed
{% endif %}
{% endif %}


@@ -1,8 +1,8 @@
{% set role = grains.id.split('_') | last %}
{% set translated_pillar_assigned_hostgroups = {} %}
{% import_yaml 'firewall/portgroups.yaml' as default_portgroups %}
{% set default_portgroups = default_portgroups.firewall.aliases.ports %}
{% import_yaml 'firewall/ports/ports.yaml' as default_portgroups %}
{% set default_portgroups = default_portgroups.firewall.ports %}
{% import_yaml 'firewall/portgroups.local.yaml' as local_portgroups %}
{% if local_portgroups.firewall.aliases.ports %}
{% set local_portgroups = local_portgroups.firewall.aliases.ports %}
@@ -13,7 +13,34 @@
{% set defined_portgroups = portgroups %}
{% import_yaml 'firewall/hostgroups.yaml' as default_hostgroups %}
{% import_yaml 'firewall/hostgroups.local.yaml' as local_hostgroups %}
{#% import_yaml 'firewall/hostgroups.local.yaml' as local_hostgroups %#}
{% set local_hostgroups = {'firewall': {'hostgroups': {}}} %}
{% set hostgroup_list = [
'analyst',
'analyst_workstations',
'eval',
'heavynodes',
'idh',
'manager',
'minion',
'receivers',
'searchnodes',
'sensors',
'standalone',
'beats_endpoint',
'beats_endpoint_ssl',
'elasticsearch_rest',
'elastic_agent_endpoint',
'endgame',
'strelka_frontend',
'syslog'
]
%}
{% for hg in hostgroup_list %}
{% import_text 'firewall/hostgroups/' ~ hg as hg_ips %}
{% do local_hostgroups.firewall.hostgroups.update({hg: {'ips': {'insert': hg_ips.split(), 'delete': []}}}) %}
{% endfor %}
{% set hostgroups = salt['defaults.merge'](default_hostgroups.firewall.hostgroups, local_hostgroups.firewall.hostgroups, in_place=False) %}
{# This block translate the portgroups defined in the pillar to what is defined my portgroups.yaml and portgroups.local.yaml #}
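Review bot: The new `{% for hg in hostgroup_list %}` loop feeds every whitespace-separated token of `firewall/hostgroups/<hg>` straight into `ips.insert` with no validation, so a comment line, a hostname or a stray `0.0.0.0/0` in one of those files becomes an iptables source match (or an iptables error) once the hostgroups are rendered into rules. I would skip `#` lines and pass the remaining tokens through Salt's `ipaddr` filter before inserting them, as sketched below — confirm on your Salt version that `ipaddr` keeps CIDR entries, and note that it drops bad tokens silently, which errs toward fewer allows but still deserves a logged warning. As far as I know `import_text` raises `TemplateNotFound` for a missing file, so all 19 files in `hostgroup_list` must ship on every role or the whole firewall state fails to render; a comment above the list saying so, e.g. `{# every entry must exist as firewall/hostgroups/<name>; import_text fails on a missing file #}`, would save the next maintainer a debugging session. With the `hostgroups.local.yaml` import commented out and `delete` hard-wired to `[]`, operators have lost the only visible way to remove an IP that `hostgroups.yaml` allows by default; either drop the dead `{#% import_yaml ... %#}` line if that is intended, or restore the `.local` merge. Separately, the first hunk of this file now reads defaults from `firewall.ports`, but the unchanged lines right after it still index `local_portgroups.firewall.aliases.ports`; if the `@@ -1,3 +1,2 @@` hunk at the top of this commit is `portgroups.local.yaml` losing its `aliases:` level, that lookup fails at render time.
```jinja
{% for hg in hostgroup_list %}
{% import_text 'firewall/hostgroups/' ~ hg as hg_text %}
{# one IP or CIDR per whitespace-separated token; lines starting with '#' are comments #}
{% set hg_ips = [] %}
{% for line in hg_text.splitlines() if not line.strip().startswith('#') %}
{% do hg_ips.extend(line.split() | ipaddr) %}
{% endfor %}
{% do local_hostgroups.firewall.hostgroups.update({hg: {'ips': {'insert': hg_ips, 'delete': []}}}) %}
{% endfor %}
```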


@@ -1,116 +0,0 @@
{% if grains.role == 'so-idh' %}
{% from 'idh/opencanary_config.map.jinja' import OPENCANARYCONFIG %}
{% from 'idh/openssh/map.jinja' import openssh_map %}
{% set idh_services = salt['pillar.get']('idh:services', []) %}
{% set ssh_port = openssh_map.config.port %}
{% else %}
{% set ssh_port = 22 %}
{% endif %}
firewall:
aliases:
ports:
all:
tcp:
- '0:65535'
udp:
- '0:65535'
acng:
tcp:
- 3142
agrules:
tcp:
- 7788
beats_5044:
tcp:
- 5044
beats_5644:
tcp:
- 5644
beats_5066:
tcp:
- 5066
cortex:
tcp:
- 9001
cortex_es_node:
tcp:
- 9500
cortex_es_rest:
tcp:
- 9400
docker_registry:
tcp:
- 5000
elasticsearch_node:
tcp:
- 9300
elasticsearch_rest:
tcp:
- 9200
elastic_agent_control:
tcp:
- 8220
elastic_agent_data:
tcp:
- 5055
endgame:
tcp:
- 3765
influxdb:
tcp:
- 8086
kibana:
tcp:
- 5601
minio:
tcp:
- 9595
mysql:
tcp:
- 3306
nginx:
tcp:
- 80
- 443
playbook:
tcp:
- 3200
redis:
tcp:
- 6379
- 9696
salt_manager:
tcp:
- 4505
- 4506
sensoroni:
tcp:
- 443
ssh:
tcp:
- {{ ssh_port }}
strelka_frontend:
tcp:
- 57314
syslog:
tcp:
- 514
udp:
- 514
yum:
tcp:
- 443
{% if idh_services is defined %}
{% for service in idh_services %}
{% if service in ["smnp","ntp", "tftp"] %}
{% set proto = 'udp' %}
{% else %}
{% set proto = 'tcp' %}
{% endif %}
idh_{{service}}:
{{proto}}:
- {{ OPENCANARYCONFIG[service~'.port'] }}
{% endfor %}
{% endif %}