From 462b2b23b91fb1f74ac67f5e80c81fabb6e0bc08 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Fri, 24 Mar 2023 13:52:21 -0400
Subject: [PATCH] rework idh for web ui
---
 salt/firewall/assigned_hostgroups.map.yaml | 7 +-
 salt/idh/defaults.yaml | 125 +++++++++++----------
 salt/idh/idh.conf.jinja | 2 +-
 salt/idh/init.sls | 9 +-
 salt/idh/opencanary_config.map.jinja | 18 +--
 salt/idh/soc_idh.yaml | 116 +++++++++----------
 6 files changed, 139 insertions(+), 138 deletions(-)
diff --git a/salt/firewall/assigned_hostgroups.map.yaml b/salt/firewall/assigned_hostgroups.map.yaml
index 2e54a5e9f..c5f4d89c9 100644
--- a/salt/firewall/assigned_hostgroups.map.yaml
+++ b/salt/firewall/assigned_hostgroups.map.yaml
@@ -575,9 +575,10 @@ role:
 hostgroups:
 anywhere:
 portgroups:
- {% set idh_services = salt['pillar.get']('idh:services', []) %}
- {% for service in idh_services %}
- - {{ IDH_PORTGROUPS['idh_'~service] }}
+ {% for service in IDH_PORTGROUPS.keys() %}
+ {% if service != 'openssh' %}
+ - {{ IDH_PORTGROUPS[service] }}
+ {% endif %}
 {% endfor %}
 dockernet:
 portgroups:
diff --git a/salt/idh/defaults.yaml b/salt/idh/defaults.yaml
index 39e8a6074..b0c4d6904 100644
--- a/salt/idh/defaults.yaml
+++ b/salt/idh/defaults.yaml
@@ -1,4 +1,9 @@
 idh:
+ restrict_management_ip: false
+ openssh:
+ enable: true
+ config:
+ port: 2222
 opencanary:
 config:
 logger:
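Review bot: The new `{% if service != 'openssh' %}` guard compares against a bare service name, but every key this patch puts into IDH_PORTGROUPS (opencanary_config.map.jinja, `'idh_' ~ service`) carries the `idh_` prefix, so unless an unprefixed `openssh` entry is added to IDH_PORTGROUPS somewhere outside this diff the exclusion never matches and the comparison should read `{% if service != 'idh_openssh' %}`. Iterating IDH_PORTGROUPS also means each honeypot port is opened in the `anywhere` hostgroup as soon as its service is enabled, which deserves a comment on the loop, e.g. `{# open every enabled IDH honeypot port to anywhere; the openssh entry is skipped here #}`. The enclosing `role:` mapping starts and ends outside the hunk.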
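Review bot: `restrict_management_ip: false` is a security-relevant default added without a comment; init.sls reads it to decide whether the honeypot ports are blocked on the management IP, so document it in place, e.g. `# false: IDH honeypot services also accept connections on the management IP; set true to firewall them off (see idh/init.sls)`. The `openssh:` block is the one removed from the bottom of the file in the next hunk, moved unchanged.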
@@ -14,77 +19,73 @@ idh:
 file:
 class: logging.FileHandler
 filename: /var/tmp/opencanary.log
- portscan.enabled: false
- portscan.logfile: /var/log/kern.log
- portscan.synrate: 5
- portscan.nmaposrate: 5
- portscan.lorate: 3
- tcpbanner.maxnum: 10
- tcpbanner.enabled: false
- tcpbanner_1.enabled: false
- tcpbanner_1.port: 8001
- tcpbanner_1.datareceivedbanner: ''
- tcpbanner_1.initbanner: ''
- tcpbanner_1.alertstring.enabled: false
- tcpbanner_1.keep_alive.enabled: false
- tcpbanner_1.keep_alive_secret: ''
- tcpbanner_1.keep_alive_probes: 11
- tcpbanner_1.keep_alive_interval: 300
- tcpbanner_1.keep_alive_idle: 300
- ftp.enabled: false
- ftp.port: 21
- ftp.banner: FTP server ready
- git.enabled: false
- git.port: 9418
- http.banner: Apache/2.2.34 (Ubuntu)
- http.enabled: false
- http.port: 80
- http.skin: nasLogin
- http.skinlist:
+ portscan_x_enabled: false
+ portscan_x_logfile: /var/log/kern.log
+ portscan_x_synrate: 5
+ portscan_x_nmaposrate: 5
+ portscan_x_lorate: 3
+ tcpbanner_x_maxnum: 10
+ tcpbanner_x_enabled: false
+ tcpbanner_1_x_enabled: false
+ tcpbanner_1_x_port: 8001
+ tcpbanner_1_x_datareceivedbanner: ''
+ tcpbanner_1_x_initbanner: ''
+ tcpbanner_1_x_alertstring_x_enabled: false
+ tcpbanner_1_x_keep_alive_x_enabled: false
+ tcpbanner_1_x_keep_alive_secret: ''
+ tcpbanner_1_x_keep_alive_probes: 11
+ tcpbanner_1_x_keep_alive_interval: 300
+ tcpbanner_1_x_keep_alive_idle: 300
+ ftp_x_enabled: false
+ ftp_x_port: 21
+ ftp_x_banner: FTP server ready
+ git_x_enabled: false
+ git_x_port: 9418
+ http_x_banner: Apache/2.2.34 (Ubuntu)
+ http_x_enabled: false
+ http_x_port: 80
+ http_x_skin: nasLogin
+ http_x_skinlist:
 - desc: Plain HTML Login
 name: basicLogin
 - desc: Synology NAS Login
 name: nasLogin
- httpproxy.enabled: false
- httpproxy.port: 8080
- httpproxy.skin: squid
- httpproxy.skinlist:
+ httpproxy_x_enabled: false
+ httpproxy_x_port: 8080
+ httpproxy_x_skin: squid
+ httpproxy_x_skinlist:
 - desc: Squid
 name: squid
 - desc: Microsoft ISA Server Web Proxy
 name: ms-isa
- mssql.enabled: false
- mssql.version: '2012'
- mssql.port: 1433
- mysql.enabled: false
- mysql.port: 3306
- mysql.banner: 5.5.43-0ubuntu0.14.04.1
- ntp.enabled: false
- ntp.port: 123
- redis.enabled: false
- redis.port: 6379
- sip.enabled: false
- sip.port: 5060
- smb.auditfile: /var/log/samba-audit.log
- smb.enabled: false
- snmp.enabled: false
- snmp.port: 161
- ssh.enabled: false
- ssh.port: 22
- ssh.version: SSH-2.0-OpenSSH_5.1p1 Debian-4
- telnet.enabled: false
- telnet.port: 23
- telnet.banner: ''
- telnet.honeycreds:
+ mssql_x_enabled: false
+ mssql_x_version: '2012'
+ mssql_x_port: 1433
+ mysql_x_enabled: false
+ mysql_x_port: 3306
+ mysql_x_banner: 5.5.43-0ubuntu0.14.04.1
+ ntp_x_enabled: false
+ ntp_x_port: 123
+ redis_x_enabled: false
+ redis_x_port: 6379
+ sip_x_enabled: false
+ sip_x_port: 5060
+ smb_x_auditfile: /var/log/samba-audit.log
+ smb_x_enabled: false
+ snmp_x_enabled: false
+ snmp_x_port: 161
+ ssh_x_enabled: true
+ ssh_x_port: 22
+ ssh_x_version: SSH-2.0-OpenSSH_5.1p1 Debian-4
+ telnet_x_enabled: false
+ telnet_x_port: 23
+ telnet_x_banner: ''
+ telnet_x_honeycreds:
 - username: admin
 password: $pbkdf2-sha512$19000$bG1NaY3xvjdGyBlj7N37Xw$dGrmBqqWa1okTCpN3QEmeo9j5DuV2u1EuVFD8Di0GxNiM64To5O/Y66f7UASvnQr8.LCzqTm6awC8Kj/aGKvwA
 - username: admin
 password: admin1
- tftp.enabled: false
- tftp.port: 69
- vnc.enabled: false
- vnc.port: 5900
- openssh:
- enable: true
- config:
- port: 2222
+ tftp_x_enabled: false
+ tftp_x_port: 69
+ vnc_x_enabled: false
+ vnc_x_port: 5900
diff --git a/salt/idh/idh.conf.jinja b/salt/idh/idh.conf.jinja
index fcc000379..f10cdc418 100644
--- a/salt/idh/idh.conf.jinja
+++ b/salt/idh/idh.conf.jinja
@@ -1 +1 @@
-{{ OPENCANARYCONFIG | tojson(True) }}
\ No newline at end of file
+{{ OPENCANARYCONFIG | tojson(True) | replace("_x_", ".") }}
diff --git a/salt/idh/init.sls b/salt/idh/init.sls
index 2cf22c358..52c707fa4 100644
--- a/salt/idh/init.sls
+++ b/salt/idh/init.sls
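Review bot: `ssh_x_enabled: true` changes the SSH honeypot default from false to true inside what is otherwise a rename-and-move hunk; together with the `openssh` default of port 2222 and `restrict_management_ip: false`, a fresh install will have the fake SSH service on port 22 reachable on the management IP as well, so this should be stated in the commit message or split into its own commit. The `_x_` key convention is also undocumented; add a comment at the head of the `config:` block such as `# keys use _x_ instead of '.' so they are valid SOC UI setting names; idh.conf.jinja turns _x_ back into '.' when rendering opencanary.conf`. The `config:` mapping starts outside the hunk.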
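Review bot: `replace("_x_", ".")` is applied to the serialized JSON text, so it rewrites `_x_` inside values as well as keys: a banner, log path, keep-alive secret or honeycreds password containing `_x_` would be silently altered in the rendered opencanary.conf. Restoring the dotted names on the top-level keys before serializing avoids that; defaults.yaml only uses the convention on top-level keys, and opencanary_config.map.jinja already relies on `{% do %}`, so the same construct works here.
```jinja
{%- set RENDERED = {} -%}
{%- for key, value in OPENCANARYCONFIG.items() -%}
  {%- do RENDERED.update({key | replace('_x_', '.'): value}) -%}
{%- endfor -%}
{{ RENDERED | tojson(True) }}
```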
@@ -7,7 +7,8 @@
 {% if sls in allowed_states %}
 {% import_yaml 'docker/defaults.yaml' as DOCKERDEFAULTS %}
 {% from 'vars/globals.map.jinja' import GLOBALS %}
-{% set RESTRICTIDHSERVICES = salt['pillar.get']('idh:restrict_management_ip', False) %}
+{% from 'idh/opencanary_config.map.jinja' import RESTRICTIDHSERVICES %}
+{% from 'idh/opencanary_config.map.jinja' import OPENCANARYCONFIG %}
 include:
 - idh.openssh.config
@@ -15,10 +16,9 @@ include:
 # If True, block IDH Services from accepting connections on Managment IP
 {% if RESTRICTIDHSERVICES %}
- {% from 'idh/opencanary_config.map.jinja' import OPENCANARYCONFIG %}
- {% set idh_services = salt['pillar.get']('idh:services', []) %}
+ {% from 'idh/opencanary_config.map.jinja' import IDH_SERVICES %}
- {% for service in idh_services %}
+ {% for service in IDH_SERVICES %}
 {% if service in ["smnp","ntp", "tftp"] %}
 {% set proto = 'udp' %}
 {% else %}
@@ -52,7 +52,6 @@ configdir:
 - group: 939
 - makedirs: True
-{% from 'idh/opencanary_config.map.jinja' import OPENCANARYCONFIG with context %}
 opencanary_config:
 file.managed:
 - name: /opt/so/conf/idh/opencanary.conf
diff --git a/salt/idh/opencanary_config.map.jinja b/salt/idh/opencanary_config.map.jinja
index 6833f3838..a8b85adbf 100644
--- a/salt/idh/opencanary_config.map.jinja
+++ b/salt/idh/opencanary_config.map.jinja
@@ -1,6 +1,6 @@
 {# this list of services is used to loop through and add fw rules if the service is enabled #}
 {# smb is not in this list since it does not need any ports open #}
-{% set idh_services = [
+{% set IDH_SERVICES = [
 'ftp',
 'git',
 'http',
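Review bot: The two new `{% from 'idh/opencanary_config.map.jinja' import … %}` lines, plus the `IDH_SERVICES` import the next hunk adds inside the `if` block, can be one import at the top, `{% from 'idh/opencanary_config.map.jinja' import RESTRICTIDHSERVICES, OPENCANARYCONFIG, IDH_SERVICES %}`, so the map is rendered once. Note that the import removed in the @@ -52 hunk carried `with context` and the replacements do not; the map calls `salt['pillar.get']` and `import_yaml … with context`, which presumably still resolves because Salt exposes `salt` to imported templates, but that is worth confirming on a test render.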
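Review bot: The context line right after the new `{% for service in IDH_SERVICES %}` tests `service in ["smnp","ntp", "tftp"]`; `smnp` is a typo for `snmp` (defaults.yaml names the service `snmp_x_enabled`), so if snmp is in IDH_SERVICES its honeypot on 161 would presumably get a tcp rule rather than udp. The same list with the same typo sits in opencanary_config.map.jinja at the @@ -20,24 hunk, where it selects the proto key stored in IDH_PORTGROUPS. Correct both to `{% if service in ["snmp", "ntp", "tftp"] %}`, or better have init.sls take the proto from the IDH_PORTGROUPS entry so the list exists once. The `if RESTRICTIDHSERVICES` block continues past the hunk.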
@@ -20,24 +20,24 @@
 {% set IDH_PORTGROUPS = {} %}
 {% import_yaml "idh/defaults.yaml" as IDHCONFIG with context %}
-
+{% set RESTRICTIDHSERVICES = salt['pillar.get']('idh:restrict_management_ip', default=IDHCONFIG.idh.restrict_management_ip) %}
 {% set OPENCANARYCONFIG = salt['pillar.get']('idh:opencanary:config', default=IDHCONFIG.idh.opencanary.config, merge=True) %}
 {# update skinlist to skin.list to avoid issues with SOC UI config #}
-{% set HTTPSKINLIST = OPENCANARYCONFIG.pop('http.skinlist') %}
-{% set HTTPPROXYSKINLIST = OPENCANARYCONFIG.pop('httpproxy.skinlist') %}
-{% do OPENCANARYCONFIG.update({'http.skin.list': HTTPSKINLIST}) %}
-{% do OPENCANARYCONFIG.update({'httpproxy.skin.list': HTTPPROXYSKINLIST}) %}
+{% set HTTPSKINLIST = OPENCANARYCONFIG.pop('http_x_skinlist') %}
+{% set HTTPPROXYSKINLIST = OPENCANARYCONFIG.pop('httpproxy_x_skinlist') %}
+{% do OPENCANARYCONFIG.update({'http_x_skin_x_list': HTTPSKINLIST}) %}
+{% do OPENCANARYCONFIG.update({'httpproxy_x_skin_x_list': HTTPPROXYSKINLIST}) %}
 {% set OPENSSH = salt['pillar.get']('idh:openssh', default=IDHCONFIG.idh.openssh, merge=True) %}
-{% for service in idh_services %}
+{% for service in IDH_SERVICES %}
 {% if service in ["smnp","ntp", "tftp"] %}
 {% set proto = 'udp' %}
 {% else %}
 {% set proto = 'tcp' %}
 {% endif %}
- {% if OPENCANARYCONFIG[service ~ '.enabled'] %}
- {% do IDH_PORTGROUPS.update({'idh_' ~ service: {proto: [OPENCANARYCONFIG[service ~ '.port']]}}) %}
+ {% if OPENCANARYCONFIG[service ~ '_x_enabled'] %}
+ {% do IDH_PORTGROUPS.update({'idh_' ~ service: {proto: [OPENCANARYCONFIG[service ~ '_x_port']]}}) %}
 {% endif %}
 {% endfor %}
diff --git a/salt/idh/soc_idh.yaml b/salt/idh/soc_idh.yaml
index 9a49cdfb8..8345ad761 100644
--- a/salt/idh/soc_idh.yaml
+++ b/salt/idh/soc_idh.yaml
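Review bot: The comment `{# update skinlist to skin.list to avoid issues with SOC UI config #}` no longer matches the code beneath it, which now produces `http_x_skin_x_list` and `httpproxy_x_skin_x_list`; the dotted form only reappears when idh.conf.jinja renders the file. Suggest `{# rename skinlist to skin_x_list (rendered as skin.list by idh.conf.jinja) so the SOC UI config can handle it #}`. The two `pop()` calls still have no default and will raise if either skinlist key is ever missing from the merged config; `pop('http_x_skinlist', [])` would make the map tolerate that.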
@@ -19,108 +19,108 @@ idh:
 file:
 class: *loggingOptions
 filename: *loggingOptions
- portscan.enabled: &serviceOptions
+ portscan_x_enabled: &serviceOptions
 description: To enable this IDH service set this value to true. To disable set to false.
 helpLink: idh.html
- portscan.logfile: *loggingOptions
- portscan.synrate:
+ portscan_x_logfile: *loggingOptions
+ portscan_x_synrate:
 description: Needs update
 advanced: True
 helpLink: idh.html
- portscan.nmaposrate:
+ portscan_x_nmaposrate:
 description: Needs update
 advanced: True
 helpLink: idh.html
- portscan.lorate:
+ portscan_x_lorate:
 description: Needs update
 advanced: True
 helpLink: idh.html
- tcpbanner.maxnum:
+ tcpbanner_x_maxnum:
 description: Needs update
 advanced: True
 helpLink: idh.html
- tcpbanner.enabled: *serviceOptions
- tcpbanner_1.enabled: *serviceOptions
- tcpbanner_1.port: &portOptions
+ tcpbanner_x_enabled: *serviceOptions
+ tcpbanner_1_x_enabled: *serviceOptions
+ tcpbanner_1_x_port: &portOptions
 description: Defined port the service should listen on.
 advanced: True
 helpLink: idh.html
- tcpbanner_1.datareceivedbanner: &bannerOptions
+ tcpbanner_1_x_datareceivedbanner: &bannerOptions
 description: Needs update
 advanced: True
 helpLink: idh.html
- tcpbanner_1.initbanner: *bannerOptions
- tcpbanner_1.alertstring.enabled: *serviceOptions
- tcpbanner_1.keep_alive.enabled: *serviceOptions
- tcpbanner_1.keep_alive_secret:
+ tcpbanner_1_x_initbanner: *bannerOptions
+ tcpbanner_1_x_alertstring_x_enabled: *serviceOptions
+ tcpbanner_1_x_keep_alive_x_enabled: *serviceOptions
+ tcpbanner_1_x_keep_alive_secret:
 description: Needs update
 advanced: True
 helpLink: idh.html
- tcpbanner_1.keep_alive_probes:
+ tcpbanner_1_x_keep_alive_probes:
 description: Needs update
 advanced: True
 helpLink: idh.html
- tcpbanner_1.keep_alive_interval:
+ tcpbanner_1_x_keep_alive_interval:
 description: Needs update
 advanced: True
 helpLink: idh.html
- tcpbanner_1.keep_alive_idle:
+ tcpbanner_1_x_keep_alive_idle:
 description: Needs update
 advanced: True
 helpLink: idh.html
- ftp.enabled: *serviceOptions
- ftp.port: *portOptions
- ftp.banner: *bannerOptions
- git.enabled: *serviceOptions
- git.port: *portOptions
- http.banner: *bannerOptions
- http.enabled: *serviceOptions
- http.port: *portOptions
- http.skin: &skinOptions
+ ftp_x_enabled: *serviceOptions
+ ftp_x_port: *portOptions
+ ftp_x_banner: *bannerOptions
+ git_x_enabled: *serviceOptions
+ git_x_port: *portOptions
+ http_x_banner: *bannerOptions
+ http_x_enabled: *serviceOptions
+ http_x_port: *portOptions
+ http_x_skin: &skinOptions
 description:
 advanced: True
 helplink: idh.html
- http.skinlist: &skinlistOptions
+ http_x_skinlist: &skinlistOptions
 description: List of skins to use for the service.
 advanced: True
 helpLink: idh.html
- httpproxy.enabled: *serviceOptions
- httpproxy.port: *portOptions
- httpproxy.skin: *skinOptions
- httpproxy.skinlist: *skinlistOptions
- mssql.enabled: *serviceOptions
- mssql.version: &versionOptions
+ httpproxy_x_enabled: *serviceOptions
+ httpproxy_x_port: *portOptions
+ httpproxy_x_skin: *skinOptions
+ httpproxy_x_skinlist: *skinlistOptions
+ mssql_x_enabled: *serviceOptions
+ mssql_x_version: &versionOptions
 description: Specify the version the service should present.
 advanced: True
 helpLink: idh.html
- mssql.port: *portOptions
- mysql.enabled: *serviceOptions
- mysql.port: *portOptions
- mysql.banner: *bannerOptions
- ntp.enabled: *serviceOptions
- ntp.port: *portOptions
- redis.enabled: *serviceOptions
- redis.port: *portOptions
- sip.enabled: *serviceOptions
- sip.port: *portOptions
- smb.auditfile: *loggingOptions
- smb.enabled: *serviceOptions
- snmp.enabled: *serviceOptions
- snmp.port: *portOptions
- ssh.enabled: *serviceOptions
- ssh.port: *portOptions
- ssh.version: *versionOptions
- telnet.enabled: *serviceOptions
- telnet.port: *portOptions
- telnet.banner: *bannerOptions
- telnet.honeycreds:
+ mssql_x_port: *portOptions
+ mysql_x_enabled: *serviceOptions
+ mysql_x_port: *portOptions
+ mysql_x_banner: *bannerOptions
+ ntp_x_enabled: *serviceOptions
+ ntp_x_port: *portOptions
+ redis_x_enabled: *serviceOptions
+ redis_x_port: *portOptions
+ sip_x_enabled: *serviceOptions
+ sip_x_port: *portOptions
+ smb_x_auditfile: *loggingOptions
+ smb_x_enabled: *serviceOptions
+ snmp_x_enabled: *serviceOptions
+ snmp_x_port: *portOptions
+ ssh_x_enabled: *serviceOptions
+ ssh_x_port: *portOptions
+ ssh_x_version: *versionOptions
+ telnet_x_enabled: *serviceOptions
+ telnet_x_port: *portOptions
+ telnet_x_banner: *bannerOptions
+ telnet_x_honeycreds:
 description: Credentials list for the telnet service.
 advanced: True
 helpLink: idh.html
- tftp.enabled: *serviceOptions
- tftp.port: *portOptions
- vnc.enabled: *serviceOptions
- vnc.port: *portOptions
+ tftp_x_enabled: *serviceOptions
+ tftp_x_port: *portOptions
+ vnc_x_enabled: *serviceOptions
+ vnc_x_port: *portOptions
 openssh:
 enable:
 description: This is the other SSH for the host machine. Needs better descirption.
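Review bot: Under the renamed `http_x_skin:` entry the `description:` is empty and the key is spelled `helplink`, whereas every other entry in the hunk uses `helpLink`; if the SOC UI matches on the exact key, this entry presumably shows no description and no help link. Suggest `description: Name of the skin the service presents; one of the names in skinlist.` and `helpLink: idh.html`. The `description: Needs update` placeholders on the portscan, tcpbanner and keep-alive entries are carried over unchanged.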