rework idh for web ui

salt/firewall/assigned_hostgroups.map.yaml

@@ -575,9 +575,10 @@ role:
         hostgroups:
           anywhere:
             portgroups:
-            {% set idh_services = salt['pillar.get']('idh:services', []) %}
+            {% for service in IDH_PORTGROUPS.keys() %}
-            {% for service in idh_services %}
+              {% if service != 'openssh' %}
-              - {{ IDH_PORTGROUPS['idh_'~service] }}
+              - {{ IDH_PORTGROUPS[service] }}
+              {% endif %}
             {% endfor %}
           dockernet:
             portgroups:

salt/idh/defaults.yaml

@@ -1,4 +1,9 @@
 idh:
+  restrict_management_ip: false
+  openssh:
+    enable: true
+    config:
+      port: 2222
   opencanary:
     config:
       logger:
@@ -14,77 +19,73 @@ idh:
               file:
                   class: logging.FileHandler
                   filename: /var/tmp/opencanary.log
-      portscan.enabled: false
+      portscan_x_enabled: false
-      portscan.logfile: /var/log/kern.log
+      portscan_x_logfile: /var/log/kern.log
-      portscan.synrate: 5
+      portscan_x_synrate: 5
-      portscan.nmaposrate: 5
+      portscan_x_nmaposrate: 5
-      portscan.lorate: 3
+      portscan_x_lorate: 3
-      tcpbanner.maxnum: 10
+      tcpbanner_x_maxnum: 10
-      tcpbanner.enabled: false
+      tcpbanner_x_enabled: false
-      tcpbanner_1.enabled: false
+      tcpbanner_1_x_enabled: false
-      tcpbanner_1.port: 8001
+      tcpbanner_1_x_port: 8001
-      tcpbanner_1.datareceivedbanner: ''
+      tcpbanner_1_x_datareceivedbanner: ''
-      tcpbanner_1.initbanner: ''
+      tcpbanner_1_x_initbanner: ''
-      tcpbanner_1.alertstring.enabled: false
+      tcpbanner_1_x_alertstring_x_enabled: false
-      tcpbanner_1.keep_alive.enabled: false
+      tcpbanner_1_x_keep_alive_x_enabled: false
-      tcpbanner_1.keep_alive_secret: ''
+      tcpbanner_1_x_keep_alive_secret: ''
-      tcpbanner_1.keep_alive_probes: 11
+      tcpbanner_1_x_keep_alive_probes: 11
-      tcpbanner_1.keep_alive_interval: 300
+      tcpbanner_1_x_keep_alive_interval: 300
-      tcpbanner_1.keep_alive_idle: 300
+      tcpbanner_1_x_keep_alive_idle: 300
-      ftp.enabled: false
+      ftp_x_enabled: false
-      ftp.port: 21
+      ftp_x_port: 21
-      ftp.banner: FTP server ready
+      ftp_x_banner: FTP server ready
-      git.enabled: false
+      git_x_enabled: false
-      git.port: 9418
+      git_x_port: 9418
-      http.banner: Apache/2.2.34 (Ubuntu)
+      http_x_banner: Apache/2.2.34 (Ubuntu)
-      http.enabled: false
+      http_x_enabled: false
-      http.port: 80
+      http_x_port: 80
-      http.skin: nasLogin
+      http_x_skin: nasLogin
-      http.skinlist:
+      http_x_skinlist:
         - desc: Plain HTML Login
           name: basicLogin
         - desc: Synology NAS Login
           name: nasLogin
-      httpproxy.enabled: false
+      httpproxy_x_enabled: false
-      httpproxy.port: 8080
+      httpproxy_x_port: 8080
-      httpproxy.skin: squid
+      httpproxy_x_skin: squid
-      httpproxy.skinlist:
+      httpproxy_x_skinlist:
         - desc: Squid
           name: squid
         - desc: Microsoft ISA Server Web Proxy
           name: ms-isa
-      mssql.enabled: false
+      mssql_x_enabled: false
-      mssql.version: '2012'
+      mssql_x_version: '2012'
-      mssql.port: 1433
+      mssql_x_port: 1433
-      mysql.enabled: false
+      mysql_x_enabled: false
-      mysql.port: 3306
+      mysql_x_port: 3306
-      mysql.banner: 5.5.43-0ubuntu0.14.04.1
+      mysql_x_banner: 5.5.43-0ubuntu0.14.04.1
-      ntp.enabled: false
+      ntp_x_enabled: false
-      ntp.port: 123
+      ntp_x_port: 123
-      redis.enabled: false
+      redis_x_enabled: false
-      redis.port: 6379
+      redis_x_port: 6379
-      sip.enabled: false
+      sip_x_enabled: false
-      sip.port: 5060
+      sip_x_port: 5060
-      smb.auditfile: /var/log/samba-audit.log
+      smb_x_auditfile: /var/log/samba-audit.log
-      smb.enabled: false
+      smb_x_enabled: false
-      snmp.enabled: false
+      snmp_x_enabled: false
-      snmp.port: 161
+      snmp_x_port: 161
-      ssh.enabled: false
+      ssh_x_enabled: true
-      ssh.port: 22
+      ssh_x_port: 22
-      ssh.version: SSH-2.0-OpenSSH_5.1p1 Debian-4
+      ssh_x_version: SSH-2.0-OpenSSH_5.1p1 Debian-4
-      telnet.enabled: false
+      telnet_x_enabled: false
-      telnet.port: 23
+      telnet_x_port: 23
-      telnet.banner: ''
+      telnet_x_banner: ''
-      telnet.honeycreds:
+      telnet_x_honeycreds:
         - username: admin
           password: $pbkdf2-sha512$19000$bG1NaY3xvjdGyBlj7N37Xw$dGrmBqqWa1okTCpN3QEmeo9j5DuV2u1EuVFD8Di0GxNiM64To5O/Y66f7UASvnQr8.LCzqTm6awC8Kj/aGKvwA
         - username: admin
           password: admin1
-      tftp.enabled: false
+      tftp_x_enabled: false
-      tftp.port: 69
+      tftp_x_port: 69
-      vnc.enabled: false
+      vnc_x_enabled: false
-      vnc.port: 5900
+      vnc_x_port: 5900
-  openssh:
-    enable: true
-    config:
-      port: 2222

salt/idh/idh.conf.jinja

@@ -1 +1 @@
-{{ OPENCANARYCONFIG | tojson(True) }}
+{{ OPENCANARYCONFIG | tojson(True) | replace("_x_", ".") }}

salt/idh/init.sls

@@ -7,7 +7,8 @@
 {% if sls in allowed_states %}
 {% import_yaml 'docker/defaults.yaml' as DOCKERDEFAULTS %}
 {% from 'vars/globals.map.jinja' import GLOBALS %}
-{% set RESTRICTIDHSERVICES = salt['pillar.get']('idh:restrict_management_ip', False) %}
+{% from 'idh/opencanary_config.map.jinja' import RESTRICTIDHSERVICES %}
+{% from 'idh/opencanary_config.map.jinja' import OPENCANARYCONFIG %}
 
 include:
   - idh.openssh.config
@@ -15,10 +16,9 @@ include:
 
 # If True, block IDH Services from accepting connections on Managment IP
 {% if RESTRICTIDHSERVICES %}
-  {% from 'idh/opencanary_config.map.jinja' import OPENCANARYCONFIG %}
+  {% from 'idh/opencanary_config.map.jinja' import IDH_SERVICES %}
-  {% set idh_services = salt['pillar.get']('idh:services', []) %}
 
-  {% for service in idh_services %}
+  {% for service in IDH_SERVICES %}
   {% if service in ["smnp","ntp", "tftp"] %}
     {% set proto = 'udp' %}
   {% else %}
@@ -52,7 +52,6 @@ configdir:
     - group: 939
     - makedirs: True
 
-{% from 'idh/opencanary_config.map.jinja' import OPENCANARYCONFIG with context %}
 opencanary_config:
   file.managed:
     - name: /opt/so/conf/idh/opencanary.conf

salt/idh/opencanary_config.map.jinja

@@ -1,6 +1,6 @@
 {# this list of services is used to loop through and add fw rules if the service is enabled #}
 {# smb is not in this list since it does not need any ports open #}
-{% set idh_services = [
+{% set IDH_SERVICES = [
      'ftp',
      'git',
      'http',
@@ -20,24 +20,24 @@
 {% set IDH_PORTGROUPS = {} %}
 
 {% import_yaml "idh/defaults.yaml" as IDHCONFIG with context %}
-
+{% set RESTRICTIDHSERVICES = salt['pillar.get']('idh:restrict_management_ip', default=IDHCONFIG.idh.restrict_management_ip) %}
 {% set OPENCANARYCONFIG = salt['pillar.get']('idh:opencanary:config', default=IDHCONFIG.idh.opencanary.config, merge=True) %}
 {# update skinlist to skin.list to avoid issues with SOC UI config #}
-{% set HTTPSKINLIST = OPENCANARYCONFIG.pop('http.skinlist') %}
+{% set HTTPSKINLIST = OPENCANARYCONFIG.pop('http_x_skinlist') %}
-{% set HTTPPROXYSKINLIST = OPENCANARYCONFIG.pop('httpproxy.skinlist') %}
+{% set HTTPPROXYSKINLIST = OPENCANARYCONFIG.pop('httpproxy_x_skinlist') %}
-{% do OPENCANARYCONFIG.update({'http.skin.list': HTTPSKINLIST}) %}
+{% do OPENCANARYCONFIG.update({'http_x_skin_x_list': HTTPSKINLIST}) %}
-{% do OPENCANARYCONFIG.update({'httpproxy.skin.list': HTTPPROXYSKINLIST}) %}
+{% do OPENCANARYCONFIG.update({'httpproxy_x_skin_x_list': HTTPPROXYSKINLIST}) %}
 
 {% set OPENSSH = salt['pillar.get']('idh:openssh', default=IDHCONFIG.idh.openssh, merge=True) %}
 
-{% for service in idh_services %}
+{% for service in IDH_SERVICES %}
   {% if service in ["smnp","ntp", "tftp"] %}
     {% set proto = 'udp' %}
   {% else %}
     {% set proto = 'tcp' %}
   {% endif %}
-  {% if OPENCANARYCONFIG[service ~ '.enabled'] %}
+  {% if OPENCANARYCONFIG[service ~ '_x_enabled'] %}
-    {% do IDH_PORTGROUPS.update({'idh_' ~ service: {proto: [OPENCANARYCONFIG[service ~ '.port']]}}) %}
+    {% do IDH_PORTGROUPS.update({'idh_' ~ service: {proto: [OPENCANARYCONFIG[service ~ '_x_port']]}}) %}
   {% endif %}
 {% endfor %}
 

salt/idh/soc_idh.yaml

@@ -19,108 +19,108 @@ idh:
               file:
                   class: *loggingOptions
                   filename: *loggingOptions
-      portscan.enabled: &serviceOptions
+      portscan_x_enabled: &serviceOptions
         description: To enable this IDH service set this value to true. To disable set to false.
         helpLink: idh.html
-      portscan.logfile: *loggingOptions
+      portscan_x_logfile: *loggingOptions
-      portscan.synrate:
+      portscan_x_synrate:
         description: Needs update
         advanced: True
         helpLink: idh.html 
-      portscan.nmaposrate:
+      portscan_x_nmaposrate:
         description: Needs update
         advanced: True
         helpLink: idh.html  
-      portscan.lorate: 
+      portscan_x_lorate: 
         description: Needs update
         advanced: True
         helpLink: idh.html 
-      tcpbanner.maxnum:
+      tcpbanner_x_maxnum:
         description: Needs update
         advanced: True
         helpLink: idh.html 
-      tcpbanner.enabled: *serviceOptions
+      tcpbanner_x_enabled: *serviceOptions
-      tcpbanner_1.enabled: *serviceOptions
+      tcpbanner_1_x_enabled: *serviceOptions
-      tcpbanner_1.port: &portOptions
+      tcpbanner_1_x_port: &portOptions
         description: Defined port the service should listen on.
         advanced: True
         helpLink: idh.html
-      tcpbanner_1.datareceivedbanner: &bannerOptions
+      tcpbanner_1_x_datareceivedbanner: &bannerOptions
         description: Needs update
         advanced: True
         helpLink: idh.html 
-      tcpbanner_1.initbanner: *bannerOptions
+      tcpbanner_1_x_initbanner: *bannerOptions
-      tcpbanner_1.alertstring.enabled: *serviceOptions
+      tcpbanner_1_x_alertstring_x_enabled: *serviceOptions
-      tcpbanner_1.keep_alive.enabled: *serviceOptions
+      tcpbanner_1_x_keep_alive_x_enabled: *serviceOptions
-      tcpbanner_1.keep_alive_secret:
+      tcpbanner_1_x_keep_alive_secret:
         description: Needs update
         advanced: True
         helpLink: idh.html 
-      tcpbanner_1.keep_alive_probes:
+      tcpbanner_1_x_keep_alive_probes:
         description: Needs update
         advanced: True
         helpLink: idh.html  
-      tcpbanner_1.keep_alive_interval:
+      tcpbanner_1_x_keep_alive_interval:
         description: Needs update
         advanced: True
         helpLink: idh.html 
-      tcpbanner_1.keep_alive_idle:
+      tcpbanner_1_x_keep_alive_idle:
         description: Needs update
         advanced: True
         helpLink: idh.html 
-      ftp.enabled: *serviceOptions
+      ftp_x_enabled: *serviceOptions
-      ftp.port: *portOptions
+      ftp_x_port: *portOptions
-      ftp.banner: *bannerOptions
+      ftp_x_banner: *bannerOptions
-      git.enabled: *serviceOptions
+      git_x_enabled: *serviceOptions
-      git.port: *portOptions
+      git_x_port: *portOptions
-      http.banner: *bannerOptions
+      http_x_banner: *bannerOptions
-      http.enabled: *serviceOptions
+      http_x_enabled: *serviceOptions
-      http.port: *portOptions
+      http_x_port: *portOptions
-      http.skin: &skinOptions
+      http_x_skin: &skinOptions
         description:
         advanced: True
         helplink: idh.html
-      http.skinlist: &skinlistOptions
+      http_x_skinlist: &skinlistOptions
         description: List of skins to use for the service.
         advanced: True
         helpLink: idh.html
-      httpproxy.enabled: *serviceOptions
+      httpproxy_x_enabled: *serviceOptions
-      httpproxy.port: *portOptions
+      httpproxy_x_port: *portOptions
-      httpproxy.skin: *skinOptions
+      httpproxy_x_skin: *skinOptions
-      httpproxy.skinlist: *skinlistOptions
+      httpproxy_x_skinlist: *skinlistOptions
-      mssql.enabled: *serviceOptions
+      mssql_x_enabled: *serviceOptions
-      mssql.version: &versionOptions
+      mssql_x_version: &versionOptions
         description: Specify the version the service should present.
         advanced: True
         helpLink: idh.html
-      mssql.port: *portOptions
+      mssql_x_port: *portOptions
-      mysql.enabled: *serviceOptions
+      mysql_x_enabled: *serviceOptions
-      mysql.port: *portOptions
+      mysql_x_port: *portOptions
-      mysql.banner: *bannerOptions
+      mysql_x_banner: *bannerOptions
-      ntp.enabled: *serviceOptions
+      ntp_x_enabled: *serviceOptions
-      ntp.port: *portOptions
+      ntp_x_port: *portOptions
-      redis.enabled: *serviceOptions
+      redis_x_enabled: *serviceOptions
-      redis.port: *portOptions
+      redis_x_port: *portOptions
-      sip.enabled: *serviceOptions
+      sip_x_enabled: *serviceOptions
-      sip.port: *portOptions
+      sip_x_port: *portOptions
-      smb.auditfile: *loggingOptions
+      smb_x_auditfile: *loggingOptions
-      smb.enabled: *serviceOptions
+      smb_x_enabled: *serviceOptions
-      snmp.enabled: *serviceOptions
+      snmp_x_enabled: *serviceOptions
-      snmp.port: *portOptions
+      snmp_x_port: *portOptions
-      ssh.enabled: *serviceOptions
+      ssh_x_enabled: *serviceOptions
-      ssh.port: *portOptions
+      ssh_x_port: *portOptions
-      ssh.version: *versionOptions
+      ssh_x_version: *versionOptions
-      telnet.enabled: *serviceOptions
+      telnet_x_enabled: *serviceOptions
-      telnet.port: *portOptions
+      telnet_x_port: *portOptions
-      telnet.banner: *bannerOptions
+      telnet_x_banner: *bannerOptions
-      telnet.honeycreds:
+      telnet_x_honeycreds:
         description: Credentials list for the telnet service.
         advanced: True
         helpLink: idh.html
-      tftp.enabled: *serviceOptions
+      tftp_x_enabled: *serviceOptions
-      tftp.port: *portOptions
+      tftp_x_port: *portOptions
-      vnc.enabled: *serviceOptions
+      vnc_x_enabled: *serviceOptions
-      vnc.port: *portOptions
+      vnc_x_port: *portOptions
   openssh:
     enable: 
       description: This is the other SSH for the host machine. Needs better descirption.