Merge branch '2.4/dev' into kilo

2025-12-06 09:12:45 +01:00 · 2023-02-08 13:49:07 -05:00
parent a1ac1785d3 3b9bdecab8
commit 4c42671a21
11 changed files with 15 additions and 670 deletions
--- a/files/firewall/assigned_hostgroups.local.map.yaml
+++ b/files/firewall/assigned_hostgroups.local.map.yaml
@@ -1,6 +1,6 @@
 {% import_yaml 'firewall/ports/ports.yaml' as default_portgroups %}
 {% set default_portgroups = default_portgroups.firewall.ports %}
-{% import_yaml 'firewall/portgroups.local.yaml' as local_portgroups %}
+{% import_yaml 'firewall/ports/ports.local.yaml' as local_portgroups %}
 {% if local_portgroups.firewall.ports %}
  {% set local_portgroups = local_portgroups.firewall.ports %}
 {% else %}
--- a/files/firewall/hostgroups.local.yaml
+++ b/files/firewall/hostgroups.local.yaml
@@ -1,66 +0,0 @@
 firewall:
  hostgroups:
    analyst:
      ips:
        delete:
        insert:
    beats_endpoint:
      ips:
        delete:
        insert:
    beats_endpoint_ssl:
      ips:
        delete:
        insert:
    elasticsearch_rest:
      ips:
        delete:
        insert:
    elastic_agent_endpoint:
      ips:
        delete:
        insert:
    endgame:
      ips:
        delete:
        insert:
    fleet:
      ips:
        delete:
        insert:
    heavy_node:
      ips:
        delete:
        insert:
    idh:
      ips:
        delete:
        insert: 
    manager:
      ips:
        delete:
        insert:
    node:
      ips:
        delete:
        insert:
    receiver:
      ips:
        delete:
        insert:
    search_node:
      ips:
        delete:
        insert:
    sensor:
      ips:
        delete:
        insert:
    strelka_frontend:
      ips:
        delete:
        insert:
    syslog:
      ips:
        delete:
        insert:
--- a/files/firewall/ports/ports.local.yaml
+++ b/files/firewall/ports/ports.local.yaml
--- a/salt/firewall/hostgroups.yaml
+++ b/salt/firewall/hostgroups.yaml
@@ -1,23 +0,0 @@
 {% from 'docker/docker.map.jinja' import DOCKER %}
 firewall:
  hostgroups:
    anywhere:
      ips:
        delete:
        insert:
          - 0.0.0.0/0
    dockernet:
      ips:
        delete:
        insert:
          - {{ DOCKER.sorange }}
    localhost:
      ips:
        delete:
        insert:
          - 127.0.0.1
    self:
      ips:
        delete:
        insert:
          - {{ salt['grains.get']('ip_interfaces').get(salt['pillar.get']('sensor:mainint', salt['pillar.get']('manager:mainint', salt['pillar.get']('elasticsearch:mainint', salt['pillar.get']('host:mainint')))))[0] }}
--- a/salt/firewall/hostgroups/anywhere
+++ b/salt/firewall/hostgroups/anywhere
@@ -0,0 +1 @@
 0.0.0.0/0
--- a/salt/firewall/hostgroups/dockernet
+++ b/salt/firewall/hostgroups/dockernet
@@ -0,0 +1,2 @@
 {% from 'docker/docker.map.jinja' import DOCKER -%}
 {{ DOCKER.sorange }}
--- a/salt/firewall/hostgroups/localhost
+++ b/salt/firewall/hostgroups/localhost
@@ -0,0 +1 @@
 127.0.0.1
--- a/salt/firewall/hostgroups/self
+++ b/salt/firewall/hostgroups/self
@@ -0,0 +1,2 @@
 {% from 'vars/globals.map.jinja' import GLOBALS -%}
 {{ GLOBALS.node_ip }}
--- a/salt/firewall/map.jinja
+++ b/salt/firewall/map.jinja
@@ -3,7 +3,7 @@
 {% import_yaml 'firewall/ports/ports.yaml' as default_portgroups %}
 {% set default_portgroups = default_portgroups.firewall.ports %}
-{% import_yaml 'firewall/portgroups.local.yaml' as local_portgroups %}
+{% import_yaml 'firewall/ports/ports.local.yaml' as local_portgroups %}
 {% if local_portgroups.firewall.ports %}
  {% set local_portgroups = local_portgroups.firewall.ports %}
 {% else %}
@@ -12,36 +12,16 @@
 {% set portgroups = salt['defaults.merge'](default_portgroups, local_portgroups, in_place=False) %}
 {% set defined_portgroups = portgroups %}
 {% import_yaml 'firewall/hostgroups.yaml' as default_hostgroups %}
 {#% import_yaml 'firewall/hostgroups.local.yaml' as local_hostgroups %#}
 {% set local_hostgroups = {'firewall': {'hostgroups': {}}} %}
-{% set hostgroup_list = [
+
-         'analyst',
+{% set hostgroup_list =  salt['cp.list_master'](prefix='firewall/hostgroups') %}
-         'analyst_workstations',
+
         'eval',
         'heavynodes',
         'idh',
         'manager',
         'managersearch',
         'receivers',
         'searchnodes',
         'sensors',
         'standalone',
         'beats_endpoint',
         'beats_endpoint_ssl',
         'elasticsearch_rest',
         'elastic_agent_endpoint',
         'endgame',
         'strelka_frontend',
         'syslog'
       ]
 %}
 {% for hg in hostgroup_list %}
-{%   import_text 'firewall/hostgroups/' ~ hg as hg_ips %}
+{%   import_text hg as hg_ips %}
-{%   do local_hostgroups.firewall.hostgroups.update({hg: {'ips': {'insert': hg_ips.split(), 'delete': []}}}) %}
+{%   do local_hostgroups.firewall.hostgroups.update({hg.split('/')[2]: {'ips': {'insert': hg_ips.split(), 'delete': []}}}) %}
 {% endfor %}
-{% set hostgroups = salt['defaults.merge'](default_hostgroups.firewall.hostgroups, local_hostgroups.firewall.hostgroups, in_place=False) %}
+{% set hostgroups = local_hostgroups.firewall.hostgroups %}
 {# This block translate the portgroups defined in the pillar to what is defined my portgroups.yaml and portgroups.local.yaml #}
 {% if salt['pillar.get']('firewall:assigned_hostgroups:chain') %}
--- a/salt/firewall/portgroups/portgroups.yaml
+++ b/salt/firewall/portgroups/portgroups.yaml
@@ -1,552 +0,0 @@
 role:
  eval:
    chain:
      DOCKER-USER:
        hostgroups:
          manager:
            portgroups:
              - playbook
              - mysql
              - kibana
              - redis
              - minio
              - influxdb
              - cortex
              - elasticsearch_rest
              - elasticsearch_node
              - cortex_es_rest
              - cortex_es_node
          minion:
            portgroups:
              - acng
              - docker_registry
              - influxdb
              - sensoroni
          sensor:
            portgroups:
              - beats_5044
              - beats_5644
          search_node:
            portgroups:
              - redis
              - minio
              - elasticsearch_node
          heavy_node:
            portgroups:
              - redis
              - minio
              - elasticsearch_node
          self:
            portgroups:
              - syslog
          beats_endpoint:
            portgroups:
              - beats_5044
          beats_endpoint_ssl:
            portgroups:
              - beats_5644
          elasticsearch_rest:
            portgroups:
              - elasticsearch_rest
          elastic_agent_endpoint:
            portgroups:
              - elastic_agent_control
              - elastic_agent_data
          strelka_frontend:
            portgroups:
              - strelka_frontend
          syslog:
            portgroups:
              - syslog
          analyst:
            portgroups:
              - nginx
      INPUT:
        hostgroups:
          anywhere:
            portgroups:
              - ssh
          dockernet:
            portgroups:
              - all
          localhost:
            portgroups:
              - all
          minion:
            portgroups:
              - salt_manager
  manager:
    chain:
      DOCKER-USER:
        hostgroups:
          manager:
            portgroups:
              - playbook
              - mysql
              - kibana
              - redis
              - minio
              - influxdb
              - cortex
              - elasticsearch_rest
              - elasticsearch_node
              - cortex_es_rest
              - cortex_es_node
          minion:
            portgroups:
              - acng
              - docker_registry
              - influxdb
              - sensoroni
              - yum
          sensor:
            portgroups:
              - beats_5044
              - beats_5644
          search_node:
            portgroups:
              - redis
              - minio
              - elasticsearch_node
              - beats_5644
          heavy_node:
            portgroups:
              - redis
              - minio
              - elasticsearch_node
              - beats_5644
          self:
            portgroups:
              - syslog
          syslog:
            portgroups:
              - syslog
          beats_endpoint:
            portgroups:
              - beats_5044
          beats_endpoint_ssl:
            portgroups:
              - beats_5644
          elasticsearch_rest:
            portgroups:
              - elasticsearch_rest
          endgame:
            portgroups:
              - endgame
          analyst:
            portgroups:
              - nginx
      INPUT:
        hostgroups:
          anywhere:
            portgroups:
              - ssh
          dockernet:
            portgroups:
              - all
          localhost:
            portgroups:
              - all
          minion:
            portgroups:
              - salt_manager
  managersearch:
    chain:
      DOCKER-USER:
        hostgroups:
          manager:
            portgroups:
              - playbook
              - mysql
              - kibana
              - redis
              - minio
              - influxdb
              - cortex
              - elasticsearch_rest
              - elasticsearch_node
              - cortex_es_rest
              - cortex_es_node
          minion:
            portgroups:
              - acng
              - docker_registry
              - influxdb
              - sensoroni
              - yum
          sensor:
            portgroups:
              - beats_5044
              - beats_5644
          search_node:
            portgroups:
              - redis
              - minio
              - elasticsearch_node
          heavy_node:
            portgroups:
              - redis
              - minio
              - elasticsearch_node
          self:
            portgroups:
              - syslog}}
          beats_endpoint:
            portgroups:
              - beats_5044
          beats_endpoint_ssl:
            portgroups:
              - beats_5644
          elasticsearch_rest:
            portgroups:
              - elasticsearch_rest
          elastic_agent_endpoint:
            portgroups:
              - elastic_agent_control
              - elastic_agent_data
          endgame:
            portgroups:
              - endgame
          syslog:
            portgroups:
              - syslog
          analyst:
            portgroups:
              - nginx
      INPUT:
        hostgroups:
          anywhere:
            portgroups:
              - ssh
          dockernet:
            portgroups:
              - all
          localhost:
            portgroups:
              - all
          minion:
            portgroups:
              - salt_manager
  standalone:
    chain:
      DOCKER-USER:
        hostgroups:
          manager:
            portgroups:
              - playbook
              - mysql
              - kibana
              - redis
              - minio
              - influxdb
              - cortex
              - elasticsearch_rest
              - elasticsearch_node
              - cortex_es_rest
              - cortex_es_node
          minion:
            portgroups:
              - acng
              - docker_registry
              - influxdb
              - sensoroni
              - yum              
          sensor:
            portgroups:
              - beats_5044
              - beats_5644
          search_node:
            portgroups:
              - redis
              - minio
              - elasticsearch_node
          heavy_node:
            portgroups:
              - redis
              - minio
              - elasticsearch_node
          self:
            portgroups:
              - syslog}}
          beats_endpoint:
            portgroups:
              - beats_5044
          beats_endpoint_ssl:
            portgroups:
              - beats_5644
          elasticsearch_rest:
            portgroups:
              - elasticsearch_rest
          elastic_agent_endpoint:
            portgroups:
              - elastic_agent_control
              - elastic_agent_data
          endgame:
            portgroups:
              - endgame
          strelka_frontend:
            portgroups:
              - strelka_frontend
          syslog:
            portgroups:
              - syslog
          analyst:
            portgroups:
              - nginx
      INPUT:
        hostgroups:
          anywhere:
            portgroups:
              - ssh
          dockernet:
            portgroups:
              - all
          localhost:
            portgroups:
              - all
          minion:
            portgroups:
              - salt_manager
  helixsensor:
    chain:
      DOCKER-USER:
        hostgroups:
          manager:
            portgroups:
              - playbook
              - mysql
              - kibana
              - redis
              - influxdb
              - cortex
              - elasticsearch_rest
              - elasticsearch_node
              - cortex_es_rest
              - cortex_es_node
          minion:
            portgroups:
              - acng
              - docker_registry
              - influxdb
              - sensoroni
          sensor:
            portgroups:
              - beats_5044
              - beats_5644
          search_node:
            portgroups:
              - redis
              - elasticsearch_node
          self:
            portgroups:
              - syslog}}
          beats_endpoint:
            portgroups:
              - beats_5044
          analyst:
            portgroups:
              - nginx
      INPUT:
        hostgroups:
          anywhere:
            portgroups:
              - ssh
          dockernet:
            portgroups:
              - all
          localhost:
            portgroups:
              - all
          minion:
            portgroups:
              - salt_manager
  searchnode:
    chain:
      DOCKER-USER:
        hostgroups:
          manager:
            portgroups:
              - elasticsearch_node
              - elasticsearch_rest
          dockernet:
            portgroups:
              - elasticsearch_node
              - elasticsearch_rest
          elasticsearch_rest:
            portgroups:
              - elasticsearch_rest
          search_node:
            portgroups:
              - elasticsearch_node
          self:
            portgroups:
              - syslog
      INPUT:
        hostgroups:
          anywhere:
            portgroups:
              - ssh
          dockernet:
            portgroups:
              - all
          localhost:
            portgroups:
              - all
  sensor:
    chain:
      DOCKER-USER:
        hostgroups:
          self:
            portgroups:
              - syslog
          strelka_frontend:
            portgroups:
              - strelka_frontend
      INPUT:
        hostgroups:
          anywhere:
            portgroups:
              - ssh
          dockernet:
            portgroups:
              - all
          localhost:
            portgroups:
              - all
  heavynode:
    chain:
      DOCKER-USER:
        hostgroups:
          manager:
            portgroups:
              - elasticsearch_node
              - elasticsearch_rest
          dockernet:
            portgroups:
              - elasticsearch_node
              - elasticsearch_rest
          elasticsearch_rest:
            portgroups:
              - elasticsearch_rest
          self:
            portgroups:
              - syslog
          strelka_frontend:
            portgroups:
              - strelka_frontend
      INPUT:
        hostgroups:
          anywhere:
            portgroups:
              - ssh
          dockernet:
            portgroups:
              - all
          localhost:
            portgroups:
              - all
  import:
    chain:
      DOCKER-USER:
        hostgroups:
          manager:
            portgroups:
              - kibana
              - redis
              - influxdb
              - elasticsearch_rest
              - elasticsearch_node
          minion:
            portgroups:
              - docker_registry
              - sensoroni
          sensor:
            portgroups:
              - beats_5044
              - beats_5644
          search_node:
            portgroups:
              - redis
              - elasticsearch_node
          beats_endpoint:
            portgroups:
              - beats_5044
          beats_endpoint_ssl:
            portgroups:
              - beats_5644
          elasticsearch_rest:
            portgroups:
              - elasticsearch_rest
          analyst:
            portgroups:
              - nginx
      INPUT:
        hostgroups:
          anywhere:
            portgroups:
              - ssh
          dockernet:
            portgroups:
              - all
          localhost:
            portgroups:
              - all
          minion:
            portgroups:
              - salt_manager
  receiver:
    chain:
      DOCKER-USER:
        hostgroups:
          sensor:
            portgroups:
              - beats_5644
          search_node:
            portgroups:
              - redis
              - beats_5644
          self:
            portgroups:
              - redis
              - syslog
              - beats_5644
          syslog:
            portgroups:
              - syslog
          beats_endpoint:
            portgroups:
              - beats_5044
          beats_endpoint_ssl:
            portgroups:
              - beats_5644
          endgame:
            portgroups:
              - endgame
      INPUT:
        hostgroups:
          anywhere:
            portgroups:
              - ssh
          dockernet:
            portgroups:
              - all
          localhost:
            portgroups:
              - all
  idh:
    chain:
      INPUT:
        hostgroups:
          anywhere:
            portgroups:
              - ssh
          dockernet:
            portgroups:
              - all
          localhost:
            portgroups:
              - all
          manager:
            portgroups:
              - ssh
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -1181,7 +1181,7 @@ firewall_generate_templates() {
 	local firewall_pillar_path=$local_salt_dir/salt/firewall
 	logCmd "mkdir -p $firewall_pillar_path"
-	logCmd "cp ../files/firewall/* /opt/so/saltstack/local/salt/firewall/"
+	logCmd "cp -r ../files/firewall/* /opt/so/saltstack/local/salt/firewall/"
    # i think this can be commented out for 2.4
 	#for i in analyst beats_endpoint endgame sensors manager managersearch elastic_agent_endpoint searchnodes; do
		`@@ -0,0 +1,2 @@`
							`{% from 'docker/docker.map.jinja' import DOCKER -%}`
							`{{ DOCKER.sorange }}`
		`@@ -0,0 +1,2 @@`
							`{% from 'vars/globals.map.jinja' import GLOBALS -%}`
							`{{ GLOBALS.node_ip }}`