diff --git a/pillar/firewall/ports.sls b/pillar/firewall/ports.sls
index 1e0be460b..c10554fce 100644
--- a/pillar/firewall/ports.sls
+++ b/pillar/firewall/ports.sls
@@ -26,6 +26,7 @@ firewall:
 - 4200
 - 5601
 - 6379
+ - 7788
 - 8086
 - 8090
 - 9001
diff --git a/salt/firewall/assigned_hostgroups.map.yaml b/salt/firewall/assigned_hostgroups.map.yaml
index 0105542ad..4c05f2241 100644
--- a/salt/firewall/assigned_hostgroups.map.yaml
+++ b/salt/firewall/assigned_hostgroups.map.yaml
@@ -1,3 +1,4 @@
+{% set ISAIRGAP = salt['pillar.get']('global:airgap', 'False') %}
 {% import_yaml 'firewall/portgroups.yaml' as portgroups %}
 {% set portgroups = portgroups.firewall.aliases.ports %}
@@ -109,6 +110,9 @@ role:
 - {{ portgroups.elasticsearch_node }}
 - {{ portgroups.cortex_es_rest }}
 - {{ portgroups.cortex_es_node }}
+ {% if ISAIRGAP is sameas true %}
+ - {{ portgroups.agrules }}
+ {% endif %}
 minion:
 portgroups:
 - {{ portgroups.acng }}
@@ -117,7 +121,9 @@ role:
 - {{ portgroups.influxdb }}
 - {{ portgroups.wazuh_api }}
 - {{ portgroups.fleet_api }}
+ {% if ISAIRGAP is sameas true %}
 - {{ portgroups.yum }}
+ {% endif %}
 sensor:
 portgroups:
 - {{ portgroups.sensoroni }}
diff --git a/salt/firewall/portgroups.yaml b/salt/firewall/portgroups.yaml
index 177f35fdd..55a09c6bf 100644
--- a/salt/firewall/portgroups.yaml
+++ b/salt/firewall/portgroups.yaml
@@ -9,6 +9,9 @@ firewall:
 acng:
 tcp:
 - 3142
+ agrules:
+ tcp:
+ - 7788
 beats_5044:
 tcp:
 - 5044
diff --git a/salt/idstools/etc/rulecat.conf b/salt/idstools/etc/rulecat.conf
index bdea850aa..a7e28afd3 100644
--- a/salt/idstools/etc/rulecat.conf
+++ b/salt/idstools/etc/rulecat.conf
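Review bot: `ISAIRGAP` is read with the string default `'False'` but tested with `is sameas true`, so only a pillar value that is the YAML boolean `true` ever enables the `agrules` port group; a `global:airgap` set as the string `'true'` or `'True'` silently leaves the port closed. The same default-versus-test mismatch already exists in the rulecat.conf context lines, so the convention is consistent, but a boolean default states the intent plainly: `{% set ISAIRGAP = salt['pillar.get']('global:airgap', False) %}`. The role this `portgroups` list belongs to starts above the hunk, and the two `{% if %}` wrappers in the second hunk of this file follow the same pattern.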
@@ -2,10 +2,11 @@
 {%- set RULESET = salt['pillar.get']('idstools:config:ruleset') -%}
 {%- set OINKCODE = salt['pillar.get']('idstools:config:oinkcode', '' ) -%}
 {%- set ISAIRGAP = salt['pillar.get']('global:airgap', 'False') -%}
-{% if ISAIRGAP is sameas true %}
+{%- set MANAGERIP = salt['pillar.get']('global:managerip', '') -%}
+{%- if ISAIRGAP is sameas true -%}
 --merged=/opt/so/rules/nids/all.rules
 --local=/opt/so/rules/nids/local.rules
---local=/opt/so/rules/nids/emerging-all.rules
+--url=http://{{ MANAGERIP }}/repo/rules/emerging-all.rules
 --disable=/opt/so/idstools/etc/disable.conf
 --enable=/opt/so/idstools/etc/enable.conf
 --modify=/opt/so/idstools/etc/modify.conf
@@ -24,8 +25,8 @@
 --url=https://www.snort.org/rules/snortrules-snapshot-2983.tar.gz?oinkcode={{ OINKCODE }}
 {%- endif -%}
 {%- endif -%}
-{%- if URLS != None %}
-{%- for URL in URLS %}
+{%- if URLS != None -%}
+{%- for URL in URLS -%}
 --url={{ URL }}
-{%- endfor %}
-{%- endif %}
+{%- endfor -%}
+{%- endif -%}
diff --git a/salt/nginx/etc/nginx.conf.so-manager b/salt/nginx/etc/nginx.conf.so-manager
index 76de6de2d..7118c196a 100644
--- a/salt/nginx/etc/nginx.conf.so-manager
+++ b/salt/nginx/etc/nginx.conf.so-manager
@@ -67,6 +67,22 @@ http {
 server_name _;
 return 301 https://$host$request_uri;
 }
+ {%- if ISAIRGAP is sameas true %}
+ server {
+ listen 7788;
+ server_name _;
+ root /opt/socore/html/repo
+ location /rules/ {
+ allow all;
+ sendfile on;
+ sendfile_max_chunk 1m;
+ autoindex on;
+ autoindex_exact_size off;
+ autoindex_format html;
+ autoindex_localtime on;
+ }
+ }
+ {%- endif %}
 {% if FLEET_MANAGER %}
 server {
diff --git a/setup/so-functions b/setup/so-functions
index de98543a5..2bcae4a30 100755
--- a/setup/so-functions
+++ b/setup/so-functions
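Review bot: The new `--url=http://{{ MANAGERIP }}/repo/rules/emerging-all.rules` does not line up with the listener added in the nginx hunk of this commit: it carries no port and requests `/repo/rules/`, while the new server listens on 7788 and only serves `location /rules/`. As written the fetch goes to port 80, where the context shown in the nginx hunk returns a 301 to HTTPS, so the rule download depends on whatever the HTTPS vhost (outside this diff) serves under `/repo/`. If the 7788 listener is the intended source the line should read `--url=http://{{ MANAGERIP }}:7788/rules/emerging-all.rules`. `global:managerip` also defaults to `''`, which renders `http:///repo/...`; wrapping the line in `{%- if MANAGERIP -%}` … `{%- endif -%}` (or failing the render) makes a missing pillar visible instead of producing a malformed URL.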
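Review bot: Adding `-%}` to the `if`, `for`, `endfor` and `endif` tags strips the newlines on both sides of `--url={{ URL }}`, so with more than one entry in `URLS` the rendered options are concatenated onto a single line (`--url=A--url=B`), and the first one is glued onto the preceding option because the `{%- endif -%}` above already strips its trailing newline. If this file is consumed one option per line, as the rest of it is laid out, that breaks every custom URL; keeping `{%- for URL in URLS %}` and `{%- endfor %}` as they were (no trailing `-`) restores one line per URL. `URLS` is defined above the hunk, so how many entries it can hold is not visible here.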
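Review bot: `root /opt/socore/html/repo` is missing its terminating semicolon, so nginx will refuse to load this file whenever the airgap branch renders; the line should be `root /opt/socore/html/repo;`. The block also exposes a directory listing over plain HTTP to any client (`allow all;` together with `autoindex on;`), so the only access control on the rule repository is the `agrules` firewall port group assigned elsewhere in this commit — worth confirming that group is limited to the node roles that actually fetch rules. The enclosing `http {` block starts and ends outside the hunk.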
@@ -48,8 +48,8 @@ logCmd() {
 airgap_rules() {
 # Copy the rules for suricata if using Airgap
- mkdir -p /opt/so/rules/nids
- cp -v /root/SecurityOnion/agrules/emerging-all.rules /opt/so/rules/nids/
+ mkdir -p /nsm/repo/rules
+ cp -v /root/SecurityOnion/agrules/emerging-all.rules /nsm/repo/rules/
 }
 analyze_system() {
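Review bot: The rules are now copied to `/nsm/repo/rules/`, but the nginx listener added in this commit serves from `root /opt/socore/html/repo`; nothing in the diff shows a mount or symlink joining the two paths, so either that mapping must already exist for the manager's nginx or the file will 404 under the new URL. If the mapping is intended, a comment above the `mkdir` such as `# /nsm/repo is expected to be mounted as /opt/socore/html/repo for nginx (see nginx.conf.so-manager)` would save the next reader the search. The function is complete within the hunk.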