Add Firewall Logic

pillar/firewall/ports.sls

@@ -26,6 +26,7 @@ firewall:
         - 4200
         - 5601
         - 6379
+        - 7788
         - 8086
         - 8090
         - 9001

salt/firewall/assigned_hostgroups.map.yaml

@@ -1,3 +1,4 @@
+{% set ISAIRGAP = salt['pillar.get']('global:airgap', 'False') %}
 {% import_yaml 'firewall/portgroups.yaml' as portgroups %}
 {% set portgroups = portgroups.firewall.aliases.ports %}
 
@@ -109,6 +110,9 @@ role:
               - {{ portgroups.elasticsearch_node }}
               - {{ portgroups.cortex_es_rest }}
               - {{ portgroups.cortex_es_node }}
+              {% if ISAIRGAP is sameas true %}
+              - {{ portgroups.agrules }}
+              {% endif %}
           minion:
             portgroups:
               - {{ portgroups.acng }}
@@ -117,7 +121,9 @@ role:
               - {{ portgroups.influxdb }}
               - {{ portgroups.wazuh_api }}
               - {{ portgroups.fleet_api }}
+              {% if ISAIRGAP is sameas true %}
               - {{ portgroups.yum }}
+              {% endif %}
           sensor:
             portgroups:
               - {{ portgroups.sensoroni }}

salt/firewall/portgroups.yaml

@@ -9,6 +9,9 @@ firewall:
       acng:
         tcp:
           - 3142
+      agrules:
+        tcp:
+          - 7788
       beats_5044:
         tcp:
           - 5044

salt/idstools/etc/rulecat.conf

@@ -2,10 +2,11 @@
 {%- set RULESET = salt['pillar.get']('idstools:config:ruleset') -%}
 {%- set OINKCODE = salt['pillar.get']('idstools:config:oinkcode', '' ) -%}
 {%- set ISAIRGAP = salt['pillar.get']('global:airgap', 'False') -%}
-{% if ISAIRGAP is sameas true %}
+{%- set MANAGERIP = salt['pillar.get']('global:managerip', '') -%}
+{%- if ISAIRGAP is sameas true -%}
 --merged=/opt/so/rules/nids/all.rules
 --local=/opt/so/rules/nids/local.rules
---local=/opt/so/rules/nids/emerging-all.rules
+--url=http://{{ MANAGERIP }}/repo/rules/emerging-all.rules
 --disable=/opt/so/idstools/etc/disable.conf
 --enable=/opt/so/idstools/etc/enable.conf
 --modify=/opt/so/idstools/etc/modify.conf
@@ -24,8 +25,8 @@
 --url=https://www.snort.org/rules/snortrules-snapshot-2983.tar.gz?oinkcode={{ OINKCODE }}
   {%- endif -%}
 {%- endif -%}
-{%- if URLS != None %}
+{%- if URLS != None -%}
-{%- for URL in URLS %}
+{%- for URL in URLS -%}
 --url={{ URL }}
-{%- endfor %}
+{%- endfor -%}
-{%- endif %}
+{%- endif -%}

salt/nginx/etc/nginx.conf.so-manager

@@ -67,6 +67,22 @@ http {
 			server_name _;
 			return 301 https://$host$request_uri;
 	}
+	{%- if ISAIRGAP is sameas true %}
+	server {
+		    listen 7788;
+			server_name _;
+			root /opt/socore/html/repo
+			location /rules/ {
+                allow all;
+                sendfile on;
+                sendfile_max_chunk 1m;
+                autoindex on;
+                autoindex_exact_size off;
+                autoindex_format html;
+                autoindex_localtime on;
+			}
+	}
+	{%- endif %}
 
 {% if FLEET_MANAGER %}
 	server {

setup/so-functions

@@ -48,8 +48,8 @@ logCmd() {
 
 airgap_rules() {
 	# Copy the rules for suricata if using Airgap
-	mkdir -p /opt/so/rules/nids
+	mkdir -p /nsm/repo/rules
-	cp -v /root/SecurityOnion/agrules/emerging-all.rules /opt/so/rules/nids/
+	cp -v /root/SecurityOnion/agrules/emerging-all.rules /nsm/repo/rules/
 }
 
 analyze_system() {