fw rework for ui, still need to add idh to map

This commit is contained in:
m0duspwnens
2023-04-28 15:30:18 -04:00
parent 288b5ac4d2
commit 725f5414ba
32 changed files with 2070 additions and 927 deletions


@@ -1,607 +0,0 @@
{% set ISAIRGAP = salt['pillar.get']('global:airgap', 'False') %}
{% import_yaml 'firewall/ports/ports.yaml' as portgroups %}
{% set portgroups = portgroups.firewall.ports %}
{% set TRUE_CLUSTER = salt['pillar.get']('elasticsearch:true_cluster', True) %}
{% from 'idh/opencanary_config.map.jinja' import IDH_PORTGROUPS %}
role:
eval:
chain:
DOCKER-USER:
hostgroups:
eval:
portgroups:
- {{ portgroups.playbook }}
- {{ portgroups.mysql }}
- {{ portgroups.kibana }}
- {{ portgroups.redis }}
- {{ portgroups.influxdb }}
- {{ portgroups.elasticsearch_rest }}
- {{ portgroups.elasticsearch_node }}
sensors:
portgroups:
- {{ portgroups.beats_5044 }}
- {{ portgroups.beats_5644 }}
searchnodes:
portgroups:
- {{ portgroups.redis }}
- {{ portgroups.elasticsearch_node }}
heavynodes:
portgroups:
- {{ portgroups.redis }}
- {{ portgroups.elasticsearch_node }}
self:
portgroups:
- {{ portgroups.syslog}}
beats_endpoint:
portgroups:
- {{ portgroups.beats_5044 }}
beats_endpoint_ssl:
portgroups:
- {{ portgroups.beats_5644 }}
elasticsearch_rest:
portgroups:
- {{ portgroups.elasticsearch_rest }}
elastic_agent_endpoint:
portgroups:
- {{ portgroups.elastic_agent_control }}
- {{ portgroups.elastic_agent_data }}
strelka_frontend:
portgroups:
- {{ portgroups.strelka_frontend }}
syslog:
portgroups:
- {{ portgroups.syslog }}
analyst:
portgroups:
- {{ portgroups.nginx }}
INPUT:
hostgroups:
anywhere:
portgroups:
- {{ portgroups.ssh }}
dockernet:
portgroups:
- {{ portgroups.all }}
localhost:
portgroups:
- {{ portgroups.all }}
fleet:
chain:
DOCKER-USER:
hostgroups:
sensors:
portgroups:
- {{ portgroups.elastic_agent_control }}
- {{ portgroups.elastic_agent_data }}
elastic_agent_endpoint:
portgroups:
- {{ portgroups.elastic_agent_control }}
- {{ portgroups.elastic_agent_data }}
INPUT:
hostgroups:
anywhere:
portgroups:
- {{ portgroups.ssh }}
dockernet:
portgroups:
- {{ portgroups.all }}
localhost:
portgroups:
- {{ portgroups.all }}
standalone:
portgroups:
- {{ portgroups.salt_manager }}
sensors:
portgroups:
- {{ portgroups.salt_manager }}
searchnodes:
portgroups:
- {{ portgroups.salt_manager }}
heavynodes:
portgroups:
- {{ portgroups.salt_manager }}
manager:
chain:
DOCKER-USER:
hostgroups:
manager:
portgroups:
- {{ portgroups.playbook }}
- {{ portgroups.mysql }}
- {{ portgroups.kibana }}
- {{ portgroups.redis }}
- {{ portgroups.influxdb }}
- {{ portgroups.elasticsearch_rest }}
- {{ portgroups.elasticsearch_node }}
- {{ portgroups.docker_registry }}
- {{ portgroups.elastic_agent_control }}
- {{ portgroups.elastic_agent_data }}
{% if ISAIRGAP is sameas true %}
- {{ portgroups.agrules }}
{% endif %}
sensors:
portgroups:
- {{ portgroups.beats_5044 }}
- {{ portgroups.beats_5644 }}
- {{ portgroups.elastic_agent_control }}
- {{ portgroups.elastic_agent_data }}
- {{ portgroups.yum }}
- {{ portgroups.docker_registry }}
- {{ portgroups.influxdb }}
searchnodes:
portgroups:
- {{ portgroups.redis }}
- {{ portgroups.elasticsearch_rest }}
- {{ portgroups.elasticsearch_node }}
- {{ portgroups.beats_5644 }}
- {{ portgroups.yum }}
- {{ portgroups.docker_registry }}
- {{ portgroups.influxdb }}
- {{ portgroups.elastic_agent_control }}
- {{ portgroups.elastic_agent_data }}
heavynodes:
portgroups:
- {{ portgroups.redis }}
- {{ portgroups.elasticsearch_rest }}
- {{ portgroups.elasticsearch_node }}
- {{ portgroups.beats_5644 }}
- {{ portgroups.yum }}
- {{ portgroups.docker_registry }}
- {{ portgroups.influxdb }}
- {{ portgroups.elastic_agent_control }}
- {{ portgroups.elastic_agent_data }}
self:
portgroups:
- {{ portgroups.syslog}}
syslog:
portgroups:
- {{ portgroups.syslog }}
beats_endpoint:
portgroups:
- {{ portgroups.beats_5044 }}
beats_endpoint_ssl:
portgroups:
- {{ portgroups.beats_5644 }}
elasticsearch_rest:
portgroups:
- {{ portgroups.elasticsearch_rest }}
elastic_agent_endpoint:
portgroups:
- {{ portgroups.elastic_agent_control }}
- {{ portgroups.elastic_agent_data }}
endgame:
portgroups:
- {{ portgroups.endgame }}
analyst:
portgroups:
- {{ portgroups.nginx }}
INPUT:
hostgroups:
anywhere:
portgroups:
- {{ portgroups.ssh }}
dockernet:
portgroups:
- {{ portgroups.all }}
localhost:
portgroups:
- {{ portgroups.all }}
sensors:
portgroups:
- {{ portgroups.salt_manager }}
searchnodes:
portgroups:
- {{ portgroups.salt_manager }}
heavynodes:
portgroups:
- {{ portgroups.salt_manager }}
managersearch:
chain:
DOCKER-USER:
hostgroups:
managersearch:
portgroups:
- {{ portgroups.playbook }}
- {{ portgroups.mysql }}
- {{ portgroups.kibana }}
- {{ portgroups.redis }}
- {{ portgroups.influxdb }}
- {{ portgroups.elasticsearch_rest }}
- {{ portgroups.elasticsearch_node }}
- {{ portgroups.docker_registry }}
- {{ portgroups.elastic_agent_control }}
- {{ portgroups.elastic_agent_data }}
sensors:
portgroups:
- {{ portgroups.beats_5044 }}
- {{ portgroups.beats_5644 }}
- {{ portgroups.elastic_agent_control }}
- {{ portgroups.elastic_agent_data }}
- {{ portgroups.yum }}
- {{ portgroups.docker_registry }}
- {{ portgroups.influxdb }}
searchnodes:
portgroups:
- {{ portgroups.redis }}
- {{ portgroups.elasticsearch_rest }}
- {{ portgroups.elasticsearch_node }}
- {{ portgroups.yum }}
- {{ portgroups.docker_registry }}
- {{ portgroups.influxdb }}
- {{ portgroups.elastic_agent_control }}
- {{ portgroups.elastic_agent_data }}
heavynodes:
portgroups:
- {{ portgroups.redis }}
- {{ portgroups.elasticsearch_rest }}
- {{ portgroups.elasticsearch_node }}
- {{ portgroups.yum }}
- {{ portgroups.docker_registry }}
- {{ portgroups.influxdb }}
- {{ portgroups.elastic_agent_control }}
- {{ portgroups.elastic_agent_data }}
self:
portgroups:
- {{ portgroups.syslog}}
beats_endpoint:
portgroups:
- {{ portgroups.beats_5044 }}
beats_endpoint_ssl:
portgroups:
- {{ portgroups.beats_5644 }}
elasticsearch_rest:
portgroups:
- {{ portgroups.elasticsearch_rest }}
elastic_agent_endpoint:
portgroups:
- {{ portgroups.elastic_agent_control }}
- {{ portgroups.elastic_agent_data }}
endgame:
portgroups:
- {{ portgroups.endgame }}
syslog:
portgroups:
- {{ portgroups.syslog }}
analyst:
portgroups:
- {{ portgroups.nginx }}
INPUT:
hostgroups:
anywhere:
portgroups:
- {{ portgroups.ssh }}
dockernet:
portgroups:
- {{ portgroups.all }}
localhost:
portgroups:
- {{ portgroups.all }}
sensors:
portgroups:
- {{ portgroups.salt_manager }}
searchnodes:
portgroups:
- {{ portgroups.salt_manager }}
heavynodes:
portgroups:
- {{ portgroups.salt_manager }}
standalone:
chain:
DOCKER-USER:
hostgroups:
localhost:
portgroups:
- {{ portgroups.all }}
standalone:
portgroups:
- {{ portgroups.playbook }}
- {{ portgroups.mysql }}
- {{ portgroups.kibana }}
- {{ portgroups.redis }}
- {{ portgroups.influxdb }}
- {{ portgroups.elasticsearch_rest }}
- {{ portgroups.elasticsearch_node }}
- {{ portgroups.docker_registry }}
- {{ portgroups.sensoroni }}
- {{ portgroups.yum }}
- {{ portgroups.beats_5044 }}
- {{ portgroups.beats_5644 }}
- {{ portgroups.beats_5056 }}
- {{ portgroups.redis }}
- {{ portgroups.elasticsearch_node }}
- {{ portgroups.elastic_agent_control }}
- {{ portgroups.elastic_agent_data }}
- {{ portgroups.endgame }}
- {{ portgroups.strelka_frontend }}
fleet:
portgroups:
- {{ portgroups.elasticsearch_rest }}
- {{ portgroups.docker_registry }}
- {{ portgroups.influxdb }}
- {{ portgroups.sensoroni }}
- {{ portgroups.yum }}
- {{ portgroups.beats_5044 }}
- {{ portgroups.beats_5644 }}
- {{ portgroups.beats_5056 }}
- {{ portgroups.elastic_agent_control }}
- {{ portgroups.elastic_agent_data }}
sensors:
portgroups:
- {{ portgroups.docker_registry }}
- {{ portgroups.influxdb }}
- {{ portgroups.sensoroni }}
- {{ portgroups.yum }}
- {{ portgroups.beats_5044 }}
- {{ portgroups.beats_5644 }}
- {{ portgroups.beats_5056 }}
- {{ portgroups.elastic_agent_control }}
- {{ portgroups.elastic_agent_data }}
searchnodes:
portgroups:
- {{ portgroups.docker_registry }}
- {{ portgroups.influxdb }}
- {{ portgroups.sensoroni }}
- {{ portgroups.yum }}
- {{ portgroups.redis }}
- {{ portgroups.elasticsearch_rest }}
- {{ portgroups.elasticsearch_node }}
heavynodes:
portgroups:
- {{ portgroups.docker_registry }}
- {{ portgroups.influxdb }}
- {{ portgroups.sensoroni }}
- {{ portgroups.yum }}
- {{ portgroups.redis }}
- {{ portgroups.elasticsearch_rest }}
- {{ portgroups.elasticsearch_node }}
self:
portgroups:
- {{ portgroups.syslog}}
beats_endpoint:
portgroups:
- {{ portgroups.beats_5044 }}
beats_endpoint_ssl:
portgroups:
- {{ portgroups.beats_5644 }}
elasticsearch_rest:
portgroups:
- {{ portgroups.elasticsearch_rest }}
elastic_agent_endpoint:
portgroups:
- {{ portgroups.elastic_agent_control }}
- {{ portgroups.elastic_agent_data }}
endgame:
portgroups:
- {{ portgroups.endgame }}
strelka_frontend:
portgroups:
- {{ portgroups.strelka_frontend }}
syslog:
portgroups:
- {{ portgroups.syslog }}
analyst:
portgroups:
- {{ portgroups.nginx }}
INPUT:
hostgroups:
anywhere:
portgroups:
- {{ portgroups.ssh }}
dockernet:
portgroups:
- {{ portgroups.all }}
fleet:
portgroups:
- {{ portgroups.salt_manager }}
localhost:
portgroups:
- {{ portgroups.all }}
standalone:
portgroups:
- {{ portgroups.salt_manager }}
sensors:
portgroups:
- {{ portgroups.salt_manager }}
searchnodes:
portgroups:
- {{ portgroups.salt_manager }}
heavynodes:
portgroups:
- {{ portgroups.salt_manager }}
searchnode:
chain:
DOCKER-USER:
hostgroups:
manager:
portgroups:
- {{ portgroups.elasticsearch_node }}
- {{ portgroups.elasticsearch_rest }}
dockernet:
portgroups:
- {{ portgroups.elasticsearch_node }}
- {{ portgroups.elasticsearch_rest }}
elasticsearch_rest:
portgroups:
- {{ portgroups.elasticsearch_rest }}
searchnodes:
portgroups:
- {{ portgroups.elasticsearch_node }}
self:
portgroups:
- {{ portgroups.syslog}}
INPUT:
hostgroups:
anywhere:
portgroups:
- {{ portgroups.ssh }}
dockernet:
portgroups:
- {{ portgroups.all }}
localhost:
portgroups:
- {{ portgroups.all }}
sensor:
chain:
DOCKER-USER:
hostgroups:
self:
portgroups:
- {{ portgroups.syslog}}
strelka_frontend:
portgroups:
- {{ portgroups.strelka_frontend }}
INPUT:
hostgroups:
anywhere:
portgroups:
- {{ portgroups.ssh }}
dockernet:
portgroups:
- {{ portgroups.all }}
localhost:
portgroups:
- {{ portgroups.all }}
heavynode:
chain:
DOCKER-USER:
hostgroups:
manager:
portgroups:
- {{ portgroups.elasticsearch_node }}
- {{ portgroups.elasticsearch_rest }}
dockernet:
portgroups:
- {{ portgroups.elasticsearch_node }}
- {{ portgroups.elasticsearch_rest }}
elasticsearch_rest:
portgroups:
- {{ portgroups.elasticsearch_rest }}
self:
portgroups:
- {{ portgroups.syslog}}
- {{ portgroups.elasticsearch_node }}
- {{ portgroups.elasticsearch_rest }}
strelka_frontend:
portgroups:
- {{ portgroups.strelka_frontend }}
INPUT:
hostgroups:
anywhere:
portgroups:
- {{ portgroups.ssh }}
dockernet:
portgroups:
- {{ portgroups.all }}
localhost:
portgroups:
- {{ portgroups.all }}
import:
chain:
DOCKER-USER:
hostgroups:
manager:
portgroups:
- {{ portgroups.kibana }}
- {{ portgroups.redis }}
- {{ portgroups.influxdb }}
- {{ portgroups.elasticsearch_rest }}
- {{ portgroups.elasticsearch_node }}
- {{ portgroups.elastic_agent_control }}
sensors:
portgroups:
- {{ portgroups.beats_5044 }}
- {{ portgroups.beats_5644 }}
searchnodes:
portgroups:
- {{ portgroups.redis }}
- {{ portgroups.elasticsearch_node }}
beats_endpoint:
portgroups:
- {{ portgroups.beats_5044 }}
beats_endpoint_ssl:
portgroups:
- {{ portgroups.beats_5644 }}
elasticsearch_rest:
portgroups:
- {{ portgroups.elasticsearch_rest }}
elastic_agent_endpoint:
portgroups:
- {{ portgroups.elastic_agent_control }}
- {{ portgroups.elastic_agent_data }}
analyst:
portgroups:
- {{ portgroups.nginx }}
INPUT:
hostgroups:
anywhere:
portgroups:
- {{ portgroups.ssh }}
dockernet:
portgroups:
- {{ portgroups.all }}
localhost:
portgroups:
- {{ portgroups.all }}
receiver:
chain:
DOCKER-USER:
hostgroups:
sensors:
portgroups:
- {{ portgroups.beats_5644 }}
searchnodes:
portgroups:
- {{ portgroups.redis }}
- {{ portgroups.beats_5644 }}
self:
portgroups:
- {{ portgroups.redis }}
- {{ portgroups.syslog}}
- {{ portgroups.beats_5644 }}
syslog:
portgroups:
- {{ portgroups.syslog }}
beats_endpoint:
portgroups:
- {{ portgroups.beats_5044 }}
beats_endpoint_ssl:
portgroups:
- {{ portgroups.beats_5644 }}
endgame:
portgroups:
- {{ portgroups.endgame }}
INPUT:
hostgroups:
anywhere:
portgroups:
- {{ portgroups.ssh }}
dockernet:
portgroups:
- {{ portgroups.all }}
localhost:
portgroups:
- {{ portgroups.all }}
idh:
chain:
INPUT:
hostgroups:
anywhere:
portgroups:
{% for service in IDH_PORTGROUPS.keys() %}
{% if service != 'openssh' %}
- {{ IDH_PORTGROUPS[service] }}
{% endif %}
{% endfor %}
dockernet:
portgroups:
- {{ portgroups.all }}
localhost:
portgroups:
- {{ portgroups.all }}
manager:
portgroups:
- {{ IDH_PORTGROUPS.openssh }}
standalone:
portgroups:
- {{ IDH_PORTGROUPS.openssh }}

1143
salt/firewall/defaults.yaml Normal file



@@ -1 +0,0 @@
0.0.0.0/0


@@ -1,2 +0,0 @@
{% from 'docker/docker.map.jinja' import DOCKER -%}
{{ DOCKER.sorange }}


@@ -1 +0,0 @@
127.0.0.1


@@ -1,2 +0,0 @@
{% from 'vars/globals.map.jinja' import GLOBALS -%}
{{ GLOBALS.node_ip }}


@@ -1,7 +1,9 @@
{% from 'docker/docker.map.jinja' import DOCKER -%}
{% from 'firewall/containers.map.jinja' import NODE_CONTAINERS -%}
{% from 'firewall/map.jinja' import hostgroups with context -%}
{% from 'firewall/map.jinja' import assigned_hostgroups with context -%}
{%- from 'vars/globals.map.jinja' import GLOBALS %}
{%- from 'docker/docker.map.jinja' import DOCKER %}
{%- from 'firewall/map.jinja' import FIREWALL_MERGED %}
{%- set role = GLOBALS.role.split('-')[1] %}
{%- from 'firewall/containers.map.jinja' import NODE_CONTAINERS %}
{%- set PR = [] %}
{%- set D1 = [] %}
{%- set D2 = [] %}
@@ -70,24 +72,18 @@ COMMIT
:DOCKER-USER - [0:0]
:LOGGING - [0:0]
{%- set count = namespace(value=0) %}
{%- for chain, hg in assigned_hostgroups.chain.items() %}
{%- for hostgroup, portgroups in assigned_hostgroups.chain[chain].hostgroups.items() %}
{%- for action in ['insert', 'delete' ] %}
{%- if hostgroups[hostgroup].ips[action] %}
{%- for ip in hostgroups[hostgroup].ips[action] %}
{%- for portgroup in portgroups.portgroups %}
{%- for proto, ports in portgroup.items() %}
{%- for port in ports %}
{%- set count.value = count.value + 1 %}
-A {{chain}} -s {{ip}} -p {{proto}} -m {{proto}} --dport {{port}} -j ACCEPT
{%- endfor %}
{%- endfor %}
{%- endfor %}
{%- endfor %}
{%- endif %}
{%- endfor %}
{%- endfor %}
{%- for chn, hostgroups in FIREWALL_MERGED.role[role].chain.items() %}
{%- for hostgroup, portgroups in hostgroups['hostgroups'].items() %}
{%- for ip in FIREWALL_MERGED.hostgroups[hostgroup] %}
{%- for groupname in portgroups['portgroups'] %}
{%- for proto, ports in FIREWALL_MERGED['portgroups'][groupname].items() %}
{%- for port in ports %}
-A {{chn}} -s {{ip}} -p {{proto}} -m {{proto}} --dport {{port}} -j ACCEPT
{%- endfor %}
{%- endfor %}
{%- endfor %}
{%- endfor %}
{%- endfor %}
{%- endfor %}
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
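Review bot: The new loop at `{%- for ip in FIREWALL_MERGED.hostgroups[hostgroup] %}` has no guard where the removed code had `{%- if hostgroups[hostgroup].ips[action] %}`; a hostgroup left blank in the UI may arrive as YAML null rather than an empty list, and iterating None aborts rendering of the whole ruleset, as does a role referencing a hostgroup the merged config never defines. Writing it as `{%- for ip in FIREWALL_MERGED.hostgroups.get(hostgroup) or [] %}` makes an empty or missing group simply contribute no ACCEPT rules (fail closed) instead of failing the state. Note also that `{{ip}}` and `{{port}}` are emitted verbatim into `-A {{chn}} -s {{ip}} -p {{proto}} -m {{proto}} --dport {{port}} -j ACCEPT`, so a single blank or malformed entry will make iptables-restore reject the entire file; since these values now appear to come from user-editable config, skipping blanks or validating them here is worth considering. The enclosing template continues outside the hunk, and the `count` namespace on the context line above looks unused now that the counting loop was removed.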


@@ -1,62 +1,10 @@
{% from 'vars/globals.map.jinja' import GLOBALS %}
{% set role = grains.id.split('_') | last %}
{% set translated_pillar_assigned_hostgroups = {} %}
{% from 'docker/docker.map.jinja' import DOCKER %}
{% import_yaml 'firewall/defaults.yaml' as FIREWALL_DEFAULT %}
{% import_yaml 'firewall/ports/ports.yaml' as default_portgroups %}
{% set default_portgroups = default_portgroups.firewall.ports %}
{% import_yaml 'firewall/ports/ports.local.yaml' as local_portgroups %}
{% if local_portgroups.firewall.ports %}
{% set local_portgroups = local_portgroups.firewall.ports %}
{% else %}
{% set local_portgroups = {} %}
{% endif %}
{# add our ip to self #}
{% do FIREWALL_DEFAULT.firewall.hostgroups.self.append(GLOBALS.node_ip) %}
{# add dockernet range #}
{% do FIREWALL_DEFAULT.firewall.hostgroups.dockernet.append(DOCKER.sorange) %}
{% set portgroups = salt['defaults.merge'](default_portgroups, local_portgroups, in_place=False) %}
{% set defined_portgroups = portgroups %}
{% if GLOBALS.role == 'so-idh' %}
{% from 'idh/opencanary_config.map.jinja' import IDH_PORTGROUPS %}
{% do salt['defaults.merge'](defined_portgroups, IDH_PORTGROUPS, in_place=True) %}
{% endif %}
{% set local_hostgroups = {'firewall': {'hostgroups': {}}} %}
{% set hostgroup_list = salt['cp.list_master'](prefix='firewall/hostgroups') %}
{% for hg in hostgroup_list %}
{% import_text hg as hg_ips %}
{% do local_hostgroups.firewall.hostgroups.update({hg.split('/')[2]: {'ips': {'insert': hg_ips.split(), 'delete': []}}}) %}
{% endfor %}
{% set hostgroups = local_hostgroups.firewall.hostgroups %}
{# This block translate the portgroups defined in the pillar to what is defined my portgroups.yaml and portgroups.local.yaml #}
{% if salt['pillar.get']('firewall:assigned_hostgroups:chain') %}
{% set translated_pillar_assigned_hostgroups = {'chain': {}} %}
{% for chain, hg in salt['pillar.get']('firewall:assigned_hostgroups:chain').items() %}
{% for pillar_hostgroup, pillar_portgroups in salt['pillar.get']('firewall:assigned_hostgroups:chain')[chain].hostgroups.items() %}
{% if translated_pillar_assigned_hostgroups.chain[chain] is defined %}
{% do translated_pillar_assigned_hostgroups.chain[chain].hostgroups.update({pillar_hostgroup: {"portgroups": []}}) %}
{% else %}
{% do translated_pillar_assigned_hostgroups.chain.update({chain: {"hostgroups": {pillar_hostgroup: {"portgroups": []}}}}) %}
{% endif %}
{% for pillar_portgroup in pillar_portgroups.portgroups %}
{% set pillar_portgroup = pillar_portgroup.split('.') | last %}
{% do translated_pillar_assigned_hostgroups.chain[chain].hostgroups[pillar_hostgroup].portgroups.append(defined_portgroups[pillar_portgroup]) %}
{% endfor %}
{% endfor %}
{% endfor %}
{% endif %}
{% import_yaml 'firewall/assigned_hostgroups.map.yaml' as default_assigned_hostgroups %}
{% import_yaml 'firewall/assigned_hostgroups.local.map.yaml' as local_assigned_hostgroups %}
{% if local_assigned_hostgroups.role.get(role, False) %}
{% set assigned_hostgroups = salt['defaults.merge'](local_assigned_hostgroups.role[role], default_assigned_hostgroups.role[role], merge_lists=False, in_place=False) %}
{% else %}
{% set assigned_hostgroups = default_assigned_hostgroups.role[role] %}
{% endif %}
{% if translated_pillar_assigned_hostgroups %}
{% do salt['defaults.merge'](assigned_hostgroups, translated_pillar_assigned_hostgroups, merge_lists=True, in_place=True) %}
{% endif %}
{% set FIREWALL_MERGED = salt['pillar.get']('firewall', FIREWALL_DEFAULT.firewall, merge=True) %}
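Review bot: The node IP and Docker range are appended at `{% do FIREWALL_DEFAULT.firewall.hostgroups.self.append(GLOBALS.node_ip) %}` and `{% do FIREWALL_DEFAULT.firewall.hostgroups.dockernet.append(DOCKER.sorange) %}` before the pillar merge on the last line, so a pillar that supplies `firewall:hostgroups:self` or `dockernet` replaces those lists outright (pillar.get with merge=True does not merge lists unless pillar_merge_lists is enabled) and the node would silently lose its own host-to-container allow rules. Moving the two appends after `FIREWALL_MERGED` is computed, e.g. `{% do FIREWALL_MERGED.hostgroups.self.append(GLOBALS.node_ip) %}`, keeps them in place regardless of what the UI or pillar provides. The SOC annotation file elsewhere in this commit marks `self`, `dockernet` and `localhost` as readonly, but nothing in this template enforces that, so the merge should not rely on it. It may also be worth guarding `FIREWALL_MERGED.hostgroups.self` itself against a pillar null before the append, since `.append` on None fails at render time.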


@@ -1,81 +0,0 @@
firewall:
ports:
all:
tcp:
- '0:65535'
udp:
- '0:65535'
agrules:
tcp:
- 7788
beats_5044:
tcp:
- 5044
beats_5644:
tcp:
- 5644
beats_5066:
tcp:
- 5066
beats_5056:
tcp:
- 5056
docker_registry:
tcp:
- 5000
elasticsearch_node:
tcp:
- 9300
elasticsearch_rest:
tcp:
- 9200
elastic_agent_control:
tcp:
- 8220
elastic_agent_data:
tcp:
- 5055
endgame:
tcp:
- 3765
influxdb:
tcp:
- 8086
kibana:
tcp:
- 5601
mysql:
tcp:
- 3306
nginx:
tcp:
- 80
- 443
playbook:
tcp:
- 3000
redis:
tcp:
- 6379
- 9696
salt_manager:
tcp:
- 4505
- 4506
sensoroni:
tcp:
- 443
ssh:
tcp:
- 22
strelka_frontend:
tcp:
- 57314
syslog:
tcp:
- 514
udp:
- 514
yum:
tcp:
- 443


@@ -1,136 +0,0 @@
firewall:
custom_groups:
groups:
description: List of group names to create.
multiline: True
forcedType: "[]string"
global: True
title: Custom Firewall Groups
helpLink: firewall.html#host-groups
hostgroups:
analyst_workstations:
description: List of IP addresses or CIDR blocks to allow analyst workstations.
file: True
global: True
title: Analyst Workstations
helpLink: firewall.html#host-groups
analyst:
description: List of IP addresses or CIDR blocks to allow analyst connections.
file: True
global: True
title: Analyst
helpLink: firewall.html#host-groups
beats_endpoint:
description: List of IP addresses or CIDR blocks of standard beats without encryption.
file: True
global: True
title: Beats Endpoints
helpLink: firewall.html#host-groups
beats_endpoint_ssl:
description: List of IP addresses or CIDR blocks of standard beats with encryption.
file: True
global: True
title: Beats Endpoints SSL
helpLink: firewall.html#host-groups
elastic_agent_endpoint:
description: List of IP addresses or CIDR blocks for Elastic Agent connections.
file: True
global: True
title: Elastic Agents
helpLink: firewall.html#host-groups
elasticsearch_rest:
description: List of IP addresses or CIDR blocks to allow access directly to Elasticsearch.
file: True
global: True
title: Elasticsearch Rest
advanced: True
helpLink: firewall.html#host-groups
endgame:
description: List of IP addresses or CIDR blocks to allow Endgame access.
file: True
global: True
title: Endgame
advanced: True
helpLink: firewall.html#host-groups
strelka_frontend:
description: List of IP addresses or CIDR blocks to allow access to the Strelka front end.
file: True
global: True
title: Strelka Frontend
advanced: True
helpLink: firewall.html#host-groups
syslog:
description: List of IP addresses or CIDR blocks to allow syslog.
file: True
global: True
title: Syslog Endpoint Traffic
helpLink: firewall.html#host-groups
standalone:
description: List of IP addresses or CIDR blocks to allow standalone connections.
file: True
global: True
title: Standalone
advanced: True
helpLink: firewall.html#host-groups
eval:
description: List of IP addresses or CIDR blocks to allow eval connections.
file: True
global: True
title: Eval
advanced: True
helpLink: firewall.html#host-groups
idh:
description: List of IP addresses or CIDR blocks to allow idh connections.
file: True
global: True
title: IDH Nodes
helpLink: firewall.html#host-groups
manager:
description: List of IP addresses or CIDR blocks to allow manager connections.
file: True
global: True
title: Manager
advanced: True
helpLink: firewall.html#host-groups
heavynodes:
description: List of IP addresses or CIDR blocks to allow heavynode connections.
file: True
global: True
title: Heavy Nodes
helpLink: firewall.html#host-groups
searchnodes:
description: List of IP addresses or CIDR blocks to allow searchnode connections.
file: True
global: True
title: Search Nodes
helpLink: firewall.html#host-groups
sensors:
description: List of IP addresses or CIDR blocks to allow Sensor connections.
file: True
global: True
title: Sensors
helpLink: firewall.html#host-groups
receivers:
description: List of IP addresses or CIDR blocks to allow receiver connections.
file: True
global: True
title: Receivers
helpLink: firewall.html#host-groups
portgroups:
portgroups__yaml:
description: Port Groups
file: True
global: True
advanced: True
title: Port Groups
syntax: yaml
helpLink: firewall.html#function
ports:
ports__yaml:
description: Ports in YAML.
file: True
global: True
advanced: True
title: Ports
syntax: yaml
helpLink: firewall.html#port-groups


@@ -1,5 +0,0 @@
soc_firewall_yaml:
file.managed:
- name: /opt/so/saltstack/default/salt/firewall/soc_firewall.yaml
- source: salt://firewall/soc/soc_firewall.yaml.jinja
- template: jinja


@@ -1,9 +0,0 @@
{% import_yaml 'firewall/soc/defaults_soc_firewall.yaml' as DEFAULT_SOC_FIREWALL %}
{% set PILLAR_SOC_FIREWALL_GROUPS = salt['pillar.get']('firewall:custom_groups:groups', {}) %}
{% set SOC_FIREWALL = DEFAULT_SOC_FIREWALL %}
{% for group in PILLAR_SOC_FIREWALL_GROUPS %}
{% set description = 'List of IP addresses or CIDR blocks to allow for ' ~ group ~ ' hostgroup.' %}
{% set title = group[0]|upper ~ group[1:] %}
{% do SOC_FIREWALL.firewall.hostgroups.update({group:{'description': description, 'file': 'True', 'global': 'True', 'title': title, 'helpLink': 'firewall.html#host-groups'}}) %}
{% endfor %}


@@ -1,2 +0,0 @@
{% from 'firewall/soc/soc.map.jinja' import SOC_FIREWALL -%}
{{ SOC_FIREWALL | yaml(False) }}


@@ -0,0 +1,902 @@
firewall:
hostgroups:
analyst: &hostgroupsettings
description: List of IP or CIDR blocks to allow access to this hostgroup.
forcedType: "[]string"
helplink: firewall.html
multiline: True
regex: ^(([0-9]{1,3}\.){3}[0-9]{1,3}(\/([0-9]|[1-2][0-9]|3[0-2]))?)?$
regexFailureMessage: You must enter a valid IP address or CIDR.
anywhere: &hostgroupsettingsadv
description: List of IP or CIDR blocks to allow access to this hostgroup.
forcedType: "[]string"
helplink: firewall.html
multiline: True
advanced: True
regex: ^(([0-9]{1,3}\.){3}[0-9]{1,3}(\/([0-9]|[1-2][0-9]|3[0-2]))?)?$
regexFailureMessage: You must enter a valid IP address or CIDR.
beats_endpoint: *hostgroupsettings
beats_endpoint_ssl: *hostgroupsettings
dockernet: &ROhostgroupsettingsadv
description: List of IP or CIDR blocks to allow access to this hostgroup.
forcedType: "[]string"
helplink: firewall.html
multiline: True
advanced: True
readonly: True
regex: ^(([0-9]{1,3}\.){3}[0-9]{1,3}(\/([0-9]|[1-2][0-9]|3[0-2]))?)?$
regexFailureMessage: You must enter a valid IP address or CIDR.
elastic_agent_endpoint: *hostgroupsettings
elasticsearch_rest: *hostgroupsettingsadv
endgame: *hostgroupsettingsadv
eval: *hostgroupsettings
fleet: *hostgroupsettings
heavynodes: *hostgroupsettings
idh: *hostgroupsettings
localhost: *ROhostgroupsettingsadv
manager: *hostgroupsettings
receivers: *hostgroupsettings
searchnodes: *hostgroupsettings
securityonion_desktops: *hostgroupsettings
self: *ROhostgroupsettingsadv
sensors: *hostgroupsettings
standalone: *hostgroupsettings
strelka_frontend: *hostgroupsettings
syslog: *hostgroupsettings
customhostgroup1: &customhostgroupsettings
description: List of IP or CIDR blocks to allow to this hostgroup.
forcedType: "[]string"
helpLink: firewall.html
advanced: True
multiline: True
regex: ^(([0-9]{1,3}\.){3}[0-9]{1,3}(\/([0-9]|[1-2][0-9]|3[0-2]))?)?$
regexFailureMessage: You must enter a valid IP address or CIDR.
customhostgroup2: *customhostgroupsettings
customhostgroup3: *customhostgroupsettings
customhostgroup4: *customhostgroupsettings
customhostgroup5: *customhostgroupsettings
customhostgroup6: *customhostgroupsettings
customhostgroup7: *customhostgroupsettings
customhostgroup8: *customhostgroupsettings
customhostgroup9: *customhostgroupsettings
customhostgroup0: *customhostgroupsettings
portgroups:
all:
tcp: &tcpsettings
description: List of TCP ports for this port group.
forcedType: "[]string"
helplink: firewall.html
advanced: True
multiline: True
udp: &udpsettings
description: List of UDP ports for this port group.
forcedType: "[]string"
helplink: firewall.html
advanced: True
multiline: True
agrules:
tcp: *tcpsettings
udp: *udpsettings
beats_5044:
tcp: *tcpsettings
udp: *udpsettings
beats_5644:
tcp: *tcpsettings
udp: *udpsettings
beats_5066:
tcp: *tcpsettings
udp: *udpsettings
beats_5056:
tcp: *tcpsettings
udp: *udpsettings
docker_registry:
tcp: *tcpsettings
udp: *udpsettings
elasticsearch_node:
tcp: *tcpsettings
udp: *udpsettings
elasticsearch_rest:
tcp: *tcpsettings
udp: *udpsettings
elastic_agent_control:
tcp: *tcpsettings
udp: *udpsettings
elastic_agent_data:
tcp: *tcpsettings
udp: *udpsettings
endgame:
tcp: *tcpsettings
udp: *udpsettings
influxdb:
tcp: *tcpsettings
udp: *udpsettings
kibana:
tcp: *tcpsettings
udp: *udpsettings
mysql:
tcp: *tcpsettings
udp: *udpsettings
nginx:
tcp: *tcpsettings
udp: *udpsettings
playbook:
tcp: *tcpsettings
udp: *udpsettings
redis:
tcp: *tcpsettings
udp: *udpsettings
salt_manager:
tcp: *tcpsettings
udp: *udpsettings
sensoroni:
tcp: *tcpsettings
udp: *udpsettings
ssh:
tcp: *tcpsettings
udp: *udpsettings
strelka_frontend:
tcp: *tcpsettings
udp: *udpsettings
syslog:
tcp: *tcpsettings
udp: *udpsettings
yum:
tcp: *tcpsettings
udp: *udpsettings
customportgroup0:
tcp: *tcpsettings
udp: *udpsettings
customportgroup1:
tcp: *tcpsettings
udp: *udpsettings
customportgroup2:
tcp: *tcpsettings
udp: *udpsettings
customportgroup3:
tcp: *tcpsettings
udp: *udpsettings
customportgroup4:
tcp: *tcpsettings
udp: *udpsettings
customportgroup5:
tcp: *tcpsettings
udp: *udpsettings
customportgroup6:
tcp: *tcpsettings
udp: *udpsettings
customportgroup7:
tcp: *tcpsettings
udp: *udpsettings
customportgroup8:
tcp: *tcpsettings
udp: *udpsettings
customportgroup9:
tcp: *tcpsettings
udp: *udpsettings
role:
eval:
chain:
DOCKER-USER:
hostgroups:
eval:
portgroups: &portgroupsdocker
description: Portgroups to add access to the docker containers for this role.
advanced: True
multiline: True
helpLink: firewall.html
sensors:
portgroups: *portgroupsdocker
searchnodes:
portgroups: *portgroupsdocker
heavynodes:
portgroups: *portgroupsdocker
self:
portgroups: *portgroupsdocker
beats_endpoint:
portgroups: *portgroupsdocker
beats_endpoint_ssl:
portgroups: *portgroupsdocker
elasticsearch_rest:
portgroups: *portgroupsdocker
elastic_agent_endpoint:
portgroups: *portgroupsdocker
strelka_frontend:
portgroups: *portgroupsdocker
syslog:
portgroups: *portgroupsdocker
analyst:
portgroups: *portgroupsdocker
customhostgroup0:
portgroups: *portgroupsdocker
customhostgroup1:
portgroups: *portgroupsdocker
customhostgroup2:
portgroups: *portgroupsdocker
customhostgroup3:
portgroups: *portgroupsdocker
customhostgroup4:
portgroups: *portgroupsdocker
customhostgroup5:
portgroups: *portgroupsdocker
customhostgroup6:
portgroups: *portgroupsdocker
customhostgroup7:
portgroups: *portgroupsdocker
customhostgroup8:
portgroups: *portgroupsdocker
customhostgroup9:
portgroups: *portgroupsdocker
INPUT:
hostgroups:
anywhere:
portgroups: &portgroupshost
description: Portgroups to add access to the host.
advanced: True
multiline: True
helpLink: firewall.html
dockernet:
portgroups: *portgroupshost
localhost:
portgroups: *portgroupshost
customhostgroup0:
portgroups: *portgroupshost
customhostgroup1:
portgroups: *portgroupshost
customhostgroup2:
portgroups: *portgroupshost
customhostgroup3:
portgroups: *portgroupshost
customhostgroup4:
portgroups: *portgroupshost
customhostgroup5:
portgroups: *portgroupshost
customhostgroup6:
portgroups: *portgroupshost
customhostgroup7:
portgroups: *portgroupshost
customhostgroup8:
portgroups: *portgroupshost
customhostgroup9:
portgroups: *portgroupshost
fleet:
chain:
DOCKER-USER:
hostgroups:
sensors:
portgroups: *portgroupsdocker
elastic_agent_endpoint:
portgroups: *portgroupsdocker
customhostgroup0:
portgroups: *portgroupsdocker
customhostgroup1:
portgroups: *portgroupsdocker
customhostgroup2:
portgroups: *portgroupsdocker
customhostgroup3:
portgroups: *portgroupsdocker
customhostgroup4:
portgroups: *portgroupsdocker
customhostgroup5:
portgroups: *portgroupsdocker
customhostgroup6:
portgroups: *portgroupsdocker
customhostgroup7:
portgroups: *portgroupsdocker
customhostgroup8:
portgroups: *portgroupsdocker
customhostgroup9:
portgroups: *portgroupsdocker
INPUT:
hostgroups:
anywhere:
portgroups: *portgroupshost
dockernet:
portgroups: *portgroupshost
localhost:
portgroups: *portgroupsdocker
standalone:
portgroups: *portgroupshost
sensors:
portgroups: *portgroupshost
searchnodes:
portgroups: *portgroupshost
heavynodes:
portgroups: *portgroupshost
customhostgroup0:
portgroups: *portgroupshost
customhostgroup1:
portgroups: *portgroupshost
customhostgroup2:
portgroups: *portgroupshost
customhostgroup3:
portgroups: *portgroupshost
customhostgroup4:
portgroups: *portgroupshost
customhostgroup5:
portgroups: *portgroupshost
customhostgroup6:
portgroups: *portgroupshost
customhostgroup7:
portgroups: *portgroupshost
customhostgroup8:
portgroups: *portgroupshost
customhostgroup9:
portgroups: *portgroupshost
manager:
chain:
DOCKER-USER:
hostgroups:
manager:
portgroups: *portgroupsdocker
sensors:
portgroups: *portgroupsdocker
searchnodes:
portgroups: *portgroupsdocker
heavynodes:
portgroups: *portgroupsdocker
self:
portgroups: *portgroupsdocker
syslog:
portgroups: *portgroupsdocker
beats_endpoint:
portgroups: *portgroupsdocker
beats_endpoint_ssl:
portgroups: *portgroupsdocker
elasticsearch_rest:
portgroups: *portgroupsdocker
elastic_agent_endpoint:
portgroups: *portgroupsdocker
endgame:
portgroups: *portgroupsdocker
analyst:
portgroups: *portgroupsdocker
customhostgroup0:
portgroups: *portgroupsdocker
customhostgroup1:
portgroups: *portgroupsdocker
customhostgroup2:
portgroups: *portgroupsdocker
customhostgroup3:
portgroups: *portgroupsdocker
customhostgroup4:
portgroups: *portgroupsdocker
customhostgroup5:
portgroups: *portgroupsdocker
customhostgroup6:
portgroups: *portgroupsdocker
customhostgroup7:
portgroups: *portgroupsdocker
customhostgroup8:
portgroups: *portgroupsdocker
customhostgroup9:
portgroups: *portgroupsdocker
INPUT:
hostgroups:
anywhere:
portgroups: *portgroupshost
dockernet:
portgroups: *portgroupshost
localhost:
portgroups: *portgroupshost
sensors:
portgroups: *portgroupshost
searchnodes:
portgroups: *portgroupshost
heavynodes:
portgroups: *portgroupshost
customhostgroup0:
portgroups: *portgroupshost
customhostgroup1:
portgroups: *portgroupshost
customhostgroup2:
portgroups: *portgroupshost
customhostgroup3:
portgroups: *portgroupshost
customhostgroup4:
portgroups: *portgroupshost
customhostgroup5:
portgroups: *portgroupshost
customhostgroup6:
portgroups: *portgroupshost
customhostgroup7:
portgroups: *portgroupshost
customhostgroup8:
portgroups: *portgroupshost
customhostgroup9:
portgroups: *portgroupshost
managersearch:
chain:
DOCKER-USER:
hostgroups:
managersearch:
portgroups: *portgroupsdocker
sensors:
portgroups: *portgroupsdocker
searchnodes:
portgroups: *portgroupsdocker
heavynodes:
portgroups: *portgroupsdocker
self:
portgroups: *portgroupsdocker
beats_endpoint:
portgroups: *portgroupsdocker
beats_endpoint_ssl:
portgroups: *portgroupsdocker
elasticsearch_rest:
portgroups: *portgroupsdocker
elastic_agent_endpoint:
portgroups: *portgroupsdocker
endgame:
portgroups: *portgroupsdocker
syslog:
portgroups: *portgroupsdocker
analyst:
portgroups: *portgroupsdocker
customhostgroup0:
portgroups: *portgroupsdocker
customhostgroup1:
portgroups: *portgroupsdocker
customhostgroup2:
portgroups: *portgroupsdocker
customhostgroup3:
portgroups: *portgroupsdocker
customhostgroup4:
portgroups: *portgroupsdocker
customhostgroup5:
portgroups: *portgroupsdocker
customhostgroup6:
portgroups: *portgroupsdocker
customhostgroup7:
portgroups: *portgroupsdocker
customhostgroup8:
portgroups: *portgroupsdocker
customhostgroup9:
portgroups: *portgroupsdocker
INPUT:
hostgroups:
anywhere:
portgroups: *portgroupshost
dockernet:
portgroups: *portgroupshost
localhost:
portgroups: *portgroupshost
sensors:
portgroups: *portgroupshost
searchnodes:
portgroups: *portgroupshost
heavynodes:
portgroups: *portgroupshost
customhostgroup0:
portgroups: *portgroupshost
customhostgroup1:
portgroups: *portgroupshost
customhostgroup2:
portgroups: *portgroupshost
customhostgroup3:
portgroups: *portgroupshost
customhostgroup4:
portgroups: *portgroupshost
customhostgroup5:
portgroups: *portgroupshost
customhostgroup6:
portgroups: *portgroupshost
customhostgroup7:
portgroups: *portgroupshost
customhostgroup8:
portgroups: *portgroupshost
customhostgroup9:
portgroups: *portgroupshost
standalone:
chain:
DOCKER-USER:
hostgroups:
localhost:
portgroups: *portgroupsdocker
standalone:
portgroups: *portgroupsdocker
fleet:
portgroups: *portgroupsdocker
sensors:
portgroups: *portgroupsdocker
searchnodes:
portgroups: *portgroupsdocker
heavynodes:
portgroups: *portgroupsdocker
self:
portgroups: *portgroupsdocker
beats_endpoint:
portgroups: *portgroupsdocker
beats_endpoint_ssl:
portgroups: *portgroupsdocker
elasticsearch_rest:
portgroups: *portgroupsdocker
elastic_agent_endpoint:
portgroups: *portgroupsdocker
endgame:
portgroups: *portgroupsdocker
strelka_frontend:
portgroups: *portgroupsdocker
syslog:
portgroups: *portgroupsdocker
analyst:
portgroups: *portgroupsdocker
customhostgroup0:
portgroups: *portgroupsdocker
customhostgroup1:
portgroups: *portgroupsdocker
customhostgroup2:
portgroups: *portgroupsdocker
customhostgroup3:
portgroups: *portgroupsdocker
customhostgroup4:
portgroups: *portgroupsdocker
customhostgroup5:
portgroups: *portgroupsdocker
customhostgroup6:
portgroups: *portgroupsdocker
customhostgroup7:
portgroups: *portgroupsdocker
customhostgroup8:
portgroups: *portgroupsdocker
customhostgroup9:
portgroups: *portgroupsdocker
INPUT:
hostgroups:
anywhere:
portgroups: *portgroupshost
dockernet:
portgroups: *portgroupshost
fleet:
portgroups: *portgroupshost
localhost:
portgroups: *portgroupshost
standalone:
portgroups: *portgroupshost
sensors:
portgroups: *portgroupshost
searchnodes:
portgroups: *portgroupshost
heavynodes:
portgroups: *portgroupshost
customhostgroup0:
portgroups: *portgroupshost
customhostgroup1:
portgroups: *portgroupshost
customhostgroup2:
portgroups: *portgroupshost
customhostgroup3:
portgroups: *portgroupshost
customhostgroup4:
portgroups: *portgroupshost
customhostgroup5:
portgroups: *portgroupshost
customhostgroup6:
portgroups: *portgroupshost
customhostgroup7:
portgroups: *portgroupshost
customhostgroup8:
portgroups: *portgroupshost
customhostgroup9:
portgroups: *portgroupshost
searchnode:
chain:
DOCKER-USER:
hostgroups:
manager:
portgroups: *portgroupsdocker
dockernet:
portgroups: *portgroupsdocker
elasticsearch_rest:
portgroups: *portgroupsdocker
searchnodes:
portgroups: *portgroupsdocker
self:
portgroups: *portgroupsdocker
customhostgroup0:
portgroups: *portgroupsdocker
customhostgroup1:
portgroups: *portgroupsdocker
customhostgroup2:
portgroups: *portgroupsdocker
customhostgroup3:
portgroups: *portgroupsdocker
customhostgroup4:
portgroups: *portgroupsdocker
customhostgroup5:
portgroups: *portgroupsdocker
customhostgroup6:
portgroups: *portgroupsdocker
customhostgroup7:
portgroups: *portgroupsdocker
customhostgroup8:
portgroups: *portgroupsdocker
customhostgroup9:
portgroups: *portgroupsdocker
INPUT:
hostgroups:
anywhere:
portgroups: *portgroupshost
dockernet:
portgroups: *portgroupshost
localhost:
portgroups: *portgroupshost
customhostgroup0:
portgroups: *portgroupshost
customhostgroup1:
portgroups: *portgroupshost
customhostgroup2:
portgroups: *portgroupshost
customhostgroup3:
portgroups: *portgroupshost
customhostgroup4:
portgroups: *portgroupshost
customhostgroup5:
portgroups: *portgroupshost
customhostgroup6:
portgroups: *portgroupshost
customhostgroup7:
portgroups: *portgroupshost
customhostgroup8:
portgroups: *portgroupshost
customhostgroup9:
portgroups: *portgroupshost
sensor:
chain:
DOCKER-USER:
hostgroups:
self:
portgroups: *portgroupsdocker
strelka_frontend:
portgroups: *portgroupsdocker
customhostgroup0:
portgroups: *portgroupsdocker
customhostgroup1:
portgroups: *portgroupsdocker
customhostgroup2:
portgroups: *portgroupsdocker
customhostgroup3:
portgroups: *portgroupsdocker
customhostgroup4:
portgroups: *portgroupsdocker
customhostgroup5:
portgroups: *portgroupsdocker
customhostgroup6:
portgroups: *portgroupsdocker
customhostgroup7:
portgroups: *portgroupsdocker
customhostgroup8:
portgroups: *portgroupsdocker
customhostgroup9:
portgroups: *portgroupsdocker
INPUT:
hostgroups:
anywhere:
portgroups: *portgroupshost
dockernet:
portgroups: *portgroupshost
localhost:
portgroups: *portgroupshost
customhostgroup0:
portgroups: *portgroupshost
customhostgroup1:
portgroups: *portgroupshost
customhostgroup2:
portgroups: *portgroupshost
customhostgroup3:
portgroups: *portgroupshost
customhostgroup4:
portgroups: *portgroupshost
customhostgroup5:
portgroups: *portgroupshost
customhostgroup6:
portgroups: *portgroupshost
customhostgroup7:
portgroups: *portgroupshost
customhostgroup8:
portgroups: *portgroupshost
customhostgroup9:
portgroups: *portgroupshost
heavynode:
chain:
DOCKER-USER:
hostgroups:
manager:
portgroups: *portgroupsdocker
dockernet:
portgroups: *portgroupsdocker
elasticsearch_rest:
portgroups: *portgroupsdocker
self:
portgroups: *portgroupsdocker
strelka_frontend:
portgroups: *portgroupsdocker
customhostgroup0:
portgroups: *portgroupsdocker
customhostgroup1:
portgroups: *portgroupsdocker
customhostgroup2:
portgroups: *portgroupsdocker
customhostgroup3:
portgroups: *portgroupsdocker
customhostgroup4:
portgroups: *portgroupsdocker
customhostgroup5:
portgroups: *portgroupsdocker
customhostgroup6:
portgroups: *portgroupsdocker
customhostgroup7:
portgroups: *portgroupsdocker
customhostgroup8:
portgroups: *portgroupsdocker
customhostgroup9:
portgroups: *portgroupsdocker
INPUT:
hostgroups:
anywhere:
portgroups: *portgroupshost
dockernet:
portgroups: *portgroupshost
localhost:
portgroups: *portgroupshost
customhostgroup0:
portgroups: *portgroupshost
customhostgroup1:
portgroups: *portgroupshost
customhostgroup2:
portgroups: *portgroupshost
customhostgroup3:
portgroups: *portgroupshost
customhostgroup4:
portgroups: *portgroupshost
customhostgroup5:
portgroups: *portgroupshost
customhostgroup6:
portgroups: *portgroupshost
customhostgroup7:
portgroups: *portgroupshost
customhostgroup8:
portgroups: *portgroupshost
customhostgroup9:
portgroups: *portgroupshost
import:
chain:
DOCKER-USER:
hostgroups:
manager:
portgroups: *portgroupsdocker
sensors:
portgroups: *portgroupsdocker
searchnodes:
portgroups: *portgroupsdocker
beats_endpoint:
portgroups: *portgroupsdocker
beats_endpoint_ssl:
portgroups: *portgroupsdocker
elasticsearch_rest:
portgroups: *portgroupsdocker
elastic_agent_endpoint:
portgroups: *portgroupsdocker
analyst:
portgroups: *portgroupsdocker
customhostgroup0:
portgroups: *portgroupsdocker
customhostgroup1:
portgroups: *portgroupsdocker
customhostgroup2:
portgroups: *portgroupsdocker
customhostgroup3:
portgroups: *portgroupsdocker
customhostgroup4:
portgroups: *portgroupsdocker
customhostgroup5:
portgroups: *portgroupsdocker
customhostgroup6:
portgroups: *portgroupsdocker
customhostgroup7:
portgroups: *portgroupsdocker
customhostgroup8:
portgroups: *portgroupsdocker
customhostgroup9:
portgroups: *portgroupsdocker
INPUT:
hostgroups:
anywhere:
portgroups: *portgroupshost
dockernet:
portgroups: *portgroupshost
localhost:
portgroups: *portgroupshost
customhostgroup0:
portgroups: *portgroupshost
customhostgroup1:
portgroups: *portgroupshost
customhostgroup2:
portgroups: *portgroupshost
customhostgroup3:
portgroups: *portgroupshost
customhostgroup4:
portgroups: *portgroupshost
customhostgroup5:
portgroups: *portgroupshost
customhostgroup6:
portgroups: *portgroupshost
customhostgroup7:
portgroups: *portgroupshost
customhostgroup8:
portgroups: *portgroupshost
customhostgroup9:
portgroups: *portgroupshost
receiver:
chain:
DOCKER-USER:
hostgroups:
sensors:
portgroups: *portgroupsdocker
searchnodes:
portgroups: *portgroupsdocker
self:
portgroups: *portgroupsdocker
syslog:
portgroups: *portgroupsdocker
beats_endpoint:
portgroups: *portgroupsdocker
beats_endpoint_ssl:
portgroups: *portgroupsdocker
endgame:
portgroups: *portgroupsdocker
customhostgroup0:
portgroups: *portgroupsdocker
customhostgroup1:
portgroups: *portgroupsdocker
customhostgroup2:
portgroups: *portgroupsdocker
customhostgroup3:
portgroups: *portgroupsdocker
customhostgroup4:
portgroups: *portgroupsdocker
customhostgroup5:
portgroups: *portgroupsdocker
customhostgroup6:
portgroups: *portgroupsdocker
customhostgroup7:
portgroups: *portgroupsdocker
customhostgroup8:
portgroups: *portgroupsdocker
customhostgroup9:
portgroups: *portgroupsdocker
INPUT:
hostgroups:
anywhere:
portgroups: *portgroupshost
dockernet:
portgroups: *portgroupshost
localhost:
portgroups: *portgroupshost
customhostgroup0:
portgroups: *portgroupshost
customhostgroup1:
portgroups: *portgroupshost
customhostgroup2:
portgroups: *portgroupshost
customhostgroup3:
portgroups: *portgroupshost
customhostgroup4:
portgroups: *portgroupshost
customhostgroup5:
portgroups: *portgroupshost
customhostgroup6:
portgroups: *portgroupshost
customhostgroup7:
portgroups: *portgroupshost
customhostgroup8:
portgroups: *portgroupshost
customhostgroup9:
portgroups: *portgroupshost