Merge pull request #10004 from Security-Onion-Solutions/guifixes

Guifixes
2025-12-07 09:42:46 +01:00 · 2023-03-24 16:58:19 -04:00
parent 3fed3b3f3e aa66a6471a
commit 80043d154a
25 changed files with 265 additions and 169 deletions
--- a/salt/firewall/assigned_hostgroups.map.yaml
+++ b/salt/firewall/assigned_hostgroups.map.yaml
@@ -536,9 +536,10 @@ role:
        hostgroups:
          anywhere:
            portgroups:
-            {% set idh_services = salt['pillar.get']('idh:services', []) %}
-            {% for service in idh_services %}
-              - {{ IDH_PORTGROUPS['idh_'~service] }}
+            {% for service in IDH_PORTGROUPS.keys() %}
+              {% if service != 'openssh' %}
+              - {{ IDH_PORTGROUPS[service] }}
+              {% endif %}
            {% endfor %}
          dockernet:
            portgroups:
--- a/salt/idh/defaults.yaml
+++ b/salt/idh/defaults.yaml
@@ -0,0 +1,91 @@
+idh:
+  restrict_management_ip: false
+  openssh:
+    enable: true
+    config:
+      port: 2222
+  opencanary:
+    config:
+      logger:
+        class: PyLogger
+        kwargs:
+            formatters:
+              plain:
+                  format: '%(message)s'
+            handlers:
+              console:
+                  class: logging.StreamHandler
+                  stream: ext://sys.stdout
+              file:
+                  class: logging.FileHandler
+                  filename: /var/tmp/opencanary.log
+      portscan_x_enabled: false
+      portscan_x_logfile: /var/log/kern.log
+      portscan_x_synrate: 5
+      portscan_x_nmaposrate: 5
+      portscan_x_lorate: 3
+      tcpbanner_x_maxnum: 10
+      tcpbanner_x_enabled: false
+      tcpbanner_1_x_enabled: false
+      tcpbanner_1_x_port: 8001
+      tcpbanner_1_x_datareceivedbanner: ''
+      tcpbanner_1_x_initbanner: ''
+      tcpbanner_1_x_alertstring_x_enabled: false
+      tcpbanner_1_x_keep_alive_x_enabled: false
+      tcpbanner_1_x_keep_alive_secret: ''
+      tcpbanner_1_x_keep_alive_probes: 11
+      tcpbanner_1_x_keep_alive_interval: 300
+      tcpbanner_1_x_keep_alive_idle: 300
+      ftp_x_enabled: false
+      ftp_x_port: 21
+      ftp_x_banner: FTP server ready
+      git_x_enabled: false
+      git_x_port: 9418
+      http_x_banner: Apache/2.2.34 (Ubuntu)
+      http_x_enabled: false
+      http_x_port: 80
+      http_x_skin: nasLogin
+      http_x_skinlist:
+        - desc: Plain HTML Login
+          name: basicLogin
+        - desc: Synology NAS Login
+          name: nasLogin
+      httpproxy_x_enabled: false
+      httpproxy_x_port: 8080
+      httpproxy_x_skin: squid
+      httpproxy_x_skinlist:
+        - desc: Squid
+          name: squid
+        - desc: Microsoft ISA Server Web Proxy
+          name: ms-isa
+      mssql_x_enabled: false
+      mssql_x_version: '2012'
+      mssql_x_port: 1433
+      mysql_x_enabled: false
+      mysql_x_port: 3306
+      mysql_x_banner: 5.5.43-0ubuntu0.14.04.1
+      ntp_x_enabled: false
+      ntp_x_port: 123
+      redis_x_enabled: false
+      redis_x_port: 6379
+      sip_x_enabled: false
+      sip_x_port: 5060
+      smb_x_auditfile: /var/log/samba-audit.log
+      smb_x_enabled: false
+      snmp_x_enabled: false
+      snmp_x_port: 161
+      ssh_x_enabled: true
+      ssh_x_port: 22
+      ssh_x_version: SSH-2.0-OpenSSH_5.1p1 Debian-4
+      telnet_x_enabled: false
+      telnet_x_port: 23
+      telnet_x_banner: ''
+      telnet_x_honeycreds:
+        - username: admin
+          password: $pbkdf2-sha512$19000$bG1NaY3xvjdGyBlj7N37Xw$dGrmBqqWa1okTCpN3QEmeo9j5DuV2u1EuVFD8Di0GxNiM64To5O/Y66f7UASvnQr8.LCzqTm6awC8Kj/aGKvwA
+        - username: admin
+          password: admin1
+      tftp_x_enabled: false
+      tftp_x_port: 69
+      vnc_x_enabled: false
+      vnc_x_port: 5900
--- a/salt/idh/defaults/defaults.yaml
+++ b/salt/idh/defaults/defaults.yaml
@@ -1,37 +0,0 @@
-idh:
-  opencanary:
-    config:
-      logger:
-        class: PyLogger
-        kwargs:
-            formatters:
-              plain:
-                  format: '%(message)s'
-            handlers:
-              console:
-                  class: logging.StreamHandler
-                  stream: ext://sys.stdout
-              file:
-                  class: logging.FileHandler
-                  filename: /var/tmp/opencanary.log
-      portscan.enabled: false
-      portscan.logfile: /var/log/kern.log
-      portscan.synrate: 5
-      portscan.nmaposrate: 5
-      portscan.lorate: 3
-      tcpbanner.maxnum: 10
-      tcpbanner.enabled: false
-      tcpbanner_1.enabled: false
-      tcpbanner_1.port: 8001
-      tcpbanner_1.datareceivedbanner: ''
-      tcpbanner_1.initbanner: ''
-      tcpbanner_1.alertstring.enabled: false
-      tcpbanner_1.keep_alive.enabled: false
-      tcpbanner_1.keep_alive_secret: ''
-      tcpbanner_1.keep_alive_probes: 11
-      tcpbanner_1.keep_alive_interval: 300
-      tcpbanner_1.keep_alive_idle: 300
-  openssh:
-    enable: true
-    config:
-      port: 2222
--- a/salt/idh/defaults/ftp.defaults.yaml
+++ b/salt/idh/defaults/ftp.defaults.yaml
@@ -1,6 +0,0 @@
-idh:
-  opencanary:
-    config:
-      ftp.enabled: true
-      ftp.port: 21
-      ftp.banner: FTP server ready
--- a/salt/idh/defaults/git.defaults.yaml
+++ b/salt/idh/defaults/git.defaults.yaml
@@ -1,5 +0,0 @@
-idh:
-  opencanary:
-    config:
-      git.enabled: true
-      git.port: 9418
--- a/salt/idh/defaults/http.defaults.yaml
+++ b/salt/idh/defaults/http.defaults.yaml
@@ -1,12 +0,0 @@
-idh:
-  opencanary:
-    config:
-      http.banner: Apache/2.2.34 (Ubuntu)
-      http.enabled: true
-      http.port: 80
-      http.skin: nasLogin
-      http.skin.list:
-      - desc: Plain HTML Login
-        name: basicLogin
-      - desc: Synology NAS Login
-        name: nasLogin
--- a/salt/idh/defaults/httpproxy.defaults.yaml
+++ b/salt/idh/defaults/httpproxy.defaults.yaml
@@ -1,11 +0,0 @@
-idh:
-  opencanary:
-    config:
-      httpproxy.enabled: true
-      httpproxy.port: 8080
-      httpproxy.skin: squid
-      httproxy.skin.list:
-      - desc: Squid
-        name: squid
-      - desc: Microsoft ISA Server Web Proxy
-        name: ms-isa
--- a/salt/idh/defaults/mssql.defaults.yaml
+++ b/salt/idh/defaults/mssql.defaults.yaml
@@ -1,6 +0,0 @@
-idh:
-  opencanary:
-    config:
-      mssql.enabled: true
-      mssql.version: '2012'
-      mssql.port: 1433
--- a/salt/idh/defaults/mysql.defaults.yaml
+++ b/salt/idh/defaults/mysql.defaults.yaml
@@ -1,6 +0,0 @@
-idh:
-  opencanary:
-    config:
-      mysql.enabled: true
-      mysql.port: 3306
-      mysql.banner: 5.5.43-0ubuntu0.14.04.1
--- a/salt/idh/defaults/ntp.defaults.yaml
+++ b/salt/idh/defaults/ntp.defaults.yaml
@@ -1,5 +0,0 @@
-idh:
-  opencanary:
-    config:
-      ntp.enabled: true
-      ntp.port: '123'
--- a/salt/idh/defaults/redis.defaults.yaml
+++ b/salt/idh/defaults/redis.defaults.yaml
@@ -1,5 +0,0 @@
-idh:
-  opencanary:
-    config:
-      redis.enabled: true
-      redis.port: 6379
--- a/salt/idh/defaults/sip.defaults.yaml
+++ b/salt/idh/defaults/sip.defaults.yaml
@@ -1,5 +0,0 @@
-idh:
-  opencanary:
-    config:
-      sip.enabled: true
-      sip.port: 5060
--- a/salt/idh/defaults/smb.defaults.yaml
+++ b/salt/idh/defaults/smb.defaults.yaml
@@ -1,5 +0,0 @@
-idh:
-  opencanary:
-    config:
-      smb.auditfile: /var/log/samba-audit.log
-      smb.enabled: true
--- a/salt/idh/defaults/snmp.defaults.yaml
+++ b/salt/idh/defaults/snmp.defaults.yaml
@@ -1,5 +0,0 @@
-idh:
-  opencanary:
-    config:
-      snmp.enabled: true
-      snmp.port: 161
--- a/salt/idh/defaults/ssh.defaults.yaml
+++ b/salt/idh/defaults/ssh.defaults.yaml
@@ -1,6 +0,0 @@
-idh:
-  opencanary:
-    config:
-      ssh.enabled: true
-      ssh.port: 22
-      ssh.version: SSH-2.0-OpenSSH_5.1p1 Debian-4
--- a/salt/idh/defaults/telnet.defaults.yaml
+++ b/salt/idh/defaults/telnet.defaults.yaml
@@ -1,11 +0,0 @@
-idh:
-  opencanary:
-    config:
-      telnet.enabled: true
-      telnet.port: '23'
-      telnet.banner: ''
-      telnet.honeycreds:
-      - username: admin
-        password: $pbkdf2-sha512$19000$bG1NaY3xvjdGyBlj7N37Xw$dGrmBqqWa1okTCpN3QEmeo9j5DuV2u1EuVFD8Di0GxNiM64To5O/Y66f7UASvnQr8.LCzqTm6awC8Kj/aGKvwA
-      - username: admin
-        password: admin1
--- a/salt/idh/defaults/tftp.defaults.yaml
+++ b/salt/idh/defaults/tftp.defaults.yaml
@@ -1,5 +0,0 @@
-idh:
-  opencanary:
-    config:
-      tftp.enabled: true
-      tftp.port: 69
--- a/salt/idh/defaults/vnc.defaults.yaml
+++ b/salt/idh/defaults/vnc.defaults.yaml
@@ -1,5 +0,0 @@
-idh:
-  opencanary:
-    config:
-      vnc.enabled: true
-      vnc.port: 5900
--- a/salt/idh/idh.conf.jinja
+++ b/salt/idh/idh.conf.jinja
@@ -1 +1 @@
-{{ OPENCANARYCONFIG | tojson(True) }}
+{{ OPENCANARYCONFIG | tojson(True) | replace("_x_", ".") }}
--- a/salt/idh/init.sls
+++ b/salt/idh/init.sls
@@ -7,7 +7,8 @@
 {% if sls in allowed_states %}
 {% import_yaml 'docker/defaults.yaml' as DOCKERDEFAULTS %}
 {% from 'vars/globals.map.jinja' import GLOBALS %}
-{% set RESTRICTIDHSERVICES = salt['pillar.get']('idh:restrict_management_ip', False) %}
+{% from 'idh/opencanary_config.map.jinja' import RESTRICTIDHSERVICES %}
+{% from 'idh/opencanary_config.map.jinja' import OPENCANARYCONFIG %}

 include:
  - idh.openssh.config
@@ -15,23 +16,22 @@ include:

 # If True, block IDH Services from accepting connections on Managment IP
 {% if RESTRICTIDHSERVICES %}
-  {% from 'idh/opencanary_config.map.jinja' import OPENCANARYCONFIG %}
-  {% set idh_services = salt['pillar.get']('idh:services', []) %}
+  {% from 'idh/opencanary_config.map.jinja' import IDH_SERVICES %}

-  {% for service in idh_services %}
+  {% for service in IDH_SERVICES %}
  {% if service in ["smnp","ntp", "tftp"] %}
    {% set proto = 'udp' %}
  {% else %}
    {% set proto = 'tcp' %}
  {% endif %}
-block_mgt_ip_idh_services_{{ proto }}_{{ OPENCANARYCONFIG[service~'.port'] }} :
+block_mgt_ip_idh_services_{{ proto }}_{{ OPENCANARYCONFIG[service~'_x_port'] }} :
  iptables.insert:
    - table: filter
    - chain: INPUT
    - jump: DROP
    - position: 1
    - proto:  {{ proto }}
-    - dport: {{ OPENCANARYCONFIG[service~'.port'] }}
+    - dport: {{ OPENCANARYCONFIG[service~'_x_port'] }}
    - destination: {{ GLOBALS.node_ip }}
  {% endfor %}
 {% endif %}
@@ -52,7 +52,6 @@ configdir:
    - group: 939
    - makedirs: True

-{% from 'idh/opencanary_config.map.jinja' import OPENCANARYCONFIG with context %}
 opencanary_config:
  file.managed:
    - name: /opt/so/conf/idh/opencanary.conf
--- a/salt/idh/opencanary_config.map.jinja
+++ b/salt/idh/opencanary_config.map.jinja
@@ -1,23 +1,44 @@
-{% set idh_services = salt['pillar.get']('idh:services', []) %}
+{# this list of services is used to loop through and add fw rules if the service is enabled #}
+{# smb is not in this list since it does not need any ports open #}
+{% set IDH_SERVICES = [
+     'ftp',
+     'git',
+     'http',
+     'httpproxy',
+     'mssql',
+     'mysql',
+     'ntp',
+     'redis',
+     'sip',
+     'snmp',
+     'ssh',
+     'telnet',
+     'tftp',
+     'vnc'
+] %}

 {% set IDH_PORTGROUPS = {} %}

-{% import_yaml "idh/defaults/defaults.yaml" as IDHCONFIG with context %}
-{% for service in idh_services %}
-      {% import_yaml "idh/defaults/" ~ service ~ ".defaults.yaml" as SERVICECONFIG with context %}
-      {% do salt['defaults.merge'](IDHCONFIG, SERVICECONFIG, in_place=True) %}
-{% endfor %}
-
+{% import_yaml "idh/defaults.yaml" as IDHCONFIG with context %}
+{% set RESTRICTIDHSERVICES = salt['pillar.get']('idh:restrict_management_ip', default=IDHCONFIG.idh.restrict_management_ip) %}
 {% set OPENCANARYCONFIG = salt['pillar.get']('idh:opencanary:config', default=IDHCONFIG.idh.opencanary.config, merge=True) %}
+{# update skinlist to skin.list to avoid issues with SOC UI config #}
+{% set HTTPSKINLIST = OPENCANARYCONFIG.pop('http_x_skinlist') %}
+{% set HTTPPROXYSKINLIST = OPENCANARYCONFIG.pop('httpproxy_x_skinlist') %}
+{% do OPENCANARYCONFIG.update({'http_x_skin_x_list': HTTPSKINLIST}) %}
+{% do OPENCANARYCONFIG.update({'httpproxy_x_skin_x_list': HTTPPROXYSKINLIST}) %}
+
 {% set OPENSSH = salt['pillar.get']('idh:openssh', default=IDHCONFIG.idh.openssh, merge=True) %}

-{% for service in idh_services %}
+{% for service in IDH_SERVICES %}
  {% if service in ["smnp","ntp", "tftp"] %}
    {% set proto = 'udp' %}
  {% else %}
    {% set proto = 'tcp' %}
  {% endif %}
-  {% do IDH_PORTGROUPS.update({'idh_' ~ service: {proto: [OPENCANARYCONFIG[service ~ '.port']]}}) %}
+  {% if OPENCANARYCONFIG[service ~ '_x_enabled'] %}
+    {% do IDH_PORTGROUPS.update({'idh_' ~ service: {proto: [OPENCANARYCONFIG[service ~ '_x_port']]}}) %}
+  {% endif %}
 {% endfor %}

 {% do IDH_PORTGROUPS.update({'openssh': {'tcp': [OPENSSH.config.port]}}) %}
--- a/salt/idh/openssh/map.jinja
+++ b/salt/idh/openssh/map.jinja
@@ -1,4 +1,4 @@
-{% import_yaml "idh/defaults/defaults.yaml" as idh_defaults with context %}
+{% import_yaml "idh/defaults.yaml" as idh_defaults with context %}

 {% set openssh_map = salt['grains.filter_by']({
    'Debian': {
--- a/salt/idh/soc_idh.yaml
+++ b/salt/idh/soc_idh.yaml
@@ -0,0 +1,131 @@
+idh:
+  opencanary:
+    config:
+      logger:
+        class: &loggingOptions
+          description: Logging options for IDH nodes.
+          readonly: True
+          advanced: True
+          global: True
+          helpLink: idh.html
+        kwargs:
+            formatters:
+              plain:
+                  format: *loggingOptions
+            handlers:
+              console:
+                  class: *loggingOptions
+                  stream: *loggingOptions
+              file:
+                  class: *loggingOptions
+                  filename: *loggingOptions
+      portscan_x_enabled: &serviceOptions
+        description: To enable this IDH service set this value to true. To disable set to false.
+        helpLink: idh.html
+      portscan_x_logfile: *loggingOptions
+      portscan_x_synrate:
+        description: Needs update
+        advanced: True
+        helpLink: idh.html 
+      portscan_x_nmaposrate:
+        description: Needs update
+        advanced: True
+        helpLink: idh.html  
+      portscan_x_lorate: 
+        description: Needs update
+        advanced: True
+        helpLink: idh.html 
+      tcpbanner_x_maxnum:
+        description: Needs update
+        advanced: True
+        helpLink: idh.html 
+      tcpbanner_x_enabled: *serviceOptions
+      tcpbanner_1_x_enabled: *serviceOptions
+      tcpbanner_1_x_port: &portOptions
+        description: Defined port the service should listen on.
+        advanced: True
+        helpLink: idh.html
+      tcpbanner_1_x_datareceivedbanner: &bannerOptions
+        description: Needs update
+        advanced: True
+        helpLink: idh.html 
+      tcpbanner_1_x_initbanner: *bannerOptions
+      tcpbanner_1_x_alertstring_x_enabled: *serviceOptions
+      tcpbanner_1_x_keep_alive_x_enabled: *serviceOptions
+      tcpbanner_1_x_keep_alive_secret:
+        description: Needs update
+        advanced: True
+        helpLink: idh.html 
+      tcpbanner_1_x_keep_alive_probes:
+        description: Needs update
+        advanced: True
+        helpLink: idh.html  
+      tcpbanner_1_x_keep_alive_interval:
+        description: Needs update
+        advanced: True
+        helpLink: idh.html 
+      tcpbanner_1_x_keep_alive_idle:
+        description: Needs update
+        advanced: True
+        helpLink: idh.html 
+      ftp_x_enabled: *serviceOptions
+      ftp_x_port: *portOptions
+      ftp_x_banner: *bannerOptions
+      git_x_enabled: *serviceOptions
+      git_x_port: *portOptions
+      http_x_banner: *bannerOptions
+      http_x_enabled: *serviceOptions
+      http_x_port: *portOptions
+      http_x_skin: &skinOptions
+        description:
+        advanced: True
+        helplink: idh.html
+      http_x_skinlist: &skinlistOptions
+        description: List of skins to use for the service.
+        advanced: True
+        helpLink: idh.html
+      httpproxy_x_enabled: *serviceOptions
+      httpproxy_x_port: *portOptions
+      httpproxy_x_skin: *skinOptions
+      httpproxy_x_skinlist: *skinlistOptions
+      mssql_x_enabled: *serviceOptions
+      mssql_x_version: &versionOptions
+        description: Specify the version the service should present.
+        advanced: True
+        helpLink: idh.html
+      mssql_x_port: *portOptions
+      mysql_x_enabled: *serviceOptions
+      mysql_x_port: *portOptions
+      mysql_x_banner: *bannerOptions
+      ntp_x_enabled: *serviceOptions
+      ntp_x_port: *portOptions
+      redis_x_enabled: *serviceOptions
+      redis_x_port: *portOptions
+      sip_x_enabled: *serviceOptions
+      sip_x_port: *portOptions
+      smb_x_auditfile: *loggingOptions
+      smb_x_enabled: *serviceOptions
+      snmp_x_enabled: *serviceOptions
+      snmp_x_port: *portOptions
+      ssh_x_enabled: *serviceOptions
+      ssh_x_port: *portOptions
+      ssh_x_version: *versionOptions
+      telnet_x_enabled: *serviceOptions
+      telnet_x_port: *portOptions
+      telnet_x_banner: *bannerOptions
+      telnet_x_honeycreds:
+        description: Credentials list for the telnet service.
+        advanced: True
+        helpLink: idh.html
+      tftp_x_enabled: *serviceOptions
+      tftp_x_port: *portOptions
+      vnc_x_enabled: *serviceOptions
+      vnc_x_port: *portOptions
+  openssh:
+    enable: 
+      description: This is the other SSH for the host machine. Needs better descirption.
+      helpLink: idh.html
+    config:
+      port:
+        description: Port that ssh will listen on and only accessible from the manager.
+        helpLink: idh.html
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -1311,18 +1311,6 @@ import_registry_docker() {

 idh_pillar() {
 	touch $adv_idh_pillar_file
-	title "Create the IDH Pillar"
-	printf '%s\n'\
-		"idh:"\
-		"  listen_on_mgnt_int: True"\
-		"  services:"\
-		"    - HTTP"\
-		"    - FTP"\
-		"    - MYSQL"\
-		"    - MSSQL"\
-		"    - VNC"\
-		"    - SSH" > "$idh_pillar_file"
-
 }

 logstash_pillar() {
--- a/setup/so-setup
+++ b/setup/so-setup
@@ -475,7 +475,7 @@ if ! [[ -f $install_opt_file ]]; then
 		collect_mngr_hostname
 		add_mngr_ip_to_hosts
 		check_manager_connection
-		collect_idh_services
+		#collect_idh_services (this may be added back sometime in the future)
 		collect_idh_preferences
 		set_minion_info
 		whiptail_end_settings