diff --git a/salt/firewall/assigned_hostgroups.map.yaml b/salt/firewall/assigned_hostgroups.map.yaml
index fec694541..cb02691f9 100644
--- a/salt/firewall/assigned_hostgroups.map.yaml
+++ b/salt/firewall/assigned_hostgroups.map.yaml
@@ -536,9 +536,10 @@ role:
 hostgroups:
 anywhere:
 portgroups:
- {% set idh_services = salt['pillar.get']('idh:services', []) %}
- {% for service in idh_services %}
- - {{ IDH_PORTGROUPS['idh_'~service] }}
+ {% for service in IDH_PORTGROUPS.keys() %}
+ {% if service != 'openssh' %}
+ - {{ IDH_PORTGROUPS[service] }}
+ {% endif %}
 {% endfor %}
 dockernet:
 portgroups:
diff --git a/salt/idh/defaults.yaml b/salt/idh/defaults.yaml
new file mode 100644
index 000000000..b0c4d6904
--- /dev/null
+++ b/salt/idh/defaults.yaml
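Review bot: The exclusion of the management sshd from the `anywhere` hostgroup hangs on the bare literal in `{% if service != 'openssh' %}`, and nothing records why that key is special, so a rename of the key in the IDH map (every other entry there is `idh_<service>`) would silently expose the real sshd (port 2222 by default) to the world. Add a comment above the loop: `{# every idh_* portgroup is a honeypot listener and is deliberately exposed to anywhere; 'openssh' is the real management sshd and must stay manager-only #}`. A guard that fails closed would be to admit only keys carrying the honeypot prefix, `{% if service.startswith('idh_') %}`, so any future non-honeypot key added to the map is not opened by default. The enclosing `role:` mapping starts before this hunk.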
@@ -0,0 +1,91 @@
+idh:
+ restrict_management_ip: false
+ openssh:
+ enable: true
+ config:
+ port: 2222
+ opencanary:
+ config:
+ logger:
+ class: PyLogger
+ kwargs:
+ formatters:
+ plain:
+ format: '%(message)s'
+ handlers:
+ console:
+ class: logging.StreamHandler
+ stream: ext://sys.stdout
+ file:
+ class: logging.FileHandler
+ filename: /var/tmp/opencanary.log
+ portscan_x_enabled: false
+ portscan_x_logfile: /var/log/kern.log
+ portscan_x_synrate: 5
+ portscan_x_nmaposrate: 5
+ portscan_x_lorate: 3
+ tcpbanner_x_maxnum: 10
+ tcpbanner_x_enabled: false
+ tcpbanner_1_x_enabled: false
+ tcpbanner_1_x_port: 8001
+ tcpbanner_1_x_datareceivedbanner: ''
+ tcpbanner_1_x_initbanner: ''
+ tcpbanner_1_x_alertstring_x_enabled: false
+ tcpbanner_1_x_keep_alive_x_enabled: false
+ tcpbanner_1_x_keep_alive_secret: ''
+ tcpbanner_1_x_keep_alive_probes: 11
+ tcpbanner_1_x_keep_alive_interval: 300
+ tcpbanner_1_x_keep_alive_idle: 300
+ ftp_x_enabled: false
+ ftp_x_port: 21
+ ftp_x_banner: FTP server ready
+ git_x_enabled: false
+ git_x_port: 9418
+ http_x_banner: Apache/2.2.34 (Ubuntu)
+ http_x_enabled: false
+ http_x_port: 80
+ http_x_skin: nasLogin
+ http_x_skinlist:
+ - desc: Plain HTML Login
+ name: basicLogin
+ - desc: Synology NAS Login
+ name: nasLogin
+ httpproxy_x_enabled: false
+ httpproxy_x_port: 8080
+ httpproxy_x_skin: squid
+ httpproxy_x_skinlist:
+ - desc: Squid
+ name: squid
+ - desc: Microsoft ISA Server Web Proxy
+ name: ms-isa
+ mssql_x_enabled: false
+ mssql_x_version: '2012'
+ mssql_x_port: 1433
+ mysql_x_enabled: false
+ mysql_x_port: 3306
+ mysql_x_banner: 5.5.43-0ubuntu0.14.04.1
+ ntp_x_enabled: false
+ ntp_x_port: 123
+ redis_x_enabled: false
+ redis_x_port: 6379
+ sip_x_enabled: false
+ sip_x_port: 5060
+ smb_x_auditfile: /var/log/samba-audit.log
+ smb_x_enabled: false
+ snmp_x_enabled: false
+ snmp_x_port: 161
+ ssh_x_enabled: true
+ ssh_x_port: 22
+ ssh_x_version: SSH-2.0-OpenSSH_5.1p1 Debian-4
+ telnet_x_enabled: false
+ telnet_x_port: 23
+ telnet_x_banner: ''
+ telnet_x_honeycreds:
+ - username: admin
+ password: $pbkdf2-sha512$19000$bG1NaY3xvjdGyBlj7N37Xw$dGrmBqqWa1okTCpN3QEmeo9j5DuV2u1EuVFD8Di0GxNiM64To5O/Y66f7UASvnQr8.LCzqTm6awC8Kj/aGKvwA
+ - username: admin
+ password: admin1
+ tftp_x_enabled: false
+ tftp_x_port: 69
+ vnc_x_enabled: false
+ vnc_x_port: 5900
diff --git a/salt/idh/defaults/defaults.yaml b/salt/idh/defaults/defaults.yaml
deleted file mode 100644
index 4ed6bc3c5..000000000
--- a/salt/idh/defaults/defaults.yaml
+++ /dev/null
@@ -1,37 +0,0 @@
-idh:
- opencanary:
- config:
- logger:
- class: PyLogger
- kwargs:
- formatters:
- plain:
- format: '%(message)s'
- handlers:
- console:
- class: logging.StreamHandler
- stream: ext://sys.stdout
- file:
- class: logging.FileHandler
- filename: /var/tmp/opencanary.log
- portscan.enabled: false
- portscan.logfile: /var/log/kern.log
- portscan.synrate: 5
- portscan.nmaposrate: 5
- portscan.lorate: 3
- tcpbanner.maxnum: 10
- tcpbanner.enabled: false
- tcpbanner_1.enabled: false
- tcpbanner_1.port: 8001
- tcpbanner_1.datareceivedbanner: ''
- tcpbanner_1.initbanner: ''
- tcpbanner_1.alertstring.enabled: false
- tcpbanner_1.keep_alive.enabled: false
- tcpbanner_1.keep_alive_secret: ''
- tcpbanner_1.keep_alive_probes: 11
- tcpbanner_1.keep_alive_interval: 300
- tcpbanner_1.keep_alive_idle: 300
- openssh:
- enable: true
- config:
- port: 2222
diff --git a/salt/idh/defaults/ftp.defaults.yaml b/salt/idh/defaults/ftp.defaults.yaml
deleted file mode 100644
index bed8f90dc..000000000
--- a/salt/idh/defaults/ftp.defaults.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-idh:
- opencanary:
- config:
- ftp.enabled: true
- ftp.port: 21
- ftp.banner: FTP server ready
\ No newline at end of file
diff --git a/salt/idh/defaults/git.defaults.yaml b/salt/idh/defaults/git.defaults.yaml
deleted file mode 100644
index d77c4aa1d..000000000
--- a/salt/idh/defaults/git.defaults.yaml
+++ /dev/null
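Review bot: `restrict_management_ip: false` at the top of the new file is the switch that decides whether the management-IP DROP rules in idh/init.sls are rendered, and with this default the honeypot listeners (only the ssh honeypot on port 22 is enabled out of the box) also answer on what init.sls calls the management IP; that is a security-relevant default and needs a comment beside it, e.g. `# false: honeypot services also accept connections on the management IP; true: an iptables DROP rule is inserted per enabled service for that IP`. `telnet_x_honeycreds` ships a fixed pbkdf2 hash and the cleartext `admin1`; these are bait, but say so above the list (`# bait credentials: a login attempt against them is the alert, so weak values are intended`) so nobody "hardens" them later. Every key that has to become a dotted opencanary option carries `_x_`, and nothing here explains it; a header line `# _x_ in a key is rewritten to '.' when opencanary.conf is rendered (see idh.conf.jinja)` would save the next editor a trip through the templates.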
@@ -1,5 +0,0 @@
-idh:
- opencanary:
- config:
- git.enabled: true
- git.port: 9418
\ No newline at end of file
diff --git a/salt/idh/defaults/http.defaults.yaml b/salt/idh/defaults/http.defaults.yaml
deleted file mode 100644
index 2b6a9fe8e..000000000
--- a/salt/idh/defaults/http.defaults.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
-idh:
- opencanary:
- config:
- http.banner: Apache/2.2.34 (Ubuntu)
- http.enabled: true
- http.port: 80
- http.skin: nasLogin
- http.skin.list:
- - desc: Plain HTML Login
- name: basicLogin
- - desc: Synology NAS Login
- name: nasLogin
\ No newline at end of file
diff --git a/salt/idh/defaults/httpproxy.defaults.yaml b/salt/idh/defaults/httpproxy.defaults.yaml
deleted file mode 100644
index 32ef4a961..000000000
--- a/salt/idh/defaults/httpproxy.defaults.yaml
+++ /dev/null
@@ -1,11 +0,0 @@
-idh:
- opencanary:
- config:
- httpproxy.enabled: true
- httpproxy.port: 8080
- httpproxy.skin: squid
- httproxy.skin.list:
- - desc: Squid
- name: squid
- - desc: Microsoft ISA Server Web Proxy
- name: ms-isa
\ No newline at end of file
diff --git a/salt/idh/defaults/mssql.defaults.yaml b/salt/idh/defaults/mssql.defaults.yaml
deleted file mode 100644
index 199640992..000000000
--- a/salt/idh/defaults/mssql.defaults.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-idh:
- opencanary:
- config:
- mssql.enabled: true
- mssql.version: '2012'
- mssql.port: 1433
\ No newline at end of file
diff --git a/salt/idh/defaults/mysql.defaults.yaml b/salt/idh/defaults/mysql.defaults.yaml
deleted file mode 100644
index 98c6d2041..000000000
--- a/salt/idh/defaults/mysql.defaults.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-idh:
- opencanary:
- config:
- mysql.enabled: true
- mysql.port: 3306
- mysql.banner: 5.5.43-0ubuntu0.14.04.1
\ No newline at end of file
diff --git a/salt/idh/defaults/ntp.defaults.yaml b/salt/idh/defaults/ntp.defaults.yaml
deleted file mode 100644
index a7df2d460..000000000
--- a/salt/idh/defaults/ntp.defaults.yaml
+++ /dev/null
@@ -1,5 +0,0 @@
-idh:
- opencanary:
- config:
- ntp.enabled: true
- ntp.port: '123'
\ No newline at end of file
diff --git a/salt/idh/defaults/redis.defaults.yaml b/salt/idh/defaults/redis.defaults.yaml
deleted file mode 100644
index 90e190f09..000000000
--- a/salt/idh/defaults/redis.defaults.yaml
+++ /dev/null
@@ -1,5 +0,0 @@
-idh:
- opencanary:
- config:
- redis.enabled: true
- redis.port: 6379
\ No newline at end of file
diff --git a/salt/idh/defaults/sip.defaults.yaml b/salt/idh/defaults/sip.defaults.yaml
deleted file mode 100644
index 740a13234..000000000
--- a/salt/idh/defaults/sip.defaults.yaml
+++ /dev/null
@@ -1,5 +0,0 @@
-idh:
- opencanary:
- config:
- sip.enabled: true
- sip.port: 5060
\ No newline at end of file
diff --git a/salt/idh/defaults/smb.defaults.yaml b/salt/idh/defaults/smb.defaults.yaml
deleted file mode 100644
index e92e0239a..000000000
--- a/salt/idh/defaults/smb.defaults.yaml
+++ /dev/null
@@ -1,5 +0,0 @@
-idh:
- opencanary:
- config:
- smb.auditfile: /var/log/samba-audit.log
- smb.enabled: true
\ No newline at end of file
diff --git a/salt/idh/defaults/snmp.defaults.yaml b/salt/idh/defaults/snmp.defaults.yaml
deleted file mode 100644
index 990bf919e..000000000
--- a/salt/idh/defaults/snmp.defaults.yaml
+++ /dev/null
@@ -1,5 +0,0 @@
-idh:
- opencanary:
- config:
- snmp.enabled: true
- snmp.port: 161
\ No newline at end of file
diff --git a/salt/idh/defaults/ssh.defaults.yaml b/salt/idh/defaults/ssh.defaults.yaml
deleted file mode 100644
index 00dcfbcf8..000000000
--- a/salt/idh/defaults/ssh.defaults.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-idh:
- opencanary:
- config:
- ssh.enabled: true
- ssh.port: 22
- ssh.version: SSH-2.0-OpenSSH_5.1p1 Debian-4
\ No newline at end of file
diff --git a/salt/idh/defaults/telnet.defaults.yaml b/salt/idh/defaults/telnet.defaults.yaml
deleted file mode 100644
index 34f1d3190..000000000
--- a/salt/idh/defaults/telnet.defaults.yaml
+++ /dev/null
@@ -1,11 +0,0 @@
-idh:
- opencanary:
- config:
- telnet.enabled: true
- telnet.port: '23'
- telnet.banner: ''
- telnet.honeycreds:
- - username: admin
- password: $pbkdf2-sha512$19000$bG1NaY3xvjdGyBlj7N37Xw$dGrmBqqWa1okTCpN3QEmeo9j5DuV2u1EuVFD8Di0GxNiM64To5O/Y66f7UASvnQr8.LCzqTm6awC8Kj/aGKvwA
- - username: admin
- password: admin1
\ No newline at end of file
diff --git a/salt/idh/defaults/tftp.defaults.yaml b/salt/idh/defaults/tftp.defaults.yaml
deleted file mode 100644
index 5f275839f..000000000
--- a/salt/idh/defaults/tftp.defaults.yaml
+++ /dev/null
@@ -1,5 +0,0 @@
-idh:
- opencanary:
- config:
- tftp.enabled: true
- tftp.port: 69
\ No newline at end of file
diff --git a/salt/idh/defaults/vnc.defaults.yaml b/salt/idh/defaults/vnc.defaults.yaml
deleted file mode 100644
index 1995e5651..000000000
--- a/salt/idh/defaults/vnc.defaults.yaml
+++ /dev/null
@@ -1,5 +0,0 @@
-idh:
- opencanary:
- config:
- vnc.enabled: true
- vnc.port: 5900
\ No newline at end of file
diff --git a/salt/idh/idh.conf.jinja b/salt/idh/idh.conf.jinja
index fcc000379..f10cdc418 100644
--- a/salt/idh/idh.conf.jinja
+++ b/salt/idh/idh.conf.jinja
@@ -1 +1 @@
-{{ OPENCANARYCONFIG | tojson(True) }}
\ No newline at end of file
+{{ OPENCANARYCONFIG | tojson(True) | replace("_x_", ".") }}
diff --git a/salt/idh/init.sls b/salt/idh/init.sls
index 2cf22c358..20a6412ce 100644
--- a/salt/idh/init.sls
+++ b/salt/idh/init.sls
@@ -7,7 +7,8 @@
 {% if sls in allowed_states %}
 {% import_yaml 'docker/defaults.yaml' as DOCKERDEFAULTS %}
 {% from 'vars/globals.map.jinja' import GLOBALS %}
-{% set RESTRICTIDHSERVICES = salt['pillar.get']('idh:restrict_management_ip', False) %}
+{% from 'idh/opencanary_config.map.jinja' import RESTRICTIDHSERVICES %}
+{% from 'idh/opencanary_config.map.jinja' import OPENCANARYCONFIG %}
 include:
 - idh.openssh.config
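Review bot: `replace("_x_", ".")` runs over the serialised JSON text, so it rewrites values as well as keys; banners, `telnet_x_honeycreds` passwords, `tcpbanner_1_x_keep_alive_secret` and the log paths are all pillar-editable (this same change exposes them in the SOC UI), and any of them containing the literal `_x_` would be silently altered in the rendered opencanary.conf, while the intent is plainly the key renaming alone. Rename the keys on the mapping before serialising and leave values untouched; only the top-level keys carry the placeholder in defaults.yaml, so a shallow pass is enough. Add a one-line comment explaining the placeholder so the rewrite is not mistaken for a typo fix.

```jinja
{#- keys use _x_ as a stand-in for '.' so they can be addressed from pillar/SOC; map them back here, keys only #}
{%- set CONF = {} %}
{%- for key, value in OPENCANARYCONFIG.items() %}
{%-   do CONF.update({key | replace("_x_", "."): value}) %}
{%- endfor %}
{{ CONF | tojson(True) }}
```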
@@ -15,23 +16,22 @@ include:
 # If True, block IDH Services from accepting connections on Managment IP
 {% if RESTRICTIDHSERVICES %}
- {% from 'idh/opencanary_config.map.jinja' import OPENCANARYCONFIG %}
- {% set idh_services = salt['pillar.get']('idh:services', []) %}
+ {% from 'idh/opencanary_config.map.jinja' import IDH_SERVICES %}
- {% for service in idh_services %}
+ {% for service in IDH_SERVICES %}
 {% if service in ["smnp","ntp", "tftp"] %}
 {% set proto = 'udp' %}
 {% else %}
 {% set proto = 'tcp' %}
 {% endif %}
-block_mgt_ip_idh_services_{{ proto }}_{{ OPENCANARYCONFIG[service~'.port'] }} :
+block_mgt_ip_idh_services_{{ proto }}_{{ OPENCANARYCONFIG[service~'_x_port'] }} :
 iptables.insert:
 - table: filter
 - chain: INPUT
 - jump: DROP
 - position: 1
 - proto: {{ proto }}
- - dport: {{ OPENCANARYCONFIG[service~'.port'] }}
+ - dport: {{ OPENCANARYCONFIG[service~'_x_port'] }}
 - destination: {{ GLOBALS.node_ip }}
 {% endfor %}
 {% endif %}
@@ -52,7 +52,6 @@ configdir:
 - group: 939
 - makedirs: True
-{% from 'idh/opencanary_config.map.jinja' import OPENCANARYCONFIG with context %}
 opencanary_config:
 file.managed:
 - name: /opt/so/conf/idh/opencanary.conf
diff --git a/salt/idh/opencanary_config.map.jinja b/salt/idh/opencanary_config.map.jinja
index cb601c163..a8b85adbf 100644
--- a/salt/idh/opencanary_config.map.jinja
+++ b/salt/idh/opencanary_config.map.jinja
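Review bot: Walking the static `IDH_SERVICES` list renders a `block_mgt_ip_idh_services_*` DROP rule for every listed service whether or not it is enabled, while the map file only builds a portgroup for enabled ones; mirror that gate here so the two stay in step, by wrapping the state in `{% if OPENCANARYCONFIG[service ~ '_x_enabled'] %}` … `{% endif %}` inside the for loop. The proto selector on the context line `{% if service in ["smnp","ntp", "tftp"] %}` still misspells snmp, so snmp falls into the tcp branch and the rule drops tcp/161 while the honeypot's udp/161 stays reachable on the management IP even with `restrict_management_ip` true; the commit edits the adjacent lines and is the place to correct it to `"snmp"`. The state ID is built from proto and port only, so two enabled services configured to the same port would render a duplicate ID; a comment noting that assumption, or the service name in the ID, would make the failure mode visible. The `{% if sls in allowed_states %}` enclosing this block opens before the hunk.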
@@ -1,23 +1,44 @@
-{% set idh_services = salt['pillar.get']('idh:services', []) %}
+{# this list of services is used to loop through and add fw rules if the service is enabled #}
+{# smb is not in this list since it does not need any ports open #}
+{% set IDH_SERVICES = [
+ 'ftp',
+ 'git',
+ 'http',
+ 'httpproxy',
+ 'mssql',
+ 'mysql',
+ 'ntp',
+ 'redis',
+ 'sip',
+ 'snmp',
+ 'ssh',
+ 'telnet',
+ 'tftp',
+ 'vnc'
+] %}
 {% set IDH_PORTGROUPS = {} %}
-{% import_yaml "idh/defaults/defaults.yaml" as IDHCONFIG with context %}
-{% for service in idh_services %}
- {% import_yaml "idh/defaults/" ~ service ~ ".defaults.yaml" as SERVICECONFIG with context %}
- {% do salt['defaults.merge'](IDHCONFIG, SERVICECONFIG, in_place=True) %}
-{% endfor %}
-
+{% import_yaml "idh/defaults.yaml" as IDHCONFIG with context %}
+{% set RESTRICTIDHSERVICES = salt['pillar.get']('idh:restrict_management_ip', default=IDHCONFIG.idh.restrict_management_ip) %}
 {% set OPENCANARYCONFIG = salt['pillar.get']('idh:opencanary:config', default=IDHCONFIG.idh.opencanary.config, merge=True) %}
+{# update skinlist to skin.list to avoid issues with SOC UI config #}
+{% set HTTPSKINLIST = OPENCANARYCONFIG.pop('http_x_skinlist') %}
+{% set HTTPPROXYSKINLIST = OPENCANARYCONFIG.pop('httpproxy_x_skinlist') %}
+{% do OPENCANARYCONFIG.update({'http_x_skin_x_list': HTTPSKINLIST}) %}
+{% do OPENCANARYCONFIG.update({'httpproxy_x_skin_x_list': HTTPPROXYSKINLIST}) %}
+
 {% set OPENSSH = salt['pillar.get']('idh:openssh', default=IDHCONFIG.idh.openssh, merge=True) %}
-{% for service in idh_services %}
+{% for service in IDH_SERVICES %}
 {% if service in ["smnp","ntp", "tftp"] %}
 {% set proto = 'udp' %}
 {% else %}
 {% set proto = 'tcp' %}
 {% endif %}
- {% do IDH_PORTGROUPS.update({'idh_' ~ service: {proto: [OPENCANARYCONFIG[service ~ '.port']]}}) %}
+ {% if OPENCANARYCONFIG[service ~ '_x_enabled'] %}
+ {% do IDH_PORTGROUPS.update({'idh_' ~ service: {proto: [OPENCANARYCONFIG[service ~ '_x_port']]}}) %}
+ {% endif %}
 {% endfor %}
 {% do IDH_PORTGROUPS.update({'openssh': {'tcp': [OPENSSH.config.port]}}) %}
diff --git a/salt/idh/openssh/map.jinja b/salt/idh/openssh/map.jinja
index 4bb99bc03..bd8fbe316 100644
--- a/salt/idh/openssh/map.jinja
+++ b/salt/idh/openssh/map.jinja
@@ -1,4 +1,4 @@
-{% import_yaml "idh/defaults/defaults.yaml" as idh_defaults with context %}
+{% import_yaml "idh/defaults.yaml" as idh_defaults with context %}
 {% set openssh_map = salt['grains.filter_by']({
 'Debian': {
diff --git a/salt/idh/soc_idh.yaml b/salt/idh/soc_idh.yaml
new file mode 100644
index 000000000..8345ad761
--- /dev/null
+++ b/salt/idh/soc_idh.yaml
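Review bot: `"smnp"` in the context line `{% if service in ["smnp","ntp", "tftp"] %}` never matches the `'snmp'` entry added to `IDH_SERVICES`, so an enabled snmp honeypot yields a portgroup of `{'tcp': [161]}` and its udp/161 listener is never opened in the firewall; the new `_x_enabled` gate is what now feeds this loop into the portgroups, so correct it to `{% if service in ["snmp", "ntp", "tftp"] %}` (idh/init.sls carries the same typo). The header comment says smb is the only service left out of the list, but `tcpbanner_1`, which has `_x_enabled`/`_x_port` keys in defaults.yaml, is also absent, so enabling it opens no port; if that is intended the comment should say so, otherwise add it. The `_x_` key convention is explained nowhere in the map; a comment above the import_yaml line such as `{# keys use _x_ where opencanary expects '.' so they can be addressed from pillar and the SOC UI; idh.conf.jinja maps them back #}` would make the key names self-explaining.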
@@ -0,0 +1,131 @@
+idh:
+ opencanary:
+ config:
+ logger:
+ class: &loggingOptions
+ description: Logging options for IDH nodes.
+ readonly: True
+ advanced: True
+ global: True
+ helpLink: idh.html
+ kwargs:
+ formatters:
+ plain:
+ format: *loggingOptions
+ handlers:
+ console:
+ class: *loggingOptions
+ stream: *loggingOptions
+ file:
+ class: *loggingOptions
+ filename: *loggingOptions
+ portscan_x_enabled: &serviceOptions
+ description: To enable this IDH service set this value to true. To disable set to false.
+ helpLink: idh.html
+ portscan_x_logfile: *loggingOptions
+ portscan_x_synrate:
+ description: Needs update
+ advanced: True
+ helpLink: idh.html
+ portscan_x_nmaposrate:
+ description: Needs update
+ advanced: True
+ helpLink: idh.html
+ portscan_x_lorate:
+ description: Needs update
+ advanced: True
+ helpLink: idh.html
+ tcpbanner_x_maxnum:
+ description: Needs update
+ advanced: True
+ helpLink: idh.html
+ tcpbanner_x_enabled: *serviceOptions
+ tcpbanner_1_x_enabled: *serviceOptions
+ tcpbanner_1_x_port: &portOptions
+ description: Defined port the service should listen on.
+ advanced: True
+ helpLink: idh.html
+ tcpbanner_1_x_datareceivedbanner: &bannerOptions
+ description: Needs update
+ advanced: True
+ helpLink: idh.html
+ tcpbanner_1_x_initbanner: *bannerOptions
+ tcpbanner_1_x_alertstring_x_enabled: *serviceOptions
+ tcpbanner_1_x_keep_alive_x_enabled: *serviceOptions
+ tcpbanner_1_x_keep_alive_secret:
+ description: Needs update
+ advanced: True
+ helpLink: idh.html
+ tcpbanner_1_x_keep_alive_probes:
+ description: Needs update
+ advanced: True
+ helpLink: idh.html
+ tcpbanner_1_x_keep_alive_interval:
+ description: Needs update
+ advanced: True
+ helpLink: idh.html
+ tcpbanner_1_x_keep_alive_idle:
+ description: Needs update
+ advanced: True
+ helpLink: idh.html
+ ftp_x_enabled: *serviceOptions
+ ftp_x_port: *portOptions
+ ftp_x_banner: *bannerOptions
+ git_x_enabled: *serviceOptions
+ git_x_port: *portOptions
+ http_x_banner: *bannerOptions
+ http_x_enabled: *serviceOptions
+ http_x_port: *portOptions
+ http_x_skin: &skinOptions
+ description:
+ advanced: True
+ helplink: idh.html
+ http_x_skinlist: &skinlistOptions
+ description: List of skins to use for the service.
+ advanced: True
+ helpLink: idh.html
+ httpproxy_x_enabled: *serviceOptions
+ httpproxy_x_port: *portOptions
+ httpproxy_x_skin: *skinOptions
+ httpproxy_x_skinlist: *skinlistOptions
+ mssql_x_enabled: *serviceOptions
+ mssql_x_version: &versionOptions
+ description: Specify the version the service should present.
+ advanced: True
+ helpLink: idh.html
+ mssql_x_port: *portOptions
+ mysql_x_enabled: *serviceOptions
+ mysql_x_port: *portOptions
+ mysql_x_banner: *bannerOptions
+ ntp_x_enabled: *serviceOptions
+ ntp_x_port: *portOptions
+ redis_x_enabled: *serviceOptions
+ redis_x_port: *portOptions
+ sip_x_enabled: *serviceOptions
+ sip_x_port: *portOptions
+ smb_x_auditfile: *loggingOptions
+ smb_x_enabled: *serviceOptions
+ snmp_x_enabled: *serviceOptions
+ snmp_x_port: *portOptions
+ ssh_x_enabled: *serviceOptions
+ ssh_x_port: *portOptions
+ ssh_x_version: *versionOptions
+ telnet_x_enabled: *serviceOptions
+ telnet_x_port: *portOptions
+ telnet_x_banner: *bannerOptions
+ telnet_x_honeycreds:
+ description: Credentials list for the telnet service.
+ advanced: True
+ helpLink: idh.html
+ tftp_x_enabled: *serviceOptions
+ tftp_x_port: *portOptions
+ vnc_x_enabled: *serviceOptions
+ vnc_x_port: *portOptions
+ openssh:
+ enable:
+ description: This is the other SSH for the host machine. Needs better descirption.
+ helpLink: idh.html
+ config:
+ port:
+ description: Port that ssh will listen on and only accessible from the manager.
+ helpLink: idh.html
diff --git a/setup/so-functions b/setup/so-functions
index de7eaa57f..18db0b7b4 100755
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -1311,18 +1311,6 @@ import_registry_docker() {
 idh_pillar() {
 touch $adv_idh_pillar_file
- title "Create the IDH Pillar"
- printf '%s\n'\
- "idh:"\
- " listen_on_mgnt_int: True"\
- " services:"\
- " - HTTP"\
- " - FTP"\
- " - MYSQL"\
- " - MSSQL"\
- " - VNC"\
- " - SSH" > "$idh_pillar_file"
-
 }
 logstash_pillar() {
diff --git a/setup/so-setup b/setup/so-setup
index 88a2fd045..06c156305 100755
--- a/setup/so-setup
+++ b/setup/so-setup
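Review bot: The `&skinOptions` anchor defined at `http_x_skin` carries an empty `description:` (which parses as null) and spells the help key `helplink` while every other entry uses `helpLink`; `httpproxy_x_skin: *skinOptions` aliases it, so both UI fields inherit the blank text and the odd-one-out key. Suggest `description: Skin the honeypot presents to clients; must be one of the name values in the matching skinlist.` and `helpLink: idh.html`. `openssh.enable` still reads `Needs better descirption`; since this toggles the node's real sshd rather than a honeypot, the text should make that distinction, e.g. `Enables the real OpenSSH management daemon on the IDH node (port set by openssh.config.port); the port-22 SSH honeypot is opencanary's ssh service.` The `Needs update` placeholders on the portscan and tcpbanner_1 options ship straight into the UI and should at least state what each value controls before this lands.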
@@ -475,7 +475,7 @@ if ! [[ -f $install_opt_file ]]; then
 collect_mngr_hostname
 add_mngr_ip_to_hosts
 check_manager_connection
- collect_idh_services
+ #collect_idh_services (this may be added back sometime in the future)
 collect_idh_preferences
 set_minion_info
 whiptail_end_settings
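Review bot: Commenting out the call as `#collect_idh_services (this may be added back sometime in the future)` leaves dead code with its rationale glued to the same line, which is easy to overlook and hard to grep; a TODO on its own line reads better, e.g. `# TODO: re-enable collect_idh_services if per-service selection returns; services are now gated by the *_x_enabled pillar keys`. If `collect_idh_services` is still defined in so-functions (not visible here) it is now unreferenced and could go along with the `idh_pillar` body this commit drops. The enclosing `if ! [[ -f $install_opt_file ]]` block continues beyond the hunk.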