From 725f5414ba399978df74485d6e1c412e584409b4 Mon Sep 17 00:00:00 2001 
From: m0duspwnens Date: Fri, 28 Apr 2023 15:30:18 -0400 Subject: [PATCH 01/10] fw rework for ui, still need to add idh to map --- salt/firewall/assigned_hostgroups.map.yaml | 607 --------- salt/firewall/defaults.yaml | 1143 +++++++++++++++++ salt/firewall/hostgroups/analyst | 0 salt/firewall/hostgroups/analyst_workstations | 0 salt/firewall/hostgroups/anywhere | 1 - salt/firewall/hostgroups/beats_endpoint | 0 salt/firewall/hostgroups/beats_endpoint_ssl | 0 salt/firewall/hostgroups/dockernet | 2 - .../hostgroups/elastic_agent_endpoint | 0 salt/firewall/hostgroups/elasticsearch_rest | 0 salt/firewall/hostgroups/endgame | 0 salt/firewall/hostgroups/eval | 0 salt/firewall/hostgroups/fleet | 0 salt/firewall/hostgroups/heavynodes | 0 salt/firewall/hostgroups/idh | 0 salt/firewall/hostgroups/localhost | 1 - salt/firewall/hostgroups/manager | 0 salt/firewall/hostgroups/receivers | 0 salt/firewall/hostgroups/searchnodes | 0 salt/firewall/hostgroups/self | 2 - salt/firewall/hostgroups/sensors | 0 salt/firewall/hostgroups/standalone | 0 salt/firewall/hostgroups/strelka_frontend | 0 salt/firewall/hostgroups/syslog | 0 salt/firewall/iptables.jinja | 40 +- salt/firewall/map.jinja | 66 +- salt/firewall/ports/ports.yaml | 81 -- salt/firewall/soc/defaults_soc_firewall.yaml | 136 -- salt/firewall/soc/init.sls | 5 - salt/firewall/soc/soc.map.jinja | 9 - salt/firewall/soc/soc_firewall.yaml.jinja | 2 - salt/firewall/soc_firewall.yaml | 902 +++++++++++++ 32 files changed, 2070 insertions(+), 927 deletions(-) delete mode 100644 salt/firewall/assigned_hostgroups.map.yaml create mode 100644 salt/firewall/defaults.yaml delete mode 100644 salt/firewall/hostgroups/analyst delete mode 100644 salt/firewall/hostgroups/analyst_workstations delete mode 100644 salt/firewall/hostgroups/anywhere delete mode 100644 salt/firewall/hostgroups/beats_endpoint delete mode 100644 salt/firewall/hostgroups/beats_endpoint_ssl delete mode 100644 salt/firewall/hostgroups/dockernet delete mode 100644 
salt/firewall/hostgroups/elastic_agent_endpoint
delete mode 100644 salt/firewall/hostgroups/elasticsearch_rest
delete mode 100644 salt/firewall/hostgroups/endgame
delete mode 100644 salt/firewall/hostgroups/eval
delete mode 100644 salt/firewall/hostgroups/fleet
delete mode 100644 salt/firewall/hostgroups/heavynodes
delete mode 100644 salt/firewall/hostgroups/idh
delete mode 100644 salt/firewall/hostgroups/localhost
delete mode 100644 salt/firewall/hostgroups/manager
delete mode 100644 salt/firewall/hostgroups/receivers
delete mode 100644 salt/firewall/hostgroups/searchnodes
delete mode 100644 salt/firewall/hostgroups/self
delete mode 100644 salt/firewall/hostgroups/sensors
delete mode 100644 salt/firewall/hostgroups/standalone
delete mode 100644 salt/firewall/hostgroups/strelka_frontend
delete mode 100644 salt/firewall/hostgroups/syslog
delete mode 100644 salt/firewall/ports/ports.yaml
delete mode 100644 salt/firewall/soc/defaults_soc_firewall.yaml
delete mode 100644 salt/firewall/soc/init.sls
delete mode 100644 salt/firewall/soc/soc.map.jinja
delete mode 100644 salt/firewall/soc/soc_firewall.yaml.jinja
create mode 100644 salt/firewall/soc_firewall.yaml
diff --git a/salt/firewall/assigned_hostgroups.map.yaml b/salt/firewall/assigned_hostgroups.map.yaml
deleted file mode 100644
index b9a8f7fb2..000000000
--- a/salt/firewall/assigned_hostgroups.map.yaml
+++ /dev/null
@@ -1,607 +0,0 @@ -{% set ISAIRGAP = salt['pillar.get']('global:airgap', 'False') %} -{% import_yaml 'firewall/ports/ports.yaml' as portgroups %} -{% set portgroups = portgroups.firewall.ports %} -{% set TRUE_CLUSTER = salt['pillar.get']('elasticsearch:true_cluster', True) %} -{% from 'idh/opencanary_config.map.jinja' import IDH_PORTGROUPS %} - -role: - eval: - chain: - DOCKER-USER: - hostgroups: - eval: - portgroups: - - {{ portgroups.playbook }} - - {{ portgroups.mysql }} - - {{ portgroups.kibana }} - - {{ portgroups.redis }} - - {{ portgroups.influxdb }} - - {{ portgroups.elasticsearch_rest }} - - {{ portgroups.elasticsearch_node }} - sensors: - portgroups: - - {{ portgroups.beats_5044 }} - - {{ portgroups.beats_5644 }} - searchnodes: - portgroups: - - {{ portgroups.redis }} - - {{ portgroups.elasticsearch_node }} - heavynodes: - portgroups: - - {{ portgroups.redis }} - - {{ portgroups.elasticsearch_node }} - self: - portgroups: - - {{ portgroups.syslog}} - beats_endpoint: - portgroups: - - {{ portgroups.beats_5044 }} - beats_endpoint_ssl: - portgroups: - - {{ portgroups.beats_5644 }} - elasticsearch_rest: - portgroups: - - {{ portgroups.elasticsearch_rest }} - elastic_agent_endpoint: - portgroups: - - {{ portgroups.elastic_agent_control }} - - {{ portgroups.elastic_agent_data }} - strelka_frontend: - portgroups: - - {{ portgroups.strelka_frontend }} - syslog: - portgroups: - - {{ portgroups.syslog }} - analyst: - portgroups: - - {{ portgroups.nginx }} - INPUT: - hostgroups: - anywhere: - portgroups: - - {{ portgroups.ssh }} - dockernet: - portgroups: - - {{ portgroups.all }} - localhost: - portgroups: - - {{ portgroups.all }} - fleet: - chain: - DOCKER-USER: - hostgroups: - sensors: - portgroups: - - {{ portgroups.elastic_agent_control }} - - {{ portgroups.elastic_agent_data }} - elastic_agent_endpoint: - portgroups: - - {{ portgroups.elastic_agent_control }} - - {{ portgroups.elastic_agent_data }} - INPUT: - hostgroups: - anywhere: - portgroups: - - {{ 
portgroups.ssh }} - dockernet: - portgroups: - - {{ portgroups.all }} - localhost: - portgroups: - - {{ portgroups.all }} - standalone: - portgroups: - - {{ portgroups.salt_manager }} - sensors: - portgroups: - - {{ portgroups.salt_manager }} - searchnodes: - portgroups: - - {{ portgroups.salt_manager }} - heavynodes: - portgroups: - - {{ portgroups.salt_manager }} - manager: - chain: - DOCKER-USER: - hostgroups: - manager: - portgroups: - - {{ portgroups.playbook }} - - {{ portgroups.mysql }} - - {{ portgroups.kibana }} - - {{ portgroups.redis }} - - {{ portgroups.influxdb }} - - {{ portgroups.elasticsearch_rest }} - - {{ portgroups.elasticsearch_node }} - - {{ portgroups.docker_registry }} - - {{ portgroups.elastic_agent_control }} - - {{ portgroups.elastic_agent_data }} - {% if ISAIRGAP is sameas true %} - - {{ portgroups.agrules }} - {% endif %} - sensors: - portgroups: - - {{ portgroups.beats_5044 }} - - {{ portgroups.beats_5644 }} - - {{ portgroups.elastic_agent_control }} - - {{ portgroups.elastic_agent_data }} - - {{ portgroups.yum }} - - {{ portgroups.docker_registry }} - - {{ portgroups.influxdb }} - searchnodes: - portgroups: - - {{ portgroups.redis }} - - {{ portgroups.elasticsearch_rest }} - - {{ portgroups.elasticsearch_node }} - - {{ portgroups.beats_5644 }} - - {{ portgroups.yum }} - - {{ portgroups.docker_registry }} - - {{ portgroups.influxdb }} - - {{ portgroups.elastic_agent_control }} - - {{ portgroups.elastic_agent_data }} - heavynodes: - portgroups: - - {{ portgroups.redis }} - - {{ portgroups.elasticsearch_rest }} - - {{ portgroups.elasticsearch_node }} - - {{ portgroups.beats_5644 }} - - {{ portgroups.yum }} - - {{ portgroups.docker_registry }} - - {{ portgroups.influxdb }} - - {{ portgroups.elastic_agent_control }} - - {{ portgroups.elastic_agent_data }} - self: - portgroups: - - {{ portgroups.syslog}} - syslog: - portgroups: - - {{ portgroups.syslog }} - beats_endpoint: - portgroups: - - {{ portgroups.beats_5044 }} - beats_endpoint_ssl: - 
portgroups: - - {{ portgroups.beats_5644 }} - elasticsearch_rest: - portgroups: - - {{ portgroups.elasticsearch_rest }} - elastic_agent_endpoint: - portgroups: - - {{ portgroups.elastic_agent_control }} - - {{ portgroups.elastic_agent_data }} - endgame: - portgroups: - - {{ portgroups.endgame }} - analyst: - portgroups: - - {{ portgroups.nginx }} - INPUT: - hostgroups: - anywhere: - portgroups: - - {{ portgroups.ssh }} - dockernet: - portgroups: - - {{ portgroups.all }} - localhost: - portgroups: - - {{ portgroups.all }} - sensors: - portgroups: - - {{ portgroups.salt_manager }} - searchnodes: - portgroups: - - {{ portgroups.salt_manager }} - heavynodes: - portgroups: - - {{ portgroups.salt_manager }} - managersearch: - chain: - DOCKER-USER: - hostgroups: - managersearch: - portgroups: - - {{ portgroups.playbook }} - - {{ portgroups.mysql }} - - {{ portgroups.kibana }} - - {{ portgroups.redis }} - - {{ portgroups.influxdb }} - - {{ portgroups.elasticsearch_rest }} - - {{ portgroups.elasticsearch_node }} - - {{ portgroups.docker_registry }} - - {{ portgroups.elastic_agent_control }} - - {{ portgroups.elastic_agent_data }} - sensors: - portgroups: - - {{ portgroups.beats_5044 }} - - {{ portgroups.beats_5644 }} - - {{ portgroups.elastic_agent_control }} - - {{ portgroups.elastic_agent_data }} - - {{ portgroups.yum }} - - {{ portgroups.docker_registry }} - - {{ portgroups.influxdb }} - searchnodes: - portgroups: - - {{ portgroups.redis }} - - {{ portgroups.elasticsearch_rest }} - - {{ portgroups.elasticsearch_node }} - - {{ portgroups.yum }} - - {{ portgroups.docker_registry }} - - {{ portgroups.influxdb }} - - {{ portgroups.elastic_agent_control }} - - {{ portgroups.elastic_agent_data }} - heavynodes: - portgroups: - - {{ portgroups.redis }} - - {{ portgroups.elasticsearch_rest }} - - {{ portgroups.elasticsearch_node }} - - {{ portgroups.yum }} - - {{ portgroups.docker_registry }} - - {{ portgroups.influxdb }} - - {{ portgroups.elastic_agent_control }} - - {{ 
portgroups.elastic_agent_data }} - self: - portgroups: - - {{ portgroups.syslog}} - beats_endpoint: - portgroups: - - {{ portgroups.beats_5044 }} - beats_endpoint_ssl: - portgroups: - - {{ portgroups.beats_5644 }} - elasticsearch_rest: - portgroups: - - {{ portgroups.elasticsearch_rest }} - elastic_agent_endpoint: - portgroups: - - {{ portgroups.elastic_agent_control }} - - {{ portgroups.elastic_agent_data }} - endgame: - portgroups: - - {{ portgroups.endgame }} - syslog: - portgroups: - - {{ portgroups.syslog }} - analyst: - portgroups: - - {{ portgroups.nginx }} - INPUT: - hostgroups: - anywhere: - portgroups: - - {{ portgroups.ssh }} - dockernet: - portgroups: - - {{ portgroups.all }} - localhost: - portgroups: - - {{ portgroups.all }} - sensors: - portgroups: - - {{ portgroups.salt_manager }} - searchnodes: - portgroups: - - {{ portgroups.salt_manager }} - heavynodes: - portgroups: - - {{ portgroups.salt_manager }} - standalone: - chain: - DOCKER-USER: - hostgroups: - localhost: - portgroups: - - {{ portgroups.all }} - standalone: - portgroups: - - {{ portgroups.playbook }} - - {{ portgroups.mysql }} - - {{ portgroups.kibana }} - - {{ portgroups.redis }} - - {{ portgroups.influxdb }} - - {{ portgroups.elasticsearch_rest }} - - {{ portgroups.elasticsearch_node }} - - {{ portgroups.docker_registry }} - - {{ portgroups.sensoroni }} - - {{ portgroups.yum }} - - {{ portgroups.beats_5044 }} - - {{ portgroups.beats_5644 }} - - {{ portgroups.beats_5056 }} - - {{ portgroups.redis }} - - {{ portgroups.elasticsearch_node }} - - {{ portgroups.elastic_agent_control }} - - {{ portgroups.elastic_agent_data }} - - {{ portgroups.endgame }} - - {{ portgroups.strelka_frontend }} - fleet: - portgroups: - - {{ portgroups.elasticsearch_rest }} - - {{ portgroups.docker_registry }} - - {{ portgroups.influxdb }} - - {{ portgroups.sensoroni }} - - {{ portgroups.yum }} - - {{ portgroups.beats_5044 }} - - {{ portgroups.beats_5644 }} - - {{ portgroups.beats_5056 }} - - {{ 
portgroups.elastic_agent_control }} - - {{ portgroups.elastic_agent_data }} - sensors: - portgroups: - - {{ portgroups.docker_registry }} - - {{ portgroups.influxdb }} - - {{ portgroups.sensoroni }} - - {{ portgroups.yum }} - - {{ portgroups.beats_5044 }} - - {{ portgroups.beats_5644 }} - - {{ portgroups.beats_5056 }} - - {{ portgroups.elastic_agent_control }} - - {{ portgroups.elastic_agent_data }} - searchnodes: - portgroups: - - {{ portgroups.docker_registry }} - - {{ portgroups.influxdb }} - - {{ portgroups.sensoroni }} - - {{ portgroups.yum }} - - {{ portgroups.redis }} - - {{ portgroups.elasticsearch_rest }} - - {{ portgroups.elasticsearch_node }} - heavynodes: - portgroups: - - {{ portgroups.docker_registry }} - - {{ portgroups.influxdb }} - - {{ portgroups.sensoroni }} - - {{ portgroups.yum }} - - {{ portgroups.redis }} - - {{ portgroups.elasticsearch_rest }} - - {{ portgroups.elasticsearch_node }} - self: - portgroups: - - {{ portgroups.syslog}} - beats_endpoint: - portgroups: - - {{ portgroups.beats_5044 }} - beats_endpoint_ssl: - portgroups: - - {{ portgroups.beats_5644 }} - elasticsearch_rest: - portgroups: - - {{ portgroups.elasticsearch_rest }} - elastic_agent_endpoint: - portgroups: - - {{ portgroups.elastic_agent_control }} - - {{ portgroups.elastic_agent_data }} - endgame: - portgroups: - - {{ portgroups.endgame }} - strelka_frontend: - portgroups: - - {{ portgroups.strelka_frontend }} - syslog: - portgroups: - - {{ portgroups.syslog }} - analyst: - portgroups: - - {{ portgroups.nginx }} - INPUT: - hostgroups: - anywhere: - portgroups: - - {{ portgroups.ssh }} - dockernet: - portgroups: - - {{ portgroups.all }} - fleet: - portgroups: - - {{ portgroups.salt_manager }} - localhost: - portgroups: - - {{ portgroups.all }} - standalone: - portgroups: - - {{ portgroups.salt_manager }} - sensors: - portgroups: - - {{ portgroups.salt_manager }} - searchnodes: - portgroups: - - {{ portgroups.salt_manager }} - heavynodes: - portgroups: - - {{ 
portgroups.salt_manager }} - searchnode: - chain: - DOCKER-USER: - hostgroups: - manager: - portgroups: - - {{ portgroups.elasticsearch_node }} - - {{ portgroups.elasticsearch_rest }} - dockernet: - portgroups: - - {{ portgroups.elasticsearch_node }} - - {{ portgroups.elasticsearch_rest }} - elasticsearch_rest: - portgroups: - - {{ portgroups.elasticsearch_rest }} - searchnodes: - portgroups: - - {{ portgroups.elasticsearch_node }} - self: - portgroups: - - {{ portgroups.syslog}} - INPUT: - hostgroups: - anywhere: - portgroups: - - {{ portgroups.ssh }} - dockernet: - portgroups: - - {{ portgroups.all }} - localhost: - portgroups: - - {{ portgroups.all }} - sensor: - chain: - DOCKER-USER: - hostgroups: - self: - portgroups: - - {{ portgroups.syslog}} - strelka_frontend: - portgroups: - - {{ portgroups.strelka_frontend }} - INPUT: - hostgroups: - anywhere: - portgroups: - - {{ portgroups.ssh }} - dockernet: - portgroups: - - {{ portgroups.all }} - localhost: - portgroups: - - {{ portgroups.all }} - heavynode: - chain: - DOCKER-USER: - hostgroups: - manager: - portgroups: - - {{ portgroups.elasticsearch_node }} - - {{ portgroups.elasticsearch_rest }} - dockernet: - portgroups: - - {{ portgroups.elasticsearch_node }} - - {{ portgroups.elasticsearch_rest }} - elasticsearch_rest: - portgroups: - - {{ portgroups.elasticsearch_rest }} - self: - portgroups: - - {{ portgroups.syslog}} - - {{ portgroups.elasticsearch_node }} - - {{ portgroups.elasticsearch_rest }} - strelka_frontend: - portgroups: - - {{ portgroups.strelka_frontend }} - INPUT: - hostgroups: - anywhere: - portgroups: - - {{ portgroups.ssh }} - dockernet: - portgroups: - - {{ portgroups.all }} - localhost: - portgroups: - - {{ portgroups.all }} - import: - chain: - DOCKER-USER: - hostgroups: - manager: - portgroups: - - {{ portgroups.kibana }} - - {{ portgroups.redis }} - - {{ portgroups.influxdb }} - - {{ portgroups.elasticsearch_rest }} - - {{ portgroups.elasticsearch_node }} - - {{ 
portgroups.elastic_agent_control }} - sensors: - portgroups: - - {{ portgroups.beats_5044 }} - - {{ portgroups.beats_5644 }} - searchnodes: - portgroups: - - {{ portgroups.redis }} - - {{ portgroups.elasticsearch_node }} - beats_endpoint: - portgroups: - - {{ portgroups.beats_5044 }} - beats_endpoint_ssl: - portgroups: - - {{ portgroups.beats_5644 }} - elasticsearch_rest: - portgroups: - - {{ portgroups.elasticsearch_rest }} - elastic_agent_endpoint: - portgroups: - - {{ portgroups.elastic_agent_control }} - - {{ portgroups.elastic_agent_data }} - analyst: - portgroups: - - {{ portgroups.nginx }} - INPUT: - hostgroups: - anywhere: - portgroups: - - {{ portgroups.ssh }} - dockernet: - portgroups: - - {{ portgroups.all }} - localhost: - portgroups: - - {{ portgroups.all }} - receiver: - chain: - DOCKER-USER: - hostgroups: - sensors: - portgroups: - - {{ portgroups.beats_5644 }} - searchnodes: - portgroups: - - {{ portgroups.redis }} - - {{ portgroups.beats_5644 }} - self: - portgroups: - - {{ portgroups.redis }} - - {{ portgroups.syslog}} - - {{ portgroups.beats_5644 }} - syslog: - portgroups: - - {{ portgroups.syslog }} - beats_endpoint: - portgroups: - - {{ portgroups.beats_5044 }} - beats_endpoint_ssl: - portgroups: - - {{ portgroups.beats_5644 }} - endgame: - portgroups: - - {{ portgroups.endgame }} - INPUT: - hostgroups: - anywhere: - portgroups: - - {{ portgroups.ssh }} - dockernet: - portgroups: - - {{ portgroups.all }} - localhost: - portgroups: - - {{ portgroups.all }} - idh: - chain: - INPUT: - hostgroups: - anywhere: - portgroups: - {% for service in IDH_PORTGROUPS.keys() %} - {% if service != 'openssh' %} - - {{ IDH_PORTGROUPS[service] }} - {% endif %} - {% endfor %} - dockernet: - portgroups: - - {{ portgroups.all }} - localhost: - portgroups: - - {{ portgroups.all }} - manager: - portgroups: - - {{ IDH_PORTGROUPS.openssh }} - standalone: - portgroups: - - {{ IDH_PORTGROUPS.openssh }} 
diff --git a/salt/firewall/defaults.yaml b/salt/firewall/defaults.yaml
new file mode 100644
index 000000000..0ddf5a7bb
--- /dev/null
+++ b/salt/firewall/defaults.yaml
@@ -0,0 +1,1143 @@ +firewall: + hostgroups: + analyst: [] + anywhere: + - 0.0.0.0/0 + beats_endpoint: [] + beats_endpoint_ssl: [] + dockernet: [] + elastic_agent_endpoint: [] + elasticsearch_rest: [] + endgame: [] + eval: [] + fleet: [] + heavynodes: [] + idh: [] + localhost: + - 127.0.0.1 + manager: [] + receivers: [] + searchnodes: [] + securityonion_desktops: [] + self: [] + sensors: [] + standalone: [] + strelka_frontend: [] + syslog: [] + customhostgroup0: [] + customhostgroup1: [] + customhostgroup2: [] + customhostgroup3: [] + customhostgroup4: [] + customhostgroup5: [] + customhostgroup6: [] + customhostgroup7: [] + customhostgroup8: [] + customhostgroup9: [] + portgroups: + all: + tcp: + - '0:65535' + udp: + - '0:65535' + agrules: + tcp: + - 7788 + udp: [] + beats_5044: + tcp: + - 5044 + udp: [] + beats_5644: + tcp: + - 5644 + udp: [] + beats_5066: + tcp: + - 5066 + udp: [] + beats_5056: + tcp: + - 5056 + udp: [] + docker_registry: + tcp: + - 5000 + udp: [] + elasticsearch_node: + tcp: + - 9300 + udp: [] + elasticsearch_rest: + tcp: + - 9200 + udp: [] + elastic_agent_control: + tcp: + - 8220 + udp: [] + elastic_agent_data: + tcp: + - 5055 + udp: [] + endgame: + tcp: + - 3765 + udp: [] + influxdb: + tcp: + - 8086 + udp: [] + kibana: + tcp: + - 5601 + udp: [] + mysql: + tcp: + - 3306 + udp: [] + nginx: + tcp: + - 80 + - 443 + udp: [] + playbook: + tcp: + - 3000 + udp: [] + redis: + tcp: + - 6379 + - 9696 + salt_manager: + tcp: + - 4505 + - 4506 + udp: [] + sensoroni: + tcp: + - 443 + udp: [] + ssh: + tcp: + - 22 + udp: [] + strelka_frontend: + tcp: + - 57314 + udp: [] + syslog: + tcp: + - 514 + udp: + - 514 + yum: + tcp: + - 443 + udp: [] + customportgroup0: + tcp: [] + udp: [] + customportgroup1: + tcp: [] + udp: [] + customportgroup2: + tcp: [] + udp: [] + customportgroup3: + tcp: [] + udp: [] + customportgroup4: + tcp: [] + udp: [] + customportgroup5: + tcp: [] + udp: [] + customportgroup6: + tcp: [] + udp: [] + customportgroup7: + tcp: [] + udp: [] + 
customportgroup8: + tcp: [] + udp: [] + customportgroup9: + tcp: [] + udp: [] + role: + eval: + chain: + DOCKER-USER: + hostgroups: + eval: + portgroups: + - playbook + - mysql + - kibana + - redis + - influxdb + - elasticsearch_rest + - elasticsearch_node + sensors: + portgroups: + - beats_5044 + - beats_5644 + searchnodes: + portgroups: + - redis + - elasticsearch_node + heavynodes: + portgroups: + - redis + - elasticsearch_node + self: + portgroups: + - syslog + beats_endpoint: + portgroups: + - beats_5044 + beats_endpoint_ssl: + portgroups: + - beats_5644 + elasticsearch_rest: + portgroups: + - elasticsearch_rest + elastic_agent_endpoint: + portgroups: + - elastic_agent_control + - elastic_agent_data + strelka_frontend: + portgroups: + - strelka_frontend + syslog: + portgroups: + - syslog + analyst: + portgroups: + - nginx + customhostgroup0: + portgroups: [] + customhostgroup1: + portgroups: [] + customhostgroup2: + portgroups: [] + customhostgroup3: + portgroups: [] + customhostgroup4: + portgroups: [] + customhostgroup5: + portgroups: [] + customhostgroup6: + portgroups: [] + customhostgroup7: + portgroups: [] + customhostgroup8: + portgroups: [] + customhostgroup9: + portgroups: [] + INPUT: + hostgroups: + anywhere: + portgroups: + - ssh + dockernet: + portgroups: + - all + localhost: + portgroups: + - all + customhostgroup0: + portgroups: [] + customhostgroup1: + portgroups: [] + customhostgroup2: + portgroups: [] + customhostgroup3: + portgroups: [] + customhostgroup4: + portgroups: [] + customhostgroup5: + portgroups: [] + customhostgroup6: + portgroups: [] + customhostgroup7: + portgroups: [] + customhostgroup8: + portgroups: [] + customhostgroup9: + portgroups: [] + fleet: + chain: + DOCKER-USER: + hostgroups: + sensors: + portgroups: + - elastic_agent_control + - elastic_agent_data + elastic_agent_endpoint: + portgroups: + - elastic_agent_control + - elastic_agent_data + customhostgroup0: + portgroups: [] + customhostgroup1: + portgroups: [] + 
customhostgroup2: + portgroups: [] + customhostgroup3: + portgroups: [] + customhostgroup4: + portgroups: [] + customhostgroup5: + portgroups: [] + customhostgroup6: + portgroups: [] + customhostgroup7: + portgroups: [] + customhostgroup8: + portgroups: [] + customhostgroup9: + portgroups: [] + INPUT: + hostgroups: + anywhere: + portgroups: + - ssh + dockernet: + portgroups: + - all + localhost: + portgroups: + - all + standalone: + portgroups: + - salt_manager + sensors: + portgroups: + - salt_manager + searchnodes: + portgroups: + - salt_manager + heavynodes: + portgroups: + - salt_manager + customhostgroup0: + portgroups: [] + customhostgroup1: + portgroups: [] + customhostgroup2: + portgroups: [] + customhostgroup3: + portgroups: [] + customhostgroup4: + portgroups: [] + customhostgroup5: + portgroups: [] + customhostgroup6: + portgroups: [] + customhostgroup7: + portgroups: [] + customhostgroup8: + portgroups: [] + customhostgroup9: + portgroups: [] + manager: + chain: + DOCKER-USER: + hostgroups: + manager: + portgroups: + - playbook + - mysql + - kibana + - redis + - influxdb + - elasticsearch_rest + - elasticsearch_node + - docker_registry + - elastic_agent_control + - elastic_agent_data + - agrules + sensors: + portgroups: + - beats_5044 + - beats_5644 + - elastic_agent_control + - elastic_agent_data + - yum + - docker_registry + - influxdb + searchnodes: + portgroups: + - redis + - elasticsearch_rest + - elasticsearch_node + - beats_5644 + - yum + - docker_registry + - influxdb + - elastic_agent_control + - elastic_agent_data + heavynodes: + portgroups: + - redis + - elasticsearch_rest + - elasticsearch_node + - beats_5644 + - yum + - docker_registry + - influxdb + - elastic_agent_control + - elastic_agent_data + self: + portgroups: + - syslog + syslog: + portgroups: + - syslog + beats_endpoint: + portgroups: + - beats_5044 + beats_endpoint_ssl: + portgroups: + - beats_5644 + elasticsearch_rest: + portgroups: + - elasticsearch_rest + 
elastic_agent_endpoint: + portgroups: + - elastic_agent_control + - elastic_agent_data + endgame: + portgroups: + - endgame + analyst: + portgroups: + - nginx + customhostgroup0: + portgroups: [] + customhostgroup1: + portgroups: [] + customhostgroup2: + portgroups: [] + customhostgroup3: + portgroups: [] + customhostgroup4: + portgroups: [] + customhostgroup5: + portgroups: [] + customhostgroup6: + portgroups: [] + customhostgroup7: + portgroups: [] + customhostgroup8: + portgroups: [] + customhostgroup9: + portgroups: [] + INPUT: + hostgroups: + anywhere: + portgroups: + - ssh + dockernet: + portgroups: + - all + localhost: + portgroups: + - all + sensors: + portgroups: + - salt_manager + searchnodes: + portgroups: + - salt_manager + heavynodes: + portgroups: + - salt_manager + customhostgroup0: + portgroups: [] + customhostgroup1: + portgroups: [] + customhostgroup2: + portgroups: [] + customhostgroup3: + portgroups: [] + customhostgroup4: + portgroups: [] + customhostgroup5: + portgroups: [] + customhostgroup6: + portgroups: [] + customhostgroup7: + portgroups: [] + customhostgroup8: + portgroups: [] + customhostgroup9: + portgroups: [] + managersearch: + chain: + DOCKER-USER: + hostgroups: + managersearch: + portgroups: + - playbook + - mysql + - kibana + - redis + - influxdb + - elasticsearch_rest + - elasticsearch_node + - docker_registry + - elastic_agent_control + - elastic_agent_data + sensors: + portgroups: + - beats_5044 + - beats_5644 + - elastic_agent_control + - elastic_agent_data + - yum + - docker_registry + - influxdb + searchnodes: + portgroups: + - redis + - elasticsearch_rest + - elasticsearch_node + - yum + - docker_registry + - influxdb + - elastic_agent_control + - elastic_agent_data + heavynodes: + portgroups: + - redis + - elasticsearch_rest + - elasticsearch_node + - yum + - docker_registry + - influxdb + - elastic_agent_control + - elastic_agent_data + self: + portgroups: + - syslog + beats_endpoint: + portgroups: + - beats_5044 + 
beats_endpoint_ssl: + portgroups: + - beats_5644 + elasticsearch_rest: + portgroups: + - elasticsearch_rest + elastic_agent_endpoint: + portgroups: + - elastic_agent_control + - elastic_agent_data + endgame: + portgroups: + - endgame + syslog: + portgroups: + - syslog + analyst: + portgroups: + - nginx + customhostgroup0: + portgroups: [] + customhostgroup1: + portgroups: [] + customhostgroup2: + portgroups: [] + customhostgroup3: + portgroups: [] + customhostgroup4: + portgroups: [] + customhostgroup5: + portgroups: [] + customhostgroup6: + portgroups: [] + customhostgroup7: + portgroups: [] + customhostgroup8: + portgroups: [] + customhostgroup9: + portgroups: [] + INPUT: + hostgroups: + anywhere: + portgroups: + - ssh + dockernet: + portgroups: + - all + localhost: + portgroups: + - all + sensors: + portgroups: + - salt_manager + searchnodes: + portgroups: + - salt_manager + heavynodes: + portgroups: + - salt_manager + customhostgroup0: + portgroups: [] + customhostgroup1: + portgroups: [] + customhostgroup2: + portgroups: [] + customhostgroup3: + portgroups: [] + customhostgroup4: + portgroups: [] + customhostgroup5: + portgroups: [] + customhostgroup6: + portgroups: [] + customhostgroup7: + portgroups: [] + customhostgroup8: + portgroups: [] + customhostgroup9: + portgroups: [] + standalone: + chain: + DOCKER-USER: + hostgroups: + localhost: + portgroups: + - all + standalone: + portgroups: + - playbook + - mysql + - kibana + - redis + - influxdb + - elasticsearch_rest + - elasticsearch_node + - docker_registry + - sensoroni + - yum + - beats_5044 + - beats_5644 + - beats_5056 + - redis + - elasticsearch_node + - elastic_agent_control + - elastic_agent_data + - endgame + - strelka_frontend + fleet: + portgroups: + - elasticsearch_rest + - docker_registry + - influxdb + - sensoroni + - yum + - beats_5044 + - beats_5644 + - beats_5056 + - elastic_agent_control + - elastic_agent_data + sensors: + portgroups: + - docker_registry + - influxdb + - sensoroni + - yum 
+ - beats_5044 + - beats_5644 + - beats_5056 + - elastic_agent_control + - elastic_agent_data + searchnodes: + portgroups: + - docker_registry + - influxdb + - sensoroni + - yum + - redis + - elasticsearch_rest + - elasticsearch_node + heavynodes: + portgroups: + - docker_registry + - influxdb + - sensoroni + - yum + - redis + - elasticsearch_rest + - elasticsearch_node + self: + portgroups: + - syslog + beats_endpoint: + portgroups: + - beats_5044 + beats_endpoint_ssl: + portgroups: + - beats_5644 + elasticsearch_rest: + portgroups: + - elasticsearch_rest + elastic_agent_endpoint: + portgroups: + - elastic_agent_control + - elastic_agent_data + endgame: + portgroups: + - endgame + strelka_frontend: + portgroups: + - strelka_frontend + syslog: + portgroups: + - syslog + analyst: + portgroups: + - nginx + customhostgroup0: + portgroups: [] + customhostgroup1: + portgroups: [] + customhostgroup2: + portgroups: [] + customhostgroup3: + portgroups: [] + customhostgroup4: + portgroups: [] + customhostgroup5: + portgroups: [] + customhostgroup6: + portgroups: [] + customhostgroup7: + portgroups: [] + customhostgroup8: + portgroups: [] + customhostgroup9: + portgroups: [] + INPUT: + hostgroups: + anywhere: + portgroups: + - ssh + dockernet: + portgroups: + - all + fleet: + portgroups: + - salt_manager + localhost: + portgroups: + - all + standalone: + portgroups: + - salt_manager + sensors: + portgroups: + - salt_manager + searchnodes: + portgroups: + - salt_manager + heavynodes: + portgroups: + - salt_manager + customhostgroup0: + portgroups: [] + customhostgroup1: + portgroups: [] + customhostgroup2: + portgroups: [] + customhostgroup3: + portgroups: [] + customhostgroup4: + portgroups: [] + customhostgroup5: + portgroups: [] + customhostgroup6: + portgroups: [] + customhostgroup7: + portgroups: [] + customhostgroup8: + portgroups: [] + customhostgroup9: + portgroups: [] + searchnode: + chain: + DOCKER-USER: + hostgroups: + manager: + portgroups: + - elasticsearch_node 
+ - elasticsearch_rest + dockernet: + portgroups: + - elasticsearch_node + - elasticsearch_rest + elasticsearch_rest: + portgroups: + - elasticsearch_rest + searchnodes: + portgroups: + - elasticsearch_node + self: + portgroups: + - syslog + customhostgroup0: + portgroups: [] + customhostgroup1: + portgroups: [] + customhostgroup2: + portgroups: [] + customhostgroup3: + portgroups: [] + customhostgroup4: + portgroups: [] + customhostgroup5: + portgroups: [] + customhostgroup6: + portgroups: [] + customhostgroup7: + portgroups: [] + customhostgroup8: + portgroups: [] + customhostgroup9: + portgroups: [] + INPUT: + hostgroups: + anywhere: + portgroups: + - ssh + dockernet: + portgroups: + - all + localhost: + portgroups: + - all + customhostgroup0: + portgroups: [] + customhostgroup1: + portgroups: [] + customhostgroup2: + portgroups: [] + customhostgroup3: + portgroups: [] + customhostgroup4: + portgroups: [] + customhostgroup5: + portgroups: [] + customhostgroup6: + portgroups: [] + customhostgroup7: + portgroups: [] + customhostgroup8: + portgroups: [] + customhostgroup9: + portgroups: [] + sensor: + chain: + DOCKER-USER: + hostgroups: + self: + portgroups: + - syslog + strelka_frontend: + portgroups: + - strelka_frontend + customhostgroup0: + portgroups: [] + customhostgroup1: + portgroups: [] + customhostgroup2: + portgroups: [] + customhostgroup3: + portgroups: [] + customhostgroup4: + portgroups: [] + customhostgroup5: + portgroups: [] + customhostgroup6: + portgroups: [] + customhostgroup7: + portgroups: [] + customhostgroup8: + portgroups: [] + customhostgroup9: + portgroups: [] + INPUT: + hostgroups: + anywhere: + portgroups: + - ssh + dockernet: + portgroups: + - all + localhost: + portgroups: + - all + customhostgroup0: + portgroups: [] + customhostgroup1: + portgroups: [] + customhostgroup2: + portgroups: [] + customhostgroup3: + portgroups: [] + customhostgroup4: + portgroups: [] + customhostgroup5: + portgroups: [] + customhostgroup6: + portgroups: [] 
+ customhostgroup7: + portgroups: [] + customhostgroup8: + portgroups: [] + customhostgroup9: + portgroups: [] + heavynode: + chain: + DOCKER-USER: + hostgroups: + manager: + portgroups: + - elasticsearch_node + - elasticsearch_rest + dockernet: + portgroups: + - elasticsearch_node + - elasticsearch_rest + elasticsearch_rest: + portgroups: + - elasticsearch_rest + self: + portgroups: + - syslog + - elasticsearch_node + - elasticsearch_rest + strelka_frontend: + portgroups: + - strelka_frontend + customhostgroup0: + portgroups: [] + customhostgroup1: + portgroups: [] + customhostgroup2: + portgroups: [] + customhostgroup3: + portgroups: [] + customhostgroup4: + portgroups: [] + customhostgroup5: + portgroups: [] + customhostgroup6: + portgroups: [] + customhostgroup7: + portgroups: [] + customhostgroup8: + portgroups: [] + customhostgroup9: + portgroups: [] + INPUT: + hostgroups: + anywhere: + portgroups: + - ssh + dockernet: + portgroups: + - all + localhost: + portgroups: + - all + customhostgroup0: + portgroups: [] + customhostgroup1: + portgroups: [] + customhostgroup2: + portgroups: [] + customhostgroup3: + portgroups: [] + customhostgroup4: + portgroups: [] + customhostgroup5: + portgroups: [] + customhostgroup6: + portgroups: [] + customhostgroup7: + portgroups: [] + customhostgroup8: + portgroups: [] + customhostgroup9: + portgroups: [] + import: + chain: + DOCKER-USER: + hostgroups: + manager: + portgroups: + - kibana + - redis + - influxdb + - elasticsearch_rest + - elasticsearch_node + - elastic_agent_control + sensors: + portgroups: + - beats_5044 + - beats_5644 + searchnodes: + portgroups: + - redis + - elasticsearch_node + beats_endpoint: + portgroups: + - beats_5044 + beats_endpoint_ssl: + portgroups: + - beats_5644 + elasticsearch_rest: + portgroups: + - elasticsearch_rest + elastic_agent_endpoint: + portgroups: + - elastic_agent_control + - elastic_agent_data + analyst: + portgroups: + - nginx + customhostgroup0: + portgroups: [] + customhostgroup1: 
+ portgroups: [] + customhostgroup2: + portgroups: [] + customhostgroup3: + portgroups: [] + customhostgroup4: + portgroups: [] + customhostgroup5: + portgroups: [] + customhostgroup6: + portgroups: [] + customhostgroup7: + portgroups: [] + customhostgroup8: + portgroups: [] + customhostgroup9: + portgroups: [] + INPUT: + hostgroups: + anywhere: + portgroups: + - ssh + dockernet: + portgroups: + - all + localhost: + portgroups: + - all + customhostgroup0: + portgroups: [] + customhostgroup1: + portgroups: [] + customhostgroup2: + portgroups: [] + customhostgroup3: + portgroups: [] + customhostgroup4: + portgroups: [] + customhostgroup5: + portgroups: [] + customhostgroup6: + portgroups: [] + customhostgroup7: + portgroups: [] + customhostgroup8: + portgroups: [] + customhostgroup9: + portgroups: [] + receiver: + chain: + DOCKER-USER: + hostgroups: + sensors: + portgroups: + - beats_5644 + searchnodes: + portgroups: + - redis + - beats_5644 + self: + portgroups: + - redis + - syslog + - beats_5644 + syslog: + portgroups: + - syslog + beats_endpoint: + portgroups: + - beats_5044 + beats_endpoint_ssl: + portgroups: + - beats_5644 + endgame: + portgroups: + - endgame + customhostgroup0: + portgroups: [] + customhostgroup1: + portgroups: [] + customhostgroup2: + portgroups: [] + customhostgroup3: + portgroups: [] + customhostgroup4: + portgroups: [] + customhostgroup5: + portgroups: [] + customhostgroup6: + portgroups: [] + customhostgroup7: + portgroups: [] + customhostgroup8: + portgroups: [] + customhostgroup9: + portgroups: [] + INPUT: + hostgroups: + anywhere: + portgroups: + - ssh + dockernet: + portgroups: + - all + localhost: + portgroups: + - all + customhostgroup0: + portgroups: [] + customhostgroup1: + portgroups: [] + customhostgroup2: + portgroups: [] + customhostgroup3: + portgroups: [] + customhostgroup4: + portgroups: [] + customhostgroup5: + portgroups: [] + customhostgroup6: + portgroups: [] + customhostgroup7: + portgroups: [] + customhostgroup8: + 
portgroups: [] + customhostgroup9: + portgroups: [] diff --git a/salt/firewall/hostgroups/analyst b/salt/firewall/hostgroups/analyst deleted file mode 100644 index e69de29bb..000000000 diff --git a/salt/firewall/hostgroups/analyst_workstations b/salt/firewall/hostgroups/analyst_workstations deleted file mode 100644 index e69de29bb..000000000 diff --git a/salt/firewall/hostgroups/anywhere b/salt/firewall/hostgroups/anywhere deleted file mode 100644 index b04387011..000000000 --- a/salt/firewall/hostgroups/anywhere +++ /dev/null @@ -1 +0,0 @@ -0.0.0.0/0 diff --git a/salt/firewall/hostgroups/beats_endpoint b/salt/firewall/hostgroups/beats_endpoint deleted file mode 100644 index e69de29bb..000000000 diff --git a/salt/firewall/hostgroups/beats_endpoint_ssl b/salt/firewall/hostgroups/beats_endpoint_ssl deleted file mode 100644 index e69de29bb..000000000 diff --git a/salt/firewall/hostgroups/dockernet b/salt/firewall/hostgroups/dockernet deleted file mode 100644 index ccbd6e89c..000000000 --- a/salt/firewall/hostgroups/dockernet +++ /dev/null @@ -1,2 +0,0 @@ -{% from 'docker/docker.map.jinja' import DOCKER -%} -{{ DOCKER.sorange }} diff --git a/salt/firewall/hostgroups/elastic_agent_endpoint b/salt/firewall/hostgroups/elastic_agent_endpoint deleted file mode 100644 index e69de29bb..000000000 diff --git a/salt/firewall/hostgroups/elasticsearch_rest b/salt/firewall/hostgroups/elasticsearch_rest deleted file mode 100644 index e69de29bb..000000000 diff --git a/salt/firewall/hostgroups/endgame b/salt/firewall/hostgroups/endgame deleted file mode 100644 index e69de29bb..000000000 diff --git a/salt/firewall/hostgroups/eval b/salt/firewall/hostgroups/eval deleted file mode 100644 index e69de29bb..000000000 diff --git a/salt/firewall/hostgroups/fleet b/salt/firewall/hostgroups/fleet deleted file mode 100644 index e69de29bb..000000000 diff --git a/salt/firewall/hostgroups/heavynodes b/salt/firewall/hostgroups/heavynodes deleted file mode 100644 index e69de29bb..000000000 
diff --git a/salt/firewall/hostgroups/idh b/salt/firewall/hostgroups/idh deleted file mode 100644 index e69de29bb..000000000 diff --git a/salt/firewall/hostgroups/localhost b/salt/firewall/hostgroups/localhost deleted file mode 100644 index 7b9ad531d..000000000 --- a/salt/firewall/hostgroups/localhost +++ /dev/null @@ -1 +0,0 @@ -127.0.0.1 diff --git a/salt/firewall/hostgroups/manager b/salt/firewall/hostgroups/manager deleted file mode 100644 index e69de29bb..000000000 diff --git a/salt/firewall/hostgroups/receivers b/salt/firewall/hostgroups/receivers deleted file mode 100644 index e69de29bb..000000000 diff --git a/salt/firewall/hostgroups/searchnodes b/salt/firewall/hostgroups/searchnodes deleted file mode 100644 index e69de29bb..000000000 diff --git a/salt/firewall/hostgroups/self b/salt/firewall/hostgroups/self deleted file mode 100644 index 488f25de4..000000000 --- a/salt/firewall/hostgroups/self +++ /dev/null @@ -1,2 +0,0 @@ -{% from 'vars/globals.map.jinja' import GLOBALS -%} -{{ GLOBALS.node_ip }} diff --git a/salt/firewall/hostgroups/sensors b/salt/firewall/hostgroups/sensors deleted file mode 100644 index e69de29bb..000000000 diff --git a/salt/firewall/hostgroups/standalone b/salt/firewall/hostgroups/standalone deleted file mode 100644 index e69de29bb..000000000 diff --git a/salt/firewall/hostgroups/strelka_frontend b/salt/firewall/hostgroups/strelka_frontend deleted file mode 100644 index e69de29bb..000000000 diff --git a/salt/firewall/hostgroups/syslog b/salt/firewall/hostgroups/syslog deleted file mode 100644 index e69de29bb..000000000 diff --git a/salt/firewall/iptables.jinja b/salt/firewall/iptables.jinja index ec2a5ae65..6e91a9b93 100644 --- a/salt/firewall/iptables.jinja +++ b/salt/firewall/iptables.jinja 
@@ -1,7 +1,9 @@ -{% from 'docker/docker.map.jinja' import DOCKER -%} -{% from 'firewall/containers.map.jinja' import NODE_CONTAINERS -%} -{% from 'firewall/map.jinja' import hostgroups with context -%} -{% from 'firewall/map.jinja' import assigned_hostgroups with context -%} +{%- from 'vars/globals.map.jinja' import GLOBALS %} +{%- from 'docker/docker.map.jinja' import DOCKER %} +{%- from 'firewall/map.jinja' import FIREWALL_MERGED %} +{%- set role = GLOBALS.role.split('-')[1] %} +{%- from 'firewall/containers.map.jinja' import NODE_CONTAINERS %} + {%- set PR = [] %} {%- set D1 = [] %} {%- set D2 = [] %} @@ -70,24 +72,18 @@ COMMIT :DOCKER-USER - [0:0] :LOGGING - [0:0] -{%- set count = namespace(value=0) %} -{%- for chain, hg in assigned_hostgroups.chain.items() %} - {%- for hostgroup, portgroups in assigned_hostgroups.chain[chain].hostgroups.items() %} - {%- for action in ['insert', 'delete' ] %} - {%- if hostgroups[hostgroup].ips[action] %} - {%- for ip in hostgroups[hostgroup].ips[action] %} - {%- for portgroup in portgroups.portgroups %} - {%- for proto, ports in portgroup.items() %} - {%- for port in ports %} - {%- set count.value = count.value + 1 %} --A {{chain}} -s {{ip}} -p {{proto}} -m {{proto}} --dport {{port}} -j ACCEPT - {%- endfor %} - {%- endfor %} - {%- endfor %} - {%- endfor %} - {%- endif %} - {%- endfor %} - {%- endfor %} +{%- for chn, hostgroups in FIREWALL_MERGED.role[role].chain.items() %} +{%- for hostgroup, portgroups in hostgroups['hostgroups'].items() %} +{%- for ip in FIREWALL_MERGED.hostgroups[hostgroup] %} +{%- for groupname in portgroups['portgroups'] %} +{%- for proto, ports in FIREWALL_MERGED['portgroups'][groupname].items() %} +{%- for port in ports %} +-A {{chn}} -s {{ip}} -p {{proto}} -m {{proto}} --dport {{port}} -j ACCEPT +{%- endfor %} +{%- endfor %} +{%- endfor %} +{%- endfor %} +{%- endfor %} {%- endfor %} -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT 
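Review bot: The rewritten loop in the second hunk interpolates every entry of `FIREWALL_MERGED.hostgroups[hostgroup]` straight into `-A {{chn}} -s {{ip}} ...`, and those lists now come from pillar rather than the curated hostgroup files, so a blank entry (the UI regex added in soc_firewall.yaml in this same commit accepts the empty string, since its outer group is optional) renders as `-s  -p tcp` and makes iptables-restore reject the whole ruleset rather than one rule. Skipping empty values with `{%- for ip in FIREWALL_MERGED.hostgroups[hostgroup] if ip %}` keeps one bad UI entry from taking the firewall state down. Likewise a hostgroup named in a role's chain but missing from `FIREWALL_MERGED.hostgroups`, or a portgroup name missing from `FIREWALL_MERGED['portgroups']`, aborts the render with an undefined error; `FIREWALL_MERGED.hostgroups.get(hostgroup, [])` would degrade to "no rule" instead. The first hunk derives `role` as `GLOBALS.role.split('-')[1]`, which assumes the `so-<role>` form and a matching key under `FIREWALL_MERGED.role`; and since the `count` namespace is dropped here, anything further down the template that still reads `count.value` (not visible in this hunk) would now fail.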
diff --git a/salt/firewall/map.jinja b/salt/firewall/map.jinja index 06586ddf2..7a549d123 100644 --- a/salt/firewall/map.jinja +++ b/salt/firewall/map.jinja 
@@ -1,62 +1,10 @@ {% from 'vars/globals.map.jinja' import GLOBALS %} -{% set role = grains.id.split('_') | last %} -{% set translated_pillar_assigned_hostgroups = {} %} +{% from 'docker/docker.map.jinja' import DOCKER %} +{% import_yaml 'firewall/defaults.yaml' as FIREWALL_DEFAULT %} -{% import_yaml 'firewall/ports/ports.yaml' as default_portgroups %} -{% set default_portgroups = default_portgroups.firewall.ports %} -{% import_yaml 'firewall/ports/ports.local.yaml' as local_portgroups %} -{% if local_portgroups.firewall.ports %} - {% set local_portgroups = local_portgroups.firewall.ports %} -{% else %} - {% set local_portgroups = {} %} -{% endif %} +{# add our ip to self #} +{% do FIREWALL_DEFAULT.firewall.hostgroups.self.append(GLOBALS.node_ip) %} +{# add dockernet range #} +{% do FIREWALL_DEFAULT.firewall.hostgroups.dockernet.append(DOCKER.sorange) %} -{% set portgroups = salt['defaults.merge'](default_portgroups, local_portgroups, in_place=False) %} -{% set defined_portgroups = portgroups %} - -{% if GLOBALS.role == 'so-idh' %} -{% from 'idh/opencanary_config.map.jinja' import IDH_PORTGROUPS %} -{% do salt['defaults.merge'](defined_portgroups, IDH_PORTGROUPS, in_place=True) %} -{% endif %} - -{% set local_hostgroups = {'firewall': {'hostgroups': {}}} %} - -{% set hostgroup_list = salt['cp.list_master'](prefix='firewall/hostgroups') %} - -{% for hg in hostgroup_list %} -{% import_text hg as hg_ips %} -{% do local_hostgroups.firewall.hostgroups.update({hg.split('/')[2]: {'ips': {'insert': hg_ips.split(), 'delete': []}}}) %} -{% endfor %} - -{% set hostgroups = local_hostgroups.firewall.hostgroups %} - -{# This block translate the portgroups defined in the pillar to what is defined my portgroups.yaml and portgroups.local.yaml #} -{% if salt['pillar.get']('firewall:assigned_hostgroups:chain') %} - {% set translated_pillar_assigned_hostgroups = {'chain': {}} %} - - {% for chain, hg in salt['pillar.get']('firewall:assigned_hostgroups:chain').items() %} - {% for 
pillar_hostgroup, pillar_portgroups in salt['pillar.get']('firewall:assigned_hostgroups:chain')[chain].hostgroups.items() %} - {% if translated_pillar_assigned_hostgroups.chain[chain] is defined %} - {% do translated_pillar_assigned_hostgroups.chain[chain].hostgroups.update({pillar_hostgroup: {"portgroups": []}}) %} - {% else %} - {% do translated_pillar_assigned_hostgroups.chain.update({chain: {"hostgroups": {pillar_hostgroup: {"portgroups": []}}}}) %} - {% endif %} - {% for pillar_portgroup in pillar_portgroups.portgroups %} - {% set pillar_portgroup = pillar_portgroup.split('.') | last %} - {% do translated_pillar_assigned_hostgroups.chain[chain].hostgroups[pillar_hostgroup].portgroups.append(defined_portgroups[pillar_portgroup]) %} - {% endfor %} - {% endfor %} - {% endfor %} -{% endif %} - -{% import_yaml 'firewall/assigned_hostgroups.map.yaml' as default_assigned_hostgroups %} -{% import_yaml 'firewall/assigned_hostgroups.local.map.yaml' as local_assigned_hostgroups %} -{% if local_assigned_hostgroups.role.get(role, False) %} - {% set assigned_hostgroups = salt['defaults.merge'](local_assigned_hostgroups.role[role], default_assigned_hostgroups.role[role], merge_lists=False, in_place=False) %} -{% else %} - {% set assigned_hostgroups = default_assigned_hostgroups.role[role] %} -{% endif %} - -{% if translated_pillar_assigned_hostgroups %} - {% do salt['defaults.merge'](assigned_hostgroups, translated_pillar_assigned_hostgroups, merge_lists=True, in_place=True) %} -{% endif %} +{% set FIREWALL_MERGED = salt['pillar.get']('firewall', FIREWALL_DEFAULT.firewall, merge=True) %} diff --git a/salt/firewall/ports/ports.yaml b/salt/firewall/ports/ports.yaml deleted file mode 100644 index 79bdf93b4..000000000 --- a/salt/firewall/ports/ports.yaml +++ /dev/null 
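Review bot: The `GLOBALS.node_ip` and `DOCKER.sorange` entries are appended to `FIREWALL_DEFAULT` before the `salt['pillar.get']('firewall', ..., merge=True)` call, but `pillar.get` with `merge=True` only deep-merges dictionaries and, unless `merge_nested_lists` is enabled, replaces lists wholesale, so any pillar value for `firewall:hostgroups:self` or `firewall:hostgroups:dockernet` silently discards the node's own address and the Docker range from the allow rules. soc_firewall.yaml marks those two groups `readonly: True` for the UI, but nothing in this merge enforces that for a hand-edited pillar. Appending after the merge avoids the problem: `{% set FIREWALL_MERGED = salt['pillar.get']('firewall', FIREWALL_DEFAULT.firewall, merge=True) %}` followed by `{% do FIREWALL_MERGED.hostgroups.self.append(GLOBALS.node_ip) %}` and `{% do FIREWALL_MERGED.hostgroups.dockernet.append(DOCKER.sorange) %}`. Note too that these `do ... append` calls mutate the object returned by `import_yaml`; if Salt reuses that object across several imports of this map in one render, the same address is appended repeatedly, which is harmless but produces duplicate rules.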
@@ -1,81 +0,0 @@ -firewall: - ports: - all: - tcp: - - '0:65535' - udp: - - '0:65535' - agrules: - tcp: - - 7788 - beats_5044: - tcp: - - 5044 - beats_5644: - tcp: - - 5644 - beats_5066: - tcp: - - 5066 - beats_5056: - tcp: - - 5056 - docker_registry: - tcp: - - 5000 - elasticsearch_node: - tcp: - - 9300 - elasticsearch_rest: - tcp: - - 9200 - elastic_agent_control: - tcp: - - 8220 - elastic_agent_data: - tcp: - - 5055 - endgame: - tcp: - - 3765 - influxdb: - tcp: - - 8086 - kibana: - tcp: - - 5601 - mysql: - tcp: - - 3306 - nginx: - tcp: - - 80 - - 443 - playbook: - tcp: - - 3000 - redis: - tcp: - - 6379 - - 9696 - salt_manager: - tcp: - - 4505 - - 4506 - sensoroni: - tcp: - - 443 - ssh: - tcp: - - 22 - strelka_frontend: - tcp: - - 57314 - syslog: - tcp: - - 514 - udp: - - 514 - yum: - tcp: - - 443 diff --git a/salt/firewall/soc/defaults_soc_firewall.yaml b/salt/firewall/soc/defaults_soc_firewall.yaml deleted file mode 100644 index fd72df523..000000000 --- a/salt/firewall/soc/defaults_soc_firewall.yaml +++ /dev/null 
@@ -1,136 +0,0 @@ -firewall: - custom_groups: - groups: - description: List of group names to create. - multiline: True - forcedType: "[]string" - global: True - title: Custom Firewall Groups - helpLink: firewall.html#host-groups - hostgroups: - analyst_workstations: - description: List of IP addresses or CIDR blocks to allow analyst workstations. - file: True - global: True - title: Analyst Workstations - helpLink: firewall.html#host-groups - analyst: - description: List of IP addresses or CIDR blocks to allow analyst connections. - file: True - global: True - title: Analyst - helpLink: firewall.html#host-groups - beats_endpoint: - description: List of IP addresses or CIDR blocks of standard beats without encryption. - file: True - global: True - title: Beats Endpoints - helpLink: firewall.html#host-groups - beats_endpoint_ssl: - description: List of IP addresses or CIDR blocks of standard beats with encryption. - file: True - global: True - title: Beats Endpoints SSL - helpLink: firewall.html#host-groups - elastic_agent_endpoint: - description: List of IP addresses or CIDR blocks for Elastic Agent connections. - file: True - global: True - title: Elastic Agents - helpLink: firewall.html#host-groups - elasticsearch_rest: - description: List of IP addresses or CIDR blocks to allow access directly to Elasticsearch. - file: True - global: True - title: Elasticsearch Rest - advanced: True - helpLink: firewall.html#host-groups - endgame: - description: List of IP addresses or CIDR blocks to allow Endgame access. - file: True - global: True - title: Endgame - advanced: True - helpLink: firewall.html#host-groups - strelka_frontend: - description: List of IP addresses or CIDR blocks to allow access to the Strelka front end. - file: True - global: True - title: Strelka Frontend - advanced: True - helpLink: firewall.html#host-groups - syslog: - description: List of IP addresses or CIDR blocks to allow syslog. 
- file: True - global: True - title: Syslog Endpoint Traffic - helpLink: firewall.html#host-groups - standalone: - description: List of IP addresses or CIDR blocks to allow standalone connections. - file: True - global: True - title: Standalone - advanced: True - helpLink: firewall.html#host-groups - eval: - description: List of IP addresses or CIDR blocks to allow eval connections. - file: True - global: True - title: Eval - advanced: True - helpLink: firewall.html#host-groups - idh: - description: List of IP addresses or CIDR blocks to allow idh connections. - file: True - global: True - title: IDH Nodes - helpLink: firewall.html#host-groups - manager: - description: List of IP addresses or CIDR blocks to allow manager connections. - file: True - global: True - title: Manager - advanced: True - helpLink: firewall.html#host-groups - heavynodes: - description: List of IP addresses or CIDR blocks to allow heavynode connections. - file: True - global: True - title: Heavy Nodes - helpLink: firewall.html#host-groups - searchnodes: - description: List of IP addresses or CIDR blocks to allow searchnode connections. - file: True - global: True - title: Search Nodes - helpLink: firewall.html#host-groups - sensors: - description: List of IP addresses or CIDR blocks to allow Sensor connections. - file: True - global: True - title: Sensors - helpLink: firewall.html#host-groups - receivers: - description: List of IP addresses or CIDR blocks to allow receiver connections. - file: True - global: True - title: Receivers - helpLink: firewall.html#host-groups - portgroups: - portgroups__yaml: - description: Port Groups - file: True - global: True - advanced: True - title: Port Groups - syntax: yaml - helpLink: firewall.html#function - ports: - ports__yaml: - description: Ports in YAML. - file: True - global: True - advanced: True - title: Ports - syntax: yaml - helpLink: firewall.html#port-groups 
diff --git a/salt/firewall/soc/init.sls b/salt/firewall/soc/init.sls deleted file mode 100644 index bae1a3048..000000000 --- a/salt/firewall/soc/init.sls +++ /dev/null @@ -1,5 +0,0 @@ -soc_firewall_yaml: - file.managed: - - name: /opt/so/saltstack/default/salt/firewall/soc_firewall.yaml - - source: salt://firewall/soc/soc_firewall.yaml.jinja - - template: jinja diff --git a/salt/firewall/soc/soc.map.jinja b/salt/firewall/soc/soc.map.jinja deleted file mode 100644 index 00fc50dd1..000000000 --- a/salt/firewall/soc/soc.map.jinja +++ /dev/null @@ -1,9 +0,0 @@ -{% import_yaml 'firewall/soc/defaults_soc_firewall.yaml' as DEFAULT_SOC_FIREWALL %} -{% set PILLAR_SOC_FIREWALL_GROUPS = salt['pillar.get']('firewall:custom_groups:groups', {}) %} -{% set SOC_FIREWALL = DEFAULT_SOC_FIREWALL %} - -{% for group in PILLAR_SOC_FIREWALL_GROUPS %} -{% set description = 'List of IP addresses or CIDR blocks to allow for ' ~ group ~ ' hostgroup.' %} -{% set title = group[0]|upper ~ group[1:] %} -{% do SOC_FIREWALL.firewall.hostgroups.update({group:{'description': description, 'file': 'True', 'global': 'True', 'title': title, 'helpLink': 'firewall.html#host-groups'}}) %} -{% endfor %} diff --git a/salt/firewall/soc/soc_firewall.yaml.jinja b/salt/firewall/soc/soc_firewall.yaml.jinja deleted file mode 100644 index 0502c0246..000000000 --- a/salt/firewall/soc/soc_firewall.yaml.jinja +++ /dev/null @@ -1,2 +0,0 @@ -{% from 'firewall/soc/soc.map.jinja' import SOC_FIREWALL -%} -{{ SOC_FIREWALL | yaml(False) }} diff --git a/salt/firewall/soc_firewall.yaml b/salt/firewall/soc_firewall.yaml new file mode 100644 index 000000000..582c01bba --- /dev/null +++ b/salt/firewall/soc_firewall.yaml 
@@ -0,0 +1,902 @@ +firewall: + hostgroups: + analyst: &hostgroupsettings + description: List of IP or CIDR blocks to allow access to this hostgroup. + forcedType: "[]string" + helplink: firewall.html + multiline: True + regex: ^(([0-9]{1,3}\.){3}[0-9]{1,3}(\/([0-9]|[1-2][0-9]|3[0-2]))?)?$ + regexFailureMessage: You must enter a valid IP address or CIDR. + anywhere: &hostgroupsettingsadv + description: List of IP or CIDR blocks to allow access to this hostgroup. + forcedType: "[]string" + helplink: firewall.html + multiline: True + advanced: True + regex: ^(([0-9]{1,3}\.){3}[0-9]{1,3}(\/([0-9]|[1-2][0-9]|3[0-2]))?)?$ + regexFailureMessage: You must enter a valid IP address or CIDR. + beats_endpoint: *hostgroupsettings + beats_endpoint_ssl: *hostgroupsettings + dockernet: &ROhostgroupsettingsadv + description: List of IP or CIDR blocks to allow access to this hostgroup. + forcedType: "[]string" + helplink: firewall.html + multiline: True + advanced: True + readonly: True + regex: ^(([0-9]{1,3}\.){3}[0-9]{1,3}(\/([0-9]|[1-2][0-9]|3[0-2]))?)?$ + regexFailureMessage: You must enter a valid IP address or CIDR. + elastic_agent_endpoint: *hostgroupsettings + elasticsearch_rest: *hostgroupsettingsadv + endgame: *hostgroupsettingsadv + eval: *hostgroupsettings + fleet: *hostgroupsettings + heavynodes: *hostgroupsettings + idh: *hostgroupsettings + localhost: *ROhostgroupsettingsadv + manager: *hostgroupsettings + receivers: *hostgroupsettings + searchnodes: *hostgroupsettings + securityonion_desktops: *hostgroupsettings + self: *ROhostgroupsettingsadv + sensors: *hostgroupsettings + standalone: *hostgroupsettings + strelka_frontend: *hostgroupsettings + syslog: *hostgroupsettings + customhostgroup1: &customhostgroupsettings + description: List of IP or CIDR blocks to allow to this hostgroup. 
+ forcedType: "[]string" + helpLink: firewall.html + advanced: True + multiline: True + regex: ^(([0-9]{1,3}\.){3}[0-9]{1,3}(\/([0-9]|[1-2][0-9]|3[0-2]))?)?$ + regexFailureMessage: You must enter a valid IP address or CIDR. + customhostgroup2: *customhostgroupsettings + customhostgroup3: *customhostgroupsettings + customhostgroup4: *customhostgroupsettings + customhostgroup5: *customhostgroupsettings + customhostgroup6: *customhostgroupsettings + customhostgroup7: *customhostgroupsettings + customhostgroup8: *customhostgroupsettings + customhostgroup9: *customhostgroupsettings + customhostgroup0: *customhostgroupsettings + portgroups: + all: + tcp: &tcpsettings + description: List of TCP ports for this port group. + forcedType: "[]string" + helplink: firewall.html + advanced: True + multiline: True + udp: &udpsettings + description: List of UDP ports for this port group. + forcedType: "[]string" + helplink: firewall.html + advanced: True + multiline: True + agrules: + tcp: *tcpsettings + udp: *udpsettings + beats_5044: + tcp: *tcpsettings + udp: *udpsettings + beats_5644: + tcp: *tcpsettings + udp: *udpsettings + beats_5066: + tcp: *tcpsettings + udp: *udpsettings + beats_5056: + tcp: *tcpsettings + udp: *udpsettings + docker_registry: + tcp: *tcpsettings + udp: *udpsettings + elasticsearch_node: + tcp: *tcpsettings + udp: *udpsettings + elasticsearch_rest: + tcp: *tcpsettings + udp: *udpsettings + elastic_agent_control: + tcp: *tcpsettings + udp: *udpsettings + elastic_agent_data: + tcp: *tcpsettings + udp: *udpsettings + endgame: + tcp: *tcpsettings + udp: *udpsettings + influxdb: + tcp: *tcpsettings + udp: *udpsettings + kibana: + tcp: *tcpsettings + udp: *udpsettings + mysql: + tcp: *tcpsettings + udp: *udpsettings + nginx: + tcp: *tcpsettings + udp: *udpsettings + playbook: + tcp: *tcpsettings + udp: *udpsettings + redis: + tcp: *tcpsettings + udp: *udpsettings + salt_manager: + tcp: *tcpsettings + udp: *udpsettings + sensoroni: + tcp: *tcpsettings + udp: 
*udpsettings + ssh: + tcp: *tcpsettings + udp: *udpsettings + strelka_frontend: + tcp: *tcpsettings + udp: *udpsettings + syslog: + tcp: *tcpsettings + udp: *udpsettings + yum: + tcp: *tcpsettings + udp: *udpsettings + customportgroup0: + tcp: *tcpsettings + udp: *udpsettings + customportgroup1: + tcp: *tcpsettings + udp: *udpsettings + customportgroup2: + tcp: *tcpsettings + udp: *udpsettings + customportgroup3: + tcp: *tcpsettings + udp: *udpsettings + customportgroup4: + tcp: *tcpsettings + udp: *udpsettings + customportgroup5: + tcp: *tcpsettings + udp: *udpsettings + customportgroup6: + tcp: *tcpsettings + udp: *udpsettings + customportgroup7: + tcp: *tcpsettings + udp: *udpsettings + customportgroup8: + tcp: *tcpsettings + udp: *udpsettings + customportgroup9: + tcp: *tcpsettings + udp: *udpsettings + role: + eval: + chain: + DOCKER-USER: + hostgroups: + eval: + portgroups: &portgroupsdocker + description: Portgroups to add access to the docker containers for this role. + advanced: True + multiline: True + helpLink: firewall.html + sensors: + portgroups: *portgroupsdocker + searchnodes: + portgroups: *portgroupsdocker + heavynodes: + portgroups: *portgroupsdocker + self: + portgroups: *portgroupsdocker + beats_endpoint: + portgroups: *portgroupsdocker + beats_endpoint_ssl: + portgroups: *portgroupsdocker + elasticsearch_rest: + portgroups: *portgroupsdocker + elastic_agent_endpoint: + portgroups: *portgroupsdocker + strelka_frontend: + portgroups: *portgroupsdocker + syslog: + portgroups: *portgroupsdocker + analyst: + portgroups: *portgroupsdocker + customhostgroup0: + portgroups: *portgroupsdocker + customhostgroup1: + portgroups: *portgroupsdocker + customhostgroup2: + portgroups: *portgroupsdocker + customhostgroup3: + portgroups: *portgroupsdocker + customhostgroup4: + portgroups: *portgroupsdocker + customhostgroup5: + portgroups: *portgroupsdocker + customhostgroup6: + portgroups: *portgroupsdocker + customhostgroup7: + portgroups: *portgroupsdocker + 
customhostgroup8: + portgroups: *portgroupsdocker + customhostgroup9: + portgroups: *portgroupsdocker + INPUT: + hostgroups: + anywhere: + portgroups: &portgroupshost + description: Portgroups to add access to the host. + advanced: True + multiline: True + helpLink: firewall.html + dockernet: + portgroups: *portgroupshost + localhost: + portgroups: *portgroupshost + customhostgroup0: + portgroups: *portgroupshost + customhostgroup1: + portgroups: *portgroupshost + customhostgroup2: + portgroups: *portgroupshost + customhostgroup3: + portgroups: *portgroupshost + customhostgroup4: + portgroups: *portgroupshost + customhostgroup5: + portgroups: *portgroupshost + customhostgroup6: + portgroups: *portgroupshost + customhostgroup7: + portgroups: *portgroupshost + customhostgroup8: + portgroups: *portgroupshost + customhostgroup9: + portgroups: *portgroupshost + fleet: + chain: + DOCKER-USER: + hostgroups: + sensors: + portgroups: *portgroupsdocker + elastic_agent_endpoint: + portgroups: *portgroupsdocker + customhostgroup0: + portgroups: *portgroupsdocker + customhostgroup1: + portgroups: *portgroupsdocker + customhostgroup2: + portgroups: *portgroupsdocker + customhostgroup3: + portgroups: *portgroupsdocker + customhostgroup4: + portgroups: *portgroupsdocker + customhostgroup5: + portgroups: *portgroupsdocker + customhostgroup6: + portgroups: *portgroupsdocker + customhostgroup7: + portgroups: *portgroupsdocker + customhostgroup8: + portgroups: *portgroupsdocker + customhostgroup9: + portgroups: *portgroupsdocker + INPUT: + hostgroups: + anywhere: + portgroups: *portgroupshost + dockernet: + portgroups: *portgroupshost + localhost: + portgroups: *portgroupsdocker + standalone: + portgroups: *portgroupshost + sensors: + portgroups: *portgroupshost + searchnodes: + portgroups: *portgroupshost + heavynodes: + portgroups: *portgroupshost + customhostgroup0: + portgroups: *portgroupshost + customhostgroup1: + portgroups: *portgroupshost + customhostgroup2: + portgroups: 
*portgroupshost + customhostgroup3: + portgroups: *portgroupshost + customhostgroup4: + portgroups: *portgroupshost + customhostgroup5: + portgroups: *portgroupshost + customhostgroup6: + portgroups: *portgroupshost + customhostgroup7: + portgroups: *portgroupshost + customhostgroup8: + portgroups: *portgroupshost + customhostgroup9: + portgroups: *portgroupshost + + manager: + chain: + DOCKER-USER: + hostgroups: + manager: + portgroups: *portgroupsdocker + sensors: + portgroups: *portgroupsdocker + searchnodes: + portgroups: *portgroupsdocker + heavynodes: + portgroups: *portgroupsdocker + self: + portgroups: *portgroupsdocker + syslog: + portgroups: *portgroupsdocker + beats_endpoint: + portgroups: *portgroupsdocker + beats_endpoint_ssl: + portgroups: *portgroupsdocker + elasticsearch_rest: + portgroups: *portgroupsdocker + elastic_agent_endpoint: + portgroups: *portgroupsdocker + endgame: + portgroups: *portgroupsdocker + analyst: + portgroups: *portgroupsdocker + customhostgroup0: + portgroups: *portgroupsdocker + customhostgroup1: + portgroups: *portgroupsdocker + customhostgroup2: + portgroups: *portgroupsdocker + customhostgroup3: + portgroups: *portgroupsdocker + customhostgroup4: + portgroups: *portgroupsdocker + customhostgroup5: + portgroups: *portgroupsdocker + customhostgroup6: + portgroups: *portgroupsdocker + customhostgroup7: + portgroups: *portgroupsdocker + customhostgroup8: + portgroups: *portgroupsdocker + customhostgroup9: + portgroups: *portgroupsdocker + INPUT: + hostgroups: + anywhere: + portgroups: *portgroupshost + dockernet: + portgroups: *portgroupshost + localhost: + portgroups: *portgroupshost + sensors: + portgroups: *portgroupshost + searchnodes: + portgroups: *portgroupshost + heavynodes: + portgroups: *portgroupshost + customhostgroup0: + portgroups: *portgroupshost + customhostgroup1: + portgroups: *portgroupshost + customhostgroup2: + portgroups: *portgroupshost + customhostgroup3: + portgroups: *portgroupshost + 
customhostgroup4: + portgroups: *portgroupshost + customhostgroup5: + portgroups: *portgroupshost + customhostgroup6: + portgroups: *portgroupshost + customhostgroup7: + portgroups: *portgroupshost + customhostgroup8: + portgroups: *portgroupshost + customhostgroup9: + portgroups: *portgroupshost + + managersearch: + chain: + DOCKER-USER: + hostgroups: + managersearch: + portgroups: *portgroupsdocker + sensors: + portgroups: *portgroupsdocker + searchnodes: + portgroups: *portgroupsdocker + heavynodes: + portgroups: *portgroupsdocker + self: + portgroups: *portgroupsdocker + beats_endpoint: + portgroups: *portgroupsdocker + beats_endpoint_ssl: + portgroups: *portgroupsdocker + elasticsearch_rest: + portgroups: *portgroupsdocker + elastic_agent_endpoint: + portgroups: *portgroupsdocker + endgame: + portgroups: *portgroupsdocker + syslog: + portgroups: *portgroupsdocker + analyst: + portgroups: *portgroupsdocker + customhostgroup0: + portgroups: *portgroupsdocker + customhostgroup1: + portgroups: *portgroupsdocker + customhostgroup2: + portgroups: *portgroupsdocker + customhostgroup3: + portgroups: *portgroupsdocker + customhostgroup4: + portgroups: *portgroupsdocker + customhostgroup5: + portgroups: *portgroupsdocker + customhostgroup6: + portgroups: *portgroupsdocker + customhostgroup7: + portgroups: *portgroupsdocker + customhostgroup8: + portgroups: *portgroupsdocker + customhostgroup9: + portgroups: *portgroupsdocker + INPUT: + hostgroups: + anywhere: + portgroups: *portgroupshost + dockernet: + portgroups: *portgroupshost + localhost: + portgroups: *portgroupshost + sensors: + portgroups: *portgroupshost + searchnodes: + portgroups: *portgroupshost + heavynodes: + portgroups: *portgroupshost + customhostgroup0: + portgroups: *portgroupshost + customhostgroup1: + portgroups: *portgroupshost + customhostgroup2: + portgroups: *portgroupshost + customhostgroup3: + portgroups: *portgroupshost + customhostgroup4: + portgroups: *portgroupshost + customhostgroup5: + 
portgroups: *portgroupshost + customhostgroup6: + portgroups: *portgroupshost + customhostgroup7: + portgroups: *portgroupshost + customhostgroup8: + portgroups: *portgroupshost + customhostgroup9: + portgroups: *portgroupshost + + standalone: + chain: + DOCKER-USER: + hostgroups: + localhost: + portgroups: *portgroupsdocker + standalone: + portgroups: *portgroupsdocker + fleet: + portgroups: *portgroupsdocker + sensors: + portgroups: *portgroupsdocker + searchnodes: + portgroups: *portgroupsdocker + heavynodes: + portgroups: *portgroupsdocker + self: + portgroups: *portgroupsdocker + beats_endpoint: + portgroups: *portgroupsdocker + beats_endpoint_ssl: + portgroups: *portgroupsdocker + elasticsearch_rest: + portgroups: *portgroupsdocker + elastic_agent_endpoint: + portgroups: *portgroupsdocker + endgame: + portgroups: *portgroupsdocker + strelka_frontend: + portgroups: *portgroupsdocker + syslog: + portgroups: *portgroupsdocker + analyst: + portgroups: *portgroupsdocker + customhostgroup0: + portgroups: *portgroupsdocker + customhostgroup1: + portgroups: *portgroupsdocker + customhostgroup2: + portgroups: *portgroupsdocker + customhostgroup3: + portgroups: *portgroupsdocker + customhostgroup4: + portgroups: *portgroupsdocker + customhostgroup5: + portgroups: *portgroupsdocker + customhostgroup6: + portgroups: *portgroupsdocker + customhostgroup7: + portgroups: *portgroupsdocker + customhostgroup8: + portgroups: *portgroupsdocker + customhostgroup9: + portgroups: *portgroupsdocker + INPUT: + hostgroups: + anywhere: + portgroups: *portgroupshost + dockernet: + portgroups: *portgroupshost + fleet: + portgroups: *portgroupshost + localhost: + portgroups: *portgroupshost + standalone: + portgroups: *portgroupshost + sensors: + portgroups: *portgroupshost + searchnodes: + portgroups: *portgroupshost + heavynodes: + portgroups: *portgroupshost + customhostgroup0: + portgroups: *portgroupshost + customhostgroup1: + portgroups: *portgroupshost + customhostgroup2: + 
portgroups: *portgroupshost + customhostgroup3: + portgroups: *portgroupshost + customhostgroup4: + portgroups: *portgroupshost + customhostgroup5: + portgroups: *portgroupshost + customhostgroup6: + portgroups: *portgroupshost + customhostgroup7: + portgroups: *portgroupshost + customhostgroup8: + portgroups: *portgroupshost + customhostgroup9: + portgroups: *portgroupshost + + searchnode: + chain: + DOCKER-USER: + hostgroups: + manager: + portgroups: *portgroupsdocker + dockernet: + portgroups: *portgroupsdocker + elasticsearch_rest: + portgroups: *portgroupsdocker + searchnodes: + portgroups: *portgroupsdocker + self: + portgroups: *portgroupsdocker + customhostgroup0: + portgroups: *portgroupsdocker + customhostgroup1: + portgroups: *portgroupsdocker + customhostgroup2: + portgroups: *portgroupsdocker + customhostgroup3: + portgroups: *portgroupsdocker + customhostgroup4: + portgroups: *portgroupsdocker + customhostgroup5: + portgroups: *portgroupsdocker + customhostgroup6: + portgroups: *portgroupsdocker + customhostgroup7: + portgroups: *portgroupsdocker + customhostgroup8: + portgroups: *portgroupsdocker + customhostgroup9: + portgroups: *portgroupsdocker + INPUT: + hostgroups: + anywhere: + portgroups: *portgroupshost + dockernet: + portgroups: *portgroupshost + localhost: + portgroups: *portgroupshost + customhostgroup0: + portgroups: *portgroupshost + customhostgroup1: + portgroups: *portgroupshost + customhostgroup2: + portgroups: *portgroupshost + customhostgroup3: + portgroups: *portgroupshost + customhostgroup4: + portgroups: *portgroupshost + customhostgroup5: + portgroups: *portgroupshost + customhostgroup6: + portgroups: *portgroupshost + customhostgroup7: + portgroups: *portgroupshost + customhostgroup8: + portgroups: *portgroupshost + customhostgroup9: + portgroups: *portgroupshost + + sensor: + chain: + DOCKER-USER: + hostgroups: + self: + portgroups: *portgroupsdocker + strelka_frontend: + portgroups: *portgroupsdocker + customhostgroup0: + 
portgroups: *portgroupsdocker + customhostgroup1: + portgroups: *portgroupsdocker + customhostgroup2: + portgroups: *portgroupsdocker + customhostgroup3: + portgroups: *portgroupsdocker + customhostgroup4: + portgroups: *portgroupsdocker + customhostgroup5: + portgroups: *portgroupsdocker + customhostgroup6: + portgroups: *portgroupsdocker + customhostgroup7: + portgroups: *portgroupsdocker + customhostgroup8: + portgroups: *portgroupsdocker + customhostgroup9: + portgroups: *portgroupsdocker + INPUT: + hostgroups: + anywhere: + portgroups: *portgroupshost + dockernet: + portgroups: *portgroupshost + localhost: + portgroups: *portgroupshost + customhostgroup0: + portgroups: *portgroupshost + customhostgroup1: + portgroups: *portgroupshost + customhostgroup2: + portgroups: *portgroupshost + customhostgroup3: + portgroups: *portgroupshost + customhostgroup4: + portgroups: *portgroupshost + customhostgroup5: + portgroups: *portgroupshost + customhostgroup6: + portgroups: *portgroupshost + customhostgroup7: + portgroups: *portgroupshost + customhostgroup8: + portgroups: *portgroupshost + customhostgroup9: + portgroups: *portgroupshost + + heavynode: + chain: + DOCKER-USER: + hostgroups: + manager: + portgroups: *portgroupsdocker + dockernet: + portgroups: *portgroupsdocker + elasticsearch_rest: + portgroups: *portgroupsdocker + self: + portgroups: *portgroupsdocker + strelka_frontend: + portgroups: *portgroupsdocker + customhostgroup0: + portgroups: *portgroupsdocker + customhostgroup1: + portgroups: *portgroupsdocker + customhostgroup2: + portgroups: *portgroupsdocker + customhostgroup3: + portgroups: *portgroupsdocker + customhostgroup4: + portgroups: *portgroupsdocker + customhostgroup5: + portgroups: *portgroupsdocker + customhostgroup6: + portgroups: *portgroupsdocker + customhostgroup7: + portgroups: *portgroupsdocker + customhostgroup8: + portgroups: *portgroupsdocker + customhostgroup9: + portgroups: *portgroupsdocker + INPUT: + hostgroups: + anywhere: + 
portgroups: *portgroupshost + dockernet: + portgroups: *portgroupshost + localhost: + portgroups: *portgroupshost + customhostgroup0: + portgroups: *portgroupshost + customhostgroup1: + portgroups: *portgroupshost + customhostgroup2: + portgroups: *portgroupshost + customhostgroup3: + portgroups: *portgroupshost + customhostgroup4: + portgroups: *portgroupshost + customhostgroup5: + portgroups: *portgroupshost + customhostgroup6: + portgroups: *portgroupshost + customhostgroup7: + portgroups: *portgroupshost + customhostgroup8: + portgroups: *portgroupshost + customhostgroup9: + portgroups: *portgroupshost + + import: + chain: + DOCKER-USER: + hostgroups: + manager: + portgroups: *portgroupsdocker + sensors: + portgroups: *portgroupsdocker + searchnodes: + portgroups: *portgroupsdocker + beats_endpoint: + portgroups: *portgroupsdocker + beats_endpoint_ssl: + portgroups: *portgroupsdocker + elasticsearch_rest: + portgroups: *portgroupsdocker + elastic_agent_endpoint: + portgroups: *portgroupsdocker + analyst: + portgroups: *portgroupsdocker + customhostgroup0: + portgroups: *portgroupsdocker + customhostgroup1: + portgroups: *portgroupsdocker + customhostgroup2: + portgroups: *portgroupsdocker + customhostgroup3: + portgroups: *portgroupsdocker + customhostgroup4: + portgroups: *portgroupsdocker + customhostgroup5: + portgroups: *portgroupsdocker + customhostgroup6: + portgroups: *portgroupsdocker + customhostgroup7: + portgroups: *portgroupsdocker + customhostgroup8: + portgroups: *portgroupsdocker + customhostgroup9: + portgroups: *portgroupsdocker + INPUT: + hostgroups: + anywhere: + portgroups: *portgroupshost + dockernet: + portgroups: *portgroupshost + localhost: + portgroups: *portgroupshost + customhostgroup0: + portgroups: *portgroupshost + customhostgroup1: + portgroups: *portgroupshost + customhostgroup2: + portgroups: *portgroupshost + customhostgroup3: + portgroups: *portgroupshost + customhostgroup4: + portgroups: *portgroupshost + customhostgroup5: + 
portgroups: *portgroupshost + customhostgroup6: + portgroups: *portgroupshost + customhostgroup7: + portgroups: *portgroupshost + customhostgroup8: + portgroups: *portgroupshost + customhostgroup9: + portgroups: *portgroupshost + + receiver: + chain: + DOCKER-USER: + hostgroups: + sensors: + portgroups: *portgroupsdocker + searchnodes: + portgroups: *portgroupsdocker + self: + portgroups: *portgroupsdocker + syslog: + portgroups: *portgroupsdocker + beats_endpoint: + portgroups: *portgroupsdocker + beats_endpoint_ssl: + portgroups: *portgroupsdocker + endgame: + portgroups: *portgroupsdocker + customhostgroup0: + portgroups: *portgroupsdocker + customhostgroup1: + portgroups: *portgroupsdocker + customhostgroup2: + portgroups: *portgroupsdocker + customhostgroup3: + portgroups: *portgroupsdocker + customhostgroup4: + portgroups: *portgroupsdocker + customhostgroup5: + portgroups: *portgroupsdocker + customhostgroup6: + portgroups: *portgroupsdocker + customhostgroup7: + portgroups: *portgroupsdocker + customhostgroup8: + portgroups: *portgroupsdocker + customhostgroup9: + portgroups: *portgroupsdocker + INPUT: + hostgroups: + anywhere: + portgroups: *portgroupshost + dockernet: + portgroups: *portgroupshost + localhost: + portgroups: *portgroupshost + customhostgroup0: + portgroups: *portgroupshost + customhostgroup1: + portgroups: *portgroupshost + customhostgroup2: + portgroups: *portgroupshost + customhostgroup3: + portgroups: *portgroupshost + customhostgroup4: + portgroups: *portgroupshost + customhostgroup5: + portgroups: *portgroupshost + customhostgroup6: + portgroups: *portgroupshost + customhostgroup7: + portgroups: *portgroupshost + customhostgroup8: + portgroups: *portgroupshost + customhostgroup9: + portgroups: *portgroupshost From 3fdcb92dfe30c22ae817f4e706f92b918004e59e Mon Sep 17 00:00:00 2001 
From: m0duspwnens Date: Fri, 28 Apr 2023 15:33:54 -0400 Subject: [PATCH 02/10] dont apply firewall.soc state anymore for manager highstate --- salt/top.sls | 5 ----- 1 file changed, 5 deletions(-) diff --git a/salt/top.sls b/salt/top.sls index 372c64115..0459a6da4 100644 --- a/salt/top.sls +++ b/salt/top.sls @@ -74,7 +74,6 @@ base: - telegraf - influxdb - soc - - firewall.soc - kratos - firewall - idstools @@ -119,7 +118,6 @@ base: - telegraf - influxdb - soc - - firewall.soc - kratos - firewall - manager @@ -162,7 +160,6 @@ base: - telegraf - influxdb - soc - - firewall.soc - kratos - firewall - idstools @@ -226,7 +223,6 @@ base: - telegraf - influxdb - soc - - firewall.soc - kratos - firewall - manager @@ -296,7 +292,6 @@ base: - telegraf - influxdb - soc - - firewall.soc - kratos - firewall - idstools From 9a4ae2b832a7464a3ba5be6251134b7e8251afb9 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Fri, 28 Apr 2023 16:44:02 -0400 Subject: [PATCH 03/10] start with customhostgroup0 --- salt/firewall/soc_firewall.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/salt/firewall/soc_firewall.yaml b/salt/firewall/soc_firewall.yaml index 582c01bba..c54d3011e 100644 --- a/salt/firewall/soc_firewall.yaml +++ b/salt/firewall/soc_firewall.yaml @@ -43,7 +43,7 @@ firewall: standalone: *hostgroupsettings strelka_frontend: *hostgroupsettings syslog: *hostgroupsettings - customhostgroup1: &customhostgroupsettings + customhostgroup0: &customhostgroupsettings description: List of IP or CIDR blocks to allow to this hostgroup. forcedType: "[]string" helpLink: firewall.html @@ -51,6 +51,7 @@ firewall: multiline: True regex: ^(([0-9]{1,3}\.){3}[0-9]{1,3}(\/([0-9]|[1-2][0-9]|3[0-2]))?)?$ regexFailureMessage: You must enter a valid IP address or CIDR. + customhostgroup1: *customhostgroupsettings customhostgroup2: *customhostgroupsettings customhostgroup3: *customhostgroupsettings customhostgroup4: *customhostgroupsettings 
@@ -59,7 +60,6 @@ firewall: customhostgroup7: *customhostgroupsettings customhostgroup8: *customhostgroupsettings customhostgroup9: *customhostgroupsettings - customhostgroup0: *customhostgroupsettings portgroups: all: tcp: &tcpsettings From 1f6463a9bbcf24eec383d6bff95c029fe41ea38a Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Mon, 1 May 2023 16:49:06 -0400 Subject: [PATCH 04/10] rework so-firewall to work with pillar files --- salt/common/tools/sbin/so-firewall | 224 +++++++++++++++++------------ salt/firewall/defaults.yaml | 2 + salt/firewall/soc_firewall.yaml | 2 + setup/so-functions | 8 +- 4 files changed, 142 insertions(+), 94 deletions(-) diff --git a/salt/common/tools/sbin/so-firewall b/salt/common/tools/sbin/so-firewall index 32fa84f3c..9275a209e 100755 --- a/salt/common/tools/sbin/so-firewall +++ b/salt/common/tools/sbin/so-firewall 
@@ -1,104 +1,148 @@ -#!/usr/bin/bash +#!/usr/bin/env python3 -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. +# Copyright 2014-2023 Security Onion Solutions, LLC +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . -. 
/usr/sbin/so-common +import os +import re +import subprocess +import sys +import time +import yaml -if [[ $# -lt 1 ]]; then - echo "Usage: $0 --role= --ip= --apply=" - echo "" - echo " Example: so-firewall --role=sensor --ip=192.168.254.100 --apply=true" - echo "" - exit 1 -fi +lockFile = "/tmp/so-firewall.lock" +hostgroupsFilename = "/opt/so/saltstack/local/pillar/firewall/soc_firewall.sls" +defaultsFilename = "/opt/so/saltstack/default/salt/firewall/defaults.yaml" -for i in "$@"; do - case $i in - -r=*|--role=*) - ROLE="${i#*=}" - shift - ;; - -i=*|--ip=*) - IP="${i#*=}" - shift - ;; - -a=*|--apply*) - APPLY="${i#*=}" - shift - ;; - -*|--*) - echo "Unknown option $i" - exit 1 - ;; - *) - ;; - esac -done +def showUsage(options, args): + print('Usage: {} [OPTIONS] [ARGS...]'.format(sys.argv[0])) + print(' Options:') + print(' --apply - After updating the firewall configuration files, apply the new firewall state') + print('') + print(' General commands:') + print(' help - Prints this usage information.') + print(' apply - Apply the firewall state.') + print('') + print(' Host commands:') + print(' includehost - Includes the given IP in the given group. Args: ') + print(' addhostgroup - Adds a new, custom host group. 
Args: ') + print('') + print(' Where:') + print(' GROUP_NAME - The name of an alias group (Ex: analyst)') + print(' IP - Either a single IP address (Ex: 8.8.8.8) or a CIDR block (Ex: 10.23.0.0/16).') + sys.exit(1) -ROLE=${ROLE,,} -APPLY=${APPLY,,} +def checkApplyOption(options): + if "--apply" in options: + return apply(None, None) -function rolecall() { - THEROLE=$1 - THEROLES="analyst analyst_workstations beats_endpoint beats_endpoint_ssl elastic_agent_endpoint elasticsearch_rest endgame eval fleet heavynodes idh manager managersearch receivers searchnodes sensors standalone strelka_frontend syslog" +def loadYaml(filename): + file = open(filename, "r") + content = file.read() + return yaml.safe_load(content) - for AROLE in $THEROLES; do - if [ "$AROLE" = "$THEROLE" ]; then - return 0 - fi - done - return 1 -} +def writeYaml(filename, content): + file = open(filename, "w") + return yaml.dump(content, file) -# Make sure the required options are specified -if [ -z "$ROLE" ]; then - echo "Please specify a role with --role=" - exit 1 -fi -if [ -z "$IP" ]; then - echo "Please specify an IP address with --ip=" - exit 1 -fi +def addIp(name, ip): + content = loadYaml(hostgroupsFilename) + defaults = loadYaml(defaultsFilename) + allowedHostgroups = defaults['firewall']['hostgroups'] + unallowedHostgroups = ['anywhere', 'dockernet', 'localhost', 'self'] + for hg in unallowedHostgroups: + allowedHostgroups.pop(hg) + if not content: + content = {'firewall': {'hostgroups': {name: []}}} + if name in allowedHostgroups: + if name not in content['firewall']['hostgroups']: + hostgroup = content['firewall']['hostgroups'].update({name: [ip]}) + else: + hostgroup = content['firewall']['hostgroups'][name] + else: + print('Host group not defined in salt/firewall/defaults.yaml or hostgroup name is unallowed.', file=sys.stderr) + return 4 + ips = hostgroup + if ips is None: + ips = [] + hostgroup = ips + if ip not in ips: + ips.append(ip) + else: + print('Already exists', file=sys.stderr) 
+ return 3 + writeYaml(hostgroupsFilename, content) + return 0 -# Are we dealing with a role that this script supports? -if rolecall "$ROLE"; then - echo "$ROLE is a supported role" -else - echo "This is not a supported role" - exit 1 -fi +def includehost(options, args): + if len(args) != 2: + print('Missing host group name or ip argument', file=sys.stderr) + showUsage(options, args) + result = addIp(args[0], args[1]) + code = result + if code == 0: + code = checkApplyOption(options) + return code - # Are we dealing with an IP? -if verify_ip4 "$IP"; then - echo "$IP is a valid IP or CIDR" -else - echo "$IP is not a valid IP or CIDR" - exit 1 -fi +def apply(options, args): + proc = subprocess.run(['salt-call', 'state.apply', 'firewall', 'queue=True']) + return proc.returncode -local_salt_dir=/opt/so/saltstack/local/salt/firewall +def main(): + options = [] + args = sys.argv[1:] + for option in args: + if option.startswith("--"): + options.append(option) + args.remove(option) -# Let's see if the file exists and if it does, let's see if the IP exists. -if [ -f "$local_salt_dir/hostgroups/$ROLE" ]; then - if grep -q $IP "$local_salt_dir/hostgroups/$ROLE"; then - echo "Host already exists" - exit 0 - fi -fi + if len(args) == 0: + showUsage(options, None) -# If you have reached this part of your quest then let's add the IP -echo "Adding $IP to the $ROLE role" -echo "$IP" >> $local_salt_dir/hostgroups/$ROLE + commands = { + "help": showUsage, + "includehost": includehost, + "apply": apply + } -# Check to see if we are applying this right away. -if [ "$APPLY" = "true" ]; then - echo "Applying the firewall rules" - salt-call state.apply firewall queue=True - echo "Firewall rules have been applied... Review logs further if there were errors." 
- echo "" -else - echo "Firewall rules will be applied next salt run" -fi + code=1 + + try: + lockAttempts = 0 + maxAttempts = 30 + while lockAttempts < maxAttempts: + lockAttempts = lockAttempts + 1 + try: + f = open(lockFile, "x") + f.close() + break + except: + time.sleep(2) + + if lockAttempts == maxAttempts: + print("Lock file (" + lockFile + ") could not be created; proceeding without lock.") + + cmd = commands.get(args[0], showUsage) + code = cmd(options, args[1:]) + finally: + try: + os.remove(lockFile) + except: + print("Lock file (" + lockFile + ") already removed") + + sys.exit(code) + +if __name__ == "__main__": + main() diff --git a/salt/firewall/defaults.yaml b/salt/firewall/defaults.yaml index 0ddf5a7bb..0e68add72 100644 --- a/salt/firewall/defaults.yaml +++ b/salt/firewall/defaults.yaml @@ -13,9 +13,11 @@ firewall: fleet: [] heavynodes: [] idh: [] + import: [] localhost: - 127.0.0.1 manager: [] + managersearch: [] receivers: [] searchnodes: [] securityonion_desktops: [] diff --git a/salt/firewall/soc_firewall.yaml b/salt/firewall/soc_firewall.yaml index c54d3011e..5b76c581e 100644 --- a/salt/firewall/soc_firewall.yaml +++ b/salt/firewall/soc_firewall.yaml @@ -33,8 +33,10 @@ firewall: fleet: *hostgroupsettings heavynodes: *hostgroupsettings idh: *hostgroupsettings + import: *hostgroupsettings localhost: *ROhostgroupsettingsadv manager: *hostgroupsettings + managersearch: *hostgroupsettings receivers: *hostgroupsettings searchnodes: *hostgroupsettings securityonion_desktops: *hostgroupsettings diff --git a/setup/so-functions b/setup/so-functions index 9e45fabb8..942ca4671 100755 --- a/setup/so-functions +++ b/setup/so-functions 
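Review bot: `addIp` writes the `ip` argument into the pillar without any validation, whereas the bash script it replaces ran `verify_ip4` before appending, and the value ends up rendered into iptables rules; reject anything that is not an address or CIDR before `writeYaml`, e.g. `try: ipaddress.ip_network(ip, strict=False)` / `except ValueError: print('Invalid IP or CIDR', file=sys.stderr); return 5` (with `import ipaddress` in the header). In the same function, after `if ips is None: ips = []` the assignment `hostgroup = ips` never writes the new list back into `content`, so an existing hostgroup whose pillar value is null is left unchanged on disk even though the command reports success. `loadYaml` and `writeYaml` never close their file handles; `with open(filename, "r") as f:` fixes that. In `main`, when the lock cannot be created after 30 attempts the script proceeds anyway and the `finally` block still runs `os.remove(lockFile)`, deleting whichever process does hold the lock; placing the lock under a root-only directory instead of world-writable `/tmp` would also stop an unprivileged user from stalling the tool by pre-creating the file.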
@@ -2291,18 +2291,18 @@ set_initial_firewall_policy() { case "$install_type" in 'EVAL' | 'MANAGER' | 'MANAGERSEARCH' | 'STANDALONE' | 'IMPORT') - $default_salt_dir/salt/common/tools/sbin/so-firewall --role=$install_type --ip=$MAINIP --apply=true + $default_salt_dir/salt/common/tools/sbin/so-firewall includehost $minion_type $MAINIP --apply ;; esac } set_initial_firewall_access() { if [[ ! -z "$ALLOW_CIDR" ]]; then - $default_salt_dir/salt/common/tools/sbin/so-firewall --role=analyst --ip=$ALLOW_CIDR --apply=true + $default_salt_dir/salt/common/tools/sbin/so-firewall includehost analyst $ALLOW_CIDR --apply fi if [[ ! -z "$MINION_CIDR" ]]; then - $default_salt_dir/salt/common/tools/sbin/so-firewall --role=sensors --ip=$MINION_CIDR --apply=false - $default_salt_dir/salt/common/tools/sbin/so-firewall --role=searchnodes --ip=$MINION_CIDR --apply=true + $default_salt_dir/salt/common/tools/sbin/so-firewall includehost sensors $MINION_CIDR + $default_salt_dir/salt/common/tools/sbin/so-firewall includehost searchnodes $MINION_CIDR --apply fi } From 6a501efa7509cf30d3441db42e00adef74a31ebf Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Mon, 1 May 2023 16:55:16 -0400 Subject: [PATCH 05/10] remove unneeded imports --- salt/common/tools/sbin/so-firewall | 1 - 1 file changed, 1 deletion(-) diff --git a/salt/common/tools/sbin/so-firewall b/salt/common/tools/sbin/so-firewall index 9275a209e..94302b5b2 100755 --- a/salt/common/tools/sbin/so-firewall +++ b/salt/common/tools/sbin/so-firewall @@ -16,7 +16,6 @@ # along with this program. If not, see . import os -import re import subprocess import sys import time From 80b40503fbbd69fba76e60c46f3856dd9631f9cc Mon Sep 17 00:00:00 2001 
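Review bot: `set_initial_firewall_access` still passes the plural hostgroup names `sensors` and `searchnodes`, but patch 06 in this series renames them to `sensor` and `searchnode` in `salt/firewall/defaults.yaml` without touching this file, so after that patch the rewritten `so-firewall` will answer `Host group not defined ...` (return 4) and the minion CIDR is never allowed. The new calls also pass `$minion_type`, `$MAINIP`, `$ALLOW_CIDR` and `$MINION_CIDR` unquoted while the `so-firewall-minion` hunk in the same series quotes `"$IP"`; since `includehost` exits with usage on anything but exactly two positional arguments, a value containing whitespace is silently not added, so quote them, e.g. `so-firewall includehost "$minion_type" "$MAINIP" --apply`. The `case` still matches on `$install_type` but now passes `$minion_type`; I cannot see where that is set from this hunk, so confirm it is the lowercase hostgroup name, as the Python rewrite no longer lowercases the role the way the old `ROLE=${ROLE,,}` did. `set_initial_firewall_policy` opens before the hunk.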
From: m0duspwnens Date: Mon, 1 May 2023 17:28:16 -0400 Subject: [PATCH 06/10] no more plural roles, update so-firewall-minion --- salt/common/tools/sbin/so-firewall-minion | 54 ++++++++--------- salt/firewall/defaults.yaml | 70 +++++++++++------------ salt/firewall/soc_firewall.yaml | 70 +++++++++++------------ 3 files changed, 97 insertions(+), 97 deletions(-) diff --git a/salt/common/tools/sbin/so-firewall-minion b/salt/common/tools/sbin/so-firewall-minion index 0465f0bbb..610d0fc3a 100755 --- a/salt/common/tools/sbin/so-firewall-minion +++ b/salt/common/tools/sbin/so-firewall-minion 
@@ -49,34 +49,34 @@ fi case "$ROLE" in 'MANAGER') - so-firewall --role=manager --ip="$IP" + so-firewall includehost manager "$IP" ;; - 'EVAL' | 'MANAGERSEARCH' | 'STANDALONE' | 'IMPORT') - so-firewall --role=manager --ip="$IP" - so-firewall --role=sensors --ip="$IP" - so-firewall --apply=true --role=searchnodes --ip="$IP" + 'MANAGERSEARCH') + so-firewall includehost manager "$IP" + so-firewall includehost searchnode "$IP" --apply ;; - 'FLEET' | 'SENSOR' | 'SEARCHNODE' | 'HEAVYNODE' | 'IDH' | 'RECEIVER') - case "$ROLE" in - 'FLEET') - so-firewall --apply=true --role=fleet --ip="$IP" - ;; - 'SENSOR') - so-firewall --apply=true --role=sensors --ip="$IP" - ;; - 'SEARCHNODE') - so-firewall --apply=true --role=searchnodes --ip="$IP" - ;; - 'HEAVYNODE') - so-firewall --role=sensors --ip="$IP" - so-firewall --apply=true --role=heavynodes --ip="$IP" - ;; - 'IDH') - so-firewall --apply=true --role=sensors --ip="$IP" - ;; - 'RECEIVER') - so-firewall --apply=true --role=receivers --ip="$IP" - ;; - esac + 'EVAL' | 'STANDALONE' | 'IMPORT') + so-firewall includehost manager "$IP" + so-firewall includehost sensor "$IP" + so-firewall includehost searchnode "$IP" --apply + ;; + 'FLEET') + so-firewall includehost fleet "$IP" --apply + ;; + 'SENSOR') + so-firewall includehost sensor "$IP" --apply + ;; + 'SEARCHNODE') + so-firewall includehost searchnode "$IP" --apply + ;; + 'HEAVYNODE') + so-firewall includehost sensor "$IP" + so-firewall includehost heavynode "$IP" --apply + ;; + 'IDH') + so-firewall includehost sensor "$IP" --apply + ;; + 'RECEIVER') + so-firewall includehost receiver "$IP" --apply ;; esac diff --git a/salt/firewall/defaults.yaml b/salt/firewall/defaults.yaml index 0e68add72..fa77aae77 100644 --- a/salt/firewall/defaults.yaml +++ b/salt/firewall/defaults.yaml 
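Review bot: The chained `so-firewall includehost` calls in the `'MANAGERSEARCH'`, `'EVAL' | 'STANDALONE' | 'IMPORT'` and `'HEAVYNODE'` branches never check each other's exit status, so if an earlier call fails (the rewritten `so-firewall` returns 4 for an unknown hostgroup) the final `--apply` call still applies the firewall state with an incomplete allow list. Chain them, e.g. `so-firewall includehost manager "$IP" && so-firewall includehost searchnode "$IP" --apply`, or test `$?` after each call; note that `so-firewall` returns 3 when the IP is already present, so a re-run of this script would need that code treated as success. The `case` belongs to a script whose earlier lines are outside the hunk.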
@@ -11,18 +11,18 @@ firewall: endgame: [] eval: [] fleet: [] - heavynodes: [] + heavynode: [] idh: [] import: [] localhost: - 127.0.0.1 manager: [] managersearch: [] - receivers: [] - searchnodes: [] - securityonion_desktops: [] + receiver: [] + searchnode: [] + securityonion_desktop: [] self: [] - sensors: [] + sensor: [] standalone: [] strelka_frontend: [] syslog: [] @@ -181,15 +181,15 @@ firewall: - influxdb - elasticsearch_rest - elasticsearch_node - sensors: + sensor: portgroups: - beats_5044 - beats_5644 - searchnodes: + searchnode: portgroups: - redis - elasticsearch_node - heavynodes: + heavynode: portgroups: - redis - elasticsearch_node @@ -273,7 +273,7 @@ firewall: chain: DOCKER-USER: hostgroups: - sensors: + sensor: portgroups: - elastic_agent_control - elastic_agent_data @@ -315,13 +315,13 @@ firewall: standalone: portgroups: - salt_manager - sensors: + sensor: portgroups: - salt_manager - searchnodes: + searchnode: portgroups: - salt_manager - heavynodes: + heavynode: portgroups: - salt_manager customhostgroup0: @@ -361,7 +361,7 @@ firewall: - elastic_agent_control - elastic_agent_data - agrules - sensors: + sensor: portgroups: - beats_5044 - beats_5644 @@ -370,7 +370,7 @@ firewall: - yum - docker_registry - influxdb - searchnodes: + searchnode: portgroups: - redis - elasticsearch_rest @@ -381,7 +381,7 @@ firewall: - influxdb - elastic_agent_control - elastic_agent_data - heavynodes: + heavynode: portgroups: - redis - elasticsearch_rest @@ -448,13 +448,13 @@ firewall: localhost: portgroups: - all - sensors: + sensor: portgroups: - salt_manager - searchnodes: + searchnode: portgroups: - salt_manager - heavynodes: + heavynode: portgroups: - salt_manager customhostgroup0: @@ -493,7 +493,7 @@ firewall: - docker_registry - elastic_agent_control - elastic_agent_data - sensors: + sensor: portgroups: - beats_5044 - beats_5644 @@ -502,7 +502,7 @@ firewall: - yum - docker_registry - influxdb - searchnodes: + searchnode: portgroups: - redis - elasticsearch_rest 
@@ -512,7 +512,7 @@ firewall: - influxdb - elastic_agent_control - elastic_agent_data - heavynodes: + heavynode: portgroups: - redis - elasticsearch_rest @@ -578,13 +578,13 @@ firewall: localhost: portgroups: - all - sensors: + sensor: portgroups: - salt_manager - searchnodes: + searchnode: portgroups: - salt_manager - heavynodes: + heavynode: portgroups: - salt_manager customhostgroup0: @@ -647,7 +647,7 @@ firewall: - beats_5056 - elastic_agent_control - elastic_agent_data - sensors: + sensor: portgroups: - docker_registry - influxdb @@ -658,7 +658,7 @@ firewall: - beats_5056 - elastic_agent_control - elastic_agent_data - searchnodes: + searchnode: portgroups: - docker_registry - influxdb @@ -667,7 +667,7 @@ firewall: - redis - elasticsearch_rest - elasticsearch_node - heavynodes: + heavynode: portgroups: - docker_registry - influxdb @@ -741,13 +741,13 @@ firewall: standalone: portgroups: - salt_manager - sensors: + sensor: portgroups: - salt_manager - searchnodes: + searchnode: portgroups: - salt_manager - heavynodes: + heavynode: portgroups: - salt_manager customhostgroup0: @@ -785,7 +785,7 @@ firewall: elasticsearch_rest: portgroups: - elasticsearch_rest - searchnodes: + searchnode: portgroups: - elasticsearch_node self: @@ -989,11 +989,11 @@ firewall: - elasticsearch_rest - elasticsearch_node - elastic_agent_control - sensors: + sensor: portgroups: - beats_5044 - beats_5644 - searchnodes: + searchnode: portgroups: - redis - elasticsearch_node @@ -1068,10 +1068,10 @@ firewall: chain: DOCKER-USER: hostgroups: - sensors: + sensor: portgroups: - beats_5644 - searchnodes: + searchnode: portgroups: - redis - beats_5644 diff --git a/salt/firewall/soc_firewall.yaml b/salt/firewall/soc_firewall.yaml index 5b76c581e..cbb4b9f15 100644 --- a/salt/firewall/soc_firewall.yaml +++ b/salt/firewall/soc_firewall.yaml 
@@ -31,17 +31,17 @@ firewall: endgame: *hostgroupsettingsadv eval: *hostgroupsettings fleet: *hostgroupsettings - heavynodes: *hostgroupsettings + heavynode: *hostgroupsettings idh: *hostgroupsettings import: *hostgroupsettings localhost: *ROhostgroupsettingsadv manager: *hostgroupsettings managersearch: *hostgroupsettings - receivers: *hostgroupsettings - searchnodes: *hostgroupsettings - securityonion_desktops: *hostgroupsettings + receiver: *hostgroupsettings + searchnode: *hostgroupsettings + securityonion_desktop: *hostgroupsettings self: *ROhostgroupsettingsadv - sensors: *hostgroupsettings + sensor: *hostgroupsettings standalone: *hostgroupsettings strelka_frontend: *hostgroupsettings syslog: *hostgroupsettings @@ -186,11 +186,11 @@ firewall: advanced: True multiline: True helpLink: firewall.html - sensors: + sensor: portgroups: *portgroupsdocker - searchnodes: + searchnode: portgroups: *portgroupsdocker - heavynodes: + heavynode: portgroups: *portgroupsdocker self: portgroups: *portgroupsdocker @@ -264,7 +264,7 @@ firewall: chain: DOCKER-USER: hostgroups: - sensors: + sensor: portgroups: *portgroupsdocker elastic_agent_endpoint: portgroups: *portgroupsdocker @@ -298,11 +298,11 @@ firewall: portgroups: *portgroupsdocker standalone: portgroups: *portgroupshost - sensors: + sensor: portgroups: *portgroupshost - searchnodes: + searchnode: portgroups: *portgroupshost - heavynodes: + heavynode: portgroups: *portgroupshost customhostgroup0: portgroups: *portgroupshost @@ -331,11 +331,11 @@ firewall: hostgroups: manager: portgroups: *portgroupsdocker - sensors: + sensor: portgroups: *portgroupsdocker - searchnodes: + searchnode: portgroups: *portgroupsdocker - heavynodes: + heavynode: portgroups: *portgroupsdocker self: portgroups: *portgroupsdocker 
@@ -381,11 +381,11 @@ firewall: portgroups: *portgroupshost localhost: portgroups: *portgroupshost - sensors: + sensor: portgroups: *portgroupshost - searchnodes: + searchnode: portgroups: *portgroupshost - heavynodes: + heavynode: portgroups: *portgroupshost customhostgroup0: portgroups: *portgroupshost @@ -414,11 +414,11 @@ firewall: hostgroups: managersearch: portgroups: *portgroupsdocker - sensors: + sensor: portgroups: *portgroupsdocker - searchnodes: + searchnode: portgroups: *portgroupsdocker - heavynodes: + heavynode: portgroups: *portgroupsdocker self: portgroups: *portgroupsdocker @@ -464,11 +464,11 @@ firewall: portgroups: *portgroupshost localhost: portgroups: *portgroupshost - sensors: + sensor: portgroups: *portgroupshost - searchnodes: + searchnode: portgroups: *portgroupshost - heavynodes: + heavynode: portgroups: *portgroupshost customhostgroup0: portgroups: *portgroupshost @@ -501,11 +501,11 @@ firewall: portgroups: *portgroupsdocker fleet: portgroups: *portgroupsdocker - sensors: + sensor: portgroups: *portgroupsdocker - searchnodes: + searchnode: portgroups: *portgroupsdocker - heavynodes: + heavynode: portgroups: *portgroupsdocker self: portgroups: *portgroupsdocker @@ -557,11 +557,11 @@ firewall: portgroups: *portgroupshost standalone: portgroups: *portgroupshost - sensors: + sensor: portgroups: *portgroupshost - searchnodes: + searchnode: portgroups: *portgroupshost - heavynodes: + heavynode: portgroups: *portgroupshost customhostgroup0: portgroups: *portgroupshost @@ -594,7 +594,7 @@ firewall: portgroups: *portgroupsdocker elasticsearch_rest: portgroups: *portgroupsdocker - searchnodes: + searchnode: portgroups: *portgroupsdocker self: portgroups: *portgroupsdocker @@ -773,9 +773,9 @@ firewall: hostgroups: manager: portgroups: *portgroupsdocker - sensors: + sensor: portgroups: *portgroupsdocker - searchnodes: + searchnode: portgroups: *portgroupsdocker beats_endpoint: portgroups: *portgroupsdocker 
@@ -840,9 +840,9 @@ firewall: chain: DOCKER-USER: hostgroups: - sensors: + sensor: portgroups: *portgroupsdocker - searchnodes: + searchnode: portgroups: *portgroupsdocker self: portgroups: *portgroupsdocker From c5977663909e0f503d9f56be5e42660eb95031ad Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 3 May 2023 10:17:45 -0400 Subject: [PATCH 07/10] assign firewall pillars to * in top --- pillar/top.sls | 10 ++-------- salt/firewall/defaults.yaml | 5 ----- 2 files changed, 2 insertions(+), 13 deletions(-) diff --git a/pillar/top.sls b/pillar/top.sls index 9e373be31..ebcd6bbb2 100644 --- a/pillar/top.sls +++ b/pillar/top.sls @@ -6,6 +6,8 @@ base: - logrotate - docker.soc_docker - docker.adv_docker + - firewall.soc_firewall + - firewall.adv_firewall - sensoroni.soc_sensoroni - sensoroni.adv_sensoroni - telegraf.soc_telegraf @@ -68,8 +70,6 @@ base: - elasticsearch.adv_elasticsearch - backup.soc_backup - backup.adv_backup - - firewall.soc_firewall - - firewall.adv_firewall - minions.{{ grains.id }} - minions.adv_{{ grains.id }} @@ -108,8 +108,6 @@ base: - influxdb.adv_influxdb - backup.soc_backup - backup.adv_backup - - firewall.soc_firewall - - firewall.adv_firewall - minions.{{ grains.id }} - minions.adv_{{ grains.id }} @@ -145,8 +143,6 @@ base: - soc.soc_soc - backup.soc_backup - backup.adv_backup - - firewall.soc_firewall - - firewall.adv_firewall - minions.{{ grains.id }} - minions.adv_{{ grains.id }} @@ -223,8 +219,6 @@ base: - redis.adv_redis - influxdb.soc_influxdb - influxdb.adv_influxdb - - firewall.soc_firewall - - firewall.adv_firewall - minions.{{ grains.id }} - minions.adv_{{ grains.id }} diff --git a/salt/firewall/defaults.yaml b/salt/firewall/defaults.yaml index fa77aae77..95aae108e 100644 --- a/salt/firewall/defaults.yaml +++ b/salt/firewall/defaults.yaml @@ -42,10 +42,6 @@ firewall: - '0:65535' udp: - '0:65535' - agrules: - tcp: - - 7788 - udp: [] beats_5044: tcp: - 5044 
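Review bot: Moving `firewall.soc_firewall` and `firewall.adv_firewall` into the first stanza of `pillar/top.sls` (the `*` target, per the commit title) means every minion, including sensors and IDH nodes, now receives the complete firewall pillar rather than only the roles that previously got it; pillar data is minion-scoped so that a compromised minion sees only its own data, and the full hostgroup lists (analyst CIDRs, manager and search node addresses) are more than a single node needs. If the reason is that every role now renders the `firewall` state (patch 02 keeps `- firewall` in each `salt/top.sls` stanza), the change is consistent, but document it above the added lines, e.g. `# every role renders its own firewall state, so the firewall pillars are assigned globally`.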
@@ -360,7 +356,6 @@ firewall: - docker_registry - elastic_agent_control - elastic_agent_data - - agrules sensor: portgroups: - beats_5044 From 8359f1983c83af3f7ff4c0e531ebb1167bdb887a Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 3 May 2023 10:53:13 -0400 Subject: [PATCH 08/10] idh firewall --- salt/firewall/defaults.yaml | 63 +++++++++++++++++++++++++++++++++++++ salt/firewall/map.jinja | 13 +++++++- 2 files changed, 75 insertions(+), 1 deletion(-) diff --git a/salt/firewall/defaults.yaml b/salt/firewall/defaults.yaml index 95aae108e..e31d9f1ed 100644 --- a/salt/firewall/defaults.yaml +++ b/salt/firewall/defaults.yaml @@ -1138,3 +1138,66 @@ firewall: portgroups: [] customhostgroup9: portgroups: [] + idh: + chain: + DOCKER-USER: + hostgroups: + customhostgroup0: + portgroups: [] + customhostgroup1: + portgroups: [] + customhostgroup2: + portgroups: [] + customhostgroup3: + portgroups: [] + customhostgroup4: + portgroups: [] + customhostgroup5: + portgroups: [] + customhostgroup6: + portgroups: [] + customhostgroup7: + portgroups: [] + customhostgroup8: + portgroups: [] + customhostgroup9: + portgroups: [] + INPUT: + hostgroups: + anywhere: + portgroups: [] + dockernet: + portgroups: + - all + localhost: + portgroups: + - all + manager: + portgroups: + - openssh + managersearch: + portgroups: + - openssh + standalone: + portgroups: + - openssh + customhostgroup0: + portgroups: [] + customhostgroup1: + portgroups: [] + customhostgroup2: + portgroups: [] + customhostgroup3: + portgroups: [] + customhostgroup4: + portgroups: [] + customhostgroup5: + portgroups: [] + customhostgroup6: + portgroups: [] + customhostgroup7: + portgroups: [] + customhostgroup8: + portgroups: [] + customhostgroup9: + portgroups: [] diff --git a/salt/firewall/map.jinja b/salt/firewall/map.jinja index 7a549d123..99296e0ab 100644 --- a/salt/firewall/map.jinja +++ b/salt/firewall/map.jinja 
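Review bot: The new `idh` role block leaves `INPUT.hostgroups.anywhere.portgroups: []` without a comment, yet the `map.jinja` change in this same patch appends every `idh_*` portgroup to exactly this list at render time, so a reader of `defaults.yaml` alone will assume the IDH honeypot services are not exposed at all. Add a comment above it, e.g. `# populated at render time by salt/firewall/map.jinja with the idh_* portgroups from idh/opencanary_config.map.jinja`. The INPUT chain grants `openssh` only from `manager`, `managersearch` and `standalone`, which appears to be the deliberately narrow management exposure for a honeypot host; stating that intent in a comment would keep a later edit from widening it casually.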
@@ -4,7 +4,18 @@ {# add our ip to self #} {% do FIREWALL_DEFAULT.firewall.hostgroups.self.append(GLOBALS.node_ip) %} -{# add dockernet range #} +{# add dockernet range #} {% do FIREWALL_DEFAULT.firewall.hostgroups.dockernet.append(DOCKER.sorange) %} +{% if GLOBALS.role == 'so-idh' %} +{% from 'idh/opencanary_config.map.jinja' import IDH_PORTGROUPS %} +{% do salt['defaults.merge'](FIREWALL_DEFAULT.firewall.portgroups, IDH_PORTGROUPS, in_place=True) %} +{% for pg in IDH_PORTGROUPS.keys() %} +{# idh service ports start with _idh. this prevents adding openssh to allow from anywhere #} +{% if pg.split('_')[0] == 'idh' %} +{% do FIREWALL_DEFAULT.firewall.role.idh.chain.INPUT.hostgroups.anywhere.portgroups.append(pg) %} +{% endif %} +{% endfor %} +{% endif %} + {% set FIREWALL_MERGED = salt['pillar.get']('firewall', FIREWALL_DEFAULT.firewall, merge=True) %} From 1593da4597da0d254e150ea147b37b3722e70839 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 3 May 2023 11:05:21 -0400 Subject: [PATCH 09/10] idh services are no longer selected in setup --- setup/so-whiptail | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-whiptail b/setup/so-whiptail index 84e9958ab..30ef8bb4d 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail 
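Review bot: The comment `{# idh service ports start with _idh. this prevents adding openssh to allow from anywhere #}` contradicts the test on the next line, which checks that the text before the first underscore is `idh`, i.e. names of the form `idh_<service>`; fix the comment and make the check a prefix test, `{% if pg.startswith('idh_') %}`, so that a portgroup named exactly `idh` (no underscore) cannot pass the filter either. This guard matters for exposure: everything that passes it is opened from `anywhere` on the INPUT chain, which is why entries such as `openssh` must stay excluded. `FIREWALL_DEFAULT.firewall.role.idh...` assumes the defaults tree has a `role` key above the per-role blocks, which I cannot confirm from this hunk.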
@@ -471,7 +471,7 @@ whiptail_gauge_post_setup() { [ -n "$TESTING" ] && return idh_preferences=$(whiptail --title "$whiptail_title" --radiolist \ - "\nBy default, the IDH services selected in the previous screen will be bound to all interfaces and IP addresses on this system.\n\nIf you would like to prevent IDH services from being published on this system's management IP, you can select the option below." 20 75 5 \ + "\nBy default, IDH services will be bound to all interfaces and IP addresses on this system.\n\nIf you would like to prevent IDH services from being published on this system's management IP, you can select the option below." 20 75 5 \ "$MAINIP" "Disable IDH services on this management IP " OFF 3>&1 1>&2 2>&3 ) local exitstatus=$? From 767c922083ab7fb938ef17be06b8c911adc832cf Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 3 May 2023 11:55:29 -0400 Subject: [PATCH 10/10] add idh to firewall annotation --- salt/firewall/soc_firewall.yaml | 59 +++++++++++++++++++++++++++++++++ 1 file changed, 59 insertions(+) diff --git a/salt/firewall/soc_firewall.yaml b/salt/firewall/soc_firewall.yaml index cbb4b9f15..02209af60 100644 --- a/salt/firewall/soc_firewall.yaml +++ b/salt/firewall/soc_firewall.yaml 
@@ -902,3 +902,62 @@ firewall: portgroups: *portgroupshost customhostgroup9: portgroups: *portgroupshost + + idh: + chain: + DOCKER-USER: + hostgroups: + customhostgroup0: + portgroups: *portgroupsdocker + customhostgroup1: + portgroups: *portgroupsdocker + customhostgroup2: + portgroups: *portgroupsdocker + customhostgroup3: + portgroups: *portgroupsdocker + customhostgroup4: + portgroups: *portgroupsdocker + customhostgroup5: + portgroups: *portgroupsdocker + customhostgroup6: + portgroups: *portgroupsdocker + customhostgroup7: + portgroups: *portgroupsdocker + customhostgroup8: + portgroups: *portgroupsdocker + customhostgroup9: + portgroups: *portgroupsdocker + INPUT: + hostgroups: + anywhere: + portgroups: *portgroupshost + dockernet: + portgroups: *portgroupshost + localhost: + portgroups: *portgroupshost + manager: + portgroups: *portgroupshost + managersearch: + portgroups: *portgroupshost + standalone: + portgroups: *portgroupshost + customhostgroup0: + portgroups: *portgroupshost + customhostgroup1: + portgroups: *portgroupshost + customhostgroup2: + portgroups: *portgroupshost + customhostgroup3: + portgroups: *portgroupshost + customhostgroup4: + portgroups: *portgroupshost + customhostgroup5: + portgroups: *portgroupshost + customhostgroup6: + portgroups: *portgroupshost + customhostgroup7: + portgroups: *portgroupshost + customhostgroup8: + portgroups: *portgroupshost + customhostgroup9: + portgroups: *portgroupshost
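Review bot: The annotation for `idh.chain.INPUT.hostgroups.anywhere` reuses `*portgroupshost`, an anchor defined before this hunk that presumably enumerates the static host portgroups; the `idh_*` portgroups that map.jinja appends to this same list at render time are not part of that anchor, so if the SOC UI validates or displays allowed values from this file the honeypot ports may be hidden or dropped when a user saves the role. A comment such as `# idh_* portgroups are added at render time by map.jinja and are not listed in this anchor` on the `anywhere:` entry, or a dedicated anchor for the IDH node, would make that explicit. Note also that offering the full host portgroup list for `anywhere` lets a UI user open any static portgroup, openssh included, to every source address on the honeypot host, which should be a deliberate decision rather than a side effect of copying the other roles' layout.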
