Merge pull request #7732 from Security-Onion-Solutions/feature/idh-allow-multiple-int

Feature/idh allow multiple int

salt/idh/init.sls

@@ -19,11 +19,36 @@
 {% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %}
 {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %}
 {% set MANAGER = salt['grains.get']('master') %}
+{% set MAININT = salt['pillar.get']('host:mainint') %}
+{% set MAINIP = salt['grains.get']('ip_interfaces').get(MAININT)[0] %}
+{% set RESTRICTIDHSERVICES = salt['pillar.get']('idh:restrict_management_ip', False) %}
 
 include:
   - idh.openssh.config
 
-# IDH State
+
+# If True, block IDH Services from accepting connections on Managment IP
+{% if RESTRICTIDHSERVICES %}
+  {% from 'idh/opencanary_config.map.jinja' import OPENCANARYCONFIG %}
+  {% set idh_services = salt['pillar.get']('idh:services', []) %}
+
+  {% for service in idh_services %}
+  {% if service in ["smnp","ntp", "tftp"] %}
+    {% set proto = 'udp' %}
+  {% else %}
+    {% set proto = 'tcp' %}
+  {% endif %}
+block_mgt_ip_idh_services_{{ proto }}_{{ OPENCANARYCONFIG[service~'.port'] }} :
+  iptables.insert:
+    - table: filter
+    - chain: INPUT
+    - jump: DROP
+    - position: 1
+    - proto:  {{ proto }}
+    - dport: {{ OPENCANARYCONFIG[service~'.port'] }}
+    - destination: {{ MAINIP }}
+  {% endfor %}
+{% endif %}
 
 # Create a config directory
 temp:

salt/top.sls

@@ -499,7 +499,7 @@ base:
     - ssl
     - sensoroni
     - telegraf
-    - firewall
+    - firewall # It's important that this state runs before the IDH state, since the IDH state (optionally) inserts BLOCK rules at position 1
     {%- if WAZUH != 0 %}
     - wazuh
     {%- endif %}

setup/so-functions

@@ -450,6 +450,13 @@ collect_hostname_validate() {
 	done
 }
 
+collect_idh_preferences() {
+	IDHMGTRESTRICT='False'
+	whiptail_idh_preferences
+
+	if [[ "$idh_preferences" != "" ]]; then IDHMGTRESTRICT='True'; fi
+}
+
 collect_idh_services() {
 	whiptail_idh_services
 
@@ -2900,6 +2907,7 @@ write_out_idh_services() {
 
 	printf '%s\n'\
 	"idh:"\
+	"  restrict_management_ip: $IDHMGTRESTRICT"\
 	"  services:" >> "$pillar_file"
 	for service in ${idh_services[@]}; do
 	  echo "    - $service" | tr '[:upper:]' '[:lower:]' >> "$pillar_file"

setup/so-setup

@@ -341,10 +341,6 @@ if [[ $is_manager || $is_import ]]; then
 	check_elastic_license
 fi
 
-if [[ $is_idh ]]; then
-	collect_idh_services
-fi
-
 if ! [[ -f $install_opt_file ]]; then
 	if [[ $is_manager && $is_sensor ]]; then
 		check_requirements "standalone"
@@ -389,6 +385,11 @@ if ! [[ -f $install_opt_file ]]; then
 		copy_ssh_key >> $setup_log 2>&1
 	fi
 
+	if [[ $is_idh ]]; then
+	  collect_idh_services
+	  collect_idh_preferences
+    fi
+
 	# Check if this is an airgap install
 	if [[ ( $is_manager || $is_import) && $is_iso ]]; then
 		whiptail_airgap

setup/so-whiptail

@@ -742,6 +742,17 @@ whiptail_homenet_sensor() {
 	export HNSENSOR
 }
 
+ whiptail_idh_preferences() {
+
+	[ -n "$TESTING" ] && return
+
+	idh_preferences=$(whiptail --title "$whiptail_title" --radiolist \
+		"\nBy default, the IDH services selected in the previous screen will be bound to all interfaces / IPs on this system.\n\nYou can choose below whether or not to prevent IDH services from being published on this system's management IP." 20 75 5 \
+		"$MAINIP" "Disable IDH services on this management IP " OFF 3>&1 1>&2 2>&3 )
+
+	local exitstatus=$?
+	whiptail_check_exitstatus $exitstatus
+}
 
 whiptail_idh_services() {