remove firewall pillar from top, add roles to hosts during setup - https://github.com/Security-Onion-Solutions/securityonion-saltstack/issues/641

This commit is contained in:
m0duspwnens
2020-06-11 08:49:52 -04:00
parent 5317ee8b5a
commit 9466cc5439
2 changed files with 17 additions and 24 deletions


@@ -14,7 +14,6 @@ base:
'*_sensor': '*_sensor':
- static - static
- firewall.*
- brologs - brologs
- healthcheck.sensor - healthcheck.sensor
- minions.{{ grains.id }} - minions.{{ grains.id }}
@@ -22,7 +21,6 @@ base:
'*_master or *_mastersearch': '*_master or *_mastersearch':
- match: compound - match: compound
- static - static
- firewall.*
- data.* - data.*
- secrets - secrets
- minions.{{ grains.id }} - minions.{{ grains.id }}
@@ -33,7 +31,6 @@ base:
'*_eval': '*_eval':
- static - static
- firewall.*
- data.* - data.*
- brologs - brologs
- secrets - secrets
@@ -53,18 +50,15 @@ base:
'*_node': '*_node':
- static - static
- firewall.*
- minions.{{ grains.id }} - minions.{{ grains.id }}
'*_heavynode': '*_heavynode':
- static - static
- firewall.*
- brologs - brologs
- minions.{{ grains.id }} - minions.{{ grains.id }}
'*_helix': '*_helix':
- static - static
- firewall.*
- fireeye - fireeye
- brologs - brologs
- logstash - logstash
@@ -73,14 +67,12 @@ base:
'*_fleet': '*_fleet':
- static - static
- firewall.*
- data.* - data.*
- secrets - secrets
- minions.{{ grains.id }} - minions.{{ grains.id }}
'*_searchnode': '*_searchnode':
- static - static
- firewall.*
- logstash - logstash
- logstash.search - logstash.search
- minions.{{ grains.id }} - minions.{{ grains.id }}


@@ -1368,19 +1368,20 @@ set_initial_firewall_policy() {
set_main_ip set_main_ip
if [ -f $default_salt_dir/pillar/data/addtotab.sh ]; then chmod +x $default_salt_dir/pillar/data/addtotab.sh; fi if [ -f $default_salt_dir/pillar/data/addtotab.sh ]; then chmod +x $default_salt_dir/pillar/data/addtotab.sh; fi
if [ -f $default_salt_dir/pillar/firewall/addfirewall.sh ]; then chmod +x $default_salt_dir/pillar/firewall/addfirewall.sh; fi if [ -f $default_salt_dir/salt/common/tools/sbin/so-firewall ]; then chmod +x $default_salt_dir/salt/common/tools/sbin/so-firewall; fi
case "$install_type" in case "$install_type" in
'MASTER') 'MASTER')
printf " - %s\n" "$MAINIP" | tee -a $local_salt_dir/pillar/firewall/minions.sls $local_salt_dir/pillar/firewall/masterfw.sls $default_salt_dir/salt/common/tools/sbin/so-firewall includehost master "$MAINIP"
$default_salt_dir/salt/common/tools/sbin/so-firewall includehost minion "$MAINIP"
$default_salt_dir/pillar/data/addtotab.sh mastertab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm" $default_salt_dir/pillar/data/addtotab.sh mastertab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm"
;; ;;
'EVAL' | 'MASTERSEARCH' | 'STANDALONE') 'EVAL' | 'MASTERSEARCH' | 'STANDALONE')
$default_salt_dir/salt/common/tools/sbin/so-firewall includehost master "$MAINIP" $default_salt_dir/salt/common/tools/sbin/so-firewall includehost master "$MAINIP"
$default_salt_dir/salt/common/tools/sbin/so-firewall includehost sensor "$MAINIP" $default_salt_dir/salt/common/tools/sbin/so-firewall includehost minion "$MAINIP"
$default_salt_dir/salt/common/tools/sbin/so-firewall includehost search_node "$MAINIP" $default_salt_dir/salt/common/tools/sbin/so-firewall includehost sensor "$MAINIP"
salt-call -l info state.apply firewall >> $setup_log 2>&1 $default_salt_dir/salt/common/tools/sbin/so-firewall includehost search_node "$MAINIP"
case "$install_type" in case "$install_type" in
'EVAL') 'EVAL')
$default_salt_dir/pillar/data/addtotab.sh evaltab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm" bond0 True $default_salt_dir/pillar/data/addtotab.sh evaltab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm" bond0 True
@@ -1391,24 +1392,24 @@ set_initial_firewall_policy() {
esac esac
;; ;;
'HELIXSENSOR') 'HELIXSENSOR')
printf " - %s\n" "$MAINIP" | tee -a $local_salt_dir/pillar/firewall/minions.sls\ $default_salt_dir/salt/common/tools/sbin/so-firewall includehost master "$MAINIP"
$local_salt_dir/pillar/firewall/masterfw.sls\ $default_salt_dir/salt/common/tools/sbin/so-firewall includehost minion "$MAINIP"
$local_salt_dir/pillar/firewall/forward_nodes.sls $default_salt_dir/salt/common/tools/sbin/so-firewall includehost sensor "$MAINIP"
;; ;;
'SENSOR' | 'SEARCHNODE' | 'HEAVYNODE' | 'FLEET') 'SENSOR' | 'SEARCHNODE' | 'HEAVYNODE' | 'FLEET')
ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/pillar/firewall/addfirewall.sh minions "$MAINIP" ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/salt/common/tools/sbin/so-firewall includehost minion "$MAINIP"
case "$install_type" in case "$install_type" in
'SENSOR') 'SENSOR')
ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/pillar/firewall/addfirewall.sh forward_nodes "$MAINIP" ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/salt/common/tools/sbin/so-firewall includehost sensor "$MAINIP"
ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/pillar/data/addtotab.sh sensorstab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm" bond0 ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/pillar/data/addtotab.sh sensorstab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm" bond0
;; ;;
'SEARCHNODE') 'SEARCHNODE')
ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/pillar/firewall/addfirewall.sh search_nodes "$MAINIP" ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/salt/common/tools/sbin/so-firewall includehost search_node "$MAINIP"
ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/pillar/data/addtotab.sh nodestab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm" ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/pillar/data/addtotab.sh nodestab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm"
;; ;;
'HEAVYNODE') 'HEAVYNODE')
ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/pillar/firewall/addfirewall.sh forward_nodes "$MAINIP" ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/salt/common/tools/sbin/so-firewall includehost sensor "$MAINIP"
ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/pillar/firewall/addfirewall.sh search_nodes "$MAINIP" ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/salt/common/tools/sbin/so-firewall includehost search_node "$MAINIP"
ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/pillar/data/addtotab.sh sensorstab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm" bond0 ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/pillar/data/addtotab.sh sensorstab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm" bond0
ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/pillar/data/addtotab.sh nodestab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm" ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/pillar/data/addtotab.sh nodestab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm"
;; ;;
@@ -1488,7 +1489,7 @@ update_sudoers() {
if ! grep -qE '^soremote\ ALL=\(ALL\)\ NOPASSWD:(\/usr\/bin\/salt\-key|\/opt\/so\/saltstack)' /etc/sudoers; then if ! grep -qE '^soremote\ ALL=\(ALL\)\ NOPASSWD:(\/usr\/bin\/salt\-key|\/opt\/so\/saltstack)' /etc/sudoers; then
# Update Sudoers so that soremote can accept keys without a password # Update Sudoers so that soremote can accept keys without a password
echo "soremote ALL=(ALL) NOPASSWD:/usr/bin/salt-key" | tee -a /etc/sudoers echo "soremote ALL=(ALL) NOPASSWD:/usr/bin/salt-key" | tee -a /etc/sudoers
echo "soremote ALL=(ALL) NOPASSWD:$default_salt_dir/pillar/firewall/addfirewall.sh" | tee -a /etc/sudoers echo "soremote ALL=(ALL) NOPASSWD:$default_salt_dir/salt/common/tools/sbin/so-firewall" | tee -a /etc/sudoers
echo "soremote ALL=(ALL) NOPASSWD:$default_salt_dir/pillar/data/addtotab.sh" | tee -a /etc/sudoers echo "soremote ALL=(ALL) NOPASSWD:$default_salt_dir/pillar/data/addtotab.sh" | tee -a /etc/sudoers
echo "soremote ALL=(ALL) NOPASSWD:$default_salt_dir/salt/master/files/add_minion.sh" | tee -a /etc/sudoers echo "soremote ALL=(ALL) NOPASSWD:$default_salt_dir/salt/master/files/add_minion.sh" | tee -a /etc/sudoers
else else
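Review bot: The new so-firewall calls in the MASTER and EVAL|MASTERSEARCH|STANDALONE branches of set_initial_firewall_policy run unchecked: the `-f` test two lines earlier only guards the chmod, so if the script is missing or `includehost` returns non-zero the host is never added and setup continues silently; append `|| echo "so-firewall includehost <role> failed" >> $setup_log` to each call (or capture the status and abort the step) so the failure is at least logged. In the SENSOR/SEARCHNODE/HEAVYNODE/FLEET branch the argument travels as `ssh ... sudo $default_salt_dir/salt/common/tools/sbin/so-firewall includehost minion "$MAINIP"`, where the local quotes are dropped and the remote shell re-parses the joined string, so the remote side should receive `"$(printf '%q' "$MAINIP")"` instead of the bare expansion. This matters because the sudoers line added in update_sudoers (`NOPASSWD:$default_salt_dir/salt/common/tools/sbin/so-firewall`) constrains only the command path, not its arguments, so caller-side argument hygiene is the only control on what soremote can pass to it as root. The old EVAL|MASTERSEARCH|STANDALONE branch ran `salt-call -l info state.apply firewall >> $setup_log 2>&1` right after the includehost calls and the new one does not; if that apply is not performed later in setup, the added hosts only take effect on the next highstate. set_initial_firewall_policy starts at the hunk header and its body continues past the visible lines.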