Merge pull request #13251 from Security-Onion-Solutions/kafkaflt
FIX: update firewall defaults
@@ -77,7 +77,6 @@ firewall:
|
|||||||
elastic_agent_data:
|
elastic_agent_data:
|
||||||
tcp:
|
tcp:
|
||||||
- 5055
|
- 5055
|
||||||
- 9092
|
|
||||||
udp: []
|
udp: []
|
||||||
elastic_agent_update:
|
elastic_agent_update:
|
||||||
tcp:
|
tcp:
|
||||||
@@ -91,10 +90,14 @@ firewall:
|
|||||||
tcp:
|
tcp:
|
||||||
- 8086
|
- 8086
|
||||||
udp: []
|
udp: []
|
||||||
kafka:
|
kafka_controller:
|
||||||
tcp:
|
tcp:
|
||||||
- 9093
|
- 9093
|
||||||
udp: []
|
udp: []
|
||||||
|
kafka_data:
|
||||||
|
tcp:
|
||||||
|
- 9092
|
||||||
|
udp: []
|
||||||
kibana:
|
kibana:
|
||||||
tcp:
|
tcp:
|
||||||
- 5601
|
- 5601
|
||||||
@@ -369,7 +372,6 @@ firewall:
|
|||||||
- elastic_agent_update
|
- elastic_agent_update
|
||||||
- localrules
|
- localrules
|
||||||
- sensoroni
|
- sensoroni
|
||||||
- kafka
|
|
||||||
fleet:
|
fleet:
|
||||||
portgroups:
|
portgroups:
|
||||||
- elasticsearch_rest
|
- elasticsearch_rest
|
||||||
@@ -440,7 +442,6 @@ firewall:
|
|||||||
- elastic_agent_data
|
- elastic_agent_data
|
||||||
- elastic_agent_update
|
- elastic_agent_update
|
||||||
- sensoroni
|
- sensoroni
|
||||||
- kafka
|
|
||||||
analyst:
|
analyst:
|
||||||
portgroups:
|
portgroups:
|
||||||
- nginx
|
- nginx
|
||||||
@@ -565,7 +566,6 @@ firewall:
|
|||||||
- elastic_agent_update
|
- elastic_agent_update
|
||||||
- localrules
|
- localrules
|
||||||
- sensoroni
|
- sensoroni
|
||||||
- kafka
|
|
||||||
fleet:
|
fleet:
|
||||||
portgroups:
|
portgroups:
|
||||||
- elasticsearch_rest
|
- elasticsearch_rest
|
||||||
@@ -634,7 +634,6 @@ firewall:
|
|||||||
- elastic_agent_data
|
- elastic_agent_data
|
||||||
- elastic_agent_update
|
- elastic_agent_update
|
||||||
- sensoroni
|
- sensoroni
|
||||||
- kafka
|
|
||||||
analyst:
|
analyst:
|
||||||
portgroups:
|
portgroups:
|
||||||
- nginx
|
- nginx
|
||||||
@@ -762,7 +761,6 @@ firewall:
|
|||||||
- beats_5044
|
- beats_5044
|
||||||
- beats_5644
|
- beats_5644
|
||||||
- beats_5056
|
- beats_5056
|
||||||
- kafka
|
|
||||||
- elasticsearch_node
|
- elasticsearch_node
|
||||||
- elastic_agent_control
|
- elastic_agent_control
|
||||||
- elastic_agent_data
|
- elastic_agent_data
|
||||||
@@ -832,7 +830,6 @@ firewall:
|
|||||||
- elastic_agent_data
|
- elastic_agent_data
|
||||||
- elastic_agent_update
|
- elastic_agent_update
|
||||||
- sensoroni
|
- sensoroni
|
||||||
- kafka
|
|
||||||
analyst:
|
analyst:
|
||||||
portgroups:
|
portgroups:
|
||||||
- nginx
|
- nginx
|
||||||
@@ -1297,21 +1294,17 @@ firewall:
|
|||||||
portgroups:
|
portgroups:
|
||||||
- redis
|
- redis
|
||||||
- elastic_agent_data
|
- elastic_agent_data
|
||||||
- kafka
|
|
||||||
manager:
|
manager:
|
||||||
portgroups:
|
portgroups:
|
||||||
- elastic_agent_data
|
- elastic_agent_data
|
||||||
- kafka
|
|
||||||
managersearch:
|
managersearch:
|
||||||
portgroups:
|
portgroups:
|
||||||
- redis
|
- redis
|
||||||
- elastic_agent_data
|
- elastic_agent_data
|
||||||
- kafka
|
|
||||||
self:
|
self:
|
||||||
portgroups:
|
portgroups:
|
||||||
- redis
|
- redis
|
||||||
- elastic_agent_data
|
- elastic_agent_data
|
||||||
- kafka
|
|
||||||
beats_endpoint:
|
beats_endpoint:
|
||||||
portgroups:
|
portgroups:
|
||||||
- beats_5044
|
- beats_5044
|
||||||
@@ -1324,6 +1317,8 @@ firewall:
|
|||||||
endgame:
|
endgame:
|
||||||
portgroups:
|
portgroups:
|
||||||
- endgame
|
- endgame
|
||||||
|
receiver:
|
||||||
|
portgroups: []
|
||||||
customhostgroup0:
|
customhostgroup0:
|
||||||
portgroups: []
|
portgroups: []
|
||||||
customhostgroup1:
|
customhostgroup1:
|
||||||
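Review bot: Renaming the `kafka` portgroup to `kafka_controller` in the `@@ -91,10 +90,14 @@` hunk leaves any local pillar override that still lists `kafka` under a hostgroup's `portgroups` pointing at a name that is no longer defined, and nothing visible in this change handles that case. The defaults are merged with pillar through `pillar.get('firewall', ..., merge=True)`, so such an override would presumably survive an upgrade; how the firewall state treats an unknown portgroup name is not visible here. I would add a comment above the new keys, for example `# kafka_controller (9093) and kafka_data (9092) replace the former 'kafka' portgroup; update local overrides`. It is also worth confirming that an unknown portgroup name produces a render error rather than a silently missing rule.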
|
|||||||
@@ -18,4 +18,28 @@
|
|||||||
{% endfor %}
|
{% endfor %}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
|
||||||
|
{# Only add Kafka firewall items when Kafka enabled #}
|
||||||
|
{% set role = GLOBALS.role.split('-')[1] %}
|
||||||
|
|
||||||
|
{% if GLOBALS.pipeline == 'KAFKA' and role in ['manager', 'managersearch', 'standalone'] %}
|
||||||
|
{% do FIREWALL_DEFAULT.firewall.role[role].chain["DOCKER-USER"].hostgroups[role].portgroups.append('kafka_controller') %}
|
||||||
|
{% do FIREWALL_DEFAULT.firewall.role[role].chain["DOCKER-USER"].hostgroups.receiver.portgroups.append('kafka_controller') %}
|
||||||
|
{% endif %}
|
||||||
|
|
||||||
|
{% if GLOBALS.pipeline == 'KAFKA' and role == 'receiver' %}
|
||||||
|
{% do FIREWALL_DEFAULT.firewall.role[role].chain["DOCKER-USER"].hostgroups.self.portgroups.append('kafka_controller') %}
|
||||||
|
{% do FIREWALL_DEFAULT.firewall.role[role].chain["DOCKER-USER"].hostgroups.standalone.portgroups.append('kafka_controller') %}
|
||||||
|
{% do FIREWALL_DEFAULT.firewall.role[role].chain["DOCKER-USER"].hostgroups.manager.portgroups.append('kafka_controller') %}
|
||||||
|
{% do FIREWALL_DEFAULT.firewall.role[role].chain["DOCKER-USER"].hostgroups.managersearch.portgroups.append('kafka_controller') %}
|
||||||
|
{% do FIREWALL_DEFAULT.firewall.role[role].chain["DOCKER-USER"].hostgroups.receiver.portgroups.append('kafka_controller') %}
|
||||||
|
{% endif %}
|
||||||
|
|
||||||
|
{% if GLOBALS.pipeline == 'KAFKA' and role in ['manager', 'managersearch', 'standalone', 'receiver'] %}
|
||||||
|
{% for r in ['manager', 'managersearch', 'standalone', 'receiver', 'fleet', 'idh', 'sensor', 'searchnode','heavynode', 'elastic_agent_endpoint', 'desktop'] %}
|
||||||
|
{% if FIREWALL_DEFAULT.firewall.role[role].chain["DOCKER-USER"].hostgroups[r] is defined %}
|
||||||
|
{% do FIREWALL_DEFAULT.firewall.role[role].chain["DOCKER-USER"].hostgroups[r].portgroups.append('kafka_data') %}
|
||||||
|
{% endif %}
|
||||||
|
{% endfor %}
|
||||||
|
{% endif %}
|
||||||
|
|
||||||
{% set FIREWALL_MERGED = salt['pillar.get']('firewall', FIREWALL_DEFAULT.firewall, merge=True) %}
|
{% set FIREWALL_MERGED = salt['pillar.get']('firewall', FIREWALL_DEFAULT.firewall, merge=True) %}
|
||||||
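Review bot: The two `kafka_controller` blocks append to `hostgroups[role]`, `hostgroups.receiver`, `hostgroups.self`, `hostgroups.standalone`, `hostgroups.manager` and `hostgroups.managersearch` without checking that the hostgroup exists, whereas the `kafka_data` loop below guards every append with `is defined`. The defaults hunks on this page add `receiver: portgroups: []` to only one hostgroups map, so it cannot be confirmed from here that every targeted role defines all of these hostgroups; a missing one would presumably make the template fail to render. Wrapping each append in the same guard, e.g. `{% if FIREWALL_DEFAULT.firewall.role[role].chain["DOCKER-USER"].hostgroups.receiver is defined %}`, would keep the three blocks consistent. A short comment that `kafka_data` (9092) is opened to every hostgroup in the list, including `elastic_agent_endpoint` and `desktop`, would also help a reader see that the broker listener is expected to enforce its own authentication.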
|
|||||||
@@ -78,6 +78,8 @@ so-logstash:
|
|||||||
{% if GLOBALS.role in ['so-manager', 'so-managersearch', 'so-standalone', 'so-import', 'so-heavynode', 'so-searchnode' ] %}
|
{% if GLOBALS.role in ['so-manager', 'so-managersearch', 'so-standalone', 'so-import', 'so-heavynode', 'so-searchnode' ] %}
|
||||||
- /opt/so/conf/ca/cacerts:/etc/pki/ca-trust/extracted/java/cacerts:ro
|
- /opt/so/conf/ca/cacerts:/etc/pki/ca-trust/extracted/java/cacerts:ro
|
||||||
- /opt/so/conf/ca/tls-ca-bundle.pem:/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem:ro
|
- /opt/so/conf/ca/tls-ca-bundle.pem:/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem:ro
|
||||||
|
{% endif %}
|
||||||
|
{% if GLOBALS.role in ['so-manager', 'so-managersearch', 'so-standalone', 'so-searchnode'] %}
|
||||||
- /etc/pki/kafka-logstash.p12:/usr/share/logstash/kafka-logstash.p12:ro
|
- /etc/pki/kafka-logstash.p12:/usr/share/logstash/kafka-logstash.p12:ro
|
||||||
{% endif %}
|
{% endif %}
|
||||||
{% if GLOBALS.role == 'so-eval' %}
|
{% if GLOBALS.role == 'so-eval' %}
|
||||||
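Review bot: The new `{% if GLOBALS.role in ['so-manager', 'so-managersearch', 'so-standalone', 'so-searchnode'] %}` guard around the `kafka-logstash.p12` bind mount tests the role only, so the keystore is mounted into so-logstash even when the pipeline is not Kafka. The firewall template in this same commit gates its Kafka additions on `GLOBALS.pipeline == 'KAFKA'`; assuming that value is available in this state too, `{% if GLOBALS.pipeline == 'KAFKA' and GLOBALS.role in [...] %}` would keep key material out of containers that do not need it. Docker typically creates a directory at a bind source that does not exist, so it is worth confirming the .p12 is always present on these roles, which this hunk does not show. The `so-logstash` state starts and ends outside the hunk.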
|
|||||||
@@ -73,6 +73,15 @@ manager_sbin:
|
|||||||
- exclude_pat:
|
- exclude_pat:
|
||||||
- "*_test.py"
|
- "*_test.py"
|
||||||
|
|
||||||
|
manager_sbin_jinja:
|
||||||
|
file.recurse:
|
||||||
|
- name: /usr/sbin/
|
||||||
|
- source: salt://manager/tools/sbin_jinja/
|
||||||
|
- user: socore
|
||||||
|
- group: socore
|
||||||
|
- file_mode: 755
|
||||||
|
- template: jinja
|
||||||
|
|
||||||
so-repo-file:
|
so-repo-file:
|
||||||
file.managed:
|
file.managed:
|
||||||
- name: /opt/so/conf/reposync/repodownload.conf
|
- name: /opt/so/conf/reposync/repodownload.conf
|
||||||
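Review bot: `manager_sbin_jinja` writes rendered scripts into `/usr/sbin/` with `user: socore` and `group: socore`, so a non-root service account owns executables in a directory that root-run jobs commonly execute from. If any of these scripts is invoked as root, write access by socore becomes a path to root; `- user: root` with group access for socore would avoid that, provided nothing relies on socore editing them. The preceding `manager_sbin` state is only partly visible, so it may already follow the same pattern. Because the files are Jinja-rendered and mode 755, any pillar value a template expands is world-readable on the manager, which is worth checking for secrets. Quoting the mode as `- file_mode: '0755'` also keeps it a string regardless of the YAML loader.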
|
|||||||