Merge pull request #13251 from Security-Onion-Solutions/kafkaflt

FIX: update firewall defaults
2025-12-06 09:12:45 +01:00 · 2024-06-24 12:29:48 -04:00
parent 9fce85c988 680e84851b
commit 9a0bad88cc
4 changed files with 43 additions and 13 deletions
--- a/salt/firewall/defaults.yaml
+++ b/salt/firewall/defaults.yaml
@@ -77,7 +77,6 @@ firewall:
    elastic_agent_data:
      tcp:
        - 5055
-        - 9092
      udp: []
    elastic_agent_update:
      tcp:
@@ -91,10 +90,14 @@ firewall:
      tcp:
        - 8086
      udp: []
-    kafka:
+    kafka_controller:
      tcp:
        - 9093
      udp: []
+    kafka_data:
+      tcp:
+        - 9092
+      udp: []
    kibana:
      tcp:
        - 5601
@@ -369,7 +372,6 @@ firewall:
                - elastic_agent_update
                - localrules
                - sensoroni
-                - kafka
            fleet:
              portgroups:
                - elasticsearch_rest
@@ -440,7 +442,6 @@ firewall:
                - elastic_agent_data
                - elastic_agent_update
                - sensoroni
-                - kafka
            analyst:
              portgroups:
                - nginx
@@ -565,7 +566,6 @@ firewall:
                - elastic_agent_update
                - localrules
                - sensoroni
-                - kafka
            fleet:
              portgroups:
                - elasticsearch_rest
@@ -634,7 +634,6 @@ firewall:
                - elastic_agent_data
                - elastic_agent_update
                - sensoroni
-                - kafka
            analyst:
              portgroups:
                - nginx
@@ -762,7 +761,6 @@ firewall:
                - beats_5044
                - beats_5644
                - beats_5056
-                - kafka
                - elasticsearch_node
                - elastic_agent_control
                - elastic_agent_data
@@ -832,7 +830,6 @@ firewall:
                - elastic_agent_data
                - elastic_agent_update
                - sensoroni
-                - kafka
            analyst:
              portgroups:
                - nginx
@@ -1297,21 +1294,17 @@ firewall:
              portgroups:
                - redis
                - elastic_agent_data
-                - kafka
            manager:
              portgroups:
                - elastic_agent_data
-                - kafka
            managersearch:
              portgroups:
                - redis
                - elastic_agent_data
-                - kafka
            self:
              portgroups:
                - redis
                - elastic_agent_data
-                - kafka
            beats_endpoint:
              portgroups:
                - beats_5044
@@ -1324,6 +1317,8 @@ firewall:
            endgame:
              portgroups:
                - endgame
+            receiver:
+              portgroups: []
            customhostgroup0:
              portgroups: []
            customhostgroup1:
--- a/salt/firewall/map.jinja
+++ b/salt/firewall/map.jinja
@@ -18,4 +18,28 @@
 {%   endfor %}
 {% endif %}

+{# Only add Kafka firewall items when Kafka enabled #}
+{% set role = GLOBALS.role.split('-')[1] %}
+
+{% if GLOBALS.pipeline == 'KAFKA' and role in ['manager', 'managersearch', 'standalone'] %}
+{%   do FIREWALL_DEFAULT.firewall.role[role].chain["DOCKER-USER"].hostgroups[role].portgroups.append('kafka_controller') %}
+{%   do FIREWALL_DEFAULT.firewall.role[role].chain["DOCKER-USER"].hostgroups.receiver.portgroups.append('kafka_controller') %}
+{% endif %}
+
+{% if GLOBALS.pipeline == 'KAFKA' and role == 'receiver' %}
+{%   do FIREWALL_DEFAULT.firewall.role[role].chain["DOCKER-USER"].hostgroups.self.portgroups.append('kafka_controller') %}
+{%   do FIREWALL_DEFAULT.firewall.role[role].chain["DOCKER-USER"].hostgroups.standalone.portgroups.append('kafka_controller') %}
+{%   do FIREWALL_DEFAULT.firewall.role[role].chain["DOCKER-USER"].hostgroups.manager.portgroups.append('kafka_controller') %}
+{%   do FIREWALL_DEFAULT.firewall.role[role].chain["DOCKER-USER"].hostgroups.managersearch.portgroups.append('kafka_controller') %}
+{%   do FIREWALL_DEFAULT.firewall.role[role].chain["DOCKER-USER"].hostgroups.receiver.portgroups.append('kafka_controller') %}
+{% endif %}
+
+{% if GLOBALS.pipeline == 'KAFKA' and role in ['manager', 'managersearch', 'standalone', 'receiver'] %}
+{%   for r in ['manager', 'managersearch', 'standalone', 'receiver', 'fleet', 'idh', 'sensor', 'searchnode','heavynode', 'elastic_agent_endpoint', 'desktop'] %}
+{%     if FIREWALL_DEFAULT.firewall.role[role].chain["DOCKER-USER"].hostgroups[r] is defined %}
+{%       do FIREWALL_DEFAULT.firewall.role[role].chain["DOCKER-USER"].hostgroups[r].portgroups.append('kafka_data') %}
+{%     endif %}
+{%   endfor %}
+{% endif %}
+
 {% set FIREWALL_MERGED = salt['pillar.get']('firewall', FIREWALL_DEFAULT.firewall, merge=True) %}
--- a/salt/logstash/enabled.sls
+++ b/salt/logstash/enabled.sls
@@ -78,6 +78,8 @@ so-logstash:
      {% if GLOBALS.role in ['so-manager', 'so-managersearch', 'so-standalone', 'so-import', 'so-heavynode', 'so-searchnode' ] %}
      - /opt/so/conf/ca/cacerts:/etc/pki/ca-trust/extracted/java/cacerts:ro
      - /opt/so/conf/ca/tls-ca-bundle.pem:/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem:ro
+      {% endif %}
+      {% if GLOBALS.role in ['so-manager', 'so-managersearch', 'so-standalone', 'so-searchnode'] %}
      - /etc/pki/kafka-logstash.p12:/usr/share/logstash/kafka-logstash.p12:ro
      {% endif %}
      {% if GLOBALS.role == 'so-eval' %}
--- a/salt/manager/init.sls
+++ b/salt/manager/init.sls
@@ -73,6 +73,15 @@ manager_sbin:
    - exclude_pat:
      - "*_test.py"

+manager_sbin_jinja:
+  file.recurse:
+    - name: /usr/sbin/
+    - source: salt://manager/tools/sbin_jinja/
+    - user: socore
+    - group: socore
+    - file_mode: 755
+    - template: jinja
+
 so-repo-file:
  file.managed:
    - name: /opt/so/conf/reposync/repodownload.conf