From 593cdbd06001f3492423c1c590b4e5ac3d5ae92d Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Fri, 4 Aug 2023 08:50:06 -0400 Subject: [PATCH 1/6] add rules for idh to connect to managers, change idh from sensor to idh in so-firewall-minion --- salt/firewall/defaults.yaml | 33 ++++++++++++++++++++++ salt/manager/tools/sbin/so-firewall-minion | 4 +-- 2 files changed, 35 insertions(+), 2 deletions(-) diff --git a/salt/firewall/defaults.yaml b/salt/firewall/defaults.yaml index 3095c052e..48074b0be 100644 --- a/salt/firewall/defaults.yaml +++ b/salt/firewall/defaults.yaml @@ -383,6 +383,17 @@ firewall: - elastic_agent_control - elastic_agent_data - elastic_agent_update + idh: + portgroups: + - docker_registry + - influxdb + - sensoroni + - yum + - beats_5044 + - beats_5644 + - elastic_agent_control + - elastic_agent_data + - elastic_agent_update sensor: portgroups: - beats_5044 @@ -548,6 +559,17 @@ firewall: - elastic_agent_control - elastic_agent_data - elastic_agent_update + idh: + portgroups: + - docker_registry + - influxdb + - sensoroni + - yum + - beats_5044 + - beats_5644 + - elastic_agent_control + - elastic_agent_data + - elastic_agent_update sensor: portgroups: - beats_5044 @@ -723,6 +745,17 @@ firewall: - elastic_agent_control - elastic_agent_data - elastic_agent_update + idh: + portgroups: + - docker_registry + - influxdb + - sensoroni + - yum + - beats_5044 + - beats_5644 + - elastic_agent_control + - elastic_agent_data + - elastic_agent_update sensor: portgroups: - docker_registry diff --git a/salt/manager/tools/sbin/so-firewall-minion b/salt/manager/tools/sbin/so-firewall-minion index 4834f0e41..7b0ddab90 100755 --- a/salt/manager/tools/sbin/so-firewall-minion +++ b/salt/manager/tools/sbin/so-firewall-minion 
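Review bot: The new `idh` hostgroup in the `@@ -383` hunk (and its copies at `@@ -548` and `@@ -723`) is granted the full sensor-equivalent set of manager ports — `docker_registry`, `influxdb`, `sensoroni`, `yum`, both beats ports and the three `elastic_agent_*` groups — with no comment on why each one is needed. If `idh` is the honeypot node type, it is the one node class that is deliberately reachable by attackers, so a compromised IDH host with this allowlist can reach the manager's image registry, metrics store and log-ingest ports; I would trim the list to the ports the IDH services actually connect to and annotate it, e.g. `# idh is attacker-facing: keep this to the minimum the honeypot host needs to be managed and ship logs`. Whether `influxdb` or the beats ports are used by the IDH role is not visible in this diff, so confirm against the idh state before trimming.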
@@ -74,9 +74,9 @@ fi so-firewall includehost heavynode "$IP" --apply ;; 'IDH') - so-firewall includehost sensor "$IP" --apply + so-firewall includehost idh "$IP" --apply ;; 'RECEIVER') so-firewall includehost receiver "$IP" --apply ;; - esac \ No newline at end of file + esac From 682289ef23736b687cd271a503c58200143c4c9f Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Fri, 4 Aug 2023 09:01:09 -0400 Subject: [PATCH 2/6] add sensoroni ports where missing --- salt/firewall/defaults.yaml | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/salt/firewall/defaults.yaml b/salt/firewall/defaults.yaml index 48074b0be..125bf0f08 100644 --- a/salt/firewall/defaults.yaml +++ b/salt/firewall/defaults.yaml @@ -370,6 +370,7 @@ firewall: - elastic_agent_data - elastic_agent_update - localrules + - sensoroni fleet: portgroups: - elasticsearch_rest @@ -404,6 +405,7 @@ firewall: - yum - docker_registry - influxdb + - sensoroni searchnode: portgroups: - redis @@ -416,6 +418,7 @@ firewall: - elastic_agent_control - elastic_agent_data - elastic_agent_update + - sensoroni heavynode: portgroups: - redis @@ -428,6 +431,7 @@ firewall: - elastic_agent_control - elastic_agent_data - elastic_agent_update + - sensoroni receiver: portgroups: - yum @@ -436,6 +440,7 @@ firewall: - elastic_agent_control - elastic_agent_data - elastic_agent_update + - sensoroni beats_endpoint: portgroups: - beats_5044 @@ -546,6 +551,7 @@ firewall: - elastic_agent_data - elastic_agent_update - localrules + - sensoroni fleet: portgroups: - elasticsearch_rest @@ -580,6 +586,7 @@ firewall: - yum - docker_registry - influxdb + - sensoroni searchnode: portgroups: - redis @@ -591,6 +598,7 @@ firewall: - elastic_agent_control - elastic_agent_data - elastic_agent_update + - sensoroni heavynode: portgroups: - redis @@ -602,6 +610,7 @@ firewall: - elastic_agent_control - elastic_agent_data - elastic_agent_update + - sensoroni receiver: portgroups: - yum 
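Review bot: The `'IDH')` branch now runs `so-firewall includehost idh "$IP" --apply`, but nothing in this script removes an already-deployed IDH node's IP from the `sensor` hostgroup it was previously added to, so on an upgraded deployment the honeypot keeps its old sensor-level allowlist in addition to the new idh one. Unless a migration step elsewhere handles this, pair the include with an explicit removal from `sensor` (the `so-firewall` sub-command for that is not shown here) or at least flag it on the branch: `# pre-existing IDH nodes were placed in the sensor hostgroup; remove them there on upgrade`. The enclosing `case` statement starts before this hunk.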
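Review bot: In the `@@ -370` hunk `sensoroni` is appended after `localrules`, while the previous commit's `idh` block lists it between `influxdb` and `yum` and the other hunks of this commit append it after `elastic_agent_update` or `influxdb`; order inside these lists is cosmetic, but the same allowlist is hand-maintained in three near-identical chain sections, and this commit exists precisely because one group was missed. Keeping each portgroup list in a stable (alphabetical) order makes such omissions visible in a side-by-side read; a header on each section such as `# keep portgroup lists sorted; the three chain sections below must stay in sync` would encourage that.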
@@ -610,6 +619,7 @@ firewall: - elastic_agent_control - elastic_agent_data - elastic_agent_update + - sensoroni beats_endpoint: portgroups: - beats_5044 @@ -793,6 +803,7 @@ firewall: - elastic_agent_control - elastic_agent_data - elastic_agent_update + - sensoroni beats_endpoint: portgroups: - beats_5044 From a51acfc314004e9c2f066fe387a85f34a92ab7da Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Fri, 4 Aug 2023 09:17:22 -0400 Subject: [PATCH 3/6] rename analyst to workstation for fw rules. allow workstation to connect to salt_manager port on managers --- salt/firewall/defaults.yaml | 31 ++++++++++++++-------- salt/firewall/soc_firewall.yaml | 2 +- salt/manager/tools/sbin/so-firewall-minion | 3 +++ 3 files changed, 24 insertions(+), 12 deletions(-) diff --git a/salt/firewall/defaults.yaml b/salt/firewall/defaults.yaml index 125bf0f08..0d32d57ca 100644 --- a/salt/firewall/defaults.yaml +++ b/salt/firewall/defaults.yaml @@ -1,6 +1,5 @@ firewall: hostgroups: - analyst: [] anywhere: - 0.0.0.0/0 beats_endpoint: [] @@ -26,6 +25,7 @@ firewall: standalone: [] strelka_frontend: [] syslog: [] + workstation: [] customhostgroup0: [] customhostgroup1: [] customhostgroup2: [] @@ -215,9 +215,9 @@ firewall: strelka_frontend: portgroups: - strelka_frontend - analyst: + workstation: portgroups: - - nginx + - yum customhostgroup0: portgroups: [] customhostgroup1: @@ -458,9 +458,9 @@ firewall: endgame: portgroups: - endgame - analyst: + workstation: portgroups: - - nginx + - yum customhostgroup0: portgroups: [] customhostgroup1: @@ -507,6 +507,9 @@ firewall: receiver: portgroups: - salt_manager + workstation: + portgroups: + - salt_manager self: portgroups: - syslog @@ -637,9 +640,9 @@ firewall: endgame: portgroups: - endgame - analyst: + workstation: portgroups: - - nginx + - yum customhostgroup0: portgroups: [] customhostgroup1: @@ -686,6 +689,9 @@ firewall: receiver: portgroups: - salt_manager + workstation: + portgroups: + - salt_manager self: portgroups: - syslog 
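Review bot: The `@@ -507` hunk (repeated at `@@ -686` and `@@ -876`) opens the `salt_manager` portgroup on the manager to every address in the `workstation` hostgroup, which is a user-supplied list of IPs or CIDRs rather than a set of enrolled minions. The Salt master's publish/request ports have historically been a pre-authentication attack surface, so this is a meaningful widening of who may talk to the master; if the intent is that workstations are managed as salt minions, state it in the commit message and beside the entry, e.g. `# workstation hosts run a salt minion and must reach the master`, and keep the default membership empty (`workstation: []` as in `@@ -26`). If the only need is package fetching via `yum`, drop `salt_manager` here.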
@@ -824,9 +830,9 @@ firewall: strelka_frontend: portgroups: - strelka_frontend - analyst: + workstation: portgroups: - - nginx + - yum customhostgroup0: portgroups: [] customhostgroup1: @@ -876,6 +882,9 @@ firewall: receiver: portgroups: - salt_manager + workstation: + portgroups: + - salt_manager self: portgroups: - syslog @@ -1169,9 +1178,9 @@ firewall: - elastic_agent_control - elastic_agent_data - elastic_agent_update - analyst: + workstation: portgroups: - - nginx + - yum customhostgroup0: portgroups: [] customhostgroup1: diff --git a/salt/firewall/soc_firewall.yaml b/salt/firewall/soc_firewall.yaml index 0011a245e..78c0ebc73 100644 --- a/salt/firewall/soc_firewall.yaml +++ b/salt/firewall/soc_firewall.yaml @@ -1,6 +1,6 @@ firewall: hostgroups: - analyst: &hostgroupsettings + workstation: &hostgroupsettings description: List of IP or CIDR blocks to allow access to this hostgroup. forcedType: "[]string" helplink: firewall.html diff --git a/salt/manager/tools/sbin/so-firewall-minion b/salt/manager/tools/sbin/so-firewall-minion index 7b0ddab90..d3bbb3eeb 100755 --- a/salt/manager/tools/sbin/so-firewall-minion +++ b/salt/manager/tools/sbin/so-firewall-minion @@ -79,4 +79,7 @@ fi 'RECEIVER') so-firewall includehost receiver "$IP" --apply ;; + 'WORKSTATION') + so-firewall includehost workstation "$IP" --apply + ;; esac From 726ec7235000959622e9af7df4f5a80dc6aa1fb3 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Fri, 4 Aug 2023 09:22:59 -0400 Subject: [PATCH 4/6] allow idh to connect to salt_manager ports on managres --- salt/firewall/defaults.yaml | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/salt/firewall/defaults.yaml b/salt/firewall/defaults.yaml index 0d32d57ca..ff776d309 100644 --- a/salt/firewall/defaults.yaml +++ b/salt/firewall/defaults.yaml @@ -492,6 +492,9 @@ firewall: fleet: portgroups: - salt_manager + idh: + portgroups: + - salt_manager localhost: portgroups: - all 
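Review bot: The new `'WORKSTATION')` branch is appended to a `case` that still ends with no `*)` fallthrough, so an unrecognised or misspelled role name matches nothing, applies no firewall change and the script exits 0 as if it had succeeded. Unless a default branch exists earlier in the `case` (its start is outside this hunk), add one after `'WORKSTATION'`: `*) echo "unknown node type" >&2; exit 1 ;;`. Failing loudly here matters because a silent no-op leaves the new node with no allowlist entry at all.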
@@ -674,6 +677,9 @@ firewall: fleet: portgroups: - salt_manager + idh: + portgroups: + - salt_manager localhost: portgroups: - all @@ -863,7 +869,10 @@ firewall: - all fleet: portgroups: - - salt_manager + - salt_manager + idh: + portgroups: + - salt_manager localhost: portgroups: - all From 0f52530d0760cf67cbda82ee81d18b220fe3cc17 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Fri, 4 Aug 2023 09:37:58 -0400 Subject: [PATCH 5/6] soc_firewall.yaml update adding idh and rename analyst to workstation --- salt/firewall/soc_firewall.yaml | 30 ++++++++++++++++++++++++------ 1 file changed, 24 insertions(+), 6 deletions(-) diff --git a/salt/firewall/soc_firewall.yaml b/salt/firewall/soc_firewall.yaml index 78c0ebc73..27c52e123 100644 --- a/salt/firewall/soc_firewall.yaml +++ b/salt/firewall/soc_firewall.yaml @@ -213,7 +213,7 @@ firewall: portgroups: *portgroupsdocker syslog: portgroups: *portgroupsdocker - analyst: + workstation: portgroups: *portgroupsdocker customhostgroup0: portgroups: *portgroupsdocker @@ -338,7 +338,9 @@ firewall: DOCKER-USER: hostgroups: manager: - portgroups: *portgroupsdocker + portgroups: *portgroupsdocker + idh: + portgroups: *portgroupsdocker sensor: portgroups: *portgroupsdocker searchnode: @@ -359,7 +361,7 @@ firewall: portgroups: *portgroupsdocker endgame: portgroups: *portgroupsdocker - analyst: + workstation: portgroups: *portgroupsdocker customhostgroup0: portgroups: *portgroupsdocker @@ -389,12 +391,16 @@ firewall: portgroups: *portgroupshost localhost: portgroups: *portgroupshost + idh: + portgroups: *portgroupshost sensor: portgroups: *portgroupshost searchnode: portgroups: *portgroupshost heavynode: portgroups: *portgroupshost + workstation: + portgroups: *portgroupshost customhostgroup0: portgroups: *portgroupshost customhostgroup1: @@ -422,6 +428,8 @@ firewall: hostgroups: managersearch: portgroups: *portgroupsdocker + idh: + portgroups: *portgroupsdocker sensor: portgroups: *portgroupsdocker searchnode: 
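Review bot: In the `@@ -863` hunk the `- salt_manager` line under `fleet:` is removed and re-added with only a whitespace difference; in YAML a change in the leading indentation of a list item changes which key it belongs to, so please confirm (e.g. `git diff -w` showing no change for that line) that this is trailing-whitespace cleanup rather than an indentation shift of the `fleet` portgroup. If it is purely cosmetic, it would be clearer as its own whitespace-only commit instead of inside the change that grants `idh` access to `salt_manager`.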
@@ -442,7 +450,7 @@ firewall: portgroups: *portgroupsdocker syslog: portgroups: *portgroupsdocker - analyst: + workstation: portgroups: *portgroupsdocker customhostgroup0: portgroups: *portgroupsdocker @@ -472,12 +480,16 @@ firewall: portgroups: *portgroupshost localhost: portgroups: *portgroupshost + idh: + portgroups: *portgroupshost sensor: portgroups: *portgroupshost searchnode: portgroups: *portgroupshost heavynode: portgroups: *portgroupshost + workstation: + portgroups: *portgroupshost customhostgroup0: portgroups: *portgroupshost customhostgroup1: @@ -509,6 +521,8 @@ firewall: portgroups: *portgroupsdocker fleet: portgroups: *portgroupsdocker + idh: + portgroups: *portgroupsdocker sensor: portgroups: *portgroupsdocker searchnode: @@ -531,7 +545,7 @@ firewall: portgroups: *portgroupsdocker syslog: portgroups: *portgroupsdocker - analyst: + workstation: portgroups: *portgroupsdocker customhostgroup0: portgroups: *portgroupsdocker @@ -565,12 +579,16 @@ firewall: portgroups: *portgroupshost standalone: portgroups: *portgroupshost + idh: + portgroups: *portgroupshost sensor: portgroups: *portgroupshost searchnode: portgroups: *portgroupshost heavynode: portgroups: *portgroupshost + workstation: + portgroups: *portgroupshost customhostgroup0: portgroups: *portgroupshost customhostgroup1: @@ -793,7 +811,7 @@ firewall: portgroups: *portgroupsdocker elastic_agent_endpoint: portgroups: *portgroupsdocker - analyst: + workstation: portgroups: *portgroupsdocker customhostgroup0: portgroups: *portgroupsdocker From 014aeffb2af91889bc182a8dd4cbf215ceef820f Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Fri, 4 Aug 2023 09:56:33 -0400 Subject: [PATCH 6/6] add analyst back --- salt/firewall/defaults.yaml | 17 +++++++++++++++-- salt/firewall/soc_firewall.yaml | 13 ++++++++++++- 2 files changed, 27 insertions(+), 3 deletions(-) diff --git a/salt/firewall/defaults.yaml b/salt/firewall/defaults.yaml index ff776d309..9b8325a34 100644 --- a/salt/firewall/defaults.yaml 
+++ b/salt/firewall/defaults.yaml @@ -1,5 +1,6 @@ firewall: hostgroups: + analyst: [] anywhere: - 0.0.0.0/0 beats_endpoint: [] @@ -215,9 +216,9 @@ firewall: strelka_frontend: portgroups: - strelka_frontend - workstation: + analyst: portgroups: - - yum + - nginx customhostgroup0: portgroups: [] customhostgroup1: @@ -441,6 +442,9 @@ firewall: - elastic_agent_data - elastic_agent_update - sensoroni + analyst: + portgroups: + - nginx beats_endpoint: portgroups: - beats_5044 @@ -626,6 +630,9 @@ firewall: - elastic_agent_data - elastic_agent_update - sensoroni + analyst: + portgroups: + - nginx beats_endpoint: portgroups: - beats_5044 @@ -816,6 +823,9 @@ firewall: - elastic_agent_data - elastic_agent_update - sensoroni + analyst: + portgroups: + - nginx beats_endpoint: portgroups: - beats_5044 @@ -1187,6 +1197,9 @@ firewall: - elastic_agent_control - elastic_agent_data - elastic_agent_update + analyst: + portgroups: + - nginx workstation: portgroups: - yum diff --git a/salt/firewall/soc_firewall.yaml b/salt/firewall/soc_firewall.yaml index 27c52e123..8f8dbb69d 100644 --- a/salt/firewall/soc_firewall.yaml +++ b/salt/firewall/soc_firewall.yaml @@ -1,6 +1,6 @@ firewall: hostgroups: - workstation: &hostgroupsettings + analyst: &hostgroupsettings description: List of IP or CIDR blocks to allow access to this hostgroup. forcedType: "[]string" helplink: firewall.html @@ -45,6 +45,7 @@ firewall: standalone: *hostgroupsettings strelka_frontend: *hostgroupsettings syslog: *hostgroupsettings + workstation: *hostgroupsettings customhostgroup0: &customhostgroupsettings description: List of IP or CIDR blocks to allow to this hostgroup. forcedType: "[]string" @@ -213,6 +214,8 @@ firewall: portgroups: *portgroupsdocker syslog: portgroups: *portgroupsdocker + analyst: + portgroups: *portgroupsdocker workstation: portgroups: *portgroupsdocker customhostgroup0: 
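Review bot: The `@@ -215` hunk restores `analyst` by renaming the `workstation` entry back (and swapping `yum` for `nginx`), whereas the sibling hunks at `@@ -441`, `@@ -626`, `@@ -816` and `@@ -1187` add an `analyst` entry next to an existing `workstation` one. After this commit the first chain section therefore has no `workstation` hostgroup at all while the others have both, and `soc_firewall.yaml` at `@@ -213` advertises both for it; if the first section should match, keep `workstation: portgroups: - yum` and add `analyst: portgroups: - nginx` beside it. Which node type the section at line 215 belongs to is not visible in the hunk, so this may be intentional, but it deserves a comment either way.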
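Review bot: In the `@@ -1,6` hunk of `soc_firewall.yaml` the shared `&hostgroupsettings` anchor rides on whichever hostgroup happens to be listed first — it moved from `analyst` to `workstation` earlier in this series and back again here — so every later `*hostgroupsettings` alias silently depends on that key never being renamed or removed. Defining the anchor once on a dedicated default mapping and aliasing it from `analyst` like the others would make that explicit; at minimum add `# anchor shared by every hostgroup below; do not rename or remove without updating the aliases` above it.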
@@ -361,6 +364,8 @@ firewall: portgroups: *portgroupsdocker endgame: portgroups: *portgroupsdocker + analyst: + portgroups: *portgroupsdocker workstation: portgroups: *portgroupsdocker customhostgroup0: @@ -450,6 +455,8 @@ firewall: portgroups: *portgroupsdocker syslog: portgroups: *portgroupsdocker + analyst: + portgroups: *portgroupsdocker workstation: portgroups: *portgroupsdocker customhostgroup0: @@ -545,6 +552,8 @@ firewall: portgroups: *portgroupsdocker syslog: portgroups: *portgroupsdocker + analyst: + portgroups: *portgroupsdocker workstation: portgroups: *portgroupsdocker customhostgroup0: @@ -811,6 +820,8 @@ firewall: portgroups: *portgroupsdocker elastic_agent_endpoint: portgroups: *portgroupsdocker + analyst: + portgroups: *portgroupsdocker workstation: portgroups: *portgroupsdocker customhostgroup0: