From accb3d536d2976dcf244311e9a16bf8fc5622614 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Tue, 9 Jun 2020 13:30:24 -0400 Subject: [PATCH] add chain to iptables state - https://github.com/Security-Onion-Solutions/securityonion-saltstack/issues/641 --- .../assigned_hostgroups.local.map.yaml | 11 +- salt/firewall/assigned_hostgroups.map.yaml | 640 ++++++++++-------- salt/firewall/hostgroups.local.yaml | 4 +- salt/firewall/hostgroups.yaml | 5 + salt/firewall/init.sls | 26 +- salt/firewall/portgroups.yaml | 6 + salt/firewall/unneeded_hostgroups.local.yaml | 115 ---- salt/firewall/unneeded_hostgroups.yaml | 95 --- salt/firewall/unneeded_ports.yml | 145 ---- salt/firewall/unneeded_ports.yml.old | 63 -- salt/firewall/unneeded_role.map.jinja | 288 -------- 11 files changed, 394 insertions(+), 1004 deletions(-) delete mode 100644 salt/firewall/unneeded_hostgroups.local.yaml delete mode 100644 salt/firewall/unneeded_hostgroups.yaml delete mode 100644 salt/firewall/unneeded_ports.yml delete mode 100644 salt/firewall/unneeded_ports.yml.old delete mode 100644 salt/firewall/unneeded_role.map.jinja diff --git a/salt/firewall/assigned_hostgroups.local.map.yaml b/salt/firewall/assigned_hostgroups.local.map.yaml index 3484e2db6..fcfb09d8c 100644 --- a/salt/firewall/assigned_hostgroups.local.map.yaml +++ b/salt/firewall/assigned_hostgroups.local.map.yaml @@ -6,16 +6,9 @@ role: eval: - hostgroups: - helixsensor: - hostgroups: + helisensor: master: - hostgroups: mastersearch: - hostgroups: standalone: - hostgroups: searchnode: - hostgroups: - fleet: - hostgroups: \ No newline at end of file + fleet: \ No newline at end of file diff --git a/salt/firewall/assigned_hostgroups.map.yaml b/salt/firewall/assigned_hostgroups.map.yaml index 319bda8e1..3cab69f69 100644 --- a/salt/firewall/assigned_hostgroups.map.yaml +++ b/salt/firewall/assigned_hostgroups.map.yaml 
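Review bot: The added role key `helisensor:` in assigned_hostgroups.local.map.yaml is spelled without the `x` that the same role carries in assigned_hostgroups.map.yaml (`helixsensor:`), and the removed line it replaces was spelled `helixsensor:` as well. If the local map is merged onto the default map by role key, as the file names suggest, an operator's override placed under this key will never reach the intended role; it should read `helixsensor:`. The hunk also leaves every role with a bare null value now that the `hostgroups:` sub-keys are gone, which is fine as a placeholder only if the loader in init.sls tolerates a null role entry — that loader is not part of this hunk, so worth confirming.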
@@ -3,286 +3,376 @@ role: eval: - hostgroups: - dockernet: - portgroups: - - {{ portgroups.all }} - master: - portgroups: - - {{ portgroups.wazuh_endpoint }} - - {{ portgroups.playbook }} - - {{ portgroups.mysql }} - - {{ portgroups.navigator }} - - {{ portgroups.kibana }} - - {{ portgroups.redis }} - - {{ portgroups.influxdb }} - - {{ portgroups.fleet_api }} - - {{ portgroups.cortex }} - - {{ portgroups.elasticsearch_rest }} - - {{ portgroups.elasticsearch_node }} - - {{ portgroups.cortex_es_rest }} - - {{ portgroups.cortex_es_node }} - minion: - portgroups: - - {{ portgroups.acng }} - - {{ portgroups.salt_master }} - - {{ portgroups.docker_registry }} - - {{ portgroups.osquery_8080 }} - - {{ portgroups.influxdb }} - - {{ portgroups.wazuh_minion }} - sensor: - portgroups: - - {{ portgroups.sensoroni }} - - {{ portgroups.beats_5044 }} - - {{ portgroups.beats_5644 }} - search_node: - portgroups: - - {{ portgroups.redis }} - - {{ portgroups.elasticsearch_node }} - beats_endpoint: - portgroups: - - {{ portgroups.beats_5044 }} - osquery_endpoint: - portgroups: - - {{ portgroups.fleet_api }} - wazuh_endpoint: - portgroups: - - {{ portgroups.wazuh_endpoint }} - analyst: - portgroups: - - {{ portgroups.nginx }} + chain: + DOCKER-USER: + hostgroups: + master: + portgroups: + - {{ portgroups.wazuh_endpoint }} + - {{ portgroups.playbook }} + - {{ portgroups.mysql }} + - {{ portgroups.navigator }} + - {{ portgroups.kibana }} + - {{ portgroups.redis }} + - {{ portgroups.influxdb }} + - {{ portgroups.fleet_api }} + - {{ portgroups.cortex }} + - {{ portgroups.elasticsearch_rest }} + - {{ portgroups.elasticsearch_node }} + - {{ portgroups.cortex_es_rest }} + - {{ portgroups.cortex_es_node }} + minion: + portgroups: + - {{ portgroups.acng }} + - {{ portgroups.docker_registry }} + - {{ portgroups.osquery_8080 }} + - {{ portgroups.influxdb }} + - {{ portgroups.wazuh_minion }} + sensor: + portgroups: + - {{ portgroups.sensoroni }} + - {{ portgroups.beats_5044 }} + - {{ 
portgroups.beats_5644 }} + search_node: + portgroups: + - {{ portgroups.redis }} + - {{ portgroups.elasticsearch_node }} + self: + portgroups: + - {{ portgroups.syslog}} + beats_endpoint: + portgroups: + - {{ portgroups.beats_5044 }} + osquery_endpoint: + portgroups: + - {{ portgroups.fleet_api }} + wazuh_endpoint: + portgroups: + - {{ portgroups.wazuh_endpoint }} + analyst: + portgroups: + - {{ portgroups.nginx }} + INPUT: + hostgroups: + anywhere: + portgroups: + - {{ portgroups.ssh }} + dockernet: + portgroups: + - {{ portgroups.all }} + localhost: + portgroups: + - {{ portgroups.all }} + minion: + portgroups: + - {{ portgroups.salt_master }} helixsensor: - hostgroups: - dockernet: - portgroups: - - {{ portgroups.all }} - master: - portgroups: - - {{ portgroups.wazuh_endpoint }} - - {{ portgroups.playbook }} - - {{ portgroups.mysql }} - - {{ portgroups.navigator }} - - {{ portgroups.kibana }} - - {{ portgroups.redis }} - - {{ portgroups.influxdb }} - - {{ portgroups.fleet_api }} - - {{ portgroups.cortex }} - - {{ portgroups.elasticsearch_rest }} - - {{ portgroups.elasticsearch_node }} - - {{ portgroups.cortex_es_rest }} - - {{ portgroups.cortex_es_node }} - minion: - portgroups: - - {{ portgroups.acng }} - - {{ portgroups.salt_master }} - - {{ portgroups.docker_registry }} - - {{ portgroups.osquery_8080 }} - - {{ portgroups.influxdb }} - - {{ portgroups.wazuh_minion }} - sensor: - portgroups: - - {{ portgroups.sensoroni }} - - {{ portgroups.beats_5044 }} - - {{ portgroups.beats_5644 }} - search_node: - portgroups: - - {{ portgroups.redis }} - - {{ portgroups.elasticsearch_node }} - beats_endpoint: - portgroups: - - {{ portgroups.beats_5044 }} - osquery_endpoint: - portgroups: - - {{ portgroups.fleet_api }} - wazuh_endpoint: - portgroups: - - {{ portgroups.wazuh_endpoint }} - analyst: - portgroups: - - {{ portgroups.nginx }} + chain: + DOCKER-USER: + hostgroups: + master: + portgroups: + - {{ portgroups.wazuh_endpoint }} + - {{ portgroups.playbook }} + - {{ 
portgroups.mysql }} + - {{ portgroups.navigator }} + - {{ portgroups.kibana }} + - {{ portgroups.redis }} + - {{ portgroups.influxdb }} + - {{ portgroups.fleet_api }} + - {{ portgroups.cortex }} + - {{ portgroups.elasticsearch_rest }} + - {{ portgroups.elasticsearch_node }} + - {{ portgroups.cortex_es_rest }} + - {{ portgroups.cortex_es_node }} + minion: + portgroups: + - {{ portgroups.acng }} + - {{ portgroups.docker_registry }} + - {{ portgroups.osquery_8080 }} + - {{ portgroups.influxdb }} + - {{ portgroups.wazuh_minion }} + sensor: + portgroups: + - {{ portgroups.sensoroni }} + - {{ portgroups.beats_5044 }} + - {{ portgroups.beats_5644 }} + search_node: + portgroups: + - {{ portgroups.redis }} + - {{ portgroups.elasticsearch_node }} + self: + portgroups: + - {{ portgroups.syslog}} + beats_endpoint: + portgroups: + - {{ portgroups.beats_5044 }} + osquery_endpoint: + portgroups: + - {{ portgroups.fleet_api }} + wazuh_endpoint: + portgroups: + - {{ portgroups.wazuh_endpoint }} + analyst: + portgroups: + - {{ portgroups.nginx }} + INPUT: + hostgroups: + anywhere: + portgroups: + - {{ portgroups.ssh }} + dockernet: + portgroups: + - {{ portgroups.all }} + localhost: + portgroups: + - {{ portgroups.all }} + minion: + portgroups: + - {{ portgroups.salt_master }} master: - hostgroups: - dockernet: - portgroups: - - {{ portgroups.all }} - master: - portgroups: - - {{ portgroups.wazuh_endpoint }} - - {{ portgroups.playbook }} - - {{ portgroups.mysql }} - - {{ portgroups.navigator }} - - {{ portgroups.kibana }} - - {{ portgroups.redis }} - - {{ portgroups.influxdb }} - - {{ portgroups.fleet_api }} - - {{ portgroups.cortex }} - - {{ portgroups.elasticsearch_rest }} - - {{ portgroups.elasticsearch_node }} - - {{ portgroups.cortex_es_rest }} - - {{ portgroups.cortex_es_node }} - minion: - portgroups: - - {{ portgroups.acng }} - - {{ portgroups.salt_master }} - - {{ portgroups.docker_registry }} - - {{ portgroups.osquery_8080 }} - - {{ portgroups.influxdb }} - - {{ 
portgroups.wazuh_minion }} - sensor: - portgroups: - - {{ portgroups.sensoroni }} - - {{ portgroups.beats_5044 }} - - {{ portgroups.beats_5644 }} - search_node: - portgroups: - - {{ portgroups.redis }} - - {{ portgroups.elasticsearch_node }} - beats_endpoint: - portgroups: - - {{ portgroups.beats_5044 }} - osquery_endpoint: - portgroups: - - {{ portgroups.fleet_api }} - wazuh_endpoint: - portgroups: - - {{ portgroups.wazuh_endpoint }} - analyst: - portgroups: - - {{ portgroups.nginx }} + chain: + DOCKER-USER: + hostgroups: + master: + portgroups: + - {{ portgroups.wazuh_endpoint }} + - {{ portgroups.playbook }} + - {{ portgroups.mysql }} + - {{ portgroups.navigator }} + - {{ portgroups.kibana }} + - {{ portgroups.redis }} + - {{ portgroups.influxdb }} + - {{ portgroups.fleet_api }} + - {{ portgroups.cortex }} + - {{ portgroups.elasticsearch_rest }} + - {{ portgroups.elasticsearch_node }} + - {{ portgroups.cortex_es_rest }} + - {{ portgroups.cortex_es_node }} + minion: + portgroups: + - {{ portgroups.acng }} + - {{ portgroups.docker_registry }} + - {{ portgroups.osquery_8080 }} + - {{ portgroups.influxdb }} + - {{ portgroups.wazuh_minion }} + sensor: + portgroups: + - {{ portgroups.sensoroni }} + - {{ portgroups.beats_5044 }} + - {{ portgroups.beats_5644 }} + search_node: + portgroups: + - {{ portgroups.redis }} + - {{ portgroups.elasticsearch_node }} + self: + portgroups: + - {{ portgroups.syslog}} + beats_endpoint: + portgroups: + - {{ portgroups.beats_5044 }} + osquery_endpoint: + portgroups: + - {{ portgroups.fleet_api }} + wazuh_endpoint: + portgroups: + - {{ portgroups.wazuh_endpoint }} + analyst: + portgroups: + - {{ portgroups.nginx }} + INPUT: + hostgroups: + anywhere: + portgroups: + - {{ portgroups.ssh }} + dockernet: + portgroups: + - {{ portgroups.all }} + localhost: + portgroups: + - {{ portgroups.all }} + minion: + portgroups: + - {{ portgroups.salt_master }} mastersearch: - hostgroups: - dockernet: - portgroups: - - {{ portgroups.all }} - master: - 
portgroups: - - {{ portgroups.wazuh_endpoint }} - - {{ portgroups.playbook }} - - {{ portgroups.mysql }} - - {{ portgroups.navigator }} - - {{ portgroups.kibana }} - - {{ portgroups.redis }} - - {{ portgroups.influxdb }} - - {{ portgroups.fleet_api }} - - {{ portgroups.cortex }} - - {{ portgroups.elasticsearch_rest }} - - {{ portgroups.elasticsearch_node }} - - {{ portgroups.cortex_es_rest }} - - {{ portgroups.cortex_es_node }} - minion: - portgroups: - - {{ portgroups.acng }} - - {{ portgroups.salt_master }} - - {{ portgroups.docker_registry }} - - {{ portgroups.osquery_8080 }} - - {{ portgroups.influxdb }} - - {{ portgroups.wazuh_minion }} - sensor: - portgroups: - - {{ portgroups.sensoroni }} - - {{ portgroups.beats_5044 }} - - {{ portgroups.beats_5644 }} - search_node: - portgroups: - - {{ portgroups.redis }} - - {{ portgroups.elasticsearch_node }} - beats_endpoint: - portgroups: - - {{ portgroups.beats_5044 }} - osquery_endpoint: - portgroups: - - {{ portgroups.fleet_api }} - wazuh_endpoint: - portgroups: - - {{ portgroups.wazuh_endpoint }} - analyst: - portgroups: - - {{ portgroups.nginx }} + chain: + DOCKER-USER: + hostgroups: + master: + portgroups: + - {{ portgroups.wazuh_endpoint }} + - {{ portgroups.playbook }} + - {{ portgroups.mysql }} + - {{ portgroups.navigator }} + - {{ portgroups.kibana }} + - {{ portgroups.redis }} + - {{ portgroups.influxdb }} + - {{ portgroups.fleet_api }} + - {{ portgroups.cortex }} + - {{ portgroups.elasticsearch_rest }} + - {{ portgroups.elasticsearch_node }} + - {{ portgroups.cortex_es_rest }} + - {{ portgroups.cortex_es_node }} + minion: + portgroups: + - {{ portgroups.acng }} + - {{ portgroups.docker_registry }} + - {{ portgroups.osquery_8080 }} + - {{ portgroups.influxdb }} + - {{ portgroups.wazuh_minion }} + sensor: + portgroups: + - {{ portgroups.sensoroni }} + - {{ portgroups.beats_5044 }} + - {{ portgroups.beats_5644 }} + search_node: + portgroups: + - {{ portgroups.redis }} + - {{ portgroups.elasticsearch_node }} + 
self: + portgroups: + - {{ portgroups.syslog}} + beats_endpoint: + portgroups: + - {{ portgroups.beats_5044 }} + osquery_endpoint: + portgroups: + - {{ portgroups.fleet_api }} + wazuh_endpoint: + portgroups: + - {{ portgroups.wazuh_endpoint }} + analyst: + portgroups: + - {{ portgroups.nginx }} + INPUT: + hostgroups: + anywhere: + portgroups: + - {{ portgroups.ssh }} + dockernet: + portgroups: + - {{ portgroups.all }} + localhost: + portgroups: + - {{ portgroups.all }} + minion: + portgroups: + - {{ portgroups.salt_master }} standalone: - hostgroups: - dockernet: - portgroups: - - {{ portgroups.all }} - master: - portgroups: - - {{ portgroups.wazuh_endpoint }} - - {{ portgroups.playbook }} - - {{ portgroups.mysql }} - - {{ portgroups.navigator }} - - {{ portgroups.kibana }} - - {{ portgroups.redis }} - - {{ portgroups.influxdb }} - - {{ portgroups.fleet_api }} - - {{ portgroups.cortex }} - - {{ portgroups.elasticsearch_rest }} - - {{ portgroups.elasticsearch_node }} - - {{ portgroups.cortex_es_rest }} - - {{ portgroups.cortex_es_node }} - minion: - portgroups: - - {{ portgroups.acng }} - - {{ portgroups.salt_master }} - - {{ portgroups.docker_registry }} - - {{ portgroups.osquery_8080 }} - - {{ portgroups.influxdb }} - - {{ portgroups.wazuh_minion }} - sensor: - portgroups: - - {{ portgroups.sensoroni }} - - {{ portgroups.beats_5044 }} - - {{ portgroups.beats_5644 }} - search_node: - portgroups: - - {{ portgroups.redis }} - - {{ portgroups.elasticsearch_node }} - beats_endpoint: - portgroups: - - {{ portgroups.beats_5044 }} - osquery_endpoint: - portgroups: - - {{ portgroups.fleet_api }} - wazuh_endpoint: - portgroups: - - {{ portgroups.wazuh_endpoint }} - analyst: - portgroups: - - {{ portgroups.nginx }} + chain: + DOCKER-USER: + hostgroups: + master: + portgroups: + - {{ portgroups.wazuh_endpoint }} + - {{ portgroups.playbook }} + - {{ portgroups.mysql }} + - {{ portgroups.navigator }} + - {{ portgroups.kibana }} + - {{ portgroups.redis }} + - {{ 
portgroups.influxdb }} + - {{ portgroups.fleet_api }} + - {{ portgroups.cortex }} + - {{ portgroups.elasticsearch_rest }} + - {{ portgroups.elasticsearch_node }} + - {{ portgroups.cortex_es_rest }} + - {{ portgroups.cortex_es_node }} + minion: + portgroups: + - {{ portgroups.acng }} + - {{ portgroups.docker_registry }} + - {{ portgroups.osquery_8080 }} + - {{ portgroups.influxdb }} + - {{ portgroups.wazuh_minion }} + sensor: + portgroups: + - {{ portgroups.sensoroni }} + - {{ portgroups.beats_5044 }} + - {{ portgroups.beats_5644 }} + search_node: + portgroups: + - {{ portgroups.redis }} + - {{ portgroups.elasticsearch_node }} + self: + portgroups: + - {{ portgroups.syslog}} + beats_endpoint: + portgroups: + - {{ portgroups.beats_5044 }} + osquery_endpoint: + portgroups: + - {{ portgroups.fleet_api }} + wazuh_endpoint: + portgroups: + - {{ portgroups.wazuh_endpoint }} + analyst: + portgroups: + - {{ portgroups.nginx }} + INPUT: + hostgroups: + anywhere: + portgroups: + - {{ portgroups.ssh }} + dockernet: + portgroups: + - {{ portgroups.all }} + localhost: + portgroups: + - {{ portgroups.all }} + minion: + portgroups: + - {{ portgroups.salt_master }} + searchnode: - hostgroups: - master: - portgroups: - - {{ portgroups.elasticsearch_node }} - dockernet: - portgroups: - - {{ portgroups.all }} - - {{ portgroups.elasticsearch_node }} - - {{ portgroups.elasticsearch_node }} + chain: + DOCKER-USER: + hostgroups: + master: + portgroups: + - {{ portgroups.elasticsearch_node }} + dockernet: + portgroups: + - {{ portgroups.elasticsearch_node }} + - {{ portgroups.elasticsearch_node }} + INPUT: + hostgroups: + dockernet: + portgroups: + - {{ portgroups.all }} sensor: - hostgroups: - dockernet: - portgroups: - - {{ portgroups.all }} + chain: + INPUT: + hostgroups: + dockernet: + portgroups: + - {{ portgroups.all }} heavynode: - hostgroups: - self: - portgroups: - - {{ portgroups.redis }} - - {{ portgroups.beats_5044 }} - - {{ portgroups.beats_5644 }} + chain: + DOCKER-USER: + 
hostgroups: + self: + portgroups: + - {{ portgroups.redis }} + - {{ portgroups.beats_5044 }} + - {{ portgroups.beats_5644 }} fleet: - hostgroups: - dockernet: - portgroups: - - {{ portgroups.all }} - self: - portgroups: - - {{ portgroups.redis }} - - {{ portgroups.mysql }} - - {{ portgroups.osquery_8080 }} - localhost: - portgroups: - - {{ portgroups.mysql }} - - {{ portgroups.osquery_8080 }} - analyst: - portgroups: - - {{ portgroups.fleet_webui }} \ No newline at end of file + chain: + DOCKER-USER: + hostgroups: + self: + portgroups: + - {{ portgroups.redis }} + - {{ portgroups.mysql }} + - {{ portgroups.osquery_8080 }} + localhost: + portgroups: + - {{ portgroups.mysql }} + - {{ portgroups.osquery_8080 }} + analyst: + portgroups: + - {{ portgroups.fleet_webui }} + INPUT: + hostgroups: + dockernet: + portgroups: + - {{ portgroups.all }} \ No newline at end of file diff --git a/salt/firewall/hostgroups.local.yaml b/salt/firewall/hostgroups.local.yaml index c8ae00303..f933dd7c4 100644 --- a/salt/firewall/hostgroups.local.yaml +++ b/salt/firewall/hostgroups.local.yaml @@ -4,7 +4,6 @@ firewall: ips: delete: insert: - - 10.11.1.1 beats_endpoint: ips: delete: @@ -44,5 +43,4 @@ firewall: wazuh_endpoint: ips: delete: - insert: - \ No newline at end of file + insert: \ No newline at end of file diff --git a/salt/firewall/hostgroups.yaml b/salt/firewall/hostgroups.yaml index fe781a848..56fbf96bc 100644 --- a/salt/firewall/hostgroups.yaml +++ b/salt/firewall/hostgroups.yaml @@ -1,5 +1,10 @@ firewall: hostgroups: + anywhere: + ips: + delete: + insert: + - 0.0.0.0/0 dockernet: ips: delete: diff --git a/salt/firewall/init.sls b/salt/firewall/init.sls index de4f3bfe8..781feb495 100644 --- a/salt/firewall/init.sls +++ b/salt/firewall/init.sls 
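Review bot: For the eval, helixsensor, master, mastersearch and standalone roles the new `INPUT:` chain pairs the `anywhere` hostgroup with `{{ portgroups.ssh }}`; since hostgroups.yaml in this same commit defines `anywhere` as `0.0.0.0/0` and init.sls inserts every generated rule at position 1, this renders to an ACCEPT of TCP/22 from any source ahead of everything else in INPUT. That is presumably the intended management-access default, but the commit adds no matching `anywhere:` stanza to hostgroups.local.yaml, so unlike the other hostgroups there is no visible place for an operator to narrow the source range. A comment above the new `anywhere:` entry in hostgroups.yaml such as `# wildcard source: any portgroup assigned to this hostgroup is reachable from every address` plus a corresponding `anywhere:` stanza in hostgroups.local.yaml would make that explicit. Separately, `- {{ portgroups.syslog}}` in each `self:` block lacks the space before `}}` that every other entry has, and the `searchnode` → `DOCKER-USER` → `dockernet` list still carries `{{ portgroups.elasticsearch_node }}` twice.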
@@ -136,30 +136,34 @@ enable_fleetnode_beats_5644_{{FLEET_NODE_IP}}: {% endif %} -{% for hostgroup, portgroups in assigned_hostgroups.role[role].hostgroups.items() %} - {% for action in ['insert', 'delete' ] %} - {% if hostgroups[hostgroup].ips[action] %} - {% for ip in hostgroups[hostgroup].ips[action] %} - {% for portgroup in portgroups.portgroups %} - {% for proto, ports in portgroup.items() %} - {% for port in ports %} +{% for chain, hg in assigned_hostgroups.role[role].chain.items() %} + {% for hostgroup, portgroups in assigned_hostgroups.role[role].chain[chain].hostgroups.items() %} + {% for action in ['insert', 'delete' ] %} + {% if hostgroups[hostgroup].ips[action] %} + {% for ip in hostgroups[hostgroup].ips[action] %} + {% for portgroup in portgroups.portgroups %} + {% for proto, ports in portgroup.items() %} + {% for port in ports %} -{{action}}_{{hostgroup}}_{{ip}}_{{port}}_{{proto}}: +{{action}}_{{chain}}_{{hostgroup}}_{{ip}}_{{port}}_{{proto}}: iptables.{{action}}: - table: filter - - chain: DOCKER-USER + - chain: {{ chain }} - jump: ACCEPT - proto: {{ proto }} - source: {{ ip }} - dport: {{ port }} + {% if action == 'insert' %} - position: 1 + {% endif %} - save: True + {% endfor %} {% endfor %} {% endfor %} {% endfor %} - {% endfor %} - {% endif %} + {% endif %} + {% endfor %} {% endfor %} {% endfor %} diff --git a/salt/firewall/portgroups.yaml b/salt/firewall/portgroups.yaml index bb80aa7b8..e505dd3d0 100644 --- a/salt/firewall/portgroups.yaml +++ b/salt/firewall/portgroups.yaml @@ -71,6 +71,12 @@ firewall: sensoroni: tcp: - 443 + ssh: + tcp: + - 22 + syslog: + tcp: + - 514 wazuh_minion: tcp: - 55000 diff --git a/salt/firewall/unneeded_hostgroups.local.yaml b/salt/firewall/unneeded_hostgroups.local.yaml deleted file mode 100644 index 45dd886b1..000000000 --- a/salt/firewall/unneeded_hostgroups.local.yaml +++ /dev/null 
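Review bot: `hg`, bound by the new outer `{% for chain, hg in assigned_hostgroups.role[role].chain.items() %}`, is never used; the inner loop re-derives the same mapping by index, so it should read `{% for hostgroup, portgroups in hg.hostgroups.items() %}`. Guarding `- position: 1` with `{% if action == 'insert' %}` is correct, as iptables.delete takes no position. One consequence the hunk does not address: because rules are only ever inserted into `{{ chain }}` and saved, hostgroups this commit moves from DOCKER-USER to INPUT (for example `dockernet` and `minion` for the eval role) leave their previously saved DOCKER-USER ACCEPT rules in place on already-deployed hosts, since the state removes only what appears under a hostgroup's `ips.delete`; a one-off cleanup or at least a comment above the loop, e.g. `{# rules are inserted per chain; entries moved between chains must be removed from the old chain via ips.delete #}`, would save the next maintainer a surprise. The state IDs also change from `{{action}}_{{hostgroup}}_…` to `{{action}}_{{chain}}_{{hostgroup}}_…`, which is the right thing to do given the chain is now variable.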
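Review bot: The new `syslog:` portgroup is declared TCP-only (`tcp: - 514`), while the `self` hostgroup it is assigned to in assigned_hostgroups.map.yaml gives no hint whether the receiver also listens on UDP/514, the traditional syslog transport. If UDP is accepted, add `udp: - 514` beneath the tcp entry so the rule set matches the listener; if TCP-only is deliberate, a comment such as `# TCP only; UDP/514 is intentionally not opened` above the key would prevent the next reader from adding it. The `ssh:` entry hard-codes 22, which is fine as long as sshd is not moved to another port on these hosts.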
@@ -1,115 +0,0 @@ -{% import_yaml 'firewall/port_groups.yaml' as default_port_groups %} -{% set default_port_groups = default_port_groups.firewall.aliases.ports %} - -{% import_yaml 'firewall/port_groups.local.yaml' as local_port_groups %} -{% set local_port_groups = local_port_groups.firewall.aliases.ports %} - -{% set port_groups = local_port_groups, default=default_port_groups, merge=True %} - -firewall: - aliases: - analyst: - ips: - delete: - allow: - port_groups: - - {{ port_groups.nginx }} - beats_endpoint: - ips: - delete: - allow: - port_groups: - - {{ port_groups.beats_5044 }} - dockernet: - ips: - delete: - allow: - - 172.17.0.0/24 - fleet: - ips: - delete: - allow: - port_groups: - - {{ port_groups.mysql }} - - {{ port_groups.redis }} - - {{ port_groups.osquery_8080 }} - heavy_node: - ips: - delete: - allow: - port_groups: - - {{ port_groups.redis }} - - {{ port_groups.beats_5044 }} - - {{ port_groups.beats_5644 }} - localhost: - ips: - delete: - allow: - - 127.0.0.1 - master: - ips: - delete: - allow: - port_groups: - - {{ port_groups.wazuh_endpoint }} - - {{ port_groups.playbook }} - - {{ port_groups.mysql }} - - {{ port_groups.navigator }} - - {{ port_groups.kibana }} - - {{ port_groups.redis }} - - {{ port_groups.influxdb }} - - {{ port_groups.osquery_8090 }} - - {{ port_groups.cortex }} - - {{ port_groups.elasticsearch_rest }} - - {{ port_groups.elasticsearch_node }} - - {{ port_groups.cortex_es_rest }} - - {{ port_groups.cortex_es_node }} - minion: - ips: - delete: - allow: - port_groups: - - {{ port_groups.acng }} - - {{ port_groups.salt_master }} - - {{ port_groups.docker_registry }} - - {{ port_groups.osquery_8080 }} - - {{ port_groups.influxdb }} - - {{ port_groups.wazuh_minion }} - node: - ips: - delete: - allow: - port_groups: - - {{ port_groups.elasticsearch_node }} - osquery_endpoint: - ips: - delete: - allow: - port_groups: - - {{ port_groups.osquery_8090 }} - search_node: - ips: - delete: - allow: - port_groups: - - {{ port_groups.redis 
}} - - {{ port_groups.elasticsearch_node }} - self: - ips: - delete: - allow: - - {{ salt['grains.get']('ip_interfaces').get(salt['pillar.get']('sensor:mainint', salt['pillar.get']('master:mainint', salt['pillar.get']('node:mainint'))))[0] }} - sensor: - ips: - delete: - allow: - port_groups: - - {{ port_groups.sensoroni }} - - {{ port_groups.beats_5044 }} - - {{ port_groups.beats_5644 }} - wazuh_endpoint: - ips: - delete: - allow: - port_groups: - - {{ port_groups.wazuh_endpoint }} \ No newline at end of file diff --git a/salt/firewall/unneeded_hostgroups.yaml b/salt/firewall/unneeded_hostgroups.yaml deleted file mode 100644 index bdf7463e3..000000000 --- a/salt/firewall/unneeded_hostgroups.yaml +++ /dev/null 
@@ -1,95 +0,0 @@ -{% import_yaml 'firewall/port_groups.yaml' as port_groups %} -{% set port_groups = port_groups.firewall.aliases.ports %} - -firewall: - aliases: - analyst: - ips: - delete: - insert: - port_groups: - - {{ port_groups.nginx }} - beats_endpoint: - ips: - delete: - insert: - port_groups: - - {{ port_groups.beats_5044 }} - fleet: - ips: - delete: - insert: - port_groups: - - {{ port_groups.mysql }} - - {{ port_groups.redis }} - - {{ port_groups.osquery_8080 }} - heavy_node: - ips: - delete: - insert: - port_groups: - - {{ port_groups.redis }} - - {{ port_groups.beats_5044 }} - - {{ port_groups.beats_5644 }} - master: - ips: - delete: - insert: - port_groups: - - {{ port_groups.wazuh_endpoint }} - - {{ port_groups.playbook }} - - {{ port_groups.mysql }} - - {{ port_groups.navigator }} - - {{ port_groups.kibana }} - - {{ port_groups.redis }} - - {{ port_groups.influxdb }} - - {{ port_groups.osquery_8090 }} - - {{ port_groups.cortex }} - - {{ port_groups.elasticsearch_rest }} - - {{ port_groups.elasticsearch_node }} - - {{ port_groups.cortex_es_rest }} - - {{ port_groups.cortex_es_node }} - minion: - ips: - delete: - insert: - port_groups: - - {{ port_groups.acng }} - - {{ port_groups.salt_master }} - - {{ port_groups.docker_registry }} - - {{ port_groups.osquery_8080 }} - - {{ port_groups.influxdb }} - - {{ port_groups.wazuh_minion }} - node: - ips: - delete: - insert: - port_groups: - - {{ port_groups.elasticsearch_node }} - osquery_endpoint: - ips: - delete: - insert: - port_groups: - - {{ port_groups.osquery_8090 }} - search_node: - ips: - delete: - insert: - port_groups: - - {{ port_groups.redis }} - - {{ port_groups.elasticsearch_node }} - sensor: - ips: - delete: - insert: - port_groups: - - {{ port_groups.sensoroni }} - - {{ port_groups.beats_5044 }} - - {{ port_groups.beats_5644 }} - wazuh_endpoint: - ips: - delete: - insert: - port_groups: - - {{ port_groups.wazuh_endpoint }} \ No newline at end of file 
diff --git a/salt/firewall/unneeded_ports.yml b/salt/firewall/unneeded_ports.yml deleted file mode 100644 index acca97343..000000000 --- a/salt/firewall/unneeded_ports.yml +++ /dev/null @@ -1,145 +0,0 @@ -firewall: - aliases: - analyst: - ports: - nginx: - tcp: - - 80 - - 443 - beats_endpoint: - ports: - beats: - tcp: - - 5044 - fleet: - ports: - mysql: - tcp: - - 3306 - redis: - tcp: - - 6379 - osquery: - tcp: - - 8080 - forward_nodes: - ports: - sensoroni: - tcp: - - 443 - beats: - tcp: - - 5044 - beats_so: - tcp: - - 5644 - heavy_node: - ports: - redis: - tcp: - - 6379 - beats: - - 5044 - beats2: - - 5644 - master: - ports: - wazuh: - tcp: - - 1514 - udp: - - 1514 - playbook: - tcp: - - 3200 - mysql: - tcp: - - 3306 - navigator: - tcp: - - 4200 - kibana: - tcp: - - 5601 - redis: - tcp: - - 6379 - influxdb: - tcp: - - 8086 - osquery: - tcp: - - 8090 - cortex: - tcp: - - 9001 - elasticsearch_rest: - tcp: - - 9200 - elasticsearch_node: - tcp: - - 9300 - cortex_es_rest: - tcp: - - 9400 - cortex_es_node: - tcp: - - 9500 - minions: - ports: - acng: - - 3142 - salt: - tcp: - - 4505 - - 4506 - registry: - tcp: - - 5000 - osquery: - tcp: - - 8080 - influxdb: - tcp: - - 8086 - wazuh: - tcp: - - 55000 - node: - ports: - elasticsearch_node: - tcp: - - 9300 - osquery_endpoint: - ports: - fleet: - tcp: - - 8090 - search_nodes: - ports: - redis: - tcp: - - 6379 - elasticsearch_node: - - 9300 - sensor: - ports: - wazuh_endpoint: - ports: - wazuh: - tcp: - - 1514 - udp: - - 1514 - - - - - - - - - - - - \ No newline at end of file diff --git a/salt/firewall/unneeded_ports.yml.old b/salt/firewall/unneeded_ports.yml.old deleted file mode 100644 index f318863c5..000000000 --- a/salt/firewall/unneeded_ports.yml.old +++ /dev/null 
@@ -1,63 +0,0 @@ -firewall: - aliases: - analyst: - ports: - tcp: - - 80 - - 443 - udp: - beats_endpoint: - ports: - tcp: - - 5044 - forward_nodes: - ports: - tcp: - - 443 - - 5044 - - 5644 - - 9822 - udp: - master: - ports: - tcp: - - 1514 - - 3200 - - 3306 - - 4200 - - 5601 - - 6379 - - 8086 - - 8090 - - 9001 - - 9200 - - 9300 - - 9400 - - 9500 - udp: - - 1514 - minions: - ports: - tcp: - - 3142 - - 4505 - - 4506 - - 5000 - - 8080 - - 8086 - - 55000 - osquery_endpoint: - ports: - tcp: - - 8090 - search_nodes: - ports: - tcp: - - 6379 - - 9300 - wazuh_endpoint: - ports: - tcp: - - 1514 - udp: - -1514 diff --git a/salt/firewall/unneeded_role.map.jinja b/salt/firewall/unneeded_role.map.jinja deleted file mode 100644 index f2858b509..000000000 --- a/salt/firewall/unneeded_role.map.jinja +++ /dev/null 
@@ -1,288 +0,0 @@ -{% import_yaml 'firewall/port_groups.yaml' as port_groups %} -{% set port_groups = port_groups.firewall.aliases.ports %} - -role: - eval: - hostgroups: - dockernet: - port_groups: - - {{ port_groups.all }} - master: - port_groups: - - {{ port_groups.wazuh_endpoint }} - - {{ port_groups.playbook }} - - {{ port_groups.mysql }} - - {{ port_groups.navigator }} - - {{ port_groups.kibana }} - - {{ port_groups.redis }} - - {{ port_groups.influxdb }} - - {{ port_groups.fleet_api }} - - {{ port_groups.cortex }} - - {{ port_groups.elasticsearch_rest }} - - {{ port_groups.elasticsearch_node }} - - {{ port_groups.cortex_es_rest }} - - {{ port_groups.cortex_es_node }} - minion: - port_groups: - - {{ port_groups.acng }} - - {{ port_groups.salt_master }} - - {{ port_groups.docker_registry }} - - {{ port_groups.osquery_8080 }} - - {{ port_groups.influxdb }} - - {{ port_groups.wazuh_minion }} - sensor: - port_groups: - - {{ port_groups.sensoroni }} - - {{ port_groups.beats_5044 }} - - {{ port_groups.beats_5644 }} - search_node: - port_groups: - - {{ port_groups.redis }} - - {{ port_groups.elasticsearch_node }} - beats_endpoint: - port_groups: - - {{ port_groups.beats_5044 }} - osquery_endpoint: - port_groups: - - {{ port_groups.fleet_api }} - wazuh_endpoint: - port_groups: - - {{ port_groups.wazuh_endpoint }} - analyst: - port_groups: - - {{ port_groups.nginx }} - helisensor: - hostgroups: - dockernet: - port_groups: - - {{ port_groups.all }} - master: - port_groups: - - {{ port_groups.wazuh_endpoint }} - - {{ port_groups.playbook }} - - {{ port_groups.mysql }} - - {{ port_groups.navigator }} - - {{ port_groups.kibana }} - - {{ port_groups.redis }} - - {{ port_groups.influxdb }} - - {{ port_groups.fleet_api }} - - {{ port_groups.cortex }} - - {{ port_groups.elasticsearch_rest }} - - {{ port_groups.elasticsearch_node }} - - {{ port_groups.cortex_es_rest }} - - {{ port_groups.cortex_es_node }} - minion: - port_groups: - - {{ port_groups.acng }} - - {{ 
port_groups.salt_master }} - - {{ port_groups.docker_registry }} - - {{ port_groups.osquery_8080 }} - - {{ port_groups.influxdb }} - - {{ port_groups.wazuh_minion }} - sensor: - port_groups: - - {{ port_groups.sensoroni }} - - {{ port_groups.beats_5044 }} - - {{ port_groups.beats_5644 }} - search_node: - port_groups: - - {{ port_groups.redis }} - - {{ port_groups.elasticsearch_node }} - beats_endpoint: - port_groups: - - {{ port_groups.beats_5044 }} - osquery_endpoint: - port_groups: - - {{ port_groups.fleet_api }} - wazuh_endpoint: - port_groups: - - {{ port_groups.wazuh_endpoint }} - analyst: - port_groups: - - {{ port_groups.nginx }} - master: - hostgroups: - dockernet: - port_groups: - - {{ port_groups.all }} - master: - port_groups: - - {{ port_groups.wazuh_endpoint }} - - {{ port_groups.playbook }} - - {{ port_groups.mysql }} - - {{ port_groups.navigator }} - - {{ port_groups.kibana }} - - {{ port_groups.redis }} - - {{ port_groups.influxdb }} - - {{ port_groups.fleet_api }} - - {{ port_groups.cortex }} - - {{ port_groups.elasticsearch_rest }} - - {{ port_groups.elasticsearch_node }} - - {{ port_groups.cortex_es_rest }} - - {{ port_groups.cortex_es_node }} - minion: - port_groups: - - {{ port_groups.acng }} - - {{ port_groups.salt_master }} - - {{ port_groups.docker_registry }} - - {{ port_groups.osquery_8080 }} - - {{ port_groups.influxdb }} - - {{ port_groups.wazuh_minion }} - sensor: - port_groups: - - {{ port_groups.sensoroni }} - - {{ port_groups.beats_5044 }} - - {{ port_groups.beats_5644 }} - search_node: - port_groups: - - {{ port_groups.redis }} - - {{ port_groups.elasticsearch_node }} - beats_endpoint: - port_groups: - - {{ port_groups.beats_5044 }} - osquery_endpoint: - port_groups: - - {{ port_groups.fleet_api }} - wazuh_endpoint: - port_groups: - - {{ port_groups.wazuh_endpoint }} - analyst: - port_groups: - - {{ port_groups.nginx }} - mastersearch: - hostgroups: - dockernet: - port_groups: - - {{ port_groups.all }} - master: - port_groups: - - 
{{ port_groups.wazuh_endpoint }} - - {{ port_groups.playbook }} - - {{ port_groups.mysql }} - - {{ port_groups.navigator }} - - {{ port_groups.kibana }} - - {{ port_groups.redis }} - - {{ port_groups.influxdb }} - - {{ port_groups.fleet_api }} - - {{ port_groups.cortex }} - - {{ port_groups.elasticsearch_rest }} - - {{ port_groups.elasticsearch_node }} - - {{ port_groups.cortex_es_rest }} - - {{ port_groups.cortex_es_node }} - minion: - port_groups: - - {{ port_groups.acng }} - - {{ port_groups.salt_master }} - - {{ port_groups.docker_registry }} - - {{ port_groups.osquery_8080 }} - - {{ port_groups.influxdb }} - - {{ port_groups.wazuh_minion }} - sensor: - port_groups: - - {{ port_groups.sensoroni }} - - {{ port_groups.beats_5044 }} - - {{ port_groups.beats_5644 }} - search_node: - port_groups: - - {{ port_groups.redis }} - - {{ port_groups.elasticsearch_node }} - beats_endpoint: - port_groups: - - {{ port_groups.beats_5044 }} - osquery_endpoint: - port_groups: - - {{ port_groups.fleet_api }} - wazuh_endpoint: - port_groups: - - {{ port_groups.wazuh_endpoint }} - analyst: - port_groups: - - {{ port_groups.nginx }} - standalone: - hostgroups: - dockernet: - port_groups: - - {{ port_groups.all }} - master: - port_groups: - - {{ port_groups.wazuh_endpoint }} - - {{ port_groups.playbook }} - - {{ port_groups.mysql }} - - {{ port_groups.navigator }} - - {{ port_groups.kibana }} - - {{ port_groups.redis }} - - {{ port_groups.influxdb }} - - {{ port_groups.fleet_api }} - - {{ port_groups.cortex }} - - {{ port_groups.elasticsearch_rest }} - - {{ port_groups.elasticsearch_node }} - - {{ port_groups.cortex_es_rest }} - - {{ port_groups.cortex_es_node }} - minion: - port_groups: - - {{ port_groups.acng }} - - {{ port_groups.salt_master }} - - {{ port_groups.docker_registry }} - - {{ port_groups.osquery_8080 }} - - {{ port_groups.influxdb }} - - {{ port_groups.wazuh_minion }} - sensor: - port_groups: - - {{ port_groups.sensoroni }} - - {{ port_groups.beats_5044 }} - - {{ 
port_groups.beats_5644 }} - search_node: - port_groups: - - {{ port_groups.redis }} - - {{ port_groups.elasticsearch_node }} - beats_endpoint: - port_groups: - - {{ port_groups.beats_5044 }} - osquery_endpoint: - port_groups: - - {{ port_groups.fleet_api }} - wazuh_endpoint: - port_groups: - - {{ port_groups.wazuh_endpoint }} - analyst: - port_groups: - - {{ port_groups.nginx }} - searchnode: - hostgroups: - master: - port_groups: - - {{ port_groups.elasticsearch_node }} - dockernet: - port_groups: - - {{ port_groups.all }} - - {{ port_groups.elasticsearch_node }} - - {{ port_groups.elasticsearch_node }} - sensor: - hostgroups: - dockernet: - port_groups: - - {{ port_groups.all }} - heavynode: - hostgroups: - self: - port_groups: - - {{ port_groups.redis }} - - {{ port_groups.beats_5044 }} - - {{ port_groups.beats_5644 }} - fleet: - hostgroups: - dockernet: - port_groups: - - {{ port_groups.all }} - self: - port_groups: - - {{ port_groups.redis }} - - {{ port_groups.mysql }} - - {{ port_groups.osquery_8080 }} - localhost: - port_groups: - - {{ port_groups.mysql }} - - {{ port_groups.osquery_8080 }} - analyst: - port_groups: - - {{ port_groups.fleet_webui }} \ No newline at end of file