CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2026-06-22 02:08:07 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'remotes/origin/2.4/dev' into fleet-sa

Browse Source
This commit is contained in:
Josh Brower
2023-04-03 07:27:04 -04:00
parent e4b10aa28c a0bb6a700a
commit af392681e3
572 changed files with 7060 additions and 31492 deletions
Download Patch File Download Diff File Expand all files Collapse all files
salt/firewall/assigned_hostgroups.map.yaml
+72 -49
View File
@@ -2,13 +2,14 @@
{% import_yaml 'firewall/ports/ports.yaml' as portgroups %}
{% set portgroups = portgroups.firewall.ports %}
{% set TRUE_CLUSTER = salt['pillar.get']('elasticsearch:true_cluster', True) %}
{% from 'idh/opencanary_config.map.jinja' import IDH_PORTGROUPS %}
role:
eval:
chain:
DOCKER-USER:
hostgroups:
manager:
eval:
portgroups:
- {{ portgroups.playbook }}
- {{ portgroups.mysql }}
@@ -113,6 +114,9 @@ role:
- {{ portgroups.influxdb }}
- {{ portgroups.elasticsearch_rest }}
- {{ portgroups.elasticsearch_node }}
- {{ portgroups.docker_registry }}
- {{ portgroups.elastic_agent_control }}
- {{ portgroups.elastic_agent_data }}
{% if ISAIRGAP is sameas true %}
- {{ portgroups.agrules }}
{% endif %}
@@ -122,16 +126,31 @@ role:
- {{ portgroups.beats_5644 }}
- {{ portgroups.elastic_agent_control }}
- {{ portgroups.elastic_agent_data }}
- {{ portgroups.yum }}
- {{ portgroups.docker_registry }}
- {{ portgroups.influxdb }}
searchnodes:
portgroups:
- {{ portgroups.redis }}
- {{ portgroups.elasticsearch_rest }}
- {{ portgroups.elasticsearch_node }}
- {{ portgroups.beats_5644 }}
- {{ portgroups.yum }}
- {{ portgroups.docker_registry }}
- {{ portgroups.influxdb }}
- {{ portgroups.elastic_agent_control }}
- {{ portgroups.elastic_agent_data }}
heavynodes:
portgroups:
- {{ portgroups.redis }}
- {{ portgroups.elasticsearch_rest }}
- {{ portgroups.elasticsearch_node }}
- {{ portgroups.beats_5644 }}
- {{ portgroups.yum }}
- {{ portgroups.docker_registry }}
- {{ portgroups.influxdb }}
- {{ portgroups.elastic_agent_control }}
- {{ portgroups.elastic_agent_data }}
self:
portgroups:
- {{ portgroups.syslog}}
@@ -168,11 +187,20 @@ role:
localhost:
portgroups:
- {{ portgroups.all }}
sensors:
portgroups:
- {{ portgroups.salt_manager }}
searchnodes:
portgroups:
- {{ portgroups.salt_manager }}
heavynodes:
portgroups:
- {{ portgroups.salt_manager }}
managersearch:
chain:
DOCKER-USER:
hostgroups:
manager:
managersearch:
portgroups:
- {{ portgroups.playbook }}
- {{ portgroups.mysql }}
@@ -181,20 +209,38 @@ role:
- {{ portgroups.influxdb }}
- {{ portgroups.elasticsearch_rest }}
- {{ portgroups.elasticsearch_node }}
- {{ portgroups.docker_registry }}
- {{ portgroups.elastic_agent_control }}
- {{ portgroups.elastic_agent_data }}
sensors:
portgroups:
- {{ portgroups.beats_5044 }}
- {{ portgroups.beats_5644 }}
- {{ portgroups.elastic_agent_control }}
- {{ portgroups.elastic_agent_data }}
- {{ portgroups.yum }}
- {{ portgroups.docker_registry }}
- {{ portgroups.influxdb }}
searchnodes:
portgroups:
- {{ portgroups.redis }}
- {{ portgroups.elasticsearch_rest }}
- {{ portgroups.elasticsearch_node }}
- {{ portgroups.yum }}
- {{ portgroups.docker_registry }}
- {{ portgroups.influxdb }}
- {{ portgroups.elastic_agent_control }}
- {{ portgroups.elastic_agent_data }}
heavynodes:
portgroups:
- {{ portgroups.redis }}
- {{ portgroups.elasticsearch_rest }}
- {{ portgroups.elasticsearch_node }}
- {{ portgroups.yum }}
- {{ portgroups.docker_registry }}
- {{ portgroups.influxdb }}
- {{ portgroups.elastic_agent_control }}
- {{ portgroups.elastic_agent_data }}
self:
portgroups:
- {{ portgroups.syslog}}
@@ -231,10 +277,22 @@ role:
localhost:
portgroups:
- {{ portgroups.all }}
sensors:
portgroups:
- {{ portgroups.salt_manager }}
searchnodes:
portgroups:
- {{ portgroups.salt_manager }}
heavynodes:
portgroups:
- {{ portgroups.salt_manager }}
standalone:
chain:
DOCKER-USER:
hostgroups:
localhost:
portgroups:
- {{ portgroups.all }}
standalone:
portgroups:
- {{ portgroups.playbook }}
@@ -278,6 +336,7 @@ role:
- {{ portgroups.sensoroni }}
- {{ portgroups.yum }}
- {{ portgroups.redis }}
- {{ portgroups.elasticsearch_rest }}
- {{ portgroups.elasticsearch_node }}
heavynodes:
portgroups:
@@ -286,6 +345,7 @@ role:
- {{ portgroups.sensoroni }}
- {{ portgroups.yum }}
- {{ portgroups.redis }}
- {{ portgroups.elasticsearch_rest }}
- {{ portgroups.elasticsearch_node }}
self:
portgroups:
@@ -338,47 +398,6 @@ role:
heavynodes:
portgroups:
- {{ portgroups.salt_manager }}
helixsensor:
chain:
DOCKER-USER:
hostgroups:
manager:
portgroups:
- {{ portgroups.playbook }}
- {{ portgroups.mysql }}
- {{ portgroups.kibana }}
- {{ portgroups.redis }}
- {{ portgroups.influxdb }}
- {{ portgroups.elasticsearch_rest }}
- {{ portgroups.elasticsearch_node }}
sensors:
portgroups:
- {{ portgroups.beats_5044 }}
- {{ portgroups.beats_5644 }}
searchnodes:
portgroups:
- {{ portgroups.redis }}
- {{ portgroups.elasticsearch_node }}
self:
portgroups:
- {{ portgroups.syslog}}
beats_endpoint:
portgroups:
- {{ portgroups.beats_5044 }}
analyst:
portgroups:
- {{ portgroups.nginx }}
INPUT:
hostgroups:
anywhere:
portgroups:
- {{ portgroups.ssh }}
dockernet:
portgroups:
- {{ portgroups.all }}
localhost:
portgroups:
- {{ portgroups.all }}
searchnode:
chain:
DOCKER-USER:
@@ -394,11 +413,9 @@ role:
elasticsearch_rest:
portgroups:
- {{ portgroups.elasticsearch_rest }}
{% if TRUE_CLUSTER %}
searchnodes:
portgroups:
- {{ portgroups.elasticsearch_node }}
{% endif %}
self:
portgroups:
- {{ portgroups.syslog}}
@@ -452,6 +469,8 @@ role:
self:
portgroups:
- {{ portgroups.syslog}}
- {{ portgroups.elasticsearch_node }}
- {{ portgroups.elasticsearch_rest }}
strelka_frontend:
portgroups:
- {{ portgroups.strelka_frontend }}
@@ -558,9 +577,10 @@ role:
hostgroups:
anywhere:
portgroups:
{% set idh_services = salt['pillar.get']('idh:services', []) %}
{% for service in idh_services %}
- {{ portgroups['idh_'~service] }}
{% for service in IDH_PORTGROUPS.keys() %}
{% if service != 'openssh' %}
- {{ IDH_PORTGROUPS[service] }}
{% endif %}
{% endfor %}
dockernet:
portgroups:
@@ -570,4 +590,7 @@ role:
- {{ portgroups.all }}
manager:
portgroups:
- {{ portgroups.ssh }}
- {{ IDH_PORTGROUPS.openssh }}
standalone:
portgroups:
- {{ IDH_PORTGROUPS.openssh }}
salt/firewall/containers.map.jinja
+80 -2
View File
@@ -1,11 +1,35 @@
{% from 'vars/globals.map.jinja' import GLOBALS %}
{% if GLOBALS.role == 'so-eval' %}
{% set NODE_CONTAINERS = [
'so-curator',
'so-dockerregistry',
'so-elasticsearch',
'so-elastic-fleet',
'so-elastic-fleet-package-registry',
'so-influxdb',
'so-kibana',
'so-kratos',
'so-mysql',
'so-nginx',
'so-redis',
'so-soc',
'so-soctopus',
'so-strelka-coordinator',
'so-strelka-gatekeeper',
'so-strelka-frontend',
'so-strelka-backend',
'so-strelka-manager',
'so-strelka-filestream'
] %}
{% elif GLOBALS.role == 'so-manager' or GLOBALS.role == 'so-standalone' or GLOBALS.role == 'so-managersearch' %}
{% set NODE_CONTAINERS = [
'so-curator',
'so-dockerregistry',
'so-elasticsearch',
'so-elastic-fleet',
'so-elastic-fleet-package-registry',
'so-filebeat',
'so-grafana',
'so-influxdb',
'so-kibana',
'so-kratos',
@@ -22,3 +46,57 @@
'so-strelka-manager',
'so-strelka-filestream'
] %}
{% elif GLOBALS.role == 'so-searchnode' %}
{% set NODE_CONTAINERS = [
'so-elasticsearch',
'so-logstash',
'so-nginx'
] %}
{% elif GLOBALS.role == 'so-heavynode' %}
{% set NODE_CONTAINERS = [
'so-curator',
'so-elasticsearch',
'so-logstash',
'so-nginx',
'so-redis',
'so-strelka-coordinator',
'so-strelka-gatekeeper',
'so-strelka-frontend',
'so-strelka-backend',
'so-strelka-manager',
'so-strelka-filestream'
] %}
{% elif GLOBALS.role == 'so-import' %}
{% set NODE_CONTAINERS = [
'so-dockerregistry',
'so-elasticsearch',
'so-elastic-fleet',
'so-elastic-fleet-package-registry',
'so-influxdb',
'so-kibana',
'so-kratos',
'so-nginx',
'so-soc'
] %}
{% elif GLOBALS.role == 'so-receiver' %}
{% set NODE_CONTAINERS = [
'so-logstash',
'so-redis',
] %}
{% elif GLOBALS.role == 'so-idh' %}
{% set NODE_CONTAINERS = [
'so-idh',
] %}
{% elif GLOBALS.role == 'so-sensor' %}
{% set NODE_CONTAINERS = [] %}
{% else %}
{% set NODE_CONTAINERS = [] %}
{% endif %}
salt/firewall/hostgroups.yaml
-23
View File
@@ -1,23 +0,0 @@
{% from 'docker/docker.map.jinja' import DOCKER %}
firewall:
hostgroups:
anywhere:
ips:
delete:
insert:
- 0.0.0.0/0
dockernet:
ips:
delete:
insert:
- {{ DOCKER.sosrange }}
localhost:
ips:
delete:
insert:
- 127.0.0.1
self:
ips:
delete:
insert:
- {{ salt['grains.get']('ip_interfaces').get(salt['pillar.get']('sensor:mainint', salt['pillar.get']('manager:mainint', salt['pillar.get']('elasticsearch:mainint', salt['pillar.get']('host:mainint')))))[0] }}
salt/firewall/hostgroups/anywhere
+1
View File
@@ -0,0 +1 @@
0.0.0.0/0
salt/firewall/hostgroups/dockernet
+2
View File
@@ -0,0 +1,2 @@
{% from 'docker/docker.map.jinja' import DOCKER -%}
{{ DOCKER.sorange }}
salt/firewall/hostgroups/localhost
+1
View File
@@ -0,0 +1 @@
127.0.0.1
salt/firewall/hostgroups/self
+2
View File
@@ -0,0 +1,2 @@
{% from 'vars/globals.map.jinja' import GLOBALS -%}
{{ GLOBALS.node_ip }}
salt/firewall/init.sls
+15
View File
@@ -13,10 +13,25 @@ iptables_config:
- source: salt://firewall/iptables.jinja
- template: jinja
disable_firewalld:
service.dead:
- name: firewalld
- enable: False
- require:
- file: iptables_config
iptables_restore:
cmd.run:
- name: iptables-restore < /etc/sysconfig/iptables
enable_firewalld:
service.running:
- name: firewalld
- enable: True
- onfail:
- file: iptables_config
- cmd: iptables_restore
{% else %}
{{sls}}_state_not_allowed:
salt/firewall/iptables.jinja
+13 -13
View File
@@ -33,11 +33,11 @@
{%- endif %}
{%- do PR.append("-A POSTROUTING -s " ~ DOCKER.containers[container].ip ~ "/32 -d " ~ DOCKER.containers[container].ip ~ "/32 -p " ~ proto ~ " -m " ~ proto ~ " --dport " ~ containerPort ~ " -j MASQUERADE") %}
{%- if bindip | length and bindip != '0.0.0.0' %}
{%- do D1.append("-A DOCKER -d " ~ bindip ~ "/32 ! -i sosbridge -p " ~ proto ~ " -m " ~ proto ~ " --dport " ~ hostPort ~ " -j DNAT --to-destination " ~ DOCKER.containers[container].ip ~ ":" ~ containerPort) %}
{%- do D1.append("-A DOCKER -d " ~ bindip ~ "/32 ! -i sobridge -p " ~ proto ~ " -m " ~ proto ~ " --dport " ~ hostPort ~ " -j DNAT --to-destination " ~ DOCKER.containers[container].ip ~ ":" ~ containerPort) %}
{%- else %}
{%- do D1.append("-A DOCKER ! -i sosbridge -p " ~ proto ~ " -m " ~ proto ~ " --dport " ~ hostPort ~ " -j DNAT --to-destination " ~ DOCKER.containers[container].ip ~ ":" ~ containerPort) %}
{%- do D1.append("-A DOCKER ! -i sobridge -p " ~ proto ~ " -m " ~ proto ~ " --dport " ~ hostPort ~ " -j DNAT --to-destination " ~ DOCKER.containers[container].ip ~ ":" ~ containerPort) %}
{%- endif %}
{%- do D2.append("-A DOCKER -d " ~ DOCKER.containers[container].ip ~ "/32 ! -i sosbridge -o sosbridge -p " ~ proto ~ " -m " ~ proto ~ " --dport " ~ containerPort ~ " -j ACCEPT") %}
{%- do D2.append("-A DOCKER -d " ~ DOCKER.containers[container].ip ~ "/32 ! -i sobridge -o sobridge -p " ~ proto ~ " -m " ~ proto ~ " --dport " ~ containerPort ~ " -j ACCEPT") %}
{%- endfor %}
{%- endif %}
{%- endfor %}
@@ -50,11 +50,11 @@
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s {{DOCKER.sosrange}} ! -o sosbridge -j MASQUERADE
-A POSTROUTING -s {{DOCKER.sorange}} ! -o sobridge -j MASQUERADE
{%- for rule in PR %}
{{ rule }}
{%- endfor %}
-A DOCKER -i sosbridge -j RETURN
-A DOCKER -i sobridge -j RETURN
{%- for rule in D1 %}
{{ rule }}
{%- endfor %}
@@ -98,10 +98,10 @@ COMMIT
-A INPUT -j LOGGING
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o sosbridge -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o sosbridge -j DOCKER
-A FORWARD -i sosbridge ! -o sosbridge -j ACCEPT
-A FORWARD -i sosbridge -o sosbridge -j ACCEPT
-A FORWARD -o sobridge -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o sobridge -j DOCKER
-A FORWARD -i sobridge ! -o sobridge -j ACCEPT
-A FORWARD -i sobridge -o sobridge -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
@@ -113,12 +113,12 @@ COMMIT
{{ rule }}
{%- endfor %}
-A DOCKER-ISOLATION-STAGE-1 -i sosbridge ! -o sosbridge -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i sobridge ! -o sobridge -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o sosbridge -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o sobridge -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER ! -i sosbridge -o sosbridge -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A DOCKER-USER ! -i sosbridge -o sosbridge -j LOGGING
-A DOCKER-USER ! -i sobridge -o sobridge -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A DOCKER-USER ! -i sobridge -o sobridge -j LOGGING
-A DOCKER-USER -j RETURN
-A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables-dropped: "
-A LOGGING -j DROP
salt/firewall/map.jinja
+14 -27
View File
@@ -1,47 +1,34 @@
{% from 'vars/globals.map.jinja' import GLOBALS %}
{% set role = grains.id.split('_') | last %}
{% set translated_pillar_assigned_hostgroups = {} %}
{% import_yaml 'firewall/ports/ports.yaml' as default_portgroups %}
{% set default_portgroups = default_portgroups.firewall.ports %}
{% import_yaml 'firewall/portgroups.local.yaml' as local_portgroups %}
{% import_yaml 'firewall/ports/ports.local.yaml' as local_portgroups %}
{% if local_portgroups.firewall.ports %}
{% set local_portgroups = local_portgroups.firewall.ports %}
{% else %}
{% set local_portgroups = {} %}
{% endif %}
{% set portgroups = salt['defaults.merge'](default_portgroups, local_portgroups, in_place=False) %}
{% set defined_portgroups = portgroups %}
{% import_yaml 'firewall/hostgroups.yaml' as default_hostgroups %}
{#% import_yaml 'firewall/hostgroups.local.yaml' as local_hostgroups %#}
{% if GLOBALS.role == 'so-idh' %}
{% from 'idh/opencanary_config.map.jinja' import IDH_PORTGROUPS %}
{% do salt['defaults.merge'](defined_portgroups, IDH_PORTGROUPS, in_place=True) %}
{% endif %}
{% set local_hostgroups = {'firewall': {'hostgroups': {}}} %}
{% set hostgroup_list = [
'analyst',
'analyst_workstations',
'eval',
'fleet',
'heavynodes',
'idh',
'manager',
'receivers',
'searchnodes',
'sensors',
'standalone',
'beats_endpoint',
'beats_endpoint_ssl',
'elasticsearch_rest',
'elastic_agent_endpoint',
'endgame',
'strelka_frontend',
'syslog'
]
%}
{% set hostgroup_list = salt['cp.list_master'](prefix='firewall/hostgroups') %}
{% for hg in hostgroup_list %}
{% import_text 'firewall/hostgroups/' ~ hg as hg_ips %}
{% do local_hostgroups.firewall.hostgroups.update({hg: {'ips': {'insert': hg_ips.split(), 'delete': []}}}) %}
{% import_text hg as hg_ips %}
{% do local_hostgroups.firewall.hostgroups.update({hg.split('/')[2]: {'ips': {'insert': hg_ips.split(), 'delete': []}}}) %}
{% endfor %}
{% set hostgroups = salt['defaults.merge'](default_hostgroups.firewall.hostgroups, local_hostgroups.firewall.hostgroups, in_place=False) %}
{% set hostgroups = local_hostgroups.firewall.hostgroups %}
{# This block translate the portgroups defined in the pillar to what is defined my portgroups.yaml and portgroups.local.yaml #}
{% if salt['pillar.get']('firewall:assigned_hostgroups:chain') %}
salt/firewall/portgroups/portgroups.yaml
-552
View File
@@ -1,552 +0,0 @@
role:
eval:
chain:
DOCKER-USER:
hostgroups:
manager:
portgroups:
- playbook
- mysql
- kibana
- redis
- minio
- influxdb
- cortex
- elasticsearch_rest
- elasticsearch_node
- cortex_es_rest
- cortex_es_node
minion:
portgroups:
- acng
- docker_registry
- influxdb
- sensoroni
sensor:
portgroups:
- beats_5044
- beats_5644
search_node:
portgroups:
- redis
- minio
- elasticsearch_node
heavy_node:
portgroups:
- redis
- minio
- elasticsearch_node
self:
portgroups:
- syslog
beats_endpoint:
portgroups:
- beats_5044
beats_endpoint_ssl:
portgroups:
- beats_5644
elasticsearch_rest:
portgroups:
- elasticsearch_rest
elastic_agent_endpoint:
portgroups:
- elastic_agent_control
- elastic_agent_data
strelka_frontend:
portgroups:
- strelka_frontend
syslog:
portgroups:
- syslog
analyst:
portgroups:
- nginx
INPUT:
hostgroups:
anywhere:
portgroups:
- ssh
dockernet:
portgroups:
- all
localhost:
portgroups:
- all
minion:
portgroups:
- salt_manager
manager:
chain:
DOCKER-USER:
hostgroups:
manager:
portgroups:
- playbook
- mysql
- kibana
- redis
- minio
- influxdb
- cortex
- elasticsearch_rest
- elasticsearch_node
- cortex_es_rest
- cortex_es_node
minion:
portgroups:
- acng
- docker_registry
- influxdb
- sensoroni
- yum
sensor:
portgroups:
- beats_5044
- beats_5644
search_node:
portgroups:
- redis
- minio
- elasticsearch_node
- beats_5644
heavy_node:
portgroups:
- redis
- minio
- elasticsearch_node
- beats_5644
self:
portgroups:
- syslog
syslog:
portgroups:
- syslog
beats_endpoint:
portgroups:
- beats_5044
beats_endpoint_ssl:
portgroups:
- beats_5644
elasticsearch_rest:
portgroups:
- elasticsearch_rest
endgame:
portgroups:
- endgame
analyst:
portgroups:
- nginx
INPUT:
hostgroups:
anywhere:
portgroups:
- ssh
dockernet:
portgroups:
- all
localhost:
portgroups:
- all
minion:
portgroups:
- salt_manager
managersearch:
chain:
DOCKER-USER:
hostgroups:
manager:
portgroups:
- playbook
- mysql
- kibana
- redis
- minio
- influxdb
- cortex
- elasticsearch_rest
- elasticsearch_node
- cortex_es_rest
- cortex_es_node
minion:
portgroups:
- acng
- docker_registry
- influxdb
- sensoroni
- yum
sensor:
portgroups:
- beats_5044
- beats_5644
search_node:
portgroups:
- redis
- minio
- elasticsearch_node
heavy_node:
portgroups:
- redis
- minio
- elasticsearch_node
self:
portgroups:
- syslog}}
beats_endpoint:
portgroups:
- beats_5044
beats_endpoint_ssl:
portgroups:
- beats_5644
elasticsearch_rest:
portgroups:
- elasticsearch_rest
elastic_agent_endpoint:
portgroups:
- elastic_agent_control
- elastic_agent_data
endgame:
portgroups:
- endgame
syslog:
portgroups:
- syslog
analyst:
portgroups:
- nginx
INPUT:
hostgroups:
anywhere:
portgroups:
- ssh
dockernet:
portgroups:
- all
localhost:
portgroups:
- all
minion:
portgroups:
- salt_manager
standalone:
chain:
DOCKER-USER:
hostgroups:
manager:
portgroups:
- playbook
- mysql
- kibana
- redis
- minio
- influxdb
- cortex
- elasticsearch_rest
- elasticsearch_node
- cortex_es_rest
- cortex_es_node
minion:
portgroups:
- acng
- docker_registry
- influxdb
- sensoroni
- yum
sensor:
portgroups:
- beats_5044
- beats_5644
search_node:
portgroups:
- redis
- minio
- elasticsearch_node
heavy_node:
portgroups:
- redis
- minio
- elasticsearch_node
self:
portgroups:
- syslog}}
beats_endpoint:
portgroups:
- beats_5044
beats_endpoint_ssl:
portgroups:
- beats_5644
elasticsearch_rest:
portgroups:
- elasticsearch_rest
elastic_agent_endpoint:
portgroups:
- elastic_agent_control
- elastic_agent_data
endgame:
portgroups:
- endgame
strelka_frontend:
portgroups:
- strelka_frontend
syslog:
portgroups:
- syslog
analyst:
portgroups:
- nginx
INPUT:
hostgroups:
anywhere:
portgroups:
- ssh
dockernet:
portgroups:
- all
localhost:
portgroups:
- all
minion:
portgroups:
- salt_manager
helixsensor:
chain:
DOCKER-USER:
hostgroups:
manager:
portgroups:
- playbook
- mysql
- kibana
- redis
- influxdb
- cortex
- elasticsearch_rest
- elasticsearch_node
- cortex_es_rest
- cortex_es_node
minion:
portgroups:
- acng
- docker_registry
- influxdb
- sensoroni
sensor:
portgroups:
- beats_5044
- beats_5644
search_node:
portgroups:
- redis
- elasticsearch_node
self:
portgroups:
- syslog}}
beats_endpoint:
portgroups:
- beats_5044
analyst:
portgroups:
- nginx
INPUT:
hostgroups:
anywhere:
portgroups:
- ssh
dockernet:
portgroups:
- all
localhost:
portgroups:
- all
minion:
portgroups:
- salt_manager
searchnode:
chain:
DOCKER-USER:
hostgroups:
manager:
portgroups:
- elasticsearch_node
- elasticsearch_rest
dockernet:
portgroups:
- elasticsearch_node
- elasticsearch_rest
elasticsearch_rest:
portgroups:
- elasticsearch_rest
search_node:
portgroups:
- elasticsearch_node
self:
portgroups:
- syslog
INPUT:
hostgroups:
anywhere:
portgroups:
- ssh
dockernet:
portgroups:
- all
localhost:
portgroups:
- all
sensor:
chain:
DOCKER-USER:
hostgroups:
self:
portgroups:
- syslog
strelka_frontend:
portgroups:
- strelka_frontend
INPUT:
hostgroups:
anywhere:
portgroups:
- ssh
dockernet:
portgroups:
- all
localhost:
portgroups:
- all
heavynode:
chain:
DOCKER-USER:
hostgroups:
manager:
portgroups:
- elasticsearch_node
- elasticsearch_rest
dockernet:
portgroups:
- elasticsearch_node
- elasticsearch_rest
elasticsearch_rest:
portgroups:
- elasticsearch_rest
self:
portgroups:
- syslog
strelka_frontend:
portgroups:
- strelka_frontend
INPUT:
hostgroups:
anywhere:
portgroups:
- ssh
dockernet:
portgroups:
- all
localhost:
portgroups:
- all
import:
chain:
DOCKER-USER:
hostgroups:
manager:
portgroups:
- kibana
- redis
- influxdb
- elasticsearch_rest
- elasticsearch_node
minion:
portgroups:
- docker_registry
- sensoroni
sensor:
portgroups:
- beats_5044
- beats_5644
search_node:
portgroups:
- redis
- elasticsearch_node
beats_endpoint:
portgroups:
- beats_5044
beats_endpoint_ssl:
portgroups:
- beats_5644
elasticsearch_rest:
portgroups:
- elasticsearch_rest
analyst:
portgroups:
- nginx
INPUT:
hostgroups:
anywhere:
portgroups:
- ssh
dockernet:
portgroups:
- all
localhost:
portgroups:
- all
minion:
portgroups:
- salt_manager
receiver:
chain:
DOCKER-USER:
hostgroups:
sensor:
portgroups:
- beats_5644
search_node:
portgroups:
- redis
- beats_5644
self:
portgroups:
- redis
- syslog
- beats_5644
syslog:
portgroups:
- syslog
beats_endpoint:
portgroups:
- beats_5044
beats_endpoint_ssl:
portgroups:
- beats_5644
endgame:
portgroups:
- endgame
INPUT:
hostgroups:
anywhere:
portgroups:
- ssh
dockernet:
portgroups:
- all
localhost:
portgroups:
- all
idh:
chain:
INPUT:
hostgroups:
anywhere:
portgroups:
- ssh
dockernet:
portgroups:
- all
localhost:
portgroups:
- all
manager:
portgroups:
- ssh
salt/firewall/ports/ports.yaml
+2 -1
View File
@@ -35,6 +35,7 @@ firewall:
elastic_agent_data:
tcp:
- 5055
- 9200
endgame:
tcp:
- 3765
@@ -53,7 +54,7 @@ firewall:
- 443
playbook:
tcp:
- 3200
- 3000
redis:
tcp:
- 6379
salt/firewall/soc_firewall.yaml → salt/firewall/soc/defaults_soc_firewall.yaml
+14 -6
View File
@@ -1,4 +1,12 @@
firewall:
custom_groups:
groups:
description: List of group names to create.
multiline: True
forcedType: "[]string"
global: True
title: Custom Firewall Groups
helpLink: firewall.html#host-groups
hostgroups:
analyst_workstations:
description: List of IP addresses or CIDR blocks to allow analyst workstations.
@@ -23,40 +31,40 @@ firewall:
file: True
global: True
title: Beats Endpoints SSL
helplink: firewall.html#host-groups
helpLink: firewall.html#host-groups
elastic_agent_endpoint:
description: List of IP addresses or CIDR blocks for Elastic Agent connections.
file: True
global: True
title: Elastic Agents
helplink: firewall.html#host-groups
helpLink: firewall.html#host-groups
elasticsearch_rest:
description: List of IP addresses or CIDR blocks to allow access directly to Elasticsearch.
file: True
global: True
title: Elasticsearch Rest
advanced: True
helplink: firewall.html#host-groups
helpLink: firewall.html#host-groups
endgame:
description: List of IP addresses or CIDR blocks to allow Endgame access.
file: True
global: True
title: Endgame
advanced: True
helplink: firewall.html#host-groups
helpLink: firewall.html#host-groups
strelka_frontend:
description: List of IP addresses or CIDR blocks to allow access to the Strelka front end.
file: True
global: True
title: Strelka Frontend
advanced: True
helplink: firewall.html#host-groups
helpLink: firewall.html#host-groups
syslog:
description: List of IP addresses or CIDR blocks to allow syslog.
file: True
global: True
title: Syslog Endpoint Traffic
helplink: firewall.html#host-groups
helpLink: firewall.html#host-groups
standalone:
description: List of IP addresses or CIDR blocks to allow standalone connections.
file: True
salt/firewall/soc/init.sls
+5
View File
@@ -0,0 +1,5 @@
soc_firewall_yaml:
file.managed:
- name: /opt/so/saltstack/default/salt/firewall/soc_firewall.yaml
- source: salt://firewall/soc/soc_firewall.yaml.jinja
- template: jinja
salt/firewall/soc/soc.map.jinja
+9
View File
@@ -0,0 +1,9 @@
{% import_yaml 'firewall/soc/defaults_soc_firewall.yaml' as DEFAULT_SOC_FIREWALL %}
{% set PILLAR_SOC_FIREWALL_GROUPS = salt['pillar.get']('firewall:custom_groups:groups', {}) %}
{% set SOC_FIREWALL = DEFAULT_SOC_FIREWALL %}
{% for group in PILLAR_SOC_FIREWALL_GROUPS %}
{% set description = 'List of IP addresses or CIDR blocks to allow for ' ~ group ~ ' hostgroup.' %}
{% set title = group[0]|upper ~ group[1:] %}
{% do SOC_FIREWALL.firewall.hostgroups.update({group:{'description': description, 'file': 'True', 'global': 'True', 'title': title, 'helpLink': 'firewall.html#host-groups'}}) %}
{% endfor %}
salt/firewall/soc/soc_firewall.yaml.jinja
+2
View File
@@ -0,0 +1,2 @@
{% from 'firewall/soc/soc.map.jinja' import SOC_FIREWALL -%}
{{ SOC_FIREWALL | yaml(False) }}