Merge branch 'delta' of https://github.com/Security-Onion-Solutions/securityonion into delta

salt/firewall/assigned_hostgroups.map.yaml

@@ -659,7 +659,6 @@ role:
         hostgroups:
           anywhere:
             portgroups:
-              - {{ portgroups.ssh }}
             {% set idh_services = salt['pillar.get']('idh:services', []) %}
             {% for service in idh_services %}
               - {{ portgroups['idh_'~service] }}
@@ -669,4 +668,7 @@ role:
               - {{ portgroups.all }}
           localhost:
             portgroups:
-              - {{ portgroups.all }}
+              - {{ portgroups.all }}
+          manager:
+            portgroups:
+              - {{ portgroups.ssh }}

salt/firewall/portgroups.yaml

@@ -1,6 +1,10 @@
 {% if grains.role == 'so-idh' %}
   {% from 'idh/opencanary_config.map.jinja' import OPENCANARYCONFIG %}
+  {% from 'idh/openssh/map.jinja' import openssh_map %}
   {% set idh_services = salt['pillar.get']('idh:services', []) %}
+  {% set ssh_port = openssh_map.config.port %}
+{% else %}
+  {% set ssh_port = 22 %}
 {% endif %}
 
 firewall:
@@ -88,7 +92,7 @@ firewall:
           - 443
       ssh:
         tcp:
-          - 22
+          - {{ ssh_port }}
       strelka_frontend:
         tcp:
           - 57314

salt/idh/defaults/defaults.yaml

@@ -32,4 +32,8 @@ idh:
       tcpbanner_1.keep_alive_secret: ''
       tcpbanner_1.keep_alive_probes: 11
       tcpbanner_1.keep_alive_interval: 300
-      tcpbanner_1.keep_alive_idle: 300
+      tcpbanner_1.keep_alive_idle: 300
+  openssh:
+    enable: true
+    config:
+      port: 2222

salt/idh/init.sls

@@ -20,6 +20,9 @@
 {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %}
 {% set MANAGER = salt['grains.get']('master') %}
 
+include:
+  - idh.openssh.config
+
 # IDH State
 
 # Create a config directory
@@ -72,4 +75,4 @@ append_so-idh_so-status.conf:
   test.fail_without_changes:
     - name: {{sls}}_state_not_allowed
 
-{% endif %}
+{% endif %}

salt/idh/openssh/config.sls

@@ -0,0 +1,23 @@
+{% from "idh/openssh/map.jinja" import openssh_map with context %}
+
+include:
+  - idh.openssh
+
+{% if grains.os_family == 'RedHat' %}
+sshd_selinux:
+  selinux.port_policy_present:
+    - name: tcp/{{ openssh_map.config.port }}
+    - port: {{ openssh_map.config.port }}
+    - protocol: tcp
+    - sel_type: ssh_port_t
+    - prereq:
+      - file: openssh_config
+{% endif %}
+
+openssh_config:
+  file.replace:
+    - name: {{ openssh_map.conf }}
+    - pattern: '(^|^#)Port \d+$'
+    - repl: 'Port {{ openssh_map.config.port }}'
+    - watch_in:
+      - service: {{ openssh_map.service }}

salt/idh/openssh/init.sls

@@ -0,0 +1,17 @@
+{# This state is designed to only manage the openssh server settings of an IDH node and is seperate from the ssh setting for OpenCanary #}
+{% from "idh/openssh/map.jinja" import openssh_map with context %}
+
+openssh:
+  pkg.installed:
+    - name: {{ openssh_map.server }}
+  {% if openssh_map.enable is sameas true %}
+  service.running:
+    - enable: {{ openssh_map.enable }}
+    - name: {{ openssh_map.service }}
+    - require:
+      - pkg: {{ openssh_map.server }}
+  {% else %}
+  service.dead:
+    - enable: False
+    - name: {{ openssh_map.service }}
+  {% endif %}

salt/idh/openssh/map.jinja

@@ -0,0 +1,16 @@
+{% import_yaml "idh/defaults/defaults.yaml" as idh_defaults with context %}
+
+{% set openssh_map = salt['grains.filter_by']({
+    'Debian': {
+        'client': 'openssh-client',
+        'server': 'openssh-server',
+        'service': 'ssh',
+        'conf': '/etc/ssh/sshd_config'
+    },
+    'RedHat': {
+        'client': 'openssh-clients',
+        'server': 'openssh-server',
+        'service': 'sshd',
+        'conf': '/etc/ssh/sshd_config'
+    },
+}, merge=salt['pillar.get']('idh:openssh', default=idh_defaults.idh.openssh, merge=True)) %}