From c4626020a451cc8e00c1538f939c1b7e6a26e39a Mon Sep 17 00:00:00 2001
From: Wes Lambert
Date: Mon, 13 Jan 2020 20:07:54 +0000
Subject: [PATCH] update so-allow to allow arguments
---
 salt/common/tools/sbin/so-allow | 118 +++++++++++++++++++++++++-------
 1 file changed, 94 insertions(+), 24 deletions(-)
diff --git a/salt/common/tools/sbin/so-allow b/salt/common/tools/sbin/so-allow
index 1685e386a..ff5a8c893 100644
--- a/salt/common/tools/sbin/so-allow
+++ b/salt/common/tools/sbin/so-allow
@@ -1,4 +1,23 @@
 #!/bin/bash
+#!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+SKIP=0
+
 got_root() {
 # Make sure you are root
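Review bot: The added header block opens with a second `#!/bin/bash` directly beneath the existing one on line 1. Only the first line of a script is read as the interpreter directive, so the duplicate is just a stray comment and should be dropped from the added block. `SKIP=0` would also benefit from a short comment, for example `# set to 1 when a role flag is given, which bypasses the interactive prompts`. The body of got_root() continues outside this hunk.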
@@ -11,32 +30,83 @@ got_root() {
 got_root
-echo "This program allows you to add a firewall rule to allow connections from a new IP address."
-echo ""
-echo "Choose the role for the IP or Range you would like to add"
-echo ""
-echo "[a] - Analyst - ports 80/tcp and 443/tcp"
-echo "[b] - Logstash Beat - port 5044/tcp"
-echo "[o] - Osquery endpoint - port 8080/tcp"
-echo "[w] - Wazuh endpoint - port 1514"
-echo ""
-echo "Please enter your selection (a - analyst, b - beats, o - osquery, w - wazuh):"
-read ROLE
-echo "Enter a single ip address or range to allow (example: 10.10.10.10 or 10.10.0.0/16):"
-read IP
+while getopts "abowi:" OPTION
+do
+ case $OPTION in
+
+ h)
+ usage
+ exit 0
+ ;;
+ a)
+ FULLROLE="analyst"
+ SKIP=1
+ ;;
+ b)
+ FULLROLE=beats_endpoint
+ SKIP=1
+ ;;
+ i) IP=$OPTARG
+ ;;
+ o)
+ FULLROLE=osquery_endpoint
+ SKIP=1
+ ;;
+ w)
+ FULLROLE=wazuh_endpoint
+ SKIP=1
+ ;;
+ esac
+done
+
+if [ "$SKIP" -eq 0 ]; then
+
+ echo "This program allows you to add a firewall rule to allow connections from a new IP address."
+ echo ""
+ echo "Choose the role for the IP or Range you would like to add"
+ echo ""
+ echo "[a] - Analyst - ports 80/tcp and 443/tcp"
+ echo "[b] - Logstash Beat - port 5044/tcp"
+ echo "[o] - Osquery endpoint - port 8080/tcp"
+ echo "[w] - Wazuh endpoint - port 1514"
+ echo ""
+ echo "Please enter your selection (a - analyst, b - beats, o - osquery, w - wazuh):"
+ read ROLE
+ echo "Enter a single ip address or range to allow (example: 10.10.10.10 or 10.10.0.0/16):"
+ read IP
+
+ if [ "$ROLE" == "a" ]; then
+ FULLROLE=analyst
+ elif [ "$ROLE" == "b" ]; then
+ FULLROLE=beats_endpoint
+ elif [ "$ROLE" == "o" ]; then
+ FULLROLE=osquery_endpoint
+ elif [ "$ROLE" == "w" ]; then
+ FULLROLE=wazuh_endpoint
+ else
+ echo "I don't recognize that role"
+ exit 1
+ fi
-if [ "$ROLE" == "a" ]; then
- FULLROLE=analyst
-elif [ "$ROLE" == "b" ]; then
- FULLROLE=beats_endpoint
-elif [ "$ROLE" == "o" ]; then
- FULLROLE=osquery_endpoint
-elif [ "$ROLE" == "w" ]; then
- FULLROLE=wazuh_endpoint
-else
- echo "I don't recognize that role"
- exit 1
 fi
 echo "Adding $IP to the $FULLROLE role. This can take a few seconds"
 /opt/so/saltstack/pillar/firewall/addfirewall.sh $FULLROLE $IP
+
+# Check if Wazuh enabled
+if grep -q -R "wazuh: 1" /opt/so/saltstack/pillar/*; then
+ # If analyst, add to Wazuh AR whitelist
+ if [ "$FULLROLE" == "analyst" ]; then
+ WAZUH_MGR_CFG="/opt/so/wazuh/etc/ossec.conf"
+ if ! grep -q "$IP" $WAZUH_MGR_CFG ; then
+ DATE=`date`
+ sed -i 's/<\/ossec_config>//' $WAZUH_MGR_CFG
+ sed -i '/^$/N;/^\n$/D' $WAZUH_MGR_CFG
+ echo -e "\n \n $IP\n \n" >> $WAZUH_MGR_CFG
+ echo "Added whitelist entry for $IP in $WAZUH_MGR_CFG."
+ echo
+ echo "Restarting OSSEC Server..."
+ /usr/sbin/so-wazuh-restart
+ fi
+ fi
+fi
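Review bot: `$IP`, whether it comes from `-i` or from `read IP`, reaches `addfirewall.sh`, the `grep -q "$IP"` test and the `echo -e ... >> $WAZUH_MGR_CFG` append without any validation, in a script that got_root appears to require to run as root. A role flag given without `-i` leaves `$IP` empty. A value containing whitespace or markup would be split into extra arguments to the firewall script, or written verbatim into the Wazuh active-response whitelist in ossec.conf. I would check the shape of the value before the `echo "Adding ..."` line and quote the expansions, as sketched below. Separately, the optstring `"abowi:"` has no `h`, so the `h)` arm cannot be reached, and no `usage` function is defined in the lines shown.

```shell
while getopts "habowi:" OPTION
# … unchanged: option arms, interactive prompts and role mapping …

# Shape check only: octet and prefix ranges are not verified here
if [[ -z "$FULLROLE" || ! "$IP" =~ ^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$ ]]; then
    echo "A role and a valid IP address or CIDR range are required" >&2
    exit 1
fi

echo "Adding $IP to the $FULLROLE role. This can take a few seconds"
/opt/so/saltstack/pillar/firewall/addfirewall.sh "$FULLROLE" "$IP"
# … unchanged: Wazuh enabled check and whitelist append …
```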