From 61ae61953fa37e25dc80b9dcadaa9952c29509aa Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Wed, 23 Feb 2022 15:14:11 -0500
Subject: [PATCH 1/2] allow only manager to connect to ssh port for idh node
---
 salt/firewall/assigned_hostgroups.map.yaml | 6 ++++--
 salt/firewall/portgroups.yaml | 6 +++++-
 salt/idh/defaults/defaults.yaml | 6 +++++-
 salt/idh/init.sls | 5 ++++-
 salt/idh/openssh/config.sls | 23 ++++++++++++++++++++++
 salt/idh/openssh/init.sls | 17 ++++++++++++++++
 salt/idh/openssh/map.jinja | 16 +++++++++++++++
 7 files changed, 74 insertions(+), 5 deletions(-)
 create mode 100644 salt/idh/openssh/config.sls
 create mode 100644 salt/idh/openssh/init.sls
 create mode 100644 salt/idh/openssh/map.jinja
diff --git a/salt/firewall/assigned_hostgroups.map.yaml b/salt/firewall/assigned_hostgroups.map.yaml
index f58fff158..9e105e567 100644
--- a/salt/firewall/assigned_hostgroups.map.yaml
+++ b/salt/firewall/assigned_hostgroups.map.yaml
@@ -659,7 +659,6 @@ role:
 hostgroups:
 anywhere:
 portgroups:
- - {{ portgroups.ssh }}
 {% set idh_services = salt['pillar.get']('idh:services', []) %}
 {% for service in idh_services %}
 - {{ portgroups['idh_'~service] }}
@@ -669,4 +668,7 @@ role:
 - {{ portgroups.all }}
 localhost:
 portgroups:
- - {{ portgroups.all }}
\ No newline at end of file
+ - {{ portgroups.all }}
+ manager:
+ portgroups:
+ - {{ portgroups.ssh }}
diff --git a/salt/firewall/portgroups.yaml b/salt/firewall/portgroups.yaml
index e928987f7..1a183a178 100644
--- a/salt/firewall/portgroups.yaml
+++ b/salt/firewall/portgroups.yaml
@@ -1,6 +1,10 @@
 {% if grains.role == 'so-idh' %}
 {% from 'idh/opencanary_config.map.jinja' import OPENCANARYCONFIG %}
+ {% from 'idh/openssh/map.jinja' import openssh_map %}
 {% set idh_services = salt['pillar.get']('idh:services', []) %}
+ {% set ssh_port = openssh_map.config.port %}
+{% else %}
+ {% set ssh_port = 22 %}
 {% endif %}
 firewall:
@@ -88,7 +92,7 @@ firewall:
 - 443
 ssh:
 tcp:
- - 22
+ - {{ ssh_port }}
 strelka_frontend:
 tcp:
 - 57314
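Review bot: After the second hunk of assigned_hostgroups.map.yaml the `manager` hostgroup is the only place the IDH role still exposes `portgroups.ssh`, and because portgroups.yaml in this same commit redefines `ssh` to `ssh_port` for `so-idh`, that entry no longer means port 22 but the sshd port from `idh:openssh:config:port` (2222 by default), while port 22, if `ssh` is among `idh:services`, stays under `anywhere` through `portgroups['idh_'~service]`. Nothing in the map records this split, so a later reader who sees `ssh` removed from `anywhere` and added under `manager` will not know that two different daemons are involved. A short Jinja comment beside the new `manager` entry would fix that: `{# management sshd on idh:openssh:config:port; the OpenCanary ssh listener is exposed via the idh_* portgroups above #}`.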
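Review bot: In the first portgroups.yaml hunk `openssh_map` is imported with `{% from 'idh/openssh/map.jinja' import openssh_map %}`, while config.sls and init.sls in the same series import the same map `with context`; map.jinja reads pillar and grains through `salt[...]`, so both forms presumably render under Salt's template globals, but the mixed usage invites doubt about which one is required. For uniformity write `{% from 'idh/openssh/map.jinja' import openssh_map with context %}` here as well. The `{% else %}` branch hard-codes `ssh_port = 22` as the non-IDH value next to a value that otherwise comes from defaults.yaml; a one-line `{# non-IDH roles keep the stock sshd port #}` would make that intentional rather than look like a forgotten default.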
diff --git a/salt/idh/defaults/defaults.yaml b/salt/idh/defaults/defaults.yaml
index 5f3cc826c..673b18c55 100644
--- a/salt/idh/defaults/defaults.yaml
+++ b/salt/idh/defaults/defaults.yaml
@@ -32,4 +32,8 @@ idh:
 tcpbanner_1.keep_alive_secret: ''
 tcpbanner_1.keep_alive_probes: 11
 tcpbanner_1.keep_alive_interval: 300
- tcpbanner_1.keep_alive_idle: 300
\ No newline at end of file
+ tcpbanner_1.keep_alive_idle: 300
+ openssh:
+ enable: true
+ config:
+ port: 2222
diff --git a/salt/idh/init.sls b/salt/idh/init.sls
index 6627e266d..089ecc4df 100644
--- a/salt/idh/init.sls
+++ b/salt/idh/init.sls
@@ -20,6 +20,9 @@
 {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %}
 {% set MANAGER = salt['grains.get']('master') %}
+include:
+ - idh.openssh.config
+
 # IDH State
 # Create a config directory
@@ -72,4 +75,4 @@ append_so-idh_so-status.conf:
 test.fail_without_changes:
 - name: {{sls}}_state_not_allowed
-{% endif %}
\ No newline at end of file
+{% endif %}
diff --git a/salt/idh/openssh/config.sls b/salt/idh/openssh/config.sls
new file mode 100644
index 000000000..2112aa334
--- /dev/null
+++ b/salt/idh/openssh/config.sls
@@ -0,0 +1,23 @@
+{% from "idh/openssh/map.jinja" import openssh_map with context %}
+
+include:
+ - idh.openssh
+
+{% if grains.os_family == 'RedHat' %}
+sshd_selinux:
+ selinux.port_policy_present:
+ - name: tcp/{{ openssh_map.config.port }}
+ - port: {{ openssh_map.config.port }}
+ - protocol: tcp
+ - sel_type: ssh_port_t
+ - prereq:
+ - file: openssh_config
+{% endif %}
+
+openssh_config:
+ file.replace:
+ - name: {{ openssh_map.conf }}
+ - pattern: '(^|^#)Port \d+$'
+ - repl: 'Port {{ openssh_map.config.port }}'
+ - watch_in:
+ - service: {{ openssh_map.service }}
diff --git a/salt/idh/openssh/init.sls b/salt/idh/openssh/init.sls
new file mode 100644
index 000000000..ba0a8ab04
--- /dev/null
+++ b/salt/idh/openssh/init.sls
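Review bot: `openssh_config` in config.sls relies on `file.replace` matching `(^|^#)Port \d+$`, and without `append_if_not_found` a config that has no such line (for instance `# Port 22` with a space after the hash, or one shipped without the Port stanza) produces a no-change result: sshd keeps listening on 22, the `watch_in` never restarts it, and nothing in the state fails. That is the wrong silent outcome for this series, because the firewall change opens `portgroups.ssh` on the new port only to the manager and, if `ssh` is an IDH service, leaves 22 open to `anywhere` for the honeypot, so the real sshd would be the daemon reachable on the honeypot port and the manager would have no admin port that anything is listening on. Adding `- append_if_not_found: True` and `- not_found_content: 'Port {{ openssh_map.config.port }}'` makes the state converge in both cases. Note that the `sshd_selinux` prereq on `file: openssh_config` also only fires when the replace reports a change, so the same silent no-op would skip the SELinux label too.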
@@ -0,0 +1,17 @@
+{# This state is designed to only manage the openssh server settings of an IDH node and is seperate from the ssh setting for OpenCanary #}
+{% from "idh/openssh/map.jinja" import openssh_map with context %}
+
+openssh:
+ pkg.installed:
+ - name: {{ openssh_map.server }}
+ {% if openssh_map.enable is sameas true %}
+ service.running:
+ - enable: {{ openssh_map.enable }}
+ - name: {{ openssh_map.service }}
+ - require:
+ - pkg: {{ openssh_map.server }}
+ {% else %}
+ service.dead:
+ - enable: False
+ - name: {{ openssh_map.service }}
+ {% endif %}
diff --git a/salt/idh/openssh/map.jinja b/salt/idh/openssh/map.jinja
new file mode 100644
index 000000000..4bb99bc03
--- /dev/null
+++ b/salt/idh/openssh/map.jinja
@@ -0,0 +1,16 @@
+{% import_yaml "idh/defaults/defaults.yaml" as idh_defaults with context %}
+
+{% set openssh_map = salt['grains.filter_by']({
+ 'Debian': {
+ 'client': 'openssh-client',
+ 'server': 'openssh-server',
+ 'service': 'ssh',
+ 'conf': '/etc/ssh/sshd_config'
+ },
+ 'RedHat': {
+ 'client': 'openssh-clients',
+ 'server': 'openssh-server',
+ 'service': 'sshd',
+ 'conf': '/etc/ssh/sshd_config'
+ },
+}, merge=salt['pillar.get']('idh:openssh', default=idh_defaults.idh.openssh, merge=True)) %}
From 2bf20bd1f06845e9dbb206ee60a0e3f597260eff Mon Sep 17 00:00:00 2001
From: Josh Brower
Date: Wed, 23 Feb 2022 19:33:10 -0500
Subject: [PATCH 2/2] UC true
---
 salt/playbook/init.sls | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/playbook/init.sls b/salt/playbook/init.sls
index 81db5205c..57f9afb24 100644
--- a/salt/playbook/init.sls
+++ b/salt/playbook/init.sls
@@ -117,7 +117,7 @@ idh-plays:
 - source: salt://idh/plays
 - makedirs: True
 cmd.run:
- - name: so-playbook-import true
+ - name: so-playbook-import True
 - onchanges:
 - file: /opt/so/conf/soctopus/sigma-import
 {% endif %}
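Review bot: `{% if openssh_map.enable is sameas true %}` in openssh/init.sls takes the `service.running` branch only for a genuine boolean, so a pillar override such as `idh:openssh:enable: 'true'` (a quoted string) or `1` falls through to `service.dead` with `enable: False`, which stops and disables the node's sshd and with it the only SSH path the firewall still grants the manager after this series. If the strict comparison is deliberate, say so in the header comment; otherwise normalise the value, e.g. `{% if openssh_map.enable | to_bool %}`. The header comment also misspells `separate` as `seperate`.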
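Review bot: The `grains.filter_by` call in map.jinja lists only `Debian` and `RedHat` and passes no `default`, so on any other `os_family` the lookup appears to yield no mapping and the first attribute access, `openssh_map.config.port` in portgroups.yaml under the `so-idh` role or in config.sls, aborts the render with an opaque error rather than a message about the platform. If those two families are the only supported ones, a comment above the call makes the failure mode explicit: `{# only Debian and RedHat families are mapped; other families fail at render time #}`. The `merge=` argument also means a pillar `idh:openssh` block can override `conf` and `service`, not just `enable` and `config`, which is worth a line in the same comment.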