CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-06 17:22:49 +01:00
Code Issues Packages Projects Releases Wiki Activity

Initial Firewall State Simplification

Browse Source
This commit is contained in:
Mike Reeves
2020-05-07 11:36:38 -04:00
parent a883af32e7
commit dd8627f9dd
5 changed files with 134 additions and 120 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
pillar/firewall/addfirewall.sh
View File

@@ -8,6 +8,6 @@ IPADDRESS=$2
if grep -q $2 "/opt/so/saltstack/pillar/firewall/$1.sls"; then if grep -q $2 "/opt/so/saltstack/pillar/firewall/$1.sls"; then
echo "Firewall Rule Already There" echo "Firewall Rule Already There"
else else
echo " - $2" >> /opt/so/saltstack/pillar/firewall/$1.sls echo " - $2" >> /opt/so/saltstack/pillar/firewall/$1.sls
salt-call state.apply firewall queue=True salt-call state.apply firewall queue=True
fi fi

62
pillar/firewall/ports.sls Normal file
View File

@@ -0,0 +1,62 @@
firewall:
analyst:
ports:
tcp:
- 80
- 443
udp:
beats_endpoint:
ports:
tcp:
- 5044
forward_nodes:
ports:
tcp:
- 443
- 5044
- 5644
- 9822
udp:
master:
ports:
tcp:
- 1514
- 3200
- 3306
- 4200
- 5601
- 6379
- 8086
- 8090
- 9001
- 9200
- 9300
- 9400
- 9500
udp:
- 1514
minions:
ports:
tcp:
- 3142
- 4505
- 4506
- 5000
- 8080
- 8086
- 55000
osquery_endpoint:
ports:
tcp:
- 8090
search_nodes:
ports:
tcp:
- 6379
- 9300
wazuh_endpoint:
ports:
tcp:
- 1514
udp:
-1514

178
salt/firewall/init.sls
View File

@@ -112,29 +112,6 @@ enable_docker_user_established:
- match: conntrack - match: conntrack
- ctstate: 'RELATED,ESTABLISHED' - ctstate: 'RELATED,ESTABLISHED'
# Add rule(s) for Wazuh manager
enable_wazuh_manager_1514_tcp_{{ip}}:
iptables.insert:
- table: filter
- chain: DOCKER-USER
- jump: ACCEPT
- proto: tcp
- source: {{ ip }}
- dport: 1514
- position: 1
- save: True
enable_wazuh_manager_1514_udp_{{ip}}:
iptables.insert:
- table: filter
- chain: DOCKER-USER
- jump: ACCEPT
- proto: udp
- source: {{ ip }}
- dport: 1514
- position: 1
- save: True
# Rules if you are a Master # Rules if you are a Master
{% if grains['role'] == 'so-master' or grains['role'] == 'so-eval' or grains['role'] == 'so-helix' or grains['role'] == 'so-mastersearch' %} {% if grains['role'] == 'so-master' or grains['role'] == 'so-eval' or grains['role'] == 'so-helix' or grains['role'] == 'so-mastersearch' %}
#This should be more granular #This should be more granular
@@ -147,16 +124,16 @@ iptables_allow_master_docker:
- position: 1 - position: 1
- save: True - save: True
{% for ip in pillar.get('masterfw') %} {% for ip in pillar.get('firewall:master:ips') %}
# Allow Redis # Allow Redis
enable_maternode_redis_6379_{{ip}}: enable_masternode_{{ip}}_{{port}}:
iptables.insert: iptables.insert:
- table: filter - table: filter
- chain: DOCKER-USER - chain: DOCKER-USER
- jump: ACCEPT - jump: ACCEPT
- proto: tcp - proto: tcp
- source: {{ ip }} - source: {{ ip }}
- dport: 6379 - dport: {{ port }}
- position: 1 - position: 1
- save: True - save: True
@@ -292,13 +269,49 @@ enable_master_cyberchef_9080_{{ip}}:
- position: 1 - position: 1
- save: True - save: True
# Add rule(s) for Wazuh manager
enable_wazuh_manager_1514_tcp_{{ip}}:
iptables.insert:
- table: filter
- chain: DOCKER-USER
- jump: ACCEPT
- proto: tcp
- source: {{ ip }}
- dport: 1514
- position: 1
- save: True
enable_wazuh_manager_1514_udp_{{ip}}:
iptables.insert:
- table: filter
- chain: DOCKER-USER
- jump: ACCEPT
- proto: udp
- source: {{ ip }}
- dport: 1514
- position: 1
- save: True
{% endfor %}
{% for k in pillar.get('masterfw-custom', {}) %}
enable_custom_masterfw_{{ k }}:
iptables.insert:
- table: filter
- chain: {{ k.chain }}
- jump: ACCEPT
- proto: {{ k.proto }}
- source: {{ k.source }}
- dport: {{ k.dport }}
- position: 1
- save: True
{% endfor %} {% endfor %}
# Make it so all the minions can talk to salt and update etc. # Make it so all the minions can talk to salt and update etc.
{% for ip in pillar.get('minions') %} {% for ip in pillar.get('firewall:minions') %}
enable_salt_minions_4505_{{ip}}: enable_salt_minions_salt_4505_{{ip}}:
iptables.insert: iptables.insert:
- table: filter - table: filter
- chain: INPUT - chain: INPUT
@@ -309,7 +322,7 @@ enable_salt_minions_4505_{{ip}}:
- position: 1 - position: 1
- save: True - save: True
enable_salt_minions_4506_{{ip}}: enable_salt_minions_salt_4506_{{ip}}:
iptables.insert: iptables.insert:
- table: filter - table: filter
- chain: INPUT - chain: INPUT
@@ -320,7 +333,7 @@ enable_salt_minions_4506_{{ip}}:
- position: 1 - position: 1
- save: True - save: True
enable_salt_minions_5000_{{ip}}: enable_salt_minions_registry_5000_{{ip}}:
iptables.insert: iptables.insert:
- table: filter - table: filter
- chain: DOCKER-USER - chain: DOCKER-USER
@@ -331,7 +344,7 @@ enable_salt_minions_5000_{{ip}}:
- position: 1 - position: 1
- save: True - save: True
enable_salt_minions_3142_{{ip}}: enable_salt_minions_acng_3142_{{ip}}:
iptables.insert: iptables.insert:
- table: filter - table: filter
- chain: DOCKER-USER - chain: DOCKER-USER
@@ -378,7 +391,7 @@ enable_minion_wazuh_55000_{{ip}}:
{% endfor %} {% endfor %}
# Allow Forward Nodes to send their beats traffic # Allow Forward Nodes to send their beats traffic
{% for ip in pillar.get('forward_nodes') %} {% for ip in pillar.get('firewall:forward_nodes') %}
enable_forwardnode_beats_5044_{{ip}}: enable_forwardnode_beats_5044_{{ip}}:
iptables.insert: iptables.insert:
@@ -442,7 +455,7 @@ enable_fleetnode_beats_5644_{{FLEET_NODE_IP}}:
{% endif %} {% endif %}
{% for ip in pillar.get('search_nodes') %} {% for ip in pillar.get('firewall:search_nodes') %}
enable_searchnode_redis_6379_{{ip}}: enable_searchnode_redis_6379_{{ip}}:
iptables.insert: iptables.insert:
@@ -469,7 +482,7 @@ enable_searchnode_ES_9300_{{ip}}:
{% endfor %} {% endfor %}
# Allow Beats Endpoints to send their beats traffic # Allow Beats Endpoints to send their beats traffic
{% for ip in pillar.get('beats_endpoint') %} {% for ip in pillar.get('firewall:beats_endpoint') %}
enable_standard_beats_5044_{{ip}}: enable_standard_beats_5044_{{ip}}:
iptables.insert: iptables.insert:
@@ -485,7 +498,7 @@ enable_standard_beats_5044_{{ip}}:
{% endfor %} {% endfor %}
# Allow OSQuery Endpoints to send their traffic # Allow OSQuery Endpoints to send their traffic
{% for ip in pillar.get('osquery_endpoint') %} {% for ip in pillar.get('firewall:osquery_endpoint') %}
enable_standard_osquery_8090_{{ip}}: enable_standard_osquery_8090_{{ip}}:
iptables.insert: iptables.insert:
@@ -501,7 +514,7 @@ enable_standard_osquery_8090_{{ip}}:
{% endfor %} {% endfor %}
# Allow Wazuh Endpoints to send their traffic # Allow Wazuh Endpoints to send their traffic
{% for ip in pillar.get('wazuh_endpoint') %} {% for ip in pillar.get('firewall:wazuh_endpoint') %}
enable_wazuh_endpoint_tcp_1514_{{ip}}: enable_wazuh_endpoint_tcp_1514_{{ip}}:
iptables.insert: iptables.insert:
@@ -527,8 +540,8 @@ enable_wazuh_endpoint_udp_1514_{{ip}}:
{% endfor %} {% endfor %}
# Allow Analysts # All Analysts get the following access to the master:
{% for ip in pillar.get('analyst') %} {% for ip in pillar.get('firewall:analyst') %}
enable_standard_analyst_80_{{ip}}: enable_standard_analyst_80_{{ip}}:
iptables.insert: iptables.insert:
@@ -552,73 +565,12 @@ enable_standard_analyst_443_{{ip}}:
- position: 1 - position: 1
- save: True - save: True
#enable_standard_analyst_3000_{{ip}}:
# iptables.insert:
# - table: filter
# - chain: DOCKER-USER
# - jump: ACCEPT
# - proto: tcp
# - source: {{ ip }}
# - dport: 3000
# - position: 1
# - save: True
#enable_standard_analyst_7000_{{ip}}:
# iptables.insert:
# - table: filter
# - chain: DOCKER-USER
# - jump: ACCEPT
# - proto: tcp
# - source: {{ ip }}
# - dport: 7000
# - position: 1
# - save: True
#enable_standard_analyst_9000_{{ip}}:
# iptables.insert:
# - table: filter
# - chain: DOCKER-USER
# - jump: ACCEPT
# - proto: tcp
# - source: {{ ip }}
# - dport: 9000
# - position: 1
# - save: True
#enable_standard_analyst_9001_{{ip}}:
# iptables.insert:
# - table: filter
# - chain: DOCKER-USER
# - jump: ACCEPT
# - proto: tcp
# - source: {{ ip }}
# - dport: 9001
# - position: 1
# - save: True
# This is temporary for sensoroni testing
#enable_standard_analyst_9822_{{ip}}:
# iptables.insert:
# - table: filter
# - chain: DOCKER-USER
# - jump: ACCEPT
# - proto: tcp
# - source: {{ ip }}
# - dport: 9822
# - position: 1
# - save: True
{% endfor %} {% endfor %}
# Rules for search nodes connecting to master
{% endif %} {% endif %}
# Rules if you are a Node # All Nodes get the below rules:
{% if 'node' in grains['role'] %} {% if 'node' in grains['role'] %}
#This should be more granular
iptables_allow_docker: iptables_allow_docker:
iptables.insert: iptables.insert:
- table: filter - table: filter
@@ -652,7 +604,7 @@ enable_docker_ES_9300:
- save: True - save: True
{% for ip in pillar.get('masterfw') %} {% for ip in pillar.get('firewall:masterfw') %}
enable_cluster_ES_9300_{{ip}}: enable_cluster_ES_9300_{{ip}}:
iptables.insert: iptables.insert:
@@ -669,7 +621,7 @@ enable_cluster_ES_9300_{{ip}}:
{% endfor %} {% endfor %}
{% endif %} {% endif %}
# Rules if you are a Sensor # All Sensors get the below rules:
{% if grains['role'] == 'so-sensor' %} {% if grains['role'] == 'so-sensor' %}
{% endif %} {% endif %}
@@ -678,16 +630,7 @@ enable_cluster_ES_9300_{{ip}}:
# Rules if you are a Warm Node # Rules if you are a Warm Node
# Some Fixer upper type rules # All heavy nodes get the below rules:
# Drop it like it's hot
# Make the input policy send stuff that doesn't match to be logged and dropped
iptables_drop_all_the_things:
iptables.append:
- table: filter
- chain: LOGGING
- jump: DROP
- save: True
{% if grains['role'] == 'so-heavynode' %} {% if grains['role'] == 'so-heavynode' %}
# Allow Redis # Allow Redis
enable_heavynode_redis_6379_{{ip}}: enable_heavynode_redis_6379_{{ip}}:
@@ -796,7 +739,7 @@ enable_fleettemp_osquery_8080_{{ip}}:
# Allow Analysts to access Fleet WebUI # Allow Analysts to access Fleet WebUI
{% for ip in pillar.get('analyst') %} {% for ip in pillar.get('firewall:analyst') %}
enable_fleetnode_fleet_443_{{ip}}: enable_fleetnode_fleet_443_{{ip}}:
iptables.insert: iptables.insert:
@@ -812,7 +755,7 @@ enable_fleetnode_fleet_443_{{ip}}:
{% endfor %} {% endfor %}
# Needed for osquery endpoints to checkin to Fleet API for mgt # Needed for osquery endpoints to checkin to Fleet API for mgt
{% for ip in pillar.get('osquery_endpoint') %} {% for ip in pillar.get('firewall:osquery_endpoint') %}
enable_fleetnode_8090_{{ip}}: enable_fleetnode_8090_{{ip}}:
iptables.insert: iptables.insert:
@@ -828,3 +771,10 @@ enable_fleetnode_8090_{{ip}}:
{% endfor %} {% endfor %}
{% endif %} {% endif %}
# Make the input policy send stuff that doesn't match to be logged and dropped
iptables_drop_all_the_things:
iptables.append:
- table: filter
- chain: LOGGING
- jump: DROP
- save: True

2
salt/top.sls
View File

@@ -1,4 +1,4 @@
{%- set BROVER = salt['pillar.get']('static:broversion', 'COMMUNITY') -%} {%- set BROVER = salt['pillar.get']('static:broversion', '') -%}
{%- set WAZUH = salt['pillar.get']('static:wazuh', '0') -%} {%- set WAZUH = salt['pillar.get']('static:wazuh', '0') -%}
{%- set THEHIVE = salt['pillar.get']('master:thehive', '0') -%} {%- set THEHIVE = salt['pillar.get']('master:thehive', '0') -%}
{%- set PLAYBOOK = salt['pillar.get']('master:playbook', '0') -%} {%- set PLAYBOOK = salt['pillar.get']('master:playbook', '0') -%}

8
setup/so-functions
View File

@@ -711,11 +711,13 @@ firewall_generate_templates() {
local firewall_pillar_path=/opt/so/saltstack/pillar/firewall local firewall_pillar_path=/opt/so/saltstack/pillar/firewall
mkdir -p "$firewall_pillar_path" mkdir -p "$firewall_pillar_path"
for i in analyst beats_endpoint forward_nodes masterfw minions osquery_endpoint search_nodes wazuh_endpoint for i in analyst beats_endpoint forward_nodes master minions osquery_endpoint search_nodes wazuh_endpoint
do do
printf '%s\n'\ printf '%s\n'\
"$i:"\ "firewall:"
" - 127.0.0.1"\ " $i:"\
" ips:" \
" - 127.0.0.1"\
"" > "$firewall_pillar_path"/$i.sls "" > "$firewall_pillar_path"/$i.sls
echo "Added $i Template" echo "Added $i Template"
done done