From 3e2e68fbd023d22fd69a5a339425087e83eeeadd Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Fri, 24 Feb 2023 14:24:47 -0500
Subject: [PATCH 1/6] custom hostgroups in soc
---
salt/firewall/{ => soc}/defaults_soc_firewall.yaml | 0
salt/firewall/soc/init.sls | 5 +++++
salt/firewall/soc/soc.map.jinja | 2 ++
salt/firewall/soc/soc_firewall.yaml.jinja | 1 +
4 files changed, 8 insertions(+)
rename salt/firewall/{ => soc}/defaults_soc_firewall.yaml (100%)
create mode 100644 salt/firewall/soc/init.sls
create mode 100644 salt/firewall/soc/soc.map.jinja
create mode 100644 salt/firewall/soc/soc_firewall.yaml.jinja
diff --git a/salt/firewall/defaults_soc_firewall.yaml b/salt/firewall/soc/defaults_soc_firewall.yaml
similarity index 100%
rename from salt/firewall/defaults_soc_firewall.yaml
rename to salt/firewall/soc/defaults_soc_firewall.yaml
diff --git a/salt/firewall/soc/init.sls b/salt/firewall/soc/init.sls
new file mode 100644
index 000000000..2530606cc
--- /dev/null
+++ b/salt/firewall/soc/init.sls
@@ -0,0 +1,5 @@
+soc_firewall_yaml:
+ file.managed:
+ - name: /opt/so/saltstack/local/salt/firewall/soc_firewall.yaml
+ - source: salt://firewall/soc/soc_firewall.yaml.jinja
+ - template: jinja
diff --git a/salt/firewall/soc/soc.map.jinja b/salt/firewall/soc/soc.map.jinja
new file mode 100644
index 000000000..cd3fa0401
--- /dev/null
+++ b/salt/firewall/soc/soc.map.jinja
@@ -0,0 +1,2 @@
+{% import_yaml 'firewall/soc/defaults_soc_firewall.yaml' as DEFAULT_SOC_FIREWALL %}
+{% set SOC_FIREWALL = salt['pillar.get'}('firewall:custom_groups:groups', DEFAULT_SOC_FIREWALL.firewall.hostgroups, merge=True) %}
diff --git a/salt/firewall/soc/soc_firewall.yaml.jinja b/salt/firewall/soc/soc_firewall.yaml.jinja
new file mode 100644
index 000000000..916fd83d1
--- /dev/null
+++ b/salt/firewall/soc/soc_firewall.yaml.jinja
@@ -0,0 +1 @@
+{% from 'firewall/soc/soc.map.jinja' import SOC_FIREWALL %}
From 29c68c1273a7970c25d8446bd13c2442992b100a Mon Sep 17 00:00:00 2001
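Review bot: The `file.managed` state added in salt/firewall/soc/init.sls sets no `user`, `group` or `mode`, so ownership and permissions of the generated soc_firewall.yaml fall back to Salt's defaults and the minion's umask, and a later manual change to the file's mode would not be corrected by highstate. Pinning them explicitly, for example `- mode: 644` together with the owner the other firewall states use, keeps the rendered file's permissions declarative. The same applies to the PATCH 5/6 hunk of this file, which only changes the destination path. Adding `- makedirs: True` is also worth considering if the destination directory is not guaranteed by another state.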
From: m0duspwnens
Date: Fri, 24 Feb 2023 14:32:35 -0500
Subject: [PATCH 2/6] fix bracket, add output to template
---
salt/firewall/soc/soc.map.jinja | 2 +-
salt/firewall/soc/soc_firewall.yaml.jinja | 2 ++
2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/salt/firewall/soc/soc.map.jinja b/salt/firewall/soc/soc.map.jinja
index cd3fa0401..7e86d5252 100644
--- a/salt/firewall/soc/soc.map.jinja
+++ b/salt/firewall/soc/soc.map.jinja
@@ -1,2 +1,2 @@
 {% import_yaml 'firewall/soc/defaults_soc_firewall.yaml' as DEFAULT_SOC_FIREWALL %}
-{% set SOC_FIREWALL = salt['pillar.get'}('firewall:custom_groups:groups', DEFAULT_SOC_FIREWALL.firewall.hostgroups, merge=True) %}
+{% set SOC_FIREWALL = salt['pillar.get']('firewall:custom_groups:groups', DEFAULT_SOC_FIREWALL.firewall.hostgroups, merge=True) %}
diff --git a/salt/firewall/soc/soc_firewall.yaml.jinja b/salt/firewall/soc/soc_firewall.yaml.jinja
index 916fd83d1..0a8a4761f 100644
--- a/salt/firewall/soc/soc_firewall.yaml.jinja
+++ b/salt/firewall/soc/soc_firewall.yaml.jinja
@@ -1 +1,3 @@
 {% from 'firewall/soc/soc.map.jinja' import SOC_FIREWALL %}
+
+{{ SOC_FIREWALL | yaml(false) }}
From d502d95dba620c14509214c6d80093c7b507d72a Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Fri, 24 Feb 2023 15:24:02 -0500
Subject: [PATCH 3/6] changes for soc firewall
---
pillar/top.sls | 8 ++++++++
salt/firewall/soc/soc.map.jinja | 9 ++++++++-
salt/firewall/soc/soc_firewall.yaml.jinja | 3 +--
3 files changed, 17 insertions(+), 3 deletions(-)
diff --git a/pillar/top.sls b/pillar/top.sls
index 86de8709e..41d3265f0 100644
--- a/pillar/top.sls
+++ b/pillar/top.sls
@@ -60,6 +60,8 @@ base:
 - elasticsearch.adv_elasticsearch
 - backup.soc_backup
 - backup.adv_backup
+ - firewall.soc_firewall
+ - firewall.adv_firewall
 - minions.{{ grains.id }}
 - minions.adv_{{ grains.id }}
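Review bot: The two pillar includes added to pillar/top.sls, `firewall.soc_firewall` and `firewall.adv_firewall`, have no matching file anywhere in this series (none of the diffstats lists a pillar/firewall/*.sls), so unless those pillar files already exist on the master every minion matched by this stanza will get a pillar render error for a missing SLS, and state.highstate will typically refuse to run for a minion whose pillar carries errors. Either add the two pillar files in the same change, or confirm in the commit message that they are already present. The same includes are added by the three further pillar/top.sls hunks of PATCH 3/6 that follow.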
@@ -94,6 +96,8 @@ base:
 - influxdb.adv_influxdb
 - backup.soc_backup
 - backup.adv_backup
+ - firewall.soc_firewall
+ - firewall.adv_firewall
 - minions.{{ grains.id }}
 - minions.adv_{{ grains.id }}
@@ -125,6 +129,8 @@ base:
 - soc.soc_soc
 - backup.soc_backup
 - backup.adv_backup
+ - firewall.soc_firewall
+ - firewall.adv_firewall
 - minions.{{ grains.id }}
 - minions.adv_{{ grains.id }}
@@ -197,6 +203,8 @@ base:
 - redis.adv_redis
 - influxdb.soc_influxdb
 - influxdb.adv_influxdb
+ - firewall.soc_firewall
+ - firewall.adv_firewall
 - minions.{{ grains.id }}
 - minions.adv_{{ grains.id }}
diff --git a/salt/firewall/soc/soc.map.jinja b/salt/firewall/soc/soc.map.jinja
index 7e86d5252..00fc50dd1 100644
--- a/salt/firewall/soc/soc.map.jinja
+++ b/salt/firewall/soc/soc.map.jinja
@@ -1,2 +1,9 @@
 {% import_yaml 'firewall/soc/defaults_soc_firewall.yaml' as DEFAULT_SOC_FIREWALL %}
-{% set SOC_FIREWALL = salt['pillar.get']('firewall:custom_groups:groups', DEFAULT_SOC_FIREWALL.firewall.hostgroups, merge=True) %}
+{% set PILLAR_SOC_FIREWALL_GROUPS = salt['pillar.get']('firewall:custom_groups:groups', {}) %}
+{% set SOC_FIREWALL = DEFAULT_SOC_FIREWALL %}
+
+{% for group in PILLAR_SOC_FIREWALL_GROUPS %}
+{% set description = 'List of IP addresses or CIDR blocks to allow for ' ~ group ~ ' hostgroup.' %}
+{% set title = group[0]|upper ~ group[1:] %}
+{% do SOC_FIREWALL.firewall.hostgroups.update({group:{'description': description, 'file': 'True', 'global': 'True', 'title': title, 'helpLink': 'firewall.html#host-groups'}}) %}
+{% endfor %}
diff --git a/salt/firewall/soc/soc_firewall.yaml.jinja b/salt/firewall/soc/soc_firewall.yaml.jinja
index 0a8a4761f..bc6a429f0 100644
--- a/salt/firewall/soc/soc_firewall.yaml.jinja
+++ b/salt/firewall/soc/soc_firewall.yaml.jinja
@@ -1,3 +1,2 @@
-{% from 'firewall/soc/soc.map.jinja' import SOC_FIREWALL %}
-
+{% from 'firewall/soc/soc.map.jinja' import SOC_FIREWALL -%}
 {{ SOC_FIREWALL | yaml(false) }}
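Review bot: In the `{% do SOC_FIREWALL.firewall.hostgroups.update(...) %}` line of soc.map.jinja the custom groups are given `'file': 'True'` and `'global': 'True'` as strings, while the default hostgroups in defaults_soc_firewall.yaml carry bare `True` booleans, so the rendered soc_firewall.yaml mixes `file: 'True'` with `file: true` and a consumer that tests the value as a boolean may treat custom and default groups differently; use `'file': True, 'global': True`. The loop also reads `group[0]` without checking that the pillar-supplied name is non-empty, and takes any name verbatim as a hostgroup key; an `{% if group %}` guard at the top of the loop (or a check against whatever name pattern the firewall state itself accepts) would fail clearly instead of raising inside the template. Note that `{% set SOC_FIREWALL = DEFAULT_SOC_FIREWALL %}` does not copy, so the update mutates the imported default mapping too; that appears harmless here, but a one-line comment saying it is intentional would save the next reader the question.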
From fa5b9799f51c59581bff85c0f6125aa3878fe58c Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Fri, 24 Feb 2023 15:26:39 -0500
Subject: [PATCH 4/6] add firewall.soc to top for managers
---
salt/top.sls | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/salt/top.sls b/salt/top.sls
index 25ec1ccd4..c09974418 100644
--- a/salt/top.sls
+++ b/salt/top.sls
@@ -77,6 +77,7 @@ base:
 - telegraf
 - influxdb
 - soc
+ - firewall.soc
 - kratos
 - firewall
 - idstools
@@ -121,6 +122,7 @@ base:
 - telegraf
 - influxdb
 - soc
+ - firewall.soc
 - kratos
 - firewall
 - manager
@@ -163,6 +165,7 @@ base:
 - telegraf
 - influxdb
 - soc
+ - firewall.soc
 - kratos
 - firewall
 - idstools
@@ -227,6 +230,7 @@ base:
 - telegraf
 - influxdb
 - soc
+ - firewall.soc
 - kratos
 - firewall
 - manager
@@ -296,6 +300,7 @@ base:
 - telegraf
 - influxdb
 - soc
+ - firewall.soc
 - kratos
 - firewall
 - idstools
From 6b486d96047f66e73b1055d19da53c2c0e75b1f4 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Fri, 24 Feb 2023 15:55:27 -0500
Subject: [PATCH 5/6] move to default
---
salt/firewall/soc/init.sls | 2 +-
salt/firewall/soc/soc_firewall.yaml.jinja | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/salt/firewall/soc/init.sls b/salt/firewall/soc/init.sls
index 2530606cc..bae1a3048 100644
--- a/salt/firewall/soc/init.sls
+++ b/salt/firewall/soc/init.sls
@@ -1,5 +1,5 @@
 soc_firewall_yaml:
 file.managed:
- - name: /opt/so/saltstack/local/salt/firewall/soc_firewall.yaml
+ - name: /opt/so/saltstack/default/salt/firewall/soc_firewall.yaml
 - source: salt://firewall/soc/soc_firewall.yaml.jinja
 - template: jinja
diff --git a/salt/firewall/soc/soc_firewall.yaml.jinja b/salt/firewall/soc/soc_firewall.yaml.jinja
index bc6a429f0..0502c0246 100644
--- a/salt/firewall/soc/soc_firewall.yaml.jinja
+++ b/salt/firewall/soc/soc_firewall.yaml.jinja
@@ -1,2 +1,2 @@
 {% from 'firewall/soc/soc.map.jinja' import SOC_FIREWALL -%}
-{{ SOC_FIREWALL | yaml(false) }}
+{{ SOC_FIREWALL | yaml(False) }}
From d12ea041bf5860fa13dad73e95a76cf5f5e8918a Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Fri, 24 Feb 2023 16:20:16 -0500
Subject: [PATCH 6/6] capitalize
---
salt/firewall/soc/defaults_soc_firewall.yaml | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/salt/firewall/soc/defaults_soc_firewall.yaml b/salt/firewall/soc/defaults_soc_firewall.yaml
index 718cba441..fd72df523 100644
--- a/salt/firewall/soc/defaults_soc_firewall.yaml
+++ b/salt/firewall/soc/defaults_soc_firewall.yaml
@@ -31,40 +31,40 @@ firewall:
 file: True
 global: True
 title: Beats Endpoints SSL
- helplink: firewall.html#host-groups
+ helpLink: firewall.html#host-groups
 elastic_agent_endpoint:
 description: List of IP addresses or CIDR blocks for Elastic Agent connections.
 file: True
 global: True
 title: Elastic Agents
- helplink: firewall.html#host-groups
+ helpLink: firewall.html#host-groups
 elasticsearch_rest:
 description: List of IP addresses or CIDR blocks to allow access directly to Elasticsearch.
 file: True
 global: True
 title: Elasticsearch Rest
 advanced: True
- helplink: firewall.html#host-groups
+ helpLink: firewall.html#host-groups
 endgame:
 description: List of IP addresses or CIDR blocks to allow Endgame access.
 file: True
 global: True
 title: Endgame
 advanced: True
- helplink: firewall.html#host-groups
+ helpLink: firewall.html#host-groups
 strelka_frontend:
 description: List of IP addresses or CIDR blocks to allow access to the Strelka front end.
 file: True
 global: True
 title: Strelka Frontend
 advanced: True
- helplink: firewall.html#host-groups
+ helpLink: firewall.html#host-groups
 syslog:
 description: List of IP addresses or CIDR blocks to allow syslog.
 file: True
 global: True
 title: Syslog Endpoint Traffic
- helplink: firewall.html#host-groups
+ helpLink: firewall.html#host-groups
 standalone:
 description: List of IP addresses or CIDR blocks to allow standalone connections.
 file: True