From 512c044d80be5c42ee7033bfccfabe40325ac9cd Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 19 Sep 2022 16:53:51 -0400 Subject: [PATCH 01/25] Thresholding --- salt/suricata/soc_suricata.yaml | 6 ++++ salt/suricata/thresholding/sids.yaml | 44 ++++++++++++++++++++++++++++ 2 files changed, 50 insertions(+) create mode 100644 salt/suricata/thresholding/sids.yaml diff --git a/salt/suricata/soc_suricata.yaml b/salt/suricata/soc_suricata.yaml index 65cb69a35..251de8663 100644 --- a/salt/suricata/soc_suricata.yaml +++ b/salt/suricata/soc_suricata.yaml @@ -1,4 +1,10 @@ suricata: + thresholding: + sids__yaml: + description: Threshold SIDS List + file: True + syntax: yaml + title: SIDS config: vars: address-groups: diff --git a/salt/suricata/thresholding/sids.yaml b/salt/suricata/thresholding/sids.yaml new file mode 100644 index 000000000..e9dc04e25 --- /dev/null +++ b/salt/suricata/thresholding/sids.yaml @@ -0,0 +1,44 @@ +thresholding: + sids: + 99999999999999999: + - threshold: + gen_id: 1 + type: threshold + track: by_src + count: 10 + seconds: 10 + - threshold: + gen_id: 1 + type: limit + track: by_dst + count: 100 + seconds: 30 + - rate_filter: + gen_id: 1 + track: by_rule + count: 50 + seconds: 30 + new_action: alert + timeout: 30 + - suppress: + gen_id: 1 + track: by_either + ip: 10.10.3.7 + 99999999999999998: + - threshold: + gen_id: 1 + type: limit + track: by_dst + count: 10 + seconds: 10 + - rate_filter: + gen_id: 1 + track: by_src + count: 50 + seconds: 20 + new_action: pass + timeout: 60 + - suppress: + gen_id: 1 + track: by_src + ip: 10.10.3.0/24 \ No newline at end of file From 9fffe1b5fa4e2fc4402e94dbb83c395bd358d9e9 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 20 Sep 2022 11:11:19 -0400 Subject: [PATCH 02/25] Replace so-firewall --- salt/common/tools/sbin/so-allow | 139 +-------- salt/common/tools/sbin/so-firewall | 467 +++++------------------------ 2 files changed, 87 insertions(+), 519 deletions(-) 
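Review bot: sids.yaml is exposed as live, editable configuration (soc_suricata.yaml registers it with `file: True`, `syntax: yaml`) yet its content reads as sample data — the SID keys `99999999999999999` and `99999999999999998` are placeholders and `ip: 10.10.3.7` / `10.10.3.0/24` are example addresses — with nothing in the file saying so. A header comment such as `# Example thresholding entries keyed by Suricata SID; replace with real SIDs before use.` plus one line per entry type (threshold, rate_filter, suppress) would help whoever edits it in SOC. That comment should also flag that the `rate_filter` sample uses `new_action: pass`, which changes the rule's action to pass once the count is reached, so it is not a safe default to copy. The file also lacks a trailing newline.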
diff --git a/salt/common/tools/sbin/so-allow b/salt/common/tools/sbin/so-allow
index 6738126df..c8f658052 100755
--- a/salt/common/tools/sbin/so-allow
+++ b/salt/common/tools/sbin/so-allow
@@ -1,142 +1,11 @@ -#!/usr/bin/env python3 +#!/usr/bin/env bash # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. - - -import ipaddress -import textwrap -import os -import subprocess -import sys -import argparse -import re -from lxml import etree as ET -from datetime import datetime as dt -from datetime import timezone as tz - - -LOCAL_SALT_DIR='/opt/so/saltstack/local' -VALID_ROLES = { - 'a': { 'role': 'analyst','desc': 'Analyst - 80/tcp, 443/tcp' }, - 'b': { 'role': 'beats_endpoint', 'desc': 'Logstash Beat - 5044/tcp' }, - 'e': { 'role': 'elasticsearch_rest', 'desc': 'Elasticsearch REST API - 9200/tcp' }, - 'f': { 'role': 'strelka_frontend', 'desc': 'Strelka frontend - 57314/tcp' }, - 's': { 'role': 'syslog', 'desc': 'Syslog device - 514/tcp/udp' }, - 't': { 'role': 'elastic_agent_endpoint', 'desc': 'Elastic Agent endpoint - 8220/tcp,5055/tcp' } -} - - -def validate_ip_cidr(ip_cidr: str) -> bool: - try: - ipaddress.ip_address(ip_cidr) - except ValueError: - try: - ipaddress.ip_network(ip_cidr) - except ValueError: - return False - return True - - -def role_prompt() -> str: - print() - print('Choose the role for the IP or Range you would like to allow') - print() - for role in VALID_ROLES: - print(f'[{role}] - {VALID_ROLES[role]["desc"]}') - print() - role = input('Please enter your selection: ') - if role in VALID_ROLES.keys(): - return VALID_ROLES[role]['role'] - else: - print(f'Invalid role \'{role}\', please try again.', file=sys.stderr) - sys.exit(1) - - -def ip_prompt() -> str: - ip = input('Enter a single ip address or range to allow (ex: 10.10.10.10 or 10.10.0.0/16): ') - if validate_ip_cidr(ip): - return ip - else: - print(f'Invalid IP address or CIDR block \'{ip}\', please try again.', 
file=sys.stderr) - sys.exit(1) - - -def apply(role: str, ip: str) -> int: - firewall_cmd = ['so-firewall', 'includehost', role, ip] - salt_cmd = ['salt-call', 'state.apply', '-l', 'quiet', 'firewall', 'queue=True'] - print(f'Adding {ip} to the {role} role. This can take a few seconds...') - cmd = subprocess.run(firewall_cmd) - if cmd.returncode == 0: - cmd = subprocess.run(salt_cmd, stdout=subprocess.DEVNULL) - else: - return cmd.returncode - - -def main(): - if os.geteuid() != 0: - print('You must run this script as root', file=sys.stderr) - sys.exit(1) - - main_parser = argparse.ArgumentParser( - formatter_class=argparse.RawDescriptionHelpFormatter, - epilog=textwrap.dedent(f'''\ - additional information: - To use this script in interactive mode call it with no arguments - ''' - )) - - group = main_parser.add_argument_group(title='roles') - group.add_argument('-a', dest='roles', action='append_const', const=VALID_ROLES['a']['role'], help="Analyst - 80/tcp, 443/tcp") - group.add_argument('-b', dest='roles', action='append_const', const=VALID_ROLES['b']['role'], help="Logstash Beat - 5044/tcp") - group.add_argument('-e', dest='roles', action='append_const', const=VALID_ROLES['e']['role'], help="Elasticsearch REST API - 9200/tcp") - group.add_argument('-f', dest='roles', action='append_const', const=VALID_ROLES['f']['role'], help="Strelka frontend - 57314/tcp") - group.add_argument('-s', dest='roles', action='append_const', const=VALID_ROLES['s']['role'], help="Syslog device - 514/tcp/udp") - group.add_argument('-t', dest='roles', action='append_const', const=VALID_ROLES['t']['role'], help="Elastic Agent endpoint - 8220/tcp,5055/tcp") - - ip_g = main_parser.add_argument_group(title='allow') - ip_g.add_argument('-i', help="IP or CIDR block to disallow connections from, requires at least one role argument", metavar='', dest='ip') - - args = main_parser.parse_args(sys.argv[1:]) - - if args.roles is None: - role = role_prompt() - ip = ip_prompt() - try: - return_code = 
apply(role, ip) - except Exception as e: - print(f'Unexpected exception occurred: {e}', file=sys.stderr) - return_code = e.errno - sys.exit(return_code) - elif args.roles is not None and args.ip is None: - if os.environ.get('IP') is None: - main_parser.print_help() - sys.exit(1) - else: - args.ip = os.environ['IP'] - - if validate_ip_cidr(args.ip): - try: - for role in args.roles: - return_code = apply(role, args.ip) - if return_code > 0: - break - except Exception as e: - print(f'Unexpected exception occurred: {e}', file=sys.stderr) - return_code = e.errno - else: - print(f'Invalid IP address or CIDR block \'{args.ip}\', please try again.', file=sys.stderr) - return_code = 1 - - sys.exit(return_code) - - -if __name__ == '__main__': - try: - main() - except KeyboardInterrupt: - sys.exit(1) +echo "Please use the Configuration section in SOC to allow hosts" +echo "" +echo "If you need command line options on adding hosts please run so-firewall" diff --git a/salt/common/tools/sbin/so-firewall b/salt/common/tools/sbin/so-firewall index 669d9597b..a15435665 100755 --- a/salt/common/tools/sbin/so-firewall +++ b/salt/common/tools/sbin/so-firewall 
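Review bot: The replacement so-allow exits 0 after printing its redirection message, so any caller still invoking the old interface (`so-allow -a -i <ip>` or with `IP` in the environment) sees success while nothing has been allowed; add `exit 1` after the final echo so scripts notice this is now a stub. None of the old `-a`/`-b`/`-e`/`-f`/`-s`/`-t` role flags or `-i` are parsed any more, so the exit status is the only signal left to automation.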
@@ -1,401 +1,100 @@ -#!/usr/bin/env python3 +#!/usr/bin/env bash # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. +. /usr/sbin/so-common -import os -import re -import subprocess -import sys -import time -import yaml +if [[ $# -lt 1 ]]; then + echo "Usage: $0 --role= --ip= --apply=" + echo "" + echo " Example: so-firewall --role=sensor --ip=192.168.254.100 --apply=true" + echo "" + exit 1 +fi -lockFile = "/tmp/so-firewall.lock" -hostgroupsFilename = "/opt/so/saltstack/local/salt/firewall/hostgroups.local.yaml" -portgroupsFilename = "/opt/so/saltstack/local/salt/firewall/portgroups.local.yaml" -defaultPortgroupsFilename = "/opt/so/saltstack/default/salt/firewall/portgroups.yaml" -supportedProtocols = ['tcp', 'udp'] -readonly = False +for i in "$@"; do + case $i in + -r=*|--role=*) + ROLE="${i#*=}" + shift + ;; + -i=*|--ip=*) + IP="${i#*=}" + shift + ;; + -a=*|--apply*) + APPLY="${i#*=}" + shift + ;; + -*|--*) + echo "Unknown option $i" + exit 1 + ;; + *) + ;; + esac +done -def showUsage(options, args): - print('Usage: {} [OPTIONS] [ARGS...]'.format(sys.argv[0])) - print(' Options:') - print(' --apply - After updating the firewall configuration files, apply the new firewall state') - print(' --defaultports - Read port groups from default configuration files instead of local configuration.') - print('') - print(' General commands:') - print(' help - Prints this usage information.') - print(' apply - Apply the firewall state.') - print('') - print(' Host commands:') - print(' listhostgroups - Lists the known host groups.') - print(' includedhosts - Lists the IPs included in the given group. Args: ') - print(' excludedhosts - Lists the IPs excluded from the given group. 
Args: ') - print(' includehost - Includes the given IP in the given group. Args: ') - print(' excludehost - Excludes the given IP from the given group. Args: ') - print(' removehost - Removes an excluded IP from the given group. Args: ') - print(' addhostgroup - Adds a new, custom host group. Args: ') - print('') - print(' Port commands:') - print(' listportgroups - Lists the known port groups.') - print(' listports - Lists ports in the given group and protocol. Args: ') - print(' addport - Adds a PORT to the given group. Args: ') - print(' removeport - Removes a PORT from the given group. Args: ') - print(' addportgroup - Adds a new, custom port group. Args: ') - print('') - print(' Where:') - print(' GROUP_NAME - The name of an alias group (Ex: analyst)') - print(' IP - Either a single IP address (Ex: 8.8.8.8) or a CIDR block (Ex: 10.23.0.0/16).') - print(' PORT_PROTOCOL - Must be one of the following: ' + str(supportedProtocols)) - print(' PORT - Either a single numeric port (Ex: 443), or a port range (Ex: 8000:8002).') - sys.exit(1) +ROLE=${ROLE,,} +APPLY=${APPLY,,} -def checkDefaultPortsOption(options): - global portgroupsFilename - if "--defaultports" in options: - portgroupsFilename = defaultPortgroupsFilename +function rolecall() { + THEROLE=$1 + THEROLES="analyst analyst_workstation heavynode idhnode receiver searchnode sensor" -def checkApplyOption(options): - if "--apply" in options: - return apply(None, None) + for AROLE in $THEROLES; do + if [ "$AROLE" = "$THEROLE" ]; then + return 0 + fi + done + return 1 +} -def loadYaml(filename): - global readonly +# Make sure the required options are specified +if [ -z "$ROLE" ]; then + echo "Please specify a role with --role=" + exit 1 +fi +if [ -z "$IP" ]; then + echo "Please specify an IP address with --ip=" + exit 1 +fi - file = open(filename, "r") - content = file.read() +# Are we dealing with a role that this script supports? 
+if rolecall "$ROLE"; then + echo "$ROLE is a supported role" +else + echo "This is not a supported role" + exit 1 +fi - # Remove Jinja templating (for read-only operations) - if "{%" in content or "{{" in content: - content = content.replace("{{ ssh_port }}", "22") - pattern = r'.*({%|{{|}}|%}).*' - content = re.sub(pattern, "", content) - readonly = True +local_salt_dir=/opt/so/saltstack/local/salt/firewall - return yaml.safe_load(content) +# Let's see if the file exists and if it does, let's see if the IP exists. +if [ -f "$local_salt_dir/hostgroups/$ROLE" ]; then + if grep -q $IP "$local_salt_dir/hostgroups/$ROLE"; then + echo "Host already exists" + exit 0 + fi +fi -def writeYaml(filename, content): - global readonly +# If you have reached this part of your quest then let's add the IP +if [ -f "$local_salt_dir/hostgroups/$ROLE" ]; then + touch $local_salt_dir/hostgroups/$ROLE + echo "Adding $IP to the $ROLE role" + echo "$IP" > $local_salt_dir/hostgroups/$ROLE +else + echo "Adding $IP to the $ROLE role" + echo "$IP" >> $local_salt_dir/hostgroups/$ROLE +fi - if readonly: - raise Exception("Cannot write yaml file that has been flagged as read-only") - - file = open(filename, "w") - return yaml.dump(content, file) - -def listHostGroups(): - content = loadYaml(hostgroupsFilename) - hostgroups = content['firewall']['hostgroups'] - if hostgroups is not None: - for group in hostgroups: - print(group) - return 0 - -def listIps(name, mode): - content = loadYaml(hostgroupsFilename) - if name not in content['firewall']['hostgroups']: - print('Host group does not exist', file=sys.stderr) - return 4 - hostgroup = content['firewall']['hostgroups'][name] - ips = hostgroup['ips'][mode] - if ips is not None: - for ip in ips: - print(ip) - return 0 - -def addIp(name, ip, mode): - content = loadYaml(hostgroupsFilename) - if name not in content['firewall']['hostgroups']: - print('Host group does not exist', file=sys.stderr) - return 4 - hostgroup = 
content['firewall']['hostgroups'][name] - ips = hostgroup['ips'][mode] - if ips is None: - ips = [] - hostgroup['ips'][mode] = ips - if ip not in ips: - ips.append(ip) - else: - print('Already exists', file=sys.stderr) - return 3 - writeYaml(hostgroupsFilename, content) - return 0 - -def removeIp(name, ip, mode, silence = False): - content = loadYaml(hostgroupsFilename) - if name not in content['firewall']['hostgroups']: - print('Host group does not exist', file=sys.stderr) - return 4 - hostgroup = content['firewall']['hostgroups'][name] - ips = hostgroup['ips'][mode] - if ips is None: - ips = [] - hostgroup['ips'][mode] = ips - if ip in ips: - ips.remove(ip) - else: - if not silence: - print('IP does not exist', file=sys.stderr) - return 3 - writeYaml(hostgroupsFilename, content) - return 0 - -def createProtocolMap(): - map = {} - for protocol in supportedProtocols: - map[protocol] = [] - return map - -def listPortGroups(): - content = loadYaml(portgroupsFilename) - portgroups = content['firewall']['aliases']['ports'] - if portgroups is not None: - for group in portgroups: - print(group) - return 0 - -def addhostgroup(options, args): - if len(args) != 1: - print('Missing host group name argument', file=sys.stderr) - showUsage(options, args) - - name = args[0] - content = loadYaml(hostgroupsFilename) - if name in content['firewall']['hostgroups']: - print('Already exists', file=sys.stderr) - return 3 - content['firewall']['hostgroups'][name] = { 'ips': { 'insert': [], 'delete': [] }} - writeYaml(hostgroupsFilename, content) - return 0 - -def listportgroups(options, args): - if len(args) != 0: - print('Unexpected arguments', file=sys.stderr) - showUsage(options, args) - checkDefaultPortsOption(options) - return listPortGroups() - -def addportgroup(options, args): - if len(args) != 1: - print('Missing port group name argument', file=sys.stderr) - showUsage(options, args) - - name = args[0] - content = loadYaml(portgroupsFilename) - ports = 
content['firewall']['aliases']['ports'] - if ports is None: - ports = {} - content['firewall']['aliases']['ports'] = ports - if name in ports: - print('Already exists', file=sys.stderr) - return 3 - ports[name] = createProtocolMap() - writeYaml(portgroupsFilename, content) - return 0 - -def listports(options, args): - if len(args) != 2: - print('Missing port group name or port protocol', file=sys.stderr) - showUsage(options, args) - - checkDefaultPortsOption(options) - name = args[0] - protocol = args[1] - if protocol not in supportedProtocols: - print('Port protocol is not supported', file=sys.stderr) - return 5 - - content = loadYaml(portgroupsFilename) - ports = content['firewall']['aliases']['ports'] - if ports is None: - ports = {} - content['firewall']['aliases']['ports'] = ports - if name not in ports: - print('Port group does not exist', file=sys.stderr) - return 3 - if protocol not in ports[name]: - print('Port group does not contain protocol', file=sys.stderr) - return 3 - ports = ports[name][protocol] - if ports is not None: - for port in ports: - print(port) - return 0 - -def addport(options, args): - if len(args) != 3: - print('Missing port group name or port protocol, or port argument', file=sys.stderr) - showUsage(options, args) - - name = args[0] - protocol = args[1] - port = args[2] - if protocol not in supportedProtocols: - print('Port protocol is not supported', file=sys.stderr) - return 5 - - content = loadYaml(portgroupsFilename) - ports = content['firewall']['aliases']['ports'] - if ports is None: - ports = {} - content['firewall']['aliases']['ports'] = ports - if name not in ports: - print('Port group does not exist', file=sys.stderr) - return 3 - ports = ports[name][protocol] - if ports is None: - ports = [] - content['firewall']['aliases']['ports'][name][protocol] = ports - if port in ports: - print('Already exists', file=sys.stderr) - return 3 - ports.append(port) - writeYaml(portgroupsFilename, content) - code = checkApplyOption(options) 
- return code - -def removeport(options, args): - if len(args) != 3: - print('Missing port group name or port protocol, or port argument', file=sys.stderr) - showUsage(options, args) - - name = args[0] - protocol = args[1] - port = args[2] - if protocol not in supportedProtocols: - print('Port protocol is not supported', file=sys.stderr) - return 5 - - content = loadYaml(portgroupsFilename) - ports = content['firewall']['aliases']['ports'] - if ports is None: - ports = {} - content['firewall']['aliases']['ports'] = ports - if name not in ports: - print('Port group does not exist', file=sys.stderr) - return 3 - ports = ports[name][protocol] - if ports is None or port not in ports: - print('Port does not exist', file=sys.stderr) - return 3 - ports.remove(port) - writeYaml(portgroupsFilename, content) - code = checkApplyOption(options) - return code - - -def listhostgroups(options, args): - if len(args) != 0: - print('Unexpected arguments', file=sys.stderr) - showUsage(options, args) - return listHostGroups() - -def includedhosts(options, args): - if len(args) != 1: - print('Missing host group name argument', file=sys.stderr) - showUsage(options, args) - return listIps(args[0], 'insert') - -def excludedhosts(options, args): - if len(args) != 1: - print('Missing host group name argument', file=sys.stderr) - showUsage(options, args) - return listIps(args[0], 'delete') - -def includehost(options, args): - if len(args) != 2: - print('Missing host group name or ip argument', file=sys.stderr) - showUsage(options, args) - result = addIp(args[0], args[1], 'insert') - if result == 0: - removeIp(args[0], args[1], 'delete', True) - code = result - if code == 0: - code = checkApplyOption(options) - return code - -def excludehost(options, args): - if len(args) != 2: - print('Missing host group name or ip argument', file=sys.stderr) - showUsage(options, args) - result = addIp(args[0], args[1], 'delete') - if result == 0: - removeIp(args[0], args[1], 'insert', True) - code = result 
- if code == 0: - code = checkApplyOption(options) - return code - -def removehost(options, args): - if len(args) != 2: - print('Missing host group name or ip argument', file=sys.stderr) - showUsage(options, args) - code = removeIp(args[0], args[1], 'delete') - if code == 0: - code = checkApplyOption(options) - return code - -def apply(options, args): - proc = subprocess.run(['salt-call', 'state.apply', 'firewall', 'queue=True']) - return proc.returncode - -def main(): - options = [] - args = sys.argv[1:] - for option in args: - if option.startswith("--"): - options.append(option) - args.remove(option) - - if len(args) == 0: - showUsage(options, None) - - commands = { - "help": showUsage, - "listhostgroups": listhostgroups, - "includedhosts": includedhosts, - "excludedhosts": excludedhosts, - "includehost": includehost, - "excludehost": excludehost, - "removehost": removehost, - "listportgroups": listportgroups, - "listports": listports, - "addport": addport, - "removeport": removeport, - "addhostgroup": addhostgroup, - "addportgroup": addportgroup, - "apply": apply - } - - code=1 - - try: - lockAttempts = 0 - maxAttempts = 30 - while lockAttempts < maxAttempts: - lockAttempts = lockAttempts + 1 - try: - f = open(lockFile, "x") - f.close() - break - except: - time.sleep(2) - - if lockAttempts == maxAttempts: - print("Lock file (" + lockFile + ") could not be created; proceeding without lock.") - - cmd = commands.get(args[0], showUsage) - code = cmd(options, args[1:]) - finally: - try: - os.remove(lockFile) - except: - print("Lock file (" + lockFile + ") already removed") - - sys.exit(code) - -if __name__ == "__main__": - main() +# Check to see if we are applying this right away. +if [ "$APPLY" = "true" ]; then + echo "Applying the firewall rules" + salt-call state.apply firewall queue=True +else + echo "Firewall rules will be applied next salt run" +fi From 678d5c5c9c356dd862be8386db2189754202da4b Mon Sep 17 00:00:00 2001 
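Review bot: The add logic at the end of the hunk is inverted: when `hostgroups/$ROLE` already exists the script runs `echo "$IP" > ...`, truncating the file and discarding every previously allowed host, while only the non-existent case appends with `>>` (and the `touch` in the exists-branch is redundant). Both branches can collapse to `mkdir -p "$local_salt_dir/hostgroups"` followed by `echo "Adding $IP to the $ROLE role"` and `echo "$IP" >> "$local_salt_dir/hostgroups/$ROLE"`. The duplicate check `grep -q $IP` is unquoted and treats dots as regex wildcards, so `10.10.3.7` matches `10.10.3.70` and wrongly reports "Host already exists"; use `grep -qxF -- "$IP" "$local_salt_dir/hostgroups/$ROLE"`. The `-a=*|--apply*)` pattern is also missing its `=`, unlike the `--role=` and `--ip=` cases.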
From: Mike Reeves Date: Tue, 20 Sep 2022 11:22:20 -0400 Subject: [PATCH 03/25] Replace so-firewall --- salt/common/tools/sbin/so-allow | 2 +- salt/common/tools/sbin/so-firewall | 10 +++++++++- salt/nginx/config/ssl.key | 2 +- setup/so-variables | 3 +++ 4 files changed, 14 insertions(+), 3 deletions(-) diff --git a/salt/common/tools/sbin/so-allow b/salt/common/tools/sbin/so-allow index c8f658052..146a4b644 100755 --- a/salt/common/tools/sbin/so-allow +++ b/salt/common/tools/sbin/so-allow @@ -1,4 +1,4 @@ -#!/usr/bin/env bash +#!/usr/bin/bash # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at diff --git a/salt/common/tools/sbin/so-firewall b/salt/common/tools/sbin/so-firewall index a15435665..0403f75c1 100755 --- a/salt/common/tools/sbin/so-firewall +++ b/salt/common/tools/sbin/so-firewall @@ -1,4 +1,4 @@ -#!/usr/bin/env bash +#!/usr/bin/bash # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at @@ -71,6 +71,14 @@ else exit 1 fi +# Are we dealing with an IP? +if valid_ip4 "$IP"; then + echo "$IP is valid" +else + echo "$IP is not a valid IP Address" + exit 1 +fi + local_salt_dir=/opt/so/saltstack/local/salt/firewall # Let's see if the file exists and if it does, let's see if the IP exists. diff --git a/salt/nginx/config/ssl.key b/salt/nginx/config/ssl.key index 16878f704..909861578 100644 --- a/salt/nginx/config/ssl.key +++ b/salt/nginx/config/ssl.key @@ -1 +1 @@ -# Replace this text with the text from the .crt \ No newline at end of file +# Replace this text with the text from the .key \ No newline at end of file diff --git a/setup/so-variables b/setup/so-variables index f29d9ae55..09f6cbd37 100644 --- a/setup/so-variables +++ b/setup/so-variables 
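Review bot: The new `valid_ip4 "$IP"` gate in so-firewall (hunk at line 71) accepts only what that helper recognises; it is sourced from so-common and not visible here, but if it checks a bare IPv4 dotted quad then CIDR blocks such as `10.0.0.0/16` and IPv6 addresses are now rejected, even though the hostgroup descriptions in soc_firewall.yaml say the lists take "IP Addresses or CIDR blocks" and the previous so-firewall accepted both forms. Either extend the check to cover CIDR notation (validate the address and the `/prefix` part separately) or state the IPv4-only restriction in the usage text. The `echo "$IP is valid"` line is noise on every successful run and can be dropped.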
@@ -80,6 +80,9 @@ whiptail_title="Security Onion Setup - $SOVERSION" export whiptail_title mkdir -p $local_salt_dir/pillar/minions +mkdir -p $local_salt_dir/salt/firewall/hostgroups +mkdir -p $local_salt_dir/salt/firewall/portgroups +mkdir -p $local_salt_dir/salt/firewall/ports for THEDIR in bpf pcap elasticsearch ntp firewall redis backup strelka sensoroni curator soc soctopus docker zeek suricata nginx filebeat logstash soc manager kratos idstools idh elastalert do From 27a9edbef7a28edd3ac3720a01abed18207eba01 Mon Sep 17 00:00:00 2001 
From: Mike Reeves Date: Tue, 20 Sep 2022 13:20:16 -0400 Subject: [PATCH 04/25] Change Firewall Pillar Structure --- ...alyst_workstations => analyst_workstation} | 0 .../hostgroups/{heavynodes => heavynode} | 0 .../hostgroups/{receivers => receiver} | 0 .../hostgroups/{searchnodes => searchnode} | 0 salt/firewall/portgroups/analyst | 0 salt/firewall/portgroups/analyst_workstations | 0 salt/firewall/portgroups/eval | 0 salt/firewall/portgroups/heavynodes | 0 salt/firewall/portgroups/idh | 0 salt/firewall/portgroups/manager | 0 salt/firewall/portgroups/portgroups.yaml | 611 ++++++++++++++++++ salt/firewall/portgroups/receivers | 0 salt/firewall/portgroups/searchnodes | 0 salt/firewall/portgroups/sensors | 0 salt/firewall/portgroups/standalone | 19 - salt/firewall/soc_firewall.yaml | 16 +- 16 files changed, 619 insertions(+), 27 deletions(-) rename salt/firewall/hostgroups/{analyst_workstations => analyst_workstation} (100%) rename salt/firewall/hostgroups/{heavynodes => heavynode} (100%) rename salt/firewall/hostgroups/{receivers => receiver} (100%) rename salt/firewall/hostgroups/{searchnodes => searchnode} (100%) delete mode 100644 salt/firewall/portgroups/analyst delete mode 100644 salt/firewall/portgroups/analyst_workstations delete mode 100644 salt/firewall/portgroups/eval delete mode 100644 salt/firewall/portgroups/heavynodes delete mode 100644 salt/firewall/portgroups/idh delete mode 100644 salt/firewall/portgroups/manager create mode 100644 salt/firewall/portgroups/portgroups.yaml delete mode 100644 salt/firewall/portgroups/receivers delete mode 100644 salt/firewall/portgroups/searchnodes delete mode 100644 salt/firewall/portgroups/sensors delete mode 100644 salt/firewall/portgroups/standalone diff --git a/salt/firewall/hostgroups/analyst_workstations b/salt/firewall/hostgroups/analyst_workstation similarity index 100% rename from salt/firewall/hostgroups/analyst_workstations rename to salt/firewall/hostgroups/analyst_workstation 
diff --git a/salt/firewall/hostgroups/heavynodes b/salt/firewall/hostgroups/heavynode
similarity index 100%
rename from salt/firewall/hostgroups/heavynodes
rename to salt/firewall/hostgroups/heavynode
diff --git a/salt/firewall/hostgroups/receivers b/salt/firewall/hostgroups/receiver
similarity index 100%
rename from salt/firewall/hostgroups/receivers
rename to salt/firewall/hostgroups/receiver
diff --git a/salt/firewall/hostgroups/searchnodes b/salt/firewall/hostgroups/searchnode
similarity index 100%
rename from salt/firewall/hostgroups/searchnodes
rename to salt/firewall/hostgroups/searchnode
diff --git a/salt/firewall/portgroups/analyst b/salt/firewall/portgroups/analyst
deleted file mode 100644
index e69de29bb..000000000
diff --git a/salt/firewall/portgroups/analyst_workstations b/salt/firewall/portgroups/analyst_workstations
deleted file mode 100644
index e69de29bb..000000000
diff --git a/salt/firewall/portgroups/eval b/salt/firewall/portgroups/eval
deleted file mode 100644
index e69de29bb..000000000
diff --git a/salt/firewall/portgroups/heavynodes b/salt/firewall/portgroups/heavynodes
deleted file mode 100644
index e69de29bb..000000000
diff --git a/salt/firewall/portgroups/idh b/salt/firewall/portgroups/idh
deleted file mode 100644
index e69de29bb..000000000
diff --git a/salt/firewall/portgroups/manager b/salt/firewall/portgroups/manager
deleted file mode 100644
index e69de29bb..000000000
diff --git a/salt/firewall/portgroups/portgroups.yaml b/salt/firewall/portgroups/portgroups.yaml
new file mode 100644
index 000000000..490d74d36
--- /dev/null
+++ b/salt/firewall/portgroups/portgroups.yaml
@@ -0,0 +1,611 @@ +firewall: + portgroups: + role: + eval: + ports: + - playbook + - mysql + - kibana + - redis + - influxdb + - elasticsearch_rest + - elasticsearch_node + - docker_registry + - influxdb + - sensoroni + - beats_5044 + - beats_5644 + - redis + - syslog + - strelka_frontend + - nginx + INPUT: + hostgroups: + anywhere: + portgroups: + - ssh + dockernet: + portgroups: + - all + localhost: + portgroups: + - all + minion: + portgroups: + - salt_manager + manager: + chain: + DOCKER-USER: + hostgroups: + manager: + portgroups: + - wazuh_agent + - wazuh_api + - wazuh_authd + - playbook + - mysql + - kibana + - redis + - minio + - influxdb + - fleet_api + - cortex + - elasticsearch_rest + - elasticsearch_node + - cortex_es_rest + - cortex_es_node + minion: + portgroups: + - acng + - docker_registry + - osquery_8080 + - influxdb + - wazuh_api + - fleet_api + - sensoroni + - yum + sensor: + portgroups: + - beats_5044 + - beats_5644 + search_node: + portgroups: + - redis + - minio + - elasticsearch_node + - beats_5644 + heavy_node: + portgroups: + - redis + - minio + - elasticsearch_node + - beats_5644 + self: + portgroups: + - syslog}} + syslog: + portgroups: + - syslog + beats_endpoint: + portgroups: + - beats_5044 + beats_endpoint_ssl: + portgroups: + - beats_5644 + elasticsearch_rest: + portgroups: + - elasticsearch_rest + endgame: + portgroups: + - endgame + osquery_endpoint: + portgroups: + - fleet_api + wazuh_agent: + portgroups: + - wazuh_agent + wazuh_api: + portgroups: + - wazuh_api + wazuh_authd: + portgroups: + - wazuh_authd + analyst: + portgroups: + - nginx + INPUT: + hostgroups: + anywhere: + portgroups: + - ssh + dockernet: + portgroups: + - all + localhost: + portgroups: + - all + minion: + portgroups: + - salt_manager + managersearch: + chain: + DOCKER-USER: + hostgroups: + manager: + portgroups: + - wazuh_agent + - wazuh_api + - wazuh_authd + - playbook + - mysql + - kibana + - redis + - minio + - influxdb + - fleet_api + - cortex + - 
elasticsearch_rest
+ - elasticsearch_node
+ - cortex_es_rest
+ - cortex_es_node
+ minion:
+ portgroups:
+ - acng
+ - docker_registry
+ - osquery_8080
+ - influxdb
+ - wazuh_api
+ - fleet_api
+ - sensoroni
+ - yum
+ sensor:
+ portgroups:
+ - beats_5044
+ - beats_5644
+ search_node:
+ portgroups:
+ - redis
+ - minio
+ - elasticsearch_node
+ heavy_node:
+ portgroups:
+ - redis
+ - minio
+ - elasticsearch_node
+ self:
+ portgroups:
+ - syslog}}
+ beats_endpoint:
+ portgroups:
+ - beats_5044
+ beats_endpoint_ssl:
+ portgroups:
+ - beats_5644
+ elasticsearch_rest:
+ portgroups:
+ - elasticsearch_rest
+ endgame:
+ portgroups:
+ - endgame
+ osquery_endpoint:
+ portgroups:
+ - fleet_api
+ syslog:
+ portgroups:
+ - syslog
+ wazuh_agent:
+ portgroups:
+ - wazuh_agent
+ wazuh_api:
+ portgroups:
+ - wazuh_api
+ wazuh_authd:
+ portgroups:
+ - wazuh_authd
+ analyst:
+ portgroups:
+ - nginx
+ INPUT:
+ hostgroups:
+ anywhere:
+ portgroups:
+ - ssh
+ dockernet:
+ portgroups:
+ - all
+ localhost:
+ portgroups:
+ - all
+ minion:
+ portgroups:
+ - salt_manager
+ standalone:
+ chain:
+ DOCKER-USER:
+ hostgroups:
+ manager:
+ portgroups:
+ - wazuh_agent
+ - wazuh_api
+ - wazuh_authd
+ - playbook
+ - mysql
+ - kibana
+ - redis
+ - minio
+ - influxdb
+ - fleet_api
+ - cortex
+ - elasticsearch_rest
+ - elasticsearch_node
+ - cortex_es_rest
+ - cortex_es_node
+ minion:
+ portgroups:
+ - acng
+ - docker_registry
+ - osquery_8080
+ - influxdb
+ - wazuh_api
+ - fleet_api
+ - sensoroni
+ - yum
+ sensor:
+ portgroups:
+ - beats_5044
+ - beats_5644
+ search_node:
+ portgroups:
+ - redis
+ - minio
+ - elasticsearch_node
+ heavy_node:
+ portgroups:
+ - redis
+ - minio
+ - elasticsearch_node
+ self:
+ portgroups:
+ - syslog}}
+ beats_endpoint:
+ portgroups:
+ - beats_5044
+ beats_endpoint_ssl:
+ portgroups:
+ - beats_5644
+ elasticsearch_rest:
+ portgroups:
+ - elasticsearch_rest
+ endgame:
+ portgroups:
+ - endgame
+ osquery_endpoint:
+ portgroups:
+ - fleet_api
+ strelka_frontend:
+ portgroups:
+ - strelka_frontend
+ syslog:
+ portgroups:
+ - syslog
+ wazuh_agent:
+ portgroups:
+ - wazuh_agent
+ wazuh_api:
+ portgroups:
+ - wazuh_api
+ wazuh_authd:
+ portgroups:
+ - wazuh_authd
+ analyst:
+ portgroups:
+ - nginx
+ INPUT:
+ hostgroups:
+ anywhere:
+ portgroups:
+ - ssh
+ dockernet:
+ portgroups:
+ - all
+ localhost:
+ portgroups:
+ - all
+ minion:
+ portgroups:
+ - salt_manager
+ helixsensor:
+ chain:
+ DOCKER-USER:
+ hostgroups:
+ manager:
+ portgroups:
+ - wazuh_agent
+ - playbook
+ - mysql
+ - kibana
+ - redis
+ - influxdb
+ - fleet_api
+ - cortex
+ - elasticsearch_rest
+ - elasticsearch_node
+ - cortex_es_rest
+ - cortex_es_node
+ minion:
+ portgroups:
+ - acng
+ - docker_registry
+ - osquery_8080
+ - influxdb
+ - wazuh_api
+ - sensoroni
+ sensor:
+ portgroups:
+ - beats_5044
+ - beats_5644
+ search_node:
+ portgroups:
+ - redis
+ - elasticsearch_node
+ self:
+ portgroups:
+ - syslog}}
+ beats_endpoint:
+ portgroups:
+ - beats_5044
+ osquery_endpoint:
+ portgroups:
+ - fleet_api
+ wazuh_agent:
+ portgroups:
+ - wazuh_agent
+ analyst:
+ portgroups:
+ - nginx
+ INPUT:
+ hostgroups:
+ anywhere:
+ portgroups:
+ - ssh
+ dockernet:
+ portgroups:
+ - all
+ localhost:
+ portgroups:
+ - all
+ minion:
+ portgroups:
+ - salt_manager
+ searchnode:
+ chain:
+ DOCKER-USER:
+ hostgroups:
+ manager:
+ portgroups:
+ - elasticsearch_node
+ - elasticsearch_rest
+ dockernet:
+ portgroups:
+ - elasticsearch_node
+ - elasticsearch_rest
+ elasticsearch_rest:
+ portgroups:
+ - elasticsearch_rest
+ search_node:
+ portgroups:
+ - elasticsearch_node
+ self:
+ portgroups:
+ - syslog}}
+ INPUT:
+ hostgroups:
+ anywhere:
+ portgroups:
+ - ssh
+ dockernet:
+ portgroups:
+ - all
+ localhost:
+ portgroups:
+ - all
+ sensor:
+ chain:
+ DOCKER-USER:
+ hostgroups:
+ self:
+ portgroups:
+ - syslog
+ strelka_frontend:
+ portgroups:
+ - strelka_frontend
+ INPUT:
+ hostgroups:
+ anywhere:
+ portgroups:
+ - ssh
+ dockernet:
+ portgroups:
+ - all
+ localhost:
+ portgroups:
+ - all
+ heavynode:
+ chain:
+ DOCKER-USER:
+ hostgroups:
+ manager:
+ portgroups:
+ - elasticsearch_node
+ - elasticsearch_rest
+ dockernet:
+ portgroups:
+ - elasticsearch_node
+ - elasticsearch_rest
+ elasticsearch_rest:
+ portgroups:
+ - elasticsearch_rest
+ self:
+ portgroups:
+ - syslog}}
+ strelka_frontend:
+ portgroups:
+ - strelka_frontend
+ INPUT:
+ hostgroups:
+ anywhere:
+ portgroups:
+ - ssh
+ dockernet:
+ portgroups:
+ - all
+ localhost:
+ portgroups:
+ - all
+ fleet:
+ chain:
+ DOCKER-USER:
+ hostgroups:
+ self:
+ portgroups:
+ - redis
+ - mysql
+ - osquery_8080
+ localhost:
+ portgroups:
+ - mysql
+ - osquery_8080
+ analyst:
+ portgroups:
+ - fleet_webui
+ minion:
+ portgroups:
+ - fleet_api
+ osquery_endpoint:
+ portgroups:
+ - fleet_api}}
+ INPUT:
+ hostgroups:
+ anywhere:
+ portgroups:
+ - ssh
+ dockernet:
+ portgroups:
+ - all
+ localhost:
+ portgroups:
+ - all
+ import:
+ chain:
+ DOCKER-USER:
+ hostgroups:
+ manager:
+ portgroups:
+ - kibana
+ - redis
+ - influxdb
+ - elasticsearch_rest
+ - elasticsearch_node
+ minion:
+ portgroups:
+ - docker_registry
+ - sensoroni
+ sensor:
+ portgroups:
+ - beats_5044
+ - beats_5644
+ search_node:
+ portgroups:
+ - redis
+ - elasticsearch_node
+ beats_endpoint:
+ portgroups:
+ - beats_5044
+ beats_endpoint_ssl:
+ portgroups:
+ - beats_5644
+ elasticsearch_rest:
+ portgroups:
+ - elasticsearch_rest
+ analyst:
+ portgroups:
+ - nginx
+ INPUT:
+ hostgroups:
+ anywhere:
+ portgroups:
+ - ssh
+ dockernet:
+ portgroups:
+ - all
+ localhost:
+ portgroups:
+ - all
+ minion:
+ portgroups:
+ - salt_manager
+
+ receiver:
+ chain:
+ DOCKER-USER:
+ hostgroups:
+ sensor:
+ portgroups:
+ - beats_5644
+ search_node:
+ portgroups:
+ - redis
+ - beats_5644
+ self:
+ portgroups:
+ - redis
+ - syslog}}
+ - beats_5644
+ syslog:
+ portgroups:
+ - syslog
+ beats_endpoint:
+ portgroups:
+ - beats_5044
+ beats_endpoint_ssl:
+ portgroups:
+ - beats_5644
+ endgame:
+ portgroups:
+ - endgame
+ wazuh_agent:
+ portgroups:
+ - wazuh_agent
+ wazuh_api:
+ portgroups:
+ - wazuh_api
+ wazuh_authd:
+ portgroups:
+ - wazuh_authd
+ INPUT:
+ hostgroups:
+ anywhere:
+ portgroups:
+ - ssh
+ dockernet:
+ portgroups:
+ - all
+ localhost:
+ portgroups:
+ - all
+ idh:
+ chain:
+ INPUT:
+ hostgroups:
+ anywhere:
+ portgroups:
+ - idh
+ dockernet:
+ portgroups:
+ - all
+ localhost:
+ portgroups:
+ - all
+ manager:
+ portgroups:
+ - ssh
\ No newline at end of file
diff --git a/salt/firewall/portgroups/receivers b/salt/firewall/portgroups/receivers
deleted file mode 100644
index e69de29bb..000000000
diff --git a/salt/firewall/portgroups/searchnodes b/salt/firewall/portgroups/searchnodes
deleted file mode 100644
index e69de29bb..000000000
diff --git a/salt/firewall/portgroups/sensors b/salt/firewall/portgroups/sensors
deleted file mode 100644
index e69de29bb..000000000
diff --git a/salt/firewall/portgroups/standalone b/salt/firewall/portgroups/standalone
deleted file mode 100644
index ea8f495f9..000000000
--- a/salt/firewall/portgroups/standalone
+++ /dev/null
@@ -1,19 +0,0 @@
-playbook
-mysql
-kibana
-redis
-influxdb
-elasticsearch_rest
-elasticsearch_node
-docker_registry
-yum
-sensoroni
-beats_5044
-beats_5644
-elastic_agent_control
-elastic_agent_data
-elasticsearch_rest
-endgame
-strelka_frontend
-syslog
-nginx
\ No newline at end of file
diff --git a/salt/firewall/soc_firewall.yaml b/salt/firewall/soc_firewall.yaml
index 02199bc79..923ce4dd9 100644
--- a/salt/firewall/soc_firewall.yaml
+++ b/salt/firewall/soc_firewall.yaml
@@ -1,15 +1,15 @@
firewall:
hostgroups:
- analyst_workstations:
+ analyst_workstation:
description: List of IP Addresses or CIDR blocks to allow analyst workstations.
file: True
global: True
- title: Analyst Workstations
+ title: Analyst Workstation
analyst:
description: List of IP Addresses or CIDR blocks to allow analyst connections.
file: True
global: True
- title: Analysts
+ title: Analyst
standalone:
description: List of IP Addresses or CIDR blocks to allow standalone connections.
file: True
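Review bot: The hostgroup key `analyst_workstations` is renamed to `analyst_workstation` here, while the sibling keys in the same file (`searchnodes`, `sensors`, `receivers`, in the next two hunks) keep their plural key and only get a singular title, so the file ends up with mixed key naming. These keys appear to be what the per-hostgroup files and pillar data are looked up by (each is `file: True`), so anything still referring to `analyst_workstations` would silently stop matching after this change; I could not verify the lookup side from this patch. If only the displayed name was meant to change, keep the key and change just `title: Analyst Workstation`; if the key rename is intended, rename the remaining plural keys in the same commit and update their consumers.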
@@ -26,7 +26,7 @@ firewall:
description: List of IP Addresses or CIDR blocks to allow idh connections.
file: True
global: True
- title: IDH Nodes
+ title: IDHNode
manager:
description: List of IP Addresses or CIDR blocks to allow manager connections.
file: True
@@ -37,22 +37,22 @@ firewall:
description: List of IP Addresses or CIDR blocks to allow heavynode connections.
file: True
global: True
- title: Heavy Nodes
+ title: HeavyNode
searchnodes:
description: List of IP Addresses or CIDR blocks to allow searchnode connections.
file: True
global: True
- title: Search Nodes
+ title: SearchNode
sensors:
description: List of IP Addresses or CIDR blocks to allow Sensor connections.
file: True
global: True
- title: Sensors
+ title: Sensor
receivers:
description: List of IP Addresses or CIDR blocks to allow receiver connections.
file: True
global: True
- title: Receivers
+ title: Receiver
portgroups:
analyst:
description: List of ports for use with Analyst connections.
From 555bd678fb8f128d16f3ddeade70f82b10bda205 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 20 Sep 2022 13:28:32 -0400 Subject: [PATCH 05/25] Change Firewall Pillar Structure
--- salt/firewall/soc_firewall.yaml | 22 ++++++++-------------- 1 file changed, 8 insertions(+), 14 deletions(-)
diff --git a/salt/firewall/soc_firewall.yaml b/salt/firewall/soc_firewall.yaml
index 923ce4dd9..39e8b7354 100644
--- a/salt/firewall/soc_firewall.yaml
+++ b/salt/firewall/soc_firewall.yaml
@@ -54,24 +54,18 @@ firewall:
global: True
title: Receiver
portgroups:
- analyst:
- description: List of ports for use with Analyst connections.
+ portgroups__yaml:
+ description: Port Groups
file: True
global: True
- title: Analyst Ports
- analyst_workstations:
- description: List of ports for use with analyst workstations.
- file: True
- global: True
- title: Analyst Workstation Ports
- standalone:
- description: List of ports for use with Standalone.
- file: True
- global: True
- title: Standalone
+ advanced: True
+ title: Port Groups
+ syntax: yaml
ports:
ports__yaml:
description: Ports in YAML.
file: True
global: True
- title: Ports
\ No newline at end of file
+ advanced: True
+ title: Ports
+ syntax: yaml
\ No newline at end of file
From b622940f3f47732961cad251b5f4d1a8c48ca1e8 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 20 Sep 2022 13:32:41 -0400 Subject: [PATCH 06/25] Remvoe NTP from setup
--- setup/so-setup | 4 ---- 1 file changed, 4 deletions(-)
diff --git a/setup/so-setup b/setup/so-setup
index 8dba4676a..3966d6d3d 100755
--- a/setup/so-setup
+++ b/setup/so-setup
@@ -460,10 +460,6 @@ if ! [[ -f $install_opt_file ]]; then if [[ $monints ]]; then configure_network_sensor fi - # Configure NTP - info "Configuring NTP" - [[ ${#ntp_servers[@]} -gt 0 ]] && configure_ntp >> $setup_log 2>&1 - # Reserve the ports that SO needs info "Reserving ports" reserve_ports info "Setting Paths"
From 0ade4d78477a38eb28ec76e44666f73da9506838 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 20 Sep 2022 13:45:29 -0400 Subject: [PATCH 07/25] Adjust portgroup yaml
--- salt/firewall/portgroups/portgroups.yaml | 1163 ++++++++++------ 1 file changed, 552 insertions(+), 611 deletions(-)
diff --git a/salt/firewall/portgroups/portgroups.yaml b/salt/firewall/portgroups/portgroups.yaml
index 490d74d36..331b5e3f2 100644
--- a/salt/firewall/portgroups/portgroups.yaml
+++ b/salt/firewall/portgroups/portgroups.yaml
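Review bot: The new `portgroups__yaml` entry's `description: Port Groups` tells an operator nothing about what the raw YAML is expected to contain, now that the `analyst`, `analyst_workstations` and `standalone` entries with their own descriptions are gone; the same applies to `ports__yaml` (`description: Ports in YAML.`). Both fields are `global: True` and edited as free-form YAML, so a malformed or mis-keyed document would presumably affect every node's firewall rules without the per-field structure the old entries gave, and the description is the only guidance the UI offers. Something like `description: Port group definitions in YAML; see the shipped default for the expected structure before editing.` on `portgroups__yaml`, with an equivalent on `ports__yaml`, would make the advanced setting self-explaining. Marking both `advanced: True` is appropriate for a raw-YAML field and is consistent between the two.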
@@ -1,611 +1,552 @@ -firewall: - portgroups: - role: - eval: - ports: - - playbook - - mysql - - kibana - - redis - - influxdb - - elasticsearch_rest - - elasticsearch_node - - docker_registry - - influxdb - - sensoroni - - beats_5044 - - beats_5644 - - redis - - syslog - - strelka_frontend - - nginx - INPUT: - hostgroups: - anywhere: - portgroups: - - ssh - dockernet: - portgroups: - - all - localhost: - portgroups: - - all - minion: - portgroups: - - salt_manager - manager: - chain: - DOCKER-USER: - hostgroups: - manager: - portgroups: - - wazuh_agent - - wazuh_api - - wazuh_authd - - playbook - - mysql - - kibana - - redis - - minio - - influxdb - - fleet_api - - cortex - - elasticsearch_rest - - elasticsearch_node - - cortex_es_rest - - cortex_es_node - minion: - portgroups: - - acng - - docker_registry - - osquery_8080 - - influxdb - - wazuh_api - - fleet_api - - sensoroni - - yum - sensor: - portgroups: - - beats_5044 - - beats_5644 - search_node: - portgroups: - - redis - - minio - - elasticsearch_node - - beats_5644 - heavy_node: - portgroups: - - redis - - minio - - elasticsearch_node - - beats_5644 - self: - portgroups: - - syslog}} - syslog: - portgroups: - - syslog - beats_endpoint: - portgroups: - - beats_5044 - beats_endpoint_ssl: - portgroups: - - beats_5644 - elasticsearch_rest: - portgroups: - - elasticsearch_rest - endgame: - portgroups: - - endgame - osquery_endpoint: - portgroups: - - fleet_api - wazuh_agent: - portgroups: - - wazuh_agent - wazuh_api: - portgroups: - - wazuh_api - wazuh_authd: - portgroups: - - wazuh_authd - analyst: - portgroups: - - nginx - INPUT: - hostgroups: - anywhere: - portgroups: - - ssh - dockernet: - portgroups: - - all - localhost: - portgroups: - - all - minion: - portgroups: - - salt_manager - managersearch: - chain: - DOCKER-USER: - hostgroups: - manager: - portgroups: - - wazuh_agent - - wazuh_api - - wazuh_authd - - playbook - - mysql - - kibana - - redis - - minio - - influxdb - - fleet_api - - cortex - - 
elasticsearch_rest - - elasticsearch_node - - cortex_es_rest - - cortex_es_node - minion: - portgroups: - - acng - - docker_registry - - osquery_8080 - - influxdb - - wazuh_api - - fleet_api - - sensoroni - - yum - sensor: - portgroups: - - beats_5044 - - beats_5644 - search_node: - portgroups: - - redis - - minio - - elasticsearch_node - heavy_node: - portgroups: - - redis - - minio - - elasticsearch_node - self: - portgroups: - - syslog}} - beats_endpoint: - portgroups: - - beats_5044 - beats_endpoint_ssl: - portgroups: - - beats_5644 - elasticsearch_rest: - portgroups: - - elasticsearch_rest - endgame: - portgroups: - - endgame - osquery_endpoint: - portgroups: - - fleet_api - syslog: - portgroups: - - syslog - wazuh_agent: - portgroups: - - wazuh_agent - wazuh_api: - portgroups: - - wazuh_api - wazuh_authd: - portgroups: - - wazuh_authd - analyst: - portgroups: - - nginx - INPUT: - hostgroups: - anywhere: - portgroups: - - ssh - dockernet: - portgroups: - - all - localhost: - portgroups: - - all - minion: - portgroups: - - salt_manager - standalone: - chain: - DOCKER-USER: - hostgroups: - manager: - portgroups: - - wazuh_agent - - wazuh_api - - wazuh_authd - - playbook - - mysql - - kibana - - redis - - minio - - influxdb - - fleet_api - - cortex - - elasticsearch_rest - - elasticsearch_node - - cortex_es_rest - - cortex_es_node - minion: - portgroups: - - acng - - docker_registry - - osquery_8080 - - influxdb - - wazuh_api - - fleet_api - - sensoroni - - yum - sensor: - portgroups: - - beats_5044 - - beats_5644 - search_node: - portgroups: - - redis - - minio - - elasticsearch_node - heavy_node: - portgroups: - - redis - - minio - - elasticsearch_node - self: - portgroups: - - syslog}} - beats_endpoint: - portgroups: - - beats_5044 - beats_endpoint_ssl: - portgroups: - - beats_5644 - elasticsearch_rest: - portgroups: - - elasticsearch_rest - endgame: - portgroups: - - endgame - osquery_endpoint: - portgroups: - - fleet_api - strelka_frontend: - portgroups: - - 
strelka_frontend - syslog: - portgroups: - - syslog - wazuh_agent: - portgroups: - - wazuh_agent - wazuh_api: - portgroups: - - wazuh_api - wazuh_authd: - portgroups: - - wazuh_authd - analyst: - portgroups: - - nginx - INPUT: - hostgroups: - anywhere: - portgroups: - - ssh - dockernet: - portgroups: - - all - localhost: - portgroups: - - all - minion: - portgroups: - - salt_manager - helixsensor: - chain: - DOCKER-USER: - hostgroups: - manager: - portgroups: - - wazuh_agent - - playbook - - mysql - - kibana - - redis - - influxdb - - fleet_api - - cortex - - elasticsearch_rest - - elasticsearch_node - - cortex_es_rest - - cortex_es_node - minion: - portgroups: - - acng - - docker_registry - - osquery_8080 - - influxdb - - wazuh_api - - sensoroni - sensor: - portgroups: - - beats_5044 - - beats_5644 - search_node: - portgroups: - - redis - - elasticsearch_node - self: - portgroups: - - syslog}} - beats_endpoint: - portgroups: - - beats_5044 - osquery_endpoint: - portgroups: - - fleet_api - wazuh_agent: - portgroups: - - wazuh_agent - analyst: - portgroups: - - nginx - INPUT: - hostgroups: - anywhere: - portgroups: - - ssh - dockernet: - portgroups: - - all - localhost: - portgroups: - - all - minion: - portgroups: - - salt_manager - searchnode: - chain: - DOCKER-USER: - hostgroups: - manager: - portgroups: - - elasticsearch_node - - elasticsearch_rest - dockernet: - portgroups: - - elasticsearch_node - - elasticsearch_rest - elasticsearch_rest: - portgroups: - - elasticsearch_rest - search_node: - portgroups: - - elasticsearch_node - self: - portgroups: - - syslog}} - INPUT: - hostgroups: - anywhere: - portgroups: - - ssh - dockernet: - portgroups: - - all - localhost: - portgroups: - - all - sensor: - chain: - DOCKER-USER: - hostgroups: - self: - portgroups: - - syslog - strelka_frontend: - portgroups: - - strelka_frontend - INPUT: - hostgroups: - anywhere: - portgroups: - - ssh - dockernet: - portgroups: - - all - localhost: - portgroups: - - all - heavynode: - 
chain: - DOCKER-USER: - hostgroups: - manager: - portgroups: - - elasticsearch_node - - elasticsearch_rest - dockernet: - portgroups: - - elasticsearch_node - - elasticsearch_rest - elasticsearch_rest: - portgroups: - - elasticsearch_rest - self: - portgroups: - - syslog}} - strelka_frontend: - portgroups: - - strelka_frontend - INPUT: - hostgroups: - anywhere: - portgroups: - - ssh - dockernet: - portgroups: - - all - localhost: - portgroups: - - all - fleet: - chain: - DOCKER-USER: - hostgroups: - self: - portgroups: - - redis - - mysql - - osquery_8080 - localhost: - portgroups: - - mysql - - osquery_8080 - analyst: - portgroups: - - fleet_webui - minion: - portgroups: - - fleet_api - osquery_endpoint: - portgroups: - - fleet_api}} - INPUT: - hostgroups: - anywhere: - portgroups: - - ssh - dockernet: - portgroups: - - all - localhost: - portgroups: - - all - import: - chain: - DOCKER-USER: - hostgroups: - manager: - portgroups: - - kibana - - redis - - influxdb - - elasticsearch_rest - - elasticsearch_node - minion: - portgroups: - - docker_registry - - sensoroni - sensor: - portgroups: - - beats_5044 - - beats_5644 - search_node: - portgroups: - - redis - - elasticsearch_node - beats_endpoint: - portgroups: - - beats_5044 - beats_endpoint_ssl: - portgroups: - - beats_5644 - elasticsearch_rest: - portgroups: - - elasticsearch_rest - analyst: - portgroups: - - nginx - INPUT: - hostgroups: - anywhere: - portgroups: - - ssh - dockernet: - portgroups: - - all - localhost: - portgroups: - - all - minion: - portgroups: - - salt_manager - - receiver: - chain: - DOCKER-USER: - hostgroups: - sensor: - portgroups: - - beats_5644 - search_node: - portgroups: - - redis - - beats_5644 - self: - portgroups: - - redis - - syslog}} - - beats_5644 - syslog: - portgroups: - - syslog - beats_endpoint: - portgroups: - - beats_5044 - beats_endpoint_ssl: - portgroups: - - beats_5644 - endgame: - portgroups: - - endgame - wazuh_agent: - portgroups: - - wazuh_agent - wazuh_api: - 
portgroups: - - wazuh_api - wazuh_authd: - portgroups: - - wazuh_authd - INPUT: - hostgroups: - anywhere: - portgroups: - - ssh - dockernet: - portgroups: - - all - localhost: - portgroups: - - all - idh: - chain: - INPUT: - hostgroups: - anywhere: - portgroups: - - idh - dockernet: - portgroups: - - all - localhost: - portgroups: - - all - manager: - portgroups: - - ssh
\ No newline at end of file
+role:
+ eval:
+ chain:
+ DOCKER-USER:
+ hostgroups:
+ manager:
+ portgroups:
+ - playbook
+ - mysql
+ - kibana
+ - redis
+ - minio
+ - influxdb
+ - cortex
+ - elasticsearch_rest
+ - elasticsearch_node
+ - cortex_es_rest
+ - cortex_es_node
+ minion:
+ portgroups:
+ - acng
+ - docker_registry
+ - influxdb
+ - sensoroni
+ sensor:
+ portgroups:
+ - beats_5044
+ - beats_5644
+ search_node:
+ portgroups:
+ - redis
+ - minio
+ - elasticsearch_node
+ heavy_node:
+ portgroups:
+ - redis
+ - minio
+ - elasticsearch_node
+ self:
+ portgroups:
+ - syslog
+ beats_endpoint:
+ portgroups:
+ - beats_5044
+ beats_endpoint_ssl:
+ portgroups:
+ - beats_5644
+ elasticsearch_rest:
+ portgroups:
+ - elasticsearch_rest
+ elastic_agent_endpoint:
+ portgroups:
+ - elastic_agent_control
+ - elastic_agent_data
+ strelka_frontend:
+ portgroups:
+ - strelka_frontend
+ syslog:
+ portgroups:
+ - syslog
+ analyst:
+ portgroups:
+ - nginx
+ INPUT:
+ hostgroups:
+ anywhere:
+ portgroups:
+ - ssh
+ dockernet:
+ portgroups:
+ - all
+ localhost:
+ portgroups:
+ - all
+ minion:
+ portgroups:
+ - salt_manager
+ manager:
+ chain:
+ DOCKER-USER:
+ hostgroups:
+ manager:
+ portgroups:
+ - playbook
+ - mysql
+ - kibana
+ - redis
+ - minio
+ - influxdb
+ - cortex
+ - elasticsearch_rest
+ - elasticsearch_node
+ - cortex_es_rest
+ - cortex_es_node
+ minion:
+ portgroups:
+ - acng
+ - docker_registry
+ - influxdb
+ - sensoroni
+ - yum
+ sensor:
+ portgroups:
+ - beats_5044
+ - beats_5644
+ search_node:
+ portgroups:
+ - redis
+ - minio
+ - elasticsearch_node
+ - beats_5644
+ heavy_node:
+ portgroups:
+ - redis
+ - minio
+ - elasticsearch_node
+ - beats_5644
+ self:
+ portgroups:
+ - syslog
+ syslog:
+ portgroups:
+ - syslog
+ beats_endpoint:
+ portgroups:
+ - beats_5044
+ beats_endpoint_ssl:
+ portgroups:
+ - beats_5644
+ elasticsearch_rest:
+ portgroups:
+ - elasticsearch_rest
+ endgame:
+ portgroups:
+ - endgame
+ analyst:
+ portgroups:
+ - nginx
+ INPUT:
+ hostgroups:
+ anywhere:
+ portgroups:
+ - ssh
+ dockernet:
+ portgroups:
+ - all
+ localhost:
+ portgroups:
+ - all
+ minion:
+ portgroups:
+ - salt_manager
+ managersearch:
+ chain:
+ DOCKER-USER:
+ hostgroups:
+ manager:
+ portgroups:
+ - playbook
+ - mysql
+ - kibana
+ - redis
+ - minio
+ - influxdb
+ - cortex
+ - elasticsearch_rest
+ - elasticsearch_node
+ - cortex_es_rest
+ - cortex_es_node
+ minion:
+ portgroups:
+ - acng
+ - docker_registry
+ - influxdb
+ - sensoroni
+ - yum
+ sensor:
+ portgroups:
+ - beats_5044
+ - beats_5644
+ search_node:
+ portgroups:
+ - redis
+ - minio
+ - elasticsearch_node
+ heavy_node:
+ portgroups:
+ - redis
+ - minio
+ - elasticsearch_node
+ self:
+ portgroups:
+ - syslog}}
+ beats_endpoint:
+ portgroups:
+ - beats_5044
+ beats_endpoint_ssl:
+ portgroups:
+ - beats_5644
+ elasticsearch_rest:
+ portgroups:
+ - elasticsearch_rest
+ elastic_agent_endpoint:
+ portgroups:
+ - elastic_agent_control
+ - elastic_agent_data
+ endgame:
+ portgroups:
+ - endgame
+ syslog:
+ portgroups:
+ - syslog
+ analyst:
+ portgroups:
+ - nginx
+ INPUT:
+ hostgroups:
+ anywhere:
+ portgroups:
+ - ssh
+ dockernet:
+ portgroups:
+ - all
+ localhost:
+ portgroups:
+ - all
+ minion:
+ portgroups:
+ - salt_manager
+ standalone:
+ chain:
+ DOCKER-USER:
+ hostgroups:
+ manager:
+ portgroups:
+ - playbook
+ - mysql
+ - kibana
+ - redis
+ - minio
+ - influxdb
+ - cortex
+ - elasticsearch_rest
+ - elasticsearch_node
+ - cortex_es_rest
+ - cortex_es_node
+ minion:
+ portgroups:
+ - acng
+ - docker_registry
+ - influxdb
+ - sensoroni
+ - yum
+ sensor:
+ portgroups:
+ - beats_5044
+ - beats_5644
+ search_node:
+ portgroups:
+ - redis
+ - minio
+ - elasticsearch_node
+ heavy_node:
+ portgroups:
+ - redis
+ - minio
+ - elasticsearch_node
+ self:
+ portgroups:
+ - syslog}}
+ beats_endpoint:
+ portgroups:
+ - beats_5044
+ beats_endpoint_ssl:
+ portgroups:
+ - beats_5644
+ elasticsearch_rest:
+ portgroups:
+ - elasticsearch_rest
+ elastic_agent_endpoint:
+ portgroups:
+ - elastic_agent_control
+ - elastic_agent_data
+ endgame:
+ portgroups:
+ - endgame
+ strelka_frontend:
+ portgroups:
+ - strelka_frontend
+ syslog:
+ portgroups:
+ - syslog
+ analyst:
+ portgroups:
+ - nginx
+ INPUT:
+ hostgroups:
+ anywhere:
+ portgroups:
+ - ssh
+ dockernet:
+ portgroups:
+ - all
+ localhost:
+ portgroups:
+ - all
+ minion:
+ portgroups:
+ - salt_manager
+ helixsensor:
+ chain:
+ DOCKER-USER:
+ hostgroups:
+ manager:
+ portgroups:
+ - playbook
+ - mysql
+ - kibana
+ - redis
+ - influxdb
+ - cortex
+ - elasticsearch_rest
+ - elasticsearch_node
+ - cortex_es_rest
+ - cortex_es_node
+ minion:
+ portgroups:
+ - acng
+ - docker_registry
+ - influxdb
+ - sensoroni
+ sensor:
+ portgroups:
+ - beats_5044
+ - beats_5644
+ search_node:
+ portgroups:
+ - redis
+ - elasticsearch_node
+ self:
+ portgroups:
+ - syslog}}
+ beats_endpoint:
+ portgroups:
+ - beats_5044
+ analyst:
+ portgroups:
+ - nginx
+ INPUT:
+ hostgroups:
+ anywhere:
+ portgroups:
+ - ssh
+ dockernet:
+ portgroups:
+ - all
+ localhost:
+ portgroups:
+ - all
+ minion:
+ portgroups:
+ - salt_manager
+ searchnode:
+ chain:
+ DOCKER-USER:
+ hostgroups:
+ manager:
+ portgroups:
+ - elasticsearch_node
+ - elasticsearch_rest
+ dockernet:
+ portgroups:
+ - elasticsearch_node
+ - elasticsearch_rest
+ elasticsearch_rest:
+ portgroups:
+ - elasticsearch_rest
+ search_node:
+ portgroups:
+ - elasticsearch_node
+ self:
+ portgroups:
+ - syslog
+ INPUT:
+ hostgroups:
+ anywhere:
+ portgroups:
+ - ssh
+ dockernet:
+ portgroups:
+ - all
+ localhost:
+ portgroups:
+ - all
+ sensor:
+ chain:
+ DOCKER-USER:
+ hostgroups:
+ self:
+ portgroups:
+ - syslog
+ strelka_frontend:
+ portgroups:
+ - strelka_frontend
+ INPUT:
+ hostgroups:
+ anywhere:
+ portgroups:
+ - ssh
+ dockernet:
+ portgroups:
+ - all
+ localhost:
+ portgroups:
+ - all
+ heavynode:
+ chain:
+ DOCKER-USER:
+ hostgroups:
+ manager:
+ portgroups:
+ - elasticsearch_node
+ - elasticsearch_rest
+ dockernet:
+ portgroups:
+ - elasticsearch_node
+ - elasticsearch_rest
+ elasticsearch_rest:
+ portgroups:
+ - elasticsearch_rest
+ self:
+ portgroups:
+ - syslog
+ strelka_frontend:
+ portgroups:
+ - strelka_frontend
+ INPUT:
+ hostgroups:
+ anywhere:
+ portgroups:
+ - ssh
+ dockernet:
+ portgroups:
+ - all
+ localhost:
+ portgroups:
+ - all
+ import:
+ chain:
+ DOCKER-USER:
+ hostgroups:
+ manager:
+ portgroups:
+ - kibana
+ - redis
+ - influxdb
+ - elasticsearch_rest
+ - elasticsearch_node
+ minion:
+ portgroups:
+ - docker_registry
+ - sensoroni
+ sensor:
+ portgroups:
+ - beats_5044
+ - beats_5644
+ search_node:
+ portgroups:
+ - redis
+ - elasticsearch_node
+ beats_endpoint:
+ portgroups:
+ - beats_5044
+ beats_endpoint_ssl:
+ portgroups:
+ - beats_5644
+ elasticsearch_rest:
+ portgroups:
+ - elasticsearch_rest
+ analyst:
+ portgroups:
+ - nginx
+ INPUT:
+ hostgroups:
+ anywhere:
+ portgroups:
+ - ssh
+ dockernet:
+ portgroups:
+ - all
+ localhost:
+ portgroups:
+ - all
+ minion:
+ portgroups:
+ - salt_manager
+
+ receiver:
+ chain:
+ DOCKER-USER:
+ hostgroups:
+ sensor:
+ portgroups:
+ - beats_5644
+ search_node:
+ portgroups:
+ - redis
+ - beats_5644
+ self:
+ portgroups:
+ - redis
+ - syslog
+ - beats_5644
+ syslog:
+ portgroups:
+ - syslog
+ beats_endpoint:
+ portgroups:
+ - beats_5044
+ beats_endpoint_ssl:
+ portgroups:
+ - beats_5644
+ endgame:
+ portgroups:
+ - endgame
+ INPUT:
+ hostgroups:
+ anywhere:
+ portgroups:
+ - ssh
+ dockernet:
+ portgroups:
+ - all
+ localhost:
+ portgroups:
+ - all
+ idh:
+ chain:
+ INPUT:
+ hostgroups:
+ anywhere:
+ portgroups:
+ - ssh
+ dockernet:
+ portgroups:
+ - all
+ localhost:
+ portgroups:
+ - all
+ manager:
+ portgroups:
+ - ssh
\ No newline at end of file
From 097c05b114b91b2fee8e581383bbdd39049cb268 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 20 Sep 2022 13:49:26 -0400 Subject: [PATCH 08/25] Cleanup on aisle 4
--- salt/firewall/assigned_hostgroups.map.yaml | 567 --------------------- salt/firewall/hostgroups.yaml | 23 - salt/firewall/portgroups.yaml | 116 ----- 3 files changed, 706 deletions(-)
delete mode 100644 salt/firewall/assigned_hostgroups.map.yaml
delete mode 100644 salt/firewall/hostgroups.yaml
delete mode 100644 salt/firewall/portgroups.yaml
diff --git a/salt/firewall/assigned_hostgroups.map.yaml b/salt/firewall/assigned_hostgroups.map.yaml
deleted file mode 100644
index 7f8c01910..000000000
--- a/salt/firewall/assigned_hostgroups.map.yaml
+++ /dev/null
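Review bot: The `self` hostgroup under `managersearch`, `standalone` and `helixsensor` still lists `- syslog}}` on the new side — the closing braces left over from the `{{ portgroups.syslog}}` Jinja expression this file no longer uses — while every other role in the same rewrite was corrected to `- syslog`. A group named `syslog}}` will not match the real `syslog` port group, so those three roles presumably lose (or fail to render) their self-to-syslog rule; the fix is `- syslog` at all three places. Separately, the `idh` role's `anywhere` hostgroup changes from the previous `- idh` to `- ssh`, which opens SSH from any source on IDH nodes while dropping the IDH service group; if that is intended, a comment saying so would help, and if not, `- idh` should be restored. The file also still ends without a trailing newline.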
@@ -1,567 +0,0 @@ -{% set ISAIRGAP = salt['pillar.get']('global:airgap', 'False') %} -{% import_yaml 'firewall/portgroups.yaml' as portgroups %} -{% set portgroups = portgroups.firewall.aliases.ports %} -{% set TRUE_CLUSTER = salt['pillar.get']('elasticsearch:true_cluster', False) %} - -role: - eval: - chain: - DOCKER-USER: - hostgroups: - manager: - portgroups: - - {{ portgroups.playbook }} - - {{ portgroups.mysql }} - - {{ portgroups.kibana }} - - {{ portgroups.redis }} - - {{ portgroups.minio }} - - {{ portgroups.influxdb }} - - {{ portgroups.cortex }} - - {{ portgroups.elasticsearch_rest }} - - {{ portgroups.elasticsearch_node }} - - {{ portgroups.cortex_es_rest }} - - {{ portgroups.cortex_es_node }} - minion: - portgroups: - - {{ portgroups.acng }} - - {{ portgroups.docker_registry }} - - {{ portgroups.influxdb }} - - {{ portgroups.sensoroni }} - sensor: - portgroups: - - {{ portgroups.beats_5044 }} - - {{ portgroups.beats_5644 }} - search_node: - portgroups: - - {{ portgroups.redis }} - - {{ portgroups.minio }} - - {{ portgroups.elasticsearch_node }} - heavy_node: - portgroups: - - {{ portgroups.redis }} - - {{ portgroups.minio }} - - {{ portgroups.elasticsearch_node }} - self: - portgroups: - - {{ portgroups.syslog}} - beats_endpoint: - portgroups: - - {{ portgroups.beats_5044 }} - beats_endpoint_ssl: - portgroups: - - {{ portgroups.beats_5644 }} - elasticsearch_rest: - portgroups: - - {{ portgroups.elasticsearch_rest }} - elastic_agent_endpoint: - portgroups: - - {{ portgroups.elastic_agent_control }} - - {{ portgroups.elastic_agent_data }} - strelka_frontend: - portgroups: - - {{ portgroups.strelka_frontend }} - syslog: - portgroups: - - {{ portgroups.syslog }} - analyst: - portgroups: - - {{ portgroups.nginx }} - INPUT: - hostgroups: - anywhere: - portgroups: - - {{ portgroups.ssh }} - dockernet: - portgroups: - - {{ portgroups.all }} - localhost: - portgroups: - - {{ portgroups.all }} - minion: - portgroups: - - {{ portgroups.salt_manager }} - manager: - 
chain: - DOCKER-USER: - hostgroups: - manager: - portgroups: - - {{ portgroups.playbook }} - - {{ portgroups.mysql }} - - {{ portgroups.kibana }} - - {{ portgroups.redis }} - - {{ portgroups.minio }} - - {{ portgroups.influxdb }} - - {{ portgroups.cortex }} - - {{ portgroups.elasticsearch_rest }} - - {{ portgroups.elasticsearch_node }} - - {{ portgroups.cortex_es_rest }} - - {{ portgroups.cortex_es_node }} - {% if ISAIRGAP is sameas true %} - - {{ portgroups.agrules }} - {% endif %} - minion: - portgroups: - - {{ portgroups.acng }} - - {{ portgroups.docker_registry }} - - {{ portgroups.influxdb }} - - {{ portgroups.sensoroni }} - {% if ISAIRGAP is sameas true %} - - {{ portgroups.yum }} - {% endif %} - sensor: - portgroups: - - {{ portgroups.beats_5044 }} - - {{ portgroups.beats_5644 }} - search_node: - portgroups: - - {{ portgroups.redis }} - - {{ portgroups.minio }} - - {{ portgroups.elasticsearch_node }} - - {{ portgroups.beats_5644 }} - heavy_node: - portgroups: - - {{ portgroups.redis }} - - {{ portgroups.minio }} - - {{ portgroups.elasticsearch_node }} - - {{ portgroups.beats_5644 }} - self: - portgroups: - - {{ portgroups.syslog}} - syslog: - portgroups: - - {{ portgroups.syslog }} - beats_endpoint: - portgroups: - - {{ portgroups.beats_5044 }} - beats_endpoint_ssl: - portgroups: - - {{ portgroups.beats_5644 }} - elasticsearch_rest: - portgroups: - - {{ portgroups.elasticsearch_rest }} - endgame: - portgroups: - - {{ portgroups.endgame }} - analyst: - portgroups: - - {{ portgroups.nginx }} - INPUT: - hostgroups: - anywhere: - portgroups: - - {{ portgroups.ssh }} - dockernet: - portgroups: - - {{ portgroups.all }} - localhost: - portgroups: - - {{ portgroups.all }} - minion: - portgroups: - - {{ portgroups.salt_manager }} - managersearch: - chain: - DOCKER-USER: - hostgroups: - manager: - portgroups: - - {{ portgroups.playbook }} - - {{ portgroups.mysql }} - - {{ portgroups.kibana }} - - {{ portgroups.redis }} - - {{ portgroups.minio }} - - {{ 
portgroups.influxdb }} - - {{ portgroups.cortex }} - - {{ portgroups.elasticsearch_rest }} - - {{ portgroups.elasticsearch_node }} - - {{ portgroups.cortex_es_rest }} - - {{ portgroups.cortex_es_node }} - minion: - portgroups: - - {{ portgroups.acng }} - - {{ portgroups.docker_registry }} - - {{ portgroups.influxdb }} - - {{ portgroups.sensoroni }} - - {{ portgroups.yum }} - sensor: - portgroups: - - {{ portgroups.beats_5044 }} - - {{ portgroups.beats_5644 }} - search_node: - portgroups: - - {{ portgroups.redis }} - - {{ portgroups.minio }} - - {{ portgroups.elasticsearch_node }} - heavy_node: - portgroups: - - {{ portgroups.redis }} - - {{ portgroups.minio }} - - {{ portgroups.elasticsearch_node }} - self: - portgroups: - - {{ portgroups.syslog}} - beats_endpoint: - portgroups: - - {{ portgroups.beats_5044 }} - beats_endpoint_ssl: - portgroups: - - {{ portgroups.beats_5644 }} - elasticsearch_rest: - portgroups: - - {{ portgroups.elasticsearch_rest }} - elastic_agent_endpoint: - portgroups: - - {{ portgroups.elastic_agent_control }} - - {{ portgroups.elastic_agent_data }} - endgame: - portgroups: - - {{ portgroups.endgame }} - syslog: - portgroups: - - {{ portgroups.syslog }} - analyst: - portgroups: - - {{ portgroups.nginx }} - INPUT: - hostgroups: - anywhere: - portgroups: - - {{ portgroups.ssh }} - dockernet: - portgroups: - - {{ portgroups.all }} - localhost: - portgroups: - - {{ portgroups.all }} - minion: - portgroups: - - {{ portgroups.salt_manager }} - standalone: - chain: - DOCKER-USER: - hostgroups: - manager: - portgroups: - - {{ portgroups.playbook }} - - {{ portgroups.mysql }} - - {{ portgroups.kibana }} - - {{ portgroups.redis }} - - {{ portgroups.minio }} - - {{ portgroups.influxdb }} - - {{ portgroups.cortex }} - - {{ portgroups.elasticsearch_rest }} - - {{ portgroups.elasticsearch_node }} - - {{ portgroups.cortex_es_rest }} - - {{ portgroups.cortex_es_node }} - minion: - portgroups: - - {{ portgroups.acng }} - - {{ portgroups.docker_registry }} - - 
{{ portgroups.influxdb }} - - {{ portgroups.sensoroni }} - - {{ portgroups.yum }} - sensor: - portgroups: - - {{ portgroups.beats_5044 }} - - {{ portgroups.beats_5644 }} - search_node: - portgroups: - - {{ portgroups.redis }} - - {{ portgroups.minio }} - - {{ portgroups.elasticsearch_node }} - heavy_node: - portgroups: - - {{ portgroups.redis }} - - {{ portgroups.minio }} - - {{ portgroups.elasticsearch_node }} - self: - portgroups: - - {{ portgroups.syslog}} - beats_endpoint: - portgroups: - - {{ portgroups.beats_5044 }} - beats_endpoint_ssl: - portgroups: - - {{ portgroups.beats_5644 }} - elasticsearch_rest: - portgroups: - - {{ portgroups.elasticsearch_rest }} - elastic_agent_endpoint: - portgroups: - - {{ portgroups.elastic_agent_control }} - - {{ portgroups.elastic_agent_data }} - endgame: - portgroups: - - {{ portgroups.endgame }} - strelka_frontend: - portgroups: - - {{ portgroups.strelka_frontend }} - syslog: - portgroups: - - {{ portgroups.syslog }} - analyst: - portgroups: - - {{ portgroups.nginx }} - INPUT: - hostgroups: - anywhere: - portgroups: - - {{ portgroups.ssh }} - dockernet: - portgroups: - - {{ portgroups.all }} - localhost: - portgroups: - - {{ portgroups.all }} - minion: - portgroups: - - {{ portgroups.salt_manager }} - helixsensor: - chain: - DOCKER-USER: - hostgroups: - manager: - portgroups: - - {{ portgroups.playbook }} - - {{ portgroups.mysql }} - - {{ portgroups.kibana }} - - {{ portgroups.redis }} - - {{ portgroups.influxdb }} - - {{ portgroups.cortex }} - - {{ portgroups.elasticsearch_rest }} - - {{ portgroups.elasticsearch_node }} - - {{ portgroups.cortex_es_rest }} - - {{ portgroups.cortex_es_node }} - minion: - portgroups: - - {{ portgroups.acng }} - - {{ portgroups.docker_registry }} - - {{ portgroups.influxdb }} - - {{ portgroups.sensoroni }} - sensor: - portgroups: - - {{ portgroups.beats_5044 }} - - {{ portgroups.beats_5644 }} - search_node: - portgroups: - - {{ portgroups.redis }} - - {{ portgroups.elasticsearch_node }} - 
self: - portgroups: - - {{ portgroups.syslog}} - beats_endpoint: - portgroups: - - {{ portgroups.beats_5044 }} - analyst: - portgroups: - - {{ portgroups.nginx }} - INPUT: - hostgroups: - anywhere: - portgroups: - - {{ portgroups.ssh }} - dockernet: - portgroups: - - {{ portgroups.all }} - localhost: - portgroups: - - {{ portgroups.all }} - minion: - portgroups: - - {{ portgroups.salt_manager }} - searchnode: - chain: - DOCKER-USER: - hostgroups: - manager: - portgroups: - - {{ portgroups.elasticsearch_node }} - - {{ portgroups.elasticsearch_rest }} - dockernet: - portgroups: - - {{ portgroups.elasticsearch_node }} - - {{ portgroups.elasticsearch_rest }} - elasticsearch_rest: - portgroups: - - {{ portgroups.elasticsearch_rest }} - {% if TRUE_CLUSTER %} - search_node: - portgroups: - - {{ portgroups.elasticsearch_node }} - {% endif %} - self: - portgroups: - - {{ portgroups.syslog}} - INPUT: - hostgroups: - anywhere: - portgroups: - - {{ portgroups.ssh }} - dockernet: - portgroups: - - {{ portgroups.all }} - localhost: - portgroups: - - {{ portgroups.all }} - sensor: - chain: - DOCKER-USER: - hostgroups: - self: - portgroups: - - {{ portgroups.syslog}} - strelka_frontend: - portgroups: - - {{ portgroups.strelka_frontend }} - INPUT: - hostgroups: - anywhere: - portgroups: - - {{ portgroups.ssh }} - dockernet: - portgroups: - - {{ portgroups.all }} - localhost: - portgroups: - - {{ portgroups.all }} - heavynode: - chain: - DOCKER-USER: - hostgroups: - manager: - portgroups: - - {{ portgroups.elasticsearch_node }} - - {{ portgroups.elasticsearch_rest }} - dockernet: - portgroups: - - {{ portgroups.elasticsearch_node }} - - {{ portgroups.elasticsearch_rest }} - elasticsearch_rest: - portgroups: - - {{ portgroups.elasticsearch_rest }} - self: - portgroups: - - {{ portgroups.syslog}} - strelka_frontend: - portgroups: - - {{ portgroups.strelka_frontend }} - INPUT: - hostgroups: - anywhere: - portgroups: - - {{ portgroups.ssh }} - dockernet: - portgroups: - - {{ 
portgroups.all }} - localhost: - portgroups: - - {{ portgroups.all }} - import: - chain: - DOCKER-USER: - hostgroups: - manager: - portgroups: - - {{ portgroups.kibana }} - - {{ portgroups.redis }} - - {{ portgroups.influxdb }} - - {{ portgroups.elasticsearch_rest }} - - {{ portgroups.elasticsearch_node }} - minion: - portgroups: - - {{ portgroups.docker_registry }} - - {{ portgroups.sensoroni }} - sensor: - portgroups: - - {{ portgroups.beats_5044 }} - - {{ portgroups.beats_5644 }} - search_node: - portgroups: - - {{ portgroups.redis }} - - {{ portgroups.elasticsearch_node }} - beats_endpoint: - portgroups: - - {{ portgroups.beats_5044 }} - beats_endpoint_ssl: - portgroups: - - {{ portgroups.beats_5644 }} - elasticsearch_rest: - portgroups: - - {{ portgroups.elasticsearch_rest }} - analyst: - portgroups: - - {{ portgroups.nginx }} - INPUT: - hostgroups: - anywhere: - portgroups: - - {{ portgroups.ssh }} - dockernet: - portgroups: - - {{ portgroups.all }} - localhost: - portgroups: - - {{ portgroups.all }} - minion: - portgroups: - - {{ portgroups.salt_manager }} - - receiver: - chain: - DOCKER-USER: - hostgroups: - sensor: - portgroups: - - {{ portgroups.beats_5644 }} - search_node: - portgroups: - - {{ portgroups.redis }} - - {{ portgroups.beats_5644 }} - self: - portgroups: - - {{ portgroups.redis }} - - {{ portgroups.syslog}} - - {{ portgroups.beats_5644 }} - syslog: - portgroups: - - {{ portgroups.syslog }} - beats_endpoint: - portgroups: - - {{ portgroups.beats_5044 }} - beats_endpoint_ssl: - portgroups: - - {{ portgroups.beats_5644 }} - endgame: - portgroups: - - {{ portgroups.endgame }} - INPUT: - hostgroups: - anywhere: - portgroups: - - {{ portgroups.ssh }} - dockernet: - portgroups: - - {{ portgroups.all }} - localhost: - portgroups: - - {{ portgroups.all }} - idh: - chain: - INPUT: - hostgroups: - anywhere: - portgroups: - {% set idh_services = salt['pillar.get']('idh:services', []) %} - {% for service in idh_services %} - - {{ 
portgroups['idh_'~service] }} - {% endfor %} - dockernet: - portgroups: - - {{ portgroups.all }} - localhost: - portgroups: - - {{ portgroups.all }} - manager: - portgroups: - - {{ portgroups.ssh }} diff --git a/salt/firewall/hostgroups.yaml b/salt/firewall/hostgroups.yaml deleted file mode 100644 index 778912911..000000000 --- a/salt/firewall/hostgroups.yaml +++ /dev/null @@ -1,23 +0,0 @@ -{%- set DNET = salt['pillar.get']('global:dockernet', '172.17.0.0') %} -firewall: - hostgroups: - anywhere: - ips: - delete: - insert: - - 0.0.0.0/0 - dockernet: - ips: - delete: - insert: - - {{ DNET }}/24 - localhost: - ips: - delete: - insert: - - 127.0.0.1 - self: - ips: - delete: - insert: - - {{ salt['grains.get']('ip_interfaces').get(salt['pillar.get']('sensor:mainint', salt['pillar.get']('manager:mainint', salt['pillar.get']('elasticsearch:mainint', salt['pillar.get']('host:mainint')))))[0] }} \ No newline at end of file diff --git a/salt/firewall/portgroups.yaml b/salt/firewall/portgroups.yaml deleted file mode 100644 index a2780270d..000000000 --- a/salt/firewall/portgroups.yaml +++ /dev/null 
@@ -1,116 +0,0 @@ -{% if grains.role == 'so-idh' %} - {% from 'idh/opencanary_config.map.jinja' import OPENCANARYCONFIG %} - {% from 'idh/openssh/map.jinja' import openssh_map %} - {% set idh_services = salt['pillar.get']('idh:services', []) %} - {% set ssh_port = openssh_map.config.port %} -{% else %} - {% set ssh_port = 22 %} -{% endif %} - -firewall: - aliases: - ports: - all: - tcp: - - '0:65535' - udp: - - '0:65535' - acng: - tcp: - - 3142 - agrules: - tcp: - - 7788 - beats_5044: - tcp: - - 5044 - beats_5644: - tcp: - - 5644 - beats_5066: - tcp: - - 5066 - cortex: - tcp: - - 9001 - cortex_es_node: - tcp: - - 9500 - cortex_es_rest: - tcp: - - 9400 - docker_registry: - tcp: - - 5000 - elasticsearch_node: - tcp: - - 9300 - elasticsearch_rest: - tcp: - - 9200 - elastic_agent_control: - tcp: - - 8220 - elastic_agent_data: - tcp: - - 5055 - endgame: - tcp: - - 3765 - influxdb: - tcp: - - 8086 - kibana: - tcp: - - 5601 - minio: - tcp: - - 9595 - mysql: - tcp: - - 3306 - nginx: - tcp: - - 80 - - 443 - playbook: - tcp: - - 3200 - redis: - tcp: - - 6379 - - 9696 - salt_manager: - tcp: - - 4505 - - 4506 - sensoroni: - tcp: - - 443 - ssh: - tcp: - - {{ ssh_port }} - strelka_frontend: - tcp: - - 57314 - syslog: - tcp: - - 514 - udp: - - 514 - yum: - tcp: - - 443 - -{% if idh_services is defined %} - {% for service in idh_services %} - {% if service in ["smnp","ntp", "tftp"] %} - {% set proto = 'udp' %} - {% else %} - {% set proto = 'tcp' %} - {% endif %} - idh_{{service}}: - {{proto}}: - - {{ OPENCANARYCONFIG[service~'.port'] }} - {% endfor %} -{% endif %} From 85339d7cb1e07362e45f0283e143c00e6b3bab31 Mon Sep 17 00:00:00 2001 
From: Mike Reeves Date: Tue, 20 Sep 2022 15:43:34 -0400 Subject: [PATCH 09/25] Add helpLinks to everything --- salt/bpf/soc_bpf.yaml | 3 ++ salt/elastalert/soc_elastalert.yaml | 9 ++++ salt/elasticsearch/soc_elasticsearch.yaml | 15 ++++++ salt/firewall/soc_firewall.yaml | 14 +++++- salt/grafana/soc_grafana.yaml | 11 +++++ salt/idstools/soc_idstools.yaml | 11 ++++- salt/influxdb/soc_influxdb.yaml | 12 ++++- salt/kibana/soc_kibana.yaml | 2 + salt/nginx/soc_nginx.yaml | 5 +- salt/ntp/soc_ntp.yaml | 1 + salt/pcap/soc_pcap.yaml | 11 +++++ salt/soc/soc_soc.yaml | 6 ++- salt/suricata/soc_suricata.yaml | 56 ++++++++++++++++++++++- 13 files changed, 150 insertions(+), 6 deletions(-) diff --git a/salt/bpf/soc_bpf.yaml b/salt/bpf/soc_bpf.yaml index 62395830f..86e4c0ee8 100644 --- a/salt/bpf/soc_bpf.yaml +++ b/salt/bpf/soc_bpf.yaml @@ -1,7 +1,10 @@ bpf: pcap: description: List of BPF filters to apply to PCAP. + helpLink: bpf.html suricata: description: List of BPF filters to apply to Suricata. + helpLink: bpf.html zeek: description: List of BPF filters to apply to Zeek. + helpLink: bpf.html diff --git a/salt/elastalert/soc_elastalert.yaml b/salt/elastalert/soc_elastalert.yaml index 5d9e386e8..0e1d15c5a 100644 --- a/salt/elastalert/soc_elastalert.yaml +++ b/salt/elastalert/soc_elastalert.yaml 
@@ -3,32 +3,41 @@ elastalert: disable_rules_on_error: description: Disable rules on failure. global: True + helpLink: elastalert.html run_every: minutes: description: Amount of time in minutes between searches. global: True + helpLink: elastalert.html buffer_time: minutes: description: Amount of time in minutes to look through. global: True + helpLink: elastalert.html old_query_limit: minutes: description: Amount of time in minutes between queries to start at the most recently run query. global: True + helpLink: elastalert.html es_conn_timeout: description: Timeout in seconds for connecting to and reading from Elasticsearch. global: True + helpLink: elastalert.html max_query_size: description: The maximum number of documents that will be downloaded from Elasticsearch in a single query. global: True + helpLink: elastalert.html alert_time_limit: days: description: The retry window for failed alerts. global: True + helpLink: elastalert.html index_settings: shards: description: The amount of shards to use for elastalert. global: True + helpLink: elastalert.html replicas: description: The amount of replicas for the Elastalert index. global: True + helpLink: elastalert.html diff --git a/salt/elasticsearch/soc_elasticsearch.yaml b/salt/elasticsearch/soc_elasticsearch.yaml index 0e8faf4a2..d82c4adfa 100644 --- a/salt/elasticsearch/soc_elasticsearch.yaml +++ b/salt/elasticsearch/soc_elasticsearch.yaml 
@@ -5,43 +5,54 @@ elasticsearch: description: The name of the Security Onion Elasticsearch cluster, for identification purposes. readonly: True global: True + helpLink: elasticsearch.html routing: allocation: disk: threshold_enabled: description: Specifies whether the Elasticsearch node will monitor the available disk space for low disk space conditions and take action to protect the cluster. + helpLink: elasticsearch.html watermark: low: description: The lower percentage of used disk space representing a healthy node. + helpLink: elasticsearch.html high: description: The higher percentage of used disk space representing an unhealthy node. + helpLink: elasticsearch.html flood_stage: description: The max percentage of used disk space that will cause the node to take protective actions, such as blocking incoming events. + helpLink: elasticsearch.html script: max_compilations_rate: description: Max rate of script compilations permitted in the Elasticsearch cluster. Larger values will consume more resources. global: True + helpLink: elasticsearch.html indices: query: bool: max_clause_count: description: Max number of boolean clauses per query. global: True + helpLink: elasticsearch.html index_settings: so-aws: &indexSettings warm: description: Age (in days) of this index before it will move to warm storage, if warm nodes are present. Once moved, events on this index can take longer to fetch. global: True + helpLink: elasticsearch.html close: description: Age (in days) of this index before it will be closed. Once closed, events on this index cannot be retrieved without first re-opening the index. global: True + helpLink: elasticsearch.html delete: description: Age (in days) of this index before it will be deleted. Once deleted, events are permanently unrecoverable. global: True + helpLink: elasticsearch.html index_sorting: description: Sorts the index by event time, at the cost of additional processing resource consumption. 
global: True + helpLink: elasticsearch.html index_template: template: settings: @@ -51,15 +62,19 @@ elasticsearch: limit: description: Max number of fields that can exist on a single index. Larger values will consume more resources. global: True + helpLink: elasticsearch.html refresh_interval: description: Seconds between index refreshes. Shorter intervals can cause query performance to suffer since this is a synchronous and resource-intensive operation. global: True + helpLink: elasticsearch.html number_of_shards: description: Number of shards required for this index. Using multiple shards increases fault tolerance, but also increases storage and network costs. global: True + helpLink: elasticsearch.html number_of_replicas: description: Number of replicas required for this index. Multiple replicas protects against data loss, while also increasing storage costs. global: True + helpLink: elasticsearch.html so-azure: *indexSettings so-barracuda: *indexSettings so-beats: *indexSettings diff --git a/salt/firewall/soc_firewall.yaml b/salt/firewall/soc_firewall.yaml index 39e8b7354..e630736b3 100644 --- a/salt/firewall/soc_firewall.yaml +++ b/salt/firewall/soc_firewall.yaml 
@@ -5,54 +5,64 @@ firewall: file: True global: True title: Analyst Workstation + helpLink: firewall.html#host-groups analyst: description: List of IP Addresses or CIDR blocks to allow analyst connections. file: True global: True title: Analyst + helpLink: firewall.html#host-groups standalone: description: List of IP Addresses or CIDR blocks to allow standalone connections. file: True global: True title: Standalone advanced: True + helpLink: firewall.html#host-groups eval: description: List of IP Addresses or CIDR blocks to allow eval connections. file: True global: True title: Eval advanced: True + helpLink: firewall.html#host-groups idh: description: List of IP Addresses or CIDR blocks to allow idh connections. file: True global: True title: IDHNode + helpLink: firewall.html#host-groups manager: description: List of IP Addresses or CIDR blocks to allow manager connections. file: True global: True title: Manager advanced: True + helpLink: firewall.html#host-groups heavynodes: description: List of IP Addresses or CIDR blocks to allow heavynode connections. file: True global: True title: HeavyNode + helpLink: firewall.html#host-groups searchnodes: description: List of IP Addresses or CIDR blocks to allow searchnode connections. file: True global: True title: SearchNode + helpLink: firewall.html#host-groups sensors: description: List of IP Addresses or CIDR blocks to allow Sensor connections. file: True global: True title: Sensor + helpLink: firewall.html#host-groups receivers: description: List of IP Addresses or CIDR blocks to allow receiver connections. file: True global: True title: Receiver + helpLink: firewall.html#host-groups portgroups: portgroups__yaml: description: Port Groups @@ -61,6 +71,7 @@ firewall: advanced: True title: Port Groups syntax: yaml + helpLink: firewall.html#function ports: ports__yaml: description: Ports in YAML. 
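Review bot: The anchors on the two new firewall helpLinks look crossed: `portgroups__yaml` in this hunk gets `helpLink: firewall.html#function`, while `ports__yaml` in the following `@@ -68,4 +79,5 @@` hunk gets `firewall.html#port-groups`, so the Port Groups setting links to a section named "function" and the Ports setting links to the port-groups section. If the documentation page has separate sections for port groups and ports, the expected mapping is `helpLink: firewall.html#port-groups` on `portgroups__yaml` and the ports section on `ports__yaml`; if `#function` really is the intended target, a short note on why would spare the next reader the same double-take. The section names cannot be confirmed from the diff alone.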
@@ -68,4 +79,5 @@ firewall: global: True advanced: True title: Ports - syntax: yaml \ No newline at end of file + syntax: yaml + helpLink: firewall.html#port-groups diff --git a/salt/grafana/soc_grafana.yaml b/salt/grafana/soc_grafana.yaml index f9c291a74..5789f6c81 100644 --- a/salt/grafana/soc_grafana.yaml +++ b/salt/grafana/soc_grafana.yaml @@ -4,35 +4,46 @@ grafana: enabled: description: Enable the sending of emails from Grafana. global: True + helpLink: grafana.html host: description: Hostname of the SMTP server. global: True + helpLink: grafana.html user: description: User used to authenticate SMTP. global: True + helpLink: grafana.html password: description: Password used to authenticate SMTP. global: True sensitive: True + helpLink: grafana.html cert_file: description: Location of cert file for SMTP. global: True + helpLink: grafana.html key_file: description: Location of key file for SMTP. global: True + helpLink: grafana.html skip_verify: description: Verify SSL certificates. global: True + helpLink: grafana.html from_address: description: The email address you would like in the from field. global: True + helpLink: grafana.html from_name: description: The name displayed for the from email address. global: True + helpLink: grafana.html ehlo_identity: description: Used with servers with SMTP service extensions. global: True + helpLink: grafana.html enterprise: license_path: description: Path to enterprise license key. global: True + helpLink: grafana.html diff --git a/salt/idstools/soc_idstools.yaml b/salt/idstools/soc_idstools.yaml index 9f1867bb7..383f6b42d 100644 --- a/salt/idstools/soc_idstools.yaml +++ b/salt/idstools/soc_idstools.yaml 
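Review bot: The `skip_verify` entry now carries a helpLink but keeps the description `Verify SSL certificates.`, which reads as the inverse of the key's name; if this maps to Grafana's SMTP `skip_verify` option, a value of `True` disables certificate verification of the mail server, so an operator following the description would enable it expecting the opposite effect. Suggest `description: Skip TLS certificate verification for the SMTP server. Only enable for servers using an untrusted or self-signed certificate.` and, since the option weakens transport security, marking it `advanced: True` like the certificate-related nginx entries in this same series. The rest of the hunk is link-only and looks fine.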
@@ -3,22 +3,28 @@ idstools: oinkcode: description: Enter your registration code for paid rulesets. global: True + helpLink: managing-alerts.html ruleset: description: Define the ruleset you want to run. Options are ETOPEN or ETPRO. global: True + helpLink: managing-alerts.html urls: description: This is a list of additional rule download locations. global: True + helpLink: managing-alerts.html sids: disabled: description: List of disables SIDS. global: True + helpLink: managing-alerts.html enabled: description: List of SIDS that are disabled by the rule source that you want to enable. global: True + helpLink: managing-alerts.html modify: description: List of SIDS that are modified. global: True + helpLink: managing-alerts.html rules: local__rules: description: This is where custom Suricata rules are entered. @@ -26,15 +32,18 @@ idstools: global: True advanced: True title: Local Rules + helpLink: managing-alerts.html filters__rules: description: You can set custom filters for Suricata when using it for meta data creation. file: True global: True advanced: True title: Filter Rules + helpLink: managing-alerts.html extraction__rules: description: This is a list of mime types for file extraction when Suricata is used for meta data creation. file: True global: True advanced: True - title: Extraction Rules \ No newline at end of file + title: Extraction Rules + helpLink: managing-alerts.html \ No newline at end of file diff --git a/salt/influxdb/soc_influxdb.yaml b/salt/influxdb/soc_influxdb.yaml index 8e52e9b02..8bcd4b97a 100644 --- a/salt/influxdb/soc_influxdb.yaml +++ b/salt/influxdb/soc_influxdb.yaml 
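Review bot: The new `helpLink: managing-alerts.html` on `extraction__rules` is appended as the last line but the file still ends without a trailing newline (`\ No newline at end of file` on both sides of the second hunk), so the next addition will again show as a rewrite of this line; the same is left in the influxdb, nginx, soc and suricata hunks of this commit, whereas the firewall hunk fixes it by terminating `syntax: yaml`. Adding the final newline while touching the last line keeps future diffs to one line per change. Separately, the context line `List of disables SIDS` directly above the first new line should read `List of disabled SIDs`; it is not part of this change, but it sits in the entry being edited.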
@@ -3,14 +3,24 @@ influxdb: so_short_term: duration: description: Amount of time to keep short term data. + global: True + helpLink: grafana.html#data shard_duration: description: Time range + global: True + helpLink: grafana.html#data so_long_term: duration: description: Amount of time to keep long term downsampled data. + global: True + helpLink: grafana.html#data shard_duration: description: Amount of the time range covered by the shard group. + global: True + helpLink: grafana.html#data downsample: so_long_term: resolution: - description: Amount of time to turn into a single data point. \ No newline at end of file + description: Amount of time to turn into a single data point. + global: True + helpLink: grafana.html#data \ No newline at end of file diff --git a/salt/kibana/soc_kibana.yaml b/salt/kibana/soc_kibana.yaml index dd0e87734..fe6c9525c 100644 --- a/salt/kibana/soc_kibana.yaml +++ b/salt/kibana/soc_kibana.yaml @@ -3,3 +3,5 @@ kibana: elasticsearch: requestTimeout: description: Request timeout length. + global: True + helpLink: kibana.html diff --git a/salt/nginx/soc_nginx.yaml b/salt/nginx/soc_nginx.yaml index d5811654e..54b57c22a 100644 --- a/salt/nginx/soc_nginx.yaml +++ b/salt/nginx/soc_nginx.yaml @@ -5,15 +5,18 @@ nginx: global: True advanced: True title: Replace Default Cert + helpLink: nginx.html ssl__key: description: Paste your .key file here file: True title: SSL Key File advanced: True global: True + helpLink: nginx.html ssl__crt: description: Paste your .crt file here file: True title: SSL Cert File advanced: True - global: True \ No newline at end of file + global: True + helpLink: nginx.html \ No newline at end of file diff --git a/salt/ntp/soc_ntp.yaml b/salt/ntp/soc_ntp.yaml index 01484d714..1b75099a1 100644 --- a/salt/ntp/soc_ntp.yaml +++ b/salt/ntp/soc_ntp.yaml @@ -3,3 +3,4 @@ ntp: servers: description: NTP Server List title: NTP Servers + helpLink: ntp.html 
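Review bot: Besides the helpLinks, this hunk adds `global: True` to all five retention and downsample settings, the kibana hunk does the same for `requestTimeout`, and the pcap hunk adds `advanced: True` to `pin_to_cpu` and `cpus_to_pin_to`; none of that is covered by the commit title "Add helpLinks to everything". If `global` means the value can only be set fleet-wide rather than per node (the pattern the other soc_*.yaml files suggest), these lines remove per-node overrides for retention and query-timeout settings, which is a behavioural change worth a sentence in the message or its own commit so it can be reviewed on its own. The helpLink values themselves are consistent (`grafana.html#data` for every influxdb entry, `kibana.html` for kibana).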
diff --git a/salt/pcap/soc_pcap.yaml b/salt/pcap/soc_pcap.yaml index 321e93713..e25b1253b 100644 --- a/salt/pcap/soc_pcap.yaml +++ b/salt/pcap/soc_pcap.yaml @@ -1,24 +1,35 @@ pcap: enabled: description: Enable or Disable Stenographer on all sensors or a single sensor + helpLink: pcap.html config: maxdirectoryfiles: description: The maximum number of packet/index files to create before deleting old files. The default is about 8 days regardless of free space. + helpLink: pcap.html diskfreepercentage: description: The disk space percent to always keep free for pcap + helpLink: pcap.html blocks: description: The number of 1MB packet blocks used by AF_PACKET to store packets in memory, per thread. You shouldn't need to change this. advanced: True + helpLink: pcap.html preallocate_file_mb: description: File size to pre-allocate for individual pcap files. You shouldn't need to change this. advanced: True + helpLink: pcap.html aiops: description: The max number of async writes to allow at once. advanced: True + helpLink: pcap.html pin_to_cpu: description: Enable CPU pinning for PCAP. + advanced: True + helpLink: pcap.html cpus_to_pin_to: description: CPU to pin PCAP to. Currently only a single CPU is supported + advanced: True + helpLink: pcap.html disks: description: List of disks to use for PCAP. This is currently not used. advanced: True + helpLink: pcap.html diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml index f16f5da87..848fa7091 100644 --- a/salt/soc/soc_soc.yaml +++ b/salt/soc/soc_soc.yaml 
@@ -7,21 +7,25 @@ soc: file: True global: True syntax: md + helpLink: soc.html motd__md: title: Overview Page description: Customize the overview page with specific markdown-formatted content. Images can be used but must be hosted from another host that is accessible by the users' browser. file: True global: True syntax: md + helpLink: soc.html custom__js: title: Custom Javascript description: Customize SOC UI behavior with custom Javascript code. Custom Javascript not provided by Security Onion Solutions is unsupported, and should be removed prior to requesting support and prior to performing upgrades. file: True global: True advanced: True + helpLink: soc.html custom_roles: title: Custom Roles description: Customize role and permission mappings. Changes to this setting requires a complete understanding of the SOC RBAC system. file: True global: True - advanced: True \ No newline at end of file + advanced: True + helpLink: soc.html \ No newline at end of file diff --git a/salt/suricata/soc_suricata.yaml b/salt/suricata/soc_suricata.yaml index 251de8663..6eae3b37d 100644 --- a/salt/suricata/soc_suricata.yaml +++ b/salt/suricata/soc_suricata.yaml 
@@ -5,125 +5,179 @@ suricata: file: True syntax: yaml title: SIDS + helpLink: suricata.html config: vars: address-groups: HOME_NET: description: List of hosts or netowrks. + helpLink: suricata.html EXTERNAL_NET: description: List of hosts or netowrks. + helpLink: suricata.html HTTP_SERVERS: description: List of hosts or netowrks. + helpLink: suricata.html SMTP_SERVERS: description: List of hosts or netowrks. + helpLink: suricata.html SQL_SERVERS: description: List of hosts or netowrks. + helpLink: suricata.html DNS_SERVERS: description: List of hosts or netowrks. + helpLink: suricata.html TELNET_SERVERS: description: List of hosts or netowrks. + helpLink: suricata.html AIM_SERVERS: description: List of hosts or netowrks. + helpLink: suricata.html DC_SERVERS: description: List of hosts or netowrks. + helpLink: suricata.html DNP3_SERVER: description: List of hosts or netowrks. + helpLink: suricata.html DNP3_CLIENT: description: List of hosts or netowrks. + helpLink: suricata.html MODBUS_CLIENT: description: List of hosts or netowrks. + helpLink: suricata.html MODBUS_SERVER: description: List of hosts or netowrks. + helpLink: suricata.html ENIP_CLIENT: description: List of hosts or netowrks. + helpLink: suricata.html ENIP_SERVER: description: List of hosts or netowrks. + helpLink: suricata.html port-groups: HTTP_PORTS: description: List of HTTP ports to look for HTTP traffic on. + helpLink: suricata.html SHELLCODE_PORTS: description: List of SHELLCODE ports to look for SHELLCODE traffic on. + helpLink: suricata.html ORACLE_PORTS: description: List of ORACLE ports to look for ORACLE traffic on. + helpLink: suricata.html SSH_PORTS: description: List of SSH ports to look for SSH traffic on. + helpLink: suricata.html DNP3_PORTS: description: List of DNP3 ports to look for DNP3 traffic on. + helpLink: suricata.html MODBUS_PORTS: description: List of MODBUS ports to look for MODBUS traffic on. 
+ helpLink: suricata.html FILE_DATA_PORTS: description: List of FILE_DATA ports to look for FILE_DATA traffic on. + helpLink: suricata.html FTP_PORTS: description: List of FTP ports to look for FTP traffic on. + helpLink: suricata.html VXLAN_PORTS: description: List of VXLAN ports to look for VXLAN traffic on. + helpLink: suricata.html TEREDO_PORTS: description: List of TEREDO ports to look for TEREDO traffic on. + helpLink: suricata.html outputs: eve-log: xff: enabled: description: Enable X-Forward-For support. + helpLink: suricata.html mode: description: Operation mode. This should always be extra-data if you use PCAP. + helpLink: suricata.html deployment: description: forward would use the first IP address and reverse would use the last. + helpLink: suricata.html header: description: Header name where the actual IP address will be reported. + helpLink: suricata.html asn1-max-frames: description: Maximum nuber of asn1 frames to decode. + helpLink: suricata.html max-pending-packets: description: Number of packets preallocated per thread. + helpLink: suricata.html default-packet-size: description: Preallocated size for each packet. + helpLink: suricata.html pcre: match-limit: description: Match limit for PCRE. + helpLink: suricata.html match-limit-recursion: description: Recursion limit for PCRE. + helpLink: suricata.html defrag: memcap: description: Max memory to use for defrag. You should only change this if you know what you are doing. + helpLink: suricata.html hash-size: description: Hash size + helpLink: suricata.html trackers: description: Number of defragmented flows to follow. + helpLink: suricata.html max-frags: description: Max number of fragments to keep + helpLink: suricata.html prealloc: description: Preallocate memory. + helpLink: suricata.html timeout: description: Timeout value. + helpLink: suricata.html flow: memcap: description: Reserverd memory for flows. 
+ helpLink: suricata.html hash-size: description: Determines the size of the hash used to identify flows inside the engine. + helpLink: suricata.html prealloc: description: Number of preallocated flows. + helpLink: suricata.html stream: memcap: description: Can be specified in kb,mb,gb. + helpLink: suricata.html checksum-validation: description: Validate checksum of packets. + helpLink: suricata.html reassembly: memcap: description: Can be specified in kb,mb,gb. + helpLink: suricata.html host: hash-size: description: Hash size in bytes. + helpLink: suricata.html prealloc: description: How many streams to preallocate. + helpLink: suricata.html memcap: description: Memory settings for host. + helpLink: suricata.html decoder: teredo: enabled: description: Enable TEREDO capabilities + helpLink: suricata.html ports: description: Ports to listen for. This should be a variable. + helpLink: suricata.html vxlan: enabled: description: Enable VXLAN capabilities. + helpLink: suricata.html ports: - description: Ports to listen for. This should be a variable. \ No newline at end of file + description: Ports to listen for. This should be a variable. + helpLink: suricata.html \ No newline at end of file From 2995ae32bd300acfc5e9f4727a64cdace33811e8 Mon Sep 17 00:00:00 2001 
From: m0duspwnens Date: Thu, 22 Sep 2022 10:49:26 -0400 Subject: [PATCH 10/25] 2.4 fw changes --- files/firewall/portgroups.local.yaml | 3 +- salt/firewall/assigned_hostgroups.map.yaml | 40 +++--- salt/firewall/hostgroups/beats_endpoint | 0 salt/firewall/hostgroups/beats_endpoint_ssl | 0 .../hostgroups/elastic_agent_endpoint | 0 salt/firewall/hostgroups/elasticsearch_rest | 0 salt/firewall/hostgroups/endgame | 0 salt/firewall/hostgroups/minion | 0 salt/firewall/hostgroups/strelka_frontend | 0 salt/firewall/hostgroups/syslog | 0 salt/firewall/init.sls | 2 +- salt/firewall/map.jinja | 33 ++++- salt/firewall/portgroups.yaml | 116 ------------------ 13 files changed, 52 insertions(+), 142 deletions(-) create mode 100644 salt/firewall/hostgroups/beats_endpoint create mode 100644 salt/firewall/hostgroups/beats_endpoint_ssl create mode 100644 salt/firewall/hostgroups/elastic_agent_endpoint create mode 100644 salt/firewall/hostgroups/elasticsearch_rest create mode 100644 salt/firewall/hostgroups/endgame create mode 100644 salt/firewall/hostgroups/minion create mode 100644 salt/firewall/hostgroups/strelka_frontend create mode 100644 salt/firewall/hostgroups/syslog delete mode 100644 salt/firewall/portgroups.yaml
diff --git a/files/firewall/portgroups.local.yaml b/files/firewall/portgroups.local.yaml
index 300d2ecda..8b37ee951 100644
--- a/files/firewall/portgroups.local.yaml
+++ b/files/firewall/portgroups.local.yaml
@@ -1,3 +1,2 @@
firewall:
- aliases:
- ports:
\ No newline at end of file
+ ports:
diff --git a/salt/firewall/assigned_hostgroups.map.yaml b/salt/firewall/assigned_hostgroups.map.yaml
index 7f8c01910..a25265c77 100644
--- a/salt/firewall/assigned_hostgroups.map.yaml
+++ b/salt/firewall/assigned_hostgroups.map.yaml
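Review bot: The local override file drops the `aliases` level (`firewall:` now holds `ports:` directly), but the consumer at the end of this patch, the map.jinja hunk, still reads `local_portgroups.firewall.aliases.ports` in both its `{% if %}` test and the `{% set %}` that follows; only the `default_portgroups` lookup was moved to `.firewall.ports`. With the new file shape `aliases` resolves to undefined, so depending on how the Salt Jinja renderer is configured the firewall state either fails to render or the operator-defined local port groups are silently left out of the generated rule set. Both references should follow the new layout: `{% if local_portgroups.firewall.ports %}` and `{% set local_portgroups = local_portgroups.firewall.ports %}`. The map.jinja hunk runs past the visible end of the diff, and the new default path `firewall/ports/ports.yaml` is not in this patch's diffstat, so it is presumably created earlier in the series; neither could be checked here.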
@@ -27,16 +27,16 @@ role: - {{ portgroups.docker_registry }} - {{ portgroups.influxdb }} - {{ portgroups.sensoroni }} - sensor: + sensors: portgroups: - {{ portgroups.beats_5044 }} - {{ portgroups.beats_5644 }} - search_node: + searchnodes: portgroups: - {{ portgroups.redis }} - {{ portgroups.minio }} - {{ portgroups.elasticsearch_node }} - heavy_node: + heavynodes: portgroups: - {{ portgroups.redis }} - {{ portgroups.minio }} @@ -109,17 +109,17 @@ role: {% if ISAIRGAP is sameas true %} - {{ portgroups.yum }} {% endif %} - sensor: + sensors: portgroups: - {{ portgroups.beats_5044 }} - {{ portgroups.beats_5644 }} - search_node: + searchnodes: portgroups: - {{ portgroups.redis }} - {{ portgroups.minio }} - {{ portgroups.elasticsearch_node }} - {{ portgroups.beats_5644 }} - heavy_node: + heavynodes: portgroups: - {{ portgroups.redis }} - {{ portgroups.minio }} @@ -184,16 +184,16 @@ role: - {{ portgroups.influxdb }} - {{ portgroups.sensoroni }} - {{ portgroups.yum }} - sensor: + sensors: portgroups: - {{ portgroups.beats_5044 }} - {{ portgroups.beats_5644 }} - search_node: + searchnodes: portgroups: - {{ portgroups.redis }} - {{ portgroups.minio }} - {{ portgroups.elasticsearch_node }} - heavy_node: + heavynodes: portgroups: - {{ portgroups.redis }} - {{ portgroups.minio }} @@ -260,17 +260,17 @@ role: - {{ portgroups.docker_registry }} - {{ portgroups.influxdb }} - {{ portgroups.sensoroni }} - - {{ portgroups.yum }} - sensor: + - {{ portgroups.yum }} + sensors: portgroups: - {{ portgroups.beats_5044 }} - {{ portgroups.beats_5644 }} - search_node: + searchnodes: portgroups: - {{ portgroups.redis }} - {{ portgroups.minio }} - {{ portgroups.elasticsearch_node }} - heavy_node: + heavynodes: portgroups: - {{ portgroups.redis }} - {{ portgroups.minio }} 
@@ -339,11 +339,11 @@ role: - {{ portgroups.docker_registry }} - {{ portgroups.influxdb }} - {{ portgroups.sensoroni }} - sensor: + sensors: portgroups: - {{ portgroups.beats_5044 }} - {{ portgroups.beats_5644 }} - search_node: + searchnodes: portgroups: - {{ portgroups.redis }} - {{ portgroups.elasticsearch_node }} @@ -386,7 +386,7 @@ role: portgroups: - {{ portgroups.elasticsearch_rest }} {% if TRUE_CLUSTER %} - search_node: + searchnodes: portgroups: - {{ portgroups.elasticsearch_node }} {% endif %} @@ -472,11 +472,11 @@ role: portgroups: - {{ portgroups.docker_registry }} - {{ portgroups.sensoroni }} - sensor: + sensors: portgroups: - {{ portgroups.beats_5044 }} - {{ portgroups.beats_5644 }} - search_node: + searchnodes: portgroups: - {{ portgroups.redis }} - {{ portgroups.elasticsearch_node }} @@ -511,10 +511,10 @@ role: chain: DOCKER-USER: hostgroups: - sensor: + sensors: portgroups: - {{ portgroups.beats_5644 }} - search_node: + searchnodes: portgroups: - {{ portgroups.redis }} - {{ portgroups.beats_5644 }} diff --git a/salt/firewall/hostgroups/beats_endpoint b/salt/firewall/hostgroups/beats_endpoint new file mode 100644 index 000000000..e69de29bb diff --git a/salt/firewall/hostgroups/beats_endpoint_ssl b/salt/firewall/hostgroups/beats_endpoint_ssl new file mode 100644 index 000000000..e69de29bb diff --git a/salt/firewall/hostgroups/elastic_agent_endpoint b/salt/firewall/hostgroups/elastic_agent_endpoint new file mode 100644 index 000000000..e69de29bb diff --git a/salt/firewall/hostgroups/elasticsearch_rest b/salt/firewall/hostgroups/elasticsearch_rest new file mode 100644 index 000000000..e69de29bb diff --git a/salt/firewall/hostgroups/endgame b/salt/firewall/hostgroups/endgame new file mode 100644 index 000000000..e69de29bb diff --git a/salt/firewall/hostgroups/minion b/salt/firewall/hostgroups/minion new file mode 100644 index 000000000..e69de29bb 
diff --git a/salt/firewall/hostgroups/strelka_frontend b/salt/firewall/hostgroups/strelka_frontend new file mode 100644 index 000000000..e69de29bb diff --git a/salt/firewall/hostgroups/syslog b/salt/firewall/hostgroups/syslog new file mode 100644 index 000000000..e69de29bb diff --git a/salt/firewall/init.sls b/salt/firewall/init.sls index 1d6ba350f..42aad75c6 100644 --- a/salt/firewall/init.sls +++ b/salt/firewall/init.sls @@ -144,4 +144,4 @@ iptables_drop_all_the_things: test.fail_without_changes: - name: {{sls}}_state_not_allowed -{% endif %} \ No newline at end of file +{% endif %} diff --git a/salt/firewall/map.jinja b/salt/firewall/map.jinja index 2c7d03225..45e2989e2 100644 --- a/salt/firewall/map.jinja +++ b/salt/firewall/map.jinja @@ -1,8 +1,8 @@ {% set role = grains.id.split('_') | last %} {% set translated_pillar_assigned_hostgroups = {} %} -{% import_yaml 'firewall/portgroups.yaml' as default_portgroups %} -{% set default_portgroups = default_portgroups.firewall.aliases.ports %} +{% import_yaml 'firewall/ports/ports.yaml' as default_portgroups %} +{% set default_portgroups = default_portgroups.firewall.ports %} {% import_yaml 'firewall/portgroups.local.yaml' as local_portgroups %} {% if local_portgroups.firewall.aliases.ports %} {% set local_portgroups = local_portgroups.firewall.aliases.ports %} 
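Review bot: The condition two lines below the change, `{% if local_portgroups.firewall.aliases.ports %}`, still dereferences `aliases`, which the portgroups.local.yaml hunk in this same patch removes, so rendering the firewall map would fail on the undefined attribute (unless Salt's undefined handling is lenient here) as soon as the local file is loaded; the check and the following `set` should read `local_portgroups.firewall.ports`. The new import path `firewall/ports/ports.yaml` does not appear in this patch's diffstat, so the state depends on that file already existing — worth confirming before merge. The `{% endif %}` and the rest of the template lie outside the hunk.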
@@ -13,7 +13,34 @@ {% set defined_portgroups = portgroups %} {% import_yaml 'firewall/hostgroups.yaml' as default_hostgroups %} -{% import_yaml 'firewall/hostgroups.local.yaml' as local_hostgroups %} +{#% import_yaml 'firewall/hostgroups.local.yaml' as local_hostgroups %#} +{% set local_hostgroups = {'firewall': {'hostgroups': {}}} %} +{% set hostgroup_list = [ + 'analyst', + 'analyst_workstations', + 'eval', + 'heavynodes', + 'idh', + 'manager', + 'minion', + 'receivers', + 'searchnodes', + 'sensors', + 'standalone', + 'beats_endpoint', + 'beats_endpoint_ssl', + 'elasticsearch_rest', + 'elastic_agent_endpoint', + 'endgame', + 'strelka_frontend', + 'syslog' + ] +%} +{% for hg in hostgroup_list %} +{% import_text 'firewall/hostgroups/' ~ hg as hg_ips %} +{% do local_hostgroups.firewall.hostgroups.update({hg: {'ips': {'insert': hg_ips.split(), 'delete': []}}}) %} +{% endfor %} + {% set hostgroups = salt['defaults.merge'](default_hostgroups.firewall.hostgroups, local_hostgroups.firewall.hostgroups, in_place=False) %} {# This block translate the portgroups defined in the pillar to what is defined my portgroups.yaml and portgroups.local.yaml #} diff --git a/salt/firewall/portgroups.yaml b/salt/firewall/portgroups.yaml deleted file mode 100644 index a2780270d..000000000 --- a/salt/firewall/portgroups.yaml +++ /dev/null 
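Review bot: Every token read from the hostgroup files flows into the `insert` list unchecked: `hg_ips.split()` accepts any whitespace-separated string, and these files are exposed as editable (`file: True`) in soc_firewall.yaml later in this series, so a malformed or unintended line becomes a firewall rule at the next highstate instead of an error; validate each token as an IPv4 address or CIDR in this loop (or fail the render on a bad one) so the template enforces the format, not only so-firewall. `import_text` on a missing file aborts the render, and the hard-coded `hostgroup_list` names `heavynodes`, `receivers`, `searchnodes`, `sensors` and `analyst_workstations` while the files are only renamed to those names in a later patch of this series — the list and the directory contents must be kept in lockstep, so a comment saying so above the list would help. The disabled import is left behind as `{#% import_yaml 'firewall/hostgroups.local.yaml' as local_hostgroups %#}`; delete it rather than commenting it out.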
@@ -1,116 +0,0 @@ -{% if grains.role == 'so-idh' %} - {% from 'idh/opencanary_config.map.jinja' import OPENCANARYCONFIG %} - {% from 'idh/openssh/map.jinja' import openssh_map %} - {% set idh_services = salt['pillar.get']('idh:services', []) %} - {% set ssh_port = openssh_map.config.port %} -{% else %} - {% set ssh_port = 22 %} -{% endif %} - -firewall: - aliases: - ports: - all: - tcp: - - '0:65535' - udp: - - '0:65535' - acng: - tcp: - - 3142 - agrules: - tcp: - - 7788 - beats_5044: - tcp: - - 5044 - beats_5644: - tcp: - - 5644 - beats_5066: - tcp: - - 5066 - cortex: - tcp: - - 9001 - cortex_es_node: - tcp: - - 9500 - cortex_es_rest: - tcp: - - 9400 - docker_registry: - tcp: - - 5000 - elasticsearch_node: - tcp: - - 9300 - elasticsearch_rest: - tcp: - - 9200 - elastic_agent_control: - tcp: - - 8220 - elastic_agent_data: - tcp: - - 5055 - endgame: - tcp: - - 3765 - influxdb: - tcp: - - 8086 - kibana: - tcp: - - 5601 - minio: - tcp: - - 9595 - mysql: - tcp: - - 3306 - nginx: - tcp: - - 80 - - 443 - playbook: - tcp: - - 3200 - redis: - tcp: - - 6379 - - 9696 - salt_manager: - tcp: - - 4505 - - 4506 - sensoroni: - tcp: - - 443 - ssh: - tcp: - - {{ ssh_port }} - strelka_frontend: - tcp: - - 57314 - syslog: - tcp: - - 514 - udp: - - 514 - yum: - tcp: - - 443 - -{% if idh_services is defined %} - {% for service in idh_services %} - {% if service in ["smnp","ntp", "tftp"] %} - {% set proto = 'udp' %} - {% else %} - {% set proto = 'tcp' %} - {% endif %} - idh_{{service}}: - {{proto}}: - - {{ OPENCANARYCONFIG[service~'.port'] }} - {% endfor %} -{% endif %} From 06d3681cec98a834a60ea521ac8f986da0337d82 Mon Sep 17 00:00:00 2001 
From: m0duspwnens Date: Thu, 22 Sep 2022 13:39:10 -0400 Subject: [PATCH 11/25] 2.4/firewall --- .../assigned_hostgroups.local.map.yaml | 8 ++-- salt/firewall/assigned_hostgroups.map.yaml | 38 ++----------------- salt/firewall/hostgroups.yaml | 23 +++++++++++ ...alyst_workstation => analyst_workstations} | 0 .../hostgroups/{heavynode => heavynodes} | 0 .../hostgroups/{receiver => receivers} | 0 .../hostgroups/{searchnode => searchnodes} | 0 salt/firewall/map.jinja | 4 +- 8 files changed, 32 insertions(+), 41 deletions(-) create mode 100644 salt/firewall/hostgroups.yaml rename salt/firewall/hostgroups/{analyst_workstation => analyst_workstations} (100%) rename salt/firewall/hostgroups/{heavynode => heavynodes} (100%) rename salt/firewall/hostgroups/{receiver => receivers} (100%) rename salt/firewall/hostgroups/{searchnode => searchnodes} (100%) diff --git a/files/firewall/assigned_hostgroups.local.map.yaml b/files/firewall/assigned_hostgroups.local.map.yaml index 3f30fc367..9a758161c 100644 --- a/files/firewall/assigned_hostgroups.local.map.yaml +++ b/files/firewall/assigned_hostgroups.local.map.yaml @@ -1,8 +1,8 @@ -{% import_yaml 'firewall/portgroups.yaml' as default_portgroups %} -{% set default_portgroups = default_portgroups.firewall.aliases.ports %} +{% import_yaml 'firewall/ports/ports.yaml' as default_portgroups %} +{% set default_portgroups = default_portgroups.firewall.ports %} {% import_yaml 'firewall/portgroups.local.yaml' as local_portgroups %} -{% if local_portgroups.firewall.aliases.ports %} - {% set local_portgroups = local_portgroups.firewall.aliases.ports %} +{% if local_portgroups.firewall.ports %} + {% set local_portgroups = local_portgroups.firewall.ports %} {% else %} {% set local_portgroups = {} %} {% endif %} diff --git a/salt/firewall/assigned_hostgroups.map.yaml b/salt/firewall/assigned_hostgroups.map.yaml index a25265c77..f12cfc634 100644 --- a/salt/firewall/assigned_hostgroups.map.yaml +++ b/salt/firewall/assigned_hostgroups.map.yaml 
@@ -1,7 +1,7 @@ {% set ISAIRGAP = salt['pillar.get']('global:airgap', 'False') %} -{% import_yaml 'firewall/portgroups.yaml' as portgroups %} -{% set portgroups = portgroups.firewall.aliases.ports %} -{% set TRUE_CLUSTER = salt['pillar.get']('elasticsearch:true_cluster', False) %} +{% import_yaml 'firewall/ports/ports.yaml' as portgroups %} +{% set portgroups = portgroups.firewall.ports %} +{% set TRUE_CLUSTER = salt['pillar.get']('elasticsearch:true_cluster', True) %} role: eval: @@ -14,16 +14,11 @@ role: - {{ portgroups.mysql }} - {{ portgroups.kibana }} - {{ portgroups.redis }} - - {{ portgroups.minio }} - {{ portgroups.influxdb }} - - {{ portgroups.cortex }} - {{ portgroups.elasticsearch_rest }} - {{ portgroups.elasticsearch_node }} - - {{ portgroups.cortex_es_rest }} - - {{ portgroups.cortex_es_node }} minion: portgroups: - - {{ portgroups.acng }} - {{ portgroups.docker_registry }} - {{ portgroups.influxdb }} - {{ portgroups.sensoroni }} @@ -34,12 +29,10 @@ role: searchnodes: portgroups: - {{ portgroups.redis }} - - {{ portgroups.minio }} - {{ portgroups.elasticsearch_node }} heavynodes: portgroups: - {{ portgroups.redis }} - - {{ portgroups.minio }} - {{ portgroups.elasticsearch_node }} self: portgroups: @@ -90,19 +83,14 @@ role: - {{ portgroups.mysql }} - {{ portgroups.kibana }} - {{ portgroups.redis }} - - {{ portgroups.minio }} - {{ portgroups.influxdb }} - - {{ portgroups.cortex }} - {{ portgroups.elasticsearch_rest }} - {{ portgroups.elasticsearch_node }} - - {{ portgroups.cortex_es_rest }} - - {{ portgroups.cortex_es_node }} {% if ISAIRGAP is sameas true %} - {{ portgroups.agrules }} {% endif %} minion: portgroups: - - {{ portgroups.acng }} - {{ portgroups.docker_registry }} - {{ portgroups.influxdb }} - {{ portgroups.sensoroni }} 
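Review bot: The fallback for `elasticsearch:true_cluster` flips from `False` to `True` in the first hunk, which is unrelated to the port-path change around it and is not mentioned in the commit message; when the pillar key is absent, the `{% if TRUE_CLUSTER %}` block guarding the `searchnodes` / `elasticsearch_node` entry further down this file now opens that port group by default. A firewall map should fail closed when configuration is missing, so keep `{% set TRUE_CLUSTER = salt['pillar.get']('elasticsearch:true_cluster', False) %}` or make the widened default an explicit, documented decision.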
@@ -116,13 +104,11 @@ role: searchnodes: portgroups: - {{ portgroups.redis }} - - {{ portgroups.minio }} - {{ portgroups.elasticsearch_node }} - {{ portgroups.beats_5644 }} heavynodes: portgroups: - {{ portgroups.redis }} - - {{ portgroups.minio }} - {{ portgroups.elasticsearch_node }} - {{ portgroups.beats_5644 }} self: @@ -170,16 +156,11 @@ role: - {{ portgroups.mysql }} - {{ portgroups.kibana }} - {{ portgroups.redis }} - - {{ portgroups.minio }} - {{ portgroups.influxdb }} - - {{ portgroups.cortex }} - {{ portgroups.elasticsearch_rest }} - {{ portgroups.elasticsearch_node }} - - {{ portgroups.cortex_es_rest }} - - {{ portgroups.cortex_es_node }} minion: portgroups: - - {{ portgroups.acng }} - {{ portgroups.docker_registry }} - {{ portgroups.influxdb }} - {{ portgroups.sensoroni }} @@ -191,12 +172,10 @@ role: searchnodes: portgroups: - {{ portgroups.redis }} - - {{ portgroups.minio }} - {{ portgroups.elasticsearch_node }} heavynodes: portgroups: - {{ portgroups.redis }} - - {{ portgroups.minio }} - {{ portgroups.elasticsearch_node }} self: portgroups: @@ -247,16 +226,11 @@ role: - {{ portgroups.mysql }} - {{ portgroups.kibana }} - {{ portgroups.redis }} - - {{ portgroups.minio }} - {{ portgroups.influxdb }} - - {{ portgroups.cortex }} - {{ portgroups.elasticsearch_rest }} - {{ portgroups.elasticsearch_node }} - - {{ portgroups.cortex_es_rest }} - - {{ portgroups.cortex_es_node }} minion: portgroups: - - {{ portgroups.acng }} - {{ portgroups.docker_registry }} - {{ portgroups.influxdb }} - {{ portgroups.sensoroni }} @@ -268,12 +242,10 @@ role: searchnodes: portgroups: - {{ portgroups.redis }} - - {{ portgroups.minio }} - {{ portgroups.elasticsearch_node }} heavynodes: portgroups: - {{ portgroups.redis }} - - {{ portgroups.minio }} - {{ portgroups.elasticsearch_node }} self: portgroups: 
@@ -328,14 +300,10 @@ role: - {{ portgroups.kibana }} - {{ portgroups.redis }} - {{ portgroups.influxdb }} - - {{ portgroups.cortex }} - {{ portgroups.elasticsearch_rest }} - {{ portgroups.elasticsearch_node }} - - {{ portgroups.cortex_es_rest }} - - {{ portgroups.cortex_es_node }} minion: portgroups: - - {{ portgroups.acng }} - {{ portgroups.docker_registry }} - {{ portgroups.influxdb }} - {{ portgroups.sensoroni }} diff --git a/salt/firewall/hostgroups.yaml b/salt/firewall/hostgroups.yaml new file mode 100644 index 000000000..d34a4bc0d --- /dev/null +++ b/salt/firewall/hostgroups.yaml @@ -0,0 +1,23 @@ +{%- set DNET = salt['pillar.get']('global:dockernet', '172.17.0.0') %} +firewall: + hostgroups: + anywhere: + ips: + delete: + insert: + - 0.0.0.0/0 + dockernet: + ips: + delete: + insert: + - {{ DNET }}/24 + localhost: + ips: + delete: + insert: + - 127.0.0.1 + self: + ips: + delete: + insert: + - {{ salt['grains.get']('ip_interfaces').get(salt['pillar.get']('sensor:mainint', salt['pillar.get']('manager:mainint', salt['pillar.get']('elasticsearch:mainint', salt['pillar.get']('host:mainint')))))[0] }} diff --git a/salt/firewall/hostgroups/analyst_workstation b/salt/firewall/hostgroups/analyst_workstations similarity index 100% rename from salt/firewall/hostgroups/analyst_workstation rename to salt/firewall/hostgroups/analyst_workstations diff --git a/salt/firewall/hostgroups/heavynode b/salt/firewall/hostgroups/heavynodes similarity index 100% rename from salt/firewall/hostgroups/heavynode rename to salt/firewall/hostgroups/heavynodes diff --git a/salt/firewall/hostgroups/receiver b/salt/firewall/hostgroups/receivers similarity index 100% rename from salt/firewall/hostgroups/receiver rename to salt/firewall/hostgroups/receivers diff --git a/salt/firewall/hostgroups/searchnode b/salt/firewall/hostgroups/searchnodes similarity index 100% rename from salt/firewall/hostgroups/searchnode rename to salt/firewall/hostgroups/searchnodes 
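Review bot: In the new hostgroups.yaml the `self` entry indexes `salt['grains.get']('ip_interfaces').get(<mainint>)[0]`: the `ip_interfaces` grain lists both IPv4 and IPv6 addresses per interface, so element 0 is not guaranteed to be the IPv4 address the rest of the map expects, and when the interface name is absent `.get()` yields `None` and the subscript raises, failing the render with an unhelpful error. Resolving the interface once and reading the `ip4_interfaces` grain is more robust, e.g. `{%- set MAININT = salt['pillar.get']('sensor:mainint', salt['pillar.get']('manager:mainint', salt['pillar.get']('elasticsearch:mainint', salt['pillar.get']('host:mainint')))) %}` followed by `- {{ salt['grains.get']('ip4_interfaces').get(MAININT, [])[0] }}`, with a short comment stating that a missing interface is meant to abort the render rather than insert a wrong address. Failing closed here is the right behaviour; it just deserves to be stated.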
diff --git a/salt/firewall/map.jinja b/salt/firewall/map.jinja index 45e2989e2..0cce4cd99 100644 --- a/salt/firewall/map.jinja +++ b/salt/firewall/map.jinja @@ -4,8 +4,8 @@ {% import_yaml 'firewall/ports/ports.yaml' as default_portgroups %} {% set default_portgroups = default_portgroups.firewall.ports %} {% import_yaml 'firewall/portgroups.local.yaml' as local_portgroups %} -{% if local_portgroups.firewall.aliases.ports %} - {% set local_portgroups = local_portgroups.firewall.aliases.ports %} +{% if local_portgroups.firewall.ports %} + {% set local_portgroups = local_portgroups.firewall.ports %} {% else %} {% set local_portgroups = {} %} {% endif %} From abee5afd7b037146d9886cb8891ab85e025b2d09 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Thu, 22 Sep 2022 15:40:52 -0400 Subject: [PATCH 12/25] adjust standalone firewall assigned_hostgroups --- salt/firewall/assigned_hostgroups.map.yaml | 39 +++++++++++++++++++++- 1 file changed, 38 insertions(+), 1 deletion(-) diff --git a/salt/firewall/assigned_hostgroups.map.yaml b/salt/firewall/assigned_hostgroups.map.yaml index f12cfc634..1d39b6a0d 100644 --- a/salt/firewall/assigned_hostgroups.map.yaml +++ b/salt/firewall/assigned_hostgroups.map.yaml @@ -220,7 +220,7 @@ role: chain: DOCKER-USER: hostgroups: - manager: + standalone: portgroups: - {{ portgroups.playbook }} - {{ portgroups.mysql }} @@ -229,6 +229,18 @@ role: - {{ portgroups.influxdb }} - {{ portgroups.elasticsearch_rest }} - {{ portgroups.elasticsearch_node }} + - {{ portgroups.docker_registry }} + - {{ portgroups.influxdb }} + - {{ portgroups.sensoroni }} + - {{ portgroups.yum }} + - {{ portgroups.beats_5044 }} + - {{ portgroups.beats_5644 }} + - {{ portgroups.redis }} + - {{ portgroups.elasticsearch_node }} + - {{ portgroups.elastic_agent_control }} + - {{ portgroups.elastic_agent_data }} + - {{ portgroups.endgame }} + - {{ portgroups.strelka_frontend }} minion: portgroups: - {{ portgroups.docker_registry }} 
@@ -237,14 +249,26 @@ role: - {{ portgroups.yum }} sensors: portgroups: + - {{ portgroups.docker_registry }} + - {{ portgroups.influxdb }} + - {{ portgroups.sensoroni }} + - {{ portgroups.yum }} - {{ portgroups.beats_5044 }} - {{ portgroups.beats_5644 }} searchnodes: portgroups: + - {{ portgroups.docker_registry }} + - {{ portgroups.influxdb }} + - {{ portgroups.sensoroni }} + - {{ portgroups.yum }} - {{ portgroups.redis }} - {{ portgroups.elasticsearch_node }} heavynodes: portgroups: + - {{ portgroups.docker_registry }} + - {{ portgroups.influxdb }} + - {{ portgroups.sensoroni }} + - {{ portgroups.yum }} - {{ portgroups.redis }} - {{ portgroups.elasticsearch_node }} self: @@ -286,6 +310,19 @@ role: localhost: portgroups: - {{ portgroups.all }} + standalone: + portgroups: + - {{ portgroups.salt_manager }} + sensors: + portgroups: + - {{ portgroups.salt_manager }} + minion: + searchnodes: + portgroups: + - {{ portgroups.salt_manager }} + heavynodes: + portgroups: + - {{ portgroups.salt_manager }} minion: portgroups: - {{ portgroups.salt_manager }} From 4eebd855ac3b902d995ca188da149f5169ba1ccb Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 22 Sep 2022 15:47:16 -0400 Subject: [PATCH 13/25] Firewall Changes --- salt/common/tools/sbin/so-firewall | 2 +- salt/firewall/hostgroups/minion | 0 setup/so-functions | 9 +++------ 3 files changed, 4 insertions(+), 7 deletions(-) delete mode 100644 salt/firewall/hostgroups/minion diff --git a/salt/common/tools/sbin/so-firewall b/salt/common/tools/sbin/so-firewall index 0403f75c1..e16cc1e2c 100755 --- a/salt/common/tools/sbin/so-firewall +++ b/salt/common/tools/sbin/so-firewall 
@@ -43,7 +43,7 @@ APPLY=${APPLY,,} function rolecall() { THEROLE=$1 - THEROLES="analyst analyst_workstation heavynode idhnode receiver searchnode sensor" + THEROLES="analyst analyst_workstations beats_endpoint beats_endpoint_ssl elastic_agent_endpoint elasticsearch_rest endgame eval heavynodes idh manager receivers searchnodes sensors standalone strelka_frontend syslog" for AROLE in $THEROLES; do if [ "$AROLE" = "$THEROLE" ]; then diff --git a/salt/firewall/hostgroups/minion b/salt/firewall/hostgroups/minion deleted file mode 100644 index e69de29bb..000000000 diff --git a/setup/so-functions b/setup/so-functions index 20340436e..9e72f227d 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -2171,16 +2171,13 @@ set_initial_firewall_policy() { case "$install_type" in 'MANAGER') - $default_salt_dir/salt/common/tools/sbin/so-firewall includehost manager "$MAINIP" - $default_salt_dir/salt/common/tools/sbin/so-firewall --apply includehost minion "$MAINIP" + $default_salt_dir/salt/common/tools/sbin/so-firewall --role=manager --ip=$MAINIP --apply=true ;; 'EVAL' | 'MANAGERSEARCH' | 'STANDALONE' | 'IMPORT') - $default_salt_dir/salt/common/tools/sbin/so-firewall includehost manager "$MAINIP" - $default_salt_dir/salt/common/tools/sbin/so-firewall includehost minion "$MAINIP" - $default_salt_dir/salt/common/tools/sbin/so-firewall includehost sensor "$MAINIP" - $default_salt_dir/salt/common/tools/sbin/so-firewall --apply includehost search_node "$MAINIP" + $default_salt_dir/salt/common/tools/sbin/so-firewall --role=$install_type --ip=$MAINIP --apply=true ;; esac + fi } # Set up the management interface on the ISO From 3100efc95472e5fe29c49c74803d68b6e73cd13e Mon Sep 17 00:00:00 2001 From: Josh Patterson Date: Thu, 22 Sep 2022 16:03:12 -0400 Subject: [PATCH 14/25] fix syntax --- salt/firewall/assigned_hostgroups.map.yaml | 2 -- 1 file changed, 2 deletions(-) 
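Review bot: `--role=$install_type` in set_initial_firewall_policy passes `EVAL`, `MANAGERSEARCH`, `STANDALONE` or `IMPORT`, but the `THEROLES` list rolecall() checks in the so-firewall hunk above is lowercase and contains neither `managersearch` nor `import`, so unless so-firewall lowercases `ROLE` the way it does `APPLY` (only `APPLY=${APPLY,,}` is visible) these installs would be rejected and end up with no firewall entry for their own IP. The added `fi` after `esac` has no matching `if` and breaks the function's syntax; a later patch in this series removes it. Quote the address as well: `--ip="$MAINIP"`. set_initial_firewall_policy begins outside the hunk.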
diff --git a/salt/firewall/assigned_hostgroups.map.yaml b/salt/firewall/assigned_hostgroups.map.yaml index 1d39b6a0d..718d59a20 100644 --- a/salt/firewall/assigned_hostgroups.map.yaml +++ b/salt/firewall/assigned_hostgroups.map.yaml @@ -230,7 +230,6 @@ role: - {{ portgroups.elasticsearch_rest }} - {{ portgroups.elasticsearch_node }} - {{ portgroups.docker_registry }} - - {{ portgroups.influxdb }} - {{ portgroups.sensoroni }} - {{ portgroups.yum }} - {{ portgroups.beats_5044 }} @@ -316,7 +315,6 @@ role: sensors: portgroups: - {{ portgroups.salt_manager }} - minion: searchnodes: portgroups: - {{ portgroups.salt_manager }} From 81f79c3a021f4678a6ae865ffdb49a73acbf25a8 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 22 Sep 2022 16:32:09 -0400 Subject: [PATCH 15/25] Firewall Changes --- salt/common/tools/sbin/so-common | 12 ++++++++++++ salt/common/tools/sbin/so-firewall | 17 +++++------------ 2 files changed, 17 insertions(+), 12 deletions(-) diff --git a/salt/common/tools/sbin/so-common b/salt/common/tools/sbin/so-common index c0b028130..44ca007ff 100755 --- a/salt/common/tools/sbin/so-common +++ b/salt/common/tools/sbin/so-common @@ -507,6 +507,18 @@ valid_hostname() { [[ $hostname =~ ^[a-zA-Z0-9\-]+$ ]] && [[ $hostname != 'localhost' ]] && return 0 || return 1 } +verify_ip4() { + local ip=$1 + # Is this an IP or CIDR? + if grep -qP "^[^/]+/[^/]+$" <<< $ip; then + # Looks like a CIDR + valid_ip4_cidr_mask "$ip" + else + # We know this is not a CIDR - Is it an IP? + valid_ip4 "$ip" + fi +} + valid_ip4() { local ip=$1 diff --git a/salt/common/tools/sbin/so-firewall b/salt/common/tools/sbin/so-firewall index e16cc1e2c..9da3bd32b 100755 --- a/salt/common/tools/sbin/so-firewall +++ b/salt/common/tools/sbin/so-firewall 
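Review bot: In verify_ip4 the here-string is unquoted, `grep -qP "^[^/]+/[^/]+$" <<< $ip`, so an argument containing whitespace or glob characters is word-split or expanded before the match; write `grep -qP "^[^/]+/[^/]+$" <<< "$ip"`. The CIDR branch delegates to `valid_ip4_cidr_mask`, which is not visible in this hunk — confirm it exists in so-common and rejects out-of-range octets and prefixes, since this function is now the only gate between user-supplied input and the hostgroup files written by so-firewall.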
@@ -71,11 +71,11 @@ else exit 1 fi -# Are we dealing with an IP? -if valid_ip4 "$IP"; then - echo "$IP is valid" + # Are we dealing with an IP? +if verify_ip4 "$IP"; then + echo "$IP is a valid IP or CIDR" else - echo "$IP is not a valid IP Address" + echo "$IP is not a valid IP or CIDR" exit 1 fi @@ -90,14 +90,7 @@ if [ -f "$local_salt_dir/hostgroups/$ROLE" ]; then fi # If you have reached this part of your quest then let's add the IP -if [ -f "$local_salt_dir/hostgroups/$ROLE" ]; then - touch $local_salt_dir/hostgroups/$ROLE - echo "Adding $IP to the $ROLE role" - echo "$IP" > $local_salt_dir/hostgroups/$ROLE -else - echo "Adding $IP to the $ROLE role" - echo "$IP" >> $local_salt_dir/hostgroups/$ROLE -fi +echo "Adding $IP to the $ROLE role" # Check to see if we are applying this right away. if [ "$APPLY" = "true" ]; then From f9c77900aef3043c82107d77c9846f3f8a10e8d8 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 22 Sep 2022 16:54:57 -0400 Subject: [PATCH 16/25] Firewall Changes --- setup/so-functions | 6 ++++++ setup/so-setup | 1 + setup/so-whiptail | 4 ++-- 3 files changed, 9 insertions(+), 2 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index 9e72f227d..ed7644986 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -2180,6 +2180,12 @@ set_initial_firewall_policy() { fi } +set_initial_firewall_access() { + if [[ ! -z "$ALLOW_CIDR" ]] + $default_salt_dir/salt/common/tools/sbin/so-firewall --role=analyst --ip=$ALLOW_CIDR --apply=true + fi +} + # Set up the management interface on the ISO set_management_interface() { title "Setting up the main interface" diff --git a/setup/so-setup b/setup/so-setup index 3966d6d3d..74da11ec3 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -565,6 +565,7 @@ if ! [[ -f $install_opt_file ]]; then title "Setting up Playbook" logCmd "so-playbook-reset" checkin_at_boot + set_initial_firewall_access whiptail_setup_complete else es_heapsize 
diff --git a/setup/so-whiptail b/setup/so-whiptail index 7b50a0b28..d7f3bd535 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail @@ -1267,7 +1267,7 @@ whiptail_so_allow_yesno() { [ -n "$TESTING" ] && return whiptail --title "$whiptail_title" \ - --yesno "Do you want to run so-allow to allow other machines to access this Security Onion installation via the web interface?" \ + --yesno "Do you want to allow access to this Security Onion installation via the web interface?" \ 8 75 } @@ -1280,7 +1280,7 @@ whiptail_so_allow() { 10 75 "$1" 3>&1 1>&2 2>&3) local exitstatus=$? - export ALLOW_ROLE='a' + export ALLOW_ROLE='analyst' export ALLOW_CIDR whiptail_check_exitstatus $exitstatus From 75b058c37f0563110f5e059a83c7f4ecabd26302 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 22 Sep 2022 17:03:03 -0400 Subject: [PATCH 17/25] Firewall Changes --- setup/so-functions | 1 - 1 file changed, 1 deletion(-) diff --git a/setup/so-functions b/setup/so-functions index ed7644986..2e48cb8e6 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -2177,7 +2177,6 @@ set_initial_firewall_policy() { $default_salt_dir/salt/common/tools/sbin/so-firewall --role=$install_type --ip=$MAINIP --apply=true ;; esac - fi } set_initial_firewall_access() { From 4b059ce7fb3ce250ee24c2e613a62981ebccfe50 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 22 Sep 2022 17:04:18 -0400 Subject: [PATCH 18/25] Firewall Changes --- setup/so-functions | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-functions b/setup/so-functions index 2e48cb8e6..5a0e35be0 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -2180,7 +2180,7 @@ set_initial_firewall_policy() { } set_initial_firewall_access() { - if [[ ! -z "$ALLOW_CIDR" ]] + if [[ ! -z "$ALLOW_CIDR" ]]; then $default_salt_dir/salt/common/tools/sbin/so-firewall --role=analyst --ip=$ALLOW_CIDR --apply=true fi } From a7872234aba87d438ae594c5cc2ba378d134a57a Mon Sep 17 00:00:00 2001 
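Review bot: set_initial_firewall_access hard-codes `--role=analyst` while the so-whiptail hunk in this same series exports `ALLOW_ROLE='analyst'`, so the variable is set but never consumed and the two will silently diverge if either changes; use `--role="${ALLOW_ROLE:-analyst}"`. The user-supplied CIDR should be quoted on the way to so-firewall, `--ip="$ALLOW_CIDR"`, and `[[ -n "$ALLOW_CIDR" ]]` reads better than `! -z`. The value is then validated by verify_ip4 inside so-firewall, which is the right place for the check.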
From: Mike Reeves Date: Thu, 22 Sep 2022 17:07:00 -0400 Subject: [PATCH 19/25] Remove NTP from setup --- setup/so-setup | 4 ---- 1 file changed, 4 deletions(-) diff --git a/setup/so-setup b/setup/so-setup index 74da11ec3..a114233d6 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -330,7 +330,6 @@ if ! [[ -f $install_opt_file ]]; then calculate_useable_cores collect_webuser_inputs get_redirect - collect_ntp_servers collect_so_allow whiptail_end_settings # Start the install @@ -351,7 +350,6 @@ if ! [[ -f $install_opt_file ]]; then calculate_useable_cores collect_webuser_inputs get_redirect - collect_ntp_servers collect_so_allow whiptail_end_settings elif [[ $is_manager ]]; then @@ -368,7 +366,6 @@ if ! [[ -f $install_opt_file ]]; then calculate_useable_cores collect_webuser_inputs get_redirect - collect_ntp_servers collect_so_allow whiptail_end_settings elif [[ $is_managersearch ]]; then @@ -385,7 +382,6 @@ if ! [[ -f $install_opt_file ]]; then calculate_useable_cores collect_webuser_inputs get_redirect - collect_ntp_servers collect_so_allow whiptail_end_settings elif [[ $is_sensor ]]; then From 5e32e333c4743432960e62efc000cd1ef8786706 Mon Sep 17 00:00:00 2001 From: Josh Patterson Date: Fri, 23 Sep 2022 08:37:59 -0400 Subject: [PATCH 20/25] remove minion hg --- salt/firewall/map.jinja | 1 - 1 file changed, 1 deletion(-) diff --git a/salt/firewall/map.jinja b/salt/firewall/map.jinja index 0cce4cd99..1ec3271c4 100644 --- a/salt/firewall/map.jinja +++ b/salt/firewall/map.jinja @@ -22,7 +22,6 @@ 'heavynodes', 'idh', 'manager', - 'minion', 'receivers', 'searchnodes', 'sensors', From 975c7fabcc215d33fc256a125fa90774350f7ebd Mon Sep 17 00:00:00 2001 From: Josh Patterson Date: Fri, 23 Sep 2022 08:39:48 -0400 Subject: [PATCH 21/25] remove minion hg --- salt/firewall/assigned_hostgroups.map.yaml | 53 ---------------------- 1 file changed, 53 deletions(-) 
diff --git a/salt/firewall/assigned_hostgroups.map.yaml b/salt/firewall/assigned_hostgroups.map.yaml index 718d59a20..e91859743 100644 --- a/salt/firewall/assigned_hostgroups.map.yaml +++ b/salt/firewall/assigned_hostgroups.map.yaml @@ -17,11 +17,6 @@ role: - {{ portgroups.influxdb }} - {{ portgroups.elasticsearch_rest }} - {{ portgroups.elasticsearch_node }} - minion: - portgroups: - - {{ portgroups.docker_registry }} - - {{ portgroups.influxdb }} - - {{ portgroups.sensoroni }} sensors: portgroups: - {{ portgroups.beats_5044 }} @@ -70,9 +65,6 @@ role: localhost: portgroups: - {{ portgroups.all }} - minion: - portgroups: - - {{ portgroups.salt_manager }} manager: chain: DOCKER-USER: @@ -89,14 +81,6 @@ role: {% if ISAIRGAP is sameas true %} - {{ portgroups.agrules }} {% endif %} - minion: - portgroups: - - {{ portgroups.docker_registry }} - - {{ portgroups.influxdb }} - - {{ portgroups.sensoroni }} - {% if ISAIRGAP is sameas true %} - - {{ portgroups.yum }} - {% endif %} sensors: portgroups: - {{ portgroups.beats_5044 }} @@ -143,9 +127,6 @@ role: localhost: portgroups: - {{ portgroups.all }} - minion: - portgroups: - - {{ portgroups.salt_manager }} managersearch: chain: DOCKER-USER: @@ -159,12 +140,6 @@ role: - {{ portgroups.influxdb }} - {{ portgroups.elasticsearch_rest }} - {{ portgroups.elasticsearch_node }} - minion: - portgroups: - - {{ portgroups.docker_registry }} - - {{ portgroups.influxdb }} - - {{ portgroups.sensoroni }} - - {{ portgroups.yum }} sensors: portgroups: - {{ portgroups.beats_5044 }} @@ -213,9 +188,6 @@ role: localhost: portgroups: - {{ portgroups.all }} - minion: - portgroups: - - {{ portgroups.salt_manager }} standalone: chain: DOCKER-USER: 
@@ -240,12 +212,6 @@ role: - {{ portgroups.elastic_agent_data }} - {{ portgroups.endgame }} - {{ portgroups.strelka_frontend }} - minion: - portgroups: - - {{ portgroups.docker_registry }} - - {{ portgroups.influxdb }} - - {{ portgroups.sensoroni }} - - {{ portgroups.yum }} sensors: portgroups: - {{ portgroups.docker_registry }} @@ -321,9 +287,6 @@ role: heavynodes: portgroups: - {{ portgroups.salt_manager }} - minion: - portgroups: - - {{ portgroups.salt_manager }} helixsensor: chain: DOCKER-USER: @@ -337,11 +300,6 @@ role: - {{ portgroups.influxdb }} - {{ portgroups.elasticsearch_rest }} - {{ portgroups.elasticsearch_node }} - minion: - portgroups: - - {{ portgroups.docker_registry }} - - {{ portgroups.influxdb }} - - {{ portgroups.sensoroni }} sensors: portgroups: - {{ portgroups.beats_5044 }} @@ -370,9 +328,6 @@ role: localhost: portgroups: - {{ portgroups.all }} - minion: - portgroups: - - {{ portgroups.salt_manager }} searchnode: chain: DOCKER-USER: @@ -471,10 +426,6 @@ role: - {{ portgroups.influxdb }} - {{ portgroups.elasticsearch_rest }} - {{ portgroups.elasticsearch_node }} - minion: - portgroups: - - {{ portgroups.docker_registry }} - - {{ portgroups.sensoroni }} sensors: portgroups: - {{ portgroups.beats_5044 }} @@ -506,10 +457,6 @@ role: localhost: portgroups: - {{ portgroups.all }} - minion: - portgroups: - - {{ portgroups.salt_manager }} - receiver: chain: DOCKER-USER: From 02f1d24ea6760b3e7b0c85f6316976f96d3fa2d6 Mon Sep 17 00:00:00 2001 From: Josh Patterson Date: Fri, 23 Sep 2022 08:40:25 -0400 Subject: [PATCH 22/25] remove minion hg --- files/firewall/hostgroups.local.yaml | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/files/firewall/hostgroups.local.yaml b/files/firewall/hostgroups.local.yaml index 5e16461a4..c4ebc3613 100644 --- a/files/firewall/hostgroups.local.yaml +++ b/files/firewall/hostgroups.local.yaml @@ -40,10 +40,6 @@ firewall: ips: delete: insert: - minion: - ips: - delete: - insert: node: ips: delete: 
@@ -67,4 +63,4 @@ firewall: syslog: ips: delete: - insert: \ No newline at end of file + insert: From 2b9322b823253b77c46af774a9fe556e341cc227 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Fri, 23 Sep 2022 08:52:58 -0400 Subject: [PATCH 23/25] Helps if you add the IP address --- salt/common/tools/sbin/so-firewall | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/common/tools/sbin/so-firewall b/salt/common/tools/sbin/so-firewall index 9da3bd32b..2a8aed0e7 100755 --- a/salt/common/tools/sbin/so-firewall +++ b/salt/common/tools/sbin/so-firewall @@ -91,6 +91,7 @@ fi # If you have reached this part of your quest then let's add the IP echo "Adding $IP to the $ROLE role" +echo "$IP" >> $local_salt_dir/hostgroups/$ROLE # Check to see if we are applying this right away. if [ "$APPLY" = "true" ]; then From 3e2be096be1e6b25ec557887d1b8db6a4a410e36 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Fri, 23 Sep 2022 13:08:03 -0400 Subject: [PATCH 24/25] update soc_firewall.yaml --- salt/firewall/soc_firewall.yaml | 51 +++++++++++++++++++++++++++++++-- 1 file changed, 48 insertions(+), 3 deletions(-) diff --git a/salt/firewall/soc_firewall.yaml b/salt/firewall/soc_firewall.yaml index e630736b3..9ff89231e 100644 --- a/salt/firewall/soc_firewall.yaml +++ b/salt/firewall/soc_firewall.yaml @@ -1,10 +1,10 @@ firewall: hostgroups: - analyst_workstation: + analyst_workstations: description: List of IP Addresses or CIDR blocks to allow analyst workstations. file: True global: True - title: Analyst Workstation + title: Analyst Workstations helpLink: firewall.html#host-groups analyst: description: List of IP Addresses or CIDR blocks to allow analyst connections. 
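Review bot: The new write `echo "$IP" >> $local_salt_dir/hostgroups/$ROLE` leaves the redirect target unquoted and appends unconditionally, so repeated runs accumulate duplicate lines in the hostgroup file unless the `if [ -f ... ]` block just above this hunk (whose body is outside the hunk) already rejects existing entries. `ROLE` has passed rolecall() by this point, so the path is bounded to the known group names; the remaining improvement is `grep -qxF -- "$IP" "$local_salt_dir/hostgroups/$ROLE" 2>/dev/null || echo "$IP" >> "$local_salt_dir/hostgroups/$ROLE"`.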
@@ -12,6 +12,51 @@ firewall:
 global: True
 title: Analyst
 helpLink: firewall.html#host-groups
+ beats_endpoint:
+ description: List of IP Addresses or CIDR blocks of standard beats without encryption.
+ file: True
+ global: True
+ title: Beats Endpoints
+ helpLink: firewall.html#host-groups
+ beats_endpoint_ssl:
+ description: List of IP Addresses or CIDR blocks of standard beats with encryption.
+ file: True
+ global: True
+ title: Beats Endpoints SSL
+ helplink: firewall.html#host-groups
+ elastic_agent_endpoint:
+ description: List of IP Addresses or CIDR blocks for Elastic Agent connections.
+ file: True
+ global: True
+ title: Elastic Agents
+ helplink: firewall.html#host-groups
+ elasticsearch_rest:
+ description: List of IP Addresses or CIDR blocks to allow access directly to Elasticsearch.
+ file: True
+ global: True
+ title: Elasticsearch Rest
+ advanced: True
+ helplink: firewall.html#host-groups
+ endgame:
+ description: List of IP Addresses or CIDR blocks to allow endgame access.
+ file: True
+ global: True
+ title: Endgame
+ advanced: True
+ helplink: firewall.html#host-groups
+ strelka_frontend:
+ description: List of IP Addresses or CIDR blocks to allow access to the Strelka front end.
+ file: True
+ global: True
+ title: Strelka Frontend
+ advanced: True
+ helplink: firewall.html#host-groups
+ syslog:
+ description: List of IP Addresses or CIDR blocks to allow syslog.
+ file: True
+ global: True
+ title: Syslog Endpoint Traffic
+ helplink: firewall.html#host-groups
 standalone:
 description: List of IP Addresses or CIDR blocks to allow standalone connections.
 file: True
@@ -30,7 +75,7 @@ firewall:
 description: List of IP Addresses or CIDR blocks to allow idh connections.
 file: True
 global: True
- title: IDHNode
+ title: IDH Nodes
 helpLink: firewall.html#host-groups
 manager:
 description: List of IP Addresses or CIDR blocks to allow manager connections.
From d26be44df106d3760f527581926be84926f07178 Mon Sep 17 00:00:00 2001
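Review bot: The six new hostgroup entries from `beats_endpoint_ssl` through `syslog` use the key `helplink`, while every existing entry and the first new one (`beats_endpoint`) use `helpLink`; YAML keys are case-sensitive, so a consumer reading `helpLink` will presumably find no help link for those groups. Change each `helplink: firewall.html#host-groups` to `helpLink: firewall.html#host-groups`. The same file's earlier hunk renames the key `analyst_workstation` to `analyst_workstations`; anything else keyed on the old name (for example the hostgroups file edited by the preceding patch) would need the matching rename, which this series does not show.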
From: Mike Reeves
Date: Fri, 23 Sep 2022 13:09:46 -0400
Subject: [PATCH 25/25] update soc_firewall.yaml
---
 salt/firewall/soc_firewall.yaml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/salt/firewall/soc_firewall.yaml b/salt/firewall/soc_firewall.yaml
index 9ff89231e..e1e219913 100644
--- a/salt/firewall/soc_firewall.yaml
+++ b/salt/firewall/soc_firewall.yaml
@@ -88,25 +88,25 @@ firewall:
 description: List of IP Addresses or CIDR blocks to allow heavynode connections.
 file: True
 global: True
- title: HeavyNode
+ title: Heavy Nodes
 helpLink: firewall.html#host-groups
 searchnodes:
 description: List of IP Addresses or CIDR blocks to allow searchnode connections.
 file: True
 global: True
- title: SearchNode
+ title: Search Nodes
 helpLink: firewall.html#host-groups
 sensors:
 description: List of IP Addresses or CIDR blocks to allow Sensor connections.
 file: True
 global: True
- title: Sensor
+ title: Sensors
 helpLink: firewall.html#host-groups
 receivers:
 description: List of IP Addresses or CIDR blocks to allow receiver connections.
 file: True
 global: True
- title: Receiver
+ title: Receivers
 helpLink: firewall.html#host-groups
 portgroups:
 portgroups__yaml:
