diff --git a/salt/idh/defaults.yaml b/salt/idh/defaults.yaml
index c5685838d..39e8a6074 100644
--- a/salt/idh/defaults.yaml
+++ b/salt/idh/defaults.yaml
@@ -31,13 +31,13 @@ idh:
 tcpbanner_1.keep_alive_probes: 11
 tcpbanner_1.keep_alive_interval: 300
 tcpbanner_1.keep_alive_idle: 300
-ftp.enabled: true
+ftp.enabled: false
 ftp.port: 21
 ftp.banner: FTP server ready
-git.enabled: true
+git.enabled: false
 git.port: 9418
 http.banner: Apache/2.2.34 (Ubuntu)
-http.enabled: true
+http.enabled: false
 http.port: 80
 http.skin: nasLogin
 http.skinlist:
@@ -45,7 +45,7 @@ idh:
 name: basicLogin
 - desc: Synology NAS Login
 name: nasLogin
-httpproxy.enabled: true
+httpproxy.enabled: false
 httpproxy.port: 8080
 httpproxy.skin: squid
 httpproxy.skinlist:
@@ -53,36 +53,36 @@ idh:
 name: squid
 - desc: Microsoft ISA Server Web Proxy
 name: ms-isa
-mssql.enabled: true
+mssql.enabled: false
 mssql.version: '2012'
 mssql.port: 1433
-mysql.enabled: true
+mysql.enabled: false
 mysql.port: 3306
 mysql.banner: 5.5.43-0ubuntu0.14.04.1
-ntp.enabled: true
-ntp.port: '123'
-redis.enabled: true
+ntp.enabled: false
+ntp.port: 123
+redis.enabled: false
 redis.port: 6379
-sip.enabled: true
+sip.enabled: false
 sip.port: 5060
 smb.auditfile: /var/log/samba-audit.log
-smb.enabled: true
-snmp.enabled: true
+smb.enabled: false
+snmp.enabled: false
 snmp.port: 161
-ssh.enabled: true
+ssh.enabled: false
 ssh.port: 22
 ssh.version: SSH-2.0-OpenSSH_5.1p1 Debian-4
-telnet.enabled: true
-telnet.port: '23'
+telnet.enabled: false
+telnet.port: 23
 telnet.banner: ''
 telnet.honeycreds:
 - username: admin
 password: $pbkdf2-sha512$19000$bG1NaY3xvjdGyBlj7N37Xw$dGrmBqqWa1okTCpN3QEmeo9j5DuV2u1EuVFD8Di0GxNiM64To5O/Y66f7UASvnQr8.LCzqTm6awC8Kj/aGKvwA
 - username: admin
 password: admin1
-tftp.enabled: true
+tftp.enabled: false
 tftp.port: 69
-vnc.enabled: true
+vnc.enabled: false
 vnc.port: 5900
 openssh:
 enable: true
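Review bot: Flipping `ftp.enabled`, `git.enabled` and `http.enabled` to `false` at the top of this hunk (and, in the later hunks, every other emulated service) changes the honeypot baseline from opt-out to opt-in, but nothing in the file records that, so an operator reading these defaults cannot tell whether a disabled service is the intended baseline or a leftover. I would add a comment above `ftp.enabled:` such as `# all emulated services default to disabled; enable the ones wanted per node via pillar idh:opencanary:config`, that pillar path being the one the opencanary map merges these defaults with. The `config:` mapping these keys belong to starts before the hunk.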
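Review bot: The `telnet.honeycreds` block this hunk leaves in place ships two fixed bait logins in a public defaults file — `admin` with a pbkdf2-sha512 hash and `admin` / `admin1` in plaintext — so every deployment that keeps the defaults presents identical, publicly known honey credentials, and if the telnet module accepts these as successful logins (as honeycreds normally do) anyone who has read this repository can recognise the honeypot by them. I would add a comment above `telnet.honeycreds:` such as `# example bait logins only; override via pillar idh:opencanary:config so honeycreds are unique per deployment`. Unquoting `ntp.port` and `telnet.port` to integers is a welcome consistency fix with the other ports, but since this mapping is pillar-merged a per-node override may still supply `'23'` as a string, so the firewall template should not assume the type. The enclosing `config:` mapping starts before this hunk.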
diff --git a/salt/idh/opencanary_config.map.jinja b/salt/idh/opencanary_config.map.jinja
index f81de4518..6833f3838 100644
--- a/salt/idh/opencanary_config.map.jinja
+++ b/salt/idh/opencanary_config.map.jinja
@@ -1,10 +1,33 @@
-{% set idh_services = salt['pillar.get']('idh:services', []) %}
+{# this list of services is used to loop through and add fw rules if the service is enabled #}
+{# smb is not in this list since it does not need any ports open #}
+{% set idh_services = [ 'ftp', 'git', 'http', 'httpproxy', 'mssql', 'mysql', 'ntp', 'redis', 'sip', 'snmp', 'ssh', 'telnet', 'tftp', 'vnc' ] %}
 {% set IDH_PORTGROUPS = {} %}
 {% import_yaml "idh/defaults.yaml" as IDHCONFIG with context %}
 {% set OPENCANARYCONFIG = salt['pillar.get']('idh:opencanary:config', default=IDHCONFIG.idh.opencanary.config, merge=True) %}
+{# update skinlist to skin.list to avoid issues with SOC UI config #}
+{% set HTTPSKINLIST = OPENCANARYCONFIG.pop('http.skinlist') %}
+{% set HTTPPROXYSKINLIST = OPENCANARYCONFIG.pop('httpproxy.skinlist') %}
+{% do OPENCANARYCONFIG.update({'http.skin.list': HTTPSKINLIST}) %}
+{% do OPENCANARYCONFIG.update({'httpproxy.skin.list': HTTPPROXYSKINLIST}) %}
 {% set OPENSSH = salt['pillar.get']('idh:openssh', default=IDHCONFIG.idh.openssh, merge=True) %}
 {% for service in idh_services %}
@@ -13,7 +36,9 @@
 {% else %}
 {% set proto = 'tcp' %}
 {% endif %}
-{% do IDH_PORTGROUPS.update({'idh_' ~ service: {proto: [OPENCANARYCONFIG[service ~ '.port']]}}) %}
+{% if OPENCANARYCONFIG[service ~ '.enabled'] %}
+{% do IDH_PORTGROUPS.update({'idh_' ~ service: {proto: [OPENCANARYCONFIG[service ~ '.port']]}}) %}
+{% endif %}
 {% endfor %}
 {% do IDH_PORTGROUPS.update({'openssh': {'tcp': [OPENSSH.config.port]}}) %}
diff --git a/salt/idh/openssh/map.jinja b/salt/idh/openssh/map.jinja
index 4bb99bc03..bd8fbe316 100644
--- a/salt/idh/openssh/map.jinja
+++ b/salt/idh/openssh/map.jinja
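Review bot: The two `OPENCANARYCONFIG.pop(...)` calls under the new `skin.list` comment abort the render if the merged config ever lacks `http.skinlist` or `httpproxy.skinlist` — for instance a pillar that already uses the new `http.skin.list` key and the merge not re-supplying the old one — so give them a default, `{% set HTTPSKINLIST = OPENCANARYCONFIG.pop('http.skinlist', []) %}` and likewise `OPENCANARYCONFIG.pop('httpproxy.skinlist', [])`. Separately, replacing the `salt['pillar.get']('idh:services', [])` lookup with a hard-coded list silently ignores any `idh:services` pillar data still present and ties the firewall rules to this list rather than to the `*.enabled` keys in defaults.yaml, so a service added there later gets no port opened. A comment above the list would at least make that explicit: `# keep in sync with the *.enabled keys in idh/defaults.yaml; the idh:services pillar is no longer consulted`.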
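Review bot: The `openssh` portgroup on the last line of this hunk is still added unconditionally, while every OpenCanary service now has its portgroup gated on its `.enabled` flag; the defaults appear to ship `openssh: enable: true`, so a node that disables the OpenSSH honeypot via pillar would still have its port opened in the firewall. Gate it the same way: `{% if OPENSSH.enable %}` / `{% do IDH_PORTGROUPS.update({'openssh': {'tcp': [OPENSSH.config.port]}}) %}` / `{% endif %}`. Note also that the new `{% if OPENCANARYCONFIG[service ~ '.enabled'] %}` treats a string `'false'` as truthy, so if the SOC UI or a pillar can write these flags as strings, Salt's `to_bool` filter (`| to_bool`) would normalise them — worth confirming how those values arrive. The `for` loop this guard sits in starts before the hunk.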
@@ -1,4 +1,4 @@
-{% import_yaml "idh/defaults/defaults.yaml" as idh_defaults with context %}
+{% import_yaml "idh/defaults.yaml" as idh_defaults with context %}
 {% set openssh_map = salt['grains.filter_by']({
 'Debian': {