mirror of
https://github.com/Security-Onion-Solutions/securityonion.git
synced 2025-12-06 09:12:45 +01:00
103 lines
2.3 KiB
Bash
Executable File
103 lines
2.3 KiB
Bash
Executable File
#!/usr/bin/bash
|
|
|
|
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
|
|
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
|
|
# https://securityonion.net/license; you may not use this file except in compliance with the
|
|
# Elastic License 2.0.
|
|
|
|
. /usr/sbin/so-common
|
|
|
|
if [[ $# -lt 1 ]]; then
|
|
echo "Usage: $0 --role=<ROLE> --ip=<IP ADDRESS> --apply=<true|false>"
|
|
echo ""
|
|
echo " Example: so-firewall --role=sensor --ip=192.168.254.100 --apply=true"
|
|
echo ""
|
|
exit 1
|
|
fi
|
|
|
|
for i in "$@"; do
|
|
case $i in
|
|
-r=*|--role=*)
|
|
ROLE="${i#*=}"
|
|
shift
|
|
;;
|
|
-i=*|--ip=*)
|
|
IP="${i#*=}"
|
|
shift
|
|
;;
|
|
-a=*|--apply*)
|
|
APPLY="${i#*=}"
|
|
shift
|
|
;;
|
|
-*|--*)
|
|
echo "Unknown option $i"
|
|
exit 1
|
|
;;
|
|
*)
|
|
;;
|
|
esac
|
|
done
|
|
|
|
ROLE=${ROLE,,}
|
|
APPLY=${APPLY,,}
|
|
|
|
function rolecall() {
|
|
THEROLE=$1
|
|
THEROLES="analyst analyst_workstations beats_endpoint beats_endpoint_ssl elastic_agent_endpoint elasticsearch_rest endgame eval heavynodes idh manager managersearch receivers searchnodes sensors standalone strelka_frontend syslog"
|
|
|
|
for AROLE in $THEROLES; do
|
|
if [ "$AROLE" = "$THEROLE" ]; then
|
|
return 0
|
|
fi
|
|
done
|
|
return 1
|
|
}
|
|
|
|
# Make sure the required options are specified
|
|
if [ -z "$ROLE" ]; then
|
|
echo "Please specify a role with --role="
|
|
exit 1
|
|
fi
|
|
if [ -z "$IP" ]; then
|
|
echo "Please specify an IP address with --ip="
|
|
exit 1
|
|
fi
|
|
|
|
# Are we dealing with a role that this script supports?
|
|
if rolecall "$ROLE"; then
|
|
echo "$ROLE is a supported role"
|
|
else
|
|
echo "This is not a supported role"
|
|
exit 1
|
|
fi
|
|
|
|
# Are we dealing with an IP?
|
|
if verify_ip4 "$IP"; then
|
|
echo "$IP is a valid IP or CIDR"
|
|
else
|
|
echo "$IP is not a valid IP or CIDR"
|
|
exit 1
|
|
fi
|
|
|
|
local_salt_dir=/opt/so/saltstack/local/salt/firewall
|
|
|
|
# Let's see if the file exists and if it does, let's see if the IP exists.
|
|
if [ -f "$local_salt_dir/hostgroups/$ROLE" ]; then
|
|
if grep -q $IP "$local_salt_dir/hostgroups/$ROLE"; then
|
|
echo "Host already exists"
|
|
exit 0
|
|
fi
|
|
fi
|
|
|
|
# If you have reached this part of your quest then let's add the IP
|
|
echo "Adding $IP to the $ROLE role"
|
|
echo "$IP" >> $local_salt_dir/hostgroups/$ROLE
|
|
|
|
# Check to see if we are applying this right away.
|
|
if [ "$APPLY" = "true" ]; then
|
|
echo "Applying the firewall rules"
|
|
salt-call state.apply firewall queue=True
|
|
else
|
|
echo "Firewall rules will be applied next salt run"
|
|
fi
|