{# Honeypot (IDH) services that need a listening port opened in the firewall.
   The loop further down adds a firewall rule for each entry that is enabled.
   smb is deliberately absent: it does not need any ports open. #}
{% set IDH_SERVICES = ['ftp', 'git', 'http', 'httpproxy', 'mssql', 'mysql', 'ntp',
                       'redis', 'sip', 'snmp', 'ssh', 'telnet', 'tftp', 'vnc'] %}
{# Firewall portgroups keyed by group name; starts empty and is filled in below. #}
{% set IDH_PORTGROUPS = {} %}

{# Shipped defaults. Every pillar lookup below falls back to these values. #}
{% import_yaml "idh/defaults.yaml" as IDHCONFIG with context %}

{# merge=True merges the pillar value into the defaults instead of replacing them,
   so a partial pillar override keeps the remaining default keys. #}
{% set OPENCANARYCONFIG = salt['pillar.get']('idh:opencanary:config', default=IDHCONFIG.idh.opencanary.config, merge=True) %}

{# Only read here; how the flag restricts management access is decided by whatever
   imports this map. NOTE(review): confirm the consumer in the firewall states. #}
{% set RESTRICTIDHSERVICES = salt['pillar.get']('idh:restrict_management_ip', default=IDHCONFIG.idh.restrict_management_ip) %}

{# Rename *_x_skinlist to *_x_skin_x_list (skinlist -> skin.list) to avoid issues
   with the SOC UI config. pop() has no fallback, so both keys must be present in
   the merged config; the defaults file is presumably what guarantees that. #}
{% set HTTPSKINLIST = OPENCANARYCONFIG.pop('http_x_skinlist') %}
{% do OPENCANARYCONFIG.update({'http_x_skin_x_list': HTTPSKINLIST}) %}
{% set HTTPPROXYSKINLIST = OPENCANARYCONFIG.pop('httpproxy_x_skinlist') %}
{% do OPENCANARYCONFIG.update({'httpproxy_x_skin_x_list': HTTPPROXYSKINLIST}) %}

{# openssh settings, again pillar merged over the defaults. #}
{% set OPENSSH = salt['pillar.get']('idh:openssh', default=IDHCONFIG.idh.openssh, merge=True) %}
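{# Build one firewall portgroup per enabled honeypot service:
     IDH_PORTGROUPS['idh_<service>'] = {<proto>: [<configured port>]}
   Services whose <service>_x_enabled flag is false get no portgroup, so no port
   is opened for them.

   Protocol selection: snmp, ntp and tftp are opened as udp, everything else as tcp.
   The udp list previously spelled snmp as "smnp", which never matched the 'snmp'
   entry in IDH_SERVICES. The snmp decoy port was therefore opened as tcp, and UDP
   SNMP probes would not have reached the honeypot to raise an alert.
   NOTE(review): sip is left as tcp here; confirm which transport the OpenCanary
   sip module actually listens on. #}
{% for service in IDH_SERVICES %}
{%   if service in ['snmp', 'ntp', 'tftp'] %}
{%     set proto = 'udp' %}
{%   else %}
{%     set proto = 'tcp' %}
{%   endif %}
{%   if OPENCANARYCONFIG[service ~ '_x_enabled'] %}
{%     do IDH_PORTGROUPS.update({'idh_' ~ service: {proto: [OPENCANARYCONFIG[service ~ '_x_port']]}}) %}
{%   endif %}
{% endfor %}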
{# The openssh portgroup is added unconditionally, unlike the per-service decoy
   groups, which depend on each service's enabled flag.
   NOTE(review): presumably this is the node's real sshd port rather than the ssh
   decoy; confirm against idh/defaults.yaml. #}
{% do IDH_PORTGROUPS.update({'openssh': {'tcp': [OPENSSH['config']['port']]}}) %}

{# Set device.node_id to this minion's host grain. #}
{% do OPENCANARYCONFIG.update({'device.node_id': grains['host']}) %}