From 47e1e04dcbc79e61ff91c87c59f93dfef25773e4 Mon Sep 17 00:00:00 2001
From: singuliere
Date: Tue, 27 Feb 2018 17:01:33 +0100
Subject: [PATCH] remove redundant iptables comparison
---
 testinfra/app/test_network.py | 43 ------------------------
 testinfra/mon/iptables-mon-prod.j2 | 38 ---------------------
 testinfra/mon/iptables-mon-staging.j2 | 42 -----------------------
 testinfra/mon/test_network.py | 40 ----------------------
 testinfra/vars/app-prod.yml | 39 ----------------------
 testinfra/vars/app-staging.yml | 48 --------------------------
 testinfra/vars/mon-prod.yml | 38 ---------------------
 7 files changed, 288 deletions(-)
 delete mode 100644 testinfra/app/test_network.py
 delete mode 100644 testinfra/mon/iptables-mon-prod.j2
 delete mode 100644 testinfra/mon/iptables-mon-staging.j2
diff --git a/testinfra/app/test_network.py b/testinfra/app/test_network.py
deleted file mode 100644
index 41cb7db95ee..00000000000
--- a/testinfra/app/test_network.py
+++ /dev/null
@@ -1,43 +0,0 @@
-import os
-import difflib
-import pytest
-from jinja2 import Template
-
-
-securedrop_test_vars = pytest.securedrop_test_vars
-
-
-def test_app_iptables_rules(SystemInfo, Command, Sudo):
-
- # Build a dict of variables to pass to jinja for iptables comparison
- kwargs = dict(
- mon_ip=os.environ.get('MON_IP', securedrop_test_vars.mon_ip),
- default_interface=Command.check_output("ip r | head -n 1 | "
- "awk '{ print $5 }'"),
- tor_user_id=Command.check_output("id -u debian-tor"),
- securedrop_user_id=Command.check_output("id -u www-data"),
- ssh_group_gid=Command.check_output("getent group ssh | cut -d: -f3"),
- dns_server=securedrop_test_vars.dns_server)
-
- # Build iptables scrape cmd, purge comments + counters
- iptables = "iptables-save | sed 's/ \[[0-9]*\:[0-9]*\]//g' | egrep -v '^#'"
- environment = os.environ.get("CI_SD_ENV", "staging")
- iptables_file = "{}/iptables-app-{}.j2".format(
- os.path.dirname(os.path.abspath(__file__)),
- environment)
-
- # template out a local iptables jinja file
- jinja_iptables = Template(open(iptables_file, 'r').read())
- iptables_expected = jinja_iptables.render(**kwargs)
-
- with Sudo():
- # Actually run the iptables scrape command
- iptables = Command.check_output(iptables)
- # print diff comparison (only shows up in pytests if test fails or
- # verbosity turned way up)
- for iptablesdiff in difflib.context_diff(iptables_expected.split('\n'),
- iptables.split('\n')):
- print(iptablesdiff)
- # Conduct the string comparison of the expected and actual iptables
- # ruleset
- assert iptables_expected == iptables
diff --git a/testinfra/mon/iptables-mon-prod.j2 b/testinfra/mon/iptables-mon-prod.j2
deleted file mode 100644
index fcf53c49f68..00000000000
--- a/testinfra/mon/iptables-mon-prod.j2
+++ /dev/null
@@ -1,38 +0,0 @@ -*filter -:INPUT DROP -:FORWARD DROP -:OUTPUT DROP -:LOGNDROP - --A INPUT -p tcp -m state --state RELATED,ESTABLISHED -m comment --comment "Allow traffic back for tor" -j ACCEPT --A INPUT -s {{ dns_server }}/32 -p tcp -m tcp --sport 53 -m state --state RELATED,ESTABLISHED -m comment --comment "tcp/udp dns" -j ACCEPT --A INPUT -s {{ dns_server }}/32 -p udp -m udp --sport 53 -m state --state RELATED,ESTABLISHED -m comment --comment "tcp/udp dns" -j ACCEPT --A INPUT -p udp -m udp --sport 123 --dport 123 -m state --state RELATED,ESTABLISHED -m comment --comment ntp -j ACCEPT --A INPUT -p tcp -m multiport --sports 80,8080,443 -m state --state RELATED,ESTABLISHED -m comment --comment "apt updates" -j ACCEPT --A INPUT -s {{ app_ip }}/32 -p udp -m udp --dport 1514 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "Allow OSSEC agent to monitor" -j ACCEPT --A INPUT -s {{ dns_server }}/32 -p tcp -m tcp --sport 53 -m state --state RELATED,ESTABLISHED -m comment --comment "tcp/udp dns" -j ACCEPT --A INPUT -s {{ dns_server }}/32 -p udp -m udp --sport 53 -m state --state RELATED,ESTABLISHED -m comment --comment "tcp/udp dns" -j ACCEPT --A INPUT -p tcp -m tcp --sport 587 -m state --state RELATED,ESTABLISHED -m comment --comment "Allow ossec email alerts out" -j ACCEPT --A INPUT -i lo -m comment --comment "Allow lo to lo traffic all protocols" -j ACCEPT --A INPUT -p tcp -m state --state INVALID -m comment --comment "drop but do not log inbound invalid state packets" -j DROP --A INPUT -m comment --comment "Drop and log all other incoming traffic" -j LOGNDROP --A OUTPUT -o lo -p tcp -m tcp --dport 22 -m owner --uid-owner {{ tor_user_id }} -m state --state NEW -m limit --limit 3/min --limit-burst 3 -m comment --comment "Rate limit traffic from tor to the ssh dameon" -j ACCEPT --A OUTPUT -o lo -p tcp -m tcp --dport 22 -m owner --uid-owner {{ tor_user_id }} -m state --state NEW -m comment --comment "Drop all other new connections from tor to the ssh dameon" 
-j LOGNDROP --A OUTPUT -o lo -p tcp -m tcp --dport 22 -m owner --uid-owner {{ tor_user_id }} -m state --state RELATED,ESTABLISHED -m comment --comment "Allow the established traffic from tor to the ssh dameon" -j ACCEPT --A OUTPUT -p tcp -m owner --uid-owner {{ tor_user_id }} -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "tor instance that provides ssh access" -j ACCEPT --A OUTPUT -m owner --uid-owner {{ tor_user_id }} -m comment --comment "Drop all other traffic for the tor instance used for ssh" -j LOGNDROP --A OUTPUT -m owner --gid-owner {{ ssh_group_gid }} -m comment --comment "Drop all other outbound traffic for ssh user" -j LOGNDROP --A OUTPUT -d {{ dns_server }}/32 -p tcp -m tcp --dport 53 -m owner --uid-owner 0 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "tcp/udp dns" -j ACCEPT --A OUTPUT -d {{ dns_server }}/32 -p udp -m udp --dport 53 -m owner --uid-owner 0 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "tcp/udp dns" -j ACCEPT --A OUTPUT -p udp -m udp --sport 123 --dport 123 -m owner --uid-owner 0 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment ntp -j ACCEPT --A OUTPUT -p tcp -m multiport --dports 80,8080,443 -m owner --uid-owner 0 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "apt updates" -j ACCEPT --A OUTPUT -d {{ app_ip }}/32 -p udp -m udp --sport 1514 -m state --state RELATED,ESTABLISHED -m comment --comment "Allow OSSEC agent to monitor" -j ACCEPT --A OUTPUT -d {{ dns_server }}/32 -p tcp -m tcp --dport 53 -m owner --uid-owner {{ postfix_user_id }} -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "postfix dns rule" -j ACCEPT --A OUTPUT -d {{ dns_server }}/32 -p udp -m udp --dport 53 -m owner --uid-owner {{ postfix_user_id }} -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "postfix dns rule" -j ACCEPT --A OUTPUT -p tcp -m tcp --dport 587 -m owner --uid-owner {{ postfix_user_id }} -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "Allow 
ossec email alerts out" -j ACCEPT --A OUTPUT -o lo -m comment --comment "Allow lo to lo traffic all protocols" -j ACCEPT --A OUTPUT -m comment --comment "Drop all other outgoing traffic" -j DROP --A LOGNDROP -p tcp -m limit --limit 5/min -j LOG --log-tcp-options --log-ip-options --log-uid --A LOGNDROP -p udp -m limit --limit 5/min -j LOG --log-ip-options --log-uid --A LOGNDROP -p icmp -m limit --limit 5/min -j LOG --log-ip-options --log-uid --A LOGNDROP -j DROP -COMMIT diff --git a/testinfra/mon/iptables-mon-staging.j2 b/testinfra/mon/iptables-mon-staging.j2 deleted file mode 100644 index 55e3787e2a3..00000000000 --- a/testinfra/mon/iptables-mon-staging.j2 +++ /dev/null 
@@ -1,42 +0,0 @@ -*filter -:INPUT DROP -:FORWARD DROP -:OUTPUT DROP -:LOGNDROP - --A INPUT -p tcp -m state --state RELATED,ESTABLISHED -m comment --comment "Allow traffic back for tor" -j ACCEPT --A INPUT -s {{ dns_server }}/32 -p tcp -m tcp --sport 53 -m state --state RELATED,ESTABLISHED -m comment --comment "tcp/udp dns" -j ACCEPT --A INPUT -s {{ dns_server }}/32 -p udp -m udp --sport 53 -m state --state RELATED,ESTABLISHED -m comment --comment "tcp/udp dns" -j ACCEPT --A INPUT -p udp -m udp --sport 123 --dport 123 -m state --state RELATED,ESTABLISHED -m comment --comment ntp -j ACCEPT --A INPUT -p tcp -m multiport --sports 80,8080,443 -m state --state RELATED,ESTABLISHED -m comment --comment "apt updates" -j ACCEPT --A INPUT -s {{ app_ip }}/32 -p udp -m udp --dport 1514 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "Allow OSSEC agent to monitor" -j ACCEPT --A INPUT -s {{ dns_server }}/32 -p tcp -m tcp --sport 53 -m state --state RELATED,ESTABLISHED -m comment --comment "tcp/udp dns" -j ACCEPT --A INPUT -s {{ dns_server }}/32 -p udp -m udp --sport 53 -m state --state RELATED,ESTABLISHED -m comment --comment "tcp/udp dns" -j ACCEPT --A INPUT -p tcp -m tcp --sport 587 -m state --state RELATED,ESTABLISHED -m comment --comment "Allow ossec email alerts out" -j ACCEPT --A INPUT -i {{ default_interface }} -p tcp -m tcp --dport 22 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT --A INPUT -p udp -m udp --sport 53 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT --A INPUT -i lo -m comment --comment "Allow lo to lo traffic all protocols" -j ACCEPT --A INPUT -p tcp -m state --state INVALID -m comment --comment "drop but do not log inbound invalid state packets" -j DROP --A INPUT -m comment --comment "Drop and log all other incoming traffic" -j LOGNDROP --A OUTPUT -o lo -p tcp -m tcp --dport 22 -m owner --uid-owner {{ tor_user_id }} -m state --state NEW -m limit --limit 3/min --limit-burst 3 -m comment --comment "Rate limit traffic from tor to the ssh 
dameon" -j ACCEPT --A OUTPUT -o lo -p tcp -m tcp --dport 22 -m owner --uid-owner {{ tor_user_id }} -m state --state NEW -m comment --comment "Drop all other new connections from tor to the ssh dameon" -j LOGNDROP --A OUTPUT -o lo -p tcp -m tcp --dport 22 -m owner --uid-owner {{ tor_user_id }} -m state --state RELATED,ESTABLISHED -m comment --comment "Allow the established traffic from tor to the ssh dameon" -j ACCEPT --A OUTPUT -p tcp -m owner --uid-owner {{ tor_user_id }} -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "tor instance that provides ssh access" -j ACCEPT --A OUTPUT -m owner --uid-owner {{ tor_user_id }} -m comment --comment "Drop all other traffic for the tor instance used for ssh" -j LOGNDROP --A OUTPUT -m owner --gid-owner {{ ssh_group_gid }} -m comment --comment "Drop all other outbound traffic for ssh user" -j LOGNDROP --A OUTPUT -d {{ dns_server }}/32 -p tcp -m tcp --dport 53 -m owner --uid-owner 0 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "tcp/udp dns" -j ACCEPT --A OUTPUT -d {{ dns_server }}/32 -p udp -m udp --dport 53 -m owner --uid-owner 0 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "tcp/udp dns" -j ACCEPT --A OUTPUT -p udp -m udp --sport 123 --dport 123 -m owner --uid-owner 0 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment ntp -j ACCEPT --A OUTPUT -p tcp -m multiport --dports 80,8080,443 -m owner --uid-owner 0 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "apt updates" -j ACCEPT --A OUTPUT -d {{ app_ip }}/32 -p udp -m udp --sport 1514 -m state --state RELATED,ESTABLISHED -m comment --comment "Allow OSSEC agent to monitor" -j ACCEPT --A OUTPUT -d {{ dns_server }}/32 -p tcp -m tcp --dport 53 -m owner --uid-owner {{ postfix_user_id }} -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "postfix dns rule" -j ACCEPT --A OUTPUT -d {{ dns_server }}/32 -p udp -m udp --dport 53 -m owner --uid-owner {{ postfix_user_id }} -m state --state 
NEW,RELATED,ESTABLISHED -m comment --comment "postfix dns rule" -j ACCEPT --A OUTPUT -p tcp -m tcp --dport 587 -m owner --uid-owner {{ postfix_user_id }} -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "Allow ossec email alerts out" -j ACCEPT --A OUTPUT -o {{ default_interface }} -p tcp -m tcp --sport 22 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT --A OUTPUT -p udp -m udp --dport 53 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT --A OUTPUT -o lo -m comment --comment "Allow lo to lo traffic all protocols" -j ACCEPT --A OUTPUT -m comment --comment "Drop all other outgoing traffic" -j DROP --A LOGNDROP -p tcp -m limit --limit 5/min -j LOG --log-tcp-options --log-ip-options --log-uid --A LOGNDROP -p udp -m limit --limit 5/min -j LOG --log-ip-options --log-uid --A LOGNDROP -p icmp -m limit --limit 5/min -j LOG --log-ip-options --log-uid --A LOGNDROP -j DROP -COMMIT diff --git a/testinfra/mon/test_network.py b/testinfra/mon/test_network.py index 2ca17533bea..2d893f661ec 100644 --- a/testinfra/mon/test_network.py +++ b/testinfra/mon/test_network.py 
@@ -1,48 +1,8 @@ import os -import difflib -import pytest -from jinja2 import Template - securedrop_test_vars = pytest.securedrop_test_vars -def test_mon_iptables_rules(SystemInfo, Command, Sudo): - - # Build a dict of variables to pass to jinja for iptables comparison - kwargs = dict( - app_ip=os.environ.get('APP_IP', securedrop_test_vars.app_ip), - default_interface=Command.check_output( - "ip r | head -n 1 | awk '{ print $5 }'"), - tor_user_id=Command.check_output("id -u debian-tor"), - ssh_group_gid=Command.check_output("getent group ssh | cut -d: -f3"), - postfix_user_id=Command.check_output("id -u postfix"), - dns_server=securedrop_test_vars.dns_server) - - # Build iptables scrape cmd, purge comments + counters - iptables = "iptables-save | sed 's/ \[[0-9]*\:[0-9]*\]//g' | egrep -v '^#'" - environment = os.environ.get("CI_SD_ENV", "staging") - iptables_file = "{}/iptables-mon-{}.j2".format( - os.path.dirname(os.path.abspath(__file__)), - environment) - - # template out a local iptables jinja file - jinja_iptables = Template(open(iptables_file, 'r').read()) - iptables_expected = jinja_iptables.render(**kwargs) - - with Sudo(): - # Actually run the iptables scrape command - iptables = Command.check_output(iptables) - # print diff comparison (only shows up in pytests if test fails or - # verbosity turned way up) - for iptablesdiff in difflib.context_diff(iptables_expected.split('\n'), - iptables.split('\n')): - print(iptablesdiff) - # Conduct the string comparison of the expected and actual iptables - # ruleset - assert iptables_expected == iptables - - @pytest.mark.parametrize('ossec_service', [ dict(host="0.0.0.0", proto="tcp", port=22, listening=True), dict(host="0.0.0.0", proto="udp", port=1514, listening=True), diff --git a/testinfra/vars/app-prod.yml b/testinfra/vars/app-prod.yml index 1369938c2db..9a1894703b9 100644 --- a/testinfra/vars/app-prod.yml +++ b/testinfra/vars/app-prod.yml 
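Review bot: The new side of this hunk still uses `pytest` on the kept lines `securedrop_test_vars = pytest.securedrop_test_vars` and `@pytest.mark.parametrize('ossec_service', [`, yet `import pytest` is listed among the removed imports, so as the hunk reads the module raises NameError at collection time and none of the remaining tests in testinfra/mon/test_network.py run. Keep `import pytest` and remove only `import difflib` and `from jinja2 import Template`, whose last visible users went away with `test_mon_iptables_rules`. `import os` is kept as context, but its only visible use was inside the removed function, so unless the rest of the file (outside this hunk) still reads `os.environ`, it is now an unused import a linter would flag. Since this hunk drops the only visible assertion that the host's live iptables ruleset matches an expected one, a one-line module comment naming the test that now covers the mon ruleset would help the next reader confirm the "redundant" claim in the commit title; the parametrize list and the test it decorates continue past the end of the hunk.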
@@ -40,42 +40,3 @@ allowed_apache_logfiles: - /var/log/apache2/journalist-access.log - /var/log/apache2/journalist-error.log - /var/log/apache2/other_vhosts_access.log - -iptables_complete_ruleset: |- - -P INPUT DROP - -P FORWARD DROP - -P OUTPUT DROP - -N LOGNDROP - -A INPUT -p tcp -m state --state RELATED,ESTABLISHED -m comment --comment "Allow traffic back for tor" -j ACCEPT - -A INPUT -i lo -p tcp -m tcp --dport 80 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "Allow tor connection from local loopback to connect to source int" -j ACCEPT - -A INPUT -i lo -p tcp -m tcp --dport 8080 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "Allow tor connection from local loopback to connect to journalist int" -j ACCEPT - -A INPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -i lo -p tcp -m state --state RELATED,ESTABLISHED -m comment --comment "for redis worker all application user local loopback user" -j ACCEPT - -A INPUT -s 8.8.8.8/32 -p tcp -m tcp --sport 53 -m state --state RELATED,ESTABLISHED -m comment --comment "tcp/udp dns" -j ACCEPT - -A INPUT -s 8.8.8.8/32 -p udp -m udp --sport 53 -m state --state RELATED,ESTABLISHED -m comment --comment "tcp/udp dns" -j ACCEPT - -A INPUT -p udp -m udp --sport 123 --dport 123 -m state --state RELATED,ESTABLISHED -m comment --comment ntp -j ACCEPT - -A INPUT -p tcp -m multiport --sports 80,8080,443 -m state --state RELATED,ESTABLISHED -m comment --comment "apt updates" -j ACCEPT - -A INPUT -s 10.0.1.5/32 -p udp -m udp --sport 1514 -m state --state RELATED,ESTABLISHED -m comment --comment "OSSEC server agent" -j ACCEPT - -A INPUT -i lo -m comment --comment "Allow lo to lo traffic all protocols" -j ACCEPT - -A INPUT -p tcp -m state --state INVALID -m comment --comment "drop but do not log inbound invalid state packets" -j DROP - -A INPUT -m comment --comment "Drop and log all other incoming traffic" -j LOGNDROP - -A OUTPUT -o lo -p tcp -m tcp --dport 22 -m owner --uid-owner 107 -m state --state NEW -m limit --limit 
3/min --limit-burst 3 -m comment --comment "Rate limit traffic from tor to the ssh dameon" -j ACCEPT - -A OUTPUT -o lo -p tcp -m tcp --dport 22 -m owner --uid-owner 107 -m state --state NEW -m comment --comment "Drop all other new connections from tor to the ssh dameon" -j LOGNDROP - -A OUTPUT -o lo -p tcp -m tcp --dport 22 -m owner --uid-owner 107 -m state --state RELATED,ESTABLISHED -m comment --comment "Allow the established traffic from tor to the ssh dameon" -j ACCEPT - -A OUTPUT -p tcp -m owner --uid-owner 107 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "tor instance that provides ssh access" -j ACCEPT - -A OUTPUT -m owner --uid-owner 107 -m comment --comment "Drop all other traffic for the tor instance used for ssh" -j LOGNDROP - -A OUTPUT -o lo -p tcp -m tcp --sport 80 -m owner --uid-owner 33 -m state --state RELATED,ESTABLISHED -m comment --comment "Restrict the apache user outbound connections" -j ACCEPT - -A OUTPUT -o lo -p tcp -m tcp --sport 8080 -m owner --uid-owner 33 -m state --state RELATED,ESTABLISHED -m comment --comment "Restrict the apache user outbound connections" -j ACCEPT - -A OUTPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -o lo -p tcp -m owner --uid-owner 33 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "for redis worker all application user local loopback user" -j ACCEPT - -A OUTPUT -m owner --uid-owner 33 -m comment --comment "Drop all other traffic by the securedrop user" -j LOGNDROP - -A OUTPUT -m owner --gid-owner 108 -m comment --comment "Drop all other outbound traffic for ssh user" -j LOGNDROP - -A OUTPUT -d 8.8.8.8/32 -p tcp -m tcp --dport 53 -m owner --uid-owner 0 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "tcp/udp dns" -j ACCEPT - -A OUTPUT -d 8.8.8.8/32 -p udp -m udp --dport 53 -m owner --uid-owner 0 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "tcp/udp dns" -j ACCEPT - -A OUTPUT -p udp -m udp --sport 123 --dport 123 -m owner --uid-owner 0 -m state --state 
NEW,RELATED,ESTABLISHED -m comment --comment ntp -j ACCEPT - -A OUTPUT -p tcp -m multiport --dports 80,8080,443 -m owner --uid-owner 0 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "apt updates" -j ACCEPT - -A OUTPUT -d 10.0.1.5/32 -p udp -m udp --dport 1514 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "OSSEC server agent" -j ACCEPT - -A OUTPUT -o lo -m comment --comment "Allow lo to lo traffic all protocols" -j ACCEPT - -A OUTPUT -m comment --comment "Drop all other outgoing traffic" -j DROP - -A LOGNDROP -p tcp -m limit --limit 5/min -j LOG --log-tcp-options --log-ip-options --log-uid - -A LOGNDROP -p udp -m limit --limit 5/min -j LOG --log-ip-options --log-uid - -A LOGNDROP -p icmp -m limit --limit 5/min -j LOG --log-ip-options --log-uid - -A LOGNDROP -j DROP diff --git a/testinfra/vars/app-staging.yml b/testinfra/vars/app-staging.yml index ce2c9535cef..b0dab992c23 100644 --- a/testinfra/vars/app-staging.yml +++ b/testinfra/vars/app-staging.yml 
@@ -84,51 +84,3 @@ allowed_apache_logfiles: - /var/log/apache2/journalist-error.log - /var/log/apache2/other_vhosts_access.log - /var/log/apache2/source-error.log - -# Hardcoded values, only appropriate for local testing via Vagrant. -iptables_complete_ruleset: |- - -P INPUT DROP - -P FORWARD DROP - -P OUTPUT DROP - -N LOGNDROP - -A INPUT -p tcp -m state --state RELATED,ESTABLISHED -m comment --comment "Allow traffic back for tor" -j ACCEPT - -A INPUT -i lo -p tcp -m tcp --dport 80 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "Allow tor connection from local loopback to connect to source int" -j ACCEPT - -A INPUT -i lo -p tcp -m tcp --dport 8080 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "Allow tor connection from local loopback to connect to journalist int" -j ACCEPT - -A INPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -i lo -p tcp -m state --state RELATED,ESTABLISHED -m comment --comment "for redis worker all application user local loopback user" -j ACCEPT - -A INPUT -s 8.8.8.8/32 -p tcp -m tcp --sport 53 -m state --state RELATED,ESTABLISHED -m comment --comment "tcp/udp dns" -j ACCEPT - -A INPUT -s 8.8.8.8/32 -p udp -m udp --sport 53 -m state --state RELATED,ESTABLISHED -m comment --comment "tcp/udp dns" -j ACCEPT - -A INPUT -p udp -m udp --sport 123 --dport 123 -m state --state RELATED,ESTABLISHED -m comment --comment ntp -j ACCEPT - -A INPUT -p tcp -m multiport --sports 80,8080,443 -m state --state RELATED,ESTABLISHED -m comment --comment "apt updates" -j ACCEPT - -A INPUT -s 10.0.1.3/32 -p udp -m udp --sport 1514 -m state --state RELATED,ESTABLISHED -m comment --comment "OSSEC server agent" -j ACCEPT - -A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT - -A INPUT -p udp -m udp --sport 53 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT - -A INPUT -i eth0 -p tcp -m tcp --dport 80 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT - -A INPUT -i eth0 -p tcp -m tcp --dport 8080 -m state --state 
NEW,RELATED,ESTABLISHED -j ACCEPT - -A INPUT -i lo -m comment --comment "Allow lo to lo traffic all protocols" -j ACCEPT - -A INPUT -p tcp -m state --state INVALID -m comment --comment "drop but do not log inbound invalid state packets" -j DROP - -A INPUT -m comment --comment "Drop and log all other incoming traffic" -j LOGNDROP - -A OUTPUT -o lo -p tcp -m tcp --dport 22 -m owner --uid-owner 107 -m state --state NEW -m limit --limit 3/min --limit-burst 3 -m comment --comment "Rate limit traffic from tor to the ssh dameon" -j ACCEPT - -A OUTPUT -o lo -p tcp -m tcp --dport 22 -m owner --uid-owner 107 -m state --state NEW -m comment --comment "Drop all other new connections from tor to the ssh dameon" -j LOGNDROP - -A OUTPUT -o lo -p tcp -m tcp --dport 22 -m owner --uid-owner 107 -m state --state RELATED,ESTABLISHED -m comment --comment "Allow the established traffic from tor to the ssh dameon" -j ACCEPT - -A OUTPUT -p tcp -m owner --uid-owner 107 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "tor instance that provides ssh access" -j ACCEPT - -A OUTPUT -m owner --uid-owner 107 -m comment --comment "Drop all other traffic for the tor instance used for ssh" -j LOGNDROP - -A OUTPUT -o lo -p tcp -m tcp --sport 80 -m owner --uid-owner 33 -m state --state RELATED,ESTABLISHED -m comment --comment "Restrict the apache user outbound connections" -j ACCEPT - -A OUTPUT -o lo -p tcp -m tcp --sport 8080 -m owner --uid-owner 33 -m state --state RELATED,ESTABLISHED -m comment --comment "Restrict the apache user outbound connections" -j ACCEPT - -A OUTPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -o lo -p tcp -m owner --uid-owner 33 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "for redis worker all application user local loopback user" -j ACCEPT - -A OUTPUT -m owner --uid-owner 33 -m comment --comment "Drop all other traffic by the securedrop user" -j LOGNDROP - -A OUTPUT -m owner --gid-owner 108 -m comment --comment "Drop all other outbound traffic for ssh 
user" -j LOGNDROP - -A OUTPUT -d 8.8.8.8/32 -p tcp -m tcp --dport 53 -m owner --uid-owner 0 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "tcp/udp dns" -j ACCEPT - -A OUTPUT -d 8.8.8.8/32 -p udp -m udp --dport 53 -m owner --uid-owner 0 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "tcp/udp dns" -j ACCEPT - -A OUTPUT -p udp -m udp --sport 123 --dport 123 -m owner --uid-owner 0 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment ntp -j ACCEPT - -A OUTPUT -p tcp -m multiport --dports 80,8080,443 -m owner --uid-owner 0 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "apt updates" -j ACCEPT - -A OUTPUT -d 10.0.1.3/32 -p udp -m udp --dport 1514 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "OSSEC server agent" -j ACCEPT - -A OUTPUT -o eth0 -p tcp -m owner --uid-owner 0 -m tcp --sport 22 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT - -A OUTPUT -p udp -m udp --dport 53 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT - -A OUTPUT -o eth0 -p tcp -m tcp --sport 80 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT - -A OUTPUT -o eth0 -p tcp -m tcp --sport 8080 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT - -A OUTPUT -o lo -m comment --comment "Allow lo to lo traffic all protocols" -j ACCEPT - -A OUTPUT -m comment --comment "Drop all other outgoing traffic" -j DROP - -A LOGNDROP -p tcp -m limit --limit 5/min -j LOG --log-tcp-options --log-ip-options --log-uid - -A LOGNDROP -p udp -m limit --limit 5/min -j LOG --log-ip-options --log-uid - -A LOGNDROP -p icmp -m limit --limit 5/min -j LOG --log-ip-options --log-uid - -A LOGNDROP -j DROP diff --git a/testinfra/vars/mon-prod.yml b/testinfra/vars/mon-prod.yml index 463574a08d0..14ae9fb8316 100644 --- a/testinfra/vars/mon-prod.yml +++ b/testinfra/vars/mon-prod.yml 
@@ -11,44 +11,6 @@ tor_stealth_services: - service: "HiddenServicePort 22 127.0.0.1:22" stealth: admin -iptables_complete_ruleset: |- - -P INPUT DROP - -P FORWARD DROP - -P OUTPUT DROP - -N LOGNDROP - -A INPUT -p tcp -m state --state RELATED,ESTABLISHED -m comment --comment "Allow traffic back for tor" -j ACCEPT - -A INPUT -s 8.8.8.8/32 -p tcp -m tcp --sport 53 -m state --state RELATED,ESTABLISHED -m comment --comment "tcp/udp dns" -j ACCEPT - -A INPUT -s 8.8.8.8/32 -p udp -m udp --sport 53 -m state --state RELATED,ESTABLISHED -m comment --comment "tcp/udp dns" -j ACCEPT - -A INPUT -p udp -m udp --sport 123 --dport 123 -m state --state RELATED,ESTABLISHED -m comment --comment ntp -j ACCEPT - -A INPUT -p tcp -m multiport --sports 80,8080,443 -m state --state RELATED,ESTABLISHED -m comment --comment "apt updates" -j ACCEPT - -A INPUT -s 10.0.1.4/32 -p udp -m udp --dport 1514 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "Allow OSSEC agent to monitor" -j ACCEPT - -A INPUT -s 8.8.8.8/32 -p tcp -m tcp --sport 53 -m state --state RELATED,ESTABLISHED -m comment --comment "tcp/udp dns" -j ACCEPT - -A INPUT -s 8.8.8.8/32 -p udp -m udp --sport 53 -m state --state RELATED,ESTABLISHED -m comment --comment "tcp/udp dns" -j ACCEPT - -A INPUT -p tcp -m tcp --sport 587 -m state --state RELATED,ESTABLISHED -m comment --comment "Allow ossec email alerts out" -j ACCEPT - -A INPUT -i lo -m comment --comment "Allow lo to lo traffic all protocols" -j ACCEPT - -A INPUT -p tcp -m state --state INVALID -m comment --comment "drop but do not log inbound invalid state packets" -j DROP - -A INPUT -m comment --comment "Drop and log all other incoming traffic" -j LOGNDROP - -A OUTPUT -o lo -p tcp -m tcp --dport 22 -m owner --uid-owner 107 -m state --state NEW -m limit --limit 3/min --limit-burst 3 -m comment --comment "Rate limit traffic from tor to the ssh dameon" -j ACCEPT - -A OUTPUT -o lo -p tcp -m tcp --dport 22 -m owner --uid-owner 107 -m state --state NEW -m comment 
--comment "Drop all other new connections from tor to the ssh dameon" -j LOGNDROP - -A OUTPUT -o lo -p tcp -m tcp --dport 22 -m owner --uid-owner 107 -m state --state RELATED,ESTABLISHED -m comment --comment "Allow the established traffic from tor to the ssh dameon" -j ACCEPT - -A OUTPUT -p tcp -m owner --uid-owner 107 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "tor instance that provides ssh access" -j ACCEPT - -A OUTPUT -m owner --uid-owner 107 -m comment --comment "Drop all other traffic for the tor instance used for ssh" -j LOGNDROP - -A OUTPUT -m owner --gid-owner 108 -m comment --comment "Drop all other outbound traffic for ssh user" -j LOGNDROP - -A OUTPUT -d 8.8.8.8/32 -p tcp -m tcp --dport 53 -m owner --uid-owner 0 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "tcp/udp dns" -j ACCEPT - -A OUTPUT -d 8.8.8.8/32 -p udp -m udp --dport 53 -m owner --uid-owner 0 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "tcp/udp dns" -j ACCEPT - -A OUTPUT -p udp -m udp --sport 123 --dport 123 -m owner --uid-owner 0 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment ntp -j ACCEPT - -A OUTPUT -p tcp -m multiport --dports 80,8080,443 -m owner --uid-owner 0 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "apt updates" -j ACCEPT - -A OUTPUT -d 10.0.1.4/32 -p udp -m udp --sport 1514 -m state --state RELATED,ESTABLISHED -m comment --comment "Allow OSSEC agent to monitor" -j ACCEPT - -A OUTPUT -d 8.8.8.8/32 -p tcp -m tcp --dport 53 -m owner --uid-owner 108 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "postfix dns rule" -j ACCEPT - -A OUTPUT -d 8.8.8.8/32 -p udp -m udp --dport 53 -m owner --uid-owner 108 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "postfix dns rule" -j ACCEPT - -A OUTPUT -p tcp -m tcp --dport 587 -m owner --uid-owner 108 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "Allow ossec email alerts out" -j ACCEPT - -A OUTPUT -o lo -m comment 
--comment "Allow lo to lo traffic all protocols" -j ACCEPT - -A OUTPUT -m comment --comment "Drop all other outgoing traffic" -j DROP - -A LOGNDROP -p tcp -m limit --limit 5/min -j LOG --log-tcp-options --log-ip-options --log-uid - -A LOGNDROP -p udp -m limit --limit 5/min -j LOG --log-ip-options --log-uid - -A LOGNDROP -p icmp -m limit --limit 5/min -j LOG --log-ip-options --log-uid - -A LOGNDROP -j DROP - # Postfix should indeed be running on prod hosts, otherwise # OSSEC alerts cannot be delivered. It's disabled in staging. postfix_enabled: True