Simple Firewall Configuration (#157)

* Firewall changes: - Firewalld Services instead of ephemeral commands - New port format to specify protocol for modularity - Defaults to UFW and if RHEL uses firewalld - Added default firewall ports per group var - Checks to see if firewall package is installed and service is running and enabled * Handlers for firewalls and merge into single yml * Firewall change requests - port proto combos predefined and referenced - super user privileges for handlers and package interactions * Firewall changes after tests - SSH Allow in UFW - Make Firewalld aware of service - Removing unnecessary reload handle of UFW - Adding RHEL 8 firewall_service * replace with firewalld in name for task running only for firewalld * Adding comments and desc to port dictionary Co-authored-by: David Twersky <jewunix@gmail.com>
splunk · Dec 8, 2022 · e6d5ab3 · e6d5ab3
1 parent 67114f3
commit e6d5ab3
Show file tree

Hide file tree

Showing 12 changed files with 117 additions and 0 deletions.
diff --git a/environments/production/group_vars/heavyforwarder.yml b/environments/production/group_vars/heavyforwarder.yml
@@ -0,0 +1,6 @@
+---
+splunk_firewall_ports:
+  - "{{ splunkweb_port }}"
+  - "{{ splunkapi_port }}"
+  - "{{ splunktcpin_port }}"
+  - "{{ splunkhec_port }}"
diff --git a/environments/production/group_vars/indexer.yml b/environments/production/group_vars/indexer.yml
@@ -0,0 +1,7 @@
+---
+splunk_firewall_ports:
+  - "{{ splunkweb_port }}"
+  - "{{ splunkapi_port }}"
+  - "{{ splunktcpin_port }}"
+  - "{{ splunkhec_port }}"
+  - "{{ splunkidxcrep_port }}"
diff --git a/environments/production/group_vars/search.yml b/environments/production/group_vars/search.yml
@@ -0,0 +1,5 @@
+---
+splunk_firewall_ports:
+  - "{{ splunkweb_port }}"
+  - "{{ splunkapi_port }}"
+  - "{{ splunkshcrep_port }}"
diff --git a/roles/splunk/defaults/main.yml b/roles/splunk/defaults/main.yml
@@ -75,3 +75,16 @@ add_pstack_script: false # Set to true to install a pstack generation script for
 configure_dmesg: false
 install_utilities: false # Set to true to install the list of packages defined in the linux_packages var after installing splunk
 use_tuned_thp: false
+# Firewall configs
+configure_firewall: false # Whether or not to configure the firewall service on your machine, if set to true, opens firewall ports using UFW (default) or Firewalld depending on OS
+splunk_firewall_service: splunk # The name of the Splunk firewall service to install for firewalld
+# Firewall port presets - reference these in group_vars to assign them to splunk
+splunkweb_port: {desc: "Splunk Web", protocol: "tcp", number: 8000}
+splunkhec_port: {desc: "Splunk HEC", protocol: "tcp", number: 8088}
+splunktcpin_port: {desc: "Splunk TCPIN", protocol: "tcp", number: 9997}
+splunkapi_port: {desc: "Splunk API", protocol: "tcp", number: "{{ splunkd_port }}"}
+splunkidxcrep_port: {desc: "Splunk Indexer Clustering Replication", protocol: "tcp", number: "{{ splunk_idxc_rep_port }}"}
+splunkshcrep_port: {desc: "Splunk Search Head Clustering Replication", protocol: "tcp", number: "{{ splunk_shc_rep_port }}"}
+splunk_firewall_ports: # List of ports to allow through local firewall in dict form
+  - "{{ splunkweb_port }}"
+  - "{{ splunkapi_port }}"
diff --git a/roles/splunk/handlers/main.yml b/roles/splunk/handlers/main.yml
@@ -89,3 +89,7 @@
     port: "{{ splunkd_port }}"
     state: started
     delay: 5
+
+- name: reload firewalld
+  command: firewall-cmd --reload
+  become: true
diff --git a/roles/splunk/tasks/configure_firewall.yml b/roles/splunk/tasks/configure_firewall.yml
@@ -0,0 +1,62 @@
+---
+- name: Ensure {{ firewall_service }} package is installed
+  ansible.builtin.package:
+    name: "{{ firewall_service }}"
+    state: present
+  become: true
+
+- name: Configure firewalld for Splunk
+  block:
+    - name: Ensure firewalld is Started and Enabled
+      ansible.builtin.systemd:
+        name: "{{ firewall_service }}"
+        state: started
+        enabled: true
+      become: true
+
+    - name: Add splunk firewalld service
+      ansible.builtin.template:
+        src: firewalld_service.xml.j2
+        dest: /etc/firewalld/services/{{ splunk_firewall_service }}.xml
+        backup: true
+        mode: 0644
+        owner: root
+        group: root
+      become: true
+      register: firewalld
+
+    - name: reload firewalld
+      command: firewall-cmd --reload
+      become: true
+      when: firewalld.changed
+
+    - name: Activate splunk firewalld service
+      ansible.posix.firewalld:
+        service: "{{ splunk_firewall_service }}"
+        permanent: true
+        state: enabled
+        immediate: true
+      notify: reload firewalld
+      become: true
+  when: firewall_service == "firewalld"
+
+- name: Configure UFW for Splunk
+  block:
+    - name: Ensure SSH is enabled
+      community.general.ufw:
+        port: 22
+        proto: tcp
+        rule: allow
+        state: enabled
+      become: true
+
+    - name: Add splunk port to UFW
+      community.general.ufw:
+        port: "{{ item.number }}"
+        proto: "{{ item.protocol }}"
+        rule: allow
+        state: reloaded
+        comment: "{{ item.desc | default('') }}"
+      become: true
+      loop: "{{ splunk_firewall_ports }}"
+  when: firewall_service == "ufw"
diff --git a/roles/splunk/tasks/configure_os.yml b/roles/splunk/tasks/configure_os.yml
@@ -20,3 +20,10 @@
 - name: Enable read for dmesg
   include_tasks: configure_dmesg.yml
   when: configure_dmesg
+
+- name: Configure firewall service
+  include_tasks: "configure_firewall.yml"
+  when:
+    - firewall_service != 'undefined'
+    - configure_firewall != false
+    - "'full' in group_names"
diff --git a/roles/splunk/templates/firewalld_service.xml.j2 b/roles/splunk/templates/firewalld_service.xml.j2
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="utf-8"?>
+<service>
+    <short>splunk</short>
+    <description>Ports to be configured for splunk</description>
+    {% for port in splunk_firewall_ports %}
+        <!-- {{ port.desc | default('') }} -->
+        <port protocol="{{ port.protocol }}" port="{{ port.number }}"/>
+    {% endfor %}
+</service>
diff --git a/roles/splunk/vars/Debian.yml b/roles/splunk/vars/Debian.yml
@@ -14,3 +14,4 @@ linux_packages:
   - nethogs
   - gdb
   - dnsutils
+firewall_service: ufw
diff --git a/roles/splunk/vars/RedHat.yml b/roles/splunk/vars/RedHat.yml
@@ -17,3 +17,4 @@ linux_packages:
   - nethogs
   - gdb
   - bind-utils
+firewall_service: firewalld
diff --git a/roles/splunk/vars/RedHat8.yml b/roles/splunk/vars/RedHat8.yml
@@ -17,3 +17,4 @@ linux_packages:
   - nethogs
   - gdb
   - bind-utils
+firewall_service: firewalld
diff --git a/roles/splunk/vars/main.yml b/roles/splunk/vars/main.yml
@@ -6,3 +6,4 @@ splunk_build: "{{ splunk_package_url | regex_search('\\d+\\.\\d+\\.\\d+(?:\\.\\d
 # Create desired splunk version string (to compare with the output from the splunk version command for upgrades)
 splunk_version: "{{ splunk_product }} {{ splunk_v }} (build {{ splunk_build }})"
 splunk_auth: "{{ splunk_admin_username }}:{{ splunk_admin_password }}"
+firewall_service: ufw
-Original file line number
+Diff line change
@@ Expand Up / @@ -14,3 +14,4 @@ linux_packages: @@
       - nethogs
       - gdb
       - dnsutils
+    firewall_service: ufw