From 9a7c104dfb05e07c64ad408d41c4ab092fd90a19 Mon Sep 17 00:00:00 2001
From: arcsector <26469747+arcsector@users.noreply.github.com>
Date: Wed, 30 Nov 2022 00:18:52 -0800
Subject: [PATCH 1/6] Firewall changes: - Firewalld Services instead of
ephemeral commands - New port format to specify protocol for modularity -
Defaults to UFW and if RHEL uses firewalld - Added default firewall ports per
group var - Checks to see if firewall package is installed and service is
running and enabled
---
.../production/group_vars/heavyforwarder.yml | 15 +++++++++++++
.../production/group_vars/indexer.yml | 18 ++++++++++++++++
environments/production/group_vars/search.yml | 10 +++++++++
roles/splunk/defaults/main.yml | 6 ++++++
.../tasks/configure_firewall_firewalld.yml | 21 +++++++++++++++++++
roles/splunk/tasks/configure_firewall_ufw.yml | 19 +++++++++++++++++
roles/splunk/tasks/configure_os.yml | 6 ++++++
.../splunk/templates/firewalld_service.xml.j2 | 8 +++++++
roles/splunk/vars/Debian.yml | 1 +
roles/splunk/vars/RedHat.yml | 1 +
roles/splunk/vars/main.yml | 1 +
11 files changed, 106 insertions(+)
create mode 100644 environments/production/group_vars/heavyforwarder.yml
create mode 100644 environments/production/group_vars/indexer.yml
create mode 100644 environments/production/group_vars/search.yml
create mode 100644 roles/splunk/tasks/configure_firewall_firewalld.yml
create mode 100644 roles/splunk/tasks/configure_firewall_ufw.yml
create mode 100644 roles/splunk/templates/firewalld_service.xml.j2
diff --git a/environments/production/group_vars/heavyforwarder.yml b/environments/production/group_vars/heavyforwarder.yml
new file mode 100644
index 00000000..8954de94
--- /dev/null
+++ b/environments/production/group_vars/heavyforwarder.yml
@@ -0,0 +1,15 @@
+---
+splunk_firewall_ports:
+ # HEC
+ - protocol: tcp
+ number: 8088
+
+ # Splunk TCPIN
+ - protocol: tcp
+ number: 9997
+
+ - protocol: tcp
+ number: 8000
+
+ - protocol: tcp
+ number: "{{ splunkd_port }}"
diff --git a/environments/production/group_vars/indexer.yml b/environments/production/group_vars/indexer.yml
new file mode 100644
index 00000000..1dd05e33
--- /dev/null
+++ b/environments/production/group_vars/indexer.yml
@@ -0,0 +1,18 @@
+---
+splunk_firewall_ports:
+ # HEC
+ - protocol: tcp
+ number: 8088
+
+ # Splunk TCPIN
+ - protocol: tcp
+ number: 9997
+
+ - protocol: tcp
+ number: 8000
+
+ - protocol: tcp
+ number: "{{ splunkd_port }}"
+
+ - protocol: tcp
+ number: "{{ splunk_idxc_rep_port }}"
diff --git a/environments/production/group_vars/search.yml b/environments/production/group_vars/search.yml
new file mode 100644
index 00000000..ce98e2f8
--- /dev/null
+++ b/environments/production/group_vars/search.yml
@@ -0,0 +1,10 @@
+---
+splunk_firewall_ports:
+ - protocol: tcp
+ number: 8000
+
+ - protocol: tcp
+ number: "{{ splunkd_port }}"
+
+ - protocol: tcp
+ number: "{{ splunk_shc_rep_port }}"
diff --git a/roles/splunk/defaults/main.yml b/roles/splunk/defaults/main.yml
index 0fde8733..ba295346 100644
--- a/roles/splunk/defaults/main.yml
+++ b/roles/splunk/defaults/main.yml
@@ -31,6 +31,12 @@ splunk_admin_username: admin
splunk_admin_password: undefined # Use ansible-vault encrypt_string, e.g. ansible-vault encrypt_string --ask-vault-pass 'var_value_to_encrypt' --name 'var_name'
splunk_configure_secret: false # If set to true, you need to update files/splunk.secret
splunk_secret_file: splunk.secret # Used to specify your splunk.secret filename(s), files should be placed in the "files" folder of the role
+configure_firewall: false # Whether or not to configure the firewall service on your machine, if set to true, opens firewall ports using UFW (default) or Firewalld depending on OS
+splunk_firewall_ports: # List of ports to allow through local firewall in dict form
+ - protocol: tcp
+ number: "{{ splunkd_port }}"
+ - protocol: tcp
+ number: 8000
# Although there are tasks for the following Splunk configurations in this role, they are not included in any tasks by default. You can add them to your install_splunk.yml if you would like to have Ansible manage any of these files
splunk_configure_authentication: false
ad_bind_password: undefined # Use ansible-vault encrypt_string, e.g. ansible-vault encrypt_string --ask-vault-pass 'var_value_to_encrypt' --name 'var_name'
diff --git a/roles/splunk/tasks/configure_firewall_firewalld.yml b/roles/splunk/tasks/configure_firewall_firewalld.yml
new file mode 100644
index 00000000..a39cb923
--- /dev/null
+++ b/roles/splunk/tasks/configure_firewall_firewalld.yml
@@ -0,0 +1,21 @@
+---
+- name: Ensure firewalld is installed
+ ansible.builtin.package:
+ name: firewalld
+ state: present
+
+- name: Ensure Firewalld is Started and Enabled
+ ansible.builtin.systemd:
+ name: firewalld
+ state: started
+ enabled: true
+
+- name: Configure firewalld for Splunk
+ ansible.builtin.template:
+ src: firewalld_service.xml.j2
+ dest: /etc/firewalld/services/splunk.xml
+ backup: true
+ mode: 0644
+ owner: root
+ group: root
+ become: true
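Review bot: The "Configure firewalld for Splunk" task only writes a service definition under /etc/firewalld/services; nothing in this file reloads firewalld or binds the new service to a zone, so no port is actually opened after this task file runs. Only that template task carries `become: true`, while the package and systemd tasks above it need the same privilege to succeed on a non-root connection. A reload step (`command: firewall-cmd --reload`, conditioned on the template having changed) followed by an `ansible.posix.firewalld` task with `service: splunk`, `permanent: true`, `state: enabled` would make the definition take effect; later patches in this series add both. As a smaller style point, `mode: "0644"` quoted keeps the value a string regardless of YAML 1.1 versus 1.2 octal handling and satisfies yamllint.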
diff --git a/roles/splunk/tasks/configure_firewall_ufw.yml b/roles/splunk/tasks/configure_firewall_ufw.yml
new file mode 100644
index 00000000..3cd5b34a
--- /dev/null
+++ b/roles/splunk/tasks/configure_firewall_ufw.yml
@@ -0,0 +1,19 @@
+---
+- name: Ensure ufw is installed
+ ansible.builtin.package:
+ name: ufw
+ state: present
+
+- name: Ensure UFW is Started and Enabled
+ ansible.builtin.systemd:
+ name: ufw
+ state: started
+ enabled: true
+
+- name: Configure ufw for Splunk
+ become: true
+ community.general.ufw:
+ port: "{{ item.number }}"
+ proto: "{{ item.protocol }}"
+ rule: allow
+ loop: "{{ splunk_firewall_ports }}"
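Review bot: Starting ufw.service through systemd does not activate UFW on a Debian-family host where /etc/ufw/ufw.conf still has ENABLED=no, so the looped allow rules can be written while the firewall remains inactive, and if the firewall were already active nothing here allows SSH before the Splunk rules are applied. Using `state: enabled` on the `community.general.ufw` task, preceded by an explicit SSH allow rule, makes the activation part of the module's idempotent state rather than a systemd side effect; patch 4 in this series does exactly that.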
diff --git a/roles/splunk/tasks/configure_os.yml b/roles/splunk/tasks/configure_os.yml
index cca1567b..891c3a43 100644
--- a/roles/splunk/tasks/configure_os.yml
+++ b/roles/splunk/tasks/configure_os.yml
@@ -20,3 +20,9 @@
- name: Enable read for dmesg
include_tasks: configure_dmesg.yml
when: configure_dmesg
+
+- name: Configure firewall service
+ include_tasks: "configure_firewall_{{ firewall_service }}.yml"
+ when:
+ - firewall_service != 'undefined'
+ - configure_firewall != false
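Review bot: `configure_firewall != false` evaluates true for any non-boolean value, so an override passed as a string (for example `-e configure_firewall=false` on the command line) still runs the firewall tasks; `- configure_firewall | bool` is the idiomatic guard and matches how `configure_dmesg` is tested just above. The same comparison survives unchanged through patches 2 and 3 on this file.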
diff --git a/roles/splunk/templates/firewalld_service.xml.j2 b/roles/splunk/templates/firewalld_service.xml.j2
new file mode 100644
index 00000000..2e5606aa
--- /dev/null
+++ b/roles/splunk/templates/firewalld_service.xml.j2
@@ -0,0 +1,8 @@
+
+
+ splunk
+ Ports to be configured for splunk
+ {% for port in splunk_firewall_ports %}
+
+ {% endfor %}
+
diff --git a/roles/splunk/vars/Debian.yml b/roles/splunk/vars/Debian.yml
index be21e04f..3ab03973 100644
--- a/roles/splunk/vars/Debian.yml
+++ b/roles/splunk/vars/Debian.yml
@@ -14,3 +14,4 @@ linux_packages:
- nethogs
- gdb
- dnsutils
+firewall_service: ufw
diff --git a/roles/splunk/vars/RedHat.yml b/roles/splunk/vars/RedHat.yml
index 0e3a4ec9..61d35591 100644
--- a/roles/splunk/vars/RedHat.yml
+++ b/roles/splunk/vars/RedHat.yml
@@ -17,3 +17,4 @@ linux_packages:
- nethogs
- gdb
- bind-utils
+firewall_service: firewalld
diff --git a/roles/splunk/vars/main.yml b/roles/splunk/vars/main.yml
index 0f2b0466..97fcce6d 100644
--- a/roles/splunk/vars/main.yml
+++ b/roles/splunk/vars/main.yml
@@ -6,3 +6,4 @@ splunk_build: "{{ splunk_package_url | regex_search('\\d+\\.\\d+\\.\\d+(?:\\.\\d
# Create desired splunk version string (to compare with the output from the splunk version command for upgrades)
splunk_version: "{{ splunk_product }} {{ splunk_v }} (build {{ splunk_build }})"
splunk_auth: "{{ splunk_admin_username }}:{{ splunk_admin_password }}"
+firewall_service: ufw
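Review bot: Setting `firewall_service: ufw` in vars/main.yml makes ufw the effective choice for every OS that does not ship its own vars file, because role vars/main.yml is always loaded; on such a host the role would install and enable ufw rather than skip, and the `firewall_service != 'undefined'` guard added to configure_os.yml in this same patch can never fire. The sentinel suggests `firewall_service: undefined` was intended here, mirroring the defaults file's convention for unset values, with Debian.yml and RedHat.yml supplying the real value — which works only if those files are loaded with include_vars (higher precedence than role vars); I cannot see the loading task from this patch, so confirm that before changing it.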
From 27e265b7b184c4145d19202f557c1268e9607635 Mon Sep 17 00:00:00 2001
From: arcsector <26469747+arcsector@users.noreply.github.com>
Date: Wed, 30 Nov 2022 00:35:37 -0800
Subject: [PATCH 2/6] Handlers for firewalls and merge into single yml
---
roles/splunk/handlers/main.yml | 7 ++++
roles/splunk/tasks/configure_firewall.yml | 33 +++++++++++++++++++
.../tasks/configure_firewall_firewalld.yml | 21 ------------
roles/splunk/tasks/configure_firewall_ufw.yml | 19 -----------
roles/splunk/tasks/configure_os.yml | 2 +-
5 files changed, 41 insertions(+), 41 deletions(-)
create mode 100644 roles/splunk/tasks/configure_firewall.yml
delete mode 100644 roles/splunk/tasks/configure_firewall_firewalld.yml
delete mode 100644 roles/splunk/tasks/configure_firewall_ufw.yml
diff --git a/roles/splunk/handlers/main.yml b/roles/splunk/handlers/main.yml
index 41794ecb..a82648c6 100644
--- a/roles/splunk/handlers/main.yml
+++ b/roles/splunk/handlers/main.yml
@@ -89,3 +89,10 @@
port: "{{ splunkd_port }}"
state: started
delay: 5
+
+- name: reload firewalld
+ command: firewall-cmd --reload
+ become: true
+
+- name: reload ufw
+ command: ufw reload
diff --git a/roles/splunk/tasks/configure_firewall.yml b/roles/splunk/tasks/configure_firewall.yml
new file mode 100644
index 00000000..0856098c
--- /dev/null
+++ b/roles/splunk/tasks/configure_firewall.yml
@@ -0,0 +1,33 @@
+---
+- name: Ensure {{ firewall_service }} package is installed
+ ansible.builtin.package:
+ name: "{{ firewall_service }}"
+ state: present
+
+- name: Ensure {{ firewall_service }} is Started and Enabled
+ ansible.builtin.systemd:
+ name: "{{ firewall_service }}"
+ state: started
+ enabled: true
+
+- name: Configure firewalld for Splunk
+ ansible.builtin.template:
+ src: firewalld_service.xml.j2
+ dest: /etc/firewalld/services/splunk.xml
+ backup: true
+ mode: 0644
+ owner: root
+ group: root
+ become: true
+ notify: reload firewalld
+ when: firewall_service == "firewalld"
+
+- name: Configure UFW for Splunk
+ community.general.ufw:
+ port: "{{ item.number }}"
+ proto: "{{ item.protocol }}"
+ rule: allow
+ become: true
+ loop: "{{ splunk_firewall_ports }}"
+ when: firewall_service == "ufw"
+ notify: reload ufw
diff --git a/roles/splunk/tasks/configure_firewall_firewalld.yml b/roles/splunk/tasks/configure_firewall_firewalld.yml
deleted file mode 100644
index a39cb923..00000000
--- a/roles/splunk/tasks/configure_firewall_firewalld.yml
+++ /dev/null
@@ -1,21 +0,0 @@
----
-- name: Ensure firewalld is installed
- ansible.builtin.package:
- name: firewalld
- state: present
-
-- name: Ensure Firewalld is Started and Enabled
- ansible.builtin.systemd:
- name: firewalld
- state: started
- enabled: true
-
-- name: Configure firewalld for Splunk
- ansible.builtin.template:
- src: firewalld_service.xml.j2
- dest: /etc/firewalld/services/splunk.xml
- backup: true
- mode: 0644
- owner: root
- group: root
- become: true
diff --git a/roles/splunk/tasks/configure_firewall_ufw.yml b/roles/splunk/tasks/configure_firewall_ufw.yml
deleted file mode 100644
index 3cd5b34a..00000000
--- a/roles/splunk/tasks/configure_firewall_ufw.yml
+++ /dev/null
@@ -1,19 +0,0 @@
----
-- name: Ensure ufw is installed
- ansible.builtin.package:
- name: ufw
- state: present
-
-- name: Ensure UFW is Started and Enabled
- ansible.builtin.systemd:
- name: ufw
- state: started
- enabled: true
-
-- name: Configure ufw for Splunk
- become: true
- community.general.ufw:
- port: "{{ item.number }}"
- proto: "{{ item.protocol }}"
- rule: allow
- loop: "{{ splunk_firewall_ports }}"
diff --git a/roles/splunk/tasks/configure_os.yml b/roles/splunk/tasks/configure_os.yml
index 891c3a43..0383eb56 100644
--- a/roles/splunk/tasks/configure_os.yml
+++ b/roles/splunk/tasks/configure_os.yml
@@ -22,7 +22,7 @@
when: configure_dmesg
- name: Configure firewall service
- include_tasks: "configure_firewall_{{ firewall_service }}.yml"
+ include_tasks: "configure_firewall.yml"
when:
- firewall_service != 'undefined'
- configure_firewall != false
From f93c8a18104136f20458ce214e3770068b9d1f80 Mon Sep 17 00:00:00 2001
From: arcsector <26469747+arcsector@users.noreply.github.com>
Date: Wed, 30 Nov 2022 15:30:49 -0800
Subject: [PATCH 3/6] Firewall change requests - port proto combos predefined
and referenced - super user privileges for handlers and package interactions
---
.../production/group_vars/heavyforwarder.yml | 17 ++++-----------
.../production/group_vars/indexer.yml | 21 +++++--------------
environments/production/group_vars/search.yml | 11 +++-------
roles/splunk/defaults/main.yml | 18 ++++++++++------
roles/splunk/handlers/main.yml | 1 +
roles/splunk/tasks/configure_firewall.yml | 2 ++
roles/splunk/tasks/configure_os.yml | 1 +
7 files changed, 28 insertions(+), 43 deletions(-)
diff --git a/environments/production/group_vars/heavyforwarder.yml b/environments/production/group_vars/heavyforwarder.yml
index 8954de94..1b020e73 100644
--- a/environments/production/group_vars/heavyforwarder.yml
+++ b/environments/production/group_vars/heavyforwarder.yml
@@ -1,15 +1,6 @@
---
splunk_firewall_ports:
- # HEC
- - protocol: tcp
- number: 8088
-
- # Splunk TCPIN
- - protocol: tcp
- number: 9997
-
- - protocol: tcp
- number: 8000
-
- - protocol: tcp
- number: "{{ splunkd_port }}"
+ - "{{ splunkweb_port }}"
+ - "{{ splunkapi_port }}"
+ - "{{ splunktcpin_port }}"
+ - "{{ splunkhec_port }}"
diff --git a/environments/production/group_vars/indexer.yml b/environments/production/group_vars/indexer.yml
index 1dd05e33..4d7e5a87 100644
--- a/environments/production/group_vars/indexer.yml
+++ b/environments/production/group_vars/indexer.yml
@@ -1,18 +1,7 @@
---
splunk_firewall_ports:
- # HEC
- - protocol: tcp
- number: 8088
-
- # Splunk TCPIN
- - protocol: tcp
- number: 9997
-
- - protocol: tcp
- number: 8000
-
- - protocol: tcp
- number: "{{ splunkd_port }}"
-
- - protocol: tcp
- number: "{{ splunk_idxc_rep_port }}"
+ - "{{ splunkweb_port }}"
+ - "{{ splunkapi_port }}"
+ - "{{ splunktcpin_port }}"
+ - "{{ splunkhec_port }}"
+ - "{{ splunkidxcrep_port }}"
diff --git a/environments/production/group_vars/search.yml b/environments/production/group_vars/search.yml
index ce98e2f8..61b4b837 100644
--- a/environments/production/group_vars/search.yml
+++ b/environments/production/group_vars/search.yml
@@ -1,10 +1,5 @@
---
splunk_firewall_ports:
- - protocol: tcp
- number: 8000
-
- - protocol: tcp
- number: "{{ splunkd_port }}"
-
- - protocol: tcp
- number: "{{ splunk_shc_rep_port }}"
+ - "{{ splunkweb_port }}"
+ - "{{ splunkapi_port }}"
+ - "{{ splunkshcrep_port }}"
diff --git a/roles/splunk/defaults/main.yml b/roles/splunk/defaults/main.yml
index ba295346..5043b440 100644
--- a/roles/splunk/defaults/main.yml
+++ b/roles/splunk/defaults/main.yml
@@ -31,12 +31,6 @@ splunk_admin_username: admin
splunk_admin_password: undefined # Use ansible-vault encrypt_string, e.g. ansible-vault encrypt_string --ask-vault-pass 'var_value_to_encrypt' --name 'var_name'
splunk_configure_secret: false # If set to true, you need to update files/splunk.secret
splunk_secret_file: splunk.secret # Used to specify your splunk.secret filename(s), files should be placed in the "files" folder of the role
-configure_firewall: false # Whether or not to configure the firewall service on your machine, if set to true, opens firewall ports using UFW (default) or Firewalld depending on OS
-splunk_firewall_ports: # List of ports to allow through local firewall in dict form
- - protocol: tcp
- number: "{{ splunkd_port }}"
- - protocol: tcp
- number: 8000
# Although there are tasks for the following Splunk configurations in this role, they are not included in any tasks by default. You can add them to your install_splunk.yml if you would like to have Ansible manage any of these files
splunk_configure_authentication: false
ad_bind_password: undefined # Use ansible-vault encrypt_string, e.g. ansible-vault encrypt_string --ask-vault-pass 'var_value_to_encrypt' --name 'var_name'
@@ -81,3 +75,15 @@ add_pstack_script: false # Set to true to install a pstack generation script for
configure_dmesg: false
install_utilities: false # Set to true to install the list of packages defined in the linux_packages var after installing splunk
use_tuned_thp: false
+# Firewall configs
+configure_firewall: false # Whether or not to configure the firewall service on your machine, if set to true, opens firewall ports using UFW (default) or Firewalld depending on OS
+# Firewall port presets - reference these in group_vars to assign them to splunk
+splunkweb_port: {protocol: "tcp", number: 8000}
+splunkhec_port: {protocol: "tcp", number: 8088}
+splunktcpin_port: {protocol: "tcp", number: 9997}
+splunkapi_port: {protocol: "tcp", number: "{{ splunkd_port }}"}
+splunkidxcrep_port: {protocol: "tcp", number: "{{ splunk_idxc_rep_port }}"}
+splunkshcrep_port: {protocol: "tcp", number: "{{ splunk_shc_rep_port }}"}
+splunk_firewall_ports: # List of ports to allow through local firewall in dict form
+ - "{{ splunkweb_port }}"
+ - "{{ splunkapi_port }}"
\ No newline at end of file
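Review bot: `splunk_firewall_ports` is a list, and Ansible replaces list variables wholesale rather than merging them, so a group_vars override (as in the three group_vars files in this patch) silently drops the `splunkweb_port` and `splunkapi_port` defaults set here; the comment should say so, e.g. `# Port presets to allow through the local firewall; a group_vars override replaces this whole list, so repeat any default you still want`. The file also ends without a trailing newline (`\ No newline at end of file`), which patch 6's hunk on this file keeps.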
diff --git a/roles/splunk/handlers/main.yml b/roles/splunk/handlers/main.yml
index a82648c6..16d43eba 100644
--- a/roles/splunk/handlers/main.yml
+++ b/roles/splunk/handlers/main.yml
@@ -96,3 +96,4 @@
- name: reload ufw
command: ufw reload
+ become: true
diff --git a/roles/splunk/tasks/configure_firewall.yml b/roles/splunk/tasks/configure_firewall.yml
index 0856098c..73d5be90 100644
--- a/roles/splunk/tasks/configure_firewall.yml
+++ b/roles/splunk/tasks/configure_firewall.yml
@@ -3,12 +3,14 @@
ansible.builtin.package:
name: "{{ firewall_service }}"
state: present
+ become: true
- name: Ensure {{ firewall_service }} is Started and Enabled
ansible.builtin.systemd:
name: "{{ firewall_service }}"
state: started
enabled: true
+ become: true
- name: Configure firewalld for Splunk
ansible.builtin.template:
diff --git a/roles/splunk/tasks/configure_os.yml b/roles/splunk/tasks/configure_os.yml
index 0383eb56..6ecf2b7a 100644
--- a/roles/splunk/tasks/configure_os.yml
+++ b/roles/splunk/tasks/configure_os.yml
@@ -26,3 +26,4 @@
when:
- firewall_service != 'undefined'
- configure_firewall != false
+ - "'full' in group_names"
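Review bot: Hard-coding the inventory group name `full` inside the role ties it to one inventory layout and silently skips the firewall on hosts in any other group even when `configure_firewall` is true, with no message explaining why. Exposing the group list as a variable with the current value as its default, e.g. `splunk_firewall_groups: ['full']` in defaults and `- group_names | intersect(splunk_firewall_groups) | length > 0` here, keeps today's behaviour while letting other inventories opt in; alternatively drop the condition and let the `full` group set `configure_firewall: true` in its group_vars.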
From 1acc13b0aa4e7bb55809fb2ed801ffca86b3ba3f Mon Sep 17 00:00:00 2001
From: arcsector <26469747+arcsector@users.noreply.github.com>
Date: Fri, 2 Dec 2022 14:02:21 -0800
Subject: [PATCH 4/6] Firewall changes after tests - SSH Allow in UFW - Make
Firewalld aware of service - Removing unnecessary reload handle of UFW -
Adding RHEL 8 firewall_service
---
roles/splunk/defaults/main.yml | 1 +
roles/splunk/handlers/main.yml | 4 --
roles/splunk/tasks/configure_firewall.yml | 72 +++++++++++++++--------
roles/splunk/vars/RedHat8.yml | 1 +
4 files changed, 51 insertions(+), 27 deletions(-)
diff --git a/roles/splunk/defaults/main.yml b/roles/splunk/defaults/main.yml
index 5043b440..6d3f7470 100644
--- a/roles/splunk/defaults/main.yml
+++ b/roles/splunk/defaults/main.yml
@@ -77,6 +77,7 @@ install_utilities: false # Set to true to install the list of packages defined i
use_tuned_thp: false
# Firewall configs
configure_firewall: false # Whether or not to configure the firewall service on your machine, if set to true, opens firewall ports using UFW (default) or Firewalld depending on OS
+splunk_firewall_service: splunk # The name of the Splunk firewall service to install for firewalld
# Firewall port presets - reference these in group_vars to assign them to splunk
splunkweb_port: {protocol: "tcp", number: 8000}
splunkhec_port: {protocol: "tcp", number: 8088}
diff --git a/roles/splunk/handlers/main.yml b/roles/splunk/handlers/main.yml
index 16d43eba..9815e4bc 100644
--- a/roles/splunk/handlers/main.yml
+++ b/roles/splunk/handlers/main.yml
@@ -93,7 +93,3 @@
- name: reload firewalld
command: firewall-cmd --reload
become: true
-
-- name: reload ufw
- command: ufw reload
- become: true
diff --git a/roles/splunk/tasks/configure_firewall.yml b/roles/splunk/tasks/configure_firewall.yml
index 73d5be90..9841dca0 100644
--- a/roles/splunk/tasks/configure_firewall.yml
+++ b/roles/splunk/tasks/configure_firewall.yml
@@ -5,31 +5,57 @@
state: present
become: true
-- name: Ensure {{ firewall_service }} is Started and Enabled
- ansible.builtin.systemd:
- name: "{{ firewall_service }}"
- state: started
- enabled: true
- become: true
-
- name: Configure firewalld for Splunk
- ansible.builtin.template:
- src: firewalld_service.xml.j2
- dest: /etc/firewalld/services/splunk.xml
- backup: true
- mode: 0644
- owner: root
- group: root
- become: true
- notify: reload firewalld
+ block:
+ - name: Ensure {{ firewall_service }} is Started and Enabled
+ ansible.builtin.systemd:
+ name: "{{ firewall_service }}"
+ state: started
+ enabled: true
+ become: true
+
+ - name: Add splunk firewalld service
+ ansible.builtin.template:
+ src: firewalld_service.xml.j2
+ dest: /etc/firewalld/services/{{ splunk_firewall_service }}.xml
+ backup: true
+ mode: 0644
+ owner: root
+ group: root
+ become: true
+ register: firewalld
+
+ - name: reload firewalld
+ command: firewall-cmd --reload
+ become: true
+ when: firewalld.changed
+
+ - name: Activate splunk firewalld service
+ ansible.posix.firewalld:
+ service: "{{ splunk_firewall_service }}"
+ permanent: yes
+ state: enabled
+ immediate: true
+ notify: reload firewalld
+ become: true
when: firewall_service == "firewalld"
- name: Configure UFW for Splunk
- community.general.ufw:
- port: "{{ item.number }}"
- proto: "{{ item.protocol }}"
- rule: allow
- become: true
- loop: "{{ splunk_firewall_ports }}"
+ block:
+ - name: Ensure SSH is enabled
+ community.general.ufw:
+ port: 22
+ proto: tcp
+ rule: allow
+ state: enabled
+ become: true
+
+ - name: Add splunk port to UFW
+ community.general.ufw:
+ port: "{{ item.number }}"
+ proto: "{{ item.protocol }}"
+ rule: allow
+ state: reloaded
+ become: true
+ loop: "{{ splunk_firewall_ports }}"
when: firewall_service == "ufw"
- notify: reload ufw
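Review bot: "Ensure SSH is enabled" hard-codes `port: 22` and is also the task that switches UFW on (`state: enabled`), so a host whose sshd listens on another port (a non-default `ansible_port`) is cut off from further Ansible management the moment it runs; `port: "{{ ansible_port | default(22) }}"` keeps the management path open. Enabling UFW before the Splunk rules are added also blocks the Splunk ports on an already-serving host until the loop completes, and `state: reloaded` on the looped task reloads UFW once per list item; moving `state: enabled` to the last task and leaving the loop at `rule: allow` does the work once, rules first. The allow rules accept from any source; an optional `from_ip: "{{ item.src | default('any') }}"` would let a group_vars preset restrict replication or management ports to known peers without changing the default. In the firewalld block, `register: firewalld` shadows the module name — `register: splunk_firewalld_service` reads better — and `notify: reload firewalld` on the activation task is redundant with `immediate: true` plus the explicit reload above it.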
diff --git a/roles/splunk/vars/RedHat8.yml b/roles/splunk/vars/RedHat8.yml
index 25db47c4..941406f4 100644
--- a/roles/splunk/vars/RedHat8.yml
+++ b/roles/splunk/vars/RedHat8.yml
@@ -17,3 +17,4 @@ linux_packages:
- nethogs
- gdb
- bind-utils
+firewall_service: firewalld
From ef3a94cd4e2a942164db9a5be7d4a58a34ae9acf Mon Sep 17 00:00:00 2001
From: David Twersky
Date: Mon, 5 Dec 2022 19:31:08 -0500
Subject: [PATCH 5/6] replace with firewalld in name for task running only for
firewalld
---
roles/splunk/tasks/configure_firewall.yml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/roles/splunk/tasks/configure_firewall.yml b/roles/splunk/tasks/configure_firewall.yml
index 9841dca0..d0b20ebe 100644
--- a/roles/splunk/tasks/configure_firewall.yml
+++ b/roles/splunk/tasks/configure_firewall.yml
@@ -1,5 +1,5 @@
---
-- name: Ensure {{ firewall_service }} package is installed
+- name: Ensure {{ firewall_service }} package is installed
ansible.builtin.package:
name: "{{ firewall_service }}"
state: present
@@ -7,7 +7,7 @@
- name: Configure firewalld for Splunk
block:
- - name: Ensure {{ firewall_service }} is Started and Enabled
+ - name: Ensure firewalld is Started and Enabled
ansible.builtin.systemd:
name: "{{ firewall_service }}"
state: started
From 4c7b5f3381933bc6473b3c48df1ee23cda16ef8e Mon Sep 17 00:00:00 2001
From: arcsector <26469747+arcsector@users.noreply.github.com>
Date: Tue, 6 Dec 2022 22:44:40 -0800
Subject: [PATCH 6/6] Adding comments and desc to port dictionary
---
roles/splunk/defaults/main.yml | 12 ++++++------
roles/splunk/tasks/configure_firewall.yml | 3 ++-
roles/splunk/templates/firewalld_service.xml.j2 | 1 +
3 files changed, 9 insertions(+), 7 deletions(-)
diff --git a/roles/splunk/defaults/main.yml b/roles/splunk/defaults/main.yml
index 6d3f7470..daa85702 100644
--- a/roles/splunk/defaults/main.yml
+++ b/roles/splunk/defaults/main.yml
@@ -79,12 +79,12 @@ use_tuned_thp: false
configure_firewall: false # Whether or not to configure the firewall service on your machine, if set to true, opens firewall ports using UFW (default) or Firewalld depending on OS
splunk_firewall_service: splunk # The name of the Splunk firewall service to install for firewalld
# Firewall port presets - reference these in group_vars to assign them to splunk
-splunkweb_port: {protocol: "tcp", number: 8000}
-splunkhec_port: {protocol: "tcp", number: 8088}
-splunktcpin_port: {protocol: "tcp", number: 9997}
-splunkapi_port: {protocol: "tcp", number: "{{ splunkd_port }}"}
-splunkidxcrep_port: {protocol: "tcp", number: "{{ splunk_idxc_rep_port }}"}
-splunkshcrep_port: {protocol: "tcp", number: "{{ splunk_shc_rep_port }}"}
+splunkweb_port: {desc: "Splunk Web", protocol: "tcp", number: 8000}
+splunkhec_port: {desc: "Splunk HEC", protocol: "tcp", number: 8088}
+splunktcpin_port: {desc: "Splunk TCPIN", protocol: "tcp", number: 9997}
+splunkapi_port: {desc: "Splunk API", protocol: "tcp", number: "{{ splunkd_port }}"}
+splunkidxcrep_port: {desc: "Splunk Indexer Clustering Replication", protocol: "tcp", number: "{{ splunk_idxc_rep_port }}"}
+splunkshcrep_port: {desc: "Splunk Search Head Clustering Replication", protocol: "tcp", number: "{{ splunk_shc_rep_port }}"}
splunk_firewall_ports: # List of ports to allow through local firewall in dict form
- "{{ splunkweb_port }}"
- "{{ splunkapi_port }}"
\ No newline at end of file
diff --git a/roles/splunk/tasks/configure_firewall.yml b/roles/splunk/tasks/configure_firewall.yml
index d0b20ebe..7e7ceccc 100644
--- a/roles/splunk/tasks/configure_firewall.yml
+++ b/roles/splunk/tasks/configure_firewall.yml
@@ -33,7 +33,7 @@
- name: Activate splunk firewalld service
ansible.posix.firewalld:
service: "{{ splunk_firewall_service }}"
- permanent: yes
+ permanent: true
state: enabled
immediate: true
notify: reload firewalld
@@ -56,6 +56,7 @@
proto: "{{ item.protocol }}"
rule: allow
state: reloaded
+ comment: "{{ item.desc | default('') }}"
become: true
loop: "{{ splunk_firewall_ports }}"
when: firewall_service == "ufw"
diff --git a/roles/splunk/templates/firewalld_service.xml.j2 b/roles/splunk/templates/firewalld_service.xml.j2
index 2e5606aa..ea5481dd 100644
--- a/roles/splunk/templates/firewalld_service.xml.j2
+++ b/roles/splunk/templates/firewalld_service.xml.j2
@@ -3,6 +3,7 @@
splunk
Ports to be configured for splunk
{% for port in splunk_firewall_ports %}
+
{% endfor %}