Simple Firewall Configuration (splunk#157)

* Firewall changes:
- Firewalld Services instead of ephemeral commands
- New port format to specify protocol for modularity
- Defaults to UFW and if RHEL uses firewalld
- Added default firewall ports per group var
- Checks to see if firewall package is installed and service is running and enabled

* Handlers for firewalls and merge into single yml

* Firewall change requests
- port proto combos predefined and referenced
- super user privileges for handlers and package interactions

* Firewall changes after tests
- SSH Allow in UFW
- Make Firewalld aware of service
- Removing unnecessary reload handle of UFW
- Adding RHEL 8 firewall_service

* replace  with firewalld in name for task running only for firewalld

* Adding comments and desc to port dictionary

Co-authored-by: David Twersky <jewunix@gmail.com>

Author: arcsector

environments/production/group_vars/heavyforwarder.yml

@@ -0,0 +1,6 @@
+---
+splunk_firewall_ports:
+  - "{{ splunkweb_port }}"
+  - "{{ splunkapi_port }}"
+  - "{{ splunktcpin_port }}"
+  - "{{ splunkhec_port }}"

environments/production/group_vars/indexer.yml

@@ -0,0 +1,7 @@
+---
+splunk_firewall_ports:
+  - "{{ splunkweb_port }}"
+  - "{{ splunkapi_port }}"
+  - "{{ splunktcpin_port }}"
+  - "{{ splunkhec_port }}"
+  - "{{ splunkidxcrep_port }}"

environments/production/group_vars/search.yml

@@ -0,0 +1,5 @@
+---
+splunk_firewall_ports:
+  - "{{ splunkweb_port }}"
+  - "{{ splunkapi_port }}"
+  - "{{ splunkshcrep_port }}"

roles/splunk/defaults/main.yml

@@ -75,3 +75,16 @@ add_pstack_script: false # Set to true to install a pstack generation script for
 configure_dmesg: false
 install_utilities: false # Set to true to install the list of packages defined in the linux_packages var after installing splunk
 use_tuned_thp: false
+# Firewall configs
+configure_firewall: false # Whether or not to configure the firewall service on your machine, if set to true, opens firewall ports using UFW (default) or Firewalld depending on OS
+splunk_firewall_service: splunk # The name of the Splunk firewall service to install for firewalld
+# Firewall port presets - reference these in group_vars to assign them to splunk
+splunkweb_port: {desc: "Splunk Web", protocol: "tcp", number: 8000}
+splunkhec_port: {desc: "Splunk HEC", protocol: "tcp", number: 8088}
+splunktcpin_port: {desc: "Splunk TCPIN", protocol: "tcp", number: 9997}
+splunkapi_port: {desc: "Splunk API", protocol: "tcp", number: "{{ splunkd_port }}"}
+splunkidxcrep_port: {desc: "Splunk Indexer Clustering Replication", protocol: "tcp", number: "{{ splunk_idxc_rep_port }}"}
+splunkshcrep_port: {desc: "Splunk Search Head Clustering Replication", protocol: "tcp", number: "{{ splunk_shc_rep_port }}"}
+splunk_firewall_ports: # List of ports to allow through local firewall in dict form
+  - "{{ splunkweb_port }}"
+  - "{{ splunkapi_port }}"

roles/splunk/handlers/main.yml

@@ -89,3 +89,7 @@
     port: "{{ splunkd_port }}"
     state: started
     delay: 5
+
+- name: reload firewalld
+  command: firewall-cmd --reload
+  become: true

roles/splunk/tasks/configure_firewall.yml

@@ -0,0 +1,62 @@
+---
+- name: Ensure {{ firewall_service }} package is installed
+  ansible.builtin.package:
+    name: "{{ firewall_service }}"
+    state: present
+  become: true
+
+- name: Configure firewalld for Splunk
+  block:
+    - name: Ensure firewalld is Started and Enabled
+      ansible.builtin.systemd:
+        name: "{{ firewall_service }}"
+        state: started
+        enabled: true
+      become: true
+
+    - name: Add splunk firewalld service
+      ansible.builtin.template:
+        src: firewalld_service.xml.j2
+        dest: /etc/firewalld/services/{{ splunk_firewall_service }}.xml
+        backup: true
+        mode: 0644
+        owner: root
+        group: root
+      become: true
+      register: firewalld
+
+    - name: reload firewalld
+      command: firewall-cmd --reload
+      become: true
+      when: firewalld.changed
+
+    - name: Activate splunk firewalld service
+      ansible.posix.firewalld:
+        service: "{{ splunk_firewall_service }}"
+        permanent: true
+        state: enabled
+        immediate: true
+      notify: reload firewalld
+      become: true
+  when: firewall_service == "firewalld"
+
+- name: Configure UFW for Splunk
+  block:
+    - name: Ensure SSH is enabled
+      community.general.ufw:
+        port: 22
+        proto: tcp
+        rule: allow
+        state: enabled
+      become: true
+
+    - name: Add splunk port to UFW
+      community.general.ufw:
+        port: "{{ item.number }}"
+        proto: "{{ item.protocol }}"
+        rule: allow
+        state: reloaded
+        comment: "{{ item.desc | default('') }}"
+      become: true
+      loop: "{{ splunk_firewall_ports }}"
+  when: firewall_service == "ufw"

roles/splunk/tasks/configure_os.yml

@@ -20,3 +20,10 @@
 - name: Enable read for dmesg
   include_tasks: configure_dmesg.yml
   when: configure_dmesg
+
+- name: Configure firewall service
+  include_tasks: "configure_firewall.yml"
+  when:
+    - firewall_service != 'undefined'
+    - configure_firewall != false
+    - "'full' in group_names"

roles/splunk/templates/firewalld_service.xml.j2

@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="utf-8"?>
+<service>
+    <short>splunk</short>
+    <description>Ports to be configured for splunk</description>
+    {% for port in splunk_firewall_ports %}
+        <!-- {{ port.desc | default('') }} -->
+        <port protocol="{{ port.protocol }}" port="{{ port.number }}"/>
+    {% endfor %}
+</service>

roles/splunk/vars/Debian.yml

@@ -14,3 +14,4 @@ linux_packages:
   - nethogs
   - gdb
   - dnsutils
+firewall_service: ufw

roles/splunk/vars/RedHat.yml

@@ -17,3 +17,4 @@ linux_packages:
   - nethogs
   - gdb
   - bind-utils
+firewall_service: firewalld