From 64741b571edd028a6a5d3b32cd2b467d68a7b699 Mon Sep 17 00:00:00 2001
From: Christian Kreibich
Date: Wed, 8 Jun 2022 11:33:41 -0700
Subject: [PATCH 1/2] Management framework: switch default network visibilities

Up to now, agents and controllers listened locally only, and the Supervisor (which listens when we run an agent) listened globally. It's now the other way around: controllers and agents listen globally and the Supervisor, when listening, does so locally.
---
 scripts/policy/frameworks/management/agent/boot.zeek | 12 ++++++++----
 .../policy/frameworks/management/agent/config.zeek | 2 +-
 scripts/policy/frameworks/management/config.zeek | 5 ++---
 .../frameworks/management/controller/config.zeek | 2 +-
 4 files changed, 12 insertions(+), 9 deletions(-)

diff --git a/scripts/policy/frameworks/management/agent/boot.zeek b/scripts/policy/frameworks/management/agent/boot.zeek
index cd1e302c76..3f328bce7a 100644
--- a/scripts/policy/frameworks/management/agent/boot.zeek
+++ b/scripts/policy/frameworks/management/agent/boot.zeek
@@ -8,12 +8,16 @@
 
 @load ./config
 
-# The agent needs the supervisor to listen for node management requests. We
-# need to tell it to do so, and we need to do so here, in the agent
-# bootstrapping code, so the redef applies prior to the fork of the agent
-# process itself.
+# The agent needs the supervisor to listen for node management requests, which
+# by default it does not. We need to tell it to do so here, in the agent
+# bootstrap code, so the redef applies prior to the fork of the agent process.
 redef SupervisorControl::enable_listen = T;
 
+# The Supervisor listens on Broker's default address: any interface. In the
+# Management framework there's no need for other machines to interact with
+# instance Supervisors directly, so restrict it to listening locally.
+redef Broker::default_listen_address = "127.0.0.1";
+
 event zeek_init()
 	{
 	if ( ! Supervisor::is_supervisor() )
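Review bot: The added `redef Broker::default_listen_address = "127.0.0.1";` changes a process-wide default rather than the Supervisor's listener alone: the `Supervisor::is_supervisor()` guard on the hunk's last line shows this script is also evaluated in non-supervisor processes, so any supervised node that binds through the Broker default address would presumably end up on loopback too. In a multi-instance deployment that would cut cluster nodes off from peers on other hosts; this is inferred from the guard rather than from lines visible here, so it is worth confirming how supervised children pick up their scripts. If the restriction is meant for the Supervisor only, scoping it, for example with `@if ( Supervisor::is_supervisor() )` around the redef if that evaluates as intended at parse time, or a comment stating that the loopback default is deliberately inherited by all supervised nodes, would make the intent checkable. The `zeek_init` body continues past the end of the hunk.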
diff --git a/scripts/policy/frameworks/management/agent/config.zeek b/scripts/policy/frameworks/management/agent/config.zeek
index 4e1d23774e..ae9266c57a 100644
--- a/scripts/policy/frameworks/management/agent/config.zeek
+++ b/scripts/policy/frameworks/management/agent/config.zeek
@@ -106,7 +106,7 @@ function endpoint_info(): Broker::EndpointInfo
 	else if ( Management::default_address != "" )
 		network$address = Management::default_address;
 	else
-		network$address = "127.0.0.1";
+		network$address = "0.0.0.0";
 
 	if ( Management::Agent::listen_port != "" )
 		network$bound_port = to_port(Management::Agent::listen_port);
diff --git a/scripts/policy/frameworks/management/config.zeek b/scripts/policy/frameworks/management/config.zeek
index 9ca80caf85..dde21d13b4 100644
--- a/scripts/policy/frameworks/management/config.zeek
+++ b/scripts/policy/frameworks/management/config.zeek
@@ -19,9 +19,8 @@ export {
 
 	## The fallback listen address if more specific adddresses, such as
 	## the controller's :zeek:see:`Management::Controller::listen_address`
-	## remains empty. Unless redefined, this uses Broker's own default
-	## listen address.
-	const default_address = Broker::default_listen_address &redef;
+	## remains empty. Unless redefined, this listens on all interfaces.
+	const default_address = "0.0.0.0" &redef;
 
 	## The retry interval for Broker connnects. Defaults to a more
 	## aggressive value compared to Broker's 30s.
diff --git a/scripts/policy/frameworks/management/controller/config.zeek b/scripts/policy/frameworks/management/controller/config.zeek
index a524fb049b..01b8445a2b 100644
--- a/scripts/policy/frameworks/management/controller/config.zeek
+++ b/scripts/policy/frameworks/management/controller/config.zeek
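Review bot: The `else` fallback `network$address = "0.0.0.0";` is now reachable only when an operator has redefined `Management::default_address` to the empty string, and it then silently re-applies the very all-interfaces bind that operator just cleared; the controller's `network_info()` hunk in controller/config.zeek has the identical pattern. Either the branch should fall back to `Broker::default_listen_address` so that clearing the framework default has an effect, or a comment should state the intent, e.g. `# Reached only when Management::default_address was redefined to ""; still bind to all interfaces rather than Broker's default.`. The enclosing `endpoint_info()` begins before this hunk.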
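Review bot: `"0.0.0.0"` is an IPv4 wildcard, whereas the removed default deferred to `Broker::default_listen_address`; if Broker's default also covered IPv6, hosts that manage over IPv6 only would lose connectivity with this change, and the doc comment should at least say which address families the new default covers. The new default also widens where agent and controller ports accept connections from, so the doc text should point operators at the narrowing knobs, e.g. `## remains empty. Unless redefined, this listens on all IPv4 interfaces; set it, or a role-specific listen_address, to a specific address to limit where management connections are accepted.`. The pre-existing typos `adddresses` and `connnects` are on context lines the hunk did not touch and could be fixed in the same file.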
@@ -86,7 +86,7 @@ function network_info(): Broker::NetworkInfo
 	else if ( Management::default_address != "" )
 		ni$address = Management::default_address;
 	else
-		ni$address = "127.0.0.1";
+		ni$address = "0.0.0.0";
 
 	if ( Management::Controller::listen_port != "" )
 		ni$bound_port = to_port(Management::Controller::listen_port);

From 5a5c7029678901701a03b63704a93c57d362e6db Mon Sep 17 00:00:00 2001
From: Christian Kreibich
Date: Wed, 8 Jun 2022 14:55:56 -0700
Subject: [PATCH 2/2] Management framework: bump external cluster testsuite

---
 testing/external/commit-hash.zeek-testing-cluster | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/testing/external/commit-hash.zeek-testing-cluster b/testing/external/commit-hash.zeek-testing-cluster
index dcaea9023d..7fd0a99548 100644
--- a/testing/external/commit-hash.zeek-testing-cluster
+++ b/testing/external/commit-hash.zeek-testing-cluster
@@ -1 +1 @@
-837a20a947645b63340a4231d5a8665126283f66
+9f5872df390dbee8d55a9fd35fb5c4902d61d8c1