CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-06 09:12:45 +01:00
Code Issues Packages Projects Releases Wiki Activity

Re-Architecting Network Setup on all containers

Browse Source
This commit is contained in:
Mike Reeves
2018-06-20 13:22:57 -04:00
parent 55736efe7f
commit 93916ba358
7 changed files with 24 additions and 22 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
salt/common/init.sls
View File

@@ -66,9 +66,9 @@ docker:
# - driver: bridge # - driver: bridge
# dockernet work around # dockernet work around
dockernet: #dockernet:
cmd.script: # cmd.script:
- source: salt://common/scripts/dockernet.sh # - source: salt://common/scripts/dockernet.sh
# Snag the so-core docker # Snag the so-core docker
@@ -118,7 +118,6 @@ so-core:
- /opt/so/log/nginx/:/var/log/nginx:rw - /opt/so/log/nginx/:/var/log/nginx:rw
- /opt/so/tmp/nginx/:/var/lib/nginx:rw - /opt/so/tmp/nginx/:/var/lib/nginx:rw
- /opt/so/tmp/nginx/:/run:rw - /opt/so/tmp/nginx/:/run:rw
- network_mode: so-elastic-net
- cap_add: NET_BIND_SERVICE - cap_add: NET_BIND_SERVICE
- port_bindings: - port_bindings:
- 80:80 - 80:80

8
salt/elasticsearch/init.sls
View File

@@ -98,7 +98,7 @@ so-elasticsearch:
- /opt/so/conf/elasticsearch/log4j2.properties:/usr/share/elasticsearch/config/log4j2.properties:ro - /opt/so/conf/elasticsearch/log4j2.properties:/usr/share/elasticsearch/config/log4j2.properties:ro
- /nsm/elasticsearch:/usr/share/elasticsearch/data:rw - /nsm/elasticsearch:/usr/share/elasticsearch/data:rw
- /opt/so/log/elasticsearch:/var/log/elasticsearch:rw - /opt/so/log/elasticsearch:/var/log/elasticsearch:rw
- network_mode: so-elastic-net
# See if Freqserver is enabled # See if Freqserver is enabled
{% if freq == 1 %} {% if freq == 1 %}
@@ -132,7 +132,7 @@ so-freq:
- user: freqserver - user: freqserver
- binds: - binds:
- /opt/so/log/freq_server:/var/log/freq_server:rw - /opt/so/log/freq_server:/var/log/freq_server:rw
- network_mode: so-elastic-net
{% endif %} {% endif %}
@@ -168,7 +168,7 @@ so-domainstats:
- user: domainstats - user: domainstats
- binds: - binds:
- /opt/so/log/domainstats:/var/log/domain_stats - /opt/so/log/domainstats:/var/log/domain_stats
- network_mode: so-elastic-net
{% endif %} {% endif %}
@@ -237,7 +237,7 @@ so-curator:
- /opt/so/conf/curator/curator.yml:/etc/curator/config/curator.yml:ro - /opt/so/conf/curator/curator.yml:/etc/curator/config/curator.yml:ro
- /opt/so/conf/curator/action/:/etc/curator/action:ro - /opt/so/conf/curator/action/:/etc/curator/action:ro
- /opt/so/log/curator:/var/log/curator - /opt/so/log/curator:/var/log/curator
- network_mode: so-elastic-net
# Begin Curator Cron Jobs # Begin Curator Cron Jobs

2
salt/filebeat/init.sls
View File

@@ -53,4 +53,4 @@ so-filebeat:
- /opt/so/conf/filebeat/etc/pki/filebeat.crt:/usr/share/filebeat/filebeat.crt:ro - /opt/so/conf/filebeat/etc/pki/filebeat.crt:/usr/share/filebeat/filebeat.crt:ro
- /opt/so/conf/filebeat/etc/pki/filebeat.key:/usr/share/filebeat/filebeat.key:ro - /opt/so/conf/filebeat/etc/pki/filebeat.key:/usr/share/filebeat/filebeat.key:ro
- /etc/ssl/certs/intca.crt:/usr/share/filebeat/intraca.crt:ro - /etc/ssl/certs/intca.crt:/usr/share/filebeat/intraca.crt:ro
- network_mode: so-elastic-net

24
salt/firewall/init.sls
View File

@@ -62,16 +62,6 @@ del_return_rule:
# Make it so all the minions can talk to salt and update etc. # Make it so all the minions can talk to salt and update etc.
{% for ip in pillar.get('minions') %} {% for ip in pillar.get('minions') %}
enable_salt_minions_3142_{{ip}}:
iptables.append:
- table: filter
- chain: INPUT
- jump: ACCEPT
- proto: tcp
- source: {{ ip }}
- dport: 3142
- save: True
enable_salt_minions_4505_{{ip}}: enable_salt_minions_4505_{{ip}}:
iptables.append: iptables.append:
- table: filter - table: filter
@@ -114,8 +104,22 @@ enable_salt_minions_3142_{{ip}}:
- position: 1 - position: 1
- save: True - save: True
enable_salt_minions_5044_{{ip}}:
iptables.insert:
- table: filter
- chain: DOCKER-USER
- jump: ACCEPT
- proto: tcp
- source: {{ ip }}
- dport: 5044
- position: 1
- save: True
{% endfor %} {% endfor %}
# Rules for storage nodes connecting to master
{% endif %} {% endif %}
# Rules if you are a Storage Node # Rules if you are a Storage Node

1
salt/kibana/init.sls
View File

@@ -54,6 +54,5 @@ so-kibana:
- /opt/so/log/kibana:/var/log/kibana:rw - /opt/so/log/kibana:/var/log/kibana:rw
- /opt/so/conf/kibana/custdashboards/:/usr/share/kibana/custdashboards/:ro - /opt/so/conf/kibana/custdashboards/:/usr/share/kibana/custdashboards/:ro
- /sys/fs/cgroup:/sys/fs/cgroup:ro - /sys/fs/cgroup:/sys/fs/cgroup:ro
- network_mode: so-elastic-net
- port_bindings: - port_bindings:
- 127.0.0.1:5601:5601 - 127.0.0.1:5601:5601

2
salt/logstash/init.sls
View File

@@ -136,4 +136,4 @@ so-logstash:
- /etc/pki/filebeat.crt:/usr/share/logstash/filebeat.crt:ro - /etc/pki/filebeat.crt:/usr/share/logstash/filebeat.crt:ro
- /etc/pki/filebeat.key:/usr/share/logstash/filebeat.key:ro - /etc/pki/filebeat.key:/usr/share/logstash/filebeat.key:ro
- /etc/pki/ca.crt:/usr/share/filebeat/ca.crt:ro - /etc/pki/ca.crt:/usr/share/filebeat/ca.crt:ro
- network_mode: so-elastic-net

2
salt/redis/init.sls
View File

@@ -59,4 +59,4 @@ so-redis:
- /opt/so/conf/redis/etc/redis.conf:/usr/local/etc/redis/redis.conf:ro - /opt/so/conf/redis/etc/redis.conf:/usr/local/etc/redis/redis.conf:ro
- /opt/so/conf/redis/working:/redis:rw - /opt/so/conf/redis/working:/redis:rw
- entrypoint: "redis-server /usr/local/etc/redis/redis.conf" - entrypoint: "redis-server /usr/local/etc/redis/redis.conf"
- network_mode: so-elastic-net