diff --git a/salt/firewall/hostgroups.yaml b/salt/firewall/hostgroups.yaml index 5ff6b900b..778912911 100644 --- a/salt/firewall/hostgroups.yaml +++ b/salt/firewall/hostgroups.yaml @@ -1,3 +1,4 @@ +{%- set DNET = salt['pillar.get']('global:dockernet', '172.17.0.0') %} firewall: hostgroups: anywhere: @@ -9,7 +10,7 @@ firewall: ips: delete: insert: - - 172.17.0.0/24 + - {{ DNET }}/24 localhost: ips: delete: diff --git a/salt/fleet/init.sls b/salt/fleet/init.sls index 220f3c4cb..e85358542 100644 --- a/salt/fleet/init.sls +++ b/salt/fleet/init.sls @@ -12,6 +12,8 @@ {% else %} {% set MAINIP = salt['pillar.get']('global:managerip') %} {% endif %} +{% set DNET = salt['pillar.get']('global:dockernet', '172.17.0.0') %} + include: - mysql @@ -71,7 +73,7 @@ fleetdb: fleetdbuser: mysql_user.present: - - host: 172.17.0.0/255.255.0.0 + - host: {{ DNET }}/255.255.0.0 - password: {{ FLEETPASS }} - connection_host: {{ MAINIP }} - connection_port: 3306 @@ -85,7 +87,7 @@ fleetdbpriv: - grant: all privileges - database: fleet.* - user: fleetdbuser - - host: 172.17.0.0/255.255.0.0 + - host: {{ DNET }}/255.255.0.0 - connection_host: {{ MAINIP }} - connection_port: 3306 - connection_user: root diff --git a/salt/playbook/init.sls b/salt/playbook/init.sls index c78743eb5..eb009b23e 100644 --- a/salt/playbook/init.sls +++ b/salt/playbook/init.sls @@ -10,6 +10,8 @@ {% set MAINIP = salt['grains.get']('ip_interfaces').get(salt['pillar.get']('sensor:mainint', salt['pillar.get']('manager:mainint', salt['pillar.get']('elasticsearch:mainint', salt['pillar.get']('host:mainint')))))[0] %} {%- set MYSQLPASS = salt['pillar.get']('secrets:mysql', None) -%} {%- set PLAYBOOKPASS = salt['pillar.get']('secrets:playbook_db', None) -%} +{%- set DNET = salt['pillar.get']('global:dockernet', '172.17.0.0') %} + include: - mysql 
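Review bot: The `host:` value introduced for fleetdbuser, `{{ DNET }}/255.255.0.0`, still admits the whole /16, while the same network is scoped to a /24 everywhere else in this change (`{{ DNET }}/24` in hostgroups.yaml, the Docker address pool of size 24 in so-functions, and `/255.255.255.0` in the playbook hunks); the fleetdbpriv hunk that follows carries the same mask. The MySQL account is therefore reachable from 255 subnets that are not the docker network, and if an operator enters a DNET whose third octet is non-zero, the /16 mask silently widens it further. Suggest `- host: {{ DNET }}/255.255.255.0` in both fleet hunks. Note also that `mysql_user.present` with a changed host spec creates a new account and leaves any previously created `172.17.0.0/255.255.0.0` one in place on upgraded managers, so a cleanup state would be needed alongside this.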
@@ -19,7 +21,7 @@ create_playbookdbuser: - mysql.user_create: - user: playbookdbuser - password: {{ PLAYBOOKPASS }} - - host: 172.17.0.0/255.255.0.0 + - host: {{ DNET }}/255.255.255.0 - connection_host: {{ MAINIP }} - connection_port: 3306 - connection_user: root @@ -28,7 +30,7 @@ create_playbookdbuser: query_playbookdbuser_grants: mysql_query.run: - database: playbook - - query: "GRANT ALL ON playbook.* TO 'playbookdbuser'@'172.17.0.0/255.255.0.0';" + - query: "GRANT ALL ON playbook.* TO 'playbookdbuser'@'{{ DNET }}/255.255.255.0';" - connection_host: {{ MAINIP }} - connection_port: 3306 - connection_user: root diff --git a/salt/soc/files/soc/soc.json b/salt/soc/files/soc/soc.json index d9da3f140..5bb348309 100644 --- a/salt/soc/files/soc/soc.json +++ b/salt/soc/files/soc/soc.json @@ -9,6 +9,8 @@ {%- import_json "soc/files/soc/hunt.queries.json" as hunt_queries %} {%- import_json "soc/files/soc/hunt.actions.json" as hunt_actions %} {%- import_json "soc/files/soc/hunt.eventfields.json" as hunt_eventfields %} +{%- set DNET = salt['pillar.get']('global:dockernet', '172.17.0.0') %} + { "logFilename": "/opt/sensoroni/logs/sensoroni-server.log", "server": { @@ -49,7 +51,7 @@ }, {% endif %} "statickeyauth": { - "anonymousCidr": "172.17.0.0/24", + "anonymousCidr": "{{ DNET }}/24", "apiKey": "{{ SENSORONIKEY }}" } }, diff --git a/setup/so-functions b/setup/so-functions index 2505e1616..607d0bd8e 100755 --- a/setup/so-functions +++ b/setup/so-functions 
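Review bot: The host spec for playbookdbuser changes from `172.17.0.0/255.255.0.0` to `{{ DNET }}/255.255.255.0`, but `mysql.user_create` only creates the new account and the GRANT in the next hunk only targets the new host spec, so on an already-deployed manager the old `'playbookdbuser'@'172.17.0.0/255.255.0.0'` account keeps `ALL ON playbook.*` over the wider /16. Consider a preceding state that removes the old account (e.g. `mysql_user.absent` with host `172.17.0.0/255.255.0.0`, or a `DROP USER IF EXISTS` query) so the narrowing actually takes effect. The GRANT remains a string-built query with DNET interpolated by Jinja; the value comes from pillar rather than a request, but it originates from an interactive setup prompt, so validating it at the prompt is the defensive fix rather than trusting it here.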
@@ -841,10 +841,18 @@ docker_registry() {
 echo "Setting up Docker Registry" >> "$setup_log" 2>&1
 mkdir -p /etc/docker >> "$setup_log" 2>&1
 # Make the host use the manager docker registry
+ DNETBIP=$(echo $DOCKERNET | awk -F'.' '{print $1,$2,$3,1}' OFS='.')/24
 if [ -n "$TURBO" ]; then local proxy="$TURBO"; else local proxy="https://$MSRV"; fi
 printf '%s\n'\
 "{"\
- " \"registry-mirrors\": [ \"$proxy:5000\" ]"\
+ " \"registry-mirrors\": [ \"$proxy:5000\" ],"\
+ " \"bip\": \"$DNETBIP\","\
+ " \"default-address-pools\": ["\
+ " {"\
+ " \"base\" : \"$DOCKERNET\","\
+ " \"size\" : 24"\
+ " }"\
+ " ]"\
 "}" > /etc/docker/daemon.json
 echo "Docker Registry Setup - Complete" >> "$setup_log" 2>&1
@@ -1130,12 +1138,17 @@ manager_global() {
 fi
 fi
+ if [ -z "$DOCKERNET" ]; then
+ DOCKERNET=172.17.0.0
+ fi
+
 # Create a global file for global values
 printf '%s\n'\
 "global:"\
 " soversion: '$SOVERSION'"\
 " hnmanager: '$HNMANAGER'"\
 " ntpserver: '$NTPSERVER'"\
+ " dockernet: '$DOCKERNET'"\
 " proxy: '$PROXY'"\
 " mdengine: '$ZEEKVERSION'"\
 " ids: '$NIDS'"\
diff --git a/setup/so-setup b/setup/so-setup
index 2d48f88d8..d699e9f57 100755
--- a/setup/so-setup
+++ b/setup/so-setup
@@ -320,9 +320,8 @@ if [[ $is_helix || $is_sensor || $is_import ]]; then
 calculate_useable_cores
 fi
-if [[ $is_helix || $is_manager || $is_import ]]; then
- whiptail_homenet_manager
-fi
+whiptail_homenet_manager
+whiptail_dockernet_check
 if [[ $is_helix || $is_manager || $is_node || $is_import ]]; then
 set_base_heapsizes
diff --git a/setup/so-whiptail b/setup/so-whiptail
index a6369c9b5..393c2c4af 100755
--- a/setup/so-whiptail
+++ b/setup/so-whiptail
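Review bot: `DOCKERNET` is consumed unquoted in `$(echo $DOCKERNET | awk ...)` and written straight into daemon.json with no fallback in this function, so on a node where the `172.17.0.0` default in `manager_global` has not been applied (or the prompt was skipped) the file gets `"bip": "/24"` and `"base": ""` and dockerd will refuse to start. Docker's `default-address-pools` `base` is, as far as I know, expected in CIDR form (a pool such as `172.17.0.0/16` from which `size`-bit subnets are carved); a bare address as emitted here is likely rejected, so please verify against the daemon.json reference for the shipped Docker version. Suggest defaulting and quoting at the top of the hunk, `DOCKERNET=${DOCKERNET:-172.17.0.0}` followed by `local DNETBIP; DNETBIP=$(echo "$DOCKERNET" | awk -F'.' '{print $1,$2,$3,1}' OFS='.')/24`, so the JSON is well-formed regardless of call order. docker_registry continues outside the hunk.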
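Review bot: Removing the `is_helix || is_manager || is_import` guard makes `whiptail_homenet_manager` run for every node type, including sensors and search nodes, which was not the case before; the new Docker prompt plausibly needs to be universal (its text says the range must match on all nodes), but the HOME_NET prompt was deliberately manager-only. Suggest keeping the original `if`/`fi` around `whiptail_homenet_manager` and calling `whiptail_dockernet_check` unconditionally after it. Note also that on non-manager nodes the answer survives only in the shell variable `DOCKERNET`; the default and the `dockernet:` pillar write live in `manager_global`, so whether a sensor's `docker_registry` call sees a value depends on call order not visible in this hunk.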
@@ -457,6 +457,31 @@ whiptail_dhcp_warn() {
 }
+whiptail_dockernet_check(){
+
+ [ -n "$TESTING" ] && return
+
+ whiptail --title "Security Onion Setup" --yesno \
+ "Do you want to keep the default Docker IP range? \n \n(Choose yes if you don't know what this means)" 10 75
+
+ local exitstatus=$?
+
+ if [[ $exitstatus == 1 ]]; then
+ whiptail_dockernet_net
+ fi
+}
+
+whiptail_dockernet_net() {
+
+ [ -n "$TESTING" ] && return
+
+ DOCKERNET=$(whiptail --title "Security Onion Setup" --inputbox \
+ "\nEnter a /24 network range for docker to use: \nThe same range MUST be used on ALL nodes \n(Default value is pre-populated.)" 10 75 172.17.0.0 3>&1 1>&2 2>&3)
+
+ local exitstatus=$?
+ whiptail_check_exitstatus $exitstatus
+
+}
 whiptail_enable_components() {
 [ -n "$TESTING" ] && return
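Review bot: `whiptail_dockernet_net` stores whatever was typed into the inputbox in `DOCKERNET` without any format check, and that value is then embedded in daemon.json, the `global:` pillar, firewall hostgroup rules and a MySQL `GRANT` string, so a typo or a stray character breaks several services at once; an empty or malformed pillar value is also not caught by `pillar.get`'s default, which only applies when the key is absent. After `whiptail_check_exitstatus $exitstatus` add a check and re-prompt, e.g. `if ! [[ $DOCKERNET =~ ^([0-9]{1,3}\.){3}0$ ]]; then whiptail_dockernet_net; fi` (a stricter octet-range test is reasonable, and the trailing `0` reflects the "/24 network range" the prompt asks for). `whiptail_dockernet_check` also returns without assigning `DOCKERNET` when the user keeps the default, so the function depends on a default set elsewhere; `DOCKERNET=${DOCKERNET:-172.17.0.0}` in the non-1 branch would make it self-contained. Note that `--yesno` returns 255 on Esc, which the `== 1` test treats the same as "keep default".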