Merge pull request #1702 from Security-Onion-Solutions/dockernet

Custom Docker IP Range
This commit is contained in:
Mike Reeves
2020-10-28 10:48:56 -04:00
committed by GitHub
7 changed files with 54 additions and 10 deletions


@@ -1,3 +1,4 @@
{%- set DNET = salt['pillar.get']('global:dockernet', '172.17.0.0') %}
firewall: firewall:
hostgroups: hostgroups:
anywhere: anywhere:
@@ -9,7 +10,7 @@ firewall:
ips: ips:
delete: delete:
insert: insert:
- 172.17.0.0/24 - {{ DNET }}/24
localhost: localhost:
ips: ips:
delete: delete:
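Review bot: `{{ DNET }}/24` fixes the prefix length in the template while the pillar carries only the network address, and the same `'172.17.0.0'` literal default is repeated in every state file this commit touches; if any of those defaults or the pool size written to daemon.json drifts, this firewall hostgroup silently covers the wrong range. A Jinja comment on the `DNET` line, such as `{# dockernet is the /24 network address Docker is configured with at setup; keep the /24 here in step with the default-address-pools size #}`, records the coupling, and a single shared pillar default would remove the duplication. The hostgroup this `insert` entry belongs to starts above the hunk.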


@@ -12,6 +12,8 @@
{% else %} {% else %}
{% set MAINIP = salt['pillar.get']('global:managerip') %} {% set MAINIP = salt['pillar.get']('global:managerip') %}
{% endif %} {% endif %}
{% set DNET = salt['pillar.get']('global:dockernet', '172.17.0.0') %}
include: include:
- mysql - mysql
@@ -71,7 +73,7 @@ fleetdb:
fleetdbuser: fleetdbuser:
mysql_user.present: mysql_user.present:
- host: 172.17.0.0/255.255.0.0 - host: {{ DNET }}/255.255.0.0
- password: {{ FLEETPASS }} - password: {{ FLEETPASS }}
- connection_host: {{ MAINIP }} - connection_host: {{ MAINIP }}
- connection_port: 3306 - connection_port: 3306
@@ -85,7 +87,7 @@ fleetdbpriv:
- grant: all privileges - grant: all privileges
- database: fleet.* - database: fleet.*
- user: fleetdbuser - user: fleetdbuser
- host: 172.17.0.0/255.255.0.0 - host: {{ DNET }}/255.255.0.0
- connection_host: {{ MAINIP }} - connection_host: {{ MAINIP }}
- connection_port: 3306 - connection_port: 3306
- connection_user: root - connection_user: root
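Review bot: The `host` mask on `fleetdbuser` and on the matching grant stays at `{{ DNET }}/255.255.0.0`, a /16, while this same commit narrows the playbook account to `/255.255.255.0` and sizes Docker's address pool at 24; the fleet account therefore accepts connections from 255 networks beyond the one Docker actually uses. Use `- host: {{ DNET }}/255.255.255.0` on both `mysql_user.present` and the grant so the account's reach matches the configured Docker network, and note that changing the host changes the MySQL account identity, so the old /16 account would need a `mysql_user.absent` on existing installs. Both state definitions extend past the hunk edges.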


@@ -10,6 +10,8 @@
{% set MAINIP = salt['grains.get']('ip_interfaces').get(salt['pillar.get']('sensor:mainint', salt['pillar.get']('manager:mainint', salt['pillar.get']('elasticsearch:mainint', salt['pillar.get']('host:mainint')))))[0] %} {% set MAINIP = salt['grains.get']('ip_interfaces').get(salt['pillar.get']('sensor:mainint', salt['pillar.get']('manager:mainint', salt['pillar.get']('elasticsearch:mainint', salt['pillar.get']('host:mainint')))))[0] %}
{%- set MYSQLPASS = salt['pillar.get']('secrets:mysql', None) -%} {%- set MYSQLPASS = salt['pillar.get']('secrets:mysql', None) -%}
{%- set PLAYBOOKPASS = salt['pillar.get']('secrets:playbook_db', None) -%} {%- set PLAYBOOKPASS = salt['pillar.get']('secrets:playbook_db', None) -%}
{%- set DNET = salt['pillar.get']('global:dockernet', '172.17.0.0') %}
include: include:
- mysql - mysql
@@ -19,7 +21,7 @@ create_playbookdbuser:
- mysql.user_create: - mysql.user_create:
- user: playbookdbuser - user: playbookdbuser
- password: {{ PLAYBOOKPASS }} - password: {{ PLAYBOOKPASS }}
- host: 172.17.0.0/255.255.0.0 - host: {{ DNET }}/255.255.255.0
- connection_host: {{ MAINIP }} - connection_host: {{ MAINIP }}
- connection_port: 3306 - connection_port: 3306
- connection_user: root - connection_user: root
@@ -28,7 +30,7 @@ create_playbookdbuser:
query_playbookdbuser_grants: query_playbookdbuser_grants:
mysql_query.run: mysql_query.run:
- database: playbook - database: playbook
- query: "GRANT ALL ON playbook.* TO 'playbookdbuser'@'172.17.0.0/255.255.0.0';" - query: "GRANT ALL ON playbook.* TO 'playbookdbuser'@'{{ DNET }}/255.255.255.0';"
- connection_host: {{ MAINIP }} - connection_host: {{ MAINIP }}
- connection_port: 3306 - connection_port: 3306
- connection_user: root - connection_user: root
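Review bot: Narrowing the host mask from `/255.255.0.0` to `/255.255.255.0` changes the MySQL account name (`'playbookdbuser'@'<net>/<mask>'` is the identity), so on an already deployed manager `mysql.user_create` adds a second account and the old `playbookdbuser@172.17.0.0/255.255.0.0` with `ALL ON playbook.*` remains in place — unless an upgrade step elsewhere removes it, which is not visible here. A `mysql_user.absent` state with `- name: playbookdbuser` and `- host: 172.17.0.0/255.255.0.0` and the same connection arguments would retire the wider account. Both state definitions continue outside the hunk.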


@@ -9,6 +9,8 @@
{%- import_json "soc/files/soc/hunt.queries.json" as hunt_queries %} {%- import_json "soc/files/soc/hunt.queries.json" as hunt_queries %}
{%- import_json "soc/files/soc/hunt.actions.json" as hunt_actions %} {%- import_json "soc/files/soc/hunt.actions.json" as hunt_actions %}
{%- import_json "soc/files/soc/hunt.eventfields.json" as hunt_eventfields %} {%- import_json "soc/files/soc/hunt.eventfields.json" as hunt_eventfields %}
{%- set DNET = salt['pillar.get']('global:dockernet', '172.17.0.0') %}
{ {
"logFilename": "/opt/sensoroni/logs/sensoroni-server.log", "logFilename": "/opt/sensoroni/logs/sensoroni-server.log",
"server": { "server": {
@@ -49,7 +51,7 @@
}, },
{% endif %} {% endif %}
"statickeyauth": { "statickeyauth": {
"anonymousCidr": "172.17.0.0/24", "anonymousCidr": "{{ DNET }}/24",
"apiKey": "{{ SENSORONIKEY }}" "apiKey": "{{ SENSORONIKEY }}"
} }
}, },
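Review bot: `"anonymousCidr": "{{ DNET }}/24"` is the one place in this commit where the Docker range has a security effect — it appears to be the range `statickeyauth` admits without the `apiKey` — and nothing in the template says so, nor that the value must be a network address with zero host bits for the `/24` suffix to mean what the operator entered. A Jinja comment above the `statickeyauth` block, such as `{# statickeyauth: clients inside DNET/24 (the local Docker bridge) are trusted without the API key; DNET must be the network address #}`, makes that trust boundary visible to whoever next changes the pillar. Whether the server masks non-zero host bits itself is not visible here.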


@@ -841,10 +841,18 @@ docker_registry() {
echo "Setting up Docker Registry" >> "$setup_log" 2>&1 echo "Setting up Docker Registry" >> "$setup_log" 2>&1
mkdir -p /etc/docker >> "$setup_log" 2>&1 mkdir -p /etc/docker >> "$setup_log" 2>&1
# Make the host use the manager docker registry # Make the host use the manager docker registry
DNETBIP=$(echo $DOCKERNET | awk -F'.' '{print $1,$2,$3,1}' OFS='.')/24
if [ -n "$TURBO" ]; then local proxy="$TURBO"; else local proxy="https://$MSRV"; fi if [ -n "$TURBO" ]; then local proxy="$TURBO"; else local proxy="https://$MSRV"; fi
printf '%s\n'\ printf '%s\n'\
"{"\ "{"\
" \"registry-mirrors\": [ \"$proxy:5000\" ]"\ " \"registry-mirrors\": [ \"$proxy:5000\" ],"\
" \"bip\": \"$DNETBIP\","\
" \"default-address-pools\": ["\
" {"\
" \"base\" : \"$DOCKERNET\","\
" \"size\" : 24"\
" }"\
" ]"\
"}" > /etc/docker/daemon.json "}" > /etc/docker/daemon.json
echo "Docker Registry Setup - Complete" >> "$setup_log" 2>&1 echo "Docker Registry Setup - Complete" >> "$setup_log" 2>&1
@@ -1130,12 +1138,17 @@ manager_global() {
fi fi
fi fi
if [ -z "$DOCKERNET" ]; then
DOCKERNET=172.17.0.0
fi
# Create a global file for global values # Create a global file for global values
printf '%s\n'\ printf '%s\n'\
"global:"\ "global:"\
" soversion: '$SOVERSION'"\ " soversion: '$SOVERSION'"\
" hnmanager: '$HNMANAGER'"\ " hnmanager: '$HNMANAGER'"\
" ntpserver: '$NTPSERVER'"\ " ntpserver: '$NTPSERVER'"\
" dockernet: '$DOCKERNET'"\
" proxy: '$PROXY'"\ " proxy: '$PROXY'"\
" mdengine: '$ZEEKVERSION'"\ " mdengine: '$ZEEKVERSION'"\
" ids: '$NIDS'"\ " ids: '$NIDS'"\
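Review bot: In the `docker_registry()` hunk `DNETBIP` is derived from `$DOCKERNET` with no fallback, yet the only default assignment this commit adds is in `manager_global()`; when the operator keeps the default, `whiptail_dockernet_check` leaves the variable unset, so if `docker_registry()` runs before `manager_global()` or on a role where it never runs, awk receives an empty line and daemon.json is written with `"bip": "/24"` and `"base" : ""`, which dockerd will refuse. Whether that ordering occurs is not visible here, but a local default is cheap: `DOCKERNET=${DOCKERNET:-172.17.0.0}` before the awk line. Quote the variable as well, `DNETBIP=$(echo "$DOCKERNET" | awk -F'.' '{print $1,$2,$3,1}' OFS='.')/24`. Both functions continue outside their hunks.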


@@ -320,9 +320,8 @@ if [[ $is_helix || $is_sensor || $is_import ]]; then
calculate_useable_cores calculate_useable_cores
fi fi
if [[ $is_helix || $is_manager || $is_import ]]; then whiptail_homenet_manager
whiptail_homenet_manager whiptail_dockernet_check
fi
if [[ $is_helix || $is_manager || $is_node || $is_import ]]; then if [[ $is_helix || $is_manager || $is_node || $is_import ]]; then
set_base_heapsizes set_base_heapsizes
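Review bot: Dropping the `is_helix || is_manager || is_import` guard makes `whiptail_homenet_manager` run for every role, not only the new docker-net check; unless `whiptail_homenet_manager` checks the role internally (not visible here), sensor and search nodes will now get the manager home-network prompt. Keep the original `if [[ $is_helix || $is_manager || $is_import ]]; then whiptail_homenet_manager; fi` and call `whiptail_dockernet_check` unconditionally after the `fi`. The prompt text says the range must match on all nodes, but nothing here compares a joining node's entry with the manager's pillar value.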


@@ -457,6 +457,31 @@ whiptail_dhcp_warn() {
} }
whiptail_dockernet_check(){
[ -n "$TESTING" ] && return
whiptail --title "Security Onion Setup" --yesno \
"Do you want to keep the default Docker IP range? \n \n(Choose yes if you don't know what this means)" 10 75
local exitstatus=$?
if [[ $exitstatus == 1 ]]; then
whiptail_dockernet_net
fi
}
whiptail_dockernet_net() {
[ -n "$TESTING" ] && return
DOCKERNET=$(whiptail --title "Security Onion Setup" --inputbox \
"\nEnter a /24 network range for docker to use: \nThe same range MUST be used on ALL nodes \n(Default value is pre-populated.)" 10 75 172.17.0.0 3>&1 1>&2 2>&3)
local exitstatus=$?
whiptail_check_exitstatus $exitstatus
}
whiptail_enable_components() { whiptail_enable_components() {
[ -n "$TESTING" ] && return [ -n "$TESTING" ] && return
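Review bot: `whiptail_dockernet_net` accepts whatever the inputbox returns, and that value is later interpolated unquoted into daemon.json, single-quoted into the global pillar YAML, and by way of the pillar into a MySQL `GRANT` string; a stray quote, space or host-bit octet produces a broken daemon config or pillar rather than a prompt. After `whiptail_check_exitstatus $exitstatus`, validate the shape the prompt promises, `[[ $DOCKERNET =~ ^([0-9]{1,3}\.){3}0$ ]] || whiptail_dockernet_net`, so only a dotted-quad /24 network address gets through. Note also that `whiptail_dockernet_check` treats an ESC (exit 255) like "keep the default", which is fine but worth a comment on the `exitstatus == 1` line.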