From f1135342a93848c392b5e126315f55977a6d6496 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 14 Nov 2022 11:17:48 -0500 Subject: [PATCH 01/37] Add Docker IP Skeleton --- salt/docker/defaults.yaml | 6 ++++++ salt/docker/docker.map.jinja | 8 ++++++++ 2 files changed, 14 insertions(+) create mode 100644 salt/docker/defaults.yaml create mode 100644 salt/docker/docker.map.jinja diff --git a/salt/docker/defaults.yaml b/salt/docker/defaults.yaml new file mode 100644 index 000000000..486c9ebb4 --- /dev/null +++ b/salt/docker/defaults.yaml @@ -0,0 +1,6 @@ +docker: + bip: 172.17.0.1/24 + range: 172.17.0.0/24 + containers: + 'so-elasticsearch': + final_octet: 22 \ No newline at end of file diff --git a/salt/docker/docker.map.jinja b/salt/docker/docker.map.jinja new file mode 100644 index 000000000..9dd813566 --- /dev/null +++ b/salt/docker/docker.map.jinja @@ -0,0 +1,8 @@ +{% import_yaml 'docker/defaults.yaml' as DOCKERDEFAULTS %} +{% set DOCKER = salt['pillar.get']('docker', DOCKERDEFAULTS.docker, merge=True) %} +{% set RANGESPLIT = DOCKER.range.split('.') %} +{% set FIRSTTHREE = RANGESPLIT[0] ~ '.' ~ RANGESPLIT[1] ~ '.' ~ RANGESPLIT[2] ~ '.' %} + +{% for container, vals in DOCKER.containers.items() %} +{% do DOCKER.containers[container].update({'ip': FIRSTTHREE ~ DOCKER.containers[container].final_octect}) %} +{% endfor %} From 5c50fdb74cb23e3b5c921cd2a28aa498bd1e35d9 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 14 Nov 2022 13:00:56 -0500 Subject: [PATCH 02/37] Add Docker IP Skeleton --- salt/elasticsearch/init.sls | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/elasticsearch/init.sls b/salt/elasticsearch/init.sls index c1610dfd6..314ff5575 100644 --- a/salt/elasticsearch/init.sls +++ b/salt/elasticsearch/init.sls 
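Review bot: The `for container, vals in DOCKER.containers.items()` loop in docker.map.jinja derives each container's `ip` from `final_octet` without validating it, and because `pillar.get(..., merge=True)` lets a pillar override supply any value, two containers given the same octet, or an octet of `0`, `1` (the `bip` gateway) or above `254`, silently yield a colliding or unusable address that only surfaces when `docker_container.running` fails. A guard inside the loop before the `update`, for example `{% if vals.final_octet | int < 2 or vals.final_octet | int > 254 %}{{ raise('docker: final_octet out of range for ' ~ container) }}{% endif %}` using Salt's Jinja `raise()` helper, plus a check that the octet has not already been assigned, would fail the render with a clear message instead. `DOCKER.range.split('.')` also assumes a dotted-quad /24 string; a pillar value such as a /16 would still be sliced to three octets without complaint.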
@@ -10,6 +10,7 @@ include: - ssl {% from 'vars/globals.map.jinja' import GLOBALS %} +{% from 'docker/docker.map.jinja' import DOCKER %} {% set TEMPLATES = salt['pillar.get']('elasticsearch:templates', {}) %} {% set ROLES = salt['pillar.get']('elasticsearch:roles', {}) %} {% from 'elasticsearch/config.map.jinja' import ESCONFIG with context %} From a2d3b95e92a00e78a914a2351cf26f84743e8042 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 14 Nov 2022 13:04:31 -0500 Subject: [PATCH 03/37] Add Docker IP Skeleton --- salt/elasticsearch/init.sls | 2 ++ 1 file changed, 2 insertions(+) diff --git a/salt/elasticsearch/init.sls b/salt/elasticsearch/init.sls index 314ff5575..166b4b6d7 100644 --- a/salt/elasticsearch/init.sls +++ b/salt/elasticsearch/init.sls @@ -290,6 +290,8 @@ so-elasticsearch: - hostname: elasticsearch - name: so-elasticsearch - user: elasticsearch + - bridge: + - ipv4_address: {{ SOMETHING }} - extra_hosts: {{ REDIS_NODES }} - environment: {% if REDIS_NODES | length == 1 %} From 3378f5830014122dccd47192819911fa3f395085 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 14 Nov 2022 17:07:42 -0500 Subject: [PATCH 04/37] Add Docker IP Skeleton --- salt/elasticsearch/init.sls | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/elasticsearch/init.sls b/salt/elasticsearch/init.sls index 166b4b6d7..e6afb5444 100644 --- a/salt/elasticsearch/init.sls +++ b/salt/elasticsearch/init.sls @@ -291,7 +291,7 @@ so-elasticsearch: - name: so-elasticsearch - user: elasticsearch - bridge: - - ipv4_address: {{ SOMETHING }} + - ipv4_address: {{ DOCKER.containers['so-elasticsearch'].ip }} - extra_hosts: {{ REDIS_NODES }} - environment: {% if REDIS_NODES | length == 1 %} From a40e10da832892b1f13d09bca73ec008ff800b1f Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 14 Nov 2022 17:41:38 -0500 Subject: [PATCH 05/37] Add Docker IP Skeleton --- salt/docker/docker.map.jinja | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/salt/docker/docker.map.jinja b/salt/docker/docker.map.jinja index 9dd813566..61416f7a4 100644 --- a/salt/docker/docker.map.jinja +++ b/salt/docker/docker.map.jinja @@ -4,5 +4,5 @@ {% set FIRSTTHREE = RANGESPLIT[0] ~ '.' ~ RANGESPLIT[1] ~ '.' ~ RANGESPLIT[2] ~ '.' %} {% for container, vals in DOCKER.containers.items() %} -{% do DOCKER.containers[container].update({'ip': FIRSTTHREE ~ DOCKER.containers[container].final_octect}) %} +{% do DOCKER.containers[container].update({'ip': FIRSTTHREE ~ DOCKER.containers[container].final_octet}) %} {% endfor %} From e41361e127f1369d41a049ed1cbc96c9374f2d77 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 14 Nov 2022 17:43:14 -0500 Subject: [PATCH 06/37] Add Docker IP Skeleton --- salt/elasticsearch/init.sls | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/salt/elasticsearch/init.sls b/salt/elasticsearch/init.sls index e6afb5444..9c95422d4 100644 --- a/salt/elasticsearch/init.sls +++ b/salt/elasticsearch/init.sls @@ -290,8 +290,7 @@ so-elasticsearch: - hostname: elasticsearch - name: so-elasticsearch - user: elasticsearch - - bridge: - - ipv4_address: {{ DOCKER.containers['so-elasticsearch'].ip }} + - ipv4_address: {{ DOCKER.containers['so-elasticsearch'].ip }} - extra_hosts: {{ REDIS_NODES }} - environment: {% if REDIS_NODES | length == 1 %} From 6016b0e38a6b9a1198cde39bf689af33e65b085d Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 14 Nov 2022 20:20:38 -0500 Subject: [PATCH 07/37] Add dynamic ability for IP range for sosnet --- salt/docker/defaults.yaml | 4 +++- salt/docker/init.sls | 6 ++++++ salt/elasticsearch/init.sls | 4 +++- setup/so-functions | 17 +++++++++++++++-- setup/so-setup | 4 ++++ setup/so-whiptail | 16 ++++++++++++++-- 6 files changed, 45 insertions(+), 6 deletions(-) diff --git a/salt/docker/defaults.yaml b/salt/docker/defaults.yaml index 486c9ebb4..ae41918e9 100644 --- a/salt/docker/defaults.yaml +++ b/salt/docker/defaults.yaml 
@@ -1,6 +1,8 @@ docker: - bip: 172.17.0.1/24 + bip: 172.17.0.1 range: 172.17.0.0/24 + sosrange: 172.17.1.0/24 + sosbip: 172.17.1.1 containers: 'so-elasticsearch': final_octet: 22 \ No newline at end of file diff --git a/salt/docker/init.sls b/salt/docker/init.sls index 8b698c281..2497ddae5 100644 --- a/salt/docker/init.sls +++ b/salt/docker/init.sls @@ -3,6 +3,8 @@ # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. +{% from 'docker/docker.map.jinja' import DOCKER %} + dockergroup: group.present: - name: docker @@ -50,3 +52,7 @@ dockerreserveports: - source: salt://common/files/99-reserved-ports.conf - name: /etc/sysctl.d/99-reserved-ports.conf +sosnet: + docker_network.present: + - subnet: {{ DOCKER.sosnet }} + - gateway: {{ DOCKER.sosbip }} diff --git a/salt/elasticsearch/init.sls b/salt/elasticsearch/init.sls index 9c95422d4..fc26991a3 100644 --- a/salt/elasticsearch/init.sls +++ b/salt/elasticsearch/init.sls @@ -290,7 +290,9 @@ so-elasticsearch: - hostname: elasticsearch - name: so-elasticsearch - user: elasticsearch - - ipv4_address: {{ DOCKER.containers['so-elasticsearch'].ip }} + - networks: + - sosnet: + - ipv4_address: {{ DOCKER.containers['so-elasticsearch'].ip }} - extra_hosts: {{ REDIS_NODES }} - environment: {% if REDIS_NODES | length == 1 %} diff --git a/setup/so-functions b/setup/so-functions index 56d2a0394..4941f48ad 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -254,11 +254,16 @@ collect_dns_domain() { collect_dockernet() { if ! whiptail_dockernet_check; then - whiptail_dockernet_net "172.17.0.0" + whiptail_dockernet_sosnet "172.17.1.0" + whiptail_dockernet_nososnet "172.17.0.0" while ! valid_ip4 "$DOCKERNET"; do whiptail_invalid_input - whiptail_dockernet_net "$DOCKERNET" + whiptail_dockernet_nonsosnet "$DOCKERNET" + done + while ! valid_ip4 "$DOCKERNET2"; do + whiptail_invalid_input + whiptail_dockernet_sosnet "$DOCKERNET2" done fi } 
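Review bot: so-elasticsearch now pins itself to `sosnet` through `networks`, but the state declares no `require` on the `docker_network.present` state that creates that network, so ordering depends on the `docker` state being applied earlier in the same highstate, which I cannot confirm from this series (patch 11 adds `- docker` to top.sls and patch 12 removes it again). Adding `- require: - docker_network: sosnet` to the container state, or an `include: - docker` at the top of the file, makes the dependency explicit; Salt matches requisites on either the state id or `name`, so this keeps working after patch 18 renames the id to `sos_docker_net` with `- name: sosnet`. The same gap applies to every container state given a `networks` entry in patch 09 (elastic-fleet, filebeat, grafana, idstools, influxdb, kibana, kratos, logstash, mysql, nginx, playbook, redis, registry, soctopus, strelka) and to so-soc in patch 15. The so-elasticsearch state continues outside the hunk.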
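Review bot: The retry loop for the non-SOS range calls `whiptail_dockernet_nonsosnet`, but the function defined in so-whiptail in this same patch, and called two lines earlier, is `whiptail_dockernet_nososnet`, so an invalid first entry produces a command-not-found error and the loop spins with `DOCKERNET` unchanged; change the call to `whiptail_dockernet_nososnet "$DOCKERNET"`. Separately, `valid_ip4` only checks that each entry is a well-formed IPv4 address: nothing rejects a host address with a non-zero last octet, nor the same /24 being entered for both `DOCKERNET` and `DOCKERNET2`, which would hand `docker_network.present` a subnet overlapping the default bridge. A final comparison such as `[ "$DOCKERNET" != "$DOCKERNET2" ]` with a re-prompt on failure would close that. `collect_dockernet` is entirely within the hunk.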
@@ -996,6 +1001,9 @@ docker_registry() { if [ -z "$DOCKERNET" ]; then DOCKERNET=172.17.0.0 fi + if [ -z "$DOCKERNET2" ]; then + DOCKERNET2=172.17.1.0 + fi # Make the host use the manager docker registry DNETBIP=$(echo $DOCKERNET | awk -F'.' '{print $1,$2,$3,1}' OFS='.')/24 if [ -n "$TURBO" ]; then local proxy="$TURBO"; else local proxy="https://$MSRV"; fi @@ -1376,9 +1384,12 @@ create_global() { if [ -z "$DOCKERNET" ]; then DOCKERNET=172.17.0.0 + DOCKERNET2=172.17.1.0 DOCKERBIP=$(echo $DOCKERNET | awk -F'.' '{print $1,$2,$3,1}' OFS='.')/24 + DOCKER2BIP=$(echo $DOCKERNET2 | awk -F'.' '{print $1,$2,$3,1}' OFS='.')/24 else DOCKERBIP=$(echo $DOCKERNET | awk -F'.' '{print $1,$2,$3,1}' OFS='.')/24 + DOCKER2BIP=$(echo $DOCKERNET2 | awk -F'.' '{print $1,$2,$3,1}' OFS='.')/24 fi if [ -f "$global_pillar_file" ]; then @@ -1462,6 +1473,8 @@ docker_pillar() { touch $adv_docker_pillar_file printf '%s\n'\ "docker:"\ + " sosrange: '$DOCKERNET2/24'"\ + " sosbip: '$DOCKER2BIP'"\ " range: '$DOCKERNET/24'"\ " bip: '$DOCKERBIP'" > $docker_pillar_file } diff --git a/setup/so-setup b/setup/so-setup index a114233d6..9bdf2bc33 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -319,6 +319,7 @@ if ! [[ -f $install_opt_file ]]; then check_elastic_license check_requirements "manager" networking_needful + collect_dockernet whiptail_airgap detect_cloud set_minion_info @@ -339,6 +340,7 @@ if ! [[ -f $install_opt_file ]]; then check_elastic_license check_requirements "manager" networking_needful + collect_dockernet whiptail_airgap detect_cloud set_minion_info @@ -357,6 +359,7 @@ if ! [[ -f $install_opt_file ]]; then waitforstate=true check_requirements "manager" networking_needful + collect_dockernet whiptail_airgap detect_cloud set_default_log_size >> $setup_log 2>&1 @@ -373,6 +376,7 @@ if ! [[ -f $install_opt_file ]]; then waitforstate=true check_requirements "manager" networking_needful + collect_dockernet whiptail_airgap detect_cloud set_default_log_size >> $setup_log 2>&1 
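Review bot: In the `else` branch of create_global, `DOCKER2BIP` is computed from `DOCKERNET2` with no default, yet the branch is taken whenever `DOCKERNET` is already set and nothing visible guarantees `DOCKERNET2` was collected alongside it (the new whiptail prompt returns early under `TESTING`, and an install that sets `DOCKERNET` from an existing options file may well predate the second variable). An empty `DOCKERNET2` makes the awk pipeline print `...1`, so the pillar written by docker_pillar would contain `sosbip: '...1/24'`. Guard it the same way docker_registry now does, `[ -z "$DOCKERNET2" ] && DOCKERNET2=172.17.1.0`, before the `DOCKER2BIP` assignment. The enclosing function runs past the end of the hunk.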
diff --git a/setup/so-whiptail b/setup/so-whiptail index d7f3bd535..88635216b 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail @@ -325,12 +325,24 @@ whiptail_dockernet_check(){ } -whiptail_dockernet_net() { +whiptail_dockernet_sosnet() { + + [ -n "$TESTING" ] && return + + DOCKERNET2=$(whiptail --title "$whiptail_title" --inputbox \ + "\nEnter a /24 size network range for SOS containers to use WITHOUT the /24 suffix. This range will be used on ALL nodes." 11 65 "$1" 3>&1 1>&2 2>&3) + + local exitstatus=$? + whiptail_check_exitstatus $exitstatus + +} + +whiptail_dockernet_nososnet() { [ -n "$TESTING" ] && return DOCKERNET=$(whiptail --title "$whiptail_title" --inputbox \ - "\nEnter a /24 size network range for docker to use WITHOUT the /24 suffix. This range will be used on ALL nodes." 11 65 "$1" 3>&1 1>&2 2>&3) + "\nEnter a /24 size network range for NON SOS containers to use WITHOUT the /24 suffix. This range will be used on ALL nodes." 11 65 "$1" 3>&1 1>&2 2>&3) local exitstatus=$? whiptail_check_exitstatus $exitstatus From efc8621524e50f83a071bd03e15d0e5b1aca254b Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 15 Nov 2022 10:31:37 -0500 Subject: [PATCH 08/37] Fix some settings and add all defaults --- salt/docker/defaults.yaml | 48 ++++++++++++++++++++++++++++++++---- salt/docker/docker.map.jinja | 2 +- 2 files changed, 44 insertions(+), 6 deletions(-) diff --git a/salt/docker/defaults.yaml b/salt/docker/defaults.yaml index ae41918e9..fdfb6ff70 100644 --- a/salt/docker/defaults.yaml +++ b/salt/docker/defaults.yaml 
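Review bot: `whiptail_dockernet_sosnet` and `whiptail_dockernet_nososnet` are the same function body apart from the target variable and one word of prompt text, which invites the two prompts to drift (the `TESTING` early return, the dialog size and the exit-status handling are all duplicated). If the script is bash, a single helper taking the variable name and label, e.g. `whiptail_dockernet_prompt DOCKERNET2 "SOS" "$1"` that assigns with `printf -v "$varname"`, would keep one copy of the dialog. Both functions are complete within the hunk.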
@@ -1,8 +1,46 @@ docker: - bip: 172.17.0.1 - range: 172.17.0.0/24 - sosrange: 172.17.1.0/24 - sosbip: 172.17.1.1 + bip: '172.17.0.1' + range: '172.17.0.0/24' + sosrange: '172.17.1.0/24' + sosbip: '172.17.1.1' containers: + 'registry': + final_octet: 20 + 'so-elastic-agent': + final_octet: 21 'so-elasticsearch': - final_octet: 22 \ No newline at end of file + final_octet: 22 + 'so-filebeat': + final_octet: 23 + 'so-grafana': + final_octet: 24 + 'so-idh': + final_octet: 25 + 'so-influxdb': + final_octet: 26 + 'so-kibana': + final_octet: 27 + 'so-kratos': + final_octet: 28 + 'so-logstash': + final_octet: 29 + 'so-mysql': + final_octet: 30 + 'so-nginx': + final_octet: 31 + 'so-playbook': + final_octet: 32 + 'so-redis': + final_octet: 33 + 'so-soc': + final_octet: 34 + 'so-soctopus': + final_octet: 35 + 'so-strelka-backend': + final_octet: 36 + 'so-strelka-filestream': + final_octet: 37 + 'so-strelka-frontend': + final_octet: 38 + 'so-strelka-manager': + final_octet: 39 diff --git a/salt/docker/docker.map.jinja b/salt/docker/docker.map.jinja index 61416f7a4..7046fc196 100644 --- a/salt/docker/docker.map.jinja +++ b/salt/docker/docker.map.jinja @@ -1,6 +1,6 @@ {% import_yaml 'docker/defaults.yaml' as DOCKERDEFAULTS %} {% set DOCKER = salt['pillar.get']('docker', DOCKERDEFAULTS.docker, merge=True) %} -{% set RANGESPLIT = DOCKER.range.split('.') %} +{% set RANGESPLIT = DOCKER.sosrange.split('.') %} {% set FIRSTTHREE = RANGESPLIT[0] ~ '.' ~ RANGESPLIT[1] ~ '.' ~ RANGESPLIT[2] ~ '.' %} {% for container, vals in DOCKER.containers.items() %} From 591616fe5b8fa675696b6c7c91054c7b15fc768b Mon Sep 17 00:00:00 2001 
From: Mike Reeves Date: Tue, 15 Nov 2022 11:05:17 -0500 Subject: [PATCH 09/37] Add statics to all containers --- salt/docker/defaults.yaml | 8 ++++++-- salt/elastic-fleet/init.sls | 4 ++++ salt/filebeat/init.sls | 4 ++++ salt/grafana/init.sls | 6 ++++-- salt/idh/init.sls | 1 + salt/idstools/init.sls | 4 ++++ salt/influxdb/init.sls | 4 ++++ salt/kibana/init.sls | 7 ++++--- salt/kratos/init.sls | 4 ++++ salt/logstash/init.sls | 23 +++++++++++++---------- salt/mysql/init.sls | 5 ++++- salt/nginx/init.sls | 4 ++++ salt/playbook/init.sls | 5 ++++- salt/redis/init.sls | 5 ++++- salt/registry/init.sls | 4 ++++ salt/soctopus/init.sls | 5 ++++- salt/strelka/init.sls | 20 +++++++++++++++++++- 17 files changed, 91 insertions(+), 22 deletions(-) diff --git a/salt/docker/defaults.yaml b/salt/docker/defaults.yaml index fdfb6ff70..fee8a5951 100644 --- a/salt/docker/defaults.yaml +++ b/salt/docker/defaults.yaml @@ -6,7 +6,7 @@ docker: containers: 'registry': final_octet: 20 - 'so-elastic-agent': + 'so-elastic-fleet': final_octet: 21 'so-elasticsearch': final_octet: 22 @@ -14,7 +14,7 @@ docker: final_octet: 23 'so-grafana': final_octet: 24 - 'so-idh': + 'so-idstools': final_octet: 25 'so-influxdb': final_octet: 26 @@ -44,3 +44,7 @@ docker: final_octet: 38 'so-strelka-manager': final_octet: 39 + 'so-strelka-gatekeeper': + final_octet: 40 + 'so-strelka-coordinator': + final_octet: 41 diff --git a/salt/elastic-fleet/init.sls b/salt/elastic-fleet/init.sls index 4b985c23f..45d15ad58 100644 --- a/salt/elastic-fleet/init.sls +++ b/salt/elastic-fleet/init.sls @@ -4,6 +4,7 @@ {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls in allowed_states %} {% from 'vars/globals.map.jinja' import GLOBALS %} +{% from 'docker/docker.map.jinja' import DOCKER %} # These values are generated during node install and stored in minion pillar {% set SERVICETOKEN = salt['pillar.get']('elasticfleet:server:es_token','') %} 
@@ -47,6 +48,9 @@ so-elastic-fleet: - hostname: Fleet-{{ GLOBALS.hostname }} - detach: True - user: 947 + - networks: + - sosnet: + - ipv4_address: {{ DOCKER.containers['so-elastic-fleet'].ip }} - extra_hosts: - {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }} - port_bindings: diff --git a/salt/filebeat/init.sls b/salt/filebeat/init.sls index 3eed07696..908deba14 100644 --- a/salt/filebeat/init.sls +++ b/salt/filebeat/init.sls @@ -5,6 +5,7 @@ {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls in allowed_states %} +{% from 'docker/docker.map.jinja' import DOCKER %} {% from 'vars/globals.map.jinja' import GLOBALS %} {% from 'filebeat/modules.map.jinja' import MODULESMERGED with context %} {% from 'filebeat/modules.map.jinja' import MODULESENABLED with context %} @@ -97,6 +98,9 @@ so-filebeat: - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-filebeat:{{ GLOBALS.so_version }} - hostname: so-filebeat - user: root + - networks: + - sosnet: + - ipv4_address: {{ DOCKER.containers['so-filebeat'].ip }} - extra_hosts: {{ FILEBEAT_EXTRA_HOSTS }} - binds: - /nsm:/nsm:ro diff --git a/salt/grafana/init.sls b/salt/grafana/init.sls index f20cdffff..901a8b6f7 100644 --- a/salt/grafana/init.sls +++ b/salt/grafana/init.sls @@ -1,8 +1,7 @@ {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls in allowed_states %} {% from 'vars/globals.map.jinja' import GLOBALS %} - - +{% from 'docker/docker.map.jinja' import DOCKER %} {% set GRAFANA = salt['pillar.get']('manager:grafana', '0') %} {% set ADMINPASS = salt['pillar.get']('secrets:grafana_admin') %} @@ -126,6 +125,9 @@ so-grafana: - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-grafana:{{ GLOBALS.so_version }} - hostname: grafana - user: socore + - networks: + - sosnet: + - ipv4_address: {{ DOCKER.containers['so-grafana'].ip }} - binds: - /nsm/grafana:/var/lib/grafana:rw - /opt/so/conf/grafana/etc/grafana.ini:/etc/grafana/grafana.ini:ro 
diff --git a/salt/idh/init.sls b/salt/idh/init.sls index 1d0d640f4..2cf22c358 100644 --- a/salt/idh/init.sls +++ b/salt/idh/init.sls @@ -5,6 +5,7 @@ {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls in allowed_states %} +{% import_yaml 'docker/defaults.yaml' as DOCKERDEFAULTS %} {% from 'vars/globals.map.jinja' import GLOBALS %} {% set RESTRICTIDHSERVICES = salt['pillar.get']('idh:restrict_management_ip', False) %} diff --git a/salt/idstools/init.sls b/salt/idstools/init.sls index 8a7aa6500..418ecec28 100644 --- a/salt/idstools/init.sls +++ b/salt/idstools/init.sls @@ -4,6 +4,7 @@ # Elastic License 2.0. {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls in allowed_states %} +{% from 'docker/docker.map.jinja' import DOCKER %} {% from 'vars/globals.map.jinja' import GLOBALS %} {% set proxy = salt['pillar.get']('manager:proxy') %} @@ -31,6 +32,9 @@ so-idstools: - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-idstools:{{ GLOBALS.so_version }} - hostname: so-idstools - user: socore + - networks: + - sosnet: + - ipv4_address: {{ DOCKER.containers['so-idstools'].ip }} {% if proxy %} - environment: - http_proxy={{ proxy }} diff --git a/salt/influxdb/init.sls b/salt/influxdb/init.sls index 321ce76d6..33aa87769 100644 --- a/salt/influxdb/init.sls +++ b/salt/influxdb/init.sls @@ -1,5 +1,6 @@ {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls in allowed_states %} +{% from 'docker/docker.map.jinja' import DOCKER %} {% from 'vars/globals.map.jinja' import GLOBALS %} {% set GRAFANA = salt['pillar.get']('manager:grafana', '0') %} @@ -47,6 +48,9 @@ so-influxdb: docker_container.running: - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-influxdb:{{ GLOBALS.so_version }} - hostname: influxdb + - networks: + - sosnet: + - ipv4_address: {{ DOCKER.containers['so-influxdb'].ip }} - environment: - INFLUXDB_HTTP_LOG_ENABLED=false - binds: 
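Review bot: salt/idh/init.sls receives `{% import_yaml 'docker/defaults.yaml' as DOCKERDEFAULTS %}` rather than the `{% from 'docker/docker.map.jinja' import DOCKER %}` every other state in this patch uses, and the diffstat shows this single line is the file's only change, so `DOCKERDEFAULTS` is never consumed; at the same time defaults.yaml renames the `so-idh` entry to `so-idstools`, leaving the IDH container with no reserved octet and no `networks` entry. Either drop the unused import or switch to the DOCKER map, add an `so-idh` `final_octet` to defaults.yaml, and give the container the same `networks: - sosnet:` block as its siblings. Reading defaults.yaml directly would also bypass the `pillar.get(..., merge=True)` step and so ignore operator overrides. The so-idh container state lies outside the hunk.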
diff --git a/salt/kibana/init.sls b/salt/kibana/init.sls index 9aac6bc37..9f45e2376 100644 --- a/salt/kibana/init.sls +++ b/salt/kibana/init.sls @@ -5,12 +5,10 @@ {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls in allowed_states %} +{% from 'docker/docker.map.jinja' import DOCKER %} {% from 'vars/globals.map.jinja' import GLOBALS %} - - {% import_yaml 'kibana/defaults.yaml' as default_settings %} {% set KIBANA_SETTINGS = salt['grains.filter_by'](default_settings, default='kibana', merge=salt['pillar.get']('kibana', {})) %} - {% from 'kibana/config.map.jinja' import KIBANACONFIG with context %} # Add ES Group @@ -84,6 +82,9 @@ so-kibana: - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-kibana:{{ GLOBALS.so_version }} - hostname: kibana - user: kibana + - networks: + - sosnet: + - ipv4_address: {{ DOCKER.containers['so-kibana'].ip }} - environment: - ELASTICSEARCH_HOST={{ GLOBALS.manager }} - ELASTICSEARCH_PORT=9200 diff --git a/salt/kratos/init.sls b/salt/kratos/init.sls index 6f3f3e19d..b58ecc8fa 100644 --- a/salt/kratos/init.sls +++ b/salt/kratos/init.sls @@ -5,6 +5,7 @@ {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls in allowed_states %} +{% from 'docker/docker.map.jinja' import DOCKER %} {% from 'vars/globals.map.jinja' import GLOBALS %} # Add Kratos Group @@ -58,6 +59,9 @@ so-kratos: - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-kratos:{{ GLOBALS.so_version }} - hostname: kratos - name: so-kratos + - networks: + - sosnet: + - ipv4_address: {{ DOCKER.containers['so-kratos'].ip }} - binds: - /opt/so/conf/kratos/schema.json:/kratos-conf/schema.json:ro - /opt/so/conf/kratos/kratos.yaml:/kratos-conf/kratos.yaml:ro diff --git a/salt/logstash/init.sls b/salt/logstash/init.sls index bf4d03984..481f727e4 100644 --- a/salt/logstash/init.sls +++ b/salt/logstash/init.sls 
@@ -6,19 +6,19 @@ {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls in allowed_states %} +{% from 'docker/docker.map.jinja' import DOCKER %} +{% from 'logstash/map.jinja' import REDIS_NODES with context %} +{% from 'vars/globals.map.jinja' import GLOBALS %} - {% from 'logstash/map.jinja' import REDIS_NODES with context %} - {% from 'vars/globals.map.jinja' import GLOBALS %} - - # Logstash Section - Decide which pillar to use - {% set lsheap = salt['pillar.get']('logstash_settings:lsheap') %} - {% if GLOBALS.role in ['so-eval','so-managersearch', 'so-manager', 'so-standalone'] %} +# Logstash Section - Decide which pillar to use +{% set lsheap = salt['pillar.get']('logstash_settings:lsheap') %} +{% if GLOBALS.role in ['so-eval','so-managersearch', 'so-manager', 'so-standalone'] %} {% set nodetype = GLOBALS.role %} - {% endif %} +{% endif %} - {% set PIPELINES = salt['pillar.get']('logstash:pipelines', {}) %} - {% set DOCKER_OPTIONS = salt['pillar.get']('logstash:docker_options', {}) %} - {% set TEMPLATES = salt['pillar.get']('elasticsearch:templates', {}) %} +{% set PIPELINES = salt['pillar.get']('logstash:pipelines', {}) %} +{% set DOCKER_OPTIONS = salt['pillar.get']('logstash:docker_options', {}) %} +{% set TEMPLATES = salt['pillar.get']('elasticsearch:templates', {}) %} include: - ssl @@ -139,6 +139,9 @@ so-logstash: - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-logstash:{{ GLOBALS.so_version }} - hostname: so-logstash - name: so-logstash + - networks: + - sosnet: + - ipv4_address: {{ DOCKER.containers['so-logstash'].ip }} - user: logstash - extra_hosts: {{ REDIS_NODES }} - environment: diff --git a/salt/mysql/init.sls b/salt/mysql/init.sls index 04ab5b140..e9766ea83 100644 --- a/salt/mysql/init.sls +++ b/salt/mysql/init.sls 
@@ -5,8 +5,8 @@ {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls in allowed_states %} +{% from 'docker/docker.map.jinja' import DOCKER %} {% from 'vars/globals.map.jinja' import GLOBALS %} - {%- set MYSQLPASS = salt['pillar.get']('secrets:mysql') %} # MySQL Setup @@ -84,6 +84,9 @@ so-mysql: - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-mysql:{{ GLOBALS.so_version }} - hostname: so-mysql - user: socore + - networks: + - sosnet: + - ipv4_address: {{ DOCKER.containers['so-mysql'].ip }} - port_bindings: - 0.0.0.0:3306:3306 - environment: diff --git a/salt/nginx/init.sls b/salt/nginx/init.sls index 201a35704..69fc541fa 100644 --- a/salt/nginx/init.sls +++ b/salt/nginx/init.sls @@ -1,6 +1,7 @@ {% from 'vars/globals.map.jinja' import GLOBALS %} {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls in allowed_states %} +{% from 'docker/docker.map.jinja' import DOCKER %} include: - ssl @@ -83,6 +84,9 @@ so-nginx: docker_container.running: - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-nginx:{{ GLOBALS.so_version }} - hostname: so-nginx + - networks: + - sosnet: + - ipv4_address: {{ DOCKER.containers['so-nginx'].ip }} - binds: - /opt/so/conf/nginx/nginx.conf:/etc/nginx/nginx.conf:ro - /opt/so/log/nginx/:/var/log/nginx:rw diff --git a/salt/playbook/init.sls b/salt/playbook/init.sls index 75b6b5b2e..6784422c3 100644 --- a/salt/playbook/init.sls +++ b/salt/playbook/init.sls @@ -5,8 +5,8 @@ {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls in allowed_states %} +{% from 'docker/docker.map.jinja' import DOCKER %} {% from 'vars/globals.map.jinja' import GLOBALS %} - {%- set MYSQLPASS = salt['pillar.get']('secrets:mysql') -%} {%- set PLAYBOOKPASS = salt['pillar.get']('secrets:playbook_db') -%} 
@@ -80,6 +80,9 @@ so-playbook: - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-playbook:{{ GLOBALS.so_version }} - hostname: playbook - name: so-playbook + - networks: + - sosnet: + - ipv4_address: {{ DOCKER.containers['so-playbook'].ip }} - binds: - /opt/so/log/playbook:/playbook/log:rw - environment: diff --git a/salt/redis/init.sls b/salt/redis/init.sls index 1a353a1f0..a481c989d 100644 --- a/salt/redis/init.sls +++ b/salt/redis/init.sls @@ -5,7 +5,7 @@ {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls in allowed_states %} - +{% from 'docker/docker.map.jinja' import DOCKER %} {% from 'vars/globals.map.jinja' import GLOBALS %} include: @@ -46,6 +46,9 @@ so-redis: - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-redis:{{ GLOBALS.so_version }} - hostname: so-redis - user: socore + - networks: + - sosnet: + - ipv4_address: {{ DOCKER.containers['so-redis'].ip }} - port_bindings: - 0.0.0.0:6379:6379 - 0.0.0.0:9696:9696 diff --git a/salt/registry/init.sls b/salt/registry/init.sls index 76ccbf070..c4ffc4800 100644 --- a/salt/registry/init.sls +++ b/salt/registry/init.sls @@ -1,5 +1,6 @@ {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls in allowed_states %} +{% from 'docker/docker.map.jinja' import DOCKER %} include: - ssl @@ -37,6 +38,9 @@ so-dockerregistry: docker_container.running: - image: ghcr.io/security-onion-solutions/registry:latest - hostname: so-registry + - networks: + - sosnet: + - ipv4_address: {{ DOCKER.containers['registry'].ip }} - restart_policy: always - port_bindings: - 0.0.0.0:5000:5000 diff --git a/salt/soctopus/init.sls b/salt/soctopus/init.sls index a2cba07ad..13559c626 100644 --- a/salt/soctopus/init.sls +++ b/salt/soctopus/init.sls @@ -1,6 +1,6 @@ {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls in allowed_states %} - +{% from 'docker/docker.map.jinja' import DOCKER %} {% from 'vars/globals.map.jinja' import GLOBALS %} include: 
@@ -63,6 +63,9 @@ so-soctopus: - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-soctopus:{{ GLOBALS.so_version }} - hostname: soctopus - name: so-soctopus + - networks: + - sosnet: + - ipv4_address: {{ DOCKER.containers['so-soctopus'].ip }} - binds: - /opt/so/conf/soctopus/SOCtopus.conf:/SOCtopus/SOCtopus.conf:ro - /opt/so/log/soctopus/:/var/log/SOCtopus/:rw diff --git a/salt/strelka/init.sls b/salt/strelka/init.sls index e3477dd9e..00bc33223 100644 --- a/salt/strelka/init.sls +++ b/salt/strelka/init.sls @@ -5,7 +5,7 @@ {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls in allowed_states %} - +{% from 'docker/docker.map.jinja' import DOCKER %} {% from 'vars/globals.map.jinja' import GLOBALS %} {% set STRELKA_RULES = salt['pillar.get']('strelka:rules', '1') %} {% import_yaml 'strelka/defaults.yaml' as strelka_config with context %} @@ -152,6 +152,9 @@ strelka_coordinator: docker_container.running: - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-redis:{{ GLOBALS.so_version }} - name: so-strelka-coordinator + - networks: + - sosnet: + - ipv4_address: {{ DOCKER.containers['so-strelka-coordinator'].ip }} - entrypoint: redis-server --save "" --appendonly no - port_bindings: - 0.0.0.0:6380:6379 @@ -165,6 +168,9 @@ strelka_gatekeeper: docker_container.running: - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-redis:{{ GLOBALS.so_version }} - name: so-strelka-gatekeeper + - networks: + - sosnet: + - ipv4_address: {{ DOCKER.containers['so-strelka-gatekeeper'].ip }} - entrypoint: redis-server --save "" --appendonly no --maxmemory-policy allkeys-lru - port_bindings: - 0.0.0.0:6381:6379 @@ -182,6 +188,9 @@ strelka_frontend: - /nsm/strelka/log/:/var/log/strelka/:rw - privileged: True - name: so-strelka-frontend + - networks: + - sosnet: + - ipv4_address: {{ DOCKER.containers['so-strelka-frontend'].ip }} - command: strelka-frontend - port_bindings: - 0.0.0.0:57314:57314 
@@ -198,6 +207,9 @@ strelka_backend: - /opt/so/conf/strelka/backend/:/etc/strelka/:ro - /opt/so/conf/strelka/rules/:/etc/yara/:ro - name: so-strelka-backend + - networks: + - sosnet: + - ipv4_address: {{ DOCKER.containers['so-strelka-backend'].ip }} - command: strelka-backend - restart_policy: on-failure @@ -212,6 +224,9 @@ strelka_manager: - binds: - /opt/so/conf/strelka/manager/:/etc/strelka/:ro - name: so-strelka-manager + - networks: + - sosnet: + - ipv4_address: {{ DOCKER.containers['so-strelka-manager'].ip }} - command: strelka-manager append_so-strelka-manager_so-status.conf: @@ -226,6 +241,9 @@ strelka_filestream: - /opt/so/conf/strelka/filestream/:/etc/strelka/:ro - /nsm/strelka:/nsm/strelka - name: so-strelka-filestream + - networks: + - sosnet: + - ipv4_address: {{ DOCKER.containers['so-strelka-filestream'].ip }} - command: strelka-filestream append_so-strelka-filestream_so-status.conf: From c0afcca87a03470c0a71ea1e996c8c81cf8202e1 Mon Sep 17 00:00:00 2001 From: Josh Patterson Date: Tue, 15 Nov 2022 11:16:18 -0500 Subject: [PATCH 10/37] Update init.sls --- salt/docker/init.sls | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/docker/init.sls b/salt/docker/init.sls index 2497ddae5..91d22949a 100644 --- a/salt/docker/init.sls +++ b/salt/docker/init.sls @@ -54,5 +54,5 @@ dockerreserveports: sosnet: docker_network.present: - - subnet: {{ DOCKER.sosnet }} + - subnet: {{ DOCKER.sosrange }} - gateway: {{ DOCKER.sosbip }} From 1c242fb7f3c552c188a3d8f422581f340e100e92 Mon Sep 17 00:00:00 2001 From: Josh Patterson Date: Tue, 15 Nov 2022 11:52:25 -0500 Subject: [PATCH 11/37] Update top.sls --- salt/top.sls | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/top.sls b/salt/top.sls index 973978537..6f72da687 100644 --- a/salt/top.sls +++ b/salt/top.sls @@ -35,6 +35,7 @@ base: '* and G@saltversion:{{saltversion}}': - match: compound + - docker - salt.minion - patch.os.schedule - motd 
From a371c89f380606cf0c110a0627d073b24fda2f21 Mon Sep 17 00:00:00 2001 From: Josh Patterson Date: Tue, 15 Nov 2022 11:52:51 -0500 Subject: [PATCH 12/37] Update top.sls --- salt/top.sls | 1 - 1 file changed, 1 deletion(-) diff --git a/salt/top.sls b/salt/top.sls index 6f72da687..973978537 100644 --- a/salt/top.sls +++ b/salt/top.sls @@ -35,7 +35,6 @@ base: '* and G@saltversion:{{saltversion}}': - match: compound - - docker - salt.minion - patch.os.schedule - motd From 813e59aa61f6e2552013c7461e786f34ccd19e35 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 15 Nov 2022 13:23:35 -0500 Subject: [PATCH 13/37] Add statics --- salt/docker/defaults.yaml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/salt/docker/defaults.yaml b/salt/docker/defaults.yaml index fee8a5951..c02c5c757 100644 --- a/salt/docker/defaults.yaml +++ b/salt/docker/defaults.yaml @@ -48,3 +48,7 @@ docker: final_octet: 40 'so-strelka-coordinator': final_octet: 41 + 'so-soc': + final_octet: 42 + 'so-curator': + final_octet: 43 From edd993fd8208176c1cf4809b21e51138dad73fb8 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Tue, 15 Nov 2022 16:02:17 -0500 Subject: [PATCH 14/37] change dupe soc to elastalert --- salt/docker/defaults.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/docker/defaults.yaml b/salt/docker/defaults.yaml index c02c5c757..14c136145 100644 --- a/salt/docker/defaults.yaml +++ b/salt/docker/defaults.yaml @@ -48,7 +48,7 @@ docker: final_octet: 40 'so-strelka-coordinator': final_octet: 41 - 'so-soc': + 'so-elastalert': final_octet: 42 'so-curator': final_octet: 43 From 75825617da9349571d51a789d4e55c62716763ad Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Tue, 15 Nov 2022 17:13:25 -0500 Subject: [PATCH 15/37] add soc to sosnet --- salt/soc/init.sls | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/salt/soc/init.sls b/salt/soc/init.sls index 8356bd1d8..c38e60a4c 100644 --- a/salt/soc/init.sls +++ b/salt/soc/init.sls 
@@ -2,6 +2,7 @@ {% if sls in allowed_states %} {% from 'vars/globals.map.jinja' import GLOBALS %} +{% from 'docker/docker.map.jinja' import DOCKER %} include: - manager.sync_es_users @@ -92,6 +93,9 @@ so-soc: - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-soc:{{ GLOBALS.so_version }} - hostname: soc - name: so-soc + - networks: + - sosnet: + - ipv4_address: {{ DOCKER.containers['so-soc'].ip }} - binds: - /nsm/soc/jobs:/opt/sensoroni/jobs:rw - /opt/so/log/soc/:/opt/sensoroni/logs/:rw From d246aa6a80e813f2e4349de3774a92b7e79aa114 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Tue, 15 Nov 2022 17:14:33 -0500 Subject: [PATCH 16/37] we dont need default network config --- salt/common/files/daemon.json | 9 --------- 1 file changed, 9 deletions(-) diff --git a/salt/common/files/daemon.json b/salt/common/files/daemon.json index c2df49f34..d13a80e4b 100644 --- a/salt/common/files/daemon.json +++ b/salt/common/files/daemon.json @@ -1,12 +1,3 @@ -{%- set DOCKERRANGE = salt['pillar.get']('docker:range', '172.17.0.0/24') %} -{%- set DOCKERBIND = salt['pillar.get']('docker:bip', '172.17.0.1/24') %} { "registry-mirrors": [ "https://:5000" ], - "bip": "{{ DOCKERBIND }}", - "default-address-pools": [ - { - "base" : "{{ DOCKERRANGE }}", - "size" : 24 - } - ] } From 54e4749ddfc60e27d46dbeff2a97a1e20c9e2508 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Tue, 15 Nov 2022 17:30:55 -0500 Subject: [PATCH 17/37] remove comma --- salt/common/files/daemon.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/common/files/daemon.json b/salt/common/files/daemon.json index d13a80e4b..c2a2bfedb 100644 --- a/salt/common/files/daemon.json +++ b/salt/common/files/daemon.json @@ -1,3 +1,3 @@ { - "registry-mirrors": [ "https://:5000" ], + "registry-mirrors": [ "https://:5000" ] } From 19f043cfe2f7911cdbf38faa70513b545a16d68d Mon Sep 17 00:00:00 2001 
From: m0duspwnens Date: Tue, 15 Nov 2022 17:39:08 -0500 Subject: [PATCH 18/37] add some options for sosnet --- salt/docker/init.sls | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/salt/docker/init.sls b/salt/docker/init.sls index 91d22949a..bbb7c6e4d 100644 --- a/salt/docker/init.sls +++ b/salt/docker/init.sls @@ -52,7 +52,12 @@ dockerreserveports: - source: salt://common/files/99-reserved-ports.conf - name: /etc/sysctl.d/99-reserved-ports.conf -sosnet: +sos_docker_net: docker_network.present: + - name: sosnet - subnet: {{ DOCKER.sosrange }} - - gateway: {{ DOCKER.sosbip }} + - gateway: {{ DOCKER.sosbip }} + - options: + com.docker.network.bridge.name: sosbridge + com.docker.network.driver.mtu: 1500 + com.docker.network.bridge.enable_ip_masquerade: true From 9ffde8bff523668cb652d226fb8d46132bad5a71 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Tue, 15 Nov 2022 17:46:08 -0500 Subject: [PATCH 19/37] ensure options are strings --- salt/docker/init.sls | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/salt/docker/init.sls b/salt/docker/init.sls index bbb7c6e4d..ae2fadb45 100644 --- a/salt/docker/init.sls +++ b/salt/docker/init.sls @@ -58,6 +58,6 @@ sos_docker_net: - subnet: {{ DOCKER.sosrange }} - gateway: {{ DOCKER.sosbip }} - options: - com.docker.network.bridge.name: sosbridge - com.docker.network.driver.mtu: 1500 - com.docker.network.bridge.enable_ip_masquerade: true + com.docker.network.bridge.name: 'sosbridge' + com.docker.network.driver.mtu: '1500' + com.docker.network.bridge.enable_ip_masquerade: 'true' From a3b505971b5b670eccb87a15132e0bed37f63273 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 16 Nov 2022 12:51:43 -0500 Subject: [PATCH 20/37] remove /24 from docker bip --- setup/so-functions | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index 4941f48ad..98aee00ea 100755 --- a/setup/so-functions +++ b/setup/so-functions 
@@ -1385,11 +1385,11 @@ create_global() { if [ -z "$DOCKERNET" ]; then DOCKERNET=172.17.0.0 DOCKERNET2=172.17.1.0 - DOCKERBIP=$(echo $DOCKERNET | awk -F'.' '{print $1,$2,$3,1}' OFS='.')/24 - DOCKER2BIP=$(echo $DOCKERNET2 | awk -F'.' '{print $1,$2,$3,1}' OFS='.')/24 + DOCKERBIP=$(echo $DOCKERNET | awk -F'.' '{print $1,$2,$3,1}' OFS='.') + DOCKER2BIP=$(echo $DOCKERNET2 | awk -F'.' '{print $1,$2,$3,1}' OFS='.') else - DOCKERBIP=$(echo $DOCKERNET | awk -F'.' '{print $1,$2,$3,1}' OFS='.')/24 - DOCKER2BIP=$(echo $DOCKERNET2 | awk -F'.' '{print $1,$2,$3,1}' OFS='.')/24 + DOCKERBIP=$(echo $DOCKERNET | awk -F'.' '{print $1,$2,$3,1}' OFS='.') + DOCKER2BIP=$(echo $DOCKERNET2 | awk -F'.' '{print $1,$2,$3,1}' OFS='.') fi if [ -f "$global_pillar_file" ]; then From d97e13b473a41b998705e62842dfcda2c2577dfe Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 16 Nov 2022 14:47:40 -0500 Subject: [PATCH 21/37] add /24 back to default bip, rever daemon.json --- salt/common/files/daemon.json | 13 ++++++++++++- setup/so-functions | 4 ++-- 2 files changed, 14 insertions(+), 3 deletions(-) diff --git a/salt/common/files/daemon.json b/salt/common/files/daemon.json index c2a2bfedb..ff6f930bf 100644 --- a/salt/common/files/daemon.json +++ b/salt/common/files/daemon.json @@ -1,3 +1,14 @@ +{%- set DOCKERRANGE = salt['pillar.get']('docker:range', '172.17.0.0/24') %} +{%- set DOCKERBIND = salt['pillar.get']('docker:bip', '172.17.0.1/24') %} { - "registry-mirrors": [ "https://:5000" ] + "registry-mirrors": [ + "https://:5000" + ], + "bip": "{{ DOCKERBIND }}", + "default-address-pools": [ + { + "base": "{{ DOCKERRANGE }}", + "size": 24 + } + ] } diff --git a/setup/so-functions b/setup/so-functions index 98aee00ea..e3307bade 100755 --- a/setup/so-functions +++ b/setup/so-functions 
@@ -1385,10 +1385,10 @@ create_global() { if [ -z "$DOCKERNET" ]; then DOCKERNET=172.17.0.0 DOCKERNET2=172.17.1.0 - DOCKERBIP=$(echo $DOCKERNET | awk -F'.' '{print $1,$2,$3,1}' OFS='.') + DOCKERBIP=$(echo $DOCKERNET | awk -F'.' '{print $1,$2,$3,1}' OFS='.')/24 DOCKER2BIP=$(echo $DOCKERNET2 | awk -F'.' '{print $1,$2,$3,1}' OFS='.') else - DOCKERBIP=$(echo $DOCKERNET | awk -F'.' '{print $1,$2,$3,1}' OFS='.') + DOCKERBIP=$(echo $DOCKERNET | awk -F'.' '{print $1,$2,$3,1}' OFS='.')/24 DOCKER2BIP=$(echo $DOCKERNET2 | awk -F'.' '{print $1,$2,$3,1}' OFS='.') fi From 4b6b42f9b93e3c843b0e3d62eeab28c6000070a0 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Tue, 22 Nov 2022 10:19:18 -0500 Subject: [PATCH 22/37] dont try to add sosnet if it exists --- .vscode/sftp.json | 12 ++++++++++++ salt/docker/init.sls | 1 + 2 files changed, 13 insertions(+) create mode 100644 .vscode/sftp.json diff --git a/.vscode/sftp.json b/.vscode/sftp.json new file mode 100644 index 000000000..7de9a4d41 --- /dev/null +++ b/.vscode/sftp.json @@ -0,0 +1,12 @@ +{ + "name": "10.66.166.230", + "host": "10.66.166.230", + "protocol": "sftp", + "port": 22, + "username": "onionuser", + "remotePath": "/home/onionuser/so/", + "uploadOnSave": false, + "useTempFile": false, + "autoDelete": true, + "openSsh": false +} diff --git a/salt/docker/init.sls b/salt/docker/init.sls index ae2fadb45..a121ef0d8 100644 --- a/salt/docker/init.sls +++ b/salt/docker/init.sls @@ -61,3 +61,4 @@ sos_docker_net: com.docker.network.bridge.name: 'sosbridge' com.docker.network.driver.mtu: '1500' com.docker.network.bridge.enable_ip_masquerade: 'true' + - unless: `docker network ls | grep sosnet` From 6d89d58c50fff6149a54ba0b3aaf4e789ffc282d Mon Sep 17 00:00:00 2001 
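Review bot: `.vscode/sftp.json` is personal editor state that hard-codes an internal host (`10.66.166.230`), an account name (`onionuser`) and a remote path, and it does not belong in the repository; it is deleted again in the following commit, but the content stays in git history, so treat the host and username as disclosed and prefer rotating or restricting that account rather than relying on the deletion. Add `.vscode/` to `.gitignore` so the file cannot be re-added by accident. In the so-functions hunk, `DOCKERBIP` regains the `/24` suffix while `DOCKER2BIP` does not; if that asymmetry is intentional (daemon.json `bip` wants CIDR, the sosnet gateway wants a bare address), a comment such as `# DOCKER2BIP is used as a docker_network gateway and must not carry a prefix length` would stop the next reader from "fixing" it.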
From: m0duspwnens Date: Tue, 22 Nov 2022 11:10:30 -0500 Subject: [PATCH 23/37] ensure createrepo and yum-utils is installed from so repo --- .vscode/sftp.json | 12 ------------ setup/so-functions | 17 +++++++++-------- 2 files changed, 9 insertions(+), 20 deletions(-) delete mode 100644 .vscode/sftp.json diff --git a/.vscode/sftp.json b/.vscode/sftp.json deleted file mode 100644 index 7de9a4d41..000000000 --- a/.vscode/sftp.json +++ /dev/null @@ -1,12 +0,0 @@ -{ - "name": "10.66.166.230", - "host": "10.66.166.230", - "protocol": "sftp", - "port": 22, - "username": "onionuser", - "remotePath": "/home/onionuser/so/", - "uploadOnSave": false, - "useTempFile": false, - "autoDelete": true, - "openSsh": false -} diff --git a/setup/so-functions b/setup/so-functions index e3307bade..d233b3cb4 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -1893,14 +1893,6 @@ securityonion_repo() { repo_sync_local() { # Sync the repo from the the SO repo locally. # Check for reposync - REPOSYNC=$(rpm -qa | grep createrepo | wc -l) - if [[ ! "$REPOSYNC" -gt 0 ]]; then - # Install reposync - info "Installing createrepo" - logCmd "yum -y install yum-utils createrepo" - else - info "We have what we need to sync" - fi info "Backing up old repos" mkdir -p /nsm/repo mkdir -p /root/reposync_cache @@ -1924,6 +1916,15 @@ repo_sync_local() { echo "gpgcheck=1" >> /root/repodownload.conf echo "gpgkey=https://repo.securityonion.net/file/securityonion-repo/keys/securityonion.pub" >> /root/repodownload.conf + REPOSYNC=$(rpm -qa | grep createrepo | wc -l) + if [[ ! "$REPOSYNC" -gt 0 ]]; then + # Install reposync + info "Installing createrepo" + logCmd "yum -y install -c /root/repodownload.conf yum-utils createrepo" + else + info "We have what we need to sync" + fi + logCmd "reposync --norepopath -n -g -l -d -m -c /root/repodownload.conf -r securityonionsync --download-metadata -p /nsm/repo/" From b05839bb9330980e4b72174698c2153dfd061334 Mon Sep 17 00:00:00 2001 
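Review bot: The presence check `REPOSYNC=$(rpm -qa | grep createrepo | wc -l)` only detects createrepo, yet the install line also pulls `yum-utils`, which provides the `reposync` binary invoked a few lines later; on a host with createrepo present but yum-utils absent the install is skipped and `reposync` fails. Query both packages explicitly: `if ! rpm -q createrepo yum-utils >/dev/null 2>&1; then`. Moving the install below the write of `/root/repodownload.conf` so it runs with `gpgcheck=1` and the `-c` config is a good change, but it now depends on that file being a complete yum configuration (a `[main]` section, not just the repo stanza) — the start of that file is outside the hunk, so verify. repo_sync_local's body continues past the end of the hunk.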
From: m0duspwnens Date: Tue, 22 Nov 2022 13:07:58 -0500 Subject: [PATCH 24/37] use single quote --- salt/docker/init.sls | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/docker/init.sls b/salt/docker/init.sls index a121ef0d8..71ed4a153 100644 --- a/salt/docker/init.sls +++ b/salt/docker/init.sls @@ -61,4 +61,4 @@ sos_docker_net: com.docker.network.bridge.name: 'sosbridge' com.docker.network.driver.mtu: '1500' com.docker.network.bridge.enable_ip_masquerade: 'true' - - unless: `docker network ls | grep sosnet` + - unless: 'docker network ls | grep sosnet' From b4908e2bb9f548c036874ee8e3db3ae27f89f8b5 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Thu, 22 Dec 2022 09:31:45 -0500 Subject: [PATCH 25/37] add iptables.jinja --- salt/firewall/iptables.jinja | 306 +++++++++++++++++++++++++++++++++++ 1 file changed, 306 insertions(+) create mode 100644 salt/firewall/iptables.jinja diff --git a/salt/firewall/iptables.jinja b/salt/firewall/iptables.jinja new file mode 100644 index 000000000..68f3f4ea7 --- /dev/null +++ b/salt/firewall/iptables.jinja 
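Review bot: With `- unless: 'docker network ls | grep sosnet'` the whole `docker_network.present` state is skipped whenever any network whose name merely contains `sosnet` exists, so a pre-existing network with a different subnet, gateway or bridge name is never reconciled and the static `ipv4_address` values and firewall rules derived from `DOCKER.sosrange` silently disagree with the live network. `docker_network.present` is already idempotent and only reports changes when the definition drifts, so the guard is unnecessary for the no-op case; if it exists to avoid tearing down a network that running containers are attached to, say so in a comment and at least match exactly: `- unless: 'docker network inspect sosnet >/dev/null 2>&1'`.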
@@ -0,0 +1,306 @@ +{% from 'docker/docker.map.jinja' import DOCKER %} +{% from 'firewall/containers.map.jinja' import NODE_CONTAINERS %} +{% from 'firewall/map.jinja' import hostgroups with context %} +{% from 'firewall/map.jinja' import assigned_hostgroups with context %} + +*nat +:PREROUTING ACCEPT [0:0] +:INPUT ACCEPT [0:0] +:OUTPUT ACCEPT [0:0] +:POSTROUTING ACCEPT [0:0] +:DOCKER - [0:0] +:OUTPUT_direct - [0:0] +:POSTROUTING_ZONES - [0:0] +:POSTROUTING_ZONES_SOURCE - [0:0] +:POSTROUTING_direct - [0:0] +:POST_docker - [0:0] +:POST_docker_allow - [0:0] +:POST_docker_deny - [0:0] +:POST_docker_log - [0:0] +:POST_public - [0:0] +:POST_public_allow - [0:0] +:POST_public_deny - [0:0] +:POST_public_log - [0:0] +:PREROUTING_ZONES - [0:0] +:PREROUTING_ZONES_SOURCE - [0:0] +:PREROUTING_direct - [0:0] +:PRE_docker - [0:0] +:PRE_docker_allow - [0:0] +:PRE_docker_deny - [0:0] +:PRE_docker_log - [0:0] +:PRE_public - [0:0] +:PRE_public_allow - [0:0] +:PRE_public_deny - [0:0] +:PRE_public_log - [0:0] +-A PREROUTING -j PREROUTING_direct +-A PREROUTING -j PREROUTING_ZONES_SOURCE +-A PREROUTING -j PREROUTING_ZONES +-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER +-A OUTPUT -j OUTPUT_direct +-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER +-A POSTROUTING -s {{DOCKER.range}} ! -o sosnet -j MASQUERADE +-A POSTROUTING -j POSTROUTING_direct +-A POSTROUTING -j POSTROUTING_ZONES_SOURCE +-A POSTROUTING -j POSTROUTING_ZONES + +{%- for container in NODE_CONTAINERS %} +{%- for port, proto in DOCKER.containers[container].ports.items() %} +-A POSTROUTING -s {{DOCKER.containers[container].ip}}/32 -d {{DOCKER.containers[container].ip}}/32 -p {{proto}} -m {{proto}} --dport {{port}} -j MASQUERADE +{%- endfor %} +{%- endfor %} +-A DOCKER -i sosnet -j RETURN +{%- for container in NODE_CONTAINERS %} +{%- for port, proto in DOCKER.containers[container].ports.items() %} +-A DOCKER ! 
-i sosnet -p {{proto}} -m {{proto}} --dport {{port}} -j DNAT --to-destination {{DOCKER.containers[container].ip}}:{{port}} +{%- endfor %} +{%- endfor %} + +-A POSTROUTING_ZONES -o sosnet -g POST_docker +-A POSTROUTING_ZONES -o bond0 -g POST_public +-A POSTROUTING_ZONES -o eth1 -g POST_public +-A POSTROUTING_ZONES -o eth0 -g POST_public +-A POSTROUTING_ZONES -g POST_public +-A POST_docker -j POST_docker_log +-A POST_docker -j POST_docker_deny +-A POST_docker -j POST_docker_allow +-A POST_public -j POST_public_log +-A POST_public -j POST_public_deny +-A POST_public -j POST_public_allow +-A PREROUTING_ZONES -i sosnet -g PRE_docker +-A PREROUTING_ZONES -i bond0 -g PRE_public +-A PREROUTING_ZONES -i eth1 -g PRE_public +-A PREROUTING_ZONES -i eth0 -g PRE_public +-A PREROUTING_ZONES -g PRE_public +-A PRE_docker -j PRE_docker_log +-A PRE_docker -j PRE_docker_deny +-A PRE_docker -j PRE_docker_allow +-A PRE_public -j PRE_public_log +-A PRE_public -j PRE_public_deny +-A PRE_public -j PRE_public_allow +COMMIT + +*mangle +:PREROUTING ACCEPT [0:0] +:INPUT ACCEPT [0:0] +:FORWARD ACCEPT [0:0] +:OUTPUT ACCEPT [0:0] +:POSTROUTING ACCEPT [0:0] +:FORWARD_direct - [0:0] +:INPUT_direct - [0:0] +:OUTPUT_direct - [0:0] +:POSTROUTING_direct - [0:0] +:PREROUTING_ZONES - [0:0] +:PREROUTING_ZONES_SOURCE - [0:0] +:PREROUTING_direct - [0:0] +:PRE_docker - [0:0] +:PRE_docker_allow - [0:0] +:PRE_docker_deny - [0:0] +:PRE_docker_log - [0:0] +:PRE_public - [0:0] +:PRE_public_allow - [0:0] +:PRE_public_deny - [0:0] +:PRE_public_log - [0:0] +-A PREROUTING -j PREROUTING_direct +-A PREROUTING -j PREROUTING_ZONES_SOURCE +-A PREROUTING -j PREROUTING_ZONES +-A INPUT -j INPUT_direct +-A FORWARD -j FORWARD_direct +-A OUTPUT -j OUTPUT_direct +-A POSTROUTING -j POSTROUTING_direct +-A PREROUTING_ZONES -i sosnet -g PRE_docker +-A PREROUTING_ZONES -i bond0 -g PRE_public +-A PREROUTING_ZONES -i eth1 -g PRE_public +-A PREROUTING_ZONES -i eth0 -g PRE_public +-A PREROUTING_ZONES -g PRE_public +-A PRE_docker -j 
PRE_docker_log +-A PRE_docker -j PRE_docker_deny +-A PRE_docker -j PRE_docker_allow +-A PRE_public -j PRE_public_log +-A PRE_public -j PRE_public_deny +-A PRE_public -j PRE_public_allow +COMMIT + +*security +:INPUT ACCEPT [0:0] +:FORWARD ACCEPT [0:0] +:OUTPUT ACCEPT [0:0] +:FORWARD_direct - [0:0] +:INPUT_direct - [0:0] +:OUTPUT_direct - [0:0] +-A INPUT -j INPUT_direct +-A FORWARD -j FORWARD_direct +-A OUTPUT -j OUTPUT_direct +COMMIT + +*raw +:PREROUTING ACCEPT [0:0] +:OUTPUT ACCEPT [0:0] +:OUTPUT_direct - [0:0] +:PREROUTING_ZONES - [0:0] +:PREROUTING_ZONES_SOURCE - [0:0] +:PREROUTING_direct - [0:0] +:PRE_docker - [0:0] +:PRE_docker_allow - [0:0] +:PRE_docker_deny - [0:0] +:PRE_docker_log - [0:0] +:PRE_public - [0:0] +:PRE_public_allow - [0:0] +:PRE_public_deny - [0:0] +:PRE_public_log - [0:0] +-A PREROUTING -j PREROUTING_direct +-A PREROUTING -j PREROUTING_ZONES_SOURCE +-A PREROUTING -j PREROUTING_ZONES +-A OUTPUT -j OUTPUT_direct +-A PREROUTING_ZONES -i sosnet -g PRE_docker +-A PREROUTING_ZONES -i bond0 -g PRE_public +-A PREROUTING_ZONES -i eth1 -g PRE_public +-A PREROUTING_ZONES -i eth0 -g PRE_public +-A PREROUTING_ZONES -g PRE_public +-A PRE_docker -j PRE_docker_log +-A PRE_docker -j PRE_docker_deny +-A PRE_docker -j PRE_docker_allow +-A PRE_public -j PRE_public_log +-A PRE_public -j PRE_public_deny +-A PRE_public -j PRE_public_allow +COMMIT + + +*filter +:INPUT ACCEPT [0:0] +:FORWARD DROP [0:0] +:OUTPUT ACCEPT [0:0] +:DOCKER - [0:0] +:DOCKER-ISOLATION-STAGE-1 - [0:0] +:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-USER - [0:0] +:FORWARD_IN_ZONES - [0:0] +:FORWARD_IN_ZONES_SOURCE - [0:0] +:FORWARD_OUT_ZONES - [0:0] +:FORWARD_OUT_ZONES_SOURCE - [0:0] +:FORWARD_direct - [0:0] +:FWDI_docker - [0:0] +:FWDI_docker_allow - [0:0] +:FWDI_docker_deny - [0:0] +:FWDI_docker_log - [0:0] +:FWDI_public - [0:0] +:FWDI_public_allow - [0:0] +:FWDI_public_deny - [0:0] +:FWDI_public_log - [0:0] +:FWDO_docker - [0:0] +:FWDO_docker_allow - [0:0] +:FWDO_docker_deny - [0:0] 
+:FWDO_docker_log - [0:0] +:FWDO_public - [0:0] +:FWDO_public_allow - [0:0] +:FWDO_public_deny - [0:0] +:FWDO_public_log - [0:0] +:INPUT_ZONES - [0:0] +:INPUT_ZONES_SOURCE - [0:0] +:INPUT_direct - [0:0] +:IN_docker - [0:0] +:IN_docker_allow - [0:0] +:IN_docker_deny - [0:0] +:IN_docker_log - [0:0] +:IN_public - [0:0] +:IN_public_allow - [0:0] +:IN_public_deny - [0:0] +:IN_public_log - [0:0] +:LOGGING - [0:0] +:OUTPUT_direct - [0:0] + +{%- set count = namespace(value=0) %} +{%- for chain, hg in assigned_hostgroups.chain.items() %} + {%- for hostgroup, portgroups in assigned_hostgroups.chain[chain].hostgroups.items() %} + {%- for action in ['insert', 'delete' ] %} + {%- if hostgroups[hostgroup].ips[action] %} + {%- for ip in hostgroups[hostgroup].ips[action] %} + {%- for portgroup in portgroups.portgroups %} + {%- for proto, ports in portgroup.items() %} + {%- for port in ports %} + {%- set count.value = count.value + 1 %} +-A {{chain}} -s {{ip}} -p {{proto}} -m {{proto}} --dport {{port}} -j ACCEPT + {%- endfor %} + {%- endfor %} + {%- endfor %} + {%- endfor %} + {%- endif %} + {%- endfor %} + {%- endfor %} +{%- endfor %} + +-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT +-A INPUT -i lo -j ACCEPT +-A INPUT -j INPUT_direct +-A INPUT -j INPUT_ZONES_SOURCE +-A INPUT -j INPUT_ZONES +-A INPUT -m conntrack --ctstate INVALID -j DROP +-A INPUT -j REJECT --reject-with icmp-host-prohibited +-A INPUT -p icmp -j ACCEPT +-A INPUT -j LOGGING +-A FORWARD -j DOCKER-USER +-A FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A FORWARD -o sosnet -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT +-A FORWARD -o sosnet -j DOCKER +-A FORWARD -i sosnet ! 
-o sosnet -j ACCEPT +-A FORWARD -i sosnet -o sosnet -j ACCEPT +-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT +-A FORWARD -i lo -j ACCEPT +-A FORWARD -j FORWARD_direct +-A FORWARD -j FORWARD_IN_ZONES_SOURCE +-A FORWARD -j FORWARD_IN_ZONES +-A FORWARD -j FORWARD_OUT_ZONES_SOURCE +-A FORWARD -j FORWARD_OUT_ZONES +-A FORWARD -m conntrack --ctstate INVALID -j DROP +-A FORWARD -j REJECT --reject-with icmp-host-prohibited +-A OUTPUT -o lo -j ACCEPT +-A OUTPUT -j OUTPUT_direct +-A OUTPUT -p icmp -m icmp --icmp-type 14 -j DROP +-A DOCKER-ISOLATION-STAGE-1 -i sosnet ! -o sosnet -j DOCKER-ISOLATION-STAGE-2 +-A DOCKER-ISOLATION-STAGE-1 -j RETURN +-A DOCKER-ISOLATION-STAGE-2 -o sosnet -j DROP +-A DOCKER-ISOLATION-STAGE-2 -j RETURN +-A DOCKER-USER ! -i sosnet -o sosnet -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT +-A DOCKER-USER ! -i sosnet -o sosnet -j LOGGING +-A DOCKER-USER -j RETURN +-A FORWARD_IN_ZONES -i sosnet -g FWDI_docker +-A FORWARD_IN_ZONES -i bond0 -g FWDI_public +-A FORWARD_IN_ZONES -i eth1 -g FWDI_public +-A FORWARD_IN_ZONES -i eth0 -g FWDI_public +-A FORWARD_IN_ZONES -g FWDI_public +-A FORWARD_OUT_ZONES -o sosnet -g FWDO_docker +-A FORWARD_OUT_ZONES -o bond0 -g FWDO_public +-A FORWARD_OUT_ZONES -o eth1 -g FWDO_public +-A FORWARD_OUT_ZONES -o eth0 -g FWDO_public +-A FORWARD_OUT_ZONES -g FWDO_public +-A FWDI_docker -j FWDI_docker_log +-A FWDI_docker -j FWDI_docker_deny +-A FWDI_docker -j FWDI_docker_allow +-A FWDI_docker -j ACCEPT +-A FWDI_public -j FWDI_public_log +-A FWDI_public -j FWDI_public_deny +-A FWDI_public -j FWDI_public_allow +-A FWDI_public -p icmp -j ACCEPT +-A FWDO_docker -j FWDO_docker_log +-A FWDO_docker -j FWDO_docker_deny +-A FWDO_docker -j FWDO_docker_allow +-A FWDO_docker -j ACCEPT +-A FWDO_public -j FWDO_public_log +-A FWDO_public -j FWDO_public_deny +-A FWDO_public -j FWDO_public_allow +-A INPUT_ZONES -i sosnet -g IN_docker +-A INPUT_ZONES -i bond0 -g IN_public +-A INPUT_ZONES -i eth1 -g IN_public +-A INPUT_ZONES -i 
eth0 -g IN_public +-A INPUT_ZONES -g IN_public +-A IN_docker -j IN_docker_log +-A IN_docker -j IN_docker_deny +-A IN_docker -j IN_docker_allow +-A IN_docker -j ACCEPT +-A IN_public -j IN_public_log +-A IN_public -j IN_public_deny +-A IN_public -j IN_public_allow +-A IN_public -p icmp -j ACCEPT +-A IN_public_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT +-A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables-dropped: " +-A LOGGING -j DROP +COMMIT From 90882ce1db820110c2cf6a76bc7ba94d66d2a490 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Thu, 22 Dec 2022 13:26:10 -0500 Subject: [PATCH 26/37] disable docker from managing iptables --- salt/docker/files/iptables-disabled.conf | 3 +++ salt/docker/init.sls | 11 +++++++++++ 2 files changed, 14 insertions(+) create mode 100644 salt/docker/files/iptables-disabled.conf diff --git a/salt/docker/files/iptables-disabled.conf b/salt/docker/files/iptables-disabled.conf new file mode 100644 index 000000000..c6cf9b170 --- /dev/null +++ b/salt/docker/files/iptables-disabled.conf @@ -0,0 +1,3 @@ +[Service] +ExecStart= +ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock --iptables=false diff --git a/salt/docker/init.sls b/salt/docker/init.sls index 71ed4a153..96dd0ee95 100644 --- a/salt/docker/init.sls +++ b/salt/docker/init.sls @@ -20,6 +20,17 @@ dockerheldpackages: - hold: True - update_holds: True +#disable docker from managing iptables +iptables_disabled: + file.managed: + - name: /etc/systemd/system/docker.service.d/iptables-disabled.conf + - source: salt://docker/files/iptables-disabled.conf + - makedirs: True + cmd.run: + - name: systemctl daemon-reload + - onchanges: + - file: iptables_disabled + # Make sure etc/docker exists dockeretc: file.directory: From 24876eecd956ca9eec9da71b53137ef00a11a02c Mon Sep 17 00:00:00 2001 
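Review bot: In the `*filter` section, `-A INPUT -j REJECT --reject-with icmp-host-prohibited` is appended before `-A INPUT -p icmp -j ACCEPT` and `-A INPUT -j LOGGING`, so those two rules are unreachable: inbound ICMP that is not RELATED/ESTABLISHED is rejected, and nothing that falls through INPUT is ever logged, which defeats the `IPTables-dropped:` log line the LOGGING chain is built for. Put the ICMP accept ahead of the reject and make the terminal rule `-A INPUT -j LOGGING` (it already ends in DROP), or keep the REJECT but place it after the LOG. Separately, `-A POSTROUTING -s {{DOCKER.range}} ! -o sosnet -j MASQUERADE` masquerades `docker:range` while the sosnet network is created from `DOCKER.sosrange` (salt/docker/init.sls), so if the two pillar values differ, egress from sosnet containers is not masqueraded; use `{{DOCKER.sosrange}}` here. Note also that `IN_public_allow` accepts tcp/22 from any source, bypassing the hostgroup allow-list the template otherwise generates — if SSH is meant to be hostgroup-governed, this line should be removed or restricted.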
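Review bot: `iptables_disabled` only runs `systemctl daemon-reload` when the drop-in changes; dockerd keeps running with iptables management enabled until something restarts it, and during that window Docker still writes its own nat/filter rules alongside the rules rendered from iptables.jinja, so the two rule sets fight over the DOCKER and DOCKER-USER chains. Tie the daemon restart to the file, e.g. in the docker `service.running` state (not visible here) add `- watch: - file: iptables_disabled`. The drop-in also replaces the packaged `ExecStart` wholesale, so any distro-specific flags are lost on the next package update; the same effect with less coupling is `"iptables": false` in /etc/docker/daemon.json, which this repository already templates.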
From: m0duspwnens Date: Thu, 22 Dec 2022 14:02:40 -0500 Subject: [PATCH 27/37] change refs from sosnet to sosbridge --- salt/docker/init.sls | 4 ++-- salt/elastic-fleet/init.sls | 4 ++-- salt/elasticsearch/init.sls | 2 +- salt/filebeat/init.sls | 2 +- salt/firewall/iptables.jinja | 36 ++++++++++++++++++------------------ salt/grafana/init.sls | 2 +- salt/idstools/init.sls | 2 +- salt/influxdb/init.sls | 2 +- salt/kibana/init.sls | 2 +- salt/kratos/init.sls | 2 +- salt/logstash/init.sls | 2 +- salt/mysql/init.sls | 2 +- salt/nginx/init.sls | 2 +- salt/playbook/init.sls | 2 +- salt/redis/init.sls | 2 +- salt/registry/init.sls | 2 +- salt/soc/init.sls | 2 +- salt/soctopus/init.sls | 2 +- salt/strelka/init.sls | 12 ++++++------ 19 files changed, 43 insertions(+), 43 deletions(-) diff --git a/salt/docker/init.sls b/salt/docker/init.sls index 96dd0ee95..f65e8eff8 100644 --- a/salt/docker/init.sls +++ b/salt/docker/init.sls @@ -65,11 +65,11 @@ dockerreserveports: sos_docker_net: docker_network.present: - - name: sosnet + - name: sosbridge - subnet: {{ DOCKER.sosrange }} - gateway: {{ DOCKER.sosbip }} - options: com.docker.network.bridge.name: 'sosbridge' com.docker.network.driver.mtu: '1500' com.docker.network.bridge.enable_ip_masquerade: 'true' - - unless: 'docker network ls | grep sosnet' + - unless: 'docker network ls | grep sosbridge' diff --git a/salt/elastic-fleet/init.sls b/salt/elastic-fleet/init.sls index 45d15ad58..36df7af35 100644 --- a/salt/elastic-fleet/init.sls +++ b/salt/elastic-fleet/init.sls @@ -49,7 +49,7 @@ so-elastic-fleet: - detach: True - user: 947 - networks: - - sosnet: + - sosbridge: - ipv4_address: {{ DOCKER.containers['so-elastic-fleet'].ip }} - extra_hosts: - {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }} @@ -81,4 +81,4 @@ append_so-elastic-fleet_so-status.conf: test.fail_without_changes: - name: {{sls}}_state_not_allowed -{% endif %} \ No newline at end of file +{% endif %} 
diff --git a/salt/elasticsearch/init.sls b/salt/elasticsearch/init.sls index fc26991a3..900cddd45 100644 --- a/salt/elasticsearch/init.sls +++ b/salt/elasticsearch/init.sls @@ -291,7 +291,7 @@ so-elasticsearch: - name: so-elasticsearch - user: elasticsearch - networks: - - sosnet: + - sosbridge: - ipv4_address: {{ DOCKER.containers['so-elasticsearch'].ip }} - extra_hosts: {{ REDIS_NODES }} - environment: diff --git a/salt/filebeat/init.sls b/salt/filebeat/init.sls index 908deba14..dfef2d720 100644 --- a/salt/filebeat/init.sls +++ b/salt/filebeat/init.sls @@ -99,7 +99,7 @@ so-filebeat: - hostname: so-filebeat - user: root - networks: - - sosnet: + - sosbridge: - ipv4_address: {{ DOCKER.containers['so-filebeat'].ip }} - extra_hosts: {{ FILEBEAT_EXTRA_HOSTS }} - binds: diff --git a/salt/firewall/iptables.jinja b/salt/firewall/iptables.jinja index 68f3f4ea7..f02d51e32 100644 --- a/salt/firewall/iptables.jinja +++ b/salt/firewall/iptables.jinja @@ -38,7 +38,7 @@ -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER -A OUTPUT -j OUTPUT_direct -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER --A POSTROUTING -s {{DOCKER.range}} ! -o sosnet -j MASQUERADE +-A POSTROUTING -s {{DOCKER.range}} ! -o sosbridge -j MASQUERADE -A POSTROUTING -j POSTROUTING_direct -A POSTROUTING -j POSTROUTING_ZONES_SOURCE -A POSTROUTING -j POSTROUTING_ZONES 
@@ -48,14 +48,14 @@ -A POSTROUTING -s {{DOCKER.containers[container].ip}}/32 -d {{DOCKER.containers[container].ip}}/32 -p {{proto}} -m {{proto}} --dport {{port}} -j MASQUERADE {%- endfor %} {%- endfor %} --A DOCKER -i sosnet -j RETURN +-A DOCKER -i sosbridge -j RETURN {%- for container in NODE_CONTAINERS %} {%- for port, proto in DOCKER.containers[container].ports.items() %} --A DOCKER ! -i sosnet -p {{proto}} -m {{proto}} --dport {{port}} -j DNAT --to-destination {{DOCKER.containers[container].ip}}:{{port}} +-A DOCKER ! -i sosbridge -p {{proto}} -m {{proto}} --dport {{port}} -j DNAT --to-destination {{DOCKER.containers[container].ip}}:{{port}} {%- endfor %} {%- endfor %} --A POSTROUTING_ZONES -o sosnet -g POST_docker +-A POSTROUTING_ZONES -o sosbridge -g POST_docker -A POSTROUTING_ZONES -o bond0 -g POST_public -A POSTROUTING_ZONES -o eth1 -g POST_public -A POSTROUTING_ZONES -o eth0 -g POST_public @@ -66,7 +66,7 @@ -A POST_public -j POST_public_log -A POST_public -j POST_public_deny -A POST_public -j POST_public_allow --A PREROUTING_ZONES -i sosnet -g PRE_docker +-A PREROUTING_ZONES -i sosbridge -g PRE_docker -A PREROUTING_ZONES -i bond0 -g PRE_public -A PREROUTING_ZONES -i eth1 -g PRE_public -A PREROUTING_ZONES -i eth0 -g PRE_public @@ -107,7 +107,7 @@ COMMIT -A FORWARD -j FORWARD_direct -A OUTPUT -j OUTPUT_direct -A POSTROUTING -j POSTROUTING_direct --A PREROUTING_ZONES -i sosnet -g PRE_docker +-A PREROUTING_ZONES -i sosbridge -g PRE_docker -A PREROUTING_ZONES -i bond0 -g PRE_public -A PREROUTING_ZONES -i eth1 -g PRE_public -A PREROUTING_ZONES -i eth0 -g PRE_public @@ -151,7 +151,7 @@ COMMIT -A PREROUTING -j PREROUTING_ZONES_SOURCE -A PREROUTING -j PREROUTING_ZONES -A OUTPUT -j OUTPUT_direct --A PREROUTING_ZONES -i sosnet -g PRE_docker +-A PREROUTING_ZONES -i sosbridge -g PRE_docker -A PREROUTING_ZONES -i bond0 -g PRE_public -A PREROUTING_ZONES -i eth1 -g PRE_public -A PREROUTING_ZONES -i eth0 -g PRE_public 
@@ -239,10 +239,10 @@ COMMIT -A INPUT -j LOGGING -A FORWARD -j DOCKER-USER -A FORWARD -j DOCKER-ISOLATION-STAGE-1 --A FORWARD -o sosnet -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT --A FORWARD -o sosnet -j DOCKER --A FORWARD -i sosnet ! -o sosnet -j ACCEPT --A FORWARD -i sosnet -o sosnet -j ACCEPT +-A FORWARD -o sosbridge -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT +-A FORWARD -o sosbridge -j DOCKER +-A FORWARD -i sosbridge ! -o sosbridge -j ACCEPT +-A FORWARD -i sosbridge -o sosbridge -j ACCEPT -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A FORWARD -i lo -j ACCEPT -A FORWARD -j FORWARD_direct @@ -255,19 +255,19 @@ COMMIT -A OUTPUT -o lo -j ACCEPT -A OUTPUT -j OUTPUT_direct -A OUTPUT -p icmp -m icmp --icmp-type 14 -j DROP --A DOCKER-ISOLATION-STAGE-1 -i sosnet ! -o sosnet -j DOCKER-ISOLATION-STAGE-2 +-A DOCKER-ISOLATION-STAGE-1 -i sosbridge ! -o sosbridge -j DOCKER-ISOLATION-STAGE-2 -A DOCKER-ISOLATION-STAGE-1 -j RETURN --A DOCKER-ISOLATION-STAGE-2 -o sosnet -j DROP +-A DOCKER-ISOLATION-STAGE-2 -o sosbridge -j DROP -A DOCKER-ISOLATION-STAGE-2 -j RETURN --A DOCKER-USER ! -i sosnet -o sosnet -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT --A DOCKER-USER ! -i sosnet -o sosnet -j LOGGING +-A DOCKER-USER ! -i sosbridge -o sosbridge -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT +-A DOCKER-USER ! -i sosbridge -o sosbridge -j LOGGING -A DOCKER-USER -j RETURN --A FORWARD_IN_ZONES -i sosnet -g FWDI_docker +-A FORWARD_IN_ZONES -i sosbridge -g FWDI_docker -A FORWARD_IN_ZONES -i bond0 -g FWDI_public -A FORWARD_IN_ZONES -i eth1 -g FWDI_public -A FORWARD_IN_ZONES -i eth0 -g FWDI_public -A FORWARD_IN_ZONES -g FWDI_public --A FORWARD_OUT_ZONES -o sosnet -g FWDO_docker +-A FORWARD_OUT_ZONES -o sosbridge -g FWDO_docker -A FORWARD_OUT_ZONES -o bond0 -g FWDO_public -A FORWARD_OUT_ZONES -o eth1 -g FWDO_public -A FORWARD_OUT_ZONES -o eth0 -g FWDO_public 
@@ -287,7 +287,7 @@ COMMIT -A FWDO_public -j FWDO_public_log -A FWDO_public -j FWDO_public_deny -A FWDO_public -j FWDO_public_allow --A INPUT_ZONES -i sosnet -g IN_docker +-A INPUT_ZONES -i sosbridge -g IN_docker -A INPUT_ZONES -i bond0 -g IN_public -A INPUT_ZONES -i eth1 -g IN_public -A INPUT_ZONES -i eth0 -g IN_public diff --git a/salt/grafana/init.sls b/salt/grafana/init.sls index 901a8b6f7..f51ab7ebd 100644 --- a/salt/grafana/init.sls +++ b/salt/grafana/init.sls @@ -126,7 +126,7 @@ so-grafana: - hostname: grafana - user: socore - networks: - - sosnet: + - sosbridge: - ipv4_address: {{ DOCKER.containers['so-grafana'].ip }} - binds: - /nsm/grafana:/var/lib/grafana:rw diff --git a/salt/idstools/init.sls b/salt/idstools/init.sls index 418ecec28..490cea3f7 100644 --- a/salt/idstools/init.sls +++ b/salt/idstools/init.sls @@ -33,7 +33,7 @@ so-idstools: - hostname: so-idstools - user: socore - networks: - - sosnet: + - sosbridge: - ipv4_address: {{ DOCKER.containers['so-idstools'].ip }} {% if proxy %} - environment: diff --git a/salt/influxdb/init.sls b/salt/influxdb/init.sls index 0dfa452f5..b2ab49625 100644 --- a/salt/influxdb/init.sls +++ b/salt/influxdb/init.sls @@ -49,7 +49,7 @@ so-influxdb: - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-influxdb:{{ GLOBALS.so_version }} - hostname: influxdb - networks: - - sosnet: + - sosbridge: - ipv4_address: {{ DOCKER.containers['so-influxdb'].ip }} - environment: - INFLUXDB_HTTP_LOG_ENABLED=false diff --git a/salt/kibana/init.sls b/salt/kibana/init.sls index 9f45e2376..f7c4e81a3 100644 --- a/salt/kibana/init.sls +++ b/salt/kibana/init.sls @@ -83,7 +83,7 @@ so-kibana: - hostname: kibana - user: kibana - networks: - - sosnet: + - sosbridge: - ipv4_address: {{ DOCKER.containers['so-kibana'].ip }} - environment: - ELASTICSEARCH_HOST={{ GLOBALS.manager }} diff --git a/salt/kratos/init.sls b/salt/kratos/init.sls index f22db4069..ab7692951 100644 --- a/salt/kratos/init.sls +++ b/salt/kratos/init.sls 
@@ -69,7 +69,7 @@ so-kratos: - hostname: kratos - name: so-kratos - networks: - - sosnet: + - sosbridge: - ipv4_address: {{ DOCKER.containers['so-kratos'].ip }} - binds: - /opt/so/conf/kratos/schema.json:/kratos-conf/schema.json:ro diff --git a/salt/logstash/init.sls b/salt/logstash/init.sls index 481f727e4..2224f57d4 100644 --- a/salt/logstash/init.sls +++ b/salt/logstash/init.sls @@ -140,7 +140,7 @@ so-logstash: - hostname: so-logstash - name: so-logstash - networks: - - sosnet: + - sosbridge: - ipv4_address: {{ DOCKER.containers['so-logstash'].ip }} - user: logstash - extra_hosts: {{ REDIS_NODES }} diff --git a/salt/mysql/init.sls b/salt/mysql/init.sls index e9766ea83..2ab88f7fe 100644 --- a/salt/mysql/init.sls +++ b/salt/mysql/init.sls @@ -85,7 +85,7 @@ so-mysql: - hostname: so-mysql - user: socore - networks: - - sosnet: + - sosbridge: - ipv4_address: {{ DOCKER.containers['so-mysql'].ip }} - port_bindings: - 0.0.0.0:3306:3306 diff --git a/salt/nginx/init.sls b/salt/nginx/init.sls index 69fc541fa..dd8f1b829 100644 --- a/salt/nginx/init.sls +++ b/salt/nginx/init.sls @@ -85,7 +85,7 @@ so-nginx: - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-nginx:{{ GLOBALS.so_version }} - hostname: so-nginx - networks: - - sosnet: + - sosbridge: - ipv4_address: {{ DOCKER.containers['so-nginx'].ip }} - binds: - /opt/so/conf/nginx/nginx.conf:/etc/nginx/nginx.conf:ro diff --git a/salt/playbook/init.sls b/salt/playbook/init.sls index 6784422c3..1a8ae7f67 100644 --- a/salt/playbook/init.sls +++ b/salt/playbook/init.sls @@ -81,7 +81,7 @@ so-playbook: - hostname: playbook - name: so-playbook - networks: - - sosnet: + - sosbridge: - ipv4_address: {{ DOCKER.containers['so-playbook'].ip }} - binds: - /opt/so/log/playbook:/playbook/log:rw diff --git a/salt/redis/init.sls b/salt/redis/init.sls index d8ef991fa..95598cbbd 100644 --- a/salt/redis/init.sls +++ b/salt/redis/init.sls 
@@ -47,7 +47,7 @@ so-redis: - hostname: so-redis - user: socore - networks: - - sosnet: + - sosbridge: - ipv4_address: {{ DOCKER.containers['so-redis'].ip }} - port_bindings: - 0.0.0.0:6379:6379 diff --git a/salt/registry/init.sls b/salt/registry/init.sls index b716ed2bb..ab85f4af3 100644 --- a/salt/registry/init.sls +++ b/salt/registry/init.sls @@ -39,7 +39,7 @@ so-dockerregistry: - image: ghcr.io/security-onion-solutions/registry:latest - hostname: so-registry - networks: - - sosnet: + - sosbridge: - ipv4_address: {{ DOCKER.containers['so-dockerregistry'].ip }} - restart_policy: always - port_bindings: diff --git a/salt/soc/init.sls b/salt/soc/init.sls index e8ab21b4a..35a58d8ec 100644 --- a/salt/soc/init.sls +++ b/salt/soc/init.sls @@ -97,7 +97,7 @@ so-soc: - hostname: soc - name: so-soc - networks: - - sosnet: + - sosbridge: - ipv4_address: {{ DOCKER.containers['so-soc'].ip }} - binds: - /nsm/soc/jobs:/opt/sensoroni/jobs:rw diff --git a/salt/soctopus/init.sls b/salt/soctopus/init.sls index 13559c626..792353a27 100644 --- a/salt/soctopus/init.sls +++ b/salt/soctopus/init.sls @@ -64,7 +64,7 @@ so-soctopus: - hostname: soctopus - name: so-soctopus - networks: - - sosnet: + - sosbridge: - ipv4_address: {{ DOCKER.containers['so-soctopus'].ip }} - binds: - /opt/so/conf/soctopus/SOCtopus.conf:/SOCtopus/SOCtopus.conf:ro diff --git a/salt/strelka/init.sls b/salt/strelka/init.sls index 122c30fd6..c67ad5d7f 100644 --- a/salt/strelka/init.sls +++ b/salt/strelka/init.sls @@ -169,7 +169,7 @@ strelka_coordinator: - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-redis:{{ GLOBALS.so_version }} - name: so-strelka-coordinator - networks: - - sosnet: + - sosbridge: - ipv4_address: {{ DOCKER.containers['so-strelka-coordinator'].ip }} - entrypoint: redis-server --save "" --appendonly no - port_bindings: 
@@ -185,7 +185,7 @@ strelka_gatekeeper: - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-redis:{{ GLOBALS.so_version }} - name: so-strelka-gatekeeper - networks: - - sosnet: + - sosbridge: - ipv4_address: {{ DOCKER.containers['so-strelka-gatekeeper'].ip }} - entrypoint: redis-server --save "" --appendonly no --maxmemory-policy allkeys-lru - port_bindings: @@ -205,7 +205,7 @@ strelka_frontend: - privileged: True - name: so-strelka-frontend - networks: - - sosnet: + - sosbridge: - ipv4_address: {{ DOCKER.containers['so-strelka-frontend'].ip }} - command: strelka-frontend - port_bindings: @@ -224,7 +224,7 @@ strelka_backend: - /opt/so/conf/strelka/rules/:/etc/yara/:ro - name: so-strelka-backend - networks: - - sosnet: + - sosbridge: - ipv4_address: {{ DOCKER.containers['so-strelka-backend'].ip }} - command: strelka-backend - restart_policy: on-failure @@ -241,7 +241,7 @@ strelka_manager: - /opt/so/conf/strelka/manager/:/etc/strelka/:ro - name: so-strelka-manager - networks: - - sosnet: + - sosbridge: - ipv4_address: {{ DOCKER.containers['so-strelka-manager'].ip }} - command: strelka-manager @@ -258,7 +258,7 @@ strelka_filestream: - /nsm/strelka:/nsm/strelka - name: so-strelka-filestream - networks: - - sosnet: + - sosbridge: - ipv4_address: {{ DOCKER.containers['so-strelka-filestream'].ip }} - command: strelka-filestream From c35a3e122f6ab237eccf44d9acdb7f7d0735746d Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Tue, 3 Jan 2023 11:13:50 -0500 Subject: [PATCH 28/37] add ip to container.add containers to sosbridge --- salt/curator/init.sls | 2 ++ salt/docker/defaults.yaml | 4 ++++ salt/elastic-fleet-package-registry/init.sls | 4 ++++ 3 files changed, 10 insertions(+) diff --git a/salt/curator/init.sls b/salt/curator/init.sls index 9671020e5..0015bd2eb 100644 --- a/salt/curator/init.sls +++ b/salt/curator/init.sls 
@@ -128,6 +128,8 @@ so-curator:
- hostname: curator
- name: so-curator
- user: curator
+ - networks:
+ - sosbridge: []
- interactive: True
- tty: True
- binds:
diff --git a/salt/docker/defaults.yaml b/salt/docker/defaults.yaml
index 1a179e251..5c9487853 100644
--- a/salt/docker/defaults.yaml
+++ b/salt/docker/defaults.yaml
@@ -15,6 +15,10 @@ docker:
ports:
9200: tcp
9300: tcp
+ 'so-elastic-fleet-package-registry':
+ final_octet: 40
+ ports:
+ 8080: tcp
'so-filebeat':
final_octet: 23
'so-grafana':
diff --git a/salt/elastic-fleet-package-registry/init.sls b/salt/elastic-fleet-package-registry/init.sls
index f14ad47c7..acb8bfb63 100644
--- a/salt/elastic-fleet-package-registry/init.sls
+++ b/salt/elastic-fleet-package-registry/init.sls
@@ -4,6 +4,7 @@
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls in allowed_states %}
{% from 'vars/globals.map.jinja' import GLOBALS %}
+{% from 'docker/docker.map.jinja' import DOCKER %}
# Add Group
elasticsagentprgroup:
@@ -27,6 +28,9 @@ so-elastic-fleet-package-registry:
- hostname: Fleet-package-reg-{{ GLOBALS.hostname }}
- detach: True
- user: 948
+ - networks:
+ - sosbridge:
+ - ipv4_address: {{ DOCKER.containers['so-elastic-fleet-package-registry'].ip }}
- extra_hosts:
- {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
- port_bindings:
From 203e61245261e5912936ad1aa09f4121620c1d44 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Tue, 3 Jan 2023 11:21:05 -0500
Subject: [PATCH 29/37] enable icc and hostbinding on sosbridge
---
salt/docker/init.sls | 2 ++
1 file changed, 2 insertions(+)
diff --git a/salt/docker/init.sls b/salt/docker/init.sls
index f65e8eff8..f8f89e058 100644
--- a/salt/docker/init.sls
+++ b/salt/docker/init.sls
@@ -72,4 +72,6 @@ sos_docker_net:
com.docker.network.bridge.name: 'sosbridge'
com.docker.network.driver.mtu: '1500'
com.docker.network.bridge.enable_ip_masquerade: 'true'
+ com.docker.network.bridge.enable_icc: 'true'
+ com.docker.network.bridge.host_binding_ipv4: '0.0.0.0'
- unless: 'docker network ls | grep sosbridge'
From f10238da4205a24f2a38a9cced842ad9e5a7576b Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Wed, 4 Jan 2023 16:06:14 -0500
Subject: [PATCH 30/37] fw changes
---
salt/curator/init.sls | 4 ++-
salt/docker/defaults.yaml | 8 +++---
salt/firewall/containers.map.jinja | 2 ++
salt/firewall/hostgroups.yaml | 4 +--
salt/firewall/iptables.jinja | 46 +++++++++++++++++++++---------
5 files changed, 43 insertions(+), 21 deletions(-)
diff --git a/salt/curator/init.sls b/salt/curator/init.sls
index 0015bd2eb..293475187 100644
--- a/salt/curator/init.sls
+++ b/salt/curator/init.sls
@@ -6,6 +6,7 @@
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls in allowed_states %}
{% from 'vars/globals.map.jinja' import GLOBALS %}
+{% from 'docker/docker.map.jinja' import DOCKER %}
{% from "curator/map.jinja" import CURATOROPTIONS %}
{% from "curator/map.jinja" import CURATORMERGED %}
{% set REMOVECURATORCRON = False %}
@@ -129,7 +130,8 @@ so-curator:
- name: so-curator
- user: curator
- networks:
- - sosbridge: []
+ - sosbridge:
+ - ipv4_address: {{ DOCKER.containers['so-curator'].ip }}
- interactive: True
- tty: True
- binds:
diff --git a/salt/docker/defaults.yaml b/salt/docker/defaults.yaml
index 5c9487853..c8532b682 100644
--- a/salt/docker/defaults.yaml
+++ b/salt/docker/defaults.yaml
@@ -15,10 +15,6 @@ docker:
ports:
9200: tcp
9300: tcp
- 'so-elastic-fleet-package-registry':
- final_octet: 40
- ports:
- 8080: tcp
'so-filebeat':
final_octet: 23
'so-grafana':
@@ -82,3 +78,7 @@ docker:
final_octet: 42
'so-curator':
final_octet: 43
+ 'so-elastic-fleet-package-registry':
+ final_octet: 44
+ ports:
+ 8080: tcp
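Review bot: The two new bridge options are added under a state guarded by `unless: 'docker network ls | grep sosbridge'`, so on any host where sosbridge already exists the state is skipped and `enable_icc`/`host_binding_ipv4` never reach the network; these driver options are fixed at network creation, so the upgrade path needs either a recreate step or a comment saying the options only apply to fresh installs. Note also that `enable_icc: 'true'` lets every container on sosbridge reach every other container's ports regardless of the per-port iptables rules, and `host_binding_ipv4: '0.0.0.0'` publishes ports on all host interfaces, so the DOCKER/DOCKER-USER rules in iptables.jinja are the only thing limiting external exposure. Suggested comment above the two options: `# enable_icc/host_binding_ipv4 are baked in at network creation; the unless: below means changes here do not apply to an existing sosbridge.`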
diff --git a/salt/firewall/containers.map.jinja b/salt/firewall/containers.map.jinja
index f46968b75..4aa048375 100644
--- a/salt/firewall/containers.map.jinja
+++ b/salt/firewall/containers.map.jinja
@@ -1,6 +1,8 @@
{% set NODE_CONTAINERS = [
+ 'so-curator',
'so-dockerregistry',
'so-elasticsearch',
+ 'so-elastic-fleet-package-registry',
'so-grafana',
'so-influxdb',
'so-kibana',
diff --git a/salt/firewall/hostgroups.yaml b/salt/firewall/hostgroups.yaml
index d34a4bc0d..105b98144 100644
--- a/salt/firewall/hostgroups.yaml
+++ b/salt/firewall/hostgroups.yaml
@@ -1,4 +1,4 @@
-{%- set DNET = salt['pillar.get']('global:dockernet', '172.17.0.0') %}
+{% from 'docker/docker.map.jinja' import DOCKER %}
firewall:
hostgroups:
anywhere:
@@ -10,7 +10,7 @@ firewall:
ips:
delete:
insert:
- - {{ DNET }}/24
+ - {{ DOCKER.sosrange }}
localhost:
ips:
delete:
diff --git a/salt/firewall/iptables.jinja b/salt/firewall/iptables.jinja
index f02d51e32..cf70f5838 100644
--- a/salt/firewall/iptables.jinja
+++ b/salt/firewall/iptables.jinja
@@ -1,8 +1,9 @@
-{% from 'docker/docker.map.jinja' import DOCKER %}
-{% from 'firewall/containers.map.jinja' import NODE_CONTAINERS %}
-{% from 'firewall/map.jinja' import hostgroups with context %}
-{% from 'firewall/map.jinja' import assigned_hostgroups with context %}
+{% from 'docker/docker.map.jinja' import DOCKER -%}
+{% from 'firewall/containers.map.jinja' import NODE_CONTAINERS -%}
+{% from 'firewall/map.jinja' import hostgroups with context -%}
+{% from 'firewall/map.jinja' import assigned_hostgroups with context -%}
+# Generated by iptables-save v1.4.21 on Wed Jan 4 15:23:09 2023
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
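Review bot: `DOCKER.sosrange` is introduced in the hostgroups.yaml hunk and again in the iptables.jinja hunks that follow (and by the playbook and soc hunks later in the series), but nothing in this chunk adds a `sosrange` key to docker/defaults.yaml or docker.map.jinja, and this patch's diffstat touches neither docker.map.jinja nor a sosrange line in defaults.yaml; if the key is defined in a patch outside this chunk that is fine, otherwise every consumer renders an undefined attribute and the firewall state fails. The removed `pillar.get('global:dockernet', ...)` lookup also means any deployment that set that pillar key now silently gets the docker defaults instead; a comment at the top of hostgroups.yaml such as `# sosbridge subnet comes from docker:sosrange (pillar or docker/defaults.yaml); global:dockernet is no longer honoured` would record that. Minor: the replacement uses `{% ... %}` where the old line had `{%- ... %}`, so the rendered YAML gains a leading blank line — harmless, but `{%- from ... -%}` keeps the output identical.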
@@ -38,21 +39,25 @@ -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER -A OUTPUT -j OUTPUT_direct -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER --A POSTROUTING -s {{DOCKER.range}} ! -o sosbridge -j MASQUERADE +-A POSTROUTING -s {{DOCKER.sosrange}} ! -o sosbridge -j MASQUERADE -A POSTROUTING -j POSTROUTING_direct -A POSTROUTING -j POSTROUTING_ZONES_SOURCE -A POSTROUTING -j POSTROUTING_ZONES {%- for container in NODE_CONTAINERS %} -{%- for port, proto in DOCKER.containers[container].ports.items() %} +{%- if DOCKER.containers[container].ports is defined %} +{%- for port, proto in DOCKER.containers[container].ports.items() %} -A POSTROUTING -s {{DOCKER.containers[container].ip}}/32 -d {{DOCKER.containers[container].ip}}/32 -p {{proto}} -m {{proto}} --dport {{port}} -j MASQUERADE -{%- endfor %} +{%- endfor %} +{%- endif %} {%- endfor %} -A DOCKER -i sosbridge -j RETURN {%- for container in NODE_CONTAINERS %} -{%- for port, proto in DOCKER.containers[container].ports.items() %} +{%- if DOCKER.containers[container].ports is defined %} +{%- for port, proto in DOCKER.containers[container].ports.items() %} -A DOCKER ! -i sosbridge -p {{proto}} -m {{proto}} --dport {{port}} -j DNAT --to-destination {{DOCKER.containers[container].ip}}:{{port}} -{%- endfor %} +{%- endfor %} +{%- endif %} {%- endfor %} -A POSTROUTING_ZONES -o sosbridge -g POST_docker @@ -78,7 +83,8 @@ -A PRE_public -j PRE_public_deny -A PRE_public -j PRE_public_allow COMMIT - +# Completed on Wed Jan 4 15:23:09 2023 +# Generated by iptables-save v1.4.21 on Wed Jan 4 15:23:09 2023 *mangle :PREROUTING ACCEPT [0:0] :INPUT ACCEPT [0:0] @@ -119,7 +125,8 @@ COMMIT -A PRE_public -j PRE_public_deny -A PRE_public -j PRE_public_allow COMMIT - +# Completed on Wed Jan 4 15:23:09 2023 +# Generated by iptables-save v1.4.21 on Wed Jan 4 15:23:09 2023 *security :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] 
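Review bot: The DNAT rules emitted by the second loop match only on `--dport {{port}}` with no `-d` or source restriction, so every port listed under any NODE_CONTAINERS entry is redirected from every non-sosbridge interface, and if two containers declare the same port the first one in NODE_CONTAINERS order silently wins. The `is defined` guards are a good addition, but a render-time collision check (track emitted ports in a `namespace` and refuse to render on a repeat) would catch the duplicate case instead of leaving one container unreachable. The rules also assume the host port equals the container port (`--to-destination {{ip}}:{{port}}`), which only holds while defaults.yaml lists container-side ports; a comment on the loop stating both assumptions would help the next person editing defaults.yaml. The `-A FORWARD ... -o sosbridge -j DOCKER` dispatch is outside this hunk, so whether the DNATed packets then pass the filter table depends on the DOCKER-USER rules elsewhere in the file.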
@@ -131,7 +138,8 @@ COMMIT -A FORWARD -j FORWARD_direct -A OUTPUT -j OUTPUT_direct COMMIT - +# Completed on Wed Jan 4 15:23:09 2023 +# Generated by iptables-save v1.4.21 on Wed Jan 4 15:23:09 2023 *raw :PREROUTING ACCEPT [0:0] :OUTPUT ACCEPT [0:0] @@ -163,8 +171,8 @@ COMMIT -A PRE_public -j PRE_public_deny -A PRE_public -j PRE_public_allow COMMIT - - +# Completed on Wed Jan 4 15:23:09 2023 +# Generated by iptables-save v1.4.21 on Wed Jan 4 15:23:09 2023 *filter :INPUT ACCEPT [0:0] :FORWARD DROP [0:0] @@ -255,6 +263,15 @@ COMMIT -A OUTPUT -o lo -j ACCEPT -A OUTPUT -j OUTPUT_direct -A OUTPUT -p icmp -m icmp --icmp-type 14 -j DROP + +{%- for container in NODE_CONTAINERS %} +{%- if DOCKER.containers[container].ports is defined %} +{%- for port, proto in DOCKER.containers[container].ports.items() %} +-A DOCKER -d {{DOCKER.containers[container].ip}}/32 ! -i sosbridge -o sosbridge -p {{proto}} -m {{proto}} --dport {{port}} -j ACCEPT +{%- endfor %} +{%- endif %} +{%- endfor %} + -A DOCKER-ISOLATION-STAGE-1 -i sosbridge ! -o sosbridge -j DOCKER-ISOLATION-STAGE-2 -A DOCKER-ISOLATION-STAGE-1 -j RETURN -A DOCKER-ISOLATION-STAGE-2 -o sosbridge -j DROP @@ -304,3 +321,4 @@ COMMIT -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables-dropped: " -A LOGGING -j DROP COMMIT +# Completed on Wed Jan 4 15:23:09 2023 From cb1822a62dff0b2c41f0fa017f0f7ddc0764a147 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Thu, 5 Jan 2023 15:57:06 -0500 Subject: [PATCH 31/37] change ref to DOCKER.sosrange --- salt/playbook/init.sls | 4 ++-- salt/soc/defaults.map.jinja | 3 ++- salt/vars/globals.map.jinja | 1 - 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/salt/playbook/init.sls b/salt/playbook/init.sls index 1a8ae7f67..88f86d31d 100644 --- a/salt/playbook/init.sls +++ b/salt/playbook/init.sls 
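Review bot: The generated `-A DOCKER -d <ip>/32 ! -i sosbridge -o sosbridge -p <proto> --dport <port> -j ACCEPT` rules accept NEW forwarded traffic to every declared container port from any source address, so together with the nat DNAT rules the per-container `ports:` lists in docker/defaults.yaml become the public exposure list; the only place that can narrow the sources is what runs before the DOCKER chain in FORWARD, i.e. DOCKER-USER (which in this version still logs and drops `! -i sosbridge -o sosbridge` traffic). If the intent is that the hostgroup allow-lists also govern container ports, that restriction has to be expressed in DOCKER-USER — this hunk does not show it, and the `assigned_hostgroups` loop at the top of *filter is outside the hunk, so I cannot confirm it covers FORWARD. A comment above the loop, e.g. `# Every port listed for a NODE_CONTAINERS entry is ACCEPTed here from any external source; source restrictions belong in DOCKER-USER.`, would make the trust boundary explicit.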
@@ -18,7 +18,7 @@ create_playbookdbuser:
mysql_user.present:
- name: playbookdbuser
- password: {{ PLAYBOOKPASS }}
- - host: "{{ GLOBALS.docker_range.split('/')[0] }}/255.255.255.0"
+ - host: "{{ DOCKER.sosrange.split('/')[0] }}/255.255.255.0"
- connection_host: {{ GLOBALS.manager_ip }}
- connection_port: 3306
- connection_user: root
@@ -27,7 +27,7 @@ create_playbookdbuser:
query_playbookdbuser_grants:
mysql_query.run:
- database: playbook
- - query: "GRANT ALL ON playbook.* TO 'playbookdbuser'@'{{ GLOBALS.docker_range.split('/')[0] }}/255.255.255.0';"
+ - query: "GRANT ALL ON playbook.* TO 'playbookdbuser'@'{{ DOCKER.sosrange.split('/')[0] }}/255.255.255.0';"
- connection_host: {{ GLOBALS.manager_ip }}
- connection_port: 3306
- connection_user: root
diff --git a/salt/soc/defaults.map.jinja b/salt/soc/defaults.map.jinja
index facba77c8..c1d0e6bd0 100644
--- a/salt/soc/defaults.map.jinja
+++ b/salt/soc/defaults.map.jinja
@@ -1,5 +1,6 @@
{% import_yaml 'soc/defaults.yaml' as SOCDEFAULTS %}
{% from 'vars/globals.map.jinja' import GLOBALS %}
+{% from 'docker/docker.map.jinja' import DOCKER -%}
{% for module, application_url in GLOBALS.application_urls.items() %}
{% do SOCDEFAULTS.soc.server.modules[module].update({'hostUrl': application_url}) %}
@@ -18,7 +19,7 @@
{% do SOCDEFAULTS.soc.server.modules.influxdb.update({'hostUrl': 'https://' ~ GLOBALS.manager_ip ~ ':8086'}) %}
{% endif %}
-{% do SOCDEFAULTS.soc.server.modules.statickeyauth.update({'anonymousCidr': GLOBALS.docker_range, 'apiKey': pillar.sensoroni.sensoronikey}) %}
+{% do SOCDEFAULTS.soc.server.modules.statickeyauth.update({'anonymousCidr': DOCKER.sosrange, 'apiKey': pillar.sensoroni.sensoronikey}) %}
{% do SOCDEFAULTS.soc.server.client.case.update({'analyzerNodeId': GLOBALS.minion_id}) %}
diff --git a/salt/vars/globals.map.jinja b/salt/vars/globals.map.jinja
index a88b77e45..445be9bc7 100644
--- a/salt/vars/globals.map.jinja
+++ b/salt/vars/globals.map.jinja
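Review bot: Both rewritten playbook lines take only the network part of `DOCKER.sosrange` and then hard-code `/255.255.255.0`, so the MySQL account host pattern is correct only while sosrange is a /24; a wider or narrower sosrange silently grants or denies the wrong hosts, and `split('/')[0]` also hides the mismatch at render time. Either derive the mask from the prefix length or record the assumption next to the first use: `# playbookdbuser is granted to the sosbridge /24; DOCKER.sosrange is assumed to be a /24 here`. In the soc/defaults.map.jinja hunk the new import uses `-%}` while the line above it uses `%}`; consistent trailing whitespace control keeps the rendered output predictable.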
@@ -23,7 +23,6 @@
'url_base': INIT.PILLAR.global.url_base,
'so_model': INIT.GRAINS.get('sosmodel',''),
'description': INIT.PILLAR.sensoroni.get('node_description',''),
- 'docker_range': INIT.PILLAR.docker.range,
'sensoroni_key': INIT.PILLAR.sensoroni.sensoronikey,
'os': INIT.GRAINS.os,
'application_urls': {},
From 4aacc6d1db4e05f02ac19834e115f5c5bad7bd3c Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Fri, 6 Jan 2023 11:09:09 -0500
Subject: [PATCH 32/37] change role names in so-firewall-minion
---
salt/common/tools/sbin/so-firewall-minion | 23 ++++++++++------------
1 file changed, 10 insertions(+), 13 deletions(-)
diff --git a/salt/common/tools/sbin/so-firewall-minion b/salt/common/tools/sbin/so-firewall-minion
index a732fa8ac..acedcffeb 100755
--- a/salt/common/tools/sbin/so-firewall-minion
+++ b/salt/common/tools/sbin/so-firewall-minion
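Review bot: Removing `docker_range` from GLOBALS breaks any template still reading `GLOBALS.docker_range`; this patch's diffstat rewrites only playbook/init.sls and soc/defaults.map.jinja, so a repository-wide search for `docker_range` before merging would confirm nothing else is left behind, since an undefined attribute only surfaces when the affected state is rendered. If other consumers exist, keeping a `docker_range` entry that resolves to the same value as `DOCKER.sosrange` for one release is a cheaper transition than a hard removal.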
@@ -49,33 +49,30 @@ fi
case "$ROLE" in
'MANAGER')
- so-firewall includehost manager "$IP"
- so-firewall --apply includehost minion "$IP"
+ so-firewall --role=manager --ip="$IP"
;;
'EVAL' | 'MANAGERSEARCH' | 'STANDALONE' | 'IMPORT')
- so-firewall includehost manager "$IP"
- so-firewall includehost minion "$IP"
- so-firewall includehost sensor "$IP"
- so-firewall --apply includehost search_node "$IP"
+ so-firewall --role=manager --ip="$IP"
+ so-firewall --role=sensors --ip="$IP"
+ so-firewall --apply --role=searchnodes --ip="$IP"
;;
'SENSOR' | 'SEARCHNODE' | 'HEAVYNODE' | 'IDH' | 'RECEIVER')
- so-firewall includehost minion "$IP"
case "$ROLE" in
'SENSOR')
- so-firewall --apply includehost sensor "$IP"
+ so-firewall --apply --role=sensors --ip="$IP"
;;
'SEARCHNODE')
- so-firewall --apply includehost search_node "$IP"
+ so-firewall --apply --role=searchnodes --ip="$IP"
;;
'HEAVYNODE')
- so-firewall includehost sensor "$IP"
- so-firewall --apply includehost heavy_node "$IP"
+ so-firewall --role=sensors --ip="$IP"
+ so-firewall --apply --role=heavynodes --ip="$IP"
;;
'IDH')
- so-firewall --apply includehost beats_endpoint_ssl "$IP"
+ so-firewall --apply --role=beats_endpoint_ssl --ip="$IP"
;;
'RECEIVER')
- so-firewall --apply includehost receiver "$IP"
+ so-firewall --apply --role=receivers --ip="$IP"
;;
esac
;;
From dbbcea0009df7d75f9d59f7cb449a893ab8ee119 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Mon, 9 Jan 2023 11:53:32 -0500
Subject: [PATCH 33/37] look for True
---
salt/common/tools/sbin/so-minion | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/common/tools/sbin/so-minion b/salt/common/tools/sbin/so-minion
index a3df38064..bde47991f 100755
--- a/salt/common/tools/sbin/so-minion
+++ b/salt/common/tools/sbin/so-minion
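Review bot: The `'MANAGER')` branch is now the only one that calls `so-firewall` without `--apply`: before this change its last call was `so-firewall --apply includehost minion "$IP"`, and every other branch still ends in an `--apply` call, so if `--apply` is still what pushes the rule set to the host, a manager minion's entry is recorded but not applied until something else runs the firewall state. Unless `--role=` mode applies implicitly (so-firewall itself is not in this chunk), the line should read `so-firewall --apply --role=manager --ip="$IP"`. The `minion` hostgroup registration that every role used to perform is also gone; if that group still exists in hostgroups.yaml, minions are no longer added to it, which is worth a sentence in the commit message or a comment above the `case`.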
@@ -206,7 +206,7 @@ function createSTANDALONE() {
}
function testConnection() {
- retry 15 3 "salt '$MINION_ID' test.ping" 0
+ retry 15 3 "salt '$MINION_ID' test.ping" True
local ret=$?
if [[ $ret != 0 ]]; then
echo "The Minion has been accepted but is not online. Try again later"
From ec5c565cec2c1cc52d9e765c026dcdaf904cfd0e Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Mon, 9 Jan 2023 14:49:33 -0500
Subject: [PATCH 34/37] put elastalert on sosbridge
---
salt/elastalert/init.sls | 3 +++
1 file changed, 3 insertions(+)
diff --git a/salt/elastalert/init.sls b/salt/elastalert/init.sls
index f62c1fed7..16ba95293 100644
--- a/salt/elastalert/init.sls
+++ b/salt/elastalert/init.sls
@@ -86,6 +86,9 @@ so-elastalert:
- hostname: elastalert
- name: so-elastalert
- user: so-elastalert
+ - networks:
+ - sosbridge:
+ - ipv4_address: {{ DOCKER.containers['so-elastalert'].ip }}
- detach: True
- binds:
- /opt/so/rules/elastalert:/opt/elastalert/rules/:ro
From ac157432de3ea2657693f65b36ca92bf9df80d42 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Mon, 9 Jan 2023 14:58:36 -0500
Subject: [PATCH 35/37] include docker
---
salt/elastalert/init.sls | 1 +
1 file changed, 1 insertion(+)
diff --git a/salt/elastalert/init.sls b/salt/elastalert/init.sls
index 16ba95293..1db789935 100644
--- a/salt/elastalert/init.sls
+++ b/salt/elastalert/init.sls
@@ -5,6 +5,7 @@
{% if sls in allowed_states %}
{% from 'vars/globals.map.jinja' import GLOBALS %}
+{% from 'docker/docker.map.jinja' import DOCKER %}
{% from 'elastalert/elastalert_config.map.jinja' import ELASTALERT as elastalert_config with context %}
# Create the group
From 5058210bbb92905e97c4ff0ddf4b64dba702c39a Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Mon, 9 Jan 2023 14:59:55 -0500
Subject: [PATCH 36/37] Changes to iptables.jinja
---
salt/firewall/iptables.jinja | 234 -----------------------------------
1 file changed, 234 deletions(-)
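Review bot: The new `ipv4_address` for so-elastalert reads `DOCKER.containers['so-elastalert'].ip`, but no hunk in this chunk adds an `so-elastalert` entry to docker/defaults.yaml and the commit touches only elastalert/init.sls; unless the entry already exists, the state fails at render time with an undefined key rather than at container start. The same applies to `firewall/containers.map.jinja` if elastalert is meant to publish ports — without a NODE_CONTAINERS entry no DNAT/ACCEPT rules are generated for it, which is fine for a container that only makes outbound connections but should be a deliberate choice. A comment beside the new block, `# static IP on sosbridge; the address comes from docker/defaults.yaml (docker:containers:so-elastalert)`, would point the next editor at the right file.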
diff --git a/salt/firewall/iptables.jinja b/salt/firewall/iptables.jinja index cf70f5838..b1d884cd1 100644 --- a/salt/firewall/iptables.jinja +++ b/salt/firewall/iptables.jinja @@ -2,48 +2,15 @@ {% from 'firewall/containers.map.jinja' import NODE_CONTAINERS -%} {% from 'firewall/map.jinja' import hostgroups with context -%} {% from 'firewall/map.jinja' import assigned_hostgroups with context -%} - -# Generated by iptables-save v1.4.21 on Wed Jan 4 15:23:09 2023 *nat :PREROUTING ACCEPT [0:0] :INPUT ACCEPT [0:0] :OUTPUT ACCEPT [0:0] :POSTROUTING ACCEPT [0:0] :DOCKER - [0:0] -:OUTPUT_direct - [0:0] -:POSTROUTING_ZONES - [0:0] -:POSTROUTING_ZONES_SOURCE - [0:0] -:POSTROUTING_direct - [0:0] -:POST_docker - [0:0] -:POST_docker_allow - [0:0] -:POST_docker_deny - [0:0] -:POST_docker_log - [0:0] -:POST_public - [0:0] -:POST_public_allow - [0:0] -:POST_public_deny - [0:0] -:POST_public_log - [0:0] -:PREROUTING_ZONES - [0:0] -:PREROUTING_ZONES_SOURCE - [0:0] -:PREROUTING_direct - [0:0] -:PRE_docker - [0:0] -:PRE_docker_allow - [0:0] -:PRE_docker_deny - [0:0] -:PRE_docker_log - [0:0] -:PRE_public - [0:0] -:PRE_public_allow - [0:0] -:PRE_public_deny - [0:0] -:PRE_public_log - [0:0] --A PREROUTING -j PREROUTING_direct --A PREROUTING -j PREROUTING_ZONES_SOURCE --A PREROUTING -j PREROUTING_ZONES -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER --A OUTPUT -j OUTPUT_direct -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER -A POSTROUTING -s {{DOCKER.sosrange}} ! -o sosbridge -j MASQUERADE --A POSTROUTING -j POSTROUTING_direct --A POSTROUTING -j POSTROUTING_ZONES_SOURCE --A POSTROUTING -j POSTROUTING_ZONES - {%- for container in NODE_CONTAINERS %} {%- if DOCKER.containers[container].ports is defined %} {%- for port, proto in DOCKER.containers[container].ports.items() %} 
@@ -60,119 +27,7 @@ {%- endif %} {%- endfor %} --A POSTROUTING_ZONES -o sosbridge -g POST_docker --A POSTROUTING_ZONES -o bond0 -g POST_public --A POSTROUTING_ZONES -o eth1 -g POST_public --A POSTROUTING_ZONES -o eth0 -g POST_public --A POSTROUTING_ZONES -g POST_public --A POST_docker -j POST_docker_log --A POST_docker -j POST_docker_deny --A POST_docker -j POST_docker_allow --A POST_public -j POST_public_log --A POST_public -j POST_public_deny --A POST_public -j POST_public_allow --A PREROUTING_ZONES -i sosbridge -g PRE_docker --A PREROUTING_ZONES -i bond0 -g PRE_public --A PREROUTING_ZONES -i eth1 -g PRE_public --A PREROUTING_ZONES -i eth0 -g PRE_public --A PREROUTING_ZONES -g PRE_public --A PRE_docker -j PRE_docker_log --A PRE_docker -j PRE_docker_deny --A PRE_docker -j PRE_docker_allow --A PRE_public -j PRE_public_log --A PRE_public -j PRE_public_deny --A PRE_public -j PRE_public_allow COMMIT -# Completed on Wed Jan 4 15:23:09 2023 -# Generated by iptables-save v1.4.21 on Wed Jan 4 15:23:09 2023 -*mangle -:PREROUTING ACCEPT [0:0] -:INPUT ACCEPT [0:0] -:FORWARD ACCEPT [0:0] -:OUTPUT ACCEPT [0:0] -:POSTROUTING ACCEPT [0:0] -:FORWARD_direct - [0:0] -:INPUT_direct - [0:0] -:OUTPUT_direct - [0:0] -:POSTROUTING_direct - [0:0] -:PREROUTING_ZONES - [0:0] -:PREROUTING_ZONES_SOURCE - [0:0] -:PREROUTING_direct - [0:0] -:PRE_docker - [0:0] -:PRE_docker_allow - [0:0] -:PRE_docker_deny - [0:0] -:PRE_docker_log - [0:0] -:PRE_public - [0:0] -:PRE_public_allow - [0:0] -:PRE_public_deny - [0:0] -:PRE_public_log - [0:0] --A PREROUTING -j PREROUTING_direct --A PREROUTING -j PREROUTING_ZONES_SOURCE --A PREROUTING -j PREROUTING_ZONES --A INPUT -j INPUT_direct --A FORWARD -j FORWARD_direct --A OUTPUT -j OUTPUT_direct --A POSTROUTING -j POSTROUTING_direct --A PREROUTING_ZONES -i sosbridge -g PRE_docker --A PREROUTING_ZONES -i bond0 -g PRE_public --A PREROUTING_ZONES -i eth1 -g PRE_public --A PREROUTING_ZONES -i eth0 -g PRE_public --A PREROUTING_ZONES -g PRE_public --A PRE_docker -j 
PRE_docker_log --A PRE_docker -j PRE_docker_deny --A PRE_docker -j PRE_docker_allow --A PRE_public -j PRE_public_log --A PRE_public -j PRE_public_deny --A PRE_public -j PRE_public_allow -COMMIT -# Completed on Wed Jan 4 15:23:09 2023 -# Generated by iptables-save v1.4.21 on Wed Jan 4 15:23:09 2023 -*security -:INPUT ACCEPT [0:0] -:FORWARD ACCEPT [0:0] -:OUTPUT ACCEPT [0:0] -:FORWARD_direct - [0:0] -:INPUT_direct - [0:0] -:OUTPUT_direct - [0:0] --A INPUT -j INPUT_direct --A FORWARD -j FORWARD_direct --A OUTPUT -j OUTPUT_direct -COMMIT -# Completed on Wed Jan 4 15:23:09 2023 -# Generated by iptables-save v1.4.21 on Wed Jan 4 15:23:09 2023 -*raw -:PREROUTING ACCEPT [0:0] -:OUTPUT ACCEPT [0:0] -:OUTPUT_direct - [0:0] -:PREROUTING_ZONES - [0:0] -:PREROUTING_ZONES_SOURCE - [0:0] -:PREROUTING_direct - [0:0] -:PRE_docker - [0:0] -:PRE_docker_allow - [0:0] -:PRE_docker_deny - [0:0] -:PRE_docker_log - [0:0] -:PRE_public - [0:0] -:PRE_public_allow - [0:0] -:PRE_public_deny - [0:0] -:PRE_public_log - [0:0] --A PREROUTING -j PREROUTING_direct --A PREROUTING -j PREROUTING_ZONES_SOURCE --A PREROUTING -j PREROUTING_ZONES --A OUTPUT -j OUTPUT_direct --A PREROUTING_ZONES -i sosbridge -g PRE_docker --A PREROUTING_ZONES -i bond0 -g PRE_public --A PREROUTING_ZONES -i eth1 -g PRE_public --A PREROUTING_ZONES -i eth0 -g PRE_public --A PREROUTING_ZONES -g PRE_public --A PRE_docker -j PRE_docker_log --A PRE_docker -j PRE_docker_deny --A PRE_docker -j PRE_docker_allow --A PRE_public -j PRE_public_log --A PRE_public -j PRE_public_deny --A PRE_public -j PRE_public_allow -COMMIT -# Completed on Wed Jan 4 15:23:09 2023 -# Generated by iptables-save v1.4.21 on Wed Jan 4 15:23:09 2023 *filter :INPUT ACCEPT [0:0] :FORWARD DROP [0:0] 
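Review bot: Dropping the `*mangle`, `*security` and `*raw` sections means iptables-restore no longer touches those tables, so on a host that already applied the previous version the now-orphaned zone chains (PREROUTING_ZONES, PRE_docker, PRE_public and friends) stay loaded until a reboot or an explicit flush; nothing jumps to them any more, so this is clutter rather than a hole, but it will confuse anyone diffing `iptables-save` output against this template. A one-line comment near the top of the file, e.g. `# Only nat and filter are managed here; mangle/security/raw are left at kernel defaults`, plus a flush of those three tables in the state that loads this file if clean output matters, would close that gap. This hunk starts on the previous line.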
@@ -181,40 +36,7 @@ COMMIT :DOCKER-ISOLATION-STAGE-1 - [0:0] :DOCKER-ISOLATION-STAGE-2 - [0:0] :DOCKER-USER - [0:0] -:FORWARD_IN_ZONES - [0:0] -:FORWARD_IN_ZONES_SOURCE - [0:0] -:FORWARD_OUT_ZONES - [0:0] -:FORWARD_OUT_ZONES_SOURCE - [0:0] -:FORWARD_direct - [0:0] -:FWDI_docker - [0:0] -:FWDI_docker_allow - [0:0] -:FWDI_docker_deny - [0:0] -:FWDI_docker_log - [0:0] -:FWDI_public - [0:0] -:FWDI_public_allow - [0:0] -:FWDI_public_deny - [0:0] -:FWDI_public_log - [0:0] -:FWDO_docker - [0:0] -:FWDO_docker_allow - [0:0] -:FWDO_docker_deny - [0:0] -:FWDO_docker_log - [0:0] -:FWDO_public - [0:0] -:FWDO_public_allow - [0:0] -:FWDO_public_deny - [0:0] -:FWDO_public_log - [0:0] -:INPUT_ZONES - [0:0] -:INPUT_ZONES_SOURCE - [0:0] -:INPUT_direct - [0:0] -:IN_docker - [0:0] -:IN_docker_allow - [0:0] -:IN_docker_deny - [0:0] -:IN_docker_log - [0:0] -:IN_public - [0:0] -:IN_public_allow - [0:0] -:IN_public_deny - [0:0] -:IN_public_log - [0:0] :LOGGING - [0:0] -:OUTPUT_direct - [0:0] {%- set count = namespace(value=0) %} {%- for chain, hg in assigned_hostgroups.chain.items() %} @@ -237,12 +59,7 @@ COMMIT {%- endfor %} -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT --A INPUT -i lo -j ACCEPT --A INPUT -j INPUT_direct --A INPUT -j INPUT_ZONES_SOURCE --A INPUT -j INPUT_ZONES -A INPUT -m conntrack --ctstate INVALID -j DROP --A INPUT -j REJECT --reject-with icmp-host-prohibited -A INPUT -p icmp -j ACCEPT -A INPUT -j LOGGING -A FORWARD -j DOCKER-USER 
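Review bot: `-A INPUT -i lo -j ACCEPT` is removed along with the zone dispatch, and the INPUT chain now ends in `-A INPUT -j LOGGING` (which drops), so a NEW connection over loopback is accepted only if the hostgroup chains generated by the `assigned_hostgroups` loop above admit 127.0.0.1; hostgroups.yaml does carry a `localhost` group, so this is presumably covered, but it makes every local service depend on pillar-driven rules. Keeping the explicit rule right after the RELATED,ESTABLISHED accept, `-A INPUT -i lo -j ACCEPT`, is cheap and removes that dependency. The dropped `-A INPUT -j REJECT --reject-with icmp-host-prohibited` is safe to lose only because LOGGING drops; a comment on the `-A INPUT -j LOGGING` line, `# terminal drop for INPUT`, would make that intent explicit.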
@@ -252,16 +69,6 @@ COMMIT -A FORWARD -i sosbridge ! -o sosbridge -j ACCEPT -A FORWARD -i sosbridge -o sosbridge -j ACCEPT -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT --A FORWARD -i lo -j ACCEPT --A FORWARD -j FORWARD_direct --A FORWARD -j FORWARD_IN_ZONES_SOURCE --A FORWARD -j FORWARD_IN_ZONES --A FORWARD -j FORWARD_OUT_ZONES_SOURCE --A FORWARD -j FORWARD_OUT_ZONES --A FORWARD -m conntrack --ctstate INVALID -j DROP --A FORWARD -j REJECT --reject-with icmp-host-prohibited --A OUTPUT -o lo -j ACCEPT --A OUTPUT -j OUTPUT_direct -A OUTPUT -p icmp -m icmp --icmp-type 14 -j DROP {%- for container in NODE_CONTAINERS %} 
@@ -277,48 +84,7 @@ COMMIT -A DOCKER-ISOLATION-STAGE-2 -o sosbridge -j DROP -A DOCKER-ISOLATION-STAGE-2 -j RETURN -A DOCKER-USER ! -i sosbridge -o sosbridge -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT --A DOCKER-USER ! -i sosbridge -o sosbridge -j LOGGING -A DOCKER-USER -j RETURN --A FORWARD_IN_ZONES -i sosbridge -g FWDI_docker --A FORWARD_IN_ZONES -i bond0 -g FWDI_public --A FORWARD_IN_ZONES -i eth1 -g FWDI_public --A FORWARD_IN_ZONES -i eth0 -g FWDI_public --A FORWARD_IN_ZONES -g FWDI_public --A FORWARD_OUT_ZONES -o sosbridge -g FWDO_docker --A FORWARD_OUT_ZONES -o bond0 -g FWDO_public --A FORWARD_OUT_ZONES -o eth1 -g FWDO_public --A FORWARD_OUT_ZONES -o eth0 -g FWDO_public --A FORWARD_OUT_ZONES -g FWDO_public --A FWDI_docker -j FWDI_docker_log --A FWDI_docker -j FWDI_docker_deny --A FWDI_docker -j FWDI_docker_allow --A FWDI_docker -j ACCEPT --A FWDI_public -j FWDI_public_log --A FWDI_public -j FWDI_public_deny --A FWDI_public -j FWDI_public_allow --A FWDI_public -p icmp -j ACCEPT --A FWDO_docker -j FWDO_docker_log --A FWDO_docker -j FWDO_docker_deny --A FWDO_docker -j FWDO_docker_allow --A FWDO_docker -j ACCEPT --A FWDO_public -j FWDO_public_log --A FWDO_public -j FWDO_public_deny --A FWDO_public -j FWDO_public_allow --A INPUT_ZONES -i sosbridge -g IN_docker --A INPUT_ZONES -i bond0 -g IN_public --A INPUT_ZONES -i eth1 -g IN_public --A INPUT_ZONES -i eth0 -g IN_public --A INPUT_ZONES -g IN_public --A IN_docker -j IN_docker_log --A IN_docker -j IN_docker_deny --A IN_docker -j IN_docker_allow --A IN_docker -j ACCEPT --A IN_public -j IN_public_log --A IN_public -j IN_public_deny --A IN_public -j IN_public_allow --A IN_public -p icmp -j ACCEPT --A IN_public_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables-dropped: " -A LOGGING -j DROP COMMIT -# Completed on Wed Jan 4 15:23:09 2023 From 3e9bddcd11bc070f0f634dbb7bd784fb902e8b32 Mon Sep 17 00:00:00 2001 
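Review bot: Removing `-A DOCKER-USER ! -i sosbridge -o sosbridge -j LOGGING` changes policy, not just layout: in the previous version every NEW forwarded packet from a host interface towards a container was logged and dropped in DOCKER-USER, whereas now it falls through `-A DOCKER-USER -j RETURN` into the DOCKER chain, where the generated per-port ACCEPT rules earlier in this file admit it from any source. If container ports are meant to be limited to the firewall hostgroups, the allow rules for those groups have to be inserted into DOCKER-USER ahead of the RETURN; the `assigned_hostgroups` loop at the top of *filter is outside this hunk, so I cannot tell whether it already does that. In the same hunk the only explicit SSH accept, `-A IN_public_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT`, goes away with the zone chains, so port 22 must now come from the hostgroup rules — worth verifying on a remotely managed host before this is applied, since INPUT ends in a drop.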
From: Mike Reeves
Date: Mon, 9 Jan 2023 15:36:23 -0500
Subject: [PATCH 37/37] Changes to iptables.jinja
---
setup/so-setup | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/setup/so-setup b/setup/so-setup
index cdbbf2d80..ab6f4f491 100755
--- a/setup/so-setup
+++ b/setup/so-setup
@@ -552,6 +552,7 @@ if ! [[ -f $install_opt_file ]]; then
generate_ca
generate_ssl
+ logCmd "salt-call state.apply -l info firewall"
# create these so the registry state can add so-registry to /opt/so/conf/so-status/so-status.conf
logCmd "mkdir -p /opt/so/conf/so-status/ "
@@ -564,7 +565,6 @@ if ! [[ -f $install_opt_file ]]; then
docker_seed_registry
title "Applying the manager state"
logCmd "salt-call state.apply -l info manager"
- logCmd "salt-call state.apply -l info firewall"
logCmd "salt-call state.highstate -l info"
add_web_user
info "Restarting SOC to pick up initial user"