CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2026-03-24 21:42:42 +01:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: CSEC_PUBLIC:customulimit
Branches Tags
CSEC_PUBLIC:master CSEC_PUBLIC:3/dev CSEC_PUBLIC:yaracomments CSEC_PUBLIC:lowercasefix CSEC_PUBLIC:TOoSmOotH-patch-1 CSEC_PUBLIC:delta CSEC_PUBLIC:fix/idh-skins CSEC_PUBLIC:jertel/wip CSEC_PUBLIC:zeek-websocket CSEC_PUBLIC:quickfixes CSEC_PUBLIC:customulimit CSEC_PUBLIC:ulimits CSEC_PUBLIC:reyesj2-449 CSEC_PUBLIC:reyesj2-15601 CSEC_PUBLIC:zeekload CSEC_PUBLIC:moreja CSEC_PUBLIC:analyzer-cp314-wheels CSEC_PUBLIC:moresoup CSEC_PUBLIC:mreeves/remove-non-oracle9-salt CSEC_PUBLIC:mreeves/remove-non-oracle9-support CSEC_PUBLIC:TOoSmOotH-patch-6 CSEC_PUBLIC:2.4/dev CSEC_PUBLIC:2.4/main CSEC_PUBLIC:patch/2.4.211 CSEC_PUBLIC:TOoSmOotH-patch-5 CSEC_PUBLIC:stenoclean CSEC_PUBLIC:fix/suricatatest CSEC_PUBLIC:bravo CSEC_PUBLIC:kilo CSEC_PUBLIC:foxtrot CSEC_PUBLIC:3/dev-merge-fix CSEC_PUBLIC:2.4.210 CSEC_PUBLIC:TOoSmOotH-patch-2 CSEC_PUBLIC:3/main CSEC_PUBLIC:patch/2.4.201 CSEC_PUBLIC:reyesj2/elastic-statereview CSEC_PUBLIC:2.4/playbooklocalrepo CSEC_PUBLIC:kaffytaffy CSEC_PUBLIC:2.3/main CSEC_PUBLIC:dev CSEC_PUBLIC:sysusers CSEC_PUBLIC:feature/users
CSEC_PUBLIC:2.4.211-20260312 CSEC_PUBLIC:2.4.210-20260302 CSEC_PUBLIC:2.4.201-20260114 CSEC_PUBLIC:2.4.200-20251216 CSEC_PUBLIC:2.4.190-20251024 CSEC_PUBLIC:2.4.180-20250916 CSEC_PUBLIC:2.4.170-20250812 CSEC_PUBLIC:2.4.160-20250625 CSEC_PUBLIC:2.4.160-20250615 CSEC_PUBLIC:2.4.150-20250522 CSEC_PUBLIC:2.4.150-20250512 CSEC_PUBLIC:2.4.141-20250331 CSEC_PUBLIC:2.4.140-20250324 CSEC_PUBLIC:2.4.130-20250311 CSEC_PUBLIC:2.4.120-20250212 CSEC_PUBLIC:2.4.111-20241217 CSEC_PUBLIC:2.4.110-20241010 CSEC_PUBLIC:2.4.110-20241004 CSEC_PUBLIC:2.4.100-20240903 CSEC_PUBLIC:2.4.100-20240829 CSEC_PUBLIC:2.4.90-20240729 CSEC_PUBLIC:2.4.80-20240624 CSEC_PUBLIC:2.4.80-20240625 CSEC_PUBLIC:2.4.70-20240529 CSEC_PUBLIC:2.3.300-20240401 CSEC_PUBLIC:2.4.60-20240320 CSEC_PUBLIC:2.3.290-20240229 CSEC_PUBLIC:2.4.50-20240220 CSEC_PUBLIC:2.4.40-20240116 CSEC_PUBLIC:2.4.30-20231228 CSEC_PUBLIC:2.4.30-20231219 CSEC_PUBLIC:2.4.30-20231204 CSEC_PUBLIC:2.3.280-20231128 CSEC_PUBLIC:2.4.30-20231121 CSEC_PUBLIC:2.4.30-20231117 CSEC_PUBLIC:2.4.30-20231113 CSEC_PUBLIC:2.4.20-20231012 CSEC_PUBLIC:2.4.20-20231006 CSEC_PUBLIC:2.3.270-1006 CSEC_PUBLIC:2.4.10-202030821 CSEC_PUBLIC:2.4.10-20230815 CSEC_PUBLIC:2.4.5-20230807 CSEC_PUBLIC:2.4.5 CSEC_PUBLIC:2.4.4-20230728 CSEC_PUBLIC:2.4.3-20230711 CSEC_PUBLIC:2.3.260-20230620 CSEC_PUBLIC:2.4.2-20230531 CSEC_PUBLIC:2.3.250-20230519 CSEC_PUBLIC:2.3.240-20220426 CSEC_PUBLIC:2.4.1-20230424 CSEC_PUBLIC:2.3.230-20230417 CSEC_PUBLIC:2.4.0-20230328 CSEC_PUBLIC:2.3.220-20230301 CSEC_PUBLIC:2.3.220-20230224 CSEC_PUBLIC:2.3.210-20230202 CSEC_PUBLIC:2.3.200-20230113 CSEC_PUBLIC:2.3.190-20221207 CSEC_PUBLIC:2.3.190-20221205 CSEC_PUBLIC:2.3.182-20221109 CSEC_PUBLIC:2.3.181-20221021 CSEC_PUBLIC:2.3.180-20221014 CSEC_PUBLIC:2.3.170-20220922 CSEC_PUBLIC:2.3.160-20220829 CSEC_PUBLIC:2.3.150-20220820 CSEC_PUBLIC:2.3.140-20220812 CSEC_PUBLIC:2.3.140-20220719 CSEC_PUBLIC:2.3.140-20220718 CSEC_PUBLIC:2.3.130-20220607 CSEC_PUBLIC:2.3.120 CSEC_PUBLIC:2.3.110-20220407 CSEC_PUBLIC:2.3.110-20220405 CSEC_PUBLIC:2.3.110-20220401 CSEC_PUBLIC:2.3.110-20220309 CSEC_PUBLIC:2.3.100-20220301 CSEC_PUBLIC:2.3.100-20220203 CSEC_PUBLIC:2.3.100-20220202 CSEC_PUBLIC:2.3.100 CSEC_PUBLIC:2.3.91 CSEC_PUBLIC:2.3.90-20211213 CSEC_PUBLIC:2.3.90-20211210 CSEC_PUBLIC:2.3.90-20211206 CSEC_PUBLIC:2.3.90-AIRGAPFIX CSEC_PUBLIC:2.3.90-WAZUH CSEC_PUBLIC:2.3.90 CSEC_PUBLIC:2.3.80 CSEC_PUBLIC:2.3.70-WAZUH CSEC_PUBLIC:2.3.70-GRAFANA CSEC_PUBLIC:2.3.70-CURATOR CSEC_PUBLIC:2.3.70 CSEC_PUBLIC:2.3.61MSEARCH CSEC_PUBLIC:2.3.61STENODOCKER CSEC_PUBLIC:2.3.61 CSEC_PUBLIC:2.3.60CURATORAUTH CSEC_PUBLIC:2.3.60FBPIPELINE CSEC_PUBLIC:2.3.60HEAVYNODE CSEC_PUBLIC:2.3.60ECS CSEC_PUBLIC:2.3.60 CSEC_PUBLIC:2.3.52 CSEC_PUBLIC:2.3.51 CSEC_PUBLIC:2.3.50GRIDFIX CSEC_PUBLIC:2.3.50 CSEC_PUBLIC:2.3.40 CSEC_PUBLIC:2.3.30 CSEC_PUBLIC:2.3.21 CSEC_PUBLIC:2.3.20 CSEC_PUBLIC:2.3.10 CSEC_PUBLIC:2.3.2 CSEC_PUBLIC:2.3.1 CSEC_PUBLIC:2.3.0 CSEC_PUBLIC:2.2.0-rc3 CSEC_PUBLIC:2.1.0-rc2 CSEC_PUBLIC:2.0.1-rc1.1 CSEC_PUBLIC:2.0.1-rc1 CSEC_PUBLIC:2.0.0-rc1 CSEC_PUBLIC:1.4.1 CSEC_PUBLIC:1.4.0 CSEC_PUBLIC:1.3.0 CSEC_PUBLIC:1.2.1-1 CSEC_PUBLIC:1.2.1 CSEC_PUBLIC:1.1.4 CSEC_PUBLIC:1.1.3 CSEC_PUBLIC:1.0.4 CSEC_PUBLIC:v1.0.3
..
compare: CSEC_PUBLIC:ulimits
Branches Tags
CSEC_PUBLIC:3/dev CSEC_PUBLIC:yaracomments CSEC_PUBLIC:lowercasefix CSEC_PUBLIC:TOoSmOotH-patch-1 CSEC_PUBLIC:delta CSEC_PUBLIC:fix/idh-skins CSEC_PUBLIC:jertel/wip CSEC_PUBLIC:zeek-websocket CSEC_PUBLIC:quickfixes CSEC_PUBLIC:customulimit CSEC_PUBLIC:ulimits CSEC_PUBLIC:reyesj2-449 CSEC_PUBLIC:reyesj2-15601 CSEC_PUBLIC:zeekload CSEC_PUBLIC:moreja CSEC_PUBLIC:analyzer-cp314-wheels CSEC_PUBLIC:moresoup CSEC_PUBLIC:mreeves/remove-non-oracle9-salt CSEC_PUBLIC:mreeves/remove-non-oracle9-support CSEC_PUBLIC:TOoSmOotH-patch-6 CSEC_PUBLIC:2.4/dev CSEC_PUBLIC:2.4/main CSEC_PUBLIC:patch/2.4.211 CSEC_PUBLIC:TOoSmOotH-patch-5 CSEC_PUBLIC:stenoclean CSEC_PUBLIC:fix/suricatatest CSEC_PUBLIC:bravo CSEC_PUBLIC:kilo CSEC_PUBLIC:foxtrot CSEC_PUBLIC:3/dev-merge-fix CSEC_PUBLIC:2.4.210 CSEC_PUBLIC:TOoSmOotH-patch-2 CSEC_PUBLIC:3/main CSEC_PUBLIC:patch/2.4.201 CSEC_PUBLIC:reyesj2/elastic-statereview CSEC_PUBLIC:2.4/playbooklocalrepo CSEC_PUBLIC:kaffytaffy CSEC_PUBLIC:2.3/main CSEC_PUBLIC:master CSEC_PUBLIC:dev CSEC_PUBLIC:sysusers CSEC_PUBLIC:feature/users
CSEC_PUBLIC:2.4.211-20260312 CSEC_PUBLIC:2.4.210-20260302 CSEC_PUBLIC:2.4.201-20260114 CSEC_PUBLIC:2.4.200-20251216 CSEC_PUBLIC:2.4.190-20251024 CSEC_PUBLIC:2.4.180-20250916 CSEC_PUBLIC:2.4.170-20250812 CSEC_PUBLIC:2.4.160-20250625 CSEC_PUBLIC:2.4.160-20250615 CSEC_PUBLIC:2.4.150-20250522 CSEC_PUBLIC:2.4.150-20250512 CSEC_PUBLIC:2.4.141-20250331 CSEC_PUBLIC:2.4.140-20250324 CSEC_PUBLIC:2.4.130-20250311 CSEC_PUBLIC:2.4.120-20250212 CSEC_PUBLIC:2.4.111-20241217 CSEC_PUBLIC:2.4.110-20241010 CSEC_PUBLIC:2.4.110-20241004 CSEC_PUBLIC:2.4.100-20240903 CSEC_PUBLIC:2.4.100-20240829 CSEC_PUBLIC:2.4.90-20240729 CSEC_PUBLIC:2.4.80-20240624 CSEC_PUBLIC:2.4.80-20240625 CSEC_PUBLIC:2.4.70-20240529 CSEC_PUBLIC:2.3.300-20240401 CSEC_PUBLIC:2.4.60-20240320 CSEC_PUBLIC:2.3.290-20240229 CSEC_PUBLIC:2.4.50-20240220 CSEC_PUBLIC:2.4.40-20240116 CSEC_PUBLIC:2.4.30-20231228 CSEC_PUBLIC:2.4.30-20231219 CSEC_PUBLIC:2.4.30-20231204 CSEC_PUBLIC:2.3.280-20231128 CSEC_PUBLIC:2.4.30-20231121 CSEC_PUBLIC:2.4.30-20231117 CSEC_PUBLIC:2.4.30-20231113 CSEC_PUBLIC:2.4.20-20231012 CSEC_PUBLIC:2.4.20-20231006 CSEC_PUBLIC:2.3.270-1006 CSEC_PUBLIC:2.4.10-202030821 CSEC_PUBLIC:2.4.10-20230815 CSEC_PUBLIC:2.4.5-20230807 CSEC_PUBLIC:2.4.5 CSEC_PUBLIC:2.4.4-20230728 CSEC_PUBLIC:2.4.3-20230711 CSEC_PUBLIC:2.3.260-20230620 CSEC_PUBLIC:2.4.2-20230531 CSEC_PUBLIC:2.3.250-20230519 CSEC_PUBLIC:2.3.240-20220426 CSEC_PUBLIC:2.4.1-20230424 CSEC_PUBLIC:2.3.230-20230417 CSEC_PUBLIC:2.4.0-20230328 CSEC_PUBLIC:2.3.220-20230301 CSEC_PUBLIC:2.3.220-20230224 CSEC_PUBLIC:2.3.210-20230202 CSEC_PUBLIC:2.3.200-20230113 CSEC_PUBLIC:2.3.190-20221207 CSEC_PUBLIC:2.3.190-20221205 CSEC_PUBLIC:2.3.182-20221109 CSEC_PUBLIC:2.3.181-20221021 CSEC_PUBLIC:2.3.180-20221014 CSEC_PUBLIC:2.3.170-20220922 CSEC_PUBLIC:2.3.160-20220829 CSEC_PUBLIC:2.3.150-20220820 CSEC_PUBLIC:2.3.140-20220812 CSEC_PUBLIC:2.3.140-20220719 CSEC_PUBLIC:2.3.140-20220718 CSEC_PUBLIC:2.3.130-20220607 CSEC_PUBLIC:2.3.120 CSEC_PUBLIC:2.3.110-20220407 CSEC_PUBLIC:2.3.110-20220405 CSEC_PUBLIC:2.3.110-20220401 CSEC_PUBLIC:2.3.110-20220309 CSEC_PUBLIC:2.3.100-20220301 CSEC_PUBLIC:2.3.100-20220203 CSEC_PUBLIC:2.3.100-20220202 CSEC_PUBLIC:2.3.100 CSEC_PUBLIC:2.3.91 CSEC_PUBLIC:2.3.90-20211213 CSEC_PUBLIC:2.3.90-20211210 CSEC_PUBLIC:2.3.90-20211206 CSEC_PUBLIC:2.3.90-AIRGAPFIX CSEC_PUBLIC:2.3.90-WAZUH CSEC_PUBLIC:2.3.90 CSEC_PUBLIC:2.3.80 CSEC_PUBLIC:2.3.70-WAZUH CSEC_PUBLIC:2.3.70-GRAFANA CSEC_PUBLIC:2.3.70-CURATOR CSEC_PUBLIC:2.3.70 CSEC_PUBLIC:2.3.61MSEARCH CSEC_PUBLIC:2.3.61STENODOCKER CSEC_PUBLIC:2.3.61 CSEC_PUBLIC:2.3.60CURATORAUTH CSEC_PUBLIC:2.3.60FBPIPELINE CSEC_PUBLIC:2.3.60HEAVYNODE CSEC_PUBLIC:2.3.60ECS CSEC_PUBLIC:2.3.60 CSEC_PUBLIC:2.3.52 CSEC_PUBLIC:2.3.51 CSEC_PUBLIC:2.3.50GRIDFIX CSEC_PUBLIC:2.3.50 CSEC_PUBLIC:2.3.40 CSEC_PUBLIC:2.3.30 CSEC_PUBLIC:2.3.21 CSEC_PUBLIC:2.3.20 CSEC_PUBLIC:2.3.10 CSEC_PUBLIC:2.3.2 CSEC_PUBLIC:2.3.1 CSEC_PUBLIC:2.3.0 CSEC_PUBLIC:2.2.0-rc3 CSEC_PUBLIC:2.1.0-rc2 CSEC_PUBLIC:2.0.1-rc1.1 CSEC_PUBLIC:2.0.1-rc1 CSEC_PUBLIC:2.0.0-rc1 CSEC_PUBLIC:1.4.1 CSEC_PUBLIC:1.4.0 CSEC_PUBLIC:1.3.0 CSEC_PUBLIC:1.2.1-1 CSEC_PUBLIC:1.2.1 CSEC_PUBLIC:1.1.4 CSEC_PUBLIC:1.1.3 CSEC_PUBLIC:1.0.4 CSEC_PUBLIC:v1.0.3

2 Commits
customulim ... ulimits

Author SHA1 Message Date
Mike Reeves
350588f080 Change ulimits to structured dict format and add daemon.json ulimit support 
Convert ulimits from flat strings to structured dicts with name, soft,
and hard fields for better UI experience. Add default_ulimits as a
configurable setting that dynamically renders into daemon.json, giving
two layers of control: global defaults via the daemon and per-container
overrides.
 2026-03-17 16:51:04 -04:00
Mike Reeves
9a07a32a48 Add customizable ulimit settings for all Docker containers 
Add ulimits as a configurable advanced setting for every container,
allowing customization through the web UI. Move hardcoded ulimits
from elasticsearch and zeek into defaults.yaml and fix elasticsearch
ulimits that were incorrectly nested under the environment key.
 2026-03-17 15:14:34 -04:00
36 changed files with 302 additions and 307 deletions
Expand all files Collapse all files

6
salt/docker/files/daemon.json.jinja → salt/common/files/daemon.json
View File

@@ -1,4 +1,4 @@
{% from 'docker/docker.map.jinja' import DOCKERMERGED -%}
{% from 'docker/docker.map.jinja' import DOCKER -%}
{
"registry-mirrors": [
"https://:5000"
@@ -10,9 +10,9 @@
"size": 24
}
]
{%- if DOCKERMERGED.ulimits %},
{%- if DOCKER.default_ulimits %},
"default-ulimits": {
{%- for ULIMIT in DOCKERMERGED.ulimits %}
{%- for ULIMIT in DOCKER.default_ulimits %}
"{{ ULIMIT.name }}": {
"Name": "{{ ULIMIT.name }}",
"Soft": {{ ULIMIT.soft }},

2
salt/docker/defaults.yaml
View File

@@ -1,7 +1,7 @@
docker:
range: '172.17.1.0/24'
gateway: '172.17.1.1'
ulimits:
default_ulimits:
- name: nofile
soft: 1048576
hard: 1048576

8
salt/docker/docker.map.jinja
View File

@@ -1,8 +1,8 @@
{% import_yaml 'docker/defaults.yaml' as DOCKERDEFAULTS %}
{% set DOCKERMERGED = salt['pillar.get']('docker', DOCKERDEFAULTS.docker, merge=True) %}
{% set RANGESPLIT = DOCKERMERGED.range.split('.') %}
{% set DOCKER = salt['pillar.get']('docker', DOCKERDEFAULTS.docker, merge=True) %}
{% set RANGESPLIT = DOCKER.range.split('.') %}
{% set FIRSTTHREE = RANGESPLIT[0] ~ '.' ~ RANGESPLIT[1] ~ '.' ~ RANGESPLIT[2] ~ '.' %}
{% for container, vals in DOCKERMERGED.containers.items() %}
{% do DOCKERMERGED.containers[container].update({'ip': FIRSTTHREE ~ DOCKERMERGED.containers[container].final_octet}) %}
{% for container, vals in DOCKER.containers.items() %}
{% do DOCKER.containers[container].update({'ip': FIRSTTHREE ~ DOCKER.containers[container].final_octet}) %}
{% endfor %}

9
salt/docker/init.sls
View File

@@ -3,7 +3,7 @@
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
{% from 'docker/docker.map.jinja' import DOCKER %}
{% from 'vars/globals.map.jinja' import GLOBALS %}
# docker service requires the ca.crt
@@ -41,9 +41,10 @@ dockeretc:
file.directory:
- name: /etc/docker
# Manager daemon.json
docker_daemon:
file.managed:
- source: salt://docker/files/daemon.json.jinja
- source: salt://common/files/daemon.json
- name: /etc/docker/daemon.json
- template: jinja
@@ -74,8 +75,8 @@ dockerreserveports:
sos_docker_net:
docker_network.present:
- name: sobridge
- subnet: {{ DOCKERMERGED.range }}
- gateway: {{ DOCKERMERGED.gateway }}
- subnet: {{ DOCKER.range }}
- gateway: {{ DOCKER.gateway }}
- options:
com.docker.network.bridge.name: 'sobridge'
com.docker.network.driver.mtu: '1500'

16
salt/docker/soc_docker.yaml
View File

@@ -7,19 +7,16 @@ docker:
description: Default docker IP range for containers.
helpLink: docker.html
advanced: True
ulimits:
description: |
Default ulimit settings applied to all containers via the Docker daemon. Each entry specifies a resource name (e.g. nofile, memlock, core, nproc) with soft and hard limits. Individual container ulimits override these defaults. Valid resource names include: cpu, fsize, data, stack, core, rss, nproc, nofile, memlock, as, locks, sigpending, msgqueue, nice, rtprio, rttime.
forcedType: "[]{}"
syntax: json
default_ulimits:
description: Default ulimit settings applied to all containers via the Docker daemon. Each entry specifies a resource name (e.g. nofile, memlock, core, nproc) with soft and hard limits. Individual container ulimits override these defaults.
advanced: True
helpLink: docker.html
forcedType: "[]{}"
syntax: json
uiElements:
- field: name
label: Resource Name
required: True
regex: ^(cpu|fsize|data|stack|core|rss|nproc|nofile|memlock|as|locks|sigpending|msgqueue|nice|rtprio|rttime)$
regexFailureMessage: You must enter a valid ulimit name (cpu, fsize, data, stack, core, rss, nproc, nofile, memlock, as, locks, sigpending, msgqueue, nice, rtprio, rttime).
- field: soft
label: Soft Limit
forcedType: int
@@ -59,8 +56,7 @@ docker:
multiline: True
forcedType: "[]string"
ulimits:
description: |
Ulimit settings for the container. Each entry specifies a resource name (e.g. nofile, memlock, core, nproc) with optional soft and hard limits. Valid resource names include: cpu, fsize, data, stack, core, rss, nproc, nofile, memlock, as, locks, sigpending, msgqueue, nice, rtprio, rttime.
description: Ulimit settings for the container. Each entry specifies a resource name (e.g. nofile, memlock, core, nproc) with optional soft and hard limits.
advanced: True
helpLink: docker.html
forcedType: "[]{}"
@@ -69,8 +65,6 @@ docker:
- field: name
label: Resource Name
required: True
regex: ^(cpu|fsize|data|stack|core|rss|nproc|nofile|memlock|as|locks|sigpending|msgqueue|nice|rtprio|rttime)$
regexFailureMessage: You must enter a valid ulimit name (cpu, fsize, data, stack, core, rss, nproc, nofile, memlock, as, locks, sigpending, msgqueue, nice, rtprio, rttime).
- field: soft
label: Soft Limit
forcedType: int

20
salt/elastalert/enabled.sls
View File

@@ -6,7 +6,7 @@
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %}
{% from 'vars/globals.map.jinja' import GLOBALS %}
{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
{% from 'docker/docker.map.jinja' import DOCKER %}
include:
- elastalert.config
@@ -24,7 +24,7 @@ so-elastalert:
- user: so-elastalert
- networks:
- sobridge:
- ipv4_address: {{ DOCKERMERGED.containers['so-elastalert'].ip }}
- ipv4_address: {{ DOCKER.containers['so-elastalert'].ip }}
- detach: True
- binds:
- /opt/so/rules/elastalert:/opt/elastalert/rules/:ro
@@ -33,27 +33,27 @@ so-elastalert:
- /opt/so/conf/elastalert/predefined/:/opt/elastalert/predefined/:ro
- /opt/so/conf/elastalert/custom/:/opt/elastalert/custom/:ro
- /opt/so/conf/elastalert/elastalert_config.yaml:/opt/elastalert/config.yaml:ro
{% if DOCKERMERGED.containers['so-elastalert'].custom_bind_mounts %}
{% for BIND in DOCKERMERGED.containers['so-elastalert'].custom_bind_mounts %}
{% if DOCKER.containers['so-elastalert'].custom_bind_mounts %}
{% for BIND in DOCKER.containers['so-elastalert'].custom_bind_mounts %}
- {{ BIND }}
{% endfor %}
{% endif %}
- extra_hosts:
- {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }}
{% if DOCKERMERGED.containers['so-elastalert'].extra_hosts %}
{% for XTRAHOST in DOCKERMERGED.containers['so-elastalert'].extra_hosts %}
{% if DOCKER.containers['so-elastalert'].extra_hosts %}
{% for XTRAHOST in DOCKER.containers['so-elastalert'].extra_hosts %}
- {{ XTRAHOST }}
{% endfor %}
{% endif %}
{% if DOCKERMERGED.containers['so-elastalert'].extra_env %}
{% if DOCKER.containers['so-elastalert'].extra_env %}
- environment:
{% for XTRAENV in DOCKERMERGED.containers['so-elastalert'].extra_env %}
{% for XTRAENV in DOCKER.containers['so-elastalert'].extra_env %}
- {{ XTRAENV }}
{% endfor %}
{% endif %}
{% if DOCKERMERGED.containers['so-elastalert'].ulimits %}
{% if DOCKER.containers['so-elastalert'].ulimits %}
- ulimits:
{% for ULIMIT in DOCKERMERGED.containers['so-elastalert'].ulimits %}
{% for ULIMIT in DOCKER.containers['so-elastalert'].ulimits %}
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
{% endfor %}
{% endif %}

22
salt/elastic-fleet-package-registry/enabled.sls
View File

@@ -6,7 +6,7 @@
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %}
{% from 'vars/globals.map.jinja' import GLOBALS %}
{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
{% from 'docker/docker.map.jinja' import DOCKER %}
include:
- elastic-fleet-package-registry.config
@@ -21,33 +21,33 @@ so-elastic-fleet-package-registry:
- user: 948
- networks:
- sobridge:
- ipv4_address: {{ DOCKERMERGED.containers['so-elastic-fleet-package-registry'].ip }}
- ipv4_address: {{ DOCKER.containers['so-elastic-fleet-package-registry'].ip }}
- extra_hosts:
- {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
{% if DOCKERMERGED.containers['so-elastic-fleet-package-registry'].extra_hosts %}
{% for XTRAHOST in DOCKERMERGED.containers['so-elastic-fleet-package-registry'].extra_hosts %}
{% if DOCKER.containers['so-elastic-fleet-package-registry'].extra_hosts %}
{% for XTRAHOST in DOCKER.containers['so-elastic-fleet-package-registry'].extra_hosts %}
- {{ XTRAHOST }}
{% endfor %}
{% endif %}
- port_bindings:
{% for BINDING in DOCKERMERGED.containers['so-elastic-fleet-package-registry'].port_bindings %}
{% for BINDING in DOCKER.containers['so-elastic-fleet-package-registry'].port_bindings %}
- {{ BINDING }}
{% endfor %}
{% if DOCKERMERGED.containers['so-elastic-fleet-package-registry'].custom_bind_mounts %}
{% if DOCKER.containers['so-elastic-fleet-package-registry'].custom_bind_mounts %}
- binds:
{% for BIND in DOCKERMERGED.containers['so-elastic-fleet-package-registry'].custom_bind_mounts %}
{% for BIND in DOCKER.containers['so-elastic-fleet-package-registry'].custom_bind_mounts %}
- {{ BIND }}
{% endfor %}
{% endif %}
{% if DOCKERMERGED.containers['so-elastic-fleet-package-registry'].extra_env %}
{% if DOCKER.containers['so-elastic-fleet-package-registry'].extra_env %}
- environment:
{% for XTRAENV in DOCKERMERGED.containers['so-elastic-fleet-package-registry'].extra_env %}
{% for XTRAENV in DOCKER.containers['so-elastic-fleet-package-registry'].extra_env %}
- {{ XTRAENV }}
{% endfor %}
{% endif %}
{% if DOCKERMERGED.containers['so-elastic-fleet-package-registry'].ulimits %}
{% if DOCKER.containers['so-elastic-fleet-package-registry'].ulimits %}
- ulimits:
{% for ULIMIT in DOCKERMERGED.containers['so-elastic-fleet-package-registry'].ulimits %}
{% for ULIMIT in DOCKER.containers['so-elastic-fleet-package-registry'].ulimits %}
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
{% endfor %}
{% endif %}

22
salt/elasticagent/enabled.sls
View File

@@ -6,7 +6,7 @@
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %}
{% from 'vars/globals.map.jinja' import GLOBALS %}
{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
{% from 'docker/docker.map.jinja' import DOCKER %}
include:
- ca
@@ -22,17 +22,17 @@ so-elastic-agent:
- user: 949
- networks:
- sobridge:
- ipv4_address: {{ DOCKERMERGED.containers['so-elastic-agent'].ip }}
- ipv4_address: {{ DOCKER.containers['so-elastic-agent'].ip }}
- extra_hosts:
- {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }}
- {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
{% if DOCKERMERGED.containers['so-elastic-agent'].extra_hosts %}
{% for XTRAHOST in DOCKERMERGED.containers['so-elastic-agent'].extra_hosts %}
{% if DOCKER.containers['so-elastic-agent'].extra_hosts %}
{% for XTRAHOST in DOCKER.containers['so-elastic-agent'].extra_hosts %}
- {{ XTRAHOST }}
{% endfor %}
{% endif %}
- port_bindings:
{% for BINDING in DOCKERMERGED.containers['so-elastic-agent'].port_bindings %}
{% for BINDING in DOCKER.containers['so-elastic-agent'].port_bindings %}
- {{ BINDING }}
{% endfor %}
- binds:
@@ -41,22 +41,22 @@ so-elastic-agent:
- /etc/pki/tls/certs/intca.crt:/etc/pki/tls/certs/intca.crt:ro
- /nsm:/nsm:ro
- /opt/so/log:/opt/so/log:ro
{% if DOCKERMERGED.containers['so-elastic-agent'].custom_bind_mounts %}
{% for BIND in DOCKERMERGED.containers['so-elastic-agent'].custom_bind_mounts %}
{% if DOCKER.containers['so-elastic-agent'].custom_bind_mounts %}
{% for BIND in DOCKER.containers['so-elastic-agent'].custom_bind_mounts %}
- {{ BIND }}
{% endfor %}
{% endif %}
- environment:
- FLEET_CA=/etc/pki/tls/certs/intca.crt
- LOGS_PATH=logs
{% if DOCKERMERGED.containers['so-elastic-agent'].extra_env %}
{% for XTRAENV in DOCKERMERGED.containers['so-elastic-agent'].extra_env %}
{% if DOCKER.containers['so-elastic-agent'].extra_env %}
{% for XTRAENV in DOCKER.containers['so-elastic-agent'].extra_env %}
- {{ XTRAENV }}
{% endfor %}
{% endif %}
{% if DOCKERMERGED.containers['so-elastic-agent'].ulimits %}
{% if DOCKER.containers['so-elastic-agent'].ulimits %}
- ulimits:
{% for ULIMIT in DOCKERMERGED.containers['so-elastic-agent'].ulimits %}
{% for ULIMIT in DOCKER.containers['so-elastic-agent'].ulimits %}
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
{% endfor %}
{% endif %}

22
salt/elasticfleet/enabled.sls
View File

@@ -6,7 +6,7 @@
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %}
{% from 'vars/globals.map.jinja' import GLOBALS %}
{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
{% from 'docker/docker.map.jinja' import DOCKER %}
{% from 'elasticfleet/map.jinja' import ELASTICFLEETMERGED %}
{# This value is generated during node install and stored in minion pillar #}
@@ -94,17 +94,17 @@ so-elastic-fleet:
- user: 947
- networks:
- sobridge:
- ipv4_address: {{ DOCKERMERGED.containers['so-elastic-fleet'].ip }}
- ipv4_address: {{ DOCKER.containers['so-elastic-fleet'].ip }}
- extra_hosts:
- {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }}
- {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
{% if DOCKERMERGED.containers['so-elastic-fleet'].extra_hosts %}
{% for XTRAHOST in DOCKERMERGED.containers['so-elastic-fleet'].extra_hosts %}
{% if DOCKER.containers['so-elastic-fleet'].extra_hosts %}
{% for XTRAHOST in DOCKER.containers['so-elastic-fleet'].extra_hosts %}
- {{ XTRAHOST }}
{% endfor %}
{% endif %}
- port_bindings:
{% for BINDING in DOCKERMERGED.containers['so-elastic-fleet'].port_bindings %}
{% for BINDING in DOCKER.containers['so-elastic-fleet'].port_bindings %}
- {{ BINDING }}
{% endfor %}
- binds:
@@ -112,8 +112,8 @@ so-elastic-fleet:
- /etc/pki/elasticfleet-server.key:/etc/pki/elasticfleet-server.key:ro
- /etc/pki/tls/certs/intca.crt:/etc/pki/tls/certs/intca.crt:ro
- /opt/so/log/elasticfleet:/usr/share/elastic-agent/logs
{% if DOCKERMERGED.containers['so-elastic-fleet'].custom_bind_mounts %}
{% for BIND in DOCKERMERGED.containers['so-elastic-fleet'].custom_bind_mounts %}
{% if DOCKER.containers['so-elastic-fleet'].custom_bind_mounts %}
{% for BIND in DOCKER.containers['so-elastic-fleet'].custom_bind_mounts %}
- {{ BIND }}
{% endfor %}
{% endif %}
@@ -128,14 +128,14 @@ so-elastic-fleet:
- FLEET_CA=/etc/pki/tls/certs/intca.crt
- FLEET_SERVER_ELASTICSEARCH_CA=/etc/pki/tls/certs/intca.crt
- LOGS_PATH=logs
{% if DOCKERMERGED.containers['so-elastic-fleet'].extra_env %}
{% for XTRAENV in DOCKERMERGED.containers['so-elastic-fleet'].extra_env %}
{% if DOCKER.containers['so-elastic-fleet'].extra_env %}
{% for XTRAENV in DOCKER.containers['so-elastic-fleet'].extra_env %}
- {{ XTRAENV }}
{% endfor %}
{% endif %}
{% if DOCKERMERGED.containers['so-elastic-fleet'].ulimits %}
{% if DOCKER.containers['so-elastic-fleet'].ulimits %}
- ulimits:
{% for ULIMIT in DOCKERMERGED.containers['so-elastic-fleet'].ulimits %}
{% for ULIMIT in DOCKER.containers['so-elastic-fleet'].ulimits %}
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
{% endfor %}
{% endif %}

22
salt/elasticsearch/enabled.sls
View File

@@ -6,7 +6,7 @@
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %}
{% from 'vars/globals.map.jinja' import GLOBALS %}
{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
{% from 'docker/docker.map.jinja' import DOCKER %}
{% from 'elasticsearch/config.map.jinja' import ELASTICSEARCH_NODES %}
{% from 'elasticsearch/config.map.jinja' import ELASTICSEARCH_SEED_HOSTS %}
{% from 'elasticsearch/config.map.jinja' import ELASTICSEARCHMERGED %}
@@ -28,15 +28,15 @@ so-elasticsearch:
- user: elasticsearch
- networks:
- sobridge:
- ipv4_address: {{ DOCKERMERGED.containers['so-elasticsearch'].ip }}
- ipv4_address: {{ DOCKER.containers['so-elasticsearch'].ip }}
- extra_hosts:
{% for node in ELASTICSEARCH_NODES %}
{% for hostname, ip in node.items() %}
- {{hostname}}:{{ip}}
{% endfor %}
{% endfor %}
{% if DOCKERMERGED.containers['so-elasticsearch'].extra_hosts %}
{% for XTRAHOST in DOCKERMERGED.containers['so-elasticsearch'].extra_hosts %}
{% if DOCKER.containers['so-elasticsearch'].extra_hosts %}
{% for XTRAHOST in DOCKER.containers['so-elasticsearch'].extra_hosts %}
- {{ XTRAHOST }}
{% endfor %}
{% endif %}
@@ -45,19 +45,19 @@ so-elasticsearch:
- discovery.type=single-node
{% endif %}
- ES_JAVA_OPTS=-Xms{{ GLOBALS.elasticsearch.es_heap }} -Xmx{{ GLOBALS.elasticsearch.es_heap }} -Des.transport.cname_in_publish_address=true -Dlog4j2.formatMsgNoLookups=true
{% if DOCKERMERGED.containers['so-elasticsearch'].extra_env %}
{% for XTRAENV in DOCKERMERGED.containers['so-elasticsearch'].extra_env %}
{% if DOCKER.containers['so-elasticsearch'].extra_env %}
{% for XTRAENV in DOCKER.containers['so-elasticsearch'].extra_env %}
- {{ XTRAENV }}
{% endfor %}
{% endif %}
{% if DOCKERMERGED.containers['so-elasticsearch'].ulimits %}
{% if DOCKER.containers['so-elasticsearch'].ulimits %}
- ulimits:
{% for ULIMIT in DOCKERMERGED.containers['so-elasticsearch'].ulimits %}
{% for ULIMIT in DOCKER.containers['so-elasticsearch'].ulimits %}
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
{% endfor %}
{% endif %}
- port_bindings:
{% for BINDING in DOCKERMERGED.containers['so-elasticsearch'].port_bindings %}
{% for BINDING in DOCKER.containers['so-elasticsearch'].port_bindings %}
- {{ BINDING }}
{% endfor %}
- binds:
@@ -77,8 +77,8 @@ so-elasticsearch:
- {{ repo }}:{{ repo }}:rw
{% endfor %}
{% endif %}
{% if DOCKERMERGED.containers['so-elasticsearch'].custom_bind_mounts %}
{% for BIND in DOCKERMERGED.containers['so-elasticsearch'].custom_bind_mounts %}
{% if DOCKER.containers['so-elasticsearch'].custom_bind_mounts %}
{% for BIND in DOCKER.containers['so-elasticsearch'].custom_bind_mounts %}
- {{ BIND }}
{% endfor %}
{% endif %}

18
salt/firewall/iptables.jinja
View File

@@ -1,5 +1,5 @@
{%- from 'vars/globals.map.jinja' import GLOBALS %}
{%- from 'docker/docker.map.jinja' import DOCKERMERGED %}
{%- from 'docker/docker.map.jinja' import DOCKER %}
{%- from 'firewall/map.jinja' import FIREWALL_MERGED %}
{%- set role = GLOBALS.role.split('-')[1] %}
{%- from 'firewall/containers.map.jinja' import NODE_CONTAINERS %}
@@ -8,9 +8,9 @@
{%- set D1 = [] %}
{%- set D2 = [] %}
{%- for container in NODE_CONTAINERS %}
{%- set IP = DOCKERMERGED.containers[container].ip %}
{%- if DOCKERMERGED.containers[container].port_bindings is defined %}
{%- for binding in DOCKERMERGED.containers[container].port_bindings %}
{%- set IP = DOCKER.containers[container].ip %}
{%- if DOCKER.containers[container].port_bindings is defined %}
{%- for binding in DOCKER.containers[container].port_bindings %}
{#- cant split int so we convert to string #}
{%- set binding = binding|string %}
{#- split the port binding by /. if proto not specified, default is tcp #}
@@ -33,13 +33,13 @@
{%- set hostPort = bsa[0] %}
{%- set containerPort = bsa[1] %}
{%- endif %}
{%- do PR.append("-A POSTROUTING -s " ~ DOCKERMERGED.containers[container].ip ~ "/32 -d " ~ DOCKERMERGED.containers[container].ip ~ "/32 -p " ~ proto ~ " -m " ~ proto ~ " --dport " ~ containerPort ~ " -j MASQUERADE") %}
{%- do PR.append("-A POSTROUTING -s " ~ DOCKER.containers[container].ip ~ "/32 -d " ~ DOCKER.containers[container].ip ~ "/32 -p " ~ proto ~ " -m " ~ proto ~ " --dport " ~ containerPort ~ " -j MASQUERADE") %}
{%- if bindip | length and bindip != '0.0.0.0' %}
{%- do D1.append("-A DOCKER -d " ~ bindip ~ "/32 ! -i sobridge -p " ~ proto ~ " -m " ~ proto ~ " --dport " ~ hostPort ~ " -j DNAT --to-destination " ~ DOCKERMERGED.containers[container].ip ~ ":" ~ containerPort) %}
{%- do D1.append("-A DOCKER -d " ~ bindip ~ "/32 ! -i sobridge -p " ~ proto ~ " -m " ~ proto ~ " --dport " ~ hostPort ~ " -j DNAT --to-destination " ~ DOCKER.containers[container].ip ~ ":" ~ containerPort) %}
{%- else %}
{%- do D1.append("-A DOCKER ! -i sobridge -p " ~ proto ~ " -m " ~ proto ~ " --dport " ~ hostPort ~ " -j DNAT --to-destination " ~ DOCKERMERGED.containers[container].ip ~ ":" ~ containerPort) %}
{%- do D1.append("-A DOCKER ! -i sobridge -p " ~ proto ~ " -m " ~ proto ~ " --dport " ~ hostPort ~ " -j DNAT --to-destination " ~ DOCKER.containers[container].ip ~ ":" ~ containerPort) %}
{%- endif %}
{%- do D2.append("-A DOCKER -d " ~ DOCKERMERGED.containers[container].ip ~ "/32 ! -i sobridge -o sobridge -p " ~ proto ~ " -m " ~ proto ~ " --dport " ~ containerPort ~ " -j ACCEPT") %}
{%- do D2.append("-A DOCKER -d " ~ DOCKER.containers[container].ip ~ "/32 ! -i sobridge -o sobridge -p " ~ proto ~ " -m " ~ proto ~ " --dport " ~ containerPort ~ " -j ACCEPT") %}
{%- endfor %}
{%- endif %}
{%- endfor %}
@@ -52,7 +52,7 @@
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s {{DOCKERMERGED.range}} ! -o sobridge -j MASQUERADE
-A POSTROUTING -s {{DOCKER.range}} ! -o sobridge -j MASQUERADE
{%- for rule in PR %}
{{ rule }}
{%- endfor %}

4
salt/firewall/map.jinja
View File

@@ -1,11 +1,11 @@
{% from 'vars/globals.map.jinja' import GLOBALS %}
{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
{% from 'docker/docker.map.jinja' import DOCKER %}
{% import_yaml 'firewall/defaults.yaml' as FIREWALL_DEFAULT %}
{# add our ip to self #}
{% do FIREWALL_DEFAULT.firewall.hostgroups.self.append(GLOBALS.node_ip) %}
{# add dockernet range #}
{% do FIREWALL_DEFAULT.firewall.hostgroups.dockernet.append(DOCKERMERGED.range) %}
{% do FIREWALL_DEFAULT.firewall.hostgroups.dockernet.append(DOCKER.range) %}
{% if GLOBALS.role == 'so-idh' %}
{% from 'idh/opencanary_config.map.jinja' import IDH_PORTGROUPS %}

22
salt/hydra/enabled.sls
View File

@@ -11,7 +11,7 @@
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %}
{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
{% from 'docker/docker.map.jinja' import DOCKER %}
{% from 'vars/globals.map.jinja' import GLOBALS %}
{% if 'api' in salt['pillar.get']('features', []) %}
@@ -26,35 +26,35 @@ so-hydra:
- name: so-hydra
- networks:
- sobridge:
- ipv4_address: {{ DOCKERMERGED.containers['so-hydra'].ip }}
- ipv4_address: {{ DOCKER.containers['so-hydra'].ip }}
- binds:
- /opt/so/conf/hydra/:/hydra-conf:ro
- /opt/so/log/hydra/:/hydra-log:rw
- /nsm/hydra/db:/hydra-data:rw
{% if DOCKERMERGED.containers['so-hydra'].custom_bind_mounts %}
{% for BIND in DOCKERMERGED.containers['so-hydra'].custom_bind_mounts %}
{% if DOCKER.containers['so-hydra'].custom_bind_mounts %}
{% for BIND in DOCKER.containers['so-hydra'].custom_bind_mounts %}
- {{ BIND }}
{% endfor %}
{% endif %}
- port_bindings:
{% for BINDING in DOCKERMERGED.containers['so-hydra'].port_bindings %}
{% for BINDING in DOCKER.containers['so-hydra'].port_bindings %}
- {{ BINDING }}
{% endfor %}
{% if DOCKERMERGED.containers['so-hydra'].extra_hosts %}
{% if DOCKER.containers['so-hydra'].extra_hosts %}
- extra_hosts:
{% for XTRAHOST in DOCKERMERGED.containers['so-hydra'].extra_hosts %}
{% for XTRAHOST in DOCKER.containers['so-hydra'].extra_hosts %}
- {{ XTRAHOST }}
{% endfor %}
{% endif %}
{% if DOCKERMERGED.containers['so-hydra'].extra_env %}
{% if DOCKER.containers['so-hydra'].extra_env %}
- environment:
{% for XTRAENV in DOCKERMERGED.containers['so-hydra'].extra_env %}
{% for XTRAENV in DOCKER.containers['so-hydra'].extra_env %}
- {{ XTRAENV }}
{% endfor %}
{% endif %}
{% if DOCKERMERGED.containers['so-hydra'].ulimits %}
{% if DOCKER.containers['so-hydra'].ulimits %}
- ulimits:
{% for ULIMIT in DOCKERMERGED.containers['so-hydra'].ulimits %}
{% for ULIMIT in DOCKER.containers['so-hydra'].ulimits %}
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
{% endfor %}
{% endif %}

18
salt/idh/enabled.sls
View File

@@ -6,7 +6,7 @@
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %}
{% from 'vars/globals.map.jinja' import GLOBALS %}
{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
{% from 'docker/docker.map.jinja' import DOCKER %}
include:
- idh.config
@@ -22,26 +22,26 @@ so-idh:
- /nsm/idh:/var/tmp:rw
- /opt/so/conf/idh/http-skins:/usr/local/lib/python3.12/site-packages/opencanary/modules/data/http/skin:ro
- /opt/so/conf/idh/opencanary.conf:/etc/opencanaryd/opencanary.conf:ro
{% if DOCKERMERGED.containers['so-idh'].custom_bind_mounts %}
{% for BIND in DOCKERMERGED.containers['so-idh'].custom_bind_mounts %}
{% if DOCKER.containers['so-idh'].custom_bind_mounts %}
{% for BIND in DOCKER.containers['so-idh'].custom_bind_mounts %}
- {{ BIND }}
{% endfor %}
{% endif %}
{% if DOCKERMERGED.containers['so-idh'].extra_hosts %}
{% if DOCKER.containers['so-idh'].extra_hosts %}
- extra_hosts:
{% for XTRAHOST in DOCKERMERGED.containers['so-idh'].extra_hosts %}
{% for XTRAHOST in DOCKER.containers['so-idh'].extra_hosts %}
- {{ XTRAHOST }}
{% endfor %}
{% endif %}
{% if DOCKERMERGED.containers['so-idh'].extra_env %}
{% if DOCKER.containers['so-idh'].extra_env %}
- environment:
{% for XTRAENV in DOCKERMERGED.containers['so-idh'].extra_env %}
{% for XTRAENV in DOCKER.containers['so-idh'].extra_env %}
- {{ XTRAENV }}
{% endfor %}
{% endif %}
{% if DOCKERMERGED.containers['so-idh'].ulimits %}
{% if DOCKER.containers['so-idh'].ulimits %}
- ulimits:
{% for ULIMIT in DOCKERMERGED.containers['so-idh'].ulimits %}
{% for ULIMIT in DOCKER.containers['so-idh'].ulimits %}
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
{% endfor %}
{% endif %}

22
salt/influxdb/enabled.sls
View File

@@ -6,7 +6,7 @@
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %}
{% from 'vars/globals.map.jinja' import GLOBALS %}
{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
{% from 'docker/docker.map.jinja' import DOCKER %}
{% set PASSWORD = salt['pillar.get']('secrets:influx_pass') %}
{% set TOKEN = salt['pillar.get']('influxdb:token') %}
@@ -21,7 +21,7 @@ so-influxdb:
- hostname: influxdb
- networks:
- sobridge:
- ipv4_address: {{ DOCKERMERGED.containers['so-influxdb'].ip }}
- ipv4_address: {{ DOCKER.containers['so-influxdb'].ip }}
- environment:
- INFLUXD_CONFIG_PATH=/conf/config.yaml
- INFLUXDB_HTTP_LOG_ENABLED=false
@@ -31,8 +31,8 @@ so-influxdb:
- DOCKER_INFLUXDB_INIT_ORG=Security Onion
- DOCKER_INFLUXDB_INIT_BUCKET=telegraf/so_short_term
- DOCKER_INFLUXDB_INIT_ADMIN_TOKEN={{ TOKEN }}
{% if DOCKERMERGED.containers['so-influxdb'].extra_env %}
{% for XTRAENV in DOCKERMERGED.containers['so-influxdb'].extra_env %}
{% if DOCKER.containers['so-influxdb'].extra_env %}
{% for XTRAENV in DOCKER.containers['so-influxdb'].extra_env %}
- {{ XTRAENV }}
{% endfor %}
{% endif %}
@@ -43,24 +43,24 @@ so-influxdb:
- /nsm/influxdb:/var/lib/influxdb2:rw
- /etc/pki/influxdb.crt:/conf/influxdb.crt:ro
- /etc/pki/influxdb.key:/conf/influxdb.key:ro
{% if DOCKERMERGED.containers['so-influxdb'].custom_bind_mounts %}
{% for BIND in DOCKERMERGED.containers['so-influxdb'].custom_bind_mounts %}
{% if DOCKER.containers['so-influxdb'].custom_bind_mounts %}
{% for BIND in DOCKER.containers['so-influxdb'].custom_bind_mounts %}
- {{ BIND }}
{% endfor %}
{% endif %}
- port_bindings:
{% for BINDING in DOCKERMERGED.containers['so-influxdb'].port_bindings %}
{% for BINDING in DOCKER.containers['so-influxdb'].port_bindings %}
- {{ BINDING }}
{% endfor %}
{% if DOCKERMERGED.containers['so-influxdb'].extra_hosts %}
{% if DOCKER.containers['so-influxdb'].extra_hosts %}
- extra_hosts:
{% for XTRAHOST in DOCKERMERGED.containers['so-influxdb'].extra_hosts %}
{% for XTRAHOST in DOCKER.containers['so-influxdb'].extra_hosts %}
- {{ XTRAHOST }}
{% endfor %}
{% endif %}
{% if DOCKERMERGED.containers['so-influxdb'].ulimits %}
{% if DOCKER.containers['so-influxdb'].ulimits %}
- ulimits:
{% for ULIMIT in DOCKERMERGED.containers['so-influxdb'].ulimits %}
{% for ULIMIT in DOCKER.containers['so-influxdb'].ulimits %}
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
{% endfor %}
{% endif %}

16
salt/kafka/enabled.sls
View File

@@ -12,7 +12,7 @@
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %}
{% from 'vars/globals.map.jinja' import GLOBALS %}
{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
{% from 'docker/docker.map.jinja' import DOCKER %}
{% set KAFKANODES = salt['pillar.get']('kafka:nodes') %}
{% set KAFKA_EXTERNAL_ACCESS = salt['pillar.get']('kafka:config:external_access:enabled', default=False) %}
{% if 'gmd' in salt['pillar.get']('features', []) %}
@@ -31,22 +31,22 @@ so-kafka:
- name: so-kafka
- networks:
- sobridge:
- ipv4_address: {{ DOCKERMERGED.containers['so-kafka'].ip }}
- ipv4_address: {{ DOCKER.containers['so-kafka'].ip }}
- user: kafka
- environment:
KAFKA_HEAP_OPTS: -Xmx2G -Xms1G
KAFKA_OPTS: "-javaagent:/opt/jolokia/agents/jolokia-agent-jvm-javaagent.jar=port=8778,host={{ DOCKERMERGED.containers['so-kafka'].ip }},policyLocation=file:/opt/jolokia/jolokia.xml {%- if KAFKA_EXTERNAL_ACCESS %} -Djava.security.auth.login.config=/opt/kafka/config/kafka_server_jaas.conf {% endif -%}"
KAFKA_OPTS: "-javaagent:/opt/jolokia/agents/jolokia-agent-jvm-javaagent.jar=port=8778,host={{ DOCKER.containers['so-kafka'].ip }},policyLocation=file:/opt/jolokia/jolokia.xml {%- if KAFKA_EXTERNAL_ACCESS %} -Djava.security.auth.login.config=/opt/kafka/config/kafka_server_jaas.conf {% endif -%}"
- extra_hosts:
{% for node in KAFKANODES %}
- {{ node }}:{{ KAFKANODES[node].ip }}
{% endfor %}
{% if DOCKERMERGED.containers['so-kafka'].extra_hosts %}
{% for XTRAHOST in DOCKERMERGED.containers['so-kafka'].extra_hosts %}
{% if DOCKER.containers['so-kafka'].extra_hosts %}
{% for XTRAHOST in DOCKER.containers['so-kafka'].extra_hosts %}
- {{ XTRAHOST }}
{% endfor %}
{% endif %}
- port_bindings:
{% for BINDING in DOCKERMERGED.containers['so-kafka'].port_bindings %}
{% for BINDING in DOCKER.containers['so-kafka'].port_bindings %}
- {{ BINDING }}
{% endfor %}
- binds:
@@ -60,9 +60,9 @@ so-kafka:
{% if KAFKA_EXTERNAL_ACCESS %}
- /opt/so/conf/kafka/kafka_server_jaas.conf:/opt/kafka/config/kafka_server_jaas.conf:ro
{% endif %}
{% if DOCKERMERGED.containers['so-kafka'].ulimits %}
{% if DOCKER.containers['so-kafka'].ulimits %}
- ulimits:
{% for ULIMIT in DOCKERMERGED.containers['so-kafka'].ulimits %}
{% for ULIMIT in DOCKER.containers['so-kafka'].ulimits %}
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
{% endfor %}
{% endif %}

22
salt/kibana/enabled.sls
View File

@@ -5,7 +5,7 @@
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %}
{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
{% from 'docker/docker.map.jinja' import DOCKER %}
{% from 'vars/globals.map.jinja' import GLOBALS %}
include:
@@ -20,20 +20,20 @@ so-kibana:
- user: kibana
- networks:
- sobridge:
- ipv4_address: {{ DOCKERMERGED.containers['so-kibana'].ip }}
- ipv4_address: {{ DOCKER.containers['so-kibana'].ip }}
- environment:
- ELASTICSEARCH_HOST={{ GLOBALS.manager }}
- ELASTICSEARCH_PORT=9200
- MANAGER={{ GLOBALS.manager }}
{% if DOCKERMERGED.containers['so-kibana'].extra_env %}
{% for XTRAENV in DOCKERMERGED.containers['so-kibana'].extra_env %}
{% if DOCKER.containers['so-kibana'].extra_env %}
{% for XTRAENV in DOCKER.containers['so-kibana'].extra_env %}
- {{ XTRAENV }}
{% endfor %}
{% endif %}
- extra_hosts:
- {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }}
{% if DOCKERMERGED.containers['so-kibana'].extra_hosts %}
{% for XTRAHOST in DOCKERMERGED.containers['so-kibana'].extra_hosts %}
{% if DOCKER.containers['so-kibana'].extra_hosts %}
{% for XTRAHOST in DOCKER.containers['so-kibana'].extra_hosts %}
- {{ XTRAHOST }}
{% endfor %}
{% endif %}
@@ -42,18 +42,18 @@ so-kibana:
- /opt/so/log/kibana:/var/log/kibana:rw
- /opt/so/conf/kibana/customdashboards:/usr/share/kibana/custdashboards:ro
- /sys/fs/cgroup:/sys/fs/cgroup:ro
{% if DOCKERMERGED.containers['so-kibana'].custom_bind_mounts %}
{% for BIND in DOCKERMERGED.containers['so-kibana'].custom_bind_mounts %}
{% if DOCKER.containers['so-kibana'].custom_bind_mounts %}
{% for BIND in DOCKER.containers['so-kibana'].custom_bind_mounts %}
- {{ BIND }}
{% endfor %}
{% endif %}
- port_bindings:
{% for BINDING in DOCKERMERGED.containers['so-kibana'].port_bindings %}
{% for BINDING in DOCKER.containers['so-kibana'].port_bindings %}
- {{ BINDING }}
{% endfor %}
{% if DOCKERMERGED.containers['so-kibana'].ulimits %}
{% if DOCKER.containers['so-kibana'].ulimits %}
- ulimits:
{% for ULIMIT in DOCKERMERGED.containers['so-kibana'].ulimits %}
{% for ULIMIT in DOCKER.containers['so-kibana'].ulimits %}
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
{% endfor %}
{% endif %}

22
salt/kratos/enabled.sls
View File

@@ -5,7 +5,7 @@
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %}
{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
{% from 'docker/docker.map.jinja' import DOCKER %}
{% from 'vars/globals.map.jinja' import GLOBALS %}
include:
@@ -19,35 +19,35 @@ so-kratos:
- name: so-kratos
- networks:
- sobridge:
- ipv4_address: {{ DOCKERMERGED.containers['so-kratos'].ip }}
- ipv4_address: {{ DOCKER.containers['so-kratos'].ip }}
- binds:
- /opt/so/conf/kratos/:/kratos-conf:ro
- /opt/so/log/kratos/:/kratos-log:rw
- /nsm/kratos/db:/kratos-data:rw
{% if DOCKERMERGED.containers['so-kratos'].custom_bind_mounts %}
{% for BIND in DOCKERMERGED.containers['so-kratos'].custom_bind_mounts %}
{% if DOCKER.containers['so-kratos'].custom_bind_mounts %}
{% for BIND in DOCKER.containers['so-kratos'].custom_bind_mounts %}
- {{ BIND }}
{% endfor %}
{% endif %}
- port_bindings:
{% for BINDING in DOCKERMERGED.containers['so-kratos'].port_bindings %}
{% for BINDING in DOCKER.containers['so-kratos'].port_bindings %}
- {{ BINDING }}
{% endfor %}
{% if DOCKERMERGED.containers['so-kratos'].extra_hosts %}
{% if DOCKER.containers['so-kratos'].extra_hosts %}
- extra_hosts:
{% for XTRAHOST in DOCKERMERGED.containers['so-kratos'].extra_hosts %}
{% for XTRAHOST in DOCKER.containers['so-kratos'].extra_hosts %}
- {{ XTRAHOST }}
{% endfor %}
{% endif %}
{% if DOCKERMERGED.containers['so-kratos'].extra_env %}
{% if DOCKER.containers['so-kratos'].extra_env %}
- environment:
{% for XTRAENV in DOCKERMERGED.containers['so-kratos'].extra_env %}
{% for XTRAENV in DOCKER.containers['so-kratos'].extra_env %}
- {{ XTRAENV }}
{% endfor %}
{% endif %}
{% if DOCKERMERGED.containers['so-kratos'].ulimits %}
{% if DOCKER.containers['so-kratos'].ulimits %}
- ulimits:
{% for ULIMIT in DOCKERMERGED.containers['so-kratos'].ulimits %}
{% for ULIMIT in DOCKER.containers['so-kratos'].ulimits %}
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
{% endfor %}
{% endif %}

22
salt/logstash/enabled.sls
View File

@@ -6,7 +6,7 @@
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %}
{% from 'vars/globals.map.jinja' import GLOBALS %}
{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
{% from 'docker/docker.map.jinja' import DOCKER %}
{% from 'logstash/map.jinja' import LOGSTASH_MERGED %}
{% from 'logstash/map.jinja' import LOGSTASH_NODES %}
{% set lsheap = LOGSTASH_MERGED.settings.lsheap %}
@@ -32,7 +32,7 @@ so-logstash:
- name: so-logstash
- networks:
- sobridge:
- ipv4_address: {{ DOCKERMERGED.containers['so-logstash'].ip }}
- ipv4_address: {{ DOCKER.containers['so-logstash'].ip }}
- user: logstash
- extra_hosts:
{% for node in LOGSTASH_NODES %}
@@ -40,20 +40,20 @@ so-logstash:
- {{hostname}}:{{ip}}
{% endfor %}
{% endfor %}
{% if DOCKERMERGED.containers['so-logstash'].extra_hosts %}
{% for XTRAHOST in DOCKERMERGED.containers['so-logstash'].extra_hosts %}
{% if DOCKER.containers['so-logstash'].extra_hosts %}
{% for XTRAHOST in DOCKER.containers['so-logstash'].extra_hosts %}
- {{ XTRAHOST }}
{% endfor %}
{% endif %}
- environment:
- LS_JAVA_OPTS=-Xms{{ lsheap }} -Xmx{{ lsheap }}
{% if DOCKERMERGED.containers['so-logstash'].extra_env %}
{% for XTRAENV in DOCKERMERGED.containers['so-logstash'].extra_env %}
{% if DOCKER.containers['so-logstash'].extra_env %}
{% for XTRAENV in DOCKER.containers['so-logstash'].extra_env %}
- {{ XTRAENV }}
{% endfor %}
{% endif %}
- port_bindings:
{% for BINDING in DOCKERMERGED.containers['so-logstash'].port_bindings %}
{% for BINDING in DOCKER.containers['so-logstash'].port_bindings %}
- {{ BINDING }}
{% endfor %}
- binds:
@@ -91,14 +91,14 @@ so-logstash:
- /opt/so/log/fleet/:/osquery/logs:ro
- /opt/so/log/strelka:/strelka:ro
{% endif %}
{% if DOCKERMERGED.containers['so-logstash'].custom_bind_mounts %}
{% for BIND in DOCKERMERGED.containers['so-logstash'].custom_bind_mounts %}
{% if DOCKER.containers['so-logstash'].custom_bind_mounts %}
{% for BIND in DOCKER.containers['so-logstash'].custom_bind_mounts %}
- {{ BIND }}
{% endfor %}
{% endif %}
{% if DOCKERMERGED.containers['so-logstash'].ulimits %}
{% if DOCKER.containers['so-logstash'].ulimits %}
- ulimits:
{% for ULIMIT in DOCKERMERGED.containers['so-logstash'].ulimits %}
{% for ULIMIT in DOCKER.containers['so-logstash'].ulimits %}
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
{% endfor %}
{% endif %}

22
salt/nginx/enabled.sls
View File

@@ -6,7 +6,7 @@
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %}
{% from 'vars/globals.map.jinja' import GLOBALS %}
{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
{% from 'docker/docker.map.jinja' import DOCKER %}
{% from 'nginx/map.jinja' import NGINXMERGED %}
include:
@@ -37,11 +37,11 @@ so-nginx:
- hostname: so-nginx
- networks:
- sobridge:
- ipv4_address: {{ DOCKERMERGED.containers[container_config].ip }}
- ipv4_address: {{ DOCKER.containers[container_config].ip }}
- extra_hosts:
- {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }}
{% if DOCKERMERGED.containers[container_config].extra_hosts %}
{% for XTRAHOST in DOCKERMERGED.containers[container_config].extra_hosts %}
{% if DOCKER.containers[container_config].extra_hosts %}
{% for XTRAHOST in DOCKER.containers[container_config].extra_hosts %}
- {{ XTRAHOST }}
{% endfor %}
{% endif %}
@@ -64,26 +64,26 @@ so-nginx:
- /opt/so/rules/nids/suri:/surirules:ro
{% endif %}
{% endif %}
{% if DOCKERMERGED.containers[container_config].custom_bind_mounts %}
{% for BIND in DOCKERMERGED.containers[container_config].custom_bind_mounts %}
{% if DOCKER.containers[container_config].custom_bind_mounts %}
{% for BIND in DOCKER.containers[container_config].custom_bind_mounts %}
- {{ BIND }}
{% endfor %}
{% endif %}
{% if DOCKERMERGED.containers[container_config].extra_env %}
{% if DOCKER.containers[container_config].extra_env %}
- environment:
{% for XTRAENV in DOCKERMERGED.containers[container_config].extra_env %}
{% for XTRAENV in DOCKER.containers[container_config].extra_env %}
- {{ XTRAENV }}
{% endfor %}
{% endif %}
{% if DOCKERMERGED.containers[container_config].ulimits %}
{% if DOCKER.containers[container_config].ulimits %}
- ulimits:
{% for ULIMIT in DOCKERMERGED.containers[container_config].ulimits %}
{% for ULIMIT in DOCKER.containers[container_config].ulimits %}
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
{% endfor %}
{% endif %}
- cap_add: NET_BIND_SERVICE
- port_bindings:
{% for BINDING in DOCKERMERGED.containers[container_config].port_bindings %}
{% for BINDING in DOCKER.containers[container_config].port_bindings %}
- {{ BINDING }}
{% endfor %}
- watch:

2
salt/nginx/etc/nginx.conf
View File

@@ -1,5 +1,5 @@
{%- from 'vars/globals.map.jinja' import GLOBALS %}
{%- from 'docker/docker.map.jinja' import DOCKERMERGED %}
{%- from 'docker/docker.map.jinja' import DOCKER %}
{%- from 'nginx/map.jinja' import NGINXMERGED %}
{%- set role = grains.id.split('_') | last %}
{%- set influxpass = salt['pillar.get']('secrets:influx_pass') %}

22
salt/redis/enabled.sls
View File

@@ -5,7 +5,7 @@
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %}
{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
{% from 'docker/docker.map.jinja' import DOCKER %}
{% from 'vars/globals.map.jinja' import GLOBALS %}
include:
@@ -21,9 +21,9 @@ so-redis:
- user: socore
- networks:
- sobridge:
- ipv4_address: {{ DOCKERMERGED.containers['so-redis'].ip }}
- ipv4_address: {{ DOCKER.containers['so-redis'].ip }}
- port_bindings:
{% for BINDING in DOCKERMERGED.containers['so-redis'].port_bindings %}
{% for BINDING in DOCKER.containers['so-redis'].port_bindings %}
- {{ BINDING }}
{% endfor %}
- binds:
@@ -34,26 +34,26 @@ so-redis:
- /etc/pki/redis.crt:/certs/redis.crt:ro
- /etc/pki/redis.key:/certs/redis.key:ro
- /etc/pki/tls/certs/intca.crt:/certs/ca.crt:ro
{% if DOCKERMERGED.containers['so-redis'].custom_bind_mounts %}
{% for BIND in DOCKERMERGED.containers['so-redis'].custom_bind_mounts %}
{% if DOCKER.containers['so-redis'].custom_bind_mounts %}
{% for BIND in DOCKER.containers['so-redis'].custom_bind_mounts %}
- {{ BIND }}
{% endfor %}
{% endif %}
{% if DOCKERMERGED.containers['so-redis'].extra_hosts %}
{% if DOCKER.containers['so-redis'].extra_hosts %}
- extra_hosts:
{% for XTRAHOST in DOCKERMERGED.containers['so-redis'].extra_hosts %}
{% for XTRAHOST in DOCKER.containers['so-redis'].extra_hosts %}
- {{ XTRAHOST }}
{% endfor %}
{% endif %}
{% if DOCKERMERGED.containers['so-redis'].extra_env %}
{% if DOCKER.containers['so-redis'].extra_env %}
- environment:
{% for XTRAENV in DOCKERMERGED.containers['so-redis'].extra_env %}
{% for XTRAENV in DOCKER.containers['so-redis'].extra_env %}
- {{ XTRAENV }}
{% endfor %}
{% endif %}
{% if DOCKERMERGED.containers['so-redis'].ulimits %}
{% if DOCKER.containers['so-redis'].ulimits %}
- ulimits:
{% for ULIMIT in DOCKERMERGED.containers['so-redis'].ulimits %}
{% for ULIMIT in DOCKER.containers['so-redis'].ulimits %}
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
{% endfor %}
{% endif %}

22
salt/registry/enabled.sls
View File

@@ -6,7 +6,7 @@
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %}
{% from 'vars/globals.map.jinja' import GLOBALS %}
{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
{% from 'docker/docker.map.jinja' import DOCKER %}
include:
- registry.ssl
@@ -20,10 +20,10 @@ so-dockerregistry:
- hostname: so-registry
- networks:
- sobridge:
- ipv4_address: {{ DOCKERMERGED.containers['so-dockerregistry'].ip }}
- ipv4_address: {{ DOCKER.containers['so-dockerregistry'].ip }}
- restart_policy: always
- port_bindings:
{% for BINDING in DOCKERMERGED.containers['so-dockerregistry'].port_bindings %}
{% for BINDING in DOCKER.containers['so-dockerregistry'].port_bindings %}
- {{ BINDING }}
{% endfor %}
- binds:
@@ -32,28 +32,28 @@ so-dockerregistry:
- /nsm/docker-registry/docker:/var/lib/registry/docker:rw
- /etc/pki/registry.crt:/etc/pki/registry.crt:ro
- /etc/pki/registry.key:/etc/pki/registry.key:ro
{% if DOCKERMERGED.containers['so-dockerregistry'].custom_bind_mounts %}
{% for BIND in DOCKERMERGED.containers['so-dockerregistry'].custom_bind_mounts %}
{% if DOCKER.containers['so-dockerregistry'].custom_bind_mounts %}
{% for BIND in DOCKER.containers['so-dockerregistry'].custom_bind_mounts %}
- {{ BIND }}
{% endfor %}
{% endif %}
{% if DOCKERMERGED.containers['so-dockerregistry'].extra_hosts %}
{% if DOCKER.containers['so-dockerregistry'].extra_hosts %}
- extra_hosts:
{% for XTRAHOST in DOCKERMERGED.containers['so-dockerregistry'].extra_hosts %}
{% for XTRAHOST in DOCKER.containers['so-dockerregistry'].extra_hosts %}
- {{ XTRAHOST }}
{% endfor %}
{% endif %}
- client_timeout: 180
- environment:
- HOME=/root
{% if DOCKERMERGED.containers['so-dockerregistry'].extra_env %}
{% for XTRAENV in DOCKERMERGED.containers['so-dockerregistry'].extra_env %}
{% if DOCKER.containers['so-dockerregistry'].extra_env %}
{% for XTRAENV in DOCKER.containers['so-dockerregistry'].extra_env %}
- {{ XTRAENV }}
{% endfor %}
{% endif %}
{% if DOCKERMERGED.containers['so-dockerregistry'].ulimits %}
{% if DOCKER.containers['so-dockerregistry'].ulimits %}
- ulimits:
{% for ULIMIT in DOCKERMERGED.containers['so-dockerregistry'].ulimits %}
{% for ULIMIT in DOCKER.containers['so-dockerregistry'].ulimits %}
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
{% endfor %}
{% endif %}

18
salt/sensoroni/enabled.sls
View File

@@ -4,7 +4,7 @@
# Elastic License 2.0.
{% from 'vars/globals.map.jinja' import GLOBALS %}
{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
{% from 'docker/docker.map.jinja' import DOCKER %}
include:
@@ -23,26 +23,26 @@ so-sensoroni:
- /opt/so/conf/sensoroni/templates:/opt/sensoroni/templates:ro
- /opt/so/log/sensoroni:/opt/sensoroni/logs:rw
- /nsm/suripcap/:/nsm/suripcap:rw
{% if DOCKERMERGED.containers['so-sensoroni'].custom_bind_mounts %}
{% for BIND in DOCKERMERGED.containers['so-sensoroni'].custom_bind_mounts %}
{% if DOCKER.containers['so-sensoroni'].custom_bind_mounts %}
{% for BIND in DOCKER.containers['so-sensoroni'].custom_bind_mounts %}
- {{ BIND }}
{% endfor %}
{% endif %}
{% if DOCKERMERGED.containers['so-sensoroni'].extra_hosts %}
{% if DOCKER.containers['so-sensoroni'].extra_hosts %}
- extra_hosts:
{% for XTRAHOST in DOCKERMERGED.containers['so-sensoroni'].extra_hosts %}
{% for XTRAHOST in DOCKER.containers['so-sensoroni'].extra_hosts %}
- {{ XTRAHOST }}
{% endfor %}
{% endif %}
{% if DOCKERMERGED.containers['so-sensoroni'].extra_env %}
{% if DOCKER.containers['so-sensoroni'].extra_env %}
- environment:
{% for XTRAENV in DOCKERMERGED.containers['so-sensoroni'].extra_env %}
{% for XTRAENV in DOCKER.containers['so-sensoroni'].extra_env %}
- {{ XTRAENV }}
{% endfor %}
{% endif %}
{% if DOCKERMERGED.containers['so-sensoroni'].ulimits %}
{% if DOCKER.containers['so-sensoroni'].ulimits %}
- ulimits:
{% for ULIMIT in DOCKERMERGED.containers['so-sensoroni'].ulimits %}
{% for ULIMIT in DOCKER.containers['so-sensoroni'].ulimits %}
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
{% endfor %}
{% endif %}

4
salt/soc/defaults.map.jinja
View File

@@ -5,7 +5,7 @@
{% import_yaml 'soc/defaults.yaml' as SOCDEFAULTS %}
{% from 'vars/globals.map.jinja' import GLOBALS %}
{% from 'docker/docker.map.jinja' import DOCKERMERGED -%}
{% from 'docker/docker.map.jinja' import DOCKER -%}
{% set INFLUXDB_TOKEN = salt['pillar.get']('influxdb:token') %}
{% import_text 'influxdb/metrics_link.txt' as METRICS_LINK %}
@@ -32,7 +32,7 @@
{% endif %}
{% endfor %}
{% do SOCDEFAULTS.soc.config.server.modules.statickeyauth.update({'anonymousCidr': DOCKERMERGED.range, 'apiKey': pillar.sensoroni.config.sensoronikey}) %}
{% do SOCDEFAULTS.soc.config.server.modules.statickeyauth.update({'anonymousCidr': DOCKER.range, 'apiKey': pillar.sensoroni.config.sensoronikey}) %}
{% do SOCDEFAULTS.soc.config.server.client.case.update({'analyzerNodeId': GLOBALS.hostname}) %}
{% do SOCDEFAULTS.soc.config.server.client.update({'exportNodeId': GLOBALS.hostname}) %}

18
salt/soc/enabled.sls
View File

@@ -6,7 +6,7 @@
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %}
{% from 'vars/globals.map.jinja' import GLOBALS %}
{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
{% from 'docker/docker.map.jinja' import DOCKER %}
{% from 'soc/merged.map.jinja' import DOCKER_EXTRA_HOSTS %}
{% from 'soc/merged.map.jinja' import SOCMERGED %}
@@ -22,7 +22,7 @@ so-soc:
- name: so-soc
- networks:
- sobridge:
- ipv4_address: {{ DOCKERMERGED.containers['so-soc'].ip }}
- ipv4_address: {{ DOCKER.containers['so-soc'].ip }}
- binds:
- /nsm/rules:/nsm/rules:rw
- /opt/so/conf/strelka:/opt/sensoroni/yara:rw
@@ -63,24 +63,24 @@ so-soc:
- {{hostname}}:{{ip}}
{% endfor %}
{% endfor %}
{% if DOCKERMERGED.containers['so-soc'].extra_hosts %}
{% for XTRAHOST in DOCKERMERGED.containers['so-soc'].extra_hosts %}
{% if DOCKER.containers['so-soc'].extra_hosts %}
{% for XTRAHOST in DOCKER.containers['so-soc'].extra_hosts %}
- {{ XTRAHOST }}
{% endfor %}
{% endif %}
- port_bindings:
{% for BINDING in DOCKERMERGED.containers['so-soc'].port_bindings %}
{% for BINDING in DOCKER.containers['so-soc'].port_bindings %}
- {{ BINDING }}
{% endfor %}
{% if DOCKERMERGED.containers['so-soc'].extra_env %}
{% if DOCKER.containers['so-soc'].extra_env %}
- environment:
{% for XTRAENV in DOCKERMERGED.containers['so-soc'].extra_env %}
{% for XTRAENV in DOCKER.containers['so-soc'].extra_env %}
- {{ XTRAENV }}
{% endfor %}
{% endif %}
{% if DOCKERMERGED.containers['so-soc'].ulimits %}
{% if DOCKER.containers['so-soc'].ulimits %}
- ulimits:
{% for ULIMIT in DOCKERMERGED.containers['so-soc'].ulimits %}
{% for ULIMIT in DOCKER.containers['so-soc'].ulimits %}
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
{% endfor %}
{% endif %}

20
salt/strelka/backend/enabled.sls
View File

@@ -5,7 +5,7 @@
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %}
{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
{% from 'docker/docker.map.jinja' import DOCKER %}
{% from 'vars/globals.map.jinja' import GLOBALS %}
include:
@@ -18,32 +18,32 @@ strelka_backend:
- binds:
- /opt/so/conf/strelka/backend/:/etc/strelka/:ro
- /opt/so/conf/strelka/rules/compiled/:/etc/yara/:ro
{% if DOCKERMERGED.containers['so-strelka-backend'].custom_bind_mounts %}
{% for BIND in DOCKERMERGED.containers['so-strelka-backend'].custom_bind_mounts %}
{% if DOCKER.containers['so-strelka-backend'].custom_bind_mounts %}
{% for BIND in DOCKER.containers['so-strelka-backend'].custom_bind_mounts %}
- {{ BIND }}
{% endfor %}
{% endif %}
- name: so-strelka-backend
- networks:
- sobridge:
- ipv4_address: {{ DOCKERMERGED.containers['so-strelka-backend'].ip }}
- ipv4_address: {{ DOCKER.containers['so-strelka-backend'].ip }}
- command: strelka-backend
- extra_hosts:
- {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
{% if DOCKERMERGED.containers['so-strelka-backend'].extra_hosts %}
{% for XTRAHOST in DOCKERMERGED.containers['so-strelka-backend'].extra_hosts %}
{% if DOCKER.containers['so-strelka-backend'].extra_hosts %}
{% for XTRAHOST in DOCKER.containers['so-strelka-backend'].extra_hosts %}
- {{ XTRAHOST }}
{% endfor %}
{% endif %}
{% if DOCKERMERGED.containers['so-strelka-backend'].extra_env %}
{% if DOCKER.containers['so-strelka-backend'].extra_env %}
- environment:
{% for XTRAENV in DOCKERMERGED.containers['so-strelka-backend'].extra_env %}
{% for XTRAENV in DOCKER.containers['so-strelka-backend'].extra_env %}
- {{ XTRAENV }}
{% endfor %}
{% endif %}
{% if DOCKERMERGED.containers['so-strelka-backend'].ulimits %}
{% if DOCKER.containers['so-strelka-backend'].ulimits %}
- ulimits:
{% for ULIMIT in DOCKERMERGED.containers['so-strelka-backend'].ulimits %}
{% for ULIMIT in DOCKER.containers['so-strelka-backend'].ulimits %}
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
{% endfor %}
{% endif %}

22
salt/strelka/coordinator/enabled.sls
View File

@@ -5,7 +5,7 @@
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %}
{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
{% from 'docker/docker.map.jinja' import DOCKER %}
{% from 'vars/globals.map.jinja' import GLOBALS %}
include:
@@ -18,35 +18,35 @@ strelka_coordinator:
- name: so-strelka-coordinator
- networks:
- sobridge:
- ipv4_address: {{ DOCKERMERGED.containers['so-strelka-coordinator'].ip }}
- ipv4_address: {{ DOCKER.containers['so-strelka-coordinator'].ip }}
- entrypoint: redis-server --save "" --appendonly no
- extra_hosts:
- {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
{% if DOCKERMERGED.containers['so-strelka-coordinator'].extra_hosts %}
{% for XTRAHOST in DOCKERMERGED.containers['so-strelka-coordinator'].extra_hosts %}
{% if DOCKER.containers['so-strelka-coordinator'].extra_hosts %}
{% for XTRAHOST in DOCKER.containers['so-strelka-coordinator'].extra_hosts %}
- {{ XTRAHOST }}
{% endfor %}
{% endif %}
- port_bindings:
{% for BINDING in DOCKERMERGED.containers['so-strelka-coordinator'].port_bindings %}
{% for BINDING in DOCKER.containers['so-strelka-coordinator'].port_bindings %}
- {{ BINDING }}
{% endfor %}
{% if DOCKERMERGED.containers['so-strelka-coordinator'].extra_env %}
{% if DOCKER.containers['so-strelka-coordinator'].extra_env %}
- environment:
{% for XTRAENV in DOCKERMERGED.containers['so-strelka-coordinator'].extra_env %}
{% for XTRAENV in DOCKER.containers['so-strelka-coordinator'].extra_env %}
- {{ XTRAENV }}
{% endfor %}
{% endif %}
- binds:
- /nsm/strelka/coord-redis-data:/data:rw
{% if DOCKERMERGED.containers['so-strelka-coordinator'].custom_bind_mounts %}
{% for BIND in DOCKERMERGED.containers['so-strelka-coordinator'].custom_bind_mounts %}
{% if DOCKER.containers['so-strelka-coordinator'].custom_bind_mounts %}
{% for BIND in DOCKER.containers['so-strelka-coordinator'].custom_bind_mounts %}
- {{ BIND }}
{% endfor %}
{% endif %}
{% if DOCKERMERGED.containers['so-strelka-coordinator'].ulimits %}
{% if DOCKER.containers['so-strelka-coordinator'].ulimits %}
- ulimits:
{% for ULIMIT in DOCKERMERGED.containers['so-strelka-coordinator'].ulimits %}
{% for ULIMIT in DOCKER.containers['so-strelka-coordinator'].ulimits %}
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
{% endfor %}
{% endif %}

20
salt/strelka/filestream/enabled.sls
View File

@@ -5,7 +5,7 @@
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %}
{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
{% from 'docker/docker.map.jinja' import DOCKER %}
{% from 'vars/globals.map.jinja' import GLOBALS %}
include:
@@ -18,32 +18,32 @@ strelka_filestream:
- binds:
- /opt/so/conf/strelka/filestream/:/etc/strelka/:ro
- /nsm/strelka:/nsm/strelka
{% if DOCKERMERGED.containers['so-strelka-filestream'].custom_bind_mounts %}
{% for BIND in DOCKERMERGED.containers['so-strelka-filestream'].custom_bind_mounts %}
{% if DOCKER.containers['so-strelka-filestream'].custom_bind_mounts %}
{% for BIND in DOCKER.containers['so-strelka-filestream'].custom_bind_mounts %}
- {{ BIND }}
{% endfor %}
{% endif %}
- name: so-strelka-filestream
- networks:
- sobridge:
- ipv4_address: {{ DOCKERMERGED.containers['so-strelka-filestream'].ip }}
- ipv4_address: {{ DOCKER.containers['so-strelka-filestream'].ip }}
- command: strelka-filestream
- extra_hosts:
- {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
{% if DOCKERMERGED.containers['so-strelka-filestream'].extra_hosts %}
{% for XTRAHOST in DOCKERMERGED.containers['so-strelka-filestream'].extra_hosts %}
{% if DOCKER.containers['so-strelka-filestream'].extra_hosts %}
{% for XTRAHOST in DOCKER.containers['so-strelka-filestream'].extra_hosts %}
- {{ XTRAHOST }}
{% endfor %}
{% endif %}
{% if DOCKERMERGED.containers['so-strelka-filestream'].extra_env %}
{% if DOCKER.containers['so-strelka-filestream'].extra_env %}
- environment:
{% for XTRAENV in DOCKERMERGED.containers['so-strelka-filestream'].extra_env %}
{% for XTRAENV in DOCKER.containers['so-strelka-filestream'].extra_env %}
- {{ XTRAENV }}
{% endfor %}
{% endif %}
{% if DOCKERMERGED.containers['so-strelka-filestream'].ulimits %}
{% if DOCKER.containers['so-strelka-filestream'].ulimits %}
- ulimits:
{% for ULIMIT in DOCKERMERGED.containers['so-strelka-filestream'].ulimits %}
{% for ULIMIT in DOCKER.containers['so-strelka-filestream'].ulimits %}
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
{% endfor %}
{% endif %}

22
salt/strelka/frontend/enabled.sls
View File

@@ -5,7 +5,7 @@
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %}
{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
{% from 'docker/docker.map.jinja' import DOCKER %}
{% from 'vars/globals.map.jinja' import GLOBALS %}
include:
@@ -18,8 +18,8 @@ strelka_frontend:
- binds:
- /opt/so/conf/strelka/frontend/:/etc/strelka/:ro
- /nsm/strelka/log/:/var/log/strelka/:rw
{% if DOCKERMERGED.containers['so-strelka-frontend'].custom_bind_mounts %}
{% for BIND in DOCKERMERGED.containers['so-strelka-frontend'].custom_bind_mounts %}
{% if DOCKER.containers['so-strelka-frontend'].custom_bind_mounts %}
{% for BIND in DOCKER.containers['so-strelka-frontend'].custom_bind_mounts %}
- {{ BIND }}
{% endfor %}
{% endif %}
@@ -27,28 +27,28 @@ strelka_frontend:
- name: so-strelka-frontend
- networks:
- sobridge:
- ipv4_address: {{ DOCKERMERGED.containers['so-strelka-frontend'].ip }}
- ipv4_address: {{ DOCKER.containers['so-strelka-frontend'].ip }}
- command: strelka-frontend
- extra_hosts:
- {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
{% if DOCKERMERGED.containers['so-strelka-frontend'].extra_hosts %}
{% for XTRAHOST in DOCKERMERGED.containers['so-strelka-frontend'].extra_hosts %}
{% if DOCKER.containers['so-strelka-frontend'].extra_hosts %}
{% for XTRAHOST in DOCKER.containers['so-strelka-frontend'].extra_hosts %}
- {{ XTRAHOST }}
{% endfor %}
{% endif %}
- port_bindings:
{% for BINDING in DOCKERMERGED.containers['so-strelka-frontend'].port_bindings %}
{% for BINDING in DOCKER.containers['so-strelka-frontend'].port_bindings %}
- {{ BINDING }}
{% endfor %}
{% if DOCKERMERGED.containers['so-strelka-frontend'].extra_env %}
{% if DOCKER.containers['so-strelka-frontend'].extra_env %}
- environment:
{% for XTRAENV in DOCKERMERGED.containers['so-strelka-frontend'].extra_env %}
{% for XTRAENV in DOCKER.containers['so-strelka-frontend'].extra_env %}
- {{ XTRAENV }}
{% endfor %}
{% endif %}
{% if DOCKERMERGED.containers['so-strelka-frontend'].ulimits %}
{% if DOCKER.containers['so-strelka-frontend'].ulimits %}
- ulimits:
{% for ULIMIT in DOCKERMERGED.containers['so-strelka-frontend'].ulimits %}
{% for ULIMIT in DOCKER.containers['so-strelka-frontend'].ulimits %}
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
{% endfor %}
{% endif %}

22
salt/strelka/gatekeeper/enabled.sls
View File

@@ -5,7 +5,7 @@
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %}
{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
{% from 'docker/docker.map.jinja' import DOCKER %}
{% from 'vars/globals.map.jinja' import GLOBALS %}
include:
@@ -18,35 +18,35 @@ strelka_gatekeeper:
- name: so-strelka-gatekeeper
- networks:
- sobridge:
- ipv4_address: {{ DOCKERMERGED.containers['so-strelka-gatekeeper'].ip }}
- ipv4_address: {{ DOCKER.containers['so-strelka-gatekeeper'].ip }}
- entrypoint: redis-server --save "" --appendonly no --maxmemory-policy allkeys-lru
- extra_hosts:
- {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
{% if DOCKERMERGED.containers['so-strelka-gatekeeper'].extra_hosts %}
{% for XTRAHOST in DOCKERMERGED.containers['so-strelka-gatekeeper'].extra_hosts %}
{% if DOCKER.containers['so-strelka-gatekeeper'].extra_hosts %}
{% for XTRAHOST in DOCKER.containers['so-strelka-gatekeeper'].extra_hosts %}
- {{ XTRAHOST }}
{% endfor %}
{% endif %}
- port_bindings:
{% for BINDING in DOCKERMERGED.containers['so-strelka-gatekeeper'].port_bindings %}
{% for BINDING in DOCKER.containers['so-strelka-gatekeeper'].port_bindings %}
- {{ BINDING }}
{% endfor %}
- binds:
- /nsm/strelka/gk-redis-data:/data:rw
{% if DOCKERMERGED.containers['so-strelka-gatekeeper'].custom_bind_mounts %}
{% for BIND in DOCKERMERGED.containers['so-strelka-gatekeeper'].custom_bind_mounts %}
{% if DOCKER.containers['so-strelka-gatekeeper'].custom_bind_mounts %}
{% for BIND in DOCKER.containers['so-strelka-gatekeeper'].custom_bind_mounts %}
- {{ BIND }}
{% endfor %}
{% endif %}
{% if DOCKERMERGED.containers['so-strelka-gatekeeper'].extra_env %}
{% if DOCKER.containers['so-strelka-gatekeeper'].extra_env %}
- environment:
{% for XTRAENV in DOCKERMERGED.containers['so-strelka-gatekeeper'].extra_env %}
{% for XTRAENV in DOCKER.containers['so-strelka-gatekeeper'].extra_env %}
- {{ XTRAENV }}
{% endfor %}
{% endif %}
{% if DOCKERMERGED.containers['so-strelka-gatekeeper'].ulimits %}
{% if DOCKER.containers['so-strelka-gatekeeper'].ulimits %}
- ulimits:
{% for ULIMIT in DOCKERMERGED.containers['so-strelka-gatekeeper'].ulimits %}
{% for ULIMIT in DOCKER.containers['so-strelka-gatekeeper'].ulimits %}
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
{% endfor %}
{% endif %}

20
salt/strelka/manager/enabled.sls
View File

@@ -5,7 +5,7 @@
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %}
{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
{% from 'docker/docker.map.jinja' import DOCKER %}
{% from 'vars/globals.map.jinja' import GLOBALS %}
include:
@@ -17,32 +17,32 @@ strelka_manager:
- image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-strelka-manager:{{ GLOBALS.so_version }}
- binds:
- /opt/so/conf/strelka/manager/:/etc/strelka/:ro
{% if DOCKERMERGED.containers['so-strelka-manager'].custom_bind_mounts %}
{% for BIND in DOCKERMERGED.containers['so-strelka-manager'].custom_bind_mounts %}
{% if DOCKER.containers['so-strelka-manager'].custom_bind_mounts %}
{% for BIND in DOCKER.containers['so-strelka-manager'].custom_bind_mounts %}
- {{ BIND }}
{% endfor %}
{% endif %}
- name: so-strelka-manager
- networks:
- sobridge:
- ipv4_address: {{ DOCKERMERGED.containers['so-strelka-manager'].ip }}
- ipv4_address: {{ DOCKER.containers['so-strelka-manager'].ip }}
- command: strelka-manager
- extra_hosts:
- {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
{% if DOCKERMERGED.containers['so-strelka-manager'].extra_hosts %}
{% for XTRAHOST in DOCKERMERGED.containers['so-strelka-manager'].extra_hosts %}
{% if DOCKER.containers['so-strelka-manager'].extra_hosts %}
{% for XTRAHOST in DOCKER.containers['so-strelka-manager'].extra_hosts %}
- {{ XTRAHOST }}
{% endfor %}
{% endif %}
{% if DOCKERMERGED.containers['so-strelka-manager'].extra_env %}
{% if DOCKER.containers['so-strelka-manager'].extra_env %}
- environment:
{% for XTRAENV in DOCKERMERGED.containers['so-strelka-manager'].extra_env %}
{% for XTRAENV in DOCKER.containers['so-strelka-manager'].extra_env %}
- {{ XTRAENV }}
{% endfor %}
{% endif %}
{% if DOCKERMERGED.containers['so-strelka-manager'].ulimits %}
{% if DOCKER.containers['so-strelka-manager'].ulimits %}
- ulimits:
{% for ULIMIT in DOCKERMERGED.containers['so-strelka-manager'].ulimits %}
{% for ULIMIT in DOCKER.containers['so-strelka-manager'].ulimits %}
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
{% endfor %}
{% endif %}

18
salt/suricata/enabled.sls
View File

@@ -6,7 +6,7 @@
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %}
{% from 'vars/globals.map.jinja' import GLOBALS %}
{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
{% from 'docker/docker.map.jinja' import DOCKER %}
{% from 'suricata/map.jinja' import SURICATAMERGED %}
@@ -20,15 +20,15 @@ so-suricata:
- privileged: True
- environment:
- INTERFACE={{ GLOBALS.sensor.interface }}
{% if DOCKERMERGED.containers['so-suricata'].extra_env %}
{% for XTRAENV in DOCKERMERGED.containers['so-suricata'].extra_env %}
{% if DOCKER.containers['so-suricata'].extra_env %}
{% for XTRAENV in DOCKER.containers['so-suricata'].extra_env %}
- {{ XTRAENV }}
{% endfor %}
{% endif %}
{# we look at SURICATAMERGED.config['af-packet'][0] since we only allow one interface and therefore always the first list item #}
{% if SURICATAMERGED.config['af-packet'][0]['mmap-locked'] == "yes" and DOCKERMERGED.containers['so-suricata'].ulimits %}
{% if SURICATAMERGED.config['af-packet'][0]['mmap-locked'] == "yes" and DOCKER.containers['so-suricata'].ulimits %}
- ulimits:
{% for ULIMIT in DOCKERMERGED.containers['so-suricata'].ulimits %}
{% for ULIMIT in DOCKER.containers['so-suricata'].ulimits %}
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
{% endfor %}
{% endif %}
@@ -42,15 +42,15 @@ so-suricata:
- /nsm/suricata/extracted:/var/log/suricata//filestore:rw
- /opt/so/conf/suricata/bpf:/etc/suricata/bpf:ro
- /nsm/suripcap/:/nsm/suripcap:rw
{% if DOCKERMERGED.containers['so-suricata'].custom_bind_mounts %}
{% for BIND in DOCKERMERGED.containers['so-suricata'].custom_bind_mounts %}
{% if DOCKER.containers['so-suricata'].custom_bind_mounts %}
{% for BIND in DOCKER.containers['so-suricata'].custom_bind_mounts %}
- {{ BIND }}
{% endfor %}
{% endif %}
- network_mode: host
{% if DOCKERMERGED.containers['so-suricata'].extra_hosts %}
{% if DOCKER.containers['so-suricata'].extra_hosts %}
- extra_hosts:
{% for XTRAHOST in DOCKERMERGED.containers['so-suricata'].extra_hosts %}
{% for XTRAHOST in DOCKER.containers['so-suricata'].extra_hosts %}
- {{ XTRAHOST }}
{% endfor %}
{% endif %}

18
salt/telegraf/enabled.sls
View File

@@ -6,7 +6,7 @@
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %}
{% from 'vars/globals.map.jinja' import GLOBALS %}
{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
{% from 'docker/docker.map.jinja' import DOCKER %}
{% from 'telegraf/map.jinja' import TELEGRAFMERGED %}
include:
@@ -25,8 +25,8 @@ so-telegraf:
- HOST_SYS=/host/sys
- HOST_MOUNT_PREFIX=/host
- GODEBUG=x509ignoreCN=0
{% if DOCKERMERGED.containers['so-telegraf'].extra_env %}
{% for XTRAENV in DOCKERMERGED.containers['so-telegraf'].extra_env %}
{% if DOCKER.containers['so-telegraf'].extra_env %}
{% for XTRAENV in DOCKER.containers['so-telegraf'].extra_env %}
- {{ XTRAENV }}
{% endfor %}
{% endif %}
@@ -55,20 +55,20 @@ so-telegraf:
{% if GLOBALS.is_manager or GLOBALS.role == 'so-heavynode' %}
- /opt/so/conf/telegraf/etc/escurl.config:/etc/telegraf/elasticsearch.config:ro
{% endif %}
{% if DOCKERMERGED.containers['so-telegraf'].custom_bind_mounts %}
{% for BIND in DOCKERMERGED.containers['so-telegraf'].custom_bind_mounts %}
{% if DOCKER.containers['so-telegraf'].custom_bind_mounts %}
{% for BIND in DOCKER.containers['so-telegraf'].custom_bind_mounts %}
- {{ BIND }}
{% endfor %}
{% endif %}
{% if DOCKERMERGED.containers['so-telegraf'].extra_hosts %}
{% if DOCKER.containers['so-telegraf'].extra_hosts %}
- extra_hosts:
{% for XTRAHOST in DOCKERMERGED.containers['so-telegraf'].extra_hosts %}
{% for XTRAHOST in DOCKER.containers['so-telegraf'].extra_hosts %}
- {{ XTRAHOST }}
{% endfor %}
{% endif %}
{% if DOCKERMERGED.containers['so-telegraf'].ulimits %}
{% if DOCKER.containers['so-telegraf'].ulimits %}
- ulimits:
{% for ULIMIT in DOCKERMERGED.containers['so-telegraf'].ulimits %}
{% for ULIMIT in DOCKER.containers['so-telegraf'].ulimits %}
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
{% endfor %}
{% endif %}

6
salt/vars/globals.map.jinja
View File

@@ -1,5 +1,5 @@
{% import 'vars/init.map.jinja' as INIT %}
{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
{% from 'docker/docker.map.jinja' import DOCKER %}
{% from 'global/map.jinja' import GLOBALMERGED %}
{% from 'vars/' ~ INIT.GRAINS.role.split('-')[1] ~ '.map.jinja' import ROLE_GLOBALS %} {# role is so-role so we have to split off the 'so' #}
@@ -25,8 +25,8 @@
'pcap_engine': GLOBALMERGED.pcapengine,
'pipeline': GLOBALMERGED.pipeline,
'so_version': INIT.PILLAR.global.soversion,
'so_docker_gateway': DOCKERMERGED.gateway,
'so_docker_range': DOCKERMERGED.range,
'so_docker_gateway': DOCKER.gateway,
'so_docker_range': DOCKER.range,
'url_base': INIT.PILLAR.global.url_base,
'so_model': INIT.GRAINS.get('sosmodel',''),
'sensoroni_key': INIT.PILLAR.sensoroni.config.sensoronikey,

18
salt/zeek/enabled.sls
View File

@@ -6,7 +6,7 @@
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %}
{% from 'vars/globals.map.jinja' import GLOBALS %}
{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
{% from 'docker/docker.map.jinja' import DOCKER %}
include:
@@ -18,9 +18,9 @@ so-zeek:
- image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-zeek:{{ GLOBALS.so_version }}
- start: True
- privileged: True
{% if DOCKERMERGED.containers['so-zeek'].ulimits %}
{% if DOCKER.containers['so-zeek'].ulimits %}
- ulimits:
{% for ULIMIT in DOCKERMERGED.containers['so-zeek'].ulimits %}
{% for ULIMIT in DOCKER.containers['so-zeek'].ulimits %}
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
{% endfor %}
{% endif %}
@@ -39,21 +39,21 @@ so-zeek:
- /opt/so/conf/zeek/bpf:/opt/zeek/etc/bpf:ro
- /opt/so/conf/zeek/config.zeek:/opt/zeek/share/zeek/site/packages/ja4/config.zeek:ro
- /opt/so/conf/zeek/zkg:/opt/so/conf/zeek/zkg:ro
{% if DOCKERMERGED.containers['so-zeek'].custom_bind_mounts %}
{% for BIND in DOCKERMERGED.containers['so-zeek'].custom_bind_mounts %}
{% if DOCKER.containers['so-zeek'].custom_bind_mounts %}
{% for BIND in DOCKER.containers['so-zeek'].custom_bind_mounts %}
- {{ BIND }}
{% endfor %}
{% endif %}
- network_mode: host
{% if DOCKERMERGED.containers['so-zeek'].extra_hosts %}
{% if DOCKER.containers['so-zeek'].extra_hosts %}
- extra_hosts:
{% for XTRAHOST in DOCKERMERGED.containers['so-zeek'].extra_hosts %}
{% for XTRAHOST in DOCKER.containers['so-zeek'].extra_hosts %}
- {{ XTRAHOST }}
{% endfor %}
{% endif %}
{% if DOCKERMERGED.containers['so-zeek'].extra_env %}
{% if DOCKER.containers['so-zeek'].extra_env %}
- environment:
{% for XTRAENV in DOCKERMERGED.containers['so-zeek'].extra_env %}
{% for XTRAENV in DOCKER.containers['so-zeek'].extra_env %}
- {{ XTRAENV }}
{% endfor %}
{% endif %}