

12 Commits

Josh Patterson
057ec6f0f1 ensure valid ulimit names 2026-03-18 12:49:46 -04:00
Josh Patterson
cacae12ba3 remove .jinja from daemon.json 2026-03-18 11:08:33 -04:00
Josh Patterson
e19e83bebb allow user defined ulimits 2026-03-18 10:38:15 -04:00
Josh Patterson
341471d38e DOCKER to DOCKERMERGED 2026-03-17 16:19:36 -04:00
Josh Patterson
2349750e13 DOCKER to DOCKERMERGED 2026-03-17 16:19:02 -04:00
Josh Patterson
00986dc2fd Merge remote-tracking branch 'origin/delta' into customulimit 2026-03-17 16:04:09 -04:00
Josh Patterson
d60bef1371 add spft/hard ulimits 2026-03-17 16:00:09 -04:00
Josh Patterson
5806a85214 Merge pull request #15629 from Security-Onion-Solutions/ulimits
Add customizable ulimit settings for all Docker containers
2026-03-17 15:14:31 -04:00
Mike Reeves
2d97dfc8a1 Add customizable ulimit settings for all Docker containers
Add ulimits as a configurable advanced setting for every container,
allowing customization through the web UI. Move hardcoded ulimits
from elasticsearch and zeek into defaults.yaml and fix elasticsearch
ulimits that were incorrectly nested under the environment key.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-17 15:10:42 -04:00
Josh Patterson
d6263812a6 move daemon.json to docker/files 2026-03-17 15:09:09 -04:00
Josh Patterson
ef7d1771ab DOCKER TO DOCKERMERGED 2026-03-17 15:08:10 -04:00
Josh Patterson
4dc377c99f DOCKER to DOCKERMERGED 2026-03-17 15:06:06 -04:00
36 changed files with 307 additions and 302 deletions


@@ -1,7 +1,7 @@
docker: docker:
range: '172.17.1.0/24' range: '172.17.1.0/24'
gateway: '172.17.1.1' gateway: '172.17.1.1'
default_ulimits: ulimits:
- name: nofile - name: nofile
soft: 1048576 soft: 1048576
hard: 1048576 hard: 1048576


@@ -1,8 +1,8 @@
{% import_yaml 'docker/defaults.yaml' as DOCKERDEFAULTS %} {% import_yaml 'docker/defaults.yaml' as DOCKERDEFAULTS %}
{% set DOCKER = salt['pillar.get']('docker', DOCKERDEFAULTS.docker, merge=True) %} {% set DOCKERMERGED = salt['pillar.get']('docker', DOCKERDEFAULTS.docker, merge=True) %}
{% set RANGESPLIT = DOCKER.range.split('.') %} {% set RANGESPLIT = DOCKERMERGED.range.split('.') %}
{% set FIRSTTHREE = RANGESPLIT[0] ~ '.' ~ RANGESPLIT[1] ~ '.' ~ RANGESPLIT[2] ~ '.' %} {% set FIRSTTHREE = RANGESPLIT[0] ~ '.' ~ RANGESPLIT[1] ~ '.' ~ RANGESPLIT[2] ~ '.' %}
{% for container, vals in DOCKER.containers.items() %} {% for container, vals in DOCKERMERGED.containers.items() %}
{% do DOCKER.containers[container].update({'ip': FIRSTTHREE ~ DOCKER.containers[container].final_octet}) %} {% do DOCKERMERGED.containers[container].update({'ip': FIRSTTHREE ~ DOCKERMERGED.containers[container].final_octet}) %}
{% endfor %} {% endfor %}


@@ -1,4 +1,4 @@
{% from 'docker/docker.map.jinja' import DOCKER -%} {% from 'docker/docker.map.jinja' import DOCKERMERGED -%}
{ {
"registry-mirrors": [ "registry-mirrors": [
"https://:5000" "https://:5000"
@@ -10,9 +10,9 @@
"size": 24 "size": 24
} }
] ]
{%- if DOCKER.default_ulimits %}, {%- if DOCKERMERGED.ulimits %},
"default-ulimits": { "default-ulimits": {
{%- for ULIMIT in DOCKER.default_ulimits %} {%- for ULIMIT in DOCKERMERGED.ulimits %}
"{{ ULIMIT.name }}": { "{{ ULIMIT.name }}": {
"Name": "{{ ULIMIT.name }}", "Name": "{{ ULIMIT.name }}",
"Soft": {{ ULIMIT.soft }}, "Soft": {{ ULIMIT.soft }},


@@ -3,7 +3,7 @@
# https://securityonion.net/license; you may not use this file except in compliance with the # https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0. # Elastic License 2.0.
{% from 'docker/docker.map.jinja' import DOCKER %} {% from 'docker/docker.map.jinja' import DOCKERMERGED %}
{% from 'vars/globals.map.jinja' import GLOBALS %} {% from 'vars/globals.map.jinja' import GLOBALS %}
# docker service requires the ca.crt # docker service requires the ca.crt
@@ -41,10 +41,9 @@ dockeretc:
file.directory: file.directory:
- name: /etc/docker - name: /etc/docker
# Manager daemon.json
docker_daemon: docker_daemon:
file.managed: file.managed:
- source: salt://common/files/daemon.json - source: salt://docker/files/daemon.json.jinja
- name: /etc/docker/daemon.json - name: /etc/docker/daemon.json
- template: jinja - template: jinja
@@ -75,8 +74,8 @@ dockerreserveports:
sos_docker_net: sos_docker_net:
docker_network.present: docker_network.present:
- name: sobridge - name: sobridge
- subnet: {{ DOCKER.range }} - subnet: {{ DOCKERMERGED.range }}
- gateway: {{ DOCKER.gateway }} - gateway: {{ DOCKERMERGED.gateway }}
- options: - options:
com.docker.network.bridge.name: 'sobridge' com.docker.network.bridge.name: 'sobridge'
com.docker.network.driver.mtu: '1500' com.docker.network.driver.mtu: '1500'
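Review bot: The `docker_daemon` state in the second hunk now renders daemon.json from `salt://docker/files/daemon.json.jinja`, but the one-line comment above it (`# Manager daemon.json`) was dropped with the move, leaving the state undocumented just as the template gained the daemon-wide default-ulimits. Suggest restoring a comment such as `# /etc/docker/daemon.json (registry mirror, default-ulimits) rendered from DOCKERMERGED`. If nothing in this file watches the managed file (the docker service state is outside these hunks), edited default ulimits only take effect after a daemon restart, which is worth stating in that comment too.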


@@ -7,16 +7,19 @@ docker:
description: Default docker IP range for containers. description: Default docker IP range for containers.
helpLink: docker.html helpLink: docker.html
advanced: True advanced: True
default_ulimits: ulimits:
description: Default ulimit settings applied to all containers via the Docker daemon. Each entry specifies a resource name (e.g. nofile, memlock, core, nproc) with soft and hard limits. Individual container ulimits override these defaults. description: |
advanced: True Default ulimit settings applied to all containers via the Docker daemon. Each entry specifies a resource name (e.g. nofile, memlock, core, nproc) with soft and hard limits. Individual container ulimits override these defaults. Valid resource names include: cpu, fsize, data, stack, core, rss, nproc, nofile, memlock, as, locks, sigpending, msgqueue, nice, rtprio, rttime.
helpLink: docker.html
forcedType: "[]{}" forcedType: "[]{}"
syntax: json syntax: json
advanced: True
helpLink: docker.html
uiElements: uiElements:
- field: name - field: name
label: Resource Name label: Resource Name
required: True required: True
regex: ^(cpu|fsize|data|stack|core|rss|nproc|nofile|memlock|as|locks|sigpending|msgqueue|nice|rtprio|rttime)$
regexFailureMessage: You must enter a valid ulimit name (cpu, fsize, data, stack, core, rss, nproc, nofile, memlock, as, locks, sigpending, msgqueue, nice, rtprio, rttime).
- field: soft - field: soft
label: Soft Limit label: Soft Limit
forcedType: int forcedType: int
@@ -56,7 +59,8 @@ docker:
multiline: True multiline: True
forcedType: "[]string" forcedType: "[]string"
ulimits: ulimits:
description: Ulimit settings for the container. Each entry specifies a resource name (e.g. nofile, memlock, core, nproc) with optional soft and hard limits. description: |
Ulimit settings for the container. Each entry specifies a resource name (e.g. nofile, memlock, core, nproc) with optional soft and hard limits. Valid resource names include: cpu, fsize, data, stack, core, rss, nproc, nofile, memlock, as, locks, sigpending, msgqueue, nice, rtprio, rttime.
advanced: True advanced: True
helpLink: docker.html helpLink: docker.html
forcedType: "[]{}" forcedType: "[]{}"
@@ -65,6 +69,8 @@ docker:
- field: name - field: name
label: Resource Name label: Resource Name
required: True required: True
regex: ^(cpu|fsize|data|stack|core|rss|nproc|nofile|memlock|as|locks|sigpending|msgqueue|nice|rtprio|rttime)$
regexFailureMessage: You must enter a valid ulimit name (cpu, fsize, data, stack, core, rss, nproc, nofile, memlock, as, locks, sigpending, msgqueue, nice, rtprio, rttime).
- field: soft - field: soft
label: Soft Limit label: Soft Limit
forcedType: int forcedType: int
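Review bot: The per-container description in the second hunk says soft and hard limits are optional, but the container states render `{{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}` unconditionally (see the elastalert section below), so an entry that omits one yields `nofile=:1048576`, which Docker rejects. Either add `required: True` to the soft and hard uiElements as the name already has, or reword to `with soft and hard limits` to match the daemon-level description. The new `regex` on the resource name is UI-side validation only, and the allow-list is now duplicated in six places (two regexes, two failure messages, two descriptions), so it will drift; a single anchored value or dropping the list from the descriptions would help. I also believe Docker's ulimit parser does not accept `as`, which the regex allows — worth confirming against dockerd before shipping the list.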


@@ -6,7 +6,7 @@
{% from 'allowed_states.map.jinja' import allowed_states %} {% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %} {% if sls.split('.')[0] in allowed_states %}
{% from 'vars/globals.map.jinja' import GLOBALS %} {% from 'vars/globals.map.jinja' import GLOBALS %}
{% from 'docker/docker.map.jinja' import DOCKER %} {% from 'docker/docker.map.jinja' import DOCKERMERGED %}
include: include:
- elastalert.config - elastalert.config
@@ -24,7 +24,7 @@ so-elastalert:
- user: so-elastalert - user: so-elastalert
- networks: - networks:
- sobridge: - sobridge:
- ipv4_address: {{ DOCKER.containers['so-elastalert'].ip }} - ipv4_address: {{ DOCKERMERGED.containers['so-elastalert'].ip }}
- detach: True - detach: True
- binds: - binds:
- /opt/so/rules/elastalert:/opt/elastalert/rules/:ro - /opt/so/rules/elastalert:/opt/elastalert/rules/:ro
@@ -33,27 +33,27 @@ so-elastalert:
- /opt/so/conf/elastalert/predefined/:/opt/elastalert/predefined/:ro - /opt/so/conf/elastalert/predefined/:/opt/elastalert/predefined/:ro
- /opt/so/conf/elastalert/custom/:/opt/elastalert/custom/:ro - /opt/so/conf/elastalert/custom/:/opt/elastalert/custom/:ro
- /opt/so/conf/elastalert/elastalert_config.yaml:/opt/elastalert/config.yaml:ro - /opt/so/conf/elastalert/elastalert_config.yaml:/opt/elastalert/config.yaml:ro
{% if DOCKER.containers['so-elastalert'].custom_bind_mounts %} {% if DOCKERMERGED.containers['so-elastalert'].custom_bind_mounts %}
{% for BIND in DOCKER.containers['so-elastalert'].custom_bind_mounts %} {% for BIND in DOCKERMERGED.containers['so-elastalert'].custom_bind_mounts %}
- {{ BIND }} - {{ BIND }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
- extra_hosts: - extra_hosts:
- {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }} - {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }}
{% if DOCKER.containers['so-elastalert'].extra_hosts %} {% if DOCKERMERGED.containers['so-elastalert'].extra_hosts %}
{% for XTRAHOST in DOCKER.containers['so-elastalert'].extra_hosts %} {% for XTRAHOST in DOCKERMERGED.containers['so-elastalert'].extra_hosts %}
- {{ XTRAHOST }} - {{ XTRAHOST }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
{% if DOCKER.containers['so-elastalert'].extra_env %} {% if DOCKERMERGED.containers['so-elastalert'].extra_env %}
- environment: - environment:
{% for XTRAENV in DOCKER.containers['so-elastalert'].extra_env %} {% for XTRAENV in DOCKERMERGED.containers['so-elastalert'].extra_env %}
- {{ XTRAENV }} - {{ XTRAENV }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
{% if DOCKER.containers['so-elastalert'].ulimits %} {% if DOCKERMERGED.containers['so-elastalert'].ulimits %}
- ulimits: - ulimits:
{% for ULIMIT in DOCKER.containers['so-elastalert'].ulimits %} {% for ULIMIT in DOCKERMERGED.containers['so-elastalert'].ulimits %}
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }} - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}


@@ -6,7 +6,7 @@
{% from 'allowed_states.map.jinja' import allowed_states %} {% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %} {% if sls.split('.')[0] in allowed_states %}
{% from 'vars/globals.map.jinja' import GLOBALS %} {% from 'vars/globals.map.jinja' import GLOBALS %}
{% from 'docker/docker.map.jinja' import DOCKER %} {% from 'docker/docker.map.jinja' import DOCKERMERGED %}
include: include:
- elastic-fleet-package-registry.config - elastic-fleet-package-registry.config
@@ -21,33 +21,33 @@ so-elastic-fleet-package-registry:
- user: 948 - user: 948
- networks: - networks:
- sobridge: - sobridge:
- ipv4_address: {{ DOCKER.containers['so-elastic-fleet-package-registry'].ip }} - ipv4_address: {{ DOCKERMERGED.containers['so-elastic-fleet-package-registry'].ip }}
- extra_hosts: - extra_hosts:
- {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }} - {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
{% if DOCKER.containers['so-elastic-fleet-package-registry'].extra_hosts %} {% if DOCKERMERGED.containers['so-elastic-fleet-package-registry'].extra_hosts %}
{% for XTRAHOST in DOCKER.containers['so-elastic-fleet-package-registry'].extra_hosts %} {% for XTRAHOST in DOCKERMERGED.containers['so-elastic-fleet-package-registry'].extra_hosts %}
- {{ XTRAHOST }} - {{ XTRAHOST }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
- port_bindings: - port_bindings:
{% for BINDING in DOCKER.containers['so-elastic-fleet-package-registry'].port_bindings %} {% for BINDING in DOCKERMERGED.containers['so-elastic-fleet-package-registry'].port_bindings %}
- {{ BINDING }} - {{ BINDING }}
{% endfor %} {% endfor %}
{% if DOCKER.containers['so-elastic-fleet-package-registry'].custom_bind_mounts %} {% if DOCKERMERGED.containers['so-elastic-fleet-package-registry'].custom_bind_mounts %}
- binds: - binds:
{% for BIND in DOCKER.containers['so-elastic-fleet-package-registry'].custom_bind_mounts %} {% for BIND in DOCKERMERGED.containers['so-elastic-fleet-package-registry'].custom_bind_mounts %}
- {{ BIND }} - {{ BIND }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
{% if DOCKER.containers['so-elastic-fleet-package-registry'].extra_env %} {% if DOCKERMERGED.containers['so-elastic-fleet-package-registry'].extra_env %}
- environment: - environment:
{% for XTRAENV in DOCKER.containers['so-elastic-fleet-package-registry'].extra_env %} {% for XTRAENV in DOCKERMERGED.containers['so-elastic-fleet-package-registry'].extra_env %}
- {{ XTRAENV }} - {{ XTRAENV }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
{% if DOCKER.containers['so-elastic-fleet-package-registry'].ulimits %} {% if DOCKERMERGED.containers['so-elastic-fleet-package-registry'].ulimits %}
- ulimits: - ulimits:
{% for ULIMIT in DOCKER.containers['so-elastic-fleet-package-registry'].ulimits %} {% for ULIMIT in DOCKERMERGED.containers['so-elastic-fleet-package-registry'].ulimits %}
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }} - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}


@@ -6,7 +6,7 @@
{% from 'allowed_states.map.jinja' import allowed_states %} {% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %} {% if sls.split('.')[0] in allowed_states %}
{% from 'vars/globals.map.jinja' import GLOBALS %} {% from 'vars/globals.map.jinja' import GLOBALS %}
{% from 'docker/docker.map.jinja' import DOCKER %} {% from 'docker/docker.map.jinja' import DOCKERMERGED %}
include: include:
- ca - ca
@@ -22,17 +22,17 @@ so-elastic-agent:
- user: 949 - user: 949
- networks: - networks:
- sobridge: - sobridge:
- ipv4_address: {{ DOCKER.containers['so-elastic-agent'].ip }} - ipv4_address: {{ DOCKERMERGED.containers['so-elastic-agent'].ip }}
- extra_hosts: - extra_hosts:
- {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }} - {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }}
- {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }} - {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
{% if DOCKER.containers['so-elastic-agent'].extra_hosts %} {% if DOCKERMERGED.containers['so-elastic-agent'].extra_hosts %}
{% for XTRAHOST in DOCKER.containers['so-elastic-agent'].extra_hosts %} {% for XTRAHOST in DOCKERMERGED.containers['so-elastic-agent'].extra_hosts %}
- {{ XTRAHOST }} - {{ XTRAHOST }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
- port_bindings: - port_bindings:
{% for BINDING in DOCKER.containers['so-elastic-agent'].port_bindings %} {% for BINDING in DOCKERMERGED.containers['so-elastic-agent'].port_bindings %}
- {{ BINDING }} - {{ BINDING }}
{% endfor %} {% endfor %}
- binds: - binds:
@@ -41,22 +41,22 @@ so-elastic-agent:
- /etc/pki/tls/certs/intca.crt:/etc/pki/tls/certs/intca.crt:ro - /etc/pki/tls/certs/intca.crt:/etc/pki/tls/certs/intca.crt:ro
- /nsm:/nsm:ro - /nsm:/nsm:ro
- /opt/so/log:/opt/so/log:ro - /opt/so/log:/opt/so/log:ro
{% if DOCKER.containers['so-elastic-agent'].custom_bind_mounts %} {% if DOCKERMERGED.containers['so-elastic-agent'].custom_bind_mounts %}
{% for BIND in DOCKER.containers['so-elastic-agent'].custom_bind_mounts %} {% for BIND in DOCKERMERGED.containers['so-elastic-agent'].custom_bind_mounts %}
- {{ BIND }} - {{ BIND }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
- environment: - environment:
- FLEET_CA=/etc/pki/tls/certs/intca.crt - FLEET_CA=/etc/pki/tls/certs/intca.crt
- LOGS_PATH=logs - LOGS_PATH=logs
{% if DOCKER.containers['so-elastic-agent'].extra_env %} {% if DOCKERMERGED.containers['so-elastic-agent'].extra_env %}
{% for XTRAENV in DOCKER.containers['so-elastic-agent'].extra_env %} {% for XTRAENV in DOCKERMERGED.containers['so-elastic-agent'].extra_env %}
- {{ XTRAENV }} - {{ XTRAENV }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
{% if DOCKER.containers['so-elastic-agent'].ulimits %} {% if DOCKERMERGED.containers['so-elastic-agent'].ulimits %}
- ulimits: - ulimits:
{% for ULIMIT in DOCKER.containers['so-elastic-agent'].ulimits %} {% for ULIMIT in DOCKERMERGED.containers['so-elastic-agent'].ulimits %}
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }} - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}


@@ -6,7 +6,7 @@
{% from 'allowed_states.map.jinja' import allowed_states %} {% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %} {% if sls.split('.')[0] in allowed_states %}
{% from 'vars/globals.map.jinja' import GLOBALS %} {% from 'vars/globals.map.jinja' import GLOBALS %}
{% from 'docker/docker.map.jinja' import DOCKER %} {% from 'docker/docker.map.jinja' import DOCKERMERGED %}
{% from 'elasticfleet/map.jinja' import ELASTICFLEETMERGED %} {% from 'elasticfleet/map.jinja' import ELASTICFLEETMERGED %}
{# This value is generated during node install and stored in minion pillar #} {# This value is generated during node install and stored in minion pillar #}
@@ -94,17 +94,17 @@ so-elastic-fleet:
- user: 947 - user: 947
- networks: - networks:
- sobridge: - sobridge:
- ipv4_address: {{ DOCKER.containers['so-elastic-fleet'].ip }} - ipv4_address: {{ DOCKERMERGED.containers['so-elastic-fleet'].ip }}
- extra_hosts: - extra_hosts:
- {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }} - {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }}
- {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }} - {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
{% if DOCKER.containers['so-elastic-fleet'].extra_hosts %} {% if DOCKERMERGED.containers['so-elastic-fleet'].extra_hosts %}
{% for XTRAHOST in DOCKER.containers['so-elastic-fleet'].extra_hosts %} {% for XTRAHOST in DOCKERMERGED.containers['so-elastic-fleet'].extra_hosts %}
- {{ XTRAHOST }} - {{ XTRAHOST }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
- port_bindings: - port_bindings:
{% for BINDING in DOCKER.containers['so-elastic-fleet'].port_bindings %} {% for BINDING in DOCKERMERGED.containers['so-elastic-fleet'].port_bindings %}
- {{ BINDING }} - {{ BINDING }}
{% endfor %} {% endfor %}
- binds: - binds:
@@ -112,8 +112,8 @@ so-elastic-fleet:
- /etc/pki/elasticfleet-server.key:/etc/pki/elasticfleet-server.key:ro - /etc/pki/elasticfleet-server.key:/etc/pki/elasticfleet-server.key:ro
- /etc/pki/tls/certs/intca.crt:/etc/pki/tls/certs/intca.crt:ro - /etc/pki/tls/certs/intca.crt:/etc/pki/tls/certs/intca.crt:ro
- /opt/so/log/elasticfleet:/usr/share/elastic-agent/logs - /opt/so/log/elasticfleet:/usr/share/elastic-agent/logs
{% if DOCKER.containers['so-elastic-fleet'].custom_bind_mounts %} {% if DOCKERMERGED.containers['so-elastic-fleet'].custom_bind_mounts %}
{% for BIND in DOCKER.containers['so-elastic-fleet'].custom_bind_mounts %} {% for BIND in DOCKERMERGED.containers['so-elastic-fleet'].custom_bind_mounts %}
- {{ BIND }} - {{ BIND }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
@@ -128,14 +128,14 @@ so-elastic-fleet:
- FLEET_CA=/etc/pki/tls/certs/intca.crt - FLEET_CA=/etc/pki/tls/certs/intca.crt
- FLEET_SERVER_ELASTICSEARCH_CA=/etc/pki/tls/certs/intca.crt - FLEET_SERVER_ELASTICSEARCH_CA=/etc/pki/tls/certs/intca.crt
- LOGS_PATH=logs - LOGS_PATH=logs
{% if DOCKER.containers['so-elastic-fleet'].extra_env %} {% if DOCKERMERGED.containers['so-elastic-fleet'].extra_env %}
{% for XTRAENV in DOCKER.containers['so-elastic-fleet'].extra_env %} {% for XTRAENV in DOCKERMERGED.containers['so-elastic-fleet'].extra_env %}
- {{ XTRAENV }} - {{ XTRAENV }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
{% if DOCKER.containers['so-elastic-fleet'].ulimits %} {% if DOCKERMERGED.containers['so-elastic-fleet'].ulimits %}
- ulimits: - ulimits:
{% for ULIMIT in DOCKER.containers['so-elastic-fleet'].ulimits %} {% for ULIMIT in DOCKERMERGED.containers['so-elastic-fleet'].ulimits %}
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }} - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}


@@ -6,7 +6,7 @@
{% from 'allowed_states.map.jinja' import allowed_states %} {% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %} {% if sls.split('.')[0] in allowed_states %}
{% from 'vars/globals.map.jinja' import GLOBALS %} {% from 'vars/globals.map.jinja' import GLOBALS %}
{% from 'docker/docker.map.jinja' import DOCKER %} {% from 'docker/docker.map.jinja' import DOCKERMERGED %}
{% from 'elasticsearch/config.map.jinja' import ELASTICSEARCH_NODES %} {% from 'elasticsearch/config.map.jinja' import ELASTICSEARCH_NODES %}
{% from 'elasticsearch/config.map.jinja' import ELASTICSEARCH_SEED_HOSTS %} {% from 'elasticsearch/config.map.jinja' import ELASTICSEARCH_SEED_HOSTS %}
{% from 'elasticsearch/config.map.jinja' import ELASTICSEARCHMERGED %} {% from 'elasticsearch/config.map.jinja' import ELASTICSEARCHMERGED %}
@@ -28,15 +28,15 @@ so-elasticsearch:
- user: elasticsearch - user: elasticsearch
- networks: - networks:
- sobridge: - sobridge:
- ipv4_address: {{ DOCKER.containers['so-elasticsearch'].ip }} - ipv4_address: {{ DOCKERMERGED.containers['so-elasticsearch'].ip }}
- extra_hosts: - extra_hosts:
{% for node in ELASTICSEARCH_NODES %} {% for node in ELASTICSEARCH_NODES %}
{% for hostname, ip in node.items() %} {% for hostname, ip in node.items() %}
- {{hostname}}:{{ip}} - {{hostname}}:{{ip}}
{% endfor %} {% endfor %}
{% endfor %} {% endfor %}
{% if DOCKER.containers['so-elasticsearch'].extra_hosts %} {% if DOCKERMERGED.containers['so-elasticsearch'].extra_hosts %}
{% for XTRAHOST in DOCKER.containers['so-elasticsearch'].extra_hosts %} {% for XTRAHOST in DOCKERMERGED.containers['so-elasticsearch'].extra_hosts %}
- {{ XTRAHOST }} - {{ XTRAHOST }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
@@ -45,19 +45,19 @@ so-elasticsearch:
- discovery.type=single-node - discovery.type=single-node
{% endif %} {% endif %}
- ES_JAVA_OPTS=-Xms{{ GLOBALS.elasticsearch.es_heap }} -Xmx{{ GLOBALS.elasticsearch.es_heap }} -Des.transport.cname_in_publish_address=true -Dlog4j2.formatMsgNoLookups=true - ES_JAVA_OPTS=-Xms{{ GLOBALS.elasticsearch.es_heap }} -Xmx{{ GLOBALS.elasticsearch.es_heap }} -Des.transport.cname_in_publish_address=true -Dlog4j2.formatMsgNoLookups=true
{% if DOCKER.containers['so-elasticsearch'].extra_env %} {% if DOCKERMERGED.containers['so-elasticsearch'].extra_env %}
{% for XTRAENV in DOCKER.containers['so-elasticsearch'].extra_env %} {% for XTRAENV in DOCKERMERGED.containers['so-elasticsearch'].extra_env %}
- {{ XTRAENV }} - {{ XTRAENV }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
{% if DOCKER.containers['so-elasticsearch'].ulimits %} {% if DOCKERMERGED.containers['so-elasticsearch'].ulimits %}
- ulimits: - ulimits:
{% for ULIMIT in DOCKER.containers['so-elasticsearch'].ulimits %} {% for ULIMIT in DOCKERMERGED.containers['so-elasticsearch'].ulimits %}
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }} - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
- port_bindings: - port_bindings:
{% for BINDING in DOCKER.containers['so-elasticsearch'].port_bindings %} {% for BINDING in DOCKERMERGED.containers['so-elasticsearch'].port_bindings %}
- {{ BINDING }} - {{ BINDING }}
{% endfor %} {% endfor %}
- binds: - binds:
@@ -77,8 +77,8 @@ so-elasticsearch:
- {{ repo }}:{{ repo }}:rw - {{ repo }}:{{ repo }}:rw
{% endfor %} {% endfor %}
{% endif %} {% endif %}
{% if DOCKER.containers['so-elasticsearch'].custom_bind_mounts %} {% if DOCKERMERGED.containers['so-elasticsearch'].custom_bind_mounts %}
{% for BIND in DOCKER.containers['so-elasticsearch'].custom_bind_mounts %} {% for BIND in DOCKERMERGED.containers['so-elasticsearch'].custom_bind_mounts %}
- {{ BIND }} - {{ BIND }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}


@@ -1,5 +1,5 @@
{%- from 'vars/globals.map.jinja' import GLOBALS %} {%- from 'vars/globals.map.jinja' import GLOBALS %}
{%- from 'docker/docker.map.jinja' import DOCKER %} {%- from 'docker/docker.map.jinja' import DOCKERMERGED %}
{%- from 'firewall/map.jinja' import FIREWALL_MERGED %} {%- from 'firewall/map.jinja' import FIREWALL_MERGED %}
{%- set role = GLOBALS.role.split('-')[1] %} {%- set role = GLOBALS.role.split('-')[1] %}
{%- from 'firewall/containers.map.jinja' import NODE_CONTAINERS %} {%- from 'firewall/containers.map.jinja' import NODE_CONTAINERS %}
@@ -8,9 +8,9 @@
{%- set D1 = [] %} {%- set D1 = [] %}
{%- set D2 = [] %} {%- set D2 = [] %}
{%- for container in NODE_CONTAINERS %} {%- for container in NODE_CONTAINERS %}
{%- set IP = DOCKER.containers[container].ip %} {%- set IP = DOCKERMERGED.containers[container].ip %}
{%- if DOCKER.containers[container].port_bindings is defined %} {%- if DOCKERMERGED.containers[container].port_bindings is defined %}
{%- for binding in DOCKER.containers[container].port_bindings %} {%- for binding in DOCKERMERGED.containers[container].port_bindings %}
{#- cant split int so we convert to string #} {#- cant split int so we convert to string #}
{%- set binding = binding|string %} {%- set binding = binding|string %}
{#- split the port binding by /. if proto not specified, default is tcp #} {#- split the port binding by /. if proto not specified, default is tcp #}
@@ -33,13 +33,13 @@
{%- set hostPort = bsa[0] %} {%- set hostPort = bsa[0] %}
{%- set containerPort = bsa[1] %} {%- set containerPort = bsa[1] %}
{%- endif %} {%- endif %}
{%- do PR.append("-A POSTROUTING -s " ~ DOCKER.containers[container].ip ~ "/32 -d " ~ DOCKER.containers[container].ip ~ "/32 -p " ~ proto ~ " -m " ~ proto ~ " --dport " ~ containerPort ~ " -j MASQUERADE") %} {%- do PR.append("-A POSTROUTING -s " ~ DOCKERMERGED.containers[container].ip ~ "/32 -d " ~ DOCKERMERGED.containers[container].ip ~ "/32 -p " ~ proto ~ " -m " ~ proto ~ " --dport " ~ containerPort ~ " -j MASQUERADE") %}
{%- if bindip | length and bindip != '0.0.0.0' %} {%- if bindip | length and bindip != '0.0.0.0' %}
{%- do D1.append("-A DOCKER -d " ~ bindip ~ "/32 ! -i sobridge -p " ~ proto ~ " -m " ~ proto ~ " --dport " ~ hostPort ~ " -j DNAT --to-destination " ~ DOCKER.containers[container].ip ~ ":" ~ containerPort) %} {%- do D1.append("-A DOCKER -d " ~ bindip ~ "/32 ! -i sobridge -p " ~ proto ~ " -m " ~ proto ~ " --dport " ~ hostPort ~ " -j DNAT --to-destination " ~ DOCKERMERGED.containers[container].ip ~ ":" ~ containerPort) %}
{%- else %} {%- else %}
{%- do D1.append("-A DOCKER ! -i sobridge -p " ~ proto ~ " -m " ~ proto ~ " --dport " ~ hostPort ~ " -j DNAT --to-destination " ~ DOCKER.containers[container].ip ~ ":" ~ containerPort) %} {%- do D1.append("-A DOCKER ! -i sobridge -p " ~ proto ~ " -m " ~ proto ~ " --dport " ~ hostPort ~ " -j DNAT --to-destination " ~ DOCKERMERGED.containers[container].ip ~ ":" ~ containerPort) %}
{%- endif %} {%- endif %}
{%- do D2.append("-A DOCKER -d " ~ DOCKER.containers[container].ip ~ "/32 ! -i sobridge -o sobridge -p " ~ proto ~ " -m " ~ proto ~ " --dport " ~ containerPort ~ " -j ACCEPT") %} {%- do D2.append("-A DOCKER -d " ~ DOCKERMERGED.containers[container].ip ~ "/32 ! -i sobridge -o sobridge -p " ~ proto ~ " -m " ~ proto ~ " --dport " ~ containerPort ~ " -j ACCEPT") %}
{%- endfor %} {%- endfor %}
{%- endif %} {%- endif %}
{%- endfor %} {%- endfor %}
@@ -52,7 +52,7 @@
:DOCKER - [0:0] :DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s {{DOCKER.range}} ! -o sobridge -j MASQUERADE -A POSTROUTING -s {{DOCKERMERGED.range}} ! -o sobridge -j MASQUERADE
{%- for rule in PR %} {%- for rule in PR %}
{{ rule }} {{ rule }}
{%- endfor %} {%- endfor %}


@@ -1,11 +1,11 @@
{% from 'vars/globals.map.jinja' import GLOBALS %} {% from 'vars/globals.map.jinja' import GLOBALS %}
{% from 'docker/docker.map.jinja' import DOCKER %} {% from 'docker/docker.map.jinja' import DOCKERMERGED %}
{% import_yaml 'firewall/defaults.yaml' as FIREWALL_DEFAULT %} {% import_yaml 'firewall/defaults.yaml' as FIREWALL_DEFAULT %}
{# add our ip to self #} {# add our ip to self #}
{% do FIREWALL_DEFAULT.firewall.hostgroups.self.append(GLOBALS.node_ip) %} {% do FIREWALL_DEFAULT.firewall.hostgroups.self.append(GLOBALS.node_ip) %}
{# add dockernet range #} {# add dockernet range #}
{% do FIREWALL_DEFAULT.firewall.hostgroups.dockernet.append(DOCKER.range) %} {% do FIREWALL_DEFAULT.firewall.hostgroups.dockernet.append(DOCKERMERGED.range) %}
{% if GLOBALS.role == 'so-idh' %} {% if GLOBALS.role == 'so-idh' %}
{% from 'idh/opencanary_config.map.jinja' import IDH_PORTGROUPS %} {% from 'idh/opencanary_config.map.jinja' import IDH_PORTGROUPS %}


@@ -11,7 +11,7 @@
{% from 'allowed_states.map.jinja' import allowed_states %} {% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %} {% if sls.split('.')[0] in allowed_states %}
{% from 'docker/docker.map.jinja' import DOCKER %} {% from 'docker/docker.map.jinja' import DOCKERMERGED %}
{% from 'vars/globals.map.jinja' import GLOBALS %} {% from 'vars/globals.map.jinja' import GLOBALS %}
{% if 'api' in salt['pillar.get']('features', []) %} {% if 'api' in salt['pillar.get']('features', []) %}
@@ -26,35 +26,35 @@ so-hydra:
- name: so-hydra - name: so-hydra
- networks: - networks:
- sobridge: - sobridge:
- ipv4_address: {{ DOCKER.containers['so-hydra'].ip }} - ipv4_address: {{ DOCKERMERGED.containers['so-hydra'].ip }}
- binds: - binds:
- /opt/so/conf/hydra/:/hydra-conf:ro - /opt/so/conf/hydra/:/hydra-conf:ro
- /opt/so/log/hydra/:/hydra-log:rw - /opt/so/log/hydra/:/hydra-log:rw
- /nsm/hydra/db:/hydra-data:rw - /nsm/hydra/db:/hydra-data:rw
{% if DOCKER.containers['so-hydra'].custom_bind_mounts %} {% if DOCKERMERGED.containers['so-hydra'].custom_bind_mounts %}
{% for BIND in DOCKER.containers['so-hydra'].custom_bind_mounts %} {% for BIND in DOCKERMERGED.containers['so-hydra'].custom_bind_mounts %}
- {{ BIND }} - {{ BIND }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
- port_bindings: - port_bindings:
{% for BINDING in DOCKER.containers['so-hydra'].port_bindings %} {% for BINDING in DOCKERMERGED.containers['so-hydra'].port_bindings %}
- {{ BINDING }} - {{ BINDING }}
{% endfor %} {% endfor %}
{% if DOCKER.containers['so-hydra'].extra_hosts %} {% if DOCKERMERGED.containers['so-hydra'].extra_hosts %}
- extra_hosts: - extra_hosts:
{% for XTRAHOST in DOCKER.containers['so-hydra'].extra_hosts %} {% for XTRAHOST in DOCKERMERGED.containers['so-hydra'].extra_hosts %}
- {{ XTRAHOST }} - {{ XTRAHOST }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
{% if DOCKER.containers['so-hydra'].extra_env %} {% if DOCKERMERGED.containers['so-hydra'].extra_env %}
- environment: - environment:
{% for XTRAENV in DOCKER.containers['so-hydra'].extra_env %} {% for XTRAENV in DOCKERMERGED.containers['so-hydra'].extra_env %}
- {{ XTRAENV }} - {{ XTRAENV }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
{% if DOCKER.containers['so-hydra'].ulimits %} {% if DOCKERMERGED.containers['so-hydra'].ulimits %}
- ulimits: - ulimits:
{% for ULIMIT in DOCKER.containers['so-hydra'].ulimits %} {% for ULIMIT in DOCKERMERGED.containers['so-hydra'].ulimits %}
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }} - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}


@@ -6,7 +6,7 @@
{% from 'allowed_states.map.jinja' import allowed_states %} {% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %} {% if sls.split('.')[0] in allowed_states %}
{% from 'vars/globals.map.jinja' import GLOBALS %} {% from 'vars/globals.map.jinja' import GLOBALS %}
{% from 'docker/docker.map.jinja' import DOCKER %} {% from 'docker/docker.map.jinja' import DOCKERMERGED %}
include: include:
- idh.config - idh.config
@@ -22,26 +22,26 @@ so-idh:
- /nsm/idh:/var/tmp:rw - /nsm/idh:/var/tmp:rw
- /opt/so/conf/idh/http-skins:/usr/local/lib/python3.12/site-packages/opencanary/modules/data/http/skin:ro - /opt/so/conf/idh/http-skins:/usr/local/lib/python3.12/site-packages/opencanary/modules/data/http/skin:ro
- /opt/so/conf/idh/opencanary.conf:/etc/opencanaryd/opencanary.conf:ro - /opt/so/conf/idh/opencanary.conf:/etc/opencanaryd/opencanary.conf:ro
{% if DOCKER.containers['so-idh'].custom_bind_mounts %} {% if DOCKERMERGED.containers['so-idh'].custom_bind_mounts %}
{% for BIND in DOCKER.containers['so-idh'].custom_bind_mounts %} {% for BIND in DOCKERMERGED.containers['so-idh'].custom_bind_mounts %}
- {{ BIND }} - {{ BIND }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
{% if DOCKER.containers['so-idh'].extra_hosts %} {% if DOCKERMERGED.containers['so-idh'].extra_hosts %}
- extra_hosts: - extra_hosts:
{% for XTRAHOST in DOCKER.containers['so-idh'].extra_hosts %} {% for XTRAHOST in DOCKERMERGED.containers['so-idh'].extra_hosts %}
- {{ XTRAHOST }} - {{ XTRAHOST }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
{% if DOCKER.containers['so-idh'].extra_env %} {% if DOCKERMERGED.containers['so-idh'].extra_env %}
- environment: - environment:
{% for XTRAENV in DOCKER.containers['so-idh'].extra_env %} {% for XTRAENV in DOCKERMERGED.containers['so-idh'].extra_env %}
- {{ XTRAENV }} - {{ XTRAENV }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
{% if DOCKER.containers['so-idh'].ulimits %} {% if DOCKERMERGED.containers['so-idh'].ulimits %}
- ulimits: - ulimits:
{% for ULIMIT in DOCKER.containers['so-idh'].ulimits %} {% for ULIMIT in DOCKERMERGED.containers['so-idh'].ulimits %}
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }} - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}


@@ -6,7 +6,7 @@
{% from 'allowed_states.map.jinja' import allowed_states %} {% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %} {% if sls.split('.')[0] in allowed_states %}
{% from 'vars/globals.map.jinja' import GLOBALS %} {% from 'vars/globals.map.jinja' import GLOBALS %}
{% from 'docker/docker.map.jinja' import DOCKER %} {% from 'docker/docker.map.jinja' import DOCKERMERGED %}
{% set PASSWORD = salt['pillar.get']('secrets:influx_pass') %} {% set PASSWORD = salt['pillar.get']('secrets:influx_pass') %}
{% set TOKEN = salt['pillar.get']('influxdb:token') %} {% set TOKEN = salt['pillar.get']('influxdb:token') %}
@@ -21,7 +21,7 @@ so-influxdb:
- hostname: influxdb - hostname: influxdb
- networks: - networks:
- sobridge: - sobridge:
- ipv4_address: {{ DOCKER.containers['so-influxdb'].ip }} - ipv4_address: {{ DOCKERMERGED.containers['so-influxdb'].ip }}
- environment: - environment:
- INFLUXD_CONFIG_PATH=/conf/config.yaml - INFLUXD_CONFIG_PATH=/conf/config.yaml
- INFLUXDB_HTTP_LOG_ENABLED=false - INFLUXDB_HTTP_LOG_ENABLED=false
@@ -31,8 +31,8 @@ so-influxdb:
- DOCKER_INFLUXDB_INIT_ORG=Security Onion - DOCKER_INFLUXDB_INIT_ORG=Security Onion
- DOCKER_INFLUXDB_INIT_BUCKET=telegraf/so_short_term - DOCKER_INFLUXDB_INIT_BUCKET=telegraf/so_short_term
- DOCKER_INFLUXDB_INIT_ADMIN_TOKEN={{ TOKEN }} - DOCKER_INFLUXDB_INIT_ADMIN_TOKEN={{ TOKEN }}
{% if DOCKER.containers['so-influxdb'].extra_env %} {% if DOCKERMERGED.containers['so-influxdb'].extra_env %}
{% for XTRAENV in DOCKER.containers['so-influxdb'].extra_env %} {% for XTRAENV in DOCKERMERGED.containers['so-influxdb'].extra_env %}
- {{ XTRAENV }} - {{ XTRAENV }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
@@ -43,24 +43,24 @@ so-influxdb:
- /nsm/influxdb:/var/lib/influxdb2:rw - /nsm/influxdb:/var/lib/influxdb2:rw
- /etc/pki/influxdb.crt:/conf/influxdb.crt:ro - /etc/pki/influxdb.crt:/conf/influxdb.crt:ro
- /etc/pki/influxdb.key:/conf/influxdb.key:ro - /etc/pki/influxdb.key:/conf/influxdb.key:ro
{% if DOCKER.containers['so-influxdb'].custom_bind_mounts %} {% if DOCKERMERGED.containers['so-influxdb'].custom_bind_mounts %}
{% for BIND in DOCKER.containers['so-influxdb'].custom_bind_mounts %} {% for BIND in DOCKERMERGED.containers['so-influxdb'].custom_bind_mounts %}
- {{ BIND }} - {{ BIND }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
- port_bindings: - port_bindings:
{% for BINDING in DOCKER.containers['so-influxdb'].port_bindings %} {% for BINDING in DOCKERMERGED.containers['so-influxdb'].port_bindings %}
- {{ BINDING }} - {{ BINDING }}
{% endfor %} {% endfor %}
{% if DOCKER.containers['so-influxdb'].extra_hosts %} {% if DOCKERMERGED.containers['so-influxdb'].extra_hosts %}
- extra_hosts: - extra_hosts:
{% for XTRAHOST in DOCKER.containers['so-influxdb'].extra_hosts %} {% for XTRAHOST in DOCKERMERGED.containers['so-influxdb'].extra_hosts %}
- {{ XTRAHOST }} - {{ XTRAHOST }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
{% if DOCKER.containers['so-influxdb'].ulimits %} {% if DOCKERMERGED.containers['so-influxdb'].ulimits %}
- ulimits: - ulimits:
{% for ULIMIT in DOCKER.containers['so-influxdb'].ulimits %} {% for ULIMIT in DOCKERMERGED.containers['so-influxdb'].ulimits %}
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }} - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}


@@ -12,7 +12,7 @@
{% from 'allowed_states.map.jinja' import allowed_states %} {% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %} {% if sls.split('.')[0] in allowed_states %}
{% from 'vars/globals.map.jinja' import GLOBALS %} {% from 'vars/globals.map.jinja' import GLOBALS %}
{% from 'docker/docker.map.jinja' import DOCKER %} {% from 'docker/docker.map.jinja' import DOCKERMERGED %}
{% set KAFKANODES = salt['pillar.get']('kafka:nodes') %} {% set KAFKANODES = salt['pillar.get']('kafka:nodes') %}
{% set KAFKA_EXTERNAL_ACCESS = salt['pillar.get']('kafka:config:external_access:enabled', default=False) %} {% set KAFKA_EXTERNAL_ACCESS = salt['pillar.get']('kafka:config:external_access:enabled', default=False) %}
{% if 'gmd' in salt['pillar.get']('features', []) %} {% if 'gmd' in salt['pillar.get']('features', []) %}
@@ -31,22 +31,22 @@ so-kafka:
- name: so-kafka - name: so-kafka
- networks: - networks:
- sobridge: - sobridge:
- ipv4_address: {{ DOCKER.containers['so-kafka'].ip }} - ipv4_address: {{ DOCKERMERGED.containers['so-kafka'].ip }}
- user: kafka - user: kafka
- environment: - environment:
KAFKA_HEAP_OPTS: -Xmx2G -Xms1G KAFKA_HEAP_OPTS: -Xmx2G -Xms1G
KAFKA_OPTS: "-javaagent:/opt/jolokia/agents/jolokia-agent-jvm-javaagent.jar=port=8778,host={{ DOCKER.containers['so-kafka'].ip }},policyLocation=file:/opt/jolokia/jolokia.xml {%- if KAFKA_EXTERNAL_ACCESS %} -Djava.security.auth.login.config=/opt/kafka/config/kafka_server_jaas.conf {% endif -%}" KAFKA_OPTS: "-javaagent:/opt/jolokia/agents/jolokia-agent-jvm-javaagent.jar=port=8778,host={{ DOCKERMERGED.containers['so-kafka'].ip }},policyLocation=file:/opt/jolokia/jolokia.xml {%- if KAFKA_EXTERNAL_ACCESS %} -Djava.security.auth.login.config=/opt/kafka/config/kafka_server_jaas.conf {% endif -%}"
- extra_hosts: - extra_hosts:
{% for node in KAFKANODES %} {% for node in KAFKANODES %}
- {{ node }}:{{ KAFKANODES[node].ip }} - {{ node }}:{{ KAFKANODES[node].ip }}
{% endfor %} {% endfor %}
{% if DOCKER.containers['so-kafka'].extra_hosts %} {% if DOCKERMERGED.containers['so-kafka'].extra_hosts %}
{% for XTRAHOST in DOCKER.containers['so-kafka'].extra_hosts %} {% for XTRAHOST in DOCKERMERGED.containers['so-kafka'].extra_hosts %}
- {{ XTRAHOST }} - {{ XTRAHOST }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
- port_bindings: - port_bindings:
{% for BINDING in DOCKER.containers['so-kafka'].port_bindings %} {% for BINDING in DOCKERMERGED.containers['so-kafka'].port_bindings %}
- {{ BINDING }} - {{ BINDING }}
{% endfor %} {% endfor %}
- binds: - binds:
@@ -60,9 +60,9 @@ so-kafka:
{% if KAFKA_EXTERNAL_ACCESS %} {% if KAFKA_EXTERNAL_ACCESS %}
- /opt/so/conf/kafka/kafka_server_jaas.conf:/opt/kafka/config/kafka_server_jaas.conf:ro - /opt/so/conf/kafka/kafka_server_jaas.conf:/opt/kafka/config/kafka_server_jaas.conf:ro
{% endif %} {% endif %}
{% if DOCKER.containers['so-kafka'].ulimits %} {% if DOCKERMERGED.containers['so-kafka'].ulimits %}
- ulimits: - ulimits:
{% for ULIMIT in DOCKER.containers['so-kafka'].ulimits %} {% for ULIMIT in DOCKERMERGED.containers['so-kafka'].ulimits %}
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }} - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}


@@ -5,7 +5,7 @@
{% from 'allowed_states.map.jinja' import allowed_states %} {% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %} {% if sls.split('.')[0] in allowed_states %}
{% from 'docker/docker.map.jinja' import DOCKER %} {% from 'docker/docker.map.jinja' import DOCKERMERGED %}
{% from 'vars/globals.map.jinja' import GLOBALS %} {% from 'vars/globals.map.jinja' import GLOBALS %}
include: include:
@@ -20,20 +20,20 @@ so-kibana:
- user: kibana - user: kibana
- networks: - networks:
- sobridge: - sobridge:
- ipv4_address: {{ DOCKER.containers['so-kibana'].ip }} - ipv4_address: {{ DOCKERMERGED.containers['so-kibana'].ip }}
- environment: - environment:
- ELASTICSEARCH_HOST={{ GLOBALS.manager }} - ELASTICSEARCH_HOST={{ GLOBALS.manager }}
- ELASTICSEARCH_PORT=9200 - ELASTICSEARCH_PORT=9200
- MANAGER={{ GLOBALS.manager }} - MANAGER={{ GLOBALS.manager }}
{% if DOCKER.containers['so-kibana'].extra_env %} {% if DOCKERMERGED.containers['so-kibana'].extra_env %}
{% for XTRAENV in DOCKER.containers['so-kibana'].extra_env %} {% for XTRAENV in DOCKERMERGED.containers['so-kibana'].extra_env %}
- {{ XTRAENV }} - {{ XTRAENV }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
- extra_hosts: - extra_hosts:
- {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }} - {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }}
{% if DOCKER.containers['so-kibana'].extra_hosts %} {% if DOCKERMERGED.containers['so-kibana'].extra_hosts %}
{% for XTRAHOST in DOCKER.containers['so-kibana'].extra_hosts %} {% for XTRAHOST in DOCKERMERGED.containers['so-kibana'].extra_hosts %}
- {{ XTRAHOST }} - {{ XTRAHOST }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
@@ -42,18 +42,18 @@ so-kibana:
- /opt/so/log/kibana:/var/log/kibana:rw - /opt/so/log/kibana:/var/log/kibana:rw
- /opt/so/conf/kibana/customdashboards:/usr/share/kibana/custdashboards:ro - /opt/so/conf/kibana/customdashboards:/usr/share/kibana/custdashboards:ro
- /sys/fs/cgroup:/sys/fs/cgroup:ro - /sys/fs/cgroup:/sys/fs/cgroup:ro
{% if DOCKER.containers['so-kibana'].custom_bind_mounts %} {% if DOCKERMERGED.containers['so-kibana'].custom_bind_mounts %}
{% for BIND in DOCKER.containers['so-kibana'].custom_bind_mounts %} {% for BIND in DOCKERMERGED.containers['so-kibana'].custom_bind_mounts %}
- {{ BIND }} - {{ BIND }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
- port_bindings: - port_bindings:
{% for BINDING in DOCKER.containers['so-kibana'].port_bindings %} {% for BINDING in DOCKERMERGED.containers['so-kibana'].port_bindings %}
- {{ BINDING }} - {{ BINDING }}
{% endfor %} {% endfor %}
{% if DOCKER.containers['so-kibana'].ulimits %} {% if DOCKERMERGED.containers['so-kibana'].ulimits %}
- ulimits: - ulimits:
{% for ULIMIT in DOCKER.containers['so-kibana'].ulimits %} {% for ULIMIT in DOCKERMERGED.containers['so-kibana'].ulimits %}
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }} - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}


@@ -5,7 +5,7 @@
{% from 'allowed_states.map.jinja' import allowed_states %} {% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %} {% if sls.split('.')[0] in allowed_states %}
{% from 'docker/docker.map.jinja' import DOCKER %} {% from 'docker/docker.map.jinja' import DOCKERMERGED %}
{% from 'vars/globals.map.jinja' import GLOBALS %} {% from 'vars/globals.map.jinja' import GLOBALS %}
include: include:
@@ -19,35 +19,35 @@ so-kratos:
- name: so-kratos - name: so-kratos
- networks: - networks:
- sobridge: - sobridge:
- ipv4_address: {{ DOCKER.containers['so-kratos'].ip }} - ipv4_address: {{ DOCKERMERGED.containers['so-kratos'].ip }}
- binds: - binds:
- /opt/so/conf/kratos/:/kratos-conf:ro - /opt/so/conf/kratos/:/kratos-conf:ro
- /opt/so/log/kratos/:/kratos-log:rw - /opt/so/log/kratos/:/kratos-log:rw
- /nsm/kratos/db:/kratos-data:rw - /nsm/kratos/db:/kratos-data:rw
{% if DOCKER.containers['so-kratos'].custom_bind_mounts %} {% if DOCKERMERGED.containers['so-kratos'].custom_bind_mounts %}
{% for BIND in DOCKER.containers['so-kratos'].custom_bind_mounts %} {% for BIND in DOCKERMERGED.containers['so-kratos'].custom_bind_mounts %}
- {{ BIND }} - {{ BIND }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
- port_bindings: - port_bindings:
{% for BINDING in DOCKER.containers['so-kratos'].port_bindings %} {% for BINDING in DOCKERMERGED.containers['so-kratos'].port_bindings %}
- {{ BINDING }} - {{ BINDING }}
{% endfor %} {% endfor %}
{% if DOCKER.containers['so-kratos'].extra_hosts %} {% if DOCKERMERGED.containers['so-kratos'].extra_hosts %}
- extra_hosts: - extra_hosts:
{% for XTRAHOST in DOCKER.containers['so-kratos'].extra_hosts %} {% for XTRAHOST in DOCKERMERGED.containers['so-kratos'].extra_hosts %}
- {{ XTRAHOST }} - {{ XTRAHOST }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
{% if DOCKER.containers['so-kratos'].extra_env %} {% if DOCKERMERGED.containers['so-kratos'].extra_env %}
- environment: - environment:
{% for XTRAENV in DOCKER.containers['so-kratos'].extra_env %} {% for XTRAENV in DOCKERMERGED.containers['so-kratos'].extra_env %}
- {{ XTRAENV }} - {{ XTRAENV }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
{% if DOCKER.containers['so-kratos'].ulimits %} {% if DOCKERMERGED.containers['so-kratos'].ulimits %}
- ulimits: - ulimits:
{% for ULIMIT in DOCKER.containers['so-kratos'].ulimits %} {% for ULIMIT in DOCKERMERGED.containers['so-kratos'].ulimits %}
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }} - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}


@@ -6,7 +6,7 @@
{% from 'allowed_states.map.jinja' import allowed_states %} {% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %} {% if sls.split('.')[0] in allowed_states %}
{% from 'vars/globals.map.jinja' import GLOBALS %} {% from 'vars/globals.map.jinja' import GLOBALS %}
{% from 'docker/docker.map.jinja' import DOCKER %} {% from 'docker/docker.map.jinja' import DOCKERMERGED %}
{% from 'logstash/map.jinja' import LOGSTASH_MERGED %} {% from 'logstash/map.jinja' import LOGSTASH_MERGED %}
{% from 'logstash/map.jinja' import LOGSTASH_NODES %} {% from 'logstash/map.jinja' import LOGSTASH_NODES %}
{% set lsheap = LOGSTASH_MERGED.settings.lsheap %} {% set lsheap = LOGSTASH_MERGED.settings.lsheap %}
@@ -32,7 +32,7 @@ so-logstash:
- name: so-logstash - name: so-logstash
- networks: - networks:
- sobridge: - sobridge:
- ipv4_address: {{ DOCKER.containers['so-logstash'].ip }} - ipv4_address: {{ DOCKERMERGED.containers['so-logstash'].ip }}
- user: logstash - user: logstash
- extra_hosts: - extra_hosts:
{% for node in LOGSTASH_NODES %} {% for node in LOGSTASH_NODES %}
@@ -40,20 +40,20 @@ so-logstash:
- {{hostname}}:{{ip}} - {{hostname}}:{{ip}}
{% endfor %} {% endfor %}
{% endfor %} {% endfor %}
{% if DOCKER.containers['so-logstash'].extra_hosts %} {% if DOCKERMERGED.containers['so-logstash'].extra_hosts %}
{% for XTRAHOST in DOCKER.containers['so-logstash'].extra_hosts %} {% for XTRAHOST in DOCKERMERGED.containers['so-logstash'].extra_hosts %}
- {{ XTRAHOST }} - {{ XTRAHOST }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
- environment: - environment:
- LS_JAVA_OPTS=-Xms{{ lsheap }} -Xmx{{ lsheap }} - LS_JAVA_OPTS=-Xms{{ lsheap }} -Xmx{{ lsheap }}
{% if DOCKER.containers['so-logstash'].extra_env %} {% if DOCKERMERGED.containers['so-logstash'].extra_env %}
{% for XTRAENV in DOCKER.containers['so-logstash'].extra_env %} {% for XTRAENV in DOCKERMERGED.containers['so-logstash'].extra_env %}
- {{ XTRAENV }} - {{ XTRAENV }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
- port_bindings: - port_bindings:
{% for BINDING in DOCKER.containers['so-logstash'].port_bindings %} {% for BINDING in DOCKERMERGED.containers['so-logstash'].port_bindings %}
- {{ BINDING }} - {{ BINDING }}
{% endfor %} {% endfor %}
- binds: - binds:
@@ -91,14 +91,14 @@ so-logstash:
- /opt/so/log/fleet/:/osquery/logs:ro - /opt/so/log/fleet/:/osquery/logs:ro
- /opt/so/log/strelka:/strelka:ro - /opt/so/log/strelka:/strelka:ro
{% endif %} {% endif %}
{% if DOCKER.containers['so-logstash'].custom_bind_mounts %} {% if DOCKERMERGED.containers['so-logstash'].custom_bind_mounts %}
{% for BIND in DOCKER.containers['so-logstash'].custom_bind_mounts %} {% for BIND in DOCKERMERGED.containers['so-logstash'].custom_bind_mounts %}
- {{ BIND }} - {{ BIND }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
{% if DOCKER.containers['so-logstash'].ulimits %} {% if DOCKERMERGED.containers['so-logstash'].ulimits %}
- ulimits: - ulimits:
{% for ULIMIT in DOCKER.containers['so-logstash'].ulimits %} {% for ULIMIT in DOCKERMERGED.containers['so-logstash'].ulimits %}
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }} - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}


@@ -6,7 +6,7 @@
{% from 'allowed_states.map.jinja' import allowed_states %} {% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %} {% if sls.split('.')[0] in allowed_states %}
{% from 'vars/globals.map.jinja' import GLOBALS %} {% from 'vars/globals.map.jinja' import GLOBALS %}
{% from 'docker/docker.map.jinja' import DOCKER %} {% from 'docker/docker.map.jinja' import DOCKERMERGED %}
{% from 'nginx/map.jinja' import NGINXMERGED %} {% from 'nginx/map.jinja' import NGINXMERGED %}
include: include:
@@ -37,11 +37,11 @@ so-nginx:
- hostname: so-nginx - hostname: so-nginx
- networks: - networks:
- sobridge: - sobridge:
- ipv4_address: {{ DOCKER.containers[container_config].ip }} - ipv4_address: {{ DOCKERMERGED.containers[container_config].ip }}
- extra_hosts: - extra_hosts:
- {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }} - {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }}
{% if DOCKER.containers[container_config].extra_hosts %} {% if DOCKERMERGED.containers[container_config].extra_hosts %}
{% for XTRAHOST in DOCKER.containers[container_config].extra_hosts %} {% for XTRAHOST in DOCKERMERGED.containers[container_config].extra_hosts %}
- {{ XTRAHOST }} - {{ XTRAHOST }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
@@ -64,26 +64,26 @@ so-nginx:
- /opt/so/rules/nids/suri:/surirules:ro - /opt/so/rules/nids/suri:/surirules:ro
{% endif %} {% endif %}
{% endif %} {% endif %}
{% if DOCKER.containers[container_config].custom_bind_mounts %} {% if DOCKERMERGED.containers[container_config].custom_bind_mounts %}
{% for BIND in DOCKER.containers[container_config].custom_bind_mounts %} {% for BIND in DOCKERMERGED.containers[container_config].custom_bind_mounts %}
- {{ BIND }} - {{ BIND }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
{% if DOCKER.containers[container_config].extra_env %} {% if DOCKERMERGED.containers[container_config].extra_env %}
- environment: - environment:
{% for XTRAENV in DOCKER.containers[container_config].extra_env %} {% for XTRAENV in DOCKERMERGED.containers[container_config].extra_env %}
- {{ XTRAENV }} - {{ XTRAENV }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
{% if DOCKER.containers[container_config].ulimits %} {% if DOCKERMERGED.containers[container_config].ulimits %}
- ulimits: - ulimits:
{% for ULIMIT in DOCKER.containers[container_config].ulimits %} {% for ULIMIT in DOCKERMERGED.containers[container_config].ulimits %}
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }} - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
- cap_add: NET_BIND_SERVICE - cap_add: NET_BIND_SERVICE
- port_bindings: - port_bindings:
{% for BINDING in DOCKER.containers[container_config].port_bindings %} {% for BINDING in DOCKERMERGED.containers[container_config].port_bindings %}
- {{ BINDING }} - {{ BINDING }}
{% endfor %} {% endfor %}
- watch: - watch:


@@ -1,5 +1,5 @@
{%- from 'vars/globals.map.jinja' import GLOBALS %} {%- from 'vars/globals.map.jinja' import GLOBALS %}
{%- from 'docker/docker.map.jinja' import DOCKER %} {%- from 'docker/docker.map.jinja' import DOCKERMERGED %}
{%- from 'nginx/map.jinja' import NGINXMERGED %} {%- from 'nginx/map.jinja' import NGINXMERGED %}
{%- set role = grains.id.split('_') | last %} {%- set role = grains.id.split('_') | last %}
{%- set influxpass = salt['pillar.get']('secrets:influx_pass') %} {%- set influxpass = salt['pillar.get']('secrets:influx_pass') %}


@@ -5,7 +5,7 @@
{% from 'allowed_states.map.jinja' import allowed_states %} {% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %} {% if sls.split('.')[0] in allowed_states %}
{% from 'docker/docker.map.jinja' import DOCKER %} {% from 'docker/docker.map.jinja' import DOCKERMERGED %}
{% from 'vars/globals.map.jinja' import GLOBALS %} {% from 'vars/globals.map.jinja' import GLOBALS %}
include: include:
@@ -21,9 +21,9 @@ so-redis:
- user: socore - user: socore
- networks: - networks:
- sobridge: - sobridge:
- ipv4_address: {{ DOCKER.containers['so-redis'].ip }} - ipv4_address: {{ DOCKERMERGED.containers['so-redis'].ip }}
- port_bindings: - port_bindings:
{% for BINDING in DOCKER.containers['so-redis'].port_bindings %} {% for BINDING in DOCKERMERGED.containers['so-redis'].port_bindings %}
- {{ BINDING }} - {{ BINDING }}
{% endfor %} {% endfor %}
- binds: - binds:
@@ -34,26 +34,26 @@ so-redis:
- /etc/pki/redis.crt:/certs/redis.crt:ro - /etc/pki/redis.crt:/certs/redis.crt:ro
- /etc/pki/redis.key:/certs/redis.key:ro - /etc/pki/redis.key:/certs/redis.key:ro
- /etc/pki/tls/certs/intca.crt:/certs/ca.crt:ro - /etc/pki/tls/certs/intca.crt:/certs/ca.crt:ro
{% if DOCKER.containers['so-redis'].custom_bind_mounts %} {% if DOCKERMERGED.containers['so-redis'].custom_bind_mounts %}
{% for BIND in DOCKER.containers['so-redis'].custom_bind_mounts %} {% for BIND in DOCKERMERGED.containers['so-redis'].custom_bind_mounts %}
- {{ BIND }} - {{ BIND }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
{% if DOCKER.containers['so-redis'].extra_hosts %} {% if DOCKERMERGED.containers['so-redis'].extra_hosts %}
- extra_hosts: - extra_hosts:
{% for XTRAHOST in DOCKER.containers['so-redis'].extra_hosts %} {% for XTRAHOST in DOCKERMERGED.containers['so-redis'].extra_hosts %}
- {{ XTRAHOST }} - {{ XTRAHOST }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
{% if DOCKER.containers['so-redis'].extra_env %} {% if DOCKERMERGED.containers['so-redis'].extra_env %}
- environment: - environment:
{% for XTRAENV in DOCKER.containers['so-redis'].extra_env %} {% for XTRAENV in DOCKERMERGED.containers['so-redis'].extra_env %}
- {{ XTRAENV }} - {{ XTRAENV }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
{% if DOCKER.containers['so-redis'].ulimits %} {% if DOCKERMERGED.containers['so-redis'].ulimits %}
- ulimits: - ulimits:
{% for ULIMIT in DOCKER.containers['so-redis'].ulimits %} {% for ULIMIT in DOCKERMERGED.containers['so-redis'].ulimits %}
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }} - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}


@@ -6,7 +6,7 @@
{% from 'allowed_states.map.jinja' import allowed_states %} {% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %} {% if sls.split('.')[0] in allowed_states %}
{% from 'vars/globals.map.jinja' import GLOBALS %} {% from 'vars/globals.map.jinja' import GLOBALS %}
{% from 'docker/docker.map.jinja' import DOCKER %} {% from 'docker/docker.map.jinja' import DOCKERMERGED %}
include: include:
- registry.ssl - registry.ssl
@@ -20,10 +20,10 @@ so-dockerregistry:
- hostname: so-registry - hostname: so-registry
- networks: - networks:
- sobridge: - sobridge:
- ipv4_address: {{ DOCKER.containers['so-dockerregistry'].ip }} - ipv4_address: {{ DOCKERMERGED.containers['so-dockerregistry'].ip }}
- restart_policy: always - restart_policy: always
- port_bindings: - port_bindings:
{% for BINDING in DOCKER.containers['so-dockerregistry'].port_bindings %} {% for BINDING in DOCKERMERGED.containers['so-dockerregistry'].port_bindings %}
- {{ BINDING }} - {{ BINDING }}
{% endfor %} {% endfor %}
- binds: - binds:
@@ -32,28 +32,28 @@ so-dockerregistry:
- /nsm/docker-registry/docker:/var/lib/registry/docker:rw - /nsm/docker-registry/docker:/var/lib/registry/docker:rw
- /etc/pki/registry.crt:/etc/pki/registry.crt:ro - /etc/pki/registry.crt:/etc/pki/registry.crt:ro
- /etc/pki/registry.key:/etc/pki/registry.key:ro - /etc/pki/registry.key:/etc/pki/registry.key:ro
{% if DOCKER.containers['so-dockerregistry'].custom_bind_mounts %} {% if DOCKERMERGED.containers['so-dockerregistry'].custom_bind_mounts %}
{% for BIND in DOCKER.containers['so-dockerregistry'].custom_bind_mounts %} {% for BIND in DOCKERMERGED.containers['so-dockerregistry'].custom_bind_mounts %}
- {{ BIND }} - {{ BIND }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
{% if DOCKER.containers['so-dockerregistry'].extra_hosts %} {% if DOCKERMERGED.containers['so-dockerregistry'].extra_hosts %}
- extra_hosts: - extra_hosts:
{% for XTRAHOST in DOCKER.containers['so-dockerregistry'].extra_hosts %} {% for XTRAHOST in DOCKERMERGED.containers['so-dockerregistry'].extra_hosts %}
- {{ XTRAHOST }} - {{ XTRAHOST }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
- client_timeout: 180 - client_timeout: 180
- environment: - environment:
- HOME=/root - HOME=/root
{% if DOCKER.containers['so-dockerregistry'].extra_env %} {% if DOCKERMERGED.containers['so-dockerregistry'].extra_env %}
{% for XTRAENV in DOCKER.containers['so-dockerregistry'].extra_env %} {% for XTRAENV in DOCKERMERGED.containers['so-dockerregistry'].extra_env %}
- {{ XTRAENV }} - {{ XTRAENV }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
{% if DOCKER.containers['so-dockerregistry'].ulimits %} {% if DOCKERMERGED.containers['so-dockerregistry'].ulimits %}
- ulimits: - ulimits:
{% for ULIMIT in DOCKER.containers['so-dockerregistry'].ulimits %} {% for ULIMIT in DOCKERMERGED.containers['so-dockerregistry'].ulimits %}
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }} - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}


@@ -4,7 +4,7 @@
# Elastic License 2.0. # Elastic License 2.0.
{% from 'vars/globals.map.jinja' import GLOBALS %} {% from 'vars/globals.map.jinja' import GLOBALS %}
{% from 'docker/docker.map.jinja' import DOCKER %} {% from 'docker/docker.map.jinja' import DOCKERMERGED %}
include: include:
@@ -23,26 +23,26 @@ so-sensoroni:
- /opt/so/conf/sensoroni/templates:/opt/sensoroni/templates:ro - /opt/so/conf/sensoroni/templates:/opt/sensoroni/templates:ro
- /opt/so/log/sensoroni:/opt/sensoroni/logs:rw - /opt/so/log/sensoroni:/opt/sensoroni/logs:rw
- /nsm/suripcap/:/nsm/suripcap:rw - /nsm/suripcap/:/nsm/suripcap:rw
{% if DOCKER.containers['so-sensoroni'].custom_bind_mounts %} {% if DOCKERMERGED.containers['so-sensoroni'].custom_bind_mounts %}
{% for BIND in DOCKER.containers['so-sensoroni'].custom_bind_mounts %} {% for BIND in DOCKERMERGED.containers['so-sensoroni'].custom_bind_mounts %}
- {{ BIND }} - {{ BIND }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
{% if DOCKER.containers['so-sensoroni'].extra_hosts %} {% if DOCKERMERGED.containers['so-sensoroni'].extra_hosts %}
- extra_hosts: - extra_hosts:
{% for XTRAHOST in DOCKER.containers['so-sensoroni'].extra_hosts %} {% for XTRAHOST in DOCKERMERGED.containers['so-sensoroni'].extra_hosts %}
- {{ XTRAHOST }} - {{ XTRAHOST }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
{% if DOCKER.containers['so-sensoroni'].extra_env %} {% if DOCKERMERGED.containers['so-sensoroni'].extra_env %}
- environment: - environment:
{% for XTRAENV in DOCKER.containers['so-sensoroni'].extra_env %} {% for XTRAENV in DOCKERMERGED.containers['so-sensoroni'].extra_env %}
- {{ XTRAENV }} - {{ XTRAENV }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
{% if DOCKER.containers['so-sensoroni'].ulimits %} {% if DOCKERMERGED.containers['so-sensoroni'].ulimits %}
- ulimits: - ulimits:
{% for ULIMIT in DOCKER.containers['so-sensoroni'].ulimits %} {% for ULIMIT in DOCKERMERGED.containers['so-sensoroni'].ulimits %}
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }} - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}


@@ -5,7 +5,7 @@
{% import_yaml 'soc/defaults.yaml' as SOCDEFAULTS %} {% import_yaml 'soc/defaults.yaml' as SOCDEFAULTS %}
{% from 'vars/globals.map.jinja' import GLOBALS %} {% from 'vars/globals.map.jinja' import GLOBALS %}
{% from 'docker/docker.map.jinja' import DOCKER -%} {% from 'docker/docker.map.jinja' import DOCKERMERGED -%}
{% set INFLUXDB_TOKEN = salt['pillar.get']('influxdb:token') %} {% set INFLUXDB_TOKEN = salt['pillar.get']('influxdb:token') %}
{% import_text 'influxdb/metrics_link.txt' as METRICS_LINK %} {% import_text 'influxdb/metrics_link.txt' as METRICS_LINK %}
@@ -32,7 +32,7 @@
{% endif %} {% endif %}
{% endfor %} {% endfor %}
{% do SOCDEFAULTS.soc.config.server.modules.statickeyauth.update({'anonymousCidr': DOCKER.range, 'apiKey': pillar.sensoroni.config.sensoronikey}) %} {% do SOCDEFAULTS.soc.config.server.modules.statickeyauth.update({'anonymousCidr': DOCKERMERGED.range, 'apiKey': pillar.sensoroni.config.sensoronikey}) %}
{% do SOCDEFAULTS.soc.config.server.client.case.update({'analyzerNodeId': GLOBALS.hostname}) %} {% do SOCDEFAULTS.soc.config.server.client.case.update({'analyzerNodeId': GLOBALS.hostname}) %}
{% do SOCDEFAULTS.soc.config.server.client.update({'exportNodeId': GLOBALS.hostname}) %} {% do SOCDEFAULTS.soc.config.server.client.update({'exportNodeId': GLOBALS.hostname}) %}


@@ -6,7 +6,7 @@
{% from 'allowed_states.map.jinja' import allowed_states %} {% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %} {% if sls.split('.')[0] in allowed_states %}
{% from 'vars/globals.map.jinja' import GLOBALS %} {% from 'vars/globals.map.jinja' import GLOBALS %}
{% from 'docker/docker.map.jinja' import DOCKER %} {% from 'docker/docker.map.jinja' import DOCKERMERGED %}
{% from 'soc/merged.map.jinja' import DOCKER_EXTRA_HOSTS %} {% from 'soc/merged.map.jinja' import DOCKER_EXTRA_HOSTS %}
{% from 'soc/merged.map.jinja' import SOCMERGED %} {% from 'soc/merged.map.jinja' import SOCMERGED %}
@@ -22,7 +22,7 @@ so-soc:
- name: so-soc - name: so-soc
- networks: - networks:
- sobridge: - sobridge:
- ipv4_address: {{ DOCKER.containers['so-soc'].ip }} - ipv4_address: {{ DOCKERMERGED.containers['so-soc'].ip }}
- binds: - binds:
- /nsm/rules:/nsm/rules:rw - /nsm/rules:/nsm/rules:rw
- /opt/so/conf/strelka:/opt/sensoroni/yara:rw - /opt/so/conf/strelka:/opt/sensoroni/yara:rw
@@ -63,24 +63,24 @@ so-soc:
- {{hostname}}:{{ip}} - {{hostname}}:{{ip}}
{% endfor %} {% endfor %}
{% endfor %} {% endfor %}
{% if DOCKER.containers['so-soc'].extra_hosts %} {% if DOCKERMERGED.containers['so-soc'].extra_hosts %}
{% for XTRAHOST in DOCKER.containers['so-soc'].extra_hosts %} {% for XTRAHOST in DOCKERMERGED.containers['so-soc'].extra_hosts %}
- {{ XTRAHOST }} - {{ XTRAHOST }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
- port_bindings: - port_bindings:
{% for BINDING in DOCKER.containers['so-soc'].port_bindings %} {% for BINDING in DOCKERMERGED.containers['so-soc'].port_bindings %}
- {{ BINDING }} - {{ BINDING }}
{% endfor %} {% endfor %}
{% if DOCKER.containers['so-soc'].extra_env %} {% if DOCKERMERGED.containers['so-soc'].extra_env %}
- environment: - environment:
{% for XTRAENV in DOCKER.containers['so-soc'].extra_env %} {% for XTRAENV in DOCKERMERGED.containers['so-soc'].extra_env %}
- {{ XTRAENV }} - {{ XTRAENV }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
{% if DOCKER.containers['so-soc'].ulimits %} {% if DOCKERMERGED.containers['so-soc'].ulimits %}
- ulimits: - ulimits:
{% for ULIMIT in DOCKER.containers['so-soc'].ulimits %} {% for ULIMIT in DOCKERMERGED.containers['so-soc'].ulimits %}
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }} - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}


@@ -5,7 +5,7 @@
{% from 'allowed_states.map.jinja' import allowed_states %} {% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %} {% if sls.split('.')[0] in allowed_states %}
{% from 'docker/docker.map.jinja' import DOCKER %} {% from 'docker/docker.map.jinja' import DOCKERMERGED %}
{% from 'vars/globals.map.jinja' import GLOBALS %} {% from 'vars/globals.map.jinja' import GLOBALS %}
include: include:
@@ -18,32 +18,32 @@ strelka_backend:
- binds: - binds:
- /opt/so/conf/strelka/backend/:/etc/strelka/:ro - /opt/so/conf/strelka/backend/:/etc/strelka/:ro
- /opt/so/conf/strelka/rules/compiled/:/etc/yara/:ro - /opt/so/conf/strelka/rules/compiled/:/etc/yara/:ro
{% if DOCKER.containers['so-strelka-backend'].custom_bind_mounts %} {% if DOCKERMERGED.containers['so-strelka-backend'].custom_bind_mounts %}
{% for BIND in DOCKER.containers['so-strelka-backend'].custom_bind_mounts %} {% for BIND in DOCKERMERGED.containers['so-strelka-backend'].custom_bind_mounts %}
- {{ BIND }} - {{ BIND }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
- name: so-strelka-backend - name: so-strelka-backend
- networks: - networks:
- sobridge: - sobridge:
- ipv4_address: {{ DOCKER.containers['so-strelka-backend'].ip }} - ipv4_address: {{ DOCKERMERGED.containers['so-strelka-backend'].ip }}
- command: strelka-backend - command: strelka-backend
- extra_hosts: - extra_hosts:
- {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }} - {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
{% if DOCKER.containers['so-strelka-backend'].extra_hosts %} {% if DOCKERMERGED.containers['so-strelka-backend'].extra_hosts %}
{% for XTRAHOST in DOCKER.containers['so-strelka-backend'].extra_hosts %} {% for XTRAHOST in DOCKERMERGED.containers['so-strelka-backend'].extra_hosts %}
- {{ XTRAHOST }} - {{ XTRAHOST }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
{% if DOCKER.containers['so-strelka-backend'].extra_env %} {% if DOCKERMERGED.containers['so-strelka-backend'].extra_env %}
- environment: - environment:
{% for XTRAENV in DOCKER.containers['so-strelka-backend'].extra_env %} {% for XTRAENV in DOCKERMERGED.containers['so-strelka-backend'].extra_env %}
- {{ XTRAENV }} - {{ XTRAENV }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
{% if DOCKER.containers['so-strelka-backend'].ulimits %} {% if DOCKERMERGED.containers['so-strelka-backend'].ulimits %}
- ulimits: - ulimits:
{% for ULIMIT in DOCKER.containers['so-strelka-backend'].ulimits %} {% for ULIMIT in DOCKERMERGED.containers['so-strelka-backend'].ulimits %}
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }} - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}


@@ -5,7 +5,7 @@
{% from 'allowed_states.map.jinja' import allowed_states %} {% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %} {% if sls.split('.')[0] in allowed_states %}
{% from 'docker/docker.map.jinja' import DOCKER %} {% from 'docker/docker.map.jinja' import DOCKERMERGED %}
{% from 'vars/globals.map.jinja' import GLOBALS %} {% from 'vars/globals.map.jinja' import GLOBALS %}
include: include:
@@ -18,35 +18,35 @@ strelka_coordinator:
- name: so-strelka-coordinator - name: so-strelka-coordinator
- networks: - networks:
- sobridge: - sobridge:
- ipv4_address: {{ DOCKER.containers['so-strelka-coordinator'].ip }} - ipv4_address: {{ DOCKERMERGED.containers['so-strelka-coordinator'].ip }}
- entrypoint: redis-server --save "" --appendonly no - entrypoint: redis-server --save "" --appendonly no
- extra_hosts: - extra_hosts:
- {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }} - {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
{% if DOCKER.containers['so-strelka-coordinator'].extra_hosts %} {% if DOCKERMERGED.containers['so-strelka-coordinator'].extra_hosts %}
{% for XTRAHOST in DOCKER.containers['so-strelka-coordinator'].extra_hosts %} {% for XTRAHOST in DOCKERMERGED.containers['so-strelka-coordinator'].extra_hosts %}
- {{ XTRAHOST }} - {{ XTRAHOST }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
- port_bindings: - port_bindings:
{% for BINDING in DOCKER.containers['so-strelka-coordinator'].port_bindings %} {% for BINDING in DOCKERMERGED.containers['so-strelka-coordinator'].port_bindings %}
- {{ BINDING }} - {{ BINDING }}
{% endfor %} {% endfor %}
{% if DOCKER.containers['so-strelka-coordinator'].extra_env %} {% if DOCKERMERGED.containers['so-strelka-coordinator'].extra_env %}
- environment: - environment:
{% for XTRAENV in DOCKER.containers['so-strelka-coordinator'].extra_env %} {% for XTRAENV in DOCKERMERGED.containers['so-strelka-coordinator'].extra_env %}
- {{ XTRAENV }} - {{ XTRAENV }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
- binds: - binds:
- /nsm/strelka/coord-redis-data:/data:rw - /nsm/strelka/coord-redis-data:/data:rw
{% if DOCKER.containers['so-strelka-coordinator'].custom_bind_mounts %} {% if DOCKERMERGED.containers['so-strelka-coordinator'].custom_bind_mounts %}
{% for BIND in DOCKER.containers['so-strelka-coordinator'].custom_bind_mounts %} {% for BIND in DOCKERMERGED.containers['so-strelka-coordinator'].custom_bind_mounts %}
- {{ BIND }} - {{ BIND }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
{% if DOCKER.containers['so-strelka-coordinator'].ulimits %} {% if DOCKERMERGED.containers['so-strelka-coordinator'].ulimits %}
- ulimits: - ulimits:
{% for ULIMIT in DOCKER.containers['so-strelka-coordinator'].ulimits %} {% for ULIMIT in DOCKERMERGED.containers['so-strelka-coordinator'].ulimits %}
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }} - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}


@@ -5,7 +5,7 @@
{% from 'allowed_states.map.jinja' import allowed_states %} {% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %} {% if sls.split('.')[0] in allowed_states %}
{% from 'docker/docker.map.jinja' import DOCKER %} {% from 'docker/docker.map.jinja' import DOCKERMERGED %}
{% from 'vars/globals.map.jinja' import GLOBALS %} {% from 'vars/globals.map.jinja' import GLOBALS %}
include: include:
@@ -18,32 +18,32 @@ strelka_filestream:
- binds: - binds:
- /opt/so/conf/strelka/filestream/:/etc/strelka/:ro - /opt/so/conf/strelka/filestream/:/etc/strelka/:ro
- /nsm/strelka:/nsm/strelka - /nsm/strelka:/nsm/strelka
{% if DOCKER.containers['so-strelka-filestream'].custom_bind_mounts %} {% if DOCKERMERGED.containers['so-strelka-filestream'].custom_bind_mounts %}
{% for BIND in DOCKER.containers['so-strelka-filestream'].custom_bind_mounts %} {% for BIND in DOCKERMERGED.containers['so-strelka-filestream'].custom_bind_mounts %}
- {{ BIND }} - {{ BIND }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
- name: so-strelka-filestream - name: so-strelka-filestream
- networks: - networks:
- sobridge: - sobridge:
- ipv4_address: {{ DOCKER.containers['so-strelka-filestream'].ip }} - ipv4_address: {{ DOCKERMERGED.containers['so-strelka-filestream'].ip }}
- command: strelka-filestream - command: strelka-filestream
- extra_hosts: - extra_hosts:
- {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }} - {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
{% if DOCKER.containers['so-strelka-filestream'].extra_hosts %} {% if DOCKERMERGED.containers['so-strelka-filestream'].extra_hosts %}
{% for XTRAHOST in DOCKER.containers['so-strelka-filestream'].extra_hosts %} {% for XTRAHOST in DOCKERMERGED.containers['so-strelka-filestream'].extra_hosts %}
- {{ XTRAHOST }} - {{ XTRAHOST }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
{% if DOCKER.containers['so-strelka-filestream'].extra_env %} {% if DOCKERMERGED.containers['so-strelka-filestream'].extra_env %}
- environment: - environment:
{% for XTRAENV in DOCKER.containers['so-strelka-filestream'].extra_env %} {% for XTRAENV in DOCKERMERGED.containers['so-strelka-filestream'].extra_env %}
- {{ XTRAENV }} - {{ XTRAENV }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
{% if DOCKER.containers['so-strelka-filestream'].ulimits %} {% if DOCKERMERGED.containers['so-strelka-filestream'].ulimits %}
- ulimits: - ulimits:
{% for ULIMIT in DOCKER.containers['so-strelka-filestream'].ulimits %} {% for ULIMIT in DOCKERMERGED.containers['so-strelka-filestream'].ulimits %}
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }} - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}


@@ -5,7 +5,7 @@
{% from 'allowed_states.map.jinja' import allowed_states %} {% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %} {% if sls.split('.')[0] in allowed_states %}
{% from 'docker/docker.map.jinja' import DOCKER %} {% from 'docker/docker.map.jinja' import DOCKERMERGED %}
{% from 'vars/globals.map.jinja' import GLOBALS %} {% from 'vars/globals.map.jinja' import GLOBALS %}
include: include:
@@ -18,8 +18,8 @@ strelka_frontend:
- binds: - binds:
- /opt/so/conf/strelka/frontend/:/etc/strelka/:ro - /opt/so/conf/strelka/frontend/:/etc/strelka/:ro
- /nsm/strelka/log/:/var/log/strelka/:rw - /nsm/strelka/log/:/var/log/strelka/:rw
{% if DOCKER.containers['so-strelka-frontend'].custom_bind_mounts %} {% if DOCKERMERGED.containers['so-strelka-frontend'].custom_bind_mounts %}
{% for BIND in DOCKER.containers['so-strelka-frontend'].custom_bind_mounts %} {% for BIND in DOCKERMERGED.containers['so-strelka-frontend'].custom_bind_mounts %}
- {{ BIND }} - {{ BIND }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
@@ -27,28 +27,28 @@ strelka_frontend:
- name: so-strelka-frontend - name: so-strelka-frontend
- networks: - networks:
- sobridge: - sobridge:
- ipv4_address: {{ DOCKER.containers['so-strelka-frontend'].ip }} - ipv4_address: {{ DOCKERMERGED.containers['so-strelka-frontend'].ip }}
- command: strelka-frontend - command: strelka-frontend
- extra_hosts: - extra_hosts:
- {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }} - {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
{% if DOCKER.containers['so-strelka-frontend'].extra_hosts %} {% if DOCKERMERGED.containers['so-strelka-frontend'].extra_hosts %}
{% for XTRAHOST in DOCKER.containers['so-strelka-frontend'].extra_hosts %} {% for XTRAHOST in DOCKERMERGED.containers['so-strelka-frontend'].extra_hosts %}
- {{ XTRAHOST }} - {{ XTRAHOST }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
- port_bindings: - port_bindings:
{% for BINDING in DOCKER.containers['so-strelka-frontend'].port_bindings %} {% for BINDING in DOCKERMERGED.containers['so-strelka-frontend'].port_bindings %}
- {{ BINDING }} - {{ BINDING }}
{% endfor %} {% endfor %}
{% if DOCKER.containers['so-strelka-frontend'].extra_env %} {% if DOCKERMERGED.containers['so-strelka-frontend'].extra_env %}
- environment: - environment:
{% for XTRAENV in DOCKER.containers['so-strelka-frontend'].extra_env %} {% for XTRAENV in DOCKERMERGED.containers['so-strelka-frontend'].extra_env %}
- {{ XTRAENV }} - {{ XTRAENV }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
{% if DOCKER.containers['so-strelka-frontend'].ulimits %} {% if DOCKERMERGED.containers['so-strelka-frontend'].ulimits %}
- ulimits: - ulimits:
{% for ULIMIT in DOCKER.containers['so-strelka-frontend'].ulimits %} {% for ULIMIT in DOCKERMERGED.containers['so-strelka-frontend'].ulimits %}
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }} - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}


@@ -5,7 +5,7 @@
{% from 'allowed_states.map.jinja' import allowed_states %} {% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %} {% if sls.split('.')[0] in allowed_states %}
{% from 'docker/docker.map.jinja' import DOCKER %} {% from 'docker/docker.map.jinja' import DOCKERMERGED %}
{% from 'vars/globals.map.jinja' import GLOBALS %} {% from 'vars/globals.map.jinja' import GLOBALS %}
include: include:
@@ -18,35 +18,35 @@ strelka_gatekeeper:
- name: so-strelka-gatekeeper - name: so-strelka-gatekeeper
- networks: - networks:
- sobridge: - sobridge:
- ipv4_address: {{ DOCKER.containers['so-strelka-gatekeeper'].ip }} - ipv4_address: {{ DOCKERMERGED.containers['so-strelka-gatekeeper'].ip }}
- entrypoint: redis-server --save "" --appendonly no --maxmemory-policy allkeys-lru - entrypoint: redis-server --save "" --appendonly no --maxmemory-policy allkeys-lru
- extra_hosts: - extra_hosts:
- {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }} - {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
{% if DOCKER.containers['so-strelka-gatekeeper'].extra_hosts %} {% if DOCKERMERGED.containers['so-strelka-gatekeeper'].extra_hosts %}
{% for XTRAHOST in DOCKER.containers['so-strelka-gatekeeper'].extra_hosts %} {% for XTRAHOST in DOCKERMERGED.containers['so-strelka-gatekeeper'].extra_hosts %}
- {{ XTRAHOST }} - {{ XTRAHOST }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
- port_bindings: - port_bindings:
{% for BINDING in DOCKER.containers['so-strelka-gatekeeper'].port_bindings %} {% for BINDING in DOCKERMERGED.containers['so-strelka-gatekeeper'].port_bindings %}
- {{ BINDING }} - {{ BINDING }}
{% endfor %} {% endfor %}
- binds: - binds:
- /nsm/strelka/gk-redis-data:/data:rw - /nsm/strelka/gk-redis-data:/data:rw
{% if DOCKER.containers['so-strelka-gatekeeper'].custom_bind_mounts %} {% if DOCKERMERGED.containers['so-strelka-gatekeeper'].custom_bind_mounts %}
{% for BIND in DOCKER.containers['so-strelka-gatekeeper'].custom_bind_mounts %} {% for BIND in DOCKERMERGED.containers['so-strelka-gatekeeper'].custom_bind_mounts %}
- {{ BIND }} - {{ BIND }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
{% if DOCKER.containers['so-strelka-gatekeeper'].extra_env %} {% if DOCKERMERGED.containers['so-strelka-gatekeeper'].extra_env %}
- environment: - environment:
{% for XTRAENV in DOCKER.containers['so-strelka-gatekeeper'].extra_env %} {% for XTRAENV in DOCKERMERGED.containers['so-strelka-gatekeeper'].extra_env %}
- {{ XTRAENV }} - {{ XTRAENV }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
{% if DOCKER.containers['so-strelka-gatekeeper'].ulimits %} {% if DOCKERMERGED.containers['so-strelka-gatekeeper'].ulimits %}
- ulimits: - ulimits:
{% for ULIMIT in DOCKER.containers['so-strelka-gatekeeper'].ulimits %} {% for ULIMIT in DOCKERMERGED.containers['so-strelka-gatekeeper'].ulimits %}
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }} - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}


@@ -5,7 +5,7 @@
{% from 'allowed_states.map.jinja' import allowed_states %} {% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %} {% if sls.split('.')[0] in allowed_states %}
{% from 'docker/docker.map.jinja' import DOCKER %} {% from 'docker/docker.map.jinja' import DOCKERMERGED %}
{% from 'vars/globals.map.jinja' import GLOBALS %} {% from 'vars/globals.map.jinja' import GLOBALS %}
include: include:
@@ -17,32 +17,32 @@ strelka_manager:
- image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-strelka-manager:{{ GLOBALS.so_version }} - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-strelka-manager:{{ GLOBALS.so_version }}
- binds: - binds:
- /opt/so/conf/strelka/manager/:/etc/strelka/:ro - /opt/so/conf/strelka/manager/:/etc/strelka/:ro
{% if DOCKER.containers['so-strelka-manager'].custom_bind_mounts %} {% if DOCKERMERGED.containers['so-strelka-manager'].custom_bind_mounts %}
{% for BIND in DOCKER.containers['so-strelka-manager'].custom_bind_mounts %} {% for BIND in DOCKERMERGED.containers['so-strelka-manager'].custom_bind_mounts %}
- {{ BIND }} - {{ BIND }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
- name: so-strelka-manager - name: so-strelka-manager
- networks: - networks:
- sobridge: - sobridge:
- ipv4_address: {{ DOCKER.containers['so-strelka-manager'].ip }} - ipv4_address: {{ DOCKERMERGED.containers['so-strelka-manager'].ip }}
- command: strelka-manager - command: strelka-manager
- extra_hosts: - extra_hosts:
- {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }} - {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
{% if DOCKER.containers['so-strelka-manager'].extra_hosts %} {% if DOCKERMERGED.containers['so-strelka-manager'].extra_hosts %}
{% for XTRAHOST in DOCKER.containers['so-strelka-manager'].extra_hosts %} {% for XTRAHOST in DOCKERMERGED.containers['so-strelka-manager'].extra_hosts %}
- {{ XTRAHOST }} - {{ XTRAHOST }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
{% if DOCKER.containers['so-strelka-manager'].extra_env %} {% if DOCKERMERGED.containers['so-strelka-manager'].extra_env %}
- environment: - environment:
{% for XTRAENV in DOCKER.containers['so-strelka-manager'].extra_env %} {% for XTRAENV in DOCKERMERGED.containers['so-strelka-manager'].extra_env %}
- {{ XTRAENV }} - {{ XTRAENV }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
{% if DOCKER.containers['so-strelka-manager'].ulimits %} {% if DOCKERMERGED.containers['so-strelka-manager'].ulimits %}
- ulimits: - ulimits:
{% for ULIMIT in DOCKER.containers['so-strelka-manager'].ulimits %} {% for ULIMIT in DOCKERMERGED.containers['so-strelka-manager'].ulimits %}
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }} - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}


@@ -6,7 +6,7 @@
{% from 'allowed_states.map.jinja' import allowed_states %} {% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %} {% if sls.split('.')[0] in allowed_states %}
{% from 'vars/globals.map.jinja' import GLOBALS %} {% from 'vars/globals.map.jinja' import GLOBALS %}
{% from 'docker/docker.map.jinja' import DOCKER %} {% from 'docker/docker.map.jinja' import DOCKERMERGED %}
{% from 'suricata/map.jinja' import SURICATAMERGED %} {% from 'suricata/map.jinja' import SURICATAMERGED %}
@@ -20,15 +20,15 @@ so-suricata:
- privileged: True - privileged: True
- environment: - environment:
- INTERFACE={{ GLOBALS.sensor.interface }} - INTERFACE={{ GLOBALS.sensor.interface }}
{% if DOCKER.containers['so-suricata'].extra_env %} {% if DOCKERMERGED.containers['so-suricata'].extra_env %}
{% for XTRAENV in DOCKER.containers['so-suricata'].extra_env %} {% for XTRAENV in DOCKERMERGED.containers['so-suricata'].extra_env %}
- {{ XTRAENV }} - {{ XTRAENV }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
{# we look at SURICATAMERGED.config['af-packet'][0] since we only allow one interface and therefore always the first list item #} {# we look at SURICATAMERGED.config['af-packet'][0] since we only allow one interface and therefore always the first list item #}
{% if SURICATAMERGED.config['af-packet'][0]['mmap-locked'] == "yes" and DOCKER.containers['so-suricata'].ulimits %} {% if SURICATAMERGED.config['af-packet'][0]['mmap-locked'] == "yes" and DOCKERMERGED.containers['so-suricata'].ulimits %}
- ulimits: - ulimits:
{% for ULIMIT in DOCKER.containers['so-suricata'].ulimits %} {% for ULIMIT in DOCKERMERGED.containers['so-suricata'].ulimits %}
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }} - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
@@ -42,15 +42,15 @@ so-suricata:
- /nsm/suricata/extracted:/var/log/suricata//filestore:rw - /nsm/suricata/extracted:/var/log/suricata//filestore:rw
- /opt/so/conf/suricata/bpf:/etc/suricata/bpf:ro - /opt/so/conf/suricata/bpf:/etc/suricata/bpf:ro
- /nsm/suripcap/:/nsm/suripcap:rw - /nsm/suripcap/:/nsm/suripcap:rw
{% if DOCKER.containers['so-suricata'].custom_bind_mounts %} {% if DOCKERMERGED.containers['so-suricata'].custom_bind_mounts %}
{% for BIND in DOCKER.containers['so-suricata'].custom_bind_mounts %} {% for BIND in DOCKERMERGED.containers['so-suricata'].custom_bind_mounts %}
- {{ BIND }} - {{ BIND }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
- network_mode: host - network_mode: host
{% if DOCKER.containers['so-suricata'].extra_hosts %} {% if DOCKERMERGED.containers['so-suricata'].extra_hosts %}
- extra_hosts: - extra_hosts:
{% for XTRAHOST in DOCKER.containers['so-suricata'].extra_hosts %} {% for XTRAHOST in DOCKERMERGED.containers['so-suricata'].extra_hosts %}
- {{ XTRAHOST }} - {{ XTRAHOST }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
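Review bot: The so-suricata ulimits block is gated on `SURICATAMERGED.config['af-packet'][0]['mmap-locked'] == "yes"`, so now that ulimits are user-configurable every entry set for this container (for example a nofile limit added through the UI) is silently dropped whenever mmap-locked is not "yes". That coupling presumably exists because the default entry is a memlock limit that only matters for mmap-locked captures, but it is not visible here; if so, the guard should be `{% if DOCKERMERGED.containers['so-suricata'].ulimits %}` with the mmap-locked condition applied only to the memlock entry inside the loop, or the intent documented with `{# ulimits are applied only when af-packet mmap-locked is enabled; user-defined ulimits are ignored otherwise #}`. The same `{{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}` render line in every other section emits whatever the pillar holds, so a soft value above hard or a non-numeric value is only rejected by Docker at container creation, which fails the state rather than the setting; the name validation mentioned in the commit list is not part of this diff. The so-suricata state definition begins outside the hunk.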


@@ -6,7 +6,7 @@
{% from 'allowed_states.map.jinja' import allowed_states %} {% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %} {% if sls.split('.')[0] in allowed_states %}
{% from 'vars/globals.map.jinja' import GLOBALS %} {% from 'vars/globals.map.jinja' import GLOBALS %}
{% from 'docker/docker.map.jinja' import DOCKER %} {% from 'docker/docker.map.jinja' import DOCKERMERGED %}
{% from 'telegraf/map.jinja' import TELEGRAFMERGED %} {% from 'telegraf/map.jinja' import TELEGRAFMERGED %}
include: include:
@@ -25,8 +25,8 @@ so-telegraf:
- HOST_SYS=/host/sys - HOST_SYS=/host/sys
- HOST_MOUNT_PREFIX=/host - HOST_MOUNT_PREFIX=/host
- GODEBUG=x509ignoreCN=0 - GODEBUG=x509ignoreCN=0
{% if DOCKER.containers['so-telegraf'].extra_env %} {% if DOCKERMERGED.containers['so-telegraf'].extra_env %}
{% for XTRAENV in DOCKER.containers['so-telegraf'].extra_env %} {% for XTRAENV in DOCKERMERGED.containers['so-telegraf'].extra_env %}
- {{ XTRAENV }} - {{ XTRAENV }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
@@ -55,20 +55,20 @@ so-telegraf:
{% if GLOBALS.is_manager or GLOBALS.role == 'so-heavynode' %} {% if GLOBALS.is_manager or GLOBALS.role == 'so-heavynode' %}
- /opt/so/conf/telegraf/etc/escurl.config:/etc/telegraf/elasticsearch.config:ro - /opt/so/conf/telegraf/etc/escurl.config:/etc/telegraf/elasticsearch.config:ro
{% endif %} {% endif %}
{% if DOCKER.containers['so-telegraf'].custom_bind_mounts %} {% if DOCKERMERGED.containers['so-telegraf'].custom_bind_mounts %}
{% for BIND in DOCKER.containers['so-telegraf'].custom_bind_mounts %} {% for BIND in DOCKERMERGED.containers['so-telegraf'].custom_bind_mounts %}
- {{ BIND }} - {{ BIND }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
{% if DOCKER.containers['so-telegraf'].extra_hosts %} {% if DOCKERMERGED.containers['so-telegraf'].extra_hosts %}
- extra_hosts: - extra_hosts:
{% for XTRAHOST in DOCKER.containers['so-telegraf'].extra_hosts %} {% for XTRAHOST in DOCKERMERGED.containers['so-telegraf'].extra_hosts %}
- {{ XTRAHOST }} - {{ XTRAHOST }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
{% if DOCKER.containers['so-telegraf'].ulimits %} {% if DOCKERMERGED.containers['so-telegraf'].ulimits %}
- ulimits: - ulimits:
{% for ULIMIT in DOCKER.containers['so-telegraf'].ulimits %} {% for ULIMIT in DOCKERMERGED.containers['so-telegraf'].ulimits %}
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }} - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}


@@ -1,5 +1,5 @@
{% import 'vars/init.map.jinja' as INIT %} {% import 'vars/init.map.jinja' as INIT %}
{% from 'docker/docker.map.jinja' import DOCKER %} {% from 'docker/docker.map.jinja' import DOCKERMERGED %}
{% from 'global/map.jinja' import GLOBALMERGED %} {% from 'global/map.jinja' import GLOBALMERGED %}
{% from 'vars/' ~ INIT.GRAINS.role.split('-')[1] ~ '.map.jinja' import ROLE_GLOBALS %} {# role is so-role so we have to split off the 'so' #} {% from 'vars/' ~ INIT.GRAINS.role.split('-')[1] ~ '.map.jinja' import ROLE_GLOBALS %} {# role is so-role so we have to split off the 'so' #}
@@ -25,8 +25,8 @@
'pcap_engine': GLOBALMERGED.pcapengine, 'pcap_engine': GLOBALMERGED.pcapengine,
'pipeline': GLOBALMERGED.pipeline, 'pipeline': GLOBALMERGED.pipeline,
'so_version': INIT.PILLAR.global.soversion, 'so_version': INIT.PILLAR.global.soversion,
'so_docker_gateway': DOCKER.gateway, 'so_docker_gateway': DOCKERMERGED.gateway,
'so_docker_range': DOCKER.range, 'so_docker_range': DOCKERMERGED.range,
'url_base': INIT.PILLAR.global.url_base, 'url_base': INIT.PILLAR.global.url_base,
'so_model': INIT.GRAINS.get('sosmodel',''), 'so_model': INIT.GRAINS.get('sosmodel',''),
'sensoroni_key': INIT.PILLAR.sensoroni.config.sensoronikey, 'sensoroni_key': INIT.PILLAR.sensoroni.config.sensoronikey,


@@ -6,7 +6,7 @@
{% from 'allowed_states.map.jinja' import allowed_states %} {% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %} {% if sls.split('.')[0] in allowed_states %}
{% from 'vars/globals.map.jinja' import GLOBALS %} {% from 'vars/globals.map.jinja' import GLOBALS %}
{% from 'docker/docker.map.jinja' import DOCKER %} {% from 'docker/docker.map.jinja' import DOCKERMERGED %}
include: include:
@@ -18,9 +18,9 @@ so-zeek:
- image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-zeek:{{ GLOBALS.so_version }} - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-zeek:{{ GLOBALS.so_version }}
- start: True - start: True
- privileged: True - privileged: True
{% if DOCKER.containers['so-zeek'].ulimits %} {% if DOCKERMERGED.containers['so-zeek'].ulimits %}
- ulimits: - ulimits:
{% for ULIMIT in DOCKER.containers['so-zeek'].ulimits %} {% for ULIMIT in DOCKERMERGED.containers['so-zeek'].ulimits %}
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }} - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
@@ -39,21 +39,21 @@ so-zeek:
- /opt/so/conf/zeek/bpf:/opt/zeek/etc/bpf:ro - /opt/so/conf/zeek/bpf:/opt/zeek/etc/bpf:ro
- /opt/so/conf/zeek/config.zeek:/opt/zeek/share/zeek/site/packages/ja4/config.zeek:ro - /opt/so/conf/zeek/config.zeek:/opt/zeek/share/zeek/site/packages/ja4/config.zeek:ro
- /opt/so/conf/zeek/zkg:/opt/so/conf/zeek/zkg:ro - /opt/so/conf/zeek/zkg:/opt/so/conf/zeek/zkg:ro
{% if DOCKER.containers['so-zeek'].custom_bind_mounts %} {% if DOCKERMERGED.containers['so-zeek'].custom_bind_mounts %}
{% for BIND in DOCKER.containers['so-zeek'].custom_bind_mounts %} {% for BIND in DOCKERMERGED.containers['so-zeek'].custom_bind_mounts %}
- {{ BIND }} - {{ BIND }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
- network_mode: host - network_mode: host
{% if DOCKER.containers['so-zeek'].extra_hosts %} {% if DOCKERMERGED.containers['so-zeek'].extra_hosts %}
- extra_hosts: - extra_hosts:
{% for XTRAHOST in DOCKER.containers['so-zeek'].extra_hosts %} {% for XTRAHOST in DOCKERMERGED.containers['so-zeek'].extra_hosts %}
- {{ XTRAHOST }} - {{ XTRAHOST }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
{% if DOCKER.containers['so-zeek'].extra_env %} {% if DOCKERMERGED.containers['so-zeek'].extra_env %}
- environment: - environment:
{% for XTRAENV in DOCKER.containers['so-zeek'].extra_env %} {% for XTRAENV in DOCKERMERGED.containers['so-zeek'].extra_env %}
- {{ XTRAENV }} - {{ XTRAENV }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}