diff --git a/README.md b/README.md index c2a34e5..9e5ad88 100644 --- a/README.md +++ b/README.md @@ -34,14 +34,13 @@ images: Bro only uses 2 interfaces because it can only be deployed in passive mode. By default, these interfaces are named *calico* and *passive*. -useHostNetworking is used in situations where container networking is insufficient (such as the lack of SR-IOV). This allows the container to see all physical interfaces of the minions. This has some security concerns due to the fact that Bro now have access to all physical networking. When useHostNetworking is set, specify hostNetworkingInterface to match the physical interface of the minions being deployed to. When useHostNetworking is specified, the container will still be joined to the Calico network, but the passive variable is ignored. +useHostNetworking is used in situations where container networking is insufficient (such as the lack of SR-IOV). This allows the container to see all physical interfaces of the minions. This has some security concerns due to the fact that Bro now have access to all physical networking. When useHostNetworking is set, Bro will listen on the passive interface you identified in the [EDCOP-CONFIGURESENSORS](https://github.com/sealingtech/EDCOP-CONFIGURESENSORS) deployment. When useHostNetworking is specified, the container will still be joined to the Calico network, but the passive variable is ignored. ``` networks: overlay: calico passive: passive useHostNetworking: false - hostNetworkingInterface: eth0 ``` To find the names of your networks, use the following command: diff --git a/bro/Chart.yaml b/bro/Chart.yaml old mode 100755 new mode 100644 diff --git a/bro/templates/_helpers.tpl b/bro/templates/_helpers.tpl old mode 100755 new mode 100644 diff --git a/bro/templates/bro-daemonset.yaml b/bro/templates/bro-daemonset.yaml old mode 100755 new mode 100644 index 8387893..82ff2dc --- a/bro/templates/bro-daemonset.yaml +++ b/bro/templates/bro-daemonset.yaml 
@@ -18,36 +18,55 @@ spec:
 release: {{ .Release.Name }}
 annotations:
 networks: '[
- {{ if .Values.networks.useHostNetworking }}
+ {{- if .Values.networks.useHostNetworking }}
 { "name": "{{ .Values.networks.overlay }}" }
- {{ else }}
+ {{- else }}
 { "name": "{{ .Values.networks.overlay }}" },
 { "name": "{{ .Values.networks.passive }}" }
- {{ end }}
+ {{- end }}
 ]'
 spec:
- {{ if .Values.networks.useHostNetworking }}hostNetwork: true
- dnsPolicy: ClusterFirstWithHostNet{{ end }}
+ {{- if .Values.networks.useHostNetworking }}
+ hostNetwork: true
+ dnsPolicy: ClusterFirstWithHostNet
+ {{- end }}
+ initContainers:
+ - name: verifynode
+ image: {{ .Values.images.runner }}
+ env:
+ - name: INTERFACE
+ valueFrom:
+ secretKeyRef:
+ name: passive-interface
+ key: interface
+ - name: STARTUP_SCRIPT
+ value: |
+ #!/bin/bash
+ set -e
+ sleep 10
+ if [ ! -f /sys/class/net/$INTERFACE/operstate ]; then
+ echo "Network interface '$INTERFACE' not found, exiting..."
+ exit 1
+ fi
 containers:
 - name: bro
 image: {{ .Values.images.bro }}
 imagePullPolicy: Always
- env:
- {{ if .Values.networks.useHostNetworking }}
- - name: INTERFACE
- value: "{{ .Values.networks.hostNetworkingInterface }}"
- {{ else }}
- - name: INTERFACE
- value: "net0"
- {{ end }}
+ command: ["bash", "-c", "cp /tmp/bro/* /usr/local/bro/etc/ && /usr/bin/supervisord -c /etc/supervisor/conf.d/supervisord.conf"]
 securityContext:
+ runAsUser: 2001
+ fsGroup: 2001
 capabilities:
 add:
 - NET_ADMIN
 - SYS_NICE #Used for CPU pinning
 - NET_RAW
- runAsUser: 2001
- fsGroup: 2001
+ env:
+ - name: INTERFACE
+ valueFrom:
+ secretKeyRef:
+ name: passive-interface
+ key: interface
 resources:
 requests:
 cpu: "{{ .Values.broConfig.requests.cpu }}"
@@ -58,7 +77,7 @@ spec:
 volumeMounts:
 - mountPath: /usr/local/bro/logs/
 name: bro-logs
- - mountPath: /usr/local/bro/etc/
+ - mountPath: /tmp/bro/
 name: bro-etc-config
 - mountPath: /usr/local/bro/share/bro/site/local.bro
 name: bro-site-config
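Review bot: `fsGroup: 2001` is written under the bro container's `securityContext` next to `runAsUser`, but fsGroup is only a pod-level field (`spec.securityContext`), so as placed it is either rejected by API validation or ignored and the bro-logs volume is not group-owned by 2001; move it to the pod securityContext beside the new `{{- if .Values.networks.useHostNetworking }}` / `hostNetwork: true` block and keep only `runAsUser` on the container. The new `verifynode` init container declares no `securityContext`, so it runs with whatever user the runner image defaults to (not visible here, likely root) although its script only stats `/sys/class/net`; a `runAsUser: 2001` with `allowPrivilegeEscalation: false` there would keep the pod's uid-2001 posture consistent. In STARTUP_SCRIPT `$INTERFACE` is taken from the passive-interface secret and expanded unquoted, so a value containing whitespace breaks the test; quote it as `if [ ! -f "/sys/class/net/$INTERFACE/operstate" ]; then`. The fixed `sleep 10` is a delay rather than a wait-for condition; a bounded retry loop around the `operstate` check would wait for the interface instead of guessing at the timing.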
@@ -102,8 +121,6 @@ spec: - name: filebeat image: {{ .Values.images.filebeat }} imagePullPolicy: Always - securityContext: - privileged: true volumeMounts: - mountPath: /bro/ name: bro-spool @@ -135,6 +152,5 @@ spec: name: logstash-{{ template "bro.fullname" . }}-pipeline restartPolicy: Always - dnsPolicy: ClusterFirst nodeSelector: {{ .Values.nodeSelector.label }} : "true" diff --git a/bro/templates/bro-etc-config.yaml b/bro/templates/bro-etc-config.yaml old mode 100755 new mode 100644 index 61ca48f..60b00b8 --- a/bro/templates/bro-etc-config.yaml +++ b/bro/templates/bro-etc-config.yaml @@ -91,6 +91,9 @@ data: # changes, and a value of 0 means do not send mail. MailHostUpDown = 1 + # Send Mail + SendMail = /usr/sbin/sendmail + ############################################### # Logging Options @@ -162,11 +165,7 @@ data: [worker-1] type=worker host=localhost - {{ if .Values.networks.useHostNetworking }} - interface=af_packet::{{ .Values.networks.hostNetworkingInterface }} - {{ else }} - interface=af_packet::net0 - {{ end }} + interface=af_packet::${INTERFACE} {{ if .Values.broConfig.setCpuAffinity }}lb_method=custom lb_procs={{ .Values.broConfig.lbProcs }} pin_cpus={{ .Values.broConfig.pinCpus }} diff --git a/bro/templates/bro-site-config.yaml b/bro/templates/bro-site-config.yaml old mode 100755 new mode 100644 diff --git a/bro/templates/filebeat-bro-config.yaml b/bro/templates/filebeat-bro-config.yaml old mode 100755 new mode 100644 diff --git a/bro/templates/logstash-bro-config.yaml b/bro/templates/logstash-bro-config.yaml old mode 100755 new mode 100644 diff --git a/bro/templates/logstash-bro-pipeline.yaml b/bro/templates/logstash-bro-pipeline.yaml old mode 100755 new mode 100644 diff --git a/bro/values.yaml b/bro/values.yaml old mode 100755 new mode 100644 index 8d59893..55f474a --- a/bro/values.yaml +++ b/bro/values.yaml 
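Review bot: `interface=af_packet::${INTERFACE}` leaves a literal `${INTERFACE}` placeholder in the rendered ConfigMap — Helm does not expand it, and nothing in this file says it is rewritten later by the sed in container/supervisord.conf, so a reader of the chart will take it for a broken interface name. Add a comment above the line, `# ${INTERFACE} is a literal placeholder; the container command substitutes the runtime value with sed before broctl deploy`. The same placeholder is introduced in container/node.cfg in this commit and deserves the same note. If that substitution step ever fails, broctl will try to open an interface literally named `${INTERFACE}`, a case the verifynode init container's existence check does not cover.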
@@ -1,16 +1,16 @@
 # EDCOP Bro Chart values
 images:
- bro: gcr.io/edcop-dev/dlohin-bro:23
+ bro: gcr.io/edcop-dev/mike-bro:5
 logstash: docker.elastic.co/logstash/logstash:6.4.0
 redis: redis:4.0.9
 filebeat: docker.elastic.co/beats/filebeat:6.4.0
+ runner: gcr.io/edcop-public/runner:8
 networks:
 # Overlay is the name of the default cni network
 overlay: calico
 # Passive is the name of the sriov interface
 passive: passive
- useHostNetworking: false #If this option is set to true, the container will see all physical interfaces on the physical host it resides. This has some security issues but can be useful in some situations.
- hostNetworkingInterface: eth0 #Only used with useHostNetworking is set to true. Set this to the interface name of the adapter to listen on.
+ useHostNetworking: false
 nodeSelector:
 label: sensor
 broConfig:
diff --git a/container/Dockerfile b/container/Dockerfile
old mode 100755
new mode 100644
index 77ac451..f413df2
--- a/container/Dockerfile
+++ b/container/Dockerfile
@@ -1,7 +1,7 @@
 FROM centos:latest AS build
 RUN yum -y install epel-release
 RUN yum -y update && \
- yum -y install sudo supervisor git cmake make gcc gcc-c++ flex bison libpcap-devel openssl-devel python-devel swig zlib-devel GeoIP-devel libpcap gperftools vim-minimal wget kernel-headers kernel-devel kernel hiredis-devel git python-pip cmake librdkafka librdkafka-devel
+ yum -y install sudo supervisor git cmake make gcc gcc-c++ flex bison libpcap-devel openssl-devel python-devel swig zlib-devel GeoIP-devel libpcap gperftools vim-minimal wget kernel-headers kernel-devel kernel hiredis-devel git python-pip cmake librdkafka librdkafka-devel sendmail
 RUN pip install bro-pkg
 RUN wget https://www.bro.org/downloads/bro-2.5.5.tar.gz && \
 tar xzf bro-2.5.5.tar.gz && \
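Review bot: the comment that explained the security impact of `useHostNetworking` was removed together with `hostNetworkingInterface`, leaving `useHostNetworking: false` undocumented in the one file operators actually edit. Restore the warning as a comment above the key, e.g. `# If true the pod shares the node's network namespace and sees every physical interface; only enable when SR-IOV is unavailable.` The image references `mike-bro:5` and `runner:8` are mutable tags, and the DaemonSet pulls with `imagePullPolicy: Always`, so the deployed code can change without a chart change; pinning by digest (`image@sha256:<DIGEST-PLACEHOLDER>`) would make the supply chain reproducible. `runner:8` also comes from a different registry project (`edcop-public`) than the bro image, which is worth a one-line comment if intentional.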
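Review bot: `sendmail` is added to the package list of the `build` stage, but only `/usr/local/bro/` is copied out of that stage by the later `COPY --from=build`, so unless the Bro build itself links against it — nothing here suggests that — the package only enlarges and slows the build image; the runtime-stage install of sendmail is the one that has an effect. Drop it from this line, or add a comment stating why the build stage needs it. The base image `centos:latest` is unpinned, which pre-dates this change but compounds the build's non-reproducibility now that more packages are installed.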
@@ -21,22 +21,31 @@ RUN echo "********Log files for Bro Packages*********" && \ FROM centos:latest RUN yum -y install epel-release -RUN yum -y install supervisor git wget libpcap GeoIP gperftools tcpdump cmake librdkafka iproute && \ +RUN yum -y install supervisor git wget libpcap GeoIP gperftools tcpdump cmake librdkafka iproute sendmail && \ yum -y clean all && \ - mkdir -p /conf/{plugins,site} + mkdir -p /conf/{plugins,site} + COPY --from=build /usr/local/bro/ /usr/local/bro + ADD startbro.sh /startbro.sh ADD reset-network.sh /reset-network.sh ADD supervisord.conf /etc/supervisor/conf.d/supervisord.conf + ENV PATH="/usr/local/bro/bin/:${PATH}" +ENV INTERFACE=eth0 + RUN chmod +x /startbro.sh RUN chmod +x /reset-network.sh + #Used for allowing Bro to run as a regular user RUN /usr/local/bro/bin/broctl deploy RUN groupadd -g 2001 bro && \ useradd -u 2001 -g bro bro -d /usr/local/bro/logs/ && \ - chown -R bro:bro /usr/local/bro/logs/ /usr/local/bro/lib/bro/plugins /usr/local/bro/share/bro/site + chown -R bro:bro /usr/local/bro/logs/ /usr/local/bro/lib/bro/plugins /usr/local/bro/share/bro/site /usr/local/bro/etc/ + #Needed to run as a non-privileged user RUN setcap cap_net_raw,cap_net_admin=eip /usr/local/bro/bin/bro +RUN setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump + WORKDIR /usr/local/bro/logs/ CMD ["/usr/bin/supervisord","-c","/etc/supervisor/conf.d/supervisord.conf"] diff --git a/container/LICENSE b/container/LICENSE old mode 100755 new mode 100644 diff --git a/container/README.md b/container/README.md old mode 100755 new mode 100644 diff --git a/container/node.cfg b/container/node.cfg old mode 100755 new mode 100644 index 44e5ee3..32bc478 --- a/container/node.cfg +++ b/container/node.cfg @@ -13,7 +13,7 @@ host=localhost [worker-1] type=worker host=localhost -interface=af_packet::net0 +interface=af_packet::${INTERFACE} lb_method=custom lb_procs=6 pin_cpus=0,1,2,3,4,5 
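Review bot: `RUN setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump` grants raw-socket and interface-configuration capabilities to tcpdump for any uid in the image, a broader footprint than the single Bro binary that needed them so far; if this is a debugging aid, say so in a comment, e.g. `# debugging aid: lets the unprivileged bro user capture with tcpdump; remove for hardened builds`, or leave it out of production images. `ENV INTERFACE=eth0` bakes a default into the image while the DaemonSet always supplies INTERFACE from the passive-interface secret, so a comment noting it is only a fallback for running the image outside the chart would stop someone treating eth0 as configuration. The added `/usr/local/bro/etc/` in the `chown -R bro:bro` line makes the broctl configuration writable by the runtime user, which the sed substitution requires but also lets a compromised Bro process rewrite its own node.cfg — worth a comment acknowledging the trade-off. Installing `sendmail` in the runtime stage typically brings a setgid binary into an image that otherwise runs as uid 2001, and no `allowPrivilegeEscalation: false` is visible in the DaemonSet, so this is a small but real widening of the container's privilege surface.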
diff --git a/container/startbro.sh b/container/startbro.sh index de77e15..23113da 100755 --- a/container/startbro.sh +++ b/container/startbro.sh @@ -8,6 +8,8 @@ #CONTAINERINT is the interface within the Container CONTAINERINT=$INTERFACE +sed -i 's/${INTERFACE}/'$INTERFACE' /g' /usr/local/bro/etc/node.cfg + sudo chgrp $USER $(bro-config --site_dir) $(bro-config --plugin_dir) sudo chmod g+rwX $(bro-config --site_dir) $(bro-config --plugin_dir) diff --git a/container/supervisord.conf b/container/supervisord.conf old mode 100755 new mode 100644 index c5d3c70..046b882 --- a/container/supervisord.conf +++ b/container/supervisord.conf @@ -2,4 +2,4 @@ nodaemon=true [program:bro] -command=/usr/local/bro/bin/broctl deploy \ No newline at end of file +command=/bin/bash -c "sed -i 's/${INTERFACE}/'$INTERFACE' /g' /usr/local/bro/etc/node.cfg && /usr/local/bro/bin/broctl deploy" \ No newline at end of file
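Review bot: the replacement text in `sed -i 's/${INTERFACE}/'$INTERFACE' /g'` carries a space before `/g`, so node.cfg ends up as `interface=af_packet::eth0 ` with a trailing blank (whether broctl trims it is not visible here), and `$INTERFACE` is expanded unquoted and unescaped, so an interface name containing `/`, `&` or whitespace — the value comes from the passive-interface secret, i.e. external input — breaks the expression or is interpreted by sed. Use a different delimiter and quote the expansion: `sed -i "s|\${INTERFACE}|${INTERFACE}|g" /usr/local/bro/etc/node.cfg`. The identical command is added to container/supervisord.conf in this commit and needs the same fix; since both perform the same in-place substitution on the same file and supervisord is what the DaemonSet's command launches, one of the two copies appears redundant.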