Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

#404 MacOS support #419

Open
wants to merge 6 commits into
base: master
Choose a base branch
from
Open

#404 MacOS support #419

wants to merge 6 commits into from

Conversation

vid-pas
Copy link

@vid-pas vid-pas commented Oct 20, 2022

My goal, was to use a locally hosted docker install for threat hunter and read a remote suricata install.
On the way there, I wanted to stand up this SELKS stack on my Mac.

I made the following changes which enabled me to start and run the SELKS stack successfully on MacOS Monterey v12.6 on an M1 MBPro.

This might address #404; though I haven't tested the impact of these changes on a linux box.

Steps:

  1. I tried the easy-setup
  2. When that failed (failed to mount local volume: mount ./containers-data/suricata/logrotate...), I tried the Manual Docker install
    2a. That required several docker-compose edits updating the start of the local volume paths ./ to ${pwd}/ as well as adding required directories (that failed to be created in the easy-setup.
    2b. I also had to bypass the declared name for the suricata-logrotate volume; something about that was still not mac friendly. but it worked below with the explicit path.
  3. I then returned to the docker wiki page and logged in to https://localhost/ with selks-user, selks-user (after accepting the invalid SSL cert)

I have working localhost access to scirius, threat hunting, evebox, kibana, etc...
Basically I've removed the MacOS specific issues with the docker compose and easy-setup.sh.

However; one key remaining issue is the network interface SELKS should listen on. That's a big one.
I tried capturing the macOS equivalent to /sys/class/net; ex: en1; but that's not usable in the container.

if $isMacOS; then
    ifaceSource=$(networksetup -listallhardwareports | grep Device | awk '{ print $2}')
  else
    ifaceSource=$(ls /sys/class/net)
  fi

I tried pulling the shared network iface from a debian container with elevated perms (ex: eth1) but that was a no-go too;

YMMV; This might help address the mac issues with bash (although I am running bash v5.1 and not the default v3).

Testing steps:

cd docker;
docker-compose down; 
git clean -df
docker network prune
docker volume prune
docker container prune
./easy-setup.sh
docker-compose up -d --build --force-recreate

@pevma
Copy link
Member

pevma commented Oct 20, 2022

@vid-pas - thanks for the contribution !

@pevma
Copy link
Member

pevma commented Oct 20, 2022
edited
Loading

With regards to the interface - as long as it is listed or passed - it should be usable by the container - just like in Linux, unless we need to pass a specific option to the containers for MacOS ?

@pevma
Copy link
Member

pevma commented Oct 20, 2022

Passed in here https://github.com/StamusNetworks/SELKS/blob/master/docker/docker-compose.yml#L113

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@vid-pas @pevma