From 1b55642c868287bb2bb49d9adbb022bcb9c586a5 Mon Sep 17 00:00:00 2001
From: DefensiveDepth
Date: Tue, 18 Nov 2025 09:58:14 -0500
Subject: [PATCH] Refactor rules location

---
 salt/allowed_states.map.jinja   |  1 -
 salt/suricata/config.sls        |  8 +++-----
 salt/suricata/enabled.sls       |  2 +-
 salt/suricata/manager.sls       | 30 ------------------------------
 salt/suricata/rules/PLACEHOLDER |  0
 salt/top.sls                    |  5 -----
 6 files changed, 4 insertions(+), 42 deletions(-)
 delete mode 100644 salt/suricata/manager.sls
 create mode 100644 salt/suricata/rules/PLACEHOLDER

diff --git a/salt/allowed_states.map.jinja b/salt/allowed_states.map.jinja
index c41573522..2393f92d7 100644
--- a/salt/allowed_states.map.jinja
+++ b/salt/allowed_states.map.jinja
@@ -38,7 +38,6 @@
     'hydra',
     'elasticfleet',
     'elastic-fleet-package-registry',
-    'suricata.manager',
     'utility'
 ] %}
 
diff --git a/salt/suricata/config.sls b/salt/suricata/config.sls
index 685aa66e7..c7c687bae 100644
--- a/salt/suricata/config.sls
+++ b/salt/suricata/config.sls
@@ -90,7 +90,7 @@ suridir:
 
 suriruledir:
   file.directory:
-    - name: /opt/so/conf/suricata/rules
+    - name: /opt/so/rules/suricata
     - user: 940
     - group: 939
     - mode: 775
@@ -118,12 +118,10 @@ suridatadir:
     - mode: 770
     - makedirs: True
 
-# salt:// would resolve to /opt/so/rules/nids because of the defined file_roots and
-# not existing under /opt/so/saltstack/local/salt or /opt/so/saltstack/default/salt
 surirulesync:
   file.recurse:
-    - name: /opt/so/conf/suricata/rules/
-    - source: salt://suri/
+    - name: /opt/so/rules/suricata/
+    - source: salt://suricata/rules/
     - user: 940
     - group: 940
     - show_changes: False
diff --git a/salt/suricata/enabled.sls b/salt/suricata/enabled.sls
index 34e9f2e4c..1576a0629 100644
--- a/salt/suricata/enabled.sls
+++ b/salt/suricata/enabled.sls
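Review bot: The relocated rules directory in the `suriruledir` hunk is created with `- mode: 775` and `- group: 939`, while the `surirulesync` state that fills it writes the rule files with `- group: 940`, so the directory is group-writable for a group that does not own the files it contains; both values are carried over as context, but moving the directory is the natural point to align them. If group 939 is not meant to be able to add or replace rule files that every sensor then loads, tighten the directory to `- mode: 755` or set `- group: 940` so directory and file ownership match. Which local accounts 939 and 940 correspond to is not visible in the patch, so confirm against the platform's uid/gid mapping before changing it.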
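Review bot: Nothing in this patch removes the `/opt/so/saltstack/local/salt/suricata/rules` symlink that the deleted `suricata.manager` state created on existing managers, and the new `- source: salt://suricata/rules/` in the `surirulesync` hunk resolves through the same file_roots the removed comment described; if the local root is searched before the default root, an upgraded manager would keep serving the old `/opt/so/rules/nids/suri` content under the new path and sensors would silently sync stale rules. Add a manager-side cleanup such as a `file.absent` state with `- name: /opt/so/saltstack/local/salt/suricata/rules`, followed by the `fileserver.update` runner the deleted state already used, before relying on the new source. The `file.recurse` does not show `- clean: True` in the visible lines, so a rule file withdrawn from the source would remain in `/opt/so/rules/suricata/` and keep being loaded; if nothing else writes to that directory, add `- clean: True` (the state's remaining options are outside the hunk, so this may already be set). The hunk also deletes the only explanation of where rules come from, so a one-line replacement such as `# rules are served from salt://suricata/rules/ on the master's file_roots; rule management writes there` above `surirulesync:` would be worth restoring.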
@@ -36,7 +36,7 @@ so-suricata:
       - /opt/so/conf/suricata/suricata.yaml:/etc/suricata/suricata.yaml:ro
       - /opt/so/conf/suricata/threshold.conf:/etc/suricata/threshold.conf:ro
       - /opt/so/conf/suricata/classification.config:/etc/suricata/classification.config:ro
-      - /opt/so/conf/suricata/rules:/etc/suricata/rules:ro
+      - /opt/so/rules/suricata:/etc/suricata/rules:ro
       - /opt/so/log/suricata/:/var/log/suricata/:rw
       - /nsm/suricata/:/nsm/:rw
       - /nsm/suricata/extracted:/var/log/suricata//filestore:rw
diff --git a/salt/suricata/manager.sls b/salt/suricata/manager.sls
deleted file mode 100644
index 3d5183556..000000000
--- a/salt/suricata/manager.sls
+++ /dev/null
@@ -1,30 +0,0 @@
-{% from 'allowed_states.map.jinja' import allowed_states %}
-{% if sls in allowed_states %}
-
-surilocaldir:
-  file.directory:
-    - name: /opt/so/saltstack/local/salt/suricata
-    - user: socore
-    - group: socore
-    - makedirs: True
-
-ruleslink:
-  file.symlink:
-    - name: /opt/so/saltstack/local/salt/suricata/rules
-    - user: socore
-    - group: socore
-    - target: /opt/so/rules/nids/suri
-
-refresh_salt_master_fileserver_suricata_ruleslink:
-  salt.runner:
-    - name: fileserver.update
-    - onchanges:
-      - file: ruleslink
-
-{% else %}
-
-{{sls}}_state_not_allowed:
-  test.fail_without_changes:
-    - name: {{sls}}_state_not_allowed
-
-{% endif %}
diff --git a/salt/suricata/rules/PLACEHOLDER b/salt/suricata/rules/PLACEHOLDER
new file mode 100644
index 000000000..e69de29bb
diff --git a/salt/top.sls b/salt/top.sls
index 613878860..d80806564 100644
--- a/salt/top.sls
+++ b/salt/top.sls
@@ -74,7 +74,6 @@ base:
     - sensoroni
     - telegraf
     - firewall
-    - suricata.manager
     - healthcheck
     - elasticsearch
     - elastic-fleet-package-registry
@@ -105,7 +104,6 @@ base:
     - firewall
     - sensoroni
     - telegraf
-    - suricata.manager
     - healthcheck
     - elasticsearch
     - logstash
@@ -140,7 +138,6 @@ base:
     - sensoroni
     - telegraf
     - backup.config_backup
-    - suricata.manager
     - elasticsearch
     - logstash
     - redis
@@ -174,7 +171,6 @@ base:
     - sensoroni
     - telegraf
     - backup.config_backup
-    - suricata.manager
     - elasticsearch
     - logstash
     - redis
@@ -204,7 +200,6 @@ base:
     - sensoroni
     - telegraf
     - firewall
-    - suricata.manager
     - pcap
     - elasticsearch
     - elastic-fleet-package-registry