diff --git a/salt/zeek/config.map.jinja b/salt/zeek/config.map.jinja
index 8c7d99cde..181666227 100644
--- a/salt/zeek/config.map.jinja
+++ b/salt/zeek/config.map.jinja
@@ -1,8 +1,17 @@
 {% from 'vars/sensor.map.jinja' import ROLE_GLOBALS %}
 {% import_yaml 'zeek/defaults.yaml' as zeek_defaults with context %}
-{% set zeek_pillar = salt['pillar.get']('zeek', []) %}
-{% set ZEEKMERGED = salt['defaults.merge'](zeek_defaults, zeek_pillar, in_place=False) %}
-{% do ZEEKMERGED.zeek.config.node.update({'interface': ROLE_GLOBALS.sensor.interface}) %}
+{% set ZEEKMERGED = salt['pillar.get']('zeek', zeek_defaults.zeek, merge=True) %}
+{% do ZEEKMERGED.config.node.update({'interface': ROLE_GLOBALS.sensor.interface}) %}
+
+{% if ZEEKMERGED.config.local.load is defined %}
+ {% set LOCALLOAD = ZEEKMERGED.config.local.pop('load') %}
+ {% do ZEEKMERGED.config.local.update({'@load': LOCALLOAD}) %}
+{% endif %}
+
+{% if ZEEKMERGED.config.local['load-sigs'] is defined %}
+ {% set LOCALLOADSIGS = ZEEKMERGED.config.local.pop('load-sigs') %}
+ {% do ZEEKMERGED.config.local.update({'@load-sigs': LOCALLOADSIGS}) %}
+{% endif %}
 
 {% set ZEEKOPTIONS = {} %}
 {% set ENABLED = salt['pillar.get']('zeek:enabled', True) %}
diff --git a/salt/zeek/defaults.yaml b/salt/zeek/defaults.yaml
index a21bf3389..d4ec7c26c 100644
--- a/salt/zeek/defaults.yaml
+++ b/salt/zeek/defaults.yaml
@@ -22,7 +22,7 @@ zeek:
 CfgDir: /opt/zeek/etc
 CompressLogs: 1
 local:
- '@load':
+ load:
 - misc/loaded-scripts
 - tuning/defaults
 - misc/capture-loss
@@ -68,7 +68,7 @@ zeek:
 - zeek-plugin-profinet
 - zeek-spicy-wireguard
 - zeek-spicy-stun
- '@load-sigs':
+ load-sigs:
 - frameworks/signatures/detect-windows-shells
 redef:
 - LogAscii::use_json = T;
diff --git a/salt/zeek/files/local.zeek.jinja b/salt/zeek/files/local.zeek.jinja
index 61f5df7d8..1cd15209a 100644
--- a/salt/zeek/files/local.zeek.jinja
+++ b/salt/zeek/files/local.zeek.jinja
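Review bot: The key-rename block silently discards an operator's list when a pillar still carries the legacy `'@load'` / `'@load-sigs'` keys: with merge=True the pillar's `'@load'` entry and the defaults' `load` entry both end up in ZEEKMERGED.config.local, and `{% do ZEEKMERGED.config.local.update({'@load': LOCALLOAD}) %}` then replaces the operator's policy (or signature) list with the default one instead of merging or rejecting it. A guard before the rename, such as `{% if '@load' in ZEEKMERGED.config.local %}{{ raise('zeek:config:local:@load is no longer supported, use load') }}{% endif %}` (and the same for `@load-sigs`), would make the migration explicit rather than a quiet loss of the configured signatures. The move from defaults.merge to pillar.get(..., merge=True) also deserves a comment on the new `{% set ZEEKMERGED` line, e.g. `{# pillar zeek: is merged recursively over defaults.yaml's zeek: key; list values presumably replace rather than append - confirm against merge_nested_lists #}`. I cannot tell from the hunk whether pillar.get copies its default before the pop/update calls mutate the result, so it is worth confirming that zeek_defaults is not altered for later renders in the same run.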
@@ -8,4 +8,4 @@
 {{ k }} {{ li }}
 {%- endfor %}
 {%- endif %}
-{%- endfor %}
\ No newline at end of file
+{%- endfor %}
diff --git a/salt/zeek/files/zeekctl.cfg.jinja b/salt/zeek/files/zeekctl.cfg.jinja
index 6d28d4dbd..0a6be371c 100644
--- a/salt/zeek/files/zeekctl.cfg.jinja
+++ b/salt/zeek/files/zeekctl.cfg.jinja
@@ -6,4 +6,4 @@
 {%- if option|lower in ALLOWEDOPTIONS %}
 {{ option }} = {{ ZEEKCTL[option] }}
 {%- endif %}
-{%- endfor %}
\ No newline at end of file
+{%- endfor %}
diff --git a/salt/zeek/init.sls b/salt/zeek/init.sls
index 41103f399..71ab35e46 100644
--- a/salt/zeek/init.sls
+++ b/salt/zeek/init.sls
@@ -78,7 +78,7 @@ zeekpolicysync:
 - group: 939
 - template: jinja
 - defaults:
- FILE_EXTRACTION: {{ ZEEKMERGED.zeek.file_extraction }}
+ FILE_EXTRACTION: {{ ZEEKMERGED.file_extraction }}
 
 # Ensure the zeek spool tree (and state.db) ownership is correct
 zeekspoolownership:
@@ -109,7 +109,7 @@ zeekctlcfg:
 - group: 939
 - template: jinja
 - defaults:
- ZEEKCTL: {{ ZEEKMERGED.zeek.config.zeekctl | tojson }}
+ ZEEKCTL: {{ ZEEKMERGED.config.zeekctl | tojson }}
 
 # Sync node.cfg
 nodecfg:
@@ -120,7 +120,7 @@ nodecfg:
 - group: 939
 - template: jinja
 - defaults:
- NODE: {{ ZEEKMERGED.zeek.config.node }}
+ NODE: {{ ZEEKMERGED.config.node }}
 
 networkscfg:
 file.managed:
@@ -130,7 +130,7 @@ networkscfg:
 - group: 939
 - template: jinja
 - defaults:
- NETWORKS: {{ ZEEKMERGED.zeek.config.networks }}
+ NETWORKS: {{ ZEEKMERGED.config.networks }}
 
 #zeekcleanscript:
 # file.managed:
@@ -198,7 +198,7 @@ localzeek:
 - group: 939
 - template: jinja
 - defaults:
- LOCAL: {{ ZEEKMERGED.zeek.config.local | tojson }}
+ LOCAL: {{ ZEEKMERGED.config.local | tojson }}
 
 so-zeek:
 docker_container.{{ ZEEKOPTIONS.status }}:
diff --git a/salt/zeek/soc_zeek.yaml b/salt/zeek/soc_zeek.yaml
index 11ad78656..46cae647a 100644
--- a/salt/zeek/soc_zeek.yaml
+++ b/salt/zeek/soc_zeek.yaml
@@ -5,10 +5,10 @@ zeek:
 helpLink: zeek.html
 config:
 local:
- '@load':
+ load:
 description: List of Zeek policies to load
 helpLink: zeek.html
- '@load-sigs':
+ load-sigs:
 description: List of Zeek signatures to load
 helpLink: zeek.html
 node: