CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-06 17:22:49 +01:00
Code Issues Packages Projects Releases Wiki Activity

Add Strelka Filecheck

Browse Source
This commit is contained in:
Mike Reeves
2022-11-02 09:46:23 -04:00
parent 4187363451
commit 225c33e5c9
1 changed files with 43 additions and 24 deletions
Download Patch File Download Diff File Expand all files Collapse all files

67
salt/strelka/init.sls
View File

@@ -105,6 +105,49 @@ strelkaportavailable:
cmd.run: cmd.run:
- name: netstat -utanp | grep ":57314" | grep -qvE 'docker|TIME_WAIT' && PROCESS=$(netstat -utanp | grep ":57314" | uniq) && echo "Another process ($PROCESS) appears to be using port 57314. Please terminate this process, or reboot to ensure a clean state so that Strelka can start properly." && exit 1 || exit 0 - name: netstat -utanp | grep ":57314" | grep -qvE 'docker|TIME_WAIT' && PROCESS=$(netstat -utanp | grep ":57314" | uniq) && echo "Another process ($PROCESS) appears to be using port 57314. Please terminate this process, or reboot to ensure a clean state so that Strelka can start properly." && exit 1 || exit 0
# Filecheck Section
filecheck_logdir:
file.directory:
- name: /opt/so/log/strelka
- user: 939
- group: 939
- makedirs: True
filecheck_history:
file.directory:
- name: /nsm/strelka/history
- user: 939
- group: 939
- makedirs: True
filecheck_conf:
file.managed:
- name: /opt/so/conf/strelka/filecheck.yaml
- source: salt://strelka/filecheck/filecheck.yaml
- template: jinja
filecheck_script:
file.managed:
- name: /opt/so/conf/strelka/filecheck
- source: salt://strelka/filecheck/filecheck
- user: 939
- group: 939
- mode: 755
filecheck_run:
cmd.run:
- name: 'python3 /opt/so/conf/strelka/filecheck'
- bg: True
- runas: socore
- unless: ps -ef | grep filecheck | grep -v grep
filcheck_history_clean:
cron.present:
- name: '/usr/bin/find /nsm/strelka/history/ -type f -mtime +2 -exec rm {} + > /dev/null 2>&1>'
- minute: '33'
# End Filecheck Section
strelka_coordinator: strelka_coordinator:
docker_container.running: docker_container.running:
- image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-redis:{{ GLOBALS.so_version }} - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-redis:{{ GLOBALS.so_version }}
@@ -190,30 +233,6 @@ append_so-strelka-filestream_so-status.conf:
- name: /opt/so/conf/so-status/so-status.conf - name: /opt/so/conf/so-status/so-status.conf
- text: so-strelka-filestream - text: so-strelka-filestream
strelka_zeek_extracted_sync_old:
cron.absent:
- user: root
- name: '[ -d /nsm/zeek/extracted/complete/ ] && mv /nsm/zeek/extracted/complete/* /nsm/strelka/ > /dev/null 2>&1'
- minute: '*'
{% if GLOBALS.md_engine == "SURICATA" %}
strelka_suricata_extracted_sync:
cron.present:
- user: root
- identifier: zeek-extracted-strelka-sync
- name: '[ -d /nsm/suricata/extracted/ ] && find /nsm/suricata/extracted/* -not \( -path /nsm/suricata/extracted/tmp -prune \) -type f -print0 | xargs -0 -I {} mv {} /nsm/strelka/unprocessed/ > /dev/null 2>&1'
- minute: '*'
{% else %}
strelka_zeek_extracted_sync:
cron.present:
- user: root
- identifier: zeek-extracted-strelka-sync
- name: '[ -d /nsm/zeek/extracted/complete/ ] && mv /nsm/zeek/extracted/complete/* /nsm/strelka/unprocessed/ > /dev/null 2>&1'
- minute: '*'
{% endif %}
{% else %} {% else %}
{{sls}}_state_not_allowed: {{sls}}_state_not_allowed: