From 18ce9c781943a23f371a722fee96877311518ba8 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Thu, 28 Oct 2021 07:46:02 -0400
Subject: [PATCH 1/2] disable zeekpacketlosscron and telegraf checks if zeek is diabled via pillar
---
 salt/telegraf/etc/telegraf.conf | 23 +++++++++++++----------
 salt/zeek/init.sls | 2 +-
 salt/zeek/map.jinja | 4 +++-
 3 files changed, 17 insertions(+), 12 deletions(-)
diff --git a/salt/telegraf/etc/telegraf.conf b/salt/telegraf/etc/telegraf.conf
index 649fcc241..92fcb4106 100644
--- a/salt/telegraf/etc/telegraf.conf
+++ b/salt/telegraf/etc/telegraf.conf
@@ -20,6 +20,9 @@
 {%- set HELIX_API_KEY = salt['pillar.get']('fireeye:helix:api_key', '') %}
 {%- set UNIQUEID = salt['pillar.get']('sensor:uniqueid', '') %}
 {%- set TRUE_CLUSTER = salt['pillar.get']('elasticsearch:true_cluster', False) %}
+{%- set ZEEK_ENABLED = salt['pillar.get']('zeek:enabled', 'True') %}
+{%- set MDENGINE = salt['pillar.get']('global:mdengine', 'ZEEK') %}
+
 # Global tags can be specified here in key="value" format.
 [global_tags]
@@ -740,10 +743,10 @@
 "/scripts/stenoloss.sh",
 "/scripts/suriloss.sh",
 "/scripts/checkfiles.sh",
- {% if salt['pillar.get']('global:mdengine', 'ZEEK') == 'ZEEK' %}
+ {%- if MDENGINE == 'ZEEK' and ZEEK_ENABLED is sameas true %}
 "/scripts/zeekloss.sh",
 "/scripts/zeekcaptureloss.sh",
- {% endif %}
+ {%- endif %}
 "/scripts/oldpcap.sh",
 "/scripts/raid.sh",
 "/scripts/beatseps.sh"
@@ -757,10 +760,10 @@
 "/scripts/stenoloss.sh",
 "/scripts/suriloss.sh",
 "/scripts/checkfiles.sh",
- {% if salt['pillar.get']('global:mdengine', 'ZEEK') == 'ZEEK' %}
+ {%- if MDENGINE == 'ZEEK' and ZEEK_ENABLED is sameas true %}
 "/scripts/zeekloss.sh",
 "/scripts/zeekcaptureloss.sh",
- {% endif %}
+ {%- endif %}
 "/scripts/oldpcap.sh",
 "/scripts/eps.sh",
 "/scripts/raid.sh",
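Review bot: The gating condition `{%- if MDENGINE == 'ZEEK' and ZEEK_ENABLED is sameas true %}` is now spelled out five times (this -740 hunk, the -757, -776, -794 and -811 hunks, and again in the second patch's -743, -760, -779, -797 and -814 hunks), so the next change to the rule is a five-place edit. Hoisting it beside the other pillar lookups at the top of the file, `{%- set ZEEK_CHECKS = MDENGINE == 'ZEEK' and ZEEK_ENABLED %}`, would let every block use `{%- if ZEEK_CHECKS %}`. A short comment on that set line, `{# zeek loss checks only run when Zeek is the metadata engine and is enabled in pillar #}`, would also record why two pillar keys are consulted. The inputs table that each of these script lists belongs to starts before its hunk.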
@@ -776,10 +779,10 @@
 "/scripts/stenoloss.sh",
 "/scripts/suriloss.sh",
 "/scripts/checkfiles.sh",
- {% if salt['pillar.get']('global:mdengine', 'ZEEK') == 'ZEEK' %}
+ {%- if MDENGINE == 'ZEEK' and ZEEK_ENABLED is sameas true %}
 "/scripts/zeekloss.sh",
 "/scripts/zeekcaptureloss.sh",
- {% endif %}
+ {%- endif %}
 "/scripts/oldpcap.sh",
 "/scripts/eps.sh",
 "/scripts/raid.sh",
@@ -794,10 +797,10 @@
 "/scripts/stenoloss.sh",
 "/scripts/suriloss.sh",
 "/scripts/checkfiles.sh",
- {% if salt['pillar.get']('global:mdengine', 'ZEEK') == 'ZEEK' %}
+ {%- if MDENGINE == 'ZEEK' and ZEEK_ENABLED is sameas true %}
 "/scripts/zeekloss.sh",
 "/scripts/zeekcaptureloss.sh",
- {% endif %}
+ {%- endif %}
 "/scripts/oldpcap.sh",
 "/scripts/influxdbsize.sh",
 "/scripts/raid.sh",
@@ -811,10 +814,10 @@
 "/scripts/stenoloss.sh",
 "/scripts/suriloss.sh",
 "/scripts/checkfiles.sh",
- {% if salt['pillar.get']('global:mdengine', 'ZEEK') == 'ZEEK' %}
+ {%- if MDENGINE == 'ZEEK' and ZEEK_ENABLED is sameas true %}
 "/scripts/zeekloss.sh",
 "/scripts/zeekcaptureloss.sh",
- {% endif %}
+ {%- endif %}
 "/scripts/oldpcap.sh",
 "/scripts/helixeps.sh"
 ]
diff --git a/salt/zeek/init.sls b/salt/zeek/init.sls
index e4b83a9e1..2c9fb9846 100644
--- a/salt/zeek/init.sls
+++ b/salt/zeek/init.sls
@@ -146,7 +146,7 @@ plcronscript:
 - mode: 755
 zeekpacketlosscron:
- cron.present:
+ cron.{{ZEEKOPTIONS.pl_cron_state}}:
 - name: /usr/local/bin/packetloss.sh
 - user: root
 - minute: '*/10'
diff --git a/salt/zeek/map.jinja b/salt/zeek/map.jinja
index b5713c6d5..5ae8894bc 100644
--- a/salt/zeek/map.jinja
+++ b/salt/zeek/map.jinja
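Review bot: `cron.{{ZEEKOPTIONS.pl_cron_state}}:` depends on map.jinja keeping a second key in step with the `start` flag it already maintains; deriving the state function from the existing flag, `cron.{{ 'present' if ZEEKOPTIONS.start else 'absent' }}:`, removes the chance of the two drifting and makes it visible in this file that the cron follows the container. Salt's `cron.absent` state tolerates and ignores the scheduling arguments, so sharing the `- minute` line between the two state functions is fine. A comment above `zeekpacketlosscron:`, `# removed when the Zeek container is not started, so no stale packet-loss cron runs`, would document the intent. The state's argument list may continue past the end of the hunk.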
@@ -4,12 +4,14 @@
 # don't start the docker container if it is an import node or disabled via pillar
 {% if grains.id.split('_')|last == 'import' or ENABLED is sameas false %}
 {% do ZEEKOPTIONS.update({'start': False}) %}
+ {% do ZEEKOPTIONS.update({'pl_cron_state': 'absent'}) %}
 {% else %}
 {% do ZEEKOPTIONS.update({'start': True}) %}
+ {% do ZEEKOPTIONS.update({'pl_cron_state': 'present'}) %}
 {% endif %}
 {% if ENABLED is sameas false %}
 {% do ZEEKOPTIONS.update({'status': 'absent'}) %}
 {% else %}
 {% do ZEEKOPTIONS.update({'status': 'running'}) %}
-{% endif %}
\ No newline at end of file
+{% endif %}
From 7eb42fa6bdb386562a03970fb94bb20ed316f822 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Thu, 28 Oct 2021 08:43:03 -0400
Subject: [PATCH 2/2] change boolean
---
 salt/telegraf/etc/telegraf.conf | 12 ++++++------
 salt/zeek/map.jinja | 6 +++---
 2 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/salt/telegraf/etc/telegraf.conf b/salt/telegraf/etc/telegraf.conf
index 92fcb4106..fa7dabe09 100644
--- a/salt/telegraf/etc/telegraf.conf
+++ b/salt/telegraf/etc/telegraf.conf
@@ -20,7 +20,7 @@
 {%- set HELIX_API_KEY = salt['pillar.get']('fireeye:helix:api_key', '') %}
 {%- set UNIQUEID = salt['pillar.get']('sensor:uniqueid', '') %}
 {%- set TRUE_CLUSTER = salt['pillar.get']('elasticsearch:true_cluster', False) %}
-{%- set ZEEK_ENABLED = salt['pillar.get']('zeek:enabled', 'True') %}
+{%- set ZEEK_ENABLED = salt['pillar.get']('zeek:enabled', True) %}
 {%- set MDENGINE = salt['pillar.get']('global:mdengine', 'ZEEK') %}
@@ -743,7 +743,7 @@
 "/scripts/stenoloss.sh",
 "/scripts/suriloss.sh",
 "/scripts/checkfiles.sh",
- {%- if MDENGINE == 'ZEEK' and ZEEK_ENABLED is sameas true %}
+ {%- if MDENGINE == 'ZEEK' and ZEEK_ENABLED %}
 "/scripts/zeekloss.sh",
 "/scripts/zeekcaptureloss.sh",
 {%- endif %}
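Review bot: `pl_cron_state` is set in the branch that also covers `grains.id.split('_')|last == 'import'`, so the packet-loss cron is removed on import nodes as well as when `zeek:enabled` is false, which is wider than the commit subject's "disabled via pillar" states; that is probably intended, since there is no container to measure, but nothing in the file says so. The key is also consumed by name in `salt/zeek/init.sls` as the cron state function, so a reader of this file cannot tell that `'absent'`/`'present'` must stay valid `cron.*` state names. A comment on the first update line, `{# pl_cron_state is the cron state function (present/absent) that zeek/init.sls applies to packetloss.sh; it follows 'start' #}`, would close both gaps.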
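Review bot: `salt['pillar.get']('zeek:enabled', True)` now carries the same default that `salt/zeek/map.jinja` declares on its own line 2 (this patch's -1,8 hunk), so a later change to one file leaves the other silently different; at minimum each line should carry `{# default must match zeek/map.jinja #}` / `{# default must match telegraf.conf #}`. Testing `ZEEK_ENABLED` by truthiness (here and in the -743 through -814 hunks, and `not ENABLED` in map.jinja) handles a YAML boolean, but a quoted `'false'` in pillar is a non-empty string and still counts as enabled. Piping both lookups through Salt's `to_bool` filter, `salt['pillar.get']('zeek:enabled', True) | to_bool`, would make the two readings agree and accept the string form as well.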
@@ -760,7 +760,7 @@
 "/scripts/stenoloss.sh",
 "/scripts/suriloss.sh",
 "/scripts/checkfiles.sh",
- {%- if MDENGINE == 'ZEEK' and ZEEK_ENABLED is sameas true %}
+ {%- if MDENGINE == 'ZEEK' and ZEEK_ENABLED %}
 "/scripts/zeekloss.sh",
 "/scripts/zeekcaptureloss.sh",
 {%- endif %}
@@ -779,7 +779,7 @@
 "/scripts/stenoloss.sh",
 "/scripts/suriloss.sh",
 "/scripts/checkfiles.sh",
- {%- if MDENGINE == 'ZEEK' and ZEEK_ENABLED is sameas true %}
+ {%- if MDENGINE == 'ZEEK' and ZEEK_ENABLED %}
 "/scripts/zeekloss.sh",
 "/scripts/zeekcaptureloss.sh",
 {%- endif %}
@@ -797,7 +797,7 @@
 "/scripts/stenoloss.sh",
 "/scripts/suriloss.sh",
 "/scripts/checkfiles.sh",
- {%- if MDENGINE == 'ZEEK' and ZEEK_ENABLED is sameas true %}
+ {%- if MDENGINE == 'ZEEK' and ZEEK_ENABLED %}
 "/scripts/zeekloss.sh",
 "/scripts/zeekcaptureloss.sh",
 {%- endif %}
@@ -814,7 +814,7 @@
 "/scripts/stenoloss.sh",
 "/scripts/suriloss.sh",
 "/scripts/checkfiles.sh",
- {%- if MDENGINE == 'ZEEK' and ZEEK_ENABLED is sameas true %}
+ {%- if MDENGINE == 'ZEEK' and ZEEK_ENABLED %}
 "/scripts/zeekloss.sh",
 "/scripts/zeekcaptureloss.sh",
 {%- endif %}
diff --git a/salt/zeek/map.jinja b/salt/zeek/map.jinja
index 5ae8894bc..a0f92463e 100644
--- a/salt/zeek/map.jinja
+++ b/salt/zeek/map.jinja
@@ -1,8 +1,8 @@
 {% set ZEEKOPTIONS = {} %}
-{% set ENABLED = salt['pillar.get']('zeek:enabled', 'True') %}
+{% set ENABLED = salt['pillar.get']('zeek:enabled', True) %}
 # don't start the docker container if it is an import node or disabled via pillar
-{% if grains.id.split('_')|last == 'import' or ENABLED is sameas false %}
+{% if grains.id.split('_')|last == 'import' or not ENABLED %}
 {% do ZEEKOPTIONS.update({'start': False}) %}
 {% do ZEEKOPTIONS.update({'pl_cron_state': 'absent'}) %}
 {% else %}
@@ -10,7 +10,7 @@
 {% do ZEEKOPTIONS.update({'pl_cron_state': 'present'}) %}
 {% endif %}
-{% if ENABLED is sameas false %}
+{% if not ENABLED %}
 {% do ZEEKOPTIONS.update({'status': 'absent'}) %}
 {% else %}
 {% do ZEEKOPTIONS.update({'status': 'running'}) %}