Merge pull request #6039 from Security-Onion-Solutions/issue/5759

Issue/5759

salt/telegraf/etc/telegraf.conf

@@ -20,6 +20,9 @@
 {%- set HELIX_API_KEY = salt['pillar.get']('fireeye:helix:api_key', '') %}
 {%- set UNIQUEID = salt['pillar.get']('sensor:uniqueid', '') %}
 {%- set TRUE_CLUSTER = salt['pillar.get']('elasticsearch:true_cluster', False)  %}
+{%- set ZEEK_ENABLED = salt['pillar.get']('zeek:enabled', True) %}
+{%- set MDENGINE = salt['pillar.get']('global:mdengine', 'ZEEK') %}
+
 
 # Global tags can be specified here in key="value" format.
 [global_tags]
@@ -740,10 +743,10 @@
       "/scripts/stenoloss.sh",
       "/scripts/suriloss.sh",
       "/scripts/checkfiles.sh",
-  {% if salt['pillar.get']('global:mdengine', 'ZEEK') == 'ZEEK' %}
+  {%- if MDENGINE == 'ZEEK' and ZEEK_ENABLED %}
       "/scripts/zeekloss.sh",
       "/scripts/zeekcaptureloss.sh",
-  {% endif %}
+  {%- endif %}
       "/scripts/oldpcap.sh",
       "/scripts/raid.sh",
       "/scripts/beatseps.sh"
@@ -757,10 +760,10 @@
       "/scripts/stenoloss.sh",
       "/scripts/suriloss.sh",
       "/scripts/checkfiles.sh",
-  {% if salt['pillar.get']('global:mdengine', 'ZEEK') == 'ZEEK' %}
+  {%- if MDENGINE == 'ZEEK' and ZEEK_ENABLED %}
       "/scripts/zeekloss.sh",
       "/scripts/zeekcaptureloss.sh",
-  {% endif %}
+  {%- endif %}
       "/scripts/oldpcap.sh",
       "/scripts/eps.sh",
       "/scripts/raid.sh",
@@ -776,10 +779,10 @@
       "/scripts/stenoloss.sh",
       "/scripts/suriloss.sh",
       "/scripts/checkfiles.sh",
-  {% if salt['pillar.get']('global:mdengine', 'ZEEK') == 'ZEEK' %}
+  {%- if MDENGINE == 'ZEEK' and ZEEK_ENABLED %}
       "/scripts/zeekloss.sh",
       "/scripts/zeekcaptureloss.sh",
-  {% endif %}
+  {%- endif %}
       "/scripts/oldpcap.sh",
       "/scripts/eps.sh",
       "/scripts/raid.sh",
@@ -794,10 +797,10 @@
       "/scripts/stenoloss.sh",
       "/scripts/suriloss.sh",
       "/scripts/checkfiles.sh",
-  {% if salt['pillar.get']('global:mdengine', 'ZEEK') == 'ZEEK' %}
+  {%- if MDENGINE == 'ZEEK' and ZEEK_ENABLED %}
       "/scripts/zeekloss.sh",
       "/scripts/zeekcaptureloss.sh",
-  {% endif %}
+  {%- endif %}
       "/scripts/oldpcap.sh",
       "/scripts/influxdbsize.sh",
       "/scripts/raid.sh",
@@ -811,10 +814,10 @@
     "/scripts/stenoloss.sh",
     "/scripts/suriloss.sh",
     "/scripts/checkfiles.sh",
-  {% if salt['pillar.get']('global:mdengine', 'ZEEK') == 'ZEEK' %}
+  {%- if MDENGINE == 'ZEEK' and ZEEK_ENABLED %}
     "/scripts/zeekloss.sh",
     "/scripts/zeekcaptureloss.sh",
-  {% endif %}
+  {%- endif %}
     "/scripts/oldpcap.sh",
     "/scripts/helixeps.sh"
   ]

salt/zeek/init.sls

@@ -146,7 +146,7 @@ plcronscript:
     - mode: 755
 
 zeekpacketlosscron:
-  cron.present:
+  cron.{{ZEEKOPTIONS.pl_cron_state}}:
     - name: /usr/local/bin/packetloss.sh
     - user: root
     - minute: '*/10'

salt/zeek/map.jinja

@@ -1,14 +1,16 @@
 {% set ZEEKOPTIONS = {} %}
-{% set ENABLED = salt['pillar.get']('zeek:enabled', 'True') %}
+{% set ENABLED = salt['pillar.get']('zeek:enabled', True) %}
 
 # don't start the docker container if it is an import node or disabled via pillar
-{% if grains.id.split('_')|last == 'import' or ENABLED is sameas false %}
+{% if grains.id.split('_')|last == 'import' or not ENABLED %}
   {% do ZEEKOPTIONS.update({'start': False}) %}
+  {% do ZEEKOPTIONS.update({'pl_cron_state': 'absent'}) %}
 {% else %}
   {% do ZEEKOPTIONS.update({'start': True}) %}
+  {% do ZEEKOPTIONS.update({'pl_cron_state': 'present'}) %}
 {% endif %}
 
-{% if ENABLED is sameas false %}
+{% if not ENABLED %}
   {% do ZEEKOPTIONS.update({'status': 'absent'}) %}
 {% else %}
   {% do ZEEKOPTIONS.update({'status': 'running'}) %}