From 3aa48b1a23eceaaac562f4bc32131d8f5e7e8036 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Fri, 13 Mar 2020 13:20:48 -0400
Subject: [PATCH] first go at managing zeekctl.cfg - https://github.com/Security-Onion-Solutions/securityonion-saltstack/issues/97
---
 salt/zeek/defaults.yml | 16 +++++++
 salt/zeek/files/zeekctl.cfg.jinja | 75 +++++++++++++++++++++++++++++++
 salt/zeek/init.sls | 15 +++++++
 3 files changed, 106 insertions(+)
 create mode 100644 salt/zeek/defaults.yml
 create mode 100644 salt/zeek/files/zeekctl.cfg.jinja
diff --git a/salt/zeek/defaults.yml b/salt/zeek/defaults.yml
new file mode 100644
index 000000000..1fb159805
--- /dev/null
+++ b/salt/zeek/defaults.yml
@@ -0,0 +1,16 @@
+zeek:
+ zeekctl:
+ MailTo: root@localhost
+ MailConnectionSummary: 1
+ MinDiskSpace: 5
+ MailHostUpDown: 1
+ LogRotationInterval: 3600
+ LogExpireInterval: 0
+ StatsLogEnable: 1
+ StatsLogExpireInterval: 0
+ StatusCmdShowAll: 0
+ CrashExpireInterval: 0
+ SitePolicyScripts: local.zeek
+ LogDir: /nsm/zeek/logs
+ SpoolDir: /nsm/zeek/spool
+ CfgDir: /opt/zeek/etc
diff --git a/salt/zeek/files/zeekctl.cfg.jinja b/salt/zeek/files/zeekctl.cfg.jinja
new file mode 100644
index 000000000..db486a6fd
--- /dev/null
+++ b/salt/zeek/files/zeekctl.cfg.jinja
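Review bot: With `LogExpireInterval: 0`, `StatsLogExpireInterval: 0` and `CrashExpireInterval: 0` the rendered zeekctl.cfg tells `zeekctl cron` never to prune archived logs, stats.log entries or crash directories, and `MinDiskSpace: 5` only triggers warning mail, so nothing in this change reclaims space under /nsm/zeek/logs. If retention is handled by another job, that is not visible here; a comment on those keys would save an operator from assuming zeekctl does it, e.g. `# 0 = never expire: zeekctl cron prunes nothing, so disk cleanup for /nsm/zeek/logs must happen elsewhere`. The `MailTo: root@localhost` default combined with `MailHostUpDown: 1` and `MailConnectionSummary: 1` also means every node mails local root on each rotation and host-state change; a comment saying sites should override `zeek:zeekctl` in pillar if that is unwanted would help.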
@@ -0,0 +1,75 @@
+## Global ZeekControl configuration file.
+
+###############################################
+# Mail Options
+
+# Recipient address for all emails sent out by Zeek and ZeekControl.
+MailTo = {{ ZEEKCTL.MailTo }}
+
+# Mail connection summary reports each log rotation interval. A value of 1
+means mail connection summaries, and a value of 0 means do not mail
+connection summaries. This option has no effect if the trace-summary
+script is not available.
+MailConnectionSummary = {{ ZEEKCTL.MailConnectionSummary }}
+
+# Lower threshold (in percentage of disk space) for space available on the
+disk that holds SpoolDir. If less space is available, "zeekctl cron" starts
+sending out warning emails. A value of 0 disables this feature.
+MinDiskSpace = {{ ZEEKCTL.MinDiskSpace }}
+
+# Send mail when "zeekctl cron" notices the availability of a host in the
+cluster to have changed. A value of 1 means send mail when a host status
+changes, and a value of 0 means do not send mail.
+MailHostUpDown = {{ ZEEKCTL.MailHostUpDown }}
+
+###############################################
+# Logging Options
+
+# Rotation interval in seconds for log files on manager (or standalone) node.
+# A value of 0 disables log rotation.
+LogRotationInterval = {{ ZEEKCTL.LogRotationInterval }}
+
+# Expiration interval for archived log files in LogDir. Files older than this
+will be deleted by "zeekctl cron". The interval is an integer followed by
+one of these time units: day, hr, min. A value of 0 means that logs
+never expire.
+LogExpireInterval = {{ ZEEKCTL.LogExpireInterval }}
+
+# Enable ZeekControl to write statistics to the stats.log file. A value of 1
+means write to stats.log, and a value of 0 means do not write to stats.log.
+StatsLogEnable = {{ ZEEKCTL.StatsLogEnable }}
+
+# Number of days that entries in the stats.log file are kept. Entries older
+than this many days will be removed by "zeekctl cron". A value of 0 means
+that entries never expire.
+StatsLogExpireInterval = {{ ZEEKCTL.StatsLogExpireInterval }}
+
+###############################################
+# Other Options
+
+# Show all output of the zeekctl status command. If set to 1, then all output
+is shown. If set to 0, then zeekctl status will not collect or show the peer
+information (and the command will run faster).
+StatusCmdShowAll = {{ ZEEKCTL.StatusCmdShowAll }}
+
+# Number of days that crash directories are kept. Crash directories older
+than this many days will be removed by "zeekctl cron". A value of 0 means
+that crash directories never expire.
+CrashExpireInterval = {{ ZEEKCTL.CrashExpireInterval }}
+
+# Site-specific policy script to load. Zeek will look for this in
+# $PREFIX/share/zeek/site. A default local.zeek comes preinstalled
+# and can be customized as desired.
+SitePolicyScripts = {{ ZEEKCTL.SitePolicyScripts }}
+
+# Location of the log directory where log files will be archived each rotation
+# interval.
+LogDir = {{ ZEEKCTL.LogDir }}
+
+# Location of the spool directory where files and data that are currently being
+# written are stored.
+SpoolDir = {{ ZEEKCTL.SpoolDir }}
+
+# Location of other configuration files that can be used to customize
+# ZeekControl operation (e.g. local networks, nodes).
+CfgDir = {{ ZEEKCTL.CfgDir }}
diff --git a/salt/zeek/init.sls b/salt/zeek/init.sls
index a7d222717..052841a56 100644
--- a/salt/zeek/init.sls
+++ b/salt/zeek/init.sls
@@ -3,7 +3,12 @@
 {% set BPF_ZEEK = salt['pillar.get']('zeek:bpf', {}) %}
 {% set BPF_STATUS = 0 %}
 {% set INTERFACE = salt['pillar.get']('sensor:interface', 'bond0') %}
+
+{% import_yml 'zeek/defaults.yml' as ZEEKDEFAULTS %}
+{% set ZEEKCTL = salt['pillar.get']('zeek:zeekctl', default=ZEEKDEFAULTS.zeekctl, merge=True) %}
+
 # Zeek Salt State
+
 # Add Zeek group
 zeekgroup:
 group.present:
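Review bot: Each option in this template is written into zeekctl.cfg as the raw pillar value (`MailTo = {{ ZEEKCTL.MailTo }}` and every line like it), so a value containing a newline or a second `key = value` becomes an extra directive in the rendered file, and nothing tells an operator who opens the file that Salt will overwrite it. Pillar is administrator-controlled, so this is a hygiene point rather than an injection finding, but a header comment settles both in one line, e.g. `## Managed by Salt (salt/zeek/files/zeekctl.cfg.jinja); set zeek:zeekctl pillar keys instead of editing here, local edits are lost.` Putting it directly under the existing `## Global ZeekControl configuration file.` line keeps the file's own comment style.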
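Review bot: The new `set ZEEKCTL` line relies on `pillar.get(..., merge=True)` to overlay the `zeek:zeekctl` pillar onto `ZEEKDEFAULTS.zeekctl` key by key, and the template that consumes it dereferences every key unconditionally, so defaults.yml silently becomes the schema the template depends on. A Jinja comment above the `set` should say so: `{# zeek:zeekctl pillar overrides defaults.yml key-by-key; every key zeekctl.cfg.jinja reads must have a default there #}`. If a site sets `zeek:zeekctl` to something other than a mapping, presumably the merge is skipped and the render fails at the first attribute lookup; that fail-closed behaviour is acceptable but is worth stating in the same comment.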
@@ -63,6 +68,16 @@ zeekpolicysync:
 - group: 939
 - template: jinja
+zeekctlcfg:
+ file.managed:
+ - name: /opt/so/conf/zeek/zeekctl.cfg
+ - source: salt://zeek/files/zeekctl.cfg.jinja
+ - user: 937
+ - group: 939
+ - template: jinja
+ - defaults:
+ ZEEKCTL: {{ ZEEKCTL }}
+
 # Sync node.cfg
 nodecfgsync:
 file.managed:
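Review bot: `zeekctlcfg` pins `user: 937` and `group: 939` but no `mode`, so on first creation /opt/so/conf/zeek/zeekctl.cfg gets whatever the minion's umask yields, and the state is not fully declarative for a file that chooses Zeek's site scripts (`SitePolicyScripts`) and output directories; add `- mode: 644` (the visible context for `zeekpolicysync` shows no mode either, so align both if that state sets one outside the hunk). `ZEEKCTL: {{ ZEEKCTL }}` interpolates the Python repr of the merged dict into the SLS, which Salt's YAML loader accepts as a flow mapping for the current defaults, but a pillar value containing a brace or quote would break the state render rather than the template; a short comment noting that assumption would make the failure mode visible. Nothing in this hunk notifies a Zeek service or runs `zeekctl deploy` when the file changes; if such a state exists elsewhere in init.sls it presumably needs a `watch`/`onchanges` on `zeekctlcfg`, which is outside the hunk.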