diff --git a/salt/common/tools/sbin/so-minion b/salt/common/tools/sbin/so-minion
index 2f506863d..541104c4d 100755
--- a/salt/common/tools/sbin/so-minion
+++ b/salt/common/tools/sbin/so-minion
@@ -214,8 +214,8 @@ function add_sensor_to_minion() {
 echo " config:" >> $PILLARFILE
 echo " af-packet:" >> $PILLARFILE
 echo " threads: '$CORECOUNT'" >> $PILLARFILE
- echo "pcap:" >> $PILLARFILE
- echo " enabled: True" >> $PILLARFILE
+# echo "pcap:" >> $PILLARFILE
+# echo " enabled: True" >> $PILLARFILE
 }
 function create_fleet_policy() {
diff --git a/salt/pcap/config.map.jinja b/salt/pcap/config.map.jinja
index f335c9380..88e3a83dd 100644
--- a/salt/pcap/config.map.jinja
+++ b/salt/pcap/config.map.jinja
@@ -1,3 +1,2 @@
-{% import_yaml 'pcap/defaults.yaml' as pcap_defaults with context %}
-{% set pcap_pillar = pillar.pcap %}
-{% set PCAPMERGED = salt['defaults.merge'](pcap_defaults, pcap_pillar, in_place=False) %}
+{% import_yaml 'pcap/defaults.yaml' as PCAPDEFAULTS %}
+{% set PCAPMERGED = salt['pillar.get']('pcap', PCAPDEFAULTS.pcap, merge=True) %}
diff --git a/salt/pcap/defaults.yaml b/salt/pcap/defaults.yaml
index 701cde04d..5c9b141b4 100644
--- a/salt/pcap/defaults.yaml
+++ b/salt/pcap/defaults.yaml
@@ -1,11 +1,11 @@
 pcap:
- enabled: True
- config:
- maxdirectoryfiles: 30000
- diskfreepercentage: 10
- blocks: 2048
- preallocate_file_mb: 4096
- aiops: 128
- pin_to_cpu: False
- cpus_to_pin_to: []
- disks: []
\ No newline at end of file
+ enabled: True
+ config:
+ maxdirectoryfiles: 30000
+ diskfreepercentage: 10
+ blocks: 2048
+ preallocate_file_mb: 4096
+ aiops: 128
+ pin_to_cpu: False
+ cpus_to_pin_to: []
+ disks: []
diff --git a/salt/pcap/disabled.sls b/salt/pcap/disabled.sls
new file mode 100644
index 000000000..b9afd6e15
--- /dev/null
+++ b/salt/pcap/disabled.sls
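Review bot: The two pillar writes at the end of add_sensor_to_minion are commented out rather than removed, which leaves dead code in a script that is otherwise executed line by line. Since config.map.jinja in this same commit falls back to pcap/defaults.yaml whenever the `pcap` pillar key is absent, nothing depends on these lines any more and they can simply be deleted; if they are kept as a reminder, a one-line comment should say where `pcap.enabled` is now expected to be set instead, which is not visible here. add_sensor_to_minion starts before the hunk.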
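Review bot: `salt['pillar.get']('pcap', PCAPDEFAULTS.pcap, merge=True)` silently substitutes the defaults, including `enabled: True`, on any minion whose pillar has no `pcap` key, whereas the removed `pillar.pcap` lookup would have failed the render; together with the so-minion change in this commit that is now the normal case for a freshly added sensor, so packet capture is on by default. That is presumably intended, but it deserves a comment on the line, e.g. `{# no pcap pillar => pcap/defaults.yaml, i.e. stenographer enabled #}`. Note also that `merge=True` only deep-merges when the pillar value is itself a mapping, and that by default pillar lists such as `cpus_to_pin_to` and `disks` replace rather than extend the default lists, which is worth a second comment so operators do not expect list concatenation.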
@@ -0,0 +1,19 @@
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls.split('.')[0] in allowed_states %}
+
+so-steno:
+ docker_container.absent:
+ - force: True
+
+so-steno_so-status.disabled:
+ file.comment:
+ - name: /opt/so/conf/so-status/so-status.conf
+ - regex: ^so-steno$
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+ test.fail_without_changes:
+ - name: {{sls}}_state_not_allowed
+
+{% endif %}
diff --git a/salt/pcap/enabled.sls b/salt/pcap/enabled.sls
new file mode 100644
index 000000000..803c31e3a
--- /dev/null
+++ b/salt/pcap/enabled.sls
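Review bot: `so-steno_so-status.disabled` comments out the `so-steno` line in so-status.conf but declares no requisite on the state that appends that line (`append_so-steno_so-status.conf` in pcap.sostatus), so correct ordering now rests solely on init.sls listing `pcap.sostatus` first in its include. Making the dependency explicit keeps this working if the include order changes or someone applies `pcap.disabled` on its own: add `- require:` / `  - sls: pcap.sostatus` under `file.comment`. The file also lacks the four-line license header that the sibling enabled.sls carries; adding it keeps the two new files consistent.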
@@ -0,0 +1,131 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls.split('.')[0] in allowed_states %}
+
+{% from 'vars/globals.map.jinja' import GLOBALS %}
+{% from "pcap/config.map.jinja" import PCAPMERGED with context %}
+{% from 'bpf/pcap.map.jinja' import PCAPBPF %}
+
+{% set BPF_COMPILED = "" %}
+
+# PCAP Section
+
+stenographergroup:
+ group.present:
+ - name: stenographer
+ - gid: 941
+
+stenographer:
+ user.present:
+ - uid: 941
+ - gid: 941
+ - home: /opt/so/conf/steno
+
+stenoconfdir:
+ file.directory:
+ - name: /opt/so/conf/steno
+ - user: 941
+ - group: 939
+ - makedirs: True
+
+{% if PCAPBPF %}
+ {% set BPF_CALC = salt['cmd.script']('/usr/sbin/so-bpf-compile', GLOBALS.sensor.interface + ' ' + PCAPBPF|join(" "),cwd='/root') %}
+ {% if BPF_CALC['stderr'] == "" %}
+ {% set BPF_COMPILED = ",\\\"--filter=" + BPF_CALC['stdout'] + "\\\"" %}
+ {% else %}
+
+bpfcompilationfailure:
+ test.configurable_test_state:
+ - changes: False
+ - result: False
+ - comment: "BPF Compilation Failed - Discarding Specified BPF"
+ {% endif %}
+{% endif %}
+
+stenoconf:
+ file.managed:
+ - name: /opt/so/conf/steno/config
+ - source: salt://pcap/files/config.jinja
+ - user: stenographer
+ - group: stenographer
+ - mode: 644
+ - template: jinja
+ - defaults:
+ PCAPMERGED: {{ PCAPMERGED }}
+ BPF_COMPILED: "{{ BPF_COMPILED }}"
+
+stenoca:
+ file.directory:
+ - name: /opt/so/conf/steno/certs
+ - user: 941
+ - group: 939
+
+pcapdir:
+ file.directory:
+ - name: /nsm/pcap
+ - user: 941
+ - group: 941
+ - makedirs: True
+
+pcaptmpdir:
+ file.directory:
+ - name: /nsm/pcaptmp
+ - user: 941
+ - group: 941
+ - makedirs: True
+
+pcapoutdir:
+ file.directory:
+ - name: /nsm/pcapout
+ - user: 939
+ - group: 939
+ - makedirs: True
+
+pcapindexdir:
+ file.directory:
+ - name: /nsm/pcapindex
+ - user: 941
+ - group: 941
+ - makedirs: True
+
+stenolog:
+ file.directory:
+ - name: /opt/so/log/stenographer
+ - user: 941
+ - group: 941
+ - makedirs: True
+
+so-steno:
+ docker_container.running:
+ - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-steno:{{ GLOBALS.so_version }}
+ - start: True
+ - network_mode: host
+ - privileged: True
+ - binds:
+ - /opt/so/conf/steno/certs:/etc/stenographer/certs:rw
+ - /opt/so/conf/steno/config:/etc/stenographer/config:rw
+ - /nsm/pcap:/nsm/pcap:rw
+ - /nsm/pcapindex:/nsm/pcapindex:rw
+ - /nsm/pcaptmp:/tmp:rw
+ - /opt/so/log/stenographer:/var/log/stenographer:rw
+ - watch:
+ - file: stenoconf
+ - require:
+ - file: stenoconf
+
+delete_so-steno_so-status.disabled:
+ file.uncomment:
+ - name: /opt/so/conf/so-status/so-status.conf
+ - regex: ^so-steno$
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+ test.fail_without_changes:
+ - name: {{sls}}_state_not_allowed
+
+{% endif %}
diff --git a/salt/pcap/files/config.jinja b/salt/pcap/files/config.jinja
index 420d12639..f0a4fc51d 100644
--- a/salt/pcap/files/config.jinja
+++ b/salt/pcap/files/config.jinja
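Review bot: The BPF branch treats an empty stderr as success, so if so-bpf-compile exits non-zero without writing to stderr, whatever it printed to stdout still lands in the `--filter=` flag of the stenographer config; checking the exit status as well is one extra token: `{% if BPF_CALC['retcode'] == 0 and BPF_CALC['stderr'] == "" %}`. The filter text itself comes from pillar (`PCAPBPF|join(" ")`) and is handed to cmd.script as one argument string; whether so-bpf-compile re-quotes it is not visible here, so a BPF containing quotes or shell metacharacters would at least be mis-tokenised, and that caveat belongs in a comment on the `cmd.script` line. `privileged: True` on so-steno is carried over from the old init.sls rather than introduced here, but since this is a new file it is a good moment to note why the container needs full privileges and whether `cap_add` with the raw-socket capabilities would suffice for stenotype's capture.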
@@ -1,11 +1,11 @@
 {
 "Threads": [
- { "PacketsDirectory": "/nsm/pcap", "IndexDirectory": "/nsm/pcapindex", "MaxDirectoryFiles": {{ PCAPMERGED.pcap.config.maxdirectoryfiles }}, "DiskFreePercentage": {{ PCAPMERGED.pcap.config.diskfreepercentage }} }
+ { "PacketsDirectory": "/nsm/pcap", "IndexDirectory": "/nsm/pcapindex", "MaxDirectoryFiles": {{ PCAPMERGED.config.maxdirectoryfiles }}, "DiskFreePercentage": {{ PCAPMERGED.config.diskfreepercentage }} }
 ]
 , "StenotypePath": "/usr/bin/stenotype"
 , "Interface": "{{ pillar.sensor.interface }}"
 , "Port": 1234
 , "Host": "127.0.0.1"
- , "Flags": ["-v", "--blocks={{ PCAPMERGED.pcap.config.blocks }}", "--preallocate_file_mb={{ PCAPMERGED.pcap.config.preallocate_file_mb }}", "--aiops={{ PCAPMERGED.pcap.config.aiops }}", "--uid=stenographer", "--gid=stenographer"{{ BPF_COMPILED }}]
+ , "Flags": ["-v", "--blocks={{ PCAPMERGED.config.blocks }}", "--preallocate_file_mb={{ PCAPMERGED.config.preallocate_file_mb }}", "--aiops={{ PCAPMERGED.config.aiops }}", "--uid=stenographer", "--gid=stenographer"{{ BPF_COMPILED }}]
 , "CertPath": "/etc/stenographer/certs"
 }
diff --git a/salt/pcap/init.sls b/salt/pcap/init.sls
index 73b384a53..31ac4dd31 100644
--- a/salt/pcap/init.sls
+++ b/salt/pcap/init.sls
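Review bot: The filter that enabled.sls compiles with so-bpf-compile is built for `GLOBALS.sensor.interface`, while the unchanged `"Interface"` line in this template reads `pillar.sensor.interface`; presumably both resolve to the same value, but using one source would rule out a compiled filter ever being applied to a different NIC than it was built for, e.g. by passing the interface through `defaults:` next to PCAPMERGED and writing `"Interface": "{{ INTERFACE }}"`. The renamed `PCAPMERGED.config.*` lookups match the flattened dict that config.map.jinja now exports, so the changed lines themselves look right. The numeric values are interpolated unquoted into JSON, so a pillar override that is not a number yields a config stenographer rejects only at start-up; a comment on the `"MaxDirectoryFiles"` line saying the values must be integers would help whoever edits the pillar.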
@@ -1,149 +1,9 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-{% from 'allowed_states.map.jinja' import allowed_states %}
-{% if sls in allowed_states %}
-
-{% from 'vars/globals.map.jinja' import GLOBALS %}
-{% from "pcap/map.jinja" import STENOOPTIONS with context %}
-{% from "pcap/config.map.jinja" import PCAPMERGED with context %}
-{% from 'bpf/pcap.map.jinja' import PCAPBPF %}
-
-{% set BPF_COMPILED = "" %}
-
-# PCAP Section
-
-stenographergroup:
- group.present:
- - name: stenographer
- - gid: 941
-
-stenographer:
- user.present:
- - uid: 941
- - gid: 941
- - home: /opt/so/conf/steno
-
-stenoconfdir:
- file.directory:
- - name: /opt/so/conf/steno
- - user: 941
- - group: 939
- - makedirs: True
-
-{% if PCAPBPF %}
- {% set BPF_CALC = salt['cmd.script']('/usr/sbin/so-bpf-compile', GLOBALS.sensor.interface + ' ' + PCAPBPF|join(" "),cwd='/root') %}
- {% if BPF_CALC['stderr'] == "" %}
- {% set BPF_COMPILED = ",\\\"--filter=" + BPF_CALC['stdout'] + "\\\"" %}
- {% else %}
-
-bpfcompilationfailure:
- test.configurable_test_state:
- - changes: False
- - result: False
- - comment: "BPF Compilation Failed - Discarding Specified BPF"
- {% endif %}
-{% endif %}
-
-stenoconf:
- file.managed:
- - name: /opt/so/conf/steno/config
- - source: salt://pcap/files/config.jinja
- - user: stenographer
- - group: stenographer
- - mode: 644
- - template: jinja
- - defaults:
- PCAPMERGED: {{ PCAPMERGED }}
- BPF_COMPILED: "{{ BPF_COMPILED }}"
-
-stenoca:
- file.directory:
- - name: /opt/so/conf/steno/certs
- - user: 941
- - group: 939
-
-pcapdir:
- file.directory:
- - name: /nsm/pcap
- - user: 941
- - group: 941
- - makedirs: True
-
-pcaptmpdir:
- file.directory:
- - name: /nsm/pcaptmp
- - user: 941
- - group: 941
- - makedirs: True
-
-pcapoutdir:
- file.directory:
- - name: /nsm/pcapout
- - user: 939
- - group: 939
- - makedirs: True
-
-pcapindexdir:
- file.directory:
- - name: /nsm/pcapindex
- - user: 941
- - group: 941
- - makedirs: True
-
-stenolog:
- file.directory:
- - name: /opt/so/log/stenographer
- - user: 941
- - group: 941
- - makedirs: True
-
-so-steno:
- docker_container.{{ STENOOPTIONS.status }}:
- {% if STENOOPTIONS.status == 'running' %}
- - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-steno:{{ GLOBALS.so_version }}
- - start: {{ STENOOPTIONS.start }}
- - network_mode: host
- - privileged: True
- - binds:
- - /opt/so/conf/steno/certs:/etc/stenographer/certs:rw
- - /opt/so/conf/steno/config:/etc/stenographer/config:rw
- - /nsm/pcap:/nsm/pcap:rw
- - /nsm/pcapindex:/nsm/pcapindex:rw
- - /nsm/pcaptmp:/tmp:rw
- - /opt/so/log/stenographer:/var/log/stenographer:rw
- - watch:
- - file: stenoconf
- - require:
- - file: stenoconf
- {% else %} {# if stenographer isn't enabled, then stop and remove the container #}
- - force: True
- {% endif %}
-
-append_so-steno_so-status.conf:
- file.append:
- - name: /opt/so/conf/so-status/so-status.conf
- - text: so-steno
- - unless: grep -q so-steno /opt/so/conf/so-status/so-status.conf
-
- {% if not STENOOPTIONS.start %}
-so-steno_so-status.disabled:
- file.comment:
- - name: /opt/so/conf/so-status/so-status.conf
- - regex: ^so-steno$
- {% else %}
-delete_so-steno_so-status.disabled:
- file.uncomment:
- - name: /opt/so/conf/so-status/so-status.conf
- - regex: ^so-steno$
- {% endif %}
+{% from 'pcap/config.map.jinja' import PCAPMERGED %}
+include:
+ - pcap.sostatus
+{% if PCAPMERGED.enabled %}
+ - pcap.enabled
 {% else %}
-
-{{sls}}_state_not_allowed:
- test.fail_without_changes:
- - name: {{sls}}_state_not_allowed
-
+ - pcap.disabled
 {% endif %}
diff --git a/salt/pcap/map.jinja b/salt/pcap/map.jinja
deleted file mode 100644
index ee939a0b4..000000000
--- a/salt/pcap/map.jinja
+++ /dev/null
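Review bot: `{% if PCAPMERGED.enabled %}` replaces the deleted map.jinja but drops two of its conditions: the legacy `steno:enabled` pillar key and the `grains.id` import-node check. A node that disabled stenographer with `steno: enabled: False` will come back with capture running after this change, because `pcap.enabled` now defaults to True and nothing reads the old key any more; either migrate that pillar setting in the same release or keep honouring it for a while, e.g. `{% if PCAPMERGED.enabled and salt['pillar.get']('steno:enabled', True) is not sameas false %}`. Whether import nodes are still kept off now depends entirely on allowed_states as consulted in pcap.enabled, which is not visible here, so that should be confirmed and stated in a comment above the `include:`. A short comment that only a boolean `False` disables capture (a quoted `'False'` is truthy in Jinja, as it was with the old `is sameas false` test) would also save the next reader a trip through the history.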
@@ -1,11 +0,0 @@
-{% set STENOOPTIONS = {} %}
-{% set ENABLED = salt['pillar.get']('steno:enabled', 'True') %}
-
-# don't start the docker container if it is an import node or disabled via pillar
-{% if grains.id.split('_')|last == 'import' or ENABLED is sameas false %}
- {% do STENOOPTIONS.update({'start': False}) %}
- {% do STENOOPTIONS.update({'status': 'absent'}) %}
-{% else %}
- {% do STENOOPTIONS.update({'start': True}) %}
- {% do STENOOPTIONS.update({'status': 'running'}) %}
-{% endif %}
diff --git a/salt/pcap/sostatus.sls b/salt/pcap/sostatus.sls
new file mode 100644
index 000000000..9e23892c9
--- /dev/null
+++ b/salt/pcap/sostatus.sls
@@ -0,0 +1,5 @@
+append_so-steno_so-status.conf:
+ file.append:
+ - name: /opt/so/conf/so-status/so-status.conf
+ - text: so-steno
+ - unless: grep -q so-steno /opt/so/conf/so-status/so-status.conf
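Review bot: `append_so-steno_so-status.conf` is now applied without the `allowed_states` guard that wrapped it in the deleted init.sls, and init.sls includes `pcap.sostatus` unconditionally, so a minion where `pcap` is not an allowed state gets `so-steno` appended to so-status.conf before `pcap.enabled`/`pcap.disabled` fails with `_state_not_allowed`, leaving so-status tracking a container that never exists there. Wrap the state the same way its siblings do: `{% from 'allowed_states.map.jinja' import allowed_states %}` / `{% if sls.split('.')[0] in allowed_states %}` before the state and `{% endif %}` after it. The `unless: grep -q so-steno` check also matches an already-commented `#so-steno` line, which is what keeps the enable/disable toggle from duplicating the entry; since the comment/uncomment pair now lives in other files, a one-line comment saying so would stop someone "fixing" the grep to `^so-steno$`.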