Merge pull request #13879 from Security-Onion-Solutions/2.4/templaterepos

Add local custom template
2025-12-07 09:42:46 +01:00 · 2024-11-07 15:40:36 -05:00
parent 356236ba4c f5bd8ab585
commit 47f9b0021c
5 changed files with 149 additions and 8 deletions
--- a/salt/elasticfleet/config.sls
+++ b/salt/elasticfleet/config.sls
@@ -81,14 +81,7 @@ eapackageupgrade:
    - template: jinja

 {%   if GLOBALS.role != "so-fleet" %}
-
-soresourcesrepoconfig:
-  git.config_set:
-    - name: safe.directory
-    - value: /nsm/securityonion-resources
-    - global: True
-    - user: socore
-    
+   
 {% if not GLOBALS.airgap %}
 soresourcesrepoclone:
  git.latest:
--- a/salt/manager/init.sls
+++ b/salt/manager/init.sls
@@ -141,6 +141,16 @@ rules_dir:
    - group: socore
    - makedirs: True

+git_config_set_safe_dirs:
+  git.config_set:
+    - name: safe.directory
+    - global: True
+    - user: socore
+    - multivar:
+      - /nsm/rules/custom-local-repos/local-sigma
+      - /nsm/rules/custom-local-repos/local-yara
+      - /nsm/securityonion-resources
+      - /opt/so/conf/soc/ai_summary_repos/securityonion-resources
 {% else %}

 {{sls}}_state_not_allowed:
--- a/salt/soc/config.sls
+++ b/salt/soc/config.sls
@@ -198,6 +198,38 @@ socsensoronirepos:
    - mode: 775
    - makedirs: True

+create_custom_local_yara_repo_template:
+  git.present:
+    - name: /nsm/rules/custom-local-repos/local-yara
+    - bare: False
+    - force: True
+
+add_readme_custom_local_yara_repo_template:
+  file.managed:
+    - name: /nsm/rules/custom-local-repos/local-yara/README
+    - source: salt://soc/files/soc/detections_custom_repo_template_readme.jinja
+    - user: 939
+    - group: 939
+    - template: jinja
+    - context:
+        repo_type: "yara"
+
+create_custom_local_sigma_repo_template:
+  git.present:
+    - name: /nsm/rules/custom-local-repos/local-sigma
+    - bare: False
+    - force: True
+
+add_readme_custom_local_sigma_repo_template:
+  file.managed:
+    - name: /nsm/rules/custom-local-repos/local-sigma/README
+    - source: salt://soc/files/soc/detections_custom_repo_template_readme.jinja
+    - user: 939
+    - group: 939
+    - template: jinja
+    - context:
+        repo_type: "sigma"
+  
 {% else %}

 {{sls}}_state_not_allowed:
--- a/salt/soc/defaults.yaml
+++ b/salt/soc/defaults.yaml
@@ -1342,11 +1342,17 @@ soc:
                license: Elastic-2.0
                folder: sigma/stable
                community: true
+              - repo: file:///nsm/rules/custom-local-repos/local-sigma
+                license: Elastic-2.0
+                community: false
            airgap:
              - repo: file:///nsm/rules/detect-sigma/repos/securityonion-resources
                license: Elastic-2.0
                folder: sigma/stable
                community: true
+              - repo: file:///nsm/rules/custom-local-repos/local-sigma
+                license: Elastic-2.0
+                community: false
          sigmaRulePackages:
            - core
            - emerging_threats_addon
@@ -1412,10 +1418,16 @@ soc:
              - repo: https://github.com/Security-Onion-Solutions/securityonion-yara
                license: DRL
                community: true
+              - repo: file:///nsm/rules/custom-local-repos/local-yara
+                license: Elastic-2.0
+                community: false
            airgap:
              - repo: file:///nsm/rules/detect-yara/repos/securityonion-yara
                license: DRL
                community: true
+              - repo: file:///nsm/rules/custom-local-repos/local-yara
+                license: Elastic-2.0
+                community: false
          yaraRulesFolder: /opt/sensoroni/yara/rules
          stateFilePath: /opt/sensoroni/fingerprints/strelkaengine.state
          integrityCheckFrequencySeconds: 1200
--- a/salt/soc/files/soc/detections_custom_repo_template_readme.jinja
+++ b/salt/soc/files/soc/detections_custom_repo_template_readme.jinja
@@ -0,0 +1,94 @@
+{% if repo_type == 'yara' %}
+# YARA Local Custom Rules Repository
+
+This folder has already been initialized as a git repo 
+and your Security Onion grid is configured to import any YARA rule files found here. 
+
+Just add your rule file and commit it.
+
+For example:
+
+** Note: If this is your first time making changes to this repo, you may run into the following error:
+
+fatal: detected dubious ownership in repository at '/nsm/rules/custom-local-repos/local-yara'
+To add an exception for this directory, call:
+	git config --global --add safe.directory /nsm/rules/custom-local-repos/local-yara
+
+This means that the user you are running commands as does not match the user that is used for this git repo (socore).
+You will need to make sure your rule files are accessible to the socore user, so either su to socore 
+or add the exception and then chown the rule files later.
+
+Also, you will be asked to set some configuration:
+```
+Author identity unknown
+*** Please tell me who you are.
+Run
+  git config --global user.email "you@example.com"
+  git config --global user.name "Your Name"
+to set your account's default identity.
+Omit --global to set the identity only in this repository.
+```
+
+Run these commands, ommitting the `--global`.
+
+With that out of the way:
+
+First, create the rule file with a .yar extension:
+`vi my_custom_rule.yar`
+
+Next, use git to stage the new rule to be committed:
+`git add my_custom_rule.yar`
+
+Finally, commit it:
+`git commit -m "Initial commit of my_custom_rule.yar"`
+
+The next time the Strelka / YARA engine syncs, the new rule should be imported
+If there are errors, review the sync log to troubleshoot further.
+
+{% elif repo_type == 'sigma' %}
+# Sigma Local Custom Rules Repository
+
+This folder has already been initialized as a git repo 
+and your Security Onion grid is configured to import any Sigma rule files found here. 
+
+Just add your rule file and commit it.
+
+For example:
+
+** Note: If this is your first time making changes to this repo, you may run into the following error:
+
+fatal: detected dubious ownership in repository at '/nsm/rules/custom-local-repos/local-sigma'
+To add an exception for this directory, call:
+	git config --global --add safe.directory /nsm/rules/custom-local-repos/local-sigma
+
+This means that the user you are running commands as does not match the user that is used for this git repo (socore).
+You will need to make sure your rule files are accessible to the socore user, so either su to socore 
+or add the exception and then chown the rule files later.
+
+Also, you will be asked to set some configuration:
+```
+Author identity unknown
+*** Please tell me who you are.
+Run
+  git config --global user.email "you@example.com"
+  git config --global user.name "Your Name"
+to set your account's default identity.
+Omit --global to set the identity only in this repository.
+```
+
+Run these commands, ommitting the `--global`.
+
+With that out of the way:
+
+First, create the rule file with a .yml or .yaml extension:
+`vi my_custom_rule.yml`
+
+Next, use git to stage the new rule to be committed:
+`git add my_custom_rule.yml`
+
+Finally, commit it:
+`git commit -m "Initial commit of my_custom_rule.yml"`
+
+The next time the Elastalert / Sigma engine syncs, the new rule should be imported
+If there are errors, review the sync log to troubleshoot further.
+{% endif %}