Merge pull request #3026 from Security-Onion-Solutions/delta

Delta

salt/common/init.sls

@@ -268,7 +268,7 @@ docker:
 # Reserve OS ports for Docker proxy in case boot settings are not already applied/present
 dockerapplyports:
     cmd.run:
-      - name: if [ ! -f /etc/sysctl.d/99-reserved-ports.conf ]; then sysctl -w net.ipv4.ip_local_reserved_ports="55000,57314"; fi
+      - name: if [ ! -s /etc/sysctl.d/99-reserved-ports.conf ]; then sysctl -w net.ipv4.ip_local_reserved_ports="55000,57314"; fi
 
 # Reserve OS ports for Docker proxy
 dockerreserveports:

salt/idstools/init.sls

@@ -55,12 +55,14 @@ rulesdir:
     - group: 939
     - makedirs: True
 
+# Don't show changes because all.rules can be large
 synclocalnidsrules:
   file.recurse:
     - name: /opt/so/rules/nids/
     - source: salt://idstools/
     - user: 939
     - group: 939
+    - show_changes: False
     - include_pat: 'E@.rules'
 
 so-idstools:

salt/suricata/cron/so-suricata-eve-clean

@@ -0,0 +1,32 @@
+#!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.. /usr/sbin/so-common
+
+APP=so-suricata-eve-clean
+lf=/tmp/$APP-pidLockFile
+# create empty lock file if none exists
+cat /dev/null >> $lf
+read lastPID < $lf
+# if lastPID is not null and a process with that pid exists , exit
+[ ! -z "$lastPID" -a -d /proc/$lastPID ] && exit
+echo $$ > $lf
+
+MAXDAYS={{ salt['pillar.get']('suricata:cleanup:eve_json', 7) }}
+if [ "$MAXDAYS" -lt 1 ]; then
+  MAXDAYS=1
+fi
+
+find /nsm/suricata/ -type f -mtime +$MAXDAYS -name 'eve-*.json*' -execdir rm -- '{}' \;

salt/suricata/cron/surilogcompress

@@ -1,6 +1,6 @@
 #!/bin/bash
 
 # Gzip the eve logs
-find /nsm/suricata/eve*.json -type f -printf '%T@\t%p\n' | sort -t $'\t' -g |  head -n -1 |  cut -d $'\t' -f 2- | xargs nice gzip
+find /nsm/suricata/eve*.json -type f -printf '%T@\t%p\n' | sort -t $'\t' -g |  head -n -1 |  cut -d $'\t' -f 2 | xargs nice gzip
 
 # TODO Add stats log

salt/suricata/init.sls

@@ -74,6 +74,7 @@ surirulesync:
     - source: salt://suricata/rules/
     - user: 940
     - group: 940
+    - show_changes: False
 
 surilogscript:
   file.managed:
@@ -177,6 +178,27 @@ disable_so-suricata_so-status.conf:
     - month: '*'
     - dayweek: '*'
 
+so-suricata-eve-clean:
+  file.managed:
+    - name: /usr/sbin/so-suricata-eve-clean
+    - user: root
+    - group: root
+    - mode: 755
+    - template: jinja
+    - source: salt://suricata/cron/so-suricata-eve-clean
+
+# Add eve clean cron
+clean_suricata_eve_files:
+  cron.present:
+    - name: /usr/sbin/so-suricata-eve-clean > /dev/null 2>&1
+    - identifier: clean_suricata_eve_files
+    - user: root
+    - minute: '10'
+    - hour: '0'
+    - daymonth: '*'
+    - month: '*'
+    - dayweek: '*'
+
 {% else %}
 
 {{sls}}_state_not_allowed:

setup/so-setup

@@ -708,32 +708,33 @@ set_redirect >> $setup_log 2>&1
 		
 		set_progress_str 60 "$(print_salt_state_apply 'manager')"
 		salt-call state.apply -l info manager >> $setup_log 2>&1
-
-		set_progress_str 61 "$(print_salt_state_apply 'idstools')"
-		create_local_nids_rules >> $setup_log 2>&1
-		salt-call state.apply -l info idstools >> $setup_log 2>&1
-
-		set_progress_str 61 "$(print_salt_state_apply 'suricata.manager')"
-		salt-call state.apply -l info suricata.manager >> $setup_log 2>&1
-
 	fi
 
-	set_progress_str 62 "$(print_salt_state_apply 'firewall')"
+	set_progress_str 61 "$(print_salt_state_apply 'firewall')"
 	salt-call state.apply -l info firewall >> $setup_log 2>&1
 
 	if [ $OS = 'centos' ]; then
-		set_progress_str 63 'Installing Yum utilities'
+		set_progress_str 62 'Installing Yum utilities'
 		salt-call state.apply -l info yum.packages >> $setup_log 2>&1
 	fi
 
-	set_progress_str 63 "$(print_salt_state_apply 'common')"
+	set_progress_str 62 "$(print_salt_state_apply 'common')"
 	salt-call state.apply -l info common >> $setup_log 2>&1
 
 	if [[ ! $is_helix ]]; then
-		set_progress_str 64 "$(print_salt_state_apply 'nginx')"
+		set_progress_str 62 "$(print_salt_state_apply 'nginx')"
 		salt-call state.apply -l info nginx >> $setup_log 2>&1
 	fi
 
+	if [[ $is_manager || $is_helix || $is_import ]]; then
+		set_progress_str 63 "$(print_salt_state_apply 'idstools')"
+		create_local_nids_rules >> $setup_log 2>&1
+		salt-call state.apply -l info idstools >> $setup_log 2>&1
+
+		set_progress_str 63 "$(print_salt_state_apply 'suricata.manager')"
+		salt-call state.apply -l info suricata.manager >> $setup_log 2>&1
+	fi
+
 	if [[ $is_manager || $is_node || $is_import || $is_helix ]]; then
 		set_progress_str 64 "$(print_salt_state_apply 'elasticsearch')"
 		salt-call state.apply -l info elasticsearch >> $setup_log 2>&1