Add support for disabling Zeek and Suricata

2025-12-06 17:22:49 +01:00 · 2021-09-17 13:01:50 -04:00
parent c06668c68e
commit 4d307c53e8
5 changed files with 74 additions and 20 deletions
--- a/salt/pcap/init.sls
+++ b/salt/pcap/init.sls
@@ -15,13 +15,14 @@
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls in allowed_states %}

+{% from "pcap/map.jinja" import STENOOPTIONS with context %}
+
 {% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %}
 {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %}
 {% set MANAGER = salt['grains.get']('master') %}
 {% set INTERFACE = salt['pillar.get']('sensor:interface', 'bond0') %}
 {% set BPF_STENO = salt['pillar.get']('steno:bpf', None) %}
 {% set BPF_COMPILED = "" %}
-{% from "pcap/map.jinja" import STENOOPTIONS with context %}

 # PCAP Section

--- a/salt/suricata/init.sls
+++ b/salt/suricata/init.sls
@@ -15,6 +15,8 @@
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls in allowed_states and grains.role not in ['so-manager', 'so-managersearch'] %}

+{% from "suricata/map.jinja" import SURICATAOPTIONS with context %}
+
 {% set interface = salt['pillar.get']('sensor:interface', 'bond0') %}
 {% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %}
 {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %}
@@ -136,9 +138,10 @@ suribpf:
   {% endif %}

 so-suricata:
-  docker_container.running:
+  docker_container.{{ SURICATAOPTIONS.status }}:
+  {% if SURICATAOPTIONS.status == 'running' %}
    - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-suricata:{{ VERSION }}
-    - start: {{ START }}
+    - start: {{ SURICATAOPTIONS.start }}
    - privileged: True
    - environment:
      - INTERFACE={{ interface }}
@@ -157,18 +160,27 @@ so-suricata:
      - file: /opt/so/conf/suricata/rules/
      - file: /opt/so/conf/suricata/bpf

+  {% else %} {# if Suricata isn't enabled, then stop and remove the container #}
+    - force: True
+  {% endif %}
+
 append_so-suricata_so-status.conf:
  file.append:
    - name: /opt/so/conf/so-status/so-status.conf
    - text: so-suricata
    - unless: grep -q so-suricata /opt/so/conf/so-status/so-status.conf

-{% if grains.role == 'so-import' %}
-disable_so-suricata_so-status.conf:
+  {% if not SURICATAOPTIONS.start %}
+so-suricata_so-status.disabled:
  file.comment:
    - name: /opt/so/conf/so-status/so-status.conf
    - regex: ^so-suricata$
-{% endif %}
+  {% else %}
+delete_so-suricata_so-status.disabled:
+  file.uncomment:
+    - name: /opt/so/conf/so-status/so-status.conf
+    - regex: ^so-suricata$
+  {% endif %}

 /usr/local/bin/surirotate:
  cron.absent:
--- a/salt/suricata/map.jinja
+++ b/salt/suricata/map.jinja
@@ -1,6 +1,15 @@
-# don't start the docker container if it is an import node
-{% if grains.id.split('_')|last == 'import' %}
-  {% set START = False %}
+{% set SURICATAOPTIONS = {} %}
+{% set ENABLED = salt['pillar.get']('suricata:enabled', 'True') %}
+
+# don't start the docker container if it is an import node or disabled via pillar
+{% if grains.id.split('_')|last == 'import' or ENABLED is sameas false %}
+  {% do SURICATAOPTIONS.update({'start': False}) %}
 {% else %}
-  {% set START = True %}
+  {% do SURICATAOPTIONS.update({'start': True}) %}
+{% endif %}
+
+{% if ENABLED is sameas false %}
+  {% do SURICATAOPTIONS.update({'status': 'absent'}) %}
+{% else %}
+  {% do SURICATAOPTIONS.update({'status': 'running'}) %}
 {% endif %}
--- a/salt/zeek/init.sls
+++ b/salt/zeek/init.sls
@@ -1,7 +1,21 @@
+# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
+
+#    This program is free software: you can redistribute it and/or modify
+#    it under the terms of the GNU General Public License as published by
+#    the Free Software Foundation, either version 3 of the License, or
+#    (at your option) any later version.
+#
+#    This program is distributed in the hope that it will be useful,
+#    but WITHOUT ANY WARRANTY; without even the implied warranty of
+#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#    GNU General Public License for more details.
+#
+#    You should have received a copy of the GNU General Public License
+#    along with this program.  If not, see <http://www.gnu.org/licenses/>.
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls in allowed_states %}

-{% from "zeek/map.jinja" import START with context %}
+{% from "zeek/map.jinja" import ZEEKOPTIONS with context %}

 {% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %}
 {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %}
@@ -179,9 +193,10 @@ localzeeksync:
        LOCAL: {{ ZEEK.local | tojson }}

 so-zeek:
-  docker_container.running:
+  docker_container.{{ ZEEKOPTIONS.status }}:
+  {% if ZEEKOPTIONS.status == 'running' %}
    - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-zeek:{{ VERSION }}
-    - start: {{ START }}
+    - start: {{ ZEEKOPTIONS.start }}
    - privileged: True
    - ulimits:
      - core=0
@@ -204,6 +219,9 @@ so-zeek:
      - file: /opt/so/conf/zeek/zeekctl.cfg
      - file: /opt/so/conf/zeek/policy
      - file: /opt/so/conf/zeek/bpf
+  {% else %} {# if Zeek isn't enabled, then stop and remove the container #}
+    - force: True
+  {% endif %}

 append_so-zeek_so-status.conf:
  file.append:
@@ -211,12 +229,17 @@ append_so-zeek_so-status.conf:
    - text: so-zeek
    - unless: grep -q so-zeek /opt/so/conf/so-status/so-status.conf

-{% if grains.role == 'so-import' %}
-disable_so-zeek_so-status.conf:
+  {% if not ZEEKOPTIONS.start %}
+so-zeek_so-status.disabled:
  file.comment:
    - name: /opt/so/conf/so-status/so-status.conf
    - regex: ^so-zeek$
-{% endif %}
+  {% else %}
+delete_so-zeek_so-status.disabled:
+  file.uncomment:
+    - name: /opt/so/conf/so-status/so-status.conf
+    - regex: ^so-zeek$
+  {% endif %}

 {% else %}

--- a/salt/zeek/map.jinja
+++ b/salt/zeek/map.jinja
@@ -1,6 +1,15 @@
-# don't start the docker container if it is an import node
-{% if grains.id.split('_')|last == 'import' %}
-  {% set START = False %}
+{% set ZEEKOPTIONS = {} %}
+{% set ENABLED = salt['pillar.get']('zeek:enabled', 'True') %}
+
+# don't start the docker container if it is an import node or disabled via pillar
+{% if grains.id.split('_')|last == 'import' or ENABLED is sameas false %}
+  {% do ZEEKOPTIONS.update({'start': False}) %}
 {% else %}
-  {% set START = True %}
+  {% do ZEEKOPTIONS.update({'start': True}) %}
+{% endif %}
+
+{% if ENABLED is sameas false %}
+  {% do ZEEKOPTIONS.update({'status': 'absent'}) %}
+{% else %}
+  {% do ZEEKOPTIONS.update({'status': 'running'}) %}
 {% endif %}