Add local custom template

2025-12-06 17:22:49 +01:00 · 2024-10-29 19:42:06 -04:00
parent ac359839e2
commit 5406a263d5
5 changed files with 100 additions and 8 deletions
--- a/salt/elasticfleet/config.sls
+++ b/salt/elasticfleet/config.sls
@@ -82,13 +82,6 @@ eapackageupgrade:

 {%   if GLOBALS.role != "so-fleet" %}
   
-soresourcesrepoconfig:
-  git.config_set:
-    - name: safe.directory
-    - value: /nsm/securityonion-resources
-    - global: True
-    - user: socore
-    
 {% if not GLOBALS.airgap %}
 soresourcesrepoclone:
  git.latest:
--- a/salt/manager/init.sls
+++ b/salt/manager/init.sls
@@ -141,6 +141,15 @@ rules_dir:
    - group: socore
    - makedirs: True

+git_config_set_safe_dirs:
+  git.config_set:
+    - name: safe.directory
+    - multivar:
+      - /nsm/rules/custom-local-repos/local-sigma
+      - /nsm/rules/custom-local-repos/local-yara
+      - /nsm/securityonion-resources
+      - /opt/so/conf/soc/ai_summary_repos/securityonion-resources
+    - global: True
 {% else %}

 {{sls}}_state_not_allowed:
--- a/salt/soc/config.sls
+++ b/salt/soc/config.sls
@@ -198,6 +198,38 @@ socsensoronirepos:
    - mode: 775
    - makedirs: True

+create_custom_local_yara_repo_template:
+  git.present:
+    - name: /nsm/rules/custom-local-repos/local-yara
+    - bare: False
+    - force: True
+
+add_readme_custom_local_yara_repo_template:
+  file.managed:
+    - name: /nsm/rules/custom-local-repos/local-yara/README
+    - source: salt://soc/files/soc/detections_custom_repo_template_readme.jinja
+    - user: 939
+    - group: 939
+    - template: jinja
+    - context:
+        repo_type: "yara"
+
+create_custom_local_sigma_repo_template:
+  git.present:
+    - name: /nsm/rules/custom-local-repos/local-sigma
+    - bare: False
+    - force: True
+
+add_readme_custom_local_sigma_repo_template:
+  file.managed:
+    - name: /nsm/rules/custom-local-repos/local-sigma/README
+    - source: salt://soc/files/soc/detections_custom_repo_template_readme.jinja
+    - user: 939
+    - group: 939
+    - template: jinja
+    - context:
+        repo_type: "sigma"
+  
 {% else %}

 {{sls}}_state_not_allowed:
--- a/salt/soc/defaults.yaml
+++ b/salt/soc/defaults.yaml
@@ -1342,11 +1342,17 @@ soc:
                license: Elastic-2.0
                folder: sigma/stable
                community: true
+              - repo: file:///nsm/rules/custom-local-repos/local-sigma
+                license: Elastic-2.0
+                community: false
            airgap:
              - repo: file:///nsm/rules/detect-sigma/repos/securityonion-resources
                license: Elastic-2.0
                folder: sigma/stable
                community: true
+              - repo: file:///nsm/rules/custom-local-repos/local-sigma
+                license: Elastic-2.0
+                community: false
          sigmaRulePackages:
            - core
            - emerging_threats_addon
@@ -1412,10 +1418,16 @@ soc:
              - repo: https://github.com/Security-Onion-Solutions/securityonion-yara
                license: DRL
                community: true
+              - repo: file:///nsm/rules/custom-local-repos/local-yara
+                license: Elastic-2.0
+                community: false
            airgap:
              - repo: file:///nsm/rules/detect-yara/repos/securityonion-yara
                license: DRL
                community: true
+              - repo: file:///nsm/rules/custom-local-repos/local-yara
+                license: Elastic-2.0
+                community: false
          yaraRulesFolder: /opt/sensoroni/yara/rules
          stateFilePath: /opt/sensoroni/fingerprints/strelkaengine.state
          integrityCheckFrequencySeconds: 1200
--- a/salt/soc/files/soc/detections_custom_repo_template_readme.jinja
+++ b/salt/soc/files/soc/detections_custom_repo_template_readme.jinja
@@ -0,0 +1,46 @@
+{% if repo_type == 'yara' %}
+# YARA Local Custom Rules Repository
+
+This folder has already been initialized as a git repo 
+and your Security Onion grid is configured to import any YARA rule files found here. 
+
+Just add your rule file and commit it.
+
+For example:
+
+First, create the rule file; make sure to create the file with a .yar extension
+`sudo vi my_custom_rule.yar`
+
+Next, use git to stage the new rule to be commited:
+`sudo git add my_custom_rule.yar`
+
+Finally, commit it.
+If this is your first time making changes to this repo, you will be asked to set some configuration.
+`sudo git commit -m "Initial commit of my_custom_rule.yar"`
+
+The next time the Strelka / YARA engine syncs, the new rule should be imported
+If there are errors, review the sync log to troubleshoot further.
+
+{% elif repo_type == 'sigma' %}
+# Sigma Local Custom Rules Repository
+
+This folder has already been initialized as a git repo 
+and your Security Onion grid is configured to import any Sigma rule files found here. 
+
+Just add your rule file and commit it.
+
+For example:
+
+First, create the rule file; make sure to create the file with a .yaml|.yml extension
+`sudo vi my_custom_rule.yml`
+
+Next, use git to stage the new rule to be commited:
+`sudo git add my_custom_rule.yml`
+
+Finally, commit it.
+If this is your first time making changes to this repo, you will be asked to set some configuration.
+`sudo git commit -m "Initial commit of my_custom_rule.yml"`
+
+The next time the Elastalert / Sigma engine syncs, the new rule should be imported
+If there are errors, review the sync log to troubleshoot further.
+{% endif %}