From 58fe25623b6ece773278c293727428059e8944fb Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Tue, 8 Aug 2023 17:48:34 -0400
Subject: [PATCH] ensure ownership of /opt/so/log/strelka/filecheck_stdout.log

---
 salt/strelka/filestream/config.sls | 7 +++++++
 salt/strelka/map.jinja             | 2 ++
 2 files changed, 9 insertions(+)

diff --git a/salt/strelka/filestream/config.sls b/salt/strelka/filestream/config.sls
index 193241f32..c827ff5fb 100644
--- a/salt/strelka/filestream/config.sls
+++ b/salt/strelka/filestream/config.sls
@@ -7,6 +7,7 @@
 {% if sls.split('.')[0] in allowed_states %}
 {% from 'strelka/map.jinja' import STRELKAMERGED %}
 {% from 'vars/globals.map.jinja' import GLOBALS %}
+{% from 'strelka/map.jinja' import filecheck_runas %}
 
 include:
   - strelka.config
@@ -78,6 +79,12 @@ filecheck_script:
     - group: 939
     - mode: 755
 
+filecheck_stdout.log:
+  file.managed:
+    - name: /opt/so/log/strelka/filecheck_stdout.log
+    - user: {{ filecheck_runas }}
+    - group: {{ filecheck_runas }}
+
 {% if GLOBALS.md_engine == 'ZEEK' %}
 
 filecheck_run_socore:
diff --git a/salt/strelka/map.jinja b/salt/strelka/map.jinja
index 387036248..646f7a746 100644
--- a/salt/strelka/map.jinja
+++ b/salt/strelka/map.jinja
@@ -24,8 +26,10 @@
 
 {% if GLOBALS.md_engine == "SURICATA" %}
 {% set extract_path = '/nsm/suricata/extracted' %}
+{% set filecheck_runas = 'suricata' %}
 {% else %}
 {% set extract_path = '/nsm/zeek/extracted/complete' %}
+{% set filecheck_runas = 'socore' %}
 {% endif %}
 
 {% do STRELKADEFAULTS.strelka.filecheck.update({'extract_path': extract_path}) %}
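Review bot: The added import pulls a second name from `strelka/map.jinja` on its own line directly below an existing import from the same file; folding it into that line keeps the header readable, `{% from 'strelka/map.jinja' import STRELKAMERGED, filecheck_runas %}`. Nothing else in this hunk changes behavior, and the `{% if sls.split('.')[0] in allowed_states %}` guard it sits inside is closed outside the hunk.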
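Review bot: The new `filecheck_stdout.log` state pins owner and group to `filecheck_runas` but sets no `mode`, so a file this state creates gets Salt's default permissions and a pre-existing file keeps whatever mode it already had; since this is the captured stdout of the script that processes extracted files, I would make the permissions explicit, `- mode: 640`. As far as I can tell `file.managed` with no `source` or `contents` only creates the file when it is absent and leaves an existing file's contents alone, but if the intent is strictly "never touch it once it exists" that is worth confirming or spelling out with `- replace: False`. The stanza also uses account names where the `filecheck_script` state just above uses the numeric gid 939, so this state depends on the `suricata`/`socore` account existing on the minion by the time it runs; the ordering that guarantees that is outside this hunk.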
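Review bot: `filecheck_runas` is selected purely by whether `GLOBALS.md_engine` equals `"SURICATA"`, so any other value (including an unset or misspelled engine) silently yields `'socore'`, the same fall-through `extract_path` already has; the hunk gives no hint that the else branch is the Zeek case, which config.sls separately checks as `'ZEEK'`. A one-line comment above the block would make that pairing explicit, `{# extract_path and filecheck_runas both key on md_engine; the else branch is the ZEEK case #}`. Whether a non-SURICATA, non-ZEEK engine should instead fail loudly is a design question this change does not settle.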