CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-06 01:02:46 +01:00
Code Issues Packages Projects Releases Wiki Activity

fix filecheck for suricata deployments

Browse Source
This commit is contained in:
Jason Ertel
2022-12-05 09:21:08 -05:00
parent eacf6238d8
commit 592bbf4217
2 changed files with 44 additions and 19 deletions
Download Patch File Download Diff File Expand all files Collapse all files

43
salt/strelka/filecheck/filecheck
View File

@@ -31,14 +31,21 @@ extract_path = cfg["filecheck"]["extract_path"]
historypath = cfg["filecheck"]["historypath"]
strelkapath = cfg["filecheck"]["strelkapath"]
logfile = cfg["filecheck"]["logfile"]
recycle_secs = cfg["filecheck"].get("recycle_secs", 300)
logging.basicConfig(filename=logfile, filemode='w', format='%(asctime)s - %(message)s', datefmt='%d-%b-%y %H:%M:%S', level=logging.INFO)
def checkexisting():
for file in os.listdir(extract_path):
filename = os.path.join(extract_path, file)
logging.info("Processing existing file " + filename)
checksum(filename)
for root, dirs, files in os.walk(extract_path):
for file in files:
try:
path = os.path.join(root, file)
filename = os.path.join(extract_path, path)
if os.path.isfile(filename):
logging.info("Processing existing file: " + filename)
checksum(filename)
except Exception as err:
logging.error("Failed to process file: " + file)
def checksum(filename):
with open(filename, 'rb') as afile:
@@ -67,24 +74,32 @@ def process(filename, hizash):
class CreatedEventHandler(FileSystemEventHandler):
def on_created(self, event):
filename = event.src_path
logging.info("Found new file")
logging.info("Found new file: " + filename)
checksum(filename)
if __name__ == "__main__":
logging.info("Starting filecheck")
checkexisting()
event_handler =CreatedEventHandler()
event_handler =CreatedEventHandler()
observer = Observer()
logging.info("Starting filecheck")
observer.schedule(event_handler, extract_path, recursive=True)
observer.start()
try:
while True:
time.sleep(1)
except KeyboardInterrupt:
shutdown = False
while not shutdown:
logging.info("Scheduling observer")
observer.schedule(event_handler, extract_path, recursive=True)
observer.start()
try:
time.sleep(recycle_secs)
except KeyboardInterrupt:
logging.warn("User requested shutdown")
shutdown = True
observer.stop()
observer.join()
observer.join()
if not shutdown:
logging.info("Recycling observer to pick up new subdirectories")
logging.info("Exiting filecheck")

20
salt/strelka/init.sls
View File

@@ -24,6 +24,15 @@
{% import_yaml 'strelka/defaults.yaml' as strelka_config with context %}
{% set IGNORELIST = salt['pillar.get']('strelka:ignore', strelka_config.strelka.ignore, merge=True, merge_nested_lists=True) %}
{% if ENGINE == "SURICATA" %}
{% set filecheck_runas = 'suricata' %}
{% set filecheck_groupid = 940 %}
{% else %}
{% set filecheck_runas = 'socore' %}
{% set filecheck_groupid = 939 %}
{% endif %}
{% if grains['os'] != 'CentOS' %}
strelkapkgs:
pkg.installed:
@@ -124,7 +133,8 @@ strelkaunprocessed:
file.directory:
- name: /nsm/strelka/unprocessed
- user: 939
- group: 939
- group: {{ filecheck_groupid }}
- mode 775
- makedirs: True
# Check to see if Strelka frontend port is available
@@ -137,14 +147,14 @@ filecheck_logdir:
file.directory:
- name: /opt/so/log/strelka
- user: 939
- group: 939
- group: {{ filecheck_groupid }}
- makedirs: True
filecheck_history:
file.directory:
- name: /nsm/strelka/history
- user: 939
- group: 939
- group: {{ filecheck_groupid }}
- makedirs: True
filecheck_conf:
@@ -158,13 +168,13 @@ filecheck_script:
- name: /opt/so/conf/strelka/filecheck
- source: salt://strelka/filecheck/filecheck
- user: 939
- group: 939
- group: {{ filecheck_groupid }}
- mode: 755
filecheck_run:
cron.present:
- name: 'ps -ef | grep filecheck | grep -v grep || python3 /opt/so/conf/strelka/filecheck >> /opt/so/log/strelka/filecheck_stdout.log 2>&1 &'
- user: socore
- user: {{ filecheck_runas }}
filcheck_history_clean:
cron.present: