diff --git a/salt/strelka/filecheck/filecheck b/salt/strelka/filecheck/filecheck
index d91c75900..c6148a953 100644
--- a/salt/strelka/filecheck/filecheck
+++ b/salt/strelka/filecheck/filecheck
@@ -31,14 +31,21 @@ extract_path = cfg["filecheck"]["extract_path"]
 historypath = cfg["filecheck"]["historypath"]
 strelkapath = cfg["filecheck"]["strelkapath"]
 logfile = cfg["filecheck"]["logfile"]
+recycle_secs = cfg["filecheck"].get("recycle_secs", 300)
 logging.basicConfig(filename=logfile, filemode='w', format='%(asctime)s - %(message)s', datefmt='%d-%b-%y %H:%M:%S', level=logging.INFO)
 def checkexisting():
- for file in os.listdir(extract_path):
- filename = os.path.join(extract_path, file)
- logging.info("Processing existing file " + filename)
- checksum(filename)
+ for root, dirs, files in os.walk(extract_path):
+ for file in files:
+ try:
+ path = os.path.join(root, file)
+ filename = os.path.join(extract_path, path)
+ if os.path.isfile(filename):
+ logging.info("Processing existing file: " + filename)
+ checksum(filename)
+ except Exception as err:
+ logging.error("Failed to process file: " + file)
 def checksum(filename):
 with open(filename, 'rb') as afile:
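Review bot: The second join in checkexisting, `filename = os.path.join(extract_path, path)`, is redundant at best and wrong when extract_path is relative: `path` is already built from `root`, which os.walk yields with extract_path as its prefix, so joining again either returns `path` unchanged (absolute) or doubles the prefix (relative), after which os.path.isfile is false and the sample is silently skipped. Use `filename = os.path.join(root, file)` and drop `path`. The except branch discards `err` and logs only the basename; `logging.exception("Failed to process file: %s", filename)` keeps the traceback and the full path, which is what you need when the scanner quietly fails on a file. `dirs` is unused and can be `_dirs`.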
@@ -67,24 +74,32 @@ def process(filename, hizash):
 class CreatedEventHandler(FileSystemEventHandler):
 def on_created(self, event):
 filename = event.src_path
- logging.info("Found new file")
+ logging.info("Found new file: " + filename)
 checksum(filename)
 if __name__ == "__main__":
+ logging.info("Starting filecheck")
 checkexisting()
- event_handler =CreatedEventHandler()
+ event_handler =CreatedEventHandler()
 observer = Observer()
- logging.info("Starting filecheck")
- observer.schedule(event_handler, extract_path, recursive=True)
- observer.start()
- try:
- while True:
- time.sleep(1)
- except KeyboardInterrupt:
+ shutdown = False
+ while not shutdown:
+ logging.info("Scheduling observer")
+ observer.schedule(event_handler, extract_path, recursive=True)
+ observer.start()
+ try:
+ time.sleep(recycle_secs)
+ except KeyboardInterrupt:
+ logging.warn("User requested shutdown")
+ shutdown = True
+
 observer.stop()
- observer.join()
+ observer.join()
+
+ if not shutdown:
+ logging.info("Recycling observer to pick up new subdirectories")
 logging.info("Exiting filecheck")
diff --git a/salt/strelka/init.sls b/salt/strelka/init.sls
index 24be1852a..9e7adb57e 100644
--- a/salt/strelka/init.sls
+++ b/salt/strelka/init.sls
@@ -24,6 +24,15 @@
 {% import_yaml 'strelka/defaults.yaml' as strelka_config with context %}
 {% set IGNORELIST = salt['pillar.get']('strelka:ignore', strelka_config.strelka.ignore, merge=True, merge_nested_lists=True) %}
+{% if ENGINE == "SURICATA" %}
+ {% set filecheck_runas = 'suricata' %}
+ {% set filecheck_groupid = 940 %}
+{% else %}
+ {% set filecheck_runas = 'socore' %}
+ {% set filecheck_groupid = 939 %}
+{% endif %}
+
+
 {% if grains['os'] != 'CentOS' %}
 strelkapkgs:
 pkg.installed:
@@ -124,7 +133,8 @@ strelkaunprocessed:
 file.directory:
 - name: /nsm/strelka/unprocessed
 - user: 939
- - group: 939
+ - group: {{ filecheck_groupid }}
+ - mode 775
 - makedirs: True
 # Check to see if Strelka frontend port is available
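Review bot: The recycle loop reuses the single `observer = Observer()` created before `while not shutdown:` and calls `observer.start()` again after `observer.stop()`/`observer.join()`; a watchdog Observer is a threading.Thread subclass, and a second start() on a finished thread raises RuntimeError, so the first recycle after recycle_secs crashes the process instead of recycling. Move `observer = Observer()` inside the loop, immediately before `observer.schedule(...)`. Files created between stop() and the next start() are also never seen, because checkexisting() runs only once before the loop; if checksum() already de-duplicates against historypath (not visible in this hunk), calling `checkexisting()` after each restart closes that gap cheaply. `logging.warn` is a deprecated alias; use `logging.warning`.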
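Review bot: The two GIDs in the new conditional, 940 and 939, are bare numbers with nothing saying which group each stands for; a jinja comment on each branch, `{# suricata group #}` and `{# socore group #}`, would make the mapping reviewable, as would sourcing them from the same defaults.yaml that IGNORELIST is read from. The block depends on ENGINE being set earlier in the file, outside this hunk. The two blank lines added after `{% endif %}` are leftover whitespace.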
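Review bot: `- mode 775` under strelkaunprocessed is missing the colon: as written it is a plain string list item rather than the `mode` argument, and Salt's state compiler treats a bare string in a state's argument list as a function name, so the highstate for this ID fails (or at best the mode is never applied). Change it to `- mode: 775`. Note that with the group now `{{ filecheck_groupid }}` and group-write set, every member of that group can write into the unprocessed directory; that is the intent for the extractor on the SURICATA branch, but worth stating in a comment on the state.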
@@ -137,14 +147,14 @@ filecheck_logdir:
 file.directory:
 - name: /opt/so/log/strelka
 - user: 939
- - group: 939
+ - group: {{ filecheck_groupid }}
 - makedirs: True
 filecheck_history:
 file.directory:
 - name: /nsm/strelka/history
 - user: 939
- - group: 939
+ - group: {{ filecheck_groupid }}
 - makedirs: True
 filecheck_conf:
@@ -158,13 +168,13 @@ filecheck_script:
 - name: /opt/so/conf/strelka/filecheck
 - source: salt://strelka/filecheck/filecheck
 - user: 939
- - group: 939
+ - group: {{ filecheck_groupid }}
 - mode: 755
 filecheck_run:
 cron.present:
 - name: 'ps -ef | grep filecheck | grep -v grep || python3 /opt/so/conf/strelka/filecheck >> /opt/so/log/strelka/filecheck_stdout.log 2>&1 &'
- - user: socore
+ - user: {{ filecheck_runas }}
 filcheck_history_clean:
 cron.present:
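Review bot: filecheck_logdir and filecheck_history change only `- group: {{ filecheck_groupid }}` and keep `- user: 939` with no `mode`, yet the cron in the following hunk now runs filecheck as `{{ filecheck_runas }}`; on the SURICATA branch that user is not the owner and only reaches these directories through the group, so without a group-writable mode the logfile opened by `logging.basicConfig(..., filemode='w')`, the `filecheck_stdout.log` redirect and the history writes all fail, unless the directories already exist with a permissive mode from an earlier deployment. The unprocessed directory was given group-write in the earlier hunk; these two need the same, `- mode: 775`, for the cron user change to work. If the intent was to keep filecheck writing as socore, the alternative is to leave the cron `- user:` alone and only widen the group.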
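Review bot: Changing `- user: socore` to `- user: {{ filecheck_runas }}` on a cron.present state moves the entry to a different crontab on SURICATA minions, and cron.present does not remove the entry it previously managed in socore's crontab; after the upgrade both users carry the line, and the `ps -ef | grep filecheck` guard then decides which one wins on each tick, with the log files owned by whichever started first. Add a matching `cron.absent` for `socore` with the same `- name:`, guarded by the same ENGINE conditional, so that only one crontab carries the job. This assumes the old entry was deployed by an earlier version of this state; on a fresh install nothing is left behind.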