From 5d50dbb69ea1a3663c37e98d7fec5c062faa58aa Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Mon, 8 May 2023 10:12:32 -0400
Subject: [PATCH] enabled/disable zeek

---
 salt/allowed_states.map.jinja | 4 +---
 salt/top.sls | 10 ----------
 salt/zeek/config.map.jinja | 5 +++++
 salt/zeek/config.sls | 2 --
 salt/zeek/disabled.sls | 5 +++++
 salt/zeek/enabled.sls | 5 +++++
 salt/zeek/init.sls | 7 ++++++-
 salt/zeek/sostatus.sls | 5 +++++
 8 files changed, 27 insertions(+), 16 deletions(-)

diff --git a/salt/allowed_states.map.jinja b/salt/allowed_states.map.jinja
index 0d88fe034..5e80dfd65 100644
--- a/salt/allowed_states.map.jinja
+++ b/salt/allowed_states.map.jinja
@@ -3,8 +3,6 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 
-
-{% set ZEEKVER = salt['pillar.get']('global:mdengine', '') %}
 {% set PLAYBOOK = salt['pillar.get']('manager:playbook', '0') %}
 {% set ELASTALERT = salt['pillar.get']('elastalert:enabled', True) %}
 {% set ELASTICSEARCH = salt['pillar.get']('elasticsearch:enabled', True) %}
@@ -221,7 +219,7 @@
 {% do allowed_states.append('mysql') %}
 {% endif %}
 
- {%- if ZEEKVER != 'SURICATA' and grains.role in ['so-sensor', 'so-eval', 'so-standalone', 'so-heavynode'] %}
+ {%- if grains.role in ['so-sensor', 'so-eval', 'so-standalone', 'so-heavynode'] %}
 {% do allowed_states.append('zeek') %}
 {%- endif %}
 
diff --git a/salt/top.sls b/salt/top.sls
index 0c644d6bd..b3e4fba6c 100644
--- a/salt/top.sls
+++ b/salt/top.sls
@@ -3,8 +3,6 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 
-
-{% set ZEEKVER = salt['pillar.get']('global:mdengine', '') %}
 {% set PLAYBOOK = salt['pillar.get']('manager:playbook', '0') %}
 {% set ELASTALERT = salt['pillar.get']('elastalert:enabled', True) %}
 {% set ELASTICSEARCH = salt['pillar.get']('elasticsearch:enabled', True) %}
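Review bot: With the ZEEKVER test removed from this condition, `zeek` lands in allowed_states on every so-sensor, so-eval, so-standalone and so-heavynode minion even when the metadata engine is Suricata, so the `{% if sls.split('.')[0] in allowed_states %}` guard that zeek.enabled, zeek.disabled and zeek.sostatus rely on no longer refuses zeek.enabled on such a node; the only engine check left is the new clause in zeek/init.sls, which a direct `state.apply zeek.enabled` on that minion does not pass through. If that is the intent (presumably so that zeek.disabled can run on a Suricata-only sensor), record it with a comment above the new line, e.g. `{# 'zeek' is always allowed here; the md_engine gate that selects zeek.enabled vs zeek.disabled lives in zeek/init.sls #}`; otherwise keep an engine check in this condition as defence in depth. The four top.sls hunks that drop the same ZEEKVER guard make the identical trade and are covered by this note. The allowed_states block this condition belongs to starts outside the hunk.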
@@ -52,9 +50,7 @@ base:
 - pcap
 - suricata
 - healthcheck
- {%- if ZEEKVER != 'SURICATA' %}
 - zeek
- {%- endif %}
 {%- if STRELKA %}
 - strelka
 {%- endif %}
@@ -89,9 +85,7 @@ base:
 {%- endif %}
 - pcap
 - suricata
- {%- if ZEEKVER != 'SURICATA' %}
 - zeek
- {%- endif %}
 {%- if STRELKA %}
 - strelka
 {%- endif %}
@@ -183,9 +177,7 @@ base:
 {%- endif %}
 - pcap
 - suricata
- {%- if ZEEKVER != 'SURICATA' %}
 - zeek
- {%- endif %}
 {%- if STRELKA %}
 - strelka
 {%- endif %}
@@ -278,9 +270,7 @@ base:
 {%- endif %}
 - pcap
 - suricata
- {%- if ZEEKVER != 'SURICATA' %}
 - zeek
- {%- endif %}
 - elasticfleet.install_agent_grid
 - docker_clean
 
diff --git a/salt/zeek/config.map.jinja b/salt/zeek/config.map.jinja
index a2e68d825..58f927c11 100644
--- a/salt/zeek/config.map.jinja
+++ b/salt/zeek/config.map.jinja
@@ -1,3 +1,8 @@
+{# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+ or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+ https://securityonion.net/license; you may not use this file except in compliance with the
+ Elastic License 2.0. #}
+
 {% from 'vars/sensor.map.jinja' import ROLE_GLOBALS %}
 {% import_yaml 'zeek/defaults.yaml' as ZEEKDEFAULTS with context %}
 {% set ZEEKMERGED = salt['pillar.get']('zeek', ZEEKDEFAULTS.zeek, merge=True) %}
diff --git a/salt/zeek/config.sls b/salt/zeek/config.sls
index ab82bbc57..703da8d85 100644
--- a/salt/zeek/config.sls
+++ b/salt/zeek/config.sls
@@ -8,9 +8,7 @@
 {% from 'vars/globals.map.jinja' import GLOBALS %}
 {% from "zeek/config.map.jinja" import ZEEKMERGED %}
 
-
 {% from 'bpf/zeek.map.jinja' import ZEEKBPF %}
-
 {% set BPF_STATUS = 0 %}
 
 # Add Zeek group
diff --git a/salt/zeek/disabled.sls b/salt/zeek/disabled.sls
index 62768b265..3cc3d88b7 100644
--- a/salt/zeek/disabled.sls
+++ b/salt/zeek/disabled.sls
@@ -1,3 +1,8 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
 
diff --git a/salt/zeek/enabled.sls b/salt/zeek/enabled.sls
index 81a77fcd3..2a179a009 100644
--- a/salt/zeek/enabled.sls
+++ b/salt/zeek/enabled.sls
@@ -1,3 +1,8 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
 
diff --git a/salt/zeek/init.sls b/salt/zeek/init.sls
index f19fcef7e..b2ba36ab1 100644
--- a/salt/zeek/init.sls
+++ b/salt/zeek/init.sls
@@ -1,8 +1,13 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {% from 'vars/globals.map.jinja' import GLOBALS %}
 {% from 'zeek/config.map.jinja' import ZEEKMERGED %}
 
 include:
-{% if ZEEKMERGED.enabled and GLOBALS.role != 'so-import'%}
+{% if ZEEKMERGED.enabled and GLOBALS.role != 'so-import' and GLOBALS.md_engine != 'SURICATA' %}
 - zeek.enabled
 {% elif GLOBALS.role == 'so-import' %}
 - zeek.config
diff --git a/salt/zeek/sostatus.sls b/salt/zeek/sostatus.sls
index 15dafa8c0..3a75d217e 100644
--- a/salt/zeek/sostatus.sls
+++ b/salt/zeek/sostatus.sls
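Review bot: The added `GLOBALS.md_engine != 'SURICATA'` clause in zeek/init.sls replaces the `salt['pillar.get']('global:mdengine', '')` lookups removed from allowed_states.map.jinja and top.sls, but vars/globals.map.jinja is not part of the patch, so confirm that it exposes `md_engine` from that same pillar key and with the same upper-case value. If the attribute is missing, the comparison renders as Undefined != 'SURICATA', which is true unless the renderer is configured with a strict Undefined, and zeek.enabled would then be included silently on a Suricata-only sensor. A defensive form would be `{% if ZEEKMERGED.enabled and GLOBALS.role != 'so-import' and GLOBALS.md_engine | default('') | upper != 'SURICATA' %}`, and a short comment on that line noting that this is now the only engine gate for Zeek would help the next reader. The else branch of this include block lies outside the hunk.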
@@ -1,3 +1,8 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
 