From 6cdd88808aef9332eabb562d656eb456ea33c98e Mon Sep 17 00:00:00 2001
From: DefensiveDepth
Date: Thu, 18 Sep 2025 12:07:21 -0400
Subject: [PATCH] Add local custom Playbooks

---
 salt/manager/init.sls | 1 +
 salt/soc/config.sls | 16 +++++++
 ...tections_custom_repo_template_readme.jinja | 47 +++++++++++++++++++
 3 files changed, 64 insertions(+)

diff --git a/salt/manager/init.sls b/salt/manager/init.sls
index f59c33652..0ec165db4 100644
--- a/salt/manager/init.sls
+++ b/salt/manager/init.sls
@@ -206,6 +206,7 @@ git_config_set_safe_dirs:
 - multivar:
 - /nsm/rules/custom-local-repos/local-sigma
 - /nsm/rules/custom-local-repos/local-yara
+ - /nsm/rules/custom-local-repos/local-playbooks
 - /nsm/securityonion-resources
 - /opt/so/conf/soc/ai_summary_repos/securityonion-resources
 - /nsm/airgap-resources/playbooks
diff --git a/salt/soc/config.sls b/salt/soc/config.sls
index 78a495e0a..ac07ab94b 100644
--- a/salt/soc/config.sls
+++ b/salt/soc/config.sls
@@ -249,6 +249,22 @@ add_readme_custom_local_sigma_repo_template:
 - context:
 repo_type: "sigma"

+create_custom_local_playbooks_repo_template:
+ git.present:
+ - name: /nsm/rules/custom-local-repos/local-playbooks
+ - bare: False
+ - force: True
+
+add_readme_custom_local_playbooks_repo_template:
+ file.managed:
+ - name: /nsm/rules/custom-local-repos/local-playbooks/README
+ - source: salt://soc/files/soc/detections_custom_repo_template_readme.jinja
+ - user: 939
+ - group: 939
+ - template: jinja
+ - context:
+ repo_type: "playbooks"
+
 socore_own_custom_repos:
 file.directory:
 - name: /nsm/rules/custom-local-repos/
diff --git a/salt/soc/files/soc/detections_custom_repo_template_readme.jinja b/salt/soc/files/soc/detections_custom_repo_template_readme.jinja
index 228a467bf..053286032 100644
--- a/salt/soc/files/soc/detections_custom_repo_template_readme.jinja
+++ b/salt/soc/files/soc/detections_custom_repo_template_readme.jinja
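Review bot: `add_readme_custom_local_playbooks_repo_template` in the salt/soc/config.sls hunk carries no `require` on `create_custom_local_playbooks_repo_template`, so the README write into /nsm/rules/custom-local-repos/local-playbooks depends only on declaration order in the SLS; adding `- require:` / `- git: create_custom_local_playbooks_repo_template` makes that dependency explicit and survives a later reordering. As I read git.present's `force: True`, a target directory that exists but is not a git repository is removed and re-initialised, so any playbook files an operator drops into that path before the state first runs would be lost; a one-line comment such as `# force: True re-initialises a non-repo directory; existing files there are removed` would make that visible, and the same presumably applies to the sigma/yara states above, which are outside the hunk. The README is written as uid/gid 939 but git.present runs with no `user`, so the repository's own ownership presumably relies on `socore_own_custom_repos` below recursing into it; if it does not, the "dubious ownership" condition the README warns about would affect the socore user itself, which is worth confirming. I also do not see a SOC configuration change in this patch pointing the playbook importer at the new local-playbooks path; if that lives elsewhere this is fine, otherwise the README's statement that playbooks are imported on SOC restart is ahead of the code.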
@@ -91,4 +91,51 @@ Finally, commit it:
 The next time the Elastalert / Sigma engine syncs, the new rule should be imported
 If there are errors, review the sync log to troubleshoot further.

+
+{% elif repo_type == 'playbooks' %}
+# Playbooks Local Custom Repository
+
+This folder has already been initialized as a git repo
+and your Security Onion grid is configured to import any Playbook files found here.
+
+Just add your playbook file and commit it.
+
+For example:
+
+** Note: If this is your first time making changes to this repo, you may run into the following error:
+
+fatal: detected dubious ownership in repository at '/nsm/rules/custom-local-repos/local-playbooks'
+To add an exception for this directory, call:
+ git config --global --add safe.directory /nsm/rules/custom-local-repos/local-playbooks
+
+This means that the user you are running commands as does not match the user that is used for this git repo (socore).
+You will need to make sure your playbook files are accessible to the socore user, so either su to socore
+or add the exception and then chown the playbook files later.
+
+Also, you will be asked to set some configuration:
+```
+Author identity unknown
+*** Please tell me who you are.
+Run
+ git config --global user.email "you@example.com"
+ git config --global user.name "Your Name"
+to set your account's default identity.
+Omit --global to set the identity only in this repository.
+```
+
+Run these commands, ommitting the `--global`.
+
+With that out of the way:
+
+First, create the playbook file with a .yml or .yaml extension:
+`vi my_custom_playbook.yml`
+
+Next, use git to stage the new playbook to be committed:
+`git add my_custom_playbook.yml`
+
+Finally, commit it:
+`git commit -m "Initial commit of my_custom_playbook.yml"`
+
+The next time SOC restarts, the new playbook should be imported
+If there are errors, review the SOC log to troubleshoot further.
 {% endif %}
\ No newline at end of file