From 6da2f117f215ee856fe6800ff91c94ff11cea168 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Tue, 8 Aug 2023 17:25:08 -0400
Subject: [PATCH] change which user runs filecheck cron based on md engine

---
 salt/strelka/filestream/config.sls | 30 ++++++++++++++++++++++++++----
 salt/strelka/map.jinja | 2 --
 2 files changed, 26 insertions(+), 6 deletions(-)

diff --git a/salt/strelka/filestream/config.sls b/salt/strelka/filestream/config.sls
index d4615b174..9c0ef1357 100644
--- a/salt/strelka/filestream/config.sls
+++ b/salt/strelka/filestream/config.sls
@@ -6,7 +6,7 @@
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
 {% from 'strelka/map.jinja' import STRELKAMERGED %}
-{% from 'strelka/map.jinja' import filecheck_runas %}
+{% from 'vars/globals.map.jinja' import GLOBALS %}
 include:
 - strelka.config
@@ -87,11 +87,33 @@ filecheck_restart:
 - file: filecheck_script
 - file: filecheck_conf
-filecheck_run:
+{% if GLOBALS.md_engine == 'ZEEK' %}
+
+filecheck_run_socore:
 cron.present:
 - name: 'ps -ef | grep filecheck | grep -v grep > /dev/null 2>&1 || python3 /opt/so/conf/strelka/filecheck >> /opt/so/log/strelka/filecheck_stdout.log 2>&1 &'
- - identifier: filecheck_run
- - user: {{ filecheck_runas }}
+ - identifier: filecheck_run_socore
+ - user: socore
+
+remove_filecheck_run_suricata:
+ cron.absent:
+ - identifier: filecheck_run_suricata
+ - user: suricata
+
+{% elif GLOBALS.md_engine == 'SURICATA'%}
+
+filecheck_run_suricata:
+ cron.present:
+ - name: 'ps -ef | grep filecheck | grep -v grep > /dev/null 2>&1 || python3 /opt/so/conf/strelka/filecheck >> /opt/so/log/strelka/filecheck_stdout.log 2>&1 &'
+ - identifier: filecheck_run_suricata
+ - user: suricata
+
+remove_filecheck_run_socore:
+ cron.absent:
+ - identifier: filecheck_run_socore
+ - user: socore
+
+{% endif %}
 filcheck_history_clean:
 cron.present:
diff --git a/salt/strelka/map.jinja b/salt/strelka/map.jinja
index 646f7a746..387036248 100644
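Review bot: Hosts upgraded from the previous release most likely keep the old cron entry, because the job's identifier changes from `filecheck_run` to `filecheck_run_socore`/`filecheck_run_suricata` in the second config.sls hunk while no `cron.absent` targets the legacy `filecheck_run` identifier under either user — the two `cron.absent` states added here only clean up each other's new identifiers, so the stale entry (under whichever user the old `filecheck_runas` resolved to) would sit next to the new one, and a host whose `md_engine` is neither `ZEEK` nor `SURICATA` hits neither branch and keeps whatever it had. Unconditional removals of the legacy identifier for both users, placed after the `{% endif %}` as below, close that gap; I have not verified how Salt's cron module treats an existing entry whose command matches but whose identifier differs, so please confirm on an upgraded box. As a point of style, the two `cron.present` branches differ only in user and identifier and could be one state driven by a jinja variable, and `'SURICATA'%}` is missing the space before `%}`. The enclosing `{% if sls.split('.')[0] in allowed_states %}` block opens before this hunk and closes after it.
```yaml
{% endif %}

# … unchanged: md_engine-specific filecheck_run_* / remove_filecheck_run_* states above …
remove_filecheck_run_legacy_socore:
  cron.absent:
    - identifier: filecheck_run
    - user: socore

remove_filecheck_run_legacy_suricata:
  cron.absent:
    - identifier: filecheck_run
    - user: suricata
```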
--- a/salt/strelka/map.jinja
+++ b/salt/strelka/map.jinja
@@ -24,10 +24,8 @@
 {% if GLOBALS.md_engine == "SURICATA" %}
 {% set extract_path = '/nsm/suricata/extracted' %}
-{% set filecheck_runas = 'suricata' %}
 {% else %}
 {% set extract_path = '/nsm/zeek/extracted/complete' %}
-{% set filecheck_runas = 'socore' %}
 {% endif %}
 {% do STRELKADEFAULTS.strelka.filecheck.update({'extract_path': extract_path}) %}