remove steno

2026-04-26 06:27:50 +02:00 · 2026-03-06 15:45:36 -05:00
parent 7ac1e767ab
commit 71839bc87f
44 changed files with 17 additions and 565 deletions
@@ -1,22 +0,0 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-{% from 'allowed_states.map.jinja' import allowed_states %}
-{% if sls.split('.')[0] in allowed_states or sls in allowed_states%}
-
-stenoca:
-  file.directory:
-    - name: /opt/so/conf/steno/certs
-    - user: 941
-    - group: 939
-    - makedirs: True
-
-{% else %}
-
-{{sls}}_state_not_allowed:
-  test.fail_without_changes:
-    - name: {{sls}}_state_not_allowed
-
-{% endif %}
@@ -1,13 +0,0 @@
-{# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-   or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
-   https://securityonion.net/license; you may not use this file except in compliance with the
-   Elastic License 2.0. #}
-
-{% from 'vars/globals.map.jinja' import GLOBALS %}
-{% import_yaml 'pcap/defaults.yaml' as PCAPDEFAULTS %}
-{% set PCAPMERGED = salt['pillar.get']('pcap', PCAPDEFAULTS.pcap, merge=True) %}
-
-{# disable stenographer if the pcap engine is set to SURICATA #}
-{% if GLOBALS.pcap_engine == "SURICATA" %}
-{%   do PCAPMERGED.update({'enabled': False}) %}
-{% endif %}
@@ -1,87 +0,0 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-{% from 'allowed_states.map.jinja' import allowed_states %}
-{% if sls.split('.')[0] in allowed_states %}
-
-{% from 'vars/globals.map.jinja' import GLOBALS %}
-{% from "pcap/config.map.jinja" import PCAPMERGED %}
-{% from 'bpf/pcap.map.jinja' import PCAPBPF, PCAP_BPF_STATUS, PCAP_BPF_CALC, STENO_BPF_COMPILED %}
-
-# PCAP Section
-stenographergroup:
-  group.present:
-    - name: stenographer
-    - gid: 941
-
-stenographer:
-  user.present:
-    - uid: 941
-    - gid: 941
-    - home: /opt/so/conf/steno
-
-stenoconfdir:
-  file.directory:
-    - name: /opt/so/conf/steno
-    - user: 941
-    - group: 939
-    - makedirs: True
-
-pcap_sbin:
-  file.recurse:
-    - name: /usr/sbin
-    - source: salt://pcap/tools/sbin
-    - user: 939
-    - group: 939
-    - file_mode: 755
-
-{% if PCAPBPF and not PCAP_BPF_STATUS %}
-stenoPCAPbpfcompilationfailure:
-  test.configurable_test_state:
-   - changes: False
-   - result: False
-  - comment: "BPF Syntax Error - Discarding Specified BPF. Error: {{ PCAP_BPF_CALC['stderr'] }}"
-{% endif %}
-
-stenoconf:
-  file.managed:
-    - name: /opt/so/conf/steno/config
-    - source: salt://pcap/files/config.jinja
-    - user: stenographer
-    - group: stenographer
-    - mode: 644
-    - template: jinja
-    - defaults:
-        PCAPMERGED: {{ PCAPMERGED }}
-        STENO_BPF_COMPILED: "{{ STENO_BPF_COMPILED }}"
-
-pcaptmpdir:
-  file.directory:
-    - name: /nsm/pcaptmp
-    - user: 941
-    - group: 941
-    - makedirs: True
-
-pcapindexdir:
-  file.directory:
-    - name: /nsm/pcapindex
-    - user: 941
-    - group: 941
-    - makedirs: True
-
-stenolog:
-  file.directory:
-    - name: /opt/so/log/stenographer
-    - user: 941
-    - group: 941
-    - makedirs: True
-
-{% else %}
-
-{{sls}}_state_not_allowed:
-  test.fail_without_changes:
-    - name: {{sls}}_state_not_allowed
-
-{% endif %}
@@ -1,11 +0,0 @@
-pcap:
-  enabled: False
-  config:
-    maxdirectoryfiles: 30000
-    diskfreepercentage: 10
-    blocks: 2048
-    preallocate_file_mb: 4096
-    aiops: 128
-    pin_to_cpu: False
-    cpus_to_pin_to: []
-    disks: []
@@ -1,27 +0,0 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-{% from 'allowed_states.map.jinja' import allowed_states %}
-{% if sls.split('.')[0] in allowed_states %}
-
-include:
-  - pcap.sostatus
-  
-so-steno:
-  docker_container.absent:
-    - force: True
-
-so-steno_so-status.disabled:
-  file.comment:
-    - name: /opt/so/conf/so-status/so-status.conf
-    - regex: ^so-steno$
-
-{% else %}
-
-{{sls}}_state_not_allowed:
-  test.fail_without_changes:
-    - name: {{sls}}_state_not_allowed
-
-{% endif %}
@@ -1,63 +0,0 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-{% from 'allowed_states.map.jinja' import allowed_states %}
-{% if sls.split('.')[0] in allowed_states %}
-{%   from 'vars/globals.map.jinja' import GLOBALS %}
-{%   from 'docker/docker.map.jinja' import DOCKER %}
-
-
-include:
-  - pcap.ca
-  - pcap.config
-  - pcap.sostatus
-
-so-steno:
-  docker_container.running:
-    - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-steno:{{ GLOBALS.so_version }}
-    - start: True
-    - network_mode: host
-    - privileged: True
-    - binds:
-      - /opt/so/conf/steno/certs:/etc/stenographer/certs:rw
-      - /opt/so/conf/steno/config:/etc/stenographer/config:rw
-      - /nsm/pcap:/nsm/pcap:rw
-      - /nsm/pcapindex:/nsm/pcapindex:rw
-      - /nsm/pcaptmp:/tmp:rw
-      - /opt/so/log/stenographer:/var/log/stenographer:rw
-    {% if DOCKER.containers['so-steno'].custom_bind_mounts %}
-        {% for BIND in DOCKER.containers['so-steno'].custom_bind_mounts %}
-      - {{ BIND }}
-        {% endfor %}
-      {% endif %}
-    {% if DOCKER.containers['so-steno'].extra_hosts %}
-    - extra_hosts:
-      {% for XTRAHOST in DOCKER.containers['so-steno'].extra_hosts %}
-      - {{ XTRAHOST }}
-      {% endfor %}
-    {% endif %}
-    {% if DOCKER.containers['so-steno'].extra_env %}
-    - environment:
-      {% for XTRAENV in DOCKER.containers['so-steno'].extra_env %}
-      - {{ XTRAENV }}
-      {% endfor %}
-    {% endif %}
-    - watch:
-      - file: stenoconf
-    - require:
-      - file: stenoconf
-
-delete_so-steno_so-status.disabled:
-  file.uncomment:
-    - name: /opt/so/conf/so-status/so-status.conf
-    - regex: ^so-steno$
-
-{% else %}
-
-{{sls}}_state_not_allowed:
-  test.fail_without_changes:
-    - name: {{sls}}_state_not_allowed
-
-{% endif %}
@@ -1,11 +0,0 @@
-{
-  "Threads": [
-    { "PacketsDirectory": "/nsm/pcap", "IndexDirectory": "/nsm/pcapindex", "MaxDirectoryFiles": {{ PCAPMERGED.config.maxdirectoryfiles }}, "DiskFreePercentage": {{ PCAPMERGED.config.diskfreepercentage }} }
-  ]
-  , "StenotypePath": "/usr/bin/stenotype"
-  , "Interface": "{{ pillar.sensor.interface }}"
-  , "Port": 1234
-  , "Host": "127.0.0.1"
-  , "Flags": ["-v", "--blocks={{ PCAPMERGED.config.blocks }}", "--preallocate_file_mb={{ PCAPMERGED.config.preallocate_file_mb }}", "--aiops={{ PCAPMERGED.config.aiops }}", "--uid=stenographer", "--gid=stenographer"{{ STENO_BPF_COMPILED }}]
-  , "CertPath": "/etc/stenographer/certs"
-}
@@ -1,41 +0,0 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-{% from 'vars/globals.map.jinja' import GLOBALS %}
-{% from 'pcap/config.map.jinja' import PCAPMERGED %}
-
-include:
-{% if PCAPMERGED.enabled and GLOBALS.role != 'so-import'%}
-  - pcap.enabled
-{% elif GLOBALS.role == 'so-import' %}
-  - pcap.config
-  - pcap.disabled
-{% else %}
-  - pcap.disabled
-{% endif %}
-
-# This directory needs to exist regardless of whether STENO is enabled or not, in order for
-# Sensoroni to be able to look at old steno PCAP data
-
-# if stenographer has never run as the pcap engine no 941 user is created, so we use socore as a placeholder.
-# /nsm/pcap is empty until stenographer is used as pcap engine
-{% set pcap_id = 941 %}
-{% set user_list = salt['user.list_users']() %}
-{% if GLOBALS.pcap_engine == "SURICATA" and 'stenographer' not in user_list %}
-{%   set pcap_id = 939 %}
-{% endif %}
-pcapdir:
-  file.directory:
-    - name: /nsm/pcap
-    - user: {{ pcap_id }}
-    - group: {{ pcap_id }}
-    - makedirs: True
-
-pcapoutdir:
-  file.directory:
-    - name: /nsm/pcapout
-    - user: 939
-    - group: 939
-    - makedirs: True
@@ -1,35 +0,0 @@
-pcap:
-  enabled: 
-    description: Enables or disables the Stenographer packet recording process. This process may already be disabled if Suricata is being used as the packet capture process.
-    helpLink: stenographer.html
-  config:
-    maxdirectoryfiles:
-      description: By default, Stenographer limits the number of files in the pcap directory to 30000 to avoid limitations with the ext3 filesystem. However, if you're using the ext4 or xfs filesystems, then it is safe to increase this value. So if you have a large amount of storage and find that you only have 3 weeks worth of PCAP on disk while still having plenty of free space, then you may want to increase this default setting.
-      helpLink: stenographer.html
-    diskfreepercentage:
-      description: Stenographer will purge old PCAP on a regular basis to keep the disk free percentage at this level. If you have a distributed deployment with dedicated Sensor nodes, then the default value of 10 should be reasonable since Stenographer should be the main consumer of disk space in the /nsm partition. However, if you have systems that run both Stenographer and Elasticsearch at the same time (like eval and standalone installations), then you’ll want to make sure that this value is no lower than 21 so that you avoid Elasticsearch hitting its watermark setting at 80% disk usage. If you have an older standalone installation, then you may need to manually change this value to 21.
-      helpLink: stenographer.html
-    blocks:
-      description: The number of 1MB packet blocks used by Stenographer and AF_PACKET to store packets in memory, per thread. You shouldn't need to change this. 
-      advanced: True
-      helpLink: stenographer.html
-    preallocate_file_mb:
-      description: File size to pre-allocate for individual Stenographer PCAP files. You shouldn't need to change this. 
-      advanced: True
-      helpLink: stenographer.html
-    aiops:
-      description: The max number of async writes to allow for Stenographer at once.
-      advanced: True
-      helpLink: stenographer.html
-    pin_to_cpu:
-      description: Enable CPU pinning for Stenographer PCAP.
-      advanced: True
-      helpLink: stenographer.html
-    cpus_to_pin_to:
-      description: CPU to pin Stenographer PCAP to. Currently only a single CPU is supported.
-      advanced: True
-      helpLink: stenographer.html
-    disks:
-      description: List of disks to use for Stenographer PCAP. This is currently not used.
-      advanced: True
-      helpLink: stenographer.html
@@ -1,21 +0,0 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-{% from 'allowed_states.map.jinja' import allowed_states %}
-{% if sls.split('.')[0] in allowed_states %}
-
-append_so-steno_so-status.conf:
-  file.append:
-    - name: /opt/so/conf/so-status/so-status.conf
-    - text: so-steno
-    - unless: grep -q so-steno /opt/so/conf/so-status/so-status.conf
-
-{% else %}
-
-{{sls}}_state_not_allowed:
-  test.fail_without_changes:
-    - name: {{sls}}_state_not_allowed
-
-{% endif %}
@@ -1,18 +0,0 @@
-#!/bin/bash
-#
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-
-
-if [ $# -lt 2 ]; then
-  echo "Usage: $0 <steno-query> Output-Filename"
-  exit 1
-fi
-
-docker exec -t so-sensoroni scripts/stenoquery.sh "$1" -w /nsm/pcapout/$2.pcap
-
-echo ""
-echo "If successful, the output was written to: /nsm/pcapout/$2.pcap"
@@ -1,12 +0,0 @@
-#!/bin/bash
-#
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-
-
-. /usr/sbin/so-common
-
-/usr/sbin/so-restart steno $1
@@ -1,12 +0,0 @@
-#!/bin/bash
-#
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-
-
-. /usr/sbin/so-common
-
-/usr/sbin/so-start steno $1
@@ -1,12 +0,0 @@
-#!/bin/bash
-#
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-
-
-. /usr/sbin/so-common
-
-/usr/sbin/so-stop steno $1