From 795aa898a30edbacb3d79769d23a0c26b6ad7729 Mon Sep 17 00:00:00 2001
From: Josh Patterson
Date: Wed, 1 Jul 2026 15:12:54 -0400
Subject: [PATCH] suricata: only reload rules once the ruleset file exists

On a fresh install the surirulesync file.recurse creates .gitkeep before SOC has generated all-rulesets.rules. That change satisfied the surirulereload onchanges requisite, so the reload ran with no ruleset present, failed to stat the file, and reported the state (and install) as failed. Add an onlyif guard so the reload only runs when all-rulesets.rules exists. A .gitkeep-only sync now leaves the state a clean success (onlyif condition false); once SOC writes the ruleset, the reload fires normally.
---
 salt/suricata/enabled.sls | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/salt/suricata/enabled.sls b/salt/suricata/enabled.sls
index d9d7f32ae..bb31b2c78 100644
--- a/salt/suricata/enabled.sls
+++ b/salt/suricata/enabled.sls
@@ -65,10 +65,11 @@ so-suricata:
 - file: suriclassifications
 surirulereload:
- cmd.run:
+ cmd.run:
 - name: /usr/sbin/so-suricata-reload-rules >> /opt/so/log/suricata/reload.log 2>&1
- - onchanges:
+ - onchanges:
 - file: surirulesync
+ - onlyif: test -f /opt/so/rules/suricata/all-rulesets.rules
 - require:
 - docker_container: so-suricata
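Review bot: The new `onlyif` line encodes an ordering dependency (surirulesync can fire on .gitkeep alone before SOC has written all-rulesets.rules) that is only explained in the commit message, so a reader of enabled.sls will not know why the guard exists and may remove it as redundant; add a comment directly above it, `# Fresh-install guard: surirulesync can change on .gitkeep alone before SOC writes all-rulesets.rules; skip the reload until the ruleset exists.` One caveat worth stating in that comment as well: with the guard, a ruleset that never appears now leaves the state a silent success, so nothing in this file surfaces that Suricata is running without the generated ruleset — whether that is acceptable presumably depends on how SOC reports generation failures, which I cannot see here. The trailing context of the surirulereload state appears to extend past the end of what is shown.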