Merge pull request #888 from Security-Onion-Solutions/feature/strelka_rules

Feature/strelka rules
2025-12-06 09:12:45 +01:00 · 2020-06-24 13:28:52 -04:00
parent 8bd6c067aa f5bb831edf
commit 83ed21314a
5 changed files with 33 additions and 5 deletions
--- a/salt/strelka/init.sls
+++ b/salt/strelka/init.sls
@@ -15,6 +15,7 @@
 {%- set MASTER = grains['master'] %}
 {%- set MASTERIP = salt['pillar.get']('static:masterip', '') %}
 {% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %}
+{%- set STRELKA_RULES = salt['pillar.get']('strelka:rules', '1') -%}

 # Strelka config
 strelkaconfdir:
@@ -32,6 +33,9 @@ strelkasync:
    - user: 939
    - group: 939
    - template: jinja
+    {%- if STRELKA_RULES != 1 %}
+    - exclude_pat: rules/
+    {%- endif %}

 strelkadatadir:
   file.directory:
@@ -87,7 +91,7 @@ strelka_backend:
    - image: {{ MASTER }}:5000/soshybridhunter/so-strelka-backend:{{ VERSION }}
    - binds:
      - /opt/so/conf/strelka/backend/:/etc/strelka/:ro
-      - /opt/so/conf/strelka/backend/yara:/etc/yara/:ro
+      - /opt/so/conf/strelka/rules/:/etc/yara/:ro
    - name: so-strelka-backend
    - command: strelka-backend
    - restart_policy: on-failure
--- a/salt/top.sls
+++ b/salt/top.sls
@@ -7,7 +7,7 @@
 {%- set DOMAINSTATS = salt['pillar.get']('master:domainstats', '0') -%}
 {%- set FLEETMASTER = salt['pillar.get']('static:fleet_master', False) -%}
 {%- set FLEETNODE = salt['pillar.get']('static:fleet_node', False) -%}
-{%- set STRELKA = salt['pillar.get']('static:strelka', '0') -%}
+{%- set STRELKA = salt['pillar.get']('strelka:enabled', '0') -%}


 base:
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -953,9 +953,11 @@ master_static() {
 		"  fleet_hostname: N/A"\
 		"  fleet_ip: N/A"\
 		"  sensoronikey: $SENSORONIKEY"\
-		"  strelka: $STRELKA"\
-        "  wazuh: $WAZUH"\
-		"  masterupdate: $MASTERUPDATES"\
+		"  wazuh: $WAZUH"\
+                "  masterupdate: $MASTERUPDATES"\
+		"strelka:"\
+		"  enabled: $STRELKA"\
+		"  rules: $STRELKARULES"\
 		"elastic:"\
 		"  features: False" > "$static_pillar"

--- a/setup/so-setup
+++ b/setup/so-setup
@@ -255,6 +255,9 @@ fi
 if [[ $is_master ]]; then
 	whiptail_components_adv_warning
 	whiptail_enable_components
+	if [[ $STRELKA == 1 ]]; then
+	    whiptail_strelka_rules
+	fi
 	collect_webuser_inputs
 	get_redirect
 fi
--- a/setup/so-whiptail
+++ b/setup/so-whiptail
@@ -1028,6 +1028,25 @@ whiptail_shard_count() {

 }

+whiptail_strelka_rules() {
+
+        [ -n "$TESTING" ] && return
+
+        whiptail --title "Security Onion Setup" --yesno "Do you want to enable the default YARA rules for Strelka?" 8 75
+
+        local exitstatus=$?
+
+        if [ $exitstatus == 0 ]; then
+                export STRELKARULES=1
+        else
+                local exitstatus=$?
+                whiptail_check_exitstatus $exitstatus
+                export STRELKARULES
+
+        fi
+
+}
+
 whiptail_suricata_pins() {

 	[ -n "$TESTING" ] && return