Merge pull request #507 from Security-Onion-Solutions/issue/90

Issue/90

files/master

@@ -61,5 +61,3 @@ peer:
 reactor:
   - 'so/fleet':
     - salt://reactor/fleet.sls
-  - 'salt/beacon/*/zeek/':
-    - salt://reactor/zeek.sls

pillar/healthcheck/eval.sls

@@ -1,5 +1,5 @@
 healthcheck:
   enabled: False
-  schedule: 60
+  schedule: 300
   checks:
     - zeek

pillar/healthcheck/sensor.sls

@@ -1,5 +1,5 @@
 healthcheck:
   enabled: False
-  schedule: 60
+  schedule: 300
   checks:
     - zeek

salt/_beacons/zeek.py

@@ -5,7 +5,7 @@ def status():
 
  cmd = "runuser -l zeek -c '/opt/zeek/bin/zeekctl status'"
  retval = __salt__['docker.run']('so-zeek', cmd)
- logging.debug('zeekctl_module: zeekctl.status retval: %s' % retval)
+ logging.info('zeekctl_module: zeekctl.status retval: %s' % retval)
 
  return retval
 
@@ -15,11 +15,11 @@ def beacon(config):
   retval = []
 
   is_enabled = __salt__['healthcheck.is_enabled']()
-  logging.debug('zeek_beacon: healthcheck_is_enabled: %s' % is_enabled)
+  logging.info('zeek_beacon: healthcheck_is_enabled: %s' % is_enabled)
 
   if is_enabled:
     zeekstatus = status().lower().split(' ')
-    logging.debug('zeek_beacon: zeekctl.status: %s' % str(zeekstatus))
+    logging.info('zeek_beacon: zeekctl.status: %s' % str(zeekstatus))
     if 'stopped' in zeekstatus or 'crashed' in zeekstatus or 'error' in zeekstatus or 'error:' in zeekstatus:
      zeek_restart = True
     else:

salt/_modules/healthcheck.py

@@ -3,7 +3,7 @@
 import logging
 import sys
 
-allowed_functions = ['is_enabled,zeek']
+allowed_functions = ['is_enabled', 'zeek']
 states_to_apply = []
 
 
@@ -65,14 +65,18 @@ def run(checks=''):
   return retval
 
 
+def send_event(tag, eventdata):
+  __salt__['event.send'](tag, eventdata[0])
+
+
 def zeek():
 
   calling_func = sys._getframe().f_back.f_code.co_name
-  logging.info('healthcheck_module: zeek function caller: %s' % calling_func)
+  logging.debug('healthcheck_module: zeek function caller: %s' % calling_func)
   retval = []
 
   retcode = __salt__['zeekctl.status'](verbose=False)
-  logging.info('healthcheck_module: zeekctl.status retcode: %i' % retcode)
+  logging.debug('healthcheck_module: zeekctl.status retcode: %i' % retcode)
   if retcode:
     zeek_restart = True
     if calling_func != 'beacon':
@@ -86,5 +90,6 @@ def zeek():
   
   retval.append({'zeek_restart': zeek_restart})
 
+  send_event('so/healthcheck/zeek', retval)
   __salt__['telegraf.send']('healthcheck zeek_restart=%s' % str(zeek_restart))
   return retval

salt/_modules/zeekctl.py

@@ -142,7 +142,7 @@ def status(verbose=True):
  retval = __salt__['docker.run']('so-zeek', cmd)
  if not verbose:
    retval = __context__['retcode']
-   logging.info('zeekctl_module: zeekctl.status_NOTVERBOSE retval: %s' % retval)
+ logging.info('zeekctl_module: zeekctl.status retval: %s' % retval)
  return retval
 
 

salt/common/grafana/grafana_dashboards/eval/eval.json

@@ -859,7 +859,7 @@
       "timeFrom": null,
       "timeRegions": [],
       "timeShift": null,
-      "title": "Zeek Restarts",
+      "title": "Zeek Restarts via Healthcheck",
       "tooltip": {
         "shared": true,
         "sort": 0,

salt/common/grafana/grafana_dashboards/forward_nodes/sensor.json

@@ -2256,7 +2256,7 @@
       "timeFrom": null,
       "timeRegions": [],
       "timeShift": null,
-      "title": "Zeek Restarts",
+      "title": "Zeek Restarts via Healthcheck",
       "tooltip": {
         "shared": true,
         "sort": 0,

salt/healthcheck/init.sls

@@ -1,9 +1,6 @@
-### This state isn't used for anything. It was written to handle healthcheck scheduling,
-### but we handle that with beacons now.
-
 {% set CHECKS = salt['pillar.get']('healthcheck:checks', {}) %}
 {% set ENABLED = salt['pillar.get']('healthcheck:enabled', False) %}
-{% set SCHEDULE = salt['pillar.get']('healthcheck:schedule', 30) %}
+{% set SCHEDULE = salt['pillar.get']('healthcheck:schedule', 300) %}
 
 {% if CHECKS and ENABLED %}
   {% set STATUS = ['present','enabled'] %}
@@ -21,7 +18,7 @@ healthcheck_schedule_{{ STATUS[0] }}:
   schedule.{{ STATUS[0] }}:
     - name: healthcheck
     - function: healthcheck.run
-    - minutes: {{ SCHEDULE }}
+    - seconds: {{ SCHEDULE }}
 
 healthcheck_schedule_{{ STATUS[1] }}:
   schedule.{{ STATUS[1] }}:

salt/reactor/zeek.sls

@@ -6,7 +6,7 @@ local = salt.client.LocalClient()
 
 def run():
   minionid = data['id']
-  zeek_restart = data['zeek_restart']
+  zeek_restart = data['data']['zeek_restart']
   
   logging.info('zeek_reactor: zeek_need_restarted:%s on:%s' % (zeek_restart, minionid))
   if zeek_restart:

salt/top.sls

@@ -37,7 +37,7 @@ base:
     - firewall
     - pcap
     - suricata
-    - salt.beacons
+    - healthcheck
     {%- if BROVER != 'SURICATA' %}
     - zeek
     {%- endif %}
@@ -60,7 +60,7 @@ base:
     - soc
     - firewall
     - idstools
-    - salt.beacons
+    - healthcheck
     {%- if FLEETMASTER or FLEETNODE %}
     - mysql
     {%- endif %}