Merge pull request #507 from Security-Onion-Solutions/issue/90
Issue/90
@@ -61,5 +61,3 @@ peer:
|
|||||||
reactor:
|
reactor:
|
||||||
- 'so/fleet':
|
- 'so/fleet':
|
||||||
- salt://reactor/fleet.sls
|
- salt://reactor/fleet.sls
|
||||||
- 'salt/beacon/*/zeek/':
|
|
||||||
- salt://reactor/zeek.sls
|
|
||||||
|
|||||||
@@ -1,5 +1,5 @@
|
|||||||
healthcheck:
|
healthcheck:
|
||||||
enabled: False
|
enabled: False
|
||||||
schedule: 60
|
schedule: 300
|
||||||
checks:
|
checks:
|
||||||
- zeek
|
- zeek
|
||||||
|
|||||||
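Review bot: `schedule: 300` carries no unit, and this PR changes the unit the value is consumed in: the healthcheck schedule state further down switches `- minutes: {{ SCHEDULE }}` to `- seconds: {{ SCHEDULE }}`, so any existing pillar override that was written as minutes now fires sixty times more often. Annotate the value where it is set, `schedule: 300  # seconds between healthcheck runs`, in this file and in the second healthcheck pillar hunk below, and call the unit change out in the PR description. The hard-coded `300` is also repeated as the `pillar.get` fallback in the schedule state, so the default lives in three places.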
@@ -1,5 +1,5 @@
|
|||||||
healthcheck:
|
healthcheck:
|
||||||
enabled: False
|
enabled: False
|
||||||
schedule: 60
|
schedule: 300
|
||||||
checks:
|
checks:
|
||||||
- zeek
|
- zeek
|
||||||
|
|||||||
@@ -5,7 +5,7 @@ def status():
|
|||||||
|
|
||||||
cmd = "runuser -l zeek -c '/opt/zeek/bin/zeekctl status'"
|
cmd = "runuser -l zeek -c '/opt/zeek/bin/zeekctl status'"
|
||||||
retval = __salt__['docker.run']('so-zeek', cmd)
|
retval = __salt__['docker.run']('so-zeek', cmd)
|
||||||
logging.debug('zeekctl_module: zeekctl.status retval: %s' % retval)
|
logging.info('zeekctl_module: zeekctl.status retval: %s' % retval)
|
||||||
|
|
||||||
return retval
|
return retval
|
||||||
|
|
||||||
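Review bot: Raising this message from debug to info writes the full `zeekctl status` output to the minion log on every poll, while the same PR lowers the healthcheck module's equivalent messages from info to debug, so the two modules end up with opposite policies for the same routine event. Pick one level for status polling (debug looks right for output that only matters when diagnosing) and hand the value to logging lazily rather than pre-formatting it: `logging.debug('zeekctl_module: zeekctl.status retval: %s', retval)`. The same flip appears in the zeek beacon hunk below (`zeek_beacon: healthcheck_is_enabled` and `zeek_beacon: zeekctl.status`) and the inverse one in the healthcheck module's `zeek()` hunk. `status()` begins before this hunk.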
@@ -15,11 +15,11 @@ def beacon(config):
|
|||||||
retval = []
|
retval = []
|
||||||
|
|
||||||
is_enabled = __salt__['healthcheck.is_enabled']()
|
is_enabled = __salt__['healthcheck.is_enabled']()
|
||||||
logging.debug('zeek_beacon: healthcheck_is_enabled: %s' % is_enabled)
|
logging.info('zeek_beacon: healthcheck_is_enabled: %s' % is_enabled)
|
||||||
|
|
||||||
if is_enabled:
|
if is_enabled:
|
||||||
zeekstatus = status().lower().split(' ')
|
zeekstatus = status().lower().split(' ')
|
||||||
logging.debug('zeek_beacon: zeekctl.status: %s' % str(zeekstatus))
|
logging.info('zeek_beacon: zeekctl.status: %s' % str(zeekstatus))
|
||||||
if 'stopped' in zeekstatus or 'crashed' in zeekstatus or 'error' in zeekstatus or 'error:' in zeekstatus:
|
if 'stopped' in zeekstatus or 'crashed' in zeekstatus or 'error' in zeekstatus or 'error:' in zeekstatus:
|
||||||
zeek_restart = True
|
zeek_restart = True
|
||||||
else:
|
else:
|
||||||
|
|||||||
@@ -3,7 +3,7 @@
|
|||||||
import logging
|
import logging
|
||||||
import sys
|
import sys
|
||||||
|
|
||||||
allowed_functions = ['is_enabled,zeek']
|
allowed_functions = ['is_enabled', 'zeek']
|
||||||
states_to_apply = []
|
states_to_apply = []
|
||||||
|
|
||||||
|
|
||||||
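Review bot: The fix is right — `['is_enabled,zeek']` was a single string, so `zeek` could never match — but the list is still a bare module-level mutable with nothing saying what it gates, and the code that consults it (`run()`, presumably) is outside this hunk. If nothing appends to it at runtime, a tuple records that it is a fixed allowlist and cannot be changed by accident: `allowed_functions = ('is_enabled', 'zeek')  # check names run() is willing to dispatch`, with the comment adjusted to what `run()` actually does with it.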
@@ -65,14 +65,18 @@ def run(checks=''):
|
|||||||
return retval
|
return retval
|
||||||
|
|
||||||
|
|
||||||
|
def send_event(tag, eventdata):
|
||||||
|
__salt__['event.send'](tag, eventdata[0])
|
||||||
|
|
||||||
|
|
||||||
def zeek():
|
def zeek():
|
||||||
|
|
||||||
calling_func = sys._getframe().f_back.f_code.co_name
|
calling_func = sys._getframe().f_back.f_code.co_name
|
||||||
logging.info('healthcheck_module: zeek function caller: %s' % calling_func)
|
logging.debug('healthcheck_module: zeek function caller: %s' % calling_func)
|
||||||
retval = []
|
retval = []
|
||||||
|
|
||||||
retcode = __salt__['zeekctl.status'](verbose=False)
|
retcode = __salt__['zeekctl.status'](verbose=False)
|
||||||
logging.info('healthcheck_module: zeekctl.status retcode: %i' % retcode)
|
logging.debug('healthcheck_module: zeekctl.status retcode: %i' % retcode)
|
||||||
if retcode:
|
if retcode:
|
||||||
zeek_restart = True
|
zeek_restart = True
|
||||||
if calling_func != 'beacon':
|
if calling_func != 'beacon':
|
||||||
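Review bot: `send_event` takes a list but forwards only `eventdata[0]`, so an empty list raises IndexError and anything after the first entry is silently dropped; the only caller in this PR builds `retval` with exactly one dict, so the list indirection buys nothing. Either make the parameter the payload itself, `def send_event(tag, eventdata): __salt__['event.send'](tag, eventdata)` and call it with `retval[0]`, or keep the signature and add a docstring stating that only the first entry is sent. The docstring should also say what `tag` must match on the master side, since an event tag with no reactor mapping is simply logged and forgotten. The `zeek()` body continues past this hunk.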
@@ -86,5 +90,6 @@ def zeek():
|
|||||||
|
|
||||||
retval.append({'zeek_restart': zeek_restart})
|
retval.append({'zeek_restart': zeek_restart})
|
||||||
|
|
||||||
|
send_event('so/healthcheck/zeek', retval)
|
||||||
__salt__['telegraf.send']('healthcheck zeek_restart=%s' % str(zeek_restart))
|
__salt__['telegraf.send']('healthcheck zeek_restart=%s' % str(zeek_restart))
|
||||||
return retval
|
return retval
|
||||||
|
|||||||
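Review bot: The event is sent on every invocation of `zeek()`, not only when a restart is needed, so each minion puts a `so/healthcheck/zeek` event on the master bus every time the schedule or beacon runs the check regardless of `zeek_restart`; if the event exists only to drive the restart reactor, guard it: `if zeek_restart: send_event('so/healthcheck/zeek', retval)`. Note also that the reactor-config hunk at the top of this PR removes the `salt/beacon/*/zeek/` → `reactor/zeek.sls` mapping and nothing visible here maps `so/healthcheck/zeek` to a reactor, so unless that mapping lives outside this diff the new event is never acted on. `zeek()` starts before this hunk.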
@@ -142,7 +142,7 @@ def status(verbose=True):
|
|||||||
retval = __salt__['docker.run']('so-zeek', cmd)
|
retval = __salt__['docker.run']('so-zeek', cmd)
|
||||||
if not verbose:
|
if not verbose:
|
||||||
retval = __context__['retcode']
|
retval = __context__['retcode']
|
||||||
logging.info('zeekctl_module: zeekctl.status_NOTVERBOSE retval: %s' % retval)
|
logging.info('zeekctl_module: zeekctl.status retval: %s' % retval)
|
||||||
return retval
|
return retval
|
||||||
|
|
||||||
|
|
||||||
|
|||||||
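Review bot: After this rename the non-verbose branch logs the same `zeekctl_module: zeekctl.status retval` text that the verbose path presumably uses, so the log no longer says whether the value printed is command output or the `__context__['retcode']` integer; keep them distinguishable and lazy, e.g. `logging.info('zeekctl_module: zeekctl.status retcode: %s', retval)`. The function also returns a different type depending on the flag (the output string, or the int retcode when `verbose=False`), and the healthcheck module in this PR relies on the int form; that deserves a docstring on `status` — its def line is before this hunk — stating both return shapes.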
@@ -859,7 +859,7 @@
|
|||||||
"timeFrom": null,
|
"timeFrom": null,
|
||||||
"timeRegions": [],
|
"timeRegions": [],
|
||||||
"timeShift": null,
|
"timeShift": null,
|
||||||
"title": "Zeek Restarts",
|
"title": "Zeek Restarts via Healthcheck",
|
||||||
"tooltip": {
|
"tooltip": {
|
||||||
"shared": true,
|
"shared": true,
|
||||||
"sort": 0,
|
"sort": 0,
|
||||||
|
|||||||
@@ -2256,7 +2256,7 @@
|
|||||||
"timeFrom": null,
|
"timeFrom": null,
|
||||||
"timeRegions": [],
|
"timeRegions": [],
|
||||||
"timeShift": null,
|
"timeShift": null,
|
||||||
"title": "Zeek Restarts",
|
"title": "Zeek Restarts via Healthcheck",
|
||||||
"tooltip": {
|
"tooltip": {
|
||||||
"shared": true,
|
"shared": true,
|
||||||
"sort": 0,
|
"sort": 0,
|
||||||
|
|||||||
@@ -1,9 +1,6 @@
|
|||||||
### This state isn't used for anything. It was written to handle healthcheck scheduling,
|
|
||||||
### but we handle that with beacons now.
|
|
||||||
|
|
||||||
{% set CHECKS = salt['pillar.get']('healthcheck:checks', {}) %}
|
{% set CHECKS = salt['pillar.get']('healthcheck:checks', {}) %}
|
||||||
{% set ENABLED = salt['pillar.get']('healthcheck:enabled', False) %}
|
{% set ENABLED = salt['pillar.get']('healthcheck:enabled', False) %}
|
||||||
{% set SCHEDULE = salt['pillar.get']('healthcheck:schedule', 30) %}
|
{% set SCHEDULE = salt['pillar.get']('healthcheck:schedule', 300) %}
|
||||||
|
|
||||||
{% if CHECKS and ENABLED %}
|
{% if CHECKS and ENABLED %}
|
||||||
{% set STATUS = ['present','enabled'] %}
|
{% set STATUS = ['present','enabled'] %}
|
||||||
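Review bot: The deleted header said this state was unused because beacons handle scheduling, yet the top.sls hunks in this PR now apply `healthcheck` in place of `salt.beacons`, and the zeek beacon edited here still polls `zeekctl status` on its own, so a reader can no longer tell whether the scheduled `healthcheck.run` and the beacon are meant to coexist. Replace the comment rather than dropping it, along the lines of `### Schedules healthcheck.run every SCHEDULE seconds when healthcheck:enabled is set (the zeek beacon is a separate path)`, worded as the intended design actually is once confirmed. The `300` fallback in `pillar.get` duplicates the default already set in both pillar files.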
@@ -21,7 +18,7 @@ healthcheck_schedule_{{ STATUS[0] }}:
|
|||||||
schedule.{{ STATUS[0] }}:
|
schedule.{{ STATUS[0] }}:
|
||||||
- name: healthcheck
|
- name: healthcheck
|
||||||
- function: healthcheck.run
|
- function: healthcheck.run
|
||||||
- minutes: {{ SCHEDULE }}
|
- seconds: {{ SCHEDULE }}
|
||||||
|
|
||||||
healthcheck_schedule_{{ STATUS[1] }}:
|
healthcheck_schedule_{{ STATUS[1] }}:
|
||||||
schedule.{{ STATUS[1] }}:
|
schedule.{{ STATUS[1] }}:
|
||||||
|
|||||||
@@ -6,7 +6,7 @@ local = salt.client.LocalClient()
|
|||||||
|
|
||||||
def run():
|
def run():
|
||||||
minionid = data['id']
|
minionid = data['id']
|
||||||
zeek_restart = data['zeek_restart']
|
zeek_restart = data['data']['zeek_restart']
|
||||||
|
|
||||||
logging.info('zeek_reactor: zeek_need_restarted:%s on:%s' % (zeek_restart, minionid))
|
logging.info('zeek_reactor: zeek_need_restarted:%s on:%s' % (zeek_restart, minionid))
|
||||||
if zeek_restart:
|
if zeek_restart:
|
||||||
|
|||||||
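Review bot: `data['data']['zeek_restart']` raises KeyError inside the reactor for any event on this tag whose payload lacks the key, and an exception in a reactor is easy to miss; read it defensively: `zeek_restart = data.get('data', {}).get('zeek_restart', False)`. The payload is minion-supplied, so whatever action follows the `if zeek_restart:` branch should stay scoped to `minionid` — that code is outside this hunk, so I cannot confirm it here. `run()` continues past the hunk.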
@@ -37,7 +37,7 @@ base:
|
|||||||
- firewall
|
- firewall
|
||||||
- pcap
|
- pcap
|
||||||
- suricata
|
- suricata
|
||||||
- salt.beacons
|
- healthcheck
|
||||||
{%- if BROVER != 'SURICATA' %}
|
{%- if BROVER != 'SURICATA' %}
|
||||||
- zeek
|
- zeek
|
||||||
{%- endif %}
|
{%- endif %}
|
||||||
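Review bot: Swapping `- salt.beacons` for `- healthcheck` here and in the second `base:` hunk below removes `salt.beacons` from the highstate for both roles; the zeek beacon modified in this PR is presumably deployed by that state, so unless `healthcheck` includes it or the beacon is configured elsewhere, the beacon changes in this PR would no longer reach minions. A short comment on the entry, `- healthcheck  # replaces salt.beacons; schedules healthcheck.run`, would make the intent explicit for the next reader.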
@@ -60,7 +60,7 @@ base:
|
|||||||
- soc
|
- soc
|
||||||
- firewall
|
- firewall
|
||||||
- idstools
|
- idstools
|
||||||
- salt.beacons
|
- healthcheck
|
||||||
{%- if FLEETMASTER or FLEETNODE %}
|
{%- if FLEETMASTER or FLEETNODE %}
|
||||||
- mysql
|
- mysql
|
||||||
{%- endif %}
|
{%- endif %}
|
||||||
|
|||||||