Merge pull request #12337 from Security-Onion-Solutions/salt3006.6v2

Salt3006.6v2

files/salt/master/master

@@ -41,7 +41,7 @@ file_roots:
   base:
     - /opt/so/saltstack/local/salt
     - /opt/so/saltstack/default/salt
-    - /opt/so/rules
+    - /opt/so/rules/nids
 
 
 # The master_roots setting configures a master-only copy of the file_roots dictionary,

salt/idstools/enabled.sls

@@ -39,7 +39,7 @@ so-idstools:
     {% endif %}
     - binds:
       - /opt/so/conf/idstools/etc:/opt/so/idstools/etc:ro
-      - /opt/so/rules/nids:/opt/so/rules/nids:rw
+      - /opt/so/rules/nids/suri:/opt/so/rules/nids/suri:rw
       - /nsm/rules/:/nsm/rules/:rw
     {% if DOCKER.containers['so-idstools'].custom_bind_mounts %}
       {% for BIND in DOCKER.containers['so-idstools'].custom_bind_mounts %}

salt/idstools/etc/rulecat.conf

@@ -1,10 +1,10 @@
 {%- from 'vars/globals.map.jinja' import GLOBALS -%}
 {%- from 'idstools/map.jinja' import IDSTOOLSMERGED -%}
---merged=/opt/so/rules/nids/all.rules
+--merged=/opt/so/rules/nids/suri/all.rules
---local=/opt/so/rules/nids/local.rules
+--local=/opt/so/rules/nids/suri/local.rules
 {%-   if GLOBALS.md_engine == "SURICATA" %}
---local=/opt/so/rules/nids/extraction.rules
+--local=/opt/so/rules/nids/suri/extraction.rules
---local=/opt/so/rules/nids/filters.rules
+--local=/opt/so/rules/nids/suri/filters.rules
 {%-   endif %}
 --url=http://{{ GLOBALS.manager }}:7788/suricata/emerging-all.rules
 --disable=/opt/so/idstools/etc/disable.conf

salt/idstools/sync_files.sls

@@ -21,7 +21,7 @@ idstoolsetcsync:
 
 rulesdir:
   file.directory:
-    - name: /opt/so/rules/nids
+    - name: /opt/so/rules/nids/suri
     - user: 939
     - group: 939
     - makedirs: True
@@ -29,7 +29,7 @@ rulesdir:
 # Don't show changes because all.rules can be large
 synclocalnidsrules:
   file.recurse:
-    - name: /opt/so/rules/nids/
+    - name: /opt/so/rules/nids/suri/
     - source: salt://idstools/rules/
     - user: 939
     - group: 939

salt/manager/tools/sbin/soup

@@ -605,7 +605,11 @@ up_to_2.4.50() {
   # post upgrade changes. POSTVERSION set to INSTALLEDVERSION at start of soup
   cp -v /etc/salt/master "/etc/salt/master.so-$POSTVERSION.bak"
   echo "Adding /opt/so/rules to file_roots in /etc/salt/master using so-yaml"
-  so-yaml.py append /etc/salt/master file_roots.base /opt/so/rules
+  so-yaml.py append /etc/salt/master file_roots.base /opt/so/rules/nids
+  echo "Moving Suricata rules"
+  mkdir /opt/so/rules/nids/suri
+  chown socore:socore /opt/so/rules/nids/suri
+  mv -v /opt/so/rules/nids/*.rules /opt/so/rules/nids/suri/.
 
   INSTALLEDVERSION=2.4.50
 }

salt/suricata/config.sls

@@ -84,12 +84,12 @@ suridatadir:
     - mode: 770
     - makedirs: True
 
-# salt:// would resolve to /opt/so/rules because of the defined file_roots and
+# salt:// would resolve to /opt/so/rules/nids because of the defined file_roots and
-# nids not existing under /opt/so/saltstack/local/salt or /opt/so/saltstack/default/salt
+#  not existing under /opt/so/saltstack/local/salt or /opt/so/saltstack/default/salt
 surirulesync:
   file.recurse:
     - name: /opt/so/conf/suricata/rules/
-    - source: salt://nids/
+    - source: salt://suri/
     - user: 940
     - group: 940
     - show_changes: False

salt/suricata/manager.sls

@@ -13,7 +13,7 @@ ruleslink:
     - name: /opt/so/saltstack/local/salt/suricata/rules
     - user: socore
     - group: socore
-    - target: /opt/so/rules/nids
+    - target: /opt/so/rules/nids/suri
 
 refresh_salt_master_fileserver_suricata_ruleslink:
   salt.runner:
@@ -27,4 +27,4 @@ refresh_salt_master_fileserver_suricata_ruleslink:
   test.fail_without_changes:
     - name: {{sls}}_state_not_allowed
 
-{% endif %}
+{% endif %}