diff --git a/salt/strelka/defaults.yaml b/salt/strelka/defaults.yaml index 2c3b88513..bcef0fd9b 100644 --- a/salt/strelka/defaults.yaml +++ b/salt/strelka/defaults.yaml @@ -526,10 +526,9 @@ strelka: response: log: "/var/log/strelka/strelka.log" manager: - coordinator: - addr: 'HOST:6380' - db: 0 - + coordinator: + addr: 'HOST:6380' + db: 0 rules: enabled: True repos: @@ -552,3 +551,7 @@ strelka: - gen_susp_xor.yar - gen_webshells_ext_vars.yar - configured_vulns_ext_vars.yar + filecheck: + historypath: '/nsm/strelka/history/' + strelkapath: '/nsm/strelka/unprocessed/' + logfile: '/opt/so/log/strelka/filecheck.log' diff --git a/salt/strelka/filecheck/filecheck.yaml.jinja b/salt/strelka/filecheck/filecheck.yaml.jinja index 95c5abab2..1f5453f93 100644 --- a/salt/strelka/filecheck/filecheck.yaml.jinja +++ b/salt/strelka/filecheck/filecheck.yaml.jinja @@ -1 +1,2 @@ -{{ FILECHECKCONFIG | yaml(false) }} +filecheck: + {{ FILECHECKCONFIG | yaml(false) | indent(width=2) }} diff --git a/salt/strelka/filecheck/map.jinja b/salt/strelka/filecheck/map.jinja deleted file mode 100644 index 670136b45..000000000 --- a/salt/strelka/filecheck/map.jinja +++ /dev/null @@ -1,12 +0,0 @@ -{% from 'vars/globals.map.jinja' import GLOBALS %} -{% import_yaml 'strelka/filecheck/defaults.yaml' as FILECHECKDEFAULTS %} - -{% if GLOBALS.md_engine == "SURICATA" %} -{% set extract_path = '/nsm/suricata/extracted' %} -{% set filecheck_runas = 'suricata' %} -{% else %} -{% set extract_path = '/nsm/zeek/extracted/complete' %} -{% set filecheck_runas = 'socore' %} -{% endif %} - -{% do FILECHECKDEFAULTS.filecheck.update({'extract_path': extract_path}) %} diff --git a/salt/strelka/init.sls b/salt/strelka/init.sls index f8b8262b0..bbb2bcaf6 100644 --- a/salt/strelka/init.sls +++ b/salt/strelka/init.sls 
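Review bot: The new `filecheck` map in defaults.yaml lists three paths but not `extract_path`, which `strelka/map.jinja` injects at render time from `GLOBALS.md_engine`, so the rendered filecheck config carries one more key than these defaults show; a comment above `filecheck:` such as `# extract_path is added at render time by strelka/map.jinja (depends on GLOBALS.md_engine)` would keep the two in step. `historypath` and `strelkapath` end in a trailing slash while `logfile` naturally does not — harmless if the consumer joins paths itself, but worth keeping deliberate if it concatenates strings. The `strelka/filecheck/defaults.yaml` that the deleted `filecheck/map.jinja` used to load is not removed in this diff; unless it is dropped elsewhere it becomes an unreferenced copy of these defaults that can silently drift from the values here.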
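Review bot: In filecheck.yaml.jinja the two literal spaces before `{{ FILECHECKCONFIG | yaml(false) | indent(width=2) }}` are load-bearing, because Jinja's `indent` filter leaves the first line alone by default and only indents the lines after it; a later "tidy-up" that drops them would produce a top-level mapping instead of a child of `filecheck:`. A template comment such as `{# the two leading spaces indent the first rendered line; indent(width=2) handles the rest #}` above the line would protect it. The template now supplies the `filecheck:` top-level key that the deleted `filecheck/map.jinja` previously carried inside `FILECHECKDEFAULTS`, so the rendered file should keep its old shape — worth confirming against what the filecheck script actually reads.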
@@ -9,8 +9,7 @@ {% from 'vars/globals.map.jinja' import GLOBALS %} {% from 'strelka/map.jinja' import STRELKAMERGED %} -{% from 'strelka/filecheck/map.jinja' import FILECHECKDEFAULTS %} -{% from 'strelka/filecheck/map.jinja' import filecheck_runas %} +{% from 'strelka/map.jinja' import filecheck_runas %} # Strelka config strelkaconfdir: @@ -99,7 +98,7 @@ manager_config: - defaults: MANAGERCONFIG: {{ STRELKAMERGED.config.manager }} -{% if STRELKAMERGED.rules.enabled %} +{% if STRELKAMERGED.rules.enabled %} strelkarules: file.recurse: @@ -109,7 +108,7 @@ strelkarules: - group: 939 - clean: True -{% if grains['role'] in GLOBALS.manager_roles %} +{% if grains['role'] in GLOBALS.manager_roles %} strelkarepos: file.managed: - name: /opt/so/conf/strelka/repos.txt @@ -118,8 +117,8 @@ strelkarepos: - defaults: STRELKAREPOS: {{ STRELKAMERGED.rules.repos }} -{% endif %} -{% endif %} +{% endif %} +{% endif %} strelkadatadir: file.directory: @@ -185,7 +184,7 @@ filecheck_conf: - source: salt://strelka/filecheck/filecheck.yaml.jinja - template: jinja - defaults: - FILECHECKCONFIG: {{ FILECHECKDEFAULTS }} + FILECHECKCONFIG: {{ STRELKAMERGED.filecheck }} filecheck_script: file.managed: diff --git a/salt/strelka/map.jinja b/salt/strelka/map.jinja index bf0a29a17..5df15aa59 100644 --- a/salt/strelka/map.jinja +++ b/salt/strelka/map.jinja 
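Review bot: `filecheck_runas` is imported from `strelka/map.jinja` on its own line directly after `STRELKAMERGED` is imported from the same template; a single statement, `{% from 'strelka/map.jinja' import STRELKAMERGED, filecheck_runas %}`, reads better and avoids what may be a second evaluation of the map template. The three hunks around lines 98–119 appear to be whitespace-only changes to the `if`/`endif` lines and need no further review.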
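Review bot: `FILECHECKCONFIG: {{ STRELKAMERGED.filecheck }}` renders a Python dict repr into the state's own YAML, and the `filecheck` values are now pillar-overridable through the `merge=True` lookup in map.jinja, so a path containing a single quote or newline would break parsing of `init.sls` itself rather than just the filecheck config. This is the same pattern the `MANAGERCONFIG` line above uses, so it is consistent with the file; if the state should stay robust against odd pillar values, `{{ STRELKAMERGED.filecheck | tojson }}` (Jinja 2.9+) yields flow-style YAML that is valid for any string content. The rest of the `filecheck_conf` state is outside the hunk.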
@@ -17,4 +17,14 @@ {% set manager_coordinator_port = STRELKADEFAULTS.strelka.config.manager.coordinator.addr.split(':')[1] %} {% do STRELKADEFAULTS.strelka.config.manager.coordinator.update({'addr': HOST ~ ':' ~ manager_coordinator_port}) %} +{% if GLOBALS.md_engine == "SURICATA" %} +{% set extract_path = '/nsm/suricata/extracted' %} +{% set filecheck_runas = 'suricata' %} +{% else %} +{% set extract_path = '/nsm/zeek/extracted/complete' %} +{% set filecheck_runas = 'socore' %} +{% endif %} + +{% do STRELKADEFAULTS.strelka.filecheck.update({'extract_path': extract_path}) %} + {% set STRELKAMERGED = salt['pillar.get']('strelka', STRELKADEFAULTS.strelka, merge=True) %} diff --git a/salt/strelka/soc_strelka.yaml b/salt/strelka/soc_strelka.yaml new file mode 100644 index 000000000..dbe949817 --- /dev/null +++ b/salt/strelka/soc_strelka.yaml 
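Review bot: `extract_path` is written into `STRELKADEFAULTS.strelka.filecheck` before the `pillar.get(..., merge=True)` on the last line, so a pillar value at `strelka:filecheck:extract_path` silently replaces the engine-derived directory, while `filecheck_runas`, chosen by the same `if`, has no pillar override; the two can therefore drift, leaving the watcher running as one engine's user against a directory it was not meant for or cannot read. A comment above the `do` line, such as `{# extract_path can still be overridden by pillar strelka:filecheck:extract_path; filecheck_runas cannot #}`, makes that contract explicit, and if the override is not intended the update could instead be applied to `STRELKAMERGED.filecheck` after the merge. The `GLOBALS` import this branch relies on sits outside the hunk.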
@@ -0,0 +1,589 @@ +strelka: + config: + backend: + backend: + logging_cfg: + description: Path to the Python logging configuration. + readonly: True + global: False + helpLink: strelka.html + advanced: True + limits: + max_files: + description: Number of files the backend will process before shutting down. + readonly: False + global: False + helpLink: strelka.html + time_to_live: + description: Amount of time (in seconds) that the backend will run before shutting down (0 to disable). + readonly: False + global: False + helpLink: strelka.html + max_depth: + description: Maximum depth that extracted files will be processed by the backend. + readonly: False + global: False + helpLink: strelka.html + distribution: + description: Amount of time (in seconds) that a single file can be distributed to all scanners. + readonly: False + global: False + helpLink: strelka.html + scanner: + description: Amount of time (in seconds) that a scanner can spend scanning a file (can be overridden per scanner). + readonly: False + global: False + helpLink: strelka.html + coordinator: + addr: + description: Network address of the coordinator. + readonly: False + global: False + helpLink: strelka.html + advanced: True + db: + description: Redis database of the coordinator. + readonly: False + global: False + helpLink: strelka.html + advanced: True + tasting: + mime_db: + description: Location of the MIME database used to taste files. + readonly: True + global: False + helpLink: strelka.html + advanced: True + yara_rules: + description: Location of the directory of YARA files that contains rules used to taste files. + readonly: True + global: False + helpLink: strelka.html + advanced: True + scanners: + 'ScanBase64': &scannerOptions + description: Configuration options for this scanner. 
+ readonly: False + global: False + helpLink: strelka.html + advanced: True + type: json + multiline: True + 'ScanBatch': *scannerOptions + 'ScanBzip2': *scannerOptions + 'ScanDocx': *scannerOptions + 'ScanElf': *scannerOptions + 'ScanEmail': *scannerOptions + 'ScanEntropy': *scannerOptions + 'ScanExiftool': *scannerOptions + 'ScanGif': *scannerOptions + 'ScanGzip': *scannerOptions + 'ScanHash': *scannerOptions + 'ScanHeader': *scannerOptions + 'ScanHtml': *scannerOptions + 'ScanIni': *scannerOptions + 'ScanJarManifest': *scannerOptions + 'ScanJavascript': *scannerOptions + 'ScanJpeg': *scannerOptions + 'ScanJson': *scannerOptions + 'ScanLibarchive': *scannerOptions + 'ScanLzma': *scannerOptions + 'ScanMacho': *scannerOptions + 'ScanOcr': *scannerOptions + 'ScanOle': *scannerOptions + 'ScanPdf': *scannerOptions + 'ScanPe': *scannerOptions + 'ScanPgp': *scannerOptions + 'ScanPhp': *scannerOptions + 'ScanPkcs7': *scannerOptions + 'ScanPlist': *scannerOptions + 'ScanRar': *scannerOptions + 'ScanRpm': *scannerOptions + 'ScanRtf': *scannerOptions + 'ScanRuby': *scannerOptions + 'ScanSwf': *scannerOptions + 'ScanTar': *scannerOptions + 'ScanTnef': *scannerOptions + 'ScanUpx': *scannerOptions + 'ScanUrl': *scannerOptions + 'ScanVb': *scannerOptions + 'ScanVba': *scannerOptions + 'ScanX509': *scannerOptions + 'ScanXml': *scannerOptions + 'ScanYara': *scannerOptions + 'ScanZip': *scannerOptions + 'ScanZlib': *scannerOptions + logging: + version: + description: This is an advanced option for Strelka logging. + readonly: False + global: False + helpLink: strelka.html + advanced: True + formatters: + simple: + format: + description: This is an advanced option for Strelka logging. + readonly: False + global: False + helpLink: strelka.html + advanced: True + datefmt: + description: This is an advanced option for Strelka logging. 
+ readonly: False + global: False + helpLink: strelka.html + advanced: True + handlers: + console: + class: + description: This is an advanced option for Strelka logging. + readonly: False + global: False + helpLink: strelka.html + advanced: True + formatter: + description: This is an advanced option for Strelka logging. + readonly: False + global: False + helpLink: strelka.html + advanced: True + stream: + description: This is an advanced option for Strelka logging. + readonly: False + global: False + helpLink: strelka.html + advanced: True + root: + level: + description: This is an advanced option for Strelka logging. + readonly: False + global: False + helpLink: strelka.html + advanced: True + handlers: + description: This is an advanced option for Strelka logging. + readonly: False + global: False + helpLink: strelka.html + advanced: True + loggers: + OpenSSL: + propagate: + description: This is an advanced option for Strelka logging. + readonly: False + global: False + helpLink: strelka.html + advanced: True + bs4: + propagate: + description: This is an advanced option for Strelka logging. + readonly: False + global: False + helpLink: strelka.html + advanced: True + bz2: + propagate: + description: This is an advanced option for Strelka logging. + readonly: False + global: False + helpLink: strelka.html + advanced: True + chardet: + propagate: + description: This is an advanced option for Strelka logging. + readonly: False + global: False + helpLink: strelka.html + advanced: True + docx: + propagate: + description: This is an advanced option for Strelka logging. + readonly: False + global: False + helpLink: strelka.html + advanced: True + elftools: + propagate: + description: This is an advanced option for Strelka logging. + readonly: False + global: False + helpLink: strelka.html + advanced: True + email: + propagate: + description: This is an advanced option for Strelka logging. 
+ readonly: False + global: False + helpLink: strelka.html + advanced: True + entropy: + propagate: + description: This is an advanced option for Strelka logging. + readonly: False + global: False + helpLink: strelka.html + advanced: True + esprima: + propagate: + description: This is an advanced option for Strelka logging. + readonly: False + global: False + helpLink: strelka.html + advanced: True + gzip: + propagate: + description: This is an advanced option for Strelka logging. + readonly: False + global: False + helpLink: strelka.html + advanced: True + hashlib: + propagate: + description: This is an advanced option for Strelka logging. + readonly: False + global: False + helpLink: strelka.html + advanced: True + json: + propagate: + description: This is an advanced option for Strelka logging. + readonly: False + global: False + helpLink: strelka.html + advanced: True + libarchive: + propagate: + description: This is an advanced option for Strelka logging. + readonly: False + global: False + helpLink: strelka.html + advanced: True + lxml: + propagate: + description: This is an advanced option for Strelka logging. + readonly: False + global: False + helpLink: strelka.html + advanced: True + lzma: + propagate: + description: This is an advanced option for Strelka logging. + readonly: False + global: False + helpLink: strelka.html + advanced: True + macholibre: + propagate: + description: This is an advanced option for Strelka logging. + readonly: False + global: False + helpLink: strelka.html + advanced: True + olefile: + propagate: + description: This is an advanced option for Strelka logging. + readonly: False + global: False + helpLink: strelka.html + advanced: True + oletools: + propagate: + description: This is an advanced option for Strelka logging. + readonly: False + global: False + helpLink: strelka.html + advanced: True + pdfminer: + propagate: + description: This is an advanced option for Strelka logging. 
+ readonly: False + global: False + helpLink: strelka.html + advanced: True + pefile: + propagate: + description: This is an advanced option for Strelka logging. + readonly: False + global: False + helpLink: strelka.html + advanced: True + pgpdump: + propagate: + description: This is an advanced option for Strelka logging. + readonly: False + global: False + helpLink: strelka.html + advanced: True + pygments: + propagate: + description: This is an advanced option for Strelka logging. + readonly: False + global: False + helpLink: strelka.html + advanced: True + pylzma: + propagate: + description: This is an advanced option for Strelka logging. + readonly: False + global: False + helpLink: strelka.html + advanced: True + rarfile: + propagate: + description: This is an advanced option for Strelka logging. + readonly: False + global: False + helpLink: strelka.html + advanced: True + requests: + propagate: + description: This is an advanced option for Strelka logging. + readonly: False + global: False + helpLink: strelka.html + advanced: True + rpmfile: + propagate: + description: This is an advanced option for Strelka logging. + readonly: False + global: False + helpLink: strelka.html + advanced: True + ssdeep: + propagate: + description: This is an advanced option for Strelka logging. + readonly: False + global: False + helpLink: strelka.html + advanced: True + tarfile: + propagate: + description: This is an advanced option for Strelka logging. + readonly: False + global: False + helpLink: strelka.html + advanced: True + tnefparse: + propagate: + description: This is an advanced option for Strelka logging. + readonly: False + global: False + helpLink: strelka.html + advanced: True + yara: + propagate: + description: This is an advanced option for Strelka logging. + readonly: False + global: False + helpLink: strelka.html + advanced: True + zipfile: + propagate: + description: This is an advanced option for Strelka logging. 
+ readonly: False + global: False + helpLink: strelka.html + advanced: True + zlib: + propagate: + description: This is an advanced option for Strelka logging. + readonly: False + global: False + helpLink: strelka.html + advanced: True + passwords: + description: Passwords that will be stored in the password_file used in scanner options. + readonly: False + global: False + helpLink: strelka.html + multiline: True + filestream: + conn: + server: + description: Network address of the frontend server. + readonly: False + global: False + helpLink: strelka.html + advanced: True + cert: + description: Local path to the frontend SSL server certificate. + readonly: False + global: False + helpLink: strelka.html + advanced: True + timeout: + dial: + description: Amount of time to wait for the client to dial the server. + readonly: False + global: False + helpLink: strelka.html + advanced: True + file: + description: Amount of time to wait for an individual file to complete a scan. + readonly: False + global: False + helpLink: strelka.html + advanced: True + throughput: + concurrency: + description: Number of concurrent requests to make. + readonly: False + global: False + helpLink: strelka.html + advanced: True + chunk: + description: Size of file chunks that will be sent to the frontend server. + readonly: False + global: False + helpLink: strelka.html + advanced: True + delay: + description: Artificial sleep between the submission of each chunk. + readonly: False + global: False + helpLink: strelka.html + advanced: True + files: + patterns: + description: List of glob patterns that determine which files will be sent for scanning. + readonly: False + global: False + helpLink: strelka.html + advanced: True + delete: + description: Boolean that determines if files should be deleted after being sent for scanning. 
+ readonly: False + global: False + helpLink: strelka.html + advanced: True + gatekeeper: + description: Boolean that determines if events should be pulled from the temporary event cache. + readonly: False + global: False + helpLink: strelka.html + advanced: True + processed: + description: Directory where files will be moved after being submitted for scanning. + readonly: False + global: False + helpLink: strelka.html + advanced: True + response: + report: + description: Frequency at which the frontend reports the number of files processed. + readonly: False + global: False + helpLink: strelka.html + advanced: True + delta: + description: Time value that determines how much time must pass since a file was last modified before it is sent for scanning. + readonly: False + global: False + helpLink: strelka.html + advanced: True + staging: + description: Directory where files are staged before being sent to the cluster. + readonly: False + global: False + helpLink: strelka.html + advanced: True + frontend: + server: + description: Network address of the frontend server. + readonly: False + global: False + helpLink: strelka.html + advanced: True + coordinator: + addr: + description: Network address of the coordinator. + readonly: False + global: False + helpLink: strelka.html + advanced: True + db: + description: Redis database of the coordinator. + readonly: False + global: False + helpLink: strelka.html + advanced: True + gatekeeper: + addr: + description: Network address of the gatekeeper. + readonly: False + global: False + helpLink: strelka.html + advanced: True + db: + description: Redis database of the gatekeeper. + readonly: False + global: False + helpLink: strelka.html + advanced: True + ttl: + description: Time-to-live for events added to the gatekeeper. + readonly: False + global: False + helpLink: strelka.html + advanced: True + response: + log: + description: Location where worker scan results are logged to. 
+ readonly: False + global: False + helpLink: strelka.html + advanced: True + manager: + coordinator: + addr: + description: Network address of the coordinator. + readonly: False + global: False + helpLink: strelka.html + advanced: True + db: + description: Redis database of the coordinator. + readonly: False + global: False + helpLink: strelka.html + advanced: True + rules: + enabled: + description: Boolean that determines if yara rules sync from the Salt manager to the backend nodes. + readonly: False + global: False + helpLink: strelka.html + advanced: False + repos: + description: List of repos for so-yara-update to use to download rules. + readonly: False + global: False + helpLink: strelka.html + advanced: False + excluded: + description: List of rules to exclude so-yara-update from download and propagating to backend nodes. + readonly: False + global: False + helpLink: strelka.html + advanced: False + filecheck: + historypath: + description: The path for previously scanned files. + readonly: True + global: False + helpLink: strelka.html + advanced: True + strelkapath: + description: The path for unprocessed files. + readonly: True + global: False + helpLink: strelka.html + advanced: True + logfile: + description: The path for the filecheck log. + readonly: False + global: False + helpLink: strelka.html + advanced: True +
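Review bot: The `filecheck` section of soc_strelka.yaml documents `historypath`, `strelkapath` and `logfile` but not `extract_path`, which `strelka/map.jinja` merges into the same map and which pillar can override, so that key reaches `STRELKAMERGED.filecheck` with no description, `readonly` or `advanced` metadata; an entry with `readonly: True` (the value is derived from `GLOBALS.md_engine`) would keep the annotated schema in step with what is actually rendered. `logfile` is `readonly: False` while its two sibling paths are `readonly: True`; the filecheck process writes wherever this points, so unless operators are expected to relocate the log, `readonly: True` matches the siblings and narrows what a SOC config editor can redirect. Booleans are spelled `True`/`False` throughout, matching `defaults.yaml`, which is consistent with the repo even though `true`/`false` is the portable YAML 1.2 form.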