diff --git a/salt/idstools/config.sls b/salt/idstools/config.sls
new file mode 100644
index 000000000..94692ee9f
--- /dev/null
+++ b/salt/idstools/config.sls
@@ -0,0 +1,42 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls.split('.')[0] in allowed_states %}
+
+include:
+  - idstools.sync_files
+
+idstoolslogdir:
+  file.directory:
+    - name: /opt/so/log/idstools
+    - user: 939
+    - group: 939
+    - makedirs: True
+
+idstools_sbin:
+  file.recurse:
+    - name: /usr/sbin
+    - source: salt://idstools/tools/sbin
+    - user: 934
+    - group: 939
+    - file_mode: 755
+
+#idstools_sbin_jinja:
+#  file.recurse:
+#    - name: /usr/sbin
+#    - source: salt://idstools/tools/sbin_jinja
+#    - user: 934
+#    - group: 939
+#    - file_mode: 755
+#    - template: jinja
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+  test.fail_without_changes:
+    - name: {{sls}}_state_not_allowed
+
+{% endif %}
diff --git a/salt/idstools/defaults.yaml b/salt/idstools/defaults.yaml
index e937ebc2d..1be100cec 100644
--- a/salt/idstools/defaults.yaml
+++ b/salt/idstools/defaults.yaml
@@ -1,4 +1,5 @@
 idstools:
+  enabled: False
   config:
     urls: []
     ruleset: ETOPEN
@@ -6,4 +7,4 @@ idstools:
   sids:
     enabled: []
     disabled: []
-    modify: []
\ No newline at end of file
+    modify: []
diff --git a/salt/idstools/disabled.sls b/salt/idstools/disabled.sls
new file mode 100644
index 000000000..ab0e10d7a
--- /dev/null
+++ b/salt/idstools/disabled.sls
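Review bot: `idstools_sbin` installs the contents of `salt://idstools/tools/sbin` into `/usr/sbin` owned by uid 934 with mode 755, while enabled.sls runs `/usr/sbin/so-rule-update` from a root cron job, so any process able to act as uid 934 on the host can modify a script that root executes daily. Unless uid 934 genuinely has to own these files, `- user: root` (or at least a mode the owner cannot use to rewrite the tools) would close that gap; the block is carried over from init.sls rather than introduced here, so a follow-up may be the right place. The commented-out `idstools_sbin_jinja` block is likewise carried over as dead configuration — either drop it or put a line above it saying why it is kept, e.g. `# Kept for a templated sbin tree; intentionally not applied.`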
@@ -0,0 +1,31 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls.split('.')[0] in allowed_states %}
+
+include:
+  - idstools.sostatus
+
+so-idstools:
+  docker_container.absent:
+    - force: True
+
+so-idstools_so-status.disabled:
+  file.comment:
+    - name: /opt/so/conf/so-status/so-status.conf
+    - regex: ^so-idstools$
+
+so-rule-update:
+  cron.absent:
+    - identifier: so-rule-update
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+  test.fail_without_changes:
+    - name: {{sls}}_state_not_allowed
+
+{% endif %}
diff --git a/salt/idstools/enabled.sls b/salt/idstools/enabled.sls
new file mode 100644
index 000000000..b56d6c2e5
--- /dev/null
+++ b/salt/idstools/enabled.sls
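Review bot: `so-idstools_so-status.disabled` relies purely on include order to run after `append_so-idstools_so-status.conf` from idstools.sostatus, and `delete_so-idstools_so-status.disabled` in enabled.sls does the same; if that append state fails or the includes are reordered, `file.comment`/`file.uncomment` find no line at all and, as far as I recall Salt's behaviour, report a failure rather than a no-op. Adding `- require:` / `  - file: append_so-idstools_so-status.conf` to both states makes the dependency explicit and the failure attributable. The `cron.absent` for `so-rule-update` also omits `- user: root` while its `cron.present` counterpart in enabled.sls sets it; Salt defaults to root there, but stating it keeps the pair symmetric.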
@@ -0,0 +1,55 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls.split('.')[0] in allowed_states %}
+{% from 'docker/docker.map.jinja' import DOCKER %}
+{% from 'vars/globals.map.jinja' import GLOBALS %}
+{% set proxy = salt['pillar.get']('manager:proxy') %}
+
+include:
+  - idstools.config
+  - idstools.sostatus
+
+so-idstools:
+  docker_container.running:
+    - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-idstools:{{ GLOBALS.so_version }}
+    - hostname: so-idstools
+    - user: socore
+    - networks:
+      - sobridge:
+        - ipv4_address: {{ DOCKER.containers['so-idstools'].ip }}
+    {% if proxy %}
+    - environment:
+      - http_proxy={{ proxy }}
+      - https_proxy={{ proxy }}
+      - no_proxy={{ salt['pillar.get']('manager:no_proxy') }}
+    {% endif %}
+    - binds:
+      - /opt/so/conf/idstools/etc:/opt/so/idstools/etc:ro
+      - /opt/so/rules/nids:/opt/so/rules/nids:rw
+    - watch:
+      - file: idstoolsetcsync
+
+delete_so-idstools_so-status.disabled:
+  file.uncomment:
+    - name: /opt/so/conf/so-status/so-status.conf
+    - regex: ^so-idstools$
+
+so-rule-update:
+  cron.present:
+    - name: /usr/sbin/so-rule-update > /opt/so/log/idstools/download.log 2>&1
+    - identifier: so-rule-update
+    - user: root
+    - minute: '1'
+    - hour: '7'
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+  test.fail_without_changes:
+    - name: {{sls}}_state_not_allowed
+
+{% endif %}
diff --git a/salt/idstools/etc/rulecat.conf b/salt/idstools/etc/rulecat.conf
index fad421243..b4142632b 100644
--- a/salt/idstools/etc/rulecat.conf
+++ b/salt/idstools/etc/rulecat.conf
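Review bot: the `watch` on `file: idstoolsetcsync` references a state that is not defined in enabled.sls and is reached only transitively — enabled.sls includes idstools.config, which includes idstools.sync_files, where the state presumably lives (the old init.sls watched the same id while including only sync_files). If config.sls ever drops that include, this container state fails with an unresolvable requisite, so either include `idstools.sync_files` directly here or add a comment at the watch, `# idstoolsetcsync is defined in idstools.sync_files, pulled in via idstools.config`, so the dependency is visible.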
@@ -1,6 +1,5 @@
 {%- from 'vars/globals.map.jinja' import GLOBALS %}
-{%- import_yaml 'idstools/defaults.yaml' as IDSTOOLSDEFAULTS %}
-{%- set IDSTOOLSMERGED = salt['pillar.get']('idstools', IDSTOOLSDEFAULTS.idstools, merge=True) %}
+{%- from 'idstools/map.jinja' import IDSTOOLSMERGED %}
 {%- if GLOBALS.airgap is sameas true -%}
 --merged=/opt/so/rules/nids/all.rules
 --local=/opt/so/rules/nids/local.rules
@@ -35,4 +34,4 @@
 {%- for URL in IDSTOOLSMERGED.config.urls %}
 --url={{ URL }}
 {%- endfor %}
-{%- endif %}
\ No newline at end of file
+{%- endif %}
diff --git a/salt/idstools/init.sls b/salt/idstools/init.sls
index 7ad22e58b..ac1d51717 100644
--- a/salt/idstools/init.sls
+++ b/salt/idstools/init.sls
@@ -2,78 +2,12 @@ # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. -{% from 'allowed_states.map.jinja' import allowed_states %} -{% if sls in allowed_states %} -{% from 'docker/docker.map.jinja' import DOCKER %} -{% from 'vars/globals.map.jinja' import GLOBALS %} -{% set proxy = salt['pillar.get']('manager:proxy') %} + +{% from 'idstools/map.jinja' import IDSTOOLSMERGED %} include: - - idstools.sync_files - -# IDSTools Setup - -idstoolslogdir: - file.directory: - - name: /opt/so/log/idstools - - user: 939 - - group: 939 - - makedirs: True - -idstools_sbin: - file.recurse: - - name: /usr/sbin - - source: salt://idstools/tools/sbin - - user: 934 - - group: 939 - - file_mode: 755 - -#idstools_sbin_jinja: -# file.recurse: -# - name: /usr/sbin -# - source: salt://idstools/tools/sbin_jinja -# - user: 934 -# - group: 939 -# - file_mode: 755 -# - template: jinja - -so-rule-update: - cron.present: - - name: /usr/sbin/so-rule-update > /opt/so/log/idstools/download.log 2>&1 - - identifier: so-rule-update - - user: root - - minute: '1' - - hour: '7' - -so-idstools: - docker_container.running: - - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-idstools:{{ GLOBALS.so_version }} - - hostname: so-idstools - - user: socore - - networks: - - sobridge: - - ipv4_address: {{ DOCKER.containers['so-idstools'].ip }} - {% if proxy %} - - environment: - - http_proxy={{ proxy }} - - https_proxy={{ proxy }} - - no_proxy={{ salt['pillar.get']('manager:no_proxy') }} - {% endif %} - - binds: - - /opt/so/conf/idstools/etc:/opt/so/idstools/etc:ro - - /opt/so/rules/nids:/opt/so/rules/nids:rw - - watch: - - file: idstoolsetcsync - -append_so-idstools_so-status.conf: - file.append: - - name: /opt/so/conf/so-status/so-status.conf - - text: so-idstools - +{% if IDSTOOLSMERGED.enabled %} + - idstools.enabled {% else %} - 
-{{sls}}_state_not_allowed: -  test.fail_without_changes: -    - name: {{sls}}_state_not_allowed - -{% endif%} +  - idstools.disabled +{% endif %}
diff --git a/salt/idstools/map.jinja b/salt/idstools/map.jinja
new file mode 100644
index 000000000..97d12279b
--- /dev/null
+++ b/salt/idstools/map.jinja
@@ -0,0 +1,7 @@
+{# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+   or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+   https://securityonion.net/license; you may not use this file except in compliance with the
+   Elastic License 2.0. #}
+
+{% import_yaml 'idstools/defaults.yaml' as IDSTOOLSDEFAULTS with context %}
+{% set IDSTOOLSMERGED = salt['pillar.get']('idstools', IDSTOOLSDEFAULTS.idstools, merge=True) %}
diff --git a/salt/idstools/soc_idstools.yaml b/salt/idstools/soc_idstools.yaml
index e0ad6ba98..2147cec0e 100644
--- a/salt/idstools/soc_idstools.yaml
+++ b/salt/idstools/soc_idstools.yaml
@@ -1,4 +1,6 @@
 idstools:
+  enabled:
+    description: You can enable or disable IDSTools.
   config:
     oinkcode:
       description: Enter your registration/oink code for paid NIDS rulesets.
diff --git a/salt/idstools/sostatus.sls b/salt/idstools/sostatus.sls
new file mode 100644
index 000000000..408b10742
--- /dev/null
+++ b/salt/idstools/sostatus.sls
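Review bot: `IDSTOOLSMERGED.enabled` falls back to the new `enabled: False` in defaults.yaml, and the only place this commit sets it to True is `add_idstools_to_minion` in so-minion, which runs when a minion pillar is created; an existing manager whose pillar predates this change will, on its next highstate, take the `idstools.disabled` branch and have the container removed and the `so-rule-update` cron job deleted, so NIDS rule downloads stop without any error. Unless a pillar migration outside this diff adds the key, either default the value to True for the roles that ran idstools before, or ship the migration alongside. A comment at the branch, `# enabled defaults to False (defaults.yaml); so-minion sets it True for manager-type roles`, would also spare the next reader the cross-file hunt.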
@@ -0,0 +1,21 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls.split('.')[0] in allowed_states %}
+
+append_so-idstools_so-status.conf:
+  file.append:
+    - name: /opt/so/conf/so-status/so-status.conf
+    - text: so-idstools
+    - unless: grep -q so-idstools /opt/so/conf/so-status/so-status.conf
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+  test.fail_without_changes:
+    - name: {{sls}}_state_not_allowed
+
+{% endif %}
diff --git a/salt/manager/tools/sbin/so-minion b/salt/manager/tools/sbin/so-minion
index 8ac8207b7..be423ef2b 100755
--- a/salt/manager/tools/sbin/so-minion
+++ b/salt/manager/tools/sbin/so-minion
@@ -149,7 +149,6 @@ function add_fleet_to_minion() { " " >> $PILLARFILE } - # Add IDH Services info to the minion file function add_idh_to_minion() { printf '%s\n'\
@@ -346,6 +345,13 @@ function add_kratos_to_minion() { " " >> $PILLARFILE } +function add_idstools_to_minion() { + printf '%s\n'\ + "idstools:"\ + " enabled: True"\ + " " >> $PILLARFILE +} + function create_fleet_policy() { JSON_STRING=$( jq -n \
@@ -404,6 +410,7 @@ function createEVAL() { add_registry_to_minion add_mysql_to_minion add_kratos_to_minion + add_idstools_to_minion } function createSTANDALONE() {
@@ -424,6 +431,7 @@ function createSTANDALONE() { add_registry_to_minion add_mysql_to_minion add_kratos_to_minion + add_idstools_to_minion } function createMANAGER() {
@@ -442,6 +450,7 @@ function createMANAGER() { add_registry_to_minion add_mysql_to_minion add_kratos_to_minion + add_idstools_to_minion } function createMANAGERSEARCH() {
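Review bot: the `unless: grep -q so-idstools ...` guard on `append_so-idstools_so-status.conf` is an unanchored substring match, so it is also satisfied by the `#so-idstools` line that `file.comment` in idstools.disabled writes, and would match any other entry containing that substring should one exist. That is what stops the append/comment pair from adding a fresh line on every run of a disabled node, but nothing says so; anchoring it, `- unless: grep -qE '^#?so-idstools$' /opt/so/conf/so-status/so-status.conf`, states the intent and rules out unrelated matches. A comment above the state, `# unless must also match the commented-out form written by idstools.disabled`, would make the interaction explicit.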
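Review bot: `add_idstools_to_minion` has no header comment, unlike `add_idh_to_minion` whose `# Add IDH Services info to the minion file` line is visible in the hunk above, and it hard-codes `enabled: True` while being called only from the EVAL, STANDALONE, MANAGER, MANAGERSEARCH and IMPORT creators, so every other role keeps the new defaults.yaml value of False. A comment such as `# Enable IDSTools on manager-type minions; other roles keep the defaults.yaml value (False)` above the function would record that intent where the next role is added.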
@@ -460,6 +469,7 @@ function createMANAGERSEARCH() { add_registry_to_minion add_mysql_to_minion add_kratos_to_minion + add_idstools_to_minion } function createIMPORT() { @@ -472,6 +482,7 @@ function createIMPORT() { add_soc_to_minion add_registry_to_minion add_kratos_to_minion + add_idstools_to_minion } function createFLEET() {