From 9d4e1cc1499dd6b957bee814b650bb48882857af Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Mon, 13 Mar 2023 16:48:21 -0400
Subject: [PATCH] jinja for strelka

---
 salt/manager/files/so-yara-update.jinja | 2 +-
 salt/manager/init.sls | 2 +-
 salt/strelka/defaults.yaml | 58 ++++++++++--------------
 salt/strelka/init.sls | 13 ++++--
 salt/strelka/repos.txt.jinja | 2 +
 salt/strelka/rules/ignore.txt | 4 --
 salt/strelka/rules/repos.txt | 1 -
 salt/strelka/rules/repos.txt.jinja | 4 --
 8 files changed, 36 insertions(+), 50 deletions(-)
 create mode 100644 salt/strelka/repos.txt.jinja
 delete mode 100644 salt/strelka/rules/ignore.txt
 delete mode 100644 salt/strelka/rules/repos.txt
 delete mode 100644 salt/strelka/rules/repos.txt.jinja

diff --git a/salt/manager/files/so-yara-update.jinja b/salt/manager/files/so-yara-update.jinja
index ea07f72e4..beaa97ab6 100755
--- a/salt/manager/files/so-yara-update.jinja
+++ b/salt/manager/files/so-yara-update.jinja
@@ -9,7 +9,7 @@
 echo "Starting to check for yara rule updates at $(date)..."
 output_dir="/opt/so/saltstack/default/salt/strelka/rules"
 mkdir -p $output_dir
-repos="$output_dir/repos.txt"
+repos="/opt/so/conf/strelka/repos.txt"
 newcounter=0
 excludedcounter=0
 excluded_rules=({{ EXCLUDEDRULES | join(' ') }})
diff --git a/salt/manager/init.sls b/salt/manager/init.sls
index 5f2b0005a..a360fb2c5 100644
--- a/salt/manager/init.sls
+++ b/salt/manager/init.sls
@@ -33,7 +33,7 @@ yara_update_script:
 - template: jinja
 - defaults:
 ISAIRGAP: {{ GLOBALS.airgap }}
- EXCLUDEDRULES: {{ STRELKAMERGED.excluded_rules }}
+ EXCLUDEDRULES: {{ STRELKAMERGED.rules.excluded }}
 
 strelka_yara_update:
 cron.present:
diff --git a/salt/strelka/defaults.yaml b/salt/strelka/defaults.yaml
index 12f0edda3..cdd75a22d 100644
--- a/salt/strelka/defaults.yaml
+++ b/salt/strelka/defaults.yaml
@@ -13,7 +13,7 @@ strelka:
 addr: 'HOST:6380'
 db: 0
 tasting:
- mime_db: ''
+ mime_db: null
 yara_rules: '/etc/strelka/taste/'
 scanners:
 'ScanBase64': 
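Review bot: `repos` now points at a file that a separate Salt state renders (`/opt/so/conf/strelka/repos.txt`), but nothing in the hunk checks that the file exists before the script goes on to use it; the rest of the script is outside the hunk, so whatever loop consumes `$repos` presumably sees an empty or failing read when the `strelkarepos` state has not run on this manager yet (for example while `strelka:rules:enabled` is false). I'd fail fast right after the assignment: `[ -r "$repos" ] || { echo "repos file $repos not found; nothing to update"; exit 1; }`. A comment above the assignment, `# rendered by the strelkarepos state in salt/strelka/init.sls; keep the two paths in sync`, would also stop the next path change from drifting between the two files.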
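Review bot: `mime_db` goes from `''` to `null` with no comment, and this is a behavior change rather than templating cleanup: `''` renders as an empty string while `null` becomes `None`, which a `| yaml` or `| tojson` filter in the backend template emits as `null` — the consumer (Strelka's tasting config) presumably treats the two differently, but that is not visible here and the commit message does not mention it. I'd document the intent on the line, `mime_db: null  # null: let Strelka use its built-in libmagic database — confirm against Strelka's backend.yaml`, so the next person does not "fix" it back to `''`.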
@@ -535,37 +535,25 @@ strelka: addr: 'HOST:6380' db: 0 - - - - - - - - - - - - - - - - - excluded_rules: - - apt_flame2_orchestrator.yar - - apt_tetris.yar - - gen_susp_js_obfuscatorio.yar - - gen_webshells.yar - - generic_anomalies.yar - - general_cloaking.yar - - thor_inverse_matches.yar - - yara_mixed_ext_vars.yar - - apt_apt27_hyperbro.yar - - apt_turla_gazer.yar - - gen_google_anomaly.yar - - gen_icon_anomalies.yar - - gen_nvidia_leaked_cert.yar - - gen_sign_anomalies.yar - - gen_susp_xor.yar - - gen_webshells_ext_vars.yar - - configured_vulns_ext_vars.yar + rules: + enabled: True + repos: + - https://github.com/Neo23x0/signature-base + excluded: + - apt_flame2_orchestrator.yar + - apt_tetris.yar + - gen_susp_js_obfuscatorio.yar + - gen_webshells.yar + - generic_anomalies.yar + - general_cloaking.yar + - thor_inverse_matches.yar + - yara_mixed_ext_vars.yar + - apt_apt27_hyperbro.yar + - apt_turla_gazer.yar + - gen_google_anomaly.yar + - gen_icon_anomalies.yar + - gen_nvidia_leaked_cert.yar + - gen_sign_anomalies.yar + - gen_susp_xor.yar + - gen_webshells_ext_vars.yar + - configured_vulns_ext_vars.yar diff --git a/salt/strelka/init.sls b/salt/strelka/init.sls index bec22c1fa..bded9ca70 100644 --- a/salt/strelka/init.sls +++ b/salt/strelka/init.sls @@ -7,7 +7,6 @@ {% if sls in allowed_states %} {% from 'docker/docker.map.jinja' import DOCKER %} {% from 'vars/globals.map.jinja' import GLOBALS %} -{% set STRELKA_RULES = salt['pillar.get']('strelka:rules', '1') %} {% from 'strelka/map.jinja' import STRELKAMERGED %} {% from 'strelka/filecheck/map.jinja' import FILECHECKDEFAULTS %} @@ -35,6 +34,7 @@ backend_backend_config: - template: jinja - user: 939 - group: 939 + - makedirs: True - defaults: BACKENDCONFIG: {{ STRELKAMERGED.config.backend.backend }} @@ -65,6 +65,7 @@ filestream_config: - template: jinja - user: 939 - group: 939 + - makedirs: True - defaults: FILESTREAMCONFIG: {{ STRELKAMERGED.config.filestream }} 
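Review bot: the pillar layout changes from `strelka:excluded_rules`, `strelka:repos` and a scalar `strelka:rules` to a `strelka:rules:{enabled,repos,excluded}` mapping, and defaults.yaml does not say so; an existing pillar that still sets `strelka:excluded_rules` silently loses its exclusions (so rules that were deliberately kept out of Strelka get loaded), and one that still sets the old scalar `strelka:rules: 0` now collides with this mapping in the merge — how map.jinja resolves that is not visible here. A comment above the new key would make the migration explicit, e.g. `# replaces the strelka:excluded_rules, strelka:repos and scalar strelka:rules pillar keys`, and on `repos` something like `# so-yara-update presumably pulls rules from every URL listed here; list only sources you trust`. Also `enabled: True` should be the canonical `enabled: true`; it is only read by Jinja in init.sls so it works today, but `True` is a YAML 1.1-only spelling.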
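Review bot: `makedirs: True` on `backend_backend_config` makes Salt create any missing parent directories, but the hunk shows `user: 939`/`group: 939` and no `dir_mode`, so Salt derives the directory permissions from `mode` (plus execute bits) or, if no `mode` is set, from the minion's umask — the start of the state, where a `mode` might live, is above the hunk. Since the same addition appears in the filestream, frontend and manager states, I'd set the directory permissions explicitly rather than inherit them: `- dir_mode: 750` next to `- makedirs: True`, with a comment `# parent dirs are created by makedirs; keep them closed to the strelka uid/gid`.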
@@ -75,6 +76,7 @@ frontend_config: - template: jinja - user: 939 - group: 939 + - makedirs: True - defaults: FRONTENDCONFIG: {{ STRELKAMERGED.config.frontend }} @@ -85,10 +87,11 @@ manager_config: - template: jinja - user: 939 - group: 939 + - makedirs: True - defaults: MANAGERCONFIG: {{ STRELKAMERGED.config.manager }} -{% if STRELKA_RULES == 1 %} +{% if STRELKAMERGED.rules.enabled %} strelkarules: file.recurse: @@ -101,9 +104,11 @@ strelkarules: {% if grains['role'] in GLOBALS.manager_roles %} strelkarepos: file.managed: - - name: /opt/so/saltstack/default/salt/strelka/rules/repos.txt - - source: salt://strelka/rules/repos.txt.jinja + - name: /opt/so/conf/strelka/repos.txt + - source: salt://strelka/repos.txt.jinja - template: jinja + - defaults: + STRELKAREPOS: {{ STRELKAMERGED.rules.repos }} {% endif %} {% endif %} diff --git a/salt/strelka/repos.txt.jinja b/salt/strelka/repos.txt.jinja new file mode 100644 index 000000000..043a02203 --- /dev/null +++ b/salt/strelka/repos.txt.jinja @@ -0,0 +1,2 @@ +# DO NOT EDIT THIS FILE! Strelka YARA rule repos are stored here from the strelka:rules:repos pillar section +{{ STRELKAREPOS | join('\n') }} diff --git a/salt/strelka/rules/ignore.txt b/salt/strelka/rules/ignore.txt deleted file mode 100644 index a803f8c28..000000000 --- a/salt/strelka/rules/ignore.txt +++ /dev/null @@ -1,4 +0,0 @@ -generic_anomalies.yar -general_cloaking.yar -thor_inverse_matches.yar -yara_mixed_ext_vars.yar diff --git a/salt/strelka/rules/repos.txt b/salt/strelka/rules/repos.txt deleted file mode 100644 index e26687ea9..000000000 --- a/salt/strelka/rules/repos.txt +++ /dev/null @@ -1 +0,0 @@ -https://github.com/Neo23x0/signature-base diff --git a/salt/strelka/rules/repos.txt.jinja b/salt/strelka/rules/repos.txt.jinja deleted file mode 100644 index 7d449f18d..000000000 --- a/salt/strelka/rules/repos.txt.jinja +++ /dev/null 
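Review bot: `strelkarepos` writes `/opt/so/conf/strelka/repos.txt` with no `user`, `group` or `mode` (the whole state is visible in the hunk), and unlike the four config states in this same commit it gets no `makedirs: True`, so it fails if `/opt/so/conf/strelka` does not exist yet on the manager. Because so-yara-update reads this file to decide which repositories feed YARA rules into Strelka, whoever can write it controls the rule set, so the file should be root-owned and not group/world writable. I'd add `- mode: 644` and `- makedirs: True` next to `- template: jinja`, with an explicit `- user: root` so the ownership does not depend on the minion's defaults.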
@@ -1,4 +0,0 @@
-# DO NOT EDIT THIS FILE! Strelka YARA rule repos are stored here from the strelka.repos pillar section
-{%- for repo in salt['pillar.get']('strelka:repos', {}) %}
-{{ repo }}
-{%- endfor %}