jinja for strelka

2025-12-06 17:22:49 +01:00 · 2023-03-13 16:48:21 -04:00
parent 58343e39fa
commit 9d4e1cc149
8 changed files with 36 additions and 50 deletions
--- a/salt/manager/files/so-yara-update.jinja
+++ b/salt/manager/files/so-yara-update.jinja
@@ -9,7 +9,7 @@ echo "Starting to check for yara rule updates at $(date)..."

 output_dir="/opt/so/saltstack/default/salt/strelka/rules"
 mkdir -p $output_dir
-repos="$output_dir/repos.txt"
+repos="/opt/so/conf/strelka/repos.txt"
 newcounter=0
 excludedcounter=0
 excluded_rules=({{ EXCLUDEDRULES | join(' ') }})
--- a/salt/manager/init.sls
+++ b/salt/manager/init.sls
@@ -33,7 +33,7 @@ yara_update_script:
    - template: jinja
    - defaults:
        ISAIRGAP: {{ GLOBALS.airgap }}
-        EXCLUDEDRULES: {{ STRELKAMERGED.excluded_rules }}
+        EXCLUDEDRULES: {{ STRELKAMERGED.rules.excluded }}

 strelka_yara_update:
  cron.present:
--- a/salt/strelka/defaults.yaml
+++ b/salt/strelka/defaults.yaml
@@ -13,7 +13,7 @@ strelka:
          addr: 'HOST:6380'
          db: 0
        tasting:
-          mime_db: ''
+          mime_db: null
          yara_rules: '/etc/strelka/taste/'
        scanners:
          'ScanBase64':
@@ -535,23 +535,11 @@ strelka:
          addr: 'HOST:6380'
          db: 0

-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-        
-  excluded_rules:
+  rules:
+    enabled: True
+    repos:
+      - https://github.com/Neo23x0/signature-base
+    excluded:
      - apt_flame2_orchestrator.yar
      - apt_tetris.yar
      - gen_susp_js_obfuscatorio.yar
--- a/salt/strelka/init.sls
+++ b/salt/strelka/init.sls
@@ -7,7 +7,6 @@
 {% if sls in allowed_states %}
 {% from 'docker/docker.map.jinja' import DOCKER %}
 {% from 'vars/globals.map.jinja' import GLOBALS %}
-{% set STRELKA_RULES = salt['pillar.get']('strelka:rules', '1') %}

 {% from 'strelka/map.jinja' import STRELKAMERGED %}
 {% from 'strelka/filecheck/map.jinja' import FILECHECKDEFAULTS %}
@@ -35,6 +34,7 @@ backend_backend_config:
    - template: jinja
    - user: 939
    - group: 939
+    - makedirs: True
    - defaults:
        BACKENDCONFIG: {{ STRELKAMERGED.config.backend.backend }}

@@ -65,6 +65,7 @@ filestream_config:
    - template: jinja
    - user: 939
    - group: 939
+    - makedirs: True
    - defaults:
        FILESTREAMCONFIG: {{ STRELKAMERGED.config.filestream }}

@@ -75,6 +76,7 @@ frontend_config:
    - template: jinja
    - user: 939
    - group: 939
+    - makedirs: True
    - defaults:
        FRONTENDCONFIG: {{ STRELKAMERGED.config.frontend }}

@@ -85,10 +87,11 @@ manager_config:
    - template: jinja
    - user: 939
    - group: 939
+    - makedirs: True
    - defaults:
        MANAGERCONFIG: {{ STRELKAMERGED.config.manager }}

-{% if STRELKA_RULES == 1 %}
+{% if STRELKAMERGED.rules.enabled %}

 strelkarules:
  file.recurse:
@@ -101,9 +104,11 @@ strelkarules:
 {% if grains['role'] in GLOBALS.manager_roles %}
 strelkarepos:
  file.managed:
-    - name: /opt/so/saltstack/default/salt/strelka/rules/repos.txt
-    - source: salt://strelka/rules/repos.txt.jinja
+    - name: /opt/so/conf/strelka/repos.txt
+    - source: salt://strelka/repos.txt.jinja
    - template: jinja
+    - defaults:
+        STRELKAREPOS: {{ STRELKAMERGED.rules.repos }}

 {% endif %}
 {% endif %}
--- a/salt/strelka/repos.txt.jinja
+++ b/salt/strelka/repos.txt.jinja
@@ -0,0 +1,2 @@
+# DO NOT EDIT THIS FILE! Strelka YARA rule repos are stored here from the strelka:rules:repos pillar section
+{{ STRELKAREPOS | join('\n') }}
--- a/salt/strelka/rules/ignore.txt
+++ b/salt/strelka/rules/ignore.txt
@@ -1,4 +0,0 @@
-generic_anomalies.yar
-general_cloaking.yar
-thor_inverse_matches.yar
-yara_mixed_ext_vars.yar
--- a/salt/strelka/rules/repos.txt
+++ b/salt/strelka/rules/repos.txt
@@ -1 +0,0 @@
-https://github.com/Neo23x0/signature-base
--- a/salt/strelka/rules/repos.txt.jinja
+++ b/salt/strelka/rules/repos.txt.jinja
@@ -1,4 +0,0 @@
-# DO NOT EDIT THIS FILE! Strelka YARA rule repos are stored here from the strelka.repos pillar section
-{%- for repo in salt['pillar.get']('strelka:repos', {}) %}
-{{ repo }}
-{%- endfor %}