From 1be86cdf8eab220461ae0525f6d56c32eacfe543 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 29 Mar 2023 17:21:40 -0400 Subject: [PATCH 1/4] issue 10050 and issue 10062 --- salt/zeek/config.map.jinja | 15 ++++++++++++--- salt/zeek/defaults.yaml | 4 ++-- salt/zeek/files/local.zeek.jinja | 2 +- salt/zeek/files/zeekctl.cfg.jinja | 2 +- salt/zeek/init.sls | 10 +++++----- salt/zeek/soc_zeek.yaml | 4 ++-- 6 files changed, 23 insertions(+), 14 deletions(-) diff --git a/salt/zeek/config.map.jinja b/salt/zeek/config.map.jinja index 8c7d99cde..181666227 100644 --- a/salt/zeek/config.map.jinja +++ b/salt/zeek/config.map.jinja @@ -1,8 +1,17 @@ {% from 'vars/sensor.map.jinja' import ROLE_GLOBALS %} {% import_yaml 'zeek/defaults.yaml' as zeek_defaults with context %} -{% set zeek_pillar = salt['pillar.get']('zeek', []) %} -{% set ZEEKMERGED = salt['defaults.merge'](zeek_defaults, zeek_pillar, in_place=False) %} -{% do ZEEKMERGED.zeek.config.node.update({'interface': ROLE_GLOBALS.sensor.interface}) %} +{% set ZEEKMERGED = salt['pillar.get']('zeek', zeek_defaults.zeek, merge=True) %} +{% do ZEEKMERGED.config.node.update({'interface': ROLE_GLOBALS.sensor.interface}) %} + +{% if ZEEKMERGED.config.local.load is defined %} + {% set LOCALLOAD = ZEEKMERGED.config.local.pop('load') %} + {% do ZEEKMERGED.config.local.update({'@load': LOCALLOAD}) %} +{% endif %} + +{% if ZEEKMERGED.config.local['load-sigs'] is defined %} + {% set LOCALLOADSIGS = ZEEKMERGED.config.local.pop('load-sigs') %} + {% do ZEEKMERGED.config.local.update({'@load-sigs': LOCALLOADSIGS}) %} +{% endif %} {% set ZEEKOPTIONS = {} %} {% set ENABLED = salt['pillar.get']('zeek:enabled', True) %} diff --git a/salt/zeek/defaults.yaml b/salt/zeek/defaults.yaml index a21bf3389..d4ec7c26c 100644 --- a/salt/zeek/defaults.yaml +++ b/salt/zeek/defaults.yaml @@ -22,7 +22,7 @@ zeek: CfgDir: /opt/zeek/etc CompressLogs: 1 local: - '@load': + load: - misc/loaded-scripts - tuning/defaults - misc/capture-loss 
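Review bot: The `{% do ZEEKMERGED.config.local.update({'@load': LOCALLOAD}) %}` line silently overwrites any `@load` key that reached ZEEKMERGED from the pillar, so a pillar that still uses the quoted `'@load'` / `'@load-sigs'` spelling would lose its entries to the renamed defaults instead of being merged; I cannot see whether such pillars exist, but a guard such as `{% if ZEEKMERGED.config.local['@load'] is not defined %}` around the rename would make the migration visible rather than lossy, and the same applies to the `load-sigs` branch. A short comment above the first `if` would also help the next reader, e.g. `{# pillar/default keys 'load' and 'load-sigs' are renamed here to the '@load'/'@load-sigs' directives that local.zeek.jinja emits #}`. Note that `salt['pillar.get'](..., merge=True)` replaces list values rather than concatenating them unless `pillar_merge_lists` is enabled, so a pillar `load` list overrides the whole default list; if that is intended it belongs in the same comment.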
@@ -68,7 +68,7 @@ zeek: - zeek-plugin-profinet - zeek-spicy-wireguard - zeek-spicy-stun - '@load-sigs': + load-sigs: - frameworks/signatures/detect-windows-shells redef: - LogAscii::use_json = T; diff --git a/salt/zeek/files/local.zeek.jinja b/salt/zeek/files/local.zeek.jinja index 61f5df7d8..1cd15209a 100644 --- a/salt/zeek/files/local.zeek.jinja +++ b/salt/zeek/files/local.zeek.jinja @@ -8,4 +8,4 @@ {{ k }} {{ li }} {%- endfor %} {%- endif %} -{%- endfor %} \ No newline at end of file +{%- endfor %} diff --git a/salt/zeek/files/zeekctl.cfg.jinja b/salt/zeek/files/zeekctl.cfg.jinja index 6d28d4dbd..0a6be371c 100644 --- a/salt/zeek/files/zeekctl.cfg.jinja +++ b/salt/zeek/files/zeekctl.cfg.jinja @@ -6,4 +6,4 @@ {%- if option|lower in ALLOWEDOPTIONS %} {{ option }} = {{ ZEEKCTL[option] }} {%- endif %} -{%- endfor %} \ No newline at end of file +{%- endfor %} diff --git a/salt/zeek/init.sls b/salt/zeek/init.sls index 41103f399..71ab35e46 100644 --- a/salt/zeek/init.sls +++ b/salt/zeek/init.sls @@ -78,7 +78,7 @@ zeekpolicysync: - group: 939 - template: jinja - defaults: - FILE_EXTRACTION: {{ ZEEKMERGED.zeek.file_extraction }} + FILE_EXTRACTION: {{ ZEEKMERGED.file_extraction }} # Ensure the zeek spool tree (and state.db) ownership is correct zeekspoolownership: @@ -109,7 +109,7 @@ zeekctlcfg: - group: 939 - template: jinja - defaults: - ZEEKCTL: {{ ZEEKMERGED.zeek.config.zeekctl | tojson }} + ZEEKCTL: {{ ZEEKMERGED.config.zeekctl | tojson }} # Sync node.cfg nodecfg: @@ -120,7 +120,7 @@ nodecfg: - group: 939 - template: jinja - defaults: - NODE: {{ ZEEKMERGED.zeek.config.node }} + NODE: {{ ZEEKMERGED.config.node }} networkscfg: file.managed: @@ -130,7 +130,7 @@ networkscfg: - group: 939 - template: jinja - defaults: - NETWORKS: {{ ZEEKMERGED.zeek.config.networks }} + NETWORKS: {{ ZEEKMERGED.config.networks }} #zeekcleanscript: # file.managed: 
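Review bot: `NODE: {{ ZEEKMERGED.config.node }}` still renders the merged dict through Python's repr while the neighbouring `ZEEKCTL` default in the hunk above uses `| tojson`; the repr form (`True`, `None`, single quotes) is only accidentally valid YAML and breaks on a value containing a quote, so `NODE: {{ ZEEKMERGED.config.node | tojson }}` is the safer form for pillar-controlled data. The networkscfg hunk on the same physical line has the same pattern on its `NETWORKS:` line. The `file.managed` stanzas these defaults belong to start outside the hunks.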
@@ -198,7 +198,7 @@ localzeek: - group: 939 - template: jinja - defaults: - LOCAL: {{ ZEEKMERGED.zeek.config.local | tojson }} + LOCAL: {{ ZEEKMERGED.config.local | tojson }} so-zeek: docker_container.{{ ZEEKOPTIONS.status }}: diff --git a/salt/zeek/soc_zeek.yaml b/salt/zeek/soc_zeek.yaml index 11ad78656..46cae647a 100644 --- a/salt/zeek/soc_zeek.yaml +++ b/salt/zeek/soc_zeek.yaml @@ -5,10 +5,10 @@ zeek: helpLink: zeek.html config: local: - '@load': + load: description: List of Zeek policies to load helpLink: zeek.html - '@load-sigs': + load-sigs: description: List of Zeek signatures to load helpLink: zeek.html node: From df4bf95b93071be06d5a035ba91bfc1793daf061 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Thu, 6 Apr 2023 09:54:59 -0400 Subject: [PATCH 2/4] sort local.zeek so redef is last --- salt/zeek/files/local.zeek.jinja | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/salt/zeek/files/local.zeek.jinja b/salt/zeek/files/local.zeek.jinja index 1cd15209a..049cacd12 100644 --- a/salt/zeek/files/local.zeek.jinja +++ b/salt/zeek/files/local.zeek.jinja @@ -2,9 +2,9 @@ {%- set ALLOWEDOPTIONS = [ '@load', '@load-sigs', 'redef' ] %} -{%- for k, v in LOCAL.items() %} +{%- for k, v in LOCAL.items() | sort %} {%- if k|lower in ALLOWEDOPTIONS %} - {%- for li in v|sort %} + {%- for li in v %} {{ k }} {{ li }} {%- endfor %} {%- endif %} From 2589670755f611934f0976a943d0b5878b2ad1c8 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Thu, 6 Apr 2023 15:16:04 -0400 Subject: [PATCH 3/4] set forceType --- salt/zeek/soc_zeek.yaml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/salt/zeek/soc_zeek.yaml b/salt/zeek/soc_zeek.yaml index 46cae647a..86c48712a 100644 --- a/salt/zeek/soc_zeek.yaml +++ b/salt/zeek/soc_zeek.yaml 
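Review bot: `{%- for li in v %}` iterates the pillar value as given, so a key left empty in pillar (`load:` with no list, which YAML reads as null) raises at render time; `{%- for li in v or [] %}` keeps an empty key harmless (a plain string value would still be emitted one character per line, which only the upstream type forcing can prevent). The ordering intent from the commit title is implicit: `LOCAL.items() | sort` sorts by key, and `redef` lands last only because `@` sorts before letters, which deserves a comment on the for line such as `{# sorted by key: '@load' and '@load-sigs' precede 'redef' because '@' sorts before letters; entry order within each list is preserved #}`. Dropping `|sort` on the values means list order from pillar is now kept, which matters for `@load` dependencies and `redef` statements and is worth stating in that same comment.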
@@ -7,9 +7,16 @@ zeek: local: load: description: List of Zeek policies to load + forcedType: "[]string" helpLink: zeek.html load-sigs: description: List of Zeek signatures to load + forcedType: "[]string" + helpLink: zeek.html + redef: + description: List of Zeek variables to redefine + forcedType: "[]string" + advanced: True helpLink: zeek.html node: lb_procs: From 7c8ba04820a7a0dc2e73d290878c51baa2854b7e Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Tue, 18 Apr 2023 11:30:39 -0400 Subject: [PATCH 4/4] set file limit for zeek container --- salt/zeek/init.sls | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/zeek/init.sls b/salt/zeek/init.sls index 71ab35e46..3b8390a77 100644 --- a/salt/zeek/init.sls +++ b/salt/zeek/init.sls @@ -208,6 +208,7 @@ so-zeek: - privileged: True - ulimits: - core=0 + - nofile=1048576:1048576 - binds: - /nsm/zeek/logs:/nsm/zeek/logs:rw - /nsm/zeek/spool:/nsm/zeek/spool:rw
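Review bot: The new `redef` entry makes arbitrary Zeek `redef` statements editable from the SOC configuration, and `advanced: True` only hides the field; it does not validate or constrain what local.zeek.jinja writes verbatim into local.zeek. The description should say so, e.g. `description: List of Zeek redef statements, written verbatim to local.zeek (one entry per line)`, so an operator knows this is equivalent to editing the sensor's Zeek policy; the same caveat applies to `load` and `load-sigs`, whose entries are also emitted unchanged. Minor: `advanced: True` would read better as `advanced: true`, the canonical YAML boolean that avoids 1.1/1.2 spelling differences.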
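Review bot: `- nofile=1048576:1048576` is a hardcoded soft:hard open-file limit with no comment on why the default was insufficient or how the value was sized; 1048576 matches the usual kernel default for `fs.nr_open`, and a hard limit above that sysctl makes the container fail to start, so a host tuned lower would break here. A comment such as `# raise open-file limit for zeek workers (soft:hard); must not exceed the host's fs.nr_open` and, if the limit is expected to be tuned per sensor, sourcing it from ZEEKMERGED like the other container options would make that visible. The so-zeek state starts outside the hunk.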