Merge pull request #10152 from Security-Onion-Solutions/issue/10050

Issue/10050

salt/zeek/config.map.jinja

@@ -1,8 +1,17 @@
 {% from 'vars/sensor.map.jinja' import ROLE_GLOBALS %}
 {% import_yaml 'zeek/defaults.yaml' as zeek_defaults with context %}
-{% set zeek_pillar = salt['pillar.get']('zeek', []) %}
+{% set ZEEKMERGED = salt['pillar.get']('zeek', zeek_defaults.zeek, merge=True) %}
-{% set ZEEKMERGED = salt['defaults.merge'](zeek_defaults, zeek_pillar, in_place=False) %}
+{% do ZEEKMERGED.config.node.update({'interface': ROLE_GLOBALS.sensor.interface}) %}
-{% do ZEEKMERGED.zeek.config.node.update({'interface': ROLE_GLOBALS.sensor.interface}) %}
+
+{% if ZEEKMERGED.config.local.load is defined %}
+  {% set LOCALLOAD = ZEEKMERGED.config.local.pop('load') %}
+  {% do ZEEKMERGED.config.local.update({'@load': LOCALLOAD}) %}
+{% endif %}
+
+{% if ZEEKMERGED.config.local['load-sigs'] is defined %}
+  {% set LOCALLOADSIGS = ZEEKMERGED.config.local.pop('load-sigs') %}
+  {% do ZEEKMERGED.config.local.update({'@load-sigs': LOCALLOADSIGS}) %}
+{% endif %}
 
 {% set ZEEKOPTIONS = {} %}
 {% set ENABLED = salt['pillar.get']('zeek:enabled', True) %}

salt/zeek/defaults.yaml

@@ -23,7 +23,7 @@ zeek:
       CompressLogs: 1
       ZeekPort: 27760
     local:
-      '@load':
+      load:
         - misc/loaded-scripts
         - tuning/defaults
         - misc/capture-loss
@@ -69,7 +69,7 @@ zeek:
         - zeek-plugin-profinet
         - zeek-spicy-wireguard
         - zeek-spicy-stun
-      '@load-sigs':
+      load-sigs:
         - frameworks/signatures/detect-windows-shells
       redef:
         - LogAscii::use_json = T;

salt/zeek/files/local.zeek.jinja

@@ -2,9 +2,9 @@
 
 {%- set ALLOWEDOPTIONS = [ '@load', '@load-sigs', 'redef' ] %}
 
-{%- for k, v in LOCAL.items() %}
+{%- for k, v in LOCAL.items() | sort %}
   {%- if k|lower in ALLOWEDOPTIONS %}
-    {%- for li in v|sort %}
+    {%- for li in v %}
 {{ k }} {{ li }}
     {%- endfor %}
   {%- endif %}

salt/zeek/init.sls

@@ -78,7 +78,7 @@ zeekpolicysync:
     - group: 939
     - template: jinja
     - defaults:
-        FILE_EXTRACTION: {{ ZEEKMERGED.zeek.file_extraction }}
+        FILE_EXTRACTION: {{ ZEEKMERGED.file_extraction }}
 
 # Ensure the zeek spool tree (and state.db) ownership is correct
 zeekspoolownership:
@@ -109,7 +109,7 @@ zeekctlcfg:
     - group: 939
     - template: jinja
     - defaults:
-        ZEEKCTL: {{ ZEEKMERGED.zeek.config.zeekctl | tojson }}
+        ZEEKCTL: {{ ZEEKMERGED.config.zeekctl | tojson }}
 
 # Sync node.cfg
 nodecfg:
@@ -120,7 +120,7 @@ nodecfg:
     - group: 939
     - template: jinja
     - defaults:
-        NODE: {{ ZEEKMERGED.zeek.config.node }}
+        NODE: {{ ZEEKMERGED.config.node }}
 
 networkscfg:
   file.managed:
@@ -130,7 +130,7 @@ networkscfg:
     - group: 939
     - template: jinja
     - defaults:
-        NETWORKS: {{ ZEEKMERGED.zeek.config.networks }}
+        NETWORKS: {{ ZEEKMERGED.config.networks }}
 
 #zeekcleanscript:
 #  file.managed:
@@ -198,7 +198,7 @@ localzeek:
     - group: 939
     - template: jinja
     - defaults:
-        LOCAL: {{ ZEEKMERGED.zeek.config.local | tojson }}
+        LOCAL: {{ ZEEKMERGED.config.local | tojson }}
 
 so-zeek:
   docker_container.{{ ZEEKOPTIONS.status }}:
@@ -208,6 +208,7 @@ so-zeek:
     - privileged: True
     - ulimits:
       - core=0
+      - nofile=1048576:1048576
     - binds:
       - /nsm/zeek/logs:/nsm/zeek/logs:rw
       - /nsm/zeek/spool:/nsm/zeek/spool:rw

salt/zeek/soc_zeek.yaml

@@ -5,11 +5,18 @@ zeek:
       helpLink: zeek.html
   config:
     local:
-      '@load':
+      load:
         description: List of Zeek policies to load
+        forcedType: "[]string"
         helpLink: zeek.html
-      '@load-sigs':
+      load-sigs:
         description: List of Zeek signatures to load
+        forcedType: "[]string"
+        helpLink: zeek.html
+      redef:
+        description: List of Zeek variables to redefine
+        forcedType: "[]string"
+        advanced: True
         helpLink: zeek.html
     node:
       lb_procs: