diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup
index 987c599f1..257699c4e 100755
--- a/salt/manager/tools/sbin/soup
+++ b/salt/manager/tools/sbin/soup
@@ -1069,6 +1069,11 @@ update_airgap_rules() {
   rsync -a $UPDATE_DIR/agrules/securityonion-resources/* /nsm/securityonion-resources/
 }
 
+update_airgap_playbooks() {
+  # Copy the playbooks over to update them for airgap.
+  rsync -a --delete --chown=socore:socore $UPDATE_DIR/airgap-resources/playbooks/* /nsm/airgap-resources/playbooks/
+}
+
 update_airgap_repo() {
   # Update the files in the repo
   echo "Syncing new updates to /nsm/repo"
@@ -1253,6 +1258,7 @@ apply_hotfix() {
   elif [[ "$INSTALLEDVERSION" == "2.4.30" ]] ; then
     if [[ $is_airgap -eq 0 ]]; then
       update_airgap_rules
+      update_airgap_playbooks
     fi
     if [[ -f /etc/pki/managerssl.key.old ]]; then
       echo "Skipping Certificate Generation"
@@ -1418,6 +1424,8 @@ main() {
     if [[ $is_airgap -eq 0 ]]; then
       echo "Updating Rule Files to the Latest."
       update_airgap_rules
+      echo "Updating Playbooks to the Latest."
+      update_airgap_playbooks
     fi
 
     # since we don't run the backup.config_backup state on import we wont snapshot previous version states and pillars
diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml
index 24b9aaba2..66355fa24 100644
--- a/salt/soc/defaults.yaml
+++ b/salt/soc/defaults.yaml
@@ -1464,7 +1464,9 @@ soc:
           autoUpdateEnabled: true
           playbookImportFrequencySeconds: 86400
           playbookImportErrorSeconds: 600
-          playbookRepoUrl: https://github.com/Security-Onion-Solutions/securityonion-resources-playbooks
+          playbookRepoUrl:
+            default: https://github.com/Security-Onion-Solutions/securityonion-resources-playbooks
+            airgap: file:///nsm/airgap-resources/playbooks/securityonion-resources-playbooks
           playbookRepoBranch: main
           playbookRepoPath: /opt/sensoroni/playbooks/
           playbookPathInRepo: securityonion-normalized
diff --git a/salt/soc/merged.map.jinja b/salt/soc/merged.map.jinja
index 25b62683c..c950d8a60 100644
--- a/salt/soc/merged.map.jinja
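Review bot: In `update_airgap_playbooks`, the source `$UPDATE_DIR/airgap-resources/playbooks/*` is a shell glob, so `--delete` only prunes inside the top-level entries that still exist in the update bundle; a file or directory removed from the bundle at the top level is never deleted from /nsm/airgap-resources/playbooks/, which defeats the purpose of `--delete`. If the bundle lacks that directory altogether (an older update media), the unexpanded literal is handed to rsync and the call fails. Syncing the directory itself avoids both: `rsync -a --delete --chown=socore:socore "$UPDATE_DIR/airgap-resources/playbooks/" /nsm/airgap-resources/playbooks/`, preceded by `[[ -d "$UPDATE_DIR/airgap-resources/playbooks" ]] || { echo "No airgap playbooks found in update media"; return 1; }` (or `return 0` if skipping is the intended behaviour). The two later hunks in this file only add the call sites in apply_hotfix and main and inherit whichever behaviour is chosen here.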
+++ b/salt/soc/merged.map.jinja
@@ -61,6 +61,13 @@
 {% do SOCMERGED.config.server.update({'airgapEnabled': false}) %}
 {% endif %}
 
+{# set playbookRepoUrl based on airgap or not #}
+{% if GLOBALS.airgap %}
+{% do SOCMERGED.config.server.modules.playbook.update({'playbookRepoUrl': SOCMERGED.config.server.modules.playbook.playbookRepoUrl.airgap}) %}
+{% else %}
+{% do SOCMERGED.config.server.modules.playbook.update({'playbookRepoUrl': SOCMERGED.config.server.modules.playbook.playbookRepoUrl.default}) %}
+{% endif %}
+
 {# remove these modules if detections is disabled #}
 {% if not SOCMERGED.config.server.client.detectionsEnabled %}
 {% do SOCMERGED.config.server.modules.pop('elastalertengine') %}
diff --git a/setup/so-functions b/setup/so-functions
index 82dd9d375..54fb49f9f 100755
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -56,6 +56,12 @@ airgap_detection_summaries() {
   logCmd "git config --global --add safe.directory /opt/so/conf/soc/ai_summary_repos/securityonion-resources"
   logCmd "git -C /opt/so/conf/soc/ai_summary_repos/securityonion-resources checkout generated-summaries-published"
 }
+airgap_playbooks() {
+  # Copy playbooks if using airgap
+  mkdir -p /nsm/airgap-resources/playbooks
+  logCmd "rsync -av --chown=socore:socore /root/SecurityOnion/airgap-resources/playbooks/ /nsm/airgap-resources/playbooks/"
+  logCmd "git config --global --add safe.directory /nsm/airgap-resources/playbooks"
+}
 
 add_admin_user() {
   title "Adding $ADMINUSER to the system with sudo rights"
diff --git a/setup/so-setup b/setup/so-setup
index b7723da37..7f2e87c16 100755
--- a/setup/so-setup
+++ b/setup/so-setup
@@ -769,6 +769,10 @@ if ! [[ -f $install_opt_file ]]; then
     title "Syncing AI-Generated Detection Summaries"
     airgap_detection_summaries
   fi
+  if [[ $is_airgap ]]; then
+    title "Syncing Playbooks"
+    airgap_playbooks
+  fi
   title "Setting up Kibana Default Space"
   logCmd "so-kibana-space-defaults"
   add_web_user
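Review bot: The new block dereferences `playbookRepoUrl.airgap` / `playbookRepoUrl.default`, which assumes the merged value is a mapping; the same commit changes that key in salt/soc/defaults.yaml from a scalar URL to a map, so any existing pillar override that still sets `playbookRepoUrl: https://...` as a string will win the merge and make this line fail at render time rather than fall back gracefully. Wrapping the block in `{% if SOCMERGED.config.server.modules.playbook.playbookRepoUrl is mapping %}` ... `{% endif %}` keeps a legacy scalar override working as-is while still selecting the airgap/default entry from the new shape. A short comment stating the expected shape of `playbookRepoUrl` would also help whoever next edits defaults.yaml.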
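Review bot: In `airgap_playbooks`, `git config --global --add safe.directory /nsm/airgap-resources/playbooks` registers the parent directory, whereas git's safe.directory must name the repository's own top-level; defaults.yaml in this commit points SOC at `file:///nsm/airgap-resources/playbooks/securityonion-resources-playbooks`, so if that subdirectory is the actual work tree (as it is for `airgap_detection_summaries` just above, which registers the repository directory itself) the entry as written will not cover it. If so, the line should be `logCmd "git config --global --add safe.directory /nsm/airgap-resources/playbooks/securityonion-resources-playbooks"`. As a style point, `mkdir -p` is run directly while the sibling commands go through `logCmd`; routing it through `logCmd` as well keeps the setup log complete.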
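Review bot: `if [[ $is_airgap ]]; then` is a non-empty test, while the soup hunks in this same commit gate the equivalent call on `[[ $is_airgap -eq 0 ]]`; if so-setup assigns `is_airgap` a value on non-airgap installs as well (its assignment is outside this hunk), this branch runs `airgap_playbooks` — and its rsync from /root/SecurityOnion/airgap-resources/playbooks/ — on every install. The condition should use the same test as the `airgap_detection_summaries` block immediately above it, whose guard begins outside the hunk. The enclosing `if ! [[ -f $install_opt_file ]]` block starts and ends outside the hunk.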