Add support for Airgap for Playbooks

salt/manager/tools/sbin/soup

@@ -1069,6 +1069,11 @@ update_airgap_rules() {
   rsync -a $UPDATE_DIR/agrules/securityonion-resources/* /nsm/securityonion-resources/
 }
 
+update_airgap_playbooks() {
+  # Copy the playbooks over to update them for airgap.
+  rsync -a --delete --chown=socore:socore $UPDATE_DIR/airgap-resources/playbooks/* /nsm/airgap-resources/playbooks/
+}
+
 update_airgap_repo() {
   # Update the files in the repo
   echo "Syncing new updates to /nsm/repo"
@@ -1253,6 +1258,7 @@ apply_hotfix() {
   elif [[ "$INSTALLEDVERSION" == "2.4.30" ]] ; then
     if [[ $is_airgap -eq 0 ]]; then
       update_airgap_rules
+      update_airgap_playbooks
     fi
     if [[ -f /etc/pki/managerssl.key.old ]]; then
       echo "Skipping Certificate Generation"
@@ -1418,6 +1424,8 @@ main() {
     if [[ $is_airgap -eq 0 ]]; then
       echo "Updating Rule Files to the Latest."
       update_airgap_rules
+      echo "Updating Playbooks to the Latest."
+      update_airgap_playbooks
     fi
 
     # since we don't run the backup.config_backup state on import we wont snapshot previous version states and pillars

salt/soc/defaults.yaml

@@ -1464,7 +1464,9 @@ soc:
           autoUpdateEnabled: true
           playbookImportFrequencySeconds: 86400
           playbookImportErrorSeconds: 600
-          playbookRepoUrl: https://github.com/Security-Onion-Solutions/securityonion-resources-playbooks
+          playbookRepoUrl:
+            default: https://github.com/Security-Onion-Solutions/securityonion-resources-playbooks
+            airgap: file:///nsm/airgap-resources/playbooks/securityonion-resources-playbooks
           playbookRepoBranch: main
           playbookRepoPath: /opt/sensoroni/playbooks/
           playbookPathInRepo: securityonion-normalized

salt/soc/merged.map.jinja

@@ -61,6 +61,13 @@
 {%   do SOCMERGED.config.server.update({'airgapEnabled': false}) %}
 {% endif %}
 
+{# set playbookRepoUrl based on airgap or not #}
+{% if GLOBALS.airgap %}
+{%   do SOCMERGED.config.server.modules.playbook.update({'playbookRepoUrl': SOCMERGED.config.server.modules.playbook.playbookRepoUrl.airgap}) %}
+{% else %}
+{%   do SOCMERGED.config.server.modules.playbook.update({'playbookRepoUrl': SOCMERGED.config.server.modules.playbook.playbookRepoUrl.default}) %}
+{% endif %}
+
 {# remove these modules if detections is disabled #}
 {% if not SOCMERGED.config.server.client.detectionsEnabled %}
 {%   do SOCMERGED.config.server.modules.pop('elastalertengine') %}

setup/so-functions

@@ -56,6 +56,12 @@ airgap_detection_summaries() {
 	logCmd "git config --global --add safe.directory /opt/so/conf/soc/ai_summary_repos/securityonion-resources"
 	logCmd "git -C /opt/so/conf/soc/ai_summary_repos/securityonion-resources checkout generated-summaries-published"
 }
+airgap_playbooks() {
+	# Copy playbooks if using airgap
+	mkdir -p /nsm/airgap-resources/playbooks
+	logCmd "rsync -av --chown=socore:socore /root/SecurityOnion/airgap-resources/playbooks/ /nsm/airgap-resources/playbooks/"
+	logCmd "git config --global --add safe.directory /nsm/airgap-resources/playbooks"
+}
 
 add_admin_user() {
 	title "Adding $ADMINUSER to the system with sudo rights"

setup/so-setup

@@ -769,6 +769,10 @@ if ! [[ -f $install_opt_file ]]; then
 			title "Syncing AI-Generated Detection Summaries"
 			airgap_detection_summaries
 		fi
+		if [[ $is_airgap ]]; then
+			title "Syncing Playbooks"
+			airgap_playbooks
+		fi
 		title "Setting up Kibana Default Space"
 		logCmd "so-kibana-space-defaults"
 		add_web_user