From a4dc63f3a4e2c9ec4796647fc2afa6a1310d8145 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Wed, 14 Sep 2022 09:53:57 -0400
Subject: [PATCH] Change how zeek and suri are populated in the minion file
---
 salt/common/tools/sbin/so-minion | 16 +++----
 salt/learn/files/logscan.conf | 7 ---
 salt/learn/init.sls | 19 --------
 salt/learn/logscan.sls | 58 -----------------------
 salt/suricata/defaults.yaml | 26 ++++++++--
 salt/zeek/{map.jinja => config.map.jinja} | 0
 salt/zeek/fileextraction_defaults.yaml | 29 ------------
 salt/zeek/init.sls | 2 +-
 8 files changed, 31 insertions(+), 126 deletions(-)
 delete mode 100644 salt/learn/files/logscan.conf
 delete mode 100644 salt/learn/init.sls
 delete mode 100644 salt/learn/logscan.sls
 rename salt/zeek/{map.jinja => config.map.jinja} (100%)
 delete mode 100644 salt/zeek/fileextraction_defaults.yaml
diff --git a/salt/common/tools/sbin/so-minion b/salt/common/tools/sbin/so-minion
index 858d2706c..24544940c 100755
--- a/salt/common/tools/sbin/so-minion
+++ b/salt/common/tools/sbin/so-minion
@@ -160,16 +160,14 @@ function add_patch_pillar_to_minion() {
 function add_sensor_to_minion() {
 echo "sensor:" >> $PILLARFILE
 echo " interface: '$INTERFACE'" >> $PILLARFILE
- echo " zeekpin: False" >> $PILLARFILE
- echo " zeekpins:" >> $PILLARFILE
- echo " - 1" >> $PILLARFILE
- echo " zeek_lbprocs: $CORECOUNT" >> $PILLARFILE
- echo " suripin: False" >> $PILLARFILE
- echo " suripins:" >> $PILLARFILE
- echo " - 2" >> $PILLARFILE
- echo " suriprocs: $CORECOUNT" >> $PILLARFILE
 echo " mtu: 9000" >> $PILLARFILE
- echo " uniqueid: $(date '+%s')" >> $PILLARFILE
+ echo "zeek:" >> $PILLARFILE
+ echo " config:" >> $PILLARFILE
+ echo " lb_procs: $CORECOUNT" >> $PILLARFILE
+ echo "suricata:" >> $PILLARFILE
+ echo " config:" >> $PILLARFILE
+ echo " af-packet:" >> $PILLARFILE
+ echo " threads: $CORECOUNT" >> $PILLARFILE
 echo "steno:" >> $PILLARFILE
 echo " stenopin: False" >> $PILLARFILE
 echo " stenopins:" >> $PILLARFILE
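Review bot: The hunk also drops `sensor.uniqueid` (the removed `echo "  uniqueid: $(date '+%s')" >> $PILLARFILE`), which the commit message does not mention; any state that still does a pillar.get on `sensor:uniqueid` would now silently receive its default instead of a value. If the removal is intended, a one-line comment in add_sensor_to_minion such as `# uniqueid is no longer written; consumers moved to zeek:config / suricata:config` would spare the next reader a search, otherwise the line should stay. The new `zeek:` and `suricata:` mappings are appended as top-level keys to the same pillar file as `sensor:`; if another function in so-minion also emits a `zeek:` or `suricata:` key, the file ends up with duplicate top-level keys that YAML loaders resolve silently, so it is worth checking the other add_*_to_minion functions. Nothing in the diffstat touches a consumer of the old `sensor:zeek_lbprocs` / `sensor:suriprocs` keys, so presumably the zeek and suricata map files already read `zeek:config:lb_procs` and `suricata:config:af-packet:threads` — worth confirming before the old keys disappear from new minions. add_sensor_to_minion's body continues past the end of the hunk.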
diff --git a/salt/learn/files/logscan.conf b/salt/learn/files/logscan.conf
deleted file mode 100644
index d7aa30734..000000000
--- a/salt/learn/files/logscan.conf
+++ /dev/null
@@ -1,7 +0,0 @@
-[global]
-ts_format = iso8601
-scan_interval = 30s
-log_level = info
-
-[kratos]
-log_path = kratos/kratos.log
diff --git a/salt/learn/init.sls b/salt/learn/init.sls
deleted file mode 100644
index fb5b89802..000000000
--- a/salt/learn/init.sls
+++ /dev/null
@@ -1,19 +0,0 @@
-{% from 'allowed_states.map.jinja' import allowed_states %}
-{% if sls in allowed_states %}
-
-{% set module_dict = salt['pillar.get']('learn:modules', {} ) %}
-
-{% if module_dict.items()|length != 0 %}
-include:
-{% for module, _ in module_dict.items() %}
- - 'learn.{{ module }}'
-{% endfor %}
-{% endif %}
-
-{% else %}
-
-{{sls}}_state_not_allowed:
- test.fail_without_changes:
- - name: {{sls}}_state_not_allowed
-
-{% endif %}
diff --git a/salt/learn/logscan.sls b/salt/learn/logscan.sls
deleted file mode 100644
index 91f64420a..000000000
--- a/salt/learn/logscan.sls
+++ /dev/null
@@ -1,58 +0,0 @@
-{% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %}
-{% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %}
-{% set MANAGER = salt['grains.get']('master') %}
-{% set logscan_cpu_period = salt['pillar.get']('learn:modules:logscan:cpu_period', 20000) %}
-{% set enabled = salt['pillar.get']('learn:modules:logscan:enabled', False) %}
-
-{% if enabled %}
- {% set container_action = 'running' %}
-{% else %}
- {% set container_action = 'absent'%}
-{% endif %}
-
-
-logscan_data_dir:
- file.directory:
- - name: /nsm/logscan/data
- - user: 939
- - group: 939
- - makedirs: True
-
-logscan_conf_dir:
- file.directory:
- - name: /opt/so/conf/logscan
- - user: 939
- - group: 939
- - makedirs: True
-
-logscan_conf:
- file.managed:
- - name: /opt/so/conf/logscan/logscan.conf
- - source: salt://learn/files/logscan.conf
- - user: 939
- - group: 939
- - mode: 600
-
-logscan_log_dir:
- file.directory:
- - name: /opt/so/log/logscan
- - user: 939
- - group: 939
-
-so-logscan:
- docker_container.{{ container_action }}:
- {% if container_action == 'running' %}
- - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-logscan:{{ VERSION }}
- - hostname: logscan
- - name: so-logscan
- - binds:
- - /nsm/logscan/data:/logscan/data:rw
- - /opt/so/conf/logscan/logscan.conf:/logscan/logscan.conf:ro
- - /opt/so/log/logscan:/logscan/output:rw
- - /opt/so/log:/logscan/logs:ro
- - cpu_period: {{ logscan_cpu_period }}
- - require:
- - file: logscan_conf
- {% else %}
- - force: true
- {% endif %}
diff --git a/salt/suricata/defaults.yaml b/salt/suricata/defaults.yaml
index 0fe3b444f..4e4d28a87 100644
--- a/salt/suricata/defaults.yaml
+++ b/salt/suricata/defaults.yaml
@@ -1,5 +1,28 @@
 suricata:
 config:
+ threading:
+ set-cpu-affinity: 'no'
+ detect-thread-ratio: 1.0
+ cpu-affinity:
+ - management-cpu-set:
+ cpu: []
+ - receive-cpu-set:
+ cpu: []
+ - worker-cpu-set:
+ cpu: []
+ mode: exclusive
+ threads: 1
+ prio:
+ default: high
+ af-packet:
+ interface: bond0
+ cluster-id: 59
+ cluster-type: cluster_flow
+ defrag: true
+ use-mmap: true
+ threads: 1
+ tpacket-v3: true
+ ring-size: 5000
 vars:
 address-groups:
 HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
@@ -348,9 +371,6 @@ suricata:
 include-mpm-stats: false
 mpm-algo: auto
 spm-algo: auto
- threading:
- set-cpu-affinity: "yes"
- detect-thread-ratio: 1.0
 luajit:
 states: 128
diff --git a/salt/zeek/map.jinja b/salt/zeek/config.map.jinja
similarity index 100%
rename from salt/zeek/map.jinja
rename to salt/zeek/config.map.jinja
diff --git a/salt/zeek/fileextraction_defaults.yaml b/salt/zeek/fileextraction_defaults.yaml
deleted file mode 100644
index 3823b8203..000000000
--- a/salt/zeek/fileextraction_defaults.yaml
+++ /dev/null
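Review bot: Moving `threading` to the top of the defaults also flips `set-cpu-affinity` from `"yes"` (removed in the second hunk at -348) to `'no'`, a behaviour change the commit message does not mention; with affinity off, the new `cpu-affinity` sets (`management-cpu-set`, `receive-cpu-set`, `worker-cpu-set`) are inert unless a minion pillar turns it back on. A short comment above the block would make that explicit, e.g. `# CPU pinning is off by default; the cpu-affinity sets below only take effect when set-cpu-affinity is 'yes'`. The quoting of `'no'` should be kept and is worth a comment too, since this file is presumably parsed by Salt's YAML loader before it is rendered into suricata.yaml, and an unquoted `no` would become a boolean there rather than the string Suricata reads. The `af-packet` block hard-codes `interface: bond0` while so-minion now only writes `suricata:config:af-packet:threads` per sensor, so the real capture interface presumably comes from another merge step — worth confirming the pillar merge yields the intended interface. The second hunk only removes the old `threading` block so the key is not duplicated; nothing further to raise there.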
@@ -1,29 +0,0 @@
-zeek:
- policy:
- file_extraction:
- - application/x-dosexec: exe
- - application/pdf: pdf
- - application/msword: doc
- - application/vnd.ms-powerpoint: doc
- - application/rtf: doc
- - application/vnd.ms-word.document.macroenabled.12: doc
- - application/vnd.ms-word.template.macroenabled.12: doc
- - application/vnd.ms-powerpoint.template.macroenabled.12: doc
- - application/vnd.ms-excel: doc
- - application/vnd.ms-excel.addin.macroenabled.12: doc
- - application/vnd.ms-excel.sheet.binary.macroenabled.12: doc
- - application/vnd.ms-excel.template.macroenabled.12: doc
- - application/vnd.ms-excel.sheet.macroenabled.12: doc
- - application/vnd.openxmlformats-officedocument.presentationml.presentation: doc
- - application/vnd.openxmlformats-officedocument.presentationml.slide: doc
- - application/vnd.openxmlformats-officedocument.presentationml.slideshow: doc
- - application/vnd.openxmlformats-officedocument.presentationml.template: doc
- - application/vnd.openxmlformats-officedocument.spreadsheetml.sheet: doc
- - application/vnd.openxmlformats-officedocument.spreadsheetml.template: doc
- - application/vnd.openxmlformats-officedocument.wordprocessingml.document: doc
- - application/vnd.openxmlformats-officedocument.wordprocessingml.template: doc
- - application/vnd.ms-powerpoint.addin.macroenabled.12: doc
- - application/vnd.ms-powerpoint.slide.macroenabled.12: doc
- - application/vnd.ms-powerpoint.presentation.macroenabled.12: doc
- - application/vnd.ms-powerpoint.slideshow.macroenabled.12: doc
- - application/vnd.openxmlformats-officedocument: doc
\ No newline at end of file
diff --git a/salt/zeek/init.sls b/salt/zeek/init.sls
index 6185308ac..b6f3231ae 100644
--- a/salt/zeek/init.sls
+++ b/salt/zeek/init.sls
@@ -6,7 +6,7 @@
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls in allowed_states %}
-{% from "zeek/map.jinja" import ZEEKOPTIONS with context %}
+{% from "zeek/config.map.jinja" import ZEEKOPTIONS with context %}
 {% set VERSION = salt['pillar.get']('global:soversion') %}
 {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %}