Merge pull request #12947 from Security-Onion-Solutions/fix/strelka_yara_distributed

Fix YARA rules for distributed deployments

salt/allowed_states.map.jinja

@@ -65,6 +65,7 @@
           'registry',
           'manager',
           'nginx',
+          'strelka.manager',
           'soc',
           'kratos',
           'influxdb',
@@ -91,6 +92,7 @@
           'nginx',
           'telegraf',
           'influxdb',
+          'strelka.manager',
           'soc',
           'kratos',
           'elasticfleet',
@@ -111,6 +113,7 @@
           'nginx',
           'telegraf',
           'influxdb',
+          'strelka.manager',
           'soc',
           'kratos',
           'elastic-fleet-package-registry',

salt/strelka/compile_yara/compile_yara.py

@@ -20,7 +20,7 @@ def check_syntax(rule_file):
 
 def compile_yara_rules(rules_dir):
     compiled_dir = os.path.join(rules_dir, "compiled")
-    compiled_rules_path = os.path.join(compiled_dir, "rules.compiled")
+    compiled_rules_path = [ os.path.join(compiled_dir, "rules.compiled"), "/opt/so/saltstack/default/salt/strelka/rules/compiled/rules.compiled" ]
     rule_files = glob.glob(os.path.join(rules_dir, '**/*.yar'), recursive=True)
     files_to_compile = {}
     removed_count = 0
@@ -57,10 +57,11 @@ def compile_yara_rules(rules_dir):
     # Compile all remaining valid rules into a single file
     if files_to_compile:
         compiled_rules = yara.compile(filepaths=files_to_compile)
-        compiled_rules.save(compiled_rules_path)
-        print(f"All remaining rules compiled and saved into {compiled_rules_path}")
+        for path in compiled_rules_path:
+          compiled_rules.save(path)
+          print(f"All remaining rules compiled and saved into {path}")
 
     # Print summary of compilation results
     print(f"Summary: {success_count} rules compiled successfully, {removed_count} rules removed due to errors.")
 
-compile_yara_rules("/opt/sensoroni/yara/rules/")
+compile_yara_rules("/opt/sensoroni/yara/rules/")

salt/strelka/config.sls

@@ -29,6 +29,15 @@ strelkarulesdir:
     - group: 939
     - makedirs: True
 
+{%- if grains.role in ['so-sensor', 'so-heavynode'] %}
+strelkasensorrules:
+  file.managed:
+    - name: /opt/so/conf/strelka/rules/compiled/rules.compiled
+    - source: salt://strelka/rules/compiled/rules.compiled
+    - user: 939
+    - group: 939
+{%- endif %}
+
 strelkareposdir:
   file.directory:
     - name: /opt/so/conf/strelka/repos

salt/strelka/manager.sls

@@ -0,0 +1,45 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls in allowed_states %}
+
+# Strelka config
+strelkaconfdir:
+  file.directory:
+    - name: /opt/so/conf/strelka/rules/compiled/
+    - user: 939
+    - group: 939
+    - makedirs: True
+
+strelkacompileyara:
+  file.managed:
+    - name: /opt/so/conf/strelka/compile_yara.py
+    - source: salt://strelka/compile_yara/compile_yara.py
+    - user: 939
+    - group: 939
+    - makedirs: True
+
+strelkarulesdir:
+  file.directory:
+    - name: /opt/so/conf/strelka/rules
+    - user: 939
+    - group: 939
+    - makedirs: True
+
+strelkareposdir:
+  file.directory:
+    - name: /opt/so/conf/strelka/repos
+    - user: 939
+    - group: 939
+    - makedirs: True
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+  test.fail_without_changes:
+    - name: {{sls}}_state_not_allowed
+
+{% endif %}

salt/top.sls

@@ -87,6 +87,7 @@ base:
     - registry
     - nginx
     - influxdb
+    - strelka.manager
     - soc
     - kratos
     - firewall
@@ -161,6 +162,7 @@ base:
     - registry
     - nginx
     - influxdb
+    - strelka.manager
     - soc
     - kratos
     - firewall
@@ -210,6 +212,7 @@ base:
     - manager
     - nginx
     - influxdb
+    - strelka.manager
     - soc
     - kratos
     - sensoroni