CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-06 17:22:49 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #12437 from Security-Onion-Solutions/feature/detections-airgap

Browse Source 
Airgap Support - Detections module
This commit is contained in:
Josh Brower
2024-02-26 16:47:26 -05:00
committed by GitHub
parent 52580fb8c4 c6baa4be1b
commit a817bae1e5
4 changed files with 15 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
salt/manager/tools/sbin/soup
View File

@@ -603,6 +603,10 @@ update_airgap_rules() {
if [ -d /nsm/repo/rules/sigma ]; then
rsync -av $UPDATE_DIR/agrules/sigma/* /nsm/repo/rules/sigma/
fi
# SOC Detections Airgap
rsync -av $UPDATE_DIR/agrules/detect-sigma/* /nsm/rules/detect-sigma/
rsync -av $UPDATE_DIR/agrules/detect-yara/* /nsm/rules/detect-yara/
}
update_airgap_repo() {
@@ -931,10 +935,8 @@ main() {
preupgrade_changes
echo ""
if [[ $is_airgap -eq 0 ]]; then
echo "Updating Rule Files to the Latest."
update_airgap_rules
fi
echo "Updating Airgap Rule Files to the Latest."
update_airgap_rules
# since we don't run the backup.config_backup state on import we wont snapshot previous version states and pillars
if [[ ! "$MINIONID" =~ "_import" ]]; then

2
salt/soc/enabled.sls
View File

@@ -22,7 +22,7 @@ so-soc:
- sobridge:
- ipv4_address: {{ DOCKER.containers['so-soc'].ip }}
- binds:
- /nsm/rules:/nsm/rules:rw #Need to tighten this up?
- /nsm/rules:/nsm/rules:rw
- /opt/so/conf/strelka:/opt/sensoroni/yara:rw
- /opt/so/rules/elastalert/rules:/opt/sensoroni/elastalert:rw
- /opt/so/conf/soc/fingerprints:/opt/sensoroni/fingerprints:rw

6
salt/soc/merged.map.jinja
View File

@@ -34,6 +34,12 @@
{% do SOCMERGED.config.server.client.inactiveTools.append('toolPlaybook') %}
{% endif %}
{# if system is Airgap, don't autoupdate Yara & Sigma rules #}
{% if pillar.global.airgap %}
{% do SOCMERGED.config.server.modules.elastalertengine.update({'autoUpdateEnabled': false}) %}
{% do SOCMERGED.config.server.modules.strelkaengine.update({'autoUpdateEnabled': false}) %}
{% endif %}
{% set standard_actions = SOCMERGED.config.pop('actions') %}
{% if pillar.global.endgamehost != '' %}

6
setup/so-setup
View File

@@ -687,10 +687,8 @@ if ! [[ -f $install_opt_file ]]; then
logCmd "so-minion -o=setup"
title "Creating Global SLS"
if [[ $is_airgap ]]; then
# Airgap Rules
airgap_rules
fi
# Airgap Rules
airgap_rules
manager_pillar