From acc9b8062e75808bb8678e2b42aa33514ee46083 Mon Sep 17 00:00:00 2001 
From: Mike Reeves Date: Mon, 6 Apr 2026 14:57:22 -0400 Subject: [PATCH] Remove Strelka container infrastructure Removes all Strelka container salt states and infrastructure references, replaced by the native fileanalyze module in sensoroni. Removed: - salt/strelka/ directory (all container states, configs, tools) - Docker container definitions for 6 Strelka containers - Firewall rules for strelka_frontend - Container references in containers.map.jinja - top.sls and allowed_states references to strelka/strelka.manager - so-minion add_strelka_to_minion() function and call sites - so-deny strelka_frontend entry - Logstash strelka bind mount - Logrotate strelka config - Telegraf strelka file monitoring - so-sensor-clean strelka cleanup - so-image-common strelka container images Kept (still needed): - Elasticsearch index/ingest pipeline (ingests fileanalyze output) - Elastic agent/fleet log collection config - SOC strelkaengine (YARA rule management) - Kibana saved objects (dashboards) --- salt/allowed_states.map.jinja | 13 +- salt/common/tools/sbin/so-image-common | 2 - salt/common/tools/sbin/so-sensor-clean | 15 - salt/docker/defaults.yaml | 42 - salt/docker/soc_docker.yaml | 6 - salt/firewall/containers.map.jinja | 18 - salt/firewall/defaults.yaml | 18 - salt/firewall/soc_firewall.yaml | 76 +- salt/logrotate/defaults.yaml | 10 - salt/logrotate/soc_logrotate.yaml | 7 - salt/logstash/enabled.sls | 1 - salt/manager/tools/sbin/so-deny | 2 - salt/manager/tools/sbin/so-minion | 26 - salt/strelka/backend/config.sls | 59 -- salt/strelka/backend/disabled.sls | 27 - salt/strelka/backend/enabled.sls | 69 -- salt/strelka/backend/files/backend.yaml.jinja | 1 - salt/strelka/backend/files/logging.yaml.jinja | 1 - .../strelka/backend/files/passwords.dat.jinja | 1 - salt/strelka/backend/files/taste/taste.yara | 748 ------------------ salt/strelka/backend/init.sls | 13 - salt/strelka/backend/sostatus.sls | 21 - salt/strelka/compile_yara/compile_yara.py | 99 --- salt/strelka/config.sls 
| 64 -- salt/strelka/coordinator/config.sls | 19 - salt/strelka/coordinator/disabled.sls | 27 - salt/strelka/coordinator/enabled.sls | 64 -- salt/strelka/coordinator/init.sls | 13 - salt/strelka/coordinator/sostatus.sls | 21 - salt/strelka/defaults.yaml | 739 ----------------- salt/strelka/filecheck/filecheck | 98 --- salt/strelka/filecheck/filecheck.yaml.jinja | 2 - salt/strelka/filestream/config.sls | 165 ---- salt/strelka/filestream/disabled.sls | 27 - salt/strelka/filestream/enabled.sls | 64 -- .../filestream/files/filestream.yaml.jinja | 1 - salt/strelka/filestream/init.sls | 13 - salt/strelka/filestream/sostatus.sls | 21 - salt/strelka/frontend/config.sls | 36 - salt/strelka/frontend/disabled.sls | 27 - salt/strelka/frontend/enabled.sls | 69 -- .../frontend/files/frontend.yaml.jinja | 1 - salt/strelka/frontend/init.sls | 13 - salt/strelka/frontend/sostatus.sls | 21 - salt/strelka/gatekeeper/config.sls | 19 - salt/strelka/gatekeeper/disabled.sls | 27 - salt/strelka/gatekeeper/enabled.sls | 65 -- salt/strelka/gatekeeper/init.sls | 13 - salt/strelka/gatekeeper/sostatus.sls | 21 - salt/strelka/init.sls | 43 - salt/strelka/manager.sls | 37 - salt/strelka/manager/config.sls | 31 - salt/strelka/manager/disabled.sls | 27 - salt/strelka/manager/enabled.sls | 63 -- salt/strelka/manager/files/manager.yaml.jinja | 1 - salt/strelka/manager/init.sls | 13 - salt/strelka/manager/sostatus.sls | 21 - salt/strelka/map.jinja | 35 - salt/strelka/rules/compiled/DO.NOT.TOUCH | 0 salt/strelka/soc_strelka.yaml | 627 --------------- salt/strelka/tools/sbin/so-strelka-restart | 18 - salt/strelka/tools/sbin/so-strelka-start | 12 - salt/strelka/tools/sbin/so-strelka-stop | 17 - salt/telegraf/scripts/checkfiles.sh | 3 - salt/top.sls | 7 - 65 files changed, 38 insertions(+), 3842 deletions(-) delete mode 100644 salt/strelka/backend/config.sls delete mode 100644 salt/strelka/backend/disabled.sls delete mode 100644 salt/strelka/backend/enabled.sls delete mode 100644 
salt/strelka/backend/files/backend.yaml.jinja delete mode 100644 salt/strelka/backend/files/logging.yaml.jinja delete mode 100644 salt/strelka/backend/files/passwords.dat.jinja delete mode 100644 salt/strelka/backend/files/taste/taste.yara delete mode 100644 salt/strelka/backend/init.sls delete mode 100644 salt/strelka/backend/sostatus.sls delete mode 100644 salt/strelka/compile_yara/compile_yara.py delete mode 100644 salt/strelka/config.sls delete mode 100644 salt/strelka/coordinator/config.sls delete mode 100644 salt/strelka/coordinator/disabled.sls delete mode 100644 salt/strelka/coordinator/enabled.sls delete mode 100644 salt/strelka/coordinator/init.sls delete mode 100644 salt/strelka/coordinator/sostatus.sls delete mode 100644 salt/strelka/defaults.yaml delete mode 100644 salt/strelka/filecheck/filecheck delete mode 100644 salt/strelka/filecheck/filecheck.yaml.jinja delete mode 100644 salt/strelka/filestream/config.sls delete mode 100644 salt/strelka/filestream/disabled.sls delete mode 100644 salt/strelka/filestream/enabled.sls delete mode 100644 salt/strelka/filestream/files/filestream.yaml.jinja delete mode 100644 salt/strelka/filestream/init.sls delete mode 100644 salt/strelka/filestream/sostatus.sls delete mode 100644 salt/strelka/frontend/config.sls delete mode 100644 salt/strelka/frontend/disabled.sls delete mode 100644 salt/strelka/frontend/enabled.sls delete mode 100644 salt/strelka/frontend/files/frontend.yaml.jinja delete mode 100644 salt/strelka/frontend/init.sls delete mode 100644 salt/strelka/frontend/sostatus.sls delete mode 100644 salt/strelka/gatekeeper/config.sls delete mode 100644 salt/strelka/gatekeeper/disabled.sls delete mode 100644 salt/strelka/gatekeeper/enabled.sls delete mode 100644 salt/strelka/gatekeeper/init.sls delete mode 100644 salt/strelka/gatekeeper/sostatus.sls delete mode 100644 salt/strelka/init.sls delete mode 100644 salt/strelka/manager.sls delete mode 100644 salt/strelka/manager/config.sls delete mode 100644 
salt/strelka/manager/disabled.sls delete mode 100644 salt/strelka/manager/enabled.sls delete mode 100644 salt/strelka/manager/files/manager.yaml.jinja delete mode 100644 salt/strelka/manager/init.sls delete mode 100644 salt/strelka/manager/sostatus.sls delete mode 100644 salt/strelka/map.jinja delete mode 100644 salt/strelka/rules/compiled/DO.NOT.TOUCH delete mode 100644 salt/strelka/soc_strelka.yaml delete mode 100755 salt/strelka/tools/sbin/so-strelka-restart delete mode 100755 salt/strelka/tools/sbin/so-strelka-start delete mode 100755 salt/strelka/tools/sbin/so-strelka-stop diff --git a/salt/allowed_states.map.jinja b/salt/allowed_states.map.jinja index 1fac0f0e3..c966fb260 100644 --- a/salt/allowed_states.map.jinja +++ b/salt/allowed_states.map.jinja @@ -41,8 +41,7 @@ 'suricata', 'healthcheck', 'tcpreplay', - 'zeek', - 'strelka' + 'zeek' ] %} {% set kafka_states = [ @@ -84,26 +83,26 @@ ), 'so-import': ( manager_states + - sensor_states | reject('equalto', 'strelka') | reject('equalto', 'healthcheck') | list + - ['elasticsearch', 'elasticsearch.auth', 'kibana', 'kibana.secrets', 'logstash.ssl', 'strelka.manager'] + sensor_states | reject('equalto', 'healthcheck') | list + + ['elasticsearch', 'elasticsearch.auth', 'kibana', 'kibana.secrets', 'logstash.ssl'] ), 'so-manager': ( manager_states + - ['salt.cloud', 'libvirt.packages', 'libvirt.ssh.users', 'strelka.manager'] + + ['salt.cloud', 'libvirt.packages', 'libvirt.ssh.users'] + stig_states + kafka_states + elastic_stack_states ), 'so-managerhype': ( manager_states + - ['salt.cloud', 'strelka.manager', 'hypervisor', 'libvirt'] + + ['salt.cloud', 'hypervisor', 'libvirt'] + stig_states + kafka_states + elastic_stack_states ), 'so-managersearch': ( manager_states + - ['salt.cloud', 'libvirt.packages', 'libvirt.ssh.users', 'strelka.manager'] + + ['salt.cloud', 'libvirt.packages', 'libvirt.ssh.users'] + stig_states + kafka_states + elastic_stack_states 
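Review bot: Dropping `strelka.manager` from the so-import, so-manager, so-managerhype and so-managersearch lists (and `strelka` from sensor_states) removes the last states this diff shows around the compiled-rules path that salt/strelka/backend/enabled.sls bind-mounted from /opt/so/conf/strelka/rules/compiled and watched as `strelkasensorcompiledrules`, while the commit message keeps SOC's strelkaengine for YARA rule management. Worth confirming that sensoroni's fileanalyze module consumes rules from a location it owns, since nothing in this hunk points at a replacement for that state (presumably defined in the deleted strelka/config.sls). Existing per-minion pillar files written by the removed `add_strelka_to_minion` will also keep a now-orphaned `strelka:` block; harmless if nothing validates pillar keys, but worth a line in the commit message. The enclosing Jinja `set` blocks start and end outside this hunk.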
diff --git a/salt/common/tools/sbin/so-image-common b/salt/common/tools/sbin/so-image-common
index 5ce2da241..80ba80dc0 100755
--- a/salt/common/tools/sbin/so-image-common
+++ b/salt/common/tools/sbin/so-image-common
@@ -57,8 +57,6 @@ container_list() {
 "so-pcaptools"
 "so-redis"
 "so-soc"
- "so-strelka-backend"
- "so-strelka-manager"
 "so-suricata"
 "so-telegraf"
 "so-zeek"
diff --git a/salt/common/tools/sbin/so-sensor-clean b/salt/common/tools/sbin/so-sensor-clean
index 083a316b9..f0f97ec1e 100755
--- a/salt/common/tools/sbin/so-sensor-clean
+++ b/salt/common/tools/sbin/so-sensor-clean
@@ -42,21 +42,6 @@ clean() {
 # done
 #fi
 
- ## Clean up Zeek extracted files processed by Strelka
- STRELKA_FILES='/nsm/strelka/processed'
- OLDEST_STRELKA=$(find $STRELKA_FILES -type f -printf '%T+ %p\n' | sort -n | head -n 1)
- if [ -z "$OLDEST_STRELKA" -o "$OLDEST_STRELKA" == ".." -o "$OLDEST_STRELKA" == "." ]; then
- echo "$(date) - No old files available to clean up in $STRELKA_FILES" >>$LOG
- else
- OLDEST_STRELKA_DATE=$(echo $OLDEST_STRELKA | awk '{print $1}' | cut -d+ -f1)
- OLDEST_STRELKA_FILE=$(echo $OLDEST_STRELKA | awk '{print $2}')
- echo "$(date) - Removing extracted files for $OLDEST_STRELKA_DATE" >>$LOG
- find $STRELKA_FILES -type f -printf '%T+ %p\n' | grep $OLDEST_STRELKA_DATE | awk '{print $2}' | while read FILE; do
- echo "$(date) - Removing file: $FILE" >>$LOG
- rm -f "$FILE"
- done
- fi
-
 ## Clean up Suricata log files
 SURICATA_LOGS='/nsm/suricata'
 OLDEST_SURICATA=$(find $SURICATA_LOGS -type f -printf '%T+ %p\n' | sort -n | head -n 1)
diff --git a/salt/docker/defaults.yaml b/salt/docker/defaults.yaml
index 044ec98b0..ccbb60479 100644
--- a/salt/docker/defaults.yaml
+++ b/salt/docker/defaults.yaml
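Review bot: Removing the `/nsm/strelka/processed` sweep from clean() leaves whatever that directory already holds on an upgraded sensor with no reclaim path, since nothing else in this diff removes the directory or its contents, so an existing extracted-file backlog keeps occupying /nsm until someone deletes it by hand. Consider a one-time removal in the upgrade path, or at least a sentence in the commit message telling operators to clear it, and give /opt/so/log/strelka (whose logrotate entry is also dropped in this patch) the same treatment. clean() continues outside the hunk.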
@@ -134,48 +134,6 @@ docker: extra_hosts: [] extra_env: [] ulimits: [] - 'so-strelka-backend': - final_octet: 36 - custom_bind_mounts: [] - extra_hosts: [] - extra_env: [] - ulimits: [] - 'so-strelka-filestream': - final_octet: 37 - custom_bind_mounts: [] - extra_hosts: [] - extra_env: [] - ulimits: [] - 'so-strelka-frontend': - final_octet: 38 - port_bindings: - - 0.0.0.0:57314:57314 - custom_bind_mounts: [] - extra_hosts: [] - extra_env: [] - ulimits: [] - 'so-strelka-manager': - final_octet: 39 - custom_bind_mounts: [] - extra_hosts: [] - extra_env: [] - ulimits: [] - 'so-strelka-gatekeeper': - final_octet: 40 - port_bindings: - - 0.0.0.0:6381:6379 - custom_bind_mounts: [] - extra_hosts: [] - extra_env: [] - ulimits: [] - 'so-strelka-coordinator': - final_octet: 41 - port_bindings: - - 0.0.0.0:6380:6379 - custom_bind_mounts: [] - extra_hosts: [] - extra_env: [] - ulimits: [] 'so-elastalert': final_octet: 42 custom_bind_mounts: [] diff --git a/salt/docker/soc_docker.yaml b/salt/docker/soc_docker.yaml index e649700da..b386c0c66 100644 --- a/salt/docker/soc_docker.yaml +++ b/salt/docker/soc_docker.yaml @@ -89,12 +89,6 @@ docker: so-redis: *dockerOptions so-sensoroni: *dockerOptions so-soc: *dockerOptions - so-strelka-backend: *dockerOptions - so-strelka-filestream: *dockerOptions - so-strelka-frontend: *dockerOptions - so-strelka-manager: *dockerOptions - so-strelka-gatekeeper: *dockerOptions - so-strelka-coordinator: *dockerOptions so-elastalert: *dockerOptions so-elastic-fleet-package-registry: *dockerOptions so-idh: *dockerOptions diff --git a/salt/firewall/containers.map.jinja b/salt/firewall/containers.map.jinja index 2d1135e5f..c660bc9c5 100644 --- a/salt/firewall/containers.map.jinja +++ b/salt/firewall/containers.map.jinja 
@@ -13,12 +13,6 @@ 'so-nginx', 'so-redis', 'so-soc', - 'so-strelka-coordinator', - 'so-strelka-gatekeeper', - 'so-strelka-frontend', - 'so-strelka-backend', - 'so-strelka-manager', - 'so-strelka-filestream' ] %} {% elif GLOBALS.role in ['so-manager', 'so-standalone','so-managersearch', 'so-managerhype'] %} @@ -36,12 +30,6 @@ 'so-nginx', 'so-redis', 'so-soc', - 'so-strelka-coordinator', - 'so-strelka-gatekeeper', - 'so-strelka-frontend', - 'so-strelka-backend', - 'so-strelka-manager', - 'so-strelka-filestream' ] %} {% elif GLOBALS.role == 'so-searchnode' %} @@ -58,12 +46,6 @@ 'so-logstash', 'so-nginx', 'so-redis', - 'so-strelka-coordinator', - 'so-strelka-gatekeeper', - 'so-strelka-frontend', - 'so-strelka-backend', - 'so-strelka-manager', - 'so-strelka-filestream' ] %} {% elif GLOBALS.role == 'so-import' %} diff --git a/salt/firewall/defaults.yaml b/salt/firewall/defaults.yaml index a11492e88..c4e121a63 100644 --- a/salt/firewall/defaults.yaml +++ b/salt/firewall/defaults.yaml @@ -27,7 +27,6 @@ firewall: self: [] sensor: [] standalone: [] - strelka_frontend: [] syslog: [] desktop: [] customhostgroup0: [] @@ -140,10 +139,6 @@ firewall: tcp: - 22 udp: [] - strelka_frontend: - tcp: - - 57314 - udp: [] syslog: tcp: - 514 @@ -222,9 +217,6 @@ firewall: - elastic_agent_control - elastic_agent_data - elastic_agent_update - strelka_frontend: - portgroups: - - strelka_frontend analyst: portgroups: - nginx @@ -1024,7 +1016,6 @@ firewall: - elastic_agent_data - elastic_agent_update - endgame - - strelka_frontend - localrules fleet: portgroups: @@ -1113,9 +1104,6 @@ firewall: - external_suricata external_kafka: portgroups: [] - strelka_frontend: - portgroups: - - strelka_frontend desktop: portgroups: - docker_registry @@ -1309,9 +1297,6 @@ firewall: chain: DOCKER-USER: hostgroups: - strelka_frontend: - portgroups: - - strelka_frontend customhostgroup0: portgroups: [] customhostgroup1: 
@@ -1401,9 +1386,6 @@ firewall: - syslog - elasticsearch_node - elasticsearch_rest - strelka_frontend: - portgroups: - - strelka_frontend syslog: portgroups: - syslog diff --git a/salt/firewall/soc_firewall.yaml b/salt/firewall/soc_firewall.yaml index a5181e50f..37e9f7315 100644 --- a/salt/firewall/soc_firewall.yaml +++ b/salt/firewall/soc_firewall.yaml @@ -47,7 +47,6 @@ firewall: self: *ROhostgroupsettingsadv sensor: *hostgroupsettings standalone: *hostgroupsettings - strelka_frontend: *hostgroupsettings syslog: *hostgroupsettings desktop: *hostgroupsettings customhostgroup0: &customhostgroupsettings @@ -156,9 +155,6 @@ firewall: ssh: tcp: *tcpsettings udp: *udpsettings - strelka_frontend: - tcp: *tcpsettings - udp: *udpsettings syslog: tcp: *tcpsettings udp: *udpsettings @@ -224,9 +220,7 @@ firewall: portgroups: *portgroupsdocker elastic_agent_endpoint: portgroups: *portgroupsdocker - external_suricata: - portgroups: *portgroupsdocker - strelka_frontend: + external_suricata: portgroups: *portgroupsdocker syslog: portgroups: *portgroupsdocker @@ -236,24 +230,24 @@ firewall: portgroups: *portgroupsdocker customhostgroup0: portgroups: *portgroupsdocker - customhostgroup1: + customhostgroup1: portgroups: *portgroupsdocker - customhostgroup2: + customhostgroup2: portgroups: *portgroupsdocker - customhostgroup3: + customhostgroup3: portgroups: *portgroupsdocker - customhostgroup4: + customhostgroup4: portgroups: *portgroupsdocker - customhostgroup5: + customhostgroup5: portgroups: *portgroupsdocker - customhostgroup6: + customhostgroup6: portgroups: *portgroupsdocker - customhostgroup7: + customhostgroup7: portgroups: *portgroupsdocker - customhostgroup8: + customhostgroup8: + portgroups: *portgroupsdocker + customhostgroup9: portgroups: *portgroupsdocker - customhostgroup9: - portgroups: *portgroupsdocker INPUT: hostgroups: anywhere: 
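Review bot: In the `@@ -236,24 +230,24 @@` hunk the `customhostgroup1:` through `customhostgroup9:` keys are removed and re-added with text that is identical once whitespace is collapsed, and the `@@ -711`, `@@ -743` and `@@ -774` hunks repeat the pattern, so most of this file's diff is whitespace churn unrelated to the strelka_frontend removal. In a YAML firewall definition an indentation shift on a hostgroup key can silently re-nest it under the previous entry and drop its portgroups, which a text diff does not flag; please confirm the rendered structure is unchanged (e.g. compare a YAML dump of the file before and after) or move the whitespace cleanup into its own commit. Separately, managers where hosts were previously granted the `strelka_frontend` role (the `-f` option dropped from so-deny suggests an allow path existed) may still carry that hostgroup in local pillar after it is removed from firewall/defaults.yaml; worth checking how the firewall state behaves for a pillar hostgroup with no matching default.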
@@ -569,9 +563,7 @@ firewall: portgroups: *portgroupsdocker endgame: portgroups: *portgroupsdocker - external_suricata: - portgroups: *portgroupsdocker - strelka_frontend: + external_suricata: portgroups: *portgroupsdocker syslog: portgroups: *portgroupsdocker @@ -711,28 +703,26 @@ firewall: hostgroups: self: portgroups: *portgroupsdocker - strelka_frontend: - portgroups: *portgroupsdocker customhostgroup0: portgroups: *portgroupsdocker - customhostgroup1: + customhostgroup1: portgroups: *portgroupsdocker - customhostgroup2: + customhostgroup2: portgroups: *portgroupsdocker - customhostgroup3: + customhostgroup3: portgroups: *portgroupsdocker - customhostgroup4: + customhostgroup4: portgroups: *portgroupsdocker - customhostgroup5: + customhostgroup5: portgroups: *portgroupsdocker - customhostgroup6: + customhostgroup6: portgroups: *portgroupsdocker - customhostgroup7: + customhostgroup7: portgroups: *portgroupsdocker - customhostgroup8: + customhostgroup8: + portgroups: *portgroupsdocker + customhostgroup9: portgroups: *portgroupsdocker - customhostgroup9: - portgroups: *portgroupsdocker INPUT: hostgroups: anywhere: @@ -743,23 +733,23 @@ firewall: portgroups: *portgroupshost customhostgroup0: portgroups: *portgroupshost - customhostgroup1: + customhostgroup1: portgroups: *portgroupshost - customhostgroup2: + customhostgroup2: portgroups: *portgroupshost - customhostgroup3: + customhostgroup3: portgroups: *portgroupshost - customhostgroup4: + customhostgroup4: portgroups: *portgroupshost - customhostgroup5: + customhostgroup5: portgroups: *portgroupshost - customhostgroup6: + customhostgroup6: portgroups: *portgroupshost - customhostgroup7: + customhostgroup7: portgroups: *portgroupshost - customhostgroup8: + customhostgroup8: portgroups: *portgroupshost - customhostgroup9: + customhostgroup9: portgroups: *portgroupshost heavynode: 
@@ -774,11 +764,9 @@ firewall: portgroups: *portgroupsdocker self: portgroups: *portgroupsdocker - strelka_frontend: - portgroups: *portgroupsdocker customhostgroup0: portgroups: *portgroupsdocker - customhostgroup1: + customhostgroup1: portgroups: *portgroupsdocker customhostgroup2: portgroups: *portgroupsdocker diff --git a/salt/logrotate/defaults.yaml b/salt/logrotate/defaults.yaml index 2261bb4f7..49b8af142 100644 --- a/salt/logrotate/defaults.yaml +++ b/salt/logrotate/defaults.yaml @@ -231,16 +231,6 @@ logrotate: - dateext - dateyesterday - su root socore - /nsm/strelka/log/strelka_x_log: - - daily - - rotate 14 - - missingok - - copytruncate - - compress - - create - - extension .log - - dateext - - dateyesterday /opt/so/log/sensor_clean_x_log: - daily - rotate 2 diff --git a/salt/logrotate/soc_logrotate.yaml b/salt/logrotate/soc_logrotate.yaml index f407ab48d..a5adf0f53 100644 --- a/salt/logrotate/soc_logrotate.yaml +++ b/salt/logrotate/soc_logrotate.yaml @@ -147,13 +147,6 @@ logrotate: multiline: True global: True forcedType: "[]string" - "/nsm/strelka/log/strelka_x_log": - description: List of logrotate options for this file. - title: /nsm/strelka/log/strelka.log - advanced: True - multiline: True - global: True - forcedType: "[]string" "/opt/so/log/sensor_clean_x_log": description: List of logrotate options for this file. title: /opt/so/log/sensor_clean.log diff --git a/salt/logstash/enabled.sls b/salt/logstash/enabled.sls index d89304144..002462743 100644 --- a/salt/logstash/enabled.sls +++ b/salt/logstash/enabled.sls @@ -89,7 +89,6 @@ so-logstash: - /nsm/zeek:/nsm/zeek:ro - /nsm/suricata:/suricata:ro - /opt/so/log/fleet/:/osquery/logs:ro - - /opt/so/log/strelka:/strelka:ro {% endif %} {% if DOCKERMERGED.containers['so-logstash'].custom_bind_mounts %} {% for BIND in DOCKERMERGED.containers['so-logstash'].custom_bind_mounts %} diff --git a/salt/manager/tools/sbin/so-deny b/salt/manager/tools/sbin/so-deny index a8814b7ea..2d7cdd576 100755 
--- a/salt/manager/tools/sbin/so-deny
+++ b/salt/manager/tools/sbin/so-deny
@@ -23,7 +23,6 @@ VALID_ROLES = {
 'a': { 'role': 'analyst','desc': 'Analyst - 80/tcp, 443/tcp' },
 'b': { 'role': 'beats_endpoint', 'desc': 'Logstash Beat - 5044/tcp' },
 'e': { 'role': 'elasticsearch_rest', 'desc': 'Elasticsearch REST API - 9200/tcp' },
- 'f': { 'role': 'strelka_frontend', 'desc': 'Strelka frontend - 57314/tcp' },
 's': { 'role': 'syslog', 'desc': 'Syslog device - 514/tcp/udp' },
 }
 
@@ -91,7 +90,6 @@ def main():
 group.add_argument('-a', dest='roles', action='append_const', const=VALID_ROLES['a']['role'], help="Analyst - 80/tcp, 443/tcp")
 group.add_argument('-b', dest='roles', action='append_const', const=VALID_ROLES['b']['role'], help="Logstash Beat - 5044/tcp")
 group.add_argument('-e', dest='roles', action='append_const', const=VALID_ROLES['e']['role'], help="Elasticsearch REST API - 9200/tcp")
- group.add_argument('-f', dest='roles', action='append_const', const=VALID_ROLES['f']['role'], help="Strelka frontend - 57314/tcp")
 group.add_argument('-s', dest='roles', action='append_const', const=VALID_ROLES['s']['role'], help="Syslog device - 514/tcp/udp")
 
 ip_g = main_parser.add_argument_group(title='allow')
diff --git a/salt/manager/tools/sbin/so-minion b/salt/manager/tools/sbin/so-minion
index 2d5ef448e..1d8a3d039 100755
--- a/salt/manager/tools/sbin/so-minion
+++ b/salt/manager/tools/sbin/so-minion
@@ -511,28 +511,6 @@ function add_redis_to_minion() {
 fi
 }
 
-function add_strelka_to_minion() {
- printf '%s\n'\
- "strelka:"\
- " backend:"\
- " enabled: True"\
- " filestream:"\
- " enabled: True"\
- " frontend:"\
- " enabled: True"\
- " manager:"\
- " enabled: True"\
- " coordinator:"\
- " enabled: True"\
- " gatekeeper:"\
- " enabled: True"\
- " " >> $PILLARFILE
- if [ $? -ne 0 ]; then
- log "ERROR" "Failed to add strelka configuration to $PILLARFILE"
- return 1
- fi
-}
-
 function add_telegraf_to_minion() {
 printf '%s\n'\
 "telegraf:"\
@@ -729,7 +707,6 @@ function createEVAL() {
 pcapspace || return 1
 add_elasticsearch_to_minion || return 1
 add_sensor_to_minion || return 1
- add_strelka_to_minion || return 1
 add_elastalert_to_minion || return 1
 add_kibana_to_minion || return 1
 add_telegraf_to_minion || return 1
@@ -748,7 +725,6 @@ function createSTANDALONE() {
 add_elasticsearch_to_minion || return 1
 add_logstash_to_minion || return 1
 add_sensor_to_minion || return 1
- add_strelka_to_minion || return 1
 add_elastalert_to_minion || return 1
 add_kibana_to_minion || return 1
 add_redis_to_minion || return 1
@@ -833,7 +809,6 @@ function createHEAVYNODE() {
 add_elasticsearch_to_minion || return 1
 add_elastic_agent_to_minion || return 1
 add_sensor_to_minion || return 1
- add_strelka_to_minion || return 1
 add_telegraf_to_minion || return 1
 }
 
@@ -844,7 +819,6 @@ function createSENSOR() {
 PCAP_PERCENTAGE=3
 pcapspace || return 1
 add_sensor_to_minion || return 1
- add_strelka_to_minion || return 1
 add_telegraf_to_minion || return 1
 }
 
diff --git a/salt/strelka/backend/config.sls b/salt/strelka/backend/config.sls
deleted file mode 100644
index b39e06ac8..000000000
--- a/salt/strelka/backend/config.sls
+++ /dev/null
@@ -1,59 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{% from 'allowed_states.map.jinja' import allowed_states %} -{% if sls.split('.')[0] in allowed_states %} -{% from 'strelka/map.jinja' import STRELKAMERGED %} - -include: - - strelka.config - - strelka.backend.sostatus - -backend_backend_config: - file.managed: - - name: /opt/so/conf/strelka/backend/backend.yaml - - source: salt://strelka/backend/files/backend.yaml.jinja - - template: jinja - - user: 939 - - group: 939 - - makedirs: True - - defaults: - BACKENDCONFIG: {{ STRELKAMERGED.backend.config.backend }} - -backend_logging_config: - file.managed: - - name: /opt/so/conf/strelka/backend/logging.yaml - - source: salt://strelka/backend/files/logging.yaml.jinja - - template: jinja - - user: 939 - - group: 939 - - defaults: - LOGGINGCONFIG: {{ STRELKAMERGED.backend.config.logging }} - -backend_passwords: - file.managed: - - name: /opt/so/conf/strelka/backend/passwords.dat - - source: salt://strelka/backend/files/passwords.dat.jinja - - template: jinja - - user: 939 - - group: 939 - - defaults: - PASSWORDS: {{ STRELKAMERGED.backend.config.passwords }} - -backend_taste: - file.managed: - - name: /opt/so/conf/strelka/backend/taste/taste.yara - - source: salt://strelka/backend/files/taste/taste.yara - - makedirs: True - - user: 939 - - group: 939 - -{% else %} - -{{sls}}_state_not_allowed: - test.fail_without_changes: - - name: {{sls}}_state_not_allowed - -{% endif %} diff --git a/salt/strelka/backend/disabled.sls b/salt/strelka/backend/disabled.sls deleted file mode 100644 index fcf9136c6..000000000 --- a/salt/strelka/backend/disabled.sls +++ /dev/null 
@@ -1,27 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{% from 'allowed_states.map.jinja' import allowed_states %} -{% if sls.split('.')[0] in allowed_states %} - -include: - - strelka.backend.sostatus - -so-strelka-backend: - docker_container.absent: - - force: True - -so-strelka-backend_so-status.disabled: - file.comment: - - name: /opt/so/conf/so-status/so-status.conf - - regex: ^so-strelka-backend$ - -{% else %} - -{{sls}}_state_not_allowed: - test.fail_without_changes: - - name: {{sls}}_state_not_allowed - -{% endif %} diff --git a/salt/strelka/backend/enabled.sls b/salt/strelka/backend/enabled.sls deleted file mode 100644 index ca3f0e6dc..000000000 --- a/salt/strelka/backend/enabled.sls +++ /dev/null 
@@ -1,69 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{% from 'allowed_states.map.jinja' import allowed_states %} -{% if sls.split('.')[0] in allowed_states %} -{% from 'docker/docker.map.jinja' import DOCKERMERGED %} -{% from 'vars/globals.map.jinja' import GLOBALS %} - -include: - - strelka.backend.config - - strelka.backend.sostatus - -strelka_backend: - docker_container.running: - - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-strelka-backend:{{ GLOBALS.so_version }} - - binds: - - /opt/so/conf/strelka/backend/:/etc/strelka/:ro - - /opt/so/conf/strelka/rules/compiled/:/etc/yara/:ro - {% if DOCKERMERGED.containers['so-strelka-backend'].custom_bind_mounts %} - {% for BIND in DOCKERMERGED.containers['so-strelka-backend'].custom_bind_mounts %} - - {{ BIND }} - {% endfor %} - {% endif %} - - name: so-strelka-backend - - networks: - - sobridge: - - ipv4_address: {{ DOCKERMERGED.containers['so-strelka-backend'].ip }} - - command: strelka-backend - - extra_hosts: - - {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }} - {% if DOCKERMERGED.containers['so-strelka-backend'].extra_hosts %} - {% for XTRAHOST in DOCKERMERGED.containers['so-strelka-backend'].extra_hosts %} - - {{ XTRAHOST }} - {% endfor %} - {% endif %} - {% if DOCKERMERGED.containers['so-strelka-backend'].extra_env %} - - environment: - {% for XTRAENV in DOCKERMERGED.containers['so-strelka-backend'].extra_env %} - - {{ XTRAENV }} - {% endfor %} - {% endif %} - {% if DOCKERMERGED.containers['so-strelka-backend'].ulimits %} - - ulimits: - {% for ULIMIT in DOCKERMERGED.containers['so-strelka-backend'].ulimits %} - - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }} - {% endfor %} - {% endif %} - - restart_policy: 
on-failure - - watch: - - file: strelkasensorcompiledrules - - file: backend_backend_config - - file: backend_logging_config - - file: backend_passwords - - file: backend_taste - -delete_so-strelka-backend_so-status.disabled: - file.uncomment: - - name: /opt/so/conf/so-status/so-status.conf - - regex: ^so-strelka-backend$ - -{% else %} - -{{sls}}_state_not_allowed: - test.fail_without_changes: - - name: {{sls}}_state_not_allowed - -{% endif %} diff --git a/salt/strelka/backend/files/backend.yaml.jinja b/salt/strelka/backend/files/backend.yaml.jinja deleted file mode 100644 index 151cff550..000000000 --- a/salt/strelka/backend/files/backend.yaml.jinja +++ /dev/null @@ -1 +0,0 @@ -{{ BACKENDCONFIG | yaml(false) }} diff --git a/salt/strelka/backend/files/logging.yaml.jinja b/salt/strelka/backend/files/logging.yaml.jinja deleted file mode 100644 index f3915e9f1..000000000 --- a/salt/strelka/backend/files/logging.yaml.jinja +++ /dev/null @@ -1 +0,0 @@ -{{ LOGGINGCONFIG | yaml(false) }} diff --git a/salt/strelka/backend/files/passwords.dat.jinja b/salt/strelka/backend/files/passwords.dat.jinja deleted file mode 100644 index 45ac9c6e0..000000000 --- a/salt/strelka/backend/files/passwords.dat.jinja +++ /dev/null @@ -1 +0,0 @@ -{{ PASSWORDS | join('\n') }} diff --git a/salt/strelka/backend/files/taste/taste.yara b/salt/strelka/backend/files/taste/taste.yara deleted file mode 100644 index 15d2dffbb..000000000 --- a/salt/strelka/backend/files/taste/taste.yara +++ /dev/null 
@@ -1,748 +0,0 @@ -// Archive Files - -rule _7zip_file -{ - meta: - type = "archive" - strings: - $a = { 37 7A BC AF 27 1C } - condition: - $a at 0 -} - -rule arj_file -{ - meta: - type = "archive" - condition: - uint16(0) == 0xEA60 -} - -rule cab_file -{ - meta: - type = "archive" - strings: - $a = { 4D 53 43 46 00 00 00 00 } - condition: - $a at 0 or - ( uint16(0) == 0x5A4D and $a ) -} - -rule cpio_file -{ - meta: - type = "archive" - strings: - $a = { 30 37 30 37 30 31 } - condition: - $a at 0 -} - -rule iso_file -{ - meta: - type = "archive" - strings: - $a = { 43 44 30 30 31 } - condition: - $a at 0x8001 and $a at 0x8801 and $a at 0x9001 -} - -rule mhtml_file -{ - meta: - type = "archive" - strings: - $a = "MIME-Version: 1.0" - $b = "This document is a Single File Web Page, also known as a Web Archive file" - condition: - $a at 0 and $b -} - -rule rar_file -{ - meta: - type = "archive" - condition: - uint16(0) == 0x6152 and uint8(2) == 0x72 and uint16(3) == 0x1A21 and uint8(5) == 0x07 -} - -rule tar_file -{ - meta: - type = "archive" - strings: - $a = { 75 73 74 61 72 } - condition: - uint16(0) == 0x9D1F or - uint16(0) == 0xA01F or - $a at 257 -} - -rule xar_file -{ - meta: - type = "archive" - condition: - uint32(0) == 0x21726178 -} - -rule zip_file -{ - meta: - type = "archive" - condition: - ( uint32(0) == 0x04034B50 and not uint32(4) == 0x00060014 ) -} - -// Audio Files - -rule mp3_file -{ - meta: - type = "audio" - condition: - uint16(0) == 0x4449 and uint8(2) == 0x33 -} - -// Certificate Files - -rule pkcs7_file -{ - meta: - type = "certificate" - strings: - $a = "-----BEGIN PKCS7-----" - condition: - (uint16(0) == 0x8230 and uint16(4) == 0x0906) or - uint32(0) == 0x09068030 or - $a at 0 -} - -rule x509_der_file -{ - meta: - type = "certificate" - condition: - uint16(0) == 0x8230 and ( uint16(4) == 0x8230 or uint16(4) == 0x8130 ) -} - -rule x509_pem_file -{ - meta: - type = "certificate" - strings: - $a = "-----BEGIN CERTI" - condition: - $a at 0 -} - 
-// Compressed Files - -rule bzip2_file -{ - meta: - type = "compressed" - condition: - uint16(0) == 0x5A42 and uint8(2) == 0x68 -} - -rule gzip_file -{ - meta: - type = "compressed" - condition: - uint16(0) == 0x8B1F and uint8(2) == 0x08 -} - -rule lzma_file -{ - meta: - type = "compressed" - condition: - uint16(0) == 0x005D and uint8(2) == 0x00 -} - -rule xz_file -{ - meta: - type = "compressed" - condition: - uint32(0) == 0x587A37FD and uint16(4) == 0x005A -} - -// Document Files - -rule doc_subheader_file -{ - meta: - type = "document" - condition: - uint32(0) == 0x00C1A5EC -} - -rule mso_file -{ - meta: - type = "document" - strings: - $a = { 3C 3F 6D 73 6F 2D 61 70 70 6C 69 63 61 74 69 6F 6E 20 } // - condition: - $a at 0 or - $b at 0 or - $c at 0 or - $d at 0 or - $e at 0 or - $f at 0 or - $g at 0 or - $h at 0 or - $i at 0 or - $j at 0 or - $k at 0 or - $l at 0 or - $m at 0 or - $n at 0 -} - -rule json_file -{ - meta: - type = "text" - strings: - $a = { 7B [0-5] 22 } - condition: - $a at 0 -} - -rule php_file -{ - meta: - type = "text" - strings: - $a = { 3c 3f 70 68 70 } - condition: - $a at 0 -} - -rule soap_file -{ - meta: - description = "Simple Object Access Protocol" - type = "text" - strings: - $a = { 3C 73 6F 61 70 65 6E 76 3A 45 6E 76 65 6C 6F 70 65 } // - $c = { 3C 73 74 79 6C 65 53 68 65 65 74 20 78 6D 6C 6E 73 3D } // 0: - shawnuff.update(buf) - buf = afile.read(8192) - hizash=shawnuff.hexdigest() - process(filename, hizash) - -def process(filename, hizash): - if os.path.exists(historypath + hizash): - logging.info(filename + " Already exists.. removing") - os.remove(filename) - else: - # Write the file - logging.info(filename + " is new. 
Creating a record and sending to Strelka") - with open(os.path.join(historypath + hizash), 'w') as fp: - pass - head, tail = os.path.split(filename) - - # Move the file - shutil.move(filename, strelkapath + tail) - -class CreatedEventHandler(FileSystemEventHandler): - def on_created(self, event): - logging.info("File create detected: " + event.src_path) - checksum(event.src_path) - - def on_moved(self, event): - logging.info("File move detected: " + event.src_path + " -> " + event.dest_path) - checksum(event.dest_path) - -if __name__ == "__main__": - logging.info("Starting filecheck") - - event_handler =CreatedEventHandler() - - shutdown = False - while not shutdown: - checkexisting() - logging.info("Scheduling observer") - observer = Observer() - observer.schedule(event_handler, extract_path, recursive=True) - observer.start() - try: - time.sleep(recycle_secs) - except KeyboardInterrupt: - logging.warn("User requested shutdown") - shutdown = True - - observer.stop() - observer.join() - - if not shutdown: - logging.info("Recycling observer to pick up new subdirectories") - - logging.info("Exiting filecheck") diff --git a/salt/strelka/filecheck/filecheck.yaml.jinja b/salt/strelka/filecheck/filecheck.yaml.jinja deleted file mode 100644 index 1f5453f93..000000000 --- a/salt/strelka/filecheck/filecheck.yaml.jinja +++ /dev/null @@ -1,2 +0,0 @@ -filecheck: - {{ FILECHECKCONFIG | yaml(false) | indent(width=2) }} diff --git a/salt/strelka/filestream/config.sls b/salt/strelka/filestream/config.sls deleted file mode 100644 index 2eaee7b53..000000000 --- a/salt/strelka/filestream/config.sls +++ /dev/null 
@@ -1,165 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{% from 'allowed_states.map.jinja' import allowed_states %} -{% if sls.split('.')[0] in allowed_states %} -{% from 'strelka/map.jinja' import STRELKAMERGED %} -{% from 'vars/globals.map.jinja' import GLOBALS %} -{% from 'strelka/map.jinja' import filecheck_runas %} - -include: - - strelka.config - - strelka.filestream.sostatus - -strelkaprocessed: - file.directory: - - name: /nsm/strelka/processed - - user: 939 - - group: 939 - - makedirs: True - -strelkastaging: - file.directory: - - name: /nsm/strelka/staging - - user: 939 - - group: 939 - - makedirs: True - -strelkaunprocessed: - file.directory: - - name: /nsm/strelka/unprocessed - - user: 939 - - group: 939 - - mode: 775 - - makedirs: True - -filestream_config: - file.managed: - - name: /opt/so/conf/strelka/filestream/filestream.yaml - - source: salt://strelka/filestream/files/filestream.yaml.jinja - - template: jinja - - user: 939 - - group: 939 - - makedirs: True - - defaults: - FILESTREAMCONFIG: {{ STRELKAMERGED.filestream.config }} - -# Filecheck Section -remove_old_watchdog: - pkg.removed: - - name: python3-watchdog - -install_watchdog: - pkg.installed: - - name: securityonion-python39-watchdog - -filecheck_logdir: - file.directory: - - name: /opt/so/log/strelka - - user: 939 - - group: 939 - - mode: 775 - - makedirs: True - -filecheck_history: - file.directory: - - name: /nsm/strelka/history - - user: 939 - - group: 939 - - mode: 775 - - makedirs: True - -filecheck_conf: - file.managed: - - name: /opt/so/conf/strelka/filecheck.yaml - - source: salt://strelka/filecheck/filecheck.yaml.jinja - - template: jinja - - defaults: - FILECHECKCONFIG: {{ STRELKAMERGED.filecheck }} - 
-filecheck_script: - file.managed: - - name: /opt/so/conf/strelka/filecheck - - source: salt://strelka/filecheck/filecheck - - user: 939 - - group: 939 - - mode: 755 - -filecheck.log: - file.managed: - - name: /opt/so/log/strelka/filecheck.log - - user: {{ filecheck_runas }} - - group: {{ filecheck_runas }} - - replace: False - -filecheck_stdout.log: - file.managed: - - name: /opt/so/log/strelka/filecheck_stdout.log - - user: {{ filecheck_runas }} - - group: {{ filecheck_runas }} - - replace: False - -{% if GLOBALS.md_engine == 'ZEEK' %} - -remove_filecheck_run: - cron.absent: - - identifier: filecheck_run - - user: socore - -filecheck_run_socore: - cron.present: - - name: 'ps -ef | grep filecheck | grep -v grep > /dev/null 2>&1 || python3 /opt/so/conf/strelka/filecheck >> /opt/so/log/strelka/filecheck_stdout.log 2>&1 &' - - identifier: filecheck_run_socore - - user: socore - -remove_filecheck_run_suricata: - cron.absent: - - identifier: filecheck_run_suricata - - user: suricata - -{% elif GLOBALS.md_engine == 'SURICATA'%} - -remove_filecheck_run: - cron.absent: - - identifier: filecheck_run - - user: suricata - -filecheck_run_suricata: - cron.present: - - name: 'ps -ef | grep filecheck | grep -v grep > /dev/null 2>&1 || python3 /opt/so/conf/strelka/filecheck >> /opt/so/log/strelka/filecheck_stdout.log 2>&1 &' - - identifier: filecheck_run_suricata - - user: suricata - -remove_filecheck_run_socore: - cron.absent: - - identifier: filecheck_run_socore - - user: socore - -{% endif %} - -filecheck_restart: - cmd.run: - - name: pkill -f "python3 /opt/so/conf/strelka/filecheck" - - hide_output: True - - success_retcodes: [0,1] - - onchanges: - - file: filecheck_script - - file: filecheck_conf - - pkg: install_watchdog - -filcheck_history_clean: - cron.present: - - name: '/usr/bin/find /nsm/strelka/history/ -type f -mtime +2 -exec rm {} + > /dev/null 2>&1' - - identifier: filecheck_history_clean - - minute: '33' -# End Filecheck Section - -{% else %} - 
-{{sls}}_state_not_allowed:
- test.fail_without_changes:
- - name: {{sls}}_state_not_allowed
-
-{% endif %}
diff --git a/salt/strelka/filestream/disabled.sls b/salt/strelka/filestream/disabled.sls
deleted file mode 100644
index 162e310a9..000000000
--- a/salt/strelka/filestream/disabled.sls
+++ /dev/null
@@ -1,27 +0,0 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-{% from 'allowed_states.map.jinja' import allowed_states %}
-{% if sls.split('.')[0] in allowed_states %}
-
-include:
- - strelka.filestream.sostatus
-
-so-strelka-filestream:
- docker_container.absent:
- - force: True
-
-so-strelka-filestream_so-status.disabled:
- file.comment:
- - name: /opt/so/conf/so-status/so-status.conf
- - regex: ^so-strelka-filestream$
-
-{% else %}
-
-{{sls}}_state_not_allowed:
- test.fail_without_changes:
- - name: {{sls}}_state_not_allowed
-
-{% endif %}
diff --git a/salt/strelka/filestream/enabled.sls b/salt/strelka/filestream/enabled.sls
deleted file mode 100644
index b03faf4b1..000000000
--- a/salt/strelka/filestream/enabled.sls
+++ /dev/null
@@ -1,64 +0,0 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-{% from 'allowed_states.map.jinja' import allowed_states %}
-{% if sls.split('.')[0] in allowed_states %}
-{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
-{% from 'vars/globals.map.jinja' import GLOBALS %}
-
-include:
- - strelka.filestream.config
- - strelka.filestream.sostatus
-
-strelka_filestream:
- docker_container.running:
- - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-strelka-manager:{{ GLOBALS.so_version }}
- - binds:
- - /opt/so/conf/strelka/filestream/:/etc/strelka/:ro
- - /nsm/strelka:/nsm/strelka
- {% if DOCKERMERGED.containers['so-strelka-filestream'].custom_bind_mounts %}
- {% for BIND in DOCKERMERGED.containers['so-strelka-filestream'].custom_bind_mounts %}
- - {{ BIND }}
- {% endfor %}
- {% endif %}
- - name: so-strelka-filestream
- - networks:
- - sobridge:
- - ipv4_address: {{ DOCKERMERGED.containers['so-strelka-filestream'].ip }}
- - command: strelka-filestream
- - extra_hosts:
- - {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
- {% if DOCKERMERGED.containers['so-strelka-filestream'].extra_hosts %}
- {% for XTRAHOST in DOCKERMERGED.containers['so-strelka-filestream'].extra_hosts %}
- - {{ XTRAHOST }}
- {% endfor %}
- {% endif %}
- {% if DOCKERMERGED.containers['so-strelka-filestream'].extra_env %}
- - environment:
- {% for XTRAENV in DOCKERMERGED.containers['so-strelka-filestream'].extra_env %}
- - {{ XTRAENV }}
- {% endfor %}
- {% endif %}
- {% if DOCKERMERGED.containers['so-strelka-filestream'].ulimits %}
- - ulimits:
- {% for ULIMIT in DOCKERMERGED.containers['so-strelka-filestream'].ulimits %}
- - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
- {% endfor %}
- {% endif %}
- -
watch:
- - file: filestream_config
-
-delete_so-strelka-filestream_so-status.disabled:
- file.uncomment:
- - name: /opt/so/conf/so-status/so-status.conf
- - regex: ^so-strelka-filestream$
-
-{% else %}
-
-{{sls}}_state_not_allowed:
- test.fail_without_changes:
- - name: {{sls}}_state_not_allowed
-
-{% endif %}
diff --git a/salt/strelka/filestream/files/filestream.yaml.jinja b/salt/strelka/filestream/files/filestream.yaml.jinja
deleted file mode 100644
index dc435fd9c..000000000
--- a/salt/strelka/filestream/files/filestream.yaml.jinja
+++ /dev/null
@@ -1 +0,0 @@
-{{ FILESTREAMCONFIG | yaml(false) }}
diff --git a/salt/strelka/filestream/init.sls b/salt/strelka/filestream/init.sls
deleted file mode 100644
index 79b471891..000000000
--- a/salt/strelka/filestream/init.sls
+++ /dev/null
@@ -1,13 +0,0 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-{% from 'strelka/map.jinja' import STRELKAMERGED %}
-
-include:
-{% if STRELKAMERGED.filestream.enabled %}
- - strelka.filestream.enabled
-{% else %}
- - strelka.filestream.disabled
-{% endif %}
diff --git a/salt/strelka/filestream/sostatus.sls b/salt/strelka/filestream/sostatus.sls
deleted file mode 100644
index cb292a459..000000000
--- a/salt/strelka/filestream/sostatus.sls
+++ /dev/null
@@ -1,21 +0,0 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-{% from 'allowed_states.map.jinja' import allowed_states %}
-{% if sls.split('.')[0] in allowed_states %}
-
-append_so-strelka-filestream_so-status.conf:
- file.append:
- - name: /opt/so/conf/so-status/so-status.conf
- - text: so-strelka-filestream
- - unless: grep -q so-strelka-filestream /opt/so/conf/so-status/so-status.conf
-
-{% else %}
-
-{{sls}}_state_not_allowed:
- test.fail_without_changes:
- - name: {{sls}}_state_not_allowed
-
-{% endif %}
diff --git a/salt/strelka/frontend/config.sls b/salt/strelka/frontend/config.sls
deleted file mode 100644
index e06994b10..000000000
--- a/salt/strelka/frontend/config.sls
+++ /dev/null
@@ -1,36 +0,0 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-{% from 'allowed_states.map.jinja' import allowed_states %}
-{% if sls.split('.')[0] in allowed_states %}
-{% from 'strelka/map.jinja' import STRELKAMERGED %}
-
-include:
- - strelka.config
- - strelka.frontend.sostatus
-
-# Check to see if Strelka frontend port is available
-strelkaportavailable:
- cmd.run:
- - name: netstat -utanp | grep ":57314" | grep -qvE 'docker|TIME_WAIT' && PROCESS=$(netstat -utanp | grep ":57314" | uniq) && echo "Another process ($PROCESS) appears to be using port 57314. Please terminate this process, or reboot to ensure a clean state so that Strelka can start properly." && exit 1 || exit 0
-
-frontend_config:
- file.managed:
- - name: /opt/so/conf/strelka/frontend/frontend.yaml
- - source: salt://strelka/frontend/files/frontend.yaml.jinja
- - template: jinja
- - user: 939
- - group: 939
- - makedirs: True
- - defaults:
- FRONTENDCONFIG: {{ STRELKAMERGED.frontend.config }}
-
-{% else %}
-
-{{sls}}_state_not_allowed:
- test.fail_without_changes:
- - name: {{sls}}_state_not_allowed
-
-{% endif %}
diff --git a/salt/strelka/frontend/disabled.sls b/salt/strelka/frontend/disabled.sls
deleted file mode 100644
index 66f6c898c..000000000
--- a/salt/strelka/frontend/disabled.sls
+++ /dev/null
@@ -1,27 +0,0 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-{% from 'allowed_states.map.jinja' import allowed_states %}
-{% if sls.split('.')[0] in allowed_states %}
-
-include:
- - strelka.frontend.sostatus
-
-so-strelka-frontend:
- docker_container.absent:
- - force: True
-
-so-strelka-frontend_so-status.disabled:
- file.comment:
- - name: /opt/so/conf/so-status/so-status.conf
- - regex: ^so-strelka-frontend$
-
-{% else %}
-
-{{sls}}_state_not_allowed:
- test.fail_without_changes:
- - name: {{sls}}_state_not_allowed
-
-{% endif %}
diff --git a/salt/strelka/frontend/enabled.sls b/salt/strelka/frontend/enabled.sls
deleted file mode 100644
index 58e703898..000000000
--- a/salt/strelka/frontend/enabled.sls
+++ /dev/null
@@ -1,69 +0,0 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-{% from 'allowed_states.map.jinja' import allowed_states %}
-{% if sls.split('.')[0] in allowed_states %}
-{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
-{% from 'vars/globals.map.jinja' import GLOBALS %}
-
-include:
- - strelka.frontend.config
- - strelka.frontend.sostatus
-
-strelka_frontend:
- docker_container.running:
- - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-strelka-manager:{{ GLOBALS.so_version }}
- - binds:
- - /opt/so/conf/strelka/frontend/:/etc/strelka/:ro
- - /nsm/strelka/log/:/var/log/strelka/:rw
- {% if DOCKERMERGED.containers['so-strelka-frontend'].custom_bind_mounts %}
- {% for BIND in DOCKERMERGED.containers['so-strelka-frontend'].custom_bind_mounts %}
- - {{ BIND }}
- {% endfor %}
- {% endif %}
- - privileged: True
- - name: so-strelka-frontend
- - networks:
- - sobridge:
- - ipv4_address: {{ DOCKERMERGED.containers['so-strelka-frontend'].ip }}
- - command: strelka-frontend
- - extra_hosts:
- - {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
- {% if DOCKERMERGED.containers['so-strelka-frontend'].extra_hosts %}
- {% for XTRAHOST in DOCKERMERGED.containers['so-strelka-frontend'].extra_hosts %}
- - {{ XTRAHOST }}
- {% endfor %}
- {% endif %}
- - port_bindings:
- {% for BINDING in DOCKERMERGED.containers['so-strelka-frontend'].port_bindings %}
- - {{ BINDING }}
- {% endfor %}
- {% if DOCKERMERGED.containers['so-strelka-frontend'].extra_env %}
- - environment:
- {% for XTRAENV in DOCKERMERGED.containers['so-strelka-frontend'].extra_env %}
- - {{ XTRAENV }}
- {% endfor %}
- {% endif %}
- {% if DOCKERMERGED.containers['so-strelka-frontend'].ulimits %}
- - ulimits:
- {% for ULIMIT in
DOCKERMERGED.containers['so-strelka-frontend'].ulimits %}
- - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
- {% endfor %}
- {% endif %}
- - watch:
- - file: frontend_config
-
-delete_so-strelka-frontend_so-status.disabled:
- file.uncomment:
- - name: /opt/so/conf/so-status/so-status.conf
- - regex: ^so-strelka-frontend$
-
-{% else %}
-
-{{sls}}_state_not_allowed:
- test.fail_without_changes:
- - name: {{sls}}_state_not_allowed
-
-{% endif %}
diff --git a/salt/strelka/frontend/files/frontend.yaml.jinja b/salt/strelka/frontend/files/frontend.yaml.jinja
deleted file mode 100644
index 4cb281736..000000000
--- a/salt/strelka/frontend/files/frontend.yaml.jinja
+++ /dev/null
@@ -1 +0,0 @@
-{{ FRONTENDCONFIG | yaml(false) }}
diff --git a/salt/strelka/frontend/init.sls b/salt/strelka/frontend/init.sls
deleted file mode 100644
index 980746dfd..000000000
--- a/salt/strelka/frontend/init.sls
+++ /dev/null
@@ -1,13 +0,0 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-{% from 'strelka/map.jinja' import STRELKAMERGED %}
-
-include:
-{% if STRELKAMERGED.frontend.enabled %}
- - strelka.frontend.enabled
-{% else %}
- - strelka.frontend.disabled
-{% endif %}
diff --git a/salt/strelka/frontend/sostatus.sls b/salt/strelka/frontend/sostatus.sls
deleted file mode 100644
index a1ab76312..000000000
--- a/salt/strelka/frontend/sostatus.sls
+++ /dev/null
@@ -1,21 +0,0 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-{% from 'allowed_states.map.jinja' import allowed_states %}
-{% if sls.split('.')[0] in allowed_states %}
-
-append_so-strelka-frontend_so-status.conf:
- file.append:
- - name: /opt/so/conf/so-status/so-status.conf
- - text: so-strelka-frontend
- - unless: grep -q so-strelka-frontend /opt/so/conf/so-status/so-status.conf
-
-{% else %}
-
-{{sls}}_state_not_allowed:
- test.fail_without_changes:
- - name: {{sls}}_state_not_allowed
-
-{% endif %}
diff --git a/salt/strelka/gatekeeper/config.sls b/salt/strelka/gatekeeper/config.sls
deleted file mode 100644
index 069813f9d..000000000
--- a/salt/strelka/gatekeeper/config.sls
+++ /dev/null
@@ -1,19 +0,0 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-{% from 'allowed_states.map.jinja' import allowed_states %}
-{% if sls.split('.')[0] in allowed_states %}
-
-include:
- - strelka.config
- - strelka.gatekeeper.sostatus
-
-{% else %}
-
-{{sls}}_state_not_allowed:
- test.fail_without_changes:
- - name: {{sls}}_state_not_allowed
-
-{% endif %}
diff --git a/salt/strelka/gatekeeper/disabled.sls b/salt/strelka/gatekeeper/disabled.sls
deleted file mode 100644
index 8f49d383c..000000000
--- a/salt/strelka/gatekeeper/disabled.sls
+++ /dev/null
@@ -1,27 +0,0 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-{% from 'allowed_states.map.jinja' import allowed_states %}
-{% if sls.split('.')[0] in allowed_states %}
-
-include:
- - strelka.gatekeeper.sostatus
-
-so-strelka-gatekeeper:
- docker_container.absent:
- - force: True
-
-so-strelka-gatekeeper_so-status.disabled:
- file.comment:
- - name: /opt/so/conf/so-status/so-status.conf
- - regex: ^so-strelka-gatekeeper$
-
-{% else %}
-
-{{sls}}_state_not_allowed:
- test.fail_without_changes:
- - name: {{sls}}_state_not_allowed
-
-{% endif %}
diff --git a/salt/strelka/gatekeeper/enabled.sls b/salt/strelka/gatekeeper/enabled.sls
deleted file mode 100644
index 45b6e467e..000000000
--- a/salt/strelka/gatekeeper/enabled.sls
+++ /dev/null
@@ -1,65 +0,0 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-{% from 'allowed_states.map.jinja' import allowed_states %}
-{% if sls.split('.')[0] in allowed_states %}
-{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
-{% from 'vars/globals.map.jinja' import GLOBALS %}
-
-include:
- - strelka.gatekeeper.config
- - strelka.gatekeeper.sostatus
-
-strelka_gatekeeper:
- docker_container.running:
- - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-redis:{{ GLOBALS.so_version }}
- - name: so-strelka-gatekeeper
- - networks:
- - sobridge:
- - ipv4_address: {{ DOCKERMERGED.containers['so-strelka-gatekeeper'].ip }}
- - entrypoint: redis-server --save "" --appendonly no --maxmemory-policy allkeys-lru
- - extra_hosts:
- - {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
- {% if DOCKERMERGED.containers['so-strelka-gatekeeper'].extra_hosts %}
- {% for XTRAHOST in DOCKERMERGED.containers['so-strelka-gatekeeper'].extra_hosts %}
- - {{ XTRAHOST }}
- {% endfor %}
- {% endif %}
- - port_bindings:
- {% for BINDING in DOCKERMERGED.containers['so-strelka-gatekeeper'].port_bindings %}
- - {{ BINDING }}
- {% endfor %}
- - binds:
- - /nsm/strelka/gk-redis-data:/data:rw
- {% if DOCKERMERGED.containers['so-strelka-gatekeeper'].custom_bind_mounts %}
- {% for BIND in DOCKERMERGED.containers['so-strelka-gatekeeper'].custom_bind_mounts %}
- - {{ BIND }}
- {% endfor %}
- {% endif %}
- {% if DOCKERMERGED.containers['so-strelka-gatekeeper'].extra_env %}
- - environment:
- {% for XTRAENV in DOCKERMERGED.containers['so-strelka-gatekeeper'].extra_env %}
- - {{ XTRAENV }}
- {% endfor %}
- {% endif %}
- {% if DOCKERMERGED.containers['so-strelka-gatekeeper'].ulimits %}
- - ulimits:
- {% for ULIMIT in
DOCKERMERGED.containers['so-strelka-gatekeeper'].ulimits %}
- - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
- {% endfor %}
- {% endif %}
-
-delete_so-strelka-gatekeeper_so-status.disabled:
- file.uncomment:
- - name: /opt/so/conf/so-status/so-status.conf
- - regex: ^so-strelka-gatekeeper$
-
-{% else %}
-
-{{sls}}_state_not_allowed:
- test.fail_without_changes:
- - name: {{sls}}_state_not_allowed
-
-{% endif %}
diff --git a/salt/strelka/gatekeeper/init.sls b/salt/strelka/gatekeeper/init.sls
deleted file mode 100644
index 33ece563a..000000000
--- a/salt/strelka/gatekeeper/init.sls
+++ /dev/null
@@ -1,13 +0,0 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-{% from 'strelka/map.jinja' import STRELKAMERGED %}
-
-include:
-{% if STRELKAMERGED.gatekeeper.enabled %}
- - strelka.gatekeeper.enabled
-{% else %}
- - strelka.gatekeeper.disabled
-{% endif %}
diff --git a/salt/strelka/gatekeeper/sostatus.sls b/salt/strelka/gatekeeper/sostatus.sls
deleted file mode 100644
index db6c6416e..000000000
--- a/salt/strelka/gatekeeper/sostatus.sls
+++ /dev/null
@@ -1,21 +0,0 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-{% from 'allowed_states.map.jinja' import allowed_states %}
-{% if sls.split('.')[0] in allowed_states %}
-
-append_so-strelka-gatekeeper_so-status.conf:
- file.append:
- - name: /opt/so/conf/so-status/so-status.conf
- - text: so-strelka-gatekeeper
- - unless: grep -q so-strelka-gatekeeper /opt/so/conf/so-status/so-status.conf
-
-{% else %}
-
-{{sls}}_state_not_allowed:
- test.fail_without_changes:
- - name: {{sls}}_state_not_allowed
-
-{% endif %}
diff --git a/salt/strelka/init.sls b/salt/strelka/init.sls
deleted file mode 100644
index a60612087..000000000
--- a/salt/strelka/init.sls
+++ /dev/null
@@ -1,43 +0,0 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-{% from 'strelka/map.jinja' import STRELKAMERGED %}
-
-include:
-{% if STRELKAMERGED.coordinator.enabled %}
- - strelka.coordinator.enabled
-{% else %}
- - strelka.coordinator.disabled
-{% endif %}
-
-{% if STRELKAMERGED.gatekeeper.enabled %}
- - strelka.gatekeeper.enabled
-{% else %}
- - strelka.gatekeeper.disabled
-{% endif %}
-
-{% if STRELKAMERGED.frontend.enabled %}
- - strelka.frontend.enabled
-{% else %}
- - strelka.frontend.disabled
-{% endif %}
-
-{% if STRELKAMERGED.backend.enabled %}
- - strelka.backend.enabled
-{% else %}
- - strelka.backend.disabled
-{% endif %}
-
-{% if STRELKAMERGED.manager.enabled %}
- - strelka.manager.enabled
-{% else %}
- - strelka.manager.disabled
-{% endif %}
-
-{% if STRELKAMERGED.filestream.enabled %}
- - strelka.filestream.enabled
-{% else %}
- - strelka.filestream.disabled
-{% endif %}
diff --git a/salt/strelka/manager.sls b/salt/strelka/manager.sls
deleted file mode 100644
index 6a4aea416..000000000
--- a/salt/strelka/manager.sls
+++ /dev/null
@@ -1,37 +0,0 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-{% from 'allowed_states.map.jinja' import allowed_states %}
-{# if strelka.manager or strelka in allowed_states #}
-{% if sls in allowed_states or sls.split('.')[0] in allowed_states %}
-
-# Strelka config
-strelkarulesdir:
- file.directory:
- - name: /opt/so/conf/strelka/rules
- - user: 939
- - group: 939
- - makedirs: True
-
-strelkacompileyara:
- file.managed:
- - name: /opt/so/conf/strelka/compile_yara.py
- - source: salt://strelka/compile_yara/compile_yara.py
- - user: 939
- - group: 939
-
-strelkareposdir:
- file.directory:
- - name: /opt/so/conf/strelka/repos
- - user: 939
- - group: 939
-
-{% else %}
-
-{{sls}}_state_not_allowed:
- test.fail_without_changes:
- - name: {{sls}}_state_not_allowed
-
-{% endif %}
diff --git a/salt/strelka/manager/config.sls b/salt/strelka/manager/config.sls
deleted file mode 100644
index a99bdb27a..000000000
--- a/salt/strelka/manager/config.sls
+++ /dev/null
@@ -1,31 +0,0 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-{% from 'allowed_states.map.jinja' import allowed_states %}
-{% if sls.split('.')[0] in allowed_states %}
-{% from 'strelka/map.jinja' import STRELKAMERGED %}
-
-include:
- - strelka.config
- - strelka.manager.sostatus
-
-manager_config:
- file.managed:
- - name: /opt/so/conf/strelka/manager/manager.yaml
- - source: salt://strelka/manager/files/manager.yaml.jinja
- - template: jinja
- - user: 939
- - group: 939
- - makedirs: True
- - defaults:
- MANAGERCONFIG: {{ STRELKAMERGED.manager.config }}
-
-{% else %}
-
-{{sls}}_state_not_allowed:
- test.fail_without_changes:
- - name: {{sls}}_state_not_allowed
-
-{% endif %}
diff --git a/salt/strelka/manager/disabled.sls b/salt/strelka/manager/disabled.sls
deleted file mode 100644
index 0826166ad..000000000
--- a/salt/strelka/manager/disabled.sls
+++ /dev/null
@@ -1,27 +0,0 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-{% from 'allowed_states.map.jinja' import allowed_states %}
-{% if sls.split('.')[0] in allowed_states %}
-
-include:
- - strelka.manager.sostatus
-
-so-strelka-manager:
- docker_container.absent:
- - force: True
-
-so-strelka-manager_so-status.disabled:
- file.comment:
- - name: /opt/so/conf/so-status/so-status.conf
- - regex: ^so-strelka-manager$
-
-{% else %}
-
-{{sls}}_state_not_allowed:
- test.fail_without_changes:
- - name: {{sls}}_state_not_allowed
-
-{% endif %}
diff --git a/salt/strelka/manager/enabled.sls b/salt/strelka/manager/enabled.sls
deleted file mode 100644
index 7c73452d8..000000000
--- a/salt/strelka/manager/enabled.sls
+++ /dev/null
@@ -1,63 +0,0 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-{% from 'allowed_states.map.jinja' import allowed_states %}
-{% if sls.split('.')[0] in allowed_states %}
-{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
-{% from 'vars/globals.map.jinja' import GLOBALS %}
-
-include:
- - strelka.manager.config
- - strelka.manager.sostatus
-
-strelka_manager:
- docker_container.running:
- - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-strelka-manager:{{ GLOBALS.so_version }}
- - binds:
- - /opt/so/conf/strelka/manager/:/etc/strelka/:ro
- {% if DOCKERMERGED.containers['so-strelka-manager'].custom_bind_mounts %}
- {% for BIND in DOCKERMERGED.containers['so-strelka-manager'].custom_bind_mounts %}
- - {{ BIND }}
- {% endfor %}
- {% endif %}
- - name: so-strelka-manager
- - networks:
- - sobridge:
- - ipv4_address: {{ DOCKERMERGED.containers['so-strelka-manager'].ip }}
- - command: strelka-manager
- - extra_hosts:
- - {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
- {% if DOCKERMERGED.containers['so-strelka-manager'].extra_hosts %}
- {% for XTRAHOST in DOCKERMERGED.containers['so-strelka-manager'].extra_hosts %}
- - {{ XTRAHOST }}
- {% endfor %}
- {% endif %}
- {% if DOCKERMERGED.containers['so-strelka-manager'].extra_env %}
- - environment:
- {% for XTRAENV in DOCKERMERGED.containers['so-strelka-manager'].extra_env %}
- - {{ XTRAENV }}
- {% endfor %}
- {% endif %}
- {% if DOCKERMERGED.containers['so-strelka-manager'].ulimits %}
- - ulimits:
- {% for ULIMIT in DOCKERMERGED.containers['so-strelka-manager'].ulimits %}
- - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
- {% endfor %}
- {% endif %}
- - watch:
- - file: manager_config
-
-delete_so-strelka-manager_so-status.disabled:
- file.uncomment:
- - name: /opt/so/conf/so-status/so-status.conf
- - regex: ^so-strelka-manager$
-
-{% else %}
-
-{{sls}}_state_not_allowed:
- test.fail_without_changes:
- - name: {{sls}}_state_not_allowed
-
-{% endif %}
diff --git a/salt/strelka/manager/files/manager.yaml.jinja b/salt/strelka/manager/files/manager.yaml.jinja
deleted file mode 100644
index c91c2e8c8..000000000
--- a/salt/strelka/manager/files/manager.yaml.jinja
+++ /dev/null
@@ -1 +0,0 @@
-{{ MANAGERCONFIG | yaml(false) }}
diff --git a/salt/strelka/manager/init.sls b/salt/strelka/manager/init.sls
deleted file mode 100644
index 2b479751c..000000000
--- a/salt/strelka/manager/init.sls
+++ /dev/null
@@ -1,13 +0,0 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-{% from 'strelka/map.jinja' import STRELKAMERGED %}
-
-include:
-{% if STRELKAMERGED.manager.enabled %}
- - strelka.manager.enabled
-{% else %}
- - strelka.manager.disabled
-{% endif %}
diff --git a/salt/strelka/manager/sostatus.sls b/salt/strelka/manager/sostatus.sls
deleted file mode 100644
index 5e42093f5..000000000
--- a/salt/strelka/manager/sostatus.sls
+++ /dev/null
@@ -1,21 +0,0 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-{% from 'allowed_states.map.jinja' import allowed_states %}
-{% if sls.split('.')[0] in allowed_states %}
-
-append_so-strelka-manager_so-status.conf:
- file.append:
- - name: /opt/so/conf/so-status/so-status.conf
- - text: so-strelka-manager
- - unless: grep -q so-strelka-manager /opt/so/conf/so-status/so-status.conf
-
-{% else %}
-
-{{sls}}_state_not_allowed:
- test.fail_without_changes:
- - name: {{sls}}_state_not_allowed
-
-{% endif %}
diff --git a/salt/strelka/map.jinja b/salt/strelka/map.jinja
deleted file mode 100644
index 646f7a746..000000000
--- a/salt/strelka/map.jinja
+++ /dev/null
@@ -1,35 +0,0 @@
-{# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
- or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
- https://securityonion.net/license; you may not use this file except in compliance with the
- Elastic License 2.0. #}
-
-{% from 'vars/globals.map.jinja' import GLOBALS %}
-{% import_yaml 'strelka/defaults.yaml' as STRELKADEFAULTS %}
-{% set HOST = GLOBALS.hostname %}
-
-{% set backend_coordinator_port = STRELKADEFAULTS.strelka.backend.config.backend.coordinator.addr.split(':')[1] %}
-{% do STRELKADEFAULTS.strelka.backend.config.backend.coordinator.update({'addr': HOST ~ ':' ~ backend_coordinator_port}) %}
-
-{% set filestream_conn_port = STRELKADEFAULTS.strelka.filestream.config.conn.server.split(':')[1] %}
-{% do STRELKADEFAULTS.strelka.filestream.config.conn.update({'server': HOST ~ ':' ~ filestream_conn_port}) %}
-
-{% set frontend_coordinator_port = STRELKADEFAULTS.strelka.frontend.config.coordinator.addr.split(':')[1] %}
-{% do STRELKADEFAULTS.strelka.frontend.config.coordinator.update({'addr': HOST ~ ':' ~ frontend_coordinator_port}) %}
-
-{% set frontend_gatekeeper_port = STRELKADEFAULTS.strelka.frontend.config.gatekeeper.addr.split(':')[1] %}
-{% do STRELKADEFAULTS.strelka.frontend.config.gatekeeper.update({'addr': HOST ~ ':' ~ frontend_gatekeeper_port}) %}
-
-{% set manager_coordinator_port = STRELKADEFAULTS.strelka.manager.config.coordinator.addr.split(':')[1] %}
-{% do STRELKADEFAULTS.strelka.manager.config.coordinator.update({'addr': HOST ~ ':' ~ manager_coordinator_port}) %}
-
-{% if GLOBALS.md_engine == "SURICATA" %}
-{% set extract_path = '/nsm/suricata/extracted' %}
-{% set filecheck_runas = 'suricata' %}
-{% else %}
-{% set extract_path = '/nsm/zeek/extracted/complete' %}
-{% set filecheck_runas = 'socore' %}
-{% endif %}
-
-{% do STRELKADEFAULTS.strelka.filecheck.update({'extract_path': extract_path}) %}
-
-{% set STRELKAMERGED = 
salt['pillar.get']('strelka', STRELKADEFAULTS.strelka, merge=True) %}
diff --git a/salt/strelka/rules/compiled/DO.NOT.TOUCH b/salt/strelka/rules/compiled/DO.NOT.TOUCH
deleted file mode 100644
index e69de29bb..000000000
diff --git a/salt/strelka/soc_strelka.yaml b/salt/strelka/soc_strelka.yaml
deleted file mode 100644
index 0066bd6c3..000000000
--- a/salt/strelka/soc_strelka.yaml
+++ /dev/null
@@ -1,627 +0,0 @@ -strelka: - backend: - enabled: - description: Enables or disables the Strelka file analysis process. - forcedType: bool - helpLink: strelka - config: - backend: - logging_cfg: - description: Path to the Python logging configuration. - readonly: True - global: False - helpLink: strelka - advanced: True - limits: - max_files: - description: Number of files the backend will process before shutting down. - readonly: False - global: False - helpLink: strelka - time_to_live: - description: Amount of time (in seconds) that the backend will run before shutting down (0 to disable). - readonly: False - global: False - helpLink: strelka - max_depth: - description: Maximum depth that extracted files will be processed by the backend. - readonly: False - global: False - helpLink: strelka - distribution: - description: Amount of time (in seconds) that a single file can be distributed to all scanners. - readonly: False - global: False - helpLink: strelka - scanner: - description: Amount of time (in seconds) that a scanner can spend scanning a file (can be overridden per scanner). - readonly: False - global: False - helpLink: strelka - coordinator: - addr: - description: Network address of the coordinator. - readonly: False - global: False - helpLink: strelka - advanced: True - db: - description: Redis database of the coordinator. - readonly: False - global: False - helpLink: strelka - advanced: True - tasting: - mime_db: - description: Location of the MIME database used to taste files. - readonly: True - global: False - helpLink: strelka - advanced: True - yara_rules: - description: Location of the directory of YARA files that contains rules used to taste files. - readonly: True - global: False - helpLink: strelka - advanced: True - scanners: - 'ScanBase64PE': &scannerOptions - description: Configuration options for this scanner. 
- readonly: False - global: False - helpLink: strelka - advanced: True - forcedType: "[]{}" - syntax: json - 'ScanBatch': *scannerOptions - 'ScanBmpEof': *scannerOptions - 'ScanBzip2': *scannerOptions - 'ScanDmg': *scannerOptions - 'ScanDocx': *scannerOptions - 'ScanDonut': *scannerOptions - 'ScanElf': *scannerOptions - 'ScanEmail': *scannerOptions - 'ScanEncryptedDoc': *scannerOptions - 'ScanEncryptedZip': *scannerOptions - 'ScanEntropy': *scannerOptions - 'ScanExiftool': *scannerOptions - 'ScanFooter': *scannerOptions - 'ScanGif': *scannerOptions - 'ScanGzip': *scannerOptions - 'ScanHash': *scannerOptions - 'ScanHeader': *scannerOptions - 'ScanHtml': *scannerOptions - 'ScanIni': *scannerOptions - 'ScanIqy': *scannerOptions - 'ScanIso': *scannerOptions - 'ScanJarManifest': *scannerOptions - 'ScanJavascript': *scannerOptions - 'ScanJpeg': *scannerOptions - 'ScanJson': *scannerOptions - 'ScanLibarchive': *scannerOptions - 'ScanLNK': *scannerOptions - 'ScanLsb': *scannerOptions - 'ScanLzma': *scannerOptions - 'ScanMacho': *scannerOptions - 'ScanManifest': *scannerOptions - 'ScanMsi': *scannerOptions - 'ScanOcr': *scannerOptions - 'ScanOle': *scannerOptions - 'ScanOnenote': *scannerOptions - 'ScanPdf': *scannerOptions - 'ScanPe': *scannerOptions - 'ScanPgp': *scannerOptions - 'ScanPhp': *scannerOptions - 'ScanPkcs7': *scannerOptions - 'ScanPlist': *scannerOptions - 'ScanPngEof': *scannerOptions - 'ScanQr': *scannerOptions - 'ScanRar': *scannerOptions - 'ScanRpm': *scannerOptions - 'ScanRtf': *scannerOptions - 'ScanRuby': *scannerOptions - 'ScanSevenZip': *scannerOptions - 'ScanSwf': *scannerOptions - 'ScanTar': *scannerOptions - 'ScanTnef': *scannerOptions - 'ScanUpx': *scannerOptions - 'ScanUrl': *scannerOptions - 'ScanVb': *scannerOptions - 'ScanVba': *scannerOptions - 'ScanVhd': *scannerOptions - 'ScanVsto': *scannerOptions - 'ScanX509': *scannerOptions - 'ScanXml': *scannerOptions - 'ScanYara': *scannerOptions - 'ScanZip': *scannerOptions - 'ScanZlib': 
*scannerOptions - logging: - version: - description: This is an advanced option for Strelka logging. - readonly: False - global: False - helpLink: strelka - advanced: True - formatters: - simple: - format: - description: This is an advanced option for Strelka logging. - readonly: False - global: False - helpLink: strelka - advanced: True - datefmt: - description: This is an advanced option for Strelka logging. - readonly: False - global: False - helpLink: strelka - advanced: True - handlers: - console: - class: - description: This is an advanced option for Strelka logging. - readonly: False - global: False - helpLink: strelka - advanced: True - formatter: - description: This is an advanced option for Strelka logging. - readonly: False - global: False - helpLink: strelka - advanced: True - stream: - description: This is an advanced option for Strelka logging. - readonly: False - global: False - helpLink: strelka - advanced: True - root: - level: - description: This is an advanced option for Strelka logging. - readonly: False - global: False - helpLink: strelka - advanced: True - handlers: - description: This is an advanced option for Strelka logging. - readonly: False - global: False - helpLink: strelka - advanced: True - loggers: - OpenSSL: - propagate: - description: This is an advanced option for Strelka logging. - readonly: False - global: False - helpLink: strelka - advanced: True - bs4: - propagate: - description: This is an advanced option for Strelka logging. - readonly: False - global: False - helpLink: strelka - advanced: True - bz2: - propagate: - description: This is an advanced option for Strelka logging. - readonly: False - global: False - helpLink: strelka - advanced: True - chardet: - propagate: - description: This is an advanced option for Strelka logging. - readonly: False - global: False - helpLink: strelka - advanced: True - docx: - propagate: - description: This is an advanced option for Strelka logging. 
- readonly: False - global: False - helpLink: strelka - advanced: True - elftools: - propagate: - description: This is an advanced option for Strelka logging. - readonly: False - global: False - helpLink: strelka - advanced: True - email: - propagate: - description: This is an advanced option for Strelka logging. - readonly: False - global: False - helpLink: strelka - advanced: True - entropy: - propagate: - description: This is an advanced option for Strelka logging. - readonly: False - global: False - helpLink: strelka - advanced: True - esprima: - propagate: - description: This is an advanced option for Strelka logging. - readonly: False - global: False - helpLink: strelka - advanced: True - gzip: - propagate: - description: This is an advanced option for Strelka logging. - readonly: False - global: False - helpLink: strelka - advanced: True - hashlib: - propagate: - description: This is an advanced option for Strelka logging. - readonly: False - global: False - helpLink: strelka - advanced: True - json: - propagate: - description: This is an advanced option for Strelka logging. - readonly: False - global: False - helpLink: strelka - advanced: True - libarchive: - propagate: - description: This is an advanced option for Strelka logging. - readonly: False - global: False - helpLink: strelka - advanced: True - lxml: - propagate: - description: This is an advanced option for Strelka logging. - readonly: False - global: False - helpLink: strelka - advanced: True - lzma: - propagate: - description: This is an advanced option for Strelka logging. - readonly: False - global: False - helpLink: strelka - advanced: True - macholibre: - propagate: - description: This is an advanced option for Strelka logging. - readonly: False - global: False - helpLink: strelka - advanced: True - olefile: - propagate: - description: This is an advanced option for Strelka logging. 
- readonly: False - global: False - helpLink: strelka - advanced: True - oletools: - propagate: - description: This is an advanced option for Strelka logging. - readonly: False - global: False - helpLink: strelka - advanced: True - pdfminer: - propagate: - description: This is an advanced option for Strelka logging. - readonly: False - global: False - helpLink: strelka - advanced: True - pefile: - propagate: - description: This is an advanced option for Strelka logging. - readonly: False - global: False - helpLink: strelka - advanced: True - pgpdump: - propagate: - description: This is an advanced option for Strelka logging. - readonly: False - global: False - helpLink: strelka - advanced: True - pygments: - propagate: - description: This is an advanced option for Strelka logging. - readonly: False - global: False - helpLink: strelka - advanced: True - pylzma: - propagate: - description: This is an advanced option for Strelka logging. - readonly: False - global: False - helpLink: strelka - advanced: True - rarfile: - propagate: - description: This is an advanced option for Strelka logging. - readonly: False - global: False - helpLink: strelka - advanced: True - requests: - propagate: - description: This is an advanced option for Strelka logging. - readonly: False - global: False - helpLink: strelka - advanced: True - rpmfile: - propagate: - description: This is an advanced option for Strelka logging. - readonly: False - global: False - helpLink: strelka - advanced: True - ssdeep: - propagate: - description: This is an advanced option for Strelka logging. - readonly: False - global: False - helpLink: strelka - advanced: True - tarfile: - propagate: - description: This is an advanced option for Strelka logging. - readonly: False - global: False - helpLink: strelka - advanced: True - tnefparse: - propagate: - description: This is an advanced option for Strelka logging. 
- readonly: False - global: False - helpLink: strelka - advanced: True - yara: - propagate: - description: This is an advanced option for Strelka logging. - readonly: False - global: False - helpLink: strelka - advanced: True - zipfile: - propagate: - description: This is an advanced option for Strelka logging. - readonly: False - global: False - helpLink: strelka - advanced: True - zlib: - propagate: - description: This is an advanced option for Strelka logging. - readonly: False - global: False - helpLink: strelka - advanced: True - passwords: - description: Passwords that will be stored in the password_file used in scanner options. - readonly: False - global: False - helpLink: strelka - multiline: True - filestream: - enabled: - description: You can enable or disable Strelka filestream. - forcedType: bool - helpLink: strelka - config: - conn: - server: - description: Network address of the frontend server. - readonly: False - global: False - helpLink: strelka - advanced: True - cert: - description: Local path to the frontend SSL server certificate. - readonly: False - global: False - helpLink: strelka - advanced: True - timeout: - dial: - description: Amount of time to wait for the client to dial the server. - readonly: False - global: False - helpLink: strelka - advanced: True - file: - description: Amount of time to wait for an individual file to complete a scan. - readonly: False - global: False - helpLink: strelka - advanced: True - throughput: - concurrency: - description: Number of concurrent requests to make. - readonly: False - global: False - helpLink: strelka - advanced: True - chunk: - description: Size of file chunks that will be sent to the frontend server. - readonly: False - global: False - helpLink: strelka - advanced: True - delay: - description: Artificial sleep between the submission of each chunk. 
- readonly: False - global: False - helpLink: strelka - advanced: True - files: - patterns: - description: List of glob patterns that determine which files will be sent for scanning. - readonly: False - global: False - helpLink: strelka - advanced: True - delete: - description: Boolean that determines if files should be deleted after being sent for scanning. - forcedType: bool - readonly: False - global: False - helpLink: strelka - advanced: True - gatekeeper: - description: Boolean that determines if events should be pulled from the temporary event cache. - forcedType: bool - readonly: False - global: False - helpLink: strelka - advanced: True - processed: - description: Directory where files will be moved after being submitted for scanning. - readonly: False - global: False - helpLink: strelka - advanced: True - response: - report: - description: Frequency at which the frontend reports the number of files processed. - readonly: False - global: False - helpLink: strelka - advanced: True - delta: - description: Time value that determines how much time must pass since a file was last modified before it is sent for scanning. - readonly: False - global: False - helpLink: strelka - advanced: True - staging: - description: Directory where files are staged before being sent to the cluster. - readonly: False - global: False - helpLink: strelka - advanced: True - frontend: - enabled: - description: You can enable or disable Strelka frontend. - forcedType: bool - helpLink: strelka - config: - server: - description: Network address of the frontend server. - readonly: False - global: False - helpLink: strelka - advanced: True - coordinator: - addr: - description: Network address of the coordinator. - readonly: False - global: False - helpLink: strelka - advanced: True - db: - description: Redis database of the coordinator. - readonly: False - global: False - helpLink: strelka - advanced: True - gatekeeper: - addr: - description: Network address of the gatekeeper. 
- readonly: False - global: False - helpLink: strelka - advanced: True - db: - description: Redis database of the gatekeeper. - readonly: False - global: False - helpLink: strelka - advanced: True - ttl: - description: Time-to-live for events added to the gatekeeper. - readonly: False - global: False - helpLink: strelka - advanced: True - response: - log: - description: Location where worker scan results are logged to. - readonly: False - global: False - helpLink: strelka - advanced: True - manager: - enabled: - description: You can enable or disable Strelka manager. - forcedType: bool - helpLink: strelka - config: - coordinator: - addr: - description: Network address of the coordinator. - readonly: False - global: False - helpLink: strelka - advanced: True - db: - description: Redis database of the coordinator. - readonly: False - global: False - helpLink: strelka - advanced: True - coordinator: - enabled: - description: You can enable or disable Strelka coordinator. - forcedType: bool - helpLink: strelka - gatekeeper: - enabled: - description: You can enable or disable Strelka gatekeeper. - forcedType: bool - helpLink: strelka - rules: - enabled: - description: Boolean that determines if yara rules sync from the Salt manager to the backend nodes. - forcedType: bool - readonly: False - global: False - helpLink: strelka - advanced: False - filecheck: - historypath: - description: The path for previously scanned files. - readonly: True - global: False - helpLink: strelka - advanced: True - strelkapath: - description: The path for unprocessed files. - readonly: True - global: False - helpLink: strelka - advanced: True - logfile: - description: The path for the filecheck log. - readonly: False - global: False - helpLink: strelka - advanced: True - diff --git a/salt/strelka/tools/sbin/so-strelka-restart b/salt/strelka/tools/sbin/so-strelka-restart deleted file mode 100755 index b2d0ef6fa..000000000 --- a/salt/strelka/tools/sbin/so-strelka-restart +++ /dev/null 
@@ -1,18 +0,0 @@
-#!/bin/bash
-
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-
-
-. /usr/sbin/so-common
-
-/usr/sbin/so-stop strelka-filestream $1
-/usr/sbin/so-stop strelka-manager $1
-/usr/sbin/so-stop strelka-frontend $1
-/usr/sbin/so-stop strelka-backend $1
-/usr/sbin/so-stop strelka-gatekeeper $1
-/usr/sbin/so-stop strelka-coordinator $1
-/usr/sbin/so-start strelka $1
diff --git a/salt/strelka/tools/sbin/so-strelka-start b/salt/strelka/tools/sbin/so-strelka-start
deleted file mode 100755
index 8f0e76365..000000000
--- a/salt/strelka/tools/sbin/so-strelka-start
+++ /dev/null
@@ -1,12 +0,0 @@
-#!/bin/bash
-
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-
-
-. /usr/sbin/so-common
-
-/usr/sbin/so-start strelka $1
diff --git a/salt/strelka/tools/sbin/so-strelka-stop b/salt/strelka/tools/sbin/so-strelka-stop
deleted file mode 100755
index 3f71298e7..000000000
--- a/salt/strelka/tools/sbin/so-strelka-stop
+++ /dev/null
@@ -1,17 +0,0 @@
-#!/bin/bash
-
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-
-
-. /usr/sbin/so-common
-
-/usr/sbin/so-stop strelka-filestream $1
-/usr/sbin/so-stop strelka-manager $1
-/usr/sbin/so-stop strelka-frontend $1
-/usr/sbin/so-stop strelka-backend $1
-/usr/sbin/so-stop strelka-gatekeeper $1
-/usr/sbin/so-stop strelka-coordinator $1
diff --git a/salt/telegraf/scripts/checkfiles.sh b/salt/telegraf/scripts/checkfiles.sh
index 6b2f1333d..358a12ae3 100644
--- a/salt/telegraf/scripts/checkfiles.sh
+++ b/salt/telegraf/scripts/checkfiles.sh
@@ -10,9 +10,6 @@ # if this script isn't already running if [[ ! "`pidof -x $(basename $0) -o %PPID`" ]]; then - FILES=$(ls -1x /host/nsm/strelka/unprocessed | wc -l) - echo "faffiles files=$FILES" - fi exit 0
diff --git a/salt/top.sls b/salt/top.sls
index c7c6aa65d..1e5415139 100644
--- a/salt/top.sls
+++ b/salt/top.sls
@@ -80,7 +80,6 @@ base: - kibana - suricata - zeek - - strelka - elastalert - utility - elasticfleet
@@ -109,7 +108,6 @@ base: - kibana - suricata - zeek - - strelka - elastalert - utility - elasticfleet
@@ -123,7 +121,6 @@ base: - registry - nginx - influxdb - - strelka.manager - soc - kratos - hydra
@@ -153,7 +150,6 @@ base: - registry - nginx - influxdb - - strelka.manager - soc - kratos - hydra
@@ -181,7 +177,6 @@ base: - manager - nginx - influxdb - - strelka.manager - soc - kratos - hydra
@@ -219,7 +214,6 @@ base: - suricata - healthcheck - zeek - - strelka - elasticfleet.install_agent_grid - stig - pcap.cleanup
@@ -234,7 +228,6 @@ base: - elasticsearch - logstash - redis - - strelka - suricata - zeek - elasticfleet.install_agent_grid
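Review bot: The checkfiles.sh hunk appears to leave the `if [[ ! "`pidof …`" ]]; then` block with no command before `fi`, since the `FILES=` assignment, the `echo "faffiles …"` line and the blank line after them are the only lines between `then` and `fi` and all three are removed; bash treats an empty compound body as a syntax error, so every invocation of the script by telegraf's exec input would fail rather than run as a no-op. The `faffiles` metric was the script's only output and it counted the strelka unprocessed directory that this commit retires, so the cleaner fix is to delete salt/telegraf/scripts/checkfiles.sh outright together with whatever telegraf input or salt file state still references it (that configuration is not visible in this chunk, so it may already be handled elsewhere in the patch). If the script is intentionally kept as a stub for now, a single placeholder keeps it parseable: `:  # strelka file count removed; file analysis metrics now come from sensoroni fileanalyze`. The script's shebang and header are outside the hunk, so whether it runs under `set -e` or similar cannot be confirmed here.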