diff --git a/salt/playbook/init.sls b/salt/playbook/init.sls
index 1a4f00f59..a93421b99 100644
--- a/salt/playbook/init.sls
+++ b/salt/playbook/init.sls
@@ -55,7 +55,7 @@ so-playbooksynccron: so-playbookruleupdatecron: cron.present: - name /usr/sbin/so-playbook-ruleupdate + - name: /usr/sbin/so-playbook-ruleupdate - user: root - minute: '1' - hour: '6'
diff --git a/salt/zeek/defaults.yml b/salt/zeek/defaults.yml
new file mode 100644
index 000000000..1fb159805
--- /dev/null
+++ b/salt/zeek/defaults.yml
@@ -0,0 +1,16 @@
+zeek:
+ zeekctl:
+ MailTo: root@localhost
+ MailConnectionSummary: 1
+ MinDiskSpace: 5
+ MailHostUpDown: 1
+ LogRotationInterval: 3600
+ LogExpireInterval: 0
+ StatsLogEnable: 1
+ StatsLogExpireInterval: 0
+ StatusCmdShowAll: 0
+ CrashExpireInterval: 0
+ SitePolicyScripts: local.zeek
+ LogDir: /nsm/zeek/logs
+ SpoolDir: /nsm/zeek/spool
+ CfgDir: /opt/zeek/etc
diff --git a/salt/zeek/files/zeekctl.cfg.jinja b/salt/zeek/files/zeekctl.cfg.jinja
new file mode 100644
index 000000000..db486a6fd
--- /dev/null
+++ b/salt/zeek/files/zeekctl.cfg.jinja
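Review bot: The zero-valued `LogExpireInterval`, `StatsLogExpireInterval` and `CrashExpireInterval` defaults switch off every pruning job that `zeekctl cron` would otherwise run, so `/nsm/zeek/logs`, `stats.log` and the crash directories grow without bound unless something outside this diff removes them; the file should state that, e.g. `# 0 = never expire; retention of /nsm/zeek/logs is handled outside zeekctl cron` above `LogExpireInterval: 0`. The mail knobs (`MailTo: root@localhost`, `MailConnectionSummary: 1`, `MailHostUpDown: 1`, `MinDiskSpace: 5`) only do anything if the Zeek container can deliver mail, which nothing here shows — if it cannot, the `MinDiskSpace` low-disk warning is silently lost, and a comment such as `# MinDiskSpace alerts are mailed; they are lost if the container has no working MTA` would spare an operator a false sense of coverage. A one-line header noting that these are the defaults deep-merged under the `zeek:zeekctl` pillar (see the `pillar.get(..., merge=True)` added to `salt/zeek/init.sls` in this diff) would also tell operators where overrides belong.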
@@ -0,0 +1,75 @@
+## Global ZeekControl configuration file.
+
+###############################################
+# Mail Options
+
+# Recipient address for all emails sent out by Zeek and ZeekControl.
+MailTo = {{ ZEEKCTL.MailTo }}
+
+# Mail connection summary reports each log rotation interval. A value of 1
+# means mail connection summaries, and a value of 0 means do not mail
+# connection summaries. This option has no effect if the trace-summary
+# script is not available.
+MailConnectionSummary = {{ ZEEKCTL.MailConnectionSummary }}
+
+# Lower threshold (in percentage of disk space) for space available on the
+# disk that holds SpoolDir. If less space is available, "zeekctl cron" starts
+# sending out warning emails. A value of 0 disables this feature.
+MinDiskSpace = {{ ZEEKCTL.MinDiskSpace }}
+
+# Send mail when "zeekctl cron" notices the availability of a host in the
+# cluster to have changed. A value of 1 means send mail when a host status
+# changes, and a value of 0 means do not send mail.
+MailHostUpDown = {{ ZEEKCTL.MailHostUpDown }}
+
+###############################################
+# Logging Options
+
+# Rotation interval in seconds for log files on manager (or standalone) node.
+# A value of 0 disables log rotation.
+LogRotationInterval = {{ ZEEKCTL.LogRotationInterval }}
+
+# Expiration interval for archived log files in LogDir. Files older than this
+# will be deleted by "zeekctl cron". The interval is an integer followed by
+# one of these time units: day, hr, min. A value of 0 means that logs
+# never expire.
+LogExpireInterval = {{ ZEEKCTL.LogExpireInterval }}
+
+# Enable ZeekControl to write statistics to the stats.log file. A value of 1
+# means write to stats.log, and a value of 0 means do not write to stats.log.
+StatsLogEnable = {{ ZEEKCTL.StatsLogEnable }}
+
+# Number of days that entries in the stats.log file are kept. Entries older
+# than this many days will be removed by "zeekctl cron". A value of 0 means
+# that entries never expire.
+StatsLogExpireInterval = {{ ZEEKCTL.StatsLogExpireInterval }}
+
+###############################################
+# Other Options
+
+# Show all output of the zeekctl status command. If set to 1, then all output
+# is shown. If set to 0, then zeekctl status will not collect or show the peer
+# information (and the command will run faster).
+StatusCmdShowAll = {{ ZEEKCTL.StatusCmdShowAll }}
+
+# Number of days that crash directories are kept. Crash directories older
+# than this many days will be removed by "zeekctl cron". A value of 0 means
+# that crash directories never expire.
+CrashExpireInterval = {{ ZEEKCTL.CrashExpireInterval }}
+
+# Site-specific policy script to load. Zeek will look for this in
+# $PREFIX/share/zeek/site. A default local.zeek comes preinstalled
+# and can be customized as desired.
+SitePolicyScripts = {{ ZEEKCTL.SitePolicyScripts }}
+
+# Location of the log directory where log files will be archived each rotation
+# interval.
+LogDir = {{ ZEEKCTL.LogDir }}
+
+# Location of the spool directory where files and data that are currently being
+# written are stored.
+SpoolDir = {{ ZEEKCTL.SpoolDir }}
+
+# Location of other configuration files that can be used to customize
+# ZeekControl operation (e.g. local networks, nodes).
+CfgDir = {{ ZEEKCTL.CfgDir }}
diff --git a/salt/zeek/init.sls b/salt/zeek/init.sls
index a7d222717..7ef39ac53 100644
--- a/salt/zeek/init.sls
+++ b/salt/zeek/init.sls
@@ -3,7 +3,12 @@ {% set BPF_ZEEK = salt['pillar.get']('zeek:bpf', {}) %} {% set BPF_STATUS = 0 %} {% set INTERFACE = salt['pillar.get']('sensor:interface', 'bond0') %} + +{% import_yaml 'zeek/defaults.yml' as ZEEKDEFAULTS %} +{% set ZEEK = salt['pillar.get']('zeek', default=ZEEKDEFAULTS.zeek, merge=True) %} + # Zeek Salt State + # Add Zeek group zeekgroup: group.present:
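Review bot: Every `{{ ZEEKCTL.X }}` in this template is interpolated into zeekctl.cfg verbatim with no quoting or type check, so a pillar override that contains a newline or a stray `=` rewrites the file's structure rather than one option; pillar is operator-controlled, so this is a robustness point rather than a vulnerability, but for the numeric knobs a filter such as `MinDiskSpace = {{ ZEEKCTL.MinDiskSpace | int }}` and `LogRotationInterval = {{ ZEEKCTL.LogRotationInterval | int }}` would fail the Salt render early instead of handing zeekctl an unparsable file at container start. The template also carries no marker that it is Salt-managed, and the same diff mounts the rendered file read-only into the container, so a first line such as `## Managed by Salt (salt/zeek/files/zeekctl.cfg.jinja); override values under pillar zeek:zeekctl, not here` would explain both why in-container edits are impossible and where overrides belong.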
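Review bot: `ZEEK` is now the pillar-over-defaults view of the whole `zeek` key, yet the unchanged `BPF_ZEEK` line directly above still performs its own `salt['pillar.get']('zeek:bpf', {})`; the two lookups are redundant and `{% set BPF_ZEEK = ZEEK.get('bpf', {}) %}` would keep one source of truth now that the merged dict exists. As I read Salt's `pillar.get`, `merge=True` only deep-merges when both the pillar value and the default are mappings, so an operator who mistakenly sets `zeek` or `zeek:zeekctl` to a scalar would replace the defaults wholesale and the later `ZEEK.zeekctl` lookup (outside this hunk) would fail the whole state render rather than fall back; a comment on the `set` line such as `{# pillar zeek:* is deep-merged over salt/zeek/defaults.yml; keep every level a mapping #}` would make that contract visible.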
@@ -63,6 +68,16 @@ zeekpolicysync: - group: 939 - template: jinja
+zeekctlcfg:
+ file.managed:
+ - name: /opt/so/conf/zeek/zeekctl.cfg
+ - source: salt://zeek/files/zeekctl.cfg.jinja
+ - user: 937
+ - group: 939
+ - template: jinja
+ - defaults:
+ ZEEKCTL: {{ ZEEK.zeekctl }}
+ # Sync node.cfg nodecfgsync: file.managed:
@@ -132,6 +147,7 @@ so-zeek: - /nsm/zeek/extracted:/nsm/zeek/extracted:rw - /opt/so/conf/zeek/local.zeek:/opt/zeek/share/zeek/site/local.zeek:ro - /opt/so/conf/zeek/node.cfg:/opt/zeek/etc/node.cfg:ro
+ - /opt/so/conf/zeek/zeekctl.cfg:/opt/zeek/etc/zeekctl.cfg:ro
 - /opt/so/conf/zeek/policy/securityonion:/opt/zeek/share/zeek/policy/securityonion:ro
 - /opt/so/conf/zeek/policy/custom:/opt/zeek/share/zeek/policy/custom:ro
 - /opt/so/conf/zeek/policy/cve-2020-0601:/opt/zeek/share/zeek/policy/cve-2020-0601:ro
@@ -141,5 +157,6 @@ so-zeek: - watch: - file: /opt/so/conf/zeek/local.zeek - file: /opt/so/conf/zeek/node.cfg
+ - file: /opt/so/conf/zeek/zeekctl.cfg
 - file: /opt/so/conf/zeek/policy
 - file: /opt/so/conf/zeek/bpf
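Review bot: `ZEEKCTL: {{ ZEEK.zeekctl }}` in the `defaults:` block emits the merged dict through Python's `str()`, which for the plain strings and ints in `defaults.yml` happens to parse as a YAML flow mapping but is not guaranteed to — an `OrderedDict`, or an override value that needs YAML quoting, would make the state file itself unparsable; the idiomatic form is `ZEEKCTL: {{ ZEEK.zeekctl | yaml }}` (or `| tojson`) so the embedded value is always valid YAML. The new `zeekctlcfg` state sets `user`/`group` but no `mode`, which matches the visible tail of the neighbouring `zeekpolicysync` state; zeekctl.cfg holds no secrets, so that is acceptable, but an explicit `- mode: 644` would pin the permission instead of inheriting whatever umask the minion runs under. The `so-zeek` container states that mount and watch this file are the two later hunks in this same file.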