From 3aa48b1a23eceaaac562f4bc32131d8f5e7e8036 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Fri, 13 Mar 2020 13:20:48 -0400
Subject: [PATCH 1/6] first go at managing zeekctl.cfg - https://github.com/Security-Onion-Solutions/securityonion-saltstack/issues/97
---
 salt/zeek/defaults.yml | 16 +++++++
 salt/zeek/files/zeekctl.cfg.jinja | 75 +++++++++++++++++++++++++++++++
 salt/zeek/init.sls | 15 +++++++
 3 files changed, 106 insertions(+)
 create mode 100644 salt/zeek/defaults.yml
 create mode 100644 salt/zeek/files/zeekctl.cfg.jinja
diff --git a/salt/zeek/defaults.yml b/salt/zeek/defaults.yml
new file mode 100644
index 000000000..1fb159805
--- /dev/null
+++ b/salt/zeek/defaults.yml
@@ -0,0 +1,16 @@
+zeek:
+ zeekctl:
+ MailTo: root@localhost
+ MailConnectionSummary: 1
+ MinDiskSpace: 5
+ MailHostUpDown: 1
+ LogRotationInterval: 3600
+ LogExpireInterval: 0
+ StatsLogEnable: 1
+ StatsLogExpireInterval: 0
+ StatusCmdShowAll: 0
+ CrashExpireInterval: 0
+ SitePolicyScripts: local.zeek
+ LogDir: /nsm/zeek/logs
+ SpoolDir: /nsm/zeek/spool
+ CfgDir: /opt/zeek/etc
diff --git a/salt/zeek/files/zeekctl.cfg.jinja b/salt/zeek/files/zeekctl.cfg.jinja
new file mode 100644
index 000000000..db486a6fd
--- /dev/null
+++ b/salt/zeek/files/zeekctl.cfg.jinja
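Review bot: salt/zeek/defaults.yml carries no comment saying what these keys are or how they are overridden, so a reader has to trace the `import_yaml`/`pillar.get` lines in init.sls to find out. A one-line header such as `# Defaults for salt/zeek/files/zeekctl.cfg.jinja; keys mirror zeekctl.cfg options and are overridden per key via the zeek:zeekctl pillar (merged with pillar.get merge=True)` would make the contract explicit. It is also worth stating in that comment that `LogExpireInterval`, `StatsLogExpireInterval` and `CrashExpireInterval` default to 0, which per the template's own comments means `zeekctl cron` never expires logs, stats entries or crash directories, so growth of LogDir has to be bounded elsewhere.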
@@ -0,0 +1,75 @@
+## Global ZeekControl configuration file.
+
+###############################################
+# Mail Options
+
+# Recipient address for all emails sent out by Zeek and ZeekControl.
+MailTo = {{ ZEEKCTL.MailTo }}
+
+# Mail connection summary reports each log rotation interval. A value of 1
+# means mail connection summaries, and a value of 0 means do not mail
+# connection summaries. This option has no effect if the trace-summary
+# script is not available.
+MailConnectionSummary = {{ ZEEKCTL.MailConnectionSummary }}
+
+# Lower threshold (in percentage of disk space) for space available on the
+# disk that holds SpoolDir. If less space is available, "zeekctl cron" starts
+# sending out warning emails. A value of 0 disables this feature.
+MinDiskSpace = {{ ZEEKCTL.MinDiskSpace }}
+
+# Send mail when "zeekctl cron" notices the availability of a host in the
+# cluster to have changed. A value of 1 means send mail when a host status
+# changes, and a value of 0 means do not send mail.
+MailHostUpDown = {{ ZEEKCTL.MailHostUpDown }}
+
+###############################################
+# Logging Options
+
+# Rotation interval in seconds for log files on manager (or standalone) node.
+# A value of 0 disables log rotation.
+LogRotationInterval = {{ ZEEKCTL.LogRotationInterval }}
+
+# Expiration interval for archived log files in LogDir. Files older than this
+# will be deleted by "zeekctl cron". The interval is an integer followed by
+# one of these time units: day, hr, min. A value of 0 means that logs
+# never expire.
+LogExpireInterval = {{ ZEEKCTL.LogExpireInterval }}
+
+# Enable ZeekControl to write statistics to the stats.log file. A value of 1
+# means write to stats.log, and a value of 0 means do not write to stats.log.
+StatsLogEnable = {{ ZEEKCTL.StatsLogEnable }}
+
+# Number of days that entries in the stats.log file are kept. Entries older
+# than this many days will be removed by "zeekctl cron". A value of 0 means
+# that entries never expire.
+StatsLogExpireInterval = {{ ZEEKCTL.StatsLogExpireInterval }}
+
+###############################################
+# Other Options
+
+# Show all output of the zeekctl status command. If set to 1, then all output
+# is shown. If set to 0, then zeekctl status will not collect or show the peer
+# information (and the command will run faster).
+StatusCmdShowAll = {{ ZEEKCTL.StatusCmdShowAll }}
+
+# Number of days that crash directories are kept. Crash directories older
+# than this many days will be removed by "zeekctl cron". A value of 0 means
+# that crash directories never expire.
+CrashExpireInterval = {{ ZEEKCTL.CrashExpireInterval }}
+
+# Site-specific policy script to load. Zeek will look for this in
+# $PREFIX/share/zeek/site. A default local.zeek comes preinstalled
+# and can be customized as desired.
+SitePolicyScripts = {{ ZEEKCTL.SitePolicyScripts }}
+
+# Location of the log directory where log files will be archived each rotation
+# interval.
+LogDir = {{ ZEEKCTL.LogDir }}
+
+# Location of the spool directory where files and data that are currently being
+# written are stored.
+SpoolDir = {{ ZEEKCTL.SpoolDir }}
+
+# Location of other configuration files that can be used to customize
+# ZeekControl operation (e.g. local networks, nodes).
+CfgDir = {{ ZEEKCTL.CfgDir }}
diff --git a/salt/zeek/init.sls b/salt/zeek/init.sls
index a7d222717..052841a56 100644
--- a/salt/zeek/init.sls
+++ b/salt/zeek/init.sls
@@ -3,7 +3,12 @@
 {% set BPF_ZEEK = salt['pillar.get']('zeek:bpf', {}) %}
 {% set BPF_STATUS = 0 %}
 {% set INTERFACE = salt['pillar.get']('sensor:interface', 'bond0') %}
+
+{% import_yml 'zeek/defaults.yml' as ZEEKDEFAULTS %}
+{% set ZEEKCTL = salt['pillar.get']('zeek:zeekctl', default=ZEEKDEFAULTS.zeekctl, merge=True) %}
+
 # Zeek Salt State
+
 # Add Zeek group
 zeekgroup:
 group.present:
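Review bot: The rendered file opens with `## Global ZeekControl configuration file.` but nothing tells an operator that it is generated, even though the `zeekctlcfg` file.managed state in init.sls rewrites it on every highstate and, after patch 6, restarts the so-zeek container when it changes, so hand edits to /opt/zeek/etc/zeekctl.cfg are silently lost. Add a second header line such as `## Managed by Salt from salt/zeek/files/zeekctl.cfg.jinja; edit the zeek:zeekctl pillar, not this file.` Every option is interpolated verbatim via `{{ ZEEKCTL.X }}` with no quoting or validation, which is fine for zeekctl's key = value format, but the header should say so, since a pillar override is written exactly as given.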
@@ -63,6 +68,16 @@ zeekpolicysync: - group: 939 - template: jinja +zeekctlcfg: + file.managed: + - name: /opt/so/conf/zeek/zeekctl.cfg + - source: salt://zeek/files/zeekctl.cfg.jinja + - user: 937 + - group: 939 + - template: jinja + - defaults: + ZEEKCTL: {{ ZEEKCTL }} + # Sync node.cfg nodecfgsync: file.managed: From bc6aab5b221265c1217d766e146781c3ee3b33d9 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Fri, 13 Mar 2020 13:23:27 -0400 Subject: [PATCH 2/6] add zeekctl.cfg docker file bind --- salt/zeek/init.sls | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/zeek/init.sls b/salt/zeek/init.sls index 052841a56..41ab275d2 100644 --- a/salt/zeek/init.sls +++ b/salt/zeek/init.sls @@ -147,6 +147,7 @@ so-zeek: - /nsm/zeek/extracted:/nsm/zeek/extracted:rw - /opt/so/conf/zeek/local.zeek:/opt/zeek/share/zeek/site/local.zeek:ro - /opt/so/conf/zeek/node.cfg:/opt/zeek/etc/node.cfg:ro + - /opt/so/conf/zeek/zeekctl.cfg:/opt/zeek/etc/zeekctl.cfg:ro - /opt/so/conf/zeek/policy/securityonion:/opt/zeek/share/zeek/policy/securityonion:ro - /opt/so/conf/zeek/policy/custom:/opt/zeek/share/zeek/policy/custom:ro - /opt/so/conf/zeek/policy/cve-2020-0601:/opt/zeek/share/zeek/policy/cve-2020-0601:ro From f9cf04e14effd5a1773427a15b7a4b4852a6e1d7 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Fri, 13 Mar 2020 13:42:28 -0400 Subject: [PATCH 3/6] fix couple minor issue - https://github.com/Security-Onion-Solutions/securityonion-saltstack/issues/97 --- salt/zeek/init.sls | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/salt/zeek/init.sls b/salt/zeek/init.sls index 41ab275d2..feedb0099 100644 --- a/salt/zeek/init.sls +++ b/salt/zeek/init.sls 
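Review bot: The new `zeekctlcfg` file.managed state sets `- user: 937` and `- group: 939` but no `- mode:`, so the permissions of /opt/so/conf/zeek/zeekctl.cfg depend on the existing file's mode or on the minion's umask at first creation; adding `- mode: 644` makes the result deterministic and matches the read-only bind mount that patch 2 adds for the same path. The `defaults:` block passes the merged dict as `ZEEKCTL: {{ ZEEKCTL }}`, i.e. Python's dict repr parsed back as a YAML flow mapping; that works for the plain values in defaults.yml but may not round-trip an override containing a quote or other YAML-significant character, and the same construct is kept as `{{ ZEEK.zeek.zeekctl }}` in patch 3 and `{{ ZEEK.zeekctl }}` in patch 5. Salt's `yaml` filter, `ZEEKCTL: {{ ZEEKCTL | yaml }}`, serializes the mapping explicitly instead. The `zeekpolicysync` state whose tail forms the leading context starts outside the hunk, so whether it omits `mode` the same way cannot be seen here.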
@@ -4,8 +4,8 @@ {% set BPF_STATUS = 0 %} {% set INTERFACE = salt['pillar.get']('sensor:interface', 'bond0') %} -{% import_yml 'zeek/defaults.yml' as ZEEKDEFAULTS %} -{% set ZEEKCTL = salt['pillar.get']('zeek:zeekctl', default=ZEEKDEFAULTS.zeekctl, merge=True) %} +{% import_yaml 'zeek/defaults.yml' as ZEEKDEFAULTS %} +{% set ZEEK = salt['pillar.get']('zeek', default=ZEEKDEFAULTS, merge=True) %} # Zeek Salt State @@ -76,7 +76,7 @@ zeekctlcfg: - group: 939 - template: jinja - defaults: - ZEEKCTL: {{ ZEEKCTL }} + ZEEKCTL: {{ ZEEK.zeek.zeekctl }} # Sync node.cfg nodecfgsync: From 8e826337726868ba47bc9bd150c6b387a0cbc532 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Fri, 13 Mar 2020 13:45:29 -0400 Subject: [PATCH 4/6] fix missing : in playbook state --- salt/playbook/init.sls | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/playbook/init.sls b/salt/playbook/init.sls index 1a4f00f59..a93421b99 100644 --- a/salt/playbook/init.sls +++ b/salt/playbook/init.sls @@ -55,7 +55,7 @@ so-playbooksynccron: so-playbookruleupdatecron: cron.present: - - name /usr/sbin/so-playbook-ruleupdate + - name: /usr/sbin/so-playbook-ruleupdate - user: root - minute: '1' - hour: '6' From 1b7e22d5bdf0ff044997d12fd8b4ce25ec63e24c Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Fri, 13 Mar 2020 14:41:16 -0400 Subject: [PATCH 5/6] fix couple minor issue - https://github.com/Security-Onion-Solutions/securityonion-saltstack/issues/97 --- salt/zeek/init.sls | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/salt/zeek/init.sls b/salt/zeek/init.sls index feedb0099..1f08816d4 100644 --- a/salt/zeek/init.sls +++ b/salt/zeek/init.sls @@ -5,7 +5,7 @@ {% set INTERFACE = salt['pillar.get']('sensor:interface', 'bond0') %} {% import_yaml 'zeek/defaults.yml' as ZEEKDEFAULTS %} -{% set ZEEK = salt['pillar.get']('zeek', default=ZEEKDEFAULTS, merge=True) %} +{% set ZEEK = salt['pillar.get']('zeek', default=ZEEKDEFAULTS.zeek, merge=True) %} # Zeek Salt State 
@@ -76,7 +76,7 @@ zeekctlcfg: - group: 939 - template: jinja - defaults: - ZEEKCTL: {{ ZEEK.zeek.zeekctl }} + ZEEKCTL: {{ ZEEK.zeekctl }} # Sync node.cfg nodecfgsync: From da8811bc877de3361eb5a4c4c706fad7ffdb5b82 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Fri, 13 Mar 2020 14:44:56 -0400 Subject: [PATCH 6/6] restart zeek docker if zeekctl.cfg changes --- salt/zeek/init.sls | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/zeek/init.sls b/salt/zeek/init.sls index 1f08816d4..7ef39ac53 100644 --- a/salt/zeek/init.sls +++ b/salt/zeek/init.sls @@ -157,5 +157,6 @@ so-zeek: - watch: - file: /opt/so/conf/zeek/local.zeek - file: /opt/so/conf/zeek/node.cfg + - file: /opt/so/conf/zeek/zeekctl.cfg - file: /opt/so/conf/zeek/policy - file: /opt/so/conf/zeek/bpf