Merge pull request #421 from Security-Onion-Solutions/issue/97

Issue/97

salt/playbook/init.sls

@@ -55,7 +55,7 @@ so-playbooksynccron:
 
 so-playbookruleupdatecron:
   cron.present:
-    - name /usr/sbin/so-playbook-ruleupdate
+    - name: /usr/sbin/so-playbook-ruleupdate
     - user: root
     - minute: '1'
     - hour: '6'

salt/zeek/defaults.yml

@@ -0,0 +1,16 @@
+zeek:
+  zeekctl:
+    MailTo: root@localhost
+    MailConnectionSummary: 1
+    MinDiskSpace: 5
+    MailHostUpDown: 1
+    LogRotationInterval: 3600
+    LogExpireInterval: 0
+    StatsLogEnable: 1
+    StatsLogExpireInterval: 0
+    StatusCmdShowAll: 0
+    CrashExpireInterval: 0
+    SitePolicyScripts: local.zeek
+    LogDir: /nsm/zeek/logs
+    SpoolDir: /nsm/zeek/spool
+    CfgDir: /opt/zeek/etc

salt/zeek/files/zeekctl.cfg.jinja

@@ -0,0 +1,75 @@
+## Global ZeekControl configuration file.
+
+###############################################
+# Mail Options
+
+# Recipient address for all emails sent out by Zeek and ZeekControl.
+MailTo = {{ ZEEKCTL.MailTo }}
+
+# Mail connection summary reports each log rotation interval.  A value of 1
+# means mail connection summaries, and a value of 0 means do not mail
+# connection summaries.  This option has no effect if the trace-summary
+# script is not available.
+MailConnectionSummary = {{ ZEEKCTL.MailConnectionSummary }}
+
+# Lower threshold (in percentage of disk space) for space available on the
+# disk that holds SpoolDir. If less space is available, "zeekctl cron" starts
+# sending out warning emails.  A value of 0 disables this feature.
+MinDiskSpace = {{ ZEEKCTL.MinDiskSpace }}
+
+# Send mail when "zeekctl cron" notices the availability of a host in the
+# cluster to have changed.  A value of 1 means send mail when a host status
+# changes, and a value of 0 means do not send mail.
+MailHostUpDown = {{ ZEEKCTL.MailHostUpDown }}
+
+###############################################
+# Logging Options
+
+# Rotation interval in seconds for log files on manager (or standalone) node.
+# A value of 0 disables log rotation.
+LogRotationInterval = {{ ZEEKCTL.LogRotationInterval }}
+
+# Expiration interval for archived log files in LogDir.  Files older than this
+# will be deleted by "zeekctl cron".  The interval is an integer followed by
+# one of these time units:  day, hr, min.  A value of 0 means that logs
+# never expire.
+LogExpireInterval = {{ ZEEKCTL.LogExpireInterval }}
+
+# Enable ZeekControl to write statistics to the stats.log file.  A value of 1
+# means write to stats.log, and a value of 0 means do not write to stats.log.
+StatsLogEnable = {{ ZEEKCTL.StatsLogEnable }}
+
+# Number of days that entries in the stats.log file are kept.  Entries older
+# than this many days will be removed by "zeekctl cron".  A value of 0 means
+# that entries never expire.
+StatsLogExpireInterval = {{ ZEEKCTL.StatsLogExpireInterval }}
+
+###############################################
+# Other Options
+
+# Show all output of the zeekctl status command.  If set to 1, then all output
+# is shown.  If set to 0, then zeekctl status will not collect or show the peer
+# information (and the command will run faster).
+StatusCmdShowAll = {{ ZEEKCTL.StatusCmdShowAll }}
+
+# Number of days that crash directories are kept.  Crash directories older
+# than this many days will be removed by "zeekctl cron".  A value of 0 means
+# that crash directories never expire.
+CrashExpireInterval = {{ ZEEKCTL.CrashExpireInterval }}
+
+# Site-specific policy script to load. Zeek will look for this in
+# $PREFIX/share/zeek/site. A default local.zeek comes preinstalled
+# and can be customized as desired.
+SitePolicyScripts = {{ ZEEKCTL.SitePolicyScripts }}
+
+# Location of the log directory where log files will be archived each rotation
+# interval.
+LogDir = {{ ZEEKCTL.LogDir }}
+
+# Location of the spool directory where files and data that are currently being
+# written are stored.
+SpoolDir = {{ ZEEKCTL.SpoolDir }}
+
+# Location of other configuration files that can be used to customize
+# ZeekControl operation (e.g. local networks, nodes).
+CfgDir = {{ ZEEKCTL.CfgDir }}

salt/zeek/init.sls

@@ -3,7 +3,12 @@
 {% set BPF_ZEEK = salt['pillar.get']('zeek:bpf', {}) %}
 {% set BPF_STATUS = 0  %}
 {% set INTERFACE = salt['pillar.get']('sensor:interface', 'bond0') %}
+
+{% import_yaml 'zeek/defaults.yml' as ZEEKDEFAULTS %}
+{% set ZEEK = salt['pillar.get']('zeek', default=ZEEKDEFAULTS.zeek, merge=True) %}
+
 # Zeek Salt State
+
 # Add Zeek group
 zeekgroup:
   group.present:
@@ -63,6 +68,16 @@ zeekpolicysync:
     - group: 939
     - template: jinja
 
+zeekctlcfg:
+  file.managed:
+    - name: /opt/so/conf/zeek/zeekctl.cfg
+    - source: salt://zeek/files/zeekctl.cfg.jinja
+    - user: 937
+    - group: 939
+    - template: jinja
+    - defaults:
+        ZEEKCTL: {{ ZEEK.zeekctl }}
+
 # Sync node.cfg
 nodecfgsync:
   file.managed:
@@ -132,6 +147,7 @@ so-zeek:
       - /nsm/zeek/extracted:/nsm/zeek/extracted:rw
       - /opt/so/conf/zeek/local.zeek:/opt/zeek/share/zeek/site/local.zeek:ro
       - /opt/so/conf/zeek/node.cfg:/opt/zeek/etc/node.cfg:ro
+      - /opt/so/conf/zeek/zeekctl.cfg:/opt/zeek/etc/zeekctl.cfg:ro
       - /opt/so/conf/zeek/policy/securityonion:/opt/zeek/share/zeek/policy/securityonion:ro
       - /opt/so/conf/zeek/policy/custom:/opt/zeek/share/zeek/policy/custom:ro
       - /opt/so/conf/zeek/policy/cve-2020-0601:/opt/zeek/share/zeek/policy/cve-2020-0601:ro
@@ -141,5 +157,6 @@ so-zeek:
     - watch:
       - file: /opt/so/conf/zeek/local.zeek
       - file: /opt/so/conf/zeek/node.cfg
+      - file: /opt/so/conf/zeek/zeekctl.cfg
       - file: /opt/so/conf/zeek/policy
       - file: /opt/so/conf/zeek/bpf