pillarize local.zeek and move zeekctl from defaults.yml to zeek pillar - https://github.com/Security-Onion-Solutions/securityonion-saltstack/issues/585

2026-02-02 13:23:50 +01:00 · 2020-04-28 09:44:37 -04:00
parent 90aabde4c9
commit b6741daca6
7 changed files with 75 additions and 152 deletions
--- a/pillar/top.sls
+++ b/pillar/top.sls
@@ -3,6 +3,10 @@ base:
    - patch.needs_restarting
    - docker.config

+  '*_eval or *_helix or *_heavynode or *_sensor':
+    - match: compound
+    - zeek
+
  '*_mastersearch or *_heavynode':
    - match: compound
    - logstash
--- a/pillar/zeek/init.sls
+++ b/pillar/zeek/init.sls
@@ -0,0 +1,55 @@
+zeek:
+  zeekctl:
+    MailTo: root@localhost
+    MailConnectionSummary: 1
+    MinDiskSpace: 5
+    MailHostUpDown: 1
+    LogRotationInterval: 3600
+    LogExpireInterval: 0
+    StatsLogEnable: 1
+    StatsLogExpireInterval: 0
+    StatusCmdShowAll: 0
+    CrashExpireInterval: 0
+    SitePolicyScripts: local.zeek
+    LogDir: /nsm/zeek/logs
+    SpoolDir: /nsm/zeek/spool
+    CfgDir: /opt/zeek/etc
+    CompressLogs: 1
+  local:
+    load:
+      - misc/loaded-scripts
+      - tuning/defaults
+      - misc/capture-loss
+      - misc/stats
+      - frameworks/software/vulnerable
+      - frameworks/software/version-changes
+      - protocols/ftp/software
+      - protocols/smtp/software
+      - protocols/ssh/software
+      - protocols/http/software
+      - protocols/dns/detect-external-names
+      - protocols/ftp/detect
+      - protocols/conn/known-hosts
+      - protocols/conn/known-services
+      - protocols/ssl/known-certs
+      - protocols/ssl/validate-certs
+      - protocols/ssl/log-hostcerts-only
+      - protocols/ssh/geo-data
+      - protocols/ssh/detect-bruteforcing
+      - protocols/ssh/interesting-hostnames
+      - protocols/http/detect-sqli
+      - frameworks/files/hash-all-files
+      - frameworks/files/detect-MHR
+      - policy/frameworks/notice/extend-email/hostnames
+      - ja3
+      - hassh
+      - intel
+      - cve-2020-0601
+      - securityonion/bpfconf
+      - securityonion/communityid
+      - securityonion/file-extraction
+    load-sigs:
+      - frameworks/signatures/detect-windows-shells
+    redef:
+      - LogAscii::use_json = T;
+      - LogAscii::json_timestamps = JSON::TS_ISO8601;
--- a/pillar/zeek/stuff.sls
+++ b/pillar/zeek/stuff.sls