CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-07 01:32:47 +01:00
Code Issues Packages Projects Releases Wiki Activity

Check to see if Playbook is enabled

Browse Source
This commit is contained in:
DefensiveDepth
2024-03-27 15:43:25 -04:00
parent b571eeb8e6
commit ba262ee01a
1 changed files with 44 additions and 41 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
salt/manager/tools/sbin/soup
View File

@@ -589,6 +589,8 @@ up_to_2.4.70() {
crontab -l | grep -v 'so-playbook-sync_cron' | crontab - crontab -l | grep -v 'so-playbook-sync_cron' | crontab -
crontab -l | grep -v 'so-playbook-ruleupdate_cron' | crontab - crontab -l | grep -v 'so-playbook-ruleupdate_cron' | crontab -
if grep -A 1 'playbook:' /opt/so/saltstack/local/pillar/minions/* | grep -q 'enabled: True'; then
# Check for active Elastalert rules # Check for active Elastalert rules
active_rules_count=$(find /opt/so/rules/elastalert/playbook/ -type f -name "*.yaml" | wc -l) active_rules_count=$(find /opt/so/rules/elastalert/playbook/ -type f -name "*.yaml" | wc -l)
@@ -620,7 +622,7 @@ up_to_2.4.70() {
echo echo
echo "Exporting Sigma rules from Playbook..." echo "Exporting Sigma rules from Playbook..."
MYSQLPW=$(lookup_pillar_secret mysql) MYSQLPW=$(awk '/mysql:/ {print $2}' /opt/so/saltstack/local/pillar/secrets.sls)
docker exec so-mysql sh -c "exec mysql -uroot -p${MYSQLPW} -D playbook -sN -e \"SELECT id, value FROM custom_values WHERE value LIKE '%View Sigma%'\"" | while read -r id value; do docker exec so-mysql sh -c "exec mysql -uroot -p${MYSQLPW} -D playbook -sN -e \"SELECT id, value FROM custom_values WHERE value LIKE '%View Sigma%'\"" | while read -r id value; do
echo -e "$value" > "/nsm/backup/detections-migration/sigma/rules/$id.yaml" echo -e "$value" > "/nsm/backup/detections-migration/sigma/rules/$id.yaml"
@@ -634,6 +636,7 @@ up_to_2.4.70() {
echo "Backing up Playbook database..." echo "Backing up Playbook database..."
docker exec so-mysql sh -c "mysqldump -uroot -p${MYSQLPW} --databases playbook > /tmp/playbook-dump" docker exec so-mysql sh -c "mysqldump -uroot -p${MYSQLPW} --databases playbook > /tmp/playbook-dump"
docker cp so-mysql:/tmp/playbook-dump /nsm/backup/detections-migration/sigma/playbook-dump.sql docker cp so-mysql:/tmp/playbook-dump /nsm/backup/detections-migration/sigma/playbook-dump.sql
fi
echo echo
echo "Stopping Playbook services..." echo "Stopping Playbook services..."