Airgap Support - Detections module

salt/manager/tools/sbin/soup

@@ -603,6 +603,10 @@ update_airgap_rules() {
   if [ -d /nsm/repo/rules/sigma ]; then
     rsync -av $UPDATE_DIR/agrules/sigma/* /nsm/repo/rules/sigma/
   fi
+
+  # SOC Detections Airgap
+  rsync -av $UPDATE_DIR/agrules/detect-sigma/* /nsm/rules/detect-sigma/
+  rsync -av $UPDATE_DIR/agrules/detect-yara/* /nsm/rules/detect-yara/
 }
 
 update_airgap_repo() {
@@ -931,10 +935,8 @@ main() {
     preupgrade_changes
     echo ""
 
-    if [[ $is_airgap -eq 0 ]]; then
+    echo "Updating Airgap Rule Files to the Latest."
-      echo "Updating Rule Files to the Latest."
     update_airgap_rules
-    fi
 
     # since we don't run the backup.config_backup state on import we wont snapshot previous version states and pillars
     if [[ ! "$MINIONID" =~ "_import" ]]; then

salt/soc/enabled.sls

@@ -22,7 +22,7 @@ so-soc:
       - sobridge:
         - ipv4_address: {{ DOCKER.containers['so-soc'].ip }}
     - binds:
-      - /nsm/rules:/nsm/rules:rw #Need to tighten this up?
+      - /nsm/rules:/nsm/rules:rw
       - /opt/so/conf/strelka:/opt/sensoroni/yara:rw
       - /opt/so/rules/elastalert/rules:/opt/sensoroni/elastalert:rw
       - /opt/so/conf/soc/fingerprints:/opt/sensoroni/fingerprints:rw

salt/soc/merged.map.jinja

@@ -34,6 +34,12 @@
 {%   do SOCMERGED.config.server.client.inactiveTools.append('toolPlaybook') %}
 {% endif %}
 
+{# if system is Airgap, don't autoupdate Yara & Sigma rules #}
+{% if pillar.global.airgap %}
+  {%   do SOCMERGED.config.server.modules.elastalertengine.update({'autoUpdateEnabled': false}) %}
+  {%   do SOCMERGED.config.server.modules.strelkaengine.update({'autoUpdateEnabled': false}) %}
+{% endif %}
+
 {% set standard_actions = SOCMERGED.config.pop('actions') %}
 
 {% if pillar.global.endgamehost != '' %}

setup/so-setup

@@ -687,10 +687,8 @@ if ! [[ -f $install_opt_file ]]; then
 		logCmd "so-minion -o=setup" 
 		title "Creating Global SLS"
 
-		if [[ $is_airgap ]]; then
 		# Airgap Rules
 		airgap_rules
-		fi
 
 		manager_pillar