From 8be5082b604f9057a8d1159e9ba8017fd3e5ec50 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Fri, 7 Jul 2023 16:43:26 -0400 Subject: [PATCH 01/11] yara scripts --- salt/manager/files/so-yara-update.jinja | 99 ------------------- salt/manager/init.sls | 2 +- salt/manager/tools/sbin_jinja/so-yara-update | 39 ++++++++ salt/strelka/defaults.yaml | 3 +- .../strelka/tools/sbin_jinja/so-yara-download | 48 +++++++++ salt/strelka/tools/sbin_jinja/so-yara-update | 21 ---- 6 files changed, 90 insertions(+), 122 deletions(-) delete mode 100755 salt/manager/files/so-yara-update.jinja create mode 100755 salt/manager/tools/sbin_jinja/so-yara-update create mode 100644 salt/strelka/tools/sbin_jinja/so-yara-download delete mode 100644 salt/strelka/tools/sbin_jinja/so-yara-update diff --git a/salt/manager/files/so-yara-update.jinja b/salt/manager/files/so-yara-update.jinja deleted file mode 100755 index d11ba1a76..000000000 --- a/salt/manager/files/so-yara-update.jinja +++ /dev/null 
@@ -1,99 +0,0 @@ -#!/bin/bash -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - - -echo "Starting to check for yara rule updates at $(date)..." - -output_dir="/opt/so/saltstack/local/salt/strelka/rules" -mkdir -p $output_dir -repos="/opt/so/conf/strelka/repos.txt" -newcounter=0 -excludedcounter=0 -excluded_rules=({{ EXCLUDEDRULES | join(' ') }}) - - -{% if ISAIRGAP is sameas true %} - -echo "Airgap mode enabled." - -clone_dir="/nsm/repo/rules/strelka" -repo_name="signature-base" -[ -d $output_dir/$repo_name ] && rm -rf $output_dir/$repo_name -mkdir -p mkdir -p $output_dir/$repo_name -# Ensure a copy of the license is available for the rules -[ -f $clone_dir/LICENSE ] && cp $clone_dir/$repo_name/LICENSE $output_dir/$repo_name - -# Copy over rules -for i in $(find $clone_dir/yara -name "*.yar*"); do - rule_name=$(echo $i | awk -F '/' '{print $NF}') - if [[ ! "${excluded_rules}" =~ ${rule_name} ]]; then - echo "Adding rule: $rule_name..." - cp $i $output_dir/$repo_name - ((newcounter++)) - else - echo "Excluding rule: $rule_name..." - ((excludedcounter++)) - fi -done - -echo "Done!" - -if [ "$newcounter" -gt 0 ] || [ "$excludedcounter" -gt 0 ];then - echo "$newcounter rules added." - echo "$excludedcounter rule(s) excluded." -fi - -{% else %} - -gh_status=$(curl -s -o /dev/null -w "%{http_code}" https://github.com) -clone_dir="/tmp" -if [ "$gh_status" == "200" ] || [ "$gh_status" == "301" ]; then - - while IFS= read -r repo; do - if ! 
$(echo "$repo" | grep -qE '^#'); then - # Remove old repo if existing bc of previous error condition or unexpected disruption - repo_name=`echo $repo | awk -F '/' '{print $NF}'` - [ -d $output_dir/$repo_name ] && rm -rf $output_dir/$repo_name - - # Clone repo and make appropriate directories for rules - git clone $repo $clone_dir/$repo_name - echo "Analyzing rules from $clone_dir/$repo_name..." - mkdir -p $output_dir/$repo_name - # Ensure a copy of the license is available for the rules - [ -f $clone_dir/$repo_name/LICENSE ] && cp $clone_dir/$repo_name/LICENSE $output_dir/$repo_name - - # Copy over rules - for i in $(find $clone_dir/$repo_name -name "*.yar*"); do - rule_name=$(echo $i | awk -F '/' '{print $NF}') - - if [[ ! "${excluded_rules}" =~ ${rule_name} ]]; then - echo "Adding rule: $rule_name..." - cp $i $output_dir/$repo_name - ((newcounter++)) - else - echo "Excluding rule: $rule_name..." - ((excludedcounter++)) - fi - done - rm -rf $clone_dir/$repo_name - fi - done < $repos - - echo "Done!" - - if [ "$newcounter" -gt 0 ] || [ "$excludedcounter" -gt 0 ];then - echo "$newcounter rule(s) added." - echo "$excludedcounter rule(s) excluded." - fi - -else - echo "Server returned $gh_status status code." - echo "No connectivity to Github...exiting..." - exit 1 -fi -{% endif %} - -echo "Finished rule updates at $(date)..." diff --git a/salt/manager/init.sls b/salt/manager/init.sls index 2eef1259b..816ed22ff 100644 --- a/salt/manager/init.sls +++ b/salt/manager/init.sls @@ -96,7 +96,7 @@ strelkarepos: yara_update_script: file.managed: - name: /usr/sbin/so-yara-update - - source: salt://manager/files/so-yara-update.jinja + - source: salt://manager/tools/sbin_jinja/so-yara-update - user: root - group: root - mode: 755 diff --git a/salt/manager/tools/sbin_jinja/so-yara-update b/salt/manager/tools/sbin_jinja/so-yara-update new file mode 100755 index 000000000..fff5bb806 --- /dev/null +++ b/salt/manager/tools/sbin_jinja/so-yara-update 
@@ -0,0 +1,39 @@ +#!/bin/bash +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + +echo "Starting to check for yara rule updates at $(date)..." + +repos="/opt/so/conf/strelka/repos.txt" +newcounter=0 +excludedcounter=0 +excluded_rules=({{ EXCLUDEDRULES | join(' ') }}) + + +# Pull down the SO Rules +SORULEDIR=/nsm/rules/yara +OUTPUTDIR=/opt/so/saltstack/local/salt/strelka/rules + +mkdir -p $OUTPUTDIR + +for i in $(find $SORUKLEDIR -name "*.yar*"); do + rule_name=$(echo $i | awk -F '/' '{print $NF}') + if [[ ! "${excluded_rules}" =~ ${rule_name} ]]; then + echo "Adding rule: $rule_name..." + cp $i $OUTPUTDIR/$rule_name + ((newcounter++)) + else + echo "Excluding rule: $rule_name..." + ((excludedcounter++)) + fi +done + +if [ "$newcounter" -gt 0 ] || [ "$excludedcounter" -gt 0 ];then + echo "$newcounter rules added." + echo "$excludedcounter rule(s) excluded." +fi + +echo "Finished rule updates at $(date)..." diff --git a/salt/strelka/defaults.yaml b/salt/strelka/defaults.yaml index d8b238b03..76110aafe 100644 --- a/salt/strelka/defaults.yaml +++ b/salt/strelka/defaults.yaml @@ -542,7 +542,8 @@ strelka: enabled: False rules: enabled: True - repos: [] + repos: + - https://github.com/Security-Onion-Solutions/securityonion-yara.git excluded: - apt_flame2_orchestrator.yar - apt_tetris.yar diff --git a/salt/strelka/tools/sbin_jinja/so-yara-download b/salt/strelka/tools/sbin_jinja/so-yara-download new file mode 100644 index 000000000..69c5ffc1d --- /dev/null +++ b/salt/strelka/tools/sbin_jinja/so-yara-download 
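Review bot: The exclusion test `[[ ! "${excluded_rules}" =~ ${rule_name} ]]` in the copy loop reads only the first element of the array, because `${excluded_rules}` without an index expands to element 0, so every excluded rule after the first is still copied into OUTPUTDIR. The unquoted right-hand side is also evaluated as a regular expression, so the `.` in a file name matches any character. An exact membership test such as `[[ " ${excluded_rules[*]} " != *" ${rule_name} "* ]]` applies the whole list. The loop also word-splits the `find` output and flattens every rule into one directory, so file names containing spaces, or identical base names from different repos, are mishandled; quoting `"$i"` and reading `find -print0` output would address the first of these.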
@@ -0,0 +1,48 @@ +#!/bin/bash +NOROOT=1 +. /usr/sbin/so-common + +{%- set proxy = salt['pillar.get']('manager:proxy') %} + +# Download the rules from the internet +{%- if proxy %} +export http_proxy={{ proxy }} +export https_proxy={{ proxy }} +export no_proxy= salt['pillar.get']('manager:no_proxy') +{%- endif %} + +outputdir=/nsm/rules/yara +gh_status=$(curl -s -o /dev/null -w "%{http_code}" https://github.com) +clone_dir="/tmp" +if [ "$gh_status" == "200" ] || [ "$gh_status" == "301" ]; then + + while IFS= read -r repo; do + if ! $(echo "$repo" | grep -qE '^#'); then + # Remove old repo if existing bc of previous error condition or unexpected disruption + repo_name=`echo $repo | awk -F '/' '{print $NF}'` + [ -d $output_dir/$repo_name ] && rm -rf $output_dir/$repo_name + + # Clone repo and make appropriate directories for rules + git clone $repo $clone_dir/$repo_name + echo "Analyzing rules from $clone_dir/$repo_name..." + mkdir -p $output_dir/$repo_name + # Ensure a copy of the license is available for the rules + [ -f $clone_dir/$repo_name/LICENSE ] && cp $clone_dir/$repo_name/LICENSE $output_dir/$repo_name + + # Copy over rules + for i in $(find $clone_dir/$repo_name -name "*.yar*"); do + rule_name=$(echo $i | awk -F '/' '{print $NF}') + cp $i $output_dir/$repo_name + done + rm -rf $clone_dir/$repo_name + fi + done < $repos + + echo "Done!" + + +else + echo "Server returned $gh_status status code." + echo "No connectivity to Github...exiting..." + exit 1 +fi diff --git a/salt/strelka/tools/sbin_jinja/so-yara-update b/salt/strelka/tools/sbin_jinja/so-yara-update deleted file mode 100644 index 9ec6fa41f..000000000 --- a/salt/strelka/tools/sbin_jinja/so-yara-update +++ /dev/null 
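Review bot: A blank line or a URL ending in `/` in repos.txt yields an empty `repo_name`, and the loop then runs `rm -rf $output_dir/$repo_name` and `rm -rf $clone_dir/$repo_name` against the parent directories themselves; only lines starting with `#` are skipped. Adding `[ -n "$repo_name" ] || continue` after the `awk` line, and quoting the expansions, closes that. Cloning into a fixed name under `/tmp` is predictable for other local users, so `clone_dir=$(mktemp -d)` with a cleanup `trap` is safer, and the exit status of `git clone` should be checked before any rules are copied. Separately, `export no_proxy= salt['pillar.get']('manager:no_proxy')` is missing its `{{ }}` delimiters, so the proxy branch renders the expression literally instead of the pillar value.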
@@ -1,21 +0,0 @@ -#!/bin/bash -NOROOT=1 -. /usr/sbin/so-common - -{%- set proxy = salt['pillar.get']('manager:proxy') %} - -# Download the rules from the internet -{%- if proxy %} -export http_proxy={{ proxy }} -export https_proxy={{ proxy }} -export no_proxy= salt['pillar.get']('manager:no_proxy') -{%- endif %} - -mkdir -p /tmp/yara -cd /tmp/yara -git clone https://github.com/Security-Onion-Solutions/securityonion-yara.git -mkdir -p /nsm/rules/yara -rsync -shav --progress /tmp/yara/securityonion-yara/yara /nsm/rules/ -cd /tmp -rm -rf /tmp/yara - From 6a5ff048049f158da2813216bd4807ac74fa9d0f Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Fri, 7 Jul 2023 16:45:51 -0400 Subject: [PATCH 02/11] remove unneeded function --- setup/so-functions | 12 ------------ 1 file changed, 12 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index 5cdb8f385..4910c662d 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -1506,18 +1506,6 @@ create_sensoroni_pillar() { } -create_strelka_pillar() { - title "Create the Strelka pillar file" - touch $adv_strelka_pillar_file - printf '%s\n'\ - "strelka:"\ - " enabled: $STRELKA"\ - " rules: 1" > "$strelka_pillar_file" - printf '%s\n'\ - " repos:"\ - " - 'https://$HOSTNAME:7788/yara'" >> "$strelka_pillar_file" -} - backup_pillar() { title "Create the backup pillar file" touch $adv_backup_pillar_file From f4dc73a206af8aa5becbcb0b64a4d90f2c055738 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Mon, 10 Jul 2023 09:42:37 -0400 Subject: [PATCH 03/11] yara download and update --- salt/manager/init.sls | 36 ++++++++++++++----- .../tools/sbin_jinja/so-yara-download | 3 +- salt/manager/tools/sbin_jinja/so-yara-update | 4 ++- salt/strelka/soc_strelka.yaml | 2 +- setup/so-setup | 2 +- 5 files changed, 35 insertions(+), 12 deletions(-) rename salt/{strelka => manager}/tools/sbin_jinja/so-yara-download (98%) diff --git a/salt/manager/init.sls b/salt/manager/init.sls index 816ed22ff..6b1944521 100644 --- a/salt/manager/init.sls 
+++ b/salt/manager/init.sls @@ -93,25 +93,45 @@ strelkarepos: - makedirs: True {% endif %} -yara_update_script: - file.managed: - - name: /usr/sbin/so-yara-update - - source: salt://manager/tools/sbin_jinja/so-yara-update - - user: root - - group: root +yara_update_scripts: + file.recurse: + - name: /usr/sbin/ + - source: salt://manager/tools/sbin_jinja/ + - user: socore + - group: socore - mode: 755 - template: jinja - defaults: - ISAIRGAP: {{ GLOBALS.airgap }} EXCLUDEDRULES: {{ STRELKAMERGED.rules.excluded }} +{% if GLOBALS.airgap %} +remove_strelka-yara-download: + cron.absent: + - user: socore + - identifier: strelka-yara-download + strelka-yara-update: cron.present: - - user: root + - user: socore - name: '/usr/sbin/so-yara-update >> /nsm/strelka/log/yara-update.log 2>&1' - identifier: strelka-yara-update - hour: '7' - minute: '1' +{% else %} +remove_strelka-yara-update: + cron.absent: + - user: socore + - identifier: strelka-yara-update + +strelka-yara-download: + cron.present: + - user: socore + - name: '/usr/sbin/so-yara-download >> /nsm/strelka/log/yara-download.log 2>&1' + - identifier: strelka-yara-download + - hour: '7' + - minute: '1' +{% endif %} + {% else %} diff --git a/salt/strelka/tools/sbin_jinja/so-yara-download b/salt/manager/tools/sbin_jinja/so-yara-download similarity index 98% rename from salt/strelka/tools/sbin_jinja/so-yara-download rename to salt/manager/tools/sbin_jinja/so-yara-download index 69c5ffc1d..2fc9c129d 100644 --- a/salt/strelka/tools/sbin_jinja/so-yara-download +++ b/salt/manager/tools/sbin_jinja/so-yara-download @@ -39,7 +39,8 @@ if [ "$gh_status" == "200" ] || [ "$gh_status" == "301" ]; then done < $repos echo "Done!" - + +/usr/sbin/so-yara-update else echo "Server returned $gh_status status code." diff --git a/salt/manager/tools/sbin_jinja/so-yara-update b/salt/manager/tools/sbin_jinja/so-yara-update index fff5bb806..b57bb0d4b 100755 --- a/salt/manager/tools/sbin_jinja/so-yara-update 
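Review bot: The `yara_update_scripts` state now installs everything under `/usr/sbin/` with `user: socore` and `group: socore`, and the cron entries below run those same files as socore, so the account that executes the scripts can also rewrite them. Keeping `- user: root` and `- group: root` with the existing 755 mode still lets socore execute them while leaving the files writable only by root, which matters if root ever invokes them directly. A short comment above the two cron branches saying that so-yara-download chains into so-yara-update, and that airgap installs skip the download, would explain why only one job is scheduled in each case.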
+++ b/salt/manager/tools/sbin_jinja/so-yara-update @@ -4,6 +4,8 @@ # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. +NOROOT=1 +. /usr/sbin/so-common echo "Starting to check for yara rule updates at $(date)..." @@ -19,7 +21,7 @@ OUTPUTDIR=/opt/so/saltstack/local/salt/strelka/rules mkdir -p $OUTPUTDIR -for i in $(find $SORUKLEDIR -name "*.yar*"); do +for i in $(find $SORULEDIR -name "*.yar*"); do rule_name=$(echo $i | awk -F '/' '{print $NF}') if [[ ! "${excluded_rules}" =~ ${rule_name} ]]; then echo "Adding rule: $rule_name..." diff --git a/salt/strelka/soc_strelka.yaml b/salt/strelka/soc_strelka.yaml index 5cdf442d5..e5240b9c9 100644 --- a/salt/strelka/soc_strelka.yaml +++ b/salt/strelka/soc_strelka.yaml @@ -579,7 +579,7 @@ strelka: helpLink: strelka.html advanced: False repos: - description: List of repos for so-yara-update to use to download rules. + description: List of repos for so-yara-download to use to download rules. readonly: False global: False helpLink: strelka.html diff --git a/setup/so-setup b/setup/so-setup index 0471a39fa..2a847bfbd 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -666,7 +666,7 @@ if ! [[ -f $install_opt_file ]]; then title "Restarting Suricata to pick up the new rules" logCmd "so-suricata-restart" title "Downloading YARA rules" - logCmd "runuser -l socore 'so-yara-update'" + logCmd "runuser -l socore 'so-yara-download'" title "Restarting Strelka to use new rules" logCmd "so-strelka-restart" fi From fa933d3f5304ac26371741afae2bb33457fe50e8 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Mon, 10 Jul 2023 10:26:30 -0400 Subject: [PATCH 04/11] use file_mode --- salt/manager/init.sls | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/manager/init.sls b/salt/manager/init.sls index 6b1944521..1fc00f3c7 100644 --- a/salt/manager/init.sls +++ b/salt/manager/init.sls 
@@ -99,7 +99,7 @@ yara_update_scripts: - source: salt://manager/tools/sbin_jinja/ - user: socore - group: socore - - mode: 755 + - file_mode: 755 - template: jinja - defaults: EXCLUDEDRULES: {{ STRELKAMERGED.rules.excluded }} From 47b2481cdd168ae1e6931feaa93e5ffcc0482692 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Mon, 10 Jul 2023 10:29:19 -0400 Subject: [PATCH 05/11] nothing in strelka/tools/sbin_jinja to file.recurse --- salt/strelka/config.sls | 9 --------- 1 file changed, 9 deletions(-) diff --git a/salt/strelka/config.sls b/salt/strelka/config.sls index 53afb0ea3..bf3ac3dca 100644 --- a/salt/strelka/config.sls +++ b/salt/strelka/config.sls @@ -43,15 +43,6 @@ strelka_sbin: - group: 939 - file_mode: 755 -strelka_sbin_jinja: - file.recurse: - - name: /usr/sbin - - source: salt://strelka/tools/sbin_jinja - - user: 939 - - group: 939 - - file_mode: 755 - - template: jinja - {% else %} {{sls}}_state_not_allowed: From 1ac72e5b24db0dcef1461036c21b2ee3b0517a0f Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Mon, 10 Jul 2023 11:10:37 -0400 Subject: [PATCH 06/11] ensure /nsm/rules/yara directory exists --- salt/manager/init.sls | 6 ++++++ salt/manager/tools/sbin_jinja/so-yara-download | 1 + salt/manager/tools/sbin_jinja/so-yara-update | 2 -- 3 files changed, 7 insertions(+), 2 deletions(-) diff --git a/salt/manager/init.sls b/salt/manager/init.sls index 1fc00f3c7..c4fb48b6b 100644 --- a/salt/manager/init.sls +++ b/salt/manager/init.sls @@ -104,6 +104,12 @@ yara_update_scripts: - defaults: EXCLUDEDRULES: {{ STRELKAMERGED.rules.excluded }} +rules_dir: + file.directory: + - name: /nsm/rules/yara + - user: socore + - group: socore + {% if GLOBALS.airgap %} remove_strelka-yara-download: cron.absent: diff --git a/salt/manager/tools/sbin_jinja/so-yara-download b/salt/manager/tools/sbin_jinja/so-yara-download index 2fc9c129d..ea369d6ad 100644 --- a/salt/manager/tools/sbin_jinja/so-yara-download +++ b/salt/manager/tools/sbin_jinja/so-yara-download 
@@ -11,6 +11,7 @@ export https_proxy={{ proxy }} export no_proxy= salt['pillar.get']('manager:no_proxy') {%- endif %} +repos="/opt/so/conf/strelka/repos.txt" outputdir=/nsm/rules/yara gh_status=$(curl -s -o /dev/null -w "%{http_code}" https://github.com) clone_dir="/tmp" diff --git a/salt/manager/tools/sbin_jinja/so-yara-update b/salt/manager/tools/sbin_jinja/so-yara-update index b57bb0d4b..c54997481 100755 --- a/salt/manager/tools/sbin_jinja/so-yara-update +++ b/salt/manager/tools/sbin_jinja/so-yara-update @@ -9,12 +9,10 @@ NOROOT=1 echo "Starting to check for yara rule updates at $(date)..." -repos="/opt/so/conf/strelka/repos.txt" newcounter=0 excludedcounter=0 excluded_rules=({{ EXCLUDEDRULES | join(' ') }}) - # Pull down the SO Rules SORULEDIR=/nsm/rules/yara OUTPUTDIR=/opt/so/saltstack/local/salt/strelka/rules From 59233d6550e2e9d9b9eb0f5d1d979c7e5311c94f Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Mon, 10 Jul 2023 11:43:56 -0400 Subject: [PATCH 07/11] use full path --- setup/so-setup | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-setup b/setup/so-setup index 2a847bfbd..23cc5edec 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -666,7 +666,7 @@ if ! [[ -f $install_opt_file ]]; then title "Restarting Suricata to pick up the new rules" logCmd "so-suricata-restart" title "Downloading YARA rules" - logCmd "runuser -l socore 'so-yara-download'" + logCmd "runuser -l socore '/usr/sbin/so-yara-download'" title "Restarting Strelka to use new rules" logCmd "so-strelka-restart" fi From 1f8b7bda89b03a8bb4975f2162ac6bba9163b9a6 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Mon, 10 Jul 2023 13:39:31 -0400 Subject: [PATCH 08/11] fix output_dir var --- salt/manager/tools/sbin_jinja/so-yara-download | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/manager/tools/sbin_jinja/so-yara-download b/salt/manager/tools/sbin_jinja/so-yara-download index ea369d6ad..adfb8c529 100644 
--- a/salt/manager/tools/sbin_jinja/so-yara-download +++ b/salt/manager/tools/sbin_jinja/so-yara-download @@ -12,7 +12,7 @@ export no_proxy= salt['pillar.get']('manager:no_proxy') {%- endif %} repos="/opt/so/conf/strelka/repos.txt" -outputdir=/nsm/rules/yara +output_dir=/nsm/rules/yara gh_status=$(curl -s -o /dev/null -w "%{http_code}" https://github.com) clone_dir="/tmp" if [ "$gh_status" == "200" ] || [ "$gh_status" == "301" ]; then From 5069d1163cca569c9651bfab244770f155cd9a39 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Mon, 10 Jul 2023 14:36:34 -0400 Subject: [PATCH 09/11] only *.yar files --- salt/manager/tools/sbin_jinja/so-yara-update | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/manager/tools/sbin_jinja/so-yara-update b/salt/manager/tools/sbin_jinja/so-yara-update index c54997481..c1fea5dcd 100755 --- a/salt/manager/tools/sbin_jinja/so-yara-update +++ b/salt/manager/tools/sbin_jinja/so-yara-update @@ -19,7 +19,7 @@ OUTPUTDIR=/opt/so/saltstack/local/salt/strelka/rules mkdir -p $OUTPUTDIR -for i in $(find $SORULEDIR -name "*.yar*"); do +for i in $(find $SORULEDIR -name "*.yar"); do rule_name=$(echo $i | awk -F '/' '{print $NF}') if [[ ! "${excluded_rules}" =~ ${rule_name} ]]; then echo "Adding rule: $rule_name..." From f22c61a0a22a8d0d02b794816cf73d1e58c7e11d Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Mon, 10 Jul 2023 15:19:41 -0400 Subject: [PATCH 10/11] use su instead of runuser since logCmd has issues with runuser --- setup/so-setup | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-setup b/setup/so-setup index 23cc5edec..62758d1a0 100755 --- a/setup/so-setup +++ b/setup/so-setup 
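Review bot: Narrowing the pattern to `"*.yar"` in so-yara-update leaves so-yara-download, as far as this series shows, still copying `"*.yar*"`, so any `.yara` files it fetches land in /nsm/rules/yara but are never deployed, and nothing logs that they were skipped. If that is intended, a comment above the loop such as `# Only .yar files are deployed; other extensions fetched by so-yara-download are ignored` would record it; otherwise the two patterns should match. The loop body continues outside the hunk.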
@@ -666,7 +666,7 @@ if ! [[ -f $install_opt_file ]]; then title "Restarting Suricata to pick up the new rules" logCmd "so-suricata-restart" title "Downloading YARA rules" - logCmd "runuser -l socore '/usr/sbin/so-yara-download'" + logCmd "su socore -c '/usr/sbin/so-yara-download'" title "Restarting Strelka to use new rules" logCmd "so-strelka-restart" fi From f8ed2e6e8e5c01e99689062a8b7cd05f99d44991 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Mon, 10 Jul 2023 16:11:45 -0400 Subject: [PATCH 11/11] make parent dirs --- salt/manager/init.sls | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/manager/init.sls b/salt/manager/init.sls index c4fb48b6b..44b7a662b 100644 --- a/salt/manager/init.sls +++ b/salt/manager/init.sls @@ -109,6 +109,7 @@ rules_dir: - name: /nsm/rules/yara - user: socore - group: socore + - makedirs: True {% if GLOBALS.airgap %} remove_strelka-yara-download: