diff --git a/salt/global/map.jinja b/salt/global/map.jinja
new file mode 100644
index 000000000..54abb8c79
--- /dev/null
+++ b/salt/global/map.jinja
@@ -0,0 +1,2 @@
+{% import_yaml 'global/defaults.yaml' as GLOBALDEFAULTS %}
+{% set GLOBALMERGED = salt['pillar.get']('global', GLOBALDEFAULTS.global, merge=True) %}
diff --git a/salt/sensoroni/files/sensoroni.json b/salt/sensoroni/files/sensoroni.json
index c5608ba56..f813dad2f 100644
--- a/salt/sensoroni/files/sensoroni.json
+++ b/salt/sensoroni/files/sensoroni.json
@@ -24,21 +24,21 @@
 "statickeyauth": {
 "apiKey": "{{ GLOBALS.sensoroni_key }}"
 {%- if PCAPMERGED.enabled %}
-{%- if PCAPENGINE.steno %}
+{%- if GLOBALS.pcap_engine == "STENO" %}
 },
 "stenoquery": {
 "executablePath": "/opt/sensoroni/scripts/stenoquery.sh",
 "pcapInputPath": "/nsm/pcap",
 "pcapOutputPath": "/nsm/pcapout"
 }
-{%- elif PCAPENGINE.suri %}
+{%- elif GLOBALS.pcap_engine == "SURICATA" %}
 },
 "suriquery": {
 "executablePath": "/opt/sensoroni/scripts/suriquery.sh",
 "pcapInputPath": "/nsm/suripcap",
 "pcapOutputPath": "/nsm/pcapout"
 }
-{%- endif %}
+{%- endif %}
 {%- else %}
 }
 {%- endif %}
diff --git a/salt/suricata/enabled.sls b/salt/suricata/enabled.sls
index 6dce49c8c..cf871906b 100644
--- a/salt/suricata/enabled.sls
+++ b/salt/suricata/enabled.sls
@@ -12,9 +12,9 @@ include:
 - suricata.config
 - suricata.sostatus
-  if blah
+{% if GLOBALS.pcap_engine == "SURICATA" %}
 - suricata.pcap
-  endif
+{% endif %}
 so-suricata:
 docker_container.running:
diff --git a/salt/suricata/pcap.sls b/salt/suricata/pcap.sls
index f677532f0..7a00d8d6a 100644
--- a/salt/suricata/pcap.sls
+++ b/salt/suricata/pcap.sls
@@ -1,6 +1,5 @@
 {% from 'vars/globals.map.jinja' import GLOBALS %}
-{% import_yaml 'suricata/defaults.yaml' as SURICATADEFAULTS %}
-{% set SURICATAMERGED = salt['pillar.get']('suricata', SURICATADEFAULTS.suricata, merge=True) %}
+{% from 'suricata/map.jinja' import SURICATAMERGED %}
 suripcapdir:
 file.directory:
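Review bot: Nothing in this new map says which keys `global/defaults.yaml` must provide, yet `GLOBALMERGED.pcapengine` is read from it elsewhere in the same commit, so a missing or misspelt `global.pcapengine` in the defaults file (not part of this diff) would presumably only surface as a render failure in every state that imports GLOBALS. A one-line comment above the `set` would make the contract explicit: `{# GLOBALMERGED: pillar 'global' merged over global/defaults.yaml; consumers expect at least 'pcapengine' (STENO or SURICATA) #}`. It is also worth stating that `merge=True` lets any pillar key under `global` override the shipped default, since that is what makes pillar the authoritative source here.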
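Review bot: With `PCAPMERGED.enabled` true and `GLOBALS.pcap_engine` equal to neither `"STENO"` nor `"SURICATA"` (for example a lowercase value from pillar, since both comparisons are case-sensitive), neither branch emits the `},` that closes `statickeyauth`, so the rendered sensoroni.json is not valid JSON and the config carrying the API key will presumably be rejected at load time. Add a fallback inside the enabled branch by replacing the inner `{%- endif %}` with `{%- else %}` / `}` / `{%- endif %}`, or normalise once with `GLOBALS.pcap_engine | upper` in both comparisons. The enabled check still reads `PCAPMERGED` while the engine now comes from `GLOBALS`; confirm both are in scope for this template, as its imports are outside the hunk.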
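Review bot: The new `{% if GLOBALS.pcap_engine == "SURICATA" %}` relies on `GLOBALS` being imported at the top of enabled.sls, which is outside this hunk; pcap.sls in the same commit does it with `{% from 'vars/globals.map.jinja' import GLOBALS %}`, so confirm enabled.sls carries the same line or the whole state fails to render. Because the comparison is exact and case-sensitive, any other spelling silently drops `suricata.pcap` from the include list rather than erroring, which a short comment should record: `{# compared verbatim; expected values are STENO or SURICATA #}`. The `include:` list this guard sits in begins before the hunk.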
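Review bot: `{% from 'suricata/map.jinja' import SURICATAMERGED %}` replaces an inline `import_yaml` plus `pillar.get(..., merge=True)`, but `suricata/map.jinja` is not part of this diff, so confirm it exists and exports `SURICATAMERGED` with the same merge semantics (pillar over `suricata/defaults.yaml`); otherwise the `SURICATAMERGED.config['af-packet'].threads` lookup later in this file is undefined. A comment on the import naming where the merged config comes from would help the next reader: `{# SURICATAMERGED: pillar 'suricata' merged over suricata/defaults.yaml, see suricata/map.jinja #}`.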
@@ -10,16 +9,14 @@ suripcapdir:
 - mode: 755
 - makedirs: True
-{{ SURICATAMERGED.config['af-packet'].threads }}
-for thread in afp.threads
+{% for i in range(1, SURICATAMERGED.config['af-packet'].threads) + 1) %}
-suripcapthreaddir:
+suripcapthread{{i}}dir:
 file.directory:
- - name: /nsm/suripcap/{{thread}}
+ - name: /nsm/suripcap/{{i}}
 - user: 940
 - group: 939
 - mode: 755
- - makedirs: True
-endfor
\ No newline at end of file
+{% endfor %}
diff --git a/salt/telegraf/config.sls b/salt/telegraf/config.sls
index 0711260b5..a35be55f5 100644
--- a/salt/telegraf/config.sls
+++ b/salt/telegraf/config.sls
@@ -41,6 +41,8 @@ tgraf_sync_script_{{script}}:
 - mode: 770
 - template: jinja
 - source: salt://telegraf/scripts/{{script}}
+ - defaults:
+ GLOBALS: {{ GLOBALS }}
 {% endfor %}
 telegraf_sbin:
diff --git a/salt/telegraf/scripts/oldpcap.sh b/salt/telegraf/scripts/oldpcap.sh
index d3f4b9a93..b68e71539 100644
--- a/salt/telegraf/scripts/oldpcap.sh
+++ b/salt/telegraf/scripts/oldpcap.sh
@@ -5,13 +5,12 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
-{%- if pcap is steno
-PCAPLOC=/host/nsm/pcap
-{%- else %}
+{%- if GLOBALS.pcap_engine == "SURICATA" %}
 PCAPLOC=/host/nsm/suripcap
+{%- else %}
+PCAPLOC=/host/nsm/pcap
 {%- endif %}
-
 # if this script isn't already running
 if [[ ! "`pidof -x $(basename $0) -o %PPID`" ]]; then
diff --git a/salt/vars/globals.map.jinja b/salt/vars/globals.map.jinja
index 3265cde18..990aeb39b 100644
--- a/salt/vars/globals.map.jinja
+++ b/salt/vars/globals.map.jinja
@@ -1,5 +1,6 @@
 {% import 'vars/init.map.jinja' as INIT %}
 {% from 'docker/docker.map.jinja' import DOCKER %}
+{% from 'global/map.jinja' import GLOBALMERGED %}
 {% from 'vars/' ~ INIT.GRAINS.role.split('-')[1] ~ '.map.jinja' import ROLE_GLOBALS %}
 {# role is so-role so we have to split off the 'so' #}
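Review bot: `{% for i in range(1, SURICATAMERGED.config['af-packet'].threads) + 1) %}` has one more closing parenthesis than opening, so Jinja raises a TemplateSyntaxError and the whole pcap state stops rendering; the intended expression is `{% for i in range(1, SURICATAMERGED.config['af-packet'].threads + 1) %}`. The per-thread directories drop `makedirs: True`, which only works because `suripcapdir` (defined above, outside this hunk) creates `/nsm/suripcap` first, presumably by file order; adding `- require:` / `  - file: suripcapdir` to each `suripcapthread{{i}}dir` makes that dependency explicit. A comment such as `{# one capture directory per af-packet thread, numbered 1..threads #}` would explain the 1-based range.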
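Review bot: `GLOBALS: {{ GLOBALS }}` interpolates the whole map as a Python dict repr into YAML, which round-trips only while every value is a plain string or number (a `None`, a nested structure or a value containing quotes would not parse back the same way), so serialise it explicitly, e.g. `GLOBALS: {{ GLOBALS | tojson }}` (or Salt's `| yaml` filter). `GLOBALS` also carries `sensoroni_key` (sensoroni.json in this diff reads `GLOBALS.sensoroni_key`), yet the only script consumer added here, oldpcap.sh, needs just `pcap_engine`; passing only that value into the telegraf script templates keeps the secret out of a render context that does not need it. Confirm `GLOBALS` is imported in config.sls, since the top of the file is outside the hunk; the `tgraf_sync_script_{{script}}` state begins before it.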
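Review bot: The new `{%- else %}` branch selects `/host/nsm/pcap` for every value of `GLOBALS.pcap_engine` other than the exact string `"SURICATA"`, so a misspelt or lowercase engine name silently degrades to the steno path instead of failing; record that with a comment above the block, `# Jinja: steno path unless pcap_engine is exactly SURICATA (case-sensitive)`. The variable can only reach this template through the `defaults:` map added to telegraf/config.sls in the same commit, as the script itself imports nothing, so the two changes must land together. The `if [[` body that follows continues past the hunk.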
@@ -20,6 +21,7 @@
 'influxdb_host': INIT.PILLAR.global.influxdb_host,
 'manager_ip': INIT.PILLAR.global.managerip,
 'md_engine': INIT.PILLAR.global.mdengine,
+ 'pcap_engine': GLOBALMERGED.pcapengine
 'pipeline': INIT.PILLAR.global.pipeline,
 'so_version': INIT.PILLAR.global.soversion,
 'so_docker_gateway': DOCKER.gateway,
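Review bot: `'pcap_engine': GLOBALMERGED.pcapengine` is missing the trailing comma that every neighbouring entry in this dict literal has, so the following `'pipeline'` key makes Jinja raise a TemplateSyntaxError and every state that imports GLOBALS stops rendering; change the line to `'pcap_engine': GLOBALMERGED.pcapengine,`. The source key is `pcapengine` while the exported name is `pcap_engine`, and the consumers in this commit compare the value verbatim against `"STENO"` and `"SURICATA"`; if the value is always a string, normalising it once here with `GLOBALMERGED.pcapengine | upper` would make every consumer tolerant of pillar casing. The dict literal this entry belongs to starts and ends outside the hunk.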