diff --git a/salt/idstools/enabled.sls b/salt/idstools/enabled.sls index bf5650773..966cb6786 100644 --- a/salt/idstools/enabled.sls +++ b/salt/idstools/enabled.sls @@ -69,6 +69,14 @@ so-rule-update: - minute: '1' - hour: '7' +run_so-rule-update: + cmd.run: + - name: '/usr/sbin/so-rule-update > /opt/so/log/idstools/download.log 2>&1' + - require: + - docker_container: so-idstools + - onchanges: + - file: idstoolsetcsync + {% else %} {{sls}}_state_not_allowed: diff --git a/salt/idstools/sync_files.sls b/salt/idstools/sync_files.sls index 64479e937..e8d5edda6 100644 --- a/salt/idstools/sync_files.sls +++ b/salt/idstools/sync_files.sls @@ -26,6 +26,13 @@ rulesdir: - group: 939 - makedirs: True +SOrulesdir: + file.directory: + - name: /opt/so/rules/nids/sorules + - user: 939 + - group: 939 + - makedirs: True + # Don't show changes because all.rules can be large synclocalnidsrules: file.recurse: @@ -35,3 +42,13 @@ synclocalnidsrules: - group: 939 - show_changes: False - include_pat: 'E@.rules' + +# Don't show changes because all.rules can be large +syncnidsSOrules: + file.recurse: + - name: /opt/so/rules/nids/sorules + - source: salt://idstools/sorules/ + - user: 939 + - group: 939 + - show_changes: False + - include_pat: 'E@.rules' diff --git a/salt/strelka/filestream/config.sls b/salt/strelka/filestream/config.sls index a215967ee..993a59650 100644 --- a/salt/strelka/filestream/config.sls +++ b/salt/strelka/filestream/config.sls @@ -6,6 +6,7 @@ {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls.split('.')[0] in allowed_states %} {% from 'strelka/map.jinja' import STRELKAMERGED %} +{% from 'vars/globals.map.jinja' import GLOBALS %} {% from 'strelka/map.jinja' import filecheck_runas %} include: 
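Review bot: The `run_so-rule-update` command truncates `/opt/so/log/idstools/download.log` with `>` on every trigger, so the output of the previous download (including any failure that explains why the rule set is stale) is lost the next time the synced files change; I would append instead, `- name: '/usr/sbin/so-rule-update >> /opt/so/log/idstools/download.log 2>&1'`, and let logrotate bound the file. The `onchanges` requisite names `idstoolsetcsync`, which is not defined in this hunk; it presumably comes from a state this file includes, and if it is ever not part of the same highstate run the requisite will error rather than silently skip. Note also that a failed `so-rule-update` run is not retried until the synced files change again or the 07:01 `so-rule-update` cron above fires, which seems worth a one-line comment on the state.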
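Review bot: In `syncnidsSOrules` the `include_pat: 'E@.rules'` regex is unanchored and the `.` is a wildcard, so, assuming Salt's usual `E@` search semantics, it matches any path containing `rules` (e.g. `README-rules.md`) rather than only `*.rules` files; the intent reads as `- include_pat: 'E@\.rules$'`. The same pattern is copied from the existing `synclocalnidsrules` state above, so fixing one without the other leaves the two out of step. Without `clean: True`, rule files removed from `salt://idstools/sorules/` will remain in `/opt/so/rules/nids/sorules` on the minion and presumably keep being loaded, which may or may not be intended. The copied comment about `all.rules` being large should say which file in `sorules` that applies to, or be generalised to "rule files can be large".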
@@ -78,6 +79,46 @@ filecheck_script: - group: 939 - mode: 755 +filecheck.log: + file.managed: + - name: /opt/so/log/strelka/filecheck.log + - user: {{ filecheck_runas }} + - group: {{ filecheck_runas }} + +filecheck_stdout.log: + file.managed: + - name: /opt/so/log/strelka/filecheck_stdout.log + - user: {{ filecheck_runas }} + - group: {{ filecheck_runas }} + +{% if GLOBALS.md_engine == 'ZEEK' %} + +filecheck_run_socore: + cron.present: + - name: 'ps -ef | grep filecheck | grep -v grep > /dev/null 2>&1 || python3 /opt/so/conf/strelka/filecheck >> /opt/so/log/strelka/filecheck_stdout.log 2>&1 &' + - identifier: filecheck_run_socore + - user: socore + +remove_filecheck_run_suricata: + cron.absent: + - identifier: filecheck_run_suricata + - user: suricata + +{% elif GLOBALS.md_engine == 'SURICATA'%} + +filecheck_run_suricata: + cron.present: + - name: 'ps -ef | grep filecheck | grep -v grep > /dev/null 2>&1 || python3 /opt/so/conf/strelka/filecheck >> /opt/so/log/strelka/filecheck_stdout.log 2>&1 &' + - identifier: filecheck_run_suricata + - user: suricata + +remove_filecheck_run_socore: + cron.absent: + - identifier: filecheck_run_socore + - user: socore + +{% endif %} + filecheck_restart: cmd.run: - name: pkill -f "python3 /opt/so/conf/strelka/filecheck" @@ -85,12 +126,7 @@ filecheck_restart: - success_retcodes: [0,1] - onchanges: - file: filecheck_script - -filecheck_run: - cron.present: - - name: 'ps -ef | grep filecheck | grep -v grep > /dev/null 2>&1 || python3 /opt/so/conf/strelka/filecheck >> /opt/so/log/strelka/filecheck_stdout.log 2>&1 &' - - identifier: filecheck_run - - user: {{ filecheck_runas }} + - file: filecheck_conf filcheck_history_clean: cron.present: diff --git a/salt/suricata/defaults.yaml b/salt/suricata/defaults.yaml index 4651b7268..050efa8f8 100644 --- a/salt/suricata/defaults.yaml +++ b/salt/suricata/defaults.yaml 
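Review bot: The liveness check in both new cron entries, `ps -ef | grep filecheck | grep -v grep`, succeeds for any process whose command line contains `filecheck`, for example a `tail -f` on `filecheck_stdout.log` or a stale filecheck still running as the other user after an `md_engine` switch, so the watchdog can decide the watcher is alive when it is not and never relaunch it. Matching the exact command and user, anchored so the cron's own `sh -c` line does not match, is more reliable: `- name: 'pgrep -u socore -f "^python3 /opt/so/conf/strelka/filecheck" > /dev/null 2>&1 || python3 /opt/so/conf/strelka/filecheck >> /opt/so/log/strelka/filecheck_stdout.log 2>&1 &'` (and `-u suricata` in the other branch). Removing the other user's cron with `cron.absent` does not stop a filecheck already running under that user; unless `filecheck_restart` happens to fire on the same run, an engine switch presumably leaves two watchers on the same directory until reboot. The two branches are identical apart from the user, so if `filecheck_runas` in `strelka/map.jinja` already follows `md_engine`, keeping `user: {{ filecheck_runas }}` and templating only the identifier would avoid the duplication.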
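Review bot: `filecheck_restart` only kills the watcher (`pkill -f`, run as root, so it also hits an instance owned by either user); nothing in this state relaunches it, so after a change to `filecheck_conf` or `filecheck_script` the directory is unwatched until the per-minute `filecheck_run_*` cron fires, up to about a minute. If that gap is acceptable it deserves a comment on the state, e.g. `# Stops filecheck only; the filecheck_run_* cron relaunches it within a minute, so new config is picked up with a short gap in scanning`. `filecheck_conf` is referenced by the new `onchanges` line but is not in this hunk; presumably it is defined earlier in this file.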
@@ -416,7 +416,6 @@ suricata: enabled: "yes" filename: keyword_perf.log append: "yes" - prefilter: enabled: "yes" filename: prefilter_perf.log