Add salt states for custom Zeek package loading

Create /opt/so/conf/zeek/zkg directory and sync custom packages from the manager via file.recurse. Bind mount the directory into the so-zeek container so the entrypoint can install packages on startup.
2026-03-19 11:15:31 +01:00 · 2026-03-17 13:22:59 -04:00
parent 70597a77ab
commit e6ee7dac7c
3 changed files with 16 additions and 0 deletions
--- a/salt/zeek/config.sls
+++ b/salt/zeek/config.sls
@@ -32,6 +32,20 @@ zeekpolicydir:
    - group: 939
    - makedirs: True

+zeekzkgdir:
+  file.directory:
+    - name: /opt/so/conf/zeek/zkg
+    - user: 937
+    - group: 939
+    - makedirs: True
+
+zeekzkgsync:
+  file.recurse:
+    - name: /opt/so/conf/zeek/zkg
+    - source: salt://zeek/zkg
+    - user: 937
+    - group: 939
+
 # Zeek Log Directory
 zeeklogdir:
  file.directory:
--- a/salt/zeek/enabled.sls
+++ b/salt/zeek/enabled.sls
@@ -35,6 +35,7 @@ so-zeek:
      - /opt/so/conf/zeek/policy/intel:/opt/zeek/share/zeek/policy/intel:rw
      - /opt/so/conf/zeek/bpf:/opt/zeek/etc/bpf:ro
      - /opt/so/conf/zeek/config.zeek:/opt/zeek/share/zeek/site/packages/ja4/config.zeek:ro
+      - /opt/so/conf/zeek/zkg:/opt/so/conf/zeek/zkg:ro
      {% if DOCKER.containers['so-zeek'].custom_bind_mounts %}
        {% for BIND in DOCKER.containers['so-zeek'].custom_bind_mounts %}
      - {{ BIND }}
--- a/salt/zeek/zkg/README
+++ b/salt/zeek/zkg/README
@@ -0,0 +1 @@
+# Place custom Zeek packages in /opt/so/saltstack/local/salt/zeek/zkg/
				`@@ -0,0 +1 @@`
				`# Place custom Zeek packages in /opt/so/saltstack/local/salt/zeek/zkg/`