diff --git a/pillar/top.sls b/pillar/top.sls index f629558af..d0cea8798 100644 --- a/pillar/top.sls +++ b/pillar/top.sls @@ -3,6 +3,10 @@ base: - patch.needs_restarting - docker.config + '*_eval or *_helix or *_heavynode or *_sensor': + - match: compound + - zeek + '*_mastersearch or *_heavynode': - match: compound - logstash diff --git a/pillar/zeek/init.sls b/pillar/zeek/init.sls new file mode 100644 index 000000000..10b92bb03 --- /dev/null +++ b/pillar/zeek/init.sls @@ -0,0 +1,55 @@ +zeek: + zeekctl: + MailTo: root@localhost + MailConnectionSummary: 1 + MinDiskSpace: 5 + MailHostUpDown: 1 + LogRotationInterval: 3600 + LogExpireInterval: 0 + StatsLogEnable: 1 + StatsLogExpireInterval: 0 + StatusCmdShowAll: 0 + CrashExpireInterval: 0 + SitePolicyScripts: local.zeek + LogDir: /nsm/zeek/logs + SpoolDir: /nsm/zeek/spool + CfgDir: /opt/zeek/etc + CompressLogs: 1 + local: + '@load': + - misc/loaded-scripts + - tuning/defaults + - misc/capture-loss + - misc/stats + - frameworks/software/vulnerable + - frameworks/software/version-changes + - protocols/ftp/software + - protocols/smtp/software + - protocols/ssh/software + - protocols/http/software + - protocols/dns/detect-external-names + - protocols/ftp/detect + - protocols/conn/known-hosts + - protocols/conn/known-services + - protocols/ssl/known-certs + - protocols/ssl/validate-certs + - protocols/ssl/log-hostcerts-only + - protocols/ssh/geo-data + - protocols/ssh/detect-bruteforcing + - protocols/ssh/interesting-hostnames + - protocols/http/detect-sqli + - frameworks/files/hash-all-files + - frameworks/files/detect-MHR + - policy/frameworks/notice/extend-email/hostnames + - ja3 + - hassh + - intel + - cve-2020-0601 + - securityonion/bpfconf + - securityonion/communityid + - securityonion/file-extraction + '@load-sigs': + - frameworks/signatures/detect-windows-shells + redef: + - LogAscii::use_json = T; + - LogAscii::json_timestamps = JSON::TS_ISO8601; \ No newline at end of file 
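Review bot: This new pillar file carries no comments although it now decides which Zeek policy scripts every matched sensor loads and which `redef` statements are written into local.zeek; the per-script rationale that the deleted salt/zeek/files/local.zeek carried (for example why misc/scan and protocols/http/detect-webapps were left disabled for performance) does not survive the move. A short header such as `# zeek:local is rendered verbatim into /opt/so/conf/zeek/local.zeek by salt/zeek/files/local.zeek.jinja; each list is emitted sorted, so order here is not load order, and redef entries need their own trailing ';'.` would keep that knowledge next to the data. The `redef` entries are the only values here that are executable Zeek script rather than script paths, so a reviewer of future pillar changes should read them as code, which the header could also say. The file also ends without a trailing newline.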
diff --git a/salt/zeek/defaults.yml b/salt/zeek/defaults.yml deleted file mode 100644 index 07393abeb..000000000 --- a/salt/zeek/defaults.yml +++ /dev/null @@ -1,17 +0,0 @@ -zeek: - zeekctl: - MailTo: root@localhost - MailConnectionSummary: 1 - MinDiskSpace: 5 - MailHostUpDown: 1 - LogRotationInterval: 3600 - LogExpireInterval: 0 - StatsLogEnable: 1 - StatsLogExpireInterval: 0 - StatusCmdShowAll: 0 - CrashExpireInterval: 0 - SitePolicyScripts: local.zeek - LogDir: /nsm/zeek/logs - SpoolDir: /nsm/zeek/spool - CfgDir: /opt/zeek/etc - CompressLogs: 1 diff --git a/salt/zeek/files/local.zeek b/salt/zeek/files/local.zeek deleted file mode 100644 index f32052328..000000000 --- a/salt/zeek/files/local.zeek +++ /dev/null 
@@ -1,132 +0,0 @@ -##! Local site policy. Customize as appropriate. -##! -##! This file will not be overwritten when upgrading or reinstalling! - -# This script logs which scripts were loaded during each run. -@load misc/loaded-scripts - -# Apply the default tuning scripts for common tuning settings. -@load tuning/defaults - -# Estimate and log capture loss. -@load misc/capture-loss - -# Enable logging of memory, packet and lag statistics. -@load misc/stats - -# Load the scan detection script. It's disabled by default because -# it often causes performance issues. -#@load misc/scan - -# Detect traceroute being run on the network. This could possibly cause -# performance trouble when there are a lot of traceroutes on your network. -# Enable cautiously. -#@load misc/detect-traceroute - -# Generate notices when vulnerable versions of software are discovered. -# The default is to only monitor software found in the address space defined -# as "local". Refer to the software framework's documentation for more -# information. -@load frameworks/software/vulnerable - -# Detect software changing (e.g. attacker installing hacked SSHD). -@load frameworks/software/version-changes - -# This adds signatures to detect cleartext forward and reverse windows shells. -@load-sigs frameworks/signatures/detect-windows-shells - -# Load all of the scripts that detect software in various protocols. -@load protocols/ftp/software -@load protocols/smtp/software -@load protocols/ssh/software -@load protocols/http/software -# The detect-webapps script could possibly cause performance trouble when -# running on live traffic. Enable it cautiously. -#@load protocols/http/detect-webapps - -# This script detects DNS results pointing toward your Site::local_nets -# where the name is not part of your local DNS zone and is being hosted -# externally. Requires that the Site::local_zones variable is defined. -@load protocols/dns/detect-external-names - -# Script to detect various activity in FTP sessions. 
-@load protocols/ftp/detect - -# Scripts that do asset tracking. -@load protocols/conn/known-hosts -@load protocols/conn/known-services -@load protocols/ssl/known-certs - -# This script enables SSL/TLS certificate validation. -@load protocols/ssl/validate-certs - -# This script prevents the logging of SSL CA certificates in x509.log -@load protocols/ssl/log-hostcerts-only - -# Uncomment the following line to check each SSL certificate hash against the ICSI -# certificate notary service; see http://notary.icsi.berkeley.edu . -# @load protocols/ssl/notary - -# If you have GeoIP support built in, do some geographic detections and -# logging for SSH traffic. -@load protocols/ssh/geo-data -# Detect hosts doing SSH bruteforce attacks. -@load protocols/ssh/detect-bruteforcing -# Detect logins using "interesting" hostnames. -@load protocols/ssh/interesting-hostnames - -# Detect SQL injection attacks. -@load protocols/http/detect-sqli - -#### Network File Handling #### - -# Enable MD5 and SHA1 hashing for all files. -@load frameworks/files/hash-all-files - -# Detect SHA1 sums in Team Cymru's Malware Hash Registry. -@load frameworks/files/detect-MHR - -# Extend email alerting to include hostnames -@load policy/frameworks/notice/extend-email/hostnames - -# Uncomment the following line to enable detection of the heartbleed attack. Enabling -# this might impact performance a bit. -# @load policy/protocols/ssl/heartbleed - -# Uncomment the following line to enable logging of connection VLANs. Enabling -# this adds two VLAN fields to the conn.log file. -# @load policy/protocols/conn/vlan-logging - -# Uncomment the following line to enable logging of link-layer addresses. Enabling -# this adds the link-layer address for each connection endpoint to the conn.log file. 
-# @load policy/protocols/conn/mac-logging - -# JA3 - SSL Detection Goodness -@load ja3 - -# HASSH -@load hassh - -# You can load your own intel into: -# /opt/so/saltstack/bro/policy/intel/ on the master -@load intel - -# Load a custom Bro policy -# /opt/so/saltstack/bro/policy/custom/ on the master -#@load custom/somebropolicy.bro - -# Write logs in JSON -redef LogAscii::use_json = T; -redef LogAscii::json_timestamps = JSON::TS_ISO8601; - -# CVE-2020-0601 -@load cve-2020-0601 - -# BPF Configuration -@load securityonion/bpfconf - -# Community ID -@load securityonion/communityid - -# Extracted files -@load securityonion/file-extraction \ No newline at end of file diff --git a/salt/zeek/files/local.zeek.jinja b/salt/zeek/files/local.zeek.jinja new file mode 100644 index 000000000..61f5df7d8 --- /dev/null +++ b/salt/zeek/files/local.zeek.jinja @@ -0,0 +1,11 @@ +##! Local site policy. + +{%- set ALLOWEDOPTIONS = [ '@load', '@load-sigs', 'redef' ] %} + +{%- for k, v in LOCAL.items() %} + {%- if k|lower in ALLOWEDOPTIONS %} + {%- for li in v|sort %} +{{ k }} {{ li }} + {%- endfor %} + {%- endif %} +{%- endfor %} \ No newline at end of file diff --git a/salt/zeek/files/zeekctl.cfg.jinja b/salt/zeek/files/zeekctl.cfg.jinja index 5da5ab824..6d28d4dbd 100644 --- a/salt/zeek/files/zeekctl.cfg.jinja +++ b/salt/zeek/files/zeekctl.cfg.jinja 
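Review bot: `v|sort` emits every `@load` list alphabetically, so the rendered file loads `tuning/defaults` after the `frameworks/`, `misc/` and `protocols/` scripts, whereas the deleted local.zeek loaded it second; I cannot tell from here whether any listed script depends on load order, but the sort changes it silently and the pillar author cannot override it, so either drop `|sort` or document that ordering is not honoured. The allowlist compares `k|lower` but the template emits `k` unchanged, so a key such as `@LOAD` passes the check yet reaches Zeek in that spelling; comparing the exact key, `{%- if k in ALLOWEDOPTIONS %}`, makes the check cover what is actually written. The allowlist only constrains the directive name, since each `li` is copied verbatim, so whoever can write `zeek:local` in pillar controls the whole policy file; that is acceptable for master-authored pillar but should be stated. The header should also say the file is generated, e.g. `##! Generated by Salt from pillar zeek:local; edits made here are overwritten on the next highstate.`, since the header it replaces promised the opposite.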
@@ -2,8 +2,8 @@ {%- set ALLOWEDOPTIONS = ['commtimeout','commandtimeout','compresscmd','compressextension','compresslogs','compresslogsinflight','controltopic','crashexpireinterval','croncmd','debug','env_vars','havenfs','keeplogs','logdir','logexpireinterval','logrotationinterval','mailalarmsinterval','mailalarmsto','mailarchivelogfail','mailconnectionsummary','mailfrom','mailhostupdown','mailreceivingpackets','mailreplyto','mailsubjectprefix','mailto','makearchivename','memlimit','mindiskspace','pfringclusterid','pfringclustertype','pfringfirstappinstance','prefixes','savetraces','sendmail','sitepluginpath','sitepolicypath','sitepolicyscripts','statslogenable','statslogexpireinterval','statuscmdshowall','stoptimeout','stopwait','timefmt','timemachinehost','timemachineport','zeekargs','zeekport','bindir','capstatspath','cfgdir','debuglog','defaultstoredir','helperdir','libdir','libdir64','libdirinternal','localnetscfg','lockfile','logexpireminutes','nodecfg','os','pcapbufsize','pcapsnaplen','plugindir','pluginzeekdir','policydir','policydirsiteinstall','policydirsiteinstallauto','postprocdir','scriptsdir','spooldir','standalone','statefile','staticdir','statsdir','statslog','time','tmpdir','tmpexecdir','tracesummary','version','zeek','zeekbase'] %} -{%- for option in ZEEKCTL %} +{%- for option in ZEEKCTL|sort %} {%- if option|lower in ALLOWEDOPTIONS %} {{ option }} = {{ ZEEKCTL[option] }} {%- endif %} -{%- endfor %} +{%- endfor %} \ No newline at end of file diff --git a/salt/zeek/init.sls b/salt/zeek/init.sls index ea238a162..246b43c90 100644 --- a/salt/zeek/init.sls +++ b/salt/zeek/init.sls @@ -4,8 +4,7 @@ {% set BPF_STATUS = 0 %} {% set INTERFACE = salt['pillar.get']('sensor:interface', 'bond0') %} -{% import_yaml 'zeek/defaults.yml' as ZEEKDEFAULTS %} -{% set ZEEK = salt['pillar.get']('zeek', default=ZEEKDEFAULTS.zeek, merge=True) %} +{% set ZEEK = salt['pillar.get']('zeek', {}) %} # Zeek Salt State 
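Review bot: Dropping the `import_yaml 'zeek/defaults.yml'` fallback together with `merge=True` means a pillar that sets only part of `zeek:` (say `zeek:zeekctl:MailTo` for one sensor) now replaces the whole tree instead of being merged over the defaults, so `zeek:local` is absent and, because salt/zeek/files/local.zeek.jinja emits only what LOCAL contains, the rendered local.zeek would load no detection scripts at all without any error. For a minion with no `zeek` pillar, `ZEEK` is `{}` and the `ZEEK.local` dereference in the localzeeksync hunk further down (`@@ -144,13 +143,16 @@`) is undefined; Salt's Jinja renderer rejects undefined attributes by default, so that case should fail to render rather than write an empty file, though I have not confirmed it for this version. Either restore the merge over an explicit in-state default, `{% set ZEEK = salt['pillar.get']('zeek', default={'zeekctl': {}, 'local': {}}, merge=True) %}`, and make the state fail when `ZEEK.local` has no `@load` entries, or document in the pillar that `zeek:` must always be supplied in full.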
@@ -144,13 +143,16 @@ zeekbpf: - "ip or not ip" {% endif %} + localzeeksync: file.managed: - name: /opt/so/conf/zeek/local.zeek - - source: salt://zeek/files/local.zeek + - source: salt://zeek/files/local.zeek.jinja - user: 937 - group: 939 - template: jinja + - defaults: + LOCAL: {{ ZEEK.local | tojson }} so-zeek: docker_container.running: