Merge pull request #12437 from Security-Onion-Solutions/feature/detec…

…tions-airgap Airgap Support - Detections module
Security-Onion-Solutions · Feb 26, 2024 · a817bae · a817bae
2 parents 52580fb + c6baa4b
commit a817bae
Show file tree

Hide file tree

Showing 4 changed files with 15 additions and 9 deletions.
diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup
@@ -603,6 +603,10 @@ update_airgap_rules() {
   if [ -d /nsm/repo/rules/sigma ]; then
     rsync -av $UPDATE_DIR/agrules/sigma/* /nsm/repo/rules/sigma/
   fi
+
+  # SOC Detections Airgap
+  rsync -av $UPDATE_DIR/agrules/detect-sigma/* /nsm/rules/detect-sigma/
+  rsync -av $UPDATE_DIR/agrules/detect-yara/* /nsm/rules/detect-yara/
 }
 
 update_airgap_repo() {
@@ -931,10 +935,8 @@ main() {
     preupgrade_changes
     echo ""
 
-    if [[ $is_airgap -eq 0 ]]; then
-      echo "Updating Rule Files to the Latest."
-      update_airgap_rules
-    fi
+    echo "Updating Airgap Rule Files to the Latest."
+    update_airgap_rules
 
     # since we don't run the backup.config_backup state on import we wont snapshot previous version states and pillars
     if [[ ! "$MINIONID" =~ "_import" ]]; then

diff --git a/salt/soc/enabled.sls b/salt/soc/enabled.sls
@@ -22,7 +22,7 @@ so-soc:
       - sobridge:
         - ipv4_address: {{ DOCKER.containers['so-soc'].ip }}
     - binds:
-      - /nsm/rules:/nsm/rules:rw #Need to tighten this up?
+      - /nsm/rules:/nsm/rules:rw
       - /opt/so/conf/strelka:/opt/sensoroni/yara:rw
       - /opt/so/rules/elastalert/rules:/opt/sensoroni/elastalert:rw
       - /opt/so/conf/soc/fingerprints:/opt/sensoroni/fingerprints:rw

diff --git a/salt/soc/merged.map.jinja b/salt/soc/merged.map.jinja
@@ -34,6 +34,12 @@
 {%   do SOCMERGED.config.server.client.inactiveTools.append('toolPlaybook') %}
 {% endif %}
 
+{# if system is Airgap, don't autoupdate Yara & Sigma rules #}
+{% if pillar.global.airgap %}
+  {%   do SOCMERGED.config.server.modules.elastalertengine.update({'autoUpdateEnabled': false}) %}
+  {%   do SOCMERGED.config.server.modules.strelkaengine.update({'autoUpdateEnabled': false}) %}
+{% endif %}
+
 {% set standard_actions = SOCMERGED.config.pop('actions') %}
 
 {% if pillar.global.endgamehost != '' %}

diff --git a/setup/so-setup b/setup/so-setup
@@ -687,10 +687,8 @@ if ! [[ -f $install_opt_file ]]; then
 		logCmd "so-minion -o=setup" 
 		title "Creating Global SLS"
 
-		if [[ $is_airgap ]]; then
-			# Airgap Rules
-			airgap_rules
-		fi
+		# Airgap Rules
+		airgap_rules
 
 		manager_pillar