Security-Onion-Solutions · m0duspwnens · May 9, 2024 · May 9, 2024 · May 9, 2024 · May 9, 2024
diff --git a/salt/strelka/backend/enabled.sls b/salt/strelka/backend/enabled.sls
@@ -43,7 +43,7 @@ strelka_backend:
     {% endif %}
     - restart_policy: on-failure
     - watch:
-      - file: strelkasensorrules
+      - file: strelkasensorcompiledrules
 
 delete_so-strelka-backend_so-status.disabled:
   file.uncomment:

diff --git a/salt/strelka/compile_yara/compile_yara.py b/salt/strelka/compile_yara/compile_yara.py
@@ -20,7 +20,7 @@ def check_syntax(rule_file):
 
 def compile_yara_rules(rules_dir):
     compiled_dir = os.path.join(rules_dir, "compiled")
-    compiled_rules_path = [ os.path.join(compiled_dir, "rules.compiled"), "/opt/so/saltstack/default/salt/strelka/rules/compiled/rules.compiled" ]
+    compiled_rules_path = "/opt/so/saltstack/local/salt/strelka/rules/compiled/rules.compiled"
     rule_files = glob.glob(os.path.join(rules_dir, '**/*.yar'), recursive=True)
     files_to_compile = {}
     removed_count = 0
@@ -57,9 +57,12 @@ def compile_yara_rules(rules_dir):
     # Compile all remaining valid rules into a single file
     if files_to_compile:
         compiled_rules = yara.compile(filepaths=files_to_compile)
-        for path in compiled_rules_path:
-          compiled_rules.save(path)
-          print(f"All remaining rules compiled and saved into {path}")
+        compiled_rules.save(compiled_rules_path)
+        print(f"All remaining rules compiled and saved into {compiled_rules_path}")
+    # Remove the rules.compiled if there aren't any files to be compiled
+    else:
+        if os.path.exists(compiled_rules_path):
+            os.remove(compiled_rules_path)
 
     # Print summary of compilation results
     print(f"Summary: {success_count} rules compiled successfully, {removed_count} rules removed due to errors.")

diff --git a/salt/strelka/config.sls b/salt/strelka/config.sls
@@ -5,45 +5,21 @@
 
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
+{%   from 'vars/globals.map.jinja' import GLOBALS %}
 
-# Strelka config
-strelkaconfdir:
-  file.directory:
-    - name: /opt/so/conf/strelka/rules/compiled/
-    - user: 939
-    - group: 939
-    - makedirs: True
-
-strelkacompileyara:
-  file.managed:
-    - name: /opt/so/conf/strelka/compile_yara.py
-    - source: salt://strelka/compile_yara/compile_yara.py
-    - user: 939
-    - group: 939
-    - makedirs: True
-
-strelkarulesdir:
-  file.directory:
-    - name: /opt/so/conf/strelka/rules
-    - user: 939
-    - group: 939
-    - makedirs: True
+{%   if GLOBALS.is_manager %}
+include:
+  - strelka.manager
+{% endif %}
 
-{%- if grains.role in ['so-sensor', 'so-heavynode'] %}
-strelkasensorrules:
+# Strelka config
+strelkasensorcompiledrules:
   file.recurse:
     - name: /opt/so/conf/strelka/rules/compiled/
     - source: salt://strelka/rules/compiled/
     - user: 939
     - group: 939
     - clean: True
-{%- endif %}
-
-strelkareposdir:
-  file.directory:
-    - name: /opt/so/conf/strelka/repos
-    - user: 939
-    - group: 939
     - makedirs: True
 
 strelkadatadir:
@@ -58,29 +34,26 @@ strelkalogdir:
     - name: /nsm/strelka/log
     - user: 939
     - group: 939
-    - makedirs: True
-
-strelka_sbin:
-  file.recurse:
-    - name: /usr/sbin
-    - source: salt://strelka/tools/sbin
-    - user: 939
-    - group: 939
-    - file_mode: 755
 
 strelkagkredisdatadir:
   file.directory:
     - name: /nsm/strelka/gk-redis-data
     - user: 939
     - group: 939
-    - makedirs: True
 
 strelkacoordredisdatadir:
   file.directory:
     - name: /nsm/strelka/coord-redis-data
     - user: 939
     - group: 939
-    - makedirs: True
+
+strelka_sbin:
+  file.recurse:
+    - name: /usr/sbin
+    - source: salt://strelka/tools/sbin
+    - user: 939
+    - group: 939
+    - file_mode: 755
 
 {% else %}
 

diff --git a/salt/strelka/manager.sls b/salt/strelka/manager.sls
@@ -4,12 +4,13 @@
 # Elastic License 2.0.
 
 {% from 'allowed_states.map.jinja' import allowed_states %}
-{% if sls in allowed_states %}
+{# if strelka.manager or strelka in allowed_states #}
+{% if sls in allowed_states or sls.split('.')[0] in allowed_states %}
 
 # Strelka config
-strelkaconfdir:
+strelkarulesdir:
   file.directory:
-    - name: /opt/so/conf/strelka/rules/compiled/
+    - name: /opt/so/conf/strelka/rules
     - user: 939
     - group: 939
     - makedirs: True
@@ -20,21 +21,12 @@ strelkacompileyara:
     - source: salt://strelka/compile_yara/compile_yara.py
     - user: 939
     - group: 939
-    - makedirs: True
-
-strelkarulesdir:
-  file.directory:
-    - name: /opt/so/conf/strelka/rules
-    - user: 939
-    - group: 939
-    - makedirs: True
 
 strelkareposdir:
   file.directory:
     - name: /opt/so/conf/strelka/repos
     - user: 939
     - group: 939
-    - makedirs: True
 
 {% else %}