Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add local custom template #13879

Merged
merged 4 commits into from
Nov 7, 2024
Merged

Add local custom template #13879

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
5406a26
Add local custom template
defensivedepth Oct 29, 2024
c509dab
Use socore user
defensivedepth Oct 30, 2024
28d468d
Merge remote-tracking branch 'origin/2.4/dev' into 2.4/templaterepos
defensivedepth Nov 7, 2024
f5bd8ab
Rewrite docs
defensivedepth Nov 7, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
9 changes: 1 addition & 8 deletions salt/elasticfleet/config.sls
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -81,14 +81,7 @@ eapackageupgrade:
- template: jinja

{% if GLOBALS.role != "so-fleet" %}

soresourcesrepoconfig:
git.config_set:
- name: safe.directory
- value: /nsm/securityonion-resources
- global: True
- user: socore


{% if not GLOBALS.airgap %}
soresourcesrepoclone:
git.latest:
Expand Down
10 changes: 10 additions & 0 deletions salt/manager/init.sls
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -141,6 +141,16 @@ rules_dir:
- group: socore
- makedirs: True

git_config_set_safe_dirs:
git.config_set:
- name: safe.directory
- global: True
- user: socore
- multivar:
- /nsm/rules/custom-local-repos/local-sigma
- /nsm/rules/custom-local-repos/local-yara
- /nsm/securityonion-resources
- /opt/so/conf/soc/ai_summary_repos/securityonion-resources
{% else %}

{{sls}}_state_not_allowed:
Expand Down
32 changes: 32 additions & 0 deletions salt/soc/config.sls
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -198,6 +198,38 @@ socsensoronirepos:
- mode: 775
- makedirs: True

create_custom_local_yara_repo_template:
git.present:
- name: /nsm/rules/custom-local-repos/local-yara
- bare: False
- force: True

add_readme_custom_local_yara_repo_template:
file.managed:
- name: /nsm/rules/custom-local-repos/local-yara/README
- source: salt://soc/files/soc/detections_custom_repo_template_readme.jinja
- user: 939
- group: 939
- template: jinja
- context:
repo_type: "yara"

create_custom_local_sigma_repo_template:
git.present:
- name: /nsm/rules/custom-local-repos/local-sigma
- bare: False
- force: True

add_readme_custom_local_sigma_repo_template:
file.managed:
- name: /nsm/rules/custom-local-repos/local-sigma/README
- source: salt://soc/files/soc/detections_custom_repo_template_readme.jinja
- user: 939
- group: 939
- template: jinja
- context:
repo_type: "sigma"

{% else %}

{{sls}}_state_not_allowed:
Expand Down
12 changes: 12 additions & 0 deletions salt/soc/defaults.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1342,11 +1342,17 @@ soc:
license: Elastic-2.0
folder: sigma/stable
community: true
- repo: file:///nsm/rules/custom-local-repos/local-sigma
license: Elastic-2.0
community: false
airgap:
- repo: file:///nsm/rules/detect-sigma/repos/securityonion-resources
license: Elastic-2.0
folder: sigma/stable
community: true
- repo: file:///nsm/rules/custom-local-repos/local-sigma
license: Elastic-2.0
community: false
sigmaRulePackages:
- core
- emerging_threats_addon
Expand Down Expand Up @@ -1412,10 +1418,16 @@ soc:
- repo: https://github.com/Security-Onion-Solutions/securityonion-yara
license: DRL
community: true
- repo: file:///nsm/rules/custom-local-repos/local-yara
license: Elastic-2.0
community: false
airgap:
- repo: file:///nsm/rules/detect-yara/repos/securityonion-yara
license: DRL
community: true
- repo: file:///nsm/rules/custom-local-repos/local-yara
license: Elastic-2.0
community: false
yaraRulesFolder: /opt/sensoroni/yara/rules
stateFilePath: /opt/sensoroni/fingerprints/strelkaengine.state
integrityCheckFrequencySeconds: 1200
Expand Down
94 changes: 94 additions & 0 deletions salt/soc/files/soc/detections_custom_repo_template_readme.jinja
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,94 @@
{% if repo_type == 'yara' %}
# YARA Local Custom Rules Repository

This folder has already been initialized as a git repo
and your Security Onion grid is configured to import any YARA rule files found here.

Just add your rule file and commit it.

For example:

** Note: If this is your first time making changes to this repo, you may run into the following error:

fatal: detected dubious ownership in repository at '/nsm/rules/custom-local-repos/local-yara'
To add an exception for this directory, call:
git config --global --add safe.directory /nsm/rules/custom-local-repos/local-yara

This means that the user you are running commands as does not match the user that is used for this git repo (socore).
You will need to make sure your rule files are accessible to the socore user, so either su to socore
or add the exception and then chown the rule files later.

Also, you will be asked to set some configuration:
```
Author identity unknown
*** Please tell me who you are.
Run
git config --global user.email "[email protected]"
git config --global user.name "Your Name"
to set your account's default identity.
Omit --global to set the identity only in this repository.
```

Run these commands, ommitting the `--global`.

With that out of the way:

First, create the rule file with a .yar extension:
`vi my_custom_rule.yar`

Next, use git to stage the new rule to be committed:
`git add my_custom_rule.yar`

Finally, commit it:
`git commit -m "Initial commit of my_custom_rule.yar"`

The next time the Strelka / YARA engine syncs, the new rule should be imported
If there are errors, review the sync log to troubleshoot further.

{% elif repo_type == 'sigma' %}
# Sigma Local Custom Rules Repository

This folder has already been initialized as a git repo
and your Security Onion grid is configured to import any Sigma rule files found here.

Just add your rule file and commit it.

For example:

** Note: If this is your first time making changes to this repo, you may run into the following error:

fatal: detected dubious ownership in repository at '/nsm/rules/custom-local-repos/local-sigma'
To add an exception for this directory, call:
git config --global --add safe.directory /nsm/rules/custom-local-repos/local-sigma

This means that the user you are running commands as does not match the user that is used for this git repo (socore).
You will need to make sure your rule files are accessible to the socore user, so either su to socore
or add the exception and then chown the rule files later.

Also, you will be asked to set some configuration:
```
Author identity unknown
*** Please tell me who you are.
Run
git config --global user.email "[email protected]"
git config --global user.name "Your Name"
to set your account's default identity.
Omit --global to set the identity only in this repository.
```

Run these commands, ommitting the `--global`.

With that out of the way:

First, create the rule file with a .yml or .yaml extension:
`vi my_custom_rule.yml`

Next, use git to stage the new rule to be committed:
`git add my_custom_rule.yml`

Finally, commit it:
`git commit -m "Initial commit of my_custom_rule.yml"`

The next time the Elastalert / Sigma engine syncs, the new rule should be imported
If there are errors, review the sync log to troubleshoot further.
{% endif %}
Loading