onionsalt: improve ids/bro/ossec updates #519

Closed
GoogleCodeExporter opened this Issue Mar 24, 2015 · 5 comments


Original issue reported on code.google.com by doug.bu...@gmail.com on 27 Mar 2014 at 6:02

Add the following in backend init.sls for OSSEC rules:

# Create the symlink for OSSEC rules to be synced

/opt/onionsalt/salt/sensor/ossec:
  file.symlink:
    - target: /var/ossec/rules

Original comment by doug.bu...@gmail.com on 27 Mar 2014 at 6:14

# Watch the NIDS rules and restart when needed

/etc/nsm/rules:
  file.recurse:
    # Don't mess with maxdepth or you will go on a recursed loop of pain
    - maxdepth: 0
    - source: salt://sensor/rules

restart-ids:
  cmd.wait:
    - name: /usr/sbin/nsm_sensor_ps-restart --only-snort-alert
    - cwd: /
    - watch:
      - file: /etc/nsm/rules

restart-barnyard:
  cmd.wait:
    - name: /usr/sbin/nsm_sensor_ps-restart --only-barnyard2
    - cwd: /
    - watch:
      - file: /etc/nsm/rules

# Watch the Bro policy directory and restart when needed

/opt/bro/share/bro/policy:
  file.recurse:
    - source: salt://sensor/bro/policy

# Sometimes Bro restart results in no logging, so disabling this for now
#restart-bro:
#  cmd.wait:
#    - name: /opt/bro/bin/broctl install; /opt/bro/bin/broctl restart
#    - cwd: /
#    - watch:
#      - file: /opt/bro/share/bro/policy

# Watch the OSSEC rules and restart when needed

/var/ossec/rules:
  file.recurse:
    # Don't need to copy subdirectories so set maxdepth to 0
    - maxdepth: 0
    - source: salt://sensor/ossec

restart-ossec:
  cmd.wait:
    - name: service ossec-hids-server restart
    - cwd: /
    - watch:
      - file: /var/ossec/rules

Original comment by doug.bu...@gmail.com on 28 Mar 2014 at 5:39

Published:
http://blog.securityonion.net/2014/04/new-securityonion-onionsalt-package.html

Original comment by doug.bu...@gmail.com on 21 Apr 2014 at 10:52

  • Changed state: Verified