From 04230e6e4bed8f1e73ff1f943b26205b37bd4bf3 Mon Sep 17 00:00:00 2001
From: Johnathon
Date: Sun, 2 Jul 2023 06:18:02 -0500
Subject: [PATCH 1/2] Update playbook to work with zeek 5.0.9

---
 playbooks/group_vars/all.yml | 6 +++---
 roles/zeek/defaults/main.yml | 6 ------
 roles/zeek/tasks/main.yml | 17 +++++++++++++----
 3 files changed, 16 insertions(+), 13 deletions(-)

diff --git a/playbooks/group_vars/all.yml b/playbooks/group_vars/all.yml
index 363216162..519ca4cc0 100644
--- a/playbooks/group_vars/all.yml
+++ b/playbooks/group_vars/all.yml
@@ -152,9 +152,9 @@ rock_offline_gpgcheck: 0
 zeek_user: zeek
 zeek_group: zeek
 zeek_data_dir: "{{ rock_data_dir }}/zeek"
-zeek_prefix: /usr
-zeek_sysconfig_dir: /etc/zeek
-zeek_site_dir: /usr/share/zeek/site
+zeek_prefix: /opt/zeek
+zeek_sysconfig_dir: /opt/zeek/etc
+zeek_site_dir: /opt/zeek/share/zeek/site
 zeek_cpu: "{{ (ansible_processor_vcpus|int // 2) if (ansible_processor_vcpus|int <= 16) else 8 }}"
 zeek_rockscripts_repo: https://github.com/rocknsm/rock-scripts.git
 zeek_rockscripts_branch: master
diff --git a/roles/zeek/defaults/main.yml b/roles/zeek/defaults/main.yml
index 8506211d2..e42c7e6f9 100644
--- a/roles/zeek/defaults/main.yml
+++ b/roles/zeek/defaults/main.yml
@@ -2,9 +2,3 @@
 # defaults file for zeek
 zeek_packages:
   - zeek
-  - zeek-aux
-  - zeekctl
-  - zeek-plugin-kafka
-  - zeek-plugin-af_packet
-  - zeek-plugin-communityid
-  - zeek-plugin-gquic
diff --git a/roles/zeek/tasks/main.yml b/roles/zeek/tasks/main.yml
index 2b3211027..8d0db0a1d 100644
--- a/roles/zeek/tasks/main.yml
+++ b/roles/zeek/tasks/main.yml
@@ -66,6 +66,7 @@
     - { src: 'GeoLiteCountry.dat', dest: 'GeoIPCountry.dat' }
     - { src: 'GeoLiteASNum.dat', dest: 'GeoIPASNum.dat' }
     - { src: 'GeoLiteCityv6.dat', dest: 'GeoIPCityv6.dat' }
+  when: false
 
 - name: Create zeek group
   group:
@@ -229,7 +230,7 @@
 
 - name: Set zeek capabilities
   capabilities:
-    path: /usr/bin/zeek
+    path: "{{ zeek_prefix }}/bin/zeek"
     capability: "{{ item }}"
     state: present
   loop:
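Review bot: `zeek_sysconfig_dir` and `zeek_site_dir` repeat the `/opt/zeek` prefix as literals instead of deriving it from `zeek_prefix`, so the three values can drift apart the next time the install location moves. The task changes in this same series already build every binary path from `zeek_prefix`, so the variables should follow the same pattern: `zeek_sysconfig_dir: "{{ zeek_prefix }}/etc"` and `zeek_site_dir: "{{ zeek_prefix }}/share/zeek/site"`.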
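Review bot: The hunk removes `zeekctl`, `zeek-aux` and the af_packet/kafka/communityid/gquic plugin packages from `zeek_packages` without a comment saying that the single remaining `zeek` package is now expected to provide them; the tasks in this series still call `{{ zeek_prefix }}/bin/zeekctl` and `{{ zeek_prefix }}/bin/capstats`, so the remaining package must ship both. Suggest a comment above the list such as `# zeek 5.0.9 package bundles zeekctl, capstats and the formerly separate plugins under zeek_prefix — confirm against the installed package`. If any zeekctl configuration in this role still loads the Kafka or af_packet plugins, that dependency is no longer installed by this list and would need to be documented or provided elsewhere.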
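Review bot: `when: false` leaves the GeoIP database copy task in place as dead code with no indication of why it was disabled or whether it is meant to return, so a later reader cannot tell whether GeoIP lookups are expected to work on this release. Either remove the task or add a comment above the `when:` such as `# disabled for zeek 5.0.9 — TODO: confirm whether the legacy GeoIP .dat files are still needed, otherwise delete this task`; the reason is not visible in this hunk, so the wording should be confirmed. The task's module and item list begin above the hunk.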
@@ -238,7 +239,7 @@
 
 - name: Set capstats capabilities
   capabilities:
-    path: /usr/bin/capstats
+    path: "{{ zeek_prefix }}/bin/capstats"
     capability: "{{ item }}"
     state: present
   loop:
@@ -251,10 +252,10 @@
     minute: "*/5"
     cron_file: rocknsm_zeekctl
     user: "{{ zeek_user }}"
-    job: "/usr/bin/zeekctl cron >/dev/null 2>&1"
+    job: "{{ zeek_prefix }}/bin/zeekctl cron >/dev/null 2>&1"
 
 - name: Initialize zeek scripts for workers
-  command: /usr/bin/zeekctl install
+  command: "{{ zeek_prefix }}/bin/zeekctl install"
   args:
     creates: "{{ zeek_data_dir }}/spool/zeekctl-config.sh"
   become: true
@@ -334,6 +335,14 @@
     mountpoint: "{{ rock_mounts.mount }}"
   when: rock_mounts is defined and (prjquota.stdout|length>0)
 
+- name: create zeek service file
+  template:
+    src: "zeek.service.j2"
+    dest: "/usr/lib/systemd/system/zeek.service"
+    mode: 0644
+    owner: root
+    group: root
+
 - name: Enable and start zeek
   service:
     name: zeek

From 3c5dfd4b18a6818cb441d55fd5b50e0475dbed15 Mon Sep 17 00:00:00 2001
From: Johnathon
Date: Sun, 2 Jul 2023 06:18:17 -0500
Subject: [PATCH 2/2] Create zeek.service.j2

---
 roles/zeek/templates/zeek.service.j2 | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
 create mode 100644 roles/zeek/templates/zeek.service.j2

diff --git a/roles/zeek/templates/zeek.service.j2 b/roles/zeek/templates/zeek.service.j2
new file mode 100644
index 000000000..ad614d281
--- /dev/null
+++ b/roles/zeek/templates/zeek.service.j2
@@ -0,0 +1,14 @@
+[Unit]
+Description=Zeek Network Intrusion Detection System (NIDS)
+After=network.target
+
+[Service]
+Type=forking
+User=zeek
+Group=zeek
+Environment=HOME=/var/spool/zeek
+ExecStart={{ zeek_prefix }}bin/zeekctl deploy
+ExecStop={{ zeek_prefix }}/bin/zeekctl stop
+
+[Install]
+WantedBy=multi-user.target
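Review bot: The new "create zeek service file" task writes the unit to `/usr/lib/systemd/system/`, which is the directory owned by package-installed units; a unit managed by the playbook belongs in `/etc/systemd/system/`, where it is not clobbered by a future package that ships its own `zeek.service` and where it takes precedence by design. `mode: 0644` is an unquoted leading-zero octal that YAML 1.1 parsers read as the integer 420; Ansible tolerates this, but the documented robust form is the string `mode: "0644"`. The following "Enable and start zeek" task (its `state`/`enabled` lines are outside the hunk) runs without a systemd daemon reload after the unit file is created, so a `systemd: daemon_reload: true` step or a handler between the two tasks would make the first run deterministic. The task name is also the only lower-case one among the `- name:` entries visible in this file.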
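Review bot: `ExecStart={{ zeek_prefix }}bin/zeekctl deploy` is missing the `/` between the prefix and `bin`, so with the `zeek_prefix: /opt/zeek` set in this series it renders as `/opt/zeekbin/zeekctl` and the unit cannot start; the `ExecStop` line directly below has the slash. Change it to `ExecStart={{ zeek_prefix }}/bin/zeekctl deploy`. `User=zeek`, `Group=zeek` and `Environment=HOME=/var/spool/zeek` are hard-coded even though the playbook defines `zeek_user`, `zeek_group` and `zeek_data_dir` for these values and the cron task already uses `{{ zeek_user }}`; templating them (`User={{ zeek_user }}`, `Group={{ zeek_group }}`, `Environment=HOME={{ zeek_data_dir }}`) keeps the service running under the same unprivileged identity and data path the role configures elsewhere. `Type=forking` with `zeekctl deploy` and no `PIDFile=` leaves systemd to guess the main process, so stop/restart behaviour is worth confirming or a short comment explaining the choice is worth adding.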