fix issue loading zeek intel on startup

cisagov · Dec 4, 2023 · acbe2d3 · acbe2d3
1 parent 7cc9e10
commit acbe2d3
Show file tree

Hide file tree

Showing 4 changed files with 32 additions and 9 deletions.
diff --git a/kubernetes/10-zeek.yml b/kubernetes/10-zeek.yml
@@ -65,8 +65,11 @@ spec:
             subPath: "upload"
           - mountPath: "/opt/zeek/share/zeek/site/custom"
             name: zeek-offline-custom-volume
-          - mountPath: "/opt/zeek/share/zeek/site/intel/configmap"
+          - mountPath: "/opt/zeek/share/zeek/site/intel-preseed"
+            name: zeek-offline-intel-preseed-volume
+          - mountPath: "/opt/zeek/share/zeek/site/intel"
             name: zeek-offline-intel-volume
+            subPath: "zeek/intel"
       initContainers:
       - name: zeek-offline-dirinit-container
         image: ghcr.io/idaholab/malcolm/dirinit:23.12.0
@@ -78,8 +81,10 @@ spec:
               name: process-env
         env:
           - name: PUSER_MKDIR
-            value: "/data/pcap:processed;/data/zeek-logs:current,extract_files/preserved,extract_files/quarantine,live,processed,upload"
+            value: "/data/config:zeek/intel/MISP,zeek/intel/STIX;/data/pcap:processed;/data/zeek-logs:current,extract_files/preserved,extract_files/quarantine,live,processed,upload"
         volumeMounts:
+          - name: zeek-offline-intel-volume
+            mountPath: "/data/config"
           - name: zeek-offline-pcap-volume
             mountPath: "/data/pcap"
           - name: zeek-offline-zeek-volume
@@ -97,6 +102,9 @@ spec:
         - name: zeek-offline-custom-volume
           configMap:
             name: zeek-custom
-        - name: zeek-offline-intel-volume
+        - name: zeek-offline-intel-preseed-volume
           configMap:
-            name: zeek-intel
+            name: zeek-intel-preseed
+        - name: zeek-offline-intel-volume
+          persistentVolumeClaim:
+            claimName: config-claim
diff --git a/kubernetes/21-zeek-live.yml b/kubernetes/21-zeek-live.yml
@@ -57,8 +57,11 @@ spec:
             subPath: "upload"
           - mountPath: "/opt/zeek/share/zeek/site/custom"
             name: zeek-live-custom-volume
-          - mountPath: "/opt/zeek/share/zeek/site/intel/configmap"
+          - mountPath: "/opt/zeek/share/zeek/site/intel-preseed"
+            name: zeek-live-intel-preseed-volume
+          - mountPath: "/opt/zeek/share/zeek/site/intel"
             name: zeek-live-intel-volume
+            subPath: "zeek/intel"
       initContainers:
       - name: zeek-live-dirinit-container
         image: ghcr.io/idaholab/malcolm/dirinit:23.12.0
@@ -70,8 +73,10 @@ spec:
               name: process-env
         env:
           - name: PUSER_MKDIR
-            value: "/data/zeek-logs:current,extract_files/preserved,extract_files/quarantine,live,processed,upload"
+            value: "/data/config:zeek/intel/MISP,zeek/intel/STIX;/data/zeek-logs:current,extract_files/preserved,extract_files/quarantine,live,processed,upload"
         volumeMounts:
+          - name: zeek-live-intel-volume
+            mountPath: "/data/config"
           - name: zeek-live-zeek-volume
             mountPath: "/data/zeek-logs"
       volumes:
@@ -84,6 +89,9 @@ spec:
         - name: zeek-live-custom-volume
           configMap:
             name: zeek-custom
-        - name: zeek-live-intel-volume
+        - name: zeek-live-intel-preseed-volume
           configMap:
-            name: zeek-intel
+            name: zeek-intel-preseed
+        - name: zeek-live-intel-volume
+          persistentVolumeClaim:
+            claimName: config-claim
diff --git a/scripts/malcolm_kubernetes.py b/scripts/malcolm_kubernetes.py
@@ -165,7 +165,7 @@
             'path': os.path.join(MalcolmPath, os.path.join('zeek', 'custom')),
         },
     ],
-    'zeek-intel': [
+    'zeek-intel-preseed': [
         {
             'secret': False,
             'path': os.path.join(MalcolmPath, os.path.join('zeek', 'intel')),

diff --git a/shared/bin/zeek_intel_setup.sh b/shared/bin/zeek_intel_setup.sh
@@ -17,6 +17,7 @@ ZEEK_INTEL_ITEM_EXPIRATION=${ZEEK_INTEL_ITEM_EXPIRATION:-"-1min"}
 ZEEK_INTEL_FEED_SINCE=${ZEEK_INTEL_FEED_SINCE:-""}
 ZEEK_INTEL_REFRESH_THREADS=${ZEEK_INTEL_REFRESH_THREADS:-"2"}
 INTEL_DIR=${INTEL_DIR:-"${ZEEK_DIR}/share/zeek/site/intel"}
+INTEL_PRESEED_DIR=${INTEL_PRESEED_DIR:-"${ZEEK_DIR}/share/zeek/site/intel-preseed"}
 THREAT_FEED_TO_ZEEK_SCRIPT=${THREAT_FEED_TO_ZEEK_SCRIPT:-"${ZEEK_DIR}/bin/zeek_intel_from_threat_feed.py"}
 LOCK_DIR="${INTEL_DIR}/lock"
 
@@ -29,6 +30,12 @@ mkdir -p -- "$(dirname "$LOCK_DIR")"
 if mkdir -- "$LOCK_DIR" 2>/dev/null; then
     trap finish EXIT
 
+    # if we have a directory to seed the intel config for the first time, start from a blank slate with just its contents
+    if [[ -d "${INTEL_DIR}" ]] && [[ -d "${INTEL_PRESEED_DIR}" ]]; then
+        rsync -av --delete "${INTEL_PRESEED_DIR}"/ "${INTEL_DIR}"/
+        mkdir -p "${INTEL_DIR}"/MISP "${INTEL_DIR}"/STIX || true
+    fi
+
     # create directive to @load every subdirectory in /opt/zeek/share/zeek/site/intel
     if [[ -d "${INTEL_DIR}" ]] && (( $(find "${INTEL_DIR}" -mindepth 1 -maxdepth 1 -type d 2>/dev/null | wc -l) > 0 )); then
         pushd "${INTEL_DIR}" >/dev/null 2>&1