have threat intel happen once under supervisord on startup, not in co…

…ntainer entrypoint for zeek non-live container, to support cisagov#358

Dockerfiles/zeek.Dockerfile

@@ -203,8 +203,9 @@ ARG ZEEK_PCAP_PROCESSOR=true
 #Whether or not to run "zeek -r XXXXX.pcap local" on each pcap file
 ARG ZEEK_AUTO_ANALYZE_PCAP_FILES=false
 ARG ZEEK_AUTO_ANALYZE_PCAP_THREADS=1
-#Whether or not to refresh intel at various points during processing
-ARG ZEEK_INTEL_REFRESH_ON_ENTRYPOINT=false
+#Whether or not to do first intel refresh under supervisord
+ARG ZEEK_INTEL_REFRESH_ON_STARTUP=false
+#Whether or not to do first intel refresh under zeekdeploy.sh
 ARG ZEEK_INTEL_REFRESH_ON_DEPLOY=false
 ARG ZEEK_INTEL_REFRESH_CRON_EXPRESSION=
 ARG ZEEK_INTEL_ITEM_EXPIRATION=-1min
@@ -227,7 +228,7 @@ ARG PCAP_NODE_NAME=malcolm
 
 ENV AUTO_TAG $AUTO_TAG
 ENV ZEEK_PCAP_PROCESSOR $ZEEK_PCAP_PROCESSOR
-ENV ZEEK_INTEL_REFRESH_ON_ENTRYPOINT $ZEEK_INTEL_REFRESH_ON_ENTRYPOINT
+ENV ZEEK_INTEL_REFRESH_ON_STARTUP $ZEEK_INTEL_REFRESH_ON_STARTUP
 ENV ZEEK_INTEL_REFRESH_ON_DEPLOY $ZEEK_INTEL_REFRESH_ON_DEPLOY
 ENV ZEEK_INTEL_REFRESH_CRON_EXPRESSION $ZEEK_INTEL_REFRESH_CRON_EXPRESSION
 ENV ZEEK_AUTO_ANALYZE_PCAP_FILES $ZEEK_AUTO_ANALYZE_PCAP_FILES

config/zeek-offline.env.example

@@ -11,9 +11,9 @@ ZEEK_ROTATED_PCAP=true
 
 ZEEK_PCAP_PROCESSOR=true
 
-# Specifies whether or not to refresh Zeek Intelligence Framework files in
-#   the container entrypoint
-ZEEK_INTEL_REFRESH_ON_ENTRYPOINT=true
+# Specifies whether or not to refresh Zeek Intelligence Framework files
+#   as soon as the container starts up
+ZEEK_INTEL_REFRESH_ON_STARTUP=true
 # Specifies a cron expression indicating the refresh interval for generating the
 #   Zeek Intelligence Framework files (or blank to disable automatic refresh)
 ZEEK_INTEL_REFRESH_CRON_EXPRESSION=

zeek/scripts/container_health.sh

@@ -5,7 +5,7 @@
 if [[ "${ZEEK_LIVE_CAPTURE:-false}" == "true" ]]; then
     supervisorctl status live-zeek >/dev/null 2>&1
 else
-    if [[ "${ZEEK_INTEL_REFRESH_ON_ENTRYPOINT:-false}" == "true" ]]; then
+    if [[ "${ZEEK_INTEL_REFRESH_ON_STARTUP:-false}" == "true" ]]; then
         ( ps a 2>/dev/null | grep -q '[z]eek_intel_from_threat_feed.py' ) || supervisorctl status pcap-zeek >/dev/null 2>&1
     else
         supervisorctl status pcap-zeek >/dev/null 2>&1

zeek/scripts/docker_entrypoint.sh

@@ -6,16 +6,5 @@ ZEEK_DIR=${ZEEK_DIR:-"/opt/zeek"}
 setcap 'CAP_NET_RAW+eip CAP_NET_ADMIN+eip' "${ZEEK_DIR}"/bin/zeek 2>/dev/null || true
 setcap 'CAP_NET_RAW+eip CAP_NET_ADMIN+eip' "${ZEEK_DIR}"/bin/capstats 2>/dev/null || true
 
-if [[ "${ZEEK_INTEL_REFRESH_ON_ENTRYPOINT:-false}" == "true" ]] && \
-   [[ -x "${ZEEK_DIR}"/bin/zeek_intel_setup.sh ]]; then
-    if [[ "$(id -u)" == "0" ]] && [[ -n "$PUSER" ]]; then
-        su -s /bin/bash -p ${PUSER} << EOF
-            "${ZEEK_DIR}"/bin/zeek_intel_setup.sh /bin/true
-EOF
-    else
-        "${ZEEK_DIR}"/bin/zeek_intel_setup.sh /bin/true
-    fi
-fi
-
 # start supervisor (which will spawn pcap-zeek, cron, etc.) or whatever the default command is
 exec "$@"

zeek/supervisord.conf

@@ -53,6 +53,17 @@ stdout_logfile_maxbytes=0
 redirect_stderr=true
 user=%(ENV_PUSER)s
 
+[program:intel-initialization]
+command="%(ENV_ZEEK_DIR)s"/bin/zeek_intel_setup.sh /bin/true
+autostart=%(ENV_ZEEK_INTEL_REFRESH_ON_STARTUP)s
+autorestart=false
+stopasgroup=true
+killasgroup=true
+stdout_logfile=/dev/fd/1
+stdout_logfile_maxbytes=0
+redirect_stderr=true
+user=%(ENV_PUSER)s
+
 [program:live-zeek]
 command=/opt/zeek/bin/zeekdeploy.sh
 autostart=%(ENV_ZEEK_LIVE_CAPTURE)s