handle ZEEK_INTEL_REFRESH_CRON_EXPRESSION on Hedgehog Linux installat…

…ions to allow for refreshing zeek intel on hedgehog as well: related (somewhat) to idaholab#456
mmguero-dev · Apr 10, 2024 · 3e18b88 · 3e18b88
1 parent 97ebeef
commit 3e18b88
Show file tree

Hide file tree

Showing 3 changed files with 13 additions and 3 deletions.
diff --git a/hedgehog-iso/interface/sensor_ctl/control_vars.conf b/hedgehog-iso/interface/sensor_ctl/control_vars.conf
@@ -72,6 +72,7 @@ export ZEEK_LOCAL_NETS=
 export ZEEK_JSON=
 export ZEEK_RULESET=local
 export ZEEK_INTEL_REFRESH_ON_DEPLOY=true
+export ZEEK_INTEL_REFRESH_CRON_EXPRESSION=
 export ZEEK_INTEL_ITEM_EXPIRATION=-1min
 export ZEEK_INTEL_FEED_SINCE=
 export ZEEK_EXTRACTOR_MODE=none

diff --git a/...l/supervisor.init/supercronic_populate.sh → ...rvisor.init/suricata_update_cron_setup.sh b/...l/supervisor.init/supercronic_populate.sh → ...rvisor.init/suricata_update_cron_setup.sh
@@ -4,9 +4,10 @@
 
 if [[ -n $SUPERVISOR_PATH ]] && [[ -d "$SUPERVISOR_PATH"/supercronic ]]; then
 
-    # clear out supercronic crontab and repopulate based on autostart variables
+    # clear out suricata-update from crontab and repopulate based on autostart variables
     CRONTAB_PATH="$SUPERVISOR_PATH"/supercronic/crontab
-    > "$CRONTAB_PATH"
+    touch "$CRONTAB_PATH"
+    sed -i -e "/suricata-update/d" "$CRONTAB_PATH"
 
     # suricata updates
     if [[ "${AUTOSTART_SURICATA_UPDATES:-false}" == "true" ]] && \
@@ -47,4 +48,7 @@ if [[ -n $SUPERVISOR_PATH ]] && [[ -d "$SUPERVISOR_PATH"/supercronic ]]; then
 
         echo "${SURICATA_REFRESH_CRON_EXPRESSION:-15 2 * * *} /usr/bin/suricata-update --config \"$SURICATA_UPDATE_CONFIG_FILE\" --suricata-conf \"$SURICATA_CONFIG_FILE\" --data-dir \"${SURICATA_MANAGED_DIR:-/var/lib/suricata}\" $ETOPEN_FLAG" >> "$CRONTAB_PATH"
     fi # suricata updates
+
+    # reload supercronic if it's running
+    killall -s USR2 supercronic >/dev/null 2>&1 || true
 fi
diff --git a/shared/bin/zeek_intel_setup.sh b/shared/bin/zeek_intel_setup.sh
@@ -131,8 +131,13 @@ fi # singleton lock check
 # write a cron entry to $SUPERCRONIC_CRONTAB using the interval specified in
 # $ZEEK_INTEL_REFRESH_CRON_EXPRESSION (e.g., 15 1 * * *) to execute this script
 set +u
+if [[ -z "${SUPERCRONIC_CRONTAB}" ]] && \
+   [[ -n "${SUPERVISOR_PATH}" ]] && \
+   [[ -d "${SUPERVISOR_PATH}"/supercronic ]]; then
+    SUPERCRONIC_CRONTAB = "${SUPERVISOR_PATH}"/supercronic/crontab
+    touch "${SUPERCRONIC_CRONTAB}" 2>/dev/null || true
+fi
 if [[ -n "${SUPERCRONIC_CRONTAB}" ]] && [[ -f "${SUPERCRONIC_CRONTAB}" ]]; then
-    touch "${SUPERCRONIC_CRONTAB}"
     sed -i -e "/${SCRIPT_FILESPEC_ESCAPED}/d" "${SUPERCRONIC_CRONTAB}"
     if [[ -n "${ZEEK_INTEL_REFRESH_CRON_EXPRESSION}" ]]; then
         echo "${ZEEK_INTEL_REFRESH_CRON_EXPRESSION} ${SCRIPT_FILESPEC} true" >> "${SUPERCRONIC_CRONTAB}"