$OpenBSD: patch-suricata_yaml_in,v 1.11 2021/04/26 09:09:01 gonzalo Exp $

- After reload allow to write log files or use syslog.
- Switch user and group to avoid running as root.
- To remove pid file its directory must be writable by suricata user.
- Comment-out suricata-update rules and add config for bundled rules
so the package can be used directly. See pkg-readme for information
about downloading rules.


Index: suricata.yaml.in
--- suricata.yaml.in.orig
+++ suricata.yaml.in
@@ -77,6 +77,7 @@ outputs:
   - fast:
       enabled: yes
       filename: fast.log
+      filemode: 664
       append: yes
       #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
 
@@ -85,6 +86,7 @@ outputs:
       enabled: @e_enable_evelog@
       filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
       filename: eve.json
+      filemode: 664
       # Enable for multi-threaded eve.json output; output files are amended with
       # with an identifier, e.g., eve.9.json
       #threaded: false
@@ -304,6 +306,7 @@ outputs:
   - http-log:
       enabled: no
       filename: http.log
+      filemode: 664
       append: yes
       #extended: yes     # enable this for extended logging information
       #custom: yes       # enable the custom logging format (defined by customformat)
@@ -314,6 +317,7 @@ outputs:
   - tls-log:
       enabled: no  # Log TLS connections.
       filename: tls.log # File to store TLS logs.
+      filemode: 664
       append: yes
       #extended: yes     # Log extended information like fingerprint
       #custom: yes       # enabled the custom logging format (defined by customformat)
@@ -361,6 +365,7 @@ outputs:
   - pcap-log:
       enabled: no
       filename: log.pcap
+      filemode: 664
 
       # File size limit.  Can be specified in kb, mb, gb.  Just a number
       # is parsed as bytes.
@@ -396,6 +401,7 @@ outputs:
   - alert-debug:
       enabled: no
       filename: alert-debug.log
+      filemode: 664
       append: yes
       #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
 
@@ -411,6 +417,7 @@ outputs:
   - stats:
       enabled: yes
       filename: stats.log
+      filemode: 664
       append: yes       # append to file (yes) or overwrite it (no)
       totals: yes       # stats for all threads merged together
       threads: no       # per thread stats
@@ -504,6 +511,7 @@ outputs:
       enabled: no
       type: file
       filename: tcp-data.log
+      filemode: 664
 
   # Log HTTP body data after normalization, de-chunking and unzipping.
   # Two types: file or dir.
@@ -517,6 +525,7 @@ outputs:
       enabled: no
       type: file
       filename: http-data.log
+      filemode: 664
 
   # Lua Output Support - execute lua script to generate alert and event
   # output.
@@ -558,12 +567,12 @@ logging:
       enabled: yes
       # type: json
   - file:
-      enabled: yes
+      enabled: no
       level: info
       filename: suricata.log
       # type: json
   - syslog:
-      enabled: no
+      enabled: yes
       facility: local5
       format: "[%i] <%d> -- "
       # type: json
@@ -990,9 +999,9 @@ asn1-max-frames: 256
 ##
 
 # Run Suricata with a specific user-id and group-id:
-#run-as:
-#  user: suri
-#  group: suri
+run-as:
+  user: _suricata
+  group: _suricata
 
 # Some logging modules will use that name in event as identifier. The default
 # value is the hostname
@@ -1001,7 +1010,7 @@ asn1-max-frames: 256
 # Default location of the pid file. The pid file is only used in
 # daemon mode (start Suricata with -D). If not running in daemon mode
 # the --pidfile command line option must be used to create a pid file.
-#pid-file: @e_rundir@suricata.pid
+pid-file: @e_rundir@suricata.pid
 
 # Daemon working directory
 # Suricata will change directory to this one if provided
@@ -1857,14 +1866,38 @@ napatech:
     #
     hashmode: hash5tuplesorted
 
+
+## Enable one or other of the two sections:
+
+
 ##
 ## Configure Suricata to load Suricata-Update managed rules.
 ##
+#default-rule-path: ${VARBASE}/suricata/rules
+#rule-files:
+#  - suricata.rules
 
-default-rule-path: @e_defaultruledir@
-
+##
+## Configure Suricata to use basic bundled rules.
+##
+default-rule-path: @e_sysconfdir@rules
 rule-files:
-  - suricata.rules
+  - app-layer-events.rules
+  - decoder-events.rules
+  - dhcp-events.rules
+  - dnp3-events.rules
+  - dns-events.rules
+  - files.rules
+  - http-events.rules
+  - ipsec-events.rules
+  - kerberos-events.rules
+  - modbus-events.rules
+  - nfs-events.rules
+  - ntp-events.rules
+  - smb-events.rules
+  - smtp-events.rules
+  - stream-events.rules
+  - tls-events.rules
 
 ##
 ## Auxiliary configuration files.
