for cisagov#457, signal suricata rules to reload after update

hedgehog-iso/interface/sensor_ctl/supervisor.d/suricata.conf

@@ -1,6 +1,8 @@
 [program:suricata]
 command=/usr/bin/suricata
   -v
+  --unix-socket="%(ENV_SUPERVISOR_PATH)s/suricata/suricata-command.socket"
+  --set unix-command.enabled=true
   -c "%(ENV_SUPERVISOR_PATH)s/suricata/suricata.yaml"
   -l "%(ENV_ZEEK_LOG_PATH)s/suricata"
   --pidfile "%(ENV_SUPERVISOR_PATH)s/suricata/suricata.pid"

suricata/scripts/suricata-socket.sh

@@ -5,8 +5,12 @@ SURICATA_CONFIG_FILE=${SURICATA_CONFIG_FILE:-/etc/suricata/suricata.yaml}
 SURICATA_LOG_DIR=${SURICATA_LOG_DIR:-/var/log/suricata}
 SURICATA_VERBOSE_FLAG=${PCAP_PIPELINE_VERBOSITY:-}
 
+SURICATA_RUN_DIR="${SURICATA_RUN_DIR:-}"
+[[ -z "$SURICATA_RUN_DIR" ]] && SURICATA_RUN_DIR="${SUPERVISOR_PATH:-/var/run}/suricata"
+SURICATA_SOCKET="$SURICATA_RUN_DIR"/suricata-command.socket
+
 "${SURICATA_BIN}" "${SURICATA_VERBOSE_FLAG}" \
-    --unix-socket \
+    --unix-socket="$SURICATA_SOCKET" \
     --set unix-command.enabled=true \
     -c "${SURICATA_CONFIG_FILE}" \
     -l "${SURICATA_LOG_DIR}"

suricata/scripts/suricata-update-rules.sh

@@ -43,6 +43,14 @@ if type suricata-update >/dev/null 2>&1; then
     --suricata-conf "${SURICATA_CONFIG_FILE:-/etc/suricata/suricata.yaml}" \
     --fail 2>&1 | grep $UPDATE_IGNORE_FLAG "$UPDATE_IGNORE"
 
+
+    SURICATA_RUN_DIR="${SURICATA_RUN_DIR:-}"
+    [[ -z "$SURICATA_RUN_DIR" ]] && SURICATA_RUN_DIR="${SUPERVISOR_PATH:-/var/run}/suricata"
+    SURICATA_SOCKET="$SURICATA_RUN_DIR"/suricata-command.socket
+
+    test -S "$SURICATA_SOCKET" >/dev/null 2>&1 && \
+      suricatasc "$SURICATA_SOCKET" -c ruleset-reload-nonblocking >/dev/null 2>&1
+
 else
   exit 1
 fi

suricata/supervisord.conf

@@ -73,6 +73,8 @@ user=%(ENV_PUSER)s
 [program:live-suricata]
 command=/usr/bin/suricata
   -v
+  --unix-socket="%(ENV_SURICATA_RUN_DIR)s/suricata-command.socket"
+  --set unix-command.enabled=true
   -c "%(ENV_SURICATA_CONFIG_FILE)s"
   -l "%(ENV_SURICATA_LOG_DIR)s/live"
   --af-packet