$OpenBSD: patch-suricata_yaml_in,v 1.6 2019/10/02 17:42:24 jasper Exp $

After reload allow to write log files or use syslog.
Switch user and group to avoid running as root.
To remove pid file its directory must be writable by suricata user.
Remove rules files not present by default.

Index: suricata.yaml.in
--- suricata.yaml.in.orig
+++ suricata.yaml.in
@@ -75,6 +75,7 @@ outputs:
   - fast:
       enabled: yes
       filename: fast.log
+      filemode: 664
       append: yes
       #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
 
@@ -83,6 +84,7 @@ outputs:
       enabled: @e_enable_evelog@
       filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
       filename: eve.json
+      filemode: 664
       #prefix: "@cee: " # prefix to prepend to each log entry
       # the following are valid when type: syslog above
       #identity: "suricata"
@@ -253,6 +255,7 @@ outputs:
   - unified2-alert:
       enabled: no
       filename: unified2.alert
+      filemode: 664
 
       # File size limit.  Can be specified in kb, mb, gb.  Just a number
       # is parsed as bytes.
@@ -295,6 +298,7 @@ outputs:
   - http-log:
       enabled: no
       filename: http.log
+      filemode: 664
       append: yes
       #extended: yes     # enable this for extended logging information
       #custom: yes       # enabled the custom logging format (defined by customformat)
@@ -305,6 +309,7 @@ outputs:
   - tls-log:
       enabled: no  # Log TLS connections.
       filename: tls.log # File to store TLS logs.
+      filemode: 664
       append: yes
       #extended: yes     # Log extended information like fingerprint
       #custom: yes       # enabled the custom logging format (defined by customformat)
@@ -324,6 +329,7 @@ outputs:
   - dns-log:
       enabled: no
       filename: dns.log
+      filemode: 664
       append: yes
       #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
 
@@ -360,6 +366,7 @@ outputs:
   - pcap-log:
       enabled: no
       filename: log.pcap
+      filemode: 664
 
       # File size limit.  Can be specified in kb, mb, gb.  Just a number
       # is parsed as bytes.
@@ -394,6 +401,7 @@ outputs:
   - alert-debug:
       enabled: no
       filename: alert-debug.log
+      filemode: 664
       append: yes
       #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
 
@@ -409,6 +417,7 @@ outputs:
   - stats:
       enabled: yes
       filename: stats.log
+      filemode: 664
       append: yes       # append to file (yes) or overwrite it (no)
       totals: yes       # stats for all threads merged together
       threads: no       # per thread stats
@@ -428,6 +437,7 @@ outputs:
   - drop:
       enabled: no
       filename: drop.log
+      filemode: 664
       append: yes
       #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
 
@@ -534,6 +544,7 @@ outputs:
   - file-log:
       enabled: no
       filename: files-json.log
+      filemode: 664
       append: yes
       #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
 
@@ -552,6 +563,7 @@ outputs:
       enabled: no
       type: file
       filename: tcp-data.log
+      filemode: 664
 
   # Log HTTP body data after normalization, dechunking and unzipping.
   # 2 types: file or dir. File logs into a single logfile. Dir creates
@@ -563,6 +575,7 @@ outputs:
       enabled: no
       type: file
       filename: http-data.log
+      filemode: 664
 
   # Lua Output Support - execute lua script to generate alert and event
   # output.
@@ -604,12 +617,12 @@ logging:
       enabled: yes
       # type: json
   - file:
-      enabled: yes
+      enabled: no
       level: info
       filename: @e_logdir@suricata.log
       # type: json
   - syslog:
-      enabled: no
+      enabled: yes
       facility: local5
       format: "[%i] <%d> -- "
       # type: json
@@ -1047,9 +1060,9 @@ asn1-max-frames: 256
 ##
 
 # Run suricata as user and group.
-#run-as:
-#  user: suri
-#  group: suri
+run-as:
+  user: _suricata
+  group: _suricata
 
 # Some logging module will use that name in event as identifier. The default
 # value is the hostname
@@ -1058,7 +1071,7 @@ asn1-max-frames: 256
 # Default location of the pid file. The pid file is only used in
 # daemon mode (start Suricata with -D). If not running in daemon mode
 # the --pidfile command line option must be used to create a pid file.
-#pid-file: @e_rundir@suricata.pid
+pid-file: @e_rundir@suricata.pid
 
 # Daemon working directory
 # Suricata will change directory to this one if provided
@@ -1862,9 +1875,21 @@ mpipe:
 ## file configuration".
 ##
 
-@no_suricata_update_comment@default-rule-path: @e_defaultruledir@
-@no_suricata_update_comment@rule-files:
-@no_suricata_update_comment@ - suricata.rules
+default-rule-path: @e_sysconfdir@rules
+rule-files:
+
+  - app-layer-events.rules
+  - decoder-events.rules
+  #- dnp3-events.rules
+  - dns-events.rules
+  - files.rules
+  - http-events.rules
+  #- modbus-events.rules
+  #- nfs-events.rules
+  #- ntp-events.rules
+  - smtp-events.rules
+  - stream-events.rules
+  - tls-events.rules
 
 ##
 ## Advanced rule file configuration.
