configure and enable/disable sensoroni via ui

salt/manager/tools/sbin/so-minion

@@ -182,6 +182,8 @@ function add_analyst_to_minion() {
 		"  gui:"\
 		"    enabled: true"\
 		"sensoroni:"\
+		"  enabled: True"\
+		"  config:"\		
 		"    node_description: '${NODE_DESCRIPTION//\'/''}'" >> $PILLARFILE
 }
 
@@ -195,9 +197,22 @@ function add_host_to_minion() {
 
 # Add sensoroni specific information - Can we pull node_adrees from the host pillar?
 function add_sensoroni_to_minion() {
-
 	printf '%s\n'\
     "sensoroni:"\
+	"  enabled: True"\
+	"  config:"\
+	"    node_description: '${NODE_DESCRIPTION//\'/''}'"\
+    "  " >> $PILLARFILE
+}
+
+# Add sensoroni specific information - Can we pull node_adrees from the host pillar?
+function add_sensoroni_with_analyze_to_minion() {
+	printf '%s\n'\
+    "sensoroni:"\
+	"  enabled: True"\
+	"  config:"\
+    "    analyze:"\
+    "      enabled: True"\
 	"    node_description: '${NODE_DESCRIPTION//\'/''}'"\
     "  " >> $PILLARFILE
 }
@@ -506,7 +521,12 @@ if [[ "$OPERATION" = 'add' || "$OPERATION" = 'setup' ]]; then
 	fi
 	create_minion_files
 	add_host_to_minion
+	managers=("EVAL" "STANDALONE" "IMPORT" "MANAGER" "MANAGERSEARCH")
+	if echo "${managers[@]}" | grep -qw "$NODETYPE"; then
+		add_sensoroni_with_analyze_to_minion
+	else
 		add_sensoroni_to_minion
+	fi
 	create$NODETYPE
 	echo "Minion file created for $MINION_ID"	
 fi

salt/sensoroni/config.sls

@@ -0,0 +1,60 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+sensoroniconfdir:
+  file.directory:
+    - name: /opt/so/conf/sensoroni
+    - user: 939
+    - group: 939
+    - makedirs: True
+
+sensoroniagentconf:
+  file.managed:
+    - name: /opt/so/conf/sensoroni/sensoroni.json
+    - source: salt://sensoroni/files/sensoroni.json
+    - user: 939
+    - group: 939
+    - mode: 600
+    - template: jinja
+
+analyzersdir:
+  file.directory:
+    - name: /opt/so/conf/sensoroni/analyzers
+    - user: 939
+    - group: 939
+    - makedirs: True
+
+sensoronilog:
+  file.directory:
+    - name: /opt/so/log/sensoroni
+    - user: 939
+    - group: 939
+    - makedirs: True
+
+analyzerscripts:
+  file.recurse:
+    - name: /opt/so/conf/sensoroni/analyzers
+    - user: 939
+    - group: 939
+    - file_mode: 755
+    - template: jinja
+    - source: salt://sensoroni/files/analyzers
+
+sensoroni_sbin:
+  file.recurse:
+    - name: /usr/sbin
+    - source: salt://sensoroni/tools/sbin
+    - user: 939
+    - group: 939
+    - file_mode: 755
+
+#sensoroni_sbin_jinja:
+#  file.recurse:
+#    - name: /usr/sbin
+#    - source: salt://sensoroni/tools/sbin_jinja
+#    - user: 939
+#    - group: 939 
+#    - file_mode: 755
+#    - template: jinja

salt/sensoroni/defaults.yaml

@@ -0,0 +1,11 @@
+sensoroni:
+  enabled: False
+  config:
+    analyze:
+      enabled: False
+      analyze_timeout_ms: 900000
+      analyze_parallel_limit: 5
+    node_checkin_interval_ms: 10000
+    node_description:
+    sensoronikey:
+    soc_host:

salt/sensoroni/disabled.sls

@@ -0,0 +1,16 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+include:
+  - sensoroni.sostatus
+  
+so-sensoroni:
+  docker_container.absent:
+    - force: True
+
+so-zeek_so-status.disabled:
+  file.comment:
+    - name: /opt/so/conf/so-status/so-status.conf
+    - regex: ^so-sensoroni$

salt/sensoroni/enabled.sls

@@ -0,0 +1,32 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'vars/globals.map.jinja' import GLOBALS %}
+
+include:
+  - sensoroni.config
+  - sensoroni.sostatus
+
+so-sensoroni:
+  docker_container.running:
+    - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-soc:{{ GLOBALS.so_version }}
+    - network_mode: host
+    - binds:
+      - /opt/so/conf/steno/certs:/etc/stenographer/certs:rw
+      - /nsm/pcap:/nsm/pcap:rw
+      - /nsm/import:/nsm/import:rw
+      - /nsm/pcapout:/nsm/pcapout:rw
+      - /opt/so/conf/sensoroni/sensoroni.json:/opt/sensoroni/sensoroni.json:ro
+      - /opt/so/conf/sensoroni/analyzers:/opt/sensoroni/analyzers:rw
+      - /opt/so/log/sensoroni:/opt/sensoroni/logs:rw
+    - watch:
+      - file: /opt/so/conf/sensoroni/sensoroni.json
+    - require:
+      - file: sensoroniagentconf
+
+delete_so-zeek_so-status.disabled:
+  file.uncomment:
+    - name: /opt/so/conf/so-status/so-status.conf
+    - regex: ^so-sensoroni$

salt/sensoroni/files/sensoroni.json

@@ -1,43 +1,29 @@
-{%- from 'vars/globals.map.jinja' import GLOBALS -%}
+{%- from 'vars/globals.map.jinja' import GLOBALS %}
-{%- set ANALYZE_TIMEOUT_MS = salt['pillar.get']('sensoroni:analyze_timeout_ms', 900000) %}
+{%- from 'sensoroni/map.jinja' import SENSORONIMERGED %}
-{%- set ANALYZE_PARALLEL_LIMIT = salt['pillar.get']('sensoroni:analyze_parallel_limit', 5) %}
+{%- from 'pcap/config.map.jinja' import PCAPMERGED %}
-{%- set CHECKININTERVALMS = salt['pillar.get']('sensoroni:node_checkin_interval_ms', 10000) %}
-{%- set ROLE = grains.id.split('_') | last %}
-{%- if ROLE in ['eval', 'standalone', 'sensor', 'heavynode'] %}
-{%-   set STENODEFAULT = True %}
-{%- else %}
-{%-   set STENODEFAULT = False %}
-{%- endif %}
-{%- set STENOENABLED = salt['pillar.get']('steno:enabled', STENODEFAULT) %}
-{%- if ROLE in ['eval', 'standalone', 'import', 'manager', 'managersearch'] %}
-{%-   set ANALYZEDEFAULT = True %}
-{%- else %}
-{%-   set ANALYZEDEFAULT = False %}
-{%- endif %}
-{%- set ANALYZEENABLED = salt['pillar.get']('sensoroni:analyze_enabled', ANALYZEDEFAULT) %}
 {
   "logFilename": "/opt/sensoroni/logs/sensoroni.log",
   "logLevel":"info",
   "agent": {
     "nodeId": "{{ GLOBALS.hostname | lower }}",
     "role": "{{ GLOBALS.role }}",
-    "description": {{ GLOBALS.description | tojson }},
+    "description": {{ SENSORONIMERGED.config.node_description | tojson }},
     "address": "{{ GLOBALS.node_ip }}",
     "model": "{{ GLOBALS.so_model }}",
-    "pollIntervalMs": {{ CHECKININTERVALMS if CHECKININTERVALMS else 10000 }},
+    "pollIntervalMs": {{ SENSORONIMERGED.config.node_checkin_interval_ms }},
     "serverUrl": "https://{{ GLOBALS.url_base }}/sensoroniagents",
     "verifyCert": false,
     "modules": {
-{%- if ANALYZEENABLED %} 
+{%- if SENSORONIMERGED.config.analyze.enabled %} 
       "analyze": {
-        "timeoutMs": {{ ANALYZE_TIMEOUT_MS }},
+        "timeoutMs": {{ SENSORONIMERGED.config.analyze_timeout_ms }},
-        "parallelLimit": {{ ANALYZE_PARALLEL_LIMIT }}
+        "parallelLimit": {{ SENSORONIMERGED.config.analyze_parallel_limit }}
       },
 {%- endif %}
       "importer": {},
       "statickeyauth": {
         "apiKey": "{{ GLOBALS.sensoroni_key }}"
-{%- if STENOENABLED %} 
+{%- if PCAPMERGED.enabled %} 
       },     
       "stenoquery": {
         "executablePath": "/opt/sensoroni/scripts/stenoquery.sh",

salt/sensoroni/init.sls

@@ -1,79 +1,13 @@
-{% from 'vars/globals.map.jinja' import GLOBALS %}
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
 
-sensoroniconfdir:
+{% from 'sensoroni/map.jinja' import SENSORONIMERGED %}
-  file.directory:
-    - name: /opt/so/conf/sensoroni
-    - user: 939
-    - group: 939
-    - makedirs: True
 
-sensoroniagentconf:
+include:
-  file.managed:
+{% if SENSORONIMERGED.enabled %}
-    - name: /opt/so/conf/sensoroni/sensoroni.json
+  - sensoroni.enabled
-    - source: salt://sensoroni/files/sensoroni.json
+{% else %}
-    - user: 939
+  - sensoroni.disabled
-    - group: 939
+{% endif %}
-    - mode: 600
-    - template: jinja
-
-analyzersdir:
-  file.directory:
-    - name: /opt/so/conf/sensoroni/analyzers
-    - user: 939
-    - group: 939
-    - makedirs: True
-
-sensoronilog:
-  file.directory:
-    - name: /opt/so/log/sensoroni
-    - user: 939
-    - group: 939
-    - makedirs: True
-
-analyzerscripts:
-  file.recurse:
-    - name: /opt/so/conf/sensoroni/analyzers
-    - user: 939
-    - group: 939
-    - file_mode: 755
-    - template: jinja
-    - source: salt://sensoroni/files/analyzers
-
-sensoroni_sbin:
-  file.recurse:
-    - name: /usr/sbin
-    - source: salt://sensoroni/tools/sbin
-    - user: 939
-    - group: 939
-    - file_mode: 755
-
-#sensoroni_sbin_jinja:
-#  file.recurse:
-#    - name: /usr/sbin
-#    - source: salt://sensoroni/tools/sbin_jinja
-#    - user: 939
-#    - group: 939 
-#    - file_mode: 755
-#    - template: jinja
-
-so-sensoroni:
-  docker_container.running:
-    - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-soc:{{ GLOBALS.so_version }}
-    - network_mode: host
-    - binds:
-      - /opt/so/conf/steno/certs:/etc/stenographer/certs:rw
-      - /nsm/pcap:/nsm/pcap:rw
-      - /nsm/import:/nsm/import:rw
-      - /nsm/pcapout:/nsm/pcapout:rw
-      - /opt/so/conf/sensoroni/sensoroni.json:/opt/sensoroni/sensoroni.json:ro
-      - /opt/so/conf/sensoroni/analyzers:/opt/sensoroni/analyzers:rw
-      - /opt/so/log/sensoroni:/opt/sensoroni/logs:rw
-    - watch:
-      - file: /opt/so/conf/sensoroni/sensoroni.json
-    - require:
-      - file: sensoroniagentconf
-
-append_so-sensoroni_so-status.conf:
-  file.append:
-    - name: /opt/so/conf/so-status/so-status.conf
-    - text: so-sensoroni

salt/sensoroni/map.jinja

@@ -0,0 +1,7 @@
+{# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+   or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+   https://securityonion.net/license; you may not use this file except in compliance with the
+   Elastic License 2.0. #}
+
+{% import_yaml 'sensoroni/defaults.yaml' as SENSORONIDEFAULTS %}
+{% set SENSORONIMERGED = salt['pillar.get']('sensoroni', SENSORONIDEFAULTS.sensoroni, merge=True) %}

salt/sensoroni/soc_sensoroni.yaml

@@ -1,4 +1,22 @@
 sensoroni:
+  enabled:
+    description: Enable or disable Sensoroni.
+    advanced: True
+    helpLink: sensoroni.html
+  config:
+    analyze:
+      enabled:
+        description: Enable or disable the analyzer.
+        advanced: True
+        helpLink: sensoroni.html
+      analyze_timeout_ms:
+        description: Timeout period for the analyzer.
+        advanced: True
+        helpLink: sensoroni.html
+      analyze_parallel_limit:
+        description: Parallel limit for the analyzer.
+        advanced: True
+        helpLink: sensoroni.html
     node_checkin_interval_ms:
       description: Interval in ms to checkin to the soc_host.
       advanced: True

salt/sensoroni/sostatus.sls

@@ -0,0 +1,10 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+append_so-zeek_so-status.conf:
+  file.append:
+    - name: /opt/so/conf/so-status/so-status.conf
+    - text: so-sensoroni
+    - unless: grep -q so-sensoroni /opt/so/conf/so-status/so-status.conf

salt/vars/globals.map.jinja

@@ -26,8 +26,7 @@
     'so_docker_range': DOCKER.sorange,
     'url_base': INIT.PILLAR.global.url_base,
     'so_model': INIT.GRAINS.get('sosmodel',''),
-    'description': INIT.PILLAR.sensoroni.get('node_description',''),
+    'sensoroni_key': INIT.PILLAR.sensoroni.config.sensoronikey,
-    'sensoroni_key': INIT.PILLAR.sensoroni.sensoronikey,
     'os': INIT.GRAINS.os,
     'application_urls': {},
     'manager_roles': [