merge with dev and resolve conflicts

2026-05-03 01:48:00 +02:00 · 2020-09-09 16:23:36 -04:00
parent 770cd6eafc 1e32b32659
commit 01c9f7b2ae
35 changed files with 514 additions and 197 deletions
@@ -0,0 +1,12 @@
+[main]
+cachedir=/var/cache/yum/$basearch/$releasever
+keepcache=0
+debuglevel=2
+logfile=/var/log/yum.log
+exactarch=1
+obsoletes=1
+gpgcheck=1
+plugins=1
+installonly_limit=2
+bugtracker_url=http://bugs.centos.org/set_project.php?project_id=23&ref=http://bugs.centos.org/bug_report_page.php?category=yum
+distroverpkg=centos-release
@@ -0,0 +1,60 @@
+{% set MANAGER = salt['grains.get']('master') %}
+airgapyum:
+  file.managed:
+    - name: /etc/yum/yum.conf
+    - source: salt://airgap/files/yum.conf
+
+airgap_repo:
+  pkgrepo.managed:
+    - humanname: Airgap Repo
+    - baseurl: https://{{ MANAGER }}/repo
+    - gpgcheck: 0
+    - sslverify: 0
+
+agbase:
+  file.absent:
+    - name: /etc/yum.repos.d/CentOS-Base.repo
+
+agcr:
+  file.absent:
+    - name: /etc/yum.repos.d/CentOS-CR.repo
+
+agdebug:
+  file.absent:
+    - name: /etc/yum.repos.d/CentOS-Debuginfo.repo
+
+agfasttrack:
+  file.absent:
+    - name: /etc/yum.repos.d/CentOS-fasttrack.repo
+
+agmedia:
+  file.absent:
+    - name: /etc/yum.repos.d/CentOS-Media.repo
+
+agsources:
+  file.absent:
+    - name: /etc/yum.repos.d/CentOS-Sources.repo
+
+agvault:
+  file.absent:
+    - name: /etc/yum.repos.d/CentOS-Vault.repo
+
+agkernel:
+  file.absent:
+    - name: /etc/yum.repos.d/CentOS-x86_64-kernel.repo
+
+agepel:
+  file.absent:
+    - name: /etc/yum.repos.d/epel.repo
+
+agtesting:
+  file.absent:
+    - name: /etc/yum.repos.d/epel-testing.repo
+
+agssrepo:
+  file.absent:
+    - name: /etc/yum.repos.d/saltstack.repo
+
+agwazrepo:
+  file.absent:
+    - name: /etc/yum.repos.d/wazuh.repo
@@ -5,6 +5,9 @@
 # to the list predefined by the role / minion id affix
 {% macro append_containers(pillar_name, k, compare )%}
  {% if salt['pillar.get'](pillar_name~':'~k, {}) != compare %}
+    {% if k == 'enabled' %}
+      {% set k = pillar_name %}
+    {% endif %}
    {% from 'common/maps/'~k~'.map.jinja' import docker as d with context %}
    {% for li in d['containers'] %}
      {{ docker['containers'].append(li) }}
@@ -21,7 +24,7 @@
 {% if role in ['eval', 'managersearch', 'manager', 'standalone'] %}
  {{ append_containers('manager', 'grafana', 0) }}
  {{ append_containers('global', 'fleet_manager', 0) }}
-  {{ append_containers('manager', 'wazuh', 0) }}
+  {{ append_containers('global', 'wazuh', 0) }}
  {{ append_containers('manager', 'thehive', 0) }}
  {{ append_containers('manager', 'playbook', 0) }}
  {{ append_containers('manager', 'freq', 0) }}
@@ -29,7 +32,7 @@
 {% endif %}

 {% if role in ['eval', 'heavynode', 'sensor', 'standalone'] %}
-  {{ append_containers('global', 'strelka', 0) }}
+  {{ append_containers('strelka', 'enabled', 0) }}
 {% endif %}

 {% if role in ['heavynode', 'standalone'] %}
@@ -48,6 +48,7 @@ if [[ "$resp" =~ \"status\":\"Ok\" ]]; then
    echo "Successfully added user to Cortex."
 else
    echo "Unable to add user to Cortex; user might already exist."
+    echo $resp
    exit 2
 fi
    
@@ -51,6 +51,7 @@ if [[ "$resp" =~ \"status\":\"Locked\" || "$resp" =~ \"status\":\"Ok\" ]]; then
    echo "Successfully updated user in Cortex."
 else
    echo "Failed to update user in Cortex."
+    echo $resp
    exit 2
 fi
    
@@ -54,5 +54,6 @@ if [[ $? -eq 0 ]]; then
    echo "Successfully added user to Fleet."
 else
    echo "Unable to add user to Fleet; user might already exist."
+    echo $resp
    exit 2
 fi
@@ -53,5 +53,6 @@ if [[ $? -eq 0 ]]; then
    echo "Successfully updated user in Fleet."
 else
    echo "Failed to update user in Fleet."
+    echo $resp
    exit 2
 fi
@@ -15,7 +15,7 @@
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 {%- from 'common/maps/so-status.map.jinja' import docker with context %}
-{%- set container_list = docker['containers'] | sort %}
+{%- set container_list = docker['containers'] | sort | unique %}

 if ! [ "$(id -u)" = 0 ]; then
   echo "This command must be run as root"
@@ -71,9 +71,9 @@ compare_lists() {
 # {% endraw %}

 create_expected_container_list() {
-    {% for item in container_list%}
+    {% for item in container_list -%}
        expected_container_list+=("{{ item }}")
-    {% endfor %}
+    {% endfor -%}
 }

 populate_container_lists() {
@@ -47,5 +47,6 @@ if [[ "$resp" =~ \"status\":\"Ok\" ]]; then
    echo "Successfully added user to TheHive."
 else
    echo "Unable to add user to TheHive; user might already exist."
+    echo $resp
    exit 2
 fi
@@ -11,12 +11,13 @@
 . /usr/sbin/so-common

 if [[ $# < 1 || $# > 2 ]]; then
-  echo "Usage: $0 <list|add|update|delete|validate|valemail|valpass> [email]"
+  echo "Usage: $0 <list|add|update|enable|disable|validate|valemail|valpass> [email]"
  echo ""
  echo "     list: Lists all user email addresses currently defined in the identity system"
  echo "      add: Adds a new user to the identity system; requires 'email' parameter"
  echo "   update: Updates a user's password; requires 'email' parameter"
-  echo "   delete: Deletes an existing user; requires 'email' parameter"
+  echo "   enable: Enables a user; requires 'email' parameter"
+  echo "  disable: Disables a user; requires 'email' parameter"
  echo " validate: Validates that the given email address and password are acceptable for defining a new user; requires 'email' parameter"
  echo " valemail: Validates that the given email address is acceptable for defining a new user; requires 'email' parameter"
  echo "  valpass: Validates that a password is acceptable for defining a new user"
@@ -63,7 +64,7 @@ function findIdByEmail() {
  email=$1

  response=$(curl -Ss ${kratosUrl}/identities)
-  identityId=$(echo "${response}" | jq ".[] | select(.addresses[0].value == \"$email\") | .id")
+  identityId=$(echo "${response}" | jq ".[] | select(.verifiable_addresses[0].value == \"$email\") | .id")
  echo $identityId
 }

@@ -113,7 +114,7 @@ function listUsers() {
  response=$(curl -Ss ${kratosUrl}/identities)
  [[ $? != 0 ]] && fail "Unable to communicate with Kratos"

-  echo "${response}" | jq -r ".[] | .addresses[0].value" | sort
+  echo "${response}" | jq -r ".[] | .verifiable_addresses[0].value" | sort
 }

 function createUser() {
@@ -122,17 +123,8 @@ function createUser() {
  now=$(date -u +%FT%TZ)
  addUserJson=$(cat <<EOF
 {
-  "addresses": [
-    {
-      "expires_at": "2099-01-31T12:00:00Z",
-      "value": "${email}",
-      "verified": true,
-      "verified_at": "${now}",
-      "via": "so-add-user"
-    }
-  ],
  "traits": {"email":"${email}"},
-  "traits_schema_id": "default"
+  "schema_id": "default"
 }
 EOF
  )
@@ -152,6 +144,36 @@ EOF
  updatePassword $identityId
 }

+function updateStatus() {
+  email=$1
+  status=$2
+
+  identityId=$(findIdByEmail "$email")
+  [[ ${identityId} == "" ]] && fail "User not found"
+
+  response=$(curl -Ss "${kratosUrl}/identities/$identityId")
+  [[ $? != 0 ]] && fail "Unable to communicate with Kratos"
+
+  oldConfig=$(echo "select config from identity_credentials where identity_id=${identityId};" | sqlite3 "$databasePath")
+  if [[ "$status" == "locked" ]]; then
+    config=$(echo $oldConfig | sed -e 's/hashed/locked/')
+    echo "update identity_credentials set config=CAST('${config}' as BLOB) where identity_id=${identityId};" | sqlite3 "$databasePath"
+    [[ $? != 0 ]] && fail "Unable to lock credential record"
+
+    echo "delete from sessions where identity_id=${identityId};" | sqlite3 "$databasePath"
+    [[ $? != 0 ]] && fail "Unable to invalidate sessions"    
+  else
+    config=$(echo $oldConfig | sed -e 's/locked/hashed/')
+    echo "update identity_credentials set config=CAST('${config}' as BLOB) where identity_id=${identityId};" | sqlite3 "$databasePath"
+    [[ $? != 0 ]] && fail "Unable to unlock credential record"
+  fi  
+
+  updatedJson=$(echo "$response" | jq ".traits.status = \"$status\" | del(.verifiable_addresses) | del(.id) | del(.schema_url)")
+  response=$(curl -Ss -XPUT ${kratosUrl}/identities/$identityId -d "$updatedJson")
+  [[ $? != 0 ]] && fail "Unable to mark user as locked"
+
+}
+
 function updateUser() {
  email=$1

@@ -179,9 +201,8 @@ case "${operation}" in
    validateEmail "$email"
    createUser "$email"
    echo "Successfully added new user to SOC"
-    check_container thehive && (echo $password | so-thehive-user-add "$email" || so-thehive-user-enable "$email" true)
-    check_container cortex && (echo $password | so-cortex-user-add "$email" || so-cortex-user-enable "$email" true)
-    check_container fleet && (echo $password | so-fleet-user-add "$email" || so-fleet-user-enable "$email" true)
+    check_container thehive && echo $password | so-thehive-user-add "$email"
+    check_container fleet && echo $password | so-fleet-user-add "$email"
    ;;

  "list")
@@ -197,6 +218,26 @@ case "${operation}" in
    echo "Successfully updated user"
    ;;

+  "enable")
+    verifyEnvironment
+    [[ "$email" == "" ]] && fail "Email address must be provided"
+
+    updateStatus "$email" 'active'
+    echo "Successfully enabled user"
+    check_container thehive && so-thehive-user-enable "$email" true
+    check_container fleet && so-fleet-user-enable "$email" true   
+    ;;
+
+  "disable")
+    verifyEnvironment
+    [[ "$email" == "" ]] && fail "Email address must be provided"
+
+    updateStatus "$email" 'locked'
+    echo "Successfully disabled user"
+    check_container thehive && so-thehive-user-enable "$email" false
+    check_container fleet && so-fleet-user-enable "$email" false   
+    ;;    
+
  "delete")
    verifyEnvironment
    [[ "$email" == "" ]] && fail "Email address must be provided"
@@ -204,7 +245,6 @@ case "${operation}" in
    deleteUser "$email"
    echo "Successfully deleted user"
    check_container thehive && so-thehive-user-enable "$email" false
-    check_container cortex && so-cortex-user-enable "$email" false
    check_container fleet && so-fleet-user-enable "$email" false
    ;;

@@ -1,2 +1,2 @@
 #!/bin/bash
-so-user delete $*
+so-user disable $*
@@ -0,0 +1,2 @@
+#!/bin/bash
+so-user enable $*
@@ -117,6 +117,7 @@ role:
              - {{ portgroups.influxdb }}
              - {{ portgroups.wazuh_api }}
              - {{ portgroups.fleet_api }}
+              - {{ portgroups.yum }}
          sensor:
            portgroups:
              - {{ portgroups.sensoroni }}
@@ -200,6 +201,7 @@ role:
              - {{ portgroups.influxdb }}
              - {{ portgroups.wazuh_api }}
              - {{ portgroups.fleet_api }}
+              - {{ portgroups.yum }}
          sensor:
            portgroups:
              - {{ portgroups.sensoroni }}
@@ -282,7 +284,8 @@ role:
              - {{ portgroups.osquery_8080 }}
              - {{ portgroups.influxdb }}
              - {{ portgroups.wazuh_api }}
-              - {{ portgroups.fleet_api }}              
+              - {{ portgroups.fleet_api }}
+              - {{ portgroups.yum }}              
          sensor:
            portgroups:
              - {{ portgroups.sensoroni }}
@@ -94,3 +94,6 @@ firewall:
      wazuh_authd:
        tcp:
          - 1515
+      yum:
+        tcp:
+          - 443
@@ -1 +1 @@
-# Put your own custom Snort/Suricata rules in /opt/so/saltstack/local/salt/idstools/localrules/local.rules
+# Put your own custom Snort/Suricata rules in this file! /opt/so/saltstack/local/salt/idstools/localrules/local.rules
@@ -2,6 +2,8 @@
 {%- set FLEET_MANAGER = salt['pillar.get']('global:fleet_manager') %}
 {%- set FLEET_NODE = salt['pillar.get']('global:fleet_node') %}
 {%- set FLEET_IP = salt['pillar.get']('global:fleet_ip', None) %}
+{%- set ISAIRGAP = salt['pillar.get']('global:airgap', 'False') %}
+
 # For more information on configuration, see:
 #   * Official English Documentation: http://nginx.org/en/docs/
 #   * Official Russian Documentation: http://nginx.org/ru/docs/
@@ -180,7 +182,20 @@ http {
 			proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
 			proxy_set_header      Proxy "";
 			proxy_set_header      X-Forwarded-Proto $scheme;
-		} 
+		}
+
+        {%- if ISAIRGAP is sameas true %}
+        location /repo/ {
+            allow all;
+            sendfile on;
+            sendfile_max_chunk 1m;
+            autoindex on;
+            autoindex_exact_size off;
+            autoindex_format html;
+            autoindex_localtime on;
+        }
+
+		{%- endif %}
 		
 		location /grafana/ {
 			auth_request          /auth/sessions/whoami;
@@ -2,6 +2,8 @@
 {%- set FLEET_MANAGER = salt['pillar.get']('global:fleet_manager') %}
 {%- set FLEET_NODE = salt['pillar.get']('global:fleet_node') %}
 {%- set FLEET_IP = salt['pillar.get']('global:fleet_ip', None) %}
+{%- set ISAIRGAP = salt['pillar.get']('global:airgap', 'False') %}
+
 # For more information on configuration, see:
 #   * Official English Documentation: http://nginx.org/en/docs/
 #   * Official Russian Documentation: http://nginx.org/ru/docs/
@@ -232,6 +234,19 @@ http {
 			proxy_set_header      X-Forwarded-Proto $scheme;
 		}

+		{%- if ISAIRGAP is sameas true %}
+        location /repo/ {
+            allow all;
+            sendfile on;
+            sendfile_max_chunk 1m;
+            autoindex on;
+            autoindex_exact_size off;
+            autoindex_format html;
+            autoindex_localtime on;
+        }
+
+		{%- endif %}
+
 	{%- if FLEET_NODE %}
 		location /fleet/ {
 			return 301 https://{{ FLEET_IP }}/fleet;
@@ -2,6 +2,8 @@
 {%- set FLEET_MANAGER = salt['pillar.get']('global:fleet_manager') %}
 {%- set FLEET_NODE = salt['pillar.get']('global:fleet_node') %}
 {%- set FLEET_IP = salt['pillar.get']('global:fleet_ip', None) %}
+{%- set ISAIRGAP = salt['pillar.get']('global:airgap', 'False') %}
+
 # For more information on configuration, see:
 #   * Official English Documentation: http://nginx.org/en/docs/
 #   * Official Russian Documentation: http://nginx.org/ru/docs/
@@ -180,6 +182,19 @@ http {
 			proxy_set_header      Proxy "";
 			proxy_set_header      X-Forwarded-Proto $scheme;
 		} 
+
+		{%- if ISAIRGAP is sameas true %}
+        location /repo/ {
+            allow all;
+            sendfile on;
+            sendfile_max_chunk 1m;
+            autoindex on;
+            autoindex_exact_size off;
+            autoindex_format html;
+            autoindex_localtime on;
+        }
+
+		{%- endif %}
 		
 		location /grafana/ {
 			auth_request          /auth/sessions/whoami;
@@ -2,6 +2,7 @@
 {%- set FLEET_MANAGER = salt['pillar.get']('global:fleet_manager') %}
 {%- set FLEET_NODE = salt['pillar.get']('global:fleet_node') %}
 {%- set FLEET_IP = salt['pillar.get']('global:fleet_ip', None) %}
+{%- set ISAIRGAP = salt['pillar.get']('global:airgap', 'False') %}
 # For more information on configuration, see:
 #   * Official English Documentation: http://nginx.org/en/docs/
 #   * Official Russian Documentation: http://nginx.org/ru/docs/
@@ -182,6 +183,20 @@ http {
 			proxy_set_header      X-Forwarded-Proto $scheme;
 		} 
 		
+		{%- if ISAIRGAP is sameas true %}
+                location /repo/ {
+                        allow all;
+                        sendfile on;
+                        sendfile_max_chunk 1m;
+                        autoindex on;
+                        autoindex_exact_size off;
+                        autoindex_format html;
+                        autoindex_localtime on;
+                }
+
+		{%- endif %}
+
+		
 		location /grafana/ {
 			auth_request          /auth/sessions/whoami;
 			rewrite               /grafana/(.*) /$1 break;
@@ -8,6 +8,7 @@
 {% set MANAGER = salt['grains.get']('master') %}
 {% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %}
 {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %}
+{% set ISAIRGAP = salt['pillar.get']('global:airgap') %}

 # Drop the correct nginx config based on role
 nginxconfdir:
@@ -77,6 +78,9 @@ so-nginx:
      - /etc/pki/managerssl.crt:/etc/pki/nginx/server.crt:ro
      - /etc/pki/managerssl.key:/etc/pki/nginx/server.key:ro
      - /opt/so/conf/fleet/packages:/opt/socore/html/packages
+      {% if ISAIRGAP is sameas true %}
+      - /nsm/repo:/opt/socore/html/repo:ro
+      {% endif %}
      # ATT&CK Navigator binds
      - /opt/so/conf/navigator/navigator_config.json:/opt/socore/html/navigator/assets/config.json:ro
      - /opt/so/conf/navigator/nav_layer_playbook.json:/opt/socore/html/navigator/assets/playbook.json:ro
@@ -0,0 +1,28 @@
+# -*- coding: utf-8 -*-
+
+import logging
+from time import sleep
+from os import remove
+
+log = logging.getLogger(__name__)
+
+def start(interval=30):
+  log.info("checkmine engine started")
+  minionid = __grains__['id']
+  while True:
+    try:
+      ca_crt = __salt__['saltutil.runner']('mine.get', tgt=minionid, fun='x509.get_pem_entries')[minionid]['/etc/pki/ca.crt']
+      log.info('Successfully queried Salt mine for the CA.')
+    except:
+      log.error('Could not pull CA from the Salt mine.')
+      log.info('Removing /var/cache/salt/master/minions/%s/mine.p to force Salt mine to be repopulated.' % minionid)
+      try:
+        remove('/var/cache/salt/master/minions/%s/mine.p' % minionid)
+        log.info('Removed /var/cache/salt/master/minions/%s/mine.p' % minionid)
+      except FileNotFoundError:
+        log.error('/var/cache/salt/master/minions/%s/mine.p does not exist' % minionid)
+
+      __salt__['mine.send'](name='x509.get_pem_entries', glob_path='/etc/pki/ca.crt')
+      log.warning('Salt mine repopulated with /etc/pki/ca.crt')
+
+    sleep(interval)
@@ -0,0 +1,6 @@
+engines_dirs:
+  - /etc/salt/engines
+
+engines:
+  - checkmine:
+      interval: 30
@@ -3,6 +3,9 @@

 {% if 'salt.master' in top_states %}

+include:
+  - salt.minion
+
 salt_master_package:
  pkg.installed:
    - pkgs:
@@ -15,4 +18,19 @@ salt_master_service:
    - name: salt-master
    - enable: True

+checkmine_engine:
+  file.managed:
+    - name: /etc/salt/engines/checkmine.py
+    - source: salt://salt/engines/checkmine.py
+    - makedirs: True
+    - watch_in:
+        - service: salt_minion_service
+
+engines_config:
+  file.managed:
+    - name: /etc/salt/minion.d/engines.conf
+    - source: salt://salt/files/engines.conf
+    - watch_in:
+        - service: salt_minion_service
+
 {% endif %}
@@ -6,52 +6,39 @@ selfservice:
    password:
      enabled: true

-  settings:
-    privileged_session_max_age: 1m
-    after:
-      profile:
-        hooks:
-          - hook: verify
-          
-  verify:
-    return_to: https://{{ WEBACCESS }}/
+  flows:
+    settings:
+      ui_url: https://{{ WEBACCESS }}/?r=/settings

-  logout:
-    redirect_to: https://{{ WEBACCESS }}/login/
+    verification:
+      ui_url: https://{{ WEBACCESS }}/

-  login:
-    request_lifespan: 10m
+    login:
+      ui_url: https://{{ WEBACCESS }}/login/

-  registration:
-    request_lifespan: 10m
-    after:
-      password:
-        hooks:
-          - hook: session
-          - hook: verify
+    error:
+      ui_url: https://{{ WEBACCESS }}/login/
+
+    registration:
+      ui_url: https://{{ WEBACCESS }}/login/
+    
+  default_browser_return_url: https://{{ WEBACCESS }}/
+  whitelisted_return_urls:
+    - http://127.0.0.1

 log:
  level: debug
  format: json

 secrets:
-  session:
+  default:
    - {{ KRATOSKEY }}

-urls:
-  login_ui: https://{{ WEBACCESS }}/login/
-  registration_ui: https://{{ WEBACCESS }}/login/
-  error_ui: https://{{ WEBACCESS }}/login/
-  settings_ui: https://{{ WEBACCESS }}/?r=/settings
-  verify_ui: https://{{ WEBACCESS }}/
-  mfa_ui: https://{{ WEBACCESS }}/
-
-  self:
-    public: https://{{ WEBACCESS }}/auth/
-    admin: https://{{ WEBACCESS }}/kratos/
-  default_return_to: https://{{ WEBACCESS }}/
-  whitelisted_return_to_urls:
-    - http://127.0.0.1
+serve:
+  public: 
+    base_url: https://{{ WEBACCESS }}/auth/
+  admin: 
+    base_url: https://{{ WEBACCESS }}/kratos/

 hashers:
  argon2:
@@ -62,8 +49,7 @@ hashers:
    key_length: 32

 identity:
-  traits:
-    default_schema_url: file:///kratos-conf/schema.json
+  default_schema_url: file:///kratos-conf/schema.json

 courier:
  smtp:
@@ -4,37 +4,46 @@
    "title": "Person",
    "type": "object",
    "properties": {
-      "email": {
-        "type": "string",
-        "format": "email",
-        "title": "E-Mail",
-        "minLength": 6,
-        "ory.sh/kratos": {
-          "credentials": {
-            "password": {
-              "identifier": true
+      "traits": {
+        "type": "object",
+        "properties": {
+        "email": {
+          "type": "string",
+          "format": "email",
+          "title": "E-Mail",
+          "minLength": 6,
+          "ory.sh/kratos": {
+            "credentials": {
+              "password": {
+                "identifier": true
+              }
+            },
+            "verification": {
+              "via": "email"
            }
-          },
-          "verification": {
-            "via": "email"
          }
-        }
+        },
+        "firstName": {
+          "type": "string",
+          "title": "First Name"
+        },
+        "lastName": {
+          "type": "string",
+          "title": "Last Name"
+        },
+        "role": {
+          "type": "string",
+          "title": "Role"
+        },
+        "status": {
+          "type": "string",
+          "title": "Status"
+        }      
      },
-      "firstName": {
-        "type": "string",
-        "title": "First Name"
-      },
-      "lastName": {
-        "type": "string",
-        "title": "Last Name"
-      },
-      "role": {
-        "type": "string",
-        "title": "Role"
-      }
-    },
-    "required": [
-      "email"
-    ],
-    "additionalProperties": false
-  }
+      "required": [
+        "email"
+      ],
+      "additionalProperties": false
+    }
+  }
+}
@@ -141,6 +141,12 @@
          { "name": "x509", "description": "x.509 grouped by issuer", "query": "event.dataset:x509 | groupby x509.certificate.issuer"},
          { "name": "x509", "description": "x.509 grouped by subject", "query": "event.dataset:x509 | groupby x509.certificate.subject"},
          { "name": "Firewall", "description": "Firewall events grouped by action", "query": "event_type:firewall | groupby action"}
+        ],
+        "actions": [
+          { "name": "", "description": "actionPcapHelp", "icon": "fa-stream", "link": "/joblookup?esid={eventId}" },
+          { "name": "", "description": "actionAlertHelp", "icon": "fa-bell", "link": "/soctopus/thehive/alert/{eventId}" },
+          { "name": "", "description": "actionGoogleHelp", "icon": "fab fa-google", "link": "https://www.google.com/search?q={value}" },
+          { "name": "actionVirusTotal", "description": "actionVirusTotalHelp", "icon": "", "link": "https://www.virustotal.com/gui/search/{value}" }
        ]
      }
    }
@@ -65,6 +65,7 @@ playbook_ext_url = https://{{MANAGER}}/playbook
 playbook_key = de6639318502476f2fa5aa06f43f51fb389a3d7f
 playbook_verifycert = no
 playbook_unit_test_index = playbook-testing
+playbook_rulesets = windows

 [log]
 logfile = /var/log/SOCtopus/soctopus.log
@@ -13,10 +13,10 @@
 {% set CUSTOM_FLEET_HOSTNAME = salt['pillar.get']('global:fleet_custom_hostname', None) %}

 {% if grains.id.split('_')|last in ['manager', 'eval', 'standalone', 'import'] %}
-    {% set trusttheca_text =  salt['mine.get'](grains.id, 'x509.get_pem_entries')[grains.id]['/etc/pki/ca.crt']|replace('\n', '') %}
+    {% set trusttheca_text = salt['cp.get_file_str']('/etc/pki/ca.crt')|replace('\n', '') %}
    {% set ca_server = grains.id %}
 {% else %}
-    {% set x509dict =  salt['mine.get']('*', 'x509.get_pem_entries') %}
+    {% set x509dict = salt['mine.get']('*', 'x509.get_pem_entries') %}
    {% for host in x509dict %}
      {% if 'manager' in host.split('_')|last or host.split('_')|last == 'standalone' %}
        {% do global_ca_text.append(x509dict[host].get('/etc/pki/ca.crt')|replace('\n', '')) %}
@@ -2,8 +2,8 @@ suricata:
  config:
    vars:
      address-groups:
-        HOME_NET: "[192.168.0.0/16]"
-        EXTERNAL_NET: "!$HOME_NET"
+        HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
+        EXTERNAL_NET: "any"
        HTTP_SERVERS: "$HOME_NET"
        SMTP_SERVERS: "$HOME_NET"
        SQL_SERVERS: "$HOME_NET"
@@ -590,4 +590,4 @@ suricata:
    # threshold-file: /etc/suricata/threshold.config
    #include: include1.yaml
    #include: include2.yaml
-    
+    
@@ -1,25 +1,32 @@
-{%- set ZEEKVER = salt['pillar.get']('global:zeekversion', '') -%}
-{%- set WAZUH = salt['pillar.get']('global:wazuh', '0') -%}
-{%- set THEHIVE = salt['pillar.get']('manager:thehive', '0') -%}
-{%- set PLAYBOOK = salt['pillar.get']('manager:playbook', '0') -%}
-{%- set FREQSERVER = salt['pillar.get']('manager:freq', '0') -%}
-{%- set DOMAINSTATS = salt['pillar.get']('manager:domainstats', '0') -%}
-{%- set FLEETMANAGER = salt['pillar.get']('global:fleet_manager', False) -%}
-{%- set FLEETNODE = salt['pillar.get']('global:fleet_node', False) -%}
-{%- set STRELKA = salt['pillar.get']('strelka:enabled', '0') -%}
-{% import_yaml 'salt/minion.defaults.yaml' as salt %}
-{% set saltversion = salt.salt.minion.version %}
-
+{% set ZEEKVER = salt['pillar.get']('global:zeekversion', '') %}
+{% set WAZUH = salt['pillar.get']('global:wazuh', '0') %}
+{% set THEHIVE = salt['pillar.get']('manager:thehive', '0') %}
+{% set PLAYBOOK = salt['pillar.get']('manager:playbook', '0') %}
+{% set FREQSERVER = salt['pillar.get']('manager:freq', '0') %}
+{% set DOMAINSTATS = salt['pillar.get']('manager:domainstats', '0') %}
+{% set FLEETMANAGER = salt['pillar.get']('global:fleet_manager', False) %}
+{% set FLEETNODE = salt['pillar.get']('global:fleet_node', False) %}
+{% set STRELKA = salt['pillar.get']('strelka:enabled', '0') %}
+{% set ISAIRGAP = salt['pillar.get']('global:airgap', 'False') %}
+{% import_yaml 'salt/minion.defaults.yaml' as saltversion %}
+{% set saltversion = saltversion.salt.minion.version %}

 base:

  'not G@saltversion:{{saltversion}}':
    - match: compound
+    {% if ISAIRGAP is sameas true %}
+    - airgap
+    {% endif %}
    - salt.minion

  'G@os:CentOS and G@saltversion:{{saltversion}}':
    - match: compound
+    {% if ISAIRGAP is sameas true %}
+    - airgap
+    {% else %}
    - yum
+    {% endif %}
    - yum.packages

  '* and G@saltversion:{{saltversion}}':
@@ -28,9 +35,10 @@ base:
    - common
    - patch.os.schedule
    - motd
-
+  
  '*_helix and G@saltversion:{{saltversion}}':
    - match: compound
+    - salt.master
    - ca
    - ssl
    - common
@@ -72,6 +80,7 @@ base:

  '*_eval and G@saltversion:{{saltversion}}':
    - match: compound
+    - salt.master
    - ca
    - ssl
    - common
@@ -129,6 +138,7 @@ base:

  '*_manager and G@saltversion:{{saltversion}}':
    - match: compound
+    - salt.master
    - ca
    - ssl
    - common
@@ -175,6 +185,7 @@ base:

  '*_standalone and G@saltversion:{{saltversion}}':
    - match: compound
+    - salt.master
    - ca
    - ssl
    - common
@@ -195,6 +206,7 @@ base:
    {%- if WAZUH != 0 %}
    - wazuh
    {%- endif %}
+    - elasticsearch
    - logstash
    - redis
    - kibana
@@ -298,6 +310,7 @@ base:

  '*_managersearch and G@saltversion:{{saltversion}}':
    - match: compound
+    - salt.master
    - ca
    - ssl
    - common
@@ -388,6 +401,7 @@ base:

  '*_import and G@saltversion:{{saltversion}}':
    - match: compound
+    - salt.master
    - ca
    - ssl
    - common