Fix Conflicts

pillar/logstash/master.sls

@@ -2,5 +2,6 @@ logstash:
   pipelines:
     master:
       config:
+        - so/0009_input_beats.conf      
         - so/0010_input_hhbeats.conf
         - so/9999_output_redis.conf.jinja

pillar/logstash/search.sls

@@ -12,6 +12,5 @@ logstash:
         - so/9600_output_ossec.conf.jinja
         - so/9700_output_strelka.conf.jinja
   templates:
-    - so/so-beats-template.json
     - so/so-common-template.json
     - so/so-zeek-template.json

salt/common/tools/sbin/so-fleet-setup

@@ -0,0 +1,44 @@
+#!/bin/bash
+
+#so-fleet-setup $FleetEmail $FleetPassword 
+
+if [[ $# -ne 2 ]] ; then
+      echo "Username or Password was not set - exiting now."
+      exit 1
+fi
+
+# Checking to see if required containers are started...
+if [ ! "$(docker ps -q -f name=so-fleet)" ]; then
+        echo "Starting Docker Containers..."
+        salt-call state.apply mysql queue=True >> /root/fleet-setup.log
+        salt-call state.apply fleet queue=True >> /root/fleet-setup.log
+        salt-call state.apply redis queue=True >> /root/fleet-setup.log
+fi
+
+docker exec so-fleet fleetctl config set --address https://localhost:8080 --tls-skip-verify --url-prefix /fleet
+docker exec so-fleet fleetctl setup --email $1 --password $2
+
+docker exec so-fleet fleetctl apply -f /packs/palantir/Fleet/Endpoints/MacOS/osquery.yaml
+docker exec so-fleet fleetctl apply -f /packs/palantir/Fleet/Endpoints/Windows/osquery.yaml
+docker exec so-fleet fleetctl apply -f /packs/so/so-default.yml
+docker exec so-fleet /bin/sh -c 'for pack in /packs/palantir/Fleet/Endpoints/packs/*.yaml; do fleetctl apply -f "$pack"; done'
+docker exec so-fleet fleetctl apply -f /packs/osquery-config.conf
+
+
+# Enable Fleet
+echo "Enabling Fleet..."
+salt-call state.apply fleet.event_enable-fleet queue=True >> /root/fleet-setup.log
+salt-call state.apply nginx queue=True >> /root/fleet-setup.log
+
+# Generate osquery install packages
+echo "Generating osquery install packages - this will take some time..."
+salt-call state.apply fleet.event_gen-packages queue=True >> /root/fleet-setup.log
+sleep 120
+
+echo "Installing launcher via salt..."
+salt-call state.apply fleet.install_package queue=True >> /root/fleet-setup.log
+salt-call state.apply filebeat queue=True >> /root/fleet-setup.log
+docker stop so-nginx
+salt-call state.apply nginx queue=True >> /root/fleet-setup.log
+
+echo "Fleet Setup Complete - Login with the username and password you ran the script with."

salt/elasticsearch/files/ingest/beats.common

@@ -0,0 +1,35 @@
+{
+  "description" : "beats.common",
+  "processors" : [
+    {"community_id":   {"if": "ctx.winlog.event_data?.Protocol != null", "field":["winlog.event_data.SourceIp","winlog.event_data.SourcePort","winlog.event_data.DestinationIp","winlog.event_data.DestinationPort","winlog.event_data.Protocol"],"target_field":"network.community_id"}},    
+    { "set":           { "if": "ctx.winlog?.channel != null",   "field": "dataset", "value": "wel-{{winlog.channel}}", "override": true }  },
+    { "set":           { "if": "ctx.agent?.type != null",   "field": "module", "value": "{{agent.type}}", "override": true }  },   
+    { "set":           { "if": "ctx.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational' && ctx.event?.code == 3",   "field": "event.category", "value": "host,process,network", "override": true }  },
+    { "set":           { "if": "ctx.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational' && ctx.event?.code == 1",   "field": "event.category", "value": "host,process", "override": true }  },
+    { "rename": 	   { "field": "agent.hostname", 			            "target_field": "agent.name",		"ignore_missing": true 	} },
+    { "rename": 	   { "field": "winlog.event_data.SubjectUserName", 			  "target_field": "user.name",		"ignore_missing": true 	} },
+    { "rename": 	   { "field": "winlog.event_data.DestinationHostname", 	  "target_field": "destination.hostname",	"ignore_missing": true 	} },
+    { "rename": 	   { "field": "winlog.event_data.DestinationIp", 		      "target_field": "destination.ip",	"ignore_missing": true 	} },
+    { "rename": 	   { "field": "winlog.event_data.DestinationPort", 	      "target_field": "destination.port",	"ignore_missing": true 	} },
+    { "rename": 	   { "field": "winlog.event_data.Image", 			            "target_field": "process.executable",		"ignore_missing": true 	} },
+    { "rename": 	   { "field": "winlog.event_data.ProcessID", 			        "target_field": "process.pid",		"ignore_missing": true 	} },
+    { "rename": 	   { "field": "winlog.event_data.ProcessGuid", 			      "target_field": "process.entity_id",		"ignore_missing": true 	} },
+    { "rename": 	   { "field": "winlog.event_data.CommandLine", 			      "target_field": "process.command_line",		"ignore_missing": true 	} },
+    { "rename": 	   { "field": "winlog.event_data.CurrentDirectory", 			"target_field": "process.working_directory",		"ignore_missing": true 	} },
+    { "rename": 	   { "field": "winlog.event_data.Description", 			      "target_field": "process.pe.description",		"ignore_missing": true 	} },
+    { "rename": 	   { "field": "winlog.event_data.Product", 			          "target_field": "process.pe.product",		"ignore_missing": true 	} },
+    { "rename": 	   { "field": "winlog.event_data.OriginalFileName", 			"target_field": "process.pe.original_file_name",		"ignore_missing": true 	} },
+    { "rename": 	   { "field": "winlog.event_data.FileVersion", 			      "target_field": "process.pe.file_version",		"ignore_missing": true 	} },
+    { "rename": 	   { "field": "winlog.event_data.ParentCommandLine", 			"target_field": "process.parent.command_line",		"ignore_missing": true 	} },
+    { "rename": 	   { "field": "winlog.event_data.ParentImage", 			      "target_field": "process.parent.executable",		"ignore_missing": true 	} },
+    { "rename": 	   { "field": "winlog.event_data.ParentProcessGuid", 			"target_field": "process.parent.entity_id",		"ignore_missing": true 	} },
+    { "rename": 	   { "field": "winlog.event_data.ParentProcessId", 			  "target_field": "process.ppid",		"ignore_missing": true 	} },
+    { "rename": 	   { "field": "winlog.event_data.Protocol", 	              "target_field": "network.transport",	"ignore_missing": true 	} },
+    { "rename": 	   { "field": "winlog.event_data.User", 			            "target_field": "user.name",		"ignore_missing": true 	} },
+    { "rename": 	   { "field": "winlog.event_data.SourceHostname", 	      "target_field": "source.hostname",	"ignore_missing": true 	} },
+    { "rename": 	   { "field": "winlog.event_data.SourceIp", 		          "target_field": "source.ip",		"ignore_missing": true 	} },
+    { "rename": 	   { "field": "winlog.event_data.SourcePort", 		        "target_field": "source.port",		"ignore_missing": true 	} },   
+    { "rename": 	   { "field": "winlog.event_data.targetFilename",		      "target_field": "file.target",	"ignore_missing": true 	} },
+    { "pipeline":    { "name": "common" } }
+  ]
+}

salt/fleet/event_enable-fleet.sls

@@ -1,5 +1,6 @@
 {% set ENROLLSECRET = salt['cmd.run']('docker exec so-fleet fleetctl get enroll-secret') %}
-{%- set MAINIP = salt['pillar.get']('node:mainip') -%}
+{% set MAININT = salt['pillar.get']('host:mainint') %}
+{% set MAINIP = salt['grains.get']('ip_interfaces').get(MAININT)[0] %}
 
 so/fleet:
   event.send:

salt/fleet/event_gen-packages.sls

@@ -1,15 +1,24 @@
 {% set MASTER = salt['grains.get']('master') %}
 {% set ENROLLSECRET = salt['pillar.get']('secrets:fleet_enroll-secret') %}
 {% set CURRENTPACKAGEVERSION = salt['pillar.get']('static:fleet_packages-version') %}
+{% set VERSION = salt['pillar.get']('static:soversion') %}
+{% set CUSTOM_FLEET_HOSTNAME = salt['pillar.get']('static:fleet_custom_hostname', None) %}
+
+{% if CUSTOM_FLEET_HOSTNAME != None and CUSTOM_FLEET_HOSTNAME != '' %}
+   {% set HOSTNAME =  CUSTOM_FLEET_HOSTNAME  %}
+{% else %}
+   {% set HOSTNAME = grains.host  %}
+{% endif %}
 
 so/fleet:
   event.send:
     - data:
         action: 'genpackages'
-        hostname: {{ grains.host }}
+        package-hostname: {{ HOSTNAME }}
         role: {{ grains.role }}
         mainip: {{ grains.host }}
         enroll-secret: {{ ENROLLSECRET }}
         current-package-version: {{ CURRENTPACKAGEVERSION }}
         master: {{ MASTER }}
+        version: {{ VERSION }}
         

salt/fleet/event_update-custom-hostname.sls

@@ -0,0 +1,9 @@
+{% set CUSTOM_FLEET_HOSTNAME = salt['pillar.get']('static:fleet_custom_hostname', None) %}
+
+so/fleet:
+  event.send:
+    - data:
+        action: 'update_custom_hostname'
+        custom_hostname: {{ CUSTOM_FLEET_HOSTNAME }}
+        role: {{ grains.role }}
+        

salt/fleet/files/dedicated-index.html

@@ -1,96 +0,0 @@
-{%- set PACKAGESTS = salt['pillar.get']('static:fleet_packages-timestamp:', 'N/A') -%}
-
-<!DOCTYPE html>
-<html lang="en">
-<head>
-<title>Security Onion - Hybrid Hunter</title>
-<meta charset="utf-8">
-<meta name="viewport" content="width=device-width, initial-scale=1">
-<link rel="icon" type="image/png" href="favicon-32x32.png" sizes="32x32" />
-<link rel="icon" type="image/png" href="favicon-16x16.png" sizes="16x16" />
-<style>
-* {
-	box-sizing: border-box;
-	font-family: Arial, Helvetica, sans-serif;
-	padding-left: 30px;
-	padding-right: 30px;
-}
-
-body {
-	font-family: Arial, Helvetica, sans-serif;
-	background-color: #2a2a2a;
-
-}
-a {
-	color: #f2f2f2;
-	text-align: left;
-	padding: 0px;
-}
-
-.center-content {
-	margin: 0 auto;
-}
-
-/* Style the top navigation bar */
-.topnav {
-	overflow: hidden;
-	background-color: #333;
-	width: 1080px;
-	display: flex;
-	align-content: center;
-}
-
-/* Style the topnav links */
-.topnav a {
-	margin: auto;
-	color: #f2f2f2;
-	text-align: center;
-	padding: 14px 16px;
-	text-decoration: none;
-}
-
-/* Change color on hover */
-.topnav a:hover {
-	background-color: #ddd;
-	color: black;
-}
-
-/* Style the content */
-.content {
-	background-color: #2a2a2a;
-	padding: 10px;
-	padding-top: 20px;
-	padding-left: 60px;
-	color: #E3DBCC;
-	width: 1080px;
-}
-
-/* Style the footer */
-.footer {
-	background-color: #2a2a2a;
-	padding: 60px;
-	color: #E3DBCC;
-	width: 1080px;
-}
-</style>
-</head>
-<body>
-	<div class="center-content">
-		<div class="topnav center-content">
-			<a href="/fleet/" target="_blank">Fleet</a>
-			<a href="https://github.com/Security-Onion-Solutions/securityonion-saltstack/wiki/Configuring-Osquery-with-Security-Onion" target="_blank">Osquery/Fleet Docs</a>
-			<a href="https://www.securityonionsolutions.com" target="_blank">Security Onion Solutions</a>
-		</div>
-		  
-		<div class="content center-content">
-			<p>
-                <div style="text-align: center;">
-                    <h1>Security Onion - Dedicated Fleet Node</h1>
-				</div>
-				<br/>
-				<br/>
-			  </p>
-		  </div>
-	</div>
-</body>
-</html>

salt/fleet/files/packs/hh/hh-post-login.sh

@@ -1,13 +0,0 @@
-#!/bin/sh
-echo "Applying Post Configuration for Osquery"
-#fleetctl apply -f /packs/hh/osquery.conf
-fleetctl apply -f /packs/palantir/Fleet/Endpoints/options.yaml
-fleetctl apply -f /packs/palantir/Fleet/Endpoints/MacOS/osquery.yaml
-fleetctl apply -f /packs/palantir/Fleet/Endpoints/Windows/osquery.yaml
-fleetctl apply -f /packs/hh/hhdefault.yml
-
-for pack in /packs/palantir/Fleet/Endpoints/packs/*.yaml;
- do fleetctl apply -f "$pack"
-done
-echo ""
-echo "You can now exit the container by typing exit"

salt/fleet/files/scripts/so-fleet-packages

@@ -1,34 +0,0 @@
-#!/bin/bash
-{% set MAIN_HOSTNAME = salt['grains.get']('host') %}
-{% set MAIN_IP = salt['pillar.get']('node:mainip') %}
-
-local_salt_dir=/opt/so/saltstack/local
-
-#so-fleet-packages $FleetHostname/IP 
-
-#if [ ! "$(docker ps -q -f name=so-fleet)" ]; then
-#        echo "so-fleet container not running... Exiting..."
-#        exit 1
-#fi
-
-#docker exec so-fleet /bin/ash -c "echo {{ MAIN_IP }} {{ MAIN_HOSTNAME }} >>  /etc/hosts"
-#esecret=$(docker exec so-fleet fleetctl get enroll-secret)
-
-#Concat fleet.crt & ca.crt  - this is required for launcher connectivity
-#cat /etc/pki/fleet.crt /etc/pki/ca.crt > /etc/pki/launcher.crt
-#Actually only need to use /etc/ssl/certs/intca.crt
-
-#Create the output directory
-#mkdir /opt/so/conf/fleet/packages
-
-docker run \
-  --rm \
-  --mount type=bind,source=/opt/so/conf/fleet/packages,target=/output \
-  --mount type=bind,source=/etc/ssl/certs/intca.crt,target=/var/launcher/launcher.crt \
-  docker.io/soshybridhunter/so-fleet-launcher:HH1.1.0 "$esecret" "$1":8090
-
-cp /opt/so/conf/fleet/packages/launcher.* $local_salt_dir/salt/launcher/packages/
-
-#Update timestamp on packages webpage
-sed -i "s@.*Generated.*@Generated: $(date '+%m%d%Y')@g" /opt/so/conf/fleet/packages/index.html
-sed -i "s@.*Generated.*@Generated: $(date '+%m%d%Y')@g" $local_salt_dir/salt/fleet/files/dedicated-index.html

salt/fleet/files/scripts/so-fleet-setup

@@ -1,48 +0,0 @@
-#!/bin/bash
-{% set MAIN_HOSTNAME = salt['grains.get']('host') %}
-{% set MAIN_IP = salt['pillar.get']('node:mainip') %}
-
-#so-fleet-setup.sh $FleetEmail
-
-# Enable Fleet
-echo "Starting Docker Containers..."
-salt-call state.apply mysql queue=True >> /root/fleet-setup.log
-salt-call state.apply fleet queue=True >> /root/fleet-setup.log
-salt-call state.apply redis queue=True >> /root/fleet-setup.log
-
-if [ ! "$(docker ps -q -f name=so-fleet)" ]; then
-        echo "so-fleet container not running... Exiting..."
-        exit 1
-fi
-
-initpw=$(date +%s | sha256sum | base64 | head -c 16 ; echo)
-
-docker exec so-fleet /bin/ash -c "echo {{ MAIN_IP }} {{ MAIN_HOSTNAME }} >>  /etc/hosts"
-docker exec so-fleet fleetctl config set --address https://{{ MAIN_HOSTNAME }}:443 --tls-skip-verify --url-prefix /fleet
-docker exec so-fleet fleetctl setup --email $1 --password $initpw
-
-docker exec so-fleet fleetctl apply -f /packs/palantir/Fleet/Endpoints/MacOS/osquery.yaml
-docker exec so-fleet fleetctl apply -f /packs/palantir/Fleet/Endpoints/Windows/osquery.yaml
-docker exec so-fleet fleetctl apply -f /packs/hh/hhdefault.yml
-docker exec so-fleet /bin/sh -c 'for pack in /packs/palantir/Fleet/Endpoints/packs/*.yaml; do fleetctl apply -f "$pack"; done'
-docker exec so-fleet fleetctl apply -f /packs/hh/osquery.conf
-
-
-# Enable Fleet
-echo "Enabling Fleet..."
-salt-call state.apply fleet.event_enable-fleet queue=True >> /root/fleet-setup.log
-salt-call state.apply nginx queue=True >> /root/fleet-setup.log
-
-# Generate osquery install packages
-echo "Generating osquery install packages - this will take some time..."
-salt-call state.apply fleet.event_gen-packages queue=True >> /root/fleet-setup.log
-sleep 120
-
-echo "Installing launcher via salt..."
-salt-call state.apply fleet.install_package queue=True >> /root/fleet-setup.log
-salt-call state.apply filebeat queue=True >> /root/fleet-setup.log
-docker stop so-nginx
-salt-call state.apply nginx queue=True >> /root/fleet-setup.log
-
-echo "Fleet Setup Complete - Login here: https://{{ MAIN_HOSTNAME }}"
-echo "Your username is $2 and your password is $initpw"

salt/fleet/init.sls

@@ -3,12 +3,11 @@
 {%- set FLEETJWT = salt['pillar.get']('secrets:fleet_jwt', None) -%}
 {% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %}
 {% set MASTER = salt['grains.get']('master') %}
-{% set MAINIP = salt['pillar.get']('node:mainip') %}
 {% set FLEETARCH = salt['grains.get']('role') %}
 
-
 {% if FLEETARCH == "so-fleet" %}
-  {% set MAINIP = salt['pillar.get']('node:mainip') %}
+  {% set MAININT = salt['pillar.get']('host:mainint') %}
+  {% set MAINIP = salt['grains.get']('ip_interfaces').get(MAININT)[0] %}
 {% else %}
   {% set MAINIP = salt['pillar.get']('static:masterip') %}
 {% endif %}
@@ -16,14 +15,6 @@
 include:
   - mysql
 
-#{% if grains.id.split('_')|last in ['master', 'eval', 'fleet'] %}
-#so/fleet:
-#  event.send:
-#    - data:
-#        action: 'enablefleet'
-#        hostname: {{ grains.host }}
-#{% endif %}
-
 # Fleet Setup
 fleetcdir:
   file.directory:
@@ -67,21 +58,6 @@ fleetlogdir:
     - group: 939
     - makedirs: True
 
-fleetsetupscripts:
-  file.recurse:
-    - name: /usr/sbin
-    - user: 0
-    - group: 0
-    - file_mode: 755
-    - template: jinja
-    - source: salt://fleet/files/scripts
-
-osquerypackageswebpage:
-  file.managed:
-    - name: /opt/so/conf/fleet/packages/index.html
-    - source: salt://fleet/files/dedicated-index.html
-    - template: jinja
-
 fleetdb:
   mysql_database.present:
     - name: fleet

salt/fleet/install_package.sls

@@ -2,14 +2,24 @@
 {%- set FLEETNODE = salt['pillar.get']('static:fleet_node', False) -%}
 {%- set FLEETHOSTNAME = salt['pillar.get']('static:fleet_hostname', False) -%}
 {%- set FLEETIP = salt['pillar.get']('static:fleet_ip', False) -%}
+{% set CUSTOM_FLEET_HOSTNAME = salt['pillar.get']('static:fleet_custom_hostname', None) %}
 
-{%- if FLEETMASTER or FLEETNODE %}
+{% if CUSTOM_FLEET_HOSTNAME != (None and '') %}
+
+{{ CUSTOM_FLEET_HOSTNAME }}:
+  host.present:
+    - ip: {{ FLEETIP }}
+    - clean: True
+
+{% elif FLEETNODE and grains['role'] != 'so-fleet' %}
 
 {{ FLEETHOSTNAME }}:
   host.present:
     - ip: {{ FLEETIP }}
     - clean: True
 
+{% endif %}
+
 launcherpkg:
   pkg.installed:
     - sources:
@@ -18,4 +28,3 @@ launcherpkg:
       {% elif grains['os'] == 'Ubuntu' %}
       - launcher-final: salt://fleet/packages/launcher.deb
       {% endif %}
-{%- endif %}

salt/logstash/pipelines/config/so/0009_input_beats.conf

@@ -0,0 +1,6 @@
+input {
+  beats {
+    port => "5044"
+    tags => [ "beat-ext" ]
+  }
+}

salt/logstash/pipelines/config/so/9500_output_beats.conf.jinja

@@ -3,22 +3,15 @@
 {%- else %}
 {%- set ES = salt['pillar.get']('node:mainip', '') -%}
 {%- endif %}
-# Author: Wes Lambert
+
-# Last Update: 09/14/2018
-filter {
-  if "beat" in [tags] {
-    mutate {
-          ##add_tag => [ "conf_file_9500"]
-        }
-  }
-}
 output {
-  if "beat" in [tags] {
+  if "beat-ext" in [tags] {
     elasticsearch {
+      pipeline => "beats.common" 
       hosts => "{{ ES }}"
       index => "so-beats-%{+YYYY.MM.dd}"
-      template_name => "so-beats"
+      template_name => "so-common"
-      template => "/so-beats-template.json"
+      template => "/so-common-template.json"
       template_overwrite => true
     }
   }

salt/mysql/init.sls

@@ -6,7 +6,8 @@
 {% set FLEETARCH = salt['grains.get']('role') %}
 
 {% if FLEETARCH == "so-fleet" %}
-  {% set MAINIP = salt['pillar.get']('node:mainip') %}
+  {% set MAININT = salt['pillar.get']('host:mainint') %}
+  {% set MAINIP = salt['grains.get']('ip_interfaces').get(MAININT)[0] %}
 {% else %}
   {% set MAINIP = salt['pillar.get']('static:masterip') %}
 {% endif %}

salt/nginx/etc/nginx.conf.so-eval

@@ -119,6 +119,7 @@ http {
           proxy_set_header      Proxy "";
           proxy_set_header      Upgrade $http_upgrade;
           proxy_set_header      Connection "Upgrade";
+          proxy_set_header      X-Forwarded-Proto $scheme;
         }
 
         location / {
@@ -132,6 +133,7 @@ http {
           proxy_set_header      Proxy "";
           proxy_set_header      Upgrade $http_upgrade;
           proxy_set_header      Connection "Upgrade";
+          proxy_set_header      X-Forwarded-Proto $scheme;
         }
 
         location ~ ^/auth/.*?(whoami|login|logout|settings) {
@@ -143,7 +145,7 @@ http {
           proxy_set_header      X-Real-IP $remote_addr;
           proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
           proxy_set_header      Proxy "";
-
+          proxy_set_header      X-Forwarded-Proto $scheme;
         }
 
         location /cyberchef/ {
@@ -154,6 +156,7 @@ http {
           proxy_set_header      X-Real-IP $remote_addr;
           proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
           proxy_set_header      Proxy "";
+          proxy_set_header      X-Forwarded-Proto $scheme;
         }
 
         location /cyberchef {
@@ -169,6 +172,7 @@ http {
           proxy_set_header      X-Real-IP $remote_addr;
           proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
           proxy_set_header      Proxy "";
+          proxy_set_header      X-Forwarded-Proto $scheme;
         } 
         
         location /grafana/ {
@@ -180,7 +184,7 @@ http {
           proxy_set_header      X-Real-IP $remote_addr;
           proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
           proxy_set_header      Proxy "";
-
+          proxy_set_header      X-Forwarded-Proto $scheme;
         }
 
         location /kibana/ {
@@ -193,7 +197,7 @@ http {
           proxy_set_header      X-Real-IP $remote_addr;
           proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
           proxy_set_header      Proxy "";
-
+          proxy_set_header      X-Forwarded-Proto $scheme;
         }
 
         location /nodered/ {
@@ -206,7 +210,7 @@ http {
           proxy_set_header Upgrade $http_upgrade;
           proxy_set_header Connection "Upgrade";
           proxy_set_header      Proxy "";
-
+          proxy_set_header      X-Forwarded-Proto $scheme;
         }
         
         location /playbook/ {
@@ -217,7 +221,7 @@ http {
           proxy_set_header      X-Real-IP $remote_addr;
           proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
           proxy_set_header      Proxy "";
-
+          proxy_set_header      X-Forwarded-Proto $scheme;
         }
 
 
@@ -230,7 +234,7 @@ http {
           proxy_set_header      X-Real-IP $remote_addr;
           proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
           proxy_set_header      Proxy "";
-
+          proxy_set_header      X-Forwarded-Proto $scheme;
         }
 
       {%- if FLEET_NODE %}
@@ -246,6 +250,7 @@ http {
           proxy_set_header      X-Real-IP $remote_addr;
           proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
           proxy_set_header      Proxy "";
+          proxy_set_header      X-Forwarded-Proto $scheme;
         }
       {%- endif %}
 
@@ -258,7 +263,7 @@ http {
           proxy_set_header      X-Real-IP $remote_addr;
           proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
           proxy_set_header      Proxy "";
-
+          proxy_set_header      X-Forwarded-Proto $scheme;
         }
 
         location /cortex/ {
@@ -270,7 +275,7 @@ http {
           proxy_set_header      X-Real-IP $remote_addr;
           proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
           proxy_set_header      Proxy "";
-
+          proxy_set_header      X-Forwarded-Proto $scheme;
         }
         
         location /soctopus/ {
@@ -281,7 +286,7 @@ http {
           proxy_set_header      X-Real-IP $remote_addr;
           proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
           proxy_set_header      Proxy "";
-
+          proxy_set_header      X-Forwarded-Proto $scheme;
         }
 
         location /kibana/app/soc/ {
@@ -304,6 +309,7 @@ http {
           proxy_set_header      X-Real-IP $remote_addr;
           proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
           proxy_set_header      Proxy "";
+          proxy_set_header      X-Forwarded-Proto $scheme;
         }
 
         error_page 401 = @error401;

salt/nginx/etc/nginx.conf.so-fleet

@@ -1,4 +1,6 @@
-{%- set MAINIP = salt['pillar.get']('node:mainip', '') %}
+{% set MAININT = salt['pillar.get']('host:mainint') %}
+{% set MAINIP = salt['grains.get']('ip_interfaces').get(MAININT)[0] %}
+
 # For more information on configuration, see:
 #   * Official English Documentation: http://nginx.org/en/docs/
 #   * Official Russian Documentation: http://nginx.org/ru/docs/
@@ -83,7 +85,7 @@ http {
           proxy_set_header      X-Real-IP $remote_addr;
           proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
           proxy_set_header      Proxy "";
-
+          proxy_set_header      X-Forwarded-Proto $scheme;
         }
 
         #error_page 404 /404.html;

salt/nginx/etc/nginx.conf.so-master

@@ -119,6 +119,7 @@ http {
           proxy_set_header      Proxy "";
           proxy_set_header      Upgrade $http_upgrade;
           proxy_set_header      Connection "Upgrade";
+          proxy_set_header      X-Forwarded-Proto $scheme;
         }
 
         location / {
@@ -132,6 +133,7 @@ http {
           proxy_set_header      Proxy "";
           proxy_set_header      Upgrade $http_upgrade;
           proxy_set_header      Connection "Upgrade";
+          proxy_set_header      X-Forwarded-Proto $scheme;
         }
 
         location ~ ^/auth/.*?(whoami|login|logout|settings) {
@@ -143,7 +145,7 @@ http {
           proxy_set_header      X-Real-IP $remote_addr;
           proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
           proxy_set_header      Proxy "";
-
+          proxy_set_header      X-Forwarded-Proto $scheme;
         }
 
         location /cyberchef/ {
@@ -154,6 +156,7 @@ http {
           proxy_set_header      X-Real-IP $remote_addr;
           proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
           proxy_set_header      Proxy "";
+          proxy_set_header      X-Forwarded-Proto $scheme;
         }
 
         location /cyberchef {
@@ -169,6 +172,7 @@ http {
           proxy_set_header      X-Real-IP $remote_addr;
           proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
           proxy_set_header      Proxy "";
+          proxy_set_header      X-Forwarded-Proto $scheme;
         } 
         
         location /grafana/ {
@@ -180,7 +184,7 @@ http {
           proxy_set_header      X-Real-IP $remote_addr;
           proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
           proxy_set_header      Proxy "";
-
+          proxy_set_header      X-Forwarded-Proto $scheme;
         }
 
         location /kibana/ {
@@ -193,7 +197,7 @@ http {
           proxy_set_header      X-Real-IP $remote_addr;
           proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
           proxy_set_header      Proxy "";
-
+          proxy_set_header      X-Forwarded-Proto $scheme;
         }
 
         location /nodered/ {
@@ -206,7 +210,7 @@ http {
           proxy_set_header Upgrade $http_upgrade;
           proxy_set_header Connection "Upgrade";
           proxy_set_header      Proxy "";
-
+          proxy_set_header      X-Forwarded-Proto $scheme;
         }
         
         location /playbook/ {
@@ -217,7 +221,7 @@ http {
           proxy_set_header      X-Real-IP $remote_addr;
           proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
           proxy_set_header      Proxy "";
-
+          proxy_set_header      X-Forwarded-Proto $scheme;
         }
 
 
@@ -230,7 +234,7 @@ http {
           proxy_set_header      X-Real-IP $remote_addr;
           proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
           proxy_set_header      Proxy "";
-
+          proxy_set_header      X-Forwarded-Proto $scheme;
         }
 
       {%- if FLEET_NODE %}
@@ -246,6 +250,7 @@ http {
           proxy_set_header      X-Real-IP $remote_addr;
           proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
           proxy_set_header      Proxy "";
+          proxy_set_header      X-Forwarded-Proto $scheme;
         }
       {%- endif %}
 
@@ -258,7 +263,7 @@ http {
           proxy_set_header      X-Real-IP $remote_addr;
           proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
           proxy_set_header      Proxy "";
-
+          proxy_set_header      X-Forwarded-Proto $scheme;
         }
 
         location /cortex/ {
@@ -270,7 +275,7 @@ http {
           proxy_set_header      X-Real-IP $remote_addr;
           proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
           proxy_set_header      Proxy "";
-
+          proxy_set_header      X-Forwarded-Proto $scheme;
         }
         
         location /soctopus/ {
@@ -281,7 +286,7 @@ http {
           proxy_set_header      X-Real-IP $remote_addr;
           proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
           proxy_set_header      Proxy "";
-
+          proxy_set_header      X-Forwarded-Proto $scheme;
         }
 
         location /kibana/app/soc/ {
@@ -304,6 +309,7 @@ http {
           proxy_set_header      X-Real-IP $remote_addr;
           proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
           proxy_set_header      Proxy "";
+          proxy_set_header      X-Forwarded-Proto $scheme;
         }
 
         error_page 401 = @error401;

salt/nginx/etc/nginx.conf.so-mastersearch

@@ -119,6 +119,7 @@ http {
           proxy_set_header      Proxy "";
           proxy_set_header      Upgrade $http_upgrade;
           proxy_set_header      Connection "Upgrade";
+          proxy_set_header      X-Forwarded-Proto $scheme;
         }
 
         location / {
@@ -132,6 +133,7 @@ http {
           proxy_set_header      Proxy "";
           proxy_set_header      Upgrade $http_upgrade;
           proxy_set_header      Connection "Upgrade";
+          proxy_set_header      X-Forwarded-Proto $scheme;
         }
 
         location ~ ^/auth/.*?(whoami|login|logout|settings) {
@@ -143,7 +145,7 @@ http {
           proxy_set_header      X-Real-IP $remote_addr;
           proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
           proxy_set_header      Proxy "";
-
+          proxy_set_header      X-Forwarded-Proto $scheme;
         }
 
         location /cyberchef/ {
@@ -154,6 +156,7 @@ http {
           proxy_set_header      X-Real-IP $remote_addr;
           proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
           proxy_set_header      Proxy "";
+          proxy_set_header      X-Forwarded-Proto $scheme;
         }
 
         location /cyberchef {
@@ -169,6 +172,7 @@ http {
           proxy_set_header      X-Real-IP $remote_addr;
           proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
           proxy_set_header      Proxy "";
+          proxy_set_header      X-Forwarded-Proto $scheme;
         } 
         
         location /grafana/ {
@@ -180,7 +184,7 @@ http {
           proxy_set_header      X-Real-IP $remote_addr;
           proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
           proxy_set_header      Proxy "";
-
+          proxy_set_header      X-Forwarded-Proto $scheme;
         }
 
         location /kibana/ {
@@ -193,7 +197,7 @@ http {
           proxy_set_header      X-Real-IP $remote_addr;
           proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
           proxy_set_header      Proxy "";
-
+          proxy_set_header      X-Forwarded-Proto $scheme;
         }
 
         location /nodered/ {
@@ -206,7 +210,7 @@ http {
           proxy_set_header Upgrade $http_upgrade;
           proxy_set_header Connection "Upgrade";
           proxy_set_header      Proxy "";
-
+          proxy_set_header      X-Forwarded-Proto $scheme;
         }
         
         location /playbook/ {
@@ -217,7 +221,7 @@ http {
           proxy_set_header      X-Real-IP $remote_addr;
           proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
           proxy_set_header      Proxy "";
-
+          proxy_set_header      X-Forwarded-Proto $scheme;
         }
 
 
@@ -230,7 +234,7 @@ http {
           proxy_set_header      X-Real-IP $remote_addr;
           proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
           proxy_set_header      Proxy "";
-
+          proxy_set_header      X-Forwarded-Proto $scheme;
         }
 
       {%- if FLEET_NODE %}
@@ -246,6 +250,7 @@ http {
           proxy_set_header      X-Real-IP $remote_addr;
           proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
           proxy_set_header      Proxy "";
+          proxy_set_header      X-Forwarded-Proto $scheme;
         }
       {%- endif %}
 
@@ -258,7 +263,7 @@ http {
           proxy_set_header      X-Real-IP $remote_addr;
           proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
           proxy_set_header      Proxy "";
-
+          proxy_set_header      X-Forwarded-Proto $scheme;
         }
 
         location /cortex/ {
@@ -270,7 +275,7 @@ http {
           proxy_set_header      X-Real-IP $remote_addr;
           proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
           proxy_set_header      Proxy "";
-
+          proxy_set_header      X-Forwarded-Proto $scheme;
         }
         
         location /soctopus/ {
@@ -281,7 +286,7 @@ http {
           proxy_set_header      X-Real-IP $remote_addr;
           proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
           proxy_set_header      Proxy "";
-
+          proxy_set_header      X-Forwarded-Proto $scheme;
         }
 
         location /kibana/app/soc/ {
@@ -304,6 +309,7 @@ http {
           proxy_set_header      X-Real-IP $remote_addr;
           proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
           proxy_set_header      Proxy "";
+          proxy_set_header      X-Forwarded-Proto $scheme;
         }
 
         error_page 401 = @error401;

salt/nginx/etc/nginx.conf.so-standalone

@@ -119,6 +119,7 @@ http {
           proxy_set_header      Proxy "";
           proxy_set_header      Upgrade $http_upgrade;
           proxy_set_header      Connection "Upgrade";
+          proxy_set_header      X-Forwarded-Proto $scheme;
         }
 
         location / {
@@ -132,9 +133,10 @@ http {
           proxy_set_header      Proxy "";
           proxy_set_header      Upgrade $http_upgrade;
           proxy_set_header      Connection "Upgrade";
+          proxy_set_header      X-Forwarded-Proto $scheme;
         }
 
-        location ~ ^/auth/.*?(whoami|login|logout) {
+        location ~ ^/auth/.*?(whoami|login|logout|settings) {
           rewrite               /auth/(.*) /$1 break;
           proxy_pass            http://{{ masterip }}:4433;
           proxy_read_timeout    90;
@@ -143,7 +145,7 @@ http {
           proxy_set_header      X-Real-IP $remote_addr;
           proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
           proxy_set_header      Proxy "";
-
+          proxy_set_header      X-Forwarded-Proto $scheme;
         }
 
         location /cyberchef/ {
@@ -154,6 +156,7 @@ http {
           proxy_set_header      X-Real-IP $remote_addr;
           proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
           proxy_set_header      Proxy "";
+          proxy_set_header      X-Forwarded-Proto $scheme;
         }
 
         location /cyberchef {
@@ -169,6 +172,7 @@ http {
           proxy_set_header      X-Real-IP $remote_addr;
           proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
           proxy_set_header      Proxy "";
+          proxy_set_header      X-Forwarded-Proto $scheme;
         } 
         
         location /grafana/ {
@@ -180,7 +184,7 @@ http {
           proxy_set_header      X-Real-IP $remote_addr;
           proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
           proxy_set_header      Proxy "";
-
+          proxy_set_header      X-Forwarded-Proto $scheme;
         }
 
         location /kibana/ {
@@ -193,7 +197,7 @@ http {
           proxy_set_header      X-Real-IP $remote_addr;
           proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
           proxy_set_header      Proxy "";
-
+          proxy_set_header      X-Forwarded-Proto $scheme;
         }
 
         location /nodered/ {
@@ -206,7 +210,7 @@ http {
           proxy_set_header Upgrade $http_upgrade;
           proxy_set_header Connection "Upgrade";
           proxy_set_header      Proxy "";
-
+          proxy_set_header      X-Forwarded-Proto $scheme;
         }
         
         location /playbook/ {
@@ -217,7 +221,7 @@ http {
           proxy_set_header      X-Real-IP $remote_addr;
           proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
           proxy_set_header      Proxy "";
-
+          proxy_set_header      X-Forwarded-Proto $scheme;
         }
 
 
@@ -230,7 +234,7 @@ http {
           proxy_set_header      X-Real-IP $remote_addr;
           proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
           proxy_set_header      Proxy "";
-
+          proxy_set_header      X-Forwarded-Proto $scheme;
         }
 
       {%- if FLEET_NODE %}
@@ -246,6 +250,7 @@ http {
           proxy_set_header      X-Real-IP $remote_addr;
           proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
           proxy_set_header      Proxy "";
+          proxy_set_header      X-Forwarded-Proto $scheme;
         }
       {%- endif %}
 
@@ -258,7 +263,7 @@ http {
           proxy_set_header      X-Real-IP $remote_addr;
           proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
           proxy_set_header      Proxy "";
-
+          proxy_set_header      X-Forwarded-Proto $scheme;
         }
 
         location /cortex/ {
@@ -270,7 +275,7 @@ http {
           proxy_set_header      X-Real-IP $remote_addr;
           proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
           proxy_set_header      Proxy "";
-
+          proxy_set_header      X-Forwarded-Proto $scheme;
         }
         
         location /soctopus/ {
@@ -281,7 +286,7 @@ http {
           proxy_set_header      X-Real-IP $remote_addr;
           proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
           proxy_set_header      Proxy "";
-
+          proxy_set_header      X-Forwarded-Proto $scheme;
         }
 
         location /kibana/app/soc/ {
@@ -304,6 +309,7 @@ http {
           proxy_set_header      X-Real-IP $remote_addr;
           proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
           proxy_set_header      Proxy "";
+          proxy_set_header      X-Forwarded-Proto $scheme;
         }
 
         error_page 401 = @error401;

salt/reactor/fleet.sls

@@ -9,19 +9,19 @@ import subprocess
 def run():
   MINIONID = data['id']
   ACTION = data['data']['action']
-  HOSTNAME = data['data']['hostname']
+  LOCAL_SALT_DIR = "/opt/so/saltstack/local"
-  ROLE = data['data']['role']
+  STATICFILE = f"{LOCAL_SALT_DIR}/pillar/static.sls"  
-  ESECRET = data['data']['enroll-secret']
+  SECRETSFILE = f"{LOCAL_SALT_DIR}/pillar/secrets.sls"
-  MAINIP = data['data']['mainip']
-  local_salt_dir = /opt/so/saltstack/local
-  STATICFILE = local_salt_dir + '/pillar/static.sls'
-  SECRETSFILE = local_salt_dir + '/pillar/secrets.sls'
-
-  if MINIONID.split('_')[-1] in ['master','eval','fleet','mastersearch']:
 
+  if MINIONID.split('_')[-1] in ['master','eval','fleet','mastersearch','standalone']:
     if ACTION == 'enablefleet':
       logging.info('so/fleet enablefleet reactor')
 
+      ESECRET = data['data']['enroll-secret']
+      MAINIP = data['data']['mainip']
+      ROLE = data['data']['role']
+      HOSTNAME = data['data']['hostname']
+
       # Enable Fleet
       for line in fileinput.input(STATICFILE, inplace=True):
         if ROLE == 'so-fleet':
@@ -49,15 +49,18 @@ def run():
       logging.info('so/fleet genpackages reactor')
 
       PACKAGEVERSION = data['data']['current-package-version']
+      PACKAGEHOSTNAME = data['data']['package-hostname']
       MASTER = data['data']['master']
+      VERSION = data['data']['version']
+      ESECRET = data['data']['enroll-secret']
       
       # Increment the package version by 1
       PACKAGEVERSION += 1
 
       # Run Docker container that will build the packages
-      gen_packages = subprocess.run(["docker", "run","--rm", "--mount", "type=bind,source=" + local_salt_dir + "/salt/fleet/packages,target=/output", \
+      gen_packages = subprocess.run(["docker", "run","--rm", "--mount", f"type=bind,source={LOCAL_SALT_DIR}/salt/fleet/packages,target=/output", \
-         "--mount", "type=bind,source=/etc/ssl/certs/intca.crt,target=/var/launcher/launcher.crt", f"{ MASTER }:5000/soshybridhunter/so-fleet-launcher:HH1.3.0", \
+         "--mount", "type=bind,source=/etc/ssl/certs/intca.crt,target=/var/launcher/launcher.crt", f"{ MASTER }:5000/soshybridhunter/so-fleet-launcher:{ VERSION }", \
-         f"{ESECRET}", f"{HOSTNAME}:8090", f"{PACKAGEVERSION}.1.1"], stdout=subprocess.PIPE, encoding='ascii')  
+         f"{ESECRET}", f"{PACKAGEHOSTNAME}:8090", f"{PACKAGEVERSION}.1.1"], stdout=subprocess.PIPE, encoding='ascii')  
       
       # Update the 'packages-built' timestamp on the webpage (stored in the static pillar)
       for line in fileinput.input(STATICFILE, inplace=True):
@@ -72,4 +75,14 @@ def run():
       # Copy over newly-built packages
       copy_packages = subprocess.run(["salt-call", "state.apply","fleet"], stdout=subprocess.PIPE, encoding='ascii')    
 
+    if ACTION == 'update_custom_hostname':
+      logging.info('so/fleet update_custom_hostname reactor')
+
+      CUSTOMHOSTNAME = data['data']['custom_hostname']
+      
+        # Update the Fleet host in the static pillar
+      for line in fileinput.input(STATICFILE, inplace=True):
+        line = re.sub(r'fleet_custom_hostname: \S*', f"fleet_custom_hostname: {CUSTOMHOSTNAME}", line.rstrip())
+        print(line)  
+
   return {}

salt/ssl/init.sls

@@ -1,9 +1,11 @@
 {% set master = salt['grains.get']('master') %}
 {% set masterip = salt['pillar.get']('static:masterip', '') %}
 {% set HOSTNAME = salt['grains.get']('host') %}
-{% set MAINIP = salt['pillar.get']('node:mainip') %}
 {% set global_ca_text = [] %}
 {% set global_ca_server = [] %}
+{% set MAININT = salt['pillar.get']('host:mainint') %}
+{% set MAINIP = salt['grains.get']('ip_interfaces').get(MAININT)[0] %}
+{% set CUSTOM_FLEET_HOSTNAME = salt['pillar.get']('static:fleet_custom_hostname', None) %}
 
 {% if grains.id.split('_')|last in ['master', 'eval', 'standalone'] %}
     {% set trusttheca_text =  salt['mine.get'](grains.id, 'x509.get_pem_entries')[grains.id]['/etc/pki/ca.crt']|replace('\n', '') %}
@@ -200,6 +202,7 @@ chownfilebeatp8:
     - signing_policy: masterssl
     - public_key: /etc/pki/masterssl.key
     - CN: {{ HOSTNAME }}
+    - subjectAltName: DNS:{{ HOSTNAME }}, IP:{{ MAINIP }} {% if CUSTOM_FLEET_HOSTNAME != None %},DNS:{{ CUSTOM_FLEET_HOSTNAME }} {% endif %}
     - days_remaining: 0
     - days_valid: 820
     - backup: True
@@ -222,7 +225,7 @@ chownfilebeatp8:
   x509.certificate_managed:
     - signing_private_key: /etc/pki/fleet.key
     - CN: {{ HOSTNAME }}
-    - subjectAltName: DNS:{{ HOSTNAME }}, IP:{{ MAINIP }}
+    - subjectAltName: DNS:{{ HOSTNAME }}, IP:{{ MAINIP }} {% if CUSTOM_FLEET_HOSTNAME != None %},DNS:{{ CUSTOM_FLEET_HOSTNAME }} {% endif %}
     - days_remaining: 0
     - days_valid: 820
     - backup: True

salt/wazuh/init.sls

@@ -37,12 +37,6 @@ ossec:
     - allow_uid_change: True
     - allow_gid_change: True
 
-#wazuhdir:
-#  file.directory:
-#    - name: /opt/so/conf/wazuh
-#    - user: 945
-#    - group: 945
-
 wazuhpkgs:
   pkg.installed:
     - skip_suggestions: False
@@ -51,6 +45,13 @@ wazuhpkgs:
     - hold: True
     - update_holds: True
 
+wazuhdir:
+ file.directory:
+   - name: /opt/so/wazuh
+   - group: 945
+   - recurse:
+     - group
+
 # Add Wazuh agent conf
 wazuhagentconf:
   file.managed:

setup/automation/pm_standalone_defaults

@@ -74,5 +74,5 @@ STRELKA=1
 THEHIVE=1
 WAZUH=1
 WEBUSER=onionuser@somewhere.invalid
-WEBPASSWD1=onionuser
+WEBPASSWD1=0n10nus3r
-WEBPASSWD2=onionuser
+WEBPASSWD2=0n10nus3r

setup/so-functions

@@ -258,6 +258,10 @@ check_soremote_pass() {
 	check_pass_match "$SOREMOTEPASS1" "$SOREMOTEPASS2" "SCMATCH"
 }
 
+check_fleet_node_pass() {
+	check_pass_match "$FLEETNODEPASSWD1" "$FLEETNODEPASSWD2" "FPMATCH"
+}
+
 check_web_pass() {
 	check_pass_match "$WEBPASSWD1" "$WEBPASSWD2" "WPMATCH"
 }
@@ -295,6 +299,30 @@ collect_adminuser_inputs() {
 	done
 }
 
+collect_fleet_custom_hostname_inputs() {
+	whiptail_fleet_custom_hostname
+}
+
+collect_fleetuser_inputs() {
+	# Get a username & password for the Fleet admin user
+	local valid_user=no
+	while [[ $valid_user != yes ]]; do
+		whiptail_create_fleet_node_user		
+		if so-user valemail "$FLEETNODEUSER" >> "$setup_log" 2>&1; then
+			valid_user=yes
+		else
+			whiptail_invalid_user_warning
+		fi
+	done
+
+	FPMATCH=no
+	while [[ $FPMATCH != yes ]]; do
+		whiptail_create_fleet_node_user_password1
+		whiptail_create_fleet_node_user_password2
+		check_fleet_node_pass
+	done
+}
+
 
 collect_webuser_inputs() {
 	# Get a password for the web admin user
@@ -390,6 +418,7 @@ check_requirements() {
 		req_mem=8
 		req_cores=4
 		if [[ "$node_type" == 'sensor' ]]; then req_nics=2; else req_nics=1; fi
+		if [[ "$node_type" == 'fleet' ]]; then req_mem=4; fi
 	fi
 
 	if [[ $num_nics -lt $req_nics ]]; then
@@ -814,6 +843,17 @@ get_minion_type() {
 	echo "$minion_type"
 }
 
+host_pillar() {
+
+	local pillar_file="$temp_install_dir"/pillar/minions/"$MINION_ID".sls
+
+	# Create the host pillar
+	printf '%s\n'\
+		"host:"\
+		"  mainint: $MNIC"\
+		"" > "$pillar_file"
+}
+
 install_cleanup() {
 	echo "Installer removing the following files:"
 	ls -lR "$temp_install_dir"
@@ -906,6 +946,7 @@ master_static() {
 		"  cortexorgname: SecurityOnion"\
 		"  cortexorguser: soadmin"\
 		"  cortexorguserkey: $CORTEXORGUSERKEY"\
+		"  fleet_custom_hostname: "\
 		"  fleet_master: False"\
 		"  fleet_node: False"\
 		"  fleet_packages-timestamp: N/A"\
@@ -1194,8 +1235,12 @@ salt_checkin() {
 				sleep 5;
 				systemctl restart salt-minion;
 				sleep 15;
+				echo " Confirming existence of the CA certificate"
+				cat /etc/pki/ca.crt
 				echo " Applyng a mine hack";
 				salt '*' mine.send x509.get_pem_entries glob_path=/etc/pki/ca.crt;
+				echo " Confirming salt mine now contain the certificate"
+				salt \* mine.get \* x509.get_pem_entries
 				echo " Applying SSL state";
 				salt-call state.apply ssl;
 			} >> "$setup_log" 2>&1

setup/so-setup

@@ -145,6 +145,7 @@ elif [ "$install_type" = 'HEAVYNODE' ]; then
 	is_sensor=true
 elif [ "$install_type" = 'FLEET' ]; then
 	is_minion=true
+	is_fleet_standalone=true
 	OSQUERY=1
 elif [ "$install_type" = 'HELIXSENSOR' ]; then
 	is_helix=true
@@ -152,10 +153,12 @@ fi
 
 if [[ $is_eval ]]; then
 	check_requirements "eval"
-elif [[ $is_distmaster || $is_minion ]]; then
+elif [[ $is_fleet_standalone ]]; then
-	check_requirements "dist"
+	check_requirements "dist" "fleet"
 elif [[ $is_sensor && ! $is_eval ]]; then
 	check_requirements "dist" "sensor"
+elif [[ $is_distmaster || $is_minion ]]; then
+	check_requirements "dist"
 fi
 
 whiptail_patch_schedule
@@ -256,7 +259,7 @@ if [[ $is_master ]]; then
 	get_redirect
 fi
 
-if [[ $is_distmaster || ( $is_sensor || $is_node ) && ! $is_eval ]]; then
+if [[ $is_distmaster || ( $is_sensor || $is_node || $is_fleet_standalone ) && ! $is_eval ]]; then
 	whiptail_master_updates
 	if [[ $setup_type == 'network' && $MASTERUPDATES == 1 ]]; then
 		whiptail_master_updates_warning
@@ -305,6 +308,14 @@ if [[ $is_node && ! $is_eval ]]; then
 	fi
 fi
 
+if [ "$install_type" == 'FLEET' ]; then
+	collect_fleetuser_inputs
+	collect_fleet_custom_hostname_inputs
+else
+	FLEETNODEUSER=$WEBUSER
+	FLEETNODEPASSWD1=$WEBPASSWD1
+fi
+
 whiptail_make_changes
 
 if [[ -n "$TURBO" ]]; then
@@ -341,6 +352,10 @@ if [[ $is_minion ]]; then
 	copy_ssh_key >> $setup_log 2>&1
 fi
 
+if [[ "$OSQUERY" = 1 ]]; then
+	host_pillar >> $setup_log 2>&1
+fi
+
 # Begin install
 {
 	# Set initial percentage to 0
@@ -500,11 +515,24 @@ fi
 	fi
 	
 	if [[ "$OSQUERY" = 1 ]]; then
+		set_progress_str 73 "$(print_salt_state_apply 'mysql')"
+		salt-call state.apply -l info mysql >> $setup_log 2>&1
+
 		set_progress_str 73 "$(print_salt_state_apply 'fleet')"
 		salt-call state.apply -l info fleet >> $setup_log 2>&1
 
-		set_progress_str 74 "$(print_salt_state_apply 'redis')"
+		set_progress_str 73 "$(print_salt_state_apply 'redis')"
 		salt-call state.apply -l info redis >> $setup_log 2>&1
+
+		if [[ $is_fleet_standalone && $FLEETCUSTOMHOSTNAME != '' ]]; then
+			set_progress_str 73 "$(print_salt_state_apply 'fleet.event_update-custom-hostname')"
+			pillar_override="{\"static\":{\"fleet_custom_hostname\": \"$FLEETCUSTOMHOSTNAME\"}}"
+			salt-call state.apply -l info fleet.event_update-custom-hostname pillar="$pillar_override" >> $setup_log 2>&1
+		fi
+	
+		set_progress_str 74 "$(print_salt_state_apply 'so-fleet-setup')"	
+		so-fleet-setup $FLEETNODEUSER $FLEETNODEPASSWD1 >> $setup_log 2>&1
+
 	fi
 
 	if [[ "$WAZUH" = 1 ]]; then
@@ -513,8 +541,8 @@ fi
 	fi
 
 	if [[ "$THEHIVE" = 1 ]]; then
-		set_progress_str 76 "$(print_salt_state_apply 'hive')"
+		set_progress_str 76 "$(print_salt_state_apply 'thehive')"
-		salt-call state.apply -l info hive >> $setup_log 2>&1
+		salt-call state.apply -l info thehive >> $setup_log 2>&1
 	fi
 
 	if [[ "$STRELKA" = 1 ]]; then

setup/so-whiptail

@@ -165,6 +165,38 @@ whiptail_create_admin_user_password2() {
 
 }
 
+whiptail_create_fleet_node_user() {
+
+	[ -n "$TESTING" ] && return
+
+	FLEETNODEUSER=$(whiptail --title "Security Onion Install" --inputbox \
+	"Please enter an email for use as the username for the Fleet admin user." 10 60 3>&1 1>&2 2>&3)
+
+}
+
+whiptail_create_fleet_node_user_password1() {
+
+	[ -n "$TESTING" ] && return
+
+	FLEETNODEPASSWD1=$(whiptail --title "Security Onion Install" --passwordbox \
+	"Enter a password for $FLEETNODEUSER" 10 60 3>&1 1>&2 2>&3)
+
+	local exitstatus=$?
+	whiptail_check_exitstatus $exitstatus
+}
+
+whiptail_create_fleet_node_user_password2() {
+
+	[ -n "$TESTING" ] && return
+
+	FLEETNODEPASSWD2=$(whiptail --title "Security Onion Install" --passwordbox \
+	"Re-enter a password for $FLEETNODEUSER" 10 60 3>&1 1>&2 2>&3)
+
+	local exitstatus=$?
+	whiptail_check_exitstatus $exitstatus
+
+}
+
 whiptail_create_soremote_user() {
 
 	[ -n "$TESTING" ] && return
@@ -238,6 +270,19 @@ whiptail_create_web_user_password2() {
 
 }
 
+whiptail_fleet_custom_hostname() {
+
+	[ -n "$TESTING" ] && return
+
+	FLEETCUSTOMHOSTNAME=$(whiptail --title "Security Onion Install" --inputbox \
+	"What FQDN should osquery clients use for connections to this Fleet node? Leave blank if the local system hostname will be used." 10 60 3>&1 1>&2 2>&3)
+
+	local exitstatus=$?
+	whiptail_check_exitstatus $exitstatus
+}
+
+
+
 whiptail_requirements_error() {
 
 	local requirement_needed=$1