From 4ff5fc3b382c0657f86bba43f71c264ce7b9b0e5 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Tue, 11 Jan 2022 14:38:38 -0500
Subject: [PATCH 1/7] Remove hive install option
---
 setup/so-whiptail | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/setup/so-whiptail b/setup/so-whiptail
index 62df1b5d9..e23abdbb1 100755
--- a/setup/so-whiptail
+++ b/setup/so-whiptail
@@ -213,7 +213,7 @@ whiptail_create_web_user() {
 [ -n "$TESTING" ] && return
 WEBUSER=$(whiptail --title "$whiptail_title" --inputbox \
- "Please enter an email address to create an administrator account for the web interface.\n\nThis will also be used for Elasticsearch, Kibana, TheHive, Cortex, and Fleet." 12 60 "$1" 3>&1 1>&2 2>&3)
+ "Please enter an email address to create an administrator account for the web interface.\n\nThis will also be used for Elasticsearch, Kibana, and Fleet." 12 60 "$1" 3>&1 1>&2 2>&3)
 local exitstatus=$?
 whiptail_check_exitstatus $exitstatus
@@ -396,7 +396,6 @@ if [[ $is_eval ]]; then
 GRAFANA "Enable Grafana for system monitoring" ON \
 OSQUERY "Enable Fleet with osquery" ON \
 WAZUH "Enable Wazuh" ON \
- THEHIVE "Enable TheHive" ON \
 PLAYBOOK "Enable Playbook" ON \
 STRELKA "Enable Strelka" ON 3>&1 1>&2 2>&3)
 else
@@ -404,7 +403,6 @@ else
 "$description" 20 75 7 \
 OSQUERY "Enable Fleet with osquery" ON \
 WAZUH "Enable Wazuh" ON \
- THEHIVE "Enable TheHive" ON \
 PLAYBOOK "Enable Playbook" ON \
 STRELKA "Enable Strelka" ON 3>&1 1>&2 2>&3)
 export "GRAFANA=1"
From 1d94e3ac69d356e95fea86f196116b3aa9a8205a Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Wed, 12 Jan 2022 09:38:22 -0500
Subject: [PATCH 2/7] Fix some formatting
---
 salt/soc/files/soc/soc.json | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/salt/soc/files/soc/soc.json b/salt/soc/files/soc/soc.json
index ae28183fd..2d68b2b28 100644
--- a/salt/soc/files/soc/soc.json
+++ b/salt/soc/files/soc/soc.json
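Review bot: The eval and non-eval checklists in the second and third hunks are now identical apart from the GRAFANA entry, and every service change such as this removal has to be applied to both lists by hand. Holding the shared entries in one array, e.g. `common_items=(OSQUERY "Enable Fleet with osquery" ON WAZUH "Enable Wazuh" ON PLAYBOOK "Enable Playbook" ON STRELKA "Enable Strelka" ON)`, and expanding it as `"${common_items[@]}"` in both whiptail calls would keep the two lists from drifting. Separately, dropping THEHIVE from the checklist presumably means whatever later turned that selection into the `manager:thehive` pillar is no longer set on new installs; soc.json still reads that pillar with a `'0'` default, so this likely works, but it is worth confirming that no other consumer of the THEHIVE selection remains. Both whiptail statements start before their hunk.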
@@ -3,8 +3,8 @@
 {%- set THEHIVEKEY = salt['pillar.get']('global:hivekey', '') %}
 {%- set PLAYBOOK = salt['pillar.get']('manager:playbook', '0') %}
 {%- set THEHIVE = salt['pillar.get']('manager:thehive', '0') %}
-{% set FLEETMANAGER = salt['pillar.get']('global:fleet_manager', False) %}
-{% set FLEETNODE = salt['pillar.get']('global:fleet_node', False) %}
+{%- set FLEETMANAGER = salt['pillar.get']('global:fleet_manager', False) %}
+{%- set FLEETNODE = salt['pillar.get']('global:fleet_node', False) %}
 {%- set GRAFANA = salt['pillar.get']('manager:grafana', '0') %}
 {%- set ISAIRGAP = salt['pillar.get']('global:airgap', 'False') %}
 {%- set API_TIMEOUT = salt['pillar.get']('sensoroni:api_timeout_ms', 0) %}
@@ -89,23 +89,23 @@
 "refreshIntervalMs": 30000,
 "offlineThresholdMs": 900000
 },
-{% if CASE_MODULE == 'thehive' and THEHIVEKEY != '' %}
+{%- if CASE_MODULE == 'thehive' and THEHIVEKEY != '' %}
 "thehive": {
 "hostUrl": "http://{{ MANAGERIP }}:9000/thehive",
 "key": "{{ THEHIVEKEY }}",
 "verifyCert": false
 },
-{% elif CASE_MODULE == 'elasticcases' %}
+{%- elif CASE_MODULE == 'elasticcases' %}
 "elasticcases": {
 "hostUrl": "https://{{ MANAGERIP }}:5601",
 "username": "{{ ES_USER }}",
 "password": "{{ ES_PASS }}",
 },
-{% elif CASE_MODULE == 'generichttp' %}
+{%- elif CASE_MODULE == 'generichttp' %}
 "generichttp": {
 {{ GENERIC_CASE_CONFIG }}
 },
-{% endif %}
+{%- endif %}
 "statickeyauth": {
 "anonymousCidr": "{{ DNET }}/24",
 "apiKey": "{{ SENSORONIKEY }}"
From 5b347600e9a3ae2c2fd045329703f9e3c04928fc Mon Sep 17 00:00:00 2001
From: Josh Patterson
Date: Wed, 12 Jan 2022 12:24:52 -0500
Subject: [PATCH 3/7] push ips of mainint to salt mine
---
 salt/common/tools/sbin/soup | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup
index f5b012bb6..24b13a408 100755
--- a/salt/common/tools/sbin/soup
+++ b/salt/common/tools/sbin/soup
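Review bot: The elasticcases block that the new `{%- elif CASE_MODULE == 'elasticcases' %}` tag introduces still ends with a trailing comma, `"password": "{{ ES_PASS }}",` immediately before `},`, which is not valid JSON; unless the consumer's parser is lenient, the rendered soc.json will fail to load whenever that case module is selected. Dropping the comma, `"password": "{{ ES_PASS }}"`, makes the block consistent with the thehive block above it, whose last member `"verifyCert": false` has none. Since this section renders ES_PASS, THEHIVEKEY and SENSORONIKEY in the clear, it is also worth confirming that the rendered file's mode limits it to the SOC service user.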
@@ -735,6 +735,13 @@ update_centos_repo() {
 createrepo /nsm/repo
 }
+update_salt_mine() {
+ echo "Populating the mine with network.ip_addrs pillar.host.mainint for each host."
+ set +e
+ salt \* cmd.run cmd='MAININT=$(salt-call pillar.get host:mainint --out=newline_values_only) && salt-call mine.send name=network.ip_addrs interface="$MAININT"'
+ set -e
+}
+
 update_version() {
 # Update the version to the latest
 echo "Updating the Security Onion version file."
@@ -973,6 +980,9 @@ main() {
 echo "Performing upgrade from Security Onion $INSTALLEDVERSION to Security Onion $NEWVERSION."
 echo ""
+ # update mine items prior to stopping salt-minion and salt-master
+ update_salt_mine
+
 echo "Updating dockers to $NEWVERSION."
 if [[ $is_airgap -eq 0 ]]; then
 airgap_update_dockers
From ee44edfe754799296ce9de1b1a965178dd85e0b6 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Wed, 12 Jan 2022 13:18:44 -0500
Subject: [PATCH 4/7] Add additional highlander settings
---
 salt/elasticsearch/config.map.jinja | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/salt/elasticsearch/config.map.jinja b/salt/elasticsearch/config.map.jinja
index 914bda434..c3f2b2067 100644
--- a/salt/elasticsearch/config.map.jinja
+++ b/salt/elasticsearch/config.map.jinja
@@ -10,7 +10,7 @@
 {% if salt['pillar.get']('nodestab', {}) %}
 {% do ESCONFIG.elasticsearch.config.node.update({'roles': ['master', 'data', 'remote_cluster_client']}) %}
 {% if HIGHLANDER %}
- {% do ESCONFIG.elasticsearch.config.node.roles.append('ml') %}
+ {% do ESCONFIG.elasticsearch.config.node.roles.append('ml', 'transform') %}
 {% endif %}
 {% do ESCONFIG.elasticsearch.config.update({'discovery': {'seed_hosts': [grains.master]}}) %}
 {% for SN, SNDATA in salt['pillar.get']('nodestab', {}).items() %}
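Review bot: The `set +e` / `set -e` bracket in the new `update_salt_mine` hides every failure of the `salt \* cmd.run` call, so an unreachable or timed-out minion, or a host whose `host:mainint` pillar is empty (the inner command then passes `interface=""` to `mine.send`), is never reported before the main() hunk goes on to stop salt-minion and salt-master. Capturing the status keeps the best-effort intent while still telling the operator, and removes the need to toggle errexit: `salt \* cmd.run cmd='MAININT=$(salt-call pillar.get host:mainint --out=newline_values_only) && salt-call mine.send name=network.ip_addrs interface="$MAININT"' || echo "WARNING: salt mine update failed on one or more minions" >&2`. The first added echo also calls the value `pillar.host.mainint` while the command reads `host:mainint`; using one spelling in both keeps the soup log unambiguous.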
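Review bot: `roles.append('ml', 'transform')` on the added line passes two arguments to Python's `list.append`, which takes exactly one, so rendering this template for a HIGHLANDER node that has a `nodestab` pillar raises a TypeError instead of adding the roles. The second hunk of this file already uses the correct form, and this line should match it: `{% do ESCONFIG.elasticsearch.config.node.roles.extend(['ml', 'transform']) %}`.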
@@ -23,7 +23,7 @@
 {% else %}
 {% do ESCONFIG.elasticsearch.config.node.update({'roles': ['data', 'ingest']}) %}
 {% if HIGHLANDER %}
- {% do ESCONFIG.elasticsearch.config.node.roles.extend(['ml', 'master']) %}
+ {% do ESCONFIG.elasticsearch.config.node.roles.extend(['ml', 'master', 'transform']) %}
 {% endif %}
 {% do ESCONFIG.elasticsearch.config.node.attr.update({'box_type': 'hot'}) %}
 {% do ESCONFIG.elasticsearch.config.update({'discovery': {'seed_hosts': [grains.master]}}) %}
From c525bf310d9f0123795a01cd027035212ebcb489 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Wed, 12 Jan 2022 13:19:40 -0500
Subject: [PATCH 5/7] Add additional highlander settings
---
 salt/kibana/config.map.jinja | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/salt/kibana/config.map.jinja b/salt/kibana/config.map.jinja
index 58f1fbf67..d595092de 100644
--- a/salt/kibana/config.map.jinja
+++ b/salt/kibana/config.map.jinja
@@ -1,4 +1,5 @@
 {% import_yaml 'kibana/defaults.yaml' as KIBANACONFIG with context %}
+{% set HIGHLANDER = salt['pillar.get']('global:highlander', False) %}
 {% if salt['pillar.get']('elasticsearch:auth:enabled', False) %}
 {% do KIBANACONFIG.kibana.config.elasticsearch.update({'username': salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user'), 'password': salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass')}) %}
@@ -12,4 +13,8 @@
 {% do KIBANACONFIG.kibana.config.xpack.update({'reporting': {'encryptionKey': pillar['kibana']['secrets']['reporting']['encryptionKey']}}) %}
 {% endif %}
+{% if HIGHLANDER %}
+ {% do KIBANACONFIG.kibana.config.xpack.ml.update({'enabled': true}) %}
+{% endif %}
+
 {% set KIBANACONFIG = salt['pillar.get']('kibana:config', default=KIBANACONFIG.kibana.config, merge=True) %}
From da30f6609682c8e86ea5b69e25cee67ea9b503cf Mon Sep 17 00:00:00 2001
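Review bot: `KIBANACONFIG.kibana.config.xpack.ml.update({'enabled': true})` on the added line assumes `kibana/defaults.yaml` already defines an `xpack.ml` mapping; if it does not, the dotted lookup yields an undefined value and the `.update` call fails at render time for every HIGHLANDER manager. The `reporting` line just above sets its key through the parent instead, and the same shape works here without that assumption: `{% do KIBANACONFIG.kibana.config.xpack.update({'ml': {'enabled': true}}) %}`, merging rather than replacing if `xpack.ml` turns out to carry other defaults.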
From: Josh Patterson
Date: Wed, 12 Jan 2022 13:29:34 -0500
Subject: [PATCH 6/7] remove mine push from 2.3.100 function
---
 salt/common/tools/sbin/soup | 4 ----
 1 file changed, 4 deletions(-)
diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup
index 24b13a408..ff188feb2 100755
--- a/salt/common/tools/sbin/soup
+++ b/salt/common/tools/sbin/soup
@@ -665,10 +665,6 @@ up_to_2.3.90() {
 up_to_2.3.100() {
 echo "Updating to Security Onion to 2.3.100"
- echo "Populating the mine with network.ip_addrs pillar.host.mainint for each host."
- set +e
- salt \* cmd.run cmd='MAININT=$(salt-call pillar.get host:mainint --out=newline_values_only) && salt-call mine.send name=network.ip_addrs interface="$MAININT"'
- set -e
 fix_wazuh
 }
From 776e4c6e1222473be7eb618e6823f56a50535487 Mon Sep 17 00:00:00 2001
From: Josh Patterson
Date: Wed, 12 Jan 2022 13:32:46 -0500
Subject: [PATCH 7/7] Update soup
---
 salt/common/tools/sbin/soup | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup
index 5afc83cce..71891a57e 100755
--- a/salt/common/tools/sbin/soup
+++ b/salt/common/tools/sbin/soup
@@ -664,7 +664,7 @@ up_to_2.3.90() {
 }
 up_to_2.3.100() {
- echo "Updating to Security Onion to 2.3.100"
+ echo "Updating to Security Onion 2.3.100"
 fix_wazuh
 }