Merge branch 'dev' of https://github.com/Security-Onion-Solutions/securityonion into dev

2025-12-06 17:22:49 +01:00 · 2021-06-17 13:30:58 -04:00
parent 8d6b0e23ce 79aad225a4
commit 0dc4bc3cee
36 changed files with 111 additions and 182 deletions
--- a/salt/common/tools/sbin/so-airgap-hotfixapply
+++ b/salt/common/tools/sbin/so-airgap-hotfixapply
--- a/salt/common/tools/sbin/so-airgap-hotfixdownload
+++ b/salt/common/tools/sbin/so-airgap-hotfixdownload
--- a/salt/common/tools/sbin/so-elastic-auth
+++ b/salt/common/tools/sbin/so-elastic-auth
@@ -15,7 +15,9 @@
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
-. /usr/sbin/so-common
+if [ -f "/usr/sbin/so-common" ]; then
  . /usr/sbin/so-common
 fi
 ES_AUTH_PILLAR=${ELASTIC_AUTH_PILLAR:-/opt/so/saltstack/local/pillar/elasticsearch/auth.sls}
 ES_USERS_FILE=${ELASTIC_USERS_FILE:-/opt/so/saltstack/local/salt/elasticsearch/files/users}
@@ -27,12 +29,17 @@ if ! grep -q "enabled: " "$ES_AUTH_PILLAR"; then
  exit 1
 fi
 function restart() {
  so-elastic-stop
  salt-call state.highstate queue=True
 }
 if [[ "$authEnable" == "true" ]]; then
  if grep -q "enabled: False" "$ES_AUTH_PILLAR"; then
    sed -i 's/enabled: False/enabled: True/g' "$ES_AUTH_PILLAR"
    if [[ -z "$ELASTIC_AUTH_SKIP_HIGHSTATE" ]]; then
      echo "Applying highstate - this may take a few minutes..."
-      salt-call state.highstate queue=True
+      restart
    fi
    echo "Elastic auth is now enabled."
    if grep -q "argon" "$ES_USERS_FILE"; then
@@ -48,7 +55,7 @@ elif [[ "$authEnable" == "false" ]]; then
    sed -i 's/enabled: True/enabled: False/g' "$ES_AUTH_PILLAR"
    if [[ -z "$ELASTIC_AUTH_SKIP_HIGHSTATE" ]]; then
      echo "Applying highstate - this may take a few minutes..."
-      salt-call state.highstate queue=True
+      restart
    fi
    echo "Elastic auth is now disabled."
  else
--- a/salt/common/tools/sbin/so-elasticsearch-query
+++ b/salt/common/tools/sbin/so-elasticsearch-query
--- a/salt/common/tools/sbin/so-elasticsearch-wait
+++ b/salt/common/tools/sbin/so-elasticsearch-wait
@@ -0,0 +1,5 @@
 #!/bin/bash
 . /usr/sbin/so-common
 wait_for_web_response "https://localhost:9200/_cat/indices/.kibana*" "green open" 300 "{{ ELASTICCURL }}"
--- a/salt/common/tools/sbin/so-influxdb-clean
+++ b/salt/common/tools/sbin/so-influxdb-clean
--- a/salt/common/tools/sbin/so-influxdb-migrate
+++ b/salt/common/tools/sbin/so-influxdb-migrate
--- a/salt/common/tools/sbin/so-pcap-export
+++ b/salt/common/tools/sbin/so-pcap-export
--- a/salt/common/tools/sbin/soup
+++ b/salt/common/tools/sbin/soup
@@ -779,12 +779,6 @@ main() {
  verify_latest_update_script
  echo ""
  echo "Stopping Salt Master service."
  systemctl stop salt-master
  echo ""
  upgrade_to_2.3.50_repo
  echo "Generating new repo archive"
  generate_and_clean_tarballs
  if [ -f /usr/sbin/so-image-common ]; then
@@ -837,7 +831,7 @@ main() {
    systemctl stop salt-master
    echo ""
-    preupgrade_changes_2.3.50_repo
+    upgrade_to_2.3.50_repo
    # Does salt need upgraded. If so update it.
    if [[ $UPGRADESALT -eq 1 ]]; then
--- a/salt/curator/files/curator.yml
+++ b/salt/curator/files/curator.yml
@@ -18,8 +18,10 @@ client:
  hosts:
    - {{elasticsearch}}
  port: 9200
 {% if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %}
  username: {{ ES_USER }}
  password: {{ ES_PASS }}
 {% endif %}
  url_prefix:
  use_ssl: True
  certificate:
--- a/salt/elastalert/defaults.yaml
+++ b/salt/elastalert/defaults.yaml
@@ -1,10 +1,5 @@
 {%- if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %}
 {%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %}
 {%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %}
 {%- else %}
 {%-   set ES_USER = '' %}
 {%-   set ES_PASS = '' %}
 {%- endif %}
 elastalert:
  config:
    rules_folder: /opt/elastalert/rules/
@@ -26,8 +21,10 @@ elastalert:
    use_ssl: true
    verify_certs: false
    #es_send_get_body_as: GET
 {%- if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %}
    es_username: {{ ES_USER }}
    es_password: {{ ES_PASS }}
 {%- endif %}
    writeback_index: elastalert_status
    alert_time_limit:
      days: 2
--- a/salt/elastalert/init.sls
+++ b/salt/elastalert/init.sls
@@ -103,15 +103,8 @@ elastaconf:
    - template: jinja
 wait_for_elasticsearch:
-  module.run:
+  cmd.run:
-    - http.wait_for_successful_query:
+    - name: so-elasticsearch-wait
      - url: 'https://{{MANAGER}}:9200/_cat/indices/.kibana*'
      - wait_for: 180
      - status:
          - 200
          - 401
      - status_type: list
      - verify_ssl: False
 so-elastalert:
  docker_container.running:
@@ -128,7 +121,7 @@ so-elastalert:
    - extra_hosts:
      - {{MANAGER_URL}}:{{MANAGER_IP}}
    - require:
-      - module: wait_for_elasticsearch
+      - cmd: wait_for_elasticsearch
    - watch:
      - file: elastaconf
--- a/salt/filebeat/etc/filebeat.yml
+++ b/salt/filebeat/etc/filebeat.yml
@@ -3,13 +3,8 @@
 {%- else %}
 {%- set MANAGER = salt['grains.get']('master') %}
 {%- endif %}
 {%- if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %}
 {%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %}
 {%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %}
 {%- else %}
 {%-   set ES_USER = '' %}
 {%-   set ES_PASS = '' %}
 {%- endif %}
 {%- set HOSTNAME = salt['grains.get']('host', '') %}
 {%- set ZEEKVER = salt['pillar.get']('global:mdengine', 'COMMUNITY') %}
@@ -272,8 +267,10 @@ output.{{ type }}:
 output.elasticsearch:
  enabled: true
  hosts: ["https://{{ MANAGER }}:9200"]
 {%- if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %}
  username: "{{ ES_USER }}"
  password: "{{ ES_PASS }}"
 {%- endif %}
  ssl.certificate_authorities: ["/usr/share/filebeat/intraca.crt"]
  pipelines:
    - pipeline: "%{[module]}.%{[dataset]}"
--- a/salt/filebeat/etc/module-setup.yml
+++ b/salt/filebeat/etc/module-setup.yml
@@ -3,17 +3,14 @@
 {%- else %}
 {%- set MANAGER = salt['grains.get']('master') %}
 {%- endif %}
 {%- if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %}
 {%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %}
 {%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %}
 {%- else %}
 {%-   set ES_USER = '' %}
 {%-   set ES_PASS = '' %}
 {%- endif %}
 output.elasticsearch:
  enabled: true
  hosts: ["https://{{ MANAGER }}:9200"]
 {% if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %}
  username: "{{ ES_USER }}"
  password: "{{ ES_PASS }}"
 {% endif %}
  ssl.certificate_authorities: ["/usr/share/filebeat/intraca.crt"]
--- a/salt/filebeat/init.sls
+++ b/salt/filebeat/init.sls
@@ -23,7 +23,7 @@
 {% set MANAGERIP = salt['pillar.get']('global:managerip', '') %}
 {% from 'filebeat/map.jinja' import THIRDPARTY with context %}
 {% from 'filebeat/map.jinja' import SO with context %}
-{% set ES_INCLUDED_NODES = ['so-standalone', 'so-managersearch', 'so-node', 'so-heavynode', 'so-import'] %}
+{% set ES_INCLUDED_NODES = ['so-eval', 'so-standalone', 'so-managersearch', 'so-node', 'so-heavynode', 'so-import'] %}
 #only include elastic state for certain nodes
 {% if grains.role in ES_INCLUDED_NODES %}
@@ -84,7 +84,7 @@ filebeatmoduleconfsync:
    - source: salt://filebeat/etc/module-setup.yml
    - user: root
    - group: root
-    - mode: 660
+    - mode: 640
    - template: jinja
 sodefaults_module_conf:
--- a/salt/kibana/etc/kibana.yml
+++ b/salt/kibana/etc/kibana.yml
@@ -1,21 +1,18 @@
 ---
 # Default Kibana configuration from kibana-docker.
 {%- set ES = salt['pillar.get']('manager:mainip', '') -%}
 {%- if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %}
 {%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %}
 {%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %}
 {%- else %}
 {%-   set ES_USER = '' %}
 {%-   set ES_PASS = '' %}
 {%- endif %}
 server.name: kibana
 server.host: "0"
 server.basePath: /kibana
 elasticsearch.hosts: [ "https://{{ ES }}:9200" ]
 elasticsearch.ssl.verificationMode: none
 #kibana.index: ".kibana"
 {% if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %}
 elasticsearch.username: {{ ES_USER }}
 elasticsearch.password: {{ ES_PASS }}
 {% endif %}
 #xpack.monitoring.ui.container.elasticsearch.enabled: true
 elasticsearch.requestTimeout: 90000
 logging.dest: /var/log/kibana/kibana.log
--- a/salt/logstash/pipelines/config/so/9000_output_zeek.conf.jinja
+++ b/salt/logstash/pipelines/config/so/9000_output_zeek.conf.jinja
@@ -3,20 +3,17 @@
 {%- else %}
 {%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%}
 {%- endif %}
 {%- if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %}
 {%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %}
 {%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %}
 {%- else %}
 {%-   set ES_USER = '' %}
 {%-   set ES_PASS = '' %}
 {%- endif %}
 output {
  if [module] =~ "zeek" and "import" not in [tags] {
    elasticsearch {
      pipeline => "%{module}.%{dataset}"
      hosts => "{{ ES }}"
 {% if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %}
      user => "{{ ES_USER }}"
      password => "{{ ES_PASS }}"
 {% endif %}
      index => "so-zeek"
      template_name => "so-zeek"
      template => "/templates/so-zeek-template.json"
--- a/salt/logstash/pipelines/config/so/9002_output_import.conf.jinja
+++ b/salt/logstash/pipelines/config/so/9002_output_import.conf.jinja
@@ -3,20 +3,17 @@
 {%- else %}
 {%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%}
 {%- endif %}
 {%- if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %}
 {%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %}
 {%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %}
 {%- else %}
 {%-   set ES_USER = '' %}
 {%-   set ES_PASS = '' %}
 {%- endif %}
 output {
  if "import" in [tags] {
    elasticsearch {
      pipeline => "%{module}.%{dataset}"
      hosts => "{{ ES }}"
 {% if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %}
      user => "{{ ES_USER }}"
      password => "{{ ES_PASS }}"
 {% endif %}
      index => "so-import"
      template_name => "so-import"
      template => "/templates/so-import-template.json"
--- a/salt/logstash/pipelines/config/so/9004_output_flow.conf.jinja
+++ b/salt/logstash/pipelines/config/so/9004_output_flow.conf.jinja
@@ -3,19 +3,16 @@
 {%- else %}
 {%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%}
 {%- endif %}
 {%- if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %}
 {%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %}
 {%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %}
 {%- else %}
 {%-   set ES_USER = '' %}
 {%-   set ES_PASS = '' %}
 {%- endif %}
 output {
  if [event_type] == "sflow" {
    elasticsearch {
      hosts => "{{ ES }}"
 {% if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %}
      user => "{{ ES_USER }}"
      password => "{{ ES_PASS }}"
 {% endif %}
      index => "so-flow"
      template_name => "so-flow"
      template => "/templates/so-flow-template.json"
--- a/salt/logstash/pipelines/config/so/9033_output_snort.conf.jinja
+++ b/salt/logstash/pipelines/config/so/9033_output_snort.conf.jinja
@@ -3,19 +3,16 @@
 {%- else %}
 {%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%}
 {%- endif %}
 {%- if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %}
 {%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %}
 {%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %}
 {%- else %}
 {%-   set ES_USER = '' %}
 {%-   set ES_PASS = '' %}
 {%- endif %}
 output {
  if [event_type] == "ids" and "import" not in [tags] {
    elasticsearch {
      hosts => "{{ ES }}"
 {% if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %}
      user => "{{ ES_USER }}"
      password => "{{ ES_PASS }}"
 {% endif %}
      index => "so-ids"
      template_name => "so-ids"
      template => "/templates/so-ids-template.json"
--- a/salt/logstash/pipelines/config/so/9034_output_syslog.conf.jinja
+++ b/salt/logstash/pipelines/config/so/9034_output_syslog.conf.jinja
@@ -3,20 +3,17 @@
 {%- else %}
 {%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%}
 {%- endif %}
 {%- if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %}
 {%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %}
 {%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %}
 {%- else %}
 {%-   set ES_USER = '' %}
 {%-   set ES_PASS = '' %}
 {%- endif %}
 output {
  if [module] =~ "syslog" {
    elasticsearch {
      pipeline => "%{module}"
      hosts => "{{ ES }}"
 {% if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %}
      user => "{{ ES_USER }}"
      password => "{{ ES_PASS }}"
 {% endif %}
      index => "so-syslog"
      template_name => "so-syslog"
      template => "/templates/so-syslog-template.json"
--- a/salt/logstash/pipelines/config/so/9050_output_filebeatmodules.conf.jinja
+++ b/salt/logstash/pipelines/config/so/9050_output_filebeatmodules.conf.jinja
@@ -3,21 +3,18 @@
 {%- else %}
 {%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%}
 {%- endif %}
 {%- if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %}
 {%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %}
 {%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %}
 {%- else %}
 {%-   set ES_USER = '' %}
 {%-   set ES_PASS = '' %}
 {%- endif %}
 output {
  if [metadata][pipeline] {
    elasticsearch {
      id => "filebeat_modules_metadata_pipeline"
      pipeline => "%{[metadata][pipeline]}"
      hosts => "{{ ES }}"
 {% if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %}
      user => "{{ ES_USER }}"
      password => "{{ ES_PASS }}"
 {% endif %}
      index => "so-%{[event][module]}-%{+YYYY.MM.dd}"
      template_name => "so-common"
      template => "/templates/so-common-template.json"
--- a/salt/logstash/pipelines/config/so/9100_output_osquery.conf.jinja
+++ b/salt/logstash/pipelines/config/so/9100_output_osquery.conf.jinja
@@ -3,20 +3,17 @@
 {%- else %}
 {%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%}
 {%- endif %}
 {%- if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %}
 {%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %}
 {%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %}
 {%- else %}
 {%-   set ES_USER = '' %}
 {%-   set ES_PASS = '' %}
 {%- endif %}
 output {
  if [module] =~ "osquery" and "live_query" not in [dataset] {
    elasticsearch {
      pipeline => "%{module}.%{dataset}" 
      hosts => "{{ ES }}"
 {% if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %}
      user => "{{ ES_USER }}"
      password => "{{ ES_PASS }}"
 {% endif %}
      index => "so-osquery"
      template_name => "so-osquery"
      template => "/templates/so-osquery-template.json"
--- a/salt/logstash/pipelines/config/so/9101_output_osquery_livequery.conf.jinja
+++ b/salt/logstash/pipelines/config/so/9101_output_osquery_livequery.conf.jinja
@@ -4,13 +4,8 @@
 {%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%}
 {%- endif %}
 {%- set FEATURES = salt['pillar.get']('elastic:features', False) %}
 {%- if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %}
 {%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %}
 {%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %}
 {%- else %}
 {%-   set ES_USER = '' %}
 {%-   set ES_PASS = '' %}
 {%- endif %}
 filter {
  if [type] =~ "live_query" {
@@ -37,8 +32,10 @@ output {
    elasticsearch {
      pipeline => "osquery.live_query" 
      hosts => "{{ ES }}"
 {% if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %}
      user => "{{ ES_USER }}"
      password => "{{ ES_PASS }}"
 {% endif %}
      index => "so-osquery"
      template_name => "so-osquery"
      template => "/templates/so-osquery-template.json"
--- a/salt/logstash/pipelines/config/so/9200_output_firewall.conf.jinja
+++ b/salt/logstash/pipelines/config/so/9200_output_firewall.conf.jinja
@@ -3,19 +3,16 @@
 {%- else %}
 {%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%}
 {%- endif %}
 {%- if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %}
 {%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %}
 {%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %}
 {%- else %}
 {%-   set ES_USER = '' %}
 {%-   set ES_PASS = '' %}
 {%- endif %}
 output {
  if [dataset] =~ "firewall" {
    elasticsearch {
      hosts => "{{ ES }}"
 {% if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %}
      user => "{{ ES_USER }}"
      password => "{{ ES_PASS }}"
 {% endif %}
      index => "so-firewall"
      template_name => "so-firewall"
      template => "/templates/so-firewall-template.json"
--- a/salt/logstash/pipelines/config/so/9400_output_suricata.conf.jinja
+++ b/salt/logstash/pipelines/config/so/9400_output_suricata.conf.jinja
@@ -3,20 +3,17 @@
 {%- else %}
 {%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%}
 {%- endif %}
 {%- if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %}
 {%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %}
 {%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %}
 {%- else %}
 {%-   set ES_USER = '' %}
 {%-   set ES_PASS = '' %}
 {%- endif %}
 output {
  if [module] =~ "suricata" and "import" not in [tags] {
    elasticsearch {
      pipeline => "%{module}.%{dataset}"
      hosts => "{{ ES }}"
 {% if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %}
      user => "{{ ES_USER }}"
      password => "{{ ES_PASS }}"
 {% endif %}
      index => "so-ids"
      template_name => "so-ids" 
      template => "/templates/so-ids-template.json"
--- a/salt/logstash/pipelines/config/so/9500_output_beats.conf.jinja
+++ b/salt/logstash/pipelines/config/so/9500_output_beats.conf.jinja
@@ -3,20 +3,17 @@
 {%- else %}
 {%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%}
 {%- endif %}
 {%- if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %}
 {%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %}
 {%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %}
 {%- else %}
 {%-   set ES_USER = '' %}
 {%-   set ES_PASS = '' %}
 {%- endif %}
 output {
  if "beat-ext" in [tags] and "import" not in [tags] {
    elasticsearch {
      pipeline => "beats.common" 
      hosts => "{{ ES }}"
 {% if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %}
      user => "{{ ES_USER }}"
      password => "{{ ES_PASS }}"
 {% endif %}
      index => "so-beats"
      template_name => "so-beats"
      template => "/templates/so-beats-template.json"
--- a/salt/logstash/pipelines/config/so/9600_output_ossec.conf.jinja
+++ b/salt/logstash/pipelines/config/so/9600_output_ossec.conf.jinja
@@ -3,20 +3,17 @@
 {%- else %}
 {%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%}
 {%- endif %}
 {%- if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %}
 {%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %}
 {%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %}
 {%- else %}
 {%-   set ES_USER = '' %}
 {%-   set ES_PASS = '' %}
 {%- endif %}
 output {
  if [module] =~ "ossec" {
    elasticsearch {
      pipeline => "%{module}"
      hosts => "{{ ES }}"
 {% if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %}
      user => "{{ ES_USER }}"
      password => "{{ ES_PASS }}"
 {% endif %}
      index => "so-ossec"
      template_name => "so-ossec"
      template => "/templates/so-ossec-template.json"
--- a/salt/logstash/pipelines/config/so/9700_output_strelka.conf.jinja
+++ b/salt/logstash/pipelines/config/so/9700_output_strelka.conf.jinja
@@ -3,20 +3,17 @@
 {%- else %}
 {%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%}
 {%- endif %}
 {%- if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %}
 {%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %}
 {%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %}
 {%- else %}
 {%-   set ES_USER = '' %}
 {%-   set ES_PASS = '' %}
 {%- endif %}
 output {
  if [module] =~ "strelka" {
    elasticsearch {
      pipeline => "%{module}.%{dataset}" 
      hosts => "{{ ES }}"
 {% if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %}
      user => "{{ ES_USER }}"
      password => "{{ ES_PASS }}"
 {% endif %}
      index => "so-strelka"
      template_name => "so-strelka"
      template => "/templates/so-strelka-template.json"
--- a/salt/salt/helper-packages.sls
+++ b/salt/salt/helper-packages.sls
@@ -1,10 +1,3 @@
 {% from 'salt/map.jinja' import PYINOTIFYPACKAGE with context%}
 {% from 'salt/map.jinja' import PYTHONINSTALLER with context%}
 patch_package:
  pkg.installed:
    - name: patch
 pyinotify:
  {{PYTHONINSTALLER}}.installed:
    - name: {{ PYINOTIFYPACKAGE }}
--- a/salt/salt/map.jinja
+++ b/salt/salt/map.jinja
@@ -11,7 +11,6 @@
  {% set PYTHON3INFLUX= 'influxdb == ' ~ PYTHONINFLUXVERSION  %}
  {% set PYTHON3INFLUXDEPS= ['certifi', 'chardet', 'python-dateutil', 'pytz', 'requests'] %}
  {% set PYTHONINSTALLER = 'pip' %}
  {% set PYINOTIFYPACKAGE = 'pyinotify' %}
 {% else %}
  {% set SPLITCHAR = '-' %}
  {% set SALTNOTHELD = salt['cmd.run']('yum versionlock list | grep -q salt ; echo $?', python_shell=True) %}
@@ -22,7 +21,6 @@
  {% set PYTHON3INFLUX= 'securityonion-python3-influxdb' %}
  {% set PYTHON3INFLUXDEPS= ['python36-certifi', 'python36-chardet', 'python36-dateutil', 'python36-pytz', 'python36-requests'] %}
  {% set PYTHONINSTALLER = 'pkg' %}
  {% set PYINOTIFYPACKAGE = 'securityonion-python3-pyinotify' %}
 {% endif %}
 {% set INSTALLEDSALTVERSION = salt['pkg.version']('salt-minion').split(SPLITCHAR)[0] %}
--- a/salt/soctopus/files/templates/es-generic.template
+++ b/salt/soctopus/files/templates/es-generic.template
@@ -1,16 +1,13 @@
 {% set ES = salt['pillar.get']('global:managerip', '') %}
 {%- if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %}
 {%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %}
 {%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %}
 {%- else %}
 {%-   set ES_USER = '' %}
 {%-   set ES_PASS = '' %}
 {%- endif %}
 alert: modules.so.playbook-es.PlaybookESAlerter
 elasticsearch_host: "{{ ES }}:9200"
 {% if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %}
 elasticsearch_user: "{{ ES_USER }}"
 elasticsearch_pass: "{{ ES_PASS }}"
 {% endif %}
 play_title: ""
 play_url: "https://{{ ES }}/playbook/issues/6000"
 sigma_level: ""
--- a/salt/soctopus/files/templates/generic.template
+++ b/salt/soctopus/files/templates/generic.template
@@ -1,18 +1,15 @@
 {% set es = salt['pillar.get']('global:url_base', '') %}
 {%- if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %}
 {%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %}
 {%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %}
 {%- else %}
 {%-   set ES_USER = '' %}
 {%-   set ES_PASS = '' %}
 {%- endif %}
 alert:
 - "modules.so.playbook-es.PlaybookESAlerter"
 elasticsearch_host: "{{ es }}:9200"
 {% if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %}
 elasticsearch_user: "{{ ES_USER }}"
 elasticsearch_pass: "{{ ES_PASS }}"
 {% endif %}
 play_title: ""
 play_id: ""
 event.module: "playbook"
--- a/salt/soctopus/files/templates/osquery.template
+++ b/salt/soctopus/files/templates/osquery.template
@@ -1,18 +1,15 @@
 {% set es = salt['pillar.get']('global:url_base', '') %}
 {%- if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %}
 {%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %}
 {%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %}
 {%- else %}
 {%-   set ES_USER = '' %}
 {%-   set ES_PASS = '' %}
 {%- endif %}
 alert:
 - "modules.so.playbook-es.PlaybookESAlerter"
 elasticsearch_host: "{{ es }}:9200"
 {% if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %}
 elasticsearch_user: "{{ ES_USER }}"
 elasticsearch_pass: "{{ ES_PASS }}"
 {% endif %}
 play_title: ""
 event.module: "playbook"
 event.dataset: "alert"
--- a/salt/telegraf/etc/telegraf.conf
+++ b/salt/telegraf/etc/telegraf.conf
@@ -14,13 +14,8 @@
 # for numbers and booleans they should be plain (ie, $INT_VAR, $BOOL_VAR)
 {%- set MANAGER = salt['grains.get']('master') %}
 {%- if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %}
 {%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %}
 {%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %}
 {%- else %}
 {%-   set ES_USER = '' %}
 {%-   set ES_PASS = '' %}
 {%- endif %}
 {% set NODEIP = salt['pillar.get']('elasticsearch:mainip', '') %}
 {% set HELIX_API_KEY = salt['pillar.get']('fireeye:helix:api_key', '') %}
 {% set UNIQUEID = salt['pillar.get']('sensor:uniqueid', '') %}
@@ -627,8 +622,10 @@
 {% if grains['role'] in ['so-manager', 'so-eval', 'so-managersearch', 'so-standalone']   %}
 [[inputs.elasticsearch]]
   servers = ["https://{{ MANAGER }}:9200"]
 {% if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %}
   username = "{{ ES_USER }}"
   password = "{{ ES_PASS }}"
 {% endif %}
   insecure_skip_verify = true
 {% elif grains['role'] in ['so-node', 'so-hotnode', 'so-warmnode', 'so-heavynode']  %}
 [[inputs.elasticsearch]]
--- a/setup/so-setup
+++ b/setup/so-setup
@@ -751,6 +751,10 @@ echo "1" > /root/accept_changes
 		set_progress_str 60 "$(print_salt_state_apply 'manager')"
 		salt-call state.apply -l info manager >> $setup_log 2>&1
 		echo "Executing so-elastic-auth..." >> $setup_log 2>&1
 		ELASTIC_AUTH_SKIP_HIGHSTATE=true bash /opt/so/saltstack/default/salt/common/tools/sbin/so-elastic-auth >> $setup_log 2>&1
 		echo "Finished so-elastic-auth..." >> $setup_log 2>&1
 	fi
 	set_progress_str 61 "$(print_salt_state_apply 'firewall')"
@@ -770,10 +774,6 @@ echo "1" > /root/accept_changes
 	fi
 	if [[ $is_manager || $is_helix || $is_import ]]; then
 		echo "Executing so-elastic-auth..." >> $setup_log 2>&1
 		ELASTIC_AUTH_SKIP_HIGHSTATE=true bash /usr/sbin/so-elastic-auth >> $setup_log 2>&1
 		echo "Finished so-elastic-auth..." >> $setup_log 2>&1
 		set_progress_str 63 "$(print_salt_state_apply 'idstools')"
 		create_local_nids_rules >> $setup_log 2>&1
 		salt-call state.apply -l info idstools >> $setup_log 2>&1