merge with dev and resolve conflicts

pillar/logstash/search.sls

@@ -2,7 +2,7 @@ logstash:
   pipelines:
     search:
       config:
-	- so/0900_input_redis.conf.jinja
+        - so/0900_input_redis.conf.jinja
         - so/9000_output_zeek.conf.jinja
         - so/9002_output_import.conf.jinja
         - so/9100_output_osquery.conf.jinja

pillar/top.sls

@@ -21,7 +21,7 @@ base:
     - static
     - firewall.*
     - data.*
-    - auth #Shared secrets
+    - secrets
     - minions.{{ grains.id }}
 
   '*_master':
@@ -33,7 +33,7 @@ base:
     - firewall.*
     - data.*
     - brologs
-    - auth #Shared secrets
+    - secrets
     - logstash
     - logstash.eval
     - healthcheck.eval
@@ -63,5 +63,5 @@ base:
     - static
     - firewall.*
     - data.*
-    - auth #Shared secrets
+    - secrets
     - minions.{{ grains.id }}

salt/auth/init.sls

@@ -1,30 +0,0 @@
-{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.1.4') %}
-{% set MASTER = salt['grains.get']('master') %}
-
-so-auth-api-dir:
-  file.directory:
-    - name: /opt/so/conf/auth/api
-    - user: 939
-    - group: 939
-    - makedirs: True
-
-so-auth-api:
-    docker_container.running:
-        - image: {{ MASTER }}:5000/soshybridhunter/so-auth-api:{{ VERSION }}
-        - hostname: so-auth-api
-        - name: so-auth-api
-        - environment:
-            - BASE_PATH: "/so-auth/api"
-            - AUTH_TOKEN_TIMEOUT: 32400
-        - binds:
-            - /opt/so/conf/auth/api:/data
-        - port_bindings:
-            - 0.0.0.0:5656:5656
-
-so-auth-ui:
-    docker_container.running:
-        - image: {{ MASTER }}:5000/soshybridhunter/so-auth-ui:{{ VERSION }}
-        - hostname: so-auth-ui
-        - name: so-auth-ui
-        - port_bindings:
-            - 0.0.0.0:4242:80

salt/common/nginx/index.html

@@ -1,163 +0,0 @@
-<!DOCTYPE html>
-<html lang="en">
-<head>
-<title>Security Onion - Hybrid Hunter</title>
-<meta charset="utf-8">
-<meta name="viewport" content="width=device-width, initial-scale=1">
-<link rel="icon" type="image/png" href="favicon-32x32.png" sizes="32x32" />
-<link rel="icon" type="image/png" href="favicon-16x16.png" sizes="16x16" />
-<style>
-* {
-	box-sizing: border-box;
-	font-family: Arial, Helvetica, sans-serif;
-	padding-left: 30px;
-	padding-right: 30px;
-}
-
-body {
-	font-family: Arial, Helvetica, sans-serif;
-	background-color: #2a2a2a;
-
-}
-a {
-	color: #f2f2f2;
-	text-align: left;
-	padding: 0px;
-}
-
-.center-content {
-	margin: 0 auto;
-}
-
-.center-image {
-	display: block;
-	margin-left: auto;
-	margin-right: auto;
-	width: 50%;
-}
-
-/* Style the top navigation bar */
-.topnav {
-	overflow: hidden;
-	background-color: #333;
-	width: 1080px;
-	display: flex;
-	align-content: center;
-}
-
-/* Style the topnav links */
-.topnav a {
-	margin: auto;
-	color: #f2f2f2;
-	text-align: center;
-	padding: 14px 16px;
-	text-decoration: none;
-}
-
-/* Change color on hover */
-.topnav a:hover {
-	background-color: #ddd;
-	color: black;
-}
-
-/* Style the content */
-.content {
-	background-color: #2a2a2a;
-	padding: 10px;
-	padding-top: 20px;
-	padding-left: 60px;
-	color: #E3DBCC;
-	width: 1080px;
-}
-
-/* Style the footer */
-.footer {
-	background-color: #2a2a2a;
-	padding: 60px;
-	color: #E3DBCC;
-	width: 1080px;
-}
-
-</style>
-</head>
-<body>
-	<div class="center-content">
-		<div class="topnav center-content">
-			<a href="/so-auth/loginpage/create-user" target="_blank">Create New User</a>
-			<a href="/kibana/" target="_blank">Kibana</a>
-			<a href="/grafana/" target="_blank">Grafana</a>
-			<a href="/sensoroni/" target="_blank">Sensoroni</a>
-	  		<a href="/playbook/" target="_blank">Playbook</a>
-			<a href="/fleet/" target="_blank">Fleet</a>
-			<a href="/thehive/" target="_blank">TheHive</a>
-			<a href="/packages/" target="_blank">Osquery Packages</a>
-			<a href="https://github.com/Security-Onion-Solutions/securityonion-saltstack/wiki/FAQ" target="_blank">FAQ</a>
-			<a href="https://www.securityonionsolutions.com" target="_blank">Security Onion Solutions</a>
-			<a href="https://blog.securityonion.net" target="_blank">Blog</a>
-		</div>
-
-		<div class="content center-content">
-			<div style="text-align: center;">
-				<a href="https://securityonion.net">
-					<img style="border: none;" src="alpha_logo.jpg" alt="Security Onion" class="center-image" target="_blank">
-				</a>
-				<br/>
-			</div>
-			<p>
-				<div style="text-align: center;">
-					<h1>Hybrid Hunter Alpha 1.1.4 - Feature Parity Release</h1>
-				</div>
-				<br/>
-				<h2>Changes:</h2>
-				<ul>
-					<li>Added new in-house auth method [Security Onion Auth](https://github.com/Security-Onion-Solutions/securityonion-auth).</li>
-					<li>Web user creation is done via the browser now instead of so-user-add.</li>
-					<li>New Logstash pipeline setup. Now uses multiple pipelines.</li>
-					<li>New Master + Search node type and well as a Heavy Node type in the install.</li>
-					<li>Change all nodes to point to the docker registry on the Master. This cuts down on the calls to dockerhub.</li>
-					<li>Zeek 3.0.1</li>
-					<li>Elastic 6.8.6</li>
-					<li>New SO Start | Stop | Restart scripts for all components (eg. `so-playbook-restart`).</li>
-					<li>BPF support for Suricata (NIDS), Steno (PCAP) & Zeek ([Docs](https://github.com/Security-Onion-Solutions/securityonion-saltstack/wiki/BPF)).</li>
-					<li>Updated Domain Stats & Frequency Server containers to Python3 & created new Salt states for them.</li>
-					<li>Added so-status script which gives an easy to read look at container status.</li>
-					<li>Manage threshold.conf for Suricata using the thresholding pillar.</li>
-					<li>The ISO now includes all the docker containers for faster install speeds.</li>
-					<li>You now set the password for the onion account during the iso install. This account is temporary and will be removed after so-setup.</li>
-					<li>Updated Helix parsers for better compatibility.</li>
-					<li>Updated telegraf docker to include curl and jq.</li>
-					<li>CVE-2020-0601 Zeek Detection Script.</li>
-					<li>ISO Install now prompts you to create a password for the onion user during imaging. This account gets disabled during setup.</li>
-					<li>Check out the <a href="https://github.com/Security-Onion-Solutions/securityonion-saltstack/wiki/Hybrid-Hunter-Quick-Start-Guide" target="_blank">Hybrid Hunter Quick Start Guide</a>.</li>
-				</ul>
-	 		</p>
-		</div>
-
-		<div class="footer center-content">
-			<b>Disclaimer of Warranty</b>
-			<br/>
-			<small>
-				THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. 
-				EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM 
-				.AS IS. WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, 
-				THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. 
-				THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, 
-				YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
-			</small>
-			<br/>
-			<br/>
-			<b>Limitation of Liability</b>
-			<br/>
-			<small>
-				IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, 
-				OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, 
-				INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM 
-				(INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES 
-				OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE 
-				POSSIBILITY OF SUCH DAMAGES.
-			</small>
-			<br/>
-		</div>
-	</div>
-</body>
-</html>

salt/common/nginx/nginx.conf.so-eval

@@ -27,6 +27,7 @@ http {
     tcp_nodelay         on;
     keepalive_timeout   65;
     types_hash_max_size 2048;
+    client_max_body_size 1024M;
 
     include             /etc/nginx/mime.types;
     default_type        application/octet-stream;

salt/common/nginx/nginx.conf.so-fleet

@@ -86,14 +86,6 @@ http {
 
         }
 
-
-        error_page 401 = @error401;
-
-        location @error401 {
-          add_header    Set-Cookie "NSREDIRECT=http://{{ MAINIP }}$request_uri;Domain={{ MAINIP }};Path=/;Max-Age=60000";
-          return        302 http://{{ MAINIP }}/so-auth/loginpage/;
-        }
-
         error_page 404 /404.html;
             location = /40x.html {
         }

salt/common/nginx/nginx.conf.so-master

@@ -27,6 +27,7 @@ http {
     tcp_nodelay         on;
     keepalive_timeout   65;
     types_hash_max_size 2048;
+    client_max_body_size 1024M;
 
     include             /etc/nginx/mime.types;
     default_type        application/octet-stream;

salt/common/nginx/nginx.conf.so-mastersearch

@@ -27,6 +27,7 @@ http {
     tcp_nodelay         on;
     keepalive_timeout   65;
     types_hash_max_size 2048;
+    client_max_body_size 1024M;
 
     include             /etc/nginx/mime.types;
     default_type        application/octet-stream;

salt/common/tools/sbin/so-auth-restart

@@ -1,21 +0,0 @@
-#!/bin/bash
-
-# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program.  If not, see <http://www.gnu.org/licenses/>.
-
-. /usr/sbin/so-common
-
-/usr/sbin/so-restart auth $1
-

salt/common/tools/sbin/so-auth-start

@@ -1,20 +0,0 @@
-#!/bin/bash
-
-# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program.  If not, see <http://www.gnu.org/licenses/>.
-
-. /usr/sbin/so-common
-
-/usr/sbin/so-start auth $1

salt/common/tools/sbin/so-auth-stop

@@ -1,20 +0,0 @@
-#!/bin/bash
-
-# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program.  If not, see <http://www.gnu.org/licenses/>.
-
-. /usr/sbin/so-common
-
-/usr/sbin/so-stop auth $1

salt/common/tools/sbin/so-elastic-download

@@ -2,8 +2,6 @@
 MASTER=MASTER
 VERSION="HH1.1.4"
 TRUSTED_CONTAINERS=( \
-"so-auth-api:$VERSION" \
-"so-auth-ui:$VERSION" \
 "so-core:$VERSION" \
 "so-thehive-cortex:$VERSION" \
 "so-curator:$VERSION" \

salt/common/tools/sbin/so-restart

@@ -32,6 +32,5 @@ fi
 case $1 in
    "cortex") docker stop so-thehive-cortex so-thehive && docker rm so-thehive-cortex so-thehive && salt-call state.apply hive queue=True;;
    "steno") docker stop so-steno && docker rm so-steno && salt-call state.apply pcap queue=True;;
-   "auth") docker stop so-auth-api; docker stop so-auth-ui; salt-call state.apply auth queue=True;;
    *)  docker stop so-$1 ; docker rm so-$1 ; salt-call state.apply $1 queue=True;;
 esac

salt/common/tools/sbin/so-start

@@ -32,16 +32,5 @@ fi
 case $1 in
    "all") salt-call state.highstate queue=True;;
    "steno") if docker ps | grep -q so-$1; then printf "\n$1 is already running!\n\n"; else docker rm so-$1 >/dev/null 2>&1 ; salt-call state.apply pcap queue=True; fi ;; 
-   "auth") 
-      if docker ps | grep -q so-auth-api; then
-         if docker ps | grep -q so-auth-ui; then
-            printf "\n$1 is already running!\n\n"
-         else
-            docker rm so-auth-api >/dev/null 2>&1; docker rm so-auth-ui >/dev/null 2>&1; salt-call state.apply $1 queue=True
-         fi
-      else
-         docker rm so-auth-api >/dev/null 2>&1; docker rm so-auth-ui >/dev/null 2>&1; salt-call state.apply $1 queue=True
-      fi
-      ;;
    *) if docker ps | grep -q so-$1; then printf "\n$1 is already running\n\n"; else docker rm so-$1 >/dev/null 2>&1 ; salt-call state.apply $1 queue=True; fi ;; 
 esac

salt/common/tools/sbin/so-stop

@@ -24,7 +24,6 @@ printf "Stopping $1...\n"
 echo $banner
 
 case $1 in
-    "auth") docker stop so-auth-api; docker rm so-auth-api; docker stop so-auth-ui; docker rm so-auth-ui ;;
     *) docker stop so-$1 ; docker rm so-$1 ;;
 esac
 

salt/common/tools/sbin/so-user

@@ -22,8 +22,13 @@ got_root() {
 got_root
 
 if [[ $# < 1 || $# > 2 ]]; then
-  echo "Usage: $0 <list|add|update|delete|checkpw> [email]"
+  echo "Usage: $0 <list|add|update|delete|validate> [email]"
-  echo "Note that checkpw only checks that the given password meets the minimum requirements, it does not test that it matches for an existing user."
+  echo ""
+  echo "     list: Lists all user email addresses currently defined in the identity system"
+  echo "      add: Adds a new user to the identity system; requires 'email' parameter"
+  echo "   update: Updates a user's password; requires 'email' parameter"
+  echo "   delete: Deletes an existing user; requires 'email' parameter"
+  echo " validate: Validates that the given email address and password are acceptable for defining a new user; requires 'email' parameter"
   exit 1
 fi
 
@@ -50,14 +55,16 @@ function require() {
 }
 
 # Verify this environment is capable of running this script
-require "argon2"
+function verifyEnvironment() {
-require "jq"
+  require "argon2"
-require "curl"
+  require "jq"
-require "openssl"
+  require "curl"
-require "sqlite3"
+  require "openssl"
-[[ ! -f $databasePath ]] && fail "Unable to find database file; specify path via KRATOS_DB_PATH environment variable"
+  require "sqlite3"
-response=$(curl -Ss ${kratosUrl}/)
+  [[ ! -f $databasePath ]] && fail "Unable to find database file; specify path via KRATOS_DB_PATH environment variable"
-[[ "$response" != "404 page not found" ]] && fail "Unable to communicate with Kratos; specify URL via KRATOS_URL environment variable"
+  response=$(curl -Ss ${kratosUrl}/)
+  [[ "$response" != "404 page not found" ]] && fail "Unable to communicate with Kratos; specify URL via KRATOS_URL environment variable"
+}
 
 function findIdByEmail() {
   email=$1
@@ -77,6 +84,15 @@ function validatePassword() {
   fi
 }
 
+function validateEmail() {
+  email=$1
+  # (?:[a-z0-9!#$%&'*+/=?^_`{|}~-]+(?:\.[a-z0-9!#$%&'*+/=?^_`{|}~-]+)*|"(?:[\x01-\x08\x0b\x0c\x0e-\x1f\x21\x23-\x5b\x5d-\x7f]|\\[\x01-\x09\x0b\x0c\x0e-\x7f])*")@(?:(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z0-9](?:[a-z0-9-]*[a-z0-9])?|\[(?:(?:(2(5[0-5]|[0-4][0-9])|1[0-9][0-9]|[1-9]?[0-9]))\.){3}(?:(2(5[0-5]|[0-4][0-9])|1[0-9][0-9]|[1-9]?[0-9])|[a-z0-9-]*[a-z0-9]:(?:[\x01-\x08\x0b\x0c\x0e-\x1f\x21-\x5a\x53-\x7f]|\\[\x01-\x09\x0b\x0c\x0e-\x7f])+)\])
+  if [[ ! "$email" =~ ^[[:alnum:]._%+-]+@[[:alnum:].-]+\.[[:alpha:]]{2,}$ ]]; then
+    echo "Email address is invalid"
+    exit 3
+  fi
+}
+
 function updatePassword() {
   identityId=$1
   
@@ -164,17 +180,21 @@ function deleteUser() {
 
 case "${operation}" in
   "add")
+    verifyEnvironment
     [[ "$email" == "" ]] && fail "Email address must be provided"
 
+    validateEmail "$email"
     createUser "$email"
     echo "Successfully added new user"
     ;;
 
   "list")
+    verifyEnvironment
     listUsers
     ;;
 
   "update")
+    verifyEnvironment
     [[ "$email" == "" ]] && fail "Email address must be provided"
 
     updateUser "$email"
@@ -182,13 +202,15 @@ case "${operation}" in
     ;;
 
   "delete")
+    verifyEnvironment
     [[ "$email" == "" ]] && fail "Email address must be provided"
 
     deleteUser "$email"
     echo "Successfully deleted user"  
     ;;
 
-  "checkpw")
+  "validate")
+    validateEmail "$email"
     updatePassword
     echo "Password is acceptable"
     ;;

salt/fleet/init.sls

@@ -1,6 +1,6 @@
-{%- set MYSQLPASS = salt['pillar.get']('auth:mysql', None) -%}
+{%- set MYSQLPASS = salt['pillar.get']('secrets:mysql', None) -%}
-{%- set FLEETPASS = salt['pillar.get']('auth:fleet', None) -%}
+{%- set FLEETPASS = salt['pillar.get']('secrets:fleet', None) -%}
-{%- set FLEETJWT = salt['pillar.get']('auth:fleet_jwt', None) -%}
+{%- set FLEETJWT = salt['pillar.get']('secrets:fleet_jwt', None) -%}
 {% set VERSION = salt['pillar.get']('static:soversion', 'HH1.1.4') %}
 {% set MASTER = salt['grains.get']('master') %}
 {% set MAINIP = salt['pillar.get']('node:mainip') %}

salt/master/files/registry/scripts/so-docker-download

@@ -17,8 +17,6 @@ TRUSTED_CONTAINERS=( \
 "so-thehive-es:$VERSION" \
 "so-wazuh:$VERSION" \
 "so-kibana:$VERSION" \
-"so-auth-ui:$VERSION" \
-"so-auth-api:$VERSION" \
 "so-elastalert:$VERSION" \
 "so-navigator:$VERSION" \
 "so-filebeat:$VERSION" \

salt/mysql/etc/mypass

@@ -1,2 +1,2 @@
-{%- set MYSQLPASS = salt['pillar.get']('auth:mysql', None) -%}
+{%- set MYSQLPASS = salt['pillar.get']('secrets:mysql', None) -%}
 {{ MYSQLPASS }}

salt/mysql/init.sls

@@ -1,4 +1,4 @@
-{%- set MYSQLPASS = salt['pillar.get']('auth:mysql', None) %}
+{%- set MYSQLPASS = salt['pillar.get']('secrets:mysql', None) %}
 {%- set MASTERIP = salt['pillar.get']('static:masterip', '') %}
 {% set VERSION = salt['pillar.get']('static:soversion', 'HH1.1.4') %}
 {% set MASTER = salt['grains.get']('master') %}

salt/pcap/files/sensoroni.json

@@ -1,7 +1,7 @@
 {%- set MASTER = grains['master'] -%}
 {%- set SENSORONIKEY = salt['pillar.get']('static:sensoronikey', '') -%}
 {
-  "logFilename": "/opt/sensoroni/log/sensoroni.log",
+  "logFilename": "/opt/sensoroni/logs/sensoroni.log",
   "logLevel":"debug",
   "agent": {
     "pollIntervalMs": 10000,

salt/top.sls

@@ -57,7 +57,6 @@ base:
     - soc
     - firewall
     - idstools
-    - auth #Shared secrets
     - healthcheck
     {%- if FLEETMASTER or FLEETNODE %}
     - mysql
@@ -108,7 +107,6 @@ base:
     - master
     - idstools
     - redis
-    - auth #Shared secrets
     {%- if FLEETMASTER or FLEETNODE %}
     - mysql
     {%- endif %}
@@ -197,7 +195,6 @@ base:
     - firewall
     - sensor
     - master
-    - auth #Shared secrets
     {%- if FLEETMASTER or FLEETNODE %}
     - fleet.install_package
     {%- endif %}
@@ -213,7 +210,6 @@ base:
     - master
     - idstools
     - redis
-    - auth #Shared secrects
     {%- if FLEETMASTER or FLEETNODE %}
     - mysql
     {%- endif %}

setup/so-functions

@@ -29,9 +29,9 @@ accept_salt_key_local() {
 accept_salt_key_remote() {
 	echo "Accept the key remotely on the master" >> $SETUPLOG 2>&1
 	# Delete the key just in case.
-	ssh -i /root/.ssh/so.key socore@$MSRV sudo salt-key -d $MINION_ID -y
+	ssh -i /root/.ssh/so.key soremote@$MSRV sudo salt-key -d $MINION_ID -y
 	salt-call state.apply ca
-	ssh -i /root/.ssh/so.key socore@$MSRV sudo salt-key -a $MINION_ID -y
+	ssh -i /root/.ssh/so.key soremote@$MSRV sudo salt-key -a $MINION_ID -y
 
 }
 
@@ -65,8 +65,23 @@ add_socore_user_master() {
 	fi
 	groupadd --gid 939 socore
 	$ADDUSER --uid 939 --gid 939 --home-dir /opt/so socore
-	# Set the password for socore that we got during setup
+
-	echo socore:$COREPASS1 | chpasswd --crypt-method=SHA512
+}
+
+add_soremote_user_master() {
+
+	echo "Add soremote on the master" >>~/sosetup.log 2>&1
+	# Add user "soremote" to the master. This will be for things like accepting keys.
+	if [ $OS == 'centos' ]; then
+		local ADDUSER=adduser
+	else
+		local ADDUSER=useradd
+	fi
+	groupadd --gid 947 soremote
+	$ADDUSER --uid 947 --gid 947 soremote
+	
+	# Set the password for soremote that we got during setup
+	echo soremote:$REMOTEPASS1 | chpasswd --crypt-method=SHA512
 
 }
 
@@ -101,17 +116,17 @@ add_web_user() {
   echo "Add user result: $?"
 }
 
-# Create an auth pillar so that passwords survive re-install
+# Create an secrets pillar so that passwords survive re-install
-auth_pillar(){
+secrets_pillar(){
 
-  if [ ! -f /opt/so/saltstack/pillar/auth.sls ]; then
+  if [ ! -f /opt/so/saltstack/pillar/secrets.sls ]; then
-    echo "Creating Auth Pillar" >> $SETUPLOG 2>&1
+    echo "Creating Secrets Pillar" >> $SETUPLOG 2>&1
     mkdir -p /opt/so/saltstack/pillar
-    echo "auth:" >> /opt/so/saltstack/pillar/auth.sls
+    echo "secrets:" >> /opt/so/saltstack/pillar/secrets.sls
-    echo "  mysql: $MYSQLPASS" >> /opt/so/saltstack/pillar/auth.sls
+    echo "  mysql: $MYSQLPASS" >> /opt/so/saltstack/pillar/secrets.sls
-    echo "  fleet: $FLEETPASS" >> /opt/so/saltstack/pillar/auth.sls
+    echo "  fleet: $FLEETPASS" >> /opt/so/saltstack/pillar/secrets.sls
-    echo "  fleet_jwt: $FLEETJWT" >> /opt/so/saltstack/pillar/auth.sls
+    echo "  fleet_jwt: $FLEETJWT" >> /opt/so/saltstack/pillar/secrets.sls
-    echo "  fleet_enroll-secret: False" >> /opt/so/saltstack/pillar/auth.sls
+    echo "  fleet_enroll-secret: False" >> /opt/so/saltstack/pillar/secrets.sls
   fi
 
 }
@@ -232,9 +247,9 @@ check_network_manager_conf() {
 	fi
 }
 
-check_socore_pass() {
+check_soremote_pass() {
 
-	if [ $COREPASS1 == $COREPASS2 ]; then
+	if [ $SOREMOTEPASS1 == $SOREMOTEPASS2 ]; then
 		SCMATCH=yes
 	else
 		whiptail_passwords_dont_match
@@ -288,10 +303,10 @@ configure_minion() {
     echo "mysql.host: '$MAINIP'" >> /etc/salt/minion
     echo "mysql.port: 3306" >> /etc/salt/minion
     echo "mysql.user: 'root'" >> /etc/salt/minion
-    if [ ! -f /opt/so/saltstack/pillar/auth.sls ]; then
+    if [ ! -f /opt/so/saltstack/pillar/secrets.sls ]; then
       echo "mysql.pass: '$MYSQLPASS'" >> /etc/salt/minion
     else
-      OLDPASS=$(cat /opt/so/saltstack/pillar/auth.sls | grep mysql | awk {'print $2'})
+      OLDPASS=$(cat /opt/so/saltstack/pillar/secrets.sls | grep mysql | awk {'print $2'})
       echo "mysql.pass: '$OLDPASS'" >> /etc/salt/minion
     fi
   elif [ $TYPE == 'helix' ]; then
@@ -337,8 +352,8 @@ copy_minion_tmp_files() {
     fi
   else
     echo "scp pillar and salt files in $TMP to master /opt/so/saltstack"
-    scp -prv -i /root/.ssh/so.key $TMP/pillar/* socore@$MSRV:/opt/so/saltstack/pillar >> $SETUPLOG 2>&1
+    scp -prv -i /root/.ssh/so.key $TMP/pillar/* soremote@$MSRV:/opt/so/saltstack/pillar >> $SETUPLOG 2>&1
-    scp -prv -i /root/.ssh/so.key $TMP/salt/* socore@$MSRV:/opt/so/saltstack/salt >> $SETUPLOG 2>&1
+    scp -prv -i /root/.ssh/so.key $TMP/salt/* soremote@$MSRV:/opt/so/saltstack/salt >> $SETUPLOG 2>&1
   fi
 
   }
@@ -352,7 +367,7 @@ copy_ssh_key() {
 	chown -R $SUDO_USER:$SUDO_USER /root/.ssh
 	echo "Copying the SSH key to the master"
 	#Copy the key over to the master
-	ssh-copy-id -f -i /root/.ssh/so.key socore@$MSRV
+	ssh-copy-id -f -i /root/.ssh/so.key soremote@$MSRV
 
 }
 
@@ -551,8 +566,6 @@ docker_seed_registry() {
   if [ $INSTALLTYPE != 'HELIXSENSOR' ]; then
     TRUSTED_CONTAINERS=( \
     "so-acng:$VERSION" \
-    "so-auth-api:$VERSION" \
-    "so-auth-ui:$VERSION" \
     "so-core:$VERSION" \
     "so-thehive-cortex:$VERSION" \
     "so-curator:$VERSION" \
@@ -1018,6 +1031,7 @@ reserve_group_ids() {
 	groupadd -g 941 stenographer
 	groupadd -g 945 ossec
 	groupadd -g 946 cyberchef
+	groupadd -g 947 soremote
 
 }
 
@@ -1029,6 +1043,7 @@ saltify() {
 
     if [ $INSTALLTYPE == 'MASTER' ] || [ $INSTALLTYPE == 'EVAL' ] || [ $INSTALLTYPE == 'HELIXSENSOR' ] || [ $INSTALLTYPE == 'MASTERSEARCH' ]; then
       reserve_group_ids
+	  yum -y install epel-release
       yum -y install wget https://repo.saltstack.com/py3/redhat/salt-py3-repo-latest-2.el7.noarch.rpm
       cp /etc/yum.repos.d/salt-py3-latest.repo /etc/yum.repos.d/salt-py3-2019-2.repo
       sed -i 's/latest/2019.2/g' /etc/yum.repos.d/salt-py3-2019-2.repo
@@ -1262,7 +1277,7 @@ EOF
       # Copy down the gpg keys and install them from the master
       mkdir $TMP/gpg
       echo "scp the gpg keys and install them from the master"
-      scp -v -i /root/.ssh/so.key socore@$MSRV:/opt/so/gpg/* $TMP/gpg
+      scp -v -i /root/.ssh/so.key soremote@$MSRV:/opt/so/gpg/* $TMP/gpg
       echo "Using apt-key add to add SALTSTACK-GPG-KEY.pub and GPG-KEY-WAZUH"
       apt-key add $TMP/gpg/SALTSTACK-GPG-KEY.pub
       apt-key add $TMP/gpg/GPG-KEY-WAZUH
@@ -1462,27 +1477,27 @@ set_initial_firewall_policy() {
   fi
 
   if [ $INSTALLTYPE == 'SENSOR' ]; then
-    ssh -i /root/.ssh/so.key socore@$MSRV sudo /opt/so/saltstack/pillar/firewall/addfirewall.sh minions $MAINIP
+    ssh -i /root/.ssh/so.key soremote@$MSRV sudo /opt/so/saltstack/pillar/firewall/addfirewall.sh minions $MAINIP
-    ssh -i /root/.ssh/so.key socore@$MSRV sudo /opt/so/saltstack/pillar/firewall/addfirewall.sh forward_nodes $MAINIP
+    ssh -i /root/.ssh/so.key soremote@$MSRV sudo /opt/so/saltstack/pillar/firewall/addfirewall.sh forward_nodes $MAINIP
-    ssh -i /root/.ssh/so.key socore@$MSRV sudo /opt/so/saltstack/pillar/data/addtotab.sh sensorstab $MINION_ID $MAINIP $CPUCORES $RANDOMUID $MAININT $FSROOT $FSNSM bond0
+    ssh -i /root/.ssh/so.key soremote@$MSRV sudo /opt/so/saltstack/pillar/data/addtotab.sh sensorstab $MINION_ID $MAINIP $CPUCORES $RANDOMUID $MAININT $FSROOT $FSNSM bond0
   fi
 
   if [ $INSTALLTYPE == 'SEARCHNODE' ]; then
-    ssh -i /root/.ssh/so.key socore@$MSRV sudo /opt/so/saltstack/pillar/firewall/addfirewall.sh minions $MAINIP
+    ssh -i /root/.ssh/so.key soremote@$MSRV sudo /opt/so/saltstack/pillar/firewall/addfirewall.sh minions $MAINIP
-    ssh -i /root/.ssh/so.key socore@$MSRV sudo /opt/so/saltstack/pillar/firewall/addfirewall.sh search_nodes $MAINIP
+    ssh -i /root/.ssh/so.key soremote@$MSRV sudo /opt/so/saltstack/pillar/firewall/addfirewall.sh search_nodes $MAINIP
-    ssh -i /root/.ssh/so.key socore@$MSRV sudo /opt/so/saltstack/pillar/data/addtotab.sh nodestab $MINION_ID $MAINIP $CPUCORES $RANDOMUID $MAININT $FSROOT $FSNSM
+    ssh -i /root/.ssh/so.key soremote@$MSRV sudo /opt/so/saltstack/pillar/data/addtotab.sh nodestab $MINION_ID $MAINIP $CPUCORES $RANDOMUID $MAININT $FSROOT $FSNSM
   fi
 
   if [ $INSTALLTYPE == 'HEAVYNODE' ]; then
-    ssh -i /root/.ssh/so.key socore@$MSRV sudo /opt/so/saltstack/pillar/firewall/addfirewall.sh minions $MAINIP
+    ssh -i /root/.ssh/so.key soremote@$MSRV sudo /opt/so/saltstack/pillar/firewall/addfirewall.sh minions $MAINIP
-    ssh -i /root/.ssh/so.key socore@$MSRV sudo /opt/so/saltstack/pillar/firewall/addfirewall.sh forward_nodes $MAINIP
+    ssh -i /root/.ssh/so.key soremote@$MSRV sudo /opt/so/saltstack/pillar/firewall/addfirewall.sh forward_nodes $MAINIP
-    ssh -i /root/.ssh/so.key socore@$MSRV sudo /opt/so/saltstack/pillar/firewall/addfirewall.sh search_nodes $MAINIP
+    ssh -i /root/.ssh/so.key soremote@$MSRV sudo /opt/so/saltstack/pillar/firewall/addfirewall.sh search_nodes $MAINIP
-    ssh -i /root/.ssh/so.key socore@$MSRV sudo /opt/so/saltstack/pillar/data/addtotab.sh sensorstab $MINION_ID $MAINIP $CPUCORES $RANDOMUID $MAININT $FSROOT $FSNSM bond0
+    ssh -i /root/.ssh/so.key soremote@$MSRV sudo /opt/so/saltstack/pillar/data/addtotab.sh sensorstab $MINION_ID $MAINIP $CPUCORES $RANDOMUID $MAININT $FSROOT $FSNSM bond0
-    ssh -i /root/.ssh/so.key socore@$MSRV sudo /opt/so/saltstack/pillar/data/addtotab.sh nodestab $MINION_ID $MAINIP $CPUCORES $RANDOMUID $MAININT $FSROOT $FSNSM
+    ssh -i /root/.ssh/so.key soremote@$MSRV sudo /opt/so/saltstack/pillar/data/addtotab.sh nodestab $MINION_ID $MAINIP $CPUCORES $RANDOMUID $MAININT $FSROOT $FSNSM
   fi
 
   if [ $INSTALLTYPE == 'FLEET' ]; then
-    ssh -i /root/.ssh/so.key socore@$MSRV sudo /opt/so/saltstack/pillar/firewall/addfirewall.sh minions $MAINIP
+    ssh -i /root/.ssh/so.key soremote@$MSRV sudo /opt/so/saltstack/pillar/firewall/addfirewall.sh minions $MAINIP
   fi
 
   if [ $INSTALLTYPE == 'PARSINGNODE' ]; then
@@ -1558,13 +1573,13 @@ set_version() {
 
 update_sudoers() {
 
-	if ! grep -qE '^socore\ ALL=\(ALL\)\ NOPASSWD:(\/usr\/bin\/salt\-key|\/opt\/so\/saltstack)' /etc/sudoers; then
+	if ! grep -qE '^soremote\ ALL=\(ALL\)\ NOPASSWD:(\/usr\/bin\/salt\-key|\/opt\/so\/saltstack)' /etc/sudoers; then
-		# Update Sudoers so that socore can accept keys without a password
+		# Update Sudoers so that soremote can accept keys without a password
-		echo "socore ALL=(ALL) NOPASSWD:/usr/bin/salt-key" | tee -a /etc/sudoers
+		echo "soremote ALL=(ALL) NOPASSWD:/usr/bin/salt-key" | tee -a /etc/sudoers
-		echo "socore ALL=(ALL) NOPASSWD:/opt/so/saltstack/pillar/firewall/addfirewall.sh" | tee -a /etc/sudoers
+		echo "soremote ALL=(ALL) NOPASSWD:/opt/so/saltstack/pillar/firewall/addfirewall.sh" | tee -a /etc/sudoers
-		echo "socore ALL=(ALL) NOPASSWD:/opt/so/saltstack/pillar/data/addtotab.sh" | tee -a /etc/sudoers
+		echo "soremote ALL=(ALL) NOPASSWD:/opt/so/saltstack/pillar/data/addtotab.sh" | tee -a /etc/sudoers
 	else
-		echo "User socore already granted sudo privileges"
+		echo "User soremote already granted sudo privileges"
 	fi
 
 }

setup/so-setup

@@ -71,14 +71,6 @@ if (whiptail_you_sure) ; then
     # Set management nic
     whiptail_management_nic
 
-#    whiptail_create_socore_user
-#    SCMATCH=no
-#    while [ $SCMATCH != yes ]; do
-#      whiptail_create_socore_user_password1
-#      whiptail_create_socore_user_password2
-#      check_socore_pass
-#    done
-
   else
 
     # Set the hostname
@@ -169,7 +161,7 @@ if (whiptail_you_sure) ; then
       add_admin_user
       disable_onion_user
     fi
-    #add_socore_user_master
+    
     # Install salt and dependencies
     {
       sleep 0.5
@@ -291,13 +283,13 @@ if (whiptail_you_sure) ; then
       fi
     fi
 
-    # Get a password for the socore user
+    # Get a password for the soremote user
-    whiptail_create_socore_user
+    whiptail_create_soremote_user
     SCMATCH=no
     while [ $SCMATCH != yes ]; do
-      whiptail_create_socore_user_password1
+      whiptail_create_soremote_user_password1
-      whiptail_create_socore_user_password2
+      whiptail_create_soremote_user_password2
-      check_socore_pass
+      check_soremote_pass
     done
 
     # Get a password for the web admin user
@@ -331,10 +323,8 @@ if (whiptail_you_sure) ; then
     fi
 
     # Add the user so we can sit back and relax
-    #echo ""
-    #echo "**** Please set a password for socore. You will use this password when setting up other Nodes/Sensors"
-    #echo ""
     add_socore_user_master
+    add_soremote_user_master
 
     # Install salt and dependencies
     {
@@ -574,13 +564,13 @@ if (whiptail_you_sure) ; then
     if [ $INSTALLTYPE == 'MASTERSEARCH' ]; then
       # Find out how to handle updates
       whiptail_master_updates
-      # Get a password for the socore user
+      # Get a password for the soremote user
-      whiptail_create_socore_user
+      whiptail_create_soremote_user
       SCMATCH=no
       while [ $SCMATCH != yes ]; do
-        whiptail_create_socore_user_password1
+        whiptail_create_soremote_user_password1
-        whiptail_create_socore_user_password2
+        whiptail_create_soremote_user_password2
-        check_socore_pass
+        check_soremote_pass
       done
     fi
     # Get a password for the web admin user
@@ -610,6 +600,7 @@ if (whiptail_you_sure) ; then
 
     # Add the user so we can sit back and relax
     add_socore_user_master
+    add_soremote_user_master
     {
       sleep 0.5
       if [ $INSTALLTYPE == 'EVAL' ]; then

setup/so-whiptail

@@ -132,26 +132,26 @@ whiptail_create_admin_user_password2() {
 
 }
 
-whiptail_create_socore_user() {
+whiptail_create_soremote_user() {
 
-  whiptail --title "Security Onion Setup" --msgbox "Set a password for the socore user. This account is used for adding sensors remotely." 8 75
+  whiptail --title "Security Onion Setup" --msgbox "Set a password for the soremote user. This account is used for adding sensors remotely." 8 75
 
 }
 
-whiptail_create_socore_user_password1() {
+whiptail_create_soremote_user_password1() {
 
-  COREPASS1=$(whiptail --title "Security Onion Install" --passwordbox \
+  REMOTEPASS1=$(whiptail --title "Security Onion Install" --passwordbox \
-  "Enter a password for user socore" 10 75 3>&1 1>&2 2>&3)
+  "Enter a password for user soremote" 10 75 3>&1 1>&2 2>&3)
 
   local exitstatus=$?
   whiptail_check_exitstatus $exitstatus
 
 }
 
-whiptail_create_socore_user_password2() {
+whiptail_create_soremote_user_password2() {
 
-  COREPASS2=$(whiptail --title "Security Onion Install" --passwordbox \
+  REMOTEPASS2=$(whiptail --title "Security Onion Install" --passwordbox \
-  "Re-enter a password for user socore" 10 75 3>&1 1>&2 2>&3)
+  "Re-enter a password for user soremote" 10 75 3>&1 1>&2 2>&3)
 
   local exitstatus=$?
   whiptail_check_exitstatus $exitstatus

upgrade/so-update-functions

@@ -35,8 +35,6 @@ HOSTNAME=$(hostname)
 if [ $MASTERCHECK != 'so-helix' ]; then
     TRUSTED_CONTAINERS=( \
     "so-acng:$BUILD$UPDATEVERSION" \
-    "so-auth-api:$BUILD$UPDATEVERSION" \
-    "so-auth-ui:$BUILD$UPDATEVERSION" \
     "so-core:$BUILD$UPDATEVERSION" \
     "so-thehive-cortex:$BUILD$UPDATEVERSION" \
     "so-curator:$BUILD$UPDATEVERSION" \