From 55ae5fa9f3d2b7997a3361426d8f771249e76358 Mon Sep 17 00:00:00 2001
From: Josh Brower
Date: Thu, 9 Apr 2020 10:04:18 -0400
Subject: [PATCH 1/6] so-status Fleet node

---
 pillar/docker/config.sls | 21 +++++++++++++++------
 1 file changed, 15 insertions(+), 6 deletions(-)

diff --git a/pillar/docker/config.sls b/pillar/docker/config.sls
index 423910b4c..a9eebaf2b 100644
--- a/pillar/docker/config.sls
+++ b/pillar/docker/config.sls
@@ -1,4 +1,5 @@
-{% set OSQUERY = salt['pillar.get']('master:osquery', '0') %}
+{%- set FLEETMASTER = salt['pillar.get']('static:fleet_master', False) -%}
+{%- set FLEETNODE = salt['pillar.get']('static:fleet_node', False) -%}
 {% set WAZUH = salt['pillar.get']('master:wazuh', '0') %}
 {% set THEHIVE = salt['pillar.get']('master:thehive', '0') %}
 {% set PLAYBOOK = salt['pillar.get']('master:playbook', '0') %}
@@ -7,7 +8,6 @@
 {% set BROVER = salt['pillar.get']('static:broversion', 'COMMUNITY') %}
 {% set GRAFANA = salt['pillar.get']('master:grafana', '0') %}
-
 eval:
 containers:
 - so-core
@@ -20,7 +20,7 @@ eval:
 - so-soc
 - so-kratos
 - so-idstools
- {% if OSQUERY != '0' %}
+ {% if FLEETMASTER %}
 - so-mysql
 - so-fleet
 - so-redis
@@ -100,7 +100,7 @@ master_search:
 - so-elastalert
 - so-filebeat
 - so-soctopus
- {% if OSQUERY != '0' %}
+ {% if FLEETMASTER %}
 - so-mysql
 - so-fleet
 - so-redis
@@ -143,7 +143,7 @@ master:
 - so-kibana
 - so-elastalert
 - so-filebeat
- {% if OSQUERY != '0' %}
+ {% if FLEETMASTER %}
 - so-mysql
 - so-fleet
 - so-redis
@@ -199,4 +199,13 @@ warm_node:
 - so-core
 - so-telegraf
 - so-elasticsearch
-
+fleet:
+ containers:
+ {% if FLEETNODE %}
+ - so-mysql
+ - so-fleet
+ - so-redis
+ - so-filebeat
+ - so-core
+ - so-telegraf
+ {% endif %}
\ No newline at end of file

From 5692f2a6726a998fb0c51740e57bf30c3f1cef2e Mon Sep 17 00:00:00 2001
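Review bot: In the `@@ -1,4 +1,5 @@` hunk `FLEETMASTER` and `FLEETNODE` are consumed by bare truthiness (`{% if FLEETMASTER %}` in the `eval`, `master_search` and `master` hunks, `{% if FLEETNODE %}` in the `fleet` hunk) while every other flag in this file is a string compared against `'0'`, so a pillar value written as the string `'0'` or `'False'` is truthy and would switch the Fleet containers on. If `static:fleet_master` and `static:fleet_node` are guaranteed YAML booleans, record that on the new `set` lines, e.g. `{#- static:fleet_master / static:fleet_node must be YAML booleans: any non-empty string is truthy below #}`; otherwise normalise once, `{%- set FLEETMASTER = salt['pillar.get']('static:fleet_master', False) in [True, 1, '1'] -%}`. The three `{% if OSQUERY != '0' %}` uses replaced here are the only `OSQUERY` references visible in the patch; any other use remaining in the file would be left undefined by the removed `set`.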
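Review bot: In the `@@ -199,4 +199,13 @@` hunk the new `fleet:` map renders as `containers:` with no value whenever `FLEETNODE` is false, which YAML loads as null rather than an empty list, so a consumer that iterates `fleet:containers` (not visible here) would receive `None` instead of `[]`. Either place `{% if FLEETNODE %}` above `fleet:` so the whole key is omitted on non-Fleet nodes, or add an `{% else %}` branch that emits `containers: []` so the key always carries a list. The added block also ends without a trailing newline (`\ No newline at end of file`), which the later `{% endif %}` line will inherit.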
From: Mike Reeves
Date: Thu, 9 Apr 2020 11:16:36 -0400
Subject: [PATCH 2/6] Make Kibana run faster on checkins

---
 salt/elasticsearch/init.sls | 4 ++-
 salt/kibana/bin/so-kibana-config-load | 4 +--
 salt/kibana/{ => files}/saved_objects.ndjson | 0
 salt/kibana/init.sls | 26 ++++++++++++++------
 4 files changed, 24 insertions(+), 10 deletions(-)
 rename salt/kibana/{ => files}/saved_objects.ndjson (100%)

diff --git a/salt/elasticsearch/init.sls b/salt/elasticsearch/init.sls
index 575d8162c..f213ff562 100644
--- a/salt/elasticsearch/init.sls
+++ b/salt/elasticsearch/init.sls
@@ -148,5 +148,7 @@ so-elasticsearch-pipelines:
 so-elasticsearch-templates:
 cmd.run:
 - name: /usr/sbin/so-elasticsearch-templates
- - cwd: /
+ - cwd: /opt/so
+ - watch:
+ - /opt/so/saltstack/salt/logstash/pipelines/templates/so/*.json
diff --git a/salt/kibana/bin/so-kibana-config-load b/salt/kibana/bin/so-kibana-config-load
index 9f6913c11..de6961c04 100644
--- a/salt/kibana/bin/so-kibana-config-load
+++ b/salt/kibana/bin/so-kibana-config-load
@@ -32,8 +32,8 @@ sleep 30s
 # Sub our IP for placholders
 for i in FLEETPLACEHOLDER PCAPPLACEHOLDER SOCTOPUSPLACEHOLDER PLACEHOLDER; do
- sed -i "s/$i/{{ MASTER }}/g" /opt/so/saltstack/salt/kibana/saved_objects.ndjson
+ sed "s/$i/{{ MASTER }}/g" /opt/so/conf/kibana/saved_objects.ndjson.template > /opt/so/conf/kibana/saved_objects.ndjson
 done
 # Load saved objects
-curl -X POST "localhost:5601/api/saved_objects/_import" -H "kbn-xsrf: true" --form file=@/opt/so/saltstack/salt/kibana/saved_objects.ndjson
+curl -X POST "localhost:5601/api/saved_objects/_import" -H "kbn-xsrf: true" --form file=@/opt/so/conf/kibana/saved_objects.ndjson > /dev/null 2>&1
diff --git a/salt/kibana/saved_objects.ndjson b/salt/kibana/files/saved_objects.ndjson
similarity index 100%
rename from salt/kibana/saved_objects.ndjson
rename to salt/kibana/files/saved_objects.ndjson
diff --git a/salt/kibana/init.sls b/salt/kibana/init.sls
index 8fc5e0683..0f0fa987e 100644
--- a/salt/kibana/init.sls
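Review bot: In the `so-kibana-config-load` hunk the rewritten loop regenerates `/opt/so/conf/kibana/saved_objects.ndjson` from the unchanged template on every iteration, so only the last substitution (`PLACEHOLDER`) survives; and because `PLACEHOLDER` is a suffix of the other three tokens, the file ends up containing `FLEET<master>`, `PCAP<master>` and `SOCTOPUS<master>` instead of the bare address that the old in-place sequence produced. Copy the template once before the loop, `cp /opt/so/conf/kibana/saved_objects.ndjson.template /opt/so/conf/kibana/saved_objects.ndjson`, and keep the in-place form inside it, `sed -i "s/$i/{{ MASTER }}/g" /opt/so/conf/kibana/saved_objects.ndjson`. The `curl` line now discards stdout and stderr and still has no `--fail`, so an HTTP error from the import (Kibana not yet listening after the 30 s sleep, rejected ndjson) exits 0; since the caller is now an `onchanges`-driven state, that silent failure is recorded as success and is not retried until the template changes again — `curl -sSf` with the response appended to a log file would keep the outcome visible.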
+++ b/salt/kibana/init.sls
@@ -59,7 +59,19 @@ synckibanacustom:
 - user: 932
 - group: 939
-# File.Recurse for custom saved dashboards
+kibanabin:
+ file.managed:
+ - name: /usr/sbin/so-kibana-config-load
+ - source: salt://kibana/bin/so-kibana-config-load
+ - mode: 755
+ - template: jinja
+
+kibanadashtemplate:
+ file.managed:
+ - name: /opt/so/conf/kibana/saved_objects.ndjson.template
+ - source: salt://kibana/files/saved_objects.ndjson
+ - user: 932
+ - group: 939
 # Start the kibana docker
 so-kibana:
@@ -80,12 +92,12 @@ so-kibana:
 - 0.0.0.0:5601:5601
 so-kibana-config-load:
- cmd.script:
- - shell: /bin/bash
- - runas: socore
+ cmd.run:
+ - name: /usr/sbin/so-kibana-config-load
 - cwd: /opt/so
- - source: salt://kibana/bin/so-kibana-config-load
- - template: jinja
+ - onchanges:
+ - file: kibanadashtemplate
+
 # Keep the setting correct
 #KibanaHappy:
@@ -93,4 +105,4 @@ so-kibana-config-load:
 # - shell: /bin/bash
 # - runas: socore
 # - source: salt://kibana/bin/keepkibanahappy.sh
-# - template: jinja
+# - template: jinja
\ No newline at end of file

From 0b07d0f25f856bf4ec2f70c1fdad294e49aeb45c Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Thu, 9 Apr 2020 11:25:46 -0400
Subject: [PATCH 3/6] Fix ES Watch

---
 salt/elasticsearch/init.sls | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/salt/elasticsearch/init.sls b/salt/elasticsearch/init.sls
index f213ff562..fe64ff006 100644
--- a/salt/elasticsearch/init.sls
+++ b/salt/elasticsearch/init.sls
@@ -149,6 +149,5 @@ so-elasticsearch-templates:
 cmd.run:
 - name: /usr/sbin/so-elasticsearch-templates
 - cwd: /opt/so
- - watch:
- - /opt/so/saltstack/salt/logstash/pipelines/templates/so/*.json
-
+ - onchanges:
+ - file: lsetcsync
\ No newline at end of file

From ac52c014d11c196afe8a418c3a01f896e186242c Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Thu, 9 Apr 2020 11:30:24 -0400
Subject: [PATCH 4/6] Remove ES watch

---
 salt/elasticsearch/init.sls | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

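Review bot: In the `@@ -80,12 +92,12 @@` hunk the switch from `cmd.script` to `cmd.run` drops `- runas: socore` without a replacement, so `so-kibana-config-load` now runs as root: it writes `/opt/so/conf/kibana/saved_objects.ndjson` as root beside a template that `kibanadashtemplate` deliberately owns as `932:939`, and the import POST to Kibana runs with privileges it does not need. Keep `- runas: socore` on the new `cmd.run` (the script only needs to read the template and write to `/opt/so/conf/kibana`, which the old `runas` implies socore already can). The `onchanges` requisite lists only `kibanadashtemplate`, yet `kibanabin` is itself a jinja-rendered template (the script carries `{{ MASTER }}`), so a change to the rendered script — a new master address, a fixed `sed` — will not re-run the import; add `- file: kibanabin` under `onchanges`.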
diff --git a/salt/elasticsearch/init.sls b/salt/elasticsearch/init.sls
index fe64ff006..47fd6a0a6 100644
--- a/salt/elasticsearch/init.sls
+++ b/salt/elasticsearch/init.sls
@@ -148,6 +148,4 @@ so-elasticsearch-pipelines:
 so-elasticsearch-templates:
 cmd.run:
 - name: /usr/sbin/so-elasticsearch-templates
- - cwd: /opt/so
- - onchanges:
- - file: lsetcsync
\ No newline at end of file
+ - cwd: /opt/so
\ No newline at end of file

From 8ffeb0a33d595d87188677e42e86ead3e1536d08 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Thu, 9 Apr 2020 11:45:45 -0400
Subject: [PATCH 5/6] Fix Wazuh and Strelka

---
 salt/filebeat/etc/filebeat.yml | 4 ++--
 salt/top.sls | 4 ++--
 setup/so-functions | 4 ++--
 3 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/salt/filebeat/etc/filebeat.yml b/salt/filebeat/etc/filebeat.yml
index 1ec78226d..8e6193b42 100644
--- a/salt/filebeat/etc/filebeat.yml
+++ b/salt/filebeat/etc/filebeat.yml
@@ -7,8 +7,8 @@
 {%- set HOSTNAME = salt['grains.get']('host', '') %}
 {%- set BROVER = salt['pillar.get']('static:broversion', 'COMMUNITY') %}
-{%- set WAZUHENABLED = salt['pillar.get']('master:wazuh_enabled', '0') %}
-{%- set STRELKAENABLED = salt['pillar.get']('master:strelka_enabled', '0') %}
+{%- set WAZUHENABLED = salt['pillar.get']('static:wazuh_enabled', '0') %}
+{%- set STRELKAENABLED = salt['pillar.get']('static:strelka_enabled', '0') %}
 {%- set FLEETMASTER = salt['pillar.get']('static:fleet_master', False) -%}
 {%- set FLEETNODE = salt['pillar.get']('static:fleet_node', False) -%}
diff --git a/salt/top.sls b/salt/top.sls
index 559c33ef9..a03c2e1e2 100644
--- a/salt/top.sls
+++ b/salt/top.sls
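Review bot: In the `filebeat.yml` hunk the lookups move to `static:wazuh_enabled` and `static:strelka_enabled`, but the `master_static()` change in this same patch (`setup/so-functions`, hunk `@@ -913,6 +911,8 @@`) writes the keys `strelka:` and `wazuh:` — no `_enabled` suffix — and `salt/top.sls` in this patch reads `static:wazuh` and `static:strelka`. Unless some other pillar source sets the `_enabled` keys, both lookups here always fall through to the `'0'` default and the Wazuh and Strelka inputs are never enabled on any node. Read the keys the setup script actually writes, `{%- set WAZUHENABLED = salt['pillar.get']('static:wazuh', '0') %}` and `{%- set STRELKAENABLED = salt['pillar.get']('static:strelka', '0') %}`, so that filebeat.yml and top.sls agree on one name per feature.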
@@ -1,12 +1,12 @@
 {%- set BROVER = salt['pillar.get']('static:broversion', 'COMMUNITY') -%}
-{%- set WAZUH = salt['pillar.get']('master:wazuh', '0') -%}
+{%- set WAZUH = salt['pillar.get']('static:wazuh', '0') -%}
 {%- set THEHIVE = salt['pillar.get']('master:thehive', '0') -%}
 {%- set PLAYBOOK = salt['pillar.get']('master:playbook', '0') -%}
 {%- set FREQSERVER = salt['pillar.get']('master:freq', '0') -%}
 {%- set DOMAINSTATS = salt['pillar.get']('master:domainstats', '0') -%}
 {%- set FLEETMASTER = salt['pillar.get']('static:fleet_master', False) -%}
 {%- set FLEETNODE = salt['pillar.get']('static:fleet_node', False) -%}
-{%- set STRELKA = salt['pillar.get']('master:strelka', '0') -%}
+{%- set STRELKA = salt['pillar.get']('static:strelka', '0') -%}
 base:
diff --git a/setup/so-functions b/setup/so-functions
index 021f43ed2..00a9c9ac9 100755
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -865,10 +865,8 @@ master_pillar() {
 #echo " fleetpass: $FLEETPASS" >> $PILLARFILE
 echo " grafana: $GRAFANA" >> $PILLARFILE
 echo " osquery: $OSQUERY" >> $PILLARFILE
- echo " wazuh: $WAZUH" >> $PILLARFILE
 echo " thehive: $THEHIVE" >> $PILLARFILE
 echo " playbook: $PLAYBOOK" >> $PILLARFILE
- echo " strelka: $STRELKA" >> $PILLARFILE
 echo "" >> $PILLARFILE
 echo "kratos:" >> $PILLARFILE
 if [[ $REDIRECTINFO == 'OTHER' ]]; then
@@ -913,6 +911,8 @@ master_static() {
 echo " fleet_hostname: N/A" >> /opt/so/saltstack/pillar/static.sls
 echo " fleet_ip: N/A" >> /opt/so/saltstack/pillar/static.sls
 echo " sensoronikey: $SENSORONIKEY" >> /opt/so/saltstack/pillar/static.sls
+ echo " strelka: $STRELKA" >> /opt/so/saltstack/pillar/static.sls
+ echo " wazuh: $WAZUH" >> /opt/so/saltstack/pillar/static.sls
 if [[ $MASTERUPDATES == 'MASTER' ]]; then
 echo " masterupdate: 1" >> /opt/so/saltstack/pillar/static.sls
 else

From 5a985736e5ef08ecd0bd16a461a8e719527b58e0 Mon Sep 17 00:00:00 2001
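Review bot: In the `master_pillar()` hunk (`@@ -865,10 +865,8 @@`) dropping `wazuh:` and `strelka:` from the master pillar strands `pillar/docker/config.sls`, whose context line `{% set WAZUH = salt['pillar.get']('master:wazuh', '0') %}` is visible in patch 1 of this series and is not touched by this patch, so `WAZUH` there will always resolve to `'0'` on a fresh install and the Wazuh container is never added to a container list. Either keep writing `echo " wazuh: $WAZUH" >> $PILLARFILE` until every consumer has moved, or change config.sls to `salt['pillar.get']('static:wazuh', '0')` in the same series. A short comment where the keys are now written, `# wazuh/strelka live in static.sls; consumers must read static:wazuh / static:strelka`, would make the migration discoverable. `master_pillar()` starts above the hunk.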
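Review bot: In the `master_static()` hunk (`@@ -913,6 +911,8 @@`) `$STRELKA` and `$WAZUH` are emitted unquoted into YAML, so if the setup prompts store them as `0`/`1` the pillar loads integers, and the string comparisons used by consumers — `{%- if STRELKAENABLED == '1' %}` in `salt/filebeat/etc/filebeat.yml` (patch 6) — never match, while a `!= '0'` test is always true for integer `0`. I cannot see how these two variables are assigned from this hunk; if they are numeric, quote them when writing, `echo " strelka: '$STRELKA'" >> /opt/so/saltstack/pillar/static.sls` and `echo " wazuh: '$WAZUH'" >> /opt/so/saltstack/pillar/static.sls`, or apply `|string` on the consumer side before comparing. `master_static()` continues below the hunk.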
From: Mike Reeves
Date: Thu, 9 Apr 2020 11:49:38 -0400
Subject: [PATCH 6/6] Disable Strelka for all things

---
 salt/filebeat/etc/filebeat.yml | 39 +++++++++++++++++-----------------
 1 file changed, 20 insertions(+), 19 deletions(-)

diff --git a/salt/filebeat/etc/filebeat.yml b/salt/filebeat/etc/filebeat.yml
index 8e6193b42..7fa8dab3e 100644
--- a/salt/filebeat/etc/filebeat.yml
+++ b/salt/filebeat/etc/filebeat.yml
@@ -110,6 +110,26 @@ filebeat.inputs:
 fields_under_root: true
 clean_removed: false
 close_removed: false
+
+ {%- if STRELKAENABLED == '1' %}
+
+ - type: log
+ paths:
+ - /nsm/strelka/log/strelka.log
+ fields:
+ module: strelka
+ category: file
+ dataset: file
+
+ processors:
+ - drop_fields:
+ fields: ["source", "prospector", "input", "offset", "beat"]
+
+ fields_under_root: true
+ clean_removed: false
+ close_removed: false
+
+ {%- endif %}
 {%- endif %}
 {%- if WAZUHENABLED == '1' %}
@@ -160,25 +180,6 @@ filebeat.inputs:
 {%- endif %}
-{%- if STRELKAENABLED == '1' %}
-
- - type: log
- paths:
- - /nsm/strelka/log/strelka.log
- fields:
- module: strelka
- category: file
- dataset: file
-
- processors:
- - drop_fields:
- fields: ["source", "prospector", "input", "offset", "beat"]
-
- fields_under_root: true
- clean_removed: false
- close_removed: false
-
-{%- endif %}
 #----------------------------- Elasticsearch/Logstash output ---------------------------------
 {%- if grains['role'] == "so-eval" %}
 output.elasticsearch:
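Review bot: In the `@@ -110,6 +110,26 @@` hunk the relocated Strelka input now sits inside an outer `{%- if ... %}` block whose opening line is above the hunk, so shipping `/nsm/strelka/log/strelka.log` depends on that condition and on `STRELKAENABLED == '1'` together, and nothing in the moved block says what the outer condition is. A one-line note on the new `{%- if STRELKAENABLED == '1' %}` line, e.g. `{#- Strelka input only applies inside the enclosing <OUTER-CONDITION> block above #}` with the placeholder filled in, would spare the next reader from scrolling up to find out. Since the block moved from top level to a nested position, the list indentation of the moved `- type: log` entry should be checked against the sibling input directly above it, which the collapsed diff does not let me verify.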