Merge branch 'dev' of https://github.com/Security-Onion-Solutions/securityonion-saltstack into dev

pillar/docker/config.sls

@@ -1,4 +1,5 @@
-{% set OSQUERY = salt['pillar.get']('master:osquery', '0') %}
+{%- set FLEETMASTER = salt['pillar.get']('static:fleet_master', False) -%}
+{%- set FLEETNODE = salt['pillar.get']('static:fleet_node', False) -%}
 {% set WAZUH = salt['pillar.get']('master:wazuh', '0') %}
 {% set THEHIVE = salt['pillar.get']('master:thehive', '0') %}
 {% set PLAYBOOK = salt['pillar.get']('master:playbook', '0') %}
@@ -7,7 +8,6 @@
 {% set BROVER = salt['pillar.get']('static:broversion', 'COMMUNITY') %}
 {% set GRAFANA = salt['pillar.get']('master:grafana', '0') %}
 
-
 eval:
   containers:
     - so-core
@@ -20,7 +20,7 @@ eval:
     - so-soc
     - so-kratos
     - so-idstools
-    {% if OSQUERY != '0' %}
+    {% if FLEETMASTER %}
     - so-mysql
     - so-fleet
     - so-redis
@@ -100,7 +100,7 @@ master_search:
     - so-elastalert
     - so-filebeat
     - so-soctopus
-    {% if OSQUERY != '0' %}
+    {% if FLEETMASTER %}
     - so-mysql
     - so-fleet
     - so-redis
@@ -143,7 +143,7 @@ master:
     - so-kibana
     - so-elastalert
     - so-filebeat
-    {% if OSQUERY != '0' %}
+    {% if FLEETMASTER %}
     - so-mysql
     - so-fleet
     - so-redis
@@ -199,4 +199,13 @@ warm_node:
     - so-core
     - so-telegraf
     - so-elasticsearch
-    
+fleet:
+  containers:
+    {% if FLEETNODE %}
+    - so-mysql
+    - so-fleet
+    - so-redis
+    - so-filebeat
+    - so-core
+    - so-telegraf
+    {% endif %}

salt/elasticsearch/init.sls

@@ -148,5 +148,4 @@ so-elasticsearch-pipelines:
 so-elasticsearch-templates:
   cmd.run:
     - name: /usr/sbin/so-elasticsearch-templates
-    - cwd: /
+    - cwd: /opt/so
-

salt/filebeat/etc/filebeat.yml

@@ -7,8 +7,8 @@
 
 {%- set HOSTNAME = salt['grains.get']('host', '') %}
 {%- set BROVER = salt['pillar.get']('static:broversion', 'COMMUNITY') %}
-{%- set WAZUHENABLED = salt['pillar.get']('master:wazuh_enabled', '0') %}
+{%- set WAZUHENABLED = salt['pillar.get']('static:wazuh_enabled', '0') %}
-{%- set STRELKAENABLED = salt['pillar.get']('master:strelka_enabled', '0') %}
+{%- set STRELKAENABLED = salt['pillar.get']('static:strelka_enabled', '0') %}
 {%- set FLEETMASTER = salt['pillar.get']('static:fleet_master', False) -%}
 {%- set FLEETNODE = salt['pillar.get']('static:fleet_node', False) -%}
 
@@ -110,6 +110,26 @@ filebeat.inputs:
     fields_under_root: true
     clean_removed: false
     close_removed: false
+
+  {%- if STRELKAENABLED == '1' %}
+
+  - type: log
+    paths:
+      - /nsm/strelka/log/strelka.log
+    fields:
+      module: strelka
+      category: file
+      dataset: file
+
+    processors:
+    - drop_fields:
+        fields: ["source", "prospector", "input", "offset", "beat"]    
+
+    fields_under_root: true
+    clean_removed: false
+    close_removed: false
+
+  {%- endif %}
 {%- endif %}
 
 {%- if WAZUHENABLED == '1' %}
@@ -160,25 +180,6 @@ filebeat.inputs:
 
 {%- endif %}
 
-{%- if STRELKAENABLED == '1' %}
-
-  - type: log
-    paths:
-      - /nsm/strelka/log/strelka.log
-    fields:
-      module: strelka
-      category: file
-      dataset: file
-
-    processors:
-    - drop_fields:
-        fields: ["source", "prospector", "input", "offset", "beat"]    
-
-    fields_under_root: true
-    clean_removed: false
-    close_removed: false
-
-{%- endif %}
 #----------------------------- Elasticsearch/Logstash output ---------------------------------
 {%- if grains['role'] == "so-eval" %}
 output.elasticsearch:

salt/kibana/bin/so-kibana-config-load

@@ -32,8 +32,8 @@ sleep 30s
 
 # Sub our IP for placholders
 for i in FLEETPLACEHOLDER PCAPPLACEHOLDER SOCTOPUSPLACEHOLDER PLACEHOLDER; do
-        sed -i "s/$i/{{ MASTER }}/g" /opt/so/saltstack/salt/kibana/saved_objects.ndjson
+        sed "s/$i/{{ MASTER }}/g" /opt/so/conf/kibana/saved_objects.ndjson.template > /opt/so/conf/kibana/saved_objects.ndjson
 done
 
 # Load saved objects
-curl -X POST "localhost:5601/api/saved_objects/_import" -H "kbn-xsrf: true" --form file=@/opt/so/saltstack/salt/kibana/saved_objects.ndjson
+curl -X POST "localhost:5601/api/saved_objects/_import" -H "kbn-xsrf: true" --form file=@/opt/so/conf/kibana/saved_objects.ndjson > /dev/null 2>&1

salt/kibana/init.sls

@@ -59,7 +59,19 @@ synckibanacustom:
     - user: 932
     - group: 939
 
-# File.Recurse for custom saved dashboards
+kibanabin:
+  file.managed:
+    - name: /usr/sbin/so-kibana-config-load
+    - source: salt://kibana/bin/so-kibana-config-load
+    - mode: 755
+    - template: jinja
+
+kibanadashtemplate:
+  file.managed:
+    - name: /opt/so/conf/kibana/saved_objects.ndjson.template
+    - source: salt://kibana/files/saved_objects.ndjson
+    - user: 932
+    - group: 939
 
 # Start the kibana docker
 so-kibana:
@@ -80,12 +92,12 @@ so-kibana:
       - 0.0.0.0:5601:5601
 
 so-kibana-config-load:
-  cmd.script:
+  cmd.run:
-    - shell: /bin/bash
+    - name: /usr/sbin/so-kibana-config-load
-    - runas: socore
     - cwd: /opt/so
-    - source: salt://kibana/bin/so-kibana-config-load
+    - onchanges:
-    - template: jinja
+      - file: kibanadashtemplate
+
 
 # Keep the setting correct
 #KibanaHappy:
@@ -93,4 +105,4 @@ so-kibana-config-load:
 #    - shell: /bin/bash
 #    - runas: socore
 #    - source: salt://kibana/bin/keepkibanahappy.sh
-#    - template: jinja
+#    - template: jinja

salt/top.sls

@@ -1,12 +1,12 @@
 {%- set BROVER = salt['pillar.get']('static:broversion', 'COMMUNITY') -%}
-{%- set WAZUH = salt['pillar.get']('master:wazuh', '0') -%}
+{%- set WAZUH = salt['pillar.get']('static:wazuh', '0') -%}
 {%- set THEHIVE = salt['pillar.get']('master:thehive', '0') -%}
 {%- set PLAYBOOK = salt['pillar.get']('master:playbook', '0') -%}
 {%- set FREQSERVER = salt['pillar.get']('master:freq', '0') -%}
 {%- set DOMAINSTATS = salt['pillar.get']('master:domainstats', '0') -%}
 {%- set FLEETMASTER = salt['pillar.get']('static:fleet_master', False) -%}
 {%- set FLEETNODE = salt['pillar.get']('static:fleet_node', False) -%}
-{%- set STRELKA = salt['pillar.get']('master:strelka', '0') -%}
+{%- set STRELKA = salt['pillar.get']('static:strelka', '0') -%}
 
 
 base:

setup/so-functions

@@ -865,10 +865,8 @@ master_pillar() {
   #echo "  fleetpass: $FLEETPASS" >> $PILLARFILE
   echo "  grafana: $GRAFANA" >> $PILLARFILE
   echo "  osquery: $OSQUERY" >> $PILLARFILE
-  echo "  wazuh: $WAZUH" >> $PILLARFILE
   echo "  thehive: $THEHIVE" >> $PILLARFILE
   echo "  playbook: $PLAYBOOK" >> $PILLARFILE
-  echo "  strelka: $STRELKA" >> $PILLARFILE
   echo "" >> $PILLARFILE
   echo "kratos:" >> $PILLARFILE
   if [[ $REDIRECTINFO == 'OTHER' ]]; then
@@ -913,6 +911,8 @@ master_static() {
   echo "  fleet_hostname: N/A" >> /opt/so/saltstack/pillar/static.sls
   echo "  fleet_ip: N/A" >> /opt/so/saltstack/pillar/static.sls
   echo "  sensoronikey: $SENSORONIKEY" >> /opt/so/saltstack/pillar/static.sls
+  echo "  strelka: $STRELKA" >> /opt/so/saltstack/pillar/static.sls
+  echo "  wazuh: $WAZUH" >> /opt/so/saltstack/pillar/static.sls
   if [[ $MASTERUPDATES == 'MASTER' ]]; then
     echo "  masterupdate: 1" >> /opt/so/saltstack/pillar/static.sls
   else