From 4adaddf13f2e5b42dc16362d4bc24726277ad5bf Mon Sep 17 00:00:00 2001 From: weslambert Date: Tue, 1 Aug 2023 10:14:59 -0400 Subject: [PATCH 01/24] Move syslog to the INPUT chain where needed --- salt/firewall/defaults.yaml | 79 +++++++++++++++++++++---------------- 1 file changed, 45 insertions(+), 34 deletions(-) diff --git a/salt/firewall/defaults.yaml b/salt/firewall/defaults.yaml index 20b966e48..3095c052e 100644 --- a/salt/firewall/defaults.yaml +++ b/salt/firewall/defaults.yaml @@ -198,9 +198,6 @@ firewall: portgroups: - redis - elasticsearch_node - self: - portgroups: - - syslog beats_endpoint: portgroups: - beats_5044 @@ -218,9 +215,6 @@ firewall: strelka_frontend: portgroups: - strelka_frontend - syslog: - portgroups: - - syslog analyst: portgroups: - nginx @@ -255,6 +249,12 @@ firewall: localhost: portgroups: - all + self: + portgroups: + - syslog + syslog: + portgroups: + - syslog customhostgroup0: portgroups: [] customhostgroup1: @@ -425,12 +425,6 @@ firewall: - elastic_agent_control - elastic_agent_data - elastic_agent_update - self: - portgroups: - - syslog - syslog: - portgroups: - - syslog beats_endpoint: portgroups: - beats_5044 @@ -497,6 +491,12 @@ firewall: receiver: portgroups: - salt_manager + self: + portgroups: + - syslog + syslog: + portgroups: + - syslog customhostgroup0: portgroups: [] customhostgroup1: @@ -588,9 +588,6 @@ firewall: - elastic_agent_control - elastic_agent_data - elastic_agent_update - self: - portgroups: - - syslog beats_endpoint: portgroups: - beats_5044 @@ -608,9 +605,6 @@ firewall: endgame: portgroups: - endgame - syslog: - portgroups: - - syslog analyst: portgroups: - nginx @@ -660,6 +654,12 @@ firewall: receiver: portgroups: - salt_manager + self: + portgroups: + - syslog + syslog: + portgroups: + - syslog customhostgroup0: portgroups: [] customhostgroup1: 
@@ -760,9 +760,6 @@ firewall: - elastic_agent_control - elastic_agent_data - elastic_agent_update - self: - portgroups: - - syslog beats_endpoint: portgroups: - beats_5044 @@ -783,9 +780,6 @@ firewall: strelka_frontend: portgroups: - strelka_frontend - syslog: - portgroups: - - syslog analyst: portgroups: - nginx @@ -838,6 +832,12 @@ firewall: receiver: portgroups: - salt_manager + self: + portgroups: + - syslog + syslog: + portgroups: + - syslog customhostgroup0: portgroups: [] customhostgroup1: @@ -884,9 +884,6 @@ firewall: searchnode: portgroups: - elasticsearch_node - self: - portgroups: - - syslog customhostgroup0: portgroups: [] customhostgroup1: @@ -918,6 +915,12 @@ firewall: localhost: portgroups: - all + self: + portgroups: + - syslog + syslog: + portgroups: + - syslog customhostgroup0: portgroups: [] customhostgroup1: @@ -942,9 +945,6 @@ firewall: chain: DOCKER-USER: hostgroups: - self: - portgroups: - - syslog strelka_frontend: portgroups: - strelka_frontend @@ -979,6 +979,12 @@ firewall: localhost: portgroups: - all + self: + portgroups: + - syslog + syslog: + portgroups: + - syslog customhostgroup0: portgroups: [] customhostgroup1: @@ -1030,6 +1036,9 @@ firewall: strelka_frontend: portgroups: - strelka_frontend + syslog: + portgroups: + - syslog customhostgroup0: portgroups: [] customhostgroup1: @@ -1189,11 +1198,7 @@ firewall: self: portgroups: - redis - - syslog - beats_5644 - syslog: - portgroups: - - syslog beats_endpoint: portgroups: - beats_5044 @@ -1234,6 +1239,12 @@ firewall: localhost: portgroups: - all + self: + portgroups: + - syslog + syslog: + portgroups: + - syslog customhostgroup0: portgroups: [] customhostgroup1: From 3fa0a98830682de91c80c0eaa862bfd0fa5516a1 Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Tue, 1 Aug 2023 12:45:09 -0400 Subject: [PATCH 02/24] Update verbiage and links in soc_sensor.yaml --- salt/sensor/soc_sensor.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
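Review bot: The hunk at `@@ -1030,6 +1036,9 @@` adds a `syslog` hostgroup without the `self` hostgroup that every other INPUT-side insertion in this patch (`@@ -918`, `@@ -979`, `@@ -1234`, and the ones on the previous line) adds alongside it, so either that role intentionally never accepts its own syslog traffic or the `self` stanza was dropped. If it is intentional, the subject's "where needed" is the only record of that decision; a one-line comment above the stanza, e.g. `# syslog accepted in INPUT only from remote syslog hostgroup; no self entry by design`, would stop the next editor from "fixing" it. The chain and role each stanza belongs to sit outside these hunks, so the INPUT/DOCKER-USER attribution here is inferred from hunk order and the visible `chain: DOCKER-USER:` context at `@@ -942`.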
diff --git a/salt/sensor/soc_sensor.yaml b/salt/sensor/soc_sensor.yaml index 0774e9bcf..9ab0c236e 100644 --- a/salt/sensor/soc_sensor.yaml +++ b/salt/sensor/soc_sensor.yaml @@ -1,9 +1,9 @@ sensor: interface: description: Main sensor monitoring interface. - helpLink: sensor.html + helpLink: network.html readonly: True mtu: - description: Main IP address of the grid host. - helpLink: host.html + description: Maximum Transmission Unit (MTU) of the sensor monitoring interface. + helpLink: network.html readonly: True From 2d13bf1a61441f43ee14cfc33e495a32249e3d7c Mon Sep 17 00:00:00 2001 From: weslambert Date: Tue, 1 Aug 2023 14:40:12 -0400 Subject: [PATCH 03/24] Present logs to the host --- salt/elasticagent/enabled.sls | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/salt/elasticagent/enabled.sls b/salt/elasticagent/enabled.sls index b133d94ab..bff4cee6b 100644 --- a/salt/elasticagent/enabled.sls +++ b/salt/elasticagent/enabled.sls @@ -33,6 +33,7 @@ so-elastic-agent: {% endif %} - binds: - /opt/so/conf/elastic-agent/elastic-agent.yml:/usr/share/elastic-agent/elastic-agent.yml:ro + - /opt/so/log/elastic-agent:/usr/share/elastic-agent/logs - /etc/pki/tls/certs/intca.crt:/etc/pki/tls/certs/intca.crt:ro - /nsm:/nsm:ro - /opt/so/log:/opt/so/log:ro @@ -40,7 +41,8 @@ so-elastic-agent: {% for BIND in DOCKER.containers['so-elastic-agent'].custom_bind_mounts %} - {{ BIND }} {% endfor %} - {% endif %} + {% endif %} + - LOGS_PATH=logs - environment: - FLEET_CA=/etc/pki/tls/certs/intca.crt {% if DOCKER.containers['so-elastic-agent'].extra_env %} From 1cbf60825d0f47bc0a7831840fdb7ef6f8bb4d9d Mon Sep 17 00:00:00 2001 From: weslambert Date: Tue, 1 Aug 2023 14:40:52 -0400 Subject: [PATCH 04/24] Add log dir --- salt/elasticagent/config.sls | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/salt/elasticagent/config.sls b/salt/elasticagent/config.sls index 8b24f3b22..b0b4321fa 100644 --- a/salt/elasticagent/config.sls +++ b/salt/elasticagent/config.sls 
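Review bot: In the second hunk of `salt/elasticagent/enabled.sls`, `- LOGS_PATH=logs` is appended after the `{% endif %}` that closes the custom bind-mount loop, which leaves it as the last item of the `binds` list rather than an entry of the `environment` list that starts on the next line, so the container would receive it as a bind-mount spec instead of an environment variable. Move the line below `- FLEET_CA=/etc/pki/tls/certs/intca.crt` under `- environment:` (a later patch in this series does exactly that). The first hunk's new bind `/opt/so/log/elastic-agent:/usr/share/elastic-agent/logs` is read-write, unlike the sibling `/opt/so/log:/opt/so/log:ro`; that is required for the agent to write its own logs, but a trailing comment such as `# rw: agent writes its own logs here` would make the asymmetry deliberate to readers. The `so-elastic-agent` state begins outside both hunks.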
@@ -28,6 +28,13 @@ elasticagentconfdir: - group: 939 - makedirs: True +elasticagentlogdir: + file.directory: + - name: /opt/so/log/elastic-agent + - user: 949 + - group: 939 + - makedirs: True + elasticagent_sbin_jinja: file.recurse: - name: /usr/sbin From 4e2eb86b36e4fc2c999bbb0957618f5b78ebda56 Mon Sep 17 00:00:00 2001 From: Wes Date: Tue, 1 Aug 2023 20:11:51 +0000 Subject: [PATCH 05/24] Move LOGS_PATH to environment vars --- salt/elasticagent/enabled.sls | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/elasticagent/enabled.sls b/salt/elasticagent/enabled.sls index bff4cee6b..67d7b975d 100644 --- a/salt/elasticagent/enabled.sls +++ b/salt/elasticagent/enabled.sls @@ -42,9 +42,9 @@ so-elastic-agent: - {{ BIND }} {% endfor %} {% endif %} - - LOGS_PATH=logs - environment: - FLEET_CA=/etc/pki/tls/certs/intca.crt + - LOGS_PATH=logs {% if DOCKER.containers['so-elastic-agent'].extra_env %} {% for XTRAENV in DOCKER.containers['so-elastic-agent'].extra_env %} - {{ XTRAENV }} From 44b086a02864415010764d5afe5bae25a4e87461 Mon Sep 17 00:00:00 2001 From: Wes Date: Tue, 1 Aug 2023 20:13:50 +0000 Subject: [PATCH 06/24] Change path --- salt/elasticagent/config.sls | 2 +- salt/elasticagent/enabled.sls | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/salt/elasticagent/config.sls b/salt/elasticagent/config.sls index b0b4321fa..b54186fab 100644 --- a/salt/elasticagent/config.sls +++ b/salt/elasticagent/config.sls @@ -30,7 +30,7 @@ elasticagentconfdir: elasticagentlogdir: file.directory: - - name: /opt/so/log/elastic-agent + - name: /opt/so/log/elasticagent - user: 949 - group: 939 - makedirs: True diff --git a/salt/elasticagent/enabled.sls b/salt/elasticagent/enabled.sls index 67d7b975d..963b8549b 100644 --- a/salt/elasticagent/enabled.sls +++ b/salt/elasticagent/enabled.sls 
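Review bot: The new `elasticagentlogdir` state sets `user`/`group` but no `mode`, so the permissions of `/opt/so/log/elastic-agent` fall to whatever umask salt-minion runs with, and agent logs can end up world-readable on the host. Adding an explicit `- mode: 750` (placeholder value, pick what the log-shipping readers need) next to `- group: 939` makes the intent visible; the visible sibling `elasticagentconfdir` context also omits it, so the file's convention may simply be to rely on defaults. The uid/gid `949`/`939` are magic numbers; a comment such as `# 949/939: elastic-agent container uid/gid` on the `user` line would help, if that is what they are (not shown on the page).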
@@ -33,7 +33,7 @@ so-elastic-agent: {% endif %} - binds: - /opt/so/conf/elastic-agent/elastic-agent.yml:/usr/share/elastic-agent/elastic-agent.yml:ro - - /opt/so/log/elastic-agent:/usr/share/elastic-agent/logs + - /opt/so/log/elasticagent:/usr/share/elastic-agent/logs - /etc/pki/tls/certs/intca.crt:/etc/pki/tls/certs/intca.crt:ro - /nsm:/nsm:ro - /opt/so/log:/opt/so/log:ro From 0e047cffad7d39ed0d3cde192e110c60ffde7242 Mon Sep 17 00:00:00 2001 From: Wes Date: Tue, 1 Aug 2023 20:14:53 +0000 Subject: [PATCH 07/24] Add to logrotate --- salt/logrotate/defaults.yaml | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/salt/logrotate/defaults.yaml b/salt/logrotate/defaults.yaml index 311a344b3..4d6a688e4 100644 --- a/salt/logrotate/defaults.yaml +++ b/salt/logrotate/defaults.yaml @@ -90,6 +90,26 @@ logrotate: - extension .log - dateext - dateyesterday + /opt/so/log/elasticagent/*_x_log: + - daily + - rotate 14 + - missingok + - copytruncate + - compress + - create + - extension .log + - dateext + - dateyesterday + /opt/so/log/elasticagent/*_x_ndjson: + - daily + - rotate 14 + - missingok + - copytruncate + - compress + - create + - extension .ndjson + - dateext + - dateyesterday /opt/so/log/elasticfleet/*_x_log: - daily - rotate 14 From 7037fc52f805623825f3bee9794bd2dab820ed3a Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Tue, 1 Aug 2023 16:21:06 -0400 Subject: [PATCH 08/24] sync all modules before running states --- setup/so-setup | 1 + 1 file changed, 1 insertion(+) diff --git a/setup/so-setup b/setup/so-setup index ce0aa83f7..20a1168c9 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -661,6 +661,7 @@ if ! [[ -f $install_opt_file ]]; then logCmd "salt-call state.show_top" sleep 2 # Debug RSA Key format errors logCmd "salt-key -ya $MINION_ID" + logCmd "salt-call saltutil.sync_all" logCmd "salt-call state.apply common.packages" logCmd "salt-call state.apply common" From 8b3a38f5733aa1ca8920d8c5be33fa3b86c1d91c Mon Sep 17 00:00:00 2001 
From: Jason Ertel Date: Tue, 1 Aug 2023 16:30:24 -0400 Subject: [PATCH 09/24] resolve login page flicker --- salt/nginx/etc/nginx.conf | 4 +++- setup/so-verify | 1 + 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/salt/nginx/etc/nginx.conf b/salt/nginx/etc/nginx.conf index 52e3d6d3d..05da0b5d8 100644 --- a/salt/nginx/etc/nginx.conf +++ b/salt/nginx/etc/nginx.conf @@ -296,7 +296,9 @@ http { error_page 429 = @error429; location @error401 { - add_header Set-Cookie "AUTH_REDIRECT=$request_uri;Path=/;Max-Age=14400"; + if ($request_uri ~* ^/(?!(^/api/.*))) { + add_header Set-Cookie "AUTH_REDIRECT=$request_uri;Path=/;Max-Age=14400"; + } return 302 /auth/self-service/login/browser; } diff --git a/setup/so-verify b/setup/so-verify index 918610732..07d24d114 100755 --- a/setup/so-verify +++ b/setup/so-verify @@ -51,6 +51,7 @@ log_has_errors() { grep -vE "/nsm/rules/sigma*" | \ grep -vE "/nsm/rules/yara*" | \ grep -vE "Failed to restart snapd" | \ + grep -vE "Login Failed Details" | \ grep -vE "Running scope as unit" &> "$error_log" if [[ $? -eq 0 ]]; then From 23414599eed535d95ec2a4ba8946b461a7c3644a Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Tue, 1 Aug 2023 16:53:26 -0400 Subject: [PATCH 10/24] use simple json (w/o template) to resolve sluggishness --- salt/common/tools/sbin/so-status | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/common/tools/sbin/so-status b/salt/common/tools/sbin/so-status index 4a12d71b4..f4abd8aa3 100755 --- a/salt/common/tools/sbin/so-status +++ b/salt/common/tools/sbin/so-status @@ -103,7 +103,7 @@ def output(options, console, code, data): def check_container_status(options, console): code = 0 cli = "docker" - proc = subprocess.run([cli, 'ps', '--format', '{{json .}}'], stdout=subprocess.PIPE, encoding="utf-8") + proc = subprocess.run([cli, 'ps', '--format', 'json'], stdout=subprocess.PIPE, encoding="utf-8") if proc.returncode != 0: fail("Container system error; unable to obtain container process statuses") 
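Review bot: The new condition `if ($request_uri ~* ^/(?!(^/api/.*)))` does not exclude `/api/` requests: the lookahead runs at offset 1 (after the consumed leading `/`), where the inner `^` can never match, so the negative lookahead always succeeds and the cookie is set for every URI, including the API calls the flicker fix is meant to skip. The condition should be written as `if ($request_uri !~* ^/api/) {` (or `^/(?!api/)` if you prefer the lookahead form). Worth a one-line comment above the `if`, e.g. `# don't redirect API callers back into the login page`, since the reason is only in the commit subject. The `@error401` location and the outer `http` block are not fully visible here.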
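Review bot: `docker ps --format json` is a newer CLI shorthand than the `{{json .}}` Go template it replaces; on Docker CLIs that predate the shorthand the literal word `json` is treated as a template and printed once per container, which the JSON parsing further down `check_container_status` (outside this hunk) would then fail on. If the platform pins a Docker version that supports it this is fine, but that dependency is worth recording on the line, e.g. `# --format json needs a Docker CLI that accepts the 'json' shorthand; older CLIs print the literal string`. The `subprocess.run` call still checks only `returncode`, so a template-literal output would not be caught there.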
From 0d5ed2e8359e30642bb6081e070f83e3f526d68a Mon Sep 17 00:00:00 2001 From: Wes Date: Wed, 2 Aug 2023 13:21:03 +0000 Subject: [PATCH 11/24] Set version for Elastic Defend and enable updates --- .../endpoints-initial/elastic-defend-endpoints.json | 4 ++-- .../tools/sbin/so-elastic-fleet-integration-policy-load | 6 ++---- 2 files changed, 4 insertions(+), 6 deletions(-) diff --git a/salt/elasticfleet/files/integrations/endpoints-initial/elastic-defend-endpoints.json b/salt/elasticfleet/files/integrations/endpoints-initial/elastic-defend-endpoints.json index 7d7f5bb35..6ffb6418e 100644 --- a/salt/elasticfleet/files/integrations/endpoints-initial/elastic-defend-endpoints.json +++ b/salt/elasticfleet/files/integrations/endpoints-initial/elastic-defend-endpoints.json @@ -5,7 +5,7 @@ "package": { "name": "endpoint", "title": "Elastic Defend", - "version": "" + "version": "8.8.0" }, "enabled": true, "policy_id": "endpoints-initial", @@ -25,4 +25,4 @@ } } }] -} \ No newline at end of file +} diff --git a/salt/elasticfleet/tools/sbin/so-elastic-fleet-integration-policy-load b/salt/elasticfleet/tools/sbin/so-elastic-fleet-integration-policy-load index 49bfb69ac..501aafbda 100755 --- a/salt/elasticfleet/tools/sbin/so-elastic-fleet-integration-policy-load +++ b/salt/elasticfleet/tools/sbin/so-elastic-fleet-integration-policy-load 
@@ -15,10 +15,8 @@ if [ ! -f /opt/so/state/eaintegrations.txt ]; then printf "\n\nInitial Endpoints Policy - Loading $INTEGRATION\n" elastic_fleet_integration_check "endpoints-initial" "$INTEGRATION" if [ -n "$INTEGRATION_ID" ]; then - if [ "$NAME" != "elastic-defend-endpoints" ]; then - printf "\n\nIntegration $NAME exists - Updating integration\n" - elastic_fleet_integration_update "$INTEGRATION_ID" "@$INTEGRATION" - fi + printf "\n\nIntegration $NAME exists - Updating integration\n" + elastic_fleet_integration_update "$INTEGRATION_ID" "@$INTEGRATION" else printf "\n\nIntegration does not exist - Creating integration\n" elastic_fleet_integration_create "@$INTEGRATION" From e6940190274bf438e6b1bf33b04cb933bb4675d8 Mon Sep 17 00:00:00 2001 From: Wes Date: Wed, 2 Aug 2023 13:50:14 +0000 Subject: [PATCH 12/24] Add package list --- .../tools/sbin/so-elastic-fleet-package-list | 15 +++++++++++++++ 1 file changed, 15 insertions(+) create mode 100755 salt/elasticfleet/tools/sbin/so-elastic-fleet-package-list diff --git a/salt/elasticfleet/tools/sbin/so-elastic-fleet-package-list b/salt/elasticfleet/tools/sbin/so-elastic-fleet-package-list new file mode 100755 index 000000000..7e68c6e83 --- /dev/null +++ b/salt/elasticfleet/tools/sbin/so-elastic-fleet-package-list 
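Review bot: Dropping the `elastic-defend-endpoints` exclusion means the Elastic Defend policy is now re-applied on every run with whatever `"version"` the JSON file carries, which the companion hunk pins to the literal `"8.8.0"`; once the Fleet stack moves past that release this path would keep pushing the old package version rather than following the installed one. If a stack-version variable is available to this script, templating the JSON from it would remove the coupling; otherwise a comment at the top of the JSON or next to this `if`, e.g. `# elastic-defend-endpoints.json pins the Defend package version; bump it with each Elastic upgrade`, records the maintenance step. `printf "\n\nIntegration $NAME exists - Updating integration\n"` also interpolates `$NAME` into the format string; `printf '\n\nIntegration %s exists - Updating integration\n' "$NAME"` avoids surprises if a filename ever contains `%`. The enclosing `if`/loop starts outside the hunk.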
@@ -0,0 +1,15 @@ +#!/bin/bash +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + +. /usr/sbin/so-elastic-fleet-common + +# Let's snag a cookie from Kibana +SESSIONCOOKIE=$(curl -s -K /opt/so/conf/elasticsearch/curl.config -c - -X GET http://localhost:5601/ | grep sid | awk '{print $7}') + +# List configured package policies +curl -s -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X GET "localhost:5601/api/fleet/epm/packages" -H 'kbn-xsrf: true' | jq + +echo From 407cb2a537f0c19e170e0905d495760fa5fe9ae6 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 2 Aug 2023 10:56:41 -0400 Subject: [PATCH 13/24] force portgroups added to hostgroups in roles to be list of strings --- salt/firewall/soc_firewall.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/salt/firewall/soc_firewall.yaml b/salt/firewall/soc_firewall.yaml index d1db56a0b..0011a245e 100644 --- a/salt/firewall/soc_firewall.yaml +++ b/salt/firewall/soc_firewall.yaml @@ -191,6 +191,7 @@ firewall: description: Portgroups to add access to the docker containers for this role. advanced: True multiline: True + forcedType: "[]string" helpLink: firewall.html sensor: portgroups: *portgroupsdocker @@ -241,6 +242,7 @@ firewall: description: Portgroups to add access to the host. advanced: True multiline: True + forcedType: "[]string" helpLink: firewall.html dockernet: portgroups: *portgroupshost From 5630b353c4106928f9a7e9debc2d636fd7471243 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 2 Aug 2023 11:20:51 -0400 Subject: [PATCH 14/24] change how pgrep finds salt-master PID --- salt/common/packages.sls | 2 ++ salt/manager/tools/sbin/soup | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) 
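Review bot: `SESSIONCOOKIE` is never checked, so if the Kibana login fails (wrong credentials in `curl.config`, service down) the script proceeds with `-b "sid="` and `jq` pretty-prints the resulting authorization error as if it were the package list, with a zero exit status. A guard after the assignment, `[ -n "$SESSIONCOOKIE" ] || { echo "Unable to obtain Kibana session cookie" >&2; exit 1; }`, and `set -o pipefail` near the top would make failures visible to callers. The cookie extraction `grep sid | awk '{print $7}'` relies on the Netscape cookie-jar column layout and the cookie being named `sid`; a comment such as `# -c - writes the cookie jar to stdout; column 7 is the value of the 'sid' cookie` explains the magic column. The trailing bare `echo` appears to be cosmetic only.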
diff --git a/salt/common/packages.sls b/salt/common/packages.sls index 0fc067245..9cbfd08bb 100644 --- a/salt/common/packages.sls +++ b/salt/common/packages.sls @@ -17,6 +17,7 @@ commonpkgs: - netcat-openbsd - sqlite3 - libssl-dev + - procps - python3-dateutil - python3-docker - python3-packaging @@ -70,6 +71,7 @@ commonpkgs: - net-tools - nmap-ncat - openssl + - procps - python3-dnf-plugin-versionlock - python3-docker - python3-m2crypto diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup index 31f1d0fea..582e4502b 100755 --- a/salt/manager/tools/sbin/soup +++ b/salt/manager/tools/sbin/soup @@ -436,7 +436,7 @@ stop_salt_master() { echo "" echo "Storing salt-master pid." - MASTERPID=$(pgrep salt-master | head -1) + MASTERPID=$(pgrep -f '/opt/saltstack/salt/bin/python3.10 /usr/bin/salt-master MainProcess') echo "Found salt-master PID $MASTERPID" systemctl_func "stop" "salt-master" timeout 30 tail --pid=$MASTERPID -f /dev/null || echo "salt-master still running at $(date +"%T.%6N") after waiting 30s. We cannot kill due to systemd restart option." From 98731210003a80cac470db809f665081b963b00f Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 2 Aug 2023 12:54:31 -0400 Subject: [PATCH 15/24] change pgrep for salt-minion PID --- salt/manager/tools/sbin/soup | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup index 582e4502b..71f3f7a2a 100755 --- a/salt/manager/tools/sbin/soup +++ b/salt/manager/tools/sbin/soup @@ -455,7 +455,7 @@ stop_salt_minion() { set -e echo "Storing salt-minion pid." - MINIONPID=$(pgrep salt-minion | head -1) + MINIONPID=$(pgrep -f '/opt/saltstack/salt/bin/python3.10 /usr/bin/salt-minion' | head -1) echo "Found salt-minion PID $MINIONPID" systemctl_func "stop" "salt-minion" From f6c620455556a1edad4b0dbb398a976f591fa424 Mon Sep 17 00:00:00 2001 
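Review bot: The new `pgrep -f '/opt/saltstack/salt/bin/python3.10 /usr/bin/salt-master MainProcess'` hardcodes the interpreter path of the Salt onedir bundle, so the lookup silently returns nothing the moment the bundle ships a different Python minor version, and `tail --pid=` then waits on an empty PID; the same coupling is in the `salt-minion` pattern of the next `soup` hunk. Matching on the stable part of the command line, `MASTERPID=$(pgrep -f 'salt-master MainProcess' | head -1)`, keeps the intent (pick the main process, not its workers) without the version dependency; note the master line also lacks the `| head -1` that the minion line keeps, so a multi-match would hand `tail` a multi-line value. A short comment, `# match the MainProcess, not forked worker processes`, would explain why the plain `pgrep salt-master` was insufficient. `stop_salt_master` starts outside the hunk.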
From: m0duspwnens Date: Wed, 2 Aug 2023 13:05:24 -0400 Subject: [PATCH 16/24] procps to procps-ng --- salt/common/packages.sls | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/common/packages.sls b/salt/common/packages.sls index 9cbfd08bb..5f4a348e7 100644 --- a/salt/common/packages.sls +++ b/salt/common/packages.sls @@ -71,7 +71,7 @@ commonpkgs: - net-tools - nmap-ncat - openssl - - procps + - procps-ng - python3-dnf-plugin-versionlock - python3-docker - python3-m2crypto From ac28f90af3bd66a6f443711fa3be61c8ef4d9f92 Mon Sep 17 00:00:00 2001 From: weslambert Date: Wed, 2 Aug 2023 13:15:11 -0400 Subject: [PATCH 17/24] Remove override --- salt/elasticsearch/files/ingest/filterlog | 1 - 1 file changed, 1 deletion(-) diff --git a/salt/elasticsearch/files/ingest/filterlog b/salt/elasticsearch/files/ingest/filterlog index fb197c706..850c15d99 100644 --- a/salt/elasticsearch/files/ingest/filterlog +++ b/salt/elasticsearch/files/ingest/filterlog @@ -49,7 +49,6 @@ "on_failure" : [ {"set" : {"field" : "error.message","value" : "{{ _ingest.on_failure_message }}"}}] } }, - { "set": { "field": "_index", "value": "so-firewall", "override": true } }, { "set": { "if": "ctx.network?.transport_id == '0'", "field": "network.transport", "value": "icmp", "override": true } }, { "community_id": {} }, { "set": { "field": "module", "value": "pfsense", "override": true } }, From f1023510524d5c46a5ebca8acf6cf2293faa6026 Mon Sep 17 00:00:00 2001 From: weslambert Date: Wed, 2 Aug 2023 13:25:44 -0400 Subject: [PATCH 18/24] Add event --- salt/elasticsearch/files/ingest/filterlog | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/salt/elasticsearch/files/ingest/filterlog b/salt/elasticsearch/files/ingest/filterlog index 850c15d99..52d83dd0a 100644 --- a/salt/elasticsearch/files/ingest/filterlog +++ b/salt/elasticsearch/files/ingest/filterlog 
@@ -51,8 +51,8 @@ }, { "set": { "if": "ctx.network?.transport_id == '0'", "field": "network.transport", "value": "icmp", "override": true } }, { "community_id": {} }, - { "set": { "field": "module", "value": "pfsense", "override": true } }, - { "set": { "field": "dataset", "value": "firewall", "override": true } }, + { "set": { "field": "event.module", "value": "pfsense", "override": true } }, + { "set": { "field": "event.dataset", "value": "firewall", "override": true } }, { "set": { "field": "category", "value": "network", "override": true } }, { "remove": { "field": ["real_message", "ip_sub_msg", "firewall.sub_message"], "ignore_failure": true } } ] From c17b324108a1ba353b92f6a5cd89d17c2ca18654 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 2 Aug 2023 14:04:19 -0400 Subject: [PATCH 19/24] dont count adv_ sls files for number of minions in deployment --- salt/manager/tools/sbin/soup | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup index 71f3f7a2a..0a1c9237d 100755 --- a/salt/manager/tools/sbin/soup +++ b/salt/manager/tools/sbin/soup @@ -859,7 +859,7 @@ main() { set +e echo "Checking the number of minions." - NUM_MINIONS=$(ls /opt/so/saltstack/local/pillar/minions/*_*.sls | wc -l) + NUM_MINIONS=$(ls /opt/so/saltstack/local/pillar/minions/*_*.sls | grep -v adv_ | wc -l) if [[ $UPGRADESALT -eq 1 ]] && [[ $NUM_MINIONS -gt 1 ]]; then if [[ $is_airgap -eq 0 ]]; then echo "" From 64776936cc4e50d21e623f874e0ba599adc12b78 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 2 Aug 2023 14:09:43 -0400 Subject: [PATCH 20/24] no longer need so-user migrate in 2.4 --- salt/manager/tools/sbin/soup | 3 --- 1 file changed, 3 deletions(-) diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup index 0a1c9237d..1b0fb1478 100755 --- a/salt/manager/tools/sbin/soup +++ b/salt/manager/tools/sbin/soup 
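Review bot: The hunk moves `module` and `dataset` under `event.*` but leaves the adjacent `{ "set": { "field": "category", "value": "network", "override": true } }` at the top level, so the pipeline now emits a mix of ECS-style and flat field names for what look like sibling metadata fields. If `category` is meant to follow the same convention it should become `event.category` (note that in ECS that field is keyword-array valued, so check how other pipelines on the system set it before changing it); if it is deliberately flat because something downstream reads `category`, that is worth saying in the commit or an adjacent processor description. The previous commit in this series also removed the `_index` override, so routing now depends on whatever the caller or ingest settings supply, which is not visible here.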
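Review bot: `grep -v adv_` filters on the whole path that `ls` prints, so any minion file whose name merely contains `adv_` elsewhere (not just the `adv_` prefix the subject describes) is also dropped from the count; anchoring on the directory separator, `NUM_MINIONS=$(ls /opt/so/saltstack/local/pillar/minions/*_*.sls | grep -v '/adv_' | wc -l)`, matches the stated intent. Parsing `ls` output is fragile but this line already did that before the change, and with `set +e` in effect (visible context) a no-match glob just yields 0. A comment such as `# adv_*.sls are per-minion advanced-config pillars, not additional minions` would record why they are excluded. `main()` begins outside the hunk.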
@@ -875,9 +875,6 @@ main() { echo "Checking sudoers file." check_sudoers - echo "Checking for necessary user migrations." - so-user migrate - systemctl_func "start" "$cron_service_name" if [[ -n $lsl_msg ]]; then From aab55c8cf6d76b3a81e68db7e6f85d864c957ce8 Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Wed, 2 Aug 2023 15:09:26 -0400 Subject: [PATCH 21/24] Regen Agent Installers --- salt/manager/tools/sbin/soup | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup index 1b0fb1478..85f5b45f4 100755 --- a/salt/manager/tools/sbin/soup +++ b/salt/manager/tools/sbin/soup @@ -419,7 +419,8 @@ post_to_2.4.4() { } post_to_2.4.5() { - echo "Nothing to apply" + echo "Regenerating Elastic Agent Installers" + /sbin/so-elastic-agent-gen-installers POSTVERSION=2.4.5 } From 8036df4b203d2998f26201a69acdb9c786ba165f Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Wed, 2 Aug 2023 15:10:31 -0400 Subject: [PATCH 22/24] ensure suri rules are synced for import installs --- setup/so-setup | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/setup/so-setup b/setup/so-setup index 20a1168c9..ccc9f6f2f 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -695,9 +695,11 @@ if ! [[ -f $install_opt_file ]]; then logCmd "so-rule-update" title "Downloading YARA rules" logCmd "su socore -c '/usr/sbin/so-yara-download'" - if [[ $monints ]]; then + if [[ $monints || $is_import ]]; then title "Restarting Suricata to pick up the new rules" logCmd "so-suricata-restart" + fi + if [[ $monints ]]; then title "Restarting Strelka to use new rules" logCmd "so-strelka-restart" fi From eb512d9aa27c1f8f7db7ede491bdc743d899bf88 Mon Sep 17 00:00:00 2001 From: Josh Patterson Date: Wed, 2 Aug 2023 16:21:23 -0400 Subject: [PATCH 23/24] add mono-devel --- salt/desktop/packages.sls | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/desktop/packages.sls b/salt/desktop/packages.sls index 401be0cd6..30d2f96e5 100644 
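Review bot: `post_to_2.4.5` now runs `/sbin/so-elastic-agent-gen-installers` but ignores its exit status, and `POSTVERSION=2.4.5` is recorded regardless, so a failed regeneration is marked as applied and will not be retried on the next `soup` run; whether `set -e` is active at this point is not visible in the hunk (`main` toggles it). Wrapping the call, `/sbin/so-elastic-agent-gen-installers || echo "Elastic Agent installer regeneration failed; rerun so-elastic-agent-gen-installers manually"`, at least surfaces the failure in the upgrade log. A one-line comment stating why 2.4.5 needs this (which change in the agent build requires new installers) would help whoever reads this post-hook later.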
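Review bot: The new condition `if [[ $monints || $is_import ]]; then` treats `$is_import` as "non-empty", so if that variable is ever assigned a literal `0`, `no` or `false` elsewhere in `so-setup` (its assignment is not in this hunk) Suricata would be restarted on every install, not just import ones. If it is a flag that is either unset or set, a comment on the line, `# is_import is set (non-empty) only for Import installs`, documents that contract; if it carries a value, compare it explicitly instead. The `if` block this sits in starts outside the hunk.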
--- a/salt/desktop/packages.sls +++ b/salt/desktop/packages.sls @@ -295,6 +295,7 @@ desktop_packages: - mesa-vulkan-drivers - microcode_ctl - mobile-broadband-provider-info + - mono-devel - mpfr - mpg123-libs - mtdev From 435da77388d2d268166811194652342c915dff24 Mon Sep 17 00:00:00 2001 From: Josh Patterson Date: Wed, 2 Aug 2023 16:53:45 -0400 Subject: [PATCH 24/24] add gtk2 --- salt/desktop/packages.sls | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/desktop/packages.sls b/salt/desktop/packages.sls index 30d2f96e5..3b0d4c8ba 100644 --- a/salt/desktop/packages.sls +++ b/salt/desktop/packages.sls @@ -181,6 +181,7 @@ desktop_packages: - gstreamer1-plugins-good-gtk - gstreamer1-plugins-ugly-free - gtk-update-icon-cache + - gtk2 - gtk3 - gtk4 - gtkmm30
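Review bot: `gtk2` adds a library that upstream no longer maintains, so any advisories against it will depend entirely on the distribution's backports; since `gtk3` and `gtk4` are already in the list, a comment naming the desktop tool that still needs GTK 2 (e.g. `# gtk2: required by <tool>` with the real dependency filled in) would let someone drop it once that tool no longer needs it. The same applies to `mono-devel` in the previous commit, which pulls in a full toolchain on an analyst desktop; if a single application needs it, say which. The `desktop_packages` list starts outside both hunks.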