Merge remote-tracking branch 'upstream/master' into fleet-fixes

2025-12-06 17:22:49 +01:00 · 2019-11-26 07:01:08 -05:00
parent 118f4e34f2 c547e6be47
commit 3ac4aa255e
38 changed files with 3100 additions and 200 deletions
--- a/salt/_modules/needs_restarting.py
+++ b/salt/_modules/needs_restarting.py
@@ -0,0 +1,24 @@
 from os import path
 import subprocess
 def check():
  os = __grains__['os']
  retval = 'False'
  if os == 'Ubuntu':
    if path.exists('/var/run/reboot-required'):
      retval = 'True'
  elif os == 'CentOS':
    cmd = 'needs-restarting -r > /dev/null 2>&1'
    try:
      needs_restarting = subprocess.check_call(cmd, shell=True)
    except subprocess.CalledProcessError:
      retval = 'True'
  else:
    retval = 'Unsupported OS: %s' % os
  return retval
--- a/salt/ca/init.sls
+++ b/salt/ca/init.sls
@@ -39,10 +39,10 @@ pki_private_key:
    - require:
      - file: /etc/pki
-mine.send:
+send_x509_pem_entries_to_mine:
  module.run:
    - mine.send:
      - func: x509.get_pem_entries
-    - kwargs:
+      - glob_path: /etc/pki/ca.crt
        glob_path: /etc/pki/ca.crt
    - onchanges:
      - x509: /etc/pki/ca.crt
--- a/salt/common/init.sls
+++ b/salt/common/init.sls
@@ -141,6 +141,8 @@ so-core:
    - watch:
      - file: /opt/so/conf/nginx/nginx.conf
 # If master or eval, install Grafana/Telegraf/Influx
 {% if grains['role'] == 'so-master' or grains['role'] == 'so-eval' and GRAFANA == 1 %}
 # Add Telegraf to monitor all the things.
 tgraflogdir:
  file.directory:
@@ -213,9 +215,6 @@ so-telegraf:
      - /opt/so/conf/telegraf/etc/telegraf.conf
      - /opt/so/conf/telegraf/scripts
 # If its a master or eval lets install the back end for now
 {% if grains['role'] == 'so-master' or grains['role'] == 'so-eval' and GRAFANA == 1 %}
 # Influx DB
 influxconfdir:
  file.directory:
@@ -316,7 +315,7 @@ grafanaconf:
    - source: salt://common/grafana/etc
 {% if salt['pillar.get']('mastertab', False) %}
-{%- for SN, SNDATA in salt['pillar.get']('mastertab', {}).iteritems() %}
+{%- for SN, SNDATA in salt['pillar.get']('mastertab', {}).items() %}
 dashboard-master:
  file.managed:
    - name: /opt/so/conf/grafana/grafana_dashboards/master/{{ SN }}-Master.json
@@ -337,7 +336,7 @@ dashboard-master:
 {% endif %}
 {% if salt['pillar.get']('sensorstab', False) %}
-{%- for SN, SNDATA in salt['pillar.get']('sensorstab', {}).iteritems() %}
+{%- for SN, SNDATA in salt['pillar.get']('sensorstab', {}).items() %}
 dashboard-{{ SN }}:
  file.managed:
    - name: /opt/so/conf/grafana/grafana_dashboards/forward_nodes/{{ SN }}-Sensor.json
@@ -358,7 +357,7 @@ dashboard-{{ SN }}:
 {% endif %}
 {% if salt['pillar.get']('nodestab', False) %}
-{%- for SN, SNDATA in salt['pillar.get']('nodestab', {}).iteritems() %}
+{%- for SN, SNDATA in salt['pillar.get']('nodestab', {}).items() %}
 dashboard-{{ SN }}:
  file.managed:
    - name: /opt/so/conf/grafana/grafana_dashboards/storage_nodes/{{ SN }}-Node.json
@@ -379,7 +378,7 @@ dashboard-{{ SN }}:
 {% endif %}
 {% if salt['pillar.get']('evaltab', False) %}
-{%- for SN, SNDATA in salt['pillar.get']('evaltab', {}).iteritems() %}
+{%- for SN, SNDATA in salt['pillar.get']('evaltab', {}).items() %}
 dashboard-{{ SN }}:
  file.managed:
    - name: /opt/so/conf/grafana/grafana_dashboards/eval/{{ SN }}-Node.json
--- a/salt/common/nginx/nginx.conf.so-eval
+++ b/salt/common/nginx/nginx.conf.so-eval
@@ -186,6 +186,18 @@ http {
        }
        location /cyberchef/ {
          proxy_pass http://{{ masterip }}:9080/;
          proxy_read_timeout    90;
          proxy_connect_timeout 90;
          proxy_http_version 1.1; # this is essential for chunked responses to work
          proxy_set_header      Host $host;
          proxy_set_header      X-Real-IP $remote_addr;
          proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
          proxy_set_header      Proxy "";
        }
        location /soctopus/ {
          proxy_pass http://{{ masterip }}:7000/;
          proxy_read_timeout    90;
--- a/salt/common/nginx/nginx.conf.so-master
+++ b/salt/common/nginx/nginx.conf.so-master
@@ -188,6 +188,18 @@ http {
        }
        location /cyberchef/ {
          proxy_pass http://{{ masterip }}:9080/;
          proxy_read_timeout    90;
          proxy_connect_timeout 90;
          proxy_http_version 1.1; # this is essential for chunked responses to work
          proxy_set_header      Host $host;
          proxy_set_header      X-Real-IP $remote_addr;
          proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
          proxy_set_header      Proxy "";
        }
        location /soctopus/ {
          proxy_pass http://{{ masterip }}:7000/;
          proxy_read_timeout    90;
--- a/salt/cyberchef/init.sls
+++ b/salt/cyberchef/init.sls
@@ -0,0 +1,53 @@
 # Copyright 2014,2015,2016,2017,2018 Security Onion Solutions, LLC
 #    This program is free software: you can redistribute it and/or modify
 #    it under the terms of the GNU General Public License as published by
 #    the Free Software Foundation, either version 3 of the License, or
 #    (at your option) any later version.
 #
 #    This program is distributed in the hope that it will be useful,
 #    but WITHOUT ANY WARRANTY; without even the implied warranty of
 #    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 #    GNU General Public License for more details.
 #
 #    You should have received a copy of the GNU General Public License
 #    along with this program.  If not, see <http://www.gnu.org/licenses/>.
 # Create the cyberchef group
 cyberchefgroup:
  group.present:
    - name: cyberchef
    - gid: 946
 # Add the cyberchef user
 cyberchef:
  user.present:
    - uid: 946
    - gid: 946
    - home: /opt/so/conf/cyberchef
 cyberchefconfdir:
  file.directory:
    - name: /opt/so/conf/cyberchef
    - user: 946
    - group: 939
    - makedirs: True
 cybercheflog:
  file.directory:
    - name: /opt/so/log/cyberchef
    - user: 946
    - group: 946
    - makedirs: True
 so-cyberchefimage:
 cmd.run:
   - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-cyberchef:HH1.1.3
 so-cyberchef:
  docker_container.running:
    - require:
      - so-cyberchefimage
    - image: docker.io/soshybridhunter/so-cyberchef:HH1.1.3
    - port_bindings:
      - 0.0.0.0:9080:8080
--- a/salt/elastalert/files/elastalert_config.yaml
+++ b/salt/elastalert/files/elastalert_config.yaml
@@ -8,6 +8,11 @@ rules_folder: /etc/elastalert/rules/
 # the rules directory - true or false
 scan_subdirectories: true
 # Do not disable a rule when an uncaught exception is thrown -
 # This setting should be tweaked once the following issue has been fixed
 # https://github.com/Security-Onion-Solutions/securityonion-saltstack/issues/98
 disable_rules_on_error: false
 # How often ElastAlert will query Elasticsearch
 # The unit can be anything from weeks to seconds
 run_every:
--- a/salt/elastalert/files/rules/so/nids2hive.yaml
+++ b/salt/elastalert/files/rules/so/nids2hive.yaml
@@ -15,7 +15,7 @@ timeframe:
 buffer_time:
    minutes: 10
 allow_buffer_time_overlap: true
-query_key: alert
+query_key: ["alert", "ips"]
 realert:
    days: 1
@@ -36,11 +36,11 @@ hive_proxies:
 hive_alert_config:
  title: '{match[alert]}'
-  type: 'external'
+  type: 'NIDS'
  source: 'SecurityOnion'
  description: "`NIDS Dashboard:` \n\n <https://{{es}}/kibana/app/kibana#/dashboard/ed6f7e20-e060-11e9-8f0c-2ddbf5ed9290?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:'sid:{match[sid]}')),sort:!('@timestamp',desc))> \n\n `IPs: `{match[source_ip]}:{match[source_port]} --> {match[destination_ip]}:{match[destination_port]} \n\n `Signature:` {match[rule_signature]}"
  severity: 2
-  tags: ['elastalert', 'SecurityOnion', 'NIDS','{match[sid]}']
+  tags: ['{match[sid]}','{match[source_ip]}','{match[destination_ip]}']
  tlp: 3
  status: 'New'
  follow: True
--- a/salt/firewall/init.sls
+++ b/salt/firewall/init.sls
@@ -276,6 +276,18 @@ enable_master_cortex_9001_{{ip}}:
    - position: 1
    - save: True 
 enable_master_cyberchef_9080_{{ip}}:
  iptables.insert:
    - table: filter
    - chain: DOCKER-USER
    - jump: ACCEPT
    - proto: tcp
    - source: {{ ip }}
    - dport: 9080
    - position: 1
    - save: True
 {% endfor %}
 # Make it so all the minions can talk to salt and update etc.
--- a/salt/fleet/init.sls
+++ b/salt/fleet/init.sls
@@ -61,13 +61,13 @@ fleetdbpriv:
 so-fleetimage:
 cmd.run:
-   - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-fleet:HH1.1.0
+   - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-fleet:HH1.1.3
 so-fleet:
  docker_container.running:
    - require:
      - so-fleetimage
-    - image: docker.io/soshybridhunter/so-fleet:HH1.1.0
+    - image: docker.io/soshybridhunter/so-fleet:HH1.1.3
    - hostname: so-fleet
    - port_bindings:
      - 0.0.0.0:8080:8080
@@ -83,6 +83,7 @@ so-fleet:
      - KOLIDE_AUTH_JWT_KEY=thisisatest
      - KOLIDE_OSQUERY_STATUS_LOG_FILE=/var/log/osquery/status.log
      - KOLIDE_OSQUERY_RESULT_LOG_FILE=/var/log/osquery/result.log
      - KOLIDE_SERVER_URL_PREFIX=/fleet
    - binds:
      - /etc/pki/fleet.key:/ssl/server.key:ro
      - /etc/pki/fleet.crt:/ssl/server.cert:ro
--- a/salt/hive/thehive/etc/application.conf
+++ b/salt/hive/thehive/etc/application.conf
@@ -1,5 +1,5 @@
 {%- set MASTERIP = salt['pillar.get']('static:masterip', '') %}
-{%- set CORTEXKEY = salt['pillar.get']('static:cortexkey', '') %}
+{%- set CORTEXKEY = salt['pillar.get']('static:cortexorguserkey', '') %}
 # Secret Key
 # The secret key is used to secure cryptographic functions.
--- a/salt/hive/thehive/scripts/cortex_init.sh
+++ b/salt/hive/thehive/scripts/cortex_init.sh
@@ -3,6 +3,9 @@
 {%- set CORTEXUSER = salt['pillar.get']('static:cortexuser', '') %}
 {%- set CORTEXPASSWORD = salt['pillar.get']('static:cortexpassword', '') %}
 {%- set CORTEXKEY = salt['pillar.get']('static:cortexkey', '') %}
 {%- set CORTEXORGNAME = salt['pillar.get']('static:cortexorgname', '') %}
 {%- set CORTEXORGUSER = salt['pillar.get']('static:cortexorguser', '') %}
 {%- set CORTEXORGUSERKEY = salt['pillar.get']('static:cortexorguserkey', '') %}
 cortex_init(){
    sleep 60
@@ -10,16 +13,33 @@ cortex_init(){
    CORTEX_USER="{{CORTEXUSER}}"
    CORTEX_PASSWORD="{{CORTEXPASSWORD}}"
    CORTEX_KEY="{{CORTEXKEY}}"    
    CORTEX_ORG_NAME="{{CORTEXORGNAME}}"
    CORTEX_ORG_DESC="{{CORTEXORGNAME}} organization created by Security Onion setup"
    CORTEX_ORG_USER="{{CORTEXORGUSER}}"
    CORTEX_ORG_USER_KEY="{{CORTEXORGUSERKEY}}"
    SOCTOPUS_CONFIG="/opt/so/saltstack/salt/soctopus/files/SOCtopus.conf"
    # Migrate DB
    curl -v -k -XPOST "https://$CORTEX_IP:/cortex/api/maintenance/migrate"
-    # Create intial Cortex user
+    # Create intial Cortex superadmin
-    curl -v -k "https://$CORTEX_IP/cortex/api/user" -H "Content-Type: application/json" -d "{\"login\" : \"$CORTEX_USER\",\"name\" : \"$CORTEX_USER\",\"roles\" : [\"read\",\"analyze\",\"orgadmin\"],\"preferences\" : \"{}\",\"password\" : \"$CORTEX_PASSWORD\", \"key\": \"$CORTEX_KEY\"}"
+    curl -v -k "https://$CORTEX_IP/cortex/api/user" -H "Content-Type: application/json" -d "{\"login\" : \"$CORTEX_USER\",\"name\" : \"$CORTEX_USER\",\"roles\" : [\"superadmin\"],\"preferences\" : \"{}\",\"password\" : \"$CORTEX_PASSWORD\", \"key\": \"$CORTEX_KEY\"}"
    # Create user-supplied org
    curl -k -XPOST -H "Authorization: Bearer $CORTEX_KEY" -H "Content-Type: application/json" "https://$CORTEX_IP/cortex/api/organization" -d "{  \"name\": \"$CORTEX_ORG_NAME\",\"description\": \"$CORTEX_ORG_DESC\",\"status\": \"Active\"}"
    # Create user-supplied org user
    curl -k -XPOST -H "Authorization: Bearer $CORTEX_KEY" -H "Content-Type: application/json" "https://$CORTEX_IP/cortex/api/user" -d "{\"name\": \"$CORTEX_ORG_USER\",\"roles\": [\"read\",\"analyze\",\"orgadmin\"],\"organization\": \"$CORTEX_ORG_NAME\",\"login\": \"$CORTEX_ORG_USER\",\"key\": \"$CORTEX_ORG_USER_KEY\" }"
    # Enable URLScan.io Analyzer
-    curl -v -k -XPOST -H "Authorization: Bearer $CORTEX_KEY" -H "Content-Type: application/json" "https://$CORTEX_IP/cortex/api/organization/analyzer/Urlscan_io_Search_0_1_0" -d '{"name":"Urlscan_io_Search_0_1_0","configuration":{"auto_extract_artifacts":false,"check_tlp":true,"max_tlp":2}}'
+    curl -v -k -XPOST -H "Authorization: Bearer $CORTEX_ORG_USER_KEY" -H "Content-Type: application/json" "https://$CORTEX_IP/cortex/api/organization/analyzer/Urlscan_io_Search_0_1_0" -d '{"name":"Urlscan_io_Search_0_1_0","configuration":{"auto_extract_artifacts":false,"check_tlp":true,"max_tlp":2}}'
    # Enable Cert PassiveDNS Analyzer
    curl -v -k -XPOST -H "Authorization: Bearer $CORTEX_ORG_USER_KEY" -H "Content-Type: application/json" "https://$CORTEX_IP/cortex/api/organization/analyzer/CERTatPassiveDNS_2_0" -d '{"name":"CERTatPassiveDNS_2_0","configuration":{"auto_extract_artifacts":false,"check_tlp":true,"max_tlp":2, "limit": 100}}'
    # Revoke $CORTEX_USER key
    curl -k -XDELETE -H "Authorization: Bearer $CORTEX_KEY" "https:///$CORTEX_IP/api/user/$CORTEX_USER/key" 
    # Update SOCtopus config with apikey value
    #sed -i "s/cortex_key = .*/cortex_key = $CORTEX_KEY/" $SOCTOPUS_CONFIG
--- a/salt/logstash/conf/conf.enabled.txt.so-eval
+++ b/salt/logstash/conf/conf.enabled.txt.so-eval
@@ -13,7 +13,7 @@
 #/usr/share/logstash/pipeline.so/0002_input_windows_json.conf
 #/usr/share/logstash/pipeline.so/0003_input_syslog.conf
 #/usr/share/logstash/pipeline.so/0005_input_suricata.conf
-/usr/share/logstash/pipeline.dynamic/0006_input_beats.conf
+#/usr/share/logstash/pipeline.dynamic/0006_input_beats.conf
 /usr/share/logstash/pipeline.so/0007_input_import.conf
 /usr/share/logstash/pipeline.dynamic/0010_input_hhbeats.conf
 #/usr/share/logstash/pipeline.so/1000_preprocess_log_elapsed.conf
--- a/salt/logstash/files/dynamic/0006_input_beats.conf
+++ b/salt/logstash/files/dynamic/0006_input_beats.conf
@@ -9,23 +9,6 @@ input {
  }
 }
 filter {
  if [type] == "ids" or [type] =~ "bro" {
    mutate {
      rename => { "host" => "beat_host" }
      remove_tag => ["beat"]
      add_field => { "sensor_name" => "%{[beat][name]}" }
      add_field => { "syslog-host_from" => "%{[beat][name]}" }
      remove_field => [ "beat", "prospector", "input", "offset" ]
    }
  }
  if [type] =~ "ossec" {
    mutate {
      rename => { "host" => "beat_host" }
      remove_tag => ["beat"]
      add_field => { "syslog-host_from" => "%{[beat][name]}" }
      remove_field => [ "beat", "prospector", "input", "offset" ]
    }
   }
    if [type] == "osquery" {
    mutate {
      rename => { "host" => "beat_host" }
--- a/salt/master/files/registry/scripts/so-docker-download.sh
+++ b/salt/master/files/registry/scripts/so-docker-download.sh
@@ -0,0 +1,48 @@
 #!/bin/bash
 MASTER={{ MASTER }}
 VERSION="HH1.1.3"
 TRUSTED_CONTAINERS=( \
 "so-core:$VERSION" \
 "so-cyberchef:$VERSION" \
 "so-acng:$VERSION" \
 "so-sensoroni:$VERSION" \
 "so-fleet:$VERSION" \
 "so-soctopus:$VERSION" \
 "so-steno:$VERSION" \
 "so-playbook:$VERSION" \
 "so-thehive-cortex:$VERSION" \
 "so-thehive:$VERSION" \
 "so-thehive-es:$VERSION" \
 "so-wazuh:$VERSION" \
 "so-kibana:$VERSION" \
 "so-auth-ui:$VERSION" \
 "so-auth-api:$VERSION" \
 "so-elastalert:$VERSION" \
 "so-navigator:$VERSION" \
 "so-filebeat:$VERSION" \
 "so-suricata:$VERSION" \
 "so-logstash:$VERSION" \
 "so-bro:$VERSION" \
 "so-idstools:$VERSION" \
 "so-fleet-launcher:$VERSION" \
 "so-freqserver:$VERSION" \
 "so-influxdb:$VERSION" \
 "so-grafana:$VERSION" \
 "so-telegraf:$VERSION" \
 "so-redis:$VERSION" \
 "so-mysql:$VERSION" \
 "so-curtor:$VERSION" \
 "so-elasticsearch:$VERSION" \
 "so-domainstats:$VERSION" \
 "so-tcpreplay:$VERSION" \
 )
 for i in "${TRUSTED_CONTAINERS[@]}"
 do
  # Pull down the trusted docker image
  docker pull --disable-content-trust=false docker.io/soshybridhunter/$i
  # Tag it with the new registry destination
  docker tag soshybridhunter/$i $MASTER:5000/soshybridhunter/$i
  docker push $MASTER:5000/soshybridhunter/$i
 done
--- a/salt/master/init.sls
+++ b/salt/master/init.sls
@@ -17,6 +17,15 @@
 {% if masterproxy == 1 %}
 socore_own_saltstack:
  file.directory:
    - name: /opt/so/saltstack
    - user: socore
    - group: socore
    - recurse:
      - user
      - group	
 # Create the directories for apt-cacher-ng
 aptcacherconfdir:
  file.directory:
--- a/salt/motd/files/package_update_reboot_required.jinja
+++ b/salt/motd/files/package_update_reboot_required.jinja
@@ -0,0 +1,23 @@
 {% set needs_restarting_check = salt['mine.get']('*', 'needs_restarting.check', tgt_type='glob') -%}
 {%- if needs_restarting_check %}
  {%- set minions_need_restarted = [] %}
  {%- for minion, need_restarted in needs_restarting_check | dictsort() %}
    {%- if need_restarted == 'True' %}
      {% do minions_need_restarted.append(minion) %}
    {%- endif %}
  {%- endfor -%}
  {%- if minions_need_restarted | length > 0 %}
 *****************************************************************************************
 * The following nodes in your Security Onion grid need restarted due to package updates *
 *****************************************************************************************
    {% for minion in minions_need_restarted -%}
  {{ minion }}
    {% endfor -%}
  {%- endif -%}
 {%- endif -%}
--- a/salt/motd/init.sls
+++ b/salt/motd/init.sls
@@ -0,0 +1,5 @@
 package_update_reboot_required_motd:
  file.managed:
    - name: /etc/motd
    - source: salt://motd/files/package_update_reboot_required.jinja
    - template: jinja
--- a/salt/patch/needs_restarting.sls
+++ b/salt/patch/needs_restarting.sls
@@ -0,0 +1,5 @@
 needs_restarting:
  module.run:
    - mine.send:
      - func: needs_restarting.check
    - order: last
--- a/salt/patch/os/init.sls
+++ b/salt/patch/os/init.sls
@@ -0,0 +1,10 @@
 include:
  - patch.needs_restarting
 {% if grains.os == "CentOS" %}
  - yum.packages
 {% endif %}
 patch_os:
  pkg.uptodate:
    - name: patch_os
    - refresh: True
--- a/salt/patch/os/schedule.sls
+++ b/salt/patch/os/schedule.sls
@@ -0,0 +1,76 @@
 {% if salt['pillar.get']('patch:os:schedule_name') %}
  {% set patch_os_pillar = salt['pillar.get']('patch:os') %}
  {% set schedule_name = patch_os_pillar.schedule_name %}
  {% set splay = patch_os_pillar.get('splay', 300) %}
  {% if schedule_name != 'manual' and schedule_name != 'auto' %}
    {% import_yaml "patch/os/schedules/"~schedule_name~".yml" as os_schedule %}
    {% if patch_os_pillar.enabled %}
 patch_os_schedule:
  schedule.present:
    - function: state.sls
    - job_args:
      - patch.os
    - when:
      {% for days in os_schedule.patch.os.schedule %}
        {% for day, times in days.items() %}
          {% for time in times %}
        - {{day}} {{time}}
          {% endfor %}
        {% endfor %}
      {% endfor %}
    - splay: {{splay}}
    - return_job: True
    {% else %}
 disable_patch_os_schedule:
  schedule.disabled:
    - name: patch_os_schedule
    {% endif %}
  {% elif schedule_name == 'auto' %}
    {% if patch_os_pillar.enabled %}
 patch_os_schedule:
  schedule.present:
    - function: state.sls
    - job_args:
      - patch.os
    - hours: 8 
    - splay: {{splay}}
    - return_job: True
    {% else %}
 disable_patch_os_schedule:
  schedule.disabled:
    - name: patch_os_schedule
    {% endif %}
  {% elif schedule_name == 'manual' %}
 remove_patch_os_schedule:
  schedule.absent:
    - name: patch_os_schedule
  {% endif %}
 {% else %}
 no_patch_os_schedule_name_set:
  test.fail_without_changes:
    - name: "Set a pillar value for patch:os:schedule_name in this minion's .sls file. If an OS patch schedule is not listed as enabled in show_schedule output below, then OS patches will need to be applied manually until this is corrected."
 show_patch_os_schedule:
  module.run:
    - schedule.is_enabled:
      - name: patch_os_schedule
 {% endif %}
--- a/salt/patch/os/schedules/example_schedule.yml
+++ b/salt/patch/os/schedules/example_schedule.yml
@@ -0,0 +1,10 @@
 patch:
  os:
    schedule:
      - Tuesday:
        - '15:00'
      - Thursday:
        - '03:00'
      - Saturday:
        - '01:00'
        - '15:00'
--- a/salt/pcap/init.sls
+++ b/salt/pcap/init.sls
@@ -96,13 +96,13 @@ stenolog:
 so-stenoimage:
 cmd.run:
-   - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-steno:HH1.1.1
+   - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-steno:HH1.1.3
 so-steno:
  docker_container.running:
    - require:
      - so-stenoimage
-    - image: docker.io/soshybridhunter/so-steno:HH1.1.1
+    - image: docker.io/soshybridhunter/so-steno:HH1.1.3
    - network_mode: host
    - privileged: True
    - port_bindings:
--- a/salt/playbook/files/redmine.db
+++ b/salt/playbook/files/redmine.db
--- a/salt/playbook/init.sls
+++ b/salt/playbook/init.sls
@@ -11,7 +11,7 @@ playbookdb:
 playbookwebhook:
  module.run:
-    - name: sqlite3.modify
+    - sqlite3.modify:
      - db: /opt/so/conf/playbook/redmine.db
      - sql: "update webhooks set url = 'http://{{MASTERIP}}:7000/playbook/webhook' where project_id = 1"
@@ -26,13 +26,13 @@ navigatorconfig:
 so-playbookimage:
  cmd.run:
-    - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-playbook:HH1.1.1
+    - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-playbook:HH1.1.3
 so-playbook:
  docker_container.running:
    - require:
      - so-playbookimage
-    - image: docker.io/soshybridhunter/so-playbook:HH1.1.1
+    - image: docker.io/soshybridhunter/so-playbook:HH1.1.3
    - hostname: playbook
    - name: so-playbook
    - binds:
--- a/salt/sensoroni/init.sls
+++ b/salt/sensoroni/init.sls
@@ -29,19 +29,19 @@ sensoronisync:
 so-sensoroniimage:
  cmd.run:
-    - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-sensoroni:HH1.1.1
+    - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-sensoroni:HH1.1.3
 so-sensoroni:
  docker_container.running:
    - require:
      - so-sensoroniimage
-    - image: docker.io/soshybridhunter/so-sensoroni:HH1.1.1
+    - image: docker.io/soshybridhunter/so-sensoroni:HH1.1.3
    - hostname: sensoroni
    - name: so-sensoroni
    - binds:
      - /nsm/sensoroni/jobs:/opt/sensoroni/jobs:rw
      - /opt/so/conf/sensoroni/sensoroni.json:/opt/sensoroni/sensoroni.json:ro
-      - /opt/so/log/sensoroni/:/opt/sensoroni/log/:rw
+      - /opt/so/log/sensoroni/:/opt/sensoroni/logs/:rw
    - port_bindings:
      - 0.0.0.0:9822:9822
    - watch:
--- a/salt/soctopus/files/SOCtopus.conf
+++ b/salt/soctopus/files/SOCtopus.conf
@@ -50,4 +50,4 @@ playbook_url = http://{{ip}}:3200/playbook
 playbook_key = a4a34538782804adfcb8dfae96262514ad70c37c
 [log]
-logfile = /tmp/soctopus.log
+logfile = /var/log/SOCtopus/soctopus.log
--- a/salt/soctopus/files/templates/generic.template
+++ b/salt/soctopus/files/templates/generic.template
@@ -1,23 +1,6 @@
 {% set es = salt['pillar.get']('static:masterip', '') %}
 {% set hivehost = salt['pillar.get']('static:masterip', '') %}
 {% set hivekey = salt['pillar.get']('static:hivekey', '') %}
 es_host: {{es}}
 es_port: 9200
 name: Alert-Name
 type: frequency
 index: "*:logstash-*"
 num_events: 1
 timeframe:
    minutes: 10
 buffer_time:
    minutes: 10
 allow_buffer_time_overlap: true
 filter:
 - query:
   query_string:
      query: 'select from test'
 alert: modules.so.thehive.TheHiveAlerter
 hive_connection:
@@ -30,11 +13,11 @@ hive_proxies:
 hive_alert_config:
  title: '{rule[name]}'
-  type: 'external'
+  type: 'playbook'
  source: 'SecurityOnion'
-  description: '`Data:` {match[message]}'
+  description: "`Play:` https://{{es}}/playbook/issues/6000 \n\n `View Event:` <https://{{es}}/kibana/app/kibana#/discover?_g=()&_a=(columns:!(_source),interval:auto,query:(language:lucene,query:'_id:{match[_id]}'),sort:!('@timestamp',desc))>  \n\n `Raw Data:` {match[message]}"
  severity: 2
-  tags: ['elastalert', 'SecurityOnion']
+  tags: ['playbook']
  tlp: 3
  status: 'New'
  follow: True
--- a/salt/soctopus/files/templates/osquery.template
+++ b/salt/soctopus/files/templates/osquery.template
@@ -1,23 +1,6 @@
 {% set es = salt['pillar.get']('static:masterip', '') %}
 {% set hivehost = salt['pillar.get']('static:masterip', '') %}
 {% set hivekey = salt['pillar.get']('static:hivekey', '') %}
 es_host: {{es}}
 es_port: 9200
 name: Alert-Name
 type: frequency
 index: "*:logstash-*"
 num_events: 1
 timeframe:
    minutes: 10
 buffer_time:
    minutes: 10
 allow_buffer_time_overlap: true
 filter:
 - query:
   query_string:
      query: 'select from test'
 alert: modules.so.thehive.TheHiveAlerter
 hive_connection:
@@ -28,20 +11,22 @@ hive_proxies:
  http: ''
  https: ''
 hive_alert_config:
  title: '{rule[name]} -- {match[osquery][hostname]} -- {match[osquery][name]}'
  type: 'external'
  source: 'SecurityOnion'
  description: '`Hostname:` __{match[osquery][hostname]}__  `Live Query:`__[Pivot Link](https://{{es}}/fleet/queries/new?host_uuids={match[osquery][LiveQuery]})__ `Pack:`  __{match[osquery][name]}__ `Data:` {match[osquery][columns]}'
  severity: 2
  tags: ['elastalert', 'SecurityOnion']
  tlp: 3
  status: 'New'
  follow: True
  caseTemplate: '5000'
 hive_observable_data_mapping:
  - ip: '{match[osquery][EndpointIP1]}'
  - ip: '{match[osquery][EndpointIP2]}'
  - other: '{match[osquery][hostIdentifier]}'
  - other: '{match[osquery][hostname]}'
 hive_alert_config:
  title: '{rule[name]} -- {match[osquery][hostname]} -- {match[osquery][name]}'
  type: 'osquery'
  source: 'SecurityOnion'
  description: "`Play:` https://{{es}}/playbook/issues/6000 \n\n `View Event:` <https://{{es}}/kibana/app/kibana#/discover?_g=()&_a=(columns:!(_source),interval:auto,query:(language:lucene,query:'_id:{match[_id]}'),sort:!('@timestamp',desc))>  \n\n `Hostname:` __{match[osquery][hostname]}__  `Live Query:`__[Pivot Link](https://{{es}}/fleet/queries/new?host_uuids={match[osquery][LiveQuery]})__ `Pack:`  __{match[osquery][name]}__ `Data:` {match[osquery][columns]}"
  severity: 2
  tags: ['playbook','osquery']
  tlp: 3
  status: 'New'
  follow: True
  caseTemplate: '5000'
--- a/salt/soctopus/init.sls
+++ b/salt/soctopus/init.sls
@@ -13,6 +13,12 @@ soctopussync:
    - group: 939
    - template: jinja
 soctopuslogdir:
  file.directory:
    - name: /opt/so/log/soctopus
    - user: 939
    - group: 939
 playbookrulesdir:
  file.directory:
    - name: /opt/so/rules/elastalert/playbook
@@ -40,17 +46,18 @@ navigatordefaultlayer:
 so-soctopusimage:
  cmd.run:
-    - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-soctopus:HH1.1.1
+    - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-soctopus:HH1.1.3
 so-soctopus:
  docker_container.running:
    - require:
      - so-soctopusimage
-    - image: docker.io/soshybridhunter/so-soctopus:HH1.1.1
+    - image: docker.io/soshybridhunter/so-soctopus:HH1.1.3
    - hostname: soctopus
    - name: so-soctopus
    - binds:
      - /opt/so/conf/soctopus/SOCtopus.conf:/SOCtopus/SOCtopus.conf:ro
      - /opt/so/log/soctopus/:/var/log/SOCtopus/:rw
      - /opt/so/rules/elastalert/playbook:/etc/playbook-rules:rw
      - /opt/so/conf/playbook/nav_layer_playbook.json:/etc/playbook/nav_layer_playbook.json:rw
    - port_bindings:
--- a/salt/top.sls
+++ b/salt/top.sls
@@ -5,6 +5,11 @@
 {%- set THEHIVE = salt['pillar.get']('master:thehive', '0') -%}
 {%- set PLAYBOOK = salt['pillar.get']('master:playbook', '0') -%}
 base:
  '*':
    - patch.os.schedule
    - patch.needs_restarting
    - motd
  'G@role:so-sensor':
    - ca
    - ssl
@@ -40,6 +45,7 @@ base:
    - suricata
    - bro
    - curator
    - cyberchef
    - elastalert
    {%- if OSQUERY != 0 %}
    - fleet
@@ -66,6 +72,7 @@ base:
    - ca
    - ssl
    - common
    - cyberchef
    - sensoroni
    - firewall
    - master
--- a/salt/utility/bin/crossthestreams.sh
+++ b/salt/utility/bin/crossthestreams.sh
@@ -31,6 +31,6 @@ echo "Applying cross cluster search config..."
 # Add all the storage nodes to cross cluster searching.
-{%- for SN, SNDATA in salt['pillar.get']('nodestab', {}).iteritems() %}
+{%- for SN, SNDATA in salt['pillar.get']('nodestab', {}).items() %}
 curl -XPUT http://{{ ES }}:9200/_cluster/settings -H'Content-Type: application/json' -d '{"persistent": {"search": {"remote": {"{{ SN }}": {"skip_unavailable": "true", "seeds": ["{{ SNDATA.ip }}:9300"]}}}}}'
 {%- endfor %}
--- a/salt/yum/packages.sls
+++ b/salt/yum/packages.sls
@@ -0,0 +1,3 @@
 install_yum_utils:
  pkg.installed:
    - name: yum-utils
--- a/setup/functions.sh
+++ b/setup/functions.sh
--- a/setup/so-setup.sh
+++ b/setup/so-setup.sh
@@ -0,0 +1,627 @@
 #!/bin/bash
 # Copyright 2014,2015,2016,2017,2018,2019 Security Onion Solutions, LLC
 #    This program is free software: you can redistribute it and/or modify
 #    it under the terms of the GNU General Public License as published by
 #    the Free Software Foundation, either version 3 of the License, or
 #    (at your option) any later version.
 #
 #    This program is distributed in the hope that it will be useful,
 #    but WITHOUT ANY WARRANTY; without even the implied warranty of
 #    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 #    GNU General Public License for more details.
 #
 #    You should have received a copy of the GNU General Public License
 #    along with this program.  If not, see <http://www.gnu.org/licenses/>.
 # Source the other pieces of the setup
 source functions.sh
 source whiplash.sh
 # Global Variables
 HOSTNAME=$(cat /etc/hostname)
 MINION_ID=$(echo $HOSTNAME | awk -F. {'print $1'})
 TOTAL_MEM=`grep MemTotal /proc/meminfo | awk '{print $2}' | sed -r 's/.{3}$//'`
 NICS=$(ip link | awk -F: '$0 !~ "lo|vir|veth|br|docker|wl|^[^0-9]"{print $2 " \"" "Interface" "\"" " OFF"}')
 CPUCORES=$(cat /proc/cpuinfo | grep processor | wc -l)
 LISTCORES=$(cat /proc/cpuinfo | grep processor | awk '{print $3 " \"" "core" "\""}')
 RANDOMUID=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1)
 NODE_ES_PORT="9200"
 SETUPLOG="/root/sosetup.log"
 # End Global Variables
 # Reset the Install Log
 date -u >$SETUPLOG 2>&1
 # Check for prerequisites
 got_root
 detect_os
 if [ $OS == ubuntu ]; then
  # Override the Ubuntu whiptail color pallete
  update-alternatives --set newt-palette /etc/newt/palette.original
 fi
 # Question Time
 if (whiptail_you_sure); then
  # Create a temp dir to get started
  install_prep
  # Determine if this is a network install or ISO install
  # Let folks know they need their management interface already set up.
  whiptail_network_notice
  # Set the hostname to reduce errors
  whiptail_set_hostname
  # Go ahead and gen the keys so we can use them for any sensor type - Disabled for now
  #minio_generate_keys
  # What kind of install are we doing?
  whiptail_install_type
  # How do we want to handle OS patching? manual, auto or scheduled days and hours
  whiptail_patch_schedule
  case $PATCHSCHEDULE in
    'New Schedule')
      whiptail_patch_schedule_select_days
      whiptail_patch_schedule_select_hours
      whiptail_patch_name_new_schedule
      patch_schedule_os_new
      ;;
    'Import Schedule')
      whiptail_patch_schedule_import
      ;;
    Automatic)
      PATCHSCHEDULENAME=auto
      ;;
    Manual)
      PATCHSCHEDULENAME=manual
      ;;
  esac
  ####################
  ##     Master     ##
  ####################
  if [ $INSTALLTYPE == 'MASTERONLY' ]; then
    # Would you like to do an advanced install?
    whiptail_master_adv
    # Pick the Management NIC
    whiptail_management_nic
    # Choose Zeek or Community NSM
    whiptail_bro_version
    # Select Snort or Suricata
    whiptail_nids
    # Snag the HOME_NET
    whiptail_homenet_master
    # Pick your Ruleset
    whiptail_rule_setup
    # Get the code if it isn't ET Open
    if [ $RULESETUP != 'ETOPEN' ]; then
      # Get the code
      whiptail_oinkcode
    fi
    # Find out how to handle updates
    whiptail_master_updates
    whiptail_enable_components
    process_components
    # Do Advacned Setup if they chose it
    if [ $MASTERADV == 'ADVANCED' ]; then
      # Ask which bro logs to enable - Need to add Suricata check
      if [ $BROVERSION != 'SURICATA' ]; then
        whiptail_master_adv_service_brologs
      fi
    fi
    whiptail_create_socore_user
    SCMATCH=no
    while [ $SCMATCH != yes ]; do
      whiptail_create_socore_user_password1
      whiptail_create_socore_user_password2
      check_socore_pass
    done
    # Last Chance to back out
    whiptail_make_changes
    set_hostname
    generate_passwords
    auth_pillar
    clear_master
    mkdir -p /nsm
    get_filesystem_root
    get_filesystem_nsm
    # Enable Bro Logs
    bro_logs_enabled
    # Figure out the main IP address
    get_main_ip
    # Add the user so we can sit back and relax
    #echo ""
    #echo "**** Please set a password for socore. You will use this password when setting up other Nodes/Sensors"
    #echo ""
    add_socore_user_master
    # Install salt and dependencies
    {
      sleep 0.5
      #install_pip3 >> $SETUPLOG 2>&1
      echo -e "XXX\n1\nInstalling and configuring Salt... \nXXX"
      echo " ** Installing Salt and Dependencies **" >> $SETUPLOG
      salt_install_mysql_deps >> $SETUPLOG 2>&1
      saltify >> $SETUPLOG 2>&1
      echo -e "XXX\n5\nInstalling Docker... \nXXX"
      docker_install >> $SETUPLOG 2>&1
      echo -e "XXX\n10\nConfiguring Salt Master... \nXXX"
      echo " ** Configuring Minion **" >> $SETUPLOG
      configure_minion master >> $SETUPLOG 2>&1
      echo " ** Installing Salt Master **" >> $SETUPLOG
      install_master >> $SETUPLOG 2>&1
      salt_master_directories >> $SETUPLOG 2>&1
      update_sudoers >> $SETUPLOG 2>&1
      chown_salt_master >> $SETUPLOG 2>&1
      es_heapsize >> $SETUPLOG 2>&1
      ls_heapsize >> $SETUPLOG 2>&1
      echo -e "XXX\n25\nConfiguring Default Pillars... \nXXX"
      master_static >> $SETUPLOG 2>&1
      echo "** Generating the master pillar **" >> $SETUPLOG
      master_pillar >> $SETUPLOG 2>&1
      echo "** Generating the patch pillar **" >> $SETUPLOG
      patch_pillar >> $SETUPLOG 2>&1
      echo -e "XXX\n30\nAccepting Salt Keys... \nXXX"
      echo -e "XXX\n24\nCopying Minion Pillars to Master... \nXXX"
      copy_minion_tmp_files >> $SETUPLOG 2>&1
      # Do a checkin to push the key up
      echo "** Pushing the key up to Master **" >> $SETUPLOG
      salt_firstcheckin >> $SETUPLOG 2>&1
      # Accept the Master Key
      echo "** Accepting the key on the master **" >> $SETUPLOG
      accept_salt_key_local >> $SETUPLOG 2>&1
      echo -e "XXX\n35\nConfiguring Firewall... \nXXX"
      # Open the firewall
      echo "** Setting the initial firewall policy **" >> $SETUPLOG
      set_initial_firewall_policy >> $SETUPLOG 2>&1
      # Do the big checkin but first let them know it will take a bit.
      echo -e "XXX\n40\nGenerating CA... \nXXX"
      salt_checkin >> $SETUPLOG 2>&1
      salt-call state.apply ca >> $SETUPLOG 2>&1
      salt-call state.apply ssl >> $SETUPLOG 2>&1
      echo -e "XXX\n43\nInstalling Common Components... \nXXX"
      salt-call state.apply common >> $SETUPLOG 2>&1
      echo -e "XXX\n45\nApplying firewall rules... \nXXX"
      salt-call state.apply firewall >> $SETUPLOG 2>&1
      salt-call state.apply master >> $SETUPLOG 2>&1
      salt-call state.apply idstools >> $SETUPLOG 2>&1
      echo -e "XXX\n40\nInstalling Redis... \nXXX"
      salt-call state.apply redis >> $SETUPLOG 2>&1
      if [[ $OSQUERY == '1' ]]; then
        echo -e "XXX\n41\nInstalling MySQL... \nXXX"
        salt-call state.apply mysql >> $SETUPLOG 2>&1
      fi
      echo -e "XXX\n45\nInstalling Elastic Components... \nXXX"
      salt-call state.apply elasticsearch >> $SETUPLOG 2>&1
      salt-call state.apply logstash >> $SETUPLOG 2>&1
      salt-call state.apply kibana >> $SETUPLOG 2>&1
      salt-call state.apply elastalert >> $SETUPLOG 2>&1
      if [[ $WAZUH == '1' ]]; then
        echo -e "XXX\n68\nInstalling Wazuh... \nXXX"
        salt-call state.apply wazuh >> $SETUPLOG 2>&1
      fi
      echo -e "XXX\n75\nInstalling Filebeat... \nXXX"
      salt-call state.apply filebeat >> $SETUPLOG 2>&1
      salt-call state.apply utility >> $SETUPLOG 2>&1
      salt-call state.apply schedule >> $SETUPLOG 2>&1
      if [[ $OSQUERY == '1' ]]; then
        echo -e "XXX\n79\nInstalling Fleet... \nXXX"
        salt-call state.apply fleet >> $SETUPLOG 2>&1
        salt-call state.apply launcher >> $SETUPLOG 2>&1
      fi
      echo -e "XXX\n85\nConfiguring SOctopus... \nXXX"
      salt-call state.apply soctopus >> $SETUPLOG 2>&1
      if [[ $THEHIVE == '1' ]]; then
        echo -e "XXX\n87\nInstalling TheHive... \nXXX"
        salt-call state.apply hive >> $SETUPLOG 2>&1
      fi
      if [[ $PLAYBOOK == '1' ]]; then
        echo -e "XXX\n89\nInstalling Playbook... \nXXX"
        salt-call state.apply playbook >> $SETUPLOG 2>&1
      fi
      echo -e "XXX\n75\nEnabling Checking at Boot... \nXXX"
      checkin_at_boot >> $SETUPLOG 2>&1
      echo -e "XXX\n95\nVerifying Install... \nXXX"
      salt-call state.highstate >> $SETUPLOG 2>&1
    } |whiptail --title "Hybrid Hunter Install" --gauge "Please wait while installing" 6 60 0
    GOODSETUP=$(tail -10 $SETUPLOG | grep Failed | awk '{ print $2}')
    if [[ $GOODSETUP == '0' ]]; then
      whiptail_setup_complete
      if [[ $THEHIVE == '1' ]]; then
        check_hive_init_then_reboot
      else
        shutdown -r now
      fi
    else
      whiptail_setup_failed
      shutdown -r now
    fi
  fi
  ####################
  ##     Sensor     ##
  ####################
  if [ $INSTALLTYPE == 'SENSORONLY' ]; then
    whiptail_management_nic
    filter_nics
    whiptail_bond_nics
    whiptail_management_server
    whiptail_master_updates
    set_updates
    whiptail_homenet_sensor
    whiptail_sensor_config
    # Calculate lbprocs so we can call it in the prompts
    calculate_useable_cores
    if [ $NSMSETUP == 'ADVANCED' ]; then
      whiptail_bro_pins
      whiptail_suricata_pins
      whiptail_bond_nics_mtu
    else
      whiptail_basic_bro
      whiptail_basic_suri
    fi
    whiptail_make_changes
    set_hostname
    clear_master
    mkdir -p /nsm
    get_filesystem_root
    get_filesystem_nsm
    copy_ssh_key
    {
      sleep 0.5
      echo -e "XXX\n0\nSetting Initial Firewall Policy... \nXXX"
      set_initial_firewall_policy >> $SETUPLOG 2>&1
      #echo -e "XXX\n1\nInstalling pip3... \nXXX"
      #install_pip3 >> $SETUPLOG 2>&1
      echo -e "XXX\n3\nCreating Bond Interface... \nXXX"
      network_setup >> $SETUPLOG 2>&1
      echo -e "XXX\n4\nGenerating Sensor Pillar... \nXXX"
      sensor_pillar >> $SETUPLOG 2>&1
      echo "** Generating the patch pillar **" >> $SETUPLOG
      patch_pillar >> $SETUPLOG 2>&1
      echo -e "XXX\n5\nInstalling Salt Components... \nXXX"
      saltify >> $SETUPLOG 2>&1
      echo -e "XXX\n20\nInstalling Docker... \nXXX"
      docker_install >> $SETUPLOG 2>&1
      echo -e "XXX\n22\nConfiguring Salt Minion... \nXXX"
      configure_minion sensor >> $SETUPLOG 2>&1
      echo -e "XXX\n24\nCopying Minion Pillars to Master... \nXXX"
      copy_minion_tmp_files >> $SETUPLOG 2>&1
      echo -e "XXX\n25\nSending Salt Key to Master... \nXXX"
      salt_firstcheckin >> $SETUPLOG 2>&1
      echo -e "XXX\n26\nTelling the Master to Accept Key... \nXXX"
      # Accept the Salt Key
      accept_salt_key_remote >> $SETUPLOG 2>&1
      echo -e "XXX\n27\nApplying SSL Certificates... \nXXX"
      salt-call state.apply ca >> $SETUPLOG 2>&1
      salt-call state.apply ssl >> $SETUPLOG 2>&1
      echo -e "XXX\n35\nInstalling Core Components... \nXXX"
      salt-call state.apply common >> $SETUPLOG 2>&1
      salt-call state.apply firewall >> $SETUPLOG 2>&1
      echo -e "XXX\n50\nInstalling PCAP... \nXXX"
      salt-call state.apply pcap >> $SETUPLOG 2>&1
      echo -e "XXX\n60\nInstalling IDS components... \nXXX"
      salt-call state.apply suricata >> $SETUPLOG 2>&1
      echo -e "XXX\n80\nVerifying Install... \nXXX"
      salt-call state.highstate >> $SETUPLOG 2>&1
      checkin_at_boot >> $SETUPLOG 2>&1
    } |whiptail --title "Hybrid Hunter Install" --gauge "Please wait while installing" 6 60 0
    GOODSETUP=$(tail -10 $SETUPLOG | grep Failed | awk '{ print $2}')
    if [[ $GOODSETUP == '0' ]]; then
      whiptail_setup_complete
      shutdown -r now
    else
      whiptail_setup_failed
      shutdown -r now
    fi
  fi
  #######################
  ##     Eval Mode     ##
  #######################
  if [ $INSTALLTYPE == 'EVALMODE' ]; then
    # Select the management NIC
    whiptail_management_nic
    # Filter out the management NIC
    filter_nics
    # Select which NICs are in the bond
    whiptail_bond_nics
    # Snag the HOME_NET
    whiptail_homenet_master
    whiptail_eval_adv_warning
    whiptail_enable_components
    # Set a bunch of stuff since this is eval
    es_heapsize
    ls_heapsize
    NODE_ES_HEAP_SIZE="600m"
    NODE_LS_HEAP_SIZE="500m"
    LSPIPELINEWORKERS=1
    LSPIPELINEBATCH=125
    LSINPUTTHREADS=1
    LSINPUTBATCHCOUNT=125
    RULESETUP=ETOPEN
    NSMSETUP=BASIC
    NIDS=Suricata
    BROVERSION=ZEEK
    CURCLOSEDAYS=30
    process_components
    whiptail_create_socore_user
    SCMATCH=no
    while [ $SCMATCH != yes ]; do
      whiptail_create_socore_user_password1
      whiptail_create_socore_user_password2
      check_socore_pass
    done
    whiptail_make_changes
    set_hostname
    generate_passwords
    auth_pillar
    clear_master
    mkdir -p /nsm
    get_filesystem_root
    get_filesystem_nsm
    get_log_size_limit
    get_main_ip
    # Add the user so we can sit back and relax
    add_socore_user_master
    {
      sleep 0.5
      echo -e "XXX\n0\nCreating Bond Interface... \nXXX"
      network_setup >> $SETUPLOG 2>&1
      #install_pip3 >> $SETUPLOG 2>&1
      echo -e "XXX\n1\nInstalling mysql dependencies for saltstack... \nXXX"
      salt_install_mysql_deps >> $SETUPLOG 2>&1
      echo -e "XXX\n1\nInstalling saltstack... \nXXX"
      saltify >> $SETUPLOG 2>&1
      echo -e "XXX\n3\nInstalling docker... \nXXX"
      docker_install >> $SETUPLOG 2>&1
      echo -e "XXX\n5\nInstalling master code... \nXXX"
      install_master >> $SETUPLOG 2>&1
      echo -e "XXX\n6\nCopying salt code... \nXXX"
      salt_master_directories >> $SETUPLOG 2>&1
      echo -e "XXX\n6\nupdating suduers... \nXXX"
      update_sudoers >> $SETUPLOG 2>&1
      echo -e "XXX\n7\nFixing some permissions... \nXXX"
      chown_salt_master >> $SETUPLOG 2>&1
      echo -e "XXX\n7\nCreating the static pillar... \nXXX"
      # Set the static values
      master_static >> $SETUPLOG 2>&1
      echo -e "XXX\n7\nCreating the master pillar... \nXXX"
      master_pillar >> $SETUPLOG 2>&1
      echo "** Generating the patch pillar **" >> $SETUPLOG
      patch_pillar >> $SETUPLOG 2>&1
      echo -e "XXX\n7\nConfiguring minion... \nXXX"
      configure_minion eval >> $SETUPLOG 2>&1
      echo -e "XXX\n7\nSetting the node type to eval... \nXXX"
      set_node_type >> $SETUPLOG 2>&1
      echo -e "XXX\n7\nStorage node pillar... \nXXX"
      node_pillar >> $SETUPLOG 2>&1
      echo -e "XXX\n8\nCreating firewall policies... \nXXX"
      set_initial_firewall_policy >> $SETUPLOG 2>&1
      echo -e "XXX\n24\nCopying Minion Pillars to Master... \nXXX"
      copy_minion_tmp_files >> $SETUPLOG 2>&1
      echo -e "XXX\n10\nRegistering agent... \nXXX"
      salt_firstcheckin >> $SETUPLOG 2>&1
      echo -e "XXX\n11\nAccepting Agent... \nXXX"
      accept_salt_key_local >> $SETUPLOG 2>&1
      echo -e "XXX\n12\nRunning the SSL states... \nXXX"
      salt_checkin >> $SETUPLOG 2>&1
      salt-call state.apply ca >> $SETUPLOG 2>&1
      salt-call state.apply ssl >> $SETUPLOG 2>&1
      echo -e "XXX\n15\nInstalling core components... \nXXX"
      salt-call state.apply common >> $SETUPLOG 2>&1
      echo -e "XXX\n18\nInitializing firewall rules... \nXXX"
      salt-call state.apply firewall >> $SETUPLOG 2>&1
      echo -e "XXX\n25\nInstalling master components... \nXXX"
      salt-call state.apply master >> $SETUPLOG 2>&1
      salt-call state.apply idstools >> $SETUPLOG 2>&1
      if [[ $OSQUERY == '1' ]]; then
        salt-call state.apply mysql >> $SETUPLOG 2>&1
      fi
      echo -e "XXX\n35\nInstalling ElasticSearch... \nXXX"
      salt-call state.apply elasticsearch >> $SETUPLOG 2>&1
      echo -e "XXX\n40\nInstalling Logstash... \nXXX"
      salt-call state.apply logstash >> $SETUPLOG 2>&1
      echo -e "XXX\n45\nInstalling Kibana... \nXXX"
      salt-call state.apply kibana >> $SETUPLOG 2>&1
      echo -e "XXX\n50\nInstalling pcap... \nXXX"
      salt-call state.apply pcap >> $SETUPLOG 2>&1
      echo -e "XXX\n52\nInstalling Suricata... \nXXX"
      salt-call state.apply suricata >> $SETUPLOG 2>&1
      echo -e "XXX\n54\nInstalling Zeek... \nXXX"
      salt-call state.apply bro >> $SETUPLOG 2>&1
      echo -e "XXX\n56\nInstalling curator... \nXXX"
      salt-call state.apply curator >> $SETUPLOG 2>&1
      echo -e "XXX\n58\nInstalling elastalert... \nXXX"
      salt-call state.apply elastalert >> $SETUPLOG 2>&1
      if [[ $OSQUERY == '1' ]]; then
        echo -e "XXX\n60\nInstalling fleet... \nXXX"
        salt-call state.apply fleet >> $SETUPLOG 2>&1
        salt-call state.apply redis >> $SETUPLOG 2>&1
      fi
      if [[ $WAZUH == '1' ]]; then
        echo -e "XXX\n65\nInstalling Wazuh components... \nXXX"
        salt-call state.apply wazuh >> $SETUPLOG 2>&1
      fi
      echo -e "XXX\n85\nInstalling filebeat... \nXXX"
      salt-call state.apply filebeat >> $SETUPLOG 2>&1
      salt-call state.apply utility >> $SETUPLOG 2>&1
      echo -e "XXX\n95\nInstalling misc components... \nXXX"
      salt-call state.apply schedule >> $SETUPLOG 2>&1
      salt-call state.apply soctopus >> $SETUPLOG 2>&1
      if [[ $THEHIVE == '1' ]]; then
        echo -e "XXX\n96\nInstalling The Hive... \nXXX"
        salt-call state.apply hive >> $SETUPLOG 2>&1
      fi
      if [[ $PLAYBOOK == '1' ]]; then
        echo -e "XXX\n97\nInstalling Playbook... \nXXX"
        salt-call state.apply playbook >> $SETUPLOG 2>&1
      fi
      echo -e "XXX\n98\nSetting checkin to run on boot... \nXXX"
      checkin_at_boot >> $SETUPLOG 2>&1
      echo -e "XXX\n99\nVerifying Setup... \nXXX"
      salt-call state.highstate >> $SETUPLOG 2>&1
    } |whiptail --title "Hybrid Hunter Install" --gauge "Please wait while installing" 6 60 0
    GOODSETUP=$(tail -10 $SETUPLOG | grep Failed | awk '{ print $2}')
    if [ $OS == 'centos' ]; then
      if [[ $GOODSETUP == '1' ]]; then
        whiptail_setup_complete
        if [[ $THEHIVE == '1' ]]; then
          check_hive_init_then_reboot
        else
          shutdown -r now
        fi
      else
        whiptail_setup_failed
        shutdown -r now
      fi
    else
      if [[ $GOODSETUP == '0' ]]; then
        whiptail_setup_complete
        if [[ $THEHIVE == '1' ]]; then
          check_hive_init_then_reboot
        else
          shutdown -r now
        fi
      else
        whiptail_setup_failed
        shutdown -r now
      fi
    fi
  fi
  ###################
  ##     Nodes     ##
  ###################
  if [ $INSTALLTYPE == 'STORAGENODE' ] || [ $INSTALLTYPE == 'PARSINGNODE' ] || [ $INSTALLTYPE == 'HOTNODE' ] || [ $INSTALLTYPE == 'WARMNODE' ]; then
    whiptail_management_nic
    whiptail_management_server
    whiptail_master_updates
    set_updates
    get_log_size_limit
    CURCLOSEDAYS=30
    es_heapsize
    ls_heapsize
    whiptail_node_advanced
    if [ $NODESETUP == 'NODEADVANCED' ]; then
      whiptail_node_es_heap
      whiptail_node_ls_heap
      whiptail_node_ls_pipeline_worker
      whiptail_node_ls_pipline_batchsize
      whiptail_node_ls_input_threads
      whiptail_node_ls_input_batch_count
      whiptail_cur_close_days
      whiptail_log_size_limit
    else
      NODE_ES_HEAP_SIZE=$ES_HEAP_SIZE
      NODE_LS_HEAP_SIZE=$LS_HEAP_SIZE
      LSPIPELINEWORKERS=$CPUCORES
      LSPIPELINEBATCH=125
      LSINPUTTHREADS=1
      LSINPUTBATCHCOUNT=125
    fi
    whiptail_make_changes
    set_hostname
    clear_master
    mkdir -p /nsm
    get_filesystem_root
    get_filesystem_nsm
    copy_ssh_key
    {
      sleep 0.5
      echo -e "XXX\n0\nSetting Initial Firewall Policy... \nXXX"
      set_initial_firewall_policy >> $SETUPLOG 2>&1
      #echo -e "XXX\n1\nInstalling pip3... \nXXX"
      #install_pip3 >> $SETUPLOG 2>&1
      echo -e "XXX\n5\nInstalling Salt Packages... \nXXX"
      saltify >> $SETUPLOG 2>&1
      echo -e "XXX\n20\nInstalling Docker... \nXXX"
      docker_install >> $SETUPLOG 2>&1
      echo -e "XXX\n30\nInitializing Minion... \nXXX"
      configure_minion node >> $SETUPLOG 2>&1
      set_node_type >> $SETUPLOG 2>&1
      node_pillar >> $SETUPLOG 2>&1
      echo "** Generating the patch pillar **" >> $SETUPLOG
      patch_pillar >> $SETUPLOG 2>&1
      echo -e "XXX\n24\nCopying Minion Pillars to Master... \nXXX"
      copy_minion_tmp_files >> $SETUPLOG 2>&1
      echo -e "XXX\n35\nSending and Accepting Salt Key... \nXXX"
      salt_firstcheckin >> $SETUPLOG 2>&1
      # Accept the Salt Key
      accept_salt_key_remote >> $SETUPLOG 2>&1
      echo -e "XXX\n40\nApplying SSL Certificates... \nXXX"
      salt-call state.apply ca >> $SETUPLOG 2>&1
      salt-call state.apply ssl >> $SETUPLOG 2>&1
      echo -e "XXX\n50\nConfiguring Firewall... \nXXX"
      salt-call state.apply common >> $SETUPLOG 2>&1
      salt-call state.apply firewall >> $SETUPLOG 2>&1
      echo -e "XXX\n70\nInstalling Elastic Components... \nXXX"
      salt-call state.apply logstash >> $SETUPLOG 2>&1
      salt-call state.apply elasticsearch >> $SETUPLOG 2>&1
      salt-call state.apply curator >> $SETUPLOG 2>&1
      salt-call state.apply filebeat >> $SETUPLOG 2>&1
      echo -e "XXX\n90\nVerifying Install... \nXXX"
      salt-call state.highstate >> $SETUPLOG 2>&1
      checkin_at_boot >> $SETUPLOG 2>&1
    } |whiptail --title "Hybrid Hunter Install" --gauge "Please wait while installing" 6 60 0
    GOODSETUP=$(tail -10 $SETUPLOG | grep Failed | awk '{ print $2}')
    if [[ $GOODSETUP == '0' ]]; then
      whiptail_setup_complete
      shutdown -r now
    else
      whiptail_setup_failed
      shutdown -r now
    fi
    #set_initial_firewall_policy
    #saltify
    #docker_install
    #configure_minion node
    #set_node_type
    #node_pillar
    #copy_minion_pillar nodes
    #salt_checkin
    # Accept the Salt Key
    #accept_salt_key_remote
    # Do the big checkin but first let them know it will take a bit.
    #salt_checkin_message
    #salt_checkin
    #checkin_at_boot
    #whiptail_setup_complete
  fi
 else
    exit
 fi
--- a/setup/whiplash.sh
+++ b/setup/whiplash.sh
@@ -0,0 +1,611 @@
 ###########################################
 ##                                       ##
 ##         Whiptail Menu Section         ##
 ##                                       ##
 ###########################################
 whiptail_basic_bro() {
  BASICBRO=$(whiptail --title "Security Onion Setup" --inputbox \
  "Enter the number of bro processes:" 10 60 $LBPROCS 3>&1 1>&2 2>&3)
  local exitstatus=$?
  whiptail_check_exitstatus $exitstatus
 }
 whiptail_basic_suri() {
  BASICSURI=$(whiptail --title "Security Onion Setup" --inputbox \
  "Enter the number of Suricata Processes:" 10 60 $LBPROCS 3>&1 1>&2 2>&3)
  local exitstatus=$?
  whiptail_check_exitstatus $exitstatus
 }
 whiptail_bro_pins() {
  BROPINS=$(whiptail --noitem --title "Pin Bro CPUS" --checklist "Please Select $LBPROCS cores to pin Bro to:" 20 78 12 ${LISTCORES[@]} 3>&1 1>&2 2>&3 )
  local exitstatus=$?
  whiptail_check_exitstatus $exitstatus
 }
 whiptail_bro_version() {
  BROVERSION=$(whiptail --title "Security Onion Setup" --radiolist "What tool would you like to use to generate meta data?" 20 78 4 "ZEEK" "Install Zeek (aka Bro)"  ON \
  "COMMUNITY" "Install Community NSM" OFF "SURICATA" "SUPER EXPERIMENTAL" OFF 3>&1 1>&2 2>&3)
  local exitstatus=$?
  whiptail_check_exitstatus $exitstatus
 }
 whiptail_bond_nics() {
  BNICS=$(whiptail --title "NIC Setup" --checklist "Please add NICs to the Monitor Interface" 20 78 12 ${FNICS[@]} 3>&1 1>&2 2>&3 )
  while [ -z "$BNICS" ]
  do
    BNICS=$(whiptail --title "NIC Setup" --checklist "Please add NICs to the Monitor Interface" 20 78 12 ${FNICS[@]} 3>&1 1>&2 2>&3 )
  done
  local exitstatus=$?
  whiptail_check_exitstatus $exitstatus
 }
 whiptail_bond_nics_mtu() {
  # Set the MTU on the monitor interface
  MTU=$(whiptail --title "Security Onion Setup" --inputbox \
  "Enter the MTU for the monitor NICs" 10 60 1500 3>&1 1>&2 2>&3)
  local exitstatus=$?
  whiptail_check_exitstatus $exitstatus
 }
 whiptail_cancel() {
  whiptail --title "Security Onion Setup" --msgbox "Cancelling Setup. No changes have been made." 8 78
  install_cleanup
  exit
 }
 whiptail_check_exitstatus() {
  if [ $1 == '1' ]; then
    echo "They hit cancel"
    whiptail_cancel
  fi
 }
 whiptail_create_socore_user() {
  whiptail --title "Security Onion Setup" --msgbox "Set a password for the socore user. This account is used for adding sensors remotely." 8 78
 }
 whiptail_create_socore_user_password1() {
  COREPASS1=$(whiptail --title "Security Onion Install" --passwordbox \
  "Enter a password for user socore" 10 60 3>&1 1>&2 2>&3)
 }
 whiptail_create_socore_user_password2() {
  COREPASS2=$(whiptail --title "Security Onion Install" --passwordbox \
  "Re-enter a password for user socore" 10 60 3>&1 1>&2 2>&3)
 }
 whiptail_cur_close_days() {
  CURCLOSEDAYS=$(whiptail --title "Security Onion Setup" --inputbox \
  "Please specify the threshold (in days) at which Elasticsearch indices will be closed" 10 60 $CURCLOSEDAYS 3>&1 1>&2 2>&3)
  local exitstatus=$?
  whiptail_check_exitstatus $exitstatus
 }
 whiptail_enable_components() {
  COMPONENTS=$(whiptail --title "Security Onion Setup" --checklist \
  "Select Components to install" 20 78 8 \
  "GRAFANA" "Enable Grafana for system monitoring" ON \
  "OSQUERY" "Enable Fleet with osquery" ON \
  "WAZUH" "Enable Wazuh" ON \
  "THEHIVE" "Enable TheHive" ON \
  "PLAYBOOK" "Enable Playbook" ON 3>&1 1>&2 2>&3 )
 }
 whiptail_eval_adv() {
  EVALADVANCED=$(whiptail --title "Security Onion Setup" --radiolist \
  "Choose your eval install:" 20 78 4 \
  "BASIC" "Install basic components for evaluation" ON  \
  "ADVANCED" "Choose additional components to be installed" OFF 3>&1 1>&2 2>&3 )
 }
 whiptail_eval_adv_warning() {
  whiptail --title "Security Onion Setup" --msgbox "Please keep in mind the more services that you enable the more RAM that is required." 8 78
 }
 whiptail_homenet_master() {
  # Ask for the HOME_NET on the master
  HNMASTER=$(whiptail --title "Security Onion Setup" --inputbox \
  "Enter your HOME_NET separated by ," 10 60 10.0.0.0/8,192.168.0.0/16,172.16.0.0/12 3>&1 1>&2 2>&3)
  local exitstatus=$?
  whiptail_check_exitstatus $exitstatus
 }
 whiptail_homenet_sensor() {
  # Ask to inherit from master
  whiptail --title "Security Onion Setup" --yesno "Do you want to inherit the HOME_NET from the Master?" 8 78
  local exitstatus=$?
  if [ $exitstatus == 0 ]; then
    HNSENSOR=inherit
  else
    HNSENSOR=$(whiptail --title "Security Onion Setup" --inputbox \
    "Enter your HOME_NET separated by ," 10 60 10.0.0.0/8,192.168.0.0/16,172.16.0.0/12 3>&1 1>&2 2>&3)
  fi
 }
 whiptail_install_type() {
  # What kind of install are we doing?
  INSTALLTYPE=$(whiptail --title "Security Onion Setup" --radiolist \
  "Choose Install Type:" 20 78 14 \
  "SENSORONLY" "Create a forward only sensor" ON \
  "STORAGENODE" "Add a Storage Hot Node with parsing" OFF \
  "MASTERONLY" "Start a new grid" OFF \
  "PARSINGNODE" "TODO Add a dedicated Parsing Node" OFF \
  "HOTNODE" "TODO Add a Hot Node (Storage Node without Parsing)" OFF \
  "WARMNODE" "TODO Add a Warm Node to an existing Hot or Storage node" OFF \
  "EVALMODE" "Evaluate all the things" OFF \
  "WAZUH" "TODO Stand Alone Wazuh Node" OFF \
  "STRELKA" "TODO Stand Alone Strelka Node" OFF \
  "FLEET" "TODO Stand Alone Fleet OSQuery Node" OFF 3>&1 1>&2 2>&3 )
  local exitstatus=$?
  whiptail_check_exitstatus $exitstatus
 }
 whiptail_log_size_limit() {
   LOG_SIZE_LIMIT=$(whiptail --title "Security Onion Setup" --inputbox \
  "Please specify the amount of disk space (in GB) you would like to allocate for Elasticsearch data storage. \
  By default, this is set to 85% of the disk space allotted for /nsm." 10 60 $LOG_SIZE_LIMIT 3>&1 1>&2 2>&3)
  local exitstatus=$?
  whiptail_check_exitstatus $exitstatus
 }
 whiptail_management_nic() {
  MNIC=$(whiptail --title "NIC Setup" --radiolist "Please select your management NIC" 20 78 12 ${NICS[@]} 3>&1 1>&2 2>&3 )
  while [ -z "$MNIC" ]
  do
    MNIC=$(whiptail --title "NIC Setup" --radiolist "Please select your management NIC" 20 78 12 ${NICS[@]} 3>&1 1>&2 2>&3 )
  done
  local exitstatus=$?
  whiptail_check_exitstatus $exitstatus
 }
 whiptail_nids() {
  NIDS=$(whiptail --title "Security Onion Setup" --radiolist \
  "Choose which IDS to run:" 20 78 4 \
  "Suricata" "Suricata 4.X" ON  \
  "Snort" "Snort 3.0 Beta" OFF 3>&1 1>&2 2>&3 )
  local exitstatus=$?
  whiptail_check_exitstatus $exitstatus
 }
 whiptail_oinkcode() {
  OINKCODE=$(whiptail --title "Security Onion Setup" --inputbox \
  "Enter your oinkcode" 10 60 XXXXXXX 3>&1 1>&2 2>&3)
  local exitstatus=$?
  whiptail_check_exitstatus $exitstatus
 }
 whiptail_make_changes() {
  whiptail --title "Security Onion Setup" --yesno "We are going to set this machine up as a $INSTALLTYPE. Please hit YES to make changes or NO to cancel." 8 78
  local exitstatus=$?
  whiptail_check_exitstatus $exitstatus
 }
 whiptail_management_server() {
  MSRV=$(whiptail --title "Security Onion Setup" --inputbox \
  "Enter your Master Server HOSTNAME. It is CASE SENSITIVE!" 10 60 XXXX 3>&1 1>&2 2>&3)
  # See if it resolves. Otherwise prompt to add to host file
  TESTHOST=$(host $MSRV)
  if [[ $TESTHOST = *"not found"* ]] || [[ $TESTHOST = *"connection timed out"* ]]; then
    add_master_hostfile
  fi
  local exitstatus=$?
  whiptail_check_exitstatus $exitstatus
 }
 # Ask if you want to do advanced setup of the Master
 whiptail_master_adv() {
  MASTERADV=$(whiptail --title "Security Onion Setup" --radiolist \
  "Choose what type of master install:" 20 78 4 \
  "BASIC" "Install master with recommended settings" ON  \
  "ADVANCED" "Do additional configuration to the master" OFF 3>&1 1>&2 2>&3 )
 }
 # Ask which additional components to install
 whiptail_master_adv_service_brologs() {
  BLOGS=$(whiptail --title "Security Onion Setup" --checklist "Please Select Logs to Send:" 24 78 12 \
  "conn" "Connection Logging" ON \
  "dce_rpc" "RPC Logs" ON \
  "dhcp" "DHCP Logs" ON \
  "dhcpv6" "DHCP IPv6 Logs" ON \
  "dnp3" "DNP3 Logs" ON \
  "dns" "DNS Logs" ON \
  "dpd" "DPD Logs" ON \
  "files" "Files Logs" ON \
  "ftp" "FTP Logs" ON \
  "http" "HTTP Logs" ON \
  "intel" "Intel Hits Logs" ON \
  "irc" "IRC Chat Logs" ON \
  "kerberos" "Kerberos Logs" ON \
  "modbus" "MODBUS Logs" ON \
  "mqtt" "MQTT Logs" ON \
  "notice" "Zeek Notice Logs" ON \
  "ntlm" "NTLM Logs" ON \
  "openvpn" "OPENVPN Logs" ON \
  "pe" "PE Logs" ON \
  "radius" "Radius Logs" ON \
  "rfb" "RFB Logs" ON \
  "rdp" "RDP Logs" ON \
  "signatures" "Signatures Logs" ON \
  "sip" "SIP Logs" ON \
  "smb_files" "SMB Files Logs" ON \
  "smb_mapping" "SMB Mapping Logs" ON \
  "smtp" "SMTP Logs" ON \
  "snmp" "SNMP Logs" ON \
  "software" "Software Logs" ON \
  "ssh" "SSH Logs" ON \
  "ssl" "SSL Logs" ON \
  "syslog" "Syslog Logs" ON \
  "telnet" "Telnet Logs" ON \
  "tunnel" "Tunnel Logs" ON \
  "weird" "Zeek Weird Logs" ON \
  "mysql" "MySQL Logs" ON \
  "socks" "SOCKS Logs" ON \
  "x509" "x.509 Logs" ON 3>&1 1>&2 2>&3 )
 }
 whiptail_network_notice() {
  whiptail --title "Security Onion Setup" --yesno "Since this is a network install we assume the management interface, DNS, Hostname, etc are already set up. Hit YES to continue." 8 78
  local exitstatus=$?
  whiptail_check_exitstatus $exitstatus
 }
 whiptail_node_advanced() {
  NODESETUP=$(whiptail --title "Security Onion Setup" --radiolist \
  "What type of config would you like to use?:" 20 78 4 \
  "NODEBASIC" "Install Storage Node with recommended settings" ON \
  "NODEADVANCED" "Advanced Node Setup" OFF 3>&1 1>&2 2>&3 )
  local exitstatus=$?
  whiptail_check_exitstatus $exitstatus
 }
 whiptail_node_es_heap() {
  es_heapsize
  NODE_ES_HEAP_SIZE=$(whiptail --title "Security Onion Setup" --inputbox \
  "\nEnter ES Heap Size: \n \n(Recommended value is pre-populated)" 10 60 $ES_HEAP_SIZE 3>&1 1>&2 2>&3)
  local exitstatus=$?
  whiptail_check_exitstatus $exitstatus
 }
 whiptail_node_ls_heap() {
  ls_heapsize
  NODE_LS_HEAP_SIZE=$(whiptail --title "Security Onion Setup" --inputbox \
  "\nEnter LogStash Heap Size: \n \n(Recommended value is pre-populated)" 10 60 $LS_HEAP_SIZE 3>&1 1>&2 2>&3)
  local exitstatus=$?
  whiptail_check_exitstatus $exitstatus
 }
 whiptail_node_ls_pipeline_worker() {
  LSPIPELINEWORKERS=$(whiptail --title "Security Onion Setup" --inputbox \
  "\nEnter LogStash Pipeline Workers: \n \n(Recommended value is pre-populated)" 10 60 $CPUCORES 3>&1 1>&2 2>&3)
  local exitstatus=$?
  whiptail_check_exitstatus $exitstatus
 }
 whiptail_node_ls_pipline_batchsize() {
  LSPIPELINEBATCH=$(whiptail --title "Security Onion Setup" --inputbox \
  "\nEnter LogStash Pipeline Batch Size: \n \n(Default value is pre-populated)" 10 60 125 3>&1 1>&2 2>&3)
  local exitstatus=$?
  whiptail_check_exitstatus $exitstatus
 }
 whiptail_node_ls_input_threads() {
  LSINPUTTHREADS=$(whiptail --title "Security Onion Setup" --inputbox \
    "\nEnter LogStash Input Threads: \n \n(Default value is pre-populated)" 10 60 1 3>&1 1>&2 2>&3)
    local exitstatus=$?
    whiptail_check_exitstatus $exitstatus
 }
 whiptail_node_ls_input_batch_count() {
  LSINPUTBATCHCOUNT=$(whiptail --title "Security Onion Setup" --inputbox \
  "\nEnter LogStash Input Batch Count: \n \n(Default value is pre-populated)" 10 60 125 3>&1 1>&2 2>&3)
  local exitstatus=$?
  whiptail_check_exitstatus $exitstatus
 }
 whiptail_passwords_dont_match() {
  whiptail --title "Security Onion Setup" --msgbox "Passwords don't match. Please re-enter." 8 78
 }
 whiptail_patch_name_new_schedule() {
  PATCHSCHEDULENAME=$(whiptail --title "Security Onion Setup" --inputbox \
  "What name do you want to give this OS patch schedule? This schedule needs to be named uniquely. Available schedules can be found on the master under /opt/so/salt/patch/os/schedules/<schedulename>.yml" 10 105 3>&1 1>&2 2>&3)
  local exitstatus=$?
  whiptail_check_exitstatus $exitstatus
  while [[ -z "$PATCHSCHEDULENAME"  ]]; do
    whiptail --title "Security Onion Setup" --msgbox "Please enter a name for this OS patch schedule." 8 65
    PATCHSCHEDULENAME=$(whiptail --title "Security Onion Setup" --inputbox \
    "What name do you want to give this OS patch schedule? This schedule needs to be named uniquely. Available schedules can be found on the master under /opt/so/salt/patch/os/schedules/<schedulename>.yml" 10 105 3>&1 1>&2 2>&3)
    local exitstatus=$?
    whiptail_check_exitstatus $exitstatus
  done
 }
 whiptail_patch_schedule() {
  # What kind of patch schedule are we doing?
  PATCHSCHEDULE=$(whiptail --title "Security Onion Setup" --radiolist \
  "Choose OS patch schedule. This will NOT update Security Onion related tools such as Zeek, Elasticsearch, Kibana, SaltStack, etc." 25 115 5 \
  "Automatic" "Package updates will be installed automatically every 8 hours if available" ON \
  "Manual" "Package updates will need to be installed manually" OFF \
  "Import Schedule" "Enter the name of an existing schedule on the following screen and inherit it" OFF \
  "New Schedule" "Configure and name a new schedule on the following screen" OFF 3>&1 1>&2 2>&3 )
  local exitstatus=$?
  whiptail_check_exitstatus $exitstatus
 }
 whiptail_patch_schedule_import() {
  unset PATCHSCHEDULENAME
  PATCHSCHEDULENAME=$(whiptail --title "Security Onion Setup" --inputbox \
  "Enter the name of the OS patch schedule you want to inherit. Available schedules can be found on the master under /opt/so/salt/patch/os/schedules/<schedulename>.yml" 10 60 3>&1 1>&2 2>&3)
  local exitstatus=$?
  whiptail_check_exitstatus $exitstatus
  while [[ -z "$PATCHSCHEDULENAME"  ]]; do
    whiptail --title "Security Onion Setup" --msgbox "Please enter a name for the OS patch schedule you want to inherit." 8 65
    PATCHSCHEDULENAME=$(whiptail --title "Security Onion Setup" --inputbox \
    "Enter the name of the OS patch schedule you want to inherit. Available schedules can be found on the master under /opt/so/salt/patch/os/schedules/<schedulename>.yml" 10 60 3>&1 1>&2 2>&3)
    local exitstatus=$?
    whiptail_check_exitstatus $exitstatus
  done
 }
 whiptail_patch_schedule_select_days() {
   # Select the days to patch
  PATCHSCHEDULEDAYS=($(whiptail --title "Security Onion Setup" --checklist \
  "Which days do you want to apply OS patches?" 20 55 9 \
  "Monday" "" OFF \
  "Tuesday" "" ON \
  "Wednesday" "" OFF \
  "Thursday" "" OFF \
  "Friday" "" OFF \
  "Saturday" "" OFF \
  "Sunday" "" OFF 3>&1 1>&2 2>&3 ))
  local exitstatus=$?
  whiptail_check_exitstatus $exitstatus
 }
 whiptail_patch_schedule_select_hours() {
   # Select the hours to patch
  PATCHSCHEDULEHOURS=($(whiptail --title "Security Onion Setup" --checklist \
  "At which time, UTC, do you want to apply OS patches on the selected days?" 35 55 26 \
  "00:00" "" OFF \
  "01:00" "" OFF \
  "02:00" "" OFF \
  "03:00" "" OFF \
  "04:00" "" OFF \
  "05:00" "" OFF \
  "06:00" "" OFF \
  "07:00" "" OFF \
  "08:00" "" OFF \
  "09:00" "" OFF \
  "10:00" "" OFF \
  "11:00" "" OFF \
  "12:00" "" OFF \
  "13:00" "" OFF \
  "14:00" "" OFF \
  "15:00" "" ON \
  "16:00" "" OFF \
  "17:00" "" OFF \
  "18:00" "" OFF \
  "19:00" "" OFF \
  "20:00" "" OFF \
  "21:00" "" OFF \
  "22:00" "" OFF \
  "23:00" "" OFF 3>&1 1>&2 2>&3 ))
  local exitstatus=$?
  whiptail_check_exitstatus $exitstatus
 }
 whiptail_rule_setup() {
  # Get pulled pork info
  RULESETUP=$(whiptail --title "Security Onion Setup" --radiolist \
  "What IDS rules to use?:" 20 140 4 \
  "ETOPEN" "Emerging Threats Open - no oinkcode required" ON \
  "ETPRO" "Emerging Threats PRO - requires ETPRO oinkcode" OFF \
  "TALOSET" "Snort Subscriber (Talos) ruleset and Emerging Threats NoGPL ruleset - requires Snort Subscriber oinkcode" OFF \
  "TALOS" "Snort Subscriber (Talos) ruleset only and set a Snort Subscriber policy - requires Snort Subscriber oinkcode" OFF 3>&1 1>&2 2>&3 )
  local exitstatus=$?
  whiptail_check_exitstatus $exitstatus
 }
 whiptail_sensor_config() {
  NSMSETUP=$(whiptail --title "Security Onion Setup" --radiolist \
  "What type of configuration would you like to use?:" 20 78 4 \
  "BASIC" "Install NSM components with recommended settings" ON \
  "ADVANCED" "Configure each component individually" OFF 3>&1 1>&2 2>&3 )
  local exitstatus=$?
  whiptail_check_exitstatus $exitstatus
 }
 whiptail_set_hostname() {
  HOSTNAME=$(whiptail --title "Security Onion Setup" --inputbox \
  "Enter the Hostname you would like to set." 10 60 $HOSTNAME 3>&1 1>&2 2>&3)
  while [[ "$HOSTNAME" == 'localhost' ]] ; do
    whiptail --title "Security Onion Setup" --msgbox "Please choose a hostname that isn't localhost." 8 65
    HOSTNAME=$(whiptail --title "Security Onion Setup" --inputbox \
    "Enter the Hostname you would like to set." 10 60 $HOSTNAME 3>&1 1>&2 2>&3)
  done
  local exitstatus=$?
  whiptail_check_exitstatus $exitstatus
 }
 whiptail_setup_complete() {
  whiptail --title "Security Onion Setup" --msgbox "Finished installing this as an $INSTALLTYPE. Press Enter to reboot." 8 78
  install_cleanup
 }
 whiptail_setup_failed() {
  whiptail --title "Security Onion Setup" --msgbox "Install had a problem. Please see $SETUPLOG for details. Press Enter to reboot." 8 78
  install_cleanup
 }
 whiptail_shard_count() {
  SHARDCOUNT=$(whiptail --title "Security Onion Setup" --inputbox \
  "\nEnter ES Shard Count: \n \n(Default value is pre-populated)" 10 60 125 3>&1 1>&2 2>&3)
  local exitstatus=$?
  whiptail_check_exitstatus $exitstatus
 }
 whiptail_suricata_pins() {
  FILTEREDCORES=$(echo ${LISTCORES[@]} ${BROPINS[@]} | tr -d '"' | tr ' ' '\n' | sort | uniq -u | awk '{print $1 " \"" "core" "\""}')
  SURIPINS=$(whiptail --noitem --title "Pin Suricata CPUS" --checklist "Please Select $LBPROCS cores to pin Suricata to:" 20 78 12 ${FILTEREDCORES[@]} 3>&1 1>&2 2>&3 )
  local exitstatus=$?
  whiptail_check_exitstatus $exitstatus
 }
 whiptail_master_updates() {
  MASTERUPDATES=$(whiptail --title "Security Onion Setup" --radiolist \
  "How would you like to download updates for your grid?:" 20 78 4 \
  "MASTER" "Have the master node act as a proxy for OS/Docker updates." ON \
  "OPEN" "Have each node connect to the Internet for updates" OFF 3>&1 1>&2 2>&3 )
  local exitstatus=$?
  whiptail_check_exitstatus $exitstatus
 }
 whiptail_node_updates() {
  NODEUPDATES=$(whiptail --title "Security Onion Setup" --radiolist \
  "How would you like to download updates for this node?:" 20 78 4 \
  "MASTER" "Download OS/Docker updates from the Master." ON \
  "OPEN" "Download updates directly from the Internet" OFF 3>&1 1>&2 2>&3 )
  local exitstatus=$?
  whiptail_check_exitstatus $exitstatus
 }
 whiptail_you_sure() {
  whiptail --title "Security Onion Setup" --yesno "Are you sure you want to install Security Onion over the internet?" 8 78
 }
--- a/so-setup-network.sh
+++ b/so-setup-network.sh
@@ -55,10 +55,6 @@ add_master_hostfile() {
  MSRVIP=$(whiptail --title "Security Onion Setup" --inputbox \
  "Enter your Master Server IP Address" 10 60 X.X.X.X 3>&1 1>&2 2>&3)
  # Add the master to the host file if it doesn't resolve
  #if ! grep -q $MSRVIP /etc/hosts; then
  #  echo "$MSRVIP   $MSRV" >> /etc/hosts
  #fi
 }
 add_socore_user_master() {
@@ -77,21 +73,6 @@ add_socore_user_master() {
 }
 #add_socore_user_master() {
 #  echo "Add socore on the master" >> $SETUPLOG 2>&1
 #  if [ $OS == 'centos' ]; then
 #    local ADDUSER=adduser
 #  else
 #    local ADDUSER=useradd
 #  fi
 #  # Add user "socore" to the master. This will be for things like accepting keys.
 #  groupadd --gid 939 socore
 #  $ADDUSER --uid 939 --gid 939 --home-dir /opt/so socore
 #  # Prompt the user to set a password for the user
 #  passwd socore
 #}
 add_socore_user_notmaster() {
  echo "Add socore user on non master" >> $SETUPLOG 2>&1
  # Add socore user to the non master system. Probably not a bad idea to make system user
@@ -255,6 +236,9 @@ configure_minion() {
  fi
  echo "use_superseded:" >> /etc/salt/minion
  echo "  - module.run" >> /etc/salt/minion
  service salt-minion restart
 }
@@ -268,14 +252,15 @@ copy_master_config() {
 }
-copy_minion_pillar() {
+copy_minion_tmp_files() {
-  # Pass the type so it knows where to copy the pillar
+  if [ $INSTALLTYPE == 'MASTERONLY' ] || [ $INSTALLTYPE == 'EVALMODE' ]; then
-  local TYPE=$1
+    echo "rsyncing all files in $TMP to /opt/so/saltstack" >> $SETUPLOG 2>&1
-
+    rsync -a -v $TMP/ /opt/so/saltstack/ >> $SETUPLOG 2>&1
-  # Copy over the pillar
+  else
-  echo "Copying the pillar over" >> $SETUPLOG 2>&1
+    echo "scp all files in $TMP to master /opt/so/saltstack" >> $SETUPLOG 2>&1
-  scp -v -i /root/.ssh/so.key $TMP/$MINION_ID.sls socore@$MSRV:/opt/so/saltstack/pillar/$TYPE/$MINION_ID.sls
+    scp -prv -i /root/.ssh/so.key $TMP/* socore@$MSRV:/opt/so/saltstack >> $SETUPLOG 2>&1
  fi
  }
@@ -351,7 +336,7 @@ docker_install() {
    yum -y install yum-utils device-mapper-persistent-data lvm2 openssl
    yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
    yum -y update
-    yum -y install docker-ce docker-python python-docker
+    yum -y install docker-ce python36-docker
    if [ $INSTALLTYPE != 'EVALMODE'  ]; then
      docker_registry
    fi
@@ -377,6 +362,8 @@ docker_install() {
      echo "Restarting Docker" >> $SETUPLOG 2>&1
      systemctl restart docker >> $SETUPLOG 2>&1
    fi
    echo "Using pip3 to install docker-py for salt"
    pip3 install docker
  fi
 }
@@ -428,6 +415,7 @@ generate_passwords(){
  FLEETPASS=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 20 | head -n 1)
  HIVEKEY=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 20 | head -n 1)
  CORTEXKEY=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 20 | head -n 1)
  CORTEXORGUSERKEY=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 20 | head -n 1)
  SENSORONIKEY=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 20 | head -n 1)
 }
@@ -478,6 +466,18 @@ install_cleanup() {
 }
 install_python3() {
  echo "Installing Python3"
  if [ $OS == 'ubuntu' ]; then
    apt-get -y install python3-pip gcc python3-dev
  elif [ $OS == 'centos' ]; then
    yum -y install epel-release python3
  fi
 }
 install_prep() {
  # Create a tmp space that isn't in /tmp
@@ -490,18 +490,22 @@ install_master() {
  # Install the salt master package
  if [ $OS == 'centos' ]; then
-    yum -y install wget salt-common salt-master >> $SETUPLOG 2>&1
+    #yum -y install wget salt-common salt-master python36-mysql python36-dateutil python36-m2crypto >> $SETUPLOG 2>&1
-
+    echo ""
    # Create a place for the keys for Ubuntu minions
-    mkdir -p /opt/so/gpg
+    #mkdir -p /opt/so/gpg
-    wget --inet4-only -O /opt/so/gpg/SALTSTACK-GPG-KEY.pub https://repo.saltstack.com/apt/ubuntu/16.04/amd64/latest/SALTSTACK-GPG-KEY.pub
+    #wget --inet4-only -O /opt/so/gpg/SALTSTACK-GPG-KEY.pub https://repo.saltstack.com/apt/ubuntu/16.04/amd64/latest/SALTSTACK-GPG-KEY.pub
-    wget --inet4-only -O /opt/so/gpg/docker.pub https://download.docker.com/linux/ubuntu/gpg
+    #wget --inet4-only -O /opt/so/gpg/docker.pub https://download.docker.com/linux/ubuntu/gpg
-    wget --inet4-only -O /opt/so/gpg/GPG-KEY-WAZUH https://packages.wazuh.com/key/GPG-KEY-WAZUH
+    #wget --inet4-only -O /opt/so/gpg/GPG-KEY-WAZUH https://packages.wazuh.com/key/GPG-KEY-WAZUH
  else
-    apt-get install -y salt-common=2018.3.4+ds-1 salt-master=2018.3.4+ds-1 salt-minion=2018.3.4+ds-1 python-m2crypto
+    apt-get install -y salt-common=2019.2.2+ds-1 salt-master=2019.2.2+ds-1 salt-minion=2019.2.2+ds-1
    apt-mark hold salt-common salt-master salt-minion
-    apt-get install -y python-m2crypto
+    echo -e "XXX\n11\nInstalling libssl-dev for M2Crypto... \nXXX"
    apt-get -y install libssl-dev
    echo -e "XXX\n12\nUsing pip3 to install M2Crypto for Salt... \nXXX"
    pip3 install M2Crypto
  fi
  copy_master_config
@@ -579,6 +583,9 @@ master_static() {
  echo "  cortexuser: cortexadmin" >> /opt/so/saltstack/pillar/static.sls
  echo "  cortexpassword: cortexchangeme" >> /opt/so/saltstack/pillar/static.sls
  echo "  cortexkey: $CORTEXKEY" >> /opt/so/saltstack/pillar/static.sls
  echo "  cortexorgname: SecurityOnion" >> /opt/so/saltstack/pillar/static.sls
  echo "  cortexorguser: soadmin" >> /opt/so/saltstack/pillar/static.sls
  echo "  cortexorguserkey: $CORTEXORGUSERKEY" >> /opt/so/saltstack/pillar/static.sls
  echo "  fleetsetup: 0" >> /opt/so/saltstack/pillar/static.sls
  echo "  sensoronikey: $SENSORONIKEY" >> /opt/so/saltstack/pillar/static.sls
  if [[ $MASTERUPDATES == 'MASTER' ]]; then
@@ -599,23 +606,77 @@ minio_generate_keys() {
 node_pillar() {
  NODEPILLARPATH=$TMP/pillar/nodes
  if [ ! -d $NODEPILLARPATH ]; then
    mkdir -p $NODEPILLARPATH
  fi
  # Create the node pillar
-  touch $TMP/$MINION_ID.sls
+  touch $NODEPILLARPATH/$MINION_ID.sls
-  echo "node:" > $TMP/$MINION_ID.sls
+  echo "node:" > $NODEPILLARPATH/$MINION_ID.sls
-  echo "  mainip: $MAINIP" >> $TMP/$MINION_ID.sls
+  echo "  mainip: $MAINIP" >> $NODEPILLARPATH/$MINION_ID.sls
-  echo "  mainint: $MAININT" >> $TMP/$MINION_ID.sls
+  echo "  mainint: $MAININT" >> $NODEPILLARPATH/$MINION_ID.sls
-  echo "  esheap: $NODE_ES_HEAP_SIZE" >> $TMP/$MINION_ID.sls
+  echo "  esheap: $NODE_ES_HEAP_SIZE" >> $NODEPILLARPATH/$MINION_ID.sls
-  echo "  esclustername: {{ grains.host }}" >> $TMP/$MINION_ID.sls
+  echo "  esclustername: {{ grains.host }}" >> $NODEPILLARPATH/$MINION_ID.sls
-  echo "  lsheap: $NODE_LS_HEAP_SIZE" >> $TMP/$MINION_ID.sls
+  echo "  lsheap: $NODE_LS_HEAP_SIZE" >> $NODEPILLARPATH/$MINION_ID.sls
-  echo "  ls_pipeline_workers: $LSPIPELINEWORKERS" >> $TMP/$MINION_ID.sls
+  echo "  ls_pipeline_workers: $LSPIPELINEWORKERS" >> $NODEPILLARPATH/$MINION_ID.sls
-  echo "  ls_pipeline_batch_size: $LSPIPELINEBATCH" >> $TMP/$MINION_ID.sls
+  echo "  ls_pipeline_batch_size: $LSPIPELINEBATCH" >> $NODEPILLARPATH/$MINION_ID.sls
-  echo "  ls_input_threads: $LSINPUTTHREADS" >> $TMP/$MINION_ID.sls
+  echo "  ls_input_threads: $LSINPUTTHREADS" >> $NODEPILLARPATH/$MINION_ID.sls
-  echo "  ls_batch_count: $LSINPUTBATCHCOUNT" >> $TMP/$MINION_ID.sls
+  echo "  ls_batch_count: $LSINPUTBATCHCOUNT" >> $NODEPILLARPATH/$MINION_ID.sls
-  echo "  es_shard_count: $SHARDCOUNT" >> $TMP/$MINION_ID.sls
+  echo "  es_shard_count: $SHARDCOUNT" >> $NODEPILLARPATH/$MINION_ID.sls
-  echo "  node_type: $NODETYPE" >> $TMP/$MINION_ID.sls
+  echo "  node_type: $NODETYPE" >> $NODEPILLARPATH/$MINION_ID.sls
-  echo "  es_port: $NODE_ES_PORT" >> $TMP/$MINION_ID.sls
+  echo "  es_port: $NODE_ES_PORT" >> $NODEPILLARPATH/$MINION_ID.sls
-  echo "  log_size_limit: $LOG_SIZE_LIMIT" >> $TMP/$MINION_ID.sls
+  echo "  log_size_limit: $LOG_SIZE_LIMIT" >> $NODEPILLARPATH/$MINION_ID.sls
-  echo "  cur_close_days: $CURCLOSEDAYS" >> $TMP/$MINION_ID.sls
+  echo "  cur_close_days: $CURCLOSEDAYS" >> $NODEPILLARPATH/$MINION_ID.sls
 }
 patch_pillar() {
  case $INSTALLTYPE in
    MASTERONLY | EVALMODE)
      PATCHPILLARPATH=/opt/so/saltstack/pillar/masters
      ;;
    SENSORONLY)
      PATCHPILLARPATH=$SENSORPILLARPATH
      ;;
    STORAGENODE | PARSINGNODE | HOTNODE | WARMNODE)
      PATCHPILLARPATH=$NODEPILLARPATH
      ;;
  esac
  echo "" >> $PATCHPILLARPATH/$MINION_ID.sls
  echo "patch:" >> $PATCHPILLARPATH/$MINION_ID.sls
  echo "  os:" >> $PATCHPILLARPATH/$MINION_ID.sls
  echo "    schedule_name: $PATCHSCHEDULENAME" >> $PATCHPILLARPATH/$MINION_ID.sls
  echo "    enabled: True" >> $PATCHPILLARPATH/$MINION_ID.sls
  echo "    splay: 300" >> $PATCHPILLARPATH/$MINION_ID.sls
 }
 patch_schedule_os_new() {
  OSPATCHSCHEDULEDIR="$TMP/salt/patch/os/schedules"
  OSPATCHSCHEDULE="$OSPATCHSCHEDULEDIR/$PATCHSCHEDULENAME.yml"
  if [ ! -d $OSPATCHSCHEDULEDIR ] ; then
    mkdir -p $OSPATCHSCHEDULEDIR
  fi
  echo "patch:" > $OSPATCHSCHEDULE
      echo "  os:" >> $OSPATCHSCHEDULE
      echo "    schedule:" >> $OSPATCHSCHEDULE
      for psd in "${PATCHSCHEDULEDAYS[@]}"
      do
        psd=$(echo $psd | sed 's/"//g')
        echo "      - $psd:" >> $OSPATCHSCHEDULE
        for psh in "${PATCHSCHEDULEHOURS[@]}"
        do
          psh=$(echo $psh | sed 's/"//g')
          echo "        - '$psh'" >> $OSPATCHSCHEDULE
        done
      done
 }
@@ -641,9 +702,14 @@ saltify() {
    ADDUSER=adduser
    if [ $INSTALLTYPE == 'MASTERONLY' ] || [ $INSTALLTYPE == 'EVALMODE' ]; then
-      yum -y install https://repo.saltstack.com/yum/redhat/salt-repo-latest-2.el7.noarch.rpm
+      yum -y install wget https://repo.saltstack.com/py3/redhat/salt-py3-repo-latest-2.el7.noarch.rpm
-      cp /etc/yum.repos.d/salt-latest.repo /etc/yum.repos.d/salt-2018-3.repo
+      cp /etc/yum.repos.d/salt-latest.repo /etc/yum.repos.d/salt-2019-2.repo
-      sed -i 's/latest/2018.3/g' /etc/yum.repos.d/salt-2018-3.repo
+      sed -i 's/latest/2019.2/g' /etc/yum.repos.d/salt-2019-2.repo
      # Download Ubuntu Keys in case master updates = 1
      mkdir -p /opt/so/gpg
      wget --inet4-only -O /opt/so/gpg/SALTSTACK-GPG-KEY.pub https://repo.saltstack.com/apt/ubuntu/16.04/amd64/latest/SALTSTACK-GPG-KEY.pub
      wget --inet4-only -O /opt/so/gpg/docker.pub https://download.docker.com/linux/ubuntu/gpg
      wget --inet4-only -O /opt/so/gpg/GPG-KEY-WAZUH https://packages.wazuh.com/key/GPG-KEY-WAZUH
      cat > /etc/yum.repos.d/wazuh.repo <<\EOF
 [wazuh_repo]
 gpgcheck=1
@@ -750,20 +816,20 @@ EOF
        # Proxy is hating on me.. Lets just set it manually
        echo "[salt-latest]" > /etc/yum.repos.d/salt-latest.repo
        echo "name=SaltStack Latest Release Channel for RHEL/Centos \$releasever" >> /etc/yum.repos.d/salt-latest.repo
-        echo "baseurl=https://repo.saltstack.com/yum/redhat/7/\$basearch/latest" >> /etc/yum.repos.d/salt-latest.repo
+        echo "baseurl=https://repo.saltstack.com/py3/redhat/7/\$basearch/latest" >> /etc/yum.repos.d/salt-latest.repo
        echo "failovermethod=priority" >> /etc/yum.repos.d/salt-latest.repo
        echo "enabled=1" >> /etc/yum.repos.d/salt-latest.repo
        echo "gpgcheck=1" >> /etc/yum.repos.d/salt-latest.repo
        echo "gpgkey=file:///etc/pki/rpm-gpg/saltstack-signing-key" >> /etc/yum.repos.d/salt-latest.repo
        # Proxy is hating on me.. Lets just set it manually
-        echo "[salt-2018.3]" > /etc/yum.repos.d/salt-2018-3.repo
+        echo "[salt-2019.2]" > /etc/yum.repos.d/salt-2019-2.repo
-        echo "name=SaltStack Latest Release Channel for RHEL/Centos \$releasever" >> /etc/yum.repos.d/salt-2018-3.repo
+        echo "name=SaltStack Latest Release Channel for RHEL/Centos \$releasever" >> /etc/yum.repos.d/salt-2019-2.repo
-        echo "baseurl=https://repo.saltstack.com/yum/redhat/7/\$basearch/2018.3" >> /etc/yum.repos.d/salt-2018-3.repo
+        echo "baseurl=https://repo.saltstack.com/py3/redhat/7/\$basearch/2019.2" >> /etc/yum.repos.d/salt-2019-2.repo
-        echo "failovermethod=priority" >> /etc/yum.repos.d/salt-2018-3.repo
+        echo "failovermethod=priority" >> /etc/yum.repos.d/salt-2019-2.repo
-        echo "enabled=1" >> /etc/yum.repos.d/salt-2018-3.repo
+        echo "enabled=1" >> /etc/yum.repos.d/salt-2019-2.repo
-        echo "gpgcheck=1" >> /etc/yum.repos.d/salt-2018-3.repo
+        echo "gpgcheck=1" >> /etc/yum.repos.d/salt-2019-2.repo
-        echo "gpgkey=file:///etc/pki/rpm-gpg/saltstack-signing-key" >> /etc/yum.repos.d/salt-2018-3.repo
+        echo "gpgkey=file:///etc/pki/rpm-gpg/saltstack-signing-key" >> /etc/yum.repos.d/salt-2019-2.repo
        cat > /etc/yum.repos.d/wazuh.repo <<\EOF
 [wazuh_repo]
@@ -775,9 +841,9 @@ baseurl=https://packages.wazuh.com/3.x/yum/
 protect=1
 EOF
      else
-        yum -y install https://repo.saltstack.com/yum/redhat/salt-repo-latest-2.el7.noarch.rpm
+        yum -y install https://repo.saltstack.com/py3/redhat/salt-py3-repo-latest-2.el7.noarch.rpm
-        cp /etc/yum.repos.d/salt-latest.repo /etc/yum.repos.d/salt-2018-3.repo
+        cp /etc/yum.repos.d/salt-latest.repo /etc/yum.repos.d/salt-2019-2.repo
-        sed -i 's/latest/2018.3/g' /etc/yum.repos.d/salt-2018-3.repo
+        sed -i 's/latest/2019.2/g' /etc/yum.repos.d/salt-2019-2.repo
 cat > /etc/yum.repos.d/wazuh.repo <<\EOF
 [wazuh_repo]
 gpgcheck=1
@@ -791,16 +857,15 @@ EOF
    fi
    yum clean expire-cache
-    yum -y install salt-minion-2018.3.4 yum-utils device-mapper-persistent-data lvm2 openssl
+    yum -y install epel-release salt-minion-2019.2.2 yum-utils device-mapper-persistent-data lvm2 openssl
    yum -y update exclude=salt*
    systemctl enable salt-minion
    # Nasty hack but required for now
    if [ $INSTALLTYPE == 'MASTERONLY' ] || [ $INSTALLTYPE == 'EVALMODE' ]; then
-      yum -y install salt-master-2018.3.4 python-m2crypto salt-minion-2018.3.4 m2crypto
+      yum -y install salt-master-2019.2.2 python3 python36-m2crypto salt-minion-2019.2.2 python36-dateutil python36-mysql python36-docker
      systemctl enable salt-master
    else
-      yum -y install salt-minion-2018.3.4 python-m2m2crypto m2crypto
+      yum -y install salt-minion-2019.2.2 python3 python36-m2crypto python36-dateutil python36-docker
    fi
    echo "exclude=salt*" >> /etc/yum.conf
@@ -817,11 +882,13 @@ EOF
    # Nasty hack but required for now
    if [ $INSTALLTYPE == 'MASTERONLY' ] || [ $INSTALLTYPE == 'EVALMODE' ]; then
      #echo "Using pip3 to install python-dateutil for salt"
      #pip3 install python-dateutil
      # Install the repo for salt
      wget --inet4-only -O - https://repo.saltstack.com/apt/ubuntu/$UVER/amd64/latest/SALTSTACK-GPG-KEY.pub | apt-key add -
-      wget --inet4-only -O - https://repo.saltstack.com/apt/ubuntu/$UVER/amd64/2018.3/SALTSTACK-GPG-KEY.pub | apt-key add -
+      wget --inet4-only -O - https://repo.saltstack.com/apt/ubuntu/$UVER/amd64/2019.2/SALTSTACK-GPG-KEY.pub | apt-key add -
-      echo "deb http://repo.saltstack.com/apt/ubuntu/$UVER/amd64/latest xenial main" > /etc/apt/sources.list.d/saltstack.list
+      echo "deb http://repo.saltstack.com/py3/ubuntu/$UVER/amd64/latest xenial main" > /etc/apt/sources.list.d/saltstack.list
-      echo "deb http://repo.saltstack.com/apt/ubuntu/$UVER/amd64/2018.3 xenial main" > /etc/apt/sources.list.d/saltstack2018.list
+      echo "deb http://repo.saltstack.com/py3/ubuntu/$UVER/amd64/2019.2 xenial main" > /etc/apt/sources.list.d/saltstack2019.list
      # Lets get the docker repo added
      curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
@@ -840,7 +907,8 @@ EOF
      # Initialize the new repos
      apt-get update >> $SETUPLOG 2>&1
-      apt-get -y install salt-minion=2018.3.4+ds-1 salt-common=2018.3.4+ds-1 python-m2crypto >> $SETUPLOG 2>&1
+      # Need to add python packages here
      apt-get -y install salt-minion=2019.2.2+ds-1 salt-common=2019.2.2+ds-1 python3-dateutil >> $SETUPLOG 2>&1
      apt-mark hold salt-minion salt-common
    else
@@ -854,7 +922,8 @@ EOF
      echo "deb https://packages.wazuh.com/3.x/apt/ stable main" | tee /etc/apt/sources.list.d/wazuh.list
      # Initialize the new repos
      apt-get update >> $SETUPLOG 2>&1
-      apt-get -y install salt-minion=2018.3.4+ds-1 salt-common=2018.3.4+ds-1 python-m2crypto >> $SETUPLOG 2>&1
+      # Need to add python dateutil here
      apt-get -y install salt-minion=2019.2.2+ds-1 salt-common=2019.2.2+ds-1 >> $SETUPLOG 2>&1
      apt-mark hold salt-minion salt-common
    fi
@@ -924,39 +993,63 @@ salt_master_directories() {
 }
 salt_install_mysql_deps() {
  if [ $OS == 'centos' ]; then
    yum -y install mariadb-devel
  elif [ $OS == 'ubuntu' ]; then
    apt-get -y install libmysqlclient-dev python3-mysqldb
  fi
 }
 sensor_pillar() {
  SENSORPILLARPATH=$TMP/pillar/sensors
  if [ ! -d $SENSORPILLARPATH ]; then
    mkdir -p $SENSORPILLARPATH
  fi
  # Create the sensor pillar
-  touch $TMP/$MINION_ID.sls
+  touch $SENSORPILLARPATH/$MINION_ID.sls
-  echo "sensor:" > $TMP/$MINION_ID.sls
+  echo "sensor:" > $SENSORPILLARPATH/$MINION_ID.sls
-  echo "  interface: bond0" >> $TMP/$MINION_ID.sls
+  echo "  interface: bond0" >> $SENSORPILLARPATH/$MINION_ID.sls
-  echo "  mainip: $MAINIP" >> $TMP/$MINION_ID.sls
+  echo "  mainip: $MAINIP" >> $SENSORPILLARPATH/$MINION_ID.sls
-  echo "  mainint: $MAININT" >> $TMP/$MINION_ID.sls
+  echo "  mainint: $MAININT" >> $SENSORPILLARPATH/$MINION_ID.sls
  if [ $NSMSETUP == 'ADVANCED' ]; then
-    echo "  bro_pins:" >> $TMP/$MINION_ID.sls
+    echo "  bro_pins:" >> $SENSORPILLARPATH/$MINION_ID.sls
    for PIN in $BROPINS; do
      PIN=$(echo $PIN |  cut -d\" -f2)
-    echo "    - $PIN" >> $TMP/$MINION_ID.sls
+    echo "    - $PIN" >> $SENSORPILLARPATH/$MINION_ID.sls
    done
-    echo "  suripins:" >> $TMP/$MINION_ID.sls
+    echo "  suripins:" >> $SENSORPILLARPATH/$MINION_ID.sls
    for SPIN in $SURIPINS; do
      SPIN=$(echo $SPIN |  cut -d\" -f2)
-    echo "    - $SPIN" >> $TMP/$MINION_ID.sls
+    echo "    - $SPIN" >> $SENSORPILLARPATH/$MINION_ID.sls
    done
  else
-    echo "  bro_lbprocs: $BASICBRO" >> $TMP/$MINION_ID.sls
+    echo "  bro_lbprocs: $BASICBRO" >> $SENSORPILLARPATH/$MINION_ID.sls
-    echo "  suriprocs: $BASICSURI" >> $TMP/$MINION_ID.sls
+    echo "  suriprocs: $BASICSURI" >> $SENSORPILLARPATH/$MINION_ID.sls
  fi
-  echo "  brobpf:" >> $TMP/$MINION_ID.sls
+  echo "  brobpf:" >> $SENSORPILLARPATH/$MINION_ID.sls
-  echo "  pcapbpf:" >> $TMP/$MINION_ID.sls
+  echo "  pcapbpf:" >> $SENSORPILLARPATH/$MINION_ID.sls
-  echo "  nidsbpf:" >> $TMP/$MINION_ID.sls
+  echo "  nidsbpf:" >> $SENSORPILLARPATH/$MINION_ID.sls
-  echo "  master: $MSRV" >> $TMP/$MINION_ID.sls
+  echo "  master: $MSRV" >> $SENSORPILLARPATH/$MINION_ID.sls
-  echo "  mtu: $MTU" >> $TMP/$MINION_ID.sls
+  echo "  mtu: $MTU" >> $SENSORPILLARPATH/$MINION_ID.sls
  if [ $HNSENSOR != 'inherit' ]; then
-  echo "  hnsensor: $HNSENSOR" >> $TMP/$MINION_ID.sls
+  echo "  hnsensor: $HNSENSOR" >> $SENSORPILLARPATH/$MINION_ID.sls
  fi
-  echo "  access_key: $ACCESS_KEY" >> $TMP/$MINION_ID.sls
+  echo "  access_key: $ACCESS_KEY" >> $SENSORPILLARPATH/$MINION_ID.sls
-  echo "  access_secret: $ACCESS_SECRET" >>  $TMP/$MINION_ID.sls
+  echo "  access_secret: $ACCESS_SECRET" >>  $SENSORPILLARPATH/$MINION_ID.sls
 }
 set_environment_var() {
  echo "Setting environment variable: $1"
  export "$1"
  echo "$1" >> /etc/environment
 }
@@ -1469,6 +1562,109 @@ whiptail_passwords_dont_match() {
 }
 whiptail_patch_name_new_schedule() {
  PATCHSCHEDULENAME=$(whiptail --title "Security Onion Setup" --inputbox \
  "What name do you want to give this OS patch schedule? This schedule needs to be named uniquely. Available schedules can be found on the master under /opt/so/salt/patch/os/schedules/<schedulename>.yml" 10 105 3>&1 1>&2 2>&3)
  local exitstatus=$?
  whiptail_check_exitstatus $exitstatus
  while [[ -z "$PATCHSCHEDULENAME"  ]]; do
    whiptail --title "Security Onion Setup" --msgbox "Please enter a name for this OS patch schedule." 8 65
    PATCHSCHEDULENAME=$(whiptail --title "Security Onion Setup" --inputbox \
    "What name do you want to give this OS patch schedule? This schedule needs to be named uniquely. Available schedules can be found on the master under /opt/so/salt/patch/os/schedules/<schedulename>.yml" 10 105 3>&1 1>&2 2>&3)
    local exitstatus=$?
    whiptail_check_exitstatus $exitstatus
  done
 }
 whiptail_patch_schedule() {
  # What kind of patch schedule are we doing?
  PATCHSCHEDULE=$(whiptail --title "Security Onion Setup" --radiolist \
  "Choose OS patch schedule. This will NOT update Security Onion related tools such as Zeek, Elasticsearch, Kibana, SaltStack, etc." 25 115 5 \
  "Automatic" "Package updates will be installed automatically every 8 hours if available" ON \
  "Manual" "Package updates will need to be installed manually" OFF \
  "Import Schedule" "Enter the name of an existing schedule on the following screen and inherit it" OFF \
  "New Schedule" "Configure and name a new schedule on the following screen" OFF 3>&1 1>&2 2>&3 )
  local exitstatus=$?
  whiptail_check_exitstatus $exitstatus
 }
 whiptail_patch_schedule_import() {
  unset PATCHSCHEDULENAME
  PATCHSCHEDULENAME=$(whiptail --title "Security Onion Setup" --inputbox \
  "Enter the name of the OS patch schedule you want to inherit. Available schedules can be found on the master under /opt/so/salt/patch/os/schedules/<schedulename>.yml" 10 60 3>&1 1>&2 2>&3)
  local exitstatus=$?
  whiptail_check_exitstatus $exitstatus
  while [[ -z "$PATCHSCHEDULENAME"  ]]; do
    whiptail --title "Security Onion Setup" --msgbox "Please enter a name for the OS patch schedule you want to inherit." 8 65
    PATCHSCHEDULENAME=$(whiptail --title "Security Onion Setup" --inputbox \
    "Enter the name of the OS patch schedule you want to inherit. Available schedules can be found on the master under /opt/so/salt/patch/os/schedules/<schedulename>.yml" 10 60 3>&1 1>&2 2>&3)
    local exitstatus=$?
    whiptail_check_exitstatus $exitstatus
  done
 }
 whiptail_patch_schedule_select_days() {
   # Select the days to patch
  PATCHSCHEDULEDAYS=($(whiptail --title "Security Onion Setup" --checklist \
  "Which days do you want to apply OS patches?" 20 55 9 \
  "Monday" "" OFF \
  "Tuesday" "" ON \
  "Wednesday" "" OFF \
  "Thursday" "" OFF \
  "Friday" "" OFF \
  "Saturday" "" OFF \
  "Sunday" "" OFF 3>&1 1>&2 2>&3 ))
  local exitstatus=$?
  whiptail_check_exitstatus $exitstatus
 }
 whiptail_patch_schedule_select_hours() {
   # Select the hours to patch
  PATCHSCHEDULEHOURS=($(whiptail --title "Security Onion Setup" --checklist \
  "At which time, UTC, do you want to apply OS patches on the selected days?" 35 55 26 \
  "00:00" "" OFF \
  "01:00" "" OFF \
  "02:00" "" OFF \
  "03:00" "" OFF \
  "04:00" "" OFF \
  "05:00" "" OFF \
  "06:00" "" OFF \
  "07:00" "" OFF \
  "08:00" "" OFF \
  "09:00" "" OFF \
  "10:00" "" OFF \
  "11:00" "" OFF \
  "12:00" "" OFF \
  "13:00" "" OFF \
  "14:00" "" OFF \
  "15:00" "" ON \
  "16:00" "" OFF \
  "17:00" "" OFF \
  "18:00" "" OFF \
  "19:00" "" OFF \
  "20:00" "" OFF \
  "21:00" "" OFF \
  "22:00" "" OFF \
  "23:00" "" OFF 3>&1 1>&2 2>&3 ))
  local exitstatus=$?
  whiptail_check_exitstatus $exitstatus
 }
 whiptail_rule_setup() {
  # Get pulled pork info
@@ -1501,6 +1697,13 @@ whiptail_set_hostname() {
  HOSTNAME=$(whiptail --title "Security Onion Setup" --inputbox \
  "Enter the Hostname you would like to set." 10 60 $HOSTNAME 3>&1 1>&2 2>&3)
  while [[ "$HOSTNAME" == 'localhost' ]] ; do
    whiptail --title "Security Onion Setup" --msgbox "Please choose a hostname that isn't localhost." 8 65
    HOSTNAME=$(whiptail --title "Security Onion Setup" --inputbox \
    "Enter the Hostname you would like to set." 10 60 $HOSTNAME 3>&1 1>&2 2>&3)
  done
  local exitstatus=$?
  whiptail_check_exitstatus $exitstatus
@@ -1609,6 +1812,26 @@ if (whiptail_you_sure); then
  # What kind of install are we doing?
  whiptail_install_type
  # How do we want to handle OS patching? manual, auto or scheduled days and hours
  whiptail_patch_schedule
  case $PATCHSCHEDULE in
    'New Schedule')
      whiptail_patch_schedule_select_days
      whiptail_patch_schedule_select_hours
      whiptail_patch_name_new_schedule
      patch_schedule_os_new
      ;;
    'Import Schedule')
      whiptail_patch_schedule_import
      ;;
    Automatic)
      PATCHSCHEDULENAME=auto
      ;;
    Manual)
      PATCHSCHEDULENAME=manual
      ;;
  esac
  ####################
  ##     Master     ##
  ####################
@@ -1684,8 +1907,10 @@ if (whiptail_you_sure); then
    # Install salt and dependencies
    {
      sleep 0.5
-      echo -e "XXX\n0\nInstalling and configuring Salt... \nXXX"
+      #install_pip3 >> $SETUPLOG 2>&1
      echo -e "XXX\n1\nInstalling and configuring Salt... \nXXX"
      echo " ** Installing Salt and Dependencies **" >> $SETUPLOG
      salt_install_mysql_deps >> $SETUPLOG 2>&1
      saltify >> $SETUPLOG 2>&1
      echo -e "XXX\n5\nInstalling Docker... \nXXX"
      docker_install >> $SETUPLOG 2>&1
@@ -1703,7 +1928,11 @@ if (whiptail_you_sure); then
      master_static >> $SETUPLOG 2>&1
      echo "** Generating the master pillar **" >> $SETUPLOG
      master_pillar >> $SETUPLOG 2>&1
      echo "** Generating the patch pillar **" >> $SETUPLOG
      patch_pillar >> $SETUPLOG 2>&1
      echo -e "XXX\n30\nAccepting Salt Keys... \nXXX"
      echo -e "XXX\n24\nCopying Minion Pillars to Master... \nXXX"
      copy_minion_tmp_files >> $SETUPLOG 2>&1
      # Do a checkin to push the key up
      echo "** Pushing the key up to Master **" >> $SETUPLOG
      salt_firstcheckin >> $SETUPLOG 2>&1
@@ -1814,18 +2043,22 @@ if (whiptail_you_sure); then
      sleep 0.5
      echo -e "XXX\n0\nSetting Initial Firewall Policy... \nXXX"
      set_initial_firewall_policy >> $SETUPLOG 2>&1
      #echo -e "XXX\n1\nInstalling pip3... \nXXX"
      #install_pip3 >> $SETUPLOG 2>&1
      echo -e "XXX\n3\nCreating Bond Interface... \nXXX"
      network_setup >> $SETUPLOG 2>&1
      echo -e "XXX\n4\nGenerating Sensor Pillar... \nXXX"
      sensor_pillar >> $SETUPLOG 2>&1
      echo "** Generating the patch pillar **" >> $SETUPLOG
      patch_pillar >> $SETUPLOG 2>&1
      echo -e "XXX\n5\nInstalling Salt Components... \nXXX"
      saltify >> $SETUPLOG 2>&1
      echo -e "XXX\n20\nInstalling Docker... \nXXX"
      docker_install >> $SETUPLOG 2>&1
      echo -e "XXX\n22\nConfiguring Salt Minion... \nXXX"
      configure_minion sensor >> $SETUPLOG 2>&1
-      echo -e "XXX\n24\nCopying Sensor Pillar to Master... \nXXX"
+      echo -e "XXX\n24\nCopying Minion Pillars to Master... \nXXX"
-      copy_minion_pillar sensors >> $SETUPLOG 2>&1
+      copy_minion_tmp_files >> $SETUPLOG 2>&1
      echo -e "XXX\n25\nSending Salt Key to Master... \nXXX"
      salt_firstcheckin >> $SETUPLOG 2>&1
      echo -e "XXX\n26\nTelling the Master to Accept Key... \nXXX"
@@ -1912,6 +2145,9 @@ if (whiptail_you_sure); then
      sleep 0.5
      echo -e "XXX\n0\nCreating Bond Interface... \nXXX"
      network_setup >> $SETUPLOG 2>&1
      #install_pip3 >> $SETUPLOG 2>&1
      echo -e "XXX\n1\nInstalling mysql dependencies for saltstack... \nXXX"
      salt_install_mysql_deps >> $SETUPLOG 2>&1
      echo -e "XXX\n1\nInstalling saltstack... \nXXX"
      saltify >> $SETUPLOG 2>&1
      echo -e "XXX\n3\nInstalling docker... \nXXX"
@@ -1929,6 +2165,8 @@ if (whiptail_you_sure); then
      master_static >> $SETUPLOG 2>&1
      echo -e "XXX\n7\nCreating the master pillar... \nXXX"
      master_pillar >> $SETUPLOG 2>&1
      echo "** Generating the patch pillar **" >> $SETUPLOG
      patch_pillar >> $SETUPLOG 2>&1
      echo -e "XXX\n7\nConfiguring minion... \nXXX"
      configure_minion eval >> $SETUPLOG 2>&1
      echo -e "XXX\n7\nSetting the node type to eval... \nXXX"
@@ -1937,6 +2175,8 @@ if (whiptail_you_sure); then
      node_pillar >> $SETUPLOG 2>&1
      echo -e "XXX\n8\nCreating firewall policies... \nXXX"
      set_initial_firewall_policy >> $SETUPLOG 2>&1
      echo -e "XXX\n24\nCopying Minion Pillars to Master... \nXXX"
      copy_minion_tmp_files >> $SETUPLOG 2>&1
      echo -e "XXX\n10\nRegistering agent... \nXXX"
      salt_firstcheckin >> $SETUPLOG 2>&1
      echo -e "XXX\n11\nAccepting Agent... \nXXX"
@@ -2070,6 +2310,8 @@ if (whiptail_you_sure); then
      sleep 0.5
      echo -e "XXX\n0\nSetting Initial Firewall Policy... \nXXX"
      set_initial_firewall_policy >> $SETUPLOG 2>&1
      #echo -e "XXX\n1\nInstalling pip3... \nXXX"
      #install_pip3 >> $SETUPLOG 2>&1
      echo -e "XXX\n5\nInstalling Salt Packages... \nXXX"
      saltify >> $SETUPLOG 2>&1
      echo -e "XXX\n20\nInstalling Docker... \nXXX"
@@ -2078,7 +2320,10 @@ if (whiptail_you_sure); then
      configure_minion node >> $SETUPLOG 2>&1
      set_node_type >> $SETUPLOG 2>&1
      node_pillar >> $SETUPLOG 2>&1
-      copy_minion_pillar nodes >> $SETUPLOG 2>&1
+      echo "** Generating the patch pillar **" >> $SETUPLOG
      patch_pillar >> $SETUPLOG 2>&1
      echo -e "XXX\n24\nCopying Minion Pillars to Master... \nXXX"
      copy_minion_tmp_files >> $SETUPLOG 2>&1
      echo -e "XXX\n35\nSending and Accepting Salt Key... \nXXX"
      salt_firstcheckin >> $SETUPLOG 2>&1
      # Accept the Salt Key