https://github.com/Security-Onion-Solutions/securityonion/issues/404

salt/manager/files/acng/acng.conf

@@ -0,0 +1,91 @@
+# This is a configuration file for apt-cacher-ng, a smart caching proxy for
+CacheDir: /var/cache/apt-cacher-ng
+LogDir: /var/log/apt-cacher-ng
+Port: 3142
+# BindAddress: localhost 192.168.7.254 publicNameOnMainInterface
+Remap-debrep: file:deb_mirror*.gz /debian ; file:backends_debian # Debian Archives
+Remap-uburep: file:ubuntu_mirrors /ubuntu ; file:backends_ubuntu.us # Ubuntu Archives
+Remap-cygwin: file:cygwin_mirrors /cygwin # ; file:backends_cygwin # incomplete, please create this file or specify preferred mirrors here
+Remap-alxrep: file:archlx_mirrors /archlinux # ; file:backend_archlx # Arch Linux
+Remap-centosmirrorlist: mirrorlist.centos.org
+Remap-centos: file:centos_mirrors ; file:backends_centos.us # Fedora Linux
+Remap-fedora: file:fedora_mirrors ; file:backends_fedora.us # Fedora Linux
+Remap-epel:   file:epel_mirrors ; file:backends_epel.us # Fedora EPEL
+Remap-slrep:  file:sl_mirrors # Scientific Linux
+Remap-gentoo: file:gentoo_mirrors.gz /gentoo ; file:backends_gentoo # Gentoo Archives
+#Remap-alpine: file:alpine_mirrors /alpine #; dl-cdn.alpinelinux.org # Alpine Archives
+Remap-alpine: dl-cdn.alpinelinux.org
+Remap-yarn:   registry.yarnpkg.com
+Remap-npm:    registry.npmjs.org
+Remap-node:   nodejs.org
+Remap-apache: file:apache_mirrors ; file:backends_apache.us
+Remap-salt:   repo.saltstack.com; https://repo.saltstack.com
+# Remap-secdeb: security.debian.org
+ReportPage: acng-report.html
+# SocketPath:/var/run/apt-cacher-ng/socket
+UnbufferLogs: 1
+VerboseLog: 1
+ForeGround: 1
+# PidFile: /var/run/apt-cacher-ng/pid
+# Offlinemode: 0
+# ForceManaged: 0
+ExTreshold: 8
+# ExAbortOnProblems: 1
+# ExSuppressAdminNotification: 1
+# StupidFs: 0
+# ForwardBtsSoap: 1
+# DnsCacheSeconds: 1800
+# MaxStandbyConThreads: 8
+MaxConThreads: 120
+#
+# - static data that doesn't change silently ont he server (PFilePattern)
+# - volatile data that can be changed like every hour (VFilePattern)
+# - special static data that shared some file names with volatile data,
+#   and in doubt should be identified as static (SPfilePattern)
+# - a "whitelist pattern" with hints for the regular expiration job telling
+#   to keep the files even if they are not referenced by others, like crypto
+#   signatures with which clients begin their downloads (WfilePattern)
+#
+VfilePatternEx: (metalink\?repo=[0-9a-zA-Z-]+&arch=[0-9a-zA-Z_-]+|/\?release=[0-9]+&arch=|repodata/.*\.(xml|sqlite)\.(gz|bz2)|APKINDEX.tar.gz|filelists\.xml\.gz|filelists\.sqlite\.bz2|repomd\.xml|packages\.[a-zA-Z][a-zA-Z]\.gz)
+PfilePatternEx: (/dists/.*/by-hash/.*|\.tgz|\.tar|\.xz|\.bz2|\.rpm|\.apk)$
+# WfilePatternEx:
+# SPfilePatternEx:
+
+Debug:1
+# ExposeOrigin: 0
+# LogSubmittedOrigin: 0
+# UserAgent: Yet Another HTTP Client/1.2.3p4
+# RecompBz2: 0
+# NetworkTimeout: 60
+
+# DontCacheRequested: linux-.*_10\...\.Custo._i386
+# DontCacheRequested: 192.168.0 ^10\..* 172.30
+# DontCacheResolved: ubuntumirror.local.net
+DontCache: mirrorlist.centos.org
+
+# DirPerms: 00755
+# FilePerms: 00664
+
+LocalDirs: acng-doc /usr/share/doc/apt-cacher-ng
+# PrecacheFor: debrep/dists/unstable/*/source/Sources* debrep/dists/unstable/*/binary-amd64/Packages*
+# RequestAppendix: X-Tracking-Choice: do-not-track\r\n
+# ConnectProto: v6 v4
+# KeepExtraVersions: 0
+# UseWrap: 0
+FreshIndexMaxAge: 300
+# AllowUserPorts: 80
+RedirMax: 6
+# VfileUseRangeOps is set for fedora volatile files on mirrors that dont to range
+VfileUseRangeOps: 0
+# PassThroughPattern: private-ppa\.launchpad\.net:443$
+# PassThroughPattern: .* # this would allow CONNECT to everything
+PassThroughPattern: (download\.docker\.com:443|mirrors\.fedoraproject\.org:443|packages\.wazuh\.com:443|repo\.saltstack\.com:443|yum\.dockerproject\.org:443|download\.docker\.com:443|registry\.npmjs\.org:443|registry\.yarnpkg\.com:443)$ # yarn/npm pkg, cant to http :/
+# ResponseFreezeDetectTime: 500
+# ReuseConnections: 1
+# PipelineDepth: 255
+# CApath: /etc/ssl/certs
+# CAfile:
+# OptProxyTimeout: -1
+# MaxDlSpeed: 500
+# MaxInresponsiveDlSize: 64000
+# BadRedirDetectMime: text/html

salt/manager/files/add_minion.sh

@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+
+# This script adds pillar and schedule files securely
+local_salt_dir=/opt/so/saltstack/local
+MINION=$1
+
+  echo "Adding $1" 
+  cp /tmp/$MINION/pillar/$MINION.sls $local_salt_dir/pillar/minions/
+  cp --parents /tmp/$MINION/schedules/* $local_salt_dir/salt/patch/os/schedules/
+  rm -rf /tmp/$MINION

salt/manager/files/registry/scripts/so-docker-download

@@ -0,0 +1,46 @@
+#!/bin/bash
+
+MANAGER={{ MANAGER }}
+VERSION="HH1.2.2"
+TRUSTED_CONTAINERS=( \
+"so-nginx:$VERSION" \
+"so-cyberchef:$VERSION" \
+"so-acng:$VERSION" \
+"so-soc:$VERSION" \
+"so-kratos:$VERSION" \
+"so-fleet:$VERSION" \
+"so-soctopus:$VERSION" \
+"so-steno:$VERSION" \
+"so-playbook:$VERSION" \
+"so-thehive-cortex:$VERSION" \
+"so-thehive:$VERSION" \
+"so-thehive-es:$VERSION" \
+"so-wazuh:$VERSION" \
+"so-kibana:$VERSION" \
+"so-elastalert:$VERSION" \
+"so-filebeat:$VERSION" \
+"so-suricata:$VERSION" \
+"so-logstash:$VERSION" \
+"so-bro:$VERSION" \
+"so-idstools:$VERSION" \
+"so-fleet-launcher:$VERSION" \
+"so-freqserver:$VERSION" \
+"so-influxdb:$VERSION" \
+"so-grafana:$VERSION" \
+"so-telegraf:$VERSION" \
+"so-redis:$VERSION" \
+"so-mysql:$VERSION" \
+"so-curtor:$VERSION" \
+"so-elasticsearch:$VERSION" \
+"so-domainstats:$VERSION" \
+"so-tcpreplay:$VERSION" \
+)
+
+for i in "${TRUSTED_CONTAINERS[@]}"
+do
+  # Pull down the trusted docker image
+  docker pull --disable-content-trust=false docker.io/soshybridhunter/$i
+  # Tag it with the new registry destination
+  docker tag soshybridhunter/$i $MANAGER:5000/soshybridhunter/$i
+  docker push $MANAGER:5000/soshybridhunter/$i
+done

salt/manager/init.sls

@@ -0,0 +1,72 @@
+# Copyright 2014,2015,2016,2017,2018 Security Onion Solutions, LLC
+
+#    This program is free software: you can redistribute it and/or modify
+#    it under the terms of the GNU General Public License as published by
+#    the Free Software Foundation, either version 3 of the License, or
+#    (at your option) any later version.
+#
+#    This program is distributed in the hope that it will be useful,
+#    but WITHOUT ANY WARRANTY; without even the implied warranty of
+#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#    GNU General Public License for more details.
+#
+#    You should have received a copy of the GNU General Public License
+#    along with this program.  If not, see <http://www.gnu.org/licenses/>.
+{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %}
+{% set MANAGER = salt['grains.get']('manager') %}
+{% set managerproxy = salt['pillar.get']('static:managerupdate', '0') %}
+
+socore_own_saltstack:
+  file.directory:
+    - name: /opt/so/saltstack
+    - user: socore
+    - group: socore
+    - recurse:
+      - user
+      - group
+
+{% if managerproxy == 1 %}
+
+# Create the directories for apt-cacher-ng
+aptcacherconfdir:
+  file.directory:
+    - name: /opt/so/conf/aptcacher-ng/etc
+    - user: 939
+    - group: 939
+    - makedirs: True
+
+aptcachercachedir:
+  file.directory:
+    - name: /opt/so/conf/aptcacher-ng/cache
+    - user: 939
+    - group: 939
+    - makedirs: True
+
+aptcacherlogdir:
+  file.directory:
+    - name: /opt/so/log/aptcacher-ng
+    - user: 939
+    - group: 939
+    - makedirs: true
+
+# Copy the config
+
+acngcopyconf:
+  file.managed:
+    - name: /opt/so/conf/aptcacher-ng/etc/acng.conf
+    - source: salt://manager/files/acng/acng.conf
+
+# Install the apt-cacher-ng container
+so-aptcacherng:
+  docker_container.running:
+    - image: {{ MANAGER }}:5000/soshybridhunter/so-acng:{{ VERSION }}
+    - hostname: so-acng
+    - restart_policy: always
+    - port_bindings:
+      - 0.0.0.0:3142:3142
+    - binds:
+      - /opt/so/conf/aptcacher-ng/cache:/var/cache/apt-cacher-ng:rw
+      - /opt/so/log/aptcacher-ng:/var/log/apt-cacher-ng:rw
+      - /opt/so/conf/aptcacher-ng/etc/acng.conf:/etc/apt-cacher-ng/acng.conf:ro
+
+{% endif %}