Fix annotations and file locations

salt/common/init.sls

@@ -49,12 +49,11 @@ so-status.conf:
     - name: /opt/so/conf/so-status/so-status.conf
     - unless: ls /opt/so/conf/so-status/so-status.conf
 
-sosaltstackperms:
+socore_opso_perms:
   file.directory:
-    - name: /opt/so/saltstack
+    - name: /opt/so
     - user: 939
     - group: 939
-    - dir_mode: 770
     
 so_log_perms:
   file.directory:

salt/common/tools/sbin/so-helix-apikey

@@ -1,27 +0,0 @@
-#!/bin/bash
-
-local_salt_dir=/opt/so/saltstack/local
-
-got_root() {
-
-  # Make sure you are root
-  if [ "$(id -u)" -ne 0 ]; then
-          echo "This script must be run using sudo!"
-          exit 1
-  fi
-
-}
-
-got_root
-if [ ! -f $local_salt_dir/pillar/fireeye/init.sls ]; then
-  echo "This is nto configured for Helix Mode. Please re-install."
-  exit
-else
-  echo "Enter your Helix API Key: "
-  read APIKEY
-  sed -i "s/^    api_key.*/    api_key: $APIKEY/g" $local_salt_dir/pillar/fireeye/init.sls
-  docker stop so-logstash
-  docker rm so-logstash
-  echo "Restarting Logstash for updated key"
-  salt-call state.apply logstash queue=True
-fi

salt/firewall/soc_firewall.yaml

@@ -0,0 +1,413 @@
+firewall:
+  hostgroups:
+    analyst: &hostgroupsettings
+      description: List of IP or CIDR blocks to allow access to for this hostgroup.
+      helplink: firewall.html
+      multiline: True
+      regex: ^([0-9]{1,3}\.){3}[0-9]{1,3}(\/([0-9]|[1-2][0-9]|3[0-2]))?$
+      regexFailureMessage: You must enter a properly formatted IP address or CIDR.
+    anywhere: *hostgroupsettings
+    beats_endpoint: *hostgroupsettings
+    beats_endpoint_ssl: *hostgroupsettings
+    dockernet: *hostgroupsettings
+    elastic_agent_endpoint: *hostgroupsettings
+    elasticsearch_rest: *hostgroupsettings
+    endgame: *hostgroupsettings
+    eval: *hostgroupsettings
+    fleet: *hostgroupsettings
+    heavynodes: *hostgroupsettings
+    idh: *hostgroupsettings
+    localhost: *hostgroupsettings
+    manager: *hostgroupsettings
+    receivers: *hostgroupsettings
+    searchnodes: *hostgroupsettings
+    securityonion_desktops: *hostgroupsettings
+    self: *hostgroupsettings
+    sensors: *hostgroupsettings
+    standalone: *hostgroupsettings
+    strelka_frontend: *hostgroupsettings
+    syslog: *hostgroupsettings
+  portgroups:
+    all:
+      tcp:
+      udp:
+    agrules:
+      tcp:
+      udp:
+    beats_5044:
+      tcp:
+      udp:
+    beats_5644:
+      tcp:
+      udp:
+    beats_5066:
+      tcp:
+      udp:
+    beats_5056:
+      tcp:
+      udp:
+    docker_registry:
+      tcp:
+      udp:
+    elasticsearch_node:
+      tcp:
+      udp:
+    elasticsearch_rest:
+      tcp:
+      udp:
+    elastic_agent_control:
+      tcp:
+      udp:
+    elastic_agent_data:
+      tcp:
+      udp:
+    endgame:
+      tcp:
+      udp:
+    influxdb:
+      tcp:
+      udp:
+    kibana:
+      tcp:
+      udp:
+    mysql:
+      tcp:
+      udp:
+    nginx:
+      tcp:
+      udp:
+    playbook:
+      tcp:
+      udp:
+    redis:
+      tcp:
+      udp:
+    salt_manager:
+      tcp:
+      udp:
+    sensoroni:
+      tcp:
+      udp:
+    ssh:
+      tcp:
+      udp:
+    strelka_frontend:
+      tcp:
+      udp:
+    syslog:
+      tcp:
+      udp:
+    yum:
+      tcp:
+      udp:
+  role:
+    eval:
+      chain:
+        DOCKER-USER:
+          hostgroups:
+            eval:
+              portgroups:
+            sensors:
+              portgroups:
+            searchnodes:
+              portgroups:
+            heavynodes:
+              portgroups:
+            self:
+              portgroups:
+            beats_endpoint:
+              portgroups:
+            beats_endpoint_ssl:
+              portgroups:
+            elasticsearch_rest:
+              portgroups:
+            elastic_agent_endpoint:
+              portgroups:
+            strelka_frontend:
+              portgroups:
+            syslog:
+              portgroups:
+            analyst:
+              portgroups:
+        INPUT:
+          hostgroups:
+            anywhere:
+              portgroups:
+            dockernet:
+              portgroups:
+            localhost:
+              portgroups:
+    fleet:
+      chain:
+        DOCKER-USER:
+          hostgroups:
+            sensors:
+              portgroups:
+            elastic_agent_endpoint:
+              portgroups:
+        INPUT:
+          hostgroups:
+            anywhere:
+              portgroups:
+            dockernet:
+              portgroups:
+            localhost:
+              portgroups:
+            standalone:
+              portgroups:
+            sensors:
+              portgroups:
+            searchnodes:
+              portgroups:
+            heavynodes:
+              portgroups:
+    manager:
+      chain:
+        DOCKER-USER:
+          hostgroups:
+            manager:
+              portgroups:                
+            sensors:
+              portgroups:
+            searchnodes:
+              portgroups:
+            heavynodes:
+              portgroups:
+            self:
+              portgroups:
+            syslog:
+              portgroups:
+            beats_endpoint:
+              portgroups:
+            beats_endpoint_ssl:
+              portgroups:
+            elasticsearch_rest:
+              portgroups:
+            elastic_agent_endpoint:
+              portgroups:
+            endgame:
+              portgroups:
+            analyst:
+              portgroups:
+        INPUT:
+          hostgroups:
+            anywhere:
+              portgroups:
+            dockernet:
+              portgroups:
+            localhost:
+              portgroups:
+            sensors:
+              portgroups:
+            searchnodes:
+              portgroups:
+            heavynodes:
+              portgroups:
+    managersearch:
+      chain:
+        DOCKER-USER:
+          hostgroups:
+            managersearch:
+              portgroups:
+            sensors:
+              portgroups:
+            searchnodes:
+              portgroups:
+            heavynodes:
+              portgroups:
+            self:
+              portgroups:
+            beats_endpoint:
+              portgroups:
+            beats_endpoint_ssl:
+              portgroups:
+            elasticsearch_rest:
+              portgroups:
+            elastic_agent_endpoint:
+              portgroups:
+            endgame:
+              portgroups:
+            syslog:
+              portgroups:
+            analyst:
+              portgroups:
+        INPUT:
+          hostgroups:
+            anywhere:
+              portgroups:
+            dockernet:
+              portgroups:
+            localhost:
+              portgroups:
+            sensors:
+              portgroups:
+            searchnodes:
+              portgroups:
+            heavynodes:
+              portgroups:
+    standalone:
+      chain:
+        DOCKER-USER:
+          hostgroups:
+            localhost:
+              portgroups:
+            standalone:
+              portgroups:
+            fleet:
+              portgroups:
+            sensors:
+              portgroups:
+            searchnodes:
+              portgroups:
+            heavynodes:
+              portgroups:
+            self:
+              portgroups:
+            beats_endpoint:
+              portgroups:
+            beats_endpoint_ssl:
+              portgroups:
+            elasticsearch_rest:
+              portgroups:
+            elastic_agent_endpoint:
+              portgroups:
+            endgame:
+              portgroups:
+            strelka_frontend:
+              portgroups:
+            syslog:
+              portgroups:
+            analyst:
+              portgroups:
+        INPUT:
+          hostgroups:
+            anywhere:
+              portgroups:
+            dockernet:
+              portgroups:
+            fleet:
+              portgroups:
+            localhost:
+              portgroups:
+            standalone:
+              portgroups:
+            sensors:
+              portgroups:
+            searchnodes:
+              portgroups:
+            heavynodes:
+              portgroups:
+    searchnode:
+      chain:
+        DOCKER-USER:
+          hostgroups:
+            manager:
+              portgroups:
+            dockernet:
+              portgroups:
+            elasticsearch_rest:
+              portgroups:
+            searchnodes:
+              portgroups:
+            self:
+              portgroups:
+        INPUT:
+          hostgroups:
+            anywhere:
+              portgroups:
+            dockernet:
+              portgroups:
+            localhost:
+              portgroups:
+    sensor:
+      chain:
+        DOCKER-USER:
+          hostgroups:
+            self:
+              portgroups:
+            strelka_frontend:
+              portgroups:
+        INPUT:
+          hostgroups:
+            anywhere:
+              portgroups:
+            dockernet:
+              portgroups:
+            localhost:
+              portgroups:
+    heavynode:
+      chain:
+        DOCKER-USER:
+          hostgroups:
+            manager:
+              portgroups:
+            dockernet:
+              portgroups:
+            elasticsearch_rest:
+              portgroups:
+            self:
+              portgroups:
+            strelka_frontend:
+              portgroups:
+        INPUT:
+          hostgroups:
+            anywhere:
+              portgroups:
+            dockernet:
+              portgroups:
+            localhost:
+              portgroups:
+    import:
+      chain:
+        DOCKER-USER:
+          hostgroups:
+            manager:
+              portgroups:
+            sensors:
+              portgroups:
+            searchnodes:
+              portgroups:
+            beats_endpoint:
+              portgroups:
+            beats_endpoint_ssl:
+              portgroups:
+            elasticsearch_rest:
+              portgroups:
+            elastic_agent_endpoint:
+              portgroups:
+            analyst:
+              portgroups:
+        INPUT:
+          hostgroups:
+            anywhere:
+              portgroups:
+            dockernet:
+              portgroups:
+            localhost:
+              portgroups:
+    receiver:
+      chain:
+        DOCKER-USER:
+          hostgroups:
+            sensors:
+              portgroups:
+            searchnodes:
+              portgroups:
+            self:
+              portgroups:
+            syslog:
+              portgroups:
+            beats_endpoint:
+              portgroups:
+            beats_endpoint_ssl:
+              portgroups:
+            endgame:
+              portgroups:
+        INPUT:
+          hostgroups:
+            anywhere:
+              portgroups:
+            dockernet:
+              portgroups:
+            localhost:
+              portgroups:

salt/manager/sbin/so-saltstack-update

@@ -0,0 +1,53 @@
+#!/bin/bash
+
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
+default_salt_dir=/opt/so/saltstack/default
+clone_to_tmp() {
+
+  # Make a temp location for the files
+  mkdir /tmp/sogh
+  cd /tmp/sogh
+  git clone https://github.com/Security-Onion-Solutions/securityonion.git
+  cd /tmp
+
+}
+
+copy_new_files() {
+
+  # Copy new files over to the salt dir
+  cd /tmp/sogh/securityonion
+  git checkout $BRANCH
+  VERSION=$(cat VERSION)
+  # We need to overwrite if there is a repo file
+  if [ -d /opt/so/repo ]; then
+    tar -czf /opt/so/repo/"$VERSION".tar.gz -C "$(pwd)/.." .
+  fi
+  rsync -a salt $default_salt_dir/
+  rsync -a pillar $default_salt_dir/
+  chown -R socore:socore $default_salt_dir/salt
+  chown -R socore:socore $default_salt_dir/pillar
+  chmod 755 $default_salt_dir/pillar/firewall/addfirewall.sh
+
+  rm -rf /tmp/sogh
+}
+
+got_root(){
+    if [ "$(id -u)" -ne 0 ]; then
+        echo "This script must be run using sudo!"
+        exit 1
+    fi
+}
+
+got_root
+if [ $# -ne 1 ] ; then
+  BRANCH=2.4/main
+else
+  BRANCH=$1
+fi
+clone_to_tmp
+copy_new_files

setup/so-functions

@@ -1341,6 +1341,16 @@ kibana_pillar() {
 	touch $kibana_pillar_file
 }
 
+logrotate_pillar() {
+	touch $adv_logrotate_pillar_file
+	touch $logrotate_pillar_file
+}
+
+patch_pillar() {
+	touch $adv_patch_pillar_file
+	touch $patch_pillar_file
+}
+
 logstash_pillar() {
 	# Create the logstash advanced pillar
 	touch $adv_logstash_pillar_file

setup/so-variables

@@ -201,3 +201,15 @@ export influxdb_pillar_file
 
 adv_influxdb_pillar_file="$local_salt_dir/pillar/influxdb/adv_influxdb.sls"
 export adv_influxdb_pillar_file
+
+logrotate_pillar_file="$local_salt_dir/pillar/logrotate/soc_logrotate.sls"
+export logrotate_pillar_file
+
+adv_logrotate_pillar_file="$local_salt_dir/pillar/logrotate/adv_logrotate.sls"
+export adv_logrotate_pillar_file
+
+patch_pillar_file="$local_salt_dir/pillar/patch/soc_patch.sls"
+export patch_pillar_file
+
+adv_patch_pillar_file="$local_salt_dir/pillar/patch/adv_patch.sls"
+export adv_patch_pillar_file