Merge branch '2.4/dev' into kilo

pillar/logstash/fleet.sls

@@ -1,6 +0,0 @@
-logstash:
-  pipelines:
-    fleet:
-      config:
-        - so/0012_input_elastic_agent.conf     
-        - so/9806_output_lumberjack_fleet.conf.jinja

pillar/logstash/helix.sls

@@ -1,42 +0,0 @@
-logstash:
-  pipelines:
-    helix:
-      config:
-        - so/0010_input_hhbeats.conf
-        - so/1033_preprocess_snort.conf
-        - so/1100_preprocess_bro_conn.conf
-        - so/1101_preprocess_bro_dhcp.conf
-        - so/1102_preprocess_bro_dns.conf
-        - so/1103_preprocess_bro_dpd.conf
-        - so/1104_preprocess_bro_files.conf
-        - so/1105_preprocess_bro_ftp.conf
-        - so/1106_preprocess_bro_http.conf
-        - so/1107_preprocess_bro_irc.conf
-        - so/1108_preprocess_bro_kerberos.conf
-        - so/1109_preprocess_bro_notice.conf
-        - so/1110_preprocess_bro_rdp.conf
-        - so/1111_preprocess_bro_signatures.conf
-        - so/1112_preprocess_bro_smtp.conf
-        - so/1113_preprocess_bro_snmp.conf
-        - so/1114_preprocess_bro_software.conf
-        - so/1115_preprocess_bro_ssh.conf
-        - so/1116_preprocess_bro_ssl.conf
-        - so/1117_preprocess_bro_syslog.conf
-        - so/1118_preprocess_bro_tunnel.conf
-        - so/1119_preprocess_bro_weird.conf
-        - so/1121_preprocess_bro_mysql.conf
-        - so/1122_preprocess_bro_socks.conf
-        - so/1123_preprocess_bro_x509.conf
-        - so/1124_preprocess_bro_intel.conf
-        - so/1125_preprocess_bro_modbus.conf
-        - so/1126_preprocess_bro_sip.conf
-        - so/1127_preprocess_bro_radius.conf
-        - so/1128_preprocess_bro_pe.conf
-        - so/1129_preprocess_bro_rfb.conf
-        - so/1130_preprocess_bro_dnp3.conf
-        - so/1131_preprocess_bro_smb_files.conf
-        - so/1132_preprocess_bro_smb_mapping.conf
-        - so/1133_preprocess_bro_ntlm.conf
-        - so/1134_preprocess_bro_dce_rpc.conf
-        - so/8001_postprocess_common_ip_augmentation.conf
-        - so/9997_output_helix.conf.jinja

pillar/logstash/manager.sls

@@ -1,8 +0,0 @@
-logstash:
-  pipelines:
-    manager:
-      config:
-        - so/0011_input_endgame.conf
-        - so/0012_input_elastic_agent.conf
-        - so/0013_input_lumberjack_fleet.conf
-        - so/9999_output_redis.conf.jinja

pillar/logstash/receiver.sls

@@ -1,8 +0,0 @@
-logstash:
-  pipelines:
-    receiver:
-      config:
-        - so/0011_input_endgame.conf
-        - so/0012_input_elastic_agent.conf
-        - so/9999_output_redis.conf.jinja
-        

pillar/logstash/search.sls

@@ -1,7 +0,0 @@
-logstash:
-  pipelines:
-    search:
-      config:
-        - so/0900_input_redis.conf.jinja
-        - so/9805_output_elastic_agent.conf.jinja
-        - so/9900_output_endgame.conf.jinja

pillar/top.sls

@@ -1,47 +1,26 @@
 base:
   '*':
-    - patch.needs_restarting
-    - ntp.soc_ntp
-    - ntp.adv_ntp
-    - logrotate
+    - global.soc_global
+    - global.adv_global
     - docker.soc_docker
     - docker.adv_docker
     - firewall.soc_firewall
     - firewall.adv_firewall
+    - influxdb.token
+    - logrotate.soc_logrotate
+    - logrotate.adv_logrotate
+    - nginx.soc_nginx
+    - nginx.adv_nginx
+    - node_data.ips
+    - ntp.soc_ntp
+    - ntp.adv_ntp
+    - patch.needs_restarting
+    - patch.soc_patch
+    - patch.adv_patch
     - sensoroni.soc_sensoroni
     - sensoroni.adv_sensoroni
     - telegraf.soc_telegraf
     - telegraf.adv_telegraf
-    - influxdb.token
-    - node_data.ips
-
-  '* and not *_eval and not *_import':
-    - logstash.nodes
-
-  '*_eval or *_heavynode or *_sensor or *_standalone or *_import':
-    - match: compound
-    - zeek.soc_zeek
-    - zeek.adv_zeek
-    - bpf.soc_bpf
-    - bpf.adv_bpf
-
-  '*_managersearch or *_heavynode':
-    - match: compound
-    - logstash
-    - logstash.manager
-    - logstash.search
-    - logstash.soc_logstash
-    - logstash.adv_logstash
-    - elasticsearch.index_templates
-    - elasticsearch.soc_elasticsearch
-    - elasticsearch.adv_elasticsearch
-
-  '*_manager':
-    - logstash
-    - logstash.manager
-    - logstash.soc_logstash
-    - logstash.adv_logstash
-    - elasticsearch.index_templates
 
   '*_manager or *_managersearch':
     - match: compound
@@ -52,14 +31,19 @@ base:
     - kibana.secrets
     {% endif %}
     - secrets
-    - global.soc_global
-    - global.adv_global
     - manager.soc_manager
     - manager.adv_manager
     - idstools.soc_idstools
     - idstools.adv_idstools
+    - logstash.nodes
+    - logstash.soc_logstash
+    - logstash.adv_logstash
     - soc.soc_soc
     - soc.adv_soc
+    - soctopus.soc_soctopus
+    - soctopus.adv_soctopus
+    - kibana.soc_kibana
+    - kibana.adv_kibana
     - kratos.soc_kratos
     - kratos.adv_kratos
     - redis.soc_redis
@@ -68,15 +52,29 @@ base:
     - influxdb.adv_influxdb
     - elasticsearch.soc_elasticsearch
     - elasticsearch.adv_elasticsearch
+    - elastalert.soc_elastalert
+    - elastalert.adv_elastalert
     - backup.soc_backup
     - backup.adv_backup
+    - curator.soc_curator
+    - curator.adv_curator
+    - soctopus.soc_soctopus
+    - soctopus.adv_soctopus
     - minions.{{ grains.id }}
     - minions.adv_{{ grains.id }}
 
   '*_sensor':
     - healthcheck.sensor
-    - global.soc_global
-    - global.adv_global
+    - strelka.soc_strelka
+    - strelka.adv_strelka
+    - zeek.soc_zeek
+    - zeek.adv_zeek
+    - bpf.soc_bpf
+    - bpf.adv_bpf
+    - pcap.soc_pcap
+    - pcap.adv_pcap
+    - suricata.soc_suricata
+    - suricata.adv_suricata
     - minions.{{ grains.id }}
     - minions.adv_{{ grains.id }}
 
@@ -90,16 +88,23 @@ base:
     {% if salt['file.file_exists']('/opt/so/saltstack/local/pillar/kibana/secrets.sls') %}
     - kibana.secrets
     {% endif %}
-    - global.soc_global
-    - global.adv_global
     - kratos.soc_kratos
     - elasticsearch.soc_elasticsearch
     - elasticsearch.adv_elasticsearch
+    - elastalert.soc_elastalert
+    - elastalert.adv_elastalert
     - manager.soc_manager
     - manager.adv_manager
     - idstools.soc_idstools
     - idstools.adv_idstools
     - soc.soc_soc
+    - soc.adv_soc
+    - soctopus.soc_soctopus
+    - soctopus.adv_soctopus
+    - strelka.soc_strelka
+    - strelka.adv_strelka
+    - curator.soc_curator
+    - curator.adv_curator
     - kratos.soc_kratos
     - kratos.adv_kratos
     - redis.soc_redis
@@ -108,13 +113,19 @@ base:
     - influxdb.adv_influxdb
     - backup.soc_backup
     - backup.adv_backup
+    - zeek.soc_zeek
+    - zeek.adv_zeek
+    - bpf.soc_bpf
+    - bpf.adv_bpf
+    - pcap.soc_pcap
+    - pcap.adv_pcap
+    - suricata.soc_suricata
+    - suricata.adv_suricata
     - minions.{{ grains.id }}
     - minions.adv_{{ grains.id }}
 
   '*_standalone':
-    - logstash
-    - logstash.manager
-    - logstash.search
+    - logstash.nodes
     - logstash.soc_logstash
     - logstash.adv_logstash
     - elasticsearch.index_templates
@@ -126,8 +137,6 @@ base:
     {% endif %}
     - secrets
     - healthcheck.standalone
-    - global.soc_global
-    - global.adv_global
     - idstools.soc_idstools
     - idstools.adv_idstools
     - kratos.soc_kratos
@@ -138,50 +147,77 @@ base:
     - influxdb.adv_influxdb
     - elasticsearch.soc_elasticsearch
     - elasticsearch.adv_elasticsearch
+    - elastalert.soc_elastalert
+    - elastalert.adv_elastalert
     - manager.soc_manager
     - manager.adv_manager
     - soc.soc_soc
+    - soc.adv_soc
+    - soctopus.soc_soctopus
+    - soctopus.adv_soctopus
+    - strelka.soc_strelka
+    - strelka.adv_strelka
+    - curator.soc_curator
+    - curator.adv_curator
     - backup.soc_backup
     - backup.adv_backup
+    - zeek.soc_zeek
+    - zeek.adv_zeek
+    - bpf.soc_bpf
+    - bpf.adv_bpf
+    - pcap.soc_pcap
+    - pcap.adv_pcap
+    - suricata.soc_suricata
+    - suricata.adv_suricata
     - minions.{{ grains.id }}
     - minions.adv_{{ grains.id }}
 
   '*_heavynode':
     - elasticsearch.auth
-    - global.soc_global
-    - global.adv_global
+    - logstash.nodes
+    - logstash.soc_logstash
+    - logstash.adv_logstash
+    - elasticsearch.soc_elasticsearch
+    - elasticsearch.adv_elasticsearch
+    - curator.soc_curator
+    - curator.adv_curator
     - redis.soc_redis
+    - redis.adv_redis
+    - zeek.soc_zeek
+    - zeek.adv_zeek
+    - bpf.soc_bpf
+    - bpf.adv_bpf
+    - pcap.soc_pcap
+    - pcap.adv_pcap
+    - suricata.soc_suricata
+    - suricata.adv_suricata
+    - strelka.soc_strelka
+    - strelka.adv_strelka
     - minions.{{ grains.id }}
     - minions.adv_{{ grains.id }}
 
   '*_idh':
-    - global.soc_global
-    - global.adv_global
     - idh.soc_idh
     - idh.adv_idh
     - minions.{{ grains.id }}
     - minions.adv_{{ grains.id }}
 
   '*_searchnode':
-    - logstash
-    - logstash.search
+    - logstash.nodes
     - logstash.soc_logstash
     - logstash.adv_logstash
-    - elasticsearch.index_templates
     - elasticsearch.soc_elasticsearch
     - elasticsearch.adv_elasticsearch
     {% if salt['file.file_exists']('/opt/so/saltstack/local/pillar/elasticsearch/auth.sls') %}
     - elasticsearch.auth
     {% endif %}
     - redis.soc_redis
-    - global.soc_global
-    - global.adv_global
+    - redis.adv_redis
     - minions.{{ grains.id }}
     - minions.adv_{{ grains.id }}
 
   '*_receiver':
-    - logstash
-    - logstash.receiver
+    - logstash.nodes
     - logstash.soc_logstash
     - logstash.adv_logstash
     {% if salt['file.file_exists']('/opt/so/saltstack/local/pillar/elasticsearch/auth.sls') %}
@@ -189,8 +225,6 @@ base:
     {% endif %}
     - redis.soc_redis
     - redis.adv_redis
-    - global.soc_global
-    - global.adv_global
     - minions.{{ grains.id }}
     - minions.adv_{{ grains.id }}
 
@@ -206,11 +240,16 @@ base:
     - kratos.soc_kratos
     - elasticsearch.soc_elasticsearch
     - elasticsearch.adv_elasticsearch
+    - elastalert.soc_elastalert
+    - elastalert.adv_elastalert
     - manager.soc_manager
     - manager.adv_manager
     - soc.soc_soc
-    - global.soc_global
-    - global.adv_global
+    - soc.adv_soc
+    - soctopus.soc_soctopus
+    - soctopus.adv_soctopus
+    - curator.soc_curator
+    - curator.adv_curator
     - backup.soc_backup
     - backup.adv_backup
     - kratos.soc_kratos
@@ -219,21 +258,28 @@ base:
     - redis.adv_redis
     - influxdb.soc_influxdb
     - influxdb.adv_influxdb
+    - zeek.soc_zeek
+    - zeek.adv_zeek
+    - bpf.soc_bpf
+    - bpf.adv_bpf
+    - pcap.soc_pcap
+    - pcap.adv_pcap
+    - suricata.soc_suricata
+    - suricata.adv_suricata
+    - strelka.soc_strelka
+    - strelka.adv_strelka
     - minions.{{ grains.id }}
     - minions.adv_{{ grains.id }}
 
   '*_fleet':
-    - global.soc_global
-    - global.adv_global
     - backup.soc_backup
     - backup.adv_backup
-    - logstash
-    - logstash.fleet
+    - logstash.nodes
     - logstash.soc_logstash
     - logstash.adv_logstash
     - minions.{{ grains.id }}
     - minions.adv_{{ grains.id }}
 
-  '*_workstation':
+  '*_desktop':
     - minions.{{ grains.id }}
     - minions.adv_{{ grains.id }}

salt/common/init.sls

@@ -49,13 +49,12 @@ so-status.conf:
     - name: /opt/so/conf/so-status/so-status.conf
     - unless: ls /opt/so/conf/so-status/so-status.conf
 
-sosaltstackperms:
+socore_opso_perms:
   file.directory:
-    - name: /opt/so/saltstack
+    - name: /opt/so
     - user: 939
     - group: 939
-    - dir_mode: 770
-
+    
 so_log_perms:
   file.directory:
     - name: /opt/so/log
@@ -112,21 +111,23 @@ elastic_curl_config:
   {% endif %}
 {% endif %}
 
-# Sync some Utilities
-utilsyncscripts:
+
+common_sbin:
   file.recurse:
     - name: /usr/sbin
-    - user: root
-    - group: root
+    - source: salt://common/tools/sbin
+    - user: 939
+    - group: 939
+    - file_mode: 755
+
+common_sbin_jinja:
+  file.recurse:
+    - name: /usr/sbin
+    - source: salt://common/tools/sbin_jinja
+    - user: 939
+    - group: 939 
     - file_mode: 755
     - template: jinja
-    - source: salt://common/tools/sbin
-    - exclude_pat:
-        - so-common
-        - so-firewall
-        - so-image-common
-        - soup
-        - so-status
 
 so-status_script:
   file.managed:

salt/common/tools/sbin/so-elastic-restart

@@ -1,31 +0,0 @@
-#!/bin/bash
-
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-
-
-. /usr/sbin/so-common
-
-
-{%- if grains['role'] in ['so-eval','so-manager', 'so-managersearch', 'so-standalone', 'so-heavynode', 'so-searchnode', 'so-import']%}
-/usr/sbin/so-restart elasticsearch $1
-{%- endif %}
-
-{%- if grains['role'] in ['so-eval', 'so-manager', 'so-managersearch', 'so-standalone', 'so-import']%}
-/usr/sbin/so-restart kibana $1
-{%- endif %}
-
-{%- if grains['role'] in ['so-manager', 'so-managersearch', 'so-standalone', 'so-heavynode', 'so-searchnode']%}
-/usr/sbin/so-restart logstash $1
-{%- endif %}
-
-{%- if grains['role'] in ['so-manager', 'so-managersearch', 'so-standalone', 'so-heavynode', 'so-searchnode']%}
-/usr/sbin/so-restart curator $1
-{%- endif %}
-
-{%- if grains['role'] in ['so-eval','so-manager', 'so-managersearch', 'so-standalone']%}
-/usr/sbin/so-restart elastalert $1
-{%- endif %}

salt/common/tools/sbin/so-elastic-start

@@ -1,31 +0,0 @@
-#!/bin/bash
-
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-
-
-. /usr/sbin/so-common
-
-
-{%- if grains['role'] in ['so-eval','so-manager', 'so-managersearch', 'so-standalone', 'so-heavynode', 'so-searchnode', 'so-import']%}
-/usr/sbin/so-start elasticsearch $1
-{%- endif %}
-
-{%- if grains['role'] in ['so-eval', 'so-manager', 'so-managersearch', 'so-standalone', 'so-import']%}
-/usr/sbin/so-start kibana $1
-{%- endif %}
-
-{%- if grains['role'] in ['so-manager', 'so-managersearch', 'so-standalone', 'so-heavynode', 'so-searchnode']%}
-/usr/sbin/so-start logstash $1
-{%- endif %}
-
-{%- if grains['role'] in ['so-manager', 'so-managersearch', 'so-standalone', 'so-heavynode', 'so-searchnode']%}
-/usr/sbin/so-start curator $1
-{%- endif %}
-
-{%- if grains['role'] in ['so-eval','so-manager', 'so-managersearch', 'so-standalone']%}
-/usr/sbin/so-start elastalert $1
-{%- endif %}

salt/common/tools/sbin/so-elastic-stop

@@ -1,31 +0,0 @@
-#!/bin/bash
-
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-
-
-. /usr/sbin/so-common
-
-
-{%- if grains['role'] in ['so-eval','so-manager', 'so-managersearch', 'so-standalone', 'so-heavynode', 'so-searchnode', 'so-import']%}
-/usr/sbin/so-stop elasticsearch $1
-{%- endif %}
-
-{%- if grains['role'] in ['so-eval', 'so-manager', 'so-managersearch', 'so-standalone', 'so-import']%}
-/usr/sbin/so-stop kibana $1
-{%- endif %}
-
-{%- if grains['role'] in ['so-manager', 'so-managersearch', 'so-standalone', 'so-heavynode', 'so-searchnode']%}
-/usr/sbin/so-stop logstash $1
-{%- endif %}
-
-{%- if grains['role'] in ['so-manager', 'so-managersearch', 'so-standalone', 'so-heavynode', 'so-searchnode']%}
-/usr/sbin/so-stop curator $1
-{%- endif %}
-
-{%- if grains['role'] in ['so-eval','so-manager', 'so-managersearch', 'so-standalone']%}
-/usr/sbin/so-stop elastalert $1
-{%- endif %}

salt/common/tools/sbin/so-elasticsearch-indices-rw

@@ -1,15 +0,0 @@
-#!/bin/bash
-#
-#
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-
-IP={{ salt['grains.get']('ip_interfaces').get(salt['pillar.get']('sensor:mainint', salt['pillar.get']('manager:mainint', salt['pillar.get']('elasticsearch:mainint', salt['pillar.get']('host:mainint')))))[0] }}
-ESPORT=9200
-
-echo "Removing read only attributes for indices..."
-echo
-curl -K /opt/so/conf/elasticsearch/curl.config -s -k -XPUT -H "Content-Type: application/json" -L https://$IP:9200/_all/_settings -d '{"index.blocks.read_only_allow_delete": null}' 2>&1 | if grep -q ack; then echo "Index settings updated..."; else echo "There was any issue updating the read-only attribute.  Please ensure Elasticsearch is running.";fi;

salt/common/tools/sbin/so-helix-apikey

@@ -1,27 +0,0 @@
-#!/bin/bash
-
-local_salt_dir=/opt/so/saltstack/local
-
-got_root() {
-
-  # Make sure you are root
-  if [ "$(id -u)" -ne 0 ]; then
-          echo "This script must be run using sudo!"
-          exit 1
-  fi
-
-}
-
-got_root
-if [ ! -f $local_salt_dir/pillar/fireeye/init.sls ]; then
-  echo "This is nto configured for Helix Mode. Please re-install."
-  exit
-else
-  echo "Enter your Helix API Key: "
-  read APIKEY
-  sed -i "s/^    api_key.*/    api_key: $APIKEY/g" $local_salt_dir/pillar/fireeye/init.sls
-  docker stop so-logstash
-  docker rm so-logstash
-  echo "Restarting Logstash for updated key"
-  salt-call state.apply logstash queue=True
-fi

salt/common/tools/sbin/so-logstash-events

@@ -1,17 +0,0 @@
-#!/bin/bash
-#
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-{% set MAININT = salt['pillar.get']('host:mainint') -%}
-{% set NODEIP = salt['grains.get']('ip_interfaces').get(MAININT)[0] -%}
-
-. /usr/sbin/so-common
-
-if [ "$1" == "" ]; then
-        for i in $(curl -s -L http://{{ NODEIP }}:9600/_node/stats | jq .pipelines | jq '. | to_entries | .[].key' | sed 's/\"//g'); do echo ${i^}:; curl -s localhost:9600/_node/stats | jq .pipelines.$i.events; done
-else
-        curl -s -L http://{{ NODEIP }}:9600/_node/stats | jq .pipelines.$1.events
-fi

salt/common/tools/sbin/so-logstash-get-parsed

@@ -1,12 +0,0 @@
-#!/bin/bash
-
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-
-
-. /usr/sbin/so-common
-
-docker exec -it so-redis redis-cli llen logstash:unparsed

salt/common/tools/sbin/so-nodered-start

@@ -1,13 +0,0 @@
-#!/bin/bash
-
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-
-
-. /usr/sbin/so-common
-
-/usr/sbin/so-start nodered $1
-

salt/common/tools/sbin/so-nodered-stop

@@ -1,12 +0,0 @@
-#!/bin/bash
-
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-
-
-. /usr/sbin/so-common
-
-/usr/sbin/so-stop nodered $1

salt/curator/init.sls

@@ -60,30 +60,21 @@ curconf:
     - template: jinja
     - show_changes: False
 
-curclusterclose: 
-  file.managed:
-    - name: /usr/sbin/so-curator-cluster-close
-    - source: salt://curator/files/bin/so-curator-cluster-close
+curator_sbin:
+  file.recurse:
+    - name: /usr/sbin
+    - source: salt://curator/tools/sbin
     - user: 934
     - group: 939
-    - mode: 755
-    - template: jinja
+    - file_mode: 755
 
-curclusterdelete:
-  file.managed:
-    - name: /usr/sbin/so-curator-cluster-delete
-    - source: salt://curator/files/bin/so-curator-cluster-delete
+curator_sbin_jinja:
+  file.recurse:
+    - name: /usr/sbin
+    - source: salt://curator/tools/sbin_jinja
     - user: 934
-    - group: 939
-    - mode: 755
-
-curclusterdeletedelete:
-  file.managed:
-    - name: /usr/sbin/so-curator-cluster-delete-delete
-    - source: salt://curator/files/bin/so-curator-cluster-delete-delete
-    - user: 934
-    - group: 939
-    - mode: 755
+    - group: 939 
+    - file_mode: 755
     - template: jinja
 
 so-curator:

salt/docker/defaults.yaml

@@ -8,30 +8,44 @@ docker:
       final_octet: 20
       port_bindings:
         - 0.0.0.0:5000:5000
+      custom_bind_mounts: []
+      extra_hosts: []
     'so-elastic-fleet':
       final_octet: 21
       port_bindings:
         - 0.0.0.0:8220:8220/tcp
+      custom_bind_mounts: []
+      extra_hosts: []
     'so-elasticsearch':
       final_octet: 22
       port_bindings:
         - 0.0.0.0:9200:9200/tcp
         - 0.0.0.0:9300:9300/tcp
+      custom_bind_mounts: []
+      extra_hosts: []
     'so-idstools':
       final_octet: 25
+      custom_bind_mounts: []
+      extra_hosts: []
     'so-influxdb':
       final_octet: 26
       port_bindings:
         - 0.0.0.0:8086:8086
+      custom_bind_mounts: []
+      extra_hosts: []
     'so-kibana':
       final_octet: 27
       port_bindings:
         - 0.0.0.0:5601:5601
+      custom_bind_mounts: []
+      extra_hosts: []
     'so-kratos':
       final_octet: 28
       port_bindings:
         - 0.0.0.0:4433:4433
         - 0.0.0.0:4434:4434
+      custom_bind_mounts: []
+      extra_hosts: []
     'so-logstash':
       final_octet: 29
       port_bindings:
@@ -45,58 +59,92 @@ docker:
         - 0.0.0.0:6052:6052
         - 0.0.0.0:6053:6053
         - 0.0.0.0:9600:9600
+      custom_bind_mounts: []
+      extra_hosts: []
     'so-mysql':
       final_octet: 30
       port_bindings:
         - 0.0.0.0:3306:3306
+      custom_bind_mounts: []
+      extra_hosts: []
     'so-nginx':
       final_octet: 31
       port_bindings:
         - 80:80
         - 443:443
         - 8443:8443
+      custom_bind_mounts: []
+      extra_hosts: []
     'so-playbook':
       final_octet: 32
       port_bindings:
         - 0.0.0.0:3000:3000
+      custom_bind_mounts: []
+      extra_hosts: []
     'so-redis':
       final_octet: 33
       port_bindings:
         - 0.0.0.0:6379:6379
         - 0.0.0.0:9696:9696
+      custom_bind_mounts: []
+      extra_hosts: []
     'so-soc':
       final_octet: 34
       port_bindings:
         - 0.0.0.0:9822:9822
+      custom_bind_mounts: []
+      extra_hosts: []
     'so-soctopus':
       final_octet: 35
       port_bindings:
         - 0.0.0.0:7000:7000
+      custom_bind_mounts: []
+      extra_hosts: []
     'so-strelka-backend':
       final_octet: 36
+      custom_bind_mounts: []
+      extra_hosts: []
     'so-strelka-filestream':
       final_octet: 37
+      custom_bind_mounts: []
+      extra_hosts: []
     'so-strelka-frontend':
       final_octet: 38
       port_bindings:
         - 0.0.0.0:57314:57314
+      custom_bind_mounts: []
+      extra_hosts: []
     'so-strelka-manager':
       final_octet: 39
+      custom_bind_mounts: []
+      extra_hosts: []
     'so-strelka-gatekeeper':
       final_octet: 40
       port_bindings:
         - 0.0.0.0:6381:6379
+      custom_bind_mounts: []
+      extra_hosts: []
     'so-strelka-coordinator':
       final_octet: 41
       port_bindings:
         - 0.0.0.0:6380:6379
+      custom_bind_mounts: []
+      extra_hosts: []
     'so-elastalert':
       final_octet: 42
+      custom_bind_mounts: []
+      extra_hosts: []
     'so-curator':
       final_octet: 43
+      custom_bind_mounts: []
+      extra_hosts: []
     'so-elastic-fleet-package-registry':
       final_octet: 44
       port_bindings:
         - 0.0.0.0:8080:8080/tcp
+      custom_bind_mounts: []
+      extra_hosts: []
     'so-idh':
-      final_octet: 45
+      final_octet: 45
+      custom_bind_mounts: []
+      extra_hosts: []

salt/docker/init.sls

@@ -26,10 +26,10 @@ dockerheldpackages:
 dockerheldpackages:
   pkg.installed:
     - pkgs:
-      - containerd.io: 1.6.18-3.1.el9
-      - docker-ce: 23.0.1-1.el9
-      - docker-ce-cli: 23.0.1-1.el9
-      - docker-ce-rootless-extras: 23.0.1-1.el9
+      - containerd.io: 1.6.20-3.1.el9
+      - docker-ce: 23.0.5-1.el9
+      - docker-ce-cli: 23.0.5-1.el9
+      - docker-ce-rootless-extras: 23.0.5-1.el9
     - hold: True
     - update_holds: True
 {% endif %}

salt/docker/soc_docker.yaml

@@ -28,6 +28,18 @@ docker:
         helpLink: docker.html
         advanced: True
         multiline: True
+      custom_bind_mounts:
+        description: List of custom local volume bindings.
+        advanced: True
+        helpLink: docker.html
+        multiline: True
+        forcedType: "[]string"
+      extra_hosts:
+        description: List of additional host entries for the container.
+        advanced: True
+        helpLink: docker.html
+        multiline: True
+        forcedType: "[]string"
     so-dockerregistry: *dockerOptions
     so-elastalert: *dockerOptions
     so-elastic-fleet-package-registry: *dockerOptions

salt/elastalert/init.sls

@@ -29,6 +29,23 @@ elastalogdir:
     - group: 933
     - makedirs: True
 
+elastalert_sbin:
+  file.recurse:
+    - name: /usr/sbin
+    - source: salt://elastalert/tools/sbin
+    - user: 933
+    - group: 939
+    - file_mode: 755
+
+#elastalert_sbin_jinja:
+#  file.recurse:
+#    - name: /usr/sbin
+#    - source: salt://elastalert/tools/sbin_jinja
+#    - user: 933
+#    - group: 939 
+#    - file_mode: 755
+#    - template: jinja
+
 elastarules:
   file.directory:
     - name: /opt/so/rules/elastalert

salt/elasticfleet/init.sls

@@ -25,6 +25,23 @@ elastic-agent:
     - home: /opt/so/conf/elastic-fleet
     - createhome: False
 
+elasticfleet_sbin:
+  file.recurse:
+    - name: /usr/sbin
+    - source: salt://elasticfleet/tools/sbin
+    - user: 947
+    - group: 939
+    - file_mode: 755
+
+elasticfleet_sbin_jinja:
+  file.recurse:
+    - name: /usr/sbin
+    - source: salt://elasticfleet/tools/sbin_jinja
+    - user: 947
+    - group: 939 
+    - file_mode: 755
+    - template: jinja
+
 eaconfdir:
   file.directory:
     - name: /opt/so/conf/elastic-fleet

salt/elasticsearch/init.sls

@@ -21,12 +21,33 @@ vm.max_map_count:
   sysctl.present:
     - value: 262144
 
+# Add ES Group
+elasticsearchgroup:
+  group.present:
+    - name: elasticsearch
+    - gid: 930
+
+esconfdir:
+  file.directory:
+    - name: /opt/so/conf/elasticsearch
+    - user: 930
+    - group: 939
+    - makedirs: True
+
+# Add ES user
+elasticsearch:
+  user.present:
+    - uid: 930
+    - gid: 930
+    - home: /opt/so/conf/elasticsearch
+    - createhome: False
+
 {% if GLOBALS.is_manager %}
 # We have to add the Manager CA to the CA list
 cascriptsync:
   file.managed:
     - name: /usr/sbin/so-catrust
-    - source: salt://elasticsearch/tools/sbin/so-catrust
+    - source: salt://elasticsearch/tools/sbin_jinja/so-catrust
     - user: 939
     - group: 939
     - mode: 750
@@ -42,25 +63,34 @@ cascriptfun:
         - file: cascriptsync
 {% endif %}
 
-# Sync some es scripts
-es_sync_scripts:
+elasticsearch_sbin:
   file.recurse:
     - name: /usr/sbin
-    - user: root
-    - group: root
+    - source: salt://elasticsearch/tools/sbin
+    - user: 930
+    - group: 939
+    - file_mode: 755
+    - exclude_pat:
+      - so-catrust
+      - so-elasticsearch-pipelines # exclude this because we need to watch it for changes, we sync it in another state
+
+elasticsearch_sbin_jinja:
+  file.recurse:
+    - name: /usr/sbin
+    - source: salt://elasticsearch/tools/sbin_jinja
+    - user: 939
+    - group: 939 
     - file_mode: 755
     - template: jinja
-    - source: salt://elasticsearch/tools/sbin
     - exclude_pat:
-        - so-elasticsearch-pipelines # exclude this because we need to watch it for changes, we sync it in another state
-        - so-elasticsearch-ilm-policy-load 
+      - so-elasticsearch-ilm-policy-load # exclude this because we need to watch it for changes, we sync it in another state
     - defaults:
         GLOBALS: {{ GLOBALS }}
 
 so-elasticsearch-ilm-policy-load-script:
   file.managed:
     - name: /usr/sbin/so-elasticsearch-ilm-policy-load
-    - source: salt://elasticsearch/tools/sbin/so-elasticsearch-ilm-policy-load
+    - source: salt://elasticsearch/tools/sbin_jinja/so-elasticsearch-ilm-policy-load
     - user: 930
     - group: 939
     - mode: 754
@@ -96,29 +126,6 @@ capemz:
     - user: 939
     - group: 939
 
-
-
-# Add ES Group
-elasticsearchgroup:
-  group.present:
-    - name: elasticsearch
-    - gid: 930
-
-# Add ES user
-elasticsearch:
-  user.present:
-    - uid: 930
-    - gid: 930
-    - home: /opt/so/conf/elasticsearch
-    - createhome: False
-
-esconfdir:
-  file.directory:
-    - name: /opt/so/conf/elasticsearch
-    - user: 930
-    - group: 939
-    - makedirs: True
-
 esingestdir:
   file.directory:
     - name: /opt/so/conf/elasticsearch/ingest
@@ -374,7 +381,7 @@ so-es-cluster-settings:
     - template: jinja
     - require:
       - docker_container: so-elasticsearch
-      - file: es_sync_scripts
+      - file: elasticsearch_sbin_jinja
 
 so-elasticsearch-ilm-policy-load:
   cmd.run:
@@ -393,7 +400,7 @@ so-elasticsearch-templates:
     - template: jinja
     - require:
       - docker_container: so-elasticsearch
-      - file: es_sync_scripts
+      - file: elasticsearch_sbin_jinja
 
 so-elasticsearch-pipelines:
   cmd.run:
@@ -409,7 +416,7 @@ so-elasticsearch-roles-load:
     - template: jinja
     - require:
       - docker_container: so-elasticsearch
-      - file: es_sync_scripts
+      - file: elasticsearch_sbin_jinja
 {% endif %}
 {% else %}
 

salt/elasticsearch/tools/sbin/so-elastic-clear

@@ -5,7 +5,6 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 
-{%- set NODEIP = salt['pillar.get']('host:mainip', '') %}
 . /usr/sbin/so-common
 
 SKIP=0
@@ -59,7 +58,7 @@ done
 if [ $SKIP -ne 1 ]; then
         # List indices
         echo 
-        curl -K /opt/so/conf/elasticsearch/curl.config -k -L https://{{ NODEIP }}:9200/_cat/indices?v
+        curl -K /opt/so/conf/elasticsearch/curl.config -k -L https://localhost:9200/_cat/indices?v
         echo
         # Inform user we are about to delete all data
         echo

salt/elasticsearch/tools/sbin/so-elasticsearch-component-templates-list

@@ -5,10 +5,9 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 
-{%- set NODEIP = salt['pillar.get']('host:mainip', '') %}
 . /usr/sbin/so-common
 if [ "$1" == "" ]; then
-    curl -K /opt/so/conf/elasticsearch/curl.config -s -k -L https://{{ NODEIP }}:9200/_component_template | jq '.component_templates[] |.name'| sort
+    curl -K /opt/so/conf/elasticsearch/curl.config -s -k -L https://localhost:9200/_component_template | jq '.component_templates[] |.name'| sort
 else
-    curl -K /opt/so/conf/elasticsearch/curl.config -s -k -L https://{{ NODEIP }}:9200/_component_template/$1 | jq
+    curl -K /opt/so/conf/elasticsearch/curl.config -s -k -L https://localhost:9200/_component_template/$1 | jq
 fi

salt/elasticsearch/tools/sbin/so-elasticsearch-ilm-lifecycle-status

@@ -6,10 +6,8 @@
 
 . /usr/sbin/so-common
 
-{%- set NODEIP = salt['pillar.get']('host:mainip', '') %}
-
 if [ "$1" == "" ]; then
-        curl -K /opt/so/conf/elasticsearch/curl.config -s -k -L https://{{ NODEIP }}:9200/_all/_ilm/explain | jq .
+        curl -K /opt/so/conf/elasticsearch/curl.config -s -k -L https://localhost:9200/_all/_ilm/explain | jq .
 else
-        curl -K /opt/so/conf/elasticsearch/curl.config -s -k -L https://{{ NODEIP }}:9200/$1/_ilm/explain | jq .[]
+        curl -K /opt/so/conf/elasticsearch/curl.config -s -k -L https://localhost:9200/$1/_ilm/explain | jq .[]
 fi

salt/elasticsearch/tools/sbin/so-elasticsearch-ilm-policy-delete

@@ -6,6 +6,4 @@
 
 . /usr/sbin/so-common
 
-{%- set NODEIP = salt['pillar.get']('host:mainip', '') %}
-
-curl -K /opt/so/conf/elasticsearch/curl.config -s -k -L -X DELETE https://{{ NODEIP }}:9200/_ilm/policy/$1
+curl -K /opt/so/conf/elasticsearch/curl.config -s -k -L -X DELETE https://localhost:9200/_ilm/policy/$1

salt/elasticsearch/tools/sbin/so-elasticsearch-ilm-policy-load

@@ -1,21 +0,0 @@
-#!/bin/bash
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-. /usr/sbin/so-common
-
-{% import_yaml 'elasticsearch/defaults.yaml' as ESCONFIG with context %}
-{%- set ES_INDEX_SETTINGS = salt['pillar.get']('elasticsearch:index_settings', default=ESCONFIG.elasticsearch.index_settings, merge=True) %}
-{%- set NODEIP = salt['pillar.get']('host:mainip', '') %}
-
-{%- for index, settings in ES_INDEX_SETTINGS.items() %}
-  {%- if settings.policy is defined %}
-echo
-echo "Setting up {{ index }}-logs policy..."
-curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -s -k -L -X PUT "https://{{ NODEIP }}:9200/_ilm/policy/{{ index }}-logs" -H 'Content-Type: application/json' -d'{ "policy": {{ settings.policy | tojson(true) }} }'
-echo
-  {%- endif %}
-{%- endfor %}
-echo

salt/elasticsearch/tools/sbin/so-elasticsearch-ilm-policy-view

@@ -6,10 +6,9 @@
 
 . /usr/sbin/so-common
 
-{%- set NODEIP = salt['pillar.get']('host:mainip', '') %}
 
 if [ "$1" == "" ]; then
-        curl -K /opt/so/conf/elasticsearch/curl.config -s -k -L https://{{ NODEIP }}:9200/_ilm/policy | jq .
+        curl -K /opt/so/conf/elasticsearch/curl.config -s -k -L https://localhost:9200/_ilm/policy | jq .
 else
-        curl -K /opt/so/conf/elasticsearch/curl.config -s -k -L https://{{ NODEIP }}:9200/_ilm/policy/$1 | jq .[]
+        curl -K /opt/so/conf/elasticsearch/curl.config -s -k -L https://localhost:9200/_ilm/policy/$1 | jq .[]
 fi

salt/elasticsearch/tools/sbin/so-elasticsearch-ilm-start

@@ -6,7 +6,6 @@
 
 . /usr/sbin/so-common
 
-{%- set NODEIP = salt['pillar.get']('host:mainip', '') %}
 
 echo "Starting ILM..."
-curl -K /opt/so/conf/elasticsearch/curl.config -s -k -L -X POST https://{{ NODEIP }}:9200/_ilm/start
+curl -K /opt/so/conf/elasticsearch/curl.config -s -k -L -X POST https://localhost:9200/_ilm/start

salt/elasticsearch/tools/sbin/so-elasticsearch-ilm-status

@@ -1,4 +1,4 @@
-/bin/bash
+#!/bin/bash
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
 # https://securityonion.net/license; you may not use this file except in compliance with the
@@ -6,6 +6,4 @@
 
 . /usr/sbin/so-common
 
-{%- set NODEIP = salt['pillar.get']('host:mainip', '') %}
-
-curl -K /opt/so/conf/elasticsearch/curl.config -s -k -L https://{{ NODEIP }}:9200/_ilm/status | jq .
+curl -K /opt/so/conf/elasticsearch/curl.config -s -k -L https://localhost:9200/_ilm/status | jq .

salt/elasticsearch/tools/sbin/so-elasticsearch-ilm-stop

@@ -6,7 +6,5 @@
 
 . /usr/sbin/so-common
 
-{%- set NODEIP = salt['pillar.get']('host:mainip', '') %}
-
 echo "Stopping ILM..."
-curl -K /opt/so/conf/elasticsearch/curl.config -s -k -L -X POST https://{{ NODEIP }}:9200/_ilm/stop
+curl -K /opt/so/conf/elasticsearch/curl.config -s -k -L -X POST https://localhost:9200/_ilm/stop

salt/elasticsearch/tools/sbin/so-elasticsearch-index-templates-list

@@ -5,10 +5,9 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 
-{%- set NODEIP = salt['pillar.get']('host:mainip', '') %}
 . /usr/sbin/so-common
 if [ "$1" == "" ]; then
-    curl -K /opt/so/conf/elasticsearch/curl.config -s -k -L https://{{ NODEIP }}:9200/_index_template | jq '.index_templates[] |.name'| sort
+    curl -K /opt/so/conf/elasticsearch/curl.config -s -k -L https://localhost:9200/_index_template | jq '.index_templates[] |.name'| sort
 else
-    curl -K /opt/so/conf/elasticsearch/curl.config -s -k -L https://{{ NODEIP }}:9200/_index_template/$1 | jq
+    curl -K /opt/so/conf/elasticsearch/curl.config -s -k -L https://localhost:9200/_index_template/$1 | jq
 fi

salt/elasticsearch/tools/sbin/so-elasticsearch-indices-list

@@ -5,8 +5,6 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 
-{%- set NODEIP = salt['pillar.get']('host:mainip', '') %}
-
 . /usr/sbin/so-common
 
-curl -K /opt/so/conf/elasticsearch/curl.config -s -k -L "https://{{ NODEIP }}:9200/_cat/indices?pretty&v&s=index"
+curl -K /opt/so/conf/elasticsearch/curl.config -s -k -L "https://localhost:9200/_cat/indices?pretty&v&s=index"

salt/elasticsearch/tools/sbin/so-elasticsearch-indices-rw

@@ -0,0 +1,13 @@
+#!/bin/bash
+#
+#
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+. /usr/sbin/so-common
+
+echo "Removing read only attributes for indices..."
+echo
+curl -K /opt/so/conf/elasticsearch/curl.config -s -k -XPUT -H "Content-Type: application/json" -L https://localhost:9200/_all/_settings -d '{"index.blocks.read_only_allow_delete": null}' 2>&1 | if grep -q ack; then echo "Index settings updated..."; else echo "There was any issue updating the read-only attribute.  Please ensure Elasticsearch is running.";fi;

salt/elasticsearch/tools/sbin/so-elasticsearch-pipeline-stats

@@ -5,12 +5,10 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 
-{%- set NODEIP = salt['pillar.get']('host:mainip', '') %}
-
 . /usr/sbin/so-common
 
 if [ "$1" == "" ]; then
-        curl -K /opt/so/conf/elasticsearch/curl.config -s -k -L https://{{ NODEIP }}:9200/_nodes/stats | jq .nodes | jq ".[] | .ingest.pipelines"
+        curl -K /opt/so/conf/elasticsearch/curl.config -s -k -L https://localhost:9200/_nodes/stats | jq .nodes | jq ".[] | .ingest.pipelines"
 else
-        curl -K /opt/so/conf/elasticsearch/curl.config -s -k -L https://{{ NODEIP }}:9200/_nodes/stats | jq .nodes | jq ".[] | .ingest.pipelines.\"$1\""
+        curl -K /opt/so/conf/elasticsearch/curl.config -s -k -L https://localhost:9200/_nodes/stats | jq .nodes | jq ".[] | .ingest.pipelines.\"$1\""
 fi

salt/elasticsearch/tools/sbin/so-elasticsearch-pipeline-view

@@ -5,12 +5,10 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 
-{%- set NODEIP = salt['pillar.get']('host:mainip', '') %}
-
 . /usr/sbin/so-common
 
 if [ "$1" == "" ]; then
-        curl -K /opt/so/conf/elasticsearch/curl.config -s -k -L https://{{ NODEIP }}:9200/_ingest/pipeline/* | jq .
+        curl -K /opt/so/conf/elasticsearch/curl.config -s -k -L https://localhost:9200/_ingest/pipeline/* | jq .
 else
-        curl -K /opt/so/conf/elasticsearch/curl.config -s -k -L https://{{ NODEIP }}:9200/_ingest/pipeline/$1 | jq .[]
+        curl -K /opt/so/conf/elasticsearch/curl.config -s -k -L https://localhost:9200/_ingest/pipeline/$1 | jq .[]
 fi

salt/elasticsearch/tools/sbin/so-elasticsearch-pipelines-list

@@ -5,10 +5,9 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 
-{%- set NODEIP = salt['pillar.get']('host:mainip', '') %}
 . /usr/sbin/so-common
 if [ "$1" == "" ]; then
-    curl -K /opt/so/conf/elasticsearch/curl.config -s -k -L https://{{ NODEIP }}:9200/_ingest/pipeline/* | jq 'keys'
+    curl -K /opt/so/conf/elasticsearch/curl.config -s -k -L https://localhost:9200/_ingest/pipeline/* | jq 'keys'
 else
-    curl -K /opt/so/conf/elasticsearch/curl.config -s -k -L https://{{ NODEIP }}:9200/_ingest/pipeline/$1 | jq
+    curl -K /opt/so/conf/elasticsearch/curl.config -s -k -L https://localhost:9200/_ingest/pipeline/$1 | jq
 fi

salt/elasticsearch/tools/sbin/so-elasticsearch-roles-load

@@ -7,8 +7,6 @@
 . /usr/sbin/so-common
 
 default_conf_dir=/opt/so/conf
-ELASTICSEARCH_HOST="{{ GLOBALS.node_ip }}"
-ELASTICSEARCH_PORT=9200
 
 # Define a default directory to load roles from
 ELASTICSEARCH_ROLES="$default_conf_dir/elasticsearch/roles/"
@@ -18,7 +16,7 @@ echo -n "Waiting for ElasticSearch..."
 COUNT=0
 ELASTICSEARCH_CONNECTED="no"
 while [[ "$COUNT" -le 240 ]]; do
-    curl -K /opt/so/conf/elasticsearch/curl.config -k --output /dev/null --silent --head --fail -L https://"$ELASTICSEARCH_HOST":"$ELASTICSEARCH_PORT"
+    curl -K /opt/so/conf/elasticsearch/curl.config -k --output /dev/null --silent --head --fail -L https://localhost:9200
 	if [ $? -eq 0 ]; then
 		ELASTICSEARCH_CONNECTED="yes"
 		echo "connected!"

salt/elasticsearch/tools/sbin/so-elasticsearch-shards-list

@@ -5,8 +5,6 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 
-{%- set NODEIP = salt['pillar.get']('host:mainip', '') %}
-
 . /usr/sbin/so-common
 
-curl -K /opt/so/conf/elasticsearch/curl.config -s -k -L https://{{ NODEIP }}:9200/_cat/shards?pretty
+curl -K /opt/so/conf/elasticsearch/curl.config -s -k -L https://localhost:9200/_cat/shards?pretty

salt/elasticsearch/tools/sbin/so-elasticsearch-template-remove

@@ -5,8 +5,6 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 
-{%- set NODEIP = salt['pillar.get']('host:mainip', '') %}
-
 . /usr/sbin/so-common
 
-curl -K /opt/so/conf/elasticsearch/curl.config -s -k -L -XDELETE https://{{ NODEIP }}:9200/_template/$1
+curl -K /opt/so/conf/elasticsearch/curl.config -s -k -L -XDELETE https://localhost:9200/_template/$1

salt/elasticsearch/tools/sbin/so-elasticsearch-template-view

@@ -5,12 +5,10 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 
-{%- set NODEIP = salt['pillar.get']('host:mainip', '') %}
-
 . /usr/sbin/so-common
 
 if [ "$1" == "" ]; then
-        curl -K /opt/so/conf/elasticsearch/curl.config -s -k -L https://{{ NODEIP }}:9200/_template/* | jq .
+        curl -K /opt/so/conf/elasticsearch/curl.config -s -k -L https://localhost:9200/_template/* | jq .
 else
-        curl -K /opt/so/conf/elasticsearch/curl.config -s -k -L https://{{ NODEIP }}:9200/_template/$1 | jq .
+        curl -K /opt/so/conf/elasticsearch/curl.config -s -k -L https://localhost:9200/_template/$1 | jq .
 fi

salt/elasticsearch/tools/sbin/so-elasticsearch-templates-list

@@ -5,10 +5,10 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 
-{%- set NODEIP = salt['pillar.get']('host:mainip', '') %}
 . /usr/sbin/so-common
+
 if [ "$1" == "" ]; then
-    curl -K /opt/so/conf/elasticsearch/curl.config -s -k -L https://{{ NODEIP }}:9200/_template/* | jq 'keys'
+    curl -K /opt/so/conf/elasticsearch/curl.config -s -k -L https://localhost:9200/_template/* | jq 'keys'
 else
-    curl -K /opt/so/conf/elasticsearch/curl.config -s -k -L https://{{ NODEIP }}:9200/_template/$1 | jq
+    curl -K /opt/so/conf/elasticsearch/curl.config -s -k -L https://localhost:9200/_template/$1 | jq
 fi

salt/elasticsearch/tools/sbin/so-elasticsearch-templates-load

@@ -7,9 +7,6 @@
 . /usr/sbin/so-common
 
 default_conf_dir=/opt/so/conf
-ELASTICSEARCH_HOST="{{ GLOBALS.node_ip }}"
-ELASTICSEARCH_PORT=9200
-#ELASTICSEARCH_AUTH=""
 
 # Define a default directory to load pipelines from
 ELASTICSEARCH_TEMPLATES="$default_conf_dir/elasticsearch/templates/"

salt/elasticsearch/tools/sbin_jinja/so-elastic-restart

@@ -0,0 +1,32 @@
+#!/bin/bash
+
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
+{% from 'vars/globals.map.jinja' import GLOBALS %}
+
+. /usr/sbin/so-common
+
+
+{%- if GLOBALS.role in ['so-eval','so-manager', 'so-managersearch', 'so-standalone', 'so-heavynode', 'so-searchnode', 'so-import']%}
+/usr/sbin/so-restart elasticsearch $1
+{%- endif %}
+
+{%- if GLOBALS.role in ['so-eval', 'so-manager', 'so-managersearch', 'so-standalone', 'so-import']%}
+/usr/sbin/so-restart kibana $1
+{%- endif %}
+
+{%- if GLOBALS.role in ['so-manager', 'so-managersearch', 'so-standalone', 'so-heavynode', 'so-searchnode']%}
+/usr/sbin/so-restart logstash $1
+{%- endif %}
+
+{%- if GLOBALS.role in ['so-manager', 'so-managersearch', 'so-standalone', 'so-heavynode', 'so-searchnode']%}
+/usr/sbin/so-restart curator $1
+{%- endif %}
+
+{%- if GLOBALS.role in ['so-eval','so-manager', 'so-managersearch', 'so-standalone']%}
+/usr/sbin/so-restart elastalert $1
+{%- endif %}

salt/elasticsearch/tools/sbin_jinja/so-elastic-start

@@ -0,0 +1,31 @@
+#!/bin/bash
+
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'vars/globals.map.jinja' import GLOBALS %}
+
+. /usr/sbin/so-common
+
+
+{%- if GLOBALS.role in ['so-eval','so-manager', 'so-managersearch', 'so-standalone', 'so-heavynode', 'so-searchnode', 'so-import']%}
+/usr/sbin/so-start elasticsearch $1
+{%- endif %}
+
+{%- if GLOBALS.role in ['so-eval', 'so-manager', 'so-managersearch', 'so-standalone', 'so-import']%}
+/usr/sbin/so-start kibana $1
+{%- endif %}
+
+{%- if GLOBALS.role in ['so-manager', 'so-managersearch', 'so-standalone', 'so-heavynode', 'so-searchnode']%}
+/usr/sbin/so-start logstash $1
+{%- endif %}
+
+{%- if GLOBALS.role in ['so-manager', 'so-managersearch', 'so-standalone', 'so-heavynode', 'so-searchnode']%}
+/usr/sbin/so-start curator $1
+{%- endif %}
+
+{%- if GLOBALS.role in ['so-eval','so-manager', 'so-managersearch', 'so-standalone']%}
+/usr/sbin/so-start elastalert $1
+{%- endif %}

salt/elasticsearch/tools/sbin_jinja/so-elastic-stop

@@ -0,0 +1,31 @@
+#!/bin/bash
+
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'vars/globals.map.jinja' import GLOBALS %}
+
+. /usr/sbin/so-common
+
+
+{%- if GLOBALS.role in ['so-eval','so-manager', 'so-managersearch', 'so-standalone', 'so-heavynode', 'so-searchnode', 'so-import']%}
+/usr/sbin/so-stop elasticsearch $1
+{%- endif %}
+
+{%- if GLOBALS.role in ['so-eval', 'so-manager', 'so-managersearch', 'so-standalone', 'so-import']%}
+/usr/sbin/so-stop kibana $1
+{%- endif %}
+
+{%- if GLOBALS.role in ['so-manager', 'so-managersearch', 'so-standalone', 'so-heavynode', 'so-searchnode']%}
+/usr/sbin/so-stop logstash $1
+{%- endif %}
+
+{%- if GLOBALS.role in ['so-manager', 'so-managersearch', 'so-standalone', 'so-heavynode', 'so-searchnode']%}
+/usr/sbin/so-stop curator $1
+{%- endif %}
+
+{%- if GLOBALS.role in ['so-eval','so-manager', 'so-managersearch', 'so-standalone']%}
+/usr/sbin/so-stop elastalert $1
+{%- endif %}

salt/elasticsearch/tools/sbin_jinja/so-elasticsearch-ilm-policy-load

@@ -8,13 +8,12 @@
 
 {% import_yaml 'elasticsearch/defaults.yaml' as ESCONFIG with context %}
 {%- set ES_INDEX_SETTINGS = salt['pillar.get']('elasticsearch:index_settings', default=ESCONFIG.elasticsearch.index_settings, merge=True) %}
-{%- set NODEIP = salt['pillar.get']('host:mainip', '') %}
 
 {%- for index, settings in ES_INDEX_SETTINGS.items() %}
   {%- if settings.policy is defined %}
 echo
 echo "Setting up {{ index }}-logs policy..."
-curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -s -k -L -X PUT "https://{{ NODEIP }}:9200/_ilm/policy/{{ index }}-logs" -H 'Content-Type: application/json' -d'{ "policy": {{ settings.policy | tojson(true) }} }'
+curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -s -k -L -X PUT "https://localhost:9200/_ilm/policy/{{ index }}-logs" -H 'Content-Type: application/json' -d'{ "policy": {{ settings.policy | tojson(true) }} }'
 echo
   {%- endif %}
 {%- endfor %}

salt/idh/init.sls

@@ -60,6 +60,23 @@ opencanary_config:
     - defaults:
         OPENCANARYCONFIG: {{ OPENCANARYCONFIG }}
 
+idh_sbin:
+  file.recurse:
+    - name: /usr/sbin
+    - source: salt://idh/tools/sbin
+    - user: 934
+    - group: 939
+    - file_mode: 755
+
+#idh_sbin_jinja:
+#  file.recurse:
+#    - name: /usr/sbin
+#    - source: salt://idh/tools/sbin_jinja
+#    - user: 939
+#    - group: 939 
+#    - file_mode: 755
+#    - template: jinja
+
 so-idh:
   docker_container.running:
     - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-idh:{{ GLOBALS.so_version }}

salt/idstools/init.sls

@@ -20,6 +20,23 @@ idstoolslogdir:
     - group: 939
     - makedirs: True
 
+idstools_sbin:
+  file.recurse:
+    - name: /usr/sbin
+    - source: salt://idstools/tools/sbin
+    - user: 934
+    - group: 939
+    - file_mode: 755
+
+#idstools_sbin_jinja:
+#  file.recurse:
+#    - name: /usr/sbin
+#    - source: salt://idstools/tools/sbin_jinja
+#    - user: 934
+#    - group: 939 
+#    - file_mode: 755
+#    - template: jinja
+
 so-rule-update:
   cron.present:
     - name: /usr/sbin/so-rule-update > /opt/so/log/idstools/download.log 2>&1