enable/disable each strelka container in ui

salt/manager/init.sls

@@ -5,10 +5,11 @@
 
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls in allowed_states %}
-{% from 'vars/globals.map.jinja' import GLOBALS %}
-{% from 'strelka/map.jinja' import STRELKAMERGED %}
-{% import_yaml 'manager/defaults.yaml' as MANAGERDEFAULTS %}
-{% set MANAGERMERGED = salt['pillar.get']('manager', MANAGERDEFAULTS.manager, merge=true) %}
+{%   from 'vars/globals.map.jinja' import GLOBALS %}
+{%   from 'strelka/map.jinja' import STRELKAMERGED %}
+{%   import_yaml 'manager/defaults.yaml' as MANAGERDEFAULTS %}
+{%   set MANAGERMERGED = salt['pillar.get']('manager', MANAGERDEFAULTS.manager, merge=true) %}
+{%   from 'strelka/map.jinja' import STRELKAMERGED %}
 
 include:
   - salt.minion
@@ -81,6 +82,16 @@ socore_own_saltstack:
       - user
       - group
 
+{%   if STRELKAMERGED.rules.enabled %}
+strelkarepos:
+  file.managed:
+    - name: /opt/so/conf/strelka/repos.txt
+    - source: salt://strelka/rules/repos.txt.jinja
+    - template: jinja
+    - defaults:
+        STRELKAREPOS: {{ STRELKAMERGED.rules.repos }}
+{%   endif %}
+
 yara_update_script:
   file.managed:
     - name: /usr/sbin/so-yara-update

salt/manager/tools/sbin/so-minion

@@ -249,6 +249,54 @@ function add_redis_to_minion() {
 	"  " >> $PILLARFILE
 }
 
+function add_strelka_backend_to_minion() {
+    printf '%s\n'\
+    "strelka:"\
+	"  backend:"\
+    "    enabled: True"\
+	"  " >> $PILLARFILE
+}
+
+function add_strelka_filestream_to_minion() {
+    printf '%s\n'\
+    "strelka:"\
+	"  filestream:"\
+    "    enabled: True"\
+	"  " >> $PILLARFILE
+}
+
+function add_strelka_frontend_to_minion() {
+    printf '%s\n'\
+    "strelka:"\
+	"  frontend:"\
+    "    enabled: True"\
+	"  " >> $PILLARFILE
+}
+
+function add_strelka_manager_to_minion() {
+    printf '%s\n'\
+    "strelka:"\
+	"  manager:"\
+    "    enabled: True"\
+	"  " >> $PILLARFILE
+}
+
+function add_strelka_coordinator_to_minion() {
+    printf '%s\n'\
+    "strelka:"\
+	"  coordinator:"\
+    "    enabled: True"\
+	"  " >> $PILLARFILE
+}
+
+function add_strelka_gatekeeper_to_minion() {
+    printf '%s\n'\
+    "strelka:"\
+	"  gatekeeper:"\
+    "    enabled: True"\
+	"  " >> $PILLARFILE
+}
+
 function create_fleet_policy() {
 
 	JSON_STRING=$( jq -n \
@@ -295,6 +343,12 @@ function apply_ES_state() {
 function createEVAL() {
 	add_elasticsearch_to_minion
 	add_sensor_to_minion
+	add_strelka_backend_to_minion
+    add_strelka_filestream_to_minion
+    add_strelka_frontend_to_minion
+    add_strelka_manager_to_minion
+    add_strelka_coordinator_to_minion
+    add_strelka_gatekeeper_to_minion
 	add_elastalert_to_minion
 	add_kibana_to_minion
 }
@@ -303,6 +357,12 @@ function createSTANDALONE() {
 	add_elasticsearch_to_minion
 	add_logstash_to_minion
 	add_sensor_to_minion
+	add_strelka_backend_to_minion
+    add_strelka_filestream_to_minion
+    add_strelka_frontend_to_minion
+    add_strelka_manager_to_minion
+    add_strelka_coordinator_to_minion
+    add_strelka_gatekeeper_to_minion
 	add_playbook_to_minion
 	add_elastalert_to_minion
 	add_kibana_to_minion
@@ -349,11 +409,23 @@ function createHEAVYNODE() {
 	add_elasticsearch_to_minion
 	add_logstash_to_minion
 	add_sensor_to_minion
+	add_strelka_backend_to_minion
+    add_strelka_filestream_to_minion
+    add_strelka_frontend_to_minion
+    add_strelka_manager_to_minion
+    add_strelka_coordinator_to_minion
+    add_strelka_gatekeeper_to_minion
 	add_redis_to_minion
 }
 
 function createSENSOR() {
 	add_sensor_to_minion
+	add_strelka_backend_to_minion
+    add_strelka_filestream_to_minion
+    add_strelka_frontend_to_minion
+    add_strelka_manager_to_minion
+    add_strelka_coordinator_to_minion
+    add_strelka_gatekeeper_to_minion
 }
 
 function createSEARCHNODE() {

salt/strelka/backend/config.sls

@@ -0,0 +1,69 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls.split('.')[0] in allowed_states %}
+{%   from 'strelka/map.jinja' import STRELKAMERGED %}
+
+include:
+  - strelka.config
+  - strelka.backend.sostatus
+
+backend_backend_config:
+  file.managed:
+    - name: /opt/so/conf/strelka/backend/backend.yaml
+    - source: salt://strelka/backend/files/backend.yaml.jinja
+    - template: jinja
+    - user: 939
+    - group: 939
+    - makedirs: True
+    - defaults:
+        BACKENDCONFIG: {{ STRELKAMERGED.backend.config.backend }}
+
+backend_logging_config:
+  file.managed:
+    - name: /opt/so/conf/strelka/backend/logging.yaml
+    - source: salt://strelka/backend/files/logging.yaml.jinja
+    - template: jinja
+    - user: 939
+    - group: 939
+    - defaults:
+        LOGGINGCONFIG: {{ STRELKAMERGED.backend.config.logging }}
+
+backend_passwords:
+  file.managed:
+    - name: /opt/so/conf/strelka/backend/passwords.dat
+    - source: salt://strelka/backend/files/passwords.dat.jinja
+    - template: jinja
+    - user: 939
+    - group: 939
+    - defaults:
+        PASSWORDS: {{ STRELKAMERGED.backend.config.passwords }}
+
+backend_taste:
+  file.managed:
+    - name: /opt/so/conf/strelka/backend/taste/taste.yara
+    - source: salt://strelka/backend/files/taste/taste.yara
+    - makedirs: True
+    - user: 939
+    - group: 939
+
+{%   if STRELKAMERGED.rules.enabled %}
+strelkarules:
+  file.recurse:
+    - name: /opt/so/conf/strelka/rules
+    - source: salt://strelka/rules
+    - user: 939
+    - group: 939
+    - clean: True
+{%   endif %}
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+  test.fail_without_changes:
+    - name: {{sls}}_state_not_allowed
+
+{% endif %}

salt/strelka/backend/disabled.sls

@@ -0,0 +1,27 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls.split('.')[0] in allowed_states %}
+
+include:
+  - strelka.backend.sostatus
+  
+so-strelka-backend:
+  docker_container.absent:
+    - force: True
+
+so-strelka-backend_so-status.disabled:
+  file.comment:
+    - name: /opt/so/conf/so-status/so-status.conf
+    - regex: ^so-strelka-backend$
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+  test.fail_without_changes:
+    - name: {{sls}}_state_not_allowed
+
+{% endif %}

salt/strelka/backend/enabled.sls

@@ -0,0 +1,41 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls.split('.')[0] in allowed_states %}
+{%   from 'docker/docker.map.jinja' import DOCKER %}
+{%   from 'vars/globals.map.jinja' import GLOBALS %}
+
+include:
+  - strelka.backend.config
+  - strelka.backend.sostatus
+
+strelka_backend:
+  docker_container.running:
+    - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-strelka-backend:{{ GLOBALS.so_version }}
+    - binds:
+      - /opt/so/conf/strelka/backend/:/etc/strelka/:ro
+      - /opt/so/conf/strelka/rules/:/etc/yara/:ro
+    - name: so-strelka-backend
+    - networks:
+      - sobridge:
+        - ipv4_address: {{ DOCKER.containers['so-strelka-backend'].ip }}
+    - command: strelka-backend
+    - extra_hosts:
+      - {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
+    - restart_policy: on-failure
+
+delete_so-strelka-backend_so-status.disabled:
+  file.uncomment:
+    - name: /opt/so/conf/so-status/so-status.conf
+    - regex: ^so-strelka-backend$
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+  test.fail_without_changes:
+    - name: {{sls}}_state_not_allowed
+
+{% endif %}

salt/strelka/backend/init.sls

@@ -0,0 +1,13 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'strelka/map.jinja' import STRELKAMERGED %}
+
+include:
+{% if STRELKAMERGED.backend.enabled %}
+  - strelka.backend.enabled
+{% else %}
+  - strelka.backend.disabled
+{% endif %}

salt/strelka/backend/sostatus.sls

@@ -0,0 +1,21 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls.split('.')[0] in allowed_states %}
+
+append_so-strelka-backend_so-status.conf:
+  file.append:
+    - name: /opt/so/conf/so-status/so-status.conf
+    - text: so-strelka-backend
+    - unless: grep -q so-strelka-backend /opt/so/conf/so-status/so-status.conf
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+  test.fail_without_changes:
+    - name: {{sls}}_state_not_allowed
+
+{% endif %}

salt/strelka/config.sls

@@ -0,0 +1,61 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls.split('.')[0] in allowed_states %}
+
+# Strelka config
+strelkaconfdir:
+  file.directory:
+    - name: /opt/so/conf/strelka
+    - user: 939
+    - group: 939
+    - makedirs: True
+
+strelkarulesdir:
+  file.directory:
+    - name: /opt/so/conf/strelka/rules
+    - user: 939
+    - group: 939
+    - makedirs: True
+
+strelkadatadir:
+   file.directory:
+    - name: /nsm/strelka
+    - user: 939
+    - group: 939
+    - makedirs: True
+
+strelkalogdir:
+  file.directory:
+    - name: /nsm/strelka/log
+    - user: 939
+    - group: 939
+    - makedirs: True
+
+strelka_sbin:
+  file.recurse:
+    - name: /usr/sbin
+    - source: salt://strelka/tools/sbin
+    - user: 939
+    - group: 939
+    - file_mode: 755
+
+#strelka_sbin_jinja:
+#  file.recurse:
+#    - name: /usr/sbin
+#    - source: salt://strelka/tools/sbin_jinja
+#    - user: 939
+#    - group: 939 
+#    - file_mode: 755
+#    - template: jinja
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+  test.fail_without_changes:
+    - name: {{sls}}_state_not_allowed
+
+{% endif %}

salt/strelka/coordinator/config.sls

@@ -0,0 +1,19 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls.split('.')[0] in allowed_states %}
+
+include:
+  - strelka.config
+  - strelka.coordinator.sostatus
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+  test.fail_without_changes:
+    - name: {{sls}}_state_not_allowed
+
+{% endif %}

salt/strelka/coordinator/disabled.sls

@@ -0,0 +1,27 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls.split('.')[0] in allowed_states %}
+
+include:
+  - strelka.coordinator.sostatus
+  
+so-strelka-coordinator:
+  docker_container.absent:
+    - force: True
+
+so-strelka-coordinator_so-status.disabled:
+  file.comment:
+    - name: /opt/so/conf/so-status/so-status.conf
+    - regex: ^so-strelka-coordinator$
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+  test.fail_without_changes:
+    - name: {{sls}}_state_not_allowed
+
+{% endif %}

salt/strelka/coordinator/enabled.sls

@@ -0,0 +1,41 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls.split('.')[0] in allowed_states %}
+{%   from 'docker/docker.map.jinja' import DOCKER %}
+{%   from 'vars/globals.map.jinja' import GLOBALS %}
+
+include:
+  - strelka.coordinator.config
+  - strelka.coordinator.sostatus
+
+strelka_coordinator:
+  docker_container.running:
+    - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-redis:{{ GLOBALS.so_version }}
+    - name: so-strelka-coordinator
+    - networks:
+      - sobridge:
+        - ipv4_address: {{ DOCKER.containers['so-strelka-coordinator'].ip }}
+    - entrypoint: redis-server --save "" --appendonly no
+    - extra_hosts:
+      - {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
+    - port_bindings:
+      {% for BINDING in DOCKER.containers['so-strelka-coordinator'].port_bindings %}
+      - {{ BINDING }}
+      {% endfor %}
+
+delete_so-strelka-coordinator_so-status.disabled:
+  file.uncomment:
+    - name: /opt/so/conf/so-status/so-status.conf
+    - regex: ^so-strelka-coordinator$
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+  test.fail_without_changes:
+    - name: {{sls}}_state_not_allowed
+
+{% endif %}

salt/strelka/coordinator/init.sls

@@ -0,0 +1,13 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'strelka/map.jinja' import STRELKAMERGED %}
+
+include:
+{% if STRELKAMERGED.coordinator.enabled %}
+  - strelka.coordinator.enabled
+{% else %}
+  - strelka.coordinator.disabled
+{% endif %}

salt/strelka/coordinator/sostatus.sls

@@ -0,0 +1,21 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls.split('.')[0] in allowed_states %}
+
+append_so-strelka-coordinator_so-status.conf:
+  file.append:
+    - name: /opt/so/conf/so-status/so-status.conf
+    - text: so-strelka-coordinator
+    - unless: grep -q so-strelka-coordinator /opt/so/conf/so-status/so-status.conf
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+  test.fail_without_changes:
+    - name: {{sls}}_state_not_allowed
+
+{% endif %}

salt/strelka/defaults.yaml

@@ -1,6 +1,7 @@
 strelka:
-  config:
-    backend:
+  backend:
+    enabled: False
+    config:
       backend:
         logging_cfg: '/etc/strelka/logging.yaml'
         limits:
@@ -493,7 +494,9 @@ strelka:
       passwords:
         - infected
         - password
-    filestream:
+  filestream:
+    enabled: False
+    config:
       conn:
         server: 'HOST:57314'
         cert: ''
@@ -514,7 +517,9 @@ strelka:
         report: 5s
       delta: 5s
       staging: '/nsm/strelka/staging'
-    frontend:
+  frontend:
+    enabled: False
+    config:
       server: ":57314"
       coordinator:
         addr: 'HOST:6380'
@@ -525,10 +530,16 @@ strelka:
         ttl: 1h
       response:
         log: "/var/log/strelka/strelka.log"
-    manager:
+  manager:
+    enabled: False
+    config:
       coordinator:
         addr: 'HOST:6380'
         db: 0
+  coordinator:
+    enabled: False
+  gatekeeper:
+    enabled: False
   rules:
     enabled: True
     repos:

salt/strelka/filestream/config.sls

@@ -0,0 +1,108 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls.split('.')[0] in allowed_states %}
+{%   from 'strelka/map.jinja' import STRELKAMERGED %}
+{%   from 'strelka/map.jinja' import filecheck_runas %}
+
+include:
+  - strelka.config
+  - strelka.filestream.sostatus
+
+strelkaprocessed:
+   file.directory:
+    - name: /nsm/strelka/processed
+    - user: 939
+    - group: 939
+    - makedirs: True
+
+strelkastaging:
+   file.directory:
+    - name: /nsm/strelka/staging
+    - user: 939
+    - group: 939
+    - makedirs: True
+
+strelkaunprocessed:
+   file.directory:
+    - name: /nsm/strelka/unprocessed
+    - user: 939
+    - group: 939
+    - mode: 775
+    - makedirs: True
+
+filestream_config:
+  file.managed:
+    - name: /opt/so/conf/strelka/filestream/filestream.yaml
+    - source: salt://strelka/filestream/files/filestream.yaml.jinja
+    - template: jinja
+    - user: 939
+    - group: 939
+    - makedirs: True
+    - defaults:
+        FILESTREAMCONFIG: {{ STRELKAMERGED.filestream.config }}
+
+# Filecheck Section
+filecheck_logdir:
+  file.directory:
+    - name: /opt/so/log/strelka
+    - user: 939
+    - group: 939
+    - mode: 775
+    - makedirs: True
+
+filecheck_history:
+  file.directory:
+    - name: /nsm/strelka/history
+    - user: 939
+    - group: 939
+    - mode: 775
+    - makedirs: True
+
+filecheck_conf:
+  file.managed:
+    - name: /opt/so/conf/strelka/filecheck.yaml
+    - source: salt://strelka/filecheck/filecheck.yaml.jinja
+    - template: jinja
+    - defaults:
+        FILECHECKCONFIG: {{ STRELKAMERGED.filecheck }}
+
+filecheck_script:
+  file.managed:
+    - name: /opt/so/conf/strelka/filecheck
+    - source: salt://strelka/filecheck/filecheck
+    - user: 939
+    - group: 939
+    - mode: 755
+
+filecheck_restart:
+  cmd.run:
+    - name: pkill -f "python3 /opt/so/conf/strelka/filecheck"
+    - hide_output: True
+    - success_retcodes: [0,1]
+    - onchanges:
+      - file: filecheck_script
+
+filecheck_run:
+  cron.present:
+    - name: 'ps -ef | grep filecheck | grep -v grep > /dev/null 2>&1 || python3 /opt/so/conf/strelka/filecheck >> /opt/so/log/strelka/filecheck_stdout.log 2>&1 &'
+    - identifier: filecheck_run
+    - user: {{ filecheck_runas }}
+
+filcheck_history_clean:
+  cron.present:
+    - name: '/usr/bin/find /nsm/strelka/history/ -type f -mtime +2 -exec rm {} + > /dev/null 2>&1'
+    - identifier: filecheck_history_clean
+    - minute: '33'
+# End Filecheck Section
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+  test.fail_without_changes:
+    - name: {{sls}}_state_not_allowed
+
+{% endif %}

salt/strelka/filestream/disabled.sls

@@ -0,0 +1,27 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls.split('.')[0] in allowed_states %}
+
+include:
+  - strelka.filestream.sostatus
+  
+so-strelka-filestream:
+  docker_container.absent:
+    - force: True
+
+so-strelka-filestream_so-status.disabled:
+  file.comment:
+    - name: /opt/so/conf/so-status/so-status.conf
+    - regex: ^so-strelka-filestream$
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+  test.fail_without_changes:
+    - name: {{sls}}_state_not_allowed
+
+{% endif %}

salt/strelka/filestream/enabled.sls

@@ -0,0 +1,38 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls.split('.')[0] in allowed_states %}
+
+include:
+  - strelka.filestream.config
+  - strelka.filestream.sostatus
+
+strelka_filestream:
+  docker_container.running:
+    - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-strelka-filestream:{{ GLOBALS.so_version }}
+    - binds:
+      - /opt/so/conf/strelka/filestream/:/etc/strelka/:ro
+      - /nsm/strelka:/nsm/strelka
+    - name: so-strelka-filestream
+    - networks:
+      - sobridge:
+        - ipv4_address: {{ DOCKER.containers['so-strelka-filestream'].ip }}
+    - command: strelka-filestream
+    - extra_hosts:
+      - {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
+
+delete_so-strelka-filestream_so-status.disabled:
+  file.uncomment:
+    - name: /opt/so/conf/so-status/so-status.conf
+    - regex: ^so-strelka-filestream$
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+  test.fail_without_changes:
+    - name: {{sls}}_state_not_allowed
+
+{% endif %}

salt/strelka/filestream/init.sls

@@ -0,0 +1,13 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'strelka/map.jinja' import STRELKAMERGED %}
+
+include:
+{% if STRELKAMERGED.filestream.enabled %}
+  - strelka.filestream.enabled
+{% else %}
+  - strelka.filestream.disabled
+{% endif %}

salt/strelka/filestream/sostatus.sls

@@ -0,0 +1,21 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls.split('.')[0] in allowed_states %}
+
+append_so-strelka-filestream_so-status.conf:
+  file.append:
+    - name: /opt/so/conf/so-status/so-status.conf
+    - text: so-strelka-filestream
+    - unless: grep -q so-strelka-filestream /opt/so/conf/so-status/so-status.conf
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+  test.fail_without_changes:
+    - name: {{sls}}_state_not_allowed
+
+{% endif %}

salt/strelka/frontend/config.sls

@@ -0,0 +1,36 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls.split('.')[0] in allowed_states %}
+{%   from 'strelka/map.jinja' import STRELKAMERGED %}
+
+include:
+  - strelka.config
+  - strelka.frontend.sostatus
+
+# Check to see if Strelka frontend port is available
+strelkaportavailable:
+    cmd.run:
+      - name: netstat -utanp | grep ":57314" | grep -qvE 'docker|TIME_WAIT' && PROCESS=$(netstat -utanp | grep ":57314" | uniq) && echo "Another process ($PROCESS) appears to be using port 57314.  Please terminate this process, or reboot to ensure a clean state so that Strelka can start properly." && exit 1 || exit 0
+
+frontend_config:
+  file.managed:
+    - name: /opt/so/conf/strelka/frontend/frontend.yaml
+    - source: salt://strelka/frontend/files/frontend.yaml.jinja
+    - template: jinja
+    - user: 939
+    - group: 939
+    - makedirs: True
+    - defaults:
+        FRONTENDCONFIG: {{ STRELKAMERGED.frontend.config }}
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+  test.fail_without_changes:
+    - name: {{sls}}_state_not_allowed
+
+{% endif %}

salt/strelka/frontend/disabled.sls

@@ -0,0 +1,27 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls.split('.')[0] in allowed_states %}
+
+include:
+  - strelka.frontend.sostatus
+  
+so-strelka-frontend:
+  docker_container.absent:
+    - force: True
+
+so-strelka-frontend_so-status.disabled:
+  file.comment:
+    - name: /opt/so/conf/so-status/so-status.conf
+    - regex: ^so-strelka-frontend$
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+  test.fail_without_changes:
+    - name: {{sls}}_state_not_allowed
+
+{% endif %}

salt/strelka/frontend/enabled.sls

@@ -0,0 +1,45 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls.split('.')[0] in allowed_states %}
+{%   from 'docker/docker.map.jinja' import DOCKER %}
+{%   from 'vars/globals.map.jinja' import GLOBALS %}
+
+include:
+  - strelka.frontend.config
+  - strelka.frontend.sostatus
+
+strelka_frontend:
+  docker_container.running:
+    - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-strelka-frontend:{{ GLOBALS.so_version }}
+    - binds:
+      - /opt/so/conf/strelka/frontend/:/etc/strelka/:ro
+      - /nsm/strelka/log/:/var/log/strelka/:rw
+    - privileged: True
+    - name: so-strelka-frontend
+    - networks:
+      - sobridge:
+        - ipv4_address: {{ DOCKER.containers['so-strelka-frontend'].ip }}
+    - command: strelka-frontend
+    - extra_hosts:
+      - {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
+    - port_bindings:
+      {% for BINDING in DOCKER.containers['so-strelka-frontend'].port_bindings %}
+      - {{ BINDING }}
+      {% endfor %}
+
+delete_so-strelka-frontend_so-status.disabled:
+  file.uncomment:
+    - name: /opt/so/conf/so-status/so-status.conf
+    - regex: ^so-strelka-frontend$
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+  test.fail_without_changes:
+    - name: {{sls}}_state_not_allowed
+
+{% endif %}

salt/strelka/frontend/init.sls

@@ -0,0 +1,13 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'strelka/map.jinja' import STRELKAMERGED %}
+
+include:
+{% if STRELKAMERGED.frontend.enabled %}
+  - strelka.frontend.enabled
+{% else %}
+  - strelka.frontend.disabled
+{% endif %}

salt/strelka/frontend/sostatus.sls

@@ -0,0 +1,21 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls.split('.')[0] in allowed_states %}
+
+append_so-strelka-frontend_so-status.conf:
+  file.append:
+    - name: /opt/so/conf/so-status/so-status.conf
+    - text: so-strelka-frontend
+    - unless: grep -q so-strelka-frontend /opt/so/conf/so-status/so-status.conf
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+  test.fail_without_changes:
+    - name: {{sls}}_state_not_allowed
+
+{% endif %}

salt/strelka/gatekeeper/config.sls

@@ -0,0 +1,19 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls.split('.')[0] in allowed_states %}
+
+include:
+  - strelka.config
+  - strelka.gatekeeper.sostatus
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+  test.fail_without_changes:
+    - name: {{sls}}_state_not_allowed
+
+{% endif %}

salt/strelka/gatekeeper/disabled.sls

@@ -0,0 +1,27 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls.split('.')[0] in allowed_states %}
+
+include:
+  - strelka.gatekeeper.sostatus
+  
+so-strelka-gatekeeper:
+  docker_container.absent:
+    - force: True
+
+so-strelka-gatekeeper_so-status.disabled:
+  file.comment:
+    - name: /opt/so/conf/so-status/so-status.conf
+    - regex: ^so-strelka-gatekeeper$
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+  test.fail_without_changes:
+    - name: {{sls}}_state_not_allowed
+
+{% endif %}

salt/strelka/gatekeeper/enabled.sls

@@ -0,0 +1,41 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls.split('.')[0] in allowed_states %}
+{%   from 'docker/docker.map.jinja' import DOCKER %}
+{%   from 'vars/globals.map.jinja' import GLOBALS %}
+
+include:
+  - strelka.gatekeeper.config
+  - strelka.gatekeeper.sostatus
+
+strelka_gatekeeper:
+  docker_container.running:
+    - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-redis:{{ GLOBALS.so_version }}
+    - name: so-strelka-gatekeeper
+    - networks:
+      - sobridge:
+        - ipv4_address: {{ DOCKER.containers['so-strelka-gatekeeper'].ip }}
+    - entrypoint: redis-server --save "" --appendonly no --maxmemory-policy allkeys-lru
+    - extra_hosts:
+      - {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
+    - port_bindings:
+      {% for BINDING in DOCKER.containers['so-strelka-gatekeeper'].port_bindings %}
+      - {{ BINDING }}
+      {% endfor %}
+
+delete_so-strelka-gatekeeper_so-status.disabled:
+  file.uncomment:
+    - name: /opt/so/conf/so-status/so-status.conf
+    - regex: ^so-strelka-gatekeeper$
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+  test.fail_without_changes:
+    - name: {{sls}}_state_not_allowed
+
+{% endif %}

salt/strelka/gatekeeper/init.sls

@@ -0,0 +1,13 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'strelka/map.jinja' import STRELKAMERGED %}
+
+include:
+{% if STRELKAMERGED.gatekeeper.enabled %}
+  - strelka.gatekeeper.enabled
+{% else %}
+  - strelka.gatekeeper.disabled
+{% endif %}

salt/strelka/gatekeeper/sostatus.sls

@@ -0,0 +1,21 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls.split('.')[0] in allowed_states %}
+
+append_so-strelka-gatekeeper_so-status.conf:
+  file.append:
+    - name: /opt/so/conf/so-status/so-status.conf
+    - text: so-strelka-gatekeeper
+    - unless: grep -q so-strelka-gatekeeper /opt/so/conf/so-status/so-status.conf
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+  test.fail_without_changes:
+    - name: {{sls}}_state_not_allowed
+
+{% endif %}

salt/strelka/init.sls

@@ -3,361 +3,41 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 
-{% from 'allowed_states.map.jinja' import allowed_states %}
-{% if sls in allowed_states %}
-{% from 'docker/docker.map.jinja' import DOCKER %}
-{% from 'vars/globals.map.jinja' import GLOBALS %}
-
 {% from 'strelka/map.jinja' import STRELKAMERGED %}
-{% from 'strelka/map.jinja' import filecheck_runas %}
-
-# Strelka config
-strelkaconfdir:
-  file.directory:
-    - name: /opt/so/conf/strelka
-    - user: 939
-    - group: 939
-    - makedirs: True
-
-strelkarulesdir:
-  file.directory:
-    - name: /opt/so/conf/strelka/rules
-    - user: 939
-    - group: 939
-    - makedirs: True
-
-backend_backend_config:
-  file.managed:
-    - name: /opt/so/conf/strelka/backend/backend.yaml
-    - source: salt://strelka/files/backend/backend.yaml.jinja
-    - template: jinja
-    - user: 939
-    - group: 939
-    - makedirs: True
-    - defaults:
-        BACKENDCONFIG: {{ STRELKAMERGED.config.backend.backend }}
-
-backend_logging_config:
-  file.managed:
-    - name: /opt/so/conf/strelka/backend/logging.yaml
-    - source: salt://strelka/files/backend/logging.yaml.jinja
-    - template: jinja
-    - user: 939
-    - group: 939
-    - defaults:
-        LOGGINGCONFIG: {{ STRELKAMERGED.config.backend.logging }}
-
-backend_passwords:
-  file.managed:
-    - name: /opt/so/conf/strelka/backend/passwords.dat
-    - source: salt://strelka/files/backend/passwords.dat.jinja
-    - template: jinja
-    - user: 939
-    - group: 939
-    - defaults:
-        PASSWORDS: {{ STRELKAMERGED.config.backend.passwords }}
-
-strelka_sbin:
-  file.recurse:
-    - name: /usr/sbin
-    - source: salt://strelka/tools/sbin
-    - user: 939
-    - group: 939
-    - file_mode: 755
-
-#strelka_sbin_jinja:
-#  file.recurse:
-#    - name: /usr/sbin
-#    - source: salt://strelka/tools/sbin_jinja
-#    - user: 939
-#    - group: 939 
-#    - file_mode: 755
-#    - template: jinja
-
-backend_taste:
-  file.managed:
-    - name: /opt/so/conf/strelka/backend/taste/taste.yara
-    - source: salt://strelka/files/backend/taste/taste.yara
-    - makedirs: True
-    - user: 939
-    - group: 939
-
-filestream_config:
-  file.managed:
-    - name: /opt/so/conf/strelka/filestream/filestream.yaml
-    - source: salt://strelka/files/filestream/filestream.yaml.jinja
-    - template: jinja
-    - user: 939
-    - group: 939
-    - makedirs: True
-    - defaults:
-        FILESTREAMCONFIG: {{ STRELKAMERGED.config.filestream }}
-
-frontend_config:
-  file.managed:
-    - name: /opt/so/conf/strelka/frontend/frontend.yaml
-    - source: salt://strelka/files/frontend/frontend.yaml.jinja
-    - template: jinja
-    - user: 939
-    - group: 939
-    - makedirs: True
-    - defaults:
-        FRONTENDCONFIG: {{ STRELKAMERGED.config.frontend }}
-
-manager_config:
-  file.managed:
-    - name: /opt/so/conf/strelka/manager/manager.yaml
-    - source: salt://strelka/files/manager/manager.yaml.jinja
-    - template: jinja
-    - user: 939
-    - group: 939
-    - makedirs: True
-    - defaults:
-        MANAGERCONFIG: {{ STRELKAMERGED.config.manager }}
-
-{%   if STRELKAMERGED.rules.enabled %}
-
-strelkarules:
-  file.recurse:
-    - name: /opt/so/conf/strelka/rules
-    - source: salt://strelka/rules
-    - user: 939
-    - group: 939
-    - clean: True
-
-{%     if grains['role'] in GLOBALS.manager_roles %}
-strelkarepos:
-  file.managed:
-    - name: /opt/so/conf/strelka/repos.txt
-    - source: salt://strelka/rules/repos.txt.jinja
-    - template: jinja
-    - defaults:
-        STRELKAREPOS: {{ STRELKAMERGED.rules.repos }}
-
-{%     endif %}
-{%   endif %}
-
-strelkadatadir:
-   file.directory:
-    - name: /nsm/strelka
-    - user: 939
-    - group: 939
-    - makedirs: True
-
-strelkalogdir:
-  file.directory:
-    - name: /nsm/strelka/log
-    - user: 939
-    - group: 939
-    - makedirs: True
-
-strelkaprocessed:
-   file.directory:
-    - name: /nsm/strelka/processed
-    - user: 939
-    - group: 939
-    - makedirs: True
-
-strelkastaging:
-   file.directory:
-    - name: /nsm/strelka/staging
-    - user: 939
-    - group: 939
-    - makedirs: True
-
-strelkaunprocessed:
-   file.directory:
-    - name: /nsm/strelka/unprocessed
-    - user: 939
-    - group: 939
-    - mode: 775
-    - makedirs: True
-
-# Check to see if Strelka frontend port is available
-strelkaportavailable:
-    cmd.run:
-      - name: netstat -utanp | grep ":57314" | grep -qvE 'docker|TIME_WAIT' && PROCESS=$(netstat -utanp | grep ":57314" | uniq) && echo "Another process ($PROCESS) appears to be using port 57314.  Please terminate this process, or reboot to ensure a clean state so that Strelka can start properly." && exit 1 || exit 0
-
-# Filecheck Section
-filecheck_logdir:
-  file.directory:
-    - name: /opt/so/log/strelka
-    - user: 939
-    - group: 939
-    - mode: 775
-    - makedirs: True
-
-filecheck_history:
-  file.directory:
-    - name: /nsm/strelka/history
-    - user: 939
-    - group: 939
-    - mode: 775
-    - makedirs: True
-
-filecheck_conf:
-  file.managed:
-    - name: /opt/so/conf/strelka/filecheck.yaml
-    - source: salt://strelka/filecheck/filecheck.yaml.jinja
-    - template: jinja
-    - defaults:
-        FILECHECKCONFIG: {{ STRELKAMERGED.filecheck }}
-
-filecheck_script:
-  file.managed:
-    - name: /opt/so/conf/strelka/filecheck
-    - source: salt://strelka/filecheck/filecheck
-    - user: 939
-    - group: 939
-    - mode: 755
-
-filecheck_restart:
-  cmd.run:
-    - name: pkill -f "python3 /opt/so/conf/strelka/filecheck"
-    - hide_output: True
-    - success_retcodes: [0,1]
-    - onchanges:
-      - file: filecheck_script
-
-filecheck_run:
-  cron.present:
-    - name: 'ps -ef | grep filecheck | grep -v grep > /dev/null 2>&1 || python3 /opt/so/conf/strelka/filecheck >> /opt/so/log/strelka/filecheck_stdout.log 2>&1 &'
-    - identifier: filecheck_run
-    - user: {{ filecheck_runas }}
-
-filcheck_history_clean:
-  cron.present:
-    - name: '/usr/bin/find /nsm/strelka/history/ -type f -mtime +2 -exec rm {} + > /dev/null 2>&1'
-    - identifier: filecheck_history_clean
-    - minute: '33'
-# End Filecheck Section
-
-
-strelka_coordinator:
-  docker_container.running:
-    - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-redis:{{ GLOBALS.so_version }}
-    - name: so-strelka-coordinator
-    - networks:
-      - sobridge:
-        - ipv4_address: {{ DOCKER.containers['so-strelka-coordinator'].ip }}
-    - entrypoint: redis-server --save "" --appendonly no
-    - extra_hosts:
-      - {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
-    - port_bindings:
-      {% for BINDING in DOCKER.containers['so-strelka-coordinator'].port_bindings %}
-      - {{ BINDING }}
-      {% endfor %}
-
-append_so-strelka-coordinator_so-status.conf:
-  file.append:
-    - name: /opt/so/conf/so-status/so-status.conf
-    - text: so-strelka-coordinator
-
-strelka_gatekeeper:
-  docker_container.running:
-    - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-redis:{{ GLOBALS.so_version }}
-    - name: so-strelka-gatekeeper
-    - networks:
-      - sobridge:
-        - ipv4_address: {{ DOCKER.containers['so-strelka-gatekeeper'].ip }}
-    - entrypoint: redis-server --save "" --appendonly no --maxmemory-policy allkeys-lru
-    - extra_hosts:
-      - {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
-    - port_bindings:
-      {% for BINDING in DOCKER.containers['so-strelka-gatekeeper'].port_bindings %}
-      - {{ BINDING }}
-      {% endfor %}
-
-append_so-strelka-gatekeeper_so-status.conf:
-  file.append:
-    - name: /opt/so/conf/so-status/so-status.conf
-    - text: so-strelka-gatekeeper
-
-strelka_frontend:
-  docker_container.running:
-    - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-strelka-frontend:{{ GLOBALS.so_version }}
-    - binds:
-      - /opt/so/conf/strelka/frontend/:/etc/strelka/:ro
-      - /nsm/strelka/log/:/var/log/strelka/:rw
-    - privileged: True
-    - name: so-strelka-frontend
-    - networks:
-      - sobridge:
-        - ipv4_address: {{ DOCKER.containers['so-strelka-frontend'].ip }}
-    - command: strelka-frontend
-    - extra_hosts:
-      - {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
-    - port_bindings:
-      {% for BINDING in DOCKER.containers['so-strelka-frontend'].port_bindings %}
-      - {{ BINDING }}
-      {% endfor %}
-
-append_so-strelka-frontend_so-status.conf:
-  file.append:
-    - name: /opt/so/conf/so-status/so-status.conf
-    - text: so-strelka-frontend
-
-strelka_backend:
-  docker_container.running:
-    - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-strelka-backend:{{ GLOBALS.so_version }}
-    - binds:
-      - /opt/so/conf/strelka/backend/:/etc/strelka/:ro
-      - /opt/so/conf/strelka/rules/:/etc/yara/:ro
-    - name: so-strelka-backend
-    - networks:
-      - sobridge:
-        - ipv4_address: {{ DOCKER.containers['so-strelka-backend'].ip }}
-    - command: strelka-backend
-    - extra_hosts:
-      - {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
-    - restart_policy: on-failure
-
-append_so-strelka-backend_so-status.conf:
-  file.append:
-    - name: /opt/so/conf/so-status/so-status.conf
-    - text: so-strelka-backend
-
-strelka_manager:
-  docker_container.running:
-    - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-strelka-manager:{{ GLOBALS.so_version }}
-    - binds:
-      - /opt/so/conf/strelka/manager/:/etc/strelka/:ro
-    - name: so-strelka-manager
-    - networks:
-      - sobridge:
-        - ipv4_address: {{ DOCKER.containers['so-strelka-manager'].ip }}
-    - command: strelka-manager
-    - extra_hosts:
-      - {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
-
-append_so-strelka-manager_so-status.conf:
-  file.append:
-    - name: /opt/so/conf/so-status/so-status.conf
-    - text: so-strelka-manager
-
-strelka_filestream:
-  docker_container.running:
-    - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-strelka-filestream:{{ GLOBALS.so_version }}
-    - binds:
-      - /opt/so/conf/strelka/filestream/:/etc/strelka/:ro
-      - /nsm/strelka:/nsm/strelka
-    - name: so-strelka-filestream
-    - networks:
-      - sobridge:
-        - ipv4_address: {{ DOCKER.containers['so-strelka-filestream'].ip }}
-    - command: strelka-filestream
-    - extra_hosts:
-      - {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
-
-append_so-strelka-filestream_so-status.conf:
-  file.append:
-    - name: /opt/so/conf/so-status/so-status.conf
-    - text: so-strelka-filestream
 
+include:
+{% if STRELKAMERGED.coordinator.enabled %}
+  - strelka.coordinator.enabled
 {% else %}
-
-{{sls}}_state_not_allowed:
-  test.fail_without_changes:
-    - name: {{sls}}_state_not_allowed
-
+  - strelka.coordinator.disabled
+{% endif %}
+
+{% if STRELKAMERGED.gatekeeper.enabled %}
+  - strelka.gatekeeper.enabled
+{% else %}
+  - strelka.gatekeeper.disabled
+{% endif %}
+
+{% if STRELKAMERGED.frontend.enabled %}
+  - strelka.frontend.enabled
+{% else %}
+  - strelka.frontend.disabled
+{% endif %}
+
+{% if STRELKAMERGED.backend.enabled %}
+  - strelka.backend.enabled
+{% else %}
+  - strelka.backend.disabled
+{% endif %}
+
+{% if STRELKAMERGED.manager.enabled %}
+  - strelka.manager.enabled
+{% else %}
+  - strelka.manager.disabled
+{% endif %}
+
+{% if STRELKAMERGED.filestream.enabled %}
+  - strelka.filestream.enabled
+{% else %}
+  - strelka.filestream.disabled
 {% endif %}

salt/strelka/manager/config.sls

@@ -0,0 +1,31 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls.split('.')[0] in allowed_states %}
+{%   from 'strelka/map.jinja' import STRELKAMERGED %}
+
+include:
+  - strelka.config
+  - strelka.manager.sostatus
+
+manager_config:
+  file.managed:
+    - name: /opt/so/conf/strelka/manager/manager.yaml
+    - source: salt://strelka/manager/files/manager.yaml.jinja
+    - template: jinja
+    - user: 939
+    - group: 939
+    - makedirs: True
+    - defaults:
+        MANAGERCONFIG: {{ STRELKAMERGED.manager.config }}
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+  test.fail_without_changes:
+    - name: {{sls}}_state_not_allowed
+
+{% endif %}

salt/strelka/manager/disabled.sls

@@ -0,0 +1,27 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls.split('.')[0] in allowed_states %}
+
+include:
+  - strelka.manager.sostatus
+  
+so-strelka-manager:
+  docker_container.absent:
+    - force: True
+
+so-strelka-manager_so-status.disabled:
+  file.comment:
+    - name: /opt/so/conf/so-status/so-status.conf
+    - regex: ^so-strelka-manager$
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+  test.fail_without_changes:
+    - name: {{sls}}_state_not_allowed
+
+{% endif %}

salt/strelka/manager/enabled.sls

@@ -0,0 +1,39 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls.split('.')[0] in allowed_states %}
+{%   from 'docker/docker.map.jinja' import DOCKER %}
+{%   from 'vars/globals.map.jinja' import GLOBALS %}
+
+include:
+  - strelka.manager.config
+  - strelka.manager.sostatus
+
+strelka_manager:
+  docker_container.running:
+    - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-strelka-manager:{{ GLOBALS.so_version }}
+    - binds:
+      - /opt/so/conf/strelka/manager/:/etc/strelka/:ro
+    - name: so-strelka-manager
+    - networks:
+      - sobridge:
+        - ipv4_address: {{ DOCKER.containers['so-strelka-manager'].ip }}
+    - command: strelka-manager
+    - extra_hosts:
+      - {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
+
+delete_so-strelka-manager_so-status.disabled:
+  file.uncomment:
+    - name: /opt/so/conf/so-status/so-status.conf
+    - regex: ^so-strelka-manager$
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+  test.fail_without_changes:
+    - name: {{sls}}_state_not_allowed
+
+{% endif %}

salt/strelka/manager/init.sls

@@ -0,0 +1,13 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'strelka/map.jinja' import STRELKAMERGED %}
+
+include:
+{% if STRELKAMERGED.manager.enabled %}
+  - strelka.manager.enabled
+{% else %}
+  - strelka.manager.disabled
+{% endif %}

salt/strelka/manager/sostatus.sls

@@ -0,0 +1,21 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls.split('.')[0] in allowed_states %}
+
+append_so-strelka-manager_so-status.conf:
+  file.append:
+    - name: /opt/so/conf/so-status/so-status.conf
+    - text: so-strelka-manager
+    - unless: grep -q so-strelka-manager /opt/so/conf/so-status/so-status.conf
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+  test.fail_without_changes:
+    - name: {{sls}}_state_not_allowed
+
+{% endif %}

salt/strelka/soc_strelka.yaml

@@ -1,6 +1,9 @@
 strelka:
-  config:
-    backend:
+  backend:
+    enabled: 
+      description: You can enable or disable Strelka backend.
+      helpLink: strelka.html
+    config:
       backend:
         logging_cfg:
           description: Path to the Python logging configuration.
@@ -398,7 +401,11 @@ strelka:
         global: False
         helpLink: strelka.html
         multiline: True
-    filestream:
+  filestream:
+    enabled: 
+      description: You can enable or disable Strelka filestream.
+      helpLink: strelka.html
+    config:
       conn:
         server: 
           description: Network address of the frontend server.
@@ -488,7 +495,11 @@ strelka:
         global: False
         helpLink: strelka.html
         advanced: True
-    frontend:
+  frontend:
+    enabled: 
+      description: You can enable or disable Strelka frontend.
+      helpLink: strelka.html
+    config:
       server:
         description: Network address of the frontend server.
         readonly: False
@@ -534,7 +545,11 @@ strelka:
           global: False
           helpLink: strelka.html
           advanced: True
-    manager:
+  manager:
+    enabled: 
+      description: You can enable or disable Strelka manager.
+      helpLink: strelka.html
+    config:
       coordinator:
         addr:
           description: Network address of the coordinator.
@@ -548,6 +563,14 @@ strelka:
           global: False
           helpLink: strelka.html
           advanced: True
+  coordinator:
+    enabled: 
+      description: You can enable or disable Strelka coordinator.
+      helpLink: strelka.html
+  gatekeeper:
+    enabled: 
+      description: You can enable or disable Strelka gatekeeper.
+      helpLink: strelka.html
   rules:
     enabled:
       description: Boolean that determines if yara rules sync from the Salt manager to the backend nodes.