Merge pull request #10363 from Security-Onion-Solutions/issue/10229

Issue/10229
2025-12-06 17:22:49 +01:00 · 2023-05-16 09:36:31 -04:00
parent 1724565331 6325f6db16
commit 56a7fdcfcd
250 changed files with 8882 additions and 6003 deletions
--- a/pillar/top.sls
+++ b/pillar/top.sls
@@ -101,6 +101,8 @@ base:
    - soc.adv_soc
    - soctopus.soc_soctopus
    - soctopus.adv_soctopus
    - kibana.soc_kibana
    - kibana.adv_kibana
    - strelka.soc_strelka
    - strelka.adv_strelka
    - curator.soc_curator
@@ -155,6 +157,8 @@ base:
    - soc.adv_soc
    - soctopus.soc_soctopus
    - soctopus.adv_soctopus
    - kibana.soc_kibana
    - kibana.adv_kibana
    - strelka.soc_strelka
    - strelka.adv_strelka
    - curator.soc_curator
@@ -248,6 +252,8 @@ base:
    - soc.adv_soc
    - soctopus.soc_soctopus
    - soctopus.adv_soctopus
    - kibana.soc_kibana
    - kibana.adv_kibana
    - curator.soc_curator
    - curator.adv_curator
    - backup.soc_backup
--- a/salt/allowed_states.map.jinja
+++ b/salt/allowed_states.map.jinja
@@ -3,16 +3,6 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {% set ZEEKVER = salt['pillar.get']('global:mdengine', '') %}
 {% set PLAYBOOK = salt['pillar.get']('manager:playbook', '0') %}
 {% set ELASTALERT = salt['pillar.get']('elastalert:enabled', True) %}
 {% set ELASTICSEARCH = salt['pillar.get']('elasticsearch:enabled', True) %}
 {% set KIBANA = salt['pillar.get']('kibana:enabled', True) %}
 {% set LOGSTASH = salt['pillar.get']('logstash:enabled', True) %}
 {% set CURATOR = salt['pillar.get']('curator:enabled', True) %}
 {% set REDIS = salt['pillar.get']('redis:enabled', True) %}
 {% set STRELKA = salt['pillar.get']('strelka:enabled', '0') %}
 {% set ISAIRGAP = salt['pillar.get']('global:airgap', False) %}
 {% import_yaml 'salt/minion.defaults.yaml' as saltversion %}
 {% set saltversion = saltversion.salt.minion.version %}
@@ -217,27 +207,27 @@
          ],
  }, grain='role') %}
-  {% if (PLAYBOOK != 0) and grains.role in ['so-eval', 'so-manager', 'so-managersearch', 'so-standalone'] %}
+  {% if grains.role in ['so-eval', 'so-manager', 'so-managersearch', 'so-standalone'] %}
    {% do allowed_states.append('mysql') %}
  {% endif %}
-  {%- if ZEEKVER != 'SURICATA' and grains.role in ['so-sensor', 'so-eval', 'so-standalone', 'so-heavynode'] %}
+  {%- if grains.role in ['so-sensor', 'so-eval', 'so-standalone', 'so-heavynode'] %}
    {% do allowed_states.append('zeek') %}
  {%- endif %}
-  {% if STRELKA and grains.role in ['so-sensor', 'so-eval', 'so-standalone', 'so-heavynode'] %}
+  {% if grains.role in ['so-sensor', 'so-eval', 'so-standalone', 'so-heavynode'] %}
    {% do allowed_states.append('strelka') %}
  {% endif %}
-  {% if ELASTICSEARCH and grains.role in ['so-eval', 'so-manager', 'so-standalone', 'so-searchnode', 'so-managersearch', 'so-heavynode', 'so-import'] %}
+  {% if grains.role in ['so-eval', 'so-manager', 'so-standalone', 'so-searchnode', 'so-managersearch', 'so-heavynode', 'so-import'] %}
    {% do allowed_states.append('elasticsearch') %}
  {% endif %}
-  {% if ELASTICSEARCH and grains.role in ['so-eval', 'so-manager', 'so-standalone', 'so-managersearch', 'so-import'] %}
+  {% if grains.role in ['so-eval', 'so-manager', 'so-standalone', 'so-managersearch', 'so-import'] %}
    {% do allowed_states.append('elasticsearch.auth') %}
  {% endif %}
-  {% if KIBANA and grains.role in ['so-eval', 'so-manager', 'so-standalone', 'so-managersearch', 'so-import'] %}
+  {% if grains.role in ['so-eval', 'so-manager', 'so-standalone', 'so-managersearch', 'so-import'] %}
    {% do allowed_states.append('kibana') %}
    {% do allowed_states.append('kibana.secrets') %}
  {% endif %}
@@ -246,23 +236,19 @@
    {% do allowed_states.append('curator') %}
  {% endif %}
-  {% if ELASTALERT and grains.role in ['so-eval', 'so-manager', 'so-standalone', 'so-managersearch'] %}
+  {% if grains.role in ['so-eval', 'so-manager', 'so-standalone', 'so-managersearch'] %}
    {% do allowed_states.append('elastalert') %}
  {% endif %}
-  {% if (PLAYBOOK !=0) and grains.role in ['so-eval', 'so-manager', 'so-standalone', 'so-managersearch'] %}
+  {% if grains.role in ['so-eval', 'so-manager', 'so-standalone', 'so-managersearch'] %}
    {% do allowed_states.append('playbook') %}
  {% endif %}
-  {% if (PLAYBOOK !=0) and grains.role in ['so-eval'] %}
+  {% if grains.role in ['so-helixsensor', 'so-manager', 'so-standalone', 'so-searchnode', 'so-managersearch', 'so-heavynode', 'so-receiver'] %}
    {% do allowed_states.append('redis') %}
  {% endif %}
  {% if LOGSTASH and grains.role in ['so-helixsensor', 'so-manager', 'so-standalone', 'so-searchnode', 'so-managersearch', 'so-heavynode', 'so-receiver'] %}
    {% do allowed_states.append('logstash') %}
  {% endif %}
-  {% if REDIS and grains.role in ['so-manager', 'so-standalone', 'so-managersearch', 'so-heavynode', 'so-receiver'] %}
+  {% if grains.role in ['so-manager', 'so-standalone', 'so-managersearch', 'so-heavynode', 'so-receiver', 'so-eval'] %}
    {% do allowed_states.append('redis') %}
  {% endif %}
--- a/salt/curator/config.sls
+++ b/salt/curator/config.sls
@@ -0,0 +1,81 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
 {%   from "curator/map.jinja" import CURATORMERGED %}
 # Create the group
 curatorgroup:
  group.present:
    - name: curator
    - gid: 934
 # Add user
 curator:
  user.present:
    - uid: 934
    - gid: 934
    - home: /opt/so/conf/curator
    - createhome: False
 # Create the log directory
 curlogdir:
  file.directory:
    - name: /opt/so/log/curator
    - user: 934
    - group: 939
 curactiondir:
  file.directory:
    - name: /opt/so/conf/curator/action
    - user: 934
    - group: 939
    - makedirs: True
 actionconfs:
  file.recurse:
    - name: /opt/so/conf/curator/action
    - source: salt://curator/files/action
    - user: 934
    - group: 939
    - template: jinja
    - defaults:
        CURATORMERGED: {{ CURATORMERGED.elasticsearch.index_settings }}
 curconf:
  file.managed:
    - name: /opt/so/conf/curator/curator.yml
    - source: salt://curator/files/curator.yml
    - user: 934
    - group: 939
    - mode: 660
    - template: jinja
    - show_changes: False
 curator_sbin:
  file.recurse:
    - name: /usr/sbin
    - source: salt://curator/tools/sbin
    - user: 934
    - group: 939
    - file_mode: 755
 curator_sbin_jinja:
  file.recurse:
    - name: /usr/sbin
    - source: salt://curator/tools/sbin_jinja
    - user: 934
    - group: 939 
    - file_mode: 755
    - template: jinja
 {% else %}
 {{sls}}_state_not_allowed:
  test.fail_without_changes:
    - name: {{sls}}_state_not_allowed
 {% endif %}
--- a/salt/curator/defaults.yaml
+++ b/salt/curator/defaults.yaml
@@ -1,98 +1,100 @@
-elasticsearch:
+curator:
-  index_settings:
+  enabled: False
-    logs-import-so:
+  elasticsearch:
-      close: 73000
+    index_settings:
-      delete: 73001
+      logs-import-so:
-    logs-strelka-so:
+        close: 73000
-      close: 30
+        delete: 73001
-      delete: 365
+      logs-strelka-so:
-    logs-suricata-so:
+        close: 30
-      close: 30
+        delete: 365
-      delete: 365
+      logs-suricata-so:
-    logs-syslog-so:
+        close: 30
-      close: 30
+        delete: 365
-      delete: 365
+      logs-syslog-so:
-    logs-zeek-so:
+        close: 30
-      close: 30
+        delete: 365
-      delete: 365
+      logs-zeek-so:
-    logs-elastic_agent-metricbeat-default:
+        close: 30
-      close: 30
+        delete: 365
-      delete: 365
+      logs-elastic_agent-metricbeat-default:
-    logs-elastic_agent-osquerybeat-default:
+        close: 30
-      close: 30
+        delete: 365
-      delete: 365
+      logs-elastic_agent-osquerybeat-default:
-    logs-elastic_agent-fleet_server-default:
+        close: 30
-      close: 30
+        delete: 365
-      delete: 365
+      logs-elastic_agent-fleet_server-default:
-    logs-elastic_agent-filebeat-default:
+        close: 30
-      close: 30
+        delete: 365
-      delete: 365
+      logs-elastic_agent-filebeat-default:
-    logs-elastic_agent-default:
+        close: 30
-      close: 30
+        delete: 365
-      delete: 365
+      logs-elastic_agent-default:
-    logs-system-auth-default:
+        close: 30
-      close: 30
+        delete: 365
-      delete: 365
+      logs-system-auth-default:
-    logs-system-application-default:
+        close: 30
-      close: 30
+        delete: 365
-      delete: 365
+      logs-system-application-default:
-    logs-system-security-default:
+        close: 30
-      close: 30
+        delete: 365
-      delete: 365
+      logs-system-security-default:
-    logs-system-system-default:
+        close: 30
-      close: 30
+        delete: 365
-      delete: 365
+      logs-system-system-default:
-    logs-system-syslog-default:
+        close: 30
-      close: 30
+        delete: 365
-      delete: 365
+      logs-system-syslog-default:
-    logs-windows-powershell-default:
+        close: 30
-      close: 30
+        delete: 365
-      delete: 365
+      logs-windows-powershell-default:
-    logs-windows-sysmon_operational-default:
+        close: 30
-      close: 30
+        delete: 365
-      delete: 365
+      logs-windows-sysmon_operational-default:
-    so-beats:
+        close: 30
-      close: 30
+        delete: 365
-      delete: 365
+      so-beats:
-    so-elasticsearch:
+        close: 30
-      close: 30
+        delete: 365
-      delete: 365
+      so-elasticsearch:
-    so-firewall:
+        close: 30
-      close: 30
+        delete: 365
-      delete: 365
+      so-firewall:
-    so-ids:
+        close: 30
-      close: 30
+        delete: 365
-      delete: 365
+      so-ids:
-    so-import:
+        close: 30
-      close: 73000
+        delete: 365
-      delete: 73001
+      so-import:
-    so-kratos:
+        close: 73000
-      close: 30
+        delete: 73001
-      delete: 365
+      so-kratos:
-    so-kibana:
+        close: 30
-      close: 30
+        delete: 365
-      delete: 365
+      so-kibana:
-    so-logstash:
+        close: 30
-      close: 30
+        delete: 365
-      delete: 365
+      so-logstash:
-    so-netflow:
+        close: 30
-      close: 30
+        delete: 365
-      delete: 365
+      so-netflow:
-    so-osquery:
+        close: 30
-      close: 30
+        delete: 365
-      delete: 365
+      so-osquery:
-    so-ossec:
+        close: 30
-      close: 30
+        delete: 365
-      delete: 365
+      so-ossec:
-    so-redis:
+        close: 30
-      close: 30
+        delete: 365
-      delete: 365
+      so-redis:
-    so-strelka:
+        close: 30
-      close: 30
+        delete: 365
-      delete: 365
+      so-strelka:
-    so-syslog:
+        close: 30
-      close: 30
+        delete: 365
-      delete: 365
+      so-syslog:
-    so-zeek:
+        close: 30
-      close: 30
+        delete: 365
-      delete: 365
+      so-zeek:
        close: 30
        delete: 365
--- a/salt/curator/disabled.sls
+++ b/salt/curator/disabled.sls
@@ -0,0 +1,35 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
 include:
  - curator.sostatus
 so-curator:
  docker_container.absent:
    - force: True
 so-curator_so-status.disabled:
  file.comment:
    - name: /opt/so/conf/so-status/so-status.conf
    - regex: ^so-curator$
 so-curator-cluster-close:
  cron.absent:
    - identifier: so-curator-cluster-close
 so-curator-cluster-delete:
  cron.absent:
    - identifier: so-curator-cluster-delete
 {% else %}
 {{sls}}_state_not_allowed:
  test.fail_without_changes:
    - name: {{sls}}_state_not_allowed
 {% endif %}
--- a/salt/curator/enabled.sls
+++ b/salt/curator/enabled.sls
@@ -0,0 +1,71 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
 {%   from 'vars/globals.map.jinja' import GLOBALS %}
 {%   from 'docker/docker.map.jinja' import DOCKER %}
 include:
  - curator.config
  - curator.sostatus
 so-curator:
  docker_container.running:
    - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-curator:{{ GLOBALS.so_version }}
    - start: True
    - hostname: curator
    - name: so-curator
    - user: curator
    - networks:
      - sobridge:
        - ipv4_address: {{ DOCKER.containers['so-curator'].ip }}
    - interactive: True
    - tty: True
    - binds:
      - /opt/so/conf/curator/curator.yml:/etc/curator/config/curator.yml:ro
      - /opt/so/conf/curator/action/:/etc/curator/action:ro
      - /opt/so/log/curator:/var/log/curator:rw
    - require:
      - file: actionconfs
      - file: curconf
      - file: curlogdir
    - watch:
      - file: curconf
 delete_so-curator_so-status.disabled:
  file.uncomment:
    - name: /opt/so/conf/so-status/so-status.conf
    - regex: ^so-curator$
 so-curator-cluster-close:
  cron.present:
    - name: /usr/sbin/so-curator-cluster-close > /opt/so/log/curator/cron-close.log 2>&1
    - identifier: so-curator-cluster-close
    - user: root
    - minute: '2'
    - hour: '*/1'
    - daymonth: '*'
    - month: '*'
    - dayweek: '*'
 so-curator-cluster-delete:
  cron.present:
    - name: /usr/sbin/so-curator-cluster-delete > /opt/so/log/curator/cron-cluster-delete.log 2>&1
    - identifier: so-curator-cluster-delete
    - user: root
    - minute: '*/5'
    - hour: '*'
    - daymonth: '*'
    - month: '*'
    - dayweek: '*'
 {% else %}
 {{sls}}_state_not_allowed:
  test.fail_without_changes:
    - name: {{sls}}_state_not_allowed
 {% endif %}
--- a/salt/curator/files/curator.yml
+++ b/salt/curator/files/curator.yml
@@ -4,9 +4,9 @@
 # Elastic License 2.0.
 {% from 'vars/globals.map.jinja' import GLOBALS %}
-{% if grains['role'] in ['so-searchnode', 'so-heavynode'] %}
+{% if GLOBALS.role in ['so-searchnode', 'so-heavynode'] %}
  {%- set elasticsearch = GLOBALS.node_ip -%}
-{% elif grains['role'] in ['so-eval', 'so-managersearch', 'so-standalone', 'so-manager'] %}
+{% elif GLOBALS.role in ['so-eval', 'so-managersearch', 'so-standalone', 'so-manager'] %}
  {%- set elasticsearch = GLOBALS.manager_ip -%}
 {%- endif %}
 {%-   set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %}
@@ -30,10 +30,8 @@ elasticsearch:
      id:
      api_key:
    master_only: False
 {%- if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %}
    username: "{{ ES_USER }}"
    password: "{{ ES_PASS }}"
 {%- endif %}
 logging:
  loglevel: INFO
--- a/salt/curator/init.sls
+++ b/salt/curator/init.sls
@@ -3,146 +3,11 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
-{% from 'allowed_states.map.jinja' import allowed_states %}
+{% from 'curator/map.jinja' import CURATORMERGED %}
 {% if sls in allowed_states %}
 {% from 'vars/globals.map.jinja' import GLOBALS %}
 {% from 'docker/docker.map.jinja' import DOCKER %}
 {% from "curator/map.jinja" import CURATOROPTIONS %}
 {% from "curator/map.jinja" import CURATORMERGED %}
 {% set REMOVECURATORCRON = False %}
 # Curator
 # Create the group
 curatorgroup:
  group.present:
    - name: curator
    - gid: 934
 # Add user
 curator:
  user.present:
    - uid: 934
    - gid: 934
    - home: /opt/so/conf/curator
    - createhome: False
 # Create the log directory
 curlogdir:
  file.directory:
    - name: /opt/so/log/curator
    - user: 934
    - group: 939
 curactiondir:
  file.directory:
    - name: /opt/so/conf/curator/action
    - user: 934
    - group: 939
    - makedirs: True
 actionconfs:
  file.recurse:
    - name: /opt/so/conf/curator/action
    - source: salt://curator/files/action
    - user: 934
    - group: 939
    - template: jinja
    - defaults:
        CURATORMERGED: {{ CURATORMERGED }}
 curconf:
  file.managed:
    - name: /opt/so/conf/curator/curator.yml
    - source: salt://curator/files/curator.yml
    - user: 934
    - group: 939
    - mode: 660
    - template: jinja
    - show_changes: False
 curator_sbin:
  file.recurse:
    - name: /usr/sbin
    - source: salt://curator/tools/sbin
    - user: 934
    - group: 939
    - file_mode: 755
 curator_sbin_jinja:
  file.recurse:
    - name: /usr/sbin
    - source: salt://curator/tools/sbin_jinja
    - user: 934
    - group: 939 
    - file_mode: 755
    - template: jinja
 so-curator:
  docker_container.{{ CURATOROPTIONS.status }}:
    - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-curator:{{ GLOBALS.so_version }}
    - start: {{ CURATOROPTIONS.start }}
    - hostname: curator
    - name: so-curator
    - user: curator
    - networks:
      - sobridge:
        - ipv4_address: {{ DOCKER.containers['so-curator'].ip }}
    - interactive: True
    - tty: True
    - binds:
      - /opt/so/conf/curator/curator.yml:/etc/curator/config/curator.yml:ro
      - /opt/so/conf/curator/action/:/etc/curator/action:ro
      - /opt/so/log/curator:/var/log/curator:rw
    - require:
      - file: actionconfs
      - file: curconf
      - file: curlogdir
    - watch:
      - file: curconf
 append_so-curator_so-status.conf:
  file.append:
    - name: /opt/so/conf/so-status/so-status.conf
    - text: so-curator
    - unless: grep -q so-curator /opt/so/conf/so-status/so-status.conf
  {% if not CURATOROPTIONS.start %}
 so-curator_so-status.disabled:
  file.comment:
    - name: /opt/so/conf/so-status/so-status.conf
    - regex: ^so-curator$
  {% else %}
 delete_so-curator_so-status.disabled:
  file.uncomment:
    - name: /opt/so/conf/so-status/so-status.conf
    - regex: ^so-curator$
  {% endif %}
 so-curator-cluster-close:
  cron.present:
    - name: /usr/sbin/so-curator-cluster-close > /opt/so/log/curator/cron-close.log 2>&1
    - identifier: so-curator-cluster-close
    - user: root
    - minute: '2'
    - hour: '*/1'
    - daymonth: '*'
    - month: '*'
    - dayweek: '*'
 so-curator-cluster-delete:
  cron.present:
    - name: /usr/sbin/so-curator-cluster-delete > /opt/so/log/curator/cron-cluster-delete.log 2>&1
    - identifier: so-curator-cluster-delete
    - user: root
    - minute: '*/5'
    - hour: '*'
    - daymonth: '*'
    - month: '*'
    - dayweek: '*'
 include:
 {% if CURATORMERGED.enabled %}
  - curator.enabled
 {% else %}
-
+  - curator.disabled
 {{sls}}_state_not_allowed:
  test.fail_without_changes:
    - name: {{sls}}_state_not_allowed
 {% endif %}
--- a/salt/curator/map.jinja
+++ b/salt/curator/map.jinja
@@ -1,18 +1,7 @@
-{% set CURATOROPTIONS = {} %}
+{# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-{% set ENABLED = salt['pillar.get']('curator:enabled', True) %}
+   or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
-{% do CURATOROPTIONS.update({'manage_sostatus': True}) %}
+   https://securityonion.net/license; you may not use this file except in compliance with the
-
+   Elastic License 2.0. #}
 # don't start the docker container if curator is disabled via pillar
 {% if not ENABLED %}
  {% do CURATOROPTIONS.update({'start': False}) %}
  {% do CURATOROPTIONS.update({'status': 'absent'}) %}
  {% if (TRUECLUSTER and grains.id.split('_')|last == 'searchnode') or (not TRUECLUSTER and grains.id.split('_')|last == 'manager') %}
    {% do CURATOROPTIONS.update({'manage_sostatus': False}) %}
  {% endif %}
 {% else %}
  {% do CURATOROPTIONS.update({'start': True}) %}
  {% do CURATOROPTIONS.update({'status': 'running'}) %}
 {% endif %}
 {% import_yaml 'curator/defaults.yaml' as CURATORDEFAULTS %}
-{% set CURATORMERGED = salt['pillar.get']('elasticsearch:index_settings', CURATORDEFAULTS.elasticsearch.index_settings, merge=true) %}
+{% set CURATORMERGED = salt['pillar.get']('curator', CURATORDEFAULTS.curator, merge=true) %}
--- a/salt/curator/soc_curator.yaml
+++ b/salt/curator/soc_curator.yaml
@@ -0,0 +1,108 @@
 curator:
  enabled:
    description: You can enable or disable Curator.
    helpLink: curator.html
  elasticsearch:
    index_settings:
      logs-import-so:
        close: &close
          description: Age, in days, when Curator closes the index.
          helpLink: curator.html
          forcedType: int
        delete: &delete
          description: Age, in days, when Curator deletes the index.
          helpLink: curator.html
          forcedType: int
      logs-strelka-so:
        close: *close
        delete: *delete
      logs-suricata-so:
        close: *close
        delete: *delete
      logs-syslog-so:
        close: *close
        delete: *delete
      logs-zeek-so:
        close: *close
        delete: *delete
      logs-elastic_agent-metricbeat-default:
        close: *close
        delete: *delete
      logs-elastic_agent-osquerybeat-default:
        close: *close
        delete: *delete
      logs-elastic_agent-fleet_server-default:
        close: *close
        delete: *delete
      logs-elastic_agent-filebeat-default:
        close: *close
        delete: *delete
      logs-elastic_agent-default:
        close: *close
        delete: *delete
      logs-system-auth-default:
        close: *close
        delete: *delete
      logs-system-application-default:
        close: *close
        delete: *delete
      logs-system-security-default:
        close: *close
        delete: *delete
      logs-system-system-default:
        close: *close
        delete: *delete
      logs-system-syslog-default:
        close: *close
        delete: *delete
      logs-windows-powershell-default:
        close: *close
        delete: *delete
      logs-windows-sysmon_operational-default:
        close: *close
        delete: *delete
      so-beats:
        close: *close
        delete: *delete
      so-elasticsearch:
        close: *close
        delete: *delete
      so-firewall:
        close: *close
        delete: *delete
      so-ids:
        close: *close
        delete: *delete
      so-import:
        close: *close
        delete: *delete
      so-kratos:
        close: *close
        delete: *delete
      so-kibana:
        close: *close
        delete: *delete
      so-logstash:
        close: *close
        delete: *delete
      so-netflow:
        close: *close
        delete: *delete
      so-osquery:
        close: *close
        delete: *delete
      so-ossec:
        close: *close
        delete: *delete
      so-redis:
        close: *close
        delete: *delete
      so-strelka:
        close: *close
        delete: *delete
      so-syslog:
        close: *close
        delete: *delete
      so-zeek:
        close: *close
        delete: *delete
--- a/salt/curator/sostatus.sls
+++ b/salt/curator/sostatus.sls
@@ -0,0 +1,21 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
 append_so-curator_so-status.conf:
  file.append:
    - name: /opt/so/conf/so-status/so-status.conf
    - text: so-curator
    - unless: grep -q so-curator /opt/so/conf/so-status/so-status.conf
 {% else %}
 {{sls}}_state_not_allowed:
  test.fail_without_changes:
    - name: {{sls}}_state_not_allowed
 {% endif %}
--- a/salt/elastalert/config.sls
+++ b/salt/elastalert/config.sls
@@ -0,0 +1,103 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
 {%   from 'elastalert/map.jinja' import ELASTALERTMERGED %}
 # Create the group
 elastagroup:
  group.present:
    - name: elastalert
    - gid: 933
 # Add user
 elastalert:
  user.present:
    - uid: 933
    - gid: 933
    - home: /opt/so/conf/elastalert
    - createhome: False
 elastalogdir:
  file.directory:
    - name: /opt/so/log/elastalert
    - user: 933
    - group: 933
    - makedirs: True
 elastalert_sbin:
  file.recurse:
    - name: /usr/sbin
    - source: salt://elastalert/tools/sbin
    - user: 933
    - group: 939
    - file_mode: 755
 #elastalert_sbin_jinja:
 #  file.recurse:
 #    - name: /usr/sbin
 #    - source: salt://elastalert/tools/sbin_jinja
 #    - user: 933
 #    - group: 939 
 #    - file_mode: 755
 #    - template: jinja
 elastarules:
  file.directory:
    - name: /opt/so/rules/elastalert
    - user: 933
    - group: 933
    - makedirs: True
 elastaconfdir:
  file.directory:
    - name: /opt/so/conf/elastalert
    - user: 933
    - group: 933
    - makedirs: True
 elastasomodulesdir:
  file.directory:
    - name: /opt/so/conf/elastalert/modules/so
    - user: 933
    - group: 933
    - makedirs: True
 elastacustmodulesdir:
  file.directory:
    - name: /opt/so/conf/elastalert/modules/custom
    - user: 933
    - group: 933
    - makedirs: True
 elastasomodulesync:
  file.recurse:
    - name: /opt/so/conf/elastalert/modules/so
    - source: salt://elastalert/files/modules/so
    - user: 933
    - group: 933
    - makedirs: True
 elastaconf:
  file.managed:
    - name: /opt/so/conf/elastalert/elastalert_config.yaml
    - source: salt://elastalert/files/elastalert_config.yaml.jinja
    - context:
        elastalert_config: {{ ELASTALERTMERGED.config }}
    - user: 933
    - group: 933
    - mode: 660
    - template: jinja
    - show_changes: False
 {% else %}
 {{sls}}_state_not_allowed:
  test.fail_without_changes:
    - name: {{sls}}_state_not_allowed
 {% endif %}
--- a/salt/elastalert/defaults.yaml
+++ b/salt/elastalert/defaults.yaml
@@ -1,4 +1,5 @@
 elastalert:
  enabled: False
  config:
    rules_folder: /opt/elastalert/rules/
    scan_subdirectories: true
--- a/salt/elastalert/disabled.sls
+++ b/salt/elastalert/disabled.sls
@@ -0,0 +1,27 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
 include:
  - elastalert.sostatus
 so-elastalert:
  docker_container.absent:
    - force: True
 so-elastalert_so-status.disabled:
  file.comment:
    - name: /opt/so/conf/so-status/so-status.conf
    - regex: ^so-elastalert$
 {% else %}
 {{sls}}_state_not_allowed:
  test.fail_without_changes:
    - name: {{sls}}_state_not_allowed
 {% endif %}
--- a/salt/elastalert/elastalert_config.map.jinja
+++ b/salt/elastalert/elastalert_config.map.jinja
@@ -1,11 +0,0 @@
 {% from 'vars/globals.map.jinja' import GLOBALS %}
 {% import_yaml 'elastalert/defaults.yaml' as ELASTALERT %}
 {% set elastalert_pillar = salt['pillar.get']('elastalert:config', {}) %}
 {% do ELASTALERT.elastalert.config.update({'es_host': GLOBALS.manager}) %}
 {% do ELASTALERT.elastalert.config.update({'es_username': pillar.elasticsearch.auth.users.so_elastic_user.user}) %}
 {% do ELASTALERT.elastalert.config.update({'es_password': pillar.elasticsearch.auth.users.so_elastic_user.pass}) %}
 {% do salt['defaults.merge'](ELASTALERT.elastalert.config, elastalert_pillar, in_place=True) %}
--- a/salt/elastalert/enabled.sls
+++ b/salt/elastalert/enabled.sls
@@ -0,0 +1,58 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
 {%   from 'vars/globals.map.jinja' import GLOBALS %}
 {%   from 'docker/docker.map.jinja' import DOCKER %}
 include:
  - elastalert.config
  - elastalert.sostatus
 wait_for_elasticsearch:
  cmd.run:
    - name: so-elasticsearch-wait
 so-elastalert:
  docker_container.running:
    - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-elastalert:{{ GLOBALS.so_version }}
    - hostname: elastalert
    - name: so-elastalert
    - user: so-elastalert
    - networks:
      - sobridge:
        - ipv4_address: {{ DOCKER.containers['so-elastalert'].ip }}
    - detach: True
    - binds:
      - /opt/so/rules/elastalert:/opt/elastalert/rules/:ro
      - /opt/so/log/elastalert:/var/log/elastalert:rw
      - /opt/so/conf/elastalert/modules/:/opt/elastalert/modules/:ro
      - /opt/so/conf/elastalert/elastalert_config.yaml:/opt/elastalert/config.yaml:ro
    - extra_hosts:
      - {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }}
    - require:
      - cmd: wait_for_elasticsearch
      - file: elastarules
      - file: elastalogdir
      - file: elastacustmodulesdir
      - file: elastaconf
    - watch:
      - file: elastaconf
    - onlyif:
      - "so-elasticsearch-query / | jq -r '.version.number[0:1]' | grep -q 8" {# only run this state if elasticsearch is version 8 #}
 delete_so-elastalert_so-status.disabled:
  file.uncomment:
    - name: /opt/so/conf/so-status/so-status.conf
    - regex: ^so-elastalert$
 {% else %}
 {{sls}}_state_not_allowed:
  test.fail_without_changes:
    - name: {{sls}}_state_not_allowed
 {% endif %}
--- a/salt/elastalert/init.sls
+++ b/salt/elastalert/init.sls
@@ -1,141 +1,13 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0; you may not use
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
-# this file except in compliance with the Elastic License 2.0.
+# https://securityonion.net/license; you may not use this file except in compliance with the
-{% from 'allowed_states.map.jinja' import allowed_states %}
+# Elastic License 2.0.
 {% if sls in allowed_states %}
-{% from 'vars/globals.map.jinja' import GLOBALS %}
+{% from 'elastalert/map.jinja' import ELASTALERTMERGED %}
 {% from 'docker/docker.map.jinja' import DOCKER %}
 {% from 'elastalert/elastalert_config.map.jinja' import ELASTALERT as elastalert_config with context %}
 # Create the group
 elastagroup:
  group.present:
    - name: elastalert
    - gid: 933
 # Add user
 elastalert:
  user.present:
    - uid: 933
    - gid: 933
    - home: /opt/so/conf/elastalert
    - createhome: False
 elastalogdir:
  file.directory:
    - name: /opt/so/log/elastalert
    - user: 933
    - group: 933
    - makedirs: True
 elastalert_sbin:
  file.recurse:
    - name: /usr/sbin
    - source: salt://elastalert/tools/sbin
    - user: 933
    - group: 939
    - file_mode: 755
 #elastalert_sbin_jinja:
 #  file.recurse:
 #    - name: /usr/sbin
 #    - source: salt://elastalert/tools/sbin_jinja
 #    - user: 933
 #    - group: 939 
 #    - file_mode: 755
 #    - template: jinja
 elastarules:
  file.directory:
    - name: /opt/so/rules/elastalert
    - user: 933
    - group: 933
    - makedirs: True
 elastaconfdir:
  file.directory:
    - name: /opt/so/conf/elastalert
    - user: 933
    - group: 933
    - makedirs: True
 elastasomodulesdir:
  file.directory:
    - name: /opt/so/conf/elastalert/modules/so
    - user: 933
    - group: 933
    - makedirs: True
 elastacustmodulesdir:
  file.directory:
    - name: /opt/so/conf/elastalert/modules/custom
    - user: 933
    - group: 933
    - makedirs: True
 elastasomodulesync:
  file.recurse:
    - name: /opt/so/conf/elastalert/modules/so
    - source: salt://elastalert/files/modules/so
    - user: 933
    - group: 933
    - makedirs: True
 elastaconf:
  file.managed:
    - name: /opt/so/conf/elastalert/elastalert_config.yaml
    - source: salt://elastalert/files/elastalert_config.yaml.jinja
    - context:
        elastalert_config: {{ elastalert_config.elastalert.config }}
    - user: 933
    - group: 933
    - mode: 660
    - template: jinja
    - show_changes: False
 wait_for_elasticsearch:
  cmd.run:
    - name: so-elasticsearch-wait
 so-elastalert:
  docker_container.running:
    - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-elastalert:{{ GLOBALS.so_version }}
    - hostname: elastalert
    - name: so-elastalert
    - user: so-elastalert
    - networks:
      - sobridge:
        - ipv4_address: {{ DOCKER.containers['so-elastalert'].ip }}
    - detach: True
    - binds:
      - /opt/so/rules/elastalert:/opt/elastalert/rules/:ro
      - /opt/so/log/elastalert:/var/log/elastalert:rw
      - /opt/so/conf/elastalert/modules/:/opt/elastalert/modules/:ro
      - /opt/so/conf/elastalert/elastalert_config.yaml:/opt/elastalert/config.yaml:ro
    - extra_hosts:
      - {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }}
    - require:
      - cmd: wait_for_elasticsearch
      - file: elastarules
      - file: elastalogdir
      - file: elastacustmodulesdir
      - file: elastaconf
    - watch:
      - file: elastaconf
    - onlyif:
      - "so-elasticsearch-query / | jq -r '.version.number[0:1]' | grep -q 8" {# only run this state if elasticsearch is version 8 #}
 append_so-elastalert_so-status.conf:
  file.append:
    - name: /opt/so/conf/so-status/so-status.conf
    - text: so-elastalert
 include:
 {% if ELASTALERTMERGED.enabled %}
  - elastalert.enabled
 {% else %}
-
+  - elastalert.disabled
 {{sls}}_state_not_allowed:
  test.fail_without_changes:
    - name: {{sls}}_state_not_allowed
 {% endif %}
--- a/salt/elastalert/map.jinja
+++ b/salt/elastalert/map.jinja
@@ -0,0 +1,15 @@
 {# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
   or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
   https://securityonion.net/license; you may not use this file except in compliance with the
   Elastic License 2.0. #}
 {% from 'vars/globals.map.jinja' import GLOBALS %}
 {% import_yaml 'elastalert/defaults.yaml' as ELASTALERTDEFAULTS %}
 {% set elastalert_pillar = salt['pillar.get']('elastalert:config', {}) %}
 {% do ELASTALERTDEFAULTS.elastalert.config.update({'es_host': GLOBALS.manager}) %}
 {% do ELASTALERTDEFAULTS.elastalert.config.update({'es_username': pillar.elasticsearch.auth.users.so_elastic_user.user}) %}
 {% do ELASTALERTDEFAULTS.elastalert.config.update({'es_password': pillar.elasticsearch.auth.users.so_elastic_user.pass}) %}
 {% set ELASTALERTMERGED = salt['pillar.get']('elastalert', ELASTALERTDEFAULTS.elastalert, merge=True) %}
--- a/salt/elastalert/soc_elastalert.yaml
+++ b/salt/elastalert/soc_elastalert.yaml
@@ -1,4 +1,7 @@
 elastalert:
  enabled:
    description: You can enable or disable Elastalert.
    helpLink: elastalert.html
  config:
    disable_rules_on_error:
      description: Disable rules on failure.
--- a/salt/elastalert/sostatus.sls
+++ b/salt/elastalert/sostatus.sls
@@ -0,0 +1,21 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
 append_so-elastalert_so-status.conf:
  file.append:
    - name: /opt/so/conf/so-status/so-status.conf
    - text: so-elastalert
    - unless: grep -q so-elastalert /opt/so/conf/so-status/so-status.conf
 {% else %}
 {{sls}}_state_not_allowed:
  test.fail_without_changes:
    - name: {{sls}}_state_not_allowed
 {% endif %}
--- a/salt/elastic-fleet-package-registry/config.sls
+++ b/salt/elastic-fleet-package-registry/config.sls
@@ -0,0 +1,29 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
 # Add Group
 elasticsagentprgroup:
  group.present:
    - name: elastic-agent-pr
    - gid: 948
 # Add user
 elastic-agent-pr:
  user.present:
    - uid: 948
    - gid: 948
    - home: /opt/so/conf/elastic-fleet-pr
    - createhome: False
 {% else %}
 {{sls}}_state_not_allowed:
  test.fail_without_changes:
    - name: {{sls}}_state_not_allowed
 {% endif %}
--- a/salt/elastic-fleet-package-registry/defaults.yaml
+++ b/salt/elastic-fleet-package-registry/defaults.yaml
@@ -0,0 +1,2 @@
 elastic_fleet_package_registry:
  enabled: False
--- a/salt/elastic-fleet-package-registry/disabled.sls
+++ b/salt/elastic-fleet-package-registry/disabled.sls
@@ -0,0 +1,27 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
 include:
  - elastic-fleet-package-registry.sostatus
 so-elastic-fleet-package-registry:
  docker_container.absent:
    - force: True
 so-elastic-fleet-package-registry_so-status.disabled:
  file.comment:
    - name: /opt/so/conf/so-status/so-status.conf
    - regex: ^so-elastic-fleet-package-registry$
 {% else %}
 {{sls}}_state_not_allowed:
  test.fail_without_changes:
    - name: {{sls}}_state_not_allowed
 {% endif %}
--- a/salt/elastic-fleet-package-registry/enabled.sls
+++ b/salt/elastic-fleet-package-registry/enabled.sls
@@ -0,0 +1,43 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
 {%   from 'vars/globals.map.jinja' import GLOBALS %}
 {%   from 'docker/docker.map.jinja' import DOCKER %}
 include:
  - elastic-fleet-package-registry.config
  - elastic-fleet-package-registry.sostatus
 so-elastic-fleet-package-registry:
  docker_container.running:
    - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-elastic-fleet-package-registry:{{ GLOBALS.so_version }}
    - name: so-elastic-fleet-package-registry
    - hostname: Fleet-package-reg-{{ GLOBALS.hostname }}
    - detach: True
    - user: 948
    - networks:
      - sobridge:
        - ipv4_address: {{ DOCKER.containers['so-elastic-fleet-package-registry'].ip }}
    - extra_hosts:
        - {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
    - port_bindings:
      {% for BINDING in DOCKER.containers['so-elastic-fleet-package-registry'].port_bindings %}
      - {{ BINDING }}
      {% endfor %}
 delete_so-elastic-fleet-package-registry_so-status.disabled:
  file.uncomment:
    - name: /opt/so/conf/so-status/so-status.conf
    - regex: ^so-elastic-fleet-package-registry$
 {% else %}
 {{sls}}_state_not_allowed:
  test.fail_without_changes:
    - name: {{sls}}_state_not_allowed
 {% endif %}
--- a/salt/elastic-fleet-package-registry/init.sls
+++ b/salt/elastic-fleet-package-registry/init.sls
@@ -1,52 +1,13 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0; you may not use
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
-# this file except in compliance with the Elastic License 2.0.
+# https://securityonion.net/license; you may not use this file except in compliance with the
-{% from 'allowed_states.map.jinja' import allowed_states %}
+# Elastic License 2.0.
 {% if sls in allowed_states %}
 {% from 'vars/globals.map.jinja' import GLOBALS %}
 {% from 'docker/docker.map.jinja' import DOCKER %}
-# Add Group
+{% from 'elastic-fleet-package-registry/map.jinja' import ELASTICFLEETPACKAGEREGISTRYMERGED %}
 elasticsagentprgroup:
  group.present:
    - name: elastic-agent-pr
    - gid: 948
 # Add user
 elastic-agent-pr:
  user.present:
    - uid: 948
    - gid: 948
    - home: /opt/so/conf/elastic-fleet-pr
    - createhome: False
 so-elastic-fleet-package-registry:
  docker_container.running:
    - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-elastic-fleet-package-registry:{{ GLOBALS.so_version }}
    - name: so-elastic-fleet-package-registry
    - hostname: Fleet-package-reg-{{ GLOBALS.hostname }}
    - detach: True
    - user: 948
    - networks:
      - sobridge:
        - ipv4_address: {{ DOCKER.containers['so-elastic-fleet-package-registry'].ip }}
    - extra_hosts:
        - {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
    - port_bindings:
      {% for BINDING in DOCKER.containers['so-elastic-fleet-package-registry'].port_bindings %}
      - {{ BINDING }}
      {% endfor %}
 append_so-elastic-fleet-package-registry_so-status.conf:
  file.append:
    - name: /opt/so/conf/so-status/so-status.conf
    - text: so-elastic-fleet-package-registry
 include:
 {% if ELASTICFLEETPACKAGEREGISTRYMERGED.enabled %}
  - elastic-fleet-package-registry.enabled
 {% else %}
-
+  - elastic-fleet-package-registry.disabled
 {{sls}}_state_not_allowed:
  test.fail_without_changes:
    - name: {{sls}}_state_not_allowed
 {% endif %}
--- a/salt/elastic-fleet-package-registry/map.jinja
+++ b/salt/elastic-fleet-package-registry/map.jinja
@@ -0,0 +1,7 @@
 {# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
   or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
   https://securityonion.net/license; you may not use this file except in compliance with the
   Elastic License 2.0. #}
 {% import_yaml 'elastic-fleet-package-registry/defaults.yaml' as ELASTICFLEETPACKAGEREGISTRYDEFAULTS %}
 {% set ELASTICFLEETPACKAGEREGISTRYMERGED = salt['pillar.get']('elastic_fleet_package_registry', ELASTICFLEETPACKAGEREGISTRYDEFAULTS.elastic_fleet_package_registry, merge=True) %}
--- a/salt/elastic-fleet-package-registry/soc_elastic-fleet-package-registry.yaml
+++ b/salt/elastic-fleet-package-registry/soc_elastic-fleet-package-registry.yaml
@@ -0,0 +1,4 @@
 elastic_fleet_package_registry:
  enabled:
    description: You can enable or disable Elastic Fleet Package Registry.
    advanced: True
--- a/salt/elastic-fleet-package-registry/sostatus.sls
+++ b/salt/elastic-fleet-package-registry/sostatus.sls
@@ -0,0 +1,21 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
 append_so-elastic-fleet-package-registry_so-status.conf:
  file.append:
    - name: /opt/so/conf/so-status/so-status.conf
    - text: so-elastic-fleet-package-registry
    - unless: grep -q so-elastic-fleet-package-registry /opt/so/conf/so-status/so-status.conf
 {% else %}
 {{sls}}_state_not_allowed:
  test.fail_without_changes:
    - name: {{sls}}_state_not_allowed
 {% endif %}
--- a/salt/elasticfleet/config.sls
+++ b/salt/elasticfleet/config.sls
@@ -0,0 +1,60 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
 # Add EA Group
 elasticsagentgroup:
  group.present:
    - name: elastic-agent
    - gid: 947
 # Add EA user
 elastic-agent:
  user.present:
    - uid: 947
    - gid: 947
    - home: /opt/so/conf/elastic-fleet
    - createhome: False
 elasticfleet_sbin:
  file.recurse:
    - name: /usr/sbin
    - source: salt://elasticfleet/tools/sbin
    - user: 947
    - group: 939
    - file_mode: 755
 elasticfleet_sbin_jinja:
  file.recurse:
    - name: /usr/sbin
    - source: salt://elasticfleet/tools/sbin_jinja
    - user: 947
    - group: 939 
    - file_mode: 755
    - template: jinja
 eaconfdir:
  file.directory:
    - name: /opt/so/conf/elastic-fleet
    - user: 947
    - group: 939
    - makedirs: True
 eastatedir:
  file.directory:
    - name: /opt/so/conf/elastic-fleet/state
    - user: 947
    - group: 939
    - makedirs: True
 {% else %}
 {{sls}}_state_not_allowed:
  test.fail_without_changes:
    - name: {{sls}}_state_not_allowed
 {% endif %}
--- a/salt/elasticfleet/defaults.yaml
+++ b/salt/elasticfleet/defaults.yaml
@@ -0,0 +1,8 @@
 elasticfleet:
  enabled: False
  config:
    server:
      endpoints_enrollment: ''
      es_token: ''
      grid_enrollment: ''
      url: ''
--- a/salt/elasticfleet/disabled.sls
+++ b/salt/elasticfleet/disabled.sls
@@ -0,0 +1,27 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
 include:
  - elasticfleet.sostatus
 so-elastic-fleet:
  docker_container.absent:
    - force: True
 so-elastic-fleet_so-status.disabled:
  file.comment:
    - name: /opt/so/conf/so-status/so-status.conf
    - regex: ^so-elastic-fleet$
 {% else %}
 {{sls}}_state_not_allowed:
  test.fail_without_changes:
    - name: {{sls}}_state_not_allowed
 {% endif %}
--- a/salt/elasticfleet/enabled.sls
+++ b/salt/elasticfleet/enabled.sls
@@ -0,0 +1,62 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
 {%   from 'vars/globals.map.jinja' import GLOBALS %}
 {%   from 'docker/docker.map.jinja' import DOCKER %}
 {#   This value is generated during node install and stored in minion pillar #}
 {%   set SERVICETOKEN = salt['pillar.get']('elasticfleet:config:server:es_token','') %}
 include:
  - elasticfleet.config
  - elasticfleet.sostatus
 {%   if SERVICETOKEN != '' %}
 so-elastic-fleet:
  docker_container.running:
    - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-elastic-agent:{{ GLOBALS.so_version }}
    - name: so-elastic-fleet
    - hostname: FleetServer-{{ GLOBALS.hostname }}
    - detach: True
    - user: 947
    - networks:
      - sobridge:
        - ipv4_address: {{ DOCKER.containers['so-elastic-fleet'].ip }}
    - extra_hosts:
        - {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }}
        - {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
    - port_bindings:
      {% for BINDING in DOCKER.containers['so-elastic-fleet'].port_bindings %}
      - {{ BINDING }}
      {% endfor %}
    - binds:
      - /etc/pki:/etc/pki:ro
      #- /opt/so/conf/elastic-fleet/state:/usr/share/elastic-agent/state:rw
    - environment:
      - FLEET_SERVER_ENABLE=true
      - FLEET_URL=https://{{ GLOBALS.node_ip }}:8220
      - FLEET_SERVER_ELASTICSEARCH_HOST=https://{{ GLOBALS.manager }}:9200
      - FLEET_SERVER_SERVICE_TOKEN={{ SERVICETOKEN }}
      - FLEET_SERVER_POLICY_ID=FleetServer_{{ GLOBALS.hostname }}
      - FLEET_SERVER_ELASTICSEARCH_CA=/etc/pki/tls/certs/intca.crt
      - FLEET_SERVER_CERT=/etc/pki/elasticfleet.crt
      - FLEET_SERVER_CERT_KEY=/etc/pki/elasticfleet.key
      - FLEET_CA=/etc/pki/tls/certs/intca.crt
 {%   endif %}
 delete_so-elastic-fleet_so-status.disabled:
  file.uncomment:
    - name: /opt/so/conf/so-status/so-status.conf
    - regex: ^so-elastic-fleet$
 {% else %}
 {{sls}}_state_not_allowed:
  test.fail_without_changes:
    - name: {{sls}}_state_not_allowed
 {% endif %}
--- a/salt/elasticfleet/init.sls
+++ b/salt/elasticfleet/init.sls
@@ -1,104 +1,13 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0; you may not use
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
-# this file except in compliance with the Elastic License 2.0.
+# https://securityonion.net/license; you may not use this file except in compliance with the
-{% from 'allowed_states.map.jinja' import allowed_states %}
+# Elastic License 2.0.
 {% if sls in allowed_states %}
 {% from 'vars/globals.map.jinja' import GLOBALS %}
 {% from 'docker/docker.map.jinja' import DOCKER %}
-# These values are generated during node install and stored in minion pillar
+{% from 'elasticfleet/map.jinja' import ELASTICFLEETMERGED %}
 {% set SERVICETOKEN = salt['pillar.get']('elasticfleet:server:es_token','') %}
 #{% set FLEETSERVERPOLICY = salt['pillar.get']('elasticfleet:server:server_policy','so-manager') %}
 #{% set FLEETURL = salt['pillar.get']('elasticfleet:server:url') %}
 # Add EA Group
 elasticsagentgroup:
  group.present:
    - name: elastic-agent
    - gid: 947
 # Add EA user
 elastic-agent:
  user.present:
    - uid: 947
    - gid: 947
    - home: /opt/so/conf/elastic-fleet
    - createhome: False
 elasticfleet_sbin:
  file.recurse:
    - name: /usr/sbin
    - source: salt://elasticfleet/tools/sbin
    - user: 947
    - group: 939
    - file_mode: 755
 elasticfleet_sbin_jinja:
  file.recurse:
    - name: /usr/sbin
    - source: salt://elasticfleet/tools/sbin_jinja
    - user: 947
    - group: 939 
    - file_mode: 755
    - template: jinja
 eaconfdir:
  file.directory:
    - name: /opt/so/conf/elastic-fleet
    - user: 947
    - group: 939
    - makedirs: True
 eastatedir:
  file.directory:
    - name: /opt/so/conf/elastic-fleet/state
    - user: 947
    - group: 939
    - makedirs: True
  {% if SERVICETOKEN != '' %}
 so-elastic-fleet:
  docker_container.running:
    - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-elastic-agent:{{ GLOBALS.so_version }}
    - name: so-elastic-fleet
    - hostname: FleetServer-{{ GLOBALS.hostname }}
    - detach: True
    - user: 947
    - networks:
      - sobridge:
        - ipv4_address: {{ DOCKER.containers['so-elastic-fleet'].ip }}
    - extra_hosts:
        - {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }}
        - {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
    - port_bindings:
      {% for BINDING in DOCKER.containers['so-elastic-fleet'].port_bindings %}
      - {{ BINDING }}
      {% endfor %}
    - binds:
      - /etc/pki:/etc/pki:ro
      #- /opt/so/conf/elastic-fleet/state:/usr/share/elastic-agent/state:rw
    - environment:
      - FLEET_SERVER_ENABLE=true
      - FLEET_URL=https://{{ GLOBALS.node_ip }}:8220
      - FLEET_SERVER_ELASTICSEARCH_HOST=https://{{ GLOBALS.manager }}:9200
      - FLEET_SERVER_SERVICE_TOKEN={{ SERVICETOKEN }}
      - FLEET_SERVER_POLICY_ID=FleetServer_{{ GLOBALS.hostname }}
      - FLEET_SERVER_ELASTICSEARCH_CA=/etc/pki/tls/certs/intca.crt
      - FLEET_SERVER_CERT=/etc/pki/elasticfleet.crt
      - FLEET_SERVER_CERT_KEY=/etc/pki/elasticfleet.key
      - FLEET_CA=/etc/pki/tls/certs/intca.crt
  {% endif %}
 append_so-elastic-fleet_so-status.conf:
  file.append:
    - name: /opt/so/conf/so-status/so-status.conf
    - text: so-elastic-fleet
 include:
 {% if ELASTICFLEETMERGED.enabled %}
  - elasticfleet.enabled
 {% else %}
-
+  - elasticfleet.disabled
 {{sls}}_state_not_allowed:
  test.fail_without_changes:
    - name: {{sls}}_state_not_allowed
 {% endif %}
--- a/salt/elasticfleet/map.jinja
+++ b/salt/elasticfleet/map.jinja
@@ -0,0 +1,7 @@
 {# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
   or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
   https://securityonion.net/license; you may not use this file except in compliance with the
   Elastic License 2.0. #}
 {% import_yaml 'elasticfleet/defaults.yaml' as ELASTICFLEETDEFAULTS %}
 {% set ELASTICFLEETMERGED = salt['pillar.get']('elasticfleet', ELASTICFLEETDEFAULTS.elasticfleet, merge=True) %}
--- a/salt/elasticfleet/soc_elasticfleet.yaml
+++ b/salt/elasticfleet/soc_elasticfleet.yaml
@@ -1,25 +1,30 @@
 elasticfleet:
-  server:
+  enabled:
-    endpoints_enrollment:
+    description: You can enable or disable Elastic Fleet.
-      description: Endpoint enrollment key.
+    advanced: True
-      global: True
+    helpLink: elastic-fleet.html
-      helpLink: elastic-fleet.html
+  config:
-      sensitive: True
+    server:
-      advanced: True
+      endpoints_enrollment:
-    es_token:
+        description: Endpoint enrollment key.
-      description: Elastic auth token.
+        global: True
-      global: True
+        helpLink: elastic-fleet.html
-      helpLink: elastic-fleet.html
+        sensitive: True
-      sensitive: True
+        advanced: True
-      advanced: True
+      es_token:
-    grid_enrollment:
+        description: Elastic auth token.
-      description: Grid enrollment key.
+        global: True
-      global: True
+        helpLink: elastic-fleet.html
-      helpLink: elastic-fleet.html
+        sensitive: True
-      sensitive: True
+        advanced: True
-      advanced: True
+      grid_enrollment:
-    url:
+        description: Grid enrollment key.
-      description: Agent connection URL.
+        global: True
-      global: True
+        helpLink: elastic-fleet.html
-      helpLink: elastic-fleet.html
+        sensitive: True
-      advanced: True
+        advanced: True
      url:
        description: Agent connection URL.
        global: True
        helpLink: elastic-fleet.html
        advanced: True
--- a/salt/elasticfleet/sostatus.sls
+++ b/salt/elasticfleet/sostatus.sls
@@ -0,0 +1,21 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
 append_so-elastic-fleet_so-status.conf:
  file.append:
    - name: /opt/so/conf/so-status/so-status.conf
    - text: so-elastic-fleet
    - unless: grep -q ^so-elastic-fleet$ /opt/so/conf/so-status/so-status.conf
 {% else %}
 {{sls}}_state_not_allowed:
  test.fail_without_changes:
    - name: {{sls}}_state_not_allowed
 {% endif %}
--- a/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-setup
+++ b/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-setup
@@ -81,10 +81,12 @@ GRIDNODESENROLLMENTOKEN=$(curl -K /opt/so/conf/elasticsearch/curl.config -L "loc
 pillar_file=/opt/so/saltstack/local/pillar/minions/{{ GLOBALS.minion_id }}.sls
 printf '%s\n'\
    "elasticfleet:"\
-    "  server:"\
+    "  enabled: True"\
-    "    es_token: '$ESTOKEN'"\
+    "  config:"\
-    "    endpoints_enrollment: '$ENDPOINTSENROLLMENTOKEN'"\
+    "    server:"\
-    "    grid_enrollment: '$GRIDNODESENROLLMENTOKEN'"\
+    "      es_token: '$ESTOKEN'"\
    "      endpoints_enrollment: '$ENDPOINTSENROLLMENTOKEN'"\
    "      grid_enrollment: '$GRIDNODESENROLLMENTOKEN'"\
    "" >> "$pillar_file"
 #Store Grid Nodes Enrollment token in Global pillar
--- a/salt/elasticsearch/ca.sls
+++ b/salt/elasticsearch/ca.sls
@@ -0,0 +1,50 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
 {%   from 'vars/globals.map.jinja' import GLOBALS %}
 # Move our new CA over so Elastic and Logstash can use SSL with the internal CA
 catrustdir:
  file.directory:
    - name: /opt/so/conf/ca
    - user: 939
    - group: 939
    - makedirs: True
 {%   if GLOBALS.is_manager %}
 # We have to add the Manager CA to the CA list
 cascriptsync:
  cmd.script:
    - source: salt://elasticsearch/tools/sbin_jinja/so-catrust
    - template: jinja
    - defaults:
        GLOBALS: {{ GLOBALS }}
 {%   endif %}
 {%   if grains.role in ['so-manager', 'so-helix', 'so-managersearch', 'so-standalone', 'so-import', 'so-searchnode'] %}
 cacertz:
  file.managed:
    - name: /opt/so/conf/ca/cacerts
    - source: salt://elasticsearch/cacerts
    - user: 939
    - group: 939
 capemz:
  file.managed:
    - name: /opt/so/conf/ca/tls-ca-bundle.pem
    - source: salt://elasticsearch/tls-ca-bundle.pem
    - user: 939
    - group: 939
 {%   endif %}
 {% else %}
 {{sls}}_state_not_allowed:
  test.fail_without_changes:
    - name: {{sls}}_state_not_allowed
 {% endif %}
--- a/salt/elasticsearch/config.map.jinja
+++ b/salt/elasticsearch/config.map.jinja
@@ -1,44 +1,43 @@
 {% from 'vars/globals.map.jinja' import GLOBALS %}
-{% import_yaml 'elasticsearch/defaults.yaml' as ESCONFIG with context %}
+{% import_yaml 'elasticsearch/defaults.yaml' as ELASTICSEARCHDEFAULTS with context %}
 {% from 'logstash/map.jinja' import LOGSTASH_NODES with context %}
 {% set HIGHLANDER = salt['pillar.get']('global:highlander', False) %}
 {% if grains.id.split('_') | last in ['manager','managersearch','standalone'] %}
    {% if LOGSTASH_NODES | length > 1 %}
-      {% do ESCONFIG.elasticsearch.config.update({'discovery': {'seed_hosts': []}}) %}
+      {% do ELASTICSEARCHDEFAULTS.elasticsearch.config.update({'discovery': {'seed_hosts': []}}) %}
      {% for NODE in LOGSTASH_NODES %}
-        {% do ESCONFIG.elasticsearch.config.discovery.seed_hosts.append(NODE.keys()|first) %}
+        {% do ELASTICSEARCHDEFAULTS.elasticsearch.config.discovery.seed_hosts.append(NODE.keys()|first) %}
      {% endfor %}
      {% if grains.id.split('_') | last == 'manager' %}
-        {% do ESCONFIG.elasticsearch.config.node.update({'roles': ['master','data','remote_cluster_client']}) %}
+        {% do ELASTICSEARCHDEFAULTS.elasticsearch.config.node.update({'roles': ['master','data','remote_cluster_client']}) %}
      {% else %}
-        {% do ESCONFIG.elasticsearch.config.node.update({'roles': ['master', 'data_hot', 'remote_cluster_client']}) %}
+        {% do ELASTICSEARCHDEFAULTS.elasticsearch.config.node.update({'roles': ['master', 'data_hot', 'remote_cluster_client']}) %}
      {% endif %}
    {% endif %}
 {% elif grains.id.split('_') | last == 'searchnode' %}
-  {% do ESCONFIG.elasticsearch.config.node.update({'roles': ['data_hot', 'ingest']}) %}
+  {% do ELASTICSEARCHDEFAULTS.elasticsearch.config.node.update({'roles': ['data_hot', 'ingest']}) %}
  {% if HIGHLANDER %}
-        {% do ESCONFIG.elasticsearch.config.node.roles.extend(['ml', 'master', 'transform']) %}
+        {% do ELASTICSEARCHDEFAULTS.elasticsearch.config.node.roles.extend(['ml', 'master', 'transform']) %}
  {% endif %}
-  {% do ESCONFIG.elasticsearch.config.update({'discovery': {'seed_hosts': [GLOBALS.manager]}}) %}
+  {% do ELASTICSEARCHDEFAULTS.elasticsearch.config.update({'discovery': {'seed_hosts': [GLOBALS.manager]}}) %}
 {% endif %}
 {% if HIGHLANDER %}
-      {% do ESCONFIG.elasticsearch.config.xpack.ml.update({'enabled': true}) %}
+      {% do ELASTICSEARCHDEFAULTS.elasticsearch.config.xpack.ml.update({'enabled': true}) %}
 {% endif %}
-{% do ESCONFIG.elasticsearch.config.node.update({'name': GLOBALS.hostname}) %}
+{% do ELASTICSEARCHDEFAULTS.elasticsearch.config.node.update({'name': GLOBALS.hostname}) %}
-{% do ESCONFIG.elasticsearch.config.cluster.update({'name': GLOBALS.hostname}) %}
+{% do ELASTICSEARCHDEFAULTS.elasticsearch.config.cluster.update({'name': GLOBALS.hostname}) %}
-{% do ESCONFIG.elasticsearch.config.transport.update({'publish_host': GLOBALS.hostname}) %}
+{% do ELASTICSEARCHDEFAULTS.elasticsearch.config.transport.update({'publish_host': GLOBALS.hostname}) %}
-{# merge with the elasticsearch pillar #}
+{% set ELASTICSEARCHMERGED = salt['pillar.get']('elasticsearch', default=ELASTICSEARCHDEFAULTS.elasticsearch, merge=True) %}
 {% set ESCONFIG = salt['pillar.get']('elasticsearch:config', default=ESCONFIG.elasticsearch.config, merge=True) %}
 {% if salt['pillar.get']('elasticsearch:config:path:repo', False) %}
  {% for repo in pillar.elasticsearch.config.path.repo %}
    {# remove elasticsearch.config.path.repo value if the directory doesn't exist on the node #}
    {% if not salt['file.directory_exists'](repo) %}
-      {% do ESCONFIG.path.repo.remove(repo) %}
+      {% do ELASTICSEARCHMERGED.config.path.repo.remove(repo) %}
    {% endif %}
  {% endfor %}
 {% endif %}
--- a/salt/elasticsearch/config.sls
+++ b/salt/elasticsearch/config.sls
@@ -0,0 +1,219 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
 include:
  - ssl
  - elasticsearch.ca
 {%   from 'vars/globals.map.jinja' import GLOBALS %}
 {%   from 'elasticsearch/config.map.jinja' import ELASTICSEARCHMERGED %}
 vm.max_map_count:
  sysctl.present:
    - value: 262144
 # Add ES Group
 elasticsearchgroup:
  group.present:
    - name: elasticsearch
    - gid: 930
 esconfdir:
  file.directory:
    - name: /opt/so/conf/elasticsearch
    - user: 930
    - group: 939
    - makedirs: True
 # Add ES user
 elasticsearch:
  user.present:
    - uid: 930
    - gid: 930
    - home: /opt/so/conf/elasticsearch
    - createhome: False
 elasticsearch_sbin:
  file.recurse:
    - name: /usr/sbin
    - source: salt://elasticsearch/tools/sbin
    - user: 930
    - group: 939
    - file_mode: 755
    - exclude_pat:
      - so-elasticsearch-pipelines # exclude this because we need to watch it for changes, we sync it in another state
 elasticsearch_sbin_jinja:
  file.recurse:
    - name: /usr/sbin
    - source: salt://elasticsearch/tools/sbin_jinja
    - user: 939
    - group: 939 
    - file_mode: 755
    - template: jinja
    - exclude_pat:
      - so-elasticsearch-ilm-policy-load # exclude this because we need to watch it for changes, we sync it in another state
    - defaults:
        GLOBALS: {{ GLOBALS }}
 so-elasticsearch-ilm-policy-load-script:
  file.managed:
    - name: /usr/sbin/so-elasticsearch-ilm-policy-load
    - source: salt://elasticsearch/tools/sbin_jinja/so-elasticsearch-ilm-policy-load
    - user: 930
    - group: 939
    - mode: 754
    - template: jinja
 so-elasticsearch-pipelines-script:
  file.managed:
    - name: /usr/sbin/so-elasticsearch-pipelines
    - source: salt://elasticsearch/tools/sbin/so-elasticsearch-pipelines
    - user: 930
    - group: 939
    - mode: 754
 esingestdir:
  file.directory:
    - name: /opt/so/conf/elasticsearch/ingest
    - user: 930
    - group: 939
    - makedirs: True
 estemplatedir:
  file.directory:
    - name: /opt/so/conf/elasticsearch/templates/index
    - user: 930
    - group: 939
    - makedirs: True
 esrolesdir:
  file.directory:
    - name: /opt/so/conf/elasticsearch/roles
    - user: 930
    - group: 939
    - makedirs: True
 eslibdir:
  file.absent:
    - name: /opt/so/conf/elasticsearch/lib
 esingestdynamicconf:
  file.recurse:
    - name: /opt/so/conf/elasticsearch/ingest
    - source: salt://elasticsearch/files/ingest-dynamic
    - user: 930
    - group: 939
    - template: jinja
 esingestconf:
  file.recurse:
    - name: /opt/so/conf/elasticsearch/ingest
    - source: salt://elasticsearch/files/ingest
    - user: 930
    - group: 939
 eslog4jfile:
  file.managed:
    - name: /opt/so/conf/elasticsearch/log4j2.properties
    - source: salt://elasticsearch/files/log4j2.properties
    - user: 930
    - group: 939
    - template: jinja
 esyml:
  file.managed:
    - name: /opt/so/conf/elasticsearch/elasticsearch.yml
    - source: salt://elasticsearch/files/elasticsearch.yaml.jinja
    - user: 930
    - group: 939
    - defaults:
        ESCONFIG: {{ ELASTICSEARCHMERGED.config }}
    - template: jinja
 esroles:
  file.recurse:
    - source: salt://elasticsearch/roles/
    - name: /opt/so/conf/elasticsearch/roles/
    - clean: True
    - template: jinja
    - user: 930
    - group: 939
 nsmesdir:
  file.directory:
    - name: /nsm/elasticsearch
    - user: 930
    - group: 939
    - makedirs: True
 eslogdir:
  file.directory:
    - name: /opt/so/log/elasticsearch
    - user: 930
    - group: 939
    - makedirs: True
 es_repo_dir:
  file.directory:
    - name: /nsm/elasticsearch/repo/
    - user: 930
    - group: 930
    - require:
      - file: nsmesdir
 so-pipelines-reload:
  file.absent:
    - name: /opt/so/state/espipelines.txt
    - onchanges:
      - file: esingestconf
      - file: esingestdynamicconf
      - file: esyml
      - file: so-elasticsearch-pipelines-script
 auth_users:
  file.managed:
    - name: /opt/so/conf/elasticsearch/users.tmp
    - source: salt://elasticsearch/files/users
    - user: 930
    - group: 930
    - mode: 600
    - show_changes: False
 auth_users_roles:
  file.managed:
    - name: /opt/so/conf/elasticsearch/users_roles.tmp
    - source: salt://elasticsearch/files/users_roles
    - user: 930
    - group: 930
    - mode: 600
    - show_changes: False
 auth_users_inode:
  require:
    - file: auth_users
  cmd.run:
    - name: cat /opt/so/conf/elasticsearch/users.tmp > /opt/so/conf/elasticsearch/users && chown 930:939 /opt/so/conf/elasticsearch/users && chmod 660 /opt/so/conf/elasticsearch/users
    - onchanges:
      - file: /opt/so/conf/elasticsearch/users.tmp
 auth_users_roles_inode:
  require:
    - file: auth_users_roles
  cmd.run:
    - name: cat /opt/so/conf/elasticsearch/users_roles.tmp > /opt/so/conf/elasticsearch/users_roles && chown 930:939 /opt/so/conf/elasticsearch/users_roles && chmod 660 /opt/so/conf/elasticsearch/users_roles
    - onchanges:
      - file: /opt/so/conf/elasticsearch/users_roles.tmp
 {% else %}
 {{sls}}_state_not_allowed:
  test.fail_without_changes:
    - name: {{sls}}_state_not_allowed
 {% endif %}
--- a/salt/elasticsearch/defaults.yaml
+++ b/salt/elasticsearch/defaults.yaml
@@ -1,4 +1,5 @@
 elasticsearch:
  enabled: False
  retention:
    retention_pct: 50
  config:
--- a/salt/elasticsearch/disabled.sls
+++ b/salt/elasticsearch/disabled.sls
@@ -0,0 +1,27 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
 include:
  - elasticsearch.sostatus
 so-elasticsearch:
  docker_container.absent:
    - force: True
 so-elasticsearch_so-status.disabled:
  file.comment:
    - name: /opt/so/conf/so-status/so-status.conf
    - regex: ^so-elasticsearch$
 {% else %}
 {{sls}}_state_not_allowed:
  test.fail_without_changes:
    - name: {{sls}}_state_not_allowed
 {% endif %}
--- a/salt/elasticsearch/enabled.sls
+++ b/salt/elasticsearch/enabled.sls
@@ -0,0 +1,183 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
 {%   from 'vars/globals.map.jinja' import GLOBALS %}
 {%   from 'docker/docker.map.jinja' import DOCKER %}
 {%   from 'logstash/map.jinja' import LOGSTASH_NODES %}
 {%   from 'elasticsearch/config.map.jinja' import ELASTICSEARCHMERGED %}
 {%   set TEMPLATES = salt['pillar.get']('elasticsearch:templates', {}) %}
 {%   from 'elasticsearch/template.map.jinja' import ES_INDEX_SETTINGS %}
 include:
  - elasticsearch.config
  - elasticsearch.sostatus
 so-elasticsearch:
  docker_container.running:
    - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-elasticsearch:{{ GLOBALS.so_version }}
    - hostname: elasticsearch
    - name: so-elasticsearch
    - user: elasticsearch
    - networks:
      - sobridge:
        - ipv4_address: {{ DOCKER.containers['so-elasticsearch'].ip }}
    - extra_hosts:  {{ LOGSTASH_NODES }}
    - environment:
      {% if LOGSTASH_NODES | length == 1 %}
      - discovery.type=single-node
      {% endif %}
      - ES_JAVA_OPTS=-Xms{{ GLOBALS.elasticsearch.es_heap }} -Xmx{{ GLOBALS.elasticsearch.es_heap }} -Des.transport.cname_in_publish_address=true -Dlog4j2.formatMsgNoLookups=true
      ulimits:
      - memlock=-1:-1
      - nofile=65536:65536
      - nproc=4096
    - port_bindings:
      {% for BINDING in DOCKER.containers['so-elasticsearch'].port_bindings %}
      - {{ BINDING }}
      {% endfor %}
    - binds:
      - /opt/so/conf/elasticsearch/elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml:ro
      - /opt/so/conf/elasticsearch/log4j2.properties:/usr/share/elasticsearch/config/log4j2.properties:ro
      - /nsm/elasticsearch:/usr/share/elasticsearch/data:rw
      - /opt/so/log/elasticsearch:/var/log/elasticsearch:rw
      - /opt/so/conf/ca/cacerts:/usr/share/elasticsearch/jdk/lib/security/cacerts:ro
      {% if GLOBALS.is_manager %}
      - /etc/pki/ca.crt:/usr/share/elasticsearch/config/ca.crt:ro
      {% else %}
      - /etc/ssl/certs/intca.crt:/usr/share/elasticsearch/config/ca.crt:ro
      {% endif %}
      - /etc/pki/elasticsearch.crt:/usr/share/elasticsearch/config/elasticsearch.crt:ro
      - /etc/pki/elasticsearch.key:/usr/share/elasticsearch/config/elasticsearch.key:ro
      - /etc/pki/elasticsearch.p12:/usr/share/elasticsearch/config/elasticsearch.p12:ro
      - /opt/so/conf/elasticsearch/users_roles:/usr/share/elasticsearch/config/users_roles:ro
      - /opt/so/conf/elasticsearch/users:/usr/share/elasticsearch/config/users:ro
      {% if ELASTICSEARCHMERGED.config.path.get('repo', False) %}
        {% for repo in ELASTICSEARCHMERGED.config.path.repo %}
      - {{ repo }}:{{ repo }}:rw
        {% endfor %}
      {% endif %}
    - watch:
      - file: cacertz
      - file: esyml
    - require:
      - file: esyml
      - file: eslog4jfile
      - file: nsmesdir
      - file: eslogdir
      - file: cacertz
      - x509: /etc/pki/elasticsearch.crt
      - x509: /etc/pki/elasticsearch.key
      - file: elasticp12perms
      {% if GLOBALS.is_manager %}
      - x509: pki_public_ca_crt
      {% else %}
      - x509: trusttheca
      {% endif %}
      - cmd: auth_users_roles_inode
      - cmd: auth_users_inode
 delete_so-elasticsearch_so-status.disabled:
  file.uncomment:
    - name: /opt/so/conf/so-status/so-status.conf
    - regex: ^so-elasticsearch$
 {%   if GLOBALS.role != "so-searchnode" %}
 escomponenttemplates:
  file.recurse:
    - name: /opt/so/conf/elasticsearch/templates/component
    - source: salt://elasticsearch/templates/component
    - user: 930
    - group: 939
    - onchanges_in:
      - cmd: so-elasticsearch-templates
 # Auto-generate templates from defaults file
 {%     for index, settings in ES_INDEX_SETTINGS.items() %}
 {%      if settings.index_template is defined %}
 es_index_template_{{index}}:
  file.managed:
    - name: /opt/so/conf/elasticsearch/templates/index/{{ index }}-template.json
    - source: salt://elasticsearch/base-template.json.jinja
    - defaults:
      TEMPLATE_CONFIG: {{ settings.index_template }}
    - template: jinja
    - onchanges_in:
      - cmd: so-elasticsearch-templates
 {%       endif %}
 {%     endfor %}
 {%     if TEMPLATES %}
 # Sync custom templates to /opt/so/conf/elasticsearch/templates
 {%       for TEMPLATE in TEMPLATES %}
 es_template_{{TEMPLATE.split('.')[0] | replace("/","_") }}:
  file.managed:
    - source: salt://elasticsearch/templates/index/{{TEMPLATE}}
 {%         if 'jinja' in TEMPLATE.split('.')[-1] %}
    - name: /opt/so/conf/elasticsearch/templates/index/{{TEMPLATE.split('/')[1] | replace(".jinja", "")}}
    - template: jinja
 {%         else %}
    - name: /opt/so/conf/elasticsearch/templates/index/{{TEMPLATE.split('/')[1]}}
 {%         endif %}
    - user: 930
    - group: 939
    - onchanges_in:
      - cmd: so-elasticsearch-templates
 {%       endfor %}
 {%     endif %}
 so-es-cluster-settings:
  cmd.run:
    - name: /usr/sbin/so-elasticsearch-cluster-settings
    - cwd: /opt/so
    - template: jinja
    - require:
      - docker_container: so-elasticsearch
      - file: elasticsearch_sbin_jinja
 so-elasticsearch-ilm-policy-load:
  cmd.run:
    - name: /usr/sbin/so-elasticsearch-ilm-policy-load
    - cwd: /opt/so
    - require:
      - docker_container: so-elasticsearch
      - file: so-elasticsearch-ilm-policy-load-script
    - onchanges:
      - file: so-elasticsearch-ilm-policy-load-script
 so-elasticsearch-templates:
  cmd.run:
    - name: /usr/sbin/so-elasticsearch-templates-load
    - cwd: /opt/so
    - template: jinja
    - require:
      - docker_container: so-elasticsearch
      - file: elasticsearch_sbin_jinja
 so-elasticsearch-pipelines:
  cmd.run:
    - name: /usr/sbin/so-elasticsearch-pipelines {{ GLOBALS.hostname }}
    - require:
      - docker_container: so-elasticsearch
      - file: so-elasticsearch-pipelines-script
 so-elasticsearch-roles-load:
  cmd.run:
    - name: /usr/sbin/so-elasticsearch-roles-load
    - cwd: /opt/so
    - template: jinja
    - require:
      - docker_container: so-elasticsearch
      - file: elasticsearch_sbin_jinja
 {%   endif %}
 {% else %}
 {{sls}}_state_not_allowed:
  test.fail_without_changes:
    - name: {{sls}}_state_not_allowed
 {% endif %}
--- a/salt/elasticsearch/init.sls
+++ b/salt/elasticsearch/init.sls
@@ -3,425 +3,11 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
-{% from 'allowed_states.map.jinja' import allowed_states %}
+{% from 'elasticsearch/config.map.jinja' import ELASTICSEARCHMERGED %}
 {% if sls in allowed_states %}
 include:
-  - ssl
+{% if ELASTICSEARCHMERGED.enabled %}
-
+  - elasticsearch.enabled
 {% from 'vars/globals.map.jinja' import GLOBALS %}
 {% from 'docker/docker.map.jinja' import DOCKER %}
 {% set TEMPLATES = salt['pillar.get']('elasticsearch:templates', {}) %}
 {% set ROLES = salt['pillar.get']('elasticsearch:roles', {}) %}
 {% from 'elasticsearch/config.map.jinja' import ESCONFIG with context %}
 {% from 'elasticsearch/template.map.jinja' import ES_INDEX_SETTINGS without context %}
 {% from 'logstash/map.jinja' import LOGSTASH_NODES %}
 vm.max_map_count:
  sysctl.present:
    - value: 262144
 # Add ES Group
 elasticsearchgroup:
  group.present:
    - name: elasticsearch
    - gid: 930
 esconfdir:
  file.directory:
    - name: /opt/so/conf/elasticsearch
    - user: 930
    - group: 939
    - makedirs: True
 # Add ES user
 elasticsearch:
  user.present:
    - uid: 930
    - gid: 930
    - home: /opt/so/conf/elasticsearch
    - createhome: False
 {% if GLOBALS.is_manager %}
 # We have to add the Manager CA to the CA list
 cascriptsync:
  file.managed:
    - name: /usr/sbin/so-catrust
    - source: salt://elasticsearch/tools/sbin_jinja/so-catrust
    - user: 939
    - group: 939
    - mode: 750
    - template: jinja
    - defaults:
        GLOBALS: {{ GLOBALS }}
 # Run the CA magic
 cascriptfun:
  cmd.run:
    - name: /usr/sbin/so-catrust
    - require:
        - file: cascriptsync
 {% endif %}
 elasticsearch_sbin:
  file.recurse:
    - name: /usr/sbin
    - source: salt://elasticsearch/tools/sbin
    - user: 930
    - group: 939
    - file_mode: 755
    - exclude_pat:
      - so-catrust
      - so-elasticsearch-pipelines # exclude this because we need to watch it for changes, we sync it in another state
 elasticsearch_sbin_jinja:
  file.recurse:
    - name: /usr/sbin
    - source: salt://elasticsearch/tools/sbin_jinja
    - user: 939
    - group: 939 
    - file_mode: 755
    - template: jinja
    - exclude_pat:
      - so-elasticsearch-ilm-policy-load # exclude this because we need to watch it for changes, we sync it in another state
    - defaults:
        GLOBALS: {{ GLOBALS }}
 so-elasticsearch-ilm-policy-load-script:
  file.managed:
    - name: /usr/sbin/so-elasticsearch-ilm-policy-load
    - source: salt://elasticsearch/tools/sbin_jinja/so-elasticsearch-ilm-policy-load
    - user: 930
    - group: 939
    - mode: 754
    - template: jinja
 so-elasticsearch-pipelines-script:
  file.managed:
    - name: /usr/sbin/so-elasticsearch-pipelines
    - source: salt://elasticsearch/tools/sbin/so-elasticsearch-pipelines
    - user: 930
    - group: 939
    - mode: 754
 # Move our new CA over so Elastic and Logstash can use SSL with the internal CA
 catrustdir:
  file.directory:
    - name: /opt/so/conf/ca
    - user: 939
    - group: 939
    - makedirs: True
 cacertz:
  file.managed:
    - name: /opt/so/conf/ca/cacerts
    - source: salt://common/cacerts
    - user: 939
    - group: 939
 capemz:
  file.managed:
    - name: /opt/so/conf/ca/tls-ca-bundle.pem
    - source: salt://common/tls-ca-bundle.pem
    - user: 939
    - group: 939
 esingestdir:
  file.directory:
    - name: /opt/so/conf/elasticsearch/ingest
    - user: 930
    - group: 939
    - makedirs: True
 estemplatedir:
  file.directory:
    - name: /opt/so/conf/elasticsearch/templates/index
    - user: 930
    - group: 939
    - makedirs: True
 esrolesdir:
  file.directory:
    - name: /opt/so/conf/elasticsearch/roles
    - user: 930
    - group: 939
    - makedirs: True
 eslibdir:
  file.absent:
    - name: /opt/so/conf/elasticsearch/lib
 esingestdynamicconf:
  file.recurse:
    - name: /opt/so/conf/elasticsearch/ingest
    - source: salt://elasticsearch/files/ingest-dynamic
    - user: 930
    - group: 939
    - template: jinja
 esingestconf:
  file.recurse:
    - name: /opt/so/conf/elasticsearch/ingest
    - source: salt://elasticsearch/files/ingest
    - user: 930
    - group: 939
 eslog4jfile:
  file.managed:
    - name: /opt/so/conf/elasticsearch/log4j2.properties
    - source: salt://elasticsearch/files/log4j2.properties
    - user: 930
    - group: 939
    - template: jinja
 esyml:
  file.managed:
    - name: /opt/so/conf/elasticsearch/elasticsearch.yml
    - source: salt://elasticsearch/files/elasticsearch.yaml.jinja
    - user: 930
    - group: 939
    - defaults:
        ESCONFIG: {{ ESCONFIG }}
    - template: jinja
 {% if GLOBALS.role != "so-searchnode" %}
 escomponenttemplates:
  file.recurse:
    - name: /opt/so/conf/elasticsearch/templates/component
    - source: salt://elasticsearch/templates/component
    - user: 930
    - group: 939
    - onchanges_in:
      - cmd: so-elasticsearch-templates
 # Auto-generate templates from defaults file
 {% for index, settings in ES_INDEX_SETTINGS.items() %}
  {% if settings.index_template is defined %}
 es_index_template_{{index}}:
  file.managed:
    - name: /opt/so/conf/elasticsearch/templates/index/{{ index }}-template.json
    - source: salt://elasticsearch/base-template.json.jinja
    - defaults:
      TEMPLATE_CONFIG: {{ settings.index_template }}
    - template: jinja
    - onchanges_in:
      - cmd: so-elasticsearch-templates
  {% endif %}
 {% endfor %}
 {% if TEMPLATES %}
 # Sync custom templates to /opt/so/conf/elasticsearch/templates
 {% for TEMPLATE in TEMPLATES %}
 es_template_{{TEMPLATE.split('.')[0] | replace("/","_") }}:
  file.managed:
    - source: salt://elasticsearch/templates/index/{{TEMPLATE}}
    {% if 'jinja' in TEMPLATE.split('.')[-1] %}
    - name: /opt/so/conf/elasticsearch/templates/index/{{TEMPLATE.split('/')[1] | replace(".jinja", "")}}
    - template: jinja
    {% else %}
    - name: /opt/so/conf/elasticsearch/templates/index/{{TEMPLATE.split('/')[1]}}
    {% endif %}
    - user: 930
    - group: 939
    - onchanges_in:
      - cmd: so-elasticsearch-templates
 {% endfor %}
 {% endif %}
 {% endif %}
 esroles:
  file.recurse:
    - source: salt://elasticsearch/roles/
    - name: /opt/so/conf/elasticsearch/roles/
    - clean: True
    - template: jinja
    - user: 930
    - group: 939
 nsmesdir:
  file.directory:
    - name: /nsm/elasticsearch
    - user: 930
    - group: 939
    - makedirs: True
 eslogdir:
  file.directory:
    - name: /opt/so/log/elasticsearch
    - user: 930
    - group: 939
    - makedirs: True
 es_repo_dir:
  file.directory:
    - name: /nsm/elasticsearch/repo/
    - user: 930
    - group: 930
    - require:
      - file: nsmesdir
 so-pipelines-reload:
  file.absent:
    - name: /opt/so/state/espipelines.txt
    - onchanges:
      - file: esingestconf
      - file: esingestdynamicconf
      - file: esyml
      - file: so-elasticsearch-pipelines-script
 auth_users:
  file.managed:
    - name: /opt/so/conf/elasticsearch/users.tmp
    - source: salt://elasticsearch/files/users
    - user: 930
    - group: 930
    - mode: 600
    - show_changes: False
 auth_users_roles:
  file.managed:
    - name: /opt/so/conf/elasticsearch/users_roles.tmp
    - source: salt://elasticsearch/files/users_roles
    - user: 930
    - group: 930
    - mode: 600
    - show_changes: False
 auth_users_inode:
  require:
    - file: auth_users
  cmd.run:
    - name: cat /opt/so/conf/elasticsearch/users.tmp > /opt/so/conf/elasticsearch/users && chown 930:939 /opt/so/conf/elasticsearch/users && chmod 660 /opt/so/conf/elasticsearch/users
    - onchanges:
      - file: /opt/so/conf/elasticsearch/users.tmp
 auth_users_roles_inode:
  require:
    - file: auth_users_roles
  cmd.run:
    - name: cat /opt/so/conf/elasticsearch/users_roles.tmp > /opt/so/conf/elasticsearch/users_roles && chown 930:939 /opt/so/conf/elasticsearch/users_roles && chmod 660 /opt/so/conf/elasticsearch/users_roles
    - onchanges:
      - file: /opt/so/conf/elasticsearch/users_roles.tmp
 so-elasticsearch:
  docker_container.running:
    - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-elasticsearch:{{ GLOBALS.so_version }}
    - hostname: elasticsearch
    - name: so-elasticsearch
    - user: elasticsearch
    - networks:
      - sobridge:
        - ipv4_address: {{ DOCKER.containers['so-elasticsearch'].ip }}
    - extra_hosts:  {{ LOGSTASH_NODES }}
    - environment:
      {% if LOGSTASH_NODES | length == 1 %}
      - discovery.type=single-node
      {% endif %}
      - ES_JAVA_OPTS=-Xms{{ GLOBALS.elasticsearch.es_heap }} -Xmx{{ GLOBALS.elasticsearch.es_heap }} -Des.transport.cname_in_publish_address=true -Dlog4j2.formatMsgNoLookups=true
      ulimits:
      - memlock=-1:-1
      - nofile=65536:65536
      - nproc=4096
    - port_bindings:
      {% for BINDING in DOCKER.containers['so-elasticsearch'].port_bindings %}
      - {{ BINDING }}
      {% endfor %}
    - binds:
      - /opt/so/conf/elasticsearch/elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml:ro
      - /opt/so/conf/elasticsearch/log4j2.properties:/usr/share/elasticsearch/config/log4j2.properties:ro
      - /nsm/elasticsearch:/usr/share/elasticsearch/data:rw
      - /opt/so/log/elasticsearch:/var/log/elasticsearch:rw
      - /opt/so/conf/ca/cacerts:/usr/share/elasticsearch/jdk/lib/security/cacerts:ro
      {% if GLOBALS.is_manager %}
      - /etc/pki/ca.crt:/usr/share/elasticsearch/config/ca.crt:ro
      {% else %}
      - /etc/ssl/certs/intca.crt:/usr/share/elasticsearch/config/ca.crt:ro
      {% endif %}
      - /etc/pki/elasticsearch.crt:/usr/share/elasticsearch/config/elasticsearch.crt:ro
      - /etc/pki/elasticsearch.key:/usr/share/elasticsearch/config/elasticsearch.key:ro
      - /etc/pki/elasticsearch.p12:/usr/share/elasticsearch/config/elasticsearch.p12:ro
      - /opt/so/conf/elasticsearch/users_roles:/usr/share/elasticsearch/config/users_roles:ro
      - /opt/so/conf/elasticsearch/users:/usr/share/elasticsearch/config/users:ro
      {% if ESCONFIG.path.get('repo', False) %}
        {% for repo in ESCONFIG.path.repo %}
      - {{ repo }}:{{ repo }}:rw
        {% endfor %}
      {% endif %}
    - watch:
      - file: cacertz
      - file: esyml
    - require:
      - file: esyml
      - file: eslog4jfile
      - file: nsmesdir
      - file: eslogdir
      - file: cacertz
      - x509: /etc/pki/elasticsearch.crt
      - x509: /etc/pki/elasticsearch.key
      - file: elasticp12perms
      {% if GLOBALS.is_manager %}
      - x509: pki_public_ca_crt
      {% else %}
      - x509: trusttheca
      {% endif %}
      - cmd: auth_users_roles_inode
      - cmd: auth_users_inode
 append_so-elasticsearch_so-status.conf:
  file.append:
    - name: /opt/so/conf/so-status/so-status.conf
    - text: so-elasticsearch
 {% if GLOBALS.role != "so-searchnode" %}
 so-es-cluster-settings:
  cmd.run:
    - name: /usr/sbin/so-elasticsearch-cluster-settings
    - cwd: /opt/so
    - template: jinja
    - require:
      - docker_container: so-elasticsearch
      - file: elasticsearch_sbin_jinja
 so-elasticsearch-ilm-policy-load:
  cmd.run:
    - name: /usr/sbin/so-elasticsearch-ilm-policy-load
    - cwd: /opt/so
    - require:
      - docker_container: so-elasticsearch
      - file: so-elasticsearch-ilm-policy-load-script
    - onchanges:
      - file: so-elasticsearch-ilm-policy-load-script
 so-elasticsearch-templates:
  cmd.run:
    - name: /usr/sbin/so-elasticsearch-templates-load
    - cwd: /opt/so
    - template: jinja
    - require:
      - docker_container: so-elasticsearch
      - file: elasticsearch_sbin_jinja
 so-elasticsearch-pipelines:
  cmd.run:
    - name: /usr/sbin/so-elasticsearch-pipelines {{ GLOBALS.hostname }}
    - require:
      - docker_container: so-elasticsearch
      - file: so-elasticsearch-pipelines-script
 so-elasticsearch-roles-load:
  cmd.run:
    - name: /usr/sbin/so-elasticsearch-roles-load
    - cwd: /opt/so
    - template: jinja
    - require:
      - docker_container: so-elasticsearch
      - file: elasticsearch_sbin_jinja
 {% endif %}
 {% else %}
-
+  - elasticsearch.disabled
-{{sls}}_state_not_allowed:
+{% endif %}
  test.fail_without_changes:
    - name: {{sls}}_state_not_allowed
 {% endif %} {# if 'elasticsearch' in top_states #}
--- a/salt/elasticsearch/soc_elasticsearch.yaml
+++ b/salt/elasticsearch/soc_elasticsearch.yaml
@@ -1,4 +1,7 @@
 elasticsearch:
  enabled:
    description: You can enable or disable Elasticsearch.
    helpLink: elasticsearch.html
  esheap:
    description: Specify the memory heap size in (m)egabytes for Elasticsearch.
    helpLink: elasticsearch.html
--- a/salt/elasticsearch/sostatus.sls
+++ b/salt/elasticsearch/sostatus.sls
@@ -0,0 +1,21 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
 append_so-elasticsearch_so-status.conf:
  file.append:
    - name: /opt/so/conf/so-status/so-status.conf
    - text: so-elasticsearch
    - unless: grep -q so-elasticsearch /opt/so/conf/so-status/so-status.conf
 {% else %}
 {{sls}}_state_not_allowed:
  test.fail_without_changes:
    - name: {{sls}}_state_not_allowed
 {% endif %}
--- a/salt/elasticsearch/template.map.jinja
+++ b/salt/elasticsearch/template.map.jinja
@@ -1,5 +1,5 @@
-{% import_yaml 'elasticsearch/defaults.yaml' as ESCONFIG with context %}
+{% import_yaml 'elasticsearch/defaults.yaml' as ELASTICSEARCHDEFAULTS with context %}
-{%- set ES_INDEX_SETTINGS = salt['pillar.get']('elasticsearch:index_settings', default=ESCONFIG.elasticsearch.index_settings, merge=True) %}
+{%- set ES_INDEX_SETTINGS = salt['pillar.get']('elasticsearch:index_settings', default=ELASTICSEARCHDEFAULTS.elasticsearch.index_settings, merge=True) %}
 {% for index, settings in ES_INDEX_SETTINGS.items() %}
  {% if settings.index_template is defined %}
    {% if not settings.get('index_sorting', False) | to_bool and settings.index_template.template.settings.index.sort is defined %}
--- a/salt/elasticsearch/tools/sbin_jinja/so-catrust
+++ b/salt/elasticsearch/tools/sbin_jinja/so-catrust
@@ -11,14 +11,14 @@
 set -e
 # Check to see if we have extracted the ca cert.
-if [ ! -f /opt/so/saltstack/local/salt/common/cacerts ]; then
+if [ ! -f /opt/so/saltstack/local/salt/elasticsearch/cacerts ]; then
    docker run -v /etc/pki/ca.crt:/etc/ssl/ca.crt --name so-elasticsearchca --user root --entrypoint jdk/bin/keytool {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-elasticsearch:{{ GLOBALS.so_version }} -keystore /usr/share/elasticsearch/jdk/lib/security/cacerts -alias SOSCA -import -file /etc/ssl/ca.crt -storepass changeit -noprompt
-    docker cp so-elasticsearchca:/usr/share/elasticsearch/jdk/lib/security/cacerts /opt/so/saltstack/local/salt/common/cacerts
+    docker cp so-elasticsearchca:/usr/share/elasticsearch/jdk/lib/security/cacerts /opt/so/saltstack/local/salt/elasticsearch/cacerts
-    docker cp so-elasticsearchca:/etc/ssl/certs/ca-certificates.crt /opt/so/saltstack/local/salt/common/tls-ca-bundle.pem
+    docker cp so-elasticsearchca:/etc/ssl/certs/ca-certificates.crt /opt/so/saltstack/local/salt/elasticsearch/tls-ca-bundle.pem
    docker rm so-elasticsearchca
-    echo "" >> /opt/so/saltstack/local/salt/common/tls-ca-bundle.pem
+    echo "" >> /opt/so/saltstack/local/salt/elasticsearch/tls-ca-bundle.pem
-    echo "sosca" >> /opt/so/saltstack/local/salt/common/tls-ca-bundle.pem
+    echo "sosca" >> /opt/so/saltstack/local/salt/elasticsearch/tls-ca-bundle.pem
-    cat /etc/pki/ca.crt >> /opt/so/saltstack/local/salt/common/tls-ca-bundle.pem
+    cat /etc/pki/ca.crt >> /opt/so/saltstack/local/salt/elasticsearch/tls-ca-bundle.pem
 else
    exit 0
 fi
--- a/salt/elasticsearch/tools/sbin_jinja/so-elasticsearch-ilm-policy-load
+++ b/salt/elasticsearch/tools/sbin_jinja/so-elasticsearch-ilm-policy-load
@@ -6,15 +6,15 @@
 . /usr/sbin/so-common
-{% import_yaml 'elasticsearch/defaults.yaml' as ESCONFIG with context %}
+{%- import_yaml 'elasticsearch/defaults.yaml' as ELASTICSEARCHDEFAULTS %}
-{%- set ES_INDEX_SETTINGS = salt['pillar.get']('elasticsearch:index_settings', default=ESCONFIG.elasticsearch.index_settings, merge=True) %}
+{%- set ES_INDEX_SETTINGS = salt['pillar.get']('elasticsearch:index_settings', default=ELASTICSEARCHDEFAULTS.elasticsearch.index_settings, merge=True) %}
 {%- for index, settings in ES_INDEX_SETTINGS.items() %}
-  {%- if settings.policy is defined %}
+{%-   if settings.policy is defined %}
 echo
 echo "Setting up {{ index }}-logs policy..."
 curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -s -k -L -X PUT "https://localhost:9200/_ilm/policy/{{ index }}-logs" -H 'Content-Type: application/json' -d'{ "policy": {{ settings.policy | tojson(true) }} }'
 echo
-  {%- endif %}
+{%-   endif %}
 {%- endfor %}
 echo
--- a/salt/idh/config.sls
+++ b/salt/idh/config.sls
@@ -0,0 +1,85 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
 {%   from 'vars/globals.map.jinja' import GLOBALS %}
 {%   from 'idh/opencanary_config.map.jinja' import RESTRICTIDHSERVICES %}
 {%   from 'idh/opencanary_config.map.jinja' import OPENCANARYCONFIG %}
 include:
  - idh.openssh.config
  - firewall
 # If True, block IDH Services from accepting connections on Managment IP
 {% if RESTRICTIDHSERVICES %}
  {% from 'idh/opencanary_config.map.jinja' import IDH_SERVICES %}
  {% for service in IDH_SERVICES %}
  {% if service in ["smnp","ntp", "tftp"] %}
    {% set proto = 'udp' %}
  {% else %}
    {% set proto = 'tcp' %}
  {% endif %}
 block_mgt_ip_idh_services_{{ proto }}_{{ OPENCANARYCONFIG[service~'_x_port'] }} :
  iptables.insert:
    - table: filter
    - chain: INPUT
    - jump: DROP
    - position: 1
    - proto:  {{ proto }}
    - dport: {{ OPENCANARYCONFIG[service~'_x_port'] }}
    - destination: {{ GLOBALS.node_ip }}
  {% endfor %}
 {% endif %}
 # Create a config directory
 idhconfdir:
  file.directory:
    - name: /opt/so/conf/idh
    - user: 939
    - group: 939
    - makedirs: True
 # Create a log directory
 idhlogdir:
  file.directory:
    - name: /nsm/idh
    - user: 939
    - group: 939
    - makedirs: True
 opencanary_config:
  file.managed:
    - name: /opt/so/conf/idh/opencanary.conf
    - source: salt://idh/idh.conf.jinja
    - template: jinja
    - defaults:
        OPENCANARYCONFIG: {{ OPENCANARYCONFIG }}
 idh_sbin:
  file.recurse:
    - name: /usr/sbin
    - source: salt://idh/tools/sbin
    - user: 934
    - group: 939
    - file_mode: 755
 #idh_sbin_jinja:
 #  file.recurse:
 #    - name: /usr/sbin
 #    - source: salt://idh/tools/sbin_jinja
 #    - user: 939
 #    - group: 939 
 #    - file_mode: 755
 #    - template: jinja
 {% else %}
 {{sls}}_state_not_allowed:
  test.fail_without_changes:
    - name: {{sls}}_state_not_allowed
 {% endif %}
--- a/salt/idh/defaults.yaml
+++ b/salt/idh/defaults.yaml
@@ -1,5 +1,6 @@
 idh:
-  restrict_management_ip: false
+  enabled: False
  restrict_management_ip: False
  openssh:
    enable: true
    config:
--- a/salt/idh/disabled.sls
+++ b/salt/idh/disabled.sls
@@ -0,0 +1,27 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
 include:
  - idh.sostatus
 so-idh:
  docker_container.absent:
    - force: True
 so-idh_so-status.disabled:
  file.comment:
    - name: /opt/so/conf/so-status/so-status.conf
    - regex: ^so-idh$
 {% else %}
 {{sls}}_state_not_allowed:
  test.fail_without_changes:
    - name: {{sls}}_state_not_allowed
 {% endif %}
--- a/salt/idh/enabled.sls
+++ b/salt/idh/enabled.sls
@@ -0,0 +1,39 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
 {%   from 'vars/globals.map.jinja' import GLOBALS %}
 include:
  - idh.config
  - idh.sostatus
 so-idh:
  docker_container.running:
    - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-idh:{{ GLOBALS.so_version }}
    - name: so-idh
    - detach: True
    - network_mode: host
    - binds:
      - /nsm/idh:/var/tmp:rw
      - /opt/so/conf/idh/opencanary.conf:/etc/opencanaryd/opencanary.conf:ro
    - watch:
      - file: opencanary_config
    - require:
      - file: opencanary_config
 delete_so-idh_so-status.disabled:
  file.uncomment:
    - name: /opt/so/conf/so-status/so-status.conf
    - regex: ^so-idh$
 {% else %}
 {{sls}}_state_not_allowed:
  test.fail_without_changes:
    - name: {{sls}}_state_not_allowed
 {% endif %}
--- a/salt/idh/init.sls
+++ b/salt/idh/init.sls
@@ -3,103 +3,11 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
-{% from 'allowed_states.map.jinja' import allowed_states %}
+{% from 'idh/opencanary_config.map.jinja' import IDHMERGED %}
 {% if sls in allowed_states %}
 {% import_yaml 'docker/defaults.yaml' as DOCKERDEFAULTS %}
 {% from 'vars/globals.map.jinja' import GLOBALS %}
 {% from 'idh/opencanary_config.map.jinja' import RESTRICTIDHSERVICES %}
 {% from 'idh/opencanary_config.map.jinja' import OPENCANARYCONFIG %}
 include:
-  - idh.openssh.config
+{% if IDHMERGED.enabled %}
-  - firewall
+  - idh.enabled
 # If True, block IDH Services from accepting connections on Managment IP
 {% if RESTRICTIDHSERVICES %}
  {% from 'idh/opencanary_config.map.jinja' import IDH_SERVICES %}
  {% for service in IDH_SERVICES %}
  {% if service in ["smnp","ntp", "tftp"] %}
    {% set proto = 'udp' %}
  {% else %}
    {% set proto = 'tcp' %}
  {% endif %}
 block_mgt_ip_idh_services_{{ proto }}_{{ OPENCANARYCONFIG[service~'_x_port'] }} :
  iptables.insert:
    - table: filter
    - chain: INPUT
    - jump: DROP
    - position: 1
    - proto:  {{ proto }}
    - dport: {{ OPENCANARYCONFIG[service~'_x_port'] }}
    - destination: {{ GLOBALS.node_ip }}
  {% endfor %}
 {% endif %}
 # Create a config directory
 temp:
  file.directory:
    - name: /opt/so/conf/idh
    - user: 939
    - group: 939
    - makedirs: True
 # Create a log directory
 configdir:
  file.directory:
    - name: /nsm/idh
    - user: 939
    - group: 939
    - makedirs: True
 opencanary_config:
  file.managed:
    - name: /opt/so/conf/idh/opencanary.conf
    - source: salt://idh/idh.conf.jinja
    - template: jinja
    - defaults:
        OPENCANARYCONFIG: {{ OPENCANARYCONFIG }}
 idh_sbin:
  file.recurse:
    - name: /usr/sbin
    - source: salt://idh/tools/sbin
    - user: 934
    - group: 939
    - file_mode: 755
 #idh_sbin_jinja:
 #  file.recurse:
 #    - name: /usr/sbin
 #    - source: salt://idh/tools/sbin_jinja
 #    - user: 939
 #    - group: 939 
 #    - file_mode: 755
 #    - template: jinja
 so-idh:
  docker_container.running:
    - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-idh:{{ GLOBALS.so_version }}
    - name: so-idh
    - detach: True
    - network_mode: host
    - binds:
      - /nsm/idh:/var/tmp:rw
      - /opt/so/conf/idh/opencanary.conf:/etc/opencanaryd/opencanary.conf:ro
    - watch:
      - file: opencanary_config
    - require:
      - file: opencanary_config
 append_so-idh_so-status.conf:
  file.append:
    - name: /opt/so/conf/so-status/so-status.conf
    - text: so-idh
 {% else %}
-
+  - idh.disabled
 {{sls}}_state_not_allowed:
  test.fail_without_changes:
    - name: {{sls}}_state_not_allowed
 {% endif %}
--- a/salt/idh/opencanary_config.map.jinja
+++ b/salt/idh/opencanary_config.map.jinja
@@ -20,6 +20,7 @@
 {% set IDH_PORTGROUPS = {} %}
 {% import_yaml "idh/defaults.yaml" as IDHCONFIG with context %}
 {% set IDHMERGED = salt['pillar.get']('idh', IDHCONFIG.idh, merge=True) %}
 {% set RESTRICTIDHSERVICES = salt['pillar.get']('idh:restrict_management_ip', default=IDHCONFIG.idh.restrict_management_ip) %}
 {% set OPENCANARYCONFIG = salt['pillar.get']('idh:opencanary:config', default=IDHCONFIG.idh.opencanary.config, merge=True) %}
 {# update skinlist to skin.list to avoid issues with SOC UI config #}
--- a/salt/idh/soc_idh.yaml
+++ b/salt/idh/soc_idh.yaml
@@ -1,4 +1,7 @@
 idh:
  enabled:
    description: You can enable or disable IDH.
    helpLink: idh.html
  opencanary:
    config:
      logger:
--- a/salt/idh/sostatus.sls
+++ b/salt/idh/sostatus.sls
@@ -0,0 +1,21 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
 append_so-idh_so-status.conf:
  file.append:
    - name: /opt/so/conf/so-status/so-status.conf
    - text: so-idh
    - unless: grep -q so-idh /opt/so/conf/so-status/so-status.conf
 {% else %}
 {{sls}}_state_not_allowed:
  test.fail_without_changes:
    - name: {{sls}}_state_not_allowed
 {% endif %}
--- a/salt/idstools/config.sls
+++ b/salt/idstools/config.sls
@@ -0,0 +1,42 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
 include:
  - idstools.sync_files
 idstoolslogdir:
  file.directory:
    - name: /opt/so/log/idstools
    - user: 939
    - group: 939
    - makedirs: True
 idstools_sbin:
  file.recurse:
    - name: /usr/sbin
    - source: salt://idstools/tools/sbin
    - user: 934
    - group: 939
    - file_mode: 755
 #idstools_sbin_jinja:
 #  file.recurse:
 #    - name: /usr/sbin
 #    - source: salt://idstools/tools/sbin_jinja
 #    - user: 934
 #    - group: 939 
 #    - file_mode: 755
 #    - template: jinja
 {% else %}
 {{sls}}_state_not_allowed:
  test.fail_without_changes:
    - name: {{sls}}_state_not_allowed
 {% endif %}
--- a/salt/idstools/defaults.yaml
+++ b/salt/idstools/defaults.yaml
@@ -1,4 +1,5 @@
 idstools:
  enabled: False
  config:
    urls: []
    ruleset: ETOPEN
--- a/salt/idstools/disabled.sls
+++ b/salt/idstools/disabled.sls
@@ -0,0 +1,31 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
 include:
  - idstools.sostatus
 so-idstools:
  docker_container.absent:
    - force: True
 so-idstools_so-status.disabled:
  file.comment:
    - name: /opt/so/conf/so-status/so-status.conf
    - regex: ^so-idstools$
 so-rule-update:
  cron.absent:
    - identifier: so-rule-update
 {% else %}
 {{sls}}_state_not_allowed:
  test.fail_without_changes:
    - name: {{sls}}_state_not_allowed
 {% endif %}
--- a/salt/idstools/enabled.sls
+++ b/salt/idstools/enabled.sls
@@ -0,0 +1,55 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
 {%   from 'docker/docker.map.jinja' import DOCKER %}
 {%   from 'vars/globals.map.jinja' import GLOBALS %}
 {%   set proxy = salt['pillar.get']('manager:proxy') %}
 include:
  - idstools.config
  - idstools.sostatus
 so-idstools:
  docker_container.running:
    - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-idstools:{{ GLOBALS.so_version }}
    - hostname: so-idstools
    - user: socore
    - networks:
      - sobridge:
        - ipv4_address: {{ DOCKER.containers['so-idstools'].ip }}
    {% if proxy %}
    - environment:
      - http_proxy={{ proxy }}
      - https_proxy={{ proxy }}
      - no_proxy={{ salt['pillar.get']('manager:no_proxy') }}
    {% endif %}
    - binds:
      - /opt/so/conf/idstools/etc:/opt/so/idstools/etc:ro
      - /opt/so/rules/nids:/opt/so/rules/nids:rw
    - watch:
      - file: idstoolsetcsync
 delete_so-idstools_so-status.disabled:
  file.uncomment:
    - name: /opt/so/conf/so-status/so-status.conf
    - regex: ^so-idstools$
 so-rule-update:
  cron.present:
    - name: /usr/sbin/so-rule-update > /opt/so/log/idstools/download.log 2>&1
    - identifier: so-rule-update
    - user: root
    - minute: '1'
    - hour: '7'
 {% else %}
 {{sls}}_state_not_allowed:
  test.fail_without_changes:
    - name: {{sls}}_state_not_allowed
 {% endif %}
--- a/salt/idstools/etc/rulecat.conf
+++ b/salt/idstools/etc/rulecat.conf
@@ -1,6 +1,5 @@
 {%- from 'vars/globals.map.jinja' import GLOBALS %}
-{%- import_yaml 'idstools/defaults.yaml' as IDSTOOLSDEFAULTS %}
+{%- from 'idstools/map.jinja' import IDSTOOLSMERGED %}
 {%- set IDSTOOLSMERGED = salt['pillar.get']('idstools', IDSTOOLSDEFAULTS.idstools, merge=True) %}
 {%- if GLOBALS.airgap is sameas true -%}
 --merged=/opt/so/rules/nids/all.rules
 --local=/opt/so/rules/nids/local.rules
--- a/salt/idstools/init.sls
+++ b/salt/idstools/init.sls
@@ -2,78 +2,12 @@
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
-{% from 'allowed_states.map.jinja' import allowed_states %}
+
-{% if sls in allowed_states %}
+{% from 'idstools/map.jinja' import IDSTOOLSMERGED %}
 {% from 'docker/docker.map.jinja' import DOCKER %}
 {% from 'vars/globals.map.jinja' import GLOBALS %}
 {% set proxy = salt['pillar.get']('manager:proxy') %}
 include:
-  - idstools.sync_files
+{% if IDSTOOLSMERGED.enabled %}
-
+  - idstools.enabled
 # IDSTools Setup
 idstoolslogdir:
  file.directory:
    - name: /opt/so/log/idstools
    - user: 939
    - group: 939
    - makedirs: True
 idstools_sbin:
  file.recurse:
    - name: /usr/sbin
    - source: salt://idstools/tools/sbin
    - user: 934
    - group: 939
    - file_mode: 755
 #idstools_sbin_jinja:
 #  file.recurse:
 #    - name: /usr/sbin
 #    - source: salt://idstools/tools/sbin_jinja
 #    - user: 934
 #    - group: 939 
 #    - file_mode: 755
 #    - template: jinja
 so-rule-update:
  cron.present:
    - name: /usr/sbin/so-rule-update > /opt/so/log/idstools/download.log 2>&1
    - identifier: so-rule-update
    - user: root
    - minute: '1'
    - hour: '7'
 so-idstools:
  docker_container.running:
    - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-idstools:{{ GLOBALS.so_version }}
    - hostname: so-idstools
    - user: socore
    - networks:
      - sobridge:
        - ipv4_address: {{ DOCKER.containers['so-idstools'].ip }}
    {% if proxy %}
    - environment:
      - http_proxy={{ proxy }}
      - https_proxy={{ proxy }}
      - no_proxy={{ salt['pillar.get']('manager:no_proxy') }}
    {% endif %}
    - binds:
      - /opt/so/conf/idstools/etc:/opt/so/idstools/etc:ro
      - /opt/so/rules/nids:/opt/so/rules/nids:rw
    - watch:
      - file: idstoolsetcsync
 append_so-idstools_so-status.conf:
  file.append:
    - name: /opt/so/conf/so-status/so-status.conf
    - text: so-idstools
 {% else %}
-
+  - idstools.disabled
-{{sls}}_state_not_allowed:
+{% endif %}
  test.fail_without_changes:
    - name: {{sls}}_state_not_allowed
 {% endif%}
--- a/salt/idstools/map.jinja
+++ b/salt/idstools/map.jinja
@@ -0,0 +1,7 @@
 {# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
   or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
   https://securityonion.net/license; you may not use this file except in compliance with the
   Elastic License 2.0. #}
 {% import_yaml 'idstools/defaults.yaml' as IDSTOOLSDEFAULTS with context %}
 {% set IDSTOOLSMERGED = salt['pillar.get']('idstools', IDSTOOLSDEFAULTS.idstools, merge=True) %}
--- a/salt/idstools/soc_idstools.yaml
+++ b/salt/idstools/soc_idstools.yaml
@@ -1,4 +1,6 @@
 idstools:
  enabled:
    description: You can enable or disable IDSTools.
  config:
    oinkcode:
      description: Enter your registration code or oinkcode for paid NIDS rulesets.
--- a/salt/idstools/sostatus.sls
+++ b/salt/idstools/sostatus.sls
@@ -0,0 +1,21 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
 append_so-idstools_so-status.conf:
  file.append:
    - name: /opt/so/conf/so-status/so-status.conf
    - text: so-idstools
    - unless: grep -q so-idstools /opt/so/conf/so-status/so-status.conf
 {% else %}
 {{sls}}_state_not_allowed:
  test.fail_without_changes:
    - name: {{sls}}_state_not_allowed
 {% endif %}
--- a/salt/influxdb/config.sls
+++ b/salt/influxdb/config.sls
@@ -0,0 +1,96 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
 {%   from 'influxdb/map.jinja' import INFLUXMERGED %}
 include:
  - salt.minion
  - ssl
 # Influx DB
 influxconfdir:
  file.directory:
    - name: /opt/so/conf/influxdb
    - makedirs: True
 influxlogdir:
  file.directory:
    - name: /opt/so/log/influxdb
    - dir_mode: 755
    - user: 939
    - group: 939
    - makedirs: True
 influxdbdir:
  file.directory:
    - name: /nsm/influxdb
    - makedirs: True
 influxdb_sbin:
  file.recurse:
    - name: /usr/sbin
    - source: salt://influxdb/tools/sbin
    - user: 939
    - group: 939
    - file_mode: 755
 #influxdb_sbin_jinja:
 #  file.recurse:
 #    - name: /usr/sbin
 #    - source: salt://influxdb/tools/sbin_jinja
 #    - user: 939
 #    - group: 939 
 #    - file_mode: 755
 #    - template: jinja
 influxdbconf:
  file.managed:
    - name: /opt/so/conf/influxdb/config.yaml
    - source: salt://influxdb/config.yaml.jinja
    - user: 939
    - group: 939
    - template: jinja
    - defaults:
        INFLUXMERGED: {{ INFLUXMERGED }}
 influxdbbucketsconf:
  file.managed:
    - name: /opt/so/conf/influxdb/buckets.json
    - source: salt://influxdb/buckets.json.jinja
    - user: 939
    - group: 939
    - template: jinja
    - defaults:
        INFLUXMERGED: {{ INFLUXMERGED }}
 influxdb-templates:
  file.recurse:
    - name: /opt/so/conf/influxdb/templates
    - source: salt://influxdb/templates
    - user: 939
    - group: 939
    - template: jinja
    - clean: True
    - defaults:
        INFLUXMERGED: {{ INFLUXMERGED }}
 influxdb_curl_config:
  file.managed:
    - name: /opt/so/conf/influxdb/curl.config
    - source: salt://influxdb/curl.config.jinja
    - mode: 600
    - template: jinja
    - show_changes: False
    - makedirs: True
 {% else %}
 {{sls}}_state_not_allowed:
  test.fail_without_changes:
    - name: {{sls}}_state_not_allowed
 {% endif %}
--- a/salt/influxdb/defaults.yaml
+++ b/salt/influxdb/defaults.yaml
@@ -1,4 +1,5 @@
 influxdb:
  enabled: False
  config:
    assets-path: /ui
    bolt-path: /var/lib/influxdb2/influxd.bolt
--- a/salt/influxdb/disabled.sls
+++ b/salt/influxdb/disabled.sls
@@ -0,0 +1,32 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
 include:
  - influxdb.sostatus
 so-influxdb:
  docker_container.absent:
    - force: True
 so-influxdb_so-status.disabled:
  file.comment:
    - name: /opt/so/conf/so-status/so-status.conf
    - regex: ^so-influxdb$
 get_influxdb_size:
  cron.absent:
    - identifier: get_influxdb_size
    - user: root
 {% else %}
 {{sls}}_state_not_allowed:
  test.fail_without_changes:
    - name: {{sls}}_state_not_allowed
 {% endif %}
--- a/salt/influxdb/enabled.sls
+++ b/salt/influxdb/enabled.sls
@@ -0,0 +1,87 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
 {%   from 'vars/globals.map.jinja' import GLOBALS %}
 {%   from 'docker/docker.map.jinja' import DOCKER %}
 {%   set PASSWORD = salt['pillar.get']('secrets:influx_pass') %}
 {%   set TOKEN = salt['pillar.get']('influxdb:token') %}
 include:
  - influxdb.config
  - influxdb.sostatus
 so-influxdb:
  docker_container.running:
    - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-influxdb:{{ GLOBALS.so_version }}
    - hostname: influxdb
    - networks:
      - sobridge:
        - ipv4_address: {{ DOCKER.containers['so-influxdb'].ip }}
    - environment:
      - INFLUXD_CONFIG_PATH=/conf
      - INFLUXDB_HTTP_LOG_ENABLED=false
      - DOCKER_INFLUXDB_INIT_MODE=setup
      - DOCKER_INFLUXDB_INIT_USERNAME=so
      - DOCKER_INFLUXDB_INIT_PASSWORD={{ PASSWORD }}
      - DOCKER_INFLUXDB_INIT_ORG=Security Onion
      - DOCKER_INFLUXDB_INIT_BUCKET=telegraf/so_short_term
      - DOCKER_INFLUXDB_INIT_ADMIN_TOKEN={{ TOKEN }}
    - binds:
      - /opt/so/log/influxdb/:/log:rw
      - /opt/so/conf/influxdb/config.yaml:/conf/config.yaml:ro
      - /nsm/influxdb:/var/lib/influxdb2:rw
      - /etc/pki/influxdb.crt:/conf/influxdb.crt:ro
      - /etc/pki/influxdb.key:/conf/influxdb.key:ro
    - port_bindings:
      {% for BINDING in DOCKER.containers['so-influxdb'].port_bindings %}
      - {{ BINDING }}
      {% endfor %}
    - watch:
      - file: influxdbconf
    - require:
      - file: influxdbconf
      - x509: influxdb_key
      - x509: influxdb_crt
 delete_so-influxdb_so-status.disabled:
  file.uncomment:
    - name: /opt/so/conf/so-status/so-status.conf
    - regex: ^so-influxdb$
 influxdb-setup:
  cmd.run:
    - name: /usr/sbin/so-influxdb-manage setup &>> /opt/so/log/influxdb/setup.log
    - require:
      - file: influxdbbucketsconf
      - file: influxdb_curl_config
      - docker_container: so-influxdb
 metrics_link_file:
  cmd.run:
    - name: so-influxdb-manage dashboardpath "Security Onion Performance" > /opt/so/saltstack/local/salt/influxdb/metrics_link.txt
    - require:
      - docker_container: so-influxdb
 # Install cron job to determine size of influxdb for telegraf
 get_influxdb_size:
  cron.present:
    - name: 'du -s -k /nsm/influxdb | cut -f1 > /opt/so/log/telegraf/influxdb_size.log 2>&1'
    - identifier: get_influxdb_size
    - user: root
    - minute: '*/1'
    - hour: '*'
    - daymonth: '*'
    - month: '*'
    - dayweek: '*'
 {% else %}
 {{sls}}_state_not_allowed:
  test.fail_without_changes:
    - name: {{sls}}_state_not_allowed
 {% endif %}
--- a/salt/influxdb/init.sls
+++ b/salt/influxdb/init.sls
@@ -1,163 +1,13 @@
-{% from 'allowed_states.map.jinja' import allowed_states %}
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-{% if sls in allowed_states %}
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
-{% from 'docker/docker.map.jinja' import DOCKER %}
+# https://securityonion.net/license; you may not use this file except in compliance with the
-{% from 'vars/globals.map.jinja' import GLOBALS %}
+# Elastic License 2.0.
 {% from 'influxdb/map.jinja' import INFLUXMERGED %}
 {% if grains['role'] in ['so-manager', 'so-managersearch', 'so-standalone', 'so-eval', 'so-import'] %}
 {% set PASSWORD = salt['pillar.get']('secrets:influx_pass') %}
 {% set TOKEN = salt['pillar.get']('influxdb:token') %}
 include:
-  - salt.minion
+{% if INFLUXMERGED.enabled %}
-  - ssl
+  - influxdb.enabled
 # Influx DB
 influxconfdir:
  file.directory:
    - name: /opt/so/conf/influxdb
    - makedirs: True
 influxlogdir:
  file.directory:
    - name: /opt/so/log/influxdb
    - dir_mode: 755
    - user: 939
    - group: 939
    - makedirs: True
 influxdbdir:
  file.directory:
    - name: /nsm/influxdb
    - makedirs: True
 influxdb_sbin:
  file.recurse:
    - name: /usr/sbin
    - source: salt://influxdb/tools/sbin
    - user: 939
    - group: 939
    - file_mode: 755
 #influxdb_sbin_jinja:
 #  file.recurse:
 #    - name: /usr/sbin
 #    - source: salt://influxdb/tools/sbin_jinja
 #    - user: 939
 #    - group: 939 
 #    - file_mode: 755
 #    - template: jinja
 influxdbconf:
  file.managed:
    - name: /opt/so/conf/influxdb/config.yaml
    - source: salt://influxdb/config.yaml.jinja
    - user: 939
    - group: 939
    - template: jinja
    - defaults:
        INFLUXMERGED: {{ INFLUXMERGED }}
 influxdbbucketsconf:
  file.managed:
    - name: /opt/so/conf/influxdb/buckets.json
    - source: salt://influxdb/buckets.json.jinja
    - user: 939
    - group: 939
    - template: jinja
    - defaults:
        INFLUXMERGED: {{ INFLUXMERGED }}
 influxdb-templates:
  file.recurse:
    - name: /opt/so/conf/influxdb/templates
    - source: salt://influxdb/templates
    - user: 939
    - group: 939
    - template: jinja
    - clean: True
    - defaults:
        INFLUXMERGED: {{ INFLUXMERGED }}
 influxdb_curl_config:
  file.managed:
    - name: /opt/so/conf/influxdb/curl.config
    - source: salt://influxdb/curl.config.jinja
    - mode: 600
    - template: jinja
    - show_changes: False
    - makedirs: True
 so-influxdb:
  docker_container.running:
    - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-influxdb:{{ GLOBALS.so_version }}
    - hostname: influxdb
    - networks:
      - sobridge:
        - ipv4_address: {{ DOCKER.containers['so-influxdb'].ip }}
    - environment:
      - INFLUXD_CONFIG_PATH=/conf
      - INFLUXDB_HTTP_LOG_ENABLED=false
      - DOCKER_INFLUXDB_INIT_MODE=setup
      - DOCKER_INFLUXDB_INIT_USERNAME=so
      - DOCKER_INFLUXDB_INIT_PASSWORD={{ PASSWORD }}
      - DOCKER_INFLUXDB_INIT_ORG=Security Onion
      - DOCKER_INFLUXDB_INIT_BUCKET=telegraf/so_short_term
      - DOCKER_INFLUXDB_INIT_ADMIN_TOKEN={{ TOKEN }}
    - binds:
      - /opt/so/log/influxdb/:/log:rw
      - /opt/so/conf/influxdb/config.yaml:/conf/config.yaml:ro
      - /nsm/influxdb:/var/lib/influxdb2:rw
      - /etc/pki/influxdb.crt:/conf/influxdb.crt:ro
      - /etc/pki/influxdb.key:/conf/influxdb.key:ro
    - port_bindings:
      {% for BINDING in DOCKER.containers['so-influxdb'].port_bindings %}
      - {{ BINDING }}
      {% endfor %}
    - watch:
      - file: influxdbconf
    - require:
      - file: influxdbconf
      - x509: influxdb_key
      - x509: influxdb_crt
 append_so-influxdb_so-status.conf:
  file.append:
    - name: /opt/so/conf/so-status/so-status.conf
    - text: so-influxdb
 influxdb-setup:
  cmd.run:
    - name: /usr/sbin/so-influxdb-manage setup &>> /opt/so/log/influxdb/setup.log
    - require:
      - file: influxdbbucketsconf
      - file: influxdb_curl_config
      - docker_container: so-influxdb
 metrics_link_file:
  cmd.run:
    - name: so-influxdb-manage dashboardpath "Security Onion Performance" > /opt/so/saltstack/local/salt/influxdb/metrics_link.txt
    - require:
      - docker_container: so-influxdb
 # Install cron job to determine size of influxdb for telegraf
 get_influxdb_size:
  cron.present:
    - name: 'du -s -k /nsm/influxdb | cut -f1 > /opt/so/log/telegraf/influxdb_size.log 2>&1'
    - identifier: get_influxdb_size
    - user: root
    - minute: '*/1'
    - hour: '*'
    - daymonth: '*'
    - month: '*'
    - dayweek: '*'
 {% endif %}
 {% else %}
-
+  - influxdb.disabled
 {{sls}}_state_not_allowed:
  test.fail_without_changes:
    - name: {{sls}}_state_not_allowed
 {% endif %}
--- a/salt/influxdb/map.jinja
+++ b/salt/influxdb/map.jinja
@@ -1,2 +1,7 @@
-{%- import_yaml 'influxdb/defaults.yaml' as INFLUXDEFAULTS %}
+{# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-{%- set INFLUXMERGED = salt['pillar.get']('influxdb', default=INFLUXDEFAULTS.influxdb, merge=true) %}
+   or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
   https://securityonion.net/license; you may not use this file except in compliance with the
   Elastic License 2.0. #}
 {% import_yaml 'influxdb/defaults.yaml' as INFLUXDEFAULTS %}
 {% set INFLUXMERGED = salt['pillar.get']('influxdb', default=INFLUXDEFAULTS.influxdb, merge=true) %}
--- a/salt/influxdb/soc_influxdb.yaml
+++ b/salt/influxdb/soc_influxdb.yaml
@@ -1,4 +1,7 @@
 influxdb:
  enabled:
    description: You can enable or disable InfluxDB.
    helpLink: influxdb.html
  config:
    assets-path:
      description: Path to the InfluxDB user interface assets located inside the so-influxdb container.
--- a/salt/influxdb/sostatus.sls
+++ b/salt/influxdb/sostatus.sls
@@ -0,0 +1,21 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
 append_so-influxdb_so-status.conf:
  file.append:
    - name: /opt/so/conf/so-status/so-status.conf
    - text: so-influxdb
    - unless: grep -q so-influxdb /opt/so/conf/so-status/so-status.conf
 {% else %}
 {{sls}}_state_not_allowed:
  test.fail_without_changes:
    - name: {{sls}}_state_not_allowed
 {% endif %}
--- a/salt/kibana/config.map.jinja
+++ b/salt/kibana/config.map.jinja
@@ -1,18 +0,0 @@
 {% from 'vars/globals.map.jinja' import GLOBALS %}
 {% import_yaml 'kibana/defaults.yaml' as KIBANACONFIG with context %}
 {% set HIGHLANDER = salt['pillar.get']('global:highlander', False) %}
 {% do KIBANACONFIG.kibana.config.server.update({'publicBaseUrl': 'https://' ~ GLOBALS.url_base ~ '/kibana'}) %}
 {% do KIBANACONFIG.kibana.config.elasticsearch.update({'hosts': ['https://' ~ GLOBALS.manager ~ ':9200']}) %}
 {% do KIBANACONFIG.kibana.config.elasticsearch.update({'username': salt['pillar.get']('elasticsearch:auth:users:so_kibana_user:user'), 'password': salt['pillar.get']('elasticsearch:auth:users:so_kibana_user:pass')}) %}
 {% do KIBANACONFIG.kibana.config.xpack.fleet.update({'registryUrl': 'http://' ~ GLOBALS.manager_ip ~ ':8080'}) %}
 {% if salt['pillar.get']('kibana:secrets') %}
  {% do KIBANACONFIG.kibana.config.xpack.update({'encryptedSavedObjects': {'encryptionKey': pillar['kibana']['secrets']['encryptedSavedObjects']['encryptionKey']}}) %}
  {% do KIBANACONFIG.kibana.config.xpack.security.update({'encryptionKey': pillar['kibana']['secrets']['security']['encryptionKey']}) %}
  {% do KIBANACONFIG.kibana.config.xpack.update({'reporting': {'encryptionKey': pillar['kibana']['secrets']['reporting']['encryptionKey']}}) %}
 {% endif %}
 {% set KIBANACONFIG = salt['pillar.get']('kibana:config', default=KIBANACONFIG.kibana.config, merge=True) %}
--- a/salt/kibana/config.sls
+++ b/salt/kibana/config.sls
@@ -0,0 +1,93 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
 {%   from 'vars/globals.map.jinja' import GLOBALS %}
 {%   import_yaml 'kibana/defaults.yaml' as default_settings %}
 {%   from 'kibana/map.jinja' import KIBANAMERGED %}
 # Add ES Group
 kibanasearchgroup:
  group.present:
    - name: kibana
    - gid: 932
 # Add ES user
 kibana:
  user.present:
    - uid: 932
    - gid: 932
    - home: /opt/so/conf/kibana
    - createhome: False
 # Drop the correct nginx config based on role
 kibanaconfdir:
  file.directory:
    - name: /opt/so/conf/kibana/etc
    - user: 932
    - group: 939
    - makedirs: True
 kibana_sbin:
  file.recurse:
    - name: /usr/sbin
    - source: salt://kibana/tools/sbin
    - user: 932
    - group: 939
    - file_mode: 755
 kibana_sbin_jinja:
  file.recurse:
    - name: /usr/sbin
    - source: salt://kibana/tools/sbin_jinja
    - user: 932
    - group: 939 
    - file_mode: 755
    - template: jinja
    - defaults:
      GLOBALS: {{ GLOBALS }}
 kibanaconfig:
  file.managed:
    - name: /opt/so/conf/kibana/etc/kibana.yml
    - source: salt://kibana/etc/kibana.yml.jinja
    - user: 932
    - group: 939
    - mode: 660
    - template: jinja
    - defaults:
        KIBANACONFIG: {{ KIBANAMERGED.config }}
    - show_changes: False
 kibanalogdir:
  file.directory:
    - name: /opt/so/log/kibana
    - user: 932
    - group: 939
    - makedirs: True
 kibanacustdashdir:
  file.directory:
    - name: /opt/so/conf/kibana/customdashboards
    - user: 932
    - group: 939
    - makedirs: True
 synckibanacustom:
  file.recurse:
    - name: /opt/so/conf/kibana/customdashboards
    - source: salt://kibana/custom
    - user: 932
    - group: 939
 {% else %}
 {{sls}}_state_not_allowed:
  test.fail_without_changes:
    - name: {{sls}}_state_not_allowed
 {% endif %}
--- a/salt/kibana/defaults.yaml
+++ b/salt/kibana/defaults.yaml
@@ -1,5 +1,5 @@
 kibana:
-  enabled: True
+  enabled: False
  config:
    server:
      name: kibana
--- a/salt/kibana/disabled.sls
+++ b/salt/kibana/disabled.sls
@@ -0,0 +1,27 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
 include:
  - kibana.sostatus
 so-kibana:
  docker_container.absent:
    - force: True
 so-kibana_so-status.disabled:
  file.comment:
    - name: /opt/so/conf/so-status/so-status.conf
    - regex: ^so-kibana$
 {% else %}
 {{sls}}_state_not_allowed:
  test.fail_without_changes:
    - name: {{sls}}_state_not_allowed
 {% endif %}
--- a/salt/kibana/enabled.sls
+++ b/salt/kibana/enabled.sls
@@ -0,0 +1,53 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
 {%   from 'docker/docker.map.jinja' import DOCKER %}
 {%   from 'vars/globals.map.jinja' import GLOBALS %}
 include:
  - kibana.config
  - kibana.sostatus
 # Start the kibana docker
 so-kibana:
  docker_container.running:
    - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-kibana:{{ GLOBALS.so_version }}
    - hostname: kibana
    - user: kibana
    - networks:
      - sobridge:
        - ipv4_address: {{ DOCKER.containers['so-kibana'].ip }}
    - environment:
      - ELASTICSEARCH_HOST={{ GLOBALS.manager }}
      - ELASTICSEARCH_PORT=9200
      - MANAGER={{ GLOBALS.manager }}
    - extra_hosts:
      - {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }}
    - binds:
      - /opt/so/conf/kibana/etc:/usr/share/kibana/config:rw
      - /opt/so/log/kibana:/var/log/kibana:rw
      - /opt/so/conf/kibana/customdashboards:/usr/share/kibana/custdashboards:ro
      - /sys/fs/cgroup:/sys/fs/cgroup:ro
    - port_bindings:
      {% for BINDING in DOCKER.containers['so-kibana'].port_bindings %}
      - {{ BINDING }}
      {% endfor %}
    - watch:
      - file: kibanaconfig
 delete_so-kibana_so-status.disabled:
  file.uncomment:
    - name: /opt/so/conf/so-status/so-status.conf
    - regex: ^so-kibana$
 {% else %}
 {{sls}}_state_not_allowed:
  test.fail_without_changes:
    - name: {{sls}}_state_not_allowed
 {% endif %}
--- a/salt/kibana/init.sls
+++ b/salt/kibana/init.sls
@@ -3,125 +3,14 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
-{% from 'allowed_states.map.jinja' import allowed_states %}
+{% from 'kibana/map.jinja' import KIBANAMERGED %}
 {% if sls in allowed_states %}
 {% from 'docker/docker.map.jinja' import DOCKER %}
 {% from 'vars/globals.map.jinja' import GLOBALS %}
 {% import_yaml 'kibana/defaults.yaml' as default_settings %}
 {% set KIBANA_SETTINGS = salt['grains.filter_by'](default_settings, default='kibana', merge=salt['pillar.get']('kibana', {})) %}
 {% from 'kibana/config.map.jinja' import KIBANACONFIG with context %}
 # Add ES Group
 kibanasearchgroup:
  group.present:
    - name: kibana
    - gid: 932
 # Add ES user
 kibana:
  user.present:
    - uid: 932
    - gid: 932
    - home: /opt/so/conf/kibana
    - createhome: False
 # Drop the correct nginx config based on role
 kibanaconfdir:
  file.directory:
    - name: /opt/so/conf/kibana/etc
    - user: 932
    - group: 939
    - makedirs: True
 kibana_sbin:
  file.recurse:
    - name: /usr/sbin
    - source: salt://kibana/tools/sbin
    - user: 932
    - group: 939
    - file_mode: 755
 kibana_sbin_jinja:
  file.recurse:
    - name: /usr/sbin
    - source: salt://kibana/tools/sbin_jinja
    - user: 932
    - group: 939 
    - file_mode: 755
    - template: jinja
    - defaults:
      GLOBALS: {{ GLOBALS }}
 kibanaconfig:
  file.managed:
    - name: /opt/so/conf/kibana/etc/kibana.yml
    - source: salt://kibana/etc/kibana.yml.jinja
    - user: 932
    - group: 939
    - mode: 660
    - template: jinja
    - defaults:
        KIBANACONFIG: {{ KIBANACONFIG }}
    - show_changes: False
 kibanalogdir:
  file.directory:
    - name: /opt/so/log/kibana
    - user: 932
    - group: 939
    - makedirs: True
 kibanacustdashdir:
  file.directory:
    - name: /opt/so/conf/kibana/customdashboards
    - user: 932
    - group: 939
    - makedirs: True
 synckibanacustom:
  file.recurse:
    - name: /opt/so/conf/kibana/customdashboards
    - source: salt://kibana/custom
    - user: 932
    - group: 939
 # Start the kibana docker
 so-kibana:
  docker_container.running:
    - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-kibana:{{ GLOBALS.so_version }}
    - hostname: kibana
    - user: kibana
    - networks:
      - sobridge:
        - ipv4_address: {{ DOCKER.containers['so-kibana'].ip }}
    - environment:
      - ELASTICSEARCH_HOST={{ GLOBALS.manager }}
      - ELASTICSEARCH_PORT=9200
      - MANAGER={{ GLOBALS.manager }}
    - extra_hosts:
      - {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }}
    - binds:
      - /opt/so/conf/kibana/etc:/usr/share/kibana/config:rw
      - /opt/so/log/kibana:/var/log/kibana:rw
      - /opt/so/conf/kibana/customdashboards:/usr/share/kibana/custdashboards:ro
      - /sys/fs/cgroup:/sys/fs/cgroup:ro
    - port_bindings:
      {% for BINDING in DOCKER.containers['so-kibana'].port_bindings %}
      - {{ BINDING }}
      {% endfor %}
    - watch:
      - file: kibanaconfig
 append_so-kibana_so-status.conf:
  file.append:
    - name: /opt/so/conf/so-status/so-status.conf
    - text: so-kibana
 include:
 {% if KIBANAMERGED.enabled %}
  - kibana.enabled
  - kibana.so_config_load
  - kibana.so_securitySolution_load
  - kibana.so_dashboard_load
 {% else %}
-
+  - kibana.disabled
 {{sls}}_state_not_allowed:
  test.fail_without_changes:
    - name: {{sls}}_state_not_allowed
 {% endif %}
--- a/salt/kibana/map.jinja
+++ b/salt/kibana/map.jinja
@@ -0,0 +1,23 @@
 {# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
   or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
   https://securityonion.net/license; you may not use this file except in compliance with the
   Elastic License 2.0. #}
 {% from 'vars/globals.map.jinja' import GLOBALS %}
 {% import_yaml 'kibana/defaults.yaml' as KIBANADEFAULTS with context %}
 {% set HIGHLANDER = salt['pillar.get']('global:highlander', False) %}
 {% do KIBANADEFAULTS.kibana.config.server.update({'publicBaseUrl': 'https://' ~ GLOBALS.url_base ~ '/kibana'}) %}
 {% do KIBANADEFAULTS.kibana.config.elasticsearch.update({'hosts': ['https://' ~ GLOBALS.manager ~ ':9200']}) %}
 {% do KIBANADEFAULTS.kibana.config.elasticsearch.update({'username': salt['pillar.get']('elasticsearch:auth:users:so_kibana_user:user'), 'password': salt['pillar.get']('elasticsearch:auth:users:so_kibana_user:pass')}) %}
 {% do KIBANADEFAULTS.kibana.config.xpack.fleet.update({'registryUrl': 'http://' ~ GLOBALS.manager_ip ~ ':8080'}) %}
 {% if salt['pillar.get']('kibana:secrets') %}
  {% do KIBANADEFAULTS.kibana.config.xpack.update({'encryptedSavedObjects': {'encryptionKey': pillar['kibana']['secrets']['encryptedSavedObjects']['encryptionKey']}}) %}
  {% do KIBANADEFAULTS.kibana.config.xpack.security.update({'encryptionKey': pillar['kibana']['secrets']['security']['encryptionKey']}) %}
  {% do KIBANADEFAULTS.kibana.config.xpack.update({'reporting': {'encryptionKey': pillar['kibana']['secrets']['reporting']['encryptionKey']}}) %}
 {% endif %}
 {% set KIBANAMERGED = salt['pillar.get']('kibana', default=KIBANADEFAULTS.kibana, merge=True) %}
--- a/salt/kibana/so_config_load.sls
+++ b/salt/kibana/so_config_load.sls
@@ -4,7 +4,7 @@
 # Elastic License 2.0.
 include:
-  - kibana
+  - kibana.enabled
 config_saved_objects:
  file.managed:
@@ -25,5 +25,5 @@ so-kibana-config-load:
    - name: /usr/sbin/so-kibana-config-load -i /opt/so/conf/kibana/config_saved_objects.ndjson.template
    - cwd: /opt/so
    - require:
-      - sls: kibana
+      - sls: kibana.enabled
      - file: config_saved_objects
--- a/salt/kibana/so_dashboard_load.sls
+++ b/salt/kibana/so_dashboard_load.sls
@@ -5,7 +5,7 @@
 {% set HIGHLANDER = salt['pillar.get']('global:highlander', False) %}
 include:
-  - kibana
+  - kibana.enabled
 dashboard_saved_objects_template:
  file.managed:
@@ -27,7 +27,7 @@ so-kibana-dashboard-load:
    - name: /usr/sbin/so-kibana-config-load -i /opt/so/conf/kibana/saved_objects.ndjson.template
    - cwd: /opt/so
    - require:
-      - sls: kibana
+      - sls: kibana.enabled
      - file: dashboard_saved_objects_template
 {%- if HIGHLANDER %}
 dashboard_saved_objects_template_hl:
@@ -50,6 +50,6 @@ so-kibana-dashboard-load_hl:
    - name: /usr/sbin/so-kibana-config-load -i /opt/so/conf/kibana/hl.ndjson.template
    - cwd: /opt/so
    - require:
-      - sls: kibana
+      - sls: kibana.enabled
      - file: dashboard_saved_objects_template_hl
 {%- endif %}
--- a/salt/kibana/so_savedobjects_defaults.sls
+++ b/salt/kibana/so_savedobjects_defaults.sls
@@ -4,7 +4,7 @@
 # Elastic License 2.0.
 include:
-  - kibana
+  - kibana.enabled
  - kibana.so_config_load
  - kibana.so_securitySolution_load
  - kibana.so_dashboard_load
--- a/salt/kibana/so_securitySolution_load.sls
+++ b/salt/kibana/so_securitySolution_load.sls
@@ -4,7 +4,7 @@
 # Elastic License 2.0.
 include:
-  - kibana
+  - kibana.enabled
 securitySolution_saved_objects:
  file.managed:
@@ -25,5 +25,5 @@ so-kibana-securitySolution_saved_objects-load:
    - name: /usr/sbin/so-kibana-config-load -u /opt/so/conf/kibana/securitySolution_saved_objects.ndjson.template
    - cwd: /opt/so
    - require:
-      - sls: kibana
+      - sls: kibana.enabled
      - file: securitySolution_saved_objects
--- a/salt/kibana/soc_kibana.yaml
+++ b/salt/kibana/soc_kibana.yaml
@@ -1,4 +1,7 @@
 kibana:
  enabled: 
    description: You can enable or disable Kibana.
    helpLink: kibana.html
  config:
    elasticsearch:
      requestTimeout:
--- a/salt/kibana/sostatus.sls
+++ b/salt/kibana/sostatus.sls
@@ -0,0 +1,21 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
 append_so-kibana_so-status.conf:
  file.append:
    - name: /opt/so/conf/so-status/so-status.conf
    - text: so-kibana
    - unless: grep -q so-kibana /opt/so/conf/so-status/so-status.conf
 {% else %}
 {{sls}}_state_not_allowed:
  test.fail_without_changes:
    - name: {{sls}}_state_not_allowed
 {% endif %}
--- a/salt/kratos/config.sls
+++ b/salt/kratos/config.sls
@@ -0,0 +1,71 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
 {%   from "kratos/map.jinja" import KRATOSMERGED %}
 # Add Kratos Group
 kratosgroup:
  group.present:
    - name: kratos
    - gid: 928
 # Add Kratos user
 kratos:
  user.present:
    - uid: 928
    - gid: 928
    - home: /opt/so/conf/kratos
 kratosdir:
  file.directory:
    - name: /nsm/kratos
    - user: 928
    - group: 928
    - mode: 700
    - makedirs: True
 kratosdbdir:
  file.directory:
    - name: /nsm/kratos/db
    - user: 928
    - group: 928
    - mode: 700
    - makedirs: True
 kratoslogdir:
  file.directory:
    - name: /opt/so/log/kratos
    - user: 928
    - group: 928
    - makedirs: True
 kratosschema:
  file.managed:
    - name: /opt/so/conf/kratos/schema.json
    - source: salt://kratos/files/schema.json
    - user: 928
    - group: 928
    - mode: 600
 kratosconfig:
  file.managed:
    - name: /opt/so/conf/kratos/kratos.yaml
    - source: salt://kratos/files/kratos.yaml.jinja
    - user: 928
    - group: 928
    - mode: 600
    - template: jinja
    - defaults:
        KRATOSMERGED: {{ KRATOSMERGED }}
 {% else %}
 {{sls}}_state_not_allowed:
  test.fail_without_changes:
    - name: {{sls}}_state_not_allowed
 {% endif %}
--- a/salt/kratos/defaults.yaml
+++ b/salt/kratos/defaults.yaml
@@ -1,4 +1,5 @@
 kratos:
  enabled: False
  config:
    session:
      lifespan: 24h
--- a/salt/kratos/disabled.sls
+++ b/salt/kratos/disabled.sls
@@ -0,0 +1,27 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
 include:
  - kratos.sostatus
 so-kratos:
  docker_container.absent:
    - force: True
 so-kratos_so-status.disabled:
  file.comment:
    - name: /opt/so/conf/so-status/so-status.conf
    - regex: ^so-kratos$
 {% else %}
 {{sls}}_state_not_allowed:
  test.fail_without_changes:
    - name: {{sls}}_state_not_allowed
 {% endif %}
--- a/salt/kratos/enabled.sls
+++ b/salt/kratos/enabled.sls
@@ -0,0 +1,69 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
 {%   from 'docker/docker.map.jinja' import DOCKER %}
 {%   from 'vars/globals.map.jinja' import GLOBALS %}
 include:
  - kratos.config
  - kratos.sostatus
 so-kratos:
  docker_container.running:
    - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-kratos:{{ GLOBALS.so_version }}
    - hostname: kratos
    - name: so-kratos
    - networks:
      - sobridge:
        - ipv4_address: {{ DOCKER.containers['so-kratos'].ip }}
    - binds:
      - /opt/so/conf/kratos/schema.json:/kratos-conf/schema.json:ro    
      - /opt/so/conf/kratos/kratos.yaml:/kratos-conf/kratos.yaml:ro
      - /opt/so/log/kratos/:/kratos-log:rw
      - /nsm/kratos/db:/kratos-data:rw
    - port_bindings:
      {% for BINDING in DOCKER.containers['so-kratos'].port_bindings %}
      - {{ BINDING }}
      {% endfor %}
    - restart_policy: unless-stopped
    - watch:
      - file: kratosschema
      - file: kratosconfig
    - require:
      - file: kratosschema
      - file: kratosconfig
      - file: kratoslogdir
      - file: kratosdir
 delete_so-kratos_so-status.disabled:
  file.uncomment:
    - name: /opt/so/conf/so-status/so-status.conf
    - regex: ^so-kratos$
 wait_for_kratos:
  http.wait_for_successful_query:
    - name: 'http://{{ GLOBALS.manager }}:4434/'
    - ssl: True
    - verify_ssl: False
    - status:
      - 200
      - 301
      - 302
      - 404
    - status_type: list
    - wait_for: 300
    - request_interval: 10
    - require:
      -  docker_container: so-kratos
 {% else %}
 {{sls}}_state_not_allowed:
  test.fail_without_changes:
    - name: {{sls}}_state_not_allowed
 {% endif %}
--- a/salt/kratos/files/kratos.yaml.jinja
+++ b/salt/kratos/files/kratos.yaml.jinja
@@ -1,14 +1 @@
-{%- import_yaml 'kratos/defaults.yaml' as KRATOSDEFAULTS %}
+{{ KRATOSMERGED.config | yaml(false) }}
 {%- do KRATOSDEFAULTS.kratos.config.selfservice.flows.settings.update({'ui_url': KRATOSDEFAULTS.kratos.config.selfservice.flows.settings.ui_url | replace("URL_BASE", GLOBALS.url_base)}) %}
 {%- do KRATOSDEFAULTS.kratos.config.selfservice.flows.verification.update({'ui_url': KRATOSDEFAULTS.kratos.config.selfservice.flows.verification.ui_url | replace("URL_BASE", GLOBALS.url_base)}) %}
 {%- do KRATOSDEFAULTS.kratos.config.selfservice.flows.login.update({'ui_url': KRATOSDEFAULTS.kratos.config.selfservice.flows.login.ui_url | replace("URL_BASE", GLOBALS.url_base)}) %}
 {%- do KRATOSDEFAULTS.kratos.config.selfservice.flows.error.update({'ui_url': KRATOSDEFAULTS.kratos.config.selfservice.flows.error.ui_url | replace("URL_BASE", GLOBALS.url_base)}) %}
 {%- do KRATOSDEFAULTS.kratos.config.selfservice.flows.registration.update({'ui_url': KRATOSDEFAULTS.kratos.config.selfservice.flows.registration.ui_url | replace("URL_BASE", GLOBALS.url_base)}) %}
 {%- do KRATOSDEFAULTS.kratos.config.selfservice.update({'default_browser_return_url': KRATOSDEFAULTS.kratos.config.selfservice.default_browser_return_url | replace("URL_BASE", GLOBALS.url_base)}) %}
 {%- do KRATOSDEFAULTS.kratos.config.serve.public.update({'base_url': KRATOSDEFAULTS.kratos.config.serve.public.base_url | replace("URL_BASE", GLOBALS.url_base)}) %}
 {%- do KRATOSDEFAULTS.kratos.config.serve.admin.update({'base_url': KRATOSDEFAULTS.kratos.config.serve.admin.base_url | replace("URL_BASE", GLOBALS.url_base)}) %}
 {%- do KRATOSDEFAULTS.kratos.config.courier.smtp.update({'connection_uri': KRATOSDEFAULTS.kratos.config.courier.smtp.connection_uri | replace("URL_BASE", GLOBALS.url_base)}) %}
 {%- set KRATOSMERGED = salt['pillar.get']('kratos:config', default=KRATOSDEFAULTS.kratos.config, merge=true) %}
 {{- KRATOSMERGED | yaml(false) }}
--- a/salt/kratos/init.sls
+++ b/salt/kratos/init.sls
@@ -3,118 +3,11 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
-{% from 'allowed_states.map.jinja' import allowed_states %}
+{% from 'kratos/map.jinja' import KRATOSMERGED %}
 {% if sls in allowed_states %}
 {% from 'docker/docker.map.jinja' import DOCKER %}
 {% from 'vars/globals.map.jinja' import GLOBALS %}
 # Add Kratos Group
 kratosgroup:
  group.present:
    - name: kratos
    - gid: 928
 # Add Kratos user
 kratos:
  user.present:
    - uid: 928
    - gid: 928
    - home: /opt/so/conf/kratos
 kratosdir:
  file.directory:
    - name: /nsm/kratos
    - user: 928
    - group: 928
    - mode: 700
    - makedirs: True
 kratosdbdir:
  file.directory:
    - name: /nsm/kratos/db
    - user: 928
    - group: 928
    - mode: 700
    - makedirs: True
 kratoslogdir:
  file.directory:
    - name: /opt/so/log/kratos
    - user: 928
    - group: 928
    - makedirs: True
 kratosschema:
  file.managed:
    - name: /opt/so/conf/kratos/schema.json
    - source: salt://kratos/files/schema.json
    - user: 928
    - group: 928
    - mode: 600
 kratosconfig:
  file.managed:
    - name: /opt/so/conf/kratos/kratos.yaml
    - source: salt://kratos/files/kratos.yaml.jinja
    - user: 928
    - group: 928
    - mode: 600
    - template: jinja
    - defaults:
        GLOBALS: {{ GLOBALS }}
 so-kratos:
  docker_container.running:
    - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-kratos:{{ GLOBALS.so_version }}
    - hostname: kratos
    - name: so-kratos
    - networks:
      - sobridge:
        - ipv4_address: {{ DOCKER.containers['so-kratos'].ip }}
    - binds:
      - /opt/so/conf/kratos/schema.json:/kratos-conf/schema.json:ro    
      - /opt/so/conf/kratos/kratos.yaml:/kratos-conf/kratos.yaml:ro
      - /opt/so/log/kratos/:/kratos-log:rw
      - /nsm/kratos/db:/kratos-data:rw
    - port_bindings:
      {% for BINDING in DOCKER.containers['so-kratos'].port_bindings %}
      - {{ BINDING }}
      {% endfor %}
    - restart_policy: unless-stopped
    - watch:
      - file: kratosschema
      - file: kratosconfig
    - require:
      - file: kratosschema
      - file: kratosconfig
      - file: kratoslogdir
      - file: kratosdir
 append_so-kratos_so-status.conf:
  file.append:
    - name: /opt/so/conf/so-status/so-status.conf
    - text: so-kratos
 wait_for_kratos:
  http.wait_for_successful_query:
    - name: 'http://{{ GLOBALS.manager }}:4434/'
    - ssl: True
    - verify_ssl: False
    - status:
      - 200
      - 301
      - 302
      - 404
    - status_type: list
    - wait_for: 300
    - request_interval: 10
    - require:
      -  docker_container: so-kratos
 include:
 {% if KRATOSMERGED.enabled %}
  - kratos.enabled
 {% else %}
-
+  - kratos.disabled
 {{sls}}_state_not_allowed:
  test.fail_without_changes:
    - name: {{sls}}_state_not_allowed
 {% endif %}
--- a/salt/kratos/map.jinja
+++ b/salt/kratos/map.jinja
@@ -0,0 +1,19 @@
 {# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
   or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
   https://securityonion.net/license; you may not use this file except in compliance with the
   Elastic License 2.0. #}
 {% from 'vars/globals.map.jinja' import GLOBALS %}
 {% import_yaml 'kratos/defaults.yaml' as KRATOSDEFAULTS %}
 {% do KRATOSDEFAULTS.kratos.config.selfservice.flows.settings.update({'ui_url': KRATOSDEFAULTS.kratos.config.selfservice.flows.settings.ui_url | replace("URL_BASE", GLOBALS.url_base)}) %}
 {% do KRATOSDEFAULTS.kratos.config.selfservice.flows.verification.update({'ui_url': KRATOSDEFAULTS.kratos.config.selfservice.flows.verification.ui_url | replace("URL_BASE", GLOBALS.url_base)}) %}
 {% do KRATOSDEFAULTS.kratos.config.selfservice.flows.login.update({'ui_url': KRATOSDEFAULTS.kratos.config.selfservice.flows.login.ui_url | replace("URL_BASE", GLOBALS.url_base)}) %}
 {% do KRATOSDEFAULTS.kratos.config.selfservice.flows.error.update({'ui_url': KRATOSDEFAULTS.kratos.config.selfservice.flows.error.ui_url | replace("URL_BASE", GLOBALS.url_base)}) %}
 {% do KRATOSDEFAULTS.kratos.config.selfservice.flows.registration.update({'ui_url': KRATOSDEFAULTS.kratos.config.selfservice.flows.registration.ui_url | replace("URL_BASE", GLOBALS.url_base)}) %}
 {% do KRATOSDEFAULTS.kratos.config.selfservice.update({'default_browser_return_url': KRATOSDEFAULTS.kratos.config.selfservice.default_browser_return_url | replace("URL_BASE", GLOBALS.url_base)}) %}
 {% do KRATOSDEFAULTS.kratos.config.serve.public.update({'base_url': KRATOSDEFAULTS.kratos.config.serve.public.base_url | replace("URL_BASE", GLOBALS.url_base)}) %}
 {% do KRATOSDEFAULTS.kratos.config.serve.admin.update({'base_url': KRATOSDEFAULTS.kratos.config.serve.admin.base_url | replace("URL_BASE", GLOBALS.url_base)}) %}
 {% do KRATOSDEFAULTS.kratos.config.courier.smtp.update({'connection_uri': KRATOSDEFAULTS.kratos.config.courier.smtp.connection_uri | replace("URL_BASE", GLOBALS.url_base)}) %}
 {% set KRATOSMERGED = salt['pillar.get']('kratos', default=KRATOSDEFAULTS.kratos, merge=true) %}
--- a/salt/kratos/soc_kratos.yaml
+++ b/salt/kratos/soc_kratos.yaml
@@ -1,4 +1,8 @@
 kratos:
  enabled:
    description: You can enable or disable Kratos.
    advanced: True
    helpLink: kratos.html
  config:
    session:
      lifespan: 
--- a/salt/kratos/sostatus.sls
+++ b/salt/kratos/sostatus.sls
@@ -0,0 +1,21 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
 append_so-kratos_so-status.conf:
  file.append:
    - name: /opt/so/conf/so-status/so-status.conf
    - text: so-kratos
    - unless: grep -q so-kratos /opt/so/conf/so-status/so-status.conf
 {% else %}
 {{sls}}_state_not_allowed:
  test.fail_without_changes:
    - name: {{sls}}_state_not_allowed
 {% endif %}
--- a/salt/logstash/config.sls
+++ b/salt/logstash/config.sls
@@ -0,0 +1,153 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
 {%   from 'vars/globals.map.jinja' import GLOBALS %}
 {%   from 'logstash/map.jinja' import LOGSTASH_MERGED %}
 {%   set ASSIGNED_PIPELINES = LOGSTASH_MERGED.assigned_pipelines.roles[GLOBALS.role.split('-')[1]] %}
 include:
  - ssl
  {% if GLOBALS.role not in ['so-receiver','so-fleet'] %}
  - elasticsearch
  {% endif %}
 # Create the logstash group
 logstashgroup:
  group.present:
    - name: logstash
    - gid: 931
 # Add the logstash user for the jog4j settings
 logstash:
  user.present:
    - uid: 931
    - gid: 931
    - home: /opt/so/conf/logstash
 lslibdir:
  file.absent:
    - name: /opt/so/conf/logstash/lib
 logstash_sbin:
  file.recurse:
    - name: /usr/sbin
    - source: salt://logstash/tools/sbin
    - user: 931
    - group: 939
    - file_mode: 755
 #logstash_sbin_jinja:
 #  file.recurse:
 #    - name: /usr/sbin
 #    - source: salt://logstash/tools/sbin_jinja
 #    - user: 931
 #    - group: 939 
 #    - file_mode: 755
 #    - template: jinja
 lsetcdir:
  file.directory:
    - name: /opt/so/conf/logstash/etc
    - user: 931
    - group: 939
    - makedirs: True
 lspipelinedir:
  file.directory:
    - name: /opt/so/conf/logstash/pipelines
    - user: 931
    - group: 939
 {% for assigned_pipeline in ASSIGNED_PIPELINES %}
    {% for CONFIGFILE in LOGSTASH_MERGED.defined_pipelines[assigned_pipeline] %}
 ls_pipeline_{{assigned_pipeline}}_{{CONFIGFILE.split('.')[0] | replace("/","_") }}:
  file.managed:
    - source: salt://logstash/pipelines/config/{{CONFIGFILE}}
      {% if 'jinja' in CONFIGFILE.split('.')[-1] %}
    - name: /opt/so/conf/logstash/pipelines/{{assigned_pipeline}}/{{CONFIGFILE.split('/')[1] | replace(".jinja", "")}}
    - template: jinja
    - defaults:
        GLOBALS: {{ GLOBALS }}
        ES_USER: "{{ salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') }}"
        ES_PASS: "{{ salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') }}"
        THREADS: {{ LOGSTASH_MERGED.config.pipeline_x_workers }}
        BATCH: {{ LOGSTASH_MERGED.config.pipeline_x_batch_x_size }}
      {% else %}
    - name: /opt/so/conf/logstash/pipelines/{{assigned_pipeline}}/{{CONFIGFILE.split('/')[1]}}
      {% endif %}
    - user: 931
    - group: 939
    - mode: 660
    - makedirs: True
    - show_changes: False
    {% endfor %}
 ls_pipeline_{{assigned_pipeline}}:
  file.directory:
    - name: /opt/so/conf/logstash/pipelines/{{assigned_pipeline}}
    - user: 931
    - group: 939
    - require:
    {% for CONFIGFILE in LOGSTASH_MERGED.defined_pipelines[assigned_pipeline] %}
      - file: ls_pipeline_{{assigned_pipeline}}_{{CONFIGFILE.split('.')[0] | replace("/","_") }}
    {% endfor %}
    - clean: True
 {% endfor %}
 # Copy down all the configs
 lspipelinesyml:
  file.managed:
    - name: /opt/so/conf/logstash/etc/pipelines.yml
    - source: salt://logstash/etc/pipelines.yml.jinja
    - template: jinja
    - defaults:
        ASSIGNED_PIPELINES: {{ ASSIGNED_PIPELINES }}
 lsetcsync:
  file.recurse:
    - name: /opt/so/conf/logstash/etc
    - source: salt://logstash/etc
    - user: 931
    - group: 939
    - template: jinja
    - clean: True
    - exclude_pat: pipelines*
    - defaults:
        LOGSTASH_MERGED: {{ LOGSTASH_MERGED }}
 # Create the import directory
 importdir:
  file.directory:
    - name: /nsm/import
    - user: 931
    - group: 939
    - makedirs: True
 # Create the logstash data directory
 nsmlsdir:
  file.directory:
    - name: /nsm/logstash/tmp
    - user: 931
    - group: 939
    - makedirs: True
 # Create the log directory
 lslogdir:
  file.directory:
    - name: /opt/so/log/logstash
    - user: 931
    - group: 939
    - makedirs: True
 {% else %}
 {{sls}}_state_not_allowed:
  test.fail_without_changes:
    - name: {{sls}}_state_not_allowed
 {% endif %}
--- a/salt/logstash/defaults.yaml
+++ b/salt/logstash/defaults.yaml
@@ -1,4 +1,5 @@
 logstash:
  enabled: False
  assigned_pipelines:
    roles:
      standalone:
--- a/salt/logstash/disabled.sls
+++ b/salt/logstash/disabled.sls
@@ -0,0 +1,27 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
 include:
  - logstash.sostatus
 so-logstash:
  docker_container.absent:
    - force: True
 so-logstash_so-status.disabled:
  file.comment:
    - name: /opt/so/conf/so-status/so-status.conf
    - regex: ^so-logstash$
 {% else %}
 {{sls}}_state_not_allowed:
  test.fail_without_changes:
    - name: {{sls}}_state_not_allowed
 {% endif %}
--- a/salt/logstash/enabled.sls
+++ b/salt/logstash/enabled.sls
@@ -0,0 +1,101 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
 {%   from 'vars/globals.map.jinja' import GLOBALS %}
 {%   from 'docker/docker.map.jinja' import DOCKER %}
 {%   from 'logstash/map.jinja' import LOGSTASH_MERGED %}
 {%   from 'logstash/map.jinja' import REDIS_NODES %}
 {%   set lsheap = LOGSTASH_MERGED.settings.lsheap %}
 include:
  - elasticsearch.ca
  - logstash.config
  - logstash.sostatus
 so-logstash:
  docker_container.running:
    - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-logstash:{{ GLOBALS.so_version }}
    - hostname: so-logstash
    - name: so-logstash
    - networks:
      - sobridge:
        - ipv4_address: {{ DOCKER.containers['so-logstash'].ip }}
    - user: logstash
    - extra_hosts: {{ REDIS_NODES }}
    - environment:
      - LS_JAVA_OPTS=-Xms{{ lsheap }} -Xmx{{ lsheap }}
    - port_bindings:
      {% for BINDING in DOCKER.containers['so-logstash'].port_bindings %}
      - {{ BINDING }}
      {% endfor %}
    - binds:
      - /opt/so/conf/elasticsearch/templates/:/templates/:ro
      - /opt/so/conf/logstash/etc/:/usr/share/logstash/config/:ro
      - /opt/so/conf/logstash/pipelines:/usr/share/logstash/pipelines:ro
      - /opt/so/rules:/etc/nsm/rules:ro
      - /nsm/import:/nsm/import:ro
      - /nsm/logstash:/usr/share/logstash/data:rw
      - /opt/so/log/logstash:/var/log/logstash:rw
      - /sys/fs/cgroup:/sys/fs/cgroup:ro
      - /opt/so/conf/logstash/etc/certs:/usr/share/logstash/certs:ro
      {% if GLOBALS.role in ['so-manager', 'so-helix', 'so-managersearch', 'so-standalone', 'so-import', 'so-heavynode', 'so-receiver'] %}
      - /etc/pki/filebeat.crt:/usr/share/logstash/filebeat.crt:ro
      - /etc/pki/filebeat.p8:/usr/share/logstash/filebeat.key:ro
      {% endif %}
      {% if GLOBALS.role in ['so-manager', 'so-managersearch', 'so-standalone', 'so-import', 'so-eval','so-fleet'] %}
      - /opt/so/conf/elastic-fleet/certs/elasticfleet-logstash.crt:/usr/share/logstash/elasticfleet-logstash.crt:ro
      - /opt/so/conf/elastic-fleet/certs/elasticfleet-logstash.p8:/usr/share/logstash/elasticfleet-logstash.key:ro
      {% endif %}
      {% if GLOBALS.role in ['so-manager', 'so-helix', 'so-managersearch', 'so-standalone', 'so-import'] %}
      - /etc/pki/ca.crt:/usr/share/filebeat/ca.crt:ro
      {% else %}
      - /etc/ssl/certs/intca.crt:/usr/share/filebeat/ca.crt:ro
      {% endif %}
      {% if GLOBALS.role in ['so-manager', 'so-helix', 'so-managersearch', 'so-standalone', 'so-import', 'so-heavynode', 'so-searchnode'] %}
      - /opt/so/conf/ca/cacerts:/etc/pki/ca-trust/extracted/java/cacerts:ro
      - /opt/so/conf/ca/tls-ca-bundle.pem:/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem:ro
      {% endif %}
      {% if GLOBALS.role == 'so-eval' %}
      - /nsm/zeek:/nsm/zeek:ro
      - /nsm/suricata:/suricata:ro
      - /opt/so/log/fleet/:/osquery/logs:ro
      - /opt/so/log/strelka:/strelka:ro
      {% endif %}
    - watch:
      - file: lsetcsync
      {% for assigned_pipeline in LOGSTASH_MERGED.assigned_pipelines.roles[GLOBALS.role.split('-')[1]] %}
      - file: ls_pipeline_{{assigned_pipeline}}
        {% for CONFIGFILE in LOGSTASH_MERGED.defined_pipelines[assigned_pipeline] %}
      - file: ls_pipeline_{{assigned_pipeline}}_{{CONFIGFILE.split('.')[0] | replace("/","_") }}
        {% endfor %}
      {% endfor %}
    - require:
      {% if grains['role'] in ['so-manager', 'so-helix', 'so-managersearch', 'so-standalone', 'so-import', 'so-heavynode', 'so-receiver'] %}
      - x509: etc_filebeat_crt
      {% endif %}
      {% if grains['role'] in ['so-manager', 'so-helix', 'so-managersearch', 'so-standalone', 'so-import'] %}
      - x509: pki_public_ca_crt
      {% else %}
      - x509: trusttheca
      {% endif %}
      {% if grains.role in ['so-manager', 'so-helix', 'so-managersearch', 'so-standalone', 'so-import'] %}
      - file: cacertz
      - file: capemz
      {% endif %}
 delete_so-logstash_so-status.disabled:
  file.uncomment:
    - name: /opt/so/conf/so-status/so-status.conf
    - regex: ^so-logstash$
 {% else %}
 {{sls}}_state_not_allowed:
  test.fail_without_changes:
    - name: {{sls}}_state_not_allowed
 {% endif %}
--- a/Show More
+++ b/Show More
		`@@ -0,0 +1,2 @@`
							`elastic_fleet_package_registry:`
							`enabled: False`