Merge pull request #10481 from Security-Onion-Solutions/2.4/dev

2.4.2

README.md

@@ -1,6 +1,6 @@
-## Security Onion 2.4 Beta 2
+## Security Onion 2.4 Beta 3
 
-Security Onion 2.4 Beta 2 is here!
+Security Onion 2.4 Beta 3 is here!
 
 ## Screenshots
 

VERIFY_ISO.md

@@ -1 +1,52 @@
-### An ISO will be available starting in RC1. 
+### 2.4.2-20230531 ISO image built on 2023/05/31
+
+
+
+### Download and Verify
+
+2.4.2-20230531 ISO image:  
+https://download.securityonion.net/file/securityonion/securityonion-2.4.2-20230531.iso
+
+MD5: EB861EFB7F7DA6FB418075B4C452E4EB  
+SHA1: 479A72DBB0633CB23608122F7200A24E2C3C3128  
+SHA256: B69C1AE4C576BBBC37F4B87C2A8379903421E65B2C4F24C90FABB0EAD6F0471B 
+
+Signature for ISO image:  
+https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.2-20230531.iso.sig
+
+Signing key:  
+https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/2.4/main/KEYS  
+
+For example, here are the steps you can use on most Linux distributions to download and verify our Security Onion ISO image.
+
+Download and import the signing key:  
+```
+wget https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/2.4/main/KEYS -O - | gpg --import -  
+```
+
+Download the signature file for the ISO:  
+```
+wget https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.2-20230531.iso.sig
+```
+
+Download the ISO image:  
+```
+wget https://download.securityonion.net/file/securityonion/securityonion-2.4.2-20230531.iso
+```
+
+Verify the downloaded ISO image using the signature file:  
+```
+gpg --verify securityonion-2.4.2-20230531.iso.sig securityonion-2.4.2-20230531.iso
+```
+
+The output should show "Good signature" and the Primary key fingerprint should match what's shown below:
+```
+gpg: Signature made Wed 31 May 2023 05:01:41 PM EDT using RSA key ID FE507013
+gpg: Good signature from "Security Onion Solutions, LLC <info@securityonionsolutions.com>"
+gpg: WARNING: This key is not certified with a trusted signature!
+gpg:          There is no indication that the signature belongs to the owner.
+Primary key fingerprint: C804 A93D 36BE 0C73 3EA1  9644 7C10 60B7 FE50 7013
+```
+
+Once you've verified the ISO image, you're ready to proceed to our Installation guide:  
+https://docs.securityonion.net/en/2.4/installation.html

VERSION

@@ -1 +1 @@
-2.4.1
+2.4.2

pillar/logstash/fleet.sls

@@ -1,6 +0,0 @@
-logstash:
-  pipelines:
-    fleet:
-      config:
-        - so/0012_input_elastic_agent.conf     
-        - so/9806_output_lumberjack_fleet.conf.jinja

pillar/logstash/helix.sls

@@ -1,42 +0,0 @@
-logstash:
-  pipelines:
-    helix:
-      config:
-        - so/0010_input_hhbeats.conf
-        - so/1033_preprocess_snort.conf
-        - so/1100_preprocess_bro_conn.conf
-        - so/1101_preprocess_bro_dhcp.conf
-        - so/1102_preprocess_bro_dns.conf
-        - so/1103_preprocess_bro_dpd.conf
-        - so/1104_preprocess_bro_files.conf
-        - so/1105_preprocess_bro_ftp.conf
-        - so/1106_preprocess_bro_http.conf
-        - so/1107_preprocess_bro_irc.conf
-        - so/1108_preprocess_bro_kerberos.conf
-        - so/1109_preprocess_bro_notice.conf
-        - so/1110_preprocess_bro_rdp.conf
-        - so/1111_preprocess_bro_signatures.conf
-        - so/1112_preprocess_bro_smtp.conf
-        - so/1113_preprocess_bro_snmp.conf
-        - so/1114_preprocess_bro_software.conf
-        - so/1115_preprocess_bro_ssh.conf
-        - so/1116_preprocess_bro_ssl.conf
-        - so/1117_preprocess_bro_syslog.conf
-        - so/1118_preprocess_bro_tunnel.conf
-        - so/1119_preprocess_bro_weird.conf
-        - so/1121_preprocess_bro_mysql.conf
-        - so/1122_preprocess_bro_socks.conf
-        - so/1123_preprocess_bro_x509.conf
-        - so/1124_preprocess_bro_intel.conf
-        - so/1125_preprocess_bro_modbus.conf
-        - so/1126_preprocess_bro_sip.conf
-        - so/1127_preprocess_bro_radius.conf
-        - so/1128_preprocess_bro_pe.conf
-        - so/1129_preprocess_bro_rfb.conf
-        - so/1130_preprocess_bro_dnp3.conf
-        - so/1131_preprocess_bro_smb_files.conf
-        - so/1132_preprocess_bro_smb_mapping.conf
-        - so/1133_preprocess_bro_ntlm.conf
-        - so/1134_preprocess_bro_dce_rpc.conf
-        - so/8001_postprocess_common_ip_augmentation.conf
-        - so/9997_output_helix.conf.jinja

pillar/logstash/manager.sls

@@ -1,8 +0,0 @@
-logstash:
-  pipelines:
-    manager:
-      config:
-        - so/0011_input_endgame.conf
-        - so/0012_input_elastic_agent.conf
-        - so/0013_input_lumberjack_fleet.conf
-        - so/9999_output_redis.conf.jinja

pillar/logstash/receiver.sls

@@ -1,8 +0,0 @@
-logstash:
-  pipelines:
-    receiver:
-      config:
-        - so/0011_input_endgame.conf
-        - so/0012_input_elastic_agent.conf
-        - so/9999_output_redis.conf.jinja
-        

pillar/logstash/search.sls

@@ -1,7 +0,0 @@
-logstash:
-  pipelines:
-    search:
-      config:
-        - so/0900_input_redis.conf.jinja
-        - so/9805_output_elastic_agent.conf.jinja
-        - so/9900_output_endgame.conf.jinja

pillar/top.sls

@@ -1,44 +1,26 @@
 base:
   '*':
-    - patch.needs_restarting
+    - global.soc_global
-    - ntp.soc_ntp
+    - global.adv_global
-    - ntp.adv_ntp
-    - logrotate
     - docker.soc_docker
     - docker.adv_docker
+    - firewall.soc_firewall
+    - firewall.adv_firewall
+    - influxdb.token
+    - logrotate.soc_logrotate
+    - logrotate.adv_logrotate
+    - nginx.soc_nginx
+    - nginx.adv_nginx
+    - node_data.ips
+    - ntp.soc_ntp
+    - ntp.adv_ntp
+    - patch.needs_restarting
+    - patch.soc_patch
+    - patch.adv_patch
     - sensoroni.soc_sensoroni
     - sensoroni.adv_sensoroni
     - telegraf.soc_telegraf
     - telegraf.adv_telegraf
-    - influxdb.token
-    - node_data.ips
-
-  '* and not *_eval and not *_import':
-    - logstash.nodes
-
-  '*_eval or *_heavynode or *_sensor or *_standalone or *_import':
-    - match: compound
-    - zeek
-    - bpf.soc_bpf
-    - bpf.adv_bpf
-
-  '*_managersearch or *_heavynode':
-    - match: compound
-    - logstash
-    - logstash.manager
-    - logstash.search
-    - logstash.soc_logstash
-    - logstash.adv_logstash
-    - elasticsearch.index_templates
-    - elasticsearch.soc_elasticsearch
-    - elasticsearch.adv_elasticsearch
-
-  '*_manager':
-    - logstash
-    - logstash.manager
-    - logstash.soc_logstash
-    - logstash.adv_logstash
-    - elasticsearch.index_templates
 
   '*_manager or *_managersearch':
     - match: compound
@@ -49,14 +31,19 @@ base:
     - kibana.secrets
     {% endif %}
     - secrets
-    - global.soc_global
-    - global.adv_global
     - manager.soc_manager
     - manager.adv_manager
     - idstools.soc_idstools
     - idstools.adv_idstools
+    - logstash.nodes
+    - logstash.soc_logstash
+    - logstash.adv_logstash
     - soc.soc_soc
     - soc.adv_soc
+    - soctopus.soc_soctopus
+    - soctopus.adv_soctopus
+    - kibana.soc_kibana
+    - kibana.adv_kibana
     - kratos.soc_kratos
     - kratos.adv_kratos
     - redis.soc_redis
@@ -65,17 +52,31 @@ base:
     - influxdb.adv_influxdb
     - elasticsearch.soc_elasticsearch
     - elasticsearch.adv_elasticsearch
+    - elasticfleet.soc_elasticfleet
+    - elasticfleet.adv_elasticfleet
+    - elastalert.soc_elastalert
+    - elastalert.adv_elastalert
     - backup.soc_backup
     - backup.adv_backup
-    - firewall.soc_firewall
+    - curator.soc_curator
-    - firewall.adv_firewall
+    - curator.adv_curator
+    - soctopus.soc_soctopus
+    - soctopus.adv_soctopus
     - minions.{{ grains.id }}
     - minions.adv_{{ grains.id }}
 
   '*_sensor':
     - healthcheck.sensor
-    - global.soc_global
+    - strelka.soc_strelka
-    - global.adv_global
+    - strelka.adv_strelka
+    - zeek.soc_zeek
+    - zeek.adv_zeek
+    - bpf.soc_bpf
+    - bpf.adv_bpf
+    - pcap.soc_pcap
+    - pcap.adv_pcap
+    - suricata.soc_suricata
+    - suricata.adv_suricata
     - minions.{{ grains.id }}
     - minions.adv_{{ grains.id }}
 
@@ -89,16 +90,27 @@ base:
     {% if salt['file.file_exists']('/opt/so/saltstack/local/pillar/kibana/secrets.sls') %}
     - kibana.secrets
     {% endif %}
-    - global.soc_global
-    - global.adv_global
     - kratos.soc_kratos
     - elasticsearch.soc_elasticsearch
     - elasticsearch.adv_elasticsearch
+    - elasticfleet.soc_elasticfleet
+    - elasticfleet.adv_elasticfleet
+    - elastalert.soc_elastalert
+    - elastalert.adv_elastalert
     - manager.soc_manager
     - manager.adv_manager
     - idstools.soc_idstools
     - idstools.adv_idstools
     - soc.soc_soc
+    - soc.adv_soc
+    - soctopus.soc_soctopus
+    - soctopus.adv_soctopus
+    - kibana.soc_kibana
+    - kibana.adv_kibana
+    - strelka.soc_strelka
+    - strelka.adv_strelka
+    - curator.soc_curator
+    - curator.adv_curator
     - kratos.soc_kratos
     - kratos.adv_kratos
     - redis.soc_redis
@@ -107,15 +119,19 @@ base:
     - influxdb.adv_influxdb
     - backup.soc_backup
     - backup.adv_backup
-    - firewall.soc_firewall
+    - zeek.soc_zeek
-    - firewall.adv_firewall
+    - zeek.adv_zeek
+    - bpf.soc_bpf
+    - bpf.adv_bpf
+    - pcap.soc_pcap
+    - pcap.adv_pcap
+    - suricata.soc_suricata
+    - suricata.adv_suricata
     - minions.{{ grains.id }}
     - minions.adv_{{ grains.id }}
 
   '*_standalone':
-    - logstash
+    - logstash.nodes
-    - logstash.manager
-    - logstash.search
     - logstash.soc_logstash
     - logstash.adv_logstash
     - elasticsearch.index_templates
@@ -127,8 +143,6 @@ base:
     {% endif %}
     - secrets
     - healthcheck.standalone
-    - global.soc_global
-    - global.adv_global
     - idstools.soc_idstools
     - idstools.adv_idstools
     - kratos.soc_kratos
@@ -139,52 +153,81 @@ base:
     - influxdb.adv_influxdb
     - elasticsearch.soc_elasticsearch
     - elasticsearch.adv_elasticsearch
+    - elasticfleet.soc_elasticfleet
+    - elasticfleet.adv_elasticfleet
+    - elastalert.soc_elastalert
+    - elastalert.adv_elastalert
     - manager.soc_manager
     - manager.adv_manager
     - soc.soc_soc
+    - soc.adv_soc
+    - soctopus.soc_soctopus
+    - soctopus.adv_soctopus
+    - kibana.soc_kibana
+    - kibana.adv_kibana
+    - strelka.soc_strelka
+    - strelka.adv_strelka
+    - curator.soc_curator
+    - curator.adv_curator
     - backup.soc_backup
     - backup.adv_backup
-    - firewall.soc_firewall
+    - zeek.soc_zeek
-    - firewall.adv_firewall
+    - zeek.adv_zeek
+    - bpf.soc_bpf
+    - bpf.adv_bpf
+    - pcap.soc_pcap
+    - pcap.adv_pcap
+    - suricata.soc_suricata
+    - suricata.adv_suricata
     - minions.{{ grains.id }}
     - minions.adv_{{ grains.id }}
 
   '*_heavynode':
     - elasticsearch.auth
-    - global.soc_global
+    - logstash.nodes
-    - global.adv_global
+    - logstash.soc_logstash
+    - logstash.adv_logstash
+    - elasticsearch.soc_elasticsearch
+    - elasticsearch.adv_elasticsearch
+    - curator.soc_curator
+    - curator.adv_curator
     - redis.soc_redis
+    - redis.adv_redis
+    - zeek.soc_zeek
+    - zeek.adv_zeek
+    - bpf.soc_bpf
+    - bpf.adv_bpf
+    - pcap.soc_pcap
+    - pcap.adv_pcap
+    - suricata.soc_suricata
+    - suricata.adv_suricata
+    - strelka.soc_strelka
+    - strelka.adv_strelka
     - minions.{{ grains.id }}
     - minions.adv_{{ grains.id }}
 
   '*_idh':
-    - global.soc_global
-    - global.adv_global
     - idh.soc_idh
     - idh.adv_idh
     - minions.{{ grains.id }}
     - minions.adv_{{ grains.id }}
 
   '*_searchnode':
-    - logstash
+    - logstash.nodes
-    - logstash.search
     - logstash.soc_logstash
     - logstash.adv_logstash
-    - elasticsearch.index_templates
     - elasticsearch.soc_elasticsearch
     - elasticsearch.adv_elasticsearch
     {% if salt['file.file_exists']('/opt/so/saltstack/local/pillar/elasticsearch/auth.sls') %}
     - elasticsearch.auth
     {% endif %}
     - redis.soc_redis
-    - global.soc_global
+    - redis.adv_redis
-    - global.adv_global
     - minions.{{ grains.id }}
     - minions.adv_{{ grains.id }}
 
   '*_receiver':
-    - logstash
+    - logstash.nodes
-    - logstash.receiver
     - logstash.soc_logstash
     - logstash.adv_logstash
     {% if salt['file.file_exists']('/opt/so/saltstack/local/pillar/elasticsearch/auth.sls') %}
@@ -192,8 +235,6 @@ base:
     {% endif %}
     - redis.soc_redis
     - redis.adv_redis
-    - global.soc_global
-    - global.adv_global
     - minions.{{ grains.id }}
     - minions.adv_{{ grains.id }}
 
@@ -209,11 +250,20 @@ base:
     - kratos.soc_kratos
     - elasticsearch.soc_elasticsearch
     - elasticsearch.adv_elasticsearch
+    - elasticfleet.soc_elasticfleet
+    - elasticfleet.adv_elasticfleet
+    - elastalert.soc_elastalert
+    - elastalert.adv_elastalert
     - manager.soc_manager
     - manager.adv_manager
     - soc.soc_soc
-    - global.soc_global
+    - soc.adv_soc
-    - global.adv_global
+    - soctopus.soc_soctopus
+    - soctopus.adv_soctopus
+    - kibana.soc_kibana
+    - kibana.adv_kibana
+    - curator.soc_curator
+    - curator.adv_curator
     - backup.soc_backup
     - backup.adv_backup
     - kratos.soc_kratos
@@ -222,23 +272,30 @@ base:
     - redis.adv_redis
     - influxdb.soc_influxdb
     - influxdb.adv_influxdb
-    - firewall.soc_firewall
+    - zeek.soc_zeek
-    - firewall.adv_firewall
+    - zeek.adv_zeek
+    - bpf.soc_bpf
+    - bpf.adv_bpf
+    - pcap.soc_pcap
+    - pcap.adv_pcap
+    - suricata.soc_suricata
+    - suricata.adv_suricata
+    - strelka.soc_strelka
+    - strelka.adv_strelka
     - minions.{{ grains.id }}
     - minions.adv_{{ grains.id }}
 
   '*_fleet':
-    - global.soc_global
-    - global.adv_global
     - backup.soc_backup
     - backup.adv_backup
-    - logstash
+    - logstash.nodes
-    - logstash.fleet
     - logstash.soc_logstash
     - logstash.adv_logstash
+    - elasticfleet.soc_elasticfleet
+    - elasticfleet.adv_elasticfleet
     - minions.{{ grains.id }}
     - minions.adv_{{ grains.id }}
 
-  '*_workstation':
+  '*_desktop':
     - minions.{{ grains.id }}
     - minions.adv_{{ grains.id }}

salt/allowed_states.map.jinja

@@ -3,16 +3,6 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 
-
-{% set ZEEKVER = salt['pillar.get']('global:mdengine', '') %}
-{% set PLAYBOOK = salt['pillar.get']('manager:playbook', '0') %}
-{% set ELASTALERT = salt['pillar.get']('elastalert:enabled', True) %}
-{% set ELASTICSEARCH = salt['pillar.get']('elasticsearch:enabled', True) %}
-{% set KIBANA = salt['pillar.get']('kibana:enabled', True) %}
-{% set LOGSTASH = salt['pillar.get']('logstash:enabled', True) %}
-{% set CURATOR = salt['pillar.get']('curator:enabled', True) %}
-{% set REDIS = salt['pillar.get']('redis:enabled', True) %}
-{% set STRELKA = salt['pillar.get']('strelka:enabled', '0') %}
 {% set ISAIRGAP = salt['pillar.get']('global:airgap', False) %}
 {% import_yaml 'salt/minion.defaults.yaml' as saltversion %}
 {% set saltversion = saltversion.salt.minion.version %}
@@ -35,6 +25,7 @@
           'soc',
           'kratos',
           'elasticfleet',
+          'elastic-fleet-package-registry',
           'firewall',
           'idstools',
           'suricata.manager',
@@ -105,7 +96,8 @@
           'schedule',
           'tcpreplay',
           'docker_clean',
-          'elasticfleet'
+          'elasticfleet',
+          'elastic-fleet-package-registry'
           ],
       'so-manager': [
           'salt.master',
@@ -119,6 +111,7 @@
           'soc',
           'kratos',
           'elasticfleet',
+          'elastic-fleet-package-registry',
           'firewall',
           'idstools',
           'suricata.manager',
@@ -137,6 +130,7 @@
           'influxdb',
           'soc',
           'kratos',
+          'elastic-fleet-package-registry',
           'elasticfleet',
           'firewall',
           'manager',
@@ -166,6 +160,7 @@
           'influxdb',
           'soc',
           'kratos',
+          'elastic-fleet-package-registry',
           'elasticfleet',
           'firewall',
           'idstools',
@@ -212,27 +207,27 @@
           ],
   }, grain='role') %}
 
-  {% if (PLAYBOOK != 0) and grains.role in ['so-eval', 'so-manager', 'so-managersearch', 'so-standalone'] %}
+  {% if grains.role in ['so-eval', 'so-manager', 'so-managersearch', 'so-standalone'] %}
     {% do allowed_states.append('mysql') %}
   {% endif %}
 
-  {%- if ZEEKVER != 'SURICATA' and grains.role in ['so-sensor', 'so-eval', 'so-standalone', 'so-heavynode'] %}
+  {%- if grains.role in ['so-sensor', 'so-eval', 'so-standalone', 'so-heavynode'] %}
     {% do allowed_states.append('zeek') %}
   {%- endif %}
 
-  {% if STRELKA and grains.role in ['so-sensor', 'so-eval', 'so-standalone', 'so-heavynode'] %}
+  {% if grains.role in ['so-sensor', 'so-eval', 'so-standalone', 'so-heavynode'] %}
     {% do allowed_states.append('strelka') %}
   {% endif %}
 
-  {% if ELASTICSEARCH and grains.role in ['so-eval', 'so-manager', 'so-standalone', 'so-searchnode', 'so-managersearch', 'so-heavynode', 'so-import'] %}
+  {% if grains.role in ['so-eval', 'so-manager', 'so-standalone', 'so-searchnode', 'so-managersearch', 'so-heavynode', 'so-import'] %}
     {% do allowed_states.append('elasticsearch') %}
   {% endif %}
 
-  {% if ELASTICSEARCH and grains.role in ['so-eval', 'so-manager', 'so-standalone', 'so-managersearch', 'so-import'] %}
+  {% if grains.role in ['so-eval', 'so-manager', 'so-standalone', 'so-managersearch', 'so-import'] %}
     {% do allowed_states.append('elasticsearch.auth') %}
   {% endif %}
 
-  {% if KIBANA and grains.role in ['so-eval', 'so-manager', 'so-standalone', 'so-managersearch', 'so-import'] %}
+  {% if grains.role in ['so-eval', 'so-manager', 'so-standalone', 'so-managersearch', 'so-import'] %}
     {% do allowed_states.append('kibana') %}
     {% do allowed_states.append('kibana.secrets') %}
   {% endif %}
@@ -241,23 +236,19 @@
     {% do allowed_states.append('curator') %}
   {% endif %}
 
-  {% if ELASTALERT and grains.role in ['so-eval', 'so-manager', 'so-standalone', 'so-managersearch'] %}
+  {% if grains.role in ['so-eval', 'so-manager', 'so-standalone', 'so-managersearch'] %}
     {% do allowed_states.append('elastalert') %}
   {% endif %}
 
-  {% if (PLAYBOOK !=0) and grains.role in ['so-eval', 'so-manager', 'so-standalone', 'so-managersearch'] %}
+  {% if grains.role in ['so-eval', 'so-manager', 'so-standalone', 'so-managersearch'] %}
     {% do allowed_states.append('playbook') %}
   {% endif %}
 
-  {% if (PLAYBOOK !=0) and grains.role in ['so-eval'] %}
+  {% if grains.role in ['so-helixsensor', 'so-manager', 'so-standalone', 'so-searchnode', 'so-managersearch', 'so-heavynode', 'so-receiver'] %}
-    {% do allowed_states.append('redis') %}
-  {% endif %}
-
-  {% if LOGSTASH and grains.role in ['so-helixsensor', 'so-manager', 'so-standalone', 'so-searchnode', 'so-managersearch', 'so-heavynode', 'so-receiver'] %}
     {% do allowed_states.append('logstash') %}
   {% endif %}
 
-  {% if REDIS and grains.role in ['so-manager', 'so-standalone', 'so-managersearch', 'so-heavynode', 'so-receiver'] %}
+  {% if grains.role in ['so-manager', 'so-standalone', 'so-managersearch', 'so-heavynode', 'so-receiver', 'so-eval'] %}
     {% do allowed_states.append('redis') %}
   {% endif %}
   

salt/common/init.sls

@@ -49,12 +49,11 @@ so-status.conf:
     - name: /opt/so/conf/so-status/so-status.conf
     - unless: ls /opt/so/conf/so-status/so-status.conf
 
-sosaltstackperms:
+socore_opso_perms:
   file.directory:
-    - name: /opt/so/saltstack
+    - name: /opt/so
     - user: 939
     - group: 939
-    - dir_mode: 770
     
 so_log_perms:
   file.directory:
@@ -112,21 +111,23 @@ elastic_curl_config:
   {% endif %}
 {% endif %}
 
-# Sync some Utilities
+
-utilsyncscripts:
+common_sbin:
   file.recurse:
     - name: /usr/sbin
-    - user: root
+    - source: salt://common/tools/sbin
-    - group: root
+    - user: 939
+    - group: 939
+    - file_mode: 755
+
+common_sbin_jinja:
+  file.recurse:
+    - name: /usr/sbin
+    - source: salt://common/tools/sbin_jinja
+    - user: 939
+    - group: 939 
     - file_mode: 755
     - template: jinja
-    - source: salt://common/tools/sbin
-    - exclude_pat:
-        - so-common
-        - so-firewall
-        - so-image-common
-        - soup
-        - so-status
 
 so-status_script:
   file.managed:

salt/common/tools/sbin/so-common

@@ -160,39 +160,6 @@ disable_fastestmirror() {
 	sed -i 's/enabled=1/enabled=0/' /etc/yum/pluginconf.d/fastestmirror.conf
 }
 
-elastic_fleet_integration_create() {
-
-    JSON_STRING=$1
-
-    curl -K /opt/so/conf/elasticsearch/curl.config -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d "$JSON_STRING"
-}
-
-elastic_fleet_policy_create() {
-
-    NAME=$1
-    DESC=$2
-    FLEETSERVER=$3
-
-    JSON_STRING=$( jq -n \
-                    --arg NAME "$NAME" \
-                    --arg DESC "$DESC" \
-                    --arg FLEETSERVER "$FLEETSERVER" \
-                    '{"name": $NAME,"id":$NAME,"description":$DESC,"namespace":"default","monitoring_enabled":["logs"],"inactivity_timeout":1209600,"has_fleet_server":$FLEETSERVER}'
-                    )
-    # Create Fleet Policy
-    curl -K /opt/so/conf/elasticsearch/curl.config -L -X POST "localhost:5601/api/fleet/agent_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d "$JSON_STRING" 
-
-}
-
-elastic_fleet_policy_update() {
-
-    POLICYID=$1
-    JSON_STRING=$2
-
-    curl -K /opt/so/conf/elasticsearch/curl.config -L -X PUT "localhost:5601/api/fleet/agent_policies/$POLICYID" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d "$JSON_STRING"
-}
-
-
 elastic_license() {
 
 read -r -d '' message <<- EOM
@@ -238,7 +205,7 @@ gpg_rpm_import() {
 	        local RPMKEYSLOC="$UPDATE_DIR/salt/repo/client/files/rocky/keys"
 	    fi
 	
-	    RPMKEYS=('RPM-GPG-KEY-EPEL-9' 'SALT-PROJECT-GPG-PUBKEY-2023.pub' 'docker.pub' 'securityonion.pub')
+	    RPMKEYS=('RPM-GPG-KEY-rockyofficial' 'RPM-GPG-KEY-EPEL-9' 'SALT-PROJECT-GPG-PUBKEY-2023.pub' 'docker.pub' 'securityonion.pub')
 
 	    for RPMKEY in "${RPMKEYS[@]}"; do
     	        rpm --import $RPMKEYSLOC/$RPMKEY

salt/common/tools/sbin/so-elastic-agent-gen-installers

@@ -1,34 +0,0 @@
-#!/bin/bash
-
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0; you may not use
-# this file except in compliance with the Elastic License 2.0.
-
-#so-elastic-agent-gen-installers $FleetHost $EnrollmentToken 
-
-{% from 'vars/globals.map.jinja' import GLOBALS %}
-
-. /usr/sbin/so-common
-
-ENROLLMENTOKEN=$(curl -K /opt/so/conf/elasticsearch/curl.config -L "localhost:5601/api/fleet/enrollment_api_keys" -H 'kbn-xsrf: true' -H 'Content-Type: application/json'  | jq .list | jq -r -c '.[] | select(.policy_id | contains("endpoints")) | .api_key')
-
-#FLEETHOST=$(lookup_pillar "server:url" "elasticfleet")
-FLEETHOST="{{ GLOBALS.manager_ip }}"
-
-#FLEETHOST=$1
-#ENROLLMENTOKEN=$2
-CONTAINERGOOS=( "linux" "darwin" "windows" )
-
-#rm -rf /tmp/elastic-agent-workspace
-#mkdir -p /tmp/elastic-agent-workspace
-
-for OS in "${CONTAINERGOOS[@]}"
-do
-    printf "\n\nGenerating $OS Installer..."
-    #cp /opt/so/saltstack/default/salt/elasticfleet/files/elastic-agent/so-elastic-agent-*-$OS-x86_64.tar.gz /tmp/elastic-agent-workspace/$OS.tar.gz
-    docker run -e CGO_ENABLED=0 -e GOOS=$OS \
-    --mount type=bind,source=/etc/ssl/certs/,target=/workspace/files/cert/ \
-    --mount type=bind,source=/opt/so/saltstack/local/salt/elasticfleet/files/so_agent-installers/,target=/output/ \
-    {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-elastic-agent-builder:{{ GLOBALS.so_version }} go build -ldflags "-X main.fleetHost=$FLEETHOST -X main.enrollmentToken=$ENROLLMENTOKEN"  -o /output/so-elastic-agent_$OS
-    printf "\n $OS Installer Generated..."
-done

salt/common/tools/sbin/so-elastic-fleet-integration-policy-load

@@ -1,21 +0,0 @@
-#!/bin/bash
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-. /usr/sbin/so-common
-
-# Initial Endpoints
-for INTEGRATION in /opt/so/saltstack/default/salt/elasticfleet/files/integrations/endpoints-initial/*.json
-do
-  printf "\n\nInitial Endpoint Policy - Loading $INTEGRATION\n"
-  elastic_fleet_integration_create "@$INTEGRATION"
-done
-
-# Grid Nodes
-for INTEGRATION in /opt/so/saltstack/default/salt/elasticfleet/files/integrations/grid-nodes/*.json
-do
-  printf "\n\nGrid Nodes Policy - Loading $INTEGRATION\n"
-  elastic_fleet_integration_create "@$INTEGRATION"
-done

salt/common/tools/sbin/so-elastic-restart

@@ -1,31 +0,0 @@
-#!/bin/bash
-
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-
-
-. /usr/sbin/so-common
-
-
-{%- if grains['role'] in ['so-eval','so-manager', 'so-managersearch', 'so-standalone', 'so-heavynode', 'so-searchnode', 'so-import']%}
-/usr/sbin/so-restart elasticsearch $1
-{%- endif %}
-
-{%- if grains['role'] in ['so-eval', 'so-manager', 'so-managersearch', 'so-standalone', 'so-import']%}
-/usr/sbin/so-restart kibana $1
-{%- endif %}
-
-{%- if grains['role'] in ['so-manager', 'so-managersearch', 'so-standalone', 'so-heavynode', 'so-searchnode']%}
-/usr/sbin/so-restart logstash $1
-{%- endif %}
-
-{%- if grains['role'] in ['so-manager', 'so-managersearch', 'so-standalone', 'so-heavynode', 'so-searchnode']%}
-/usr/sbin/so-restart curator $1
-{%- endif %}
-
-{%- if grains['role'] in ['so-eval','so-manager', 'so-managersearch', 'so-standalone']%}
-/usr/sbin/so-restart elastalert $1
-{%- endif %}

salt/common/tools/sbin/so-elastic-start

@@ -1,31 +0,0 @@
-#!/bin/bash
-
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-
-
-. /usr/sbin/so-common
-
-
-{%- if grains['role'] in ['so-eval','so-manager', 'so-managersearch', 'so-standalone', 'so-heavynode', 'so-searchnode', 'so-import']%}
-/usr/sbin/so-start elasticsearch $1
-{%- endif %}
-
-{%- if grains['role'] in ['so-eval', 'so-manager', 'so-managersearch', 'so-standalone', 'so-import']%}
-/usr/sbin/so-start kibana $1
-{%- endif %}
-
-{%- if grains['role'] in ['so-manager', 'so-managersearch', 'so-standalone', 'so-heavynode', 'so-searchnode']%}
-/usr/sbin/so-start logstash $1
-{%- endif %}
-
-{%- if grains['role'] in ['so-manager', 'so-managersearch', 'so-standalone', 'so-heavynode', 'so-searchnode']%}
-/usr/sbin/so-start curator $1
-{%- endif %}
-
-{%- if grains['role'] in ['so-eval','so-manager', 'so-managersearch', 'so-standalone']%}
-/usr/sbin/so-start elastalert $1
-{%- endif %}

salt/common/tools/sbin/so-elastic-stop

@@ -1,31 +0,0 @@
-#!/bin/bash
-
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-
-
-. /usr/sbin/so-common
-
-
-{%- if grains['role'] in ['so-eval','so-manager', 'so-managersearch', 'so-standalone', 'so-heavynode', 'so-searchnode', 'so-import']%}
-/usr/sbin/so-stop elasticsearch $1
-{%- endif %}
-
-{%- if grains['role'] in ['so-eval', 'so-manager', 'so-managersearch', 'so-standalone', 'so-import']%}
-/usr/sbin/so-stop kibana $1
-{%- endif %}
-
-{%- if grains['role'] in ['so-manager', 'so-managersearch', 'so-standalone', 'so-heavynode', 'so-searchnode']%}
-/usr/sbin/so-stop logstash $1
-{%- endif %}
-
-{%- if grains['role'] in ['so-manager', 'so-managersearch', 'so-standalone', 'so-heavynode', 'so-searchnode']%}
-/usr/sbin/so-stop curator $1
-{%- endif %}
-
-{%- if grains['role'] in ['so-eval','so-manager', 'so-managersearch', 'so-standalone']%}
-/usr/sbin/so-stop elastalert $1
-{%- endif %}

salt/common/tools/sbin/so-elasticsearch-indices-rw

@@ -1,15 +0,0 @@
-#!/bin/bash
-#
-#
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-
-IP={{ salt['grains.get']('ip_interfaces').get(salt['pillar.get']('sensor:mainint', salt['pillar.get']('manager:mainint', salt['pillar.get']('elasticsearch:mainint', salt['pillar.get']('host:mainint')))))[0] }}
-ESPORT=9200
-
-echo "Removing read only attributes for indices..."
-echo
-curl -K /opt/so/conf/elasticsearch/curl.config -s -k -XPUT -H "Content-Type: application/json" -L https://$IP:9200/_all/_settings -d '{"index.blocks.read_only_allow_delete": null}' 2>&1 | if grep -q ack; then echo "Index settings updated..."; else echo "There was any issue updating the read-only attribute.  Please ensure Elasticsearch is running.";fi;

salt/common/tools/sbin/so-firewall

@@ -1,104 +0,0 @@
-#!/usr/bin/bash
-
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-. /usr/sbin/so-common
-
-if [[ $# -lt 1 ]]; then
-  echo "Usage: $0 --role=<ROLE> --ip=<IP ADDRESS> --apply=<true|false>"
-  echo ""
-  echo " Example: so-firewall --role=sensor --ip=192.168.254.100 --apply=true"
-  echo ""
-  exit 1
-fi
-
-for i in "$@"; do
-	case $i in
-		-r=*|--role=*)
-			ROLE="${i#*=}"
-			shift 
-			;;
-		-i=*|--ip=*)
-			IP="${i#*=}"
-			shift 
-			;;
-		-a=*|--apply*)
-			APPLY="${i#*=}"
-			shift
-			;;
-		-*|--*)
-			echo "Unknown option $i"
-			exit 1
-			;;
-		*)
-		;;
-	esac
-done
-
-ROLE=${ROLE,,}
-APPLY=${APPLY,,}
-
-function rolecall() {
-	THEROLE=$1
-	THEROLES="analyst analyst_workstations beats_endpoint beats_endpoint_ssl elastic_agent_endpoint elasticsearch_rest endgame eval fleet heavynodes idh manager managersearch receivers searchnodes sensors standalone strelka_frontend syslog"
-
-	for AROLE in $THEROLES; do
-		if [ "$AROLE" = "$THEROLE" ]; then
-			return 0
-		fi
-	done
-	return 1
-}
-
-# Make sure the required options are specified
-if [ -z "$ROLE" ]; then
-	echo "Please specify a role with --role="
-	exit 1
-fi
-if [ -z "$IP" ]; then
-	echo "Please specify an IP address with --ip="
-	exit 1
-fi
-
-# Are we dealing with a role that this script supports?
-if rolecall "$ROLE"; then
-	echo "$ROLE is a supported role"
-else
-	echo "This is not a supported role"
-	exit 1
-fi
-
- # Are we dealing with an IP?
-if verify_ip4 "$IP"; then
-	echo "$IP is a valid IP or CIDR"
-else
-	echo "$IP is not a valid IP or CIDR"
-	exit 1
-fi
-
-local_salt_dir=/opt/so/saltstack/local/salt/firewall
-
-# Let's see if the file exists and if it does, let's see if the IP exists.
-if [ -f "$local_salt_dir/hostgroups/$ROLE" ]; then
-	if grep -q $IP "$local_salt_dir/hostgroups/$ROLE"; then
-		echo "Host already exists"
-		exit 0
-	fi
-fi
-
-# If you have reached this part of your quest then let's add the IP
-echo "Adding $IP to the $ROLE role"
-echo "$IP" >> $local_salt_dir/hostgroups/$ROLE
-
-# Check to see if we are applying this right away.
-if [ "$APPLY" = "true" ]; then
-	echo "Applying the firewall rules"
-	salt-call state.apply firewall queue=True
-	echo "Firewall rules have been applied... Review logs further if there were errors."
-	echo ""
-else
-	echo "Firewall rules will be applied next salt run"
-fi

salt/common/tools/sbin/so-helix-apikey

@@ -1,27 +0,0 @@
-#!/bin/bash
-
-local_salt_dir=/opt/so/saltstack/local
-
-got_root() {
-
-  # Make sure you are root
-  if [ "$(id -u)" -ne 0 ]; then
-          echo "This script must be run using sudo!"
-          exit 1
-  fi
-
-}
-
-got_root
-if [ ! -f $local_salt_dir/pillar/fireeye/init.sls ]; then
-  echo "This is nto configured for Helix Mode. Please re-install."
-  exit
-else
-  echo "Enter your Helix API Key: "
-  read APIKEY
-  sed -i "s/^    api_key.*/    api_key: $APIKEY/g" $local_salt_dir/pillar/fireeye/init.sls
-  docker stop so-logstash
-  docker rm so-logstash
-  echo "Restarting Logstash for updated key"
-  salt-call state.apply logstash queue=True
-fi

salt/common/tools/sbin/so-image-common

@@ -38,6 +38,7 @@ container_list() {
       "so-zeek"
       "so-elastic-agent"
       "so-elastic-agent-builder"
+      "so-elastic-fleet-package-registry"
     )
   elif [ $MANAGERCHECK != 'so-helix' ]; then
     TRUSTED_CONTAINERS=(
@@ -45,6 +46,7 @@ container_list() {
       "so-elastalert"
       "so-elastic-agent"
       "so-elastic-agent-builder"
+      "so-elastic-fleet-package-registry"
       "so-elasticsearch"
       "so-idh"
       "so-idstools"

salt/common/tools/sbin/so-logstash-events

@@ -1,17 +0,0 @@
-#!/bin/bash
-#
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-{% set MAININT = salt['pillar.get']('host:mainint') -%}
-{% set NODEIP = salt['grains.get']('ip_interfaces').get(MAININT)[0] -%}
-
-. /usr/sbin/so-common
-
-if [ "$1" == "" ]; then
-        for i in $(curl -s -L http://{{ NODEIP }}:9600/_node/stats | jq .pipelines | jq '. | to_entries | .[].key' | sed 's/\"//g'); do echo ${i^}:; curl -s localhost:9600/_node/stats | jq .pipelines.$i.events; done
-else
-        curl -s -L http://{{ NODEIP }}:9600/_node/stats | jq .pipelines.$1.events
-fi

salt/common/tools/sbin/so-restart

@@ -24,6 +24,7 @@ if [ $# -ge 1 ]; then
 
         case $1 in
                 "steno") docker stop so-steno && docker rm so-steno && salt-call state.apply pcap queue=True;;
+                "elastic-fleet") docker stop so-elastic-fleet && docker rm so-elastic-fleet && salt-call state.apply elasticfleet queue=True;;
                 *)  docker stop so-$1 ; docker rm so-$1 ; salt-call state.apply $1 queue=True;;
         esac
 else

salt/common/tools/sbin/so-rule-update

@@ -1,10 +0,0 @@
-#!/bin/bash
-
-. /usr/sbin/so-common
-
-argstr=""
-for arg in "$@"; do
-    argstr="${argstr} \"${arg}\""
-done
-
-docker exec so-idstools /bin/bash -c "cd /opt/so/idstools/etc && idstools-rulecat --force ${argstr}"

salt/common/tools/sbin/so-start

@@ -24,6 +24,7 @@ if [ $# -ge 1 ]; then
 	case $1 in
    		"all") salt-call state.highstate queue=True;;
    		"steno") if docker ps | grep -q so-$1; then printf "\n$1 is already running!\n\n"; else docker rm so-$1 >/dev/null 2>&1 ; salt-call state.apply pcap queue=True; fi ;; 
+   		"elastic-fleet") if docker ps | grep -q so-$1; then printf "\n$1 is already running!\n\n"; else docker rm so-$1 >/dev/null 2>&1 ; salt-call state.apply elasticfleet queue=True; fi ;; 
    		*) if docker ps | grep -E -q '^so-$1$'; then printf "\n$1 is already running\n\n"; else docker rm so-$1 >/dev/null 2>&1 ; salt-call state.apply $1 queue=True; fi ;; 
 	esac
 else

salt/curator/config.sls

@@ -0,0 +1,81 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls.split('.')[0] in allowed_states %}
+{%   from "curator/map.jinja" import CURATORMERGED %}
+
+# Create the group
+curatorgroup:
+  group.present:
+    - name: curator
+    - gid: 934
+
+# Add user
+curator:
+  user.present:
+    - uid: 934
+    - gid: 934
+    - home: /opt/so/conf/curator
+    - createhome: False
+
+# Create the log directory
+curlogdir:
+  file.directory:
+    - name: /opt/so/log/curator
+    - user: 934
+    - group: 939
+
+curactiondir:
+  file.directory:
+    - name: /opt/so/conf/curator/action
+    - user: 934
+    - group: 939
+    - makedirs: True
+
+actionconfs:
+  file.recurse:
+    - name: /opt/so/conf/curator/action
+    - source: salt://curator/files/action
+    - user: 934
+    - group: 939
+    - template: jinja
+    - defaults:
+        CURATORMERGED: {{ CURATORMERGED.elasticsearch.index_settings }}
+        
+curconf:
+  file.managed:
+    - name: /opt/so/conf/curator/curator.yml
+    - source: salt://curator/files/curator.yml
+    - user: 934
+    - group: 939
+    - mode: 660
+    - template: jinja
+    - show_changes: False
+
+curator_sbin:
+  file.recurse:
+    - name: /usr/sbin
+    - source: salt://curator/tools/sbin
+    - user: 934
+    - group: 939
+    - file_mode: 755
+
+curator_sbin_jinja:
+  file.recurse:
+    - name: /usr/sbin
+    - source: salt://curator/tools/sbin_jinja
+    - user: 934
+    - group: 939 
+    - file_mode: 755
+    - template: jinja
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+  test.fail_without_changes:
+    - name: {{sls}}_state_not_allowed
+
+{% endif %}

salt/curator/defaults.yaml

@@ -1,98 +1,100 @@
-elasticsearch:
+curator:
-  index_settings:
+  enabled: False
-    logs-import-so:
+  elasticsearch:
-      close: 73000
+    index_settings:
-      delete: 73001
+      logs-import-so:
-    logs-strelka-so:
+        close: 73000
-      close: 30
+        delete: 73001
-      delete: 365
+      logs-strelka-so:
-    logs-suricata-so:
+        close: 30
-      close: 30
+        delete: 365
-      delete: 365
+      logs-suricata-so:
-    logs-syslog-so:
+        close: 30
-      close: 30
+        delete: 365
-      delete: 365
+      logs-syslog-so:
-    logs-zeek-so:
+        close: 30
-      close: 30
+        delete: 365
-      delete: 365
+      logs-zeek-so:
-    logs-elastic_agent-metricbeat-default:
+        close: 30
-      close: 30
+        delete: 365
-      delete: 365
+      logs-elastic_agent-metricbeat-default:
-    logs-elastic_agent-osquerybeat-default:
+        close: 30
-      close: 30
+        delete: 365
-      delete: 365
+      logs-elastic_agent-osquerybeat-default:
-    logs-elastic_agent-fleet_server-default:
+        close: 30
-      close: 30
+        delete: 365
-      delete: 365
+      logs-elastic_agent-fleet_server-default:
-    logs-elastic_agent-filebeat-default:
+        close: 30
-      close: 30
+        delete: 365
-      delete: 365
+      logs-elastic_agent-filebeat-default:
-    logs-elastic_agent-default:
+        close: 30
-      close: 30
+        delete: 365
-      delete: 365
+      logs-elastic_agent-default:
-    logs-system-auth-default:
+        close: 30
-      close: 30
+        delete: 365
-      delete: 365
+      logs-system-auth-default:
-    logs-system-application-default:
+        close: 30
-      close: 30
+        delete: 365
-      delete: 365
+      logs-system-application-default:
-    logs-system-security-default:
+        close: 30
-      close: 30
+        delete: 365
-      delete: 365
+      logs-system-security-default:
-    logs-system-system-default:
+        close: 30
-      close: 30
+        delete: 365
-      delete: 365
+      logs-system-system-default:
-    logs-system-syslog-default:
+        close: 30
-      close: 30
+        delete: 365
-      delete: 365
+      logs-system-syslog-default:
-    logs-windows-powershell-default:
+        close: 30
-      close: 30
+        delete: 365
-      delete: 365
+      logs-windows-powershell-default:
-    logs-windows-sysmon_operational-default:
+        close: 30
-      close: 30
+        delete: 365
-      delete: 365
+      logs-windows-sysmon_operational-default:
-    so-beats:
+        close: 30
-      close: 30
+        delete: 365
-      delete: 365
+      so-beats:
-    so-elasticsearch:
+        close: 30
-      close: 30
+        delete: 365
-      delete: 365
+      so-elasticsearch:
-    so-firewall:
+        close: 30
-      close: 30
+        delete: 365
-      delete: 365
+      so-firewall:
-    so-ids:
+        close: 30
-      close: 30
+        delete: 365
-      delete: 365
+      so-ids:
-    so-import:
+        close: 30
-      close: 73000
+        delete: 365
-      delete: 73001
+      so-import:
-    so-kratos:
+        close: 73000
-      close: 30
+        delete: 73001
-      delete: 365
+      so-kratos:
-    so-kibana:
+        close: 30
-      close: 30
+        delete: 365
-      delete: 365
+      so-kibana:
-    so-logstash:
+        close: 30
-      close: 30
+        delete: 365
-      delete: 365
+      so-logstash:
-    so-netflow:
+        close: 30
-      close: 30
+        delete: 365
-      delete: 365
+      so-netflow:
-    so-osquery:
+        close: 30
-      close: 30
+        delete: 365
-      delete: 365
+      so-osquery:
-    so-ossec:
+        close: 30
-      close: 30
+        delete: 365
-      delete: 365
+      so-ossec:
-    so-redis:
+        close: 30
-      close: 30
+        delete: 365
-      delete: 365
+      so-redis:
-    so-strelka:
+        close: 30
-      close: 30
+        delete: 365
-      delete: 365
+      so-strelka:
-    so-syslog:
+        close: 30
-      close: 30
+        delete: 365
-      delete: 365
+      so-syslog:
-    so-zeek:
+        close: 30
-      close: 30
+        delete: 365
-      delete: 365
+      so-zeek:
+        close: 30
+        delete: 365

salt/curator/disabled.sls

@@ -0,0 +1,35 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls.split('.')[0] in allowed_states %}
+
+include:
+  - curator.sostatus
+  
+so-curator:
+  docker_container.absent:
+    - force: True
+
+so-curator_so-status.disabled:
+  file.comment:
+    - name: /opt/so/conf/so-status/so-status.conf
+    - regex: ^so-curator$
+
+so-curator-cluster-close:
+  cron.absent:
+    - identifier: so-curator-cluster-close
+
+so-curator-cluster-delete:
+  cron.absent:
+    - identifier: so-curator-cluster-delete
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+  test.fail_without_changes:
+    - name: {{sls}}_state_not_allowed
+
+{% endif %}

salt/curator/enabled.sls

@@ -0,0 +1,88 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls.split('.')[0] in allowed_states %}
+{%   from 'vars/globals.map.jinja' import GLOBALS %}
+{%   from 'docker/docker.map.jinja' import DOCKER %}
+
+include:
+  - curator.config
+  - curator.sostatus
+
+so-curator:
+  docker_container.running:
+    - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-curator:{{ GLOBALS.so_version }}
+    - start: True
+    - hostname: curator
+    - name: so-curator
+    - user: curator
+    - networks:
+      - sobridge:
+        - ipv4_address: {{ DOCKER.containers['so-curator'].ip }}
+    - interactive: True
+    - tty: True
+    - binds:
+      - /opt/so/conf/curator/curator.yml:/etc/curator/config/curator.yml:ro
+      - /opt/so/conf/curator/action/:/etc/curator/action:ro
+      - /opt/so/log/curator:/var/log/curator:rw
+      {% if DOCKER.containers['so-curator'].custom_bind_mounts %}
+        {% for BIND in DOCKER.containers['so-curator'].custom_bind_mounts %}
+      - {{ BIND }}
+        {% endfor %}
+      {% endif %}
+      {% if DOCKER.containers['so-curator'].extra_hosts %}
+    - extra_hosts:
+        {% for XTRAHOST in DOCKER.containers['so-curator'].extra_hosts %}
+      - {{ XTRAHOST }}
+        {% endfor %}
+      {% endif %}
+      {% if DOCKER.containers['so-curator'].extra_env %}
+    - environment:
+        {% for XTRAENV in DOCKER.containers['so-curator'].extra_env %}
+      - {{ XTRAENV }}
+        {% endfor %}
+      {% endif %}
+    - require:
+      - file: actionconfs
+      - file: curconf
+      - file: curlogdir
+    - watch:
+      - file: curconf
+
+delete_so-curator_so-status.disabled:
+  file.uncomment:
+    - name: /opt/so/conf/so-status/so-status.conf
+    - regex: ^so-curator$
+
+so-curator-cluster-close:
+  cron.present:
+    - name: /usr/sbin/so-curator-cluster-close > /opt/so/log/curator/cron-close.log 2>&1
+    - identifier: so-curator-cluster-close
+    - user: root
+    - minute: '2'
+    - hour: '*/1'
+    - daymonth: '*'
+    - month: '*'
+    - dayweek: '*'
+
+so-curator-cluster-delete:
+  cron.present:
+    - name: /usr/sbin/so-curator-cluster-delete > /opt/so/log/curator/cron-cluster-delete.log 2>&1
+    - identifier: so-curator-cluster-delete
+    - user: root
+    - minute: '*/5'
+    - hour: '*'
+    - daymonth: '*'
+    - month: '*'
+    - dayweek: '*'
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+  test.fail_without_changes:
+    - name: {{sls}}_state_not_allowed
+
+{% endif %}

salt/curator/files/curator.yml

@@ -4,9 +4,9 @@
 # Elastic License 2.0.
 
 {% from 'vars/globals.map.jinja' import GLOBALS %}
-{% if grains['role'] in ['so-searchnode', 'so-heavynode'] %}
+{% if GLOBALS.role in ['so-searchnode', 'so-heavynode'] %}
   {%- set elasticsearch = GLOBALS.node_ip -%}
-{% elif grains['role'] in ['so-eval', 'so-managersearch', 'so-standalone', 'so-manager'] %}
+{% elif GLOBALS.role in ['so-eval', 'so-managersearch', 'so-standalone', 'so-manager'] %}
   {%- set elasticsearch = GLOBALS.manager_ip -%}
 {%- endif %}
 {%-   set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %}
@@ -30,10 +30,8 @@ elasticsearch:
       id:
       api_key:
     master_only: False
-{%- if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %}
     username: "{{ ES_USER }}"
     password: "{{ ES_PASS }}"
-{%- endif %}
 
 logging:
   loglevel: INFO

salt/curator/init.sls

@@ -3,155 +3,11 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 
-{% from 'allowed_states.map.jinja' import allowed_states %}
+{% from 'curator/map.jinja' import CURATORMERGED %}
-{% if sls in allowed_states %}
-{% from 'vars/globals.map.jinja' import GLOBALS %}
-{% from 'docker/docker.map.jinja' import DOCKER %}
-{% from "curator/map.jinja" import CURATOROPTIONS %}
-{% from "curator/map.jinja" import CURATORMERGED %}
-{% set REMOVECURATORCRON = False %}
-
-# Curator
-# Create the group
-curatorgroup:
-  group.present:
-    - name: curator
-    - gid: 934
-
-# Add user
-curator:
-  user.present:
-    - uid: 934
-    - gid: 934
-    - home: /opt/so/conf/curator
-    - createhome: False
-
-# Create the log directory
-curlogdir:
-  file.directory:
-    - name: /opt/so/log/curator
-    - user: 934
-    - group: 939
-
-curactiondir:
-  file.directory:
-    - name: /opt/so/conf/curator/action
-    - user: 934
-    - group: 939
-    - makedirs: True
-
-actionconfs:
-  file.recurse:
-    - name: /opt/so/conf/curator/action
-    - source: salt://curator/files/action
-    - user: 934
-    - group: 939
-    - template: jinja
-    - defaults:
-        CURATORMERGED: {{ CURATORMERGED }}
-        
-curconf:
-  file.managed:
-    - name: /opt/so/conf/curator/curator.yml
-    - source: salt://curator/files/curator.yml
-    - user: 934
-    - group: 939
-    - mode: 660
-    - template: jinja
-    - show_changes: False
-
-curclusterclose: 
-  file.managed:
-    - name: /usr/sbin/so-curator-cluster-close
-    - source: salt://curator/files/bin/so-curator-cluster-close
-    - user: 934
-    - group: 939
-    - mode: 755
-    - template: jinja
-
-curclusterdelete:
-  file.managed:
-    - name: /usr/sbin/so-curator-cluster-delete
-    - source: salt://curator/files/bin/so-curator-cluster-delete
-    - user: 934
-    - group: 939
-    - mode: 755
-
-curclusterdeletedelete:
-  file.managed:
-    - name: /usr/sbin/so-curator-cluster-delete-delete
-    - source: salt://curator/files/bin/so-curator-cluster-delete-delete
-    - user: 934
-    - group: 939
-    - mode: 755
-    - template: jinja
-
-so-curator:
-  docker_container.{{ CURATOROPTIONS.status }}:
-    - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-curator:{{ GLOBALS.so_version }}
-    - start: {{ CURATOROPTIONS.start }}
-    - hostname: curator
-    - name: so-curator
-    - user: curator
-    - networks:
-      - sobridge:
-        - ipv4_address: {{ DOCKER.containers['so-curator'].ip }}
-    - interactive: True
-    - tty: True
-    - binds:
-      - /opt/so/conf/curator/curator.yml:/etc/curator/config/curator.yml:ro
-      - /opt/so/conf/curator/action/:/etc/curator/action:ro
-      - /opt/so/log/curator:/var/log/curator:rw
-    - require:
-      - file: actionconfs
-      - file: curconf
-      - file: curlogdir
-    - watch:
-      - file: curconf
-
-append_so-curator_so-status.conf:
-  file.append:
-    - name: /opt/so/conf/so-status/so-status.conf
-    - text: so-curator
-    - unless: grep -q so-curator /opt/so/conf/so-status/so-status.conf
-  {% if not CURATOROPTIONS.start %}
-so-curator_so-status.disabled:
-  file.comment:
-    - name: /opt/so/conf/so-status/so-status.conf
-    - regex: ^so-curator$
-  {% else %}
-delete_so-curator_so-status.disabled:
-  file.uncomment:
-    - name: /opt/so/conf/so-status/so-status.conf
-    - regex: ^so-curator$
-  {% endif %}
-
-so-curator-cluster-close:
-  cron.present:
-    - name: /usr/sbin/so-curator-cluster-close > /opt/so/log/curator/cron-close.log 2>&1
-    - identifier: so-curator-cluster-close
-    - user: root
-    - minute: '2'
-    - hour: '*/1'
-    - daymonth: '*'
-    - month: '*'
-    - dayweek: '*'
-
-so-curator-cluster-delete:
-  cron.present:
-    - name: /usr/sbin/so-curator-cluster-delete > /opt/so/log/curator/cron-cluster-delete.log 2>&1
-    - identifier: so-curator-cluster-delete
-    - user: root
-    - minute: '*/5'
-    - hour: '*'
-    - daymonth: '*'
-    - month: '*'
-    - dayweek: '*'
 
+include:
+{% if CURATORMERGED.enabled %}
+  - curator.enabled
 {% else %}
-
+  - curator.disabled
-{{sls}}_state_not_allowed:
-  test.fail_without_changes:
-    - name: {{sls}}_state_not_allowed
-
 {% endif %}

salt/curator/map.jinja

@@ -1,18 +1,7 @@
-{% set CURATOROPTIONS = {} %}
+{# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-{% set ENABLED = salt['pillar.get']('curator:enabled', True) %}
+   or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
-{% do CURATOROPTIONS.update({'manage_sostatus': True}) %}
+   https://securityonion.net/license; you may not use this file except in compliance with the
-
+   Elastic License 2.0. #}
-# don't start the docker container if curator is disabled via pillar
-{% if not ENABLED %}
-  {% do CURATOROPTIONS.update({'start': False}) %}
-  {% do CURATOROPTIONS.update({'status': 'absent'}) %}
-  {% if (TRUECLUSTER and grains.id.split('_')|last == 'searchnode') or (not TRUECLUSTER and grains.id.split('_')|last == 'manager') %}
-    {% do CURATOROPTIONS.update({'manage_sostatus': False}) %}
-  {% endif %}
-{% else %}
-  {% do CURATOROPTIONS.update({'start': True}) %}
-  {% do CURATOROPTIONS.update({'status': 'running'}) %}
-{% endif %}
 
 {% import_yaml 'curator/defaults.yaml' as CURATORDEFAULTS %}
-{% set CURATORMERGED = salt['pillar.get']('elasticsearch:index_settings', CURATORDEFAULTS.elasticsearch.index_settings, merge=true) %}
+{% set CURATORMERGED = salt['pillar.get']('curator', CURATORDEFAULTS.curator, merge=true) %}

salt/curator/soc_curator.yaml

@@ -0,0 +1,108 @@
+curator:
+  enabled:
+    description: You can enable or disable Curator.
+    helpLink: curator.html
+  elasticsearch:
+    index_settings:
+      logs-import-so:
+        close: &close
+          description: Age, in days, when Curator closes the index.
+          helpLink: curator.html
+          forcedType: int
+        delete: &delete
+          description: Age, in days, when Curator deletes the index.
+          helpLink: curator.html
+          forcedType: int
+      logs-strelka-so:
+        close: *close
+        delete: *delete
+      logs-suricata-so:
+        close: *close
+        delete: *delete
+      logs-syslog-so:
+        close: *close
+        delete: *delete
+      logs-zeek-so:
+        close: *close
+        delete: *delete
+      logs-elastic_agent-metricbeat-default:
+        close: *close
+        delete: *delete
+      logs-elastic_agent-osquerybeat-default:
+        close: *close
+        delete: *delete
+      logs-elastic_agent-fleet_server-default:
+        close: *close
+        delete: *delete
+      logs-elastic_agent-filebeat-default:
+        close: *close
+        delete: *delete
+      logs-elastic_agent-default:
+        close: *close
+        delete: *delete
+      logs-system-auth-default:
+        close: *close
+        delete: *delete
+      logs-system-application-default:
+        close: *close
+        delete: *delete
+      logs-system-security-default:
+        close: *close
+        delete: *delete
+      logs-system-system-default:
+        close: *close
+        delete: *delete
+      logs-system-syslog-default:
+        close: *close
+        delete: *delete
+      logs-windows-powershell-default:
+        close: *close
+        delete: *delete
+      logs-windows-sysmon_operational-default:
+        close: *close
+        delete: *delete
+      so-beats:
+        close: *close
+        delete: *delete
+      so-elasticsearch:
+        close: *close
+        delete: *delete
+      so-firewall:
+        close: *close
+        delete: *delete
+      so-ids:
+        close: *close
+        delete: *delete
+      so-import:
+        close: *close
+        delete: *delete
+      so-kratos:
+        close: *close
+        delete: *delete
+      so-kibana:
+        close: *close
+        delete: *delete
+      so-logstash:
+        close: *close
+        delete: *delete
+      so-netflow:
+        close: *close
+        delete: *delete
+      so-osquery:
+        close: *close
+        delete: *delete
+      so-ossec:
+        close: *close
+        delete: *delete
+      so-redis:
+        close: *close
+        delete: *delete
+      so-strelka:
+        close: *close
+        delete: *delete
+      so-syslog:
+        close: *close
+        delete: *delete
+      so-zeek:
+        close: *close
+        delete: *delete

salt/curator/sostatus.sls

@@ -0,0 +1,21 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls.split('.')[0] in allowed_states %}
+
+append_so-curator_so-status.conf:
+  file.append:
+    - name: /opt/so/conf/so-status/so-status.conf
+    - text: so-curator
+    - unless: grep -q so-curator /opt/so/conf/so-status/so-status.conf
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+  test.fail_without_changes:
+    - name: {{sls}}_state_not_allowed
+
+{% endif %}

salt/curator/tools/sbin_jinja/so-curator-cluster-delete-delete

@@ -10,44 +10,58 @@
 {%- set RETENTION = salt['pillar.get']('elasticsearch:retention', ELASTICDEFAULTS.elasticsearch.retention, merge=true) -%}
 
 LOG="/opt/so/log/curator/so-curator-cluster-delete.log"
-LOG_SIZE_LIMIT=$(/usr/sbin/so-elasticsearch-cluster-space-total {{ RETENTION.retention_pct}})
+ALERT_LOG="/opt/so/log/curator/alert.log"
+LOG_SIZE_LIMIT_GB=$(/usr/sbin/so-elasticsearch-cluster-space-total {{ RETENTION.retention_pct}})
+LOG_SIZE_LIMIT=$(( "$LOG_SIZE_LIMIT_GB" * 1000 * 1000 * 1000 ))
+ITERATION=0
+MAX_ITERATIONS=10
 
 overlimit() {
-         [[ $(/usr/sbin/so-elasticsearch-cluster-space-used) -gt "${LOG_SIZE_LIMIT}" ]]
+         [[ $(/usr/sbin/so-elasticsearch-cluster-space-used) -gt ${LOG_SIZE_LIMIT} ]]
 }
 
-# Check to see if Elasticsearch indices using more disk space than LOG_SIZE_LIMIT
+###########################
-# Closed indices will be deleted first. If we are able to bring disk space under LOG_SIZE_LIMIT, we will break out of the loop.
+# Check for 2 conditions: #
-while overlimit; do
+###########################
+# 1. Check if Elasticsearch indices are using more disk space than LOG_SIZE_LIMIT
+# 2. Check if the maximum number of iterations - MAX_ITERATIONS - has been exceeded. If so, exit.
+# Closed indices will be deleted first. If we are able to bring disk space under LOG_SIZE_LIMIT, or the number of iterations has exceeded the maximum allowed number of iterations, we will break out of the loop.
+
+while overlimit && [[ $ITERATION -lt $MAX_ITERATIONS ]]; do
+
   # If we can't query Elasticsearch, then immediately return false.
   /usr/sbin/so-elasticsearch-query _cat/indices?h=index,status > /dev/null 2>&1
   [ $? -eq 1 ] && echo "$(date) - Could not query Elasticsearch." >> ${LOG} && exit
+
   # We iterate through the closed and open indices
-  CLOSED_INDICES=$(/usr/sbin/so-elasticsearch-query _cat/indices?h=index,status | grep 'close$' | awk '{print $1}' | grep -v "so-case" | grep -E "(logstash-|so-|.ds-logs-)" | sort -t- -k3)
+  CLOSED_INDICES=$(/usr/sbin/so-elasticsearch-query _cat/indices?h=index,status | grep 'close$' | awk '{print $1}' | grep -vE "playbook|so-case" | grep -E "(logstash-|so-|.ds-logs-)" | sort -t- -k3)
-  OPEN_INDICES=$(/usr/sbin/so-elasticsearch-query _cat/indices?h=index,status | grep 'open$' | awk '{print $1}' | grep -v "so-case" | grep -E "(logstash-|so-|.ds-logs-)" | sort -t- -k3)
+  OPEN_INDICES=$(/usr/sbin/so-elasticsearch-query _cat/indices?h=index,status | grep 'open$' | awk '{print $1}' | grep -vE "playbook|so-case" | grep -E "(logstash-|so-|.ds-logs-)" | sort -t- -k3)
-	for INDEX in ${CLOSED_INDICES} ${OPEN_INDICES}; do
+
-	  # Now that we've sorted the indices from oldest to newest, we need to check each index to see if it is assigned as the current write index for a data stream
+  for INDEX in ${CLOSED_INDICES} ${OPEN_INDICES}; do
+    # Now that we've sorted the indices from oldest to newest, we need to check each index to see if it is assigned as the current write index for a data stream
     # To do so, we need to identify to which data stream this index is associated
     # We extract the data stream name using the pattern below
     DATASTREAM_PATTERN="logs-[a-zA-Z_.]+-[a-zA-Z_.]+"
     DATASTREAM=$(echo "${INDEX}" | grep -oE "$DATASTREAM_PATTERN")
     # We look up the data stream, and determine the write index. If there is only one backing index, we delete the entire data stream
-	  BACKING_INDICES=$(/usr/sbin/so-elasticsearch-query _data_stream/${DATASTREAM} | jq -r '.data_streams[0].indices | length')
+    BACKING_INDICES=$(/usr/sbin/so-elasticsearch-query _data_stream/${DATASTREAM} | jq -r '.data_streams[0].indices | length')
-	  if [ "$BACKING_INDICES" -gt 1 ]; then
+    if [ "$BACKING_INDICES" -gt 1 ]; then
       CURRENT_WRITE_INDEX=$(/usr/sbin/so-elasticsearch-query _data_stream/$DATASTREAM | jq -r .data_streams[0].indices[-1].index_name)
-	    # We make sure we are not trying to delete a write index
+      # We make sure we are not trying to delete a write index
       if [ "${INDEX}" != "${CURRENT_WRITE_INDEX}" ]; then
         # This should not be a write index, so we should be allowed to delete it
-        printf "\n$(date) - Used disk space exceeds LOG_SIZE_LIMIT (${LOG_SIZE_LIMIT} GB) - Deleting ${INDEX} index...\n" >> ${LOG}
+        printf "\n$(date) - Used disk space exceeds LOG_SIZE_LIMIT (${LOG_SIZE_LIMIT_GB} GB) - Deleting ${INDEX} index...\n" >> ${LOG}
         /usr/sbin/so-elasticsearch-query ${INDEX} -XDELETE >> ${LOG} 2>&1
       fi
-	  else
+    fi
-      # We delete the entire data stream, since there is only one backing index
+    if ! overlimit ; then
-	    printf "\n$(date) - Used disk space exceeds LOG_SIZE_LIMIT (${LOG_SIZE_LIMIT} GB) - Deleting ${DATASTREAM} data stream...\n" >> ${LOG}
-      /usr/sbin/so-elasticsearch-query _data_stream/${DATASTREAM} -XDELETE >> ${LOG} 2>&1
-	  fi
-    if ! overlimit; then
       exit
     fi
+    ((ITERATION++))
   done
+    if [[ $ITERATION -ge $MAX_ITERATIONS ]]; then
+      alert_id=$(uuidgen)
+      printf "\n$(date) -> Maximum iteration limit reached ($MAX_ITERATIONS). Unable to bring disk below threshold. Writing alert ($alert_id) to ${ALERT_LOG}\n" >> ${LOG}
+      printf "\n$(date),$alert_id,Maximum iteration limit reached ($MAX_ITERATIONS). Unable to bring disk below threshold.\n" >> ${ALERT_LOG}
+    fi
 done

salt/docker/defaults.yaml

@@ -8,30 +8,51 @@ docker:
       final_octet: 20
       port_bindings:
         - 0.0.0.0:5000:5000
+      custom_bind_mounts: []
+      extra_hosts: []
+      extra_env: []
     'so-elastic-fleet':
       final_octet: 21
       port_bindings:
         - 0.0.0.0:8220:8220/tcp
+      custom_bind_mounts: []
+      extra_hosts: []
+      extra_env: []
     'so-elasticsearch':
       final_octet: 22
       port_bindings:
         - 0.0.0.0:9200:9200/tcp
         - 0.0.0.0:9300:9300/tcp
+      custom_bind_mounts: []
+      extra_hosts: []
+      extra_env: []
     'so-idstools':
       final_octet: 25
+      custom_bind_mounts: []
+      extra_hosts: []
+      extra_env: []
     'so-influxdb':
       final_octet: 26
       port_bindings:
         - 0.0.0.0:8086:8086
+      custom_bind_mounts: []
+      extra_hosts: []
+      extra_env: []
     'so-kibana':
       final_octet: 27
       port_bindings:
         - 0.0.0.0:5601:5601
+      custom_bind_mounts: []
+      extra_hosts: []
+      extra_env: []
     'so-kratos':
       final_octet: 28
       port_bindings:
         - 0.0.0.0:4433:4433
         - 0.0.0.0:4434:4434
+      custom_bind_mounts: []
+      extra_hosts: []
+      extra_env: []
     'so-logstash':
       final_octet: 29
       port_bindings:
@@ -45,57 +66,135 @@ docker:
         - 0.0.0.0:6052:6052
         - 0.0.0.0:6053:6053
         - 0.0.0.0:9600:9600
+      custom_bind_mounts: []
+      extra_hosts: []
+      extra_env: []
     'so-mysql':
       final_octet: 30
       port_bindings:
         - 0.0.0.0:3306:3306
+      custom_bind_mounts: []
+      extra_hosts: []
+      extra_env: []
     'so-nginx':
       final_octet: 31
       port_bindings:
         - 80:80
         - 443:443
+        - 8443:8443
+        - 7788:7788
+      custom_bind_mounts: []
+      extra_hosts: []
+      extra_env: []
     'so-playbook':
       final_octet: 32
       port_bindings:
         - 0.0.0.0:3000:3000
+      custom_bind_mounts: []
+      extra_hosts: []
+      extra_env: []
     'so-redis':
       final_octet: 33
       port_bindings:
         - 0.0.0.0:6379:6379
         - 0.0.0.0:9696:9696
+      custom_bind_mounts: []
+      extra_hosts: []
+      extra_env: []
+    'so-sensoroni':
+      final_octet: 99
+      custom_bind_mounts: []
+      extra_hosts: []
+      extra_env: []
     'so-soc':
       final_octet: 34
       port_bindings:
         - 0.0.0.0:9822:9822
+      custom_bind_mounts: []
+      extra_hosts: []
+      extra_env: []
     'so-soctopus':
       final_octet: 35
       port_bindings:
         - 0.0.0.0:7000:7000
+      custom_bind_mounts: []
+      extra_hosts: []
+      extra_env: []
     'so-strelka-backend':
       final_octet: 36
+      custom_bind_mounts: []
+      extra_hosts: []
+      extra_env: []
     'so-strelka-filestream':
       final_octet: 37
+      custom_bind_mounts: []
+      extra_hosts: []
+      extra_env: []
     'so-strelka-frontend':
       final_octet: 38
       port_bindings:
         - 0.0.0.0:57314:57314
+      custom_bind_mounts: []
+      extra_hosts: []
+      extra_env: []
     'so-strelka-manager':
       final_octet: 39
+      custom_bind_mounts: []
+      extra_hosts: []
+      extra_env: []
     'so-strelka-gatekeeper':
       final_octet: 40
       port_bindings:
         - 0.0.0.0:6381:6379
+      custom_bind_mounts: []
+      extra_hosts: []
+      extra_env: []
     'so-strelka-coordinator':
       final_octet: 41
       port_bindings:
         - 0.0.0.0:6380:6379
+      custom_bind_mounts: []
+      extra_hosts: []
+      extra_env: []
     'so-elastalert':
       final_octet: 42
+      custom_bind_mounts: []
+      extra_hosts: []
+      extra_env: []
     'so-curator':
       final_octet: 43
+      custom_bind_mounts: []
+      extra_hosts: []
+      extra_env: []
     'so-elastic-fleet-package-registry':
       final_octet: 44
       port_bindings:
         - 0.0.0.0:8080:8080/tcp
+      custom_bind_mounts: []
+      extra_hosts: []
+      extra_env: []
     'so-idh':
       final_octet: 45
+      custom_bind_mounts: []
+      extra_hosts: []
+      extra_env: []
+    'so-telegraf':
+      final_octet: 99
+      custom_bind_mounts: []
+      extra_hosts: []
+      extra_env: []
+    'so-steno':
+      final_octet: 99
+      custom_bind_mounts: []
+      extra_hosts: []
+      extra_env: []
+    'so-suricata':
+      final_octet: 99
+      custom_bind_mounts: []
+      extra_hosts: []
+      extra_env: []
+    'so-zeek':
+      final_octet: 99
+      custom_bind_mounts: []
+      extra_hosts: []
+      extra_env: []

salt/docker/init.sls

@@ -26,10 +26,10 @@ dockerheldpackages:
 dockerheldpackages:
   pkg.installed:
     - pkgs:
-      - containerd.io: 1.6.18-3.1.el9
+      - containerd.io: 1.6.20-3.1.el9
-      - docker-ce: 23.0.1-1.el9
+      - docker-ce: 23.0.5-1.el9
-      - docker-ce-cli: 23.0.1-1.el9
+      - docker-ce-cli: 23.0.5-1.el9
-      - docker-ce-rootless-extras: 23.0.1-1.el9
+      - docker-ce-rootless-extras: 23.0.5-1.el9
     - hold: True
     - update_holds: True
 {% endif %}

salt/docker/soc_docker.yaml

@@ -28,6 +28,24 @@ docker:
         helpLink: docker.html
         advanced: True
         multiline: True
+      custom_bind_mounts:
+        description: List of custom local volume bindings.
+        advanced: True
+        helpLink: docker.html
+        multiline: True
+        forcedType: "[]string"
+      extra_hosts:
+        description: List of additional host entries for the container.
+        advanced: True
+        helpLink: docker.html
+        multiline: True
+        forcedType: "[]string"
+      extra_env:
+        description: List of additional ENV entries for the container.
+        advanced: True
+        helpLink: docker.html
+        multiline: True
+        forcedType: "[]string"
     so-dockerregistry: *dockerOptions
     so-elastalert: *dockerOptions
     so-elastic-fleet-package-registry: *dockerOptions

salt/elastalert/config.sls

@@ -0,0 +1,103 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls.split('.')[0] in allowed_states %}
+
+{%   from 'elastalert/map.jinja' import ELASTALERTMERGED %}
+
+# Create the group
+elastagroup:
+  group.present:
+    - name: elastalert
+    - gid: 933
+
+# Add user
+elastalert:
+  user.present:
+    - uid: 933
+    - gid: 933
+    - home: /opt/so/conf/elastalert
+    - createhome: False
+
+elastalogdir:
+  file.directory:
+    - name: /opt/so/log/elastalert
+    - user: 933
+    - group: 933
+    - makedirs: True
+
+elastalert_sbin:
+  file.recurse:
+    - name: /usr/sbin
+    - source: salt://elastalert/tools/sbin
+    - user: 933
+    - group: 939
+    - file_mode: 755
+
+#elastalert_sbin_jinja:
+#  file.recurse:
+#    - name: /usr/sbin
+#    - source: salt://elastalert/tools/sbin_jinja
+#    - user: 933
+#    - group: 939 
+#    - file_mode: 755
+#    - template: jinja
+
+elastarules:
+  file.directory:
+    - name: /opt/so/rules/elastalert
+    - user: 933
+    - group: 933
+    - makedirs: True
+
+elastaconfdir:
+  file.directory:
+    - name: /opt/so/conf/elastalert
+    - user: 933
+    - group: 933
+    - makedirs: True
+
+elastasomodulesdir:
+  file.directory:
+    - name: /opt/so/conf/elastalert/modules/so
+    - user: 933
+    - group: 933
+    - makedirs: True
+
+elastacustmodulesdir:
+  file.directory:
+    - name: /opt/so/conf/elastalert/modules/custom
+    - user: 933
+    - group: 933
+    - makedirs: True
+
+elastasomodulesync:
+  file.recurse:
+    - name: /opt/so/conf/elastalert/modules/so
+    - source: salt://elastalert/files/modules/so
+    - user: 933
+    - group: 933
+    - makedirs: True
+
+elastaconf:
+  file.managed:
+    - name: /opt/so/conf/elastalert/elastalert_config.yaml
+    - source: salt://elastalert/files/elastalert_config.yaml.jinja
+    - context:
+        elastalert_config: {{ ELASTALERTMERGED.config }}
+    - user: 933
+    - group: 933
+    - mode: 660
+    - template: jinja
+    - show_changes: False
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+  test.fail_without_changes:
+    - name: {{sls}}_state_not_allowed
+
+{% endif %}

salt/elastalert/defaults.yaml

@@ -1,4 +1,5 @@
 elastalert:
+  enabled: False
   config:
     rules_folder: /opt/elastalert/rules/
     scan_subdirectories: true
@@ -12,9 +13,10 @@ elastalert:
     es_port: 9200
     es_conn_timeout: 55
     max_query_size: 5000
+    eql: true
     use_ssl: true
     verify_certs: false
-    writeback_index: elastalert_status
+    writeback_index: elastalert
     alert_time_limit:
       days: 2
     index_settings:

salt/elastalert/disabled.sls

@@ -0,0 +1,27 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls.split('.')[0] in allowed_states %}
+
+include:
+  - elastalert.sostatus
+  
+so-elastalert:
+  docker_container.absent:
+    - force: True
+
+so-elastalert_so-status.disabled:
+  file.comment:
+    - name: /opt/so/conf/so-status/so-status.conf
+    - regex: ^so-elastalert$
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+  test.fail_without_changes:
+    - name: {{sls}}_state_not_allowed
+
+{% endif %}

salt/elastalert/elastalert_config.map.jinja

@@ -1,11 +0,0 @@
-{% from 'vars/globals.map.jinja' import GLOBALS %}
-{% import_yaml 'elastalert/defaults.yaml' as ELASTALERT %}
-{% set elastalert_pillar = salt['pillar.get']('elastalert:config', {}) %}
-
-
-{% do ELASTALERT.elastalert.config.update({'es_host': GLOBALS.manager}) %}
-{% do ELASTALERT.elastalert.config.update({'es_username': pillar.elasticsearch.auth.users.so_elastic_user.user}) %}
-{% do ELASTALERT.elastalert.config.update({'es_password': pillar.elasticsearch.auth.users.so_elastic_user.pass}) %}
-
-{% do salt['defaults.merge'](ELASTALERT.elastalert.config, elastalert_pillar, in_place=True) %}
-

salt/elastalert/enabled.sls

@@ -0,0 +1,74 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls.split('.')[0] in allowed_states %}
+{%   from 'vars/globals.map.jinja' import GLOBALS %}
+{%   from 'docker/docker.map.jinja' import DOCKER %}
+
+include:
+  - elastalert.config
+  - elastalert.sostatus
+
+wait_for_elasticsearch:
+  cmd.run:
+    - name: so-elasticsearch-wait
+
+so-elastalert:
+  docker_container.running:
+    - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-elastalert:{{ GLOBALS.so_version }}
+    - hostname: elastalert
+    - name: so-elastalert
+    - user: so-elastalert
+    - networks:
+      - sobridge:
+        - ipv4_address: {{ DOCKER.containers['so-elastalert'].ip }}
+    - detach: True
+    - binds:
+      - /opt/so/rules/elastalert:/opt/elastalert/rules/:ro
+      - /opt/so/log/elastalert:/var/log/elastalert:rw
+      - /opt/so/conf/elastalert/modules/:/opt/elastalert/modules/:ro
+      - /opt/so/conf/elastalert/elastalert_config.yaml:/opt/elastalert/config.yaml:ro
+      {% if DOCKER.containers['so-elastalert'].custom_bind_mounts %}
+        {% for BIND in DOCKER.containers['so-elastalert'].custom_bind_mounts %}
+      - {{ BIND }}
+        {% endfor %}
+      {% endif %}
+    - extra_hosts:
+      - {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }}
+      {% if DOCKER.containers['so-elastalert'].extra_hosts %}
+        {% for XTRAHOST in DOCKER.containers['so-elastalert'].extra_hosts %}
+      - {{ XTRAHOST }}
+        {% endfor %}
+      {% endif %}
+      {% if DOCKER.containers['so-elastalert'].extra_env %}
+    - environment:
+        {% for XTRAENV in DOCKER.containers['so-elastalert'].extra_env %}
+      - {{ XTRAENV }}
+        {% endfor %}
+      {% endif %}
+    - require:
+      - cmd: wait_for_elasticsearch
+      - file: elastarules
+      - file: elastalogdir
+      - file: elastacustmodulesdir
+      - file: elastaconf
+    - watch:
+      - file: elastaconf
+    - onlyif:
+      - "so-elasticsearch-query / | jq -r '.version.number[0:1]' | grep -q 8" {# only run this state if elasticsearch is version 8 #}
+
+delete_so-elastalert_so-status.disabled:
+  file.uncomment:
+    - name: /opt/so/conf/so-status/so-status.conf
+    - regex: ^so-elastalert$
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+  test.fail_without_changes:
+    - name: {{sls}}_state_not_allowed
+
+{% endif %}

salt/elastalert/files/modules/so/playbook-es.py

@@ -31,7 +31,7 @@ class PlaybookESAlerter(Alerter):
                 creds = (self.rule['es_username'], self.rule['es_password'])
 
             payload = {"rule": { "name": self.rule['play_title'],"case_template": self.rule['play_id'],"uuid": self.rule['play_id'],"category": self.rule['rule.category']},"event":{ "severity": self.rule['event.severity'],"module": self.rule['event.module'],"dataset": self.rule['event.dataset'],"severity_label": self.rule['sigma_level']},"kibana_pivot": self.rule['kibana_pivot'],"soc_pivot": self.rule['soc_pivot'],"play_url": self.rule['play_url'],"sigma_level": self.rule['sigma_level'],"event_data": match, "@timestamp": timestamp}
-            url = f"https://{self.rule['es_host']}:{self.rule['es_port']}/so-playbook-alerts-{today}/_doc/"
+            url = f"{self.rule['es_hosts']}/so-playbook-alerts-{today}/_doc/"
             requests.post(url, data=json.dumps(payload), headers=headers, verify=False, auth=creds)
                             
     def get_info(self):

salt/elastalert/init.sls

@@ -1,124 +1,13 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0; you may not use
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
-# this file except in compliance with the Elastic License 2.0.
+# https://securityonion.net/license; you may not use this file except in compliance with the
-{% from 'allowed_states.map.jinja' import allowed_states %}
+# Elastic License 2.0.
-{% if sls in allowed_states %}
 
-{% from 'vars/globals.map.jinja' import GLOBALS %}
+{% from 'elastalert/map.jinja' import ELASTALERTMERGED %}
-{% from 'docker/docker.map.jinja' import DOCKER %}
-{% from 'elastalert/elastalert_config.map.jinja' import ELASTALERT as elastalert_config with context %}
-
-# Create the group
-elastagroup:
-  group.present:
-    - name: elastalert
-    - gid: 933
-
-# Add user
-elastalert:
-  user.present:
-    - uid: 933
-    - gid: 933
-    - home: /opt/so/conf/elastalert
-    - createhome: False
-
-elastalogdir:
-  file.directory:
-    - name: /opt/so/log/elastalert
-    - user: 933
-    - group: 933
-    - makedirs: True
-
-elastarules:
-  file.directory:
-    - name: /opt/so/rules/elastalert
-    - user: 933
-    - group: 933
-    - makedirs: True
-
-elastaconfdir:
-  file.directory:
-    - name: /opt/so/conf/elastalert
-    - user: 933
-    - group: 933
-    - makedirs: True
-
-elastasomodulesdir:
-  file.directory:
-    - name: /opt/so/conf/elastalert/modules/so
-    - user: 933
-    - group: 933
-    - makedirs: True
-
-elastacustmodulesdir:
-  file.directory:
-    - name: /opt/so/conf/elastalert/modules/custom
-    - user: 933
-    - group: 933
-    - makedirs: True
-
-elastasomodulesync:
-  file.recurse:
-    - name: /opt/so/conf/elastalert/modules/so
-    - source: salt://elastalert/files/modules/so
-    - user: 933
-    - group: 933
-    - makedirs: True
-
-elastaconf:
-  file.managed:
-    - name: /opt/so/conf/elastalert/elastalert_config.yaml
-    - source: salt://elastalert/files/elastalert_config.yaml.jinja
-    - context:
-        elastalert_config: {{ elastalert_config.elastalert.config }}
-    - user: 933
-    - group: 933
-    - mode: 660
-    - template: jinja
-    - show_changes: False
-
-wait_for_elasticsearch:
-  cmd.run:
-    - name: so-elasticsearch-wait
-
-so-elastalert:
-  docker_container.running:
-    - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-elastalert:{{ GLOBALS.so_version }}
-    - hostname: elastalert
-    - name: so-elastalert
-    - user: so-elastalert
-    - networks:
-      - sobridge:
-        - ipv4_address: {{ DOCKER.containers['so-elastalert'].ip }}
-    - detach: True
-    - binds:
-      - /opt/so/rules/elastalert:/opt/elastalert/rules/:ro
-      - /opt/so/log/elastalert:/var/log/elastalert:rw
-      - /opt/so/conf/elastalert/modules/:/opt/elastalert/modules/:ro
-      - /opt/so/conf/elastalert/elastalert_config.yaml:/opt/elastalert/config.yaml:ro
-    - extra_hosts:
-      - {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }}
-    - require:
-      - cmd: wait_for_elasticsearch
-      - file: elastarules
-      - file: elastalogdir
-      - file: elastacustmodulesdir
-      - file: elastaconf
-    - watch:
-      - file: elastaconf
-    - onlyif:
-      - "so-elasticsearch-query / | jq -r '.version.number[0:1]' | grep -q 8" {# only run this state if elasticsearch is version 8 #}
-
-
-append_so-elastalert_so-status.conf:
-  file.append:
-    - name: /opt/so/conf/so-status/so-status.conf
-    - text: so-elastalert
 
+include:
+{% if ELASTALERTMERGED.enabled %}
+  - elastalert.enabled
 {% else %}
-
+  - elastalert.disabled
-{{sls}}_state_not_allowed:
-  test.fail_without_changes:
-    - name: {{sls}}_state_not_allowed
-
 {% endif %}

salt/elastalert/map.jinja

@@ -0,0 +1,15 @@
+{# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+   or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+   https://securityonion.net/license; you may not use this file except in compliance with the
+   Elastic License 2.0. #}
+   
+{% from 'vars/globals.map.jinja' import GLOBALS %}
+{% import_yaml 'elastalert/defaults.yaml' as ELASTALERTDEFAULTS %}
+{% set elastalert_pillar = salt['pillar.get']('elastalert:config', {}) %}
+
+
+{% do ELASTALERTDEFAULTS.elastalert.config.update({'es_hosts': 'https://' + GLOBALS.manager + ':' + ELASTALERTDEFAULTS.elastalert.config.es_port|string}) %}
+{% do ELASTALERTDEFAULTS.elastalert.config.update({'es_username': pillar.elasticsearch.auth.users.so_elastic_user.user}) %}
+{% do ELASTALERTDEFAULTS.elastalert.config.update({'es_password': pillar.elasticsearch.auth.users.so_elastic_user.pass}) %}
+
+{% set ELASTALERTMERGED = salt['pillar.get']('elastalert', ELASTALERTDEFAULTS.elastalert, merge=True) %}

salt/elastalert/soc_elastalert.yaml

@@ -1,4 +1,7 @@
 elastalert:
+  enabled:
+    description: You can enable or disable Elastalert.
+    helpLink: elastalert.html
   config:
     disable_rules_on_error:
       description: Disable rules on failure.

salt/elastalert/sostatus.sls

@@ -0,0 +1,21 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls.split('.')[0] in allowed_states %}
+
+append_so-elastalert_so-status.conf:
+  file.append:
+    - name: /opt/so/conf/so-status/so-status.conf
+    - text: so-elastalert
+    - unless: grep -q so-elastalert /opt/so/conf/so-status/so-status.conf
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+  test.fail_without_changes:
+    - name: {{sls}}_state_not_allowed
+
+{% endif %}

salt/elastic-fleet-package-registry/config.sls

@@ -0,0 +1,29 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls.split('.')[0] in allowed_states %}
+
+# Add Group
+elasticsagentprgroup:
+  group.present:
+    - name: elastic-agent-pr
+    - gid: 948
+
+# Add user
+elastic-agent-pr:
+  user.present:
+    - uid: 948
+    - gid: 948
+    - home: /opt/so/conf/elastic-fleet-pr
+    - createhome: False
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+  test.fail_without_changes:
+    - name: {{sls}}_state_not_allowed
+
+{% endif %}

salt/elastic-fleet-package-registry/defaults.yaml

@@ -0,0 +1,2 @@
+elastic_fleet_package_registry:
+  enabled: False

salt/elastic-fleet-package-registry/disabled.sls

@@ -0,0 +1,27 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls.split('.')[0] in allowed_states %}
+
+include:
+  - elastic-fleet-package-registry.sostatus
+  
+so-elastic-fleet-package-registry:
+  docker_container.absent:
+    - force: True
+
+so-elastic-fleet-package-registry_so-status.disabled:
+  file.comment:
+    - name: /opt/so/conf/so-status/so-status.conf
+    - regex: ^so-elastic-fleet-package-registry$
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+  test.fail_without_changes:
+    - name: {{sls}}_state_not_allowed
+
+{% endif %}

salt/elastic-fleet-package-registry/enabled.sls

@@ -0,0 +1,59 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls.split('.')[0] in allowed_states %}
+{%   from 'vars/globals.map.jinja' import GLOBALS %}
+{%   from 'docker/docker.map.jinja' import DOCKER %}
+
+include:
+  - elastic-fleet-package-registry.config
+  - elastic-fleet-package-registry.sostatus
+
+so-elastic-fleet-package-registry:
+  docker_container.running:
+    - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-elastic-fleet-package-registry:{{ GLOBALS.so_version }}
+    - name: so-elastic-fleet-package-registry
+    - hostname: Fleet-package-reg-{{ GLOBALS.hostname }}
+    - detach: True
+    - user: 948
+    - networks:
+      - sobridge:
+        - ipv4_address: {{ DOCKER.containers['so-elastic-fleet-package-registry'].ip }}
+    - extra_hosts:
+        - {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
+        {% if DOCKER.containers['so-elastic-fleet-package-registry'].extra_hosts %}
+          {% for XTRAHOST in DOCKER.containers['so-elastic-fleet-package-registry'].extra_hosts %}
+        - {{ XTRAHOST }}
+          {% endfor %}
+        {% endif %}
+    - port_bindings:
+      {% for BINDING in DOCKER.containers['so-elastic-fleet-package-registry'].port_bindings %}
+      - {{ BINDING }}
+      {% endfor %}
+    {% if DOCKER.containers['so-elastic-fleet-package-registry'].custom_bind_mounts %}
+    - binds:
+        {% for BIND in DOCKER.containers['so-elastic-fleet-package-registry'].custom_bind_mounts %}
+      - {{ BIND }}
+        {% endfor %}
+    {% endif %}
+    {% if DOCKER.containers['so-elastic-fleet-package-registry'].extra_env %}
+    - environment:
+        {% for XTRAENV in DOCKER.containers['so-elastic-fleet-package-registry'].extra_env %}
+      - {{ XTRAENV }}
+        {% endfor %}
+      {% endif %}
+delete_so-elastic-fleet-package-registry_so-status.disabled:
+  file.uncomment:
+    - name: /opt/so/conf/so-status/so-status.conf
+    - regex: ^so-elastic-fleet-package-registry$
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+  test.fail_without_changes:
+    - name: {{sls}}_state_not_allowed
+
+{% endif %}

salt/elastic-fleet-package-registry/init.sls

@@ -1,52 +1,13 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0; you may not use
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
-# this file except in compliance with the Elastic License 2.0.
+# https://securityonion.net/license; you may not use this file except in compliance with the
-{% from 'allowed_states.map.jinja' import allowed_states %}
+# Elastic License 2.0.
-{% if sls in allowed_states %}
-{% from 'vars/globals.map.jinja' import GLOBALS %}
-{% from 'docker/docker.map.jinja' import DOCKER %}
 
-# Add Group
+{% from 'elastic-fleet-package-registry/map.jinja' import ELASTICFLEETPACKAGEREGISTRYMERGED %}
-elasticsagentprgroup:
-  group.present:
-    - name: elastic-agent-pr
-    - gid: 948
-
-
-# Add user
-elastic-agent-pr:
-  user.present:
-    - uid: 948
-    - gid: 948
-    - home: /opt/so/conf/elastic-fleet-pr
-    - createhome: False
-
-so-elastic-fleet-package-registry:
-  docker_container.running:
-    - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-elastic-fleet-package-registry:{{ GLOBALS.so_version }}
-    - name: so-elastic-fleet-package-registry
-    - hostname: Fleet-package-reg-{{ GLOBALS.hostname }}
-    - detach: True
-    - user: 948
-    - networks:
-      - sobridge:
-        - ipv4_address: {{ DOCKER.containers['so-elastic-fleet-package-registry'].ip }}
-    - extra_hosts:
-        - {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
-    - port_bindings:
-      {% for BINDING in DOCKER.containers['so-elastic-fleet-package-registry'].port_bindings %}
-      - {{ BINDING }}
-      {% endfor %}
-
-append_so-elastic-fleet-package-registry_so-status.conf:
-  file.append:
-    - name: /opt/so/conf/so-status/so-status.conf
-    - text: so-elastic-fleet-package-registry
 
+include:
+{% if ELASTICFLEETPACKAGEREGISTRYMERGED.enabled %}
+  - elastic-fleet-package-registry.enabled
 {% else %}
-
+  - elastic-fleet-package-registry.disabled
-{{sls}}_state_not_allowed:
-  test.fail_without_changes:
-    - name: {{sls}}_state_not_allowed
-
 {% endif %}

salt/elastic-fleet-package-registry/map.jinja

@@ -0,0 +1,7 @@
+{# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+   or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+   https://securityonion.net/license; you may not use this file except in compliance with the
+   Elastic License 2.0. #}
+
+{% import_yaml 'elastic-fleet-package-registry/defaults.yaml' as ELASTICFLEETPACKAGEREGISTRYDEFAULTS %}
+{% set ELASTICFLEETPACKAGEREGISTRYMERGED = salt['pillar.get']('elastic_fleet_package_registry', ELASTICFLEETPACKAGEREGISTRYDEFAULTS.elastic_fleet_package_registry, merge=True) %}

salt/elastic-fleet-package-registry/soc_elastic-fleet-package-registry.yaml

@@ -0,0 +1,4 @@
+elastic_fleet_package_registry:
+  enabled:
+    description: You can enable or disable Elastic Fleet Package Registry.
+    advanced: True

salt/elastic-fleet-package-registry/sostatus.sls

@@ -0,0 +1,21 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls.split('.')[0] in allowed_states %}
+
+append_so-elastic-fleet-package-registry_so-status.conf:
+  file.append:
+    - name: /opt/so/conf/so-status/so-status.conf
+    - text: so-elastic-fleet-package-registry
+    - unless: grep -q so-elastic-fleet-package-registry /opt/so/conf/so-status/so-status.conf
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+  test.fail_without_changes:
+    - name: {{sls}}_state_not_allowed
+
+{% endif %}

salt/elasticfleet/artifact_registry.sls

@@ -0,0 +1,11 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0; you may not use
+# this file except in compliance with the Elastic License 2.0.
+
+
+fleetartifactdir:
+  file.directory:
+    - name: /nsm/elastic-fleet/artifacts
+    - user: 947
+    - group: 939
+    - makedirs: True

salt/elasticfleet/config.sls

@@ -0,0 +1,91 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% from 'vars/globals.map.jinja' import GLOBALS %}
+{% if sls.split('.')[0] in allowed_states %}
+
+# Add EA Group
+elasticsagentgroup:
+  group.present:
+    - name: elastic-agent
+    - gid: 947
+
+# Add EA user
+elastic-agent:
+  user.present:
+    - uid: 947
+    - gid: 947
+    - home: /opt/so/conf/elastic-fleet
+    - createhome: False
+
+elasticfleet_sbin:
+  file.recurse:
+    - name: /usr/sbin
+    - source: salt://elasticfleet/tools/sbin
+    - user: 947
+    - group: 939
+    - file_mode: 755
+
+elasticfleet_sbin_jinja:
+  file.recurse:
+    - name: /usr/sbin
+    - source: salt://elasticfleet/tools/sbin_jinja
+    - user: 947
+    - group: 939 
+    - file_mode: 755
+    - template: jinja
+
+eaconfdir:
+  file.directory:
+    - name: /opt/so/conf/elastic-fleet
+    - user: 947
+    - group: 939
+    - makedirs: True
+
+eastatedir:
+  file.directory:
+    - name: /opt/so/conf/elastic-fleet/state
+    - user: 947
+    - group: 939
+    - makedirs: True
+
+{%   if GLOBALS.role != "so-fleet" %}
+eaintegrationsdir:
+  file.directory:
+    - name: /opt/so/conf/elastic-fleet/integrations
+    - user: 947
+    - group: 939
+    - makedirs: True
+
+eadynamicintegration:
+  file.recurse:
+    - name: /opt/so/conf/elastic-fleet/integrations
+    - source: salt://elasticfleet/files/integrations-dynamic
+    - user: 947
+    - group: 939
+    - template: jinja
+
+eaintegration:
+  file.recurse:
+    - name: /opt/so/conf/elastic-fleet/integrations
+    - source: salt://elasticfleet/files/integrations
+    - user: 947
+    - group: 939
+
+ea-integrations-load:
+  file.absent:
+    - name: /opt/so/state/eaintegrations.txt
+    - onchanges:
+      - file: eaintegration
+      - file: eadynamicintegration
+{% endif %}
+{% else %}
+
+{{sls}}_state_not_allowed:
+  test.fail_without_changes:
+    - name: {{sls}}_state_not_allowed
+
+{% endif %}

salt/elasticfleet/defaults.yaml

@@ -0,0 +1,23 @@
+elasticfleet:
+  enabled: False
+  config:
+    server:
+      endpoints_enrollment: ''
+      es_token: ''
+      grid_enrollment: ''
+      url: ''
+  logging:
+    zeek:
+      excluded:
+        - broker
+        - capture_loss
+        - ecat_arp_info
+        - known_hosts
+        - known_services
+        - loaded_scripts
+        - ntp
+        - packet_filter
+        - reporter
+        - stats
+        - stderr
+        - stdout

salt/elasticfleet/disabled.sls

@@ -0,0 +1,27 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls.split('.')[0] in allowed_states %}
+
+include:
+  - elasticfleet.sostatus
+  
+so-elastic-fleet:
+  docker_container.absent:
+    - force: True
+
+so-elastic-fleet_so-status.disabled:
+  file.comment:
+    - name: /opt/so/conf/so-status/so-status.conf
+    - regex: ^so-elastic-fleet$
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+  test.fail_without_changes:
+    - name: {{sls}}_state_not_allowed
+
+{% endif %}

salt/elasticfleet/enabled.sls

@@ -0,0 +1,83 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls.split('.')[0] in allowed_states %}
+{%   from 'vars/globals.map.jinja' import GLOBALS %}
+{%   from 'docker/docker.map.jinja' import DOCKER %}
+{#   This value is generated during node install and stored in minion pillar #}
+{%   set SERVICETOKEN = salt['pillar.get']('elasticfleet:config:server:es_token','') %}
+
+include:
+  - elasticfleet.config
+  - elasticfleet.sostatus
+
+{%   if SERVICETOKEN != '' %}
+so-elastic-fleet:
+  docker_container.running:
+    - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-elastic-agent:{{ GLOBALS.so_version }}
+    - name: so-elastic-fleet
+    - hostname: FleetServer-{{ GLOBALS.hostname }}
+    - detach: True
+    - user: 947
+    - networks:
+      - sobridge:
+        - ipv4_address: {{ DOCKER.containers['so-elastic-fleet'].ip }}
+    - extra_hosts:
+        - {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }}
+        - {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
+        {% if DOCKER.containers['so-elastic-fleet'].extra_hosts %}
+          {% for XTRAHOST in DOCKER.containers['so-elastic-fleet'].extra_hosts %}
+        - {{ XTRAHOST }}
+          {% endfor %}
+        {% endif %}
+    - port_bindings:
+      {% for BINDING in DOCKER.containers['so-elastic-fleet'].port_bindings %}
+      - {{ BINDING }}
+      {% endfor %}
+    - binds:
+      - /etc/pki:/etc/pki:ro
+      #- /opt/so/conf/elastic-fleet/state:/usr/share/elastic-agent/state:rw
+     {% if DOCKER.containers['so-elastic-fleet'].custom_bind_mounts %}
+        {% for BIND in DOCKER.containers['so-elastic-fleet'].custom_bind_mounts %}
+      - {{ BIND }}
+        {% endfor %}
+      {% endif %}      
+    - environment:
+      - FLEET_SERVER_ENABLE=true
+      - FLEET_URL=https://{{ GLOBALS.node_ip }}:8220
+      - FLEET_SERVER_ELASTICSEARCH_HOST=https://{{ GLOBALS.manager }}:9200
+      - FLEET_SERVER_SERVICE_TOKEN={{ SERVICETOKEN }}
+      - FLEET_SERVER_POLICY_ID=FleetServer_{{ GLOBALS.hostname }}
+      - FLEET_SERVER_ELASTICSEARCH_CA=/etc/pki/tls/certs/intca.crt
+      - FLEET_SERVER_CERT=/etc/pki/elasticfleet.crt
+      - FLEET_SERVER_CERT_KEY=/etc/pki/elasticfleet.key
+      - FLEET_CA=/etc/pki/tls/certs/intca.crt
+      {% if DOCKER.containers['so-elastic-fleet'].extra_env %}
+        {% for XTRAENV in DOCKER.containers['so-elastic-fleet'].extra_env %}
+      - {{ XTRAENV }}
+        {% endfor %}
+      {% endif %}
+{%   endif %}
+
+{%  if GLOBALS.role != "so-fleet" %}
+so-elastic-fleet-integrations:
+  cmd.run:
+    - name: /usr/sbin/so-elastic-fleet-integration-policy-load
+{%  endif %}
+
+delete_so-elastic-fleet_so-status.disabled:
+  file.uncomment:
+    - name: /opt/so/conf/so-status/so-status.conf
+    - regex: ^so-elastic-fleet$
+
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+  test.fail_without_changes:
+    - name: {{sls}}_state_not_allowed
+
+{% endif %}

salt/elasticfleet/files/integrations-dynamic/grid-nodes/import-zeek-logs.json

@@ -1,7 +1,9 @@
+{% from 'elasticfleet/map.jinja' import ELASTICFLEETMERGED %}
+{%- raw -%}
 {
   "package": {
     "name": "log",
-    "version": "1.1.0"
+    "version": ""
   },
   "name": "import-zeek-logs",
   "namespace": "so",
@@ -20,10 +22,11 @@
             "data_stream.dataset": "import",
             "tags": [],
             "processors": "- dissect:\n    tokenizer: \"/nsm/import/%{import.id}/zeek/logs/%{import.file}\"\n    field: \"log.file.path\"\n    target_prefix: \"\"\n- script:\n      lang: javascript\n      source: >\n        function process(event) {\n          var pl = event.Get(\"import.file\").slice(0,-4);\n          event.Put(\"@metadata.pipeline\", \"zeek.\" + pl);\n        }\n- add_fields:\n    target: event\n    fields:\n      category: network\n      module: zeek\n      imported: true\n- add_tags:\n    tags: \"ics\"\n    when:\n      regexp:\n        import.file: \"^bacnet*|^bsap*|^cip*|^cotp*|^dnp3*|^ecat*|^enip*|^modbus*|^opcua*|^profinet*|^s7comm*\"",
-            "custom": "exclude_files: [\"broker|capture_loss|ecat_arp_info|loaded_scripts|packet_filter|stats|stderr|stdout.log$\"]\n"
+            "custom": "exclude_files: [\"{%- endraw -%}{{ ELASTICFLEETMERGED.logging.zeek.excluded | join('|') }}{%- raw -%}.log$\"]\n"
           }
         }
       }
     }
   }
 }
+{%- endraw -%}

salt/elasticfleet/files/integrations-dynamic/grid-nodes/zeek-logs.json

@@ -1,8 +1,11 @@
+{% from 'elasticfleet/map.jinja' import ELASTICFLEETMERGED %}
+{%- raw -%}
 {
   "package": {
     "name": "log",
-    "version": "1.1.0"
+    "version": ""
   },
+  "id": "zeek-logs",
   "name": "zeek-logs",
   "namespace": "so",
   "description": "Zeek logs",
@@ -20,10 +23,11 @@
             "data_stream.dataset": "zeek",
             "tags": [],
             "processors": "- dissect:\n    tokenizer: \"/nsm/zeek/logs/current/%{pipeline}.log\"\n    field: \"log.file.path\"\n    trim_chars: \".log\"\n    target_prefix: \"\"\n- script:\n      lang: javascript\n      source: >\n        function process(event) {\n          var pl = event.Get(\"pipeline\");\n          event.Put(\"@metadata.pipeline\", \"zeek.\" + pl);\n        }\n- add_fields:\n    target: event\n    fields:\n      category: network\n      module: zeek\n- add_tags:\n    tags: \"ics\"\n    when:\n      regexp:\n        pipeline: \"^bacnet*|^bsap*|^cip*|^cotp*|^dnp3*|^ecat*|^enip*|^modbus*|^opcua*|^profinet*|^s7comm*\"",
-            "custom": "exclude_files: [\"broker|capture_loss|ecat_arp_info|loaded_scripts|packet_filter|stats|stderr|stdout.log$\"]\n"
+            "custom": "exclude_files: [\"{%- endraw -%}{{ ELASTICFLEETMERGED.logging.zeek.excluded | join('|') }}{%- raw -%}.log$\"]\n"
           }
         }
       }
     }
   }
 }
+{%- endraw -%}

salt/elasticfleet/files/integrations/endpoints-initial/elastic-defend-endpoints.json

@@ -0,0 +1,28 @@
+{
+	"name": "elastic-defend-endpoints",
+	"namespace": "default",
+	"description": "",
+	"package": {
+		"name": "endpoint",
+		"title": "Elastic Defend",
+		"version": ""
+	},
+	"enabled": true,
+	"policy_id": "endpoints-initial",
+	"vars": {},
+	"inputs": [{
+		"type": "endpoint",
+		"enabled": true,
+		"streams": [],
+		"config": {
+			"integration_config": {
+				"value": {
+					"type": "endpoint",
+					"endpointConfig": {
+						"preset": "DataCollection"
+					}
+				}
+			}
+		}
+	}]
+}

salt/elasticfleet/files/integrations/endpoints-initial/osquery.json

@@ -1,7 +1,7 @@
 {
   "package": {
     "name": "osquery_manager",
-    "version": "1.6.0"
+    "version": ""
   },
   "name": "osquery-endpoints",
   "namespace": "default",

salt/elasticfleet/files/integrations/endpoints-initial/system-endpoints.json

@@ -1,11 +1,11 @@
 {
+  "policy_id": "endpoints-initial",
   "package": {
     "name": "system",
-    "version": "1.25.2"
+    "version": ""
   },
   "name": "system-endpoints",
   "namespace": "default",
-  "policy_id": "endpoints-initial",
   "inputs": {
     "system-logfile": {
       "enabled": true,
@@ -13,14 +13,9 @@
         "system.auth": {
           "enabled": true,
           "vars": {
-            "ignore_older": "72h",
             "paths": [
               "/var/log/auth.log*",
               "/var/log/secure*"
-            ],
-            "preserve_original_event": false,
-            "tags": [
-              "system-auth"
             ]
           }
         },
@@ -30,47 +25,33 @@
             "paths": [
               "/var/log/messages*",
               "/var/log/syslog*"
-            ],
+            ]
-            "tags": [],
-            "ignore_older": "72h"
           }
         }
       }
     },
     "system-winlog": {
       "enabled": true,
+      "vars": {
+        "preserve_original_event": false
+      },
       "streams": {
         "system.application": {
           "enabled": true,
           "vars": {
-            "preserve_original_event": false,
-            "ignore_older": "72h",
-            "language": 0,
             "tags": []
           }
         },
         "system.security": {
           "enabled": true,
           "vars": {
-            "preserve_original_event": false,
-            "ignore_older": "72h",
-            "language": 0,
-            "tags": []
-          }
-        },
-        "system.system": {
-          "enabled": true,
-          "vars": {
-            "preserve_original_event": false,
-            "ignore_older": "72h",
-            "language": 0,
             "tags": []
           }
         }
-      }
+        }
-    },
+      },
-    "system-system/metrics": {
+      "system-system/metrics": {
-      "enabled": false
+        "enabled": false
     }
   }
 }

salt/elasticfleet/files/integrations/endpoints-initial/windows-endpoints.json

@@ -1,11 +1,12 @@
 {
+  "policy_id": "endpoints-initial",
   "package": {
     "name": "windows",
-    "version": "1.19.1"
+    "version": ""
   },
   "name": "windows-endpoints",
+  "description": "",
   "namespace": "default",
-  "policy_id": "endpoints-initial",
   "inputs": {
     "windows-winlog": {
       "enabled": true,
@@ -13,47 +14,54 @@
         "windows.forwarded": {
           "enabled": true,
           "vars": {
-            "preserve_original_event": false,
-            "ignore_older": "72h",
-            "language": 0,
             "tags": [
               "forwarded"
-            ]
+            ],
+            "preserve_original_event": false
           }
         },
         "windows.powershell": {
           "enabled": true,
           "vars": {
-            "preserve_original_event": false,
+            "tags": [],
-            "event_id": "400, 403, 600, 800",
+            "preserve_original_event": false
-            "ignore_older": "72h",
-            "language": 0,
-            "tags": []
           }
         },
         "windows.powershell_operational": {
           "enabled": true,
           "vars": {
-            "preserve_original_event": false,
+            "tags": [],
-            "event_id": "4103, 4104, 4105, 4106",
+            "preserve_original_event": false
-            "ignore_older": "72h",
-            "language": 0,
-            "tags": []
           }
         },
         "windows.sysmon_operational": {
           "enabled": true,
           "vars": {
-            "preserve_original_event": false,
+            "tags": [],
-            "ignore_older": "72h",
+            "preserve_original_event": false
-            "language": 0,
-            "tags": []
           }
         }
       }
     },
     "windows-windows/metrics": {
-      "enabled": false
+      "enabled": false,
+      "streams": {
+        "windows.perfmon": {
+          "enabled": false,
+          "vars": {
+            "perfmon.group_measurements_by_instance": false,
+            "perfmon.ignore_non_existent_counters": false,
+            "perfmon.queries": "- object: 'Process'\n  instance: [\"*\"]\n  counters:\n   - name: '% Processor Time'\n     field: cpu_perc\n     format: \"float\"\n   - name: \"Working Set\"\n",
+            "period": "10s"
+          }
+        },
+        "windows.service": {
+          "enabled": false,
+          "vars": {
+            "period": "60s"
+          }
+        }
+      }
     }
   }
 }

salt/elasticfleet/files/integrations/grid-nodes/elasticsearch-logs.json

@@ -1,7 +1,7 @@
 {
   "package": {
     "name": "elasticsearch",
-    "version": "1.0.0"
+    "version": ""
   },
   "name": "elasticsearch-logs",
   "namespace": "default",

salt/elasticfleet/files/integrations/grid-nodes/idh-logs.json

@@ -1,7 +1,7 @@
 {
   "package": {
     "name": "log",
-    "version": "1.1.1"
+    "version": ""
   },
   "name": "idh-logs",
   "namespace": "so",

salt/elasticfleet/files/integrations/grid-nodes/import-evtx-logs.json

@@ -1,7 +1,7 @@
 {
   "package": {
     "name": "log",
-    "version": "1.1.0"
+    "version": ""
   },
   "name": "import-evtx-logs",
   "namespace": "so",

salt/elasticfleet/files/integrations/grid-nodes/import-suricata-logs.json

@@ -1,7 +1,7 @@
 {
   "package": {
     "name": "log",
-    "version": "1.1.0"
+    "version": ""
   },
   "name": "import-suricata-logs",
   "namespace": "so",

salt/elasticfleet/files/integrations/grid-nodes/kratos-logs.json

@@ -1,7 +1,7 @@
 {
   "package": {
     "name": "log",
-    "version": "1.1.0"
+    "version": ""
   },
   "name": "kratos-logs",
   "namespace": "so",
@@ -18,7 +18,7 @@
               "/opt/so/log/kratos/kratos.log"
             ],
             "data_stream.dataset": "kratos",
-            "tags": [],
+            "tags": ["so-kratos"],
             "processors": "- decode_json_fields:\n    fields: [\"message\"]\n    target: \"\"\n    add_error_key: true      \n- add_fields:\n    target: event\n    fields:\n      category: iam\n      module: kratos",
             "custom": "pipeline: kratos"
           }

salt/elasticfleet/files/integrations/grid-nodes/osquery-grid-nodes.json

@@ -1,7 +1,7 @@
 {
   "package": {
     "name": "osquery_manager",
-    "version": "1.6.0"
+    "version": ""
   },
   "name": "osquery-grid-nodes",
   "namespace": "default",

salt/elasticfleet/files/integrations/grid-nodes/redis-logs.json

@@ -1,7 +1,7 @@
 {
   "package": {
     "name": "redis",
-    "version": "1.4.0"
+    "version": ""
   },
   "name": "redis-logs",
   "namespace": "default",

salt/elasticfleet/files/integrations/grid-nodes/soc-auth-sync-logs.json

@@ -1,7 +1,7 @@
 {
   "package": {
     "name": "log",
-    "version": "1.1.2"
+    "version": ""
   },
   "name": "soc-auth-sync-logs",
   "namespace": "so",
@@ -18,7 +18,7 @@
               "/opt/so/log/soc/sync.log"
             ],
             "data_stream.dataset": "soc",
-            "tags": [],
+            "tags": ["so-soc"],
             "processors": "- dissect:\n    tokenizer: \"%{event.action}\"\n    field: \"message\"\n    target_prefix: \"\"\n- add_fields:\n    target: event\n    fields:\n      category: host\n      module: soc\n      dataset_temp: auth_sync",
             "custom": "pipeline: common"
           }

salt/elasticfleet/files/integrations/grid-nodes/soc-salt-relay-logs.json

@@ -1,7 +1,7 @@
 {
   "package": {
     "name": "log",
-    "version": "1.1.2"
+    "version": ""
   },
   "name": "soc-salt-relay-logs",
   "namespace": "so",
@@ -18,7 +18,7 @@
               "/opt/so/log/soc/salt-relay.log"
             ],
             "data_stream.dataset": "soc",
-            "tags": [],
+            "tags": ["so-soc"],
             "processors": "- dissect:\n    tokenizer: \"%{soc.ts} | %{event.action}\"\n    field: \"message\"\n    target_prefix: \"\"\n- add_fields:\n    target: event\n    fields:\n      category: host\n      module: soc\n      dataset_temp: salt_relay",
             "custom": "pipeline: common"
           }

salt/elasticfleet/files/integrations/grid-nodes/soc-sensoroni-logs.json

@@ -1,7 +1,7 @@
 {
   "package": {
     "name": "log",
-    "version": "1.1.2"
+    "version": ""
   },
   "name": "soc-sensoroni-logs",
   "namespace": "so",

salt/elasticfleet/files/integrations/grid-nodes/soc-server-logs.json

@@ -1,7 +1,7 @@
 {
   "package": {
     "name": "log",
-    "version": "1.1.2"
+    "version": ""
   },
   "name": "soc-server-logs",
   "namespace": "so",
@@ -18,7 +18,7 @@
               "/opt/so/log/soc/sensoroni-server.log"
             ],
             "data_stream.dataset": "soc",
-            "tags": [],
+            "tags": ["so-soc"],
             "processors": "- decode_json_fields:\n    fields: [\"message\"]\n    target: \"soc\"\n    process_array: true\n    max_depth: 2\n    add_error_key: true      \n- add_fields:\n    target: event\n    fields:\n      category: host\n      module: soc\n      dataset_temp: server\n- rename:\n    fields:\n      - from: \"soc.fields.sourceIp\"\n        to: \"source.ip\"\n      - from: \"soc.fields.status\"\n        to: \"http.response.status_code\"\n      - from: \"soc.fields.method\"\n        to: \"http.request.method\"\n      - from: \"soc.fields.path\"\n        to: \"url.path\"\n      - from: \"soc.message\"\n        to: \"event.action\"\n      - from: \"soc.level\"\n        to: \"log.level\"\n    ignore_missing: true",
             "custom": "pipeline: common"
           }

salt/elasticfleet/files/integrations/grid-nodes/strelka-logs.json

@@ -1,7 +1,7 @@
 {
   "package": {
     "name": "log",
-    "version": "1.1.0"
+    "version": ""
   },
   "name": "strelka-logs",
   "namespace": "so",

salt/elasticfleet/files/integrations/grid-nodes/suricata-logs.json

@@ -1,7 +1,7 @@
 {
   "package": {
     "name": "log",
-    "version": "1.1.0"
+    "version": ""
   },
   "name": "suricata-logs",
   "namespace": "so",

salt/elasticfleet/files/integrations/grid-nodes/syslog-tcp-514.json

@@ -1,7 +1,7 @@
 {
   "package": {
     "name": "tcp",
-    "version": "1.5.0"
+    "version": ""
   },
   "name": "syslog-tcp-514",
   "namespace": "so",

salt/elasticfleet/files/integrations/grid-nodes/syslog-udp-514.json

@@ -1,7 +1,7 @@
 {
   "package": {
     "name": "udp",
-    "version": "1.5.0"
+    "version": ""
   },
   "name": "syslog-udp-514",
   "namespace": "so",

salt/elasticfleet/files/integrations/grid-nodes/system-grid-nodes.json

@@ -1,11 +1,11 @@
 {
+  "policy_id": "so-grid-nodes",
   "package": {
     "name": "system",
-    "version": "1.25.2"
+    "version": ""
   },
   "name": "system-grid-nodes",
   "namespace": "default",
-  "policy_id": "so-grid-nodes",
   "inputs": {
     "system-logfile": {
       "enabled": true,
@@ -13,14 +13,9 @@
         "system.auth": {
           "enabled": true,
           "vars": {
-            "ignore_older": "72h",
             "paths": [
               "/var/log/auth.log*",
               "/var/log/secure*"
-            ],
-            "preserve_original_event": false,
-            "tags": [
-              "system-auth"
             ]
           }
         },
@@ -30,9 +25,7 @@
             "paths": [
               "/var/log/messages*",
               "/var/log/syslog*"
-            ],
+            ]
-            "tags": [],
-            "ignore_older": "72h"
           }
         }
       }

salt/elasticfleet/init.sls

@@ -1,87 +1,13 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0; you may not use
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
-# this file except in compliance with the Elastic License 2.0.
+# https://securityonion.net/license; you may not use this file except in compliance with the
-{% from 'allowed_states.map.jinja' import allowed_states %}
+# Elastic License 2.0.
-{% if sls in allowed_states %}
-{% from 'vars/globals.map.jinja' import GLOBALS %}
-{% from 'docker/docker.map.jinja' import DOCKER %}
 
-# These values are generated during node install and stored in minion pillar
+{% from 'elasticfleet/map.jinja' import ELASTICFLEETMERGED %}
-{% set SERVICETOKEN = salt['pillar.get']('elasticfleet:server:es_token','') %}
-#{% set FLEETSERVERPOLICY = salt['pillar.get']('elasticfleet:server:server_policy','so-manager') %}
-#{% set FLEETURL = salt['pillar.get']('elasticfleet:server:url') %}
-
-# Add EA Group
-elasticsagentgroup:
-  group.present:
-    - name: elastic-agent
-    - gid: 947
-
-# Add EA user
-elastic-agent:
-  user.present:
-    - uid: 947
-    - gid: 947
-    - home: /opt/so/conf/elastic-fleet
-    - createhome: False
-
-eaconfdir:
-  file.directory:
-    - name: /opt/so/conf/elastic-fleet
-    - user: 947
-    - group: 939
-    - makedirs: True
-
-eastatedir:
-  file.directory:
-    - name: /opt/so/conf/elastic-fleet/state
-    - user: 947
-    - group: 939
-    - makedirs: True
-
-
-  {% if SERVICETOKEN != '' %}
-so-elastic-fleet:
-  docker_container.running:
-    - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-elastic-agent:{{ GLOBALS.so_version }}
-    - name: so-elastic-fleet
-    - hostname: FleetServer-{{ GLOBALS.hostname }}
-    - detach: True
-    - user: 947
-    - networks:
-      - sobridge:
-        - ipv4_address: {{ DOCKER.containers['so-elastic-fleet'].ip }}
-    - extra_hosts:
-        - {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }}
-        - {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
-    - port_bindings:
-      {% for BINDING in DOCKER.containers['so-elastic-fleet'].port_bindings %}
-      - {{ BINDING }}
-      {% endfor %}
-    - binds:
-      - /etc/pki:/etc/pki:ro
-      #- /opt/so/conf/elastic-fleet/state:/usr/share/elastic-agent/state:rw
-    - environment:
-      - FLEET_SERVER_ENABLE=true
-      - FLEET_URL=https://{{ GLOBALS.node_ip }}:8220
-      - FLEET_SERVER_ELASTICSEARCH_HOST=https://{{ GLOBALS.manager }}:9200
-      - FLEET_SERVER_SERVICE_TOKEN={{ SERVICETOKEN }}
-      - FLEET_SERVER_POLICY_ID=FleetServer_{{ GLOBALS.hostname }}
-      - FLEET_SERVER_ELASTICSEARCH_CA=/etc/pki/tls/certs/intca.crt
-      - FLEET_SERVER_CERT=/etc/pki/elasticfleet.crt
-      - FLEET_SERVER_CERT_KEY=/etc/pki/elasticfleet.key
-      - FLEET_CA=/etc/pki/tls/certs/intca.crt
-  {% endif %}
-
-append_so-elastic-fleet_so-status.conf:
-  file.append:
-    - name: /opt/so/conf/so-status/so-status.conf
-    - text: so-elastic-fleet
 
+include:
+{% if ELASTICFLEETMERGED.enabled %}
+  - elasticfleet.enabled
 {% else %}
-
+  - elasticfleet.disabled
-{{sls}}_state_not_allowed:
-  test.fail_without_changes:
-    - name: {{sls}}_state_not_allowed
-
 {% endif %}