Merge branch 'dev' into feature/setup-refactor

# Conflicts:
#	README.md
#	VERSION
#	pillar/top.sls
#	salt/common/grafana/grafana_dashboards/eval/eval.json
#	salt/common/init.sls
#	salt/common/tools/sbin/so-status
#	salt/curator/init.sls
#	salt/elastalert/init.sls
#	salt/elasticsearch/init.sls
#	salt/filebeat/init.sls
#	salt/fleet/files/scripts/so-fleet-setup
#	salt/fleet/init.sls
#	salt/grafana/dashboards/sensor_nodes/sensor.json
#	salt/hive/init.sls
#	salt/idstools/init.sls
#	salt/kibana/bin/so-kibana-config-load
#	salt/logstash/init.sls
#	salt/master/init.sls
#	salt/mysql/init.sls
#	salt/nginx/etc/index.html
#	salt/pcap/init.sls
#	salt/playbook/init.sls
#	salt/reactor/fleet.sls
#	salt/redis/init.sls
#	salt/sensoroni/init.sls
#	salt/soctopus/init.sls
#	salt/strelka/init.sls
#	salt/suricata/init.sls
#	salt/tcpreplay/init.sls
#	salt/wazuh/init.sls
#	salt/zeek/init.sls
#	setup/so-functions
#	setup/so-setup
#	setup/so-whiptail

README.md

@@ -31,15 +31,6 @@
 - Due to the move to ECS, the current Playbook plays may not alert correctly at this time.
 - The osquery MacOS package does not install correctly.
 
-
-## Version 1.2.1 Beta 1 ISO Download
-
-[HH1.2.1-6.ISO](https://download.securityonion.net/file/Hybrid-Hunter/HH-1.2.1-6.iso)  
-
-MD5: D7E66CA8AAC37E70E2A2F7BB12EB3C23  
-SHA1: D91D921896F9ADA600EBA0ADAA548D8630B5341F  
-SHA256: D69E327597AB429DCE13C1177BCE6C1FAD934E78A09F73D14778C2CAE616557B  
-
 ### Warnings and Disclaimers
 
 - This BETA release is BLEEDING EDGE and TOTALLY UNSUPPORTED!  
@@ -55,33 +46,36 @@ SHA256: D69E327597AB429DCE13C1177BCE6C1FAD934E78A09F73D14778C2CAE616557B
 
 Evaluation Mode:
 
-- ISO or a Single VM running Ubuntu 16.04 or CentOS 7
+- ISO or a Single VM running Ubuntu 18.04 or CentOS 7
 - Minimum 12GB of RAM
 - Minimum 4 CPU cores
 - Minimum 2 NICs
 
 Distributed:
 
-- 3 VMs running the ISO or Ubuntu 16.04 or CentOS 7 (You can mix and match)
+- 3 VMs running the ISO or Ubuntu 18.04 or CentOS 7 (You can mix and match)
 - Minimum 8GB of RAM per VM
 - Minimum 4 CPU cores per VM
 - Minimum 2 NICs for forward nodes
 
-### Prerequisites for Network Based Install
+### Installation
 
-Install git if using a Centos 7 Minimal install:
+For most users, we recommend installing using [our ISO image](https://github.com/Security-Onion-Solutions/securityonion-saltstack/wiki/ISO).
+
+If instead you would like to try a manual installation (not using our ISO), you can build from CentOS 7 or Ubuntu 18.04.
+
+If using CentOS 7 Minimal, you will need to install git:
 
 ```sudo yum -y install git```
 
-### Installation
+Once you have git, then do the following:
-
-Once you resolve those requirements or are using Ubuntu 16.04 do the following:
 
 ```
 git clone https://github.com/Security-Onion-Solutions/securityonion-saltstack
 cd securityonion-saltstack
 sudo bash so-setup-network
 ```
+
 Follow the prompts and reboot if asked to do so.
 
 Then proceed to the [Hybrid Hunter Quick Start Guide](https://github.com/Security-Onion-Solutions/securityonion-saltstack/wiki/Hybrid-Hunter-Quick-Start-Guide).

VERSION

@@ -1 +1 @@
-1.2.1
+1.2.2

pillar/masters/example.sls

@@ -1,10 +0,0 @@
-# Example Pillar file for a master
-master:
-  esaccessip: 127.0.0.1
-  esheap: CHANGEME
-  esclustername: {{ grains.host }}
-  freq: 0
-  domainstats: 0
-  lsheap: 1500m
-  lsaccessip: 127.0.0.1
-  elastalert: 1

pillar/nodes/example.sls

@@ -1,5 +0,0 @@
-# Example Pillar file for a sensor
-node:
-  ls_heapsize: CHANGEME
-  es_heapsize: CHANGEME
-  node_type: CHANGEME

pillar/top.sls

@@ -1,4 +1,11 @@
 base:
+  '*':
+    - patch.needs_restarting
+
+  '*_eval or *_helix or *_heavynode or *_sensor':
+    - match: compound
+    - zeek
+
   '*_mastersearch or *_heavynode':
     - match: compound
     - logstash
@@ -66,7 +73,3 @@ base:
     - logstash
     - logstash.search
     - minions.{{ grains.id }}
-
-  '*':
-    - patch.needs_restarting
-    - docker.config

pillar/zeek/init.sls

@@ -0,0 +1,55 @@
+zeek:
+  zeekctl:
+    MailTo: root@localhost
+    MailConnectionSummary: 1
+    MinDiskSpace: 5
+    MailHostUpDown: 1
+    LogRotationInterval: 3600
+    LogExpireInterval: 0
+    StatsLogEnable: 1
+    StatsLogExpireInterval: 0
+    StatusCmdShowAll: 0
+    CrashExpireInterval: 0
+    SitePolicyScripts: local.zeek
+    LogDir: /nsm/zeek/logs
+    SpoolDir: /nsm/zeek/spool
+    CfgDir: /opt/zeek/etc
+    CompressLogs: 1
+  local:
+    '@load':
+      - misc/loaded-scripts
+      - tuning/defaults
+      - misc/capture-loss
+      - misc/stats
+      - frameworks/software/vulnerable
+      - frameworks/software/version-changes
+      - protocols/ftp/software
+      - protocols/smtp/software
+      - protocols/ssh/software
+      - protocols/http/software
+      - protocols/dns/detect-external-names
+      - protocols/ftp/detect
+      - protocols/conn/known-hosts
+      - protocols/conn/known-services
+      - protocols/ssl/known-certs
+      - protocols/ssl/validate-certs
+      - protocols/ssl/log-hostcerts-only
+      - protocols/ssh/geo-data
+      - protocols/ssh/detect-bruteforcing
+      - protocols/ssh/interesting-hostnames
+      - protocols/http/detect-sqli
+      - frameworks/files/hash-all-files
+      - frameworks/files/detect-MHR
+      - policy/frameworks/notice/extend-email/hostnames
+      - ja3
+      - hassh
+      - intel
+      - cve-2020-0601
+      - securityonion/bpfconf
+      - securityonion/communityid
+      - securityonion/file-extraction
+    '@load-sigs':
+      - frameworks/signatures/detect-windows-shells
+    redef:
+      - LogAscii::use_json = T;
+      - LogAscii::json_timestamps = JSON::TS_ISO8601;

salt/common/init.sls

@@ -1,8 +1,3 @@
-{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.1') %}
-{% set MASTER = salt['grains.get']('master') %}
-{% set GRAFANA = salt['pillar.get']('master:grafana', '0') %}
-{% set FLEETMASTER = salt['pillar.get']('static:fleet_master', False) %}
-{% set FLEETNODE = salt['pillar.get']('static:fleet_node', False) %}
 # Add socore Group
 socoregroup:
   group.present:
@@ -18,34 +13,15 @@ socore:
     - createhome: True
     - shell: /bin/bash
 
-# Create a state directory
-
-statedir:
-  file.directory:
-    - name: /opt/so/state
-    - user: 939
-    - group: 939
-    - makedirs: True
-
-salttmp:
-  file.directory:
-    - name: /opt/so/tmp
-    - user: 939
-    - group: 939
-    - makedirs: True
 
 # Install packages needed for the sensor
-
 sensorpkgs:
   pkg.installed:
     - skip_suggestions: False
     - pkgs:
-      - docker-ce
       - wget
       - jq
       {% if grains['os'] != 'CentOS' %}
-      - python-docker
-      - python-m2crypto
       - apache2-utils
       {% else %}
       - net-tools
@@ -64,7 +40,6 @@ alwaysupdated:
     - skip_suggestions: True
 
 # Set time to UTC
-
 Etc/UTC:
   timezone.system
 
@@ -77,339 +52,3 @@ utilsyncscripts:
     - file_mode: 755
     - template: jinja
     - source: salt://common/tools/sbin
-
-# Make sure Docker is running!
-docker:
-  service.running:
-    - enable: True
-
-# Drop the correct nginx config based on role
-
-nginxconfdir:
-  file.directory:
-    - name: /opt/so/conf/nginx
-    - user: 939
-    - group: 939
-    - makedirs: True
-
-nginxconf:
-  file.managed:
-    - name: /opt/so/conf/nginx/nginx.conf
-    - user: 939
-    - group: 939
-    - template: jinja
-    - source: salt://common/nginx/nginx.conf.{{ grains.role }}
-
-nginxlogdir:
-  file.directory:
-    - name: /opt/so/log/nginx/
-    - user: 939
-    - group: 939
-    - makedirs: True
-
-nginxtmp:
-  file.directory:
-    - name: /opt/so/tmp/nginx/tmp
-    - user: 939
-    - group: 939
-    - makedirs: True
-
-so-core:
-  docker_container.running:
-    - image: {{ MASTER }}:5000/soshybridhunter/so-core:{{ VERSION }}
-    - hostname: so-core
-    - user: socore
-    - binds:
-      - /opt/so:/opt/so:rw
-      - /opt/so/conf/nginx/nginx.conf:/etc/nginx/nginx.conf:ro
-      - /opt/so/log/nginx/:/var/log/nginx:rw
-      - /opt/so/tmp/nginx/:/var/lib/nginx:rw
-      - /opt/so/tmp/nginx/:/run:rw
-      - /etc/pki/masterssl.crt:/etc/pki/nginx/server.crt:ro
-      - /etc/pki/masterssl.key:/etc/pki/nginx/server.key:ro
-      - /opt/so/conf/fleet/packages:/opt/socore/html/packages
-    - cap_add: NET_BIND_SERVICE
-    - port_bindings:
-      - 80:80
-      - 443:443
-    {%- if FLEETMASTER or FLEETNODE %}
-      - 8090:8090
-    {%- endif %}
-    - watch:
-      - file: /opt/so/conf/nginx/nginx.conf
-
-# Add Telegraf to monitor all the things.
-tgraflogdir:
-  file.directory:
-    - name: /opt/so/log/telegraf
-    - makedirs: True
-
-tgrafetcdir:
-  file.directory:
-    - name: /opt/so/conf/telegraf/etc
-    - makedirs: True
-
-tgrafetsdir:
-  file.directory:
-    - name: /opt/so/conf/telegraf/scripts
-    - makedirs: True
-
-tgrafsyncscripts:
-  file.recurse:
-    - name: /opt/so/conf/telegraf/scripts
-    - user: 939
-    - group: 939
-    - file_mode: 755
-    - template: jinja
-    - source: salt://common/telegraf/scripts
-
-tgrafconf:
-  file.managed:
-    - name: /opt/so/conf/telegraf/etc/telegraf.conf
-    - user: 939
-    - group: 939
-    - template: jinja
-    - source: salt://common/telegraf/etc/telegraf.conf
-
-so-telegraf:
-  docker_container.running:
-    - image: {{ MASTER }}:5000/soshybridhunter/so-telegraf:{{ VERSION }}
-    - environment:
-      - HOST_PROC=/host/proc
-      - HOST_ETC=/host/etc
-      - HOST_SYS=/host/sys
-      - HOST_MOUNT_PREFIX=/host
-    - network_mode: host
-    - port_bindings:
-      - 127.0.0.1:8094:8094
-    - binds:
-      - /opt/so/log/telegraf:/var/log/telegraf:rw
-      - /opt/so/conf/telegraf/etc/telegraf.conf:/etc/telegraf/telegraf.conf:ro
-      - /var/run/utmp:/var/run/utmp:ro
-      - /var/run/docker.sock:/var/run/docker.sock:ro
-      - /:/host/root:ro
-      - /sys:/host/sys:ro
-      - /proc:/host/proc:ro
-      - /nsm:/host/nsm:ro
-      - /etc:/host/etc:ro
-      {% if grains['role'] == 'so-master' or grains['role'] == 'so-eval' or grains['role'] == 'so-mastersearch' %}
-      - /etc/pki/ca.crt:/etc/telegraf/ca.crt:ro
-      {% else %}
-      - /etc/ssl/certs/intca.crt:/etc/telegraf/ca.crt:ro
-      {% endif %}
-      - /etc/pki/influxdb.crt:/etc/telegraf/telegraf.crt:ro
-      - /etc/pki/influxdb.key:/etc/telegraf/telegraf.key:ro
-      - /opt/so/conf/telegraf/scripts:/scripts:ro
-      - /opt/so/log/stenographer:/var/log/stenographer:ro
-      - /opt/so/log/suricata:/var/log/suricata:ro
-    - watch:
-      - /opt/so/conf/telegraf/etc/telegraf.conf
-      - /opt/so/conf/telegraf/scripts
-
-# If its a master or eval lets install the back end for now
-{% if grains['role'] in ['so-master', 'so-mastersearch', 'so-eval'] and GRAFANA == 1 %}
-
-# Influx DB
-influxconfdir:
-  file.directory:
-    - name: /opt/so/conf/influxdb/etc
-    - makedirs: True
-
-influxdbdir:
-  file.directory:
-    - name: /nsm/influxdb
-    - makedirs: True
-
-influxdbconf:
-  file.managed:
-    - name: /opt/so/conf/influxdb/etc/influxdb.conf
-    - user: 939
-    - group: 939
-    - template: jinja
-    - source: salt://common/influxdb/etc/influxdb.conf
-
-so-influxdb:
-  docker_container.running:
-    - image: {{ MASTER }}:5000/soshybridhunter/so-influxdb:{{ VERSION }}
-    - hostname: influxdb
-    - environment:
-      - INFLUXDB_HTTP_LOG_ENABLED=false
-    - binds:
-      - /opt/so/conf/influxdb/etc/influxdb.conf:/etc/influxdb/influxdb.conf:ro
-      - /nsm/influxdb:/var/lib/influxdb:rw
-      - /etc/pki/influxdb.crt:/etc/ssl/influxdb.crt:ro
-      - /etc/pki/influxdb.key:/etc/ssl/influxdb.key:ro
-    - port_bindings:
-      - 0.0.0.0:8086:8086
-    - watch:
-      - file: /opt/so/conf/influxdb/etc/influxdb.conf
-
-# Grafana all the things
-grafanadir:
-  file.directory:
-    - name: /nsm/grafana
-    - user: 939
-    - group: 939
-    - makedirs: True
-
-grafanaconfdir:
-  file.directory:
-    - name: /opt/so/conf/grafana/etc
-    - user: 939
-    - group: 939
-    - makedirs: True
-
-grafanadashdir:
-  file.directory:
-    - name: /opt/so/conf/grafana/grafana_dashboards
-    - user: 939
-    - group: 939
-    - makedirs: True
-
-grafanadashmdir:
-  file.directory:
-    - name: /opt/so/conf/grafana/grafana_dashboards/master
-    - user: 939
-    - group: 939
-    - makedirs: True
-
-grafanadashevaldir:
-  file.directory:
-    - name: /opt/so/conf/grafana/grafana_dashboards/eval
-    - user: 939
-    - group: 939
-    - makedirs: True
-
-grafanadashfndir:
-  file.directory:
-    - name: /opt/so/conf/grafana/grafana_dashboards/sensor_nodes
-    - user: 939
-    - group: 939
-    - makedirs: True
-
-grafanadashsndir:
-  file.directory:
-    - name: /opt/so/conf/grafana/grafana_dashboards/search_nodes
-    - user: 939
-    - group: 939
-    - makedirs: True
-
-grafanaconf:
-  file.recurse:
-    - name: /opt/so/conf/grafana/etc
-    - user: 939
-    - group: 939
-    - template: jinja
-    - source: salt://common/grafana/etc
-
-{% if salt['pillar.get']('mastertab', False) %}
-{% for SN, SNDATA in salt['pillar.get']('mastertab', {}).items() %}
-{% set NODETYPE = SN.split('_')|last %}
-{% set SN = SN | regex_replace('_' ~ NODETYPE, '') %}
-dashboard-master:
-  file.managed:
-    - name: /opt/so/conf/grafana/grafana_dashboards/master/{{ SN }}-Master.json
-    - user: 939
-    - group: 939
-    - template: jinja
-    - source: salt://common/grafana/grafana_dashboards/master/master.json
-    - defaults:
-      SERVERNAME: {{ SN }}
-      MANINT: {{ SNDATA.manint }}
-      MONINT: {{ SNDATA.manint }}
-      CPUS: {{ SNDATA.totalcpus }}
-      UID: {{ SNDATA.guid }}
-      ROOTFS: {{ SNDATA.rootfs }}
-      NSMFS: {{ SNDATA.nsmfs }}
-
-{% endfor %}
-{% endif %}
-
-{% if salt['pillar.get']('sensorstab', False) %}
-{% for SN, SNDATA in salt['pillar.get']('sensorstab', {}).items() %}
-{% set NODETYPE = SN.split('_')|last %}
-{% set SN = SN | regex_replace('_' ~ NODETYPE, '') %}
-dashboard-{{ SN }}:
-  file.managed:
-    - name: /opt/so/conf/grafana/grafana_dashboards/sensor_nodes/{{ SN }}-Sensor.json
-    - user: 939
-    - group: 939
-    - template: jinja
-    - source: salt://common/grafana/grafana_dashboards/sensor_nodes/sensor.json
-    - defaults:
-      SERVERNAME: {{ SN }}
-      MONINT: {{ SNDATA.monint }}
-      MANINT: {{ SNDATA.manint }}
-      CPUS: {{ SNDATA.totalcpus }}
-      UID: {{ SNDATA.guid }}
-      ROOTFS: {{ SNDATA.rootfs }}
-      NSMFS: {{ SNDATA.nsmfs }}
-
-{% endfor %}
-{% endif %}
-
-{% if salt['pillar.get']('nodestab', False) %}
-{% for SN, SNDATA in salt['pillar.get']('nodestab', {}).items() %}
-{% set NODETYPE = SN.split('_')|last %}
-{% set SN = SN | regex_replace('_' ~ NODETYPE, '') %}
-dashboardsearch-{{ SN }}:
-  file.managed:
-    - name: /opt/so/conf/grafana/grafana_dashboards/search_nodes/{{ SN }}-Node.json
-    - user: 939
-    - group: 939
-    - template: jinja
-    - source: salt://common/grafana/grafana_dashboards/search_nodes/searchnode.json
-    - defaults:
-      SERVERNAME: {{ SN }}
-      MANINT: {{ SNDATA.manint }}
-      MONINT: {{ SNDATA.manint }}
-      CPUS: {{ SNDATA.totalcpus }}
-      UID: {{ SNDATA.guid }}
-      ROOTFS: {{ SNDATA.rootfs }}
-      NSMFS: {{ SNDATA.nsmfs }}
-
-{% endfor %}
-{% endif %}
-
-{% if salt['pillar.get']('evaltab', False) %}
-{% for SN, SNDATA in salt['pillar.get']('evaltab', {}).items() %}
-{% set NODETYPE = SN.split('_')|last %}
-{% set SN = SN | regex_replace('_' ~ NODETYPE, '') %}
-dashboard-{{ SN }}:
-  file.managed:
-    - name: /opt/so/conf/grafana/grafana_dashboards/eval/{{ SN }}-Node.json
-    - user: 939
-    - group: 939
-    - template: jinja
-    - source: salt://common/grafana/grafana_dashboards/eval/eval.json
-    - defaults:
-      SERVERNAME: {{ SN }}
-      MANINT: {{ SNDATA.manint }}
-      MONINT: {{ SNDATA.monint }}
-      CPUS: {{ SNDATA.totalcpus }}
-      UID: {{ SNDATA.guid }}
-      ROOTFS: {{ SNDATA.rootfs }}
-      NSMFS: {{ SNDATA.nsmfs }}
-
-{% endfor %}
-{% endif %}
-
-so-grafana:
-  docker_container.running:
-    - image: {{ MASTER }}:5000/soshybridhunter/so-grafana:{{ VERSION }}
-    - hostname: grafana
-    - user: socore
-    - binds:
-      - /nsm/grafana:/var/lib/grafana:rw
-      - /opt/so/conf/grafana/etc/grafana.ini:/etc/grafana/grafana.ini:ro
-      - /opt/so/conf/grafana/etc/datasources:/etc/grafana/provisioning/datasources:rw
-      - /opt/so/conf/grafana/etc/dashboards:/etc/grafana/provisioning/dashboards:rw
-      - /opt/so/conf/grafana/grafana_dashboards:/etc/grafana/grafana_dashboards:rw
-    - environment:
-      - GF_SECURITY_ADMIN_PASSWORD=augusta
-    - port_bindings:
-      - 0.0.0.0:3000:3000
-    - watch:
-      - file: /opt/so/conf/grafana/*
-
-{% endif %}

salt/common/maps/broversion.map.jinja

@@ -0,0 +1,5 @@
+{% set docker = {
+  'containers': [
+    'so-zeek'
+  ]
+} %}

salt/common/maps/domainstats.map.jinja

@@ -0,0 +1,5 @@
+{% set docker = {
+  'containers': [
+    'so-domainstats'
+  ]
+} %}

salt/common/maps/eval.map.jinja

@@ -0,0 +1,18 @@
+{% set docker = {
+  'containers': [
+    'so-nginx',
+    'so-telegraf',
+    'so-dockerregistry',
+    'so-soc',
+    'so-kratos',
+    'so-idstools',
+    'so-elasticsearch',
+    'so-kibana',
+    'so-steno',
+    'so-suricata',
+    'so-zeek',
+    'so-curator',
+    'so-elastalert',
+    'so-soctopus'
+  ]
+} %}

salt/common/maps/fleet.map.jinja

@@ -0,0 +1,10 @@
+{% set docker = {
+  'containers': [
+    'so-mysql',
+    'so-fleet',
+    'so-redis',
+    'so-filebeat',
+    'so-nginx',
+    'so-telegraf'
+  ]
+} %}

salt/common/maps/fleet_master.map.jinja

@@ -0,0 +1,7 @@
+{% set docker = {
+  'containers': [
+    'so-mysql',
+    'so-fleet',
+    'so-redis'
+  ]
+} %}

salt/common/maps/freq.map.jinja

@@ -0,0 +1,5 @@
+{% set docker = {
+  'containers': [
+    'so-freqserver'
+  ]
+} %}

salt/common/maps/grafana.map.jinja

@@ -0,0 +1,6 @@
+{% set docker = {
+  'containers': [
+    'so-influxdb',
+    'so-grafana'
+  ]
+} %}

salt/common/maps/heavynode.map.jinja

@@ -0,0 +1,14 @@
+{% set docker = {
+  'containers': [
+    'so-nginx',
+    'so-telegraf',
+    'so-redis',
+    'so-logstash',
+    'so-elasticsearch',
+    'so-curator',
+    'so-steno',
+    'so-suricata',
+    'so-wazuh',
+    'so-filebeat
+  ]
+} %}

salt/common/maps/helixsensor.map.jinja

@@ -0,0 +1,12 @@
+{% set docker = {
+  'containers': [
+    'so-nginx',
+    'so-telegraf',
+    'so-idstools',
+    'so-steno',
+    'so-zeek',
+    'so-redis',
+    'so-logstash',
+    'so-filebeat
+  ]
+} %}

salt/common/maps/hotnode.map.jinja

@@ -0,0 +1,9 @@
+{% set docker = {
+  'containers': [
+    'so-nginx',
+    'so-telegraf',
+     'so-logstash',
+    'so-elasticsearch',
+    'so-curator',
+   ]
+} %}

salt/common/maps/master.map.jinja

@@ -0,0 +1,18 @@
+{% set docker = {
+  'containers': [
+    'so-dockerregistry',
+    'so-nginx',
+    'so-telegraf',
+    'so-soc',
+    'so-kratos',
+    'so-acng',
+    'so-idstools',
+    'so-redis',
+    'so-elasticsearch',
+    'so-logstash',
+    'so-kibana',
+    'so-elastalert',
+    'so-filebeat',
+    'so-soctopus'
+  ]
+} %}

salt/common/maps/mastersearch.map.jinja

@@ -0,0 +1,18 @@
+{% set docker = {
+  'containers': [
+    'so-nginx',
+    'so-telegraf',
+    'so-soc',
+    'so-kratos',
+    'so-acng',
+    'so-idstools',
+    'so-redis',
+    'so-logstash',
+    'so-elasticsearch',
+    'so-curator',
+    'so-kibana',
+    'so-elastalert',
+    'so-filebeat',
+    'so-soctopus'
+  ]
+} %}

salt/common/maps/playbook.map.jinja

@@ -0,0 +1,6 @@
+{% set docker = {
+  'containers': [
+    'so-playbook',
+    'so-navigator'
+  ]
+} %}

salt/common/maps/searchnode.map.jinja

@@ -0,0 +1,10 @@
+{% set docker = {
+  'containers': [
+    'so-nginx',
+    'so-telegraf',
+    'so-logstash',
+    'so-elasticsearch',
+    'so-curator',
+    'so-filebeat'
+  ]
+} %}

salt/common/maps/sensor.map.jinja

@@ -0,0 +1,9 @@
+{% set docker = {
+  'containers': [
+    'so-nginx',
+    'so-telegraf',
+    'so-steno',
+    'so-suricata',
+    'so-filebeat'
+  ]
+} %}

salt/common/maps/so-status.map.jinja

@@ -0,0 +1,61 @@
+{% set role = grains.id.split('_') | last %}
+{% from 'common/maps/'~ role ~'.map.jinja' import docker with context %}
+
+# Check if the service is enabled and append it's required containers
+# to the list predefined by the role / minion id affix
+{% macro append_containers(pillar_name, k, compare )%}
+  {% if salt['pillar.get'](pillar_name~':'~k, {}) != compare %}
+    {% from 'common/maps/'~k~'.map.jinja' import docker as d with context %}
+    {% for li in d['containers'] %}
+      {{ docker['containers'].append(li) }}
+    {% endfor %}
+  {% endif %}
+{% endmacro %}
+
+{% set docker = salt['grains.filter_by']({
+  '*_'~role: {
+    'containers': docker['containers']
+  } 
+},grain='id', merge=salt['pillar.get']('docker')) %}
+
+{% if role == 'eval' %}
+  {{ append_containers('master', 'grafana', 0) }}
+  {{ append_containers('static', 'fleet_master', 0) }}
+  {{ append_containers('master', 'wazuh', 0) }}
+  {{ append_containers('master', 'thehive', 0) }}
+  {{ append_containers('master', 'playbook', 0) }}
+  {{ append_containers('master', 'freq', 0) }}
+  {{ append_containers('master', 'domainstats', 0) }}
+{% endif %}
+
+{% if role == 'heavynode' %}
+  {{ append_containers('static', 'broversion', 'SURICATA') }}
+{% endif %}
+
+{% if role == 'mastersearch' %}
+  {{ append_containers('master', 'grafana', 0) }}
+  {{ append_containers('static', 'fleet_master', 0) }}
+  {{ append_containers('master', 'wazuh', 0) }}
+  {{ append_containers('master', 'thehive', 0) }}
+  {{ append_containers('master', 'playbook', 0) }}
+  {{ append_containers('master', 'freq', 0) }}
+  {{ append_containers('master', 'domainstats', 0) }}
+{% endif %}
+
+{% if role == 'master' %}
+  {{ append_containers('master', 'grafana', 0) }}
+  {{ append_containers('static', 'fleet_master', 0) }}
+  {{ append_containers('master', 'wazuh', 0) }}
+  {{ append_containers('master', 'thehive', 0) }}
+  {{ append_containers('master', 'playbook', 0) }}
+  {{ append_containers('master', 'freq', 0) }}
+  {{ append_containers('master', 'domainstats', 0) }}
+{% endif %}
+
+{% if role == 'searchnode' %}
+  {{ append_containers('master', 'wazuh', 0) }}
+{% endif %}
+
+{% if role == 'sensor' %}
+  {{ append_containers('static', 'broversion', 'SURICATA') }}
+{% endif %}

salt/common/maps/thehive.map.jinja

@@ -0,0 +1,7 @@
+{% set docker = {
+  'containers': [
+    'so-thehive',
+    'so-thehive-es',
+    'so-cortex'
+  ]
+} %}

salt/common/maps/warmnode.map.jinja

@@ -0,0 +1,7 @@
+{% set docker = {
+  'containers': [
+    'so-nginx',
+    'so-telegraf',
+    'so-elasticsearch'
+  ]
+} %}

salt/common/maps/wazuh.map.jinja

@@ -0,0 +1,5 @@
+{% set docker = {
+  'containers': [
+    'so-wazuh'
+  ]
+} %}

salt/common/tools/sbin/so-elastic-download

@@ -2,7 +2,7 @@
 MASTER=MASTER
 VERSION="HH1.1.4"
 TRUSTED_CONTAINERS=( \
-"so-core:$VERSION" \
+"so-nginx:$VERSION" \
 "so-thehive-cortex:$VERSION" \
 "so-curator:$VERSION" \
 "so-domainstats:$VERSION" \

salt/common/tools/sbin/so-status

@@ -14,35 +14,8 @@
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
-
+{%- from 'common/maps/so-status.map.jinja' import docker with context %}
-# {%- set pillar_suffix = ':containers' -%}
+{%- set container_list = docker['containers'] %}
-# {%- if (salt['grains.get']('role') == 'so-mastersearch') -%}
-#     {%- set pillar_val = 'master_search' -%}
-# {%- elif (salt['grains.get']('role') == 'so-master') -%}
-#     {%- set pillar_val = 'master' -%}
-# {%- elif (salt['grains.get']('role') == 'so-heavynode') -%}
-#     {%- set pillar_val = 'heavy_node' -%}
-# {%- elif (salt['grains.get']('role') == 'so-sensor') -%}
-#     {%- set pillar_val = 'sensor' -%}
-# {%- elif (salt['grains.get']('role') == 'so-eval') -%}
-#     {%- set pillar_val = 'eval' -%}
-# {%- elif (salt['grains.get']('role') == 'so-fleet') -%}
-#     {%- set pillar_val = 'fleet' -%}
-# {%- elif (salt['grains.get']('role') == 'so-helix') -%}
-#     {%- set pillar_val = 'helix' -%}
-# {%- elif (salt['grains.get']('role') == 'so-node') -%}
-#     {%- if (salt['pillar.get']('node:node_type') == 'parser') -%}
-#         {%- set pillar_val = 'parser_node' -%}
-#     {%- elif (salt['pillar.get']('node:node_type') == 'hot') -%}
-#         {%- set pillar_val = 'hot_node' -%}
-#     {%- elif (salt['pillar.get']('node:node_type') == 'warm') -%}
-#         {%- set pillar_val = 'warm_node' -%}
-#     {%- elif (salt['pillar.get']('node:node_type') == 'search') -%}
-#         {%- set pillar_val = 'search_node' -%}
-#     {%- endif -%}
-# {%- endif -%}
-# {%- set pillar_name = pillar_val ~ pillar_suffix -%}
-# {%- set container_list = salt['pillar.get'](pillar_name) %}
 
 if ! [ "$(id -u)" = 0 ]; then
    echo "This command must be run as root"
@@ -98,14 +71,15 @@ compare_lists() {
 # {% endraw %}
 
 create_expected_container_list() {
-    # {% for item in container_list%}
+    {% for item in container_list%}
         expected_container_list+=("{{ item }}")
-    # {% endfor %}
+    {% endfor %}
 }
 
 populate_container_lists() {
+    systemctl is-active --quiet docker
 
-    if systemctl is-active --quiet docker; then
+    if [[ $? = 0 ]]; then
         mapfile -t docker_raw_list < <(curl -s --unix-socket /var/run/docker.sock http:/v1.40/containers/json?all=1 \
             | jq -c '.[] | { Name: .Names[0], State: .State }' \
             | tr -d '/{"}')

salt/curator/init.sls

@@ -1,4 +1,4 @@
-{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.1') %}
+{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %}
 {% set MASTER = salt['grains.get']('master') %}
 {% if grains['role'] == 'so-node' or grains['role'] == 'so-eval' %}
 # Curator

salt/docker/init.sls

@@ -0,0 +1,8 @@
+installdocker:
+  pkg.installed:
+    - name: docker-ce
+
+# Make sure Docker is running!
+docker:
+  service.running:
+    - enable: True

salt/elastalert/init.sls

@@ -12,7 +12,7 @@
 #
 #    You should have received a copy of the GNU General Public License
 #    along with this program.  If not, see <http://www.gnu.org/licenses/>.
-{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.1') %}
+{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %}
 {% set MASTER = salt['grains.get']('master') %}
 {% if grains['role'] == 'so-master' %}
 

salt/elasticsearch/init.sls

@@ -12,7 +12,7 @@
 #
 #    You should have received a copy of the GNU General Public License
 #    along with this program.  If not, see <http://www.gnu.org/licenses/>.
-{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.1') %}
+{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %}
 {% set MASTER = salt['grains.get']('master') %}
 {% set FEATURES = salt['pillar.get']('elastic:features', False) %}
 {% if FEATURES %}

salt/filebeat/init.sls

@@ -11,7 +11,7 @@
 #
 #    You should have received a copy of the GNU General Public License
 #    along with this program.  If not, see <http://www.gnu.org/licenses/>.
-{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.1') %}
+{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %}
 {% set MASTER = salt['grains.get']('master') %}
 {% set MASTERIP = salt['pillar.get']('static:masterip', '') %}
 {% set FEATURES = salt['pillar.get']('elastic:features', False) %}

salt/fleet/files/scripts/so-fleet-setup

@@ -41,7 +41,7 @@ sleep 120
 echo "Installing launcher via salt..."
 salt-call state.apply fleet.install_package queue=True >> /root/fleet-setup.log
 salt-call state.apply filebeat queue=True >> /root/fleet-setup.log
-docker stop so-core
+docker stop so-nginx
 salt-call state.apply common queue=True >> /root/fleet-setup.log
 
 echo "Fleet Setup Complete - Login here: https://{{ MAIN_HOSTNAME }}"

salt/fleet/init.sls

@@ -1,7 +1,7 @@
 {%- set MYSQLPASS = salt['pillar.get']('secrets:mysql', None) -%}
 {%- set FLEETPASS = salt['pillar.get']('secrets:fleet', None) -%}
 {%- set FLEETJWT = salt['pillar.get']('secrets:fleet_jwt', None) -%}
-{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.1') %}
+{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %}
 {% set MASTER = salt['grains.get']('master') %}
 {% set MAINIP = salt['pillar.get']('node:mainip') %}
 {% set FLEETARCH = salt['grains.get']('role') %}
@@ -21,9 +21,6 @@
 #        hostname: {{ grains.host }}
 #{% endif %}
 
-include:
-  - mysql
-
 # Fleet Setup
 fleetcdir:
   file.directory:
@@ -89,9 +86,6 @@ fleetdb:
     - connection_port: 3306
     - connection_user: root
     - connection_pass: {{ MYSQLPASS }}
-    - require:
-      - sls: mysql
-      - cmd: so-mysql
 
 fleetdbuser:
   mysql_user.present:
@@ -101,8 +95,6 @@ fleetdbuser:
     - connection_port: 3306
     - connection_user: root
     - connection_pass: {{ MYSQLPASS }}
-    - require:
-      - fleetdb
 
 fleetdbpriv:
   mysql_grants.present:
@@ -114,8 +106,7 @@ fleetdbpriv:
     - connection_port: 3306
     - connection_user: root
     - connection_pass: {{ MYSQLPASS }}
-    - require:
+
-      - fleetdb
 
 {% if FLEETPASS == None or FLEETJWT == None %}
 

salt/grafana/dashboards/sensor_nodes/sensor.json

@@ -447,6 +447,13 @@
           ]
         }
       ],
+<<<<<<<< HEAD:salt/common/grafana/grafana_dashboards/forward_nodes/sensor.json
+      "thresholds": "5,10",
+      "title": "{{ SERVERNAME }} -Zeek Packet Loss",
+      "type": "singlestat",
+      "valueFontSize": "80%",
+      "valueMaps": [
+========
       "thresholds": [],
       "timeFrom": null,
       "timeRegions": [],
@@ -474,6 +481,7 @@
           "min": null,
           "show": true
         },
+>>>>>>>> dev:salt/grafana/dashboards/sensor_nodes/sensor.json
         {
           "format": "short",
           "label": null,
@@ -2060,6 +2068,8 @@
       }
     },
     {
+<<<<<<<< HEAD:salt/common/grafana/grafana_dashboards/forward_nodes/sensor.json
+========
       "aliasColors": {},
       "bars": false,
       "cacheTimeout": null,
@@ -2193,6 +2203,7 @@
       }
     },
     {
+>>>>>>>> dev:salt/grafana/dashboards/sensor_nodes/sensor.json
       "aliasColors": {
         "Buffered": "#6ED0E0",
         "Cached": "#F9934E",

salt/grafana/init.sls

@@ -0,0 +1,175 @@
+{% set GRAFANA = salt['pillar.get']('master:grafana', '0') %}
+{% set MASTER = salt['grains.get']('master') %}
+{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %}
+
+{% if grains['role'] in ['so-master', 'so-mastersearch', 'so-eval'] and GRAFANA == 1 %}
+
+# Grafana all the things
+grafanadir:
+  file.directory:
+    - name: /nsm/grafana
+    - user: 939
+    - group: 939
+    - makedirs: True
+
+grafanaconfdir:
+  file.directory:
+    - name: /opt/so/conf/grafana/etc
+    - user: 939
+    - group: 939
+    - makedirs: True
+
+grafanadashdir:
+  file.directory:
+    - name: /opt/so/conf/grafana/grafana_dashboards
+    - user: 939
+    - group: 939
+    - makedirs: True
+
+grafanadashmdir:
+  file.directory:
+    - name: /opt/so/conf/grafana/grafana_dashboards/master
+    - user: 939
+    - group: 939
+    - makedirs: True
+
+grafanadashevaldir:
+  file.directory:
+    - name: /opt/so/conf/grafana/grafana_dashboards/eval
+    - user: 939
+    - group: 939
+    - makedirs: True
+
+grafanadashfndir:
+  file.directory:
+    - name: /opt/so/conf/grafana/grafana_dashboards/sensor_nodes
+    - user: 939
+    - group: 939
+    - makedirs: True
+
+grafanadashsndir:
+  file.directory:
+    - name: /opt/so/conf/grafana/grafana_dashboards/search_nodes
+    - user: 939
+    - group: 939
+    - makedirs: True
+
+grafanaconf:
+  file.recurse:
+    - name: /opt/so/conf/grafana/etc
+    - user: 939
+    - group: 939
+    - template: jinja
+    - source: salt://grafana/etc
+
+{% if salt['pillar.get']('mastertab', False) %}
+{% for SN, SNDATA in salt['pillar.get']('mastertab', {}).items() %}
+{% set NODETYPE = SN.split('_')|last %}
+{% set SN = SN | regex_replace('_' ~ NODETYPE, '') %}
+dashboard-master:
+  file.managed:
+    - name: /opt/so/conf/grafana/grafana_dashboards/master/{{ SN }}-Master.json
+    - user: 939
+    - group: 939
+    - template: jinja
+    - source: salt://grafana/dashboards/master/master.json
+    - defaults:
+      SERVERNAME: {{ SN }}
+      MANINT: {{ SNDATA.manint }}
+      MONINT: {{ SNDATA.manint }}
+      CPUS: {{ SNDATA.totalcpus }}
+      UID: {{ SNDATA.guid }}
+      ROOTFS: {{ SNDATA.rootfs }}
+      NSMFS: {{ SNDATA.nsmfs }}
+
+{% endfor %}
+{% endif %}
+
+{% if salt['pillar.get']('sensorstab', False) %}
+{% for SN, SNDATA in salt['pillar.get']('sensorstab', {}).items() %}
+{% set NODETYPE = SN.split('_')|last %}
+{% set SN = SN | regex_replace('_' ~ NODETYPE, '') %}
+dashboard-{{ SN }}:
+  file.managed:
+    - name: /opt/so/conf/grafana/grafana_dashboards/sensor_nodes/{{ SN }}-Sensor.json
+    - user: 939
+    - group: 939
+    - template: jinja
+    - source: salt://grafana/dashboards/sensor_nodes/sensor.json
+    - defaults:
+      SERVERNAME: {{ SN }}
+      MONINT: {{ SNDATA.monint }}
+      MANINT: {{ SNDATA.manint }}
+      CPUS: {{ SNDATA.totalcpus }}
+      UID: {{ SNDATA.guid }}
+      ROOTFS: {{ SNDATA.rootfs }}
+      NSMFS: {{ SNDATA.nsmfs }}
+
+{% endfor %}
+{% endif %}
+
+{% if salt['pillar.get']('nodestab', False) %}
+{% for SN, SNDATA in salt['pillar.get']('nodestab', {}).items() %}
+{% set NODETYPE = SN.split('_')|last %}
+{% set SN = SN | regex_replace('_' ~ NODETYPE, '') %}
+dashboardsearch-{{ SN }}:
+  file.managed:
+    - name: /opt/so/conf/grafana/grafana_dashboards/search_nodes/{{ SN }}-Node.json
+    - user: 939
+    - group: 939
+    - template: jinja
+    - source: salt://grafana/dashboards/search_nodes/searchnode.json
+    - defaults:
+      SERVERNAME: {{ SN }}
+      MANINT: {{ SNDATA.manint }}
+      MONINT: {{ SNDATA.manint }}
+      CPUS: {{ SNDATA.totalcpus }}
+      UID: {{ SNDATA.guid }}
+      ROOTFS: {{ SNDATA.rootfs }}
+      NSMFS: {{ SNDATA.nsmfs }}
+
+{% endfor %}
+{% endif %}
+
+{% if salt['pillar.get']('evaltab', False) %}
+{% for SN, SNDATA in salt['pillar.get']('evaltab', {}).items() %}
+{% set NODETYPE = SN.split('_')|last %}
+{% set SN = SN | regex_replace('_' ~ NODETYPE, '') %}
+dashboard-{{ SN }}:
+  file.managed:
+    - name: /opt/so/conf/grafana/grafana_dashboards/eval/{{ SN }}-Node.json
+    - user: 939
+    - group: 939
+    - template: jinja
+    - source: salt://grafana/dashboards/eval/eval.json
+    - defaults:
+      SERVERNAME: {{ SN }}
+      MANINT: {{ SNDATA.manint }}
+      MONINT: {{ SNDATA.monint }}
+      CPUS: {{ SNDATA.totalcpus }}
+      UID: {{ SNDATA.guid }}
+      ROOTFS: {{ SNDATA.rootfs }}
+      NSMFS: {{ SNDATA.nsmfs }}
+
+{% endfor %}
+{% endif %}
+
+so-grafana:
+  docker_container.running:
+    - image: {{ MASTER }}:5000/soshybridhunter/so-grafana:{{ VERSION }}
+    - hostname: grafana
+    - user: socore
+    - binds:
+      - /nsm/grafana:/var/lib/grafana:rw
+      - /opt/so/conf/grafana/etc/grafana.ini:/etc/grafana/grafana.ini:ro
+      - /opt/so/conf/grafana/etc/datasources:/etc/grafana/provisioning/datasources:rw
+      - /opt/so/conf/grafana/etc/dashboards:/etc/grafana/provisioning/dashboards:rw
+      - /opt/so/conf/grafana/grafana_dashboards:/etc/grafana/grafana_dashboards:rw
+    - environment:
+      - GF_SECURITY_ADMIN_PASSWORD=augusta
+    - port_bindings:
+      - 0.0.0.0:3000:3000
+    - watch:
+      - file: /opt/so/conf/grafana/*
+
+{% endif %}

salt/hive/init.sls

@@ -1,5 +1,5 @@
 {% set MASTERIP = salt['pillar.get']('master:mainip', '') %}
-{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.1') %}
+{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %}
 {% set MASTER = salt['grains.get']('master') %}
 hiveconfdir:
   file.directory:

salt/idstools/init.sls

@@ -12,7 +12,7 @@
 #
 #    You should have received a copy of the GNU General Public License
 #    along with this program.  If not, see <http://www.gnu.org/licenses/>.
-{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.1') %}
+{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %}
 {% set MASTER = salt['grains.get']('master') %}
 # IDSTools Setup
 idstoolsdir:

salt/influxdb/init.sls

@@ -0,0 +1,43 @@
+{% set GRAFANA = salt['pillar.get']('master:grafana', '0') %}
+{% set MASTER = salt['grains.get']('master') %}
+{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %}
+
+
+{% if grains['role'] in ['so-master', 'so-mastersearch', 'so-eval'] and GRAFANA == 1 %}
+
+# Influx DB
+influxconfdir:
+  file.directory:
+    - name: /opt/so/conf/influxdb/etc
+    - makedirs: True
+
+influxdbdir:
+  file.directory:
+    - name: /nsm/influxdb
+    - makedirs: True
+
+influxdbconf:
+  file.managed:
+    - name: /opt/so/conf/influxdb/etc/influxdb.conf
+    - user: 939
+    - group: 939
+    - template: jinja
+    - source: salt://influxdb/etc/influxdb.conf
+
+so-influxdb:
+  docker_container.running:
+    - image: {{ MASTER }}:5000/soshybridhunter/so-influxdb:{{ VERSION }}
+    - hostname: influxdb
+    - environment:
+      - INFLUXDB_HTTP_LOG_ENABLED=false
+    - binds:
+      - /opt/so/conf/influxdb/etc/influxdb.conf:/etc/influxdb/influxdb.conf:ro
+      - /nsm/influxdb:/var/lib/influxdb:rw
+      - /etc/pki/influxdb.crt:/etc/ssl/influxdb.crt:ro
+      - /etc/pki/influxdb.key:/etc/ssl/influxdb.key:ro
+    - port_bindings:
+      - 0.0.0.0:8086:8086
+    - watch:
+      - file: influxdbconf
+
+{% endif %}

salt/kibana/bin/so-kibana-config-load

@@ -1,6 +1,7 @@
 #!/bin/bash
 
 {%- set MASTER = salt['pillar.get']('static:masterip', '') %}
+{%- set FLEET_NODE = salt['pillar.get']('static:fleet_node') %}
 {%- set FLEET = salt['pillar.get']('static:fleet_ip', '') %}
 {%- set KRATOS = salt['pillar.get']('kratos:redirect', '') %}
 
@@ -28,8 +29,10 @@ cp /opt/so/conf/kibana/saved_objects.ndjson.template /opt/so/conf/kibana/saved_o
 # SOCtopus and Master
 sed -i "s/PLACEHOLDER/{{ MASTER }}/g" /opt/so/conf/kibana/saved_objects.ndjson
 
+{% if FLEET_NODE %}
 # Fleet IP
 sed -i "s/FLEETPLACEHOLDER/{{ FLEET }}/g" /opt/so/conf/kibana/saved_objects.ndjson
+{% endif %}
 
 # Kratos redirect
 sed -i "s/PCAPPLACEHOLDER/{{ KRATOS }}/g" /opt/so/conf/kibana/saved_objects.ndjson

salt/kibana/init.sls

@@ -1,4 +1,4 @@
-{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.1') %}
+{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %}
 {% set MASTER = salt['grains.get']('master') %}
 {% set FEATURES = salt['pillar.get']('elastic:features', False) %}
 {% if FEATURES %}

salt/logstash/init.sls

@@ -12,7 +12,7 @@
 #
 #    You should have received a copy of the GNU General Public License
 #    along with this program.  If not, see <http://www.gnu.org/licenses/>.
-{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.1') %}
+{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %}
 {% set MASTER = salt['grains.get']('master') %}
 {% set FEATURES = salt['pillar.get']('elastic:features', False) %}
 {% if FEATURES %}

salt/master/files/registry/scripts/so-docker-download

@@ -1,9 +1,9 @@
 #!/bin/bash
 
 MASTER={{ MASTER }}
-VERSION="HH1.2.1"
+VERSION="HH1.2.2"
 TRUSTED_CONTAINERS=( \
-"so-core:$VERSION" \
+"so-nginx:$VERSION" \
 "so-cyberchef:$VERSION" \
 "so-acng:$VERSION" \
 "so-soc:$VERSION" \

salt/master/init.sls

@@ -12,7 +12,7 @@
 #
 #    You should have received a copy of the GNU General Public License
 #    along with this program.  If not, see <http://www.gnu.org/licenses/>.
-{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.1') %}
+{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %}
 {% set MASTER = salt['grains.get']('master') %}
 {% set masterproxy = salt['pillar.get']('static:masterupdate', '0') %}
 

salt/mysql/init.sls

@@ -1,6 +1,6 @@
 {%- set MYSQLPASS = salt['pillar.get']('secrets:mysql', None) %}
 {%- set MASTERIP = salt['pillar.get']('static:masterip', '') %}
-{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.1') %}
+{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %}
 {% set MASTER = salt['grains.get']('master') %}
 {% set MAINIP = salt['pillar.get']('node:mainip') %}
 {% set FLEETARCH = salt['grains.get']('role') %}
@@ -57,6 +57,7 @@ mysqldatadir:
     - user: 939
     - group: 939
     - makedirs: True
+
 {% if MYSQLPASS == None %}
 
 mysql_password_none:
@@ -84,9 +85,4 @@ so-mysql:
       - /opt/so/log/mysql:/var/log/mysql:rw
     - watch:
       - /opt/so/conf/mysql/etc
-  cmd.run:
-    - name: until nc -z {{ MASTERIP }} 3306; do sleep 1; done
-    - timeout: 360
-    - onchanges:
-      - docker_container: so-mysql
 {% endif %}

salt/nginx/etc/nginx.conf.so-eval

@@ -299,12 +299,12 @@ http {
           return        302 /auth/self-service/browser/flows/login;
         }
 
-        error_page 404 /404.html;
+        #error_page 404 /404.html;
-            location = /40x.html {
+        #    location = /usr/share/nginx/html/40x.html {
-        }
+        #}
 
         error_page 500 502 503 504 /50x.html;
-            location = /50x.html {
+            location = /usr/share/nginx/html/50x.html {
         }
     }
 

salt/nginx/etc/nginx.conf.so-fleet

@@ -86,12 +86,12 @@ http {
 
         }
 
-        error_page 404 /404.html;
+        #error_page 404 /404.html;
-            location = /40x.html {
+        #    location = /40x.html {
-        }
+        #}
 
         error_page 500 502 503 504 /50x.html;
-            location = /50x.html {
+            location = /usr/share/nginx/html/50x.html {
         }
     }
 

salt/nginx/etc/nginx.conf.so-heavynode

@@ -77,12 +77,12 @@ http {
 #        location / {
 #        }
 #
-#        error_page 404 /404.html;
+#        #error_page 404 /404.html;
-#            location = /40x.html {
+#        #    location = /40x.html {
-#        }
+#        #}
 #
 #        error_page 500 502 503 504 /50x.html;
-#            location = /50x.html {
+#            location = /usr/share/nginx/html/50x.html {
 #        }
 #    }
 

salt/nginx/etc/nginx.conf.so-helix

@@ -47,12 +47,12 @@ http {
         location / {
         }
 
-        error_page 404 /404.html;
+        #error_page 404 /404.html;
-            location = /40x.html {
+        #    location = /40x.html {
-        }
+        #}
 
         error_page 500 502 503 504 /50x.html;
-            location = /50x.html {
+            location = /usr/share/nginx/html/50x.html {
         }
     }
 

salt/nginx/etc/nginx.conf.so-master

@@ -299,12 +299,12 @@ http {
           return        302 /auth/self-service/browser/flows/login;
         }
 
-        error_page 404 /404.html;
+        #error_page 404 /404.html;
-            location = /40x.html {
+        #    location = /40x.html {
-        }
+        #}
 
         error_page 500 502 503 504 /50x.html;
-            location = /50x.html {
+            location = /usr/share/nginx/html/50x.html {
         }
     }
 

salt/nginx/etc/nginx.conf.so-mastersearch

@@ -299,12 +299,12 @@ http {
           return        302 /auth/self-service/browser/flows/login;
         }
 
-        error_page 404 /404.html;
+        #error_page 404 /404.html;
-            location = /40x.html {
+        #    location = /40x.html {
-        }
+        #}
 
         error_page 500 502 503 504 /50x.html;
-            location = /50x.html {
+            location = /usr/share/nginx/html/50x.html {
         }
     }
 

salt/nginx/etc/nginx.conf.so-node

@@ -47,12 +47,12 @@ http {
         location / {
         }
 
-        error_page 404 /404.html;
+        #error_page 404 /404.html;
-            location = /40x.html {
+        #    location = /40x.html {
-        }
+        #}
 
         error_page 500 502 503 504 /50x.html;
-            location = /50x.html {
+            location = /usr/share/nginx/html/50x.html {
         }
     }
 

salt/nginx/etc/nginx.conf.so-sensor

@@ -47,12 +47,12 @@ http {
         location / {
         }
 
-        error_page 404 /404.html;
+        #error_page 404 /404.html;
-            location = /40x.html {
+        #    location = /40x.html {
-        }
+        #}
 
         error_page 500 502 503 504 /50x.html;
-            location = /50x.html {
+            location = /usr/share/nginx/html/50x.html {
         }
     }
 

salt/nginx/html/index.html

@@ -0,0 +1,13 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+<title>Security Onion - Hybrid Hunter</title>
+<meta charset="utf-8">
+<meta name="viewport" content="width=device-width, initial-scale=1">
+<link rel="icon" type="image/png" href="favicon-32x32.png" sizes="32x32" />
+<link rel="icon" type="image/png" href="favicon-16x16.png" sizes="16x16" />
+</head>
+<body>
+Security Onion
+</body>
+</html>

salt/nginx/init.sls

@@ -0,0 +1,64 @@
+{% set FLEETMASTER = salt['pillar.get']('static:fleet_master', False) %}
+{% set FLEETNODE = salt['pillar.get']('static:fleet_node', False) %}
+{% set MASTER = salt['grains.get']('master') %}
+{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %}
+
+# Drop the correct nginx config based on role
+nginxconfdir:
+  file.directory:
+    - name: /opt/so/conf/nginx/html
+    - user: 939
+    - group: 939
+    - makedirs: True
+
+nginxhtml:
+  file.recurse:
+    - name: /opt/so/conf/nginx/html
+    - source: salt://nginx/html/
+    - user: 939
+    - group: 939
+
+nginxconf:
+  file.managed:
+    - name: /opt/so/conf/nginx/nginx.conf
+    - user: 939
+    - group: 939
+    - template: jinja
+    - source: salt://nginx/etc/nginx.conf.{{ grains.role }}
+
+nginxlogdir:
+  file.directory:
+    - name: /opt/so/log/nginx/
+    - user: 939
+    - group: 939
+    - makedirs: True
+
+nginxtmp:
+  file.directory:
+    - name: /opt/so/tmp/nginx/tmp
+    - user: 939
+    - group: 939
+    - makedirs: True
+
+so-nginx:
+  docker_container.running:
+    - image: {{ MASTER }}:5000/soshybridhunter/so-nginx:{{ VERSION }}
+    - hostname: so-nginx
+    - binds:
+      - /opt/so/conf/nginx/nginx.conf:/etc/nginx/nginx.conf:ro
+      - /opt/so/log/nginx/:/var/log/nginx:rw
+      - /opt/so/tmp/nginx/:/var/lib/nginx:rw
+      - /opt/so/tmp/nginx/:/run:rw
+      - /etc/pki/masterssl.crt:/etc/pki/nginx/server.crt:ro
+      - /etc/pki/masterssl.key:/etc/pki/nginx/server.key:ro
+      - /opt/so/conf/fleet/packages:/opt/socore/html/packages
+    - cap_add: NET_BIND_SERVICE
+    - port_bindings:
+      - 80:80
+      - 443:443
+    {%- if FLEETMASTER or FLEETNODE %}
+      - 8090:8090
+    {%- endif %}
+    - watch:
+      - file: nginxconf
+      - file: nginxconfdir

salt/nodered/init.sls

@@ -61,7 +61,7 @@ noderedlog:
 
 so-nodered:
   docker_container.running:
-    - image: soshybridhunter/so-nodered:HH1.2.1
+    - image: soshybridhunter/so-nodered:HH1.2.2
     - interactive: True
     - binds:
       - /opt/so/conf/nodered/:/data:rw

salt/pcap/init.sls

@@ -12,7 +12,7 @@
 #
 #    You should have received a copy of the GNU General Public License
 #    along with this program.  If not, see <http://www.gnu.org/licenses/>.
-{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.1') %}
+{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %}
 {% set MASTER = salt['grains.get']('master') %}
 {% set INTERFACE = salt['pillar.get']('sensor:interface', 'bond0') %}
 {% set BPF_STENO = salt['pillar.get']('steno:bpf', None) %}

salt/playbook/init.sls

@@ -1,5 +1,5 @@
 {% set MASTERIP = salt['pillar.get']('master:mainip', '') %}
-{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.1') %}
+{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %}
 {% set MASTER = salt['grains.get']('master') %}
 
 playbookdb:

salt/reactor/fleet.sls

@@ -55,7 +55,7 @@ def run():
 
       # Run Docker container that will build the packages
       gen_packages = subprocess.run(["docker", "run","--rm", "--mount", "type=bind,source=/opt/so/saltstack/salt/fleet/packages,target=/output", \
-         "--mount", "type=bind,source=/etc/ssl/certs/intca.crt,target=/var/launcher/launcher.crt", f"{ MASTER }:5000/soshybridhunter/so-fleet-launcher:HH1.2.1", \
+         "--mount", "type=bind,source=/etc/ssl/certs/intca.crt,target=/var/launcher/launcher.crt", f"{ MASTER }:5000/soshybridhunter/so-fleet-launcher:HH1.2.2", \
          f"{ESECRET}", f"{HOSTNAME}:8090", f"{PACKAGEVERSION}.1.1"], stdout=subprocess.PIPE, encoding='ascii')  
       
       # Update the 'packages-built' timestamp on the webpage (stored in the static pillar)

salt/redis/init.sls

@@ -13,7 +13,7 @@
 #    You should have received a copy of the GNU General Public License
 #    along with this program.  If not, see <http://www.gnu.org/licenses/>.
 {% set lsaccessip = salt['pillar.get']('master:lsaccessip', '') %}
-{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.1') %}
+{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %}
 {% set MASTER = salt['grains.get']('master') %}
 
 # Redis Setup

salt/salt/init.sls

@@ -1,3 +1,28 @@
+# Create a state directory
+
+statedir:
+  file.directory:
+    - name: /opt/so/state
+    - user: 939
+    - group: 939
+    - makedirs: True
+
+salttmp:
+  file.directory:
+    - name: /opt/so/tmp
+    - user: 939
+    - group: 939
+    - makedirs: True
+
+{% if grains['os'] != 'CentOS' %}    
+saltpymodules:
+  pkg.installed:
+    - pkgs:
+      - python-docker
+      - python-m2crypto
+  {% endif %}
+
+
 salt_minion_service:
   service.running:
     - name: salt-minion

salt/sensoroni/init.sls

@@ -1,4 +1,4 @@
-{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.1') %}
+{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %}
 {% set MASTER = salt['grains.get']('master') %}
 
 sensoronidir:

salt/soc/files/kratos/kratos.yaml

@@ -6,6 +6,13 @@ selfservice:
     password:
       enabled: true
 
+  settings:
+    privileged_session_max_age: 1m
+    after:
+      profile:
+        hooks:
+          - hook: verify
+          
   verify:
     return_to: https://{{ WEBACCESS }}/
 
@@ -14,29 +21,14 @@ selfservice:
 
   login:
     request_lifespan: 10m
-    after:
-      password:
-        -
-          job: session
-        -
-          job: redirect
-          config:
-            default_redirect_url: https://{{ WEBACCESS }}/
-            allow_user_defined_redirect: true
 
   registration:
     request_lifespan: 10m
     after:
       password:
-        -
+        hooks:
-          job: verify
+          - hook: session
-        -
+          - hook: verify
-          job: session
-        -
-          job: redirect
-          config:
-            default_redirect_url: https://{{ WEBACCESS }}/
-            allow_user_defined_redirect: true
 
 log:
   level: debug
@@ -58,7 +50,7 @@ urls:
     public: https://{{ WEBACCESS }}/auth/
     admin: https://{{ WEBACCESS }}/kratos/
   default_return_to: https://{{ WEBACCESS }}/
-  whitelisted_return_to_domains:
+  whitelisted_return_to_urls:
     - http://127.0.0.1
 
 hashers:

salt/soc/init.sls

@@ -1,4 +1,4 @@
-{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.1') %}
+{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %}
 {% set MASTER = salt['grains.get']('master') %}
 
 socdir:

salt/soctopus/init.sls

@@ -1,4 +1,4 @@
-{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.1') %}
+{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %}
 {% set MASTER = salt['grains.get']('master') %}
 
 soctopusdir:

salt/strelka/init.sls

@@ -14,7 +14,7 @@
 #    along with this program.  If not, see <http://www.gnu.org/licenses/>.
 {%- set MASTER = grains['master'] %}
 {%- set MASTERIP = salt['pillar.get']('static:masterip', '') %}
-{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.1') %}
+{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %}
 
 # Strelka config
 strelkaconfdir:
@@ -72,7 +72,7 @@ strelka_gatekeeper:
 
 strelka_frontend:
   docker_container.running:
-    - image: {{ MASTER }}:5000/soshybridhunter/so-strelka-frontend:HH1.2.1
+    - image: {{ MASTER }}:5000/soshybridhunter/so-strelka-frontend:HH1.2.2
     - binds:
       - /opt/so/conf/strelka/frontend/:/etc/strelka/:ro
       - /nsm/strelka/log/:/var/log/strelka/:rw
@@ -84,7 +84,7 @@ strelka_frontend:
 
 strelka_backend:
   docker_container.running:
-    - image: {{ MASTER }}:5000/soshybridhunter/so-strelka-backend:HH1.2.1
+    - image: {{ MASTER }}:5000/soshybridhunter/so-strelka-backend:HH1.2.2
     - binds:
       - /opt/so/conf/strelka/backend/:/etc/strelka/:ro
       - /opt/so/conf/strelka/backend/yara:/etc/yara/:ro
@@ -94,7 +94,7 @@ strelka_backend:
 
 strelka_manager:
   docker_container.running:
-    - image: {{ MASTER }}:5000/soshybridhunter/so-strelka-manager:HH1.2.1
+    - image: {{ MASTER }}:5000/soshybridhunter/so-strelka-manager:HH1.2.2
     - binds:
       - /opt/so/conf/strelka/manager/:/etc/strelka/:ro
     - name: so-strelka-manager
@@ -102,7 +102,7 @@ strelka_manager:
 
 strelka_filestream:
   docker_container.running:
-    - image: {{ MASTER }}:5000/soshybridhunter/so-strelka-filestream:HH1.2.1
+    - image: {{ MASTER }}:5000/soshybridhunter/so-strelka-filestream:HH1.2.2
     - binds:
       - /opt/so/conf/strelka/filestream/:/etc/strelka/:ro
       - /nsm/strelka:/nsm/strelka

salt/suricata/init.sls

@@ -15,7 +15,7 @@
 
 {% set interface = salt['pillar.get']('sensor:interface', 'bond0') %}
 {% set BROVER = salt['pillar.get']('static:broversion', '') %}
-{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.1') %}
+{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %}
 {% set MASTER = salt['grains.get']('master') %}
 {% set BPF_NIDS = salt['pillar.get']('nids:bpf') %}
 {% set BPF_STATUS = 0  %}

salt/tcpreplay/init.sls

@@ -1,5 +1,5 @@
 {% if grains['role'] == 'so-sensor' or grains['role'] == 'so-eval' %}
-{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.1') %}
+{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %}
 {% set MASTER = salt['grains.get']('master') %}
 
 so-tcpreplay:

salt/telegraf/init.sls

@@ -0,0 +1,70 @@
+{% set MASTER = salt['grains.get']('master') %}
+{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %}
+
+# Add Telegraf to monitor all the things.
+tgraflogdir:
+  file.directory:
+    - name: /opt/so/log/telegraf
+    - makedirs: True
+
+tgrafetcdir:
+  file.directory:
+    - name: /opt/so/conf/telegraf/etc
+    - makedirs: True
+
+tgrafetsdir:
+  file.directory:
+    - name: /opt/so/conf/telegraf/scripts
+    - makedirs: True
+
+tgrafsyncscripts:
+  file.recurse:
+    - name: /opt/so/conf/telegraf/scripts
+    - user: 939
+    - group: 939
+    - file_mode: 755
+    - template: jinja
+    - source: salt://telegraf/scripts
+
+tgrafconf:
+  file.managed:
+    - name: /opt/so/conf/telegraf/etc/telegraf.conf
+    - user: 939
+    - group: 939
+    - template: jinja
+    - source: salt://telegraf/etc/telegraf.conf
+
+so-telegraf:
+  docker_container.running:
+    - image: {{ MASTER }}:5000/soshybridhunter/so-telegraf:{{ VERSION }}
+    - environment:
+      - HOST_PROC=/host/proc
+      - HOST_ETC=/host/etc
+      - HOST_SYS=/host/sys
+      - HOST_MOUNT_PREFIX=/host
+    - network_mode: host
+    - port_bindings:
+      - 127.0.0.1:8094:8094
+    - binds:
+      - /opt/so/log/telegraf:/var/log/telegraf:rw
+      - /opt/so/conf/telegraf/etc/telegraf.conf:/etc/telegraf/telegraf.conf:ro
+      - /var/run/utmp:/var/run/utmp:ro
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+      - /:/host/root:ro
+      - /sys:/host/sys:ro
+      - /proc:/host/proc:ro
+      - /nsm:/host/nsm:ro
+      - /etc:/host/etc:ro
+      {% if grains['role'] == 'so-master' or grains['role'] == 'so-eval' or grains['role'] == 'so-mastersearch' %}
+      - /etc/pki/ca.crt:/etc/telegraf/ca.crt:ro
+      {% else %}
+      - /etc/ssl/certs/intca.crt:/etc/telegraf/ca.crt:ro
+      {% endif %}
+      - /etc/pki/influxdb.crt:/etc/telegraf/telegraf.crt:ro
+      - /etc/pki/influxdb.key:/etc/telegraf/telegraf.key:ro
+      - /opt/so/conf/telegraf/scripts:/scripts:ro
+      - /opt/so/log/stenographer:/var/log/stenographer:ro
+      - /opt/so/log/suricata:/var/log/suricata:ro
+    - watch:
+      - file: tgrafconf
+      - file: tgrafsyncscripts

salt/top.sls

@@ -11,15 +11,17 @@
 
 base:
   '*':
+    - salt
+    - docker
     - patch.os.schedule
     - motd
-    - salt
 
   '*_helix':
     - ca
     - ssl
     - registry
     - common
+    - telegraf
     - firewall
     - idstools
     - pcap
@@ -34,6 +36,7 @@ base:
     - ca
     - ssl
     - common
+    - telegraf
     - firewall
     - pcap
     - suricata
@@ -57,6 +60,10 @@ base:
     - registry
     - master
     - common
+    - nginx
+    - telegraf
+    - influxdb
+    - grafana
     - soc
     - firewall
     - idstools
@@ -105,6 +112,10 @@ base:
     - ssl
     - registry
     - common
+    - nginx
+    - telegraf
+    - influxdb
+    - grafana
     - soc
     - firewall
     - master
@@ -179,6 +190,7 @@ base:
     - ca
     - ssl
     - common
+    - telegraf
     - firewall
     {%- if WAZUH != 0 %}
     - wazuh
@@ -194,6 +206,10 @@ base:
 
   '*_mastersensor':
     - common
+    - nginx
+    - telegraf
+    - influxdb
+    - grafana
     - firewall
     - sensor
     - master
@@ -207,6 +223,10 @@ base:
     - ssl
     - registry
     - common
+    - nginx
+    - telegraf
+    - influxdb
+    - grafana
     - soc
     - firewall
     - master
@@ -248,6 +268,7 @@ base:
     - ca
     - ssl
     - common
+    - telegraf
     - firewall
     - redis
     {%- if WAZUH != 0 %}
@@ -272,6 +293,8 @@ base:
     - ca
     - ssl
     - common
+    - nginx
+    - telegraf
     - firewall
     - mysql
     - redis

salt/wazuh/init.sls

@@ -1,5 +1,5 @@
 {%- set HOSTNAME = salt['grains.get']('host', '') %}
-{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.1') %}
+{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %}
 {% set MASTER = salt['grains.get']('master') %}
 # Add ossec group
 ossecgroup:

salt/zeek/defaults.yml

@@ -1,17 +0,0 @@
-zeek:
-  zeekctl:
-    MailTo: root@localhost
-    MailConnectionSummary: 1
-    MinDiskSpace: 5
-    MailHostUpDown: 1
-    LogRotationInterval: 3600
-    LogExpireInterval: 0
-    StatsLogEnable: 1
-    StatsLogExpireInterval: 0
-    StatusCmdShowAll: 0
-    CrashExpireInterval: 0
-    SitePolicyScripts: local.zeek
-    LogDir: /nsm/zeek/logs
-    SpoolDir: /nsm/zeek/spool
-    CfgDir: /opt/zeek/etc
-    CompressLogs: 1

salt/zeek/files/local.zeek

@@ -1,132 +0,0 @@
-##! Local site policy. Customize as appropriate.
-##!
-##! This file will not be overwritten when upgrading or reinstalling!
-
-# This script logs which scripts were loaded during each run.
-@load misc/loaded-scripts
-
-# Apply the default tuning scripts for common tuning settings.
-@load tuning/defaults
-
-# Estimate and log capture loss.
-@load misc/capture-loss
-
-# Enable logging of memory, packet and lag statistics.
-@load misc/stats
-
-# Load the scan detection script.  It's disabled by default because
-# it often causes performance issues.
-#@load misc/scan
-
-# Detect traceroute being run on the network. This could possibly cause
-# performance trouble when there are a lot of traceroutes on your network.
-# Enable cautiously.
-#@load misc/detect-traceroute
-
-# Generate notices when vulnerable versions of software are discovered.
-# The default is to only monitor software found in the address space defined
-# as "local".  Refer to the software framework's documentation for more
-# information.
-@load frameworks/software/vulnerable
-
-# Detect software changing (e.g. attacker installing hacked SSHD).
-@load frameworks/software/version-changes
-
-# This adds signatures to detect cleartext forward and reverse windows shells.
-@load-sigs frameworks/signatures/detect-windows-shells
-
-# Load all of the scripts that detect software in various protocols.
-@load protocols/ftp/software
-@load protocols/smtp/software
-@load protocols/ssh/software
-@load protocols/http/software
-# The detect-webapps script could possibly cause performance trouble when
-# running on live traffic.  Enable it cautiously.
-#@load protocols/http/detect-webapps
-
-# This script detects DNS results pointing toward your Site::local_nets
-# where the name is not part of your local DNS zone and is being hosted
-# externally.  Requires that the Site::local_zones variable is defined.
-@load protocols/dns/detect-external-names
-
-# Script to detect various activity in FTP sessions.
-@load protocols/ftp/detect
-
-# Scripts that do asset tracking.
-@load protocols/conn/known-hosts
-@load protocols/conn/known-services
-@load protocols/ssl/known-certs
-
-# This script enables SSL/TLS certificate validation.
-@load protocols/ssl/validate-certs
-
-# This script prevents the logging of SSL CA certificates in x509.log
-@load protocols/ssl/log-hostcerts-only
-
-# Uncomment the following line to check each SSL certificate hash against the ICSI
-# certificate notary service; see http://notary.icsi.berkeley.edu .
-# @load protocols/ssl/notary
-
-# If you have GeoIP support built in, do some geographic detections and
-# logging for SSH traffic.
-@load protocols/ssh/geo-data
-# Detect hosts doing SSH bruteforce attacks.
-@load protocols/ssh/detect-bruteforcing
-# Detect logins using "interesting" hostnames.
-@load protocols/ssh/interesting-hostnames
-
-# Detect SQL injection attacks.
-@load protocols/http/detect-sqli
-
-#### Network File Handling ####
-
-# Enable MD5 and SHA1 hashing for all files.
-@load frameworks/files/hash-all-files
-
-# Detect SHA1 sums in Team Cymru's Malware Hash Registry.
-@load frameworks/files/detect-MHR
-
-# Extend email alerting to include hostnames
-@load policy/frameworks/notice/extend-email/hostnames
-
-# Uncomment the following line to enable detection of the heartbleed attack. Enabling
-# this might impact performance a bit.
-# @load policy/protocols/ssl/heartbleed
-
-# Uncomment the following line to enable logging of connection VLANs. Enabling
-# this adds two VLAN fields to the conn.log file.
-# @load policy/protocols/conn/vlan-logging
-
-# Uncomment the following line to enable logging of link-layer addresses. Enabling
-# this adds the link-layer address for each connection endpoint to the conn.log file.
-# @load policy/protocols/conn/mac-logging
-
-# JA3 - SSL Detection Goodness
-@load ja3
-
-# HASSH
-@load hassh
-
-# You can load your own intel into:
-# /opt/so/saltstack/bro/policy/intel/ on the master
-@load intel
-
-# Load a custom Bro policy
-# /opt/so/saltstack/bro/policy/custom/ on the master
-#@load custom/somebropolicy.bro
-
-# Write logs in JSON
-redef LogAscii::use_json = T;
-redef LogAscii::json_timestamps = JSON::TS_ISO8601;
-
-# CVE-2020-0601
-@load cve-2020-0601
-
-# BPF Configuration
-@load securityonion/bpfconf
-
-# Community ID
-@load securityonion/communityid
-
-# Extracted files
-@load securityonion/file-extraction

salt/zeek/files/local.zeek.jinja

@@ -0,0 +1,11 @@
+##! Local site policy.
+
+{%- set ALLOWEDOPTIONS = [ '@load', '@load-sigs', 'redef' ] %}
+
+{%- for k, v in LOCAL.items() %}
+  {%- if k|lower in ALLOWEDOPTIONS %}
+    {%- for li in v|sort %}
+{{ k }} {{ li }}
+    {%- endfor %}
+  {%- endif %}
+{%- endfor %}

salt/zeek/files/zeekctl.cfg.jinja

@@ -2,7 +2,7 @@
 
 {%- set ALLOWEDOPTIONS = ['commtimeout','commandtimeout','compresscmd','compressextension','compresslogs','compresslogsinflight','controltopic','crashexpireinterval','croncmd','debug','env_vars','havenfs','keeplogs','logdir','logexpireinterval','logrotationinterval','mailalarmsinterval','mailalarmsto','mailarchivelogfail','mailconnectionsummary','mailfrom','mailhostupdown','mailreceivingpackets','mailreplyto','mailsubjectprefix','mailto','makearchivename','memlimit','mindiskspace','pfringclusterid','pfringclustertype','pfringfirstappinstance','prefixes','savetraces','sendmail','sitepluginpath','sitepolicypath','sitepolicyscripts','statslogenable','statslogexpireinterval','statuscmdshowall','stoptimeout','stopwait','timefmt','timemachinehost','timemachineport','zeekargs','zeekport','bindir','capstatspath','cfgdir','debuglog','defaultstoredir','helperdir','libdir','libdir64','libdirinternal','localnetscfg','lockfile','logexpireminutes','nodecfg','os','pcapbufsize','pcapsnaplen','plugindir','pluginzeekdir','policydir','policydirsiteinstall','policydirsiteinstallauto','postprocdir','scriptsdir','spooldir','standalone','statefile','staticdir','statsdir','statslog','time','tmpdir','tmpexecdir','tracesummary','version','zeek','zeekbase'] %}
 
-{%- for option in ZEEKCTL %}
+{%- for option in ZEEKCTL|sort %}
   {%- if option|lower in ALLOWEDOPTIONS %}
 {{ option }} = {{ ZEEKCTL[option] }}
   {%- endif %}

salt/zeek/init.sls

@@ -1,11 +1,10 @@
-{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.1') %}
+{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %}
 {% set MASTER = salt['grains.get']('master') %}
 {% set BPF_ZEEK = salt['pillar.get']('zeek:bpf', {}) %}
 {% set BPF_STATUS = 0  %}
 {% set INTERFACE = salt['pillar.get']('sensor:interface', 'bond0') %}
 
-{% import_yaml 'zeek/defaults.yml' as ZEEKDEFAULTS %}
+{% set ZEEK = salt['pillar.get']('zeek', {}) %}
-{% set ZEEK = salt['pillar.get']('zeek', default=ZEEKDEFAULTS.zeek, merge=True) %}
 
 # Zeek Salt State
 
@@ -144,13 +143,16 @@ zeekbpf:
       - "ip or not ip"
 {% endif %}
 
+
 localzeeksync:
   file.managed:
     - name: /opt/so/conf/zeek/local.zeek
-    - source: salt://zeek/files/local.zeek
+    - source: salt://zeek/files/local.zeek.jinja
     - user: 937
     - group: 939
     - template: jinja
+    - defaults:
+        LOCAL: {{ ZEEK.local | tojson }}
 
 so-zeek:
   docker_container.running:

setup/so-variables

@@ -32,5 +32,5 @@ export percentage_str='Getting started'
 
 export DEBIAN_FRONTEND=noninteractive
 
-export so_version=1.2.1
+export so_version=1.2.2
 

upgrade/so-update-functions

@@ -17,7 +17,7 @@
 
 # Set the new SO Version
 
-UPDATEVERSION=1.2.1
+UPDATEVERSION=1.2.2
 BUILD=HH
 
 #Determine the current install version
@@ -35,7 +35,6 @@ HOSTNAME=$(hostname)
 if [ $MASTERCHECK != 'so-helix' ]; then
     TRUSTED_CONTAINERS=( \
     "so-acng:$BUILD$UPDATEVERSION" \
-    "so-core:$BUILD$UPDATEVERSION" \
     "so-thehive-cortex:$BUILD$UPDATEVERSION" \
     "so-curator:$BUILD$UPDATEVERSION" \
     "so-domainstats:$BUILD$UPDATEVERSION" \
@@ -53,6 +52,7 @@ if [ $MASTERCHECK != 'so-helix' ]; then
     "so-logstash:$BUILD$UPDATEVERSION" \
     "so-mysql:$BUILD$UPDATEVERSION" \
     "so-navigator:$BUILD$UPDATEVERSION" \
+    "so-nginx:$BUILD$UPDATEVERSION" \
     "so-playbook:$BUILD$UPDATEVERSION" \
     "so-redis:$BUILD$UPDATEVERSION" \
     "so-soc:$BUILD$UPDATEVERSION" \
@@ -67,10 +67,10 @@ if [ $MASTERCHECK != 'so-helix' ]; then
     "so-zeek:$BUILD$UPDATEVERSION" )
   else
     TRUSTED_CONTAINERS=( \
-    "so-core:$BUILD$UPDATEVERSION" \
     "so-filebeat:$BUILD$UPDATEVERSION" \
     "so-idstools:$BUILD$UPDATEVERSION" \
     "so-logstash:$BUILD$UPDATEVERSION" \
+    "so-nginx:$BUILD$UPDATEVERSION" \
     "so-redis:$BUILD$UPDATEVERSION" \
     "so-steno:$BUILD$UPDATEVERSION" \
     "so-suricata:$BUILD$UPDATEVERSION" \
@@ -156,12 +156,12 @@ salt_highstate() {
 update_held_packages() {
 
     if [ $OS == "centos" ]
-      SALTVER=2019.2.3
+      SALTVER=2019.2.4
       DOCKERVER=
       yum -y --disableexcludes=all update salt-$SALTVER
       yum -y --disableexcludes=all update docker-ce-$DOCKERVER
     else
-      SALTVER=2019.2.3+ds-1
+      SALTVER=2019.2.4+ds-1
       DOCKERVER=5:19.03.8~3-0~ubuntu-xenial
     fi