Merge pull request #221 from Security-Onion-Solutions/feature/registry

Feature/registry
2025-12-06 09:12:45 +01:00 · 2020-01-14 15:50:08 -05:00
parent d84cc41e12 54fb2ad244
commit 8550dc63c2
44 changed files with 3687 additions and 2857 deletions
--- a/salt/common/init.sls
+++ b/salt/common/init.sls
@@ -1,3 +1,5 @@
+{% set VERSION = salt['pillar.get']('static:soversion', '1.1.4') %}
+{% set MASTER = salt['grains.get']('master') %}
 {%- set GRAFANA = salt['pillar.get']('master:grafana', '0') %}
 # Add socore Group
 socoregroup:
@@ -114,16 +116,9 @@ nginxtmp:
    - group: 939
    - makedirs: True

-# Start the core docker
-so-coreimage:
- cmd.run:
-   - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-core:HH1.1.4
-
 so-core:
  docker_container.running:
-    - require:
-      - so-coreimage
-    - image: docker.io/soshybridhunter/so-core:HH1.1.4
+    - image: {{ MASTER }}:5000/soshybridhunter/so-core:HH{{ VERSION }}
    - hostname: so-core
    - user: socore
    - binds:
@@ -175,15 +170,9 @@ tgrafconf:
    - template: jinja
    - source: salt://common/telegraf/etc/telegraf.conf

-so-telegrafimage:
- cmd.run:
-   - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-telegraf:HH1.1.0
-
 so-telegraf:
  docker_container.running:
-    - require:
-      - so-telegrafimage
-    - image: docker.io/soshybridhunter/so-telegraf:HH1.1.0
+    - image: {{ MASTER }}:5000/soshybridhunter/so-telegraf:HH{{ VERSION }}
    - environment:
      - HOST_PROC=/host/proc
      - HOST_ETC=/host/etc
@@ -236,15 +225,9 @@ influxdbconf:
    - template: jinja
    - source: salt://common/influxdb/etc/influxdb.conf

-so-influximage:
- cmd.run:
-   - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-influxdb:HH1.1.0
-
 so-influxdb:
  docker_container.running:
-    - require:
-      - so-influximage
-    - image: docker.io/soshybridhunter/so-influxdb:HH1.1.0
+    - image: {{ MASTER }}:5000/soshybridhunter/so-influxdb:HH{{ VERSION }}
    - hostname: influxdb
    - environment:
      - INFLUXDB_HTTP_LOG_ENABLED=false
@@ -303,7 +286,7 @@ grafanadashfndir:

 grafanadashsndir:
  file.directory:
-    - name: /opt/so/conf/grafana/grafana_dashboards/storage_nodes
+    - name: /opt/so/conf/grafana/grafana_dashboards/search_nodes
    - user: 939
    - group: 939
    - makedirs: True
@@ -362,11 +345,11 @@ dashboard-{{ SN }}:
 {%- for SN, SNDATA in salt['pillar.get']('nodestab', {}).items() %}
 dashboard-{{ SN }}:
  file.managed:
-    - name: /opt/so/conf/grafana/grafana_dashboards/storage_nodes/{{ SN }}-Node.json
+    - name: /opt/so/conf/grafana/grafana_dashboards/search_nodes/{{ SN }}-Node.json
    - user: 939
    - group: 939
    - template: jinja
-    - source: salt://common/grafana/grafana_dashboards/storage_nodes/storage.json
+    - source: salt://common/grafana/grafana_dashboards/search_nodes/searchnode.json
    - defaults:
      SERVERNAME: {{ SN }}
      MANINT: {{ SNDATA.manint }}
@@ -400,14 +383,9 @@ dashboard-{{ SN }}:
 {% endfor %}
 {% endif %}

-# Install the docker. This needs to be behind nginx at some point
-so-grafanaimage:
- cmd.run:
-   - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-grafana:HH1.1.0
-
 so-grafana:
  docker_container.running:
-    - image: docker.io/soshybridhunter/so-grafana:HH1.1.0
+    - image: {{ MASTER }}:5000/soshybridhunter/so-grafana:HH{{ VERSION }}
    - hostname: grafana
    - user: socore
    - binds:
--- a/salt/common/tools/sbin/so-elastic-download
+++ b/salt/common/tools/sbin/so-elastic-download
@@ -0,0 +1,46 @@
+#!/bin/bash
+MASTER=MASTER
+VERSION="HH1.1.4"
+TRUSTED_CONTAINERS=( \
+"so-auth-api:$VERSION" \
+"so-auth-ui:$VERSION" \
+"so-core:$VERSION" \
+"so-thehive-cortex:$VERSION" \
+"so-curator:$VERSION" \
+"so-domainstats:$VERSION" \
+"so-elastalert:$VERSION" \
+"so-elasticsearch:$VERSION" \
+"so-filebeat:$VERSION" \
+"so-fleet:$VERSION" \
+"so-fleet-launcher:$VERSION" \
+"so-freqserver:$VERSION" \
+"so-grafana:$VERSION" \
+"so-idstools:$VERSION" \
+"so-influxdb:$VERSION" \
+"so-kibana:$VERSION" \
+"so-logstash:$VERSION" \
+"so-mysql:$VERSION" \
+"so-navigator:$VERSION" \
+"so-playbook:$VERSION" \
+"so-redis:$VERSION" \
+"so-sensoroni:$VERSION" \
+"so-soctopus:$VERSION" \
+"so-steno:$VERSION" \
+#"so-strelka:$VERSION" \
+"so-suricata:$VERSION" \
+"so-telegraf:$VERSION" \
+"so-thehive:$VERSION" \
+"so-thehive-es:$VERSION" \
+"so-wazuh:$VERSION" \
+"so-zeek:$VERSION" )
+
+for i in "${TRUSTED_CONTAINERS[@]}"
+do
+  # Pull down the trusted docker image
+  echo "Downloading $i"
+  docker pull --disable-content-trust=false docker.io/soshybridhunter/$i
+  # Tag it with the new registry destination
+  docker tag soshybridhunter/$i $MASTER:5000/soshybridhunter/$i
+  docker push $MASTER:5000/soshybridhunter/$i
+  docker rmi soshybridhunter/$i
+done
--- a/salt/curator/init.sls
+++ b/salt/curator/init.sls
@@ -1,3 +1,5 @@
+{% set VERSION = salt['pillar.get']('static:soversion', '1.1.4') %}
+{% set MASTER = salt['grains.get']('master') %}
 {% if grains['role'] == 'so-node' or grains['role'] == 'so-eval' %}
 # Curator
 # Create the group
@@ -112,15 +114,9 @@ curdel:
   - month: '*'
   - dayweek: '*'

-so-curatorimage:
- cmd.run:
-   - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-curator:HH1.1.0
-
 so-curator:
  docker_container.running:
-    - require:
-      - so-curatorimage
-    - image: docker.io/soshybridhunter/so-curator:HH1.1.0
+    - image: {{ MASTER }}:5000/soshybridhunter/so-curator:HH{{ VERSION }}
    - hostname: curator
    - name: so-curator
    - user: curator
--- a/salt/elastalert/init.sls
+++ b/salt/elastalert/init.sls
@@ -12,7 +12,8 @@
 #
 #    You should have received a copy of the GNU General Public License
 #    along with this program.  If not, see <http://www.gnu.org/licenses/>.
-
+{% set VERSION = salt['pillar.get']('static:soversion', '1.1.4') %}
+{% set MASTER = salt['grains.get']('master') %}
 {% if grains['role'] == 'so-master' %}

 {% set esalert = salt['pillar.get']('master:elastalert', '1') %}
@@ -109,15 +110,9 @@ elastaconf:
    - group: 939
    - template: jinja

-so-elastalertimage:
- cmd.run:
-   - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-elastalert:HH1.1.1
-
 so-elastalert:
  docker_container.running:
-    - require:
-      - so-elastalertimage
-    - image: docker.io/soshybridhunter/so-elastalert:HH1.1.1
+    - image: {{ MASTER }}:5000/soshybridhunter/so-elastalert:HH{{ VERSION }}
    - hostname: elastalert
    - name: so-elastalert
    - user: elastalert
--- a/salt/elasticsearch/init.sls
+++ b/salt/elasticsearch/init.sls
@@ -12,6 +12,8 @@
 #
 #    You should have received a copy of the GNU General Public License
 #    along with this program.  If not, see <http://www.gnu.org/licenses/>.
+{% set VERSION = salt['pillar.get']('static:soversion', '1.1.4') %}
+{% set MASTER = salt['grains.get']('master') %}
 {% if grains['role'] == 'so-master' %}

 {% set esclustername = salt['pillar.get']('master:esclustername', '') %}
@@ -98,15 +100,9 @@ eslogdir:
    - group: 939
    - makedirs: True

-so-elasticsearchimage:
- cmd.run:
-   - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-elasticsearch:HH1.1.4
-
 so-elasticsearch:
  docker_container.running:
-    - require:
-      - so-elasticsearchimage
-    - image: docker.io/soshybridhunter/so-elasticsearch:HH1.1.4
+    - image: {{ MASTER }}:5000/soshybridhunter/so-elasticsearch:HH{{ VERSION }}
    - hostname: elasticsearch
    - name: so-elasticsearch
    - user: elasticsearch
@@ -140,7 +136,3 @@ so-elasticsearch-pipelines-file:
 so-elasticsearch-pipelines:
 cmd.run:
   - name: /opt/so/conf/elasticsearch/so-elasticsearch-pipelines {{ esclustername }}
-
-# Tell the main cluster I am here
-#curl -XPUT http://\$ELASTICSEARCH_HOST:\$ELASTICSEARCH_PORT/_cluster/settings -H'Content-Type: application/json' -d '{"persistent": {"search": {"remote": {"$HOSTNAME": {"skip_unavailable": "true", "seeds": ["$DOCKER_INTERFACE:$REVERSE_PORT"]}}}}}'
-
--- a/salt/filebeat/init.sls
+++ b/salt/filebeat/init.sls
@@ -1,4 +1,4 @@
-# Copyright 2014,2015,2016,2017,2018 Security Onion Solutions, LLC
+  # Copyright 2014,2015,2016,2017,2018 Security Onion Solutions, LLC

 #    This program is free software: you can redistribute it and/or modify
 #    it under the terms of the GNU General Public License as published by
@@ -12,7 +12,8 @@
 #
 #    You should have received a copy of the GNU General Public License
 #    along with this program.  If not, see <http://www.gnu.org/licenses/>.
-{%- set MASTER = grains['master'] %}
+{% set VERSION = salt['pillar.get']('static:soversion', '1.1.4') %}
+{% set MASTER = salt['grains.get']('master') %}
 {%- set MASTERIP = salt['pillar.get']('static:masterip', '') %}

 # Filebeat Setup
@@ -46,25 +47,9 @@ filebeatconfsync:
    - group: 0
    - template: jinja

-#filebeatcrt:
-#  file.managed:
-#    - name: /opt/so/conf/filebeat/etc/pki/filebeat.crt
-#    - source: salt://filebeat/files/filebeat.crt
-
-#filebeatkey:
-#  file.managed:
-#    - name: /opt/so/conf/filebeat/etc/pki/filebeat.key
-#    - source: salt://filebeat/files/filebeat.key
-
-so-filebeatimage:
- cmd.run:
-   - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-filebeat:HH1.1.4
-
 so-filebeat:
  docker_container.running:
-    - require:
-      - so-filebeatimage
-    - image: docker.io/soshybridhunter/so-filebeat:HH1.1.4
+    - image: {{ MASTER }}:5000/soshybridhunter/so-filebeat:HH{{ VERSION }}
    - hostname: so-filebeat
    - user: root
    - extra_hosts: {{ MASTER }}:{{ MASTERIP }}
--- a/salt/fleet/init.sls
+++ b/salt/fleet/init.sls
@@ -1,6 +1,8 @@
 {%- set MYSQLPASS = salt['pillar.get']('auth:mysql', 'iwonttellyou') %}
 {%- set FLEETPASS = salt['pillar.get']('auth:fleet', 'bazinga') -%}
 {%- set MASTERIP = salt['pillar.get']('static:masterip', '') -%}
+{% set VERSION = salt['pillar.get']('static:soversion', '1.1.4') %}
+{% set MASTER = salt['grains.get']('master') %}

 # Fleet Setup
 fleetcdir:
@@ -59,15 +61,9 @@ fleetdbpriv:
    - user: fleetdbuser
    - host: 172.17.0.0/255.255.0.0

-so-fleetimage:
- cmd.run:
-   - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-fleet:HH1.1.3
-
 so-fleet:
  docker_container.running:
-    - require:
-      - so-fleetimage
-    - image: docker.io/soshybridhunter/so-fleet:HH1.1.3
+    - image: {{ MASTER }}:5000/soshybridhunter/so-fleet:HH{{ VERSION }}
    - hostname: so-fleet
    - port_bindings:
      - 0.0.0.0:8080:8080
--- a/salt/hive/init.sls
+++ b/salt/hive/init.sls
@@ -1,4 +1,6 @@
 {% set MASTERIP = salt['pillar.get']('master:mainip', '') %}
+{% set VERSION = salt['pillar.get']('static:soversion', '1.1.4') %}
+{% set MASTER = salt['grains.get']('master') %}
 hiveconfdir:
  file.directory:
    - name: /opt/so/conf/hive/etc
@@ -53,15 +55,9 @@ hiveesdata:
    - user: 939
    - group: 939

-so-thehive-esimage:
- cmd.run:
-   - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-thehive-es:HH1.1.4
-
 so-thehive-es:
  docker_container.running:
-    - require:
-      - so-thehive-esimage
-    - image: docker.io/soshybridhunter/so-thehive-es:HH1.1.4
+    - image: {{ MASTER }}:5000/soshybridhunter/so-thehive-es:HH{{ VERSION }}
    - hostname: so-thehive-es
    - name: so-thehive-es
    - user: 939
--- a/salt/idstools/init.sls
+++ b/salt/idstools/init.sls
@@ -12,7 +12,8 @@
 #
 #    You should have received a copy of the GNU General Public License
 #    along with this program.  If not, see <http://www.gnu.org/licenses/>.
-
+{% set VERSION = salt['pillar.get']('static:soversion', '1.1.4') %}
+{% set MASTER = salt['grains.get']('master') %}
 # IDSTools Setup
 idstoolsdir:
  file.directory:
@@ -61,15 +62,9 @@ ruleslink:
    - name: /opt/so/saltstack/salt/suricata/rules
    - target: /opt/so/rules/nids

-so-idstoolsimage:
- cmd.run:
-   - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-idstools:HH1.1.0
-
 so-idstools:
  docker_container.running:
-    - require:
-      - so-idstoolsimage
-    - image: docker.io/soshybridhunter/so-idstools:HH1.1.0
+    - image: {{ MASTER }}:5000/soshybridhunter/so-idstools:HH{{ VERSION }}
    - hostname: so-idstools
    - user: socore
    - binds:
--- a/salt/kibana/init.sls
+++ b/salt/kibana/init.sls
@@ -1,4 +1,5 @@
-{% set master = salt['grains.get']('master') %}
+{% set VERSION = salt['pillar.get']('static:soversion', '1.1.4') %}
+{% set MASTER = salt['grains.get']('master') %}

 # Add ES Group
 kibanasearchgroup:
@@ -52,25 +53,17 @@ synckibanacustom:
    - user: 932
    - group: 939

-# File.Recurse for custom saved dashboards
-
-so-kibanaimage:
- cmd.run:
-   - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-kibana:HH1.1.4
-
 # Start the kibana docker
 so-kibana:
  docker_container.running:
-    - require:
-      - so-kibanaimage
-    - image: docker.io/soshybridhunter/so-kibana:HH1.1.4
+    - image: {{ MASTER }}:5000/soshybridhunter/so-kibana:HH{{ VERSION }}
    - hostname: kibana
    - user: kibana
    - environment:
      - KIBANA_DEFAULTAPPID=dashboard/94b52620-342a-11e7-9d52-4f090484f59e
-      - ELASTICSEARCH_HOST={{ master }}
+      - ELASTICSEARCH_HOST={{ MASTER }}
      - ELASTICSEARCH_PORT=9200
-      - MASTER={{ master }}
+      - MASTER={{ MASTER }}
    - binds:
      - /opt/so/conf/kibana/etc:/usr/share/kibana/config:rw
      - /opt/so/log/kibana:/var/log/kibana:rw
@@ -78,11 +71,3 @@ so-kibana:
      - /sys/fs/cgroup:/sys/fs/cgroup:ro
    - port_bindings:
      - 0.0.0.0:5601:5601
-
-# Keep the setting correct
-#KibanaHappy:
-#  cmd.script:
-#    - shell: /bin/bash
-#    - runas: socore
-#    - source: salt://kibana/bin/keepkibanahappy.sh
-#    - template: jinja
--- a/salt/logstash/init.sls
+++ b/salt/logstash/init.sls
@@ -12,7 +12,8 @@
 #
 #    You should have received a copy of the GNU General Public License
 #    along with this program.  If not, see <http://www.gnu.org/licenses/>.
-
+{% set VERSION = salt['pillar.get']('static:soversion', '1.1.4') %}
+{% set MASTER = salt['grains.get']('master') %}
 # Logstash Section - Decide which pillar to use
 {% if grains['role'] == 'so-sensor' %}

@@ -152,16 +153,9 @@ lslogdir:
    - group: 939
    - makedirs: True

-# Add the container
-so-logstashimage:
- cmd.run:
-   - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-logstash:HH1.1.4
-
 so-logstash:
  docker_container.running:
-    - require:
-      - so-logstashimage
-    - image: docker.io/soshybridhunter/so-logstash:HH1.1.4
+    - image: {{ MASTER }}:5000/soshybridhunter/so-logstash:HH{{ VERSION }}
    - hostname: so-logstash
    - name: so-logstash
    - user: logstash
--- a/salt/master/init.sls
+++ b/salt/master/init.sls
@@ -12,7 +12,8 @@
 #
 #    You should have received a copy of the GNU General Public License
 #    along with this program.  If not, see <http://www.gnu.org/licenses/>.
-
+{% set VERSION = salt['pillar.get']('static:soversion', '1.1.4') %}
+{% set MASTER = salt['grains.get']('master') %}
 {% set masterproxy = salt['pillar.get']('static:masterupdate', '0') %}

 {% if masterproxy == 1 %}
@@ -55,16 +56,10 @@ acngcopyconf:
    - name: /opt/so/conf/aptcacher-ng/etc/acng.conf
    - source: salt://master/files/acng/acng.conf

-so-acngimage:
- cmd.run:
-   - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-acng:HH1.1.0
-
 # Install the apt-cacher-ng container
 so-aptcacherng:
  docker_container.running:
-    - require:
-      - so-acngimage
-    - image: docker.io/soshybridhunter/so-acng:HH1.1.0
+    - image: {{ MASTER }}:5000/soshybridhunter/so-acng:HH{{ VERSION }}
    - hostname: so-acng
    - port_bindings:
      - 0.0.0.0:3142:3142
@@ -73,39 +68,4 @@ so-aptcacherng:
      - /opt/so/log/aptcacher-ng:/var/log/apt-cacher-ng:rw
      - /opt/so/conf/aptcacher-ng/etc/acng.conf:/etc/apt-cacher-ng/acng.conf:ro

-
-# Create the config directory for the docker registry
-dockerregistryconfdir:
-  file.directory:
-    - name: /opt/so/conf/docker-registry/etc
-    - user: 939
-    - group: 939
-    - makedirs: True
-
-dockerregistrylogdir:
-  file.directory:
-    - name: /opt/so/log/docker-registry
-    - user: 939
-    - group: 939
-    - makedirs: true
-
-# Copy the config
-dockerregistryconf:
-  file.managed:
-    - name: /opt/so/conf/docker-registry/etc/config.yml
-    - source: salt://master/files/registry/config.yml
-
-# Install the registry container
-so-dockerregistry:
-  docker_container.running:
-    - image: registry:2
-    - hostname: so-registry
-    - port_bindings:
-      - 0.0.0.0:5000:5000
-    - binds:
-      - /opt/so/conf/docker-registry/etc/config.yml:/etc/docker/registry/config.yml:ro
-      - /opt/so/conf/docker-registry:/var/lib/registry:rw
-      - /etc/pki/registry.crt:/etc/pki/registry.crt:ro
-      - /etc/pki/registry.key:/etc/pki/registry.key:ro
-
 {% endif %}
--- a/salt/mysql/init.sls
+++ b/salt/mysql/init.sls
@@ -1,6 +1,8 @@
 {%- set MYSQLPASS = salt['pillar.get']('auth:mysql', 'iwonttellyou') %}
 {%- set FLEETPASS = salt['pillar.get']('auth:fleet', 'bazinga') %}
 {%- set MASTERIP = salt['pillar.get']('static:masterip', '') %}
+{% set VERSION = salt['pillar.get']('static:soversion', '1.1.4') %}
+{% set MASTER = salt['grains.get']('master') %}
 # MySQL Setup
 mysqlpkgs:
  pkg.installed:
@@ -48,15 +50,9 @@ mysqldatadir:
    - group: 939
    - makedirs: True

-so-mysqlimage:
- cmd.run:
-   - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-mysql:HH1.1.0
-
 so-mysql:
  docker_container.running:
-    - require:
-      - so-mysqlimage
-    - image: docker.io/soshybridhunter/so-mysql:HH1.1.0
+    - image: {{ MASTER }}:5000/soshybridhunter/so-mysql:HH{{ VERSION }}
    - hostname: so-mysql
    - user: socore
    - port_bindings:
--- a/salt/pcap/init.sls
+++ b/salt/pcap/init.sls
@@ -1,4 +1,4 @@
-# Copyright 2014,2015,2016,2017,2018 Security Onion Solutions, LLC
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC

 #    This program is free software: you can redistribute it and/or modify
 #    it under the terms of the GNU General Public License as published by
@@ -12,7 +12,8 @@
 #
 #    You should have received a copy of the GNU General Public License
 #    along with this program.  If not, see <http://www.gnu.org/licenses/>.
-
+{% set VERSION = salt['pillar.get']('static:soversion', '1.1.4') %}
+{% set MASTER = salt['grains.get']('master') %}
 # PCAP Section

 # Create the logstash group
@@ -94,15 +95,9 @@ stenolog:
    - group: 941
    - makedirs: True

-so-stenoimage:
- cmd.run:
-   - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-steno:HH1.1.3
-
 so-steno:
  docker_container.running:
-    - require:
-      - so-stenoimage
-    - image: docker.io/soshybridhunter/so-steno:HH1.1.3
+    - image: {{ MASTER }}:5000/soshybridhunter/so-steno:HH{{ VERSION }}
    - network_mode: host
    - privileged: True
    - port_bindings:
--- a/salt/playbook/init.sls
+++ b/salt/playbook/init.sls
@@ -1,4 +1,6 @@
 {% set MASTERIP = salt['pillar.get']('master:mainip', '') %}
+{% set VERSION = salt['pillar.get']('static:soversion', '1.1.4') %}
+{% set MASTER = salt['grains.get']('master') %}

 playbookdb:
  file.managed:
@@ -24,15 +26,9 @@ navigatorconfig:
    - makedirs: True
    - template: jinja

-so-playbookimage:
-  cmd.run:
-    - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-playbook:HH1.1.3
-
 so-playbook:
  docker_container.running:
-    - require:
-      - so-playbookimage
-    - image: docker.io/soshybridhunter/so-playbook:HH1.1.3
+    - image: {{ MASTER }}:5000/soshybridhunter/so-playbook:HH{{ VERSION }}
    - hostname: playbook
    - name: so-playbook
    - binds:
@@ -40,15 +36,9 @@ so-playbook:
    - port_bindings:
      - 0.0.0.0:3200:3000

-so-navigatorimage:
-  cmd.run:
-    - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-navigator:HH1.1.1
-
 so-navigator:
  docker_container.running:
-    - require:
-      - so-navigatorimage
-    - image: docker.io/soshybridhunter/so-navigator:HH1.1.1
+    - image: {{ MASTER }}:5000/soshybridhunter/so-navigator:HH{{ VERSION }}
    - hostname: navigator
    - name: so-navigator
    - binds:
--- a/salt/redis/init.sls
+++ b/salt/redis/init.sls
@@ -1,4 +1,4 @@
-# Copyright 2014,2015,2016,2017,2018 Security Onion Solutions, LLC
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC

 #    This program is free software: you can redistribute it and/or modify
 #    it under the terms of the GNU General Public License as published by
@@ -13,6 +13,8 @@
 #    You should have received a copy of the GNU General Public License
 #    along with this program.  If not, see <http://www.gnu.org/licenses/>.
 {% set lsaccessip = salt['pillar.get']('master:lsaccessip', '') %}
+{% set VERSION = salt['pillar.get']('static:soversion', '1.1.4') %}
+{% set MASTER = salt['grains.get']('master') %}

 # Redis Setup
 redisconfdir:
@@ -44,15 +46,9 @@ redisconfsync:
    - group: 939
    - template: jinja

-so-redisimage:
- cmd.run:
-   - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-redis:HH1.1.0
-
 so-redis:
  docker_container.running:
-    - require:
-      - so-redisimage
-    - image: docker.io/soshybridhunter/so-redis:HH1.1.0
+    - image: {{ MASTER }}:5000/soshybridhunter/so-redis:HH{{ VERSION }}
    - hostname: so-redis
    - user: socore
    - port_bindings:
--- a/salt/master/files/registry/config.yml
+++ b/salt/master/files/registry/config.yml
@@ -21,4 +21,3 @@ health:
    threshold: 3
 proxy:
  remoteurl: https://registry-1.docker.io
-
--- a/salt/registry/init.sls
+++ b/salt/registry/init.sls
@@ -0,0 +1,41 @@
+# Create the config directory for the docker registry
+dockerregistryconfdir:
+  file.directory:
+    - name: /opt/so/conf/docker-registry/etc
+    - user: 939
+    - group: 939
+    - makedirs: True
+
+dockerregistrydir:
+  file.directory:
+    - name: /nsm/docker-registry/docker
+    - user: 939
+    - group: 939
+    - makedirs: True
+
+dockerregistrylogdir:
+  file.directory:
+    - name: /opt/so/log/docker-registry
+    - user: 939
+    - group: 939
+    - makedirs: true
+
+# Copy the config
+dockerregistryconf:
+  file.managed:
+    - name: /opt/so/conf/docker-registry/etc/config.yml
+    - source: salt://registry/etc/config.yml
+
+# Install the registry container
+so-dockerregistry:
+  docker_container.running:
+    - image: registry:2
+    - hostname: so-registry
+    - port_bindings:
+      - 0.0.0.0:5000:5000
+    - binds:
+      - /opt/so/conf/docker-registry/etc/config.yml:/etc/docker/registry/config.yml:ro
+      - /opt/so/conf/docker-registry:/var/lib/registry:rw
+      - /nsm/docker-registry/docker:/var/lib/registry/docker:rw
+      - /etc/pki/registry.crt:/etc/pki/registry.crt:ro
+      - /etc/pki/registry.key:/etc/pki/registry.key:ro
--- a/salt/sensoroni/init.sls
+++ b/salt/sensoroni/init.sls
@@ -1,3 +1,6 @@
+{% set VERSION = salt['pillar.get']('static:soversion', '1.1.4') %}
+{% set MASTER = salt['grains.get']('master') %}
+
 sensoronidir:
  file.directory:
    - name: /opt/so/conf/sensoroni
@@ -27,15 +30,9 @@ sensoronisync:
    - group: 939
    - template: jinja

-so-sensoroniimage:
-  cmd.run:
-    - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-sensoroni:HH1.1.3
-
 so-sensoroni:
  docker_container.running:
-    - require:
-      - so-sensoroniimage
-    - image: docker.io/soshybridhunter/so-sensoroni:HH1.1.3
+    - image: {{ MASTER }}:5000/soshybridhunter/so-sensoroni:HH{{ VERSION }}
    - hostname: sensoroni
    - name: so-sensoroni
    - binds:
--- a/salt/soctopus/init.sls
+++ b/salt/soctopus/init.sls
@@ -1,3 +1,6 @@
+{% set VERSION = salt['pillar.get']('static:soversion', '1.1.4') %}
+{% set MASTER = salt['grains.get']('master') %}
+
 soctopusdir:
  file.directory:
    - name: /opt/so/conf/soctopus
@@ -44,15 +47,9 @@ navigatordefaultlayer:
    - replace: False
    - template: jinja

-so-soctopusimage:
-  cmd.run:
-    - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-soctopus:HH1.1.3
-
 so-soctopus:
  docker_container.running:
-    - require:
-      - so-soctopusimage
-    - image: docker.io/soshybridhunter/so-soctopus:HH1.1.3
+    - image: {{ MASTER }}:5000/soshybridhunter/so-soctopus:HH{{ VERSION }}
    - hostname: soctopus
    - name: so-soctopus
    - binds:
--- a/salt/suricata/init.sls
+++ b/salt/suricata/init.sls
@@ -14,7 +14,9 @@
 #    along with this program.  If not, see <http://www.gnu.org/licenses/>.

 {% set interface = salt['pillar.get']('sensor:interface', 'bond0') %}
-{%- set BROVER = salt['pillar.get']('static:broversion', 'COMMUNITY') %}
+{% set BROVER = salt['pillar.get']('static:broversion', '') %}
+{% set VERSION = salt['pillar.get']('static:soversion', '1.1.4') %}
+{% set MASTER = salt['grains.get']('master') %}

 # Suricata

@@ -78,15 +80,9 @@ surithresholding:
    - group: 940
    - template: jinja
    
-so-suricataimage:
- cmd.run:
-   - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-suricata:HH1.1.1
-
 so-suricata:
  docker_container.running:
-    - require:
-      - so-suricataimage
-    - image: docker.io/soshybridhunter/so-suricata:HH1.1.1
+    - image: {{ MASTER }}:5000/soshybridhunter/so-suricata:HH{{ VERSION }}
    - privileged: True
    - environment:
      - INTERFACE={{ interface }}
--- a/salt/syslog-ng/files/patterndb.xml
+++ b/salt/syslog-ng/files/patterndb.xml
--- a/salt/syslog-ng/files/syslog-ng.conf
+++ b/salt/syslog-ng/files/syslog-ng.conf
@@ -1,243 +0,0 @@
-@version: 3.5
-source s_syslog { unix-dgram("/dev/log"); };
-
-source s_network {
-	tcp();
-	udp();
-};
-
-parser p_db {
-	db-parser(file("/opt/so/conf/syslog-ng/patterndb.xml"));
-};
-
-filter f_rewrite_cisco_program { match('^(%[A-Z]+\-\d\-[0-9A-Z]+): ([^\n]+)' value("MSGONLY") type("pcre") flags("store-matches" "nobackref")); };
-filter f_rewrite_cisco_program_2 { match('^[\*\.]?(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\s+\d{1,2}\s\d{1,2}:\d{1,2}:\d{1,2}(?:\.\d+)?(?: [A-Z]{3})?: (%[^:]+): ([^\n]+)' value("MSGONLY") type("pcre") flags("store-matches" "nobackref")); };
-filter f_rewrite_cisco_program_3 { match('^\d+[ywdh]\d+[ywdh]: (%[^:]+): ([^\n]+)' value("MSGONLY") type("pcre") flags("store-matches" "nobackref")); };
-filter f_snort { match('snort:' value("MSGHDR")); };
-filter f_bro_headers { message("^#") };
-
-rewrite r_cisco_program {
-        set("$1", value("PROGRAM") condition(filter(f_rewrite_cisco_program) or filter(f_rewrite_cisco_program_2) or filter(f_rewrite_cisco_program_3)));
-        set("$2", value("MESSAGE") condition(filter(f_rewrite_cisco_program) or filter(f_rewrite_cisco_program_2) or filter(f_rewrite_cisco_program_3)));
-};
-
-rewrite r_snare { subst("MSWinEventLog.+(Security|Application|System).+", "$1", value("PROGRAM") flags(global)); };
-rewrite r_from_pipes { subst('\|', "%7C", value("MESSAGE") flags(global) condition(program("bro_*" type(glob)))); };
-rewrite r_pipes { subst("\t", "|", value("MESSAGE") flags(global)); };
-rewrite r_host { set("$SOURCEIP", value("HOST")); };
-rewrite r_extracted_host { set("$pdb_extracted_sourceip", value("HOST") condition("$pdb_extracted_sourceip" != "")); };
-
-template t_db_parsed { template("$R_UNIXTIME\t$HOST\t$PROGRAM\t${.classifier.class}\t$MSGONLY\t${i0}\t${i1}\t${i2}\t${i3}\t${i4}\t${i5}\t${s0}\t${s1}\t${s2}\t${s3}\t${s4}\t${s5}\n"); };
-
-source s_bro_conn { file("/nsm/bro/logs/current/conn.log" flags(no-parse) program_override("bro_conn")); };
-source s_bro_http {
-	file("/nsm/bro/logs/current/http_eth1.log" flags(no-parse) program_override("bro_http"));
-
-};
-source s_bro_dns { file("/nsm/bro/logs/current/dns.log" flags(no-parse) program_override("bro_dns")); };
-source s_bro_files { file("/nsm/bro/logs/current/files.log" flags(no-parse) program_override("bro_files")); };
-source s_bro_dhcp { file("/nsm/bro/logs/current/dhcp.log" flags(no-parse) program_override("bro_dhcp")); };
-source s_bro_weird { file("/nsm/bro/logs/current/weird.log" flags(no-parse) program_override("bro_weird")); };
-source s_bro_tunnels { file("/nsm/bro/logs/current/tunnel.log" flags(no-parse) program_override("bro_tunnels")); };
-source s_bro_syslog { file("/nsm/bro/logs/current/syslog.log" flags(no-parse) program_override("bro_syslog")); };
-source s_bro_ftp { file("/nsm/bro/logs/current/ftp.log" flags(no-parse) program_override("bro_ftp")); };
-source s_bro_notice { file("/nsm/bro/logs/current/notice.log" flags(no-parse) program_override("bro_notice")); };
-source s_bro_smtp { file("/nsm/bro/logs/current/smtp.log" flags(no-parse) program_override("bro_smtp")); };
-source s_bro_smtp_entities { file("/nsm/bro/logs/current/smtp_entities.log" flags(no-parse) program_override("bro_smtp_entities")); };
-source s_bro_ssl { file("/nsm/bro/logs/current/ssl.log" flags(no-parse) program_override("bro_ssl")); };
-source s_ossec { file("/var/ossec/logs/archives/archives.log" program_override('ossec_archive') follow_freq(1) flags(no-parse)); };
-source s_bro_software { file("/nsm/bro/logs/current/software.log" flags(no-parse) program_override("bro_software")); };
-source s_bro_irc { file("/nsm/bro/logs/current/irc.log" flags(no-parse) program_override("bro_irc")); };
-source s_bro_ssh { file("/nsm/bro/logs/current/ssh.log" flags(no-parse) program_override("bro_ssh")); };
-source s_bro_intel { file("/nsm/bro/logs/current/intel.log" flags(no-parse) program_override("bro_intel")); };
-source s_bro_x509 { file("/nsm/bro/logs/current/x509.log" flags(no-parse) program_override("bro_x509")); };
-source s_bro_snmp { file("/nsm/bro/logs/current/snmp.log" flags(no-parse) program_override("bro_snmp")); };
-source s_bro_radius { file("/nsm/bro/logs/current/radius.log" flags(no-parse) program_override("bro_radius")); };
-source s_bro_mysql { file("/nsm/bro/logs/current/mysql.log" flags(no-parse) program_override("bro_mysql")); };
-source s_bro_kerberos { file("/nsm/bro/logs/current/kerberos.log" flags(no-parse) program_override("bro_kerberos")); };
-source s_bro_rdp { file("/nsm/bro/logs/current/rdp.log" flags(no-parse) program_override("bro_rdp")); };
-source s_bro_pe { file("/nsm/bro/logs/current/pe.log" flags(no-parse) program_override("bro_pe")); };
-source s_bro_sip { file("/nsm/bro/logs/current/sip.log" flags(no-parse) program_override("bro_sip")); };
-source s_bro_smb_mapping { file("/nsm/bro/logs/current/smb_mapping.log" flags(no-parse) program_override("bro_smb_mapping")); };
-source s_bro_smb_files { file("/nsm/bro/logs/current/smb_files.log" flags(no-parse) program_override("bro_smb_files")); };
-source s_bro_ntlm { file("/nsm/bro/logs/current/ntlm.log" flags(no-parse) program_override("bro_ntlm")); };
-source s_bro_dce_rpc { file("/nsm/bro/logs/current/dce_rpc.log" flags(no-parse) program_override("bro_dce_rpc")); };
-source s_bro_modbus { file("/nsm/bro/logs/current/modbus.log" flags(no-parse) program_override("bro_modbus")); };
-source s_bro_dnp3 { file("/nsm/bro/logs/current/dnp3.log" flags(no-parse) program_override("bro_dnp3")); };
-source s_bro_rfb { file("/nsm/bro/logs/current/rfb.log" flags(no-parse) program_override("bro_rfb")); };
-
-destination d_elsa { program("sh /opt/elsa/contrib/securityonion/contrib/securityonion-elsa-syslog-ng.sh" template(t_db_parsed)); };
-destination d_logstash { tcp("logstash" port(6050) template("$(format-json --scope selected_macros --scope nv_pairs --exclude DATE --key ISODATE)\n")); };
-
-log {
-	source(s_bro_conn);
-	source(s_bro_http);
-	source(s_bro_dns);
-	source(s_bro_weird);
-  	source(s_bro_tunnels);
-	source(s_bro_syslog);
-	source(s_bro_ftp);
-	source(s_bro_files);
-	source(s_bro_dhcp);
-	source(s_bro_notice);
-	source(s_bro_smtp);
-	source(s_bro_smtp_entities);
-	source(s_bro_ssl);
-   	source(s_bro_irc);
-	source(s_bro_software);
-  	source(s_bro_ssh);
-	source(s_bro_smb_mapping);
-	source(s_bro_smb_files);
-	source(s_bro_ntlm);
-	source(s_bro_dce_rpc);
-  	source(s_bro_intel);
-  	source(s_bro_x509);
-  	source(s_bro_snmp);
-  	source(s_bro_radius);
-  	source(s_bro_mysql);
-  	source(s_bro_kerberos);
-  	source(s_bro_rdp);
-  	source(s_bro_pe);
-  	source(s_bro_sip);
-  	source(s_bro_modbus);
-  	source(s_bro_dnp3);
-  	source(s_bro_rfb);
-	source(s_ossec);
-	source(s_network);
-	source(s_syslog);
-	log { filter(f_bro_headers); flags(final); };
-	log { destination(d_logstash); };
-};
-# Bring it all back
-#source s_src {
-#       system();
-#       internal();
-#};
-########################
-# Destinations
-########################
-# First some standard logfile
-#
-destination d_auth { file("/var/log/auth.log"); };
-destination d_cron { file("/var/log/cron.log"); };
-destination d_daemon { file("/var/log/daemon.log"); };
-destination d_kern { file("/var/log/kern.log"); };
-destination d_lpr { file("/var/log/lpr.log"); };
-destination d_mail { file("/var/log/mail.log"); };
-destination d_syslog { file("/var/log/syslog"); };
-destination d_user { file("/var/log/user.log"); };
-destination d_uucp { file("/var/log/uucp.log"); };
-
-# This files are the log come from the mail subsystem.
-#
-destination d_mailinfo { file("/var/log/mail/mail.info"); };
-destination d_mailwarn { file("/var/log/mail/mail.warn"); };
-destination d_mailerr { file("/var/log/mail/mail.err"); };
-
-# Logging for INN news system
-#
-destination d_newscrit { file("/var/log/news/news.crit"); };
-destination d_newserr { file("/var/log/news/news.err"); };
-destination d_newsnotice { file("/var/log/news/news.notice"); };
-
-# Some `catch-all' logfiles.
-#
-destination d_debug { file("/var/log/debug"); };
-destination d_error { file("/var/log/error"); };
-destination d_messages { file("/var/log/messages"); };
-
-# The root's console.
-#
-destination d_console { usertty("root"); };
-
-# Virtual console.
-#
-destination d_console_all { file("/dev/tty10"); };
-
-# The named pipe /dev/xconsole is for the nsole' utility.  To use it,
-# you must invoke nsole' with the -file' option:
-#
-#    $ xconsole -file /dev/xconsole [...]
-#
-destination d_xconsole { pipe("/dev/xconsole"); };
-
-# Send the messages to an other host
-#
-#destination d_net { tcp("127.0.0.1" port(1000) authentication(on) encrypt(on) log_fifo_size(1000)); };
-
-# Debian only
-destination d_ppp { file("/var/log/ppp.log"); };
-
-########################
-# Filters
-########################
-# Here's come the filter options. With this rules, we can set which
-# message go where.
-
-filter f_dbg { level(debug); };
-filter f_info { level(info); };
-filter f_notice { level(notice); };
-filter f_warn { level(warn); };
-filter f_err { level(err); };
-filter f_crit { level(crit .. emerg); };
-
-filter f_debug { level(debug) and not facility(auth, authpriv, news, mail); };
-filter f_error { level(err .. emerg) and not filter(f_snort); };
-filter f_messages { level(info,notice,warn) and not facility(auth,authpriv,cron,daemon,mail,news); };
-filter f_auth { facility(auth, authpriv) and not filter(f_debug); };
-filter f_cron { facility(cron) and not filter(f_debug); };
-filter f_daemon { facility(daemon) and not filter(f_debug); };
-filter f_kern { facility(kern) and not filter(f_debug); };
-filter f_lpr { facility(lpr) and not filter(f_debug); };
-filter f_local { facility(local0, local1, local3, local4, local5, local6, local7) and not filter(f_debug); };
-filter f_mail { facility(mail) and not filter(f_debug); };
-filter f_news { facility(news) and not filter(f_debug); };
-filter f_syslog3 { not facility(auth, authpriv, mail) and not filter(f_debug) and not filter(f_snort); };
-filter f_user { facility(user) and not filter(f_debug); };
-filter f_uucp { facility(uucp) and not filter(f_debug); };
-
-filter f_cnews { level(notice, err, crit) and facility(news); };
-filter f_cother { level(debug, info, notice, warn) or facility(daemon, mail); };
-
-filter f_ppp { facility(local2) and not filter(f_debug); };
-filter f_console { level(warn .. emerg); };
-
-########################
-# Log paths
-########################
-log { source(s_syslog); filter(f_auth); destination(d_auth); };
-log { source(s_syslog); filter(f_cron); destination(d_cron); };
-log { source(s_syslog); filter(f_daemon); destination(d_daemon); };
-log { source(s_syslog); filter(f_kern); destination(d_kern); };
-log { source(s_syslog); filter(f_lpr); destination(d_lpr); };
-log { source(s_syslog); filter(f_syslog3); destination(d_syslog); };
-log { source(s_syslog); filter(f_user); destination(d_user); };
-log { source(s_syslog); filter(f_uucp); destination(d_uucp); };
-
-log { source(s_syslog); filter(f_mail); destination(d_mail); };
-#log { source(s_syslog); filter(f_mail); filter(f_info); destination(d_mailinfo); };
-#log { source(s_syslog); filter(f_mail); filter(f_warn); destination(d_mailwarn); };
-#log { source(s_syslog); filter(f_mail); filter(f_err); destination(d_mailerr); };
-
-log { source(s_syslog); filter(f_news); filter(f_crit); destination(d_newscrit); };
-log { source(s_syslog); filter(f_news); filter(f_err); destination(d_newserr); };
-log { source(s_syslog); filter(f_news); filter(f_notice); destination(d_newsnotice); };
-#log { source(s_syslog); filter(f_cnews); destination(d_console_all); };
-#log { source(s_syslog); filter(f_cother); destination(d_console_all); };
-
-#log { source(s_syslog); filter(f_ppp); destination(d_ppp); };
-
-log { source(s_syslog); filter(f_debug); destination(d_debug); };
-log { source(s_syslog); filter(f_error); destination(d_error); };
-log { source(s_syslog); filter(f_messages); destination(d_messages); };
-
-log { source(s_syslog); filter(f_console); destination(d_console_all); destination(d_xconsole); };
-log { source(s_syslog); filter(f_crit); destination(d_console); };
-
-# All messages send to a remote site
-#
-#log { source(s_syslog); destination(d_net); };
-
-###
-# Include all config files in /etc/syslog-ng/conf.d/
-###
--- a/salt/syslog-ng/init.sls
+++ b/salt/syslog-ng/init.sls
@@ -1,18 +0,0 @@
-# Sync the Files
-file.directory:
-  - name: /opt/so/conf/syslog-ng
-  - user: 939
-  - group: 939
-
-# Syslog-ng Docker
-
-so-syslog-ng:
-  dockerng.running:
-    - image: pillaritem/so-logstash
-    - hostname: syslog-ng
-    - priviledged: true
-    - ports:
-      - 514/tcp
-      - 514/udp
-      - 601
-    - network_mode: so-elastic-net
--- a/salt/tcpreplay/init.sls
+++ b/salt/tcpreplay/init.sls
@@ -1,15 +1,11 @@
 {% if grains['role'] == 'so-sensor' or grains['role'] == 'so-eval' %}
-
-so-tcpreplayimage:
- cmd.run:
-   - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-tcpreplay:HH1.1.4
+{% set VERSION = salt['pillar.get']('static:soversion', '1.1.4') %}
+{% set MASTER = salt['grains.get']('master') %}

 so-tcpreplay:
  docker_container.running:
-    - require:
-      - so-tcpreplayimage
    - network_mode: "host"
-    - image: docker.io/soshybridhunter/so-tcpreplay:HH1.1.4
+    - image: {{ MASTER }}:5000/soshybridhunter/so-tcpreplay:HH{{ VERSION }}
    - name: so-tcpreplay
    - user: root
    - interactive: True
--- a/salt/top.sls
+++ b/salt/top.sls
@@ -20,7 +20,7 @@ base:
    - idstools
    - pcap
    - suricata
-    - bro
+    - zeek
    - redis
    - logstash
    - filebeat
@@ -34,7 +34,7 @@ base:
    - pcap
    - suricata
    {%- if BROVER != 'SURICATA' %}
-    - bro
+    - zeek
    {%- endif %}
    - wazuh
    - filebeat
@@ -46,10 +46,11 @@ base:
  'G@role:so-eval':
    - ca
    - ssl
+    - registry
+    - master
    - common
    - sensoroni
    - firewall
-    - master
    - idstools
    - auth
    {%- if OSQUERY != 0 %}
@@ -60,7 +61,7 @@ base:
    - kibana
    - pcap
    - suricata
-    - bro
+    - zeek
    - curator
    - elastalert
    {%- if OSQUERY != 0 %}
@@ -92,6 +93,7 @@ base:
  'G@role:so-master':
    - ca
    - ssl
+    - registry
    - common
    - sensoroni
    - firewall
--- a/salt/wazuh/init.sls
+++ b/salt/wazuh/init.sls
@@ -1,5 +1,6 @@
 {%- set HOSTNAME = salt['grains.get']('host', '') %}
-
+{% set VERSION = salt['pillar.get']('static:soversion', '1.1.4') %}
+{% set MASTER = salt['grains.get']('master') %}
 # Add ossec group
 ossecgroup:
  group.present:
@@ -71,15 +72,9 @@ wazuhmgrwhitelist:
    - mode: 755
    - template: jinja

-so-wazuhimage:
- cmd.run:
-   - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-wazuh:HH1.1.4
-
 so-wazuh:
  docker_container.running:
-    - require:
-      - so-wazuhimage
-    - image: docker.io/soshybridhunter/so-wazuh:HH1.1.4
+    - image: {{ MASTER }}:5000/soshybridhunter/so-wazuh:HH{{ VERSION }}
    - hostname: {{HOSTNAME}}-wazuh-manager
    - name: so-wazuh
    - detach: True
--- a/salt/zeek/cron/packetloss.sh
+++ b/salt/zeek/cron/packetloss.sh
@@ -0,0 +1,2 @@
+#!/bin/bash
+/usr/bin/docker exec so-zeek /opt/zeek/bin/zeekctl netstats | awk '{print $(NF-2),$(NF-1),$NF}' | awk -F '[ =]' '{RCVD += $2;DRP += $4;TTL += $6} END { print "rcvd: " RCVD, "dropped: " DRP, "total: " TTL}' >> /nsm/zeek/logs/packetloss.log
--- a/salt/zeek/files/local.zeek
+++ b/salt/zeek/files/local.zeek
@@ -0,0 +1,120 @@
+##! Local site policy. Customize as appropriate.
+##!
+##! This file will not be overwritten when upgrading or reinstalling!
+
+# This script logs which scripts were loaded during each run.
+@load misc/loaded-scripts
+
+# Apply the default tuning scripts for common tuning settings.
+@load tuning/defaults
+
+# Estimate and log capture loss.
+@load misc/capture-loss
+
+# Enable logging of memory, packet and lag statistics.
+@load misc/stats
+
+# Load the scan detection script.  It's disabled by default because
+# it often causes performance issues.
+#@load misc/scan
+
+# Detect traceroute being run on the network. This could possibly cause
+# performance trouble when there are a lot of traceroutes on your network.
+# Enable cautiously.
+#@load misc/detect-traceroute
+
+# Generate notices when vulnerable versions of software are discovered.
+# The default is to only monitor software found in the address space defined
+# as "local".  Refer to the software framework's documentation for more
+# information.
+@load frameworks/software/vulnerable
+
+# Detect software changing (e.g. attacker installing hacked SSHD).
+@load frameworks/software/version-changes
+
+# This adds signatures to detect cleartext forward and reverse windows shells.
+@load-sigs frameworks/signatures/detect-windows-shells
+
+# Load all of the scripts that detect software in various protocols.
+@load protocols/ftp/software
+@load protocols/smtp/software
+@load protocols/ssh/software
+@load protocols/http/software
+# The detect-webapps script could possibly cause performance trouble when
+# running on live traffic.  Enable it cautiously.
+#@load protocols/http/detect-webapps
+
+# This script detects DNS results pointing toward your Site::local_nets
+# where the name is not part of your local DNS zone and is being hosted
+# externally.  Requires that the Site::local_zones variable is defined.
+@load protocols/dns/detect-external-names
+
+# Script to detect various activity in FTP sessions.
+@load protocols/ftp/detect
+
+# Scripts that do asset tracking.
+@load protocols/conn/known-hosts
+@load protocols/conn/known-services
+@load protocols/ssl/known-certs
+
+# This script enables SSL/TLS certificate validation.
+@load protocols/ssl/validate-certs
+
+# This script prevents the logging of SSL CA certificates in x509.log
+@load protocols/ssl/log-hostcerts-only
+
+# Uncomment the following line to check each SSL certificate hash against the ICSI
+# certificate notary service; see http://notary.icsi.berkeley.edu .
+# @load protocols/ssl/notary
+
+# If you have GeoIP support built in, do some geographic detections and
+# logging for SSH traffic.
+@load protocols/ssh/geo-data
+# Detect hosts doing SSH bruteforce attacks.
+@load protocols/ssh/detect-bruteforcing
+# Detect logins using "interesting" hostnames.
+@load protocols/ssh/interesting-hostnames
+
+# Detect SQL injection attacks.
+@load protocols/http/detect-sqli
+
+#### Network File Handling ####
+
+# Enable MD5 and SHA1 hashing for all files.
+@load frameworks/files/hash-all-files
+
+# Detect SHA1 sums in Team Cymru's Malware Hash Registry.
+@load frameworks/files/detect-MHR
+
+# Extend email alerting to include hostnames
+@load policy/frameworks/notice/extend-email/hostnames
+
+# Uncomment the following line to enable detection of the heartbleed attack. Enabling
+# this might impact performance a bit.
+# @load policy/protocols/ssl/heartbleed
+
+# Uncomment the following line to enable logging of connection VLANs. Enabling
+# this adds two VLAN fields to the conn.log file.
+# @load policy/protocols/conn/vlan-logging
+
+# Uncomment the following line to enable logging of link-layer addresses. Enabling
+# this adds the link-layer address for each connection endpoint to the conn.log file.
+# @load policy/protocols/conn/mac-logging
+
+# JA3 - SSL Detection Goodness
+@load policy/ja3
+
+# HASSH
+@load policy/hassh
+
+# You can load your own intel into:
+# /opt/so/saltstack/bro/policy/intel/ on the master
+@load intel
+
+# Load a custom Bro policy
+# /opt/so/saltstack/bro/policy/custom/ on the master
+#@load custom/somebropolicy.bro
+
+# Write logs in JSON
+redef LogAscii::use_json = T;
+redef LogAscii::json_timestamps = JSON::TS_ISO8601;
--- a/salt/zeek/files/node.cfg
+++ b/salt/zeek/files/node.cfg
@@ -0,0 +1,47 @@
+{%- set interface = salt['pillar.get']('sensor:interface', 'bond0') %}
+
+{%- if salt['pillar.get']('sensor:bro_pins') or salt['pillar.get']('sensor:bro_lbprocs') %}
+{%- if salt['pillar.get']('sensor:bro_proxies') %}
+  {%- set proxies =  salt['pillar.get']('sensor:bro_proxies', '1') %}
+{%- else %}
+  {%- if salt['pillar.get']('sensor:bro_pins') %}
+    {%- set proxies = (salt['pillar.get']('sensor:bro_pins')|length/10)|round(0, 'ceil')|int %}
+  {%- else %}
+    {%- set proxies = (salt['pillar.get']('sensor:bro_lbprocs')/10)|round(0, 'ceil')|int %}
+  {%- endif %}
+{%- endif %}
+[manager]
+type=manager
+host=localhost
+
+[logger]
+type=logger
+host=localhost
+
+[proxy]
+type=proxy
+host=localhost
+
+[worker-1]
+type=worker
+host=localhost
+interface=af_packet::{{ interface }}
+lb_method=custom
+
+{%- if salt['pillar.get']('sensor:bro_lbprocs') %}
+lb_procs={{ salt['pillar.get']('sensor:bro_lbprocs', '1') }}
+{%- else %}
+lb_procs={{ salt['pillar.get']('sensor:bro_pins')|length }}
+{%- endif %}
+{%- if salt['pillar.get']('sensor:bro_pins') %}
+pin_cpus={{ salt['pillar.get']('sensor:bro_pins')|join(", ") }}
+{%- endif %}
+af_packet_fanout_id=23
+af_packet_fanout_mode=AF_Packet::FANOUT_HASH
+af_packet_buffer_size=128*1024*1024
+{%- else %}
+[brosa]
+type=standalone
+host=localhost
+interface={{ interface }}
+{%- endif %}
--- a/salt/zeek/init.sls
+++ b/salt/zeek/init.sls
@@ -0,0 +1,118 @@
+{% set VERSION = salt['pillar.get']('static:soversion', '1.1.4') %}
+{% set MASTER = salt['grains.get']('master') %}
+# Zeek Salt State
+# Add Zeek group
+zeekgroup:
+  group.present:
+    - name: zeek
+    - gid: 937
+
+# Add Zeek User
+zeek:
+  user.present:
+    - uid: 937
+    - gid: 937
+    - home: /home/zeek
+
+# Create some directories
+zeekpolicydir:
+  file.directory:
+    - name: /opt/so/conf/zeek/policy
+    - user: 937
+    - group: 939
+    - makedirs: True
+
+# Zeek Log Directory
+zeeklogdir:
+  file.directory:
+    - name: /nsm/zeek/logs
+    - user: 937
+    - group: 939
+    - makedirs: True
+
+# Zeek Spool Directory
+zeekspooldir:
+  file.directory:
+    - name: /nsm/zeek/spool/manager
+    - user: 937
+    - makedirs: true
+
+# Zeek extracted
+zeekextractdir:
+  file.directory:
+    - name: /nsm/zeek/extracted
+    - user: 937
+    - group: 939
+    - makedirs: True
+
+zeeksfafincompletedir:
+  file.directory:
+    - name: /nsm/faf/files/incomplete
+    - user: 937
+    - makedirs: true
+
+zeeksfafcompletedir:
+  file.directory:
+    - name: /nsm/faf/files/complete
+    - user: 937
+    - makedirs: true
+
+# Sync the policies
+zeekpolicysync:
+  file.recurse:
+    - name: /opt/so/conf/zeek/policy
+    - source: salt://zeek/policy
+    - user: 937
+    - group: 939
+    - template: jinja
+
+# Sync node.cfg
+nodecfgsync:
+  file.managed:
+    - name: /opt/so/conf/zeek/node.cfg
+    - source: salt://zeek/files/node.cfg
+    - user: 937
+    - group: 939
+    - template: jinja
+
+plcronscript:
+  file.managed:
+    - name: /usr/local/bin/packetloss.sh
+    - source: salt://zeek/cron/packetloss.sh
+    - mode: 755
+
+/usr/local/bin/packetloss.sh:
+  cron.present:
+    - user: root
+    - minute: '*/10'
+    - hour: '*'
+    - daymonth: '*'
+    - month: '*'
+    - dayweek: '*'
+
+localzeeksync:
+  file.managed:
+    - name: /opt/so/conf/zeek/local.zeek
+    - source: salt://zeek/files/local.zeek
+    - user: 937
+    - group: 939
+    - template: jinja
+
+so-zeek:
+  docker_container.running:
+    - image: {{ MASTER }}:5000/soshybridhunter/so-zeek:HH{{ VERSION }}
+    - privileged: True
+    - binds:
+      - /nsm/zeek/logs:/nsm/zeek/logs:rw
+      - /nsm/zeek/spool:/nsm/zeek/spool:rw
+      - /nsm/zeek/extracted:/nsm/zeek/extracted:rw
+      - /opt/so/conf/zeek/local.zeek:/opt/zeek/share/zeek/site/local.zeek:ro
+      - /opt/so/conf/zeek/node.cfg:/opt/zeek/etc/node.cfg:ro
+      - /opt/so/conf/zeek/policy/securityonion:/opt/zeek/share/zeek/policy/securityonion:ro
+      - /opt/so/conf/zeek/policy/custom:/opt/zeek/share/zeek/policy/custom:ro
+      - /opt/so/conf/zeek/policy/intel:/opt/zeek/share/zeek/policy/intel:rw
+    - network_mode: host
+    - watch:
+      - file: /opt/so/conf/zeek/local.zeek
+      - file: /opt/so/conf/zeek/node.cfg
+      - file: /opt/so/conf/zeek/policy
--- a/salt/zeek/policy/intel/load.zeek
+++ b/salt/zeek/policy/intel/load.zeek
@@ -0,0 +1 @@
+#Intel
--- a/salt/zeek/policy/securityonion/add-interface-to-logs.bro
+++ b/salt/zeek/policy/securityonion/add-interface-to-logs.bro
@@ -0,0 +1,20 @@
+{%- set interface = salt['pillar.get']('sensor:interface', '0') %}
+global interface = "{{ interface }}";
+
+event bro_init()
+	{
+	if ( ! reading_live_traffic() )
+		return;
+
+	Log::remove_default_filter(HTTP::LOG);
+	Log::add_filter(HTTP::LOG, [$name = "http-interfaces",
+	                            $path_func(id: Log::ID, path: string, rec: HTTP::Info) =
+	                            	{
+	                            	local peer = get_event_peer()$descr;
+	                            	if ( peer in Cluster::nodes && Cluster::nodes[peer]?$interface )
+	                            		return cat("http_", Cluster::nodes[peer]$interface);
+	                            	else
+	                            		return "http";
+	                            	}
+	                            ]);
+	}
--- a/salt/zeek/policy/securityonion/apt1/load.zeek
+++ b/salt/zeek/policy/securityonion/apt1/load.zeek
@@ -0,0 +1,9 @@
+@load frameworks/intel/seen
+@load frameworks/intel/do_notice
+@load frameworks/files/hash-all-files
+
+redef Intel::read_files += {
+  fmt("%s/apt1-fqdn.dat", @DIR),
+  fmt("%s/apt1-md5.dat", @DIR),
+  fmt("%s/apt1-certs.dat", @DIR)
+};
--- a/salt/zeek/policy/securityonion/apt1/apt1-certs.dat
+++ b/salt/zeek/policy/securityonion/apt1/apt1-certs.dat
@@ -0,0 +1,26 @@
+#fields	indicator	indicator_type	meta.source	meta.desc	meta.do_notice
+b054e26ef827fbbf5829f84a9bdbb697a5b042fc	Intel::CERT_HASH	Mandiant APT1 Report	ALPHA	T
+7bc0cc2cf7c3a996c32dbe7e938993f7087105b4	Intel::CERT_HASH	Mandiant APT1 Report	AOL	T
+7855c132af1390413d4e4ff4ead321f8802d8243	Intel::CERT_HASH	Mandiant APT1 Report	AOL	T
+f3e3c590d7126bd227733e9d8313d2575c421243	Intel::CERT_HASH	Mandiant APT1 Report	AOL	T
+d4d4e896ce7d73b573f0a0006080a246aec61fe7	Intel::CERT_HASH	Mandiant APT1 Report	AOL	T
+bcdf4809c1886ac95478bbafde246d0603934298	Intel::CERT_HASH	Mandiant APT1 Report	AOL	T
+6b4855df8afc8d57a671fe5ed628f6d88852a922	Intel::CERT_HASH	Mandiant APT1 Report	AOL	T
+d50fdc82c328319ac60f256d3119b8708cd5717b	Intel::CERT_HASH	Mandiant APT1 Report	AOL	T
+70b48d5177eebe9c762e9a37ecabebfd10e1b7e9	Intel::CERT_HASH	Mandiant APT1 Report	AOL	T
+3a6a299b764500ce1b6e58a32a257139d61a3543	Intel::CERT_HASH	Mandiant APT1 Report	AOL	T
+bf4f90e0029b2263af1141963ddf2a0c71a6b5fb	Intel::CERT_HASH	Mandiant APT1 Report	AOL	T
+b21139583dec0dae344cca530690ec1f344acc79	Intel::CERT_HASH	Mandiant APT1 Report	AOL	T
+21971ffef58baf6f638df2f7e2cceb4c58b173c8	Intel::CERT_HASH	Mandiant APT1 Report	EMAIL	T
+04ecff66973c92a1c348666d5a4738557cce0cfc	Intel::CERT_HASH	Mandiant APT1 Report	IBM	T
+f97d1a703aec44d0f53a3a294e33acda43a49de1	Intel::CERT_HASH	Mandiant APT1 Report	IBM	T
+c0d32301a7c96ecb0bc8e381ec19e6b4eaf5d2fe	Intel::CERT_HASH	Mandiant APT1 Report	IBM	T
+1b27a897cda019da2c3a6dc838761871e8bf5b5d	Intel::CERT_HASH	Mandiant APT1 Report	LAME	T
+d515996e8696612dc78fc6db39006466fc6550df	Intel::CERT_HASH	Mandiant APT1 Report	MOON-NIGHT	T
+8f79315659e59c79f1301ef4aee67b18ae2d9f1c	Intel::CERT_HASH	Mandiant APT1 Report	NONAME	T
+a57a84975e31e376e3512da7b05ad06ef6441f53	Intel::CERT_HASH	Mandiant APT1 Report	NS	T
+b3db37a0edde97b3c3c15da5f2d81d27af82f583	Intel::CERT_HASH	Mandiant APT1 Report	SERVER (PEM)	T
+6d8f1454f6392361fb2464b744d4fc09eee5fcfd	Intel::CERT_HASH	Mandiant APT1 Report	SUR	T
+b66e230f404b2cc1c033ccacda5d0a14b74a2752	Intel::CERT_HASH	Mandiant APT1 Report	VIRTUALLYTHERE	T
+4acbadb86a91834493dde276736cdf8f7ef5d497	Intel::CERT_HASH	Mandiant APT1 Report	WEBMAIL	T
+86a48093d9b577955c4c9bd19e30536aae5543d4	Intel::CERT_HASH	Mandiant APT1 Report	YAHOO	T
--- a/salt/zeek/policy/securityonion/apt1/apt1-fqdn.dat
+++ b/salt/zeek/policy/securityonion/apt1/apt1-fqdn.dat
--- a/salt/zeek/policy/securityonion/apt1/apt1-md5.dat
+++ b/salt/zeek/policy/securityonion/apt1/apt1-md5.dat
--- a/salt/zeek/policy/securityonion/conn-add-sensorname.bro
+++ b/salt/zeek/policy/securityonion/conn-add-sensorname.bro
@@ -0,0 +1,10 @@
+global sensorname = "{{ grains.host }}";
+
+redef record Conn::Info += {
+	sensorname: string &log &optional;
+};
+
+event connection_state_remove(c: connection)
+	{
+	c$conn$sensorname = sensorname;
+	}
--- a/salt/zeek/policy/securityonion/file-extraction/load.zeek
+++ b/salt/zeek/policy/securityonion/file-extraction/load.zeek
@@ -0,0 +1 @@
+@load ./extract
--- a/salt/zeek/policy/securityonion/file-extraction/extract.zeek
+++ b/salt/zeek/policy/securityonion/file-extraction/extract.zeek
@@ -0,0 +1,21 @@
+global ext_map: table[string] of string = {
+    ["application/x-dosexec"] = "exe",
+    ["text/plain"] = "txt",
+    ["image/jpeg"] = "jpg",
+    ["image/png"] = "png",
+    ["text/html"] = "html",
+} &default ="";
+
+event file_sniff(f: fa_file, meta: fa_metadata)
+    {
+    if ( ! meta?$mime_type || meta$mime_type != "application/x-dosexec" )
+        return;
+
+    local ext = "";
+
+    if ( meta?$mime_type )
+        ext = ext_map[meta$mime_type];
+
+    local fname = fmt("/nsm/bro/extracted/%s-%s.%s", f$source, f$id, ext);
+    Files::add_analyzer(f, Files::ANALYZER_EXTRACT, [$extract_filename=fname]);
+    }
--- a/salt/zeek/policy/securityonion/json-logs/load.bro
+++ b/salt/zeek/policy/securityonion/json-logs/load.bro
@@ -0,0 +1,3 @@
+@load tuning/json-logs
+redef LogAscii::json_timestamps = JSON::TS_ISO8601;
+redef LogAscii::use_json = T;
--- a/setup/functions.sh
+++ b/setup/functions.sh
@@ -409,20 +409,24 @@ docker_install() {
    yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
    yum -y update
    yum -y install docker-ce python36-docker
-    if [ $INSTALLTYPE != 'EVALMODE' ]; then
+    if [ $INSTALLTYPE == 'MASTERONLY' ] || [ $INSTALLTYPE == 'EVALMODE' ]; then
      docker_registry
+      echo "Restarting Docker" >> $SETUPLOG 2>&1
+      systemctl restart docker
+      systemctl enable docker
+    else
+      docker_registry
+      echo "Restarting Docker" >> $SETUPLOG 2>&1
+      systemctl restart docker
+      systemctl enable docker
    fi
-    echo "Restarting Docker" >> $SETUPLOG 2>&1
-    systemctl restart docker
-    systemctl enable docker

  else
+
    if [ $INSTALLTYPE == 'MASTERONLY' ] || [ $INSTALLTYPE == 'EVALMODE' ]; then
      apt-get update >> $SETUPLOG 2>&1
      apt-get -y install docker-ce python3-docker >> $SETUPLOG 2>&1
-      if [ $INSTALLTYPE != 'EVALMODE'  ]; then
-        docker_registry >> $SETUPLOG 2>&1
-      fi
+      docker_registry >> $SETUPLOG 2>&1
      echo "Restarting Docker" >> $SETUPLOG 2>&1
      systemctl restart docker >> $SETUPLOG 2>&1
    else
@@ -450,6 +454,59 @@ docker_registry() {

 }

+docker_seed_registry() {
+  VERSION="HH1.1.4"
+  TRUSTED_CONTAINERS=( \
+  "so-auth-api:$VERSION" \
+  "so-auth-ui:$VERSION" \
+  "so-core:$VERSION" \
+  "so-thehive-cortex:$VERSION" \
+  "so-curator:$VERSION" \
+  "so-domainstats:$VERSION" \
+  "so-elastalert:$VERSION" \
+  "so-elasticsearch:$VERSION" \
+  "so-filebeat:$VERSION" \
+  "so-fleet:$VERSION" \
+  "so-fleet-launcher:$VERSION" \
+  "so-freqserver:$VERSION" \
+  "so-grafana:$VERSION" \
+  "so-idstools:$VERSION" \
+  "so-influxdb:$VERSION" \
+  "so-kibana:$VERSION" \
+  "so-logstash:$VERSION" \
+  "so-mysql:$VERSION" \
+  "so-navigator:$VERSION" \
+  "so-playbook:$VERSION" \
+  "so-redis:$VERSION" \
+  "so-sensoroni:$VERSION" \
+  "so-soctopus:$VERSION" \
+  "so-steno:$VERSION" \
+  #"so-strelka:$VERSION" \
+  "so-suricata:$VERSION" \
+  "so-telegraf:$VERSION" \
+  "so-thehive:$VERSION" \
+  "so-thehive-es:$VERSION" \
+  "so-wazuh:$VERSION" \
+  "so-zeek:$VERSION" )
+
+  for i in "${TRUSTED_CONTAINERS[@]}"
+  do
+    # Pull down the trusted docker image
+    echo "Downloading $i"
+    docker pull --disable-content-trust=false docker.io/soshybridhunter/$i
+    # Tag it with the new registry destination
+    docker tag soshybridhunter/$i $HOSTNAME:5000/soshybridhunter/$i
+    docker push $HOSTNAME:5000/soshybridhunter/$i
+  done
+
+  for i in "${TRUSTED_CONTAINERS[@]}"
+  do
+    echo "Removing $i locally"
+    docker rmi soshybridhunter/$i
+  done
+  
+}
+
 es_heapsize() {

  # Determine ES Heap Size
@@ -650,6 +707,7 @@ master_static() {
  touch /opt/so/saltstack/pillar/static.sls

  echo "static:" > /opt/so/saltstack/pillar/static.sls
+  echo "  soversion: 1.1.4" >> /opt/so/saltstack/pillar/static.sls
  echo "  hnmaster: $HNMASTER" >> /opt/so/saltstack/pillar/static.sls
  echo "  ntpserver: $NTPSERVER" >> /opt/so/saltstack/pillar/static.sls
  echo "  proxy: $PROXY" >> /opt/so/saltstack/pillar/static.sls
--- a/setup/so-setup.sh
+++ b/setup/so-setup.sh
@@ -364,6 +364,10 @@ if (whiptail_you_sure) ; then
      salt_checkin >> $SETUPLOG 2>&1
      salt-call state.apply ca >> $SETUPLOG 2>&1
      salt-call state.apply ssl >> $SETUPLOG 2>&1
+      salt-call state.apply firewall >> $SETUPLOG 2>&1
+      salt-call state.apply registry >> $SETUPLOG 2>&1
+      echo -e "XXX\n42\nDownloading Containers from the Internet... \nXXX"
+      docker_seed_registry >> $SETUPLOG 2>&1
      echo -e "XXX\n43\nInstalling Common Components... \nXXX"
      salt-call state.apply common >> $SETUPLOG 2>&1
      echo -e "XXX\n45\nApplying firewall rules... \nXXX"
@@ -603,12 +607,16 @@ if (whiptail_you_sure) ; then
      salt_checkin >> $SETUPLOG 2>&1
      salt-call state.apply ca >> $SETUPLOG 2>&1
      salt-call state.apply ssl >> $SETUPLOG 2>&1
+      salt-call state.apply firewall >> $SETUPLOG 2>&1
+      salt-call state.apply registry >> $SETUPLOG 2>&1
+      echo -e "XXX\n14\nDownloading Containers from the Internet... \nXXX"
+      docker_seed_registry >> $SETUPLOG 2>&1
+      salt-call state.apply master >> $SETUPLOG 2>&1
      echo -e "XXX\n15\nInstalling core components... \nXXX"
      salt-call state.apply common >> $SETUPLOG 2>&1
      echo -e "XXX\n18\nInitializing firewall rules... \nXXX"
      salt-call state.apply firewall >> $SETUPLOG 2>&1
      echo -e "XXX\n25\nInstalling master components... \nXXX"
-      salt-call state.apply master >> $SETUPLOG 2>&1
      salt-call state.apply idstools >> $SETUPLOG 2>&1
      if [[ $OSQUERY == '1' ]]; then
        salt-call state.apply mysql >> $SETUPLOG 2>&1
--- a/updatemaster.sh
+++ b/updatemaster.sh
@@ -11,4 +11,5 @@ chown -R socore:socore /opt/so/saltstack/salt
 chmod 755 /opt/so/saltstack/pillar/firewall/addfirewall.sh
 cd ~
 rm -rf /tmp/sogh
+# Run so-elastic-download here and call this soup with some magic
 salt-call state.highstate