From d587120613d4f8e630c38d416dab1365960c4765 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Thu, 17 Jun 2021 14:42:04 -0400
Subject: [PATCH 1/5] set ELASTICCUURL default as curl

---
 salt/common/init.sls | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/salt/common/init.sls b/salt/common/init.sls
index 9d20de62b..c8f1c7f12 100644
--- a/salt/common/init.sls
+++ b/salt/common/init.sls
@@ -186,6 +186,8 @@ utilsyncscripts:
 - template: jinja
 - source: salt://common/tools/sbin
 - defaults:
+ ELASTICCURL: 'curl'
+
 - context:
 ELASTICCURL: {{ ELASTICAUTH.elasticcurl }}
 {% if role in ['eval', 'standalone', 'sensor', 'heavynode'] %}
From 63b120e9e242674ae9fea12bf248d25e330b2de0 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Thu, 17 Jun 2021 14:56:05 -0400
Subject: [PATCH 2/5] use just curl for elastic in soup

---
 salt/common/tools/sbin/soup | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup
index 64c8de66b..32280f707 100755
--- a/salt/common/tools/sbin/soup
+++ b/salt/common/tools/sbin/soup
@@ -392,7 +392,7 @@ rc1_to_rc2() {
 local NAME=$(echo $p | awk '{print $1}')
 local IP=$(echo $p | awk '{print $2}')
 echo "Removing the old cross cluster config for $NAME"
- {{ ELASTICCURL }} -XPUT -H 'Content-Type: application/json' http://localhost:9200/_cluster/settings -d '{"persistent":{"cluster":{"remote":{"'$NAME'":{"skip_unavailable":null,"seeds":null}}}}}'
+ curl -XPUT -H 'Content-Type: application/json' http://localhost:9200/_cluster/settings -d '{"persistent":{"cluster":{"remote":{"'$NAME'":{"skip_unavailable":null,"seeds":null}}}}}'
 done
Date: Thu, 17 Jun 2021 15:19:27 -0400
Subject: [PATCH 3/5] Lock so-user to avoid two processes from overwriting eachother

---
 salt/common/tools/sbin/so-user | 22 ++++++++++++++++------
 1 file changed, 16 insertions(+), 6 deletions(-)

diff --git a/salt/common/tools/sbin/so-user b/salt/common/tools/sbin/so-user
index 800fca745..0f44a3227 100755
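Review bot: The new `ELASTICCURL: 'curl'` under `defaults:` is shadowed by the `context:` entry two lines below, which sets the same key from `{{ ELASTICAUTH.elasticcurl }}`; Salt's file.managed gives `context` precedence over `defaults`, so the fallback only ever applies if the context line is absent, and if that Jinja expression renders empty the script template still receives an empty string rather than `curl`. If the intent is to fall back to plain curl whenever the pillar does not supply a wrapper, the fallback presumably belongs on the context line itself, e.g. `ELASTICCURL: {{ ELASTICAUTH.elasticcurl | default('curl', true) }}`, after which the `defaults:` entry is harmless but redundant. The utilsyncscripts state starts outside the hunk, so this is inferred from the two keys visible here.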
--- a/salt/common/tools/sbin/so-user
+++ b/salt/common/tools/sbin/so-user
@@ -45,6 +45,13 @@ elasticRolesFile=${ELASTIC_ROLES_FILE:-/opt/so/saltstack/local/salt/elasticsearc
 esUID=${ELASTIC_UID:-930}
 esGID=${ELASTIC_GID:-930}
 
+function lock() {
+ # Obtain file descriptor lock
+ exec 99>/var/tmp/so-user.lock || fail "Unable to create lock descriptor; if the system was not shutdown gracefully you may need to remove /var/tmp/so-user.lock manually."
+ flock -w 10 99 || fail "Another process is using so-user; if the system was not shutdown gracefully you may need to remove /var/tmp/so-user.lock manually."
+ trap 'rm -f /var/tmp/so-user.lock' EXIT
+}
+
 function fail() {
 msg=$1
 echo "$1"
@@ -219,12 +226,9 @@ function syncElastic() {
 mv "${rolesTmpFile}" "${elasticRolesFile}"
 if [[ -z "$SKIP_STATE_APPLY" ]]; then
- echo "Applying elastic state locally; This can take a few minutes..."
- echo "Applying elastic state locally at $(date)" >> /opt/so/log/soc/sync.log 2>&1
- salt-call state.apply elasticsearch queue=True >> /opt/so/log/soc/sync.log 2>&1
- echo "Applying elastic state to elastic minions; This can take a few minutes..."
+ echo "Elastic state will be re-applied to affected minions in the background."
 echo "Applying elastic state to elastic minions at $(date)" >> /opt/so/log/soc/sync.log 2>&1
- salt -C 'G@role:so-node or G@role:so-heavynode' state.apply elasticsearch queue=True >> /opt/so/log/soc/sync.log 2>&1
+ salt -C 'G@role:so-standalone or G@role:so-eval or G@role:so-import or G@role:so-manager or G@role:so-managersearch or G@role:so-node or G@role:so-heavynode' state.apply elasticsearch queue=True >> /opt/so/log/soc/sync.log 2>&1 &
 fi
 else
 echo "Newly generated users/roles files are incomplete; aborting."
@@ -331,6 +335,7 @@ case "${operation}" in
 verifyEnvironment
 [[ "$email" == "" ]] && fail "Email address must be provided"
+ lock
 validateEmail "$email"
 updatePassword
 createUser "$email"
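Review bot: The `trap 'rm -f /var/tmp/so-user.lock' EXIT` in lock() undermines the lock it has just taken: a second so-user blocked in `flock -w 10 99` keeps its descriptor on the now-unlinked inode and acquires that lock once the first process exits, while a third invocation creates a fresh /var/tmp/so-user.lock and locks it immediately, so two instances can still run at once, which is the case this commit sets out to prevent. flock locks are released by the kernel when fd 99 closes, so the file never needs removing and the "you may need to remove /var/tmp/so-user.lock manually" guidance in both fail messages is misleading; drop the trap line and shorten the messages to `fail "Unable to create lock descriptor"` and `fail "Another process is using so-user; try again later"`. /var/tmp is world-writable, so a lock path under a root-owned directory (e.g. /run/lock) would also keep another local user from pre-creating the path that `exec 99>` opens. Note too that any command backgrounded later in the script inherits fd 99 and therefore the lock; the `salt ... &` in the @@ -219 hunk below is such a case, which may be intended but deserves a comment.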
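Review bot: Backgrounding the state.apply with a trailing `&` means its exit status is never observed: the local `salt-call state.apply elasticsearch` is gone and the remaining `salt -C ...` job only writes to /opt/so/log/soc/sync.log, so a failed apply leaves the caller printing "Successfully ..." with nothing on the terminal or in the log stating that the roles were not pushed. A cheap change that keeps the non-blocking behaviour is to record the outcome from a subshell, e.g. `( salt -C '<targets>' state.apply elasticsearch queue=True >> /opt/so/log/soc/sync.log 2>&1 || echo "Elastic state apply failed at $(date)" >> /opt/so/log/soc/sync.log ) &`. The backgrounded job also inherits the lock descriptor opened in lock(), so the so-user lock presumably stays held until the apply finishes; that seems acceptable but is worth a one-line comment next to the `&`. syncElastic starts outside the hunk.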
@@ -349,6 +354,7 @@ case "${operation}" in
 verifyEnvironment
 [[ "$email" == "" ]] && fail "Email address must be provided"
+ lock
 updateUser "$email"
 syncAll
 echo "Successfully updated user"
@@ -358,6 +364,7 @@ case "${operation}" in
 verifyEnvironment
 [[ "$email" == "" ]] && fail "Email address must be provided"
+ lock
 updateStatus "$email" 'active'
 syncAll
 echo "Successfully enabled user"
@@ -369,6 +376,7 @@ case "${operation}" in
 verifyEnvironment
 [[ "$email" == "" ]] && fail "Email address must be provided"
+ lock
 updateStatus "$email" 'locked'
 syncAll
 echo "Successfully disabled user"
@@ -380,6 +388,7 @@ case "${operation}" in
 verifyEnvironment
 [[ "$email" == "" ]] && fail "Email address must be provided"
+ lock
 deleteUser "$email"
 syncAll
 echo "Successfully deleted user"
@@ -388,7 +397,8 @@ case "${operation}" in
 ;;
 "sync")
- syncAll && echo "Synchronization completed at $(date)"
+ lock
+ syncAll
 ;;
 "validate")
From afe7ddb48099a7a5685c681e0fcabfc49a59220d Mon Sep 17 00:00:00 2001
From: Jason Ertel
Date: Thu, 17 Jun 2021 15:51:53 -0400
Subject: [PATCH 4/5] Remove passwords from soctopus templates since these are the basis for elastalert rules, which will use the user/pass at the elastalert global config level

---
 salt/soctopus/files/templates/es-generic.template | 6 ------
 salt/soctopus/files/templates/generic.template | 6 ------
 salt/soctopus/files/templates/osquery.template | 6 ------
 3 files changed, 18 deletions(-)

diff --git a/salt/soctopus/files/templates/es-generic.template b/salt/soctopus/files/templates/es-generic.template
index 9b5ace95a..8183a5af4 100644
--- a/salt/soctopus/files/templates/es-generic.template
+++ b/salt/soctopus/files/templates/es-generic.template
@@ -1,13 +1,7 @@
 {% set ES = salt['pillar.get']('global:managerip', '') %}
-{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %}
-{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %}
 alert: modules.so.playbook-es.PlaybookESAlerter
 elasticsearch_host: "{{ ES }}:9200"
-{% if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %}
-elasticsearch_user: "{{ ES_USER }}"
-elasticsearch_pass: "{{ ES_PASS }}"
-{% endif %}
 play_title: ""
 play_url: "https://{{ ES }}/playbook/issues/6000"
 sigma_level: ""
diff --git a/salt/soctopus/files/templates/generic.template b/salt/soctopus/files/templates/generic.template
index d3736f894..c3733db2c 100644
--- a/salt/soctopus/files/templates/generic.template
+++ b/salt/soctopus/files/templates/generic.template
@@ -1,15 +1,9 @@
 {% set es = salt['pillar.get']('global:url_base', '') %}
-{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %}
-{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %}
 alert:
 - "modules.so.playbook-es.PlaybookESAlerter"
 elasticsearch_host: "{{ es }}:9200"
-{% if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %}
-elasticsearch_user: "{{ ES_USER }}"
-elasticsearch_pass: "{{ ES_PASS }}"
-{% endif %}
 play_title: ""
 play_id: ""
 event.module: "playbook"
diff --git a/salt/soctopus/files/templates/osquery.template b/salt/soctopus/files/templates/osquery.template
index 328a7e275..f937de5ea 100644
--- a/salt/soctopus/files/templates/osquery.template
+++ b/salt/soctopus/files/templates/osquery.template
@@ -1,15 +1,9 @@
 {% set es = salt['pillar.get']('global:url_base', '') %}
-{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %}
-{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %}
 alert:
 - "modules.so.playbook-es.PlaybookESAlerter"
 elasticsearch_host: "{{ es }}:9200"
-{% if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %}
-elasticsearch_user: "{{ ES_USER }}"
-elasticsearch_pass: "{{ ES_PASS }}"
-{% endif %}
 play_title: ""
 event.module: "playbook"
 event.dataset: "alert"
From b294cee278ddbd5b620f78b5675a8c60f22071a9 Mon Sep 17 00:00:00 2001
From: Jason Ertel
Date: Thu, 17 Jun 2021 15:53:07 -0400
Subject: [PATCH 5/5] Remove passwords from soctopus templates since these are the basis for elastalert rules, which will use the user/pass at the elastalert global config level

---
 salt/soctopus/init.sls | 1 -
 1 file changed, 1 deletion(-)

diff --git a/salt/soctopus/init.sls b/salt/soctopus/init.sls
index b32c67487..1c7c92434 100644
--- a/salt/soctopus/init.sls
+++ b/salt/soctopus/init.sls
@@ -21,7 +21,6 @@ soctopus-sync:
 - source: salt://soctopus/files/templates
 - user: 939
 - group: 939
- - file_mode: 600
 - template: jinja
 
 soctopusconf: