enabled/disable soc in ui

salt/manager/tools/sbin/so-minion

@@ -302,6 +302,13 @@ function add_soctopus_to_minion() {
 	"  " >> $PILLARFILE
 }
 
+function add_soc_to_minion() {
+    printf '%s\n'\
+    "soc:"\
+    "  enabled: True"\
+	"  " >> $PILLARFILE
+}
+
 function create_fleet_policy() {
 
 	JSON_STRING=$( jq -n \
@@ -356,6 +363,7 @@ function createEVAL() {
 	add_influxdb_to_minion
 	add_nginx_to_minion
 	add_soctopus_to_minion
+	add_soc_to_minion
 }
 
 function createSTANDALONE() {
@@ -372,6 +380,7 @@ function createSTANDALONE() {
 	add_influxdb_to_minion
 	add_nginx_to_minion
 	add_soctopus_to_minion
+	add_soc_to_minion
 }
 
 function createMANAGER() {
@@ -386,6 +395,7 @@ function createMANAGER() {
 	add_influxdb_to_minion
 	add_nginx_to_minion
 	add_soctopus_to_minion
+	add_soc_to_minion
 }
 
 function createMANAGERSEARCH() {
@@ -400,6 +410,7 @@ function createMANAGERSEARCH() {
 	add_influxdb_to_minion
 	add_nginx_to_minion
 	add_soctopus_to_minion
+	add_soc_to_minion
 }
 
 function createIMPORT() {
@@ -409,6 +420,7 @@ function createIMPORT() {
 	add_telegraf_to_minion
 	add_influxdb_to_minion
 	add_nginx_to_minion
+	add_soc_to_minion
 }
 
 function createFLEET() {
@@ -418,6 +430,7 @@ function createFLEET() {
 	update_fleet_host_urls
 	update_logstash_outputs
 	add_telegraf_to_minion
+	add_nginx_to_minion
 }
 
 function createIDH() {
@@ -433,21 +446,18 @@ function createHEAVYNODE() {
 	add_redis_to_minion
 	add_curator_to_minion
 	add_telegraf_to_minion
-	add_nginx_to_minion
 }
 
 function createSENSOR() {
 	add_sensor_to_minion
 	add_strelka_strelka_to_minion
 	add_telegraf_to_minion
-	add_nginx_to_minion
 }
 
 function createSEARCHNODE() {
 	add_elasticsearch_to_minion
 	add_logstash_to_minion
 	add_telegraf_to_minion
-	add_nginx_to_minion
 	updateMine
 	apply_ES_state
 }

salt/soc/config.sls

@@ -0,0 +1,115 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls.split('.')[0] in allowed_states %}
+
+include:
+  - manager.sync_es_users
+
+socdir:
+  file.directory:
+    - name: /opt/so/conf/soc
+    - user: 939
+    - group: 939
+    - makedirs: True
+
+socdatadir:
+  file.directory:
+    - name: /nsm/soc/jobs
+    - user: 939
+    - group: 939
+    - makedirs: True
+
+soclogdir:
+  file.directory:
+    - name: /opt/so/log/soc
+    - user: 939
+    - group: 939
+    - makedirs: True
+
+socsaltdir:
+  file.directory:
+    - name: /opt/so/conf/soc/salt
+    - user: 939
+    - group: 939
+    - makedirs: True
+
+socconfig:
+  file.managed:
+    - name: /opt/so/conf/soc/soc.json
+    - source: salt://soc/files/soc/soc.json.jinja
+    - user: 939
+    - group: 939
+    - mode: 600
+    - template: jinja
+    - show_changes: False
+
+socmotd:
+  file.managed:
+    - name: /opt/so/conf/soc/motd.md
+    - source: salt://soc/files/soc/motd.md
+    - user: 939
+    - group: 939
+    - mode: 600
+    - template: jinja
+
+socbanner:
+  file.managed:
+    - name: /opt/so/conf/soc/banner.md
+    - source: salt://soc/files/soc/banner.md
+    - user: 939
+    - group: 939
+    - mode: 600
+    - template: jinja
+
+soc_sbin:
+  file.recurse:
+    - name: /usr/sbin
+    - source: salt://soc/tools/sbin
+    - user: 939
+    - group: 939
+    - file_mode: 755
+
+#soc_sbin_jinja:
+#  file.recurse:
+#    - name: /usr/sbin
+#    - source: salt://soc/tools/sbin_jinja
+#    - user: 939
+#    - group: 939 
+#    - file_mode: 755
+#    - template: jinja
+
+soccustom:
+  file.managed:
+    - name: /opt/so/conf/soc/custom.js
+    - source: salt://soc/files/soc/custom.js
+    - user: 939
+    - group: 939
+    - mode: 600
+    - template: jinja
+
+soccustomroles:
+  file.managed:
+    - name: /opt/so/conf/soc/custom_roles
+    - source: salt://soc/files/soc/custom_roles
+    - user: 939
+    - group: 939
+    - mode: 600
+    - template: jinja
+
+socusersroles:
+  file.exists:
+    - name: /opt/so/conf/soc/soc_users_roles
+    - require:
+      - sls: manager.sync_es_users
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+  test.fail_without_changes:
+    - name: {{sls}}_state_not_allowed
+
+{% endif %}

salt/soc/defaults.map.jinja

@@ -1,3 +1,8 @@
+{# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+   or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+   https://securityonion.net/license; you may not use this file except in compliance with the
+   Elastic License 2.0. #}
+
 {% import_yaml 'soc/defaults.yaml' as SOCDEFAULTS %}
 {% from 'vars/globals.map.jinja' import GLOBALS %}
 {% from 'docker/docker.map.jinja' import DOCKER -%}
@@ -5,28 +10,28 @@
 {% import_text 'influxdb/metrics_link.txt' as METRICS_LINK %}
 
 {% for module, application_url in GLOBALS.application_urls.items() %}
-{%   do SOCDEFAULTS.soc.server.modules[module].update({'hostUrl': application_url}) %}
+{%   do SOCDEFAULTS.soc.config.server.modules[module].update({'hostUrl': application_url}) %}
 {% endfor %}
 
 {# add nodes from the logstash:nodes pillar to soc.server.modules.elastic.remoteHostUrls #}
 {% for node_type, minions in salt['pillar.get']('logstash:nodes', {}).items() %}
 {%   for m in minions.keys() %}
-{%     do SOCDEFAULTS.soc.server.modules.elastic.remoteHostUrls.append(m) %}
+{%     do SOCDEFAULTS.soc.config.server.modules.elastic.remoteHostUrls.append(m) %}
 {%   endfor %}
 {% endfor %}
 
-{% do SOCDEFAULTS.soc.server.modules.elastic.update({'username': GLOBALS.elasticsearch.auth.users.so_elastic_user.user, 'password': GLOBALS.elasticsearch.auth.users.so_elastic_user.pass}) %}
+{% do SOCDEFAULTS.soc.config.server.modules.elastic.update({'username': GLOBALS.elasticsearch.auth.users.so_elastic_user.user, 'password': GLOBALS.elasticsearch.auth.users.so_elastic_user.pass}) %}
 
-{% do SOCDEFAULTS.soc.server.modules.influxdb.update({'hostUrl': 'https://' ~ GLOBALS.influxdb_host ~ ':8086'}) %}
+{% do SOCDEFAULTS.soc.config.server.modules.influxdb.update({'hostUrl': 'https://' ~ GLOBALS.influxdb_host ~ ':8086'}) %}
-{% do SOCDEFAULTS.soc.server.modules.influxdb.update({'token': INFLUXDB_TOKEN}) %}
+{% do SOCDEFAULTS.soc.config.server.modules.influxdb.update({'token': INFLUXDB_TOKEN}) %}
-{% for tool in SOCDEFAULTS.soc.server.client.tools %}
+{% for tool in SOCDEFAULTS.soc.config.server.client.tools %}
 {%   if tool.name == "toolInfluxDb" and METRICS_LINK | length > 0 %}
 {%     do tool.update({'link': METRICS_LINK}) %}
 {%   endif %}
 {% endfor %}
 
-{% do SOCDEFAULTS.soc.server.modules.statickeyauth.update({'anonymousCidr': DOCKER.sorange, 'apiKey': pillar.sensoroni.sensoronikey}) %}
+{% do SOCDEFAULTS.soc.config.server.modules.statickeyauth.update({'anonymousCidr': DOCKER.sorange, 'apiKey': pillar.sensoroni.sensoronikey}) %}
 
-{% do SOCDEFAULTS.soc.server.client.case.update({'analyzerNodeId': GLOBALS.hostname}) %}
+{% do SOCDEFAULTS.soc.config.server.client.case.update({'analyzerNodeId': GLOBALS.hostname}) %}
 
 {% set SOCDEFAULTS = SOCDEFAULTS.soc %}

salt/soc/disabled.sls

@@ -0,0 +1,31 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls.split('.')[0] in allowed_states %}
+
+include:
+  - soc.sostatus
+  
+so-soc:
+  docker_container.absent:
+    - force: True
+
+so-soc_so-status.disabled:
+  file.comment:
+    - name: /opt/so/conf/so-status/so-status.conf
+    - regex: ^so-soc$
+
+salt-relay:
+  cron.absent:
+    - identifier: salt-relay
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+  test.fail_without_changes:
+    - name: {{sls}}_state_not_allowed
+
+{% endif %}

salt/soc/enabled.sls

@@ -0,0 +1,68 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls.split('.')[0] in allowed_states %}
+{%   from 'vars/globals.map.jinja' import GLOBALS %}
+{%   from 'docker/docker.map.jinja' import DOCKER %}
+{%   from 'soc/merged.map.jinja' import DOCKER_EXTRA_HOSTS %}
+
+include:
+  - soc.config
+  - soc.sostatus
+
+so-soc:
+  docker_container.running:
+    - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-soc:{{ GLOBALS.so_version }}
+    - hostname: soc
+    - name: so-soc
+    - networks:
+      - sobridge:
+        - ipv4_address: {{ DOCKER.containers['so-soc'].ip }}
+    - binds:
+      - /nsm/soc/jobs:/opt/sensoroni/jobs:rw
+      - /opt/so/log/soc/:/opt/sensoroni/logs/:rw
+      - /opt/so/conf/soc/soc.json:/opt/sensoroni/sensoroni.json:ro
+      - /opt/so/conf/soc/motd.md:/opt/sensoroni/html/motd.md:ro
+      - /opt/so/conf/soc/banner.md:/opt/sensoroni/html/login/banner.md:ro
+      - /opt/so/conf/soc/custom.js:/opt/sensoroni/html/js/custom.js:ro
+      - /opt/so/conf/soc/custom_roles:/opt/sensoroni/rbac/custom_roles:ro
+      - /opt/so/conf/soc/soc_users_roles:/opt/sensoroni/rbac/users_roles:rw
+      - /opt/so/conf/soc/salt:/opt/sensoroni/salt:rw
+      - /opt/so/saltstack:/opt/so/saltstack:rw
+    - extra_hosts: {{ DOCKER_EXTRA_HOSTS }}
+    - port_bindings:
+      {% for BINDING in DOCKER.containers['so-soc'].port_bindings %}
+      - {{ BINDING }}
+      {% endfor %}
+    - watch:
+      - file: /opt/so/conf/soc/*
+    - require:
+      - file: socdatadir
+      - file: soclogdir
+      - file: socconfig
+      - file: socmotd
+      - file: socbanner
+      - file: soccustom
+      - file: soccustomroles
+      - file: socusersroles
+
+delete_so-soc_so-status.disabled:
+  file.uncomment:
+    - name: /opt/so/conf/so-status/so-status.conf
+    - regex: ^so-soc$
+
+salt-relay:
+  cron.present:
+    - name: 'ps -ef | grep salt-relay.sh | grep -v grep > /dev/null 2>&1 || /opt/so/saltstack/default/salt/soc/files/bin/salt-relay.sh >> /opt/so/log/soc/salt-relay.log 2>&1 &'
+    - identifier: salt-relay
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+  test.fail_without_changes:
+    - name: {{sls}}_state_not_allowed
+
+{% endif %}

salt/soc/files/soc/soc.json.jinja

@@ -1,2 +1,2 @@
 {% from 'soc/merged.map.jinja' import SOCMERGED -%}
-{{ SOCMERGED | json(sort_keys=True, indent=4 * ' ') }}
+{{ SOCMERGED.config | json(sort_keys=True, indent=4 * ' ') }}

salt/soc/init.sls

@@ -1,160 +1,13 @@
-{% from 'allowed_states.map.jinja' import allowed_states %}
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-{% if sls in allowed_states %}
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
 
-{% from 'vars/globals.map.jinja' import GLOBALS %}
+{% from 'soc/config.map.jinja' import SOCMERGED %}
-{% from 'docker/docker.map.jinja' import DOCKER %}
-{% from 'soc/merged.map.jinja' import DOCKER_EXTRA_HOSTS %}
 
 include:
-  - manager.sync_es_users
+{% if SOCMERGED.enabled %}
-
+  - soc.enabled
-socdir:
-  file.directory:
-    - name: /opt/so/conf/soc
-    - user: 939
-    - group: 939
-    - makedirs: True
-
-socdatadir:
-  file.directory:
-    - name: /nsm/soc/jobs
-    - user: 939
-    - group: 939
-    - makedirs: True
-
-soclogdir:
-  file.directory:
-    - name: /opt/so/log/soc
-    - user: 939
-    - group: 939
-    - makedirs: True
-
-socsaltdir:
-  file.directory:
-    - name: /opt/so/conf/soc/salt
-    - user: 939
-    - group: 939
-    - makedirs: True
-
-socconfig:
-  file.managed:
-    - name: /opt/so/conf/soc/soc.json
-    - source: salt://soc/files/soc/soc.json.jinja
-    - user: 939
-    - group: 939
-    - mode: 600
-    - template: jinja
-    - show_changes: False
-
-socmotd:
-  file.managed:
-    - name: /opt/so/conf/soc/motd.md
-    - source: salt://soc/files/soc/motd.md
-    - user: 939
-    - group: 939
-    - mode: 600
-    - template: jinja
-
-socbanner:
-  file.managed:
-    - name: /opt/so/conf/soc/banner.md
-    - source: salt://soc/files/soc/banner.md
-    - user: 939
-    - group: 939
-    - mode: 600
-    - template: jinja
-
-soc_sbin:
-  file.recurse:
-    - name: /usr/sbin
-    - source: salt://soc/tools/sbin
-    - user: 939
-    - group: 939
-    - file_mode: 755
-
-#soc_sbin_jinja:
-#  file.recurse:
-#    - name: /usr/sbin
-#    - source: salt://soc/tools/sbin_jinja
-#    - user: 939
-#    - group: 939 
-#    - file_mode: 755
-#    - template: jinja
-
-soccustom:
-  file.managed:
-    - name: /opt/so/conf/soc/custom.js
-    - source: salt://soc/files/soc/custom.js
-    - user: 939
-    - group: 939
-    - mode: 600
-    - template: jinja
-
-soccustomroles:
-  file.managed:
-    - name: /opt/so/conf/soc/custom_roles
-    - source: salt://soc/files/soc/custom_roles
-    - user: 939
-    - group: 939
-    - mode: 600
-    - template: jinja
-
-socusersroles:
-  file.exists:
-    - name: /opt/so/conf/soc/soc_users_roles
-    - require:
-      - sls: manager.sync_es_users
-
-salt-relay:
-  cron.present:
-  - name: 'ps -ef | grep salt-relay.sh | grep -v grep > /dev/null 2>&1 || /opt/so/saltstack/default/salt/soc/files/bin/salt-relay.sh >> /opt/so/log/soc/salt-relay.log 2>&1 &'
-  - identifier: salt-relay
-
-so-soc:
-  docker_container.running:
-    - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-soc:{{ GLOBALS.so_version }}
-    - hostname: soc
-    - name: so-soc
-    - networks:
-      - sobridge:
-        - ipv4_address: {{ DOCKER.containers['so-soc'].ip }}
-    - binds:
-      - /nsm/soc/jobs:/opt/sensoroni/jobs:rw
-      - /opt/so/log/soc/:/opt/sensoroni/logs/:rw
-      - /opt/so/conf/soc/soc.json:/opt/sensoroni/sensoroni.json:ro
-      - /opt/so/conf/soc/motd.md:/opt/sensoroni/html/motd.md:ro
-      - /opt/so/conf/soc/banner.md:/opt/sensoroni/html/login/banner.md:ro
-      - /opt/so/conf/soc/custom.js:/opt/sensoroni/html/js/custom.js:ro
-      - /opt/so/conf/soc/custom_roles:/opt/sensoroni/rbac/custom_roles:ro
-      - /opt/so/conf/soc/soc_users_roles:/opt/sensoroni/rbac/users_roles:rw
-      - /opt/so/conf/soc/salt:/opt/sensoroni/salt:rw
-      - /opt/so/saltstack:/opt/so/saltstack:rw
-    - extra_hosts: {{ DOCKER_EXTRA_HOSTS }}
-    - port_bindings:
-      {% for BINDING in DOCKER.containers['so-soc'].port_bindings %}
-      - {{ BINDING }}
-      {% endfor %}
-    - watch:
-      - file: /opt/so/conf/soc/*
-    - require:
-      - file: socdatadir
-      - file: soclogdir
-      - file: socconfig
-      - file: socmotd
-      - file: socbanner
-      - file: soccustom
-      - file: soccustomroles
-      - file: socusersroles
-
-append_so-soc_so-status.conf:
-  file.append:
-    - name: /opt/so/conf/so-status/so-status.conf
-    - text: so-soc
-
 {% else %}
-
+  - soc.disabled
-{{sls}}_state_not_allowed:
-  test.fail_without_changes:
-    - name: {{sls}}_state_not_allowed
-
 {% endif %}

salt/soc/merged.map.jinja

@@ -1,3 +1,8 @@
+{# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+   or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+   https://securityonion.net/license; you may not use this file except in compliance with the
+   Elastic License 2.0. #}
+
 {% from 'vars/globals.map.jinja' import GLOBALS %}
 {% from 'soc/defaults.map.jinja' import SOCDEFAULTS with context %}
 {% from 'logstash/map.jinja' import LOGSTASH_NODES %}
@@ -6,14 +11,14 @@
 
 {% set SOCMERGED = salt['pillar.get']('soc', SOCDEFAULTS, merge=true) %}
 
-{# if SOCMERGED.server.modules.cases == httpcase details come from the soc pillar #}
+{# if SOCMERGED.config.server.modules.cases == httpcase details come from the soc pillar #}
-{% if SOCMERGED.server.modules.cases != 'soc' %}
+{% if SOCMERGED.config.server.modules.cases != 'soc' %}
-{%   do SOCMERGED.server.modules.elastic.update({'casesEnabled': false}) %}
+{%   do SOCMERGED.config.server.modules.elastic.update({'casesEnabled': false}) %}
-{%   do SOCMERGED.server.client.update({'casesEnabled': false}) %}
+{%   do SOCMERGED.config.server.client.update({'casesEnabled': false}) %}
-{%   do SOCMERGED.server.client.hunt.update({'escalateRelatedEventsEnabled': false}) %}
+{%   do SOCMERGED.config.server.client.hunt.update({'escalateRelatedEventsEnabled': false}) %}
-{%   do SOCMERGED.server.client.alerts.update({'escalateRelatedEventsEnabled': false}) %}
+{%   do SOCMERGED.config.server.client.alerts.update({'escalateRelatedEventsEnabled': false}) %}
-{%   if SOCMERGED.server.modules.cases == 'elasticcases' %}
+{%   if SOCMERGED.config.server.modules.cases == 'elasticcases' %}
-{%     do SOCMERGED.server.modules.update({
+{%     do SOCMERGED.config.server.modules.update({
          'elasticcases': {
            'hostUrl': 'https://' ~ GLOBALS.manager_ip ~ ':5601',
            'username': GLOBALS.elasticsearch.auth.users.so_elastic_user.user,
@@ -23,13 +28,13 @@
 {%   endif %}
 {% endif %}
 {# since cases is not a valid soc config item and only used for the map files, remove it from being placed in the config #}
-{% do SOCMERGED.server.modules.pop('cases') %}
+{% do SOCMERGED.config.server.modules.pop('cases') %}
 
 {% if pillar.manager.playbook == 0 %}
-{%   do SOCMERGED.server.client.inactiveTools.append('toolPlaybook') %}
+{%   do SOCMERGED.config.server.client.inactiveTools.append('toolPlaybook') %}
 {% endif %}
 
-{% set standard_actions = SOCMERGED.pop('actions') %}
+{% set standard_actions = SOCMERGED.config.pop('actions') %}
 {% if pillar.global.endgamehost is defined %}
 {%   set endgame_dict = {
        "name": "Endgame",
@@ -42,12 +47,12 @@
 {%   do standard_actions.append(endgame_dict) %}
 {% endif %}
 
-{%   do SOCMERGED.server.client.hunt.update({'actions': standard_actions}) %}
+{%   do SOCMERGED.config.server.client.hunt.update({'actions': standard_actions}) %}
-{%   do SOCMERGED.server.client.dashboards.update({'actions': standard_actions}) %}
+{%   do SOCMERGED.config.server.client.dashboards.update({'actions': standard_actions}) %}
-{%   do SOCMERGED.server.client.update({'job': {'actions': standard_actions}}) %}
+{%   do SOCMERGED.config.server.client.update({'job': {'actions': standard_actions}}) %}
-{%   do SOCMERGED.server.client.alerts.update({'actions': standard_actions}) %}
+{%   do SOCMERGED.config.server.client.alerts.update({'actions': standard_actions}) %}
-{%   do SOCMERGED.server.client.cases.update({'actions': standard_actions}) %}
+{%   do SOCMERGED.config.server.client.cases.update({'actions': standard_actions}) %}
 
-{% set standard_eventFields = SOCMERGED.pop('eventFields') %}
+{% set standard_eventFields = SOCMERGED.config.pop('eventFields') %}
-{%   do SOCMERGED.server.client.hunt.update({'eventFields': standard_eventFields}) %}
+{%   do SOCMERGED.config.server.client.hunt.update({'eventFields': standard_eventFields}) %}
-{%   do SOCMERGED.server.client.dashboards.update({'eventFields': standard_eventFields}) %}
+{%   do SOCMERGED.config.server.client.dashboards.update({'eventFields': standard_eventFields}) %}

salt/soc/soc_soc.yaml

@@ -1,224 +1,228 @@
 soc:
-  licenseKey:
+  enabled:
-    title: License Key
+    description: You can enable or disable SOC.
-    description: Optional Security Onion license key to unlock enterprise features.
+    advanced: True
-    global: True
+  config:
-  logLevel:
+    licenseKey:
-    title: Log Level
+      title: License Key
-    description: The SOC log level, useful for enabling debug logging for advanced troubleshooting. Allowed values are debug, info, warn, error. The SOC log is available at /opt/so/log/soc/sensoroni-server.log.
+      description: Optional Security Onion license key to unlock enterprise features.
-    global: True
-    regex: ^(info|debug|warn|error)$
-  files:
-    soc:
-      banner__md:
-        title: Login Banner
-        description: Customize the login page with a specific markdown-formatted message.
-        file: True
-        global: True
-        syntax: md
-        helpLink: soc-customization.html
-      motd__md:
-        title: Overview Page
-        description: Customize the overview page with specific markdown-formatted content. Images can be used but must be hosted from another host that is accessible by the user's browser.
-        file: True
-        global: True
-        syntax: md
-        helpLink: soc-customization.html
-      custom__js:
-        title: Custom Javascript
-        description: Customize SOC UI behavior with custom Javascript code. Custom Javascript not provided by Security Onion Solutions is unsupported, and should be removed prior to requesting support and prior to performing upgrades.
-        file: True
-        global: True
-        advanced: True
-        helpLink: soc-customization.html
-      custom_roles:
-        title: Custom Roles
-        description: Customize role and permission mappings. Changing this setting requires a complete understanding of the SOC RBAC system.
-        file: True
-        global: True
-        advanced: True
-        helpLink: soc-customization.html
-  actions:
-    description: A list of actions a user can take from the SOC UI against a hunt, alert, and other records. The action must be defined in JSON object format, and contain a "name" key and "links" key. The links is a list of URLs, where the most suitable URL in the list will be the selected URL when the user clicks the action.
-    global: True
-  eventFields:
-    default:
-      description: The list of fields to show as columns in the Hunt/Dashboards event table, when no other specific mapping applies. Mappings are defined by the format ":event.module:event.dataset".
       global: True
-      advanced: True
+    logLevel:
-  server:
+      title: Log Level
-    srvKey:
+      description: The SOC log level, useful for enabling debug logging for advanced troubleshooting. Allowed values are debug, info, warn, error. The SOC log is available at /opt/so/log/soc/sensoroni-server.log.
-      description: Unique key for protecting the integrity of user submitted data via the web browser.
       global: True
-      sensitive: True
+      regex: ^(info|debug|warn|error)$
-      advanced: True
+    files:
-    maxPacketCount:
+      soc:
-      description: Maximum number of packets to show in the PCAP viewer. Larger values can cause more resource utilization on both the SOC server and the browser.
+        banner__md:
-      global: True
+          title: Login Banner
-      advanced: True
+          description: Customize the login page with a specific markdown-formatted message.
-    modules:
+          file: True
-      elastic:
+          global: True
-        index:
+          syntax: md
-          description: Comma-separated list of indices or index patterns (wildcard "*" supported) that SOC will search for records.
+          helpLink: soc-customization.html
+        motd__md:
+          title: Overview Page
+          description: Customize the overview page with specific markdown-formatted content. Images can be used but must be hosted from another host that is accessible by the user's browser.
+          file: True
+          global: True
+          syntax: md
+          helpLink: soc-customization.html
+        custom__js:
+          title: Custom Javascript
+          description: Customize SOC UI behavior with custom Javascript code. Custom Javascript not provided by Security Onion Solutions is unsupported, and should be removed prior to requesting support and prior to performing upgrades.
+          file: True
           global: True
           advanced: True
-        cacheMs:
+          helpLink: soc-customization.html
-          description: Duration (in milliseconds) to cache the Elasticsearch index field data to minimize repeated requests for this typically static information.
+        custom_roles:
+          title: Custom Roles
+          description: Customize role and permission mappings. Changing this setting requires a complete understanding of the SOC RBAC system.
+          file: True
           global: True
           advanced: True
-        timeoutMs:
+          helpLink: soc-customization.html
-          description: Duration (in milliseconds) to wait for a response from the Elasticsearch host before giving up and showing an error on the SOC UI.
+    actions:
+      description: A list of actions a user can take from the SOC UI against a hunt, alert, and other records. The action must be defined in JSON object format, and contain a "name" key and "links" key. The links is a list of URLs, where the most suitable URL in the list will be the selected URL when the user clicks the action.
+      global: True
+    eventFields:
+      default:
+        description: The list of fields to show as columns in the Hunt/Dashboards event table, when no other specific mapping applies. Mappings are defined by the format ":event.module:event.dataset".
+        global: True
+        advanced: True
+    server:
+      srvKey:
+        description: Unique key for protecting the integrity of user submitted data via the web browser.
+        global: True
+        sensitive: True
+        advanced: True
+      maxPacketCount:
+        description: Maximum number of packets to show in the PCAP viewer. Larger values can cause more resource utilization on both the SOC server and the browser.
+        global: True
+        advanced: True
+      modules:
+        elastic:
+          index:
+            description: Comma-separated list of indices or index patterns (wildcard "*" supported) that SOC will search for records.
+            global: True
+            advanced: True
+          cacheMs:
+            description: Duration (in milliseconds) to cache the Elasticsearch index field data to minimize repeated requests for this typically static information.
+            global: True
+            advanced: True
+          timeoutMs:
+            description: Duration (in milliseconds) to wait for a response from the Elasticsearch host before giving up and showing an error on the SOC UI.
+            global: True
+            advanced: True
+          casesEnabled:
+            description: Set to true if the SOC case management module, natively integrated with Elasticsearch, should be enabled.
+            global: True
+            advanced: True
+          extractCommonObservables:
+            description: List of indexed fields to automatically extract into a case observable, when attaching related events to a case.
+            global: True
+          timeShiftMs:
+            description: Duration (in milliseconds) to further expand the PCAP time range when querying PCAP data related to an event. This duration is added to the normal duration value (see defaultDurationMs).
+            global: True
+            advanced: True
+          defaultDurationMs:
+            description: Duration (in milliseconds) to add before and after the event's timestamp, when querying PCAP data related to the event. If the PCAP-related event record itself has an event.duration value, it will be used instead of this default.
+            global: True
+            advanced: True
+          esSearchOffsetMs:
+            description: Duration (in milliseconds) to add before and after the selected event's timestamp, when looking up PCAP-related events in order to pivot to PCAP.
+            global: True
+            advanced: True
+          maxLogLength:
+            description: The maximum length of an Elasticsearch related log line that is output to the Sensoroni log file. This prevents massive Elasticsearch responses from being dumped into the text log file on disk.
+            global: True
+            advanced: True
+          asyncThreshold:
+            description: Maximum number of events that can be acknowledged synchronously. When acknowledging large numbers of events, where the count exceeds this value, the acknowledge update will be performed in the background, as it can take several minutes to complete.
+            global: True
+            advanced: True
+        sostatus:
+          refreshIntervalMs:
+            description: Duration (in milliseconds) between refreshes of the grid status. Shortening this duration may not have expected results, as the backend systems feeding this sostatus data will continue their updates as scheduled.
+            global: True
+            advanced: True
+          offlineThresholdMs:
+            description: Duration (in milliseconds) that must elapse after a grid node fails to check-in before the node will be marked offline (fault).
+            global: True
+            advanced: True
+      client:
+        apiTimeoutMs:
+          description: Duration (in milliseconds) to wait for a response from the SOC server API before giving up and showing an error on the SOC UI.
+          global: True
+          advanced: True
+        webSocketTimeoutMs:
+          description: Duration (in milliseconds) to wait for a response from the SOC server websocket before giving up and reconnecting.
+          global: True
+          advanced: True
+        tipTimeoutMs:
+          description: Duration (in milliseconds) to show the popup tips, which typically indicate a successful operation.
+          global: True
+        cacheExpirationMs:
+          description: Duration (in milliseconds) of cached data within the browser, including users and settings.
           global: True
           advanced: True
         casesEnabled:
-          description: Set to true if the SOC case management module, natively integrated with Elasticsearch, should be enabled.
+          description: Set to true to enable case management in SOC.
+          global: True
+        inactiveTools:
+          description: List of external tools to remove from the SOC UI.
+          global: True
+        tools:
+          description: List of available external tools visible in the SOC UI. Each tool is defined in JSON object notation, and must include the "name" key and "link" key, where the link is the tool's URL.
           global: True
           advanced: True
-        extractCommonObservables:
+        hunt: &appSettings
-          description: List of indexed fields to automatically extract into a case observable, when attaching related events to a case.
+          groupItemsPerPage:
-          global: True
+            description: Default number of aggregations to show per page. Larger values consume more vertical area in the SOC UI.
-        timeShiftMs:
+            global: True
-          description: Duration (in milliseconds) to further expand the PCAP time range when querying PCAP data related to an event. This duration is added to the normal duration value (see defaultDurationMs).
+          groupFetchLimit:
-          global: True
+            description: Default maximum number of aggregations to retrieve per search. Larger values consume more bandwidth and server resources.
-          advanced: True
+            global: True
-        defaultDurationMs:
+          eventItemsPerPage:
-          description: Duration (in milliseconds) to add before and after the event's timestamp, when querying PCAP data related to the event. If the PCAP-related event record itself has an event.duration value, it will be used instead of this default.
+            description: Default number of items to show per page. Larger values consume more vertical area in the SOC UI.
-          global: True
+            global: True
-          advanced: True
+          eventFetchLimit:
-        esSearchOffsetMs:
+            description: Default maximum number of items to retrieve per search. Larger values consume more bandwidth and server resources.
-          description: Duration (in milliseconds) to add before and after the selected event's timestamp, when looking up PCAP-related events in order to pivot to PCAP.
+            global: True
-          global: True
+          relativeTimeValue:
-          advanced: True
+            description: The duration of time to look backwards when searching for items. Used in combination with the relativeTimeUnit setting.
-        maxLogLength:
+            global: True
-          description: The maximum length of an Elasticsearch related log line that is output to the Sensoroni log file. This prevents massive Elasticsearch responses from being dumped into the text log file on disk.
+          relativeTimeUnit:
-          global: True
+            description: The unit of time for the relativeTimeValue setting. Possible values are 10 (seconds), 20 (minutes), 30 (hours), 40 (days), 50 (weeks), and 60 (months).
-          advanced: True
+            global: True
-        asyncThreshold:
+          mostRecentlyUsedLimit:
-          description: Maximum number of events that can be acknowledged synchronously. When acknowledging large numbers of events, where the count exceeds this value, the acknowledge update will be performed in the background, as it can take several minutes to complete.
+            description: Number of items to show in the most recently used queries list. Larger values cause default queries to be located further down the list.
-          global: True
+            global: True
-          advanced: True
+          queries:
-      sostatus:
+            description: List of default queries to show in the query list. Each query is represented in JSON object notation, and must include the "name" key and "query" key.
-        refreshIntervalMs:
+            global: True
-          description: Duration (in milliseconds) between refreshes of the grid status. Shortening this duration may not have expected results, as the backend systems feeding this sostatus data will continue their updates as scheduled.
+        alerts: *appSettings
-          global: True
+        cases: *appSettings
-          advanced: True
+        dashboards: *appSettings
-        offlineThresholdMs:
+        case:
-          description: Duration (in milliseconds) that must elapse after a grid node fails to check-in before the node will be marked offline (fault).
+          analyzerNodeId:
-          global: True
+            description: The node ID on which analyzers will be executed.
-          advanced: True
+            global: True
-    client:
+            advanced: True
-      apiTimeoutMs:
+          mostRecentlyUsedLimit:
-        description: Duration (in milliseconds) to wait for a response from the SOC server API before giving up and showing an error on the SOC UI.
+            description: Number of items to show in the most recently used queries list. Larger values cause default queries to be located further down the list.
-        global: True
+            global: True
-        advanced: True
+          renderAbbreviatedCount:
-      webSocketTimeoutMs:
+            description: When the number of case related items exceeds this number, the middle section of the results will be hidden from view, avoiding unnecessary scrolling.
-        description: Duration (in milliseconds) to wait for a response from the SOC server websocket before giving up and reconnecting.
+            global: True
-        global: True
+            advanced: True
-        advanced: True
+          presets:
-      tipTimeoutMs:
+            artifactType:
-        description: Duration (in milliseconds) to show the popup tips, which typically indicate a successful operation.
+              labels:
-        global: True
+                description: List of available artifact types. Some of these default types have special characteristics and related functionality, built into SOC.
-      cacheExpirationMs:
+                global: True
-        description: Duration (in milliseconds) of cached data within the browser, including users and settings.
+              customEnabled:
-        global: True
+                description: Set to true to allow users add their own artifact types directly in the SOC UI.
-        advanced: True
+                global: True
-      casesEnabled:
+            category:
-        description: Set to true to enable case management in SOC.
+              labels:
-        global: True
+                description: List of available case categories.
-      inactiveTools:
+                global: True
-        description: List of external tools to remove from the SOC UI.
+              customEnabled:
-        global: True
+                description: Set to true to allow users add their own categories directly in the SOC UI.
-      tools:
+                global: True
-        description: List of available external tools visible in the SOC UI. Each tool is defined in JSON object notation, and must include the "name" key and "link" key, where the link is the tool's URL.
+            pap:
-        global: True
+              labels:
-        advanced: True
+                description: List of available PAP (Permissible Actions Protocol) values.
-      hunt: &appSettings
+                global: True
-        groupItemsPerPage:
+              customEnabled:
-          description: Default number of aggregations to show per page. Larger values consume more vertical area in the SOC UI.
+                description: Set to true to allow users add their own PAP values directly in the SOC UI.
-          global: True
+                global: True
-        groupFetchLimit:
+            severity:
-          description: Default maximum number of aggregations to retrieve per search. Larger values consume more bandwidth and server resources.
+              labels:
-          global: True
+                description: List of available case severities.
-        eventItemsPerPage:
+                global: True
-          description: Default number of items to show per page. Larger values consume more vertical area in the SOC UI.
+              customEnabled:
-          global: True
+                description: Set to true to allow users add their own severities directly in the SOC UI.
-        eventFetchLimit:
+                global: True
-          description: Default maximum number of items to retrieve per search. Larger values consume more bandwidth and server resources.
+            status:
-          global: True
+              labels:
-        relativeTimeValue:
+                description: List of available case statuses. Some statuses have specifial characteristics and related functionality built into SOC.
-          description: The duration of time to look backwards when searching for items. Used in combination with the relativeTimeUnit setting.
+                global: True
-          global: True
+              customEnabled:
-        relativeTimeUnit:
+                description: Set to true to allow users add their own case statuses directly in the SOC UI.
-          description: The unit of time for the relativeTimeValue setting. Possible values are 10 (seconds), 20 (minutes), 30 (hours), 40 (days), 50 (weeks), and 60 (months).
+                global: True
-          global: True
+            tags:
-        mostRecentlyUsedLimit:
+              labels:
-          description: Number of items to show in the most recently used queries list. Larger values cause default queries to be located further down the list.
+                description: List of available tags.
-          global: True
+                global: True
-        queries:
+              customEnabled:
-          description: List of default queries to show in the query list. Each query is represented in JSON object notation, and must include the "name" key and "query" key.
+                description: Set to true to allow users add their own tags directly in the SOC UI.
-          global: True
+                global: True
-      alerts: *appSettings
+            tlp:
-      cases: *appSettings
+              labels:
-      dashboards: *appSettings
+                description: List of available TLP (Traffic Light Protocol) values.
-      case:
+                global: True
-        analyzerNodeId:
+              customEnabled:
-          description: The node ID on which analyzers will be executed.
+                description: Set to true to allow users add their own TLP values directly in the SOC UI.
-          global: True
+                global: True
-          advanced: True
-        mostRecentlyUsedLimit:
-          description: Number of items to show in the most recently used queries list. Larger values cause default queries to be located further down the list.
-          global: True
-        renderAbbreviatedCount:
-          description: When the number of case related items exceeds this number, the middle section of the results will be hidden from view, avoiding unnecessary scrolling.
-          global: True
-          advanced: True
-        presets:
-          artifactType:
-            labels:
-              description: List of available artifact types. Some of these default types have special characteristics and related functionality, built into SOC.
-              global: True
-            customEnabled:
-              description: Set to true to allow users add their own artifact types directly in the SOC UI.
-              global: True
-          category:
-            labels:
-              description: List of available case categories.
-              global: True
-            customEnabled:
-              description: Set to true to allow users add their own categories directly in the SOC UI.
-              global: True
-          pap:
-            labels:
-              description: List of available PAP (Permissible Actions Protocol) values.
-              global: True
-            customEnabled:
-              description: Set to true to allow users add their own PAP values directly in the SOC UI.
-              global: True
-          severity:
-            labels:
-              description: List of available case severities.
-              global: True
-            customEnabled:
-              description: Set to true to allow users add their own severities directly in the SOC UI.
-              global: True
-          status:
-            labels:
-              description: List of available case statuses. Some statuses have specifial characteristics and related functionality built into SOC.
-              global: True
-            customEnabled:
-              description: Set to true to allow users add their own case statuses directly in the SOC UI.
-              global: True
-          tags:
-            labels:
-              description: List of available tags.
-              global: True
-            customEnabled:
-              description: Set to true to allow users add their own tags directly in the SOC UI.
-              global: True
-          tlp:
-            labels:
-              description: List of available TLP (Traffic Light Protocol) values.
-              global: True
-            customEnabled:
-              description: Set to true to allow users add their own TLP values directly in the SOC UI.
-              global: True

salt/soc/sostatus.sls

@@ -0,0 +1,21 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls.split('.')[0] in allowed_states %}
+
+append_so-soc_so-status.conf:
+  file.append:
+    - name: /opt/so/conf/so-status/so-status.conf
+    - text: so-soc
+    - unless: grep -q so-soc /opt/so/conf/so-status/so-status.conf
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+  test.fail_without_changes:
+    - name: {{sls}}_state_not_allowed
+
+{% endif %}