Merge branch 'dev' of github.com:Security-Onion-Solutions/securityonion-saltstack into dev

pillar/logstash/master.sls

@@ -2,5 +2,6 @@ logstash:
   pipelines:
     master:
       config:
+        - so/0009_input_beats.conf      
         - so/0010_input_hhbeats.conf
         - so/9999_output_redis.conf.jinja

pillar/logstash/search.sls

@@ -5,12 +5,12 @@ logstash:
         - so/0900_input_redis.conf.jinja
         - so/9000_output_zeek.conf.jinja
         - so/9002_output_import.conf.jinja
+        - so/9034_output_syslog.conf.jinja
         - so/9100_output_osquery.conf.jinja
         - so/9400_output_suricata.conf.jinja
         - so/9500_output_beats.conf.jinja
         - so/9600_output_ossec.conf.jinja
         - so/9700_output_strelka.conf.jinja
   templates:
-    - so/so-beats-template.json
     - so/so-common-template.json
     - so/so-zeek-template.json

salt/common/init.sls

@@ -62,6 +62,7 @@ commonpkgs:
       - python3-dateutil
       - python3-m2crypto
       - python3-mysqldb
+      - git
 heldpackages:
   pkg.installed:
     - pkgs:
@@ -96,12 +97,13 @@ commonpkgs:
       - device-mapper-persistent-data
       - lvm2
       - openssl
+      - git
 
 heldpackages:
   pkg.installed:
     - pkgs:
       - containerd.io: 1.2.13-3.2.el7
-      - docker-ce: 3:19.03.9-3.el7
+      - docker-ce: 3:19.03.11-3.el7
     - hold: True
     - update_holds: True
 {% endif %}
@@ -128,4 +130,4 @@ utilsyncscripts:
     - group: 0
     - file_mode: 755
     - template: jinja
-    - source: salt://common/tools/sbin
+    - source: salt://common/tools/sbin

salt/common/tools/sbin/so-docker-refresh

@@ -0,0 +1,112 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+got_root(){
+    if [ "$(id -u)" -ne 0 ]; then
+        echo "This script must be run using sudo!"
+        exit 1
+    fi
+}
+
+master_check() {
+  # Check to see if this is a master
+  MASTERCHECK=$(cat /etc/salt/grains | grep role | awk '{print $2}')
+  if [ $MASTERCHECK == 'so-eval' ] || [ $MASTERCHECK == 'so-master' ] || [ $MASTERCHECK == 'so-mastersearch' ] || [ $MASTERCHECK == 'so-standalone' ] || [ $MASTERCHECK == 'so-helix' ]; then
+    echo "This is a master. We can proceed"
+  else
+    echo "Please run soup on the master. The master controls all updates."
+    exit 1
+  fi
+}
+
+update_docker_containers() {
+  
+  # Download the containers from the interwebs
+  for i in "${TRUSTED_CONTAINERS[@]}"
+  do
+    # Pull down the trusted docker image
+    echo "Downloading $i"
+    docker pull --disable-content-trust=false docker.io/soshybridhunter/$i
+    # Tag it with the new registry destination
+    docker tag soshybridhunter/$i $HOSTNAME:5000/soshybridhunter/$i
+    docker push $HOSTNAME:5000/soshybridhunter/$i
+  done
+  
+}
+
+version_check() {
+  if [ -f /etc/soversion ]; then
+    VERSION=$(cat /etc/soversion)
+  else
+    echo "Unable to detect version. I will now terminate."
+    exit 1
+  fi
+}
+got_root
+master_check
+version_check
+
+# Use the hostname
+HOSTNAME=$(hostname)
+BUILD=HH
+# List all the containers
+if [ $MASTERCHECK != 'so-helix' ]; then
+    TRUSTED_CONTAINERS=( \
+    "so-acng:$BUILD$VERSION" \
+    "so-thehive-cortex:$BUILD$VERSION" \
+    "so-curator:$BUILD$VERSION" \
+    "so-domainstats:$BUILD$VERSION" \
+    "so-elastalert:$BUILD$VERSION" \
+    "so-elasticsearch:$BUILD$VERSION" \
+    "so-filebeat:$BUILD$VERSION" \
+    "so-fleet:$BUILD$VERSION" \
+    "so-fleet-launcher:$BUILD$VERSION" \
+    "so-freqserver:$BUILD$VERSION" \
+    "so-grafana:$BUILD$VERSION" \
+    "so-idstools:$BUILD$VERSION" \
+    "so-influxdb:$BUILD$VERSION" \
+    "so-kibana:$BUILD$VERSION" \
+    "so-kratos:$BUILD$VERSION" \
+    "so-logstash:$BUILD$VERSION" \
+    "so-mysql:$BUILD$VERSION" \
+    "so-navigator:$BUILD$VERSION" \
+    "so-nginx:$BUILD$VERSION" \
+    "so-playbook:$BUILD$VERSION" \
+    "so-redis:$BUILD$VERSION" \
+    "so-soc:$BUILD$VERSION" \
+    "so-soctopus:$BUILD$VERSION" \
+    "so-steno:$BUILD$VERSION" \
+    "so-strelka:$BUILD$VERSION" \
+    "so-suricata:$BUILD$VERSION" \
+    "so-telegraf:$BUILD$VERSION" \
+    "so-thehive:$BUILD$VERSION" \
+    "so-thehive-es:$BUILD$VERSION" \
+    "so-wazuh:$BUILD$VERSION" \
+    "so-zeek:$BUILD$VERSION" )
+  else
+    TRUSTED_CONTAINERS=( \
+    "so-filebeat:$BUILD$VERSION" \
+    "so-idstools:$BUILD$VERSION" \
+    "so-logstash:$BUILD$VERSION" \
+    "so-nginx:$BUILD$VERSION" \
+    "so-redis:$BUILD$VERSION" \
+    "so-steno:$BUILD$VERSION" \
+    "so-suricata:$BUILD$VERSION" \
+    "so-telegraf:$BUILD$VERSION" \
+    "so-zeek:$BUILD$VERSION" )
+  fi
+
+update_docker_containers

salt/common/tools/sbin/so-fleet-setup

@@ -0,0 +1,44 @@
+#!/bin/bash
+
+#so-fleet-setup $FleetEmail $FleetPassword 
+
+if [[ $# -ne 2 ]] ; then
+      echo "Username or Password was not set - exiting now."
+      exit 1
+fi
+
+# Checking to see if required containers are started...
+if [ ! "$(docker ps -q -f name=so-fleet)" ]; then
+        echo "Starting Docker Containers..."
+        salt-call state.apply mysql queue=True >> /root/fleet-setup.log
+        salt-call state.apply fleet queue=True >> /root/fleet-setup.log
+        salt-call state.apply redis queue=True >> /root/fleet-setup.log
+fi
+
+docker exec so-fleet fleetctl config set --address https://localhost:8080 --tls-skip-verify --url-prefix /fleet
+docker exec so-fleet fleetctl setup --email $1 --password $2
+
+docker exec so-fleet fleetctl apply -f /packs/palantir/Fleet/Endpoints/MacOS/osquery.yaml
+docker exec so-fleet fleetctl apply -f /packs/palantir/Fleet/Endpoints/Windows/osquery.yaml
+docker exec so-fleet fleetctl apply -f /packs/so/so-default.yml
+docker exec so-fleet /bin/sh -c 'for pack in /packs/palantir/Fleet/Endpoints/packs/*.yaml; do fleetctl apply -f "$pack"; done'
+docker exec so-fleet fleetctl apply -f /packs/osquery-config.conf
+
+
+# Enable Fleet
+echo "Enabling Fleet..."
+salt-call state.apply fleet.event_enable-fleet queue=True >> /root/fleet-setup.log
+salt-call state.apply nginx queue=True >> /root/fleet-setup.log
+
+# Generate osquery install packages
+echo "Generating osquery install packages - this will take some time..."
+salt-call state.apply fleet.event_gen-packages queue=True >> /root/fleet-setup.log
+sleep 120
+
+echo "Installing launcher via salt..."
+salt-call state.apply fleet.install_package queue=True >> /root/fleet-setup.log
+salt-call state.apply filebeat queue=True >> /root/fleet-setup.log
+docker stop so-nginx
+salt-call state.apply nginx queue=True >> /root/fleet-setup.log
+
+echo "Fleet Setup Complete - Login with the username and password you ran the script with."

salt/common/tools/sbin/so-saltstack-update

@@ -0,0 +1,57 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+default_salt_dir=/opt/so/saltstack/default
+clone_to_tmp() {
+
+  # TODO Need to add a air gap option
+  # Make a temp location for the files
+  mkdir /tmp/sogh
+  cd /tmp/sogh
+  #git clone -b dev https://github.com/Security-Onion-Solutions/securityonion-saltstack.git
+  git clone https://github.com/Security-Onion-Solutions/securityonion-saltstack.git
+  cd /tmp
+
+}
+
+copy_new_files() {
+
+  # Copy new files over to the salt dir
+  cd /tmp/sogh/securityonion-saltstack
+  git checkout $BRANCH
+  rsync -a --exclude-from 'exclude-list.txt' salt $default_salt_dir/
+  rsync -a --exclude-from 'exclude-list.txt' pillar $default_salt_dir/
+  chown -R socore:socore $default_salt_dir/salt
+  chown -R socore:socore $default_salt_dir/pillar
+  chmod 755 $default_salt_dir/pillar/firewall/addfirewall.sh
+  rm -rf /tmp/sogh
+}
+
+got_root(){
+    if [ "$(id -u)" -ne 0 ]; then
+        echo "This script must be run using sudo!"
+        exit 1
+    fi
+}
+
+got_root
+if [ $# -ne 1 ] ; then
+  BRANCH=master
+else
+  BRANCH=$1
+fi
+clone_to_tmp
+copy_new_files

salt/curator/init.sls

@@ -89,7 +89,7 @@ curdel:
 
 so-curatorcloseddeletecron:
  cron.present:
-   - name: /usr/sbin/so-curator-closed-delete
+   - name: /usr/sbin/so-curator-closed-delete > /opt/so/log/curator/cron-closed-delete.log 2>&1
    - user: root
    - minute: '*'
    - hour: '*'
@@ -99,7 +99,7 @@ so-curatorcloseddeletecron:
 
 so-curatorclosecron:
  cron.present:
-   - name: /usr/sbin/so-curator-close
+   - name: /usr/sbin/so-curator-close > /opt/so/log/curator/cron-close.log 2>&1
    - user: root
    - minute: '*'
    - hour: '*'
@@ -109,7 +109,7 @@ so-curatorclosecron:
 
 so-curatordeletecron:
  cron.present:
-   - name: /usr/sbin/so-curator-delete
+   - name: /usr/sbin/so-curator-delete > /opt/so/log/curator/cron-delete.log 2>&1
    - user: root
    - minute: '*'
    - hour: '*'

salt/elasticsearch/files/ingest/beats.common

@@ -0,0 +1,35 @@
+{
+  "description" : "beats.common",
+  "processors" : [
+    {"community_id":   {"if": "ctx.winlog.event_data?.Protocol != null", "field":["winlog.event_data.SourceIp","winlog.event_data.SourcePort","winlog.event_data.DestinationIp","winlog.event_data.DestinationPort","winlog.event_data.Protocol"],"target_field":"network.community_id"}},    
+    { "set":           { "if": "ctx.winlog?.channel != null",   "field": "dataset", "value": "wel-{{winlog.channel}}", "override": true }  },
+    { "set":           { "if": "ctx.agent?.type != null",   "field": "module", "value": "{{agent.type}}", "override": true }  },   
+    { "set":           { "if": "ctx.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational' && ctx.event?.code == 3",   "field": "event.category", "value": "host,process,network", "override": true }  },
+    { "set":           { "if": "ctx.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational' && ctx.event?.code == 1",   "field": "event.category", "value": "host,process", "override": true }  },
+    { "rename": 	   { "field": "agent.hostname", 			            "target_field": "agent.name",		"ignore_missing": true 	} },
+    { "rename": 	   { "field": "winlog.event_data.SubjectUserName", 			  "target_field": "user.name",		"ignore_missing": true 	} },
+    { "rename": 	   { "field": "winlog.event_data.DestinationHostname", 	  "target_field": "destination.hostname",	"ignore_missing": true 	} },
+    { "rename": 	   { "field": "winlog.event_data.DestinationIp", 		      "target_field": "destination.ip",	"ignore_missing": true 	} },
+    { "rename": 	   { "field": "winlog.event_data.DestinationPort", 	      "target_field": "destination.port",	"ignore_missing": true 	} },
+    { "rename": 	   { "field": "winlog.event_data.Image", 			            "target_field": "process.executable",		"ignore_missing": true 	} },
+    { "rename": 	   { "field": "winlog.event_data.ProcessID", 			        "target_field": "process.pid",		"ignore_missing": true 	} },
+    { "rename": 	   { "field": "winlog.event_data.ProcessGuid", 			      "target_field": "process.entity_id",		"ignore_missing": true 	} },
+    { "rename": 	   { "field": "winlog.event_data.CommandLine", 			      "target_field": "process.command_line",		"ignore_missing": true 	} },
+    { "rename": 	   { "field": "winlog.event_data.CurrentDirectory", 			"target_field": "process.working_directory",		"ignore_missing": true 	} },
+    { "rename": 	   { "field": "winlog.event_data.Description", 			      "target_field": "process.pe.description",		"ignore_missing": true 	} },
+    { "rename": 	   { "field": "winlog.event_data.Product", 			          "target_field": "process.pe.product",		"ignore_missing": true 	} },
+    { "rename": 	   { "field": "winlog.event_data.OriginalFileName", 			"target_field": "process.pe.original_file_name",		"ignore_missing": true 	} },
+    { "rename": 	   { "field": "winlog.event_data.FileVersion", 			      "target_field": "process.pe.file_version",		"ignore_missing": true 	} },
+    { "rename": 	   { "field": "winlog.event_data.ParentCommandLine", 			"target_field": "process.parent.command_line",		"ignore_missing": true 	} },
+    { "rename": 	   { "field": "winlog.event_data.ParentImage", 			      "target_field": "process.parent.executable",		"ignore_missing": true 	} },
+    { "rename": 	   { "field": "winlog.event_data.ParentProcessGuid", 			"target_field": "process.parent.entity_id",		"ignore_missing": true 	} },
+    { "rename": 	   { "field": "winlog.event_data.ParentProcessId", 			  "target_field": "process.ppid",		"ignore_missing": true 	} },
+    { "rename": 	   { "field": "winlog.event_data.Protocol", 	              "target_field": "network.transport",	"ignore_missing": true 	} },
+    { "rename": 	   { "field": "winlog.event_data.User", 			            "target_field": "user.name",		"ignore_missing": true 	} },
+    { "rename": 	   { "field": "winlog.event_data.SourceHostname", 	      "target_field": "source.hostname",	"ignore_missing": true 	} },
+    { "rename": 	   { "field": "winlog.event_data.SourceIp", 		          "target_field": "source.ip",		"ignore_missing": true 	} },
+    { "rename": 	   { "field": "winlog.event_data.SourcePort", 		        "target_field": "source.port",		"ignore_missing": true 	} },   
+    { "rename": 	   { "field": "winlog.event_data.targetFilename",		      "target_field": "file.target",	"ignore_missing": true 	} },
+    { "pipeline":    { "name": "common" } }
+  ]
+}

salt/elasticsearch/files/ingest/syslog

@@ -6,6 +6,10 @@
                 "field": "message",
                 "pattern" : "%{message}",
                 "on_failure": [ { "drop" : { } } ]
+        },
+        "remove": {
+                "field": [ "type", "agent" ],
+                "ignore_failure": true
         }
     },
     { "pipeline":       { "name": "common"                                             } }

salt/filebeat/etc/filebeat.yml

@@ -75,10 +75,10 @@ filebeat.modules:
 filebeat.inputs:
 #------------------------------ Log prospector --------------------------------
 {%- if grains['role'] == 'so-sensor' or grains['role'] == "so-eval" or grains['role'] == "so-helix" or grains['role'] == "so-heavynode" or grains['role'] == "so-standalone" %}
-  - type: syslog
+
+  - type: udp
     enabled: true
-    protocol.udp:
+    host: "0.0.0.0:514"
-      host: "0.0.0.0:514"
     fields:
       module: syslog
       dataset: syslog
@@ -87,7 +87,20 @@ filebeat.inputs:
     processors:
     - drop_fields:
         fields: ["source", "prospector", "input", "offset", "beat"]
+    fields_under_root: true
 
+  - type: tcp
+    enabled: true
+    host: "0.0.0.0:514"
+    fields:
+      module: syslog
+      dataset: syslog
+    pipeline: "syslog"
+    index: "so-syslog-%{+yyyy.MM.dd}"
+    processors:
+    - drop_fields:
+        fields: ["source", "prospector", "input", "offset", "beat"]
+    fields_under_root: true
 {%- if BROVER != 'SURICATA' %}
 {%- for LOGNAME in salt['pillar.get']('brologs:enabled', '')  %}
   - type: log

salt/firewall/init.sls

@@ -6,7 +6,8 @@
 {% elif grains['role'] == 'so-sensor' %}
   {% set ip = salt['pillar.get']('sensor:mainip', '') %}
 {% elif grains['role'] == 'so-fleet' %}
-  {% set ip = salt['pillar.get']('node:mainip', '') %}
+  {% set MAININT = salt['pillar.get']('host:mainint') %}
+  {% set ip = salt['grains.get']('ip_interfaces').get(MAININT)[0] %}
 {% endif %}
 
 {% set FLEET_NODE = salt['pillar.get']('static:fleet_node') %}
@@ -366,17 +367,6 @@ enable_minions_influxdb_8086_{{ip}}:
     - position: 1
     - save: True
 
-enable_minion_osquery_8080_{{ip}}:
-  iptables.insert:
-    - table: filter
-    - chain: DOCKER-USER
-    - jump: ACCEPT
-    - proto: tcp
-    - source: {{ ip }}
-    - dport: 8080
-    - position: 1
-    - save: True
-
 enable_minion_osquery_8090_{{ip}}:
   iptables.insert:
     - table: filter
@@ -803,7 +793,7 @@ enable_fleet_osquery_8080_{{ip}}:
     - save: True
 
     
-enable_fleetnodetemp_mysql_3306_{{ip}}:
+enable_fleetnode_mysql_3306_{{ip}}:
   iptables.insert:
     - table: filter
     - chain: DOCKER-USER
@@ -814,7 +804,7 @@ enable_fleetnodetemp_mysql_3306_{{ip}}:
     - position: 1
     - save: True
 
-enable_fleettemp_osquery_8080_{{ip}}:
+enable_fleet_osquery_8080_{{ip}}:
   iptables.insert:
     - table: filter
     - chain: DOCKER-USER
@@ -858,4 +848,20 @@ enable_fleetnode_8090_{{ip}}:
 
 {% endfor %}
 
+# Make it so all the minions can talk to fleet standalone node
+{% for ip in pillar.get('minions')  %}
+
+enable_minion_fleet_standalone_8090_{{ip}}:
+  iptables.insert:
+    - table: filter
+    - chain: DOCKER-USER
+    - jump: ACCEPT
+    - proto: tcp
+    - source: {{ ip }}
+    - dport: 8090
+    - position: 1
+    - save: True
+
+{% endfor %}
+
 {% endif %}

salt/fleet/event_enable-fleet.sls

@@ -1,5 +1,6 @@
 {% set ENROLLSECRET = salt['cmd.run']('docker exec so-fleet fleetctl get enroll-secret') %}
-{%- set MAINIP = salt['pillar.get']('node:mainip') -%}
+{% set MAININT = salt['pillar.get']('host:mainint') %}
+{% set MAINIP = salt['grains.get']('ip_interfaces').get(MAININT)[0] %}
 
 so/fleet:
   event.send:

salt/fleet/event_gen-packages.sls

@@ -1,15 +1,24 @@
 {% set MASTER = salt['grains.get']('master') %}
 {% set ENROLLSECRET = salt['pillar.get']('secrets:fleet_enroll-secret') %}
 {% set CURRENTPACKAGEVERSION = salt['pillar.get']('static:fleet_packages-version') %}
+{% set VERSION = salt['pillar.get']('static:soversion') %}
+{% set CUSTOM_FLEET_HOSTNAME = salt['pillar.get']('static:fleet_custom_hostname', None) %}
+
+{% if CUSTOM_FLEET_HOSTNAME != None && CUSTOM_FLEET_HOSTNAME != '' %}
+   {% set HOSTNAME =  CUSTOM_FLEET_HOSTNAME  %}
+{% else %}
+   {% set HOSTNAME = grains.host  %}
+{% endif %}
 
 so/fleet:
   event.send:
     - data:
         action: 'genpackages'
-        hostname: {{ grains.host }}
+        package-hostname: {{ HOSTNAME }}
         role: {{ grains.role }}
         mainip: {{ grains.host }}
         enroll-secret: {{ ENROLLSECRET }}
         current-package-version: {{ CURRENTPACKAGEVERSION }}
         master: {{ MASTER }}
+        version: {{ VERSION }}
         

salt/fleet/event_update-custom-hostname.sls

@@ -0,0 +1,9 @@
+{% set CUSTOM_FLEET_HOSTNAME = salt['pillar.get']('static:fleet_custom_hostname', None) %}
+
+so/fleet:
+  event.send:
+    - data:
+        action: 'update_custom_hostname'
+        custom_hostname: {{ CUSTOM_FLEET_HOSTNAME }}
+        role: {{ grains.role }}
+        

salt/fleet/files/dedicated-index.html

@@ -1,96 +0,0 @@
-{%- set PACKAGESTS = salt['pillar.get']('static:fleet_packages-timestamp:', 'N/A') -%}
-
-<!DOCTYPE html>
-<html lang="en">
-<head>
-<title>Security Onion - Hybrid Hunter</title>
-<meta charset="utf-8">
-<meta name="viewport" content="width=device-width, initial-scale=1">
-<link rel="icon" type="image/png" href="favicon-32x32.png" sizes="32x32" />
-<link rel="icon" type="image/png" href="favicon-16x16.png" sizes="16x16" />
-<style>
-* {
-	box-sizing: border-box;
-	font-family: Arial, Helvetica, sans-serif;
-	padding-left: 30px;
-	padding-right: 30px;
-}
-
-body {
-	font-family: Arial, Helvetica, sans-serif;
-	background-color: #2a2a2a;
-
-}
-a {
-	color: #f2f2f2;
-	text-align: left;
-	padding: 0px;
-}
-
-.center-content {
-	margin: 0 auto;
-}
-
-/* Style the top navigation bar */
-.topnav {
-	overflow: hidden;
-	background-color: #333;
-	width: 1080px;
-	display: flex;
-	align-content: center;
-}
-
-/* Style the topnav links */
-.topnav a {
-	margin: auto;
-	color: #f2f2f2;
-	text-align: center;
-	padding: 14px 16px;
-	text-decoration: none;
-}
-
-/* Change color on hover */
-.topnav a:hover {
-	background-color: #ddd;
-	color: black;
-}
-
-/* Style the content */
-.content {
-	background-color: #2a2a2a;
-	padding: 10px;
-	padding-top: 20px;
-	padding-left: 60px;
-	color: #E3DBCC;
-	width: 1080px;
-}
-
-/* Style the footer */
-.footer {
-	background-color: #2a2a2a;
-	padding: 60px;
-	color: #E3DBCC;
-	width: 1080px;
-}
-</style>
-</head>
-<body>
-	<div class="center-content">
-		<div class="topnav center-content">
-			<a href="/fleet/" target="_blank">Fleet</a>
-			<a href="https://github.com/Security-Onion-Solutions/securityonion-saltstack/wiki/Configuring-Osquery-with-Security-Onion" target="_blank">Osquery/Fleet Docs</a>
-			<a href="https://www.securityonionsolutions.com" target="_blank">Security Onion Solutions</a>
-		</div>
-		  
-		<div class="content center-content">
-			<p>
-                <div style="text-align: center;">
-                    <h1>Security Onion - Dedicated Fleet Node</h1>
-				</div>
-				<br/>
-				<br/>
-			  </p>
-		  </div>
-	</div>
-</body>
-</html>

salt/fleet/files/packs/hh/hh-post-login.sh

@@ -1,13 +0,0 @@
-#!/bin/sh
-echo "Applying Post Configuration for Osquery"
-#fleetctl apply -f /packs/hh/osquery.conf
-fleetctl apply -f /packs/palantir/Fleet/Endpoints/options.yaml
-fleetctl apply -f /packs/palantir/Fleet/Endpoints/MacOS/osquery.yaml
-fleetctl apply -f /packs/palantir/Fleet/Endpoints/Windows/osquery.yaml
-fleetctl apply -f /packs/hh/hhdefault.yml
-
-for pack in /packs/palantir/Fleet/Endpoints/packs/*.yaml;
- do fleetctl apply -f "$pack"
-done
-echo ""
-echo "You can now exit the container by typing exit"

salt/fleet/files/scripts/so-fleet-packages

@@ -1,34 +0,0 @@
-#!/bin/bash
-{% set MAIN_HOSTNAME = salt['grains.get']('host') %}
-{% set MAIN_IP = salt['pillar.get']('node:mainip') %}
-
-local_salt_dir=/opt/so/saltstack/local
-
-#so-fleet-packages $FleetHostname/IP 
-
-#if [ ! "$(docker ps -q -f name=so-fleet)" ]; then
-#        echo "so-fleet container not running... Exiting..."
-#        exit 1
-#fi
-
-#docker exec so-fleet /bin/ash -c "echo {{ MAIN_IP }} {{ MAIN_HOSTNAME }} >>  /etc/hosts"
-#esecret=$(docker exec so-fleet fleetctl get enroll-secret)
-
-#Concat fleet.crt & ca.crt  - this is required for launcher connectivity
-#cat /etc/pki/fleet.crt /etc/pki/ca.crt > /etc/pki/launcher.crt
-#Actually only need to use /etc/ssl/certs/intca.crt
-
-#Create the output directory
-#mkdir /opt/so/conf/fleet/packages
-
-docker run \
-  --rm \
-  --mount type=bind,source=/opt/so/conf/fleet/packages,target=/output \
-  --mount type=bind,source=/etc/ssl/certs/intca.crt,target=/var/launcher/launcher.crt \
-  docker.io/soshybridhunter/so-fleet-launcher:HH1.1.0 "$esecret" "$1":8090
-
-cp /opt/so/conf/fleet/packages/launcher.* $local_salt_dir/salt/launcher/packages/
-
-#Update timestamp on packages webpage
-sed -i "s@.*Generated.*@Generated: $(date '+%m%d%Y')@g" /opt/so/conf/fleet/packages/index.html
-sed -i "s@.*Generated.*@Generated: $(date '+%m%d%Y')@g" $local_salt_dir/salt/fleet/files/dedicated-index.html

salt/fleet/files/scripts/so-fleet-setup

@@ -1,48 +0,0 @@
-#!/bin/bash
-{% set MAIN_HOSTNAME = salt['grains.get']('host') %}
-{% set MAIN_IP = salt['pillar.get']('node:mainip') %}
-
-#so-fleet-setup.sh $FleetEmail
-
-# Enable Fleet
-echo "Starting Docker Containers..."
-salt-call state.apply mysql queue=True >> /root/fleet-setup.log
-salt-call state.apply fleet queue=True >> /root/fleet-setup.log
-salt-call state.apply redis queue=True >> /root/fleet-setup.log
-
-if [ ! "$(docker ps -q -f name=so-fleet)" ]; then
-        echo "so-fleet container not running... Exiting..."
-        exit 1
-fi
-
-initpw=$(date +%s | sha256sum | base64 | head -c 16 ; echo)
-
-docker exec so-fleet /bin/ash -c "echo {{ MAIN_IP }} {{ MAIN_HOSTNAME }} >>  /etc/hosts"
-docker exec so-fleet fleetctl config set --address https://{{ MAIN_HOSTNAME }}:443 --tls-skip-verify --url-prefix /fleet
-docker exec so-fleet fleetctl setup --email $1 --password $initpw
-
-docker exec so-fleet fleetctl apply -f /packs/palantir/Fleet/Endpoints/MacOS/osquery.yaml
-docker exec so-fleet fleetctl apply -f /packs/palantir/Fleet/Endpoints/Windows/osquery.yaml
-docker exec so-fleet fleetctl apply -f /packs/hh/hhdefault.yml
-docker exec so-fleet /bin/sh -c 'for pack in /packs/palantir/Fleet/Endpoints/packs/*.yaml; do fleetctl apply -f "$pack"; done'
-docker exec so-fleet fleetctl apply -f /packs/hh/osquery.conf
-
-
-# Enable Fleet
-echo "Enabling Fleet..."
-salt-call state.apply fleet.event_enable-fleet queue=True >> /root/fleet-setup.log
-salt-call state.apply nginx queue=True >> /root/fleet-setup.log
-
-# Generate osquery install packages
-echo "Generating osquery install packages - this will take some time..."
-salt-call state.apply fleet.event_gen-packages queue=True >> /root/fleet-setup.log
-sleep 120
-
-echo "Installing launcher via salt..."
-salt-call state.apply fleet.install_package queue=True >> /root/fleet-setup.log
-salt-call state.apply filebeat queue=True >> /root/fleet-setup.log
-docker stop so-nginx
-salt-call state.apply nginx queue=True >> /root/fleet-setup.log
-
-echo "Fleet Setup Complete - Login here: https://{{ MAIN_HOSTNAME }}"
-echo "Your username is $2 and your password is $initpw"

salt/fleet/init.sls

@@ -3,12 +3,11 @@
 {%- set FLEETJWT = salt['pillar.get']('secrets:fleet_jwt', None) -%}
 {% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %}
 {% set MASTER = salt['grains.get']('master') %}
-{% set MAINIP = salt['pillar.get']('node:mainip') %}
 {% set FLEETARCH = salt['grains.get']('role') %}
 
-
 {% if FLEETARCH == "so-fleet" %}
-  {% set MAINIP = salt['pillar.get']('node:mainip') %}
+  {% set MAININT = salt['pillar.get']('host:mainint') %}
+  {% set MAINIP = salt['grains.get']('ip_interfaces').get(MAININT)[0] %}
 {% else %}
   {% set MAINIP = salt['pillar.get']('static:masterip') %}
 {% endif %}
@@ -16,14 +15,6 @@
 include:
   - mysql
 
-#{% if grains.id.split('_')|last in ['master', 'eval', 'fleet'] %}
-#so/fleet:
-#  event.send:
-#    - data:
-#        action: 'enablefleet'
-#        hostname: {{ grains.host }}
-#{% endif %}
-
 # Fleet Setup
 fleetcdir:
   file.directory:
@@ -67,21 +58,6 @@ fleetlogdir:
     - group: 939
     - makedirs: True
 
-fleetsetupscripts:
-  file.recurse:
-    - name: /usr/sbin
-    - user: 0
-    - group: 0
-    - file_mode: 755
-    - template: jinja
-    - source: salt://fleet/files/scripts
-
-osquerypackageswebpage:
-  file.managed:
-    - name: /opt/so/conf/fleet/packages/index.html
-    - source: salt://fleet/files/dedicated-index.html
-    - template: jinja
-
 fleetdb:
   mysql_database.present:
     - name: fleet

salt/idstools/init.sls

@@ -39,7 +39,7 @@ idstoolsetcsync:
 
 so-ruleupdatecron:
   cron.present:
-    - name: /usr/sbin/so-rule-update.sh > /opt/so/log/idstools/download.log
+    - name: /usr/sbin/so-rule-update > /opt/so/log/idstools/download.log 2>&1
     - user: root
     - minute: '1'
     - hour: '7'

salt/logstash/pipelines/config/so/0009_input_beats.conf

@@ -0,0 +1,6 @@
+input {
+  beats {
+    port => "5044"
+    tags => [ "beat-ext" ]
+  }
+}

salt/logstash/pipelines/config/so/9034_output_syslog.conf.jinja

@@ -3,24 +3,21 @@
 {%- else %}
 {%- set ES = salt['pillar.get']('node:mainip', '') -%}
 {%- endif %}
-# Author: Justin Henderson
-#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
-# Updated by: Doug Burks
-# Last Update: 5/15/2017
 
 filter {
-  if "syslog" in [tags] and "test_data" not in [tags] {
+  if [module] =~ "syslog" {
     mutate {
-	  ##add_tag => [ "conf_file_9034"]
+          ##add_tag => [ "conf_file_9000"]
-	}
+        }
   }
 }
 output {
-  if "syslog" in [tags] and "test_data" not in [tags] {
+  if [module] =~ "syslog" {
     elasticsearch {
+      pipeline => "%{module}"
       hosts => "{{ ES }}"
       index => "so-syslog-%{+YYYY.MM.dd}"
-      template_name => "logstash"
+      template_name => "so-common"
       template => "/so-common-template.json"
       template_overwrite => true
     }

salt/logstash/pipelines/config/so/9500_output_beats.conf.jinja

@@ -3,22 +3,15 @@
 {%- else %}
 {%- set ES = salt['pillar.get']('node:mainip', '') -%}
 {%- endif %}
-# Author: Wes Lambert
+
-# Last Update: 09/14/2018
-filter {
-  if "beat" in [tags] {
-    mutate {
-          ##add_tag => [ "conf_file_9500"]
-        }
-  }
-}
 output {
-  if "beat" in [tags] {
+  if "beat-ext" in [tags] {
     elasticsearch {
+      pipeline => "beats.common" 
       hosts => "{{ ES }}"
       index => "so-beats-%{+YYYY.MM.dd}"
-      template_name => "so-beats"
+      template_name => "so-common"
-      template => "/so-beats-template.json"
+      template => "/so-common-template.json"
       template_overwrite => true
     }
   }

salt/master/init.sls

@@ -61,6 +61,7 @@ so-aptcacherng:
   docker_container.running:
     - image: {{ MASTER }}:5000/soshybridhunter/so-acng:{{ VERSION }}
     - hostname: so-acng
+    - restart_policy: always
     - port_bindings:
       - 0.0.0.0:3142:3142
     - binds:

salt/mysql/init.sls

@@ -6,7 +6,8 @@
 {% set FLEETARCH = salt['grains.get']('role') %}
 
 {% if FLEETARCH == "so-fleet" %}
-  {% set MAINIP = salt['pillar.get']('node:mainip') %}
+  {% set MAININT = salt['pillar.get']('host:mainint') %}
+  {% set MAINIP = salt['grains.get']('ip_interfaces').get(MAININT)[0] %}
 {% else %}
   {% set MAINIP = salt['pillar.get']('static:masterip') %}
 {% endif %}

salt/nginx/etc/nginx.conf.so-eval

@@ -136,7 +136,7 @@ http {
           proxy_set_header      X-Forwarded-Proto $scheme;
         }
 
-        location ~ ^/auth/.*?(whoami|login|logout) {
+        location ~ ^/auth/.*?(whoami|login|logout|settings) {
           rewrite               /auth/(.*) /$1 break;
           proxy_pass            http://{{ masterip }}:4433;
           proxy_read_timeout    90;

salt/nginx/etc/nginx.conf.so-fleet

@@ -1,4 +1,6 @@
-{%- set MAINIP = salt['pillar.get']('node:mainip', '') %}
+{% set MAININT = salt['pillar.get']('host:mainint') %}
+{% set MAINIP = salt['grains.get']('ip_interfaces').get(MAININT)[0] %}
+
 # For more information on configuration, see:
 #   * Official English Documentation: http://nginx.org/en/docs/
 #   * Official Russian Documentation: http://nginx.org/ru/docs/

salt/nginx/etc/nginx.conf.so-master

@@ -136,7 +136,7 @@ http {
           proxy_set_header      X-Forwarded-Proto $scheme;
         }
 
-        location ~ ^/auth/.*?(whoami|login|logout) {
+        location ~ ^/auth/.*?(whoami|login|logout|settings) {
           rewrite               /auth/(.*) /$1 break;
           proxy_pass            http://{{ masterip }}:4433;
           proxy_read_timeout    90;

salt/nginx/etc/nginx.conf.so-mastersearch

@@ -136,7 +136,7 @@ http {
           proxy_set_header      X-Forwarded-Proto $scheme;
         }
 
-        location ~ ^/auth/.*?(whoami|login|logout) {
+        location ~ ^/auth/.*?(whoami|login|logout|settings) {
           rewrite               /auth/(.*) /$1 break;
           proxy_pass            http://{{ masterip }}:4433;
           proxy_read_timeout    90;

salt/nginx/etc/nginx.conf.so-standalone

@@ -136,7 +136,7 @@ http {
           proxy_set_header      X-Forwarded-Proto $scheme;
         }
 
-        location ~ ^/auth/.*?(whoami|login|logout) {
+        location ~ ^/auth/.*?(whoami|login|logout|settings) {
           rewrite               /auth/(.*) /$1 break;
           proxy_pass            http://{{ masterip }}:4433;
           proxy_read_timeout    90;

salt/playbook/init.sls

@@ -86,15 +86,22 @@ so-playbook:
 
 {% endif %}
 
+playbooklogdir:
+  file.directory:
+    - name: /opt/so/log/playbook
+    - user: 939
+    - group: 939
+    - makedirs: True
+
 so-playbooksynccron:
   cron.present:
-    - name: /usr/sbin/so-playbook-sync
+    - name: /usr/sbin/so-playbook-sync > /opt/so/log/playbook/sync.log 2>&1
     - user: root
     - minute: '*/5'
 
 so-playbookruleupdatecron:
   cron.present:
-    - name: /usr/sbin/so-playbook-ruleupdate
+    - name: /usr/sbin/so-playbook-ruleupdate > /opt/so/log/playbook/update.log 2>&1
     - user: root
     - minute: '1'
     - hour: '6'

salt/reactor/fleet.sls

@@ -9,19 +9,19 @@ import subprocess
 def run():
   MINIONID = data['id']
   ACTION = data['data']['action']
-  HOSTNAME = data['data']['hostname']
-  ROLE = data['data']['role']
-  ESECRET = data['data']['enroll-secret']
-  MAINIP = data['data']['mainip']
   local_salt_dir = /opt/so/saltstack/local
   STATICFILE = local_salt_dir + '/pillar/static.sls'
   SECRETSFILE = local_salt_dir + '/pillar/secrets.sls'
 
-  if MINIONID.split('_')[-1] in ['master','eval','fleet','mastersearch']:
+  if MINIONID.split('_')[-1] in ['master','eval','fleet','mastersearch','standalone']:
-    
     if ACTION == 'enablefleet':
       logging.info('so/fleet enablefleet reactor')
 
+      ESECRET = data['data']['enroll-secret']
+      MAINIP = data['data']['mainip']
+      ROLE = data['data']['role']
+      HOSTNAME = data['data']['hostname']
+
       # Enable Fleet
       for line in fileinput.input(STATICFILE, inplace=True):
         if ROLE == 'so-fleet':
@@ -49,15 +49,18 @@ def run():
       logging.info('so/fleet genpackages reactor')
 
       PACKAGEVERSION = data['data']['current-package-version']
+      PACKAGEHOSTNAME = data['data']['package-hostname']
       MASTER = data['data']['master']
+      VERSION = data['data']['version']
+      ESECRET = data['data']['enroll-secret']
       
       # Increment the package version by 1
       PACKAGEVERSION += 1
 
       # Run Docker container that will build the packages
-      gen_packages = subprocess.run(["docker", "run","--rm", "--mount", "type=bind,source=" + local_salt_dir + "/salt/fleet/packages,target=/output", \
+      gen_packages = subprocess.run(["docker", "run","--rm", "--mount", "type=bind,ssource=" + local_salt_dir + "/salt/fleet/packages,target=/output", \
-         "--mount", "type=bind,source=/etc/ssl/certs/intca.crt,target=/var/launcher/launcher.crt", f"{ MASTER }:5000/soshybridhunter/so-fleet-launcher:HH1.3.0", \
+         "--mount", "type=bind,source=/etc/ssl/certs/intca.crt,target=/var/launcher/launcher.crt", f"{ MASTER }:5000/soshybridhunter/so-fleet-launcher:{ VERSION }", \
-         f"{ESECRET}", f"{HOSTNAME}:8090", f"{PACKAGEVERSION}.1.1"], stdout=subprocess.PIPE, encoding='ascii')  
+         f"{ESECRET}", f"{PACKAGEHOSTNAME}:8090", f"{PACKAGEVERSION}.1.1"], stdout=subprocess.PIPE, encoding='ascii')  
       
       # Update the 'packages-built' timestamp on the webpage (stored in the static pillar)
       for line in fileinput.input(STATICFILE, inplace=True):
@@ -70,6 +73,16 @@ def run():
         print(line)
 
       # Copy over newly-built packages
-      copy_packages = subprocess.run(["salt-call", "state.apply","fleet"], stdout=subprocess.PIPE, encoding='ascii')      
+      copy_packages = subprocess.run(["salt-call", "state.apply","fleet"], stdout=subprocess.PIPE, encoding='ascii')    
+
+    if ACTION == 'update_custom_hostname':
+      logging.info('so/fleet update_custom_hostname reactor')
+
+      CUSTOMHOSTNAME = data['data']['custom_hostname']
+      
+        # Update the Fleet host in the static pillar
+      for line in fileinput.input(STATICFILE, inplace=True):
+        line = re.sub(r'fleet_custom_hostname: \S*', f"fleet_custom_hostname: {CUSTOMHOSTNAME}", line.rstrip())
+        print(line)  
 
   return {}

salt/registry/init.sls

@@ -42,6 +42,7 @@ so-dockerregistry:
   docker_container.running:
     - image: registry:2
     - hostname: so-registry
+    - restart_policy: always
     - port_bindings:
       - 0.0.0.0:5000:5000
     - binds:

salt/sensoroni/files/sensoroni.json

@@ -1,25 +0,0 @@
-{%- set MASTERIP = salt['pillar.get']('static:masterip', '') -%}
-{%- set SENSORONIKEY = salt['pillar.get']('static:sensoronikey', '') -%}
-{
-  "logFilename": "/opt/sensoroni/logs/sensoroni-server.log",
-  "server": {
-    "bindAddress": "0.0.0.0:9822",
-    "maxPacketCount": 5000,
-    "htmlDir": "html",
-    "modules": {
-      "filedatastore": {
-        "jobDir": "jobs"
-      },
-      "securityonion": {
-        "elasticsearchHost": "http://{{ MASTERIP }}:9200",
-        "elasticsearchUsername": "",
-        "elasticsearchPassword": "",
-        "elasticsearchVerifyCert": false
-      },
-      "statickeyauth": {
-        "anonymousCidr": "172.17.0.0/24",
-        "apiKey": "{{ SENSORONIKEY }}"
-      }
-    }
-  }
-}

salt/sensoroni/init.sls

@@ -1,45 +0,0 @@
-{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %}
-{% set MASTER = salt['grains.get']('master') %}
-
-sensoronidir:
-  file.directory:
-    - name: /opt/so/conf/sensoroni
-    - user: 939
-    - group: 939
-    - makedirs: True
-
-sensoronidatadir:
-  file.directory:
-    - name: /nsm/sensoroni/jobs
-    - user: 939
-    - group: 939
-    - makedirs: True
-
-sensoronilogdir:
-  file.directory:
-    - name: /opt/so/log/sensoroni
-    - user: 939
-    - group: 939
-    - makedirs: True
-
-sensoronisync:
-  file.recurse:
-    - name: /opt/so/conf/sensoroni
-    - source: salt://sensoroni/files
-    - user: 939
-    - group: 939
-    - template: jinja
-
-so-sensoroni:
-  docker_container.running:
-    - image: {{ MASTER }}:5000/soshybridhunter/so-sensoroni:{{ VERSION }}
-    - hostname: sensoroni
-    - name: so-sensoroni
-    - binds:
-      - /nsm/sensoroni/jobs:/opt/sensoroni/jobs:rw
-      - /opt/so/conf/sensoroni/sensoroni.json:/opt/sensoroni/sensoroni.json:ro
-      - /opt/so/log/sensoroni/:/opt/sensoroni/logs/:rw
-    - port_bindings:
-      - 0.0.0.0:9822:9822
-    - watch:
-      - file: /opt/so/conf/sensoroni

salt/soc/files/kratos/kratos.yaml

@@ -42,7 +42,7 @@ urls:
   login_ui: https://{{ WEBACCESS }}/login/
   registration_ui: https://{{ WEBACCESS }}/login/
   error_ui: https://{{ WEBACCESS }}/login/
-  settings_ui: https://{{ WEBACCESS }}/
+  settings_ui: https://{{ WEBACCESS }}/?r=/settings
   verify_ui: https://{{ WEBACCESS }}/
   mfa_ui: https://{{ WEBACCESS }}/
 

salt/ssl/init.sls

@@ -1,9 +1,11 @@
 {% set master = salt['grains.get']('master') %}
 {% set masterip = salt['pillar.get']('static:masterip', '') %}
 {% set HOSTNAME = salt['grains.get']('host') %}
-{% set MAINIP = salt['pillar.get']('node:mainip') %}
 {% set global_ca_text = [] %}
 {% set global_ca_server = [] %}
+{% set MAININT = salt['pillar.get']('host:mainint') %}
+{% set MAINIP = salt['grains.get']('ip_interfaces').get(MAININT)[0] %}
+{% set CUSTOM_FLEET_HOSTNAME = salt['pillar.get']('static:fleet_custom_hostname', None) %}
 
 {% if grains.id.split('_')|last in ['master', 'eval', 'standalone'] %}
     {% set trusttheca_text =  salt['mine.get'](grains.id, 'x509.get_pem_entries')[grains.id]['/etc/pki/ca.crt']|replace('\n', '') %}
@@ -200,6 +202,7 @@ chownfilebeatp8:
     - signing_policy: masterssl
     - public_key: /etc/pki/masterssl.key
     - CN: {{ HOSTNAME }}
+    - subjectAltName: DNS:{{ HOSTNAME }}, IP:{{ MAINIP }} {% if CUSTOM_FLEET_HOSTNAME != None %},DNS:{{ CUSTOM_FLEET_HOSTNAME }} {% endif %}
     - days_remaining: 0
     - days_valid: 820
     - backup: True
@@ -222,7 +225,7 @@ chownfilebeatp8:
   x509.certificate_managed:
     - signing_private_key: /etc/pki/fleet.key
     - CN: {{ HOSTNAME }}
-    - subjectAltName: DNS:{{ HOSTNAME }}, IP:{{ MAINIP }}
+    - subjectAltName: DNS:{{ HOSTNAME }}, IP:{{ MAINIP }} {% if CUSTOM_FLEET_HOSTNAME != None %},DNS:{{ CUSTOM_FLEET_HOSTNAME }} {% endif %}
     - days_remaining: 0
     - days_valid: 820
     - backup: True

salt/wazuh/init.sls

@@ -80,11 +80,6 @@ wazuhmgrwhitelist:
     - mode: 755
     - template: jinja
 
-wazuhagentservice:
-  service.running:
-    - name: wazuh-agent
-    - enable: True
-
 so-wazuh:
   docker_container.running:
     - image: {{ MASTER }}:5000/soshybridhunter/so-wazuh:{{ VERSION }}
@@ -110,3 +105,8 @@ whitelistmanager:
   cmd.run:
     - name: /usr/sbin/wazuh-manager-whitelist
     - cwd: /
+
+wazuhagentservice:
+  service.running:
+    - name: wazuh-agent
+    - enable: True

salt/zeek/cron/packetloss.sh

@@ -1,2 +1,2 @@
 #!/bin/bash
-/usr/bin/docker exec so-zeek /opt/zeek/bin/zeekctl netstats | awk '{print $(NF-2),$(NF-1),$NF}' | awk -F '[ =]' '{RCVD += $2;DRP += $4;TTL += $6} END { print "rcvd: " RCVD, "dropped: " DRP, "total: " TTL}' >> /nsm/zeek/logs/packetloss.log
+/usr/bin/docker exec so-zeek /opt/zeek/bin/zeekctl netstats | awk '{print $(NF-2),$(NF-1),$NF}' | awk -F '[ =]' '{RCVD += $2;DRP += $4;TTL += $6} END { print "rcvd: " RCVD, "dropped: " DRP, "total: " TTL}' >> /nsm/zeek/logs/packetloss.log 2>&1

setup/so-functions

@@ -258,6 +258,10 @@ check_soremote_pass() {
 	check_pass_match "$SOREMOTEPASS1" "$SOREMOTEPASS2" "SCMATCH"
 }
 
+check_fleet_node_pass() {
+	check_pass_match "$FLEETNODEPASSWD1" "$FLEETNODEPASSWD2" "FPMATCH"
+}
+
 check_web_pass() {
 	check_pass_match "$WEBPASSWD1" "$WEBPASSWD2" "WPMATCH"
 }
@@ -295,6 +299,30 @@ collect_adminuser_inputs() {
 	done
 }
 
+collect_fleet_custom_hostname_inputs() {
+	whiptail_fleet_custom_hostname
+}
+
+collect_fleetuser_inputs() {
+	# Get a username & password for the Fleet admin user
+	local valid_user=no
+	while [[ $valid_user != yes ]]; do
+		whiptail_create_fleet_node_user		
+		if so-user valemail "$FLEETNODEUSER" >> "$setup_log" 2>&1; then
+			valid_user=yes
+		else
+			whiptail_invalid_user_warning
+		fi
+	done
+
+	FPMATCH=no
+	while [[ $FPMATCH != yes ]]; do
+		whiptail_create_fleet_node_user_password1
+		whiptail_create_fleet_node_user_password2
+		check_fleet_node_pass
+	done
+}
+
 
 collect_webuser_inputs() {
 	# Get a password for the web admin user
@@ -390,6 +418,7 @@ check_requirements() {
 		req_mem=8
 		req_cores=4
 		if [[ "$node_type" == 'sensor' ]]; then req_nics=2; else req_nics=1; fi
+		if [[ "$node_type" == 'fleet' ]]; then req_mem=4; fi
 	fi
 
 	if [[ $num_nics -lt $req_nics ]]; then
@@ -585,14 +614,18 @@ disable_misc_network_features() {
 	filter_unused_nics
 	if [ ${#filtered_nics[@]} -ne 0 ]; then
 		for unused_nic in "${filtered_nics[@]}"; do
-			# Disable DHCPv4/v6 and autoconnect
+			if [ -n "$unused_nic" ]; then
-			nmcli con mod "$unused_nic" \
+				echo "Disabling unused NIC: $unused_nic" >> "$setup_log" 2>&1
-				ipv4.method disabled \
-				ipv6.method ignore \
-				connection.autoconnect "no" >> "$setup_log" 2>&1
 
-			# Flush any existing IPs
+				# Disable DHCPv4/v6 and autoconnect
-			ip addr flush "$unused_nic" >> "$setup_log" 2>&1
+				nmcli con mod "$unused_nic" \
+					ipv4.method disabled \
+					ipv6.method ignore \
+					connection.autoconnect "no" >> "$setup_log" 2>&1
+
+				# Flush any existing IPs
+				ip addr flush "$unused_nic" >> "$setup_log" 2>&1
+			fi
 		done
 	fi
 	# Disable IPv6
@@ -609,9 +642,9 @@ docker_install() {
 		{
 			yum clean expire-cache;
 			yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo;
-			yum -y install docker-ce-19.03.9-3.el7 containerd.io-1.2.6-3.el7;
+			yum -y install docker-ce-19.03.11-3.el7 containerd.io-1.2.13-3.2.el7;
-			yum versionlock docker-ce-19.03.9-3.el7;
+			yum versionlock docker-ce-19.03.11-3.el7;
-			yum versionlock containerd.io-1.2.6-3.el7
+			yum versionlock containerd.io-1.2.13-3.2.el7
 		} >> "$setup_log" 2>&1
 		
 	else
@@ -812,6 +845,17 @@ get_minion_type() {
 	echo "$minion_type"
 }
 
+host_pillar() {
+
+	local pillar_file="$temp_install_dir"/pillar/minions/"$MINION_ID".sls
+
+	# Create the host pillar
+	printf '%s\n'\
+		"host:"\
+		"  mainint: $MNIC"\
+		"" > "$pillar_file"
+}
+
 install_cleanup() {
 	echo "Installer removing the following files:"
 	ls -lR "$temp_install_dir"
@@ -904,6 +948,7 @@ master_static() {
 		"  cortexorgname: SecurityOnion"\
 		"  cortexorguser: soadmin"\
 		"  cortexorguserkey: $CORTEXORGUSERKEY"\
+		"  fleet_custom_hostname: "\
 		"  fleet_master: False"\
 		"  fleet_node: False"\
 		"  fleet_packages-timestamp: N/A"\
@@ -1213,7 +1258,7 @@ salt_checkin() {
 
 # Run a salt command to generate the minion key
 salt_firstcheckin() {
-	salt-call state.show_top >> /dev/null # send output to /dev/null because we don't actually care about the ouput
+	salt-call state.show_top >> /dev/null 2>&1 # send output to /dev/null because we don't actually care about the ouput
 }
 
 set_base_heapsizes() {

setup/so-setup

@@ -145,6 +145,7 @@ elif [ "$install_type" = 'HEAVYNODE' ]; then
 	is_sensor=true
 elif [ "$install_type" = 'FLEET' ]; then
 	is_minion=true
+	is_fleet_standalone=true
 	OSQUERY=1
 elif [ "$install_type" = 'HELIXSENSOR' ]; then
 	is_helix=true
@@ -152,10 +153,12 @@ fi
 
 if [[ $is_eval ]]; then
 	check_requirements "eval"
-elif [[ $is_distmaster || $is_minion ]]; then
+elif [[ $is_fleet_standalone ]]; then
-	check_requirements "dist"
+	check_requirements "dist" "fleet"
 elif [[ $is_sensor && ! $is_eval ]]; then
 	check_requirements "dist" "sensor"
+elif [[ $is_distmaster || $is_minion ]]; then
+	check_requirements "dist"
 fi
 
 whiptail_patch_schedule
@@ -256,7 +259,7 @@ if [[ $is_master ]]; then
 	get_redirect
 fi
 
-if [[ $is_distmaster || ( $is_sensor || $is_node ) && ! $is_eval ]]; then
+if [[ $is_distmaster || ( $is_sensor || $is_node || $is_fleet_standalone ) && ! $is_eval ]]; then
 	whiptail_master_updates
 	if [[ $setup_type == 'network' && $MASTERUPDATES == 1 ]]; then
 		whiptail_master_updates_warning
@@ -305,6 +308,14 @@ if [[ $is_node && ! $is_eval ]]; then
 	fi
 fi
 
+if [ "$install_type" == 'FLEET' ]; then
+	collect_fleetuser_inputs
+	collect_fleet_custom_hostname_inputs
+else
+	FLEETNODEUSER=$WEBUSER
+	FLEETNODEPASSWD1=$WEBPASSWD1
+fi
+
 whiptail_make_changes
 
 if [[ -n "$TURBO" ]]; then
@@ -341,6 +352,10 @@ if [[ $is_minion ]]; then
 	copy_ssh_key >> $setup_log 2>&1
 fi
 
+if [[ $is_fleet_standalone ]]; then
+	host_pillar >> $setup_log 2>&1
+fi
+
 # Begin install
 {
 	# Set initial percentage to 0
@@ -500,11 +515,24 @@ fi
 	fi
 	
 	if [[ "$OSQUERY" = 1 ]]; then
+		set_progress_str 73 "$(print_salt_state_apply 'mysql')"
+		salt-call state.apply -l info mysql >> $setup_log 2>&1
+
 		set_progress_str 73 "$(print_salt_state_apply 'fleet')"
 		salt-call state.apply -l info fleet >> $setup_log 2>&1
 
-		set_progress_str 74 "$(print_salt_state_apply 'redis')"
+		set_progress_str 73 "$(print_salt_state_apply 'redis')"
 		salt-call state.apply -l info redis >> $setup_log 2>&1
+
+		if [[ $is_fleet_standalone && $FLEETCUSTOMHOSTNAME != '' ]]; then
+			set_progress_str 73 "$(print_salt_state_apply 'fleet.event_update-custom-hostname')"
+			pillar_override="{\"static\":{\"fleet_custom_hostname\": \"$FLEETCUSTOMHOSTNAME\"}}"
+			salt-call state.apply -l info fleet.event_update-custom-hostname pillar="$pillar_override" >> $setup_log 2>&1
+		fi
+	
+		set_progress_str 74 "$(print_salt_state_apply 'so-fleet-setup')"	
+		so-fleet-setup $FLEETNODEUSER $FLEETNODEPASSWD1 >> $setup_log 2>&1
+
 	fi
 
 	if [[ "$WAZUH" = 1 ]]; then

setup/so-whiptail

@@ -24,7 +24,7 @@ whiptail_basic_bro() {
 	[ -n "$TESTING" ] && return
 
 	BASICBRO=$(whiptail --title "Security Onion Setup" --inputbox \
-	"Enter the number of bro processes:" 10 75 "$lb_procs" 3>&1 1>&2 2>&3)
+	"Enter the number of zeek processes:" 10 75 "$lb_procs" 3>&1 1>&2 2>&3)
 
 	local exitstatus=$?
 	whiptail_check_exitstatus $exitstatus
@@ -51,7 +51,7 @@ whiptail_bro_pins() {
 		cpu_core_list_whiptail+=("$item" "OFF")
 	done
 
-	BROPINS=$(whiptail --noitem --title "Pin Bro CPUS" --checklist "Please select $lb_procs cores to pin Bro to:" 20 75 12 "${cpu_core_list_whiptail[@]}" 3>&1 1>&2 2>&3 )
+	BROPINS=$(whiptail --noitem --title "Pin Zeek CPUS" --checklist "Please select $lb_procs cores to pin Zeek to:" 20 75 12 "${cpu_core_list_whiptail[@]}" 3>&1 1>&2 2>&3 )
 	local exitstatus=$?
 	whiptail_check_exitstatus $exitstatus
 
@@ -165,6 +165,38 @@ whiptail_create_admin_user_password2() {
 
 }
 
+whiptail_create_fleet_node_user() {
+
+	[ -n "$TESTING" ] && return
+
+	FLEETNODEUSER=$(whiptail --title "Security Onion Install" --inputbox \
+	"Please enter an email for use as the username for the Fleet admin user." 10 60 3>&1 1>&2 2>&3)
+
+}
+
+whiptail_create_fleet_node_user_password1() {
+
+	[ -n "$TESTING" ] && return
+
+	FLEETNODEPASSWD1=$(whiptail --title "Security Onion Install" --passwordbox \
+	"Enter a password for $FLEETNODEUSER" 10 60 3>&1 1>&2 2>&3)
+
+	local exitstatus=$?
+	whiptail_check_exitstatus $exitstatus
+}
+
+whiptail_create_fleet_node_user_password2() {
+
+	[ -n "$TESTING" ] && return
+
+	FLEETNODEPASSWD2=$(whiptail --title "Security Onion Install" --passwordbox \
+	"Re-enter a password for $FLEETNODEUSER" 10 60 3>&1 1>&2 2>&3)
+
+	local exitstatus=$?
+	whiptail_check_exitstatus $exitstatus
+
+}
+
 whiptail_create_soremote_user() {
 
 	[ -n "$TESTING" ] && return
@@ -238,6 +270,19 @@ whiptail_create_web_user_password2() {
 
 }
 
+whiptail_fleet_custom_hostname() {
+
+	[ -n "$TESTING" ] && return
+
+	FLEETCUSTOMHOSTNAME=$(whiptail --title "Security Onion Install" --inputbox \
+	"What FQDN should osquery clients use for connections to this Fleet node? Leave blank if the local system hostname will be used." 10 60 3>&1 1>&2 2>&3)
+
+	local exitstatus=$?
+	whiptail_check_exitstatus $exitstatus
+}
+
+
+
 whiptail_requirements_error() {
 
 	local requirement_needed=$1