enable/disable idstools in ui

salt/idstools/config.sls

@@ -0,0 +1,42 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls.split('.')[0] in allowed_states %}
+
+include:
+  - idstools.sync_files
+
+idstoolslogdir:
+  file.directory:
+    - name: /opt/so/log/idstools
+    - user: 939
+    - group: 939
+    - makedirs: True
+
+idstools_sbin:
+  file.recurse:
+    - name: /usr/sbin
+    - source: salt://idstools/tools/sbin
+    - user: 934
+    - group: 939
+    - file_mode: 755
+
+#idstools_sbin_jinja:
+#  file.recurse:
+#    - name: /usr/sbin
+#    - source: salt://idstools/tools/sbin_jinja
+#    - user: 934
+#    - group: 939 
+#    - file_mode: 755
+#    - template: jinja
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+  test.fail_without_changes:
+    - name: {{sls}}_state_not_allowed
+
+{% endif %}

salt/idstools/defaults.yaml

@@ -1,4 +1,5 @@
 idstools:
+  enabled: False
   config:
     urls: []
     ruleset: ETOPEN
@@ -6,4 +7,4 @@ idstools:
   sids:
     enabled: []
     disabled: []
-    modify: []
+    modify: []

salt/idstools/disabled.sls

@@ -0,0 +1,31 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls.split('.')[0] in allowed_states %}
+
+include:
+  - idstools.sostatus
+  
+so-idstools:
+  docker_container.absent:
+    - force: True
+
+so-idstools_so-status.disabled:
+  file.comment:
+    - name: /opt/so/conf/so-status/so-status.conf
+    - regex: ^so-idstools$
+
+so-rule-update:
+  cron.absent:
+    - identifier: so-rule-update
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+  test.fail_without_changes:
+    - name: {{sls}}_state_not_allowed
+
+{% endif %}

salt/idstools/enabled.sls

@@ -0,0 +1,55 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls.split('.')[0] in allowed_states %}
+{%   from 'docker/docker.map.jinja' import DOCKER %}
+{%   from 'vars/globals.map.jinja' import GLOBALS %}
+{%   set proxy = salt['pillar.get']('manager:proxy') %}
+
+include:
+  - idstools.config
+  - idstools.sostatus
+
+so-idstools:
+  docker_container.running:
+    - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-idstools:{{ GLOBALS.so_version }}
+    - hostname: so-idstools
+    - user: socore
+    - networks:
+      - sobridge:
+        - ipv4_address: {{ DOCKER.containers['so-idstools'].ip }}
+    {% if proxy %}
+    - environment:
+      - http_proxy={{ proxy }}
+      - https_proxy={{ proxy }}
+      - no_proxy={{ salt['pillar.get']('manager:no_proxy') }}
+    {% endif %}
+    - binds:
+      - /opt/so/conf/idstools/etc:/opt/so/idstools/etc:ro
+      - /opt/so/rules/nids:/opt/so/rules/nids:rw
+    - watch:
+      - file: idstoolsetcsync
+
+delete_so-idstools_so-status.disabled:
+  file.uncomment:
+    - name: /opt/so/conf/so-status/so-status.conf
+    - regex: ^so-idstools$
+
+so-rule-update:
+  cron.present:
+    - name: /usr/sbin/so-rule-update > /opt/so/log/idstools/download.log 2>&1
+    - identifier: so-rule-update
+    - user: root
+    - minute: '1'
+    - hour: '7'
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+  test.fail_without_changes:
+    - name: {{sls}}_state_not_allowed
+
+{% endif %}

salt/idstools/etc/rulecat.conf

@@ -1,6 +1,5 @@
 {%- from 'vars/globals.map.jinja' import GLOBALS %}
-{%- import_yaml 'idstools/defaults.yaml' as IDSTOOLSDEFAULTS %}
-{%- set IDSTOOLSMERGED = salt['pillar.get']('idstools', IDSTOOLSDEFAULTS.idstools, merge=True) %}
+{%- from 'idstools/map.jinja' import IDSTOOLSMERGED %}
 {%- if GLOBALS.airgap is sameas true -%}
 --merged=/opt/so/rules/nids/all.rules
 --local=/opt/so/rules/nids/local.rules
@@ -35,4 +34,4 @@
 {%-   for URL in IDSTOOLSMERGED.config.urls %}
 --url={{ URL }}
 {%-   endfor %}
-{%- endif %}
+{%- endif %}

salt/idstools/init.sls

@@ -2,78 +2,12 @@
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
-{% from 'allowed_states.map.jinja' import allowed_states %}
-{% if sls in allowed_states %}
-{% from 'docker/docker.map.jinja' import DOCKER %}
-{% from 'vars/globals.map.jinja' import GLOBALS %}
-{% set proxy = salt['pillar.get']('manager:proxy') %}
+
+{% from 'idstools/map.jinja' import IDSTOOLSMERGED %}
 
 include:
-  - idstools.sync_files
-
-# IDSTools Setup
-
-idstoolslogdir:
-  file.directory:
-    - name: /opt/so/log/idstools
-    - user: 939
-    - group: 939
-    - makedirs: True
-
-idstools_sbin:
-  file.recurse:
-    - name: /usr/sbin
-    - source: salt://idstools/tools/sbin
-    - user: 934
-    - group: 939
-    - file_mode: 755
-
-#idstools_sbin_jinja:
-#  file.recurse:
-#    - name: /usr/sbin
-#    - source: salt://idstools/tools/sbin_jinja
-#    - user: 934
-#    - group: 939 
-#    - file_mode: 755
-#    - template: jinja
-
-so-rule-update:
-  cron.present:
-    - name: /usr/sbin/so-rule-update > /opt/so/log/idstools/download.log 2>&1
-    - identifier: so-rule-update
-    - user: root
-    - minute: '1'
-    - hour: '7'
-
-so-idstools:
-  docker_container.running:
-    - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-idstools:{{ GLOBALS.so_version }}
-    - hostname: so-idstools
-    - user: socore
-    - networks:
-      - sobridge:
-        - ipv4_address: {{ DOCKER.containers['so-idstools'].ip }}
-    {% if proxy %}
-    - environment:
-      - http_proxy={{ proxy }}
-      - https_proxy={{ proxy }}
-      - no_proxy={{ salt['pillar.get']('manager:no_proxy') }}
-    {% endif %}
-    - binds:
-      - /opt/so/conf/idstools/etc:/opt/so/idstools/etc:ro
-      - /opt/so/rules/nids:/opt/so/rules/nids:rw
-    - watch:
-      - file: idstoolsetcsync
-
-append_so-idstools_so-status.conf:
-  file.append:
-    - name: /opt/so/conf/so-status/so-status.conf
-    - text: so-idstools
-
+{% if IDSTOOLSMERGED.enabled %}
+  - idstools.enabled
 {% else %}
-
-{{sls}}_state_not_allowed:
-  test.fail_without_changes:
-    - name: {{sls}}_state_not_allowed
-
-{% endif%}
+  - idstools.disabled
+{% endif %}

salt/idstools/map.jinja

@@ -0,0 +1,7 @@
+{# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+   or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+   https://securityonion.net/license; you may not use this file except in compliance with the
+   Elastic License 2.0. #}
+   
+{% import_yaml 'idstools/defaults.yaml' as IDSTOOLSDEFAULTS with context %}
+{% set IDSTOOLSMERGED = salt['pillar.get']('idstools', IDSTOOLSDEFAULTS.idstools, merge=True) %}

salt/idstools/soc_idstools.yaml

@@ -1,4 +1,6 @@
 idstools:
+  enabled:
+    description: You can enable or disable IDSTools.
   config:
     oinkcode:
       description: Enter your registration/oink code for paid NIDS rulesets.

salt/idstools/sostatus.sls

@@ -0,0 +1,21 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls.split('.')[0] in allowed_states %}
+
+append_so-idstools_so-status.conf:
+  file.append:
+    - name: /opt/so/conf/so-status/so-status.conf
+    - text: so-idstools
+    - unless: grep -q so-idstools /opt/so/conf/so-status/so-status.conf
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+  test.fail_without_changes:
+    - name: {{sls}}_state_not_allowed
+
+{% endif %}

salt/manager/tools/sbin/so-minion

@@ -149,7 +149,6 @@ function add_fleet_to_minion() {
 		"  " >> $PILLARFILE
 }
 
-
 # Add IDH Services info to the minion file
 function add_idh_to_minion() {
 	printf '%s\n'\
@@ -346,6 +345,13 @@ function add_kratos_to_minion() {
 	"  " >> $PILLARFILE
 }
 
+function add_idstools_to_minion() {
+    printf '%s\n'\
+    "idstools:"\
+    "  enabled: True"\
+	"  " >> $PILLARFILE
+}
+
 function create_fleet_policy() {
 
 	JSON_STRING=$( jq -n \
@@ -404,6 +410,7 @@ function createEVAL() {
 	add_registry_to_minion
 	add_mysql_to_minion
 	add_kratos_to_minion
+	add_idstools_to_minion
 }
 
 function createSTANDALONE() {
@@ -424,6 +431,7 @@ function createSTANDALONE() {
 	add_registry_to_minion
 	add_mysql_to_minion
 	add_kratos_to_minion
+	add_idstools_to_minion
 }
 
 function createMANAGER() {
@@ -442,6 +450,7 @@ function createMANAGER() {
 	add_registry_to_minion
 	add_mysql_to_minion
 	add_kratos_to_minion
+	add_idstools_to_minion
 }
 
 function createMANAGERSEARCH() {
@@ -460,6 +469,7 @@ function createMANAGERSEARCH() {
 	add_registry_to_minion
 	add_mysql_to_minion
 	add_kratos_to_minion
+	add_idstools_to_minion
 }
 
 function createIMPORT() {
@@ -472,6 +482,7 @@ function createIMPORT() {
 	add_soc_to_minion
 	add_registry_to_minion
 	add_kratos_to_minion
+	add_idstools_to_minion
 }
 
 function createFLEET() {