From 65334d15ea1cf806b2482ace2d511370053f55a8 Mon Sep 17 00:00:00 2001
From: m0duspwnens <josh.patterson@securityonionsolutions.com>
Date: Tue, 24 Nov 2020 09:33:38 -0500
Subject: [PATCH 1/4] 
 https://github.com/Security-Onion-Solutions/securityonion/issues/2040

---
 salt/pcap/init.sls                            | 42 -------------------
 salt/{pcap => sensoroni}/files/sensoroni.json |  5 ++-
 salt/sensoroni/init.sls                       | 41 ++++++++++++++++++
 salt/top.sls                                  |  1 +
 setup/so-functions                            | 13 +++++-
 setup/so-setup                                |  1 +
 6 files changed, 59 insertions(+), 44 deletions(-)
 rename salt/{pcap => sensoroni}/files/sensoroni.json (76%)
 create mode 100644 salt/sensoroni/init.sls

diff --git a/salt/pcap/init.sls b/salt/pcap/init.sls
index 5a13c1231..e98bbecf5 100644
--- a/salt/pcap/init.sls
+++ b/salt/pcap/init.sls
@@ -45,13 +45,6 @@ stenoconfdir:
     - group: 939
     - makedirs: True
 
-sensoroniconfdir:
-  file.directory:
-    - name: /opt/so/conf/sensoroni
-    - user: 939
-    - group: 939
-    - makedirs: True
-
 {% if BPF_STENO %}
    {% set BPF_CALC = salt['cmd.script']('/usr/sbin/so-bpf-compile', INTERFACE + ' ' + BPF_STENO|join(" "),cwd='/root') %}
    {% if BPF_CALC['stderr'] == "" %}
@@ -77,15 +70,6 @@ stenoconf:
     - defaults:
         BPF_COMPILED: "{{ BPF_COMPILED }}"
 
-sensoroniagentconf:
-  file.managed:
-    - name: /opt/so/conf/sensoroni/sensoroni.json
-    - source: salt://pcap/files/sensoroni.json
-    - user: 939
-    - group: 939
-    - mode: 600
-    - template: jinja
-
 stenoca:
   file.directory:
     - name: /opt/so/conf/steno/certs
@@ -127,13 +111,6 @@ stenolog:
     - group: 941
     - makedirs: True
 
-sensoronilog:
-  file.directory:
-    - name: /opt/so/log/sensoroni
-    - user: 939
-    - group: 939
-    - makedirs: True
-
 so-steno:
   docker_container.{{ STENOOPTIONS.status }}:
     - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-steno:{{ VERSION }}
@@ -170,25 +147,6 @@ so-steno_so-status.disabled:
     - regex: ^so-steno$
   {% endif %}
 
-so-sensoroni:
-  docker_container.running:
-    - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-soc:{{ VERSION }}
-    - network_mode: host
-    - binds:
-      - /opt/so/conf/steno/certs:/etc/stenographer/certs:rw
-      - /nsm/pcap:/nsm/pcap:rw
-      - /nsm/import:/nsm/import:rw
-      - /nsm/pcapout:/nsm/pcapout:rw
-      - /opt/so/conf/sensoroni/sensoroni.json:/opt/sensoroni/sensoroni.json:ro
-      - /opt/so/log/sensoroni:/opt/sensoroni/logs:rw
-    - watch:
-      - file: /opt/so/conf/sensoroni/sensoroni.json
-
-append_so-sensoroni_so-status.conf:
-  file.append:
-    - name: /opt/so/conf/so-status/so-status.conf
-    - text: so-sensoroni
-
 {% else %}
 
 pcap_state_not_allowed:
diff --git a/salt/pcap/files/sensoroni.json b/salt/sensoroni/files/sensoroni.json
similarity index 76%
rename from salt/pcap/files/sensoroni.json
rename to salt/sensoroni/files/sensoroni.json
index 8a9027bd0..f7c1edc25 100644
--- a/salt/pcap/files/sensoroni.json
+++ b/salt/sensoroni/files/sensoroni.json
@@ -1,6 +1,7 @@
 {%- set URLBASE = salt['pillar.get']('global:url_base') %}
 {%- set SENSORONIKEY = salt['pillar.get']('global:sensoronikey', '') -%}
-{%- set CHECKININTERVALMS = salt['pillar.get']('pcap:sensor_checkin_interval_ms', 10000) -%}
+{%- set CHECKININTERVALMS = salt['pillar.get']('sensoroni:sensor_checkin_interval_ms', 10000) -%}
+{%- set STENOENABLED = salt['pillar.get']('steno:enabled', False) %}
 {
   "logFilename": "/opt/sensoroni/logs/sensoroni.log",
   "logLevel":"info",
@@ -13,11 +14,13 @@
       "statickeyauth": {
         "apiKey": "{{ SENSORONIKEY }}"
       },
+{%- if STENOENABLED %}      
       "stenoquery": {
         "executablePath": "/opt/sensoroni/scripts/stenoquery.sh",
         "pcapInputPath": "/nsm/pcap",
         "pcapOutputPath": "/nsm/pcapout"
       }
+{%- endif %}
     }
   }
 }
diff --git a/salt/sensoroni/init.sls b/salt/sensoroni/init.sls
new file mode 100644
index 000000000..3268e86fd
--- /dev/null
+++ b/salt/sensoroni/init.sls
@@ -0,0 +1,41 @@
+sensoroniconfdir:
+  file.directory:
+    - name: /opt/so/conf/sensoroni
+    - user: 939
+    - group: 939
+    - makedirs: True
+
+sensoroniagentconf:
+  file.managed:
+    - name: /opt/so/conf/sensoroni/sensoroni.json
+    - source: salt://sensoroni/files/sensoroni.json
+    - user: 939
+    - group: 939
+    - mode: 600
+    - template: jinja
+
+sensoronilog:
+  file.directory:
+    - name: /opt/so/log/sensoroni
+    - user: 939
+    - group: 939
+    - makedirs: True
+
+so-sensoroni:
+  docker_container.running:
+    - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-soc:{{ VERSION }}
+    - network_mode: host
+    - binds:
+      - /opt/so/conf/steno/certs:/etc/stenographer/certs:rw
+      - /nsm/pcap:/nsm/pcap:rw
+      - /nsm/import:/nsm/import:rw
+      - /nsm/pcapout:/nsm/pcapout:rw
+      - /opt/so/conf/sensoroni/sensoroni.json:/opt/sensoroni/sensoroni.json:ro
+      - /opt/so/log/sensoroni:/opt/sensoroni/logs:rw
+    - watch:
+      - file: /opt/so/conf/sensoroni/sensoroni.json
+
+append_so-sensoroni_so-status.conf:
+  file.append:
+    - name: /opt/so/conf/so-status/so-status.conf
+    - text: so-sensoroni
\ No newline at end of file
diff --git a/salt/top.sls b/salt/top.sls
index bbd2a862d..9d41481fe 100644
--- a/salt/top.sls
+++ b/salt/top.sls
@@ -44,6 +44,7 @@ base:
     - patch.os.schedule
     - motd
     - salt.minion-check
+    - sensoroni
     - salt.lasthighstate
   
   '*_helix and G@saltversion:{{saltversion}}':
diff --git a/setup/so-functions b/setup/so-functions
index f13a183f2..4ba639fa5 100755
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -1166,7 +1166,7 @@ manager_global() {
                 "  managerupdate: $MANAGERUPDATES"\
 		"  imagerepo: '$IMAGEREPO'"\
 		"  pipeline: 'redis'"\
-		"pcap:"\
+		"sensoroni:"\
 		"  sensor_checkin_interval_ms: $SENSOR_CHECKIN_INTERVAL_MS"\
 		"strelka:"\
 		"  enabled: $STRELKA"\
@@ -1968,6 +1968,17 @@ set_updates() {
 	fi
 }
 
+steno_pillar() {
+
+	local pillar_file=$temp_install_dir/pillar/minions/$MINION_ID.sls
+
+	# Create the stenographer pillar
+	printf '%s\n'\
+		"steno:"\
+		"  enabled: True" >> "$pillar_file"
+
+}
+
 mark_version() {
 	# Drop a file with the current version
 	echo "$SOVERSION" > /etc/soversion
diff --git a/setup/so-setup b/setup/so-setup
index 22e429ad4..a064de623 100755
--- a/setup/so-setup
+++ b/setup/so-setup
@@ -511,6 +511,7 @@ fi
 	if [[ $is_sensor || $is_helix || $is_import ]]; then
 		set_progress_str 4 'Generating sensor pillar'
 		sensor_pillar >> $setup_log 2>&1
+		steno_pillar >> $setup_log
 	fi
 
 	set_progress_str 5 'Installing Salt and dependencies'

From 4dfd49ef393c97da2211bead39952f4f88d7c921 Mon Sep 17 00:00:00 2001
From: m0duspwnens <josh.patterson@securityonionsolutions.com>
Date: Tue, 24 Nov 2020 10:11:28 -0500
Subject: [PATCH 2/4] add vars
 https://github.com/Security-Onion-Solutions/securityonion/issues/2040

---
 salt/sensoroni/init.sls | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/salt/sensoroni/init.sls b/salt/sensoroni/init.sls
index 3268e86fd..a55049c06 100644
--- a/salt/sensoroni/init.sls
+++ b/salt/sensoroni/init.sls
@@ -1,3 +1,7 @@
+{% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %}
+{% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %}
+{% set MANAGER = salt['grains.get']('master') %}
+
 sensoroniconfdir:
   file.directory:
     - name: /opt/so/conf/sensoroni

From 995a37743284c8b8f32079ad7f309229a0ff8698 Mon Sep 17 00:00:00 2001
From: m0duspwnens <josh.patterson@securityonionsolutions.com>
Date: Tue, 24 Nov 2020 11:31:41 -0500
Subject: [PATCH 3/4] squigly comma if steno enabled
 https://github.com/Security-Onion-Solutions/securityonion/issues/2040

---
 salt/sensoroni/files/sensoroni.json | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/salt/sensoroni/files/sensoroni.json b/salt/sensoroni/files/sensoroni.json
index f7c1edc25..ee46b5937 100644
--- a/salt/sensoroni/files/sensoroni.json
+++ b/salt/sensoroni/files/sensoroni.json
@@ -1,7 +1,7 @@
-{%- set URLBASE = salt['pillar.get']('global:url_base') %}
-{%- set SENSORONIKEY = salt['pillar.get']('global:sensoronikey', '') -%}
-{%- set CHECKININTERVALMS = salt['pillar.get']('sensoroni:sensor_checkin_interval_ms', 10000) -%}
-{%- set STENOENABLED = salt['pillar.get']('steno:enabled', False) %}
+{% set URLBASE = salt['pillar.get']('global:url_base') -%}
+{% set SENSORONIKEY = salt['pillar.get']('global:sensoronikey', '') -%}
+{% set CHECKININTERVALMS = salt['pillar.get']('sensoroni:sensor_checkin_interval_ms', 10000) -%}
+{% set STENOENABLED = salt['pillar.get']('steno:enabled', False) -%}
 {
   "logFilename": "/opt/sensoroni/logs/sensoroni.log",
   "logLevel":"info",
@@ -13,13 +13,15 @@
       "importer": {},
       "statickeyauth": {
         "apiKey": "{{ SENSORONIKEY }}"
-      },
-{%- if STENOENABLED %}      
+{%- if STENOENABLED %} 
+      },     
       "stenoquery": {
         "executablePath": "/opt/sensoroni/scripts/stenoquery.sh",
         "pcapInputPath": "/nsm/pcap",
         "pcapOutputPath": "/nsm/pcapout"
       }
+{%- else %}
+      }
 {%- endif %}
     }
   }

From fe2662cab82e37fbddf7ee887c0433fae0d5e6c5 Mon Sep 17 00:00:00 2001
From: m0duspwnens <josh.patterson@securityonionsolutions.com>
Date: Tue, 24 Nov 2020 11:42:03 -0500
Subject: [PATCH 4/4] dont enable steno pillar on import node
 https://github.com/Security-Onion-Solutions/securityonion/issues/2040

---
 setup/so-setup | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/setup/so-setup b/setup/so-setup
index a064de623..0dfbef58a 100755
--- a/setup/so-setup
+++ b/setup/so-setup
@@ -511,7 +511,9 @@ fi
 	if [[ $is_sensor || $is_helix || $is_import ]]; then
 		set_progress_str 4 'Generating sensor pillar'
 		sensor_pillar >> $setup_log 2>&1
-		steno_pillar >> $setup_log
+		if [[ $is_sensor || $is_helix ]]; then
+			steno_pillar >> $setup_log
+		fi
 	fi
 
 	set_progress_str 5 'Installing Salt and dependencies'