merge with dev and resolve conflict

salt/common/tools/sbin/so-common

@@ -19,24 +19,29 @@ IMAGEREPO=securityonion
 
 # Check for prerequisites
 if [ "$(id -u)" -ne 0 ]; then
-        echo "This script must be run using sudo!"
-        exit 1
+    echo "This script must be run using sudo!"
+    exit 1
 fi
 
 # Define a banner to separate sections
 banner="========================================================================="
 
 header() {
-        echo
-        printf '%s\n' "$banner" "$*" "$banner"
+	echo
+    printf '%s\n' "$banner" "$*" "$banner"
 }
 
 lookup_pillar() {
-        key=$1
-        cat /opt/so/saltstack/local/pillar/global.sls | grep $key | awk '{print $2}'
+    key=$1
+    cat /opt/so/saltstack/local/pillar/global.sls | grep $key | awk '{print $2}'
 }
 
 lookup_pillar_secret() {
-        key=$1
-        cat /opt/so/saltstack/local/pillar/secrets.sls | grep $key | awk '{print $2}'
+    key=$1
+    cat /opt/so/saltstack/local/pillar/secrets.sls | grep $key | awk '{print $2}'
+}
+
+check_container() {
+	docker ps | grep "$1:" > /dev/null 2>&1
+	return $?
 }

salt/common/tools/sbin/so-cortex-user-add

@@ -47,7 +47,7 @@ resp=$(curl -sk -XPOST -H "Authorization: Bearer $CORTEX_KEY" -H "Content-Type:
 if [[ "$resp" =~ \"status\":\"Ok\" ]]; then
     echo "Successfully added user to Cortex."
 else
-    echo "Failed to add user to Cortex. See API response below."
+    echo "Failed to add user to Cortex."
     exit 2
 fi
     

salt/common/tools/sbin/so-thehive-user-add

@@ -46,7 +46,7 @@ resp=$(curl -sk -XPOST -H "Authorization: Bearer $THEHIVE_KEY" -H "Content-Type:
 if [[ "$resp" =~ \"status\":\"Ok\" ]]; then
     echo "Successfully added user to TheHive."
 else
-    echo "Failed to add user to TheHive. See API response below."
+    echo "Failed to add user to TheHive."
     echo $resp
     exit 2
 fi

salt/common/tools/sbin/so-user

@@ -8,18 +8,7 @@
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
 
-got_root() {
-
-  # Make sure you are root
-  if [ "$(id -u)" -ne 0 ]; then
-          echo "This script must be run using sudo!"
-          exit 1
-  fi
-
-}
-
-# Make sure the user is root
-got_root
+. /usr/sbin/so-common
 
 if [[ $# < 1 || $# > 2 ]]; then
   echo "Usage: $0 <list|add|update|delete|validate|valemail|valpass> [email]"
@@ -190,9 +179,9 @@ case "${operation}" in
     validateEmail "$email"
     createUser "$email"
     echo "Successfully added new user to SOC"
-    echo $password | so-thehive-user-add "$email"
-    echo $password | so-cortex-user-add "$email"
-    echo $password | so-fleet-user-add "$email"
+    check_container thehive && echo $password | so-thehive-user-add "$email"
+    check_container cortex && echo $password | so-cortex-user-add "$email"
+    check_container fleet && echo $password | so-fleet-user-add "$email"
     ;;
 
   "list")

salt/common/tools/sbin/so-wazuh-agent-manage

@@ -0,0 +1,22 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+
+#    This program is free software: you can redistribute it and/or modify
+#    it under the terms of the GNU General Public License as published by
+#    the Free Software Foundation, either version 3 of the License, or
+#    (at your option) any later version.
+#
+#    This program is distributed in the hope that it will be useful,
+#    but WITHOUT ANY WARRANTY; without even the implied warranty of
+#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#    GNU General Public License for more details.
+#
+#    You should have received a copy of the GNU General Public License
+#    along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+if docker ps |grep so-wazuh >/dev/null 2>&1; then
+  docker exec -it so-wazuh /var/ossec/bin/manage_agents "$@"
+else
+  echo "Wazuh manager is not running.  Please start it with so-wazuh-start."
+fi

salt/common/tools/sbin/so-wazuh-agent-upggrade

@@ -0,0 +1,22 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+
+#    This program is free software: you can redistribute it and/or modify
+#    it under the terms of the GNU General Public License as published by
+#    the Free Software Foundation, either version 3 of the License, or
+#    (at your option) any later version.
+#
+#    This program is distributed in the hope that it will be useful,
+#    but WITHOUT ANY WARRANTY; without even the implied warranty of
+#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#    GNU General Public License for more details.
+#
+#    You should have received a copy of the GNU General Public License
+#    along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+if docker ps |grep so-wazuh >/dev/null 2>&1; then
+  docker exec -it so-wazuh /var/ossec/bin/agent_upgrade "$@"
+else
+  echo "Wazuh manager is not running.  Please start it with so-wazuh-start."
+fi

salt/elastalert/init.sls

@@ -100,6 +100,12 @@ elastaconf:
     - group: 933
     - template: jinja
 
+wait_for_elasticsearch:
+  module.run:
+    - http.wait_for_successful_query:
+      - url: 'http://{{MANAGER}}:9200/_cat/indices/.kibana*'
+      - wait_for: 180
+
 so-elastalert:
   docker_container.running:
     - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-elastalert:{{ VERSION }}
@@ -112,5 +118,6 @@ so-elastalert:
       - /opt/so/log/elastalert:/var/log/elastalert:rw
       - /opt/so/conf/elastalert/modules/:/opt/elastalert/modules/:ro
       - /opt/so/conf/elastalert/elastalert_config.yaml:/opt/config/elastalert_config.yaml:ro
-
+    - require:
+      - module: wait_for_elasticsearch
 {% endif %}

salt/soc/files/soc/soc.json

@@ -63,7 +63,7 @@
           "::socks": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "socks.name", "socks.request.host", "socks.request.port", "socks.status", "log.id.uid" ],
           "::software": ["soc_timestamp", "source.ip", "software.name", "software.type" ],
           "::ssh": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "ssh.version", "ssh.hassh_version", "ssh.direction", "ssh.client", "ssh.server", "log.id.uid" ],
-          "::ssl": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "ssl.cipher", "ssl.curve", "ssl.certificate.subject", "ssl.validation_status", "ssl.version", "log.id.uid" ],
+          "::ssl": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "ssl.server_name", "ssl.certificate.subject", "ssl.validation_status", "ssl.version", "log.id.uid" ],
           "::syslog": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "syslog.facility", "network.protocol", "syslog.severity", "log.id.uid" ],
           "::tunnels": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "tunnel_type", "action", "log.id.uid" ],
           "::weird": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "weird.name", "log.id.uid" ],

salt/top.sls

@@ -149,7 +149,6 @@ base:
     - wazuh
     {%- endif %}
     - logstash
-    - minio
     - redis
     - kibana
     - elastalert
@@ -198,7 +197,6 @@ base:
     - wazuh
     {%- endif %}
     - logstash
-    - minio
     - redis
     - kibana
     - pcap
@@ -314,7 +312,6 @@ base:
     - manager
     - idstools
     - suricata.manager
-    - minio
     {%- if FLEETMANAGER or FLEETNODE or PLAYBOOK != 0 %}
     - mysql
     {%- endif %}
@@ -355,7 +352,6 @@ base:
     - nginx
     - telegraf
     - firewall
-    - minio
     {%- if WAZUH != 0 %}
     - wazuh
     {%- endif %}