Merge branch 'dev' of https://github.com/Security-Onion-Solutions/securityonion into gpg

2026-05-22 03:01:52 +02:00 · 2020-11-11 13:52:31 -05:00
parent 9a59ceee4e 8160ef104d
commit a29def504e
94 changed files with 748 additions and 329 deletions
@@ -1,4 +1,51 @@
 #!py

+import logging
+
 def status():
-  return __salt__['cmd.run']('/usr/sbin/so-status')
+    return __salt__['cmd.run']('/usr/sbin/so-status')
+
+
+def mysql_conn(retry):
+    log = logging.getLogger(__name__)
+
+    from time import sleep
+
+    try:
+        from MySQLdb import _mysql
+    except ImportError as e:
+        log.error(e)
+        return False
+
+    mainint = __salt__['pillar.get']('sensor:mainint', __salt__['pillar.get']('manager:mainint'))
+    mainip = __salt__['grains.get']('ip_interfaces').get(mainint)[0]
+
+    mysql_up = False
+    for i in range(0, retry):
+        log.debug(f'Connection attempt {i+1}')
+        try:
+            db = _mysql.connect(
+                host=mainip,
+                user='root',
+                passwd=__salt__['pillar.get']('secrets:mysql')
+            )
+            log.debug(f'Connected to MySQL server on {mainip} after {i} attempts.')
+            
+            db.query("""SELECT 1;""")
+            log.debug(f'Successfully completed query against MySQL server on {mainip}')
+            
+            db.close()
+            mysql_up = True
+            break
+        except _mysql.OperationalError as e:
+            log.debug(e)
+        except Exception as e:
+            log.error('Unexpected error occured.')
+            log.error(e)
+            break
+        sleep(1)
+
+    if not mysql_up:
+        log.error(f'Could not connect to MySQL server on {mainip} after {retry} attempts.')
+
+    return mysql_up
@@ -32,6 +32,18 @@ soconfperms:
    - gid: 939
    - dir_mode: 770

+sostatusconf:
+  file.directory:
+    - name: /opt/so/conf/so-status
+    - uid: 939
+    - gid: 939
+    - dir_mode: 770
+
+so-status.conf:
+  file.touch:
+    - name: /opt/so/conf/so-status/so-status.conf
+    - unless: ls /opt/so/conf/so-status/so-status.conf
+
 sosaltstackperms:
  file.directory:
    - name: /opt/so/saltstack
@@ -1,5 +0,0 @@
-{% set docker = {
-  'containers': [
-    'so-domainstats'
-  ]
-} %}
@@ -1,20 +0,0 @@
-{% set docker = {
-  'containers': [
-    'so-filebeat',
-    'so-nginx',
-    'so-telegraf',
-    'so-dockerregistry',
-    'so-soc',
-    'so-kratos',
-    'so-idstools',
-    'so-elasticsearch',
-    'so-kibana',
-    'so-steno',
-    'so-suricata',
-    'so-zeek',
-    'so-curator',
-    'so-elastalert',
-    'so-soctopus',
-    'so-sensoroni'
-  ]
-} %}
@@ -1,10 +0,0 @@
-{% set docker = {
-  'containers': [
-    'so-mysql',
-    'so-fleet',
-    'so-redis',
-    'so-filebeat',
-    'so-nginx',
-    'so-telegraf'
-  ]
-} %}
@@ -1,7 +0,0 @@
-{% set docker = {
-  'containers': [
-    'so-mysql',
-    'so-fleet',
-    'so-redis'
-  ]
-} %}
@@ -1,5 +0,0 @@
-{% set docker = {
-  'containers': [
-    'so-freqserver'
-  ]
-} %}
@@ -1,6 +0,0 @@
-{% set docker = {
-  'containers': [
-    'so-influxdb',
-    'so-grafana'
-  ]
-} %}
@@ -1,15 +0,0 @@
-{% set docker = {
-  'containers': [
-    'so-nginx',
-    'so-telegraf',
-    'so-redis',
-    'so-logstash',
-    'so-elasticsearch',
-    'so-curator',
-    'so-steno',
-    'so-suricata',
-    'so-wazuh',
-    'so-filebeat',
-    'so-sensoroni'
-  ]
-} %}
@@ -1,12 +0,0 @@
-{% set docker = {
-  'containers': [
-    'so-nginx',
-    'so-telegraf',
-    'so-idstools',
-    'so-steno',
-    'so-zeek',
-    'so-redis',
-    'so-logstash',
-    'so-filebeat
-  ]
-} %}
@@ -1,9 +0,0 @@
-{% set docker = {
-  'containers': [
-    'so-nginx',
-    'so-telegraf',
-     'so-logstash',
-    'so-elasticsearch',
-    'so-curator',
-   ]
-} %}
@@ -1,10 +0,0 @@
-{% set docker = {
-  'containers': [
-    'so-filebeat',
-    'so-nginx',
-    'so-soc',
-    'so-kratos',
-    'so-elasticsearch',
-    'so-kibana'
-  ]
-} %}
@@ -1,21 +0,0 @@
-{% set docker = {
-  'containers': [
-    'so-dockerregistry',
-    'so-nginx',
-    'so-telegraf',
-    'so-soc',
-    'so-kratos',
-    'so-idstools',
-    'so-redis',
-    'so-elasticsearch',
-    'so-logstash',
-    'so-kibana',
-    'so-elastalert',
-    'so-filebeat',
-    'so-soctopus'
-  ]
-} %}
-
-{% if salt['pillar.get']('global:managerupdate') == 1 %}
-   {% do docker.containers.append('so-aptcacherng') %}
-{% endif %}
@@ -1,21 +0,0 @@
-{% set docker = {
-  'containers': [
-    'so-nginx',
-    'so-telegraf',
-    'so-soc',
-    'so-kratos',
-    'so-idstools',
-    'so-redis',
-    'so-logstash',
-    'so-elasticsearch',
-    'so-curator',
-    'so-kibana',
-    'so-elastalert',
-    'so-filebeat',
-    'so-soctopus'
-  ]
-} %}
-
-{% if salt['pillar.get']('global:managerupdate') == 1 %}
-   {% do docker.containers.append('so-aptcacherng') %}
-{% endif %}
@@ -1,5 +0,0 @@
-{% set docker = {
-  'containers': [
-    'so-zeek'
-  ]
-} %}
@@ -1,5 +0,0 @@
-{% set docker = {
-  'containers': [
-    'so-playbook'
-  ]
-} %}
@@ -1,10 +0,0 @@
-{% set docker = {
-  'containers': [
-    'so-nginx',
-    'so-telegraf',
-    'so-logstash',
-    'so-elasticsearch',
-    'so-curator',
-    'so-filebeat'
-  ]
-} %}
@@ -1,9 +0,0 @@
-{% set docker = {
-  'containers': [
-    'so-telegraf',
-    'so-steno',
-    'so-suricata',
-    'so-filebeat',
-    'so-sensoroni'
-  ]
-} %}
@@ -1,48 +0,0 @@
-{% set role = grains.id.split('_') | last %}
-{% from 'common/maps/'~ role ~'.map.jinja' import docker with context %}
-
-# Check if the service is enabled and append it's required containers
-# to the list predefined by the role / minion id affix
-{% macro append_containers(pillar_name, k, compare )%}
-  {% if salt['pillar.get'](pillar_name~':'~k, {}) != compare %}
-    {% if k == 'enabled' %}
-      {% set k = pillar_name %}
-    {% endif %}
-    {% from 'common/maps/'~k~'.map.jinja' import docker as d with context %}
-    {% for li in d['containers'] %}
-      {{ docker['containers'].append(li) }}
-    {% endfor %}
-  {% endif %}
-{% endmacro %}
-
-{% set docker = salt['grains.filter_by']({
-  '*_'~role: {
-    'containers': docker['containers']
-  } 
-},grain='id', merge=salt['pillar.get']('docker')) %}
-
-{% if role in ['eval', 'managersearch', 'manager', 'standalone'] %}
-  {{ append_containers('manager', 'grafana', 0) }}
-  {{ append_containers('global', 'fleet_manager', 0) }}
-  {{ append_containers('global', 'wazuh', 0) }}
-  {{ append_containers('manager', 'thehive', 0) }}
-  {{ append_containers('manager', 'playbook', 0) }}
-  {{ append_containers('manager', 'freq', 0) }}
-  {{ append_containers('manager', 'domainstats', 0) }}
-{% endif %}
-
-{% if role in ['eval', 'heavynode', 'sensor', 'standalone'] %}
-  {{ append_containers('strelka', 'enabled', 0) }}
-{% endif %}
-
-{% if role in ['heavynode', 'standalone'] %}
-  {{ append_containers('global', 'mdengine', 'SURICATA') }}
-{% endif %}
-
-{% if role == 'searchnode' %}
-  {{ append_containers('manager', 'wazuh', 0) }}
-{% endif %}
-
-{% if role == 'sensor' %}
-  {{ append_containers('global', 'mdengine', 'SURICATA') }}
-{% endif %}
@@ -1,25 +0,0 @@
-{% set docker = {
-  'containers': [
-    'so-nginx',
-    'so-telegraf',
-    'so-soc',
-    'so-kratos',
-    'so-idstools',
-    'so-redis',
-    'so-logstash',
-    'so-elasticsearch',
-    'so-curator',
-    'so-kibana',
-    'so-elastalert',
-    'so-filebeat',
-    'so-suricata',
-    'so-steno',
-    'so-dockerregistry',
-    'so-soctopus',
-    'so-sensoroni'
-  ]
-} %}
-
-{% if salt['pillar.get']('global:managerupdate') == 1 %}
-   {% do docker.containers.append('so-aptcacherng') %}
-{% endif %}
@@ -1,9 +0,0 @@
-{% set docker = {
-  'containers': [
-    'so-strelka-coordinator',
-    'so-strelka-gatekeeper',
-    'so-strelka-manager',
-    'so-strelka-frontend',
-    'so-strelka-filestream'
-  ]
-} %}
@@ -1,7 +0,0 @@
-{% set docker = {
-  'containers': [
-    'so-thehive',
-    'so-thehive-es',
-    'so-cortex'
-  ]
-} %}
@@ -1,7 +0,0 @@
-{% set docker = {
-  'containers': [
-    'so-nginx',
-    'so-telegraf',
-    'so-elasticsearch'
-  ]
-} %}
@@ -1,5 +0,0 @@
-{% set docker = {
-  'containers': [
-    'so-wazuh'
-  ]
-} %}
@@ -14,8 +14,6 @@
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
-{%- from 'common/maps/so-status.map.jinja' import docker with context %}
-{%- set container_list = docker['containers'] | sort | unique %}

 if ! [ "$(id -u)" = 0 ]; then
   echo "This command must be run as root"
@@ -39,9 +37,8 @@ declare -a BAD_STATUSES=("removing" "paused" "exited" "dead")
 declare -a PENDING_STATUSES=("paused" "created" "restarting")
 declare -a GOOD_STATUSES=("running")
 declare -a DISABLED_CONTAINERS=()
-{%- if salt['pillar.get']('steno:enabled', 'True') is sameas false %}
-DISABLED_CONTAINERS+=("so-steno")
-{%- endif %}
+mapfile -t DISABLED_CONTAINERS < <(sort -u /opt/so/conf/so-status/so-status.conf | grep "^\s*#" | tr -d "#")
+

 declare -a temp_container_name_list=()
 declare -a temp_container_state_list=()
@@ -83,9 +80,9 @@ compare_lists() {
 # {% endraw %}

 create_expected_container_list() {
-    {% for item in container_list -%}
-        expected_container_list+=("{{ item }}")
-    {% endfor -%}
+
+    mapfile -t expected_container_list < <(sort -u /opt/so/conf/so-status/so-status.conf | tr -d "#")    
+
 }

 populate_container_lists() {
@@ -175,7 +172,7 @@ print_line() {

    printf "    $service_name "
    for i in $(seq 0 $(( $columns - $PADDING_CONSTANT - ${#service_name} - ${#service_state} ))); do
-        printf "-"
+        printf "${state_color}%b\e[0m" "-"
    done
    printf " [ "
    printf "${state_color}%b\e[0m" "$service_state"
@@ -1,2 +1,27 @@
 #!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+APP=close
+lf=/tmp/$APP-pidLockFile
+# create empty lock file if none exists
+cat /dev/null >> $lf
+read lastPID < $lf
+# if lastPID is not null and a process with that pid exists , exit
+[ ! -z "$lastPID" -a -d /proc/$lastPID ] && exit
+echo $$ > $lf
+
 /usr/sbin/so-curator-closed-delete > /dev/null 2>&1; docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-zeek-close.yml > /dev/null 2>&1; docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-beats-close.yml > /dev/null 2>&1; docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-firewall-close.yml > /dev/null 2>&1; docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-ids-close.yml > /dev/null 2>&1; docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-import-close.yml > /dev/null 2>&1; docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-osquery-close.yml > /dev/null 2>&1; docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-ossec-close.yml > /dev/null 2>&1; docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-strelka-close.yml > /dev/null 2>&1; docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-syslog-close.yml > /dev/null 2>&1
@@ -1,6 +1,6 @@
 #!/bin/bash
 #
-# Copyright 2014,2015,2016,2017,2018 Security Onion Solutions, LLC
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -34,6 +34,13 @@
 #fi

 # Avoid starting multiple instances
-if ! pgrep -f "so-curator-closed-delete-delete" >/dev/null; then
-	/usr/sbin/so-curator-closed-delete-delete
-fi
+APP=closeddelete
+lf=/tmp/$APP-pidLockFile
+# create empty lock file if none exists
+cat /dev/null >> $lf
+read lastPID < $lf
+# if lastPID is not null and a process with that pid exists , exit
+[ ! -z "$lastPID" -a -d /proc/$lastPID ] && exit
+echo $$ > $lf
+
+/usr/sbin/so-curator-closed-delete-delete
@@ -1,5 +1,28 @@
-
 #!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+APP=closedeletedelete
+lf=/tmp/$APP-pidLockFile
+# create empty lock file if none exists
+cat /dev/null >> $lf
+read lastPID < $lf
+# if lastPID is not null and a process with that pid exists , exit
+[ ! -z "$lastPID" -a -d /proc/$lastPID ] && exit
+echo $$ > $lf

 {%- if grains['role'] in ['so-node', 'so-heavynode'] %}
  {%- set ELASTICSEARCH_HOST = salt['pillar.get']('elasticsearch:mainip', '') -%}  
@@ -1,2 +1,27 @@
 #!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+APP=delete
+lf=/tmp/$APP-pidLockFile
+# create empty lock file if none exists
+cat /dev/null >> $lf
+read lastPID < $lf
+# if lastPID is not null and a process with that pid exists , exit
+[ ! -z "$lastPID" -a -d /proc/$lastPID ] && exit
+echo $$ > $lf
+
 docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/delete.yml > /dev/null 2>&1
@@ -127,6 +127,12 @@ so-curator:
      - /opt/so/conf/curator/curator.yml:/etc/curator/config/curator.yml:ro
      - /opt/so/conf/curator/action/:/etc/curator/action:ro
      - /opt/so/log/curator:/var/log/curator:rw
+
+append_so-curator_so-status.conf:
+  file.append:
+    - name: /opt/so/conf/so-status/so-status.conf
+    - text: so-curator
+
 # Begin Curator Cron Jobs

 # Close
@@ -56,6 +56,11 @@ so-domainstats:
    - binds:
      - /opt/so/log/domainstats:/var/log/domain_stats

+append_so-domainstats_so-status.conf:
+  file.append:
+    - name: /opt/so/conf/so-status/so-status.conf
+    - text: so-domainstats
+
 {% else %}

 domainstats_state_not_allowed:
@@ -121,6 +121,12 @@ so-elastalert:
      - {{MANAGER_URL}}:{{MANAGER_IP}}
    - require:
      - module: wait_for_elasticsearch
+
+append_so-elastalert_so-status.conf:
+  file.append:
+    - name: /opt/so/conf/so-status/so-status.conf
+    - text: so-elastalert
+
 {% endif %}

 {% else %}
@@ -12,7 +12,7 @@
      {
        "if": "ctx.exiftool?.keys !=null",
          "field": "exiftool.keys",
-          "processor":{
+          "processor": {
            "append": {
              "field": "scan.exiftool",
              "value": "{{_ingest._value.key}}={{_ingest._value.value}}"
@@ -20,6 +20,18 @@
          }
      }
    },
+    { "foreach":
+      {
+        "if": "ctx.exiftool?.keys !=null",
+          "field": "exiftool.keys",
+          "processor": {
+            "set": {
+              "field": "exiftool.{{_ingest._value.key}}",
+              "value": "{{_ingest._value.value}}"
+            }
+          }
+      }
+    },
    { "foreach":
      {
        "if": "ctx.scan?.yara?.meta !=null",
@@ -32,6 +44,14 @@
          }
      }
    },
+    { "set":         { "if": "ctx.exiftool?.SourceFile != null", "field": "file.source",        "value": "{{exiftool.SourceFile}}", "ignore_failure": true }},
+    { "set":         { "if": "ctx.exiftool?.FilePermissions != null", "field": "file.permissions",        "value": "{{exiftool.FilePermissions}}", "ignore_failure": true }},
+    { "set":         { "if": "ctx.exiftool?.FileName != null", "field": "file.name",        "value": "{{exiftool.FileName}}", "ignore_failure": true }},
+    { "set":         { "if": "ctx.exiftool?.FileModifyDate != null", "field": "file.mtime",        "value": "{{exiftool.FileModifyDate}}", "ignore_failure": true }},
+    { "set":         { "if": "ctx.exiftool?.FileAccessDate != null", "field": "file.accessed",        "value": "{{exiftool.FileAccessDate}}", "ignore_failure": true }},
+    { "set":         { "if": "ctx.exiftool?.FileInodeChangeDate != null", "field": "file.ctime",        "value": "{{exiftool.FileInodeChangeDate}}", "ignore_failure": true }},
+    { "set":         { "if": "ctx.exiftool?.FileDirectory != null", "field": "file.directory",        "value": "{{exiftool.FileDirectory}}", "ignore_failure": true }},
+    { "set":         { "if": "ctx.exiftool?.Subsystem != null", "field": "host.subsystem",        "value": "{{exiftool.Subsystem}}", "ignore_failure": true }},
    { "set":         { "if": "ctx.scan?.yara?.matches != null", "field": "rule.name",        "value": "{{scan.yara.matches.0}}" }},
    { "set":         { "if": "ctx.scan?.yara?.matches != null", "field": "dataset",        "value": "alert", "override": true }},
    { "rename":         { "field": "file.flavors.mime", "target_field": "file.mime_type",        "ignore_missing": true }},
@@ -13,7 +13,7 @@
        }
    },
    { "grok":           { "field": "message",       "patterns": ["<%{INT:syslog.priority}>%{DATA:syslog.timestamp} %{WORD:source.application}: %{GREEDYDATA:real_message}"], "ignore_failure": false } },
-    { "set": { "if": "ctx.source.application == 'filterlog'", "field": "dataset", "value": "firewall" } },
+    { "set": { "if": "ctx.source?.application == 'filterlog'", "field": "dataset", "value": "firewall" } },
    { "pipeline": { "if": "ctx.dataset == 'firewall'", "name": "filterlog" } },
    { "pipeline":       { "name": "common"                                             } }
  ]
@@ -215,13 +215,17 @@ so-elasticsearch:
      - /etc/pki/ca.crt:/usr/share/elasticsearch/config/ca.crt:ro
      - /etc/pki/elasticsearch.p12:/usr/share/elasticsearch/config/elasticsearch.p12:ro
      - /opt/so/conf/elasticsearch/sotls.yml:/usr/share/elasticsearch/config/sotls.yml:ro
-
    - watch:
      - file: cacertz
      - file: esyml
      - file: esingestconf
      - file: so-elasticsearch-pipelines-file

+append_so-elasticsearch_so-status.conf:
+  file.append:
+    - name: /opt/so/conf/so-status/so-status.conf
+    - text: so-elasticsearch
+
 so-elasticsearch-pipelines-file:
  file.managed:
    - name: /opt/so/conf/elasticsearch/so-elasticsearch-pipelines
@@ -86,6 +86,11 @@ so-filebeat:
    - watch:
      - file: /opt/so/conf/filebeat/etc/filebeat.yml

+append_so-filebeat_so-status.conf:
+  file.append:
+    - name: /opt/so/conf/so-status/so-status.conf
+    - text: so-filebeat
+
 {% else %}

 filebeat_state_not_allowed:
@@ -1,4 +1,10 @@
-{% set ENROLLSECRET = salt['cmd.run']('docker exec so-fleet fleetctl get enroll-secret default') %}
+{% set FLEETMANAGER = salt['pillar.get']('global:fleet_manager', False) %}
+{% set FLEETNODE = salt['pillar.get']('global:fleet_node', False) %}
+{% if FLEETNODE or FLEETMANAGER %}
+  {% set ENROLLSECRET = salt['cmd.run']('docker exec so-fleet fleetctl get enroll-secret default') %}
+{% else %}
+  {% set ENROLLSECRET = '' %}
+{% endif %}
 {% set MAININT = salt['pillar.get']('host:mainint') %}
 {% set MAINIP = salt['grains.get']('ip_interfaces').get(MAININT)[0] %}

@@ -134,4 +134,9 @@ so-fleet:
    - watch:
      - /opt/so/conf/fleet/etc

+append_so-fleet_so-status.conf:
+  file.append:
+    - name: /opt/so/conf/so-status/so-status.conf
+    - text: so-fleet
+
 {% endif %}
@@ -56,6 +56,11 @@ so-freq:
    - binds:
      - /opt/so/log/freq_server:/var/log/freq_server:rw

+append_so-freq_so-status.conf:
+  file.append:
+    - name: /opt/so/conf/so-status/so-status.conf
+    - text: so-freq
+
 {% else %}

 freqserver_state_not_allowed:
@@ -236,6 +236,11 @@ so-grafana:
    - watch:
      - file: /opt/so/conf/grafana/*

+append_so-grafana_so-status.conf:
+  file.append:
+    - name: /opt/so/conf/so-status/so-status.conf
+    - text: so-grafana
+
 {% endif %}

 {% else %}
@@ -76,6 +76,11 @@ so-idstools:
    - watch:
      - file: idstoolsetcsync

+append_so-idstools_so-status.conf:
+  file.append:
+    - name: /opt/so/conf/so-status/so-status.conf
+    - text: so-idstools
+
 {% else %}

 idstools_state_not_allowed:
@@ -54,6 +54,11 @@ so-influxdb:
    - watch:
      - file: influxdbconf

+append_so-influxdb_so-status.conf:
+  file.append:
+    - name: /opt/so/conf/so-status/so-status.conf
+    - text: so-influxdb
+
 {% endif %}

 {% else %}
@@ -90,6 +90,11 @@ so-kibana:
    - port_bindings:
      - 0.0.0.0:5601:5601

+append_so-kibana_so-status.conf:
+  file.append:
+    - name: /opt/so/conf/so-status/so-status.conf
+    - text: so-kibana
+
 kibanadashtemplate:
  file.managed:
    - name: /opt/so/conf/kibana/saved_objects.ndjson.template
@@ -202,6 +202,11 @@ so-logstash:
      - file: es_template_{{TEMPLATE.split('.')[0] | replace("/","_") }}
 {% endfor %}

+append_so-logstash_so-status.conf:
+  file.append:
+    - name: /opt/so/conf/so-status/so-status.conf
+    - text: so-logstash
+
 {% else %}

 logstash_state_not_allowed:
@@ -81,6 +81,11 @@ so-aptcacherng:
      - /opt/so/log/aptcacher-ng:/var/log/apt-cacher-ng:rw
      - /opt/so/conf/aptcacher-ng/etc/acng.conf:/etc/apt-cacher-ng/acng.conf:ro

+append_so-aptcacherng_so-status.conf:
+  file.append:
+    - name: /opt/so/conf/so-status/so-status.conf
+    - text: so-aptcacherng
+
 {% endif %}

 strelka_yara_update:
@@ -62,6 +62,11 @@ so-minio:
      - /etc/pki/minio.crt:/.minio/certs/public.crt:ro
    - entrypoint: "/usr/bin/docker-entrypoint.sh server --certs-dir /.minio/certs --address :9595 /data"

+append_so-minio_so-status.conf:
+  file.append:
+    - name: /opt/so/conf/so-status/so-status.conf
+    - text: so-minio
+
 {% else %}

 minio_state_not_allowed:
@@ -94,9 +94,20 @@ so-mysql:
      - /opt/so/conf/mysql/etc
  cmd.run:
    - name: until nc -z {{ MAINIP }} 3306; do sleep 1; done
-    - timeout: 900
+    - timeout: 600
    - onchanges:
      - docker_container: so-mysql
+  module.run:
+    - so.mysql_conn:
+      - retry: 300
+    - onchanges:
+      - cmd: so-mysql
+
+append_so-mysql_so-status.conf:
+  file.append:
+    - name: /opt/so/conf/so-status/so-status.conf
+    - text: so-mysql
+
 {% endif %}

 {% else %}
@@ -98,6 +98,11 @@ so-nginx:
      - file: nginxconf
      - file: nginxconfdir

+append_so-nginx_so-status.conf:
+  file.append:
+    - name: /opt/so/conf/so-status/so-status.conf
+    - text: so-nginx
+
 {% else %}

 nginx_state_not_allowed:
@@ -74,6 +74,11 @@ so-nodered:
    - port_bindings:
      - 0.0.0.0:1880:1880

+append_so-nodered_so-status.conf:
+  file.append:
+    - name: /opt/so/conf/so-status/so-status.conf
+    - text: so-nodered
+
 so-nodered-flows:
  cmd.run:
    - name: /usr/sbin/so-nodered-load-flows
@@ -152,6 +152,24 @@ so-steno:
    - watch:
      - file: /opt/so/conf/steno/config

+append_so-steno_so-status.conf:
+  file.append:
+    - name: /opt/so/conf/so-status/so-status.conf
+    - text: so-steno
+    - unless: grep so-steno /opt/so/conf/so-status/so-status.conf
+
+  {% if STENOOPTIONS.status == 'running' %}
+delete_so-steno_so-status.disabled:
+  file.uncomment:
+    - name: /opt/so/conf/so-status/so-status.conf
+    - regex: ^so-steno$
+  {% elif STENOOPTIONS.status == 'stopped' %}
+so-steno_so-status.disabled:
+  file.comment:
+    - name: /opt/so/conf/so-status/so-status.conf
+    - regex: ^so-steno$
+  {% endif %}
+
 so-sensoroni:
  docker_container.running:
    - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-soc:{{ VERSION }}
@@ -166,6 +184,11 @@ so-sensoroni:
    - watch:
      - file: /opt/so/conf/sensoroni/sensoroni.json

+append_so-sensoroni_so-status.conf:
+  file.append:
+    - name: /opt/so/conf/so-status/so-status.conf
+    - text: so-sensoroni
+
 {% else %}

 pcap_state_not_allowed:
@@ -93,6 +93,11 @@ so-playbook:
    - port_bindings:
      - 0.0.0.0:3200:3000

+append_so-playbook_so-status.conf:
+  file.append:
+    - name: /opt/so/conf/so-status/so-status.conf
+    - text: so-playbook
+
 {% endif %}

 so-playbooksynccron:
@@ -31,16 +31,17 @@ def run():
        print(line) 

      # Update the enroll secret in the secrets pillar
-      for line in fileinput.input(SECRETSFILE, inplace=True):
-        line = re.sub(r'fleet_enroll-secret: \S*', f"fleet_enroll-secret: {ESECRET}", line.rstrip())
-        print(line)      
+      if ESECRET != "":
+        for line in fileinput.input(SECRETSFILE, inplace=True):
+          line = re.sub(r'fleet_enroll-secret: \S*', f"fleet_enroll-secret: {ESECRET}", line.rstrip())
+          print(line)

-        # Update the Fleet host in the static pillar
+      # Update the Fleet host in the static pillar
      for line in fileinput.input(STATICFILE, inplace=True):
        line = re.sub(r'fleet_hostname: \S*', f"fleet_hostname: '{HOSTNAME}'", line.rstrip())
        print(line)  

-        # Update the Fleet IP in the static pillar
+      # Update the Fleet IP in the static pillar
      for line in fileinput.input(STATICFILE, inplace=True):
        line = re.sub(r'fleet_ip: \S*', f"fleet_ip: '{MAINIP}'", line.rstrip())
        print(line)   
@@ -70,6 +70,11 @@ so-redis:
    - watch:
      - file: /opt/so/conf/redis/etc

+append_so-redis_so-status.conf:
+  file.append:
+    - name: /opt/so/conf/so-status/so-status.conf
+    - text: so-redis
+
 {% else %}

 redis_state_not_allowed:
@@ -57,6 +57,11 @@ so-dockerregistry:
      - /etc/pki/registry.crt:/etc/pki/registry.crt:ro
      - /etc/pki/registry.key:/etc/pki/registry.key:ro

+append_so-dockerregistry_so-status.conf:
+  file.append:
+    - name: /opt/so/conf/so-status/so-status.conf
+    - text: so-dockerregistry
+
 {% else %}

 registry_state_not_allowed:
@@ -67,6 +67,11 @@ so-soc:
    - watch:
      - file: /opt/so/conf/soc/*

+append_so-soc_so-status.conf:
+  file.append:
+    - name: /opt/so/conf/so-status/so-status.conf
+    - text: so-soc
+
 # Add Kratos Group
 kratosgroup:
  group.present:
@@ -119,6 +124,11 @@ so-kratos:
    - watch:
      - file: /opt/so/conf/kratos

+append_so-kratos_so-status.conf:
+  file.append:
+    - name: /opt/so/conf/so-status/so-status.conf
+    - text: so-kratos
+
 {% else %}

 soc_state_not_allowed:
@@ -73,6 +73,11 @@ so-soctopus:
    - extra_hosts:
      - {{MANAGER_URL}}:{{MANAGER_IP}}

+append_so-soctopus_so-status.conf:
+  file.append:
+    - name: /opt/so/conf/so-status/so-status.conf
+    - text: so-soctopus
+
 {% else %}

 soctopus_state_not_allowed:
@@ -87,6 +87,11 @@ strelka_coordinator:
    - port_bindings:
      - 0.0.0.0:6380:6379

+append_so-strelka-coordinator_so-status.conf:
+  file.append:
+    - name: /opt/so/conf/so-status/so-status.conf
+    - text: so-strelka-coordinator
+
 strelka_gatekeeper:
  docker_container.running:
    - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-redis:{{ VERSION }}
@@ -95,6 +100,11 @@ strelka_gatekeeper:
    - port_bindings:
      - 0.0.0.0:6381:6379

+append_so-strelka-gatekeeper_so-status.conf:
+  file.append:
+    - name: /opt/so/conf/so-status/so-status.conf
+    - text: so-strelka-gatekeeper
+
 strelka_frontend:
  docker_container.running:
    - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-strelka-frontend:{{ VERSION }}
@@ -107,6 +117,11 @@ strelka_frontend:
    - port_bindings:
      - 0.0.0.0:57314:57314

+append_so-strelka-frontend_so-status.conf:
+  file.append:
+    - name: /opt/so/conf/so-status/so-status.conf
+    - text: so-strelka-frontend
+
 strelka_backend:
  docker_container.running:
    - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-strelka-backend:{{ VERSION }}
@@ -117,6 +132,11 @@ strelka_backend:
    - command: strelka-backend
    - restart_policy: on-failure

+append_so-strelka-backend_so-status.conf:
+  file.append:
+    - name: /opt/so/conf/so-status/so-status.conf
+    - text: so-strelka-backend
+
 strelka_manager:
  docker_container.running:
    - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-strelka-manager:{{ VERSION }}
@@ -125,6 +145,11 @@ strelka_manager:
    - name: so-strelka-manager
    - command: strelka-manager

+append_so-strelka-manager_so-status.conf:
+  file.append:
+    - name: /opt/so/conf/so-status/so-status.conf
+    - text: so-strelka-manager
+
 strelka_filestream:
  docker_container.running:
    - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-strelka-filestream:{{ VERSION }}
@@ -133,6 +158,11 @@ strelka_filestream:
      - /nsm/strelka:/nsm/strelka
    - name: so-strelka-filestream
    - command: strelka-filestream
+
+append_so-strelka-filestream_so-status.conf:
+  file.append:
+    - name: /opt/so/conf/so-status/so-status.conf
+    - text: so-strelka-filestream
    
 strelka_zeek_extracted_sync:
  cron.present:
@@ -163,6 +163,11 @@ so-suricata:
      - file: /opt/so/conf/suricata/rules/
      - file: /opt/so/conf/suricata/bpf

+append_so-suricata_so-status.conf:
+  file.append:
+    - name: /opt/so/conf/so-status/so-status.conf
+    - text: so-suricata
+
 surilogrotate:
  file.managed:
    - name: /opt/so/conf/suricata/suri-rotate.conf
@@ -73,6 +73,11 @@ so-telegraf:
      - file: tgrafconf
      - file: tgrafsyncscripts

+append_so-telegraf_so-status.conf:
+  file.append:
+    - name: /opt/so/conf/so-status/so-status.conf
+    - text: so-telegraf
+
 {% else %}

 telegraf_state_not_allowed:
@@ -1,4 +1,28 @@
 #!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+APP=checkfiles
+lf=/tmp/$APP-pidLockFile
+# create empty lock file if none exists
+cat /dev/null >> $lf
+read lastPID < $lf
+# if lastPID is not null and a process with that pid exists , exit
+[ ! -z "$lastPID" -a -d /proc/$lastPID ] && exit
+echo $$ > $lf

 FILES=$(ls -1x /host/nsm/faf/complete/ | wc -l)

@@ -1,4 +1,28 @@
 #!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+APP=helixeps
+lf=/tmp/$APP-pidLockFile
+# create empty lock file if none exists
+cat /dev/null >> $lf
+read lastPID < $lf
+# if lastPID is not null and a process with that pid exists , exit
+[ ! -z "$lastPID" -a -d /proc/$lastPID ] && exit
+echo $$ > $lf

 PREVCOUNTFILE='/tmp/helixevents.txt'
 EVENTCOUNTCURRENT="$(curl -s localhost:9600/_node/stats | jq '.pipelines.helix.events.out')"
@@ -1,4 +1,28 @@
 #!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+APP=influxsize
+lf=/tmp/$APP-pidLockFile
+# create empty lock file if none exists
+cat /dev/null >> $lf
+read lastPID < $lf
+# if lastPID is not null and a process with that pid exists , exit
+[ ! -z "$lastPID" -a -d /proc/$lastPID ] && exit
+echo $$ > $lf

 INFLUXSIZE=$(du -s -k /host/nsm/influxdb | awk {'print $1'})

@@ -1,4 +1,28 @@
 #!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+APP=oldpcap
+lf=/tmp/$APP-pidLockFile
+# create empty lock file if none exists
+cat /dev/null >> $lf
+read lastPID < $lf
+# if lastPID is not null and a process with that pid exists , exit
+[ ! -z "$lastPID" -a -d /proc/$lastPID ] && exit
+echo $$ > $lf

 # Get the data
 OLDPCAP=$(find /host/nsm/pcap -type f -exec stat -c'%n %Z' {} + | sort | grep -v "\." | head -n 1 | awk {'print $2'})
@@ -1,4 +1,29 @@
 #!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+
+APP=redis
+lf=/tmp/$APP-pidLockFile
+# create empty lock file if none exists
+cat /dev/null >> $lf
+read lastPID < $lf
+# if lastPID is not null and a process with that pid exists , exit
+[ ! -z "$lastPID" -a -d /proc/$lastPID ] && exit
+echo $$ > $lf

 UNPARSED=$(redis-cli llen logstash:unparsed | awk '{print $1}')
 PARSED=$(redis-cli llen logstash:parsed | awk '{print $1}')
@@ -1,4 +1,29 @@
 #!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+
+APP=stenoloss
+lf=/tmp/$APP-pidLockFile
+# create empty lock file if none exists
+cat /dev/null >> $lf
+read lastPID < $lf
+# if lastPID is not null and a process with that pid exists , exit
+[ ! -z "$lastPID" -a -d /proc/$lastPID ] && exit
+echo $$ > $lf

 # Get the data
 DROP=$(tac /var/log/stenographer/stenographer.log | grep -m1 drop | awk '{print $14}' | awk -F "=" '{print $2}')
@@ -1,4 +1,29 @@
 #!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+
+APP=suriloss
+lf=/tmp/$APP-pidLockFile
+# create empty lock file if none exists
+cat /dev/null >> $lf
+read lastPID < $lf
+# if lastPID is not null and a process with that pid exists , exit
+[ ! -z "$lastPID" -a -d /proc/$lastPID ] && exit
+echo $$ > $lf

 SURILOG=$(tac /var/log/suricata/stats.log | grep kernel | head -4)
 CHECKIT=$(echo $SURILOG | grep -o 'drop' | wc -l)
@@ -1,6 +1,32 @@
 #!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+
 # This script returns the average of all the workers average capture loss to telegraf / influxdb in influx format include nanosecond precision timestamp

+APP=zeekcaploss
+lf=/tmp/$APP-pidLockFile
+# create empty lock file if none exists
+cat /dev/null >> $lf
+read lastPID < $lf
+# if lastPID is not null and a process with that pid exists , exit
+[ ! -z "$lastPID" -a -d /proc/$lastPID ] && exit
+echo $$ > $lf
+
 if [ -d "/host/nsm/zeek/spool/logger" ]; then
  WORKERS={{ salt['pillar.get']('sensor:zeek_lbprocs', salt['pillar.get']('sensor:zeek_pins') | length) }}
  ZEEKLOG=/host/nsm/zeek/spool/logger/capture_loss.log
@@ -23,4 +49,4 @@ if [ -f "$ZEEKLOG" ]; then
    fi
  fi
  echo "$CURRENTTS" > $LASTCAPTURELOSSLOG
-fi
+fi
@@ -1,5 +1,31 @@
 #!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
 # This script returns the packets dropped by Zeek, but it isn't a percentage. $LOSS * 100 would be the percentage
+
+APP=zeekloss
+lf=/tmp/$APP-pidLockFile
+# create empty lock file if none exists
+cat /dev/null >> $lf
+read lastPID < $lf
+# if lastPID is not null and a process with that pid exists , exit
+[ ! -z "$lastPID" -a -d /proc/$lastPID ] && exit
+echo $$ > $lf
+
 ZEEKLOG=$(tac /host/nsm/zeek/logs/packetloss.log | head -2)
 declare RESULT=($ZEEKLOG)
 CURRENTDROP=${RESULT[3]}
@@ -14,4 +40,4 @@ else
  TOTAL=$((CURRENTPACKETS - PASTPACKETS))
  LOSS=$(echo $DROPPED $TOTAL / p | dc)
  echo "zeekdrop drop=$LOSS"
-fi
+fi
@@ -102,6 +102,11 @@ so-thehive-es:
      - 0.0.0.0:9400:9400
      - 0.0.0.0:9500:9500

+append_so-thehive-es_so-status.conf:
+  file.append:
+    - name: /opt/so/conf/so-status/so-status.conf
+    - text: so-thehive-es
+
 # Install Cortex
 so-cortex:
  docker_container.running:
@@ -116,6 +121,11 @@ so-cortex:
    - port_bindings:
      - 0.0.0.0:9001:9001

+append_so-cortex_so-status.conf:
+  file.append:
+    - name: /opt/so/conf/so-status/so-status.conf
+    - text: so-cortex
+
 cortexscript:
  cmd.script:
    - source: salt://thehive/scripts/cortex_init
@@ -136,6 +146,11 @@ so-thehive:
    - port_bindings:
      - 0.0.0.0:9000:9000

+append_so-thehive_so-status.conf:
+  file.append:
+    - name: /opt/so/conf/so-status/so-status.conf
+    - text: so-thehive
+
 thehivescript:
  cmd.script:
    - source: salt://thehive/scripts/hive_init
@@ -6,6 +6,13 @@
 {% set DOMAINSTATS = salt['pillar.get']('manager:domainstats', '0') %}
 {% set FLEETMANAGER = salt['pillar.get']('global:fleet_manager', False) %}
 {% set FLEETNODE = salt['pillar.get']('global:fleet_node', False) %}
+{% set ELASTALERT = salt['pillar.get']('elastalert:enabled', True) %}
+{% set ELASTICSEARCH = salt['pillar.get']('elasticsearch:enabled', True) %}
+{% set FILEBEAT = salt['pillar.get']('filebeat:enabled', True) %}
+{% set KIBANA = salt['pillar.get']('kibana:enabled', True) %}
+{% set LOGSTASH = salt['pillar.get']('logstash:enabled', True) %}
+{% set CURATOR = salt['pillar.get']('curator:enabled', True) %}
+{% set REDIS = salt['pillar.get']('redis:enabled', True) %}
 {% set STRELKA = salt['pillar.get']('strelka:enabled', '0') %}
 {% set ISAIRGAP = salt['pillar.get']('global:airgap', 'False') %}
 {% import_yaml 'salt/minion.defaults.yaml' as saltversion %}
@@ -42,7 +49,6 @@ base:
    - salt.master
    - ca
    - ssl
-    - common
    - registry
    - telegraf
    - firewall
@@ -52,15 +58,18 @@ base:
    - suricata
    - zeek
    - redis
+    {%- if LOGSTASH %}
    - logstash
+    {%- endif %}
+    {%- if FILEBEAT %}
    - filebeat
+    {%- endif %}
    - schedule

  '*_sensor and G@saltversion:{{saltversion}}':
    - match: compound
    - ca
    - ssl
-    - common
    - telegraf
    - firewall
    - nginx
@@ -86,7 +95,6 @@ base:
    - salt.master
    - ca
    - ssl
-    - common
    - registry
    - manager
    - nginx
@@ -98,14 +106,18 @@ base:
    - idstools
    - suricata.manager
    - healthcheck
-    {%- if FLEETMANAGER or FLEETNODE or PLAYBOOK != 0 %}
+    {%- if (FLEETMANAGER or FLEETNODE) or PLAYBOOK != 0 %}
    - mysql
    {%- endif %}
    {%- if WAZUH != 0 %}
    - wazuh
    {%- endif %}
+    {%- if ELASTICSEARCH %}
    - elasticsearch
+    {%- endif %}
+    {%- if KIBANA %}
    - kibana
+    {%- endif %}
    - pcap
    - suricata
    {%- if ZEEKVER != 'SURICATA' %}
@@ -114,9 +126,15 @@ base:
    {%- if STRELKA %}
    - strelka
    {%- endif %}
+    {%- if FILEBEAT %}
    - filebeat
+    {%- endif %}
+    {%- if CURATOR %}
    - curator
+    {%- endif %}
+    {%- if ELASTALERT %}
    - elastalert
+    {%- endif %}
    {%- if FLEETMANAGER or FLEETNODE %}
    - fleet
    - redis
@@ -145,7 +163,6 @@ base:
    - salt.master
    - ca
    - ssl
-    - common
    - registry
    - nginx
    - telegraf
@@ -156,18 +173,30 @@ base:
    - manager
    - idstools
    - suricata.manager
-    {%- if FLEETMANAGER or FLEETNODE or PLAYBOOK != 0 %}
+    {%- if (FLEETMANAGER or FLEETNODE) or PLAYBOOK != 0 %}
    - mysql
    {%- endif %}
    {%- if WAZUH != 0 %}
    - wazuh
    {%- endif %}
+    {%- if ELASTICSEARCH %}
    - elasticsearch
+    {%- endif %}
+    {%- if LOGSTASH %}
    - logstash
+    {%- endif %}
+    {%- if REDIS %}
    - redis
+    {%- endif %}
+    {%- if KIBANA %}
    - kibana
+    {%- endif %}
+    {%- if ELASTALERT %}
    - elastalert
+    {%- endif %}
+    {%- if FILEBEAT %}
    - filebeat
+    {%- endif %}
    - utility
    - schedule
    {%- if FLEETMANAGER or FLEETNODE %}
@@ -194,7 +223,6 @@ base:
    - salt.master
    - ca
    - ssl
-    - common
    - registry
    - manager
    - nginx
@@ -206,16 +234,24 @@ base:
    - idstools
    - suricata.manager    
    - healthcheck
-    {%- if FLEETMANAGER or FLEETNODE or PLAYBOOK != 0 %}
+    {%- if (FLEETMANAGER or FLEETNODE) or PLAYBOOK != 0 %}
    - mysql
    {%- endif %}
    {%- if WAZUH != 0 %}
    - wazuh
    {%- endif %}
+    {%- if ELASTICSEARCH %}
    - elasticsearch
+    {%- endif %} 
+    {%- if LOGSTASH %}
    - logstash
+    {%- endif %}
+    {%- if REDIS %}
    - redis
+    {%- endif %}
+    {%- if KIBANA %}
    - kibana
+    {%- endif %}
    - pcap
    - suricata
    {%- if ZEEKVER != 'SURICATA' %}
@@ -224,9 +260,15 @@ base:
    {%- if STRELKA %}
    - strelka
    {%- endif %}
+    {%- if FILEBEAT %}
    - filebeat
+    {%- endif %}
+    {%- if CURATOR %}
    - curator
+    {%- endif %}
+    {%- if ELASTALERT %}
    - elastalert
+    {%- endif %}
    {%- if FLEETMANAGER or FLEETNODE %}
    - fleet
    - fleet.install_package
@@ -252,9 +294,10 @@ base:

  '*_node and I@node:node_type:parser and G@saltversion:{{saltversion}}':
    - match: compound
-    - common
    - firewall
+    {%- if LOGSTASH %}
    - logstash
+    {%- endif %}
    {%- if FLEETMANAGER or FLEETNODE %}
    - fleet.install_package
    {%- endif %}
@@ -263,10 +306,13 @@ base:

  '*_node and I@node:node_type:hot and G@saltversion:{{saltversion}}':
    - match: compound
-    - common
    - firewall
+    {%- if LOGSTASH %}
    - logstash
+    {%- endif %}
+    {%- if CURATOR %}
    - curator
+    {%- endif %}
    {%- if FLEETMANAGER or FLEETNODE %}
    - fleet.install_package
    {%- endif %}
@@ -275,9 +321,10 @@ base:

  '*_node and I@node:node_type:warm and G@saltversion:{{saltversion}}':
    - match: compound
-    - common
    - firewall
+    {%- if ELASTICSEARCH %}
    - elasticsearch
+    {%- endif %}
    {%- if FLEETMANAGER or FLEETNODE %}
    - fleet.install_package
    {%- endif %}
@@ -288,17 +335,24 @@ base:
    - match: compound
    - ca
    - ssl
-    - common
    - nginx
    - telegraf
    - firewall
    {%- if WAZUH != 0 %}
    - wazuh
    {%- endif %}
+    {%- if ELASTICSEARCH %}
    - elasticsearch
+    {%- endif %}
+    {%- if LOGSTASH %}
    - logstash
+    {%- endif %}
+    {%- if CURATOR %}
    - curator
+    {%- endif %}
+    {%- if FILEBEAT %}
    - filebeat
+    {%- endif %}
    {%- if FLEETMANAGER or FLEETNODE %}
    - fleet.install_package
    {%- endif %}
@@ -307,7 +361,6 @@ base:

  '*_managersensor and G@saltversion:{{saltversion}}':
    - match: compound
-    - common
    - nginx
    - telegraf
    - influxdb
@@ -326,7 +379,6 @@ base:
    - salt.master
    - ca
    - ssl
-    - common
    - registry
    - nginx
    - telegraf
@@ -337,19 +389,34 @@ base:
    - manager
    - idstools
    - suricata.manager
-    {%- if FLEETMANAGER or FLEETNODE or PLAYBOOK != 0 %}
+    {%- if (FLEETMANAGER or FLEETNODE) or PLAYBOOK != 0 %}
    - mysql
    {%- endif %}
    {%- if WAZUH != 0 %}
    - wazuh
    {%- endif %}
+    {%- if ELASTICSEARCH %}
    - elasticsearch
+    {%- endif %}
+    {%- if LOGSTASH %}
    - logstash
+    {%- endif %}
+    {%- if REDIS %}
    - redis
+    {%- endif %}
+    {%- if CURATOR %}
    - curator
+    {%- endif %}
+    {%- if KIBANA %}
    - kibana
+    {%- endif %}
+    {%- if ELASTALERT %}
    - elastalert
+    {%- endif %}
+    {%- if FILEBEAT %}
    - filebeat
+    {%- endif %}
+    
    - utility
    - schedule
    {%- if FLEETMANAGER or FLEETNODE %}
@@ -375,18 +442,27 @@ base:
    - match: compound
    - ca
    - ssl
-    - common
    - nginx
    - telegraf
    - firewall
    {%- if WAZUH != 0 %}
    - wazuh
    {%- endif %}
+    {%- if ELASTICSEARCH %}
    - elasticsearch
+    {%- endif %}
+    {%- if LOGSTASH %}
    - logstash
+    {%- endif %}
+    {%- if REDIS %}
    - redis
+    {%- endif %}
+    {%- if CURATOR %}
    - curator
+    {%- endif %}
+    {%- if FILEBEAT %}
    - filebeat
+    {%- endif %}
    {%- if STRELKA %}
    - strelka
    {%- endif %}
@@ -398,7 +474,9 @@ base:
    {%- if ZEEKVER != 'SURICATA' %}
    - zeek
    {%- endif %}
+    {%- if FILEBEAT %}
    - filebeat
+    {%- endif %}
    - schedule
    - docker_clean
  
@@ -406,7 +484,6 @@ base:
    - match: compound
    - ca
    - ssl
-    - common
    - nginx
    - telegraf
    - firewall
@@ -422,7 +499,6 @@ base:
    - salt.master
    - ca
    - ssl
-    - common
    - registry
    - manager
    - nginx
@@ -431,9 +507,15 @@ base:
    - idstools
    - suricata.manager
    - pcap
+    {%- if ELASTICSEARCH %}
    - elasticsearch
+    {%- endif %}
+    {%- if KIBANA %}
    - kibana
+    {%- endif %}
+    {%- if FILEBEAT %}
    - filebeat
+    {%- endif %}
    - utility
    - suricata
    - zeek
@@ -110,6 +110,11 @@ so-wazuh:
    - binds:
      - /nsm/wazuh:/var/ossec/data:rw

+append_so-wazuh_so-status.conf:
+  file.append:
+    - name: /opt/so/conf/so-status/so-status.conf
+    - text: so-wazuh
+
 # Register the agent
 registertheagent:
  cmd.run:
@@ -196,6 +196,11 @@ so-zeek:
      - file: /opt/so/conf/zeek/policy
      - file: /opt/so/conf/zeek/bpf

+append_so-zeek_so-status.conf:
+  file.append:
+    - name: /opt/so/conf/so-status/so-status.conf
+    - text: so-zeek
+
 {% else %}

 zeek_state_not_allowed:
@@ -18,12 +18,22 @@ filter_unused_nics() {
 	fi

 	# Finally, set filtered_nics to any NICs we aren't using (and ignore interfaces that aren't of use)
-	filtered_nics=$(ip link| awk -F: '$0 !~ "lo|vir|veth|br|docker|wl|^[^0-9]"{print $2}' | grep -vwe "$grep_string"  | sed 's/ //g')
+	filtered_nics=$(ip link | awk -F: '$0 !~ "lo|vir|veth|br|docker|wl|^[^0-9]"{print $2}' | grep -vwe "$grep_string"  | sed 's/ //g')
 	readarray -t filtered_nics <<< "$filtered_nics"
 	
 	nic_list=()
 	for nic in "${filtered_nics[@]}"; do
-		nic_list+=("$nic" "" "OFF")
+		case $(cat "/sys/class/net/${nic}/carrier") in
+			1)
+				nic_list+=("$nic" "Link UP " "OFF")
+				;;
+			0)
+				nic_list+=("$nic" "Link DOWN " "OFF")
+				;;
+			*)
+				nic_list+=("$nic" "Link UNKNOWN " "OFF")
+				;;
+		esac
 	done

 	export nic_list
@@ -1729,6 +1729,7 @@ salt_checkin() {
 	{
 		salt-call state.apply ca;
 		salt-call state.apply ssl;
+		salt-call saltutil.sync_modules;
 	} >> "$setup_log" 2>&1
 }

@@ -590,6 +590,10 @@ fi
 		set_progress_str 25 'Configuring firewall'
 		set_initial_firewall_policy >> $setup_log 2>&1
 		
+		# create these so the registry state can add so-registry to /opt/so/conf/so-status/so-status.conf
+		mkdir -p /opt/so/conf/so-status/
+		touch /opt/so/conf/so-status/so-status.conf
+
 		if [[ "$setup_type" == 'iso' ]]; then
 			set_progress_str 26 'Copying containers from iso'
 		else
@@ -684,12 +688,9 @@ fi
 	fi
 	
 	if [[ "$OSQUERY" = 1 ]]; then
-		if [[ "$PLAYBOOK" != 1 ]]; then
-		set_progress_str 74 "$(print_salt_state_apply 'mysql')"
-		salt-call state.apply -l info mysql >> $setup_log 2>&1
-		fi

 		set_progress_str 75 "$(print_salt_state_apply 'fleet')"
+		salt-call state.apply fleet.event_enable-fleet # enable fleet in the global pillar
 		salt-call state.apply -l info fleet >> $setup_log 2>&1

 		set_progress_str 76 "$(print_salt_state_apply 'redis')"
@@ -701,24 +702,24 @@ fi
 			salt-call state.apply -l info fleet.event_update-custom-hostname pillar="$pillar_override" >> $setup_log 2>&1
 		fi
 	
-		set_progress_str 74 "$(print_salt_state_apply 'so-fleet-setup')"	
+		set_progress_str 78 "$(print_salt_state_apply 'so-fleet-setup')"	
 		so-fleet-setup "$FLEETNODEUSER" "$FLEETNODEPASSWD1" >> $setup_log 2>&1

 	fi

 	if [[ "$WAZUH" = 1 ]]; then
-		set_progress_str 78 "$(print_salt_state_apply 'wazuh')"
+		set_progress_str 79 "$(print_salt_state_apply 'wazuh')"
 		salt-call state.apply -l info wazuh >> $setup_log 2>&1
 	fi

 	if [[ "$THEHIVE" = 1 ]]; then
-		set_progress_str 79 "$(print_salt_state_apply 'thehive')"
+		set_progress_str 80 "$(print_salt_state_apply 'thehive')"
 		salt-call state.apply -l info thehive >> $setup_log 2>&1
 	fi

 	if [[ "$STRELKA" = 1 ]]; then
 		if [[ $is_sensor ]]; then
-			set_progress_str 80 "$(print_salt_state_apply 'strelka')"
+			set_progress_str 81 "$(print_salt_state_apply 'strelka')"
 			salt-call state.apply -l info strelka >> $setup_log 2>&1
 		fi
 		if [[ $STRELKARULES == 1 ]]; then
@@ -727,15 +728,15 @@ fi
 	fi

 	if [[ $is_manager || $is_helix || $is_import ]]; then		
-		set_progress_str 81 "$(print_salt_state_apply 'utility')"
+		set_progress_str 82 "$(print_salt_state_apply 'utility')"
 		salt-call state.apply -l info utility >> $setup_log 2>&1
 	fi

 	if [[ ( $is_helix || $is_manager || $is_node ) && ! $is_eval ]]; then
-		set_progress_str 82 "$(print_salt_state_apply 'logstash')"
+		set_progress_str 83 "$(print_salt_state_apply 'logstash')"
 		salt-call state.apply -l info logstash >> $setup_log 2>&1

-		set_progress_str 83 "$(print_salt_state_apply 'filebeat')"
+		set_progress_str 84 "$(print_salt_state_apply 'filebeat')"
 		salt-call state.apply -l info filebeat >> $setup_log 2>&1
 	fi