Merge branch 'dev' of https://github.com/Security-Onion-Solutions/securityonion into gpg

salt/_modules/so.py

@@ -1,4 +1,51 @@
 #!py
 
+import logging
+
 def status():
-  return __salt__['cmd.run']('/usr/sbin/so-status')
+    return __salt__['cmd.run']('/usr/sbin/so-status')
+
+
+def mysql_conn(retry):
+    log = logging.getLogger(__name__)
+
+    from time import sleep
+
+    try:
+        from MySQLdb import _mysql
+    except ImportError as e:
+        log.error(e)
+        return False
+
+    mainint = __salt__['pillar.get']('sensor:mainint', __salt__['pillar.get']('manager:mainint'))
+    mainip = __salt__['grains.get']('ip_interfaces').get(mainint)[0]
+
+    mysql_up = False
+    for i in range(0, retry):
+        log.debug(f'Connection attempt {i+1}')
+        try:
+            db = _mysql.connect(
+                host=mainip,
+                user='root',
+                passwd=__salt__['pillar.get']('secrets:mysql')
+            )
+            log.debug(f'Connected to MySQL server on {mainip} after {i} attempts.')
+            
+            db.query("""SELECT 1;""")
+            log.debug(f'Successfully completed query against MySQL server on {mainip}')
+            
+            db.close()
+            mysql_up = True
+            break
+        except _mysql.OperationalError as e:
+            log.debug(e)
+        except Exception as e:
+            log.error('Unexpected error occured.')
+            log.error(e)
+            break
+        sleep(1)
+
+    if not mysql_up:
+        log.error(f'Could not connect to MySQL server on {mainip} after {retry} attempts.')
+
+    return mysql_up

salt/common/init.sls

@@ -32,6 +32,18 @@ soconfperms:
     - gid: 939
     - dir_mode: 770
 
+sostatusconf:
+  file.directory:
+    - name: /opt/so/conf/so-status
+    - uid: 939
+    - gid: 939
+    - dir_mode: 770
+
+so-status.conf:
+  file.touch:
+    - name: /opt/so/conf/so-status/so-status.conf
+    - unless: ls /opt/so/conf/so-status/so-status.conf
+
 sosaltstackperms:
   file.directory:
     - name: /opt/so/saltstack

salt/common/maps/domainstats.map.jinja

@@ -1,5 +0,0 @@
-{% set docker = {
-  'containers': [
-    'so-domainstats'
-  ]
-} %}

salt/common/maps/eval.map.jinja

@@ -1,20 +0,0 @@
-{% set docker = {
-  'containers': [
-    'so-filebeat',
-    'so-nginx',
-    'so-telegraf',
-    'so-dockerregistry',
-    'so-soc',
-    'so-kratos',
-    'so-idstools',
-    'so-elasticsearch',
-    'so-kibana',
-    'so-steno',
-    'so-suricata',
-    'so-zeek',
-    'so-curator',
-    'so-elastalert',
-    'so-soctopus',
-    'so-sensoroni'
-  ]
-} %}

salt/common/maps/fleet.map.jinja

@@ -1,10 +0,0 @@
-{% set docker = {
-  'containers': [
-    'so-mysql',
-    'so-fleet',
-    'so-redis',
-    'so-filebeat',
-    'so-nginx',
-    'so-telegraf'
-  ]
-} %}

salt/common/maps/fleet_manager.map.jinja

@@ -1,7 +0,0 @@
-{% set docker = {
-  'containers': [
-    'so-mysql',
-    'so-fleet',
-    'so-redis'
-  ]
-} %}

salt/common/maps/freq.map.jinja

@@ -1,5 +0,0 @@
-{% set docker = {
-  'containers': [
-    'so-freqserver'
-  ]
-} %}

salt/common/maps/grafana.map.jinja

@@ -1,6 +0,0 @@
-{% set docker = {
-  'containers': [
-    'so-influxdb',
-    'so-grafana'
-  ]
-} %}

salt/common/maps/heavynode.map.jinja

@@ -1,15 +0,0 @@
-{% set docker = {
-  'containers': [
-    'so-nginx',
-    'so-telegraf',
-    'so-redis',
-    'so-logstash',
-    'so-elasticsearch',
-    'so-curator',
-    'so-steno',
-    'so-suricata',
-    'so-wazuh',
-    'so-filebeat',
-    'so-sensoroni'
-  ]
-} %}

salt/common/maps/helixsensor.map.jinja

@@ -1,12 +0,0 @@
-{% set docker = {
-  'containers': [
-    'so-nginx',
-    'so-telegraf',
-    'so-idstools',
-    'so-steno',
-    'so-zeek',
-    'so-redis',
-    'so-logstash',
-    'so-filebeat
-  ]
-} %}

salt/common/maps/hotnode.map.jinja

@@ -1,9 +0,0 @@
-{% set docker = {
-  'containers': [
-    'so-nginx',
-    'so-telegraf',
-     'so-logstash',
-    'so-elasticsearch',
-    'so-curator',
-   ]
-} %}

salt/common/maps/import.map.jinja

@@ -1,10 +0,0 @@
-{% set docker = {
-  'containers': [
-    'so-filebeat',
-    'so-nginx',
-    'so-soc',
-    'so-kratos',
-    'so-elasticsearch',
-    'so-kibana'
-  ]
-} %}

salt/common/maps/manager.map.jinja

@@ -1,21 +0,0 @@
-{% set docker = {
-  'containers': [
-    'so-dockerregistry',
-    'so-nginx',
-    'so-telegraf',
-    'so-soc',
-    'so-kratos',
-    'so-idstools',
-    'so-redis',
-    'so-elasticsearch',
-    'so-logstash',
-    'so-kibana',
-    'so-elastalert',
-    'so-filebeat',
-    'so-soctopus'
-  ]
-} %}
-
-{% if salt['pillar.get']('global:managerupdate') == 1 %}
-   {% do docker.containers.append('so-aptcacherng') %}
-{% endif %}

salt/common/maps/managersearch.map.jinja

@@ -1,21 +0,0 @@
-{% set docker = {
-  'containers': [
-    'so-nginx',
-    'so-telegraf',
-    'so-soc',
-    'so-kratos',
-    'so-idstools',
-    'so-redis',
-    'so-logstash',
-    'so-elasticsearch',
-    'so-curator',
-    'so-kibana',
-    'so-elastalert',
-    'so-filebeat',
-    'so-soctopus'
-  ]
-} %}
-
-{% if salt['pillar.get']('global:managerupdate') == 1 %}
-   {% do docker.containers.append('so-aptcacherng') %}
-{% endif %}

salt/common/maps/mdengine.map.jinja

@@ -1,5 +0,0 @@
-{% set docker = {
-  'containers': [
-    'so-zeek'
-  ]
-} %}

salt/common/maps/playbook.map.jinja

@@ -1,5 +0,0 @@
-{% set docker = {
-  'containers': [
-    'so-playbook'
-  ]
-} %}

salt/common/maps/searchnode.map.jinja

@@ -1,10 +0,0 @@
-{% set docker = {
-  'containers': [
-    'so-nginx',
-    'so-telegraf',
-    'so-logstash',
-    'so-elasticsearch',
-    'so-curator',
-    'so-filebeat'
-  ]
-} %}

salt/common/maps/sensor.map.jinja

@@ -1,9 +0,0 @@
-{% set docker = {
-  'containers': [
-    'so-telegraf',
-    'so-steno',
-    'so-suricata',
-    'so-filebeat',
-    'so-sensoroni'
-  ]
-} %}

salt/common/maps/so-status.map.jinja

@@ -1,48 +0,0 @@
-{% set role = grains.id.split('_') | last %}
-{% from 'common/maps/'~ role ~'.map.jinja' import docker with context %}
-
-# Check if the service is enabled and append it's required containers
-# to the list predefined by the role / minion id affix
-{% macro append_containers(pillar_name, k, compare )%}
-  {% if salt['pillar.get'](pillar_name~':'~k, {}) != compare %}
-    {% if k == 'enabled' %}
-      {% set k = pillar_name %}
-    {% endif %}
-    {% from 'common/maps/'~k~'.map.jinja' import docker as d with context %}
-    {% for li in d['containers'] %}
-      {{ docker['containers'].append(li) }}
-    {% endfor %}
-  {% endif %}
-{% endmacro %}
-
-{% set docker = salt['grains.filter_by']({
-  '*_'~role: {
-    'containers': docker['containers']
-  } 
-},grain='id', merge=salt['pillar.get']('docker')) %}
-
-{% if role in ['eval', 'managersearch', 'manager', 'standalone'] %}
-  {{ append_containers('manager', 'grafana', 0) }}
-  {{ append_containers('global', 'fleet_manager', 0) }}
-  {{ append_containers('global', 'wazuh', 0) }}
-  {{ append_containers('manager', 'thehive', 0) }}
-  {{ append_containers('manager', 'playbook', 0) }}
-  {{ append_containers('manager', 'freq', 0) }}
-  {{ append_containers('manager', 'domainstats', 0) }}
-{% endif %}
-
-{% if role in ['eval', 'heavynode', 'sensor', 'standalone'] %}
-  {{ append_containers('strelka', 'enabled', 0) }}
-{% endif %}
-
-{% if role in ['heavynode', 'standalone'] %}
-  {{ append_containers('global', 'mdengine', 'SURICATA') }}
-{% endif %}
-
-{% if role == 'searchnode' %}
-  {{ append_containers('manager', 'wazuh', 0) }}
-{% endif %}
-
-{% if role == 'sensor' %}
-  {{ append_containers('global', 'mdengine', 'SURICATA') }}
-{% endif %}

salt/common/maps/standalone.map.jinja

@@ -1,25 +0,0 @@
-{% set docker = {
-  'containers': [
-    'so-nginx',
-    'so-telegraf',
-    'so-soc',
-    'so-kratos',
-    'so-idstools',
-    'so-redis',
-    'so-logstash',
-    'so-elasticsearch',
-    'so-curator',
-    'so-kibana',
-    'so-elastalert',
-    'so-filebeat',
-    'so-suricata',
-    'so-steno',
-    'so-dockerregistry',
-    'so-soctopus',
-    'so-sensoroni'
-  ]
-} %}
-
-{% if salt['pillar.get']('global:managerupdate') == 1 %}
-   {% do docker.containers.append('so-aptcacherng') %}
-{% endif %}

salt/common/maps/strelka.map.jinja

@@ -1,9 +0,0 @@
-{% set docker = {
-  'containers': [
-    'so-strelka-coordinator',
-    'so-strelka-gatekeeper',
-    'so-strelka-manager',
-    'so-strelka-frontend',
-    'so-strelka-filestream'
-  ]
-} %}

salt/common/maps/thehive.map.jinja

@@ -1,7 +0,0 @@
-{% set docker = {
-  'containers': [
-    'so-thehive',
-    'so-thehive-es',
-    'so-cortex'
-  ]
-} %}

salt/common/maps/warmnode.map.jinja

@@ -1,7 +0,0 @@
-{% set docker = {
-  'containers': [
-    'so-nginx',
-    'so-telegraf',
-    'so-elasticsearch'
-  ]
-} %}

salt/common/maps/wazuh.map.jinja

@@ -1,5 +0,0 @@
-{% set docker = {
-  'containers': [
-    'so-wazuh'
-  ]
-} %}

salt/common/tools/sbin/so-status

@@ -14,8 +14,6 @@
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
-{%- from 'common/maps/so-status.map.jinja' import docker with context %}
-{%- set container_list = docker['containers'] | sort | unique %}
 
 if ! [ "$(id -u)" = 0 ]; then
    echo "This command must be run as root"
@@ -39,9 +37,8 @@ declare -a BAD_STATUSES=("removing" "paused" "exited" "dead")
 declare -a PENDING_STATUSES=("paused" "created" "restarting")
 declare -a GOOD_STATUSES=("running")
 declare -a DISABLED_CONTAINERS=()
-{%- if salt['pillar.get']('steno:enabled', 'True') is sameas false %}
-DISABLED_CONTAINERS+=("so-steno")
-{%- endif %}
+mapfile -t DISABLED_CONTAINERS < <(sort -u /opt/so/conf/so-status/so-status.conf | grep "^\s*#" | tr -d "#")
+
 
 declare -a temp_container_name_list=()
 declare -a temp_container_state_list=()
@@ -83,9 +80,9 @@ compare_lists() {
 # {% endraw %}
 
 create_expected_container_list() {
-    {% for item in container_list -%}
-        expected_container_list+=("{{ item }}")
-    {% endfor -%}
+
+    mapfile -t expected_container_list < <(sort -u /opt/so/conf/so-status/so-status.conf | tr -d "#")    
+
 }
 
 populate_container_lists() {
@@ -175,7 +172,7 @@ print_line() {
 
     printf "    $service_name "
     for i in $(seq 0 $(( $columns - $PADDING_CONSTANT - ${#service_name} - ${#service_state} ))); do
-        printf "-"
+        printf "${state_color}%b\e[0m" "-"
     done
     printf " [ "
     printf "${state_color}%b\e[0m" "$service_state"

salt/curator/files/bin/so-curator-close

@@ -1,2 +1,27 @@
 #!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+APP=close
+lf=/tmp/$APP-pidLockFile
+# create empty lock file if none exists
+cat /dev/null >> $lf
+read lastPID < $lf
+# if lastPID is not null and a process with that pid exists , exit
+[ ! -z "$lastPID" -a -d /proc/$lastPID ] && exit
+echo $$ > $lf
+
 /usr/sbin/so-curator-closed-delete > /dev/null 2>&1; docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-zeek-close.yml > /dev/null 2>&1; docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-beats-close.yml > /dev/null 2>&1; docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-firewall-close.yml > /dev/null 2>&1; docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-ids-close.yml > /dev/null 2>&1; docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-import-close.yml > /dev/null 2>&1; docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-osquery-close.yml > /dev/null 2>&1; docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-ossec-close.yml > /dev/null 2>&1; docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-strelka-close.yml > /dev/null 2>&1; docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-syslog-close.yml > /dev/null 2>&1

salt/curator/files/bin/so-curator-closed-delete

@@ -1,6 +1,6 @@
 #!/bin/bash
 #
-# Copyright 2014,2015,2016,2017,2018 Security Onion Solutions, LLC
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -34,6 +34,13 @@
 #fi
 
 # Avoid starting multiple instances
-if ! pgrep -f "so-curator-closed-delete-delete" >/dev/null; then
-	/usr/sbin/so-curator-closed-delete-delete
-fi
+APP=closeddelete
+lf=/tmp/$APP-pidLockFile
+# create empty lock file if none exists
+cat /dev/null >> $lf
+read lastPID < $lf
+# if lastPID is not null and a process with that pid exists , exit
+[ ! -z "$lastPID" -a -d /proc/$lastPID ] && exit
+echo $$ > $lf
+
+/usr/sbin/so-curator-closed-delete-delete

salt/curator/files/bin/so-curator-closed-delete-delete

@@ -1,5 +1,28 @@
-
 #!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+APP=closedeletedelete
+lf=/tmp/$APP-pidLockFile
+# create empty lock file if none exists
+cat /dev/null >> $lf
+read lastPID < $lf
+# if lastPID is not null and a process with that pid exists , exit
+[ ! -z "$lastPID" -a -d /proc/$lastPID ] && exit
+echo $$ > $lf
 
 {%- if grains['role'] in ['so-node', 'so-heavynode'] %}
   {%- set ELASTICSEARCH_HOST = salt['pillar.get']('elasticsearch:mainip', '') -%}  

salt/curator/files/bin/so-curator-delete

@@ -1,2 +1,27 @@
 #!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+APP=delete
+lf=/tmp/$APP-pidLockFile
+# create empty lock file if none exists
+cat /dev/null >> $lf
+read lastPID < $lf
+# if lastPID is not null and a process with that pid exists , exit
+[ ! -z "$lastPID" -a -d /proc/$lastPID ] && exit
+echo $$ > $lf
+
 docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/delete.yml > /dev/null 2>&1

salt/curator/init.sls

@@ -127,6 +127,12 @@ so-curator:
       - /opt/so/conf/curator/curator.yml:/etc/curator/config/curator.yml:ro
       - /opt/so/conf/curator/action/:/etc/curator/action:ro
       - /opt/so/log/curator:/var/log/curator:rw
+
+append_so-curator_so-status.conf:
+  file.append:
+    - name: /opt/so/conf/so-status/so-status.conf
+    - text: so-curator
+
 # Begin Curator Cron Jobs
 
 # Close

salt/domainstats/init.sls

@@ -56,6 +56,11 @@ so-domainstats:
     - binds:
       - /opt/so/log/domainstats:/var/log/domain_stats
 
+append_so-domainstats_so-status.conf:
+  file.append:
+    - name: /opt/so/conf/so-status/so-status.conf
+    - text: so-domainstats
+
 {% else %}
 
 domainstats_state_not_allowed:

salt/elastalert/init.sls

@@ -121,6 +121,12 @@ so-elastalert:
       - {{MANAGER_URL}}:{{MANAGER_IP}}
     - require:
       - module: wait_for_elasticsearch
+
+append_so-elastalert_so-status.conf:
+  file.append:
+    - name: /opt/so/conf/so-status/so-status.conf
+    - text: so-elastalert
+
 {% endif %}
 
 {% else %}

salt/elasticsearch/files/ingest/strelka.file

@@ -12,7 +12,7 @@
       {
         "if": "ctx.exiftool?.keys !=null",
           "field": "exiftool.keys",
-          "processor":{
+          "processor": {
             "append": {
               "field": "scan.exiftool",
               "value": "{{_ingest._value.key}}={{_ingest._value.value}}"
@@ -20,6 +20,18 @@
           }
       }
     },
+    { "foreach":
+      {
+        "if": "ctx.exiftool?.keys !=null",
+          "field": "exiftool.keys",
+          "processor": {
+            "set": {
+              "field": "exiftool.{{_ingest._value.key}}",
+              "value": "{{_ingest._value.value}}"
+            }
+          }
+      }
+    },
     { "foreach":
       {
         "if": "ctx.scan?.yara?.meta !=null",
@@ -32,6 +44,14 @@
           }
       }
     },
+    { "set":         { "if": "ctx.exiftool?.SourceFile != null", "field": "file.source",        "value": "{{exiftool.SourceFile}}", "ignore_failure": true }},
+    { "set":         { "if": "ctx.exiftool?.FilePermissions != null", "field": "file.permissions",        "value": "{{exiftool.FilePermissions}}", "ignore_failure": true }},
+    { "set":         { "if": "ctx.exiftool?.FileName != null", "field": "file.name",        "value": "{{exiftool.FileName}}", "ignore_failure": true }},
+    { "set":         { "if": "ctx.exiftool?.FileModifyDate != null", "field": "file.mtime",        "value": "{{exiftool.FileModifyDate}}", "ignore_failure": true }},
+    { "set":         { "if": "ctx.exiftool?.FileAccessDate != null", "field": "file.accessed",        "value": "{{exiftool.FileAccessDate}}", "ignore_failure": true }},
+    { "set":         { "if": "ctx.exiftool?.FileInodeChangeDate != null", "field": "file.ctime",        "value": "{{exiftool.FileInodeChangeDate}}", "ignore_failure": true }},
+    { "set":         { "if": "ctx.exiftool?.FileDirectory != null", "field": "file.directory",        "value": "{{exiftool.FileDirectory}}", "ignore_failure": true }},
+    { "set":         { "if": "ctx.exiftool?.Subsystem != null", "field": "host.subsystem",        "value": "{{exiftool.Subsystem}}", "ignore_failure": true }},
     { "set":         { "if": "ctx.scan?.yara?.matches != null", "field": "rule.name",        "value": "{{scan.yara.matches.0}}" }},
     { "set":         { "if": "ctx.scan?.yara?.matches != null", "field": "dataset",        "value": "alert", "override": true }},
     { "rename":         { "field": "file.flavors.mime", "target_field": "file.mime_type",        "ignore_missing": true }},

salt/elasticsearch/files/ingest/syslog

@@ -13,7 +13,7 @@
         }
     },
     { "grok":           { "field": "message",       "patterns": ["<%{INT:syslog.priority}>%{DATA:syslog.timestamp} %{WORD:source.application}: %{GREEDYDATA:real_message}"], "ignore_failure": false } },
-    { "set": { "if": "ctx.source.application == 'filterlog'", "field": "dataset", "value": "firewall" } },
+    { "set": { "if": "ctx.source?.application == 'filterlog'", "field": "dataset", "value": "firewall" } },
     { "pipeline": { "if": "ctx.dataset == 'firewall'", "name": "filterlog" } },
     { "pipeline":       { "name": "common"                                             } }
   ]

salt/elasticsearch/init.sls

@@ -215,13 +215,17 @@ so-elasticsearch:
       - /etc/pki/ca.crt:/usr/share/elasticsearch/config/ca.crt:ro
       - /etc/pki/elasticsearch.p12:/usr/share/elasticsearch/config/elasticsearch.p12:ro
       - /opt/so/conf/elasticsearch/sotls.yml:/usr/share/elasticsearch/config/sotls.yml:ro
-
     - watch:
       - file: cacertz
       - file: esyml
       - file: esingestconf
       - file: so-elasticsearch-pipelines-file
 
+append_so-elasticsearch_so-status.conf:
+  file.append:
+    - name: /opt/so/conf/so-status/so-status.conf
+    - text: so-elasticsearch
+
 so-elasticsearch-pipelines-file:
   file.managed:
     - name: /opt/so/conf/elasticsearch/so-elasticsearch-pipelines

salt/filebeat/init.sls

@@ -86,6 +86,11 @@ so-filebeat:
     - watch:
       - file: /opt/so/conf/filebeat/etc/filebeat.yml
 
+append_so-filebeat_so-status.conf:
+  file.append:
+    - name: /opt/so/conf/so-status/so-status.conf
+    - text: so-filebeat
+
 {% else %}
 
 filebeat_state_not_allowed:

salt/fleet/event_enable-fleet.sls

@@ -1,4 +1,10 @@
-{% set ENROLLSECRET = salt['cmd.run']('docker exec so-fleet fleetctl get enroll-secret default') %}
+{% set FLEETMANAGER = salt['pillar.get']('global:fleet_manager', False) %}
+{% set FLEETNODE = salt['pillar.get']('global:fleet_node', False) %}
+{% if FLEETNODE or FLEETMANAGER %}
+  {% set ENROLLSECRET = salt['cmd.run']('docker exec so-fleet fleetctl get enroll-secret default') %}
+{% else %}
+  {% set ENROLLSECRET = '' %}
+{% endif %}
 {% set MAININT = salt['pillar.get']('host:mainint') %}
 {% set MAINIP = salt['grains.get']('ip_interfaces').get(MAININT)[0] %}
 

salt/fleet/init.sls

@@ -134,4 +134,9 @@ so-fleet:
     - watch:
       - /opt/so/conf/fleet/etc
 
+append_so-fleet_so-status.conf:
+  file.append:
+    - name: /opt/so/conf/so-status/so-status.conf
+    - text: so-fleet
+
 {% endif %}

salt/freqserver/init.sls

@@ -56,6 +56,11 @@ so-freq:
     - binds:
       - /opt/so/log/freq_server:/var/log/freq_server:rw
 
+append_so-freq_so-status.conf:
+  file.append:
+    - name: /opt/so/conf/so-status/so-status.conf
+    - text: so-freq
+
 {% else %}
 
 freqserver_state_not_allowed:

salt/grafana/init.sls

@@ -236,6 +236,11 @@ so-grafana:
     - watch:
       - file: /opt/so/conf/grafana/*
 
+append_so-grafana_so-status.conf:
+  file.append:
+    - name: /opt/so/conf/so-status/so-status.conf
+    - text: so-grafana
+
 {% endif %}
 
 {% else %}

salt/idstools/init.sls

@@ -76,6 +76,11 @@ so-idstools:
     - watch:
       - file: idstoolsetcsync
 
+append_so-idstools_so-status.conf:
+  file.append:
+    - name: /opt/so/conf/so-status/so-status.conf
+    - text: so-idstools
+
 {% else %}
 
 idstools_state_not_allowed:

salt/influxdb/init.sls

@@ -54,6 +54,11 @@ so-influxdb:
     - watch:
       - file: influxdbconf
 
+append_so-influxdb_so-status.conf:
+  file.append:
+    - name: /opt/so/conf/so-status/so-status.conf
+    - text: so-influxdb
+
 {% endif %}
 
 {% else %}

salt/kibana/init.sls

@@ -90,6 +90,11 @@ so-kibana:
     - port_bindings:
       - 0.0.0.0:5601:5601
 
+append_so-kibana_so-status.conf:
+  file.append:
+    - name: /opt/so/conf/so-status/so-status.conf
+    - text: so-kibana
+
 kibanadashtemplate:
   file.managed:
     - name: /opt/so/conf/kibana/saved_objects.ndjson.template

salt/logstash/init.sls

@@ -202,6 +202,11 @@ so-logstash:
       - file: es_template_{{TEMPLATE.split('.')[0] | replace("/","_") }}
 {% endfor %}
 
+append_so-logstash_so-status.conf:
+  file.append:
+    - name: /opt/so/conf/so-status/so-status.conf
+    - text: so-logstash
+
 {% else %}
 
 logstash_state_not_allowed:

salt/manager/init.sls

@@ -81,6 +81,11 @@ so-aptcacherng:
       - /opt/so/log/aptcacher-ng:/var/log/apt-cacher-ng:rw
       - /opt/so/conf/aptcacher-ng/etc/acng.conf:/etc/apt-cacher-ng/acng.conf:ro
 
+append_so-aptcacherng_so-status.conf:
+  file.append:
+    - name: /opt/so/conf/so-status/so-status.conf
+    - text: so-aptcacherng
+
 {% endif %}
 
 strelka_yara_update:

salt/minio/init.sls

@@ -62,6 +62,11 @@ so-minio:
       - /etc/pki/minio.crt:/.minio/certs/public.crt:ro
     - entrypoint: "/usr/bin/docker-entrypoint.sh server --certs-dir /.minio/certs --address :9595 /data"
 
+append_so-minio_so-status.conf:
+  file.append:
+    - name: /opt/so/conf/so-status/so-status.conf
+    - text: so-minio
+
 {% else %}
 
 minio_state_not_allowed:

salt/mysql/init.sls

@@ -94,9 +94,20 @@ so-mysql:
       - /opt/so/conf/mysql/etc
   cmd.run:
     - name: until nc -z {{ MAINIP }} 3306; do sleep 1; done
-    - timeout: 900
+    - timeout: 600
     - onchanges:
       - docker_container: so-mysql
+  module.run:
+    - so.mysql_conn:
+      - retry: 300
+    - onchanges:
+      - cmd: so-mysql
+
+append_so-mysql_so-status.conf:
+  file.append:
+    - name: /opt/so/conf/so-status/so-status.conf
+    - text: so-mysql
+
 {% endif %}
 
 {% else %}

salt/nginx/init.sls

@@ -98,6 +98,11 @@ so-nginx:
       - file: nginxconf
       - file: nginxconfdir
 
+append_so-nginx_so-status.conf:
+  file.append:
+    - name: /opt/so/conf/so-status/so-status.conf
+    - text: so-nginx
+
 {% else %}
 
 nginx_state_not_allowed:

salt/nodered/init.sls

@@ -74,6 +74,11 @@ so-nodered:
     - port_bindings:
       - 0.0.0.0:1880:1880
 
+append_so-nodered_so-status.conf:
+  file.append:
+    - name: /opt/so/conf/so-status/so-status.conf
+    - text: so-nodered
+
 so-nodered-flows:
   cmd.run:
     - name: /usr/sbin/so-nodered-load-flows

salt/pcap/init.sls

@@ -152,6 +152,24 @@ so-steno:
     - watch:
       - file: /opt/so/conf/steno/config
 
+append_so-steno_so-status.conf:
+  file.append:
+    - name: /opt/so/conf/so-status/so-status.conf
+    - text: so-steno
+    - unless: grep so-steno /opt/so/conf/so-status/so-status.conf
+
+  {% if STENOOPTIONS.status == 'running' %}
+delete_so-steno_so-status.disabled:
+  file.uncomment:
+    - name: /opt/so/conf/so-status/so-status.conf
+    - regex: ^so-steno$
+  {% elif STENOOPTIONS.status == 'stopped' %}
+so-steno_so-status.disabled:
+  file.comment:
+    - name: /opt/so/conf/so-status/so-status.conf
+    - regex: ^so-steno$
+  {% endif %}
+
 so-sensoroni:
   docker_container.running:
     - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-soc:{{ VERSION }}
@@ -166,6 +184,11 @@ so-sensoroni:
     - watch:
       - file: /opt/so/conf/sensoroni/sensoroni.json
 
+append_so-sensoroni_so-status.conf:
+  file.append:
+    - name: /opt/so/conf/so-status/so-status.conf
+    - text: so-sensoroni
+
 {% else %}
 
 pcap_state_not_allowed:

salt/playbook/init.sls

@@ -93,6 +93,11 @@ so-playbook:
     - port_bindings:
       - 0.0.0.0:3200:3000
 
+append_so-playbook_so-status.conf:
+  file.append:
+    - name: /opt/so/conf/so-status/so-status.conf
+    - text: so-playbook
+
 {% endif %}
 
 so-playbooksynccron:

salt/reactor/fleet.sls

@@ -31,16 +31,17 @@ def run():
         print(line) 
 
       # Update the enroll secret in the secrets pillar
-      for line in fileinput.input(SECRETSFILE, inplace=True):
-        line = re.sub(r'fleet_enroll-secret: \S*', f"fleet_enroll-secret: {ESECRET}", line.rstrip())
-        print(line)      
+      if ESECRET != "":
+        for line in fileinput.input(SECRETSFILE, inplace=True):
+          line = re.sub(r'fleet_enroll-secret: \S*', f"fleet_enroll-secret: {ESECRET}", line.rstrip())
+          print(line)
 
-        # Update the Fleet host in the static pillar
+      # Update the Fleet host in the static pillar
       for line in fileinput.input(STATICFILE, inplace=True):
         line = re.sub(r'fleet_hostname: \S*', f"fleet_hostname: '{HOSTNAME}'", line.rstrip())
         print(line)  
 
-        # Update the Fleet IP in the static pillar
+      # Update the Fleet IP in the static pillar
       for line in fileinput.input(STATICFILE, inplace=True):
         line = re.sub(r'fleet_ip: \S*', f"fleet_ip: '{MAINIP}'", line.rstrip())
         print(line)   

salt/redis/init.sls

@@ -70,6 +70,11 @@ so-redis:
     - watch:
       - file: /opt/so/conf/redis/etc
 
+append_so-redis_so-status.conf:
+  file.append:
+    - name: /opt/so/conf/so-status/so-status.conf
+    - text: so-redis
+
 {% else %}
 
 redis_state_not_allowed:

salt/registry/init.sls

@@ -57,6 +57,11 @@ so-dockerregistry:
       - /etc/pki/registry.crt:/etc/pki/registry.crt:ro
       - /etc/pki/registry.key:/etc/pki/registry.key:ro
 
+append_so-dockerregistry_so-status.conf:
+  file.append:
+    - name: /opt/so/conf/so-status/so-status.conf
+    - text: so-dockerregistry
+
 {% else %}
 
 registry_state_not_allowed:

salt/soc/init.sls

@@ -67,6 +67,11 @@ so-soc:
     - watch:
       - file: /opt/so/conf/soc/*
 
+append_so-soc_so-status.conf:
+  file.append:
+    - name: /opt/so/conf/so-status/so-status.conf
+    - text: so-soc
+
 # Add Kratos Group
 kratosgroup:
   group.present:
@@ -119,6 +124,11 @@ so-kratos:
     - watch:
       - file: /opt/so/conf/kratos
 
+append_so-kratos_so-status.conf:
+  file.append:
+    - name: /opt/so/conf/so-status/so-status.conf
+    - text: so-kratos
+
 {% else %}
 
 soc_state_not_allowed:

salt/soctopus/init.sls

@@ -73,6 +73,11 @@ so-soctopus:
     - extra_hosts:
       - {{MANAGER_URL}}:{{MANAGER_IP}}
 
+append_so-soctopus_so-status.conf:
+  file.append:
+    - name: /opt/so/conf/so-status/so-status.conf
+    - text: so-soctopus
+
 {% else %}
 
 soctopus_state_not_allowed:

salt/strelka/init.sls

@@ -87,6 +87,11 @@ strelka_coordinator:
     - port_bindings:
       - 0.0.0.0:6380:6379
 
+append_so-strelka-coordinator_so-status.conf:
+  file.append:
+    - name: /opt/so/conf/so-status/so-status.conf
+    - text: so-strelka-coordinator
+
 strelka_gatekeeper:
   docker_container.running:
     - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-redis:{{ VERSION }}
@@ -95,6 +100,11 @@ strelka_gatekeeper:
     - port_bindings:
       - 0.0.0.0:6381:6379
 
+append_so-strelka-gatekeeper_so-status.conf:
+  file.append:
+    - name: /opt/so/conf/so-status/so-status.conf
+    - text: so-strelka-gatekeeper
+
 strelka_frontend:
   docker_container.running:
     - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-strelka-frontend:{{ VERSION }}
@@ -107,6 +117,11 @@ strelka_frontend:
     - port_bindings:
       - 0.0.0.0:57314:57314
 
+append_so-strelka-frontend_so-status.conf:
+  file.append:
+    - name: /opt/so/conf/so-status/so-status.conf
+    - text: so-strelka-frontend
+
 strelka_backend:
   docker_container.running:
     - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-strelka-backend:{{ VERSION }}
@@ -117,6 +132,11 @@ strelka_backend:
     - command: strelka-backend
     - restart_policy: on-failure
 
+append_so-strelka-backend_so-status.conf:
+  file.append:
+    - name: /opt/so/conf/so-status/so-status.conf
+    - text: so-strelka-backend
+
 strelka_manager:
   docker_container.running:
     - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-strelka-manager:{{ VERSION }}
@@ -125,6 +145,11 @@ strelka_manager:
     - name: so-strelka-manager
     - command: strelka-manager
 
+append_so-strelka-manager_so-status.conf:
+  file.append:
+    - name: /opt/so/conf/so-status/so-status.conf
+    - text: so-strelka-manager
+
 strelka_filestream:
   docker_container.running:
     - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-strelka-filestream:{{ VERSION }}
@@ -133,6 +158,11 @@ strelka_filestream:
       - /nsm/strelka:/nsm/strelka
     - name: so-strelka-filestream
     - command: strelka-filestream
+
+append_so-strelka-filestream_so-status.conf:
+  file.append:
+    - name: /opt/so/conf/so-status/so-status.conf
+    - text: so-strelka-filestream
     
 strelka_zeek_extracted_sync:
   cron.present:

salt/suricata/init.sls

@@ -163,6 +163,11 @@ so-suricata:
       - file: /opt/so/conf/suricata/rules/
       - file: /opt/so/conf/suricata/bpf
 
+append_so-suricata_so-status.conf:
+  file.append:
+    - name: /opt/so/conf/so-status/so-status.conf
+    - text: so-suricata
+
 surilogrotate:
   file.managed:
     - name: /opt/so/conf/suricata/suri-rotate.conf

salt/telegraf/init.sls

@@ -73,6 +73,11 @@ so-telegraf:
       - file: tgrafconf
       - file: tgrafsyncscripts
 
+append_so-telegraf_so-status.conf:
+  file.append:
+    - name: /opt/so/conf/so-status/so-status.conf
+    - text: so-telegraf
+
 {% else %}
 
 telegraf_state_not_allowed:

salt/telegraf/scripts/checkfiles.sh

@@ -1,4 +1,28 @@
 #!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+APP=checkfiles
+lf=/tmp/$APP-pidLockFile
+# create empty lock file if none exists
+cat /dev/null >> $lf
+read lastPID < $lf
+# if lastPID is not null and a process with that pid exists , exit
+[ ! -z "$lastPID" -a -d /proc/$lastPID ] && exit
+echo $$ > $lf
 
 FILES=$(ls -1x /host/nsm/faf/complete/ | wc -l)
 

salt/telegraf/scripts/helixeps.sh

@@ -1,4 +1,28 @@
 #!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+APP=helixeps
+lf=/tmp/$APP-pidLockFile
+# create empty lock file if none exists
+cat /dev/null >> $lf
+read lastPID < $lf
+# if lastPID is not null and a process with that pid exists , exit
+[ ! -z "$lastPID" -a -d /proc/$lastPID ] && exit
+echo $$ > $lf
 
 PREVCOUNTFILE='/tmp/helixevents.txt'
 EVENTCOUNTCURRENT="$(curl -s localhost:9600/_node/stats | jq '.pipelines.helix.events.out')"

salt/telegraf/scripts/influxdbsize.sh

@@ -1,4 +1,28 @@
 #!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+APP=influxsize
+lf=/tmp/$APP-pidLockFile
+# create empty lock file if none exists
+cat /dev/null >> $lf
+read lastPID < $lf
+# if lastPID is not null and a process with that pid exists , exit
+[ ! -z "$lastPID" -a -d /proc/$lastPID ] && exit
+echo $$ > $lf
 
 INFLUXSIZE=$(du -s -k /host/nsm/influxdb | awk {'print $1'})
 

salt/telegraf/scripts/oldpcap.sh

@@ -1,4 +1,28 @@
 #!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+APP=oldpcap
+lf=/tmp/$APP-pidLockFile
+# create empty lock file if none exists
+cat /dev/null >> $lf
+read lastPID < $lf
+# if lastPID is not null and a process with that pid exists , exit
+[ ! -z "$lastPID" -a -d /proc/$lastPID ] && exit
+echo $$ > $lf
 
 # Get the data
 OLDPCAP=$(find /host/nsm/pcap -type f -exec stat -c'%n %Z' {} + | sort | grep -v "\." | head -n 1 | awk {'print $2'})

salt/telegraf/scripts/redis.sh

@@ -1,4 +1,29 @@
 #!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+
+APP=redis
+lf=/tmp/$APP-pidLockFile
+# create empty lock file if none exists
+cat /dev/null >> $lf
+read lastPID < $lf
+# if lastPID is not null and a process with that pid exists , exit
+[ ! -z "$lastPID" -a -d /proc/$lastPID ] && exit
+echo $$ > $lf
 
 UNPARSED=$(redis-cli llen logstash:unparsed | awk '{print $1}')
 PARSED=$(redis-cli llen logstash:parsed | awk '{print $1}')

salt/telegraf/scripts/stenoloss.sh

@@ -1,4 +1,29 @@
 #!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+
+APP=stenoloss
+lf=/tmp/$APP-pidLockFile
+# create empty lock file if none exists
+cat /dev/null >> $lf
+read lastPID < $lf
+# if lastPID is not null and a process with that pid exists , exit
+[ ! -z "$lastPID" -a -d /proc/$lastPID ] && exit
+echo $$ > $lf
 
 # Get the data
 DROP=$(tac /var/log/stenographer/stenographer.log | grep -m1 drop | awk '{print $14}' | awk -F "=" '{print $2}')

salt/telegraf/scripts/suriloss.sh

@@ -1,4 +1,29 @@
 #!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+
+APP=suriloss
+lf=/tmp/$APP-pidLockFile
+# create empty lock file if none exists
+cat /dev/null >> $lf
+read lastPID < $lf
+# if lastPID is not null and a process with that pid exists , exit
+[ ! -z "$lastPID" -a -d /proc/$lastPID ] && exit
+echo $$ > $lf
 
 SURILOG=$(tac /var/log/suricata/stats.log | grep kernel | head -4)
 CHECKIT=$(echo $SURILOG | grep -o 'drop' | wc -l)

salt/telegraf/scripts/zeekcaptureloss.sh

@@ -1,6 +1,32 @@
 #!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+
 # This script returns the average of all the workers average capture loss to telegraf / influxdb in influx format include nanosecond precision timestamp
 
+APP=zeekcaploss
+lf=/tmp/$APP-pidLockFile
+# create empty lock file if none exists
+cat /dev/null >> $lf
+read lastPID < $lf
+# if lastPID is not null and a process with that pid exists , exit
+[ ! -z "$lastPID" -a -d /proc/$lastPID ] && exit
+echo $$ > $lf
+
 if [ -d "/host/nsm/zeek/spool/logger" ]; then
   WORKERS={{ salt['pillar.get']('sensor:zeek_lbprocs', salt['pillar.get']('sensor:zeek_pins') | length) }}
   ZEEKLOG=/host/nsm/zeek/spool/logger/capture_loss.log
@@ -23,4 +49,4 @@ if [ -f "$ZEEKLOG" ]; then
     fi
   fi
   echo "$CURRENTTS" > $LASTCAPTURELOSSLOG
-fi
+fi

salt/telegraf/scripts/zeekloss.sh

@@ -1,5 +1,31 @@
 #!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
 # This script returns the packets dropped by Zeek, but it isn't a percentage. $LOSS * 100 would be the percentage
+
+APP=zeekloss
+lf=/tmp/$APP-pidLockFile
+# create empty lock file if none exists
+cat /dev/null >> $lf
+read lastPID < $lf
+# if lastPID is not null and a process with that pid exists , exit
+[ ! -z "$lastPID" -a -d /proc/$lastPID ] && exit
+echo $$ > $lf
+
 ZEEKLOG=$(tac /host/nsm/zeek/logs/packetloss.log | head -2)
 declare RESULT=($ZEEKLOG)
 CURRENTDROP=${RESULT[3]}
@@ -14,4 +40,4 @@ else
   TOTAL=$((CURRENTPACKETS - PASTPACKETS))
   LOSS=$(echo $DROPPED $TOTAL / p | dc)
   echo "zeekdrop drop=$LOSS"
-fi
+fi

salt/thehive/init.sls

@@ -102,6 +102,11 @@ so-thehive-es:
       - 0.0.0.0:9400:9400
       - 0.0.0.0:9500:9500
 
+append_so-thehive-es_so-status.conf:
+  file.append:
+    - name: /opt/so/conf/so-status/so-status.conf
+    - text: so-thehive-es
+
 # Install Cortex
 so-cortex:
   docker_container.running:
@@ -116,6 +121,11 @@ so-cortex:
     - port_bindings:
       - 0.0.0.0:9001:9001
 
+append_so-cortex_so-status.conf:
+  file.append:
+    - name: /opt/so/conf/so-status/so-status.conf
+    - text: so-cortex
+
 cortexscript:
   cmd.script:
     - source: salt://thehive/scripts/cortex_init
@@ -136,6 +146,11 @@ so-thehive:
     - port_bindings:
       - 0.0.0.0:9000:9000
 
+append_so-thehive_so-status.conf:
+  file.append:
+    - name: /opt/so/conf/so-status/so-status.conf
+    - text: so-thehive
+
 thehivescript:
   cmd.script:
     - source: salt://thehive/scripts/hive_init

salt/top.sls

@@ -6,6 +6,13 @@
 {% set DOMAINSTATS = salt['pillar.get']('manager:domainstats', '0') %}
 {% set FLEETMANAGER = salt['pillar.get']('global:fleet_manager', False) %}
 {% set FLEETNODE = salt['pillar.get']('global:fleet_node', False) %}
+{% set ELASTALERT = salt['pillar.get']('elastalert:enabled', True) %}
+{% set ELASTICSEARCH = salt['pillar.get']('elasticsearch:enabled', True) %}
+{% set FILEBEAT = salt['pillar.get']('filebeat:enabled', True) %}
+{% set KIBANA = salt['pillar.get']('kibana:enabled', True) %}
+{% set LOGSTASH = salt['pillar.get']('logstash:enabled', True) %}
+{% set CURATOR = salt['pillar.get']('curator:enabled', True) %}
+{% set REDIS = salt['pillar.get']('redis:enabled', True) %}
 {% set STRELKA = salt['pillar.get']('strelka:enabled', '0') %}
 {% set ISAIRGAP = salt['pillar.get']('global:airgap', 'False') %}
 {% import_yaml 'salt/minion.defaults.yaml' as saltversion %}
@@ -42,7 +49,6 @@ base:
     - salt.master
     - ca
     - ssl
-    - common
     - registry
     - telegraf
     - firewall
@@ -52,15 +58,18 @@ base:
     - suricata
     - zeek
     - redis
+    {%- if LOGSTASH %}
     - logstash
+    {%- endif %}
+    {%- if FILEBEAT %}
     - filebeat
+    {%- endif %}
     - schedule
 
   '*_sensor and G@saltversion:{{saltversion}}':
     - match: compound
     - ca
     - ssl
-    - common
     - telegraf
     - firewall
     - nginx
@@ -86,7 +95,6 @@ base:
     - salt.master
     - ca
     - ssl
-    - common
     - registry
     - manager
     - nginx
@@ -98,14 +106,18 @@ base:
     - idstools
     - suricata.manager
     - healthcheck
-    {%- if FLEETMANAGER or FLEETNODE or PLAYBOOK != 0 %}
+    {%- if (FLEETMANAGER or FLEETNODE) or PLAYBOOK != 0 %}
     - mysql
     {%- endif %}
     {%- if WAZUH != 0 %}
     - wazuh
     {%- endif %}
+    {%- if ELASTICSEARCH %}
     - elasticsearch
+    {%- endif %}
+    {%- if KIBANA %}
     - kibana
+    {%- endif %}
     - pcap
     - suricata
     {%- if ZEEKVER != 'SURICATA' %}
@@ -114,9 +126,15 @@ base:
     {%- if STRELKA %}
     - strelka
     {%- endif %}
+    {%- if FILEBEAT %}
     - filebeat
+    {%- endif %}
+    {%- if CURATOR %}
     - curator
+    {%- endif %}
+    {%- if ELASTALERT %}
     - elastalert
+    {%- endif %}
     {%- if FLEETMANAGER or FLEETNODE %}
     - fleet
     - redis
@@ -145,7 +163,6 @@ base:
     - salt.master
     - ca
     - ssl
-    - common
     - registry
     - nginx
     - telegraf
@@ -156,18 +173,30 @@ base:
     - manager
     - idstools
     - suricata.manager
-    {%- if FLEETMANAGER or FLEETNODE or PLAYBOOK != 0 %}
+    {%- if (FLEETMANAGER or FLEETNODE) or PLAYBOOK != 0 %}
     - mysql
     {%- endif %}
     {%- if WAZUH != 0 %}
     - wazuh
     {%- endif %}
+    {%- if ELASTICSEARCH %}
     - elasticsearch
+    {%- endif %}
+    {%- if LOGSTASH %}
     - logstash
+    {%- endif %}
+    {%- if REDIS %}
     - redis
+    {%- endif %}
+    {%- if KIBANA %}
     - kibana
+    {%- endif %}
+    {%- if ELASTALERT %}
     - elastalert
+    {%- endif %}
+    {%- if FILEBEAT %}
     - filebeat
+    {%- endif %}
     - utility
     - schedule
     {%- if FLEETMANAGER or FLEETNODE %}
@@ -194,7 +223,6 @@ base:
     - salt.master
     - ca
     - ssl
-    - common
     - registry
     - manager
     - nginx
@@ -206,16 +234,24 @@ base:
     - idstools
     - suricata.manager    
     - healthcheck
-    {%- if FLEETMANAGER or FLEETNODE or PLAYBOOK != 0 %}
+    {%- if (FLEETMANAGER or FLEETNODE) or PLAYBOOK != 0 %}
     - mysql
     {%- endif %}
     {%- if WAZUH != 0 %}
     - wazuh
     {%- endif %}
+    {%- if ELASTICSEARCH %}
     - elasticsearch
+    {%- endif %} 
+    {%- if LOGSTASH %}
     - logstash
+    {%- endif %}
+    {%- if REDIS %}
     - redis
+    {%- endif %}
+    {%- if KIBANA %}
     - kibana
+    {%- endif %}
     - pcap
     - suricata
     {%- if ZEEKVER != 'SURICATA' %}
@@ -224,9 +260,15 @@ base:
     {%- if STRELKA %}
     - strelka
     {%- endif %}
+    {%- if FILEBEAT %}
     - filebeat
+    {%- endif %}
+    {%- if CURATOR %}
     - curator
+    {%- endif %}
+    {%- if ELASTALERT %}
     - elastalert
+    {%- endif %}
     {%- if FLEETMANAGER or FLEETNODE %}
     - fleet
     - fleet.install_package
@@ -252,9 +294,10 @@ base:
 
   '*_node and I@node:node_type:parser and G@saltversion:{{saltversion}}':
     - match: compound
-    - common
     - firewall
+    {%- if LOGSTASH %}
     - logstash
+    {%- endif %}
     {%- if FLEETMANAGER or FLEETNODE %}
     - fleet.install_package
     {%- endif %}
@@ -263,10 +306,13 @@ base:
 
   '*_node and I@node:node_type:hot and G@saltversion:{{saltversion}}':
     - match: compound
-    - common
     - firewall
+    {%- if LOGSTASH %}
     - logstash
+    {%- endif %}
+    {%- if CURATOR %}
     - curator
+    {%- endif %}
     {%- if FLEETMANAGER or FLEETNODE %}
     - fleet.install_package
     {%- endif %}
@@ -275,9 +321,10 @@ base:
 
   '*_node and I@node:node_type:warm and G@saltversion:{{saltversion}}':
     - match: compound
-    - common
     - firewall
+    {%- if ELASTICSEARCH %}
     - elasticsearch
+    {%- endif %}
     {%- if FLEETMANAGER or FLEETNODE %}
     - fleet.install_package
     {%- endif %}
@@ -288,17 +335,24 @@ base:
     - match: compound
     - ca
     - ssl
-    - common
     - nginx
     - telegraf
     - firewall
     {%- if WAZUH != 0 %}
     - wazuh
     {%- endif %}
+    {%- if ELASTICSEARCH %}
     - elasticsearch
+    {%- endif %}
+    {%- if LOGSTASH %}
     - logstash
+    {%- endif %}
+    {%- if CURATOR %}
     - curator
+    {%- endif %}
+    {%- if FILEBEAT %}
     - filebeat
+    {%- endif %}
     {%- if FLEETMANAGER or FLEETNODE %}
     - fleet.install_package
     {%- endif %}
@@ -307,7 +361,6 @@ base:
 
   '*_managersensor and G@saltversion:{{saltversion}}':
     - match: compound
-    - common
     - nginx
     - telegraf
     - influxdb
@@ -326,7 +379,6 @@ base:
     - salt.master
     - ca
     - ssl
-    - common
     - registry
     - nginx
     - telegraf
@@ -337,19 +389,34 @@ base:
     - manager
     - idstools
     - suricata.manager
-    {%- if FLEETMANAGER or FLEETNODE or PLAYBOOK != 0 %}
+    {%- if (FLEETMANAGER or FLEETNODE) or PLAYBOOK != 0 %}
     - mysql
     {%- endif %}
     {%- if WAZUH != 0 %}
     - wazuh
     {%- endif %}
+    {%- if ELASTICSEARCH %}
     - elasticsearch
+    {%- endif %}
+    {%- if LOGSTASH %}
     - logstash
+    {%- endif %}
+    {%- if REDIS %}
     - redis
+    {%- endif %}
+    {%- if CURATOR %}
     - curator
+    {%- endif %}
+    {%- if KIBANA %}
     - kibana
+    {%- endif %}
+    {%- if ELASTALERT %}
     - elastalert
+    {%- endif %}
+    {%- if FILEBEAT %}
     - filebeat
+    {%- endif %}
+    
     - utility
     - schedule
     {%- if FLEETMANAGER or FLEETNODE %}
@@ -375,18 +442,27 @@ base:
     - match: compound
     - ca
     - ssl
-    - common
     - nginx
     - telegraf
     - firewall
     {%- if WAZUH != 0 %}
     - wazuh
     {%- endif %}
+    {%- if ELASTICSEARCH %}
     - elasticsearch
+    {%- endif %}
+    {%- if LOGSTASH %}
     - logstash
+    {%- endif %}
+    {%- if REDIS %}
     - redis
+    {%- endif %}
+    {%- if CURATOR %}
     - curator
+    {%- endif %}
+    {%- if FILEBEAT %}
     - filebeat
+    {%- endif %}
     {%- if STRELKA %}
     - strelka
     {%- endif %}
@@ -398,7 +474,9 @@ base:
     {%- if ZEEKVER != 'SURICATA' %}
     - zeek
     {%- endif %}
+    {%- if FILEBEAT %}
     - filebeat
+    {%- endif %}
     - schedule
     - docker_clean
   
@@ -406,7 +484,6 @@ base:
     - match: compound
     - ca
     - ssl
-    - common
     - nginx
     - telegraf
     - firewall
@@ -422,7 +499,6 @@ base:
     - salt.master
     - ca
     - ssl
-    - common
     - registry
     - manager
     - nginx
@@ -431,9 +507,15 @@ base:
     - idstools
     - suricata.manager
     - pcap
+    {%- if ELASTICSEARCH %}
     - elasticsearch
+    {%- endif %}
+    {%- if KIBANA %}
     - kibana
+    {%- endif %}
+    {%- if FILEBEAT %}
     - filebeat
+    {%- endif %}
     - utility
     - suricata
     - zeek

salt/wazuh/init.sls

@@ -110,6 +110,11 @@ so-wazuh:
     - binds:
       - /nsm/wazuh:/var/ossec/data:rw
 
+append_so-wazuh_so-status.conf:
+  file.append:
+    - name: /opt/so/conf/so-status/so-status.conf
+    - text: so-wazuh
+
 # Register the agent
 registertheagent:
   cmd.run:

salt/zeek/init.sls

@@ -196,6 +196,11 @@ so-zeek:
       - file: /opt/so/conf/zeek/policy
       - file: /opt/so/conf/zeek/bpf
 
+append_so-zeek_so-status.conf:
+  file.append:
+    - name: /opt/so/conf/so-status/so-status.conf
+    - text: so-zeek
+
 {% else %}
 
 zeek_state_not_allowed:

setup/so-common-functions

@@ -18,12 +18,22 @@ filter_unused_nics() {
 	fi
 
 	# Finally, set filtered_nics to any NICs we aren't using (and ignore interfaces that aren't of use)
-	filtered_nics=$(ip link| awk -F: '$0 !~ "lo|vir|veth|br|docker|wl|^[^0-9]"{print $2}' | grep -vwe "$grep_string"  | sed 's/ //g')
+	filtered_nics=$(ip link | awk -F: '$0 !~ "lo|vir|veth|br|docker|wl|^[^0-9]"{print $2}' | grep -vwe "$grep_string"  | sed 's/ //g')
 	readarray -t filtered_nics <<< "$filtered_nics"
 	
 	nic_list=()
 	for nic in "${filtered_nics[@]}"; do
-		nic_list+=("$nic" "" "OFF")
+		case $(cat "/sys/class/net/${nic}/carrier") in
+			1)
+				nic_list+=("$nic" "Link UP " "OFF")
+				;;
+			0)
+				nic_list+=("$nic" "Link DOWN " "OFF")
+				;;
+			*)
+				nic_list+=("$nic" "Link UNKNOWN " "OFF")
+				;;
+		esac
 	done
 
 	export nic_list

setup/so-functions

@@ -1729,6 +1729,7 @@ salt_checkin() {
 	{
 		salt-call state.apply ca;
 		salt-call state.apply ssl;
+		salt-call saltutil.sync_modules;
 	} >> "$setup_log" 2>&1
 }
 

setup/so-setup

@@ -590,6 +590,10 @@ fi
 		set_progress_str 25 'Configuring firewall'
 		set_initial_firewall_policy >> $setup_log 2>&1
 		
+		# create these so the registry state can add so-registry to /opt/so/conf/so-status/so-status.conf
+		mkdir -p /opt/so/conf/so-status/
+		touch /opt/so/conf/so-status/so-status.conf
+
 		if [[ "$setup_type" == 'iso' ]]; then
 			set_progress_str 26 'Copying containers from iso'
 		else
@@ -684,12 +688,9 @@ fi
 	fi
 	
 	if [[ "$OSQUERY" = 1 ]]; then
-		if [[ "$PLAYBOOK" != 1 ]]; then
-		set_progress_str 74 "$(print_salt_state_apply 'mysql')"
-		salt-call state.apply -l info mysql >> $setup_log 2>&1
-		fi
 
 		set_progress_str 75 "$(print_salt_state_apply 'fleet')"
+		salt-call state.apply fleet.event_enable-fleet # enable fleet in the global pillar
 		salt-call state.apply -l info fleet >> $setup_log 2>&1
 
 		set_progress_str 76 "$(print_salt_state_apply 'redis')"
@@ -701,24 +702,24 @@ fi
 			salt-call state.apply -l info fleet.event_update-custom-hostname pillar="$pillar_override" >> $setup_log 2>&1
 		fi
 	
-		set_progress_str 74 "$(print_salt_state_apply 'so-fleet-setup')"	
+		set_progress_str 78 "$(print_salt_state_apply 'so-fleet-setup')"	
 		so-fleet-setup "$FLEETNODEUSER" "$FLEETNODEPASSWD1" >> $setup_log 2>&1
 
 	fi
 
 	if [[ "$WAZUH" = 1 ]]; then
-		set_progress_str 78 "$(print_salt_state_apply 'wazuh')"
+		set_progress_str 79 "$(print_salt_state_apply 'wazuh')"
 		salt-call state.apply -l info wazuh >> $setup_log 2>&1
 	fi
 
 	if [[ "$THEHIVE" = 1 ]]; then
-		set_progress_str 79 "$(print_salt_state_apply 'thehive')"
+		set_progress_str 80 "$(print_salt_state_apply 'thehive')"
 		salt-call state.apply -l info thehive >> $setup_log 2>&1
 	fi
 
 	if [[ "$STRELKA" = 1 ]]; then
 		if [[ $is_sensor ]]; then
-			set_progress_str 80 "$(print_salt_state_apply 'strelka')"
+			set_progress_str 81 "$(print_salt_state_apply 'strelka')"
 			salt-call state.apply -l info strelka >> $setup_log 2>&1
 		fi
 		if [[ $STRELKARULES == 1 ]]; then
@@ -727,15 +728,15 @@ fi
 	fi
 
 	if [[ $is_manager || $is_helix || $is_import ]]; then		
-		set_progress_str 81 "$(print_salt_state_apply 'utility')"
+		set_progress_str 82 "$(print_salt_state_apply 'utility')"
 		salt-call state.apply -l info utility >> $setup_log 2>&1
 	fi
 
 	if [[ ( $is_helix || $is_manager || $is_node ) && ! $is_eval ]]; then
-		set_progress_str 82 "$(print_salt_state_apply 'logstash')"
+		set_progress_str 83 "$(print_salt_state_apply 'logstash')"
 		salt-call state.apply -l info logstash >> $setup_log 2>&1
 
-		set_progress_str 83 "$(print_salt_state_apply 'filebeat')"
+		set_progress_str 84 "$(print_salt_state_apply 'filebeat')"
 		salt-call state.apply -l info filebeat >> $setup_log 2>&1
 	fi