diff --git a/salt/_modules/so.py b/salt/_modules/so.py
index 50c29902f..e75c90ec8 100644
--- a/salt/_modules/so.py
+++ b/salt/_modules/so.py
@@ -1,4 +1,51 @@
#!py
+import logging
+
def status():
- return __salt__['cmd.run']('/usr/sbin/so-status')
\ No newline at end of file
+ return __salt__['cmd.run']('/usr/sbin/so-status')
+
+
+def mysql_conn(retry):
+ log = logging.getLogger(__name__)
+
+ from time import sleep
+
+ try:
+ from MySQLdb import _mysql
+ except ImportError as e:
+ log.error(e)
+ return False
+
+ mainint = __salt__['pillar.get']('sensor:mainint', __salt__['pillar.get']('manager:mainint'))
+ mainip = __salt__['grains.get']('ip_interfaces').get(mainint)[0]
+
+ mysql_up = False
+ for i in range(0, retry):
+ log.debug(f'Connection attempt {i+1}')
+ try:
+ db = _mysql.connect(
+ host=mainip,
+ user='root',
+ passwd=__salt__['pillar.get']('secrets:mysql')
+ )
+ log.debug(f'Connected to MySQL server on {mainip} after {i} attempts.')
+
+ db.query("""SELECT 1;""")
+ log.debug(f'Successfully completed query against MySQL server on {mainip}')
+
+ db.close()
+ mysql_up = True
+ break
+ except _mysql.OperationalError as e:
+ log.debug(e)
+ except Exception as e:
+ log.error('Unexpected error occured.')
+ log.error(e)
+ break
+ sleep(1)
+
+ if not mysql_up:
+ log.error(f'Could not connect to MySQL server on {mainip} after {retry} attempts.')
+
+ return mysql_up
\ No newline at end of file
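Review bot: In mysql_conn the handle opened on the `db = _mysql.connect(` line is never closed when `db.query` raises, because `db.close()` sits on the success path only; the query should run inside `try`/`finally` so every attempt releases its connection. Two smaller points in the same function: the "Connected to MySQL server ... after {i} attempts" message is off by one relative to the `Connection attempt {i+1}` line above it, and `__salt__['grains.get']('ip_interfaces').get(mainint)[0]` raises TypeError (`None[0]`) instead of taking the logged `return False` path when the pillar interface name is not a grain key, so a guard such as `if not ifaces: log.error(...); return False` before indexing would keep the failure mode consistent. "occured" in the error string is a typo for "occurred".
```python
        # … unchanged: logger, imports, mainint/mainip lookup, loop header …
        try:
            db = _mysql.connect(
                host=mainip,
                user='root',
                passwd=__salt__['pillar.get']('secrets:mysql')
            )
            log.debug(f'Connected to MySQL server on {mainip} after {i+1} attempts.')
            try:
                db.query("""SELECT 1;""")
                log.debug(f'Successfully completed query against MySQL server on {mainip}')
            finally:
                db.close()
            mysql_up = True
            break
        # … unchanged: except clauses and sleep(1) …
```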
diff --git a/salt/common/init.sls b/salt/common/init.sls
index 90a713c11..cf791cfa2 100644
--- a/salt/common/init.sls
+++ b/salt/common/init.sls
@@ -32,6 +32,18 @@ soconfperms:
- gid: 939
- dir_mode: 770
+sostatusconf:
+ file.directory:
+ - name: /opt/so/conf/so-status
+ - uid: 939
+ - gid: 939
+ - dir_mode: 770
+
+so-status.conf:
+ file.touch:
+ - name: /opt/so/conf/so-status/so-status.conf
+ - unless: ls /opt/so/conf/so-status/so-status.conf
+
sosaltstackperms:
file.directory:
- name: /opt/so/saltstack
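Review bot: `so-status.conf` is created with `file.touch`, which sets no owner or mode, so the file takes whatever root's umask gives it while the parent `/opt/so/conf/so-status` is 939:939 with dir_mode 770; since `so-status` reads this file as root to decide which containers are expected and which count as disabled, who may write it should be a deliberate choice rather than inherited, and with write+execute on the directory anyone in gid 939 can replace the file regardless of its own mode. `file.managed` with `- replace: False` plus explicit `user`, `group` and `mode` covers creation and ownership in one state and makes the `unless: ls ...` guard unnecessary (it exists only because `file.touch` would otherwise bump the mtime on every run). The touch state also has no `- require: - file: sostatusconf`, so it relies on declaration order for the directory to exist first.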
diff --git a/salt/common/maps/domainstats.map.jinja b/salt/common/maps/domainstats.map.jinja
deleted file mode 100644
index 221dcde03..000000000
--- a/salt/common/maps/domainstats.map.jinja
+++ /dev/null
@@ -1,5 +0,0 @@
-{% set docker = {
- 'containers': [
- 'so-domainstats'
- ]
-} %}
\ No newline at end of file
diff --git a/salt/common/maps/eval.map.jinja b/salt/common/maps/eval.map.jinja
deleted file mode 100644
index 075344e82..000000000
--- a/salt/common/maps/eval.map.jinja
+++ /dev/null
@@ -1,20 +0,0 @@
-{% set docker = {
- 'containers': [
- 'so-filebeat',
- 'so-nginx',
- 'so-telegraf',
- 'so-dockerregistry',
- 'so-soc',
- 'so-kratos',
- 'so-idstools',
- 'so-elasticsearch',
- 'so-kibana',
- 'so-steno',
- 'so-suricata',
- 'so-zeek',
- 'so-curator',
- 'so-elastalert',
- 'so-soctopus',
- 'so-sensoroni'
- ]
-} %}
\ No newline at end of file
diff --git a/salt/common/maps/fleet.map.jinja b/salt/common/maps/fleet.map.jinja
deleted file mode 100644
index c55223125..000000000
--- a/salt/common/maps/fleet.map.jinja
+++ /dev/null
@@ -1,10 +0,0 @@
-{% set docker = {
- 'containers': [
- 'so-mysql',
- 'so-fleet',
- 'so-redis',
- 'so-filebeat',
- 'so-nginx',
- 'so-telegraf'
- ]
-} %}
\ No newline at end of file
diff --git a/salt/common/maps/fleet_manager.map.jinja b/salt/common/maps/fleet_manager.map.jinja
deleted file mode 100644
index 91850846c..000000000
--- a/salt/common/maps/fleet_manager.map.jinja
+++ /dev/null
@@ -1,7 +0,0 @@
-{% set docker = {
- 'containers': [
- 'so-mysql',
- 'so-fleet',
- 'so-redis'
- ]
-} %}
\ No newline at end of file
diff --git a/salt/common/maps/freq.map.jinja b/salt/common/maps/freq.map.jinja
deleted file mode 100644
index d3f692484..000000000
--- a/salt/common/maps/freq.map.jinja
+++ /dev/null
@@ -1,5 +0,0 @@
-{% set docker = {
- 'containers': [
- 'so-freqserver'
- ]
-} %}
\ No newline at end of file
diff --git a/salt/common/maps/grafana.map.jinja b/salt/common/maps/grafana.map.jinja
deleted file mode 100644
index 1118a50fe..000000000
--- a/salt/common/maps/grafana.map.jinja
+++ /dev/null
@@ -1,6 +0,0 @@
-{% set docker = {
- 'containers': [
- 'so-influxdb',
- 'so-grafana'
- ]
-} %}
\ No newline at end of file
diff --git a/salt/common/maps/heavynode.map.jinja b/salt/common/maps/heavynode.map.jinja
deleted file mode 100644
index cbd0fc3b0..000000000
--- a/salt/common/maps/heavynode.map.jinja
+++ /dev/null
@@ -1,15 +0,0 @@
-{% set docker = {
- 'containers': [
- 'so-nginx',
- 'so-telegraf',
- 'so-redis',
- 'so-logstash',
- 'so-elasticsearch',
- 'so-curator',
- 'so-steno',
- 'so-suricata',
- 'so-wazuh',
- 'so-filebeat',
- 'so-sensoroni'
- ]
-} %}
\ No newline at end of file
diff --git a/salt/common/maps/helixsensor.map.jinja b/salt/common/maps/helixsensor.map.jinja
deleted file mode 100644
index 84866de3a..000000000
--- a/salt/common/maps/helixsensor.map.jinja
+++ /dev/null
@@ -1,12 +0,0 @@
-{% set docker = {
- 'containers': [
- 'so-nginx',
- 'so-telegraf',
- 'so-idstools',
- 'so-steno',
- 'so-zeek',
- 'so-redis',
- 'so-logstash',
- 'so-filebeat
- ]
-} %}
\ No newline at end of file
diff --git a/salt/common/maps/hotnode.map.jinja b/salt/common/maps/hotnode.map.jinja
deleted file mode 100644
index bc9d58360..000000000
--- a/salt/common/maps/hotnode.map.jinja
+++ /dev/null
@@ -1,9 +0,0 @@
-{% set docker = {
- 'containers': [
- 'so-nginx',
- 'so-telegraf',
- 'so-logstash',
- 'so-elasticsearch',
- 'so-curator',
- ]
-} %}
\ No newline at end of file
diff --git a/salt/common/maps/import.map.jinja b/salt/common/maps/import.map.jinja
deleted file mode 100644
index 324536d11..000000000
--- a/salt/common/maps/import.map.jinja
+++ /dev/null
@@ -1,10 +0,0 @@
-{% set docker = {
- 'containers': [
- 'so-filebeat',
- 'so-nginx',
- 'so-soc',
- 'so-kratos',
- 'so-elasticsearch',
- 'so-kibana'
- ]
-} %}
\ No newline at end of file
diff --git a/salt/common/maps/manager.map.jinja b/salt/common/maps/manager.map.jinja
deleted file mode 100644
index 45358d017..000000000
--- a/salt/common/maps/manager.map.jinja
+++ /dev/null
@@ -1,21 +0,0 @@
-{% set docker = {
- 'containers': [
- 'so-dockerregistry',
- 'so-nginx',
- 'so-telegraf',
- 'so-soc',
- 'so-kratos',
- 'so-idstools',
- 'so-redis',
- 'so-elasticsearch',
- 'so-logstash',
- 'so-kibana',
- 'so-elastalert',
- 'so-filebeat',
- 'so-soctopus'
- ]
-} %}
-
-{% if salt['pillar.get']('global:managerupdate') == 1 %}
- {% do docker.containers.append('so-aptcacherng') %}
-{% endif %}
\ No newline at end of file
diff --git a/salt/common/maps/managersearch.map.jinja b/salt/common/maps/managersearch.map.jinja
deleted file mode 100644
index 66c5afd43..000000000
--- a/salt/common/maps/managersearch.map.jinja
+++ /dev/null
@@ -1,21 +0,0 @@
-{% set docker = {
- 'containers': [
- 'so-nginx',
- 'so-telegraf',
- 'so-soc',
- 'so-kratos',
- 'so-idstools',
- 'so-redis',
- 'so-logstash',
- 'so-elasticsearch',
- 'so-curator',
- 'so-kibana',
- 'so-elastalert',
- 'so-filebeat',
- 'so-soctopus'
- ]
-} %}
-
-{% if salt['pillar.get']('global:managerupdate') == 1 %}
- {% do docker.containers.append('so-aptcacherng') %}
-{% endif %}
\ No newline at end of file
diff --git a/salt/common/maps/mdengine.map.jinja b/salt/common/maps/mdengine.map.jinja
deleted file mode 100644
index 881e3ec4f..000000000
--- a/salt/common/maps/mdengine.map.jinja
+++ /dev/null
@@ -1,5 +0,0 @@
-{% set docker = {
- 'containers': [
- 'so-zeek'
- ]
-} %}
diff --git a/salt/common/maps/playbook.map.jinja b/salt/common/maps/playbook.map.jinja
deleted file mode 100644
index 84baa8dec..000000000
--- a/salt/common/maps/playbook.map.jinja
+++ /dev/null
@@ -1,5 +0,0 @@
-{% set docker = {
- 'containers': [
- 'so-playbook'
- ]
-} %}
\ No newline at end of file
diff --git a/salt/common/maps/searchnode.map.jinja b/salt/common/maps/searchnode.map.jinja
deleted file mode 100644
index b46652742..000000000
--- a/salt/common/maps/searchnode.map.jinja
+++ /dev/null
@@ -1,10 +0,0 @@
-{% set docker = {
- 'containers': [
- 'so-nginx',
- 'so-telegraf',
- 'so-logstash',
- 'so-elasticsearch',
- 'so-curator',
- 'so-filebeat'
- ]
-} %}
\ No newline at end of file
diff --git a/salt/common/maps/sensor.map.jinja b/salt/common/maps/sensor.map.jinja
deleted file mode 100644
index 3f5ebe8eb..000000000
--- a/salt/common/maps/sensor.map.jinja
+++ /dev/null
@@ -1,9 +0,0 @@
-{% set docker = {
- 'containers': [
- 'so-telegraf',
- 'so-steno',
- 'so-suricata',
- 'so-filebeat',
- 'so-sensoroni'
- ]
-} %}
\ No newline at end of file
diff --git a/salt/common/maps/so-status.map.jinja b/salt/common/maps/so-status.map.jinja
deleted file mode 100644
index 12bddfec7..000000000
--- a/salt/common/maps/so-status.map.jinja
+++ /dev/null
@@ -1,48 +0,0 @@
-{% set role = grains.id.split('_') | last %}
-{% from 'common/maps/'~ role ~'.map.jinja' import docker with context %}
-
-# Check if the service is enabled and append it's required containers
-# to the list predefined by the role / minion id affix
-{% macro append_containers(pillar_name, k, compare )%}
- {% if salt['pillar.get'](pillar_name~':'~k, {}) != compare %}
- {% if k == 'enabled' %}
- {% set k = pillar_name %}
- {% endif %}
- {% from 'common/maps/'~k~'.map.jinja' import docker as d with context %}
- {% for li in d['containers'] %}
- {{ docker['containers'].append(li) }}
- {% endfor %}
- {% endif %}
-{% endmacro %}
-
-{% set docker = salt['grains.filter_by']({
- '*_'~role: {
- 'containers': docker['containers']
- }
-},grain='id', merge=salt['pillar.get']('docker')) %}
-
-{% if role in ['eval', 'managersearch', 'manager', 'standalone'] %}
- {{ append_containers('manager', 'grafana', 0) }}
- {{ append_containers('global', 'fleet_manager', 0) }}
- {{ append_containers('global', 'wazuh', 0) }}
- {{ append_containers('manager', 'thehive', 0) }}
- {{ append_containers('manager', 'playbook', 0) }}
- {{ append_containers('manager', 'freq', 0) }}
- {{ append_containers('manager', 'domainstats', 0) }}
-{% endif %}
-
-{% if role in ['eval', 'heavynode', 'sensor', 'standalone'] %}
- {{ append_containers('strelka', 'enabled', 0) }}
-{% endif %}
-
-{% if role in ['heavynode', 'standalone'] %}
- {{ append_containers('global', 'mdengine', 'SURICATA') }}
-{% endif %}
-
-{% if role == 'searchnode' %}
- {{ append_containers('manager', 'wazuh', 0) }}
-{% endif %}
-
-{% if role == 'sensor' %}
- {{ append_containers('global', 'mdengine', 'SURICATA') }}
-{% endif %}
\ No newline at end of file
diff --git a/salt/common/maps/standalone.map.jinja b/salt/common/maps/standalone.map.jinja
deleted file mode 100644
index ae3177f4b..000000000
--- a/salt/common/maps/standalone.map.jinja
+++ /dev/null
@@ -1,25 +0,0 @@
-{% set docker = {
- 'containers': [
- 'so-nginx',
- 'so-telegraf',
- 'so-soc',
- 'so-kratos',
- 'so-idstools',
- 'so-redis',
- 'so-logstash',
- 'so-elasticsearch',
- 'so-curator',
- 'so-kibana',
- 'so-elastalert',
- 'so-filebeat',
- 'so-suricata',
- 'so-steno',
- 'so-dockerregistry',
- 'so-soctopus',
- 'so-sensoroni'
- ]
-} %}
-
-{% if salt['pillar.get']('global:managerupdate') == 1 %}
- {% do docker.containers.append('so-aptcacherng') %}
-{% endif %}
\ No newline at end of file
diff --git a/salt/common/maps/strelka.map.jinja b/salt/common/maps/strelka.map.jinja
deleted file mode 100644
index b26a1241b..000000000
--- a/salt/common/maps/strelka.map.jinja
+++ /dev/null
@@ -1,9 +0,0 @@
-{% set docker = {
- 'containers': [
- 'so-strelka-coordinator',
- 'so-strelka-gatekeeper',
- 'so-strelka-manager',
- 'so-strelka-frontend',
- 'so-strelka-filestream'
- ]
-} %}
\ No newline at end of file
diff --git a/salt/common/maps/thehive.map.jinja b/salt/common/maps/thehive.map.jinja
deleted file mode 100644
index e4ca7d2a2..000000000
--- a/salt/common/maps/thehive.map.jinja
+++ /dev/null
@@ -1,7 +0,0 @@
-{% set docker = {
- 'containers': [
- 'so-thehive',
- 'so-thehive-es',
- 'so-cortex'
- ]
-} %}
\ No newline at end of file
diff --git a/salt/common/maps/warmnode.map.jinja b/salt/common/maps/warmnode.map.jinja
deleted file mode 100644
index 08cf2dbb8..000000000
--- a/salt/common/maps/warmnode.map.jinja
+++ /dev/null
@@ -1,7 +0,0 @@
-{% set docker = {
- 'containers': [
- 'so-nginx',
- 'so-telegraf',
- 'so-elasticsearch'
- ]
-} %}
\ No newline at end of file
diff --git a/salt/common/maps/wazuh.map.jinja b/salt/common/maps/wazuh.map.jinja
deleted file mode 100644
index 5217a79ee..000000000
--- a/salt/common/maps/wazuh.map.jinja
+++ /dev/null
@@ -1,5 +0,0 @@
-{% set docker = {
- 'containers': [
- 'so-wazuh'
- ]
-} %}
\ No newline at end of file
diff --git a/salt/common/tools/sbin/so-status b/salt/common/tools/sbin/so-status
index 904c3ae7d..344db61c6 100755
--- a/salt/common/tools/sbin/so-status
+++ b/salt/common/tools/sbin/so-status
@@ -14,8 +14,6 @@
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see .
-{%- from 'common/maps/so-status.map.jinja' import docker with context %}
-{%- set container_list = docker['containers'] | sort | unique %}
if ! [ "$(id -u)" = 0 ]; then
echo "This command must be run as root"
@@ -39,9 +37,8 @@ declare -a BAD_STATUSES=("removing" "paused" "exited" "dead")
declare -a PENDING_STATUSES=("paused" "created" "restarting")
declare -a GOOD_STATUSES=("running")
declare -a DISABLED_CONTAINERS=()
-{%- if salt['pillar.get']('steno:enabled', 'True') is sameas false %}
-DISABLED_CONTAINERS+=("so-steno")
-{%- endif %}
+mapfile -t DISABLED_CONTAINERS < <(sort -u /opt/so/conf/so-status/so-status.conf | grep "^\s*#" | tr -d "#")
+
declare -a temp_container_name_list=()
declare -a temp_container_state_list=()
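Review bot: The `mapfile -t DISABLED_CONTAINERS` line strips every `#` but not the leading whitespace the `grep "^\s*#"` pattern allows, so an entry like `  #so-steno` becomes `  so-steno` and never matches a container name; a single `sed -n 's/^\s*#\s*//p'` in place of the `grep | tr` pair normalizes both. The sibling pipeline in create_expected_container_list (hunk `@@ -83,9 +80,9 @@`) turns a blank line in the conf into an empty array element, and because `sort -u` runs before `tr -d "#"`, a name present both commented and uncommented is listed twice; filtering blank lines with `grep -v '^\s*$'` and de-duplicating after the `tr` fixes both. Neither pipeline handles the conf file being absent: `sort` prints an error and both arrays come out empty, which is then reported as "nothing expected" rather than as a missing configuration.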
@@ -83,9 +80,9 @@ compare_lists() {
# {% endraw %}
create_expected_container_list() {
- {% for item in container_list -%}
- expected_container_list+=("{{ item }}")
- {% endfor -%}
+
+ mapfile -t expected_container_list < <(sort -u /opt/so/conf/so-status/so-status.conf | tr -d "#")
+
}
populate_container_lists() {
@@ -175,7 +172,7 @@ print_line() {
printf " $service_name "
for i in $(seq 0 $(( $columns - $PADDING_CONSTANT - ${#service_name} - ${#service_state} ))); do
- printf "-"
+ printf "${state_color}%b\e[0m" "-"
done
printf " [ "
printf "${state_color}%b\e[0m" "$service_state"
diff --git a/salt/curator/files/bin/so-curator-close b/salt/curator/files/bin/so-curator-close
index 11324dd31..682653ce4 100644
--- a/salt/curator/files/bin/so-curator-close
+++ b/salt/curator/files/bin/so-curator-close
@@ -1,2 +1,27 @@
#!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+APP=close
+lf=/tmp/$APP-pidLockFile
+# create empty lock file if none exists
+cat /dev/null >> $lf
+read lastPID < $lf
+# if lastPID is not null and a process with that pid exists , exit
+[ ! -z "$lastPID" -a -d /proc/$lastPID ] && exit
+echo $$ > $lf
+
/usr/sbin/so-curator-closed-delete > /dev/null 2>&1; docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-zeek-close.yml > /dev/null 2>&1; docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-beats-close.yml > /dev/null 2>&1; docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-firewall-close.yml > /dev/null 2>&1; docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-ids-close.yml > /dev/null 2>&1; docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-import-close.yml > /dev/null 2>&1; docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-osquery-close.yml > /dev/null 2>&1; docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-ossec-close.yml > /dev/null 2>&1; docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-strelka-close.yml > /dev/null 2>&1; docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-syslog-close.yml > /dev/null 2>&1
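Review bot: The lock added on the `lf=/tmp/$APP-pidLockFile` line is a fixed-name file in world-writable /tmp handled by a root cron job: `cat /dev/null >> $lf` and `echo $$ > $lf` follow a symlink left there by any local user, and a pre-seeded PID of some long-lived process makes the `-d /proc/$lastPID` test exit the job indefinitely, since the PID is neither validated as numeric nor checked to belong to this script. Keeping the lock file in a root-owned directory other users cannot write and letting the kernel hold the lock, e.g. `exec 9>"$lf"` followed by `flock -n 9 || exit 0` (if flock from util-linux is on the image), also removes the stale-PID window between `read` and `echo`. The same block is repeated in so-curator-closed-delete, so-curator-closed-delete-delete and so-curator-delete in this commit; the `pgrep -f` guard that so-curator-closed-delete replaces had the same intent without the /tmp exposure.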
diff --git a/salt/curator/files/bin/so-curator-closed-delete b/salt/curator/files/bin/so-curator-closed-delete
index 8f6d0a8ea..714aa5f6f 100755
--- a/salt/curator/files/bin/so-curator-closed-delete
+++ b/salt/curator/files/bin/so-curator-closed-delete
@@ -1,6 +1,6 @@
#!/bin/bash
#
-# Copyright 2014,2015,2016,2017,2018 Security Onion Solutions, LLC
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
@@ -34,6 +34,13 @@
#fi
# Avoid starting multiple instances
-if ! pgrep -f "so-curator-closed-delete-delete" >/dev/null; then
- /usr/sbin/so-curator-closed-delete-delete
-fi
+APP=closeddelete
+lf=/tmp/$APP-pidLockFile
+# create empty lock file if none exists
+cat /dev/null >> $lf
+read lastPID < $lf
+# if lastPID is not null and a process with that pid exists , exit
+[ ! -z "$lastPID" -a -d /proc/$lastPID ] && exit
+echo $$ > $lf
+
+/usr/sbin/so-curator-closed-delete-delete
diff --git a/salt/curator/files/bin/so-curator-closed-delete-delete b/salt/curator/files/bin/so-curator-closed-delete-delete
index 689056dc2..ac5a1aba2 100755
--- a/salt/curator/files/bin/so-curator-closed-delete-delete
+++ b/salt/curator/files/bin/so-curator-closed-delete-delete
@@ -1,5 +1,28 @@
-
#!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+APP=closedeletedelete
+lf=/tmp/$APP-pidLockFile
+# create empty lock file if none exists
+cat /dev/null >> $lf
+read lastPID < $lf
+# if lastPID is not null and a process with that pid exists , exit
+[ ! -z "$lastPID" -a -d /proc/$lastPID ] && exit
+echo $$ > $lf
{%- if grains['role'] in ['so-node', 'so-heavynode'] %}
{%- set ELASTICSEARCH_HOST = salt['pillar.get']('elasticsearch:mainip', '') -%}
diff --git a/salt/curator/files/bin/so-curator-delete b/salt/curator/files/bin/so-curator-delete
index 166497855..6a85eddb4 100644
--- a/salt/curator/files/bin/so-curator-delete
+++ b/salt/curator/files/bin/so-curator-delete
@@ -1,2 +1,27 @@
#!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+APP=delete
+lf=/tmp/$APP-pidLockFile
+# create empty lock file if none exists
+cat /dev/null >> $lf
+read lastPID < $lf
+# if lastPID is not null and a process with that pid exists , exit
+[ ! -z "$lastPID" -a -d /proc/$lastPID ] && exit
+echo $$ > $lf
+
docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/delete.yml > /dev/null 2>&1
diff --git a/salt/curator/init.sls b/salt/curator/init.sls
index 31f738349..2f0147794 100644
--- a/salt/curator/init.sls
+++ b/salt/curator/init.sls
@@ -127,6 +127,12 @@ so-curator:
- /opt/so/conf/curator/curator.yml:/etc/curator/config/curator.yml:ro
- /opt/so/conf/curator/action/:/etc/curator/action:ro
- /opt/so/log/curator:/var/log/curator:rw
+
+append_so-curator_so-status.conf:
+ file.append:
+ - name: /opt/so/conf/so-status/so-status.conf
+ - text: so-curator
+
# Begin Curator Cron Jobs
# Close
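Review bot: `append_so-curator_so-status.conf` writes to /opt/so/conf/so-status/so-status.conf with no `require` on the `sostatusconf` / `so-status.conf` states in common/init.sls that create the directory; `file.append` creates a missing file but fails when the parent directory is absent, so the state silently depends on `common` having run earlier in the same highstate (presumably guaranteed by the top file, but not expressed here). `- require: - file: so-status.conf` together with `include: - common` makes the ordering explicit. The same applies to every other `append_*_so-status.conf` state added in this commit (domainstats, elastalert, elasticsearch, filebeat, fleet, freqserver, grafana, idstools, influxdb, kibana, logstash, manager, minio, mysql, nginx, nodered, pcap, playbook).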
diff --git a/salt/domainstats/init.sls b/salt/domainstats/init.sls
index daac87387..7716ddf83 100644
--- a/salt/domainstats/init.sls
+++ b/salt/domainstats/init.sls
@@ -56,6 +56,11 @@ so-domainstats:
- binds:
- /opt/so/log/domainstats:/var/log/domain_stats
+append_so-domainstats_so-status.conf:
+ file.append:
+ - name: /opt/so/conf/so-status/so-status.conf
+ - text: so-domainstats
+
{% else %}
domainstats_state_not_allowed:
diff --git a/salt/elastalert/init.sls b/salt/elastalert/init.sls
index 2e757805c..7caef532f 100644
--- a/salt/elastalert/init.sls
+++ b/salt/elastalert/init.sls
@@ -121,6 +121,12 @@ so-elastalert:
- {{MANAGER_URL}}:{{MANAGER_IP}}
- require:
- module: wait_for_elasticsearch
+
+append_so-elastalert_so-status.conf:
+ file.append:
+ - name: /opt/so/conf/so-status/so-status.conf
+ - text: so-elastalert
+
{% endif %}
{% else %}
diff --git a/salt/elasticsearch/files/ingest/strelka.file b/salt/elasticsearch/files/ingest/strelka.file
index 82474d8b5..e5e8560f8 100644
--- a/salt/elasticsearch/files/ingest/strelka.file
+++ b/salt/elasticsearch/files/ingest/strelka.file
@@ -12,7 +12,7 @@
{
"if": "ctx.exiftool?.keys !=null",
"field": "exiftool.keys",
- "processor":{
+ "processor": {
"append": {
"field": "scan.exiftool",
"value": "{{_ingest._value.key}}={{_ingest._value.value}}"
@@ -20,6 +20,18 @@
}
}
},
+ { "foreach":
+ {
+ "if": "ctx.exiftool?.keys !=null",
+ "field": "exiftool.keys",
+ "processor": {
+ "set": {
+ "field": "exiftool.{{_ingest._value.key}}",
+ "value": "{{_ingest._value.value}}"
+ }
+ }
+ }
+ },
{ "foreach":
{
"if": "ctx.scan?.yara?.meta !=null",
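Review bot: The new foreach on the `"field": "exiftool.{{_ingest._value.key}}"` line promotes every exiftool key of the scanned file into its own field under `exiftool.`; those keys come from the file's own metadata, so the field set (and, if dynamic mapping is on for this index, the mapping itself) grows with whatever the submitted files contain, and a key containing a dot becomes a nested object via the template. The set processors added further down only need a handful of keys (`SourceFile`, `FilePermissions`, `FileName`, the date fields, `FileDirectory`, `Subsystem`), so restricting this foreach with an allowlist `if` condition, or leaving the rest in the `scan.exiftool` append already present above, keeps the mapping bounded. `host.subsystem` set from `exiftool.Subsystem` looks like the PE Subsystem tag of the file rather than a property of the host, so a field under `file.` seems the better home — worth confirming against the ECS version in use.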
@@ -32,6 +44,14 @@
}
}
},
+ { "set": { "if": "ctx.exiftool?.SourceFile != null", "field": "file.source", "value": "{{exiftool.SourceFile}}", "ignore_failure": true }},
+ { "set": { "if": "ctx.exiftool?.FilePermissions != null", "field": "file.permissions", "value": "{{exiftool.FilePermissions}}", "ignore_failure": true }},
+ { "set": { "if": "ctx.exiftool?.FileName != null", "field": "file.name", "value": "{{exiftool.FileName}}", "ignore_failure": true }},
+ { "set": { "if": "ctx.exiftool?.FileModifyDate != null", "field": "file.mtime", "value": "{{exiftool.FileModifyDate}}", "ignore_failure": true }},
+ { "set": { "if": "ctx.exiftool?.FileAccessDate != null", "field": "file.accessed", "value": "{{exiftool.FileAccessDate}}", "ignore_failure": true }},
+ { "set": { "if": "ctx.exiftool?.FileInodeChangeDate != null", "field": "file.ctime", "value": "{{exiftool.FileInodeChangeDate}}", "ignore_failure": true }},
+ { "set": { "if": "ctx.exiftool?.FileDirectory != null", "field": "file.directory", "value": "{{exiftool.FileDirectory}}", "ignore_failure": true }},
+ { "set": { "if": "ctx.exiftool?.Subsystem != null", "field": "host.subsystem", "value": "{{exiftool.Subsystem}}", "ignore_failure": true }},
{ "set": { "if": "ctx.scan?.yara?.matches != null", "field": "rule.name", "value": "{{scan.yara.matches.0}}" }},
{ "set": { "if": "ctx.scan?.yara?.matches != null", "field": "dataset", "value": "alert", "override": true }},
{ "rename": { "field": "file.flavors.mime", "target_field": "file.mime_type", "ignore_missing": true }},
diff --git a/salt/elasticsearch/files/ingest/syslog b/salt/elasticsearch/files/ingest/syslog
index b4e09e9df..6d28aa705 100644
--- a/salt/elasticsearch/files/ingest/syslog
+++ b/salt/elasticsearch/files/ingest/syslog
@@ -13,7 +13,7 @@
}
},
{ "grok": { "field": "message", "patterns": ["<%{INT:syslog.priority}>%{DATA:syslog.timestamp} %{WORD:source.application}: %{GREEDYDATA:real_message}"], "ignore_failure": false } },
- { "set": { "if": "ctx.source.application == 'filterlog'", "field": "dataset", "value": "firewall" } },
+ { "set": { "if": "ctx.source?.application == 'filterlog'", "field": "dataset", "value": "firewall" } },
{ "pipeline": { "if": "ctx.dataset == 'firewall'", "name": "filterlog" } },
{ "pipeline": { "name": "common" } }
]
diff --git a/salt/elasticsearch/init.sls b/salt/elasticsearch/init.sls
index 1406df02c..0b28ee6d1 100644
--- a/salt/elasticsearch/init.sls
+++ b/salt/elasticsearch/init.sls
@@ -215,13 +215,17 @@ so-elasticsearch:
- /etc/pki/ca.crt:/usr/share/elasticsearch/config/ca.crt:ro
- /etc/pki/elasticsearch.p12:/usr/share/elasticsearch/config/elasticsearch.p12:ro
- /opt/so/conf/elasticsearch/sotls.yml:/usr/share/elasticsearch/config/sotls.yml:ro
-
- watch:
- file: cacertz
- file: esyml
- file: esingestconf
- file: so-elasticsearch-pipelines-file
+append_so-elasticsearch_so-status.conf:
+ file.append:
+ - name: /opt/so/conf/so-status/so-status.conf
+ - text: so-elasticsearch
+
so-elasticsearch-pipelines-file:
file.managed:
- name: /opt/so/conf/elasticsearch/so-elasticsearch-pipelines
diff --git a/salt/filebeat/init.sls b/salt/filebeat/init.sls
index 26aca3542..98229ca35 100644
--- a/salt/filebeat/init.sls
+++ b/salt/filebeat/init.sls
@@ -86,6 +86,11 @@ so-filebeat:
- watch:
- file: /opt/so/conf/filebeat/etc/filebeat.yml
+append_so-filebeat_so-status.conf:
+ file.append:
+ - name: /opt/so/conf/so-status/so-status.conf
+ - text: so-filebeat
+
{% else %}
filebeat_state_not_allowed:
diff --git a/salt/fleet/event_enable-fleet.sls b/salt/fleet/event_enable-fleet.sls
index d09749a55..34b031685 100644
--- a/salt/fleet/event_enable-fleet.sls
+++ b/salt/fleet/event_enable-fleet.sls
@@ -1,4 +1,10 @@
-{% set ENROLLSECRET = salt['cmd.run']('docker exec so-fleet fleetctl get enroll-secret default') %}
+{% set FLEETMANAGER = salt['pillar.get']('global:fleet_manager', False) %}
+{% set FLEETNODE = salt['pillar.get']('global:fleet_node', False) %}
+{% if FLEETNODE or FLEETMANAGER %}
+ {% set ENROLLSECRET = salt['cmd.run']('docker exec so-fleet fleetctl get enroll-secret default') %}
+{% else %}
+ {% set ENROLLSECRET = '' %}
+{% endif %}
{% set MAININT = salt['pillar.get']('host:mainint') %}
{% set MAINIP = salt['grains.get']('ip_interfaces').get(MAININT)[0] %}
diff --git a/salt/fleet/init.sls b/salt/fleet/init.sls
index e85358542..db3414a18 100644
--- a/salt/fleet/init.sls
+++ b/salt/fleet/init.sls
@@ -134,4 +134,9 @@ so-fleet:
- watch:
- /opt/so/conf/fleet/etc
+append_so-fleet_so-status.conf:
+ file.append:
+ - name: /opt/so/conf/so-status/so-status.conf
+ - text: so-fleet
+
{% endif %}
\ No newline at end of file
diff --git a/salt/freqserver/init.sls b/salt/freqserver/init.sls
index 668e33079..5ff454bcc 100644
--- a/salt/freqserver/init.sls
+++ b/salt/freqserver/init.sls
@@ -56,6 +56,11 @@ so-freq:
- binds:
- /opt/so/log/freq_server:/var/log/freq_server:rw
+append_so-freq_so-status.conf:
+ file.append:
+ - name: /opt/so/conf/so-status/so-status.conf
+ - text: so-freq
+
{% else %}
freqserver_state_not_allowed:
diff --git a/salt/grafana/init.sls b/salt/grafana/init.sls
index 39c2cc26c..8fe88f354 100644
--- a/salt/grafana/init.sls
+++ b/salt/grafana/init.sls
@@ -236,6 +236,11 @@ so-grafana:
- watch:
- file: /opt/so/conf/grafana/*
+append_so-grafana_so-status.conf:
+ file.append:
+ - name: /opt/so/conf/so-status/so-status.conf
+ - text: so-grafana
+
{% endif %}
{% else %}
diff --git a/salt/idstools/init.sls b/salt/idstools/init.sls
index f3f040895..2aacb973d 100644
--- a/salt/idstools/init.sls
+++ b/salt/idstools/init.sls
@@ -76,6 +76,11 @@ so-idstools:
- watch:
- file: idstoolsetcsync
+append_so-idstools_so-status.conf:
+ file.append:
+ - name: /opt/so/conf/so-status/so-status.conf
+ - text: so-idstools
+
{% else %}
idstools_state_not_allowed:
diff --git a/salt/influxdb/init.sls b/salt/influxdb/init.sls
index 669c9e9eb..9dc7ee692 100644
--- a/salt/influxdb/init.sls
+++ b/salt/influxdb/init.sls
@@ -54,6 +54,11 @@ so-influxdb:
- watch:
- file: influxdbconf
+append_so-influxdb_so-status.conf:
+ file.append:
+ - name: /opt/so/conf/so-status/so-status.conf
+ - text: so-influxdb
+
{% endif %}
{% else %}
diff --git a/salt/kibana/init.sls b/salt/kibana/init.sls
index 7f91719d4..02e76495d 100644
--- a/salt/kibana/init.sls
+++ b/salt/kibana/init.sls
@@ -90,6 +90,11 @@ so-kibana:
- port_bindings:
- 0.0.0.0:5601:5601
+append_so-kibana_so-status.conf:
+ file.append:
+ - name: /opt/so/conf/so-status/so-status.conf
+ - text: so-kibana
+
kibanadashtemplate:
file.managed:
- name: /opt/so/conf/kibana/saved_objects.ndjson.template
diff --git a/salt/logstash/init.sls b/salt/logstash/init.sls
index cec84bbc1..e23e4eef2 100644
--- a/salt/logstash/init.sls
+++ b/salt/logstash/init.sls
@@ -202,6 +202,11 @@ so-logstash:
- file: es_template_{{TEMPLATE.split('.')[0] | replace("/","_") }}
{% endfor %}
+append_so-logstash_so-status.conf:
+ file.append:
+ - name: /opt/so/conf/so-status/so-status.conf
+ - text: so-logstash
+
{% else %}
logstash_state_not_allowed:
diff --git a/salt/manager/init.sls b/salt/manager/init.sls
index 66e614b62..b506d06bf 100644
--- a/salt/manager/init.sls
+++ b/salt/manager/init.sls
@@ -81,6 +81,11 @@ so-aptcacherng:
- /opt/so/log/aptcacher-ng:/var/log/apt-cacher-ng:rw
- /opt/so/conf/aptcacher-ng/etc/acng.conf:/etc/apt-cacher-ng/acng.conf:ro
+append_so-aptcacherng_so-status.conf:
+ file.append:
+ - name: /opt/so/conf/so-status/so-status.conf
+ - text: so-aptcacherng
+
{% endif %}
strelka_yara_update:
diff --git a/salt/minio/init.sls b/salt/minio/init.sls
index c1a681747..484eac1f9 100644
--- a/salt/minio/init.sls
+++ b/salt/minio/init.sls
@@ -62,6 +62,11 @@ so-minio:
- /etc/pki/minio.crt:/.minio/certs/public.crt:ro
- entrypoint: "/usr/bin/docker-entrypoint.sh server --certs-dir /.minio/certs --address :9595 /data"
+append_so-minio_so-status.conf:
+ file.append:
+ - name: /opt/so/conf/so-status/so-status.conf
+ - text: so-minio
+
{% else %}
minio_state_not_allowed:
diff --git a/salt/mysql/init.sls b/salt/mysql/init.sls
index 818b5c303..5fb187ab8 100644
--- a/salt/mysql/init.sls
+++ b/salt/mysql/init.sls
@@ -94,9 +94,20 @@ so-mysql:
- /opt/so/conf/mysql/etc
cmd.run:
- name: until nc -z {{ MAINIP }} 3306; do sleep 1; done
- - timeout: 900
+ - timeout: 600
- onchanges:
- docker_container: so-mysql
+ module.run:
+ - so.mysql_conn:
+ - retry: 300
+ - onchanges:
+ - cmd: so-mysql
+
+append_so-mysql_so-status.conf:
+ file.append:
+ - name: /opt/so/conf/so-status/so-status.conf
+ - text: so-mysql
+
{% endif %}
{% else %}
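Review bot: `so.mysql_conn` returns `False` after exhausting `retry` instead of raising, and the new `module.run` block carries no result handling of its own, so whether an unreachable MySQL actually fails the `so-mysql` state depends on how this Salt version's module.run interprets a bare `False` return; confirm that, or have the module raise `CommandExecutionError` from `salt.exceptions` so the failure cannot be reduced to a log line. With `retry: 300` and the module's one-second sleep the state can block for five minutes plus per-attempt connect time on top of the `until nc -z` wait (now capped at 600 s), which deserves a comment next to the value so the two timeouts are kept in step.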
diff --git a/salt/nginx/init.sls b/salt/nginx/init.sls
index 9a63ead6c..8d6dd46f7 100644
--- a/salt/nginx/init.sls
+++ b/salt/nginx/init.sls
@@ -98,6 +98,11 @@ so-nginx:
- file: nginxconf
- file: nginxconfdir
+append_so-nginx_so-status.conf:
+ file.append:
+ - name: /opt/so/conf/so-status/so-status.conf
+ - text: so-nginx
+
{% else %}
nginx_state_not_allowed:
diff --git a/salt/nodered/init.sls b/salt/nodered/init.sls
index 8b583bf91..a594c23d9 100644
--- a/salt/nodered/init.sls
+++ b/salt/nodered/init.sls
@@ -74,6 +74,11 @@ so-nodered:
- port_bindings:
- 0.0.0.0:1880:1880
+append_so-nodered_so-status.conf:
+ file.append:
+ - name: /opt/so/conf/so-status/so-status.conf
+ - text: so-nodered
+
so-nodered-flows:
cmd.run:
- name: /usr/sbin/so-nodered-load-flows
diff --git a/salt/pcap/init.sls b/salt/pcap/init.sls
index ade70d718..5a13c1231 100644
--- a/salt/pcap/init.sls
+++ b/salt/pcap/init.sls
@@ -152,6 +152,24 @@ so-steno:
- watch:
- file: /opt/so/conf/steno/config
+append_so-steno_so-status.conf:
+ file.append:
+ - name: /opt/so/conf/so-status/so-status.conf
+ - text: so-steno
+ - unless: grep so-steno /opt/so/conf/so-status/so-status.conf
+
+ {% if STENOOPTIONS.status == 'running' %}
+delete_so-steno_so-status.disabled:
+ file.uncomment:
+ - name: /opt/so/conf/so-status/so-status.conf
+ - regex: ^so-steno$
+ {% elif STENOOPTIONS.status == 'stopped' %}
+so-steno_so-status.disabled:
+ file.comment:
+ - name: /opt/so/conf/so-status/so-status.conf
+ - regex: ^so-steno$
+ {% endif %}
+
so-sensoroni:
docker_container.running:
- image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-soc:{{ VERSION }}
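Review bot: `file.comment` and `file.uncomment` keep their default `backup: .bak`, so every status toggle of so-steno leaves a `so-status.conf.bak` next to the live file in /opt/so/conf/so-status; add `- backup: False` to both states unless that copy is wanted. The `unless: grep so-steno ...` on the append state is unanchored, so it matches any line containing that substring (including the commented `#so-steno`, which is presumably the point), and it is the only append state in this commit that carries an explicit guard — the others rely on `file.append`'s own already-present check — so either the guard is redundant here or missing elsewhere; a short comment explaining why steno differs would help. The `so-steno` state these lines extend starts outside this hunk.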
@@ -166,6 +184,11 @@ so-sensoroni:
- watch:
- file: /opt/so/conf/sensoroni/sensoroni.json
+append_so-sensoroni_so-status.conf:
+ file.append:
+ - name: /opt/so/conf/so-status/so-status.conf
+ - text: so-sensoroni
+
{% else %}
pcap_state_not_allowed:
diff --git a/salt/playbook/init.sls b/salt/playbook/init.sls
index eb009b23e..46cd33f17 100644
--- a/salt/playbook/init.sls
+++ b/salt/playbook/init.sls
@@ -93,6 +93,11 @@ so-playbook:
- port_bindings:
- 0.0.0.0:3200:3000
+append_so-playbook_so-status.conf:
+ file.append:
+ - name: /opt/so/conf/so-status/so-status.conf
+ - text: so-playbook
+
{% endif %}
so-playbooksynccron:
diff --git a/salt/reactor/fleet.sls b/salt/reactor/fleet.sls
index a32fb5cfd..a4226b027 100644
--- a/salt/reactor/fleet.sls
+++ b/salt/reactor/fleet.sls
@@ -31,16 +31,17 @@ def run():
print(line)
# Update the enroll secret in the secrets pillar
- for line in fileinput.input(SECRETSFILE, inplace=True):
- line = re.sub(r'fleet_enroll-secret: \S*', f"fleet_enroll-secret: {ESECRET}", line.rstrip())
- print(line)
+ if ESECRET != "":
+ for line in fileinput.input(SECRETSFILE, inplace=True):
+ line = re.sub(r'fleet_enroll-secret: \S*', f"fleet_enroll-secret: {ESECRET}", line.rstrip())
+ print(line)
- # Update the Fleet host in the static pillar
+ # Update the Fleet host in the static pillar
for line in fileinput.input(STATICFILE, inplace=True):
line = re.sub(r'fleet_hostname: \S*', f"fleet_hostname: '{HOSTNAME}'", line.rstrip())
print(line)
- # Update the Fleet IP in the static pillar
+ # Update the Fleet IP in the static pillar
for line in fileinput.input(STATICFILE, inplace=True):
line = re.sub(r'fleet_ip: \S*', f"fleet_ip: '{MAINIP}'", line.rstrip())
print(line)
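Review bot: The new `if ESECRET != "":` guard silently skips rewriting `fleet_enroll-secret` when the secret came back empty, leaving whatever value the secrets pillar already held with no trace that the update was skipped; add an `else:` branch that reports it, e.g. `else: print(f"empty fleet enroll secret, {SECRETSFILE} left unchanged")` (the file already uses `print` for its output, assuming the renderer's stdout is captured somewhere useful). The replacement `f"fleet_enroll-secret: {ESECRET}"` is also interpreted by `re.sub` for backslash escapes and group references, so a secret containing a backslash would be altered on write; passing a callable, `lambda m: f"fleet_enroll-secret: {ESECRET}"`, writes it verbatim. Stylistically `if ESECRET:` reads cleaner than the comparison with `""`. `run()` starts outside this hunk.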
diff --git a/salt/redis/init.sls b/salt/redis/init.sls
index 1b7611eab..57f189865 100644
--- a/salt/redis/init.sls
+++ b/salt/redis/init.sls
@@ -70,6 +70,11 @@ so-redis:
- watch:
- file: /opt/so/conf/redis/etc
+append_so-redis_so-status.conf:
+ file.append:
+ - name: /opt/so/conf/so-status/so-status.conf
+ - text: so-redis
+
{% else %}
redis_state_not_allowed:
diff --git a/salt/registry/init.sls b/salt/registry/init.sls
index c98577ca2..c456aa0c4 100644
--- a/salt/registry/init.sls
+++ b/salt/registry/init.sls
@@ -57,6 +57,11 @@ so-dockerregistry:
- /etc/pki/registry.crt:/etc/pki/registry.crt:ro
- /etc/pki/registry.key:/etc/pki/registry.key:ro
+append_so-dockerregistry_so-status.conf:
+ file.append:
+ - name: /opt/so/conf/so-status/so-status.conf
+ - text: so-dockerregistry
+
{% else %}
registry_state_not_allowed:
diff --git a/salt/soc/init.sls b/salt/soc/init.sls
index 012dae330..cc8aee048 100644
--- a/salt/soc/init.sls
+++ b/salt/soc/init.sls
@@ -67,6 +67,11 @@ so-soc:
- watch:
- file: /opt/so/conf/soc/*
+append_so-soc_so-status.conf:
+ file.append:
+ - name: /opt/so/conf/so-status/so-status.conf
+ - text: so-soc
+
# Add Kratos Group
kratosgroup:
group.present:
@@ -119,6 +124,11 @@ so-kratos:
- watch:
- file: /opt/so/conf/kratos
+append_so-kratos_so-status.conf:
+ file.append:
+ - name: /opt/so/conf/so-status/so-status.conf
+ - text: so-kratos
+
{% else %}
soc_state_not_allowed:
diff --git a/salt/soctopus/init.sls b/salt/soctopus/init.sls
index 2c9e721ac..2137a4511 100644
--- a/salt/soctopus/init.sls
+++ b/salt/soctopus/init.sls
@@ -73,6 +73,11 @@ so-soctopus:
- extra_hosts:
- {{MANAGER_URL}}:{{MANAGER_IP}}
+append_so-soctopus_so-status.conf:
+ file.append:
+ - name: /opt/so/conf/so-status/so-status.conf
+ - text: so-soctopus
+
{% else %}
soctopus_state_not_allowed:
diff --git a/salt/strelka/init.sls b/salt/strelka/init.sls
index dabd58fe5..8748cbe50 100644
--- a/salt/strelka/init.sls
+++ b/salt/strelka/init.sls
@@ -87,6 +87,11 @@ strelka_coordinator:
- port_bindings:
- 0.0.0.0:6380:6379
+append_so-strelka-coordinator_so-status.conf:
+ file.append:
+ - name: /opt/so/conf/so-status/so-status.conf
+ - text: so-strelka-coordinator
+
strelka_gatekeeper:
docker_container.running:
- image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-redis:{{ VERSION }}
@@ -95,6 +100,11 @@ strelka_gatekeeper:
- port_bindings:
- 0.0.0.0:6381:6379
+append_so-strelka-gatekeeper_so-status.conf:
+ file.append:
+ - name: /opt/so/conf/so-status/so-status.conf
+ - text: so-strelka-gatekeeper
+
strelka_frontend:
docker_container.running:
- image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-strelka-frontend:{{ VERSION }}
@@ -107,6 +117,11 @@ strelka_frontend:
- port_bindings:
- 0.0.0.0:57314:57314
+append_so-strelka-frontend_so-status.conf:
+ file.append:
+ - name: /opt/so/conf/so-status/so-status.conf
+ - text: so-strelka-frontend
+
strelka_backend:
docker_container.running:
- image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-strelka-backend:{{ VERSION }}
@@ -117,6 +132,11 @@ strelka_backend:
- command: strelka-backend
- restart_policy: on-failure
+append_so-strelka-backend_so-status.conf:
+ file.append:
+ - name: /opt/so/conf/so-status/so-status.conf
+ - text: so-strelka-backend
+
strelka_manager:
docker_container.running:
- image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-strelka-manager:{{ VERSION }}
@@ -125,6 +145,11 @@ strelka_manager:
- name: so-strelka-manager
- command: strelka-manager
+append_so-strelka-manager_so-status.conf:
+ file.append:
+ - name: /opt/so/conf/so-status/so-status.conf
+ - text: so-strelka-manager
+
strelka_filestream:
docker_container.running:
- image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-strelka-filestream:{{ VERSION }}
@@ -133,6 +158,11 @@ strelka_filestream:
- /nsm/strelka:/nsm/strelka
- name: so-strelka-filestream
- command: strelka-filestream
+
+append_so-strelka-filestream_so-status.conf:
+ file.append:
+ - name: /opt/so/conf/so-status/so-status.conf
+ - text: so-strelka-filestream
strelka_zeek_extracted_sync:
cron.present:
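Review bot: The `append_so-strelka-filestream_so-status.conf` state is separated from the container state above it by a blank line but runs straight into `strelka_zeek_extracted_sync:` below, whereas every other append state added in this file puts the blank line after itself. YAML does not care, but matching the sibling layout (blank line after `- text: so-strelka-filestream`) keeps the file consistent.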
diff --git a/salt/suricata/init.sls b/salt/suricata/init.sls
index 6245b9e51..0c50bb5d1 100644
--- a/salt/suricata/init.sls
+++ b/salt/suricata/init.sls
@@ -163,6 +163,11 @@ so-suricata:
- file: /opt/so/conf/suricata/rules/
- file: /opt/so/conf/suricata/bpf
+append_so-suricata_so-status.conf:
+ file.append:
+ - name: /opt/so/conf/so-status/so-status.conf
+ - text: so-suricata
+
surilogrotate:
file.managed:
- name: /opt/so/conf/suricata/suri-rotate.conf
diff --git a/salt/telegraf/init.sls b/salt/telegraf/init.sls
index bae80c697..8d400ca1e 100644
--- a/salt/telegraf/init.sls
+++ b/salt/telegraf/init.sls
@@ -73,6 +73,11 @@ so-telegraf:
- file: tgrafconf
- file: tgrafsyncscripts
+append_so-telegraf_so-status.conf:
+ file.append:
+ - name: /opt/so/conf/so-status/so-status.conf
+ - text: so-telegraf
+
{% else %}
telegraf_state_not_allowed:
diff --git a/salt/telegraf/scripts/checkfiles.sh b/salt/telegraf/scripts/checkfiles.sh
index a22735696..4b6a8493a 100644
--- a/salt/telegraf/scripts/checkfiles.sh
+++ b/salt/telegraf/scripts/checkfiles.sh
@@ -1,4 +1,28 @@
#!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+APP=checkfiles
+lf=/tmp/$APP-pidLockFile
+# create empty lock file if none exists
+cat /dev/null >> $lf
+read lastPID < $lf
+# if lastPID is not null and a process with that pid exists , exit
+[ ! -z "$lastPID" -a -d /proc/$lastPID ] && exit
+echo $$ > $lf
FILES=$(ls -1x /host/nsm/faf/complete/ | wc -l)
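Review bot: The PID lock added here is racy and not tied to this script: `read lastPID < $lf` followed by `echo $$ > $lf` is a check-then-write with no atomicity, `-d /proc/$lastPID` only proves that some process owns that pid (a stale pid reused by an unrelated long-lived process blocks the collector indefinitely), `$lastPID` is used unquoted and unvalidated straight from a file, and `/tmp/$APP-pidLockFile` is a fixed path in a shared world-writable directory. If util-linux is available in the image, `exec 200>"$lf"` followed by `flock -n 200 || exit` replaces the five lines from `cat /dev/null` to `echo $$`, gives an atomic lock released automatically when the process exits, and needs no pid bookkeeping. Keep the lock file somewhere only this service writes (e.g. under /run) rather than /tmp, and if the pid scheme is kept, at least validate it with `[[ "$lastPID" =~ ^[0-9]+$ ]]` before using it in a path. The same block is duplicated in helixeps.sh, influxdbsize.sh, oldpcap.sh, redis.sh, stenoloss.sh, suriloss.sh, zeekcaptureloss.sh and zeekloss.sh; a shared snippet sourced from each script would keep the fix in one place.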
diff --git a/salt/telegraf/scripts/helixeps.sh b/salt/telegraf/scripts/helixeps.sh
index eee4f65c3..aed559932 100644
--- a/salt/telegraf/scripts/helixeps.sh
+++ b/salt/telegraf/scripts/helixeps.sh
@@ -1,4 +1,28 @@
#!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+APP=helixeps
+lf=/tmp/$APP-pidLockFile
+# create empty lock file if none exists
+cat /dev/null >> $lf
+read lastPID < $lf
+# if lastPID is not null and a process with that pid exists , exit
+[ ! -z "$lastPID" -a -d /proc/$lastPID ] && exit
+echo $$ > $lf
PREVCOUNTFILE='/tmp/helixevents.txt'
EVENTCOUNTCURRENT="$(curl -s localhost:9600/_node/stats | jq '.pipelines.helix.events.out')"
diff --git a/salt/telegraf/scripts/influxdbsize.sh b/salt/telegraf/scripts/influxdbsize.sh
index 7060942ae..4e74c4cf5 100644
--- a/salt/telegraf/scripts/influxdbsize.sh
+++ b/salt/telegraf/scripts/influxdbsize.sh
@@ -1,4 +1,28 @@
#!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+APP=influxsize
+lf=/tmp/$APP-pidLockFile
+# create empty lock file if none exists
+cat /dev/null >> $lf
+read lastPID < $lf
+# if lastPID is not null and a process with that pid exists , exit
+[ ! -z "$lastPID" -a -d /proc/$lastPID ] && exit
+echo $$ > $lf
INFLUXSIZE=$(du -s -k /host/nsm/influxdb | awk {'print $1'})
diff --git a/salt/telegraf/scripts/oldpcap.sh b/salt/telegraf/scripts/oldpcap.sh
index 970c47589..b8d383112 100644
--- a/salt/telegraf/scripts/oldpcap.sh
+++ b/salt/telegraf/scripts/oldpcap.sh
@@ -1,4 +1,28 @@
#!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+APP=oldpcap
+lf=/tmp/$APP-pidLockFile
+# create empty lock file if none exists
+cat /dev/null >> $lf
+read lastPID < $lf
+# if lastPID is not null and a process with that pid exists , exit
+[ ! -z "$lastPID" -a -d /proc/$lastPID ] && exit
+echo $$ > $lf
# Get the data
OLDPCAP=$(find /host/nsm/pcap -type f -exec stat -c'%n %Z' {} + | sort | grep -v "\." | head -n 1 | awk {'print $2'})
diff --git a/salt/telegraf/scripts/redis.sh b/salt/telegraf/scripts/redis.sh
index a91e1f2dc..9f5dbd37f 100644
--- a/salt/telegraf/scripts/redis.sh
+++ b/salt/telegraf/scripts/redis.sh
@@ -1,4 +1,29 @@
#!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+
+APP=redis
+lf=/tmp/$APP-pidLockFile
+# create empty lock file if none exists
+cat /dev/null >> $lf
+read lastPID < $lf
+# if lastPID is not null and a process with that pid exists , exit
+[ ! -z "$lastPID" -a -d /proc/$lastPID ] && exit
+echo $$ > $lf
UNPARSED=$(redis-cli llen logstash:unparsed | awk '{print $1}')
PARSED=$(redis-cli llen logstash:parsed | awk '{print $1}')
diff --git a/salt/telegraf/scripts/stenoloss.sh b/salt/telegraf/scripts/stenoloss.sh
index 1b60f0517..d078284a4 100644
--- a/salt/telegraf/scripts/stenoloss.sh
+++ b/salt/telegraf/scripts/stenoloss.sh
@@ -1,4 +1,29 @@
#!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+
+APP=stenoloss
+lf=/tmp/$APP-pidLockFile
+# create empty lock file if none exists
+cat /dev/null >> $lf
+read lastPID < $lf
+# if lastPID is not null and a process with that pid exists , exit
+[ ! -z "$lastPID" -a -d /proc/$lastPID ] && exit
+echo $$ > $lf
# Get the data
DROP=$(tac /var/log/stenographer/stenographer.log | grep -m1 drop | awk '{print $14}' | awk -F "=" '{print $2}')
diff --git a/salt/telegraf/scripts/suriloss.sh b/salt/telegraf/scripts/suriloss.sh
index 48745c161..cc2cff94c 100644
--- a/salt/telegraf/scripts/suriloss.sh
+++ b/salt/telegraf/scripts/suriloss.sh
@@ -1,4 +1,29 @@
#!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+
+APP=suriloss
+lf=/tmp/$APP-pidLockFile
+# create empty lock file if none exists
+cat /dev/null >> $lf
+read lastPID < $lf
+# if lastPID is not null and a process with that pid exists , exit
+[ ! -z "$lastPID" -a -d /proc/$lastPID ] && exit
+echo $$ > $lf
SURILOG=$(tac /var/log/suricata/stats.log | grep kernel | head -4)
CHECKIT=$(echo $SURILOG | grep -o 'drop' | wc -l)
diff --git a/salt/telegraf/scripts/zeekcaptureloss.sh b/salt/telegraf/scripts/zeekcaptureloss.sh
index a2e350212..36962e109 100644
--- a/salt/telegraf/scripts/zeekcaptureloss.sh
+++ b/salt/telegraf/scripts/zeekcaptureloss.sh
@@ -1,6 +1,32 @@
#!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+
# This script returns the average of all the workers average capture loss to telegraf / influxdb in influx format include nanosecond precision timestamp
+APP=zeekcaploss
+lf=/tmp/$APP-pidLockFile
+# create empty lock file if none exists
+cat /dev/null >> $lf
+read lastPID < $lf
+# if lastPID is not null and a process with that pid exists , exit
+[ ! -z "$lastPID" -a -d /proc/$lastPID ] && exit
+echo $$ > $lf
+
if [ -d "/host/nsm/zeek/spool/logger" ]; then
WORKERS={{ salt['pillar.get']('sensor:zeek_lbprocs', salt['pillar.get']('sensor:zeek_pins') | length) }}
ZEEKLOG=/host/nsm/zeek/spool/logger/capture_loss.log
@@ -23,4 +49,4 @@ if [ -f "$ZEEKLOG" ]; then
fi
fi
echo "$CURRENTTS" > $LASTCAPTURELOSSLOG
-fi
\ No newline at end of file
+fi
diff --git a/salt/telegraf/scripts/zeekloss.sh b/salt/telegraf/scripts/zeekloss.sh
index 579fdf9f2..9a64ef4dd 100644
--- a/salt/telegraf/scripts/zeekloss.sh
+++ b/salt/telegraf/scripts/zeekloss.sh
@@ -1,5 +1,31 @@
#!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
# This script returns the packets dropped by Zeek, but it isn't a percentage. $LOSS * 100 would be the percentage
+
+APP=zeekloss
+lf=/tmp/$APP-pidLockFile
+# create empty lock file if none exists
+cat /dev/null >> $lf
+read lastPID < $lf
+# if lastPID is not null and a process with that pid exists , exit
+[ ! -z "$lastPID" -a -d /proc/$lastPID ] && exit
+echo $$ > $lf
+
ZEEKLOG=$(tac /host/nsm/zeek/logs/packetloss.log | head -2)
declare RESULT=($ZEEKLOG)
CURRENTDROP=${RESULT[3]}
@@ -14,4 +40,4 @@ else
TOTAL=$((CURRENTPACKETS - PASTPACKETS))
LOSS=$(echo $DROPPED $TOTAL / p | dc)
echo "zeekdrop drop=$LOSS"
-fi
\ No newline at end of file
+fi
diff --git a/salt/thehive/init.sls b/salt/thehive/init.sls
index 443ac9a8f..e695c237f 100644
--- a/salt/thehive/init.sls
+++ b/salt/thehive/init.sls
@@ -102,6 +102,11 @@ so-thehive-es:
- 0.0.0.0:9400:9400
- 0.0.0.0:9500:9500
+append_so-thehive-es_so-status.conf:
+ file.append:
+ - name: /opt/so/conf/so-status/so-status.conf
+ - text: so-thehive-es
+
# Install Cortex
so-cortex:
docker_container.running:
@@ -116,6 +121,11 @@ so-cortex:
- port_bindings:
- 0.0.0.0:9001:9001
+append_so-cortex_so-status.conf:
+ file.append:
+ - name: /opt/so/conf/so-status/so-status.conf
+ - text: so-cortex
+
cortexscript:
cmd.script:
- source: salt://thehive/scripts/cortex_init
@@ -136,6 +146,11 @@ so-thehive:
- port_bindings:
- 0.0.0.0:9000:9000
+append_so-thehive_so-status.conf:
+ file.append:
+ - name: /opt/so/conf/so-status/so-status.conf
+ - text: so-thehive
+
thehivescript:
cmd.script:
- source: salt://thehive/scripts/hive_init
diff --git a/salt/top.sls b/salt/top.sls
index 36fd171e1..d707af003 100644
--- a/salt/top.sls
+++ b/salt/top.sls
@@ -6,6 +6,13 @@
{% set DOMAINSTATS = salt['pillar.get']('manager:domainstats', '0') %}
{% set FLEETMANAGER = salt['pillar.get']('global:fleet_manager', False) %}
{% set FLEETNODE = salt['pillar.get']('global:fleet_node', False) %}
+{% set ELASTALERT = salt['pillar.get']('elastalert:enabled', True) %}
+{% set ELASTICSEARCH = salt['pillar.get']('elasticsearch:enabled', True) %}
+{% set FILEBEAT = salt['pillar.get']('filebeat:enabled', True) %}
+{% set KIBANA = salt['pillar.get']('kibana:enabled', True) %}
+{% set LOGSTASH = salt['pillar.get']('logstash:enabled', True) %}
+{% set CURATOR = salt['pillar.get']('curator:enabled', True) %}
+{% set REDIS = salt['pillar.get']('redis:enabled', True) %}
{% set STRELKA = salt['pillar.get']('strelka:enabled', '0') %}
{% set ISAIRGAP = salt['pillar.get']('global:airgap', 'False') %}
{% import_yaml 'salt/minion.defaults.yaml' as saltversion %}
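Review bot: The seven new `*:enabled` flags default to the YAML boolean `True`, while the neighbouring flags in this block (`STRELKA`, `ISAIRGAP`) use string sentinels such as `'0'` and `'False'`; a pillar author following the existing convention who writes `logstash:enabled: 'False'` gets a non-empty string, which the later `{%- if LOGSTASH %}` guards treat as true, and the state is still applied. Either normalise the values once here or add a comment above the block, e.g. `{# *:enabled flags must be unquoted YAML booleans; a quoted 'False' is truthy #}`.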
@@ -42,7 +49,6 @@ base:
- salt.master
- ca
- ssl
- - common
- registry
- telegraf
- firewall
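Review bot: `- common` is dropped from every target in this file (this hunk and the later ones), yet the `file.append` states added across this commit all write to /opt/so/conf/so-status/so-status.conf, and the setup script now pre-creates that file by hand so the registry state can append to it — which suggests those states depend on the directory and file being set up first. If `common` is now reached through `include:` from the individual states, the commit description should say so; otherwise each append state should carry a `- require:` on the state that creates the file, so the ordering is explicit rather than implied by the top file.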
@@ -52,15 +58,18 @@ base:
- suricata
- zeek
- redis
+ {%- if LOGSTASH %}
- logstash
+ {%- endif %}
+ {%- if FILEBEAT %}
- filebeat
+ {%- endif %}
- schedule
'*_sensor and G@saltversion:{{saltversion}}':
- match: compound
- ca
- ssl
- - common
- telegraf
- firewall
- nginx
@@ -86,7 +95,6 @@ base:
- salt.master
- ca
- ssl
- - common
- registry
- manager
- nginx
@@ -98,14 +106,18 @@ base:
- idstools
- suricata.manager
- healthcheck
- {%- if FLEETMANAGER or FLEETNODE or PLAYBOOK != 0 %}
+ {%- if (FLEETMANAGER or FLEETNODE) or PLAYBOOK != 0 %}
- mysql
{%- endif %}
{%- if WAZUH != 0 %}
- wazuh
{%- endif %}
+ {%- if ELASTICSEARCH %}
- elasticsearch
+ {%- endif %}
+ {%- if KIBANA %}
- kibana
+ {%- endif %}
- pcap
- suricata
{%- if ZEEKVER != 'SURICATA' %}
@@ -114,9 +126,15 @@ base:
{%- if STRELKA %}
- strelka
{%- endif %}
+ {%- if FILEBEAT %}
- filebeat
+ {%- endif %}
+ {%- if CURATOR %}
- curator
+ {%- endif %}
+ {%- if ELASTALERT %}
- elastalert
+ {%- endif %}
{%- if FLEETMANAGER or FLEETNODE %}
- fleet
- redis
@@ -145,7 +163,6 @@ base:
- salt.master
- ca
- ssl
- - common
- registry
- nginx
- telegraf
@@ -156,18 +173,30 @@ base:
- manager
- idstools
- suricata.manager
- {%- if FLEETMANAGER or FLEETNODE or PLAYBOOK != 0 %}
+ {%- if (FLEETMANAGER or FLEETNODE) or PLAYBOOK != 0 %}
- mysql
{%- endif %}
{%- if WAZUH != 0 %}
- wazuh
{%- endif %}
+ {%- if ELASTICSEARCH %}
- elasticsearch
+ {%- endif %}
+ {%- if LOGSTASH %}
- logstash
+ {%- endif %}
+ {%- if REDIS %}
- redis
+ {%- endif %}
+ {%- if KIBANA %}
- kibana
+ {%- endif %}
+ {%- if ELASTALERT %}
- elastalert
+ {%- endif %}
+ {%- if FILEBEAT %}
- filebeat
+ {%- endif %}
- utility
- schedule
{%- if FLEETMANAGER or FLEETNODE %}
@@ -194,7 +223,6 @@ base:
- salt.master
- ca
- ssl
- - common
- registry
- manager
- nginx
@@ -206,16 +234,24 @@ base:
- idstools
- suricata.manager
- healthcheck
- {%- if FLEETMANAGER or FLEETNODE or PLAYBOOK != 0 %}
+ {%- if (FLEETMANAGER or FLEETNODE) or PLAYBOOK != 0 %}
- mysql
{%- endif %}
{%- if WAZUH != 0 %}
- wazuh
{%- endif %}
+ {%- if ELASTICSEARCH %}
- elasticsearch
+ {%- endif %}
+ {%- if LOGSTASH %}
- logstash
+ {%- endif %}
+ {%- if REDIS %}
- redis
+ {%- endif %}
+ {%- if KIBANA %}
- kibana
+ {%- endif %}
- pcap
- suricata
{%- if ZEEKVER != 'SURICATA' %}
@@ -224,9 +260,15 @@ base:
{%- if STRELKA %}
- strelka
{%- endif %}
+ {%- if FILEBEAT %}
- filebeat
+ {%- endif %}
+ {%- if CURATOR %}
- curator
+ {%- endif %}
+ {%- if ELASTALERT %}
- elastalert
+ {%- endif %}
{%- if FLEETMANAGER or FLEETNODE %}
- fleet
- fleet.install_package
@@ -252,9 +294,10 @@ base:
'*_node and I@node:node_type:parser and G@saltversion:{{saltversion}}':
- match: compound
- - common
- firewall
+ {%- if LOGSTASH %}
- logstash
+ {%- endif %}
{%- if FLEETMANAGER or FLEETNODE %}
- fleet.install_package
{%- endif %}
@@ -263,10 +306,13 @@ base:
'*_node and I@node:node_type:hot and G@saltversion:{{saltversion}}':
- match: compound
- - common
- firewall
+ {%- if LOGSTASH %}
- logstash
+ {%- endif %}
+ {%- if CURATOR %}
- curator
+ {%- endif %}
{%- if FLEETMANAGER or FLEETNODE %}
- fleet.install_package
{%- endif %}
@@ -275,9 +321,10 @@ base:
'*_node and I@node:node_type:warm and G@saltversion:{{saltversion}}':
- match: compound
- - common
- firewall
+ {%- if ELASTICSEARCH %}
- elasticsearch
+ {%- endif %}
{%- if FLEETMANAGER or FLEETNODE %}
- fleet.install_package
{%- endif %}
@@ -288,17 +335,24 @@ base:
- match: compound
- ca
- ssl
- - common
- nginx
- telegraf
- firewall
{%- if WAZUH != 0 %}
- wazuh
{%- endif %}
+ {%- if ELASTICSEARCH %}
- elasticsearch
+ {%- endif %}
+ {%- if LOGSTASH %}
- logstash
+ {%- endif %}
+ {%- if CURATOR %}
- curator
+ {%- endif %}
+ {%- if FILEBEAT %}
- filebeat
+ {%- endif %}
{%- if FLEETMANAGER or FLEETNODE %}
- fleet.install_package
{%- endif %}
@@ -307,7 +361,6 @@ base:
'*_managersensor and G@saltversion:{{saltversion}}':
- match: compound
- - common
- nginx
- telegraf
- influxdb
@@ -326,7 +379,6 @@ base:
- salt.master
- ca
- ssl
- - common
- registry
- nginx
- telegraf
@@ -337,19 +389,34 @@ base:
- manager
- idstools
- suricata.manager
- {%- if FLEETMANAGER or FLEETNODE or PLAYBOOK != 0 %}
+ {%- if (FLEETMANAGER or FLEETNODE) or PLAYBOOK != 0 %}
- mysql
{%- endif %}
{%- if WAZUH != 0 %}
- wazuh
{%- endif %}
+ {%- if ELASTICSEARCH %}
- elasticsearch
+ {%- endif %}
+ {%- if LOGSTASH %}
- logstash
+ {%- endif %}
+ {%- if REDIS %}
- redis
+ {%- endif %}
+ {%- if CURATOR %}
- curator
+ {%- endif %}
+ {%- if KIBANA %}
- kibana
+ {%- endif %}
+ {%- if ELASTALERT %}
- elastalert
+ {%- endif %}
+ {%- if FILEBEAT %}
- filebeat
+ {%- endif %}
+
- utility
- schedule
{%- if FLEETMANAGER or FLEETNODE %}
@@ -375,18 +442,27 @@ base:
- match: compound
- ca
- ssl
- - common
- nginx
- telegraf
- firewall
{%- if WAZUH != 0 %}
- wazuh
{%- endif %}
+ {%- if ELASTICSEARCH %}
- elasticsearch
+ {%- endif %}
+ {%- if LOGSTASH %}
- logstash
+ {%- endif %}
+ {%- if REDIS %}
- redis
+ {%- endif %}
+ {%- if CURATOR %}
- curator
+ {%- endif %}
+ {%- if FILEBEAT %}
- filebeat
+ {%- endif %}
{%- if STRELKA %}
- strelka
{%- endif %}
@@ -398,7 +474,9 @@ base:
{%- if ZEEKVER != 'SURICATA' %}
- zeek
{%- endif %}
+ {%- if FILEBEAT %}
- filebeat
+ {%- endif %}
- schedule
- docker_clean
@@ -406,7 +484,6 @@ base:
- match: compound
- ca
- ssl
- - common
- nginx
- telegraf
- firewall
@@ -422,7 +499,6 @@ base:
- salt.master
- ca
- ssl
- - common
- registry
- manager
- nginx
@@ -431,9 +507,15 @@ base:
- idstools
- suricata.manager
- pcap
+ {%- if ELASTICSEARCH %}
- elasticsearch
+ {%- endif %}
+ {%- if KIBANA %}
- kibana
+ {%- endif %}
+ {%- if FILEBEAT %}
- filebeat
+ {%- endif %}
- utility
- suricata
- zeek
diff --git a/salt/wazuh/init.sls b/salt/wazuh/init.sls
index 03cd3f89e..e8e40c720 100644
--- a/salt/wazuh/init.sls
+++ b/salt/wazuh/init.sls
@@ -110,6 +110,11 @@ so-wazuh:
- binds:
- /nsm/wazuh:/var/ossec/data:rw
+append_so-wazuh_so-status.conf:
+ file.append:
+ - name: /opt/so/conf/so-status/so-status.conf
+ - text: so-wazuh
+
# Register the agent
registertheagent:
cmd.run:
diff --git a/salt/zeek/init.sls b/salt/zeek/init.sls
index 712ca53fd..f6edae136 100644
--- a/salt/zeek/init.sls
+++ b/salt/zeek/init.sls
@@ -196,6 +196,11 @@ so-zeek:
- file: /opt/so/conf/zeek/policy
- file: /opt/so/conf/zeek/bpf
+append_so-zeek_so-status.conf:
+ file.append:
+ - name: /opt/so/conf/so-status/so-status.conf
+ - text: so-zeek
+
{% else %}
zeek_state_not_allowed:
diff --git a/setup/so-common-functions b/setup/so-common-functions
index c3df787cc..0afd732ce 100644
--- a/setup/so-common-functions
+++ b/setup/so-common-functions
@@ -18,12 +18,22 @@ filter_unused_nics() {
fi
# Finally, set filtered_nics to any NICs we aren't using (and ignore interfaces that aren't of use)
- filtered_nics=$(ip link| awk -F: '$0 !~ "lo|vir|veth|br|docker|wl|^[^0-9]"{print $2}' | grep -vwe "$grep_string" | sed 's/ //g')
+ filtered_nics=$(ip link | awk -F: '$0 !~ "lo|vir|veth|br|docker|wl|^[^0-9]"{print $2}' | grep -vwe "$grep_string" | sed 's/ //g')
readarray -t filtered_nics <<< "$filtered_nics"
nic_list=()
for nic in "${filtered_nics[@]}"; do
- nic_list+=("$nic" "" "OFF")
+ case $(cat "/sys/class/net/${nic}/carrier") in
+ 1)
+ nic_list+=("$nic" "Link UP " "OFF")
+ ;;
+ 0)
+ nic_list+=("$nic" "Link DOWN " "OFF")
+ ;;
+ *)
+ nic_list+=("$nic" "Link UNKNOWN " "OFF")
+ ;;
+ esac
done
export nic_list
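Review bot: `cat "/sys/class/net/${nic}/carrier"` typically fails with "Invalid argument" on an interface that is administratively down (the kernel refuses the carrier read until the link is up), so the `*)` branch fires as intended but the error text leaks onto the installer's terminal for every down NIC. Silence it: `case $(cat "/sys/class/net/${nic}/carrier" 2>/dev/null) in`. Since an admin-down interface is the usual state of an unconfigured sniffing NIC, a label such as `Link DOWN/unconfigured` in the `*)` branch would describe it better than `UNKNOWN`. `filter_unused_nics` starts outside this hunk.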
diff --git a/setup/so-functions b/setup/so-functions
index c19490e73..51a9b01c0 100755
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -1729,6 +1729,7 @@ salt_checkin() {
{
salt-call state.apply ca;
salt-call state.apply ssl;
+ salt-call saltutil.sync_modules;
} >> "$setup_log" 2>&1
}
diff --git a/setup/so-setup b/setup/so-setup
index cf180000f..fe69e8148 100755
--- a/setup/so-setup
+++ b/setup/so-setup
@@ -590,6 +590,10 @@ fi
set_progress_str 25 'Configuring firewall'
set_initial_firewall_policy >> $setup_log 2>&1
+ # create these so the registry state can add so-registry to /opt/so/conf/so-status/so-status.conf
+ mkdir -p /opt/so/conf/so-status/
+ touch /opt/so/conf/so-status/so-status.conf
+
if [[ "$setup_type" == 'iso' ]]; then
set_progress_str 26 'Copying containers from iso'
else
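Review bot: The comment says the file is created so the registry state can add `so-registry`, but the registry state in this commit appends `so-dockerregistry` (salt/registry/init.sls); keep the comment in step with the state id so the next reader does not grep for the wrong name. `mkdir -p` and `touch` also create the directory and file root-owned with the installer's default umask, so their final ownership and mode are whatever the state that later manages /opt/so/conf/so-status applies; if that state is expected to run afterwards, a note saying so here makes the hand-off clear, and if not, set the mode explicitly after the `touch`.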
@@ -684,12 +688,9 @@ fi
fi
if [[ "$OSQUERY" = 1 ]]; then
- if [[ "$PLAYBOOK" != 1 ]]; then
- set_progress_str 74 "$(print_salt_state_apply 'mysql')"
- salt-call state.apply -l info mysql >> $setup_log 2>&1
- fi
set_progress_str 75 "$(print_salt_state_apply 'fleet')"
+ salt-call state.apply fleet.event_enable-fleet # enable fleet in the global pillar
salt-call state.apply -l info fleet >> $setup_log 2>&1
set_progress_str 76 "$(print_salt_state_apply 'redis')"
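Review bot: The new `salt-call state.apply fleet.event_enable-fleet` line is the only salt-call in this block without `>> $setup_log 2>&1`, so its full state output (and any error) goes to the installer's console instead of the setup log every sibling call writes to. Append the redirect: `salt-call state.apply fleet.event_enable-fleet >> $setup_log 2>&1 # enable fleet in the global pillar`. Dropping the conditional mysql apply here presumably hands that job to the top file's fleet/playbook rule; if so, a short comment at this spot saying where mysql is now applied would save the next reader a search.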
@@ -701,24 +702,24 @@ fi
salt-call state.apply -l info fleet.event_update-custom-hostname pillar="$pillar_override" >> $setup_log 2>&1
fi
- set_progress_str 74 "$(print_salt_state_apply 'so-fleet-setup')"
+ set_progress_str 78 "$(print_salt_state_apply 'so-fleet-setup')"
so-fleet-setup "$FLEETNODEUSER" "$FLEETNODEPASSWD1" >> $setup_log 2>&1
fi
if [[ "$WAZUH" = 1 ]]; then
- set_progress_str 78 "$(print_salt_state_apply 'wazuh')"
+ set_progress_str 79 "$(print_salt_state_apply 'wazuh')"
salt-call state.apply -l info wazuh >> $setup_log 2>&1
fi
if [[ "$THEHIVE" = 1 ]]; then
- set_progress_str 79 "$(print_salt_state_apply 'thehive')"
+ set_progress_str 80 "$(print_salt_state_apply 'thehive')"
salt-call state.apply -l info thehive >> $setup_log 2>&1
fi
if [[ "$STRELKA" = 1 ]]; then
if [[ $is_sensor ]]; then
- set_progress_str 80 "$(print_salt_state_apply 'strelka')"
+ set_progress_str 81 "$(print_salt_state_apply 'strelka')"
salt-call state.apply -l info strelka >> $setup_log 2>&1
fi
if [[ $STRELKARULES == 1 ]]; then
@@ -727,15 +728,15 @@ fi
fi
if [[ $is_manager || $is_helix || $is_import ]]; then
- set_progress_str 81 "$(print_salt_state_apply 'utility')"
+ set_progress_str 82 "$(print_salt_state_apply 'utility')"
salt-call state.apply -l info utility >> $setup_log 2>&1
fi
if [[ ( $is_helix || $is_manager || $is_node ) && ! $is_eval ]]; then
- set_progress_str 82 "$(print_salt_state_apply 'logstash')"
+ set_progress_str 83 "$(print_salt_state_apply 'logstash')"
salt-call state.apply -l info logstash >> $setup_log 2>&1
- set_progress_str 83 "$(print_salt_state_apply 'filebeat')"
+ set_progress_str 84 "$(print_salt_state_apply 'filebeat')"
salt-call state.apply -l info filebeat >> $setup_log 2>&1
fi
diff --git a/sigs/images/so-acng.sig b/sigs/images/so-acng.sig
new file mode 100644
index 000000000..91c06b7f4
Binary files /dev/null and b/sigs/images/so-acng.sig differ
diff --git a/sigs/images/so-fleet-launcher.sig b/sigs/images/so-fleet-launcher.sig
new file mode 100644
index 000000000..1a9a00a3b
Binary files /dev/null and b/sigs/images/so-fleet-launcher.sig differ
diff --git a/sigs/images/so-fleet.sig b/sigs/images/so-fleet.sig
new file mode 100644
index 000000000..3277719ae
Binary files /dev/null and b/sigs/images/so-fleet.sig differ
diff --git a/sigs/images/so-freqserver.sig b/sigs/images/so-freqserver.sig
new file mode 100644
index 000000000..42f780ca3
Binary files /dev/null and b/sigs/images/so-freqserver.sig differ
diff --git a/sigs/images/so-idstools.sig b/sigs/images/so-idstools.sig
new file mode 100644
index 000000000..74c6d746c
Binary files /dev/null and b/sigs/images/so-idstools.sig differ
diff --git a/sigs/images/so-kratos.sig b/sigs/images/so-kratos.sig
new file mode 100644
index 000000000..7b2b6e9a3
Binary files /dev/null and b/sigs/images/so-kratos.sig differ
diff --git a/sigs/images/so-logstash.sig b/sigs/images/so-logstash.sig
new file mode 100644
index 000000000..33c754f0d
Binary files /dev/null and b/sigs/images/so-logstash.sig differ
diff --git a/sigs/images/so-minio.sig b/sigs/images/so-minio.sig
new file mode 100644
index 000000000..32f77e0e9
Binary files /dev/null and b/sigs/images/so-minio.sig differ
diff --git a/sigs/images/so-mysql.sig b/sigs/images/so-mysql.sig
new file mode 100644
index 000000000..2f2c47f53
Binary files /dev/null and b/sigs/images/so-mysql.sig differ
diff --git a/sigs/images/so-redis.sig b/sigs/images/so-redis.sig
new file mode 100644
index 000000000..0154990b7
Binary files /dev/null and b/sigs/images/so-redis.sig differ
diff --git a/sigs/images/so-soc.sig b/sigs/images/so-soc.sig
new file mode 100644
index 000000000..4b89684bb
Binary files /dev/null and b/sigs/images/so-soc.sig differ
diff --git a/sigs/images/so-soctopus.sig b/sigs/images/so-soctopus.sig
new file mode 100644
index 000000000..256733664
Binary files /dev/null and b/sigs/images/so-soctopus.sig differ
diff --git a/sigs/images/so-strelka-backend.sig b/sigs/images/so-strelka-backend.sig
new file mode 100644
index 000000000..5a54bf2e0
Binary files /dev/null and b/sigs/images/so-strelka-backend.sig differ
diff --git a/sigs/images/so-strelka-filestream.sig b/sigs/images/so-strelka-filestream.sig
new file mode 100644
index 000000000..1bca113cd
Binary files /dev/null and b/sigs/images/so-strelka-filestream.sig differ
diff --git a/sigs/images/so-strelka-frontend.sig b/sigs/images/so-strelka-frontend.sig
new file mode 100644
index 000000000..b8b8dddb3
Binary files /dev/null and b/sigs/images/so-strelka-frontend.sig differ
diff --git a/sigs/images/so-strelka-manager.sig b/sigs/images/so-strelka-manager.sig
new file mode 100644
index 000000000..0e1bafe98
Binary files /dev/null and b/sigs/images/so-strelka-manager.sig differ
diff --git a/sigs/images/so-thehive-cortex.sig b/sigs/images/so-thehive-cortex.sig
new file mode 100644
index 000000000..18198fa96
Binary files /dev/null and b/sigs/images/so-thehive-cortex.sig differ
diff --git a/sigs/images/so-thehive-es.sig b/sigs/images/so-thehive-es.sig
new file mode 100644
index 000000000..0fc118c27
Binary files /dev/null and b/sigs/images/so-thehive-es.sig differ
diff --git a/sigs/images/so-zeek.sig b/sigs/images/so-zeek.sig
new file mode 100644
index 000000000..363196aef
Binary files /dev/null and b/sigs/images/so-zeek.sig differ