Fix firewall changes

salt/idh/init.sls

@@ -60,6 +60,23 @@ opencanary_config:
     - defaults:
         OPENCANARYCONFIG: {{ OPENCANARYCONFIG }}
 
+idh_sbin:
+  file.recurse:
+    - name: /usr/sbin
+    - source: salt://idh/tools/sbin
+    - user: 934
+    - group: 939
+    - file_mode: 755
+
+#idh_sbin_jinja:
+#  file.recurse:
+#    - name: /usr/sbin
+#    - source: salt://idh/tools/sbin_jinja
+#    - user: 939
+#    - group: 939 
+#    - file_mode: 755
+#    - template: jinja
+
 so-idh:
   docker_container.running:
     - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-idh:{{ GLOBALS.so_version }}

salt/idstools/init.sls

@@ -20,6 +20,23 @@ idstoolslogdir:
     - group: 939
     - makedirs: True
 
+idstools_sbin:
+  file.recurse:
+    - name: /usr/sbin
+    - source: salt://idstools/tools/sbin
+    - user: 934
+    - group: 939
+    - file_mode: 755
+
+#idstools_sbin_jinja:
+#  file.recurse:
+#    - name: /usr/sbin
+#    - source: salt://idstools/tools/sbin_jinja
+#    - user: 934
+#    - group: 939 
+#    - file_mode: 755
+#    - template: jinja
+
 so-rule-update:
   cron.present:
     - name: /usr/sbin/so-rule-update > /opt/so/log/idstools/download.log 2>&1

salt/influxdb/init.sls

@@ -31,6 +31,23 @@ influxdbdir:
     - name: /nsm/influxdb
     - makedirs: True
 
+influxdb_sbin:
+  file.recurse:
+    - name: /usr/sbin
+    - source: salt://influxdb/tools/sbin
+    - user: 939
+    - group: 939
+    - file_mode: 755
+
+#influxdb_sbin_jinja:
+#  file.recurse:
+#    - name: /usr/sbin
+#    - source: salt://influxdb/tools/sbin_jinja
+#    - user: 939
+#    - group: 939 
+#    - file_mode: 755
+#    - template: jinja
+
 influxdbconf:
   file.managed:
     - name: /opt/so/conf/influxdb/config.yaml

salt/kibana/init.sls

@@ -34,6 +34,23 @@ kibanaconfdir:
     - group: 939
     - makedirs: True
 
+kibana_sbin:
+  file.recurse:
+    - name: /usr/sbin
+    - source: salt://kibana/tools/sbin
+    - user: 932
+    - group: 939
+    - file_mode: 755
+
+curator_sbin_jinja:
+  file.recurse:
+    - name: /usr/sbin
+    - source: salt://kibana/tools/sbin_jinja
+    - user: 932
+    - group: 939 
+    - file_mode: 755
+    - template: jinja
+
 kibanaconfig:
   file.managed:
     - name: /opt/so/conf/kibana/etc/kibana.yml

salt/logstash/init.sls

@@ -43,6 +43,23 @@ lslibdir:
   file.absent:
     - name: /opt/so/conf/logstash/lib
 
+logstash_sbin:
+  file.recurse:
+    - name: /usr/sbin
+    - source: salt://logstash/tools/sbin
+    - user: 931
+    - group: 939
+    - file_mode: 755
+
+#logstash_sbin_jinja:
+#  file.recurse:
+#    - name: /usr/sbin
+#    - source: salt://logstash/tools/sbin_jinja
+#    - user: 931
+#    - group: 939 
+#    - file_mode: 755
+#    - template: jinja
+
 lsetcdir:
   file.directory:
     - name: /opt/so/conf/logstash/etc

salt/logstash/tools/sbin/so-logstash-events

@@ -5,13 +5,10 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 
-{% set MAININT = salt['pillar.get']('host:mainint') -%}
-{% set NODEIP = salt['grains.get']('ip_interfaces').get(MAININT)[0] -%}
-
 . /usr/sbin/so-common
 
 if [ "$1" == "" ]; then
-        for i in $(curl -s -L http://{{ NODEIP }}:9600/_node/stats | jq .pipelines | jq '. | to_entries | .[].key' | sed 's/\"//g'); do echo ${i^}:; curl -s localhost:9600/_node/stats | jq .pipelines.$i.events; done
+        for i in $(curl -s -L http://localhost:9600/_node/stats | jq .pipelines | jq '. | to_entries | .[].key' | sed 's/\"//g'); do echo ${i^}:; curl -s localhost:9600/_node/stats | jq .pipelines.$i.events; done
 else
-        curl -s -L http://{{ NODEIP }}:9600/_node/stats | jq .pipelines.$1.events
+        curl -s -L http://localhost:9600/_node/stats | jq .pipelines.$1.events
 fi

salt/logstash/tools/sbin/so-logstash-get-parsed

@@ -1,12 +0,0 @@
-#!/bin/bash
-
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-
-
-. /usr/sbin/so-common
-
-docker exec -it so-redis redis-cli llen logstash:unparsed

salt/logstash/tools/sbin/so-logstash-pipeline-stats

@@ -5,13 +5,11 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 
-{% set MAININT = salt['pillar.get']('host:mainint') -%}
-{% set NODEIP = salt['grains.get']('ip_interfaces').get(MAININT)[0] -%}
 
 . /usr/sbin/so-common
 
 if [ "$1" == "" ]; then
-        curl -s -L http://{{ NODEIP }}:9600/_node/stats | jq .pipelines 
+        curl -s -L http://localhost:9600/_node/stats | jq .pipelines 
 else
-        curl -s -L http://{{ NODEIP }}:9600/_node/stats | jq .pipelines.$1
+        curl -s -L http://localhost:9600/_node/stats | jq .pipelines.$1
 fi

salt/manager/tools/sbin/so-firewall

@@ -144,4 +144,4 @@ def main():
   sys.exit(code)
 
 if __name__ == "__main__":
-  main()
+  main()

salt/manager/tools/sbin/so-firewall-minion

@@ -79,4 +79,4 @@ fi
 		'RECEIVER')
 			so-firewall includehost receiver "$IP" --apply
 			;;
-    esac
+    esac