From 9df8ccac7b395289f8b1567c01bd088375d35c6e Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Tue, 26 Mar 2019 20:26:57 -0400 Subject: [PATCH 01/58] Add masterhostname & masterip to fleet.crt as SAN --- salt/ssl/init.sls | 2 ++ 1 file changed, 2 insertions(+) diff --git a/salt/ssl/init.sls b/salt/ssl/init.sls index a2d2b613f..841fc32ff 100644 --- a/salt/ssl/init.sls +++ b/salt/ssl/init.sls @@ -1,4 +1,5 @@ {% set master = salt['grains.get']('master') %} +{%- set masterip = salt['pillar.get']('static:masterip', '') -%} # Trust the CA @@ -109,6 +110,7 @@ fbcrtlink: x509.certificate_managed: - signing_private_key: /etc/pki/fleet.key - CN: {{ master }} + - subjectAltName: DNS:{{ master }},IP:{{ masterip }} - days_remaining: 0 - days_valid: 3650 - backup: True From d19d541e325e392899205ca560bdb1e510661eba Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Wed, 27 Mar 2019 08:39:59 -0400 Subject: [PATCH 02/58] Copy over so-fleet-setup.sh --- salt/fleet/init.sls | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/salt/fleet/init.sls b/salt/fleet/init.sls index f3a844ff3..6f2e298a0 100644 --- a/salt/fleet/init.sls +++ b/salt/fleet/init.sls @@ -30,6 +30,11 @@ fleetlogdir: - user: 939 - group: 939 - makedirs: True + +fleetsetupscript: + file.managed: + - name: /opt/so/conf/fleet/so-fleet-setup.sh + - source: salt://fleet/so-fleet-setup.sh fleetdb: mysql_database.present: From b84b356c226179f008d212ecba158871b2004043 Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Wed, 27 Mar 2019 08:40:35 -0400 Subject: [PATCH 03/58] Create so-fleet-setup.sh --- salt/fleet/so-fleet-setup.sh | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) create mode 100644 salt/fleet/so-fleet-setup.sh diff --git a/salt/fleet/so-fleet-setup.sh b/salt/fleet/so-fleet-setup.sh new file mode 100644 index 000000000..41fdf854a --- /dev/null +++ b/salt/fleet/so-fleet-setup.sh 
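Review bot: The new `subjectAltName` line renders as `DNS:<master>,IP:` when the `static:masterip` pillar is missing, because the `pillar.get` default is `''`, and an empty IP entry is a malformed SAN that OpenSSL rejects — the `fbcrtlink` state then fails on every host without that pillar key. Guard the IP part: `- subjectAltName: DNS:{{ master }}{% if masterip %},IP:{{ masterip }}{% endif %}`. A one-line comment above the setter (`# masterip is optional; only add the IP SAN when the pillar provides it`) would document the intent. The `fbcrtlink` state starts outside the hunk.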
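Review bot: `fleetsetupscript` deploys a shell script that generates and prints an admin password but sets no `user`, `group` or `mode`, so it lands with Salt's defaults (typically root-owned 0644) and is not executable. Add `- mode: 750` and an explicit `- user: root` / `- group: root` so the script can be run directly and is not readable by every local account. The state also has no `- template:` line, which is correct as long as the script contains no Jinja; worth a comment since the sibling states in this file are templated.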
@@ -0,0 +1,27 @@ +#so-fleet-setup.sh $MasterIP $FleetEmail + +initpw=$(date +%s | sha256sum | base64 | head -c 16 ; echo) + +docker exec so-fleet fleetctl config set --address https://$1:443 --tls-skip-verify +docker exec so-fleet fleetctl setup --email $2 --password $initpw + +docker exec so-fleet fleetctl apply -f /packs/palantir/Fleet/Endpoints/options.yaml +docker exec so-fleet fleetctl apply -f /packs/palantir/Fleet/Endpoints/MacOS/osquery.yaml +docker exec so-fleet fleetctl apply -f /packs/palantir/Fleet/Endpoints/Windows/osquery.yaml +docker exec so-fleet fleetctl apply -f /packs/hh/hhdefault.yml + +esecret=$(sudo docker exec so-fleet fleetctl get enroll-secret) + +#Concat fleet.crt & ca.crt - this is required for launcher connectivity +cat /etc/pki/fleet.crt /etc/pki/ca.crt > /etc/pki/fleet-launcher.crt + +#Create the output directory +mkdir /opt/so/osquery + +docker run \ + --mount type=bind,source=/opt/so/osquery,target=/output \ + --mount type=bind,source=/etc/pki/fleet-launcher.crt,target=/var/launcher/fleet-launcher.crt \ + defensivedepth/soq-launcher "$esecret" "$1" + +echo "Fleet Setup Complete - Login here: https://$1" +echo "Your username is $2 and your password is $initpw" From d9b8bc08c25dbe5cb5078a7f502d55b868896482 Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Wed, 3 Apr 2019 12:28:58 -0400 Subject: [PATCH 04/58] update so-fleet-setup.sh for new hh-launcher docker --- salt/fleet/so-fleet-setup.sh | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/salt/fleet/so-fleet-setup.sh b/salt/fleet/so-fleet-setup.sh index 41fdf854a..d459df8e3 100644 --- a/salt/fleet/so-fleet-setup.sh +++ b/salt/fleet/so-fleet-setup.sh 
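Review bot: The admin password `initpw` is derived from `date +%s`, so its only entropy is the install second; anyone who can bound the setup time (log timestamps, the certificate's notBefore, file mtimes) can brute-force it offline. Generate it from the kernel RNG, e.g. `initpw=$(tr -dc 'a-zA-Z0-9' </dev/urandom | head -c 16)`, the same approach so-setup-network.sh already uses for `RANDOMUID`. The password and the enroll secret are also passed as argv to `fleetctl setup` and `docker run`, where they are visible in `ps` and persisted in the container's config (`docker inspect`); prefer an environment variable or a file if the tool versions in use support one. Smaller points: the file has no shebang (line 1 is a comment), `mkdir /opt/so/osquery` aborts a re-run without `-p`, and `$1`/`$2` are unquoted throughout.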
@@ -16,12 +16,12 @@ esecret=$(sudo docker exec so-fleet fleetctl get enroll-secret) cat /etc/pki/fleet.crt /etc/pki/ca.crt > /etc/pki/fleet-launcher.crt #Create the output directory -mkdir /opt/so/osquery +mkdir /opt/so/conf/fleet/packages docker run \ - --mount type=bind,source=/opt/so/osquery,target=/output \ - --mount type=bind,source=/etc/pki/fleet-launcher.crt,target=/var/launcher/fleet-launcher.crt \ - defensivedepth/soq-launcher "$esecret" "$1" + --mount type=bind,source=/opt/so/conf/fleet/packages,target=/output \ + --mount type=bind,source=/etc/pki/fleet-launcher.crt,target=/var/launcher/launcher.crt \ + defensivedepth/hh-launcher "$esecret" "$1":8080 echo "Fleet Setup Complete - Login here: https://$1" echo "Your username is $2 and your password is $initpw" From c16209532788dd003c39f53177818df29875796f Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 3 Apr 2019 20:35:50 -0400 Subject: [PATCH 05/58] Core Module - Fix html path for osquery binaires --- salt/common/init.sls | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/common/init.sls b/salt/common/init.sls index 22e36d1d2..9ae72d360 100644 --- a/salt/common/init.sls +++ b/salt/common/init.sls @@ -114,7 +114,7 @@ so-core: - /opt/so/tmp/nginx/:/run:rw - /etc/pki/masterssl.crt:/etc/pki/nginx/server.crt:ro - /etc/pki/masterssl.key:/etc/pki/nginx/server.key:ro - - /opt/so/conf/fleet/packages:/opt/so/html/packages + - /opt/so/conf/fleet/packages:/opt/socore/html/packages - cap_add: NET_BIND_SERVICE - port_bindings: - 80:80 From b11668b6010444e081f58c688fc70d7419b7007a Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Thu, 4 Apr 2019 06:06:35 -0400 Subject: [PATCH 06/58] Update timestamp on packages webpage --- salt/fleet/so-fleet-setup.sh | 3 +++ 1 file changed, 3 insertions(+) diff --git a/salt/fleet/so-fleet-setup.sh b/salt/fleet/so-fleet-setup.sh index d459df8e3..4fe2527d8 100644 --- a/salt/fleet/so-fleet-setup.sh +++ b/salt/fleet/so-fleet-setup.sh 
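Review bot: The launcher packages are now written to `/opt/so/conf/fleet/packages`, which the `so-core` container in this same series mounts into nginx under `/packages`, so whatever `defensivedepth/hh-launcher` bakes into the installers — presumably the enroll secret it receives as `"$esecret"` — becomes downloadable by anyone who can reach the master's web server, with no authentication visible here. If that is intended, say so in the script (`# NOTE: packages embed the enroll secret; so-core serves this directory publicly`) and confirm the firewall policy restricts the web port to managed endpoints; otherwise the download path needs authentication. `mkdir` without `-p` also aborts a second run of the script before the packages are rebuilt.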
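Review bot: The bind `/opt/so/conf/fleet/packages:/opt/socore/html/packages` is read-write, while nginx only needs to read the installers; mount it read-only as the two PKI binds above it already are, `- /opt/so/conf/fleet/packages:/opt/socore/html/packages:ro`, so a compromised web container cannot replace the agent packages that endpoints download. The `so-core` container definition starts outside the hunk.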
@@ -23,5 +23,8 @@ docker run \ --mount type=bind,source=/etc/pki/fleet-launcher.crt,target=/var/launcher/launcher.crt \ defensivedepth/hh-launcher "$esecret" "$1":8080 +#Update timestamp on packages webpage +sed -i "s@.*Generated.*@Generated: $(date '+%m%d%Y')@g" /opt/so/conf/fleet/packages/index.html + echo "Fleet Setup Complete - Login here: https://$1" echo "Your username is $2 and your password is $initpw" From ca8a774c19130b0fe20e756fd9eb608d6b12b214 Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Thu, 4 Apr 2019 06:12:34 -0400 Subject: [PATCH 07/58] Create osquery-packages.html --- salt/fleet/osquery-packages.html | 113 +++++++++++++++++++++++++++++++ 1 file changed, 113 insertions(+) create mode 100644 salt/fleet/osquery-packages.html diff --git a/salt/fleet/osquery-packages.html b/salt/fleet/osquery-packages.html new file mode 100644 index 000000000..b30cd1343 --- /dev/null +++ b/salt/fleet/osquery-packages.html @@ -0,0 +1,113 @@ + + + +Security Onion - Hybrid Hunter + + + + + + + + + + +
+ +

Osquery Packages


+ +

Notes

+
    +
  • These packages are customized for this specific Fleet install and will only be generated after the Fleet setup script has been run. If you want vanilla osquery packages, you can get them directly from osquery.io
  • +
  • Packages are not signed.
  • +
+

Downloads

+ + +

Known Issues

+
    +
  • None
  • +
+

+
+ + + + From 55fcb930cddd67314bcd58cb03ecf74c0ab6c6f8 Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Thu, 4 Apr 2019 06:15:09 -0400 Subject: [PATCH 08/58] Add osquery-packages.html --- salt/fleet/init.sls | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/salt/fleet/init.sls b/salt/fleet/init.sls index 6f2e298a0..9986d40a9 100644 --- a/salt/fleet/init.sls +++ b/salt/fleet/init.sls @@ -35,6 +35,11 @@ fleetsetupscript: file.managed: - name: /opt/so/conf/fleet/so-fleet-setup.sh - source: salt://fleet/so-fleet-setup.sh + +osquerypackageswebpage: + file.managed: + - name: /opt/so/conf/fleet/packages/index.html + - source: salt://fleet/osquery-packages.html fleetdb: mysql_database.present: From 7607739fca7bc3b5e2a8d7c4dd2463459dde28d5 Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Thu, 4 Apr 2019 07:52:12 -0400 Subject: [PATCH 09/58] Update osquery-packages.html --- salt/fleet/osquery-packages.html | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/salt/fleet/osquery-packages.html b/salt/fleet/osquery-packages.html index b30cd1343..c94ba89b9 100644 --- a/salt/fleet/osquery-packages.html +++ b/salt/fleet/osquery-packages.html @@ -91,14 +91,14 @@ a {
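Review bot: The page tells users that packages are not signed but gives them no way to verify what they download, and `so-core` binds port 80 as well as 443, so unless nginx redirects plain HTTP to HTTPS an on-path attacker can substitute an endpoint agent installer. Have the setup script write `sha256sum` output next to the packages when it drops them and link the sums from this page (e.g. a `SHA256SUMS` entry under Downloads), and note under Notes that downloads should be fetched over HTTPS. The markup of this hunk is lost in this view, so the exact tag layout cannot be checked.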
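Review bot: `osquerypackageswebpage` re-deploys the pristine `osquery-packages.html` on every highstate, which undoes the `sed` that so-fleet-setup.sh applies to the `Generated:` line of `/opt/so/conf/fleet/packages/index.html`, so the timestamp silently reverts after the next salt run. Either add `- replace: False` so Salt only creates the file when it is missing, or render the date through `- template: jinja` and drop the sed. The state also sets no `mode`; 0644 is what a web-served file wants, but make it explicit.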

Downloads


Known Issues

From 91d814f4eb8b13bc378cbc6530d3a34028ef1d66 Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Thu, 4 Apr 2019 08:03:34 -0400 Subject: [PATCH 10/58] added pre-flight check (is so-fleet running?) --- salt/fleet/so-fleet-setup.sh | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/salt/fleet/so-fleet-setup.sh b/salt/fleet/so-fleet-setup.sh index 4fe2527d8..64d7fe435 100644 --- a/salt/fleet/so-fleet-setup.sh +++ b/salt/fleet/so-fleet-setup.sh @@ -1,5 +1,10 @@ #so-fleet-setup.sh $MasterIP $FleetEmail +if [ ! "$(docker ps -q -f name=so-fleet)" ]; then + echo "so-fleet container not running... Exiting..." + exit 1 +fi + initpw=$(date +%s | sha256sum | base64 | head -c 16 ; echo) docker exec so-fleet fleetctl config set --address https://$1:443 --tls-skip-verify From 69e699f99d96063f34690c770ee858d016097d0e Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 8 Apr 2019 15:22:11 -0400 Subject: [PATCH 11/58] Setup - Add Progress Bar test --- so-setup-network.sh | 29 ++++++++++++++++++----------- 1 file changed, 18 insertions(+), 11 deletions(-) diff --git a/so-setup-network.sh b/so-setup-network.sh index dde654eb3..169f32885 100644 --- a/so-setup-network.sh +++ b/so-setup-network.sh 
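Review bot: `docker ps -f name=so-fleet` matches container names by substring, so any container whose name contains `so-fleet` (a future `so-fleet-db`, for instance) satisfies the pre-flight check even when the real `so-fleet` container is down. Test the specific container instead, e.g. `if [ "$(docker inspect -f '{{.State.Running}}' so-fleet 2>/dev/null)" != "true" ]; then`. The script still has no shebang on line 1; add `#!/bin/bash` above the usage comment so the check runs under the shell it was written for.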
@@ -863,25 +863,25 @@ salt_checkin() { # Master State to Fix Mine Usage if [ $INSTALLTYPE == 'MASTERONLY' ] || [ $INSTALLTYPE == 'EVALMODE' ]; then echo "Building Certificate Authority" - salt-call state.apply ca + salt-call state.apply ca >>~/sosetup.log 2>&1 echo " *** Restarting Salt to fix any SSL errors. ***" - service salt-master restart + service salt-master restart >>~/sosetup.log 2>&1 sleep 5 - service salt-minion restart + service salt-minion restart >>~/sosetup.log 2>&1 sleep 15 echo " Applyng a mine hack " - sudo salt '*' mine.send x509.get_pem_entries glob_path=/etc/pki/ca.crt + sudo salt '*' mine.send x509.get_pem_entries glob_path=/etc/pki/ca.crt >>~/sosetup.log 2>&1 echo " Applying SSL state " - salt-call state.apply ssl + salt-call state.apply ssl >>~/sosetup.log 2>&1 echo "Still Working... Hang in there" - salt-call state.highstate + #salt-call state.highstate else # Run Checkin - salt-call state.apply ca - salt-call state.apply ssl - salt-call state.highstate + salt-call state.apply ca >>~/sosetup.log 2>&1 + salt-call state.apply ssl >>~/sosetup.log 2>&1 + #salt-call state.highstate >>~/sosetup.log 2>&1 fi @@ -1795,8 +1795,15 @@ if (whiptail_you_sure); then echo "**** Please set a password for socore. You will use this password when setting up other Nodes/Sensors" echo "" add_socore_user_master - create_bond - saltify + { + sleep 0.5 + echo -e "XXX\n0\nCreating Bond Interface... \nXXX" + create_bond + echo -e "XXX\n1\nInstalling saltstack... \nXXX" + saltify + } |whiptail --title "Hybrid Hunter Install" --gauge "Please wait while installing" 6 60 0 + #create_bond + #saltify docker_install install_master # Copy the data over From 048976b21688cf80ba87c5cc6967d74104466280 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 8 Apr 2019 15:38:22 -0400 Subject: [PATCH 12/58] Setup - Add Progress Bar test --- so-setup-network.sh | 70 +++++++++++++++++++++++++++++++++------------ 1 file changed, 51 insertions(+), 19 deletions(-) 
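Review bot: Piping the brace group into `whiptail --gauge` runs every install step in a subshell whose exit status is discarded — the pipeline's status is whiptail's — so a failing `create_bond` or `saltify` no longer stops the script, and with stdout/stderr now redirected to `~/sosetup.log` the user sees nothing on screen either. Abort explicitly inside the group, e.g. `create_bond >>~/sosetup.log 2>&1 || { echo 'create_bond failed' >>~/sosetup.log; exit 1; }`, or write a status file the parent shell tests after the gauge returns. The first hunk also comments out `salt-call state.highstate` in both branches without a replacement, so in this patch the non-master path applies only the `ca` and `ssl` states. Both hunks sit inside code that starts and ends outside the hunk.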
diff --git a/so-setup-network.sh b/so-setup-network.sh index 169f32885..be697468b 100644 --- a/so-setup-network.sh +++ b/so-setup-network.sh 
@@ -1798,32 +1798,64 @@ if (whiptail_you_sure); then { sleep 0.5 echo -e "XXX\n0\nCreating Bond Interface... \nXXX" - create_bond + create_bond >>~/sosetup.log 2>&1 echo -e "XXX\n1\nInstalling saltstack... \nXXX" - saltify + saltify >>~/sosetup.log 2>&1 + echo -e "XXX\n3\nInstalling docker... \nXXX" + docker_install >>~/sosetup.log 2>&1 + echo -e "XXX\n5\nInstalling master code... \nXXX" + install_master >>~/sosetup.log 2>&1 + echo -e "XXX\n6\nCopying salt code... \nXXX" + salt_master_directories >>~/sosetup.log 2>&1 + echo -e "XXX\n6\nupdating suduers... \nXXX" + update_sudoers >>~/sosetup.log 2>&1 + echo -e "XXX\n7\nFixing some permissions... \nXXX" + chown_salt_master >>~/sosetup.log 2>&1 + echo -e "XXX\n7\nCreating the static pillar... \nXXX" + # Set the static values + master_static >>~/sosetup.log 2>&1 + echo -e "XXX\n7\nCreating the master pillar... \nXXX" + master_pillar >>~/sosetup.log 2>&1 + echo -e "XXX\n7\nConfiguring minion... \nXXX" + configure_minion eval >>~/sosetup.log 2>&1 + echo -e "XXX\n7\nSetting the node type to eval... \nXXX" + set_node_type >>~/sosetup.log 2>&1 + echo -e "XXX\n7\nStorage node pillar... \nXXX" + node_pillar >>~/sosetup.log 2>&1 + echo -e "XXX\n8\nCreating firewall policies... \nXXX" + set_initial_firewall_policy >>~/sosetup.log 2>&1 + echo -e "XXX\n10\nRegistering agent... \nXXX" + salt_firstcheckin >>~/sosetup.log 2>&1 + echo -e "XXX\n11\nAccepting Agent... \nXXX" + accept_salt_key_local >>~/sosetup.log 2>&1 + echo -e "XXX\n12\nRunning the SSL states... \nXXX" + salt_checkin >>~/sosetup.log 2>&1 + echo -e "XXX\n100\nSetting checkin to run on boot... 
\nXXX" + checkin_at_boot >>~/sosetup.log 2>&1 + } |whiptail --title "Hybrid Hunter Install" --gauge "Please wait while installing" 6 60 0 #create_bond #saltify - docker_install - install_master + #docker_install + #install_master # Copy the data over - salt_master_directories - update_sudoers + #salt_master_directories + #update_sudoers # Change perms on the master dir - chown_salt_master + #chown_salt_master # Set the static values - master_static - echo "** Generating the master pillar **" - master_pillar - configure_minion eval - set_node_type - node_pillar - set_initial_firewall_policy - salt_firstcheckin - accept_salt_key_local - salt_checkin_message - salt_checkin - checkin_at_boot + #master_static + #echo "** Generating the master pillar **" + #master_pillar + #configure_minion eval + #set_node_type + #node_pillar + #set_initial_firewall_policy + #salt_firstcheckin + #accept_salt_key_local + #salt_checkin_message + #salt_checkin + #checkin_at_boot whiptail_setup_complete fi From da66cae3368055995760662a5c57cd4a4b90c03b Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 8 Apr 2019 16:50:18 -0400 Subject: [PATCH 13/58] Setup - Added status bar for eval install --- so-setup-network.sh | 122 ++++++++++++++++++++++++++------------------ 1 file changed, 73 insertions(+), 49 deletions(-) diff --git a/so-setup-network.sh b/so-setup-network.sh index be697468b..b55337e2f 100644 --- a/so-setup-network.sh +++ b/so-setup-network.sh 
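Review bot: The gauge sequence drops the `salt_checkin_message` call that the replaced inline sequence made between `accept_salt_key_local` and `salt_checkin` — it is commented out below but never re-added inside the group — so whatever that function told the user is now gone silently. Either restore it as a progress step or delete the dead commented block so the two lists cannot drift apart. The user-facing label `updating suduers...` should read `updating sudoers...`, and every step still runs with its exit status ignored inside the pipeline.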
@@ -24,19 +24,22 @@ LISTCORES=$(cat /proc/cpuinfo | grep processor | awk '{print $3 " \"" "core" "\" RANDOMUID=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1) NODE_ES_PORT="9200" +# Reset the Install Log +date -u >>~/sosetup.log 2>&1 + # End Global Variable Section # Functions accept_salt_key_local() { - + echo "Accept the key locally on the master" >>~/sosetup.log 2>&1 # Accept the key locally on the master salt-key -ya $HOSTNAME } accept_salt_key_remote() { - + echo "Accept the key remotely on the master" >>~/sosetup.log 2>&1 # Delete the key just in case. ssh -i /root/.ssh/so.key socore@$MSRV sudo salt-key -d $HOSTNAME -y salt-call state.apply ca @@ -45,6 +48,7 @@ accept_salt_key_remote() { } add_master_hostfile() { + echo "Checking if I can resolve master. If not add to hosts file" >>~/sosetup.log 2>&1 # Pop up an input to get the IP address local MSRVIP=$(whiptail --title "Security Onion Setup" --inputbox \ "Enter your Master Server IP Address" 10 60 X.X.X.X 3>&1 1>&2 2>&3) @@ -56,6 +60,7 @@ add_master_hostfile() { } add_socore_user_master() { + echo "Add socore on the master" >>~/sosetup.log 2>&1 if [ $OS == 'centos' ]; then local ADDUSER=adduser else @@ -70,7 +75,7 @@ add_socore_user_master() { } add_socore_user_notmaster() { - + echo "Add socore user on non master" >>~/sosetup.log 2>&1 # Add socore user to the non master system. Probably not a bad idea to make system user groupadd --gid 939 socore $ADDUSER --uid 939 --gid 939 --home-dir /opt/so --no-create-home socore @@ -81,7 +86,7 @@ add_socore_user_notmaster() { auth_pillar(){ if [ ! -f /opt/so/saltstack/pillar/auth.sls ]; then - echo "Creating Auth Pillar" + echo "Creating Auth Pillar" >>~/sosetup.log 2>&1 mkdir -p /opt/so/saltstack/pillar echo "auth:" >> /opt/so/saltstack/pillar/auth.sls echo " mysql: $MYSQLPASS" >> /opt/so/saltstack/pillar/auth.sls 
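Review bot: `auth_pillar` writes the MySQL password into `/opt/so/saltstack/pillar/auth.sls` with plain `echo >>` redirections, so the file is created under the current umask (typically 0644) and stays readable by any local account until something else tightens it; the later `chown -R socore:socore /opt/so` changes ownership, not mode. Create it restricted before the first write, e.g. `(umask 077; : > /opt/so/saltstack/pillar/auth.sls)` right after the `mkdir -p`, or `chmod 600` it at the end of the function. `auth_pillar` continues past the end of the hunk, so any further secrets it writes are not visible here.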
@@ -92,6 +97,7 @@ auth_pillar(){ # Enable Bro Logs bro_logs_enabled() { + echo "Enabling Bro Logs" >>~/sosetup.log 2>&1 echo "brologs:" > pillar/brologs.sls echo " enabled:" >> pillar/brologs.sls @@ -157,12 +163,13 @@ calculate_useable_cores() { } checkin_at_boot() { + echo "Enabling checkin at boot" >>~/sosetup.log 2>&1 echo "startup_states: highstate" >> /etc/salt/minion } chown_salt_master() { - # Chown the salt dirs on the master for socore + echo "Chown the salt dirs on the master for socore" >>~/sosetup.log 2>&1 chown -R socore:socore /opt/so } @@ -171,6 +178,7 @@ clear_master() { # Clear out the old master public key in case this is a re-install. # This only happens if you re-install the master. if [ -f /etc/salt/pki/minion/minion_master.pub ]; then + echo "Clearing old master key" >>~/sosetup.log 2>&1 rm /etc/salt/pki/minion/minion_master.pub service salt-minion restart fi @@ -181,7 +189,7 @@ configure_minion() { # You have to pass the TYPE to this function so it knows if its a master or not local TYPE=$1 - echo "Configuring minion type as $TYPE" + echo "Configuring minion type as $TYPE" >>~/sosetup.log 2>&1 touch /etc/salt/grains echo "role: so-$TYPE" > /etc/salt/grains if [ $TYPE == 'master' ] || [ $TYPE == 'eval' ]; then @@ -221,7 +229,7 @@ copy_minion_pillar() { local TYPE=$1 # Copy over the pillar - echo "Copying the pillar over" + echo "Copying the pillar over" >>~/sosetup.log 2>&1 scp -v -i /root/.ssh/so.key $TMP/$HOSTNAME.sls socore@$MSRV:/opt/so/saltstack/pillar/$TYPE/$HOSTNAME.sls } @@ -240,7 +248,7 @@ copy_ssh_key() { create_bond() { # Create the bond interface - echo "Setting up Bond" + echo "Setting up Bond" >>~/sosetup.log 2>&1 # Set the MTU if [ $NSMSETUP != 'ADVANCED' ]; then 
@@ -269,17 +277,17 @@ create_bond() { echo "SLAVE=yes" >> /etc/sysconfig/network-scripts/ifcfg-$BONDNIC echo "MTU=$MTU" >> /etc/sysconfig/network-scripts/ifcfg-$BONDNIC done - nmcli con reload - systemctl restart network + nmcli con reload >>~/sosetup.log 2>&1 + systemctl restart network >>~/sosetup.log 2>&1 else # Need to add 17.04 support still - apt-get -y install ifenslave + apt-get -y install ifenslave >>~/sosetup.log 2>&1 if ! grep -q bonding /etc/modules; then echo "bonding" >> /etc/modules fi - modprobe bonding + modprobe bonding >>~/sosetup.log 2>&1 local LBACK=$(awk '/auto lo/,/^$/' /etc/network/interfaces) local MINT=$(awk "/auto $MNIC/,/^$/" /etc/network/interfaces) @@ -336,14 +344,14 @@ create_bond() { detect_os() { # Detect Base OS - echo "Detecting Base OS" + echo "Detecting Base OS" >>~/sosetup.log 2>&1 if [ -f /etc/redhat-release ]; then OS=centos yum -y install bind-utils elif [ -f /etc/os-release ]; then OS=ubuntu else - echo "We were unable to determine if you are using a supported OS." + echo "We were unable to determine if you are using a supported OS." >>~/sosetup.log 2>&1 exit fi @@ -358,7 +366,7 @@ docker_install() { yum -y update yum -y install docker-ce docker-python python-docker docker_registry - echo "Restarting Docker" + echo "Restarting Docker" >>~/sosetup.log 2>&1 systemctl restart docker systemctl enable docker 
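Review bot: In `detect_os` the "unable to determine if you are using a supported OS" message is now redirected to `~/sosetup.log` and followed by a bare `exit`, so on an unsupported system the installer terminates silently with status 0 — the user gets neither the message nor a failure code. Keep that message on the terminal and make the exit non-zero: `echo "We were unable to determine if you are using a supported OS." | tee -a ~/sosetup.log; exit 1`. The same bare-`exit` pattern is worth checking in the other functions touched by this commit.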
@@ -366,17 +374,17 @@ docker_install() { if [ $INSTALLTYPE == 'MASTERONLY' ] || [ $INSTALLTYPE == 'EVALMODE' ]; then apt-get update >>~/sosetup.log 2>&1 apt-get -y install docker-ce >>~/sosetup.log 2>&1 - docker_registry - echo "Restarting Docker" - systemctl restart docker + docker_registry >>~/sosetup.log 2>&1 + echo "Restarting Docker" >>~/sosetup.log 2>&1 + systemctl restart docker >>~/sosetup.log 2>&1 else - apt-key add $TMP/gpg/docker.pub - add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" + apt-key add $TMP/gpg/docker.pub >>~/sosetup.log 2>&1 + add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" >>~/sosetup.log 2>&1 apt-get update >>~/sosetup.log 2>&1 apt-get -y install docker-ce >>~/sosetup.log 2>&1 - docker_registry - echo "Restarting Docker" - systemctl restart docker + docker_registry >>~/sosetup.log 2>&1 + echo "Restarting Docker" >>~/sosetup.log 2>&1 + systemctl restart docker >>~/sosetup.log 2>&1 fi fi @@ -384,13 +392,13 @@ docker_install() { docker_registry() { - echo "Setting up Docker Registry" - mkdir -p /etc/docker + echo "Setting up Docker Registry" >>~/sosetup.log 2>&1 + mkdir -p /etc/docker >>~/sosetup.log 2>&1 # Make the host use the master docker registry echo "{" > /etc/docker/daemon.json echo " \"registry-mirrors\": [\"https://$MSRV:5000\"]" >> /etc/docker/daemon.json echo "}" >> /etc/docker/daemon.json - echo "Docker Registry Setup - Complete" + echo "Docker Registry Setup - Complete" >>~/sosetup.log 2>&1 } @@ -489,7 +497,7 @@ install_master() { # Install the salt master package if [ $OS == 'centos' ]; then - yum -y install wget salt-common salt-master + yum -y install wget salt-common salt-master >>~/sosetup.log 2>&1 # Create a place for the keys for Ubuntu minions mkdir -p /opt/so/gpg 
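Review bot: With the output of `apt-key add`, `add-apt-repository` and `apt-get` all sent to the log, a failed key import or repository add is invisible and `docker_install` proceeds to `docker_registry` and `systemctl restart docker` regardless, ending up with whatever `docker` happened to be installed before. Chain the steps so a failure stops the function, e.g. `apt-key add $TMP/gpg/docker.pub >>~/sosetup.log 2>&1 || return 1`, and have the caller test the return value. `docker_registry` writes `registry-mirrors` pointing at `https://$MSRV:5000` with no comment on which CA the docker daemon is expected to trust for it; a one-line note (`# mirror is reached over TLS; the CA comes from the ssl state — confirm`) would help the next reader. `docker_install` starts outside the hunk.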
@@ -1830,32 +1838,48 @@ if (whiptail_you_sure); then accept_salt_key_local >>~/sosetup.log 2>&1 echo -e "XXX\n12\nRunning the SSL states... \nXXX" salt_checkin >>~/sosetup.log 2>&1 + salt-call state.apply ca >>~/sosetup.log 2>&1 + salt-call state.apply ssl >>~/sosetup.log 2>&1 + echo -e "XXX\n15\nInstalling core components... \nXXX" + salt-call state.apply common >>~/sosetup.log 2>&1 + echo -e "XXX\n18\nInitializing firewall rules... \nXXX" + salt-call state.apply firewall >>~/sosetup.log 2>&1 + echo -e "XXX\n25\nInstalling master components... \nXXX" + salt-call state.apply master >>~/sosetup.log 2>&1 + salt-call state.apply idstools >>~/sosetup.log 2>&1 + if [ $EVALOSQUERY == 0 ]; then + salt-call state.apply mysql >>~/sosetup.log 2>&1 + fi + echo -e "XXX\n35\nInstalling Elastic components... \nXXX" + salt-call state.apply elasticsearch >>~/sosetup.log 2>&1 + salt-call state.apply logstash >>~/sosetup.log 2>&1 + salt-call state.apply kibana >>~/sosetup.log 2>&1 + echo -e "XXX\n50\nInstalling NSM components... \nXXX" + salt-call state.apply pcap >>~/sosetup.log 2>&1 + salt-call state.apply suricata >>~/sosetup.log 2>&1 + salt-call state.apply bro >>~/sosetup.log 2>&1 + salt-call state.apply curator >>~/sosetup.log 2>&1 + salt-call state.apply elastalert >>~/sosetup.log 2>&1 + if [ $EVALOSQUERY == 0 ]; then + echo -e "XXX\n60\nInstalling fleet... \nXXX" + salt-call state.apply fleet >>~/sosetup.log 2>&1 + salt-call state.apply redis >>~/sosetup.log 2>&1 + fi + if [ $EVALWAZUH == 0 ]; then + echo -e "XXX\n65\nInstalling Elastic components... \nXXX" + salt-call state.apply wazuh >>~/sosetup.log 2>&1 + fi + echo -e "XXX\n85\nInstalling filebeat... \nXXX" + salt-call state.apply filebeat >>~/sosetup.log 2>&1 + salt-call state.apply utility >>~/sosetup.log 2>&1 + echo -e "XXX\n95\nInstalling misc components... 
\nXXX" + salt-call state.apply schedule >>~/sosetup.log 2>&1 + salt-call state.apply soctopus >>~/sosetup.log 2>&1 echo -e "XXX\n100\nSetting checkin to run on boot... \nXXX" + sleep 5 checkin_at_boot >>~/sosetup.log 2>&1 } |whiptail --title "Hybrid Hunter Install" --gauge "Please wait while installing" 6 60 0 - #create_bond - #saltify - #docker_install - #install_master - # Copy the data over - #salt_master_directories - #update_sudoers - # Change perms on the master dir - #chown_salt_master - # Set the static values - #master_static - #echo "** Generating the master pillar **" - #master_pillar - #configure_minion eval - #set_node_type - #node_pillar - #set_initial_firewall_policy - #salt_firstcheckin - #accept_salt_key_local - #salt_checkin_message - #salt_checkin - #checkin_at_boot whiptail_setup_complete fi From ff7159727f9d2bcd87f564862610c048ac86c662 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 8 Apr 2019 19:14:30 -0400 Subject: [PATCH 14/58] Setup - Adding verification step 1 --- so-setup-network.sh | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/so-setup-network.sh b/so-setup-network.sh index b55337e2f..3aa252d62 100644 --- a/so-setup-network.sh +++ b/so-setup-network.sh @@ -1875,10 +1875,11 @@ if (whiptail_you_sure); then echo -e "XXX\n95\nInstalling misc components... \nXXX" salt-call state.apply schedule >>~/sosetup.log 2>&1 salt-call state.apply soctopus >>~/sosetup.log 2>&1 - echo -e "XXX\n100\nSetting checkin to run on boot... \nXXX" - sleep 5 + echo -e "XXX\n98\nSetting checkin to run on boot... \nXXX" checkin_at_boot >>~/sosetup.log 2>&1 - + echo -e "XXX\n99\nVerifying Setup... \nXXX" + salt-call state.highstate >>~/sosetup.log 2>&1 + } |whiptail --title "Hybrid Hunter Install" --gauge "Please wait while installing" 6 60 0 whiptail_setup_complete fi From ebb59ce72977799196a2eaeda3668add17b767e1 Mon Sep 17 00:00:00 2001 
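Review bot: The block applies `ca` and `ssl` a second time immediately after `salt_checkin`, which (per the first hunk of patch 11) already applies both, so each eval install pays for those states twice and the duplicate lines obscure the intended order; drop `salt-call state.apply ca` / `ssl` here or remove them from `salt_checkin`. Every `salt-call state.apply` in the group also runs with its exit status ignored, so a failed `elasticsearch` or `fleet` state still reports progress up to 100%; at minimum `|| echo "state X failed" >>~/sosetup.log` per call would leave a trace. The gauge block is part of the `if (whiptail_you_sure)` body that starts outside the hunk.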
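Review bot: The new "Verifying Setup" step runs `salt-call state.highstate` but never looks at its result: the output goes to the log and the exit status is swallowed by the `| whiptail` pipeline, so the verification cannot fail. Use `salt-call --retcode-passthrough state.highstate >>~/sosetup.log 2>&1` and record `$?` (for example `echo $? >/root/.sosetup.rc`) so the parent shell can show `whiptail_setup_complete` only on success. If the goal is to check rather than re-apply, `state.highstate test=True` reports pending changes without re-running every state.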
From: Mike Reeves Date: Mon, 8 Apr 2019 19:31:16 -0400 Subject: [PATCH 15/58] Setup - Make sure install completes properly --- so-setup-network.sh | 24 ++++++++++++++++++++++-- 1 file changed, 22 insertions(+), 2 deletions(-) diff --git a/so-setup-network.sh b/so-setup-network.sh index 3aa252d62..c6ae9bf2d 100644 --- a/so-setup-network.sh +++ b/so-setup-network.sh @@ -1492,6 +1492,14 @@ whiptail_setup_complete() { } +whiptail_setup_failed() { + + whiptail --title "Security Onion Setup" --msgbox "Install had a problem. Please see /root/sosetup.log for details" 8 78 + install_cleanup + exit + +} + whiptail_shard_count() { SHARDCOUNT=$(whiptail --title "Security Onion Setup" --inputbox \ @@ -1879,9 +1887,21 @@ if (whiptail_you_sure); then checkin_at_boot >>~/sosetup.log 2>&1 echo -e "XXX\n99\nVerifying Setup... \nXXX" salt-call state.highstate >>~/sosetup.log 2>&1 - + } |whiptail --title "Hybrid Hunter Install" --gauge "Please wait while installing" 6 60 0 - whiptail_setup_complete + GOODSETUP=$(tail -10 sosetup.log | grep Failed | awk '{ print $2}') + if [ $OS == 'centos' ]; then + if [ $GOODSETUP == 1 ]; then + whiptail_setup_complete + else + whiptail_setup_failed + fi + else + if [ $GOODSETUP == 0 ]; then + whiptail_setup_complete + else + whiptail_setup_failed + fi fi ################### From 890df7af21a4f01cfa43ed785f8cfd1006c56fd7 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 8 Apr 2019 19:32:27 -0400 Subject: [PATCH 16/58] Setup - Make sure install completes properly --- so-setup-network.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/so-setup-network.sh b/so-setup-network.sh index c6ae9bf2d..938f527cf 100644 --- a/so-setup-network.sh +++ b/so-setup-network.sh @@ -1901,6 +1901,7 @@ if (whiptail_you_sure); then whiptail_setup_complete else whiptail_setup_failed + fi fi fi From 8907c8316f93e20311e30769920061ef71eaccb8 Mon Sep 17 00:00:00 2001 
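Review bot: `GOODSETUP` greps the last ten log lines for `Failed` and takes the second field, with a different expected value per OS (`1` on CentOS, `0` otherwise), which means the check encodes the incidental layout of salt's summary rather than the outcome of the run; an extra trailing line, a locale change, or an earlier failed step that the summary does not mention will misclassify the install. Replace it with the real return code: `salt-call --retcode-passthrough state.highstate >>~/sosetup.log 2>&1; echo $? >/root/.sosetup.rc` inside the gauge block, then test that file, which also removes the OS-specific branch. `whiptail_setup_failed` should `exit 1` rather than a bare `exit` so wrappers can detect the failure, and an unset `$GOODSETUP` turns `[ $GOODSETUP == 1 ]` into a syntax error — quote it.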
From: Mike Reeves Date: Mon, 8 Apr 2019 19:45:38 -0400 Subject: [PATCH 17/58] Setup - Make sure install completes properly --- so-setup-network.sh | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/so-setup-network.sh b/so-setup-network.sh index 938f527cf..5a36b04b7 100644 --- a/so-setup-network.sh +++ b/so-setup-network.sh @@ -1855,26 +1855,26 @@ if (whiptail_you_sure); then echo -e "XXX\n25\nInstalling master components... \nXXX" salt-call state.apply master >>~/sosetup.log 2>&1 salt-call state.apply idstools >>~/sosetup.log 2>&1 - if [ $EVALOSQUERY == 0 ]; then + if [ $EVALOSQUERY == '0' ]; then salt-call state.apply mysql >>~/sosetup.log 2>&1 fi echo -e "XXX\n35\nInstalling Elastic components... \nXXX" salt-call state.apply elasticsearch >>~/sosetup.log 2>&1 salt-call state.apply logstash >>~/sosetup.log 2>&1 salt-call state.apply kibana >>~/sosetup.log 2>&1 - echo -e "XXX\n50\nInstalling NSM components... \nXXX" + echo -e "XXX\n50\nInstalling pcap... \nXXX" salt-call state.apply pcap >>~/sosetup.log 2>&1 salt-call state.apply suricata >>~/sosetup.log 2>&1 salt-call state.apply bro >>~/sosetup.log 2>&1 salt-call state.apply curator >>~/sosetup.log 2>&1 salt-call state.apply elastalert >>~/sosetup.log 2>&1 - if [ $EVALOSQUERY == 0 ]; then + if [ $EVALOSQUERY == '0' ]; then echo -e "XXX\n60\nInstalling fleet... \nXXX" salt-call state.apply fleet >>~/sosetup.log 2>&1 salt-call state.apply redis >>~/sosetup.log 2>&1 fi - if [ $EVALWAZUH == 0 ]; then - echo -e "XXX\n65\nInstalling Elastic components... \nXXX" + if [ $EVALWAZUH == '0' ]; then + echo -e "XXX\n65\nInstalling Wazuh components... \nXXX" salt-call state.apply wazuh >>~/sosetup.log 2>&1 fi echo -e "XXX\n85\nInstalling filebeat... \nXXX" 
@@ -1891,13 +1891,13 @@ if (whiptail_you_sure); then } |whiptail --title "Hybrid Hunter Install" --gauge "Please wait while installing" 6 60 0 GOODSETUP=$(tail -10 sosetup.log | grep Failed | awk '{ print $2}') if [ $OS == 'centos' ]; then - if [ $GOODSETUP == 1 ]; then + if [ $GOODSETUP == '1' ]; then whiptail_setup_complete else whiptail_setup_failed fi else - if [ $GOODSETUP == 0 ]; then + if [ $GOODSETUP == '0' ]; then whiptail_setup_complete else whiptail_setup_failed From 3c2651fd6ff157ffba32601da90321d93bb4a6dc Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 8 Apr 2019 19:50:19 -0400 Subject: [PATCH 18/58] Setup - Make sure install completes properly --- so-setup-network.sh | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/so-setup-network.sh b/so-setup-network.sh index 5a36b04b7..a7fda81ab 100644 --- a/so-setup-network.sh +++ b/so-setup-network.sh @@ -1858,15 +1858,21 @@ if (whiptail_you_sure); then if [ $EVALOSQUERY == '0' ]; then salt-call state.apply mysql >>~/sosetup.log 2>&1 fi - echo -e "XXX\n35\nInstalling Elastic components... \nXXX" + echo -e "XXX\n35\nInstalling ElasticSearch... \nXXX" salt-call state.apply elasticsearch >>~/sosetup.log 2>&1 + echo -e "XXX\n40\nInstalling Logstash... \nXXX" salt-call state.apply logstash >>~/sosetup.log 2>&1 + echo -e "XXX\n45\nInstalling ElasticSearch... \nXXX" salt-call state.apply kibana >>~/sosetup.log 2>&1 echo -e "XXX\n50\nInstalling pcap... \nXXX" salt-call state.apply pcap >>~/sosetup.log 2>&1 + echo -e "XXX\n52\nInstalling Suricata... \nXXX" salt-call state.apply suricata >>~/sosetup.log 2>&1 + echo -e "XXX\n54\nInstalling Zeek... \nXXX" salt-call state.apply bro >>~/sosetup.log 2>&1 + echo -e "XXX\n56\nInstalling curator... \nXXX" salt-call state.apply curator >>~/sosetup.log 2>&1 + echo -e "XXX\n58\nInstalling elastalert... \nXXX" salt-call state.apply elastalert >>~/sosetup.log 2>&1 if [ $EVALOSQUERY == '0' ]; then echo -e "XXX\n60\nInstalling fleet... \nXXX" 
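Review bot: The progress label before `salt-call state.apply kibana` says `Installing ElasticSearch...` (copied from the step above); it should be `echo -e "XXX\n45\nInstalling Kibana... \nXXX"`. Cosmetic, but these labels are the only feedback the user gets while output is redirected to the log, so a wrong one sends them to the wrong component when a step hangs.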
From 709b03c32fef373f41e149989a5406619bcf019f Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 8 Apr 2019 20:11:27 -0400 Subject: [PATCH 19/58] Setup - Make sure install completes properly --- so-setup-network.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/so-setup-network.sh b/so-setup-network.sh index a7fda81ab..ad089d0f1 100644 --- a/so-setup-network.sh +++ b/so-setup-network.sh @@ -1855,7 +1855,7 @@ if (whiptail_you_sure); then echo -e "XXX\n25\nInstalling master components... \nXXX" salt-call state.apply master >>~/sosetup.log 2>&1 salt-call state.apply idstools >>~/sosetup.log 2>&1 - if [ $EVALOSQUERY == '0' ]; then + if [[ $EVALOSQUERY == '0' ]]; then salt-call state.apply mysql >>~/sosetup.log 2>&1 fi echo -e "XXX\n35\nInstalling ElasticSearch... \nXXX" @@ -1874,12 +1874,12 @@ if (whiptail_you_sure); then salt-call state.apply curator >>~/sosetup.log 2>&1 echo -e "XXX\n58\nInstalling elastalert... \nXXX" salt-call state.apply elastalert >>~/sosetup.log 2>&1 - if [ $EVALOSQUERY == '0' ]; then + if [[ $EVALOSQUERY == '0' ]]; then echo -e "XXX\n60\nInstalling fleet... \nXXX" salt-call state.apply fleet >>~/sosetup.log 2>&1 salt-call state.apply redis >>~/sosetup.log 2>&1 fi - if [ $EVALWAZUH == '0' ]; then + if [[ $EVALWAZUH == '0' ]]; then echo -e "XXX\n65\nInstalling Wazuh components... \nXXX" salt-call state.apply wazuh >>~/sosetup.log 2>&1 fi From 30d6de90ae9fd2d04f910bc8fedcc419e3e4a2a2 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 8 Apr 2019 20:46:41 -0400 Subject: [PATCH 20/58] Setup - Make sure install completes properly --- so-setup-network.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/so-setup-network.sh b/so-setup-network.sh index ad089d0f1..9ad12cda7 100644 --- a/so-setup-network.sh +++ b/so-setup-network.sh 
@@ -1897,13 +1897,13 @@ if (whiptail_you_sure); then } |whiptail --title "Hybrid Hunter Install" --gauge "Please wait while installing" 6 60 0 GOODSETUP=$(tail -10 sosetup.log | grep Failed | awk '{ print $2}') if [ $OS == 'centos' ]; then - if [ $GOODSETUP == '1' ]; then + if [[ $GOODSETUP == '1' ]]; then whiptail_setup_complete else whiptail_setup_failed fi else - if [ $GOODSETUP == '0' ]; then + if [[ $GOODSETUP == '0' ]]; then whiptail_setup_complete else whiptail_setup_failed From c1663d50964e5f378699e9ed7367f9749efc6106 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 8 Apr 2019 20:49:31 -0400 Subject: [PATCH 21/58] Setup - Make sure install completes properly --- so-setup-network.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/so-setup-network.sh b/so-setup-network.sh index 9ad12cda7..748819a63 100644 --- a/so-setup-network.sh +++ b/so-setup-network.sh @@ -25,7 +25,7 @@ RANDOMUID=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1) NODE_ES_PORT="9200" # Reset the Install Log -date -u >>~/sosetup.log 2>&1 +date -u >~/sosetup.log 2>&1 # End Global Variable Section From 5c82ce29cb745e5049e09eb79a0187855dc81f97 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 9 Apr 2019 11:05:25 -0400 Subject: [PATCH 22/58] Grafana Module - Fix monint for grafana dash --- salt/common/init.sls | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/salt/common/init.sls b/salt/common/init.sls index 9ae72d360..d47220b75 100644 --- a/salt/common/init.sls +++ b/salt/common/init.sls @@ -357,7 +357,7 @@ dashboard-{{ SN }}: - defaults: SERVERNAME: {{ SN }} MANINT: {{ SNDATA.manint }} - MONINT: {{ SNDATA.manint }} + MONINT: {{ SNDATA.monint }} CPUS: {{ SNDATA.totalcpus }} UID: {{ SNDATA.guid }} ROOTFS: {{ SNDATA.rootfs }} 
@@ -369,7 +369,7 @@ dashboard-{{ SN }}: # Install the docker. This needs to be behind nginx at some point so-grafana: docker_container.running: - - image: soshybridhunter/so-grafana:HH1.0.7 + - image: soshybridhunter/so-grafana:HH1.0.8 - hostname: grafana - user: socore - binds: From 58eeed1d71151aa169f840a47a00761010644df8 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 9 Apr 2019 11:28:52 -0400 Subject: [PATCH 23/58] Setup - Fix log location --- so-setup-network.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/so-setup-network.sh b/so-setup-network.sh index 748819a63..8e1207fd5 100644 --- a/so-setup-network.sh +++ b/so-setup-network.sh @@ -1895,7 +1895,7 @@ if (whiptail_you_sure); then salt-call state.highstate >>~/sosetup.log 2>&1 } |whiptail --title "Hybrid Hunter Install" --gauge "Please wait while installing" 6 60 0 - GOODSETUP=$(tail -10 sosetup.log | grep Failed | awk '{ print $2}') + GOODSETUP=$(tail -10 /root/sosetup.log | grep Failed | awk '{ print $2}') if [ $OS == 'centos' ]; then if [[ $GOODSETUP == '1' ]]; then whiptail_setup_complete From 46688907986b0836fb6c02423686b253adbf3318 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 9 Apr 2019 12:33:09 -0400 Subject: [PATCH 24/58] Grafana - Fix Eval Dashboard --- salt/common/grafana/grafana_dashboards/eval/eval.json | 4 ++-- salt/common/init.sls | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/salt/common/grafana/grafana_dashboards/eval/eval.json b/salt/common/grafana/grafana_dashboards/eval/eval.json index 11efd3f98..d3f0e95af 100644 --- a/salt/common/grafana/grafana_dashboards/eval/eval.json +++ b/salt/common/grafana/grafana_dashboards/eval/eval.json @@ -3037,7 +3037,7 @@ "condition": "AND", "key": "interface", "operator": "=", - "value": "{{ MANINT }}" + "value": "{{ MONINT }}" } ] }, @@ -3101,7 +3101,7 @@ "condition": "AND", "key": "interface", "operator": "=", - "value": "{{ MANINT }}" + "value": "{{ MONINT }}" } ] } 
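Review bot: The log is now read from `/root/sosetup.log` while every write in the same block still goes to `~/sosetup.log`; the two only coincide when `$HOME` is `/root`, which presumably is not guaranteed under a `sudo` that preserves the caller's HOME. Either read with the same expression, `GOODSETUP=$(tail -10 ~/sosetup.log | grep Failed | awk '{ print $2}')`, or define one `SETUP_LOG=/root/sosetup.log` and use it for both reads and writes. The enclosing install block starts outside the hunk.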
diff --git a/salt/common/init.sls b/salt/common/init.sls index d47220b75..b9f6c3a44 100644 --- a/salt/common/init.sls +++ b/salt/common/init.sls @@ -336,7 +336,7 @@ dashboard-{{ SN }}: - defaults: SERVERNAME: {{ SN }} MANINT: {{ SNDATA.manint }} - MONINT: {{ SNDATA.manint }} + MONINT: {{ SNDATA.monint }} CPUS: {{ SNDATA.totalcpus }} UID: {{ SNDATA.guid }} ROOTFS: {{ SNDATA.rootfs }} From 5a09b18258a127aec6d6ed4c1e925ddb3739741f Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 9 Apr 2019 12:46:04 -0400 Subject: [PATCH 25/58] Grafana - Fix Eval Dashboard --- .../grafana/grafana_dashboards/eval/eval.json | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/salt/common/grafana/grafana_dashboards/eval/eval.json b/salt/common/grafana/grafana_dashboards/eval/eval.json index d3f0e95af..2b13c6598 100644 --- a/salt/common/grafana/grafana_dashboards/eval/eval.json +++ b/salt/common/grafana/grafana_dashboards/eval/eval.json @@ -3037,7 +3037,7 @@ "condition": "AND", "key": "interface", "operator": "=", - "value": "{{ MONINT }}" + "value": "{{ MANINT }}" } ] }, @@ -3101,7 +3101,7 @@ "condition": "AND", "key": "interface", "operator": "=", - "value": "{{ MONINT }}" + "value": "{{ MANINT }}" } ] } @@ -3110,7 +3110,7 @@ "timeFrom": null, "timeRegions": [], "timeShift": null, - "title": "{{ SERVERNAME }} - Monitor Traffic", + "title": "{{ SERVERNAME }} - Managemnt Traffic", "tooltip": { "msResolution": true, "shared": true, @@ -3862,12 +3862,12 @@ "condition": "AND", "key": "interface", "operator": "=", - "value": " {{ MANINT }}" + "value": " {{ MONINT }}" } ] }, { - "alias": "OutBound", + "alias": "InBound", "dsType": "influxdb", "groupBy": [ { @@ -3926,7 +3926,7 @@ "condition": "AND", "key": "interface", "operator": "=", - "value": "{{ MANINT }}" + "value": "{{ MONINT }}" } ] } 
@@ -3935,7 +3935,7 @@ "timeFrom": null, "timeRegions": [], "timeShift": null, - "title": "{{ SERVERNAME }} - Management Traffic", + "title": "{{ SERVERNAME }} - Monitor Traffic", "tooltip": { "msResolution": true, "shared": true, From 7acdbefa3eda345fd4b5e0748e6b66f28e78dbf8 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 9 Apr 2019 13:48:34 -0400 Subject: [PATCH 26/58] Grafana - Fix Eval Dashboard --- salt/common/grafana/grafana_dashboards/eval/eval.json | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/salt/common/grafana/grafana_dashboards/eval/eval.json b/salt/common/grafana/grafana_dashboards/eval/eval.json index 2b13c6598..3dccde9ab 100644 --- a/salt/common/grafana/grafana_dashboards/eval/eval.json +++ b/salt/common/grafana/grafana_dashboards/eval/eval.json @@ -3862,12 +3862,12 @@ "condition": "AND", "key": "interface", "operator": "=", - "value": " {{ MONINT }}" + "value": "{{ MONINT }}" } ] }, { - "alias": "InBound", + "alias": "OutBound", "dsType": "influxdb", "groupBy": [ { @@ -3984,10 +3984,10 @@ "fill": 1, "grid": {}, "gridPos": { - "h": 7, + "h": 6, "w": 8, - "x": 0, - "y": 29 + "x": 16, + "y": 15 }, "id": 15, "legend": { From b7ea3b71902fe8138cbc50e3d7a3b6b571367151 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 17 Apr 2019 10:21:58 -0400 Subject: [PATCH 27/58] Setup Script - Update Eval --- salt/top.sls | 8 +++--- so-setup-network.sh | 59 +++++++++++++++++++++------------------------ 2 files changed, 33 insertions(+), 34 deletions(-) diff --git a/salt/top.sls b/salt/top.sls index 2a34c7548..ac6e909f0 100644 --- a/salt/top.sls +++ b/salt/top.sls 
@@ -1,6 +1,8 @@ -{%- set BROVER = salt['pillar.get']('static:broversion', 'COMMUNITY') %} -{%- set OSQUERY = salt['pillar.get']('master:osquery', '0') %} -{%- set WAZUH = salt['pillar.get']('master:wazuh', '0') %} +{%- set BROVER = salt['pillar.get']('static:broversion', 'COMMUNITY') -%} +{%- set OSQUERY = salt['pillar.get']('master:osquery', '0') -%} +{%- set WAZUH = salt['pillar.get']('master:wazuh', '0') -%} +{%- set GRAFANA = salt['pillar.get']('master:grafana', '0') -%} +{%- set THEHIVE = salt['pillar.get']('master:thehive', '0') -%} base: 'G@role:so-sensor': - ca diff --git a/so-setup-network.sh b/so-setup-network.sh index 8e1207fd5..ef8e64b19 100644 --- a/so-setup-network.sh +++ b/so-setup-network.sh @@ -543,27 +543,6 @@ master_pillar() { echo " ls_input_threads: 1" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls echo " ls_batch_count: 125" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls echo " mtu: 1500" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls - if [ $EVALADVANCED == 'ADVANCED' ]; then - if [ $EVALGRAFANA == '0' ]; then - echo " grafana: 1" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls - else - echo " grafana: 0" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls - fi - if [ $EVALOSQUERY == '0' ]; then - echo " osquery: 1" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls - else - echo " osquery: 0" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls - fi - if [ $EVALWAZUH == '0' ]; then - echo " wazuh: 1" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls - else - echo " wazuh: 0" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls - fi - else - echo " grafana: 0" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls - echo " osquery: 0" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls - echo " wazuh: 0" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls - fi else echo " freq: 0" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls 
@@ -582,7 +561,10 @@ master_pillar() { echo " cur_close_days: $CURCLOSEDAYS" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls #echo " mysqlpass: $MYSQLPASS" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls #echo " fleetpass: $FLEETPASS" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls - + echo " grafana: $GRAFANA" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls + echo " osquery: $OSQUERY" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls + echo " wazuh: $WAZUH" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls + echo " hive: $HIVE" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls } master_static() { @@ -638,6 +620,20 @@ node_pillar() { } +process_components() { + CLEAN=${COMPONENTS//\"} + GRAFANA=0 + OSQUERY=0 + WAZUH=0 + THEHIVE=0 + + IFS=$' ' + for item in $(echo "$CLEAN"); do + set $item=1 + done + unset IFS +} + saltify() { # Install updates and Salt @@ -1153,6 +1149,14 @@ whiptail_cur_close_days() { whiptail_check_exitstatus $exitstatus } +whiptail_enable_components() { + COMPONENTS=$(whiptail --title "Security Onion Setup" --checklist \ + "Select Components to install" 20 78 8 \ + "GRAFANA" "Enable Grafana for system monitoring" OFF \ + "OSQUERY" "Enable Fleet with osquery" OFF \ + "WAZUH" "Enable Wazuh" OFF \ + "THEHIVE" "Enable TheHive" OFF 3>&1 1>&2 2>&3 ) +} whiptail_eval_adv() { EVALADVANCED=$(whiptail --title "Security Onion Setup" --radiolist \ @@ -1772,15 +1776,7 @@ if (whiptail_you_sure); then # Snag the HOME_NET whiptail_homenet_master - - # Ask about advanced mode - whiptail_eval_adv - if [ $EVALADVANCED == 'ADVANCED' ]; then - whiptail_eval_adv_warning - whiptail_eval_adv_service_grafana - whiptail_eval_adv_service_osquery - whiptail_eval_adv_service_wazuh - fi + whiptail_enable_components # Set a bunch of stuff since this is eval es_heapsize @@ -1796,6 +1792,7 @@ if (whiptail_you_sure); then NIDS=Suricata BROVERSION=ZEEK CURCLOSEDAYS=30 + process_components whiptail_make_changes #eval_mode_hostsfile generate_passwords 
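Review bot: The new `whiptail_enable_components` discards whiptail's exit status, unlike `whiptail_cur_close_days` just above it, which ends with `whiptail_check_exitstatus $exitstatus`; pressing Cancel leaves `COMPONENTS` empty and setup silently continues with every component disabled. Capture it the way the sibling does: `local exitstatus=$?` immediately after the `COMPONENTS=$(...)` assignment, followed by `whiptail_check_exitstatus $exitstatus`. The checklist tags are the only values `process_components` should ever see, so a one-line comment on the function saying that the tag names double as shell variable names would also help.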
From bf664e5f7c1b60016994ee0f2856b738e9ef86e7 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 17 Apr 2019 10:35:38 -0400 Subject: [PATCH 28/58] Setup Script - Update Eval --- so-setup-network.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/so-setup-network.sh b/so-setup-network.sh index ef8e64b19..cd08a2d1c 100644 --- a/so-setup-network.sh +++ b/so-setup-network.sh @@ -564,7 +564,7 @@ master_pillar() { echo " grafana: $GRAFANA" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls echo " osquery: $OSQUERY" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls echo " wazuh: $WAZUH" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls - echo " hive: $HIVE" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls + echo " thehive: $THEHIVE" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls } master_static() { @@ -621,6 +621,7 @@ node_pillar() { } process_components() { + echo $COMPONENTS >> /root/components CLEAN=${COMPONENTS//\"} GRAFANA=0 OSQUERY=0 From 3ba399e06587bfd9e52c033b1d7f20eba74d7429 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 17 Apr 2019 10:37:43 -0400 Subject: [PATCH 29/58] Setup Script - Update Eval --- so-setup-network.sh | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/so-setup-network.sh b/so-setup-network.sh index cd08a2d1c..cc536e4b6 100644 --- a/so-setup-network.sh +++ b/so-setup-network.sh @@ -621,7 +621,6 @@ node_pillar() { } process_components() { - echo $COMPONENTS >> /root/components CLEAN=${COMPONENTS//\"} GRAFANA=0 OSQUERY=0 @@ -630,7 +629,7 @@ process_components() { IFS=$' ' for item in $(echo "$CLEAN"); do - set $item=1 + let $item=1 done unset IFS } From 734887c2945d7458c6453988d89e18eab3bb3bdb Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 17 Apr 2019 11:11:23 -0400 Subject: [PATCH 30/58] Setup Script - Update Eval --- salt/top.sls | 13 +++++++++++++ so-setup-network.sh | 39 ++++++++++++--------------------------- 2 files changed, 25 insertions(+), 27 deletions(-) 
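Review bot: `let $item=1` assigns a variable by evaluating the whiptail checklist output as an arithmetic expression, which is an `eval`-style construct; an item that is not a plain identifier would be interpreted rather than rejected. Since the only possible names are the four fixed tags in `whiptail_enable_components`, restrict them explicitly: `case "$item" in GRAFANA|OSQUERY|WAZUH|THEHIVE) printf -v "$item" '%s' 1 ;; esac`. The `IFS=$' '` / `$(echo "$CLEAN")` pair is also redundant, since `for item in $CLEAN; do` already splits on the default IFS.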
diff --git a/salt/top.sls b/salt/top.sls index ac6e909f0..cdce0904c 100644 --- a/salt/top.sls +++ b/salt/top.sls @@ -47,6 +47,9 @@ base: - utility - schedule - soctopus + {%- if THEHIVE != 0 %} + - hive + {%- endif %} 'G@role:so-master': @@ -57,17 +60,27 @@ base: - master - idstools - redis + {%- if OSQUERY != 0 %} - mysql + {%- endif %} - elasticsearch - logstash - kibana - elastalert + {%- if WAZUH != 0 %} - wazuh + {%- endif %} - filebeat - utility - schedule + {%- if OSQUERY != 0 %} - fleet + {%- endif %} - soctopus + {%- if THEHIVE != 0 %} + - hive + {%- endif %} + # Storage node logic diff --git a/so-setup-network.sh b/so-setup-network.sh index cc536e4b6..d3bc6ef3e 100644 --- a/so-setup-network.sh +++ b/so-setup-network.sh @@ -1152,10 +1152,10 @@ whiptail_cur_close_days() { whiptail_enable_components() { COMPONENTS=$(whiptail --title "Security Onion Setup" --checklist \ "Select Components to install" 20 78 8 \ - "GRAFANA" "Enable Grafana for system monitoring" OFF \ - "OSQUERY" "Enable Fleet with osquery" OFF \ - "WAZUH" "Enable Wazuh" OFF \ - "THEHIVE" "Enable TheHive" OFF 3>&1 1>&2 2>&3 ) + "GRAFANA" "Enable Grafana for system monitoring" ON \ + "OSQUERY" "Enable Fleet with osquery" ON \ + "WAZUH" "Enable Wazuh" ON \ + "THEHIVE" "Enable TheHive" ON 3>&1 1>&2 2>&3 ) } whiptail_eval_adv() { @@ -1361,23 +1361,6 @@ whiptail_master_adv_service_brologs() { "x509" "x.509 Logs" ON 3>&1 1>&2 2>&3 ) } -whiptail_master_adv_service_grafana() { - echo "blah" -} - -whiptail_master_adv_service_osquery() { - #MOSQ=$() - echo "blah" - -} - -whiptail_master_adv_service_wazuh() { - echo "blah" -} - - - - whiptail_network_notice() { whiptail --title "Security Onion Setup" --yesno "Since this is a network install we assume the management interface, DNS, Hostname, etc are already set up. Hit YES to continue." 8 78 
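Review bot: `{%- if THEHIVE != 0 %}` compares against an integer, but the variable's default from `pillar.get(..., '0')` is the string `'0'`, and `'0' != 0` is true in Jinja, so a minion with no `master:thehive` pillar gets `hive` included instead of excluded. The new `OSQUERY` and `WAZUH` guards in the same hunk, the top.sls guards added in patch 39, and the `FLEETSETUP` guard in `salt/launcher/init.sls` (patches 39, 42 and 44, which flip between `0` and `'0'` without settling the type) have the same mixed-type comparison. Compare on one type, e.g. `{%- if THEHIVE|int != 0 %}`, or make the defaults integers where they are set (the `set` lines are outside this hunk).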
@@ -1622,6 +1605,8 @@ if (whiptail_you_sure); then # Find out how to handle updates whiptail_master_updates + whiptail_enable_components + process_components # Do Advacned Setup if they chose it if [ $MASTERADV == 'ADVANCED' ]; then @@ -1629,9 +1614,6 @@ if (whiptail_you_sure); then if [ $BROVERSION != 'SURICATA' ]; then whiptail_master_adv_service_brologs fi - whiptail_master_adv_service_osquery - whiptail_master_adv_service_grafana - whiptail_master_adv_service_wazuh fi # Last Chance to back out @@ -1852,7 +1834,7 @@ if (whiptail_you_sure); then echo -e "XXX\n25\nInstalling master components... \nXXX" salt-call state.apply master >>~/sosetup.log 2>&1 salt-call state.apply idstools >>~/sosetup.log 2>&1 - if [[ $EVALOSQUERY == '0' ]]; then + if [[ $OSQUERY == '1' ]]; then salt-call state.apply mysql >>~/sosetup.log 2>&1 fi echo -e "XXX\n35\nInstalling ElasticSearch... \nXXX" @@ -1871,12 +1853,12 @@ if (whiptail_you_sure); then salt-call state.apply curator >>~/sosetup.log 2>&1 echo -e "XXX\n58\nInstalling elastalert... \nXXX" salt-call state.apply elastalert >>~/sosetup.log 2>&1 - if [[ $EVALOSQUERY == '0' ]]; then + if [[ $OSQUERY == '1' ]]; then echo -e "XXX\n60\nInstalling fleet... \nXXX" salt-call state.apply fleet >>~/sosetup.log 2>&1 salt-call state.apply redis >>~/sosetup.log 2>&1 fi - if [[ $EVALWAZUH == '0' ]]; then + if [[ $WAZUH == '1' ]]; then echo -e "XXX\n65\nInstalling Wazuh components... \nXXX" salt-call state.apply wazuh >>~/sosetup.log 2>&1 fi @@ -1886,6 +1868,9 @@ if (whiptail_you_sure); then echo -e "XXX\n95\nInstalling misc components... \nXXX" salt-call state.apply schedule >>~/sosetup.log 2>&1 salt-call state.apply soctopus >>~/sosetup.log 2>&1 + if [[ $WAZUH == '1' ]]; then + salt-call state.apply hive >>~/sosetup.log 2>&1 + fi echo -e "XXX\n98\nSetting checkin to run on boot... \nXXX" checkin_at_boot >>~/sosetup.log 2>&1 echo -e "XXX\n99\nVerifying Setup... \nXXX" From 0d8906b77f01883642ddb52ec1ecedf407f94415 Mon Sep 17 00:00:00 2001 
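Review bot: The new block applies the `hive` state when `$WAZUH == '1'`, but the flag that `process_components` sets for TheHive, and that `top.sls` keys on, is `THEHIVE`; as written TheHive is installed whenever Wazuh is selected and never when only TheHive is. Change the guard to `if [[ $THEHIVE == '1' ]]; then`. The enclosing install block starts outside the hunk.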
From: Mike Reeves Date: Wed, 17 Apr 2019 11:13:42 -0400 Subject: [PATCH 31/58] Setup Script - Update Eval --- so-setup-network.sh | 19 +------------------ 1 file changed, 1 insertion(+), 18 deletions(-) diff --git a/so-setup-network.sh b/so-setup-network.sh index d3bc6ef3e..5bf0fc147 100644 --- a/so-setup-network.sh +++ b/so-setup-network.sh @@ -1165,24 +1165,6 @@ whiptail_eval_adv() { "ADVANCED" "Choose additional components to be installed" OFF 3>&1 1>&2 2>&3 ) } -whiptail_eval_adv_service_grafana() { - whiptail --title "Eval Advanced Setup" --yesno "Would you like to enable Grafana for detailed monitoring?" 8 78 - local exitstatus=$? - EVALGRAFANA=$exitstatus -} - -whiptail_eval_adv_service_osquery() { - whiptail --title "Eval Advanced Setup" --yesno "Would you like to enable OSquery for client monitoring?" 8 78 - local exitstatus=$? - EVALOSQUERY=$exitstatus -} - -whiptail_eval_adv_service_wazuh() { - whiptail --title "Eval Advanced Setup" --yesno "Would you like to enable Wazuh for client monitoring?" 8 78 - local exitstatus=$? - EVALWAZUH=$exitstatus -} - whiptail_eval_adv_warning() { whiptail --title "Security Onion Setup" --msgbox "Please keep in mind the more services that you enable the more RAM that is required." 8 78 } @@ -1758,6 +1740,7 @@ if (whiptail_you_sure); then # Snag the HOME_NET whiptail_homenet_master + whiptail_eval_adv_warning whiptail_enable_components # Set a bunch of stuff since this is eval From 73b90dd4ba790ec5e40943d607ec278f27ef65b4 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 22 Apr 2019 19:29:23 -0400 Subject: [PATCH 32/58] Fleet Module - Updated launcher docker --- salt/fleet/so-fleet-setup.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/salt/fleet/so-fleet-setup.sh b/salt/fleet/so-fleet-setup.sh index 64d7fe435..fbf5ce9df 100644 --- a/salt/fleet/so-fleet-setup.sh +++ b/salt/fleet/so-fleet-setup.sh 
@@ -2,12 +2,12 @@ if [ ! "$(docker ps -q -f name=so-fleet)" ]; then echo "so-fleet container not running... Exiting..." - exit 1 + exit 1 fi initpw=$(date +%s | sha256sum | base64 | head -c 16 ; echo) -docker exec so-fleet fleetctl config set --address https://$1:443 --tls-skip-verify +docker exec so-fleet fleetctl config set --address https://$1:443 --tls-skip-verify docker exec so-fleet fleetctl setup --email $2 --password $initpw docker exec so-fleet fleetctl apply -f /packs/palantir/Fleet/Endpoints/options.yaml @@ -26,7 +26,7 @@ mkdir /opt/so/conf/fleet/packages docker run \ --mount type=bind,source=/opt/so/conf/fleet/packages,target=/output \ --mount type=bind,source=/etc/pki/fleet-launcher.crt,target=/var/launcher/launcher.crt \ - defensivedepth/hh-launcher "$esecret" "$1":8080 + soshybridhunter/so-fleet-launcher:HH1.0.8 "$esecret" "$1":8080 #Update timestamp on packages webpage sed -i "s@.*Generated.*@Generated: $(date '+%m%d%Y')@g" /opt/so/conf/fleet/packages/index.html From 9aa46fe08e6266ccffff943525b6d0053b7f3880 Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Tue, 23 Apr 2019 14:25:35 -0400 Subject: [PATCH 33/58] Fix naming issue docker is looking for `launcher.crt` --- salt/fleet/so-fleet-setup.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/fleet/so-fleet-setup.sh b/salt/fleet/so-fleet-setup.sh index fbf5ce9df..e4eedf93b 100644 --- a/salt/fleet/so-fleet-setup.sh +++ b/salt/fleet/so-fleet-setup.sh @@ -18,7 +18,7 @@ docker exec so-fleet fleetctl apply -f /packs/hh/hhdefault.yml esecret=$(sudo docker exec so-fleet fleetctl get enroll-secret) #Concat fleet.crt & ca.crt - this is required for launcher connectivity -cat /etc/pki/fleet.crt /etc/pki/ca.crt > /etc/pki/fleet-launcher.crt +cat /etc/pki/fleet.crt /etc/pki/ca.crt > /etc/pki/launcher.crt #Create the output directory mkdir /opt/so/conf/fleet/packages From 1f07b46a536335bdfbeb3a5274bdc305c93e4766 Mon Sep 17 00:00:00 2001 
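Review bot: The initial Fleet admin password, `initpw=$(date +%s | sha256sum | base64 | head -c 16 ; echo)`, is a deterministic function of the install second, so anyone who can estimate when setup ran can recompute it; derive it from the kernel RNG instead, e.g. `initpw=$(head -c 32 /dev/urandom | base64 | tr -dc 'a-zA-Z0-9' | head -c 16)`. The `fleetctl config set` line still passes `--tls-skip-verify` even though `fleet.crt` is issued by the local CA (the `cat /etc/pki/fleet.crt /etc/pki/ca.crt` step further down relies on exactly that); if the installed fleetctl accepts a CA option such as `--rootca`, pointing it at `/etc/pki/ca.crt` would remove the skip. `$1` and `$2` are also unquoted on both `docker exec` lines.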
From: Josh Brower Date: Tue, 23 Apr 2019 16:21:09 -0400 Subject: [PATCH 34/58] Spelling fix.... --- salt/common/grafana/grafana_dashboards/eval/eval.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/common/grafana/grafana_dashboards/eval/eval.json b/salt/common/grafana/grafana_dashboards/eval/eval.json index 3dccde9ab..8dd5532d1 100644 --- a/salt/common/grafana/grafana_dashboards/eval/eval.json +++ b/salt/common/grafana/grafana_dashboards/eval/eval.json @@ -3110,7 +3110,7 @@ "timeFrom": null, "timeRegions": [], "timeShift": null, - "title": "{{ SERVERNAME }} - Managemnt Traffic", + "title": "{{ SERVERNAME }} - Management Traffic", "tooltip": { "msResolution": true, "shared": true, From c3fb7259d0e70737239533cd321a2f261c90efce Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Thu, 25 Apr 2019 11:12:57 -0400 Subject: [PATCH 35/58] Update so-fleet-setup.sh --- salt/fleet/so-fleet-setup.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/fleet/so-fleet-setup.sh b/salt/fleet/so-fleet-setup.sh index e4eedf93b..2d438a973 100644 --- a/salt/fleet/so-fleet-setup.sh +++ b/salt/fleet/so-fleet-setup.sh @@ -25,7 +25,7 @@ mkdir /opt/so/conf/fleet/packages docker run \ --mount type=bind,source=/opt/so/conf/fleet/packages,target=/output \ - --mount type=bind,source=/etc/pki/fleet-launcher.crt,target=/var/launcher/launcher.crt \ + --mount type=bind,source=/etc/pki/launcher.crt,target=/var/launcher/launcher.crt \ soshybridhunter/so-fleet-launcher:HH1.0.8 "$esecret" "$1":8080 #Update timestamp on packages webpage From ff4c34b5fafc6fcaaef26c75afc6fbb133e1c91d Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Sat, 27 Apr 2019 08:17:54 -0400 Subject: [PATCH 36/58] Update `Generated` timestamp on both confg & src files Otherwise /opt/so/conf/fleet/packages/index.html gets overwritten. --- salt/fleet/so-fleet-setup.sh | 1 + 1 file changed, 1 insertion(+) 
diff --git a/salt/fleet/so-fleet-setup.sh b/salt/fleet/so-fleet-setup.sh index 2d438a973..548e1d2ec 100644 --- a/salt/fleet/so-fleet-setup.sh +++ b/salt/fleet/so-fleet-setup.sh @@ -30,6 +30,7 @@ docker run \ #Update timestamp on packages webpage sed -i "s@.*Generated.*@Generated: $(date '+%m%d%Y')@g" /opt/so/conf/fleet/packages/index.html +sed -i "s@.*Generated.*@Generated: $(date '+%m%d%Y')@g" /opt/so/saltstack/salt/fleet/osquery-packages.html echo "Fleet Setup Complete - Login here: https://$1" echo "Your username is $2 and your password is $initpw" From e5ac4cb7113a391670d3dbfc988bb5ba5fe82968 Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Sat, 27 Apr 2019 08:36:26 -0400 Subject: [PATCH 37/58] Added missing packs --- salt/fleet/so-fleet-setup.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/fleet/so-fleet-setup.sh b/salt/fleet/so-fleet-setup.sh index 548e1d2ec..bc1f208bd 100644 --- a/salt/fleet/so-fleet-setup.sh +++ b/salt/fleet/so-fleet-setup.sh @@ -14,6 +14,7 @@ docker exec so-fleet fleetctl apply -f /packs/palantir/Fleet/Endpoints/options.y docker exec so-fleet fleetctl apply -f /packs/palantir/Fleet/Endpoints/MacOS/osquery.yaml docker exec so-fleet fleetctl apply -f /packs/palantir/Fleet/Endpoints/Windows/osquery.yaml docker exec so-fleet fleetctl apply -f /packs/hh/hhdefault.yml +docker exec so-fleet /bin/sh -c 'for pack in /packs/palantir/Fleet/Endpoints/packs/*.yaml; do fleetctl apply -f "$pack"; done' esecret=$(sudo docker exec so-fleet fleetctl get enroll-secret) From c23153b91e8a7e492a16bd4605dc859ab547949c Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Sun, 28 Apr 2019 14:50:30 -0400 Subject: [PATCH 38/58] Install osquery locally --- salt/fleet/so-fleet-setup.sh | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/salt/fleet/so-fleet-setup.sh b/salt/fleet/so-fleet-setup.sh index bc1f208bd..eb2ad0d96 100644 --- a/salt/fleet/so-fleet-setup.sh +++ b/salt/fleet/so-fleet-setup.sh 
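Review bot: The loop `for pack in /packs/palantir/Fleet/Endpoints/packs/*.yaml` runs under `/bin/sh`, where an unmatched glob is passed through literally, so an empty or missing directory makes `fleetctl apply -f` fail on the pattern string itself. Guard each iteration with `[ -e "$pack" ] || continue`. As with the other `docker exec` lines, a failed apply is not checked by the caller.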
@@ -33,5 +33,12 @@ docker run \ sed -i "s@.*Generated.*@Generated: $(date '+%m%d%Y')@g" /opt/so/conf/fleet/packages/index.html sed -i "s@.*Generated.*@Generated: $(date '+%m%d%Y')@g" /opt/so/saltstack/salt/fleet/osquery-packages.html +#Install osquery locally +if cat /etc/os-release | grep -q 'debian'; then + dpkg -i /opt/so/conf/fleet/packages/launcher.deb +else + rpm -i /opt/so/conf/fleet/packages/launcher.rpm +fi + echo "Fleet Setup Complete - Login here: https://$1" echo "Your username is $2 and your password is $initpw" From 85f7137901f6693238f61d660d3c63a2b00d3e3e Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 30 Apr 2019 09:35:29 -0400 Subject: [PATCH 39/58] Fleet Module - Added auto install of launcher if osq enabled --- pillar/data/addtotab.sh | 6 ++++++ salt/fleet/so-fleet-setup.sh | 17 +++++++++++------ salt/launcher/init.sls | 12 ++++++++++++ salt/launcher/packages/info.txt | 1 + salt/top.sls | 20 ++++++++++++++++++++ so-setup-network.sh | 1 + 6 files changed, 51 insertions(+), 6 deletions(-) create mode 100644 salt/launcher/init.sls create mode 100644 salt/launcher/packages/info.txt diff --git a/pillar/data/addtotab.sh b/pillar/data/addtotab.sh index 1a1ac7984..ad302607c 100644 --- a/pillar/data/addtotab.sh +++ b/pillar/data/addtotab.sh @@ -11,6 +11,8 @@ MANINT=$6 ROOTFS=$7 NSM=$8 MONINT=$9 +#NODETYPE=$10 +#HOTNAME=$11 echo "Seeing if this host is already in here. If so delete it" if grep -q $NAME "/opt/so/saltstack/pillar/data/$TYPE.sls"; then @@ -49,3 +51,7 @@ if [ $TYPE == 'evaltab' ]; then salt-call state.apply common queue=True salt-call state.apply utility queue=True fi +#if [ $TYPE == 'nodestab' ]; then +# echo " nodetype: $NODETYPE" >> /opt/so/saltstack/pillar/data/$TYPE.sls +# echo " hotname: $HOTNAME" >> /opt/so/saltstack/pillar/data/$TYPE.sls +#fi diff --git a/salt/fleet/so-fleet-setup.sh b/salt/fleet/so-fleet-setup.sh index eb2ad0d96..f56066412 100644 --- a/salt/fleet/so-fleet-setup.sh +++ b/salt/fleet/so-fleet-setup.sh 
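Review bot: The commented-out `#NODETYPE=$10` and `#HOTNAME=$11` will not do what they say once uncommented: in shell `$10` expands to `$1` followed by a literal `0`, so these need to be `${10}` and `${11}`. Worth correcting while the lines are inert, since the matching `nodestab` block appended at the end of the file is also commented and will presumably be enabled together with them.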
@@ -29,16 +29,21 @@ docker run \ --mount type=bind,source=/etc/pki/launcher.crt,target=/var/launcher/launcher.crt \ soshybridhunter/so-fleet-launcher:HH1.0.8 "$esecret" "$1":8080 +cp /opt/so/conf/fleet/packages/launcher.* /opt/so/saltstack/salt/launcher/packages/ #Update timestamp on packages webpage sed -i "s@.*Generated.*@Generated: $(date '+%m%d%Y')@g" /opt/so/conf/fleet/packages/index.html sed -i "s@.*Generated.*@Generated: $(date '+%m%d%Y')@g" /opt/so/saltstack/salt/fleet/osquery-packages.html -#Install osquery locally -if cat /etc/os-release | grep -q 'debian'; then - dpkg -i /opt/so/conf/fleet/packages/launcher.deb -else - rpm -i /opt/so/conf/fleet/packages/launcher.rpm -fi +# Enable Fleet on all the other parts of the infrastructure +sed -i 's/fleetsetup: 0/fleetsetup: 1/g' /opt/so/salt/saltstack/pillar/static.sls +# Install osquery locally +#if cat /etc/os-release | grep -q 'debian'; then +# dpkg -i /opt/so/conf/fleet/packages/launcher.deb +#else +# rpm -i /opt/so/conf/fleet/packages/launcher.rpm +#fi +echo "Installing launcher via salt" +salt-call state.apply launcher queue=True > /root/launcher.log echo "Fleet Setup Complete - Login here: https://$1" echo "Your username is $2 and your password is $initpw" diff --git a/salt/launcher/init.sls b/salt/launcher/init.sls new file mode 100644 index 000000000..f8767654e --- /dev/null +++ b/salt/launcher/init.sls @@ -0,0 +1,12 @@ +{%- set FLEETSETUP = salt['pillar.get']('static:fleetsetup', '0') -%} + +{%- if FLEETSETUP != 0 %} +launcherpkg: + pkg.installed: + - sources: + {% if grains['os'] == 'CentOS' %} + - launcher: salt://launcher/packages/launcher.rpm + {% elif grains['os'] == 'Ubuntu' %} + - launcher: salt://launcher/packages/launcher.deb + {% endif %} +{%- endif %} diff --git a/salt/launcher/packages/info.txt b/salt/launcher/packages/info.txt new file mode 100644 index 000000000..5529d123c --- /dev/null +++ b/salt/launcher/packages/info.txt @@ -0,0 +1 @@ +Fleet Packages will be copied to this folder 
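Review bot: `launcherpkg` in the new `salt/launcher/init.sls` chooses its source only when `grains['os']` is `CentOS` or `Ubuntu`; on any other OS the `sources` list renders empty and `pkg.installed` will presumably try to install a package literally named `launcherpkg`. Add an `{% else %}` branch that fails loudly, e.g. `{{ raise('launcher: unsupported OS ' ~ grains['os']) }}` if the Salt version provides the Jinja `raise()` helper, and a header comment noting that the `.rpm`/`.deb` are copied into `salt/launcher/packages/` by so-fleet-setup.sh. In the setup script, `salt-call state.apply launcher queue=True > /root/launcher.log` captures only stdout, so a failing state leaves nothing in the log; use `>/root/launcher.log 2>&1` as the other `salt-call` lines do.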
diff --git a/salt/top.sls b/salt/top.sls index cdce0904c..f95dba3c9 100644 --- a/salt/top.sls +++ b/salt/top.sls @@ -16,6 +16,9 @@ base: {%- endif %} - wazuh - filebeat + {%- if OSQUERY != 0 %} + - launcher + {%- endif %} - schedule 'G@role:so-eval': @@ -39,6 +42,7 @@ base: {%- if OSQUERY != 0 %} - fleet - redis + - launcher {%- endif %} {%- if WAZUH != 0 %} - wazuh @@ -75,6 +79,7 @@ base: - schedule {%- if OSQUERY != 0 %} - fleet + - launcher {%- endif %} - soctopus {%- if THEHIVE != 0 %} @@ -89,6 +94,9 @@ base: - common - firewall - logstash + {%- if OSQUERY != 0 %} + - launcher + {%- endif %} - schedule 'G@role:so-node and I@node:node_type:hot': @@ -98,6 +106,9 @@ base: - logstash - elasticsearch - curator + {%- if OSQUERY != 0 %} + - launcher + {%- endif %} - schedule 'G@role:so-node and I@node:node_type:warm': @@ -105,6 +116,9 @@ base: - common - firewall - elasticsearch + {%- if OSQUERY != 0 %} + - launcher + {%- endif %} - schedule 'G@role:so-node and I@node:node_type:storage': @@ -118,6 +132,9 @@ base: - curator - wazuh - filebeat + {%- if OSQUERY != 0 %} + - launcher + {%- endif %} - schedule 'G@role:mastersensor': @@ -125,4 +142,7 @@ base: - firewall - sensor - master + {%- if OSQUERY != 0 %} + - launcher + {%- endif %} - schedule diff --git a/so-setup-network.sh b/so-setup-network.sh index 5bf0fc147..fdaee16de 100644 --- a/so-setup-network.sh +++ b/so-setup-network.sh @@ -582,6 +582,7 @@ master_static() { echo " hiveuser: hiveadmin" >> /opt/so/saltstack/pillar/static.sls echo " hivepassword: hivechangeme" >> /opt/so/saltstack/pillar/static.sls echo " hivekey: $HIVEKEY" >> /opt/so/saltstack/pillar/static.sls + echo " fleetsetup: 0" >> /opt/so/salt/saltstack/pillar/static.sls if [[ $MASTERUPDATES == 'MASTER' ]]; then echo " masterupdate: 1" >> /opt/so/saltstack/pillar/static.sls else From 89786c16c612b99578fb0c0686db40fb2f342ac6 Mon Sep 17 00:00:00 2001 
From: Mike Reeves Date: Tue, 30 Apr 2019 09:44:58 -0400 Subject: [PATCH 40/58] Fleet Module - Add some default firewall rules --- salt/firewall/init.sls | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/salt/firewall/init.sls b/salt/firewall/init.sls index 7ff009495..cfde43365 100644 --- a/salt/firewall/init.sls +++ b/salt/firewall/init.sls @@ -217,6 +217,17 @@ enable_masternode_mysql_3306_{{ip}}: - position: 1 - save: True +enable_master_osquery_8080_{{ip}}: + iptables.insert: + - table: filter + - chain: DOCKER-USER + - jump: ACCEPT + - proto: tcp + - source: {{ ip }} + - dport: 8080 + - position: 1 + - save: True + {% endfor %} # Make it so all the minions can talk to salt and update etc. @@ -277,6 +288,17 @@ enable_minions_influxdb_8086_{{ip}}: - position: 1 - save: True +enable_minion_osquery_8080_{{ip}}: + iptables.insert: + - table: filter + - chain: DOCKER-USER + - jump: ACCEPT + - proto: tcp + - source: {{ ip }} + - dport: 8080 + - position: 1 + - save: True + {% endfor %} # Allow Forward Nodes to send their beats traffic From e4614f91f349eeb8308f7b5306c73cb5a6c7fb02 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 30 Apr 2019 12:59:45 -0400 Subject: [PATCH 41/58] Suricata Module - Update Suricata Version to 4.1.4 --- salt/suricata/init.sls | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/suricata/init.sls b/salt/suricata/init.sls index 48106a83a..a37ac153d 100644 --- a/salt/suricata/init.sls +++ b/salt/suricata/init.sls @@ -72,7 +72,7 @@ suriconfigsync: so-suricata: docker_container.running: - - image: soshybridhunter/so-suricata:HH1.0.7 + - image: soshybridhunter/so-suricata:HH1.0.8 - privileged: True - environment: - INTERFACE={{ interface }} From d90099179491ec33c49bc1d36eaeafdb7fd70438 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 30 Apr 2019 13:12:11 -0400 Subject: [PATCH 42/58] Launcher Module - Fix logic --- salt/launcher/init.sls | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
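Review bot: The two new rules open TCP 8080 on `DOCKER-USER` for every `{{ ip }}` in their enclosing loops, but nothing in the state records what 8080 is; the only place the port is named is the `"$1":8080` argument in so-fleet-setup.sh. Add `# Fleet/launcher enrollment port, see salt/fleet/so-fleet-setup.sh` above each rule, and note that `position: 1` puts them ahead of any existing rules in the chain. Both `{% for %}` loops start outside the hunks, so which hosts each loop covers cannot be confirmed here.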
diff --git a/salt/launcher/init.sls b/salt/launcher/init.sls index f8767654e..7367f39f0 100644 --- a/salt/launcher/init.sls +++ b/salt/launcher/init.sls @@ -1,6 +1,6 @@ {%- set FLEETSETUP = salt['pillar.get']('static:fleetsetup', '0') -%} -{%- if FLEETSETUP != 0 %} +{%- if FLEETSETUP != '0' %} launcherpkg: pkg.installed: - sources: From fd9f26128e4829f5fb53df6497fbdcba0dd9cea0 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 30 Apr 2019 13:20:38 -0400 Subject: [PATCH 43/58] Setup Script - Fix static.sls --- salt/fleet/so-fleet-setup.sh | 2 +- so-setup-network.sh | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/salt/fleet/so-fleet-setup.sh b/salt/fleet/so-fleet-setup.sh index f56066412..85f8716e1 100644 --- a/salt/fleet/so-fleet-setup.sh +++ b/salt/fleet/so-fleet-setup.sh @@ -35,7 +35,7 @@ sed -i "s@.*Generated.*@Generated: $(date '+%m%d%Y')@g" /opt/so/conf/fleet/packa sed -i "s@.*Generated.*@Generated: $(date '+%m%d%Y')@g" /opt/so/saltstack/salt/fleet/osquery-packages.html # Enable Fleet on all the other parts of the infrastructure -sed -i 's/fleetsetup: 0/fleetsetup: 1/g' /opt/so/salt/saltstack/pillar/static.sls +sed -i 's/fleetsetup: 0/fleetsetup: 1/g' /opt/so/saltstack/pillar/static.sls # Install osquery locally #if cat /etc/os-release | grep -q 'debian'; then diff --git a/so-setup-network.sh b/so-setup-network.sh index fdaee16de..ad77c492a 100644 --- a/so-setup-network.sh +++ b/so-setup-network.sh @@ -582,7 +582,7 @@ master_static() { echo " hiveuser: hiveadmin" >> /opt/so/saltstack/pillar/static.sls echo " hivepassword: hivechangeme" >> /opt/so/saltstack/pillar/static.sls echo " hivekey: $HIVEKEY" >> /opt/so/saltstack/pillar/static.sls - echo " fleetsetup: 0" >> /opt/so/salt/saltstack/pillar/static.sls + echo " fleetsetup: 0" >> /opt/so/saltstack/pillar/static.sls if [[ $MASTERUPDATES == 'MASTER' ]]; then echo " masterupdate: 1" >> /opt/so/saltstack/pillar/static.sls else 
From bc7d6430233636ea3d4ac3c3fc59a50b100ef797 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 30 Apr 2019 14:15:16 -0400 Subject: [PATCH 44/58] Setup Script - Remove -G setting --- salt/launcher/init.sls | 2 +- so-setup-network.sh | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/salt/launcher/init.sls b/salt/launcher/init.sls index 7367f39f0..f8767654e 100644 --- a/salt/launcher/init.sls +++ b/salt/launcher/init.sls @@ -1,6 +1,6 @@ {%- set FLEETSETUP = salt['pillar.get']('static:fleetsetup', '0') -%} -{%- if FLEETSETUP != '0' %} +{%- if FLEETSETUP != 0 %} launcherpkg: pkg.installed: - sources: diff --git a/so-setup-network.sh b/so-setup-network.sh index ad77c492a..461946694 100644 --- a/so-setup-network.sh +++ b/so-setup-network.sh @@ -319,7 +319,7 @@ create_bond() { echo "iface $BNIC inet manual" >> /etc/network/interfaces.d/$BNIC echo " up ip link set \$IFACE promisc on arp off up" >> /etc/network/interfaces.d/$BNIC echo " down ip link set \$IFACE promisc off down" >> /etc/network/interfaces.d/$BNIC - echo " post-up ethtool -G \$IFACE rx 4096; for i in rx tx sg tso ufo gso gro lro; do ethtool -K \$IFACE \$i off; done" >> /etc/network/interfaces.d/$BNIC + echo " post-up for i in rx tx sg tso ufo gso gro lro; do ethtool -K \$IFACE \$i off; done" >> /etc/network/interfaces.d/$BNIC echo " post-up echo 1 > /proc/sys/net/ipv6/conf/\$IFACE/disable_ipv6" >> /etc/network/interfaces.d/$BNIC echo " bond-master bond0" >> /etc/network/interfaces.d/$BNIC echo " mtu $MTU" >> /etc/network/interfaces.d/$BNIC 
@@ -335,7 +335,7 @@ create_bond() { echo " mtu $MTU" >> /etc/network/interfaces.d/bond0 echo " up ip link set \$IFACE promisc on arp off up" >> /etc/network/interfaces.d/bond0 echo " down ip link set \$IFACE promisc off down" >> /etc/network/interfaces.d/bond0 - echo " post-up ethtool -G \$IFACE rx 4096; for i in rx tx sg tso ufo gso gro lro; do ethtool -K \$IFACE \$i off; done" >> /etc/network/interfaces.d/bond0 + echo " post-up for i in rx tx sg tso ufo gso gro lro; do ethtool -K \$IFACE \$i off; done" >> /etc/network/interfaces.d/bond0 echo " post-up echo 1 > /proc/sys/net/ipv6/conf/\$IFACE/disable_ipv6" >> /etc/network/interfaces.d/bond0 fi From 264c9f792bd6f583c32c0339c9bc70ca6dbc4886 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 1 May 2019 11:00:41 -0400 Subject: [PATCH 45/58] Setup Script - Added progress bars for master install --- so-setup-network.sh | 139 +++++++++++++++++++++++++++----------------- 1 file changed, 85 insertions(+), 54 deletions(-) diff --git a/so-setup-network.sh b/so-setup-network.sh index 461946694..dda535d04 100644 --- a/so-setup-network.sh +++ b/so-setup-network.sh 
@@ -1620,60 +1620,91 @@ if (whiptail_you_sure); then
 add_socore_user_master
 # Install salt and dependencies
- echo " ** Installing Salt and Dependencies **"
- saltify >>~/sosetup.log 2>&1
- docker_install
+ {
+ sleep 0.5
+ echo -e "XXX\n0\nInstalling and configuring Salt... \nXXX"
+ echo " ** Installing Salt and Dependencies **" >>~/sosetup.log
+ saltify >>~/sosetup.log 2>&1
+ echo -e "XXX\n5\nInstalling Docker... \nXXX"
+ docker_install >>~/sosetup.log 2>&1
+ echo -e "XXX\n10\nConfiguring Salt Master... \nXXX"
+ echo " ** Configuring Minion **" >>~/sosetup.log
+ configure_minion master >>~/sosetup.log 2>&1
+ echo " ** Installing Salt Master **" >>~/sosetup.log
+ install_master >>~/sosetup.log 2>&1
+ salt_master_directories >>~/sosetup.log 2>&1
+ update_sudoers >>~/sosetup.log 2>&1
+ chown_salt_master >>~/sosetup.log 2>&1
+ es_heapsize >>~/sosetup.log 2>&1
+ ls_heapsize >>~/sosetup.log 2>&1
+ echo -e "XXX\n25\nConfiguring Default Pillars... \nXXX"
+ master_static >>~/sosetup.log 2>&1
+ echo "** Generating the master pillar **" >>~/sosetup.log
+ master_pillar >>~/sosetup.log 2>&1
+ echo -e "XXX\n30\nAccepting Salt Keys... \nXXX"
+ # Do a checkin to push the key up
+ echo "** Pushing the key up to Master **" >>~/sosetup.log
+ salt_firstcheckin >>~/sosetup.log 2>&1
+ # Accept the Master Key
+ echo "** Accepting the key on the master **" >>~/sosetup.log
+ accept_salt_key_local >>~/sosetup.log 2>&1
+ echo -e "XXX\n35\nConfiguring Firewall... \nXXX"
+ # Open the firewall
+ echo "** Setting the initial firewall policy **" >>~/sosetup.log
+ set_initial_firewall_policy >>~/sosetup.log 2>&1
+ # Do the big checkin but first let them know it will take a bit.
+ echo -e "XXX\n40\nGenerating CA... \nXXX"
+ salt_checkin >>~/sosetup.log 2>&1
+ salt-call state.apply ca >>~/sosetup.log 2>&1
+ salt-call state.apply ssl >>~/sosetup.log 2>&1
+ echo -e "XXX\n43\nInstalling Common Components... \nXXX"
+ salt-call state.apply common >>~/sosetup.log 2>&1
+ echo -e "XXX\n45\nApplying firewall rules... \nXXX"
+ salt-call state.apply firewall >>~/sosetup.log 2>&1
+ salt-call state.apply master >>~/sosetup.log 2>&1
+ salt-call state.apply idstools >>~/sosetup.log 2>&1
+ echo -e "XXX\n40\nInstalling Redis... \nXXX"
+ salt-call state.apply redis >>~/sosetup.log 2>&1
+ if [[ $OSQUERY == '1' ]]; then
+ echo -e "XXX\n41\nInstalling MySQL... \nXXX"
+ salt-call state.apply mysql >>~/sosetup.log 2>&1
+ fi
+ echo -e "XXX\n45\nInstalling Elastic Components... \nXXX"
+ salt-call state.apply elasticsearch >>~/sosetup.log 2>&1
+ salt-call state.apply logstash >>~/sosetup.log 2>&1
+ salt-call state.apply kibana >>~/sosetup.log 2>&1
+ salt-call state.apply elastalert >>~/sosetup.log 2>&1
+ if [[ $WAZUH == '1' ]]; then
+ echo -e "XXX\n68\nInstalling Wazuh... \nXXX"
+ salt-call state.apply wazuh >>~/sosetup.log 2>&1
+ fi
+ echo -e "XXX\n75\nInstalling Filebeat... \nXXX"
+ salt-call state.apply filebeat >>~/sosetup.log 2>&1
+ salt-call state.apply utility >>~/sosetup.log 2>&1
+ salt-call state.apply schedule >>~/sosetup.log 2>&1
+ if [[ $OSQUERY == '1' ]]; then
+ echo -e "XXX\n79\nInstalling Fleet... \nXXX"
+ salt-call state.apply fleet >>~/sosetup.log 2>&1
+ salt-call state.apply launcher >>~/sosetup.log 2>&1
+ fi
+ echo -e "XXX\n85\nConfiguring SOctopus... \nXXX"
+ salt-call state.apply soctopus >>~/sosetup.log 2>&1
+ if [[ $THEHIVE == '1' ]]; then
+ echo -e "XXX\n87\nInstalling TheHive... \nXXX"
+ salt-call state.apply hive >>~/sosetup.log 2>&1
+ fi
+ echo -e "XXX\n75\nEnabling Checking at Boot... \nXXX"
+ checkin_at_boot >>~/sosetup.log 2>&1
+ echo -e "XXX\n95\nVerifying Install... \nXXX"
+ salt-call state.highstate >>~/sosetup.log 2>&1
- # Configure the Minion
- echo " ** Configuring Minion **"
- configure_minion master >>~/sosetup.log 2>&1
-
- # Install the salt master
- echo " ** Installing Salt Master **"
- install_master >>~/sosetup.log 2>&1
-
- # Copy the data over
- salt_master_directories >>~/sosetup.log 2>&1
-
- # Update sudoers file to allow keys and firewalls to be changed
- update_sudoers
-
- # Change perms on the master dir
- chown_salt_master
-
- # Determine the ES Heap Size
- es_heapsize
-
- # Determine the Logstash Heap Size
- ls_heapsize
-
- # Set the static values
- master_static
-
- echo "** Generating the master pillar **"
- master_pillar
-
- # Do a checkin to push the key up
- echo "** Pushing the key up to Master **"
- salt_firstcheckin >>~/sosetup.log 2>&1
-
- # Accept the Master Key
- echo "** Accepting the key on the master **"
- accept_salt_key_local
-
- # Open the firewall
- echo "** Setting the initial firewall policy **"
- set_initial_firewall_policy
-
- # Do the big checkin but first let them know it will take a bit.
- salt_checkin_message
- salt_checkin
-
- # Enable salt to run a checking when the service starts
- checkin_at_boot
-
- # We are done!
- whiptail_setup_complete
+ } |whiptail --title "Hybrid Hunter Install" --gauge "Please wait while installing" 6 60 0
+ GOODSETUP=$(tail -10 /root/sosetup.log | grep Failed | awk '{ print $2}')
+ if [[ $GOODSETUP == '0' ]]; then
+ whiptail_setup_complete
+ else
+ whiptail_setup_failed
+ fi
 fi
@@ -1852,7 +1883,7 @@ if (whiptail_you_sure); then
 echo -e "XXX\n95\nInstalling misc components... \nXXX"
 salt-call state.apply schedule >>~/sosetup.log 2>&1
 salt-call state.apply soctopus >>~/sosetup.log 2>&1
- if [[ $WAZUH == '1' ]]; then
+ if [[ $THEHIVE == '1' ]]; then
 salt-call state.apply hive >>~/sosetup.log 2>&1
 fi
 echo -e "XXX\n98\nSetting checkin to run on boot... \nXXX"
From bd9df6bfeeb397526ee51ad121331812d1a32a04 Mon Sep 17 00:00:00 2001
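Review bot: The success check `GOODSETUP=$(tail -10 /root/sosetup.log | grep Failed | awk '{ print $2}')` inspects only the summary of the final highstate, and is copied verbatim into the sensor and node install paths in the two following commits; a transient failure in an earlier `state.apply` (ca, ssl, firewall) is lost if the highstate happens to succeed, and the block writes to `~/sosetup.log` but reads `/root/sosetup.log`, which diverge when the script runs under `sudo` with HOME preserved. Factor the check into one helper that uses a single log path and matches the summary line deliberately, so a missing summary or a stray "Failed" token in the last ten lines cannot yield a false pass. The gauge percentages also run backwards (45 then 40 then 41, and 87 then 75), which is cosmetic but confusing. The enclosing `if (whiptail_you_sure)` block starts outside the hunk.
```shell
SOSETUP_LOG=/root/sosetup.log

# Return 0 only when the last highstate summary in the setup log reports zero failed states.
setup_succeeded() {
  local failed
  failed=$(tail -n 10 "$SOSETUP_LOG" | grep -m1 'Failed:' | awk '{ print $2 }')
  [[ "$failed" == '0' ]]
}

  # … unchanged: the { … } |whiptail --gauge block, with each step redirected to >>"$SOSETUP_LOG" 2>&1 …
  if setup_succeeded; then
    whiptail_setup_complete
  else
    whiptail_setup_failed
  fi
```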
From: Mike Reeves Date: Wed, 1 May 2019 14:02:27 -0400 Subject: [PATCH 46/58] Setup Script - Added progress bars for sensor install --- so-setup-network.sh | 57 +++++++++++++++++++++++++++++++-------------- 1 file changed, 40 insertions(+), 17 deletions(-) diff --git a/so-setup-network.sh b/so-setup-network.sh index dda535d04..70a0dc06b 100644 --- a/so-setup-network.sh +++ b/so-setup-network.sh 
@@ -1737,23 +1737,46 @@ if (whiptail_you_sure); then get_filesystem_root get_filesystem_nsm copy_ssh_key - set_initial_firewall_policy - create_bond - sensor_pillar - saltify - docker_install - configure_minion sensor - copy_minion_pillar sensors - salt_firstcheckin - # Accept the Salt Key - accept_salt_key_remote - # Do the big checkin but first let them know it will take a bit. - salt_checkin_message - salt_checkin - checkin_at_boot - - whiptail_setup_complete - + { + sleep 0.5 + echo -e "XXX\n0\nSetting Initial Firewall Policy... \nXXX" + set_initial_firewall_policy >>~/sosetup.log 2>&1 + echo -e "XXX\n3\nCreating Bond Interface... \nXXX" + create_bond >>~/sosetup.log 2>&1 + echo -e "XXX\n4\nGenerating Sensor Pillar... \nXXX" + sensor_pillar >>~/sosetup.log 2>&1 + echo -e "XXX\n5\nInstalling Salt Components... \nXXX" + saltify >>~/sosetup.log 2>&1 + echo -e "XXX\n20\nInstalling Docker... \nXXX" + docker_install >>~/sosetup.log 2>&1 + echo -e "XXX\n22\nConfiguring Salt Minion... \nXXX" + configure_minion sensor >>~/sosetup.log 2>&1 + echo -e "XXX\n24\nCopying Sensor Pillar to Master... \nXXX" + copy_minion_pillar sensors >>~/sosetup.log 2>&1 + echo -e "XXX\n25\nSending Salt Key to Master... \nXXX" + salt_firstcheckin >>~/sosetup.log 2>&1 + echo -e "XXX\n26\nTelling the Master to Accept Key... \nXXX" + # Accept the Salt Key + accept_salt_key_remote >>~/sosetup.log 2>&1 + echo -e "XXX\n27\nApplying SSL Certificates... \nXXX" + salt-call state.apply ca >>~/sosetup.log 2>&1 + salt-call state.apply ssl >>~/sosetup.log 2>&1 + echo -e "XXX\n35\nInstalling Core Components... \nXXX" + salt-call state.apply common >>~/sosetup.log 2>&1 + salt-call state.apply firewall >>~/sosetup.log 2>&1 + echo -e "XXX\n50\nInstalling PCAP... \nXXX" + salt-call state.apply pcap >>~/sosetup.log 2>&1 + echo -e "XXX\n60\nInstalling IDS components... \nXXX" + salt-call state.apply suricata >>~/sosetup.log 2>&1 + echo -e "XXX\n80\nVerifying Install... 
\nXXX" + salt-call state.highstate >>~/sosetup.log 2>&1 + } |whiptail --title "Hybrid Hunter Install" --gauge "Please wait while installing" 6 60 0 + GOODSETUP=$(tail -10 /root/sosetup.log | grep Failed | awk '{ print $2}') + if [[ $GOODSETUP == '0' ]]; then + whiptail_setup_complete + else + whiptail_setup_failed + fi fi ####################### From 2725eaac98eaf1cd9b1800cfdaf8a42136a5b6f6 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 2 May 2019 13:44:40 -0400 Subject: [PATCH 47/58] Setup Script - Added progress bars for node install --- salt/top.sls | 2 ++ so-setup-network.sh | 41 +++++++++++++++++++++++++++++++++++++++++ 2 files changed, 43 insertions(+) diff --git a/salt/top.sls b/salt/top.sls index f95dba3c9..0b22afa03 100644 --- a/salt/top.sls +++ b/salt/top.sls @@ -130,7 +130,9 @@ base: - logstash - elasticsearch - curator + {%- if WAZUH != 0 %} - wazuh + {%- endif %} - filebeat {%- if OSQUERY != 0 %} - launcher diff --git a/so-setup-network.sh b/so-setup-network.sh index 70a0dc06b..20d30d4e6 100644 --- a/so-setup-network.sh +++ b/so-setup-network.sh @@ -1770,6 +1770,7 @@ if (whiptail_you_sure); then salt-call state.apply suricata >>~/sosetup.log 2>&1 echo -e "XXX\n80\nVerifying Install... \nXXX" salt-call state.highstate >>~/sosetup.log 2>&1 + checkin_at_boot >>~/sosetup.log 2>&1 } |whiptail --title "Hybrid Hunter Install" --gauge "Please wait while installing" 6 60 0 GOODSETUP=$(tail -10 /root/sosetup.log | grep Failed | awk '{ print $2}') if [[ $GOODSETUP == '0' ]]; then 
@@ -1968,6 +1969,46 @@ if (whiptail_you_sure); then get_filesystem_root get_filesystem_nsm copy_ssh_key + { + sleep 0.5 + echo -e "XXX\n0\nSetting Initial Firewall Policy... \nXXX" + set_initial_firewall_policy + echo -e "XXX\n5\nInstalling Salt Packages... \nXXX" + saltify + echo -e "XXX\n20\nInstalling Docker... \nXXX" + docker_install + echo -e "XXX\n30\nInitializing Minion... \nXXX" + configure_minion node + set_node_type + node_pillar + copy_minion_pillar nodes + echo -e "XXX\n35\nSending and Accepting Salt Key... \nXXX" + salt_firstcheckin + # Accept the Salt Key + accept_salt_key_remote + echo -e "XXX\n40\nApplying SSL Certificates... \nXXX" + salt-call state.apply ca >>~/sosetup.log 2>&1 + salt-call state.apply ssl >>~/sosetup.log 2>&1 + echo -e "XXX\n50\nConfiguring Firewall... \nXXX" + salt-call state.apply common >>~/sosetup.log 2>&1 + salt-call state.apply firewall >>~/sosetup.log 2>&1 + echo -e "XXX\n70\nInstalling Elastic Components... \nXXX" + salt-call state.apply logstash >>~/sosetup.log 2>&1 + salt-call state.apply elasticsearch >>~/sosetup.log 2>&1 + salt-call state.apply curator >>~/sosetup.log 2>&1 + salt-call state.apply filebeat >>~/sosetup.log 2>&1 + echo -e "XXX\n90\nVerifying Install... \nXXX" + salt-call state.highstate >>~/sosetup.log 2>&1 + checkin_at_boot >>~/sosetup.log 2>&1 + + } |whiptail --title "Hybrid Hunter Install" --gauge "Please wait while installing" 6 60 0 + GOODSETUP=$(tail -10 /root/sosetup.log | grep Failed | awk '{ print $2}') + if [[ $GOODSETUP == '0' ]]; then + whiptail_setup_complete + else + whiptail_setup_failed + fi + set_initial_firewall_policy saltify docker_install From d6826a31971644310e2b40b5885211d6c40daaff Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 2 May 2019 13:49:56 -0400 Subject: [PATCH 48/58] Setup Script - Added progress bars for node install --- so-setup-network.sh | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) 
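Review bot: The new gauge block for the node install is inserted in front of the old sequence rather than replacing it: the trailing context lines `set_initial_firewall_policy`, `saltify`, `docker_install` show the original unguarded calls still following the new `fi`, so after the progress bar reports success the same installation steps run a second time with their output on the console. Remove the old sequence in the same change so the node path mirrors the sensor path of the previous commit; the missing `>>~/sosetup.log 2>&1` redirects on the first calls of the new block are addressed by the commit that follows. The enclosing block continues outside the hunk.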
diff --git a/so-setup-network.sh b/so-setup-network.sh index 20d30d4e6..b61f81f8f 100644 --- a/so-setup-network.sh +++ b/so-setup-network.sh @@ -1972,20 +1972,20 @@ if (whiptail_you_sure); then { sleep 0.5 echo -e "XXX\n0\nSetting Initial Firewall Policy... \nXXX" - set_initial_firewall_policy + set_initial_firewall_policy >>~/sosetup.log 2>&1 echo -e "XXX\n5\nInstalling Salt Packages... \nXXX" - saltify + saltify >>~/sosetup.log 2>&1 echo -e "XXX\n20\nInstalling Docker... \nXXX" - docker_install + docker_install >>~/sosetup.log 2>&1 echo -e "XXX\n30\nInitializing Minion... \nXXX" - configure_minion node - set_node_type - node_pillar - copy_minion_pillar nodes + configure_minion node >>~/sosetup.log 2>&1 + set_node_type >>~/sosetup.log 2>&1 + node_pillar >>~/sosetup.log 2>&1 + copy_minion_pillar nodes >>~/sosetup.log 2>&1 echo -e "XXX\n35\nSending and Accepting Salt Key... \nXXX" - salt_firstcheckin + salt_firstcheckin >>~/sosetup.log 2>&1 # Accept the Salt Key - accept_salt_key_remote + accept_salt_key_remote >>~/sosetup.log 2>&1 echo -e "XXX\n40\nApplying SSL Certificates... \nXXX" salt-call state.apply ca >>~/sosetup.log 2>&1 salt-call state.apply ssl >>~/sosetup.log 2>&1 @@ -2000,7 +2000,7 @@ if (whiptail_you_sure); then echo -e "XXX\n90\nVerifying Install... \nXXX" salt-call state.highstate >>~/sosetup.log 2>&1 checkin_at_boot >>~/sosetup.log 2>&1 - + } |whiptail --title "Hybrid Hunter Install" --gauge "Please wait while installing" 6 60 0 GOODSETUP=$(tail -10 /root/sosetup.log | grep Failed | awk '{ print $2}') if [[ $GOODSETUP == '0' ]]; then From f6ba41782c547a6ef0987dffc31b4a66d13024f7 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 2 May 2019 15:41:20 -0400 Subject: [PATCH 49/58] SOcotpus module - testing signed repo --- salt/soctopus/init.sls | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/salt/soctopus/init.sls b/salt/soctopus/init.sls index 3902124e9..caa0ae713 100644 --- a/salt/soctopus/init.sls 
+++ b/salt/soctopus/init.sls @@ -13,9 +13,14 @@ soctopussync: - group: 939 - template: jinja +#so-soctopusimage: +# cmd.run: +# - name: docker pull --disable-content-trust=false so-soctopus:HH1.0.8 + so-soctopus: - docker_container.running: - - image: soshybridhunter/so-soctopus:HH1.0.7 + docker_container.run: + - onlyif: docker pull --disable-content-trust=false so-soctopus:HH1.0.8 + - image: soshybridhunter/so-soctopus:HH1.0.8 - hostname: soctopus - name: so-soctopus - binds: From b53146f7111c350969276e3262539a83c5cae67e Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 2 May 2019 15:53:12 -0400 Subject: [PATCH 50/58] SOcotpus module - testing signed repo --- salt/soctopus/init.sls | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/soctopus/init.sls b/salt/soctopus/init.sls index caa0ae713..d17108459 100644 --- a/salt/soctopus/init.sls +++ b/salt/soctopus/init.sls @@ -19,7 +19,7 @@ soctopussync: so-soctopus: docker_container.run: - - onlyif: docker pull --disable-content-trust=false so-soctopus:HH1.0.8 + - onlyif: docker pull --disable-content-trust=false soshybridhunter/so-soctopus:HH1.0.8 - image: soshybridhunter/so-soctopus:HH1.0.8 - hostname: soctopus - name: so-soctopus From 9273b6caddea6ef4364bab883b4ed259fa9c52fc Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 2 May 2019 15:55:22 -0400 Subject: [PATCH 51/58] SOcotpus module - testing signed repo --- salt/soctopus/init.sls | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/salt/soctopus/init.sls b/salt/soctopus/init.sls index d17108459..5041d4f16 100644 --- a/salt/soctopus/init.sls +++ b/salt/soctopus/init.sls 
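Review bot: Using `onlyif: docker pull --disable-content-trust=false ...` turns a failed signature verification into a silently skipped state: Salt reports an unmet `onlyif` as a successful state, so a missing or bad Notary signature leaves no failed state in the highstate summary that the setup script now keys on, and the container is simply not started. A trust failure should fail loudly; a dedicated `cmd.run` pull state that the container state `require`s, as the later "Add content trust to all modules" commit does, gives that. The image reference inside the `onlyif` also lacks the `soshybridhunter/` namespace used on the `image:` line, which the next commit corrects.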
@@ -19,8 +19,8 @@ soctopussync: so-soctopus: docker_container.run: - - onlyif: docker pull --disable-content-trust=false soshybridhunter/so-soctopus:HH1.0.8 - - image: soshybridhunter/so-soctopus:HH1.0.8 + - onlyif: docker pull --disable-content-trust=false soshybridhunter/so-soctopus:HH1.0.9 + - image: soshybridhunter/so-soctopus:HH1.0.9 - hostname: soctopus - name: so-soctopus - binds: From f1e015edcfe12d87e59b4a6d4d90e91b81d323ac Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 2 May 2019 16:53:19 -0400 Subject: [PATCH 52/58] Add content trust to all modules --- salt/bro/init.sls | 12 ++++++++++++ salt/common/init.sls | 17 +++++++++++++++++ salt/curator/init.sls | 5 +++++ salt/elastalert/init.sls | 6 ++++++ salt/elasticsearch/init.sls | 18 ++++++++++++++++++ salt/filebeat/init.sls | 5 +++++ salt/fleet/init.sls | 10 ++++++++-- salt/hive/init.sls | 30 +++++++++++++++++++++++------- salt/idstools/init.sls | 7 +++++-- salt/kibana/init.sls | 6 ++++++ salt/logstash/init.sls | 5 +++++ salt/master/init.sls | 6 ++++++ salt/mysql/init.sls | 6 ++++++ salt/pcap/init.sls | 6 ++++++ salt/redis/init.sls | 6 ++++++ salt/soctopus/init.sls | 3 +-- salt/suricata/init.sls | 6 ++++++ salt/wazuh/init.sls | 6 ++++++ 18 files changed, 147 insertions(+), 13 deletions(-) diff --git a/salt/bro/init.sls b/salt/bro/init.sls index 285762a71..eada1103c 100644 --- a/salt/bro/init.sls +++ b/salt/bro/init.sls @@ -90,8 +90,14 @@ localbrosync: - group: 939 - template: jinja +so-communitybroimage: + cmd.run: + - name: docker pull --disable-content-trust=false soshybridhunter/so-communitybro:HH1.0.3 + so-bro: docker_container.running: + - require: + - so-communitybroimage - image: soshybridhunter/so-communitybro:HH1.0.3 - privileged: True - binds: 
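Review bot: `--disable-content-trust=false` makes each pull verify the publisher's Notary signature, but, as I understand Docker Content Trust, the root key for `soshybridhunter/*` is pinned on the first successful pull (trust-on-first-use, stored under `~/.docker/trust`), and a `cmd.run` state with no `unless` re-pulls on every highstate, so a registry outage or a key rotation now fails every container state that `require`s the image state. That is a reasonable fail-closed default, but it is invisible in the SLS; a comment on each pull state, `# Pull with Docker Content Trust enforced; the first successful pull pins the publisher root key, and later pulls fail closed if the signature does not verify`, would tell operators why an offline highstate fails. The same pattern repeats in every file section of this commit, so the comment belongs next to each `docker pull` line. The `so-bro` container state continues outside the hunk.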
@@ -117,8 +123,14 @@ localbrosync: - group: 939 - template: jinja +so-broimage: + cmd.run: + - name: docker pull --disable-content-trust=false soshybridhunter/so-bro:HH1.0.6 + so-bro: docker_container.running: + - require: + - so-broimage - image: soshybridhunter/so-bro:HH1.0.6 - privileged: True - binds: diff --git a/salt/common/init.sls b/salt/common/init.sls index b9f6c3a44..059c9efea 100644 --- a/salt/common/init.sls +++ b/salt/common/init.sls @@ -101,8 +101,13 @@ nginxtmp: - makedirs: True # Start the core docker +so-coreimage: + cmd.run: + - name: docker pull --disable-content-trust=false soshybridhunter/so-core:HH1.0.7 + so-core: docker_container.running: + - require: so-coreimage - image: soshybridhunter/so-core:HH1.0.7 - hostname: so-core - user: socore @@ -155,8 +160,14 @@ tgrafconf: - template: jinja - source: salt://common/telegraf/etc/telegraf.conf +so-telegrafimage: + cmd.run: + - name: docker pull --disable-content-trust=false soshybridhunter/so-telegraf:HH1.0.7 + so-telegraf: docker_container.running: + - require: + - so-telegrafimage - image: soshybridhunter/so-telegraf:HH1.0.7 - environment: - HOST_PROC=/host/proc @@ -210,8 +221,14 @@ influxdbconf: - template: jinja - source: salt://common/influxdb/etc/influxdb.conf +so-influximage: + cmd.run: + - name: docker pull --disable-content-trust=false soshybridhunter/so-influxdb:HH1.0.7 + so-influxdb: docker_container.running: + - require: + - so-influximage - image: soshybridhunter/so-influxdb:HH1.0.7 - hostname: influxdb - environment: diff --git a/salt/curator/init.sls b/salt/curator/init.sls index adbf4f6b0..7e6f01544 100644 --- a/salt/curator/init.sls +++ b/salt/curator/init.sls @@ -112,9 +112,14 @@ curdel: - month: '*' - dayweek: '*' +so-curatorimage: + cmd.run: + - name: docker pull --disable-content-trust=false soshybridhunter/so-curator:HH1.0.3 so-curator: docker_container.running: + - require: + - so-curatorimage - image: soshybridhunter/so-curator:HH1.0.3 - hostname: curator - name: so-curator 
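Review bot: `- require: so-coreimage` in the `so-core` state of the salt/common hunk is a scalar, where every other hunk in this commit writes the requisite as a list item; Salt expects requisites as a list and, as far as I recall, refuses to render the SLS with a "not formed as a list" error, so `salt-call state.apply common` would fail on the master until it reads `- require:` followed by `  - so-coreimage`. Because the setup script's success check only looks at the final highstate summary, this surfaces as a failed install rather than a clear render error. The `so-core` container state continues outside the hunk.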
diff --git a/salt/elastalert/init.sls b/salt/elastalert/init.sls index 28722fe01..298a56523 100644 --- a/salt/elastalert/init.sls +++ b/salt/elastalert/init.sls @@ -79,8 +79,14 @@ elastarules: # - group: 939 # - template: jinja +so-elastalertimage: + cmd.run: + - name: docker pull --disable-content-trust=false soshybridhunter/so-elastalert:HH1.0.3 + so-elastalert: docker_container.running: + - require: + - so-elastalertimage - image: soshybridhunter/so-elastalert:HH1.0.3 - hostname: elastalert - name: so-elastalert diff --git a/salt/elasticsearch/init.sls b/salt/elasticsearch/init.sls index 693cb3de0..3c6337afc 100644 --- a/salt/elasticsearch/init.sls +++ b/salt/elasticsearch/init.sls @@ -90,8 +90,14 @@ eslogdir: - group: 939 - makedirs: True +so-elasticsearchimage: + cmd.run: + - name: docker pull --disable-content-trust=false soshybridhunter/so-elasticsearch:HH1.0.6 + so-elasticsearch: docker_container.running: + - require: + - so-elasticsearchimage - image: soshybridhunter/so-elasticsearch:HH1.0.6 - hostname: elasticsearch - name: so-elasticsearch @@ -143,8 +149,14 @@ freqlogdir: - group: 935 - makedirs: True +so-freqimage: + cmd.run: + - name: docker pull --disable-content-trust=false soshybridhunter/so-freqserver:HH1.0.3 + so-freq: docker_container.running: + - require: + - so-freqimage - image: soshybridhunter/so-freqserver:HH1.0.3 - hostname: freqserver - name: so-freqserver @@ -179,8 +191,14 @@ dstatslogdir: - group: 939 - makedirs: True +so-domainstatsimage: + cmd.run: + - name: docker pull --disable-content-trust=false soshybridhunter/so-domainstats:HH1.0.3 + so-domainstats: docker_container.running: + - require: + - so-domainstatsimage - image: soshybridhunter/so-domainstats:HH1.0.3 - hostname: domainstats - name: so-domainstats diff --git a/salt/filebeat/init.sls b/salt/filebeat/init.sls index 1396b34fb..d8abb6470 100644 --- a/salt/filebeat/init.sls +++ b/salt/filebeat/init.sls 
@@ -49,9 +49,14 @@ filebeatconfsync: # - name: /opt/so/conf/filebeat/etc/pki/filebeat.key # - source: salt://filebeat/files/filebeat.key +so-filebeatimage: + cmd.run: + - name: docker pull --disable-content-trust=false soshybridhunter/so-filebeat:HH1.0.6 so-filebeat: docker_container.running: + - require: + - so-filebeatimage - image: soshybridhunter/so-filebeat:HH1.0.6 - hostname: so-filebeat - user: root diff --git a/salt/fleet/init.sls b/salt/fleet/init.sls index 9986d40a9..2ec83502b 100644 --- a/salt/fleet/init.sls +++ b/salt/fleet/init.sls @@ -30,12 +30,12 @@ fleetlogdir: - user: 939 - group: 939 - makedirs: True - + fleetsetupscript: file.managed: - name: /opt/so/conf/fleet/so-fleet-setup.sh - source: salt://fleet/so-fleet-setup.sh - + osquerypackageswebpage: file.managed: - name: /opt/so/conf/fleet/packages/index.html @@ -59,8 +59,14 @@ fleetdbpriv: - user: fleetdbuser - host: 172.17.0.0/255.255.0.0 +so-fleetimage: + cmd.run: + - name: docker pull --disable-content-trust=false soshybridhunter/so-fleet:HH1.0.6 + so-fleet: docker_container.running: + - require: + - so-fleetimage - image: soshybridhunter/so-fleet:HH1.0.6 - hostname: so-fleet - port_bindings: diff --git a/salt/hive/init.sls b/salt/hive/init.sls index 371e790de..0fff5f488 100644 --- a/salt/hive/init.sls +++ b/salt/hive/init.sls @@ -30,8 +30,14 @@ hiveesdata: - user: 939 - group: 939 +so-thehive-esimage: + cmd.run: + - name: docker pull --disable-content-trust=false soshybridhunter/so-thehive-es:HH1.0.7 + so-thehive-es: docker_container.running: + - require: + - so-thehive-esimage - image: soshybridhunter/so-thehive-es:HH1.0.7 - hostname: so-thehive-es - name: so-thehive-es 
@@ -60,16 +66,26 @@ so-thehive-es: # Install Cortex -so-cortex: - docker_container.running: - - image: thehiveproject/cortex:latest - - hostname: so-cortex - - name: so-cortex - - port_bindings: - - 0.0.0.0:9001:9001 +#so-corteximage: +# cmd.run: +# - name: docker pull --disable-content-trust=false soshybridhunter/so-cortex:HH1.0.3 + +#so-cortex: +# docker_container.running: +# - image: thehiveproject/cortex:latest +# - hostname: so-cortex +# - name: so-cortex +# - port_bindings: +# - 0.0.0.0:9001:9001 + +so-thehiveimage: + cmd.run: + - name: docker pull --disable-content-trust=false soshybridhunter/so-thehive:HH1.0.7 so-thehive: docker_container.running: + - require: + - so-thehiveimage - image: soshybridhunter/so-thehive:HH1.0.7 - hostname: so-thehive - name: so-thehive diff --git a/salt/idstools/init.sls b/salt/idstools/init.sls index 62a338769..17de745fb 100644 --- a/salt/idstools/init.sls +++ b/salt/idstools/init.sls @@ -48,11 +48,14 @@ ruleslink: - name: /opt/so/saltstack/salt/suricata/rules - target: /opt/so/rules/nids -toosmooth/so-idstools:test2: - docker_image.present +so-idstoolsimage: + cmd.run: + - name: docker pull --disable-content-trust=false soshybridhunter/so-idstools:HH1.0.3 so-idstools: docker_container.running: + - require: + - so-idstoolsimage - image: soshybridhunter/so-idstools:HH1.0.3 - hostname: so-idstools - user: socore diff --git a/salt/kibana/init.sls b/salt/kibana/init.sls index 050582c82..f1015410e 100644 --- a/salt/kibana/init.sls +++ b/salt/kibana/init.sls @@ -54,9 +54,15 @@ synckibanacustom: # File.Recurse for custom saved dashboards +so-kibanaimage: + cmd.run: + - name: docker pull --disable-content-trust=false soshybridhunter/so-kibana:HH1.0.7 + # Start the kibana docker so-kibana: docker_container.running: + - require: + - so-kibanaimage - image: soshybridhunter/so-kibana:HH1.0.7 - hostname: kibana - user: kibana diff --git a/salt/logstash/init.sls b/salt/logstash/init.sls index a583338ce..eff920150 100644 
--- a/salt/logstash/init.sls +++ b/salt/logstash/init.sls @@ -146,9 +146,14 @@ lslogdir: - makedirs: True # Add the container +so-logstashimage: + cmd.run: + - name: docker pull --disable-content-trust=false soshybridhunter/so-logstash:HH1.0.6 so-logstash: docker_container.running: + - require: + - so-logstashimage - image: soshybridhunter/so-logstash:HH1.0.6 - hostname: so-logstash - name: so-logstash diff --git a/salt/master/init.sls b/salt/master/init.sls index 8f20ef69f..b6d240863 100644 --- a/salt/master/init.sls +++ b/salt/master/init.sls @@ -46,9 +46,15 @@ acngcopyconf: - name: /opt/so/conf/aptcacher-ng/etc/acng.conf - source: salt://master/files/acng/acng.conf +so-acngimage: + cmd.run: + - name: docker pull --disable-content-trust=false soshybridhunter/so-acng:HH1.0.7 + # Install the apt-cacher-ng container so-aptcacherng: docker_container.running: + - require: + - so-acngimage - image: soshybridhunter/so-acng:HH1.0.7 - hostname: so-acng - port_bindings: diff --git a/salt/mysql/init.sls b/salt/mysql/init.sls index b1e875578..f956a37bc 100644 --- a/salt/mysql/init.sls +++ b/salt/mysql/init.sls @@ -48,8 +48,14 @@ mysqldatadir: - group: 939 - makedirs: True +so-mysqlimage: + cmd.run: + - name: docker pull --disable-content-trust=false soshybridhunter/so-mysql:HH1.0.7 + so-mysql: docker_container.running: + - require: + - so-mysqlimage - image: soshybridhunter/so-mysql:HH1.0.7 - hostname: so-mysql - user: socore diff --git a/salt/pcap/init.sls b/salt/pcap/init.sls index 26fdf2910..bb381cb10 100644 --- a/salt/pcap/init.sls +++ b/salt/pcap/init.sls @@ -85,8 +85,14 @@ stenolog: - group: 941 - makedirs: True +so-stenoimage: + cmd.run: + - name: docker pull --disable-content-trust=false soshybridhunter/so-steno:HH1.0.3 + so-steno: docker_container.running: + - require: + - so-stenoimage - image: soshybridhunter/so-steno:HH1.0.3 - network_mode: host - privileged: True diff --git a/salt/redis/init.sls b/salt/redis/init.sls index 6dfbb473d..369f39966 100644 
--- a/salt/redis/init.sls +++ b/salt/redis/init.sls @@ -47,8 +47,14 @@ redisconfsync: toosmooth/so-redis:test2: docker_image.present +so-redisimage: + cmd.run: + - name: docker pull --disable-content-trust=false soshybridhunter/so-redis:HH1.0.7 + so-redis: docker_container.running: + - require: + - so-redisimage - image: soshybridhunter/so-redis:HH1.0.7 - hostname: so-redis - user: socore diff --git a/salt/soctopus/init.sls b/salt/soctopus/init.sls index 5041d4f16..0cd30d3ef 100644 --- a/salt/soctopus/init.sls +++ b/salt/soctopus/init.sls @@ -18,8 +18,7 @@ soctopussync: # - name: docker pull --disable-content-trust=false so-soctopus:HH1.0.8 so-soctopus: - docker_container.run: - - onlyif: docker pull --disable-content-trust=false soshybridhunter/so-soctopus:HH1.0.9 + docker_container.running: - image: soshybridhunter/so-soctopus:HH1.0.9 - hostname: soctopus - name: so-soctopus diff --git a/salt/suricata/init.sls b/salt/suricata/init.sls index a37ac153d..0453988f0 100644 --- a/salt/suricata/init.sls +++ b/salt/suricata/init.sls @@ -70,8 +70,14 @@ suriconfigsync: - group: 940 - template: jinja +so-suricataimage: + cmd.run: + - name: docker pull --disable-content-trust=false soshybridhunter/so-suricata:HH1.0.8 + so-suricata: docker_container.running: + - require: + - so-suricataimage - image: soshybridhunter/so-suricata:HH1.0.8 - privileged: True - environment: diff --git a/salt/wazuh/init.sls b/salt/wazuh/init.sls index 4e5c136b5..eb0fa5cb9 100644 --- a/salt/wazuh/init.sls +++ b/salt/wazuh/init.sls @@ -56,8 +56,14 @@ wazuhagentregister: - mode: 755 - template: jinja +so-wazuhimage: + cmd.run: + - name: docker pull --disable-content-trust=false soshybridhunter/so-wazuh:HH1.0.7 + so-wazuh: docker_container.running: + - require: + - so-wazuhimage - image: soshybridhunter/so-wazuh:HH1.0.7 - hostname: {{HOSTNAME}}-wazuh-manager - name: so-wazuh From 27441cefcdfb383a762d46a167ee08f3282e7114 Mon Sep 17 00:00:00 2001 
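Review bot: The redis hunk keeps `toosmooth/so-redis:test2: docker_image.present` as context directly above the new signed pull, so an unsigned image from a different namespace is still fetched without content trust on every run, whereas the idstools hunk in this same commit removes its equivalent `toosmooth/so-idstools:test2` state. The soctopus hunk switches `so-soctopus` back to `docker_container.running` but leaves `so-soctopusimage` commented out, so that container has no trust-verified pull and no `require` at all until a later commit restores it. Drop the `toosmooth/...` state and give soctopus the same `cmd.run` plus `require` pair as the other modules. Both container states continue outside their hunks.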
From: Mike Reeves Date: Thu, 2 May 2019 17:21:34 -0400 Subject: [PATCH 53/58] Common Module - Fix list --- salt/common/init.sls | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/salt/common/init.sls b/salt/common/init.sls index 059c9efea..84153f7ed 100644 --- a/salt/common/init.sls +++ b/salt/common/init.sls @@ -107,7 +107,8 @@ so-coreimage: so-core: docker_container.running: - - require: so-coreimage + - require: + - so-coreimage - image: soshybridhunter/so-core:HH1.0.7 - hostname: so-core - user: socore From 8158c0259fb49f46fb6ba907998faf1f61b8b1f1 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Fri, 3 May 2019 10:29:20 -0400 Subject: [PATCH 54/58] Common Module - Fix list --- salt/soctopus/init.sls | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/salt/soctopus/init.sls b/salt/soctopus/init.sls index 0cd30d3ef..ed2ce8900 100644 --- a/salt/soctopus/init.sls +++ b/salt/soctopus/init.sls @@ -13,13 +13,15 @@ soctopussync: - group: 939 - template: jinja -#so-soctopusimage: -# cmd.run: -# - name: docker pull --disable-content-trust=false so-soctopus:HH1.0.8 +so-soctopusimage: + cmd.run: + - name: docker pull --disable-content-trust=false soshybridhunter/so-soctopus:HH1.0.8 so-soctopus: docker_container.running: - - image: soshybridhunter/so-soctopus:HH1.0.9 + - require: + - so-soctopusimage + - image: soshybridhunter/so-soctopus:HH1.0.8 - hostname: soctopus - name: so-soctopus - binds: From 56749cae6e798cc1f0b8d952b5cdfca94c466ecb Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 6 May 2019 10:47:27 -0400 Subject: [PATCH 55/58] Launcher Module - Fix Package naming --- salt/launcher/init.sls | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/salt/launcher/init.sls b/salt/launcher/init.sls index f8767654e..3ba9ad3a6 100644 --- a/salt/launcher/init.sls +++ b/salt/launcher/init.sls 
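Review bot: The second commit here, titled "Common Module - Fix list", actually edits `salt/soctopus/init.sls` and moves `so-soctopus` from `HH1.0.9` back to `HH1.0.8` while re-enabling the content-trust pull; if the downgrade is intentional the message should say so, and if not both the pull line and the `image:` line should stay at `HH1.0.9`. Pinning the tag once, `{% set SOCTOPUS_IMAGE = 'soshybridhunter/so-soctopus:HH1.0.8' %}`, and referencing it from both the `docker pull` line and `image:` would stop the two from drifting apart, which is what happened across the three preceding soctopus commits. The `so-soctopus` state continues outside the hunk.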
@@ -5,8 +5,8 @@ launcherpkg: pkg.installed: - sources: {% if grains['os'] == 'CentOS' %} - - launcher: salt://launcher/packages/launcher.rpm + - launcher-final: salt://launcher/packages/launcher.rpm {% elif grains['os'] == 'Ubuntu' %} - - launcher: salt://launcher/packages/launcher.deb + - launcher-final: salt://launcher/packages/launcher.deb {% endif %} {%- endif %} From a283fbde4b3e979e4b095756c6d80753335aa1ad Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 6 May 2019 11:16:46 -0400 Subject: [PATCH 56/58] Update README for 1.0.8 --- README.md | 27 ++++++++++----------------- 1 file changed, 10 insertions(+), 17 deletions(-) diff --git a/README.md b/README.md index 12d4f48b0..aba137ab5 100644 --- a/README.md +++ b/README.md 
@@ -1,22 +1,15 @@
-# Security Onion Hybrid Hunter Tech Preview 1.0.7
+## Hybrid Hunter 1.0.8
 ### Changes:
-- Suricata 4.1.3
-- Updated Influxdb to 1.7.5
-- Updated Telegraf to 1.10.1
-- Grafana is now 6.0.2
-- Added support for TheHive!!! See the docs ->
-- You are now forced to select interfaces during setup. If you skipped this test the install was not happy [#26](https://github.com/Security-Onion-Solutions/securityonion-saltstack/issues/26)
-- Reduced the RAM usage for ES in Eval mode [#25](https://github.com/Security-Onion-Solutions/securityonion-saltstack/issues/26)
-- Eval Mode setup is now choose your own adventure style
-- Fresh dockers for all the things to bring everything to 1.0.7
-- New utility docker called SOctopus
-- New html landing page now in dark mode
-
-
-### Notes:
-- Attempting to send a Bro event to The Hive that does not contain a source and destination IP (ex. Bro files, or X509) will result in an exception - a fix for this will be implemented in the next release.
-- If attempting to pivot from Kibana, ensure that you can resolve the master via DNS -- otherwise, populate your local hosts file with an entry to point to the master.
+- Suricata 4.1.4
+- Eval and Master installs now ask which components you would like to install
+- Fleet (osquery) now has it's own additional setup script
+- Fleet setup script now generates auto install packages for Windows, CentOS, and Ubuntu
+- When Fleet setup is completed, all SO nodes will auto install the appropriate auto install package
+- We now have a progress bar during install!
+- The setup script will now tell you if it was successful
+- Added Grafana plugin Pie Chart
+- The Hive Docker moved to Centos 7 based container
 ### Warnings and Disclaimers
From 8e59f6637821215dbd7bf35681a632157e00fa00 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Mon, 6 May 2019 15:20:33 -0400
Subject: [PATCH 57/58] Core Module - Update version to 1.0.8
---
 salt/common/init.sls | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/common/init.sls b/salt/common/init.sls
index 84153f7ed..15ba20e83 100644
--- a/salt/common/init.sls
+++ b/salt/common/init.sls
@@ -109,7 +109,7 @@ so-core:
 docker_container.running:
 - require:
 - so-coreimage
- - image: soshybridhunter/so-core:HH1.0.7
+ - image: soshybridhunter/so-core:HH1.0.8
 - hostname: so-core
 - user: socore
 - binds:
From 5824e3c11d95b222d9ed5805935a7a38e640bbb4 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Mon, 6 May 2019 15:23:32 -0400
Subject: [PATCH 58/58] Update README
---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index aba137ab5..928b1b74e 100644
--- a/README.md
+++ b/README.md
@@ -3,7 +3,7 @@
 ### Changes:
 - Suricata 4.1.4
 - Eval and Master installs now ask which components you would like to install
-- Fleet (osquery) now has it's own additional setup script
+- Fleet (osquery) now has it's own additional setup script. [See the docs](https://github.com/Security-Onion-Solutions/securityonion-saltstack/wiki/Configuring-Osquery-with-Security-Onion)
 - Fleet setup script now generates auto install packages for Windows, CentOS, and Ubuntu
 - When Fleet setup is completed, all SO nodes will auto install the appropriate auto install package
 - We now have a progress bar during install!
