Merge remote-tracking branch 'origin/2.4/dev' into issue/10050

2026-04-27 06:57:50 +02:00 · 2023-04-18 11:31:00 -04:00
parent 7c8ba04820 aade62491c
commit b0f9585da1
32 changed files with 331 additions and 301 deletions
@@ -25,6 +25,7 @@ config_backup_script:
 so_config_backup:
  cron.present:
    - name: /usr/sbin/so-config-backup > /dev/null 2>&1
+    - identifier: so_config_backup
    - user: root
    - minute: '1'
    - hour: '0'
@@ -133,8 +133,10 @@ so-status_script:

 {% if GLOBALS.role in GLOBALS.sensor_roles %}
 # Add sensor cleanup
-/usr/sbin/so-sensor-clean:
+so-sensor-clean:
  cron.present:
+    - name: /usr/sbin/so-sensor-clean
+    - identifier: so-sensor-clean
    - user: root
    - minute: '*'
    - hour: '*'
@@ -154,8 +156,10 @@ sensorrotateconf:
    - source: salt://common/files/sensor-rotate.conf
    - mode: 644

-/usr/local/bin/sensor-rotate:
+sensor-rotate:
  cron.present:
+    - name: /usr/local/bin/sensor-rotate
+    - identifier: sensor-rotate
    - user: root
    - minute: '1'
    - hour: '0'
@@ -178,8 +182,10 @@ commonlogrotateconf:
    - template: jinja
    - mode: 644

-/usr/local/bin/common-rotate:
+common-rotate:
  cron.present:
+    - name: /usr/local/bin/common-rotate
+    - identifier: common-rotate
    - user: root
    - minute: '1'
    - hour: '0'
@@ -200,17 +206,11 @@ sostatus_log:
    - name: /opt/so/log/sostatus/status.log
    - mode: 644

-common_pip_dependencies:
-  pip.installed:
-    - user: root
-    - pkgs: 
-      - rich
-    - target: /usr/lib64/python3.6/site-packages
-
-# Install sostatus check cron
-sostatus_check_cron:
+# Install sostatus check cron. This is used to populate Grid.
+so-status_check_cron:
  cron.present:
    - name: '/usr/sbin/so-status -j > /opt/so/log/sostatus/status.log 2>&1'
+    - identifier: so-status_check_cron
    - user: root
    - minute: '*/1'
    - hour: '*'
@@ -220,7 +220,7 @@ sostatus_check_cron:

 remove_post_setup_cron:
  cron.absent:
-    - name: 'salt-call state.highstate'
+    - name: 'PATH=$PATH:/usr/sbin salt-call state.highstate'
    - identifier: post_setup_cron

 {% if GLOBALS.role not in ['eval', 'manager', 'managersearch', 'standalone'] %}
@@ -234,7 +234,7 @@ soversionfile:
    
 {% endif %}

-{% if GLOBALS.so_model %}
+{% if GLOBALS.so_model and GLOBALS.so_model not in ['SO2AMI01', 'SO2AZI01', 'SO2GCI01'] %}
  {% if GLOBALS.os == 'Rocky' %}     
 # Install Raid tools
 raidpkgs:
@@ -246,9 +246,10 @@ raidpkgs:
  {% endif %}

 # Install raid check cron
-so_raid_status:
+so-raid-status:
  cron.present:
    - name: '/usr/sbin/so-raid-status > /dev/null 2>&1'
+    - identifier: so-raid-status
    - user: root
    - minute: '*/15'
    - hour: '*'
@@ -5,28 +5,37 @@ commonpkgs:
  pkg.installed:
    - skip_suggestions: True
    - pkgs:
-      - chrony
      - apache2-utils
      - wget
      - ntpdate
      - jq
-      - python3-docker
      - curl
      - ca-certificates
      - software-properties-common
      - apt-transport-https
      - openssl
      - netcat
-      - python3-mysqldb
      - sqlite3
      - libssl-dev
      - python3-dateutil
-      - python3-m2crypto
-      - python3-mysqldb
      - python3-packaging
+      - python3-watchdog
      - python3-lxml
      - git
      - vim
+
+# since Ubuntu requires and internet connection we can use pip to install modules
+python3-pip:
+  pkg.installed
+
+python-rich:
+  pip.installed:
+    - name: rich
+    - target: /usr/local/lib/python3.8/dist-packages/
+    - require:
+      - pkg: python3-pip
+  
+
 {% elif GLOBALS.os == 'Rocky' %}     
 commonpkgs:
  pkg.installed:
@@ -51,6 +60,7 @@ commonpkgs:
      - python3-m2crypto
      - rsync
      - python3-rich
+      - python3-pyyaml
      - python3-watchdog
      - python3-packaging
      - unzip
@@ -61,7 +61,7 @@ if [ -f "$pillar_file" ]; then

      reboot;
    else
-      echo "There was an issue applying the workstation state. Please review the log above or at /opt/so/logs/salt/minion."
+      echo "There was an issue applying the workstation state. Please review the log above or at /opt/so/log/salt/minion."
    fi
  else # workstation is already added
    echo "The workstation pillar already exists in $pillar_file."
@@ -21,16 +21,34 @@ Security Onion Elastic Clear
  -y         Skip interactive mode
 EOF
 }
-while getopts "h:y" OPTION
+while getopts "h:cdely" OPTION
 do
        case $OPTION in
                h)
                        usage
                        exit 0
                        ;;
-                
-                y)
+                c)
+			DELETE_CASES_DATA=1
+			SKIP=1
+                        ;;
+                d)
+			DONT_STOP_SERVICES=1
                        SKIP=1
+			;;
+                e)
+			DELETE_ELASTALERT_DATA=1
+                        SKIP=1
+                        ;;
+		l)
+			DELETE_LOG_DATA=1
+			SKIP=1
+			;;
+                y)
+                        DELETE_CASES_DATA=1
+                        DELETE_ELASTALERT_DATA=1
+			DELETE_LOG_DATA=1
+			SKIP=1
                        ;;
                *)
                        usage
@@ -54,41 +72,83 @@ if [ $SKIP -ne 1 ]; then
        if [ "$INPUT" != "AGREE" ] ; then exit 0; fi
 fi

-# Check to see if Logstash are running
-LS_ENABLED=$(so-status | grep logstash)
-EA_ENABLED=$(so-status | grep elastalert)

-if [ ! -z "$LS_ENABLED" ]; then
+if [ -z "$DONT_STOP_SERVICES" ]; then
+	# Stop Elastic Agent
+	for i in $(pgrep elastic-agent | grep -v grep); do
+		kill -9 $i;
+	done 

-        /usr/sbin/so-logstash-stop
+	# Check to see if Elastic Fleet, Logstash, Elastalert are running
+	#EF_ENABLED=$(so-status | grep elastic-fleet)
+	LS_ENABLED=$(so-status | grep logstash)
+	EA_ENABLED=$(so-status | grep elastalert)

+	#if [ ! -z "$EF_ENABLED" ]; then
+        #	/usr/sbin/so-elastic-fleet-stop
+	#fi
+
+	if [ ! -z "$LS_ENABLED" ]; then
+        	/usr/sbin/so-logstash-stop
+	fi
+
+	if [ ! -z "$EA_ENABLED" ]; then
+        	/usr/sbin/so-elastalert-stop
+	fi
 fi

-if [ ! -z "$EA_ENABLED" ]; then
-
-        /usr/sbin/so-elastalert-stop
-
+if [ ! -z "$DELETE_CASES_DATA" ]; then
+        # Delete Cases data
+        echo "Deleting Cases data..."
+        INDXS=$(/usr/sbin/so-elasticsearch-query _cat/indices?h=index | grep "so-case")
+        for INDX in ${INDXS}
+        do
+                echo "Deleting $INDX"
+                /usr/sbin/so-elasticsearch-query ${INDX} -XDELETE > /dev/null 2>&1
+        done
 fi

-# Delete data
-echo "Deleting data..."
-
-INDXS=$(curl -K /opt/so/conf/elasticsearch/curl.config -s -XGET -k -L https://{{ NODEIP }}:9200/_cat/indices?v | egrep 'logstash|elastalert|so-' | awk '{ print $3 }')
-for INDX in ${INDXS}
-do
-    curl -K /opt/so/conf/elasticsearch/curl.config-XDELETE -k -L https://"{{ NODEIP }}:9200/${INDX}" > /dev/null 2>&1
-done
-
-#Start Logstash
-if [ ! -z "$LS_ENABLED" ]; then
-
-        /usr/sbin/so-logstash-start
-
+# Delete Elastalert data
+if [ ! -z "$DELETE_ELASTALERT_DATA" ]; then
+        # Delete Elastalert data
+        echo "Deleting Elastalert data..."
+        INDXS=$(/usr/sbin/so-elasticsearch-query _cat/indices?h=index | grep "elastalert")
+        for INDX in ${INDXS}
+        do
+                echo "Deleting $INDX"
+                /usr/sbin/so-elasticsearch-query ${INDX} -XDELETE > /dev/null 2>&1
+        done
 fi

-if [ ! -z "$EA_ENABLED" ]; then
-
-        /usr/sbin/so-elastalert-start
-
+# Delete log data
+if [ ! -z "$DELETE_LOG_DATA" ]; then
+	echo "Deleting log data ..."
+	DATASTREAMS=$(/usr/sbin/so-elasticsearch-query _data_stream | jq -r '.[] |.[].name')
+	for DATASTREAM in ${DATASTREAMS}
+	do
+		# Delete the data stream
+        	echo "Deleting $DATASTREAM..."
+        	/usr/sbin/so-elasticsearch-query _data_stream/${DATASTREAM} -XDELETE > /dev/null 2>&1
+	done
 fi

+if [ -z "$DONT_STOP_SERVICES" ]; then
+	#Start Logstash
+	if [ ! -z "$LS_ENABLED" ]; then
+        	/usr/sbin/so-logstash-start
+
+	fi
+
+	#Start Elastic Fleet
+	#if [ ! -z "$EF_ENABLED" ]; then
+        # 	/usr/sbin/so-elastic-fleet-start
+	#fi
+
+	#Start Elastalert
+	if [ ! -z "$EA_ENABLED" ]; then
+        	/usr/sbin/so-elastalert-start
+	fi
+
+	# Start Elastic Agent
+	/usr/bin/elastic-agent restart
+fi
@@ -9,4 +9,4 @@

 . /usr/sbin/so-common

-/usr/sbin/so-restart elastic-fleet $1
+/usr/sbin/so-restart elasticfleet $1
@@ -9,4 +9,4 @@

 . /usr/sbin/so-common

-/usr/sbin/so-start elastic-fleet $1
+/usr/sbin/so-start elasticfleet $1
@@ -9,4 +9,4 @@

 . /usr/sbin/so-common

-/usr/sbin/so-stop elastic-fleet $1
+/usr/sbin/so-stop elasticfleet $1
@@ -170,7 +170,8 @@ def main():
  if "-h" in options or "--help" in options or "-?" in options:
    showUsage(options, None)

-  if os.environ["USER"] != "root":
+  proc = subprocess.run(['id', '-u'], stdout=subprocess.PIPE, encoding="utf-8")
+  if proc.stdout.strip() != "0":
    fail("This program must be run as root")
  
  console = Console()
@@ -1,6 +1,6 @@
 #!/bin/bash
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.

@@ -16,70 +16,38 @@ overlimit() {
         [[ $(/usr/sbin/so-elasticsearch-cluster-space-used) -gt "${LOG_SIZE_LIMIT}" ]]
 }

-closedindices() {
-	# If we can't query Elasticsearch, then immediately return false.
-        /usr/sbin/so-elasticsearch-query _cat/indices?h=index,status | grep close > /dev/null 2>&1
-        [ $? -eq 1 ] && return false 
-	# First, get the list of closed indices using _cat/indices?h=index,status | grep close | awk '{print $1}'.
-	# Next, filter out any so-case indices.
-	# Finally, use grep's -q option to return true if there are any remaining logstash-, so-, or .ds-logs- indices.
-        /usr/sbin/so-elasticsearch-query _cat/indices?h=index,status | grep close | awk '{print $1}' | grep -v "so-case" | grep -q -E "(logstash-|so-|.ds-logs-)"
-}
-
-# Check for 2 conditions:
-# 1. Are Elasticsearch indices using more disk space than LOG_SIZE_LIMIT?
-# 2. Are there any closed indices that we can delete?
-# If both conditions are true, keep on looping until one of the conditions is false.
-
-while overlimit && closedindices; do
-        CLOSED_INDICES=$(/usr/sbin/so-elasticsearch-query _cat/indices?h=index,status | grep close | awk '{print $1}' | grep -v "so-case" | grep -E "(logstash-|so-|.ds-logs-)" | sort -t- -k3)
-        # We iterate through the closed indices
-	for CLOSED_INDEX in ${CLOSED_INDICES}; do
-	  # Now that we've sorted the indices from oldest to newest, we need to check each index to see if it is assigned as the current write index for a data stream
-          # To do so, we need to identify to which data stream this index is associated
-          # We extract the data stream name using the pattern below
-          DATASTREAM_PATTERN="logs-[a-zA-Z_.]+-[a-zA-Z_.]+"
-          DATASTREAM=$(echo "${CLOSED_INDEX}" | grep -oE "$DATASTREAM_PATTERN")
-	  # We look up the data stream, and determine the write index
-          CURRENT_WRITE_INDEX=$(/usr/sbin/so-elasticsearch-query _data_stream/$DATASTREAM | jq -r .data_streams[0].indices[-1].index_name)
-	  # We make sure we are not trying to delete a write index
-          if [ "${CLOSED_INDEX}" != "${CURRENT_WRITE_INDEX}" ]; then      
-            # This should not be a write index, so we should be allowed to delete it
-            /usr/sbin/so-elasticsearch-query ${CLOSED_INDEX} -XDELETE
-            # Finally, write a log entry that says we deleted it.
-            echo "$(date) - Used disk space exceeds LOG_SIZE_LIMIT (${LOG_SIZE_LIMIT} GB) - Index ${CLOSED_INDEX} deleted ..." >> ${LOG}
-          fi
-          if ! overlimit; then
-            exit
-          fi
-        done
-done
-
+# Check to see if Elasticsearch indices using more disk space than LOG_SIZE_LIMIT
+# Closed indices will be deleted first. If we are able to bring disk space under LOG_SIZE_LIMIT, we will break out of the loop.
 while overlimit; do
-
-	# We need to determine the oldest open index.
-	# First, get the list of open indices using _cat/indices?h=index,status | grep open | awk '{print $1}'.
-        # Next, filter out any so-case indices and only select the remaining logstash-, so-, or .ds-logs- indices.
-        # Then, sort by date by telling sort to use hyphen as delimiter and sort on the third field.
-	OPEN_INDICES=$(/usr/sbin/so-elasticsearch-query _cat/indices?h=index,status | grep open | awk '{print $1}' | grep -v "so-case" | grep -E "(logstash-|so-|.ds-logs-)" | sort -t- -k3)
-	# We iterate through the open indices
-        for OPEN_INDEX in ${OPEN_INDICES}; do
+  # If we can't query Elasticsearch, then immediately return false.
+  /usr/sbin/so-elasticsearch-query _cat/indices?h=index,status > /dev/null 2>&1
+  [ $? -eq 1 ] && echo "$(date) - Could not query Elasticsearch." >> ${LOG} && exit
+  # We iterate through the closed and open indices
+  CLOSED_INDICES=$(/usr/sbin/so-elasticsearch-query _cat/indices?h=index,status | grep 'close$' | awk '{print $1}' | grep -v "so-case" | grep -E "(logstash-|so-|.ds-logs-)" | sort -t- -k3)
+  OPEN_INDICES=$(/usr/sbin/so-elasticsearch-query _cat/indices?h=index,status | grep 'open$' | awk '{print $1}' | grep -v "so-case" | grep -E "(logstash-|so-|.ds-logs-)" | sort -t- -k3)
+	for INDEX in ${CLOSED_INDICES} ${OPEN_INDICES}; do
 	  # Now that we've sorted the indices from oldest to newest, we need to check each index to see if it is assigned as the current write index for a data stream
-          # To do so, we need to identify to which data stream this index is associated
-          # We extract the data stream name using the pattern below
-          DATASTREAM_PATTERN="logs-[a-zA-Z_.]+-[a-zA-Z_.]+"
-          DATASTREAM=$(echo "${OPEN_INDEX}" | grep -oE "$DATASTREAM_PATTERN")
-	  # We look up the data stream, and determine the write index
-          CURRENT_WRITE_INDEX=$(/usr/sbin/so-elasticsearch-query _data_stream/$DATASTREAM | jq -r .data_streams[0].indices[-1].index_name)
-	  # We make sure we are not trying to delete a write index
-          if [ "${OPEN_INDEX}" != "${CURRENT_WRITE_INDEX}" ]; then      
-            # This should not be a write index, so we should be allowed to delete it
-            /usr/sbin/so-elasticsearch-query ${OPEN_INDEX} -XDELETE
-            # Finally, write a log entry that says we deleted it.
-            echo "$(date) - Used disk space exceeds LOG_SIZE_LIMIT (${LOG_SIZE_LIMIT} GB) - Index ${OPEN_INDEX} deleted ..." >> ${LOG}
-          fi
-          if ! overlimit; then
-            exit
-          fi
-        done
+    # To do so, we need to identify to which data stream this index is associated
+    # We extract the data stream name using the pattern below
+    DATASTREAM_PATTERN="logs-[a-zA-Z_.]+-[a-zA-Z_.]+"
+    DATASTREAM=$(echo "${INDEX}" | grep -oE "$DATASTREAM_PATTERN")
+    # We look up the data stream, and determine the write index. If there is only one backing index, we delete the entire data stream
+	  BACKING_INDICES=$(/usr/sbin/so-elasticsearch-query _data_stream/${DATASTREAM} | jq -r '.data_streams[0].indices | length')
+	  if [ "$BACKING_INDICES" -gt 1 ]; then
+      CURRENT_WRITE_INDEX=$(/usr/sbin/so-elasticsearch-query _data_stream/$DATASTREAM | jq -r .data_streams[0].indices[-1].index_name)
+	    # We make sure we are not trying to delete a write index
+      if [ "${INDEX}" != "${CURRENT_WRITE_INDEX}" ]; then
+        # This should not be a write index, so we should be allowed to delete it
+        printf "\n$(date) - Used disk space exceeds LOG_SIZE_LIMIT (${LOG_SIZE_LIMIT} GB) - Deleting ${INDEX} index...\n" >> ${LOG}
+        /usr/sbin/so-elasticsearch-query ${INDEX} -XDELETE >> ${LOG} 2>&1
+      fi
+	  else
+      # We delete the entire data stream, since there is only one backing index
+	    printf "\n$(date) - Used disk space exceeds LOG_SIZE_LIMIT (${LOG_SIZE_LIMIT} GB) - Deleting ${DATASTREAM} data stream...\n" >> ${LOG}
+      /usr/sbin/so-elasticsearch-query _data_stream/${DATASTREAM} -XDELETE >> ${LOG} 2>&1
+	  fi
+    if ! overlimit; then
+      exit
+    fi
+  done
 done
@@ -126,9 +126,10 @@ delete_so-curator_so-status.disabled:
    - regex: ^so-curator$
  {% endif %}

-so-curatorclusterclose:
+so-curator-cluster-close:
  cron.present:
    - name: /usr/sbin/so-curator-cluster-close > /opt/so/log/curator/cron-close.log 2>&1
+    - identifier: so-curator-cluster-close
    - user: root
    - minute: '2'
    - hour: '*/1'
@@ -136,9 +137,10 @@ so-curatorclusterclose:
    - month: '*'
    - dayweek: '*'

-so-curatorclusterdeletecron:
+so-curator-cluster-delete:
  cron.present:
    - name: /usr/sbin/so-curator-cluster-delete > /opt/so/log/curator/cron-cluster-delete.log 2>&1
+    - identifier: so-curator-cluster-delete
    - user: root
    - minute: '*/5'
    - hour: '*'
@@ -1,21 +1,21 @@
 {
  "description" : "suricata.dns",
  "processors" : [
-    { "rename": 	{ "field": "message2.proto", 		"target_field": "network.transport",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.app_proto", 	"target_field": "network.protocol",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.dns.type", 	"target_field": "dns.query.type",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.dns.tx_id",	"target_field": "dns.id",			"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.dns.version", 	"target_field": "dns.version",			"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.dns.rrname", 	"target_field": "dns.query.name",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.dns.rrtype", 	"target_field": "dns.query.type_name",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.dns.flags", 	"target_field": "dns.flags",			"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.dns.qr", 		"target_field": "dns.qr",			"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.dns.rd", 		"target_field": "dns.recursion.desired",	"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.dns.ra", 		"target_field": "dns.recursion.available",	"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.dns.rcode", 	"target_field": "dns.response.code_name",	"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.grouped.A", 	"target_field": "dns.answers.data",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.grouped.CNAME", 	"target_field": "dns.answers.name",		"ignore_missing": true 	} },
-    { "pipeline": 	{ "if": "ctx.dns.query?.name != null && ctx.dns.query.name.contains('.')", "name": "dns.tld"			} },
-    { "pipeline": { "name": "common" } }
+    { "rename": 	{ "field": "message2.proto", 			"target_field": "network.transport",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.app_proto", 		"target_field": "network.protocol",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.dns.type", 		"target_field": "dns.query.type",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.dns.tx_id",		"target_field": "dns.id",			"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.dns.version", 		"target_field": "dns.version",			"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.dns.rrname", 		"target_field": "dns.query.name",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.dns.rrtype", 		"target_field": "dns.query.type_name",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.dns.flags", 		"target_field": "dns.flags",			"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.dns.qr", 			"target_field": "dns.qr",			"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.dns.rd", 			"target_field": "dns.recursion.desired",	"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.dns.ra", 			"target_field": "dns.recursion.available",	"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.dns.rcode", 		"target_field": "dns.response.code_name",	"ignore_missing": true 	} },
+    { "rename":		{ "field": "message2.dns.grouped.A", 		"target_field": "dns.answers.data",		"ignore_missing": true 	} },
+    { "rename":		{ "field": "message2.dns.grouped.CNAME",	"target_field": "dns.answers.name",		"ignore_missing": true 	} },
+    { "pipeline":	{ "if": "ctx.dns.query?.name != null && ctx.dns.query.name.contains('.')", "name": "dns.tld"				} },
+    { "pipeline": 	{ "name": "common"													} }
  ]
 }
@@ -177,6 +177,7 @@ esyml:
        ESCONFIG: {{ ESCONFIG }}
    - template: jinja

+{% if GLOBALS.role != "so-searchnode" %}
 escomponenttemplates:
  file.recurse:
    - name: /opt/so/conf/elasticsearch/templates/component
@@ -219,6 +220,7 @@ es_template_{{TEMPLATE.split('.')[0] | replace("/","_") }}:
      - cmd: so-elasticsearch-templates
 {% endfor %}
 {% endif %}
+{% endif %}

 esroles:
  file.recurse:
@@ -363,6 +365,8 @@ append_so-elasticsearch_so-status.conf:
    - name: /opt/so/conf/so-status/so-status.conf
    - text: so-elasticsearch

+{% if GLOBALS.role != "so-searchnode" %}
+
 so-es-cluster-settings:
  cmd.run:
    - name: /usr/sbin/so-elasticsearch-cluster-settings
@@ -406,7 +410,7 @@ so-elasticsearch-roles-load:
    - require:
      - docker_container: so-elasticsearch
      - file: es_sync_scripts
-
+{% endif %}
 {% else %}

 {{sls}}_state_not_allowed:
@@ -20,9 +20,10 @@ idstoolslogdir:
    - group: 939
    - makedirs: True

-so-ruleupdatecron:
+so-rule-update:
  cron.present:
    - name: /usr/sbin/so-rule-update > /opt/so/log/idstools/download.log 2>&1
+    - identifier: so-rule-update
    - user: root
    - minute: '1'
    - hour: '7'
@@ -127,6 +127,7 @@ metrics_link_file:
 get_influxdb_size:
  cron.present:
    - name: 'du -s -k /nsm/influxdb | cut -f1 > /opt/so/log/telegraf/influxdb_size.log 2>&1'
+    - identifier: get_influxdb_size
    - user: root
    - minute: '*/1'
    - hour: '*'
@@ -51,7 +51,7 @@ repo_sync_script:
    - group: root
    - mode: 755

-reposync_cron:
+so-repo-sync:
  {% if MANAGERMERGED.reposync.enabled %}
  cron.present:
  {% else %}
@@ -59,6 +59,7 @@ reposync_cron:
  {% endif %}
    - user: socore
    - name: '/usr/sbin/so-repo-sync >> /opt/so/log/reposync/reposync.log 2>&1'
+    - identifier: so-repo-sync
    - hour: '{{ MANAGERMERGED.reposync.hour }}'
    - minute: '{{ MANAGERMERGED.reposync.minute }}'

@@ -83,10 +84,11 @@ yara_update_script:
        ISAIRGAP: {{ GLOBALS.airgap }}
        EXCLUDEDRULES: {{ STRELKAMERGED.rules.excluded }}

-strelka_yara_update:
+strelka-yara-update:
  cron.present:
    - user: root
    - name: '/usr/sbin/so-yara-update >> /nsm/strelka/log/yara-update.log 2>&1'
+    - identifier: strelka-yara-update
    - hour: '7'
    - minute: '1'

@@ -24,8 +24,9 @@ sync_es_users:

 # we dont want this added too early in setup, so we add the onlyif to verify 'startup_states: highstate'
 # is in the minion config. That line is added before the final highstate during setup
-sosyncusers:
+so-user_sync:
  cron.present:
    - user: root
    - name: 'PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin /usr/sbin/so-user sync &>> /opt/so/log/soc/sync.log'
+    - identifier: so-user_sync
    - onlyif: "grep 'startup_states: highstate' /etc/salt/minion"
@@ -2,8 +2,13 @@
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
+{% from 'vars/globals.map.jinja' import GLOBALS %}
 {% from 'ntp/config.map.jinja' import NTPCONFIG %}

+chrony_pkg:
+  pkg.installed:
+    - name: chrony
+
 chronyconf:
  file.managed:
    - name: /etc/chrony.conf
@@ -12,8 +17,14 @@ chronyconf:
    - defaults:
        NTPCONFIG: {{ NTPCONFIG }}

+{% if GLOBALS.os == 'Rocky' %}
 chronyd:
+{% else %}
+chrony:
+{% endif %}
  service.running:
    - enable: True
    - watch: 
-      - file: chronyconf
+      - file: chronyconf
+    - require:
+      - pkg: chrony_pkg
@@ -113,15 +113,17 @@ append_so-playbook_so-status.conf:

 {% endif %}

-so-playbooksynccron:
+so-playbook-sync_cron:
  cron.present:
    - name: /usr/sbin/so-playbook-sync > /opt/so/log/playbook/sync.log 2>&1
+    - identifier: so-playbook-sync_cron
    - user: root
    - minute: '*/5'

-so-playbookruleupdatecron:
+so-playbook-ruleupdate_cron:
  cron.present:
    - name: /usr/sbin/so-playbook-ruleupdate > /opt/so/log/playbook/update.log 2>&1
+    - identifier: so-playbook-ruleupdate_cron
    - user: root
    - minute: '1'
    - hour: '6'
@@ -1,20 +0,0 @@
-# this removes the repo file left by bootstrap-salt.sh without -r
-remove_salt.list:
-  file.absent:
-    - name: /etc/apt/sources.list.d/salt.list
-
-saltstack.list:
-  file.managed:
-    - name: /etc/apt/sources.list.d/saltstack.list
-    - contents:
-      - deb https://repo.securityonion.net/file/securityonion-repo/ubuntu/{{grains.osrelease}}/amd64/salt3004.2/ {{grains.oscodename}} main
-
-apt_update:
-  cmd.run:
-    - name: apt-get update
-    - onchanges:
-      - file: saltstack.list
-    - timeout: 30
-    - retry:
-        attempts: 5
-        interval: 30
@@ -1,16 +1,8 @@
-{% from 'vars/globals.map.jinja' import GLOBALS %}
-
-{% if GLOBALS.os != 'Rocky' %}    
+{% if grains.oscodename == 'focal' %}
 saltpymodules:
  pkg.installed:
    - pkgs:
-      {% if grains['oscodename'] == 'bionic' %}
-      - python-m2crypto
-      - python-docker
-      {% elif grains['oscodename'] == 'focal' %}
-      - python3-m2crypto
      - python3-docker
-      {% endif %}
 {% endif %}

 salt_bootstrap:
@@ -12,8 +12,9 @@ state-apply-test:
       start: 0
       end: 180

-/usr/sbin/so-salt-minion-check -q:
+so-salt-minion-check_cron:
  cron.present:
-    - identifier: so-salt-minion-check
+    - name: /usr/sbin/so-salt-minion-check -q
+    - identifier: so-salt-minion-check_cron
    - user: root
    - minute: '*/5'
@@ -1,6 +1,7 @@
 post_setup_cron:
  cron.present:
    - name: 'PATH=$PATH:/usr/sbin salt-call state.highstate'
+    - identifier: post_setup_cron
    - user: root
    - minute: '*/1'
    - identifier: post_setup_cron
@@ -6,7 +6,8 @@

 PIPE_OWNER=${PIPE_OWNER:-socore}
 PIPE_GROUP=${PIPE_GROUP:-socore}
-SOC_PIPE=${SOC_PIPE_REQUEST:-/opt/so/conf/soc/salt/pipe}
+SOC_PIPE=${SOC_PIPE:-/opt/so/conf/soc/salt/pipe}
+CMD_PREFIX=${CMD_PREFIX:-""}
 PATH=${PATH}:/usr/sbin

 function log() {
@@ -26,7 +27,7 @@ function make_pipe() {
 make_pipe "${SOC_PIPE}"

 function list_minions() {
-  response=$(so-minion -o=list)
+  response=$($CMD_PREFIX so-minion -o=list)
  exit_code=$?
  if [[ $exit_code -eq 0 ]]; then
    log "Successful command execution"
@@ -42,7 +43,7 @@ function manage_minion() {
  op=$(echo "$request" | jq -r .operation)
  id=$(echo "$request" | jq -r .id)

-  response=$(so-minion "-o=$op" "-m=$id")
+  response=$($CMD_PREFIX so-minion "-o=$op" "-m=$id")
  exit_code=$?
  if [[ exit_code -eq 0 ]]; then
    log "Successful command execution"
@@ -75,14 +76,14 @@ function manage_user() {
      add|enable|disable|delete)
        email=$(echo "$request" | jq -r .email)
        log "Performing user '$op' for user '$email'"
-        response=$(so-user "$op" --email "$email" --skip-sync)
+        response=$($CMD_PREFIX so-user "$op" --email "$email" --skip-sync)
        exit_code=$?
        ;;
      addrole|delrole)
        email=$(echo "$request" | jq -r .email)
        role=$(echo "$request" | jq -r .role)
        log "Performing '$op' for user '$email' with role '$role'"
-        response=$(so-user "$op" --email "$email" --role "$role" --skip-sync)
+        response=$($CMD_PREFIX so-user "$op" --email "$email" --role "$role" --skip-sync)
        exit_code=$?
        ;;
      password)
@@ -98,12 +99,12 @@ function manage_user() {
        lastName=$(echo "$request" | jq -r .lastName)
        note=$(echo "$request" | jq -r .note)
        log "Performing '$op' update for user '$email' with firstname '$firstName', lastname '$lastName', and note '$note'"
-        response=$(so-user "$op" --email "$email" --firstName "$firstName" --lastName "$lastName" --note "$note")
+        response=$($CMD_PREFIX so-user "$op" --email "$email" --firstName "$firstName" --lastName "$lastName" --note "$note")
        exit_code=$?
        ;;
      sync)
        log "Performing '$op'"
-        response=$(so-user "$op")
+        response=$($CMD_PREFIX so-user "$op")
        exit_code=$?
        ;;
      *)
@@ -142,17 +143,17 @@ function manage_salt() {
    state)
      log "Performing '$op' for '$state' on minion '$minion'"
      state=$(echo "$request" | jq -r .state)
-      response=$(salt --async "$minion" state.apply "$state" queue=True)
+      response=$($CMD_PREFIX salt --async "$minion" state.apply "$state" queue=True)
      exit_code=$?
      ;;
    highstate)
      log "Performing '$op' on minion $minion"
-      response=$(salt --async "$minion" state.highstate queue=True)
+      response=$($CMD_PREFIX salt --async "$minion" state.highstate queue=True)
      exit_code=$?
      ;;
    activejobs)
+      response=$($CMD_PREFIX salt-run jobs.active -out json -l quiet)
      log "Querying active salt jobs"
-      response=$(salt-run jobs.active -out json -l quiet)
      $(echo "$response" > "${SOC_PIPE}")
      return
      ;;
@@ -91,6 +91,7 @@ socusersroles:
 salt-relay:
  cron.present:
  - name: 'ps -ef | grep salt-relay.sh | grep -v grep > /dev/null 2>&1 || /opt/so/saltstack/default/salt/soc/files/bin/salt-relay.sh >> /opt/so/log/soc/salt-relay.log 2>&1 &'
+  - identifier: salt-relay

 so-soc:
  docker_container.running:
@@ -205,11 +205,13 @@ filecheck_restart:
 filecheck_run:
  cron.present:
    - name: 'ps -ef | grep filecheck | grep -v grep > /dev/null 2>&1 || python3 /opt/so/conf/strelka/filecheck >> /opt/so/log/strelka/filecheck_stdout.log 2>&1 &'
+    - identifier: filecheck_run
    - user: {{ filecheck_runas }}

 filcheck_history_clean:
  cron.present:
    - name: '/usr/bin/find /nsm/strelka/history/ -type f -mtime +2 -exec rm {} + > /dev/null 2>&1'
+    - identifier: filecheck_history_clean
    - minute: '33'
 # End Filecheck Section

@@ -79,8 +79,10 @@ surilogscript:
    - source: salt://suricata/cron/surilogcompress
    - mode: 755

-/usr/local/bin/surilogcompress:
+surilogcompress:
  cron.present:
+    - name: /usr/local/bin/surilogcompress
+    - identifier: surilogcompress
    - user: suricata
    - minute: '17'
    - hour: '*'
@@ -181,16 +183,6 @@ delete_so-suricata_so-status.disabled:
    - regex: ^so-suricata$
  {% endif %}

-surirotate:
-  cron.absent:
-    - name: /usr/local/bin/surirotate
-    - user: root
-    - minute: '11'
-    - hour: '*'
-    - daymonth: '*'
-    - month: '*'
-    - dayweek: '*'
-
 so-suricata-eve-clean:
  file.managed:
    - name: /usr/sbin/so-suricata-eve-clean
@@ -204,6 +196,7 @@ so-suricata-eve-clean:
 clean_suricata_eve_files:
  cron.present:
    - name: /usr/sbin/so-suricata-eve-clean > /dev/null 2>&1
+    - identifier: clean_suricata_eve_files
    - user: root
    - minute: '*/5'
    - hour: '*'
@@ -21,6 +21,7 @@ zeek:
      SpoolDir: /nsm/zeek/spool
      CfgDir: /opt/zeek/etc
      CompressLogs: 1
+      ZeekPort: 27760
    local:
      load:
        - misc/loaded-scripts