Merge remote-tracking branch 'remotes/origin/dev' into bugfix/playbook-mysql

2025-12-06 17:22:49 +01:00 · 2020-05-06 08:30:45 -04:00
parent 2e3bcf600f 981801f23c
commit bc34c67f47
46 changed files with 2733 additions and 2826 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,59 @@
+
+# Created by https://www.gitignore.io/api/macos,windows
+# Edit at https://www.gitignore.io/?templates=macos,windows
+
+### macOS ###
+# General
 .DS_Store
-.idea
+.AppleDouble
+.LSOverride
+
+# Icon must end with two \r
+Icon
+
+# Thumbnails
+._*
+
+# Files that might appear in the root of a volume
+.DocumentRevisions-V100
+.fseventsd
+.Spotlight-V100
+.TemporaryItems
+.Trashes
+.VolumeIcon.icns
+.com.apple.timemachine.donotpresent
+
+# Directories potentially created on remote AFP share
+.AppleDB
+.AppleDesktop
+Network Trash Folder
+Temporary Items
+.apdisk
+
+### Windows ###
+# Windows thumbnail cache files
+Thumbs.db
+Thumbs.db:encryptable
+ehthumbs.db
+ehthumbs_vista.db
+
+# Dump file
+*.stackdump
+
+# Folder config file
+[Dd]esktop.ini
+
+# Recycle Bin used on file shares
+$RECYCLE.BIN/
+
+# Windows Installer files
+*.cab
+*.msi
+*.msix
+*.msm
+*.msp
+
+# Windows shortcuts
+*.lnk
+
+# End of https://www.gitignore.io/api/macos,windows
--- a/pillar/top.sls
+++ b/pillar/top.sls
@@ -1,7 +1,10 @@
 base:
  '*':
    - patch.needs_restarting
-    - docker.config
+
+  '*_eval or *_helix or *_heavynode or *_sensor':
+    - match: compound
+    - zeek

  '*_mastersearch or *_heavynode':
    - match: compound
--- a/pillar/zeek/init.sls
+++ b/pillar/zeek/init.sls
@@ -0,0 +1,55 @@
+zeek:
+  zeekctl:
+    MailTo: root@localhost
+    MailConnectionSummary: 1
+    MinDiskSpace: 5
+    MailHostUpDown: 1
+    LogRotationInterval: 3600
+    LogExpireInterval: 0
+    StatsLogEnable: 1
+    StatsLogExpireInterval: 0
+    StatusCmdShowAll: 0
+    CrashExpireInterval: 0
+    SitePolicyScripts: local.zeek
+    LogDir: /nsm/zeek/logs
+    SpoolDir: /nsm/zeek/spool
+    CfgDir: /opt/zeek/etc
+    CompressLogs: 1
+  local:
+    '@load':
+      - misc/loaded-scripts
+      - tuning/defaults
+      - misc/capture-loss
+      - misc/stats
+      - frameworks/software/vulnerable
+      - frameworks/software/version-changes
+      - protocols/ftp/software
+      - protocols/smtp/software
+      - protocols/ssh/software
+      - protocols/http/software
+      - protocols/dns/detect-external-names
+      - protocols/ftp/detect
+      - protocols/conn/known-hosts
+      - protocols/conn/known-services
+      - protocols/ssl/known-certs
+      - protocols/ssl/validate-certs
+      - protocols/ssl/log-hostcerts-only
+      - protocols/ssh/geo-data
+      - protocols/ssh/detect-bruteforcing
+      - protocols/ssh/interesting-hostnames
+      - protocols/http/detect-sqli
+      - frameworks/files/hash-all-files
+      - frameworks/files/detect-MHR
+      - policy/frameworks/notice/extend-email/hostnames
+      - ja3
+      - hassh
+      - intel
+      - cve-2020-0601
+      - securityonion/bpfconf
+      - securityonion/communityid
+      - securityonion/file-extraction
+    '@load-sigs':
+      - frameworks/signatures/detect-windows-shells
+    redef:
+      - LogAscii::use_json = T;
+      - LogAscii::json_timestamps = JSON::TS_ISO8601;
--- a/salt/common/maps/broversion.map.jinja
+++ b/salt/common/maps/broversion.map.jinja
@@ -0,0 +1,5 @@
+{% set docker = {
+  'containers': [
+    'so-zeek'
+  ]
+} %}
--- a/salt/common/maps/domainstats.map.jinja
+++ b/salt/common/maps/domainstats.map.jinja
@@ -0,0 +1,5 @@
+{% set docker = {
+  'containers': [
+    'so-domainstats'
+  ]
+} %}
--- a/salt/common/maps/eval.map.jinja
+++ b/salt/common/maps/eval.map.jinja
@@ -0,0 +1,18 @@
+{% set docker = {
+  'containers': [
+    'so-nginx',
+    'so-telegraf',
+    'so-dockerregistry',
+    'so-soc',
+    'so-kratos',
+    'so-idstools',
+    'so-elasticsearch',
+    'so-kibana',
+    'so-steno',
+    'so-suricata',
+    'so-zeek',
+    'so-curator',
+    'so-elastalert',
+    'so-soctopus'
+  ]
+} %}
--- a/salt/common/maps/fleet.map.jinja
+++ b/salt/common/maps/fleet.map.jinja
@@ -0,0 +1,10 @@
+{% set docker = {
+  'containers': [
+    'so-mysql',
+    'so-fleet',
+    'so-redis',
+    'so-filebeat',
+    'so-nginx',
+    'so-telegraf'
+  ]
+} %}
--- a/salt/common/maps/fleet_master.map.jinja
+++ b/salt/common/maps/fleet_master.map.jinja
@@ -0,0 +1,7 @@
+{% set docker = {
+  'containers': [
+    'so-mysql',
+    'so-fleet',
+    'so-redis'
+  ]
+} %}
--- a/salt/common/maps/freq.map.jinja
+++ b/salt/common/maps/freq.map.jinja
@@ -0,0 +1,5 @@
+{% set docker = {
+  'containers': [
+    'so-freqserver'
+  ]
+} %}
--- a/salt/common/maps/grafana.map.jinja
+++ b/salt/common/maps/grafana.map.jinja
@@ -0,0 +1,6 @@
+{% set docker = {
+  'containers': [
+    'so-influxdb',
+    'so-grafana'
+  ]
+} %}
--- a/salt/common/maps/heavynode.map.jinja
+++ b/salt/common/maps/heavynode.map.jinja
@@ -0,0 +1,14 @@
+{% set docker = {
+  'containers': [
+    'so-nginx',
+    'so-telegraf',
+    'so-redis',
+    'so-logstash',
+    'so-elasticsearch',
+    'so-curator',
+    'so-steno',
+    'so-suricata',
+    'so-wazuh',
+    'so-filebeat
+  ]
+} %}
--- a/salt/common/maps/helixsensor.map.jinja
+++ b/salt/common/maps/helixsensor.map.jinja
@@ -0,0 +1,12 @@
+{% set docker = {
+  'containers': [
+    'so-nginx',
+    'so-telegraf',
+    'so-idstools',
+    'so-steno',
+    'so-zeek',
+    'so-redis',
+    'so-logstash',
+    'so-filebeat
+  ]
+} %}
--- a/salt/common/maps/hotnode.map.jinja
+++ b/salt/common/maps/hotnode.map.jinja
@@ -0,0 +1,9 @@
+{% set docker = {
+  'containers': [
+    'so-nginx',
+    'so-telegraf',
+     'so-logstash',
+    'so-elasticsearch',
+    'so-curator',
+   ]
+} %}
--- a/salt/common/maps/master.map.jinja
+++ b/salt/common/maps/master.map.jinja
@@ -0,0 +1,18 @@
+{% set docker = {
+  'containers': [
+    'so-dockerregistry',
+    'so-nginx',
+    'so-telegraf',
+    'so-soc',
+    'so-kratos',
+    'so-acng',
+    'so-idstools',
+    'so-redis',
+    'so-elasticsearch',
+    'so-logstash',
+    'so-kibana',
+    'so-elastalert',
+    'so-filebeat',
+    'so-soctopus'
+  ]
+} %}
--- a/salt/common/maps/mastersearch.map.jinja
+++ b/salt/common/maps/mastersearch.map.jinja
@@ -0,0 +1,18 @@
+{% set docker = {
+  'containers': [
+    'so-nginx',
+    'so-telegraf',
+    'so-soc',
+    'so-kratos',
+    'so-acng',
+    'so-idstools',
+    'so-redis',
+    'so-logstash',
+    'so-elasticsearch',
+    'so-curator',
+    'so-kibana',
+    'so-elastalert',
+    'so-filebeat',
+    'so-soctopus'
+  ]
+} %}
--- a/salt/common/maps/playbook.map.jinja
+++ b/salt/common/maps/playbook.map.jinja
@@ -0,0 +1,6 @@
+{% set docker = {
+  'containers': [
+    'so-playbook',
+    'so-navigator'
+  ]
+} %}
--- a/salt/common/maps/searchnode.map.jinja
+++ b/salt/common/maps/searchnode.map.jinja
@@ -0,0 +1,10 @@
+{% set docker = {
+  'containers': [
+    'so-nginx',
+    'so-telegraf',
+    'so-logstash',
+    'so-elasticsearch',
+    'so-curator',
+    'so-filebeat'
+  ]
+} %}
--- a/salt/common/maps/sensor.map.jinja
+++ b/salt/common/maps/sensor.map.jinja
@@ -0,0 +1,9 @@
+{% set docker = {
+  'containers': [
+    'so-nginx',
+    'so-telegraf',
+    'so-steno',
+    'so-suricata',
+    'so-filebeat'
+  ]
+} %}
--- a/salt/common/maps/so-status.map.jinja
+++ b/salt/common/maps/so-status.map.jinja
@@ -0,0 +1,61 @@
+{% set role = grains.id.split('_') | last %}
+{% from 'common/maps/'~ role ~'.map.jinja' import docker with context %}
+
+# Check if the service is enabled and append it's required containers
+# to the list predefined by the role / minion id affix
+{% macro append_containers(pillar_name, k, compare )%}
+  {% if salt['pillar.get'](pillar_name~':'~k, {}) != compare %}
+    {% from 'common/maps/'~k~'.map.jinja' import docker as d with context %}
+    {% for li in d['containers'] %}
+      {{ docker['containers'].append(li) }}
+    {% endfor %}
+  {% endif %}
+{% endmacro %}
+
+{% set docker = salt['grains.filter_by']({
+  '*_'~role: {
+    'containers': docker['containers']
+  } 
+},grain='id', merge=salt['pillar.get']('docker')) %}
+
+{% if role == 'eval' %}
+  {{ append_containers('master', 'grafana', 0) }}
+  {{ append_containers('static', 'fleet_master', 0) }}
+  {{ append_containers('master', 'wazuh', 0) }}
+  {{ append_containers('master', 'thehive', 0) }}
+  {{ append_containers('master', 'playbook', 0) }}
+  {{ append_containers('master', 'freq', 0) }}
+  {{ append_containers('master', 'domainstats', 0) }}
+{% endif %}
+
+{% if role == 'heavynode' %}
+  {{ append_containers('static', 'broversion', 'SURICATA') }}
+{% endif %}
+
+{% if role == 'mastersearch' %}
+  {{ append_containers('master', 'grafana', 0) }}
+  {{ append_containers('static', 'fleet_master', 0) }}
+  {{ append_containers('master', 'wazuh', 0) }}
+  {{ append_containers('master', 'thehive', 0) }}
+  {{ append_containers('master', 'playbook', 0) }}
+  {{ append_containers('master', 'freq', 0) }}
+  {{ append_containers('master', 'domainstats', 0) }}
+{% endif %}
+
+{% if role == 'master' %}
+  {{ append_containers('master', 'grafana', 0) }}
+  {{ append_containers('static', 'fleet_master', 0) }}
+  {{ append_containers('master', 'wazuh', 0) }}
+  {{ append_containers('master', 'thehive', 0) }}
+  {{ append_containers('master', 'playbook', 0) }}
+  {{ append_containers('master', 'freq', 0) }}
+  {{ append_containers('master', 'domainstats', 0) }}
+{% endif %}
+
+{% if role == 'searchnode' %}
+  {{ append_containers('master', 'wazuh', 0) }}
+{% endif %}
+
+{% if role == 'sensor' %}
+  {{ append_containers('static', 'broversion', 'SURICATA') }}
+{% endif %}
--- a/salt/common/maps/thehive.map.jinja
+++ b/salt/common/maps/thehive.map.jinja
@@ -0,0 +1,7 @@
+{% set docker = {
+  'containers': [
+    'so-thehive',
+    'so-thehive-es',
+    'so-cortex'
+  ]
+} %}
--- a/salt/common/maps/warmnode.map.jinja
+++ b/salt/common/maps/warmnode.map.jinja
@@ -0,0 +1,7 @@
+{% set docker = {
+  'containers': [
+    'so-nginx',
+    'so-telegraf',
+    'so-elasticsearch'
+  ]
+} %}
--- a/salt/common/maps/wazuh.map.jinja
+++ b/salt/common/maps/wazuh.map.jinja
@@ -0,0 +1,5 @@
+{% set docker = {
+  'containers': [
+    'so-wazuh'
+  ]
+} %}
--- a/salt/common/tools/sbin/so-status
+++ b/salt/common/tools/sbin/so-status
@@ -14,35 +14,8 @@
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
-
-{%- set pillar_suffix = ':containers' -%}
-{%- if (salt['grains.get']('role') == 'so-mastersearch') -%}
-    {%- set pillar_val = 'master_search' -%}
-{%- elif (salt['grains.get']('role') == 'so-master') -%}
-    {%- set pillar_val = 'master' -%}
-{%- elif (salt['grains.get']('role') == 'so-heavynode') -%}
-    {%- set pillar_val = 'heavy_node' -%}
-{%- elif (salt['grains.get']('role') == 'so-sensor') -%}
-    {%- set pillar_val = 'sensor' -%}
-{%- elif (salt['grains.get']('role') == 'so-eval') -%}
-    {%- set pillar_val = 'eval' -%}
-{%- elif (salt['grains.get']('role') == 'so-fleet') -%}
-    {%- set pillar_val = 'fleet' -%}
-{%- elif (salt['grains.get']('role') == 'so-helix') -%}
-    {%- set pillar_val = 'helix' -%}
-{%- elif (salt['grains.get']('role') == 'so-node') -%}
-    {%- if (salt['pillar.get']('node:node_type') == 'parser') -%}
-        {%- set pillar_val = 'parser_node' -%}
-    {%- elif (salt['pillar.get']('node:node_type') == 'hot') -%}
-        {%- set pillar_val = 'hot_node' -%}
-    {%- elif (salt['pillar.get']('node:node_type') == 'warm') -%}
-        {%- set pillar_val = 'warm_node' -%}
-    {%- elif (salt['pillar.get']('node:node_type') == 'search') -%}
-        {%- set pillar_val = 'search_node' -%}
-    {%- endif -%}
-{%- endif -%}
-{%- set pillar_name = pillar_val ~ pillar_suffix -%}
-{%- set container_list = salt['pillar.get'](pillar_name) %}
+{%- from 'common/maps/so-status.map.jinja' import docker with context %}
+{%- set container_list = docker['containers'] %}

 if ! [ "$(id -u)" = 0 ]; then
   echo "This command must be run as root"
--- a/salt/fleet/init.sls
+++ b/salt/fleet/init.sls
@@ -13,6 +13,9 @@
  {% set MAINIP = salt['pillar.get']('static:masterip') %}
 {% endif %}

+include:
+  - mysql
+
 #{% if grains.id.split('_')|last in ['master', 'eval', 'fleet'] %}
 #so/fleet:
 #  event.send:
@@ -86,6 +89,8 @@ fleetdb:
    - connection_port: 3306
    - connection_user: root
    - connection_pass: {{ MYSQLPASS }}
+    - require: 
+      - sls: mysql

 fleetdbuser:
  mysql_user.present:
@@ -95,6 +100,8 @@ fleetdbuser:
    - connection_port: 3306
    - connection_user: root
    - connection_pass: {{ MYSQLPASS }}
+    - require: 
+      - fleetdb

 fleetdbpriv:
  mysql_grants.present:
@@ -106,6 +113,8 @@ fleetdbpriv:
    - connection_port: 3306
    - connection_user: root
    - connection_pass: {{ MYSQLPASS }}
+    - require: 
+      - fleetdb


 {% if FLEETPASS == None or FLEETJWT == None %}
--- a/salt/kibana/bin/so-kibana-config-load
+++ b/salt/kibana/bin/so-kibana-config-load
@@ -1,6 +1,7 @@
 #!/bin/bash

 {%- set MASTER = salt['pillar.get']('static:masterip', '') %}
+{%- set FLEET_NODE = salt['pillar.get']('static:fleet_node') %}
 {%- set FLEET = salt['pillar.get']('static:fleet_ip', '') %}
 {%- set KRATOS = salt['pillar.get']('kratos:redirect', '') %}

@@ -28,8 +29,10 @@ cp /opt/so/conf/kibana/saved_objects.ndjson.template /opt/so/conf/kibana/saved_o
 # SOCtopus and Master
 sed -i "s/PLACEHOLDER/{{ MASTER }}/g" /opt/so/conf/kibana/saved_objects.ndjson

+{% if FLEET_NODE %}
 # Fleet IP
 sed -i "s/FLEETPLACEHOLDER/{{ FLEET }}/g" /opt/so/conf/kibana/saved_objects.ndjson
+{% endif %}

 # Kratos redirect
 sed -i "s/PCAPPLACEHOLDER/{{ KRATOS }}/g" /opt/so/conf/kibana/saved_objects.ndjson
--- a/salt/mysql/init.sls
+++ b/salt/mysql/init.sls
@@ -85,4 +85,9 @@ so-mysql:
      - /opt/so/log/mysql:/var/log/mysql:rw
    - watch:
      - /opt/so/conf/mysql/etc
+  cmd.run:
+    - name: until nc -z {{ MAINIP }} 3306; do sleep 1; done
+    - timeout: 120
+    - onchanges:
+      - docker_container: so-mysql
 {% endif %}
--- a/salt/nginx/etc/nginx.conf.so-eval
+++ b/salt/nginx/etc/nginx.conf.so-eval
@@ -146,6 +146,20 @@ http {

        }

+        location /cyberchef/ {
+          auth_request          /auth/sessions/whoami;
+          proxy_read_timeout    90;
+          proxy_connect_timeout 90;
+          proxy_set_header      Host $host;
+          proxy_set_header      X-Real-IP $remote_addr;
+          proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
+          proxy_set_header      Proxy "";
+        }
+
+        location /cyberchef {
+          rewrite               ^ /cyberchef/ permanent;
+        }
+
        location /packages/ {
          try_files $uri =206;
          auth_request          /auth/sessions/whoami;
--- a/salt/nginx/etc/nginx.conf.so-master
+++ b/salt/nginx/etc/nginx.conf.so-master
@@ -146,6 +146,20 @@ http {

        }

+        location /cyberchef/ {
+          auth_request          /auth/sessions/whoami;
+          proxy_read_timeout    90;
+          proxy_connect_timeout 90;
+          proxy_set_header      Host $host;
+          proxy_set_header      X-Real-IP $remote_addr;
+          proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
+          proxy_set_header      Proxy "";
+        }
+
+        location /cyberchef {
+          rewrite               ^ /cyberchef/ permanent;
+        }
+
        location /packages/ {
          try_files $uri =206;
          auth_request          /auth/sessions/whoami;
--- a/salt/nginx/etc/nginx.conf.so-mastersearch
+++ b/salt/nginx/etc/nginx.conf.so-mastersearch
@@ -146,6 +146,20 @@ http {

        }

+        location /cyberchef/ {
+          auth_request          /auth/sessions/whoami;
+          proxy_read_timeout    90;
+          proxy_connect_timeout 90;
+          proxy_set_header      Host $host;
+          proxy_set_header      X-Real-IP $remote_addr;
+          proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
+          proxy_set_header      Proxy "";
+        }
+
+        location /cyberchef {
+          rewrite               ^ /cyberchef/ permanent;
+        }
+
        location /packages/ {
          try_files $uri =206;
          auth_request          /auth/sessions/whoami;
--- a/salt/top.sls
+++ b/salt/top.sls
@@ -21,7 +21,6 @@ base:
    - ssl
    - registry
    - common
-    - nginx
    - telegraf
    - firewall
    - idstools
@@ -37,7 +36,6 @@ base:
    - ca
    - ssl
    - common
-    - nginx
    - telegraf
    - firewall
    - pcap
@@ -192,7 +190,6 @@ base:
    - ca
    - ssl
    - common
-    - nginx
    - telegraf
    - firewall
    {%- if WAZUH != 0 %}
@@ -271,7 +268,6 @@ base:
    - ca
    - ssl
    - common
-    - nginx
    - telegraf
    - firewall
    - redis
--- a/salt/zeek/defaults.yml
+++ b/salt/zeek/defaults.yml
@@ -1,17 +0,0 @@
-zeek:
-  zeekctl:
-    MailTo: root@localhost
-    MailConnectionSummary: 1
-    MinDiskSpace: 5
-    MailHostUpDown: 1
-    LogRotationInterval: 3600
-    LogExpireInterval: 0
-    StatsLogEnable: 1
-    StatsLogExpireInterval: 0
-    StatusCmdShowAll: 0
-    CrashExpireInterval: 0
-    SitePolicyScripts: local.zeek
-    LogDir: /nsm/zeek/logs
-    SpoolDir: /nsm/zeek/spool
-    CfgDir: /opt/zeek/etc
-    CompressLogs: 1
--- a/salt/zeek/files/local.zeek
+++ b/salt/zeek/files/local.zeek
@@ -1,132 +0,0 @@
-##! Local site policy. Customize as appropriate.
-##!
-##! This file will not be overwritten when upgrading or reinstalling!
-
-# This script logs which scripts were loaded during each run.
-@load misc/loaded-scripts
-
-# Apply the default tuning scripts for common tuning settings.
-@load tuning/defaults
-
-# Estimate and log capture loss.
-@load misc/capture-loss
-
-# Enable logging of memory, packet and lag statistics.
-@load misc/stats
-
-# Load the scan detection script.  It's disabled by default because
-# it often causes performance issues.
-#@load misc/scan
-
-# Detect traceroute being run on the network. This could possibly cause
-# performance trouble when there are a lot of traceroutes on your network.
-# Enable cautiously.
-#@load misc/detect-traceroute
-
-# Generate notices when vulnerable versions of software are discovered.
-# The default is to only monitor software found in the address space defined
-# as "local".  Refer to the software framework's documentation for more
-# information.
-@load frameworks/software/vulnerable
-
-# Detect software changing (e.g. attacker installing hacked SSHD).
-@load frameworks/software/version-changes
-
-# This adds signatures to detect cleartext forward and reverse windows shells.
-@load-sigs frameworks/signatures/detect-windows-shells
-
-# Load all of the scripts that detect software in various protocols.
-@load protocols/ftp/software
-@load protocols/smtp/software
-@load protocols/ssh/software
-@load protocols/http/software
-# The detect-webapps script could possibly cause performance trouble when
-# running on live traffic.  Enable it cautiously.
-#@load protocols/http/detect-webapps
-
-# This script detects DNS results pointing toward your Site::local_nets
-# where the name is not part of your local DNS zone and is being hosted
-# externally.  Requires that the Site::local_zones variable is defined.
-@load protocols/dns/detect-external-names
-
-# Script to detect various activity in FTP sessions.
-@load protocols/ftp/detect
-
-# Scripts that do asset tracking.
-@load protocols/conn/known-hosts
-@load protocols/conn/known-services
-@load protocols/ssl/known-certs
-
-# This script enables SSL/TLS certificate validation.
-@load protocols/ssl/validate-certs
-
-# This script prevents the logging of SSL CA certificates in x509.log
-@load protocols/ssl/log-hostcerts-only
-
-# Uncomment the following line to check each SSL certificate hash against the ICSI
-# certificate notary service; see http://notary.icsi.berkeley.edu .
-# @load protocols/ssl/notary
-
-# If you have GeoIP support built in, do some geographic detections and
-# logging for SSH traffic.
-@load protocols/ssh/geo-data
-# Detect hosts doing SSH bruteforce attacks.
-@load protocols/ssh/detect-bruteforcing
-# Detect logins using "interesting" hostnames.
-@load protocols/ssh/interesting-hostnames
-
-# Detect SQL injection attacks.
-@load protocols/http/detect-sqli
-
-#### Network File Handling ####
-
-# Enable MD5 and SHA1 hashing for all files.
-@load frameworks/files/hash-all-files
-
-# Detect SHA1 sums in Team Cymru's Malware Hash Registry.
-@load frameworks/files/detect-MHR
-
-# Extend email alerting to include hostnames
-@load policy/frameworks/notice/extend-email/hostnames
-
-# Uncomment the following line to enable detection of the heartbleed attack. Enabling
-# this might impact performance a bit.
-# @load policy/protocols/ssl/heartbleed
-
-# Uncomment the following line to enable logging of connection VLANs. Enabling
-# this adds two VLAN fields to the conn.log file.
-# @load policy/protocols/conn/vlan-logging
-
-# Uncomment the following line to enable logging of link-layer addresses. Enabling
-# this adds the link-layer address for each connection endpoint to the conn.log file.
-# @load policy/protocols/conn/mac-logging
-
-# JA3 - SSL Detection Goodness
-@load ja3
-
-# HASSH
-@load hassh
-
-# You can load your own intel into:
-# /opt/so/saltstack/bro/policy/intel/ on the master
-@load intel
-
-# Load a custom Bro policy
-# /opt/so/saltstack/bro/policy/custom/ on the master
-#@load custom/somebropolicy.bro
-
-# Write logs in JSON
-redef LogAscii::use_json = T;
-redef LogAscii::json_timestamps = JSON::TS_ISO8601;
-
-# CVE-2020-0601
-@load cve-2020-0601
-
-# BPF Configuration
-@load securityonion/bpfconf
-
-# Community ID
-@load securityonion/communityid
-
-# Extracted files
-@load securityonion/file-extraction
--- a/salt/zeek/files/local.zeek.jinja
+++ b/salt/zeek/files/local.zeek.jinja
@@ -0,0 +1,11 @@
+##! Local site policy.
+
+{%- set ALLOWEDOPTIONS = [ '@load', '@load-sigs', 'redef' ] %}
+
+{%- for k, v in LOCAL.items() %}
+  {%- if k|lower in ALLOWEDOPTIONS %}
+    {%- for li in v|sort %}
+{{ k }} {{ li }}
+    {%- endfor %}
+  {%- endif %}
+{%- endfor %}
--- a/salt/zeek/files/zeekctl.cfg.jinja
+++ b/salt/zeek/files/zeekctl.cfg.jinja
@@ -2,7 +2,7 @@

 {%- set ALLOWEDOPTIONS = ['commtimeout','commandtimeout','compresscmd','compressextension','compresslogs','compresslogsinflight','controltopic','crashexpireinterval','croncmd','debug','env_vars','havenfs','keeplogs','logdir','logexpireinterval','logrotationinterval','mailalarmsinterval','mailalarmsto','mailarchivelogfail','mailconnectionsummary','mailfrom','mailhostupdown','mailreceivingpackets','mailreplyto','mailsubjectprefix','mailto','makearchivename','memlimit','mindiskspace','pfringclusterid','pfringclustertype','pfringfirstappinstance','prefixes','savetraces','sendmail','sitepluginpath','sitepolicypath','sitepolicyscripts','statslogenable','statslogexpireinterval','statuscmdshowall','stoptimeout','stopwait','timefmt','timemachinehost','timemachineport','zeekargs','zeekport','bindir','capstatspath','cfgdir','debuglog','defaultstoredir','helperdir','libdir','libdir64','libdirinternal','localnetscfg','lockfile','logexpireminutes','nodecfg','os','pcapbufsize','pcapsnaplen','plugindir','pluginzeekdir','policydir','policydirsiteinstall','policydirsiteinstallauto','postprocdir','scriptsdir','spooldir','standalone','statefile','staticdir','statsdir','statslog','time','tmpdir','tmpexecdir','tracesummary','version','zeek','zeekbase'] %}

-{%- for option in ZEEKCTL %}
+{%- for option in ZEEKCTL|sort %}
  {%- if option|lower in ALLOWEDOPTIONS %}
 {{ option }} = {{ ZEEKCTL[option] }}
  {%- endif %}
--- a/salt/zeek/init.sls
+++ b/salt/zeek/init.sls
@@ -4,8 +4,7 @@
 {% set BPF_STATUS = 0  %}
 {% set INTERFACE = salt['pillar.get']('sensor:interface', 'bond0') %}

-{% import_yaml 'zeek/defaults.yml' as ZEEKDEFAULTS %}
-{% set ZEEK = salt['pillar.get']('zeek', default=ZEEKDEFAULTS.zeek, merge=True) %}
+{% set ZEEK = salt['pillar.get']('zeek', {}) %}

 # Zeek Salt State

@@ -144,13 +143,16 @@ zeekbpf:
      - "ip or not ip"
 {% endif %}

+
 localzeeksync:
  file.managed:
    - name: /opt/so/conf/zeek/local.zeek
-    - source: salt://zeek/files/local.zeek
+    - source: salt://zeek/files/local.zeek.jinja
    - user: 937
    - group: 939
    - template: jinja
+    - defaults:
+        LOCAL: {{ ZEEK.local | tojson }}

 so-zeek:
  docker_container.running:
--- a/setup/install_scripts/99-so-checksum-offload-disable
+++ b/setup/install_scripts/99-so-checksum-offload-disable
@@ -1,6 +1,6 @@
 #!/bin/bash

-if [[ "$DEVICE_IFACE" != "$MAININT" && "$DEVICE_IFACE" != *"docker"* ]]; then
+if [[ "$DEVICE_IFACE" != "$MNIC" && "$DEVICE_IFACE" != *"docker"* ]]; then
 	for i in rx tx sg tso ufo gso gro lro; do
 		ethtool -K "$DEVICE_IFACE" "$i" off;
  	done
--- a/setup/public_keys/salt.pem
+++ b/setup/public_keys/salt.pem
@@ -0,0 +1,31 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v2.0.22 (GNU/Linux)
+
+mQENBFOpvpgBCADkP656H41i8fpplEEB8IeLhugyC2rTEwwSclb8tQNYtUiGdna9
+m38kb0OS2DDrEdtdQb2hWCnswxaAkUunb2qq18vd3dBvlnI+C4/xu5ksZZkRj+fW
+tArNR18V+2jkwcG26m8AxIrT+m4M6/bgnSfHTBtT5adNfVcTHqiT1JtCbQcXmwVw
+WbqS6v/LhcsBE//SHne4uBCK/GHxZHhQ5jz5h+3vWeV4gvxS3Xu6v1IlIpLDwUts
+kT1DumfynYnnZmWTGc6SYyIFXTPJLtnoWDb9OBdWgZxXfHEcBsKGha+bXO+m2tHA
+gNneN9i5f8oNxo5njrL8jkCckOpNpng18BKXABEBAAG0MlNhbHRTdGFjayBQYWNr
+YWdpbmcgVGVhbSA8cGFja2FnaW5nQHNhbHRzdGFjay5jb20+iQE4BBMBAgAiBQJT
+qb6YAhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRAOCKFJ3le/vhkqB/0Q
+WzELZf4d87WApzolLG+zpsJKtt/ueXL1W1KA7JILhXB1uyvVORt8uA9FjmE083o1
+yE66wCya7V8hjNn2lkLXboOUd1UTErlRg1GYbIt++VPscTxHxwpjDGxDB1/fiX2o
+nK5SEpuj4IeIPJVE/uLNAwZyfX8DArLVJ5h8lknwiHlQLGlnOu9ulEAejwAKt9CU
+4oYTszYM4xrbtjB/fR+mPnYh2fBoQO4d/NQiejIEyd9IEEMd/03AJQBuMux62tjA
+/NwvQ9eqNgLw9NisFNHRWtP4jhAOsshv1WW+zPzu3ozoO+lLHixUIz7fqRk38q8Q
+9oNR31KvrkSNrFbA3D89uQENBFOpvpgBCADJ79iH10AfAfpTBEQwa6vzUI3Eltqb
+9aZ0xbZV8V/8pnuU7rqM7Z+nJgldibFk4gFG2bHCG1C5aEH/FmcOMvTKDhJSFQUx
+uhgxttMArXm2c22OSy1hpsnVG68G32Nag/QFEJ++3hNnbyGZpHnPiYgej3FrerQJ
+zv456wIsxRDMvJ1NZQB3twoCqwapC6FJE2hukSdWB5yCYpWlZJXBKzlYz/gwD/Fr
+GL578WrLhKw3UvnJmlpqQaDKwmV2s7MsoZogC6wkHE92kGPG2GmoRD3ALjmCvN1E
+PsIsQGnwpcXsRpYVCoW7e2nW4wUf7IkFZ94yOCmUq6WreWI4NggRcFC5ABEBAAGJ
+AR8EGAECAAkFAlOpvpgCGwwACgkQDgihSd5Xv74/NggA08kEdBkiWWwJZUZEy7cK
+WWcgjnRuOHd4rPeT+vQbOWGu6x4bxuVf9aTiYkf7ZjVF2lPn97EXOEGFWPZeZbH4
+vdRFH9jMtP+rrLt6+3c9j0M8SIJYwBL1+CNpEC/BuHj/Ra/cmnG5ZNhYebm76h5f
+T9iPW9fFww36FzFka4VPlvA4oB7ebBtquFg3sdQNU/MmTVV4jPFWXxh4oRDDR+8N
+1bcPnbB11b5ary99F/mqr7RgQ+YFF0uKRE3SKa7a+6cIuHEZ7Za+zhPaQlzAOZlx
+fuBmScum8uQTrEF5+Um5zkwC7EXTdH1co/+/V/fpOtxIg4XO4kcugZefVm5ERfVS
+MA==
+=dtMN
+-----END PGP PUBLIC KEY BLOCK-----
--- a/setup/so-common-functions
+++ b/setup/so-common-functions
@@ -0,0 +1,68 @@
+#!/bin/bash
+
+source ./so-variables
+
+# Helper functions
+
+filter_unused_nics() {
+
+	if [[ $MNIC ]]; then local grep_string="$MNIC\|bond0"; else local grep_string="bond0"; fi
+
+	# If we call this function and NICs have already been assigned to the bond interface then add them to the grep search string
+	if [[ $BNICS ]]; then
+		grep_string="$grep_string"
+		for BONDNIC in "${BNICS[@]}"; do
+			grep_string="$grep_string\|$BONDNIC"
+		done
+	fi
+
+	# Finally, set filtered_nics to any NICs we aren't using (and ignore interfaces that aren't of use)
+	filtered_nics=$(ip link| awk -F: '$0 !~ "lo|vir|veth|br|docker|wl|^[^0-9]"{print $2}' | grep -vwe "$grep_string"  | sed 's/ //g')
+	readarray -t filtered_nics <<< "$filtered_nics"
+	
+	nic_list=()
+	for nic in "${filtered_nics[@]}"; do
+		nic_list+=("$nic" "" "OFF")
+	done
+
+	export nic_list
+}
+
+calculate_useable_cores() {
+
+	# Calculate reasonable core usage
+	local cores_for_bro=$(( (num_cpu_cores/2) - 1 ))
+	local lb_procs_round
+	lb_procs_round=$(printf "%.0f\n" $cores_for_bro)
+
+	if [ "$lb_procs_round" -lt 1 ]; then lb_procs=1; else lb_procs=$lb_procs_round; fi
+    export lb_procs
+}
+
+set_defaul_log_size() {
+    local percentage
+
+	case $INSTALLTYPE in
+		EVAL | HEAVYNODE)
+			percentage=50
+			;;
+		*)
+            percentage=80
+			;;
+		esac
+
+	local disk_dir="/"
+	if [ -d /nsm ]; then
+		disk_dir="/nsm"
+	fi
+	local disk_size_1k
+	disk_size_1k=$(df $disk_dir | grep -v "^Filesystem" | awk '{print $2}')
+
+    local ratio="1048576"
+
+    local disk_size_gb
+    disk_size_gb=$( echo "$disk_size_1k" "$ratio" | awk '{print($1/$2)}' )
+
+	log_size_limit=$( echo "$disk_size_gb" "$percentage" | awk '{printf("%.0f", $1 * ($2/100))}')
+	export log_size_limit
+}
--- a/setup/so-functions
+++ b/setup/so-functions
--- a/setup/so-setup
+++ b/setup/so-setup
--- a/setup/so-variables
+++ b/setup/so-variables
@@ -0,0 +1,36 @@
+#!/bin/bash
+
+total_mem=$(grep MemTotal /proc/meminfo | awk '{print $2}' | sed -r 's/.{3}$//')
+export total_mem
+
+total_mem_hr=$(grep MemTotal /proc/meminfo | awk '{ printf("%.0f", $2/1024/1024); }')
+export total_mem_hr
+
+num_cpu_cores=$(nproc)
+export num_cpu_cores
+
+readarray -t cpu_core_list <<< "$(grep "processor" /proc/cpuinfo | grep -v "KVM" | awk '{print $3}')"
+export cpu_core_list
+
+random_uid=$(</dev/urandom tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1)
+export random_uid
+
+node_es_port=9200
+export node_es_port
+
+setup_log="/root/sosetup.log"
+export setup_log
+
+filesystem_root=$(df / | awk '$3 ~ /[0-9]+/ { print $2 * 1000 }')
+export filesystem_root
+
+mkdir -p /nsm
+filesystem_nsm=$(df /nsm | awk '$3 ~ /[0-9]+/ { print $2 * 1000 }')
+export filesystem_nsm
+
+mkdir -p /root/installtmp/pillar/minions
+export temp_install_dir=/root/installtmp
+
+export percentage_str='Getting started'
+
+export DEBIAN_FRONTEND=noninteractive
--- a/setup/so-whiptail
+++ b/setup/so-whiptail
--- a/setup/yum_repos/salt-2019-2.repo
+++ b/setup/yum_repos/salt-2019-2.repo
@@ -0,0 +1,6 @@
+[saltstack-repo]
+name=SaltStack repo for RHEL/CentOS $releasever PY3
+baseurl=https://repo.saltstack.com/py3/redhat/$releasever/$basearch/2019.2
+enabled=1
+gpgcheck=1
+gpgkey=https://repo.saltstack.com/py3/redhat/$releasever/$basearch/2019.2/SALTSTACK-GPG-KEY.pub
--- a/setup/yum_repos/salt-latest.repo
+++ b/setup/yum_repos/salt-latest.repo
@@ -0,0 +1,7 @@
+[salt-latest]
+name=SaltStack Latest Release Channel for RHEL/Centos $releasever
+baseurl=https://repo.saltstack.com/py3/redhat/7/$basearch/latest
+failovermethod=priority
+enabled=1
+gpgcheck=1
+gpgkey=https://repo.saltstack.com/py3/redhat/$releasever/$basearch/latest/SALTSTACK-GPG-KEY.pub
--- a/setup/yum_repos/wazuh.repo
+++ b/setup/yum_repos/wazuh.repo
@@ -0,0 +1,7 @@
+[wazuh_repo]
+gpgcheck=1
+gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
+enabled=1
+name=Wazuh repository
+baseurl=https://packages.wazuh.com/3.x/yum/
+protect=1
--- a/upgrade/so-update-functions
+++ b/upgrade/so-update-functions
@@ -156,12 +156,12 @@ salt_highstate() {
 update_held_packages() {

    if [ $OS == "centos" ]
-      SALTVER=2019.2.3
+      SALTVER=2019.2.4
      DOCKERVER=
      yum -y --disableexcludes=all update salt-$SALTVER
      yum -y --disableexcludes=all update docker-ce-$DOCKERVER
    else
-      SALTVER=2019.2.3+ds-1
+      SALTVER=2019.2.4+ds-1
      DOCKERVER=5:19.03.8~3-0~ubuntu-xenial
    fi