Merge pull request #10 from TOoSmOotH/master

Hybrid Hunter 1.0.1
2025-12-07 17:52:46 +01:00 · 2018-11-02 15:58:10 -04:00
parent 656eb799d0 f555683643
commit cbace5fb59
41 changed files with 581 additions and 136 deletions
--- a/README.md
+++ b/README.md
@@ -1,11 +1,62 @@
-# Security Onion NP Tech Preview  
+# Security Onion Hybrid Hunter Tech Preview 1.0.1

-Installation:
+**Warnings and Disclaimers**
+
+- This technology PREVIEW is PRE-ALPHA, BLEEDING EDGE, and TOTALLY UNSUPPORTED!  
+- If this breaks your system, you get to keep both pieces!  
+- This script is a work in progress and is in constant flux.  
+- This script is intended to build a quick prototype proof of concept so you can see what our new platform might look like.  This configuration will change drastically over time leading up to the final - release.  
+- Do NOT run this on a system that you care about!  
+- Do NOT run this on a system that has data that you care about!  
+- This script should only be run on a TEST box with TEST data!  
+- This script is only designed for standalone boxes and does NOT support distributed deployments.  
+- Use of this script may result in nausea, vomiting, or a burning sensation.  
+
+**Requirements**
+
+Evaluation Mode:
+
+- Single Ubuntu 16.04 or CentOS 7 VM
+- Minimum 8GB of RAM
+- Minimum 4 CPU cores
+- Minimum 2 NICs
+
+Distributed:
+
+- 3 VMs running Ubuntu 16.04 or CentOS 7 (You can mix and match)
+- Minimum 8GB of RAM per VM
+- Minimum 4 CPU cores per VM
+- Minimum 2 NICs for forward nodes
+
+
+**Installation**
+
+If you are using CentOS 7 there are a couple pre-requisites:
+
+```
+sudo yum -y install bind-utils
+sudo hostnamectl set-hostname YOURHOSTNAME
+sudo reboot
+```
+Once you resolve those requirements or are using Ubuntu 16.04 do the following:

 ```
 git clone https://github.com/Security-Onion-Solutions/securityonion-saltstack
 cd securityonion-saltstack
 sudo bash so-setup-network.sh
 ```
+**Allow Access to Kibana**

-See the [FAQ](https://github.com/Security-Onion-Solutions/securityonion-saltstack/wiki/FAQ) on the TP wiki.
+For a single host:
+```
+sudo /opt/so/saltstack/pillar/firewall/addfirewall.sh analyst 192.168.30.1
+```
+For a network range:
+```
+sudo /opt/so/saltstack/pillar/firewall/addfirewall.sh analyst 192.168.30.0/24
+```
+Then connect to your master via https://YOURMASTER
+
+See the [FAQ](https://github.com/Security-Onion-Solutions/securityonion-saltstack/wiki/FAQ) on the Hybrid Hunter wiki.
+
+For issues not covered in the FAQ please use the mailing list with the subject prefix of [Hybrid Hunter]. 
--- a/1
+++ b/1
@@ -0,0 +1 @@
+1.0.1
--- a/pillar/static/example.sls
+++ b/pillar/static/example.sls
@@ -1,6 +0,0 @@
-# This is for global salt items such as ntp servers etc.
-static:
-  ntpserver:
-  homenet:
-  proxy:
-  masterupdate:
--- a/pillar/top.sls
+++ b/pillar/top.sls
@@ -13,6 +13,14 @@ base:
    - firewall.*
    - data.*

+  'G@role:so-eval':
+    - masters.schedule
+    - masters.{{ grains.host }}
+    - static
+    - firewall.*
+    - data.*
+    - brologs
+
  'G@role:so-node':
    - nodes.schedule
    - nodes.{{ grains.host }}
--- a/salt/bro/files/local.bro
+++ b/salt/bro/files/local.bro
@@ -139,3 +139,6 @@
 # Load a custom Bro policy
 # /opt/so/saltstack/bro/policy/custom/ on the master
 #@load custom/somebropolicy.bro
+
+# Write logs in JSON
+#redef LogAscii::use_json = T;
--- a/salt/bro/files/local.bro.community
+++ b/salt/bro/files/local.bro.community
@@ -127,3 +127,6 @@
 # Load a custom Bro policy
 # /opt/so/saltstack/bro/policy/custom/ on the master
 #@load custom/somebropolicy.bro
+
+# Use JSON
+#redef LogAscii::use_json = T;
--- a/salt/bro/files/node.cfg
+++ b/salt/bro/files/node.cfg
@@ -1,4 +1,4 @@
-{%- set interface = salt['pillar.get']('sensor:interface', '') %}
+{%- set interface = salt['pillar.get']('sensor:interface', 'bond0') %}

 {%- if salt['pillar.get']('sensor:bro_pins') or salt['pillar.get']('sensor:bro_lbprocs') %}
 {%- if salt['pillar.get']('sensor:bro_proxies') %}
--- a/salt/common/nginx/nginx.conf.so-eval
+++ b/salt/common/nginx/nginx.conf.so-eval
@@ -0,0 +1,110 @@
+{%- set masterip = salt['pillar.get']('master:mainip', '') %}
+# For more information on configuration, see:
+#   * Official English Documentation: http://nginx.org/en/docs/
+#   * Official Russian Documentation: http://nginx.org/ru/docs/
+
+user nginx;
+worker_processes auto;
+error_log /var/log/nginx/error.log;
+pid /run/nginx.pid;
+
+# Load dynamic modules. See /usr/share/nginx/README.dynamic.
+include /usr/share/nginx/modules/*.conf;
+
+events {
+    worker_connections 1024;
+}
+
+http {
+    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
+                      '$status $body_bytes_sent "$http_referer" '
+                      '"$http_user_agent" "$http_x_forwarded_for"';
+
+    access_log  /var/log/nginx/access.log  main;
+
+    sendfile            on;
+    tcp_nopush          on;
+    tcp_nodelay         on;
+    keepalive_timeout   65;
+    types_hash_max_size 2048;
+
+    include             /etc/nginx/mime.types;
+    default_type        application/octet-stream;
+
+    # Load modular configuration files from the /etc/nginx/conf.d directory.
+    # See http://nginx.org/en/docs/ngx_core_module.html#include
+    # for more information.
+    include /etc/nginx/conf.d/*.conf;
+
+    #server {
+    #    listen       80 default_server;
+    #    listen       [::]:80 default_server;
+    #    server_name  _;
+    #    root         /opt/socore/html;
+    #    index        index.html;
+
+        # Load configuration files for the default server block.
+        #include /etc/nginx/default.d/*.conf;
+
+    #    location / {
+    #    }
+
+    #    error_page 404 /404.html;
+    #        location = /40x.html {
+    #    }
+
+    #    error_page 500 502 503 504 /50x.html;
+    #        location = /50x.html {
+    #    }
+    #}
+    server {
+	      listen 80 default_server;
+	      server_name _;
+	      return 301 https://$host$request_uri;
+    }
+
+
+# Settings for a TLS enabled server.
+
+    server {
+        listen       443 ssl http2 default_server;
+        #listen       [::]:443 ssl http2 default_server;
+        server_name  _;
+        root         /opt/socore/html;
+        index        index.html;
+
+        ssl_certificate "/etc/pki/nginx/server.crt";
+        ssl_certificate_key "/etc/pki/nginx/server.key";
+        ssl_session_cache shared:SSL:1m;
+        ssl_session_timeout  10m;
+        ssl_ciphers HIGH:!aNULL:!MD5;
+        ssl_prefer_server_ciphers on;
+
+        # Load configuration files for the default server block.
+        #include /etc/nginx/default.d/*.conf;
+
+        #location / {
+    #      try_files $uri $uri.html /index.html;
+    #    }
+
+        location / {
+          proxy_pass http://{{ masterip }}:5601/;
+          proxy_read_timeout    90;
+          proxy_connect_timeout 90;
+          proxy_set_header      Host $host;
+          proxy_set_header      X-Real-IP $remote_addr;
+          proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
+          proxy_set_header      Proxy "";
+
+        }
+
+        error_page 404 /404.html;
+            location = /40x.html {
+        }
+
+        error_page 500 502 503 504 /50x.html;
+            location = /50x.html {
+        }
+    }
+
+}
--- a/salt/elasticsearch/files/elasticsearch.yml
+++ b/salt/elasticsearch/files/elasticsearch.yml
@@ -1,4 +1,4 @@
-{% if grains['role'] == 'so-master' %}
+{% if grains['role'] == 'so-master' or grains['role'] == 'so-eval' %}
 {%- set esclustername = salt['pillar.get']('master:esclustername', '') %}
 cluster.name: "{{ esclustername }}"
 network.host: 0.0.0.0
@@ -19,6 +19,6 @@ discovery.zen.minimum_master_nodes: 1
 path.logs: /var/log/elasticsearch
 action.destructive_requires_name: true
 transport.bind_host: 0.0.0.0
-transport.publish_host: {{ nodeip }} 
+transport.publish_host: {{ nodeip }}
 transport.publish_port: 9300
 {%- endif %}
--- a/salt/elasticsearch/init.sls
+++ b/salt/elasticsearch/init.sls
@@ -20,6 +20,14 @@
 {% set dstats = salt['pillar.get']('master:dstats', '0') %}
 {% set esalert = salt['pillar.get']('master:elastalert', '1') %}

+{% elif grains['role'] == 'so-eval' %}
+
+{% set esclustername = salt['pillar.get']('master:esclustername', '') %}
+{% set esheap = salt['pillar.get']('master:esheap', '') %}
+{% set freq = salt['pillar.get']('master:freq', '0') %}
+{% set dstats = salt['pillar.get']('master:dstats', '0') %}
+{% set esalert = salt['pillar.get']('master:elastalert', '1') %}
+
 {% elif grains['role'] == 'so-node' %}

 {% set esclustername = salt['pillar.get']('node:esclustername', '') %}
--- a/salt/filebeat/etc/filebeat.yml
+++ b/salt/filebeat/etc/filebeat.yml
@@ -14,7 +14,7 @@ filebeat.prospectors:
 {%- for LOGNAME in salt['pillar.get']('brologs:enabled', '')  %}
  - type: log
    paths:
-      - /nsm/bro/spool/{{ LOGNAME }}.log
+      - /nsm/bro/logs/current/{{ LOGNAME }}.log
    fields:
      type: bro_{{ LOGNAME }}
    fields_under_root: true
--- a/salt/filebeat/init.sls
+++ b/salt/filebeat/init.sls
@@ -59,7 +59,7 @@ so-filebeat:
    - binds:
      - /opt/so/log/filebeat:/var/log/filebeat:rw
      - /opt/so/conf/filebeat/etc/filebeat.yml:/usr/share/filebeat/filebeat.yml:ro
-      - /nsm/bro/spool/manager:/nsm/bro/spool:ro
+      - /nsm/bro:/nsm/bro:ro
      - /opt/so/log/suricata:/suricata:ro
      - /opt/so/conf/filebeat/etc/pki/filebeat.crt:/usr/share/filebeat/filebeat.crt:ro
      - /opt/so/conf/filebeat/etc/pki/filebeat.key:/usr/share/filebeat/filebeat.key:ro
--- a/salt/firewall/init.sls
+++ b/salt/firewall/init.sls
@@ -87,7 +87,7 @@ enable_docker_user_established:
    - ctstate: 'RELATED,ESTABLISHED'

 # Rules if you are a Master
-{% if grains['role'] == 'so-master' %}
+{% if grains['role'] == 'so-master' or grains['role'] == 'so-eval' %}
 #This should be more granular
 iptables_allow_master_docker:
  iptables.insert:
--- a/salt/logstash/conf/conf.enabled.txt.so-eval
+++ b/salt/logstash/conf/conf.enabled.txt.so-eval
@@ -12,8 +12,8 @@
 /usr/share/logstash/pipeline.so/0002_input_windows_json.conf
 /usr/share/logstash/pipeline.so/0003_input_syslog.conf
 /usr/share/logstash/pipeline.so/0005_input_suricata.conf
-/usr/share/logstash/pipeline.so/0006_input_beats.conf
 /usr/share/logstash/pipeline.so/0007_input_import.conf
+/usr/share/logstash/pipeline.so/0008_input_eval.conf
 /usr/share/logstash/pipeline.so/1000_preprocess_log_elapsed.conf
 /usr/share/logstash/pipeline.so/1001_preprocess_syslogng.conf
 /usr/share/logstash/pipeline.so/1002_preprocess_json.conf
@@ -74,33 +74,36 @@
 /usr/share/logstash/pipeline.so/6500_ossec.conf
 /usr/share/logstash/pipeline.so/6501_ossec_sysmon.conf
 /usr/share/logstash/pipeline.so/6502_ossec_autoruns.conf
+/usr/share/logstash/pipeline.so/6600_winlogbeat_sysmon.conf
+/usr/share/logstash/pipeline.so/6700_winlogbeat.conf
 /usr/share/logstash/pipeline.so/8000_postprocess_bro_cleanup.conf
 /usr/share/logstash/pipeline.so/8001_postprocess_common_ip_augmentation.conf
-/usr/share/logstash/pipeline.so/8006_postprocess_dns.conf
-/usr/share/logstash/pipeline.so/8007_postprocess_dns_top1m_tagging.conf
+#/usr/share/logstash/pipeline.so/8006_postprocess_dns.conf
+#/usr/share/logstash/pipeline.so/8007_postprocess_dns_top1m_tagging.conf
 /usr/share/logstash/pipeline.so/8007_postprocess_http.conf
-/usr/share/logstash/pipeline.so/8008_postprocess_dns_whois_age.conf
+#/usr/share/logstash/pipeline.so/8008_postprocess_dns_whois_age.conf
 /usr/share/logstash/pipeline.so/8200_postprocess_tagging.conf
-/usr/share/logstash/pipeline.so/8502_postprocess_freq_analysis_bro_dns.conf
-/usr/share/logstash/pipeline.so/8503_postprocess_freq_analysis_bro_http.conf
-/usr/share/logstash/pipeline.so/8504_postprocess_freq_analysis_bro_ssl.conf
-/usr/share/logstash/pipeline.so/8505_postprocess_freq_analysis_bro_x509.conf
+#/usr/share/logstash/pipeline.so/8502_postprocess_freq_analysis_bro_dns.conf
+#/usr/share/logstash/pipeline.so/8503_postprocess_freq_analysis_bro_http.conf
+#/usr/share/logstash/pipeline.so/8504_postprocess_freq_analysis_bro_ssl.conf
+#/usr/share/logstash/pipeline.so/8505_postprocess_freq_analysis_bro_x509.conf
 /usr/share/logstash/pipeline.so/8998_postprocess_log_elapsed.conf
 /usr/share/logstash/pipeline.so/8999_postprocess_rename_type.conf
-/usr/share/logstash/pipeline.so/9000_output_bro.conf
-/usr/share/logstash/pipeline.so/9001_output_switch.conf
-/usr/share/logstash/pipeline.so/9002_output_import.conf
-/usr/share/logstash/pipeline.so/9004_output_flow.conf
-/usr/share/logstash/pipeline.so/9026_output_dhcp.conf
-/usr/share/logstash/pipeline.so/9029_output_esxi.conf
-/usr/share/logstash/pipeline.so/9030_output_greensql.conf
-/usr/share/logstash/pipeline.so/9031_output_iis.conf
-/usr/share/logstash/pipeline.so/9032_output_mcafee.conf
-/usr/share/logstash/pipeline.so/9033_output_snort.conf
-/usr/share/logstash/pipeline.so/9034_output_syslog.conf
-/usr/share/logstash/pipeline.so/9200_output_firewall.conf
-/usr/share/logstash/pipeline.so/9300_output_windows.conf
-/usr/share/logstash/pipeline.so/9301_output_dns_windows.conf
-/usr/share/logstash/pipeline.so/9400_output_suricata.conf
-/usr/share/logstash/pipeline.so/9500_output_beats.conf
-/usr/share/logstash/pipeline.so/9998_output_test_data.conf
+/usr/share/logstash/pipeline.dynamic/9000_output_bro.conf
+/usr/share/logstash/pipeline.dynamic/9001_output_switch.conf
+/usr/share/logstash/pipeline.dynamic/9002_output_import.conf
+/usr/share/logstash/pipeline.dynamic/9004_output_flow.conf
+/usr/share/logstash/pipeline.dynamic/9026_output_dhcp.conf
+/usr/share/logstash/pipeline.dynamic/9029_output_esxi.conf
+/usr/share/logstash/pipeline.dynamic/9030_output_greensql.conf
+/usr/share/logstash/pipeline.dynamic/9031_output_iis.conf
+/usr/share/logstash/pipeline.dynamic/9032_output_mcafee.conf
+/usr/share/logstash/pipeline.dynamic/9033_output_snort.conf
+/usr/share/logstash/pipeline.dynamic/9034_output_syslog.conf
+/usr/share/logstash/pipeline.dynamic/9200_output_firewall.conf
+/usr/share/logstash/pipeline.dynamic/9300_output_windows.conf
+/usr/share/logstash/pipeline.dynamic/9301_output_dns_windows.conf
+/usr/share/logstash/pipeline.dynamic/9400_output_suricata.conf
+/usr/share/logstash/pipeline.dynamic/9500_output_beats.conf
+/usr/share/logstash/pipeline.dynamic/9600_output_ossec.conf
+/usr/share/logstash/pipeline.dynamic/9998_output_test_data.conf
--- a/salt/logstash/files/dynamic/9000_output_bro.conf
+++ b/salt/logstash/files/dynamic/9000_output_bro.conf
@@ -1,5 +1,8 @@
-{%- if grains['role'] != 'so-master' -%}
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
 {%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
 # Author: Justin Henderson
 #         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
 # Email: justin@hasecuritysolution.com
@@ -25,4 +28,3 @@ output {
    }
  }
 }
-{%- endif %}
--- a/salt/logstash/files/dynamic/9001_output_switch.conf
+++ b/salt/logstash/files/dynamic/9001_output_switch.conf
@@ -1,5 +1,8 @@
-{%- if grains['role'] != 'so-master' -%}
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
 {%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
 # Author: Justin Henderson
 #         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
 # Email: justin@hasecuritysolution.com
@@ -22,4 +25,3 @@ output {
    }
  }
 }
-{%- endif %}
--- a/salt/logstash/files/dynamic/9002_output_import.conf
+++ b/salt/logstash/files/dynamic/9002_output_import.conf
@@ -1,5 +1,8 @@
-{%- if grains['role'] != 'so-master' -%}
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
 {%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
 # Updated by: Doug Burks
 # Last Update: 5/16/2017

@@ -22,4 +25,3 @@ output {
    }
  }
 }
-{%- endif %}
--- a/salt/logstash/files/dynamic/9004_output_flow.conf
+++ b/salt/logstash/files/dynamic/9004_output_flow.conf
@@ -1,5 +1,8 @@
-{%- if grains['role'] != 'so-master' -%}
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
 {%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
 # Author: Justin Henderson
 #         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
 # Email: justin@hasecuritysolution.com
@@ -22,4 +25,3 @@ output {
    }
  }
 }
-{%- endif %}
--- a/salt/logstash/files/dynamic/9026_output_dhcp.conf
+++ b/salt/logstash/files/dynamic/9026_output_dhcp.conf
@@ -1,5 +1,8 @@
-{%- if grains['role'] != 'so-master' -%}
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
 {%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
 # Author: Justin Henderson
 #         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
 # Email: justin@hasecuritysolution.com
@@ -21,4 +24,3 @@ output {
    }
  }
 }
-{%- endif %}
--- a/salt/logstash/files/dynamic/9029_output_esxi.conf
+++ b/salt/logstash/files/dynamic/9029_output_esxi.conf
@@ -1,5 +1,8 @@
-{%- if grains['role'] != 'so-master' -%}
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
 {%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
 # Author: Justin Henderson
 #         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
 # Email: justin@hasecuritysolution.com
@@ -20,4 +23,3 @@ output {
    }
  }
 }
-{%- endif %}
--- a/salt/logstash/files/dynamic/9030_output_greensql.conf
+++ b/salt/logstash/files/dynamic/9030_output_greensql.conf
@@ -1,5 +1,8 @@
-{%- if grains['role'] != 'so-master' -%}
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
 {%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
 # Author: Justin Henderson
 #         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
 # Email: justin@hasecuritysolution.com
@@ -20,4 +23,3 @@ output {
    }
  }
 }
-{%- endif %}
--- a/salt/logstash/files/dynamic/9031_output_iis.conf
+++ b/salt/logstash/files/dynamic/9031_output_iis.conf
@@ -1,5 +1,8 @@
-{%- if grains['role'] != 'so-master' -%}
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
 {%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
 # Author: Justin Henderson
 #         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
 # Email: justin@hasecuritysolution.com
@@ -21,4 +24,3 @@ output {
    }
  }
 }
-{%- endif %}
--- a/salt/logstash/files/dynamic/9032_output_mcafee.conf
+++ b/salt/logstash/files/dynamic/9032_output_mcafee.conf
@@ -1,5 +1,8 @@
-{%- if grains['role'] != 'so-master' -%}
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
 {%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
 # Author: Justin Henderson
 #         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
 # Email: justin@hasecuritysolution.com
@@ -21,4 +24,3 @@ output {
    }
  }
 }
-{%- endif %}
--- a/salt/logstash/files/dynamic/9033_output_snort.conf
+++ b/salt/logstash/files/dynamic/9033_output_snort.conf
@@ -1,5 +1,8 @@
-{%- if grains['role'] != 'so-master' -%}
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
 {%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
 # Author: Justin Henderson
 #         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
 # Email: justin@hasecuritysolution.com
@@ -24,4 +27,3 @@ output {
    }
  }
 }
-{%- endif %}
--- a/salt/logstash/files/dynamic/9034_output_syslog.conf
+++ b/salt/logstash/files/dynamic/9034_output_syslog.conf
@@ -1,5 +1,8 @@
-{%- if grains['role'] != 'so-master' -%}
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
 {%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
 # Author: Justin Henderson
 #         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
 # Updated by: Doug Burks
@@ -23,4 +26,3 @@ output {
    }
  }
 }
-{%- endif %}
--- a/salt/logstash/files/dynamic/9200_output_firewall.conf
+++ b/salt/logstash/files/dynamic/9200_output_firewall.conf
@@ -1,5 +1,8 @@
-{%- if grains['role'] != 'so-master' -%}
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
 {%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
 # Author: Justin Henderson
 #         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
 # Email: justin@hasecuritysolution.com
@@ -24,4 +27,3 @@ output {
    }
  }
 }
-{%- endif %}
--- a/salt/logstash/files/dynamic/9300_output_windows.conf
+++ b/salt/logstash/files/dynamic/9300_output_windows.conf
@@ -1,5 +1,8 @@
-{%- if grains['role'] != 'so-master' -%}
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
 {%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
 # Author: Justin Henderson
 #         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
 # Email: justin@hasecuritysolution.com
@@ -22,4 +25,3 @@ output {
    }
  }
 }
-{%- endif %}
--- a/salt/logstash/files/dynamic/9301_output_dns_windows.conf
+++ b/salt/logstash/files/dynamic/9301_output_dns_windows.conf
@@ -1,5 +1,8 @@
-{%- if grains['role'] != 'so-master' -%}
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
 {%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
 # Author: Justin Henderson
 #         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
 # Email: justin@hasecuritysolution.com
@@ -22,4 +25,3 @@ output {
    }
  }
 }
-{%- endif %}
--- a/salt/logstash/files/dynamic/9400_output_suricata.conf
+++ b/salt/logstash/files/dynamic/9400_output_suricata.conf
@@ -1,5 +1,8 @@
-{%- if grains['role'] != 'so-master' -%}
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
 {%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
 # Author: Justin Henderson
 #         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
 # Email: justin@hasecuritysolution.com
@@ -22,4 +25,3 @@ output {
    }
  }
 }
-{%- endif %}
--- a/salt/logstash/files/dynamic/9500_output_beats.conf
+++ b/salt/logstash/files/dynamic/9500_output_beats.conf
@@ -1,5 +1,8 @@
-{%- if grains['role'] != 'so-master' -%}
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
 {%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
 # Author: Wes Lambert
 # Last Update: 09/14/2018
 filter {
@@ -20,4 +23,3 @@ output {
    }
  }
 }
-{%- endif %}
--- a/salt/logstash/files/dynamic/9600_output_ossec.conf
+++ b/salt/logstash/files/dynamic/9600_output_ossec.conf
@@ -1,5 +1,8 @@
-{%- if grains['role'] != 'so-master' -%}
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
 {%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
 # Author: Justin Henderson
 #         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
 # Updated by: Doug Burks
@@ -24,4 +27,3 @@ output {
    }
  }
 }
-{%- endif %}
--- a/salt/logstash/files/dynamic/9998_output_test_data.conf
+++ b/salt/logstash/files/dynamic/9998_output_test_data.conf
@@ -1,5 +1,8 @@
-{%- if grains['role'] != 'so-master' -%}
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
 {%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
 # Author: Justin Henderson
 #         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
 # Email: justin@hasecuritysolution.com
@@ -21,4 +24,3 @@ output {
    }
  }
 }
-{%- endif %}
--- a/salt/logstash/init.sls
+++ b/salt/logstash/init.sls
@@ -32,6 +32,14 @@
 {% set dstats = salt['pillar.get']('master:domainstats', '0') %}
 {% set nodetype = salt['grains.get']('role', '')  %}

+{% elif grains['role'] == 'so-eval' %}
+
+{% set lsheap = salt['pillar.get']('master:lsheap', '') %}
+{% set lsaccessip = salt['pillar.get']('master:lsaccessip', '') %}
+{% set freq = salt['pillar.get']('master:freq', '0') %}
+{% set dstats = salt['pillar.get']('master:domainstats', '0') %}
+{% set nodetype = salt['grains.get']('role', '')  %}
+
 {% endif %}

 # Create the logstash group
@@ -133,3 +141,7 @@ so-logstash:
      - /etc/pki/filebeat.crt:/usr/share/logstash/filebeat.crt:ro
      - /etc/pki/filebeat.p8:/usr/share/logstash/filebeat.key:ro
      - /etc/pki/ca.crt:/usr/share/filebeat/ca.crt:ro
+      {%- if grains['role'] == 'so-eval' %}
+      - /nsm/bro:/nsm/bro:ro
+      - /opt/so/log/suricata:/suricata:ro
+      {%- endif %}
--- a/salt/master/files/acng/acng.conf
+++ b/salt/master/files/acng/acng.conf
@@ -19,11 +19,12 @@ Remap-yarn:   registry.yarnpkg.com
 Remap-npm:    registry.npmjs.org
 Remap-node:   nodejs.org
 Remap-apache: file:apache_mirrors ; file:backends_apache.us
+Remap-salt:   repo.saltstack.com; https://repo.saltstack.com
 # Remap-secdeb: security.debian.org
 ReportPage: acng-report.html
 # SocketPath:/var/run/apt-cacher-ng/socket
 UnbufferLogs: 1
-VerboseLog: 2
+VerboseLog: 1
 ForeGround: 1
 # PidFile: /var/run/apt-cacher-ng/pid
 # Offlinemode: 0
@@ -78,7 +79,7 @@ RedirMax: 6
 VfileUseRangeOps: 0
 # PassThroughPattern: private-ppa\.launchpad\.net:443$
 # PassThroughPattern: .* # this would allow CONNECT to everything
-PassThroughPattern: (download\.docker\.com:443|repo\.saltstack\.com:443|yum\.dockerproject\.org:443|download\.docker\.com:443|registry\.npmjs\.org:443|registry\.yarnpkg\.com:443)$ # yarn/npm pkg, cant to http :/
+PassThroughPattern: (download\.docker\.com:443|mirrors\.fedoraproject\.org:443|repo\.saltstack\.com:443|yum\.dockerproject\.org:443|download\.docker\.com:443|registry\.npmjs\.org:443|registry\.yarnpkg\.com:443)$ # yarn/npm pkg, cant to http :/
 # ResponseFreezeDetectTime: 500
 # ReuseConnections: 1
 # PipelineDepth: 255
@@ -87,4 +88,4 @@ PassThroughPattern: (download\.docker\.com:443|repo\.saltstack\.com:443|yum\.doc
 # OptProxyTimeout: -1
 # MaxDlSpeed: 500
 # MaxInresponsiveDlSize: 64000
-# BadRedirDetectMime: text/html
+# BadRedirDetectMime: text/html
--- a/salt/master/init.sls
+++ b/salt/master/init.sls
@@ -46,17 +46,17 @@ acngcopyconf:
    - name: /opt/so/conf/aptcacher-ng/etc/acng.conf
    - source: salt://master/files/acng/acng.conf

-# Install the apt-cacher-ng container - TODO Create a so-docker for it
+# Install the apt-cacher-ng container
 so-aptcacherng:
  docker_container.running:
-    - image: deployable/acng:latest-us
-    - hostname: so-aptcacherng
+    - image: toosmooth/so-acng:techpreview
+    - hostname: so-acng
    - port_bindings:
      - 0.0.0.0:3142:3142
    - binds:
      - /opt/so/conf/aptcacher-ng/cache:/var/cache/apt-cacher-ng:rw
-      - /opt/so/conf/aptcacher-ng/etc/acng.conf:/etc/apr-cacher-ng/acng.conf:ro
      - /opt/so/log/aptcacher-ng:/var/log/apt-cacher-ng:rw
+      - /opt/so/conf/aptcacher-ng/etc/acng.conf:/etc/apt-cacher-ng/acng.conf:ro


 # Create the config directory for the docker registry
--- a/salt/ssl/init.sls
+++ b/salt/ssl/init.sls
@@ -16,7 +16,8 @@ m2cryptopkgs:
      - python-m2crypto
 {% endif %}

-{% if grains['role'] == 'so-master' %}
+{% if grains['role'] == 'so-master' or grains['role'] == 'so-eval' %}
+
 # Request a cert and drop it where it needs to go to be distributed
 /etc/pki/filebeat.crt:
  x509.certificate_managed:
@@ -78,7 +79,7 @@ fbcrtlink:
        backup: True

 {% endif %}
-{% if grains['role'] == 'so-SENSOR' %}
+{% if grains['role'] == 'so-SENSOR' or grains['role'] == 'so-eval' %}

 fbcertdir:
  file.directory:
--- a/salt/suricata/files/suricata.yaml
+++ b/salt/suricata/files/suricata.yaml
@@ -1,6 +1,6 @@
 %YAML 1.1
 ---
-{%- set interface = salt['pillar.get']('sensor:interface', '') %}
+{%- set interface = salt['pillar.get']('sensor:interface', 'bond0') %}
 {%- if salt['pillar.get']('sensor:homenet') %}
  {%- set homenet = salt['pillar.get']('sensor:hnsensor', '') %}
 {%- else %}
--- a/salt/top.sls
+++ b/salt/top.sls
@@ -8,11 +8,22 @@ base:
    - bro
    - filebeat

-  'G@role:eval':
+  'G@role:so-eval':
+    - ca
+    - ssl
    - common
-    - sensor
+    - firewall
    - master
-    - eval
+    - idstools
+    - redis
+    - elasticsearch
+    - logstash
+    - kibana
+    - pcap
+    - suricata
+    - bro
+    - utility
+

  'G@role:so-master':
    - ca
--- a/salt/utility/bin/eval.sh
+++ b/salt/utility/bin/eval.sh
@@ -0,0 +1,30 @@
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- set MASTER = grains['master'] %}
+# Wait for ElasticSearch to come up, so that we can query for version infromation
+echo -n "Waiting for ElasticSearch..."
+COUNT=0
+ELASTICSEARCH_CONNECTED="no"
+while [[ "$COUNT" -le 30 ]]; do
+  curl --output /dev/null --silent --head --fail http://{{ ES }}:9200
+  if [ $? -eq 0 ]; then
+    ELASTICSEARCH_CONNECTED="yes"
+    echo "connected!"
+    break
+  else
+    ((COUNT+=1))
+    sleep 1
+    echo -n "."
+  fi
+done
+if [ "$ELASTICSEARCH_CONNECTED" == "no" ]; then
+  echo
+  echo -e "Connection attempt timed out.  Unable to connect to ElasticSearch.  \nPlease try: \n  -checking log(s) in /var/log/elasticsearch/\n  -running 'sudo docker ps' \n  -running 'sudo so-elastic-restart'"
+  echo
+
+  exit
+fi
+
+echo "Applying cross cluster search config..."
+    curl -s -XPUT http://{{ ES }}:9200/_cluster/settings \
+         -H 'Content-Type: application/json' \
+         -d "{\"persistent\": {\"search\": {\"remote\": {\"{{ MASTER }}\": {\"seeds\": [\"127.0.0.1:9300\"]}}}}}"
--- a/salt/utility/init.sls
+++ b/salt/utility/init.sls
@@ -11,3 +11,11 @@ crossclusterson:

 {% endif %}
 {% endif %}
+{% if grains['role'] == 'so-eval' %}
+fixsearch:
+  cmd.script:
+    - shell: /bin/bash
+    - runas: socore
+    - source: salt://utility/bin/eval.sh
+    - template: jinja
+{% endif %}
--- a/so-setup-network.sh
+++ b/so-setup-network.sh
@@ -30,12 +30,13 @@ accept_salt_key_local() {

  # Accept the key locally on the master
  salt-key -ya $HOSTNAME
+
 }

 accept_salt_key_remote() {

  # Accept the key remotely so the device can check in
-  ssh -i ~/.ssh/so.key socore@$MSRV sudo salt-key -a $HOSTNAME -y
+  ssh -v -i /root/.ssh/so.key socore@$MSRV sudo salt-key -a $HOSTNAME -y

 }

@@ -102,7 +103,7 @@ configure_minion() {
  echo "Configuring minion type as $TYPE"
  touch /etc/salt/grains
  echo "role: so-$TYPE" > /etc/salt/grains
-  if [ $TYPE == 'master' ]; then
+  if [ $TYPE == 'master' ] || [ $TYPE == 'eval' ]; then
    echo "master: $HOSTNAME" > /etc/salt/minion
    echo "id: $HOSTNAME" >> /etc/salt/minion
  else
@@ -131,18 +132,18 @@ copy_minion_pillar() {

  # Copy over the pillar
  echo "Copying the pillar over"
-  scp -i ~/.ssh/so.key $TMP/$HOSTNAME.sls socore@$MSRV:/opt/so/saltstack/pillar/$TYPE/$HOSTNAME.sls
+  scp -v -i /root/.ssh/so.key $TMP/$HOSTNAME.sls socore@$MSRV:/opt/so/saltstack/pillar/$TYPE/$HOSTNAME.sls

  }

 copy_ssh_key() {

  # Generate SSH key
-  mkdir -p ~/.ssh
-  cat /dev/zero | ssh-keygen -f ~/.ssh/so.key -t rsa -q -N ""
-  chown -R $SUDO_USER:$SUDO_USER ~/.ssh
+  mkdir -p /root/.ssh
+  cat /dev/zero | ssh-keygen -f /root/.ssh/so.key -t rsa -q -N ""
+  chown -R $SUDO_USER:$SUDO_USER /root/.ssh
  #Copy the key over to the master
-  ssh-copy-id -f -i ~/.ssh/so.key socore@$MSRV
+  ssh-copy-id -f -i /root/.ssh/so.key socore@$MSRV

 }

@@ -161,12 +162,13 @@ create_bond() {
    echo "BONDING_MASTER=yes" >> /etc/sysconfig/network-scripts/ifcfg-bond0
    echo "BOOTPROTO=none" >> /etc/sysconfig/network-scripts/ifcfg-bond0
    echo "BONDING_OPTS=\"mode=0\"" >> /etc/sysconfig/network-scripts/ifcfg-bond0
+    echo "ONBOOT=yes"

    # Create Bond configs for the selected monitor interface
    for BNIC in ${BNICS[@]}; do
      BONDNIC="${BNIC%\"}"
      BONDNIC="${BONDNIC#\"}"
-      sed -i 's/ONBOOT=\"no\"/ONBOOT=\"yes\"/g' /etc/sysconfig/network-scripts/ifcfg-$BONDNIC
+      sed -i 's/ONBOOT=no/ONBOOT=yes/g' /etc/sysconfig/network-scripts/ifcfg-$BONDNIC
      echo "MASTER=bond0" >> /etc/sysconfig/network-scripts/ifcfg-$BONDNIC
      echo "SLAVE=yes" >> /etc/sysconfig/network-scripts/ifcfg-$BONDNIC
    done
@@ -334,6 +336,7 @@ install_cleanup() {
  rm -rf ./installtmp

 }
+
 install_prep() {

  # Create a tmp space that isn't in /tmp
@@ -346,7 +349,13 @@ install_master() {

  # Install the salt master package
  if [ $OS == 'centos' ]; then
-    yum -y install salt-master
+    yum -y install salt-master wget
+
+    # Create a place for the keys for Ubuntu minions
+    mkdir -p /opt/so/gpg
+    wget --inet4-only -O /opt/so/gpg/SALTSTACK-GPG-KEY.pub https://repo.saltstack.com/apt/ubuntu/16.04/amd64/latest/SALTSTACK-GPG-KEY.pub
+    wget --inet4-only -O /opt/so/gpg/docker.pub https://download.docker.com/linux/ubuntu/gpg
+
  else
    apt-get install -y salt-master
  fi
@@ -373,13 +382,11 @@ master_pillar() {
  touch /opt/so/saltstack/pillar/masters/$HOSTNAME.sls
  echo "master:" > /opt/so/saltstack/pillar/masters/$HOSTNAME.sls
  echo "  mainip: $MAINIP" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls
-  echo "  esaccessip: 127.0.0.1" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls
  echo "  esheap: $ES_HEAP_SIZE" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls
  echo "  esclustername: {{ grains.host }}" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls
  if [ $INSTALLTYPE == 'EVALMODE' ]; then
    echo "  freq: 1" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls
    echo "  domainstats: 1" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls
-    echo "  ls_pipeline_workers: $CPUCORES" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls
    echo "  ls_pipeline_batch_size: 125" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls
    echo "  ls_input_threads: 1" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls
    echo "  ls_batch_count: 125" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls
@@ -393,8 +400,8 @@ master_pillar() {
  echo "  ls_pipeline_workers: $CPUCORES" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls
  echo "  nids_rules: $RULESETUP" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls
  echo "  oinkcode: $OINKCODE" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls
-  echo "  access_key: $ACCESS_KEY" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls
-  echo "  access_secret: $ACCESS_SECRET" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls
+  #echo "  access_key: $ACCESS_KEY" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls
+  #echo "  access_secret: $ACCESS_SECRET" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls

  }

@@ -425,17 +432,16 @@ minio_generate_keys() {
  ACCESS_SECRET=$(cat /dev/urandom | tr -cd "$charSet" | tr -d \' | tr -d \" | head -c 40)

 }
+
 node_pillar() {

  # Create the node pillar
  touch $TMP/$HOSTNAME.sls
  echo "node:" > $TMP/$HOSTNAME.sls
  echo "  mainip: $MAINIP" >> $TMP/$HOSTNAME.sls
-  echo "  esaccessip: 127.0.0.1" >> $TMP/$HOSTNAME.sls
  echo "  esheap: $NODE_ES_HEAP_SIZE" >> $TMP/$HOSTNAME.sls
  echo "  esclustername: {{ grains.host }}" >> $TMP/$HOSTNAME.sls
  echo "  lsheap: $NODE_LS_HEAP_SIZE" >> $TMP/$HOSTNAME.sls
-  echo "  lsaccessip: 127.0.0.1" >> $TMP/$HOSTNAME.sls
  echo "  ls_pipeline_workers: $LSPIPELINEWORKERS" >> $TMP/$HOSTNAME.sls
  echo "  ls_pipeline_batch_size: $LSPIPELINEBATCH" >> $TMP/$HOSTNAME.sls
  echo "  ls_input_threads: $LSINPUTTHREADS" >> $TMP/$HOSTNAME.sls
@@ -457,9 +463,48 @@ saltify() {
    else

      if [ $MASTERUPDATES == 'MASTER' ]; then
-        yum -y install wget
-        export http_proxy=http://$MSRV:3142; wget -O $TMP/salt-repo-latest-2.el7.noarch.rpm http://repo.saltstack.com/yum/redhat/salt-repo-latest-2.el7.noarch.rpm
-        yum -y install $TMP/salt-repo-latest-2.el7.noarch.rpm
+
+        # Create the GPG Public Key for the Salt Repo
+        echo "-----BEGIN PGP PUBLIC KEY BLOCK-----" > /etc/pki/rpm-gpg/saltstack-signing-key
+        echo "Version: GnuPG v2.0.22 (GNU/Linux)" >> /etc/pki/rpm-gpg/saltstack-signing-key
+        echo "" >> /etc/pki/rpm-gpg/saltstack-signing-key
+        echo "mQENBFOpvpgBCADkP656H41i8fpplEEB8IeLhugyC2rTEwwSclb8tQNYtUiGdna9" >> /etc/pki/rpm-gpg/saltstack-signing-key
+        echo "m38kb0OS2DDrEdtdQb2hWCnswxaAkUunb2qq18vd3dBvlnI+C4/xu5ksZZkRj+fW" >> /etc/pki/rpm-gpg/saltstack-signing-key
+        echo "tArNR18V+2jkwcG26m8AxIrT+m4M6/bgnSfHTBtT5adNfVcTHqiT1JtCbQcXmwVw" >> /etc/pki/rpm-gpg/saltstack-signing-key
+        echo "WbqS6v/LhcsBE//SHne4uBCK/GHxZHhQ5jz5h+3vWeV4gvxS3Xu6v1IlIpLDwUts" >> /etc/pki/rpm-gpg/saltstack-signing-key
+        echo "kT1DumfynYnnZmWTGc6SYyIFXTPJLtnoWDb9OBdWgZxXfHEcBsKGha+bXO+m2tHA" >> /etc/pki/rpm-gpg/saltstack-signing-key
+        echo "gNneN9i5f8oNxo5njrL8jkCckOpNpng18BKXABEBAAG0MlNhbHRTdGFjayBQYWNr" >> /etc/pki/rpm-gpg/saltstack-signing-key
+        echo "YWdpbmcgVGVhbSA8cGFja2FnaW5nQHNhbHRzdGFjay5jb20+iQE4BBMBAgAiBQJT" >> /etc/pki/rpm-gpg/saltstack-signing-key
+        echo "qb6YAhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRAOCKFJ3le/vhkqB/0Q" >> /etc/pki/rpm-gpg/saltstack-signing-key
+        echo "WzELZf4d87WApzolLG+zpsJKtt/ueXL1W1KA7JILhXB1uyvVORt8uA9FjmE083o1" >> /etc/pki/rpm-gpg/saltstack-signing-key
+        echo "yE66wCya7V8hjNn2lkLXboOUd1UTErlRg1GYbIt++VPscTxHxwpjDGxDB1/fiX2o" >> /etc/pki/rpm-gpg/saltstack-signing-key
+        echo "nK5SEpuj4IeIPJVE/uLNAwZyfX8DArLVJ5h8lknwiHlQLGlnOu9ulEAejwAKt9CU" >> /etc/pki/rpm-gpg/saltstack-signing-key
+        echo "4oYTszYM4xrbtjB/fR+mPnYh2fBoQO4d/NQiejIEyd9IEEMd/03AJQBuMux62tjA" >> /etc/pki/rpm-gpg/saltstack-signing-key
+        echo "/NwvQ9eqNgLw9NisFNHRWtP4jhAOsshv1WW+zPzu3ozoO+lLHixUIz7fqRk38q8Q" >> /etc/pki/rpm-gpg/saltstack-signing-key
+        echo "9oNR31KvrkSNrFbA3D89uQENBFOpvpgBCADJ79iH10AfAfpTBEQwa6vzUI3Eltqb" >> /etc/pki/rpm-gpg/saltstack-signing-key
+        echo "9aZ0xbZV8V/8pnuU7rqM7Z+nJgldibFk4gFG2bHCG1C5aEH/FmcOMvTKDhJSFQUx" >> /etc/pki/rpm-gpg/saltstack-signing-key
+        echo "uhgxttMArXm2c22OSy1hpsnVG68G32Nag/QFEJ++3hNnbyGZpHnPiYgej3FrerQJ" >> /etc/pki/rpm-gpg/saltstack-signing-key
+        echo "zv456wIsxRDMvJ1NZQB3twoCqwapC6FJE2hukSdWB5yCYpWlZJXBKzlYz/gwD/Fr" >> /etc/pki/rpm-gpg/saltstack-signing-key
+        echo "GL578WrLhKw3UvnJmlpqQaDKwmV2s7MsoZogC6wkHE92kGPG2GmoRD3ALjmCvN1E" >> /etc/pki/rpm-gpg/saltstack-signing-key
+        echo "PsIsQGnwpcXsRpYVCoW7e2nW4wUf7IkFZ94yOCmUq6WreWI4NggRcFC5ABEBAAGJ" >> /etc/pki/rpm-gpg/saltstack-signing-key
+        echo "AR8EGAECAAkFAlOpvpgCGwwACgkQDgihSd5Xv74/NggA08kEdBkiWWwJZUZEy7cK" >> /etc/pki/rpm-gpg/saltstack-signing-key
+        echo "WWcgjnRuOHd4rPeT+vQbOWGu6x4bxuVf9aTiYkf7ZjVF2lPn97EXOEGFWPZeZbH4" >> /etc/pki/rpm-gpg/saltstack-signing-key
+        echo "vdRFH9jMtP+rrLt6+3c9j0M8SIJYwBL1+CNpEC/BuHj/Ra/cmnG5ZNhYebm76h5f" >> /etc/pki/rpm-gpg/saltstack-signing-key
+        echo "T9iPW9fFww36FzFka4VPlvA4oB7ebBtquFg3sdQNU/MmTVV4jPFWXxh4oRDDR+8N" >> /etc/pki/rpm-gpg/saltstack-signing-key
+        echo "1bcPnbB11b5ary99F/mqr7RgQ+YFF0uKRE3SKa7a+6cIuHEZ7Za+zhPaQlzAOZlx" >> /etc/pki/rpm-gpg/saltstack-signing-key
+        echo "fuBmScum8uQTrEF5+Um5zkwC7EXTdH1co/+/V/fpOtxIg4XO4kcugZefVm5ERfVS" >> /etc/pki/rpm-gpg/saltstack-signing-key
+        echo "MA==" >> /etc/pki/rpm-gpg/saltstack-signing-key
+        echo "=dtMN" >> /etc/pki/rpm-gpg/saltstack-signing-key
+        echo "-----END PGP PUBLIC KEY BLOCK-----" >> /etc/pki/rpm-gpg/saltstack-signing-key
+
+        # Proxy is hating on me.. Lets just set it manually
+        echo "[salt-latest]" > /etc/yum.repos.d/salt-latest.repo
+        echo "name=SaltStack Latest Release Channel for RHEL/Centos \$releasever" >> /etc/yum.repos.d/salt-latest.repo
+        echo "baseurl=https://repo.saltstack.com/yum/redhat/7/\$basearch/latest" >> /etc/yum.repos.d/salt-latest.repo
+        echo "failovermethod=priority" >> /etc/yum.repos.d/salt-latest.repo
+        echo "enabled=1" >> /etc/yum.repos.d/salt-latest.repo
+        echo "gpgcheck=1" >> /etc/yum.repos.d/salt-latest.repo
+        echo "gpgkey=file:///etc/pki/rpm-gpg/saltstack-signing-key" >> /etc/yum.repos.d/salt-latest.repo
      else
        yum -y install https://repo.saltstack.com/yum/redhat/salt-repo-latest-2.el7.noarch.rpm
      fi
@@ -468,10 +513,12 @@ saltify() {
    yum clean expire-cache
    yum -y install salt-minion yum-utils device-mapper-persistent-data lvm2 openssl
    yum -y update
+    systemctl enable salt-minion

    # Nasty hack but required for now
    if [ $INSTALLTYPE == 'MASTERONLY' ] || [ $INSTALLTYPE == 'EVALMODE' ]; then
      yum -y install salt-master python-m2crypto salt-minion m2crypto
+      systemctl enable salt-master
    else
      yum -y install salt-minion python-m2m2crypto m2crypto
    fi
@@ -525,7 +572,7 @@ saltify() {

 salt_checkin() {
  # Master State to Fix Mine Usage
-  if [ $INSTALLTYPE == 'MASTERONLY' ]; then
+  if [ $INSTALLTYPE == 'MASTERONLY' ] || [ $INSTALLTYPE == 'EVALMODE' ]; then
  salt-call state.apply ca >>~/sosetup.log 2>&1
  # salt-call state.apply ssl >>~/sosetup.log 2>&1
  # salt-call state.apply common >>~/sosetup.log 2>&1
@@ -615,7 +662,7 @@ sensor_pillar() {
  echo "  pcapbpf:" >> $TMP/$HOSTNAME.sls
  echo "  nidsbpf:" >> $TMP/$HOSTNAME.sls
  echo "  master: $MSRV" >> $TMP/$HOSTNAME.sls
-  if [ $HNSENSOR != 'inherit']; then
+  if [ $HNSENSOR != 'inherit' ]; then
  echo "  hnsensor: $HNSENSOR" >> $TMP/$HOSTNAME.sls
  fi
  echo "  access_key: $ACCESS_KEY" >> $TMP/$HOSTNAME.sls
@@ -629,19 +676,24 @@ set_initial_firewall_policy() {
  if [ $INSTALLTYPE == 'MASTERONLY' ]; then
    printf "  - $MAINIP\n" >> /opt/so/saltstack/pillar/firewall/minions.sls
    printf "  - $MAINIP\n" >> /opt/so/saltstack/pillar/firewall/masterfw.sls
-
-
  fi
+
+  if [ $INSTALLTYPE == 'EVALMODE' ]; then
+    printf "  - $MAINIP\n" >> /opt/so/saltstack/pillar/firewall/minions.sls
+    printf "  - $MAINIP\n" >> /opt/so/saltstack/pillar/firewall/masterfw.sls
+    printf "  - $MAINIP\n" >> /opt/so/saltstack/pillar/firewall/forward_nodes.sls
+    printf "  - $MAINIP\n" >> /opt/so/saltstack/pillar/firewall/storage_nodes.sls
+  fi
+
  if [ $INSTALLTYPE == 'SENSORONLY' ]; then
-
-    ssh -i ~/.ssh/so.key socore@$MSRV sudo /opt/so/saltstack/pillar/firewall/addfirewall.sh minions $MAINIP
-    ssh -i ~/.ssh/so.key socore@$MSRV sudo /opt/so/saltstack/pillar/firewall/addfirewall.sh forward_nodes $MAINIP
-
+    ssh -v -i /root/.ssh/so.key socore@$MSRV sudo /opt/so/saltstack/pillar/firewall/addfirewall.sh minions $MAINIP
+    ssh -v -i /root/.ssh/so.key socore@$MSRV sudo /opt/so/saltstack/pillar/firewall/addfirewall.sh forward_nodes $MAINIP
  fi
+
  if [ $INSTALLTYPE == 'STORAGENODE' ]; then
-    ssh -i ~/.ssh/so.key socore@$MSRV sudo /opt/so/saltstack/pillar/firewall/addfirewall.sh minions $MAINIP
-    ssh -i ~/.ssh/so.key socore@$MSRV sudo /opt/so/saltstack/pillar/firewall/addfirewall.sh storage_nodes $MAINIP
-    ssh -i ~/.ssh/so.key socore@$MSRV sudo /opt/so/saltstack/pillar/data/addtotab.sh nodestab $HOSTNAME $MAINIP
+    ssh -v -i /root/.ssh/so.key socore@$MSRV sudo /opt/so/saltstack/pillar/firewall/addfirewall.sh minions $MAINIP
+    ssh -v -i /root/.ssh/so.key socore@$MSRV sudo /opt/so/saltstack/pillar/firewall/addfirewall.sh storage_nodes $MAINIP
+    ssh -v -i /root/.ssh/so.key socore@$MSRV sudo /opt/so/saltstack/pillar/data/addtotab.sh nodestab $HOSTNAME $MAINIP
  fi

  if [ $INSTALLTYPE == 'PARSINGNODE' ]; then
@@ -661,7 +713,7 @@ set_initial_firewall_policy() {
 set_node_type() {

  # Determine the node type based on whiplash choice
-  if [ $INSTALLTYPE == 'STORAGENODE' ]; then
+  if [ $INSTALLTYPE == 'STORAGENODE' ] || [ $INSTALLTYPE == 'EVALMODE' ]; then
    NODETYPE='storage'
  fi
  if [ $INSTALLTYPE == 'PARSINGNODE' ]; then
@@ -739,7 +791,7 @@ whiptail_bro_pins() {

 whiptail_bro_version() {

-  BROVERSION=$(whiptail --title "Security Onion Setup" --radiolist "Which version of Bro would you like to use?" 20 78 4 "COMMUNITY" "Install Community Bro" ON "BRO" "Install Standard Bro" OFF 3>&1 1>&2 2>&3)
+  BROVERSION=$(whiptail --title "Security Onion Setup" --radiolist "Which version of Bro would you like to use?" 20 78 4 "COMMUNITY" "Install Community Bro" ON "ZEEK" "Install Zeek" OFF 3>&1 1>&2 2>&3)

  local exitstatus=$?
  whiptail_check_exitstatus $exitstatus
@@ -789,6 +841,9 @@ whiptail_homenet_master() {
  HNMASTER=$(whiptail --title "Security Onion Setup" --inputbox \
  "Enter your HOME_NET separated by ," 10 60 10.0.0.0/8,192.168.0.0/16,172.16.0.0/12 3>&1 1>&2 2>&3)

+  local exitstatus=$?
+  whiptail_check_exitstatus $exitstatus
+
 }

 whiptail_homenet_sensor() {
@@ -804,20 +859,20 @@ whiptail_homenet_sensor() {
    "Enter your HOME_NET separated by ," 10 60 10.0.0.0/8,192.168.0.0/16,172.16.0.0/12 3>&1 1>&2 2>&3)
  fi

-
 }
+
 whiptail_install_type() {

  # What kind of install are we doing?
  INSTALLTYPE=$(whiptail --title "Security Onion Setup" --radiolist \
  "Choose Install Type:" 20 78 8 \
  "SENSORONLY" "Create a forward only sensor" ON \
-  "MASTERONLY" "Start a new grid" OFF \
  "STORAGENODE" "Add a Storage Hot Node with parsing" OFF \
+  "MASTERONLY" "Start a new grid" OFF \
  "PARSINGNODE" "TODO Add a dedicated Parsing Node" OFF \
  "HOTNODE" "TODO Add a Hot Node (Storage Node without Parsing)" OFF \
-  "EVALMODE" "TODO Evaluate all the things" OFF \
-  "WARMNODE" "TODO Add a Warm Node to an existing Hot or Storage node" OFF 3>&1 1>&2 2>&3 )
+  "WARMNODE" "TODO Add a Warm Node to an existing Hot or Storage node" OFF \
+  "EVALMODE" "Evaluate all the things" OFF 3>&1 1>&2 2>&3 )

  local exitstatus=$?
  whiptail_check_exitstatus $exitstatus
@@ -867,7 +922,7 @@ whiptail_make_changes() {
 whiptail_management_server() {

  MSRV=$(whiptail --title "Security Onion Setup" --inputbox \
-  "Enter your Master Server HOSTNAME" 10 60 XXXX 3>&1 1>&2 2>&3)
+  "Enter your Master Server HOSTNAME. It is CASE SENSITIVE!" 10 60 XXXX 3>&1 1>&2 2>&3)

  # See if it resolves. Otherwise prompt to add to host file
  TESTHOST=$(host $MSRV)
@@ -898,6 +953,9 @@ whiptail_node_advanced() {
  "NODEBASIC" "Install Storage Node with recommended settings" ON \
  "NODEADVANCED" "Advanced Node Setup" OFF 3>&1 1>&2 2>&3 )

+  local exitstatus=$?
+  whiptail_check_exitstatus $exitstatus
+
 }

 whiptail_node_es_heap() {
@@ -906,6 +964,9 @@ whiptail_node_es_heap() {
  NODE_ES_HEAP_SIZE=$(whiptail --title "Security Onion Setup" --inputbox \
  "\nEnter ES Heap Size: \n \n(Recommended value is pre-populated)" 10 60 $ES_HEAP_SIZE 3>&1 1>&2 2>&3)

+  local exitstatus=$?
+  whiptail_check_exitstatus $exitstatus
+
 }

 whiptail_node_ls_heap() {
@@ -914,6 +975,9 @@ whiptail_node_ls_heap() {
  NODE_LS_HEAP_SIZE=$(whiptail --title "Security Onion Setup" --inputbox \
  "\nEnter LogStash Heap Size: \n \n(Recommended value is pre-populated)" 10 60 $LS_HEAP_SIZE 3>&1 1>&2 2>&3)

+  local exitstatus=$?
+  whiptail_check_exitstatus $exitstatus
+
 }

 whiptail_node_ls_pipeline_worker() {
@@ -921,6 +985,9 @@ whiptail_node_ls_pipeline_worker() {
  LSPIPELINEWORKERS=$(whiptail --title "Security Onion Setup" --inputbox \
  "\nEnter LogStash Pipeline Workers: \n \n(Recommended value is pre-populated)" 10 60 $CPUCORES 3>&1 1>&2 2>&3)

+  local exitstatus=$?
+  whiptail_check_exitstatus $exitstatus
+
 }

 whiptail_node_ls_pipline_batchsize() {
@@ -928,6 +995,9 @@ whiptail_node_ls_pipline_batchsize() {
  LSPIPELINEBATCH=$(whiptail --title "Security Onion Setup" --inputbox \
  "\nEnter LogStash Pipeline Batch Size: \n \n(Default value is pre-populated)" 10 60 125 3>&1 1>&2 2>&3)

+  local exitstatus=$?
+  whiptail_check_exitstatus $exitstatus
+
 }

 whiptail_node_ls_input_threads() {
@@ -935,6 +1005,9 @@ whiptail_node_ls_input_threads() {
  LSINPUTTHREADS=$(whiptail --title "Security Onion Setup" --inputbox \
    "\nEnter LogStash Input Threads: \n \n(Default value is pre-populated)" 10 60 1 3>&1 1>&2 2>&3)

+    local exitstatus=$?
+    whiptail_check_exitstatus $exitstatus
+
 }

 whiptail_node_ls_input_batch_count() {
@@ -942,6 +1015,9 @@ whiptail_node_ls_input_batch_count() {
  LSINPUTBATCHCOUNT=$(whiptail --title "Security Onion Setup" --inputbox \
  "\nEnter LogStash Input Batch Count: \n \n(Default value is pre-populated)" 10 60 125 3>&1 1>&2 2>&3)

+  local exitstatus=$?
+  whiptail_check_exitstatus $exitstatus
+
 }

 whiptail_rule_setup() {
@@ -984,6 +1060,9 @@ whiptail_shard_count() {
  SHARDCOUNT=$(whiptail --title "Security Onion Setup" --inputbox \
  "\nEnter ES Shard Count: \n \n(Default value is pre-populated)" 10 60 125 3>&1 1>&2 2>&3)

+  local exitstatus=$?
+  whiptail_check_exitstatus $exitstatus
+
 }

 whiptail_suricata_pins() {
@@ -1003,6 +1082,9 @@ whiptail_master_updates() {
  "MASTER" "Have the master node act as a proxy for OS/Docker updates." ON \
  "OPEN" "Have each node connect to the Internet for updates" OFF 3>&1 1>&2 2>&3 )

+  local exitstatus=$?
+  whiptail_check_exitstatus $exitstatus
+
 }

 whiptail_node_updates() {
@@ -1012,6 +1094,9 @@ whiptail_node_updates() {
  "MASTER" "Download OS/Docker updates from the Master." ON \
  "OPEN" "Download updates directly from the Internet" OFF 3>&1 1>&2 2>&3 )

+  local exitstatus=$?
+  whiptail_check_exitstatus $exitstatus
+
 }

 whiptail_you_sure() {
@@ -1019,6 +1104,7 @@ whiptail_you_sure() {
  whiptail --title "Security Onion Setup" --yesno "Are you sure you want to install Security Onion over the internet?" 8 78

 }
+
 ########################
 ##                    ##
 ##   End Functions    ##
@@ -1041,30 +1127,38 @@ if [ $OS == ubuntu ]; then
 fi

 # Question Time
-
 if (whiptail_you_sure); then

-  # Create a dir to get started
+  # Create a temp dir to get started
  install_prep

  # Let folks know they need their management interface already set up.
  whiptail_network_notice

-  # Go ahead and gen the keys so we can use them for any sensor type
+  # Go ahead and gen the keys so we can use them for any sensor type - Disabled for now
  #minio_generate_keys
+
  # What kind of install are we doing?
  whiptail_install_type

+  ####################
+  ##     Master     ##
+  ####################
+
  if [ $INSTALLTYPE == 'MASTERONLY' ]; then

    # Pick the Management NIC
    whiptail_management_nic
-    # Choose your bro
+
+    # Choose Zeek or Community Bro
    whiptail_bro_version
+
    # Select Snort or Suricata
    whiptail_nids
+
    # Snag the HOME_NET
    whiptail_homenet_master
+
    # Pick your Ruleset
    whiptail_rule_setup

@@ -1079,6 +1173,8 @@ if (whiptail_you_sure); then

    # Last Chance to back out
    whiptail_make_changes
+
+    # Figure out the main IP address
    get_main_ip

    # Add the user so we can sit back and relax
@@ -1091,39 +1187,64 @@ if (whiptail_you_sure); then
    echo " ** Installing Salt and Dependencies **"
    saltify >>~/sosetup.log 2>&1
    docker_install
+
    # Configure the Minion
    echo " ** Configuring Minion **"
    configure_minion master >>~/sosetup.log 2>&1
+
+    # Install the salt master
    echo " ** Installing Salt Master **"
    install_master >>~/sosetup.log 2>&1
+
    # Copy the data over
    salt_master_directories >>~/sosetup.log 2>&1

+    # Update sudoers file to allow keys and firewalls to be changed
    update_sudoers
+
+    # Change perms on the master dir
    chown_salt_master
+
+    # Determine the ES Heap Size
    es_heapsize
+
+    # Determine the Logstash Heap Size
    ls_heapsize
+
    # Set the static values
    master_static
+
    echo "** Generating the master pillar **"
    master_pillar
+
    # Do a checkin to push the key up
    echo "** Pushing the key up to Master **"
    salt_firstcheckin >>~/sosetup.log 2>&1
+
    # Accept the Master Key
    echo "** Accepting the key on the master **"
    accept_salt_key_local
+
+    # Open the firewall
    echo "** Setting the initial firewall policy **"
    set_initial_firewall_policy
+
    # Do the big checkin but first let them know it will take a bit.
    salt_checkin_message
    salt_checkin
+
+    # Enable salt to run a checking when the service starts
    checkin_at_boot

+    # We are done!
    whiptail_setup_complete

  fi

+  ####################
+  ##     Sensor     ##
+  ####################
+
  if [ $INSTALLTYPE == 'SENSORONLY' ]; then
    whiptail_management_nic
    filter_nics
@@ -1164,28 +1285,72 @@ if (whiptail_you_sure); then

  fi

+  #######################
+  ##     Eval Mode     ##
+  #######################
+
  if [ $INSTALLTYPE == 'EVALMODE' ]; then
+    # Select the management NIC
    whiptail_management_nic
+
+    # Filter out the management NIC
    filter_nics
+
+    # Select which NICs are in the bond
    whiptail_bond_nics
-    whiptail_management_server
-    whiptail_nids
-    whiptail_sensor_config
+
+    # Snag the HOME_NET
+    whiptail_homenet_master
+
+    # Set a bunch of stuff since this is eval
+    es_heapsize
+    ls_heapsize
+    NODE_ES_HEAP_SIZE=$ES_HEAP_SIZE
+    NODE_LS_HEAP_SIZE=$LS_HEAP_SIZE
+    LSPIPELINEWORKERS=1
+    LSPIPELINEBATCH=125
+    LSINPUTTHREADS=1
+    LSINPUTBATCHCOUNT=125
+    RULESETUP=ETOPEN
+    NSMSETUP=BASIC
+    NIDS=Suricata
+    BROVERSION=COMMUNITY
    whiptail_make_changes
-    configure_minion
-    copy_ssh_key
+    get_main_ip
+    # Add the user so we can sit back and relax
+    echo ""
+    echo "**** Please set a password for socore. You will use this password when setting up other Nodes/Sensors"
+    echo ""
+    add_socore_user_master
    create_bond
    saltify
    docker_install
-    configure_minion sensor
-    copy_minion_pillar sensors
+    install_master
+    # Copy the data over
+    salt_master_directories
+    update_sudoers
+    # Change perms on the master dir
+    chown_salt_master
+    # Set the static values
+    master_static
+    echo "** Generating the master pillar **"
+    master_pillar
+    configure_minion eval
+    set_node_type
+    node_pillar
+    set_initial_firewall_policy
    salt_firstcheckin
    accept_salt_key_local
    salt_checkin_message
    salt_checkin
    checkin_at_boot
+    whiptail_setup_complete
  fi

+  ###################
+  ##     Nodes     ##
+  ###################
+
  if [ $INSTALLTYPE == 'STORAGENODE' ] || [ $INSTALLTYPE == 'PARSINGNODE' ] || [ $INSTALLTYPE == 'HOTNODE' ] || [ $INSTALLTYPE == 'WARMNODE' ]; then
    whiptail_management_nic
    whiptail_management_server