update references of /opt/so/saltstack to /opt/so/saltstack/default. use var default_salt_dir where appropriate - https://github.com/Security-Onion-Solutions/securityonion-saltstack/issues/749

salt/common/tools/sbin/so-allow

@@ -17,6 +17,7 @@
 
 . /usr/sbin/so-common
 
+default_salt_dir=/opt/so/saltstack/default
 SKIP=0
 
 while getopts "abowi:" OPTION
@@ -80,10 +81,10 @@ if [ "$SKIP" -eq 0 ]; then
 fi
 
 echo "Adding $IP to the $FULLROLE role. This can take a few seconds"
-/opt/so/saltstack/pillar/firewall/addfirewall.sh $FULLROLE $IP
+$default_salt_dir/pillar/firewall/addfirewall.sh $FULLROLE $IP
 
 # Check if Wazuh enabled
-if grep -q -R "wazuh: 1" /opt/so/saltstack/pillar/*; then
+if grep -q -R "wazuh: 1" $default_salt_dir/pillar/*; then
     # If analyst, add to Wazuh AR whitelist
     if [ "$FULLROLE" == "analyst" ]; then
           WAZUH_MGR_CFG="/opt/so/wazuh/etc/ossec.conf"

salt/common/tools/sbin/so-bro-logs

@@ -1,11 +1,12 @@
 #!/bin/bash
+default_salt_dir=/opt/so/saltstack/default
 
 bro_logs_enabled() {
 
-  echo "brologs:" > /opt/so/saltstack/pillar/brologs.sls
-  echo "  enabled:" >> /opt/so/saltstack/pillar/brologs.sls
+  echo "brologs:" > $default_salt_dir/pillar/brologs.sls
+  echo "  enabled:" >> $default_salt_dir/pillar/brologs.sls
   for BLOG in ${BLOGS[@]}; do
-    echo "    - $BLOG" | tr -d '"' >> /opt/so/saltstack/pillar/brologs.sls
+    echo "    - $BLOG" | tr -d '"' >> $default_salt_dir/pillar/brologs.sls
   done
 
 }

salt/common/tools/sbin/so-elasticsearch-templates

@@ -15,12 +15,13 @@
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
+default_salt_dir=/opt/so/saltstack/default
 ELASTICSEARCH_HOST="{{ MASTERIP}}"
 ELASTICSEARCH_PORT=9200
 #ELASTICSEARCH_AUTH=""
 
 # Define a default directory to load pipelines from
-ELASTICSEARCH_TEMPLATES="/opt/so/saltstack/salt/logstash/pipelines/templates/so/"
+ELASTICSEARCH_TEMPLATES="$default_salt_dir/salt/logstash/pipelines/templates/so/"
 
 # Wait for ElasticSearch to initialize
 echo -n "Waiting for ElasticSearch..."

salt/common/tools/sbin/so-features-enable

@@ -15,10 +15,11 @@
 #    along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
 . /usr/sbin/so-common
+default_salt_dir=/opt/so/saltstack/default
 
-VERSION=$(grep soversion /opt/so/saltstack/pillar/static.sls | cut -d':' -f2|sed 's/ //g')
+VERSION=$(grep soversion $default_salt_dir/pillar/static.sls | cut -d':' -f2|sed 's/ //g')
 # Modify static.sls to enable Features
-sed -i 's/features: False/features: True/' /opt/so/saltstack/pillar/static.sls
+sed -i 's/features: False/features: True/' $default_salt_dir/pillar/static.sls
 SUFFIX="-features"
 TRUSTED_CONTAINERS=( \
   "so-elasticsearch:$VERSION$SUFFIX" \

salt/common/tools/sbin/so-helix-apikey

@@ -1,4 +1,7 @@
 #!/bin/bash
+
+default_salt_dir=/opt/so/saltstack/default
+
 got_root() {
 
   # Make sure you are root
@@ -10,13 +13,13 @@ got_root() {
 }
 
 got_root
-if [ ! -f /opt/so/saltstack/pillar/fireeye/init.sls ]; then
+if [ ! -f $default_salt_dir/pillar/fireeye/init.sls ]; then
   echo "This is nto configured for Helix Mode. Please re-install."
   exit
 else
   echo "Enter your Helix API Key: "
   read APIKEY
-  sed -i "s/^    api_key.*/    api_key: $APIKEY/g" /opt/so/saltstack/pillar/fireeye/init.sls
+  sed -i "s/^    api_key.*/    api_key: $APIKEY/g" $default_salt_dir/pillar/fireeye/init.sls
   docker stop so-logstash
   docker rm so-logstash
   echo "Restarting Logstash for updated key"

salt/deprecated-bro/files/local.bro

@@ -127,11 +127,11 @@
 @load policy/hassh
 
 # You can load your own intel into:
-# /opt/so/saltstack/bro/policy/intel/ on the master
+# $default_salt_dir/bro/policy/intel/ on the master
 @load intel
 
 # Load a custom Bro policy
-# /opt/so/saltstack/bro/policy/custom/ on the master
+# $default_salt_dir/bro/policy/custom/ on the master
 #@load custom/somebropolicy.bro
 
 # Write logs in JSON

salt/fleet/files/scripts/so-fleet-packages

@@ -2,6 +2,7 @@
 {% set MAIN_HOSTNAME = salt['grains.get']('host') %}
 {% set MAIN_IP = salt['pillar.get']('node:mainip') %}
 
+default_salt_dir=/opt/so/saltstack/default
 
 #so-fleet-packages $FleetHostname/IP 
 
@@ -26,8 +27,8 @@ docker run \
   --mount type=bind,source=/etc/ssl/certs/intca.crt,target=/var/launcher/launcher.crt \
   docker.io/soshybridhunter/so-fleet-launcher:HH1.1.0 "$esecret" "$1":8090
 
-cp /opt/so/conf/fleet/packages/launcher.* /opt/so/saltstack/salt/launcher/packages/
+cp /opt/so/conf/fleet/packages/launcher.* $default_salt_dir/salt/launcher/packages/
 
 #Update timestamp on packages webpage
 sed -i "s@.*Generated.*@Generated: $(date '+%m%d%Y')@g" /opt/so/conf/fleet/packages/index.html
-sed -i "s@.*Generated.*@Generated: $(date '+%m%d%Y')@g" /opt/so/saltstack/salt/fleet/files/dedicated-index.html
+sed -i "s@.*Generated.*@Generated: $(date '+%m%d%Y')@g" $default_salt_dir/salt/fleet/files/dedicated-index.html

salt/hive/thehive/scripts/cortex_init

@@ -7,6 +7,8 @@
 {%- set CORTEXORGUSER = salt['pillar.get']('static:cortexorguser', '') %}
 {%- set CORTEXORGUSERKEY = salt['pillar.get']('static:cortexorguserkey', '') %}
 
+default_salt_dir=/opt/so/saltstack/default
+
 cortex_init(){
     sleep 60
     CORTEX_IP="{{MASTERIP}}"
@@ -17,7 +19,7 @@ cortex_init(){
     CORTEX_ORG_DESC="{{CORTEXORGNAME}} organization created by Security Onion setup"
     CORTEX_ORG_USER="{{CORTEXORGUSER}}"
     CORTEX_ORG_USER_KEY="{{CORTEXORGUSERKEY}}"
-    SOCTOPUS_CONFIG="/opt/so/saltstack/salt/soctopus/files/SOCtopus.conf"
+    SOCTOPUS_CONFIG="$default_salt_dir/salt/soctopus/files/SOCtopus.conf"
 
 
     # Migrate DB

salt/hive/thehive/scripts/hive_init

@@ -4,13 +4,15 @@
 {%- set HIVEPASSWORD = salt['pillar.get']('static:hivepassword', '') %}
 {%- set HIVEKEY = salt['pillar.get']('static:hivekey', '') %}
 
+default_salt_dir=/opt/so/saltstack/default
+
 hive_init(){
     sleep 120
     HIVE_IP="{{MASTERIP}}"
     HIVE_USER="{{HIVEUSER}}"
     HIVE_PASSWORD="{{HIVEPASSWORD}}"
     HIVE_KEY="{{HIVEKEY}}"
-    SOCTOPUS_CONFIG="/opt/so/saltstack/salt/soctopus/files/SOCtopus.conf"
+    SOCTOPUS_CONFIG="$default_salt_dir/salt/soctopus/files/SOCtopus.conf"
 
     echo -n "Waiting for TheHive..."
     COUNT=0

salt/idstools/init.sls

@@ -60,7 +60,7 @@ synclocalnidsrules:
 
 ruleslink:
   file.symlink:
-    - name: /opt/so/saltstack/salt/suricata/rules
+    - name: /opt/so/saltstack/default/salt/suricata/rules
     - target: /opt/so/rules/nids
 
 so-idstools:

salt/master/files/add_minion.sh

@@ -1,10 +1,10 @@
 #!/usr/bin/env bash
 
 # This script adds pillar and schedule files securely
-
+default_salt_dir=/opt/so/saltstack/default
 MINION=$1
 
   echo "Adding $1" 
-  cp /tmp/$MINION/pillar/$MINION.sls /opt/so/saltstack/pillar/minions/
-  cp /tmp/$MINION/schedules/* /opt/so/saltstack/salt/patch/os/schedules/
+  cp /tmp/$MINION/pillar/$MINION.sls $default_salt_dir/pillar/minions/
+  cp /tmp/$MINION/schedules/* $default_salt_dir/salt/patch/os/schedules/
   rm -rf /tmp/$MINION

salt/nodered/files/nodered_load_flows

@@ -1,5 +1,6 @@
 {%- set ip = salt['pillar.get']('static:masterip', '') -%}
 #!/bin/bash
+default_salt_dir=/opt/so/saltstack/default
 
 echo "Waiting for connection"
 until $(curl --output /dev/null --silent --head http://{{ ip }}:1880); do
@@ -7,5 +8,5 @@ until $(curl --output /dev/null --silent --head http://{{ ip }}:1880); do
     sleep 1
 done
 echo "Loading flows..."
-curl -XPOST -v -H "Content-Type: application/json" -d @/opt/so/saltstack/salt/nodered/so_flows.json {{ ip }}:1880/flows
+curl -XPOST -v -H "Content-Type: application/json" -d @$default_salt_dir/salt/nodered/so_flows.json {{ ip }}:1880/flows
 echo "Done loading..."

salt/nodered/init.sls

@@ -36,7 +36,7 @@ nodered:
 
 noderedflows:
   file.recurse:
-    - name: /opt/so/saltstack/salt/nodered/
+    - name: /opt/so/saltstack/default/salt/nodered/
     - source: salt://nodered/files
     - user: 947
     - group: 939

salt/playbook/files/playbook_db_init.sh

@@ -1,5 +1,7 @@
 {%- set MYSQLPASS = salt['pillar.get']('secrets:mysql', None) -%}
 #!/bin/sh
 
-docker cp /opt/so/saltstack/salt/playbook/files/playbook_db_init.sql so-mysql:/tmp/playbook_db_init.sql
+default_salt_dir=/opt/so/saltstack/default
+
+docker cp $default_salt_dir/salt/playbook/files/playbook_db_init.sql so-mysql:/tmp/playbook_db_init.sql
 docker exec so-mysql /bin/bash -c "/usr/bin/mysql -b  -uroot -p{{MYSQLPASS}}  < /tmp/playbook_db_init.sql"

salt/reactor/fleet.sls

@@ -13,11 +13,12 @@ def run():
   ROLE = data['data']['role']
   ESECRET = data['data']['enroll-secret']
   MAINIP = data['data']['mainip']
-
-  STATICFILE = '/opt/so/saltstack/pillar/static.sls'
-  SECRETSFILE = '/opt/so/saltstack/pillar/secrets.sls'
+  default_salt_dir = /opt/so/saltstack/default
+  STATICFILE = default_salt_dir + '/pillar/static.sls'
+  SECRETSFILE = default_salt_dir + '/pillar/secrets.sls'
 
   if MINIONID.split('_')[-1] in ['master','eval','fleet','mastersearch']:
+    
     if ACTION == 'enablefleet':
       logging.info('so/fleet enablefleet reactor')
 
@@ -54,7 +55,7 @@ def run():
       PACKAGEVERSION += 1
 
       # Run Docker container that will build the packages
-      gen_packages = subprocess.run(["docker", "run","--rm", "--mount", "type=bind,source=/opt/so/saltstack/salt/fleet/packages,target=/output", \
+      gen_packages = subprocess.run(["docker", "run","--rm", "--mount", "type=bind,source=" + default_salt_dir + "/salt/fleet/packages,target=/output", \
          "--mount", "type=bind,source=/etc/ssl/certs/intca.crt,target=/var/launcher/launcher.crt", f"{ MASTER }:5000/soshybridhunter/so-fleet-launcher:HH1.3.0", \
          f"{ESECRET}", f"{HOSTNAME}:8090", f"{PACKAGEVERSION}.1.1"], stdout=subprocess.PIPE, encoding='ascii')  
       

salt/ssl/init.sls

@@ -84,17 +84,17 @@ chownilogstashfilebeatp8:
 # Create Symlinks to the keys so I can distribute it to all the things
 filebeatdir:
   file.directory:
-    - name: /opt/so/saltstack/salt/filebeat/files
+    - name: /opt/so/saltstack/default/salt/filebeat/files
     - mkdirs: True
 
 fbkeylink:
   file.symlink:
-    - name: /opt/so/saltstack/salt/filebeat/files/filebeat.p8
+    - name: /opt/so/saltstack/default/salt/filebeat/files/filebeat.p8
     - target: /etc/pki/filebeat.p8
 
 fbcrtlink:
   file.symlink:
-    - name: /opt/so/saltstack/salt/filebeat/files/filebeat.crt
+    - name: /opt/so/saltstack/default/salt/filebeat/files/filebeat.crt
     - target: /etc/pki/filebeat.crt
 
 # Create a cert for the docker registry

salt/wazuh/files/wazuh-manager-whitelist

@@ -1,5 +1,6 @@
 {%- set MASTERIP = salt['pillar.get']('static:masterip', '') %}
 #!/bin/bash
+default_salt_dir=/opt/so/saltstack/default
 
 # Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
 #
@@ -17,7 +18,7 @@
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
 # Check if Wazuh enabled
-if grep -q -R "wazuh: 1" /opt/so/saltstack/pillar/*; then
+if grep -q -R "wazuh: 1" $default_salt_dir/pillar/*; then
       WAZUH_MGR_CFG="/opt/so/wazuh/etc/ossec.conf"
       if ! grep -q "<white_list>{{ MASTERIP }}</white_list>" $WAZUH_MGR_CFG ; then
               DATE=`date`