update references of /opt/so/saltstack to /opt/so/saltstack/default. use var default_salt_dir where appropriate - https://github.com/Security-Onion-Solutions/securityonion-saltstack/issues/749

files/master

@@ -37,7 +37,7 @@ log_file: /opt/so/log/salt/master
 #
 file_roots:
   base:
-    - /opt/so/saltstack/salt
+    - /opt/so/saltstack/default/salt
 
 # The master_roots setting configures a master-only copy of the file_roots dictionary,
 # used by the state compiler.
@@ -53,7 +53,7 @@ file_roots:
 
 pillar_roots:
   base:
-    - /opt/so/saltstack/pillar
+    - /opt/so/saltstack/default/pillar
 
 peer:
   .*:

pillar/data/addtotab.sh

@@ -1,7 +1,7 @@
 #!/usr/bin/env bash
 
 # This script adds sensors/nodes/etc to the nodes tab
-
+default_salt_dir=/opt/so/saltstack/default
 TYPE=$1
 NAME=$2
 IPADDRESS=$3
@@ -15,7 +15,7 @@ MONINT=$9
 #HOTNAME=$11
 
 echo "Seeing if this host is already in here. If so delete it"
-if grep -q $NAME "/opt/so/saltstack/pillar/data/$TYPE.sls"; then
+if grep -q $NAME "$default_salt_dir/pillar/data/$TYPE.sls"; then
   echo "Node Already Present - Let's re-add it"
   awk -v blah="  $NAME:" 'BEGIN{ print_flag=1 }
 {
@@ -31,27 +31,27 @@ if grep -q $NAME "/opt/so/saltstack/pillar/data/$TYPE.sls"; then
     if ( print_flag == 1 )
         print $0
 
-} ' /opt/so/saltstack/pillar/data/$TYPE.sls > /opt/so/saltstack/pillar/data/tmp.$TYPE.sls
+} ' $default_salt_dir/pillar/data/$TYPE.sls > $default_salt_dir/pillar/data/tmp.$TYPE.sls
-mv /opt/so/saltstack/pillar/data/tmp.$TYPE.sls /opt/so/saltstack/pillar/data/$TYPE.sls
+mv $default_salt_dir/pillar/data/tmp.$TYPE.sls $default_salt_dir/pillar/data/$TYPE.sls
 echo "Deleted $NAME from the tab. Now adding it in again with updated info"
 fi
-echo "  $NAME:" >> /opt/so/saltstack/pillar/data/$TYPE.sls
+echo "  $NAME:" >> $default_salt_dir/pillar/data/$TYPE.sls
-echo "    ip: $IPADDRESS" >> /opt/so/saltstack/pillar/data/$TYPE.sls
+echo "    ip: $IPADDRESS" >> $default_salt_dir/pillar/data/$TYPE.sls
-echo "    manint: $MANINT" >> /opt/so/saltstack/pillar/data/$TYPE.sls
+echo "    manint: $MANINT" >> $default_salt_dir/pillar/data/$TYPE.sls
-echo "    totalcpus: $CPUS" >> /opt/so/saltstack/pillar/data/$TYPE.sls
+echo "    totalcpus: $CPUS" >> $default_salt_dir/pillar/data/$TYPE.sls
-echo "    guid: $GUID" >> /opt/so/saltstack/pillar/data/$TYPE.sls
+echo "    guid: $GUID" >> $default_salt_dir/pillar/data/$TYPE.sls
-echo "    rootfs: $ROOTFS" >> /opt/so/saltstack/pillar/data/$TYPE.sls
+echo "    rootfs: $ROOTFS" >> $default_salt_dir/pillar/data/$TYPE.sls
-echo "    nsmfs: $NSM" >> /opt/so/saltstack/pillar/data/$TYPE.sls
+echo "    nsmfs: $NSM" >> $default_salt_dir/pillar/data/$TYPE.sls
 if [ $TYPE == 'sensorstab' ]; then
-  echo "    monint: $MONINT" >> /opt/so/saltstack/pillar/data/$TYPE.sls
+  echo "    monint: $MONINT" >> $default_salt_dir/pillar/data/$TYPE.sls
   salt-call state.apply common queue=True
 fi
 if [ $TYPE == 'evaltab' ]; then
-  echo "    monint: $MONINT" >> /opt/so/saltstack/pillar/data/$TYPE.sls
+  echo "    monint: $MONINT" >> $default_salt_dir/pillar/data/$TYPE.sls
   salt-call state.apply common queue=True
   salt-call state.apply utility queue=True
 fi
 #if [ $TYPE == 'nodestab' ]; then
-#  echo "    nodetype: $NODETYPE" >> /opt/so/saltstack/pillar/data/$TYPE.sls
+#  echo "    nodetype: $NODETYPE" >> $default_salt_dir/pillar/data/$TYPE.sls
-#  echo "    hotname: $HOTNAME" >> /opt/so/saltstack/pillar/data/$TYPE.sls
+#  echo "    hotname: $HOTNAME" >> $default_salt_dir/pillar/data/$TYPE.sls
 #fi

pillar/firewall/addfirewall.sh

@@ -1,13 +1,13 @@
 #!/usr/bin/env bash
 
 # This script adds ip addresses to specific rule sets defined by the user
-
+default_salt_dir=/opt/so/saltstack/default
 POLICY=$1
 IPADDRESS=$2
 
-if grep -q $2 "/opt/so/saltstack/pillar/firewall/$1.sls"; then
+if grep -q $2 "$default_salt_dir/pillar/firewall/$1.sls"; then
   echo "Firewall Rule Already There"
 else
-  echo "  - $2" >> /opt/so/saltstack/pillar/firewall/$1.sls
+  echo "  - $2" >> $default_salt_dir/pillar/firewall/$1.sls
   salt-call state.apply firewall queue=True
 fi

salt/common/tools/sbin/so-allow

@@ -17,6 +17,7 @@
 
 . /usr/sbin/so-common
 
+default_salt_dir=/opt/so/saltstack/default
 SKIP=0
 
 while getopts "abowi:" OPTION
@@ -80,10 +81,10 @@ if [ "$SKIP" -eq 0 ]; then
 fi
 
 echo "Adding $IP to the $FULLROLE role. This can take a few seconds"
-/opt/so/saltstack/pillar/firewall/addfirewall.sh $FULLROLE $IP
+$default_salt_dir/pillar/firewall/addfirewall.sh $FULLROLE $IP
 
 # Check if Wazuh enabled
-if grep -q -R "wazuh: 1" /opt/so/saltstack/pillar/*; then
+if grep -q -R "wazuh: 1" $default_salt_dir/pillar/*; then
     # If analyst, add to Wazuh AR whitelist
     if [ "$FULLROLE" == "analyst" ]; then
           WAZUH_MGR_CFG="/opt/so/wazuh/etc/ossec.conf"

salt/common/tools/sbin/so-bro-logs

@@ -1,11 +1,12 @@
 #!/bin/bash
+default_salt_dir=/opt/so/saltstack/default
 
 bro_logs_enabled() {
 
-  echo "brologs:" > /opt/so/saltstack/pillar/brologs.sls
+  echo "brologs:" > $default_salt_dir/pillar/brologs.sls
-  echo "  enabled:" >> /opt/so/saltstack/pillar/brologs.sls
+  echo "  enabled:" >> $default_salt_dir/pillar/brologs.sls
   for BLOG in ${BLOGS[@]}; do
-    echo "    - $BLOG" | tr -d '"' >> /opt/so/saltstack/pillar/brologs.sls
+    echo "    - $BLOG" | tr -d '"' >> $default_salt_dir/pillar/brologs.sls
   done
 
 }

salt/common/tools/sbin/so-elasticsearch-templates

@@ -15,12 +15,13 @@
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
+default_salt_dir=/opt/so/saltstack/default
 ELASTICSEARCH_HOST="{{ MASTERIP}}"
 ELASTICSEARCH_PORT=9200
 #ELASTICSEARCH_AUTH=""
 
 # Define a default directory to load pipelines from
-ELASTICSEARCH_TEMPLATES="/opt/so/saltstack/salt/logstash/pipelines/templates/so/"
+ELASTICSEARCH_TEMPLATES="$default_salt_dir/salt/logstash/pipelines/templates/so/"
 
 # Wait for ElasticSearch to initialize
 echo -n "Waiting for ElasticSearch..."

salt/common/tools/sbin/so-features-enable

@@ -15,10 +15,11 @@
 #    along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
 . /usr/sbin/so-common
+default_salt_dir=/opt/so/saltstack/default
 
-VERSION=$(grep soversion /opt/so/saltstack/pillar/static.sls | cut -d':' -f2|sed 's/ //g')
+VERSION=$(grep soversion $default_salt_dir/pillar/static.sls | cut -d':' -f2|sed 's/ //g')
 # Modify static.sls to enable Features
-sed -i 's/features: False/features: True/' /opt/so/saltstack/pillar/static.sls
+sed -i 's/features: False/features: True/' $default_salt_dir/pillar/static.sls
 SUFFIX="-features"
 TRUSTED_CONTAINERS=( \
   "so-elasticsearch:$VERSION$SUFFIX" \

salt/common/tools/sbin/so-helix-apikey

@@ -1,4 +1,7 @@
 #!/bin/bash
+
+default_salt_dir=/opt/so/saltstack/default
+
 got_root() {
 
   # Make sure you are root
@@ -10,13 +13,13 @@ got_root() {
 }
 
 got_root
-if [ ! -f /opt/so/saltstack/pillar/fireeye/init.sls ]; then
+if [ ! -f $default_salt_dir/pillar/fireeye/init.sls ]; then
   echo "This is nto configured for Helix Mode. Please re-install."
   exit
 else
   echo "Enter your Helix API Key: "
   read APIKEY
-  sed -i "s/^    api_key.*/    api_key: $APIKEY/g" /opt/so/saltstack/pillar/fireeye/init.sls
+  sed -i "s/^    api_key.*/    api_key: $APIKEY/g" $default_salt_dir/pillar/fireeye/init.sls
   docker stop so-logstash
   docker rm so-logstash
   echo "Restarting Logstash for updated key"

salt/deprecated-bro/files/local.bro

@@ -127,11 +127,11 @@
 @load policy/hassh
 
 # You can load your own intel into:
-# /opt/so/saltstack/bro/policy/intel/ on the master
+# $default_salt_dir/bro/policy/intel/ on the master
 @load intel
 
 # Load a custom Bro policy
-# /opt/so/saltstack/bro/policy/custom/ on the master
+# $default_salt_dir/bro/policy/custom/ on the master
 #@load custom/somebropolicy.bro
 
 # Write logs in JSON

salt/fleet/files/scripts/so-fleet-packages

@@ -2,6 +2,7 @@
 {% set MAIN_HOSTNAME = salt['grains.get']('host') %}
 {% set MAIN_IP = salt['pillar.get']('node:mainip') %}
 
+default_salt_dir=/opt/so/saltstack/default
 
 #so-fleet-packages $FleetHostname/IP 
 
@@ -26,8 +27,8 @@ docker run \
   --mount type=bind,source=/etc/ssl/certs/intca.crt,target=/var/launcher/launcher.crt \
   docker.io/soshybridhunter/so-fleet-launcher:HH1.1.0 "$esecret" "$1":8090
 
-cp /opt/so/conf/fleet/packages/launcher.* /opt/so/saltstack/salt/launcher/packages/
+cp /opt/so/conf/fleet/packages/launcher.* $default_salt_dir/salt/launcher/packages/
 
 #Update timestamp on packages webpage
 sed -i "s@.*Generated.*@Generated: $(date '+%m%d%Y')@g" /opt/so/conf/fleet/packages/index.html
-sed -i "s@.*Generated.*@Generated: $(date '+%m%d%Y')@g" /opt/so/saltstack/salt/fleet/files/dedicated-index.html
+sed -i "s@.*Generated.*@Generated: $(date '+%m%d%Y')@g" $default_salt_dir/salt/fleet/files/dedicated-index.html

salt/hive/thehive/scripts/cortex_init

@@ -7,6 +7,8 @@
 {%- set CORTEXORGUSER = salt['pillar.get']('static:cortexorguser', '') %}
 {%- set CORTEXORGUSERKEY = salt['pillar.get']('static:cortexorguserkey', '') %}
 
+default_salt_dir=/opt/so/saltstack/default
+
 cortex_init(){
     sleep 60
     CORTEX_IP="{{MASTERIP}}"
@@ -17,7 +19,7 @@ cortex_init(){
     CORTEX_ORG_DESC="{{CORTEXORGNAME}} organization created by Security Onion setup"
     CORTEX_ORG_USER="{{CORTEXORGUSER}}"
     CORTEX_ORG_USER_KEY="{{CORTEXORGUSERKEY}}"
-    SOCTOPUS_CONFIG="/opt/so/saltstack/salt/soctopus/files/SOCtopus.conf"
+    SOCTOPUS_CONFIG="$default_salt_dir/salt/soctopus/files/SOCtopus.conf"
 
 
     # Migrate DB

salt/hive/thehive/scripts/hive_init

@@ -4,13 +4,15 @@
 {%- set HIVEPASSWORD = salt['pillar.get']('static:hivepassword', '') %}
 {%- set HIVEKEY = salt['pillar.get']('static:hivekey', '') %}
 
+default_salt_dir=/opt/so/saltstack/default
+
 hive_init(){
     sleep 120
     HIVE_IP="{{MASTERIP}}"
     HIVE_USER="{{HIVEUSER}}"
     HIVE_PASSWORD="{{HIVEPASSWORD}}"
     HIVE_KEY="{{HIVEKEY}}"
-    SOCTOPUS_CONFIG="/opt/so/saltstack/salt/soctopus/files/SOCtopus.conf"
+    SOCTOPUS_CONFIG="$default_salt_dir/salt/soctopus/files/SOCtopus.conf"
 
     echo -n "Waiting for TheHive..."
     COUNT=0

salt/idstools/init.sls

@@ -60,7 +60,7 @@ synclocalnidsrules:
 
 ruleslink:
   file.symlink:
-    - name: /opt/so/saltstack/salt/suricata/rules
+    - name: /opt/so/saltstack/default/salt/suricata/rules
     - target: /opt/so/rules/nids
 
 so-idstools:

salt/master/files/add_minion.sh

@@ -1,10 +1,10 @@
 #!/usr/bin/env bash
 
 # This script adds pillar and schedule files securely
-
+default_salt_dir=/opt/so/saltstack/default
 MINION=$1
 
   echo "Adding $1" 
-  cp /tmp/$MINION/pillar/$MINION.sls /opt/so/saltstack/pillar/minions/
+  cp /tmp/$MINION/pillar/$MINION.sls $default_salt_dir/pillar/minions/
-  cp /tmp/$MINION/schedules/* /opt/so/saltstack/salt/patch/os/schedules/
+  cp /tmp/$MINION/schedules/* $default_salt_dir/salt/patch/os/schedules/
   rm -rf /tmp/$MINION

salt/nodered/files/nodered_load_flows

@@ -1,5 +1,6 @@
 {%- set ip = salt['pillar.get']('static:masterip', '') -%}
 #!/bin/bash
+default_salt_dir=/opt/so/saltstack/default
 
 echo "Waiting for connection"
 until $(curl --output /dev/null --silent --head http://{{ ip }}:1880); do
@@ -7,5 +8,5 @@ until $(curl --output /dev/null --silent --head http://{{ ip }}:1880); do
     sleep 1
 done
 echo "Loading flows..."
-curl -XPOST -v -H "Content-Type: application/json" -d @/opt/so/saltstack/salt/nodered/so_flows.json {{ ip }}:1880/flows
+curl -XPOST -v -H "Content-Type: application/json" -d @$default_salt_dir/salt/nodered/so_flows.json {{ ip }}:1880/flows
 echo "Done loading..."

salt/nodered/init.sls

@@ -36,7 +36,7 @@ nodered:
 
 noderedflows:
   file.recurse:
-    - name: /opt/so/saltstack/salt/nodered/
+    - name: /opt/so/saltstack/default/salt/nodered/
     - source: salt://nodered/files
     - user: 947
     - group: 939

salt/playbook/files/playbook_db_init.sh

@@ -1,5 +1,7 @@
 {%- set MYSQLPASS = salt['pillar.get']('secrets:mysql', None) -%}
 #!/bin/sh
 
-docker cp /opt/so/saltstack/salt/playbook/files/playbook_db_init.sql so-mysql:/tmp/playbook_db_init.sql
+default_salt_dir=/opt/so/saltstack/default
+
+docker cp $default_salt_dir/salt/playbook/files/playbook_db_init.sql so-mysql:/tmp/playbook_db_init.sql
 docker exec so-mysql /bin/bash -c "/usr/bin/mysql -b  -uroot -p{{MYSQLPASS}}  < /tmp/playbook_db_init.sql"

salt/reactor/fleet.sls

@@ -13,11 +13,12 @@ def run():
   ROLE = data['data']['role']
   ESECRET = data['data']['enroll-secret']
   MAINIP = data['data']['mainip']
-
+  default_salt_dir = /opt/so/saltstack/default
-  STATICFILE = '/opt/so/saltstack/pillar/static.sls'
+  STATICFILE = default_salt_dir + '/pillar/static.sls'
-  SECRETSFILE = '/opt/so/saltstack/pillar/secrets.sls'
+  SECRETSFILE = default_salt_dir + '/pillar/secrets.sls'
 
   if MINIONID.split('_')[-1] in ['master','eval','fleet','mastersearch']:
+    
     if ACTION == 'enablefleet':
       logging.info('so/fleet enablefleet reactor')
 
@@ -54,7 +55,7 @@ def run():
       PACKAGEVERSION += 1
 
       # Run Docker container that will build the packages
-      gen_packages = subprocess.run(["docker", "run","--rm", "--mount", "type=bind,source=/opt/so/saltstack/salt/fleet/packages,target=/output", \
+      gen_packages = subprocess.run(["docker", "run","--rm", "--mount", "type=bind,source=" + default_salt_dir + "/salt/fleet/packages,target=/output", \
          "--mount", "type=bind,source=/etc/ssl/certs/intca.crt,target=/var/launcher/launcher.crt", f"{ MASTER }:5000/soshybridhunter/so-fleet-launcher:HH1.3.0", \
          f"{ESECRET}", f"{HOSTNAME}:8090", f"{PACKAGEVERSION}.1.1"], stdout=subprocess.PIPE, encoding='ascii')  
       

salt/ssl/init.sls

@@ -84,17 +84,17 @@ chownilogstashfilebeatp8:
 # Create Symlinks to the keys so I can distribute it to all the things
 filebeatdir:
   file.directory:
-    - name: /opt/so/saltstack/salt/filebeat/files
+    - name: /opt/so/saltstack/default/salt/filebeat/files
     - mkdirs: True
 
 fbkeylink:
   file.symlink:
-    - name: /opt/so/saltstack/salt/filebeat/files/filebeat.p8
+    - name: /opt/so/saltstack/default/salt/filebeat/files/filebeat.p8
     - target: /etc/pki/filebeat.p8
 
 fbcrtlink:
   file.symlink:
-    - name: /opt/so/saltstack/salt/filebeat/files/filebeat.crt
+    - name: /opt/so/saltstack/default/salt/filebeat/files/filebeat.crt
     - target: /etc/pki/filebeat.crt
 
 # Create a cert for the docker registry

salt/wazuh/files/wazuh-manager-whitelist

@@ -1,5 +1,6 @@
 {%- set MASTERIP = salt['pillar.get']('static:masterip', '') %}
 #!/bin/bash
+default_salt_dir=/opt/so/saltstack/default
 
 # Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
 #
@@ -17,7 +18,7 @@
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
 # Check if Wazuh enabled
-if grep -q -R "wazuh: 1" /opt/so/saltstack/pillar/*; then
+if grep -q -R "wazuh: 1" $default_salt_dir/pillar/*; then
       WAZUH_MGR_CFG="/opt/so/wazuh/etc/ossec.conf"
       if ! grep -q "<white_list>{{ MASTERIP }}</white_list>" $WAZUH_MGR_CFG ; then
               DATE=`date`

setup/so-functions

@@ -116,16 +116,16 @@ add_web_user() {
 
 # Create an secrets pillar so that passwords survive re-install
 secrets_pillar(){
-  if [ ! -f /opt/so/saltstack/pillar/secrets.sls ]; then
+  if [ ! -f $default_salt_dir/pillar/secrets.sls ]; then
 	echo "Creating Secrets Pillar" >> "$setup_log" 2>&1
-	mkdir -p /opt/so/saltstack/pillar
+	mkdir -p $default_salt_dir/pillar
 	printf '%s\n'\
 		"secrets:"\
 		"  mysql: $MYSQLPASS"\
 		"  playbook: $PLAYBOOKPASS"\
 		"  fleet: $FLEETPASS"\
 		"  fleet_jwt: $FLEETJWT"\
-		"  fleet_enroll-secret: False" > /opt/so/saltstack/pillar/secrets.sls
+		"  fleet_enroll-secret: False" > $default_salt_dir/pillar/secrets.sls
   fi
 }
 
@@ -327,10 +327,10 @@ configure_minion() {
 				"mysql.host: '$MAINIP'"\
 				"mysql.port: 3306"\
 				"mysql.user: 'root'" >> "$minion_config"
-			if [ ! -f /opt/so/saltstack/pillar/secrets.sls ]; then
+			if [ ! -f $default_salt_dir/pillar/secrets.sls ]; then
 				echo "mysql.pass: '$MYSQLPASS'" >> "$minion_config"
 			else
-				OLDPASS=$(grep "mysql" /opt/so/saltstack/pillar/secrets.sls | awk '{print $2}')
+				OLDPASS=$(grep "mysql" $default_salt_dir/pillar/secrets.sls | awk '{print $2}')
 				echo "mysql.pass: '$OLDPASS'" >> "$minion_config"
 			fi
 			;;
@@ -409,20 +409,20 @@ copy_master_config() {
 copy_minion_tmp_files() {
 	case "$install_type" in
 		'MASTER' | 'EVAL' | 'HELIXSENSOR' | 'MASTERSEARCH' | 'STANDALONE')
-			echo "Copying pillar and salt files in $temp_install_dir to /opt/so/saltstack"
+			echo "Copying pillar and salt files in $temp_install_dir to $default_salt_dir"
-			cp -Rv "$temp_install_dir"/pillar/ /opt/so/saltstack/ >> "$setup_log" 2>&1
+			cp -Rv "$temp_install_dir"/pillar/ $default_salt_dir/ >> "$setup_log" 2>&1
 			if [ -d "$temp_install_dir"/salt ] ; then
-				cp -Rv "$temp_install_dir"/salt/ /opt/so/saltstack/ >> "$setup_log" 2>&1
+				cp -Rv "$temp_install_dir"/salt/ $default_salt_dir/ >> "$setup_log" 2>&1
 			fi
 			;;
 		*)
 			{
-				echo "scp pillar and salt files in $temp_install_dir to master /opt/so/saltstack";
+				echo "scp pillar and salt files in $temp_install_dir to master $default_salt_dir";
 				ssh -i /root/.ssh/so.key soremote@"$MSRV" mkdir -p /tmp/"$MINION_ID"/pillar;
 				ssh -i /root/.ssh/so.key soremote@"$MSRV" mkdir -p /tmp/"$MINION_ID"/schedules;
 				scp -prv -i /root/.ssh/so.key "$temp_install_dir"/pillar/minions/* soremote@"$MSRV":/tmp/"$MINION_ID"/pillar/;
 				scp -prv -i /root/.ssh/so.key "$temp_install_dir"/salt/patch/os/schedules/* soremote@"$MSRV":/tmp/"$MINION_ID"/schedules;
-				ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo /opt/so/saltstack/salt/master/files/add_minion.sh "$MINION_ID";
+				ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/salt/master/files/add_minion.sh "$MINION_ID";
 			} >> "$setup_log" 2>&1
 			;;
 	esac
@@ -695,7 +695,7 @@ docker_seed_registry() {
 
 fireeye_pillar() {
 
-	local fireeye_pillar_path=/opt/so/saltstack/pillar/fireeye
+	local fireeye_pillar_path=$default_salt_dir/pillar/fireeye
 	mkdir -p "$fireeye_pillar_path"
 
 	printf '%s\n'\
@@ -709,7 +709,7 @@ fireeye_pillar() {
 # Generate Firewall Templates
 firewall_generate_templates() {
 
-	local firewall_pillar_path=/opt/so/saltstack/pillar/firewall
+	local firewall_pillar_path=$default_salt_dir/pillar/firewall
 	mkdir -p "$firewall_pillar_path"
 
 	for i in analyst beats_endpoint forward_nodes masterfw minions osquery_endpoint search_nodes wazuh_endpoint
@@ -851,7 +851,7 @@ master_pillar() {
   }
 
 master_static() {
-	local static_pillar="/opt/so/saltstack/pillar/static.sls"
+	local static_pillar="$default_salt_dir/pillar/static.sls"
 
 	# Create a static file for global values
 	printf '%s\n'\
@@ -1195,16 +1195,18 @@ set_main_ip() {
 
 setup_salt_master_dirs() {
 	# Create salt paster directories
-	mkdir -p /opt/so/saltstack/salt
+	mkdir -p $default_salt_dir/pillar
-	mkdir -p /opt/so/saltstack/pillar
+	mkdir -p $default_salt_dir/salt
+	mkdir -p $custom_salt_dir/pillar
+	mkdir -p $custom_salt_dir/salt
 
 	# Copy over the salt code and templates
 	if [ "$setup_type" = 'iso' ]; then
-		rsync -avh --exclude 'TRANS.TBL' /home/onion/SecurityOnion/pillar/* /opt/so/saltstack/pillar/ >> "$setup_log" 2>&1
+		rsync -avh --exclude 'TRANS.TBL' /home/onion/SecurityOnion/pillar/* $default_salt_dir/pillar/ >> "$setup_log" 2>&1
-		rsync -avh --exclude 'TRANS.TBL' /home/onion/SecurityOnion/salt/* /opt/so/saltstack/salt/ >> "$setup_log" 2>&1
+		rsync -avh --exclude 'TRANS.TBL' /home/onion/SecurityOnion/salt/* $default_salt_dir/salt/ >> "$setup_log" 2>&1
 	else
-		cp -R ../pillar/* /opt/so/saltstack/pillar/ >> "$setup_log" 2>&1
+		cp -R ../pillar/* $default_salt_dir/pillar/ >> "$setup_log" 2>&1
-		cp -R ../salt/* /opt/so/saltstack/salt/ >> "$setup_log" 2>&1
+		cp -R ../salt/* $default_salt_dir/salt/ >> "$setup_log" 2>&1
 	fi
 
 	echo "Chown the salt dirs on the master for socore" >> "$setup_log" 2>&1
@@ -1306,49 +1308,49 @@ set_initial_firewall_policy() {
 
   set_main_ip
 
-  if [ -f /opt/so/saltstack/pillar/data/addtotab.sh ]; then chmod +x /opt/so/saltstack/pillar/data/addtotab.sh; fi
+  if [ -f $default_salt_dir/pillar/data/addtotab.sh ]; then chmod +x $default_salt_dir/pillar/data/addtotab.sh; fi
-  if [ -f /opt/so/saltstack/pillar/firewall/addfirewall.sh ]; then chmod +x /opt/so/saltstack/pillar/firewall/addfirewall.sh; fi
+  if [ -f $default_salt_dir/pillar/firewall/addfirewall.sh ]; then chmod +x $default_salt_dir/pillar/firewall/addfirewall.sh; fi
 
 	case "$install_type" in
 		'MASTER')
-			printf "  - %s\n" "$MAINIP" | tee -a /opt/so/saltstack/pillar/firewall/minions.sls /opt/so/saltstack/pillar/firewall/masterfw.sls
+			printf "  - %s\n" "$MAINIP" | tee -a $default_salt_dir/pillar/firewall/minions.sls $default_salt_dir/pillar/firewall/masterfw.sls
-			/opt/so/saltstack/pillar/data/addtotab.sh mastertab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm"
+			$default_salt_dir/pillar/data/addtotab.sh mastertab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm"
 			;;
 		'EVAL' | 'MASTERSEARCH')
-			printf "  - %s\n" "$MAINIP" | tee -a /opt/so/saltstack/pillar/firewall/minions.sls\
+			printf "  - %s\n" "$MAINIP" | tee -a $default_salt_dir/pillar/firewall/minions.sls\
-				/opt/so/saltstack/pillar/firewall/masterfw.sls\
+				$default_salt_dir/pillar/firewall/masterfw.sls\
-				/opt/so/saltstack/pillar/firewall/forward_nodes.sls\
+				$default_salt_dir/pillar/firewall/forward_nodes.sls\
-				/opt/so/saltstack/pillar/firewall/search_nodes.sls
+				$default_salt_dir/pillar/firewall/search_nodes.sls
 			case "$install_type" in 
 				'EVAL')
-					/opt/so/saltstack/pillar/data/addtotab.sh evaltab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm" bond0
+					$default_salt_dir/pillar/data/addtotab.sh evaltab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm" bond0
 					;;
 				'MASTERSEARCH')
-					/opt/so/saltstack/pillar/data/addtotab.sh mastersearchtab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm"
+					$default_salt_dir/pillar/data/addtotab.sh mastersearchtab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm"
 					;;
 			esac
 			;;
 		'HELIXSENSOR')
-			printf "  - %s\n" "$MAINIP" | tee -a /opt/so/saltstack/pillar/firewall/minions.sls\
+			printf "  - %s\n" "$MAINIP" | tee -a $default_salt_dir/pillar/firewall/minions.sls\
-				/opt/so/saltstack/pillar/firewall/masterfw.sls\
+				$default_salt_dir/pillar/firewall/masterfw.sls\
-				/opt/so/saltstack/pillar/firewall/forward_nodes.sls
+				$default_salt_dir/pillar/firewall/forward_nodes.sls
 			;;
 		'SENSOR' | 'SEARCHNODE' | 'HEAVYNODE' | 'FLEET')
-			ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo /opt/so/saltstack/pillar/firewall/addfirewall.sh minions "$MAINIP"
+			ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/pillar/firewall/addfirewall.sh minions "$MAINIP"
 			case "$install_type" in
 				'SENSOR')
-					ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo /opt/so/saltstack/pillar/firewall/addfirewall.sh forward_nodes "$MAINIP"
+					ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/pillar/firewall/addfirewall.sh forward_nodes "$MAINIP"
-					ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo /opt/so/saltstack/pillar/data/addtotab.sh sensorstab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm" bond0
+					ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/pillar/data/addtotab.sh sensorstab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm" bond0
 					;;
 				'SEARCHNODE')
-					ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo /opt/so/saltstack/pillar/firewall/addfirewall.sh search_nodes "$MAINIP"
+					ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/pillar/firewall/addfirewall.sh search_nodes "$MAINIP"
-					ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo /opt/so/saltstack/pillar/data/addtotab.sh nodestab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm"
+					ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/pillar/data/addtotab.sh nodestab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm"
 					;;
 				'HEAVYNODE')
-					ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo /opt/so/saltstack/pillar/firewall/addfirewall.sh forward_nodes "$MAINIP"
+					ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/pillar/firewall/addfirewall.sh forward_nodes "$MAINIP"
-					ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo /opt/so/saltstack/pillar/firewall/addfirewall.sh search_nodes "$MAINIP"
+					ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/pillar/firewall/addfirewall.sh search_nodes "$MAINIP"
-					ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo /opt/so/saltstack/pillar/data/addtotab.sh sensorstab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm" bond0
+					ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/pillar/data/addtotab.sh sensorstab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm" bond0
-					ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo /opt/so/saltstack/pillar/data/addtotab.sh nodestab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm"
+					ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/pillar/data/addtotab.sh nodestab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm"
 					;;
 			esac
 			;;
@@ -1426,9 +1428,9 @@ update_sudoers() {
 	if ! grep -qE '^soremote\ ALL=\(ALL\)\ NOPASSWD:(\/usr\/bin\/salt\-key|\/opt\/so\/saltstack)' /etc/sudoers; then
 		# Update Sudoers so that soremote can accept keys without a password
 		echo "soremote ALL=(ALL) NOPASSWD:/usr/bin/salt-key" | tee -a /etc/sudoers
-		echo "soremote ALL=(ALL) NOPASSWD:/opt/so/saltstack/pillar/firewall/addfirewall.sh" | tee -a /etc/sudoers
+		echo "soremote ALL=(ALL) NOPASSWD:$default_salt_dir/pillar/firewall/addfirewall.sh" | tee -a /etc/sudoers
-		echo "soremote ALL=(ALL) NOPASSWD:/opt/so/saltstack/pillar/data/addtotab.sh" | tee -a /etc/sudoers
+		echo "soremote ALL=(ALL) NOPASSWD:$default_salt_dir/pillar/data/addtotab.sh" | tee -a /etc/sudoers
-		echo "soremote ALL=(ALL) NOPASSWD:/opt/so/saltstack/salt/master/files/add_minion.sh" | tee -a /etc/sudoers
+		echo "soremote ALL=(ALL) NOPASSWD:$default_salt_dir/salt/master/files/add_minion.sh" | tee -a /etc/sudoers
 	else
 		echo "User soremote already granted sudo privileges" >> "$setup_log" 2>&1
 	fi

setup/so-variables

@@ -34,3 +34,6 @@ export temp_install_dir=/root/installtmp
 export percentage_str='Getting started'
 
 export DEBIAN_FRONTEND=noninteractive
+
+export default_salt_dir=/opt/so/saltstack/default
+export custom_salt_dir=/opt/so/saltstack/custom

upgrade/so-update-functions

@@ -95,9 +95,9 @@ copy_new_files() {
 
   # Copy new files over to the salt dir
   cd /tmp/sogh/securityonion-saltstack
-  rsync -a --exclude-from 'exclude-list.txt' salt /opt/so/saltstack/
+  rsync -a --exclude-from 'exclude-list.txt' salt $default_salt_dir/
-  chown -R socore:socore /opt/so/saltstack/salt
+  chown -R socore:socore $default_salt_dir/salt
-  chmod 755 /opt/so/saltstack/pillar/firewall/addfirewall.sh
+  chmod 755 $default_salt_dir/pillar/firewall/addfirewall.sh
   cd /tmp
 }