merge with 2.4/dev

salt/common/tools/sbin/so-elastic-clear

@@ -5,8 +5,7 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 
-
-{%- set NODEIP = salt['pillar.get']('host:mainip', '') -%}
+{%- set NODEIP = salt['pillar.get']('host:mainip', '') %}
 . /usr/sbin/so-common
 
 SKIP=0

salt/common/tools/sbin/so-elasticsearch-component-templates-list

@@ -5,8 +5,7 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 
-
-{%- set NODEIP = salt['pillar.get']('host:mainip', '') -%}
+{%- set NODEIP = salt['pillar.get']('host:mainip', '') %}
 . /usr/sbin/so-common
 if [ "$1" == "" ]; then
     curl -K /opt/so/conf/elasticsearch/curl.config -s -k -L https://{{ NODEIP }}:9200/_component_template | jq '.component_templates[] |.name'| sort

salt/common/tools/sbin/so-elasticsearch-index-templates-list

@@ -5,8 +5,7 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 
-
-{%- set NODEIP = salt['pillar.get']('host:mainip', '') -%}
+{%- set NODEIP = salt['pillar.get']('host:mainip', '') %}
 . /usr/sbin/so-common
 if [ "$1" == "" ]; then
     curl -K /opt/so/conf/elasticsearch/curl.config -s -k -L https://{{ NODEIP }}:9200/_index_template | jq '.index_templates[] |.name'| sort

salt/common/tools/sbin/so-elasticsearch-indices-list

@@ -5,7 +5,7 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 
-{%- set NODEIP = salt['pillar.get']('host:mainip', '') -%}
+{%- set NODEIP = salt['pillar.get']('host:mainip', '') %}
 
 . /usr/sbin/so-common
 

salt/common/tools/sbin/so-elasticsearch-pipeline-stats

@@ -5,7 +5,7 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 
-{%- set NODEIP = salt['pillar.get']('host:mainip', '') -%}
+{%- set NODEIP = salt['pillar.get']('host:mainip', '') %}
 
 . /usr/sbin/so-common
 

salt/common/tools/sbin/so-elasticsearch-pipeline-view

@@ -5,7 +5,7 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 
-{%- set NODEIP = salt['pillar.get']('host:mainip', '') -%}
+{%- set NODEIP = salt['pillar.get']('host:mainip', '') %}
 
 . /usr/sbin/so-common
 

salt/common/tools/sbin/so-elasticsearch-pipelines-list

@@ -5,8 +5,7 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 
-
-{%- set NODEIP = salt['pillar.get']('host:mainip', '') -%}
+{%- set NODEIP = salt['pillar.get']('host:mainip', '') %}
 . /usr/sbin/so-common
 if [ "$1" == "" ]; then
     curl -K /opt/so/conf/elasticsearch/curl.config -s -k -L https://{{ NODEIP }}:9200/_ingest/pipeline/* | jq 'keys'

salt/common/tools/sbin/so-elasticsearch-shards-list

@@ -5,7 +5,7 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 
-{%- set NODEIP = salt['pillar.get']('host:mainip', '') -%}
+{%- set NODEIP = salt['pillar.get']('host:mainip', '') %}
 
 . /usr/sbin/so-common
 

salt/common/tools/sbin/so-elasticsearch-template-remove

@@ -5,7 +5,7 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 
-{%- set NODEIP = salt['pillar.get']('host:mainip', '') -%}
+{%- set NODEIP = salt['pillar.get']('host:mainip', '') %}
 
 . /usr/sbin/so-common
 

salt/common/tools/sbin/so-elasticsearch-template-view

@@ -5,7 +5,7 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 
-{%- set NODEIP = salt['pillar.get']('host:mainip', '') -%}
+{%- set NODEIP = salt['pillar.get']('host:mainip', '') %}
 
 . /usr/sbin/so-common
 

salt/common/tools/sbin/so-elasticsearch-templates-list

@@ -5,8 +5,7 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 
-
-{%- set NODEIP = salt['pillar.get']('host:mainip', '') -%}
+{%- set NODEIP = salt['pillar.get']('host:mainip', '') %}
 . /usr/sbin/so-common
 if [ "$1" == "" ]; then
     curl -K /opt/so/conf/elasticsearch/curl.config -s -k -L https://{{ NODEIP }}:9200/_template/* | jq 'keys'

salt/common/tools/sbin/so-image-common

@@ -27,6 +27,7 @@ container_list() {
       "so-elasticsearch"
       "so-filebeat"
       "so-idstools"
+      "so-influxdb"
       "so-kibana"
       "so-kratos"
       "so-nginx"
@@ -34,6 +35,7 @@ container_list() {
       "so-soc"
       "so-steno"
       "so-suricata"
+      "so-telegraf"
       "so-zeek" 
     )
   elif [ $MANAGERCHECK != 'so-helix' ]; then

salt/common/tools/sbin/so-import-evtx

@@ -5,15 +5,13 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 
-
-
 {%- set MANAGER = salt['grains.get']('master') %}
 {%- set VERSION = salt['pillar.get']('global:soversion') %}
 {%- set IMAGEREPO = salt['pillar.get']('global:imagerepo') %}
-{%- set MANAGERIP = salt['pillar.get']('global:managerip') -%}
+{%- set MANAGERIP = salt['pillar.get']('global:managerip') %}
 {%- set URLBASE = salt['pillar.get']('global:url_base') %}
-{% set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %}
-{% set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %}
+{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %}
+{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %}
 
 INDEX_DATE=$(date +'%Y.%m.%d')
 RUNID=$(cat /dev/urandom | tr -dc 'a-z0-9' | fold -w 8 | head -n 1)

salt/common/tools/sbin/so-import-pcap

@@ -5,12 +5,10 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 
-
-
 {%- set MANAGER = salt['grains.get']('master') %}
 {%- set VERSION = salt['pillar.get']('global:soversion') %}
 {%- set IMAGEREPO = salt['pillar.get']('global:imagerepo') %}
-{%- set MANAGERIP = salt['pillar.get']('global:managerip') -%}
+{%- set MANAGERIP = salt['pillar.get']('global:managerip') %}
 {%- set URLBASE = salt['pillar.get']('global:url_base') %}
 
 . /usr/sbin/so-common

salt/common/tools/sbin/so-kibana-config-export

@@ -1,16 +1,14 @@
 #!/bin/bash
 #
-# {%- set FLEET_MANAGER = salt['pillar.get']('global:fleet_manager', False) -%}
-# {%- set FLEET_NODE = salt['pillar.get']('global:fleet_node', False) -%}
-# {%- set FLEET_IP = salt['pillar.get']('global:fleet_ip', '') %}
-# {%- set MANAGER = salt['pillar.get']('global:url_base', '') %}
-#
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 
-
+{%- set FLEET_MANAGER = salt['pillar.get']('global:fleet_manager', False) %}
+{%- set FLEET_NODE = salt['pillar.get']('global:fleet_node', False) %}
+{%- set FLEET_IP = salt['pillar.get']('global:fleet_ip', '') %}
+{%- set MANAGER = salt['pillar.get']('global:url_base', '') %}
 
 KIBANA_HOST={{ MANAGER }}
 KSO_PORT=5601

salt/common/tools/sbin/so-redis-count

@@ -4,9 +4,7 @@
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
-
-
+{%- set REDIS_PASS = salt['pillar.get']('redis:config:requirepass', '0') %}
 
 . /usr/sbin/so-common
-
-docker exec so-redis redis-cli llen logstash:unparsed
+docker exec so-redis /bin/sh -c "export REDISCLI_AUTH={{ REDIS_PASS }} && redis-cli llen logstash:unparsed"

salt/common/tools/sbin/so-soc-restart

@@ -9,5 +9,6 @@
 
 . /usr/sbin/so-common
 
+rm -f /opt/so/conf/soc/salt/pipe
 pkill salt-relay.sh
 /usr/sbin/so-restart soc $1

salt/common/tools/sbin/so-user

@@ -230,7 +230,7 @@ function updatePassword() {
     # Generate password hash
     passwordHash=$(hashPassword "$password")
     # Update DB with new hash
-    echo "update identity_credentials set config=CAST('{\"hashed_password\":\"$passwordHash\"}' as BLOB), updated_at=datetime('now') where identity_id='${identityId}' and identity_credential_type_id=(select id from identity_credential_types where name='password');" | sqlite3 -cmd ".timeout ${databaseTimeout}" "$databasePath"
+    echo "update identity_credentials set config=CAST('{\"hashed_password\":\"$passwordHash\"}' as BLOB), created_at=datetime('now'), updated_at=datetime('now') where identity_id='${identityId}' and identity_credential_type_id=(select id from identity_credential_types where name='password');" | sqlite3 -cmd ".timeout ${databaseTimeout}" "$databasePath"
     # Deactivate MFA
     echo "delete from identity_credential_identifiers where identity_credential_id=(select id from identity_credentials where identity_id='${identityId}' and identity_credential_type_id=(select id from identity_credential_types where name='totp'));" | sqlite3 -cmd ".timeout ${databaseTimeout}" "$databasePath"
     echo "delete from identity_credentials where identity_id='${identityId}' and identity_credential_type_id=(select id from identity_credential_types where name='totp');" | sqlite3 -cmd ".timeout ${databaseTimeout}" "$databasePath"