more requires

salt/manager/init.sls

@@ -60,8 +60,7 @@ aptcacherlogdir:
     - group: 939
     - makedirs: true
 
-# Copy the config
-acngcopyconf:
+acngconf:
   file.managed:
     - name: /opt/so/conf/aptcacher-ng/etc/acng.conf
     - source: salt://manager/files/acng/acng.conf
@@ -80,6 +79,8 @@ so-aptcacherng:
       - /opt/so/conf/aptcacher-ng/cache:/var/cache/apt-cacher-ng:rw
       - /opt/so/log/aptcacher-ng:/var/log/apt-cacher-ng:rw
       - /opt/so/conf/aptcacher-ng/etc/acng.conf:/etc/apt-cacher-ng/acng.conf:ro
+    - require:
+      - file: acngconf
 
 append_so-aptcacherng_so-status.conf:
   file.append:

salt/minio/init.sls

@@ -21,6 +21,9 @@
 {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %}
 {% set MANAGER = salt['grains.get']('master') %}
 
+include:
+ - ssl
+
 # Minio Setup
 minioconfdir:
   file.directory:
@@ -59,6 +62,9 @@ so-minio:
       - /etc/pki/minio.key:/.minio/certs/private.key:ro
       - /etc/pki/minio.crt:/.minio/certs/public.crt:ro
     - entrypoint: "/usr/bin/docker-entrypoint.sh server --certs-dir /.minio/certs --address :9595 /data"
+    - require:
+      - file: minio_key
+      - file: minio_crt
 
 append_so-minio_so-status.conf:
   file.append:

salt/mysql/init.sls

@@ -45,13 +45,14 @@ mysqlpiddir:
     - group: 939
     - makedirs: True
 
-mysqletcsync:
+mysqletc:
   file.recurse:
     - name: /opt/so/conf/mysql/etc
     - source: salt://mysql/etc
     - user: 939
     - group: 939
     - template: jinja
+    - mode: 640
 
 mysqllogdir:
   file.directory:
@@ -88,12 +89,13 @@ so-mysql:
       - MYSQL_ROOT_HOST={{ MAINIP }}
       - MYSQL_ROOT_PASSWORD=/etc/mypass
     - binds:
-      - /opt/so/conf/mysql/etc/my.cnf:/etc/my.cnf:ro
-      - /opt/so/conf/mysql/etc/mypass:/etc/mypass
+      - /opt/so/conf/mysql/etc/:/etc/:ro
       - /nsm/mysql:/var/lib/mysql:rw
       - /opt/so/log/mysql:/var/log/mysql:rw
     - watch:
       - /opt/so/conf/mysql/etc
+    - require:
+      - file: mysqletc
   cmd.run:
     - name: until nc -z {{ MAINIP }} 3306; do sleep 1; done
     - timeout: 600

salt/nginx/init.sls

@@ -8,6 +8,9 @@
 {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %}
 {% set ISAIRGAP = salt['pillar.get']('global:airgap') %}
 
+include:
+  - ssl
+
 # Drop the correct nginx config based on role
 nginxconfdir:
   file.directory:
@@ -95,6 +98,12 @@ so-nginx:
     - watch:
       - file: nginxconf
       - file: nginxconfdir
+    - require:
+      - file: nginxconf
+      - x509: managerssl_key
+      - x509: managerssl_crt
+      - file: navigatorconfig
+      - file: navigatordefaultlayer
 
 append_so-nginx_so-status.conf:
   file.append:

salt/pcap/init.sls

@@ -127,7 +127,9 @@ so-steno:
       - /nsm/pcaptmp:/tmp:rw
       - /opt/so/log/stenographer:/var/log/stenographer:rw
     - watch:
-      - file: /opt/so/conf/steno/config
+      - file: stenoconf
+    - require:
+      - file: stenoconf
   {% else %} {# if stenographer isn't enabled, then stop and remove the container #}
     - force: True
   {% endif %}

salt/redis/init.sls

@@ -19,6 +19,9 @@
 {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %}
 {% set MANAGER = salt['grains.get']('master') %}
 
+include:
+  - ssl
+
 # Redis Setup
 redisconfdir:
   file.directory:
@@ -41,10 +44,10 @@ redislogdir:
     - group: 939
     - makedirs: True
 
-redisconfsync:
-  file.recurse:
-    - name: /opt/so/conf/redis/etc
-    - source: salt://redis/etc
+redisconf:
+  file.managed:
+    - name: /opt/so/conf/redis/etc/redis.conf
+    - source: salt://redis/etc/redis.conf
     - user: 939
     - group: 939
     - template: jinja
@@ -67,6 +70,11 @@ so-redis:
     - entrypoint: "redis-server /usr/local/etc/redis/redis.conf"
     - watch:
       - file: /opt/so/conf/redis/etc
+    - require:
+      - file: redisconf
+      - x509: redis_crt
+      - x509: redis_key
+      - x509: pki_public_ca_crt
 
 append_so-redis_so-status.conf:
   file.append:

salt/registry/init.sls

@@ -47,6 +47,10 @@ so-dockerregistry:
     - retry:
         attempts: 5
         interval: 30
+    - require:
+      - file: dockerregistryconf
+      - x509: registry_crt
+      - x509: registry_key
 
 append_so-dockerregistry_so-status.conf:
   file.append:

salt/sensoroni/init.sls

@@ -38,6 +38,8 @@ so-sensoroni:
       - /opt/so/log/sensoroni:/opt/sensoroni/logs:rw
     - watch:
       - file: /opt/so/conf/sensoroni/sensoroni.json
+    - require:
+      - file: sensoroniagentconf
 
 append_so-sensoroni_so-status.conf:
   file.append:

salt/soctopus/init.sls

@@ -8,6 +8,9 @@
 {% set MANAGER_IP = salt['pillar.get']('global:managerip', '') %}
 {% set ISAIRGAP = salt['pillar.get']('global:airgap', 'False') %}
 
+include:
+  - nginx
+
 soctopusdir:
   file.directory:
     - name: /opt/so/conf/soctopus/sigma-import
@@ -71,6 +74,9 @@ so-soctopus:
       - 0.0.0.0:7000:7000
     - extra_hosts:
       - {{MANAGER_URL}}:{{MANAGER_IP}}
+    - require:
+      - file: soctopusconf
+      - file: navigatordefaultlayer
 
 append_so-soctopus_so-status.conf:
   file.append:

salt/ssl/init.sls

@@ -117,8 +117,9 @@ influxkeyperms:
 
 {% if grains['role'] in ['so-manager', 'so-eval', 'so-helix', 'so-managersearch', 'so-standalone', 'so-import', 'so-heavynode', 'so-fleet'] %}
 # Create a cert for Redis encryption
-/etc/pki/redis.key:
+redis_key:
   x509.private_key_managed:
+    - name: /etc/pki/redis.key
     - CN: {{ COMMONNAME }}
     - bits: 4096
     - days_remaining: 0
@@ -134,8 +135,9 @@ influxkeyperms:
         attempts: 5
         interval: 30
 
-/etc/pki/redis.crt:
+redis_crt:
   x509.certificate_managed:
+    - name: /etc/pki/redis.crt
     - ca_server: {{ ca_server }}
     - signing_policy: registry
     - public_key: /etc/pki/redis.key
@@ -244,8 +246,9 @@ fbcrtlink:
     - user: socore
     - group: socore
 
-/etc/pki/registry.key:
+registry_key:
   x509.private_key_managed:
+    - name: /etc/pki/registry.key
     - CN: {{ manager }}
     - bits: 4096
     - days_remaining: 0
@@ -262,8 +265,9 @@ fbcrtlink:
         interval: 30
 
 # Create a cert for the docker registry
-/etc/pki/registry.crt:
+registry_crt:
   x509.certificate_managed:
+    - name: /etc/pki/registry.crt
     - ca_server: {{ ca_server }}
     - signing_policy: registry
     - public_key: /etc/pki/registry.key
@@ -287,8 +291,9 @@ regkeyperms:
     - mode: 640
     - group: 939
 
-/etc/pki/minio.key:
+minio_key:
   x509.private_key_managed:
+    - name: /etc/pki/minio.key
     - CN: {{ manager }}
     - bits: 4096
     - days_remaining: 0
@@ -305,8 +310,9 @@ regkeyperms:
         interval: 30
 
 # Create a cert for minio
-/etc/pki/minio.crt:
+minio_crt:
   x509.certificate_managed:
+    - name: /etc/pki/minio.crt
     - ca_server: {{ ca_server }}
     - signing_policy: registry
     - public_key: /etc/pki/minio.key
@@ -386,8 +392,9 @@ elasticp12perms:
     - mode: 640
     - group: 930
 
-/etc/pki/managerssl.key:
+managerssl_key:
   x509.private_key_managed:
+    - name: /etc/pki/managerssl.key
     - CN: {{ manager }}
     - bits: 4096
     - days_remaining: 0
@@ -404,8 +411,9 @@ elasticp12perms:
         interval: 30
 
 # Create a cert for the reverse proxy
-/etc/pki/managerssl.crt:
+managerssl_crt:
   x509.certificate_managed:
+    - name: /etc/pki/managerssl.crt
     - ca_server: {{ ca_server }}
     - signing_policy: managerssl
     - public_key: /etc/pki/managerssl.key
@@ -548,8 +556,9 @@ chownfilebeatp8:
 
 {% if grains['role'] == 'so-fleet' %}
 
-/etc/pki/managerssl.key:
+managerssl_key:
   x509.private_key_managed:
+    - name: /etc/pki/managerssl.key
     - CN: {{ manager }}
     - bits: 4096
     - days_remaining: 0
@@ -566,8 +575,9 @@ chownfilebeatp8:
         interval: 30
 
 # Create a cert for the reverse proxy
-/etc/pki/managerssl.crt:
+managerssl_crt:
   x509.certificate_managed:
+    - name: /etc/pki/managerssl.crt
     - ca_server: {{ ca_server }}
     - signing_policy: managerssl
     - public_key: /etc/pki/managerssl.key

salt/suricata/init.sls

@@ -93,7 +93,7 @@ surilogscript:
     - month: '*'
     - dayweek: '*'
 
-suriconfigsync:
+suriconfig:
   file.managed:
     - name: /opt/so/conf/suricata/suricata.yaml
     - source: salt://suricata/files/suricata.yaml.jinja
@@ -155,10 +155,14 @@ so-suricata:
       - /opt/so/conf/suricata/bpf:/etc/suricata/bpf:ro
     - network_mode: host
     - watch:
-      - file: /opt/so/conf/suricata/suricata.yaml
+      - file: suriconfig
       - file: surithresholding
       - file: /opt/so/conf/suricata/rules/
       - file: /opt/so/conf/suricata/bpf
+    - require:
+      - file: suriconfig
+      - file: surithresholding
+      - file: suribpf
 
   {% else %} {# if Suricata isn't enabled, then stop and remove the container #}
     - force: True

salt/telegraf/init.sls

@@ -88,7 +88,16 @@ so-telegraf:
       - file: tgrafconf
       - file: tgrafsyncscripts
       - file: node_config
-
+    - require: 
+      - file: tgrafconf
+      - file: node_config
+      {% if grains['role'] == 'so-manager' or grains['role'] == 'so-eval' or grains['role'] == 'so-managersearch' %}
+      - x509: pki_public_ca_crt
+      {% else %}
+      - x509: trusttheca
+      {% endif %}
+      - x509: influxdb_crt
+      - x509: influxdb_key
 append_so-telegraf_so-status.conf:
   file.append:
     - name: /opt/so/conf/so-status/so-status.conf

salt/thehive/init.sls

@@ -83,8 +83,7 @@ so-thehive-es:
     - tty: True
     - binds:
       - /nsm/thehive/esdata:/usr/share/elasticsearch/data:rw
-      - /opt/so/conf/thehive/etc/es/elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml:ro
-      - /opt/so/conf/thehive/etc/es/log4j2.properties:/usr/share/elasticsearch/config/log4j2.properties:ro
+      - /opt/so/conf/thehive/etc/es/:/usr/share/elasticsearch/config/:ro
       - /opt/so/log/thehive:/var/log/elasticsearch:rw
     - environment:
       - ES_JAVA_OPTS=-Xms512m -Xmx512m
@@ -97,6 +96,14 @@ append_so-thehive-es_so-status.conf:
     - name: /opt/so/conf/so-status/so-status.conf
     - text: so-thehive-es
 
+cortex_application_conf:
+  file.exists:
+    - name: /opt/so/conf/thehive/etc/cortex-application.conf
+
+application_conf:
+  file.exists:
+    - name: /opt/so/conf/thehive/etc/application.conf
+
 # Install Cortex
 so-cortex:
   docker_container.running:
@@ -110,6 +117,8 @@ so-cortex:
       - /opt/so/conf/cortex/custom-responders:/custom-responders:ro
     - port_bindings:
       - 0.0.0.0:9001:9001
+    - require:
+      - file: cortex_application_conf
 
 append_so-cortex_so-status.conf:
   file.append:
@@ -135,6 +144,8 @@ so-thehive:
       - /opt/so/conf/thehive/etc/application.conf:/opt/thehive/conf/application.conf:ro
     - port_bindings:
       - 0.0.0.0:9000:9000
+    - require:
+      - file: application_conf
 
 append_so-thehive_so-status.conf:
   file.append:

salt/zeek/init.sls

@@ -116,7 +116,7 @@ zeekctlcfg:
         ZEEKCTL: {{ ZEEK.zeekctl | tojson }}
 
 # Sync node.cfg
-nodecfgsync:
+nodecfg:
   file.managed:
     - name: /opt/so/conf/zeek/node.cfg
     - source: salt://zeek/files/node.cfg
@@ -182,7 +182,7 @@ zeekbpf:
 {% endif %}
 
 
-localzeeksync:
+localzeek:
   file.managed:
     - name: /opt/so/conf/zeek/local.zeek
     - source: salt://zeek/files/local.zeek.jinja
@@ -219,6 +219,11 @@ so-zeek:
       - file: /opt/so/conf/zeek/zeekctl.cfg
       - file: /opt/so/conf/zeek/policy
       - file: /opt/so/conf/zeek/bpf
+    - require:
+      - file: localzeek
+      - file: nodecfg
+      - file: zeekctlcfg
+      - file: zeekbpf
   {% else %} {# if Zeek isn't enabled, then stop and remove the container #}
     - force: True
   {% endif %}