diff --git a/salt/ca/init.sls b/salt/ca/init.sls
index 62b89d351..84c74ef3d 100644
--- a/salt/ca/init.sls
+++ b/salt/ca/init.sls
@@ -1,3 +1,8 @@
+{% set show_top = salt['state.show_top']() %}
+{% set top_states = show_top.values() | join(', ') %}
+
+{% if 'ca' in top_states %}
+
{% set manager = salt['grains.get']('master') %}
/etc/salt/minion.d/signing_policies.conf:
file.managed:
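Review bot: The guard at the top of the hunk is a substring test, not a membership test: `show_top.values()` yields lists of state names, `join(', ')` stringifies them, and `'ca' in top_states` then matches anywhere inside that string — so a minion whose top file assigns only `pcap` (also in this diff) passes the `'ca'` check because "ca" is a substring of "pcap", and the CA key state would render on it. Flatten to a real list instead, `{% set top_states = show_top.values() | sum(start=[]) %}`, so `'ca' in top_states` compares whole names. The same two lines are repeated in every other `init.sls` first hunk in this diff and in `salt/salt/master.sls`; a single macro in a shared `.map.jinja` under `salt/common/maps/` would keep them in step. Note also that this is a safeguard against applying a state on a node the top file does not assign it to, not an access-control boundary, since anyone who can edit the top file or run the minion locally bypasses it.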
@@ -51,4 +56,12 @@ cakeyperms:
- replace: False
- name: /etc/pki/ca.key
- mode: 640
- - group: 939
\ No newline at end of file
+ - group: 939
+
+{% else %}
+
+ca_state_not_allowed:
+ test.fail_without_changes:
+ - name: ca_state_not_allowed
+
+{% endif %}
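Review bot: The fallback `ca_state_not_allowed` fails with the module's default comment, which tells the operator nothing about why the run was refused (the state is not assigned to this minion in the top file). If the Salt release in use accepts it, add `- comment: 'ca is not assigned to this minion in top.sls; refusing to apply'` under `test.fail_without_changes`; otherwise put the reason in a `{# ... #}` comment above the ID. The `- name:` line only repeats the state ID and can be dropped. The same fallback block appears in every other `init.sls` in this diff.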
\ No newline at end of file
diff --git a/salt/common/init.sls b/salt/common/init.sls
index c950e6036..896e0f025 100644
--- a/salt/common/init.sls
+++ b/salt/common/init.sls
@@ -1,3 +1,8 @@
+{% set show_top = salt['state.show_top']() %}
+{% set top_states = show_top.values() | join(', ') %}
+
+{% if 'common' in top_states %}
+
{% set role = grains.id.split('_') | last %}
# Remove variables.txt from /tmp - This is temp
@@ -190,4 +195,12 @@ sensorrotateconf:
# Make sure Docker is always running
docker:
service.running:
- - enable: True
\ No newline at end of file
+ - enable: True
+
+{% else %}
+
+common_state_not_allowed:
+ test.fail_without_changes:
+ - name: common_state_not_allowed
+
+{% endif %}
\ No newline at end of file
diff --git a/salt/common/maps/so-status.map.jinja b/salt/common/maps/so-status.map.jinja
index 21dd14ec9..fb23e6708 100644
--- a/salt/common/maps/so-status.map.jinja
+++ b/salt/common/maps/so-status.map.jinja
@@ -5,6 +5,9 @@
# to the list predefined by the role / minion id affix
{% macro append_containers(pillar_name, k, compare )%}
{% if salt['pillar.get'](pillar_name~':'~k, {}) != compare %}
+ {% if k == 'enabled' %}
+ {% set k = pillar_name %}
+ {% endif %}
{% from 'common/maps/'~k~'.map.jinja' import docker as d with context %}
{% for li in d['containers'] %}
{{ docker['containers'].append(li) }}
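Review bot: The `k` parameter is now overloaded — it is a pillar key for the comparison on the line above the new `if`, but when it equals `'enabled'` it is reassigned to `pillar_name` and becomes the map-file name on the `from` line, which a reader cannot tell from the call sites at `append_containers('strelka', 'enabled', 0)`. Add a header comment above the macro, e.g. `{# append_containers(pillar_name, k, compare): skip when pillar pillar_name:k equals compare; otherwise import common/maps/k.map.jinja (or pillar_name.map.jinja when k is 'enabled') and append its containers #}`. The macro body continues past the hunk.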
@@ -21,7 +24,7 @@
{% if role in ['eval', 'managersearch', 'manager', 'standalone'] %}
{{ append_containers('manager', 'grafana', 0) }}
{{ append_containers('global', 'fleet_manager', 0) }}
- {{ append_containers('manager', 'wazuh', 0) }}
+ {{ append_containers('global', 'wazuh', 0) }}
{{ append_containers('manager', 'thehive', 0) }}
{{ append_containers('manager', 'playbook', 0) }}
{{ append_containers('manager', 'freq', 0) }}
@@ -29,7 +32,7 @@
{% endif %}
{% if role in ['eval', 'heavynode', 'sensor', 'standalone'] %}
- {{ append_containers('global', 'strelka', 0) }}
+ {{ append_containers('strelka', 'enabled', 0) }}
{% endif %}
{% if role in ['heavynode', 'standalone'] %}
diff --git a/salt/common/tools/sbin/so-features-enable b/salt/common/tools/sbin/so-features-enable
index 070ecedc0..ae8981fe9 100755
--- a/salt/common/tools/sbin/so-features-enable
+++ b/salt/common/tools/sbin/so-features-enable
@@ -17,6 +17,28 @@
. /usr/sbin/so-common
local_salt_dir=/opt/so/saltstack/local
+cat << EOF
+This program will switch from the open source version of the Elastic Stack to the Features version licensed under the Elastic license.
+If you proceed, then we will download new Docker images and restart services.
+
+Please review the Elastic license:
+https://raw.githubusercontent.com/elastic/elasticsearch/master/licenses/ELASTIC-LICENSE.txt
+
+Please also note that, if you have a distributed deployment and continue with this change, Elastic traffic between nodes will change from encrypted to cleartext!
+(We expect to support Elastic Features Security at some point in the future.)
+
+Do you agree to the terms of the Elastic license and understand the note about encryption?
+
+If so, type AGREE to accept the Elastic license and continue. Otherwise, just press Enter to exit this program without making any changes.
+EOF
+
+read INPUT
+if [ "$INPUT" != "AGREE" ]; then
+ exit
+fi
+
+echo "Please wait while switching to Elastic Features."
+
manager_check() {
# Check to see if this is a manager
MANAGERCHECK=$(cat /etc/salt/grains | grep role | awk '{print $2}')
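Review bot: The consent gate added before `manager_check` exits with status 0 whenever the answer is not `AGREE`, which also happens silently when stdin is not a terminal (an empty read), so a caller or wrapper cannot distinguish "declined" from "completed". Use `read -r INPUT` so backslashes are not interpreted, and exit non-zero with a short message on decline, e.g. `echo "Elastic license not accepted; no changes made." && exit 1`. Given the prompt itself announces that inter-node Elastic traffic moves from encrypted to cleartext, a decline that looks like success is the wrong default. `manager_check` continues outside the hunk.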
diff --git a/salt/common/tools/sbin/so-status b/salt/common/tools/sbin/so-status
index 7a7d6c783..8658f4757 100755
--- a/salt/common/tools/sbin/so-status
+++ b/salt/common/tools/sbin/so-status
@@ -15,7 +15,7 @@
# You should have received a copy of the GNU General Public License
# along with this program. If not, see .
{%- from 'common/maps/so-status.map.jinja' import docker with context %}
-{%- set container_list = docker['containers'] | sort %}
+{%- set container_list = docker['containers'] | sort | unique %}
if ! [ "$(id -u)" = 0 ]; then
echo "This command must be run as root"
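Review bot: The `unique` filter on the `container_list` line is only available in Jinja2 2.10 and later, which may not hold for every minion this renders on; if older Jinja is in scope, dedupe with a small `{% for %}` loop over a list instead. Applied after `sort`, `unique` preserves the sorted order, so the expected-list output is unchanged apart from dropped duplicates. The rendered script continues outside the hunk.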
@@ -71,9 +71,9 @@ compare_lists() {
# {% endraw %}
create_expected_container_list() {
- {% for item in container_list%}
+ {% for item in container_list -%}
expected_container_list+=("{{ item }}")
- {% endfor %}
+ {% endfor -%}
}
populate_container_lists() {
diff --git a/salt/curator/init.sls b/salt/curator/init.sls
index b98eaf6cb..31f738349 100644
--- a/salt/curator/init.sls
+++ b/salt/curator/init.sls
@@ -1,3 +1,8 @@
+{% set show_top = salt['state.show_top']() %}
+{% set top_states = show_top.values() | join(', ') %}
+
+{% if 'curator' in top_states %}
+
{% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %}
{% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %}
{% set MANAGER = salt['grains.get']('master') %}
@@ -131,3 +136,11 @@ so-curator:
# End Curator Cron Jobs
{% endif %}
+
+{% else %}
+
+curator_state_not_allowed:
+ test.fail_without_changes:
+ - name: curator_state_not_allowed
+
+{% endif %}
\ No newline at end of file
diff --git a/salt/docker/init.sls b/salt/docker/init.sls
index 3021552ab..273dbae91 100644
--- a/salt/docker/init.sls
+++ b/salt/docker/init.sls
@@ -1,3 +1,8 @@
+{% set show_top = salt['state.show_top']() %}
+{% set top_states = show_top.values() | join(', ') %}
+
+{% if 'docker' in top_states %}
+
installdocker:
pkg.installed:
- name: docker-ce
@@ -5,4 +10,12 @@ installdocker:
# Make sure Docker is running!
docker:
service.running:
- - enable: True
\ No newline at end of file
+ - enable: True
+
+{% else %}
+
+docker_state_not_allowed:
+ test.fail_without_changes:
+ - name: docker_state_not_allowed
+
+{% endif %}
\ No newline at end of file
diff --git a/salt/domainstats/init.sls b/salt/domainstats/init.sls
index 764435e5f..daac87387 100644
--- a/salt/domainstats/init.sls
+++ b/salt/domainstats/init.sls
@@ -12,6 +12,10 @@
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see .
+{% set show_top = salt['state.show_top']() %}
+{% set top_states = show_top.values() | join(', ') %}
+
+{% if 'domainstats' in top_states %}
{% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %}
@@ -51,3 +55,11 @@ so-domainstats:
- user: domainstats
- binds:
- /opt/so/log/domainstats:/var/log/domain_stats
+
+{% else %}
+
+domainstats_state_not_allowed:
+ test.fail_without_changes:
+ - name: domainstats_state_not_allowed
+
+{% endif %}
\ No newline at end of file
diff --git a/salt/elastalert/init.sls b/salt/elastalert/init.sls
index 741f9ff2a..a97a3f512 100644
--- a/salt/elastalert/init.sls
+++ b/salt/elastalert/init.sls
@@ -12,6 +12,11 @@
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see .
+{% set show_top = salt['state.show_top']() %}
+{% set top_states = show_top.values() | join(', ') %}
+
+{% if 'elastalert' in top_states %}
+
{% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %}
{% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %}
{% set MANAGER = salt['grains.get']('master') %}
@@ -125,3 +130,11 @@ so-elastalert:
- require:
- module: wait_for_elasticsearch
{% endif %}
+
+{% else %}
+
+elastalert_state_not_allowed:
+ test.fail_without_changes:
+ - name: elastalert_state_not_allowed
+
+{% endif %}
\ No newline at end of file
diff --git a/salt/elasticsearch/files/ingest/import.wel b/salt/elasticsearch/files/ingest/import.wel
index 64add2f44..5a04324b7 100644
--- a/salt/elasticsearch/files/ingest/import.wel
+++ b/salt/elasticsearch/files/ingest/import.wel
@@ -1,7 +1,7 @@
{
"description" : "import.wel",
"processors" : [
- { "remove": { "field": ["event.created","timestamp", "winlog.event_data.UtcTime"], "ignore_failure": true } },
+ { "remove": { "field": ["event.created","timestamp", "winlog.event_data.UtcTime", "event_record_id"], "ignore_failure": true } },
{ "pipeline": { "if": "ctx.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational'", "name": "sysmon" } },
{ "pipeline": { "if": "ctx.winlog?.channel != 'Microsoft-Windows-Sysmon/Operational'", "name":"win.eventlogs" } },
{ "pipeline": { "name": "common" } }
diff --git a/salt/elasticsearch/files/ingest/win.eventlogs b/salt/elasticsearch/files/ingest/win.eventlogs
index 7bd6e9a5a..f7f9d6bac 100644
--- a/salt/elasticsearch/files/ingest/win.eventlogs
+++ b/salt/elasticsearch/files/ingest/win.eventlogs
@@ -4,7 +4,8 @@
{ "set": { "if": "ctx.winlog?.channel != null", "field": "event.module", "value": "windows_eventlog", "override": false, "ignore_failure": true } },
{ "set": { "if": "ctx.winlog?.channel != null", "field": "event.dataset", "value": "{{winlog.channel}}", "override": true } },
{ "set": { "if": "ctx.winlog?.computer_name != null", "field": "observer.name", "value": "{{winlog.computer_name}}", "override": true } },
- { "set": { "field": "event.code", "value": "{{winlog.event_id}}", "override": true } },
+ { "set": { "field": "event.code", "value": "{{winlog.event_id}}", "override": true } },
+ { "set": { "field": "event.category", "value": "host", "override": true } },
{ "rename": { "field": "winlog.event_data.SubjectUserName", "target_field": "user.name", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.User", "target_field": "user.name", "ignore_missing": true } }
]
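Review bot: The new `set` writes the literal `host` into `event.category` with `"override": true`, so any category an earlier stage already placed on the event is replaced, and the field is written as a scalar where ECS defines it as an array. Change it to `"override": false`, or guard it with `"if": "ctx.event?.category == null"`, so existing values survive; if no upstream stage sets the field this is a no-op, but it protects any later addition.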
diff --git a/salt/elasticsearch/files/ingest/zeek.intel b/salt/elasticsearch/files/ingest/zeek.intel
index 1f6e7829e..8be25c9ef 100644
--- a/salt/elasticsearch/files/ingest/zeek.intel
+++ b/salt/elasticsearch/files/ingest/zeek.intel
@@ -3,6 +3,7 @@
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "dot_expander": { "field": "seen.indicator", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.seen.indicator", "target_field": "intel.indicator", "ignore_missing": true } },
{ "dot_expander": { "field": "seen.indicator_type", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.seen.indicator_type", "target_field": "intel.indicator_type", "ignore_missing": true } },
diff --git a/salt/elasticsearch/init.sls b/salt/elasticsearch/init.sls
index cc2d91537..c87afc65c 100644
--- a/salt/elasticsearch/init.sls
+++ b/salt/elasticsearch/init.sls
@@ -12,6 +12,11 @@
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see .
+{% set show_top = salt['state.show_top']() %}
+{% set top_states = show_top.values() | join(', ') %}
+
+{% if 'elasticsearch' in top_states %}
+
{% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %}
{% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %}
{% set MANAGER = salt['grains.get']('master') %}
@@ -237,4 +242,12 @@ so-elasticsearch-templates:
cmd.run:
- name: /usr/sbin/so-elasticsearch-templates
- cwd: /opt/so
+{% endif %}
+
+{% else %}
+
+elasticsearch_state_not_allowed:
+ test.fail_without_changes:
+ - name: elasticsearch_state_not_allowed
+
{% endif %}
\ No newline at end of file
diff --git a/salt/filebeat/init.sls b/salt/filebeat/init.sls
index ee7c5ae10..8937d8e13 100644
--- a/salt/filebeat/init.sls
+++ b/salt/filebeat/init.sls
@@ -11,6 +11,11 @@
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see .
+{% set show_top = salt['state.show_top']() %}
+{% set top_states = show_top.values() | join(', ') %}
+
+{% if 'filebeat' in top_states %}
+
{% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %}
{% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %}
{% set MANAGER = salt['grains.get']('master') %}
@@ -69,3 +74,11 @@ so-filebeat:
- 0.0.0.0:514:514/udp
- watch:
- file: /opt/so/conf/filebeat/etc/filebeat.yml
+
+{% else %}
+
+filebeat_state_not_allowed:
+ test.fail_without_changes:
+ - name: filebeat_state_not_allowed
+
+{% endif %}
\ No newline at end of file
diff --git a/salt/firewall/init.sls b/salt/firewall/init.sls
index 7d4dab0bf..07871fa74 100644
--- a/salt/firewall/init.sls
+++ b/salt/firewall/init.sls
@@ -1,3 +1,8 @@
+{% set show_top = salt['state.show_top']() %}
+{% set top_states = show_top.values() | join(', ') %}
+
+{% if 'firewall' in top_states %}
+
# Firewall Magic for the grid
{% from 'firewall/map.jinja' import hostgroups with context %}
{% from 'firewall/map.jinja' import assigned_hostgroups with context %}
@@ -128,3 +133,11 @@ iptables_drop_all_the_things:
- chain: LOGGING
- jump: DROP
- save: True
+
+{% else %}
+
+firewall_state_not_allowed:
+ test.fail_without_changes:
+ - name: firewall_state_not_allowed
+
+{% endif %}
\ No newline at end of file
diff --git a/salt/fleet/init.sls b/salt/fleet/init.sls
index b2a3bb516..220f3c4cb 100644
--- a/salt/fleet/init.sls
+++ b/salt/fleet/init.sls
@@ -132,4 +132,4 @@ so-fleet:
- watch:
- /opt/so/conf/fleet/etc
-{% endif %}
+{% endif %}
\ No newline at end of file
diff --git a/salt/freqserver/init.sls b/salt/freqserver/init.sls
index f48b66cff..668e33079 100644
--- a/salt/freqserver/init.sls
+++ b/salt/freqserver/init.sls
@@ -12,6 +12,10 @@
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see .
+{% set show_top = salt['state.show_top']() %}
+{% set top_states = show_top.values() | join(', ') %}
+
+{% if 'freqserver' in top_states %}
{% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %}
@@ -52,3 +56,11 @@ so-freq:
- binds:
- /opt/so/log/freq_server:/var/log/freq_server:rw
+{% else %}
+
+freqserver_state_not_allowed:
+ test.fail_without_changes:
+ - name: freqserver_state_not_allowed
+
+{% endif %}
+
diff --git a/salt/grafana/init.sls b/salt/grafana/init.sls
index 9fdd26b12..401d2d7d7 100644
--- a/salt/grafana/init.sls
+++ b/salt/grafana/init.sls
@@ -1,3 +1,8 @@
+{% set show_top = salt['state.show_top']() %}
+{% set top_states = show_top.values() | join(', ') %}
+
+{% if 'grafana' in top_states %}
+
{% set GRAFANA = salt['pillar.get']('manager:grafana', '0') %}
{% set MANAGER = salt['grains.get']('master') %}
{% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %}
@@ -230,4 +235,12 @@ so-grafana:
- watch:
- file: /opt/so/conf/grafana/*
+{% endif %}
+
+{% else %}
+
+grafana_state_not_allowed:
+ test.fail_without_changes:
+ - name: grafana_state_not_allowed
+
{% endif %}
\ No newline at end of file
diff --git a/salt/healthcheck/init.sls b/salt/healthcheck/init.sls
index 94f8028ba..af1de6d83 100644
--- a/salt/healthcheck/init.sls
+++ b/salt/healthcheck/init.sls
@@ -1,3 +1,8 @@
+{% set show_top = salt['state.show_top']() %}
+{% set top_states = show_top.values() | join(', ') %}
+
+{% if 'healthcheck' in top_states %}
+
{% set CHECKS = salt['pillar.get']('healthcheck:checks', {}) %}
{% set ENABLED = salt['pillar.get']('healthcheck:enabled', False) %}
{% set SCHEDULE = salt['pillar.get']('healthcheck:schedule', 300) %}
@@ -23,3 +28,11 @@ healthcheck_schedule_{{ STATUS[0] }}:
healthcheck_schedule_{{ STATUS[1] }}:
schedule.{{ STATUS[1] }}:
- name: healthcheck
+
+{% else %}
+
+healthcheck_state_not_allowed:
+ test.fail_without_changes:
+ - name: healthcheck_state_not_allowed
+
+{% endif %}
\ No newline at end of file
diff --git a/salt/idstools/init.sls b/salt/idstools/init.sls
index 7788faac4..439c778aa 100644
--- a/salt/idstools/init.sls
+++ b/salt/idstools/init.sls
@@ -12,6 +12,11 @@
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see .
+{% set show_top = salt['state.show_top']() %}
+{% set top_states = show_top.values() | join(', ') %}
+
+{% if 'idstools' in top_states %}
+
{% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %}
{% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %}
{% set MANAGER = salt['grains.get']('master') %}
@@ -69,3 +74,11 @@ so-idstools:
- /opt/so/rules/nids:/opt/so/rules/nids:rw
- watch:
- file: idstoolsetcsync
+
+{% else %}
+
+idstools_state_not_allowed:
+ test.fail_without_changes:
+ - name: idstools_state_not_allowed
+
+{% endif%}
\ No newline at end of file
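Review bot: The closing tag at the end of this hunk is written `{% endif%}` while every other file in this diff uses `{% endif %}`; Jinja accepts both, but the inconsistent form is easy to miss in a grep. Change it to `{% endif %}`.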
diff --git a/salt/influxdb/init.sls b/salt/influxdb/init.sls
index d35ab6cae..6f95cfec2 100644
--- a/salt/influxdb/init.sls
+++ b/salt/influxdb/init.sls
@@ -1,3 +1,8 @@
+{% set show_top = salt['state.show_top']() %}
+{% set top_states = show_top.values() | join(', ') %}
+
+{% if 'influxdb' in top_states %}
+
{% set GRAFANA = salt['pillar.get']('manager:grafana', '0') %}
{% set MANAGER = salt['grains.get']('master') %}
{% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %}
@@ -40,4 +45,12 @@ so-influxdb:
- watch:
- file: influxdbconf
+{% endif %}
+
+{% else %}
+
+influxdb_state_not_allowed:
+ test.fail_without_changes:
+ - name: influxdb_state_not_allowed
+
{% endif %}
\ No newline at end of file
diff --git a/salt/kibana/init.sls b/salt/kibana/init.sls
index 8711d47d1..7f91719d4 100644
--- a/salt/kibana/init.sls
+++ b/salt/kibana/init.sls
@@ -1,3 +1,8 @@
+{% set show_top = salt['state.show_top']() %}
+{% set top_states = show_top.values() | join(', ') %}
+
+{% if 'kibana' in top_states %}
+
{% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %}
{% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %}
{% set MANAGER = salt['grains.get']('master') %}
@@ -114,4 +119,12 @@ so-kibana-config-load:
# - shell: /bin/bash
# - runas: socore
# - source: salt://kibana/bin/keepkibanahappy.sh
-# - template: jinja
\ No newline at end of file
+# - template: jinja
+
+{% else %}
+
+kibana_state_not_allowed:
+ test.fail_without_changes:
+ - name: kibana_state_not_allowed
+
+{% endif %}
\ No newline at end of file
diff --git a/salt/logstash/init.sls b/salt/logstash/init.sls
index 33fc496dc..ad11bf567 100644
--- a/salt/logstash/init.sls
+++ b/salt/logstash/init.sls
@@ -12,6 +12,11 @@
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see .
+{% set show_top = salt['state.show_top']() %}
+{% set top_states = show_top.values() | join(', ') %}
+
+{% if 'logstash' in top_states %}
+
{% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %}
{% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %}
{% set MANAGER = salt['grains.get']('master') %}
@@ -195,3 +200,11 @@ so-logstash:
{% for TEMPLATE in TEMPLATES %}
- file: es_template_{{TEMPLATE.split('.')[0] | replace("/","_") }}
{% endfor %}
+
+{% else %}
+
+logstash_state_not_allowed:
+ test.fail_without_changes:
+ - name: logstash_state_not_allowed
+
+{% endif %}
\ No newline at end of file
diff --git a/salt/manager/init.sls b/salt/manager/init.sls
index 0046deb95..66e614b62 100644
--- a/salt/manager/init.sls
+++ b/salt/manager/init.sls
@@ -12,6 +12,11 @@
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see .
+{% set show_top = salt['state.show_top']() %}
+{% set top_states = show_top.values() | join(', ') %}
+
+{% if 'manager' in top_states %}
+
{% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %}
{% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %}
{% set MANAGER = salt['grains.get']('master') %}
@@ -84,3 +89,10 @@ strelka_yara_update:
- name: '/usr/sbin/so-yara-update > /dev/null 2>&1'
- hour: '7'
- minute: '1'
+{% else %}
+
+manager_state_not_allowed:
+ test.fail_without_changes:
+ - name: manager_state_not_allowed
+
+{% endif %}
diff --git a/salt/minio/init.sls b/salt/minio/init.sls
index ece8673bd..c1a681747 100644
--- a/salt/minio/init.sls
+++ b/salt/minio/init.sls
@@ -12,6 +12,10 @@
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see .
+{% set show_top = salt['state.show_top']() %}
+{% set top_states = show_top.values() | join(', ') %}
+
+{% if 'minio' in top_states %}
{% set access_key = salt['pillar.get']('minio:access_key', '') %}
{% set access_secret = salt['pillar.get']('minio:access_secret', '') %}
@@ -56,4 +60,12 @@ so-minio:
- /opt/so/conf/minio/etc:/.minio:rw
- /etc/pki/minio.key:/.minio/certs/private.key:ro
- /etc/pki/minio.crt:/.minio/certs/public.crt:ro
- - entrypoint: "/usr/bin/docker-entrypoint.sh server --certs-dir /.minio/certs --address :9595 /data"
\ No newline at end of file
+ - entrypoint: "/usr/bin/docker-entrypoint.sh server --certs-dir /.minio/certs --address :9595 /data"
+
+{% else %}
+
+minio_state_not_allowed:
+ test.fail_without_changes:
+ - name: minio_state_not_allowed
+
+{% endif %}
\ No newline at end of file
diff --git a/salt/motd/init.sls b/salt/motd/init.sls
index 06ad270a1..bf9d276a6 100644
--- a/salt/motd/init.sls
+++ b/salt/motd/init.sls
@@ -1,5 +1,18 @@
+{% set show_top = salt['state.show_top']() %}
+{% set top_states = show_top.values() | join(', ') %}
+
+{% if 'motd' in top_states %}
+
so_motd:
file.managed:
- name: /etc/motd
- source: salt://motd/files/so_motd.jinja
- template: jinja
+
+{% else %}
+
+motd_state_not_allowed:
+ test.fail_without_changes:
+ - name: motd_state_not_allowed
+
+{% endif %}
\ No newline at end of file
diff --git a/salt/mysql/init.sls b/salt/mysql/init.sls
index c9c6fde41..818b5c303 100644
--- a/salt/mysql/init.sls
+++ b/salt/mysql/init.sls
@@ -1,3 +1,8 @@
+{% set show_top = salt['state.show_top']() %}
+{% set top_states = show_top.values() | join(', ') %}
+
+{% if 'mysql' in top_states %}
+
{%- set MYSQLPASS = salt['pillar.get']('secrets:mysql', None) %}
{%- set MANAGERIP = salt['pillar.get']('global:managerip', '') %}
{% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %}
@@ -93,3 +98,11 @@ so-mysql:
- onchanges:
- docker_container: so-mysql
{% endif %}
+
+{% else %}
+
+mysql_state_not_allowed:
+ test.fail_without_changes:
+ - name: mysql_state_not_allowed
+
+{% endif %}
\ No newline at end of file
diff --git a/salt/nginx/init.sls b/salt/nginx/init.sls
index 7df33aa74..a3f6f33fd 100644
--- a/salt/nginx/init.sls
+++ b/salt/nginx/init.sls
@@ -1,3 +1,8 @@
+{% set show_top = salt['state.show_top']() %}
+{% set top_states = show_top.values() | join(', ') %}
+
+{% if 'nginx' in top_states %}
+
{% set FLEETMANAGER = salt['pillar.get']('global:fleet_manager', False) %}
{% set FLEETNODE = salt['pillar.get']('global:fleet_node', False) %}
{% set MANAGER = salt['grains.get']('master') %}
@@ -92,3 +97,11 @@ so-nginx:
- watch:
- file: nginxconf
- file: nginxconfdir
+
+{% else %}
+
+nginx_state_not_allowed:
+ test.fail_without_changes:
+ - name: nginx_state_not_allowed
+
+{% endif %}
\ No newline at end of file
diff --git a/salt/nodered/init.sls b/salt/nodered/init.sls
index 34aacbd81..ac886a6b7 100644
--- a/salt/nodered/init.sls
+++ b/salt/nodered/init.sls
@@ -12,6 +12,10 @@
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see .
+{% set show_top = salt['state.show_top']() %}
+{% set top_states = show_top.values() | join(', ') %}
+
+{% if 'nodered' in top_states %}
{% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %}
@@ -75,3 +79,10 @@ so-nodered-flows:
- name: /usr/sbin/so-nodered-load-flows
- cwd: /
+{% else %}
+
+nodered_state_not_allowed:
+ test.fail_without_changes:
+ - name: nodered_state_not_allowed
+
+{% endif %}
\ No newline at end of file
diff --git a/salt/pcap/init.sls b/salt/pcap/init.sls
index 135b49334..a82e0fb8d 100644
--- a/salt/pcap/init.sls
+++ b/salt/pcap/init.sls
@@ -12,6 +12,11 @@
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see .
+{% set show_top = salt['state.show_top']() %}
+{% set top_states = show_top.values() | join(', ') %}
+
+{% if 'pcap' in top_states %}
+
{% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %}
{% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %}
{% set MANAGER = salt['grains.get']('master') %}
@@ -160,3 +165,11 @@ so-sensoroni:
- /opt/so/log/sensoroni:/opt/sensoroni/logs:rw
- watch:
- file: /opt/so/conf/sensoroni/sensoroni.json
+
+{% else %}
+
+pcap_state_not_allowed:
+ test.fail_without_changes:
+ - name: pcap_state_not_allowed
+
+{% endif %}
\ No newline at end of file
diff --git a/salt/playbook/init.sls b/salt/playbook/init.sls
index d390a36fb..9d02dfce2 100644
--- a/salt/playbook/init.sls
+++ b/salt/playbook/init.sls
@@ -1,3 +1,8 @@
+{% set show_top = salt['state.show_top']() %}
+{% set top_states = show_top.values() | join(', ') %}
+
+{% if 'playbook' in top_states %}
+
{% set MANAGERIP = salt['pillar.get']('manager:mainip', '') %}
{% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %}
{% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %}
@@ -96,4 +101,12 @@ so-playbookruleupdatecron:
- name: /usr/sbin/so-playbook-ruleupdate > /opt/so/log/playbook/update.log 2>&1
- user: root
- minute: '1'
- - hour: '6'
\ No newline at end of file
+ - hour: '6'
+
+{% else %}
+
+playbook_state_not_allowed:
+ test.fail_without_changes:
+ - name: playbook_state_not_allowed
+
+{% endif %}
\ No newline at end of file
diff --git a/salt/redis/init.sls b/salt/redis/init.sls
index 3f24ba079..1b7611eab 100644
--- a/salt/redis/init.sls
+++ b/salt/redis/init.sls
@@ -12,6 +12,11 @@
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see .
+{% set show_top = salt['state.show_top']() %}
+{% set top_states = show_top.values() | join(', ') %}
+
+{% if 'redis' in top_states %}
+
{% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %}
{% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %}
{% set MANAGER = salt['grains.get']('master') %}
@@ -64,3 +69,11 @@ so-redis:
- entrypoint: "redis-server /usr/local/etc/redis/redis.conf"
- watch:
- file: /opt/so/conf/redis/etc
+
+{% else %}
+
+redis_state_not_allowed:
+ test.fail_without_changes:
+ - name: redis_state_not_allowed
+
+{% endif %}
\ No newline at end of file
diff --git a/salt/registry/init.sls b/salt/registry/init.sls
index 6e17d639e..c98577ca2 100644
--- a/salt/registry/init.sls
+++ b/salt/registry/init.sls
@@ -1,3 +1,8 @@
+{% set show_top = salt['state.show_top']() %}
+{% set top_states = show_top.values() | join(', ') %}
+
+{% if 'registry' in top_states %}
+
# Create the config directory for the docker registry
dockerregistryconfdir:
file.directory:
@@ -51,3 +56,11 @@ so-dockerregistry:
- /nsm/docker-registry/docker:/var/lib/registry/docker:rw
- /etc/pki/registry.crt:/etc/pki/registry.crt:ro
- /etc/pki/registry.key:/etc/pki/registry.key:ro
+
+{% else %}
+
+registry_state_not_allowed:
+ test.fail_without_changes:
+ - name: registry_state_not_allowed
+
+{% endif %}
\ No newline at end of file
diff --git a/salt/salt/master.sls b/salt/salt/master.sls
index ca1bead2d..20a204909 100644
--- a/salt/salt/master.sls
+++ b/salt/salt/master.sls
@@ -1,3 +1,8 @@
+{% set show_top = salt['state.show_top']() %}
+{% set top_states = show_top.values() | join(', ') %}
+
+{% if 'salt.master' in top_states %}
+
include:
- salt.minion
@@ -26,4 +31,12 @@ engines_config:
- name: /etc/salt/minion.d/engines.conf
- source: salt://salt/files/engines.conf
- watch_in:
- - service: salt_minion_service
\ No newline at end of file
+ - service: salt_minion_service
+
+{% else %}
+
+salt_master_state_not_allowed:
+ test.fail_without_changes:
+ - name: salt_master_state_not_allowed
+
+{% endif %}
\ No newline at end of file
diff --git a/salt/soc/files/soc/soc.json b/salt/soc/files/soc/soc.json
index f3c103dc4..bbb600a6b 100644
--- a/salt/soc/files/soc/soc.json
+++ b/salt/soc/files/soc/soc.json
@@ -70,7 +70,7 @@
"::x509": ["soc_timestamp", "x509.certificate.subject", "x509.certificate.key.type", "x509.certificate.key.length", "x509.certificate.issuer", "log.id.id" ],
":firewall:": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "network.transport", "direction", "interface", "action", "reason" ],
":osquery:": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "source.hostname", "event.dataset", "process.executable", "user.name" ],
- ":ossec:": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "rule.name", "rule.level", "rule.category", "process.name", "user.name", "user.escalated", "location", "process.name" ],
+ ":ossec:": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "rule.name", "rule.level", "rule.category", "process.name", "user.name", "user.escalated", "location" ],
":strelka:file": ["soc_timestamp", "scan.exiftool.OriginalFileName", "file.size", "hash.md5", "scan.exiftool.CompanyName", "scan.exiftool.Description", "scan.exiftool.Directory", "scan.exiftool.FileType", "scan.exiftool.FileOS", "log.id.fuid" ],
":suricata:": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "rule.gid", "rule.name", "rule.category", "rule.rev", "event.severity", "event.severity_label" ],
":sysmon:": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "source.hostname", "event.dataset", "process.executable", "user.name" ],
@@ -84,8 +84,8 @@
{ "name": "NIDS Alerts", "description": "Show all NIDS alerts grouped by alert name", "query": "event.category: network AND event.dataset: alert | groupby rule.name"},
{ "name": "Wazuh/OSSEC Alerts", "description": "Show all Wazuh alerts grouped by category", "query": "event.module:ossec AND event.dataset:alert | groupby rule.category"},
{ "name": "Wazuh/OSSEC Commands", "description": "Show all Wazuh alerts grouped by command line", "query": "event.module:ossec AND event.dataset:alert | groupby process.command_line"},
- { "name": "Wazuh/OSSEC Processes", "description": "Show all Wazuh alerts grouped by process name", "query": "event.module:ossec AND event.dataset:alert | groupby process.name"},
- { "name": "Wazuh/OSSEC Users", "description": "Show all Wazuh alerts grouped by username", "query": "event.module:ossec AND event.dataset:alert | groupby user.name"},
+ { "name": "Wazuh/OSSEC Processes", "description": "Show all Wazuh alerts grouped by process name", "query": "event.module:ossec AND event.dataset:alert | groupby process.name.keyword"},
+ { "name": "Wazuh/OSSEC Users", "description": "Show all Wazuh alerts grouped by username", "query": "event.module:ossec AND event.dataset:alert | groupby user.escalated.keyword"},
{ "name": "Sysmon Events", "description": "Show all Sysmon logs grouped by event type", "query": "event.module:sysmon | groupby event.dataset"},
{ "name": "Sysmon Usernames", "description": "Show all Sysmon logs grouped by username", "query": "event.module:sysmon | groupby event.dataset, user.name.keyword"},
{ "name": "Zeek Notice", "description": "Show notices from Zeek", "query": "event.dataset:notice | groupby notice.note notice.message"},
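Review bot: The "Wazuh/OSSEC Users" entry still carries the description "grouped by username" while its query now groups by `user.escalated.keyword`, and the `:ossec:` column list earlier in this file keeps both `user.name` and `user.escalated`. Either the description should say "grouped by escalated user", or the query should be `user.name.keyword` if the intent was only to add the `.keyword` suffix like the neighbouring Processes entry.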
@@ -114,7 +114,7 @@
{ "name": "HTTP", "description": "HTTP grouped by user agent", "query": "event.dataset:http | groupby http.useragent"},
{ "name": "HTTP", "description": "HTTP grouped by virtual host", "query": "event.dataset:http | groupby http.virtual_host"},
{ "name": "HTTP", "description": "HTTP with exe downloads", "query": "event.dataset:http AND file.resp_mime_types:dosexec | groupby http.virtual_host"},
- { "name": "Intel", "description": "Intel framework hits grouped by indicator", "query": "event.dataset:intel | groupby intel.indicator"},
+ { "name": "Intel", "description": "Intel framework hits grouped by indicator", "query": "event.dataset:intel | groupby intel.indicator.keyword"},
{ "name": "IRC", "description": "IRC grouped by command", "query": "event.dataset:irc | groupby irc.command.type"},
{ "name": "KERBEROS", "description": "KERBEROS grouped by service", "query": "event.dataset:kerberos | groupby kerberos.service"},
{ "name": "MODBUS", "description": "MODBUS grouped by function", "query": "event.dataset:modbus | groupby modbus.function"},
@@ -124,7 +124,7 @@
{ "name": "PE", "description": "PE files list", "query": "event.dataset:pe | groupby file.machine file.os file.subsystem"},
{ "name": "RADIUS", "description": "RADIUS grouped by username", "query": "event.dataset:radius | groupby user.name.keyword"},
{ "name": "RDP", "description": "RDP grouped by client name", "query": "event.dataset:rdp | groupby client.name"},
- { "name": "RFB", "description": "RFB grouped by desktop name", "query": "event.dataset:rfb | groupby rfb.desktop.name"},
+ { "name": "RFB", "description": "RFB grouped by desktop name", "query": "event.dataset:rfb | groupby rfb.desktop.name.keyword"},
{ "name": "Signatures", "description": "Zeek signatures grouped by signature id", "query": "event.dataset:signatures | groupby signature_id"},
{ "name": "SIP", "description": "SIP grouped by user agent", "query": "event.dataset:sip | groupby client.user_agent"},
{ "name": "SMB_Files", "description": "SMB files grouped by action", "query": "event.dataset:smb_files | groupby file.action"},
@@ -135,7 +135,7 @@
{ "name": "SSH", "description": "SSH grouped by version", "query": "event.dataset:ssh | groupby ssh.version"},
{ "name": "SSL", "description": "SSL grouped by version and server name", "query": "event.dataset:ssl | groupby ssl.version ssl.server_name"},
{ "name": "SYSLOG", "description": "SYSLOG grouped by severity and facility ", "query": "event.dataset:syslog | groupby syslog.severity syslog.facility"},
- { "name": "Tunnels", "description": "Tunnels grouped by action", "query": "event.dataset:tunnels | groupby event.action"},
+ { "name": "Tunnel", "description": "Tunnels grouped by action", "query": "event.dataset:tunnel | groupby event.action"},
{ "name": "Weird", "description": "Zeek weird log grouped by name", "query": "event.dataset:weird | groupby weird.name"},
{ "name": "x509", "description": "x.509 grouped by key length", "query": "event.dataset:x509 | groupby x509.certificate.key.length"},
{ "name": "x509", "description": "x.509 grouped by issuer", "query": "event.dataset:x509 | groupby x509.certificate.issuer"},
@@ -143,10 +143,10 @@
{ "name": "Firewall", "description": "Firewall events grouped by action", "query": "event_type:firewall | groupby action"}
],
"actions": [
- { "name": "", "description": "actionPcapHelp", "icon": "fa-stream", "link": "/joblookup?esid={eventId}" },
- { "name": "", "description": "actionAlertHelp", "icon": "fa-bell", "link": "/soctopus/thehive/alert/{eventId}" },
- { "name": "", "description": "actionGoogleHelp", "icon": "fab fa-google", "link": "https://www.google.com/search?q={value}" },
- { "name": "actionVirusTotal", "description": "actionVirusTotalHelp", "icon": "", "link": "https://www.virustotal.com/gui/search/{value}" }
+ { "name": "", "description": "actionPcapHelp", "icon": "fa-stream", "link": "/joblookup?esid={eventId}", "target": "_blank" },
+ { "name": "", "description": "actionAlertHelp", "icon": "fa-bell", "link": "/soctopus/thehive/alert/{eventId}", "target": "_blank" },
+ { "name": "", "description": "actionGoogleHelp", "icon": "fab fa-google", "link": "https://www.google.com/search?q={value}", "target": "_blank" },
+ { "name": "actionVirusTotal", "description": "actionVirusTotalHelp", "icon": "", "link": "https://www.virustotal.com/gui/search/{value}", "target": "_blank" }
]
}
}
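Review bot: The new `"target": "_blank"` on the Google and VirusTotal actions opens a third-party page in a new window with a URL built from event data, and nothing in this config sets `rel`; confirm that the SOC link renderer emits `rel="noopener noreferrer"` for these anchors so the external page receives neither a `window.opener` handle nor a referrer carrying the SOC URL. The two in-app links (`/joblookup`, `/soctopus/thehive/alert`) are unaffected either way, so if the renderer does not add `rel` itself, only the two external actions need it.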
diff --git a/salt/soc/init.sls b/salt/soc/init.sls
index 1c25f42a1..ca40eb4f3 100644
--- a/salt/soc/init.sls
+++ b/salt/soc/init.sls
@@ -1,3 +1,8 @@
+{% set show_top = salt['state.show_top']() %}
+{% set top_states = show_top.values() | join(', ') %}
+
+{% if 'soc' in top_states %}
+
{% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %}
{% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %}
{% set MANAGER = salt['grains.get']('master') %}
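Review bot: `'soc' in top_states` is a substring test on the joined string, not a membership test, so a minion whose top file assigns only `soctopus` (which contains "soc") passes this guard and can apply the soc state it was never assigned; since this check is what the new `*_state_not_allowed` fallback relies on to keep a minion from applying states outside its top file, the match should be exact. Flattening the per-environment lists and testing list membership does that, e.g. `{% set top_states = show_top.values() | sum(start=[]) %}` in place of the `join` line, leaving `{% if 'soc' in top_states %}` unchanged. The same `join`/substring construction is repeated in the guards for soctopus, ssl, strelka, suricata, telegraf, thehive, utility, wazuh, yum and zeek below, and the soc guard's `{% else %}`/`{% endif %}` sit in the next hunk, so the fix applies to each of them.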
@@ -98,3 +103,11 @@ so-kratos:
- 0.0.0.0:4434:4434
- watch:
- file: /opt/so/conf/kratos
+
+{% else %}
+
+soc_state_not_allowed:
+ test.fail_without_changes:
+ - name: soc_state_not_allowed
+
+{% endif %}
\ No newline at end of file
diff --git a/salt/soctopus/init.sls b/salt/soctopus/init.sls
index f57ce216d..2c9e721ac 100644
--- a/salt/soctopus/init.sls
+++ b/salt/soctopus/init.sls
@@ -1,3 +1,8 @@
+{% set show_top = salt['state.show_top']() %}
+{% set top_states = show_top.values() | join(', ') %}
+
+{% if 'soctopus' in top_states %}
+
{% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %}
{% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %}
{% set MANAGER = salt['grains.get']('master') %}
@@ -67,3 +72,11 @@ so-soctopus:
- 0.0.0.0:7000:7000
- extra_hosts:
- {{MANAGER_URL}}:{{MANAGER_IP}}
+
+{% else %}
+
+soctopus_state_not_allowed:
+ test.fail_without_changes:
+ - name: soctopus_state_not_allowed
+
+{% endif %}
\ No newline at end of file
diff --git a/salt/ssl/init.sls b/salt/ssl/init.sls
index 416e13af5..1283c581d 100644
--- a/salt/ssl/init.sls
+++ b/salt/ssl/init.sls
@@ -1,3 +1,8 @@
+{% set show_top = salt['state.show_top']() %}
+{% set top_states = show_top.values() | join(', ') %}
+
+{% if 'ssl' in top_states %}
+
{% set manager = salt['grains.get']('master') %}
{% set managerip = salt['pillar.get']('global:managerip', '') %}
{% set HOSTNAME = salt['grains.get']('host') %}
@@ -570,3 +575,11 @@ elastickeyperms:
- group: 930
{%- endif %}
+
+{% else %}
+
+ssl_state_not_allowed:
+ test.fail_without_changes:
+ - name: ssl_state_not_allowed
+
+{% endif %}
\ No newline at end of file
diff --git a/salt/strelka/init.sls b/salt/strelka/init.sls
index 61d0ce8ad..dabd58fe5 100644
--- a/salt/strelka/init.sls
+++ b/salt/strelka/init.sls
@@ -12,8 +12,13 @@
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see .
-{% set MANAGER = salt['grains.get']('master') %}
-{% set MANAGERIP = salt['pillar.get']('global:managerip', '') %}
+{% set show_top = salt['state.show_top']() %}
+{% set top_states = show_top.values() | join(', ') %}
+
+{% if 'strelka' in top_states %}
+
+{%- set MANAGER = salt['grains.get']('master') %}
+{%- set MANAGERIP = salt['pillar.get']('global:managerip', '') %}
{% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %}
{% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %}
{% set STRELKA_RULES = salt['pillar.get']('strelka:rules', '1') %}
@@ -134,3 +139,11 @@ strelka_zeek_extracted_sync:
- user: root
- name: '[ -d /nsm/zeek/extracted/complete/ ] && mv /nsm/zeek/extracted/complete/* /nsm/strelka/ > /dev/null 2>&1'
- minute: '*'
+
+{% else %}
+
+strelka_state_not_allowed:
+ test.fail_without_changes:
+ - name: strelka_state_not_allowed
+
+{% endif %}
\ No newline at end of file
diff --git a/salt/suricata/init.sls b/salt/suricata/init.sls
index 79e06db66..45b99586c 100644
--- a/salt/suricata/init.sls
+++ b/salt/suricata/init.sls
@@ -12,6 +12,10 @@
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see .
+{% set show_top = salt['state.show_top']() %}
+{% set top_states = show_top.values() | join(', ') %}
+
+{% if 'suricata' in top_states %}
{% set interface = salt['pillar.get']('sensor:interface', 'bond0') %}
{% set ZEEKVER = salt['pillar.get']('global:zeekversion', '') %}
@@ -173,3 +177,11 @@ surilogrotate:
- daymonth: '*'
- month: '*'
- dayweek: '*'
+
+{% else %}
+
+suricata_state_not_allowed:
+ test.fail_without_changes:
+ - name: suricata_state_not_allowed
+
+{% endif %}
\ No newline at end of file
diff --git a/salt/tcpreplay/init.sls b/salt/tcpreplay/init.sls
index a828c72f1..2634e6c15 100644
--- a/salt/tcpreplay/init.sls
+++ b/salt/tcpreplay/init.sls
@@ -12,4 +12,10 @@ so-tcpreplay:
- interactive: True
- tty: True
+{% else %}
+
+tcpreplay_state_not_allowed:
+ test.fail_without_changes:
+ - name: tcpreplay_state_not_allowed
+
{% endif %}
diff --git a/salt/telegraf/init.sls b/salt/telegraf/init.sls
index c252cdb5b..0bbf131f7 100644
--- a/salt/telegraf/init.sls
+++ b/salt/telegraf/init.sls
@@ -1,3 +1,8 @@
+{% set show_top = salt['state.show_top']() %}
+{% set top_states = show_top.values() | join(', ') %}
+
+{% if 'telegraf' in top_states %}
+
{% set MANAGER = salt['grains.get']('master') %}
{% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %}
{% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %}
@@ -66,4 +71,12 @@ so-telegraf:
- /opt/so/log/suricata:/var/log/suricata:ro
- watch:
- file: tgrafconf
- - file: tgrafsyncscripts
\ No newline at end of file
+ - file: tgrafsyncscripts
+
+{% else %}
+
+telegraf_state_not_allowed:
+ test.fail_without_changes:
+ - name: telegraf_state_not_allowed
+
+{% endif %}
\ No newline at end of file
diff --git a/salt/thehive/init.sls b/salt/thehive/init.sls
index ffbb50f0c..443ac9a8f 100644
--- a/salt/thehive/init.sls
+++ b/salt/thehive/init.sls
@@ -1,3 +1,8 @@
+{% set show_top = salt['state.show_top']() %}
+{% set top_states = show_top.values() | join(', ') %}
+
+{% if 'thehive' in top_states %}
+
{% set MANAGERIP = salt['pillar.get']('manager:mainip', '') %}
{% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %}
{% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %}
@@ -137,3 +142,11 @@ thehivescript:
- cwd: /opt/so
- template: jinja
- hide_output: True
+
+{% else %}
+
+thehive_state_not_allowed:
+ test.fail_without_changes:
+ - name: thehive_state_not_allowed
+
+{% endif %}
\ No newline at end of file
diff --git a/salt/top.sls b/salt/top.sls
index 2fa33c2d3..7120c15b7 100644
--- a/salt/top.sls
+++ b/salt/top.sls
@@ -62,6 +62,7 @@ base:
- common
- telegraf
- firewall
+ - nginx
- pcap
- suricata
- healthcheck
@@ -127,6 +128,7 @@ base:
{%- endif %}
{%- if PLAYBOOK != 0 %}
- playbook
+ - redis
{%- endif %}
{%- if FREQSERVER != 0 %}
- freqserver
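Review bot: The `- redis` added inside `{%- if PLAYBOOK != 0 %}` may duplicate an unconditional `- redis` in the same role list: the next hunk shows `- redis` as existing context right after `- logstash` at L1170, and whether that belongs to the same role block as this one is not visible in the hunk. If it is, the entry is listed twice for that role and the conditional one should be dropped (or the unconditional one moved under the playbook condition if redis is only needed for playbook).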
@@ -158,6 +160,7 @@ base:
{%- if WAZUH != 0 %}
- wazuh
{%- endif %}
+ - elasticsearch
- logstash
- redis
- kibana
@@ -285,6 +288,7 @@ base:
{%- if WAZUH != 0 %}
- wazuh
{%- endif %}
+ - elasticsearch
- logstash
- curator
- filebeat
@@ -330,6 +334,7 @@ base:
{%- if WAZUH != 0 %}
- wazuh
{%- endif %}
+ - elasticsearch
- logstash
- redis
- curator
@@ -367,6 +372,7 @@ base:
{%- if WAZUH != 0 %}
- wazuh
{%- endif %}
+ - elasticsearch
- logstash
- redis
- curator
diff --git a/salt/utility/init.sls b/salt/utility/init.sls
index 4779f9c1d..d18ad5e1c 100644
--- a/salt/utility/init.sls
+++ b/salt/utility/init.sls
@@ -1,3 +1,8 @@
+{% set show_top = salt['state.show_top']() %}
+{% set top_states = show_top.values() | join(', ') %}
+
+{% if 'utility' in top_states %}
+
# This state is for checking things
{% if grains['role'] in ['so-manager', 'so-managersearch', 'so-standalone'] %}
# Make sure Cross Cluster is good. Will need some logic once we have hot/warm
@@ -19,3 +24,11 @@ fixsearch:
- source: salt://utility/bin/eval
- template: jinja
{% endif %}
+
+{% else %}
+
+utility_state_not_allowed:
+ test.fail_without_changes:
+ - name: utility_state_not_allowed
+
+{% endif %}
diff --git a/salt/wazuh/init.sls b/salt/wazuh/init.sls
index 94b16b199..f2a4ae05b 100644
--- a/salt/wazuh/init.sls
+++ b/salt/wazuh/init.sls
@@ -1,3 +1,8 @@
+{% set show_top = salt['state.show_top']() %}
+{% set top_states = show_top.values() | join(', ') %}
+
+{% if 'wazuh' in top_states %}
+
{%- set HOSTNAME = salt['grains.get']('host', '') %}
{% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %}
{% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %}
@@ -141,3 +146,11 @@ hidsruledir:
/opt/so/rules/hids/ruleset:
file.symlink:
- target: /nsm/wazuh/ruleset
+
+{% else %}
+
+wazuh_state_not_allowed:
+ test.fail_without_changes:
+ - name: wazuh_state_not_allowed
+
+{% endif %}
\ No newline at end of file
diff --git a/salt/yum/init.sls b/salt/yum/init.sls
index c91de908e..b8a4df9ee 100644
--- a/salt/yum/init.sls
+++ b/salt/yum/init.sls
@@ -1,6 +1,19 @@
+{% set show_top = salt['state.show_top']() %}
+{% set top_states = show_top.values() | join(', ') %}
+
+{% if 'yum' in top_states %}
+
yumconf:
file.managed:
- name: /etc/yum.conf
- source: salt://yum/etc/yum.conf.jinja
- mode: 644
- - template: jinja
\ No newline at end of file
+ - template: jinja
+
+{% else %}
+
+yum_state_not_allowed:
+ test.fail_without_changes:
+ - name: yum_state_not_allowed
+
+{% endif %}
\ No newline at end of file
diff --git a/salt/zeek/init.sls b/salt/zeek/init.sls
index f6e1e999e..712ca53fd 100644
--- a/salt/zeek/init.sls
+++ b/salt/zeek/init.sls
@@ -1,3 +1,8 @@
+{% set show_top = salt['state.show_top']() %}
+{% set top_states = show_top.values() | join(', ') %}
+
+{% if 'zeek' in top_states %}
+
{% from "zeek/map.jinja" import START with context %}
{% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %}
@@ -190,4 +195,11 @@ so-zeek:
- file: /opt/so/conf/zeek/zeekctl.cfg
- file: /opt/so/conf/zeek/policy
- file: /opt/so/conf/zeek/bpf
-
\ No newline at end of file
+
+{% else %}
+
+zeek_state_not_allowed:
+ test.fail_without_changes:
+ - name: zeek_state_not_allowed
+
+{% endif %}
\ No newline at end of file
diff --git a/setup/so-setup b/setup/so-setup
index 25b877910..4101e8c8c 100755
--- a/setup/so-setup
+++ b/setup/so-setup
@@ -683,8 +683,13 @@ fi
fi
if [[ "$STRELKA" = 1 ]]; then
- set_progress_str 80 "$(print_salt_state_apply 'strelka')"
- salt-call state.apply -l info strelka >> $setup_log 2>&1
+ if [[ $is_sensor ]]; then
+ set_progress_str 80 "$(print_salt_state_apply 'strelka')"
+ salt-call state.apply -l info strelka >> $setup_log 2>&1
+ fi
+ if [[ $STRELKARULES == 1 ]]; then
+ /usr/sbin/so-yara-update >> $setup_log 2>&1
+ fi
fi
if [[ $is_manager || $is_helix || $is_import ]]; then
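Review bot: `/usr/sbin/so-yara-update` now runs on any node with `STRELKA=1` and `STRELKARULES=1`, including non-sensor nodes where the strelka state was just skipped by the new `$is_sensor` test; if the updater writes into paths or containers that only the strelka state creates, it belongs inside the `is_sensor` branch or needs its own guard, which the hunk does not show. Its exit status is discarded like the `salt-call` line above it, so a failed rule fetch is only visible in `$setup_log`; that matches the file's style, but a `|| echo "so-yara-update failed" >> $setup_log` would make the failure easier to find.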
diff --git a/setup/so-whiptail b/setup/so-whiptail
index ce8b22011..2996969fa 100755
--- a/setup/so-whiptail
+++ b/setup/so-whiptail
@@ -412,6 +412,13 @@ whiptail_enable_components() {
[ -n "$TESTING" ] && return
+ GRAFANA=0
+ OSQUERY=0
+ WAZUH=0
+ THEHIVE=0
+ PLAYBOOK=0
+ STRELKA=0
+
COMPONENTS=$(whiptail --title "Security Onion Setup" --checklist \
"Select Components to install" 20 75 8 \
GRAFANA "Enable Grafana for system monitoring" ON \