Merge pull request #862 from Security-Onion-Solutions/dev

1.4.0

.gitignore

@@ -1,2 +1,59 @@
+
+# Created by https://www.gitignore.io/api/macos,windows
+# Edit at https://www.gitignore.io/?templates=macos,windows
+
+### macOS ###
+# General
 .DS_Store
-.idea
+.AppleDouble
+.LSOverride
+
+# Icon must end with two \r
+Icon
+
+# Thumbnails
+._*
+
+# Files that might appear in the root of a volume
+.DocumentRevisions-V100
+.fseventsd
+.Spotlight-V100
+.TemporaryItems
+.Trashes
+.VolumeIcon.icns
+.com.apple.timemachine.donotpresent
+
+# Directories potentially created on remote AFP share
+.AppleDB
+.AppleDesktop
+Network Trash Folder
+Temporary Items
+.apdisk
+
+### Windows ###
+# Windows thumbnail cache files
+Thumbs.db
+Thumbs.db:encryptable
+ehthumbs.db
+ehthumbs_vista.db
+
+# Dump file
+*.stackdump
+
+# Folder config file
+[Dd]esktop.ini
+
+# Recycle Bin used on file shares
+$RECYCLE.BIN/
+
+# Windows Installer files
+*.cab
+*.msi
+*.msix
+*.msm
+*.msp
+
+# Windows shortcuts
+*.lnk
+
+# End of https://www.gitignore.io/api/macos,windows

README.md

@@ -1,37 +1,75 @@
-## Hybrid Hunter Alpha 1.1.4 - Feature Parity Release
+## Hybrid Hunter Beta 1.4.0 - Beta 3
+
+- Complete overhaul of the way we handle custom and default settings and data. You will now see a default and local directory under the saltstack directory. All customizations are stored in local.
+- The way firewall rules are handled has been completely revamped. This will allow the user to customize firewall rules much easier. 
+- Users can now change their own password in SOC.
+- Hunt now allows users to enable auto-hunt. This is a toggle which, when enabled, automatically submits a new hunt when filtering, grouping, etc.
+- Title bar now reflects current Hunt query. This will assist users in locating a previous query from their browser history.
+- Zeek 3.0.7
+- Elastic 7.7.1
+- Suricata can now be used for meta data generation.
+- Suricata eve.json has been moved to `/nsm` to align with storage of other data.
+- Suricata will now properly rotate its logs.
+- Grafana dashboards now work properly in standalone mode.
+- Kibana Dashboard updates including osquery, community_id.  
+- New Elasticsearch Ingest processor to generate community_id from any log that includes the required fields.  
+- Community_id generated for additional logs: Zeek HTTP/SMTP/ , Sysmon shipped with Osquery or Winlogbeat.  
+- Major streamlining of Fleet setup & configuration - no need to run a secondary setup script anymore. 
+- Fleet Standalone node now includes the ability to set a FQDN to point osquery endpoints to. 
+- Distributed installs now support ingesting Windows Eventlogs via Winlogbeat - includes full parsing support for Sysmon.
+- SOC Downloads section now includes a link to the supported version of Winlogbeat.     
+- Basic syslog ingestion capability now included.
+- Elasticsearch index name transition fixes for various components.
+- Updated URLs for pivot fields in Kibana.
+- Instances of `hive` renamed to `thehive`. 
+ 
+### Known Issues:
+
+- The Hunt feature is currently considered "Preview" and although very useful in its current state, not everything works. We wanted to get this out as soon as possible to get the feedback from you! Let us know what you want to see! Let us know what you think we should call it!
+- You cannot pivot to PCAP from Suricata alerts in Kibana or Hunt.
+- Navigator is currently not working when using hostname to access SOC. IP mode works correctly.
+- Due to the move to ECS, the current Playbook plays may not alert correctly at this time.
+- The osquery MacOS package does not install correctly.
+
+
+## Hybrid Hunter Beta 1.3.0 - Beta 2
 
 ### Changes:
 
-- Added new in-house auth method [Security Onion Auth](https://github.com/Security-Onion-Solutions/securityonion-auth).
-- Web user creation is done via the browser now instead of so-user-add.
-- New Logstash pipeline setup. Now uses multiple pipelines.
-- New Master + Search node type and well as a Heavy Node type in the install. 
-- Change all nodes to point to the docker registry on the Master. This cuts down on the calls to dockerhub.
-- Zeek 3.0.1
-- Elastic 6.8.6
-- New SO Start | Stop | Restart scripts for all components (eg. `so-playbook-restart`).
-- BPF support for Suricata (NIDS), Steno (PCAP) & Zeek ([Docs](https://github.com/Security-Onion-Solutions/securityonion-saltstack/wiki/BPF)).
-- Updated Domain Stats & Frequency Server containers to Python3 & created new Salt states for them.
-- Added so-status script which gives an easy to read look at container status.
-- Manage threshold.conf for Suricata using the thresholding pillar.
-- The ISO now includes all the docker containers for faster install speeds.
-- You now set the password for the onion account during the iso install. This account is temporary and will be removed after so-setup. 
-- Updated Helix parsers for better compatibility.
-- Updated telegraf docker to include curl and jq.
-- CVE-2020-0601 Zeek Detection Script. 
-- ISO Install now prompts you to create a password for the onion user during imaging. This account gets disabled during setup.
+- New Feature: Codename: "Onion Hunt". Select Hunt from the menu and start hunting down your adversaries! 
+- Improved ECS support.
+- Complete refactor of the setup to make it easier to follow.
+- Improved setup script logging to better assist on any issues.
+- Setup now checks for minimal requirements during install.
+- Updated Cyberchef to version 9.20.3.
+- Updated Elastalert to version 0.2.4 and switched to alpine to reduce container size.
+- Updated Redis to 5.0.9 and switched to alpine to reduce container size.
+- Updated Salt to 2019.2.5
+- Updated Grafana to 6.7.3.
+- Zeek 3.0.6
+- Suricata 4.1.8
+- Fixes so-status to now display correct containers and status.
+- local.zeek is now controlled by a pillar instead of modifying the file directly.
+- Renamed so-core to so-nginx and switched to alpine to reduce container size.
+- Playbook now uses MySQL instead of SQLite.
+- Sigma rules have all been updated.
+- Kibana dashboard improvements for ECS.
+- Fixed an issue where geoip was not properly parsed.
+- ATT&CK Navigator is now it's own state.
+- Standlone mode is now supported.
+- Mastersearch previously used the same Grafana dashboard as a Search node. It now has its own dashboard that incorporates panels from the Master node and Search node dashboards.
+ 
+### Known Issues:
 
-## Version 1.1.4 ISO Download
-
-[HH1.1.4-44.ISO](https://download.securityonion.net/file/Hybrid-Hunter/HH-1.1.4-44.iso)  
-
-MD5: C881536D55C5791F69596E474513E953  
-SHA1: 1CF503A46279EDDC5C84AA9F02167839004E7723  
-SHA256: F5C2FB52DFD314540019953BFE1960AF130AB09CD75E60E66CAA122DAD4DA414  
+- The Hunt feature is currently considered "Preview" and although very useful in its current state, not everything works. We wanted to get this out as soon as possible to get the feedback from you! Let us know what you want to see! Let us know what you think we should call it!
+- You cannot pivot to PCAP from Suricata alerts in Kibana or Hunt.
+- Updating users via the SOC ui is known to fail. To change a user, delete the user and re-add them. 
+- Due to the move to ECS, the current Playbook plays may not alert correctly at this time.
+- The osquery MacOS package does not install correctly.
 
 ### Warnings and Disclaimers
 
-- This ALPHA release is BLEEDING EDGE and TOTALLY UNSUPPORTED!  
+- This BETA release is BLEEDING EDGE and TOTALLY UNSUPPORTED!  
 - If this breaks your system, you get to keep both pieces!  
 - This script is a work in progress and is in constant flux.  
 - This script is intended to build a quick prototype proof of concept so you can see what our new platform might look like.  This configuration will change drastically over time leading up to the final release.  
@@ -44,33 +82,36 @@ SHA256: F5C2FB52DFD314540019953BFE1960AF130AB09CD75E60E66CAA122DAD4DA414
 
 Evaluation Mode:
 
-- ISO or a Single VM running Ubuntu 16.04 or CentOS 7
+- ISO or a Single VM running Ubuntu 18.04 or CentOS 7
 - Minimum 12GB of RAM
 - Minimum 4 CPU cores
 - Minimum 2 NICs
 
 Distributed:
 
-- 3 VMs running the ISO or Ubuntu 16.04 or CentOS 7 (You can mix and match)
+- 3 VMs running the ISO or Ubuntu 18.04 or CentOS 7 (You can mix and match)
 - Minimum 8GB of RAM per VM
 - Minimum 4 CPU cores per VM
 - Minimum 2 NICs for forward nodes
 
-### Prerequisites for Network Based Install
+### Installation
 
-Install git if using a Centos 7 Minimal install:
+For most users, we recommend installing using [our ISO image](https://github.com/Security-Onion-Solutions/securityonion-saltstack/wiki/ISO).
+
+If instead you would like to try a manual installation (not using our ISO), you can build from CentOS 7 or Ubuntu 18.04.
+
+If using CentOS 7 Minimal, you will need to install git:
 
 ```sudo yum -y install git```
 
-### Installation
-
-Once you resolve those requirements or are using Ubuntu 16.04 do the following:
+Once you have git, then do the following:
 
 ```
 git clone https://github.com/Security-Onion-Solutions/securityonion-saltstack
 cd securityonion-saltstack
-sudo bash so-setup-network.sh
+sudo bash so-setup-network
 ```
+
 Follow the prompts and reboot if asked to do so.
 
 Then proceed to the [Hybrid Hunter Quick Start Guide](https://github.com/Security-Onion-Solutions/securityonion-saltstack/wiki/Hybrid-Hunter-Quick-Start-Guide).

VERSION

@@ -1 +1 @@
-1.0.6
+1.4.0

exclude-list.txt

@@ -1,2 +0,0 @@
-salt/bro/files/local.bro
-salt/bro/files/local.bro.community

files/firewall/assigned_hostgroups.local.map.yaml

@@ -0,0 +1,20 @@
+{% import_yaml 'firewall/portgroups.yaml' as default_portgroups %}
+{% set default_portgroups = default_portgroups.firewall.aliases.ports %}
+{% import_yaml 'firewall/portgroups.local.yaml' as local_portgroups %}
+{% if local_portgroups.firewall.aliases.ports %}
+  {% set local_portgroups = local_portgroups.firewall.aliases.ports %}
+{% else %}
+  {% set local_portgroups = {} %}
+{% endif %}
+{% set portgroups = salt['defaults.merge'](default_portgroups, local_portgroups, in_place=False) %}
+
+role:
+  eval:
+  fleet:
+  heavynode:
+  helixsensor:
+  master:
+  mastersearch:
+  standalone:
+  searchnode:
+  sensor:

files/firewall/hostgroups.local.yaml

@@ -0,0 +1,62 @@
+firewall:
+  hostgroups:
+    analyst:
+      ips:
+        delete:
+        insert:
+    beats_endpoint:
+      ips:
+        delete:
+        insert:
+    beats_endpoint_ssl:
+      ips:
+        delete:
+        insert:
+    fleet:
+      ips:
+        delete:
+        insert:
+    heavy_node:
+      ips:
+        delete:
+        insert:
+    master:
+      ips:
+        delete:
+        insert:
+    minion:
+      ips:
+        delete:
+        insert:
+    node:
+      ips:
+        delete:
+        insert:
+    osquery_endpoint:
+      ips:
+        delete:
+        insert:
+    search_node:
+      ips:
+        delete:
+        insert:
+    sensor:
+      ips:
+        delete:
+        insert:
+    syslog:
+      ips:
+        delete:
+        insert:
+    wazuh_agent:
+      ips:
+        delete:
+        insert:
+    wazuh_api:
+      ips:
+        delete:
+        insert:
+    wazuh_authd:
+      ips:
+        delete:
+        insert:

files/firewall/portgroups.local.yaml

@@ -0,0 +1,3 @@
+firewall:
+  aliases:
+    ports:

files/master

@@ -12,6 +12,7 @@
 # modified files cause conflicts, set verify_env to False.
 # user: socore
 
+log_file: /opt/so/log/salt/master
 
 #####      File Server settings      #####
 ##########################################
@@ -36,7 +37,9 @@
 #
 file_roots:
   base:
-    - /opt/so/saltstack/salt
+    - /opt/so/saltstack/local/salt
+    - /opt/so/saltstack/default/salt
+
 
 # The master_roots setting configures a master-only copy of the file_roots dictionary,
 # used by the state compiler.
@@ -52,8 +55,13 @@ file_roots:
 
 pillar_roots:
   base:
-    - /opt/so/saltstack/pillar
+    - /opt/so/saltstack/local/pillar
+    - /opt/so/saltstack/default/pillar
 
 peer:
   .*:
     - x509.sign_remote_certificate
+
+reactor:
+  - 'so/fleet':
+    - salt://reactor/fleet.sls

pillar/data/addtotab.sh

@@ -1,7 +1,8 @@
 #!/usr/bin/env bash
 
 # This script adds sensors/nodes/etc to the nodes tab
-
+default_salt_dir=/opt/so/saltstack/default
+local_salt_dir=/opt/so/saltstack/local
 TYPE=$1
 NAME=$2
 IPADDRESS=$3
@@ -15,7 +16,7 @@ MONINT=$9
 #HOTNAME=$11
 
 echo "Seeing if this host is already in here. If so delete it"
-if grep -q $NAME "/opt/so/saltstack/pillar/data/$TYPE.sls"; then
+if grep -q $NAME "$local_salt_dir/pillar/data/$TYPE.sls"; then
   echo "Node Already Present - Let's re-add it"
   awk -v blah="  $NAME:" 'BEGIN{ print_flag=1 }
 {
@@ -31,27 +32,29 @@ if grep -q $NAME "/opt/so/saltstack/pillar/data/$TYPE.sls"; then
     if ( print_flag == 1 )
         print $0
 
-} ' /opt/so/saltstack/pillar/data/$TYPE.sls > /opt/so/saltstack/pillar/data/tmp.$TYPE.sls
-mv /opt/so/saltstack/pillar/data/tmp.$TYPE.sls /opt/so/saltstack/pillar/data/$TYPE.sls
+} ' $local_salt_dir/pillar/data/$TYPE.sls > $local_salt_dir/pillar/data/tmp.$TYPE.sls
+mv $local_salt_dir/pillar/data/tmp.$TYPE.sls $local_salt_dir/pillar/data/$TYPE.sls
 echo "Deleted $NAME from the tab. Now adding it in again with updated info"
 fi
-echo "  $NAME:" >> /opt/so/saltstack/pillar/data/$TYPE.sls
-echo "    ip: $IPADDRESS" >> /opt/so/saltstack/pillar/data/$TYPE.sls
-echo "    manint: $MANINT" >> /opt/so/saltstack/pillar/data/$TYPE.sls
-echo "    totalcpus: $CPUS" >> /opt/so/saltstack/pillar/data/$TYPE.sls
-echo "    guid: $GUID" >> /opt/so/saltstack/pillar/data/$TYPE.sls
-echo "    rootfs: $ROOTFS" >> /opt/so/saltstack/pillar/data/$TYPE.sls
-echo "    nsmfs: $NSM" >> /opt/so/saltstack/pillar/data/$TYPE.sls
+echo "  $NAME:" >> $local_salt_dir/pillar/data/$TYPE.sls
+echo "    ip: $IPADDRESS" >> $local_salt_dir/pillar/data/$TYPE.sls
+echo "    manint: $MANINT" >> $local_salt_dir/pillar/data/$TYPE.sls
+echo "    totalcpus: $CPUS" >> $local_salt_dir/pillar/data/$TYPE.sls
+echo "    guid: $GUID" >> $local_salt_dir/pillar/data/$TYPE.sls
+echo "    rootfs: $ROOTFS" >> $local_salt_dir/pillar/data/$TYPE.sls
+echo "    nsmfs: $NSM" >> $local_salt_dir/pillar/data/$TYPE.sls
 if [ $TYPE == 'sensorstab' ]; then
-  echo "    monint: $MONINT" >> /opt/so/saltstack/pillar/data/$TYPE.sls
-  salt-call state.apply common queue=True
+  echo "    monint: $MONINT" >> $local_salt_dir/pillar/data/$TYPE.sls
+  salt-call state.apply grafana queue=True
 fi
-if [ $TYPE == 'evaltab' ]; then
-  echo "    monint: $MONINT" >> /opt/so/saltstack/pillar/data/$TYPE.sls
-  salt-call state.apply common queue=True
-  salt-call state.apply utility queue=True
+if [ $TYPE == 'evaltab' ] || [ $TYPE == 'standalonetab' ]; then
+  echo "    monint: $MONINT" >> $local_salt_dir/pillar/data/$TYPE.sls
+  if [ ! $10 ]; then
+    salt-call state.apply grafana queue=True
+    salt-call state.apply utility queue=True
+  fi
 fi
 #if [ $TYPE == 'nodestab' ]; then
-#  echo "    nodetype: $NODETYPE" >> /opt/so/saltstack/pillar/data/$TYPE.sls
-#  echo "    hotname: $HOTNAME" >> /opt/so/saltstack/pillar/data/$TYPE.sls
+#  echo "    nodetype: $NODETYPE" >> $local_salt_dir/pillar/data/$TYPE.sls
+#  echo "    hotname: $HOTNAME" >> $local_salt_dir/pillar/data/$TYPE.sls
 #fi

pillar/data/evaltab.sls

@@ -1 +0,0 @@
-evaltab:

pillar/data/mastertab.sls

@@ -1 +0,0 @@
-mastertab:

pillar/data/nodestab.sls

@@ -1 +0,0 @@
-nodestab:

pillar/data/sensorstab.sls

@@ -1 +0,0 @@
-sensorstab:

pillar/docker/config.sls

@@ -1,4 +1,5 @@
-{% set OSQUERY = salt['pillar.get']('master:osquery', '0') %}
+{%- set FLEETMASTER = salt['pillar.get']('static:fleet_master', False) -%}
+{%- set FLEETNODE = salt['pillar.get']('static:fleet_node', False) -%}
 {% set WAZUH = salt['pillar.get']('master:wazuh', '0') %}
 {% set THEHIVE = salt['pillar.get']('master:thehive', '0') %}
 {% set PLAYBOOK = salt['pillar.get']('master:playbook', '0') %}
@@ -7,21 +8,19 @@
 {% set BROVER = salt['pillar.get']('static:broversion', 'COMMUNITY') %}
 {% set GRAFANA = salt['pillar.get']('master:grafana', '0') %}
 
-
 eval:
   containers:
-    - so-core
+    - so-nginx
     - so-telegraf
     {% if  GRAFANA == '1' %}
     - so-influxdb
     - so-grafana
     {% endif %}
     - so-dockerregistry
-    - so-sensoroni
+    - so-soc
+    - so-kratos
     - so-idstools
-    - so-auth-api
-    - so-auth-ui
-    {% if OSQUERY != '0' %}
+    {% if FLEETMASTER %}
     - so-mysql
     - so-fleet
     - so-redis
@@ -55,7 +54,7 @@ eval:
     {% endif %}
 heavy_node:
   containers:
-    - so-core
+    - so-nginx
     - so-telegraf
     - so-redis
     - so-logstash
@@ -70,7 +69,7 @@ heavy_node:
     {% endif %}
 helix:
   containers:
-    - so-core
+    - so-nginx
     - so-telegraf
     - so-idstools
     - so-steno
@@ -80,21 +79,20 @@ helix:
     - so-filebeat
 hot_node:
   containers:
-    - so-core
+    - so-nginx
     - so-telegraf
     - so-logstash
     - so-elasticsearch
     - so-curator
 master_search:
   containers:
-    - so-core
+    - so-nginx
     - so-telegraf
-    - so-sensoroni
+    - so-soc
+    - so-kratos
     - so-acng
     - so-idstools
     - so-redis
-    - so-auth-api
-    - so-auth-ui
     - so-logstash
     - so-elasticsearch
     - so-curator
@@ -102,7 +100,7 @@ master_search:
     - so-elastalert
     - so-filebeat
     - so-soctopus
-    {% if OSQUERY != '0' %}
+    {% if FLEETMASTER %}
     - so-mysql
     - so-fleet
     - so-redis
@@ -129,24 +127,23 @@ master_search:
 master:
   containers:
     - so-dockerregistry
-    - so-core
+    - so-nginx
     - so-telegraf
     {% if  GRAFANA == '1' %}
     - so-influxdb
     - so-grafana
     {% endif %}
-    - so-sensoroni
+    - so-soc
+    - so-kratos
     - so-acng
     - so-idstools
     - so-redis
-    - so-auth-api
-    - so-auth-ui
     - so-elasticsearch
     - so-logstash
     - so-kibana
     - so-elastalert
     - so-filebeat
-    {% if OSQUERY != '0' %}
+    {% if FLEETMASTER %}
     - so-mysql
     - so-fleet
     - so-redis
@@ -172,12 +169,12 @@ master:
     {% endif %}
 parser_node:
   containers:
-    - so-core
+    - so-nginx
     - so-telegraf
     - so-logstash
 search_node:
   containers:
-    - so-core
+    - so-nginx
     - so-telegraf
     - so-logstash
     - so-elasticsearch
@@ -188,7 +185,7 @@ search_node:
     {% endif %}
 sensor:
   containers:
-    - so-core
+    - so-nginx
     - so-telegraf
     - so-steno
     - so-suricata
@@ -199,7 +196,16 @@ sensor:
     - so-filebeat
 warm_node:
   containers:
-    - so-core
+    - so-nginx
     - so-telegraf
     - so-elasticsearch
-    
+fleet:
+  containers:
+    {% if FLEETNODE %}
+    - so-mysql
+    - so-fleet
+    - so-redis
+    - so-filebeat
+    - so-nginx
+    - so-telegraf
+    {% endif %}

pillar/firewall/addfirewall.sh

@@ -1,13 +1,13 @@
 #!/usr/bin/env bash
 
 # This script adds ip addresses to specific rule sets defined by the user
-
+local_salt_dir=/opt/so/saltstack/local
 POLICY=$1
 IPADDRESS=$2
 
-if grep -q $2 "/opt/so/saltstack/pillar/firewall/$1.sls"; then
+if grep -q $2 "$local_salt_dir/pillar/firewall/$1.sls"; then
   echo "Firewall Rule Already There"
 else
-  echo "  - $2" >> /opt/so/saltstack/pillar/firewall/$1.sls
+  echo "  - $2" >> $local_salt_dir/pillar/firewall/$1.sls
   salt-call state.apply firewall queue=True
-fi
+fi

pillar/firewall/analyst.sls

@@ -1,3 +0,0 @@
-analyst:
-  - 127.0.0.1
-  

pillar/firewall/beats_endpoint.sls

@@ -1,3 +0,0 @@
-beats_endpoint:
-  - 127.0.0.1
-  

pillar/firewall/forward_nodes.sls

@@ -1,3 +0,0 @@
-forward_nodes:
-  - 127.0.0.1
-  

pillar/firewall/masterfw.sls

@@ -1,2 +0,0 @@
-masterfw:
-  - 127.0.0.1

pillar/firewall/minions.sls

@@ -1,3 +0,0 @@
-minions:
-  - 127.0.0.1
-  

pillar/firewall/osquery_endpoint.sls

@@ -1,3 +0,0 @@
-osquery_endpoint:
-  - 127.0.0.1
-  

pillar/firewall/ports.sls

@@ -0,0 +1,62 @@
+firewall:
+  analyst:
+    ports:
+      tcp:
+        - 80
+        - 443
+      udp:
+  beats_endpoint:
+    ports:
+      tcp:
+        - 5044
+  forward_nodes:
+    ports:
+      tcp:
+        - 443
+        - 5044
+        - 5644
+        - 9822
+      udp:
+  master:
+    ports:
+      tcp:
+        - 1514
+        - 3200
+        - 3306
+        - 4200
+        - 5601
+        - 6379
+        - 8086
+        - 8090
+        - 9001
+        - 9200
+        - 9300
+        - 9400  
+        - 9500
+      udp:
+        - 1514
+  minions:
+    ports:
+      tcp:
+        - 3142
+        - 4505
+        - 4506
+        - 5000
+        - 8080
+        - 8086
+        - 55000      
+  osquery_endpoint:
+    ports:
+      tcp:
+        - 8090
+  search_nodes:
+    ports:
+      tcp:
+        - 6379
+        - 9300
+  wazuh_endpoint:
+    ports:
+      tcp:
+        - 1514
+      udp: 
+        -1514

pillar/firewall/search_nodes.sls

@@ -1,2 +0,0 @@
-search_nodes:
-  - 127.0.0.1

pillar/firewall/wazuh_endpoint.sls

@@ -1,2 +0,0 @@
-wazuh_endpoint:
-  - 127.0.0.1

pillar/healthcheck/eval.sls

@@ -0,0 +1,5 @@
+healthcheck:
+  enabled: False
+  schedule: 300
+  checks:
+    - zeek

pillar/healthcheck/sensor.sls

@@ -0,0 +1,5 @@
+healthcheck:
+  enabled: False
+  schedule: 300
+  checks:
+    - zeek

pillar/healthcheck/standalone.sls

@@ -0,0 +1,5 @@
+healthcheck:
+  enabled: False
+  schedule: 300
+  checks:
+    - zeek

pillar/logstash/eval.sls

@@ -1,4 +1,21 @@
 logstash:
   pipelines:
     eval:
-      config: "/usr/share/logstash/pipelines/eval/*.conf"
+      config:
+        - so/0800_input_eval.conf
+        - so/1002_preprocess_json.conf
+        - so/1033_preprocess_snort.conf
+        - so/7100_osquery_wel.conf
+        - so/8999_postprocess_rename_type.conf
+        - so/9000_output_bro.conf.jinja
+        - so/9002_output_import.conf.jinja
+        - so/9033_output_snort.conf.jinja
+        - so/9100_output_osquery.conf.jinja
+        - so/9400_output_suricata.conf.jinja
+        - so/9500_output_beats.conf.jinja
+        - so/9600_output_ossec.conf.jinja
+        - so/9700_output_strelka.conf.jinja
+  templates:
+    - so/so-beats-template.json
+    - so/so-common-template.json
+    - so/so-zeek-template.json

pillar/logstash/helix.sls

@@ -1,4 +1,42 @@
 logstash:
   pipelines:
     helix:
-      config: "/usr/share/logstash/pipelines/helix/*.conf"
+      config:
+        - so/0010_input_hhbeats.conf
+        - so/1033_preprocess_snort.conf
+        - so/1100_preprocess_bro_conn.conf
+        - so/1101_preprocess_bro_dhcp.conf
+        - so/1102_preprocess_bro_dns.conf
+        - so/1103_preprocess_bro_dpd.conf
+        - so/1104_preprocess_bro_files.conf
+        - so/1105_preprocess_bro_ftp.conf
+        - so/1106_preprocess_bro_http.conf
+        - so/1107_preprocess_bro_irc.conf
+        - so/1108_preprocess_bro_kerberos.conf
+        - so/1109_preprocess_bro_notice.conf
+        - so/1110_preprocess_bro_rdp.conf
+        - so/1111_preprocess_bro_signatures.conf
+        - so/1112_preprocess_bro_smtp.conf
+        - so/1113_preprocess_bro_snmp.conf
+        - so/1114_preprocess_bro_software.conf
+        - so/1115_preprocess_bro_ssh.conf
+        - so/1116_preprocess_bro_ssl.conf
+        - so/1117_preprocess_bro_syslog.conf
+        - so/1118_preprocess_bro_tunnel.conf
+        - so/1119_preprocess_bro_weird.conf
+        - so/1121_preprocess_bro_mysql.conf
+        - so/1122_preprocess_bro_socks.conf
+        - so/1123_preprocess_bro_x509.conf
+        - so/1124_preprocess_bro_intel.conf
+        - so/1125_preprocess_bro_modbus.conf
+        - so/1126_preprocess_bro_sip.conf
+        - so/1127_preprocess_bro_radius.conf
+        - so/1128_preprocess_bro_pe.conf
+        - so/1129_preprocess_bro_rfb.conf
+        - so/1130_preprocess_bro_dnp3.conf
+        - so/1131_preprocess_bro_smb_files.conf
+        - so/1132_preprocess_bro_smb_mapping.conf
+        - so/1133_preprocess_bro_ntlm.conf
+        - so/1134_preprocess_bro_dce_rpc.conf
+        - so/8001_postprocess_common_ip_augmentation.conf
+        - so/9997_output_helix.conf.jinja

pillar/logstash/init.sls

@@ -0,0 +1,11 @@
+logstash:
+  docker_options:
+    port_bindings:
+      - 0.0.0.0:514:514
+      - 0.0.0.0:5044:5044
+      - 0.0.0.0:5644:5644
+      - 0.0.0.0:6050:6050
+      - 0.0.0.0:6051:6051
+      - 0.0.0.0:6052:6052
+      - 0.0.0.0:6053:6053
+      - 0.0.0.0:9600:9600

pillar/logstash/master.sls

@@ -1,4 +1,7 @@
 logstash:
   pipelines:
     master:
-      config: "/usr/share/logstash/pipelines/master/*.conf"
+      config:
+        - so/0009_input_beats.conf      
+        - so/0010_input_hhbeats.conf
+        - so/9999_output_redis.conf.jinja

pillar/logstash/search.sls

@@ -1,4 +1,16 @@
 logstash:
   pipelines:
     search:
-      config: "/usr/share/logstash/pipelines/search/*.conf"
+      config:
+        - so/0900_input_redis.conf.jinja
+        - so/9000_output_zeek.conf.jinja
+        - so/9002_output_import.conf.jinja
+        - so/9034_output_syslog.conf.jinja
+        - so/9100_output_osquery.conf.jinja
+        - so/9400_output_suricata.conf.jinja
+        - so/9500_output_beats.conf.jinja
+        - so/9600_output_ossec.conf.jinja
+        - so/9700_output_strelka.conf.jinja
+  templates:
+    - so/so-common-template.json
+    - so/so-zeek-template.json

pillar/masters/example.sls

@@ -1,10 +0,0 @@
-# Example Pillar file for a master
-master:
-  esaccessip: 127.0.0.1
-  esheap: CHANGEME
-  esclustername: {{ grains.host }}
-  freq: 0
-  domainstats: 0
-  lsheap: 1500m
-  lsaccessip: 127.0.0.1
-  elastalert: 1

pillar/nodes/example.sls

@@ -1,5 +0,0 @@
-# Example Pillar file for a sensor
-node:
-  ls_heapsize: CHANGEME
-  es_heapsize: CHANGEME
-  node_type: CHANGEME

pillar/sensors/example.sls

@@ -1,14 +0,0 @@
-# Example Pillar file for a sensor
-sensor:
-  interface: CHANGEME
-  bro_pins:
-    - 1
-    - 2
-    - 3
-    - 4
-  brobpf:
-  pcapbpf:
-  nidsbpf:
-  s3bucket:
-  s3key:
-

pillar/top.sls

@@ -1,55 +1,78 @@
 base:
   '*':
     - patch.needs_restarting
-    - docker.config
 
-  'G@role:so-mastersearch or G@role:so-heavynode':
+  '*_eval or *_helix or *_heavynode or *_sensor or *_standalone':
     - match: compound
+    - zeek
+
+  '*_mastersearch or *_heavynode':
+    - match: compound
+    - logstash
     - logstash.master
     - logstash.search
 
-  'G@role:so-sensor':
+  '*_sensor':
     - static
-    - firewall.*
     - brologs
+    - healthcheck.sensor
     - minions.{{ grains.id }}
 
-  'G@role:so-master or G@role:so-mastersearch':
+  '*_master or *_mastersearch':
     - match: compound
     - static
-    - firewall.*
     - data.*
-    - auth
+    - secrets
     - minions.{{ grains.id }}
 
-  'G@role:so-master':
+  '*_master':
+    - logstash
     - logstash.master
 
-  'G@role:so-eval':
+  '*_eval':
     - static
-    - firewall.*
     - data.*
     - brologs
-    - auth
-    - logstash.eval
+    - secrets
+    - healthcheck.eval
     - minions.{{ grains.id }}
 
-  'G@role:so-node':
+  '*_standalone':
+    - logstash
+    - logstash.master
+    - logstash.search
+    - data.*
+    - brologs
+    - secrets
+    - healthcheck.standalone
     - static
-    - firewall.*
     - minions.{{ grains.id }}
 
-  'G@role:so-heavynode':
+  '*_node':
+    - static
+    - minions.{{ grains.id }}
+
+  '*_heavynode':
     - static
-    - firewall.*
     - brologs
     - minions.{{ grains.id }}
 
-  'G@role:so-helix':
+  '*_helix':
     - static
-    - firewall.*
     - fireeye
     - brologs
+    - logstash
     - logstash.helix
-    - static
+    - minions.{{ grains.id }}
+
+  '*_fleet':
+    - static
+    - data.*
+    - secrets
+    - minions.{{ grains.id }}
+
+  '*_searchnode':
+    - static
+    - logstash
+    - logstash.search
     - minions.{{ grains.id }}

pillar/zeek/init.sls

@@ -0,0 +1,55 @@
+zeek:
+  zeekctl:
+    MailTo: root@localhost
+    MailConnectionSummary: 1
+    MinDiskSpace: 5
+    MailHostUpDown: 1
+    LogRotationInterval: 3600
+    LogExpireInterval: 0
+    StatsLogEnable: 1
+    StatsLogExpireInterval: 0
+    StatusCmdShowAll: 0
+    CrashExpireInterval: 0
+    SitePolicyScripts: local.zeek
+    LogDir: /nsm/zeek/logs
+    SpoolDir: /nsm/zeek/spool
+    CfgDir: /opt/zeek/etc
+    CompressLogs: 1
+  local:
+    '@load':
+      - misc/loaded-scripts
+      - tuning/defaults
+      - misc/capture-loss
+      - misc/stats
+      - frameworks/software/vulnerable
+      - frameworks/software/version-changes
+      - protocols/ftp/software
+      - protocols/smtp/software
+      - protocols/ssh/software
+      - protocols/http/software
+      - protocols/dns/detect-external-names
+      - protocols/ftp/detect
+      - protocols/conn/known-hosts
+      - protocols/conn/known-services
+      - protocols/ssl/known-certs
+      - protocols/ssl/validate-certs
+      - protocols/ssl/log-hostcerts-only
+      - protocols/ssh/geo-data
+      - protocols/ssh/detect-bruteforcing
+      - protocols/ssh/interesting-hostnames
+      - protocols/http/detect-sqli
+      - frameworks/files/hash-all-files
+      - frameworks/files/detect-MHR
+      - policy/frameworks/notice/extend-email/hostnames
+      - ja3
+      - hassh
+      - intel
+      - cve-2020-0601
+      - securityonion/bpfconf
+      - securityonion/communityid
+      - securityonion/file-extraction
+    '@load-sigs':
+      - frameworks/signatures/detect-windows-shells
+    redef:
+      - LogAscii::use_json = T;
+      - LogAscii::json_timestamps = JSON::TS_ISO8601;

salt/_beacons/zeek.py

@@ -0,0 +1,33 @@
+import logging
+
+
+def status():
+
+ cmd = "runuser -l zeek -c '/opt/zeek/bin/zeekctl status'"
+ retval = __salt__['docker.run']('so-zeek', cmd)
+ logging.info('zeekctl_module: zeekctl.status retval: %s' % retval)
+
+ return retval
+
+
+def beacon(config):
+
+  retval = []
+
+  is_enabled = __salt__['healthcheck.is_enabled']()
+  logging.info('zeek_beacon: healthcheck_is_enabled: %s' % is_enabled)
+
+  if is_enabled:
+    zeekstatus = status().lower().split(' ')
+    logging.info('zeek_beacon: zeekctl.status: %s' % str(zeekstatus))
+    if 'stopped' in zeekstatus or 'crashed' in zeekstatus or 'error' in zeekstatus or 'error:' in zeekstatus:
+     zeek_restart = True
+    else:
+     zeek_restart = False
+
+    __salt__['telegraf.send']('healthcheck zeek_restart=%s' % str(zeek_restart))
+    retval.append({'zeek_restart': zeek_restart})
+    logging.info('zeek_beacon: retval: %s' % str(retval))
+
+  return retval
+

salt/_modules/healthcheck.py

@@ -0,0 +1,96 @@
+#!py
+
+import logging
+import sys
+
+allowed_functions = ['is_enabled', 'zeek']
+states_to_apply = []
+
+
+def apply_states(states=''):
+
+  calling_func = sys._getframe().f_back.f_code.co_name
+  logging.debug('healthcheck_module: apply_states function caller: %s' % calling_func)
+
+  if not states:
+    states = ','.join(states_to_apply)
+ 
+  if states: 
+    logging.info('healthcheck_module: apply_states states: %s' % str(states))
+    __salt__['state.apply'](states)
+
+
+def docker_stop(container):
+  
+  try:
+    stopdocker = __salt__['docker.rm'](container, 'stop=True')
+  except Exception as e:
+    logging.error('healthcheck_module: %s' % e)
+
+
+def is_enabled():
+  
+  if __salt__['pillar.get']('healthcheck:enabled', 'False'):
+    retval = True
+  else:
+    retval = False
+  
+  return retval
+  
+
+def run(checks=''):
+  
+  retval = []
+  calling_func = sys._getframe().f_back.f_code.co_name
+  logging.debug('healthcheck_module: run function caller: %s' % calling_func)
+  
+  if checks:
+    checks = checks.split(',')
+  else:  
+    checks = __salt__['pillar.get']('healthcheck:checks', {})
+  
+  logging.debug('healthcheck_module: run checks to be run: %s' % str(checks))
+  for check in checks:
+    if check in allowed_functions:
+      retval.append(check)
+      check = getattr(sys.modules[__name__], check)
+      check()
+    else:
+      logging.warning('healthcheck_module: attempted to run function %s' % check)
+
+  # If you want to apply states at the end of the run,
+  # be sure to append the state name to states_to_apply[]
+  apply_states()
+
+  return retval
+
+
+def send_event(tag, eventdata):
+  __salt__['event.send'](tag, eventdata[0])
+
+
+def zeek():
+
+  calling_func = sys._getframe().f_back.f_code.co_name
+  logging.debug('healthcheck_module: zeek function caller: %s' % calling_func)
+  retval = []
+
+  retcode = __salt__['zeekctl.status'](verbose=False)
+  logging.debug('healthcheck_module: zeekctl.status retcode: %i' % retcode)
+  if retcode:
+    zeek_restart = 1
+    if calling_func != 'beacon':
+      docker_stop('so-zeek')
+      states_to_apply.append('zeek')
+  else:
+    zeek_restart = 0
+
+  __salt__['telegraf.send']('healthcheck zeek_restart=%i' % zeek_restart)
+  
+  if calling_func == 'execute' and zeek_restart:
+    apply_states()
+  
+  retval.append({'zeek_restart': zeek_restart})
+
+  send_event('so/healthcheck/zeek', retval)
+  return retval

salt/_modules/telegraf.py

@@ -0,0 +1,16 @@
+#!py
+
+import logging
+import socket
+
+
+def send(data):
+
+  mainint = __salt__['pillar.get']('sensor:mainint', __salt__['pillar.get']('master:mainint'))
+  mainip = __salt__['grains.get']('ip_interfaces').get(mainint)[0]
+  dstport = 8094
+
+  sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
+  sent = sock.sendto(data.encode('utf-8'), (mainip, dstport))
+
+  return sent

salt/_modules/zeekctl.py

@@ -0,0 +1,160 @@
+#!py
+
+import logging
+
+
+def capstats(interval=10):
+
+ cmd = "runuser -l zeek -c '/opt/zeek/bin/zeekctl capstats %i'" % interval
+ retval = __salt__['docker.run']('so-zeek', cmd)
+ 
+ return retval
+
+
+def check():
+
+ cmd = "runuser -l zeek -c '/opt/zeek/bin/zeekctl check'"
+ retval = __salt__['docker.run']('so-zeek', cmd)
+ 
+ return retval
+
+
+def cleanup(all=''):
+
+ retval = ''
+
+ if all: 
+   if all == 'all':
+     cmd = "runuser -l zeek -c '/opt/zeek/bin/zeekctl cleanup --all'"
+   else:
+     retval = 'Invalid option. zeekctl.help for options'
+ else:
+   cmd = "runuser -l zeek -c '/opt/zeek/bin/zeekctl cleanup'"
+
+ if not retval:
+   retval = __salt__['docker.run']('so-zeek', cmd)
+ return retval
+
+
+def config():
+
+ cmd = "runuser -l zeek -c '/opt/zeek/bin/zeekctl config'"
+ retval = __salt__['docker.run']('so-zeek', cmd)
+ return retval
+
+
+def deploy():
+
+ cmd = "runuser -l zeek -c '/opt/zeek/bin/zeekctl deploy'"
+ retval = __salt__['docker.run']('so-zeek', cmd)
+ return retval
+
+
+def df():
+
+ cmd = "runuser -l zeek -c '/opt/zeek/bin/zeekctl df'"
+ retval = __salt__['docker.run']('so-zeek', cmd)
+ return retval
+
+
+def diag():
+
+ cmd = "runuser -l zeek -c '/opt/zeek/bin/zeekctl diag'"
+ retval = __salt__['docker.run']('so-zeek', cmd)
+ return retval
+
+
+def install(local=''):
+
+ retval = ''
+
+ if local:
+   if local == 'local':
+     cmd = "runuser -l zeek -c '/opt/zeek/bin/zeekctl install --local'"
+   else:
+     retval = 'Invalid option. zeekctl.help for options' 
+ else:
+   cmd = "runuser -l zeek -c '/opt/zeek/bin/zeekctl install'"
+ 
+ if not retval:
+   retval = __salt__['docker.run']('so-zeek', cmd)
+ return retval
+
+
+def netstats():
+
+ cmd = "runuser -l zeek -c '/opt/zeek/bin/zeekctl netstats'"
+ retval = __salt__['docker.run']('so-zeek', cmd)
+ return retval
+
+
+def nodes():
+
+ cmd = "runuser -l zeek -c '/opt/zeek/bin/zeekctl nodes'"
+ retval = __salt__['docker.run']('so-zeek', cmd)
+ return retval
+
+
+def restart(clean=''):
+
+ retval = ''
+
+ if clean:
+   if clean == 'clean':
+     cmd = "runuser -l zeek -c '/opt/zeek/bin/zeekctl restart --clean'"
+   else:
+     retval = 'Invalid option. zeekctl.help for options'
+ else:
+   cmd = "runuser -l zeek -c '/opt/zeek/bin/zeekctl restart'"
+ 
+ if not retval:
+   retval = __salt__['docker.run']('so-zeek', cmd)
+ return retval
+
+
+def scripts(c=''):
+
+ retval = ''
+
+ if c:
+   if c == 'c':
+     cmd = "runuser -l zeek -c '/opt/zeek/bin/zeekctl scripts -c'"
+   else:
+     retval = 'Invalid option. zeekctl.help for options'
+ else:
+   cmd = "runuser -l zeek -c '/opt/zeek/bin/zeekctl scripts'"
+
+ if not retval:
+   retval = __salt__['docker.run']('so-zeek', cmd)
+ return retval
+
+
+def start():
+
+ cmd = "runuser -l zeek -c '/opt/zeek/bin/zeekctl start'"
+ retval = __salt__['docker.run']('so-zeek', cmd)
+ return retval
+
+
+def status(verbose=True):
+
+ cmd = "runuser -l zeek -c '/opt/zeek/bin/zeekctl status'"
+ retval = __salt__['docker.run']('so-zeek', cmd)
+ if not verbose:
+   retval = __context__['retcode']
+ logging.info('zeekctl_module: zeekctl.status retval: %s' % retval)
+ return retval
+
+
+def stop():
+
+ cmd = "runuser -l zeek -c '/opt/zeek/bin/zeekctl stop'"
+ retval = __salt__['docker.run']('so-zeek', cmd)
+ return retval
+
+
+def top():
+
+ cmd = "runuser -l zeek -c '/opt/zeek/bin/zeekctl top'"
+ retval = __salt__['docker.run']('so-zeek', cmd)
+ return retval

salt/auth/init.sls

@@ -1,30 +0,0 @@
-{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.1.4') %}
-{% set MASTER = salt['grains.get']('master') %}
-
-so-auth-api-dir:
-  file.directory:
-    - name: /opt/so/conf/auth/api
-    - user: 939
-    - group: 939
-    - makedirs: True
-
-so-auth-api:
-    docker_container.running:
-        - image: {{ MASTER }}:5000/soshybridhunter/so-auth-api:{{ VERSION }}
-        - hostname: so-auth-api
-        - name: so-auth-api
-        - environment:
-            - BASE_PATH: "/so-auth/api"
-            - AUTH_TOKEN_TIMEOUT: 32400
-        - binds:
-            - /opt/so/conf/auth/api:/data
-        - port_bindings:
-            - 0.0.0.0:5656:5656
-
-so-auth-ui:
-    docker_container.running:
-        - image: {{ MASTER }}:5000/soshybridhunter/so-auth-ui:{{ VERSION }}
-        - hostname: so-auth-ui
-        - name: so-auth-ui
-        - port_bindings:
-            - 0.0.0.0:4242:80

salt/ca/init.sls

@@ -44,5 +44,3 @@ send_x509_pem_entries_to_mine:
     - mine.send:
       - func: x509.get_pem_entries
       - glob_path: /etc/pki/ca.crt
-    - onchanges:
-      - x509: /etc/pki/ca.crt

salt/common/init.sls

@@ -1,6 +1,3 @@
-{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.1.4') %}
-{% set MASTER = salt['grains.get']('master') %}
-{% set GRAFANA = salt['pillar.get']('master:grafana', '0') %}
 # Add socore Group
 socoregroup:
   group.present:
@@ -17,7 +14,6 @@ socore:
     - shell: /bin/bash
 
 # Create a state directory
-
 statedir:
   file.directory:
     - name: /opt/so/state
@@ -32,24 +28,85 @@ salttmp:
     - group: 939
     - makedirs: True
 
-# Install packages needed for the sensor
-
-sensorpkgs:
+# Install epel
+{% if grains['os'] == 'CentOS' %}
+epel:
   pkg.installed:
-    - skip_suggestions: False
+    - skip_suggestions: True
+    - pkgs:
+      - epel-release
+{% endif %}
+
+# Install common packages
+{% if grains['os'] != 'CentOS' %}     
+commonpkgs:
+  pkg.installed:
+    - skip_suggestions: True
     - pkgs:
-      - docker-ce
-      - wget
-      - jq
-      {% if grains['os'] != 'CentOS' %}
-      - python-docker
-      - python-m2crypto
       - apache2-utils
-      {% else %}
-      - net-tools
+      - wget
+      - ntpdate
+      - jq
+      - python3-docker
+      - docker-ce
+      - curl
+      - ca-certificates
+      - software-properties-common
+      - apt-transport-https
+      - openssl
+      - netcat
+      - python3-mysqldb
+      - sqlite3
+      - argon2
+      - libssl-dev
+      - python3-dateutil
+      - python3-m2crypto
+      - python3-mysqldb
+      - git
+heldpackages:
+  pkg.installed:
+    - pkgs:
+      - containerd.io: 1.2.13-2
+      - docker-ce: 5:19.03.9~3-0~ubuntu-bionic
+    - hold: True
+    - update_holds: True
+
+{% else %}
+commonpkgs:
+  pkg.installed:
+    - skip_suggestions: True
+    - pkgs:
+      - wget
+      - ntpdate
+      - bind-utils
+      - jq
       - tcpdump
       - httpd-tools
-      {% endif %}
+      - net-tools
+      - curl
+      - sqlite
+      - argon2
+      - mariadb-devel
+      - nmap-ncat
+      - python3
+      - python36-docker
+      - python36-dateutil
+      - python36-m2crypto
+      - python36-mysql
+      - yum-utils
+      - device-mapper-persistent-data
+      - lvm2
+      - openssl
+      - git
+
+heldpackages:
+  pkg.installed:
+    - pkgs:
+      - containerd.io: 1.2.13-3.2.el7
+      - docker-ce: 3:19.03.11-3.el7
+    - hold: True
+    - update_holds: True
+{% endif %}
 
 # Always keep these packages up to date
 
@@ -62,7 +119,6 @@ alwaysupdated:
     - skip_suggestions: True
 
 # Set time to UTC
-
 Etc/UTC:
   timezone.system
 
@@ -75,338 +131,3 @@ utilsyncscripts:
     - file_mode: 755
     - template: jinja
     - source: salt://common/tools/sbin
-
-# Make sure Docker is running!
-docker:
-  service.running:
-    - enable: True
-
-salt-minion:
-  service.running:
-    - enable: True
-
-# Drop the correct nginx config based on role
-
-nginxconfdir:
-  file.directory:
-    - name: /opt/so/conf/nginx
-    - user: 939
-    - group: 939
-    - makedirs: True
-
-nginxconf:
-  file.managed:
-    - name: /opt/so/conf/nginx/nginx.conf
-    - user: 939
-    - group: 939
-    - template: jinja
-    - source: salt://common/nginx/nginx.conf.{{ grains.role }}
-
-copyindex:
-  file.managed:
-    - name: /opt/so/conf/nginx/index.html
-    - user: 939
-    - group: 939
-    - source: salt://common/nginx/index.html
-
-nginxlogdir:
-  file.directory:
-    - name: /opt/so/log/nginx/
-    - user: 939
-    - group: 939
-    - makedirs: True
-
-nginxtmp:
-  file.directory:
-    - name: /opt/so/tmp/nginx/tmp
-    - user: 939
-    - group: 939
-    - makedirs: True
-
-so-core:
-  docker_container.running:
-    - image: {{ MASTER }}:5000/soshybridhunter/so-core:{{ VERSION }}
-    - hostname: so-core
-    - user: socore
-    - binds:
-      - /opt/so:/opt/so:rw
-      - /opt/so/conf/nginx/nginx.conf:/etc/nginx/nginx.conf:ro
-      - /opt/so/conf/nginx/index.html:/opt/socore/html/index.html:ro
-      - /opt/so/log/nginx/:/var/log/nginx:rw
-      - /opt/so/tmp/nginx/:/var/lib/nginx:rw
-      - /opt/so/tmp/nginx/:/run:rw
-      - /etc/pki/masterssl.crt:/etc/pki/nginx/server.crt:ro
-      - /etc/pki/masterssl.key:/etc/pki/nginx/server.key:ro
-      - /opt/so/conf/fleet/packages:/opt/socore/html/packages
-    - cap_add: NET_BIND_SERVICE
-    - port_bindings:
-      - 80:80
-      - 443:443
-    - watch:
-      - file: /opt/so/conf/nginx/nginx.conf
-
-# Add Telegraf to monitor all the things.
-tgraflogdir:
-  file.directory:
-    - name: /opt/so/log/telegraf
-    - makedirs: True
-
-tgrafetcdir:
-  file.directory:
-    - name: /opt/so/conf/telegraf/etc
-    - makedirs: True
-
-tgrafetsdir:
-  file.directory:
-    - name: /opt/so/conf/telegraf/scripts
-    - makedirs: True
-
-tgrafsyncscripts:
-  file.recurse:
-    - name: /opt/so/conf/telegraf/scripts
-    - user: 939
-    - group: 939
-    - file_mode: 755
-    - template: jinja
-    - source: salt://common/telegraf/scripts
-
-tgrafconf:
-  file.managed:
-    - name: /opt/so/conf/telegraf/etc/telegraf.conf
-    - user: 939
-    - group: 939
-    - template: jinja
-    - source: salt://common/telegraf/etc/telegraf.conf
-
-so-telegraf:
-  docker_container.running:
-    - image: {{ MASTER }}:5000/soshybridhunter/so-telegraf:{{ VERSION }}
-    - environment:
-      - HOST_PROC=/host/proc
-      - HOST_ETC=/host/etc
-      - HOST_SYS=/host/sys
-      - HOST_MOUNT_PREFIX=/host
-    - network_mode: host
-    - binds:
-      - /opt/so/log/telegraf:/var/log/telegraf:rw
-      - /opt/so/conf/telegraf/etc/telegraf.conf:/etc/telegraf/telegraf.conf:ro
-      - /var/run/utmp:/var/run/utmp:ro
-      - /var/run/docker.sock:/var/run/docker.sock:ro
-      - /:/host/root:ro
-      - /sys:/host/sys:ro
-      - /proc:/host/proc:ro
-      - /nsm:/host/nsm:ro
-      - /etc:/host/etc:ro
-      {% if grains['role'] == 'so-master' or grains['role'] == 'so-eval' or grains['role'] == 'so-mastersearch' %}
-      - /etc/pki/ca.crt:/etc/telegraf/ca.crt:ro
-      {% else %}
-      - /etc/ssl/certs/intca.crt:/etc/telegraf/ca.crt:ro
-      {% endif %}
-      - /etc/pki/influxdb.crt:/etc/telegraf/telegraf.crt:ro
-      - /etc/pki/influxdb.key:/etc/telegraf/telegraf.key:ro
-      - /opt/so/conf/telegraf/scripts:/scripts:ro
-      - /opt/so/log/stenographer:/var/log/stenographer:ro
-      - /opt/so/log/suricata:/var/log/suricata:ro
-    - watch:
-      - /opt/so/conf/telegraf/etc/telegraf.conf
-      - /opt/so/conf/telegraf/scripts
-
-# If its a master or eval lets install the back end for now
-{% if grains['role'] == 'so-master' or grains['role'] == 'so-eval' and GRAFANA == 1 %}
-
-# Influx DB
-influxconfdir:
-  file.directory:
-    - name: /opt/so/conf/influxdb/etc
-    - makedirs: True
-
-influxdbdir:
-  file.directory:
-    - name: /nsm/influxdb
-    - makedirs: True
-
-influxdbconf:
-  file.managed:
-    - name: /opt/so/conf/influxdb/etc/influxdb.conf
-    - user: 939
-    - group: 939
-    - template: jinja
-    - source: salt://common/influxdb/etc/influxdb.conf
-
-so-influxdb:
-  docker_container.running:
-    - image: {{ MASTER }}:5000/soshybridhunter/so-influxdb:{{ VERSION }}
-    - hostname: influxdb
-    - environment:
-      - INFLUXDB_HTTP_LOG_ENABLED=false
-    - binds:
-      - /opt/so/conf/influxdb/etc/influxdb.conf:/etc/influxdb/influxdb.conf:ro
-      - /nsm/influxdb:/var/lib/influxdb:rw
-      - /etc/pki/influxdb.crt:/etc/ssl/influxdb.crt:ro
-      - /etc/pki/influxdb.key:/etc/ssl/influxdb.key:ro
-    - port_bindings:
-      - 0.0.0.0:8086:8086
-    - watch:
-      - file: /opt/so/conf/influxdb/etc/influxdb.conf
-
-# Grafana all the things
-grafanadir:
-  file.directory:
-    - name: /nsm/grafana
-    - user: 939
-    - group: 939
-    - makedirs: True
-
-grafanaconfdir:
-  file.directory:
-    - name: /opt/so/conf/grafana/etc
-    - user: 939
-    - group: 939
-    - makedirs: True
-
-grafanadashdir:
-  file.directory:
-    - name: /opt/so/conf/grafana/grafana_dashboards
-    - user: 939
-    - group: 939
-    - makedirs: True
-
-grafanadashmdir:
-  file.directory:
-    - name: /opt/so/conf/grafana/grafana_dashboards/master
-    - user: 939
-    - group: 939
-    - makedirs: True
-
-grafanadashevaldir:
-  file.directory:
-    - name: /opt/so/conf/grafana/grafana_dashboards/eval
-    - user: 939
-    - group: 939
-    - makedirs: True
-
-grafanadashfndir:
-  file.directory:
-    - name: /opt/so/conf/grafana/grafana_dashboards/forward_nodes
-    - user: 939
-    - group: 939
-    - makedirs: True
-
-grafanadashsndir:
-  file.directory:
-    - name: /opt/so/conf/grafana/grafana_dashboards/search_nodes
-    - user: 939
-    - group: 939
-    - makedirs: True
-
-grafanaconf:
-  file.recurse:
-    - name: /opt/so/conf/grafana/etc
-    - user: 939
-    - group: 939
-    - template: jinja
-    - source: salt://common/grafana/etc
-
-{% if salt['pillar.get']('mastertab', False) %}
-{%- for SN, SNDATA in salt['pillar.get']('mastertab', {}).items() %}
-dashboard-master:
-  file.managed:
-    - name: /opt/so/conf/grafana/grafana_dashboards/master/{{ SN }}-Master.json
-    - user: 939
-    - group: 939
-    - template: jinja
-    - source: salt://common/grafana/grafana_dashboards/master/master.json
-    - defaults:
-      SERVERNAME: {{ SN }}
-      MANINT: {{ SNDATA.manint }}
-      MONINT: {{ SNDATA.manint }}
-      CPUS: {{ SNDATA.totalcpus }}
-      UID: {{ SNDATA.guid }}
-      ROOTFS: {{ SNDATA.rootfs }}
-      NSMFS: {{ SNDATA.nsmfs }}
-
-{%- endfor %}
-{% endif %}
-
-{% if salt['pillar.get']('sensorstab', False) %}
-{%- for SN, SNDATA in salt['pillar.get']('sensorstab', {}).items() %}
-dashboard-{{ SN }}:
-  file.managed:
-    - name: /opt/so/conf/grafana/grafana_dashboards/forward_nodes/{{ SN }}-Sensor.json
-    - user: 939
-    - group: 939
-    - template: jinja
-    - source: salt://common/grafana/grafana_dashboards/forward_nodes/sensor.json
-    - defaults:
-      SERVERNAME: {{ SN }}
-      MONINT: {{ SNDATA.monint }}
-      MANINT: {{ SNDATA.manint }}
-      CPUS: {{ SNDATA.totalcpus }}
-      UID: {{ SNDATA.guid }}
-      ROOTFS: {{ SNDATA.rootfs }}
-      NSMFS: {{ SNDATA.nsmfs }}
-
-{% endfor %}
-{% endif %}
-
-{% if salt['pillar.get']('nodestab', False) %}
-{%- for SN, SNDATA in salt['pillar.get']('nodestab', {}).items() %}
-dashboardsearch-{{ SN }}:
-  file.managed:
-    - name: /opt/so/conf/grafana/grafana_dashboards/search_nodes/{{ SN }}-Node.json
-    - user: 939
-    - group: 939
-    - template: jinja
-    - source: salt://common/grafana/grafana_dashboards/search_nodes/searchnode.json
-    - defaults:
-      SERVERNAME: {{ SN }}
-      MANINT: {{ SNDATA.manint }}
-      MONINT: {{ SNDATA.manint }}
-      CPUS: {{ SNDATA.totalcpus }}
-      UID: {{ SNDATA.guid }}
-      ROOTFS: {{ SNDATA.rootfs }}
-      NSMFS: {{ SNDATA.nsmfs }}
-
-{% endfor %}
-{% endif %}
-
-{% if salt['pillar.get']('evaltab', False) %}
-{%- for SN, SNDATA in salt['pillar.get']('evaltab', {}).items() %}
-dashboard-{{ SN }}:
-  file.managed:
-    - name: /opt/so/conf/grafana/grafana_dashboards/eval/{{ SN }}-Node.json
-    - user: 939
-    - group: 939
-    - template: jinja
-    - source: salt://common/grafana/grafana_dashboards/eval/eval.json
-    - defaults:
-      SERVERNAME: {{ SN }}
-      MANINT: {{ SNDATA.manint }}
-      MONINT: {{ SNDATA.monint }}
-      CPUS: {{ SNDATA.totalcpus }}
-      UID: {{ SNDATA.guid }}
-      ROOTFS: {{ SNDATA.rootfs }}
-      NSMFS: {{ SNDATA.nsmfs }}
-
-{% endfor %}
-{% endif %}
-
-so-grafana:
-  docker_container.running:
-    - image: {{ MASTER }}:5000/soshybridhunter/so-grafana:{{ VERSION }}
-    - hostname: grafana
-    - user: socore
-    - binds:
-      - /nsm/grafana:/var/lib/grafana:rw
-      - /opt/so/conf/grafana/etc/grafana.ini:/etc/grafana/grafana.ini:ro
-      - /opt/so/conf/grafana/etc/datasources:/etc/grafana/provisioning/datasources:rw
-      - /opt/so/conf/grafana/etc/dashboards:/etc/grafana/provisioning/dashboards:rw
-      - /opt/so/conf/grafana/grafana_dashboards:/etc/grafana/grafana_dashboards:rw
-    - environment:
-      - GF_SECURITY_ADMIN_PASSWORD=augusta
-    - port_bindings:
-      - 0.0.0.0:3000:3000
-    - watch:
-      - file: /opt/so/conf/grafana/*
-
-{% endif %}

salt/common/maps/broversion.map.jinja

@@ -0,0 +1,5 @@
+{% set docker = {
+  'containers': [
+    'so-zeek'
+  ]
+} %}

salt/common/maps/domainstats.map.jinja

@@ -0,0 +1,5 @@
+{% set docker = {
+  'containers': [
+    'so-domainstats'
+  ]
+} %}

salt/common/maps/eval.map.jinja

@@ -0,0 +1,19 @@
+{% set docker = {
+  'containers': [
+    'so-filebeat',
+    'so-nginx',
+    'so-telegraf',
+    'so-dockerregistry',
+    'so-soc',
+    'so-kratos',
+    'so-idstools',
+    'so-elasticsearch',
+    'so-kibana',
+    'so-steno',
+    'so-suricata',
+    'so-zeek',
+    'so-curator',
+    'so-elastalert',
+    'so-soctopus'
+  ]
+} %}

salt/common/maps/fleet.map.jinja

@@ -0,0 +1,10 @@
+{% set docker = {
+  'containers': [
+    'so-mysql',
+    'so-fleet',
+    'so-redis',
+    'so-filebeat',
+    'so-nginx',
+    'so-telegraf'
+  ]
+} %}

salt/common/maps/fleet_master.map.jinja

@@ -0,0 +1,7 @@
+{% set docker = {
+  'containers': [
+    'so-mysql',
+    'so-fleet',
+    'so-redis'
+  ]
+} %}

salt/common/maps/freq.map.jinja

@@ -0,0 +1,5 @@
+{% set docker = {
+  'containers': [
+    'so-freqserver'
+  ]
+} %}

salt/common/maps/grafana.map.jinja

@@ -0,0 +1,6 @@
+{% set docker = {
+  'containers': [
+    'so-influxdb',
+    'so-grafana'
+  ]
+} %}

salt/common/maps/heavynode.map.jinja

@@ -0,0 +1,14 @@
+{% set docker = {
+  'containers': [
+    'so-nginx',
+    'so-telegraf',
+    'so-redis',
+    'so-logstash',
+    'so-elasticsearch',
+    'so-curator',
+    'so-steno',
+    'so-suricata',
+    'so-wazuh',
+    'so-filebeat
+  ]
+} %}

salt/common/maps/helixsensor.map.jinja

@@ -0,0 +1,12 @@
+{% set docker = {
+  'containers': [
+    'so-nginx',
+    'so-telegraf',
+    'so-idstools',
+    'so-steno',
+    'so-zeek',
+    'so-redis',
+    'so-logstash',
+    'so-filebeat
+  ]
+} %}

salt/common/maps/hotnode.map.jinja

@@ -0,0 +1,9 @@
+{% set docker = {
+  'containers': [
+    'so-nginx',
+    'so-telegraf',
+     'so-logstash',
+    'so-elasticsearch',
+    'so-curator',
+   ]
+} %}

salt/common/maps/master.map.jinja

@@ -0,0 +1,18 @@
+{% set docker = {
+  'containers': [
+    'so-dockerregistry',
+    'so-nginx',
+    'so-telegraf',
+    'so-soc',
+    'so-kratos',
+    'so-aptcacherng',
+    'so-idstools',
+    'so-redis',
+    'so-elasticsearch',
+    'so-logstash',
+    'so-kibana',
+    'so-elastalert',
+    'so-filebeat',
+    'so-soctopus'
+  ]
+} %}

salt/common/maps/mastersearch.map.jinja

@@ -0,0 +1,18 @@
+{% set docker = {
+  'containers': [
+    'so-nginx',
+    'so-telegraf',
+    'so-soc',
+    'so-kratos',
+    'so-aptcacherng',
+    'so-idstools',
+    'so-redis',
+    'so-logstash',
+    'so-elasticsearch',
+    'so-curator',
+    'so-kibana',
+    'so-elastalert',
+    'so-filebeat',
+    'so-soctopus'
+  ]
+} %}

salt/common/maps/playbook.map.jinja

@@ -0,0 +1,6 @@
+{% set docker = {
+  'containers': [
+    'so-playbook',
+    'so-navigator'
+  ]
+} %}

salt/common/maps/searchnode.map.jinja

@@ -0,0 +1,10 @@
+{% set docker = {
+  'containers': [
+    'so-nginx',
+    'so-telegraf',
+    'so-logstash',
+    'so-elasticsearch',
+    'so-curator',
+    'so-filebeat'
+  ]
+} %}

salt/common/maps/sensor.map.jinja

@@ -0,0 +1,8 @@
+{% set docker = {
+  'containers': [
+    'so-telegraf',
+    'so-steno',
+    'so-suricata',
+    'so-filebeat'
+  ]
+} %}

salt/common/maps/so-status.map.jinja

@@ -0,0 +1,45 @@
+{% set role = grains.id.split('_') | last %}
+{% from 'common/maps/'~ role ~'.map.jinja' import docker with context %}
+
+# Check if the service is enabled and append it's required containers
+# to the list predefined by the role / minion id affix
+{% macro append_containers(pillar_name, k, compare )%}
+  {% if salt['pillar.get'](pillar_name~':'~k, {}) != compare %}
+    {% from 'common/maps/'~k~'.map.jinja' import docker as d with context %}
+    {% for li in d['containers'] %}
+      {{ docker['containers'].append(li) }}
+    {% endfor %}
+  {% endif %}
+{% endmacro %}
+
+{% set docker = salt['grains.filter_by']({
+  '*_'~role: {
+    'containers': docker['containers']
+  } 
+},grain='id', merge=salt['pillar.get']('docker')) %}
+
+{% if role in ['eval', 'mastersearch', 'master', 'standalone'] %}
+  {{ append_containers('master', 'grafana', 0) }}
+  {{ append_containers('static', 'fleet_master', 0) }}
+  {{ append_containers('master', 'wazuh', 0) }}
+  {{ append_containers('master', 'thehive', 0) }}
+  {{ append_containers('master', 'playbook', 0) }}
+  {{ append_containers('master', 'freq', 0) }}
+  {{ append_containers('master', 'domainstats', 0) }}
+{% endif %}
+
+{% if role in ['eval', 'heavynode', 'sensor', 'standalone'] %}
+  {{ append_containers('static', 'strelka', 0) }}
+{% endif %}
+
+{% if role in ['heavynode', 'standalone'] %}
+  {{ append_containers('static', 'broversion', 'SURICATA') }}
+{% endif %}
+
+{% if role == 'searchnode' %}
+  {{ append_containers('master', 'wazuh', 0) }}
+{% endif %}
+
+{% if role == 'sensor' %}
+  {{ append_containers('static', 'broversion', 'SURICATA') }}
+{% endif %}

salt/common/maps/standalone.map.jinja

@@ -0,0 +1,21 @@
+{% set docker = {
+  'containers': [
+    'so-nginx',
+    'so-telegraf',
+    'so-soc',
+    'so-kratos',
+    'so-aptcacherng',
+    'so-idstools',
+    'so-redis',
+    'so-logstash',
+    'so-elasticsearch',
+    'so-curator',
+    'so-kibana',
+    'so-elastalert',
+    'so-filebeat',
+    'so-suricata',
+    'so-steno',
+    'so-dockerregistry',
+    'so-soctopus'
+  ]
+} %}

salt/common/maps/strelka.map.jinja

@@ -0,0 +1,9 @@
+{% set docker = {
+  'containers': [
+    'so-strelka-coordinator',
+    'so-strelka-gatekeeper',
+    'so-strelka-manager',
+    'so-strelka-frontend',
+    'so-strelka-filestream'
+  ]
+} %}

salt/common/maps/thehive.map.jinja

@@ -0,0 +1,7 @@
+{% set docker = {
+  'containers': [
+    'so-thehive',
+    'so-thehive-es',
+    'so-cortex'
+  ]
+} %}

salt/common/maps/warmnode.map.jinja

@@ -0,0 +1,7 @@
+{% set docker = {
+  'containers': [
+    'so-nginx',
+    'so-telegraf',
+    'so-elasticsearch'
+  ]
+} %}

salt/common/maps/wazuh.map.jinja

@@ -0,0 +1,5 @@
+{% set docker = {
+  'containers': [
+    'so-wazuh'
+  ]
+} %}

salt/common/nginx/index.html

@@ -1,130 +0,0 @@
-<!DOCTYPE html>
-<html lang="en">
-<head>
-<title>Security Onion - Hybrid Hunter</title>
-<meta charset="utf-8">
-<meta name="viewport" content="width=device-width, initial-scale=1">
-<link rel="icon" type="image/png" href="favicon-32x32.png" sizes="32x32" />
-<link rel="icon" type="image/png" href="favicon-16x16.png" sizes="16x16" />
-<style>
-* {
-  box-sizing: border-box;
-  font-family: Arial, Helvetica, sans-serif;
-	padding-left: 30px;
-	padding-right: 30px;
-}
-
-body {
-  font-family: Arial, Helvetica, sans-serif;
-	background-color: #2a2a2a;
-
-}
-a {
-	color: #f2f2f2;
-	text-align: left;
-	padding: 0px;
-}
-
-.center {
-	margin: 0 auto;
-}
-
-/* Style the top navigation bar */
-.topnav {
-  overflow: hidden;
-  background-color: #333;
-  width: 1080px;
-  display: flex;
-  align-content: center;
-}
-
-/* Style the topnav links */
-.topnav a {
-  margin: auto;
-  color: #f2f2f2;
-  text-align: center;
-  padding: 14px 16px;
-  text-decoration: none;
-}
-
-/* Change color on hover */
-.topnav a:hover {
-  background-color: #ddd;
-  color: black;
-}
-
-/* Style the content */
-.content {
-  background-color: #2a2a2a;
-  padding: 10px;
-	padding-top: 20px;
-	padding-left: 60px;
-	color: #E3DBCC;
-	width: 1080px;
-}
-
-/* Style the footer */
-.footer {
-  background-color: #2a2a2a;
-  padding: 60px;
-  color: #E3DBCC;
-  width: 1080px;
-}
-
-</style>
-</head>
-<body>
-	<div class="center">
-		<div class="topnav center">
-			<a href="/so-auth/loginpage/create-user" target="_blank">Create New User</a>
-			<a href="/kibana/" target="_blank">Kibana</a>
-			<a href="/grafana/" target="_blank">Grafana</a>
-			<a href="/sensoroni/" target="_blank">Sensoroni</a>
-	  		<a href="/playbook/" target="_blank">Playbook</a>
-			<a href="/fleet/" target="_blank">Fleet</a>
-			<a href="/thehive/" target="_blank">TheHive</a>
-			<a href="/packages/" target="_blank">Osquery Packages</a>
-			<a href="https://github.com/Security-Onion-Solutions/securityonion-saltstack/wiki/FAQ" target="_blank">FAQ</a>
-			<a href="https://www.securityonionsolutions.com" target="_blank">Security Onion Solutions</a>
-			<a href="https://blog.securityonion.net" target="_blank">Blog</a>
-		</div>
-
-		<div class="content center">
-			<center><a href="https://securityonion.net"><img STYLE="border: none;" src="alpha_logo.jpg" alt="Security Onion" align="center" target="_blank"></img></a><br></center>
-
-			<p><center><h1>Hybrid Hunter Alpha 1.1.4 - Feature Parity Release</h1></center><br>
-				<h2>Changes:</h2>
-        <ul>
-          <li>Added new in-house auth method [Security Onion Auth](https://github.com/Security-Onion-Solutions/securityonion-auth).</li>
-          <li>Web user creation is done via the browser now instead of so-user-add.</li>
-          <li>New Logstash pipeline setup. Now uses multiple pipelines.</li>
-          <li>New Master + Search node type and well as a Heavy Node type in the install.</li>
-          <li>Change all nodes to point to the docker registry on the Master. This cuts down on the calls to dockerhub.</li>
-          <li>Zeek 3.0.1</li>
-          <li>Elastic 6.8.6</li>
-          <li>New SO Start | Stop | Restart scripts for all components (eg. `so-playbook-restart`).</li>
-          <li>BPF support for Suricata (NIDS), Steno (PCAP) & Zeek ([Docs](https://github.com/Security-Onion-Solutions/securityonion-saltstack/wiki/BPF)).</li>
-          <li>Updated Domain Stats & Frequency Server containers to Python3 & created new Salt states for them.</li>
-          <li>Added so-status script which gives an easy to read look at container status.</li>
-          <li>Manage threshold.conf for Suricata using the thresholding pillar.</li>
-          <li>The ISO now includes all the docker containers for faster install speeds.</li>
-          <li>You now set the password for the onion account during the iso install. This account is temporary and will be removed after so-setup.</li>
-          <li>Updated Helix parsers for better compatibility.</li>
-          <li>Updated telegraf docker to include curl and jq.</li>
-          <li>CVE-2020-0601 Zeek Detection Script.</li>
-          <li>ISO Install now prompts you to create a password for the onion user during imaging. This account gets disabled during setup.</li>
-    		  <li>Check out the <a href="https://github.com/Security-Onion-Solutions/securityonion-saltstack/wiki/Hybrid-Hunter-Quick-Start-Guide" target="_blank">Hybrid Hunter Quick Start Guide</a>.</li>
-		   </ul>
-	  </p>
-		</div>
-
-		<div class="footer center">
-		<b>Disclaimer of Warranty</b><br>
-			<small>THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM .AS IS. WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.</small><br>
-			<br>
-			<b>Limitation of Liability</b><br>
-			<small>IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.</small><br>
-		</div>
-	</div>
-</body>
-</html>

salt/common/telegraf/scripts/influxdbsize.sh

@@ -1,5 +0,0 @@
-#!/bin/bash
-
-INFLUXSIZE=$(du -s -B1 /host/nsm/influxdb | awk {'print $1'}
-
-echo "influxsize bytes=$INFLUXSIZE"

salt/common/tools/sbin/so-allow

@@ -17,6 +17,9 @@
 
 . /usr/sbin/so-common
 
+default_salt_dir=/opt/so/saltstack/default
+local_salt_dir=/opt/so/saltstack/local
+
 SKIP=0
 
 while getopts "abowi:" OPTION
@@ -42,9 +45,22 @@ do
             SKIP=1
             ;;
         w)
-            FULLROLE="wazuh_endpoint"
+            FULLROLE="wazuh_agent"
             SKIP=1
             ;;
+        s)
+            FULLROLE="syslog"
+            SKIP=1
+            ;;
+        p)
+            FULLROLE="wazuh_api"
+            SKIP=1
+            ;;
+        r)
+            FULLROLE="wazuh_authd"
+            SKIP=1
+            ;;
+
     esac
 done
 
@@ -56,9 +72,11 @@ if [ "$SKIP" -eq 0 ]; then
     echo ""
     echo "[a] - Analyst - ports 80/tcp and 443/tcp"
     echo "[b] - Logstash Beat - port 5044/tcp"
-    echo "[o] - Osquery endpoint - port 8080/tcp"
-    echo "[w] - Wazuh endpoint - port 1514"
-    echo ""
+    echo "[o] - Osquery endpoint - port 8090/tcp"
+    echo "[s] - Syslog device - 514/tcp/udp"
+    echo "[w] - Wazuh agent - port 1514/tcp/udp"
+    echo "[p] - Wazuh API - port 55000/tcp"
+    echo "[r] - Wazuh registration service - 1515/tcp"
     echo "Please enter your selection (a - analyst, b - beats, o - osquery, w - wazuh):"
     read ROLE
     echo "Enter a single ip address or range to allow (example: 10.10.10.10 or 10.10.0.0/16):"
@@ -71,7 +89,13 @@ if [ "$SKIP" -eq 0 ]; then
     elif [ "$ROLE" == "o" ]; then
         FULLROLE=osquery_endpoint
     elif [ "$ROLE" == "w" ]; then
-        FULLROLE=wazuh_endpoint
+        FULLROLE=wazuh_agent
+    elif [ "$ROLE" == "s" ]; then
+        FULLROLE=syslog
+    elif [ "$ROLE" == "p" ]; then
+        FULLROLE=wazuh_api
+    elif [ "$ROLE" == "r" ]; then
+        FULLROLE=wazuh_authd
     else
         echo "I don't recognize that role"
         exit 1
@@ -80,10 +104,11 @@ if [ "$SKIP" -eq 0 ]; then
 fi
 
 echo "Adding $IP to the $FULLROLE role. This can take a few seconds"
-/opt/so/saltstack/pillar/firewall/addfirewall.sh $FULLROLE $IP
+/usr/sbin/so-firewall includehost $FULLROLE $IP
+salt-call state.apply firewall queue=True
 
 # Check if Wazuh enabled
-if grep -q -R "wazuh: 1" /opt/so/saltstack/pillar/*; then
+if grep -q -R "wazuh: 1" $local_salt_dir/pillar/*; then
     # If analyst, add to Wazuh AR whitelist
     if [ "$FULLROLE" == "analyst" ]; then
           WAZUH_MGR_CFG="/opt/so/wazuh/etc/ossec.conf"

salt/common/tools/sbin/so-bro-logs

@@ -1,11 +1,12 @@
 #!/bin/bash
+local_salt_dir=/opt/so/saltstack/local
 
 bro_logs_enabled() {
 
-  echo "brologs:" > /opt/so/saltstack/pillar/brologs.sls
-  echo "  enabled:" >> /opt/so/saltstack/pillar/brologs.sls
+  echo "brologs:" > $local_salt_dir/pillar/brologs.sls
+  echo "  enabled:" >> $local_salt_dir/pillar/brologs.sls
   for BLOG in ${BLOGS[@]}; do
-    echo "    - $BLOG" | tr -d '"' >> /opt/so/saltstack/pillar/brologs.sls
+    echo "    - $BLOG" | tr -d '"' >> $local_salt_dir/pillar/brologs.sls
   done
 
 }

salt/common/tools/sbin/so-cortex-restart

@@ -1,5 +1,5 @@
 #!/bin/bash
-
+#
 # Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
@@ -17,4 +17,5 @@
 
 . /usr/sbin/so-common
 
-/usr/sbin/so-restart cortex $1
+/usr/sbin/so-stop cortex $1
+/usr/sbin/so-start thehive $1

salt/common/tools/sbin/so-cortex-start

@@ -17,4 +17,4 @@
 
 . /usr/sbin/so-common
 
-/usr/sbin/so-start cortex $1
+/usr/sbin/so-start thehive $1

salt/common/tools/sbin/so-cortex-stop

@@ -1,5 +1,5 @@
 #!/bin/bash
-
+#
 # Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify

salt/common/tools/sbin/so-docker-refresh

@@ -0,0 +1,112 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+got_root(){
+    if [ "$(id -u)" -ne 0 ]; then
+        echo "This script must be run using sudo!"
+        exit 1
+    fi
+}
+
+master_check() {
+  # Check to see if this is a master
+  MASTERCHECK=$(cat /etc/salt/grains | grep role | awk '{print $2}')
+  if [ $MASTERCHECK == 'so-eval' ] || [ $MASTERCHECK == 'so-master' ] || [ $MASTERCHECK == 'so-mastersearch' ] || [ $MASTERCHECK == 'so-standalone' ] || [ $MASTERCHECK == 'so-helix' ]; then
+    echo "This is a master. We can proceed"
+  else
+    echo "Please run soup on the master. The master controls all updates."
+    exit 1
+  fi
+}
+
+update_docker_containers() {
+  
+  # Download the containers from the interwebs
+  for i in "${TRUSTED_CONTAINERS[@]}"
+  do
+    # Pull down the trusted docker image
+    echo "Downloading $i"
+    docker pull --disable-content-trust=false docker.io/soshybridhunter/$i
+    # Tag it with the new registry destination
+    docker tag soshybridhunter/$i $HOSTNAME:5000/soshybridhunter/$i
+    docker push $HOSTNAME:5000/soshybridhunter/$i
+  done
+  
+}
+
+version_check() {
+  if [ -f /etc/soversion ]; then
+    VERSION=$(cat /etc/soversion)
+  else
+    echo "Unable to detect version. I will now terminate."
+    exit 1
+  fi
+}
+got_root
+master_check
+version_check
+
+# Use the hostname
+HOSTNAME=$(hostname)
+BUILD=HH
+# List all the containers
+if [ $MASTERCHECK != 'so-helix' ]; then
+    TRUSTED_CONTAINERS=( \
+    "so-acng:$BUILD$VERSION" \
+    "so-thehive-cortex:$BUILD$VERSION" \
+    "so-curator:$BUILD$VERSION" \
+    "so-domainstats:$BUILD$VERSION" \
+    "so-elastalert:$BUILD$VERSION" \
+    "so-elasticsearch:$BUILD$VERSION" \
+    "so-filebeat:$BUILD$VERSION" \
+    "so-fleet:$BUILD$VERSION" \
+    "so-fleet-launcher:$BUILD$VERSION" \
+    "so-freqserver:$BUILD$VERSION" \
+    "so-grafana:$BUILD$VERSION" \
+    "so-idstools:$BUILD$VERSION" \
+    "so-influxdb:$BUILD$VERSION" \
+    "so-kibana:$BUILD$VERSION" \
+    "so-kratos:$BUILD$VERSION" \
+    "so-logstash:$BUILD$VERSION" \
+    "so-mysql:$BUILD$VERSION" \
+    "so-navigator:$BUILD$VERSION" \
+    "so-nginx:$BUILD$VERSION" \
+    "so-playbook:$BUILD$VERSION" \
+    "so-redis:$BUILD$VERSION" \
+    "so-soc:$BUILD$VERSION" \
+    "so-soctopus:$BUILD$VERSION" \
+    "so-steno:$BUILD$VERSION" \
+    "so-strelka:$BUILD$VERSION" \
+    "so-suricata:$BUILD$VERSION" \
+    "so-telegraf:$BUILD$VERSION" \
+    "so-thehive:$BUILD$VERSION" \
+    "so-thehive-es:$BUILD$VERSION" \
+    "so-wazuh:$BUILD$VERSION" \
+    "so-zeek:$BUILD$VERSION" )
+  else
+    TRUSTED_CONTAINERS=( \
+    "so-filebeat:$BUILD$VERSION" \
+    "so-idstools:$BUILD$VERSION" \
+    "so-logstash:$BUILD$VERSION" \
+    "so-nginx:$BUILD$VERSION" \
+    "so-redis:$BUILD$VERSION" \
+    "so-steno:$BUILD$VERSION" \
+    "so-suricata:$BUILD$VERSION" \
+    "so-telegraf:$BUILD$VERSION" \
+    "so-zeek:$BUILD$VERSION" )
+  fi
+
+update_docker_containers

salt/common/tools/sbin/so-elastalert-create

@@ -166,8 +166,7 @@ cat << EOF
 What elasticsearch index do you want to use?
 Below are the default Index Patterns used in Security Onion:
 
-*:logstash-*
-*:logstash-beats-*
+*:so-ids-*
 *:elastalert_status*
 
 EOF

salt/common/tools/sbin/so-elastic-download

@@ -2,9 +2,7 @@
 MASTER=MASTER
 VERSION="HH1.1.4"
 TRUSTED_CONTAINERS=( \
-"so-auth-api:$VERSION" \
-"so-auth-ui:$VERSION" \
-"so-core:$VERSION" \
+"so-nginx:$VERSION" \
 "so-thehive-cortex:$VERSION" \
 "so-curator:$VERSION" \
 "so-domainstats:$VERSION" \

salt/common/tools/sbin/so-elasticsearch-templates

@@ -0,0 +1,55 @@
+{% set MASTERIP = salt['pillar.get']('master:mainip', '') %}
+#!/bin/bash
+# Copyright 2014,2015,2016,2017,2018,2019 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+default_salt_dir=/opt/so/saltstack/default
+ELASTICSEARCH_HOST="{{ MASTERIP}}"
+ELASTICSEARCH_PORT=9200
+#ELASTICSEARCH_AUTH=""
+
+# Define a default directory to load pipelines from
+ELASTICSEARCH_TEMPLATES="$default_salt_dir/salt/logstash/pipelines/templates/so/"
+
+# Wait for ElasticSearch to initialize
+echo -n "Waiting for ElasticSearch..."
+COUNT=0
+ELASTICSEARCH_CONNECTED="no"
+while [[ "$COUNT" -le 240 ]]; do
+	curl --output /dev/null --silent --head --fail http://"$ELASTICSEARCH_HOST":"$ELASTICSEARCH_PORT"
+	if [ $? -eq 0 ]; then
+		ELASTICSEARCH_CONNECTED="yes"
+		echo "connected!"
+		break
+	else
+		((COUNT+=1))
+		sleep 1
+		echo -n "."
+	fi
+done
+if [ "$ELASTICSEARCH_CONNECTED" == "no" ]; then
+	echo
+	echo -e "Connection attempt timed out.  Unable to connect to ElasticSearch.  \nPlease try: \n  -checking log(s) in /var/log/elasticsearch/\n  -running 'sudo docker ps' \n  -running 'sudo so-elastic-restart'"
+	echo
+fi
+
+cd ${ELASTICSEARCH_TEMPLATES}
+
+
+echo "Loading templates..."
+for i in *; do TEMPLATE=$(echo $i | cut -d '-' -f2); echo "so-$TEMPLATE"; curl ${ELASTICSEARCH_AUTH} -s -XPUT http://${ELASTICSEARCH_HOST}:${ELASTICSEARCH_PORT}/_template/so-$TEMPLATE -H 'Content-Type: application/json' -d@$i 2>/dev/null; echo; done
+echo
+
+cd - >/dev/null

salt/common/tools/sbin/so-features-enable

@@ -15,10 +15,11 @@
 #    along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
 . /usr/sbin/so-common
+local_salt_dir=/opt/so/saltstack/local
 
-VERSION=$(grep soversion /opt/so/saltstack/pillar/static.sls | cut -d':' -f2|sed 's/ //g')
+VERSION=$(grep soversion $local_salt_dir/pillar/static.sls | cut -d':' -f2|sed 's/ //g')
 # Modify static.sls to enable Features
-sed -i 's/features: False/features: True/' /opt/so/saltstack/pillar/static.sls
+sed -i 's/features: False/features: True/' $local_salt_dir/pillar/static.sls
 SUFFIX="-features"
 TRUSTED_CONTAINERS=( \
   "so-elasticsearch:$VERSION$SUFFIX" \

salt/common/tools/sbin/so-firewall

@@ -0,0 +1,305 @@
+#!/usr/bin/env python3
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+import subprocess
+import sys
+import yaml
+
+hostgroupsFilename = "/opt/so/saltstack/local/salt/firewall/hostgroups.local.yaml"
+portgroupsFilename = "/opt/so/saltstack/local/salt/firewall/portgroups.local.yaml"
+supportedProtocols = ['tcp', 'udp']
+
+def showUsage(args):
+  print('Usage: {} [OPTIONS] <COMMAND> [ARGS...]'.format(sys.argv[0]))
+  print('  Options:')
+  print('   --apply       - After updating the firewall configuration files, apply the new firewall state')
+  print('')
+  print('  Available commands:')
+  print('   help          - Prints this usage information.')
+  print('   includedhosts - Lists the IPs included in the given group. Args: <GROUP_NAME>')
+  print('   excludedhosts - Lists the IPs excluded from the given group. Args: <GROUP_NAME>')
+  print('   includehost   - Includes the given IP in the given group. Args: <GROUP_NAME> <IP>')
+  print('   excludehost   - Excludes the given IP from the given group. Args: <GROUP_NAME> <IP>')
+  print('   removehost    - Removes an excluded IP from the given group. Args: <GROUP_NAME> <IP>')
+  print('   addhostgroup  - Adds a new, custom host group. Args: <GROUP_NAME>')
+  print('   listports     - Lists ports in the given group and protocol. Args: <GROUP_NAME> <PORT_PROTOCOL>')
+  print('   addport       - Adds a PORT to the given group. Args: <GROUP_NAME> <PORT_PROTOCOL> <PORT>')
+  print('   removeport    - Removes a PORT from the given group. Args: <GROUP_NAME> <PORT_PROTOCOL> <PORT>')
+  print('   addportgroup  - Adds a new, custom port group. Args: <GROUP_NAME>')
+  print('')
+  print('  Where:')
+  print('   GROUP_NAME    - The name of an alias group (Ex: analyst)')
+  print('   IP            - Either a single IP address (Ex: 8.8.8.8) or a CIDR block (Ex: 10.23.0.0/16).')
+  print('   PORT_PROTOCOL - Must be one of the following: ' + str(supportedProtocols))
+  print('   PORT          - Either a single numeric port (Ex: 443), or a port range (Ex: 8000:8002).')
+  sys.exit(1)
+
+def loadYaml(filename):
+  file = open(filename, "r")
+  return yaml.load(file.read())
+
+def writeYaml(filename, content):
+  file = open(filename, "w")
+  return yaml.dump(content, file)
+
+def listIps(name, mode):
+  content = loadYaml(hostgroupsFilename)
+  if name not in content['firewall']['hostgroups']:
+    print('Host group does not exist', file=sys.stderr)
+    return 4
+  hostgroup = content['firewall']['hostgroups'][name]
+  ips = hostgroup['ips'][mode]
+  if ips is not None:
+    for ip in ips:
+      print(ip)
+  return 0
+
+def addIp(name, ip, mode):
+  content = loadYaml(hostgroupsFilename)
+  if name not in content['firewall']['hostgroups']:
+    print('Host group does not exist', file=sys.stderr)
+    return 4
+  hostgroup = content['firewall']['hostgroups'][name]
+  ips = hostgroup['ips'][mode]
+  if ips is None:
+    ips = []
+    hostgroup['ips'][mode] = ips
+  if ip not in ips:
+    ips.append(ip)
+  else:
+    print('Already exists', file=sys.stderr)
+    return 3
+  writeYaml(hostgroupsFilename, content)
+  return 0
+
+def removeIp(name, ip, mode, silence = False):
+  content = loadYaml(hostgroupsFilename)
+  if name not in content['firewall']['hostgroups']:
+    print('Host group does not exist', file=sys.stderr)
+    return 4
+  hostgroup = content['firewall']['hostgroups'][name]
+  ips = hostgroup['ips'][mode]
+  if ips is None:
+    ips = []
+    hostgroup['ips'][mode] = ips
+  if ip in ips:
+    ips.remove(ip)
+  else:
+    if not silence:
+      print('IP does not exist', file=sys.stderr)
+      return 3
+  writeYaml(hostgroupsFilename, content)
+  return 0
+
+def createProtocolMap():
+  map = {}
+  for protocol in supportedProtocols:
+    map[protocol] = []
+  return map
+
+def addhostgroup(args):
+  if len(args) != 1:
+    print('Missing host group name argument', file=sys.stderr)
+    showUsage(args)
+
+  name = args[1]
+  content = loadYaml(hostgroupsFilename)
+  if name in content['firewall']['hostgroups']:
+    print('Already exists', file=sys.stderr)
+    return 3
+  content['firewall']['hostgroups'][name] = { 'ips': { 'insert': [], 'delete': [] }}
+  writeYaml(hostgroupsFilename, content)
+  return 0
+
+def addportgroup(args):
+  if len(args) != 1:
+    print('Missing port group name argument', file=sys.stderr)
+    showUsage(args)
+
+  name = args[0]
+  content = loadYaml(portgroupsFilename)
+  ports = content['firewall']['aliases']['ports']
+  if ports is None:
+    ports = {}
+    content['firewall']['aliases']['ports'] = ports
+  if name in ports:
+    print('Already exists', file=sys.stderr)
+    return 3
+  ports[name] = createProtocolMap()
+  writeYaml(portgroupsFilename, content)
+  return 0
+
+def listports(args):
+  if len(args) != 2:
+    print('Missing port group name or port protocol', file=sys.stderr)
+    showUsage(args)
+
+  name = args[0]
+  protocol = args[1]
+  if protocol not in supportedProtocols:
+    print('Port protocol is not supported', file=sys.stderr)
+    return 5
+
+  content = loadYaml(portgroupsFilename)
+  ports = content['firewall']['aliases']['ports']
+  if ports is None:
+    ports = {}
+    content['firewall']['aliases']['ports'] = ports
+  if name not in ports:
+    print('Port group does not exist', file=sys.stderr)
+    return 3
+  ports = ports[name][protocol]
+  if ports is not None:
+    for port in ports:
+      print(port)
+  return 0
+
+def addport(args):
+  if len(args) != 3:
+    print('Missing port group name or port protocol, or port argument', file=sys.stderr)
+    showUsage(args)
+
+  name = args[0]
+  protocol = args[1]
+  port = args[2]
+  if protocol not in supportedProtocols:
+    print('Port protocol is not supported', file=sys.stderr)
+    return 5
+
+  content = loadYaml(portgroupsFilename)
+  ports = content['firewall']['aliases']['ports']
+  if ports is None:
+    ports = {}
+    content['firewall']['aliases']['ports'] = ports
+  if name not in ports:
+    print('Port group does not exist', file=sys.stderr)
+    return 3
+  ports = ports[name][protocol]
+  if ports is None:
+    ports = []
+    content['firewall']['aliases']['ports'][name][protocol] = ports
+  if port in ports:
+    print('Already exists', file=sys.stderr)
+    return 3
+  ports.append(port)
+  writeYaml(portgroupsFilename, content)
+  return 0
+
+def removeport(args):
+  if len(args) != 3:
+    print('Missing port group name or port protocol, or port argument', file=sys.stderr)
+    showUsage(args)
+
+  name = args[0]
+  protocol = args[1]
+  port = args[2]
+  if protocol not in supportedProtocols:
+    print('Port protocol is not supported', file=sys.stderr)
+    return 5
+
+  content = loadYaml(portgroupsFilename)
+  ports = content['firewall']['aliases']['ports']
+  if ports is None:
+    ports = {}
+    content['firewall']['aliases']['ports'] = ports
+  if name not in ports:
+    print('Port group does not exist', file=sys.stderr)
+    return 3
+  ports = ports[name][protocol]
+  if ports is None or port not in ports:
+    print('Port does not exist', file=sys.stderr)
+    return 3
+  ports.remove(port)
+  writeYaml(portgroupsFilename, content)
+  return 0
+
+def includedhosts(args):
+  if len(args) != 1:
+    print('Missing host group name argument', file=sys.stderr)
+    showUsage(args)
+  return listIps(args[0], 'insert')
+
+def excludedhosts(args):
+  if len(args) != 1:
+    print('Missing host group name argument', file=sys.stderr)
+    showUsage(args)
+  return listIps(args[0], 'delete')
+
+def includehost(args):
+  if len(args) != 2:
+    print('Missing host group name or ip argument', file=sys.stderr)
+    showUsage(args)
+  result = addIp(args[0], args[1], 'insert')
+  if result == 0:
+    removeIp(args[0], args[1], 'delete', True)
+  return result
+
+def excludehost(args):
+  if len(args) != 2:
+    print('Missing host group name or ip argument', file=sys.stderr)
+    showUsage(args)
+  result = addIp(args[0], args[1], 'delete')
+  if result == 0:
+    removeIp(args[0], args[1], 'insert', True)
+  return result
+
+def removehost(args):
+  if len(args) != 2:
+    print('Missing host group name or ip argument', file=sys.stderr)
+    showUsage(args)
+  return removeIp(args[0], args[1], 'delete')
+
+def apply():
+  proc = subprocess.run(['salt-call', 'state.apply', 'firewall', 'queue=True'])
+  return proc.returncode
+
+def main():
+  options = []
+  args = sys.argv[1:]
+  for option in args:
+    if option.startswith("--"):
+      options.append(option)
+      args.remove(option)
+
+  if len(args) == 0:
+    showUsage(None)
+
+  commands = {
+    "help": showUsage,
+    "includedhosts": includedhosts,
+    "excludedhosts": excludedhosts,
+    "includehost": includehost,
+    "excludehost": excludehost,
+    "removehost": removehost,
+    "listports": listports,
+    "addport": addport,
+    "removeport": removeport,
+    "addhostgroup": addhostgroup,
+    "addportgroup": addportgroup
+  }
+  
+  cmd = commands.get(args[0], showUsage)
+  code = cmd(args[1:])
+
+
+  if code == 0 and "--apply" in options:
+    code = apply()
+
+  sys.exit(code)
+
+if __name__ == "__main__":
+  main()

salt/common/tools/sbin/so-fleet-setup

@@ -0,0 +1,44 @@
+#!/bin/bash
+
+#so-fleet-setup $FleetEmail $FleetPassword 
+
+if [[ $# -ne 2 ]] ; then
+      echo "Username or Password was not set - exiting now."
+      exit 1
+fi
+
+# Checking to see if required containers are started...
+if [ ! "$(docker ps -q -f name=so-fleet)" ]; then
+        echo "Starting Docker Containers..."
+        salt-call state.apply mysql queue=True >> /root/fleet-setup.log
+        salt-call state.apply fleet queue=True >> /root/fleet-setup.log
+        salt-call state.apply redis queue=True >> /root/fleet-setup.log
+fi
+
+docker exec so-fleet fleetctl config set --address https://localhost:8080 --tls-skip-verify --url-prefix /fleet
+docker exec so-fleet fleetctl setup --email $1 --password $2
+
+docker exec so-fleet fleetctl apply -f /packs/palantir/Fleet/Endpoints/MacOS/osquery.yaml
+docker exec so-fleet fleetctl apply -f /packs/palantir/Fleet/Endpoints/Windows/osquery.yaml
+docker exec so-fleet fleetctl apply -f /packs/so/so-default.yml
+docker exec so-fleet /bin/sh -c 'for pack in /packs/palantir/Fleet/Endpoints/packs/*.yaml; do fleetctl apply -f "$pack"; done'
+docker exec so-fleet fleetctl apply -f /packs/osquery-config.conf
+
+
+# Enable Fleet
+echo "Enabling Fleet..."
+salt-call state.apply fleet.event_enable-fleet queue=True >> /root/fleet-setup.log
+salt-call state.apply nginx queue=True >> /root/fleet-setup.log
+
+# Generate osquery install packages
+echo "Generating osquery install packages - this will take some time..."
+salt-call state.apply fleet.event_gen-packages queue=True >> /root/fleet-setup.log
+sleep 120
+
+echo "Installing launcher via salt..."
+salt-call state.apply fleet.install_package queue=True >> /root/fleet-setup.log
+salt-call state.apply filebeat queue=True >> /root/fleet-setup.log
+docker stop so-nginx
+salt-call state.apply nginx queue=True >> /root/fleet-setup.log
+
+echo "Fleet Setup Complete - Login with the username and password you ran the script with."

salt/common/tools/sbin/so-helix-apikey

@@ -1,4 +1,7 @@
 #!/bin/bash
+
+local_salt_dir=/opt/so/saltstack/local
+
 got_root() {
 
   # Make sure you are root
@@ -10,13 +13,13 @@ got_root() {
 }
 
 got_root
-if [ ! -f /opt/so/saltstack/pillar/fireeye/init.sls ]; then
+if [ ! -f $local_salt_dir/pillar/fireeye/init.sls ]; then
   echo "This is nto configured for Helix Mode. Please re-install."
   exit
 else
   echo "Enter your Helix API Key: "
   read APIKEY
-  sed -i "s/^    api_key.*/    api_key: $APIKEY/g" /opt/so/saltstack/pillar/fireeye/init.sls
+  sed -i "s/^    api_key.*/    api_key: $APIKEY/g" $local_salt_dir/pillar/fireeye/init.sls
   docker stop so-logstash
   docker rm so-logstash
   echo "Restarting Logstash for updated key"

salt/common/tools/sbin/so-kibana-config-export

@@ -0,0 +1,35 @@
+#!/bin/bash
+#
+# {%- set FLEET_MASTER = salt['pillar.get']('static:fleet_master', False) -%}
+# {%- set FLEET_NODE = salt['pillar.get']('static:fleet_node', False) -%}
+# {%- set FLEET_IP = salt['pillar.get']('static:fleet_ip', '') %}
+# {%- set MASTER = salt['pillar.get']('master:url_base', '') %}
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+KIBANA_HOST={{ MASTER }}
+KSO_PORT=5601
+OUTFILE="saved_objects.ndjson"
+curl -s -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -XPOST $KIBANA_HOST:$KSO_PORT/api/saved_objects/_export -d '{ "type": [ "index-pattern", "config", "visualization", "dashboard", "search" ], "excludeExportDetails": false }' > $OUTFILE
+
+# Clean up using PLACEHOLDER
+sed -i "s/$KIBANA_HOST/PLACEHOLDER/g" $OUTFILE
+
+# Clean up for Fleet, if applicable
+# {% if FLEET_NODE or FLEET_MASTER %}
+# Fleet IP
+sed -i "s/{{ MASTER }}/FLEETPLACEHOLDER/g" $OUTFILE
+# {% endif %}

salt/common/tools/sbin/so-nodered-restart

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-restart nodered $1

salt/common/tools/sbin/so-nodered-start

@@ -17,5 +17,5 @@
 
 . /usr/sbin/so-common
 
-/usr/sbin/so-restart auth $1
+/usr/sbin/so-start nodered $1
 

salt/common/tools/sbin/so-nodered-stop

@@ -17,4 +17,4 @@
 
 . /usr/sbin/so-common
 
-/usr/sbin/so-stop auth $1
+/usr/sbin/so-stop nodered $1

salt/common/tools/sbin/so-playbook-sync

@@ -17,4 +17,4 @@
 
 . /usr/sbin/so-common
 
-docker exec so-soctopus python3 playbook_play-sync.py
+docker exec so-soctopus python3 playbook_play-sync.py >> /opt/so/log/soctopus/so-playbook-sync.log 2>&1

salt/common/tools/sbin/so-restart

@@ -32,6 +32,5 @@ fi
 case $1 in
    "cortex") docker stop so-thehive-cortex so-thehive && docker rm so-thehive-cortex so-thehive && salt-call state.apply hive queue=True;;
    "steno") docker stop so-steno && docker rm so-steno && salt-call state.apply pcap queue=True;;
-   "auth") docker stop so-auth-api; docker stop so-auth-ui; salt-call state.apply auth queue=True;;
    *)  docker stop so-$1 ; docker rm so-$1 ; salt-call state.apply $1 queue=True;;
 esac

salt/common/tools/sbin/so-saltstack-update

@@ -0,0 +1,57 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+default_salt_dir=/opt/so/saltstack/default
+clone_to_tmp() {
+
+  # TODO Need to add a air gap option
+  # Make a temp location for the files
+  mkdir /tmp/sogh
+  cd /tmp/sogh
+  #git clone -b dev https://github.com/Security-Onion-Solutions/securityonion-saltstack.git
+  git clone https://github.com/Security-Onion-Solutions/securityonion-saltstack.git
+  cd /tmp
+
+}
+
+copy_new_files() {
+
+  # Copy new files over to the salt dir
+  cd /tmp/sogh/securityonion-saltstack
+  git checkout $BRANCH
+  rsync -a --exclude-from 'exclude-list.txt' salt $default_salt_dir/
+  rsync -a --exclude-from 'exclude-list.txt' pillar $default_salt_dir/
+  chown -R socore:socore $default_salt_dir/salt
+  chown -R socore:socore $default_salt_dir/pillar
+  chmod 755 $default_salt_dir/pillar/firewall/addfirewall.sh
+  rm -rf /tmp/sogh
+}
+
+got_root(){
+    if [ "$(id -u)" -ne 0 ]; then
+        echo "This script must be run using sudo!"
+        exit 1
+    fi
+}
+
+got_root
+if [ $# -ne 1 ] ; then
+  BRANCH=master
+else
+  BRANCH=$1
+fi
+clone_to_tmp
+copy_new_files

salt/common/tools/sbin/so-start

@@ -32,16 +32,5 @@ fi
 case $1 in
    "all") salt-call state.highstate queue=True;;
    "steno") if docker ps | grep -q so-$1; then printf "\n$1 is already running!\n\n"; else docker rm so-$1 >/dev/null 2>&1 ; salt-call state.apply pcap queue=True; fi ;; 
-   "auth") 
-      if docker ps | grep -q so-auth-api; then
-         if docker ps | grep -q so-auth-ui; then
-            printf "\n$1 is already running!\n\n"
-         else
-            docker rm so-auth-api >/dev/null 2>&1; docker rm so-auth-ui >/dev/null 2>&1; salt-call state.apply $1 queue=True
-         fi
-      else
-         docker rm so-auth-api >/dev/null 2>&1; docker rm so-auth-ui >/dev/null 2>&1; salt-call state.apply $1 queue=True
-      fi
-      ;;
-   *) if docker ps | grep -q so-$1; then printf "\n$1 is already running\n\n"; else docker rm so-$1 >/dev/null 2>&1 ; salt-call state.apply $1 queue=True; fi ;; 
+   *) if docker ps | grep -E -q '^so-$1$'; then printf "\n$1 is already running\n\n"; else docker rm so-$1 >/dev/null 2>&1 ; salt-call state.apply $1 queue=True; fi ;; 
 esac

salt/common/tools/sbin/so-status

@@ -14,33 +14,8 @@
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
-
-{%- set pillar_suffix = ':containers' -%}
-{%- if (salt['grains.get']('role') == 'so-mastersearch') -%}
-    {%- set pillar_val = 'master_search' -%}
-{%- elif (salt['grains.get']('role') == 'so-master') -%}
-    {%- set pillar_val = 'master' -%}
-{%- elif (salt['grains.get']('role') == 'so-heavynode') -%}
-    {%- set pillar_val = 'heavy_node' -%}
-{%- elif (salt['grains.get']('role') == 'so-sensor') -%}
-    {%- set pillar_val = 'sensor' -%}
-{%- elif (salt['grains.get']('role') == 'so-eval') -%}
-    {%- set pillar_val = 'eval' -%}
-{%- elif (salt['grains.get']('role') == 'so-helix') -%}
-    {%- set pillar_val = 'helix' -%}
-{%- elif (salt['grains.get']('role') == 'so-node') -%}
-    {%- if (salt['pillar.get']('node:node_type') == 'parser') -%}
-        {%- set pillar_val = 'parser_node' -%}
-    {%- elif (salt['pillar.get']('node:node_type') == 'hot') -%}
-        {%- set pillar_val = 'hot_node' -%}
-    {%- elif (salt['pillar.get']('node:node_type') == 'warm') -%}
-        {%- set pillar_val = 'warm_node' -%}
-    {%- elif (salt['pillar.get']('node:node_type') == 'search') -%}
-        {%- set pillar_val = 'search_node' -%}
-    {%- endif -%}
-{%- endif -%}
-{%- set pillar_name = pillar_val ~ pillar_suffix -%}
-{%- set container_list = salt['pillar.get'](pillar_name) %}
+{%- from 'common/maps/so-status.map.jinja' import docker with context %}
+{%- set container_list = docker['containers'] | sort %}
 
 if ! [ "$(id -u)" = 0 ]; then
    echo "This command must be run as root"
@@ -105,7 +80,7 @@ populate_container_lists() {
     systemctl is-active --quiet docker
 
     if [[ $? = 0 ]]; then
-        mapfile -t docker_raw_list < <(curl -s --unix-socket /var/run/docker.sock http:/containers/json?all=1 \
+        mapfile -t docker_raw_list < <(curl -s --unix-socket /var/run/docker.sock http:/v1.40/containers/json?all=1 \
             | jq -c '.[] | { Name: .Names[0], State: .State }' \
             | tr -d '/{"}')
     else

salt/common/tools/sbin/so-stop

@@ -24,7 +24,6 @@ printf "Stopping $1...\n"
 echo $banner
 
 case $1 in
-    "auth") docker stop so-auth-api; docker rm so-auth-api; docker stop so-auth-ui; docker rm so-auth-ui ;;
     *) docker stop so-$1 ; docker rm so-$1 ;;
 esac
 

salt/common/tools/sbin/so-thehive-es-restart

@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-stop thehive-es $1
+/usr/sbin/so-start thehive $1

salt/common/tools/sbin/so-thehive-es-start

@@ -17,4 +17,4 @@
 
 . /usr/sbin/so-common
 
-/usr/sbin/so-start auth $1
+/usr/sbin/so-start thehive $1

salt/common/tools/sbin/so-thehive-es-stop

@@ -0,0 +1,20 @@
+#!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-stop thehive-es $1

salt/common/tools/sbin/so-thehive-restart

@@ -1,5 +1,5 @@
 #!/bin/bash
-
+#
 # Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify

salt/common/tools/sbin/so-thehive-stop

@@ -1,5 +1,5 @@
 #!/bin/bash
-
+#
 # Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify

salt/common/tools/sbin/so-user

@@ -0,0 +1,237 @@
+#!/bin/bash
+# Copyright 2020 Security Onion Solutions. All rights reserved.
+#
+# This program is distributed under the terms of version 2 of the
+# GNU General Public License.  See LICENSE for further details.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+
+got_root() {
+
+  # Make sure you are root
+  if [ "$(id -u)" -ne 0 ]; then
+          echo "This script must be run using sudo!"
+          exit 1
+  fi
+
+}
+
+# Make sure the user is root
+got_root
+
+if [[ $# < 1 || $# > 2 ]]; then
+  echo "Usage: $0 <list|add|update|delete|validate|valemail|valpass> [email]"
+  echo ""
+  echo "     list: Lists all user email addresses currently defined in the identity system"
+  echo "      add: Adds a new user to the identity system; requires 'email' parameter"
+  echo "   update: Updates a user's password; requires 'email' parameter"
+  echo "   delete: Deletes an existing user; requires 'email' parameter"
+  echo " validate: Validates that the given email address and password are acceptable for defining a new user; requires 'email' parameter"
+  echo " valemail: Validates that the given email address is acceptable for defining a new user; requires 'email' parameter"
+  echo "  valpass: Validates that a password is acceptable for defining a new user"
+  echo ""
+  echo " Note that the password can be piped into stdin to avoid prompting for it."
+  exit 1
+fi
+
+operation=$1
+email=$2
+
+kratosUrl=${KRATOS_URL:-http://127.0.0.1:4434}
+databasePath=${KRATOS_DB_PATH:-/opt/so/conf/kratos/db/db.sqlite}
+argon2Iterations=${ARGON2_ITERATIONS:-3}
+argon2Memory=${ARGON2_MEMORY:-14}
+argon2Parallelism=${ARGON2_PARALLELISM:-2}
+argon2HashSize=${ARGON2_HASH_SIZE:-32}
+
+function fail() {
+  msg=$1
+  echo "$1"
+  exit 1
+}
+
+function require() {
+  cmd=$1
+  which "$1" 2>&1 > /dev/null
+  [[ $? != 0 ]] && fail "This script requires the following command be installed: ${cmd}"
+}
+
+# Verify this environment is capable of running this script
+function verifyEnvironment() {
+  require "argon2"
+  require "jq"
+  require "curl"
+  require "openssl"
+  require "sqlite3"
+  [[ ! -f $databasePath ]] && fail "Unable to find database file; specify path via KRATOS_DB_PATH environment variable"
+  response=$(curl -Ss ${kratosUrl}/)
+  [[ "$response" != "404 page not found" ]] && fail "Unable to communicate with Kratos; specify URL via KRATOS_URL environment variable"
+}
+
+function findIdByEmail() {
+  email=$1
+
+  response=$(curl -Ss ${kratosUrl}/identities)
+  identityId=$(echo "${response}" | jq ".[] | select(.addresses[0].value == \"$email\") | .id")
+  echo $identityId
+}
+
+function validatePassword() {
+  password=$1
+
+  len=$(expr length "$password")
+  if [[ $len -lt 6 ]]; then
+    echo "Password does not meet the minimum requirements"
+    exit 2
+  fi
+}
+
+function validateEmail() {
+  email=$1
+  # (?:[a-z0-9!#$%&'*+/=?^_`{|}~-]+(?:\.[a-z0-9!#$%&'*+/=?^_`{|}~-]+)*|"(?:[\x01-\x08\x0b\x0c\x0e-\x1f\x21\x23-\x5b\x5d-\x7f]|\\[\x01-\x09\x0b\x0c\x0e-\x7f])*")@(?:(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z0-9](?:[a-z0-9-]*[a-z0-9])?|\[(?:(?:(2(5[0-5]|[0-4][0-9])|1[0-9][0-9]|[1-9]?[0-9]))\.){3}(?:(2(5[0-5]|[0-4][0-9])|1[0-9][0-9]|[1-9]?[0-9])|[a-z0-9-]*[a-z0-9]:(?:[\x01-\x08\x0b\x0c\x0e-\x1f\x21-\x5a\x53-\x7f]|\\[\x01-\x09\x0b\x0c\x0e-\x7f])+)\])
+  if [[ ! "$email" =~ ^[[:alnum:]._%+-]+@[[:alnum:].-]+\.[[:alpha:]]{2,}$ ]]; then
+    echo "Email address is invalid"
+    exit 3
+  fi
+}
+
+function updatePassword() {
+  identityId=$1
+  
+  # Read password from stdin (show prompt only if no stdin was piped in)
+  test -t 0
+  if [[ $? == 0 ]]; then
+    echo "Enter new password:"
+  fi
+  read -s password
+
+  validatePassword "$password"
+
+  if [[ -n $identityId ]]; then
+    # Generate password hash
+    salt=$(openssl rand -hex 8)
+    passwordHash=$(echo "${password}" | argon2 ${salt} -id -t $argon2Iterations -m $argon2Memory -p $argon2Parallelism -l $argon2HashSize -e)
+
+    # Update DB with new hash
+    echo "update identity_credentials set config=CAST('{\"hashed_password\":\"${passwordHash}\"}' as BLOB) where identity_id=${identityId};" | sqlite3 "$databasePath"
+    [[ $? != 0 ]] && fail "Unable to update password"
+  fi
+}
+
+function listUsers() {
+  response=$(curl -Ss ${kratosUrl}/identities)
+  [[ $? != 0 ]] && fail "Unable to communicate with Kratos"
+
+  echo "${response}" | jq -r ".[] | .addresses[0].value" | sort
+}
+
+function createUser() {
+  email=$1
+
+  now=$(date -u +%FT%TZ)
+  addUserJson=$(cat <<EOF
+{
+  "addresses": [
+    {
+      "expires_at": "2099-01-31T12:00:00Z",
+      "value": "${email}",
+      "verified": true,
+      "verified_at": "${now}",
+      "via": "so-add-user"
+    }
+  ],
+  "traits": {"email":"${email}"},
+  "traits_schema_id": "default"
+}
+EOF
+  )
+  
+  response=$(curl -Ss ${kratosUrl}/identities -d "$addUserJson")
+  [[ $? != 0 ]] && fail "Unable to communicate with Kratos"
+
+  identityId=$(echo "${response}" | jq ".id")
+  if [[ ${identityId} == "null" ]]; then
+    code=$(echo "${response}" | jq ".error.code")
+    [[ "${code}" == "409" ]] && fail "User already exists"
+
+    reason=$(echo "${response}" | jq ".error.message")
+    [[ $? == 0 ]] && fail "Unable to add user: ${reason}"
+  fi
+
+  updatePassword $identityId
+}
+
+function updateUser() {
+  email=$1
+
+  identityId=$(findIdByEmail "$email")
+  [[ ${identityId} == "" ]] && fail "User not found"
+
+  updatePassword $identityId 
+}
+
+function deleteUser() {
+  email=$1
+
+  identityId=$(findIdByEmail "$email")
+  [[ ${identityId} == "" ]] && fail "User not found"
+
+  response=$(curl -Ss -XDELETE "${kratosUrl}/identities/$identityId")
+  [[ $? != 0 ]] && fail "Unable to communicate with Kratos"
+}
+
+case "${operation}" in
+  "add")
+    verifyEnvironment
+    [[ "$email" == "" ]] && fail "Email address must be provided"
+
+    validateEmail "$email"
+    createUser "$email"
+    echo "Successfully added new user"
+    ;;
+
+  "list")
+    verifyEnvironment
+    listUsers
+    ;;
+
+  "update")
+    verifyEnvironment
+    [[ "$email" == "" ]] && fail "Email address must be provided"
+
+    updateUser "$email"
+    echo "Successfully updated user"
+    ;;
+
+  "delete")
+    verifyEnvironment
+    [[ "$email" == "" ]] && fail "Email address must be provided"
+
+    deleteUser "$email"
+    echo "Successfully deleted user"  
+    ;;
+
+  "validate")
+    validateEmail "$email"
+    updatePassword
+    echo "Email and password are acceptable"
+    ;;
+
+  "valemail")
+    validateEmail "$email"
+    echo "Email is acceptable"
+    ;;
+
+  "valpass")
+    updatePassword
+    echo "Password is acceptable"
+    ;;
+
+  *)
+    fail "Unsupported operation: $operation"
+    ;;
+esac
+
+exit 0

salt/common/tools/sbin/so-user-add

@@ -1,17 +1,2 @@
 #!/bin/bash
-USERNAME=$1
-
-# Make sure a username is provided
-[ $# -eq 0 ] && { echo "Usage: $0 username"; exit 1; }
-
-# If the file is there already lets create it otherwise add the user
-if [ ! -f /opt/so/conf/nginx/.htpasswd ]; then
-
-  # Create the password file
-  htpasswd -c /opt/so/conf/nginx/.htpasswd $USERNAME
-
-else
-
-  htpasswd /opt/so/conf/nginx/.htpasswd $USERNAME
-
-fi
+so-user add $*

salt/common/tools/sbin/so-zeek-stats

@@ -0,0 +1,39 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+# Show Zeek stats (capstats, netstats)
+
+show_stats() {
+  echo '##############'
+  echo '# Zeek Stats #'
+  echo '##############'
+  echo
+  echo "Average throughput:"
+  echo
+  docker exec -it so-zeek /opt/zeek/bin/zeekctl capstats
+  echo
+  echo "Average packet loss:"
+  echo
+  docker exec -it so-zeek /opt/zeek/bin/zeekctl netstats
+  echo
+}
+
+if docker ps | grep -q zeek; then
+  show_stats
+else
+  echo "Zeek is not running! Try starting it with 'so-zeek-start'." && exit 1;
+fi

salt/common/tools/sbin/soup

@@ -0,0 +1,37 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+
+#    This program is free software: you can redistribute it and/or modify
+#    it under the terms of the GNU General Public License as published by
+#    the Free Software Foundation, either version 3 of the License, or
+#    (at your option) any later version.
+#
+#    This program is distributed in the hope that it will be useful,
+#    but WITHOUT ANY WARRANTY; without even the implied warranty of
+#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#    GNU General Public License for more details.
+#
+#    You should have received a copy of the GNU General Public License
+#    along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+clone_to_tmp() {
+
+  # TODO Need to add a air gap option
+  # Make a temp location for the files
+  rm -rf /tmp/soup
+  mkdir -p /tmp/soup
+  cd /tmp/soup
+  #git clone -b dev https://github.com/Security-Onion-Solutions/securityonion-saltstack.git
+  git clone https://github.com/Security-Onion-Solutions/securityonion-saltstack.git
+
+}
+
+# Prompt the user that this requires internets
+
+clone_to_tmp
+cd /tmp/soup/securityonion-saltstack/update
+chmod +x soup
+./soup
+
+

salt/curator/files/action/close.yml

@@ -1,12 +1,8 @@
-{% if grains['role'] == 'so-node' %}
-
-{%- set cur_close_days = salt['pillar.get']('node:cur_close_days', '') -%}
-
-{% elif grains['role'] == 'so-eval' %}
-
-{%- set cur_close_days = salt['pillar.get']('master:cur_close_days', '') -%}
-
-{%- endif %}
+{%- if grains['role'] in ['so-node', 'so-searchnode', 'so-heavynode'] %}
+  {%- set cur_close_days = salt['pillar.get']('node:cur_close_days', '') -%}
+{%- elif grains['role'] in ['so-eval', 'so-mastersearch', 'so-standalone'] %}
+  {%- set cur_close_days = salt['pillar.get']('master:cur_close_days', '') -%}
+{%- endif -%}
 
 ---
 # Remember, leave a key empty if there is no value.  None will be a string,
@@ -28,9 +24,8 @@ actions:
       disable_action: False
     filters:
     - filtertype: pattern
-      kind: prefix
-      value: logstash-
-      exclude:
+      kind: regex 
+      value: '^(logstash-.*|so-.*)$'
     - filtertype: age
       source: name
       direction: older