Merge pull request #1363 from Security-Onion-Solutions/dev

RC3
Update VERIFY_ISO.md
2025-12-06 17:22:49 +01:00 · 2020-09-17 15:05:33 -04:00 · 2020-09-17 11:02:16 -04:00 · 2020-09-17 10:56:29 -04:00 · 2020-09-17 10:54:18 -04:00 · 2020-09-17 10:54:01 -04:00
359 changed files with 20964 additions and 14921 deletions
--- a/51
+++ b/51
@@ -0,0 +1,51 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+mQINBF7rzwEBEADBg87uJhnC3Ls7s60hbHGaywGrPtbz2WuYA/ev3YS3X7WS75p8
+PGlzTWUCujx0pEHbK2vYfExl3zksZ8ZmLyZ9VB3oSLiWBzJgKAeB7YCFEo8te+eE
+P2Z+8c+kX4eOV+2waxZyewA2TipSkhWgStSI4Ow8SyVUcUWA3hCw7mo2duNVi7KO
+C3vvI3wzirH+8/XIGo+lWTg6yYlSxdf+0xWzYvV2QCMpwzJfARw6GGXtfCZw/zoO
+o4+YPsiyztQdyI1y+g3Fbesl65E36DelbyP+lYd2VecX8ELEv0wlKCgHYlk6lc+n
+qnOotVjWbsyXuFfo06PHUd6O9n3nmo0drC6kmXGw1e8hu0t8VcGfMTKS/hszwVUY
+bHS6kbfsOoAb6LXPWKfqxk/BdreLXmcHHz88DimS3OS0JufkcmkjxEzSFRL0kb2h
+QVb1SATrbx+v2RWQXvi9sLCjT2fdOiwi1Tgc84orc7A1C3Jwu353YaX9cV+n5uyG
+OZ2AULZ5z2h13sVuiZAwfyyFs/O0CJ783hFA2TNPnyNGAgw/kaIo7nNRnggtndBo
+oQzVS+BHiFx98IF4zDqmF2r2+jOCjxSrw8KnZBe4bgXFtl89DmjoejGvWDnu2MVM
+pZDEs1DcOxHBQmTCWMIYLyNKG0xW6diyWBxEIaa7YgrP6kA+RaDfZ/xXPwARAQAB
+tD9TZWN1cml0eSBPbmlvbiBTb2x1dGlvbnMsIExMQyA8aW5mb0BzZWN1cml0eW9u
+aW9uc29sdXRpb25zLmNvbT6JAlQEEwEKAD4WIQTIBKk9Nr4Mcz6hlkR8EGC3/lBw
+EwUCXuvPAQIbAwUJEswDAAULCQgHAgYVCgkICwIEFgIDAQIeAQIXgAAKCRB8EGC3
+/lBwExB1D/42xIDGU2XFNFyTU+ZqzDA8qNC9hEKjLeizbeM8RIm3xO+3p7SdqbuJ
+7pA8gk0RiHuILb+Ba1xiSh/w/W2bOxQhsXuWHih2z3W1tI+hu6RQhIm4e6CIHHf7
+Vzj4RSvHOVS0AzITUwkHjv0x0Z8zVBPJfEHKkK2x03BqP1o12rd7n2ZMrSfN6sED
+fUwOJLDjthShtyLSPBVG8j7T5cfSCPSLhfVOKPQVcI1sSir7RLeyxt1v1kzjQdaA
+znxO8EgfZJN93wzfBrAGcVT8KmpmgwR6p46m20wJXyZC9DZxJ0o1y3toVWTC+kP
+Qj1ROPivySVn10rBoOJk8HteyhW07gTcydq+noKHV7SqJ1899xRAYP7rDCfI9iMW
+Nn22ZDLnAkIcbNR7JLJCHwsZH/Umo9KO/dIccIqVQel3UCCYZcWTZW0VkcjqVKRa
+eK+JQGaJPrBAoxIG5/sMlbk2sINSubNWlcbH6kM0V8NVwdPiOO9xLmp2hI4ICxE3
+M+O2HCNX4QYzVizzTFxEvW3ieLa4nePQ8J6lvMI2oLkFP7xHoFluvZnuwfNvoEy0
+RnlHExN1UQTUvcbCxIbzjaJ4HJXilWHjgmGaVQO1S7AYskWnNWQ7uJvxnuZBNNwm
+pIvwYEZp23fYaWl/xKqnmPMy2ADjROBKlCm7L+Ntq1r7ELGW5ZCTobkCDQRe688B
+ARAA22GzdkSAo+mwJ2S1RbJ1G20tFnLsG/NC8iMN3lEh/PSmyPdB7mBtjZ+HPDzF
+VSznXZdr3LItBBQOli2hVIj1lZBY7+s2ZufV3TFFwselUwT3b1g1KMkopD95Ckf8
+WhLbSz2yqgrvcEvbB0HFX/ZEsHGqIz2kLacixjwXXLWOMQ2LNbeW1f5zQkBnaNNQ
+/4njzTj68OxnvfplNYNJqi2pZGb2UqarYX04FqKNuocN8E7AC9FQdBXylmVctw9T
+pQVwfCI76bTe6vPWb+keb6UNN1jyXVnhIQ3Fv5sFBsmgXf/hO8tqCotrKjEiK2/i
+RkvFeqsGMXreCgYg9zW4k+DcJtVa+Q8juGOjElrubY3Ua9mCusx3vY4QYSWxQ5Ih
+k1lXiUcM5Rt38lfpKHRJ5Pd4Y5xlWSQfZ7nmzbf/GzJQz+rWrA0X6Oc6cDOPLNXK
+w1dAygre4f2bsp5kHQt6NMefxeNTDmi+4R62K0tb40f5q0Vxz8qdyD48bBsbULNx
+kb6mjOAD+FNkfNXcGeuTq9oRnjx8i93mhYsIP5LFNDXS/zSP1nv0ZUFeIlGQGjV9
+1wOvT454qkI9sKiVFtd4FrNKZJbKszxxDm+DPfB5j+hRC4oeEJ7w+sVyh3EawtfM
+V7Mwj8i+7c3YUCravXBhSwG7SCTggFUgA8lMr8oWVgCATYsAEQEAAYkCPAQYAQoA
+JhYhBMgEqT02vgxzPqGWRHwQYLf+UHATBQJe688BAhsMBQkSzAMAAAoJEHwQYLf+
+UHATTtwQAJiztPW68ykifpFdwYFp1VC7c+uGLhWBqjDY9NSUKNC9caR7bV0cnNu8
+07UG6j18gCB2GSkukXjOR/oTj6rNcW/WouPYfQOrw7+M2Ya8M8iq+E/HOXaXB3b4
+FeCcB0UuwfcHHd2KbXrRHA+9GNpmuOcfTCdsPpIr41Xg4QltATDEt/FrzuKspXg4
+vUKDXgfnbj7y0JcJM2FfcwWGlnAG5MMRyjJQAleGdiidX/9WxgJ4Mweq4qJM0jr3
+Qsrc9VuzxsLr85no3Hn5UYVgT7bBZ59HUbQoi775m78MxN3mWUSdcyLQKovI+YXr
+tshTxWIf/2Ovdzt6Wq1WWXOGGuK1qgdPJTFWrlh3amFdb70zR1p6A/Lthd7Zty+n
+QjRZRQo5jBSnYtjhMrZP6rxM3QqnQ0frEKK9HfDYONk1Bw18CUtdwFGb9OMregLR
+IjvNLp9coSh5yYAepZyUGEPRET0GsmVw2trQF0uyMSkQfiq2zjPto6WWbsmrrbLr
+cfZ/wnBw1FoNEd51U54euo9yvOgOVtJGvqLgHNwB8574FhQhoWAMhyizqdgeEt26
+m3FXecUNKL/AK71/l04vor+/WsXe8uhDg3O84qeYa9wgd8LZZVmGZJDosSwqYjtb
+LdNNm+v60Zo6rFWSREegqi/nRTTDdxdW99ybjlh+mpbq3xavyFXF
+=bhkm
+-----END PGP PUBLIC KEY BLOCK-----
--- a/README.md
+++ b/README.md
@@ -1,124 +1,37 @@
-## Hybrid Hunter Beta 1.4.0 - Beta 3
+## Security Onion 2.2.0.rc3

- Complete overhaul of the way we handle custom and default settings and data. You will now see a default and local directory under the saltstack directory. All customizations are stored in local.
- The way firewall rules are handled has been completely revamped. This will allow the user to customize firewall rules much easier. 
- Users can now change their own password in SOC.
- Hunt now allows users to enable auto-hunt. This is a toggle which, when enabled, automatically submits a new hunt when filtering, grouping, etc.
- Title bar now reflects current Hunt query. This will assist users in locating a previous query from their browser history.
- Zeek 3.0.7
- Elastic 7.7.1
- Suricata can now be used for meta data generation.
- Suricata eve.json has been moved to `/nsm` to align with storage of other data.
- Suricata will now properly rotate its logs.
- Grafana dashboards now work properly in standalone mode.
- Kibana Dashboard updates including osquery, community_id.  
- New Elasticsearch Ingest processor to generate community_id from any log that includes the required fields.  
- Community_id generated for additional logs: Zeek HTTP/SMTP/ , Sysmon shipped with Osquery or Winlogbeat.  
- Major streamlining of Fleet setup & configuration - no need to run a secondary setup script anymore. 
- Fleet Standalone node now includes the ability to set a FQDN to point osquery endpoints to. 
- Distributed installs now support ingesting Windows Eventlogs via Winlogbeat - includes full parsing support for Sysmon.
- SOC Downloads section now includes a link to the supported version of Winlogbeat.     
- Basic syslog ingestion capability now included.
- Elasticsearch index name transition fixes for various components.
- Updated URLs for pivot fields in Kibana.
- Instances of `hive` renamed to `thehive`. 
- 
-### Known Issues:
-
- The Hunt feature is currently considered "Preview" and although very useful in its current state, not everything works. We wanted to get this out as soon as possible to get the feedback from you! Let us know what you want to see! Let us know what you think we should call it!
- You cannot pivot to PCAP from Suricata alerts in Kibana or Hunt.
- Navigator is currently not working when using hostname to access SOC. IP mode works correctly.
- Due to the move to ECS, the current Playbook plays may not alert correctly at this time.
- The osquery MacOS package does not install correctly.
-
-
-## Hybrid Hunter Beta 1.3.0 - Beta 2
-
-### Changes:
-
- New Feature: Codename: "Onion Hunt". Select Hunt from the menu and start hunting down your adversaries! 
- Improved ECS support.
- Complete refactor of the setup to make it easier to follow.
- Improved setup script logging to better assist on any issues.
- Setup now checks for minimal requirements during install.
- Updated Cyberchef to version 9.20.3.
- Updated Elastalert to version 0.2.4 and switched to alpine to reduce container size.
- Updated Redis to 5.0.9 and switched to alpine to reduce container size.
- Updated Salt to 2019.2.5
- Updated Grafana to 6.7.3.
- Zeek 3.0.6
- Suricata 4.1.8
- Fixes so-status to now display correct containers and status.
- local.zeek is now controlled by a pillar instead of modifying the file directly.
- Renamed so-core to so-nginx and switched to alpine to reduce container size.
- Playbook now uses MySQL instead of SQLite.
- Sigma rules have all been updated.
- Kibana dashboard improvements for ECS.
- Fixed an issue where geoip was not properly parsed.
- ATT&CK Navigator is now it's own state.
- Standlone mode is now supported.
- Mastersearch previously used the same Grafana dashboard as a Search node. It now has its own dashboard that incorporates panels from the Master node and Search node dashboards.
- 
-### Known Issues:
-
- The Hunt feature is currently considered "Preview" and although very useful in its current state, not everything works. We wanted to get this out as soon as possible to get the feedback from you! Let us know what you want to see! Let us know what you think we should call it!
- You cannot pivot to PCAP from Suricata alerts in Kibana or Hunt.
- Updating users via the SOC ui is known to fail. To change a user, delete the user and re-add them. 
- Due to the move to ECS, the current Playbook plays may not alert correctly at this time.
- The osquery MacOS package does not install correctly.
+Security Onion 2.2.0 RC3 is here!

 ### Warnings and Disclaimers

- This BETA release is BLEEDING EDGE and TOTALLY UNSUPPORTED!  
 - If this breaks your system, you get to keep both pieces!  
- This script is a work in progress and is in constant flux.  
- This script is intended to build a quick prototype proof of concept so you can see what our new platform might look like.  This configuration will change drastically over time leading up to the final release.  
+- This is a work in progress and is in constant flux.  
+- This configuration may change drastically over time leading up to the final release.  
 - Do NOT run this on a system that you care about!  
 - Do NOT run this on a system that has data that you care about!  
 - This script should only be run on a TEST box with TEST data!  
 - Use of this script may result in nausea, vomiting, or a burning sensation.  

+### Release Notes
+
+https://docs.securityonion.net/en/2.2/release-notes.html
+
 ### Requirements

-Evaluation Mode:
+https://docs.securityonion.net/en/2.2/hardware.html

- ISO or a Single VM running Ubuntu 18.04 or CentOS 7
- Minimum 12GB of RAM
- Minimum 4 CPU cores
- Minimum 2 NICs
+### Download

-Distributed:
-
- 3 VMs running the ISO or Ubuntu 18.04 or CentOS 7 (You can mix and match)
- Minimum 8GB of RAM per VM
- Minimum 4 CPU cores per VM
- Minimum 2 NICs for forward nodes
+https://docs.securityonion.net/en/2.2/download.html

 ### Installation

-For most users, we recommend installing using [our ISO image](https://github.com/Security-Onion-Solutions/securityonion-saltstack/wiki/ISO).
-
-If instead you would like to try a manual installation (not using our ISO), you can build from CentOS 7 or Ubuntu 18.04.
-
-If using CentOS 7 Minimal, you will need to install git:
-
-```sudo yum -y install git```
-
-Once you have git, then do the following:
-
-```
-git clone https://github.com/Security-Onion-Solutions/securityonion-saltstack
-cd securityonion-saltstack
-sudo bash so-setup-network
-```
-
-Follow the prompts and reboot if asked to do so.
-
-Then proceed to the [Hybrid Hunter Quick Start Guide](https://github.com/Security-Onion-Solutions/securityonion-saltstack/wiki/Hybrid-Hunter-Quick-Start-Guide).
+https://docs.securityonion.net/en/2.2/installation.html

 ### FAQ
-See the [FAQ](https://github.com/Security-Onion-Solutions/securityonion-saltstack/wiki/FAQ) on the Hybrid Hunter wiki.
+
+https://docs.securityonion.net/en/2.2/faq.html

 ### Feedback
-If you have questions, problems, or other feedback regarding Hybrid Hunter, please post to our subreddit and prefix the title with **[Hybrid Hunter]**:<br>
-https://www.reddit.com/r/securityonion/
+
+https://docs.securityonion.net/en/2.2/community-support.html
--- a/VERIFY_ISO.md
+++ b/VERIFY_ISO.md
@@ -0,0 +1,50 @@
+### 2.2.0-rc3 ISO image built on 2020/09/17
+
+### Download and Verify
+
+2.2.0-rc3 ISO image:  
+https://download.securityonion.net/file/securityonion/securityonion-2.2.0-rc3.iso
+
+MD5: 051883501C905653ACBCEC513C294778  
+SHA1: 0A66F6636F53B268E7FFB743A3136AC5CC3E0E96  
+SHA256: 5A9F303954AF1B1D271CE526E5DCBFC28F3FFC0621B291A29F0F7F2E8EB11C43 
+
+Signature for ISO image:  
+https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.2.0-rc3.iso.sig
+
+Signing key:  
+https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/master/KEYS  
+
+For example, here are the steps you can use on most Linux distributions to download and verify our Security Onion ISO image.
+
+Download and import the signing key:  
+```
+wget https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/master/KEYS -O - | gpg --import -  
+```
+
+Download the signature file for the ISO:  
+```
+wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.2.0-rc3.iso.sig
+```
+
+Download the ISO image:  
+```
+wget https://download.securityonion.net/file/securityonion/securityonion-2.2.0-rc3.iso
+```
+
+Verify the downloaded ISO image using the signature file:  
+```
+gpg --verify securityonion-2.2.0-rc3.iso.sig securityonion-2.2.0-rc3.iso
+```
+
+The output should show "Good signature" and the Primary key fingerprint should match what's shown below:
+```
+gpg: Signature made Thu 17 Sep 2020 10:05:27 AM EDT using RSA key ID FE507013
+gpg: Good signature from "Security Onion Solutions, LLC <info@securityonionsolutions.com>"
+gpg: WARNING: This key is not certified with a trusted signature!
+gpg:          There is no indication that the signature belongs to the owner.
+Primary key fingerprint: C804 A93D 36BE 0C73 3EA1  9644 7C10 60B7 FE50 7013
+```
+
+Once you've verified the ISO image, you're ready to proceed to our Installation guide:  
+https://docs.securityonion.net/en/2.2/installation.html
--- a/2
+++ b/2
@@ -1 +1 @@
-1.4.0
+2.2.0-rc.3
--- a/exclude-list.txt
+++ b/exclude-list.txt
--- a/files/analyst/README
+++ b/files/analyst/README
@@ -0,0 +1,79 @@
+The following GUI tools are available on the analyst workstation:
+
+chromium
+  url: https://www.chromium.org/Home
+  To run chromium, click Applications > Internet > Chromium Web Browser
+  
+Wireshark
+  url: https://www.wireshark.org/
+  To run Wireshark, click Applications > Internet > Wireshark Network Analyzer
+
+NetworkMiner
+  url: https://www.netresec.com
+  To run NetworkMiner, click Applications > Internet > NetworkMiner
+
+The following CLI tools are available on the analyst workstation:
+
+bit-twist
+  url: http://bittwist.sourceforge.net
+  To run bit-twist, open a terminal and type: bittwist -h
+
+chaosreader
+  url: http://chaosreader.sourceforge.net
+  To run chaosreader, open a terminal and type: chaosreader -h
+
+dnsiff
+  url: https://www.monkey.org/~dugsong/dsniff/
+  To run dsniff, open a terminal and type: dsniff -h
+
+foremost
+  url: http://foremost.sourceforge.net
+  To run foremost, open a terminal and type: foremost -h
+  
+hping3
+  url: http://www.hping.org/hping3.html
+  To run hping3, open a terminal and type: hping3 -h
+
+netsed
+  url: http://silicone.homelinux.org/projects/netsed/
+  To run netsed, open a terminal and type: netsed -h
+
+ngrep
+  url: https://github.com/jpr5/ngrep
+  To run ngrep, open a terminal and type: ngrep -h
+
+scapy
+  url: http://www.secdev.org/projects/scapy/
+  To run scapy, open a terminal and type: scapy
+
+ssldump
+  url: http://www.rtfm.com/ssldump/
+  To run ssldump, open a terminal and type: ssldump -h
+
+sslsplit
+  url: https://github.com/droe/sslsplit
+  To run sslsplit, open a terminal and type: sslsplit -h
+
+tcpdump
+  url: http://www.tcpdump.org
+  To run tcpdump, open a terminal and type: tcpdump -h
+
+tcpflow
+  url: https://github.com/simsong/tcpflow
+  To run tcpflow, open a terminal and type: tcpflow -h
+
+tcpstat
+  url: https://frenchfries.net/paul/tcpstat/
+  To run tcpstat, open a terminal and type: tcpstat -h
+
+tcptrace
+  url: http://www.tcptrace.org
+  To run tcptrace, open a terminal and type: tcptrace -h
+
+tcpxtract
+  url: http://tcpxtract.sourceforge.net/
+  To run tcpxtract, open a terminal and type: tcpxtract -h
+
+whois
+  url: http://www.linux.it/~md/software/
+  To run whois, open a terminal and type: whois -h
--- a/files/firewall/assigned_hostgroups.local.map.yaml
+++ b/files/firewall/assigned_hostgroups.local.map.yaml
@@ -13,8 +13,9 @@ role:
  fleet:
  heavynode:
  helixsensor:
-  master:
-  mastersearch:
+  import:
+  manager:
+  managersearch:
  standalone:
  searchnode:
  sensor:
--- a/files/firewall/hostgroups.local.yaml
+++ b/files/firewall/hostgroups.local.yaml
@@ -12,6 +12,10 @@ firewall:
      ips:
        delete:
        insert:
+    elasticsearch_rest:
+      ips:
+        delete:
+        insert:
    fleet:
      ips:
        delete:
@@ -20,7 +24,7 @@ firewall:
      ips:
        delete:
        insert:
-    master:
+    manager:
      ips:
        delete:
        insert:
@@ -44,6 +48,10 @@ firewall:
      ips:
        delete:
        insert:
+    strelka_frontend:
+      ips:
+        delete:
+        insert:
    syslog:
      ips:
        delete:
--- a/pillar/data/addtotab.sh
+++ b/pillar/data/addtotab.sh
@@ -44,11 +44,11 @@ echo "    guid: $GUID" >> $local_salt_dir/pillar/data/$TYPE.sls
 echo "    rootfs: $ROOTFS" >> $local_salt_dir/pillar/data/$TYPE.sls
 echo "    nsmfs: $NSM" >> $local_salt_dir/pillar/data/$TYPE.sls
 if [ $TYPE == 'sensorstab' ]; then
-  echo "    monint: $MONINT" >> $local_salt_dir/pillar/data/$TYPE.sls
+  echo "    monint: bond0" >> $local_salt_dir/pillar/data/$TYPE.sls
  salt-call state.apply grafana queue=True
 fi
 if [ $TYPE == 'evaltab' ] || [ $TYPE == 'standalonetab' ]; then
-  echo "    monint: $MONINT" >> $local_salt_dir/pillar/data/$TYPE.sls
+  echo "    monint: bond0" >> $local_salt_dir/pillar/data/$TYPE.sls
  if [ ! $10 ]; then
    salt-call state.apply grafana queue=True
    salt-call state.apply utility queue=True
--- a/pillar/docker/config.sls
+++ b/pillar/docker/config.sls
@@ -1,12 +1,12 @@
-{%- set FLEETMASTER = salt['pillar.get']('static:fleet_master', False) -%}
-{%- set FLEETNODE = salt['pillar.get']('static:fleet_node', False) -%}
-{% set WAZUH = salt['pillar.get']('master:wazuh', '0') %}
-{% set THEHIVE = salt['pillar.get']('master:thehive', '0') %}
-{% set PLAYBOOK = salt['pillar.get']('master:playbook', '0') %}
-{% set FREQSERVER = salt['pillar.get']('master:freq', '0') %}
-{% set DOMAINSTATS = salt['pillar.get']('master:domainstats', '0') %}
-{% set BROVER = salt['pillar.get']('static:broversion', 'COMMUNITY') %}
-{% set GRAFANA = salt['pillar.get']('master:grafana', '0') %}
+{%- set FLEETMANAGER = salt['pillar.get']('global:fleet_manager', False) -%}
+{%- set FLEETNODE = salt['pillar.get']('global:fleet_node', False) -%}
+{% set WAZUH = salt['pillar.get']('manager:wazuh', '0') %}
+{% set THEHIVE = salt['pillar.get']('manager:thehive', '0') %}
+{% set PLAYBOOK = salt['pillar.get']('manager:playbook', '0') %}
+{% set FREQSERVER = salt['pillar.get']('manager:freq', '0') %}
+{% set DOMAINSTATS = salt['pillar.get']('manager:domainstats', '0') %}
+{% set ZEEKVER = salt['pillar.get']('global:mdengine', 'COMMUNITY') %}
+{% set GRAFANA = salt['pillar.get']('manager:grafana', '0') %}

 eval:
  containers:
@@ -20,7 +20,7 @@ eval:
    - so-soc
    - so-kratos
    - so-idstools
-    {% if FLEETMASTER %}
+    {% if FLEETMANAGER %}
    - so-mysql
    - so-fleet
    - so-redis
@@ -44,7 +44,6 @@ eval:
    {% endif %}
    {% if PLAYBOOK != '0' %}
    - so-playbook
-    - so-navigator
    {% endif %}
    {% if FREQSERVER != '0' %}
    - so-freqserver
@@ -64,7 +63,7 @@ heavy_node:
    - so-suricata
    - so-wazuh
    - so-filebeat
-    {% if BROVER != 'SURICATA' %}
+    {% if ZEEKVER != 'SURICATA' %}
    - so-zeek
    {% endif %}
 helix:
@@ -84,7 +83,7 @@ hot_node:
    - so-logstash
    - so-elasticsearch
    - so-curator
-master_search:
+manager_search:
  containers:
    - so-nginx
    - so-telegraf
@@ -100,7 +99,7 @@ master_search:
    - so-elastalert
    - so-filebeat
    - so-soctopus
-    {% if FLEETMASTER %}
+    {% if FLEETMANAGER %}
    - so-mysql
    - so-fleet
    - so-redis
@@ -116,7 +115,6 @@ master_search:
    {% endif %}
    {% if PLAYBOOK != '0' %}
    - so-playbook
-    - so-navigator
    {% endif %}
    {% if FREQSERVER != '0' %}
    - so-freqserver
@@ -124,7 +122,7 @@ master_search:
    {% if DOMAINSTATS != '0' %}
    - so-domainstats
    {% endif %}
-master:
+manager:
  containers:
    - so-dockerregistry
    - so-nginx
@@ -143,7 +141,7 @@ master:
    - so-kibana
    - so-elastalert
    - so-filebeat
-    {% if FLEETMASTER %}
+    {% if FLEETMANAGER %}
    - so-mysql
    - so-fleet
    - so-redis
@@ -159,7 +157,6 @@ master:
    {% endif %}
    {% if PLAYBOOK != '0' %}
    - so-playbook
-    - so-navigator
    {% endif %}
    {% if FREQSERVER != '0' %}
    - so-freqserver
@@ -189,7 +186,7 @@ sensor:
    - so-telegraf
    - so-steno
    - so-suricata
-    {% if BROVER != 'SURICATA' %}
+    {% if ZEEKVER != 'SURICATA' %}
    - so-zeek
    {% endif %}
    - so-wazuh
--- a/pillar/elasticsearch/eval.sls
+++ b/pillar/elasticsearch/eval.sls
@@ -0,0 +1,13 @@
+elasticsearch:
+  templates:
+    - so/so-beats-template.json.jinja
+    - so/so-common-template.json
+    - so/so-firewall-template.json.jinja
+    - so/so-flow-template.json.jinja
+    - so/so-ids-template.json.jinja
+    - so/so-import-template.json.jinja
+    - so/so-osquery-template.json.jinja
+    - so/so-ossec-template.json.jinja
+    - so/so-strelka-template.json.jinja
+    - so/so-syslog-template.json.jinja
+    - so/so-zeek-template.json.jinja
--- a/pillar/elasticsearch/search.sls
+++ b/pillar/elasticsearch/search.sls
@@ -0,0 +1,13 @@
+elasticsearch:
+  templates:
+    - so/so-beats-template.json.jinja
+    - so/so-common-template.json
+    - so/so-firewall-template.json.jinja
+    - so/so-flow-template.json.jinja
+    - so/so-ids-template.json.jinja
+    - so/so-import-template.json.jinja
+    - so/so-osquery-template.json.jinja
+    - so/so-ossec-template.json.jinja
+    - so/so-strelka-template.json.jinja
+    - so/so-syslog-template.json.jinja
+    - so/so-zeek-template.json.jinja
--- a/pillar/firewall/ports.sls
+++ b/pillar/firewall/ports.sls
@@ -17,7 +17,7 @@ firewall:
        - 5644
        - 9822
      udp:
-  master:
+  manager:
    ports:
      tcp:
        - 1514
@@ -26,6 +26,7 @@ firewall:
        - 4200
        - 5601
        - 6379
+        - 7788
        - 8086
        - 8090
        - 9001
@@ -33,6 +34,8 @@ firewall:
        - 9300
        - 9400  
        - 9500
+        - 9595
+        - 9696
      udp:
        - 1514
  minions:
--- a/pillar/logstash/eval.sls
+++ b/pillar/logstash/eval.sls
@@ -1,21 +0,0 @@
-logstash:
-  pipelines:
-    eval:
-      config:
-        - so/0800_input_eval.conf
-        - so/1002_preprocess_json.conf
-        - so/1033_preprocess_snort.conf
-        - so/7100_osquery_wel.conf
-        - so/8999_postprocess_rename_type.conf
-        - so/9000_output_bro.conf.jinja
-        - so/9002_output_import.conf.jinja
-        - so/9033_output_snort.conf.jinja
-        - so/9100_output_osquery.conf.jinja
-        - so/9400_output_suricata.conf.jinja
-        - so/9500_output_beats.conf.jinja
-        - so/9600_output_ossec.conf.jinja
-        - so/9700_output_strelka.conf.jinja
-  templates:
-    - so/so-beats-template.json
-    - so/so-common-template.json
-    - so/so-zeek-template.json
--- a/pillar/logstash/init.sls
+++ b/pillar/logstash/init.sls
@@ -1,7 +1,6 @@
 logstash:
  docker_options:
    port_bindings:
-      - 0.0.0.0:514:514
      - 0.0.0.0:5044:5044
      - 0.0.0.0:5644:5644
      - 0.0.0.0:6050:6050
--- a/pillar/logstash/manager.sls
+++ b/pillar/logstash/manager.sls
@@ -1,7 +1,9 @@
+{%- set PIPELINE = salt['pillar.get']('global:pipeline', 'redis') %}
 logstash:
  pipelines:
-    master:
+    manager:
      config:
        - so/0009_input_beats.conf      
        - so/0010_input_hhbeats.conf
        - so/9999_output_redis.conf.jinja
+        
--- a/pillar/logstash/search.sls
+++ b/pillar/logstash/search.sls
@@ -1,3 +1,4 @@
+{%- set PIPELINE = salt['pillar.get']('global:pipeline', 'minio') %}
 logstash:
  pipelines:
    search:
@@ -11,6 +12,3 @@ logstash:
        - so/9500_output_beats.conf.jinja
        - so/9600_output_ossec.conf.jinja
        - so/9700_output_strelka.conf.jinja
-  templates:
-    - so/so-common-template.json
-    - so/so-zeek-template.json
--- a/pillar/top.sls
+++ b/pillar/top.sls
@@ -2,77 +2,88 @@ base:
  '*':
    - patch.needs_restarting

-  '*_eval or *_helix or *_heavynode or *_sensor or *_standalone':
+  '*_eval or *_helix or *_heavynode or *_sensor or *_standalone or *_import':
    - match: compound
    - zeek

-  '*_mastersearch or *_heavynode':
+  '*_managersearch or *_heavynode':
    - match: compound
    - logstash
-    - logstash.master
+    - logstash.manager
    - logstash.search
+    - elasticsearch.search

  '*_sensor':
-    - static
-    - brologs
+    - global
+    - zeeklogs
    - healthcheck.sensor
    - minions.{{ grains.id }}

-  '*_master or *_mastersearch':
+  '*_manager or *_managersearch':
    - match: compound
-    - static
+    - global
    - data.*
    - secrets
    - minions.{{ grains.id }}

-  '*_master':
+  '*_manager':
    - logstash
-    - logstash.master
+    - logstash.manager

  '*_eval':
-    - static
    - data.*
-    - brologs
+    - zeeklogs
    - secrets
    - healthcheck.eval
+    - elasticsearch.eval
+    - global
    - minions.{{ grains.id }}

  '*_standalone':
    - logstash
-    - logstash.master
+    - logstash.manager
    - logstash.search
+    - elasticsearch.search
    - data.*
-    - brologs
+    - zeeklogs
    - secrets
    - healthcheck.standalone
-    - static
+    - global
    - minions.{{ grains.id }}

  '*_node':
-    - static
+    - global
    - minions.{{ grains.id }}

  '*_heavynode':
-    - static
-    - brologs
+    - global
+    - zeeklogs
    - minions.{{ grains.id }}

  '*_helix':
-    - static
+    - global
    - fireeye
-    - brologs
+    - zeeklogs
    - logstash
    - logstash.helix
    - minions.{{ grains.id }}

  '*_fleet':
-    - static
+    - global
    - data.*
    - secrets
    - minions.{{ grains.id }}

  '*_searchnode':
-    - static
+    - global
    - logstash
    - logstash.search
+    - elasticsearch.search
+    - minions.{{ grains.id }}
+
+  '*_import':
+    - zeeklogs
+    - secrets
+    - elasticsearch.eval
+    - global
    - minions.{{ grains.id }}
--- a/pillar/zeeklogs.sls
+++ b/pillar/zeeklogs.sls
@@ -1,4 +1,4 @@
-brologs:
+zeeklogs:
  enabled:
    - conn
    - dce_rpc
--- a/salt/_modules/healthcheck.py
+++ b/salt/_modules/healthcheck.py
@@ -2,6 +2,8 @@

 import logging
 import sys
+from time import time
+from os.path import getsize

 allowed_functions = ['is_enabled', 'zeek']
 states_to_apply = []
@@ -85,7 +87,20 @@ def zeek():
  else:
    zeek_restart = 0

-  __salt__['telegraf.send']('healthcheck zeek_restart=%i' % zeek_restart)
+  #__salt__['telegraf.send']('healthcheck zeek_restart=%i' % zeek_restart)
+  # write out to file in /nsm/zeek/logs/ for telegraf to read for zeek restart
+  try:
+    if getsize("/nsm/zeek/logs/zeek_restart.log") >= 1000000:
+      openmethod = "w"
+    else:
+      openmethod = "a"
+  except FileNotFoundError:
+    openmethod = "a"
+
+  influxtime = int(time() * 1000000000)
+  with open("/nsm/zeek/logs/zeek_restart.log", openmethod) as f:
+    f.write('healthcheck zeek_restart=%i %i\n' % (zeek_restart, influxtime))
+

  if calling_func == 'execute' and zeek_restart:
    apply_states()
--- a/salt/_modules/so.py
+++ b/salt/_modules/so.py
@@ -0,0 +1,4 @@
+#!py
+
+def status():
+  return __salt__['cmd.run']('/sbin/so-status')
--- a/salt/_modules/telegraf.py
+++ b/salt/_modules/telegraf.py
@@ -6,7 +6,7 @@ import socket

 def send(data):

-  mainint = __salt__['pillar.get']('sensor:mainint', __salt__['pillar.get']('master:mainint'))
+  mainint = __salt__['pillar.get']('sensor:mainint', __salt__['pillar.get']('manager:mainint'))
  mainip = __salt__['grains.get']('ip_interfaces').get(mainint)[0]
  dstport = 8094

--- a/salt/airgap/files/yum.conf
+++ b/salt/airgap/files/yum.conf
@@ -0,0 +1,12 @@
+[main]
+cachedir=/var/cache/yum/$basearch/$releasever
+keepcache=0
+debuglevel=2
+logfile=/var/log/yum.log
+exactarch=1
+obsoletes=1
+gpgcheck=1
+plugins=1
+installonly_limit=2
+bugtracker_url=http://bugs.centos.org/set_project.php?project_id=23&ref=http://bugs.centos.org/bug_report_page.php?category=yum
+distroverpkg=centos-release
--- a/salt/airgap/init.sls
+++ b/salt/airgap/init.sls
@@ -0,0 +1,60 @@
+{% set MANAGER = salt['grains.get']('master') %}
+airgapyum:
+  file.managed:
+    - name: /etc/yum/yum.conf
+    - source: salt://airgap/files/yum.conf
+
+airgap_repo:
+  pkgrepo.managed:
+    - humanname: Airgap Repo
+    - baseurl: https://{{ MANAGER }}/repo
+    - gpgcheck: 0
+    - sslverify: 0
+
+agbase:
+  file.absent:
+    - name: /etc/yum.repos.d/CentOS-Base.repo
+
+agcr:
+  file.absent:
+    - name: /etc/yum.repos.d/CentOS-CR.repo
+
+agdebug:
+  file.absent:
+    - name: /etc/yum.repos.d/CentOS-Debuginfo.repo
+
+agfasttrack:
+  file.absent:
+    - name: /etc/yum.repos.d/CentOS-fasttrack.repo
+
+agmedia:
+  file.absent:
+    - name: /etc/yum.repos.d/CentOS-Media.repo
+
+agsources:
+  file.absent:
+    - name: /etc/yum.repos.d/CentOS-Sources.repo
+
+agvault:
+  file.absent:
+    - name: /etc/yum.repos.d/CentOS-Vault.repo
+
+agkernel:
+  file.absent:
+    - name: /etc/yum.repos.d/CentOS-x86_64-kernel.repo
+
+agepel:
+  file.absent:
+    - name: /etc/yum.repos.d/epel.repo
+
+agtesting:
+  file.absent:
+    - name: /etc/yum.repos.d/epel-testing.repo
+
+agssrepo:
+  file.absent:
+    - name: /etc/yum.repos.d/saltstack.repo
+
+agwazrepo:
+  file.absent:
+    - name: /etc/yum.repos.d/wazuh.repo
--- a/salt/ca/files/signing_policies.conf
+++ b/salt/ca/files/signing_policies.conf
@@ -26,7 +26,7 @@ x509_signing_policies:
    - extendedKeyUsage: serverAuth
    - days_valid: 820
    - copypath: /etc/pki/issued_certs/
-  masterssl:
+  managerssl:
    - minions: '*'
    - signing_private_key: /etc/pki/ca.key
    - signing_cert: /etc/pki/ca.crt
--- a/salt/ca/init.sls
+++ b/salt/ca/init.sls
@@ -1,4 +1,9 @@
-{% set master = salt['grains.get']('master') %}
+{% set show_top = salt['state.show_top']() %}
+{% set top_states = show_top.values() | join(', ') %}
+
+{% if 'ca' in top_states %}
+
+{% set manager = salt['grains.get']('master') %}
 /etc/salt/minion.d/signing_policies.conf:
  file.managed:
    - source: salt://ca/files/signing_policies.conf
@@ -10,17 +15,21 @@
  file.directory: []

 pki_private_key:
-    x509.private_key_managed:
-        - name: /etc/pki/ca.key
-        - bits: 4096
-        - passphrase:
-        - cipher: aes_256_cbc
-        - backup: True
+  x509.private_key_managed:
+    - name: /etc/pki/ca.key
+    - bits: 4096
+    - passphrase:
+    - cipher: aes_256_cbc
+    - backup: True
+    {% if salt['file.file_exists']('/etc/pki/ca.key') -%}
+    - prereq:
+      - x509: /etc/pki/ca.crt
+    {%- endif %}

 /etc/pki/ca.crt:
  x509.certificate_managed:
    - signing_private_key: /etc/pki/ca.key
-    - CN: {{ master }}
+    - CN: {{ manager }}
    - C: US
    - ST: Utah
    - L: Salt Lake City
@@ -32,15 +41,27 @@ pki_private_key:
    - days_valid: 3650
    - days_remaining: 0
    - backup: True
-    - managed_private_key:
-        name: /etc/pki/ca.key
-        bits: 4096
-        backup: True
+    - replace: False
    - require:
      - file: /etc/pki

-send_x509_pem_entries_to_mine:
+x509_pem_entries:
  module.run:
    - mine.send:
-      - func: x509.get_pem_entries
-      - glob_path: /etc/pki/ca.crt
+       - name: x509.get_pem_entries
+       - glob_path: /etc/pki/ca.crt
+
+cakeyperms:
+  file.managed:
+    - replace: False
+    - name: /etc/pki/ca.key
+    - mode: 640
+    - group: 939
+
+{% else %}
+
+ca_state_not_allowed:
+  test.fail_without_changes:
+    - name: ca_state_not_allowed
+
+{% endif %}
--- a/salt/common/cron/sensor-rotate
+++ b/salt/common/cron/sensor-rotate
@@ -0,0 +1,2 @@
+#!/bin/bash
+/usr/sbin/logrotate -f /opt/so/conf/sensor-rotate.conf > /dev/null 2>&1
--- a/salt/common/files/sensor-rotate.conf
+++ b/salt/common/files/sensor-rotate.conf
@@ -0,0 +1,10 @@
+/opt/so/log/sensor_clean.log
+{
+    daily
+    rotate 2
+    missingok
+    nocompress
+    create
+    sharedscripts
+    endscript
+}
--- a/salt/common/init.sls
+++ b/salt/common/init.sls
@@ -1,3 +1,15 @@
+{% set show_top = salt['state.show_top']() %}
+{% set top_states = show_top.values() | join(', ') %}
+
+{% if 'common' in top_states %}
+
+{% set role = grains.id.split('_') | last %}
+
+# Remove variables.txt from /tmp - This is temp
+rmvariablesfile:
+  file.absent:
+    - name: /tmp/variables.txt
+
 # Add socore Group
 socoregroup:
  group.present:
@@ -13,6 +25,20 @@ socore:
    - createhome: True
    - shell: /bin/bash

+soconfperms:
+  file.directory:
+    - name: /opt/so/conf
+    - uid: 939
+    - gid: 939
+    - dir_mode: 770
+
+sosaltstackperms:
+  file.directory:
+    - name: /opt/so/saltstack
+    - uid: 939
+    - gid: 939
+    - dir_mode: 770
+
 # Create a state directory
 statedir:
  file.directory:
@@ -67,7 +93,7 @@ heldpackages:
  pkg.installed:
    - pkgs:
      - containerd.io: 1.2.13-2
-      - docker-ce: 5:19.03.9~3-0~ubuntu-bionic
+      - docker-ce: 5:19.03.12~3-0~ubuntu-bionic
    - hold: True
    - update_holds: True

@@ -103,7 +129,7 @@ heldpackages:
  pkg.installed:
    - pkgs:
      - containerd.io: 1.2.13-3.2.el7
-      - docker-ce: 3:19.03.11-3.el7
+      - docker-ce: 3:19.03.12-3.el7
    - hold: True
    - update_holds: True
 {% endif %}
@@ -131,3 +157,50 @@ utilsyncscripts:
    - file_mode: 755
    - template: jinja
    - source: salt://common/tools/sbin
+
+{% if role in ['eval', 'standalone', 'sensor', 'heavynode'] %}
+# Add sensor cleanup
+/usr/sbin/so-sensor-clean:
+  cron.present:
+    - user: root
+    - minute: '*'
+    - hour: '*'
+    - daymonth: '*'
+    - month: '*'
+    - dayweek: '*'
+
+sensorrotatescript:
+  file.managed:
+    - name: /usr/local/bin/sensor-rotate
+    - source: salt://common/cron/sensor-rotate
+    - mode: 755
+
+sensorrotateconf:
+  file.managed:
+    - name: /opt/so/conf/sensor-rotate.conf
+    - source: salt://common/files/sensor-rotate.conf
+    - mode: 644
+
+/usr/local/bin/sensor-rotate:
+  cron.present:
+    - user: root
+    - minute: '1'
+    - hour: '0'
+    - daymonth: '*'
+    - month: '*'
+    - dayweek: '*'
+
+{% endif %}
+
+# Make sure Docker is always running
+docker:
+  service.running:
+    - enable: True
+
+{% else %}
+
+common_state_not_allowed:
+  test.fail_without_changes:
+    - name: common_state_not_allowed
+
+{% endif %}
--- a/salt/common/maps/eval.map.jinja
+++ b/salt/common/maps/eval.map.jinja
@@ -14,6 +14,7 @@
    'so-zeek',
    'so-curator',
    'so-elastalert',
-    'so-soctopus'
+    'so-soctopus',
+    'so-sensoroni'
  ]
 } %}
--- a/salt/common/maps/fleet_manager.map.jinja
+++ b/salt/common/maps/fleet_manager.map.jinja
--- a/salt/common/maps/heavynode.map.jinja
+++ b/salt/common/maps/heavynode.map.jinja
@@ -9,6 +9,7 @@
    'so-steno',
    'so-suricata',
    'so-wazuh',
-    'so-filebeat
+    'so-filebeat',
+    'so-sensoroni'
  ]
 } %}
--- a/salt/common/maps/import.map.jinja
+++ b/salt/common/maps/import.map.jinja
@@ -0,0 +1,10 @@
+{% set docker = {
+  'containers': [
+    'so-filebeat',
+    'so-nginx',
+    'so-soc',
+    'so-kratos',
+    'so-elasticsearch',
+    'so-kibana'
+  ]
+} %}
--- a/salt/common/maps/manager.map.jinja
+++ b/salt/common/maps/manager.map.jinja
--- a/salt/common/maps/managersearch.map.jinja
+++ b/salt/common/maps/managersearch.map.jinja
--- a/salt/common/maps/broversion.map.jinja
+++ b/salt/common/maps/broversion.map.jinja
--- a/salt/common/maps/playbook.map.jinja
+++ b/salt/common/maps/playbook.map.jinja
@@ -1,6 +1,5 @@
 {% set docker = {
  'containers': [
-    'so-playbook',
-    'so-navigator'
+    'so-playbook'
  ]
 } %}
--- a/salt/common/maps/sensor.map.jinja
+++ b/salt/common/maps/sensor.map.jinja
@@ -3,6 +3,7 @@
    'so-telegraf',
    'so-steno',
    'so-suricata',
-    'so-filebeat'
+    'so-filebeat',
+    'so-sensoroni'
  ]
 } %}
--- a/salt/common/maps/so-status.map.jinja
+++ b/salt/common/maps/so-status.map.jinja
@@ -5,6 +5,9 @@
 # to the list predefined by the role / minion id affix
 {% macro append_containers(pillar_name, k, compare )%}
  {% if salt['pillar.get'](pillar_name~':'~k, {}) != compare %}
+    {% if k == 'enabled' %}
+      {% set k = pillar_name %}
+    {% endif %}
    {% from 'common/maps/'~k~'.map.jinja' import docker as d with context %}
    {% for li in d['containers'] %}
      {{ docker['containers'].append(li) }}
@@ -18,28 +21,28 @@
  } 
 },grain='id', merge=salt['pillar.get']('docker')) %}

-{% if role in ['eval', 'mastersearch', 'master', 'standalone'] %}
-  {{ append_containers('master', 'grafana', 0) }}
-  {{ append_containers('static', 'fleet_master', 0) }}
-  {{ append_containers('master', 'wazuh', 0) }}
-  {{ append_containers('master', 'thehive', 0) }}
-  {{ append_containers('master', 'playbook', 0) }}
-  {{ append_containers('master', 'freq', 0) }}
-  {{ append_containers('master', 'domainstats', 0) }}
+{% if role in ['eval', 'managersearch', 'manager', 'standalone'] %}
+  {{ append_containers('manager', 'grafana', 0) }}
+  {{ append_containers('global', 'fleet_manager', 0) }}
+  {{ append_containers('global', 'wazuh', 0) }}
+  {{ append_containers('manager', 'thehive', 0) }}
+  {{ append_containers('manager', 'playbook', 0) }}
+  {{ append_containers('manager', 'freq', 0) }}
+  {{ append_containers('manager', 'domainstats', 0) }}
 {% endif %}

 {% if role in ['eval', 'heavynode', 'sensor', 'standalone'] %}
-  {{ append_containers('static', 'strelka', 0) }}
+  {{ append_containers('strelka', 'enabled', 0) }}
 {% endif %}

 {% if role in ['heavynode', 'standalone'] %}
-  {{ append_containers('static', 'broversion', 'SURICATA') }}
+  {{ append_containers('global', 'mdengine', 'SURICATA') }}
 {% endif %}

 {% if role == 'searchnode' %}
-  {{ append_containers('master', 'wazuh', 0) }}
+  {{ append_containers('manager', 'wazuh', 0) }}
 {% endif %}

 {% if role == 'sensor' %}
-  {{ append_containers('static', 'broversion', 'SURICATA') }}
+  {{ append_containers('global', 'mdengine', 'SURICATA') }}
 {% endif %}
--- a/salt/common/maps/standalone.map.jinja
+++ b/salt/common/maps/standalone.map.jinja
@@ -16,6 +16,7 @@
    'so-suricata',
    'so-steno',
    'so-dockerregistry',
-    'so-soctopus'
+    'so-soctopus',
+    'so-sensoroni'
  ]
 } %}
--- a/salt/common/tools/sbin/so-allow
+++ b/salt/common/tools/sbin/so-allow
@@ -17,15 +17,37 @@

 . /usr/sbin/so-common

-default_salt_dir=/opt/so/saltstack/default
 local_salt_dir=/opt/so/saltstack/local

 SKIP=0

-while getopts "abowi:" OPTION
+function usage {
+
+cat << EOF
+
+Usage: $0 [-abefhoprsw] [ -i IP ]
+
+This program allows you to add a firewall rule to allow connections from a new IP address or CIDR range.
+
+If you run this program with no arguments, it will present a menu for you to choose your options.
+
+If you want to automate and skip the menu, you can pass the desired options as command line arguments.
+
+EXAMPLES
+
+To add 10.1.2.3 to the analyst role:
+so-allow -a -i 10.1.2.3
+
+To add 10.1.2.0/24 to the osquery role:
+so-allow -o -i 10.1.2.0/24
+
+EOF
+
+}
+
+while getopts "ahfesprbowi:" OPTION
 do
    case $OPTION in
-
        h)
            usage
            exit 0
@@ -38,6 +60,14 @@ do
            FULLROLE="beats_endpoint"
            SKIP=1
            ;;
+	e)
+            FULLROLE="elasticsearch_rest"
+            SKIP=1
+            ;;
+        f)
+	    FULLROLE="strelka_frontend"
+            SKIP=1
+            ;;
        i)  IP=$OPTARG
            ;;
        o)
@@ -60,7 +90,10 @@ do
            FULLROLE="wazuh_authd"
            SKIP=1
            ;;
-
+        *)
+            usage
+            exit 0
+            ;;
    esac
 done

@@ -72,20 +105,27 @@ if [ "$SKIP" -eq 0 ]; then
    echo ""
    echo "[a] - Analyst - ports 80/tcp and 443/tcp"
    echo "[b] - Logstash Beat - port 5044/tcp"
+    echo "[e] - Elasticsearch REST API - port 9200/tcp"
+    echo "[f] - Strelka frontend - port 57314/tcp"
    echo "[o] - Osquery endpoint - port 8090/tcp"
    echo "[s] - Syslog device - 514/tcp/udp"
    echo "[w] - Wazuh agent - port 1514/tcp/udp"
    echo "[p] - Wazuh API - port 55000/tcp"
    echo "[r] - Wazuh registration service - 1515/tcp"
-    echo "Please enter your selection (a - analyst, b - beats, o - osquery, w - wazuh):"
-    read ROLE
+    echo ""
+    echo "Please enter your selection:"
+    read -r ROLE
    echo "Enter a single ip address or range to allow (example: 10.10.10.10 or 10.10.0.0/16):"
-    read IP
+    read -r IP

    if [ "$ROLE" == "a" ]; then
        FULLROLE=analyst
    elif [ "$ROLE" == "b" ]; then
        FULLROLE=beats_endpoint
+    elif [ "$ROLE" == "e" ]; then
+        FULLROLE=elasticsearch_rest
+    elif [ "$ROLE" == "f" ]; then
+        FULLROLE=strelka_frontend
    elif [ "$ROLE" == "o" ]; then
        FULLROLE=osquery_endpoint
    elif [ "$ROLE" == "w" ]; then
@@ -111,16 +151,16 @@ salt-call state.apply firewall queue=True
 if grep -q -R "wazuh: 1" $local_salt_dir/pillar/*; then
    # If analyst, add to Wazuh AR whitelist
    if [ "$FULLROLE" == "analyst" ]; then
-          WAZUH_MGR_CFG="/opt/so/wazuh/etc/ossec.conf"
-          if ! grep -q "<white_list>$IP</white_list>" $WAZUH_MGR_CFG ; then
-                  DATE=`date`
-                  sed -i 's/<\/ossec_config>//' $WAZUH_MGR_CFG
-                  sed -i '/^$/N;/^\n$/D' $WAZUH_MGR_CFG
-                  echo -e "<!--Address $IP added by /usr/sbin/so-allow on "$DATE"-->\n  <global>\n    <white_list>$IP</white_list>\n  </global>\n</ossec_config>" >> $WAZUH_MGR_CFG
-                  echo "Added whitelist entry for $IP in $WAZUH_MGR_CFG."
-		  echo
-                  echo "Restarting OSSEC Server..."
-                  /usr/sbin/so-wazuh-restart
-          fi
-     fi
+        WAZUH_MGR_CFG="/nsm/wazuh/etc/ossec.conf"
+        if ! grep -q "<white_list>$IP</white_list>" $WAZUH_MGR_CFG ; then
+            DATE=$(date)
+            sed -i 's/<\/ossec_config>//' $WAZUH_MGR_CFG
+            sed -i '/^$/N;/^\n$/D' $WAZUH_MGR_CFG
+            echo -e "<!--Address $IP added by /usr/sbin/so-allow on \"$DATE\"-->\n  <global>\n    <white_list>$IP</white_list>\n  </global>\n</ossec_config>" >> $WAZUH_MGR_CFG
+            echo "Added whitelist entry for $IP in $WAZUH_MGR_CFG."
+        echo
+            echo "Restarting OSSEC Server..."
+            /usr/sbin/so-wazuh-restart
+        fi
+    fi
 fi
--- a/salt/common/tools/sbin/so-common
+++ b/salt/common/tools/sbin/so-common
@@ -15,16 +15,33 @@
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.

+IMAGEREPO=securityonion
+
 # Check for prerequisites
 if [ "$(id -u)" -ne 0 ]; then
-        echo "This script must be run using sudo!"
-        exit 1
+    echo "This script must be run using sudo!"
+    exit 1
 fi

 # Define a banner to separate sections
 banner="========================================================================="

 header() {
-        echo
-        printf '%s\n' "$banner" "$*" "$banner"
+	echo
+    printf '%s\n' "$banner" "$*" "$banner"
+}
+
+lookup_pillar() {
+    key=$1
+    cat /opt/so/saltstack/local/pillar/global.sls | grep $key | awk '{print $2}'
+}
+
+lookup_pillar_secret() {
+    key=$1
+    cat /opt/so/saltstack/local/pillar/secrets.sls | grep $key | awk '{print $2}'
+}
+
+check_container() {
+	docker ps | grep "$1:" > /dev/null 2>&1
+	return $?
 }
--- a/salt/common/tools/sbin/so-cortex-user-add
+++ b/salt/common/tools/sbin/so-cortex-user-add
@@ -0,0 +1,54 @@
+#!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+usage() {
+    echo "Usage: $0 <new-user-name>"
+    echo ""
+    echo "Adds a new user to Cortex. The new password will be read from STDIN."
+    exit 1
+}
+
+if [ $# -ne 1 ]; then
+  usage
+fi
+
+USER=$1
+
+CORTEX_KEY=$(lookup_pillar cortexkey)
+CORTEX_IP=$(lookup_pillar managerip)
+CORTEX_ORG_NAME=$(lookup_pillar cortexorgname)
+CORTEX_USER=$USER
+
+# Read password for new user from stdin
+test -t 0
+if [[ $? == 0 ]]; then
+  echo "Enter new password:"
+fi
+read -s CORTEX_PASS
+
+# Create new user in Cortex
+resp=$(curl -sk -XPOST -H "Authorization: Bearer $CORTEX_KEY" -H "Content-Type: application/json" "https://$CORTEX_IP/cortex/api/user" -d "{\"name\": \"$CORTEX_USER\",\"roles\": [\"read\",\"analyze\",\"orgadmin\"],\"organization\": \"$CORTEX_ORG_NAME\",\"login\": \"$CORTEX_USER\",\"password\" : \"$CORTEX_PASS\" }")
+if [[ "$resp" =~ \"status\":\"Ok\" ]]; then
+    echo "Successfully added user to Cortex."
+else
+    echo "Unable to add user to Cortex; user might already exist."
+    echo $resp
+    exit 2
+fi
+    
--- a/salt/common/tools/sbin/so-cortex-user-enable
+++ b/salt/common/tools/sbin/so-cortex-user-enable
@@ -0,0 +1,57 @@
+#!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+usage() {
+    echo "Usage: $0 <user-name> <true|false>"
+    echo ""
+    echo "Enables or disables a user in Cortex."
+    exit 1
+}
+
+if [ $# -ne 2 ]; then
+  usage
+fi
+
+USER=$1
+
+CORTEX_KEY=$(lookup_pillar cortexkey)
+CORTEX_IP=$(lookup_pillar managerip)
+CORTEX_USER=$USER
+
+case "${2^^}" in
+	FALSE | NO | 0)
+		CORTEX_STATUS=Locked
+		;;
+	TRUE | YES | 1)
+		CORTEX_STATUS=Ok
+		;;
+	*)
+		usage
+		;;
+esac
+
+resp=$(curl -sk -XPATCH -H "Authorization: Bearer $CORTEX_KEY" -H "Content-Type: application/json" "https://$CORTEX_IP/cortex/api/user/${CORTEX_USER}" -d "{\"status\":\"${CORTEX_STATUS}\" }")
+if [[ "$resp" =~ \"status\":\"Locked\" || "$resp" =~ \"status\":\"Ok\" ]]; then
+    echo "Successfully updated user in Cortex."
+else
+    echo "Failed to update user in Cortex."
+    echo $resp
+    exit 2
+fi
+    
--- a/salt/common/tools/sbin/so-docker-refresh
+++ b/salt/common/tools/sbin/so-docker-refresh
@@ -14,20 +14,16 @@
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
-got_root(){
-    if [ "$(id -u)" -ne 0 ]; then
-        echo "This script must be run using sudo!"
-        exit 1
-    fi
-}

-master_check() {
-  # Check to see if this is a master
-  MASTERCHECK=$(cat /etc/salt/grains | grep role | awk '{print $2}')
-  if [ $MASTERCHECK == 'so-eval' ] || [ $MASTERCHECK == 'so-master' ] || [ $MASTERCHECK == 'so-mastersearch' ] || [ $MASTERCHECK == 'so-standalone' ] || [ $MASTERCHECK == 'so-helix' ]; then
-    echo "This is a master. We can proceed"
+. /usr/sbin/so-common
+
+manager_check() {
+  # Check to see if this is a manager
+  MANAGERCHECK=$(cat /etc/salt/grains | grep role | awk '{print $2}')
+  if [ $MANAGERCHECK == 'so-eval' ] || [ $MANAGERCHECK == 'so-manager' ] || [ $MANAGERCHECK == 'so-managersearch' ] || [ $MANAGERCHECK == 'so-standalone' ] || [ $MANAGERCHECK == 'so-helix' ]; then
+    echo "This is a manager. We can proceed"
  else
-    echo "Please run soup on the master. The master controls all updates."
+    echo "Please run soup on the manager. The manager controls all updates."
    exit 1
  fi
 }
@@ -39,10 +35,10 @@ update_docker_containers() {
  do
    # Pull down the trusted docker image
    echo "Downloading $i"
-    docker pull --disable-content-trust=false docker.io/soshybridhunter/$i
+    docker pull --disable-content-trust=false docker.io/$IMAGEREPO/$i
    # Tag it with the new registry destination
-    docker tag soshybridhunter/$i $HOSTNAME:5000/soshybridhunter/$i
-    docker push $HOSTNAME:5000/soshybridhunter/$i
+    docker tag $IMAGEREPO/$i $HOSTNAME:5000/$IMAGEREPO/$i
+    docker push $HOSTNAME:5000/$IMAGEREPO/$i
  done
  
 }
@@ -55,58 +51,61 @@ version_check() {
    exit 1
  fi
 }
-got_root
-master_check
+
+manager_check
 version_check

 # Use the hostname
 HOSTNAME=$(hostname)
-BUILD=HH
 # List all the containers
-if [ $MASTERCHECK != 'so-helix' ]; then
+if [ $MANAGERCHECK != 'so-helix' ]; then
    TRUSTED_CONTAINERS=( \
-    "so-acng:$BUILD$VERSION" \
-    "so-thehive-cortex:$BUILD$VERSION" \
-    "so-curator:$BUILD$VERSION" \
-    "so-domainstats:$BUILD$VERSION" \
-    "so-elastalert:$BUILD$VERSION" \
-    "so-elasticsearch:$BUILD$VERSION" \
-    "so-filebeat:$BUILD$VERSION" \
-    "so-fleet:$BUILD$VERSION" \
-    "so-fleet-launcher:$BUILD$VERSION" \
-    "so-freqserver:$BUILD$VERSION" \
-    "so-grafana:$BUILD$VERSION" \
-    "so-idstools:$BUILD$VERSION" \
-    "so-influxdb:$BUILD$VERSION" \
-    "so-kibana:$BUILD$VERSION" \
-    "so-kratos:$BUILD$VERSION" \
-    "so-logstash:$BUILD$VERSION" \
-    "so-mysql:$BUILD$VERSION" \
-    "so-navigator:$BUILD$VERSION" \
-    "so-nginx:$BUILD$VERSION" \
-    "so-playbook:$BUILD$VERSION" \
-    "so-redis:$BUILD$VERSION" \
-    "so-soc:$BUILD$VERSION" \
-    "so-soctopus:$BUILD$VERSION" \
-    "so-steno:$BUILD$VERSION" \
-    "so-strelka:$BUILD$VERSION" \
-    "so-suricata:$BUILD$VERSION" \
-    "so-telegraf:$BUILD$VERSION" \
-    "so-thehive:$BUILD$VERSION" \
-    "so-thehive-es:$BUILD$VERSION" \
-    "so-wazuh:$BUILD$VERSION" \
-    "so-zeek:$BUILD$VERSION" )
+    "so-acng:$VERSION" \
+    "so-thehive-cortex:$VERSION" \
+    "so-curator:$VERSION" \
+    "so-domainstats:$VERSION" \
+    "so-elastalert:$VERSION" \
+    "so-elasticsearch:$VERSION" \
+    "so-filebeat:$VERSION" \
+    "so-fleet:$VERSION" \
+    "so-fleet-launcher:$VERSION" \
+    "so-freqserver:$VERSION" \
+    "so-grafana:$VERSION" \
+    "so-idstools:$VERSION" \
+    "so-influxdb:$VERSION" \
+    "so-kibana:$VERSION" \
+    "so-kratos:$VERSION" \
+    "so-logstash:$VERSION" \
+    "so-minio:$VERSION" \
+    "so-mysql:$VERSION" \
+    "so-nginx:$VERSION" \
+    "so-pcaptools:$VERSION" \
+    "so-playbook:$VERSION" \
+    "so-redis:$VERSION" \
+    "so-soc:$VERSION" \
+    "so-soctopus:$VERSION" \
+    "so-steno:$VERSION" \
+    "so-strelka-frontend:$VERSION" \
+		"so-strelka-manager:$VERSION" \
+		"so-strelka-backend:$VERSION" \
+		"so-strelka-filestream:$VERSION" \
+    "so-suricata:$VERSION" \
+    "so-telegraf:$VERSION" \
+    "so-thehive:$VERSION" \
+    "so-thehive-es:$VERSION" \
+    "so-wazuh:$VERSION" \
+    "so-zeek:$VERSION" )
  else
    TRUSTED_CONTAINERS=( \
-    "so-filebeat:$BUILD$VERSION" \
-    "so-idstools:$BUILD$VERSION" \
-    "so-logstash:$BUILD$VERSION" \
-    "so-nginx:$BUILD$VERSION" \
-    "so-redis:$BUILD$VERSION" \
-    "so-steno:$BUILD$VERSION" \
-    "so-suricata:$BUILD$VERSION" \
-    "so-telegraf:$BUILD$VERSION" \
-    "so-zeek:$BUILD$VERSION" )
+    "so-filebeat:$VERSION" \
+    "so-idstools:$VERSION" \
+    "so-logstash:$VERSION" \
+    "so-nginx:$VERSION" \
+    "so-redis:$VERSION" \
+    "so-steno:$VERSION" \
+    "so-suricata:$VERSION" \
+    "so-telegraf:$VERSION" \
+    "so-zeek:$VERSION" )
  fi

 update_docker_containers
--- a/salt/common/tools/sbin/so-elastalert-create
+++ b/salt/common/tools/sbin/so-elastalert-create
@@ -198,7 +198,7 @@ EOF
 read alertoption

    if [ $alertoption = "1" ] ; then
-        echo "Please enter the email address you want to send the alerts to.  Note: Ensure the Master Server is configured for SMTP."
+        echo "Please enter the email address you want to send the alerts to.  Note: Ensure the Manager Server is configured for SMTP."
            read emailaddress
    cat << EOF >> "$rulename.yaml"
 # (Required)
--- a/salt/common/tools/sbin/so-elastic-clear
+++ b/salt/common/tools/sbin/so-elastic-clear
@@ -14,7 +14,7 @@
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
-{%- set MASTERIP = salt['pillar.get']('static:masterip', '') -%}
+{%- set MANAGERIP = salt['pillar.get']('global:managerip', '') -%}
 . /usr/sbin/so-common

 SKIP=0
@@ -50,7 +50,7 @@ done
 if [ $SKIP -ne 1 ]; then
        # List indices
        echo 
-        curl {{ MASTERIP }}:9200/_cat/indices?v&pretty
+        curl {{ MANAGERIP }}:9200/_cat/indices?v
        echo
        # Inform user we are about to delete all data
        echo
@@ -63,18 +63,54 @@ if [ $SKIP -ne 1 ]; then
        if [ "$INPUT" != "AGREE" ] ; then exit 0; fi
 fi

-/usr/sbin/so-filebeat-stop
-/usr/sbin/so-logstash-stop
+# Check to see if Logstash/Filebeat are running
+LS_ENABLED=$(so-status | grep logstash)
+FB_ENABLED=$(so-status | grep filebeat)
+EA_ENABLED=$(so-status | grep elastalert)
+
+if [ ! -z "$FB_ENABLED" ]; then
+
+        /usr/sbin/so-filebeat-stop
+
+fi
+
+if [ ! -z "$LS_ENABLED" ]; then
+
+        /usr/sbin/so-logstash-stop
+
+fi
+
+if [ ! -z "$EA_ENABLED" ]; then
+
+        /usr/sbin/so-elastalert-stop
+
+fi

 # Delete data
 echo "Deleting data..."

-INDXS=$(curl -s -XGET {{ MASTERIP }}:9200/_cat/indices?v | egrep 'logstash|elastalert' | awk '{ print $3 }')
+INDXS=$(curl -s -XGET {{ MANAGERIP }}:9200/_cat/indices?v | egrep 'logstash|elastalert|so-' | awk '{ print $3 }')
 for INDX in ${INDXS}
 do
-    curl -XDELETE "{{ MASTERIP }}:9200/${INDX}" > /dev/null 2>&1
+    curl -XDELETE "{{ MANAGERIP }}:9200/${INDX}" > /dev/null 2>&1
 done

-/usr/sbin/so-logstash-start
-/usr/sbin/so-filebeat-start
+#Start Logstash/Filebeat
+if [ ! -z "$FB_ENABLED" ]; then
+
+        /usr/sbin/so-filebeat-start
+
+fi
+
+if [ ! -z "$LS_ENABLED" ]; then
+
+        /usr/sbin/so-logstash-start
+
+fi
+
+if [ ! -z "$EA_ENABLED" ]; then
+
+        /usr/sbin/so-elastalert-start
+
+fi

--- a/salt/common/tools/sbin/so-elastic-download
+++ b/salt/common/tools/sbin/so-elastic-download
@@ -1,44 +0,0 @@
-#!/bin/bash
-MASTER=MASTER
-VERSION="HH1.1.4"
-TRUSTED_CONTAINERS=( \
-"so-nginx:$VERSION" \
-"so-thehive-cortex:$VERSION" \
-"so-curator:$VERSION" \
-"so-domainstats:$VERSION" \
-"so-elastalert:$VERSION" \
-"so-elasticsearch:$VERSION" \
-"so-filebeat:$VERSION" \
-"so-fleet:$VERSION" \
-"so-fleet-launcher:$VERSION" \
-"so-freqserver:$VERSION" \
-"so-grafana:$VERSION" \
-"so-idstools:$VERSION" \
-"so-influxdb:$VERSION" \
-"so-kibana:$VERSION" \
-"so-logstash:$VERSION" \
-"so-mysql:$VERSION" \
-"so-navigator:$VERSION" \
-"so-playbook:$VERSION" \
-"so-redis:$VERSION" \
-"so-sensoroni:$VERSION" \
-"so-soctopus:$VERSION" \
-"so-steno:$VERSION" \
-#"so-strelka:$VERSION" \
-"so-suricata:$VERSION" \
-"so-telegraf:$VERSION" \
-"so-thehive:$VERSION" \
-"so-thehive-es:$VERSION" \
-"so-wazuh:$VERSION" \
-"so-zeek:$VERSION" )
-
-for i in "${TRUSTED_CONTAINERS[@]}"
-do
-  # Pull down the trusted docker image
-  echo "Downloading $i"
-  docker pull --disable-content-trust=false docker.io/soshybridhunter/$i
-  # Tag it with the new registry destination
-  docker tag soshybridhunter/$i $MASTER:5000/soshybridhunter/$i
-  docker push $MASTER:5000/soshybridhunter/$i
-  docker rmi soshybridhunter/$i
-done
--- a/salt/common/tools/sbin/so-elasticsearch-indices-rw
+++ b/salt/common/tools/sbin/so-elasticsearch-indices-rw
@@ -0,0 +1,26 @@
+#!/bin/bash
+#
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+IP={{ salt['grains.get']('ip_interfaces').get(salt['pillar.get']('sensor:mainint', salt['pillar.get']('manager:mainint', salt['pillar.get']('elasticsearch:mainint', salt['pillar.get']('host:mainint')))))[0] }}
+ESPORT=9200
+THEHIVEESPORT=9400
+
+echo "Removing read only attributes for indices..."
+echo
+for p in $ESPORT $THEHIVEESPORT; do
+   curl -XPUT -H "Content-Type: application/json" http://$IP:$p/_all/_settings -d '{"index.blocks.read_only_allow_delete": null}' 2>&1 | if grep -q ack; then echo "Index settings updated..."; else echo "There was any issue updating the read-only attribute.  Please ensure Elasticsearch is running.";fi;
+done
--- a/salt/common/tools/sbin/so-elasticsearch-templates
+++ b/salt/common/tools/sbin/so-elasticsearch-templates
@@ -1,4 +1,6 @@
-{% set MASTERIP = salt['pillar.get']('master:mainip', '') %}
+{%- set mainint = salt['pillar.get']('host:mainint') %}
+{%- set MYIP = salt['grains.get']('ip_interfaces:' ~ mainint)[0] %}
+
 #!/bin/bash
 # Copyright 2014,2015,2016,2017,2018,2019 Security Onion Solutions, LLC
 #
@@ -15,13 +17,13 @@
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.

-default_salt_dir=/opt/so/saltstack/default
-ELASTICSEARCH_HOST="{{ MASTERIP}}"
+default_conf_dir=/opt/so/conf
+ELASTICSEARCH_HOST="{{ MYIP }}"
 ELASTICSEARCH_PORT=9200
 #ELASTICSEARCH_AUTH=""

 # Define a default directory to load pipelines from
-ELASTICSEARCH_TEMPLATES="$default_salt_dir/salt/logstash/pipelines/templates/so/"
+ELASTICSEARCH_TEMPLATES="$default_conf_dir/elasticsearch/templates/"

 # Wait for ElasticSearch to initialize
 echo -n "Waiting for ElasticSearch..."
--- a/salt/common/tools/sbin/so-features-enable
+++ b/salt/common/tools/sbin/so-features-enable
@@ -17,9 +17,43 @@
 . /usr/sbin/so-common
 local_salt_dir=/opt/so/saltstack/local

-VERSION=$(grep soversion $local_salt_dir/pillar/static.sls | cut -d':' -f2|sed 's/ //g')
-# Modify static.sls to enable Features
-sed -i 's/features: False/features: True/' $local_salt_dir/pillar/static.sls
+cat << EOF
+This program will switch from the open source version of the Elastic Stack to the Features version licensed under the Elastic license.
+If you proceed, then we will download new Docker images and restart services.
+
+Please review the Elastic license:
+https://raw.githubusercontent.com/elastic/elasticsearch/master/licenses/ELASTIC-LICENSE.txt
+
+Please also note that, if you have a distributed deployment and continue with this change, Elastic traffic between nodes will change from encrypted to cleartext!
+(We expect to support Elastic Features Security at some point in the future.)
+
+Do you agree to the terms of the Elastic license and understand the note about encryption?
+
+If so, type AGREE to accept the Elastic license and continue.  Otherwise, just press Enter to exit this program without making any changes.
+EOF
+
+read INPUT
+if [ "$INPUT" != "AGREE" ]; then
+        exit
+fi
+
+echo "Please wait while switching to Elastic Features."
+
+manager_check() {
+  # Check to see if this is a manager
+  MANAGERCHECK=$(cat /etc/salt/grains | grep role | awk '{print $2}')
+  if [[ "$MANAGERCHECK" =~ ^('so-eval'|'so-manager'|'so-standalone'|'so-managersearch')$ ]]; then
+    echo "This is a manager. We can proceed"
+  else
+    echo "Please run so-features-enable on the manager."
+    exit 0
+  fi
+}
+
+manager_check
+VERSION=$(grep soversion $local_salt_dir/pillar/global.sls | cut -d':' -f2|sed 's/ //g')
+# Modify global.sls to enable Features
+sed -i 's/features: False/features: True/' $local_salt_dir/pillar/global.sls
 SUFFIX="-features"
 TRUSTED_CONTAINERS=( \
  "so-elasticsearch:$VERSION$SUFFIX" \
@@ -31,13 +65,8 @@ for i in "${TRUSTED_CONTAINERS[@]}"
 do
    # Pull down the trusted docker image
    echo "Downloading $i"
-    docker pull --disable-content-trust=false docker.io/soshybridhunter/$i
+    docker pull --disable-content-trust=false docker.io/$IMAGEREPO/$i
    # Tag it with the new registry destination
-    docker tag soshybridhunter/$i $HOSTNAME:5000/soshybridhunter/$i
-    docker push $HOSTNAME:5000/soshybridhunter/$i
-done
-for i in "${TRUSTED_CONTAINERS[@]}"
-do
-    echo "Removing $i locally"
-    docker rmi soshybridhunter/$i
+    docker tag $IMAGEREPO/$i $HOSTNAME:5000/$IMAGEREPO/$i
+    docker push $HOSTNAME:5000/$IMAGEREPO/$i
 done
--- a/salt/common/tools/sbin/so-fleet-setup
+++ b/salt/common/tools/sbin/so-fleet-setup
@@ -16,6 +16,7 @@ if [ ! "$(docker ps -q -f name=so-fleet)" ]; then
 fi

 docker exec so-fleet fleetctl config set --address https://localhost:8080 --tls-skip-verify --url-prefix /fleet
+docker exec -it so-fleet bash -c 'while [[ "$(curl -s -o /dev/null --insecure -w ''%{http_code}'' https://localhost:8080/fleet)" != "301" ]]; do sleep 5; done'
 docker exec so-fleet fleetctl setup --email $1 --password $2

 docker exec so-fleet fleetctl apply -f /packs/palantir/Fleet/Endpoints/MacOS/osquery.yaml
--- a/salt/common/tools/sbin/so-fleet-user-add
+++ b/salt/common/tools/sbin/so-fleet-user-add
@@ -0,0 +1,59 @@
+#!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+usage() {
+    echo "Usage: $0 <new-user-name>"
+    echo ""
+    echo "Adds a new user to Fleet. The new password will be read from STDIN."
+    exit 1
+}
+
+if [ $# -ne 1 ]; then
+  usage
+fi
+
+USER=$1
+
+MYSQL_PASS=$(lookup_pillar_secret mysql)
+FLEET_IP=$(lookup_pillar fleet_ip)
+FLEET_USER=$USER
+
+# Read password for new user from stdin
+test -t 0
+if [[ $? == 0 ]]; then
+  echo "Enter new password:"
+fi
+read -s FLEET_PASS
+
+FLEET_HASH=$(docker exec so-soctopus python -c "import bcrypt; print(bcrypt.hashpw('$FLEET_PASS'.encode('utf-8'), bcrypt.gensalt()).decode('utf-8'));" 2>&1)
+if [[ $? -ne 0 ]]; then
+	echo "Failed to generate Fleet password hash."
+	exit 2
+fi
+
+MYSQL_OUTPUT=$(docker exec so-mysql mysql -u root --password=$MYSQL_PASS fleet -e \
+    "INSERT INTO users (password,salt,username,email,admin,enabled) VALUES ('$FLEET_HASH','','$FLEET_USER','$FLEET_USER',1,1)" 2>&1)
+
+if [[ $? -eq 0 ]]; then
+    echo "Successfully added user to Fleet."
+else
+    echo "Unable to add user to Fleet; user might already exist."
+    echo $resp
+    exit 2
+fi
--- a/salt/common/tools/sbin/so-fleet-user-enable
+++ b/salt/common/tools/sbin/so-fleet-user-enable
@@ -0,0 +1,58 @@
+#!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+usage() {
+    echo "Usage: $0 <user-name>"
+    echo ""
+    echo "Enables or disables a user in Fleet."
+    exit 1
+}
+
+if [ $# -ne 2 ]; then
+  usage
+fi
+
+USER=$1
+
+MYSQL_PASS=$(lookup_pillar_secret mysql)
+FLEET_IP=$(lookup_pillar fleet_ip)
+FLEET_USER=$USER
+
+case "${2^^}" in
+    FALSE | NO | 0)
+        FLEET_STATUS=0
+        ;;
+    TRUE | YES | 1)
+        FLEET_STATUS=1
+        ;;
+    *)
+        usage
+        ;;
+esac
+
+MYSQL_OUTPUT=$(docker exec so-mysql mysql -u root --password=$MYSQL_PASS fleet -e \
+    "UPDATE users SET enabled=$FLEET_STATUS WHERE username='$FLEET_USER'" 2>&1)
+
+if [[ $? -eq 0 ]]; then
+    echo "Successfully updated user in Fleet."
+else
+    echo "Failed to update user in Fleet."
+    echo $resp
+    exit 2
+fi
--- a/salt/common/tools/sbin/so-idstools-restart
+++ b/salt/common/tools/sbin/so-idstools-restart
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-restart idstools $1
--- a/salt/common/tools/sbin/so-idstools-start
+++ b/salt/common/tools/sbin/so-idstools-start
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-start idstools $1
--- a/salt/common/tools/sbin/so-idstools-stop
+++ b/salt/common/tools/sbin/so-idstools-stop
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-stop idstools $1
--- a/salt/common/tools/sbin/so-import-pcap
+++ b/salt/common/tools/sbin/so-import-pcap
@@ -0,0 +1,223 @@
+#!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+{%- set MANAGER = salt['grains.get']('master') %}
+{%- set VERSION = salt['pillar.get']('global:soversion') %}
+{%- set IMAGEREPO = salt['pillar.get']('global:imagerepo') %}
+{%- set MANAGERIP = salt['pillar.get']('global:managerip') -%}
+{%- set URLBASE = salt['pillar.get']('global:url_base') %}
+
+. /usr/sbin/so-common
+
+function usage {
+  cat << EOF
+Usage: $0 <pcap-file-1> [pcap-file-2] [pcap-file-N]
+
+Imports one or more PCAP files onto a sensor node. The PCAP traffic will be analyzed and
+made available for review in the Security Onion toolset.
+EOF
+}
+
+function pcapinfo() {
+  PCAP=$1
+  ARGS=$2
+  docker run --rm -v "$PCAP:/input.pcap" --entrypoint capinfos {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-pcaptools:{{ VERSION }} /input.pcap $ARGS
+}
+
+function pcapfix() {
+  PCAP=$1
+  PCAP_OUT=$2
+  docker run --rm -v "$PCAP:/input.pcap" -v $PCAP_OUT:$PCAP_OUT --entrypoint pcapfix {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-pcaptools:{{ VERSION }} /input.pcap -o $PCAP_OUT > /dev/null 2>&1
+}
+
+function suricata() {
+  PCAP=$1
+  HASH=$2
+
+  NSM_PATH=/nsm/import/${HASH}/suricata
+  mkdir -p $NSM_PATH
+  chown suricata:socore $NSM_PATH
+  LOG_PATH=/opt/so/log/suricata/import/${HASH}
+  mkdir -p $LOG_PATH
+  chown suricata:suricata $LOG_PATH
+  docker run --rm \
+    -v /opt/so/conf/suricata/suricata.yaml:/etc/suricata/suricata.yaml:ro \
+    -v /opt/so/conf/suricata/threshold.conf:/etc/suricata/threshold.conf:ro \
+    -v /opt/so/conf/suricata/rules:/etc/suricata/rules:ro \
+    -v ${LOG_PATH}:/var/log/suricata/:rw \
+    -v ${NSM_PATH}/:/nsm/:rw \
+    -v "$PCAP:/input.pcap:ro" \
+    -v /opt/so/conf/suricata/bpf:/etc/suricata/bpf:ro \
+    {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-suricata:{{ VERSION }} \
+    --runmode single -k none -r /input.pcap > $LOG_PATH/console.log 2>&1
+}
+
+function zeek() {
+  PCAP=$1
+  HASH=$2
+
+  NSM_PATH=/nsm/import/${HASH}/zeek
+  mkdir -p $NSM_PATH/logs
+  mkdir -p $NSM_PATH/extracted
+  mkdir -p $NSM_PATH/spool
+  chown -R zeek:socore $NSM_PATH
+  docker run --rm \
+    -v $NSM_PATH/logs:/nsm/zeek/logs:rw \
+    -v $NSM_PATH/spool:/nsm/zeek/spool:rw \
+    -v $NSM_PATH/extracted:/nsm/zeek/extracted:rw \
+    -v "$PCAP:/input.pcap:ro" \
+    -v /opt/so/conf/zeek/local.zeek:/opt/zeek/share/zeek/site/local.zeek:ro \
+    -v /opt/so/conf/zeek/node.cfg:/opt/zeek/etc/node.cfg:ro \
+    -v /opt/so/conf/zeek/zeekctl.cfg:/opt/zeek/etc/zeekctl.cfg:ro \
+    -v /opt/so/conf/zeek/policy/securityonion:/opt/zeek/share/zeek/policy/securityonion:ro \
+    -v /opt/so/conf/zeek/policy/custom:/opt/zeek/share/zeek/policy/custom:ro \
+    -v /opt/so/conf/zeek/policy/cve-2020-0601:/opt/zeek/share/zeek/policy/cve-2020-0601:ro \
+    -v /opt/so/conf/zeek/policy/intel:/opt/zeek/share/zeek/policy/intel:rw \
+    -v /opt/so/conf/zeek/bpf:/opt/zeek/etc/bpf:ro \
+    --entrypoint /opt/zeek/bin/zeek \
+    -w /nsm/zeek/logs \
+    {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-zeek:{{ VERSION }} \
+    -C -r /input.pcap local > $NSM_PATH/logs/console.log 2>&1
+}
+
+# if no parameters supplied, display usage
+if [ $# -eq 0 ]; then
+  usage
+  exit 1
+fi
+
+# ensure this is a sensor node
+if [ ! -d /opt/so/conf/suricata ]; then
+  echo "This command must be run on a sensor node."
+  exit 3
+fi
+
+# verify that all parameters are files
+for i in "$@"; do
+  if ! [ -f "$i" ]; then
+    usage
+    echo "\"$i\" is not a valid file!"
+    exit 2
+  fi
+done
+
+# track if we have any valid or invalid pcaps
+INVALID_PCAPS="no"
+VALID_PCAPS="no"
+
+# track oldest start and newest end so that we can generate the Kibana search hyperlink at the end
+START_OLDEST="2050-12-31"
+END_NEWEST="1971-01-01"
+
+# paths must be quoted in case they include spaces
+for PCAP in "$@"; do
+  PCAP=$(/usr/bin/realpath "$PCAP")
+  echo "Processing Import: ${PCAP}"
+  echo "- verifying file"
+  if ! pcapinfo "${PCAP}" > /dev/null 2>&1; then
+    # try to fix pcap and then process the fixed pcap directly
+    PCAP_FIXED=`mktemp /tmp/so-import-pcap-XXXXXXXXXX.pcap`
+    echo "- attempting to recover corrupted PCAP file"
+    pcapfix "${PCAP}" "${PCAP_FIXED}"
+    PCAP="${PCAP_FIXED}"
+    TEMP_PCAPS+=(${PCAP_FIXED})
+  fi
+
+  # generate a unique hash to assist with dedupe checks
+  HASH=$(md5sum "${PCAP}" | awk '{ print $1 }')
+  HASH_DIR=/nsm/import/${HASH}
+  echo "- assigning unique identifier to import: $HASH"
+
+  if [ -d $HASH_DIR ]; then
+    echo "- this PCAP has already been imported; skipping"
+    INVALID_PCAPS="yes"
+  elif pcapinfo "${PCAP}" |egrep -q "Last packet time:    1970-01-01|Last packet time:    n/a"; then
+    echo "- this PCAP file is invalid; skipping"
+    INVALID_PCAPS="yes"
+  else
+    VALID_PCAPS="yes"
+
+    PCAP_DIR=$HASH_DIR/pcap
+    mkdir -p $PCAP_DIR
+
+    # generate IDS alerts and write them to standard pipeline
+    echo "- analyzing traffic with Suricata"
+    suricata "${PCAP}" $HASH
+
+    # generate Zeek logs and write them to a unique subdirectory in /nsm/import/bro/
+    # since each run writes to a unique subdirectory, there is no need for a lock file
+    echo "- analyzing traffic with Zeek"
+    zeek "${PCAP}" $HASH
+
+    START=$(pcapinfo "${PCAP}" -a |grep "First packet time:" | awk '{print $4}')
+    END=$(pcapinfo "${PCAP}" -e |grep "Last packet time:" | awk '{print $4}')
+    echo "- saving PCAP data spanning dates $START through $END"
+
+    # compare $START to $START_OLDEST
+    START_COMPARE=$(date -d $START +%s)
+    START_OLDEST_COMPARE=$(date -d $START_OLDEST +%s)
+    if [ $START_COMPARE -lt $START_OLDEST_COMPARE ]; then
+      START_OLDEST=$START
+    fi  
+
+    # compare $ENDNEXT to $END_NEWEST
+    ENDNEXT=`date +%Y-%m-%d --date="$END 1 day"`
+    ENDNEXT_COMPARE=$(date -d $ENDNEXT +%s)
+    END_NEWEST_COMPARE=$(date -d $END_NEWEST +%s)
+    if [ $ENDNEXT_COMPARE -gt $END_NEWEST_COMPARE ]; then
+      END_NEWEST=$ENDNEXT
+    fi  
+
+    cp -f "${PCAP}" "${PCAP_DIR}"/data.pcap
+    chmod 644 "${PCAP_DIR}"/data.pcap
+
+  fi # end of valid pcap
+
+  echo
+
+done # end of for-loop processing pcap files
+
+# remove temp files
+echo "Cleaning up:"
+for TEMP_PCAP in ${TEMP_PCAPS[@]}; do
+  echo "- removing temporary pcap $TEMP_PCAP"
+  rm -f $TEMP_PCAP
+done
+
+# output final messages
+if [ "$INVALID_PCAPS" = "yes" ]; then
+  echo
+  echo "Please note!  One or more pcaps was invalid!  You can scroll up to see which ones were invalid."
+fi
+
+START_OLDEST_SLASH=$(echo $START_OLDEST | sed -e 's/-/%2F/g')
+END_NEWEST_SLASH=$(echo $END_NEWEST | sed -e 's/-/%2F/g')
+
+if [ "$VALID_PCAPS" = "yes" ]; then
+cat << EOF
+
+Import complete!
+
+You can use the following hyperlink to view data in the time range of your import.  You can triple-click to quickly highlight the entire hyperlink and you can then copy it into your browser:
+https://{{ URLBASE }}/#/hunt?q=import.id:${HASH}%20%7C%20groupby%20event.module%20event.dataset&t=${START_OLDEST_SLASH}%2000%3A00%3A00%20AM%20-%20${END_NEWEST_SLASH}%2000%3A00%3A00%20AM&z=UTC
+
+or you can manually set your Time Range to be (in UTC):
+From: $START_OLDEST    To: $END_NEWEST
+
+Please note that it may take 30 seconds or more for events to appear in Onion Hunt.
+EOF
+fi
--- a/salt/common/tools/sbin/so-influxdb-restart
+++ b/salt/common/tools/sbin/so-influxdb-restart
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-restart influxdb $1
--- a/salt/common/tools/sbin/so-influxdb-start
+++ b/salt/common/tools/sbin/so-influxdb-start
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-start influxdb $1
--- a/salt/common/tools/sbin/so-influxdb-stop
+++ b/salt/common/tools/sbin/so-influxdb-stop
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-stop influxdb $1
--- a/salt/common/tools/sbin/so-kibana-config-export
+++ b/salt/common/tools/sbin/so-kibana-config-export
@@ -1,9 +1,9 @@
 #!/bin/bash
 #
-# {%- set FLEET_MASTER = salt['pillar.get']('static:fleet_master', False) -%}
-# {%- set FLEET_NODE = salt['pillar.get']('static:fleet_node', False) -%}
-# {%- set FLEET_IP = salt['pillar.get']('static:fleet_ip', '') %}
-# {%- set MASTER = salt['pillar.get']('master:url_base', '') %}
+# {%- set FLEET_MANAGER = salt['pillar.get']('global:fleet_manager', False) -%}
+# {%- set FLEET_NODE = salt['pillar.get']('global:fleet_node', False) -%}
+# {%- set FLEET_IP = salt['pillar.get']('global:fleet_ip', '') %}
+# {%- set MANAGER = salt['pillar.get']('global:url_base', '') %}
 #
 # Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
 #
@@ -20,7 +20,7 @@
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.

-KIBANA_HOST={{ MASTER }}
+KIBANA_HOST={{ MANAGER }}
 KSO_PORT=5601
 OUTFILE="saved_objects.ndjson"
 curl -s -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -XPOST $KIBANA_HOST:$KSO_PORT/api/saved_objects/_export -d '{ "type": [ "index-pattern", "config", "visualization", "dashboard", "search" ], "excludeExportDetails": false }' > $OUTFILE
@@ -29,7 +29,7 @@ curl -s -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -XPOST $KIBANA_H
 sed -i "s/$KIBANA_HOST/PLACEHOLDER/g" $OUTFILE

 # Clean up for Fleet, if applicable
-# {% if FLEET_NODE or FLEET_MASTER %}
+# {% if FLEET_NODE or FLEET_MANAGER %}
 # Fleet IP
-sed -i "s/{{ MASTER }}/FLEETPLACEHOLDER/g" $OUTFILE
+sed -i "s/{{ MANAGER }}/FLEETPLACEHOLDER/g" $OUTFILE
 # {% endif %}
--- a/salt/common/tools/sbin/so-nginx-restart
+++ b/salt/common/tools/sbin/so-nginx-restart
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-restart nginx $1
--- a/salt/common/tools/sbin/so-nginx-start
+++ b/salt/common/tools/sbin/so-nginx-start
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-start nginx $1
--- a/salt/common/tools/sbin/so-nginx-stop
+++ b/salt/common/tools/sbin/so-nginx-stop
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-stop nginx $1
--- a/salt/common/tools/sbin/so-playbook-sync
+++ b/salt/common/tools/sbin/so-playbook-sync
@@ -17,4 +17,4 @@

 . /usr/sbin/so-common

-docker exec so-soctopus python3 playbook_play-sync.py >> /opt/so/log/soctopus/so-playbook-sync.log 2>&1
+docker exec so-soctopus python3 playbook_play-sync.py
--- a/salt/common/tools/sbin/so-restart
+++ b/salt/common/tools/sbin/so-restart
@@ -19,18 +19,22 @@

 . /usr/sbin/so-common

-echo $banner
-printf "Restarting $1...\n\nThis could take a while if another Salt job is running. \nRun this command with --force to stop all Salt jobs before proceeding.\n"
-echo $banner
+if [ $# -ge 1 ]; then

-if [ "$2" = "--force" ]
-then
-   printf "\nForce-stopping all Salt jobs before proceeding\n\n"
-   salt-call saltutil.kill_all_jobs
+        echo $banner
+        printf "Restarting $1...\n\nThis could take a while if another Salt job is running. \nRun this command with --force to stop all Salt jobs before proceeding.\n"
+        echo $banner
+
+        if [ "$2" = "--force" ]; then
+                printf "\nForce-stopping all Salt jobs before proceeding\n\n"
+                salt-call saltutil.kill_all_jobs
+        fi
+
+        case $1 in
+                "cortex") docker stop so-thehive-cortex so-thehive && docker rm so-thehive-cortex so-thehive && salt-call state.apply hive queue=True;;
+                "steno") docker stop so-steno && docker rm so-steno && salt-call state.apply pcap queue=True;;
+                *)  docker stop so-$1 ; docker rm so-$1 ; salt-call state.apply $1 queue=True;;
+        esac
+else
+        echo -e "\nPlease provide an argument by running like so-restart $component, or by using the component-specific script.\nEx. so-restart filebeat, or so-filebeat-restart\n"
 fi
-
-case $1 in
-   "cortex") docker stop so-thehive-cortex so-thehive && docker rm so-thehive-cortex so-thehive && salt-call state.apply hive queue=True;;
-   "steno") docker stop so-steno && docker rm so-steno && salt-call state.apply pcap queue=True;;
-   *)  docker stop so-$1 ; docker rm so-$1 ; salt-call state.apply $1 queue=True;;
-esac
--- a/salt/common/tools/sbin/so-rule-update
+++ b/salt/common/tools/sbin/so-rule-update
@@ -10,4 +10,4 @@ got_root() {
 }

 got_root
-docker exec -it so-idstools /bin/bash -c 'cd /opt/so/idstools/etc && idstools-rulecat'
+docker exec -d so-idstools /bin/bash -c 'cd /opt/so/idstools/etc && idstools-rulecat'
--- a/salt/common/tools/sbin/so-saltstack-update
+++ b/salt/common/tools/sbin/so-saltstack-update
@@ -21,8 +21,8 @@ clone_to_tmp() {
  # Make a temp location for the files
  mkdir /tmp/sogh
  cd /tmp/sogh
-  #git clone -b dev https://github.com/Security-Onion-Solutions/securityonion-saltstack.git
-  git clone https://github.com/Security-Onion-Solutions/securityonion-saltstack.git
+  #git clone -b dev https://github.com/Security-Onion-Solutions/securityonion.git
+  git clone https://github.com/Security-Onion-Solutions/securityonion.git
  cd /tmp

 }
@@ -30,10 +30,10 @@ clone_to_tmp() {
 copy_new_files() {

  # Copy new files over to the salt dir
-  cd /tmp/sogh/securityonion-saltstack
+  cd /tmp/sogh/securityonion
  git checkout $BRANCH
-  rsync -a --exclude-from 'exclude-list.txt' salt $default_salt_dir/
-  rsync -a --exclude-from 'exclude-list.txt' pillar $default_salt_dir/
+  rsync -a salt $default_salt_dir/
+  rsync -a pillar $default_salt_dir/
  chown -R socore:socore $default_salt_dir/salt
  chown -R socore:socore $default_salt_dir/pillar
  chmod 755 $default_salt_dir/pillar/firewall/addfirewall.sh
--- a/salt/common/tools/sbin/so-sensor-clean
+++ b/salt/common/tools/sbin/so-sensor-clean
@@ -0,0 +1,119 @@
+#!/bin/bash
+
+# Delete Zeek Logs based on defined CRIT_DISK_USAGE value
+
+# Copyright 2014,2015,2016,2017,2018, 2019 Security Onion Solutions, LLC
+
+#    This program is free software: you can redistribute it and/or modify
+#    it under the terms of the GNU General Public License as published by
+#    the Free Software Foundation, either version 3 of the License, or
+#    (at your option) any later version.
+#
+#    This program is distributed in the hope that it will be useful,
+#    but WITHOUT ANY WARRANTY; without even the implied warranty of
+#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#    GNU General Public License for more details.
+#
+#    You should have received a copy of the GNU General Public License
+#    along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+SENSOR_DIR='/nsm'
+CRIT_DISK_USAGE=90
+CUR_USAGE=$(df -P $SENSOR_DIR | tail -1 | awk '{print $5}' | tr -d %)
+LOG="/opt/so/log/sensor_clean.log"
+TODAY=$(date -u "+%Y-%m-%d")
+
+clean () {
+                ## find the oldest Zeek logs directory
+                OLDEST_DIR=$(ls /nsm/zeek/logs/ | grep -v "current" | grep -v "stats" | grep -v "packetloss" | grep -v "zeek_clean" | sort | head -n 1)
+                if [ -z "$OLDEST_DIR" -o "$OLDEST_DIR" == ".." -o "$OLDEST_DIR" == "." ]
+                then
+                        echo "$(date) - No old Zeek logs available to clean up in /nsm/zeek/logs/" >> $LOG
+                        #exit 0
+                else
+                        echo "$(date) - Removing directory: /nsm/zeek/logs/$OLDEST_DIR" >> $LOG
+                        rm -rf /nsm/zeek/logs/"$OLDEST_DIR"
+                fi
+
+
+                ## Remarking for now, as we are moving extracted files to /nsm/strelka/processed
+                ## find oldest files in extracted directory and exclude today
+                #OLDEST_EXTRACT=$(find /nsm/zeek/extracted/complete -type f -printf '%T+ %p\n' 2>/dev/null | sort | grep -v $TODAY | head -n 1)
+                #if [ -z "$OLDEST_EXTRACT" -o "$OLDEST_EXTRACT" == ".." -o "$OLDEST_EXTRACT" == "." ]
+                #then
+                #        echo "$(date) - No old extracted files available to clean up in /nsm/zeek/extracted/complete" >> $LOG
+                #else
+                #        OLDEST_EXTRACT_DATE=`echo $OLDEST_EXTRACT | awk '{print $1}' | cut -d+ -f1`
+                #        OLDEST_EXTRACT_FILE=`echo $OLDEST_EXTRACT | awk '{print $2}'`
+                #        echo "$(date) - Removing extracted files for $OLDEST_EXTRACT_DATE" >> $LOG
+                #        find /nsm/zeek/extracted/complete -type f -printf '%T+ %p\n' | grep $OLDEST_EXTRACT_DATE | awk '{print $2}' |while read FILE
+                #        do
+                #                echo "$(date) - Removing extracted file: $FILE" >> $LOG
+                #                rm -f "$FILE"
+                #        done
+                #fi
+ 
+                ## Clean up Zeek extracted files processed by Strelka
+                STRELKA_FILES='/nsm/strelka/processed'
+                OLDEST_STRELKA=$(find $STRELKA_FILES -type f -printf '%T+ %p\n' | sort -n | head -n 1 )
+                if [ -z "$OLDEST_STRELKA" -o "$OLDEST_STRELKA" == ".." -o "$OLDEST_STRELKA" == "." ]
+                then
+                        echo "$(date) - No old files available to clean up in $STRELKA_FILES" >> $LOG
+                else
+                        OLDEST_STRELKA_DATE=`echo $OLDEST_STRELKA | awk '{print $1}' | cut -d+ -f1`
+                        OLDEST_STRELKA_FILE=`echo $OLDEST_STRELKA | awk '{print $2}'`
+                        echo "$(date) - Removing extracted files for $OLDEST_STRELKA_DATE" >> $LOG
+                        find $STRELKA_FILES -type f -printf '%T+ %p\n' | grep $OLDEST_STRELKA_DATE | awk '{print $2}' |while read FILE
+                        do
+                                echo "$(date) - Removing file: $FILE" >> $LOG
+                                rm -f "$FILE"
+                        done
+                fi
+
+                ## Clean up Suricata log files
+                SURICATA_LOGS='/nsm/suricata'
+                OLDEST_SURICATA=$(find $STRELKA_FILES -type f -printf '%T+ %p\n' | sort -n | head -n 1)
+                if [ -z "$OLDEST_SURICATA" -o "$OLDEST_SURICATA" == ".." -o "$OLDEST_SURICATA" == "." ]
+                then
+                        echo "$(date) - No old files available to clean up in $SURICATA_LOGS" >> $LOG
+                else
+                        OLDEST_SURICATA_DATE=`echo $OLDEST_SURICATA | awk '{print $1}' | cut -d+ -f1`
+                        OLDEST_SURICATA_FILE=`echo $OLDEST_SURICATA | awk '{print $2}'`
+                        echo "$(date) - Removing logs for $OLDEST_SURICATA_DATE" >> $LOG
+                        find $SURICATA_LOGS -type f -printf '%T+ %p\n' | grep $OLDEST_SURICATA_DATE | awk '{print $2}' |while read FILE
+                        do
+                                echo "$(date) - Removing file: $FILE" >> $LOG
+                                rm -f "$FILE"
+                        done
+                fi
+
+                ## Clean up extracted pcaps from Steno
+                PCAPS='/nsm/pcapout'
+                OLDEST_PCAP=$(find $PCAPS -type f -printf '%T+ %p\n' | sort -n | head -n 1 )
+                if [ -z "$OLDEST_PCAP" -o "$OLDEST_PCAP" == ".." -o "$OLDEST_PCAP" == "." ]
+                then
+                        echo "$(date) - No old files available to clean up in $PCAPS" >> $LOG
+                else
+                        OLDEST_PCAP_DATE=`echo $OLDEST_PCAP | awk '{print $1}' | cut -d+ -f1`
+                        OLDEST_PCAP_FILE=`echo $OLDEST_PCAP | awk '{print $2}'`
+                        echo "$(date) - Removing extracted files for $OLDEST_PCAP_DATE" >> $LOG
+                        find $PCAPS -type f -printf '%T+ %p\n' | grep $OLDEST_PCAP_DATE | awk '{print $2}' |while read FILE
+                        do
+                                echo "$(date) - Removing file: $FILE" >> $LOG
+                                rm -f "$FILE"
+                        done
+                fi
+}
+
+# Check to see if we are already running
+IS_RUNNING=$(ps aux | grep "sensor_clean" | grep -v grep | wc -l)
+[ "$IS_RUNNING" -gt 2 ] && echo "$(date) - $IS_RUNNING sensor clean script processes running...exiting." >> $LOG && exit 0
+
+if [ "$CUR_USAGE" -gt "$CRIT_DISK_USAGE" ]; then
+    while [ "$CUR_USAGE" -gt "$CRIT_DISK_USAGE" ];
+        do
+         clean
+         CUR_USAGE=$(df -P $SENSOR_DIR | tail -1 | awk '{print $5}' | tr -d %)
+    done
+fi
+
--- a/salt/common/tools/sbin/so-soc-restart
+++ b/salt/common/tools/sbin/so-soc-restart
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-restart soc $1
--- a/salt/common/tools/sbin/so-soc-start
+++ b/salt/common/tools/sbin/so-soc-start
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-start soc $1
--- a/salt/common/tools/sbin/so-soc-stop
+++ b/salt/common/tools/sbin/so-soc-stop
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-stop soc $1
--- a/salt/common/tools/sbin/so-start
+++ b/salt/common/tools/sbin/so-start
@@ -19,18 +19,21 @@

 . /usr/sbin/so-common

-echo $banner
-printf "Starting $1...\n\nThis could take a while if another Salt job is running. \nRun this command with --force to stop all Salt jobs before proceeding.\n"
-echo $banner
+if [ $# -ge 1 ]; then
+	echo $banner
+	printf "Starting $1...\n\nThis could take a while if another Salt job is running. \nRun this command with --force to stop all Salt jobs before proceeding.\n"
+	echo $banner

-if [ "$2" = "--force" ]
-then
-   printf "\nForce-stopping all Salt jobs before proceeding\n\n"
-   salt-call saltutil.kill_all_jobs
+	if [ "$2" = "--force" ]; then
+   		printf "\nForce-stopping all Salt jobs before proceeding\n\n"
+   		salt-call saltutil.kill_all_jobs
+	fi
+
+	case $1 in
+   		"all") salt-call state.highstate queue=True;;
+   		"steno") if docker ps | grep -q so-$1; then printf "\n$1 is already running!\n\n"; else docker rm so-$1 >/dev/null 2>&1 ; salt-call state.apply pcap queue=True; fi ;; 
+   		*) if docker ps | grep -E -q '^so-$1$'; then printf "\n$1 is already running\n\n"; else docker rm so-$1 >/dev/null 2>&1 ; salt-call state.apply $1 queue=True; fi ;; 
+	esac
+else
+	echo -e "\nPlease provide an argument by running like so-start $component, or by using the component-specific script.\nEx. so-start filebeat, or so-filebeat-start\n"	
 fi
-
-case $1 in
-   "all") salt-call state.highstate queue=True;;
-   "steno") if docker ps | grep -q so-$1; then printf "\n$1 is already running!\n\n"; else docker rm so-$1 >/dev/null 2>&1 ; salt-call state.apply pcap queue=True; fi ;; 
-   *) if docker ps | grep -E -q '^so-$1$'; then printf "\n$1 is already running\n\n"; else docker rm so-$1 >/dev/null 2>&1 ; salt-call state.apply $1 queue=True; fi ;; 
-esac
--- a/salt/common/tools/sbin/so-status
+++ b/salt/common/tools/sbin/so-status
@@ -15,7 +15,7 @@
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 {%- from 'common/maps/so-status.map.jinja' import docker with context %}
-{%- set container_list = docker['containers'] | sort %}
+{%- set container_list = docker['containers'] | sort | unique %}

 if ! [ "$(id -u)" = 0 ]; then
   echo "This command must be run as root"
@@ -27,6 +27,7 @@ ERROR_STRING="ERROR"
 SUCCESS_STRING="OK"
 PENDING_STRING="PENDING"
 MISSING_STRING='MISSING'
+CALLER=$(ps -o comm= $PPID)
 declare -a BAD_STATUSES=("removing" "paused" "exited" "dead")
 declare -a PENDING_STATUSES=("paused" "created" "restarting")
 declare -a GOOD_STATUSES=("running")
@@ -71,9 +72,9 @@ compare_lists() {
 # {% endraw %}

 create_expected_container_list() {
-    {% for item in container_list%}
+    {% for item in container_list -%}
        expected_container_list+=("{{ item }}")
-    {% endfor %}
+    {% endfor -%}
 }

 populate_container_lists() {
@@ -149,30 +150,75 @@ print_line() {
    printf "%s    \n" " ]"
 }

-main() {
-    local focus_color="\e[1;34m"
-    printf "\n"
-    printf "${focus_color}%b\e[0m" "Checking Docker status\n\n"
+non_term_print_line() {
+    local service_name=${1}
+    local service_state="$( parse_status ${2} )"

-    systemctl is-active --quiet docker
-    if [[ $? = 0 ]]; then
-        print_line "Docker" "running"
-    else
-        print_line "Docker" "exited"
-    fi
+    local PADDING_CONSTANT=10

-    populate_container_lists
-
-    printf "\n"
-    printf "${focus_color}%b\e[0m" "Checking container statuses\n\n"
-
-    local num_containers=${#container_name_list[@]}
-
-    for i in $(seq 0 $(($num_containers - 1 ))); do
-        print_line ${container_name_list[$i]} ${container_state_list[$i]}
+    printf "    $service_name "
+    for i in $(seq 0 $(( 40 - $PADDING_CONSTANT - ${#service_name} - ${#service_state} ))); do
+        printf "-"
    done
+    printf " [ "
+    printf "$service_state"
+    printf "%s    \n" " ]"
+}

-    printf "\n"
+main() {
+
+    # if running from salt
+    if [ "$CALLER" == 'salt-call' ] ||  [ "$CALLER" == 'salt-minion' ]; then
+      printf "\n"
+      printf "Checking Docker status\n\n"
+
+      systemctl is-active --quiet docker
+      if [[ $? = 0 ]]; then
+          non_term_print_line "Docker" "running"
+      else
+          non_term_print_line "Docker" "exited"
+      fi
+
+      populate_container_lists
+
+      printf "\n"
+      printf "Checking container statuses\n\n"
+
+      local num_containers=${#container_name_list[@]}
+
+      for i in $(seq 0 $(($num_containers - 1 ))); do
+          non_term_print_line ${container_name_list[$i]} ${container_state_list[$i]}
+      done
+
+      printf "\n"
+    
+    # else if running from a terminal
+    else
+
+      local focus_color="\e[1;34m"
+      printf "\n"
+      printf "${focus_color}%b\e[0m" "Checking Docker status\n\n"
+
+      systemctl is-active --quiet docker
+      if [[ $? = 0 ]]; then
+          print_line "Docker" "running"
+      else
+          print_line "Docker" "exited"
+      fi
+
+      populate_container_lists
+
+      printf "\n"
+      printf "${focus_color}%b\e[0m" "Checking container statuses\n\n"
+
+      local num_containers=${#container_name_list[@]}
+
+      for i in $(seq 0 $(($num_containers - 1 ))); do
+          print_line ${container_name_list[$i]} ${container_state_list[$i]}
+      done
+
+      printf "\n"
+    fi
 }

 # {% endraw %}
--- a/salt/common/tools/sbin/so-stop
+++ b/salt/common/tools/sbin/so-stop
@@ -19,11 +19,15 @@

 . /usr/sbin/so-common

-echo $banner
-printf "Stopping $1...\n"
-echo $banner
+if [ $# -ge 1 ]; then
+	echo $banner
+	printf "Stopping $1...\n"
+	echo $banner

-case $1 in
-    *) docker stop so-$1 ; docker rm so-$1 ;;
-esac
+	case $1 in
+    		*) docker stop so-$1 ; docker rm so-$1 ;;
+	esac
+else
+	echo -e "\nPlease provide an argument by running like so-stop $component, or by using the component-specific script.\nEx. so-stop filebeat, or so-filebeat-stop\n"	
+fi

--- a/salt/common/tools/sbin/so-strelka-restart
+++ b/salt/common/tools/sbin/so-strelka-restart
@@ -0,0 +1,26 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-stop strelka-filestream $1
+/usr/sbin/so-stop strelka-manager $1
+/usr/sbin/so-stop strelka-frontend $1
+/usr/sbin/so-stop strelka-backend $1
+/usr/sbin/so-stop strelka-gatekeeper $1
+/usr/sbin/so-stop strelka-coordinator $1
+/usr/sbin/so-start strelka $1
--- a/salt/common/tools/sbin/so-strelka-start
+++ b/salt/common/tools/sbin/so-strelka-start
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-start strelka $1
--- a/salt/common/tools/sbin/so-strelka-stop
+++ b/salt/common/tools/sbin/so-strelka-stop
@@ -0,0 +1,25 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-stop strelka-filestream $1
+/usr/sbin/so-stop strelka-manager $1
+/usr/sbin/so-stop strelka-frontend $1
+/usr/sbin/so-stop strelka-backend $1
+/usr/sbin/so-stop strelka-gatekeeper $1
+/usr/sbin/so-stop strelka-coordinator $1
--- a/salt/common/tools/sbin/so-tcpreplay
+++ b/salt/common/tools/sbin/so-tcpreplay
@@ -15,7 +15,7 @@
 #    You should have received a copy of the GNU General Public License
 #    along with this program.  If not, see <http://www.gnu.org/licenses/>.

-# Usage: so-tcpreplay "/opt/so/samples/*"
+# Usage: so-tcpreplay "/opt/samples/*"

 REPLAY_ENABLED=$(docker images | grep so-tcpreplay)
 REPLAY_RUNNING=$(docker ps | grep so-tcpreplay)
--- a/salt/common/tools/sbin/so-telegraf-restart
+++ b/salt/common/tools/sbin/so-telegraf-restart
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-restart telegraf $1
--- a/salt/common/tools/sbin/so-telegraf-start
+++ b/salt/common/tools/sbin/so-telegraf-start
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-start telegraf $1
--- a/salt/common/tools/sbin/so-telegraf-stop
+++ b/salt/common/tools/sbin/so-telegraf-stop
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-stop telegraf $1
--- a/salt/common/tools/sbin/so-test
+++ b/salt/common/tools/sbin/so-test
@@ -0,0 +1,43 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+#    This program is free software: you can redistribute it and/or modify
+#    it under the terms of the GNU General Public License as published by
+#    the Free Software Foundation, either version 3 of the License, or
+#    (at your option) any later version.
+#
+#    This program is distributed in the hope that it will be useful,
+#    but WITHOUT ANY WARRANTY; without even the implied warranty of
+#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#    GNU General Public License for more details.
+#
+#    You should have received a copy of the GNU General Public License
+#    along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+# Usage: so-test
+
+. /usr/sbin/so-common
+
+REPLAY_ENABLED=$(docker images | grep so-tcpreplay)
+REPLAY_RUNNING=$(docker ps | grep so-tcpreplay)
+
+if  [ "$REPLAY_ENABLED" != "" ] && [ "$REPLAY_RUNNING" != "" ]; then
+   docker cp so-tcpreplay:/opt/samples /opt/samples
+   docker exec -it so-tcpreplay /usr/local/bin/tcpreplay -i bond0 -M10 /opt/samples/*
+   echo
+   echo "PCAP's have been replayed - it is normal to see some warnings."
+   echo
+else
+  echo "Replay functionality not enabled!  Enabling Now...."
+  echo
+  echo "Note that you will need internet access to download the appropriate components"
+  /usr/sbin/so-start tcpreplay
+  echo "Replay functionality enabled.  Replaying PCAPs Now...."
+  docker cp so-tcpreplay:/opt/samples /opt/samples
+  docker exec -it so-tcpreplay /usr/local/bin/tcpreplay -i bond0 -M10 /opt/samples/*
+  echo
+  echo "PCAP's have been replayed - it is normal to see some warnings."
+  echo
+fi
+
--- a/salt/common/tools/sbin/so-thehive-user-add
+++ b/salt/common/tools/sbin/so-thehive-user-add
@@ -0,0 +1,52 @@
+#!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+usage() {
+    echo "Usage: $0 <new-user-name>"
+    echo ""
+    echo "Adds a new user to TheHive. The new password will be read from STDIN."
+    exit 1
+}
+
+if [ $# -ne 1 ]; then
+  usage
+fi
+
+USER=$1
+
+THEHIVE_KEY=$(lookup_pillar hivekey)
+THEHIVE_IP=$(lookup_pillar managerip)
+THEHIVE_USER=$USER
+
+# Read password for new user from stdin
+test -t 0
+if [[ $? == 0 ]]; then
+  echo "Enter new password:"
+fi
+read -s THEHIVE_PASS
+
+# Create new user in TheHive
+resp=$(curl -sk -XPOST -H "Authorization: Bearer $THEHIVE_KEY" -H "Content-Type: application/json" "https://$THEHIVE_IP/thehive/api/user" -d "{\"login\" : \"$THEHIVE_USER\",\"name\" : \"$THEHIVE_USER\",\"roles\" : [\"read\",\"alert\",\"write\",\"admin\"],\"preferences\" : \"{}\",\"password\" : \"$THEHIVE_PASS\"}")
+if [[ "$resp" =~ \"status\":\"Ok\" ]]; then
+    echo "Successfully added user to TheHive."
+else
+    echo "Unable to add user to TheHive; user might already exist."
+    echo $resp
+    exit 2
+fi
--- a/salt/common/tools/sbin/so-thehive-user-enable
+++ b/salt/common/tools/sbin/so-thehive-user-enable
@@ -0,0 +1,57 @@
+#!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+usage() {
+    echo "Usage: $0 <user-name> <true|false>"
+    echo ""
+    echo "Enables or disables a user in thehive."
+    exit 1
+}
+
+if [ $# -ne 2 ]; then
+  usage
+fi
+
+USER=$1
+
+THEHIVE_KEY=$(lookup_pillar hivekey)
+THEHIVE_IP=$(lookup_pillar managerip)
+THEHIVE_USER=$USER
+
+case "${2^^}" in
+	FALSE | NO | 0)
+		THEHIVE_STATUS=Locked
+		;;
+	TRUE | YES | 1)
+		THEHIVE_STATUS=Ok
+		;;
+	*)
+		usage
+		;;
+esac
+
+resp=$(curl -sk -XPATCH -H "Authorization: Bearer $THEHIVE_KEY" -H "Content-Type: application/json" "https://$THEHIVE_IP/thehive/api/user/${THEHIVE_USER}" -d "{\"status\":\"${THEHIVE_STATUS}\" }")
+if [[ "$resp" =~ \"status\":\"Locked\" || "$resp" =~ \"status\":\"Ok\" ]]; then
+    echo "Successfully updated user in thehive."
+else
+    echo "Failed to update user in thehive."
+    echo "$resp"
+    exit 2
+fi
+    
--- a/salt/common/tools/sbin/so-user
+++ b/salt/common/tools/sbin/so-user
@@ -8,26 +8,16 @@
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

-got_root() {
-
-  # Make sure you are root
-  if [ "$(id -u)" -ne 0 ]; then
-          echo "This script must be run using sudo!"
-          exit 1
-  fi
-
-}
-
-# Make sure the user is root
-got_root
+. /usr/sbin/so-common

 if [[ $# < 1 || $# > 2 ]]; then
-  echo "Usage: $0 <list|add|update|delete|validate|valemail|valpass> [email]"
+  echo "Usage: $0 <list|add|update|enable|disable|validate|valemail|valpass> [email]"
  echo ""
  echo "     list: Lists all user email addresses currently defined in the identity system"
  echo "      add: Adds a new user to the identity system; requires 'email' parameter"
  echo "   update: Updates a user's password; requires 'email' parameter"
-  echo "   delete: Deletes an existing user; requires 'email' parameter"
+  echo "   enable: Enables a user; requires 'email' parameter"
+  echo "  disable: Disables a user; requires 'email' parameter"
  echo " validate: Validates that the given email address and password are acceptable for defining a new user; requires 'email' parameter"
  echo " valemail: Validates that the given email address is acceptable for defining a new user; requires 'email' parameter"
  echo "  valpass: Validates that a password is acceptable for defining a new user"
@@ -74,7 +64,7 @@ function findIdByEmail() {
  email=$1

  response=$(curl -Ss ${kratosUrl}/identities)
-  identityId=$(echo "${response}" | jq ".[] | select(.addresses[0].value == \"$email\") | .id")
+  identityId=$(echo "${response}" | jq ".[] | select(.verifiable_addresses[0].value == \"$email\") | .id")
  echo $identityId
 }

@@ -124,7 +114,7 @@ function listUsers() {
  response=$(curl -Ss ${kratosUrl}/identities)
  [[ $? != 0 ]] && fail "Unable to communicate with Kratos"

-  echo "${response}" | jq -r ".[] | .addresses[0].value" | sort
+  echo "${response}" | jq -r ".[] | .verifiable_addresses[0].value" | sort
 }

 function createUser() {
@@ -133,17 +123,8 @@ function createUser() {
  now=$(date -u +%FT%TZ)
  addUserJson=$(cat <<EOF
 {
-  "addresses": [
-    {
-      "expires_at": "2099-01-31T12:00:00Z",
-      "value": "${email}",
-      "verified": true,
-      "verified_at": "${now}",
-      "via": "so-add-user"
-    }
-  ],
  "traits": {"email":"${email}"},
-  "traits_schema_id": "default"
+  "schema_id": "default"
 }
 EOF
  )
@@ -163,6 +144,36 @@ EOF
  updatePassword $identityId
 }

+function updateStatus() {
+  email=$1
+  status=$2
+
+  identityId=$(findIdByEmail "$email")
+  [[ ${identityId} == "" ]] && fail "User not found"
+
+  response=$(curl -Ss "${kratosUrl}/identities/$identityId")
+  [[ $? != 0 ]] && fail "Unable to communicate with Kratos"
+
+  oldConfig=$(echo "select config from identity_credentials where identity_id=${identityId};" | sqlite3 "$databasePath")
+  if [[ "$status" == "locked" ]]; then
+    config=$(echo $oldConfig | sed -e 's/hashed/locked/')
+    echo "update identity_credentials set config=CAST('${config}' as BLOB) where identity_id=${identityId};" | sqlite3 "$databasePath"
+    [[ $? != 0 ]] && fail "Unable to lock credential record"
+
+    echo "delete from sessions where identity_id=${identityId};" | sqlite3 "$databasePath"
+    [[ $? != 0 ]] && fail "Unable to invalidate sessions"    
+  else
+    config=$(echo $oldConfig | sed -e 's/locked/hashed/')
+    echo "update identity_credentials set config=CAST('${config}' as BLOB) where identity_id=${identityId};" | sqlite3 "$databasePath"
+    [[ $? != 0 ]] && fail "Unable to unlock credential record"
+  fi  
+
+  updatedJson=$(echo "$response" | jq ".traits.status = \"$status\" | del(.verifiable_addresses) | del(.id) | del(.schema_url)")
+  response=$(curl -Ss -XPUT ${kratosUrl}/identities/$identityId -d "$updatedJson")
+  [[ $? != 0 ]] && fail "Unable to mark user as locked"
+
+}
+
 function updateUser() {
  email=$1

@@ -189,7 +200,9 @@ case "${operation}" in

    validateEmail "$email"
    createUser "$email"
-    echo "Successfully added new user"
+    echo "Successfully added new user to SOC"
+    check_container thehive && echo $password | so-thehive-user-add "$email"
+    check_container fleet && echo $password | so-fleet-user-add "$email"
    ;;

  "list")
@@ -205,12 +218,34 @@ case "${operation}" in
    echo "Successfully updated user"
    ;;

+  "enable")
+    verifyEnvironment
+    [[ "$email" == "" ]] && fail "Email address must be provided"
+
+    updateStatus "$email" 'active'
+    echo "Successfully enabled user"
+    check_container thehive && so-thehive-user-enable "$email" true
+    check_container fleet && so-fleet-user-enable "$email" true   
+    ;;
+
+  "disable")
+    verifyEnvironment
+    [[ "$email" == "" ]] && fail "Email address must be provided"
+
+    updateStatus "$email" 'locked'
+    echo "Successfully disabled user"
+    check_container thehive && so-thehive-user-enable "$email" false
+    check_container fleet && so-fleet-user-enable "$email" false   
+    ;;    
+
  "delete")
    verifyEnvironment
    [[ "$email" == "" ]] && fail "Email address must be provided"

    deleteUser "$email"
    echo "Successfully deleted user"
+    check_container thehive && so-thehive-user-enable "$email" false
+    check_container fleet && so-fleet-user-enable "$email" false
    ;;

  "validate")
--- a/salt/common/tools/sbin/so-user-disable
+++ b/salt/common/tools/sbin/so-user-disable
@@ -0,0 +1,2 @@
+#!/bin/bash
+so-user disable $*
--- a/salt/common/tools/sbin/so-user-enable
+++ b/salt/common/tools/sbin/so-user-enable
@@ -0,0 +1,2 @@
+#!/bin/bash
+so-user enable $*
--- a/salt/common/tools/sbin/so-wazuh-agent-manage
+++ b/salt/common/tools/sbin/so-wazuh-agent-manage
@@ -15,13 +15,8 @@
 #    You should have received a copy of the GNU General Public License
 #    along with this program.  If not, see <http://www.gnu.org/licenses/>.

-SCRIPTDIR=$(dirname "$0")
-source $SCRIPTDIR/so-update-functions
-
-# Update Packages
-master_check
-update_all_packages
-update_held_packages
-
-
-
+if docker ps |grep so-wazuh >/dev/null 2>&1; then
+  docker exec -it so-wazuh /var/ossec/bin/manage_agents "$@"
+else
+  echo "Wazuh manager is not running.  Please start it with so-wazuh-start."
+fi
--- a/salt/common/tools/sbin/so-wazuh-agent-upgrade
+++ b/salt/common/tools/sbin/so-wazuh-agent-upgrade
@@ -0,0 +1,22 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+
+#    This program is free software: you can redistribute it and/or modify
+#    it under the terms of the GNU General Public License as published by
+#    the Free Software Foundation, either version 3 of the License, or
+#    (at your option) any later version.
+#
+#    This program is distributed in the hope that it will be useful,
+#    but WITHOUT ANY WARRANTY; without even the implied warranty of
+#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#    GNU General Public License for more details.
+#
+#    You should have received a copy of the GNU General Public License
+#    along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+if docker ps |grep so-wazuh >/dev/null 2>&1; then
+  docker exec -it so-wazuh /var/ossec/bin/agent_upgrade "$@"
+else
+  echo "Wazuh manager is not running.  Please start it with so-wazuh-start."
+fi
--- a/salt/common/tools/sbin/so-yara-update
+++ b/salt/common/tools/sbin/so-yara-update
@@ -0,0 +1,165 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+{%- set ISAIRGAP = salt['pillar.get']('global:airgap', 'False') %}
+
+output_dir="/opt/so/saltstack/default/salt/strelka/rules"
+mkdir -p $output_dir
+repos="$output_dir/repos.txt"
+ignorefile="$output_dir/ignore.txt"
+
+deletecounter=0
+newcounter=0
+updatecounter=0
+
+{% if ISAIRGAP is sameas true %}
+
+
+clone_dir="/nsm/repo/rules/strelka"
+repo_name="signature-base"
+mkdir -p /opt/so/saltstack/default/salt/strelka/rules/signature-base
+
+[ -f $clone_dir/LICENSE ] && cp $clone_dir/$repo_name/LICENSE $output_dir/$repo_name
+
+# Copy over rules
+for i in $(find $clone_dir/yara -name "*.yar*"); do
+  rule_name=$(echo $i | awk -F '/' '{print $NF}')
+  repo_sum=$(sha256sum $i | awk '{print $1}')
+
+  # Check rules against those in ignore list -- don't copy if ignored.
+  if ! grep -iq $rule_name $ignorefile; then
+    existing_rules=$(find $output_dir/$repo_name/ -name $rule_name | wc -l)
+
+    # For existing rules, check to see if they need to be updated, by comparing checksums
+    if [ $existing_rules -gt 0 ];then
+      local_sum=$(sha256sum $output_dir/$repo_name/$rule_name | awk '{print $1}')
+      if [ "$repo_sum" != "$local_sum" ]; then
+        echo "Checksums do not match!"
+        echo "Updating $rule_name..."
+        cp $i $output_dir/$repo_name;
+        ((updatecounter++))
+      fi
+    else
+      # If rule doesn't exist already, we'll add it
+      echo "Adding new rule: $rule_name..."
+      cp $i $output_dir/$repo_name
+      ((newcounter++))
+    fi
+  fi;
+done
+
+# Check to see if we have any old rules that need to be removed
+for i in $(find $output_dir/$repo_name -name "*.yar*" | awk -F '/' '{print $NF}'); do
+  is_repo_rule=$(find $clone_dir -name "$i" | wc -l)
+  if [ $is_repo_rule -eq 0 ]; then
+    echo "Could not find $i in source $repo_name repo...removing from $output_dir/$repo_name..."
+    rm $output_dir/$repo_name/$i
+    ((deletecounter++))
+  fi
+done
+
+echo "Done!"
+
+  if [ "$newcounter" -gt 0 ];then
+    echo "$newcounter new rules added."
+  fi
+
+  if [ "$updatecounter" -gt 0 ];then
+    echo "$updatecounter rules updated."
+  fi
+
+  if [ "$deletecounter" -gt 0 ];then
+    echo "$deletecounter rules removed because they were deprecated or don't exist in the source repo."
+  fi
+
+{% else %}
+
+gh_status=$(curl -s -o /dev/null -w "%{http_code}" http://github.com)
+clone_dir="/tmp"
+if [ "$gh_status" == "200" ]  || [ "$gh_status" == "301" ]; then
+
+  while IFS= read -r repo; do
+
+    # Remove old repo if existing bc of previous error condition or unexpected disruption
+    repo_name=`echo $repo | awk -F '/' '{print $NF}'`
+    [ -d $repo_name ] && rm -rf $repo_name
+
+    # Clone repo and make appropriate directories for rules
+
+    git clone $repo $clone_dir/$repo_name
+    echo "Analyzing rules from $clone_dir/$repo_name..."
+    mkdir -p $output_dir/$repo_name
+    [ -f $clone_dir/$repo_name/LICENSE ] && cp $clone_dir/$repo_name/LICENSE $output_dir/$repo_name
+
+    # Copy over rules
+    for i in $(find $clone_dir/$repo_name -name "*.yar*"); do
+      rule_name=$(echo $i | awk -F '/' '{print $NF}')
+      repo_sum=$(sha256sum $i | awk '{print $1}')
+
+      # Check rules against those in ignore list -- don't copy if ignored.
+      if ! grep -iq $rule_name $ignorefile; then
+        existing_rules=$(find $output_dir/$repo_name/ -name $rule_name | wc -l)
+
+        # For existing rules, check to see if they need to be updated, by comparing checksums
+        if [ $existing_rules -gt 0 ];then
+          local_sum=$(sha256sum $output_dir/$repo_name/$rule_name | awk '{print $1}')
+          if [ "$repo_sum" != "$local_sum" ]; then
+            echo "Checksums do not match!"
+            echo "Updating $rule_name..."
+            cp $i $output_dir/$repo_name;
+            ((updatecounter++))
+          fi
+        else
+          # If rule doesn't exist already, we'll add it
+          echo "Adding new rule: $rule_name..."
+          cp $i $output_dir/$repo_name
+          ((newcounter++))
+        fi
+      fi;
+    done
+
+    # Check to see if we have any old rules that need to be removed
+    for i in $(find $output_dir/$repo_name -name "*.yar*" | awk -F '/' '{print $NF}'); do
+      is_repo_rule=$(find $clone_dir/$repo_name -name "$i" | wc -l)
+      if [ $is_repo_rule -eq 0 ]; then
+        echo "Could not find $i in source $repo_name repo...removing from $output_dir/$repo_name..."
+        rm $output_dir/$repo_name/$i
+        ((deletecounter++))
+      fi
+    done
+    rm -rf $clone_dir/$repo_name
+  done < $repos
+
+  echo "Done!"
+
+  if [ "$newcounter" -gt 0 ];then
+    echo "$newcounter new rules added."
+  fi
+
+  if [ "$updatecounter" -gt 0 ];then
+    echo "$updatecounter rules updated."
+  fi
+
+  if [ "$deletecounter" -gt 0 ];then
+    echo "$deletecounter rules removed because they were deprecated or don't exist in the source repo."
+  fi
+
+else
+  echo "Server returned $gh_status status code."
+  echo "No connectivity to Github...exiting..."
+  exit 1
+fi
+{%- endif -%}
--- a/salt/common/tools/sbin/so-zeek-logs
+++ b/salt/common/tools/sbin/so-zeek-logs
@@ -1,17 +1,17 @@
 #!/bin/bash
 local_salt_dir=/opt/so/saltstack/local

-bro_logs_enabled() {
+zeek_logs_enabled() {

-  echo "brologs:" > $local_salt_dir/pillar/brologs.sls
-  echo "  enabled:" >> $local_salt_dir/pillar/brologs.sls
+  echo "zeeklogs:" > $local_salt_dir/pillar/zeeklogs.sls
+  echo "  enabled:" >> $local_salt_dir/pillar/zeeklogs.sls
  for BLOG in ${BLOGS[@]}; do
-    echo "    - $BLOG" | tr -d '"' >> $local_salt_dir/pillar/brologs.sls
+    echo "    - $BLOG" | tr -d '"' >> $local_salt_dir/pillar/zeeklogs.sls
  done

 }

-whiptail_master_adv_service_brologs() {
+whiptail_manager_adv_service_zeeklogs() {

  BLOGS=$(whiptail --title "Security Onion Setup" --checklist "Please Select Logs to Send:" 24 78 12 \
  "conn" "Connection Logging" ON \
@@ -54,5 +54,5 @@ whiptail_master_adv_service_brologs() {
  "x509" "x.509 Logs" ON 3>&1 1>&2 2>&3 )
 }

-whiptail_master_adv_service_brologs
-bro_logs_enabled
+whiptail_manager_adv_service_zeeklogs
+zeek_logs_enabled
--- a/salt/common/tools/sbin/so-zeek-stats
+++ b/salt/common/tools/sbin/so-zeek-stats
--- a/salt/common/tools/sbin/soup
+++ b/salt/common/tools/sbin/soup
@@ -15,23 +15,433 @@
 #    You should have received a copy of the GNU General Public License
 #    along with this program.  If not, see <http://www.gnu.org/licenses/>.

-clone_to_tmp() {
+. /usr/sbin/so-common
+UPDATE_DIR=/tmp/sogh/securityonion
+INSTALLEDVERSION=$(cat /etc/soversion)
+INSTALLEDSALTVERSION=$(salt --versions-report | grep Salt: | awk {'print $2'})
+DEFAULT_SALT_DIR=/opt/so/saltstack/default
+BATCHSIZE=5
+SOUP_LOG=/root/soup.log
+exec 3>&1 1>${SOUP_LOG} 2>&1

+manager_check() {
+  # Check to see if this is a manager
+  MANAGERCHECK=$(cat /etc/salt/grains | grep role | awk '{print $2}')
+  if [[ "$MANAGERCHECK" =~ ^('so-eval'|'so-manager'|'so-standalone'|'so-managersearch'|'so-import')$ ]]; then
+    echo "This is a manager. We can proceed."
+    MINIONID=$(salt-call grains.get id --out=txt|awk -F: {'print $2'}|tr -d ' ')
+  else
+    echo "Please run soup on the manager. The manager controls all updates."
+    exit 0
+  fi
+}
+
+clean_dockers() {
+  # Place Holder for cleaning up old docker images
+  echo "Trying to clean up old dockers."
+  docker system prune -a -f
+}
+
+clone_to_tmp() {
  # TODO Need to add a air gap option
+  # Clean old files
+  rm -rf /tmp/sogh
  # Make a temp location for the files
-  rm -rf /tmp/soup
-  mkdir -p /tmp/soup
-  cd /tmp/soup
-  #git clone -b dev https://github.com/Security-Onion-Solutions/securityonion-saltstack.git
-  git clone https://github.com/Security-Onion-Solutions/securityonion-saltstack.git
+  mkdir -p /tmp/sogh
+  cd /tmp/sogh
+  SOUP_BRANCH=""
+  if [ -n "$BRANCH" ]; then
+    SOUP_BRANCH="-b $BRANCH"
+  fi
+  git clone $SOUP_BRANCH https://github.com/Security-Onion-Solutions/securityonion.git
+  cd /tmp
+  if [ ! -f $UPDATE_DIR/VERSION ]; then
+    echo "Update was unable to pull from github. Please check your internet."
+    exit 0
+  fi
+}
+
+copy_new_files() {
+  # Copy new files over to the salt dir
+  cd /tmp/sogh/securityonion
+  rsync -a salt $DEFAULT_SALT_DIR/
+  rsync -a pillar $DEFAULT_SALT_DIR/
+  chown -R socore:socore $DEFAULT_SALT_DIR/
+  chmod 755 $DEFAULT_SALT_DIR/pillar/firewall/addfirewall.sh
+  cd /tmp
+}
+
+detect_os() {
+	# Detect Base OS
+	echo "Determining Base OS." >> "$SOUP_LOG" 2>&1
+	if [ -f /etc/redhat-release ]; then
+		OS="centos"
+	elif [ -f /etc/os-release ]; then
+		OS="ubuntu"
+	fi
+	echo "Found OS: $OS" >> "$SOUP_LOG" 2>&1
+}
+
+highstate() {
+  # Run a highstate but first cancel a running one.
+  salt-call saltutil.kill_all_jobs
+  salt-call state.highstate -l info
+}
+
+masterlock() {
+  echo "Locking Salt Master"
+  if [[ "$INSTALLEDVERSION" =~ rc.1 ]]; then
+    TOPFILE=/opt/so/saltstack/default/salt/top.sls
+    BACKUPTOPFILE=/opt/so/saltstack/default/salt/top.sls.backup
+    mv -v $TOPFILE $BACKUPTOPFILE
+    echo "base:" > $TOPFILE
+    echo "  $MINIONID:" >> $TOPFILE
+    echo "    - ca" >> $TOPFILE
+    echo "    - ssl" >> $TOPFILE
+    echo "    - elasticsearch" >> $TOPFILE
+  fi
+}
+
+masterunlock() {
+  echo "Unlocking Salt Master"
+  if [[ "$INSTALLEDVERSION" =~ rc.1 ]]; then
+    mv -v $BACKUPTOPFILE $TOPFILE
+  fi
+}
+
+playbook() {
+  echo "Applying playbook settings"
+  if [[ "$INSTALLEDVERSION" =~ rc.1 ]]; then
+    salt-call state.apply playbook.db_init
+    rm -f /opt/so/rules/elastalert/playbook/*.yaml
+    so-playbook-ruleupdate >> /root/soup_playbook_rule_update.log 2>&1 &
+  fi
+}
+
+pillar_changes() {
+    # This function is to add any new pillar items if needed.
+    echo "Checking to see if pillar changes are needed."
+    
+    [[ "$INSTALLEDVERSION" =~ rc.1 ]] && rc1_to_rc2
+    [[ "$INSTALLEDVERSION" =~ rc.2 ]] && rc2_to_rc3

 }

-# Prompt the user that this requires internets
+rc1_to_rc2() {

+  # Move the static file to global.sls
+  echo "Migrating static.sls to global.sls"
+  mv -v /opt/so/saltstack/local/pillar/static.sls /opt/so/saltstack/local/pillar/global.sls >> "$SOUP_LOG" 2>&1
+  sed -i '1c\global:' /opt/so/saltstack/local/pillar/global.sls >> "$SOUP_LOG" 2>&1
+
+  # Moving baseurl from minion sls file to inside global.sls
+  local line=$(grep '^  url_base:' /opt/so/saltstack/local/pillar/minions/$MINIONID.sls)
+  sed -i '/^  url_base:/d' /opt/so/saltstack/local/pillar/minions/$MINIONID.sls;
+  sed -i "/^global:/a \\$line" /opt/so/saltstack/local/pillar/global.sls;
+
+  # Adding play values to the global.sls
+  local HIVEPLAYSECRET=$(tr -dc 'a-zA-Z0-9' < /dev/urandom  | fold -w 20 | head -n 1)
+  local CORTEXPLAYSECRET=$(tr -dc 'a-zA-Z0-9' < /dev/urandom  | fold -w 20 | head -n 1)
+  sed -i "/^global:/a \\  hiveplaysecret: $HIVEPLAYSECRET" /opt/so/saltstack/local/pillar/global.sls;
+  sed -i "/^global:/a \\  cortexplaysecret: $CORTEXPLAYSECRET" /opt/so/saltstack/local/pillar/global.sls;
+
+  # Move storage nodes to hostname for SSL
+  # Get a list we can use:
+  grep -A1 searchnode /opt/so/saltstack/local/pillar/data/nodestab.sls | grep -v '\-\-' | sed '$!N;s/\n/ /' | awk '{print $1,$3}' | awk '/_searchnode:/{gsub(/\_searchnode:/, "_searchnode"); print}' >/tmp/nodes.txt
+  # Remove the nodes from cluster settings
+  while read p; do
+  local NAME=$(echo $p | awk '{print $1}')
+  local IP=$(echo $p | awk '{print $2}')
+  echo "Removing the old cross cluster config for $NAME"
+  curl -XPUT -H 'Content-Type: application/json' http://localhost:9200/_cluster/settings -d '{"persistent":{"cluster":{"remote":{"'$NAME'":{"skip_unavailable":null,"seeds":null}}}}}'
+  done </tmp/nodes.txt
+  # Add the nodes back using hostname
+  while read p; do
+      local NAME=$(echo $p | awk '{print $1}')
+      local EHOSTNAME=$(echo $p | awk -F"_" '{print $1}')
+	    local IP=$(echo $p | awk '{print $2}')
+      echo "Adding the new cross cluster config for $NAME"
+      curl -XPUT http://localhost:9200/_cluster/settings -H'Content-Type: application/json' -d '{"persistent": {"search": {"remote": {"'$NAME'": {"skip_unavailable": "true", "seeds": ["'$EHOSTNAME':9300"]}}}}}'
+  done </tmp/nodes.txt
+
+  INSTALLEDVERSION=rc.2
+
+}
+
+rc2_to_rc3() {
+
+  # move location of local.rules
+  cp /opt/so/saltstack/default/salt/idstools/localrules/local.rules /opt/so/saltstack/local/salt/idstools/local.rules
+  
+  if [ -f /opt/so/saltstack/local/salt/idstools/localrules/local.rules ]; then
+    cat /opt/so/saltstack/local/salt/idstools/localrules/local.rules >> /opt/so/saltstack/local/salt/idstools/local.rules
+  fi
+  rm -rf /opt/so/saltstack/local/salt/idstools/localrules
+  rm -rf /opt/so/saltstack/default/salt/idstools/localrules
+
+  # Rename mdengine to MDENGINE
+  sed -i "s/  zeekversion/  mdengine/g" /opt/so/saltstack/local/pillar/global.sls
+  # Enable Strelka Rules
+  sed -i "/  rules:/c\  rules: 1" /opt/so/saltstack/local/pillar/global.sls
+
+}
+
+space_check() {
+  # Check to see if there is enough space
+  CURRENTSPACE=$(df -BG / | grep -v Avail | awk '{print $4}' | sed 's/.$//')
+  if [ "$CURRENTSPACE" -lt "10" ]; then
+      echo "You are low on disk space. Upgrade will try and clean up space.";
+      clean_dockers
+  else
+      echo "Plenty of space for upgrading"
+  fi
+  
+}
+
+update_dockers() {
+    # List all the containers
+    if [ $MANAGERCHECK == 'so-import' ]; then
+      TRUSTED_CONTAINERS=( \
+      "so-idstools" \
+      "so-nginx" \
+      "so-filebeat" \
+      "so-suricata" \
+      "so-soc" \
+      "so-elasticsearch" \
+      "so-kibana" \
+      "so-kratos" \
+      "so-suricata" \
+      "so-registry" \
+      "so-pcaptools" \
+      "so-zeek" )
+    elif [ $MANAGERCHECK != 'so-helix' ]; then
+      TRUSTED_CONTAINERS=( \
+      "so-acng" \
+      "so-thehive-cortex" \
+      "so-curator" \
+      "so-domainstats" \
+      "so-elastalert" \
+      "so-elasticsearch" \
+      "so-filebeat" \
+      "so-fleet" \
+      "so-fleet-launcher" \
+      "so-freqserver" \
+      "so-grafana" \
+      "so-idstools" \
+      "so-influxdb" \
+      "so-kibana" \
+      "so-kratos" \
+      "so-logstash" \
+      "so-minio" \
+      "so-mysql" \
+      "so-nginx" \
+      "so-pcaptools" \
+      "so-playbook" \
+      "so-redis" \
+      "so-soc" \
+      "so-soctopus" \
+      "so-steno" \
+      "so-strelka-frontend" \
+      "so-strelka-manager" \
+      "so-strelka-backend" \
+      "so-strelka-filestream" \
+      "so-suricata" \
+      "so-telegraf" \
+      "so-thehive" \
+      "so-thehive-es" \
+      "so-wazuh" \
+      "so-zeek" )
+    else
+      TRUSTED_CONTAINERS=( \
+      "so-filebeat" \
+      "so-idstools" \
+      "so-logstash" \
+      "so-nginx" \
+      "so-redis" \
+      "so-steno" \
+      "so-suricata" \
+      "so-telegraf" \
+      "so-zeek" )
+    fi
+
+# Download the containers from the interwebs
+    for i in "${TRUSTED_CONTAINERS[@]}"
+    do
+      # Pull down the trusted docker image
+      echo "Downloading $i:$NEWVERSION"
+      docker pull --disable-content-trust=false docker.io/$IMAGEREPO/$i:$NEWVERSION
+      # Tag it with the new registry destination
+      docker tag $IMAGEREPO/$i:$NEWVERSION $HOSTNAME:5000/$IMAGEREPO/$i:$NEWVERSION
+      docker push $HOSTNAME:5000/$IMAGEREPO/$i:$NEWVERSION 
+    done
+
+}
+
+update_version() {
+  # Update the version to the latest
+  echo "Updating the Security Onion version file."
+  echo $NEWVERSION > /etc/soversion
+  sed -i "/  soversion:/c\  soversion: $NEWVERSION" /opt/so/saltstack/local/pillar/global.sls
+}
+
+upgrade_check() {
+    # Let's make sure we actually need to update.
+    NEWVERSION=$(cat $UPDATE_DIR/VERSION)
+    if [ "$INSTALLEDVERSION" == "$NEWVERSION" ]; then
+      echo "You are already running the latest version of Security Onion."
+      exit 0
+    fi 
+}
+
+upgrade_check_salt() {
+    NEWSALTVERSION=$(grep version: $UPDATE_DIR/salt/salt/master.defaults.yaml | awk {'print $2'})
+    if [ "$INSTALLEDSALTVERSION" == "$NEWSALTVERSION" ]; then
+      echo "You are already running the correct version of Salt for Security Onion."
+    else
+      SALTUPGRADED=True
+      echo "Performing upgrade of Salt from $INSTALLEDSALTVERSION to $NEWSALTVERSION."
+      echo ""
+      # If CentOS
+      if [ "$OS" == "centos" ]; then
+        echo "Removing yum versionlock for Salt."
+        echo ""
+        yum versionlock delete "salt-*"
+        echo "Updating Salt packages and restarting services."
+        echo ""
+        sh $UPDATE_DIR/salt/salt/scripts/bootstrap-salt.sh -F -M -x python3 stable "$NEWSALTVERSION"
+        echo "Applying yum versionlock for Salt."
+        echo ""
+        yum versionlock add "salt-*"
+      # Else do Ubuntu things
+      elif [ "$OS" == "ubuntu" ]; then
+        echo "Removing apt hold for Salt."
+        echo ""
+        apt-mark unhold "salt-common"
+        apt-mark unhold "salt-master"
+        apt-mark unhold "salt-minion"
+        echo "Updating Salt packages and restarting services."
+        echo ""
+        sh $UPDATE_DIR/salt/salt/scripts/bootstrap-salt.sh -F -M -x python3 stable "$NEWSALTVERSION"
+        echo "Applying apt hold for Salt."
+        echo ""
+        apt-mark hold "salt-common"
+        apt-mark hold "salt-master"
+        apt-mark hold "salt-minion"
+      fi
+    fi 
+}
+
+verify_latest_update_script() {
+    # Check to see if the update scripts match. If not run the new one.
+    CURRENTSOUP=$(md5sum /opt/so/saltstack/default/salt/common/tools/sbin/soup | awk '{print $1}')
+    GITSOUP=$(md5sum /tmp/sogh/securityonion/salt/common/tools/sbin/soup | awk '{print $1}')
+    if [[ "$CURRENTSOUP" == "$GITSOUP" ]]; then
+      echo "This version of the soup script is up to date. Proceeding."
+    else
+      echo "You are not running the latest soup version. Updating soup."
+      cp $UPDATE_DIR/salt/common/tools/sbin/soup $DEFAULT_SALT_DIR/salt/common/tools/sbin/
+      salt-call state.apply common queue=True
+      echo ""
+      echo "soup has been updated. Please run soup again."
+      exit 0
+    fi
+}
+
+main () {
+while getopts ":b" opt; do
+  case "$opt" in
+    b ) # process option b
+       shift
+       BATCHSIZE=$1
+       if ! [[ "$BATCHSIZE" =~ ^[0-9]+$ ]]; then
+         echo "Batch size must be a number greater than 0."
+         exit 1
+       fi
+      ;;
+    \? ) echo "Usage: cmd [-b]"
+      ;;
+  esac
+done
+
+echo "Checking to see if this is a manager."
+echo ""
+manager_check
+echo "Found that Security Onion $INSTALLEDVERSION is currently installed."
+echo ""
+detect_os
+echo ""
+echo "Cloning Security Onion github repo into $UPDATE_DIR."
 clone_to_tmp
-cd /tmp/soup/securityonion-saltstack/update
-chmod +x soup
-./soup
+echo ""
+echo "Verifying we have the latest soup script."
+verify_latest_update_script
+echo ""
+
+echo "Let's see if we need to update Security Onion."
+upgrade_check
+space_check
+
+echo ""
+echo "Performing upgrade from Security Onion $INSTALLEDVERSION to Security Onion $NEWVERSION."
+echo ""
+echo "Stopping Salt Minion service."
+systemctl stop salt-minion
+echo ""
+echo "Stopping Salt Master service."
+systemctl stop salt-master
+echo ""
+echo "Checking for Salt Master and Minion updates."
+upgrade_check_salt


+echo "Making pillar changes."
+pillar_changes
+echo ""
+
+echo ""
+echo "Updating dockers to $NEWVERSION."
+update_dockers
+
+echo ""
+echo "Copying new Security Onion code from $UPDATE_DIR to $DEFAULT_SALT_DIR."
+copy_new_files
+echo ""
+update_version
+
+echo ""
+echo "Locking down Salt Master for upgrade"
+masterlock
+
+echo ""
+echo "Starting Salt Master service."
+systemctl start salt-master
+
+echo ""
+echo "Running a highstate to complete the Security Onion upgrade on this manager. This could take several minutes."
+highstate
+echo ""
+echo "Upgrade from $INSTALLEDVERSION to $NEWVERSION complete."
+
+echo ""
+echo "Stopping Salt Master to remove ACL"
+systemctl stop salt-master
+
+masterunlock
+
+echo ""
+echo "Starting Salt Master service."
+systemctl start salt-master
+highstate
+playbook
+
+SALTUPGRADED="True"
+if [[ "$SALTUPGRADED" == "True" ]]; then
+  echo ""
+  echo "Upgrading Salt on the remaining Security Onion nodes from $INSTALLEDSALTVERSION to $NEWSALTVERSION."
+  salt -C 'not *_eval and not *_helix and not *_manager and not *_managersearch and not *_standalone' -b $BATCHSIZE state.apply salt.minion 
+  echo ""
+fi
+
+}
+
+main "$@" | tee /dev/fd/3
--- a/salt/curator/files/action/delete.yml
+++ b/salt/curator/files/action/delete.yml
@@ -1,8 +1,4 @@
-{%- if grains['role'] in ['so-node', 'so-searchnode', 'so-heavynode'] %}
-  {%- set log_size_limit = salt['pillar.get']('node:log_size_limit', '') -%}
-{%- elif grains['role'] in ['so-eval', 'so-mastersearch', 'so-standalone'] %}
-  {%- set log_size_limit = salt['pillar.get']('master:log_size_limit', '') -%}
-{%- endif %}
+{%- set log_size_limit = salt['pillar.get']('elasticsearch:log_size_limit', '') -%}
 ---
 # Remember, leave a key empty if there is no value.  None will be a string,
 # not a Python "NoneType"
--- a/salt/curator/files/action/so-beats-close.yml
+++ b/salt/curator/files/action/so-beats-close.yml
@@ -0,0 +1,29 @@
+{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-beats:close', 30) -%}
+---
+# Remember, leave a key empty if there is no value.  None will be a string,
+# not a Python "NoneType"
+#
+# Also remember that all examples have 'disable_action' set to True.  If you
+# want to use this action as a template, be sure to set this to False after
+# copying it.
+actions:
+  1:
+    action: close
+    description: >-
+      Close Beats indices older than {{cur_close_days}} days.
+    options:
+      delete_aliases: False
+      timeout_override:
+      continue_if_exception: False
+      disable_action: False
+    filters:
+    - filtertype: pattern
+      kind: regex 
+      value: '^(logstash-beats.*|so-beats.*)$'
+    - filtertype: age
+      source: name
+      direction: older
+      timestring: '%Y.%m.%d'
+      unit: days
+      unit_count: {{cur_close_days}}
+      exclude:
--- a/salt/curator/files/action/so-firewall-close.yml
+++ b/salt/curator/files/action/so-firewall-close.yml
@@ -1,9 +1,4 @@
-{%- if grains['role'] in ['so-node', 'so-searchnode', 'so-heavynode'] %}
-  {%- set cur_close_days = salt['pillar.get']('node:cur_close_days', '') -%}
-{%- elif grains['role'] in ['so-eval', 'so-mastersearch', 'so-standalone'] %}
-  {%- set cur_close_days = salt['pillar.get']('master:cur_close_days', '') -%}
-{%- endif -%}
-
+{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-firewall:close', 30) -%}
 ---
 # Remember, leave a key empty if there is no value.  None will be a string,
 # not a Python "NoneType"
@@ -15,8 +10,7 @@ actions:
  1:
    action: close
    description: >-
-      Close indices older than {{cur_close_days}} days (based on index name), for logstash-
-      prefixed indices.
+      Close Firewall indices older than {{cur_close_days}} days.
    options:
      delete_aliases: False
      timeout_override:
@@ -25,7 +19,7 @@ actions:
    filters:
    - filtertype: pattern
      kind: regex 
-      value: '^(logstash-.*|so-.*)$'
+      value: '^(logstash-firewall.*|so-firewall.*)$'
    - filtertype: age
      source: name
      direction: older
--- a/salt/curator/files/action/so-ids-close.yml
+++ b/salt/curator/files/action/so-ids-close.yml
@@ -0,0 +1,29 @@
+{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-ids:close', 30) -%}
+---
+# Remember, leave a key empty if there is no value.  None will be a string,
+# not a Python "NoneType"
+#
+# Also remember that all examples have 'disable_action' set to True.  If you
+# want to use this action as a template, be sure to set this to False after
+# copying it.
+actions:
+  1:
+    action: close
+    description: >-
+      Close IDS indices older than {{cur_close_days}} days.
+    options:
+      delete_aliases: False
+      timeout_override:
+      continue_if_exception: False
+      disable_action: False
+    filters:
+    - filtertype: pattern
+      kind: regex 
+      value: '^(logstash-ids.*|so-ids.*)$'
+    - filtertype: age
+      source: name
+      direction: older
+      timestring: '%Y.%m.%d'
+      unit: days
+      unit_count: {{cur_close_days}}
+      exclude:
--- a/salt/curator/files/action/so-import-close.yml
+++ b/salt/curator/files/action/so-import-close.yml
@@ -0,0 +1,29 @@
+{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-import:close', 30) -%}
+---
+# Remember, leave a key empty if there is no value.  None will be a string,
+# not a Python "NoneType"
+#
+# Also remember that all examples have 'disable_action' set to True.  If you
+# want to use this action as a template, be sure to set this to False after
+# copying it.
+actions:
+  1:
+    action: close
+    description: >-
+      Close Import indices older than {{cur_close_days}} days.
+    options:
+      delete_aliases: False
+      timeout_override:
+      continue_if_exception: False
+      disable_action: False
+    filters:
+    - filtertype: pattern
+      kind: regex 
+      value: '^(logstash-import.*|so-import.*)$'
+    - filtertype: age
+      source: name
+      direction: older
+      timestring: '%Y.%m.%d'
+      unit: days
+      unit_count: {{cur_close_days}}
+      exclude:
--- a/Show More
+++ b/Show More