Merge pull request #2003 from Security-Onion-Solutions/dev

2.3.10
Update hashes and keys
2025-12-08 02:02:50 +01:00 · 2020-11-19 16:48:53 -05:00 · 2020-11-19 16:00:40 -05:00 · 2020-11-19 15:19:50 -05:00 · 2020-11-19 15:17:58 -05:00 · 2020-11-19 15:17:11 -05:00
284 changed files with 16080 additions and 11212 deletions
--- a/.github/ISSUE_TEMPLATE
+++ b/.github/ISSUE_TEMPLATE
@@ -0,0 +1,12 @@
 PLEASE STOP AND READ THIS INFORMATION!
 If you are creating an issue just to ask a question, you will likely get faster and better responses by posting to our discussions forum instead:
 https://securityonion.net/discuss
 If you think you have found a possible bug or are observing a behavior that you weren't expecting, use the discussion forum to start a conversation about it instead of creating an issue.
 If you are very familiar with the latest version of the product and are confident you have found a bug in Security Onion, you can continue with creating an issue here, but please make sure you have done the following:
 - duplicated the issue on a fresh installation of the latest version
 - provide information about your system and how you installed Security Onion
 - include relevant log files
 - include reproduction steps
--- a/.github/workflows/leaktest.yml
+++ b/.github/workflows/leaktest.yml
@@ -0,0 +1,15 @@
 name: leak-test
 on: [push,pull_request]
 jobs:
  build:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v2
      with:
        fetch-depth: '0'
    - name: Gitleaks
      uses: zricethezav/gitleaks-action@master
--- a/1
+++ b/1
@@ -1,4 +1,5 @@
 -----BEGIN PGP PUBLIC KEY BLOCK-----
 mQINBF7rzwEBEADBg87uJhnC3Ls7s60hbHGaywGrPtbz2WuYA/ev3YS3X7WS75p8
 PGlzTWUCujx0pEHbK2vYfExl3zksZ8ZmLyZ9VB3oSLiWBzJgKAeB7YCFEo8te+eE
 P2Z+8c+kX4eOV+2waxZyewA2TipSkhWgStSI4Ow8SyVUcUWA3hCw7mo2duNVi7KO
--- a/README.md
+++ b/README.md
@@ -1,37 +1,35 @@
-## Security Onion 2.1.0.rc2
+## Security Onion 2.3.10
-Security Onion 2.1.0 RC2 is here!
+Security Onion 2.3.10 is here!
-### Warnings and Disclaimers
+## Screenshots
- If this breaks your system, you get to keep both pieces!  
+Alerts
- This is a work in progress and is in constant flux.  
+![Alerts](https://raw.githubusercontent.com/security-onion-solutions/securityonion/master/screenshots/alerts-1.png)
- This configuration may change drastically over time leading up to the final release.  
+
- Do NOT run this on a system that you care about!  
+Hunt
- Do NOT run this on a system that has data that you care about!  
+![Hunt](https://raw.githubusercontent.com/security-onion-solutions/securityonion/master/screenshots/hunt-1.png)
 - This script should only be run on a TEST box with TEST data!  
 - Use of this script may result in nausea, vomiting, or a burning sensation.  
 ### Release Notes
-https://docs.securityonion.net/en/2.1/release-notes.html
+https://docs.securityonion.net/en/2.3/release-notes.html
 ### Requirements
-https://docs.securityonion.net/en/2.1/hardware.html
+https://docs.securityonion.net/en/2.3/hardware.html
 ### Download
-https://docs.securityonion.net/en/2.1/download.html
+https://docs.securityonion.net/en/2.3/download.html
 ### Installation
-https://docs.securityonion.net/en/2.1/installation.html
+https://docs.securityonion.net/en/2.3/installation.html
 ### FAQ
-https://docs.securityonion.net/en/2.1/faq.html
+https://docs.securityonion.net/en/2.3/faq.html
 ### Feedback
-https://docs.securityonion.net/en/2.1/community-support.html
+https://docs.securityonion.net/en/2.3/community-support.html
--- a/VERIFY_ISO.md
+++ b/VERIFY_ISO.md
@@ -1,16 +1,16 @@
-### 2.1.0-rc2 ISO image built on 2020/08/23
+### 2.3.10 ISO image built on 2020/11/19
 ### Download and Verify
-2.1.0-rc2 ISO image:  
+2.3.10 ISO image:  
-https://download.securityonion.net/file/securityonion/securityonion-2.1.0-rc2.iso
+https://download.securityonion.net/file/securityonion/securityonion-2.3.10.iso
-MD5: 9EAE772B64F5B3934C0DB7913E38D6D4  
+MD5: 55E10BAE3D90DF47CA4D5DCCDCB67A96  
-SHA1: D0D347AE30564871DE81203C0CE53B950F8732CE  
+SHA1: 01361123F35CEACE077803BC8074594D57EE653A  
-SHA256: 888AC7758C975FAA0A7267E5EFCB082164AC7AC8DCB3B370C06BA0B8493DAC44  
+SHA256: 772EA4EFFFF12F026593F5D1CC93DB538CC17B9BA5F60308F1976B6ED7032A8D 
 Signature for ISO image:  
-https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.1.0-rc2.iso.sig
+https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.10.iso.sig
 Signing key:  
 https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/master/KEYS  
@@ -24,22 +24,22 @@ wget https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/ma
 Download the signature file for the ISO:  
 ```
-wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.1.0-rc2.iso.sig
+wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.10.iso.sig
 ```
 Download the ISO image:  
 ```
-wget https://download.securityonion.net/file/securityonion/securityonion-2.1.0-rc2.iso
+wget https://download.securityonion.net/file/securityonion/securityonion-2.3.10.iso
 ```
 Verify the downloaded ISO image using the signature file:  
 ```
-gpg --verify securityonion-2.1.0-rc2.iso.sig securityonion-2.1.0-rc2.iso
+gpg --verify securityonion-2.3.10.iso.sig securityonion-2.3.10.iso
 ```
 The output should show "Good signature" and the Primary key fingerprint should match what's shown below:
 ```
-gpg: Signature made Sun 23 Aug 2020 04:37:00 PM EDT using RSA key ID FE507013
+gpg: Signature made Thu 19 Nov 2020 03:38:54 PM EST using RSA key ID FE507013
 gpg: Good signature from "Security Onion Solutions, LLC <info@securityonionsolutions.com>"
 gpg: WARNING: This key is not certified with a trusted signature!
 gpg:          There is no indication that the signature belongs to the owner.
@@ -47,4 +47,4 @@ Primary key fingerprint: C804 A93D 36BE 0C73 3EA1  9644 7C10 60B7 FE50 7013
 ```
 Once you've verified the ISO image, you're ready to proceed to our Installation guide:  
-https://docs.securityonion.net/en/2.1/installation.html
+https://docs.securityonion.net/en/2.3/installation.html
--- a/2
+++ b/2
@@ -1 +1 @@
-2.1.0-rc.2
+2.3.10
--- a/files/salt/master/master
+++ b/files/salt/master/master
--- a/files/salt/master/salt-master.service
+++ b/files/salt/master/salt-master.service
@@ -0,0 +1,14 @@
 [Unit]
 Description=The Salt Master Server
 Documentation=man:salt-master(1) file:///usr/share/doc/salt/html/contents.html https://docs.saltstack.com/en/latest/contents.html
 After=network.target
 [Service]
 LimitNOFILE=100000
 Type=notify
 NotifyAccess=all
 ExecStart=/usr/bin/salt-master
 Restart=always
 [Install]
 WantedBy=multi-user.target
--- a/pillar/docker/config.sls
+++ b/pillar/docker/config.sls
@@ -5,7 +5,7 @@
 {% set PLAYBOOK = salt['pillar.get']('manager:playbook', '0') %}
 {% set FREQSERVER = salt['pillar.get']('manager:freq', '0') %}
 {% set DOMAINSTATS = salt['pillar.get']('manager:domainstats', '0') %}
-{% set ZEEKVER = salt['pillar.get']('global:zeekversion', 'COMMUNITY') %}
+{% set ZEEKVER = salt['pillar.get']('global:mdengine', 'COMMUNITY') %}
 {% set GRAFANA = salt['pillar.get']('manager:grafana', '0') %}
 eval:
--- a/pillar/elasticsearch/manager.sls
+++ b/pillar/elasticsearch/manager.sls
@@ -0,0 +1,13 @@
 elasticsearch:
  templates:
    - so/so-beats-template.json.jinja
    - so/so-common-template.json
    - so/so-firewall-template.json.jinja
    - so/so-flow-template.json.jinja
    - so/so-ids-template.json.jinja
    - so/so-import-template.json.jinja
    - so/so-osquery-template.json.jinja
    - so/so-ossec-template.json.jinja
    - so/so-strelka-template.json.jinja
    - so/so-syslog-template.json.jinja
    - so/so-zeek-template.json.jinja
--- a/pillar/firewall/ports.sls
+++ b/pillar/firewall/ports.sls
@@ -26,6 +26,7 @@ firewall:
        - 4200
        - 5601
        - 6379
        - 7788
        - 8086
        - 8090
        - 9001
--- a/pillar/logrotate/init.sls
+++ b/pillar/logrotate/init.sls
@@ -0,0 +1,11 @@
 logrotate:
  conf: | 
    daily
    rotate 14
    missingok
    copytruncate
    compress
    create
    extension .log
    dateext
    dateyesterday
--- a/pillar/top.sls
+++ b/pillar/top.sls
@@ -1,6 +1,7 @@
 base:
  '*':
    - patch.needs_restarting
    - logrotate
  '*_eval or *_helix or *_heavynode or *_sensor or *_standalone or *_import':
    - match: compound
@@ -13,22 +14,23 @@ base:
    - logstash.search
    - elasticsearch.search
  '*_sensor':
    - global
    - zeeklogs
    - healthcheck.sensor
    - minions.{{ grains.id }}
  '*_manager or *_managersearch':
    - match: compound
    - global
    - data.*
    - secrets
    - minions.{{ grains.id }}
  '*_manager':
    - logstash
    - logstash.manager
    - elasticsearch.manager
  '*_manager or *_managersearch':
    - match: compound
    - data.*
    - secrets
    - global
    - minions.{{ grains.id }}
  '*_sensor':
    - zeeklogs
    - healthcheck.sensor
    - global
    - minions.{{ grains.id }}
  '*_eval':
    - data.*
@@ -56,29 +58,29 @@ base:
    - minions.{{ grains.id }}
  '*_heavynode':
    - global
    - zeeklogs
    - global
    - minions.{{ grains.id }}
  '*_helix':
    - global
    - fireeye
    - zeeklogs
    - logstash
    - logstash.helix
    - global
    - minions.{{ grains.id }}
  '*_fleet':
    - global
    - data.*
    - secrets
    - global
    - minions.{{ grains.id }}
  '*_searchnode':
    - global
    - logstash
    - logstash.search
    - elasticsearch.search
    - global
    - minions.{{ grains.id }}
  '*_import':
--- a/pillar/zeek/init.sls
+++ b/pillar/zeek/init.sls
@@ -53,3 +53,4 @@ zeek:
    redef:
      - LogAscii::use_json = T;
      - LogAscii::json_timestamps = JSON::TS_ISO8601;
      - CaptureLoss::watch_interval = 5 mins;
--- a/pillar/zeeklogs.sls
+++ b/pillar/zeeklogs.sls
@@ -1,42 +0,0 @@
 zeeklogs:
  enabled:
    - conn
    - dce_rpc
    - dhcp
    - dhcpv6
    - dnp3
    - dns
    - dpd
    - files
    - ftp
    - http
    - intel
    - irc
    - kerberos
    - modbus
    - mqtt
    - notice
    - ntlm
    - openvpn
    - pe
    - radius
    - rfb
    - rdp
    - signatures
    - sip
    - smb_files
    - smb_mapping
    - smtp
    - snmp
    - software
    - ssh
    - ssl
    - syslog
    - telnet
    - tunnel
    - weird
    - mysql
    - socks
    - x509
  disabled:
--- a/salt/_modules/healthcheck.py
+++ b/salt/_modules/healthcheck.py
@@ -2,6 +2,8 @@
 import logging
 import sys
 from time import time
 from os.path import getsize
 allowed_functions = ['is_enabled', 'zeek']
 states_to_apply = []
@@ -85,7 +87,20 @@ def zeek():
  else:
    zeek_restart = 0
-  __salt__['telegraf.send']('healthcheck zeek_restart=%i' % zeek_restart)
+  #__salt__['telegraf.send']('healthcheck zeek_restart=%i' % zeek_restart)
  # write out to file in /nsm/zeek/logs/ for telegraf to read for zeek restart
  try:
    if getsize("/nsm/zeek/logs/zeek_restart.log") >= 1000000:
      openmethod = "w"
    else:
      openmethod = "a"
  except FileNotFoundError:
    openmethod = "a"
  influxtime = int(time() * 1000000000)
  with open("/nsm/zeek/logs/zeek_restart.log", openmethod) as f:
    f.write('healthcheck zeek_restart=%i %i\n' % (zeek_restart, influxtime))
  if calling_func == 'execute' and zeek_restart:
    apply_states()
--- a/salt/_modules/so.py
+++ b/salt/_modules/so.py
@@ -0,0 +1,51 @@
 #!py
 import logging
 def status():
    return __salt__['cmd.run']('/usr/sbin/so-status')
 def mysql_conn(retry):
    log = logging.getLogger(__name__)
    from time import sleep
    try:
        from MySQLdb import _mysql
    except ImportError as e:
        log.error(e)
        return False
    mainint = __salt__['pillar.get']('sensor:mainint', __salt__['pillar.get']('manager:mainint'))
    mainip = __salt__['grains.get']('ip_interfaces').get(mainint)[0]
    mysql_up = False
    for i in range(0, retry):
        log.debug(f'Connection attempt {i+1}')
        try:
            db = _mysql.connect(
                host=mainip,
                user='root',
                passwd=__salt__['pillar.get']('secrets:mysql')
            )
            log.debug(f'Connected to MySQL server on {mainip} after {i} attempts.')
            db.query("""SELECT 1;""")
            log.debug(f'Successfully completed query against MySQL server on {mainip}')
            db.close()
            mysql_up = True
            break
        except _mysql.OperationalError as e:
            log.debug(e)
        except Exception as e:
            log.error('Unexpected error occured.')
            log.error(e)
            break
        sleep(1)
    if not mysql_up:
        log.error(f'Could not connect to MySQL server on {mainip} after {retry} attempts.')
    return mysql_up
--- a/salt/airgap/files/yum.conf
+++ b/salt/airgap/files/yum.conf
@@ -0,0 +1,12 @@
 [main]
 cachedir=/var/cache/yum/$basearch/$releasever
 keepcache=0
 debuglevel=2
 logfile=/var/log/yum.log
 exactarch=1
 obsoletes=1
 gpgcheck=1
 plugins=1
 installonly_limit=2
 bugtracker_url=http://bugs.centos.org/set_project.php?project_id=23&ref=http://bugs.centos.org/bug_report_page.php?category=yum
 distroverpkg=centos-release
--- a/salt/airgap/init.sls
+++ b/salt/airgap/init.sls
@@ -0,0 +1,60 @@
 {% set MANAGER = salt['grains.get']('master') %}
 airgapyum:
  file.managed:
    - name: /etc/yum/yum.conf
    - source: salt://airgap/files/yum.conf
 airgap_repo:
  pkgrepo.managed:
    - humanname: Airgap Repo
    - baseurl: https://{{ MANAGER }}/repo
    - gpgcheck: 0
    - sslverify: 0
 agbase:
  file.absent:
    - name: /etc/yum.repos.d/CentOS-Base.repo
 agcr:
  file.absent:
    - name: /etc/yum.repos.d/CentOS-CR.repo
 agdebug:
  file.absent:
    - name: /etc/yum.repos.d/CentOS-Debuginfo.repo
 agfasttrack:
  file.absent:
    - name: /etc/yum.repos.d/CentOS-fasttrack.repo
 agmedia:
  file.absent:
    - name: /etc/yum.repos.d/CentOS-Media.repo
 agsources:
  file.absent:
    - name: /etc/yum.repos.d/CentOS-Sources.repo
 agvault:
  file.absent:
    - name: /etc/yum.repos.d/CentOS-Vault.repo
 agkernel:
  file.absent:
    - name: /etc/yum.repos.d/CentOS-x86_64-kernel.repo
 agepel:
  file.absent:
    - name: /etc/yum.repos.d/epel.repo
 agtesting:
  file.absent:
    - name: /etc/yum.repos.d/epel-testing.repo
 agssrepo:
  file.absent:
    - name: /etc/yum.repos.d/saltstack.repo
 agwazrepo:
  file.absent:
    - name: /etc/yum.repos.d/wazuh.repo
--- a/salt/ca/init.sls
+++ b/salt/ca/init.sls
@@ -1,3 +1,8 @@
 {% set show_top = salt['state.show_top']() %}
 {% set top_states = show_top.values() | join(', ') %}
 {% if 'ca' in top_states %}
 {% set manager = salt['grains.get']('master') %}
 /etc/salt/minion.d/signing_policies.conf:
  file.managed:
@@ -52,3 +57,11 @@ cakeyperms:
    - name: /etc/pki/ca.key
    - mode: 640
    - group: 939
 {% else %}
 ca_state_not_allowed:
  test.fail_without_changes:
    - name: ca_state_not_allowed
 {% endif %}
--- a/salt/common/cron/common-rotate
+++ b/salt/common/cron/common-rotate
@@ -0,0 +1,2 @@
 #!/bin/bash
 logrotate -f /opt/so/conf/log-rotate.conf >/dev/null 2>&1
--- a/salt/common/cron/sensor-rotate
+++ b/salt/common/cron/sensor-rotate
@@ -0,0 +1,2 @@
 #!/bin/bash
 /usr/sbin/logrotate -f /opt/so/conf/sensor-rotate.conf > /dev/null 2>&1
--- a/salt/common/files/analyst/README
+++ b/salt/common/files/analyst/README
@@ -0,0 +1,79 @@
 The following GUI tools are available on the analyst workstation:
 chromium
  url: https://www.chromium.org/Home
  To run chromium, click Applications > Internet > Chromium Web Browser
 Wireshark
  url: https://www.wireshark.org/
  To run Wireshark, click Applications > Internet > Wireshark Network Analyzer
 NetworkMiner
  url: https://www.netresec.com
  To run NetworkMiner, click Applications > Internet > NetworkMiner
 The following CLI tools are available on the analyst workstation:
 bit-twist
  url: http://bittwist.sourceforge.net
  To run bit-twist, open a terminal and type: bittwist -h
 chaosreader
  url: http://chaosreader.sourceforge.net
  To run chaosreader, open a terminal and type: chaosreader -h
 dnsiff
  url: https://www.monkey.org/~dugsong/dsniff/
  To run dsniff, open a terminal and type: dsniff -h
 foremost
  url: http://foremost.sourceforge.net
  To run foremost, open a terminal and type: foremost -h
 hping3
  url: http://www.hping.org/hping3.html
  To run hping3, open a terminal and type: hping3 -h
 netsed
  url: http://silicone.homelinux.org/projects/netsed/
  To run netsed, open a terminal and type: netsed -h
 ngrep
  url: https://github.com/jpr5/ngrep
  To run ngrep, open a terminal and type: ngrep -h
 scapy
  url: http://www.secdev.org/projects/scapy/
  To run scapy, open a terminal and type: scapy
 ssldump
  url: http://www.rtfm.com/ssldump/
  To run ssldump, open a terminal and type: ssldump -h
 sslsplit
  url: https://github.com/droe/sslsplit
  To run sslsplit, open a terminal and type: sslsplit -h
 tcpdump
  url: http://www.tcpdump.org
  To run tcpdump, open a terminal and type: tcpdump -h
 tcpflow
  url: https://github.com/simsong/tcpflow
  To run tcpflow, open a terminal and type: tcpflow -h
 tcpstat
  url: https://frenchfries.net/paul/tcpstat/
  To run tcpstat, open a terminal and type: tcpstat -h
 tcptrace
  url: http://www.tcptrace.org
  To run tcptrace, open a terminal and type: tcptrace -h
 tcpxtract
  url: http://tcpxtract.sourceforge.net/
  To run tcpxtract, open a terminal and type: tcpxtract -h
 whois
  url: http://www.linux.it/~md/software/
  To run whois, open a terminal and type: whois -h
--- a/salt/common/files/analyst/so-lockscreen.jpg
+++ b/salt/common/files/analyst/so-lockscreen.jpg
--- a/salt/common/files/analyst/so-login-logo-dark.svg
+++ b/salt/common/files/analyst/so-login-logo-dark.svg
@@ -0,0 +1 @@
 <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 87.86 105.22"><defs><style>.cls-1{fill:#fff;}.cls-2{fill:#1976d2;}</style></defs><g id="Layer_2" data-name="Layer 2"><g id="Layer_1-2" data-name="Layer 1"><g id="Onion"><path id="Flesh" class="cls-1" d="M43.37,71.34a1.27,1.27,0,0,0,.44-.51,4.74,4.74,0,0,0,.61-2.39c-.12-6.79-.22-12.88-4-14.46-4.05-1.72-9.38,3.14-10.71,4.35a19.84,19.84,0,0,0-6.17,12.34c-.1,1-.76,9.34,5.46,15.41s15.45,6.06,21.72,3.53A22.25,22.25,0,0,0,61.88,79.16c5.31-10,1.61-20.31.85-22.3C57.78,44,43.35,36.11,29.88,36.78c-2.17.11-15.82,1-24.16,12.42A30.55,30.55,0,0,0,0,67.36c.15,16.14,13.38,29.51,26.23,34.7,12.61,5.1,24,2.76,28.78,1.65s17.12-4,25.53-15.08a34.47,34.47,0,0,0,7.24-18.46,34.79,34.79,0,0,0-3.42-17.32c-1.11-2.3-6.16-12.09-17-17C57,31.21,48.52,34.37,45.65,29.12a8.46,8.46,0,0,1-.41-6.21,1,1,0,0,0-1.05-1.28l-1.6,0a1.07,1.07,0,0,0-1,.8c-.66,2.51-1.12,6,.51,9.17C46,39.08,56.87,35.31,67.56,42.78c8.29,5.79,14.14,16.69,13.21,27.29a28.06,28.06,0,0,1-6,14.65c-7,9-17,11.29-21.82,12.38-4,.9-13.19,2.87-23.54-.93-2.65-1-20.33-8.29-22.38-25C5.72,60.55,13,48.9,24.21,44.93c13-4.6,27.26,2.75,32.09,13.26.58,1.25,4.85,10.93-.59,18.72-4.05,5.79-13.07,9.94-19.77,6A13.48,13.48,0,0,1,30,68.25c1.42-5,6.37-8.72,8.13-7.84s2.94,6.14,3,9.85A1.39,1.39,0,0,0,43.37,71.34Z"/><path id="Stem" class="cls-2" d="M30,27.14l-4.17,1.27a1.16,1.16,0,0,1-1.49-.93l-.11-.72a26.93,26.93,0,0,0-4.53-11.09A1.13,1.13,0,0,1,20.06,14l1.06-.63a1.15,1.15,0,0,1,1.52.32c.41.58.82,1.17,1.23,1.78l1.48,2.2C28.42,7.27,37.14.12,46.21,0,58.09-.16,65.59,10.67,68,17.63a23.37,23.37,0,0,1,.94,3.64.91.91,0,0,1-1.14,1l-2.66-.73a1.47,1.47,0,0,1-1-1.08,19.71,19.71,0,0,0-1.9-4.8c-3-5.44-9.67-11.21-16.55-10.59-7.74.7-15.22,9.46-14.85,20.91A1.14,1.14,0,0,1,30,27.14Z"/></g></g></g></svg>
--- a/salt/common/files/analyst/so-login-logo.svg
+++ b/salt/common/files/analyst/so-login-logo.svg
@@ -0,0 +1 @@
 <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 87.86 105.22"><defs><style>.cls-1{fill:#1976d2;}</style></defs><g id="Layer_2" data-name="Layer 2"><g id="Layer_1-2" data-name="Layer 1"><g id="Onion"><path id="Flesh" d="M43.37,71.34a1.27,1.27,0,0,0,.44-.51,4.74,4.74,0,0,0,.61-2.39c-.12-6.79-.22-12.88-4-14.46-4.05-1.72-9.38,3.14-10.71,4.35a19.84,19.84,0,0,0-6.17,12.34c-.1,1-.76,9.34,5.46,15.41s15.45,6.06,21.72,3.53A22.25,22.25,0,0,0,61.88,79.16c5.31-10,1.61-20.31.85-22.3C57.78,44,43.35,36.11,29.88,36.78c-2.17.11-15.82,1-24.16,12.42A30.55,30.55,0,0,0,0,67.36c.15,16.14,13.38,29.51,26.23,34.7,12.61,5.1,24,2.76,28.78,1.65s17.12-4,25.53-15.08a34.47,34.47,0,0,0,7.24-18.46,34.79,34.79,0,0,0-3.42-17.32c-1.11-2.3-6.16-12.09-17-17C57,31.21,48.52,34.37,45.65,29.12a8.46,8.46,0,0,1-.41-6.21,1,1,0,0,0-1.05-1.28l-1.6,0a1.07,1.07,0,0,0-1,.8c-.66,2.51-1.12,6,.51,9.17C46,39.08,56.87,35.31,67.56,42.78c8.29,5.79,14.14,16.69,13.21,27.29a28.06,28.06,0,0,1-6,14.65c-7,9-17,11.29-21.82,12.38-4,.9-13.19,2.87-23.54-.93-2.65-1-20.33-8.29-22.38-25C5.72,60.55,13,48.9,24.21,44.93c13-4.6,27.26,2.75,32.09,13.26.58,1.25,4.85,10.93-.59,18.72-4.05,5.79-13.07,9.94-19.77,6A13.48,13.48,0,0,1,30,68.25c1.42-5,6.37-8.72,8.13-7.84s2.94,6.14,3,9.85A1.39,1.39,0,0,0,43.37,71.34Z"/><path id="Stem" class="cls-1" d="M30,27.14l-4.17,1.27a1.16,1.16,0,0,1-1.49-.93l-.11-.72a26.93,26.93,0,0,0-4.53-11.09A1.13,1.13,0,0,1,20.06,14l1.06-.63a1.15,1.15,0,0,1,1.52.32c.41.58.82,1.17,1.23,1.78l1.48,2.2C28.42,7.27,37.14.12,46.21,0,58.09-.16,65.59,10.67,68,17.63a23.37,23.37,0,0,1,.94,3.64.91.91,0,0,1-1.14,1l-2.66-.73a1.47,1.47,0,0,1-1-1.08,19.71,19.71,0,0,0-1.9-4.8c-3-5.44-9.67-11.21-16.55-10.59-7.74.7-15.22,9.46-14.85,20.91A1.14,1.14,0,0,1,30,27.14Z"/></g></g></g></svg>
--- a/salt/common/files/analyst/so-wallpaper.jpg
+++ b/salt/common/files/analyst/so-wallpaper.jpg
--- a/salt/common/files/log-rotate.conf
+++ b/salt/common/files/log-rotate.conf
@@ -0,0 +1,24 @@
 {%- set logrotate_conf = salt['pillar.get']('logrotate:conf') %}
 /opt/so/log/aptcacher-ng/*.log
 /opt/so/log/idstools/*.log
 /opt/so/log/nginx/*.log
 /opt/so/log/soc/*.log
 /opt/so/log/kratos/*.log
 /opt/so/log/kibana/*.log
 /opt/so/log/influxdb/*.log
 /opt/so/log/elastalert/*.log
 /opt/so/log/soctopus/*.log
 /opt/so/log/curator/*.log
 /opt/so/log/fleet/*.log
 /opt/so/log/suricata/*.log
 /opt/so/log/mysql/*.log
 /opt/so/log/playbook/*.log
 /opt/so/log/logstash/*.log
 /opt/so/log/filebeat/*.log
 /opt/so/log/telegraf/*.log
 /opt/so/log/redis/*.log
 /opt/so/log/salt/so-salt-minion-check
 {
    {{ logrotate_conf | indent(width=4) }}
 }
--- a/salt/common/files/sensor-rotate.conf
+++ b/salt/common/files/sensor-rotate.conf
@@ -0,0 +1,10 @@
 /opt/so/log/sensor_clean.log
 {
    daily
    rotate 2
    missingok
    nocompress
    create
    sharedscripts
    endscript
 }
--- a/salt/common/init.sls
+++ b/salt/common/init.sls
@@ -1,3 +1,8 @@
 {% set show_top = salt['state.show_top']() %}
 {% set top_states = show_top.values() | join(', ') %}
 {% if 'common' in top_states %}
 {% set role = grains.id.split('_') | last %}
 # Remove variables.txt from /tmp - This is temp
@@ -27,6 +32,18 @@ soconfperms:
    - gid: 939
    - dir_mode: 770
 sostatusconf:
  file.directory:
    - name: /opt/so/conf/so-status
    - uid: 939
    - gid: 939
    - dir_mode: 770
 so-status.conf:
  file.touch:
    - name: /opt/so/conf/so-status/so-status.conf
    - unless: ls /opt/so/conf/so-status/so-status.conf
 sosaltstackperms:
  file.directory:
    - name: /opt/so/saltstack
@@ -51,6 +68,12 @@ salttmp:
 # Install epel
 {% if grains['os'] == 'CentOS' %}
 repair_yumdb:
  cmd.run:
    - name: 'mv -f /var/lib/rpm/__db* /tmp && yum clean all'
    - onlyif:
      - 'yum check-update 2>&1 | grep "Error: rpmdb open failed"'
 epel:
  pkg.installed:
    - skip_suggestions: True
@@ -88,7 +111,7 @@ heldpackages:
  pkg.installed:
    - pkgs:
      - containerd.io: 1.2.13-2
-      - docker-ce: 5:19.03.9~3-0~ubuntu-bionic
+      - docker-ce: 5:19.03.12~3-0~ubuntu-bionic
    - hold: True
    - update_holds: True
@@ -124,7 +147,7 @@ heldpackages:
  pkg.installed:
    - pkgs:
      - containerd.io: 1.2.13-3.2.el7
-      - docker-ce: 3:19.03.11-3.el7
+      - docker-ce: 3:19.03.12-3.el7
    - hold: True
    - update_holds: True
 {% endif %}
@@ -147,8 +170,8 @@ Etc/UTC:
 utilsyncscripts:
  file.recurse:
    - name: /usr/sbin
-    - user: 0
+    - user: root
-    - group: 0
+    - group: root
    - file_mode: 755
    - template: jinja
    - source: salt://common/tools/sbin
@@ -163,4 +186,73 @@ utilsyncscripts:
    - daymonth: '*'
    - month: '*'
    - dayweek: '*'
 sensorrotatescript:
  file.managed:
    - name: /usr/local/bin/sensor-rotate
    - source: salt://common/cron/sensor-rotate
    - mode: 755
 sensorrotateconf:
  file.managed:
    - name: /opt/so/conf/sensor-rotate.conf
    - source: salt://common/files/sensor-rotate.conf
    - mode: 644
 /usr/local/bin/sensor-rotate:
  cron.present:
    - user: root
    - minute: '1'
    - hour: '0'
    - daymonth: '*'
    - month: '*'
    - dayweek: '*'
 {% endif %}
 commonlogrotatescript:
  file.managed:
    - name: /usr/local/bin/common-rotate
    - source: salt://common/cron/common-rotate
    - mode: 755
 commonlogrotateconf:
  file.managed:
    - name: /opt/so/conf/log-rotate.conf
    - source: salt://common/files/log-rotate.conf
    - template: jinja
    - mode: 644
 /usr/local/bin/common-rotate:
  cron.present:
    - user: root
    - minute: '1'
    - hour: '0'
    - daymonth: '*'
    - month: '*'
    - dayweek: '*'
 {% if role in ['eval', 'manager', 'managersearch', 'standalone'] %}
 # Add config backup
 /usr/sbin/so-config-backup > /dev/null 2>&1:
  cron.present:
    - user: root
    - minute: '1'
    - hour: '0'
    - daymonth: '*'
    - month: '*'
    - dayweek: '*'
 {% endif %}
 # Make sure Docker is always running
 docker:
  service.running:
    - enable: True
 {% else %}
 common_state_not_allowed:
  test.fail_without_changes:
    - name: common_state_not_allowed
 {% endif %}
--- a/salt/common/maps/domainstats.map.jinja
+++ b/salt/common/maps/domainstats.map.jinja
@@ -1,5 +0,0 @@
 {% set docker = {
  'containers': [
    'so-domainstats'
  ]
 } %}
--- a/salt/common/maps/eval.map.jinja
+++ b/salt/common/maps/eval.map.jinja
@@ -1,20 +0,0 @@
 {% set docker = {
  'containers': [
    'so-filebeat',
    'so-nginx',
    'so-telegraf',
    'so-dockerregistry',
    'so-soc',
    'so-kratos',
    'so-idstools',
    'so-elasticsearch',
    'so-kibana',
    'so-steno',
    'so-suricata',
    'so-zeek',
    'so-curator',
    'so-elastalert',
    'so-soctopus',
    'so-sensoroni'
  ]
 } %}
--- a/salt/common/maps/fleet.map.jinja
+++ b/salt/common/maps/fleet.map.jinja
@@ -1,10 +0,0 @@
 {% set docker = {
  'containers': [
    'so-mysql',
    'so-fleet',
    'so-redis',
    'so-filebeat',
    'so-nginx',
    'so-telegraf'
  ]
 } %}
--- a/salt/common/maps/fleet_manager.map.jinja
+++ b/salt/common/maps/fleet_manager.map.jinja
@@ -1,7 +0,0 @@
 {% set docker = {
  'containers': [
    'so-mysql',
    'so-fleet',
    'so-redis'
  ]
 } %}
--- a/salt/common/maps/freq.map.jinja
+++ b/salt/common/maps/freq.map.jinja
@@ -1,5 +0,0 @@
 {% set docker = {
  'containers': [
    'so-freqserver'
  ]
 } %}
--- a/salt/common/maps/grafana.map.jinja
+++ b/salt/common/maps/grafana.map.jinja
@@ -1,6 +0,0 @@
 {% set docker = {
  'containers': [
    'so-influxdb',
    'so-grafana'
  ]
 } %}
--- a/salt/common/maps/heavynode.map.jinja
+++ b/salt/common/maps/heavynode.map.jinja
@@ -1,15 +0,0 @@
 {% set docker = {
  'containers': [
    'so-nginx',
    'so-telegraf',
    'so-redis',
    'so-logstash',
    'so-elasticsearch',
    'so-curator',
    'so-steno',
    'so-suricata',
    'so-wazuh',
    'so-filebeat',
    'so-sensoroni'
  ]
 } %}
--- a/salt/common/maps/helixsensor.map.jinja
+++ b/salt/common/maps/helixsensor.map.jinja
@@ -1,12 +0,0 @@
 {% set docker = {
  'containers': [
    'so-nginx',
    'so-telegraf',
    'so-idstools',
    'so-steno',
    'so-zeek',
    'so-redis',
    'so-logstash',
    'so-filebeat
  ]
 } %}
--- a/salt/common/maps/hotnode.map.jinja
+++ b/salt/common/maps/hotnode.map.jinja
@@ -1,9 +0,0 @@
 {% set docker = {
  'containers': [
    'so-nginx',
    'so-telegraf',
     'so-logstash',
    'so-elasticsearch',
    'so-curator',
   ]
 } %}
--- a/salt/common/maps/import.map.jinja
+++ b/salt/common/maps/import.map.jinja
@@ -1,10 +0,0 @@
 {% set docker = {
  'containers': [
    'so-filebeat',
    'so-nginx',
    'so-soc',
    'so-kratos',
    'so-elasticsearch',
    'so-kibana'
  ]
 } %}
--- a/salt/common/maps/manager.map.jinja
+++ b/salt/common/maps/manager.map.jinja
@@ -1,18 +0,0 @@
 {% set docker = {
  'containers': [
    'so-dockerregistry',
    'so-nginx',
    'so-telegraf',
    'so-soc',
    'so-kratos',
    'so-aptcacherng',
    'so-idstools',
    'so-redis',
    'so-elasticsearch',
    'so-logstash',
    'so-kibana',
    'so-elastalert',
    'so-filebeat',
    'so-soctopus'
  ]
 } %}
--- a/salt/common/maps/managersearch.map.jinja
+++ b/salt/common/maps/managersearch.map.jinja
@@ -1,18 +0,0 @@
 {% set docker = {
  'containers': [
    'so-nginx',
    'so-telegraf',
    'so-soc',
    'so-kratos',
    'so-aptcacherng',
    'so-idstools',
    'so-redis',
    'so-logstash',
    'so-elasticsearch',
    'so-curator',
    'so-kibana',
    'so-elastalert',
    'so-filebeat',
    'so-soctopus'
  ]
 } %}
--- a/salt/common/maps/playbook.map.jinja
+++ b/salt/common/maps/playbook.map.jinja
@@ -1,5 +0,0 @@
 {% set docker = {
  'containers': [
    'so-playbook'
  ]
 } %}
--- a/salt/common/maps/searchnode.map.jinja
+++ b/salt/common/maps/searchnode.map.jinja
@@ -1,10 +0,0 @@
 {% set docker = {
  'containers': [
    'so-nginx',
    'so-telegraf',
    'so-logstash',
    'so-elasticsearch',
    'so-curator',
    'so-filebeat'
  ]
 } %}
--- a/salt/common/maps/sensor.map.jinja
+++ b/salt/common/maps/sensor.map.jinja
@@ -1,9 +0,0 @@
 {% set docker = {
  'containers': [
    'so-telegraf',
    'so-steno',
    'so-suricata',
    'so-filebeat',
    'so-sensoroni'
  ]
 } %}
--- a/salt/common/maps/so-status.map.jinja
+++ b/salt/common/maps/so-status.map.jinja
@@ -1,45 +0,0 @@
 {% set role = grains.id.split('_') | last %}
 {% from 'common/maps/'~ role ~'.map.jinja' import docker with context %}
 # Check if the service is enabled and append it's required containers
 # to the list predefined by the role / minion id affix
 {% macro append_containers(pillar_name, k, compare )%}
  {% if salt['pillar.get'](pillar_name~':'~k, {}) != compare %}
    {% from 'common/maps/'~k~'.map.jinja' import docker as d with context %}
    {% for li in d['containers'] %}
      {{ docker['containers'].append(li) }}
    {% endfor %}
  {% endif %}
 {% endmacro %}
 {% set docker = salt['grains.filter_by']({
  '*_'~role: {
    'containers': docker['containers']
  } 
 },grain='id', merge=salt['pillar.get']('docker')) %}
 {% if role in ['eval', 'managersearch', 'manager', 'standalone'] %}
  {{ append_containers('manager', 'grafana', 0) }}
  {{ append_containers('global', 'fleet_manager', 0) }}
  {{ append_containers('manager', 'wazuh', 0) }}
  {{ append_containers('manager', 'thehive', 0) }}
  {{ append_containers('manager', 'playbook', 0) }}
  {{ append_containers('manager', 'freq', 0) }}
  {{ append_containers('manager', 'domainstats', 0) }}
 {% endif %}
 {% if role in ['eval', 'heavynode', 'sensor', 'standalone'] %}
  {{ append_containers('global', 'strelka', 0) }}
 {% endif %}
 {% if role in ['heavynode', 'standalone'] %}
  {{ append_containers('global', 'zeekversion', 'SURICATA') }}
 {% endif %}
 {% if role == 'searchnode' %}
  {{ append_containers('manager', 'wazuh', 0) }}
 {% endif %}
 {% if role == 'sensor' %}
  {{ append_containers('global', 'zeekversion', 'SURICATA') }}
 {% endif %}
--- a/salt/common/maps/standalone.map.jinja
+++ b/salt/common/maps/standalone.map.jinja
@@ -1,22 +0,0 @@
 {% set docker = {
  'containers': [
    'so-nginx',
    'so-telegraf',
    'so-soc',
    'so-kratos',
    'so-aptcacherng',
    'so-idstools',
    'so-redis',
    'so-logstash',
    'so-elasticsearch',
    'so-curator',
    'so-kibana',
    'so-elastalert',
    'so-filebeat',
    'so-suricata',
    'so-steno',
    'so-dockerregistry',
    'so-soctopus',
    'so-sensoroni'
  ]
 } %}
--- a/salt/common/maps/strelka.map.jinja
+++ b/salt/common/maps/strelka.map.jinja
@@ -1,9 +0,0 @@
 {% set docker = {
  'containers': [
    'so-strelka-coordinator',
    'so-strelka-gatekeeper',
    'so-strelka-manager',
    'so-strelka-frontend',
    'so-strelka-filestream'
  ]
 } %}
--- a/salt/common/maps/thehive.map.jinja
+++ b/salt/common/maps/thehive.map.jinja
@@ -1,7 +0,0 @@
 {% set docker = {
  'containers': [
    'so-thehive',
    'so-thehive-es',
    'so-cortex'
  ]
 } %}
--- a/salt/common/maps/warmnode.map.jinja
+++ b/salt/common/maps/warmnode.map.jinja
@@ -1,7 +0,0 @@
 {% set docker = {
  'containers': [
    'so-nginx',
    'so-telegraf',
    'so-elasticsearch'
  ]
 } %}
--- a/salt/common/maps/wazuh.map.jinja
+++ b/salt/common/maps/wazuh.map.jinja
@@ -1,5 +0,0 @@
 {% set docker = {
  'containers': [
    'so-wazuh'
  ]
 } %}
--- a/salt/common/maps/zeekversion.map.jinja
+++ b/salt/common/maps/zeekversion.map.jinja
@@ -1,5 +0,0 @@
 {% set docker = {
  'containers': [
    'so-zeek'
  ]
 } %}
--- a/salt/common/scripts/dockernet.sh
+++ b/salt/common/scripts/dockernet.sh
@@ -1,8 +0,0 @@
 #!/bin/bash
 if [ ! -f /opt/so/state/dockernet.state ]; then
    docker network create -d bridge so-elastic-net
    touch /opt/so/state/dockernet.state
 else
    exit
 fi
--- a/salt/common/tools/sbin/so-allow-view
+++ b/salt/common/tools/sbin/so-allow-view
@@ -0,0 +1,23 @@
 #!/bin/bash
 # Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, either version 3 of the License, or
 # (at your option) any later version.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 . /usr/sbin/so-common
 echo ""
 echo "Hosts/Networks that have access to login to the Security Onion Console:"
 so-firewall includedhosts analyst
--- a/salt/common/tools/sbin/so-analyst-install
+++ b/salt/common/tools/sbin/so-analyst-install
@@ -0,0 +1,309 @@
 #!/bin/bash
 # Copyright 2014-2020 Security Onion Solutions, LLC
 #    This program is free software: you can redistribute it and/or modify
 #    it under the terms of the GNU General Public License as published by
 #    the Free Software Foundation, either version 3 of the License, or
 #    (at your option) any later version.
 #
 #    This program is distributed in the hope that it will be useful,
 #    but WITHOUT ANY WARRANTY; without even the implied warranty of
 #    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 #    GNU General Public License for more details.
 #
 #    You should have received a copy of the GNU General Public License
 #    along with this program.  If not, see <http://www.gnu.org/licenses/>.
 if [ "$(id -u)" -ne 0 ]; then
 	echo "This script must be run using sudo!"
 	exit 1
 fi
 INSTALL_LOG=/root/so-analyst-install.log
 exec &> >(tee -a "$INSTALL_LOG")
 log() {
 	msg=$1
 	level=${2:-I}
 	now=$(TZ=GMT date +"%Y-%m-%dT%H:%M:%SZ")
 	echo -e "$now | $level | $msg" >> "$INSTALL_LOG" 2>&1
 }
 error() {
 	log "$1" "E"
 }
 info() {
 	log "$1" "I"
 }
 title() {
 	echo -e "\n-----------------------------\n $1\n-----------------------------\n" >> "$INSTALL_LOG" 2>&1
 }
 logCmd() {
 	cmd=$1
 	info "Executing command: $cmd"
 	$cmd >> "$INSTALL_LOG" 2>&1
 }
 analyze_system() {
 	title "System Characteristics"
 	logCmd "uptime"
 	logCmd "uname -a"
 	logCmd "free -h"
 	logCmd "lscpu"
 	logCmd "df -h"
 	logCmd "ip a"
 }
 analyze_system
 OS=$(grep PRETTY_NAME /etc/os-release | grep 'CentOS Linux 7')
 if [ $? -ne 0 ]; then
  echo "This is an unsupported OS. Please use CentOS 7 to install the analyst node."
  exit 1
 fi
 if [[ "$manufacturer" == "Security Onion Solutions" && "$family" == "Automated" ]]; then
  INSTALL=yes
  CURLCONTINUE=no
 else
  INSTALL=''
  CURLCONTINUE=''
 fi
 FIRSTPASS=yes
 while [[ $INSTALL != "yes" ]] && [[ $INSTALL != "no" ]]; do
  if [[ "$FIRSTPASS" == "yes" ]]; then
    clear
    echo "###########################################"
    echo "##          ** W A R N I N G **          ##"
    echo "##    _______________________________    ##"
    echo "##                                       ##"
    echo "##    Installing the Security Onion      ##"
    echo "##   analyst node on this device will    ##"
    echo "##      make permanenet changes to       ##"
    echo "##              the system.              ##"
    echo "##                                       ##"
    echo "###########################################"
    echo "Do you wish to continue? (Type the entire word 'yes' to proceed or 'no' to exit)"
    FIRSTPASS=no
  else
    echo "Please type 'yes' to continue or 'no' to exit."
  fi      
  read INSTALL
 done
 if [[ $INSTALL == "no" ]]; then
  echo "Exiting analyst node installation."
  exit 0
 fi
 echo "Testing for internet connection with curl https://securityonionsolutions.com/"
 CANCURL=$(curl -sI https://securityonionsolutions.com/ | grep "200 OK")
  if [ $? -ne 0 ]; then
    FIRSTPASS=yes
    while [[ $CURLCONTINUE != "yes" ]] && [[ $CURLCONTINUE != "no" ]]; do
      if [[ "$FIRSTPASS" == "yes" ]]; then
        echo "We could not access https://securityonionsolutions.com/."
        echo "Since packages are downloaded from the internet, internet acceess is required."
        echo "If you would like to ignore this warning and continue anyway, please type 'yes'."
        echo "Otherwise, type 'no' to exit."
        FIRSTPASS=no
      else
        echo "Please type 'yes' to continue or 'no' to exit."
      fi  
      read CURLCONTINUE
    done
    if [[ "$CURLCONTINUE" == "no" ]]; then
      echo "Exiting analyst node installation."
      exit 0
    fi
  else
    echo "We were able to curl https://securityonionsolutions.com/."
    sleep 3
  fi
 # Install a GUI text editor
 yum -y install gedit
 # Install misc utils
 yum -y install wget curl unzip epel-release yum-plugin-versionlock;
 # Install xWindows
 yum -y groupinstall "X Window System";
 yum -y install gnome-classic-session gnome-terminal nautilus-open-terminal control-center liberation-mono-fonts;
 unlink /etc/systemd/system/default.target;
 ln -sf /lib/systemd/system/graphical.target /etc/systemd/system/default.target;
 yum -y install file-roller
 # Install Mono - prereq for NetworkMiner
 yum -y install mono-core mono-basic mono-winforms expect
 # Install NetworkMiner
 yum -y install libcanberra-gtk2;
 wget https://www.netresec.com/?download=NetworkMiner -O /tmp/nm.zip;
 mkdir -p /opt/networkminer/
 unzip /tmp/nm.zip -d /opt/networkminer/;
 rm /tmp/nm.zip;
 mv /opt/networkminer/NetworkMiner_*/* /opt/networkminer/
 chmod +x /opt/networkminer/NetworkMiner.exe;
 chmod -R go+w /opt/networkminer/AssembledFiles/;
 chmod -R go+w /opt/networkminer/Captures/;
 # Create networkminer shim
 cat << EOF >> /bin/networkminer
 #!/bin/bash
 /bin/mono /opt/networkminer/NetworkMiner.exe --noupdatecheck "\$@"
 EOF
 chmod +x /bin/networkminer
 # Convert networkminer ico file to png format
 yum -y install ImageMagick
 convert /opt/networkminer/networkminericon.ico /opt/networkminer/networkminericon.png
 # Create menu entry
 cat << EOF >> /usr/share/applications/networkminer.desktop
 [Desktop Entry]
 Name=NetworkMiner
 Comment=NetworkMiner
 Encoding=UTF-8
 Exec=/bin/networkminer %f
 Icon=/opt/networkminer/networkminericon-4.png
 StartupNotify=true
 Terminal=false
 X-MultipleArgs=false
 Type=Application
 MimeType=application/x-pcap;
 Categories=Network;
 EOF
 # Set default monospace font to Liberation
 cat << EOF >> /etc/fonts/local.conf
 <match target="pattern">
  <test name="family" qual="any">
   <string>monospace</string>
  </test>
  <edit binding="strong" mode="prepend" name="family">
   <string>Liberation Mono</string>
  </edit>
 </match>
 EOF
 # Install Wireshark for Gnome
 yum -y install wireshark-gnome; 
 # Install dnsiff
 yum -y install dsniff;
 # Install hping3
 yum -y install hping3;
 # Install netsed
 yum -y install netsed;
 # Install ngrep
 yum -y install ngrep;
 # Install scapy
 yum -y install python36-scapy;
 # Install ssldump
 yum -y install ssldump;
 # Install tcpdump
 yum -y install tcpdump;
 # Install tcpflow
 yum -y install tcpflow;
 # Install tcpxtract
 yum -y install tcpxtract;
 # Install whois
 yum -y install whois;
 # Install foremost
 yum -y install https://forensics.cert.org/centos/cert/7/x86_64//foremost-1.5.7-13.1.el7.x86_64.rpm;
 # Install chromium
 yum -y install chromium;
 # Install tcpstat
 yum -y install https://github.com/Security-Onion-Solutions/securityonion-docker-rpm/releases/download/securityonion-tcpstat-1.5.0/securityonion-tcpstat-1.5.0.rpm;
 # Install tcptrace
 yum -y install https://github.com/Security-Onion-Solutions/securityonion-docker-rpm/releases/download/securityonion-tcptrace-6.6.7/securityonion-tcptrace-6.6.7.rpm;
 # Install sslsplit
 yum -y install libevent;
 yum -y install sslsplit;
 # Install Bit-Twist
 yum -y install https://github.com/Security-Onion-Solutions/securityonion-docker-rpm/releases/download/securityonion-bittwist-2.0.0/securityonion-bittwist-2.0.0.rpm;
 # Install chaosreader
 yum -y install perl-IO-Compress perl-Net-DNS;
 yum -y install https://github.com/Security-Onion-Solutions/securityonion-docker-rpm/releases/download/securityonion-chaosreader-0.95.10/securityonion-chaosreader-0.95.10.rpm;
 chmod +x /bin/chaosreader;
 if [ -f ../../files/analyst/README ]; then
  cp ../../files/analyst/README /;
  cp ../../files/analyst/so-wallpaper.jpg /usr/share/backgrounds/;
  cp ../../files/analyst/so-lockscreen.jpg /usr/share/backgrounds/;
  cp ../../files/analyst/so-login-logo-dark.svg /usr/share/pixmaps/;
 else
  cp /opt/so/saltstack/default/salt/common/files/analyst/README /;
  cp /opt/so/saltstack/default/salt/common/files/analyst/so-wallpaper.jpg /usr/share/backgrounds/;
  cp /opt/so/saltstack/default/salt/common/files/analyst/so-lockscreen.jpg /usr/share/backgrounds/;
  cp /opt/so/saltstack/default/salt/common/files/analyst/so-login-logo-dark.svg /usr/share/pixmaps/;
 fi
 # Set background wallpaper
 cat << EOF >> /etc/dconf/db/local.d/00-background
 # Specify the dconf path
 [org/gnome/desktop/background]
 # Specify the path to the desktop background image file
 picture-uri='file:///usr/share/backgrounds/so-wallpaper.jpg'
 # Specify one of the rendering options for the background image:
 # 'none', 'wallpaper', 'centered', 'scaled', 'stretched', 'zoom', 'spanned'
 picture-options='zoom'
 # Specify the left or top color when drawing gradients or the solid color
 primary-color='000000'
 # Specify the right or bottom color when drawing gradients
 secondary-color='FFFFFF'
 EOF
 # Set lock screen
 cat << EOF >> /etc/dconf/db/local.d/00-screensaver
 [org/gnome/desktop/session]
 idle-delay=uint32 180
 [org/gnome/desktop/screensaver]
 lock-enabled=true
 lock-delay=uint32 120
 picture-options='zoom'
 picture-uri='file:///usr/share/backgrounds/so-lockscreen.jpg'
 EOF
 cat << EOF >> /etc/dconf/db/local.d/locks/screensaver
 /org/gnome/desktop/session/idle-delay
 /org/gnome/desktop/screensaver/lock-enabled
 /org/gnome/desktop/screensaver/lock-delay
 EOF
 # Do not show the user list at login screen
 cat << EOF >> /etc/dconf/db/local.d/00-login-screen
 [org/gnome/login-screen]
 logo='/usr/share/pixmaps/so-login-logo-dark.svg'
 disable-user-list=true
 EOF
 dconf update;
 echo
 echo "Analyst workstation has been installed!"
 echo "Press ENTER to reboot or Ctrl-C to cancel."
 read pause
 reboot;
--- a/salt/common/tools/sbin/so-common
+++ b/salt/common/tools/sbin/so-common
@@ -15,18 +15,123 @@
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 IMAGEREPO=securityonion
 # Check for prerequisites
 if [ "$(id -u)" -ne 0 ]; then
-        echo "This script must be run using sudo!"
+  echo "This script must be run using sudo!"
-        exit 1
+  exit 1
 fi
 # Define a banner to separate sections
 banner="========================================================================="
 header() {
-        echo
+	echo
-        printf '%s\n' "$banner" "$*" "$banner"
+    printf '%s\n' "$banner" "$*" "$banner"
 }
 lookup_salt_value() {
  key=$1
  group=$2
  kind=$3
  if [ -z "$kind" ]; then
    kind=pillar
  fi
  if [ -n "$group" ]; then
    group=${group}:
  fi
  salt-call --no-color  ${kind}.get ${group}${key} --out=newline_values_only
 }
 lookup_pillar() {
  key=$1
  pillar=$2
  if [ -z "$pillar" ]; then
    pillar=global
  fi
  lookup_salt_value "$key" "$pillar" "pillar"
 }
 lookup_pillar_secret() {
  lookup_pillar "$1" "secrets"
 }
 lookup_grain() {
  lookup_salt_value "$1" "" "grains"
 }
 lookup_role() {
  id=$(lookup_grain id)
  pieces=($(echo $id | tr '_' ' '))
  echo ${pieces[1]}
 }
 check_container() {
 	docker ps | grep "$1:" > /dev/null 2>&1
 	return $?
 }
 check_password() {
  local password=$1
  echo "$password" | egrep -v "'|\"|\\$|\\\\" > /dev/null 2>&1
  return $?
 }
 set_os() {
  if [ -f /etc/redhat-release ]; then
    OS=centos
  else
    OS=ubuntu
  fi
 }
 set_minionid() {
  MINIONID=$(lookup_grain id)
 }
 set_version() {
  CURRENTVERSION=0.0.0
  if [ -f /etc/soversion ]; then
    CURRENTVERSION=$(cat /etc/soversion)
  fi
  if [ -z "$VERSION" ]; then
    if [ -z "$NEWVERSION" ]; then
      if [ "$CURRENTVERSION" == "0.0.0" ]; then
        echo "ERROR: Unable to detect Security Onion version; terminating script."
        exit 1
      else
        VERSION=$CURRENTVERSION
      fi
    else
      VERSION="$NEWVERSION"
    fi
  fi
 }
 require_manager() {
  # Check to see if this is a manager
  MANAGERCHECK=$(cat /etc/salt/grains | grep role | awk '{print $2}')
  if [ $MANAGERCHECK == 'so-eval' ] || [ $MANAGERCHECK == 'so-manager' ] || [ $MANAGERCHECK == 'so-managersearch' ] || [ $MANAGERCHECK == 'so-standalone' ] || [ $MANAGERCHECK == 'so-helix' ] || [ $MANAGERCHECK == 'so-import' ]; then
    echo "This is a manager, We can proceed."
  else
    echo "Please run this command on the manager; the manager controls the grid."
    exit 1
  fi
 }
 is_single_node_grid() {
  role=$(lookup_role)
  if [ "$role" != "eval" ] && [ "$role" != "standalone" ] && [ "$role" != "import" ]; then
    return 1
  fi
  return 0
 }
 fail() {
  msg=$1
  echo "ERROR: $msg"
  echo "Exiting."
  exit 1
 }
--- a/salt/common/tools/sbin/so-config-backup
+++ b/salt/common/tools/sbin/so-config-backup
@@ -0,0 +1,44 @@
 #!/bin/bash
 #
 # Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, either version 3 of the License, or
 # (at your option) any later version.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.. /usr/sbin/so-common
 {% set BACKUPLOCATIONS = salt['pillar.get']('backup:locations', {}) %}
 TODAY=$(date '+%Y_%m_%d')
 BACKUPFILE="/nsm/backup/so-config-backup-$TODAY.tar"
 MAXBACKUPS=7
 # Create backup dir if it does not exist
 mkdir -p /nsm/backup
 # If we haven't already written a backup file for today, let's do so
 if [ ! -f $BACKUPFILE ]; then
  # Create empty backup file
  tar -cf $BACKUPFILE -T /dev/null
  # Loop through all paths defined in global.sls, and append them to backup file
  {%- for LOCATION in BACKUPLOCATIONS %}
  tar -rf $BACKUPFILE {{ LOCATION }}
  {%- endfor %}
 fi
 # Find oldest backup file and remove it
 NUMBACKUPS=$(find /nsm/backup/ -type f -name "so-config-backup*" | wc -l)
 OLDESTBACKUP=$(find /nsm/backup/ -type f -name "so-config-backup*" | ls -1t | tail -1)
 if [ "$NUMBACKUPS" -gt "$MAXBACKUPS" ]; then
  rm -f /nsm/backup/$OLDESTBACKUP
 fi
--- a/salt/common/tools/sbin/so-cortex-user-add
+++ b/salt/common/tools/sbin/so-cortex-user-add
@@ -0,0 +1,54 @@
 #!/bin/bash
 #
 # Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, either version 3 of the License, or
 # (at your option) any later version.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 . /usr/sbin/so-common
 usage() {
    echo "Usage: $0 <new-user-name>"
    echo ""
    echo "Adds a new user to Cortex. The new password will be read from STDIN."
    exit 1
 }
 if [ $# -ne 1 ]; then
  usage
 fi
 USER=$1
 CORTEX_KEY=$(lookup_pillar cortexkey)
 CORTEX_API_URL="$(lookup_pillar url_base)/cortex/api"
 CORTEX_ORG_NAME=$(lookup_pillar cortexorgname)
 CORTEX_USER=$USER
 # Read password for new user from stdin
 test -t 0
 if [[ $? == 0 ]]; then
  echo "Enter new password:"
 fi
 read -rs CORTEX_PASS
 # Create new user in Cortex
 resp=$(curl -sk -XPOST -H "Authorization: Bearer $CORTEX_KEY" -H "Content-Type: application/json" -L "https://$CORTEX_API_URL/user" -d "{\"name\": \"$CORTEX_USER\",\"roles\": [\"read\",\"analyze\",\"orgadmin\"],\"organization\": \"$CORTEX_ORG_NAME\",\"login\": \"$CORTEX_USER\",\"password\" : \"$CORTEX_PASS\" }")
 if [[ "$resp" =~ \"status\":\"Ok\" ]]; then
    echo "Successfully added user to Cortex."
 else
    echo "Unable to add user to Cortex; user might already exist."
    echo $resp
    exit 2
 fi
--- a/salt/common/tools/sbin/so-cortex-user-enable
+++ b/salt/common/tools/sbin/so-cortex-user-enable
@@ -0,0 +1,57 @@
 #!/bin/bash
 #
 # Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, either version 3 of the License, or
 # (at your option) any later version.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 . /usr/sbin/so-common
 usage() {
    echo "Usage: $0 <user-name> <true|false>"
    echo ""
    echo "Enables or disables a user in Cortex."
    exit 1
 }
 if [ $# -ne 2 ]; then
  usage
 fi
 USER=$1
 CORTEX_KEY=$(lookup_pillar cortexkey)
 CORTEX_API_URL="$(lookup_pillar url_base)/cortex/api"
 CORTEX_USER=$USER
 case "${2^^}" in
 	FALSE | NO | 0)
 		CORTEX_STATUS=Locked
 		;;
 	TRUE | YES | 1)
 		CORTEX_STATUS=Ok
 		;;
 	*)
 		usage
 		;;
 esac
 resp=$(curl -sk -XPATCH -H "Authorization: Bearer $CORTEX_KEY" -H "Content-Type: application/json" -L "https://$CORTEX_API_URL/user/${CORTEX_USER}" -d "{\"status\":\"${CORTEX_STATUS}\" }")
 if [[ "$resp" =~ \"status\":\"Locked\" || "$resp" =~ \"status\":\"Ok\" ]]; then
    echo "Successfully updated user in Cortex."
 else
    echo "Failed to update user in Cortex."
    echo $resp
    exit 2
 fi
--- a/salt/common/tools/sbin/so-docker-refresh
+++ b/salt/common/tools/sbin/so-docker-refresh
@@ -16,96 +16,7 @@
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 . /usr/sbin/so-common
 . /usr/sbin/so-image-common
-manager_check() {
+require_manager
-  # Check to see if this is a manager
+update_docker_containers "refresh"
  MANAGERCHECK=$(cat /etc/salt/grains | grep role | awk '{print $2}')
  if [ $MANAGERCHECK == 'so-eval' ] || [ $MANAGERCHECK == 'so-manager' ] || [ $MANAGERCHECK == 'so-managersearch' ] || [ $MANAGERCHECK == 'so-standalone' ] || [ $MANAGERCHECK == 'so-helix' ]; then
    echo "This is a manager. We can proceed"
  else
    echo "Please run soup on the manager. The manager controls all updates."
    exit 1
  fi
 }
 update_docker_containers() {
  # Download the containers from the interwebs
  for i in "${TRUSTED_CONTAINERS[@]}"
  do
    # Pull down the trusted docker image
    echo "Downloading $i"
    docker pull --disable-content-trust=false docker.io/$IMAGEREPO/$i
    # Tag it with the new registry destination
    docker tag $IMAGEREPO/$i $HOSTNAME:5000/$IMAGEREPO/$i
    docker push $HOSTNAME:5000/$IMAGEREPO/$i
  done
 }
 version_check() {
  if [ -f /etc/soversion ]; then
    VERSION=$(cat /etc/soversion)
  else
    echo "Unable to detect version. I will now terminate."
    exit 1
  fi
 }
 manager_check
 version_check
 # Use the hostname
 HOSTNAME=$(hostname)
 # List all the containers
 if [ $MANAGERCHECK != 'so-helix' ]; then
    TRUSTED_CONTAINERS=( \
    "so-acng:$VERSION" \
    "so-thehive-cortex:$VERSION" \
    "so-curator:$VERSION" \
    "so-domainstats:$VERSION" \
    "so-elastalert:$VERSION" \
    "so-elasticsearch:$VERSION" \
    "so-filebeat:$VERSION" \
    "so-fleet:$VERSION" \
    "so-fleet-launcher:$VERSION" \
    "so-freqserver:$VERSION" \
    "so-grafana:$VERSION" \
    "so-idstools:$VERSION" \
    "so-influxdb:$VERSION" \
    "so-kibana:$VERSION" \
    "so-kratos:$VERSION" \
    "so-logstash:$VERSION" \
    "so-minio:$VERSION" \
    "so-mysql:$VERSION" \
    "so-nginx:$VERSION" \
    "so-pcaptools:$VERSION" \
    "so-playbook:$VERSION" \
    "so-redis:$VERSION" \
    "so-soc:$VERSION" \
    "so-soctopus:$VERSION" \
    "so-steno:$VERSION" \
    "so-strelka-frontend:$VERSION" \
 		"so-strelka-manager:$VERSION" \
 		"so-strelka-backend:$VERSION" \
 		"so-strelka-filestream:$VERSION" \
    "so-suricata:$VERSION" \
    "so-telegraf:$VERSION" \
    "so-thehive:$VERSION" \
    "so-thehive-es:$VERSION" \
    "so-wazuh:$VERSION" \
    "so-zeek:$VERSION" )
  else
    TRUSTED_CONTAINERS=( \
    "so-filebeat:$VERSION" \
    "so-idstools:$VERSION" \
    "so-logstash:$VERSION" \
    "so-nginx:$VERSION" \
    "so-redis:$VERSION" \
    "so-steno:$VERSION" \
    "so-suricata:$VERSION" \
    "so-telegraf:$VERSION" \
    "so-zeek:$VERSION" )
  fi
 update_docker_containers
--- a/salt/common/tools/sbin/so-elastalert-test
+++ b/salt/common/tools/sbin/so-elastalert-test
@@ -137,6 +137,3 @@ else
 fi
 echo
--- a/salt/common/tools/sbin/so-elastic-clear
+++ b/salt/common/tools/sbin/so-elastic-clear
@@ -14,7 +14,7 @@
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
-{%- set MANAGERIP = salt['pillar.get']('global:managerip', '') -%}
+{%- set NODEIP = salt['pillar.get']('elasticsearch:mainip', '') -%}
 . /usr/sbin/so-common
 SKIP=0
@@ -50,7 +50,11 @@ done
 if [ $SKIP -ne 1 ]; then
        # List indices
        echo 
-        curl {{ MANAGERIP }}:9200/_cat/indices?v
+        {% if grains['role'] in ['so-node','so-heavynode'] %}
        curl -k -L https://{{ NODEIP }}:9200/_cat/indices?v
        {% else %}
        curl -L {{ NODEIP }}:9200/_cat/indices?v
        {% endif %}
        echo
        # Inform user we are about to delete all data
        echo
@@ -89,10 +93,18 @@ fi
 # Delete data
 echo "Deleting data..."
-INDXS=$(curl -s -XGET {{ MANAGERIP }}:9200/_cat/indices?v | egrep 'logstash|elastalert|so-' | awk '{ print $3 }')
+{% if grains['role'] in ['so-node','so-heavynode'] %}
 INDXS=$(curl -s -XGET -k -L https://{{ NODEIP }}:9200/_cat/indices?v | egrep 'logstash|elastalert|so-' | awk '{ print $3 }')
 {% else %}
 INDXS=$(curl -s -XGET -L {{ NODEIP }}:9200/_cat/indices?v | egrep 'logstash|elastalert|so-' | awk '{ print $3 }')
 {% endif %}
 for INDX in ${INDXS}
 do
-    curl -XDELETE "{{ MANAGERIP }}:9200/${INDX}" > /dev/null 2>&1
+    {% if grains['role'] in ['so-node','so-heavynode'] %}
    curl -XDELETE -k -L https://"{{ NODEIP }}:9200/${INDX}" > /dev/null 2>&1
    {% else %}
    curl -XDELETE -L "{{ NODEIP }}:9200/${INDX}" > /dev/null 2>&1
    {% endif %}
 done
 #Start Logstash/Filebeat
--- a/salt/common/tools/sbin/so-elasticsearch-indices-rw
+++ b/salt/common/tools/sbin/so-elasticsearch-indices-rw
@@ -22,5 +22,5 @@ THEHIVEESPORT=9400
 echo "Removing read only attributes for indices..."
 echo
 for p in $ESPORT $THEHIVEESPORT; do
-   curl -XPUT -H "Content-Type: application/json" http://$IP:$p/_all/_settings -d '{"index.blocks.read_only_allow_delete": null}' 2>&1 | if grep -q ack; then echo "Index settings updated..."; else echo "There was any issue updating the read-only attribute.  Please ensure Elasticsearch is running.";fi;
+   curl -XPUT -H "Content-Type: application/json" -L http://$IP:$p/_all/_settings -d '{"index.blocks.read_only_allow_delete": null}' 2>&1 | if grep -q ack; then echo "Index settings updated..."; else echo "There was any issue updating the read-only attribute.  Please ensure Elasticsearch is running.";fi;
 done
--- a/salt/common/tools/sbin/so-elasticsearch-pipeline-stats
+++ b/salt/common/tools/sbin/so-elasticsearch-pipeline-stats
@@ -0,0 +1,33 @@
 #!/bin/bash
 #
 # Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, either version 3 of the License, or
 # (at your option) any later version.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>
 {%- set NODEIP = salt['pillar.get']('elasticsearch:mainip', '') -%}
 . /usr/sbin/so-common
 if [ "$1" == "" ]; then
        {% if grains['role'] in ['so-node','so-heavynode'] %}
        curl -s -k -L https://{{ NODEIP }}:9200/_nodes/stats | jq .nodes | jq ".[] | .ingest.pipelines"
        {% else %}
        curl -s -L {{ NODEIP }}:9200/_nodes/stats | jq .nodes | jq ".[] | .ingest.pipelines"
        {% endif %}
 else
        {% if grains['role'] in ['so-node','so-heavynode'] %}
        curl -s -k -L https://{{ NODEIP }}:9200/_nodes/stats | jq .nodes | jq ".[] | .ingest.pipelines.\"$1\""
        {% else %}
        curl -s -L {{ NODEIP }}:9200/_nodes/stats | jq .nodes | jq ".[] | .ingest.pipelines.\"$1\""
        {% endif %}
 fi
--- a/salt/common/tools/sbin/so-elasticsearch-pipelines-list
+++ b/salt/common/tools/sbin/so-elasticsearch-pipelines-list
@@ -0,0 +1,31 @@
 #!/bin/bash
 #
 # Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, either version 3 of the License, or
 # (at your option) any later version.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 {%- set NODEIP = salt['pillar.get']('elasticsearch:mainip', '') -%}
 . /usr/sbin/so-common
 if [ "$1" == "" ]; then
    {% if grains['role'] in ['so-node','so-heavynode'] %}
    curl -s -k -L https://{{ NODEIP }}:9200/_ingest/pipeline/* | jq 'keys'
    {% else %}
    curl -s -L {{ NODEIP }}:9200/_ingest/pipeline/* | jq 'keys'
    {% endif %}
 else
    {% if grains['role'] in ['so-node','so-heavynode'] %}
    curl -s -k -L https://{{ NODEIP }}:9200/_ingest/pipeline/$1 | jq
    {% else %}
    curl -s -L {{ NODEIP }}:9200/_ingest/pipeline/$1 | jq
    {% endif %}
 fi
--- a/salt/common/tools/sbin/so-elasticsearch-templates-list
+++ b/salt/common/tools/sbin/so-elasticsearch-templates-list
@@ -0,0 +1,31 @@
 #!/bin/bash
 #
 # Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, either version 3 of the License, or
 # (at your option) any later version.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 {%- set NODEIP = salt['pillar.get']('elasticsearch:mainip', '') -%}
 . /usr/sbin/so-common
 if [ "$1" == "" ]; then
    {% if grains['role'] in ['so-node','so-heavynode'] %}
    curl -s -k -L https://{{ NODEIP }}:9200/_template/* | jq 'keys'
    {% else %}
    curl -s -L {{ NODEIP }}:9200/_template/* | jq 'keys'
    {% endif %}
 else
    {% if grains['role'] in ['so-node','so-heavynode'] %}
    curl -s -k -L https://{{ NODEIP }}:9200/_template/$1 | jq
    {% else %}
    curl -s -L {{ NODEIP }}:9200/_template/$1 | jq
    {% endif %}
 fi
--- a/salt/common/tools/sbin/so-elasticsearch-templates-load
+++ b/salt/common/tools/sbin/so-elasticsearch-templates-load
@@ -1,4 +1,6 @@
-{% set MANAGERIP = salt['pillar.get']('manager:mainip', '') %}
+{%- set mainint = salt['pillar.get']('host:mainint') %}
 {%- set MYIP = salt['grains.get']('ip_interfaces:' ~ mainint)[0] %}
 #!/bin/bash
 # Copyright 2014,2015,2016,2017,2018,2019 Security Onion Solutions, LLC
 #
@@ -16,7 +18,7 @@
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 default_conf_dir=/opt/so/conf
-ELASTICSEARCH_HOST="{{ MANAGERIP}}"
+ELASTICSEARCH_HOST="{{ MYIP }}"
 ELASTICSEARCH_PORT=9200
 #ELASTICSEARCH_AUTH=""
@@ -28,7 +30,11 @@ echo -n "Waiting for ElasticSearch..."
 COUNT=0
 ELASTICSEARCH_CONNECTED="no"
 while [[ "$COUNT" -le 240 ]]; do
-	curl --output /dev/null --silent --head --fail http://"$ELASTICSEARCH_HOST":"$ELASTICSEARCH_PORT"
+    {% if grains['role'] in ['so-node','so-heavynode'] %}
    curl -k --output /dev/null --silent --head --fail -L https://"$ELASTICSEARCH_HOST":"$ELASTICSEARCH_PORT"
    {% else %}
 	curl --output /dev/null --silent --head --fail -L http://"$ELASTICSEARCH_HOST":"$ELASTICSEARCH_PORT"
 	{% endif %}
 	if [ $? -eq 0 ]; then
 		ELASTICSEARCH_CONNECTED="yes"
 		echo "connected!"
@@ -49,7 +55,11 @@ cd ${ELASTICSEARCH_TEMPLATES}
 echo "Loading templates..."
-for i in *; do TEMPLATE=$(echo $i | cut -d '-' -f2); echo "so-$TEMPLATE"; curl ${ELASTICSEARCH_AUTH} -s -XPUT http://${ELASTICSEARCH_HOST}:${ELASTICSEARCH_PORT}/_template/so-$TEMPLATE -H 'Content-Type: application/json' -d@$i 2>/dev/null; echo; done
+{% if grains['role'] in ['so-node','so-heavynode'] %}
 for i in *; do TEMPLATE=$(echo $i | cut -d '-' -f2); echo "so-$TEMPLATE"; curl -k ${ELASTICSEARCH_AUTH} -s -XPUT -L https://${ELASTICSEARCH_HOST}:${ELASTICSEARCH_PORT}/_template/so-$TEMPLATE -H 'Content-Type: application/json' -d@$i 2>/dev/null; echo; done
 {% else %}
 for i in *; do TEMPLATE=$(echo $i | cut -d '-' -f2); echo "so-$TEMPLATE"; curl ${ELASTICSEARCH_AUTH} -s -XPUT -L http://${ELASTICSEARCH_HOST}:${ELASTICSEARCH_PORT}/_template/so-$TEMPLATE -H 'Content-Type: application/json' -d@$i 2>/dev/null; echo; done
 {% endif %}
 echo
 cd - >/dev/null
--- a/salt/common/tools/sbin/so-features-enable
+++ b/salt/common/tools/sbin/so-features-enable
@@ -15,36 +15,39 @@
 #    along with this program.  If not, see <http://www.gnu.org/licenses/>.
 . /usr/sbin/so-common
 . /usr/sbin/so-image-common
 local_salt_dir=/opt/so/saltstack/local
-manager_check() {
+cat << EOF
-  # Check to see if this is a manager
+This program will switch from the open source version of the Elastic Stack to the Features version licensed under the Elastic license.
-  MANAGERCHECK=$(cat /etc/salt/grains | grep role | awk '{print $2}')
+If you proceed, then we will download new Docker images and restart services.
-  if [[ "$MANAGERCHECK" =~ ^('so-eval'|'so-manager'|'so-standalone'|'so-managersearch')$ ]]; then
+
-    echo "This is a manager. We can proceed"
+Please review the Elastic license:
-  else
+https://raw.githubusercontent.com/elastic/elasticsearch/master/licenses/ELASTIC-LICENSE.txt
-    echo "Please run so-features-enable on the manager."
+
-    exit 0
+Please also note that, if you have a distributed deployment and continue with this change, Elastic traffic between nodes will change from encrypted to cleartext!
-  fi
+(We expect to support Elastic Features Security at some point in the future.)
-}
+
 Do you agree to the terms of the Elastic license and understand the note about encryption?
 If so, type AGREE to accept the Elastic license and continue.  Otherwise, just press Enter to exit this program without making any changes.
 EOF
 read INPUT
 if [ "$INPUT" != "AGREE" ]; then
        exit
 fi
 echo "Please wait while switching to Elastic Features."
 require_manager
 TRUSTED_CONTAINERS=( \
  "so-elasticsearch" \
  "so-filebeat" \
  "so-kibana" \
  "so-logstash" )
 update_docker_containers "features" "-features"
 manager_check
 VERSION=$(grep soversion $local_salt_dir/pillar/global.sls | cut -d':' -f2|sed 's/ //g')
 # Modify global.sls to enable Features
 sed -i 's/features: False/features: True/' $local_salt_dir/pillar/global.sls
 SUFFIX="-features"
 TRUSTED_CONTAINERS=( \
  "so-elasticsearch:$VERSION$SUFFIX" \
  "so-filebeat:$VERSION$SUFFIX" \
  "so-kibana:$VERSION$SUFFIX" \
  "so-logstash:$VERSION$SUFFIX" )
 for i in "${TRUSTED_CONTAINERS[@]}"
 do
    # Pull down the trusted docker image
    echo "Downloading $i"
    docker pull --disable-content-trust=false docker.io/$IMAGEREPO/$i
    # Tag it with the new registry destination
    docker tag $IMAGEREPO/$i $HOSTNAME:5000/$IMAGEREPO/$i
    docker push $HOSTNAME:5000/$IMAGEREPO/$i
 done
--- a/salt/common/tools/sbin/so-firewall
+++ b/salt/common/tools/sbin/so-firewall
@@ -116,7 +116,7 @@ def addhostgroup(args):
    print('Missing host group name argument', file=sys.stderr)
    showUsage(args)
-  name = args[1]
+  name = args[0]
  content = loadYaml(hostgroupsFilename)
  if name in content['firewall']['hostgroups']:
    print('Already exists', file=sys.stderr)
--- a/salt/common/tools/sbin/so-fleet-user-add
+++ b/salt/common/tools/sbin/so-fleet-user-add
@@ -0,0 +1,64 @@
 #!/bin/bash
 #
 # Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, either version 3 of the License, or
 # (at your option) any later version.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 . /usr/sbin/so-common
 usage() {
    echo "Usage: $0 <new-user-name>"
    echo ""
    echo "Adds a new user to Fleet. The new password will be read from STDIN."
    exit 1
 }
 if [ $# -ne 1 ]; then
  usage
 fi
 USER=$1
 MYSQL_PASS=$(lookup_pillar_secret mysql)
 FLEET_IP=$(lookup_pillar fleet_ip)
 FLEET_USER=$USER
 # Read password for new user from stdin
 test -t 0
 if [[ $? == 0 ]]; then
  echo "Enter new password:"
 fi
 read -rs FLEET_PASS
 if ! check_password "$FLEET_PASS"; then
  echo "Password is invalid. Please exclude single quotes, double quotes and backslashes from the password."
  exit 2
 fi
 FLEET_HASH=$(docker exec so-soctopus python -c "import bcrypt; print(bcrypt.hashpw('$FLEET_PASS'.encode('utf-8'), bcrypt.gensalt()).decode('utf-8'));" 2>&1)
 if [[ $? -ne 0 ]]; then
 	echo "Failed to generate Fleet password hash"
 	exit 2
 fi
 MYSQL_OUTPUT=$(docker exec so-mysql mysql -u root --password=$MYSQL_PASS fleet -e \
    "INSERT INTO users (password,salt,username,email,admin,enabled) VALUES ('$FLEET_HASH','','$FLEET_USER','$FLEET_USER',1,1)" 2>&1)
 if [[ $? -eq 0 ]]; then
    echo "Successfully added user to Fleet"
 else
    echo "Unable to add user to Fleet; user might already exist"
    echo "$MYSQL_OUTPUT"
    exit 2
 fi
--- a/salt/common/tools/sbin/so-fleet-user-enable
+++ b/salt/common/tools/sbin/so-fleet-user-enable
@@ -0,0 +1,58 @@
 #!/bin/bash
 #
 # Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, either version 3 of the License, or
 # (at your option) any later version.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 . /usr/sbin/so-common
 usage() {
    echo "Usage: $0 <user-name>"
    echo ""
    echo "Enables or disables a user in Fleet"
    exit 1
 }
 if [ $# -ne 2 ]; then
  usage
 fi
 USER=$1
 MYSQL_PASS=$(lookup_pillar_secret mysql)
 FLEET_IP=$(lookup_pillar fleet_ip)
 FLEET_USER=$USER
 case "${2^^}" in
    FALSE | NO | 0)
        FLEET_STATUS=0
        ;;
    TRUE | YES | 1)
        FLEET_STATUS=1
        ;;
    *)
        usage
        ;;
 esac
 MYSQL_OUTPUT=$(docker exec so-mysql mysql -u root --password=$MYSQL_PASS fleet -e \
    "UPDATE users SET enabled=$FLEET_STATUS WHERE username='$FLEET_USER'" 2>&1)
 if [[ $? -eq 0 ]]; then
    echo "Successfully updated user in Fleet"
 else
    echo "Failed to update user in Fleet"
    echo $resp
    exit 2
 fi
--- a/salt/common/tools/sbin/so-image-common
+++ b/salt/common/tools/sbin/so-image-common
@@ -0,0 +1,175 @@
 #!/bin/bash
 #
 # Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, either version 3 of the License, or
 # (at your option) any later version.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 # NOTE: This script depends on so-common
 IMAGEREPO=securityonion
 container_list() {
    MANAGERCHECK=$1
    if [ -z "$MANAGERCHECK" ]; then
      MANAGERCHECK=so-unknown
      if [ -f /etc/salt/grains ]; then
        MANAGERCHECK=$(cat /etc/salt/grains | grep role | awk '{print $2}')
      fi
    fi
    if [ $MANAGERCHECK == 'so-import' ]; then
      TRUSTED_CONTAINERS=( \
        "so-elasticsearch" \
        "so-filebeat" \
        "so-idstools" \
        "so-kibana" \
        "so-kratos" \
        "so-nginx" \
        "so-pcaptools" \
        "so-soc" \
        "so-steno" \
        "so-suricata" \
        "so-zeek" )
    elif [ $MANAGERCHECK != 'so-helix' ]; then
      TRUSTED_CONTAINERS=( \
        "so-acng" \
        "so-curator" \
        "so-domainstats" \
        "so-elastalert" \
        "so-elasticsearch" \
        "so-filebeat" \
        "so-fleet" \
        "so-fleet-launcher" \
        "so-freqserver" \
        "so-grafana" \
        "so-idstools" \
        "so-influxdb" \
        "so-kibana" \
        "so-kratos" \
        "so-logstash" \
        "so-minio" \
        "so-mysql" \
        "so-nginx" \
        "so-pcaptools" \
        "so-playbook" \
        "so-redis" \
        "so-soc" \
        "so-soctopus" \
        "so-steno" \
        "so-strelka-backend" \
        "so-strelka-filestream" \
        "so-strelka-frontend" \
        "so-strelka-manager" \
        "so-suricata" \
        "so-telegraf" \
        "so-thehive" \
        "so-thehive-cortex" \
        "so-thehive-es" \
        "so-wazuh" \
        "so-zeek" )
    else
      TRUSTED_CONTAINERS=( \
        "so-filebeat" \
        "so-idstools" \
        "so-logstash" \
        "so-nginx" \
        "so-redis" \
        "so-steno" \
        "so-suricata" \
        "so-telegraf" \
        "so-zeek" )
    fi
 }
 update_docker_containers() {
  local CURLTYPE=$1
  local IMAGE_TAG_SUFFIX=$2
  local PROGRESS_CALLBACK=$3
  local LOG_FILE=$4
  local CONTAINER_REGISTRY=quay.io
  local SIGNPATH=/root/sosigs
  if [ -z "$CURLTYPE" ]; then
    CURLTYPE=unknown
  fi
  if [ -z "$LOG_FILE" ]; then
    if [ -c /dev/tty ]; then
      LOG_FILE=/dev/tty
    else
      LOG_FILE=/dev/null
    fi
  fi
  # Recheck the version for scenarios were the VERSION wasn't known before this script was imported
  set_version
  set_os
  if [ -z "$TRUSTED_CONTAINERS" ]; then
    container_list
  fi
  # Let's make sure we have the public key
  curl -sSL https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/master/KEYS | gpg --import -  >> "$LOG_FILE" 2>&1
  rm -rf $SIGNPATH >> "$LOG_FILE" 2>&1 
  mkdir -p $SIGNPATH >> "$LOG_FILE" 2>&1 
  # Download the containers from the interwebs
  for i in "${TRUSTED_CONTAINERS[@]}"
  do
    if [ -z "$PROGRESS_CALLBACK" ]; then
      echo "Downloading $i" >> "$LOG_FILE" 2>&1 
    else
      $PROGRESS_CALLBACK $i
    fi
    # Pull down the trusted docker image
    local image=$i:$VERSION$IMAGE_TAG_SUFFIX
    docker pull $CONTAINER_REGISTRY/$IMAGEREPO/$image >> "$LOG_FILE" 2>&1 
    # Get signature
    curl -A "$CURLTYPE/$CURRENTVERSION/$OS/$(uname -r)" https://sigs.securityonion.net/$VERSION/$i:$VERSION$IMAGE_TAG_SUFFIX.sig --output $SIGNPATH/$image.sig >> "$LOG_FILE" 2>&1 
    if [[ $? -ne 0 ]]; then
      echo "Unable to pull signature file for $image" >> "$LOG_FILE" 2>&1 
      exit 1
    fi
    # Dump our hash values
    DOCKERINSPECT=$(docker inspect $CONTAINER_REGISTRY/$IMAGEREPO/$image)
    echo "$DOCKERINSPECT" | jq ".[0].RepoDigests[] | select(. | contains(\"$CONTAINER_REGISTRY\"))" > $SIGNPATH/$image.txt
    echo "$DOCKERINSPECT" | jq ".[0].Created, .[0].RootFS.Layers" >> $SIGNPATH/$image.txt
    if [[ $? -ne 0 ]]; then
      echo "Unable to inspect $image" >> "$LOG_FILE" 2>&1 
      exit 1
    fi
    GPGTEST=$(gpg --verify $SIGNPATH/$image.sig $SIGNPATH/$image.txt 2>&1)
    if [[ $? -eq 0 ]]; then
      if [[ -z "$SKIP_TAGPUSH" ]]; then
        # Tag it with the new registry destination
        if [ -z "$HOSTNAME" ]; then
          HOSTNAME=$(hostname)
        fi
        docker tag $CONTAINER_REGISTRY/$IMAGEREPO/$image $HOSTNAME:5000/$IMAGEREPO/$image >> "$LOG_FILE" 2>&1 
        docker push $HOSTNAME:5000/$IMAGEREPO/$image >> "$LOG_FILE" 2>&1 
      fi
    else
      echo "There is a problem downloading the $image image. Details: " >> "$LOG_FILE" 2>&1 
      echo "" >> "$LOG_FILE" 2>&1 
      echo $GPGTEST >> "$LOG_FILE" 2>&1 
      exit 1
    fi
  done
 }
--- a/salt/common/tools/sbin/so-index-list
+++ b/salt/common/tools/sbin/so-index-list
@@ -15,4 +15,8 @@
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
-curl -X GET "localhost:9200/_cat/indices?v"
+{% if grains['role'] in ['so-node','so-heavynode'] %}
 curl -X GET -k -L https://localhost:9200/_cat/indices?v
 {% else %}
 curl -X GET -L localhost:9200/_cat/indices?v
 {% endif %}
--- a/salt/common/tools/sbin/so-ip-update
+++ b/salt/common/tools/sbin/so-ip-update
@@ -0,0 +1,59 @@
 #!/bin/bash
 . $(dirname $0)/so-common
 if [ "$FORCE_IP_UPDATE" != "1" ]; then
 	is_single_node_grid || fail "Cannot update the IP on a distributed grid"
 fi
 echo "This tool will update a manager's IP address to the new IP assigned to the management network interface."
 echo
 echo "WARNING: This tool is still undergoing testing, use at your own risk!"
 echo
 if [ -z "$OLD_IP" ]; then
 	OLD_IP=$(lookup_pillar "managerip")
 	if [ -z "$OLD_IP" ]; then
 		fail "Unable to find old IP; possible salt system failure"
 	fi
 	echo "Found old IP $OLD_IP."
 fi
 if [ -z "$NEW_IP" ]; then
 	iface=$(lookup_pillar "mainint" "host")
 	NEW_IP=$(ip -4 addr list $iface | grep inet | cut -d' ' -f6 | cut -d/ -f1)
 	if [ -z "$NEW_IP" ]; then
 		fail "Unable to detect new IP on interface $iface.    "
 	fi
 	echo "Detected new IP $NEW_IP on interface $iface."
 fi
 if [ "$OLD_IP" == "$NEW_IP" ]; then
 	fail "IP address has not changed"
 fi
 echo "About to change old IP $OLD_IP to new IP $NEW_IP."
 read -n 1 -p "Would you like to continue? (y/N) " CONTINUE
 echo
 if [ "$CONTINUE" == "y" ]; then
  for file in $(grep -rlI $OLD_IP /opt/so/saltstack /etc); do
  	echo "Updating file: $file"
    sed -i "s|$OLD_IP|$NEW_IP|g" $file
  done
 	echo "The IP has been changed from $OLD_IP to $NEW_IP."
 	if [ -z "$SKIP_STATE_APPLY" ]; then
 		echo "Re-applying salt states."
 		salt-call state.highstate queue=True
 	fi
 else
 	echo "Exiting without changes."
 fi
--- a/salt/common/tools/sbin/so-kibana-config-export
+++ b/salt/common/tools/sbin/so-kibana-config-export
@@ -23,7 +23,7 @@
 KIBANA_HOST={{ MANAGER }}
 KSO_PORT=5601
 OUTFILE="saved_objects.ndjson"
-curl -s -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -XPOST $KIBANA_HOST:$KSO_PORT/api/saved_objects/_export -d '{ "type": [ "index-pattern", "config", "visualization", "dashboard", "search" ], "excludeExportDetails": false }' > $OUTFILE
+curl -s -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -XPOST -L $KIBANA_HOST:$KSO_PORT/api/saved_objects/_export -d '{ "type": [ "index-pattern", "config", "visualization", "dashboard", "search" ], "excludeExportDetails": false }' > $OUTFILE
 # Clean up using PLACEHOLDER
 sed -i "s/$KIBANA_HOST/PLACEHOLDER/g" $OUTFILE
--- a/salt/common/tools/sbin/so-playbook-reset
+++ b/salt/common/tools/sbin/so-playbook-reset
@@ -0,0 +1,26 @@
 #!/bin/bash
 #
 # Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, either version 3 of the License, or
 # (at your option) any later version.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 . /usr/sbin/so-common
 salt-call state.apply playbook.db_init,playbook,playbook.automation_user_create
 /usr/sbin/so-soctopus-restart
 echo "Importing Plays - this will take some time...."
 wait 5
 /usr/sbin/so-playbook-ruleupdate
--- a/salt/common/tools/sbin/so-restart
+++ b/salt/common/tools/sbin/so-restart
@@ -19,18 +19,22 @@
 . /usr/sbin/so-common
-echo $banner
+if [ $# -ge 1 ]; then
 printf "Restarting $1...\n\nThis could take a while if another Salt job is running. \nRun this command with --force to stop all Salt jobs before proceeding.\n"
 echo $banner
-if [ "$2" = "--force" ]
+        echo $banner
-then
+        printf "Restarting $1...\n\nThis could take a while if another Salt job is running. \nRun this command with --force to stop all Salt jobs before proceeding.\n"
-   printf "\nForce-stopping all Salt jobs before proceeding\n\n"
+        echo $banner
-   salt-call saltutil.kill_all_jobs
+
        if [ "$2" = "--force" ]; then
                printf "\nForce-stopping all Salt jobs before proceeding\n\n"
                salt-call saltutil.kill_all_jobs
        fi
        case $1 in
                "cortex") docker stop so-thehive-cortex so-thehive && docker rm so-thehive-cortex so-thehive && salt-call state.apply hive queue=True;;
                "steno") docker stop so-steno && docker rm so-steno && salt-call state.apply pcap queue=True;;
                *)  docker stop so-$1 ; docker rm so-$1 ; salt-call state.apply $1 queue=True;;
        esac
 else
        echo -e "\nPlease provide an argument by running like so-restart $component, or by using the component-specific script.\nEx. so-restart filebeat, or so-filebeat-restart\n"
 fi
 case $1 in
   "cortex") docker stop so-thehive-cortex so-thehive && docker rm so-thehive-cortex so-thehive && salt-call state.apply hive queue=True;;
   "steno") docker stop so-steno && docker rm so-steno && salt-call state.apply pcap queue=True;;
   *)  docker stop so-$1 ; docker rm so-$1 ; salt-call state.apply $1 queue=True;;
 esac
--- a/salt/common/tools/sbin/so-rule-update
+++ b/salt/common/tools/sbin/so-rule-update
@@ -10,4 +10,4 @@ got_root() {
 }
 got_root
-docker exec -d so-idstools /bin/bash -c 'cd /opt/so/idstools/etc && idstools-rulecat'
+docker exec so-idstools /bin/bash -c 'cd /opt/so/idstools/etc && idstools-rulecat'
--- a/salt/common/tools/sbin/so-salt-minion-check
+++ b/salt/common/tools/sbin/so-salt-minion-check
@@ -0,0 +1,104 @@
 {% import_yaml 'salt/minion.defaults.yaml' as SALT_MINION_DEFAULTS -%}
 #!/bin/bash
 #
 # Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, either version 3 of the License, or
 # (at your option) any later version.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 # this script checks the time the file /opt/so/log/salt/state-apply-test was last modified and restarts the salt-minion service if it is outside a threshold date/time
 # the file is modified via file.touch using a scheduled job healthcheck.salt-minion.state-apply-test that runs a state.apply. 
 # by default the file should be updated every 5-8 minutes. 
 # this allows us to test that the minion is able apply states and communicate with the master
 # if the file is unable to be touched via the state.apply, then we assume there is a possibilty that the minion is hung (though it could be possible the master is down as well)
 # we then stop the service, pkill salt-minion, the start the salt-minion service back up
 . /usr/sbin/so-common
 QUIET=false
 UPTIME_REQ=1800 #in seconds, how long the box has to be up before considering restarting salt-minion due to /opt/so/log/salt/state-apply-test not being touched
 CURRENT_TIME=$(date +%s)
 SYSTEM_START_TIME=$(date -d "$(</proc/uptime awk '{print $1}') seconds ago" +%s)
 LAST_HIGHSTATE_END=$([ -e "/opt/so/log/salt/lasthighstate" ] && date -r /opt/so/log/salt/lasthighstate +%s || echo 0)
 LAST_HEALTHCHECK_STATE_APPLY=$([ -e "/opt/so/log/salt/state-apply-test" ] && date -r /opt/so/log/salt/state-apply-test +%s || echo 0)
 # SETTING THRESHOLD TO ANYTHING UNDER 600 seconds may cause a lot of salt-minion restarts since the job to touch the file occurs every 5-8 minutes by default
 THRESHOLD={{SALT_MINION_DEFAULTS.salt.minion.check_threshold}} #within how many seconds the file /opt/so/log/salt/state-apply-test must have been touched/modified before the salt minion is restarted
 THRESHOLD_DATE=$((LAST_HEALTHCHECK_STATE_APPLY+THRESHOLD))
 logCmd() {
  cmd=$1
  info "Executing command: $cmd"
  $cmd >> "/opt/so/log/salt/so-salt-minion-check"
 }
 log() {
    msg=$1
    level=${2:-I}
    now=$(TZ=GMT date +"%Y-%m-%dT%H:%M:%SZ")
    if ! $QUIET; then
      echo $msg
    fi
    echo -e "$now | $level | $msg" >> "/opt/so/log/salt/so-salt-minion-check" 2>&1
 }
 error() {
    log "$1" "E"
 }
 info() {
    log "$1" "I"
 }
 usage()
 {
 cat <<EOF
 Check health of salt-minion and restart it if needed
  Options:
  -h                This message
  -q                Don't output to terminal
 EOF
 }
 while getopts ":q" opt; do
  case "$opt" in
    q )
       QUIET=true
      ;;
    * ) usage
        exit 0
      ;;
  esac
 done
 log "running so-salt-minion-check"
 if [ $CURRENT_TIME -ge $((SYSTEM_START_TIME+$UPTIME_REQ))  ]; then
  if [ $THRESHOLD_DATE -le $CURRENT_TIME ]; then
    log "salt-minion is unable to apply states" E
    log "/opt/so/log/salt/healthcheck-state-apply not touched by required date: `date -d @$THRESHOLD_DATE`, last touched: `date -d @$LAST_HEALTHCHECK_STATE_APPLY`" I
    log "last highstate completed at `date -d @$LAST_HIGHSTATE_END`" I
    log "checking if any jobs are running" I
    logCmd "salt-call --local saltutil.running" I
    log "killing all salt-minion processes" I
    logCmd "pkill -9 -ef /usr/bin/salt-minion" I
    log "starting salt-minion service" I
    logCmd "systemctl start salt-minion" I
  else
    log "/opt/so/log/salt/healthcheck-state-apply last touched: `date -d @$LAST_HEALTHCHECK_STATE_APPLY` must be touched by `date -d @$THRESHOLD_DATE` to avoid salt-minion restart" I
  fi
 else
  log "system uptime only $((CURRENT_TIME-SYSTEM_START_TIME)) seconds does not meet $UPTIME_REQ second requirement." I
 fi
--- a/salt/common/tools/sbin/so-sensor-clean
+++ b/salt/common/tools/sbin/so-sensor-clean
@@ -23,99 +23,104 @@ CUR_USAGE=$(df -P $SENSOR_DIR | tail -1 | awk '{print $5}' | tr -d %)
 LOG="/opt/so/log/sensor_clean.log"
 TODAY=$(date -u "+%Y-%m-%d")
-clean () {
+clean() {
-                ## find the oldest Zeek logs directory
+	## find the oldest Zeek logs directory
-                OLDEST_DIR=$(ls /nsm/zeek/logs/ | grep -v "current" | grep -v "stats" | grep -v "packetloss" | grep -v "zeek_clean" | sort | head -n 1)
+	OLDEST_DIR=$(ls /nsm/zeek/logs/ | grep -v "current" | grep -v "stats" | grep -v "packetloss" | grep -v "zeek_clean" | sort | head -n 1)
-                if [ -z "$OLDEST_DIR" -o "$OLDEST_DIR" == ".." -o "$OLDEST_DIR" == "." ]
+	if [ -z "$OLDEST_DIR" -o "$OLDEST_DIR" == ".." -o "$OLDEST_DIR" == "." ]; then
-                then
+		echo "$(date) - No old Zeek logs available to clean up in /nsm/zeek/logs/" >>$LOG
-                        echo "$(date) - No old Zeek logs available to clean up in /nsm/zeek/logs/" >> $LOG
+		#exit 0
-                        #exit 0
+	else
-                else
+		echo "$(date) - Removing directory: /nsm/zeek/logs/$OLDEST_DIR" >>$LOG
-                        echo "$(date) - Removing directory: /nsm/zeek/logs/$OLDEST_DIR" >> $LOG
+		rm -rf /nsm/zeek/logs/"$OLDEST_DIR"
-                        rm -rf /nsm/zeek/logs/"$OLDEST_DIR"
+	fi
                fi
 	## Remarking for now, as we are moving extracted files to /nsm/strelka/processed
 	## find oldest files in extracted directory and exclude today
 	#OLDEST_EXTRACT=$(find /nsm/zeek/extracted/complete -type f -printf '%T+ %p\n' 2>/dev/null | sort | grep -v $TODAY | head -n 1)
 	#if [ -z "$OLDEST_EXTRACT" -o "$OLDEST_EXTRACT" == ".." -o "$OLDEST_EXTRACT" == "." ]
 	#then
 	#        echo "$(date) - No old extracted files available to clean up in /nsm/zeek/extracted/complete" >> $LOG
 	#else
 	#        OLDEST_EXTRACT_DATE=`echo $OLDEST_EXTRACT | awk '{print $1}' | cut -d+ -f1`
 	#        OLDEST_EXTRACT_FILE=`echo $OLDEST_EXTRACT | awk '{print $2}'`
 	#        echo "$(date) - Removing extracted files for $OLDEST_EXTRACT_DATE" >> $LOG
 	#        find /nsm/zeek/extracted/complete -type f -printf '%T+ %p\n' | grep $OLDEST_EXTRACT_DATE | awk '{print $2}' |while read FILE
 	#        do
 	#                echo "$(date) - Removing extracted file: $FILE" >> $LOG
 	#                rm -f "$FILE"
 	#        done
 	#fi
-                ## Remarking for now, as we are moving extracted files to /nsm/strelka/processed
+	## Clean up Zeek extracted files processed by Strelka
-                ## find oldest files in extracted directory and exclude today
+	STRELKA_FILES='/nsm/strelka/processed'
-                #OLDEST_EXTRACT=$(find /nsm/zeek/extracted/complete -type f -printf '%T+ %p\n' 2>/dev/null | sort | grep -v $TODAY | head -n 1)
+	OLDEST_STRELKA=$(find $STRELKA_FILES -type f -printf '%T+ %p\n' | sort -n | head -n 1)
-                #if [ -z "$OLDEST_EXTRACT" -o "$OLDEST_EXTRACT" == ".." -o "$OLDEST_EXTRACT" == "." ]
+	if [ -z "$OLDEST_STRELKA" -o "$OLDEST_STRELKA" == ".." -o "$OLDEST_STRELKA" == "." ]; then
-                #then
+		echo "$(date) - No old files available to clean up in $STRELKA_FILES" >>$LOG
-                #        echo "$(date) - No old extracted files available to clean up in /nsm/zeek/extracted/complete" >> $LOG
+	else
-                #else
+		OLDEST_STRELKA_DATE=$(echo $OLDEST_STRELKA | awk '{print $1}' | cut -d+ -f1)
-                #        OLDEST_EXTRACT_DATE=`echo $OLDEST_EXTRACT | awk '{print $1}' | cut -d+ -f1`
+		OLDEST_STRELKA_FILE=$(echo $OLDEST_STRELKA | awk '{print $2}')
-                #        OLDEST_EXTRACT_FILE=`echo $OLDEST_EXTRACT | awk '{print $2}'`
+		echo "$(date) - Removing extracted files for $OLDEST_STRELKA_DATE" >>$LOG
-                #        echo "$(date) - Removing extracted files for $OLDEST_EXTRACT_DATE" >> $LOG
+		find $STRELKA_FILES -type f -printf '%T+ %p\n' | grep $OLDEST_STRELKA_DATE | awk '{print $2}' | while read FILE; do
-                #        find /nsm/zeek/extracted/complete -type f -printf '%T+ %p\n' | grep $OLDEST_EXTRACT_DATE | awk '{print $2}' |while read FILE
+			echo "$(date) - Removing file: $FILE" >>$LOG
-                #        do
+			rm -f "$FILE"
-                #                echo "$(date) - Removing extracted file: $FILE" >> $LOG
+		done
-                #                rm -f "$FILE"
+	fi
                #        done
                #fi
-                ## Clean up Zeek extracted files processed by Strelka
+	## Clean up Suricata log files
-                STRELKA_FILES='/nsm/strelka/processed'
+	SURICATA_LOGS='/nsm/suricata'
-                OLDEST_STRELKA=$(find $STRELKA_FILES -type f -printf '%T+ %p\n' | sort -n | head -n 1 )
+	OLDEST_SURICATA=$(find $SURICATA_LOGS -type f -printf '%T+ %p\n' | sort -n | head -n 1)
-                if [ -z "$OLDEST_STRELKA" -o "$OLDEST_STRELKA" == ".." -o "$OLDEST_STRELKA" == "." ]
+	if [[ -z "$OLDEST_SURICATA" ]] || [[ "$OLDEST_SURICATA" == ".." ]] || [[ "$OLDEST_SURICATA" == "." ]]; then
-                then
+		echo "$(date) - No old files available to clean up in $SURICATA_LOGS" >>$LOG
-                        echo "$(date) - No old files available to clean up in $STRELKA_FILES" >> $LOG
+	else
-                else
+		OLDEST_SURICATA_DATE=$(echo $OLDEST_SURICATA | awk '{print $1}' | cut -d+ -f1)
-                        OLDEST_STRELKA_DATE=`echo $OLDEST_STRELKA | awk '{print $1}' | cut -d+ -f1`
+		OLDEST_SURICATA_FILE=$(echo $OLDEST_SURICATA | awk '{print $2}')
-                        OLDEST_STRELKA_FILE=`echo $OLDEST_STRELKA | awk '{print $2}'`
+		echo "$(date) - Removing logs for $OLDEST_SURICATA_DATE" >>$LOG
-                        echo "$(date) - Removing extracted files for $OLDEST_STRELKA_DATE" >> $LOG
+		find $SURICATA_LOGS -type f -printf '%T+ %p\n' | grep $OLDEST_SURICATA_DATE | awk '{print $2}' | while read FILE; do
-                        find $STRELKA_FILES -type f -printf '%T+ %p\n' | grep $OLDEST_STRELKA_DATE | awk '{print $2}' |while read FILE
+			echo "$(date) - Removing file: $FILE" >>$LOG
-                        do
+			rm -f "$FILE"
-                                echo "$(date) - Removing file: $FILE" >> $LOG
+		done
-                                rm -f "$FILE"
+	fi
                        done
                fi
-                ## Clean up Suricata log files
+	# Clean Wazuh archives
-                SURICATA_LOGS='/nsm/suricata'
+	# Slightly different code since we have 2 files to remove (.json and .log)
-                OLDEST_SURICATA=$(find $STRELKA_FILES -type f -printf '%T+ %p\n' | sort -n | head -n 1)
+	WAZUH_ARCHIVE='/nsm/wazuh/logs/archives'
-                if [ -z "$OLDEST_SURICATA" -o "$OLDEST_SURICATA" == ".." -o "$OLDEST_SURICATA" == "." ]
+	OLDEST_WAZUH=$(find $WAZUH_ARCHIVE -type f ! -name "archives.json" -printf "%T+\t%p\n" | sort -n | awk '{print $1}' | head -n 1)
-                then
+	# Make sure we don't delete the current files
-                        echo "$(date) - No old files available to clean up in $SURICATA_LOGS" >> $LOG
+	find $WAZUH_ARCHIVE -type f ! -name "archives.json" -printf "%T+\t%p\n" | sort -n | awk '{print $2}' | head -n 1 >/tmp/files$$
-                else
+	if [[ $(wc -l </tmp/files$$) -ge 1 ]]; then
-                        OLDEST_SURICATA_DATE=`echo $OLDEST_SURICATA | awk '{print $1}' | cut -d+ -f1`
+		echo "$(date) - Removing logs for $OLDEST_WAZUH" >>$LOG
-                        OLDEST_SURICATA_FILE=`echo $OLDEST_SURICATA | awk '{print $2}'`
+		while read -r line; do
-                        echo "$(date) - Removing logs for $OLDEST_SURICATA_DATE" >> $LOG
+			echo "$(date) - Removing file: $line" >>$LOG
-                        find $SURICATA_LOGS -type f -printf '%T+ %p\n' | grep $OLDEST_SURICATA_DATE | awk '{print $2}' |while read FILE
+			rm "$line"
-                        do
+		done </tmp/files$$
-                                echo "$(date) - Removing file: $FILE" >> $LOG
+	else
-                                rm -f "$FILE"
+		echo "$(date) - No old files available to clean up in $WAZUH_ARCHIVE" >>$LOG
-                        done
+	fi
-                fi
+	rm /tmp/files$$
-                ## Clean up extracted pcaps from Steno
+	## Clean up extracted pcaps from Steno
-                PCAPS='/nsm/pcapout'
+	PCAPS='/nsm/pcapout'
-                OLDEST_PCAP=$(find $PCAPS -type f -printf '%T+ %p\n' | sort -n | head -n 1 )
+	OLDEST_PCAP=$(find $PCAPS -type f -printf '%T+ %p\n' | sort -n | head -n 1)
-                if [ -z "$OLDEST_PCAP" -o "$OLDEST_PCAP" == ".." -o "$OLDEST_PCAP" == "." ]
+	if [ -z "$OLDEST_PCAP" -o "$OLDEST_PCAP" == ".." -o "$OLDEST_PCAP" == "." ]; then
-                then
+		echo "$(date) - No old files available to clean up in $PCAPS" >>$LOG
-                        echo "$(date) - No old files available to clean up in $PCAPS" >> $LOG
+	else
-                else
+		OLDEST_PCAP_DATE=$(echo $OLDEST_PCAP | awk '{print $1}' | cut -d+ -f1)
-                        OLDEST_PCAP_DATE=`echo $OLDEST_PCAP | awk '{print $1}' | cut -d+ -f1`
+		OLDEST_PCAP_FILE=$(echo $OLDEST_PCAP | awk '{print $2}')
-                        OLDEST_PCAP_FILE=`echo $OLDEST_PCAP | awk '{print $2}'`
+		echo "$(date) - Removing extracted files for $OLDEST_PCAP_DATE" >>$LOG
-                        echo "$(date) - Removing extracted files for $OLDEST_PCAP_DATE" >> $LOG
+		find $PCAPS -type f -printf '%T+ %p\n' | grep $OLDEST_PCAP_DATE | awk '{print $2}' | while read FILE; do
-                        find $PCAPS -type f -printf '%T+ %p\n' | grep $OLDEST_PCAP_DATE | awk '{print $2}' |while read FILE
+			echo "$(date) - Removing file: $FILE" >>$LOG
-                        do
+			rm -f "$FILE"
-                                echo "$(date) - Removing file: $FILE" >> $LOG
+		done
-                                rm -f "$FILE"
+	fi
                        done
                fi
 }
 # Check to see if we are already running
 IS_RUNNING=$(ps aux | grep "sensor_clean" | grep -v grep | wc -l)
-[ "$IS_RUNNING" -gt 2 ] && echo "$(date) - $IS_RUNNING sensor clean script processes running...exiting." >> $LOG && exit 0
+[ "$IS_RUNNING" -gt 2 ] && echo "$(date) - $IS_RUNNING sensor clean script processes running...exiting." >>$LOG && exit 0
 if [ "$CUR_USAGE" -gt "$CRIT_DISK_USAGE" ]; then
-    while [ "$CUR_USAGE" -gt "$CRIT_DISK_USAGE" ];
+	while [ "$CUR_USAGE" -gt "$CRIT_DISK_USAGE" ]; do
-        do
+		clean
-         clean
+		CUR_USAGE=$(df -P $SENSOR_DIR | tail -1 | awk '{print $5}' | tr -d %)
-         CUR_USAGE=$(df -P $SENSOR_DIR | tail -1 | awk '{print $5}' | tr -d %)
+	done
    done
 else
    echo "$(date) - Current usage value of $CUR_USAGE not greater than CRIT_DISK_USAGE value of $CRIT_DISK_USAGE..." >> $LOG
 fi
--- a/salt/common/tools/sbin/so-ssh-harden
+++ b/salt/common/tools/sbin/so-ssh-harden
@@ -0,0 +1,49 @@
 #!/bin/bash
 . /usr/sbin/so-common
 if [[ $1 =~ ^(q|--quiet) ]]; then
    quiet=true
 fi
 print_sshd_t() {
    local string=$1
    local state=$2
    echo "${state}:"
    sshd -T | grep "^${string}"
 }
 if ! [[ $quiet ]]; then print_sshd_t "ciphers" "Before"; fi
 sshd -T | grep "^ciphers" | sed -e "s/\(3des-cbc\|aes128-cbc\|aes192-cbc\|aes256-cbc\|arcfour\|arcfour128\|arcfour256\|blowfish-cbc\|cast128-cbc\|rijndael-cbc@lysator.liu.se\)\,\?//g" >> /etc/ssh/sshd_config
 if ! [[ $quiet ]]; then
    print_sshd_t "ciphers" "After"
    echo ""
 fi
 if ! [[ $quiet ]]; then print_sshd_t "kexalgorithms" "Before"; fi
 sshd -T | grep "^kexalgorithms" | sed -e "s/\(diffie-hellman-group14-sha1\|ecdh-sha2-nistp256\|diffie-hellman-group-exchange-sha256\|diffie-hellman-group1-sha1\|diffie-hellman-group-exchange-sha1\|ecdh-sha2-nistp521\|ecdh-sha2-nistp384\)\,\?//g" >> /etc/ssh/sshd_config
 if ! [[ $quiet ]]; then
    print_sshd_t "kexalgorithms" "After"
    echo ""
 fi
 if ! [[ $quiet ]]; then print_sshd_t "macs" "Before"; fi
 sshd -T | grep "^macs" | sed -e "s/\(hmac-sha2-512,\|umac-128@openssh.com,\|hmac-sha2-256,\|umac-64@openssh.com,\|hmac-sha1,\|hmac-sha1-etm@openssh.com,\|umac-64-etm@openssh.com,\|hmac-sha1\)//g" >> /etc/ssh/sshd_config
 if ! [[ $quiet ]]; then
    print_sshd_t "macs" "After"
    echo ""
 fi
 if ! [[ $quiet ]]; then print_sshd_t "hostkeyalgorithms" "Before"; fi
 sshd -T | grep "^hostkeyalgorithms" | sed "s|ecdsa-sha2-nistp256,||g" | sed "s|ssh-rsa,||g" >> /etc/ssh/sshd_config
 if ! [[ $quiet ]]; then
    print_sshd_t "hostkeyalgorithms" "After"
    echo ""
 fi
 {% if grains['os'] != 'CentOS' %}
 echo "----"
 echo "[ WARNING ] Any new ssh sessions will need to remove and reaccept the ECDSA key for this server before reconnecting."
 echo "----"
 {% endif %}
--- a/salt/common/tools/sbin/so-start
+++ b/salt/common/tools/sbin/so-start
@@ -19,18 +19,21 @@
 . /usr/sbin/so-common
-echo $banner
+if [ $# -ge 1 ]; then
-printf "Starting $1...\n\nThis could take a while if another Salt job is running. \nRun this command with --force to stop all Salt jobs before proceeding.\n"
+	echo $banner
-echo $banner
+	printf "Starting $1...\n\nThis could take a while if another Salt job is running. \nRun this command with --force to stop all Salt jobs before proceeding.\n"
 	echo $banner
-if [ "$2" = "--force" ]
+	if [ "$2" = "--force" ]; then
-then
+   		printf "\nForce-stopping all Salt jobs before proceeding\n\n"
-   printf "\nForce-stopping all Salt jobs before proceeding\n\n"
+   		salt-call saltutil.kill_all_jobs
-   salt-call saltutil.kill_all_jobs
+	fi
 	case $1 in
   		"all") salt-call state.highstate queue=True;;
   		"steno") if docker ps | grep -q so-$1; then printf "\n$1 is already running!\n\n"; else docker rm so-$1 >/dev/null 2>&1 ; salt-call state.apply pcap queue=True; fi ;; 
   		*) if docker ps | grep -E -q '^so-$1$'; then printf "\n$1 is already running\n\n"; else docker rm so-$1 >/dev/null 2>&1 ; salt-call state.apply $1 queue=True; fi ;; 
 	esac
 else
 	echo -e "\nPlease provide an argument by running like so-start $component, or by using the component-specific script.\nEx. so-start filebeat, or so-filebeat-start\n"	
 fi
 case $1 in
   "all") salt-call state.highstate queue=True;;
   "steno") if docker ps | grep -q so-$1; then printf "\n$1 is already running!\n\n"; else docker rm so-$1 >/dev/null 2>&1 ; salt-call state.apply pcap queue=True; fi ;; 
   *) if docker ps | grep -E -q '^so-$1$'; then printf "\n$1 is already running\n\n"; else docker rm so-$1 >/dev/null 2>&1 ; salt-call state.apply $1 queue=True; fi ;; 
 esac
--- a/salt/common/tools/sbin/so-status
+++ b/salt/common/tools/sbin/so-status
@@ -14,8 +14,6 @@
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 {%- from 'common/maps/so-status.map.jinja' import docker with context %}
 {%- set container_list = docker['containers'] | sort %}
 if ! [ "$(id -u)" = 0 ]; then
   echo "This command must be run as root"
@@ -23,13 +21,24 @@ if ! [ "$(id -u)" = 0 ]; then
 fi
 # Constants
 SYSTEM_START_TIME=$(date -d "$(</proc/uptime awk '{print $1}') seconds ago" +%s)
 # file populated by salt.lasthighstate state at end of successful highstate run
 LAST_HIGHSTATE_END=$([ -e "/opt/so/log/salt/lasthighstate" ] && date -r /opt/so/log/salt/lasthighstate +%s || echo 0)
 HIGHSTATE_RUNNING=$(salt-call --local saltutil.running --out=json | jq -r '.local[].fun' | grep -q 'state.highstate' && echo $?)
 ERROR_STRING="ERROR"
 SUCCESS_STRING="OK"
 PENDING_STRING="PENDING"
 MISSING_STRING='MISSING'
 DISABLED_STRING='DISABLED'
 WAIT_START_STRING='WAIT_START'
 STARTING_STRING='STARTING'
 CALLER=$(ps -o comm= $PPID)
 declare -a BAD_STATUSES=("removing" "paused" "exited" "dead")
 declare -a PENDING_STATUSES=("paused" "created" "restarting")
 declare -a GOOD_STATUSES=("running")
 declare -a DISABLED_CONTAINERS=()
 mapfile -t DISABLED_CONTAINERS < <(sort -u /opt/so/conf/so-status/so-status.conf | grep "^\s*#" | tr -d "#")
 declare -a temp_container_name_list=()
 declare -a temp_container_state_list=()
@@ -71,9 +80,9 @@ compare_lists() {
 # {% endraw %}
 create_expected_container_list() {
-    {% for item in container_list%}
+
-        expected_container_list+=("{{ item }}")
+    mapfile -t expected_container_list < <(sort -u /opt/so/conf/so-status/so-status.conf | tr -d "#")    
-    {% endfor %}
+
 }
 populate_container_lists() {
@@ -103,76 +112,140 @@ populate_container_lists() {
 parse_status() {
    local container_state=${1}
-
+    local service_name=${2}
    [[ $container_state = "missing" ]] && printf $MISSING_STRING && return 1
    for state in "${GOOD_STATUSES[@]}"; do
        [[ $container_state = "$state" ]] && printf $SUCCESS_STRING && return 0
    done
    for state in "${PENDING_STATUSES[@]}"; do
        [[ $container_state = "$state" ]] && printf $PENDING_STRING && return 0
    done
    # This is technically not needed since the default is error state
    for state in "${BAD_STATUSES[@]}"; do
-        [[ $container_state = "$state" ]] && printf $ERROR_STRING && return 1
+        [[ " ${DISABLED_CONTAINERS[@]} " =~ " ${service_name} " ]] && printf $DISABLED_STRING && return 0
    done
-    printf $ERROR_STRING && return 1
+    # if a highstate has finished running since the system has started
    # then the containers should be running so let's check the status
    if [ $LAST_HIGHSTATE_END -ge $SYSTEM_START_TIME ]; then
        [[ $container_state = "missing" ]] && printf $MISSING_STRING && return 1
        for state in "${PENDING_STATUSES[@]}"; do
            [[ $container_state = "$state" ]] && printf $PENDING_STRING && return 0
        done
        # This is technically not needed since the default is error state
        for state in "${BAD_STATUSES[@]}"; do
            [[ $container_state = "$state" ]] &&  printf $ERROR_STRING && return 1
        done
        printf $ERROR_STRING && return 1
    # if a highstate has not run since system start time, but a highstate is currently running
    # then show that the containers are STARTING
    elif [[ "$HIGHSTATE_RUNNING" == 0 ]]; then
        printf $STARTING_STRING && return 0
    # if a highstate has not finished running since system startup and isn't currently running
    # then just show that the containers are WAIT_START; waiting to be started
    else
        printf $WAIT_START_STRING && return 1
    fi
 }
 # {% raw %}
 print_line() {
    local service_name=${1}
-    local service_state="$( parse_status ${2} )"
+    local service_state="$( parse_status ${2} ${1} )"
    local columns=$(tput cols)
    local state_color="\e[0m"
-    local PADDING_CONSTANT=14
+    local PADDING_CONSTANT=15
-    if [[ $service_state = "$ERROR_STRING" ]] || [[ $service_state = "$MISSING_STRING" ]]; then
+    if [[ $service_state = "$ERROR_STRING" ]] || [[ $service_state = "$MISSING_STRING" ]] || [[ $service_state = "$WAIT_START_STRING" ]]; then
        state_color="\e[1;31m"
    elif [[ $service_state = "$SUCCESS_STRING" ]]; then
        state_color="\e[1;32m"
-    elif [[ $service_state = "$PENDING_STRING" ]]; then
+    elif [[ $service_state = "$PENDING_STRING" ]] || [[ $service_state = "$DISABLED_STRING" ]] || [[ $service_state = "$STARTING_STRING" ]]; then
        state_color="\e[1;33m"
    fi
    printf "    $service_name "
    for i in $(seq 0 $(( $columns - $PADDING_CONSTANT - ${#service_name} - ${#service_state} ))); do
-        printf "-"
+        printf "${state_color}%b\e[0m" "-"
    done
    printf " [ "
    printf "${state_color}%b\e[0m" "$service_state"
    printf "%s    \n" " ]"
 }
-main() {
+non_term_print_line() {
-    local focus_color="\e[1;34m"
+    local service_name=${1}
-    printf "\n"
+    local service_state="$( parse_status ${2} ${1} )"
    printf "${focus_color}%b\e[0m" "Checking Docker status\n\n"
-    systemctl is-active --quiet docker
+    printf "    $service_name "
-    if [[ $? = 0 ]]; then
+    for i in $(seq 0 $(( 35 - ${#service_name} - ${#service_state} ))); do
-        print_line "Docker" "running"
+        printf "-"
    else
        print_line "Docker" "exited"
    fi
    populate_container_lists
    printf "\n"
    printf "${focus_color}%b\e[0m" "Checking container statuses\n\n"
    local num_containers=${#container_name_list[@]}
    for i in $(seq 0 $(($num_containers - 1 ))); do
        print_line ${container_name_list[$i]} ${container_state_list[$i]}
    done
    printf " [ "
    printf "$service_state"
    printf "%s    \n" " ]"
 }
-    printf "\n"
+main() {
    # if running from salt
    if [ "$CALLER" == 'salt-call' ] ||  [ "$CALLER" == 'salt-minion' ]; then
      printf "\n"
      printf "Checking Docker status\n\n"
      systemctl is-active --quiet docker
      if [[ $? = 0 ]]; then
          non_term_print_line "Docker" "running"
      else
          non_term_print_line "Docker" "exited"
      fi
      populate_container_lists
      printf "\n"
      printf "Checking container statuses\n\n"
      local num_containers=${#container_name_list[@]}
      for i in $(seq 0 $(($num_containers - 1 ))); do
          non_term_print_line ${container_name_list[$i]} ${container_state_list[$i]}
      done
      printf "\n"
    # else if running from a terminal
    else
      local focus_color="\e[1;34m"
      printf "\n"
      printf "${focus_color}%b\e[0m" "Checking Docker status\n\n"
      systemctl is-active --quiet docker
      if [[ $? = 0 ]]; then
          print_line "Docker" "running"
      else
          print_line "Docker" "exited"
      fi
      populate_container_lists
      printf "\n"
      printf "${focus_color}%b\e[0m" "Checking container statuses\n\n"
      local num_containers=${#container_name_list[@]}
      for i in $(seq 0 $(($num_containers - 1 ))); do
          print_line ${container_name_list[$i]} ${container_state_list[$i]}
      done
      printf "\n"
    fi
 }
 # {% endraw %}
--- a/salt/common/tools/sbin/so-stop
+++ b/salt/common/tools/sbin/so-stop
@@ -19,11 +19,15 @@
 . /usr/sbin/so-common
-echo $banner
+if [ $# -ge 1 ]; then
-printf "Stopping $1...\n"
+	echo $banner
-echo $banner
+	printf "Stopping $1...\n"
 	echo $banner
-case $1 in
+	case $1 in
-    *) docker stop so-$1 ; docker rm so-$1 ;;
+    		*) docker stop so-$1 ; docker rm so-$1 ;;
-esac
+	esac
 else
 	echo -e "\nPlease provide an argument by running like so-stop $component, or by using the component-specific script.\nEx. so-stop filebeat, or so-filebeat-stop\n"	
 fi
--- a/salt/common/tools/sbin/so-tcpreplay
+++ b/salt/common/tools/sbin/so-tcpreplay
@@ -15,7 +15,7 @@
 #    You should have received a copy of the GNU General Public License
 #    along with this program.  If not, see <http://www.gnu.org/licenses/>.
-# Usage: so-tcpreplay "/opt/so/samples/*"
+# Usage: so-tcpreplay "/opt/samples/*"
 REPLAY_ENABLED=$(docker images | grep so-tcpreplay)
 REPLAY_RUNNING=$(docker ps | grep so-tcpreplay)
--- a/salt/common/tools/sbin/so-test
+++ b/salt/common/tools/sbin/so-test
@@ -0,0 +1,45 @@
 #!/bin/bash
 # Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
 #
 #    This program is free software: you can redistribute it and/or modify
 #    it under the terms of the GNU General Public License as published by
 #    the Free Software Foundation, either version 3 of the License, or
 #    (at your option) any later version.
 #
 #    This program is distributed in the hope that it will be useful,
 #    but WITHOUT ANY WARRANTY; without even the implied warranty of
 #    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 #    GNU General Public License for more details.
 #
 #    You should have received a copy of the GNU General Public License
 #    along with this program.  If not, see <http://www.gnu.org/licenses/>.
 # Usage: so-test
 . /usr/sbin/so-common
 REPLAY_ENABLED=$(docker images | grep so-tcpreplay)
 REPLAY_RUNNING=$(docker ps | grep so-tcpreplay)
 if  [ "$REPLAY_ENABLED" != "" ] && [ "$REPLAY_RUNNING" != "" ]; then
   echo
   echo "Preparing to replay PCAPs..."
   docker cp so-tcpreplay:/opt/samples /opt/samples
   docker exec -it so-tcpreplay /usr/local/bin/tcpreplay -i bond0 -M10 /opt/samples/*
   echo
   echo "PCAP's have been replayed - it is normal to see some warnings."
   echo
 else
  echo "Replay functionality not enabled!  Enabling Now...."
  echo
  echo "Note that you will need internet access to download the appropriate components"
  /usr/sbin/so-start tcpreplay
  echo "Replay functionality enabled.  Replaying PCAPs Now...."
  docker cp so-tcpreplay:/opt/samples /opt/samples
  docker exec -it so-tcpreplay /usr/local/bin/tcpreplay -i bond0 -M10 /opt/samples/*
  echo
  echo "PCAP's have been replayed - it is normal to see some warnings."
  echo
 fi
--- a/salt/common/tools/sbin/so-thehive-user-add
+++ b/salt/common/tools/sbin/so-thehive-user-add
@@ -0,0 +1,57 @@
 #!/bin/bash
 #
 # Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, either version 3 of the License, or
 # (at your option) any later version.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 . /usr/sbin/so-common
 usage() {
    echo "Usage: $0 <new-user-name>"
    echo ""
    echo "Adds a new user to TheHive. The new password will be read from STDIN."
    exit 1
 }
 if [ $# -ne 1 ]; then
  usage
 fi
 USER=$1
 THEHIVE_KEY=$(lookup_pillar hivekey)
 THEHVIE_API_URL="$(lookup_pillar url_base)/thehive/api"
 THEHIVE_USER=$USER
 # Read password for new user from stdin
 test -t 0
 if [[ $? == 0 ]]; then
  echo "Enter new password:"
 fi
 read -rs THEHIVE_PASS
 if ! check_password "$THEHIVE_PASS"; then
  echo "Password is invalid. Please exclude single quotes, double quotes and backslashes from the password."
  exit 2
 fi
 # Create new user in TheHive
 resp=$(curl -sk -XPOST -H "Authorization: Bearer $THEHIVE_KEY" -H "Content-Type: application/json" -L "https://$THEHVIE_API_URL/user" -d "{\"login\" : \"$THEHIVE_USER\",\"name\" : \"$THEHIVE_USER\",\"roles\" : [\"read\",\"alert\",\"write\",\"admin\"],\"preferences\" : \"{}\",\"password\" : \"$THEHIVE_PASS\"}")
 if [[ "$resp" =~ \"status\":\"Ok\" ]]; then
    echo "Successfully added user to TheHive"
 else
    echo "Unable to add user to TheHive; user might already exist"
    echo $resp
    exit 2
 fi
--- a/salt/common/tools/sbin/so-thehive-user-enable
+++ b/salt/common/tools/sbin/so-thehive-user-enable
@@ -0,0 +1,57 @@
 #!/bin/bash
 #
 # Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, either version 3 of the License, or
 # (at your option) any later version.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 . /usr/sbin/so-common
 usage() {
    echo "Usage: $0 <user-name> <true|false>"
    echo ""
    echo "Enables or disables a user in TheHive."
    exit 1
 }
 if [ $# -ne 2 ]; then
  usage
 fi
 USER=$1
 THEHIVE_KEY=$(lookup_pillar hivekey)
 THEHVIE_API_URL="$(lookup_pillar url_base)/thehive/api"
 THEHIVE_USER=$USER
 case "${2^^}" in
 	FALSE | NO | 0)
 		THEHIVE_STATUS=Locked
 		;;
 	TRUE | YES | 1)
 		THEHIVE_STATUS=Ok
 		;;
 	*)
 		usage
 		;;
 esac
 resp=$(curl -sk -XPATCH -H "Authorization: Bearer $THEHIVE_KEY" -H "Content-Type: application/json" -L "https://$THEHVIE_API_URL/user/${THEHIVE_USER}" -d "{\"status\":\"${THEHIVE_STATUS}\" }")
 if [[ "$resp" =~ \"status\":\"Locked\" || "$resp" =~ \"status\":\"Ok\" ]]; then
    echo "Successfully updated user in TheHive"
 else
    echo "Failed to update user in TheHive"
    echo "$resp"
    exit 2
 fi
--- a/salt/common/tools/sbin/so-user
+++ b/salt/common/tools/sbin/so-user
@@ -8,31 +8,21 @@
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
-got_root() {
+source $(dirname $0)/so-common
-  # Make sure you are root
+if [[ $# -lt 1 || $# -gt 2 ]]; then
-  if [ "$(id -u)" -ne 0 ]; then
+  echo "Usage: $0 <list|add|update|enable|disable|validate|valemail|valpass> [email]"
          echo "This script must be run using sudo!"
          exit 1
  fi
 }
 # Make sure the user is root
 got_root
 if [[ $# < 1 || $# > 2 ]]; then
  echo "Usage: $0 <list|add|update|delete|validate|valemail|valpass> [email]"
  echo ""
  echo "     list: Lists all user email addresses currently defined in the identity system"
  echo "      add: Adds a new user to the identity system; requires 'email' parameter"
  echo "   update: Updates a user's password; requires 'email' parameter"
-  echo "   delete: Deletes an existing user; requires 'email' parameter"
+  echo "   enable: Enables a user; requires 'email' parameter"
  echo "  disable: Disables a user; requires 'email' parameter"
  echo " validate: Validates that the given email address and password are acceptable for defining a new user; requires 'email' parameter"
  echo " valemail: Validates that the given email address is acceptable for defining a new user; requires 'email' parameter"
  echo "  valpass: Validates that a password is acceptable for defining a new user"
  echo ""
-  echo " Note that the password can be piped into stdin to avoid prompting for it."
+  echo " Note that the password can be piped into STDIN to avoid prompting for it"
  exit 1
 fi
@@ -66,15 +56,15 @@ function verifyEnvironment() {
  require "openssl"
  require "sqlite3"
  [[ ! -f $databasePath ]] && fail "Unable to find database file; specify path via KRATOS_DB_PATH environment variable"
-  response=$(curl -Ss ${kratosUrl}/)
+  response=$(curl -Ss -L ${kratosUrl}/)
  [[ "$response" != "404 page not found" ]] && fail "Unable to communicate with Kratos; specify URL via KRATOS_URL environment variable"
 }
 function findIdByEmail() {
  email=$1
-  response=$(curl -Ss ${kratosUrl}/identities)
+  response=$(curl -Ss -L ${kratosUrl}/identities)
-  identityId=$(echo "${response}" | jq ".[] | select(.addresses[0].value == \"$email\") | .id")
+  identityId=$(echo "${response}" | jq ".[] | select(.verifiable_addresses[0].value == \"$email\") | .id")
  echo $identityId
 }
@@ -100,14 +90,16 @@ function validateEmail() {
 function updatePassword() {
  identityId=$1
-  # Read password from stdin (show prompt only if no stdin was piped in)
+  if [ -z "$password" ]; then
-  test -t 0
+    # Read password from stdin (show prompt only if no stdin was piped in)
-  if [[ $? == 0 ]]; then
+    test -t 0
-    echo "Enter new password:"
+    if [[ $? == 0 ]]; then
-  fi
+      echo "Enter new password:"
-  read -s password
+    fi
    read -rs password
-  validatePassword "$password"
+    validatePassword "$password"
  fi
  if [[ -n $identityId ]]; then
    # Generate password hash
@@ -121,10 +113,10 @@ function updatePassword() {
 }
 function listUsers() {
-  response=$(curl -Ss ${kratosUrl}/identities)
+  response=$(curl -Ss -L ${kratosUrl}/identities)
  [[ $? != 0 ]] && fail "Unable to communicate with Kratos"
-  echo "${response}" | jq -r ".[] | .addresses[0].value" | sort
+  echo "${response}" | jq -r ".[] | .verifiable_addresses[0].value" | sort
 }
 function createUser() {
@@ -133,22 +125,13 @@ function createUser() {
  now=$(date -u +%FT%TZ)
  addUserJson=$(cat <<EOF
 {
  "addresses": [
    {
      "expires_at": "2099-01-31T12:00:00Z",
      "value": "${email}",
      "verified": true,
      "verified_at": "${now}",
      "via": "so-add-user"
    }
  ],
  "traits": {"email":"${email}"},
-  "traits_schema_id": "default"
+  "schema_id": "default"
 }
 EOF
  )
-  response=$(curl -Ss ${kratosUrl}/identities -d "$addUserJson")
+  response=$(curl -Ss -L ${kratosUrl}/identities -d "$addUserJson")
  [[ $? != 0 ]] && fail "Unable to communicate with Kratos"
  identityId=$(echo "${response}" | jq ".id")
@@ -163,6 +146,36 @@ EOF
  updatePassword $identityId
 }
 function updateStatus() {
  email=$1
  status=$2
  identityId=$(findIdByEmail "$email")
  [[ ${identityId} == "" ]] && fail "User not found"
  response=$(curl -Ss -L "${kratosUrl}/identities/$identityId")
  [[ $? != 0 ]] && fail "Unable to communicate with Kratos"
  oldConfig=$(echo "select config from identity_credentials where identity_id=${identityId};" | sqlite3 "$databasePath")
  if [[ "$status" == "locked" ]]; then
    config=$(echo $oldConfig | sed -e 's/hashed/locked/')
    echo "update identity_credentials set config=CAST('${config}' as BLOB) where identity_id=${identityId};" | sqlite3 "$databasePath"
    [[ $? != 0 ]] && fail "Unable to lock credential record"
    echo "delete from sessions where identity_id=${identityId};" | sqlite3 "$databasePath"
    [[ $? != 0 ]] && fail "Unable to invalidate sessions"    
  else
    config=$(echo $oldConfig | sed -e 's/locked/hashed/')
    echo "update identity_credentials set config=CAST('${config}' as BLOB) where identity_id=${identityId};" | sqlite3 "$databasePath"
    [[ $? != 0 ]] && fail "Unable to unlock credential record"
  fi  
  updatedJson=$(echo "$response" | jq ".traits.status = \"$status\" | del(.verifiable_addresses) | del(.id) | del(.schema_url)")
  response=$(curl -Ss -XPUT -L ${kratosUrl}/identities/$identityId -d "$updatedJson")
  [[ $? != 0 ]] && fail "Unable to mark user as locked"
 }
 function updateUser() {
  email=$1
@@ -178,7 +191,7 @@ function deleteUser() {
  identityId=$(findIdByEmail "$email")
  [[ ${identityId} == "" ]] && fail "User not found"
-  response=$(curl -Ss -XDELETE "${kratosUrl}/identities/$identityId")
+  response=$(curl -Ss -XDELETE -L "${kratosUrl}/identities/$identityId")
  [[ $? != 0 ]] && fail "Unable to communicate with Kratos"
 }
@@ -188,8 +201,11 @@ case "${operation}" in
    [[ "$email" == "" ]] && fail "Email address must be provided"
    validateEmail "$email"
    updatePassword
    createUser "$email"
-    echo "Successfully added new user"
+    echo "Successfully added new user to SOC"
    check_container thehive && echo $password | so-thehive-user-add "$email"
    check_container fleet && echo $password | so-fleet-user-add "$email"
    ;;
  "list")
@@ -205,12 +221,34 @@ case "${operation}" in
    echo "Successfully updated user"
    ;;
  "enable")
    verifyEnvironment
    [[ "$email" == "" ]] && fail "Email address must be provided"
    updateStatus "$email" 'active'
    echo "Successfully enabled user"
    check_container thehive && so-thehive-user-enable "$email" true
    check_container fleet && so-fleet-user-enable "$email" true   
    ;;
  "disable")
    verifyEnvironment
    [[ "$email" == "" ]] && fail "Email address must be provided"
    updateStatus "$email" 'locked'
    echo "Successfully disabled user"
    check_container thehive && so-thehive-user-enable "$email" false
    check_container fleet && so-fleet-user-enable "$email" false   
    ;;    
  "delete")
    verifyEnvironment
    [[ "$email" == "" ]] && fail "Email address must be provided"
    deleteUser "$email"
    echo "Successfully deleted user"
    check_container thehive && so-thehive-user-enable "$email" false
    check_container fleet && so-fleet-user-enable "$email" false
    ;;
  "validate")
--- a/salt/common/tools/sbin/so-user-disable
+++ b/salt/common/tools/sbin/so-user-disable
@@ -0,0 +1,2 @@
 #!/bin/bash
 so-user disable $*
--- a/salt/common/tools/sbin/so-user-enable
+++ b/salt/common/tools/sbin/so-user-enable
@@ -0,0 +1,2 @@
 #!/bin/bash
 so-user enable $*
--- a/salt/common/tools/sbin/so-user-list
+++ b/salt/common/tools/sbin/so-user-list
@@ -0,0 +1,2 @@
 #!/bin/bash
 so-user list
--- a/salt/common/tools/sbin/so-wazuh-agent-manage
+++ b/salt/common/tools/sbin/so-wazuh-agent-manage
@@ -0,0 +1,22 @@
 #!/bin/bash
 # Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
 #    This program is free software: you can redistribute it and/or modify
 #    it under the terms of the GNU General Public License as published by
 #    the Free Software Foundation, either version 3 of the License, or
 #    (at your option) any later version.
 #
 #    This program is distributed in the hope that it will be useful,
 #    but WITHOUT ANY WARRANTY; without even the implied warranty of
 #    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 #    GNU General Public License for more details.
 #
 #    You should have received a copy of the GNU General Public License
 #    along with this program.  If not, see <http://www.gnu.org/licenses/>.
 if docker ps |grep so-wazuh >/dev/null 2>&1; then
  docker exec -it so-wazuh /var/ossec/bin/manage_agents "$@"
 else
  echo "Wazuh manager is not running.  Please start it with so-wazuh-start."
 fi
--- a/salt/common/tools/sbin/so-wazuh-agent-upgrade
+++ b/salt/common/tools/sbin/so-wazuh-agent-upgrade
@@ -0,0 +1,22 @@
 #!/bin/bash
 # Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
 #    This program is free software: you can redistribute it and/or modify
 #    it under the terms of the GNU General Public License as published by
 #    the Free Software Foundation, either version 3 of the License, or
 #    (at your option) any later version.
 #
 #    This program is distributed in the hope that it will be useful,
 #    but WITHOUT ANY WARRANTY; without even the implied warranty of
 #    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 #    GNU General Public License for more details.
 #
 #    You should have received a copy of the GNU General Public License
 #    along with this program.  If not, see <http://www.gnu.org/licenses/>.
 if docker ps |grep so-wazuh >/dev/null 2>&1; then
  docker exec -it so-wazuh /var/ossec/bin/agent_upgrade "$@"
 else
  echo "Wazuh manager is not running.  Please start it with so-wazuh-start."
 fi
--- a/salt/common/tools/sbin/so-wazuh-user-add
+++ b/salt/common/tools/sbin/so-wazuh-user-add
@@ -0,0 +1,17 @@
 #!/bin/bash
 # Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
 #    This program is free software: you can redistribute it and/or modify
 #    it under the terms of the GNU General Public License as published by
 #    the Free Software Foundation, either version 3 of the License, or
 #    (at your option) any later version.
 #
 #    This program is distributed in the hope that it will be useful,
 #    but WITHOUT ANY WARRANTY; without even the implied warranty of
 #    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 #    GNU General Public License for more details.
 #
 #    You should have received a copy of the GNU General Public License
 #    along with this program.  If not, see <http://www.gnu.org/licenses/>.
 docker exec -it so-wazuh /usr/bin/node /var/ossec/api/configuration/auth/htpasswd /var/ossec/api/configuration/auth/user $1
--- a/salt/common/tools/sbin/so-wazuh-user-passwd
+++ b/salt/common/tools/sbin/so-wazuh-user-passwd
@@ -0,0 +1,17 @@
 #!/bin/bash
 # Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
 #    This program is free software: you can redistribute it and/or modify
 #    it under the terms of the GNU General Public License as published by
 #    the Free Software Foundation, either version 3 of the License, or
 #    (at your option) any later version.
 #
 #    This program is distributed in the hope that it will be useful,
 #    but WITHOUT ANY WARRANTY; without even the implied warranty of
 #    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 #    GNU General Public License for more details.
 #
 #    You should have received a copy of the GNU General Public License
 #    along with this program.  If not, see <http://www.gnu.org/licenses/>.
 docker exec -it so-wazuh /usr/bin/node /var/ossec/api/configuration/auth/htpasswd /var/ossec/api/configuration/auth/user $1
--- a/salt/common/tools/sbin/so-wazuh-user-remove
+++ b/salt/common/tools/sbin/so-wazuh-user-remove
@@ -0,0 +1,17 @@
 #!/bin/bash
 # Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
 #    This program is free software: you can redistribute it and/or modify
 #    it under the terms of the GNU General Public License as published by
 #    the Free Software Foundation, either version 3 of the License, or
 #    (at your option) any later version.
 #
 #    This program is distributed in the hope that it will be useful,
 #    but WITHOUT ANY WARRANTY; without even the implied warranty of
 #    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 #    GNU General Public License for more details.
 #
 #    You should have received a copy of the GNU General Public License
 #    along with this program.  If not, see <http://www.gnu.org/licenses/>.
 docker exec -it so-wazuh /usr/bin/node /var/ossec/api/configuration/auth/htpasswd -D /var/ossec/api/configuration/auth/user $1
--- a/salt/common/tools/sbin/so-yara-update
+++ b/salt/common/tools/sbin/so-yara-update
@@ -14,10 +14,10 @@
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 {%- set ISAIRGAP = salt['pillar.get']('global:airgap', 'False') %}
 clone_dir="/tmp"
 output_dir="/opt/so/saltstack/default/salt/strelka/rules"
-#mkdir -p $output_dir
+mkdir -p $output_dir
 repos="$output_dir/repos.txt"
 ignorefile="$output_dir/ignore.txt"
@@ -25,8 +25,70 @@ deletecounter=0
 newcounter=0
 updatecounter=0
-gh_status=$(curl -s -o /dev/null -w "%{http_code}" http://github.com)
+{% if ISAIRGAP is sameas true %}
 clone_dir="/nsm/repo/rules/strelka"
 repo_name="signature-base"
 mkdir -p /opt/so/saltstack/default/salt/strelka/rules/signature-base
 [ -f $clone_dir/LICENSE ] && cp $clone_dir/$repo_name/LICENSE $output_dir/$repo_name
 # Copy over rules
 for i in $(find $clone_dir/yara -name "*.yar*"); do
  rule_name=$(echo $i | awk -F '/' '{print $NF}')
  repo_sum=$(sha256sum $i | awk '{print $1}')
  # Check rules against those in ignore list -- don't copy if ignored.
  if ! grep -iq $rule_name $ignorefile; then
    existing_rules=$(find $output_dir/$repo_name/ -name $rule_name | wc -l)
    # For existing rules, check to see if they need to be updated, by comparing checksums
    if [ $existing_rules -gt 0 ];then
      local_sum=$(sha256sum $output_dir/$repo_name/$rule_name | awk '{print $1}')
      if [ "$repo_sum" != "$local_sum" ]; then
        echo "Checksums do not match!"
        echo "Updating $rule_name..."
        cp $i $output_dir/$repo_name;
        ((updatecounter++))
      fi
    else
      # If rule doesn't exist already, we'll add it
      echo "Adding new rule: $rule_name..."
      cp $i $output_dir/$repo_name
      ((newcounter++))
    fi
  fi;
 done
 # Check to see if we have any old rules that need to be removed
 for i in $(find $output_dir/$repo_name -name "*.yar*" | awk -F '/' '{print $NF}'); do
  is_repo_rule=$(find $clone_dir -name "$i" | wc -l)
  if [ $is_repo_rule -eq 0 ]; then
    echo "Could not find $i in source $repo_name repo...removing from $output_dir/$repo_name..."
    rm $output_dir/$repo_name/$i
    ((deletecounter++))
  fi
 done
 echo "Done!"
  if [ "$newcounter" -gt 0 ];then
    echo "$newcounter new rules added."
  fi
  if [ "$updatecounter" -gt 0 ];then
    echo "$updatecounter rules updated."
  fi
  if [ "$deletecounter" -gt 0 ];then
    echo "$deletecounter rules removed because they were deprecated or don't exist in the source repo."
  fi
 {% else %}
 gh_status=$(curl -s -o /dev/null -w "%{http_code}" http://github.com)
 clone_dir="/tmp"
 if [ "$gh_status" == "200" ]  || [ "$gh_status" == "301" ]; then
  while IFS= read -r repo; do
@@ -100,3 +162,4 @@ else
  echo "No connectivity to Github...exiting..."
  exit 1
 fi
 {%- endif -%}
--- a/salt/common/tools/sbin/so-zeek-logs
+++ b/salt/common/tools/sbin/so-zeek-logs
@@ -2,17 +2,14 @@
 local_salt_dir=/opt/so/saltstack/local
 zeek_logs_enabled() {
  echo "zeeklogs:" > $local_salt_dir/pillar/zeeklogs.sls
  echo "  enabled:" >> $local_salt_dir/pillar/zeeklogs.sls
-  for BLOG in ${BLOGS[@]}; do
+  for BLOG in "${BLOGS[@]}"; do
    echo "    - $BLOG" | tr -d '"' >> $local_salt_dir/pillar/zeeklogs.sls
  done
 }
 whiptail_manager_adv_service_zeeklogs() {
  BLOGS=$(whiptail --title "Security Onion Setup" --checklist "Please Select Logs to Send:" 24 78 12 \
  "conn" "Connection Logging" ON \
  "dce_rpc" "RPC Logs" ON \
@@ -52,7 +49,25 @@ whiptail_manager_adv_service_zeeklogs() {
  "mysql" "MySQL Logs" ON \
  "socks" "SOCKS Logs" ON \
  "x509" "x.509 Logs" ON 3>&1 1>&2 2>&3 )
  local exitstatus=$?
  IFS=' ' read -ra BLOGS <<< "$BLOGS"
  return $exitstatus
 }
 whiptail_manager_adv_service_zeeklogs
-zeek_logs_enabled
+return_code=$?
 case $return_code in
  1)
    whiptail --title "Security Onion Setup" --msgbox "Cancelling. No changes have been made." 8 75
    ;;
  255)
    whiptail --title "Security Onion Setup" --msgbox "Whiptail error occured, exiting." 8 75
    ;;
  *)
    zeek_logs_enabled
    ;;
 esac
--- a/salt/common/tools/sbin/soup
+++ b/salt/common/tools/sbin/soup
@@ -16,33 +16,118 @@
 #    along with this program.  If not, see <http://www.gnu.org/licenses/>.
 . /usr/sbin/so-common
 UPDATE_DIR=/tmp/sogh/securityonion
 INSTALLEDVERSION=$(cat /etc/soversion)
 INSTALLEDSALTVERSION=$(salt --versions-report | grep Salt: | awk {'print $2'})
 DEFAULT_SALT_DIR=/opt/so/saltstack/default
 BATCHSIZE=5
 SOUP_LOG=/root/soup.log
 exec 3>&1 1>${SOUP_LOG} 2>&1
-manager_check() {
+add_common() {
-  # Check to see if this is a manager
+  cp $UPDATE_DIR/salt/common/tools/sbin/so-common $DEFAULT_SALT_DIR/salt/common/tools/sbin/
-  MANAGERCHECK=$(cat /etc/salt/grains | grep role | awk '{print $2}')
+  cp $UPDATE_DIR/salt/common/tools/sbin/so-image-common $DEFAULT_SALT_DIR/salt/common/tools/sbin/
-  if [[ "$MANAGERCHECK" =~ ^('so-eval'|'so-manager'|'so-standalone'|'so-managersearch'|'so-import')$ ]]; then
+  salt-call state.apply common queue=True
-    echo "This is a manager. We can proceed."
+  echo "Run soup one more time"
-    MINIONID=$(salt-call grains.get id --out=txt|awk -F: {'print $2'}|tr -d ' ')
+  exit 0
 }
 airgap_mounted() {
  # Let's see if the ISO is already mounted. 
  if [ -f /tmp/soagupdate/SecurityOnion/VERSION ]; then
    echo "The ISO is already mounted"
  else
-    echo "Please run soup on the manager. The manager controls all updates."
+    echo ""
-    exit 0
+    echo "Looks like we need access to the upgrade content"
    echo "" 
    echo "If you just copied the .iso file over you can specify the path."
    echo "If you burned the ISO to a disk the standard way you can specify the device."
    echo "Example: /home/user/securityonion-2.X.0.iso"
    echo "Example: /dev/sdx1"
    echo ""
    read -p 'Enter the location of the iso: ' ISOLOC
    if [ -f $ISOLOC ]; then
      # Mounting the ISO image
      mkdir -p /tmp/soagupdate
      mount -t iso9660 -o loop $ISOLOC /tmp/soagupdate
      # Make sure mounting was successful
      if [ ! -f /tmp/soagupdate/SecurityOnion/VERSION ]; then
        echo "Something went wrong trying to mount the ISO."
        echo "Ensure you verify the ISO that you downloaded."
        exit 0
      else
        echo "ISO has been mounted!"
      fi  
    elif [ -f $ISOLOC/SecurityOnion/VERSION ]; then
      ln -s $ISOLOC /tmp/soagupdate
      echo "Found the update content"
    else 
      mkdir -p /tmp/soagupdate
      mount $ISOLOC /tmp/soagupdate
      if [ ! -f /tmp/soagupdate/SecurityOnion/VERSION ]; then
        echo "Something went wrong trying to mount the device."
        echo "Ensure you verify the ISO that you downloaded."
        exit 0
      else
        echo "Device has been mounted!"
      fi        
    fi
  fi
 }
 airgap_update_dockers() {
  if [ $is_airgap -eq 0 ]; then
    # Let's copy the tarball
    if [ ! -f $AGDOCKER/registry.tar ]; then
      echo "Unable to locate registry. Exiting"
      exit 1
    else
      echo "Stopping the registry docker"
      docker stop so-dockerregistry
      docker rm so-dockerregistry
      echo "Copying the new dockers over"
      tar xvf $AGDOCKER/registry.tar -C /nsm/docker-registry/docker
      echo "Add Registry back"
      docker load -i $AGDOCKER/registry_image.tar
    fi
  fi
 }
 update_registry() {
  docker stop so-dockerregistry
  docker rm so-dockerregistry
  salt-call state.apply registry queue=True
 }
 check_airgap() {
  # See if this is an airgap install
  AIRGAP=$(cat /opt/so/saltstack/local/pillar/global.sls | grep airgap | awk '{print $2}')
  if [[ "$AIRGAP" == "True" ]]; then
      is_airgap=0
      UPDATE_DIR=/tmp/soagupdate/SecurityOnion
      AGDOCKER=/tmp/soagupdate/docker
      AGREPO=/tmp/soagupdate/Packages
  else 
      is_airgap=1
  fi
 }
 check_sudoers() {
 	if grep -q "so-setup" /etc/sudoers; then
 		echo "There is an entry for so-setup in the sudoers file, this can be safely deleted using \"visudo\"."
 	fi
 }
 clean_dockers() {
  # Place Holder for cleaning up old docker images
-  echo ""
+  echo "Trying to clean up old dockers."
  docker system prune -a -f
 }
 clone_to_tmp() {
  # TODO Need to add a air gap option
  # Clean old files
  rm -rf /tmp/sogh
  # Make a temp location for the files
@@ -62,7 +147,7 @@ clone_to_tmp() {
 copy_new_files() {
  # Copy new files over to the salt dir
-  cd /tmp/sogh/securityonion
+  cd $UPDATE_DIR
  rsync -a salt $DEFAULT_SALT_DIR/
  rsync -a pillar $DEFAULT_SALT_DIR/
  chown -R socore:socore $DEFAULT_SALT_DIR/
@@ -70,21 +155,9 @@ copy_new_files() {
  cd /tmp
 }
 detect_os() {
 	# Detect Base OS
 	echo "Determining Base OS." >> "$SOUP_LOG" 2>&1
 	if [ -f /etc/redhat-release ]; then
 		OS="centos"
 	elif [ -f /etc/os-release ]; then
 		OS="ubuntu"
 	fi
 	echo "Found OS: $OS" >> "$SOUP_LOG" 2>&1
 }
 highstate() {
-  # Run a highstate but first cancel a running one.
+  # Run a highstate.
-  salt-call saltutil.kill_all_jobs
+  salt-call state.highstate -l info queue=True
  salt-call state.highstate -l info
 }
 masterlock() {
@@ -111,7 +184,7 @@ masterunlock() {
 playbook() {
  echo "Applying playbook settings"
  if [[ "$INSTALLEDVERSION" =~ rc.1 ]]; then
-    salt-call state.apply playbook.db_init
+    salt-call state.apply playbook.OLD_db_init
    rm -f /opt/so/rules/elastalert/playbook/*.yaml
    so-playbook-ruleupdate >> /root/soup_playbook_rule_update.log 2>&1 &
  fi
@@ -121,131 +194,123 @@ pillar_changes() {
    # This function is to add any new pillar items if needed.
    echo "Checking to see if pillar changes are needed."
-    # Move baseurl in global.sls
+    [[ "$INSTALLEDVERSION" =~ rc.1 ]] && rc1_to_rc2
-    if [[ "$INSTALLEDVERSION" =~ rc.1 ]]; then
+    [[ "$INSTALLEDVERSION" =~ rc.2 ]] && rc2_to_rc3
-      # Move the static file to global.sls
+    [[ "$INSTALLEDVERSION" =~ rc.3 ]] && rc3_to_2.3.0
      echo "Migrating static.sls to global.sls"
      mv -v /opt/so/saltstack/local/pillar/static.sls /opt/so/saltstack/local/pillar/global.sls >> "$SOUP_LOG" 2>&1
      sed -i '1c\global:' /opt/so/saltstack/local/pillar/global.sls >> "$SOUP_LOG" 2>&1
      # Moving baseurl from minion sls file to inside global.sls
      local line=$(grep '^  url_base:' /opt/so/saltstack/local/pillar/minions/$MINIONID.sls)
      sed -i '/^  url_base:/d' /opt/so/saltstack/local/pillar/minions/$MINIONID.sls;
      sed -i "/^global:/a \\$line" /opt/so/saltstack/local/pillar/global.sls;
      # Adding play values to the global.sls
      local HIVEPLAYSECRET=$(tr -dc 'a-zA-Z0-9' < /dev/urandom  | fold -w 20 | head -n 1)
  	  local CORTEXPLAYSECRET=$(tr -dc 'a-zA-Z0-9' < /dev/urandom  | fold -w 20 | head -n 1)
      sed -i "/^global:/a \\  hiveplaysecret: $HIVEPLAYSECRET" /opt/so/saltstack/local/pillar/global.sls;
      sed -i "/^global:/a \\  cortexplaysecret: $CORTEXPLAYSECRET" /opt/so/saltstack/local/pillar/global.sls;
      # Move storage nodes to hostname for SSL
      # Get a list we can use:
      grep -A1 searchnode /opt/so/saltstack/local/pillar/data/nodestab.sls | grep -v '\-\-' | sed '$!N;s/\n/ /' | awk '{print $1,$3}' | awk '/_searchnode:/{gsub(/\_searchnode:/, "_searchnode"); print}' >/tmp/nodes.txt
      # Remove the nodes from cluster settings
      while read p; do
        local NAME=$(echo $p | awk '{print $1}')
        local IP=$(echo $p | awk '{print $2}')
        echo "Removing the old cross cluster config for $NAME"
        curl -XPUT -H 'Content-Type: application/json' http://localhost:9200/_cluster/settings -d '{"persistent":{"cluster":{"remote":{"'$NAME'":{"skip_unavailable":null,"seeds":null}}}}}'
      done </tmp/nodes.txt
      # Add the nodes back using hostname
      while read p; do
        local NAME=$(echo $p | awk '{print $1}')
        local EHOSTNAME=$(echo $p | awk -F"_" '{print $1}')
 	local IP=$(echo $p | awk '{print $2}')
        echo "Adding the new cross cluster config for $NAME"
        curl -XPUT http://localhost:9200/_cluster/settings -H'Content-Type: application/json' -d '{"persistent": {"search": {"remote": {"'$NAME'": {"skip_unavailable": "true", "seeds": ["'$EHOSTNAME':9300"]}}}}}'
      done </tmp/nodes.txt
    fi
 }
-update_dockers() {
+rc1_to_rc2() {
    # List all the containers
    if [ $MANAGERCHECK == 'so-import' ]; then
      TRUSTED_CONTAINERS=( \
      "so-idstools" \
      "so-nginx" \
      "so-filebeat" \
      "so-suricata" \
      "so-soc" \
      "so-elasticsearch" \
      "so-kibana" \
      "so-kratos" \
      "so-suricata" \
      "so-registry" \
      "so-pcaptools" \
      "so-zeek" )
    elif [ $MANAGERCHECK != 'so-helix' ]; then
      TRUSTED_CONTAINERS=( \
      "so-acng" \
      "so-thehive-cortex" \
      "so-curator" \
      "so-domainstats" \
      "so-elastalert" \
      "so-elasticsearch" \
      "so-filebeat" \
      "so-fleet" \
      "so-fleet-launcher" \
      "so-freqserver" \
      "so-grafana" \
      "so-idstools" \
      "so-influxdb" \
      "so-kibana" \
      "so-kratos" \
      "so-logstash" \
      "so-minio" \
      "so-mysql" \
      "so-nginx" \
      "so-pcaptools" \
      "so-playbook" \
      "so-redis" \
      "so-soc" \
      "so-soctopus" \
      "so-steno" \
      "so-strelka-frontend" \
      "so-strelka-manager" \
      "so-strelka-backend" \
      "so-strelka-filestream" \
      "so-suricata" \
      "so-telegraf" \
      "so-thehive" \
      "so-thehive-es" \
      "so-wazuh" \
      "so-zeek" )
    else
      TRUSTED_CONTAINERS=( \
      "so-filebeat" \
      "so-idstools" \
      "so-logstash" \
      "so-nginx" \
      "so-redis" \
      "so-steno" \
      "so-suricata" \
      "so-telegraf" \
      "so-zeek" )
    fi
-# Download the containers from the interwebs
+  # Move the static file to global.sls
-    for i in "${TRUSTED_CONTAINERS[@]}"
+  echo "Migrating static.sls to global.sls"
-    do
+  mv -v /opt/so/saltstack/local/pillar/static.sls /opt/so/saltstack/local/pillar/global.sls >> "$SOUP_LOG" 2>&1
-      # Pull down the trusted docker image
+  sed -i '1c\global:' /opt/so/saltstack/local/pillar/global.sls >> "$SOUP_LOG" 2>&1
      echo "Downloading $i:$NEWVERSION"
      docker pull --disable-content-trust=false docker.io/$IMAGEREPO/$i:$NEWVERSION
      # Tag it with the new registry destination
      docker tag $IMAGEREPO/$i:$NEWVERSION $HOSTNAME:5000/$IMAGEREPO/$i:$NEWVERSION
      docker push $HOSTNAME:5000/$IMAGEREPO/$i:$NEWVERSION 
    done
  # Moving baseurl from minion sls file to inside global.sls
  local line=$(grep '^  url_base:' /opt/so/saltstack/local/pillar/minions/$MINIONID.sls)
  sed -i '/^  url_base:/d' /opt/so/saltstack/local/pillar/minions/$MINIONID.sls;
  sed -i "/^global:/a \\$line" /opt/so/saltstack/local/pillar/global.sls;
  # Adding play values to the global.sls
  local HIVEPLAYSECRET=$(tr -dc 'a-zA-Z0-9' < /dev/urandom  | fold -w 20 | head -n 1)
  local CORTEXPLAYSECRET=$(tr -dc 'a-zA-Z0-9' < /dev/urandom  | fold -w 20 | head -n 1)
  sed -i "/^global:/a \\  hiveplaysecret: $HIVEPLAYSECRET" /opt/so/saltstack/local/pillar/global.sls;
  sed -i "/^global:/a \\  cortexplaysecret: $CORTEXPLAYSECRET" /opt/so/saltstack/local/pillar/global.sls;
  # Move storage nodes to hostname for SSL
  # Get a list we can use:
  grep -A1 searchnode /opt/so/saltstack/local/pillar/data/nodestab.sls | grep -v '\-\-' | sed '$!N;s/\n/ /' | awk '{print $1,$3}' | awk '/_searchnode:/{gsub(/\_searchnode:/, "_searchnode"); print}' >/tmp/nodes.txt
  # Remove the nodes from cluster settings
  while read p; do
  local NAME=$(echo $p | awk '{print $1}')
  local IP=$(echo $p | awk '{print $2}')
  echo "Removing the old cross cluster config for $NAME"
  curl -XPUT -H 'Content-Type: application/json' http://localhost:9200/_cluster/settings -d '{"persistent":{"cluster":{"remote":{"'$NAME'":{"skip_unavailable":null,"seeds":null}}}}}'
  done </tmp/nodes.txt
  # Add the nodes back using hostname
  while read p; do
      local NAME=$(echo $p | awk '{print $1}')
      local EHOSTNAME=$(echo $p | awk -F"_" '{print $1}')
 	    local IP=$(echo $p | awk '{print $2}')
      echo "Adding the new cross cluster config for $NAME"
      curl -XPUT http://localhost:9200/_cluster/settings -H'Content-Type: application/json' -d '{"persistent": {"search": {"remote": {"'$NAME'": {"skip_unavailable": "true", "seeds": ["'$EHOSTNAME':9300"]}}}}}'
  done </tmp/nodes.txt
  INSTALLEDVERSION=rc.2
 }
 rc2_to_rc3() {
  # move location of local.rules
  cp /opt/so/saltstack/default/salt/idstools/localrules/local.rules /opt/so/saltstack/local/salt/idstools/local.rules
  if [ -f /opt/so/saltstack/local/salt/idstools/localrules/local.rules ]; then
    cat /opt/so/saltstack/local/salt/idstools/localrules/local.rules >> /opt/so/saltstack/local/salt/idstools/local.rules
  fi
  rm -rf /opt/so/saltstack/local/salt/idstools/localrules
  rm -rf /opt/so/saltstack/default/salt/idstools/localrules
  # Rename mdengine to MDENGINE
  sed -i "s/  zeekversion/  mdengine/g" /opt/so/saltstack/local/pillar/global.sls
  # Enable Strelka Rules
  sed -i "/  rules:/c\  rules: 1" /opt/so/saltstack/local/pillar/global.sls
  INSTALLEDVERSION=rc.3
 }
 rc3_to_2.3.0() {
  # Fix Tab Complete
  if [ ! -f /etc/profile.d/securityonion.sh ]; then
    echo "complete -cf sudo" > /etc/profile.d/securityonion.sh
  fi
  {
      echo "redis_settings:"
      echo "  redis_maxmemory: 827"
      echo "playbook:"
      echo "  api_key: de6639318502476f2fa5aa06f43f51fb389a3d7f" 
  } >> /opt/so/saltstack/local/pillar/global.sls
  sed -i 's/playbook:/playbook_db:/' /opt/so/saltstack/local/pillar/secrets.sls
  {
    echo "playbook_admin: $(tr -dc 'a-zA-Z0-9' < /dev/urandom | fold -w 20 | head -n 1)"
    echo "playbook_automation: $(tr -dc 'a-zA-Z0-9' < /dev/urandom | fold -w 20 | head -n 1)"
  } >> /opt/so/saltstack/local/pillar/secrets.sls
 }
 space_check() {
  # Check to see if there is enough space
  CURRENTSPACE=$(df -BG / | grep -v Avail | awk '{print $4}' | sed 's/.$//')
  if [ "$CURRENTSPACE" -lt "10" ]; then
      echo "You are low on disk space. Upgrade will try and clean up space.";
      clean_dockers
  else
      echo "Plenty of space for upgrading"
  fi
 }
 unmount_update() {
  cd /tmp
  umount /tmp/soagupdate
 }
 update_centos_repo() {
  # Update the files in the repo
  echo "Syncing new updates to /nsm/repo"
  rsync -av $AGREPO/* /nsm/repo/
  echo "Creating repo"
  createrepo /nsm/repo
 }
 update_version() {
  # Update the version to the latest
  echo "Updating the Security Onion version file."
  echo $NEWVERSION > /etc/soversion
-  sed -i "s/$INSTALLEDVERSION/$NEWVERSION/g" /opt/so/saltstack/local/pillar/global.sls
+  sed -i "/  soversion:/c\  soversion: $NEWVERSION" /opt/so/saltstack/local/pillar/global.sls
 }
 upgrade_check() {
@@ -262,6 +327,10 @@ upgrade_check_salt() {
    if [ "$INSTALLEDSALTVERSION" == "$NEWSALTVERSION" ]; then
      echo "You are already running the correct version of Salt for Security Onion."
    else
      UPGRADESALT=1
    fi
 }   
 upgrade_salt() {
      SALTUPGRADED=True
      echo "Performing upgrade of Salt from $INSTALLEDSALTVERSION to $NEWSALTVERSION."
      echo ""
@@ -272,7 +341,11 @@ upgrade_check_salt() {
        yum versionlock delete "salt-*"
        echo "Updating Salt packages and restarting services."
        echo ""
-        sh $UPDATE_DIR/salt/salt/scripts/bootstrap-salt.sh -F -M -x python3 stable "$NEWSALTVERSION"
+	if [ $is_airgap -eq 0 ]; then
          sh $UPDATE_DIR/salt/salt/scripts/bootstrap-salt.sh -r -F -M -x python3 stable "$NEWSALTVERSION"
 	else 
          sh $UPDATE_DIR/salt/salt/scripts/bootstrap-salt.sh -F -M -x python3 stable "$NEWSALTVERSION"
 	fi
        echo "Applying yum versionlock for Salt."
        echo ""
        yum versionlock add "salt-*"
@@ -292,13 +365,12 @@ upgrade_check_salt() {
        apt-mark hold "salt-master"
        apt-mark hold "salt-minion"
      fi
    fi 
 }
 verify_latest_update_script() {
    # Check to see if the update scripts match. If not run the new one.
    CURRENTSOUP=$(md5sum /opt/so/saltstack/default/salt/common/tools/sbin/soup | awk '{print $1}')
-    GITSOUP=$(md5sum /tmp/sogh/securityonion/salt/common/tools/sbin/soup | awk '{print $1}')
+    GITSOUP=$(md5sum $UPDATE_DIR/salt/common/tools/sbin/soup | awk '{print $1}')
    if [[ "$CURRENTSOUP" == "$GITSOUP" ]]; then
      echo "This version of the soup script is up to date. Proceeding."
    else
@@ -329,13 +401,28 @@ done
 echo "Checking to see if this is a manager."
 echo ""
-manager_check
+require_manager
 set_minionid
 echo "Checking to see if this is an airgap install"
 echo ""
 check_airgap
 echo "Found that Security Onion $INSTALLEDVERSION is currently installed."
 echo ""
-detect_os
+set_os
 echo ""
-echo "Cloning Security Onion github repo into $UPDATE_DIR."
+if [ $is_airgap -eq 0 ]; then
-clone_to_tmp
+  # Let's mount the ISO since this is airgap
  airgap_mounted
 else
  echo "Cloning Security Onion github repo into $UPDATE_DIR."
  clone_to_tmp
 fi
 if [ -f /usr/sbin/so-image-common ]; then
  . /usr/sbin/so-image-common
 else 
 add_common
 fi
 echo ""
 echo "Verifying we have the latest soup script."
 verify_latest_update_script
@@ -343,30 +430,64 @@ echo ""
 echo "Let's see if we need to update Security Onion."
 upgrade_check
 space_check
 echo "Checking for Salt Master and Minion updates."
 upgrade_check_salt
 echo ""
 echo "Performing upgrade from Security Onion $INSTALLEDVERSION to Security Onion $NEWVERSION."
 echo ""
 echo "Updating dockers to $NEWVERSION."
 if [ $is_airgap -eq 0 ]; then
  airgap_update_dockers
 else
  update_registry
  update_docker_containers "soup"
 fi
 echo ""
 echo "Stopping Salt Minion service."
 systemctl stop salt-minion
 echo "Killing any remaining Salt Minion processes."
 pkill -9 -ef /usr/bin/salt-minion
 echo ""
 echo "Stopping Salt Master service."
 systemctl stop salt-master
 echo ""
 echo "Checking for Salt Master and Minion updates."
 upgrade_check_salt
 # Does salt need upgraded. If so update it.
 if [ "$UPGRADESALT" == "1" ]; then
  echo "Upgrading Salt"
  # Update the repo files so it can actually upgrade
  if [ $is_airgap -eq 0 ]; then
    update_centos_repo
    yum clean all
  fi
  upgrade_salt
 fi
 echo "Checking if Salt was upgraded."
 echo ""
 # Check that Salt was upgraded
 if [[ $(salt --versions-report | grep Salt: | awk {'print $2'}) != "$NEWSALTVERSION" ]]; then
  echo "Salt upgrade failed. Check of indicators of failure in $SOUP_LOG."
  echo "Once the issue is resolved, run soup again."
  echo "Exiting."
  echo ""
  exit 1
 else
  echo "Salt upgrade success."
  echo ""
 fi
 echo "Making pillar changes."
 pillar_changes
 echo ""
-echo "Cleaning up old dockers."
+# Only update the repo if its airgap
-clean_dockers
+if [[ $is_airgap -eq 0 ]] && [[ "$UPGRADESALT" != "1" ]]; then
-echo ""
+update_centos_repo
-echo "Updating dockers to $NEWVERSION."
+fi
 update_dockers
 echo ""
 echo "Copying new Security Onion code from $UPDATE_DIR to $DEFAULT_SALT_DIR."
@@ -382,9 +503,19 @@ echo ""
 echo "Starting Salt Master service."
 systemctl start salt-master
 # Only regenerate osquery packages if Fleet is enabled
 FLEET_MANAGER=$(lookup_pillar fleet_manager)
 FLEET_NODE=$(lookup_pillar fleet_node)
 if [[ "$FLEET_MANAGER" == "True" || "$FLEET_NODE" == "True" ]]; then
  echo ""
  echo "Regenerating Osquery Packages.... This will take several minutes."
  salt-call state.apply fleet.event_gen-packages -l info queue=True
  echo ""
 fi
 echo ""
 echo "Running a highstate to complete the Security Onion upgrade on this manager. This could take several minutes."
-highstate
+salt-call state.highstate -l info queue=True
 echo ""
 echo "Upgrade from $INSTALLEDVERSION to $NEWVERSION complete."
@@ -397,17 +528,23 @@ masterunlock
 echo ""
 echo "Starting Salt Master service."
 systemctl start salt-master
-highstate
+echo "Running a highstate. This could take several minutes."
 salt-call state.highstate -l info queue=True
 playbook
 unmount_update
-SALTUPGRADED="True"
+if [ "$UPGRADESALT" == "1" ]; then
 if [[ "$SALTUPGRADED" == "True" ]]; then
  echo ""
  echo "Upgrading Salt on the remaining Security Onion nodes from $INSTALLEDSALTVERSION to $NEWSALTVERSION."
-  salt -C 'not *_eval and not *_helix and not *_manager and not *_managersearch and not *_standalone' -b $BATCHSIZE state.apply salt.minion 
+  if [ $is_airgap -eq 0 ]; then
    salt -C 'not *_eval and not *_helix and not *_manager and not *_managersearch and not *_standalone' cmd.run "yum clean all"
  fi
  salt -C 'not *_eval and not *_helix and not *_manager and not *_managersearch and not *_standalone' -b $BATCHSIZE state.apply salt.minion queue=True
  echo ""
 fi
 check_sudoers
 }
 main "$@" | tee /dev/fd/3
--- a/Show More
+++ b/Show More
		`@@ -0,0 +1,2 @@`
							`#!/bin/bash`
							`logrotate -f /opt/so/conf/log-rotate.conf >/dev/null 2>&1`
		`@@ -0,0 +1,2 @@`
							`#!/bin/bash`
							`/usr/sbin/logrotate -f /opt/so/conf/sensor-rotate.conf > /dev/null 2>&1`
		`@@ -0,0 +1 @@`
							<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 87.86 105.22"><defs><style>.cls-1{fill:#fff;}.cls-2{fill:#1976d2;}</style></defs><g id="Layer_2" data-name="Layer 2"><g id="Layer_1-2" data-name="Layer 1"><g id="Onion"><path id="Flesh" class="cls-1" d="M43.37,71.34a1.27,1.27,0,0,0,.44-.51,4.74,4.74,0,0,0,.61-2.39c-.12-6.79-.22-12.88-4-14.46-4.05-1.72-9.38,3.14-10.71,4.35a19.84,19.84,0,0,0-6.17,12.34c-.1,1-.76,9.34,5.46,15.41s15.45,6.06,21.72,3.53A22.25,22.25,0,0,0,61.88,79.16c5.31-10,1.61-20.31.85-22.3C57.78,44,43.35,36.11,29.88,36.78c-2.17.11-15.82,1-24.16,12.42A30.55,30.55,0,0,0,0,67.36c.15,16.14,13.38,29.51,26.23,34.7,12.61,5.1,24,2.76,28.78,1.65s17.12-4,25.53-15.08a34.47,34.47,0,0,0,7.24-18.46,34.79,34.79,0,0,0-3.42-17.32c-1.11-2.3-6.16-12.09-17-17C57,31.21,48.52,34.37,45.65,29.12a8.46,8.46,0,0,1-.41-6.21,1,1,0,0,0-1.05-1.28l-1.6,0a1.07,1.07,0,0,0-1,.8c-.66,2.51-1.12,6,.51,9.17C46,39.08,56.87,35.31,67.56,42.78c8.29,5.79,14.14,16.69,13.21,27.29a28.06,28.06,0,0,1-6,14.65c-7,9-17,11.29-21.82,12.38-4,.9-13.19,2.87-23.54-.93-2.65-1-20.33-8.29-22.38-25C5.72,60.55,13,48.9,24.21,44.93c13-4.6,27.26,2.75,32.09,13.26.58,1.25,4.85,10.93-.59,18.72-4.05,5.79-13.07,9.94-19.77,6A13.48,13.48,0,0,1,30,68.25c1.42-5,6.37-8.72,8.13-7.84s2.94,6.14,3,9.85A1.39,1.39,0,0,0,43.37,71.34Z"/><path id="Stem" class="cls-2" d="M30,27.14l-4.17,1.27a1.16,1.16,0,0,1-1.49-.93l-.11-.72a26.93,26.93,0,0,0-4.53-11.09A1.13,1.13,0,0,1,20.06,14l1.06-.63a1.15,1.15,0,0,1,1.52.32c.41.58.82,1.17,1.23,1.78l1.48,2.2C28.42,7.27,37.14.12,46.21,0,58.09-.16,65.59,10.67,68,17.63a23.37,23.37,0,0,1,.94,3.64.91.91,0,0,1-1.14,1l-2.66-.73a1.47,1.47,0,0,1-1-1.08,19.71,19.71,0,0,0-1.9-4.8c-3-5.44-9.67-11.21-16.55-10.59-7.74.7-15.22,9.46-14.85,20.91A1.14,1.14,0,0,1,30,27.14Z"/></g></g></g></svg>