Merge remote-tracking branch 'remotes/origin/dev' into feature/users

.github/.gitleaks.toml

@@ -1,546 +0,0 @@
-title = "gitleaks config"
-
-# Gitleaks rules are defined by regular expressions and entropy ranges.
-# Some secrets have unique signatures which make detecting those secrets easy.
-# Examples of those secrets would be GitLab Personal Access Tokens, AWS keys, and GitHub Access Tokens.
-# All these examples have defined prefixes like `glpat`, `AKIA`, `ghp_`, etc.
-#
-# Other secrets might just be a hash which means we need to write more complex rules to verify
-# that what we are matching is a secret.
-#
-# Here is an example of a semi-generic secret
-#
-#   discord_client_secret = "8dyfuiRyq=vVc3RRr_edRk-fK__JItpZ"
-#
-# We can write a regular expression to capture the variable name (identifier),
-# the assignment symbol (like '=' or ':='), and finally the actual secret.
-# The structure of a rule to match this example secret is below:
-#
-#                                                           Beginning string
-#                                                               quotation
-#                                                                   │            End string quotation
-#                                                                   │                      │
-#                                                                   ▼                      ▼
-#    (?i)(discord[a-z0-9_ .\-,]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['\"]([a-z0-9=_\-]{32})['\"]
-#
-#                   ▲                              ▲                                ▲
-#                   │                              │                                │
-#                   │                              │                                │
-#              identifier                  assignment symbol
-#                                                                                Secret
-#
-[[rules]]
-id = "gitlab-pat"
-description = "GitLab Personal Access Token"
-regex = '''glpat-[0-9a-zA-Z\-\_]{20}'''
-
-[[rules]]
-id = "aws-access-token"
-description = "AWS"
-regex = '''(A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}'''
-
-# Cryptographic keys
-[[rules]]
-id = "PKCS8-PK"
-description = "PKCS8 private key"
-regex = '''-----BEGIN PRIVATE KEY-----'''
-
-[[rules]]
-id = "RSA-PK"
-description = "RSA private key"
-regex = '''-----BEGIN RSA PRIVATE KEY-----'''
-
-[[rules]]
-id = "OPENSSH-PK"
-description = "SSH private key"
-regex = '''-----BEGIN OPENSSH PRIVATE KEY-----'''
-
-[[rules]]
-id = "PGP-PK"
-description = "PGP private key"
-regex = '''-----BEGIN PGP PRIVATE KEY BLOCK-----'''
-
-[[rules]]
-id = "github-pat"
-description = "GitHub Personal Access Token"
-regex = '''ghp_[0-9a-zA-Z]{36}'''
-
-[[rules]]
-id = "github-oauth"
-description = "GitHub OAuth Access Token"
-regex = '''gho_[0-9a-zA-Z]{36}'''
-
-[[rules]]
-id = "SSH-DSA-PK"
-description = "SSH (DSA) private key"
-regex = '''-----BEGIN DSA PRIVATE KEY-----'''
-
-[[rules]]
-id = "SSH-EC-PK"
-description = "SSH (EC) private key"
-regex = '''-----BEGIN EC PRIVATE KEY-----'''
-
-
-[[rules]]
-id = "github-app-token"
-description = "GitHub App Token"
-regex = '''(ghu|ghs)_[0-9a-zA-Z]{36}'''
-
-[[rules]]
-id = "github-refresh-token"
-description = "GitHub Refresh Token"
-regex = '''ghr_[0-9a-zA-Z]{76}'''
-
-[[rules]]
-id = "shopify-shared-secret"
-description = "Shopify shared secret"
-regex = '''shpss_[a-fA-F0-9]{32}'''
-
-[[rules]]
-id = "shopify-access-token"
-description = "Shopify access token"
-regex = '''shpat_[a-fA-F0-9]{32}'''
-
-[[rules]]
-id = "shopify-custom-access-token"
-description = "Shopify custom app access token"
-regex = '''shpca_[a-fA-F0-9]{32}'''
-
-[[rules]]
-id = "shopify-private-app-access-token"
-description = "Shopify private app access token"
-regex = '''shppa_[a-fA-F0-9]{32}'''
-
-[[rules]]
-id = "slack-access-token"
-description = "Slack token"
-regex = '''xox[baprs]-([0-9a-zA-Z]{10,48})?'''
-
-[[rules]]
-id = "stripe-access-token"
-description = "Stripe"
-regex = '''(?i)(sk|pk)_(test|live)_[0-9a-z]{10,32}'''
-
-[[rules]]
-id = "pypi-upload-token"
-description = "PyPI upload token"
-regex = '''pypi-AgEIcHlwaS5vcmc[A-Za-z0-9\-_]{50,1000}'''
-
-[[rules]]
-id = "gcp-service-account"
-description = "Google (GCP) Service-account"
-regex = '''\"type\": \"service_account\"'''
-
-[[rules]]
-id = "heroku-api-key"
-description = "Heroku API Key"
-regex = ''' (?i)(heroku[a-z0-9_ .\-,]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['\"]([0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12})['\"]'''
-secretGroup = 3
-
-[[rules]]
-id = "slack-web-hook"
-description = "Slack Webhook"
-regex = '''https://hooks.slack.com/services/T[a-zA-Z0-9_]{8}/B[a-zA-Z0-9_]{8,12}/[a-zA-Z0-9_]{24}'''
-
-[[rules]]
-id = "twilio-api-key"
-description = "Twilio API Key"
-regex = '''SK[0-9a-fA-F]{32}'''
-
-[[rules]]
-id = "age-secret-key"
-description = "Age secret key"
-regex = '''AGE-SECRET-KEY-1[QPZRY9X8GF2TVDW0S3JN54KHCE6MUA7L]{58}'''
-
-[[rules]]
-id = "facebook-token"
-description = "Facebook token"
-regex = '''(?i)(facebook[a-z0-9_ .\-,]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['\"]([a-f0-9]{32})['\"]'''
-secretGroup = 3
-
-[[rules]]
-id = "twitter-token"
-description = "Twitter token"
-regex = '''(?i)(twitter[a-z0-9_ .\-,]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['\"]([a-f0-9]{35,44})['\"]'''
-secretGroup = 3
-
-[[rules]]
-id = "adobe-client-id"
-description = "Adobe Client ID (Oauth Web)"
-regex = '''(?i)(adobe[a-z0-9_ .\-,]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['\"]([a-f0-9]{32})['\"]'''
-secretGroup = 3
-
-[[rules]]
-id = "adobe-client-secret"
-description = "Adobe Client Secret"
-regex = '''(p8e-)(?i)[a-z0-9]{32}'''
-
-[[rules]]
-id = "alibaba-access-key-id"
-description = "Alibaba AccessKey ID"
-regex = '''(LTAI)(?i)[a-z0-9]{20}'''
-
-[[rules]]
-id = "alibaba-secret-key"
-description = "Alibaba Secret Key"
-regex = '''(?i)(alibaba[a-z0-9_ .\-,]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['\"]([a-z0-9]{30})['\"]'''
-secretGroup = 3
-
-[[rules]]
-id = "asana-client-id"
-description = "Asana Client ID"
-regex = '''(?i)(asana[a-z0-9_ .\-,]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['\"]([0-9]{16})['\"]'''
-secretGroup = 3
-
-[[rules]]
-id = "asana-client-secret"
-description = "Asana Client Secret"
-regex = '''(?i)(asana[a-z0-9_ .\-,]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['\"]([a-z0-9]{32})['\"]'''
-secretGroup = 3
-
-[[rules]]
-id = "atlassian-api-token"
-description = "Atlassian API token"
-regex = '''(?i)(atlassian[a-z0-9_ .\-,]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['\"]([a-z0-9]{24})['\"]'''
-secretGroup = 3
-
-[[rules]]
-id = "bitbucket-client-id"
-description = "Bitbucket client ID"
-regex = '''(?i)(bitbucket[a-z0-9_ .\-,]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['\"]([a-z0-9]{32})['\"]'''
-secretGroup = 3
-
-[[rules]]
-id = "bitbucket-client-secret"
-description = "Bitbucket client secret"
-regex = '''(?i)(bitbucket[a-z0-9_ .\-,]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['\"]([a-z0-9_\-]{64})['\"]'''
-secretGroup = 3
-
-[[rules]]
-id = "beamer-api-token"
-description = "Beamer API token"
-regex = '''(?i)(beamer[a-z0-9_ .\-,]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['\"](b_[a-z0-9=_\-]{44})['\"]'''
-secretGroup = 3
-
-[[rules]]
-id = "clojars-api-token"
-description = "Clojars API token"
-regex = '''(CLOJARS_)(?i)[a-z0-9]{60}'''
-
-[[rules]]
-id = "contentful-delivery-api-token"
-description = "Contentful delivery API token"
-regex = '''(?i)(contentful[a-z0-9_ .\-,]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['\"]([a-z0-9\-=_]{43})['\"]'''
-secretGroup = 3
-
-[[rules]]
-id = "databricks-api-token"
-description = "Databricks API token"
-regex = '''dapi[a-h0-9]{32}'''
-
-[[rules]]
-id = "discord-api-token"
-description = "Discord API key"
-regex = '''(?i)(discord[a-z0-9_ .\-,]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['\"]([a-h0-9]{64})['\"]'''
-secretGroup = 3
-
-[[rules]]
-id = "discord-client-id"
-description = "Discord client ID"
-regex = '''(?i)(discord[a-z0-9_ .\-,]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['\"]([0-9]{18})['\"]'''
-secretGroup = 3
-
-[[rules]]
-id = "discord-client-secret"
-description = "Discord client secret"
-regex = '''(?i)(discord[a-z0-9_ .\-,]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['\"]([a-z0-9=_\-]{32})['\"]'''
-secretGroup = 3
-
-[[rules]]
-id = "doppler-api-token"
-description = "Doppler API token"
-regex = '''['\"](dp\.pt\.)(?i)[a-z0-9]{43}['\"]'''
-
-[[rules]]
-id = "dropbox-api-secret"
-description = "Dropbox API secret/key"
-regex = '''(?i)(dropbox[a-z0-9_ .\-,]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['\"]([a-z0-9]{15})['\"]'''
-
-[[rules]]
-id = "dropbox--api-key"
-description = "Dropbox API secret/key"
-regex = '''(?i)(dropbox[a-z0-9_ .\-,]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['\"]([a-z0-9]{15})['\"]'''
-
-[[rules]]
-id = "dropbox-short-lived-api-token"
-description = "Dropbox short lived API token"
-regex = '''(?i)(dropbox[a-z0-9_ .\-,]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['\"](sl\.[a-z0-9\-=_]{135})['\"]'''
-
-[[rules]]
-id = "dropbox-long-lived-api-token"
-description = "Dropbox long lived API token"
-regex = '''(?i)(dropbox[a-z0-9_ .\-,]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['\"][a-z0-9]{11}(AAAAAAAAAA)[a-z0-9\-_=]{43}['\"]'''
-
-[[rules]]
-id = "duffel-api-token"
-description = "Duffel API token"
-regex = '''['\"]duffel_(test|live)_(?i)[a-z0-9_-]{43}['\"]'''
-
-[[rules]]
-id = "dynatrace-api-token"
-description = "Dynatrace API token"
-regex = '''['\"]dt0c01\.(?i)[a-z0-9]{24}\.[a-z0-9]{64}['\"]'''
-
-[[rules]]
-id = "easypost-api-token"
-description = "EasyPost API token"
-regex = '''['\"]EZAK(?i)[a-z0-9]{54}['\"]'''
-
-[[rules]]
-id = "easypost-test-api-token"
-description = "EasyPost test API token"
-regex = '''['\"]EZTK(?i)[a-z0-9]{54}['\"]'''
-
-[[rules]]
-id = "fastly-api-token"
-description = "Fastly API token"
-regex = '''(?i)(fastly[a-z0-9_ .\-,]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['\"]([a-z0-9\-=_]{32})['\"]'''
-secretGroup = 3
-
-[[rules]]
-id = "finicity-client-secret"
-description = "Finicity client secret"
-regex = '''(?i)(finicity[a-z0-9_ .\-,]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['\"]([a-z0-9]{20})['\"]'''
-secretGroup = 3
-
-[[rules]]
-id = "finicity-api-token"
-description = "Finicity API token"
-regex = '''(?i)(finicity[a-z0-9_ .\-,]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['\"]([a-f0-9]{32})['\"]'''
-secretGroup = 3
-
-[[rules]]
-id = "flutterwave-public-key"
-description = "Flutterwave public key"
-regex = '''FLWPUBK_TEST-(?i)[a-h0-9]{32}-X'''
-
-[[rules]]
-id = "flutterwave-secret-key"
-description = "Flutterwave secret key"
-regex = '''FLWSECK_TEST-(?i)[a-h0-9]{32}-X'''
-
-[[rules]]
-id = "flutterwave-enc-key"
-description = "Flutterwave encrypted key"
-regex = '''FLWSECK_TEST[a-h0-9]{12}'''
-
-[[rules]]
-id = "frameio-api-token"
-description = "Frame.io API token"
-regex = '''fio-u-(?i)[a-z0-9\-_=]{64}'''
-
-[[rules]]
-id = "gocardless-api-token"
-description = "GoCardless API token"
-regex = '''['\"]live_(?i)[a-z0-9\-_=]{40}['\"]'''
-
-[[rules]]
-id = "grafana-api-token"
-description = "Grafana API token"
-regex = '''['\"]eyJrIjoi(?i)[a-z0-9\-_=]{72,92}['\"]'''
-
-[[rules]]
-id = "hashicorp-tf-api-token"
-description = "HashiCorp Terraform user/org API token"
-regex = '''['\"](?i)[a-z0-9]{14}\.atlasv1\.[a-z0-9\-_=]{60,70}['\"]'''
-
-[[rules]]
-id = "hubspot-api-token"
-description = "HubSpot API token"
-regex = '''(?i)(hubspot[a-z0-9_ .\-,]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['\"]([a-h0-9]{8}-[a-h0-9]{4}-[a-h0-9]{4}-[a-h0-9]{4}-[a-h0-9]{12})['\"]'''
-secretGroup = 3
-
-[[rules]]
-id = "intercom-api-token"
-description = "Intercom API token"
-regex = '''(?i)(intercom[a-z0-9_ .\-,]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['\"]([a-z0-9=_]{60})['\"]'''
-secretGroup = 3
-
-[[rules]]
-id = "intercom-client-secret"
-description = "Intercom client secret/ID"
-regex = '''(?i)(intercom[a-z0-9_ .\-,]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['\"]([a-h0-9]{8}-[a-h0-9]{4}-[a-h0-9]{4}-[a-h0-9]{4}-[a-h0-9]{12})['\"]'''
-secretGroup = 3
-
-[[rules]]
-id = "ionic-api-token"
-description = "Ionic API token"
-regex = '''(?i)(ionic[a-z0-9_ .\-,]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['\"](ion_[a-z0-9]{42})['\"]'''
-
-[[rules]]
-id = "linear-api-token"
-description = "Linear API token"
-regex = '''lin_api_(?i)[a-z0-9]{40}'''
-
-[[rules]]
-id = "linear-client-secret"
-description = "Linear client secret/ID"
-regex = '''(?i)(linear[a-z0-9_ .\-,]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['\"]([a-f0-9]{32})['\"]'''
-secretGroup = 3
-
-[[rules]]
-id = "lob-api-key"
-description = "Lob API Key"
-regex = '''(?i)(lob[a-z0-9_ .\-,]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['\"]((live|test)_[a-f0-9]{35})['\"]'''
-secretGroup = 3
-
-[[rules]]
-id = "lob-pub-api-key"
-description = "Lob Publishable API Key"
-regex = '''(?i)(lob[a-z0-9_ .\-,]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['\"]((test|live)_pub_[a-f0-9]{31})['\"]'''
-secretGroup = 3
-
-[[rules]]
-id = "mailchimp-api-key"
-description = "Mailchimp API key"
-regex = '''(?i)(mailchimp[a-z0-9_ .\-,]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['\"]([a-f0-9]{32}-us20)['\"]'''
-secretGroup = 3
-
-[[rules]]
-id = "mailgun-private-api-token"
-description = "Mailgun private API token"
-regex = '''(?i)(mailgun[a-z0-9_ .\-,]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['\"](key-[a-f0-9]{32})['\"]'''
-secretGroup = 3
-
-[[rules]]
-id = "mailgun-pub-key"
-description = "Mailgun public validation key"
-regex = '''(?i)(mailgun[a-z0-9_ .\-,]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['\"](pubkey-[a-f0-9]{32})['\"]'''
-secretGroup = 3
-
-[[rules]]
-id = "mailgun-signing-key"
-description = "Mailgun webhook signing key"
-regex = '''(?i)(mailgun[a-z0-9_ .\-,]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['\"]([a-h0-9]{32}-[a-h0-9]{8}-[a-h0-9]{8})['\"]'''
-secretGroup = 3
-
-[[rules]]
-id = "mapbox-api-token"
-description = "Mapbox API token"
-regex = '''(?i)(pk\.[a-z0-9]{60}\.[a-z0-9]{22})'''
-
-[[rules]]
-id = "messagebird-api-token"
-description = "MessageBird API token"
-regex = '''(?i)(messagebird[a-z0-9_ .\-,]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['\"]([a-z0-9]{25})['\"]'''
-secretGroup = 3
-
-[[rules]]
-id = "messagebird-client-id"
-description = "MessageBird API client ID"
-regex = '''(?i)(messagebird[a-z0-9_ .\-,]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['\"]([a-h0-9]{8}-[a-h0-9]{4}-[a-h0-9]{4}-[a-h0-9]{4}-[a-h0-9]{12})['\"]'''
-secretGroup = 3
-
-[[rules]]
-id = "new-relic-user-api-key"
-description = "New Relic user API Key"
-regex = '''['\"](NRAK-[A-Z0-9]{27})['\"]'''
-
-[[rules]]
-id = "new-relic-user-api-id"
-description = "New Relic user API ID"
-regex = '''(?i)(newrelic[a-z0-9_ .\-,]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['\"]([A-Z0-9]{64})['\"]'''
-secretGroup = 3
-
-[[rules]]
-id = "new-relic-browser-api-token"
-description = "New Relic ingest browser API token"
-regex = '''['\"](NRJS-[a-f0-9]{19})['\"]'''
-
-[[rules]]
-id = "npm-access-token"
-description = "npm access token"
-regex = '''['\"](npm_(?i)[a-z0-9]{36})['\"]'''
-
-[[rules]]
-id = "planetscale-password"
-description = "PlanetScale password"
-regex = '''pscale_pw_(?i)[a-z0-9\-_\.]{43}'''
-
-[[rules]]
-id = "planetscale-api-token"
-description = "PlanetScale API token"
-regex = '''pscale_tkn_(?i)[a-z0-9\-_\.]{43}'''
-
-[[rules]]
-id = "postman-api-token"
-description = "Postman API token"
-regex = '''PMAK-(?i)[a-f0-9]{24}\-[a-f0-9]{34}'''
-
-[[rules]]
-id = "pulumi-api-token"
-description = "Pulumi API token"
-regex = '''pul-[a-f0-9]{40}'''
-
-[[rules]]
-id = "rubygems-api-token"
-description = "Rubygem API token"
-regex = '''rubygems_[a-f0-9]{48}'''
-
-[[rules]]
-id = "sendgrid-api-token"
-description = "SendGrid API token"
-regex = '''SG\.(?i)[a-z0-9_\-\.]{66}'''
-
-[[rules]]
-id = "sendinblue-api-token"
-description = "Sendinblue API token"
-regex = '''xkeysib-[a-f0-9]{64}\-(?i)[a-z0-9]{16}'''
-
-[[rules]]
-id = "shippo-api-token"
-description = "Shippo API token"
-regex = '''shippo_(live|test)_[a-f0-9]{40}'''
-
-[[rules]]
-id = "linkedin-client-secret"
-description = "LinkedIn Client secret"
-regex = '''(?i)(linkedin[a-z0-9_ .\-,]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['\"]([a-z]{16})['\"]'''
-secretGroup = 3
-
-[[rules]]
-id = "linkedin-client-id"
-description = "LinkedIn Client ID"
-regex = '''(?i)(linkedin[a-z0-9_ .\-,]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['\"]([a-z0-9]{14})['\"]'''
-secretGroup = 3
-
-[[rules]]
-id = "twitch-api-token"
-description = "Twitch API token"
-regex = '''(?i)(twitch[a-z0-9_ .\-,]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['\"]([a-z0-9]{30})['\"]'''
-secretGroup = 3
-
-[[rules]]
-id = "typeform-api-token"
-description = "Typeform API token"
-regex = '''(?i)(typeform[a-z0-9_ .\-,]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}(tfp_[a-z0-9\-_\.=]{59})'''
-secretGroup = 3
-
-[[rules]]
-id = "generic-api-key"
-description = "Generic API Key"
-regex = '''(?i)((key|api[^Version]|token|secret|password)[a-z0-9_ .\-,]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['\"]([0-9a-zA-Z\-_=]{8,64})['\"]'''
-entropy = 3.7
-secretGroup = 4
-
-
-[allowlist]
-description = "global allow lists"
-regexes = ['''219-09-9999''', '''078-05-1120''', '''(9[0-9]{2}|666)-\d{2}-\d{4}''']
-paths = [
-    '''gitleaks.toml''',
-    '''(.*?)(jpg|gif|doc|pdf|bin|svg|socket)$''',
-    '''(go.mod|go.sum)$''',
-    
-    '''salt/nginx/files/enterprise-attack.json'''
-]

.github/workflows/leaktest.yml

@@ -13,5 +13,3 @@ jobs:
 
     - name: Gitleaks
       uses: zricethezav/gitleaks-action@master
-      with:
-        config-path: .github/.gitleaks.toml

.github/workflows/pythontest.yml

@@ -1,31 +0,0 @@
-name: python-test
-
-on: [push, pull_request]
-
-jobs:
-  build:
-
-    runs-on: ubuntu-latest
-    strategy:
-      fail-fast: false
-      matrix:
-        python-version: ["3.10"]
-        python-code-path: ["salt/sensoroni/files/analyzers"]
-
-    steps:
-    - uses: actions/checkout@v3
-    - name: Set up Python ${{ matrix.python-version }}
-      uses: actions/setup-python@v3
-      with:
-        python-version: ${{ matrix.python-version }}
-    - name: Install dependencies
-      run: |
-        python -m pip install --upgrade pip
-        python -m pip install flake8 pytest pytest-cov
-        find . -name requirements.txt -exec pip install -r {} \;
-    - name: Lint with flake8
-      run: |
-        flake8 ${{ matrix.python-code-path }} --show-source --max-complexity=12  --doctests --max-line-length=200 --statistics
-    - name: Test with pytest
-      run: |
-        pytest ${{ matrix.python-code-path }} --cov=${{ matrix.python-code-path }} --doctest-modules --cov-report=term --cov-fail-under=100 --cov-config=${{ matrix.python-code-path }}/pytest.ini

.gitignore

@@ -56,15 +56,4 @@ $RECYCLE.BIN/
 # Windows shortcuts
 *.lnk
 
-# End of https://www.gitignore.io/api/macos,windows
-
-# Pytest output
-__pycache__
-.pytest_cache
-.coverage
-*.pyc
-.venv
-
-# Analyzer dev/test config files
-*_dev.yaml
-site-packages
+# End of https://www.gitignore.io/api/macos,windows

CONTRIBUTING.md

@@ -29,11 +29,6 @@
 
 * See this document's [code styling and conventions section](#code-style-and-conventions) below to be sure your PR fits our code requirements prior to submitting.
 
-* Change behavior (fix a bug, add a new feature) separately from refactoring code. Refactor pull requests are welcome, but ensure your new code behaves exactly the same as the old.
-
-* **Do not refactor code for non-functional reasons**. If you are submitting a pull request that refactors code, ensure the refactor is improving the functionality of the code you're refactoring (e.g. decreasing complexity, removing reliance on 3rd party tools, improving performance).
-
-* Before submitting a PR with significant changes to the project, [start a discussion](https://github.com/Security-Onion-Solutions/securityonion/discussions/new) explaining what you hope to acheive. The project maintainers will provide feedback and determine whether your goal aligns with the project. 
 
 
 ### Code style and conventions
@@ -42,5 +37,3 @@
 * All new Bash code should pass [ShellCheck](https://www.shellcheck.net/) analysis. Where errors can be *safely* [ignored](https://github.com/koalaman/shellcheck/wiki/Ignore), the relevant disable directive should be accompanied by a brief explanation as to why the error is being ignored.
 
 * **Ensure all YAML (this includes Salt states and pillars) is properly formatted**. The spec for YAML v1.2 can be found [here](https://yaml.org/spec/1.2/spec.html), however there are numerous online resources with simpler descriptions of its formatting rules. 
-
-* **All code of any language should match the style of other code of that same language within the project.** Be sure that any changes you make do not break from the pre-existing style of Security Onion code.

HOTFIX

@@ -1 +0,0 @@
-

README.md

@@ -1,20 +1,14 @@
-## Security Onion 2.3.130
+## Security Onion 2.3.80
 
-Security Onion 2.3.130 is here!
+Security Onion 2.3.80 is here!
 
 ## Screenshots
 
 Alerts
-![Alerts](./assets/images/screenshots/alerts.png)
-
-Dashboards
-![Dashboards](./assets/images/screenshots/dashboards.png)
+![Alerts](./assets/images/screenshots/alerts-1.png)
 
 Hunt
-![Hunt](./assets/images/screenshots/hunt.png)
-
-Cases
-![Cases](./assets/images/screenshots/cases-comments.png)
+![Hunt](./assets/images/screenshots/hunt-1.png)
 
 ### Release Notes
 

VERIFY_ISO.md

@@ -1,18 +1,18 @@
-### 2.3.130-20220607 ISO image built on 2022/06/07
+### 2.3.80 ISO image built on 2021/09/27
 
 
 
 ### Download and Verify
 
-2.3.130-20220607 ISO image:  
-https://download.securityonion.net/file/securityonion/securityonion-2.3.130-20220607.iso
+2.3.80 ISO image:  
+https://download.securityonion.net/file/securityonion/securityonion-2.3.80.iso
 
-MD5: 0034D6A9461C04357AFF512875408A4C  
-SHA1: BF80EEB101C583153CAD8E185A7DB3173FD5FFE8  
-SHA256: 15943623B96D8BB4A204A78668447F36B54A63ABA5F8467FBDF0B25C5E4E6078 
+MD5: 24F38563860416F4A8ABE18746913E14  
+SHA1: F923C005F54EA2A17AB225ADA0DA46042707AAD9  
+SHA256: 8E95D10AF664D9A406C168EC421D943CB23F0D0C1813C6C2DBA9B4E131984018 
 
 Signature for ISO image:  
-https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.130-20220607.iso.sig
+https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.80.iso.sig
 
 Signing key:  
 https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/master/KEYS  
@@ -26,22 +26,22 @@ wget https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/ma
 
 Download the signature file for the ISO:  
 ```
-wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.130-20220607.iso.sig
+wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.80.iso.sig
 ```
 
 Download the ISO image:  
 ```
-wget https://download.securityonion.net/file/securityonion/securityonion-2.3.130-20220607.iso
+wget https://download.securityonion.net/file/securityonion/securityonion-2.3.80.iso
 ```
 
 Verify the downloaded ISO image using the signature file:  
 ```
-gpg --verify securityonion-2.3.130-20220607.iso.sig securityonion-2.3.130-20220607.iso
+gpg --verify securityonion-2.3.80.iso.sig securityonion-2.3.80.iso
 ```
 
 The output should show "Good signature" and the Primary key fingerprint should match what's shown below:
 ```
-gpg: Signature made Tue 07 Jun 2022 01:27:20 PM EDT using RSA key ID FE507013
+gpg: Signature made Mon 27 Sep 2021 08:55:01 AM EDT using RSA key ID FE507013
 gpg: Good signature from "Security Onion Solutions, LLC <info@securityonionsolutions.com>"
 gpg: WARNING: This key is not certified with a trusted signature!
 gpg:          There is no indication that the signature belongs to the owner.

VERSION

@@ -1 +1 @@
-2.3.130
+2.3.90

files/firewall/assigned_hostgroups.local.map.yaml

@@ -13,11 +13,9 @@ role:
   fleet:
   heavynode:
   helixsensor:
-  idh:
   import:
   manager:
   managersearch:
-  receiver:
   standalone:
   searchnode:
-  sensor:
+  sensor:

files/firewall/hostgroups.local.yaml

@@ -28,10 +28,6 @@ firewall:
       ips:
         delete:
         insert:
-    idh:
-      ips:
-        delete:
-        insert: 
     manager:
       ips:
         delete:
@@ -48,10 +44,6 @@ firewall:
       ips:
         delete:
         insert:
-    receiver:
-      ips:
-        delete:
-        insert:
     search_node:
       ips:
         delete:

pillar/elasticsearch/eval.sls

@@ -1,2 +1,13 @@
 elasticsearch:
   templates:
+    - so/so-beats-template.json.jinja
+    - so/so-common-template.json.jinja
+    - so/so-firewall-template.json.jinja
+    - so/so-flow-template.json.jinja
+    - so/so-ids-template.json.jinja
+    - so/so-import-template.json.jinja
+    - so/so-osquery-template.json.jinja
+    - so/so-ossec-template.json.jinja
+    - so/so-strelka-template.json.jinja
+    - so/so-syslog-template.json.jinja
+    - so/so-zeek-template.json.jinja

pillar/elasticsearch/index_templates.sls

@@ -1,2 +0,0 @@
-elasticsearch:
-  index_settings:

pillar/elasticsearch/manager.sls

@@ -1,2 +1,14 @@
 elasticsearch:
   templates:
+    - so/so-beats-template.json.jinja
+    - so/so-common-template.json.jinja
+    - so/so-endgame-template.json.jinja
+    - so/so-firewall-template.json.jinja
+    - so/so-flow-template.json.jinja
+    - so/so-ids-template.json.jinja
+    - so/so-import-template.json.jinja
+    - so/so-osquery-template.json.jinja
+    - so/so-ossec-template.json.jinja
+    - so/so-strelka-template.json.jinja
+    - so/so-syslog-template.json.jinja
+    - so/so-zeek-template.json.jinja

pillar/elasticsearch/search.sls

@@ -1,2 +1,14 @@
 elasticsearch:
   templates:
+    - so/so-beats-template.json.jinja
+    - so/so-common-template.json.jinja
+    - so/so-endgame-template.json.jinja
+    - so/so-firewall-template.json.jinja
+    - so/so-flow-template.json.jinja
+    - so/so-ids-template.json.jinja
+    - so/so-import-template.json.jinja
+    - so/so-osquery-template.json.jinja
+    - so/so-ossec-template.json.jinja
+    - so/so-strelka-template.json.jinja
+    - so/so-syslog-template.json.jinja
+    - so/so-zeek-template.json.jinja

pillar/logstash/manager.sls

@@ -1,3 +1,4 @@
+{%- set PIPELINE = salt['pillar.get']('global:pipeline', 'redis') %}
 logstash:
   pipelines:
     manager:

pillar/logstash/nodes.sls

@@ -1,31 +0,0 @@
-{% set node_types = {} %}
-{% set cached_grains = salt.saltutil.runner('cache.grains', tgt='*') %}
-{% for minionid, ip in salt.saltutil.runner(
-    'mine.get',
-    tgt='G@role:so-manager or G@role:so-managersearch or G@role:so-standalone or G@role:so-node or G@role:so-heavynode or G@role:so-receiver or G@role:so-helix',
-    fun='network.ip_addrs',
-    tgt_type='compound') | dictsort()
-%}
-
-{%   set hostname = cached_grains[minionid]['host'] %}
-{%   set node_type = minionid.split('_')[1] %}
-{%   if node_type not in node_types.keys() %}
-{%     do node_types.update({node_type: {hostname: ip[0]}}) %}
-{%   else %}
-{%     if hostname not in node_types[node_type] %}
-{%       do node_types[node_type].update({hostname: ip[0]}) %}
-{%     else %}
-{%       do node_types[node_type][hostname].update(ip[0]) %}
-{%     endif %}
-{%   endif %}
-{% endfor %}
-
-logstash:
-  nodes:
-{% for node_type, values in node_types.items() %}
-    {{node_type}}:
-{%   for hostname, ip in values.items() %}
-      {{hostname}}:
-        ip: {{ip}}
-{%   endfor %}
-{% endfor %}

pillar/logstash/receiver.sls

@@ -1,9 +0,0 @@
-logstash:
-  pipelines:
-    receiver:
-      config:
-        - so/0009_input_beats.conf      
-        - so/0010_input_hhbeats.conf
-        - so/0011_input_endgame.conf
-        - so/9999_output_redis.conf.jinja
-        

pillar/logstash/search.sls

@@ -1,3 +1,4 @@
+{%- set PIPELINE = salt['pillar.get']('global:pipeline', 'minio') %}
 logstash:
   pipelines:
     search:
@@ -13,5 +14,4 @@ logstash:
         - so/9600_output_ossec.conf.jinja
         - so/9700_output_strelka.conf.jinja
         - so/9800_output_logscan.conf.jinja
-        - so/9801_output_rita.conf.jinja
         - so/9900_output_endgame.conf.jinja

pillar/node_data/ips.sls

@@ -1,33 +0,0 @@
-{% set node_types = {} %}
-{% set manage_alived = salt.saltutil.runner('manage.alived', show_ip=True) %}
-{% set manager = grains.master %}
-{% set manager_type = manager.split('_')|last %}
-{% for minionid, ip in salt.saltutil.runner('mine.get', tgt='*', fun='network.ip_addrs', tgt_type='glob') | dictsort() %}
-{%   set hostname = minionid.split('_')[0] %}
-{%   set node_type = minionid.split('_')[1] %}
-{%   set is_alive = False %}
-{%   if minionid in manage_alived.keys() %}
-{%     if ip[0] == manage_alived[minionid] %}
-{%       set is_alive = True %}
-{%     endif %}
-{%   endif %}
-{%   if node_type not in node_types.keys() %}
-{%     do node_types.update({node_type: {hostname: {'ip':ip[0], 'alive':is_alive }}}) %}
-{%   else %}
-{%     if hostname not in node_types[node_type] %}
-{%       do node_types[node_type].update({hostname: {'ip':ip[0], 'alive':is_alive}}) %}
-{%     else %}
-{%       do node_types[node_type][hostname].update({'ip':ip[0], 'alive':is_alive}) %}
-{%     endif %}
-{%   endif %}
-{% endfor %}
-
-node_data:
-{% for node_type, host_values in node_types.items() %}
-  {{node_type}}:
-{%   for hostname, details in host_values.items() %}
-    {{hostname}}:
-      ip: {{details.ip}}
-      alive: {{ details.alive }}
-{%   endfor %}
-{% endfor %}

pillar/top.sls

@@ -2,9 +2,7 @@ base:
   '*':
     - patch.needs_restarting
     - logrotate
-
-  '* and not *_eval and not *_import':
-    - logstash.nodes
+    - users
 
   '*_eval or *_helixsensor or *_heavynode or *_sensor or *_standalone or *_import':
     - match: compound
@@ -15,12 +13,12 @@ base:
     - logstash
     - logstash.manager
     - logstash.search
-    - elasticsearch.index_templates
+    - elasticsearch.search
 
   '*_manager':
     - logstash
     - logstash.manager
-    - elasticsearch.index_templates
+    - elasticsearch.manager
 
   '*_manager or *_managersearch':
     - match: compound
@@ -46,7 +44,7 @@ base:
     - zeeklogs
     - secrets
     - healthcheck.eval
-    - elasticsearch.index_templates
+    - elasticsearch.eval
 {% if salt['file.file_exists']('/opt/so/saltstack/local/pillar/elasticsearch/auth.sls') %}
     - elasticsearch.auth
 {% endif %}
@@ -60,7 +58,7 @@ base:
     - logstash
     - logstash.manager
     - logstash.search
-    - elasticsearch.index_templates
+    - elasticsearch.search
 {% if salt['file.file_exists']('/opt/so/saltstack/local/pillar/elasticsearch/auth.sls') %}
     - elasticsearch.auth
 {% endif %}
@@ -98,31 +96,19 @@ base:
     - global
     - minions.{{ grains.id }}
 
-  '*_idh':
-    - data.*
-    - global
-    - minions.{{ grains.id }}
-
   '*_searchnode':
     - logstash
     - logstash.search
-    - elasticsearch.index_templates
+    - elasticsearch.search
     - elasticsearch.auth
     - global
     - minions.{{ grains.id }}
     - data.nodestab
 
-  '*_receiver':
-    - logstash
-    - logstash.receiver
-    - elasticsearch.auth
-    - global
-    - minions.{{ grains.id }}
-
   '*_import':
     - zeeklogs
     - secrets
-    - elasticsearch.index_templates
+    - elasticsearch.eval
 {% if salt['file.file_exists']('/opt/so/saltstack/local/pillar/elasticsearch/auth.sls') %}
     - elasticsearch.auth
 {% endif %}
@@ -131,6 +117,3 @@ base:
 {% endif %}
     - global
     - minions.{{ grains.id }}
-
-  '*_workstation':
-    - minions.{{ grains.id }}

pillar/users/init.sls

@@ -0,0 +1,2 @@
+# users pillar goes in /opt/so/saltstack/local/pillar/users/init.sls
+# the users directory may need to be created under /opt/so/saltstack/local/pillar

pillar/users/pillar.example

@@ -0,0 +1,19 @@
+users:
+  sclapton:
+    # required fields
+    status: present
+    # node_access determines which node types the user can access.
+    # this can either be by grains.role or by final part of the minion id after the _
+    node_access:
+      - standalone
+      - searchnode
+    # optional fields
+    fullname: Stevie Claptoon
+    uid: 1001
+    gid: 1001
+    homephone: does not have a phone
+    groups:
+      - mygroup1
+      - mygroup2
+      - wheel # give sudo access
+      

pillar/users/pillar.usage

@@ -0,0 +1,20 @@
+users:
+  sclapton:
+    # required fields
+    status: <present | absent>
+    # node_access determines which node types the user can access.
+    # this can either be by grains.role or by final part of the minion id after the _
+    node_access:
+      - standalone
+      - searchnode
+    # optional fields
+    fullname: <string>
+    uid: <integer>
+    gid: <integer>
+    roomnumber: <string>
+    workphone: <string>
+    homephone: <string>
+    groups:
+      - <string>
+      - <string>
+      - wheel # give sudo access

salt/allowed_states.map.jinja

@@ -1,5 +1,6 @@
 {% set ZEEKVER = salt['pillar.get']('global:mdengine', '') %}
 {% set WAZUH = salt['pillar.get']('global:wazuh', '0') %}
+{% set THEHIVE = salt['pillar.get']('manager:thehive', '0') %}
 {% set PLAYBOOK = salt['pillar.get']('manager:playbook', '0') %}
 {% set FREQSERVER = salt['pillar.get']('manager:freq', '0') %}
 {% set DOMAINSTATS = salt['pillar.get']('manager:domainstats', '0') %}
@@ -49,6 +50,7 @@
           'learn'
           ],
       'so-heavynode': [
+          'ca',
           'ssl',
           'nginx',
           'telegraf',
@@ -78,6 +80,7 @@
           'docker_clean'
           ],
       'so-fleet': [
+          'ca',
           'ssl',
           'nginx',
           'telegraf',
@@ -90,16 +93,6 @@
           'schedule',
           'docker_clean'
           ],
-     'so-idh': [
-          'ssl',
-          'telegraf',
-          'firewall',
-          'fleet.install_package',
-          'filebeat',
-          'idh',
-          'schedule',
-          'docker_clean'
-          ],
       'so-import': [
           'salt.master',
           'ca',
@@ -164,6 +157,7 @@
           'learn'
           ],
       'so-node': [
+          'ca',
           'ssl',
           'nginx',
           'telegraf',
@@ -197,6 +191,7 @@
           'learn'
           ],
       'so-sensor': [
+          'ca',
           'ssl',
           'telegraf',
           'firewall',
@@ -210,18 +205,9 @@
           'tcpreplay',
           'docker_clean'
           ],
-      'so-receiver': [
-          'ssl',
-          'telegraf',
-          'firewall',
-          'schedule',
-          'docker_clean'
-          ],
-      'so-workstation': [
-          ],
   }, grain='role') %}
 
-  {% if FILEBEAT and grains.role in ['so-helixsensor', 'so-eval', 'so-manager', 'so-standalone', 'so-node', 'so-managersearch', 'so-heavynode', 'so-import', 'so-receiver'] %}
+  {% if FILEBEAT and grains.role in ['so-helixsensor', 'so-eval', 'so-manager', 'so-standalone', 'so-node', 'so-managersearch', 'so-heavynode', 'so-import'] %}
     {% do allowed_states.append('filebeat') %}
   {% endif %}
 
@@ -229,7 +215,7 @@
     {% do allowed_states.append('mysql') %}
   {% endif %}
 
-  {% if (FLEETMANAGER or FLEETNODE) and grains.role in ['so-sensor', 'so-eval', 'so-manager', 'so-standalone', 'so-node', 'so-managersearch', 'so-heavynode', 'so-receiver'] %}
+  {% if (FLEETMANAGER or FLEETNODE) and grains.role in ['so-sensor', 'so-eval', 'so-manager', 'so-standalone', 'so-node', 'so-managersearch', 'so-heavynode'] %}
     {% do allowed_states.append('fleet.install_package') %}
   {% endif %}
 
@@ -249,7 +235,7 @@
     {% do allowed_states.append('strelka') %}
   {% endif %}
 
-  {% if WAZUH and grains.role in ['so-eval', 'so-manager', 'so-standalone', 'so-node', 'so-managersearch', 'so-heavynode', 'so-receiver','so-idh']%}
+  {% if WAZUH and grains.role in ['so-eval', 'so-manager', 'so-standalone', 'so-node', 'so-managersearch', 'so-heavynode']%}
     {% do allowed_states.append('wazuh') %}
   {% endif %}
 
@@ -274,6 +260,10 @@
     {% do allowed_states.append('elastalert') %}
   {% endif %}
 
+  {% if (THEHIVE != 0) and grains.role in ['so-eval', 'so-manager', 'so-standalone', 'so-managersearch'] %}
+    {% do allowed_states.append('thehive') %}
+  {% endif %}
+
   {% if (PLAYBOOK !=0) and grains.role in ['so-eval', 'so-manager', 'so-standalone', 'so-managersearch'] %}
     {% do allowed_states.append('playbook') %}
   {% endif %}
@@ -290,11 +280,11 @@
     {% do allowed_states.append('domainstats') %}
   {% endif %}
 
-  {% if LOGSTASH and grains.role in ['so-helixsensor', 'so-manager', 'so-standalone', 'so-node', 'so-managersearch', 'so-heavynode', 'so-receiver'] %}
+  {% if LOGSTASH and grains.role in ['so-helixsensor', 'so-manager', 'so-standalone', 'so-node', 'so-managersearch', 'so-heavynode'] %}
     {% do allowed_states.append('logstash') %}
   {% endif %}
 
-  {% if REDIS and grains.role in ['so-manager', 'so-standalone', 'so-managersearch', 'so-heavynode', 'so-receiver'] %}
+  {% if REDIS and grains.role in ['so-manager', 'so-standalone', 'so-managersearch', 'so-heavynode'] %}
     {% do allowed_states.append('redis') %}
   {% endif %}
 

salt/ca/dirs.sls

@@ -1,4 +0,0 @@
-pki_issued_certs:
-  file.directory:
-    - name: /etc/pki/issued_certs
-    - makedirs: True

salt/ca/files/signing_policies.conf

@@ -1,6 +1,3 @@
-mine_functions:
-  x509.get_pem_entries: [/etc/pki/ca.crt]
-
 x509_signing_policies:
   filebeat:
     - minions: '*'

salt/ca/init.sls

@@ -1,14 +1,17 @@
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls in allowed_states %}
 
-include:
-  - ca.dirs
-
 {% set manager = salt['grains.get']('master') %}
 /etc/salt/minion.d/signing_policies.conf:
   file.managed:
     - source: salt://ca/files/signing_policies.conf
 
+/etc/pki:
+  file.directory: []
+
+/etc/pki/issued_certs:
+  file.directory: []
+
 pki_private_key:
   x509.private_key_managed:
     - name: /etc/pki/ca.key
@@ -39,12 +42,18 @@ pki_public_ca_crt:
     - backup: True
     - replace: False
     - require:
-      - sls: ca.dirs
+      - file: /etc/pki
     - timeout: 30
     - retry:
         attempts: 5
         interval: 30
 
+x509_pem_entries:
+  module.run:
+    - mine.send:
+       - name: x509.get_pem_entries
+       - glob_path: /etc/pki/ca.crt
+
 cakeyperms:
   file.managed:
     - replace: False

salt/ca/remove.sls

@@ -1,7 +0,0 @@
-pki_private_key:
-  file.absent:
-    - name: /etc/pki/ca.key
-
-pki_public_ca_crt:
-  file.absent:
-    - name: /etc/pki/ca.crt

salt/common/files/log-rotate.conf

@@ -23,7 +23,6 @@
 /opt/so/log/salt/minion
 /opt/so/log/salt/master
 /opt/so/log/logscan/*.log
-/nsm/idh/*.log
 {
     {{ logrotate_conf | indent(width=4) }}
 }

salt/common/init.sls

@@ -4,12 +4,6 @@
 {% set role = grains.id.split('_') | last %}
 {% from 'elasticsearch/auth.map.jinja' import ELASTICAUTH with context %}
 
-include:
-  - common.soup_scripts
-{% if grains.role in ['so-eval', 'so-manager', 'so-standalone', 'so-managersearch', 'so-import'] %}
-  - manager.elasticsearch # needed for elastic_curl_config state
-{% endif %}
-
 # Remove variables.txt from /tmp - This is temp
 rmvariablesfile:
   file.absent:
@@ -188,7 +182,6 @@ alwaysupdated:
 Etc/UTC:
   timezone.system
 
-{% if salt['pillar.get']('elasticsearch:auth:enabled', False) %}
 elastic_curl_config:
   file.managed:
     - name: /opt/so/conf/elasticsearch/curl.config
@@ -196,11 +189,6 @@ elastic_curl_config:
     - mode: 600
     - show_changes: False
     - makedirs: True
-  {% if grains.role in ['so-eval', 'so-manager', 'so-standalone', 'so-managersearch', 'so-import'] %}
-    - require:
-      - file: elastic_curl_config_distributed
-  {% endif %}
-{% endif %}
 
 # Sync some Utilities
 utilsyncscripts:
@@ -215,11 +203,6 @@ utilsyncscripts:
         ELASTICCURL: 'curl'
     - context:
         ELASTICCURL: {{ ELASTICAUTH.elasticcurl }}
-    - exclude_pat:
-        - so-common
-        - so-firewall
-        - so-image-common
-        - soup
 
 {% if role in ['eval', 'standalone', 'sensor', 'heavynode'] %}
 # Add sensor cleanup
@@ -300,17 +283,8 @@ sostatus_log:
     - month: '*'
     - dayweek: '*'
 
+
 {% if role in ['eval', 'manager', 'managersearch', 'standalone'] %}
-# Install cron job to determine size of influxdb for telegraf
-'du -s -k /nsm/influxdb | cut -f1 > /opt/so/log/telegraf/influxdb_size.log 2>&1':
-  cron.present:
-    - user: root
-    - minute: '*/1'
-    - hour: '*'
-    - daymonth: '*'
-    - month: '*'
-    - dayweek: '*'
-    
 # Lock permissions on the backup directory
 backupdir:
   file.directory:

salt/common/soup_scripts.sls

@@ -1,13 +0,0 @@
-# Sync some Utilities
-soup_scripts:
-  file.recurse:
-    - name: /usr/sbin
-    - user: root
-    - group: root
-    - file_mode: 755
-    - source: salt://common/tools/sbin
-    - include_pat:
-        - so-common
-        - so-firewall
-        - so-image-common
-        - soup

salt/common/tools/sbin/so-allow

@@ -1,6 +1,6 @@
 #!/usr/bin/env python3
 
-# Copyright 2014-2022 Security Onion Solutions, LLC
+# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -23,6 +23,7 @@ import sys
 import argparse
 import re
 from lxml import etree as ET
+from xml.dom import minidom
 from datetime import datetime as dt
 from datetime import timezone as tz
 
@@ -78,15 +79,20 @@ def ip_prompt() -> str:
 
 
 def wazuh_enabled() -> bool:
-  file = f'{LOCAL_SALT_DIR}/pillar/global.sls'
-  with open(file, 'r') as pillar:
-    if 'wazuh: 1' in pillar.read():
-      return True
+  for file in os.listdir(f'{LOCAL_SALT_DIR}/pillar'):
+    with open(file, 'r') as pillar:
+      if 'wazuh: 1' in pillar.read():
+        return True
   return False
 
 
 def root_to_str(root: ET.ElementTree) -> str:
-    return ET.tostring(root, encoding='unicode', method='xml', xml_declaration=False, pretty_print=True)
+    xml_str = ET.tostring(root, encoding='unicode', method='xml').replace('\n', '')
+    xml_str = re.sub(r'(?:(?<=>) *)', '', xml_str)
+    xml_str = re.sub(r'       -', '', xml_str)
+    xml_str = re.sub(r'      -->', ' -->', xml_str)
+    dom = minidom.parseString(xml_str)
+    return dom.toprettyxml(indent="  ")
 
 
 def add_wl(ip):
@@ -118,7 +124,7 @@ def apply(role: str, ip: str) -> int:
   else:
     return cmd.returncode
   if cmd.returncode == 0:
-    if wazuh_enabled() and role=='analyst':
+    if wazuh_enabled and role=='analyst':
       try:
         add_wl(ip)
         print(f'Added whitelist entry for {ip} from {WAZUH_CONF}', file=sys.stderr)

salt/common/tools/sbin/so-allow-view

@@ -1,6 +1,6 @@
 #!/bin/bash
 
-# Copyright 2014-2022 Security Onion Solutions, LLC
+# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -20,4 +20,4 @@
 echo ""
 echo "Hosts/Networks that have access to login to the Security Onion Console:"
 
-so-firewall includedhosts analyst
+so-firewall includedhosts analyst

salt/common/tools/sbin/so-analyst-install

@@ -1,6 +1,6 @@
 #!/bin/bash
 
-# Copyright 2014-2022 Security Onion Solutions, LLC
+# Copyright 2014-2020 Security Onion Solutions, LLC
 
 #    This program is free software: you can redistribute it and/or modify
 #    it under the terms of the GNU General Public License as published by
@@ -15,86 +15,295 @@
 #    You should have received a copy of the GNU General Public License
 #    along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
-doc_workstation_url="https://docs.securityonion.net/en/2.3/analyst-vm.html"
-{# we only want the script to install the workstation if it is CentOS -#}
-{% if grains.os == 'CentOS' -%}
-{#   if this is a manager -#}
-{%   if grains.master == grains.id.split('_')|first -%}
+if [ "$(id -u)" -ne 0 ]; then
+	echo "This script must be run using sudo!"
+	exit 1
+fi
 
-source /usr/sbin/so-common
-pillar_file="/opt/so/saltstack/local/pillar/minions/{{grains.id}}.sls"
+INSTALL_LOG=/root/so-analyst-install.log
+exec &> >(tee -a "$INSTALL_LOG")
 
-if [ -f "$pillar_file" ]; then
-  if ! grep -q "^workstation:$" "$pillar_file"; then
+log() {
+	msg=$1
+	level=${2:-I}
+	now=$(TZ=GMT date +"%Y-%m-%dT%H:%M:%SZ")
+	echo -e "$now | $level | $msg" >> "$INSTALL_LOG" 2>&1
+}
 
+error() {
+	log "$1" "E"
+}
+
+info() {
+	log "$1" "I"
+}
+
+title() {
+	echo -e "\n-----------------------------\n $1\n-----------------------------\n" >> "$INSTALL_LOG" 2>&1
+}
+
+logCmd() {
+	cmd=$1
+	info "Executing command: $cmd"
+	$cmd >> "$INSTALL_LOG" 2>&1
+}
+
+analyze_system() {
+	title "System Characteristics"
+	logCmd "uptime"
+	logCmd "uname -a"
+	logCmd "free -h"
+	logCmd "lscpu"
+	logCmd "df -h"
+	logCmd "ip a"
+}
+
+analyze_system
+
+OS=$(grep PRETTY_NAME /etc/os-release | grep 'CentOS Linux 7')
+if [ $? -ne 0 ]; then
+  echo "This is an unsupported OS. Please use CentOS 7 to install the analyst node."
+  exit 1
+fi
+
+if [[ "$manufacturer" == "Security Onion Solutions" && "$family" == "Automated" ]]; then
+  INSTALL=yes
+  CURLCONTINUE=no
+else
+  INSTALL=''
+  CURLCONTINUE=''
+fi
+
+FIRSTPASS=yes
+while [[ $INSTALL != "yes" ]] && [[ $INSTALL != "no" ]]; do
+  if [[ "$FIRSTPASS" == "yes" ]]; then
+    clear
+    echo "###########################################"
+    echo "##          ** W A R N I N G **          ##"
+    echo "##    _______________________________    ##"
+    echo "##                                       ##"
+    echo "##    Installing the Security Onion      ##"
+    echo "##   analyst node on this device will    ##"
+    echo "##       make permanent changes to       ##"
+    echo "##              the system.              ##"
+    echo "##                                       ##"
+    echo "###########################################"
+    echo "Do you wish to continue? (Type the entire word 'yes' to proceed or 'no' to exit)"
+    FIRSTPASS=no
+  else
+    echo "Please type 'yes' to continue or 'no' to exit."
+  fi      
+  read INSTALL
+done
+
+if [[ $INSTALL == "no" ]]; then
+  echo "Exiting analyst node installation."
+  exit 0
+fi
+
+echo "Testing for internet connection with curl https://securityonionsolutions.com/"
+CANCURL=$(curl -sI https://securityonionsolutions.com/ | grep "200 OK")
+  if [ $? -ne 0 ]; then
     FIRSTPASS=yes
-    while [[ $INSTALL != "yes" ]] && [[ $INSTALL != "no" ]]; do
+    while [[ $CURLCONTINUE != "yes" ]] && [[ $CURLCONTINUE != "no" ]]; do
       if [[ "$FIRSTPASS" == "yes" ]]; then
-        echo "###########################################"
-        echo "##          ** W A R N I N G **          ##"
-        echo "##    _______________________________    ##"
-        echo "##                                       ##"
-        echo "##    Installing the Security Onion      ##"
-        echo "##   analyst node on this device will    ##"
-        echo "##       make permanent changes to       ##"
-        echo "##              the system.              ##"
-        echo "##    A system reboot will be required   ##"
-        echo "##        to complete the install.       ##"
-        echo "##                                       ##"
-        echo "###########################################"
-        echo "Do you wish to continue? (Type the entire word 'yes' to proceed or 'no' to exit)"
+        echo "We could not access https://securityonionsolutions.com/."
+        echo "Since packages are downloaded from the internet, internet acceess is required."
+        echo "If you would like to ignore this warning and continue anyway, please type 'yes'."
+        echo "Otherwise, type 'no' to exit."
         FIRSTPASS=no
       else
         echo "Please type 'yes' to continue or 'no' to exit."
-      fi      
-      read INSTALL
+      fi  
+      read CURLCONTINUE
     done
-
-    if [[ $INSTALL == "no" ]]; then
+    if [[ "$CURLCONTINUE" == "no" ]]; then
       echo "Exiting analyst node installation."
       exit 0
     fi
-
-    # Add workstation pillar to the minion's pillar file
-    printf '%s\n'\
-      "workstation:"\
-      "  gui:"\
-      "    enabled: true"\
-		  "" >> "$pillar_file"
-    echo "Applying the workstation state. This could take some time since there are many packages that need to be installed."
-    if salt-call state.apply workstation -linfo queue=True; then # make sure the state ran successfully
-      echo ""
-      echo "Analyst workstation has been installed!"
-      echo "Press ENTER to reboot or Ctrl-C to cancel."
-      read pause
-
-      reboot;
-    else
-      echo "There was an issue applying the workstation state. Please review the log above or at /opt/so/logs/salt/minion."
-    fi
-  else # workstation is already added
-    echo "The workstation pillar already exists in $pillar_file."
-    echo "To enable/disable the gui, set 'workstation:gui:enabled' to true or false in $pillar_file."
-    echo "Additional documentation can be found at $doc_workstation_url."
+  else
+    echo "We were able to curl https://securityonionsolutions.com/."
+    sleep 3
   fi
-else # if the pillar file doesn't exist
-  echo "Could not find $pillar_file and add the workstation pillar."
+
+# Install a GUI text editor
+yum -y install gedit
+
+# Install misc utils
+yum -y install wget curl unzip epel-release yum-plugin-versionlock;
+
+# Install xWindows
+yum -y groupinstall "X Window System";
+yum -y install gnome-classic-session gnome-terminal nautilus-open-terminal control-center liberation-mono-fonts;
+unlink /etc/systemd/system/default.target;
+ln -sf /lib/systemd/system/graphical.target /etc/systemd/system/default.target;
+yum -y install file-roller
+
+# Install Mono - prereq for NetworkMiner
+yum -y install mono-core mono-basic mono-winforms expect
+
+# Install NetworkMiner
+yum -y install libcanberra-gtk2;
+wget https://www.netresec.com/?download=NetworkMiner -O /tmp/nm.zip;
+mkdir -p /opt/networkminer/
+unzip /tmp/nm.zip -d /opt/networkminer/;
+rm /tmp/nm.zip;
+mv /opt/networkminer/NetworkMiner_*/* /opt/networkminer/
+chmod +x /opt/networkminer/NetworkMiner.exe;
+chmod -R go+w /opt/networkminer/AssembledFiles/;
+chmod -R go+w /opt/networkminer/Captures/;
+# Create networkminer shim
+cat << EOF >> /bin/networkminer
+#!/bin/bash
+/bin/mono /opt/networkminer/NetworkMiner.exe --noupdatecheck "\$@"
+EOF
+chmod +x /bin/networkminer
+# Convert networkminer ico file to png format
+yum -y install ImageMagick
+convert /opt/networkminer/networkminericon.ico /opt/networkminer/networkminericon.png
+# Create menu entry
+cat << EOF >> /usr/share/applications/networkminer.desktop
+[Desktop Entry]
+Name=NetworkMiner
+Comment=NetworkMiner
+Encoding=UTF-8
+Exec=/bin/networkminer %f
+Icon=/opt/networkminer/networkminericon-4.png
+StartupNotify=true
+Terminal=false
+X-MultipleArgs=false
+Type=Application
+MimeType=application/x-pcap;
+Categories=Network;
+EOF
+
+# Set default monospace font to Liberation
+cat << EOF >> /etc/fonts/local.conf
+ <match target="pattern">
+  <test name="family" qual="any">
+   <string>monospace</string>
+  </test>
+  <edit binding="strong" mode="prepend" name="family">
+   <string>Liberation Mono</string>
+  </edit>
+ </match>
+EOF
+
+# Install Wireshark for Gnome
+yum -y install wireshark-gnome; 
+
+# Install dnsiff
+yum -y install dsniff;
+
+# Install hping3
+yum -y install hping3;
+
+# Install netsed
+yum -y install netsed;
+
+# Install ngrep
+yum -y install ngrep;
+
+# Install scapy
+yum -y install python36-scapy;
+
+# Install ssldump
+yum -y install ssldump;
+
+# Install tcpdump
+yum -y install tcpdump;
+
+# Install tcpflow
+yum -y install tcpflow;
+
+# Install tcpxtract
+yum -y install tcpxtract;
+
+# Install whois
+yum -y install whois;
+
+# Install foremost
+yum -y install https://forensics.cert.org/centos/cert/7/x86_64//foremost-1.5.7-13.1.el7.x86_64.rpm;
+
+# Install chromium
+yum -y install chromium;
+
+# Install tcpstat
+yum -y install https://github.com/Security-Onion-Solutions/securityonion-docker-rpm/releases/download/securityonion-tcpstat-1.5.0/securityonion-tcpstat-1.5.0.rpm;
+
+# Install tcptrace
+yum -y install https://github.com/Security-Onion-Solutions/securityonion-docker-rpm/releases/download/securityonion-tcptrace-6.6.7/securityonion-tcptrace-6.6.7.rpm;
+
+# Install sslsplit
+yum -y install libevent;
+yum -y install sslsplit;
+
+# Install Bit-Twist
+yum -y install https://github.com/Security-Onion-Solutions/securityonion-docker-rpm/releases/download/securityonion-bittwist-2.0.0/securityonion-bittwist-2.0.0.rpm;
+
+# Install chaosreader
+yum -y install perl-IO-Compress perl-Net-DNS;
+yum -y install https://github.com/Security-Onion-Solutions/securityonion-docker-rpm/releases/download/securityonion-chaosreader-0.95.10/securityonion-chaosreader-0.95.10.rpm;
+chmod +x /bin/chaosreader;
+
+if [ -f ../../files/analyst/README ]; then
+  cp ../../files/analyst/README /;
+  cp ../../files/analyst/so-wallpaper.jpg /usr/share/backgrounds/;
+  cp ../../files/analyst/so-lockscreen.jpg /usr/share/backgrounds/;
+  cp ../../files/analyst/so-login-logo-dark.svg /usr/share/pixmaps/;
+else
+  cp /opt/so/saltstack/default/salt/common/files/analyst/README /;
+  cp /opt/so/saltstack/default/salt/common/files/analyst/so-wallpaper.jpg /usr/share/backgrounds/;
+  cp /opt/so/saltstack/default/salt/common/files/analyst/so-lockscreen.jpg /usr/share/backgrounds/;
+  cp /opt/so/saltstack/default/salt/common/files/analyst/so-login-logo-dark.svg /usr/share/pixmaps/;
 fi
 
-{#-  if this is not a manager #}
-{%   else -%}
+# Set background wallpaper
+cat << EOF >> /etc/dconf/db/local.d/00-background
+# Specify the dconf path
+[org/gnome/desktop/background]
 
-echo "Since this is not a manager, the pillar values to enable analyst workstation must be set manually. Please view the documentation at $doc_workstation_url."
+# Specify the path to the desktop background image file
+picture-uri='file:///usr/share/backgrounds/so-wallpaper.jpg'
+# Specify one of the rendering options for the background image:
+# 'none', 'wallpaper', 'centered', 'scaled', 'stretched', 'zoom', 'spanned'
+picture-options='zoom'
+# Specify the left or top color when drawing gradients or the solid color
+primary-color='000000'
+# Specify the right or bottom color when drawing gradients
+secondary-color='FFFFFF'
+EOF
 
-{#- endif if this is a manager #}
-{%   endif -%}
+# Set lock screen
+cat << EOF >> /etc/dconf/db/local.d/00-screensaver
+[org/gnome/desktop/session]
+idle-delay=uint32 180
 
-{#- if not CentOS #}
-{%- else %}
+[org/gnome/desktop/screensaver]
+lock-enabled=true
+lock-delay=uint32 120
+picture-options='zoom'
+picture-uri='file:///usr/share/backgrounds/so-lockscreen.jpg'
+EOF
 
-echo "The Analyst Workstation can only be installed on CentOS. Please view the documentation at $doc_workstation_url."
+cat << EOF >> /etc/dconf/db/local.d/locks/screensaver
+/org/gnome/desktop/session/idle-delay
+/org/gnome/desktop/screensaver/lock-enabled
+/org/gnome/desktop/screensaver/lock-delay
+EOF
 
-{#- endif grains.os == CentOS #}
-{% endif -%}
+# Do not show the user list at login screen
+cat << EOF >> /etc/dconf/db/local.d/00-login-screen
+[org/gnome/login-screen]
+logo='/usr/share/pixmaps/so-login-logo-dark.svg'
+disable-user-list=true
+EOF
 
-exit 0
+dconf update;
+
+echo
+echo "Analyst workstation has been installed!"
+echo "Press ENTER to reboot or Ctrl-C to cancel."
+read pause
+
+reboot;

salt/common/tools/sbin/so-checkin

@@ -1,6 +1,6 @@
 #!/bin/bash
 
-# Copyright 2014-2022 Security Onion Solutions, LLC
+# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by

salt/common/tools/sbin/so-common

@@ -1,6 +1,6 @@
 #!/bin/bash
 #
-# Copyright 2014-2022 Security Onion Solutions, LLC
+# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -120,30 +120,6 @@ check_elastic_license() {
 	fi  
 }
 
-check_salt_master_status() {
-	local timeout=$1
-	echo "Checking if we can talk to the salt master"
-	salt-call state.show_top concurrent=true
-
-	return
-}
-
-check_salt_minion_status() {
-	local timeout=$1
-	echo "Checking if the salt minion will respond to jobs" >> "$setup_log" 2>&1
-	salt "$MINION_ID" test.ping -t $timeout > /dev/null 2>&1
-	local status=$?
-	if [ $status -gt 0 ]; then
-		echo "  Minion did not respond" >> "$setup_log" 2>&1
-	else
-		echo "  Received job response from salt minion" >> "$setup_log" 2>&1
-	fi
-
-	return $status
-}
-
-
-
 copy_new_files() {
   # Copy new files over to the salt dir
   cd $UPDATE_DIR
@@ -273,7 +249,6 @@ lookup_salt_value() {
 	group=$2
 	kind=$3
 	output=${4:-newline_values_only}
-	local=$5
 
 	if [ -z "$kind" ]; then
 		kind=pillar
@@ -283,13 +258,7 @@ lookup_salt_value() {
 		group=${group}:
 	fi
 
-	if [[ "$local" == "--local" ]] || [[ "$local" == "local" ]]; then
-		local="--local"
-	else
-		local=""
-	fi
-
-	salt-call --no-color  ${kind}.get ${group}${key} --out=${output} ${local}
+	salt-call --no-color  ${kind}.get ${group}${key} --out=${output}
 }
 
 lookup_pillar() {
@@ -325,49 +294,32 @@ require_manager() {
 }
 
 retry() {
-        maxAttempts=$1
-        sleepDelay=$2
-        cmd=$3
-        expectedOutput=$4
-        failedOutput=$5
-        attempt=0
-        local exitcode=0
-        while [[ $attempt -lt $maxAttempts ]]; do
-                attempt=$((attempt+1))
-                echo "Executing command with retry support: $cmd"
-                output=$(eval "$cmd")
-                exitcode=$?
-                echo "Results: $output ($exitcode)"
-                if [ -n "$expectedOutput" ]; then
-                        if [[ "$output" =~ "$expectedOutput" ]]; then
-                                return $exitcode
-                        else
-                                echo "Did not find expectedOutput: '$expectedOutput' in the output below from running the command: '$cmd'"
-								echo "<Start of output>"
-								echo "$output"
-								echo "<End of output>"
-                        fi
-                elif [ -n "$failedOutput" ]; then
-                        if [[ "$output" =~ "$failedOutput" ]]; then
-                                echo "Found failedOutput: '$failedOutput' in the output below from running the command: '$cmd'"
-								echo "<Start of output>"
-								echo "$output"
-								echo "<End of output>"
-								if [[ $exitcode -eq 0 ]]; then
-									echo "The exitcode was 0, but we are setting to 1 since we found $failedOutput in the output."
-									exitcode=1
-								fi
-                        else
-                                return $exitcode
-                        fi
-                elif [[ $exitcode -eq 0 ]]; then
-                        return $exitcode
-                fi
-                echo "Command failed with exit code $exitcode; will retry in $sleepDelay seconds ($attempt / $maxAttempts)..."
-                sleep $sleepDelay
-        done
-        echo "Command continues to fail; giving up."
-        return $exitcode
+	maxAttempts=$1
+	sleepDelay=$2
+	cmd=$3
+	expectedOutput=$4
+	attempt=0
+	local exitcode=0
+	while [[ $attempt -lt $maxAttempts ]]; do			
+		attempt=$((attempt+1))
+		echo "Executing command with retry support: $cmd"
+		output=$(eval "$cmd")
+		exitcode=$?
+		echo "Results: $output ($exitcode)"
+		if [ -n "$expectedOutput" ]; then
+			if [[ "$output" =~ "$expectedOutput" ]]; then
+				return $exitCode
+			else
+				echo "Expected '$expectedOutput' but got '$output'"
+			fi
+		elif [[ $exitcode -eq 0 ]]; then
+			return $exitCode
+		fi
+		echo "Command failed with exit code $exitcode; will retry in $sleepDelay seconds ($attempt / $maxAttempts)..."
+		sleep $sleepDelay
+	done
+	echo "Command continues to fail; giving up."
+	return $exitcode
 }
 
 run_check_net_err() {
@@ -392,14 +344,6 @@ run_check_net_err() {
 	fi
 }
 
-set_cron_service_name() {
-  if [[ "$OS" == "centos" ]]; then
-    cron_service_name="crond"
-  else
-    cron_service_name="cron"
-  fi
-}
-
 set_os() {
 	if [ -f /etc/redhat-release ]; then
 		OS=centos
@@ -437,21 +381,6 @@ set_version() {
 	fi
 }
 
-systemctl_func() {
-	local action=$1
-	local echo_action=$1
-	local service_name=$2
-
-	if [[ "$echo_action" == "stop" ]]; then
-		echo_action="stopp"
-	fi
-
-	echo ""
-	echo "${echo_action^}ing $service_name service at $(date +"%T.%6N")"
-    systemctl $action $service_name && echo "Successfully ${echo_action}ed $service_name." || echo "Failed to $action $service_name."
-	echo ""
-}
-
 has_uppercase() {
 	local string=$1
 

salt/common/tools/sbin/so-config-backup

@@ -1,6 +1,6 @@
 #!/bin/bash
 #
-# Copyright 2014-2022 Security Onion Solutions, LLC
+# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -45,4 +45,4 @@ while [ "$NUMBACKUPS" -gt "$MAXBACKUPS" ]; do
   OLDESTBACKUP=$(find /nsm/backup/ -type f -name "so-config-backup*" -type f -printf '%T+ %p\n' | sort | head -n 1 | awk -F" " '{print $2}')
   rm -f $OLDESTBACKUP
   NUMBACKUPS=$(find /nsm/backup/ -type f -name "so-config-backup*" | wc -l)
-done
+done

salt/common/tools/sbin/so-cortex-restart

@@ -1,6 +1,6 @@
 #!/bin/bash
 #
-# Copyright 2014-2022 Security Onion Solutions, LLC
+# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -17,4 +17,5 @@
 
 . /usr/sbin/so-common
 
-echo "TheHive and its components are no longer part of Security Onion"
+/usr/sbin/so-stop cortex $1
+/usr/sbin/so-start thehive $1

salt/common/tools/sbin/so-cortex-start

@@ -1,6 +1,6 @@
 #!/bin/bash
 
-# Copyright 2014-2022 Security Onion Solutions, LLC
+# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -17,4 +17,4 @@
 
 . /usr/sbin/so-common
 
-echo "TheHive and its components are no longer part of Security Onion"
+/usr/sbin/so-start thehive $1

salt/common/tools/sbin/so-cortex-stop

@@ -1,6 +1,6 @@
 #!/bin/bash
 #
-# Copyright 2014-2022 Security Onion Solutions, LLC
+# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -17,4 +17,4 @@
 
 . /usr/sbin/so-common
 
-echo "TheHive and its components are no longer part of Security Onion"
+/usr/sbin/so-stop cortex $1

salt/common/tools/sbin/so-cortex-user-add

@@ -1,6 +1,6 @@
 #!/bin/bash
 #
-# Copyright 2014-2022 Security Onion Solutions, LLC
+# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -17,4 +17,38 @@
 
 . /usr/sbin/so-common
 
-echo "TheHive and its components are no longer part of Security Onion"
+usage() {
+    echo "Usage: $0 <new-user-name>"
+    echo ""
+    echo "Adds a new user to Cortex. The new password will be read from STDIN."
+    exit 1
+}
+
+if [ $# -ne 1 ]; then
+  usage
+fi
+
+USER=$1
+
+CORTEX_KEY=$(lookup_pillar cortexorguserkey)
+CORTEX_API_URL="$(lookup_pillar url_base)/cortex/api"
+CORTEX_ORG_NAME=$(lookup_pillar cortexorgname)
+CORTEX_USER=$USER
+
+# Read password for new user from stdin
+test -t 0
+if [[ $? == 0 ]]; then
+  echo "Enter new password:"
+fi
+read -rs CORTEX_PASS
+
+# Create new user in Cortex
+resp=$(curl -sk -XPOST -H "Authorization: Bearer $CORTEX_KEY" -H "Content-Type: application/json" -L "https://$CORTEX_API_URL/user" -d "{\"name\": \"$CORTEX_USER\",\"roles\": [\"read\",\"analyze\",\"orgadmin\"],\"organization\": \"$CORTEX_ORG_NAME\",\"login\": \"$CORTEX_USER\",\"password\" : \"$CORTEX_PASS\" }")
+if [[ "$resp" =~ \"status\":\"Ok\" ]]; then
+    echo "Successfully added user to Cortex."
+else
+    echo "Unable to add user to Cortex; user might already exist."
+    echo $resp
+    exit 2
+fi
+    

salt/common/tools/sbin/so-cortex-user-enable

@@ -1,6 +1,6 @@
 #!/bin/bash
 #
-# Copyright 2014-2022 Security Onion Solutions, LLC
+# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -17,4 +17,41 @@
 
 . /usr/sbin/so-common
 
-echo "TheHive and its components are no longer part of Security Onion"
+usage() {
+    echo "Usage: $0 <user-name> <true|false>"
+    echo ""
+    echo "Enables or disables a user in Cortex."
+    exit 1
+}
+
+if [ $# -ne 2 ]; then
+  usage
+fi
+
+USER=$1
+
+CORTEX_KEY=$(lookup_pillar cortexorguserkey)
+CORTEX_API_URL="$(lookup_pillar url_base)/cortex/api"
+CORTEX_USER=$USER
+
+case "${2^^}" in
+	FALSE | NO | 0)
+		CORTEX_STATUS=Locked
+		;;
+	TRUE | YES | 1)
+		CORTEX_STATUS=Ok
+		;;
+	*)
+		usage
+		;;
+esac
+
+resp=$(curl -sk -XPATCH -H "Authorization: Bearer $CORTEX_KEY" -H "Content-Type: application/json" -L "https://$CORTEX_API_URL/user/${CORTEX_USER}" -d "{\"status\":\"${CORTEX_STATUS}\" }")
+if [[ "$resp" =~ \"status\":\"Locked\" || "$resp" =~ \"status\":\"Ok\" ]]; then
+    echo "Successfully updated user in Cortex."
+else
+    echo "Failed to update user in Cortex."
+    echo $resp
+    exit 2
+fi
+    

salt/common/tools/sbin/so-curator-restart

@@ -1,6 +1,6 @@
 #!/bin/bash
 
-# Copyright 2014-2022 Security Onion Solutions, LLC
+# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by

salt/common/tools/sbin/so-curator-start

@@ -1,6 +1,6 @@
 #!/bin/bash
 
-# Copyright 2014-2022 Security Onion Solutions, LLC
+# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by

salt/common/tools/sbin/so-curator-stop

@@ -1,6 +1,6 @@
 #!/bin/bash
 
-# Copyright 2014-2022 Security Onion Solutions, LLC
+# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by

salt/common/tools/sbin/so-deny

@@ -1,6 +1,6 @@
 #!/usr/bin/env python3
 
-# Copyright 2014-2022 Security Onion Solutions, LLC
+# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by

salt/common/tools/sbin/so-docker-prune

@@ -1,6 +1,6 @@
 #!/usr/bin/env python3
 
-# Copyright 2014-2022 Security Onion Solutions, LLC
+# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by

salt/common/tools/sbin/so-docker-refresh

@@ -1,6 +1,6 @@
 #!/bin/bash
 
-# Copyright 2014-2022 Security Onion Solutions, LLC
+# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by

salt/common/tools/sbin/so-elastalert-restart

@@ -1,6 +1,6 @@
 #!/bin/bash
 
-# Copyright 2014-2022 Security Onion Solutions, LLC
+# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by

salt/common/tools/sbin/so-elastalert-start

@@ -1,6 +1,6 @@
 #!/bin/bash
 
-# Copyright 2014-2022 Security Onion Solutions, LLC
+# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by

salt/common/tools/sbin/so-elastalert-stop

@@ -1,6 +1,6 @@
 #!/bin/bash
 
-# Copyright 2014-2022 Security Onion Solutions, LLC
+# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by

salt/common/tools/sbin/so-elastic-auth

@@ -1,6 +1,6 @@
 #!/bin/bash
 
-# Copyright 2014-2022 Security Onion Solutions, LLC
+# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by

salt/common/tools/sbin/so-elastic-auth-password-reset

@@ -1,6 +1,6 @@
 #!/bin/bash
 
-# Copyright 2014-2022 Security Onion Solutions, LLC
+# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
 
 #    This program is free software: you can redistribute it and/or modify
 #    it under the terms of the GNU General Public License as published by

salt/common/tools/sbin/so-elastic-clear

@@ -1,6 +1,6 @@
 #!/bin/bash
 #
-# Copyright 2014-2022 Security Onion Solutions, LLC
+# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by

salt/common/tools/sbin/so-elastic-diagnose

@@ -1,6 +1,6 @@
 #!/bin/bash
 
-# Copyright 2014-2022 Security Onion Solutions, LLC
+# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by

salt/common/tools/sbin/so-elastic-restart

@@ -1,6 +1,6 @@
 #!/bin/bash
 
-# Copyright 2014-2022 Security Onion Solutions, LLC
+# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by

salt/common/tools/sbin/so-elastic-start

@@ -1,6 +1,6 @@
 #!/bin/bash
 
-# Copyright 2014-2022 Security Onion Solutions, LLC
+# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by

salt/common/tools/sbin/so-elastic-stop

@@ -1,6 +1,6 @@
 #!/bin/bash
 
-# Copyright 2014-2022 Security Onion Solutions, LLC
+# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by

salt/common/tools/sbin/so-elasticsearch-component-templates-list

@@ -1,23 +0,0 @@
-#!/bin/bash
-#
-# Copyright 2014-2022 Security Onion Solutions, LLC
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program.  If not, see <http://www.gnu.org/licenses/>.
-{%- set NODEIP = salt['pillar.get']('elasticsearch:mainip', '') -%}
-. /usr/sbin/so-common
-if [ "$1" == "" ]; then
-    {{ ELASTICCURL }} -s -k -L https://{{ NODEIP }}:9200/_component_template | jq '.component_templates[] |.name'| sort
-else
-    {{ ELASTICCURL }} -s -k -L https://{{ NODEIP }}:9200/_component_template/$1 | jq
-fi

salt/common/tools/sbin/so-elasticsearch-index-templates-list

@@ -1,23 +0,0 @@
-#!/bin/bash
-#
-# Copyright 2014-2022 Security Onion Solutions, LLC
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program.  If not, see <http://www.gnu.org/licenses/>.
-{%- set NODEIP = salt['pillar.get']('elasticsearch:mainip', '') -%}
-. /usr/sbin/so-common
-if [ "$1" == "" ]; then
-    {{ ELASTICCURL }} -s -k -L https://{{ NODEIP }}:9200/_index_template | jq '.index_templates[] |.name'| sort
-else
-    {{ ELASTICCURL }} -s -k -L https://{{ NODEIP }}:9200/_index_template/$1 | jq
-fi

salt/common/tools/sbin/so-elasticsearch-indices-list

@@ -1,6 +1,6 @@
 #!/bin/bash
 #
-# Copyright 2014-2022 Security Onion Solutions, LLC
+# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -18,4 +18,4 @@
 
 . /usr/sbin/so-common
 
-{{ ELASTICCURL }} -s -k -L "https://{{ NODEIP }}:9200/_cat/indices?pretty&v&s=index"
+{{ ELASTICCURL }} -s -k -L https://{{ NODEIP }}:9200/_cat/indices?pretty

salt/common/tools/sbin/so-elasticsearch-indices-rw

@@ -1,7 +1,7 @@
 #!/bin/bash
 #
 #
-# Copyright 2014-2022 Security Onion Solutions, LLC
+# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -17,7 +17,9 @@
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 IP={{ salt['grains.get']('ip_interfaces').get(salt['pillar.get']('sensor:mainint', salt['pillar.get']('manager:mainint', salt['pillar.get']('elasticsearch:mainint', salt['pillar.get']('host:mainint')))))[0] }}
 ESPORT=9200
+THEHIVEESPORT=9400
 
 echo "Removing read only attributes for indices..."
 echo
 {{ ELASTICCURL }} -s -k -XPUT -H "Content-Type: application/json" -L https://$IP:9200/_all/_settings -d '{"index.blocks.read_only_allow_delete": null}' 2>&1 | if grep -q ack; then echo "Index settings updated..."; else echo "There was any issue updating the read-only attribute.  Please ensure Elasticsearch is running.";fi;
+{{ ELASTICCURL }} -XPUT -H "Content-Type: application/json" -L http://$IP:9400/_all/_settings -d '{"index.blocks.read_only_allow_delete": null}' 2>&1 | if grep -q ack; then echo "Index settings updated..."; else echo "There was any issue updating the read-only attribute.  Please ensure Elasticsearch is running.";fi;

salt/common/tools/sbin/so-elasticsearch-pipeline-stats

@@ -1,6 +1,6 @@
 #!/bin/bash
 #
-# Copyright 2014-2022 Security Onion Solutions, LLC
+# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by

salt/common/tools/sbin/so-elasticsearch-pipeline-view

@@ -1,6 +1,6 @@
 #!/bin/bash
 #
-# Copyright 2014-2022 Security Onion Solutions, LLC
+# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by

salt/common/tools/sbin/so-elasticsearch-pipelines-list

@@ -1,6 +1,6 @@
 #!/bin/bash
 #
-# Copyright 2014-2022 Security Onion Solutions, LLC
+# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by

salt/common/tools/sbin/so-elasticsearch-query

@@ -1,6 +1,6 @@
 #!/bin/bash
 #
-# Copyright 2014-2022 Security Onion Solutions, LLC
+# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by

salt/common/tools/sbin/so-elasticsearch-restart

@@ -1,6 +1,6 @@
 #!/bin/bash
 
-# Copyright 2014-2022 Security Onion Solutions, LLC
+# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by

salt/common/tools/sbin/so-elasticsearch-roles-load

@@ -1,5 +1,5 @@
 #!/bin/bash
-# Copyright 2014-2022 Security Onion Solutions, LLC
+# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -33,8 +33,6 @@ while [[ "$COUNT" -le 240 ]]; do
 	if [ $? -eq 0 ]; then
 		ELASTICSEARCH_CONNECTED="yes"
 		echo "connected!"
-		# Check cluster health once connected
-		so-elasticsearch-query _cluster/health?wait_for_status=yellow > /dev/null 2>&1
 		break
 	else
 		((COUNT+=1))
@@ -50,7 +48,7 @@ fi
 
 cd ${ELASTICSEARCH_ROLES}
 
-echo "Loading roles..."
+echo "Loading templates..."
 for role in *; do
 	name=$(echo "$role" | cut -d. -f1)
 	so-elasticsearch-query _security/role/$name -XPUT -d @"$role"

salt/common/tools/sbin/so-elasticsearch-shards-list

@@ -1,6 +1,6 @@
 #!/bin/bash
 #
-# Copyright 2014-2022 Security Onion Solutions, LLC
+# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by

salt/common/tools/sbin/so-elasticsearch-start

@@ -1,6 +1,6 @@
 #!/bin/bash
 
-# Copyright 2014-2022 Security Onion Solutions, LLC
+# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by

salt/common/tools/sbin/so-elasticsearch-stop

@@ -1,6 +1,6 @@
 #!/bin/bash
 
-# Copyright 2014-2022 Security Onion Solutions, LLC
+# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by

salt/common/tools/sbin/so-elasticsearch-template-remove

@@ -1,6 +1,6 @@
 #!/bin/bash
 #
-# Copyright 2014-2022 Security Onion Solutions, LLC
+# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by

salt/common/tools/sbin/so-elasticsearch-template-view

@@ -1,6 +1,6 @@
 #!/bin/bash
 #
-# Copyright 2014-2022 Security Onion Solutions, LLC
+# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by

salt/common/tools/sbin/so-elasticsearch-templates-list

@@ -1,6 +1,6 @@
 #!/bin/bash
 #
-# Copyright 2014-2022 Security Onion Solutions, LLC
+# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by

salt/common/tools/sbin/so-elasticsearch-templates-load

@@ -1,5 +1,5 @@
 #!/bin/bash
-# Copyright 2014-2022 Security Onion Solutions, LLC
+# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -30,7 +30,7 @@ echo -n "Waiting for ElasticSearch..."
 COUNT=0
 ELASTICSEARCH_CONNECTED="no"
 while [[ "$COUNT" -le 240 ]]; do
-      so-elasticsearch-query -k --output /dev/null --silent --head --fail
+    {{ ELASTICCURL }} -k --output /dev/null --silent --head --fail -L https://"$ELASTICSEARCH_HOST":"$ELASTICSEARCH_PORT"
 	if [ $? -eq 0 ]; then
 		ELASTICSEARCH_CONNECTED="yes"
 		echo "connected!"
@@ -47,23 +47,11 @@ if [ "$ELASTICSEARCH_CONNECTED" == "no" ]; then
 	echo
 fi
 
-cd ${ELASTICSEARCH_TEMPLATES}/component/ecs
+cd ${ELASTICSEARCH_TEMPLATES}
 
-echo "Loading ECS component templates..."
-for i in *; do TEMPLATE=$(echo $i | cut -d '.' -f1); echo "$TEMPLATE-mappings"; so-elasticsearch-query _component_template/$TEMPLATE-mappings -d@$i -XPUT 2>/dev/null; echo; done
 
-# Load SO-specific component templates
-cd ${ELASTICSEARCH_TEMPLATES}/component/so
-
-echo "Loading Security Onion component templates..."
-for i in *; do TEMPLATE=$(echo $i | cut -d '.' -f1); echo "$TEMPLATE"; so-elasticsearch-query _component_template/$TEMPLATE -d@$i -XPUT 2>/dev/null; echo; done
-echo
-
-# Load SO index templates
-cd ${ELASTICSEARCH_TEMPLATES}/index
-
-echo "Loading Security Onion index templates..."
-for i in *; do TEMPLATE=$(echo $i | cut -d '-' -f2); echo "so-$TEMPLATE"; so-elasticsearch-query _index_template/so-$TEMPLATE -d@$i -XPUT 2>/dev/null; echo; done
+echo "Loading templates..."
+for i in *; do TEMPLATE=$(echo $i | cut -d '-' -f2); echo "so-$TEMPLATE"; {{ ELASTICCURL }} -k ${ELASTICSEARCH_AUTH} -s -XPUT -L https://${ELASTICSEARCH_HOST}:${ELASTICSEARCH_PORT}/_template/so-$TEMPLATE -H 'Content-Type: application/json' -d@$i 2>/dev/null; echo; done
 echo
 
 cd - >/dev/null

salt/common/tools/sbin/so-filebeat-module-setup

@@ -1,5 +1,5 @@
 #!/bin/bash
-# Copyright 2014-2022 Security Onion Solutions, LLC
+# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by

salt/common/tools/sbin/so-filebeat-restart

@@ -1,6 +1,6 @@
 #!/bin/bash
 
-# Copyright 2014-2022 Security Onion Solutions, LLC
+# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by

salt/common/tools/sbin/so-filebeat-start

@@ -1,6 +1,6 @@
 #!/bin/bash
 
-# Copyright 2014-2022 Security Onion Solutions, LLC
+# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by

salt/common/tools/sbin/so-filebeat-stop

@@ -1,6 +1,6 @@
 #!/bin/bash
 
-# Copyright 2014-2022 Security Onion Solutions, LLC
+# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by

salt/common/tools/sbin/so-firewall

@@ -1,6 +1,6 @@
 #!/usr/bin/env python3
 
-# Copyright 2014-2022 Security Onion Solutions, LLC
+# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by

salt/common/tools/sbin/so-fleet-restart

@@ -1,6 +1,6 @@
 #!/bin/bash
 
-# Copyright 2014-2022 Security Onion Solutions, LLC
+# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by

salt/common/tools/sbin/so-fleet-start

@@ -1,6 +1,6 @@
 #!/bin/bash
 
-# Copyright 2014-2022 Security Onion Solutions, LLC
+# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by

salt/common/tools/sbin/so-fleet-stop

@@ -1,6 +1,6 @@
 #!/bin/bash
 
-# Copyright 2014-2022 Security Onion Solutions, LLC
+# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by

salt/common/tools/sbin/so-fleet-user-add

@@ -1,6 +1,6 @@
 #!/bin/bash
 #
-# Copyright 2014-2022 Security Onion Solutions, LLC
+# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -66,4 +66,4 @@ fi
 
 # Disable forced password reset
 MYSQL_OUTPUT=$(docker exec so-mysql mysql -u root --password=$MYSQL_PW fleet -e \
-"UPDATE users SET admin_forced_password_reset = 0 WHERE email = '$USER_EMAIL'" 2>&1)
+"UPDATE users SET admin_forced_password_reset = 0 WHERE email = '$USER_EMAIL'" 2>&1)

salt/common/tools/sbin/so-fleet-user-delete

@@ -1,6 +1,6 @@
 #!/bin/bash
 #
-# Copyright 2014-2022 Security Onion Solutions, LLC
+# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by

salt/common/tools/sbin/so-fleet-user-update

@@ -1,6 +1,6 @@
 #!/bin/bash
 #
-# Copyright 2014-2022 Security Onion Solutions, LLC
+# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by

salt/common/tools/sbin/so-grafana-restart

@@ -1,6 +1,6 @@
 #!/bin/bash
 
-# Copyright 2014-2022 Security Onion Solutions, LLC
+# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by

salt/common/tools/sbin/so-grafana-start

@@ -1,6 +1,6 @@
 #!/bin/bash
 
-# Copyright 2014-2022 Security Onion Solutions, LLC
+# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by

salt/common/tools/sbin/so-grafana-stop

@@ -1,6 +1,6 @@
 #!/bin/bash
 
-# Copyright 2014-2022 Security Onion Solutions, LLC
+# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by

salt/common/tools/sbin/so-idh-restart

@@ -1,20 +0,0 @@
-#!/bin/bash
-
-# Copyright 2014-2022 Security Onion Solutions, LLC
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program.  If not, see <http://www.gnu.org/licenses/>.
-
-. /usr/sbin/so-common
-
-/usr/sbin/so-restart idh $1

salt/common/tools/sbin/so-idh-start

@@ -1,20 +0,0 @@
-#!/bin/bash
-
-# Copyright 2014-2022 Security Onion Solutions, LLC
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program.  If not, see <http://www.gnu.org/licenses/>.
-
-. /usr/sbin/so-common
-
-/usr/sbin/so-start idh $1

salt/common/tools/sbin/so-idh-stop

@@ -1,20 +0,0 @@
-#!/bin/bash
-
-# Copyright 2014-2022 Security Onion Solutions, LLC
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program.  If not, see <http://www.gnu.org/licenses/>.
-
-. /usr/sbin/so-common
-
-/usr/sbin/so-stop idh $1

salt/common/tools/sbin/so-idstools-restart

@@ -1,6 +1,6 @@
 #!/bin/bash
 
-# Copyright 2014-2022 Security Onion Solutions, LLC
+# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by