Merge pull request #5282 from Security-Onion-Solutions/hotfix/2.3.70

Hotfix/2.3.70
Merge pull request #5281 from Security-Onion-Solutions/grafana_fleet_hotfix
2026-04-25 14:07:49 +02:00 · 2021-08-24 10:15:33 -04:00 · 2021-08-24 10:01:10 -04:00 · 2021-08-24 10:00:06 -04:00 · 2021-08-24 09:58:28 -04:00 · 2021-08-23 13:10:35 -04:00
573 changed files with 29807 additions and 34388 deletions
@@ -1,6 +1,6 @@
 name: leak-test
-on: [push,pull_request]
+on: [pull_request]
 jobs:
  build:
@@ -0,0 +1,39 @@
 # Contributing to Security Onion
 ### Questions, suggestions, and general comments
 * Security Onion uses GitHub's [Discussions](https://github.com/Security-Onion-Solutions/securityonion/discussions) to provide a forum where the community and developers can interact as well as ask and answer questions.
 ### Reporting a bug
 * The primary place to report unexpected behavior or possible bugs is the repo's [Discussions forum](https://github.com/Security-Onion-Solutions/securityonion/discussions).
 *  **If you are familiar with the current version of Security Onion and are confident you've discovered a bug**, first ensure there is not already an issue present by searching the open [issues](https://github.com/Security-Onion-Solutions/securityonion/issues). If there is, a thumbs up :+1: is a great way to show this bug is affecting you too.
 * If an issue doesn't exist, [open a new one](https://github.com/Security-Onion-Solutions/securityonion/issues/new), following the directions in the issue template. This means including:
  * **System information** and how Security Onion was installed
  * **Log files** relevant to the bug report
  * **Reproduction steps** 
 ### Contributing code
 * **All commits must be signed** with a valid key that has been added to your GitHub account. The commits should have all the "**Verified**" tag when viewed on GitHub as shown below:
  <img src="./assets/images/verified-commit-1.png" width="450">
 * If an issue does not already exist for the bug or feature for which you are submitting a pull request, [create one](https://github.com/Security-Onion-Solutions/securityonion/issues/new) with the relevant prefix. (**`FIX:`** for bug fixes, **`FEATURE:`** for new features.)
 * Link the PR to the related issue, either using [keywords](https://docs.github.com/en/issues/tracking-your-work-with-issues/creating-issues/linking-a-pull-request-to-an-issue#linking-a-pull-request-to-an-issue-using-a-keyword) in the PR description, or [manually](https://docs.github.com/en/issues/tracking-your-work-with-issues/creating-issues/linking-a-pull-request-to-an-issue#manually-linking-a-pull-request-to-an-issue).
 * **Pull requests should be opened against the `dev` branch of this repo**, and should clearly describe the problem and solution.
 * Be sure you have tested your changes and are confident they will not break other parts of the product.
 * See this document's [code styling and conventions section](#code-style-and-conventions) below to be sure your PR fits our code requirements prior to submitting.
 ### Code style and conventions
 * **Keep code [DRY](https://en.wikipedia.org/wiki/Don%27t_repeat_yourself)**. For example, Bash code used by multiple scripts will likely best be added to <span style="white-space: nowrap;">[`so-common`](salt/common/tools/sbin/so-common)</span>.
 * All new Bash code should pass [ShellCheck](https://www.shellcheck.net/) analysis. Where errors can be *safely* [ignored](https://github.com/koalaman/shellcheck/wiki/Ignore), the relevant disable directive should be accompanied by a brief explanation as to why the error is being ignored.
 * **Ensure all YAML (this includes Salt states and pillars) is properly formatted**. The spec for YAML v1.2 can be found [here](https://yaml.org/spec/1.2/spec.html), however there are numerous online resources with simpler descriptions of its formatting rules. 
@@ -0,0 +1,2 @@
 CURATOR GRAFANA_DASH_ALLOW
@@ -1,14 +1,14 @@
-## Security Onion 2.3.21
+## Security Onion 2.3.70
-Security Onion 2.3.21 is here!
+Security Onion 2.3.70 is here!
 ## Screenshots
 Alerts
-![Alerts](https://raw.githubusercontent.com/security-onion-solutions/securityonion/master/screenshots/alerts-1.png)
+![Alerts](./assets/images/screenshots/alerts-1.png)
 Hunt
-![Hunt](https://raw.githubusercontent.com/security-onion-solutions/securityonion/master/screenshots/hunt-1.png)
+![Hunt](./assets/images/screenshots/hunt-1.png)
 ### Release Notes
@@ -0,0 +1,21 @@
 # Security Policy
 ## Supported Versions
 | Version | Supported          |
 | ------- | ------------------ |
 | 2.x.x   | :white_check_mark: |
 | 16.04.x | :x:                |
 Security Onion 16.04 has reached End Of Life and is no longer supported.
 ## Reporting a Vulnerability
 If you have any security concerns regarding Security Onion or believe you have uncovered a vulnerability, please follow these steps:
 - send an email to security@securityonion.net
 - include a description of the issue and steps to reproduce
 - please use plain text format (no Word documents or PDF files)
 - please do not disclose publicly until we have had sufficient time to resolve the issue
 This security address should be used only for undisclosed vulnerabilities. Dealing with fixed issues or general questions on how to use Security Onion should be handled via the normal support channels.
@@ -1,16 +1,18 @@
-### 2.3.21 ISO image built on 2020/12/21
+### 2.3.70-GRAFANA ISO image built on 2021/08/23
 ### Download and Verify
-2.3.21 ISO image:  
+2.3.70-GRAFANA ISO image:  
-https://download.securityonion.net/file/securityonion/securityonion-2.3.21.iso
+https://download.securityonion.net/file/securityonion/securityonion-2.3.70-GRAFANA.iso
-MD5: 7B8BC5B241B7220C011215BCE852FF78  
+MD5: A16683FC8F2151C290E359FC6066B1F2  
-SHA1: 541C9689D8F8E8D3F25E169ED34A3F683851975B  
+SHA1: A93329C103CCCE665968F246163FBE5D41EF0510  
-SHA256: 7647FD67BA6AC85CCB1308789FFF7DAB19A841621FDA9AE41B89A0A79618F068 
+SHA256: 3ED0177CADF203324363916AA240A10C58DC3E9044A9ADE173A80674701A50A3 
 Signature for ISO image:  
-https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.21.iso.sig
+https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.70-GRAFANA.iso.sig
 Signing key:  
 https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/master/KEYS  
@@ -24,22 +26,22 @@ wget https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/ma
 Download the signature file for the ISO:  
 ```
-wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.21.iso.sig
+wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.70-GRAFANA.iso.sig
 ```
 Download the ISO image:  
 ```
-wget https://download.securityonion.net/file/securityonion/securityonion-2.3.21.iso
+wget https://download.securityonion.net/file/securityonion/securityonion-2.3.70-GRAFANA.iso
 ```
 Verify the downloaded ISO image using the signature file:  
 ```
-gpg --verify securityonion-2.3.21.iso.sig securityonion-2.3.21.iso
+gpg --verify securityonion-2.3.70-GRAFANA.iso.sig securityonion-2.3.70-GRAFANA.iso
 ```
 The output should show "Good signature" and the Primary key fingerprint should match what's shown below:
 ```
-gpg: Signature made Mon 21 Dec 2020 06:27:53 PM EST using RSA key ID FE507013
+gpg: Signature made Mon 23 Aug 2021 01:43:00 PM EDT using RSA key ID FE507013
 gpg: Good signature from "Security Onion Solutions, LLC <info@securityonionsolutions.com>"
 gpg: WARNING: This key is not certified with a trusted signature!
 gpg:          There is no indication that the signature belongs to the owner.
@@ -1 +1 @@
-2.3.21
+2.3.70
@@ -13,6 +13,8 @@
 # user: socore
 log_file: /opt/so/log/salt/master
 log_level_logfile: info
 log_level: info
 #####      File Server settings      #####
 ##########################################
@@ -65,3 +67,7 @@ peer:
 reactor:
  - 'so/fleet':
    - salt://reactor/fleet.sls
  - 'salt/beacon/*/watch_sqlite_db//opt/so/conf/kratos/db/sqlite.db':
    - salt://reactor/kratos.sls
@@ -1,208 +0,0 @@
 {%- set FLEETMANAGER = salt['pillar.get']('global:fleet_manager', False) -%}
 {%- set FLEETNODE = salt['pillar.get']('global:fleet_node', False) -%}
 {% set WAZUH = salt['pillar.get']('manager:wazuh', '0') %}
 {% set THEHIVE = salt['pillar.get']('manager:thehive', '0') %}
 {% set PLAYBOOK = salt['pillar.get']('manager:playbook', '0') %}
 {% set FREQSERVER = salt['pillar.get']('manager:freq', '0') %}
 {% set DOMAINSTATS = salt['pillar.get']('manager:domainstats', '0') %}
 {% set ZEEKVER = salt['pillar.get']('global:mdengine', 'COMMUNITY') %}
 {% set GRAFANA = salt['pillar.get']('manager:grafana', '0') %}
 eval:
  containers:
    - so-nginx
    - so-telegraf
    {% if  GRAFANA == '1' %}
    - so-influxdb
    - so-grafana
    {% endif %}
    - so-dockerregistry
    - so-soc
    - so-kratos
    - so-idstools
    {% if FLEETMANAGER %}
    - so-mysql
    - so-fleet
    - so-redis
    {% endif %}
    - so-elasticsearch
    - so-logstash
    - so-kibana
    - so-steno
    - so-suricata
    - so-zeek
    - so-curator
    - so-elastalert
    {% if WAZUH != '0' %}
    - so-wazuh
    {% endif %}
    - so-soctopus
    {% if THEHIVE != '0' %}
    - so-thehive
    - so-thehive-es
    - so-cortex
    {% endif %}
    {% if PLAYBOOK != '0' %}
    - so-playbook
    {% endif %}
    {% if FREQSERVER != '0' %}
    - so-freqserver
    {% endif %}
    {% if DOMAINSTATS != '0' %}
    - so-domainstats
    {% endif %}
 heavy_node:
  containers:
    - so-nginx
    - so-telegraf
    - so-redis
    - so-logstash
    - so-elasticsearch
    - so-curator
    - so-steno
    - so-suricata
    - so-wazuh
    - so-filebeat
    {% if ZEEKVER != 'SURICATA' %}
    - so-zeek
    {% endif %}
 helix:
  containers:
    - so-nginx
    - so-telegraf
    - so-idstools
    - so-steno
    - so-zeek
    - so-redis
    - so-logstash
    - so-filebeat
 hot_node:
  containers:
    - so-nginx
    - so-telegraf
    - so-logstash
    - so-elasticsearch
    - so-curator
 manager_search:
  containers:
    - so-nginx
    - so-telegraf
    - so-soc
    - so-kratos
    - so-acng
    - so-idstools
    - so-redis
    - so-logstash
    - so-elasticsearch
    - so-curator
    - so-kibana
    - so-elastalert
    - so-filebeat
    - so-soctopus
    {% if FLEETMANAGER %}
    - so-mysql
    - so-fleet
    - so-redis
    {% endif %}
    {% if WAZUH != '0' %}
    - so-wazuh
    {% endif %}
    - so-soctopus
    {% if THEHIVE != '0' %}
    - so-thehive
    - so-thehive-es
    - so-cortex
    {% endif %}
    {% if PLAYBOOK != '0' %}
    - so-playbook
    {% endif %}
    {% if FREQSERVER != '0' %}
    - so-freqserver
    {% endif %}
    {% if DOMAINSTATS != '0' %}
    - so-domainstats
    {% endif %}
 manager:
  containers:
    - so-dockerregistry
    - so-nginx
    - so-telegraf
    {% if  GRAFANA == '1' %}
    - so-influxdb
    - so-grafana
    {% endif %}
    - so-soc
    - so-kratos
    - so-acng
    - so-idstools
    - so-redis
    - so-elasticsearch
    - so-logstash
    - so-kibana
    - so-elastalert
    - so-filebeat
    {% if FLEETMANAGER %}
    - so-mysql
    - so-fleet
    - so-redis
    {% endif %}
    {% if WAZUH != '0' %}
    - so-wazuh
    {% endif %}
    - so-soctopus
    {% if THEHIVE != '0' %}
    - so-thehive
    - so-thehive-es
    - so-cortex
    {% endif %}
    {% if PLAYBOOK != '0' %}
    - so-playbook
    {% endif %}
    {% if FREQSERVER != '0' %}
    - so-freqserver
    {% endif %}
    {% if DOMAINSTATS != '0' %}
    - so-domainstats
    {% endif %}
 parser_node:
  containers:
    - so-nginx
    - so-telegraf
    - so-logstash
 search_node:
  containers:
    - so-nginx
    - so-telegraf
    - so-logstash
    - so-elasticsearch
    - so-curator
    - so-filebeat
    {% if WAZUH != '0' %}
    - so-wazuh
    {% endif %}
 sensor:
  containers:
    - so-nginx
    - so-telegraf
    - so-steno
    - so-suricata
    {% if ZEEKVER != 'SURICATA' %}
    - so-zeek
    {% endif %}
    - so-wazuh
    - so-filebeat
 warm_node:
  containers:
    - so-nginx
    - so-telegraf
    - so-elasticsearch
 fleet:
  containers:
    {% if FLEETNODE %}
    - so-mysql
    - so-fleet
    - so-redis
    - so-filebeat
    - so-nginx
    - so-telegraf
    {% endif %}
@@ -9,3 +9,5 @@ logrotate:
    extension .log
    dateext
    dateyesterday
  group_conf: |
    su root socore
@@ -7,8 +7,10 @@ logstash:
        - so/9000_output_zeek.conf.jinja
        - so/9002_output_import.conf.jinja
        - so/9034_output_syslog.conf.jinja
        - so/9050_output_filebeatmodules.conf.jinja
        - so/9100_output_osquery.conf.jinja  
        - so/9400_output_suricata.conf.jinja
        - so/9500_output_beats.conf.jinja
        - so/9600_output_ossec.conf.jinja
        - so/9700_output_strelka.conf.jinja
        - so/9800_output_logscan.conf.jinja
@@ -22,6 +22,9 @@ base:
  '*_manager or *_managersearch':
    - match: compound
    - data.*
 {% if salt['file.file_exists']('/opt/so/saltstack/local/pillar/elasticsearch/auth.sls') %}
    - elasticsearch.auth
 {% endif %}
    - secrets
    - global
    - minions.{{ grains.id }}
@@ -38,6 +41,9 @@ base:
    - secrets
    - healthcheck.eval
    - elasticsearch.eval
 {% if salt['file.file_exists']('/opt/so/saltstack/local/pillar/elasticsearch/auth.sls') %}
    - elasticsearch.auth
 {% endif %}
    - global
    - minions.{{ grains.id }}
@@ -46,6 +52,9 @@ base:
    - logstash.manager
    - logstash.search
    - elasticsearch.search
 {% if salt['file.file_exists']('/opt/so/saltstack/local/pillar/elasticsearch/auth.sls') %}
    - elasticsearch.auth
 {% endif %}
    - data.*
    - zeeklogs
    - secrets
@@ -59,6 +68,7 @@ base:
  '*_heavynode':
    - zeeklogs
    - elasticsearch.auth
    - global
    - minions.{{ grains.id }}
@@ -80,6 +90,7 @@ base:
    - logstash
    - logstash.search
    - elasticsearch.search
    - elasticsearch.auth
    - global
    - minions.{{ grains.id }}
    - data.nodestab
@@ -88,5 +99,8 @@ base:
    - zeeklogs
    - secrets
    - elasticsearch.eval
 {% if salt['file.file_exists']('/opt/so/saltstack/local/pillar/elasticsearch/auth.sls') %}
    - elasticsearch.auth
 {% endif %}
    - global
    - minions.{{ grains.id }}
@@ -52,5 +52,4 @@ zeek:
      - frameworks/signatures/detect-windows-shells
    redef:
      - LogAscii::use_json = T;
      - LogAscii::json_timestamps = JSON::TS_ISO8601;
      - CaptureLoss::watch_interval = 5 mins;
@@ -1,60 +0,0 @@
 {% set MANAGER = salt['grains.get']('master') %}
 airgapyum:
  file.managed:
    - name: /etc/yum/yum.conf
    - source: salt://airgap/files/yum.conf
 airgap_repo:
  pkgrepo.managed:
    - humanname: Airgap Repo
    - baseurl: https://{{ MANAGER }}/repo
    - gpgcheck: 0
    - sslverify: 0
 agbase:
  file.absent:
    - name: /etc/yum.repos.d/CentOS-Base.repo
 agcr:
  file.absent:
    - name: /etc/yum.repos.d/CentOS-CR.repo
 agdebug:
  file.absent:
    - name: /etc/yum.repos.d/CentOS-Debuginfo.repo
 agfasttrack:
  file.absent:
    - name: /etc/yum.repos.d/CentOS-fasttrack.repo
 agmedia:
  file.absent:
    - name: /etc/yum.repos.d/CentOS-Media.repo
 agsources:
  file.absent:
    - name: /etc/yum.repos.d/CentOS-Sources.repo
 agvault:
  file.absent:
    - name: /etc/yum.repos.d/CentOS-Vault.repo
 agkernel:
  file.absent:
    - name: /etc/yum.repos.d/CentOS-x86_64-kernel.repo
 agepel:
  file.absent:
    - name: /etc/yum.repos.d/epel.repo
 agtesting:
  file.absent:
    - name: /etc/yum.repos.d/epel-testing.repo
 agssrepo:
  file.absent:
    - name: /etc/yum.repos.d/saltstack.repo
 agwazrepo:
  file.absent:
    - name: /etc/yum.repos.d/wazuh.repo
@@ -0,0 +1,304 @@
 {% set ZEEKVER = salt['pillar.get']('global:mdengine', '') %}
 {% set WAZUH = salt['pillar.get']('global:wazuh', '0') %}
 {% set THEHIVE = salt['pillar.get']('manager:thehive', '0') %}
 {% set PLAYBOOK = salt['pillar.get']('manager:playbook', '0') %}
 {% set FREQSERVER = salt['pillar.get']('manager:freq', '0') %}
 {% set DOMAINSTATS = salt['pillar.get']('manager:domainstats', '0') %}
 {% set FLEETMANAGER = salt['pillar.get']('global:fleet_manager', False) %}
 {% set FLEETNODE = salt['pillar.get']('global:fleet_node', False) %}
 {% set ELASTALERT = salt['pillar.get']('elastalert:enabled', True) %}
 {% set ELASTICSEARCH = salt['pillar.get']('elasticsearch:enabled', True) %}
 {% set FILEBEAT = salt['pillar.get']('filebeat:enabled', True) %}
 {% set KIBANA = salt['pillar.get']('kibana:enabled', True) %}
 {% set LOGSTASH = salt['pillar.get']('logstash:enabled', True) %}
 {% set CURATOR = salt['pillar.get']('curator:enabled', True) %}
 {% set REDIS = salt['pillar.get']('redis:enabled', True) %}
 {% set STRELKA = salt['pillar.get']('strelka:enabled', '0') %}
 {% set ISAIRGAP = salt['pillar.get']('global:airgap', False) %}
 {% import_yaml 'salt/minion.defaults.yaml' as saltversion %}
 {% set saltversion = saltversion.salt.minion.version %}
 {# this is the list we are returning from this map file, it gets built below #}
 {% set allowed_states= [] %}
 {% if grains.saltversion | string == saltversion | string %}
  {% set allowed_states= salt['grains.filter_by']({
      'so-eval': [
          'salt.master',
          'ca',
          'ssl',
          'registry',
          'manager',
          'nginx',
          'telegraf',
          'influxdb',
          'grafana',
          'soc',
          'firewall',
          'idstools',
          'suricata.manager',
          'healthcheck',
          'pcap',
          'suricata',
          'utility',
          'schedule',
          'soctopus',
          'tcpreplay',
          'docker_clean',
          'learn'
          ],
      'so-heavynode': [
          'ca',
          'ssl',
          'nginx',
          'telegraf',
          'firewall',
          'pcap',
          'suricata',
          'healthcheck',
          'schedule',
          'tcpreplay',
          'docker_clean'
          ],
      'so-helixsensor': [
          'salt.master',
          'ca',
          'ssl',
          'registry',
          'telegraf',
          'firewall',
          'idstools',
          'suricata.manager',
          'zeek',
          'redis',
          'elasticsearch',
          'logstash',
          'schedule',
          'tcpreplay',
          'docker_clean'
          ],
      'so-fleet': [
          'ca',
          'ssl',
          'nginx',
          'telegraf',
          'firewall',
          'mysql',
          'redis',
          'fleet',
          'fleet.install_package',
          'filebeat',
          'schedule',
          'docker_clean'
          ],
      'so-import': [
          'salt.master',
          'ca',
          'ssl',
          'registry',
          'manager',
          'nginx',
          'soc',
          'firewall',
          'idstools',
          'suricata.manager',
          'pcap',
          'utility',
          'suricata',
          'zeek',
          'schedule',
          'tcpreplay',
          'docker_clean',
          'learn'
          ],
      'so-manager': [
          'salt.master',
          'ca',
          'ssl',
          'registry',
          'manager',
          'nginx',
          'telegraf',
          'influxdb',
          'grafana',
          'soc',
          'firewall',
          'idstools',
          'suricata.manager',
          'utility',
          'schedule',
          'soctopus',
          'docker_clean',
          'learn'
          ],
      'so-managersearch': [
          'salt.master',
          'ca',
          'ssl',
          'registry',
          'nginx',
          'telegraf',
          'influxdb',
          'grafana',
          'soc',
          'firewall',
          'manager',
          'idstools',
          'suricata.manager',
          'utility',
          'schedule',
          'soctopus',
          'docker_clean',
          'learn'
          ],
      'so-node': [
          'ca',
          'ssl',
          'nginx',
          'telegraf',
          'firewall',
          'schedule',
          'docker_clean'
          ],
      'so-standalone': [
          'salt.master',
          'ca',
          'ssl',
          'registry',
          'manager',
          'nginx',
          'telegraf',
          'influxdb',
          'grafana',
          'soc',
          'firewall',
          'idstools',
          'suricata.manager',
          'pcap',
          'suricata',
          'healthcheck',
          'utility',
          'schedule',
          'soctopus',
          'tcpreplay',
          'docker_clean',
          'learn'
          ],
      'so-sensor': [
          'ca',
          'ssl',
          'telegraf',
          'firewall',
          'nginx',
          'pcap',
          'suricata',
          'healthcheck',
          'wazuh',
          'filebeat',
          'schedule',
          'tcpreplay',
          'docker_clean'
          ],
  }, grain='role') %}
  {% if FILEBEAT and grains.role in ['so-helixsensor', 'so-eval', 'so-manager', 'so-standalone', 'so-node', 'so-managersearch', 'so-heavynode', 'so-import'] %}
    {% do allowed_states.append('filebeat') %}
  {% endif %}
  {% if ((FLEETMANAGER or FLEETNODE) or PLAYBOOK != 0) and grains.role in ['so-eval', 'so-manager', 'so-managersearch', 'so-standalone'] %}
    {% do allowed_states.append('mysql') %}
  {% endif %}
  {% if (FLEETMANAGER or FLEETNODE) and grains.role in ['so-sensor', 'so-eval', 'so-manager', 'so-standalone', 'so-node', 'so-managersearch', 'so-heavynode'] %}
    {% do allowed_states.append('fleet.install_package') %}
  {% endif %}
  {% if (FLEETMANAGER or FLEETNODE) and grains.role in ['so-eval', 'so-manager', 'so-standalone', 'so-managersearch', 'so-heavynode'] %}
    {% do allowed_states.append('fleet') %}
  {% endif %}
  {% if (FLEETMANAGER or FLEETNODE) and grains.role in ['so-eval'] %}
    {% do allowed_states.append('redis') %}
  {% endif %}
  {%- if ZEEKVER != 'SURICATA' and grains.role in ['so-sensor', 'so-eval', 'so-standalone', 'so-heavynode'] %}
    {% do allowed_states.append('zeek') %}
  {%- endif %}
  {% if STRELKA and grains.role in ['so-sensor', 'so-eval', 'so-standalone', 'so-heavynode'] %}
    {% do allowed_states.append('strelka') %}
  {% endif %}
  {% if WAZUH and grains.role in ['so-eval', 'so-manager', 'so-standalone', 'so-node', 'so-managersearch', 'so-heavynode']%}
    {% do allowed_states.append('wazuh') %}
  {% endif %}
  {% if ELASTICSEARCH and grains.role in ['so-eval', 'so-manager', 'so-standalone', 'so-node', 'so-managersearch', 'so-heavynode', 'so-import'] %}
    {% do allowed_states.append('elasticsearch') %}
  {% endif %}
  {% if KIBANA and grains.role in ['so-eval', 'so-manager', 'so-standalone', 'so-managersearch', 'so-import'] %}
    {% do allowed_states.append('kibana') %}
  {% endif %}
  {% if grains.role in ['so-eval', 'so-standalone', 'so-node', 'so-managersearch', 'so-heavynode', 'so-manager'] %}
    {% do allowed_states.append('curator') %}
  {% endif %}
  {% if ELASTALERT and grains.role in ['so-eval', 'so-manager', 'so-standalone', 'so-managersearch'] %}
    {% do allowed_states.append('elastalert') %}
  {% endif %}
  {% if (THEHIVE != 0) and grains.role in ['so-eval', 'so-manager', 'so-standalone', 'so-managersearch'] %}
    {% do allowed_states.append('thehive') %}
  {% endif %}
  {% if (PLAYBOOK !=0) and grains.role in ['so-eval', 'so-manager', 'so-standalone', 'so-managersearch'] %}
    {% do allowed_states.append('playbook') %}
  {% endif %}
  {% if (PLAYBOOK !=0) and grains.role in ['so-eval'] %}
    {% do allowed_states.append('redis') %}
  {% endif %}
  {% if (FREQSERVER !=0) and grains.role in ['so-eval', 'so-manager', 'so-standalone', 'so-managersearch'] %}
    {% do allowed_states.append('freqserver') %}
  {% endif %}
  {% if (DOMAINSTATS !=0) and grains.role in ['so-eval', 'so-manager', 'so-standalone', 'so-managersearch'] %}
    {% do allowed_states.append('domainstats') %}
  {% endif %}
  {% if LOGSTASH and grains.role in ['so-helixsensor', 'so-manager', 'so-standalone', 'so-node', 'so-managersearch', 'so-heavynode'] %}
    {% do allowed_states.append('logstash') %}
  {% endif %}
  {% if REDIS and grains.role in ['so-manager', 'so-standalone', 'so-managersearch', 'so-heavynode'] %}
    {% do allowed_states.append('redis') %}
  {% endif %}
  {% if grains.os == 'CentOS' %}
    {% if not ISAIRGAP %}
      {% do allowed_states.append('yum') %}
    {% endif %}
    {% do allowed_states.append('yum.packages') %}
  {% endif %}
  {# all nodes on the right salt version can run the following states #}
  {% do allowed_states.append('common') %}
  {% do allowed_states.append('patch.os.schedule') %}
  {% do allowed_states.append('motd') %}
  {% do allowed_states.append('salt.minion-check') %}
  {% do allowed_states.append('sensoroni') %}
  {% do allowed_states.append('salt.lasthighstate') %}
 {% endif %}
 {% if ISAIRGAP %}
  {% do allowed_states.append('airgap') %}
 {% endif %}
 {# all nodes can always run salt.minion state #}
 {% do allowed_states.append('salt.minion') %}
@@ -1,7 +1,5 @@
-{% set show_top = salt['state.show_top']() %}
+{% from 'allowed_states.map.jinja' import allowed_states %}
-{% set top_states = show_top.values() | join(', ') %}
+{% if sls in allowed_states %}
 {% if 'ca' in top_states %}
 {% set manager = salt['grains.get']('master') %}
 /etc/salt/minion.d/signing_policies.conf:
@@ -44,6 +42,10 @@ pki_private_key:
    - replace: False
    - require:
      - file: /etc/pki
    - timeout: 30
    - retry:
        attempts: 5
        interval: 30
 x509_pem_entries:
  module.run:
@@ -60,8 +62,8 @@ cakeyperms:
 {% else %}
-ca_state_not_allowed:
+{{sls}}_state_not_allowed:
  test.fail_without_changes:
-    - name: ca_state_not_allowed
+    - name: {{sls}}_state_not_allowed
 {% endif %}
@@ -1,2 +1,2 @@
 #!/bin/bash
-logrotate -f /opt/so/conf/log-rotate.conf >/dev/null 2>&1
+/usr/sbin/logrotate -f /opt/so/conf/log-rotate.conf > /dev/null 2>&1
@@ -0,0 +1 @@
 net.ipv4.ip_local_reserved_ports=55000,57314,47760-47860
@@ -1,4 +1,6 @@
 {%- set logrotate_conf = salt['pillar.get']('logrotate:conf') %}
 {%- set group_conf = salt['pillar.get']('logrotate:group_conf') %}
 /opt/so/log/aptcacher-ng/*.log
 /opt/so/log/idstools/*.log
@@ -13,12 +15,22 @@
 /opt/so/log/fleet/*.log
 /opt/so/log/suricata/*.log
 /opt/so/log/mysql/*.log
 /opt/so/log/playbook/*.log
 /opt/so/log/logstash/*.log
 /opt/so/log/filebeat/*.log
 /opt/so/log/telegraf/*.log
 /opt/so/log/redis/*.log
 /opt/so/log/sensoroni/*.log
 /opt/so/log/stenographer/*.log
 /opt/so/log/salt/so-salt-minion-check
 /opt/so/log/salt/minion
 /opt/so/log/salt/master
 /opt/so/log/logscan/*.log
 {
    {{ logrotate_conf | indent(width=4) }}
 }
 # Playbook's log directory needs additional configuration
 # because Playbook requires a more permissive directory
 /opt/so/log/playbook/*.log
 {
    {{ logrotate_conf | indent(width=4) }}
    {{ group_conf | indent(width=4) }}
 }
@@ -6,5 +6,17 @@
    nocompress
    create
    sharedscripts
-    endscript
+}
 /nsm/strelka/log/strelka.log
 {
    daily
    rotate 14
    missingok
    copytruncate
    compress
    create
    extension .log
    dateext
    dateyesterday
 }
@@ -0,0 +1,2 @@
 {%- set VERSION = salt['pillar.get']('global:soversion') -%}
 {{ VERSION }}
@@ -0,0 +1,6 @@
 " Activates filetype detection
 filetype plugin indent on
 " Sets .sls files to use YAML syntax highlighting
 autocmd BufNewFile,BufRead *.sls set syntax=yaml
 set number
@@ -1,9 +1,8 @@
-{% set show_top = salt['state.show_top']() %}
+{% from 'allowed_states.map.jinja' import allowed_states %}
-{% set top_states = show_top.values() | join(', ') %}
+{% if sls in allowed_states %}
 {% if 'common' in top_states %}
 {% set role = grains.id.split('_') | last %}
 {% from 'elasticsearch/auth.map.jinja' import ELASTICAUTH with context %}
 # Remove variables.txt from /tmp - This is temp
 rmvariablesfile:
@@ -51,6 +50,11 @@ sosaltstackperms:
    - gid: 939
    - dir_mode: 770
 so_log_perms:
  file.directory:
    - name: /opt/so/log
    - dir_mode: 755
 # Create a state directory
 statedir:
  file.directory:
@@ -66,20 +70,12 @@ salttmp:
    - group: 939
    - makedirs: True
-# Install epel
+# VIM config
-{% if grains['os'] == 'CentOS' %}
+vimconfig:
-repair_yumdb:
+  file.managed:
-  cmd.run:
+    - name: /root/.vimrc
-    - name: 'mv -f /var/lib/rpm/__db* /tmp && yum clean all'
+    - source: salt://common/files/vimrc
-    - onlyif:
+    - replace: False
      - 'yum check-update 2>&1 | grep "Error: rpmdb open failed"'
 epel:
  pkg.installed:
    - skip_suggestions: True
    - pkgs:
      - epel-release
 {% endif %}
 # Install common packages
 {% if grains['os'] != 'CentOS' %}     
@@ -92,7 +88,6 @@ commonpkgs:
      - ntpdate
      - jq
      - python3-docker
      - docker-ce
      - curl
      - ca-certificates
      - software-properties-common
@@ -101,17 +96,21 @@ commonpkgs:
      - netcat
      - python3-mysqldb
      - sqlite3
      - argon2
      - libssl-dev
      - python3-dateutil
      - python3-m2crypto
      - python3-mysqldb
      - python3-packaging
      - git
      - vim
 heldpackages:
  pkg.installed:
    - pkgs:
-      - containerd.io: 1.2.13-2
+      - containerd.io: 1.4.4-1
-      - docker-ce: 5:19.03.14~3-0~ubuntu-bionic
+      - docker-ce: 5:20.10.5~3-0~ubuntu-bionic
      - docker-ce-cli: 5:20.10.5~3-0~ubuntu-bionic
      - docker-ce-rootless-extras: 5:20.10.5~3-0~ubuntu-bionic
    - hold: True
    - update_holds: True
@@ -129,7 +128,6 @@ commonpkgs:
      - net-tools
      - curl
      - sqlite
      - argon2
      - mariadb-devel
      - nmap-ncat
      - python3
@@ -137,17 +135,21 @@ commonpkgs:
      - python36-dateutil
      - python36-m2crypto
      - python36-mysql
      - python36-packaging
      - yum-utils
      - device-mapper-persistent-data
      - lvm2
      - openssl
      - git
      - vim-enhanced
 heldpackages:
  pkg.installed:
    - pkgs:
-      - containerd.io: 1.2.13-3.2.el7
+      - containerd.io: 1.4.4-3.1.el7
-      - docker-ce: 3:19.03.14-3.el7
+      - docker-ce: 3:20.10.5-3.el7
      - docker-ce-cli: 1:20.10.5-3.el7
      - docker-ce-rootless-extras: 20.10.5-3.el7
    - hold: True
    - update_holds: True
 {% endif %}
@@ -166,6 +168,14 @@ alwaysupdated:
 Etc/UTC:
  timezone.system
 elastic_curl_config:
  file.managed:
    - name: /opt/so/conf/elasticsearch/curl.config
    - source: salt://elasticsearch/curl.config
    - mode: 600
    - show_changes: False
    - makedirs: True
 # Sync some Utilities
 utilsyncscripts:
  file.recurse:
@@ -175,6 +185,10 @@ utilsyncscripts:
    - file_mode: 755
    - template: jinja
    - source: salt://common/tools/sbin
    - defaults:
        ELASTICCURL: 'curl'
    - context:
        ELASTICCURL: {{ ELASTICAUTH.elasticcurl }}
 {% if role in ['eval', 'standalone', 'sensor', 'heavynode'] %}
 # Add sensor cleanup
@@ -232,7 +246,40 @@ commonlogrotateconf:
    - month: '*'
    - dayweek: '*'
 # Create the status directory
 sostatusdir:
  file.directory:
    - name: /opt/so/log/sostatus
    - user: 0
    - group: 0
    - makedirs: True
 sostatus_log:
  file.managed:
    - name: /opt/so/log/sostatus/status.log
    - mode: 644
 # Install sostatus check cron
 '/usr/sbin/so-status -q; echo $? > /opt/so/log/sostatus/status.log 2>&1':
  cron.present:
    - user: root
    - minute: '*/1'
    - hour: '*'
    - daymonth: '*'
    - month: '*'
    - dayweek: '*'
 {% if role in ['eval', 'manager', 'managersearch', 'standalone'] %}
 # Lock permissions on the backup directory
 backupdir:
  file.directory:
    - name: /nsm/backup
    - user: 0
    - group: 0
    - makedirs: True
    - mode: 700
 # Add config backup
 /usr/sbin/so-config-backup > /dev/null 2>&1:
  cron.present:
@@ -242,6 +289,14 @@ commonlogrotateconf:
    - daymonth: '*'
    - month: '*'
    - dayweek: '*'
 {% else %}
 soversionfile:
  file.managed:
    - name: /etc/soversion
    - source: salt://common/files/soversion
    - mode: 644
    - template: jinja
 {% endif %}
 # Manager daemon.json
@@ -258,10 +313,45 @@ docker:
    - watch:
      - file: docker_daemon
-{% else %}
+# Reserve OS ports for Docker proxy in case boot settings are not already applied/present
 # 55000 = Wazuh, 57314 = Strelka, 47760-47860 = Zeek
 dockerapplyports:
    cmd.run:
      - name: if [ ! -s /etc/sysctl.d/99-reserved-ports.conf ]; then sysctl -w net.ipv4.ip_local_reserved_ports="55000,57314,47760-47860"; fi
-common_state_not_allowed:
+# Reserve OS ports for Docker proxy
-  test.fail_without_changes:
+dockerreserveports:
-    - name: common_state_not_allowed
+  file.managed:
    - source: salt://common/files/99-reserved-ports.conf
    - name: /etc/sysctl.d/99-reserved-ports.conf
 {% if salt['grains.get']('sosmodel', '') %}
  {% if grains['os'] == 'CentOS' %}     
 # Install Raid tools
 raidpkgs:
  pkg.installed:
    - skip_suggestions: True
    - pkgs:
      - securityonion-raidtools
      - securityonion-megactl
  {% endif %}
 # Install raid check cron
 /usr/sbin/so-raid-status > /dev/null 2>&1:
  cron.present:
    - user: root
    - minute: '*/15'
    - hour: '*'
    - daymonth: '*'
    - month: '*'
    - dayweek: '*'
 {% endif %}
 {% else %}
 {{sls}}_state_not_allowed:
  test.fail_without_changes:
    - name: {{sls}}_state_not_allowed
 {% endif %}
@@ -1,6 +1,6 @@
 #!/bin/bash
-# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -1,6 +1,6 @@
 #!/bin/bash
-# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -1,6 +1,6 @@
 #!/bin/bash
-# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -17,4 +17,4 @@
 . /usr/sbin/so-common
-salt-call state.highstate
+salt-call state.highstate -linfo 
@@ -1,6 +1,6 @@
 #!/bin/bash
 #
-# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -15,6 +15,8 @@
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 DEFAULT_SALT_DIR=/opt/so/saltstack/default
 # Check for prerequisites
 if [ "$(id -u)" -ne 0 ]; then
 	echo "This script must be run using sudo!"
@@ -24,15 +26,220 @@ fi
 # Define a banner to separate sections
 banner="========================================================================="
 add_interface_bond0() {
 	local BNIC=$1
 	if [[ -z $MTU ]]; then
 		local MTU
 		MTU=$(lookup_pillar "mtu" "sensor")
 	fi
 	local nic_error=0
 	# Check if specific offload features are able to be disabled
 	for string in "generic-segmentation-offload" "generic-receive-offload" "tcp-segmentation-offload"; do
 		if ethtool -k "$BNIC" | grep $string | grep -q "on [fixed]"; then
 			echo "The hardware or driver for interface ${BNIC} is not supported, packet capture may not work as expected."
 			((nic_error++))
 			break
 		fi
 	done
 	case "$2" in
 		-v|--verbose)
 			local verbose=true
 		;;
 	esac
 	for i in rx tx sg tso ufo gso gro lro; do
 		if [[ $verbose == true ]]; then
 			ethtool -K "$BNIC" $i off
 		else
 			ethtool -K "$BNIC" $i off &>/dev/null
 		fi
 	done
 	# Check if the bond slave connection has already been created
 	nmcli -f name,uuid -p con | grep -q "bond0-slave-$BNIC"
 	local found_int=$?
 	if [[ $found_int != 0 ]]; then
 		# Create the slave interface and assign it to the bond
 		nmcli con add type ethernet ifname "$BNIC" con-name "bond0-slave-$BNIC" master bond0 -- \
 			ethernet.mtu "$MTU" \
 			connection.autoconnect "yes"
 	else
 		local int_uuid
 		int_uuid=$(nmcli -f name,uuid -p con | sed -n "s/bond0-slave-$BNIC //p" | tr -d ' ')
 		nmcli con mod "$int_uuid" \
 			ethernet.mtu "$MTU" \
 			connection.autoconnect "yes"
 	fi
 	ip link set dev "$BNIC" arp off multicast off allmulticast off promisc on
 	# Bring the slave interface up
 	if [[ $verbose == true ]]; then
 		nmcli con up "bond0-slave-$BNIC"
 	else
 		nmcli con up "bond0-slave-$BNIC" &>/dev/null
 	fi
 	if [ "$nic_error" != 0 ]; then
 		return "$nic_error"
 	fi
 }
 check_container() {
 	docker ps | grep "$1:" > /dev/null 2>&1
 	return $?
 }
 check_password() {
 	local password=$1
 	echo "$password" | egrep -v "'|\"|\\$|\\\\" > /dev/null 2>&1
 	return $?
 }
 check_elastic_license() {
 	[ -n "$TESTING" ] && return
 	# See if the user has already accepted the license
 	if [ ! -f /opt/so/state/yeselastic.txt ]; then
 	  elastic_license
 	else
 	  echo "Elastic License has already been accepted"
 	fi  
 }
 copy_new_files() {
  # Copy new files over to the salt dir
  cd $UPDATE_DIR
  rsync -a salt $DEFAULT_SALT_DIR/
  rsync -a pillar $DEFAULT_SALT_DIR/
  chown -R socore:socore $DEFAULT_SALT_DIR/
  chmod 755 $DEFAULT_SALT_DIR/pillar/firewall/addfirewall.sh
  cd /tmp
 }
 disable_fastestmirror() {
 	sed -i 's/enabled=1/enabled=0/' /etc/yum/pluginconf.d/fastestmirror.conf
 }
 elastic_license() {
 read -r -d '' message <<- EOM
 \n
 Starting in Elastic Stack version 7.11, the Elastic Stack binaries are only available under the Elastic License:
 https://securityonion.net/elastic-license
 Please review the Elastic License:
 https://www.elastic.co/licensing/elastic-license
 Do you agree to the terms of the Elastic License?
 If so, type AGREE to accept the Elastic License and continue.  Otherwise, press Enter to exit this program without making any changes.
 EOM
 	AGREED=$(whiptail --title "$whiptail_title" --inputbox \
 	"$message" 20 75 3>&1 1>&2 2>&3)
 	if [ "${AGREED^^}" = 'AGREE' ]; then
 		mkdir -p /opt/so/state
 		touch /opt/so/state/yeselastic.txt 
 	else
 		echo "Starting in 2.3.40 you must accept the Elastic license if you want to run Security Onion."
 		exit 1
 	fi
 }
 fail() {
 	msg=$1
 	echo "ERROR: $msg"
 	echo "Exiting."
 	exit 1
 }
 get_random_value() {
 	length=${1:-20}
 	head -c 5000 /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w $length | head -n 1
 }
 gpg_rpm_import() {
 	if [[ "$OS" == "centos" ]]; then
 	    if [[ "$WHATWOULDYOUSAYYAHDOHERE" == "setup" ]]; then
 	        local RPMKEYSLOC="../salt/repo/client/files/centos/keys"
 	    else
 	        local RPMKEYSLOC="$UPDATE_DIR/salt/repo/client/files/centos/keys"
 	    fi
 	    RPMKEYS=('RPM-GPG-KEY-EPEL-7' 'GPG-KEY-WAZUH' 'docker.pub' 'SALTSTACK-GPG-KEY.pub' 'securityonion.pub')
 	    for RPMKEY in "${RPMKEYS[@]}"; do
    	        rpm --import $RPMKEYSLOC/$RPMKEY
 	        echo "Imported $RPMKEY"
 	    done
 	fi
 }
 header() {
-	echo
+	printf '%s\n' "" "$banner" " $*" "$banner" 
-    printf '%s\n' "$banner" "$*" "$banner"
+}
 init_monitor() {
 	MONITORNIC=$1
 	if [[ $MONITORNIC == "bond0" ]]; then 
 	  BIFACES=$(lookup_bond_interfaces)
 	else
 	  BIFACES=$MONITORNIC
 	fi
 	for DEVICE_IFACE in $BIFACES; do
 	  for i in rx tx sg tso ufo gso gro lro; do
 	    ethtool -K "$DEVICE_IFACE" "$i" off;
  	  done
 	  ip link set dev "$DEVICE_IFACE" arp off multicast off allmulticast off promisc on
 	done
 }
 is_manager_node() {
 	# Check to see if this is a manager node
 	role=$(lookup_role)
 	is_single_node_grid && return 0
 	[ $role == 'manager' ] && return 0
 	[ $role == 'managersearch' ] && return 0
 	[ $role == 'helix' ] && return 0
 	return 1
 }
 is_sensor_node() {
 	# Check to see if this is a sensor (forward) node
 	role=$(lookup_role)
 	is_single_node_grid && return 0
 	[ $role == 'sensor' ] && return 0
 	[ $role == 'heavynode' ] && return 0
 	[ $role == 'helix' ] && return 0
 	return 1
 }
 is_single_node_grid() {
 	role=$(lookup_role)
 	[ $role == 'eval' ] && return 0
 	[ $role == 'standalone' ] && return 0
 	[ $role == 'import' ] && return 0
 	return 1
 }
 lookup_bond_interfaces() {
 	cat /proc/net/bonding/bond0 | grep "Slave Interface:" | sed -e "s/Slave Interface: //g"
 }
 lookup_salt_value() {
 	key=$1
 	group=$2
 	kind=$3
 	output=${4:-newline_values_only}
 	if [ -z "$kind" ]; then
 		kind=pillar
@@ -42,7 +249,7 @@ lookup_salt_value() {
 		group=${group}:
 	fi
-  salt-call --no-color  ${kind}.get ${group}${key} --out=newline_values_only
+	salt-call --no-color  ${kind}.get ${group}${key} --out=${output}
 }
 lookup_pillar() {
@@ -68,15 +275,64 @@ lookup_role() {
 	echo ${pieces[1]}
 }
-check_container() {
+require_manager() {
-	docker ps | grep "$1:" > /dev/null 2>&1
+	if is_manager_node; then
-	return $?
+		echo "This is a manager, so we can proceed."
 	else
 		echo "Please run this command on the manager; the manager controls the grid."
 		exit 1
 	fi
 }
-check_password() {
+retry() {
-  local password=$1
+	maxAttempts=$1
-  echo "$password" | egrep -v "'|\"|\\$|\\\\" > /dev/null 2>&1
+	sleepDelay=$2
-  return $?
+	cmd=$3
 	expectedOutput=$4
 	attempt=0
 	local exitcode=0
 	while [[ $attempt -lt $maxAttempts ]]; do			
 		attempt=$((attempt+1))
 		echo "Executing command with retry support: $cmd"
 		output=$(eval "$cmd")
 		exitcode=$?
 		echo "Results: $output ($exitcode)"
 		if [ -n "$expectedOutput" ]; then
 			if [[ "$output" =~ "$expectedOutput" ]]; then
 				return $exitCode
 			else
 				echo "Expected '$expectedOutput' but got '$output'"
 			fi
 		elif [[ $exitcode -eq 0 ]]; then
 			return $exitCode
 		fi
 		echo "Command failed with exit code $exitcode; will retry in $sleepDelay seconds ($attempt / $maxAttempts)..."
 		sleep $sleepDelay
 	done
 	echo "Command continues to fail; giving up."
 	return $exitcode
 }
 run_check_net_err() {
 	local cmd=$1
 	local err_msg=${2:-"Unknown error occured, please check /root/$WHATWOULDYOUSAYYAHDOHERE.log for details."} # Really need to rename that variable
 	local no_retry=$3
 	local exit_code
 	if [[ -z $no_retry ]]; then
 		retry 5 60 "$cmd"
 		exit_code=$?
 	else
 		eval "$cmd"
 		exit_code=$?
 	fi
 	if [[ $exit_code -ne 0 ]]; then
 		ERR_HANDLED=true
 		[[ -z $no_retry ]] || echo "Command failed with error $exit_code"
 		echo "$err_msg"
 		exit $exit_code
 	fi
 }
 set_os() {
@@ -91,6 +347,12 @@ set_minionid() {
 	MINIONID=$(lookup_grain id)
 }
 set_palette() {
 	if [ "$OS" == ubuntu ]; then
 	    update-alternatives --set newt-palette /etc/newt/palette.original
    fi
 }
 set_version() {
 	CURRENTVERSION=0.0.0
 	if [ -f /etc/soversion ]; then
@@ -110,33 +372,162 @@ set_version() {
 	fi
 }
-require_manager() {
+has_uppercase() {
-  # Check to see if this is a manager
+	local string=$1
-  MANAGERCHECK=$(cat /etc/salt/grains | grep role | awk '{print $2}')
+
-  if [ $MANAGERCHECK == 'so-eval' ] || [ $MANAGERCHECK == 'so-manager' ] || [ $MANAGERCHECK == 'so-managersearch' ] || [ $MANAGERCHECK == 'so-standalone' ] || [ $MANAGERCHECK == 'so-helix' ] || [ $MANAGERCHECK == 'so-import' ]; then
+	echo "$string" | grep -qP '[A-Z]' \
-    echo "This is a manager, We can proceed."
+		&& return 0 \
 		|| return 1
 }
 valid_cidr() {
 	# Verify there is a backslash in the string
 	echo "$1" | grep -qP "^[^/]+/[^/]+$" || return 1
 	local cidr
 	local ip
 	cidr=$(echo "$1" | sed 's/.*\///')
 	ip=$(echo "$1" | sed 's/\/.*//' )
 	if valid_ip4 "$ip"; then
 		[[ $cidr =~ ([0-9]|[1-2][0-9]|3[0-2]) ]] && return 0 || return 1
 	else
-    echo "Please run this command on the manager; the manager controls the grid."
+		return 1
    exit 1
 	fi
 }
-is_single_node_grid() {
+valid_cidr_list() {
-  role=$(lookup_role)
+	local all_valid=0
-  if [ "$role" != "eval" ] && [ "$role" != "standalone" ] && [ "$role" != "import" ]; then
+
 	IFS="," read -r -a net_arr <<< "$1"
 	for net in "${net_arr[@]}"; do
 		valid_cidr "$net" || all_valid=1
 	done
 	return $all_valid
 }
 valid_dns_list() {
 	local all_valid=0
 	IFS="," read -r -a dns_arr <<< "$1"
 	for addr in "${dns_arr[@]}"; do
 		valid_ip4 "$addr" || all_valid=1
 	done
 	return $all_valid
 }
 valid_fqdn() {
 	local fqdn=$1
 	echo "$fqdn" | grep -qP '(?=^.{4,253}$)(^((?!-)[a-zA-Z0-9-]{0,62}[a-zA-Z0-9]\.)+[a-zA-Z]{2,63}$)' \
 		&& return 0 \
 		|| return 1
 }
 valid_hostname() {
 	local hostname=$1
 	[[ $hostname =~ ^[a-zA-Z0-9\-]+$ ]] && [[ $hostname != 'localhost' ]] && return 0 || return 1
 }
 valid_ip4() {
 	local ip=$1
 	echo "$ip" | grep -qP '^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$' && return 0 || return 1
 }
 valid_int() {
 	local num=$1
 	local min=${2:-1}
 	local max=${3:-1000000000}
 	[[ $num =~ ^[0-9]*$ ]] && [[ $num -ge $min ]] && [[ $num -le $max ]] && return 0 || return 1
 }
 # {% raw %}
 valid_proxy() {
 	local proxy=$1
 	local url_prefixes=( 'http://' 'https://' )
 	local has_prefix=false
 	for prefix in "${url_prefixes[@]}"; do
 		echo "$proxy" | grep -q "$prefix" && has_prefix=true && proxy=${proxy#"$prefix"} && break
 	done
 	local url_arr
 	mapfile -t url_arr <<< "$(echo "$proxy" | tr ":" "\n")"
 	local valid_url=true
 	if ! valid_ip4 "${url_arr[0]}" && ! valid_fqdn "${url_arr[0]}" && ! valid_hostname "${url_arr[0]}"; then
 		valid_url=false
 	fi
 	[[ $has_prefix == true ]] && [[ $valid_url == true ]] && return 0 || return 1
 }
 valid_ntp_list() {
 	local string=$1
 	local ntp_arr
 	IFS="," read -r -a ntp_arr <<< "$string"
 	for ntp in "${ntp_arr[@]}"; do
 		if ! valid_ip4 "$ntp" && ! valid_hostname "$ntp" && ! valid_fqdn "$ntp"; then
 			return 1
 		fi
 	done
 	return 0
 }
-fail() {
+valid_string() {
-  msg=$1
+	local str=$1
-  echo "ERROR: $msg"
+	local min_length=${2:-1}
-  echo "Exiting."
+	local max_length=${3:-64}
-  exit 1
+
 	echo "$str" | grep -qP '^\S+$' && [[ ${#str} -ge $min_length ]] && [[ ${#str} -le $max_length ]] && return 0 || return 1
 }
-get_random_value() {
+# {% endraw %}
-  length=${1:-20}
+
-  head -c 5000 /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w $length | head -n 1
+valid_username() {
 	local user=$1
 	echo "$user" | grep -qP '^[a-z_]([a-z0-9_-]{0,31}|[a-z0-9_-]{0,30}\$)$' && return 0 || return 1
 }
 wait_for_web_response() {
 	url=$1
 	expected=$2
 	maxAttempts=${3:-300}
 	curlcmd=${4:-curl}
 	logfile=/root/wait_for_web_response.log
 	truncate -s 0 "$logfile"
 	attempt=0
 	while [[ $attempt -lt $maxAttempts ]]; do
 		attempt=$((attempt+1))
 		echo "Waiting for value '$expected' at '$url' ($attempt/$maxAttempts)"
 		result=$($curlcmd -ks -L $url)
 		exitcode=$?
 		echo "--------------------------------------------------" >> $logfile
 		echo "$(date) - Checking web URL: $url ($attempt/$maxAttempts)" >> $logfile
 		echo "$result" >> $logfile
 		echo "exit code=$exitcode" >> $logfile
 		echo "" >> $logfile
 		if [[ $exitcode -eq 0 && "$result" =~ $expected ]]; then
 			echo "Received expected response; proceeding."
 			return 0
 		fi
 		echo "Server is not ready"
 		sleep 1
 	done
 	echo "Server still not ready after $maxAttempts attempts; giving up."
 	return 1
 }
@@ -1,6 +1,6 @@
 #!/bin/bash
 #
-# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -33,12 +33,16 @@ if [ ! -f $BACKUPFILE ]; then
  {%- for LOCATION in BACKUPLOCATIONS %}
  tar -rf $BACKUPFILE {{ LOCATION }}
  {%- endfor %}
  tar -rf $BACKUPFILE /etc/pki
  tar -rf $BACKUPFILE /etc/salt
  tar -rf $BACKUPFILE /opt/so/conf/kratos
 fi
-# Find oldest backup file and remove it
+# Find oldest backup files and remove them
 NUMBACKUPS=$(find /nsm/backup/ -type f -name "so-config-backup*" | wc -l)
-OLDESTBACKUP=$(find /nsm/backup/ -type f -name "so-config-backup*" | ls -1t | tail -1)
+while [ "$NUMBACKUPS" -gt "$MAXBACKUPS" ]; do
-if [ "$NUMBACKUPS" -gt "$MAXBACKUPS" ]; then
+  OLDESTBACKUP=$(find /nsm/backup/ -type f -name "so-config-backup*" -type f -printf '%T+ %p\n' | sort | head -n 1 | awk -F" " '{print $2}')
-  rm -f /nsm/backup/$OLDESTBACKUP
+  rm -f $OLDESTBACKUP
-fi
+  NUMBACKUPS=$(find /nsm/backup/ -type f -name "so-config-backup*" | wc -l)
 done
@@ -1,6 +1,6 @@
 #!/bin/bash
 #
-# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -1,6 +1,6 @@
 #!/bin/bash
-# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -1,6 +1,6 @@
 #!/bin/bash
 #
-# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -1,6 +1,6 @@
 #!/bin/bash
 #
-# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -30,7 +30,7 @@ fi
 USER=$1
-CORTEX_KEY=$(lookup_pillar cortexkey)
+CORTEX_KEY=$(lookup_pillar cortexorguserkey)
 CORTEX_API_URL="$(lookup_pillar url_base)/cortex/api"
 CORTEX_ORG_NAME=$(lookup_pillar cortexorgname)
 CORTEX_USER=$USER
@@ -1,6 +1,6 @@
 #!/bin/bash
 #
-# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -30,7 +30,7 @@ fi
 USER=$1
-CORTEX_KEY=$(lookup_pillar cortexkey)
+CORTEX_KEY=$(lookup_pillar cortexorguserkey)
 CORTEX_API_URL="$(lookup_pillar url_base)/cortex/api"
 CORTEX_USER=$USER
@@ -1,6 +1,6 @@
 #!/bin/bash
-# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -1,6 +1,6 @@
 #!/bin/bash
-# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -1,6 +1,6 @@
 #!/bin/bash
-# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -0,0 +1,102 @@
 #!/usr/bin/env python3
 # Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, either version 3 of the License, or
 # (at your option) any later version.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 import sys, argparse, re, docker
 from packaging.version import Version, InvalidVersion
 from itertools import groupby, chain
 def get_image_name(string) -> str:
  return ':'.join(string.split(':')[:-1])
 def get_so_image_basename(string) -> str:
  return get_image_name(string).split('/so-')[-1]
 def get_image_version(string) -> str:
  ver = string.split(':')[-1]
  if ver == 'latest':
    # Version doesn't like "latest", so use a high semver
    return '99999.9.9'
  else:
    try:
      Version(ver)
    except InvalidVersion:
      # Also return a very high semver for any version 
      # with a dash in it since it will likely be a dev version of some kind
      if '-' in ver:
        return '999999.9.9'
    return ver
 def main(quiet):
  client = docker.from_env()
  # Prune old/stopped containers
  if not quiet: print('Pruning old containers')
  client.containers.prune()
  image_list = client.images.list(filters={ 'dangling': False })
  # Map list of image objects to flattened list of tags (format: "name:version")
  tag_list = list(chain.from_iterable(list(map(lambda x: x.attrs.get('RepoTags'), image_list))))
  # Filter to only SO images (base name begins with "so-")
  tag_list = list(filter(lambda x: re.match(r'^.*\/so-[^\/]*$', get_image_name(x)), tag_list))
  # Group tags into lists by base name (sort by same projection first)
  tag_list.sort(key=lambda x: get_so_image_basename(x))
  grouped_tag_lists = [ list(it) for _, it in groupby(tag_list, lambda x: get_so_image_basename(x)) ]
  no_prunable = True
  for t_list in grouped_tag_lists:
    try:
      # Group tags by version, in case multiple images exist with the same version string
      t_list.sort(key=lambda x: Version(get_image_version(x)), reverse=True)
      grouped_t_list = [ list(it) for _,it in groupby(t_list, lambda x: get_image_version(x)) ]
      # Keep the 2 most current version groups
      if len(grouped_t_list) <= 2:
        continue
      else:
        no_prunable = False
        for group in grouped_t_list[2:]:
          for tag in group:
            if not quiet: print(f'Removing image {tag}')
            try:
              client.images.remove(tag, force=True)
            except docker.errors.ClientError as e:
              print(f'Could not remove image {tag}, continuing...')
    except (docker.errors.APIError, InvalidVersion) as e:
      print(f'so-{get_so_image_basename(t_list[0])}: {e}', file=sys.stderr)
      exit(1)
    except Exception as e:
      print('Unhandled exception occurred:')
      print(f'so-{get_so_image_basename(t_list[0])}: {e}', file=sys.stderr)
      exit(1)
  if no_prunable and not quiet:
    print('No Security Onion images to prune')
 if __name__ == "__main__":
  main_parser = argparse.ArgumentParser(add_help=False)
  main_parser.add_argument('-q', '--quiet', action='store_const', const=True, required=False)
  args = main_parser.parse_args(sys.argv[1:])
  main(args.quiet)
@@ -1,6 +1,6 @@
 #!/bin/bash
-# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -145,9 +145,9 @@ EOF
   rulename=$(echo ${raw_rulename,,} | sed 's/ /_/g')
 cat << EOF >> "$rulename.yaml"
-# Elasticsearch Host
+# Elasticsearch Host Override (optional)
-es_host: elasticsearch
+# es_host: elasticsearch
-es_port: 9200
+# es_port: 9200
 # (Required)
 # Rule name, must be unique
@@ -1,6 +1,6 @@
 #!/bin/bash
-# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -1,6 +1,6 @@
 #!/bin/bash
-# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -1,6 +1,6 @@
 #!/bin/bash
-# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -96,7 +96,7 @@ rule_prompt(){
 	echo "-----------------------------------"
 	echo
 	while [ -z "$RULE_NAME" ]; do
-		read -p "Please enter the rule filename you want to test (filename only, no path): " -e RULE_NAME
+		read -p "Choose a rule to test from the list above (must be typed exactly as shown above): " -e RULE_NAME
 	done
 }
@@ -0,0 +1,67 @@
 #!/bin/bash
 # Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, either version 3 of the License, or
 # (at your option) any later version.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 if [ -f "/usr/sbin/so-common" ]; then
  . /usr/sbin/so-common
 fi
 ES_AUTH_PILLAR=${ELASTIC_AUTH_PILLAR:-/opt/so/saltstack/local/pillar/elasticsearch/auth.sls}
 ES_USERS_FILE=${ELASTIC_USERS_FILE:-/opt/so/saltstack/local/salt/elasticsearch/files/users}
 authEnable=$1
 if ! grep -q "enabled: " "$ES_AUTH_PILLAR"; then
  echo "Elastic auth pillar file is invalid. Unable to proceed."
  exit 1
 fi
 function restart() {
  if [[ -z "$ELASTIC_AUTH_SKIP_HIGHSTATE" ]]; then
    echo "Elasticsearch on all affected minions will now be stopped and then restarted..."
    salt -C 'G@role:so-standalone or G@role:so-eval or G@role:so-import or G@role:so-manager or G@role:so-managersearch or G@role:so-node or G@role:so-heavynode' cmd.run so-elastic-stop queue=True
    echo "Applying highstate to all affected minions..."
    salt -C 'G@role:so-standalone or G@role:so-eval or G@role:so-import or G@role:so-manager or G@role:so-managersearch or G@role:so-node or G@role:so-heavynode' state.highstate queue=True
  fi
 }
 if [[ "$authEnable" == "true" ]]; then
  if grep -q "enabled: False" "$ES_AUTH_PILLAR"; then
    sed -i 's/enabled: False/enabled: True/g' "$ES_AUTH_PILLAR"
    restart
    echo "Elastic auth is now enabled."
    if grep -q "argon" "$ES_USERS_FILE"; then
      echo ""
      echo "IMPORTANT: The following users will need to change their password, after logging into SOC, in order to access Kibana:"
      grep argon "$ES_USERS_FILE" | cut -d ":" -f 1
    fi
  else
    echo "Auth is already enabled."
  fi
 elif [[ "$authEnable" == "false" ]]; then
  if grep -q "enabled: True" "$ES_AUTH_PILLAR"; then
    sed -i 's/enabled: True/enabled: False/g' "$ES_AUTH_PILLAR"
    restart
    echo "Elastic auth is now disabled."
  else
    echo "Auth is already disabled."
  fi
 else
  echo "Usage: $0 <true|false>"
  echo ""
  echo "Toggles Elastic authentication. Elasticsearch will be restarted on each affected minion."
  echo ""
 fi
@@ -1,6 +1,6 @@
 #!/bin/bash
 #
-# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -50,11 +50,7 @@ done
 if [ $SKIP -ne 1 ]; then
        # List indices
        echo 
-        {% if grains['role'] in ['so-node','so-heavynode'] %}
+        {{ ELASTICCURL }} -k -L https://{{ NODEIP }}:9200/_cat/indices?v
        curl -k -L https://{{ NODEIP }}:9200/_cat/indices?v
        {% else %}
        curl -L {{ NODEIP }}:9200/_cat/indices?v
        {% endif %}
        echo
        # Inform user we are about to delete all data
        echo
@@ -93,18 +89,10 @@ fi
 # Delete data
 echo "Deleting data..."
-{% if grains['role'] in ['so-node','so-heavynode'] %}
+INDXS=$({{ ELASTICCURL }} -s -XGET -k -L https://{{ NODEIP }}:9200/_cat/indices?v | egrep 'logstash|elastalert|so-' | awk '{ print $3 }')
 INDXS=$(curl -s -XGET -k -L https://{{ NODEIP }}:9200/_cat/indices?v | egrep 'logstash|elastalert|so-' | awk '{ print $3 }')
 {% else %}
 INDXS=$(curl -s -XGET -L {{ NODEIP }}:9200/_cat/indices?v | egrep 'logstash|elastalert|so-' | awk '{ print $3 }')
 {% endif %}
 for INDX in ${INDXS}
 do
-    {% if grains['role'] in ['so-node','so-heavynode'] %}
+    {{ ELASTICCURL }} -XDELETE -k -L https://"{{ NODEIP }}:9200/${INDX}" > /dev/null 2>&1
    curl -XDELETE -k -L https://"{{ NODEIP }}:9200/${INDX}" > /dev/null 2>&1
    {% else %}
    curl -XDELETE -L "{{ NODEIP }}:9200/${INDX}" > /dev/null 2>&1
    {% endif %}
 done
 #Start Logstash/Filebeat
@@ -1,6 +1,6 @@
 #!/bin/bash
-# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -1,6 +1,6 @@
 #!/bin/bash
-# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -1,6 +1,6 @@
 #!/bin/bash
-# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -1,6 +1,6 @@
 #!/bin/bash
-# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -0,0 +1,21 @@
 #!/bin/bash
 #
 # Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, either version 3 of the License, or
 # (at your option) any later version.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>
 {%- set NODEIP = salt['pillar.get']('elasticsearch:mainip', '') -%}
 . /usr/sbin/so-common
 {{ ELASTICCURL }} -s -k -L https://{{ NODEIP }}:9200/_cat/indices?pretty
@@ -1,7 +1,7 @@
 #!/bin/bash
 #
 #
-# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -21,6 +21,5 @@ THEHIVEESPORT=9400
 echo "Removing read only attributes for indices..."
 echo
-for p in $ESPORT $THEHIVEESPORT; do
+{{ ELASTICCURL }} -s -k -XPUT -H "Content-Type: application/json" -L https://$IP:9200/_all/_settings -d '{"index.blocks.read_only_allow_delete": null}' 2>&1 | if grep -q ack; then echo "Index settings updated..."; else echo "There was any issue updating the read-only attribute.  Please ensure Elasticsearch is running.";fi;
-   curl -XPUT -H "Content-Type: application/json" -L http://$IP:$p/_all/_settings -d '{"index.blocks.read_only_allow_delete": null}' 2>&1 | if grep -q ack; then echo "Index settings updated..."; else echo "There was any issue updating the read-only attribute.  Please ensure Elasticsearch is running.";fi;
+{{ ELASTICCURL }} -XPUT -H "Content-Type: application/json" -L http://$IP:9400/_all/_settings -d '{"index.blocks.read_only_allow_delete": null}' 2>&1 | if grep -q ack; then echo "Index settings updated..."; else echo "There was any issue updating the read-only attribute.  Please ensure Elasticsearch is running.";fi;
 done
@@ -1,6 +1,6 @@
 #!/bin/bash
 #
-# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -19,15 +19,7 @@
 . /usr/sbin/so-common
 if [ "$1" == "" ]; then
-        {% if grains['role'] in ['so-node','so-heavynode'] %}
+        {{ ELASTICCURL }} -s -k -L https://{{ NODEIP }}:9200/_nodes/stats | jq .nodes | jq ".[] | .ingest.pipelines"
        curl -s -k -L https://{{ NODEIP }}:9200/_nodes/stats | jq .nodes | jq ".[] | .ingest.pipelines"
        {% else %}
        curl -s -L {{ NODEIP }}:9200/_nodes/stats | jq .nodes | jq ".[] | .ingest.pipelines"
        {% endif %}
 else
-        {% if grains['role'] in ['so-node','so-heavynode'] %}
+        {{ ELASTICCURL }} -s -k -L https://{{ NODEIP }}:9200/_nodes/stats | jq .nodes | jq ".[] | .ingest.pipelines.\"$1\""
        curl -s -k -L https://{{ NODEIP }}:9200/_nodes/stats | jq .nodes | jq ".[] | .ingest.pipelines.\"$1\""
        {% else %}
        curl -s -L {{ NODEIP }}:9200/_nodes/stats | jq .nodes | jq ".[] | .ingest.pipelines.\"$1\""
        {% endif %}
 fi
@@ -0,0 +1,25 @@
 #!/bin/bash
 #
 # Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, either version 3 of the License, or
 # (at your option) any later version.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>
 {%- set NODEIP = salt['pillar.get']('elasticsearch:mainip', '') -%}
 . /usr/sbin/so-common
 if [ "$1" == "" ]; then
        {{ ELASTICCURL }} -s -k -L https://{{ NODEIP }}:9200/_ingest/pipeline/* | jq .
 else
        {{ ELASTICCURL }} -s -k -L https://{{ NODEIP }}:9200/_ingest/pipeline/$1 | jq .[]
 fi
@@ -1,6 +1,6 @@
 #!/bin/bash
 #
-# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -17,15 +17,7 @@
 {%- set NODEIP = salt['pillar.get']('elasticsearch:mainip', '') -%}
 . /usr/sbin/so-common
 if [ "$1" == "" ]; then
-    {% if grains['role'] in ['so-node','so-heavynode'] %}
+    {{ ELASTICCURL }} -s -k -L https://{{ NODEIP }}:9200/_ingest/pipeline/* | jq 'keys'
    curl -s -k -L https://{{ NODEIP }}:9200/_ingest/pipeline/* | jq 'keys'
    {% else %}
    curl -s -L {{ NODEIP }}:9200/_ingest/pipeline/* | jq 'keys'
    {% endif %}
 else
-    {% if grains['role'] in ['so-node','so-heavynode'] %}
+    {{ ELASTICCURL }} -s -k -L https://{{ NODEIP }}:9200/_ingest/pipeline/$1 | jq
    curl -s -k -L https://{{ NODEIP }}:9200/_ingest/pipeline/$1 | jq
    {% else %}
    curl -s -L {{ NODEIP }}:9200/_ingest/pipeline/$1 | jq
    {% endif %}
 fi
@@ -0,0 +1,37 @@
 #!/bin/bash
 #
 # Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, either version 3 of the License, or
 # (at your option) any later version.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>
 . /usr/sbin/so-common
 if [[ $# -lt 1 ]]; then
 	echo "Submit a cURL request to the local Security Onion Elasticsearch host."
 	echo ""
 	echo "Usage: $0 <PATH> [ARGS,...]"
 	echo ""
  echo "Where "
  echo "   PATH represents the elastic function being requested."
  echo "   ARGS is used to specify additional, optional curl parameters."
  echo ""
  echo "Examples:"
  echo "   $0 /"
  echo "   $0 '*:so-*/_search' -d '{\"query\": {\"match_all\": {}},\"size\": 1}' | jq"
  exit 1
 fi
 QUERYPATH=$1
 shift
 {{ ELASTICCURL }} -s -k -L -H "Content-Type: application/json" "https://localhost:9200/${QUERYPATH}" "$@"
@@ -1,6 +1,6 @@
 #!/bin/bash
-# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -0,0 +1,21 @@
 #!/bin/bash
 #
 # Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, either version 3 of the License, or
 # (at your option) any later version.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>
 {%- set NODEIP = salt['pillar.get']('elasticsearch:mainip', '') -%}
 . /usr/sbin/so-common
 {{ ELASTICCURL }} -s -k -L https://{{ NODEIP }}:9200/_cat/shards?pretty
@@ -1,6 +1,6 @@
 #!/bin/bash
-# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -1,6 +1,6 @@
 #!/bin/bash
-# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -0,0 +1,21 @@
 #!/bin/bash
 #
 # Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, either version 3 of the License, or
 # (at your option) any later version.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>
 {%- set NODEIP = salt['pillar.get']('elasticsearch:mainip', '') -%}
 . /usr/sbin/so-common
 {{ ELASTICCURL }} -s -k -L -XDELETE https://{{ NODEIP }}:9200/_template/$1
@@ -0,0 +1,25 @@
 #!/bin/bash
 #
 # Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, either version 3 of the License, or
 # (at your option) any later version.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>
 {%- set NODEIP = salt['pillar.get']('elasticsearch:mainip', '') -%}
 . /usr/sbin/so-common
 if [ "$1" == "" ]; then
        {{ ELASTICCURL }} -s -k -L https://{{ NODEIP }}:9200/_template/* | jq .
 else
        {{ ELASTICCURL }} -s -k -L https://{{ NODEIP }}:9200/_template/$1 | jq .
 fi
@@ -1,6 +1,6 @@
 #!/bin/bash
 #
-# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -17,15 +17,7 @@
 {%- set NODEIP = salt['pillar.get']('elasticsearch:mainip', '') -%}
 . /usr/sbin/so-common
 if [ "$1" == "" ]; then
-    {% if grains['role'] in ['so-node','so-heavynode'] %}
+    {{ ELASTICCURL }} -s -k -L https://{{ NODEIP }}:9200/_template/* | jq 'keys'
    curl -s -k -L https://{{ NODEIP }}:9200/_template/* | jq 'keys'
    {% else %}
    curl -s -L {{ NODEIP }}:9200/_template/* | jq 'keys'
    {% endif %}
 else
-    {% if grains['role'] in ['so-node','so-heavynode'] %}
+    {{ ELASTICCURL }} -s -k -L https://{{ NODEIP }}:9200/_template/$1 | jq
    curl -s -k -L https://{{ NODEIP }}:9200/_template/$1 | jq
    {% else %}
    curl -s -L {{ NODEIP }}:9200/_template/$1 | jq
    {% endif %}
 fi
@@ -1,8 +1,5 @@
 {%- set mainint = salt['pillar.get']('host:mainint') %}
 {%- set MYIP = salt['grains.get']('ip_interfaces:' ~ mainint)[0] %}
 #!/bin/bash
-# Copyright 2014,2015,2016,2017,2018,2019 Security Onion Solutions, LLC
+# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -17,6 +14,9 @@
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 {%- set mainint = salt['pillar.get']('host:mainint') %}
 {%- set MYIP = salt['grains.get']('ip_interfaces:' ~ mainint)[0] %}
 default_conf_dir=/opt/so/conf
 ELASTICSEARCH_HOST="{{ MYIP }}"
 ELASTICSEARCH_PORT=9200
@@ -30,11 +30,7 @@ echo -n "Waiting for ElasticSearch..."
 COUNT=0
 ELASTICSEARCH_CONNECTED="no"
 while [[ "$COUNT" -le 240 ]]; do
-    {% if grains['role'] in ['so-node','so-heavynode'] %}
+    {{ ELASTICCURL }} -k --output /dev/null --silent --head --fail -L https://"$ELASTICSEARCH_HOST":"$ELASTICSEARCH_PORT"
    curl -k --output /dev/null --silent --head --fail -L https://"$ELASTICSEARCH_HOST":"$ELASTICSEARCH_PORT"
    {% else %}
 	curl --output /dev/null --silent --head --fail -L http://"$ELASTICSEARCH_HOST":"$ELASTICSEARCH_PORT"
 	{% endif %}
 	if [ $? -eq 0 ]; then
 		ELASTICSEARCH_CONNECTED="yes"
 		echo "connected!"
@@ -55,11 +51,7 @@ cd ${ELASTICSEARCH_TEMPLATES}
 echo "Loading templates..."
-{% if grains['role'] in ['so-node','so-heavynode'] %}
+for i in *; do TEMPLATE=$(echo $i | cut -d '-' -f2); echo "so-$TEMPLATE"; {{ ELASTICCURL }} -k ${ELASTICSEARCH_AUTH} -s -XPUT -L https://${ELASTICSEARCH_HOST}:${ELASTICSEARCH_PORT}/_template/so-$TEMPLATE -H 'Content-Type: application/json' -d@$i 2>/dev/null; echo; done
 for i in *; do TEMPLATE=$(echo $i | cut -d '-' -f2); echo "so-$TEMPLATE"; curl -k ${ELASTICSEARCH_AUTH} -s -XPUT -L https://${ELASTICSEARCH_HOST}:${ELASTICSEARCH_PORT}/_template/so-$TEMPLATE -H 'Content-Type: application/json' -d@$i 2>/dev/null; echo; done
 {% else %}
 for i in *; do TEMPLATE=$(echo $i | cut -d '-' -f2); echo "so-$TEMPLATE"; curl ${ELASTICSEARCH_AUTH} -s -XPUT -L http://${ELASTICSEARCH_HOST}:${ELASTICSEARCH_PORT}/_template/so-$TEMPLATE -H 'Content-Type: application/json' -d@$i 2>/dev/null; echo; done
 {% endif %}
 echo
 cd - >/dev/null
@@ -0,0 +1,5 @@
 #!/bin/bash
 . /usr/sbin/so-common
 wait_for_web_response "https://localhost:9200/_cat/indices/.kibana*" "green open" 300 "{{ ELASTICCURL }}"
@@ -1,53 +0,0 @@
 #!/bin/bash
 # Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
 #    This program is free software: you can redistribute it and/or modify
 #    it under the terms of the GNU General Public License as published by
 #    the Free Software Foundation, either version 3 of the License, or
 #    (at your option) any later version.
 #
 #    This program is distributed in the hope that it will be useful,
 #    but WITHOUT ANY WARRANTY; without even the implied warranty of
 #    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 #    GNU General Public License for more details.
 #
 #    You should have received a copy of the GNU General Public License
 #    along with this program.  If not, see <http://www.gnu.org/licenses/>.
 . /usr/sbin/so-common
 . /usr/sbin/so-image-common
 local_salt_dir=/opt/so/saltstack/local
 cat << EOF
 This program will switch from the open source version of the Elastic Stack to the Features version licensed under the Elastic license.
 If you proceed, then we will download new Docker images and restart services.
 Please review the Elastic license:
 https://raw.githubusercontent.com/elastic/elasticsearch/master/licenses/ELASTIC-LICENSE.txt
 Please also note that, if you have a distributed deployment and continue with this change, Elastic traffic between nodes will change from encrypted to cleartext!
 (We expect to support Elastic Features Security at some point in the future.)
 Do you agree to the terms of the Elastic license and understand the note about encryption?
 If so, type AGREE to accept the Elastic license and continue.  Otherwise, just press Enter to exit this program without making any changes.
 EOF
 read INPUT
 if [ "$INPUT" != "AGREE" ]; then
        exit
 fi
 echo "Please wait while switching to Elastic Features."
 require_manager
 TRUSTED_CONTAINERS=( \
  "so-elasticsearch" \
  "so-filebeat" \
  "so-kibana" \
  "so-logstash" )
 update_docker_containers "features" "-features"
 # Modify global.sls to enable Features
 sed -i 's/features: False/features: True/' $local_salt_dir/pillar/global.sls
@@ -0,0 +1,67 @@
 #!/bin/bash
 # Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, either version 3 of the License, or
 # (at your option) any later version.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 {%- set mainint = salt['pillar.get']('host:mainint') %}
 {%- set MYIP = salt['grains.get']('ip_interfaces:' ~ mainint)[0] %}
 default_conf_dir=/opt/so/conf
 ELASTICSEARCH_HOST="{{ MYIP }}"
 ELASTICSEARCH_PORT=9200
 #ELASTICSEARCH_AUTH=""
 # Define a default directory to load pipelines from
 FB_MODULE_YML="/usr/share/filebeat/module-setup.yml"
 # Wait for ElasticSearch to initialize
 echo -n "Waiting for ElasticSearch..."
 COUNT=0
 ELASTICSEARCH_CONNECTED="no"
 while [[ "$COUNT" -le 240 ]]; do
        {{ ELASTICCURL }} -k --output /dev/null --silent --head --fail -L https://"$ELASTICSEARCH_HOST":"$ELASTICSEARCH_PORT"
        if [ $? -eq 0 ]; then
                ELASTICSEARCH_CONNECTED="yes"
                echo "connected!"
                break
        else
                ((COUNT+=1))
                sleep 1
                echo -n "."
        fi
 done
 if [ "$ELASTICSEARCH_CONNECTED" == "no" ]; then
        echo
        echo -e "Connection attempt timed out.  Unable to connect to ElasticSearch.  \nPlease try: \n  -checking log(s) in /var/log/elasticsearch/\n  -running 'sudo docker ps' \n  -running 'sudo so-elastic-restart'"
        echo
 fi
 echo "Testing to see if the pipelines are already applied"
 ESVER=$({{ ELASTICCURL }} -sk https://"$ELASTICSEARCH_HOST":"$ELASTICSEARCH_PORT" |jq .version.number |tr -d \")
 PIPELINES=$({{ ELASTICCURL }} -sk https://"$ELASTICSEARCH_HOST":"$ELASTICSEARCH_PORT"/_ingest/pipeline/filebeat-$ESVER-suricata-eve-pipeline | jq . | wc -c)
 if [[ "$PIPELINES" -lt 5 ]]; then
  echo "Setting up ingest pipeline(s)"
  for MODULE in activemq apache auditd aws azure barracuda bluecoat cef checkpoint cisco coredns crowdstrike cyberark cylance elasticsearch envoyproxy f5 fortinet gcp google_workspace googlecloud gsuite haproxy ibmmq icinga iis imperva infoblox iptables juniper kafka kibana logstash microsoft misp mongodb mssql mysql nats netscout nginx o365 okta osquery panw postgresql rabbitmq radware redis santa snort snyk sonicwall sophos squid suricata system tomcat traefik zeek zscaler
  do
    echo "Loading $MODULE"
    docker exec -i so-filebeat filebeat setup modules -pipelines -modules $MODULE -c $FB_MODULE_YML
    sleep 2
  done
 else
  exit 0
 fi
@@ -1,6 +1,6 @@
 #!/bin/bash
-# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -1,6 +1,6 @@
 #!/bin/bash
-# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -1,6 +1,6 @@
 #!/bin/bash
-# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -1,6 +1,6 @@
 #!/usr/bin/env python3
-# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -15,27 +15,39 @@
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 import os
 import subprocess
 import sys
 import time
 import yaml
 lockFile = "/tmp/so-firewall.lock"
 hostgroupsFilename = "/opt/so/saltstack/local/salt/firewall/hostgroups.local.yaml"
 portgroupsFilename = "/opt/so/saltstack/local/salt/firewall/portgroups.local.yaml"
 defaultPortgroupsFilename = "/opt/so/saltstack/default/salt/firewall/portgroups.yaml"
 supportedProtocols = ['tcp', 'udp']
-def showUsage(args):
+def showUsage(options, args):
  print('Usage: {} [OPTIONS] <COMMAND> [ARGS...]'.format(sys.argv[0]))
  print('  Options:')
  print('   --apply         - After updating the firewall configuration files, apply the new firewall state')
  print('   --defaultports  - Read port groups from default configuration files instead of local configuration.')
  print('')
-  print('  Available commands:')
+  print('  General commands:')
  print('    help           - Prints this usage information.')
  print('    apply          - Apply the firewall state.')
  print('')
  print('  Host commands:')
  print('    listhostgroups - Lists the known host groups.')
  print('    includedhosts  - Lists the IPs included in the given group. Args: <GROUP_NAME>')
  print('    excludedhosts  - Lists the IPs excluded from the given group. Args: <GROUP_NAME>')
  print('    includehost    - Includes the given IP in the given group. Args: <GROUP_NAME> <IP>')
  print('    excludehost    - Excludes the given IP from the given group. Args: <GROUP_NAME> <IP>')
  print('    removehost     - Removes an excluded IP from the given group. Args: <GROUP_NAME> <IP>')
  print('    addhostgroup   - Adds a new, custom host group. Args: <GROUP_NAME>')
  print('')
  print('  Port commands:')
  print('    listportgroups - Lists the known port groups.')
  print('    listports      - Lists ports in the given group and protocol. Args: <GROUP_NAME> <PORT_PROTOCOL>')
  print('    addport        - Adds a PORT to the given group. Args: <GROUP_NAME> <PORT_PROTOCOL> <PORT>')
  print('    removeport     - Removes a PORT from the given group. Args: <GROUP_NAME> <PORT_PROTOCOL> <PORT>')
@@ -48,6 +60,15 @@ def showUsage(args):
  print('   PORT          - Either a single numeric port (Ex: 443), or a port range (Ex: 8000:8002).')
  sys.exit(1)
 def checkDefaultPortsOption(options):
  global portgroupsFilename
  if "--defaultports" in options:
    portgroupsFilename = defaultPortgroupsFilename
 def checkApplyOption(options):
  if "--apply" in options:
    return apply(None, None)
 def loadYaml(filename):
  file = open(filename, "r")
  return yaml.load(file.read())
@@ -56,6 +77,14 @@ def writeYaml(filename, content):
  file = open(filename, "w")
  return yaml.dump(content, file)
 def listHostGroups():
  content = loadYaml(hostgroupsFilename)
  hostgroups = content['firewall']['hostgroups']
  if hostgroups is not None:
    for group in hostgroups:
      print(group)
  return 0
 def listIps(name, mode):
  content = loadYaml(hostgroupsFilename)
  if name not in content['firewall']['hostgroups']:
@@ -111,10 +140,18 @@ def createProtocolMap():
    map[protocol] = []
  return map
-def addhostgroup(args):
+def listPortGroups():
  content = loadYaml(portgroupsFilename)
  portgroups = content['firewall']['aliases']['ports']
  if portgroups is not None:
    for group in portgroups:
      print(group)
  return 0
 def addhostgroup(options, args):
  if len(args) != 1:
    print('Missing host group name argument', file=sys.stderr)
-    showUsage(args)
+    showUsage(options, args)
  name = args[0]
  content = loadYaml(hostgroupsFilename)
@@ -125,10 +162,17 @@ def addhostgroup(args):
  writeYaml(hostgroupsFilename, content)
  return 0
-def addportgroup(args):
+def listportgroups(options, args):
  if len(args) != 0:
    print('Unexpected arguments', file=sys.stderr)
    showUsage(options, args)
  checkDefaultPortsOption(options)
  return listPortGroups()
 def addportgroup(options, args):
  if len(args) != 1:
    print('Missing port group name argument', file=sys.stderr)
-    showUsage(args)
+    showUsage(options, args)
  name = args[0]
  content = loadYaml(portgroupsFilename)
@@ -143,11 +187,12 @@ def addportgroup(args):
  writeYaml(portgroupsFilename, content)
  return 0
-def listports(args):
+def listports(options, args):
  if len(args) != 2:
    print('Missing port group name or port protocol', file=sys.stderr)
-    showUsage(args)
+    showUsage(options, args)
  checkDefaultPortsOption(options)
  name = args[0]
  protocol = args[1]
  if protocol not in supportedProtocols:
@@ -162,16 +207,19 @@ def listports(args):
  if name not in ports:
    print('Port group does not exist', file=sys.stderr)
    return 3
  if protocol not in ports[name]:
    print('Port group does not contain protocol', file=sys.stderr)
    return 3
  ports = ports[name][protocol]
  if ports is not None:
    for port in ports:
      print(port)
  return 0
-def addport(args):
+def addport(options, args):
  if len(args) != 3:
    print('Missing port group name or port protocol, or port argument', file=sys.stderr)
-    showUsage(args)
+    showUsage(options, args)
  name = args[0]
  protocol = args[1]
@@ -197,12 +245,13 @@ def addport(args):
    return 3
  ports.append(port)
  writeYaml(portgroupsFilename, content)
-  return 0
+  code = checkApplyOption(options)
  return code
-def removeport(args):
+def removeport(options, args):
  if len(args) != 3:
    print('Missing port group name or port protocol, or port argument', file=sys.stderr)
-    showUsage(args)
+    showUsage(options, args)
  name = args[0]
  protocol = args[1]
@@ -225,45 +274,62 @@ def removeport(args):
    return 3
  ports.remove(port)
  writeYaml(portgroupsFilename, content)
-  return 0
+  code = checkApplyOption(options)
  return code
-def includedhosts(args):
+
 def listhostgroups(options, args):
  if len(args) != 0:
    print('Unexpected arguments', file=sys.stderr)
    showUsage(options, args)
  return listHostGroups()
 def includedhosts(options, args):
  if len(args) != 1:
    print('Missing host group name argument', file=sys.stderr)
-    showUsage(args)
+    showUsage(options, args)
  return listIps(args[0], 'insert')
-def excludedhosts(args):
+def excludedhosts(options, args):
  if len(args) != 1:
    print('Missing host group name argument', file=sys.stderr)
-    showUsage(args)
+    showUsage(options, args)
  return listIps(args[0], 'delete')
-def includehost(args):
+def includehost(options, args):
  if len(args) != 2:
    print('Missing host group name or ip argument', file=sys.stderr)
-    showUsage(args)
+    showUsage(options, args)
  result = addIp(args[0], args[1], 'insert')
  if result == 0:
    removeIp(args[0], args[1], 'delete', True)
-  return result
+  code = result
  if code == 0:
    code = checkApplyOption(options)
  return code
-def excludehost(args):
+def excludehost(options, args):
  if len(args) != 2:
    print('Missing host group name or ip argument', file=sys.stderr)
-    showUsage(args)
+    showUsage(options, args)
  result = addIp(args[0], args[1], 'delete')
  if result == 0:
    removeIp(args[0], args[1], 'insert', True)
-  return result
+  code = result
  if code == 0:
    code = checkApplyOption(options)
  return code
-def removehost(args):
+def removehost(options, args):
  if len(args) != 2:
    print('Missing host group name or ip argument', file=sys.stderr)
-    showUsage(args)
+    showUsage(options, args)
-  return removeIp(args[0], args[1], 'delete')
+  code = removeIp(args[0], args[1], 'delete')
  if code == 0:
    code = checkApplyOption(options)
  return code
-def apply():
+def apply(options, args):
  proc = subprocess.run(['salt-call', 'state.apply', 'firewall', 'queue=True'])
  return proc.returncode
@@ -276,28 +342,49 @@ def main():
      args.remove(option)
  if len(args) == 0:
-    showUsage(None)
+    showUsage(options, None)
  commands = {
    "help": showUsage,
    "listhostgroups": listhostgroups,
    "includedhosts": includedhosts,
    "excludedhosts": excludedhosts,
    "includehost": includehost,
    "excludehost": excludehost,
    "removehost": removehost,
    "listportgroups": listportgroups,
    "listports": listports,
    "addport": addport,
    "removeport": removeport,
    "addhostgroup": addhostgroup,
-    "addportgroup": addportgroup
+    "addportgroup": addportgroup,
    "apply": apply
  }
  code=1
  try:
    lockAttempts = 0
    maxAttempts = 30
    while lockAttempts < maxAttempts:
      lockAttempts = lockAttempts + 1
      try:
        f = open(lockFile, "x")
        f.close()
        break
      except:
        time.sleep(2)
    if lockAttempts == maxAttempts:
      print("Lock file (" + lockFile + ") could not be created; proceeding without lock.")
    cmd = commands.get(args[0], showUsage)
-  code = cmd(args[1:])
+    code = cmd(options, args[1:])
-
+  finally:
-
+    try:
-  if code == 0 and "--apply" in options:
+      os.remove(lockFile)
-    code = apply()
+    except:
      print("Lock file (" + lockFile + ") already removed")
  sys.exit(code)
@@ -1,6 +1,6 @@
 #!/bin/bash
-# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -16,7 +16,7 @@ if [ ! "$(docker ps -q -f name=so-fleet)" ]; then
 fi
 docker exec so-fleet fleetctl config set --address https://127.0.0.1:8080 --tls-skip-verify --url-prefix /fleet
-docker exec -it so-fleet bash -c 'while [[ "$(curl -s -o /dev/null --insecure -w ''%{http_code}'' https://127.0.0.1:8080/fleet)" != "301" ]]; do sleep 5; done'
+docker exec so-fleet bash -c 'while [[ "$(curl -s -o /dev/null --insecure -w ''%{http_code}'' https://127.0.0.1:8080/fleet)" != "301" ]]; do sleep 5; done'
 docker exec so-fleet fleetctl setup --email $1 --password $2
 docker exec so-fleet fleetctl apply -f /packs/palantir/Fleet/Endpoints/MacOS/osquery.yaml
@@ -1,6 +1,6 @@
 #!/bin/bash
-# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -1,6 +1,6 @@
 #!/bin/bash
-# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -1,6 +1,6 @@
 #!/bin/bash
 #
-# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -1,6 +1,6 @@
 #!/bin/bash
 #
-# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -0,0 +1,75 @@
 #!/bin/bash
 #
 # Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, either version 3 of the License, or
 # (at your option) any later version.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 . /usr/sbin/so-common
 usage() {
    echo "Usage: $0 <user-name>"
    echo ""
    echo "Update password for an existing Fleet user. The new password will be read from STDIN."
    exit 1
 }
 if [ $# -ne 1 ]; then
  usage
 fi
 USER=$1
 MYSQL_PASS=$(lookup_pillar_secret mysql)
 FLEET_IP=$(lookup_pillar fleet_ip)
 FLEET_USER=$USER
 # test existence of user
 MYSQL_OUTPUT=$(docker exec so-mysql mysql -u root --password=$MYSQL_PASS fleet -e \
    "SELECT count(1) FROM users WHERE username='$FLEET_USER'" 2>/dev/null | tail -1)
 if [[ $? -ne 0 ]] || [[ $MYSQL_OUTPUT -ne 1 ]] ; then
    echo "Test for username [${FLEET_USER}] failed"
    echo "    expect 1 hit in users database, return $MYSQL_OUTPUT hit(s)."
    echo "Unable to update Fleet user password."
    exit 2
 fi
 # Read password for new user from stdin
 test -t 0
 if [[ $? == 0 ]]; then
  echo "Enter new password:"
 fi
 read -rs FLEET_PASS
 if ! check_password "$FLEET_PASS"; then
  echo "Password is invalid. Please exclude single quotes, double quotes and backslashes from the password."
  exit 2
 fi
 FLEET_HASH=$(docker exec so-soctopus python -c "import bcrypt; print(bcrypt.hashpw('$FLEET_PASS'.encode('utf-8'), bcrypt.gensalt()).decode('utf-8'));" 2>&1)
 if [[ $? -ne 0 ]]; then
 	echo "Failed to generate Fleet password hash"
 	exit 2
 fi
 MYSQL_OUTPUT=$(docker exec so-mysql mysql -u root --password=$MYSQL_PASS fleet -e \
    "UPDATE users SET password='$FLEET_HASH', salt='' where username='$FLEET_USER'" 2>&1)
 if [[ $? -eq 0 ]]; then
    echo "Successfully updated Fleet user password"
 else
    echo "Unable to update Fleet user password"
    echo "$MYSQL_OUTPUT"
    exit 2
 fi
@@ -0,0 +1,17 @@
 # this script is used to delete the default Grafana dashboard folders that existed prior to Grafana dashboard and Salt management changes in 2.3.70
 folders=$(curl -X GET http://admin:{{salt['pillar.get']('secrets:grafana_admin')}}@localhost:3000/api/folders | jq -r '.[] | @base64')
 delfolder=("Manager" "Manager Search" "Sensor Nodes" "Search Nodes" "Standalone" "Eval Mode")
 for row in $folders; do
   title=$(echo ${row} | base64 --decode | jq -r '.title')
   uid=$(echo ${row} | base64 --decode | jq -r '.uid')
  if [[ " ${delfolder[@]} " =~ " ${title} " ]]; then
   curl -X DELETE http://admin:{{salt['pillar.get']('secrets:grafana_admin')}}@localhost:3000/api/folders/$uid
  fi
 done
 echo "so-grafana-dashboard-folder-delete has been run to delete default Grafana dashboard folders that existed prior to 2.3.70" > /opt/so/state/so-grafana-dashboard-folder-delete-complete
 exit 0
@@ -1,6 +1,6 @@
 #!/bin/bash
-# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -1,6 +1,6 @@
 #!/bin/bash
-# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -1,6 +1,6 @@
 #!/bin/bash
-# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -1,6 +1,6 @@
 #!/bin/bash
-# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -1,6 +1,6 @@
 #!/bin/bash
-# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -1,6 +1,6 @@
 #!/bin/bash
-# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -1,6 +1,6 @@
 #!/bin/bash
 #
-# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -16,8 +16,9 @@
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 # NOTE: This script depends on so-common
-IMAGEREPO=securityonion
+IMAGEREPO=security-onion-solutions
 # shellcheck disable=SC2120
 container_list() {
  MANAGERCHECK=$1
@@ -30,6 +31,7 @@ container_list() {
  if [ $MANAGERCHECK == 'so-import' ]; then
    TRUSTED_CONTAINERS=(
      "so-acng"
      "so-elasticsearch"
      "so-filebeat"
      "so-idstools"
@@ -46,20 +48,17 @@ container_list() {
    TRUSTED_CONTAINERS=(
      "so-acng"
      "so-curator"
      "so-domainstats"
      "so-elastalert"
      "so-elasticsearch"
      "so-filebeat"
      "so-fleet"
      "so-fleet-launcher"
      "so-freqserver"
      "so-grafana"
      "so-idstools"
      "so-influxdb"
      "so-kibana"
      "so-kratos"
      "so-logstash"
      "so-minio"
      "so-mysql"
      "so-nginx"
      "so-pcaptools"
@@ -103,7 +102,7 @@ update_docker_containers() {
  local PROGRESS_CALLBACK=$3
  local LOG_FILE=$4
-  local CONTAINER_REGISTRY=quay.io
+  local CONTAINER_REGISTRY=ghcr.io
  local SIGNPATH=/root/sosigs
  if [ -z "$CURLTYPE" ]; then
@@ -126,12 +125,19 @@ update_docker_containers() {
    container_list
  fi
  # Let's make sure we have the public key
  curl -sSL https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/master/KEYS | gpg --import -  >> "$LOG_FILE" 2>&1
  rm -rf $SIGNPATH >> "$LOG_FILE" 2>&1 
  mkdir -p $SIGNPATH >> "$LOG_FILE" 2>&1 
  # Let's make sure we have the public key
  run_check_net_err \
  "curl --retry 5 --retry-delay 60 -sSL https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/master/KEYS -o $SIGNPATH/KEYS" \
  "Could not pull signature key file, please ensure connectivity to https://raw.gihubusercontent.com" \
  noretry >> "$LOG_FILE" 2>&1
  result=$?
  if [[ $result -eq 0 ]]; then
    cat $SIGNPATH/KEYS | gpg --import - >> "$LOG_FILE" 2>&1
  fi
  # Download the containers from the interwebs
  for i in "${TRUSTED_CONTAINERS[@]}"
  do
@@ -143,14 +149,15 @@ update_docker_containers() {
    # Pull down the trusted docker image
    local image=$i:$VERSION$IMAGE_TAG_SUFFIX
-    docker pull $CONTAINER_REGISTRY/$IMAGEREPO/$image >> "$LOG_FILE" 2>&1 
+    run_check_net_err \
    "docker pull $CONTAINER_REGISTRY/$IMAGEREPO/$image" \
    "Could not pull $image, please ensure connectivity to $CONTAINER_REGISTRY" >> "$LOG_FILE" 2>&1 
    # Get signature
-    curl -A "$CURLTYPE/$CURRENTVERSION/$OS/$(uname -r)" https://sigs.securityonion.net/$VERSION/$i:$VERSION$IMAGE_TAG_SUFFIX.sig --output $SIGNPATH/$image.sig >> "$LOG_FILE" 2>&1 
+    run_check_net_err \
-    if [[ $? -ne 0 ]]; then
+    "curl --retry 5 --retry-delay 60 -A '$CURLTYPE/$CURRENTVERSION/$OS/$(uname -r)' https://sigs.securityonion.net/$VERSION/$i:$VERSION$IMAGE_TAG_SUFFIX.sig --output $SIGNPATH/$image.sig" \
-      echo "Unable to pull signature file for $image" >> "$LOG_FILE" 2>&1 
+    "Could not pull signature file for $image, please ensure connectivity to https://sigs.securityonion.net " \
-      exit 1
+    noretry >> "$LOG_FILE" 2>&1
    fi
    # Dump our hash values
    DOCKERINSPECT=$(docker inspect $CONTAINER_REGISTRY/$IMAGEREPO/$image)
@@ -0,0 +1,58 @@
 #!/bin/bash
 #
 # Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, either version 3 of the License, or
 # (at your option) any later version.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 . /usr/sbin/so-common
 . /usr/sbin/so-image-common
 usage() {
 	read -r -d '' message <<- EOM
 		usage: so-image-pull [-h] IMAGE [IMAGE ...]
 		positional arguments:
 			IMAGE         One or more 'so-' prefixed images to download and verify.
 		optional arguments:
 			-h, --help    Show this help message and exit.
 	EOM
 	echo "$message"
 	exit 1
 }
 for arg; do
 	shift
 	[[ "$arg" = "--quiet" || "$arg" = "-q" ]] && quiet=true && continue
 	set -- "$@" "$arg"
 done
 if [[ $# -eq 0 || $# -gt 1 ]] || [[ $1 == '-h' || $1 == '--help' ]]; then
 	usage
 fi
 TRUSTED_CONTAINERS=("$@")
 set_version
 for image in "${TRUSTED_CONTAINERS[@]}"; do
 	if ! docker images | grep "$image" | grep ":5000" | grep -q "$VERSION"; then
 		if [[ $quiet == true ]]; then
 			update_docker_containers "$image" "" "" "/dev/null"
 		else
 			update_docker_containers "$image" "" "" "" 
 		fi
 	else
 		echo "$image:$VERSION image exists."
 	fi
 done
@@ -1,6 +1,6 @@
 #!/bin/bash
 #
-# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -132,6 +132,8 @@ for PCAP in "$@"; do
    PCAP_FIXED=`mktemp /tmp/so-import-pcap-XXXXXXXXXX.pcap`
    echo "- attempting to recover corrupted PCAP file"
    pcapfix "${PCAP}" "${PCAP_FIXED}"
    # Make fixed file world readable since the Suricata docker container will runas a non-root user
    chmod a+r "${PCAP_FIXED}"
    PCAP="${PCAP_FIXED}"
    TEMP_PCAPS+=(${PCAP_FIXED})
  fi
@@ -1,6 +1,6 @@
 #!/bin/bash
-# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -15,8 +15,4 @@
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
-{% if grains['role'] in ['so-node','so-heavynode'] %}
+{{ ELASTICCURL }} -X GET -k -L "https://localhost:9200/_cat/indices?v&s=index"
 curl -X GET -k -L https://localhost:9200/_cat/indices?v
 {% else %}
 curl -X GET -L localhost:9200/_cat/indices?v
 {% endif %}
@@ -0,0 +1,53 @@
 #!/bin/bash
 # Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, either version 3 of the License, or
 # (at your option) any later version.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 . /usr/sbin/so-common
 wdurregex="^[0-9]+w$"
 ddurregex="^[0-9]+d$"
 echo -e "\nThis script is used to reduce the size of InfluxDB by removing old data and retaining only the duration specified."
 echo "The duration will need to be specified as an integer followed by the duration unit without a space."
 echo -e "\nFor example, to purge all data but retain the past 12 weeks, specify 12w for the duration."
 echo "The duration units are as follows:"
 echo "  w  - week(s)"
 echo "  d  - day(s)"
 while true; do
  echo ""
  read -p 'Enter the duration of past data that you would like to retain: ' duration
  duration=$(echo $duration | tr '[:upper:]' '[:lower:]')
  if [[ "$duration" =~ $wdurregex ]] || [[ "$duration" =~ $ddurregex ]]; then
    break
  fi
  echo -e "\nInvalid duration."
 done
 echo -e "\nInfluxDB will now be cleaned and leave only the past $duration worth of data."
 read -r -p "Are you sure you want to continue? [y/N] " yorn
 if [[ "$yorn" =~ ^([yY][eE][sS]|[yY])$ ]]; then
  echo -e "\nCleaning InfluxDb and saving only the past $duration. This may could take several minutes depending on how much data needs to be cleaned."
    if docker exec -t so-influxdb /bin/bash -c "influx -ssl -unsafeSsl -database telegraf -execute \"DELETE FROM /.*/ WHERE \"time\" >= '2020-01-01T00:00:00.0000000Z' AND \"time\" <= now() - $duration\""; then
      echo -e "\nInfluxDb clean complete."
    else
      echo -e "\nSomething went wrong with cleaning InfluxDB. Please verify that the so-influxdb Docker container is running, and check the log at /opt/so/log/influxdb/influxdb.log for any details."
    fi
 else
  echo -e "\nExiting as requested."
 fi
@@ -0,0 +1,63 @@
 #!/bin/bash
 # Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, either version 3 of the License, or
 # (at your option) any later version.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 {%- set role = grains.id.split('_') | last %}
 {%- if role in ['manager', 'managersearch', 'eval', 'standalone'] %}
  {%- import_yaml 'influxdb/defaults.yaml' as default_settings %}
  {%- set influxdb = salt['grains.filter_by'](default_settings, default='influxdb', merge=salt['pillar.get']('influxdb', {})) %}
 . /usr/sbin/so-common
 echo -e "\nThis script is used to reduce the size of InfluxDB by downsampling old data into the so_long_term retention policy."
 echo -e "\nInfluxDB will now be downsampled. This could take a few hours depending on how large the database is and hardware resources available."
 read -r -p "Are you sure you want to continue? [y/N] " yorn
 if [[ "$yorn" =~ ^([yY][eE][sS]|[yY])$ ]]; then
  echo -e "\nDownsampling InfluxDb started at `date`. This may take several hours depending on how much data needs to be downsampled."
  {% for dest_rp in influxdb.downsample.keys() -%}
    {% for measurement in influxdb.downsample[dest_rp].get('measurements', []) -%}
  day=0
  startdate=`date`
  while docker exec -t so-influxdb /bin/bash -c "influx -ssl -unsafeSsl -database telegraf -execute \"SELECT mean(*) INTO \"so_long_term\".\"{{measurement}}\" FROM \"autogen\".\"{{measurement}}\" WHERE \"time\" >= '2020-07-21T00:00:00.0000000Z' + ${day}d AND \"time\" <= '2020-07-21T00:00:00.0000000Z' + $((day+1))d GROUP BY time(5m),*\""; do
    # why 2020-07-21? 
    migrationdate=`date -d "2020-07-21 + ${day} days" +"%y-%m-%d"`
    echo "Downsampling of measurement: {{measurement}} from $migrationdate started at $startdate and completed at `date`."
    newdaytomigrate=$(date -d "$migrationdate + 1 days" +"%s")
    today=$(date +"%s")
    if [ $newdaytomigrate -ge $today ]; then
      break
    else
      ((day=day+1))
      startdate=`date`
      echo -e "\nDownsampling the next day's worth of data for measurement: {{measurement}}."
    fi
  done
    {% endfor -%}
  {% endfor -%}
  echo -e "\nInfluxDb data downsampling complete."
 else
  echo -e "\nExiting as requested."
 fi
 {%- else %}
 echo -e "\nThis script can only be run on a node running InfluxDB."
 {%- endif %}
@@ -0,0 +1,34 @@
 #!/bin/bash
 # Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, either version 3 of the License, or
 # (at your option) any later version.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 . /usr/sbin/so-common
 echo -e "\nThis script is used to reduce the size of InfluxDB by dropping the autogen retention policy."
 echo "If you want to retain historical data prior to 2.3.60, then this should only be run after you have downsampled your data using so-influxdb-downsample."
 echo -e "\nThe autogen retention policy will now be dropped from InfluxDB."
 read -r -p "Are you sure you want to continue? [y/N] " yorn
 if [[ "$yorn" =~ ^([yY][eE][sS]|[yY])$ ]]; then
  echo -e "\nDropping autogen retention policy."
    if docker exec -t so-influxdb influx -format json -ssl -unsafeSsl -execute "drop retention policy autogen on telegraf"; then
      echo -e "\nAutogen retention policy dropped from InfluxDb."
    else
      echo -e "\nSomething went wrong dropping then autogen retention policy from InfluxDB. Please verify that the so-influxdb Docker container is running, and check the log at /opt/so/log/influxdb/influxdb.log for any details."
    fi
 else
  echo -e "\nExiting as requested."
 fi
@@ -1,6 +1,6 @@
 #!/bin/bash
-# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -1,6 +1,6 @@
 #!/bin/bash
-# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -1,6 +1,6 @@
 #!/bin/bash
-# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -5,7 +5,7 @@
 # {%- set FLEET_IP = salt['pillar.get']('global:fleet_ip', '') %}
 # {%- set MANAGER = salt['pillar.get']('global:url_base', '') %}
 #
-# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -23,7 +23,9 @@
 KIBANA_HOST={{ MANAGER }}
 KSO_PORT=5601
 OUTFILE="saved_objects.ndjson"
-curl -s -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -XPOST -L $KIBANA_HOST:$KSO_PORT/api/saved_objects/_export -d '{ "type": [ "index-pattern", "config", "visualization", "dashboard", "search" ], "excludeExportDetails": false }' > $OUTFILE
+
 SESSIONCOOKIE=$({{ ELASTICCURL }} -c - -X GET http://$KIBANA_HOST:$KSO_PORT/ | grep sid | awk '{print $7}')
 {{ ELASTICCURL }} -b "sid=$SESSIONCOOKIE" -s -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -XPOST -L $KIBANA_HOST:$KSO_PORT/api/saved_objects/_export -d '{ "type": [ "index-pattern", "config", "visualization", "dashboard", "search" ], "excludeExportDetails": false }' > $OUTFILE
 # Clean up using PLACEHOLDER
 sed -i "s/$KIBANA_HOST/PLACEHOLDER/g" $OUTFILE
@@ -1,6 +1,6 @@
 #!/bin/bash
-# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -0,0 +1,13 @@
 . /usr/sbin/so-common
 wait_for_web_response "http://localhost:5601/app/kibana" "Elastic" 300 "{{ ELASTICCURL }}"
 ## This hackery will be removed if using Elastic Auth ##
 # Let's snag a cookie from Kibana
 SESSIONCOOKIE=$({{ ELASTICCURL }} -c - -X GET http://localhost:5601/ | grep sid | awk '{print $7}')
 # Disable certain Features from showing up in the Kibana UI
 echo
 echo "Setting up default Space:"
 {{ ELASTICCURL }} -b "sid=$SESSIONCOOKIE" -L -X PUT "localhost:5601/api/spaces/space/default" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d' {"id":"default","name":"Default","disabledFeatures":["ml","enterpriseSearch","siem","logs","infrastructure","apm","uptime","monitoring","stackAlerts","actions","fleet"]} ' >> /opt/so/log/kibana/misc.log
 echo
--- a/Show More
+++ b/Show More
`@@ -1,2 +1,2 @@`
	`#!/bin/bash`	`#!/bin/bash`
	`logrotate -f /opt/so/conf/log-rotate.conf >/dev/null 2>&1`	`/usr/sbin/logrotate -f /opt/so/conf/log-rotate.conf > /dev/null 2>&1`
		`@@ -0,0 +1 @@`
							`net.ipv4.ip_local_reserved_ports=55000,57314,47760-47860`
		`@@ -0,0 +1,2 @@`
							`{%- set VERSION = salt['pillar.get']('global:soversion') -%}`
							`{{ VERSION }}`