Merge pull request #5282 from Security-Onion-Solutions/hotfix/2.3.70

Hotfix/2.3.70
Merge pull request #5281 from Security-Onion-Solutions/grafana_fleet_hotfix
2025-12-06 17:22:49 +01:00 · 2021-08-24 10:15:33 -04:00 · 2021-08-24 10:01:10 -04:00 · 2021-08-24 10:00:06 -04:00 · 2021-08-24 09:58:28 -04:00 · 2021-08-23 13:10:35 -04:00
289 changed files with 19444 additions and 31315 deletions
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -0,0 +1,39 @@
 # Contributing to Security Onion
 ### Questions, suggestions, and general comments
 * Security Onion uses GitHub's [Discussions](https://github.com/Security-Onion-Solutions/securityonion/discussions) to provide a forum where the community and developers can interact as well as ask and answer questions.
 ### Reporting a bug
 * The primary place to report unexpected behavior or possible bugs is the repo's [Discussions forum](https://github.com/Security-Onion-Solutions/securityonion/discussions).
 *  **If you are familiar with the current version of Security Onion and are confident you've discovered a bug**, first ensure there is not already an issue present by searching the open [issues](https://github.com/Security-Onion-Solutions/securityonion/issues). If there is, a thumbs up :+1: is a great way to show this bug is affecting you too.
 * If an issue doesn't exist, [open a new one](https://github.com/Security-Onion-Solutions/securityonion/issues/new), following the directions in the issue template. This means including:
  * **System information** and how Security Onion was installed
  * **Log files** relevant to the bug report
  * **Reproduction steps** 
 ### Contributing code
 * **All commits must be signed** with a valid key that has been added to your GitHub account. The commits should have all the "**Verified**" tag when viewed on GitHub as shown below:
  <img src="./assets/images/verified-commit-1.png" width="450">
 * If an issue does not already exist for the bug or feature for which you are submitting a pull request, [create one](https://github.com/Security-Onion-Solutions/securityonion/issues/new) with the relevant prefix. (**`FIX:`** for bug fixes, **`FEATURE:`** for new features.)
 * Link the PR to the related issue, either using [keywords](https://docs.github.com/en/issues/tracking-your-work-with-issues/creating-issues/linking-a-pull-request-to-an-issue#linking-a-pull-request-to-an-issue-using-a-keyword) in the PR description, or [manually](https://docs.github.com/en/issues/tracking-your-work-with-issues/creating-issues/linking-a-pull-request-to-an-issue#manually-linking-a-pull-request-to-an-issue).
 * **Pull requests should be opened against the `dev` branch of this repo**, and should clearly describe the problem and solution.
 * Be sure you have tested your changes and are confident they will not break other parts of the product.
 * See this document's [code styling and conventions section](#code-style-and-conventions) below to be sure your PR fits our code requirements prior to submitting.
 ### Code style and conventions
 * **Keep code [DRY](https://en.wikipedia.org/wiki/Don%27t_repeat_yourself)**. For example, Bash code used by multiple scripts will likely best be added to <span style="white-space: nowrap;">[`so-common`](salt/common/tools/sbin/so-common)</span>.
 * All new Bash code should pass [ShellCheck](https://www.shellcheck.net/) analysis. Where errors can be *safely* [ignored](https://github.com/koalaman/shellcheck/wiki/Ignore), the relevant disable directive should be accompanied by a brief explanation as to why the error is being ignored.
 * **Ensure all YAML (this includes Salt states and pillars) is properly formatted**. The spec for YAML v1.2 can be found [here](https://yaml.org/spec/1.2/spec.html), however there are numerous online resources with simpler descriptions of its formatting rules. 
--- a/3
+++ b/3
@@ -1 +1,2 @@
-GRIDFIX
+
 CURATOR GRAFANA_DASH_ALLOW
--- a/README.md
+++ b/README.md
@@ -1,14 +1,14 @@
-## Security Onion 2.3.50
+## Security Onion 2.3.70
-Security Onion 2.3.50 is here!
+Security Onion 2.3.70 is here!
 ## Screenshots
 Alerts
-![Alerts](https://raw.githubusercontent.com/security-onion-solutions/securityonion/master/screenshots/alerts-1.png)
+![Alerts](./assets/images/screenshots/alerts-1.png)
 Hunt
-![Hunt](https://raw.githubusercontent.com/security-onion-solutions/securityonion/master/screenshots/hunt-1.png)
+![Hunt](./assets/images/screenshots/hunt-1.png)
 ### Release Notes
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -0,0 +1,21 @@
 # Security Policy
 ## Supported Versions
 | Version | Supported          |
 | ------- | ------------------ |
 | 2.x.x   | :white_check_mark: |
 | 16.04.x | :x:                |
 Security Onion 16.04 has reached End Of Life and is no longer supported.
 ## Reporting a Vulnerability
 If you have any security concerns regarding Security Onion or believe you have uncovered a vulnerability, please follow these steps:
 - send an email to security@securityonion.net
 - include a description of the issue and steps to reproduce
 - please use plain text format (no Word documents or PDF files)
 - please do not disclose publicly until we have had sufficient time to resolve the issue
 This security address should be used only for undisclosed vulnerabilities. Dealing with fixed issues or general questions on how to use Security Onion should be handled via the normal support channels.
--- a/VERIFY_ISO.md
+++ b/VERIFY_ISO.md
@@ -1,17 +1,18 @@
-### 2.3.50 ISO image built on 2021/04/27
+### 2.3.70-GRAFANA ISO image built on 2021/08/23
 ### Download and Verify
-2.3.50 ISO image:  
+2.3.70-GRAFANA ISO image:  
-https://download.securityonion.net/file/securityonion/securityonion-2.3.50.iso
+https://download.securityonion.net/file/securityonion/securityonion-2.3.70-GRAFANA.iso
-MD5: C39CEA68B5A8AFC5CFFB2481797C0374  
+MD5: A16683FC8F2151C290E359FC6066B1F2  
-SHA1: 00AD9F29ABE3AB495136989E62EBB8FA00DA82C6  
+SHA1: A93329C103CCCE665968F246163FBE5D41EF0510  
-SHA256: D77AE370D7863837A989F6735413D1DD46B866D8D135A4C363B0633E3990387E 
+SHA256: 3ED0177CADF203324363916AA240A10C58DC3E9044A9ADE173A80674701A50A3 
 Signature for ISO image:  
-https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.50.iso.sig
+https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.70-GRAFANA.iso.sig
 Signing key:  
 https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/master/KEYS  
@@ -25,22 +26,22 @@ wget https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/ma
 Download the signature file for the ISO:  
 ```
-wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.50.iso.sig
+wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.70-GRAFANA.iso.sig
 ```
 Download the ISO image:  
 ```
-wget https://download.securityonion.net/file/securityonion/securityonion-2.3.50.iso
+wget https://download.securityonion.net/file/securityonion/securityonion-2.3.70-GRAFANA.iso
 ```
 Verify the downloaded ISO image using the signature file:  
 ```
-gpg --verify securityonion-2.3.50.iso.sig securityonion-2.3.50.iso
+gpg --verify securityonion-2.3.70-GRAFANA.iso.sig securityonion-2.3.70-GRAFANA.iso
 ```
 The output should show "Good signature" and the Primary key fingerprint should match what's shown below:
 ```
-gpg: Signature made Tue 27 Apr 2021 02:17:25 PM EDT using RSA key ID FE507013
+gpg: Signature made Mon 23 Aug 2021 01:43:00 PM EDT using RSA key ID FE507013
 gpg: Good signature from "Security Onion Solutions, LLC <info@securityonionsolutions.com>"
 gpg: WARNING: This key is not certified with a trusted signature!
 gpg:          There is no indication that the signature belongs to the owner.
--- a/2
+++ b/2
@@ -1 +1 @@
-2.3.50
+2.3.70
--- a/assets/images/screenshots/alerts-1.png
+++ b/assets/images/screenshots/alerts-1.png
--- a/assets/images/screenshots/hunt-1.png
+++ b/assets/images/screenshots/hunt-1.png
--- a/assets/images/verified-commit-1.png
+++ b/assets/images/verified-commit-1.png
--- a/files/salt/master/master
+++ b/files/salt/master/master
@@ -67,3 +67,7 @@ peer:
 reactor:
  - 'so/fleet':
    - salt://reactor/fleet.sls
  - 'salt/beacon/*/watch_sqlite_db//opt/so/conf/kratos/db/sqlite.db':
    - salt://reactor/kratos.sls
--- a/pillar/docker/config.sls
+++ b/pillar/docker/config.sls
@@ -1,208 +0,0 @@
 {%- set FLEETMANAGER = salt['pillar.get']('global:fleet_manager', False) -%}
 {%- set FLEETNODE = salt['pillar.get']('global:fleet_node', False) -%}
 {% set WAZUH = salt['pillar.get']('manager:wazuh', '0') %}
 {% set THEHIVE = salt['pillar.get']('manager:thehive', '0') %}
 {% set PLAYBOOK = salt['pillar.get']('manager:playbook', '0') %}
 {% set FREQSERVER = salt['pillar.get']('manager:freq', '0') %}
 {% set DOMAINSTATS = salt['pillar.get']('manager:domainstats', '0') %}
 {% set ZEEKVER = salt['pillar.get']('global:mdengine', 'COMMUNITY') %}
 {% set GRAFANA = salt['pillar.get']('manager:grafana', '0') %}
 eval:
  containers:
    - so-nginx
    - so-telegraf
    {% if  GRAFANA == '1' %}
    - so-influxdb
    - so-grafana
    {% endif %}
    - so-dockerregistry
    - so-soc
    - so-kratos
    - so-idstools
    {% if FLEETMANAGER %}
    - so-mysql
    - so-fleet
    - so-redis
    {% endif %}
    - so-elasticsearch
    - so-logstash
    - so-kibana
    - so-steno
    - so-suricata
    - so-zeek
    - so-curator
    - so-elastalert
    {% if WAZUH != '0' %}
    - so-wazuh
    {% endif %}
    - so-soctopus
    {% if THEHIVE != '0' %}
    - so-thehive
    - so-thehive-es
    - so-cortex
    {% endif %}
    {% if PLAYBOOK != '0' %}
    - so-playbook
    {% endif %}
    {% if FREQSERVER != '0' %}
    - so-freqserver
    {% endif %}
    {% if DOMAINSTATS != '0' %}
    - so-domainstats
    {% endif %}
 heavy_node:
  containers:
    - so-nginx
    - so-telegraf
    - so-redis
    - so-logstash
    - so-elasticsearch
    - so-curator
    - so-steno
    - so-suricata
    - so-wazuh
    - so-filebeat
    {% if ZEEKVER != 'SURICATA' %}
    - so-zeek
    {% endif %}
 helix:
  containers:
    - so-nginx
    - so-telegraf
    - so-idstools
    - so-steno
    - so-zeek
    - so-redis
    - so-logstash
    - so-filebeat
 hot_node:
  containers:
    - so-nginx
    - so-telegraf
    - so-logstash
    - so-elasticsearch
    - so-curator
 manager_search:
  containers:
    - so-nginx
    - so-telegraf
    - so-soc
    - so-kratos
    - so-acng
    - so-idstools
    - so-redis
    - so-logstash
    - so-elasticsearch
    - so-curator
    - so-kibana
    - so-elastalert
    - so-filebeat
    - so-soctopus
    {% if FLEETMANAGER %}
    - so-mysql
    - so-fleet
    - so-redis
    {% endif %}
    {% if WAZUH != '0' %}
    - so-wazuh
    {% endif %}
    - so-soctopus
    {% if THEHIVE != '0' %}
    - so-thehive
    - so-thehive-es
    - so-cortex
    {% endif %}
    {% if PLAYBOOK != '0' %}
    - so-playbook
    {% endif %}
    {% if FREQSERVER != '0' %}
    - so-freqserver
    {% endif %}
    {% if DOMAINSTATS != '0' %}
    - so-domainstats
    {% endif %}
 manager:
  containers:
    - so-dockerregistry
    - so-nginx
    - so-telegraf
    {% if  GRAFANA == '1' %}
    - so-influxdb
    - so-grafana
    {% endif %}
    - so-soc
    - so-kratos
    - so-acng
    - so-idstools
    - so-redis
    - so-elasticsearch
    - so-logstash
    - so-kibana
    - so-elastalert
    - so-filebeat
    {% if FLEETMANAGER %}
    - so-mysql
    - so-fleet
    - so-redis
    {% endif %}
    {% if WAZUH != '0' %}
    - so-wazuh
    {% endif %}
    - so-soctopus
    {% if THEHIVE != '0' %}
    - so-thehive
    - so-thehive-es
    - so-cortex
    {% endif %}
    {% if PLAYBOOK != '0' %}
    - so-playbook
    {% endif %}
    {% if FREQSERVER != '0' %}
    - so-freqserver
    {% endif %}
    {% if DOMAINSTATS != '0' %}
    - so-domainstats
    {% endif %}
 parser_node:
  containers:
    - so-nginx
    - so-telegraf
    - so-logstash
 search_node:
  containers:
    - so-nginx
    - so-telegraf
    - so-logstash
    - so-elasticsearch
    - so-curator
    - so-filebeat
    {% if WAZUH != '0' %}
    - so-wazuh
    {% endif %}
 sensor:
  containers:
    - so-nginx
    - so-telegraf
    - so-steno
    - so-suricata
    {% if ZEEKVER != 'SURICATA' %}
    - so-zeek
    {% endif %}
    - so-wazuh
    - so-filebeat
 warm_node:
  containers:
    - so-nginx
    - so-telegraf
    - so-elasticsearch
 fleet:
  containers:
    {% if FLEETNODE %}
    - so-mysql
    - so-fleet
    - so-redis
    - so-filebeat
    - so-nginx
    - so-telegraf
    {% endif %}
--- a/pillar/logstash/search.sls
+++ b/pillar/logstash/search.sls
@@ -7,8 +7,10 @@ logstash:
        - so/9000_output_zeek.conf.jinja
        - so/9002_output_import.conf.jinja
        - so/9034_output_syslog.conf.jinja
        - so/9050_output_filebeatmodules.conf.jinja
        - so/9100_output_osquery.conf.jinja  
        - so/9400_output_suricata.conf.jinja
        - so/9500_output_beats.conf.jinja
        - so/9600_output_ossec.conf.jinja
        - so/9700_output_strelka.conf.jinja
        - so/9800_output_logscan.conf.jinja
--- a/pillar/top.sls
+++ b/pillar/top.sls
@@ -22,6 +22,9 @@ base:
  '*_manager or *_managersearch':
    - match: compound
    - data.*
 {% if salt['file.file_exists']('/opt/so/saltstack/local/pillar/elasticsearch/auth.sls') %}
    - elasticsearch.auth
 {% endif %}
    - secrets
    - global
    - minions.{{ grains.id }}
@@ -38,6 +41,9 @@ base:
    - secrets
    - healthcheck.eval
    - elasticsearch.eval
 {% if salt['file.file_exists']('/opt/so/saltstack/local/pillar/elasticsearch/auth.sls') %}
    - elasticsearch.auth
 {% endif %}
    - global
    - minions.{{ grains.id }}
@@ -46,6 +52,9 @@ base:
    - logstash.manager
    - logstash.search
    - elasticsearch.search
 {% if salt['file.file_exists']('/opt/so/saltstack/local/pillar/elasticsearch/auth.sls') %}
    - elasticsearch.auth
 {% endif %}
    - data.*
    - zeeklogs
    - secrets
@@ -59,6 +68,7 @@ base:
  '*_heavynode':
    - zeeklogs
    - elasticsearch.auth
    - global
    - minions.{{ grains.id }}
@@ -80,6 +90,7 @@ base:
    - logstash
    - logstash.search
    - elasticsearch.search
    - elasticsearch.auth
    - global
    - minions.{{ grains.id }}
    - data.nodestab
@@ -88,5 +99,8 @@ base:
    - zeeklogs
    - secrets
    - elasticsearch.eval
 {% if salt['file.file_exists']('/opt/so/saltstack/local/pillar/elasticsearch/auth.sls') %}
    - elasticsearch.auth
 {% endif %}
    - global
    - minions.{{ grains.id }}
--- a/pillar/zeek/init.sls
+++ b/pillar/zeek/init.sls
@@ -52,5 +52,4 @@ zeek:
      - frameworks/signatures/detect-windows-shells
    redef:
      - LogAscii::use_json = T;
      - LogAscii::json_timestamps = JSON::TS_ISO8601;
      - CaptureLoss::watch_interval = 5 mins;
--- a/salt/allowed_states.map.jinja
+++ b/salt/allowed_states.map.jinja
@@ -45,7 +45,8 @@
          'schedule',
          'soctopus',
          'tcpreplay',
-          'docker_clean'
+          'docker_clean',
          'learn'
          ],
      'so-heavynode': [
          'ca',
@@ -108,7 +109,8 @@
          'zeek',
          'schedule',
          'tcpreplay',
-          'docker_clean'
+          'docker_clean',
          'learn'
          ],
      'so-manager': [
          'salt.master',
@@ -127,7 +129,8 @@
          'utility',
          'schedule',
          'soctopus',
-          'docker_clean'
+          'docker_clean',
          'learn'
          ],
      'so-managersearch': [
          'salt.master',
@@ -146,7 +149,8 @@
          'utility',
          'schedule',
          'soctopus',
-          'docker_clean'
+          'docker_clean',
          'learn'
          ],
      'so-node': [
          'ca',
@@ -178,7 +182,8 @@
          'schedule',
          'soctopus',
          'tcpreplay',
-          'docker_clean'
+          'docker_clean',
          'learn'
          ],
      'so-sensor': [
          'ca',
@@ -237,7 +242,7 @@
    {% do allowed_states.append('kibana') %}
  {% endif %}
-  {% if CURATOR and grains.role in ['so-eval', 'so-standalone', 'so-node', 'so-managersearch', 'so-heavynode'] %}
+  {% if grains.role in ['so-eval', 'so-standalone', 'so-node', 'so-managersearch', 'so-heavynode', 'so-manager'] %}
    {% do allowed_states.append('curator') %}
  {% endif %}
--- a/salt/common/files/log-rotate.conf
+++ b/salt/common/files/log-rotate.conf
@@ -22,6 +22,7 @@
 /opt/so/log/salt/so-salt-minion-check
 /opt/so/log/salt/minion
 /opt/so/log/salt/master
 /opt/so/log/logscan/*.log
 {
    {{ logrotate_conf | indent(width=4) }}
 }
--- a/salt/common/init.sls
+++ b/salt/common/init.sls
@@ -2,6 +2,7 @@
 {% if sls in allowed_states %}
 {% set role = grains.id.split('_') | last %}
 {% from 'elasticsearch/auth.map.jinja' import ELASTICAUTH with context %}
 # Remove variables.txt from /tmp - This is temp
 rmvariablesfile:
@@ -95,7 +96,6 @@ commonpkgs:
      - netcat
      - python3-mysqldb
      - sqlite3
      - argon2
      - libssl-dev
      - python3-dateutil
      - python3-m2crypto
@@ -128,7 +128,6 @@ commonpkgs:
      - net-tools
      - curl
      - sqlite
      - argon2
      - mariadb-devel
      - nmap-ncat
      - python3
@@ -169,6 +168,14 @@ alwaysupdated:
 Etc/UTC:
  timezone.system
 elastic_curl_config:
  file.managed:
    - name: /opt/so/conf/elasticsearch/curl.config
    - source: salt://elasticsearch/curl.config
    - mode: 600
    - show_changes: False
    - makedirs: True
 # Sync some Utilities
 utilsyncscripts:
  file.recurse:
@@ -178,6 +185,10 @@ utilsyncscripts:
    - file_mode: 755
    - template: jinja
    - source: salt://common/tools/sbin
    - defaults:
        ELASTICCURL: 'curl'
    - context:
        ELASTICCURL: {{ ELASTICAUTH.elasticcurl }}
 {% if role in ['eval', 'standalone', 'sensor', 'heavynode'] %}
 # Add sensor cleanup
@@ -315,6 +326,16 @@ dockerreserveports:
    - name: /etc/sysctl.d/99-reserved-ports.conf
 {% if salt['grains.get']('sosmodel', '') %}
  {% if grains['os'] == 'CentOS' %}     
 # Install Raid tools
 raidpkgs:
  pkg.installed:
    - skip_suggestions: True
    - pkgs:
      - securityonion-raidtools
      - securityonion-megactl
  {% endif %}
 # Install raid check cron
 /usr/sbin/so-raid-status > /dev/null 2>&1:
  cron.present:
--- a/salt/common/tools/sbin/so-airgap-hotfixapply
+++ b/salt/common/tools/sbin/so-airgap-hotfixapply
@@ -1,64 +0,0 @@
 #!/bin/bash
 # Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, either version 3 of the License, or
 # (at your option) any later version.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 . /usr/sbin/so-common
 UPDATE_DIR=/tmp/sohotfixapply
 if [ -z "$1" ]; then
  echo "No tarball given. Please provide the filename so I can run the hotfix"
  echo "so-airgap-hotfixapply /path/to/sohotfix.tar" 
  exit 1
 else
  if [ ! -f "$1" ]; then
    echo "Unable to find $1. Make sure your path is correct and retry."
    exit 1
  else
    echo "Determining if we need to apply this hotfix"
    rm -rf $UPDATE_DIR
    mkdir -p $UPDATE_DIR
    tar xvf $1 -C $UPDATE_DIR
    # Compare some versions
    NEWVERSION=$(cat $UPDATE_DIR/VERSION)
    HOTFIXVERSION=$(cat $UPDATE_DIR/HOTFIX)
    CURRENTHOTFIX=$(cat /etc/sohotfix)
    INSTALLEDVERSION=$(cat /etc/soversion)
    if [ "$INSTALLEDVERSION" == "$NEWVERSION" ]; then
      echo "Checking to see if there are hotfixes needed"
      if [ "$HOTFIXVERSION" == "$CURRENTHOTFIX" ]; then
        echo "You are already running the latest version of Security Onion."
        rm -rf $UPDATE_DIR
        exit 1
      else
        echo "We need to apply a hotfix"
        copy_new_files
        echo $HOTFIXVERSION > /etc/sohotfix
        salt-call state.highstate -l info queue=True
        echo "The Hotfix $HOTFIXVERSION has been applied"
        # Clean up 
        rm -rf $UPDATE_DIR
        exit 0
      fi
    else
      echo "This hotfix is not compatible with your current version. Download the latest ISO and run soup"
      rm -rf $UPDATE_DIR
    fi
  fi
 fi
--- a/salt/common/tools/sbin/so-checkin
+++ b/salt/common/tools/sbin/so-checkin
@@ -17,4 +17,4 @@
 . /usr/sbin/so-common
-salt-call state.highstate
+salt-call state.highstate -linfo 
--- a/salt/common/tools/sbin/so-common
+++ b/salt/common/tools/sbin/so-common
@@ -88,19 +88,6 @@ add_interface_bond0() {
 	fi
 }
 check_airgap() {
  # See if this is an airgap install
  AIRGAP=$(cat /opt/so/saltstack/local/pillar/global.sls | grep airgap: | awk '{print $2}')
  if [[ "$AIRGAP" == "True" ]]; then
      is_airgap=0
      UPDATE_DIR=/tmp/soagupdate/SecurityOnion
      AGDOCKER=/tmp/soagupdate/docker
      AGREPO=/tmp/soagupdate/Packages
  else 
      is_airgap=1
  fi
 }
 check_container() {
 	docker ps | grep "$1:" > /dev/null 2>&1
 	return $?
@@ -153,7 +140,7 @@ Do you agree to the terms of the Elastic License?
 If so, type AGREE to accept the Elastic License and continue.  Otherwise, press Enter to exit this program without making any changes.
 EOM
-AGREED=$(whiptail --title "Security Onion Setup" --inputbox \
+	AGREED=$(whiptail --title "$whiptail_title" --inputbox \
 	"$message" 20 75 3>&1 1>&2 2>&3)
 	if [ "${AGREED^^}" = 'AGREE' ]; then
@@ -252,6 +239,7 @@ lookup_salt_value() {
 	key=$1
 	group=$2
 	kind=$3
 	output=${4:-newline_values_only}
 	if [ -z "$kind" ]; then
 		kind=pillar
@@ -261,7 +249,7 @@ lookup_salt_value() {
 		group=${group}:
 	fi
-	salt-call --no-color  ${kind}.get ${group}${key} --out=newline_values_only
+	salt-call --no-color  ${kind}.get ${group}${key} --out=${output}
 }
 lookup_pillar() {
@@ -289,7 +277,7 @@ lookup_role() {
 require_manager() {
 	if is_manager_node; then
-		echo "This is a manager, We can proceed."
+		echo "This is a manager, so we can proceed."
 	else
 		echo "Please run this command on the manager; the manager controls the grid."
 		exit 1
@@ -302,6 +290,7 @@ retry() {
 	cmd=$3
 	expectedOutput=$4
 	attempt=0
 	local exitcode=0
 	while [[ $attempt -lt $maxAttempts ]]; do			
 		attempt=$((attempt+1))
 		echo "Executing command with retry support: $cmd"
@@ -321,7 +310,29 @@ retry() {
 		sleep $sleepDelay
 	done
 	echo "Command continues to fail; giving up."
-	return 1
+	return $exitcode
 }
 run_check_net_err() {
 	local cmd=$1
 	local err_msg=${2:-"Unknown error occured, please check /root/$WHATWOULDYOUSAYYAHDOHERE.log for details."} # Really need to rename that variable
 	local no_retry=$3
 	local exit_code
 	if [[ -z $no_retry ]]; then
 		retry 5 60 "$cmd"
 		exit_code=$?
 	else
 		eval "$cmd"
 		exit_code=$?
 	fi
 	if [[ $exit_code -ne 0 ]]; then
 		ERR_HANDLED=true
 		[[ -z $no_retry ]] || echo "Command failed with error $exit_code"
 		echo "$err_msg"
 		exit $exit_code
 	fi
 }
 set_os() {
@@ -361,6 +372,14 @@ set_version() {
 	fi
 }
 has_uppercase() {
 	local string=$1
 	echo "$string" | grep -qP '[A-Z]' \
 		&& return 0 \
 		|| return 1
 }
 valid_cidr() {
 	# Verify there is a backslash in the string
 	echo "$1" | grep -qP "^[^/]+/[^/]+$" || return 1
@@ -486,12 +505,14 @@ wait_for_web_response() {
 	url=$1
 	expected=$2
 	maxAttempts=${3:-300}
 	curlcmd=${4:-curl}
 	logfile=/root/wait_for_web_response.log
 	truncate -s 0 "$logfile"
 	attempt=0
 	while [[ $attempt -lt $maxAttempts ]]; do
 		attempt=$((attempt+1))
 		echo "Waiting for value '$expected' at '$url' ($attempt/$maxAttempts)"
-		result=$(curl -ks -L $url)
+		result=$($curlcmd -ks -L $url)
 		exitcode=$?
 		echo "--------------------------------------------------" >> $logfile
--- a/salt/common/tools/sbin/so-config-backup
+++ b/salt/common/tools/sbin/so-config-backup
@@ -35,6 +35,7 @@ if [ ! -f $BACKUPFILE ]; then
  {%- endfor %}
  tar -rf $BACKUPFILE /etc/pki
  tar -rf $BACKUPFILE /etc/salt
  tar -rf $BACKUPFILE /opt/so/conf/kratos
 fi
--- a/salt/common/tools/sbin/so-docker-prune
+++ b/salt/common/tools/sbin/so-docker-prune
@@ -32,19 +32,25 @@ def get_image_version(string) -> str:
  ver = string.split(':')[-1]
  if ver == 'latest':
    # Version doesn't like "latest", so use a high semver
-    return '999999.9.9'
+    return '99999.9.9'
  else:
    try:
      Version(ver)
    except InvalidVersion:
-      # Strip the last substring following a hyphen for automated branches
+      # Also return a very high semver for any version 
-      ver = '-'.join(ver.split('-')[:-1])  
+      # with a dash in it since it will likely be a dev version of some kind
      if '-' in ver:
        return '999999.9.9'
    return ver
 def main(quiet):
  client = docker.from_env()
  # Prune old/stopped containers
  if not quiet: print('Pruning old containers')
  client.containers.prune()
  image_list = client.images.list(filters={ 'dangling': False })
  # Map list of image objects to flattened list of tags (format: "name:version")
@@ -72,9 +78,16 @@ def main(quiet):
        for group in grouped_t_list[2:]:
          for tag in group:
            if not quiet: print(f'Removing image {tag}')
-            client.images.remove(tag)
+            try:
-    except InvalidVersion as e:
+              client.images.remove(tag, force=True)
-      print(f'so-{get_so_image_basename(t_list[0])}: {e.args[0]}', file=sys.stderr)
+            except docker.errors.ClientError as e:
              print(f'Could not remove image {tag}, continuing...')
    except (docker.errors.APIError, InvalidVersion) as e:
      print(f'so-{get_so_image_basename(t_list[0])}: {e}', file=sys.stderr)
      exit(1)
    except Exception as e:
      print('Unhandled exception occurred:')
      print(f'so-{get_so_image_basename(t_list[0])}: {e}', file=sys.stderr)
      exit(1)
  if no_prunable and not quiet:
--- a/salt/common/tools/sbin/so-elastalert-create
+++ b/salt/common/tools/sbin/so-elastalert-create
@@ -145,9 +145,9 @@ EOF
   rulename=$(echo ${raw_rulename,,} | sed 's/ /_/g')
 cat << EOF >> "$rulename.yaml"
-# Elasticsearch Host
+# Elasticsearch Host Override (optional)
-es_host: elasticsearch
+# es_host: elasticsearch
-es_port: 9200
+# es_port: 9200
 # (Required)
 # Rule name, must be unique
--- a/salt/common/tools/sbin/so-elastic-auth
+++ b/salt/common/tools/sbin/so-elastic-auth
@@ -0,0 +1,67 @@
 #!/bin/bash
 # Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, either version 3 of the License, or
 # (at your option) any later version.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 if [ -f "/usr/sbin/so-common" ]; then
  . /usr/sbin/so-common
 fi
 ES_AUTH_PILLAR=${ELASTIC_AUTH_PILLAR:-/opt/so/saltstack/local/pillar/elasticsearch/auth.sls}
 ES_USERS_FILE=${ELASTIC_USERS_FILE:-/opt/so/saltstack/local/salt/elasticsearch/files/users}
 authEnable=$1
 if ! grep -q "enabled: " "$ES_AUTH_PILLAR"; then
  echo "Elastic auth pillar file is invalid. Unable to proceed."
  exit 1
 fi
 function restart() {
  if [[ -z "$ELASTIC_AUTH_SKIP_HIGHSTATE" ]]; then
    echo "Elasticsearch on all affected minions will now be stopped and then restarted..."
    salt -C 'G@role:so-standalone or G@role:so-eval or G@role:so-import or G@role:so-manager or G@role:so-managersearch or G@role:so-node or G@role:so-heavynode' cmd.run so-elastic-stop queue=True
    echo "Applying highstate to all affected minions..."
    salt -C 'G@role:so-standalone or G@role:so-eval or G@role:so-import or G@role:so-manager or G@role:so-managersearch or G@role:so-node or G@role:so-heavynode' state.highstate queue=True
  fi
 }
 if [[ "$authEnable" == "true" ]]; then
  if grep -q "enabled: False" "$ES_AUTH_PILLAR"; then
    sed -i 's/enabled: False/enabled: True/g' "$ES_AUTH_PILLAR"
    restart
    echo "Elastic auth is now enabled."
    if grep -q "argon" "$ES_USERS_FILE"; then
      echo ""
      echo "IMPORTANT: The following users will need to change their password, after logging into SOC, in order to access Kibana:"
      grep argon "$ES_USERS_FILE" | cut -d ":" -f 1
    fi
  else
    echo "Auth is already enabled."
  fi
 elif [[ "$authEnable" == "false" ]]; then
  if grep -q "enabled: True" "$ES_AUTH_PILLAR"; then
    sed -i 's/enabled: True/enabled: False/g' "$ES_AUTH_PILLAR"
    restart
    echo "Elastic auth is now disabled."
  else
    echo "Auth is already disabled."
  fi
 else
  echo "Usage: $0 <true|false>"
  echo ""
  echo "Toggles Elastic authentication. Elasticsearch will be restarted on each affected minion."
  echo ""
 fi
--- a/salt/common/tools/sbin/so-elastic-clear
+++ b/salt/common/tools/sbin/so-elastic-clear
@@ -50,7 +50,7 @@ done
 if [ $SKIP -ne 1 ]; then
        # List indices
        echo 
-        curl -k -L https://{{ NODEIP }}:9200/_cat/indices?v
+        {{ ELASTICCURL }} -k -L https://{{ NODEIP }}:9200/_cat/indices?v
        echo
        # Inform user we are about to delete all data
        echo
@@ -89,10 +89,10 @@ fi
 # Delete data
 echo "Deleting data..."
-INDXS=$(curl -s -XGET -k -L https://{{ NODEIP }}:9200/_cat/indices?v | egrep 'logstash|elastalert|so-' | awk '{ print $3 }')
+INDXS=$({{ ELASTICCURL }} -s -XGET -k -L https://{{ NODEIP }}:9200/_cat/indices?v | egrep 'logstash|elastalert|so-' | awk '{ print $3 }')
 for INDX in ${INDXS}
 do
-    curl -XDELETE -k -L https://"{{ NODEIP }}:9200/${INDX}" > /dev/null 2>&1
+    {{ ELASTICCURL }} -XDELETE -k -L https://"{{ NODEIP }}:9200/${INDX}" > /dev/null 2>&1
 done
 #Start Logstash/Filebeat
--- a/salt/common/tools/sbin/so-elasticsearch-indices-list
+++ b/salt/common/tools/sbin/so-elasticsearch-indices-list
@@ -18,4 +18,4 @@
 . /usr/sbin/so-common
-curl -s -k -L https://{{ NODEIP }}:9200/_cat/indices?pretty
+{{ ELASTICCURL }} -s -k -L https://{{ NODEIP }}:9200/_cat/indices?pretty
--- a/salt/common/tools/sbin/so-elasticsearch-indices-rw
+++ b/salt/common/tools/sbin/so-elasticsearch-indices-rw
@@ -21,5 +21,5 @@ THEHIVEESPORT=9400
 echo "Removing read only attributes for indices..."
 echo
-curl -s -k -XPUT -H "Content-Type: application/json" -L https://$IP:9200/_all/_settings -d '{"index.blocks.read_only_allow_delete": null}' 2>&1 | if grep -q ack; then echo "Index settings updated..."; else echo "There was any issue updating the read-only attribute.  Please ensure Elasticsearch is running.";fi;
+{{ ELASTICCURL }} -s -k -XPUT -H "Content-Type: application/json" -L https://$IP:9200/_all/_settings -d '{"index.blocks.read_only_allow_delete": null}' 2>&1 | if grep -q ack; then echo "Index settings updated..."; else echo "There was any issue updating the read-only attribute.  Please ensure Elasticsearch is running.";fi;
-curl -XPUT -H "Content-Type: application/json" -L http://$IP:9400/_all/_settings -d '{"index.blocks.read_only_allow_delete": null}' 2>&1 | if grep -q ack; then echo "Index settings updated..."; else echo "There was any issue updating the read-only attribute.  Please ensure Elasticsearch is running.";fi;
+{{ ELASTICCURL }} -XPUT -H "Content-Type: application/json" -L http://$IP:9400/_all/_settings -d '{"index.blocks.read_only_allow_delete": null}' 2>&1 | if grep -q ack; then echo "Index settings updated..."; else echo "There was any issue updating the read-only attribute.  Please ensure Elasticsearch is running.";fi;
--- a/salt/common/tools/sbin/so-elasticsearch-pipeline-stats
+++ b/salt/common/tools/sbin/so-elasticsearch-pipeline-stats
@@ -19,7 +19,7 @@
 . /usr/sbin/so-common
 if [ "$1" == "" ]; then
-        curl -s -k -L https://{{ NODEIP }}:9200/_nodes/stats | jq .nodes | jq ".[] | .ingest.pipelines"
+        {{ ELASTICCURL }} -s -k -L https://{{ NODEIP }}:9200/_nodes/stats | jq .nodes | jq ".[] | .ingest.pipelines"
 else
-        curl -s -k -L https://{{ NODEIP }}:9200/_nodes/stats | jq .nodes | jq ".[] | .ingest.pipelines.\"$1\""
+        {{ ELASTICCURL }} -s -k -L https://{{ NODEIP }}:9200/_nodes/stats | jq .nodes | jq ".[] | .ingest.pipelines.\"$1\""
 fi
--- a/salt/common/tools/sbin/so-elasticsearch-pipeline-view
+++ b/salt/common/tools/sbin/so-elasticsearch-pipeline-view
@@ -19,7 +19,7 @@
 . /usr/sbin/so-common
 if [ "$1" == "" ]; then
-        curl -s -k -L https://{{ NODEIP }}:9200/_ingest/pipeline/* | jq .
+        {{ ELASTICCURL }} -s -k -L https://{{ NODEIP }}:9200/_ingest/pipeline/* | jq .
 else
-        curl -s -k -L https://{{ NODEIP }}:9200/_ingest/pipeline/$1 | jq .
+        {{ ELASTICCURL }} -s -k -L https://{{ NODEIP }}:9200/_ingest/pipeline/$1 | jq .[]
 fi
--- a/salt/common/tools/sbin/so-elasticsearch-pipelines-list
+++ b/salt/common/tools/sbin/so-elasticsearch-pipelines-list
@@ -17,7 +17,7 @@
 {%- set NODEIP = salt['pillar.get']('elasticsearch:mainip', '') -%}
 . /usr/sbin/so-common
 if [ "$1" == "" ]; then
-    curl -s -k -L https://{{ NODEIP }}:9200/_ingest/pipeline/* | jq 'keys'
+    {{ ELASTICCURL }} -s -k -L https://{{ NODEIP }}:9200/_ingest/pipeline/* | jq 'keys'
 else
-    curl -s -k -L https://{{ NODEIP }}:9200/_ingest/pipeline/$1 | jq
+    {{ ELASTICCURL }} -s -k -L https://{{ NODEIP }}:9200/_ingest/pipeline/$1 | jq
 fi
--- a/salt/common/tools/sbin/so-elasticsearch-query
+++ b/salt/common/tools/sbin/so-elasticsearch-query
@@ -0,0 +1,37 @@
 #!/bin/bash
 #
 # Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, either version 3 of the License, or
 # (at your option) any later version.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>
 . /usr/sbin/so-common
 if [[ $# -lt 1 ]]; then
 	echo "Submit a cURL request to the local Security Onion Elasticsearch host."
 	echo ""
 	echo "Usage: $0 <PATH> [ARGS,...]"
 	echo ""
  echo "Where "
  echo "   PATH represents the elastic function being requested."
  echo "   ARGS is used to specify additional, optional curl parameters."
  echo ""
  echo "Examples:"
  echo "   $0 /"
  echo "   $0 '*:so-*/_search' -d '{\"query\": {\"match_all\": {}},\"size\": 1}' | jq"
  exit 1
 fi
 QUERYPATH=$1
 shift
 {{ ELASTICCURL }} -s -k -L -H "Content-Type: application/json" "https://localhost:9200/${QUERYPATH}" "$@"
--- a/salt/common/tools/sbin/so-elasticsearch-shards-list
+++ b/salt/common/tools/sbin/so-elasticsearch-shards-list
@@ -18,4 +18,4 @@
 . /usr/sbin/so-common
-curl -s -k -L https://{{ NODEIP }}:9200/_cat/shards?pretty
+{{ ELASTICCURL }} -s -k -L https://{{ NODEIP }}:9200/_cat/shards?pretty
--- a/salt/common/tools/sbin/so-elasticsearch-template-remove
+++ b/salt/common/tools/sbin/so-elasticsearch-template-remove
@@ -18,4 +18,4 @@
 . /usr/sbin/so-common
-curl -s -k -L -XDELETE https://{{ NODEIP }}:9200/_template/$1
+{{ ELASTICCURL }} -s -k -L -XDELETE https://{{ NODEIP }}:9200/_template/$1
--- a/salt/common/tools/sbin/so-elasticsearch-template-view
+++ b/salt/common/tools/sbin/so-elasticsearch-template-view
@@ -19,7 +19,7 @@
 . /usr/sbin/so-common
 if [ "$1" == "" ]; then
-        curl -s -k -L https://{{ NODEIP }}:9200/_template/* | jq .
+        {{ ELASTICCURL }} -s -k -L https://{{ NODEIP }}:9200/_template/* | jq .
 else
-        curl -s -k -L https://{{ NODEIP }}:9200/_template/$1 | jq .
+        {{ ELASTICCURL }} -s -k -L https://{{ NODEIP }}:9200/_template/$1 | jq .
 fi
--- a/salt/common/tools/sbin/so-elasticsearch-templates-list
+++ b/salt/common/tools/sbin/so-elasticsearch-templates-list
@@ -17,7 +17,7 @@
 {%- set NODEIP = salt['pillar.get']('elasticsearch:mainip', '') -%}
 . /usr/sbin/so-common
 if [ "$1" == "" ]; then
-    curl -s -k -L https://{{ NODEIP }}:9200/_template/* | jq 'keys'
+    {{ ELASTICCURL }} -s -k -L https://{{ NODEIP }}:9200/_template/* | jq 'keys'
 else
-    curl -s -k -L https://{{ NODEIP }}:9200/_template/$1 | jq
+    {{ ELASTICCURL }} -s -k -L https://{{ NODEIP }}:9200/_template/$1 | jq
 fi
--- a/salt/common/tools/sbin/so-elasticsearch-templates-load
+++ b/salt/common/tools/sbin/so-elasticsearch-templates-load
@@ -1,8 +1,5 @@
 {%- set mainint = salt['pillar.get']('host:mainint') %}
 {%- set MYIP = salt['grains.get']('ip_interfaces:' ~ mainint)[0] %}
 #!/bin/bash
-# Copyright 2014,2015,2016,2017,2018,2019 Security Onion Solutions, LLC
+# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -17,6 +14,9 @@
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 {%- set mainint = salt['pillar.get']('host:mainint') %}
 {%- set MYIP = salt['grains.get']('ip_interfaces:' ~ mainint)[0] %}
 default_conf_dir=/opt/so/conf
 ELASTICSEARCH_HOST="{{ MYIP }}"
 ELASTICSEARCH_PORT=9200
@@ -30,7 +30,7 @@ echo -n "Waiting for ElasticSearch..."
 COUNT=0
 ELASTICSEARCH_CONNECTED="no"
 while [[ "$COUNT" -le 240 ]]; do
-    curl -k --output /dev/null --silent --head --fail -L https://"$ELASTICSEARCH_HOST":"$ELASTICSEARCH_PORT"
+    {{ ELASTICCURL }} -k --output /dev/null --silent --head --fail -L https://"$ELASTICSEARCH_HOST":"$ELASTICSEARCH_PORT"
 	if [ $? -eq 0 ]; then
 		ELASTICSEARCH_CONNECTED="yes"
 		echo "connected!"
@@ -51,7 +51,7 @@ cd ${ELASTICSEARCH_TEMPLATES}
 echo "Loading templates..."
-for i in *; do TEMPLATE=$(echo $i | cut -d '-' -f2); echo "so-$TEMPLATE"; curl -k ${ELASTICSEARCH_AUTH} -s -XPUT -L https://${ELASTICSEARCH_HOST}:${ELASTICSEARCH_PORT}/_template/so-$TEMPLATE -H 'Content-Type: application/json' -d@$i 2>/dev/null; echo; done
+for i in *; do TEMPLATE=$(echo $i | cut -d '-' -f2); echo "so-$TEMPLATE"; {{ ELASTICCURL }} -k ${ELASTICSEARCH_AUTH} -s -XPUT -L https://${ELASTICSEARCH_HOST}:${ELASTICSEARCH_PORT}/_template/so-$TEMPLATE -H 'Content-Type: application/json' -d@$i 2>/dev/null; echo; done
 echo
 cd - >/dev/null
--- a/salt/common/tools/sbin/so-elasticsearch-wait
+++ b/salt/common/tools/sbin/so-elasticsearch-wait
@@ -0,0 +1,5 @@
 #!/bin/bash
 . /usr/sbin/so-common
 wait_for_web_response "https://localhost:9200/_cat/indices/.kibana*" "green open" 300 "{{ ELASTICCURL }}"
--- a/salt/common/tools/sbin/so-filebeat-module-setup
+++ b/salt/common/tools/sbin/so-filebeat-module-setup
@@ -0,0 +1,67 @@
 #!/bin/bash
 # Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, either version 3 of the License, or
 # (at your option) any later version.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 {%- set mainint = salt['pillar.get']('host:mainint') %}
 {%- set MYIP = salt['grains.get']('ip_interfaces:' ~ mainint)[0] %}
 default_conf_dir=/opt/so/conf
 ELASTICSEARCH_HOST="{{ MYIP }}"
 ELASTICSEARCH_PORT=9200
 #ELASTICSEARCH_AUTH=""
 # Define a default directory to load pipelines from
 FB_MODULE_YML="/usr/share/filebeat/module-setup.yml"
 # Wait for ElasticSearch to initialize
 echo -n "Waiting for ElasticSearch..."
 COUNT=0
 ELASTICSEARCH_CONNECTED="no"
 while [[ "$COUNT" -le 240 ]]; do
        {{ ELASTICCURL }} -k --output /dev/null --silent --head --fail -L https://"$ELASTICSEARCH_HOST":"$ELASTICSEARCH_PORT"
        if [ $? -eq 0 ]; then
                ELASTICSEARCH_CONNECTED="yes"
                echo "connected!"
                break
        else
                ((COUNT+=1))
                sleep 1
                echo -n "."
        fi
 done
 if [ "$ELASTICSEARCH_CONNECTED" == "no" ]; then
        echo
        echo -e "Connection attempt timed out.  Unable to connect to ElasticSearch.  \nPlease try: \n  -checking log(s) in /var/log/elasticsearch/\n  -running 'sudo docker ps' \n  -running 'sudo so-elastic-restart'"
        echo
 fi
 echo "Testing to see if the pipelines are already applied"
 ESVER=$({{ ELASTICCURL }} -sk https://"$ELASTICSEARCH_HOST":"$ELASTICSEARCH_PORT" |jq .version.number |tr -d \")
 PIPELINES=$({{ ELASTICCURL }} -sk https://"$ELASTICSEARCH_HOST":"$ELASTICSEARCH_PORT"/_ingest/pipeline/filebeat-$ESVER-suricata-eve-pipeline | jq . | wc -c)
 if [[ "$PIPELINES" -lt 5 ]]; then
  echo "Setting up ingest pipeline(s)"
  for MODULE in activemq apache auditd aws azure barracuda bluecoat cef checkpoint cisco coredns crowdstrike cyberark cylance elasticsearch envoyproxy f5 fortinet gcp google_workspace googlecloud gsuite haproxy ibmmq icinga iis imperva infoblox iptables juniper kafka kibana logstash microsoft misp mongodb mssql mysql nats netscout nginx o365 okta osquery panw postgresql rabbitmq radware redis santa snort snyk sonicwall sophos squid suricata system tomcat traefik zeek zscaler
  do
    echo "Loading $MODULE"
    docker exec -i so-filebeat filebeat setup modules -pipelines -modules $MODULE -c $FB_MODULE_YML
    sleep 2
  done
 else
  exit 0
 fi
--- a/salt/common/tools/sbin/so-firewall
+++ b/salt/common/tools/sbin/so-firewall
@@ -35,6 +35,7 @@ def showUsage(options, args):
  print('')
  print('  General commands:')
  print('    help           - Prints this usage information.')
  print('    apply          - Apply the firewall state.')
  print('')
  print('  Host commands:')
  print('    listhostgroups - Lists the known host groups.')
@@ -66,7 +67,7 @@ def checkDefaultPortsOption(options):
 def checkApplyOption(options):
  if "--apply" in options:
-    return apply()
+    return apply(None, None)
 def loadYaml(filename):
  file = open(filename, "r")
@@ -328,7 +329,7 @@ def removehost(options, args):
    code = checkApplyOption(options)
  return code
-def apply():
+def apply(options, args):
  proc = subprocess.run(['salt-call', 'state.apply', 'firewall', 'queue=True'])
  return proc.returncode
@@ -356,7 +357,8 @@ def main():
    "addport": addport,
    "removeport": removeport,
    "addhostgroup": addhostgroup,
-    "addportgroup": addportgroup
+    "addportgroup": addportgroup,
    "apply": apply
  }
  code=1
--- a/salt/common/tools/sbin/so-fleet-user-update
+++ b/salt/common/tools/sbin/so-fleet-user-update
@@ -0,0 +1,75 @@
 #!/bin/bash
 #
 # Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, either version 3 of the License, or
 # (at your option) any later version.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 . /usr/sbin/so-common
 usage() {
    echo "Usage: $0 <user-name>"
    echo ""
    echo "Update password for an existing Fleet user. The new password will be read from STDIN."
    exit 1
 }
 if [ $# -ne 1 ]; then
  usage
 fi
 USER=$1
 MYSQL_PASS=$(lookup_pillar_secret mysql)
 FLEET_IP=$(lookup_pillar fleet_ip)
 FLEET_USER=$USER
 # test existence of user
 MYSQL_OUTPUT=$(docker exec so-mysql mysql -u root --password=$MYSQL_PASS fleet -e \
    "SELECT count(1) FROM users WHERE username='$FLEET_USER'" 2>/dev/null | tail -1)
 if [[ $? -ne 0 ]] || [[ $MYSQL_OUTPUT -ne 1 ]] ; then
    echo "Test for username [${FLEET_USER}] failed"
    echo "    expect 1 hit in users database, return $MYSQL_OUTPUT hit(s)."
    echo "Unable to update Fleet user password."
    exit 2
 fi
 # Read password for new user from stdin
 test -t 0
 if [[ $? == 0 ]]; then
  echo "Enter new password:"
 fi
 read -rs FLEET_PASS
 if ! check_password "$FLEET_PASS"; then
  echo "Password is invalid. Please exclude single quotes, double quotes and backslashes from the password."
  exit 2
 fi
 FLEET_HASH=$(docker exec so-soctopus python -c "import bcrypt; print(bcrypt.hashpw('$FLEET_PASS'.encode('utf-8'), bcrypt.gensalt()).decode('utf-8'));" 2>&1)
 if [[ $? -ne 0 ]]; then
 	echo "Failed to generate Fleet password hash"
 	exit 2
 fi
 MYSQL_OUTPUT=$(docker exec so-mysql mysql -u root --password=$MYSQL_PASS fleet -e \
    "UPDATE users SET password='$FLEET_HASH', salt='' where username='$FLEET_USER'" 2>&1)
 if [[ $? -eq 0 ]]; then
    echo "Successfully updated Fleet user password"
 else
    echo "Unable to update Fleet user password"
    echo "$MYSQL_OUTPUT"
    exit 2
 fi
--- a/salt/common/tools/sbin/so-grafana-dashboard-folder-delete
+++ b/salt/common/tools/sbin/so-grafana-dashboard-folder-delete
@@ -0,0 +1,17 @@
 # this script is used to delete the default Grafana dashboard folders that existed prior to Grafana dashboard and Salt management changes in 2.3.70
 folders=$(curl -X GET http://admin:{{salt['pillar.get']('secrets:grafana_admin')}}@localhost:3000/api/folders | jq -r '.[] | @base64')
 delfolder=("Manager" "Manager Search" "Sensor Nodes" "Search Nodes" "Standalone" "Eval Mode")
 for row in $folders; do
   title=$(echo ${row} | base64 --decode | jq -r '.title')
   uid=$(echo ${row} | base64 --decode | jq -r '.uid')
  if [[ " ${delfolder[@]} " =~ " ${title} " ]]; then
   curl -X DELETE http://admin:{{salt['pillar.get']('secrets:grafana_admin')}}@localhost:3000/api/folders/$uid
  fi
 done
 echo "so-grafana-dashboard-folder-delete has been run to delete default Grafana dashboard folders that existed prior to 2.3.70" > /opt/so/state/so-grafana-dashboard-folder-delete-complete
 exit 0
--- a/salt/common/tools/sbin/so-image-common
+++ b/salt/common/tools/sbin/so-image-common
@@ -18,6 +18,7 @@
 # NOTE: This script depends on so-common
 IMAGEREPO=security-onion-solutions
 # shellcheck disable=SC2120
 container_list() {
  MANAGERCHECK=$1
@@ -128,13 +129,13 @@ update_docker_containers() {
  mkdir -p $SIGNPATH >> "$LOG_FILE" 2>&1 
  # Let's make sure we have the public key
-  retry 50 10 "curl -sSL https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/master/KEYS -o $SIGNPATH/KEYS" >> "$LOG_FILE" 2>&1
+  run_check_net_err \
  "curl --retry 5 --retry-delay 60 -sSL https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/master/KEYS -o $SIGNPATH/KEYS" \
  "Could not pull signature key file, please ensure connectivity to https://raw.gihubusercontent.com" \
  noretry >> "$LOG_FILE" 2>&1
  result=$?
  if [[ $result -eq 0 ]]; then
    cat $SIGNPATH/KEYS | gpg --import - >> "$LOG_FILE" 2>&1
  else
    echo "Failed to pull signature key file: $result"
    exit 1
  fi
  # Download the containers from the interwebs
@@ -148,14 +149,15 @@ update_docker_containers() {
    # Pull down the trusted docker image
    local image=$i:$VERSION$IMAGE_TAG_SUFFIX
-    retry 50 10 "docker pull $CONTAINER_REGISTRY/$IMAGEREPO/$image" >> "$LOG_FILE" 2>&1 
+    run_check_net_err \
    "docker pull $CONTAINER_REGISTRY/$IMAGEREPO/$image" \
    "Could not pull $image, please ensure connectivity to $CONTAINER_REGISTRY" >> "$LOG_FILE" 2>&1 
    # Get signature
-    retry 50 10 "curl -A '$CURLTYPE/$CURRENTVERSION/$OS/$(uname -r)' https://sigs.securityonion.net/$VERSION/$i:$VERSION$IMAGE_TAG_SUFFIX.sig --output $SIGNPATH/$image.sig" >> "$LOG_FILE" 2>&1
+    run_check_net_err \
-    if [[ $? -ne 0 ]]; then
+    "curl --retry 5 --retry-delay 60 -A '$CURLTYPE/$CURRENTVERSION/$OS/$(uname -r)' https://sigs.securityonion.net/$VERSION/$i:$VERSION$IMAGE_TAG_SUFFIX.sig --output $SIGNPATH/$image.sig" \
-      echo "Unable to pull signature file for $image" >> "$LOG_FILE" 2>&1 
+    "Could not pull signature file for $image, please ensure connectivity to https://sigs.securityonion.net " \
-      exit 1
+    noretry >> "$LOG_FILE" 2>&1
    fi
    # Dump our hash values
    DOCKERINSPECT=$(docker inspect $CONTAINER_REGISTRY/$IMAGEREPO/$image)
--- a/salt/common/tools/sbin/so-image-pull
+++ b/salt/common/tools/sbin/so-image-pull
@@ -0,0 +1,58 @@
 #!/bin/bash
 #
 # Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, either version 3 of the License, or
 # (at your option) any later version.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 . /usr/sbin/so-common
 . /usr/sbin/so-image-common
 usage() {
 	read -r -d '' message <<- EOM
 		usage: so-image-pull [-h] IMAGE [IMAGE ...]
 		positional arguments:
 			IMAGE         One or more 'so-' prefixed images to download and verify.
 		optional arguments:
 			-h, --help    Show this help message and exit.
 	EOM
 	echo "$message"
 	exit 1
 }
 for arg; do
 	shift
 	[[ "$arg" = "--quiet" || "$arg" = "-q" ]] && quiet=true && continue
 	set -- "$@" "$arg"
 done
 if [[ $# -eq 0 || $# -gt 1 ]] || [[ $1 == '-h' || $1 == '--help' ]]; then
 	usage
 fi
 TRUSTED_CONTAINERS=("$@")
 set_version
 for image in "${TRUSTED_CONTAINERS[@]}"; do
 	if ! docker images | grep "$image" | grep ":5000" | grep -q "$VERSION"; then
 		if [[ $quiet == true ]]; then
 			update_docker_containers "$image" "" "" "/dev/null"
 		else
 			update_docker_containers "$image" "" "" "" 
 		fi
 	else
 		echo "$image:$VERSION image exists."
 	fi
 done
--- a/salt/common/tools/sbin/so-import-pcap
+++ b/salt/common/tools/sbin/so-import-pcap
@@ -132,6 +132,8 @@ for PCAP in "$@"; do
    PCAP_FIXED=`mktemp /tmp/so-import-pcap-XXXXXXXXXX.pcap`
    echo "- attempting to recover corrupted PCAP file"
    pcapfix "${PCAP}" "${PCAP_FIXED}"
    # Make fixed file world readable since the Suricata docker container will runas a non-root user
    chmod a+r "${PCAP_FIXED}"
    PCAP="${PCAP_FIXED}"
    TEMP_PCAPS+=(${PCAP_FIXED})
  fi
--- a/salt/common/tools/sbin/so-index-list
+++ b/salt/common/tools/sbin/so-index-list
@@ -15,4 +15,4 @@
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
-curl -X GET -k -L "https://localhost:9200/_cat/indices?v&s=index"
+{{ ELASTICCURL }} -X GET -k -L "https://localhost:9200/_cat/indices?v&s=index"
--- a/salt/common/tools/sbin/so-influxdb-clean
+++ b/salt/common/tools/sbin/so-influxdb-clean
@@ -0,0 +1,53 @@
 #!/bin/bash
 # Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, either version 3 of the License, or
 # (at your option) any later version.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 . /usr/sbin/so-common
 wdurregex="^[0-9]+w$"
 ddurregex="^[0-9]+d$"
 echo -e "\nThis script is used to reduce the size of InfluxDB by removing old data and retaining only the duration specified."
 echo "The duration will need to be specified as an integer followed by the duration unit without a space."
 echo -e "\nFor example, to purge all data but retain the past 12 weeks, specify 12w for the duration."
 echo "The duration units are as follows:"
 echo "  w  - week(s)"
 echo "  d  - day(s)"
 while true; do
  echo ""
  read -p 'Enter the duration of past data that you would like to retain: ' duration
  duration=$(echo $duration | tr '[:upper:]' '[:lower:]')
  if [[ "$duration" =~ $wdurregex ]] || [[ "$duration" =~ $ddurregex ]]; then
    break
  fi
  echo -e "\nInvalid duration."
 done
 echo -e "\nInfluxDB will now be cleaned and leave only the past $duration worth of data."
 read -r -p "Are you sure you want to continue? [y/N] " yorn
 if [[ "$yorn" =~ ^([yY][eE][sS]|[yY])$ ]]; then
  echo -e "\nCleaning InfluxDb and saving only the past $duration. This may could take several minutes depending on how much data needs to be cleaned."
    if docker exec -t so-influxdb /bin/bash -c "influx -ssl -unsafeSsl -database telegraf -execute \"DELETE FROM /.*/ WHERE \"time\" >= '2020-01-01T00:00:00.0000000Z' AND \"time\" <= now() - $duration\""; then
      echo -e "\nInfluxDb clean complete."
    else
      echo -e "\nSomething went wrong with cleaning InfluxDB. Please verify that the so-influxdb Docker container is running, and check the log at /opt/so/log/influxdb/influxdb.log for any details."
    fi
 else
  echo -e "\nExiting as requested."
 fi
--- a/salt/common/tools/sbin/so-influxdb-downsample
+++ b/salt/common/tools/sbin/so-influxdb-downsample
@@ -0,0 +1,63 @@
 #!/bin/bash
 # Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, either version 3 of the License, or
 # (at your option) any later version.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 {%- set role = grains.id.split('_') | last %}
 {%- if role in ['manager', 'managersearch', 'eval', 'standalone'] %}
  {%- import_yaml 'influxdb/defaults.yaml' as default_settings %}
  {%- set influxdb = salt['grains.filter_by'](default_settings, default='influxdb', merge=salt['pillar.get']('influxdb', {})) %}
 . /usr/sbin/so-common
 echo -e "\nThis script is used to reduce the size of InfluxDB by downsampling old data into the so_long_term retention policy."
 echo -e "\nInfluxDB will now be downsampled. This could take a few hours depending on how large the database is and hardware resources available."
 read -r -p "Are you sure you want to continue? [y/N] " yorn
 if [[ "$yorn" =~ ^([yY][eE][sS]|[yY])$ ]]; then
  echo -e "\nDownsampling InfluxDb started at `date`. This may take several hours depending on how much data needs to be downsampled."
  {% for dest_rp in influxdb.downsample.keys() -%}
    {% for measurement in influxdb.downsample[dest_rp].get('measurements', []) -%}
  day=0
  startdate=`date`
  while docker exec -t so-influxdb /bin/bash -c "influx -ssl -unsafeSsl -database telegraf -execute \"SELECT mean(*) INTO \"so_long_term\".\"{{measurement}}\" FROM \"autogen\".\"{{measurement}}\" WHERE \"time\" >= '2020-07-21T00:00:00.0000000Z' + ${day}d AND \"time\" <= '2020-07-21T00:00:00.0000000Z' + $((day+1))d GROUP BY time(5m),*\""; do
    # why 2020-07-21? 
    migrationdate=`date -d "2020-07-21 + ${day} days" +"%y-%m-%d"`
    echo "Downsampling of measurement: {{measurement}} from $migrationdate started at $startdate and completed at `date`."
    newdaytomigrate=$(date -d "$migrationdate + 1 days" +"%s")
    today=$(date +"%s")
    if [ $newdaytomigrate -ge $today ]; then
      break
    else
      ((day=day+1))
      startdate=`date`
      echo -e "\nDownsampling the next day's worth of data for measurement: {{measurement}}."
    fi
  done
    {% endfor -%}
  {% endfor -%}
  echo -e "\nInfluxDb data downsampling complete."
 else
  echo -e "\nExiting as requested."
 fi
 {%- else %}
 echo -e "\nThis script can only be run on a node running InfluxDB."
 {%- endif %}
--- a/salt/common/tools/sbin/so-influxdb-drop-autogen
+++ b/salt/common/tools/sbin/so-influxdb-drop-autogen
@@ -0,0 +1,34 @@
 #!/bin/bash
 # Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, either version 3 of the License, or
 # (at your option) any later version.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 . /usr/sbin/so-common
 echo -e "\nThis script is used to reduce the size of InfluxDB by dropping the autogen retention policy."
 echo "If you want to retain historical data prior to 2.3.60, then this should only be run after you have downsampled your data using so-influxdb-downsample."
 echo -e "\nThe autogen retention policy will now be dropped from InfluxDB."
 read -r -p "Are you sure you want to continue? [y/N] " yorn
 if [[ "$yorn" =~ ^([yY][eE][sS]|[yY])$ ]]; then
  echo -e "\nDropping autogen retention policy."
    if docker exec -t so-influxdb influx -format json -ssl -unsafeSsl -execute "drop retention policy autogen on telegraf"; then
      echo -e "\nAutogen retention policy dropped from InfluxDb."
    else
      echo -e "\nSomething went wrong dropping then autogen retention policy from InfluxDB. Please verify that the so-influxdb Docker container is running, and check the log at /opt/so/log/influxdb/influxdb.log for any details."
    fi
 else
  echo -e "\nExiting as requested."
 fi
--- a/salt/common/tools/sbin/so-kibana-config-export
+++ b/salt/common/tools/sbin/so-kibana-config-export
@@ -23,7 +23,9 @@
 KIBANA_HOST={{ MANAGER }}
 KSO_PORT=5601
 OUTFILE="saved_objects.ndjson"
-curl -s -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -XPOST -L $KIBANA_HOST:$KSO_PORT/api/saved_objects/_export -d '{ "type": [ "index-pattern", "config", "visualization", "dashboard", "search" ], "excludeExportDetails": false }' > $OUTFILE
+
 SESSIONCOOKIE=$({{ ELASTICCURL }} -c - -X GET http://$KIBANA_HOST:$KSO_PORT/ | grep sid | awk '{print $7}')
 {{ ELASTICCURL }} -b "sid=$SESSIONCOOKIE" -s -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -XPOST -L $KIBANA_HOST:$KSO_PORT/api/saved_objects/_export -d '{ "type": [ "index-pattern", "config", "visualization", "dashboard", "search" ], "excludeExportDetails": false }' > $OUTFILE
 # Clean up using PLACEHOLDER
 sed -i "s/$KIBANA_HOST/PLACEHOLDER/g" $OUTFILE
--- a/salt/common/tools/sbin/so-kibana-space-defaults
+++ b/salt/common/tools/sbin/so-kibana-space-defaults
@@ -1,13 +1,13 @@
 . /usr/sbin/so-common
-wait_for_web_response "http://localhost:5601/app/kibana" "Elastic"
+wait_for_web_response "http://localhost:5601/app/kibana" "Elastic" 300 "{{ ELASTICCURL }}"
 ## This hackery will be removed if using Elastic Auth ##
 # Let's snag a cookie from Kibana
-THECOOKIE=$(curl -c - -X GET http://localhost:5601/ | grep sid | awk '{print $7}')
+SESSIONCOOKIE=$({{ ELASTICCURL }} -c - -X GET http://localhost:5601/ | grep sid | awk '{print $7}')
 # Disable certain Features from showing up in the Kibana UI
 echo
 echo "Setting up default Space:"
-curl -b "sid=$THECOOKIE" -L -X PUT "localhost:5601/api/spaces/space/default" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d' {"id":"default","name":"Default","disabledFeatures":["ml","enterpriseSearch","siem","logs","infrastructure","apm","uptime","monitoring","stackAlerts","actions","fleet"]} ' >> /opt/so/log/kibana/misc.log
+{{ ELASTICCURL }} -b "sid=$SESSIONCOOKIE" -L -X PUT "localhost:5601/api/spaces/space/default" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d' {"id":"default","name":"Default","disabledFeatures":["ml","enterpriseSearch","siem","logs","infrastructure","apm","uptime","monitoring","stackAlerts","actions","fleet"]} ' >> /opt/so/log/kibana/misc.log
 echo
--- a/salt/common/tools/sbin/so-learn
+++ b/salt/common/tools/sbin/so-learn
@@ -0,0 +1,303 @@
 #!/usr/bin/env python3
 # Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, either version 3 of the License, or
 # (at your option) any later version.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 from itertools import chain
 from typing import List
 import signal
 import sys
 import os
 import re
 import subprocess
 import argparse
 import textwrap
 import yaml
 import multiprocessing
 import docker
 import pty
 minion_pillar_dir = '/opt/so/saltstack/local/pillar/minions'
 so_status_conf = '/opt/so/conf/so-status/so-status.conf'
 proc: subprocess.CompletedProcess = None
 # Temp store of modules, will likely be broken out into salt
 def get_learn_modules():
  return {
    'logscan': { 'cpu_period': get_cpu_period(fraction=0.25), 'enabled': False, 'description': 'Scan log files against pre-trained models to alert on anomalies.' }
  }
 def get_cpu_period(fraction: float):
  multiplier = 10000
  num_cores = multiprocessing.cpu_count()
  if num_cores <= 2:
    fraction = 1.
  num_used_cores = int(num_cores * fraction)
  cpu_period = num_used_cores * multiplier
  return cpu_period
 def sigint_handler(*_):
  print('Exiting gracefully on Ctrl-C')
  if proc is not None: proc.send_signal(signal.SIGINT)
  sys.exit(1)
 def find_minion_pillar() -> str:
  regex = '^.*_(manager|managersearch|standalone|import|eval)\.sls$'
  result = []
  for root, _, files in os.walk(minion_pillar_dir):
    for f_minion_id in files:
      if re.search(regex, f_minion_id):
        result.append(os.path.join(root, f_minion_id))
  if len(result) == 0:
    print('Could not find manager-type pillar (eval, standalone, manager, managersearch, import). Are you running this script on the manager?', file=sys.stderr)
    sys.exit(3)
  elif len(result) > 1:
    res_str = ', '.join(f'\"{result}\"')
    print('(This should not happen, the system is in an error state if you see this message.)\n', file=sys.stderr)
    print('More than one manager-type pillar exists, minion id\'s listed below:', file=sys.stderr)
    print(f'  {res_str}', file=sys.stderr)
    sys.exit(3)
  else:
    return result[0]
 def read_pillar(pillar: str):
  try:
    with open(pillar, 'r') as pillar_file:
      loaded_yaml = yaml.safe_load(pillar_file.read())
      if loaded_yaml is None:
        print(f'Could not parse {pillar}', file=sys.stderr)
        sys.exit(3)
      return loaded_yaml
  except:
    print(f'Could not open {pillar}', file=sys.stderr)
    sys.exit(3)
 def write_pillar(pillar: str, content: dict):
  try:
    with open(pillar, 'w') as pillar_file:
      yaml.dump(content, pillar_file, default_flow_style=False)
  except:
    print(f'Could not open {pillar}', file=sys.stderr)
    sys.exit(3)
 def mod_so_status(action: str, item: str):
  with open(so_status_conf, 'a+') as conf:
    conf.seek(0)
    containers = conf.readlines()
    if f'so-{item}\n' in containers:
      if action == 'remove': containers.remove(f'so-{item}\n')
      if action == 'add': pass
    else:
      if action == 'remove': pass
      if action == 'add': containers.append(f'so-{item}\n')
    [containers.remove(c_name) for c_name in containers if c_name == '\n'] # remove extra newlines
    conf.seek(0)
    conf.truncate(0)
    conf.writelines(containers)
 def create_pillar_if_not_exist(pillar:str, content: dict):
  pillar_dict = content
  if pillar_dict.get('learn', {}).get('modules') is None:
    pillar_dict['learn'] = {}
    pillar_dict['learn']['modules'] = get_learn_modules()
    content.update()
    write_pillar(pillar, content)
  return content
 def salt_call(module: str):
  salt_cmd = ['salt-call', 'state.apply', '-l', 'quiet', f'learn.{module}', 'queue=True']
  print(f'  Applying salt state for {module} module...')
  proc = subprocess.run(salt_cmd, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
  return_code = proc.returncode
  if return_code != 0:
    print(f'  [ERROR] Failed to apply salt state for {module} module.')
  return return_code
 def pull_image(module: str):
  container_basename = f'so-{module}'
  client = docker.from_env()
  image_list = client.images.list(filters={ 'dangling': False })  
  tag_list = list(chain.from_iterable(list(map(lambda x: x.attrs.get('RepoTags'), image_list))))
  basename_match = list(filter(lambda x: f'{container_basename}' in x, tag_list))
  local_registry_match = list(filter(lambda x: ':5000' in x, basename_match))
  if len(local_registry_match) == 0:
    print(f'Pulling and verifying missing image for {module} (may take several minutes) ...')
    pull_command = ['so-image-pull', '--quiet', container_basename]
    proc = subprocess.run(pull_command, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return_code = proc.returncode
    if return_code != 0:
      print(f'[ERROR] Failed to pull image so-{module}, skipping state.')
  else:
    return_code = 0
  return return_code
 def apply(module_list: List):
  return_code = 0
  for module in module_list:
    salt_ret = salt_call(module)
    # Only update return_code if the command returned a non-zero return
    if salt_ret != 0:
      return_code = salt_ret
  return return_code
 def check_apply(args: dict):
  if args.apply:
    print('Configuration updated. Applying changes:')
    return apply(args.modules)
  else:
    message = 'Configuration updated. Would you like to apply your changes now? (y/N) '
    answer = input(message)
    while answer.lower() not in [ 'y', 'n', '' ]:
      answer = input(message)
    if answer.lower() in [ 'n', '' ]:
      return 0
    else:
      print('Applying changes:')
      return apply(args.modules)
 def enable_disable_modules(args, enable: bool):
  pillar_modules = args.pillar_dict.get('learn', {}).get('modules')
  pillar_mod_names = args.pillar_dict.get('learn', {}).get('modules').keys()
  action_str = 'add' if enable else 'remove'
  if 'all' in args.modules:
    for module, details in pillar_modules.items():
      details['enabled'] = enable
      mod_so_status(action_str, module)
      if enable: pull_image(module)
    args.pillar_dict.update()
    write_pillar(args.pillar, args.pillar_dict)
  else:
    write_needed = False
    for module in args.modules:
      if module in pillar_mod_names:
        if pillar_modules[module]['enabled'] == enable:
          state_str = 'enabled' if enable else 'disabled'
          print(f'{module} module already {state_str}.', file=sys.stderr)
        else:
          if enable and pull_image(module) != 0:
            continue
          pillar_modules[module]['enabled'] = enable
          mod_so_status(action_str, module)
          write_needed = True
    if write_needed:
      args.pillar_dict.update()
      write_pillar(args.pillar, args.pillar_dict)
  cmd_ret = check_apply(args)
  return cmd_ret
 def enable_modules(args):
  enable_disable_modules(args, enable=True)
 def disable_modules(args):
  enable_disable_modules(args, enable=False)
 def list_modules(*_):
  print('Available ML modules:')
  for module, details in get_learn_modules().items():
    print(f'  - { module } : {details["description"]}')
  return 0
 def main():
  beta_str = 'BETA - SUBJECT TO CHANGE\n'
  apply_help='After ACTION the chosen modules, apply any necessary salt states.'
  enable_apply_help = apply_help.replace('ACTION', 'enabling')
  disable_apply_help = apply_help.replace('ACTION', 'disabling')
  signal.signal(signal.SIGINT, sigint_handler)
  if os.geteuid() != 0:
    print('You must run this script as root', file=sys.stderr)
    sys.exit(1)
  main_parser = argparse.ArgumentParser(formatter_class=argparse.RawDescriptionHelpFormatter)
  subcommand_desc = textwrap.dedent(
    """\
      enable              Enable one or more ML modules.
      disable             Disable one or more ML modules.
      list                List all available ML modules.
    """
  )
  subparsers = main_parser.add_subparsers(title='commands', description=subcommand_desc, metavar='', dest='command')
  module_help_str = 'One or more ML modules, which can be listed using \'so-learn list\'. Use the keyword \'all\' to apply the action to all available modules.'
  enable = subparsers.add_parser('enable')
  enable.set_defaults(func=enable_modules)
  enable.add_argument('modules', metavar='ML_MODULE', nargs='+', help=module_help_str)
  enable.add_argument('--apply', action='store_const', const=True, required=False, help=enable_apply_help)
  disable = subparsers.add_parser('disable')
  disable.set_defaults(func=disable_modules)
  disable.add_argument('modules', metavar='ML_MODULE', nargs='+', help=module_help_str)
  disable.add_argument('--apply', action='store_const', const=True, required=False, help=disable_apply_help)
  list = subparsers.add_parser('list')
  list.set_defaults(func=list_modules)
  args = main_parser.parse_args(sys.argv[1:])
  args.pillar = find_minion_pillar()
  args.pillar_dict = create_pillar_if_not_exist(args.pillar, read_pillar(args.pillar))
  if hasattr(args, 'func'):
    exit_code = args.func(args)
  else:
    if args.command is None:
      print(beta_str)
      main_parser.print_help()
    sys.exit(0)
  sys.exit(exit_code)
 if __name__ == '__main__':
  main()
--- a/salt/common/tools/sbin/so-airgap-hotfixdownload
+++ b/salt/common/tools/sbin/so-airgap-hotfixdownload
@@ -1,5 +1,5 @@
 #!/bin/bash
-
+#
 # Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
@@ -15,19 +15,12 @@
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
-# Get the latest code
+if [ $# -lt 2 ]; then
-rm -rf /tmp/sohotfix
+  echo "Usage: $0 <steno-query> Output-Filename"
 mkdir -p /tmp/sohotfix
 cd /tmp/sohotfix
 git clone https://github.com/Security-Onion-Solutions/securityonion
 if [ ! -d "/tmp/sohotfix/securityonion" ]; then
  echo "I was unable to get the latest code. Check your internet and try again."
  exit 1
 else
  echo "Looks like we have the code lets create the tarball."
  cd /tmp/sohotfix/securityonion
  tar cvf /tmp/sohotfix/sohotfix.tar HOTFIX VERSION salt pillar
  echo ""
  echo "Copy /tmp/sohotfix/sohotfix.tar to portable media and then copy it to your airgap manager."
  exit 0
 fi
 docker exec -it so-sensoroni scripts/stenoquery.sh "$1" -w /nsm/pcapout/$2.pcap
 echo ""
 echo "If successful, the output was written to: /nsm/pcapout/$2.pcap"
--- a/salt/common/tools/sbin/so-playbook-reset
+++ b/salt/common/tools/sbin/so-playbook-reset
@@ -22,5 +22,5 @@ salt-call state.apply playbook.db_init,playbook,playbook.automation_user_create
 /usr/sbin/so-soctopus-restart
 echo "Importing Plays - this will take some time...."
-wait 5
+sleep 5
 /usr/sbin/so-playbook-ruleupdate
--- a/salt/common/tools/sbin/so-raid-status
+++ b/salt/common/tools/sbin/so-raid-status
@@ -17,67 +17,98 @@
 . /usr/sbin/so-common
-#check_boss_raid() {
+appliance_check() {
-#    BOSSBIN=/opt/boss/mvcli
+  {%- if salt['grains.get']('sosmodel', '') %}
-#    BOSSRC=$($BOSSBIN info -o vd | grep functional)
+  APPLIANCE=1
-#
+  DUDEYOUGOTADELL=$(dmidecode |grep Dell)
-#    if [[ $BOSSRC ]]; then
+  if [[ -n $DUDEYOUGOTADELL ]]; then
-#        # Raid is good
+  APPTYPE=dell
 #        BOSSRAID=0
 #    else
 #        BOSSRAID=1
 #    fi
 #}
 check_lsi_raid() {
    # For use for LSI on Ubuntu
    #MEGA=/opt/MegaRAID/MegeCli/MegaCli64
    #LSIRC=$($MEGA -LDInfo -Lall -aALL | grep Optimal)
    # Open Source Centos
    MEGA=/opt/mega/megasasctl
    LSIRC=$($MEGA | grep optimal)
    if [[ $LSIRC ]]; then
        # Raid is good
        LSIRAID=0
  else
-        LSIRAID=1
+  APPTYPE=sm
  fi
  mkdir -p /opt/so/log/raid
  {%- else %}
  echo "This is not an appliance"
  exit 0
  {%- endif %}
 }
 check_nsm_raid() {
  PERCCLI=$(/opt/raidtools/perccli/perccli64 /c0/v0 show|grep RAID|grep Optl)
  MEGACTL=$(/opt/raidtools/megasasctl |grep optimal)
  if [[ $APPLIANCE == '1' ]]; then
    if [[ -n $PERCCLI ]]; then
      HWRAID=0
    elif [[ -n $MEGACTL ]]; then
      HWRAID=0
    else
      HWRAID=1
    fi
  fi
 }
 check_boss_raid() {
  MVCLI=$(/usr/local/bin/mvcli info -o vd |grep status |grep functional)
  if [[ -n $DUDEYOUGOTADELL ]]; then
    if [[ -n $MVCLI ]]; then
      BOSSRAID=0
    else
      BOSSRAID=1
    fi
  fi
 }
 check_software_raid() {
  if [[ -n $DUDEYOUGOTADELL ]]; then
    SWRC=$(grep "_" /proc/mdstat)
-    if [[ $SWRC ]]; then
+    if [[ -n $SWRC ]]; then
        # RAID is failed in some way
        SWRAID=1
    else
        SWRAID=0
    fi
  fi
 }
 # This script checks raid status if you use SO appliances
 # See if this is an appliance
 appliance_check
 check_nsm_raid
 check_boss_raid
 {%- if salt['grains.get']('sosmodel', '') %}
 mkdir -p /opt/so/log/raid
 {%- if grains['sosmodel'] in ['SOSMN', 'SOSSNNV'] %}
 #check_boss_raid
 check_software_raid
 #echo "osraid=$BOSSRAID nsmraid=$SWRAID" > /opt/so/log/raid/status.log
 echo "osraid=1 nsmraid=$SWRAID" > /opt/so/log/raid/status.log
  {%- elif grains['sosmodel'] in ['SOS1000F', 'SOS1000', 'SOSSN7200', 'SOS10K', 'SOS4000'] %}
 #check_boss_raid
 check_lsi_raid
 #echo "osraid=$BOSSRAID nsmraid=$LSIRAID" > /opt/so/log/raid/status.log
 echo "osraid=1 nsmraid=$LSIRAID" > /opt/so/log/raid/status.log
  {%- else %}
 exit 0
 {%- endif %}
 {%- else %}
 exit 0
 {%- endif %}
 if [[ -n $SWRAID ]]; then
  if [[ $SWRAID == '0' && BOSSRAID == '0' ]]; then
    RAIDSTATUS=0
  else
    RAIDSTATUS=1
  fi
 elif [[ -n $DUDEYOUGOTADELL ]]; then
  if [[ $BOSSRAID == '0' && $HWRAID == '0' ]]; then
    RAIDSTATUS=0
  else
    RAIDSTATUS=1
  fi
 elif [[ "$APPTYPE" == 'sm' ]]; then
  if [[ -n "$HWRAID" ]]; then
    RAIDSTATUS=0
  else
    RAIDSTATUS=1
  fi
 fi
 echo "nsmraid=$RAIDSTATUS" > /opt/so/log/raid/status.log
--- a/salt/common/tools/sbin/so-suricata-testrule
+++ b/salt/common/tools/sbin/so-suricata-testrule
@@ -23,6 +23,11 @@ TESTPCAP=$2
 . /usr/sbin/so-common
 if [ $# -lt 2 ]; then
  echo "Usage: $0 <CustomRule> <TargetPCAP>"
  exit 1
 fi
 echo ""
 echo "==============="
 echo "Running all.rules and $TESTRULE against the following pcap: $TESTPCAP" 
--- a/salt/common/tools/sbin/so-tcpreplay
+++ b/salt/common/tools/sbin/so-tcpreplay
@@ -31,7 +31,7 @@ if [[ $# -lt 1 ]]; then
 	echo "Usage: $0 <pcap-sample(s)>"
 	echo 
 	echo "All PCAPs must be placed in the /opt/so/samples directory unless replaying"
-	echo "a sample pcap that is included in the so-tcpreplay image. Those PCAP sampes"
+	echo "a sample pcap that is included in the so-tcpreplay image. Those PCAP samples"
 	echo "are located in the /opt/samples directory inside of the image."
 	echo 
 	echo "Customer provided PCAP example:"
--- a/salt/common/tools/sbin/so-thehive-user-update
+++ b/salt/common/tools/sbin/so-thehive-user-update
@@ -0,0 +1,57 @@
 #!/bin/bash
 #
 # Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, either version 3 of the License, or
 # (at your option) any later version.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 . /usr/sbin/so-common
 usage() {
    echo "Usage: $0 <user-name>"
    echo ""
    echo "Update password for an existing TheHive user. The new password will be read from STDIN."
    exit 1
 }
 if [ $# -ne 1 ]; then
  usage
 fi
 USER=$1
 THEHIVE_KEY=$(lookup_pillar hivekey)
 THEHVIE_API_URL="$(lookup_pillar url_base)/thehive/api"
 THEHIVE_USER=$USER
 # Read password for new user from stdin
 test -t 0
 if [[ $? == 0 ]]; then
  echo "Enter new password:"
 fi
 read -rs THEHIVE_PASS
 if ! check_password "$THEHIVE_PASS"; then
  echo "Password is invalid. Please exclude single quotes, double quotes and backslashes from the password."
  exit 2
 fi
 # Change password for user in TheHive
 resp=$(curl -sk -XPOST -H "Authorization: Bearer $THEHIVE_KEY" -H "Content-Type: application/json" -L "https://$THEHVIE_API_URL/user/${THEHIVE_USER}/password/set" -d "{\"password\" : \"$THEHIVE_PASS\"}")
 if [[ -z "$resp" ]]; then
    echo "Successfully updated TheHive user password"
 else
    echo "Unable to update TheHive user password"
    echo $resp
    exit 2
 fi
--- a/salt/common/tools/sbin/so-user
+++ b/salt/common/tools/sbin/so-user
@@ -39,10 +39,18 @@ email=$2
 kratosUrl=${KRATOS_URL:-http://127.0.0.1:4434}
 databasePath=${KRATOS_DB_PATH:-/opt/so/conf/kratos/db/db.sqlite}
-argon2Iterations=${ARGON2_ITERATIONS:-3}
+bcryptRounds=${BCRYPT_ROUNDS:-12}
-argon2Memory=${ARGON2_MEMORY:-14}
+elasticUsersFile=${ELASTIC_USERS_FILE:-/opt/so/saltstack/local/salt/elasticsearch/files/users}
-argon2Parallelism=${ARGON2_PARALLELISM:-2}
+elasticRolesFile=${ELASTIC_ROLES_FILE:-/opt/so/saltstack/local/salt/elasticsearch/files/users_roles}
-argon2HashSize=${ARGON2_HASH_SIZE:-32}
+esUID=${ELASTIC_UID:-930}
 esGID=${ELASTIC_GID:-930}
 function lock() {
  # Obtain file descriptor lock
  exec 99>/var/tmp/so-user.lock || fail "Unable to create lock descriptor; if the system was not shutdown gracefully you may need to remove /var/tmp/so-user.lock manually."
  flock -w 10 99 || fail "Another process is using so-user; if the system was not shutdown gracefully you may need to remove /var/tmp/so-user.lock manually."
  trap 'rm -f /var/tmp/so-user.lock' EXIT
 }
 function fail() {
  msg=$1
@@ -58,7 +66,7 @@ function require() {
 # Verify this environment is capable of running this script
 function verifyEnvironment() {
-  require "argon2"
+  require "htpasswd"
  require "jq"
  require "curl"
  require "openssl"
@@ -95,6 +103,16 @@ function validateEmail() {
  fi
 }
 function hashPassword() {
  password=$1
  passwordHash=$(echo "${password}" | htpasswd -niBC $bcryptRounds SOUSER)
  passwordHash=$(echo "$passwordHash" | cut -c 11-)
  passwordHash="\$2a${passwordHash}" # still waiting for https://github.com/elastic/elasticsearch/issues/51132
  echo "$passwordHash"
 }
 function updatePassword() {
  identityId=$1
@@ -111,15 +129,125 @@ function updatePassword() {
  if [[ -n $identityId ]]; then
    # Generate password hash
-    salt=$(openssl rand -hex 8)
+    passwordHash=$(hashPassword "$password")
    passwordHash=$(echo "${password}" | argon2 ${salt} -id -t $argon2Iterations -m $argon2Memory -p $argon2Parallelism -l $argon2HashSize -e)
    # Update DB with new hash
-    echo "update identity_credentials set config=CAST('{\"hashed_password\":\"${passwordHash}\"}' as BLOB) where identity_id=${identityId};" | sqlite3 "$databasePath"
+    echo "update identity_credentials set config=CAST('{\"hashed_password\":\"$passwordHash\"}' as BLOB) where identity_id=${identityId};" | sqlite3 "$databasePath"
    [[ $? != 0 ]] && fail "Unable to update password"
  fi
 }
 function createElasticFile() {
  filename=$1
  tmpFile=${filename}
  truncate -s 0 "$tmpFile"
  chmod 600 "$tmpFile"
  chown "${esUID}:${esGID}" "$tmpFile"
 }
 function syncElasticSystemUser() {
  json=$1
  userid=$2
  usersFile=$3
  user=$(echo "$json" | jq -r ".local.users.$userid.user")
  pass=$(echo "$json" | jq -r ".local.users.$userid.pass")
  [[ -z "$user" || -z "$pass" ]] && fail "Elastic auth credentials for system user '$userid' are missing"
  hash=$(hashPassword "$pass")
  echo "${user}:${hash}" >> "$usersFile"
 }
 function syncElasticSystemRole() {
  json=$1
  userid=$2
  role=$3
  rolesFile=$4
  user=$(echo "$json" | jq -r ".local.users.$userid.user")
  [[ -z "$user" ]] && fail "Elastic auth credentials for system user '$userid' are missing"
  echo "${role}:${user}" >> "$rolesFile"
 }
 function syncElastic() {
  echo "Syncing users between SOC and Elastic..."
  usersTmpFile="${elasticUsersFile}.tmp"
  rolesTmpFile="${elasticRolesFile}.tmp"
  createElasticFile "${usersTmpFile}"
  createElasticFile "${rolesTmpFile}"
  authPillarJson=$(lookup_salt_value "auth" "elasticsearch" "pillar" "json")
  syncElasticSystemUser "$authPillarJson" "so_elastic_user"  "$usersTmpFile"
  syncElasticSystemRole "$authPillarJson" "so_elastic_user"  "superuser" "$rolesTmpFile"
  syncElasticSystemUser "$authPillarJson" "so_kibana_user"   "$usersTmpFile"
  syncElasticSystemRole "$authPillarJson" "so_kibana_user"   "superuser" "$rolesTmpFile"
  syncElasticSystemUser "$authPillarJson" "so_logstash_user" "$usersTmpFile"
  syncElasticSystemRole "$authPillarJson" "so_logstash_user" "superuser" "$rolesTmpFile"
  syncElasticSystemUser "$authPillarJson" "so_beats_user"    "$usersTmpFile"
  syncElasticSystemRole "$authPillarJson" "so_beats_user"    "superuser" "$rolesTmpFile"
  syncElasticSystemUser "$authPillarJson" "so_monitor_user"  "$usersTmpFile"
  syncElasticSystemRole "$authPillarJson" "so_monitor_user"  "remote_monitoring_collector" "$rolesTmpFile"
  syncElasticSystemRole "$authPillarJson" "so_monitor_user"  "remote_monitoring_agent" "$rolesTmpFile"
  syncElasticSystemRole "$authPillarJson" "so_monitor_user"  "monitoring_user" "$rolesTmpFile"
  if [[ -f "$databasePath" ]]; then
    # Generate the new users file
    echo "select '{\"user\":\"' || ici.identifier || '\", \"data\":' || ic.config || '}'" \
      "from identity_credential_identifiers ici, identity_credentials ic " \
      "where ici.identity_credential_id=ic.id and instr(ic.config, 'hashed_password') " \
      "order by ici.identifier;" | \
      sqlite3 "$databasePath" | \
      jq -r '.user + ":" + .data.hashed_password' \
      >> "$usersTmpFile"
    [[ $? != 0 ]] && fail "Unable to read credential hashes from database"
    # Generate the new users_roles file
    echo "select 'superuser:' || ici.identifier " \
      "from identity_credential_identifiers ici, identity_credentials ic " \
      "where ici.identity_credential_id=ic.id and instr(ic.config, 'hashed_password') " \
      "order by ici.identifier;" | \
      sqlite3 "$databasePath" \
      >> "$rolesTmpFile"
    [[ $? != 0 ]] && fail "Unable to read credential IDs from database"
  else
    echo "Database file does not exist yet, skipping users export"
  fi
  if [[ -s "${usersTmpFile}" ]]; then
    mv "${usersTmpFile}" "${elasticUsersFile}"
    mv "${rolesTmpFile}" "${elasticRolesFile}"
    if [[ -z "$SKIP_STATE_APPLY" ]]; then
      echo "Elastic state will be re-applied to affected minions. This may take several minutes..."
      echo "Applying elastic state to elastic minions at $(date)" >> /opt/so/log/soc/sync.log 2>&1
      salt -C 'G@role:so-standalone or G@role:so-eval or G@role:so-import or G@role:so-manager or G@role:so-managersearch or G@role:so-node or G@role:so-heavynode' state.apply elasticsearch queue=True >> /opt/so/log/soc/sync.log 2>&1
    fi
  else
    echo "Newly generated users/roles files are incomplete; aborting."
  fi
 }
 function syncAll() {
  if [[ -z "$FORCE_SYNC" && -f "$databasePath" && -f "$elasticUsersFile" ]]; then
    usersFileAgeSecs=$(echo $(($(date +%s) - $(date +%s -r "$elasticUsersFile"))))
    staleCount=$(echo "select count(*) from identity_credentials where updated_at >= Datetime('now', '-${usersFileAgeSecs} seconds');" \
      | sqlite3 "$databasePath")
    if [[ "$staleCount" == "0" ]]; then
      return 1
    fi
  fi
  syncElastic
  return 0
 }
 function listUsers() {
  response=$(curl -Ss -L ${kratosUrl}/identities)
  [[ $? != 0 ]] && fail "Unable to communicate with Kratos"
@@ -178,7 +306,7 @@ function updateStatus() {
    [[ $? != 0 ]] && fail "Unable to unlock credential record"
  fi  
-  updatedJson=$(echo "$response" | jq ".traits.status = \"$status\" | del(.verifiable_addresses) | del(.id) | del(.schema_url)")
+  updatedJson=$(echo "$response" | jq ".traits.status = \"$status\" | del(.verifiable_addresses) | del(.id) | del(.schema_url) | del(.created_at) | del(.updated_at)")
  response=$(curl -Ss -XPUT -L ${kratosUrl}/identities/$identityId -d "$updatedJson")
  [[ $? != 0 ]] && fail "Unable to mark user as locked"
@@ -208,12 +336,14 @@ case "${operation}" in
    verifyEnvironment
    [[ "$email" == "" ]] && fail "Email address must be provided"
    lock
    validateEmail "$email"
    updatePassword
    createUser "$email"
    syncAll
    echo "Successfully added new user to SOC"
-    check_container thehive && echo $password | so-thehive-user-add "$email"
+    check_container thehive && echo "$password" | so-thehive-user-add "$email"
-    check_container fleet && echo $password | so-fleet-user-add "$email"
+    check_container fleet && echo "$password" | so-fleet-user-add "$email"
    ;;
  "list")
@@ -225,7 +355,9 @@ case "${operation}" in
    verifyEnvironment
    [[ "$email" == "" ]] && fail "Email address must be provided"
    lock
    updateUser "$email"
    syncAll
    echo "Successfully updated user"
    ;;
@@ -233,7 +365,9 @@ case "${operation}" in
    verifyEnvironment
    [[ "$email" == "" ]] && fail "Email address must be provided"
    lock
    updateStatus "$email" 'active'
    syncAll
    echo "Successfully enabled user"
    check_container thehive && so-thehive-user-enable "$email" true
    check_container fleet && so-fleet-user-enable "$email" true   
@@ -243,7 +377,9 @@ case "${operation}" in
    verifyEnvironment
    [[ "$email" == "" ]] && fail "Email address must be provided"
    lock
    updateStatus "$email" 'locked'
    syncAll
    echo "Successfully disabled user"
    check_container thehive && so-thehive-user-enable "$email" false
    check_container fleet && so-fleet-user-enable "$email" false   
@@ -253,12 +389,19 @@ case "${operation}" in
    verifyEnvironment
    [[ "$email" == "" ]] && fail "Email address must be provided"
    lock
    deleteUser "$email"
    syncAll
    echo "Successfully deleted user"
    check_container thehive && so-thehive-user-enable "$email" false
    check_container fleet && so-fleet-user-enable "$email" false
    ;;
  "sync")
    lock
    syncAll
    ;;
  "validate")
    validateEmail "$email"
    updatePassword
--- a/salt/common/tools/sbin/so-zeek-logs
+++ b/salt/common/tools/sbin/so-zeek-logs
@@ -10,11 +10,10 @@ zeek_logs_enabled() {
 }
 whiptail_manager_adv_service_zeeklogs() {
-  BLOGS=$(whiptail --title "Security Onion Setup" --checklist "Please Select Logs to Send:" 24 78 12 \
+  BLOGS=$(whiptail --title "so-zeek-logs" --checklist "Please Select Logs to Send:" 24 78 12 \
  "conn" "Connection Logging" ON \
  "dce_rpc" "RPC Logs" ON \
  "dhcp" "DHCP Logs" ON \
  "dhcpv6" "DHCP IPv6 Logs" ON \
  "dnp3" "DNP3 Logs" ON \
  "dns" "DNS Logs" ON \
  "dpd" "DPD Logs" ON \
@@ -25,25 +24,20 @@ whiptail_manager_adv_service_zeeklogs() {
  "irc" "IRC Chat Logs" ON \
  "kerberos" "Kerberos Logs" ON \
  "modbus" "MODBUS Logs" ON \
  "mqtt" "MQTT Logs" ON \
  "notice" "Zeek Notice Logs" ON \
  "ntlm" "NTLM Logs" ON \
  "openvpn" "OPENVPN Logs" ON \
  "pe" "PE Logs" ON \
  "radius" "Radius Logs" ON \
  "rfb" "RFB Logs" ON \
  "rdp" "RDP Logs" ON \
  "signatures" "Signatures Logs" ON \
  "sip" "SIP Logs" ON \
  "smb_files" "SMB Files Logs" ON \
  "smb_mapping" "SMB Mapping Logs" ON \
  "smtp" "SMTP Logs" ON \
  "snmp" "SNMP Logs" ON \
  "software" "Software Logs" ON \
  "ssh" "SSH Logs" ON \
  "ssl" "SSL Logs" ON \
  "syslog" "Syslog Logs" ON \
  "telnet" "Telnet Logs" ON \
  "tunnel" "Tunnel Logs" ON \
  "weird" "Zeek Weird Logs" ON \
  "mysql" "MySQL Logs" ON \
@@ -61,10 +55,10 @@ whiptail_manager_adv_service_zeeklogs
 return_code=$?
 case $return_code in
  1)
-    whiptail --title "Security Onion Setup" --msgbox "Cancelling. No changes have been made." 8 75
+    whiptail --title "so-zeek-logs" --msgbox "Cancelling. No changes have been made." 8 75
    ;;
  255)
-    whiptail --title "Security Onion Setup" --msgbox "Whiptail error occured, exiting." 8 75
+    whiptail --title "so-zeek-logs" --msgbox "Whiptail error occured, exiting." 8 75
    ;;
  *)
    zeek_logs_enabled
--- a/salt/common/tools/sbin/so-zeek-stats
+++ b/salt/common/tools/sbin/so-zeek-stats
@@ -24,11 +24,11 @@ show_stats() {
  echo
  echo "Average throughput:"
  echo
-  docker exec so-zeek env -i PATH=/bin:/usr/bin:/sbin:/usr/sbin:/opt/bin:/usr/local/bin:/usr/local/sbin runuser -l zeek -c '/opt/zeek/bin/zeekctl capstats'
+  docker exec so-zeek env -i PATH=/bin:/usr/bin:/sbin:/usr/sbin:/opt/bin:/usr/local/bin:/usr/local/sbin /opt/zeek/bin/zeekctl capstats
  echo
  echo "Average packet loss:"
  echo
-  docker exec so-zeek env -i PATH=/bin:/usr/bin:/sbin:/usr/sbin:/opt/bin:/usr/local/bin:/usr/local/sbin runuser -l zeek -c '/opt/zeek/bin/zeekctl netstats'
+  docker exec so-zeek env -i PATH=/bin:/usr/bin:/sbin:/usr/sbin:/opt/bin:/usr/local/bin:/usr/local/sbin /opt/zeek/bin/zeekctl netstats
  echo
 }
--- a/salt/common/tools/sbin/soup
+++ b/salt/common/tools/sbin/soup
@@ -18,12 +18,82 @@
 . /usr/sbin/so-common
 UPDATE_DIR=/tmp/sogh/securityonion
 DEFAULT_SALT_DIR=/opt/so/saltstack/default
 INSTALLEDVERSION=$(cat /etc/soversion)
 POSTVERSION=$INSTALLEDVERSION
-INSTALLEDSALTVERSION=$(salt --versions-report | grep Salt: | awk {'print $2'})
+INSTALLEDSALTVERSION=$(salt --versions-report | grep Salt: | awk '{print $2}')
 BATCHSIZE=5
 SOUP_LOG=/root/soup.log
 INFLUXDB_MIGRATION_LOG=/opt/so/log/influxdb/soup_migration.log
 WHATWOULDYOUSAYYAHDOHERE=soup
 whiptail_title='Security Onion UPdater'
 check_err() {
  local exit_code=$1
  local err_msg="Unhandled error occured, please check $SOUP_LOG for details."
  [[ $ERR_HANDLED == true ]] && exit $exit_code
  if [[ $exit_code -ne 0 ]]; then
    printf '%s' "Soup failed with error $exit_code: "
    case $exit_code in
      2)
        echo 'No such file or directory'
      ;;
      5)
        echo 'Interrupted system call'
      ;;
      12)
        echo 'Out of memory'
      ;;
      28)
        echo 'No space left on device'
        echo 'Likely ran out of space on disk, please review hardware requirements for Security Onion: https://docs.securityonion.net/en/2.3/hardware.html'
      ;;
      30)
        echo 'Read-only file system'
      ;;
      35)
        echo 'Resource temporarily unavailable'
      ;;
      64)
        echo 'Machine is not on the network'
      ;;
      67)
        echo 'Link has been severed'
      ;;
      100)
        echo 'Network is down'
      ;;
      101)
        echo 'Network is unreachable'
      ;;
      102)
        echo 'Network reset'
      ;;
      110)
        echo 'Connection timed out'
      ;;
      111)
        echo 'Connection refused'
      ;;
      112)
        echo 'Host is down'
      ;;
      113)
        echo 'No route to host'
      ;;
      *)
        echo 'Unhandled error'
        echo "$err_msg"
      ;;
    esac
    if [[ $exit_code -ge 64 && $exit_code -le 113 ]]; then
      echo "$err_msg"
    fi
    exit $exit_code
  fi
 }
 add_common() {
  cp $UPDATE_DIR/salt/common/tools/sbin/so-common $DEFAULT_SALT_DIR/salt/common/tools/sbin/
@@ -39,15 +109,14 @@ airgap_mounted() {
    echo "The ISO is already mounted"
  else
    echo ""
-    echo "Looks like we need access to the upgrade content"
+    cat << EOF
-    echo "" 
+In order for soup to proceed, the path to the downloaded Security Onion ISO file, or the path to the CD-ROM or equivalent device containing the ISO media must be provided. 
-    echo "If you just copied the .iso file over you can specify the path."
+For example, if you have copied the new Security Onion ISO file to your home directory, then the path might look like /home/myuser/securityonion-2.x.y.iso. 
-    echo "If you burned the ISO to a disk the standard way you can specify the device."
+Or, if you have burned the new ISO onto an optical disk then the path might look like /dev/cdrom.
-    echo "Example: /home/user/securityonion-2.X.0.iso"
+
-    echo "Example: /dev/sdx1"
+EOF
-    echo ""
+    read -rp 'Enter the path to the new Security Onion ISO content: ' ISOLOC
-    read -p 'Enter the location of the iso: ' ISOLOC
+    if [[ -f $ISOLOC ]]; then
    if [ -f $ISOLOC ]; then
      # Mounting the ISO image
      mkdir -p /tmp/soagupdate
      mount -t iso9660 -o loop $ISOLOC /tmp/soagupdate
@@ -59,7 +128,7 @@ airgap_mounted() {
      else
        echo "ISO has been mounted!"
      fi  
-    elif [ -f $ISOLOC/SecurityOnion/VERSION ]; then
+    elif [[ -f $ISOLOC/SecurityOnion/VERSION ]]; then
      ln -s $ISOLOC /tmp/soagupdate
      echo "Found the update content"
    else 
@@ -77,9 +146,9 @@ airgap_mounted() {
 }
 airgap_update_dockers() {
-  if [ $is_airgap -eq 0 ]; then
+  if [[ $is_airgap -eq 0 ]]; then
    # Let's copy the tarball
-    if [ ! -f $AGDOCKER/registry.tar ]; then
+    if [[ ! -f $AGDOCKER/registry.tar ]]; then
      echo "Unable to locate registry. Exiting"
      exit 1
    else
@@ -87,9 +156,9 @@ airgap_update_dockers() {
      docker stop so-dockerregistry
      docker rm so-dockerregistry
      echo "Copying the new dockers over"
-      tar xvf $AGDOCKER/registry.tar -C /nsm/docker-registry/docker
+      tar xvf "$AGDOCKER/registry.tar" -C /nsm/docker-registry/docker
      echo "Add Registry back"
-      docker load -i $AGDOCKER/registry_image.tar
+      docker load -i "$AGDOCKER/registry_image.tar"
    fi
  fi
 }
@@ -100,6 +169,50 @@ update_registry() {
  salt-call state.apply registry queue=True
 }
 check_airgap() {
  # See if this is an airgap install
  AIRGAP=$(cat /opt/so/saltstack/local/pillar/global.sls | grep airgap: | awk '{print $2}')
  if [[ "$AIRGAP" == "True" ]]; then
      is_airgap=0
      UPDATE_DIR=/tmp/soagupdate/SecurityOnion
      AGDOCKER=/tmp/soagupdate/docker
      AGREPO=/tmp/soagupdate/Packages
  else 
      is_airgap=1
  fi
 }
 # {% raw %}
 check_local_mods() {
  local salt_local=/opt/so/saltstack/local
  local_mod_arr=()
  while IFS= read -r -d '' local_file; do
    stripped_path=${local_file#"$salt_local"}
    default_file="${DEFAULT_SALT_DIR}${stripped_path}"
    if [[ -f $default_file ]]; then
      file_diff=$(diff "$default_file" "$local_file" )
      if [[ $(echo "$file_diff" | grep -c "^<") -gt 0 ]]; then
        local_mod_arr+=( "$local_file" )
      fi
    fi
  done< <(find $salt_local -type f -print0)
  if [[ ${#local_mod_arr} -gt 0 ]]; then
    echo "Potentially breaking changes found in the following files (check ${DEFAULT_SALT_DIR} for original copy):"
    for file_str in "${local_mod_arr[@]}"; do
      echo "  $file_str"
    done
    echo ""
    echo "To reference this list later, check $SOUP_LOG"
    sleep 10
  fi
 }
 # {% endraw %}
 check_sudoers() {
  if grep -q "so-setup" /etc/sudoers; then
    echo "There is an entry for so-setup in the sudoers file, this can be safely deleted using \"visudo\"."
@@ -177,7 +290,9 @@ check_os_updates() {
          echo "Continuing without updating packages"
      elif [[ "$confirm" == [uU] ]]; then
          echo "Applying Grid Updates"
-          salt \* -b 5 state.apply patch.os queue=True
+          set +e
          run_check_net_err "salt '*' -b 5 state.apply patch.os queue=True" 'Could not apply OS updates, please check your network connection.'
          set -e
      else
          echo "Exiting soup"
          exit 0
@@ -217,7 +332,7 @@ generate_and_clean_tarballs() {
  local new_version
  new_version=$(cat $UPDATE_DIR/VERSION)
  [ -d /opt/so/repo ] || mkdir -p /opt/so/repo
-  tar -czf "/opt/so/repo/$new_version.tar.gz" "$UPDATE_DIR"
+  tar -czf "/opt/so/repo/$new_version.tar.gz" -C "$UPDATE_DIR" .
  find "/opt/so/repo" -type f -not -name "$new_version.tar.gz" -exec rm -rf {} \;
 }
@@ -247,13 +362,6 @@ masterunlock() {
  fi
 }
 preupgrade_changes_2.3.50_repo() {
    # We made repo changes in 2.3.50 and this prepares for that on upgrade
    echo "Checking to see if 2.3.50 repo changes are needed."
    [[ "$INSTALLEDVERSION" == 2.3.30 || "$INSTALLEDVERSION" == 2.3.40 ]] && up_2.3.3X_to_2.3.50_repo
 }
 preupgrade_changes() {
    # This function is to add any new pillar items if needed.
    echo "Checking to see if changes are needed."
@@ -264,6 +372,7 @@ preupgrade_changes() {
    [[ "$INSTALLEDVERSION" == 2.3.0 || "$INSTALLEDVERSION" == 2.3.1 || "$INSTALLEDVERSION" == 2.3.2 || "$INSTALLEDVERSION" == 2.3.10 ]] && up_2.3.0_to_2.3.20
    [[ "$INSTALLEDVERSION" == 2.3.20 || "$INSTALLEDVERSION" == 2.3.21 ]] && up_2.3.2X_to_2.3.30
    [[ "$INSTALLEDVERSION" == 2.3.30 || "$INSTALLEDVERSION" == 2.3.40 ]] && up_2.3.3X_to_2.3.50
    true
 }
 postupgrade_changes() {
@@ -273,6 +382,8 @@ postupgrade_changes() {
    [[ "$POSTVERSION" =~ rc.1 ]] && post_rc1_to_rc2
    [[ "$POSTVERSION" == 2.3.20 || "$POSTVERSION" == 2.3.21 ]] && post_2.3.2X_to_2.3.30
    [[ "$POSTVERSION" == 2.3.30 ]] && post_2.3.30_to_2.3.40
    [[ "$POSTVERSION" == 2.3.50 ]] && post_2.3.5X_to_2.3.60
    true
 }
 post_rc1_to_2.3.21() {
@@ -293,6 +404,10 @@ post_2.3.30_to_2.3.40() {
  POSTVERSION=2.3.40
 }
 post_2.3.5X_to_2.3.60() {
  POSTVERSION=2.3.60
 }
 rc1_to_rc2() {
@@ -426,7 +541,7 @@ up_2.3.2X_to_2.3.30() {
  sed -i "/  imagerepo: securityonion/c\  imagerepo: 'security-onion-solutions'" /opt/so/saltstack/local/pillar/global.sls 
  # Strelka rule repo pillar addition
-  if [ $is_airgap -eq 0 ]; then
+  if [[ $is_airgap -eq 0 ]]; then
      # Add manager as default Strelka YARA rule repo
      sed -i "/^strelka:/a \\  repos: \n    - https://$HOSTNAME/repo/rules/strelka" /opt/so/saltstack/local/pillar/global.sls;
  else
@@ -437,8 +552,8 @@ up_2.3.2X_to_2.3.30() {
  INSTALLEDVERSION=2.3.30
 }
-up_2.3.3X_to_2.3.50_repo() {
+upgrade_to_2.3.50_repo() {
-  echo "Performing 2.3.50 repo actions."
+  echo "Performing repo changes."
  if [[ "$OS" == "centos" ]]; then
    # Import GPG Keys
    gpg_rpm_import
@@ -453,7 +568,7 @@ up_2.3.3X_to_2.3.50_repo() {
        rm -f "/etc/yum.repos.d/$DELREPO.repo"
      fi
    done
-    if [ $is_airgap -eq 1 ]; then
+    if [[ $is_airgap -eq 1 ]]; then
      # Copy the new repo file if not airgap
      cp $UPDATE_DIR/salt/repo/client/files/centos/securityonion.repo /etc/yum.repos.d/
      yum clean all
@@ -569,7 +684,7 @@ upgrade_check() {
  # Let's make sure we actually need to update.
  NEWVERSION=$(cat $UPDATE_DIR/VERSION)
  HOTFIXVERSION=$(cat $UPDATE_DIR/HOTFIX)
-  CURRENTHOTFIX=$(cat /etc/sohotfix 2>/dev/null)
+  [[ -f /etc/sohotfix ]] && CURRENTHOTFIX=$(cat /etc/sohotfix)
  if [ "$INSTALLEDVERSION" == "$NEWVERSION" ]; then
    echo "Checking to see if there are hotfixes needed"
    if [ "$HOTFIXVERSION" == "$CURRENTHOTFIX" ]; then
@@ -586,13 +701,14 @@ upgrade_check() {
 }
 upgrade_check_salt() {
-  NEWSALTVERSION=$(grep version: $UPDATE_DIR/salt/salt/master.defaults.yaml | awk {'print $2'})
+  NEWSALTVERSION=$(grep version: $UPDATE_DIR/salt/salt/master.defaults.yaml | awk '{print $2}')
  if [ "$INSTALLEDSALTVERSION" == "$NEWSALTVERSION" ]; then
    echo "You are already running the correct version of Salt for Security Onion."
  else
    UPGRADESALT=1
  fi
 }   
 upgrade_salt() {
  SALTUPGRADED=True
  echo "Performing upgrade of Salt from $INSTALLEDSALTVERSION to $NEWSALTVERSION."
@@ -604,7 +720,11 @@ upgrade_salt() {
    yum versionlock delete "salt-*"
    echo "Updating Salt packages and restarting services."
    echo ""
-    sh $UPDATE_DIR/salt/salt/scripts/bootstrap-salt.sh -r -F -M -x python3 stable "$NEWSALTVERSION"
+    set +e
    run_check_net_err \
    "sh $UPDATE_DIR/salt/salt/scripts/bootstrap-salt.sh -r -F -M -x python3 stable \"$NEWSALTVERSION\"" \
    "Could not update salt, please check $SOUP_LOG for details."
    set -e
    echo "Applying yum versionlock for Salt."
    echo ""
    yum versionlock add "salt-*"
@@ -617,7 +737,11 @@ upgrade_salt() {
    apt-mark unhold "salt-minion"
    echo "Updating Salt packages and restarting services."
    echo ""
-    sh $UPDATE_DIR/salt/salt/scripts/bootstrap-salt.sh -F -M -x python3 stable "$NEWSALTVERSION"
+    set +e
    run_check_net_err \
    "sh $UPDATE_DIR/salt/salt/scripts/bootstrap-salt.sh -F -M -x python3 stable \"$NEWSALTVERSION\"" \
    "Could not update salt, please check $SOUP_LOG for details."
    set -e
    echo "Applying apt hold for Salt."
    echo ""
    apt-mark hold "salt-common"
@@ -642,7 +766,7 @@ verify_latest_update_script() {
    cp $UPDATE_DIR/salt/common/tools/sbin/soup $DEFAULT_SALT_DIR/salt/common/tools/sbin/
    cp $UPDATE_DIR/salt/common/tools/sbin/so-common $DEFAULT_SALT_DIR/salt/common/tools/sbin/
    cp $UPDATE_DIR/salt/common/tools/sbin/so-image-common $DEFAULT_SALT_DIR/salt/common/tools/sbin/
-    salt-call state.apply common queue=True
+    salt-call state.apply -l info common queue=True
    echo ""
    echo "soup has been updated. Please run soup again."
    exit 0
@@ -650,7 +774,11 @@ verify_latest_update_script() {
 }
 main() {
-echo "### Preparing soup at `date` ###"
+  set -e
  set +e
  trap 'check_err $?' EXIT
  echo "### Preparing soup at $(date) ###"
  while getopts ":b" opt; do
    case "$opt" in
      b ) # process option b
@@ -671,29 +799,30 @@ echo "Checking to see if this is a manager."
  echo ""
  require_manager
  set_minionid
-echo "Checking to see if this is an airgap install"
+  echo "Checking to see if this is an airgap install."
  echo ""
  check_airgap
  echo "Found that Security Onion $INSTALLEDVERSION is currently installed."
  echo ""
-set_os
+  if [[ $is_airgap -eq 0 ]]; then
 set_palette
 check_elastic_license
 echo ""
 if [ $is_airgap -eq 0 ]; then
    # Let's mount the ISO since this is airgap
    echo "This is airgap. Ask for a location."
    airgap_mounted
  else
    echo "Cloning Security Onion github repo into $UPDATE_DIR."
    echo "Removing previous upgrade sources."
    rm -rf $UPDATE_DIR
    echo "Cloning the Security Onion Repo."
    clone_to_tmp
  fi
 check_os_updates
 echo ""
  echo "Verifying we have the latest soup script."
  verify_latest_update_script
  echo ""
  set_os
  set_palette
  check_elastic_license
  echo ""
  check_os_updates
  echo "Generating new repo archive"
  generate_and_clean_tarballs
@@ -709,7 +838,7 @@ upgrade_space
  echo "Checking for Salt Master and Minion updates."
  upgrade_check_salt
-
+  set -e
  if [ "$is_hotfix" == "true" ]; then
    echo "Applying $HOTFIXVERSION" 
@@ -717,37 +846,40 @@ if [ "$is_hotfix" == "true" ]; then
    echo ""
    update_version
    salt-call state.highstate -l info queue=True
  else
    echo ""
    echo "Performing upgrade from Security Onion $INSTALLEDVERSION to Security Onion $NEWVERSION."
    echo ""
    echo "Updating dockers to $NEWVERSION."
-  if [ $is_airgap -eq 0 ]; then
+    if [[ $is_airgap -eq 0 ]]; then
      airgap_update_dockers
      update_centos_repo
      yum clean all
      check_os_updates
    else
      update_registry
      set +e
      update_docker_containers "soup"
      set -e
    fi
    echo ""
    echo "Stopping Salt Minion service."
    systemctl stop salt-minion
    echo "Killing any remaining Salt Minion processes."
    set +e
    pkill -9 -ef /usr/bin/salt-minion
    set -e
    echo ""
    echo "Stopping Salt Master service."
    systemctl stop salt-master
    echo ""
-  preupgrade_changes_2.3.50_repo
+    upgrade_to_2.3.50_repo
    # Does salt need upgraded. If so update it.
-  if [ "$UPGRADESALT" == "1" ]; then
+    if [[ $UPGRADESALT -eq 1 ]]; then
      echo "Upgrading Salt"
      # Update the repo files so it can actually upgrade
      upgrade_salt
@@ -756,7 +888,7 @@ else
    echo "Checking if Salt was upgraded."
    echo ""
    # Check that Salt was upgraded
-  SALTVERSIONPOSTUPGRADE=$(salt --versions-report | grep Salt: | awk {'print $2'})
+    SALTVERSIONPOSTUPGRADE=$(salt --versions-report | grep Salt: | awk '{print $2}')
    if [[ "$SALTVERSIONPOSTUPGRADE" != "$NEWSALTVERSION" ]]; then
      echo "Salt upgrade failed. Check of indicators of failure in $SOUP_LOG."
      echo "Once the issue is resolved, run soup again."
@@ -771,13 +903,13 @@ else
    preupgrade_changes
    echo ""
-  if [ $is_airgap -eq 0 ]; then
+    if [[ $is_airgap -eq 0 ]]; then
      echo "Updating Rule Files to the Latest."
      update_airgap_rules
    fi
    # Only update the repo if its airgap
-  if [[ $is_airgap -eq 0 ]] && [[ "$UPGRADESALT" != "1" ]]; then
+    if [[ $is_airgap -eq 0 && $UPGRADESALT -ne 1 ]]; then
      update_centos_repo
    fi
@@ -795,6 +927,17 @@ else
    echo "Starting Salt Master service."
    systemctl start salt-master
    # Testing that salt-master is up by checking that is it connected to itself
    set +e
    echo "Waiting on the Salt Master service to be ready."
    salt-call state.show_top -l error queue=True || fail "salt-master could not be reached. Check $SOUP_LOG for details."
    set -e
    echo ""
    echo "Ensuring python modules for Salt are installed and patched."
    salt-call state.apply salt.python3-influxdb -l info queue=True
    echo ""
    # Only regenerate osquery packages if Fleet is enabled
    FLEET_MANAGER=$(lookup_pillar fleet_manager)
    FLEET_NODE=$(lookup_pillar fleet_node)
@@ -807,7 +950,9 @@ else
    echo ""
    echo "Running a highstate to complete the Security Onion upgrade on this manager. This could take several minutes."
    set +e
    salt-call state.highstate -l info queue=True
    set -e
    echo ""
    echo "Upgrade from $INSTALLEDVERSION to $NEWVERSION complete."
@@ -820,14 +965,21 @@ else
    echo ""
    echo "Starting Salt Master service."
    systemctl start salt-master
    set +e
    echo "Waiting on the Salt Master service to be ready."
    salt-call state.show_top -l error queue=True || fail "salt-master could not be reached. Check $SOUP_LOG for details."
    set -e
    echo "Running a highstate. This could take several minutes."
    salt-call state.highstate -l info queue=True
    postupgrade_changes
-  unmount_update
+    [[ $is_airgap -eq 0 ]] && unmount_update
    thehive_maint
-  if [ "$UPGRADESALT" == "1" ]; then
+    NUM_MINIONS=$(ls /opt/so/saltstack/local/pillar/minions/*_*.sls | wc -l)
-    if [ $is_airgap -eq 0 ]; then
+    if [[ $UPGRADESALT -eq 1 ]] && [[ $NUM_MINIONS -gt 1 ]]; then
      if [[ $is_airgap -eq 0 ]]; then
        echo ""
        echo "Cleaning repos on remote Security Onion nodes."
        salt -C 'not *_eval and not *_helixsensor and not *_manager and not *_managersearch and not *_standalone and G@os:CentOS' cmd.run "yum clean all"
@@ -835,6 +987,8 @@ else
      fi
    fi
    check_local_mods
    check_sudoers
    if [[ -n $lsl_msg ]]; then
@@ -853,9 +1007,7 @@ else
      esac
    fi
-  NUM_MINIONS=$(ls /opt/so/saltstack/local/pillar/minions/*_*.sls | wc -l)
+    if [[ $NUM_MINIONS -gt 1 ]]; then
  if [ $NUM_MINIONS -gt 1 ]; then
      cat << EOF
@@ -874,7 +1026,7 @@ EOF
    fi
  fi
-echo "### soup has been served at `date` ###"
+  echo "### soup has been served at $(date) ###"
 }
 cat << EOF
@@ -889,6 +1041,7 @@ Press Enter to continue or Ctrl-C to cancel.
 EOF
-read input
+read -r input
 main "$@" | tee -a $SOUP_LOG
--- a/salt/curator/files/bin/so-curator-closed-delete-delete
+++ b/salt/curator/files/bin/so-curator-closed-delete-delete
@@ -4,7 +4,7 @@
 {%- if grains['role'] in ['so-node', 'so-heavynode'] %}
  {%- set ELASTICSEARCH_HOST = salt['pillar.get']('elasticsearch:mainip', '') -%}  
  {%- set ELASTICSEARCH_PORT = salt['pillar.get']('elasticsearch:es_port', '') -%}
-{%- elif grains['role'] in ['so-eval', 'so-managersearch', 'so-standalone'] %}
+{%- elif grains['role'] in ['so-eval', 'so-managersearch', 'so-standalone', 'so-manager'] %}
  {%- set ELASTICSEARCH_HOST = salt['pillar.get']('manager:mainip', '') -%}
  {%- set ELASTICSEARCH_PORT = salt['pillar.get']('manager:es_port', '') -%}
 {%- endif -%}
@@ -34,7 +34,7 @@ overlimit() {
 closedindices() {
-        INDICES=$(curl -s -k https://{{ELASTICSEARCH_HOST}}:{{ELASTICSEARCH_PORT}}/_cat/indices?h=index\&expand_wildcards=closed 2> /dev/null)
+        INDICES=$({{ ELASTICCURL }} -s -k https://{{ELASTICSEARCH_HOST}}:{{ELASTICSEARCH_PORT}}/_cat/indices?h=index\&expand_wildcards=closed 2> /dev/null)
        [ $? -eq 1 ] && return false 
        echo ${INDICES} | grep -q -E "(logstash-|so-)"
 }
@@ -49,10 +49,10 @@ while overlimit && closedindices; do
 	# First, get the list of closed indices using _cat/indices?h=index\&expand_wildcards=closed.
 	# Then, sort by date by telling sort to use hyphen as delimiter and then sort on the third field.
 	# Finally, select the first entry in that sorted list.
-	OLDEST_INDEX=$(curl -s -k https://{{ELASTICSEARCH_HOST}}:{{ELASTICSEARCH_PORT}}/_cat/indices?h=index\&expand_wildcards=closed | grep -E "(logstash-|so-)" | sort -t- -k3 | head -1)
+	OLDEST_INDEX=$({{ ELASTICCURL }} -s -k https://{{ELASTICSEARCH_HOST}}:{{ELASTICSEARCH_PORT}}/_cat/indices?h=index\&expand_wildcards=closed | grep -E "(logstash-|so-)" | sort -t- -k3 | head -1)
 	# Now that we've determined OLDEST_INDEX, ask Elasticsearch to delete it.
-	curl -XDELETE -k https://{{ELASTICSEARCH_HOST}}:{{ELASTICSEARCH_PORT}}/${OLDEST_INDEX}
+	{{ ELASTICCURL }} -XDELETE -k https://{{ELASTICSEARCH_HOST}}:{{ELASTICSEARCH_PORT}}/${OLDEST_INDEX}
 	# Finally, write a log entry that says we deleted it.
 	echo "$(date) - Used disk space exceeds LOG_SIZE_LIMIT ({{LOG_SIZE_LIMIT}} GB) - Index ${OLDEST_INDEX} deleted ..." >> ${LOG}
--- a/salt/curator/files/curator.yml
+++ b/salt/curator/files/curator.yml
@@ -1,8 +1,15 @@
 {% if grains['role'] in ['so-node', 'so-heavynode'] %}
  {%- set elasticsearch = salt['pillar.get']('elasticsearch:mainip', '') -%}
-{% elif grains['role'] in ['so-eval', 'so-managersearch', 'so-standalone'] %}
+{% elif grains['role'] in ['so-eval', 'so-managersearch', 'so-standalone', 'so-manager'] %}
  {%- set elasticsearch = salt['pillar.get']('manager:mainip', '') -%}
 {%- endif %}
 {%- if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %}
 {%-   set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %}
 {%-   set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %}
 {%- else %}
 {%-   set ES_USER = '' %}
 {%-   set ES_PASS = '' %}
 {%- endif %}
 ---
 # Remember, leave a key empty if there is no value.  None will be a string,
@@ -11,13 +18,15 @@ client:
  hosts:
    - {{elasticsearch}}
  port: 9200
 {%- if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %}
  http_auth: {{ ES_USER }}:{{ ES_PASS }}
 {%- endif %}
  url_prefix:
  use_ssl: True
  certificate:
  client_cert:
  client_key:
  ssl_no_validate: True
  http_auth:
  timeout: 30
  master_only: False
--- a/salt/curator/init.sls
+++ b/salt/curator/init.sls
@@ -4,7 +4,10 @@
 {% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %}
 {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %}
 {% set MANAGER = salt['grains.get']('master') %}
-{% if grains['role'] in ['so-eval', 'so-node', 'so-managersearch', 'so-heavynode', 'so-standalone'] %}
+{% set REMOVECURATORCRON = False %}
 {% if grains['role'] in ['so-eval', 'so-node', 'so-managersearch', 'so-heavynode', 'so-standalone', 'so-manager'] %}
  {% from 'elasticsearch/auth.map.jinja' import ELASTICAUTH with context %}
  {% from "curator/map.jinja" import CURATOROPTIONS with context %}
 # Curator
 # Create the group
 curatorgroup:
@@ -48,6 +51,7 @@ curconf:
    - source: salt://curator/files/curator.yml
    - user: 934
    - group: 939
    - mode: 660
    - template: jinja
 curcloseddel:
@@ -66,6 +70,8 @@ curcloseddeldel:
    - group: 939
    - mode: 755
    - template: jinja
    - defaults:
        ELASTICCURL: {{ ELASTICAUTH.elasticcurl }}
 curclose:
  file.managed:
@@ -83,6 +89,81 @@ curdel:
    - group: 939
    - mode: 755
 so-curator:
  docker_container.{{ CURATOROPTIONS.status }}:
  {% if CURATOROPTIONS.status == 'running' %}
    - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-curator:{{ VERSION }}
    - start: {{ CURATOROPTIONS.start }}
    - hostname: curator
    - name: so-curator
    - user: curator
    - interactive: True
    - tty: True
    - binds:
      - /opt/so/conf/curator/curator.yml:/etc/curator/config/curator.yml:ro
      - /opt/so/conf/curator/action/:/etc/curator/action:ro
      - /opt/so/log/curator:/var/log/curator:rw
    - require:
      - file: actionconfs
      - file: curconf
      - file: curlogdir
  {% else %}
    - force: True
  {% endif %}
  {% if CURATOROPTIONS.manage_sostatus %}
 append_so-curator_so-status.conf:
  file.append:
    - name: /opt/so/conf/so-status/so-status.conf
    - text: so-curator
    - unless: grep -q so-curator /opt/so/conf/so-status/so-status.conf
    {% if not CURATOROPTIONS.start %}
 so-curator_so-status.disabled:
  file.comment:
    - name: /opt/so/conf/so-status/so-status.conf
    - regex: ^so-curator$
      # need to remove cronjobs here since curator is disabled
      {% set REMOVECURATORCRON = True %}    
    {% else %}
 delete_so-curator_so-status.disabled:
  file.uncomment:
    - name: /opt/so/conf/so-status/so-status.conf
    - regex: ^so-curator$
    {% endif %}
  {% else %}
 delete_so-curator_so-status:
  file.line:
    - name: /opt/so/conf/so-status/so-status.conf
    - match: ^so-curator$
    - mode: delete
    # need to remove cronjobs here since curator is disabled
    {% set REMOVECURATORCRON = True %}
  {% endif %}
  {% if REMOVECURATORCRON %}
 so-curatorcloseddeletecron:
 cron.absent:
   - name: /usr/sbin/so-curator-closed-delete > /opt/so/log/curator/cron-closed-delete.log 2>&1
   - user: root
 so-curatorclosecron:
 cron.absent:
   - name: /usr/sbin/so-curator-close > /opt/so/log/curator/cron-close.log 2>&1
   - user: root
 so-curatordeletecron:
 cron.absent:
   - name: /usr/sbin/so-curator-delete > /opt/so/log/curator/cron-delete.log 2>&1
   - user: root
  {% else %}
 so-curatorcloseddeletecron:
 cron.present:
   - name: /usr/sbin/so-curator-closed-delete > /opt/so/log/curator/cron-closed-delete.log 2>&1
@@ -113,23 +194,7 @@ so-curatordeletecron:
   - month: '*'
   - dayweek: '*'
-so-curator:
+  {% endif %}
  docker_container.running:
    - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-curator:{{ VERSION }}
    - hostname: curator
    - name: so-curator
    - user: curator
    - interactive: True
    - tty: True
    - binds:
      - /opt/so/conf/curator/curator.yml:/etc/curator/config/curator.yml:ro
      - /opt/so/conf/curator/action/:/etc/curator/action:ro
      - /opt/so/log/curator:/var/log/curator:rw
 append_so-curator_so-status.conf:
  file.append:
    - name: /opt/so/conf/so-status/so-status.conf
    - text: so-curator
 # Begin Curator Cron Jobs
--- a/salt/curator/map.jinja
+++ b/salt/curator/map.jinja
@@ -0,0 +1,16 @@
 {% set CURATOROPTIONS = {} %}
 {% set ENABLED = salt['pillar.get']('curator:enabled', True) %}
 {% set TRUECLUSTER = salt['pillar.get']('elasticsearch:true_cluster', False) %}
 {% do CURATOROPTIONS.update({'manage_sostatus': True}) %}
 # don't start the docker container if curator is disabled via pillar
 {% if not ENABLED or grains.id.split('_')|last == 'manager'%}
  {% do CURATOROPTIONS.update({'start': False}) %}
  {% do CURATOROPTIONS.update({'status': 'absent'}) %}
  {% if grains.id.split('_')|last == 'manager' %}
    {% do CURATOROPTIONS.update({'manage_sostatus': False}) %}
  {% endif %}
 {% else %}
  {% do CURATOROPTIONS.update({'start': True}) %}
  {% do CURATOROPTIONS.update({'status': 'running'}) %}
 {% endif %}
--- a/salt/elastalert/defaults.yaml
+++ b/salt/elastalert/defaults.yaml
@@ -1,3 +1,5 @@
 {%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %}
 {%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %}
 elastalert:
  config:
    rules_folder: /opt/elastalert/rules/
@@ -19,8 +21,10 @@ elastalert:
    use_ssl: true
    verify_certs: false
    #es_send_get_body_as: GET
-    #es_username: someusername
+{%- if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %}
-    #es_password: somepassword
+    es_username: {{ ES_USER }}
    es_password: {{ ES_PASS }}
 {%- endif %}
    writeback_index: elastalert_status
    alert_time_limit:
      days: 2
--- a/salt/elastalert/files/modules/so/playbook-es.py
+++ b/salt/elastalert/files/modules/so/playbook-es.py
@@ -12,16 +12,21 @@ class PlaybookESAlerter(Alerter):
    Use matched data to create alerts in elasticsearch
    """
-    required_options = set(['play_title','play_url','sigma_level','elasticsearch_host'])
+    required_options = set(['play_title','play_url','sigma_level'])
    def alert(self, matches):
       for match in matches:
            today = strftime("%Y.%m.%d", gmtime())
            timestamp = strftime("%Y-%m-%d"'T'"%H:%M:%S"'.000Z', gmtime())
            headers = {"Content-Type": "application/json"}
            creds = None
            if 'es_username' in self.rule and 'es_password' in self.rule:
                creds = (self.rule['es_username'], self.rule['es_password'])
            payload = {"rule": { "name": self.rule['play_title'],"case_template": self.rule['play_id'],"uuid": self.rule['play_id'],"category": self.rule['rule.category']},"event":{ "severity": self.rule['event.severity'],"module": self.rule['event.module'],"dataset": self.rule['event.dataset'],"severity_label": self.rule['sigma_level']},"kibana_pivot": self.rule['kibana_pivot'],"soc_pivot": self.rule['soc_pivot'],"play_url": self.rule['play_url'],"sigma_level": self.rule['sigma_level'],"event_data": match, "@timestamp": timestamp}
-            url = f"https://{self.rule['elasticsearch_host']}/so-playbook-alerts-{today}/_doc/"
+            url = f"https://{self.rule['es_host']}:{self.rule['es_port']}/so-playbook-alerts-{today}/_doc/"
-            requests.post(url, data=json.dumps(payload), headers=headers, verify=False)
+            requests.post(url, data=json.dumps(payload), headers=headers, verify=False, auth=creds)
    def get_info(self):
        return {'type': 'PlaybookESAlerter'} 
--- a/salt/elastalert/init.sls
+++ b/salt/elastalert/init.sls
@@ -99,14 +99,12 @@ elastaconf:
        elastalert_config: {{ elastalert_config.elastalert.config }}
    - user: 933
    - group: 933
    - mode: 660
    - template: jinja
 wait_for_elasticsearch:
-  module.run:
+  cmd.run:
-    - http.wait_for_successful_query:
+    - name: so-elasticsearch-wait
      - url: 'https://{{MANAGER}}:9200/_cat/indices/.kibana*'
      - wait_for: 180
      - verify_ssl: False
 so-elastalert:
  docker_container.running:
@@ -123,7 +121,7 @@ so-elastalert:
    - extra_hosts:
      - {{MANAGER_URL}}:{{MANAGER_IP}}
    - require:
-      - module: wait_for_elasticsearch
+      - cmd: wait_for_elasticsearch
    - watch:
      - file: elastaconf
--- a/salt/elasticsearch/auth.map.jinja
+++ b/salt/elasticsearch/auth.map.jinja
@@ -0,0 +1,7 @@
 {% set ELASTICAUTH = salt['pillar.filter_by']({
    True: {
      'user': salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user'), 
      'pass': salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass'), 
      'elasticcurl':'curl -K /opt/so/conf/elasticsearch/curl.config' },
    False: {'elasticcurl': 'curl'},
 }, pillar='elasticsearch:auth:enabled', default=False) %}
--- a/salt/elasticsearch/auth.sls
+++ b/salt/elasticsearch/auth.sls
@@ -0,0 +1,39 @@
 {% set so_elastic_user_pass = salt['random.get_str'](20) %}
 {% set so_kibana_user_pass = salt['random.get_str'](20) %}
 {% set so_logstash_user_pass = salt['random.get_str'](20) %}
 {% set so_beats_user_pass = salt['random.get_str'](20) %}
 {% set so_monitor_user_pass = salt['random.get_str'](20) %}
 elastic_auth_pillar:
  file.managed:
    - name: /opt/so/saltstack/local/pillar/elasticsearch/auth.sls
    - mode: 600
    - reload_pillar: True
    - contents: |
        elasticsearch:
          auth:
            enabled: False
            users:
              so_elastic_user:
                user: so_elastic
                pass: {{ so_elastic_user_pass }}
              so_kibana_user:
                user: so_kibana
                pass: {{ so_kibana_user_pass }}
              so_logstash_user:
                user: so_logstash
                pass: {{ so_logstash_user_pass }}
              so_beats_user:
                user: so_beats
                pass: {{ so_beats_user_pass }}
              so_monitor_user:
                user: so_monitor
                pass: {{ so_monitor_user_pass }}
    # since we are generating a random password, and we don't want that to happen everytime
    # a highstate runs, we only manage the file each user isn't present in the file. if the
    # pillar file doesn't exists, then the default vault provided to pillar.get should not
    # be within the file either, so it should then be created
    - unless:
    {% for so_app_user, values in salt['pillar.get']('elasticsearch:auth:users', {'so_noapp_user': {'user': 'r@NDumu53Rd0NtDOoP'}}).items() %}
      - grep {{ values.user }} /opt/so/saltstack/local/pillar/elasticsearch/auth.sls
    {% endfor%}
--- a/salt/elasticsearch/files/curl.config.template
+++ b/salt/elasticsearch/files/curl.config.template
@@ -0,0 +1 @@
 user = "{{ salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user') }}:{{ salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass') }}"
--- a/salt/elasticsearch/files/elasticsearch.yml
+++ b/salt/elasticsearch/files/elasticsearch.yml
@@ -30,13 +30,15 @@ xpack.security.http.ssl.client_authentication: none
 xpack.security.http.ssl.key: /usr/share/elasticsearch/config/elasticsearch.key
 xpack.security.http.ssl.certificate: /usr/share/elasticsearch/config/elasticsearch.crt
 xpack.security.http.ssl.certificate_authorities: /usr/share/elasticsearch/config/ca.crt
 {% if not salt['pillar.get']('elasticsearch:auth:enabled', False) %}
 xpack.security.authc:
  anonymous:
    username: anonymous_user
    roles: superuser
    authz_exception: true
 {% endif %}
 node.name: {{ grains.host }}
-script.max_compilations_rate: 1000/1m
+script.max_compilations_rate: 20000/1m
 {%- if TRUECLUSTER is sameas true %}
  {%- if grains.role == 'so-manager' %}
    {%- if salt['pillar.get']('nodestab', {}) %}
@@ -47,6 +49,16 @@ discovery.seed_hosts:
   - {{ SN.split('_')|first }}
      {%- endfor %}
    {%- endif %}
  {%- elif grains.role == 'so-managersearch' %}
      {%- if salt['pillar.get']('nodestab', {}) %}
 node.roles: [ master, data, remote_cluster_client ]
 discovery.seed_hosts:
   - {{ grains.master }}
      {%- for SN, SNDATA in salt['pillar.get']('nodestab', {}).items() %}
   - {{ SN.split('_')|first }}
      {%- endfor %}
    {%- endif %}
 node.attr.box_type: {{ NODE_ROUTE_TYPE }}
  {%- else %}
 node.roles: {{ NODE_ROLES }}
 node.attr.box_type: {{ NODE_ROUTE_TYPE }}
--- a/salt/elasticsearch/files/ingest/filterlog
+++ b/salt/elasticsearch/files/ingest/filterlog
@@ -51,7 +51,7 @@
     },
     { "set":         { "field": "_index",        "value": "so-firewall", "override": true           } },
     { "set":         { "if": "ctx.network?.transport_id == '0'", "field": "network.transport",        "value": "icmp", "override": true           } },
-     {"community_id": { "if": "ctx.network?.transport != null", "field":["source.ip","source.port","destination.ip","destination.port","network.transport"],"target_field":"network.community_id"}},
+     {"community_id": {} },
     { "set":         { "field": "module",        "value": "pfsense", "override": true           } },
     { "set":         { "field": "dataset",        "value": "firewall", "override": true           } },
     { "remove":      { "field": ["real_message", "ip_sub_msg", "firewall.sub_message"],     "ignore_failure": true  } }
--- a/salt/elasticsearch/files/ingest/logscan.alert
+++ b/salt/elasticsearch/files/ingest/logscan.alert
@@ -0,0 +1,29 @@
 {
    "description": "logscan",
    "processors": [
        { "set": { "field": "event.severity", "value": 2 } },
        { "json": { "field": "message", "add_to_root": true, "ignore_failure": true } },
        { "rename": { "field": "@timestamp", "target_field": "event.ingested", "ignore_missing": true } },
        { "date": { "field": "timestamp", "target_field": "event.created", "formats": [ "ISO8601", "UNIX" ], "ignore_failure": true } },
        { "date": { "field": "start_time", "target_field": "@timestamp", "formats": [ "ISO8601", "UNIX" ], "ignore_failure": true } },
        { "date": { "field": "start_time", "target_field": "event.start", "formats": [ "ISO8601", "UNIX" ], "ignore_failure": true } },
        { "date": { "field": "end_time", "target_field": "event.end", "formats": [ "ISO8601", "UNIX" ], "ignore_failure": true } },
        { "remove": { "field": "start_time", "ignore_missing": true } },
        { "remove": { "field": "end_time", "ignore_missing": true } },
        { "rename": { "field": "source_ip", "target_field": "source.ip", "ignore_missing": true } },
        { "rename": { "field": "top_source_ips", "target_field": "logscan.source.ips", "ignore_missing": true } },
        { "append": { "if": "ctx.source != null", "field": "logscan.source.ips", "value": "{{{source.ip}}}", "ignore_failure": true } },
        { "set": { "if": "ctx.model == 'k1'", "field": "rule.name", "value": "LOGSCAN K1 MODEL THRESHOLD" } },
        { "set": { "if": "ctx.model == 'k1'", "field": "rule.description", "value": "High number of logins from single IP in 1 minute window" } },
        { "set": { "if": "ctx.model == 'k5'", "field": "rule.name", "value": "LOGSCAN K5 MODEL THRESHOLD" } },
        { "set": { "if": "ctx.model == 'k5'", "field": "rule.description", "value": "High ratio of login failures from single IP in 5 minute window" } },
        { "set": { "if": "ctx.model == 'k60'", "field": "rule.name", "value": "LOGSCAN K60 MODEL THRESHOLD" } },
        { "set": { "if": "ctx.model == 'k60'", "field": "rule.description", "value": "Large number of login failures in 1 hour window" } },
        { "rename": { "field": "model", "target_field": "logscan.model" } },
        { "rename": { "field": "num_attempts", "target_field": "logscan.attempts.total.amount", "ignore_missing": true } },
        { "rename": { "field": "num_failed", "target_field": "logscan.attempts.failed.amount", "ignore_missing": true } },
        { "script": { "lang": "painless", "source": "ctx.logscan.attempts.succeeded.amount = ctx.logscan.attempts.total.amount - ctx.logscan.attempts.failed.amount" , "ignore_failure": true} },
        { "rename": { "field": "avg_failure_interval", "target_field": "logscan.attempts.failed.avg_interval", "ignore_missing": true } },
        { "pipeline": { "name": "common" } }
    ]
 }
--- a/salt/elasticsearch/files/ingest/ossec
+++ b/salt/elasticsearch/files/ingest/ossec
@@ -33,6 +33,7 @@
    { "rename":         { "field": "data.win.eventdata.user",                   "target_field": "user.name",            "ignore_missing": true  } },
    { "rename":         { "field": "data.win.system",                   "target_field": "winlog",           "ignore_missing": true  } },
    { "rename":         { "field": "data.win.eventdata",                   "target_field": "winlog.event_data",           "ignore_missing": true  } },
    { "rename":         { "field": "data",                   "target_field": "wazuh.data",           "ignore_missing": true  } },
    { "rename":         { "field": "winlog.eventID",                   "target_field": "winlog.event_id",           "ignore_missing": true  } },
    { "rename":         { "field": "predecoder.program_name",                   "target_field": "process.name",         "ignore_missing": true  } },
    { "rename":         { "field": "decoder.name",                   "target_field": "event.dataset",         "ignore_missing": true  } },
--- a/salt/elasticsearch/files/ingest/strelka.file
+++ b/salt/elasticsearch/files/ingest/strelka.file
@@ -8,6 +8,7 @@
    { "rename":         { "field": "scan.hash",        "target_field": "hash",          "ignore_missing": true  } },
    { "rename":         { "field": "scan.exiftool",        "target_field": "exiftool",          "ignore_missing": true  } },
    { "grok":           { "if": "ctx.request?.attributes?.filename != null",   "field": "request.attributes.filename",       "patterns": ["-%{WORD:log.id.fuid}-"], "ignore_failure": true } },
    { "gsub":           { "if": "ctx.request?.attributes?.filename != null",   "field": "request.attributes.filename",       "pattern": "\/nsm\/strelka\/staging",      "replacement": "\/nsm\/strelka\/processed" } },
    { "foreach":
      {
        "if": "ctx.exiftool?.keys !=null",
--- a/salt/elasticsearch/files/ingest/suricata.dns
+++ b/salt/elasticsearch/files/ingest/suricata.dns
@@ -12,7 +12,7 @@
    { "rename": 	{ "field": "message2.dns.qr", 		"target_field": "dns.qr",			"ignore_missing": true 	} },
    { "rename": 	{ "field": "message2.dns.rd", 		"target_field": "dns.recursion.desired",	"ignore_missing": true 	} },
    { "rename": 	{ "field": "message2.dns.ra", 		"target_field": "dns.recursion.available",	"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.dns.rcode", 	"target_field": "dns.response.code",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.dns.rcode", 	"target_field": "dns.response.code_name",	"ignore_missing": true 	} },
    { "rename": 	{ "field": "message2.grouped.A", 	"target_field": "dns.answers.data",		"ignore_missing": true 	} },
    { "rename": 	{ "field": "message2.grouped.CNAME", 	"target_field": "dns.answers.name",		"ignore_missing": true 	} },
    { "pipeline": 	{ "if": "ctx.dns.query?.name != null && ctx.dns.query.name.contains('.')", "name": "dns.tld"			} },
--- a/salt/elasticsearch/files/ingest/suricata.fileinfo
+++ b/salt/elasticsearch/files/ingest/suricata.fileinfo
@@ -13,6 +13,7 @@
    { "rename": 	{ "field": "message2.fileinfo.size", 		"target_field": "file.size",		"ignore_missing": true 	} },
    { "rename": 	{ "field": "message2.fileinfo.state", 		"target_field": "file.state",		"ignore_missing": true 	} },
    { "rename": 	{ "field": "message2.fileinfo.stored", 		"target_field": "file.saved",		"ignore_missing": true 	} },
    { "rename":   { "field": "message2.fileinfo.sha256",   "target_field": "hash.sha256", "ignore_missing": true } },
    { "set":		{ "if": "ctx.network?.protocol != null", 	"field": "file.source",	"value": "{{network.protocol}}"  	} },
    { "pipeline": { "name": "common" } }
  ]
--- a/salt/elasticsearch/files/ingest/sysmon
+++ b/salt/elasticsearch/files/ingest/sysmon
@@ -1,7 +1,6 @@
 {
  "description" : "sysmon",
  "processors" : [
    {"community_id":   {"if": "ctx.winlog.event_data?.Protocol != null", "field":["winlog.event_data.SourceIp","winlog.event_data.SourcePort","winlog.event_data.DestinationIp","winlog.event_data.DestinationPort","winlog.event_data.Protocol"],"target_field":"network.community_id"}},    
    { "set":           { "field": "event.code", "value": "{{winlog.event_id}}", "override": true }  },     
    { "set":           { "field": "event.module", "value": "sysmon", "override": true }  },   
    { "set":           { "if": "ctx.winlog?.computer_name != null",   "field": "observer.name", "value": "{{winlog.computer_name}}", "override": true }  },
@@ -64,6 +63,7 @@
    { "rename": 	   { "field": "winlog.event_data.SourceIp", 		          "target_field": "source.ip",		"ignore_missing": true 	} },
    { "rename": 	   { "field": "winlog.event_data.SourcePort", 		        "target_field": "source.port",		"ignore_missing": true 	} },   
    { "rename": 	   { "field": "winlog.event_data.targetFilename",		      "target_field": "file.target",	"ignore_missing": true 	} },
-    { "rename":      { "field": "winlog.event_data.TargetFilename",         "target_field": "file.target",    "ignore_missing": true  } }
+    { "rename":      { "field": "winlog.event_data.TargetFilename",         "target_field": "file.target",    "ignore_missing": true  } },
    { "community_id": {} }
  ]
 }
--- a/salt/elasticsearch/files/ingest/zeek.common
+++ b/salt/elasticsearch/files/ingest/zeek.common
@@ -8,11 +8,11 @@
    { "dot_expander":   { "field": "id.orig_p",                 "path": "message2",                     "ignore_failure": true  } },
    { "dot_expander":   { "field": "id.resp_h",                 "path": "message2",                     "ignore_failure": true  } },
    { "dot_expander":   { "field": "id.resp_p",                 "path": "message2",                     "ignore_failure": true  } },    
    {"community_id": {"if": "ctx.network?.transport != null", "field":["message2.id.orig_h","message2.id.orig_p","message2.id.resp_h","message2.id.resp_p","network.transport"],"target_field":"network.community_id"}},
    { "rename":         { "field": "message2.id.orig_h",        "target_field": "source.ip",            "ignore_missing": true  } },
    { "rename":         { "field": "message2.id.orig_p",        "target_field": "source.port",          "ignore_missing": true  } },
    { "rename":         { "field": "message2.id.resp_h",        "target_field": "destination.ip",       "ignore_missing": true  } },
    { "rename":         { "field": "message2.id.resp_p",        "target_field": "destination.port",     "ignore_missing": true  } },
    { "community_id": {} },
    { "set":         { "if": "ctx.source?.ip != null", "field": "client.ip",        "value": "{{source.ip}}"           } },
    { "set":         { "if": "ctx.source?.port != null", "field": "client.port",        "value": "{{source.port}}"       } },
    { "set":         { "if": "ctx.destination?.ip != null", "field": "server.ip",        "value": "{{destination.ip}}"  } },
--- a/salt/elasticsearch/files/scripts/so-catrust
+++ b/salt/elasticsearch/files/scripts/so-catrust
@@ -1,6 +1,6 @@
 #!/bin/bash
 #
-# Copyright 2014,2015,2016,2017,2018,2019 Security Onion Solutions, LLC
+# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
--- a/salt/elasticsearch/files/so-elasticsearch-pipelines
+++ b/salt/elasticsearch/files/so-elasticsearch-pipelines
@@ -1,6 +1,6 @@
 #!/bin/bash
 #
-# Copyright 2014,2015,2016,2017,2018,2019 Security Onion Solutions, LLC
+# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -27,7 +27,7 @@ echo -n "Waiting for ElasticSearch..."
 COUNT=0
 ELASTICSEARCH_CONNECTED="no"
 while [[ "$COUNT" -le 240 ]]; do
-    curl ${ELASTICSEARCH_AUTH} -k --output /dev/null --silent --head --fail -L https://"$ELASTICSEARCH_HOST":"$ELASTICSEARCH_PORT"
+    {{ ELASTICCURL }} -k --output /dev/null --silent --head --fail -L https://"$ELASTICSEARCH_HOST":"$ELASTICSEARCH_PORT"
 	if [ $? -eq 0 ]; then
 		ELASTICSEARCH_CONNECTED="yes"
 		echo "connected!"
@@ -47,7 +47,7 @@ fi
 cd ${ELASTICSEARCH_INGEST_PIPELINES}
 echo "Loading pipelines..."
-for i in *; do echo $i; RESPONSE=$(curl ${ELASTICSEARCH_AUTH} -k -XPUT -L https://${ELASTICSEARCH_HOST}:${ELASTICSEARCH_PORT}/_ingest/pipeline/$i -H 'Content-Type: application/json' -d@$i 2>/dev/null); echo $RESPONSE; if [[ "$RESPONSE" == *"error"* ]]; then RETURN_CODE=1; fi; done
+for i in *; do echo $i; RESPONSE=$({{ ELASTICCURL }} -k -XPUT -L https://${ELASTICSEARCH_HOST}:${ELASTICSEARCH_PORT}/_ingest/pipeline/$i -H 'Content-Type: application/json' -d@$i 2>/dev/null); echo $RESPONSE; if [[ "$RESPONSE" == *"error"* ]]; then RETURN_CODE=1; fi; done
 echo
 cd - >/dev/null
--- a/salt/elasticsearch/init.sls
+++ b/salt/elasticsearch/init.sls
@@ -35,6 +35,8 @@
 {% endif %}
 {% set TEMPLATES = salt['pillar.get']('elasticsearch:templates', {}) %}
 {% from 'elasticsearch/auth.map.jinja' import ELASTICAUTH with context %}
 vm.max_map_count:
  sysctl.present:
@@ -169,6 +171,40 @@ eslogdir:
    - group: 939
    - makedirs: True
 auth_users:
  file.managed:
    - name: /opt/so/conf/elasticsearch/users.tmp
    - source: salt://elasticsearch/files/users
    - user: 930
    - group: 930
    - mode: 600
    - show_changes: False
 auth_users_roles:
  file.managed:
    - name: /opt/so/conf/elasticsearch/users_roles.tmp
    - source: salt://elasticsearch/files/users_roles
    - user: 930
    - group: 930
    - mode: 600
    - show_changes: False
 auth_users_inode:
  require:
    - file: auth_users
  cmd.run:
    - name: cat /opt/so/conf/elasticsearch/users.tmp > /opt/so/conf/elasticsearch/users && chown 930:930 /opt/so/conf/elasticsearch/users && chmod 600 /opt/so/conf/elasticsearch/users
    - onchanges:
      - file: /opt/so/conf/elasticsearch/users.tmp
 auth_users_roles_inode:
  require:
    - file: auth_users_roles
  cmd.run:
    - name: cat /opt/so/conf/elasticsearch/users_roles.tmp > /opt/so/conf/elasticsearch/users_roles && chown 930:930 /opt/so/conf/elasticsearch/users_roles && chmod 600 /opt/so/conf/elasticsearch/users_roles
    - onchanges:
      - file: /opt/so/conf/elasticsearch/users_roles.tmp
 so-elasticsearch:
  docker_container.running:
    - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-elasticsearch:{{ VERSION }}
@@ -213,6 +249,10 @@ so-elasticsearch:
      - /etc/pki/elasticsearch.crt:/usr/share/elasticsearch/config/elasticsearch.crt:ro
      - /etc/pki/elasticsearch.key:/usr/share/elasticsearch/config/elasticsearch.key:ro
      - /etc/pki/elasticsearch.p12:/usr/share/elasticsearch/config/elasticsearch.p12:ro
      {% if salt['pillar.get']('elasticsearch:auth:enabled', False) %}
      - /opt/so/conf/elasticsearch/users_roles:/usr/share/elasticsearch/config/users_roles:ro
      - /opt/so/conf/elasticsearch/users:/usr/share/elasticsearch/config/users:ro
      {% endif %}
    - watch:
      - file: cacertz
      - file: esyml
@@ -232,6 +272,8 @@ so-elasticsearch-pipelines-file:
    - group: 939
    - mode: 754
    - template: jinja
    - defaults:
        ELASTICCURL: {{ ELASTICAUTH.elasticcurl }}
 so-elasticsearch-pipelines:
 cmd.run:
--- a/salt/elasticsearch/templates/so/so-common-template.json
+++ b/salt/elasticsearch/templates/so/so-common-template.json
@@ -1,5 +1,5 @@
 {
-  "index_patterns": ["so-ids-*", "so-firewall-*", "so-syslog-*", "so-zeek-*", "so-import-*", "so-ossec-*", "so-strelka-*", "so-beats-*", "so-osquery-*","so-playbook-*"],
+  "index_patterns": ["so-*"],
  "version":50001,
  "order":10,
  "settings":{
@@ -65,6 +65,7 @@
       {
          "port": {
            "path_match": "*.port",
            "path_unmatch": "*.data.port",
 	    "mapping": {
              "type": "integer",
              "fields" : {
@@ -229,6 +230,10 @@
          "type":"object",
          "dynamic": true
        },
        "event_data":{
          "type":"object",
          "dynamic": true
        },	
        "file":{
          "type":"object",
          "dynamic": true
@@ -308,6 +313,10 @@
          "type":"object",
          "dynamic": true
        },
        "logscan": {
          "type": "object",
          "dynamic": true
        },
        "manager":{
          "type":"object",
          "dynamic": true
@@ -316,7 +325,8 @@
          "type":"text",
          "fields":{  
            "keyword":{  
-              "type":"keyword"
+              "type":"keyword",
 	      "ignore_above": 32766
            }
          }
        },
@@ -527,6 +537,158 @@
        "x509":{
          "type":"object",
          "dynamic": true
        },
 	"suricata":{
          "type":"object",
          "dynamic": true
        },
 	"zeek":{
          "type":"object",
          "dynamic": true
        },
 	"aws":{
          "type":"object",
          "dynamic": true
        },
 	"azure":{
          "type":"object",
          "dynamic": true
        },
 	"barracuda":{
          "type":"object",
          "dynamic": true
        },
 	"bluecoat":{
          "type":"object",
          "dynamic": true
        },
 	"cef":{
          "type":"object",
          "dynamic": true
        },
 	"checkpoint":{
          "type":"object",
          "dynamic": true
        },
 	"cisco":{
          "type":"object",
          "dynamic": true
        },
 	"cyberark":{
          "type":"object",
          "dynamic": true
        },
 	"cylance":{
          "type":"object",
          "dynamic": true
        },
 	"f5":{
          "type":"object",
          "dynamic": true
        },
 	"fortinet":{
          "type":"object",
          "dynamic": true
        },
 	"gcp":{
          "type":"object",
          "dynamic": true
        },
 	"google_workspace":{
          "type":"object",
          "dynamic": true
        },
 	"imperva":{
          "type":"object",
          "dynamic": true
        },
 	"infoblox":{
          "type":"object",
          "dynamic": true
        },
 	"juniper":{
          "type":"object",
          "dynamic": true
        },
 	"microsoft":{
          "type":"object",
          "dynamic": true
        },
 	"misp":{
          "type":"object",
          "dynamic": true
        },
 	"netflow":{
          "type":"object",
          "dynamic": true
        },
 	"netscout":{
          "type":"object",
          "dynamic": true
        },
 	"o365":{
          "type":"object",
          "dynamic": true
        },
 	"okta":{
          "type":"object",
          "dynamic": true
        },
 	"proofpoint":{
          "type":"object",
          "dynamic": true
        },
 	"radware":{
          "type":"object",
          "dynamic": true
        },
 	"snort":{
          "type":"object",
          "dynamic": true
        },
 	"snyk":{
          "type":"object",
          "dynamic": true
        },
 	"sonicwall":{
          "type":"object",
          "dynamic": true
        },
 	"sophos":{
          "type":"object",
          "dynamic": true
        },
 	"squid":{
          "type":"object",
          "dynamic": true
        },
 	"tomcat":{
          "type":"object",
          "dynamic": true
        },
 	"zcaler":{
          "type":"object",
          "dynamic": true
        },
 	"elasticsearch":{
          "type":"object",
          "dynamic": true
        },
 	"kibana":{
          "type":"object",
          "dynamic": true
        },
 	"logstash":{
          "type":"object",
          "dynamic": true
        },
 	"redis":{
          "type":"object",
          "dynamic": true
        },
 	"wazuh":{
          "type":"object",
          "dynamic": true
        }
     }
  }
--- a/salt/filebeat/etc/filebeat.yml
+++ b/salt/filebeat/etc/filebeat.yml
@@ -3,7 +3,8 @@
 {%- else %}
 {%- set MANAGER = salt['grains.get']('master') %}
 {%- endif %}
-
+{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %}
 {%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %}
 {%- set HOSTNAME = salt['grains.get']('host', '') %}
 {%- set ZEEKVER = salt['pillar.get']('global:mdengine', 'COMMUNITY') %}
@@ -15,6 +16,7 @@
 {%- set FBMEMFLUSHMINEVENTS = salt['pillar.get']('filebeat:mem_flush_min_events', 2048) -%}
 {%- set FBLSWORKERS = salt['pillar.get']('filebeat:ls_workers', 1) -%}
 {%- set FBLSBULKMAXSIZE = salt['pillar.get']('filebeat:ls_bulk_max_size', 2048) -%}
 {%- set FBLOGGINGLEVEL = salt['pillar.get']('filebeat:logging:level', 'warning') -%}
 name: {{ HOSTNAME }}
@@ -24,7 +26,7 @@ name: {{ HOSTNAME }}
 # Sets log level. The default log level is info.
 # Available log levels are: error, warning, info, debug
-logging.level: warning
+logging.level: {{ FBLOGGINGLEVEL }}
 # Enable debug output for selected components. To enable all selectors use ["*"]
 # Other available selectors are "beat", "publish", "service"
@@ -71,7 +73,13 @@ logging.files:
 # Set to true to log messages in json format.
 #logging.json: false
 #==========================  Modules configuration ============================
 filebeat.config.modules:
  enabled: true
  path: ${path.config}/modules.d/*.yml
 filebeat.modules:
 #=========================== Filebeat prospectors =============================
@@ -104,6 +112,21 @@ filebeat.inputs:
      fields: ["source", "prospector", "input", "offset", "beat"]
  fields_under_root: true
 {%- if grains['role'] in ['so-eval', 'so-standalone', 'so-manager', 'so-managersearch', 'so-import'] %}
 - type: log
  paths:
    - /logs/logscan/alerts.log
  fields:
    module: logscan
    dataset: alert
  processors:
  - drop_fields:
      fields: ["source", "prospector", "input", "offset", "beat"]
  fields_under_root: true
  clean_removed: true
  close_removed: false
 {%- endif %}
 {%- if grains['role'] in ['so-eval', 'so-standalone', 'so-sensor',  'so-helix', 'so-heavynode', 'so-import'] %}
  {%- if ZEEKVER != 'SURICATA' %}
    {%- for LOGNAME in salt['pillar.get']('zeeklogs:enabled', '')  %}
@@ -183,7 +206,6 @@ filebeat.inputs:
  fields_under_root: true
  clean_removed: false
  close_removed: false
  {%- if STRELKAENABLED == 1 %}
 - type: log
  paths:
@@ -261,6 +283,10 @@ output.{{ type }}:
 output.elasticsearch:
  enabled: true
  hosts: ["https://{{ MANAGER }}:9200"]
 {%- if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %}
  username: "{{ ES_USER }}"
  password: "{{ ES_PASS }}"
 {%- endif %}
  ssl.certificate_authorities: ["/usr/share/filebeat/intraca.crt"]
  pipelines:
    - pipeline: "%{[module]}.%{[dataset]}"
@@ -283,6 +309,9 @@ output.elasticsearch:
    - index: "so-strelka"
      when.contains:
        module: "strelka"
    - index: "so-logscan"
      when.contains:
        module: "logscan"
 setup.template.enabled: false
  {%- else %}
--- a/salt/filebeat/etc/module-setup.yml
+++ b/salt/filebeat/etc/module-setup.yml
@@ -0,0 +1,16 @@
 {%- if grains['role'] in ['so-managersearch', 'so-heavynode', 'so-node'] %}
 {%- set MANAGER = salt['grains.get']('host' '') %}
 {%- else %}
 {%- set MANAGER = salt['grains.get']('master') %}
 {%- endif %}
 {%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %}
 {%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %}
 output.elasticsearch:
  enabled: true
  hosts: ["https://{{ MANAGER }}:9200"]
 {% if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %}
  username: "{{ ES_USER }}"
  password: "{{ ES_PASS }}"
 {% endif %}
  ssl.certificate_authorities: ["/usr/share/filebeat/intraca.crt"]
--- a/salt/filebeat/etc/module_config.yml.jinja
+++ b/salt/filebeat/etc/module_config.yml.jinja
@@ -0,0 +1,18 @@
 # DO NOT EDIT THIS FILE
 {%- if MODULES.modules is iterable and MODULES.modules is not string and MODULES.modules|length > 0%}
  {%- for module in MODULES.modules.keys() %}
 - module: {{ module }}
    {%- for fileset in MODULES.modules[module] %}
  {{ fileset }}:
    enabled: {{ MODULES.modules[module][fileset].enabled|string|lower }}
      {#- only manage the settings if the fileset is enabled #}
      {%- if MODULES.modules[module][fileset].enabled %}
        {%- for var, value in MODULES.modules[module][fileset].items() %}
          {%- if var|lower != 'enabled' %}
    {{ var }}: {{ value }}
          {%- endif %}
        {%- endfor %}
      {%- endif %}
    {%- endfor %}
  {%- endfor %}
 {% endif %}
--- a/salt/filebeat/init.sls
+++ b/salt/filebeat/init.sls
@@ -1,3 +1,4 @@
 # Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
 #    This program is free software: you can redistribute it and/or modify
 #    it under the terms of the GNU General Public License as published by
@@ -20,18 +21,37 @@
 {% set LOCALHOSTIP = salt['grains.get']('ip_interfaces').get(MAININT)[0] %}
 {% set MANAGER = salt['grains.get']('master') %}
 {% set MANAGERIP = salt['pillar.get']('global:managerip', '') %}
 {% from 'filebeat/map.jinja' import THIRDPARTY with context %}
 {% from 'filebeat/map.jinja' import SO with context %}
 {% set ES_INCLUDED_NODES = ['so-eval', 'so-standalone', 'so-managersearch', 'so-node', 'so-heavynode', 'so-import'] %}
 #only include elastic state for certain nodes
 {% if grains.role in ES_INCLUDED_NODES %}
 include:
  - elasticsearch
 {% endif %}
 filebeatetcdir:
  file.directory:
    - name: /opt/so/conf/filebeat/etc
    - user: 939
    - group: 939
    - makedirs: True
 filebeatmoduledir:
  file.directory:
    - name: /opt/so/conf/filebeat/modules
    - user: root
    - group: root
    - makedirs: True
 filebeatlogdir:
  file.directory:
    - name: /opt/so/log/filebeat
    - user: 939
    - group: 939
    - makedirs: True
 filebeatpkidir:
  file.directory:
    - name: /opt/so/conf/filebeat/etc/pki
@@ -44,6 +64,7 @@ fileregistrydir:
    - user: 939
    - group: 939
    - makedirs: True
 # This needs to be owned by root
 filebeatconfsync:
  file.managed:
@@ -55,6 +76,33 @@ filebeatconfsync:
    - defaults:
        INPUTS: {{ salt['pillar.get']('filebeat:config:inputs', {}) }}
        OUTPUT: {{ salt['pillar.get']('filebeat:config:output', {}) }}
 # Filebeat module config file
 filebeatmoduleconfsync:
  file.managed:
    - name: /opt/so/conf/filebeat/etc/module-setup.yml
    - source: salt://filebeat/etc/module-setup.yml
    - user: root
    - group: root
    - mode: 640
    - template: jinja
 sodefaults_module_conf:
  file.managed:
    - name: /opt/so/conf/filebeat/modules/securityonion.yml
    - source: salt://filebeat/etc/module_config.yml.jinja
    - template: jinja
    - defaults:
        MODULES: {{ SO }}
 thirdparty_module_conf:
  file.managed:
    - name: /opt/so/conf/filebeat/modules/thirdparty.yml
    - source: salt://filebeat/etc/module_config.yml.jinja
    - template: jinja
    - defaults:
        MODULES: {{ THIRDPARTY }}
 so-filebeat:
  docker_container.running:
    - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-filebeat:{{ VERSION }}
@@ -65,19 +113,41 @@ so-filebeat:
      - /nsm:/nsm:ro
      - /opt/so/log/filebeat:/usr/share/filebeat/logs:rw
      - /opt/so/conf/filebeat/etc/filebeat.yml:/usr/share/filebeat/filebeat.yml:ro
      - /opt/so/conf/filebeat/etc/module-setup.yml:/usr/share/filebeat/module-setup.yml:ro
      - /nsm/wazuh/logs/alerts:/wazuh/alerts:ro
      - /nsm/wazuh/logs/archives:/wazuh/archives:ro
      - /opt/so/conf/filebeat/modules:/usr/share/filebeat/modules.d
      - /opt/so/conf/filebeat/etc/pki/filebeat.crt:/usr/share/filebeat/filebeat.crt:ro
      - /opt/so/conf/filebeat/etc/pki/filebeat.key:/usr/share/filebeat/filebeat.key:ro
      - /opt/so/conf/filebeat/registry:/usr/share/filebeat/data/registry:rw
      - /etc/ssl/certs/intca.crt:/usr/share/filebeat/intraca.crt:ro
      - /opt/so/log:/logs:ro
    - port_bindings:
        - 0.0.0.0:514:514/udp
        - 0.0.0.0:514:514/tcp
        - 0.0.0.0:5066:5066/tcp
 {% for module in THIRDPARTY.modules.keys() %}
  {% for submodule in THIRDPARTY.modules[module] %}
    {% if THIRDPARTY.modules[module][submodule].enabled and THIRDPARTY.modules[module][submodule]["var.syslog_port"] is defined %}
        - {{ THIRDPARTY.modules[module][submodule].get("var.syslog_host", "0.0.0.0") }}:{{ THIRDPARTY.modules[module][submodule]["var.syslog_port"] }}:{{ THIRDPARTY.modules[module][submodule]["var.syslog_port"] }}/tcp
        - {{ THIRDPARTY.modules[module][submodule].get("var.syslog_host", "0.0.0.0") }}:{{ THIRDPARTY.modules[module][submodule]["var.syslog_port"] }}:{{ THIRDPARTY.modules[module][submodule]["var.syslog_port"] }}/udp
    {% endif %}
  {% endfor %}
 {% endfor %}
    - watch:
      - file: /opt/so/conf/filebeat/etc/filebeat.yml
 {% if grains.role in ES_INCLUDED_NODES %}
 run_module_setup:
  cmd.run:
    - name: /usr/sbin/so-filebeat-module-setup
    - require:
      - file: filebeatmoduleconfsync
      - docker_container: so-filebeat
    - onchanges:
      - docker_container: so-elasticsearch
 {% endif %}
 append_so-filebeat_so-status.conf:
  file.append:
    - name: /opt/so/conf/so-status/so-status.conf
--- a/salt/filebeat/map.jinja
+++ b/salt/filebeat/map.jinja
@@ -0,0 +1,6 @@
 {% import_yaml 'filebeat/thirdpartydefaults.yaml' as TPDEFAULTS %}
 {% set THIRDPARTY = salt['pillar.get']('filebeat:third_party_filebeat', default=TPDEFAULTS.third_party_filebeat, merge=True) %}
 {% import_yaml 'filebeat/securityoniondefaults.yaml' as SODEFAULTS %}
 {% set SO = SODEFAULTS.securityonion_filebeat %}
 {#% set SO = salt['pillar.get']('filebeat:third_party_filebeat', default=SODEFAULTS.third_party_filebeat, merge=True) %#}
--- a/salt/filebeat/securityoniondefaults.yaml
+++ b/salt/filebeat/securityoniondefaults.yaml
@@ -0,0 +1,31 @@
 {%- set ZEEKVER = salt['pillar.get']('global:mdengine', '') %}
 {% set ZEEKLOGLOOKUP = {
    'conn': 'connection',
 } %}
 securityonion_filebeat:
  modules:
  {%- if grains['role'] in ['so-manager', 'so-eval', 'so-managersearch', 'so-standalone','so-node', 'so-hotnode', 'so-warmnode', 'so-heavynode']   %}
    elasticsearch:
      server:
        enabled: true
        var.paths: ["/logs/elasticsearch/*.log"]
    logstash:
      log:
        enabled: true
        var.paths: ["/logs/logstash.log"]
  {%- endif %}
  {%- if grains['role'] in ['so-manager', 'so-eval', 'so-managersearch', 'so-standalone'] %}
    kibana:
      log:
        enabled: true
        var.paths: ["/logs/kibana/kibana.log"]
  {%- endif %}
  {%- if grains['role'] in ['so-manager', 'so-eval', 'so-managersearch', 'so-standalone', 'so-heavynode'] %}
    redis:
      log:
        enabled: true
        var.paths: ["/logs/redis.log"]
      slowlog:
        enabled: false
  {%- endif %}
--- a/salt/filebeat/thirdpartydefaults.yaml
+++ b/salt/filebeat/thirdpartydefaults.yaml
@@ -0,0 +1,252 @@
 third_party_filebeat:
  modules:
    aws:
      cloudtrail:
        enabled: false
      cloudwatch:
        enabled: false
      ec2:
        enabled: false
      elb:
        enabled: false
      s3access:
        enabled: false
      vpcflow:
        enabled: false
    azure:
      activitylogs:
        enabled: false
      platformlogs:
        enabled: false
      auditlogs:
        enabled: false
      signinlogs:
        enabled: false
    barracuda:
      waf:
        enabled: false
        var.input: udp
        var.syslog_host: 0.0.0.0
        var.syslog_port: 9503
      spamfirewall:
        enabled: false
        var.input: udp
        var.syslog_host: 0.0.0.0
        var.syslog_port: 9524
    bluecoat:
      director:
        enabled: false
        var.input: udp
        var.syslog_host: 0.0.0.0
        var.syslog_port: 9505
    cef:
      log:
        enabled: false
        var.syslog_host: 0.0.0.0
        var.syslog_port: 9003
    checkpoint:
      firewall:
        enabled: false
        var.syslog_host: 0.0.0.0
        var.syslog_port: 9505
    cisco:
      asa:
        enabled: false
        var.syslog_host: 0.0.0.0
        var.syslog_port: 9001
      ftd:
        enabled: false
        var.syslog_host: 0.0.0.0
        var.syslog_port: 9003
      ios:
        enabled: false
        var.syslog_host: 0.0.0.0
        var.syslog_port: 9002
      nexus:
        enabled: false
        var.syslog_host: 0.0.0.0
        var.syslog_port: 9506
      meraki:
        enabled: false
        var.syslog_host: 0.0.0.0
        var.syslog_port: 9525
      umbrella:
        enabled: false
      amp:
        enabled: false
    cyberark:
      corepas:
        enabled: false
        var.input: udp
        var.syslog_host: 0.0.0.0
        var.syslog_port: 9527
    cylance:
      protect:
        enabled: false
        var.input: udp
        var.syslog_host: 0.0.0.0
        var.syslog_port: 9508
    f5:
      bigipapm:
        enabled: false
        var.input: udp
        var.syslog_host: 0.0.0.0
        var.syslog_port: 9504
      bigipafm:
        enabled: false
        var.input: udp
        var.syslog_host: 0.0.0.0
        var.syslog_port: 9528    
    fortinet:
      firewall:
        enabled: false 
        var.input: udp
        var.syslog_host: 0.0.0.0
        var.syslog_port: 9004
      clientendpoint:
        enabled: false
        var.input: udp
        var.syslog_host: 0.0.0.0
        var.syslog_port: 9510
      fortimail:
        enabled: false
        var.input: udp
        var.syslog_port: 9350
    gcp:
      vpcflow:
        enabled: false
      firewall:
        enabled: false
      audit:
        enabled: false
    google_workspace:
      saml:
        enabled: false
      user_accounts:
        enabled: false
      login:
        enabled: false
      admin:
        enabled: false
      drive:
        enabled: false
      groups:
        enabled: false
    imperva:
      securesphere:
        enabled: false 
        var.input: udp
        var.syslog_host: 0.0.0.0
        var.syslog_port: 9511
    infoblox:
      nios:
        enabled: false 
        var.input: udp
        var.syslog_host: 0.0.0.0
        var.syslog_port: 9512
    juniper:
      junos:
        enabled: false 
        var.input: udp
        var.syslog_host: 0.0.0.0
        var.syslog_port: 9513
      netscreen:
        enabled: false 
        var.input: udp
        var.syslog_host: 0.0.0.0
        var.syslog_port: 9523
      srx:
        enabled: false 
        var.input: udp
        var.syslog_host: 0.0.0.0
        var.syslog_port: 9006
    microsoft:
      defender_atp:
        enabled: false 
      m365_defender:
        enabled: false
      dhcp:
        enabled: false 
        var.input: udp
        var.syslog_host: 0.0.0.0
        var.syslog_port: 9515
    misp:
      threat:
        enabled: false
    netflow:
      log:
        enabled: false
        var.netflow_host: 0.0.0.0
        var.netflow_port: 2055
        var.internal_networks:
          - private
    netscout:
      sightline:
        enabled: false 
        var.input: udp
        var.syslog_host: 0.0.0.0
        var.syslog_port: 9502
    o365:
      audit:
        enabled: false
    okta:
      system:
        enabled: false
    proofpoint:
      emailsecurity:
        enabled: false 
        var.input: udp
        var.syslog_host: 0.0.0.0
        var.syslog_port: 9531
    radware:
      defensepro:
        enabled: false 
        var.input: udp
        var.syslog_host: 0.0.0.0
        var.syslog_port: 9518
    snort:
      log:
        enabled: false 
        var.input: udp
        var.syslog_host: 0.0.0.0
        var.syslog_port: 9532
    snyk:
      audit:
        enabled: false
      vulnerabilities:
        enabled: false
    sonicwall:
      firewall:
        enabled: false 
        var.input: udp
        var.syslog_host: 0.0.0.0
        var.syslog_port: 9519
    sophos:
      xg:
        enabled: false 
        var.input: udp
        var.syslog_host: 0.0.0.0
        var.syslog_port: 9005
      utm:
        enabled: false 
        var.input: udp
        var.syslog_host: 0.0.0.0
        var.syslog_port: 9533
    squid:
      log:
        enabled: false 
        var.input: udp
        var.syslog_host: 0.0.0.0
        var.syslog_port: 9520
    tomcat:
      log:
        enabled: false 
        var.input: udp
        var.syslog_host: 0.0.0.0
        var.syslog_port: 9501
    zscaler:
      zia:
        enabled: false 
        var.input: udp
        var.syslog_host: 0.0.0.0
        var.syslog_port: 9521
--- a/salt/grafana/dashboards/common_template.json.jinja
+++ b/salt/grafana/dashboards/common_template.json.jinja
@@ -0,0 +1,62 @@
 {
  "annotations": {
    "list": [
      {
        "builtIn": 1,
        "datasource": "-- Grafana --",
        "enable": true,
        "hide": true,
        "iconColor": "rgba(0, 211, 255, 1)",
        "name": "Annotations & Alerts",
        "type": "dashboard"
      }
    ]
  },
  "description": "{{TITLE}}",
  "editable": true,
  "gnetId": null,
  "graphTooltip": 0,
  "id": {{ ID }},
  "iteration": 1625757047565,
  "links": [],
  "panels": [
 {% for panel in PANELS -%}
 {%-  import_json "grafana/panels/" ~ panel ~ ".json.jinja" as panel %}
 {{   panel | json }} {% if not loop.last  %},{% endif %}
 {% endfor -%}
  ],
  "refresh": "5m",
  "schemaVersion": 27,
  "style": "dark",
  "tags": [],
  "templating": {
    "list": [
 {% for template in TEMPLATES.keys() -%}
 {%-  import_json "grafana/templates/" ~ template ~ ".json" as template %}
 {{   template | json }} {% if not loop.last  %},{% endif %}
 {% endfor -%}
    ]
  },
  "time": {
    "from": "now-3h",
    "to": "now"
  },
  "timepicker": {
    "refresh_intervals": [
      "30s",
      "1m",
      "5m",
      "15m",
      "30m",
      "1h",
      "2h",
      "1d"
    ]
  },
  "timezone": "browser",
  "title": "{{ TITLE }}",
  {% if TITLE | lower == 'security onion grid overview' %}
  "uid": "so_overview",
  {% endif %}
  "version": 1
 }
--- a/salt/grafana/dashboards/eval/eval.json
+++ b/salt/grafana/dashboards/eval/eval.json
--- a/salt/grafana/dashboards/manager/manager.json
+++ b/salt/grafana/dashboards/manager/manager.json
--- a/salt/grafana/dashboards/managersearch/managersearch.json
+++ b/salt/grafana/dashboards/managersearch/managersearch.json
--- a/salt/grafana/dashboards/search_nodes/searchnode.json
+++ b/salt/grafana/dashboards/search_nodes/searchnode.json
--- a/salt/grafana/dashboards/sensor_nodes/sensor.json
+++ b/salt/grafana/dashboards/sensor_nodes/sensor.json
--- a/salt/grafana/dashboards/standalone/standalone.json
+++ b/salt/grafana/dashboards/standalone/standalone.json
--- a/salt/grafana/defaults.yaml
+++ b/salt/grafana/defaults.yaml
--- a/salt/grafana/etc/dashboards/dashboard.yml
+++ b/salt/grafana/etc/dashboards/dashboard.yml
@@ -1,55 +1,12 @@
 apiVersion: 1
 providers:
 - name: 'Dashboards'
  folder: 'Dashboards'
  type: file
  disableDeletion: false
  editable: true
  allowUiUpdates: true
  options:
    path: /etc/grafana/grafana_dashboards/
 {%- if grains['role'] != 'so-eval' %}
 - name: 'Manager'
  folder: 'Manager'
  type: file
  disableDeletion: false
  editable: true
  allowUiUpdates: true
  options:
    path: /etc/grafana/grafana_dashboards/manager
 - name: 'Manager Search'
  folder: 'Manager Search'
  type: file
  disableDeletion: false
  editable: true
  allowUiUpdates: true
  options:
    path: /etc/grafana/grafana_dashboards/managersearch
 - name: 'Sensor Nodes'
  folder: 'Sensor Nodes'
  type: file
  disableDeletion: false
  editable: true
  allowUiUpdates: true
  options:
    path: /etc/grafana/grafana_dashboards/sensor_nodes
 - name: 'Search Nodes'
  folder: 'Search Nodes'
  type: file
  disableDeletion: false
  editable: true
  allowUiUpdates: true
  options:
    path: /etc/grafana/grafana_dashboards/search_nodes
 - name: 'Standalone'
  folder: 'Standalone'
  type: file
  disableDeletion: false
  editable: true
  allowUiUpdates: true
  options:
    path: /etc/grafana/grafana_dashboards/standalone
 {%- else %}
 - name: 'Security Onion'
  folder: 'Eval Mode'
  type: file
  disableDeletion: false
  editable: true
  allowUiUpdates: true
  options:
    path: /etc/grafana/grafana_dashboards/eval
 {% endif %}
--- a/Show More
+++ b/Show More
`@@ -17,4 +17,4 @@`

	`. /usr/sbin/so-common`	`. /usr/sbin/so-common`

	`salt-call state.highstate`	`salt-call state.highstate -linfo`
`@@ -18,4 +18,4 @@`

	`. /usr/sbin/so-common`	`. /usr/sbin/so-common`

	`curl -s -k -L https://{{ NODEIP }}:9200/_cat/indices?pretty`	`{{ ELASTICCURL }} -s -k -L https://{{ NODEIP }}:9200/_cat/indices?pretty`
		`@@ -0,0 +1 @@`
							`user = "{{ salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user') }}:{{ salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass') }}"`