Merge pull request #586 from Security-Onion-Solutions/dev

1.2.1-1

README.md

@@ -1,73 +1,84 @@
-# Security Onion Hybrid Hunter Tech Preview 1.0.3
+## Hybrid Hunter Beta 1.2.1 - Beta 1
 
-### About
-Hybrid Hunter is a brand new Security Onion platform with the following characteristics:
-- Move from Ubuntu DEB packages to Docker images
-- Support both Ubuntu 16.04 and RedHat/CentOS 7
-- Higher performance
-- More centralized configuration
+### Changes:
+
+- Full support for Ubuntu 18.04. 16.04 is no longer supported for Hybrid Hunter.
+- Introduction of the Security Onion Console. Once logged in you are directly taken to the SOC.
+- New authentication using Kratos.
+- During install you must specify how you would like to access the SOC ui. This is for strict cookie security.
+- Ability to list and delete web users from the SOC ui.
+- The soremote account is now used to add nodes to the grid vs using socore. 
+- Community ID support for Zeek, osquery, and Suricata. You can now tie host events to connection logs!
+- Elastic 7.6.1 with ECS support.
+- New set of Kibana dashboards that align with ECS.
+- Eval mode no longer uses Logstash for parsing (Filebeat -> ES Ingest)
+- Ingest node parsing for osquery-shipped logs (osquery, WEL, Sysmon).
+- Fleet standalone mode with improved Web UI & API access control.
+- Improved Fleet integration support.
+- Playbook now has full Windows Sigma community ruleset builtin.
+- Automatic Sigma community rule updates.
+- Playbook stability enhancements.
+- Zeek health check. Zeek will now auto restart if a worker crashes.
+- zeekctl is now managed by salt.
+- Grafana dashboard improvements and cleanup.
+- Moved logstash configs to pillars.
+- Salt logs moved to /opt/so/log/salt.
+- Strelka integrated for file-oriented detection/analysis at scale
+
+### Known issues:
+
+- Updating users via the SOC ui is known to fail. To change a user, delete the user and re-add them. 
+- Due to the move to ECS, the current Playbook plays may not alert correctly at this time.
+- The osquery MacOS package does not install correctly.
 
 ### Warnings and Disclaimers
 
-- This technology PREVIEW is PRE-ALPHA, BLEEDING EDGE, and TOTALLY UNSUPPORTED!  
+- This BETA release is BLEEDING EDGE and TOTALLY UNSUPPORTED!  
 - If this breaks your system, you get to keep both pieces!  
 - This script is a work in progress and is in constant flux.  
-- This script is intended to build a quick prototype proof of concept so you can see what our new platform might look like.  This configuration will change drastically over time leading up to the final - release.  
+- This script is intended to build a quick prototype proof of concept so you can see what our new platform might look like.  This configuration will change drastically over time leading up to the final release.  
 - Do NOT run this on a system that you care about!  
 - Do NOT run this on a system that has data that you care about!  
 - This script should only be run on a TEST box with TEST data!  
-- This script is only designed for standalone boxes and does NOT support distributed deployments.  
 - Use of this script may result in nausea, vomiting, or a burning sensation.  
 
 ### Requirements
 
 Evaluation Mode:
 
-- Single VM running Ubuntu 16.04 or CentOS 7
-- Minimum 8GB of RAM
+- ISO or a Single VM running Ubuntu 18.04 or CentOS 7
+- Minimum 12GB of RAM
 - Minimum 4 CPU cores
 - Minimum 2 NICs
 
 Distributed:
 
-- 3 VMs running Ubuntu 16.04 or CentOS 7 (You can mix and match)
+- 3 VMs running the ISO or Ubuntu 18.04 or CentOS 7 (You can mix and match)
 - Minimum 8GB of RAM per VM
 - Minimum 4 CPU cores per VM
 - Minimum 2 NICs for forward nodes
 
-### Prerequisites
-
-If you are running CentOS 7 there are a couple of prerequisites:
-
-```
-sudo yum -y install git bind-utils
-sudo hostnamectl set-hostname YOURHOSTNAME
-sudo reboot
-```
-
 ### Installation
 
-Once you resolve those requirements or are using Ubuntu 16.04 do the following:
+For most users, we recommend installing using [our ISO image](https://github.com/Security-Onion-Solutions/securityonion-saltstack/wiki/ISO).
+
+If instead you would like to try a manual installation (not using our ISO), you can build from CentOS 7 or Ubuntu 18.04.
+
+If using CentOS 7 Minimal, you will need to install git:
+
+```sudo yum -y install git```
+
+Once you have git, then do the following:
 
 ```
 git clone https://github.com/Security-Onion-Solutions/securityonion-saltstack
 cd securityonion-saltstack
-sudo bash so-setup-network.sh
+sudo bash so-setup-network
 ```
+
 Follow the prompts and reboot if asked to do so.
 
-### Allow Access to Kibana
-Once Setup is complete and services have initialized, you can then allow access to Kibana as follows.
-
-For a single host:
-```
-sudo /opt/so/saltstack/pillar/firewall/addfirewall.sh analyst 192.168.30.1
-```
-For a network range:
-```
-sudo /opt/so/saltstack/pillar/firewall/addfirewall.sh analyst 192.168.30.0/24
-```
-Then connect to your master via https://YOURMASTER
+Then proceed to the [Hybrid Hunter Quick Start Guide](https://github.com/Security-Onion-Solutions/securityonion-saltstack/wiki/Hybrid-Hunter-Quick-Start-Guide).
 
 ### FAQ
 See the [FAQ](https://github.com/Security-Onion-Solutions/securityonion-saltstack/wiki/FAQ) on the Hybrid Hunter wiki.

VERSION

@@ -1 +1 @@
-1.0.3
+1.2.1

exclude-list.txt

@@ -1,2 +0,0 @@
-salt/bro/files/local.bro
-salt/bro/files/local.bro.community

files/master

@@ -12,6 +12,7 @@
 # modified files cause conflicts, set verify_env to False.
 # user: socore
 
+log_file: /opt/so/log/salt/master
 
 #####      File Server settings      #####
 ##########################################
@@ -57,3 +58,7 @@ pillar_roots:
 peer:
   .*:
     - x509.sign_remote_certificate
+
+reactor:
+  - 'so/fleet':
+    - salt://reactor/fleet.sls

files/utils/so-checkin

@@ -1 +0,0 @@
-sudo salt-call state.highstate

files/utils/so-getparsed

@@ -1 +0,0 @@
-sudo docker exec -it so-redis redis-cli llen logstash:unparsed

files/utils/so-getunparsed

@@ -1 +0,0 @@
-sudo docker exec -it so-redis redis-cli llen logstash:unparsed

files/utils/so-listindex

@@ -1 +0,0 @@
-curl -X GET "localhost:9200/_cat/indices?v"

files/utils/so-start

@@ -1 +0,0 @@
-sudo salt-call state.highstate

pillar/data/addtotab.sh

@@ -5,12 +5,53 @@
 TYPE=$1
 NAME=$2
 IPADDRESS=$3
+CPUS=$4
+GUID=$5
+MANINT=$6
+ROOTFS=$7
+NSM=$8
+MONINT=$9
+#NODETYPE=$10
+#HOTNAME=$11
 
-if grep -q $IPADDRESS "/opt/so/saltstack/pillar/data/nodestab.sls"; then
-  echo "Storage Node Already in There"
-else
-  echo "  $NAME:" >> /opt/so/saltstack/pillar/data/nodestab.sls
-  echo "    ip: $IPADDRESS" >> /opt/so/saltstack/pillar/data/nodestab.sls
-  salt-call state.apply utility
+echo "Seeing if this host is already in here. If so delete it"
+if grep -q $NAME "/opt/so/saltstack/pillar/data/$TYPE.sls"; then
+  echo "Node Already Present - Let's re-add it"
+  awk -v blah="  $NAME:" 'BEGIN{ print_flag=1 }
+{
+    if( $0 ~ blah )
+    {
+       print_flag=0;
+       next
+    }
+    if( $0 ~ /^  [a-zA-Z0-9]+:$/ )
+    {
+        print_flag=1;
+    }
+    if ( print_flag == 1 )
+        print $0
 
+} ' /opt/so/saltstack/pillar/data/$TYPE.sls > /opt/so/saltstack/pillar/data/tmp.$TYPE.sls
+mv /opt/so/saltstack/pillar/data/tmp.$TYPE.sls /opt/so/saltstack/pillar/data/$TYPE.sls
+echo "Deleted $NAME from the tab. Now adding it in again with updated info"
 fi
+echo "  $NAME:" >> /opt/so/saltstack/pillar/data/$TYPE.sls
+echo "    ip: $IPADDRESS" >> /opt/so/saltstack/pillar/data/$TYPE.sls
+echo "    manint: $MANINT" >> /opt/so/saltstack/pillar/data/$TYPE.sls
+echo "    totalcpus: $CPUS" >> /opt/so/saltstack/pillar/data/$TYPE.sls
+echo "    guid: $GUID" >> /opt/so/saltstack/pillar/data/$TYPE.sls
+echo "    rootfs: $ROOTFS" >> /opt/so/saltstack/pillar/data/$TYPE.sls
+echo "    nsmfs: $NSM" >> /opt/so/saltstack/pillar/data/$TYPE.sls
+if [ $TYPE == 'sensorstab' ]; then
+  echo "    monint: $MONINT" >> /opt/so/saltstack/pillar/data/$TYPE.sls
+  salt-call state.apply common queue=True
+fi
+if [ $TYPE == 'evaltab' ]; then
+  echo "    monint: $MONINT" >> /opt/so/saltstack/pillar/data/$TYPE.sls
+  salt-call state.apply common queue=True
+  salt-call state.apply utility queue=True
+fi
+#if [ $TYPE == 'nodestab' ]; then
+#  echo "    nodetype: $NODETYPE" >> /opt/so/saltstack/pillar/data/$TYPE.sls
+#  echo "    hotname: $HOTNAME" >> /opt/so/saltstack/pillar/data/$TYPE.sls
+#fi

pillar/data/evaltab.sls

@@ -0,0 +1 @@
+evaltab:

pillar/data/mastertab.sls

@@ -0,0 +1 @@
+mastertab:

pillar/data/sensorstab.sls

@@ -0,0 +1 @@
+sensorstab:

pillar/docker/config.sls

@@ -0,0 +1,211 @@
+{%- set FLEETMASTER = salt['pillar.get']('static:fleet_master', False) -%}
+{%- set FLEETNODE = salt['pillar.get']('static:fleet_node', False) -%}
+{% set WAZUH = salt['pillar.get']('master:wazuh', '0') %}
+{% set THEHIVE = salt['pillar.get']('master:thehive', '0') %}
+{% set PLAYBOOK = salt['pillar.get']('master:playbook', '0') %}
+{% set FREQSERVER = salt['pillar.get']('master:freq', '0') %}
+{% set DOMAINSTATS = salt['pillar.get']('master:domainstats', '0') %}
+{% set BROVER = salt['pillar.get']('static:broversion', 'COMMUNITY') %}
+{% set GRAFANA = salt['pillar.get']('master:grafana', '0') %}
+
+eval:
+  containers:
+    - so-core
+    - so-telegraf
+    {% if  GRAFANA == '1' %}
+    - so-influxdb
+    - so-grafana
+    {% endif %}
+    - so-dockerregistry
+    - so-soc
+    - so-kratos
+    - so-idstools
+    {% if FLEETMASTER %}
+    - so-mysql
+    - so-fleet
+    - so-redis
+    {% endif %}
+    - so-elasticsearch
+    - so-logstash
+    - so-kibana
+    - so-steno
+    - so-suricata
+    - so-zeek
+    - so-curator
+    - so-elastalert
+    {% if WAZUH != '0' %}
+    - so-wazuh
+    {% endif %}
+    - so-soctopus
+    {% if THEHIVE != '0' %}
+    - so-thehive
+    - so-thehive-es
+    - so-cortex
+    {% endif %}
+    {% if PLAYBOOK != '0' %}
+    - so-playbook
+    - so-navigator
+    {% endif %}
+    {% if FREQSERVER != '0' %}
+    - so-freqserver
+    {% endif %}
+    {% if DOMAINSTATS != '0' %}
+    - so-domainstats
+    {% endif %}
+heavy_node:
+  containers:
+    - so-core
+    - so-telegraf
+    - so-redis
+    - so-logstash
+    - so-elasticsearch
+    - so-curator
+    - so-steno
+    - so-suricata
+    - so-wazuh
+    - so-filebeat
+    {% if BROVER != 'SURICATA' %}
+    - so-zeek
+    {% endif %}
+helix:
+  containers:
+    - so-core
+    - so-telegraf
+    - so-idstools
+    - so-steno
+    - so-zeek
+    - so-redis
+    - so-logstash
+    - so-filebeat
+hot_node:
+  containers:
+    - so-core
+    - so-telegraf
+    - so-logstash
+    - so-elasticsearch
+    - so-curator
+master_search:
+  containers:
+    - so-core
+    - so-telegraf
+    - so-soc
+    - so-kratos
+    - so-acng
+    - so-idstools
+    - so-redis
+    - so-logstash
+    - so-elasticsearch
+    - so-curator
+    - so-kibana
+    - so-elastalert
+    - so-filebeat
+    - so-soctopus
+    {% if FLEETMASTER %}
+    - so-mysql
+    - so-fleet
+    - so-redis
+    {% endif %}
+    {% if WAZUH != '0' %}
+    - so-wazuh
+    {% endif %}
+    - so-soctopus
+    {% if THEHIVE != '0' %}
+    - so-thehive
+    - so-thehive-es
+    - so-cortex
+    {% endif %}
+    {% if PLAYBOOK != '0' %}
+    - so-playbook
+    - so-navigator
+    {% endif %}
+    {% if FREQSERVER != '0' %}
+    - so-freqserver
+    {% endif %}
+    {% if DOMAINSTATS != '0' %}
+    - so-domainstats
+    {% endif %}
+master:
+  containers:
+    - so-dockerregistry
+    - so-core
+    - so-telegraf
+    {% if  GRAFANA == '1' %}
+    - so-influxdb
+    - so-grafana
+    {% endif %}
+    - so-soc
+    - so-kratos
+    - so-acng
+    - so-idstools
+    - so-redis
+    - so-elasticsearch
+    - so-logstash
+    - so-kibana
+    - so-elastalert
+    - so-filebeat
+    {% if FLEETMASTER %}
+    - so-mysql
+    - so-fleet
+    - so-redis
+    {% endif %}
+    {% if WAZUH != '0' %}
+    - so-wazuh
+    {% endif %}
+    - so-soctopus
+    {% if THEHIVE != '0' %}
+    - so-thehive
+    - so-thehive-es
+    - so-cortex
+    {% endif %}
+    {% if PLAYBOOK != '0' %}
+    - so-playbook
+    - so-navigator
+    {% endif %}
+    {% if FREQSERVER != '0' %}
+    - so-freqserver
+    {% endif %}
+    {% if DOMAINSTATS != '0' %}
+    - so-domainstats
+    {% endif %}
+parser_node:
+  containers:
+    - so-core
+    - so-telegraf
+    - so-logstash
+search_node:
+  containers:
+    - so-core
+    - so-telegraf
+    - so-logstash
+    - so-elasticsearch
+    - so-curator
+    - so-filebeat
+    {% if WAZUH != '0' %}
+    - so-wazuh
+    {% endif %}
+sensor:
+  containers:
+    - so-core
+    - so-telegraf
+    - so-steno
+    - so-suricata
+    {% if BROVER != 'SURICATA' %}
+    - so-zeek
+    {% endif %}
+    - so-wazuh
+    - so-filebeat
+warm_node:
+  containers:
+    - so-core
+    - so-telegraf
+    - so-elasticsearch
+fleet:
+  containers:
+    {% if FLEETNODE %}
+    - so-mysql
+    - so-fleet
+    - so-redis
+    - so-filebeat
+    - so-core
+    - so-telegraf
+    {% endif %}

pillar/firewall/addfirewall.sh

@@ -9,5 +9,5 @@ if grep -q $2 "/opt/so/saltstack/pillar/firewall/$1.sls"; then
   echo "Firewall Rule Already There"
 else
   echo "  - $2" >> /opt/so/saltstack/pillar/firewall/$1.sls
-  salt-call state.apply firewall
+  salt-call state.apply firewall queue=True
 fi

pillar/firewall/osquery_endpoint.sls

@@ -0,0 +1,3 @@
+osquery_endpoint:
+  - 127.0.0.1
+  

pillar/firewall/search_nodes.sls

@@ -0,0 +1,2 @@
+search_nodes:
+  - 127.0.0.1

pillar/firewall/storage_nodes.sls

@@ -1,2 +0,0 @@
-storage_nodes:
-  - 127.0.0.1

pillar/firewall/wazuh_endpoint.sls

@@ -0,0 +1,2 @@
+wazuh_endpoint:
+  - 127.0.0.1

pillar/healthcheck/eval.sls

@@ -0,0 +1,5 @@
+healthcheck:
+  enabled: False
+  schedule: 300
+  checks:
+    - zeek

pillar/healthcheck/sensor.sls

@@ -0,0 +1,5 @@
+healthcheck:
+  enabled: False
+  schedule: 300
+  checks:
+    - zeek

pillar/logstash/eval.sls

@@ -0,0 +1,21 @@
+logstash:
+  pipelines:
+    eval:
+      config:
+        - so/0800_input_eval.conf
+        - so/1002_preprocess_json.conf
+        - so/1033_preprocess_snort.conf
+        - so/7100_osquery_wel.conf
+        - so/8999_postprocess_rename_type.conf
+        - so/9000_output_bro.conf.jinja
+        - so/9002_output_import.conf.jinja
+        - so/9033_output_snort.conf.jinja
+        - so/9100_output_osquery.conf.jinja
+        - so/9400_output_suricata.conf.jinja
+        - so/9500_output_beats.conf.jinja
+        - so/9600_output_ossec.conf.jinja
+        - so/9700_output_strelka.conf.jinja
+  templates:
+    - so/so-beats-template.json
+    - so/so-common-template.json
+    - so/so-zeek-template.json

pillar/logstash/helix.sls

@@ -0,0 +1,42 @@
+logstash:
+  pipelines:
+    helix:
+      config:
+        - so/0010_input_hhbeats.conf
+        - so/1033_preprocess_snort.conf
+        - so/1100_preprocess_bro_conn.conf
+        - so/1101_preprocess_bro_dhcp.conf
+        - so/1102_preprocess_bro_dns.conf
+        - so/1103_preprocess_bro_dpd.conf
+        - so/1104_preprocess_bro_files.conf
+        - so/1105_preprocess_bro_ftp.conf
+        - so/1106_preprocess_bro_http.conf
+        - so/1107_preprocess_bro_irc.conf
+        - so/1108_preprocess_bro_kerberos.conf
+        - so/1109_preprocess_bro_notice.conf
+        - so/1110_preprocess_bro_rdp.conf
+        - so/1111_preprocess_bro_signatures.conf
+        - so/1112_preprocess_bro_smtp.conf
+        - so/1113_preprocess_bro_snmp.conf
+        - so/1114_preprocess_bro_software.conf
+        - so/1115_preprocess_bro_ssh.conf
+        - so/1116_preprocess_bro_ssl.conf
+        - so/1117_preprocess_bro_syslog.conf
+        - so/1118_preprocess_bro_tunnel.conf
+        - so/1119_preprocess_bro_weird.conf
+        - so/1121_preprocess_bro_mysql.conf
+        - so/1122_preprocess_bro_socks.conf
+        - so/1123_preprocess_bro_x509.conf
+        - so/1124_preprocess_bro_intel.conf
+        - so/1125_preprocess_bro_modbus.conf
+        - so/1126_preprocess_bro_sip.conf
+        - so/1127_preprocess_bro_radius.conf
+        - so/1128_preprocess_bro_pe.conf
+        - so/1129_preprocess_bro_rfb.conf
+        - so/1130_preprocess_bro_dnp3.conf
+        - so/1131_preprocess_bro_smb_files.conf
+        - so/1132_preprocess_bro_smb_mapping.conf
+        - so/1133_preprocess_bro_ntlm.conf
+        - so/1134_preprocess_bro_dce_rpc.conf
+        - so/8001_postprocess_common_ip_augmentation.conf
+        - so/9997_output_helix.conf.jinja

pillar/logstash/init.sls

@@ -0,0 +1,11 @@
+logstash:
+  docker_options:
+    port_bindings:
+      - 0.0.0.0:514:514
+      - 0.0.0.0:5044:5044
+      - 0.0.0.0:5644:5644
+      - 0.0.0.0:6050:6050
+      - 0.0.0.0:6051:6051
+      - 0.0.0.0:6052:6052
+      - 0.0.0.0:6053:6053
+      - 0.0.0.0:9600:9600

pillar/logstash/master.sls

@@ -0,0 +1,6 @@
+logstash:
+  pipelines:
+    master:
+      config:
+        - so/0010_input_hhbeats.conf
+        - so/9999_output_redis.conf.jinja

pillar/logstash/search.sls

@@ -0,0 +1,16 @@
+logstash:
+  pipelines:
+    search:
+      config:
+        - so/0900_input_redis.conf.jinja
+        - so/9000_output_zeek.conf.jinja
+        - so/9002_output_import.conf.jinja
+        - so/9100_output_osquery.conf.jinja
+        - so/9400_output_suricata.conf.jinja
+        - so/9500_output_beats.conf.jinja
+        - so/9600_output_ossec.conf.jinja
+        - so/9700_output_strelka.conf.jinja
+  templates:
+    - so/so-beats-template.json
+    - so/so-common-template.json
+    - so/so-zeek-template.json

pillar/masters/example.sls

@@ -1,10 +0,0 @@
-# Example Pillar file for a master
-master:
-  esaccessip: 127.0.0.1
-  esheap: CHANGEME
-  esclustername: {{ grains.host }}
-  freq: 0
-  domainstats: 0
-  lsheap: 1500m
-  lsaccessip: 127.0.0.1
-  elastalert: 1

pillar/masters/schedule.sls

@@ -1,5 +0,0 @@
-schedule:
-  highstate:
-    funtion: state.highstate
-    minutes: 15
-    maxrunning: 1

pillar/nodes/example.sls

@@ -1,5 +0,0 @@
-# Example Pillar file for a sensor
-node:
-  ls_heapsize: CHANGEME
-  es_heapsize: CHANGEME
-  node_type: CHANGEME

pillar/nodes/schedule.sls

@@ -1,5 +0,0 @@
-schedule:
-  highstate:
-    funtion: state.highstate
-    minutes: 15
-    maxrunning: 1

pillar/patch/needs_restarting.sls

@@ -0,0 +1,2 @@
+mine_functions:
+  needs_restarting.check: []

pillar/sensors/example.sls

@@ -1,14 +0,0 @@
-# Example Pillar file for a sensor
-sensor:
-  interface: CHANGEME
-  bro_pins:
-    - 1
-    - 2
-    - 3
-    - 4
-  brobpf:
-  pcapbpf:
-  nidsbpf:
-  s3bucket:
-  s3key:
-

pillar/sensors/schedule.sls

@@ -1,5 +0,0 @@
-schedule:
-  highstate:
-    funtion: state.highstate
-    minutes: 15
-    maxrunning: 1

pillar/thresholding/pillar.example

@@ -0,0 +1,44 @@
+thresholding:
+  sids:
+    8675309:
+      - threshold:
+          gen_id: 1
+          type: threshold
+          track: by_src
+          count: 10
+          seconds: 10
+      - threshold:
+          gen_id: 1
+          type: limit
+          track: by_dst
+          count: 100
+          seconds: 30
+      - rate_filter:
+          gen_id: 1
+          track: by_rule
+          count: 50
+          seconds: 30
+          new_action: alert
+          timeout: 30
+      - suppress:
+          gen_id: 1
+          track: by_either
+          ip: 10.10.3.7
+    11223344:
+      - threshold:
+          gen_id: 1
+          type: limit
+          track: by_dst
+          count: 10
+          seconds: 10
+      - rate_filter:
+          gen_id: 1
+          track: by_src
+          count: 50
+          seconds: 20
+          new_action: pass
+          timeout: 60
+      - suppress:
+          gen_id: 1
+          track: by_src
+          ip: 10.10.3.0/24

pillar/thresholding/pillar.usage

@@ -0,0 +1,20 @@
+thresholding:
+  sids:
+    <signature id>:
+      - threshold:
+          gen_id: <generator id>
+          type: <threshold | limit | both>
+          track: <by_src | by_dst>
+          count: <count>
+          seconds: <seconds>
+      - rate_filter:
+          gen_id: <generator id>
+          track: <by_src | by_dst | by_rule | by_both>
+          count: <count>
+          seconds: <seconds>
+          new_action: <alert | pass>
+          timeout: <seconds>
+      - suppress:
+          gen_id: <generator id>
+          track: <by_src | by_dst | by_either>
+          ip: <ip | subnet>

pillar/top.sls

@@ -1,28 +1,72 @@
 base:
-  'G@role:so-sensor':
-    - sensors.schedule
-    - sensors.{{ grains.host }}
+  '*':
+    - patch.needs_restarting
+    - docker.config
+
+  '*_mastersearch or *_heavynode':
+    - match: compound
+    - logstash
+    - logstash.master
+    - logstash.search
+
+  '*_sensor':
     - static
     - firewall.*
     - brologs
+    - healthcheck.sensor
+    - minions.{{ grains.id }}
 
-  'G@role:so-master':
-    - masters.schedule
-    - masters.{{ grains.host }}
+  '*_master or *_mastersearch':
+    - match: compound
     - static
     - firewall.*
     - data.*
+    - secrets
+    - minions.{{ grains.id }}
 
-  'G@role:so-eval':
-    - masters.schedule
-    - masters.{{ grains.host }}
+  '*_master':
+    - logstash
+    - logstash.master
+
+  '*_eval':
     - static
     - firewall.*
     - data.*
     - brologs
+    - secrets
+    - healthcheck.eval
+    - minions.{{ grains.id }}
 
-  'G@role:so-node':
-    - nodes.schedule
-    - nodes.{{ grains.host }}
+  '*_node':
     - static
     - firewall.*
+    - minions.{{ grains.id }}
+
+  '*_heavynode':
+    - static
+    - firewall.*
+    - brologs
+    - minions.{{ grains.id }}
+
+  '*_helix':
+    - static
+    - firewall.*
+    - fireeye
+    - brologs
+    - logstash
+    - logstash.helix
+    - minions.{{ grains.id }}
+
+  '*_fleet':
+    - static
+    - firewall.*
+    - data.*
+    - secrets
+    - minions.{{ grains.id }}
+
+  '*_searchnode':
+    - static
+    - firewall.*
+    - logstash
+    - logstash.search
+    - minions.{{ grains.id }}

salt/_beacons/zeek.py

@@ -0,0 +1,33 @@
+import logging
+
+
+def status():
+
+ cmd = "runuser -l zeek -c '/opt/zeek/bin/zeekctl status'"
+ retval = __salt__['docker.run']('so-zeek', cmd)
+ logging.info('zeekctl_module: zeekctl.status retval: %s' % retval)
+
+ return retval
+
+
+def beacon(config):
+
+  retval = []
+
+  is_enabled = __salt__['healthcheck.is_enabled']()
+  logging.info('zeek_beacon: healthcheck_is_enabled: %s' % is_enabled)
+
+  if is_enabled:
+    zeekstatus = status().lower().split(' ')
+    logging.info('zeek_beacon: zeekctl.status: %s' % str(zeekstatus))
+    if 'stopped' in zeekstatus or 'crashed' in zeekstatus or 'error' in zeekstatus or 'error:' in zeekstatus:
+     zeek_restart = True
+    else:
+     zeek_restart = False
+
+    __salt__['telegraf.send']('healthcheck zeek_restart=%s' % str(zeek_restart))
+    retval.append({'zeek_restart': zeek_restart})
+    logging.info('zeek_beacon: retval: %s' % str(retval))
+
+  return retval
+

salt/_modules/healthcheck.py

@@ -0,0 +1,96 @@
+#!py
+
+import logging
+import sys
+
+allowed_functions = ['is_enabled', 'zeek']
+states_to_apply = []
+
+
+def apply_states(states=''):
+
+  calling_func = sys._getframe().f_back.f_code.co_name
+  logging.debug('healthcheck_module: apply_states function caller: %s' % calling_func)
+
+  if not states:
+    states = ','.join(states_to_apply)
+ 
+  if states: 
+    logging.info('healthcheck_module: apply_states states: %s' % str(states))
+    __salt__['state.apply'](states)
+
+
+def docker_stop(container):
+  
+  try:
+    stopdocker = __salt__['docker.rm'](container, 'stop=True')
+  except Exception as e:
+    logging.error('healthcheck_module: %s' % e)
+
+
+def is_enabled():
+  
+  if __salt__['pillar.get']('healthcheck:enabled', 'False'):
+    retval = True
+  else:
+    retval = False
+  
+  return retval
+  
+
+def run(checks=''):
+  
+  retval = []
+  calling_func = sys._getframe().f_back.f_code.co_name
+  logging.debug('healthcheck_module: run function caller: %s' % calling_func)
+  
+  if checks:
+    checks = checks.split(',')
+  else:  
+    checks = __salt__['pillar.get']('healthcheck:checks', {})
+  
+  logging.debug('healthcheck_module: run checks to be run: %s' % str(checks))
+  for check in checks:
+    if check in allowed_functions:
+      retval.append(check)
+      check = getattr(sys.modules[__name__], check)
+      check()
+    else:
+      logging.warning('healthcheck_module: attempted to run function %s' % check)
+
+  # If you want to apply states at the end of the run,
+  # be sure to append the state name to states_to_apply[]
+  apply_states()
+
+  return retval
+
+
+def send_event(tag, eventdata):
+  __salt__['event.send'](tag, eventdata[0])
+
+
+def zeek():
+
+  calling_func = sys._getframe().f_back.f_code.co_name
+  logging.debug('healthcheck_module: zeek function caller: %s' % calling_func)
+  retval = []
+
+  retcode = __salt__['zeekctl.status'](verbose=False)
+  logging.debug('healthcheck_module: zeekctl.status retcode: %i' % retcode)
+  if retcode:
+    zeek_restart = 1
+    if calling_func != 'beacon':
+      docker_stop('so-zeek')
+      states_to_apply.append('zeek')
+  else:
+    zeek_restart = 0
+
+  __salt__['telegraf.send']('healthcheck zeek_restart=%i' % zeek_restart)
+  
+  if calling_func == 'execute' and zeek_restart:
+    apply_states()
+  
+  retval.append({'zeek_restart': zeek_restart})
+
+  send_event('so/healthcheck/zeek', retval)
+  return retval

salt/_modules/needs_restarting.py

@@ -0,0 +1,24 @@
+from os import path
+import subprocess
+
+def check():
+
+  os = __grains__['os']
+  retval = 'False'
+
+  if os == 'Ubuntu':
+    if path.exists('/var/run/reboot-required'):
+      retval = 'True'
+
+  elif os == 'CentOS':
+    cmd = 'needs-restarting -r > /dev/null 2>&1'
+    
+    try:
+      needs_restarting = subprocess.check_call(cmd, shell=True)
+    except subprocess.CalledProcessError:
+      retval = 'True'
+
+  else:
+    retval = 'Unsupported OS: %s' % os
+
+  return retval

salt/_modules/telegraf.py

@@ -0,0 +1,16 @@
+#!py
+
+import logging
+import socket
+
+
+def send(data):
+
+  mainint = __salt__['pillar.get']('sensor:mainint', __salt__['pillar.get']('master:mainint'))
+  mainip = __salt__['grains.get']('ip_interfaces').get(mainint)[0]
+  dstport = 8094
+
+  sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
+  sent = sock.sendto(data.encode('utf-8'), (mainip, dstport))
+
+  return sent

salt/_modules/zeekctl.py

@@ -0,0 +1,160 @@
+#!py
+
+import logging
+
+
+def capstats(interval=10):
+
+ cmd = "runuser -l zeek -c '/opt/zeek/bin/zeekctl capstats %i'" % interval
+ retval = __salt__['docker.run']('so-zeek', cmd)
+ 
+ return retval
+
+
+def check():
+
+ cmd = "runuser -l zeek -c '/opt/zeek/bin/zeekctl check'"
+ retval = __salt__['docker.run']('so-zeek', cmd)
+ 
+ return retval
+
+
+def cleanup(all=''):
+
+ retval = ''
+
+ if all: 
+   if all == 'all':
+     cmd = "runuser -l zeek -c '/opt/zeek/bin/zeekctl cleanup --all'"
+   else:
+     retval = 'Invalid option. zeekctl.help for options'
+ else:
+   cmd = "runuser -l zeek -c '/opt/zeek/bin/zeekctl cleanup'"
+
+ if not retval:
+   retval = __salt__['docker.run']('so-zeek', cmd)
+ return retval
+
+
+def config():
+
+ cmd = "runuser -l zeek -c '/opt/zeek/bin/zeekctl config'"
+ retval = __salt__['docker.run']('so-zeek', cmd)
+ return retval
+
+
+def deploy():
+
+ cmd = "runuser -l zeek -c '/opt/zeek/bin/zeekctl deploy'"
+ retval = __salt__['docker.run']('so-zeek', cmd)
+ return retval
+
+
+def df():
+
+ cmd = "runuser -l zeek -c '/opt/zeek/bin/zeekctl df'"
+ retval = __salt__['docker.run']('so-zeek', cmd)
+ return retval
+
+
+def diag():
+
+ cmd = "runuser -l zeek -c '/opt/zeek/bin/zeekctl diag'"
+ retval = __salt__['docker.run']('so-zeek', cmd)
+ return retval
+
+
+def install(local=''):
+
+ retval = ''
+
+ if local:
+   if local == 'local':
+     cmd = "runuser -l zeek -c '/opt/zeek/bin/zeekctl install --local'"
+   else:
+     retval = 'Invalid option. zeekctl.help for options' 
+ else:
+   cmd = "runuser -l zeek -c '/opt/zeek/bin/zeekctl install'"
+ 
+ if not retval:
+   retval = __salt__['docker.run']('so-zeek', cmd)
+ return retval
+
+
+def netstats():
+
+ cmd = "runuser -l zeek -c '/opt/zeek/bin/zeekctl netstats'"
+ retval = __salt__['docker.run']('so-zeek', cmd)
+ return retval
+
+
+def nodes():
+
+ cmd = "runuser -l zeek -c '/opt/zeek/bin/zeekctl nodes'"
+ retval = __salt__['docker.run']('so-zeek', cmd)
+ return retval
+
+
+def restart(clean=''):
+
+ retval = ''
+
+ if clean:
+   if clean == 'clean':
+     cmd = "runuser -l zeek -c '/opt/zeek/bin/zeekctl restart --clean'"
+   else:
+     retval = 'Invalid option. zeekctl.help for options'
+ else:
+   cmd = "runuser -l zeek -c '/opt/zeek/bin/zeekctl restart'"
+ 
+ if not retval:
+   retval = __salt__['docker.run']('so-zeek', cmd)
+ return retval
+
+
+def scripts(c=''):
+
+ retval = ''
+
+ if c:
+   if c == 'c':
+     cmd = "runuser -l zeek -c '/opt/zeek/bin/zeekctl scripts -c'"
+   else:
+     retval = 'Invalid option. zeekctl.help for options'
+ else:
+   cmd = "runuser -l zeek -c '/opt/zeek/bin/zeekctl scripts'"
+
+ if not retval:
+   retval = __salt__['docker.run']('so-zeek', cmd)
+ return retval
+
+
+def start():
+
+ cmd = "runuser -l zeek -c '/opt/zeek/bin/zeekctl start'"
+ retval = __salt__['docker.run']('so-zeek', cmd)
+ return retval
+
+
+def status(verbose=True):
+
+ cmd = "runuser -l zeek -c '/opt/zeek/bin/zeekctl status'"
+ retval = __salt__['docker.run']('so-zeek', cmd)
+ if not verbose:
+   retval = __context__['retcode']
+ logging.info('zeekctl_module: zeekctl.status retval: %s' % retval)
+ return retval
+
+
+def stop():
+
+ cmd = "runuser -l zeek -c '/opt/zeek/bin/zeekctl stop'"
+ retval = __salt__['docker.run']('so-zeek', cmd)
+ return retval
+
+
+def top():
+
+ cmd = "runuser -l zeek -c '/opt/zeek/bin/zeekctl top'"
+ retval = __salt__['docker.run']('so-zeek', cmd)
+ return retval

salt/ca/files/signing_policies.conf

@@ -10,7 +10,7 @@ x509_signing_policies:
     - keyUsage: "digitalSignature, nonRepudiation"
     - subjectKeyIdentifier: hash
     - authorityKeyIdentifier: keyid,issuer:always
-    - days_valid: 3000
+    - days_valid: 820
     - copypath: /etc/pki/issued_certs/
   registry:
     - minions: '*'
@@ -23,7 +23,8 @@ x509_signing_policies:
     - keyUsage: "critical keyEncipherment"
     - subjectKeyIdentifier: hash
     - authorityKeyIdentifier: keyid,issuer:always
-    - days_valid: 3000
+    - extendedKeyUsage: serverAuth
+    - days_valid: 820
     - copypath: /etc/pki/issued_certs/
   masterssl:
     - minions: '*'
@@ -36,5 +37,34 @@ x509_signing_policies:
     - keyUsage: "critical keyEncipherment"
     - subjectKeyIdentifier: hash
     - authorityKeyIdentifier: keyid,issuer:always
-    - days_valid: 3000
+    - extendedKeyUsage: serverAuth
+    - days_valid: 820
+    - copypath: /etc/pki/issued_certs/
+  influxdb:
+    - minions: '*'
+    - signing_private_key: /etc/pki/ca.key
+    - signing_cert: /etc/pki/ca.crt
+    - C: US
+    - ST: Utah
+    - L: Salt Lake City
+    - basicConstraints: "critical CA:false"
+    - keyUsage: "critical keyEncipherment"
+    - subjectKeyIdentifier: hash
+    - authorityKeyIdentifier: keyid,issuer:always
+    - extendedKeyUsage: serverAuth
+    - days_valid: 820
+    - copypath: /etc/pki/issued_certs/
+  fleet:
+    - minions: '*'
+    - signing_private_key: /etc/pki/ca.key
+    - signing_cert: /etc/pki/ca.crt
+    - C: US
+    - ST: Utah
+    - L: Salt Lake City
+    - basicConstraints: "critical CA:false"
+    - keyUsage: "critical keyEncipherment"
+    - subjectKeyIdentifier: hash
+    - authorityKeyIdentifier: keyid,issuer:always
+    - extendedKeyUsage: serverAuth
+    - days_valid: 820
     - copypath: /etc/pki/issued_certs/

salt/ca/init.sls

@@ -39,10 +39,10 @@ pki_private_key:
     - require:
       - file: /etc/pki
 
-mine.send:
+send_x509_pem_entries_to_mine:
   module.run:
-    - func: x509.get_pem_entries
-    - kwargs:
-        glob_path: /etc/pki/ca.crt
+    - mine.send:
+      - func: x509.get_pem_entries
+      - glob_path: /etc/pki/ca.crt
     - onchanges:
       - x509: /etc/pki/ca.crt

salt/common/grafana/etc/dashboards/dashboard.yml

@@ -0,0 +1,35 @@
+apiVersion: 1
+
+providers:
+
+{%- if grains['role'] != 'so-eval' %}
+- name: 'Master'
+  folder: 'Master'
+  type: file
+  disableDeletion: false
+  editable: true
+  options:
+    path: /etc/grafana/grafana_dashboards/master
+- name: 'Sensor Nodes'
+  folder: 'Sensor Nodes'
+  type: file
+  disableDeletion: false
+  editable: true
+  options:
+    path: /etc/grafana/grafana_dashboards/sensor_nodes
+- name: 'Search Nodes'
+  folder: 'Search Nodes'
+  type: file
+  disableDeletion: false
+  editable: true
+  options:
+    path: /etc/grafana/grafana_dashboards/search_nodes
+{%- else %}
+- name: 'Security Onion'
+  folder: 'Eval Mode'
+  type: file
+  disableDeletion: false
+  editable: true
+  options:
+    path: /etc/grafana/grafana_dashboards/eval
+{% endif %}

salt/common/grafana/etc/datasources/influxdb.yaml

@@ -0,0 +1,18 @@
+{%- set MASTER = salt['pillar.get']('static:masterip', '') %}
+apiVersion: 1
+
+deleteDatasources:
+  - name: Graphite
+    orgId: 1
+
+datasources:
+  - name: InfluxDB
+    type: influxdb
+    access: proxy
+    database: telegraf
+    url: https://{{ MASTER }}:8086
+    jsonData:
+      tlsAuth: false
+      tlsAuthWithCACert: false
+      tlsSkipVerify: true
+    version: 1

salt/common/grafana/etc/grafana.ini

@@ -0,0 +1,482 @@
+##################### Grafana Configuration Example #####################
+#
+# Everything has defaults so you only need to uncomment things you want to
+# change
+
+# possible values : production, development
+;app_mode = production
+
+# instance name, defaults to HOSTNAME environment variable value or hostname if HOSTNAME var is empty
+;instance_name = ${HOSTNAME}
+
+#################################### Paths ####################################
+[paths]
+# Path to where grafana can store temp files, sessions, and the sqlite3 db (if that is used)
+;data = /var/lib/grafana
+
+# Temporary files in `data` directory older than given duration will be removed
+;temp_data_lifetime = 24h
+
+# Directory where grafana can store logs
+;logs = /var/log/grafana
+
+# Directory where grafana will automatically scan and look for plugins
+;plugins = /var/lib/grafana/plugins
+
+# folder that contains provisioning config files that grafana will apply on startup and while running.
+;provisioning = conf/provisioning
+
+#################################### Server ####################################
+[server]
+# Protocol (http, https, socket)
+;protocol = http
+
+# The ip address to bind to, empty will bind to all interfaces
+;http_addr =
+
+# The http port  to use
+;http_port = 3000
+
+# The public facing domain name used to access grafana from a browser
+;domain = localhost
+
+# Redirect to correct domain if host header does not match domain
+# Prevents DNS rebinding attacks
+;enforce_domain = false
+
+# The full public facing url you use in browser, used for redirects and emails
+# If you use reverse proxy and sub path specify full url (with sub path)
+root_url = %(protocol)s://%(domain)s/grafana/
+
+# Log web requests
+;router_logging = false
+
+# the path relative working path
+;static_root_path = public
+
+# enable gzip
+;enable_gzip = false
+
+# https certs & key file
+;cert_file =
+;cert_key =
+
+# Unix socket path
+;socket =
+
+#################################### Database ####################################
+[database]
+# You can configure the database connection by specifying type, host, name, user and password
+# as separate properties or as on string using the url properties.
+
+# Either "mysql", "postgres" or "sqlite3", it's your choice
+;type = sqlite3
+;host = 127.0.0.1:3306
+;name = grafana
+;user = root
+# If the password contains # or ; you have to wrap it with triple quotes. Ex """#password;"""
+;password =
+
+# Use either URL or the previous fields to configure the database
+# Example: mysql://user:secret@host:port/database
+;url =
+
+# For "postgres" only, either "disable", "require" or "verify-full"
+;ssl_mode = disable
+
+# For "sqlite3" only, path relative to data_path setting
+;path = grafana.db
+
+# Max idle conn setting default is 2
+;max_idle_conn = 2
+
+# Max conn setting default is 0 (mean not set)
+;max_open_conn =
+
+# Connection Max Lifetime default is 14400 (means 14400 seconds or 4 hours)
+;conn_max_lifetime = 14400
+
+# Set to true to log the sql calls and execution times.
+log_queries =
+
+#################################### Session ####################################
+[session]
+# Either "memory", "file", "redis", "mysql", "postgres", default is "file"
+;provider = file
+
+# Provider config options
+# memory: not have any config yet
+# file: session dir path, is relative to grafana data_path
+# redis: config like redis server e.g. `addr=127.0.0.1:6379,pool_size=100,db=grafana`
+# mysql: go-sql-driver/mysql dsn config string, e.g. `user:password@tcp(127.0.0.1:3306)/database_name`
+# postgres: user=a password=b host=localhost port=5432 dbname=c sslmode=disable
+;provider_config = sessions
+
+# Session cookie name
+;cookie_name = grafana_sess
+
+# If you use session in https only, default is false
+;cookie_secure = false
+
+# Session life time, default is 86400
+;session_life_time = 86400
+
+#################################### Data proxy ###########################
+[dataproxy]
+
+# This enables data proxy logging, default is false
+;logging = false
+
+#################################### Analytics ####################################
+[analytics]
+# Server reporting, sends usage counters to stats.grafana.org every 24 hours.
+# No ip addresses are being tracked, only simple counters to track
+# running instances, dashboard and error counts. It is very helpful to us.
+# Change this option to false to disable reporting.
+;reporting_enabled = true
+
+# Set to false to disable all checks to https://grafana.net
+# for new vesions (grafana itself and plugins), check is used
+# in some UI views to notify that grafana or plugin update exists
+# This option does not cause any auto updates, nor send any information
+# only a GET request to http://grafana.com to get latest versions
+;check_for_updates = true
+
+# Google Analytics universal tracking code, only enabled if you specify an id here
+;google_analytics_ua_id =
+
+#################################### Security ####################################
+[security]
+# default admin user, created on startup
+;admin_user = admin
+
+# default admin password, can be changed before first start of grafana,  or in profile settings
+;admin_password = admin
+
+# used for signing
+;secret_key = SW2YcwTIb9zpOOhoPsMm
+
+# Auto-login remember days
+;login_remember_days = 7
+;cookie_username = grafana_user
+;cookie_remember_name = grafana_remember
+
+# disable gravatar profile images
+;disable_gravatar = false
+
+# data source proxy whitelist (ip_or_domain:port separated by spaces)
+;data_source_proxy_whitelist =
+
+# disable protection against brute force login attempts
+;disable_brute_force_login_protection = false
+
+#################################### Snapshots ###########################
+[snapshots]
+# snapshot sharing options
+;external_enabled = true
+;external_snapshot_url = https://snapshots-origin.raintank.io
+;external_snapshot_name = Publish to snapshot.raintank.io
+
+# remove expired snapshot
+;snapshot_remove_expired = true
+
+#################################### Dashboards History ##################
+[dashboards]
+# Number dashboard versions to keep (per dashboard). Default: 20, Minimum: 1
+;versions_to_keep = 20
+
+#################################### Users ###############################
+[users]
+# disable user signup / registration
+;allow_sign_up = true
+
+# Allow non admin users to create organizations
+;allow_org_create = true
+
+# Set to true to automatically assign new users to the default organization (id 1)
+;auto_assign_org = true
+
+# Default role new users will be automatically assigned (if disabled above is set to true)
+;auto_assign_org_role = Viewer
+
+# Background text for the user field on the login page
+;login_hint = email or username
+
+# Default UI theme ("dark" or "light")
+;default_theme = dark
+
+# External user management, these options affect the organization users view
+;external_manage_link_url =
+;external_manage_link_name =
+;external_manage_info =
+
+# Viewers can edit/inspect dashboard settings in the browser. But not save the dashboard.
+;viewers_can_edit = false
+
+[auth]
+# Set to true to disable (hide) the login form, useful if you use OAuth, defaults to false
+;disable_login_form = false
+
+# Set to true to disable the signout link in the side menu. useful if you use auth.proxy, defaults to false
+;disable_signout_menu = false
+
+# URL to redirect the user to after sign out
+;signout_redirect_url =
+
+#################################### Anonymous Auth ##########################
+[auth.anonymous]
+# enable anonymous access
+;enabled = false
+
+# specify organization name that should be used for unauthenticated users
+;org_name = Main Org.
+
+# specify role for unauthenticated users
+;org_role = Viewer
+
+#################################### Github Auth ##########################
+[auth.github]
+;enabled = false
+;allow_sign_up = true
+;client_id = some_id
+;client_secret = some_secret
+;scopes = user:email,read:org
+;auth_url = https://github.com/login/oauth/authorize
+;token_url = https://github.com/login/oauth/access_token
+;api_url = https://api.github.com/user
+;team_ids =
+;allowed_organizations =
+
+#################################### Google Auth ##########################
+[auth.google]
+;enabled = false
+;allow_sign_up = true
+;client_id = some_client_id
+;client_secret = some_client_secret
+;scopes = https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email
+;auth_url = https://accounts.google.com/o/oauth2/auth
+;token_url = https://accounts.google.com/o/oauth2/token
+;api_url = https://www.googleapis.com/oauth2/v1/userinfo
+;allowed_domains =
+
+#################################### Generic OAuth ##########################
+[auth.generic_oauth]
+;enabled = false
+;name = OAuth
+;allow_sign_up = true
+;client_id = some_id
+;client_secret = some_secret
+;scopes = user:email,read:org
+;auth_url = https://foo.bar/login/oauth/authorize
+;token_url = https://foo.bar/login/oauth/access_token
+;api_url = https://foo.bar/user
+;team_ids =
+;allowed_organizations =
+;tls_skip_verify_insecure = false
+;tls_client_cert =
+;tls_client_key =
+;tls_client_ca =
+
+#################################### Grafana.com Auth ####################
+[auth.grafana_com]
+;enabled = false
+;allow_sign_up = true
+;client_id = some_id
+;client_secret = some_secret
+;scopes = user:email
+;allowed_organizations =
+
+#################################### Auth Proxy ##########################
+[auth.proxy]
+;enabled = false
+;header_name = X-WEBAUTH-USER
+;header_property = username
+;auto_sign_up = true
+;ldap_sync_ttl = 60
+;whitelist = 192.168.1.1, 192.168.2.1
+;headers = Email:X-User-Email, Name:X-User-Name
+
+#################################### Basic Auth ##########################
+[auth.basic]
+;enabled = true
+
+#################################### Auth LDAP ##########################
+[auth.ldap]
+;enabled = false
+;config_file = /etc/grafana/ldap.toml
+;allow_sign_up = true
+
+#################################### SMTP / Emailing ##########################
+[smtp]
+;enabled = false
+;host = localhost:25
+;user =
+# If the password contains # or ; you have to wrap it with trippel quotes. Ex """#password;"""
+;password =
+;cert_file =
+;key_file =
+;skip_verify = false
+;from_address = admin@grafana.localhost
+;from_name = Grafana
+# EHLO identity in SMTP dialog (defaults to instance_name)
+;ehlo_identity = dashboard.example.com
+
+[emails]
+;welcome_email_on_sign_up = false
+
+#################################### Logging ##########################
+[log]
+# Either "console", "file", "syslog". Default is console and  file
+# Use space to separate multiple modes, e.g. "console file"
+;mode = console file
+
+# Either "debug", "info", "warn", "error", "critical", default is "info"
+;level = info
+
+# optional settings to set different levels for specific loggers. Ex filters = sqlstore:debug
+;filters =
+
+# For "console" mode only
+[log.console]
+;level =
+
+# log line format, valid options are text, console and json
+;format = console
+
+# For "file" mode only
+[log.file]
+;level =
+
+# log line format, valid options are text, console and json
+;format = text
+
+# This enables automated log rotate(switch of following options), default is true
+;log_rotate = true
+
+# Max line number of single file, default is 1000000
+;max_lines = 1000000
+
+# Max size shift of single file, default is 28 means 1 << 28, 256MB
+;max_size_shift = 28
+
+# Segment log daily, default is true
+;daily_rotate = true
+
+# Expired days of log file(delete after max days), default is 7
+;max_days = 7
+
+[log.syslog]
+;level =
+
+# log line format, valid options are text, console and json
+;format = text
+
+# Syslog network type and address. This can be udp, tcp, or unix. If left blank, the default unix endpoints will be used.
+;network =
+;address =
+
+# Syslog facility. user, daemon and local0 through local7 are valid.
+;facility =
+
+# Syslog tag. By default, the process' argv[0] is used.
+;tag =
+
+#################################### Alerting ############################
+[alerting]
+# Disable alerting engine & UI features
+;enabled = true
+# Makes it possible to turn off alert rule execution but alerting UI is visible
+;execute_alerts = true
+
+# Default setting for new alert rules. Defaults to categorize error and timeouts as alerting. (alerting, keep_state)
+;error_or_timeout = alerting
+
+# Default setting for how Grafana handles nodata or null values in alerting. (alerting, no_data, keep_state, ok)
+;nodata_or_nullvalues = no_data
+
+# Alert notifications can include images, but rendering many images at the same time can overload the server
+# This limit will protect the server from render overloading and make sure notifications are sent out quickly
+;concurrent_render_limit = 5
+
+#################################### Explore #############################
+[explore]
+# Enable the Explore section
+;enabled = false
+
+#################################### Internal Grafana Metrics ##########################
+# Metrics available at HTTP API Url /metrics
+[metrics]
+# Disable / Enable internal metrics
+;enabled           = true
+
+# Publish interval
+;interval_seconds  = 10
+
+# Send internal metrics to Graphite
+[metrics.graphite]
+# Enable by setting the address setting (ex localhost:2003)
+;address =
+;prefix = prod.grafana.%(instance_name)s.
+
+#################################### Distributed tracing ############
+[tracing.jaeger]
+# Enable by setting the address sending traces to jaeger (ex localhost:6831)
+;address = localhost:6831
+# Tag that will always be included in when creating new spans. ex (tag1:value1,tag2:value2)
+;always_included_tag = tag1:value1
+# Type specifies the type of the sampler: const, probabilistic, rateLimiting, or remote
+;sampler_type = const
+# jaeger samplerconfig param
+# for "const" sampler, 0 or 1 for always false/true respectively
+# for "probabilistic" sampler, a probability between 0 and 1
+# for "rateLimiting" sampler, the number of spans per second
+# for "remote" sampler, param is the same as for "probabilistic"
+# and indicates the initial sampling rate before the actual one
+# is received from the mothership
+;sampler_param = 1
+
+#################################### Grafana.com integration  ##########################
+# Url used to import dashboards directly from Grafana.com
+[grafana_com]
+;url = https://grafana.com
+
+#################################### External image storage ##########################
+[external_image_storage]
+# Used for uploading images to public servers so they can be included in slack/email messages.
+# you can choose between (s3, webdav, gcs, azure_blob, local)
+;provider =
+
+[external_image_storage.s3]
+;bucket =
+;region =
+;path =
+;access_key =
+;secret_key =
+
+[external_image_storage.webdav]
+;url =
+;public_url =
+;username =
+;password =
+
+[external_image_storage.gcs]
+;key_file =
+;bucket =
+;path =
+
+[external_image_storage.azure_blob]
+;account_name =
+;account_key =
+;container_name =
+
+[external_image_storage.local]
+# does not require any configuration
+
+[rendering]
+# Options to configure external image rendering server like https://github.com/grafana/grafana-image-renderer
+;server_url =
+;callback_url =
+
+[enterprise]
+# Path to a valid Grafana Enterprise license.jwt file
+;license_path =

salt/common/influxdb/etc/influxdb.conf

@@ -0,0 +1,560 @@
+### Welcome to the InfluxDB configuration file.
+
+# The values in this file override the default values used by the system if
+# a config option is not specified. The commented out lines are the configuration
+# field and the default value used. Uncommenting a line and changing the value
+# will change the value used at runtime when the process is restarted.
+
+# Once every 24 hours InfluxDB will report usage data to usage.influxdata.com
+# The data includes a random ID, os, arch, version, the number of series and other
+# usage data. No data from user databases is ever transmitted.
+# Change this option to true to disable reporting.
+# reporting-disabled = false
+
+# Bind address to use for the RPC service for backup and restore.
+# bind-address = "127.0.0.1:8088"
+
+###
+### [meta]
+###
+### Controls the parameters for the Raft consensus group that stores metadata
+### about the InfluxDB cluster.
+###
+
+[meta]
+  # Where the metadata/raft database is stored
+  dir = "/var/lib/influxdb/meta"
+
+  # Automatically create a default retention policy when creating a database.
+  # retention-autocreate = true
+
+  # If log messages are printed for the meta service
+  # logging-enabled = true
+
+###
+### [data]
+###
+### Controls where the actual shard data for InfluxDB lives and how it is
+### flushed from the WAL. "dir" may need to be changed to a suitable place
+### for your system, but the WAL settings are an advanced configuration. The
+### defaults should work for most systems.
+###
+
+[data]
+  # The directory where the TSM storage engine stores TSM files.
+  dir = "/var/lib/influxdb/data"
+
+  # The directory where the TSM storage engine stores WAL files.
+  wal-dir = "/var/lib/influxdb/wal"
+
+  # The amount of time that a write will wait before fsyncing.  A duration
+  # greater than 0 can be used to batch up multiple fsync calls.  This is useful for slower
+  # disks or when WAL write contention is seen.  A value of 0s fsyncs every write to the WAL.
+  # Values in the range of 0-100ms are recommended for non-SSD disks.
+  # wal-fsync-delay = "0s"
+
+
+  # The type of shard index to use for new shards.  The default is an in-memory index that is
+  # recreated at startup.  A value of "tsi1" will use a disk based index that supports higher
+  # cardinality datasets.
+  # index-version = "inmem"
+
+  # Trace logging provides more verbose output around the tsm engine. Turning
+  # this on can provide more useful output for debugging tsm engine issues.
+  # trace-logging-enabled = false
+
+  # Whether queries should be logged before execution. Very useful for troubleshooting, but will
+  # log any sensitive data contained within a query.
+  # query-log-enabled = true
+
+  # Validates incoming writes to ensure keys only have valid unicode characters.
+  # This setting will incur a small overhead because every key must be checked.
+  # validate-keys = false
+
+  # Settings for the TSM engine
+
+  # CacheMaxMemorySize is the maximum size a shard's cache can
+  # reach before it starts rejecting writes.
+  # Valid size suffixes are k, m, or g (case insensitive, 1024 = 1k).
+  # Values without a size suffix are in bytes.
+  # cache-max-memory-size = "1g"
+
+  # CacheSnapshotMemorySize is the size at which the engine will
+  # snapshot the cache and write it to a TSM file, freeing up memory
+  # Valid size suffixes are k, m, or g (case insensitive, 1024 = 1k).
+  # Values without a size suffix are in bytes.
+  # cache-snapshot-memory-size = "25m"
+
+  # CacheSnapshotWriteColdDuration is the length of time at
+  # which the engine will snapshot the cache and write it to
+  # a new TSM file if the shard hasn't received writes or deletes
+  # cache-snapshot-write-cold-duration = "10m"
+
+  # CompactFullWriteColdDuration is the duration at which the engine
+  # will compact all TSM files in a shard if it hasn't received a
+  # write or delete
+  # compact-full-write-cold-duration = "4h"
+
+  # The maximum number of concurrent full and level compactions that can run at one time.  A
+  # value of 0 results in 50% of runtime.GOMAXPROCS(0) used at runtime.  Any number greater
+  # than 0 limits compactions to that value.  This setting does not apply
+  # to cache snapshotting.
+  # max-concurrent-compactions = 0
+
+  # CompactThroughput is the rate limit in bytes per second that we
+  # will allow TSM compactions to write to disk. Note that short bursts are allowed
+  # to happen at a possibly larger value, set by CompactThroughputBurst
+  # compact-throughput = "48m"
+
+  # CompactThroughputBurst is the rate limit in bytes per second that we
+  # will allow TSM compactions to write to disk.
+  # compact-throughput-burst = "48m"
+
+  # The threshold, in bytes, when an index write-ahead log file will compact
+  # into an index file. Lower sizes will cause log files to be compacted more
+  # quickly and result in lower heap usage at the expense of write throughput.
+  # Higher sizes will be compacted less frequently, store more series in-memory,
+  # and provide higher write throughput.
+  # Valid size suffixes are k, m, or g (case insensitive, 1024 = 1k).
+  # Values without a size suffix are in bytes.
+  # max-index-log-file-size = "1m"
+
+  # The maximum series allowed per database before writes are dropped.  This limit can prevent
+  # high cardinality issues at the database level.  This limit can be disabled by setting it to
+  # 0.
+  # max-series-per-database = 1000000
+
+  # The maximum number of tag values per tag that are allowed before writes are dropped.  This limit
+  # can prevent high cardinality tag values from being written to a measurement.  This limit can be
+  # disabled by setting it to 0.
+  # max-values-per-tag = 100000
+
+  # If true, then the mmap advise value MADV_WILLNEED will be provided to the kernel with respect to
+  # TSM files. This setting has been found to be problematic on some kernels, and defaults to off.
+  # It might help users who have slow disks in some cases.
+  # tsm-use-madv-willneed = false
+
+###
+### [coordinator]
+###
+### Controls the clustering service configuration.
+###
+
+[coordinator]
+  # The default time a write request will wait until a "timeout" error is returned to the caller.
+  # write-timeout = "10s"
+
+  # The maximum number of concurrent queries allowed to be executing at one time.  If a query is
+  # executed and exceeds this limit, an error is returned to the caller.  This limit can be disabled
+  # by setting it to 0.
+  # max-concurrent-queries = 0
+
+  # The maximum time a query will is allowed to execute before being killed by the system.  This limit
+  # can help prevent run away queries.  Setting the value to 0 disables the limit.
+  # query-timeout = "0s"
+
+  # The time threshold when a query will be logged as a slow query.  This limit can be set to help
+  # discover slow or resource intensive queries.  Setting the value to 0 disables the slow query logging.
+  # log-queries-after = "0s"
+
+  # The maximum number of points a SELECT can process.  A value of 0 will make
+  # the maximum point count unlimited.  This will only be checked every second so queries will not
+  # be aborted immediately when hitting the limit.
+  # max-select-point = 0
+
+  # The maximum number of series a SELECT can run.  A value of 0 will make the maximum series
+  # count unlimited.
+  # max-select-series = 0
+
+  # The maxium number of group by time bucket a SELECT can create.  A value of zero will max the maximum
+  # number of buckets unlimited.
+  # max-select-buckets = 0
+
+###
+### [retention]
+###
+### Controls the enforcement of retention policies for evicting old data.
+###
+
+[retention]
+  # Determines whether retention policy enforcement enabled.
+  # enabled = true
+
+  # The interval of time when retention policy enforcement checks run.
+  # check-interval = "30m"
+
+###
+### [shard-precreation]
+###
+### Controls the precreation of shards, so they are available before data arrives.
+### Only shards that, after creation, will have both a start- and end-time in the
+### future, will ever be created. Shards are never precreated that would be wholly
+### or partially in the past.
+
+[shard-precreation]
+  # Determines whether shard pre-creation service is enabled.
+  # enabled = true
+
+  # The interval of time when the check to pre-create new shards runs.
+  # check-interval = "10m"
+
+  # The default period ahead of the endtime of a shard group that its successor
+  # group is created.
+  # advance-period = "30m"
+
+###
+### Controls the system self-monitoring, statistics and diagnostics.
+###
+### The internal database for monitoring data is created automatically if
+### if it does not already exist. The target retention within this database
+### is called 'monitor' and is also created with a retention period of 7 days
+### and a replication factor of 1, if it does not exist. In all cases the
+### this retention policy is configured as the default for the database.
+
+[monitor]
+  # Whether to record statistics internally.
+  # store-enabled = true
+
+  # The destination database for recorded statistics
+  # store-database = "_internal"
+
+  # The interval at which to record statistics
+  # store-interval = "10s"
+
+###
+### [http]
+###
+### Controls how the HTTP endpoints are configured. These are the primary
+### mechanism for getting data into and out of InfluxDB.
+###
+
+[http]
+  # Determines whether HTTP endpoint is enabled.
+  # enabled = true
+
+  # Determines whether the Flux query endpoint is enabled.
+  # flux-enabled = false
+
+  # The bind address used by the HTTP service.
+  # bind-address = ":8086"
+
+  # Determines whether user authentication is enabled over HTTP/HTTPS.
+  # auth-enabled = false
+
+  # The default realm sent back when issuing a basic auth challenge.
+  # realm = "InfluxDB"
+
+  # Determines whether HTTP request logging is enabled.
+  # log-enabled = true
+
+  # Determines whether the HTTP write request logs should be suppressed when the log is enabled.
+  # suppress-write-log = false
+
+  # When HTTP request logging is enabled, this option specifies the path where
+  # log entries should be written. If unspecified, the default is to write to stderr, which
+  # intermingles HTTP logs with internal InfluxDB logging.
+  #
+  # If influxd is unable to access the specified path, it will log an error and fall back to writing
+  # the request log to stderr.
+  # access-log-path = ""
+
+  # Filters which requests should be logged. Each filter is of the pattern NNN, NNX, or NXX where N is
+  # a number and X is a wildcard for any number. To filter all 5xx responses, use the string 5xx.
+  # If multiple filters are used, then only one has to match. The default is to have no filters which
+  # will cause every request to be printed.
+  # access-log-status-filters = []
+
+  # Determines whether detailed write logging is enabled.
+  # write-tracing = false
+
+  # Determines whether the pprof endpoint is enabled.  This endpoint is used for
+  # troubleshooting and monitoring.
+  # pprof-enabled = true
+
+  # Enables a pprof endpoint that binds to localhost:6060 immediately on startup.
+  # This is only needed to debug startup issues.
+  # debug-pprof-enabled = false
+
+  # Determines whether HTTPS is enabled.
+   https-enabled = true
+
+  # The SSL certificate to use when HTTPS is enabled.
+   https-certificate = "/etc/ssl/influxdb.crt"
+
+  # Use a separate private key location.
+   https-private-key = "/etc/ssl/influxdb.key"
+
+  # The JWT auth shared secret to validate requests using JSON web tokens.
+  # shared-secret = ""
+
+  # The default chunk size for result sets that should be chunked.
+  # max-row-limit = 0
+
+  # The maximum number of HTTP connections that may be open at once.  New connections that
+  # would exceed this limit are dropped.  Setting this value to 0 disables the limit.
+  # max-connection-limit = 0
+
+  # Enable http service over unix domain socket
+  # unix-socket-enabled = false
+
+  # The path of the unix domain socket.
+  # bind-socket = "/var/run/influxdb.sock"
+
+  # The maximum size of a client request body, in bytes. Setting this value to 0 disables the limit.
+  # max-body-size = 25000000
+
+  # The maximum number of writes processed concurrently.
+  # Setting this to 0 disables the limit.
+  # max-concurrent-write-limit = 0
+
+  # The maximum number of writes queued for processing.
+  # Setting this to 0 disables the limit.
+  # max-enqueued-write-limit = 0
+
+  # The maximum duration for a write to wait in the queue to be processed.
+  # Setting this to 0 or setting max-concurrent-write-limit to 0 disables the limit.
+  # enqueued-write-timeout = 0
+
+###
+### [logging]
+###
+### Controls how the logger emits logs to the output.
+###
+
+[logging]
+  # Determines which log encoder to use for logs. Available options
+  # are auto, logfmt, and json. auto will use a more a more user-friendly
+  # output format if the output terminal is a TTY, but the format is not as
+  # easily machine-readable. When the output is a non-TTY, auto will use
+  # logfmt.
+  # format = "auto"
+
+  # Determines which level of logs will be emitted. The available levels
+  # are error, warn, info, and debug. Logs that are equal to or above the
+  # specified level will be emitted.
+  # level = "info"
+
+  # Suppresses the logo output that is printed when the program is started.
+  # The logo is always suppressed if STDOUT is not a TTY.
+  # suppress-logo = false
+
+###
+### [subscriber]
+###
+### Controls the subscriptions, which can be used to fork a copy of all data
+### received by the InfluxDB host.
+###
+
+[subscriber]
+  # Determines whether the subscriber service is enabled.
+  # enabled = true
+
+  # The default timeout for HTTP writes to subscribers.
+  # http-timeout = "30s"
+
+  # Allows insecure HTTPS connections to subscribers.  This is useful when testing with self-
+  # signed certificates.
+  # insecure-skip-verify = false
+
+  # The path to the PEM encoded CA certs file. If the empty string, the default system certs will be used
+  # ca-certs = ""
+
+  # The number of writer goroutines processing the write channel.
+  # write-concurrency = 40
+
+  # The number of in-flight writes buffered in the write channel.
+  # write-buffer-size = 1000
+
+
+###
+### [[graphite]]
+###
+### Controls one or many listeners for Graphite data.
+###
+
+[[graphite]]
+  # Determines whether the graphite endpoint is enabled.
+  # enabled = false
+  # database = "graphite"
+  # retention-policy = ""
+  # bind-address = ":2003"
+  # protocol = "tcp"
+  # consistency-level = "one"
+
+  # These next lines control how batching works. You should have this enabled
+  # otherwise you could get dropped metrics or poor performance. Batching
+  # will buffer points in memory if you have many coming in.
+
+  # Flush if this many points get buffered
+  # batch-size = 5000
+
+  # number of batches that may be pending in memory
+  # batch-pending = 10
+
+  # Flush at least this often even if we haven't hit buffer limit
+  # batch-timeout = "1s"
+
+  # UDP Read buffer size, 0 means OS default. UDP listener will fail if set above OS max.
+  # udp-read-buffer = 0
+
+  ### This string joins multiple matching 'measurement' values providing more control over the final measurement name.
+  # separator = "."
+
+  ### Default tags that will be added to all metrics.  These can be overridden at the template level
+  ### or by tags extracted from metric
+  # tags = ["region=us-east", "zone=1c"]
+
+  ### Each template line requires a template pattern.  It can have an optional
+  ### filter before the template and separated by spaces.  It can also have optional extra
+  ### tags following the template.  Multiple tags should be separated by commas and no spaces
+  ### similar to the line protocol format.  There can be only one default template.
+  # templates = [
+  #   "*.app env.service.resource.measurement",
+  #   # Default template
+  #   "server.*",
+  # ]
+
+###
+### [collectd]
+###
+### Controls one or many listeners for collectd data.
+###
+
+[[collectd]]
+  # enabled = false
+  # bind-address = ":25826"
+  # database = "collectd"
+  # retention-policy = ""
+  #
+  # The collectd service supports either scanning a directory for multiple types
+  # db files, or specifying a single db file.
+  # typesdb = "/usr/local/share/collectd"
+  #
+  # security-level = "none"
+  # auth-file = "/etc/collectd/auth_file"
+
+  # These next lines control how batching works. You should have this enabled
+  # otherwise you could get dropped metrics or poor performance. Batching
+  # will buffer points in memory if you have many coming in.
+
+  # Flush if this many points get buffered
+  # batch-size = 5000
+
+  # Number of batches that may be pending in memory
+  # batch-pending = 10
+
+  # Flush at least this often even if we haven't hit buffer limit
+  # batch-timeout = "10s"
+
+  # UDP Read buffer size, 0 means OS default. UDP listener will fail if set above OS max.
+  # read-buffer = 0
+
+  # Multi-value plugins can be handled two ways.
+  # "split" will parse and store the multi-value plugin data into separate measurements
+  # "join" will parse and store the multi-value plugin as a single multi-value measurement.
+  # "split" is the default behavior for backward compatability with previous versions of influxdb.
+  # parse-multivalue-plugin = "split"
+###
+### [opentsdb]
+###
+### Controls one or many listeners for OpenTSDB data.
+###
+
+[[opentsdb]]
+  # enabled = false
+  # bind-address = ":4242"
+  # database = "opentsdb"
+  # retention-policy = ""
+  # consistency-level = "one"
+  # tls-enabled = false
+  # certificate= "/etc/ssl/influxdb.pem"
+
+  # Log an error for every malformed point.
+  # log-point-errors = true
+
+  # These next lines control how batching works. You should have this enabled
+  # otherwise you could get dropped metrics or poor performance. Only points
+  # metrics received over the telnet protocol undergo batching.
+
+  # Flush if this many points get buffered
+  # batch-size = 1000
+
+  # Number of batches that may be pending in memory
+  # batch-pending = 5
+
+  # Flush at least this often even if we haven't hit buffer limit
+  # batch-timeout = "1s"
+
+###
+### [[udp]]
+###
+### Controls the listeners for InfluxDB line protocol data via UDP.
+###
+
+[[udp]]
+  # enabled = false
+  # bind-address = ":8089"
+  # database = "udp"
+  # retention-policy = ""
+
+  # InfluxDB precision for timestamps on received points ("" or "n", "u", "ms", "s", "m", "h")
+  # precision = ""
+
+  # These next lines control how batching works. You should have this enabled
+  # otherwise you could get dropped metrics or poor performance. Batching
+  # will buffer points in memory if you have many coming in.
+
+  # Flush if this many points get buffered
+  # batch-size = 5000
+
+  # Number of batches that may be pending in memory
+  # batch-pending = 10
+
+  # Will flush at least this often even if we haven't hit buffer limit
+  # batch-timeout = "1s"
+
+  # UDP Read buffer size, 0 means OS default. UDP listener will fail if set above OS max.
+  # read-buffer = 0
+
+###
+### [continuous_queries]
+###
+### Controls how continuous queries are run within InfluxDB.
+###
+
+[continuous_queries]
+  # Determines whether the continuous query service is enabled.
+  # enabled = true
+
+  # Controls whether queries are logged when executed by the CQ service.
+  # log-enabled = true
+
+  # Controls whether queries are logged to the self-monitoring data store.
+  # query-stats-enabled = false
+
+  # interval for how often continuous queries will be checked if they need to run
+  # run-interval = "1s"
+
+###
+### [tls]
+###
+### Global configuration settings for TLS in InfluxDB.
+###
+
+[tls]
+  # Determines the available set of cipher suites. See https://golang.org/pkg/crypto/tls/#pkg-constants
+  # for a list of available ciphers, which depends on the version of Go (use the query
+  # SHOW DIAGNOSTICS to see the version of Go used to build InfluxDB). If not specified, uses
+  # the default settings from Go's crypto/tls package.
+  # ciphers = [
+  #   "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
+  #   "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+  # ]
+
+  # Minimum version of the tls protocol that will be negotiated. If not specified, uses the
+  # default settings from Go's crypto/tls package.
+  # min-version = "tls1.2"
+
+  # Maximum version of the tls protocol that will be negotiated. If not specified, uses the
+  # default settings from Go's crypto/tls package.
+  # max-version = "tls1.2"

salt/common/init.sls

@@ -1,3 +1,8 @@
+{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.1') %}
+{% set MASTER = salt['grains.get']('master') %}
+{% set GRAFANA = salt['pillar.get']('master:grafana', '0') %}
+{% set FLEETMASTER = salt['pillar.get']('static:fleet_master', False) %}
+{% set FLEETNODE = salt['pillar.get']('static:fleet_node', False) %}
 # Add socore Group
 socoregroup:
   group.present:
@@ -36,9 +41,16 @@ sensorpkgs:
     - skip_suggestions: False
     - pkgs:
       - docker-ce
+      - wget
+      - jq
       {% if grains['os'] != 'CentOS' %}
       - python-docker
       - python-m2crypto
+      - apache2-utils
+      {% else %}
+      - net-tools
+      - tcpdump
+      - httpd-tools
       {% endif %}
 
 # Always keep these packages up to date
@@ -56,28 +68,21 @@ alwaysupdated:
 Etc/UTC:
   timezone.system
 
+# Sync some Utilities
+utilsyncscripts:
+  file.recurse:
+    - name: /usr/sbin
+    - user: 0
+    - group: 0
+    - file_mode: 755
+    - template: jinja
+    - source: salt://common/tools/sbin
+
 # Make sure Docker is running!
 docker:
   service.running:
     - enable: True
 
-# Set up docker network
-# This is broken right now.
-#dockernet:
-#  docker_network.present:
-#    - name: so-elastic-net
-#    - driver: bridge
-
-# dockernet work around
-#dockernet:
-#  cmd.script:
-#    - source: salt://common/scripts/dockernet.sh
-
-
-# Snag the so-core docker
-toosmooth/so-core:test2:
-  docker_image.present
-
 # Drop the correct nginx config based on role
 
 nginxconfdir:
@@ -109,10 +114,9 @@ nginxtmp:
     - group: 939
     - makedirs: True
 
-# Start the core docker
 so-core:
   docker_container.running:
-    - image: soshybridhunter/so-core:HH1.0.3
+    - image: {{ MASTER }}:5000/soshybridhunter/so-core:{{ VERSION }}
     - hostname: so-core
     - user: socore
     - binds:
@@ -123,9 +127,289 @@ so-core:
       - /opt/so/tmp/nginx/:/run:rw
       - /etc/pki/masterssl.crt:/etc/pki/nginx/server.crt:ro
       - /etc/pki/masterssl.key:/etc/pki/nginx/server.key:ro
+      - /opt/so/conf/fleet/packages:/opt/socore/html/packages
     - cap_add: NET_BIND_SERVICE
     - port_bindings:
       - 80:80
       - 443:443
+    {%- if FLEETMASTER or FLEETNODE %}
+      - 8090:8090
+    {%- endif %}
     - watch:
       - file: /opt/so/conf/nginx/nginx.conf
+
+# Add Telegraf to monitor all the things.
+tgraflogdir:
+  file.directory:
+    - name: /opt/so/log/telegraf
+    - makedirs: True
+
+tgrafetcdir:
+  file.directory:
+    - name: /opt/so/conf/telegraf/etc
+    - makedirs: True
+
+tgrafetsdir:
+  file.directory:
+    - name: /opt/so/conf/telegraf/scripts
+    - makedirs: True
+
+tgrafsyncscripts:
+  file.recurse:
+    - name: /opt/so/conf/telegraf/scripts
+    - user: 939
+    - group: 939
+    - file_mode: 755
+    - template: jinja
+    - source: salt://common/telegraf/scripts
+
+tgrafconf:
+  file.managed:
+    - name: /opt/so/conf/telegraf/etc/telegraf.conf
+    - user: 939
+    - group: 939
+    - template: jinja
+    - source: salt://common/telegraf/etc/telegraf.conf
+
+so-telegraf:
+  docker_container.running:
+    - image: {{ MASTER }}:5000/soshybridhunter/so-telegraf:{{ VERSION }}
+    - environment:
+      - HOST_PROC=/host/proc
+      - HOST_ETC=/host/etc
+      - HOST_SYS=/host/sys
+      - HOST_MOUNT_PREFIX=/host
+    - network_mode: host
+    - port_bindings:
+      - 127.0.0.1:8094:8094
+    - binds:
+      - /opt/so/log/telegraf:/var/log/telegraf:rw
+      - /opt/so/conf/telegraf/etc/telegraf.conf:/etc/telegraf/telegraf.conf:ro
+      - /var/run/utmp:/var/run/utmp:ro
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+      - /:/host/root:ro
+      - /sys:/host/sys:ro
+      - /proc:/host/proc:ro
+      - /nsm:/host/nsm:ro
+      - /etc:/host/etc:ro
+      {% if grains['role'] == 'so-master' or grains['role'] == 'so-eval' or grains['role'] == 'so-mastersearch' %}
+      - /etc/pki/ca.crt:/etc/telegraf/ca.crt:ro
+      {% else %}
+      - /etc/ssl/certs/intca.crt:/etc/telegraf/ca.crt:ro
+      {% endif %}
+      - /etc/pki/influxdb.crt:/etc/telegraf/telegraf.crt:ro
+      - /etc/pki/influxdb.key:/etc/telegraf/telegraf.key:ro
+      - /opt/so/conf/telegraf/scripts:/scripts:ro
+      - /opt/so/log/stenographer:/var/log/stenographer:ro
+      - /opt/so/log/suricata:/var/log/suricata:ro
+    - watch:
+      - /opt/so/conf/telegraf/etc/telegraf.conf
+      - /opt/so/conf/telegraf/scripts
+
+# If its a master or eval lets install the back end for now
+{% if grains['role'] in ['so-master', 'so-mastersearch', 'so-eval'] and GRAFANA == 1 %}
+
+# Influx DB
+influxconfdir:
+  file.directory:
+    - name: /opt/so/conf/influxdb/etc
+    - makedirs: True
+
+influxdbdir:
+  file.directory:
+    - name: /nsm/influxdb
+    - makedirs: True
+
+influxdbconf:
+  file.managed:
+    - name: /opt/so/conf/influxdb/etc/influxdb.conf
+    - user: 939
+    - group: 939
+    - template: jinja
+    - source: salt://common/influxdb/etc/influxdb.conf
+
+so-influxdb:
+  docker_container.running:
+    - image: {{ MASTER }}:5000/soshybridhunter/so-influxdb:{{ VERSION }}
+    - hostname: influxdb
+    - environment:
+      - INFLUXDB_HTTP_LOG_ENABLED=false
+    - binds:
+      - /opt/so/conf/influxdb/etc/influxdb.conf:/etc/influxdb/influxdb.conf:ro
+      - /nsm/influxdb:/var/lib/influxdb:rw
+      - /etc/pki/influxdb.crt:/etc/ssl/influxdb.crt:ro
+      - /etc/pki/influxdb.key:/etc/ssl/influxdb.key:ro
+    - port_bindings:
+      - 0.0.0.0:8086:8086
+    - watch:
+      - file: /opt/so/conf/influxdb/etc/influxdb.conf
+
+# Grafana all the things
+grafanadir:
+  file.directory:
+    - name: /nsm/grafana
+    - user: 939
+    - group: 939
+    - makedirs: True
+
+grafanaconfdir:
+  file.directory:
+    - name: /opt/so/conf/grafana/etc
+    - user: 939
+    - group: 939
+    - makedirs: True
+
+grafanadashdir:
+  file.directory:
+    - name: /opt/so/conf/grafana/grafana_dashboards
+    - user: 939
+    - group: 939
+    - makedirs: True
+
+grafanadashmdir:
+  file.directory:
+    - name: /opt/so/conf/grafana/grafana_dashboards/master
+    - user: 939
+    - group: 939
+    - makedirs: True
+
+grafanadashevaldir:
+  file.directory:
+    - name: /opt/so/conf/grafana/grafana_dashboards/eval
+    - user: 939
+    - group: 939
+    - makedirs: True
+
+grafanadashfndir:
+  file.directory:
+    - name: /opt/so/conf/grafana/grafana_dashboards/sensor_nodes
+    - user: 939
+    - group: 939
+    - makedirs: True
+
+grafanadashsndir:
+  file.directory:
+    - name: /opt/so/conf/grafana/grafana_dashboards/search_nodes
+    - user: 939
+    - group: 939
+    - makedirs: True
+
+grafanaconf:
+  file.recurse:
+    - name: /opt/so/conf/grafana/etc
+    - user: 939
+    - group: 939
+    - template: jinja
+    - source: salt://common/grafana/etc
+
+{% if salt['pillar.get']('mastertab', False) %}
+{% for SN, SNDATA in salt['pillar.get']('mastertab', {}).items() %}
+{% set NODETYPE = SN.split('_')|last %}
+{% set SN = SN | regex_replace('_' ~ NODETYPE, '') %}
+dashboard-master:
+  file.managed:
+    - name: /opt/so/conf/grafana/grafana_dashboards/master/{{ SN }}-Master.json
+    - user: 939
+    - group: 939
+    - template: jinja
+    - source: salt://common/grafana/grafana_dashboards/master/master.json
+    - defaults:
+      SERVERNAME: {{ SN }}
+      MANINT: {{ SNDATA.manint }}
+      MONINT: {{ SNDATA.manint }}
+      CPUS: {{ SNDATA.totalcpus }}
+      UID: {{ SNDATA.guid }}
+      ROOTFS: {{ SNDATA.rootfs }}
+      NSMFS: {{ SNDATA.nsmfs }}
+
+{% endfor %}
+{% endif %}
+
+{% if salt['pillar.get']('sensorstab', False) %}
+{% for SN, SNDATA in salt['pillar.get']('sensorstab', {}).items() %}
+{% set NODETYPE = SN.split('_')|last %}
+{% set SN = SN | regex_replace('_' ~ NODETYPE, '') %}
+dashboard-{{ SN }}:
+  file.managed:
+    - name: /opt/so/conf/grafana/grafana_dashboards/sensor_nodes/{{ SN }}-Sensor.json
+    - user: 939
+    - group: 939
+    - template: jinja
+    - source: salt://common/grafana/grafana_dashboards/sensor_nodes/sensor.json
+    - defaults:
+      SERVERNAME: {{ SN }}
+      MONINT: {{ SNDATA.monint }}
+      MANINT: {{ SNDATA.manint }}
+      CPUS: {{ SNDATA.totalcpus }}
+      UID: {{ SNDATA.guid }}
+      ROOTFS: {{ SNDATA.rootfs }}
+      NSMFS: {{ SNDATA.nsmfs }}
+
+{% endfor %}
+{% endif %}
+
+{% if salt['pillar.get']('nodestab', False) %}
+{% for SN, SNDATA in salt['pillar.get']('nodestab', {}).items() %}
+{% set NODETYPE = SN.split('_')|last %}
+{% set SN = SN | regex_replace('_' ~ NODETYPE, '') %}
+dashboardsearch-{{ SN }}:
+  file.managed:
+    - name: /opt/so/conf/grafana/grafana_dashboards/search_nodes/{{ SN }}-Node.json
+    - user: 939
+    - group: 939
+    - template: jinja
+    - source: salt://common/grafana/grafana_dashboards/search_nodes/searchnode.json
+    - defaults:
+      SERVERNAME: {{ SN }}
+      MANINT: {{ SNDATA.manint }}
+      MONINT: {{ SNDATA.manint }}
+      CPUS: {{ SNDATA.totalcpus }}
+      UID: {{ SNDATA.guid }}
+      ROOTFS: {{ SNDATA.rootfs }}
+      NSMFS: {{ SNDATA.nsmfs }}
+
+{% endfor %}
+{% endif %}
+
+{% if salt['pillar.get']('evaltab', False) %}
+{% for SN, SNDATA in salt['pillar.get']('evaltab', {}).items() %}
+{% set NODETYPE = SN.split('_')|last %}
+{% set SN = SN | regex_replace('_' ~ NODETYPE, '') %}
+dashboard-{{ SN }}:
+  file.managed:
+    - name: /opt/so/conf/grafana/grafana_dashboards/eval/{{ SN }}-Node.json
+    - user: 939
+    - group: 939
+    - template: jinja
+    - source: salt://common/grafana/grafana_dashboards/eval/eval.json
+    - defaults:
+      SERVERNAME: {{ SN }}
+      MANINT: {{ SNDATA.manint }}
+      MONINT: {{ SNDATA.monint }}
+      CPUS: {{ SNDATA.totalcpus }}
+      UID: {{ SNDATA.guid }}
+      ROOTFS: {{ SNDATA.rootfs }}
+      NSMFS: {{ SNDATA.nsmfs }}
+
+{% endfor %}
+{% endif %}
+
+so-grafana:
+  docker_container.running:
+    - image: {{ MASTER }}:5000/soshybridhunter/so-grafana:{{ VERSION }}
+    - hostname: grafana
+    - user: socore
+    - binds:
+      - /nsm/grafana:/var/lib/grafana:rw
+      - /opt/so/conf/grafana/etc/grafana.ini:/etc/grafana/grafana.ini:ro
+      - /opt/so/conf/grafana/etc/datasources:/etc/grafana/provisioning/datasources:rw
+      - /opt/so/conf/grafana/etc/dashboards:/etc/grafana/provisioning/dashboards:rw
+      - /opt/so/conf/grafana/grafana_dashboards:/etc/grafana/grafana_dashboards:rw
+    - environment:
+      - GF_SECURITY_ADMIN_PASSWORD=augusta
+    - port_bindings:
+      - 0.0.0.0:3000:3000
+    - watch:
+      - file: /opt/so/conf/grafana/*
+
+{% endif %}

salt/common/nginx/nginx.conf.so-eval

@@ -1,9 +1,11 @@
 {%- set masterip = salt['pillar.get']('master:mainip', '') %}
+{%- set FLEET_MASTER = salt['pillar.get']('static:fleet_master') %}
+{%- set FLEET_NODE = salt['pillar.get']('static:fleet_node') %}
+{%- set FLEET_IP = salt['pillar.get']('static:fleet_ip', None) %}
 # For more information on configuration, see:
 #   * Official English Documentation: http://nginx.org/en/docs/
 #   * Official Russian Documentation: http://nginx.org/ru/docs/
 
-user nginx;
 worker_processes auto;
 error_log /var/log/nginx/error.log;
 pid /run/nginx.pid;
@@ -27,6 +29,7 @@ http {
     tcp_nodelay         on;
     keepalive_timeout   65;
     types_hash_max_size 2048;
+    client_max_body_size 1024M;
 
     include             /etc/nginx/mime.types;
     default_type        application/octet-stream;
@@ -58,11 +61,34 @@ http {
     #    }
     #}
     server {
-	      listen 80 default_server;
-	      server_name _;
-	      return 301 https://$host$request_uri;
+        listen 80 default_server;
+        server_name _;
+        return 301 https://$host$request_uri;
     }
 
+{% if FLEET_MASTER %}
+    server {
+        listen       8090 ssl http2 default_server;
+        server_name  _;
+        root         /opt/socore/html;
+        index        blank.html;
+
+        ssl_certificate "/etc/pki/nginx/server.crt";
+        ssl_certificate_key "/etc/pki/nginx/server.key";
+        ssl_session_cache shared:SSL:1m;
+        ssl_session_timeout  10m;
+        ssl_ciphers HIGH:!aNULL:!MD5;
+        ssl_prefer_server_ciphers on;
+
+        location ~ ^/kolide.agent.Api/(RequestEnrollment|RequestConfig|RequestQueries|PublishLogs|PublishResults|CheckHealth)$ {
+            grpc_pass  grpcs://{{ masterip }}:8080;
+            grpc_set_header Host $host;
+            grpc_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_buffering off;
+        }
+
+    }
+{% endif %}
 
 # Settings for a TLS enabled server.
 
@@ -83,12 +109,34 @@ http {
         # Load configuration files for the default server block.
         #include /etc/nginx/default.d/*.conf;
 
-        #location / {
-    #      try_files $uri $uri.html /index.html;
-    #    }
+        location ~* (^/login/|^/js/.*|^/css/.*|^/images/.*) {
+          proxy_pass            http://{{ masterip }}:9822;
+          proxy_read_timeout    90;
+          proxy_connect_timeout 90;
+          proxy_set_header      Host $host;
+          proxy_set_header      X-Real-IP $remote_addr;
+          proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
+          proxy_set_header      Proxy "";
+          proxy_set_header      Upgrade $http_upgrade;
+          proxy_set_header      Connection "Upgrade";
+        }
 
         location / {
-          proxy_pass http://{{ masterip }}:5601/;
+          auth_request          /auth/sessions/whoami;
+          proxy_pass            http://{{ masterip }}:9822/;
+          proxy_read_timeout    90;
+          proxy_connect_timeout 90;
+          proxy_set_header      Host $host;
+          proxy_set_header      X-Real-IP $remote_addr;
+          proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
+          proxy_set_header      Proxy "";
+          proxy_set_header      Upgrade $http_upgrade;
+          proxy_set_header      Connection "Upgrade";
+        }
+
+        location ~ ^/auth/.*?(whoami|login|logout) {
+          rewrite               /auth/(.*) /$1 break;
+          proxy_pass            http://{{ masterip }}:4433;
           proxy_read_timeout    90;
           proxy_connect_timeout 90;
           proxy_set_header      Host $host;
@@ -98,6 +146,159 @@ http {
 
         }
 
+        location /packages/ {
+          try_files $uri =206;
+          auth_request          /auth/sessions/whoami;
+          proxy_read_timeout    90;
+          proxy_connect_timeout 90;
+          proxy_set_header      Host $host;
+          proxy_set_header      X-Real-IP $remote_addr;
+          proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
+          proxy_set_header      Proxy "";
+        } 
+        
+        location /grafana/ {
+          rewrite               /grafana/(.*) /$1 break;
+          proxy_pass            http://{{ masterip }}:3000/;
+          proxy_read_timeout    90;
+          proxy_connect_timeout 90;
+          proxy_set_header      Host $host;
+          proxy_set_header      X-Real-IP $remote_addr;
+          proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
+          proxy_set_header      Proxy "";
+
+        }
+
+        location /kibana/ {
+          auth_request          /auth/sessions/whoami;
+          rewrite               /kibana/(.*) /$1 break;
+          proxy_pass            http://{{ masterip }}:5601/;
+          proxy_read_timeout    90;
+          proxy_connect_timeout 90;
+          proxy_set_header      Host $host;
+          proxy_set_header      X-Real-IP $remote_addr;
+          proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
+          proxy_set_header      Proxy "";
+
+        }
+
+        location /nodered/ {
+          proxy_pass http://{{ masterip }}:1880/;
+          proxy_read_timeout    90;
+          proxy_connect_timeout 90;
+          proxy_set_header      Host $host;
+          proxy_set_header      X-Real-IP $remote_addr;
+          proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
+          proxy_set_header Upgrade $http_upgrade;
+          proxy_set_header Connection "Upgrade";
+          proxy_set_header      Proxy "";
+
+        }
+        
+        location /playbook/ {
+          proxy_pass            http://{{ masterip }}:3200/playbook/;
+          proxy_read_timeout    90;
+          proxy_connect_timeout 90;
+          proxy_set_header      Host $host;
+          proxy_set_header      X-Real-IP $remote_addr;
+          proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
+          proxy_set_header      Proxy "";
+
+        }
+
+
+        location /navigator/ {
+          auth_request          /auth/sessions/whoami;
+          proxy_pass            http://{{ masterip }}:4200/navigator/;
+          proxy_read_timeout    90;
+          proxy_connect_timeout 90;
+          proxy_set_header      Host $host;
+          proxy_set_header      X-Real-IP $remote_addr;
+          proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
+          proxy_set_header      Proxy "";
+
+        }
+
+      {%- if FLEET_NODE %}
+        location /fleet/ {
+          return 301 https://{{ FLEET_IP }}/fleet;
+        }
+      {%- else %}
+        location /fleet/ {
+          proxy_pass https://{{ masterip }}:8080;
+          proxy_read_timeout    90;
+          proxy_connect_timeout 90;
+          proxy_set_header      Host $host;
+          proxy_set_header      X-Real-IP $remote_addr;
+          proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
+          proxy_set_header      Proxy "";
+        }
+      {%- endif %}
+
+        location /thehive/ {
+          proxy_pass            http://{{ masterip }}:9000/thehive/;
+          proxy_read_timeout    90;
+          proxy_connect_timeout 90;
+          proxy_http_version    1.1; # this is essential for chunked responses to work
+          proxy_set_header      Host $host;
+          proxy_set_header      X-Real-IP $remote_addr;
+          proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
+          proxy_set_header      Proxy "";
+
+        }
+
+        location /cortex/ {
+          proxy_pass            http://{{ masterip }}:9001/cortex/;
+          proxy_read_timeout    90;
+          proxy_connect_timeout 90;
+          proxy_http_version    1.1; # this is essential for chunked responses to work
+          proxy_set_header      Host $host;
+          proxy_set_header      X-Real-IP $remote_addr;
+          proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
+          proxy_set_header      Proxy "";
+
+        }
+        
+        location /soctopus/ {
+          proxy_pass            http://{{ masterip }}:7000/;
+          proxy_read_timeout    90;
+          proxy_connect_timeout 90;
+          proxy_set_header      Host $host;
+          proxy_set_header      X-Real-IP $remote_addr;
+          proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
+          proxy_set_header      Proxy "";
+
+        }
+
+        location /kibana/app/soc/ {
+          rewrite ^/kibana/app/soc/(.*) /soc/$1 permanent;
+        }
+
+        location /kibana/app/fleet/ {
+          rewrite ^/kibana/app/fleet/(.*) /fleet/$1 permanent;
+        }
+
+        location /kibana/app/soctopus/ {
+          rewrite ^/kibana/app/soctopus/(.*) /soctopus/$1 permanent;
+        }
+
+        location /sensoroniagents/ {
+          proxy_pass            http://{{ masterip }}:9822/;
+          proxy_read_timeout    90;
+          proxy_connect_timeout 90;
+          proxy_set_header      Host $host;
+          proxy_set_header      X-Real-IP $remote_addr;
+          proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
+          proxy_set_header      Proxy "";
+        }
+
+        error_page 401 = @error401;
+
+        location @error401 {
+          add_header    Set-Cookie "AUTH_REDIRECT=$request_uri;Path=/;Max-Age=14400";
+          return        302 /auth/self-service/browser/flows/login;
+        }
+
         error_page 404 /404.html;
             location = /40x.html {
         }

salt/common/nginx/nginx.conf.so-fleet

@@ -0,0 +1,98 @@
+{%- set MAINIP = salt['pillar.get']('node:mainip', '') %}
+# For more information on configuration, see:
+#   * Official English Documentation: http://nginx.org/en/docs/
+#   * Official Russian Documentation: http://nginx.org/ru/docs/
+
+user nginx;
+worker_processes auto;
+error_log /var/log/nginx/error.log;
+pid /run/nginx.pid;
+
+# Load dynamic modules. See /usr/share/nginx/README.dynamic.
+include /usr/share/nginx/modules/*.conf;
+
+events {
+    worker_connections 1024;
+}
+
+http {
+    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
+                      '$status $body_bytes_sent "$http_referer" '
+                      '"$http_user_agent" "$http_x_forwarded_for"';
+
+    access_log  /var/log/nginx/access.log  main;
+
+    sendfile            on;
+    tcp_nopush          on;
+    tcp_nodelay         on;
+    keepalive_timeout   65;
+    types_hash_max_size 2048;
+
+    include             /etc/nginx/mime.types;
+    default_type        application/octet-stream;
+
+    include /etc/nginx/conf.d/*.conf;
+
+    server {
+	      listen 80 default_server;
+	      server_name _;
+	      return 301 https://$host$request_uri;
+    }
+
+    server {
+        listen       8090 ssl http2 default_server;
+        server_name  _;
+        root         /opt/socore/html;
+        index        blank.html;
+
+        ssl_certificate "/etc/pki/nginx/server.crt";
+        ssl_certificate_key "/etc/pki/nginx/server.key";
+        ssl_session_cache shared:SSL:1m;
+        ssl_session_timeout  10m;
+        ssl_ciphers HIGH:!aNULL:!MD5;
+        ssl_prefer_server_ciphers on;
+
+        location ~ ^/kolide.agent.Api/(RequestEnrollment|RequestConfig|RequestQueries|PublishLogs|PublishResults|CheckHealth)$ {
+            grpc_pass  grpcs://{{ MAINIP }}:8080;
+            grpc_set_header Host $host;
+            grpc_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_buffering off;
+        }
+
+    }
+
+
+    server {
+        listen       443 ssl http2 default_server;
+        server_name  _;
+        root         /opt/socore/html/packages;
+        index        index.html;
+
+        ssl_certificate "/etc/pki/nginx/server.crt";
+        ssl_certificate_key "/etc/pki/nginx/server.key";
+        ssl_session_cache shared:SSL:1m;
+        ssl_session_timeout  10m;
+        ssl_ciphers HIGH:!aNULL:!MD5;
+        ssl_prefer_server_ciphers on;
+
+        location /fleet/ {
+          proxy_pass https://{{ MAINIP }}:8080;
+          proxy_read_timeout    90;
+          proxy_connect_timeout 90;
+          proxy_set_header      Host $host;
+          proxy_set_header      X-Real-IP $remote_addr;
+          proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
+          proxy_set_header      Proxy "";
+
+        }
+
+        error_page 404 /404.html;
+            location = /40x.html {
+        }
+
+        error_page 500 502 503 504 /50x.html;
+            location = /50x.html {
+        }
+    }
+
+}

salt/common/nginx/nginx.conf.so-helix

@@ -0,0 +1,89 @@
+# For more information on configuration, see:
+#   * Official English Documentation: http://nginx.org/en/docs/
+#   * Official Russian Documentation: http://nginx.org/ru/docs/
+
+user nginx;
+worker_processes auto;
+error_log /var/log/nginx/error.log;
+pid /run/nginx.pid;
+
+# Load dynamic modules. See /usr/share/nginx/README.dynamic.
+include /usr/share/nginx/modules/*.conf;
+
+events {
+    worker_connections 1024;
+}
+
+http {
+    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
+                      '$status $body_bytes_sent "$http_referer" '
+                      '"$http_user_agent" "$http_x_forwarded_for"';
+
+    access_log  /var/log/nginx/access.log  main;
+
+    sendfile            on;
+    tcp_nopush          on;
+    tcp_nodelay         on;
+    keepalive_timeout   65;
+    types_hash_max_size 2048;
+
+    include             /etc/nginx/mime.types;
+    default_type        application/octet-stream;
+
+    # Load modular configuration files from the /etc/nginx/conf.d directory.
+    # See http://nginx.org/en/docs/ngx_core_module.html#include
+    # for more information.
+    include /etc/nginx/conf.d/*.conf;
+
+    server {
+        listen       80 default_server;
+        listen       [::]:80 default_server;
+        server_name  _;
+        root         /usr/share/nginx/html;
+
+        # Load configuration files for the default server block.
+        include /etc/nginx/default.d/*.conf;
+
+        location / {
+        }
+
+        error_page 404 /404.html;
+            location = /40x.html {
+        }
+
+        error_page 500 502 503 504 /50x.html;
+            location = /50x.html {
+        }
+    }
+
+# Settings for a TLS enabled server.
+#
+#    server {
+#        listen       443 ssl http2 default_server;
+#        listen       [::]:443 ssl http2 default_server;
+#        server_name  _;
+#        root         /usr/share/nginx/html;
+#
+#        ssl_certificate "/etc/pki/nginx/server.crt";
+#        ssl_certificate_key "/etc/pki/nginx/private/server.key";
+#        ssl_session_cache shared:SSL:1m;
+#        ssl_session_timeout  10m;
+#        ssl_ciphers HIGH:!aNULL:!MD5;
+#        ssl_prefer_server_ciphers on;
+#
+#        # Load configuration files for the default server block.
+#        include /etc/nginx/default.d/*.conf;
+#
+#        location / {
+#        }
+#
+#        error_page 404 /404.html;
+#            location = /40x.html {
+#        }
+#
+#        error_page 500 502 503 504 /50x.html;
+#            location = /50x.html {
+#        }
+#    }
+
+}

salt/common/nginx/nginx.conf.so-master

@@ -1,9 +1,11 @@
 {%- set masterip = salt['pillar.get']('master:mainip', '') %}
+{%- set FLEET_MASTER = salt['pillar.get']('static:fleet_master') %}
+{%- set FLEET_NODE = salt['pillar.get']('static:fleet_node') %}
+{%- set FLEET_IP = salt['pillar.get']('static:fleet_ip', None) %}
 # For more information on configuration, see:
 #   * Official English Documentation: http://nginx.org/en/docs/
 #   * Official Russian Documentation: http://nginx.org/ru/docs/
 
-user nginx;
 worker_processes auto;
 error_log /var/log/nginx/error.log;
 pid /run/nginx.pid;
@@ -27,6 +29,7 @@ http {
     tcp_nodelay         on;
     keepalive_timeout   65;
     types_hash_max_size 2048;
+    client_max_body_size 1024M;
 
     include             /etc/nginx/mime.types;
     default_type        application/octet-stream;
@@ -58,11 +61,34 @@ http {
     #    }
     #}
     server {
-	      listen 80 default_server;
-	      server_name _;
-	      return 301 https://$host$request_uri;
+        listen 80 default_server;
+        server_name _;
+        return 301 https://$host$request_uri;
     }
 
+{% if FLEET_MASTER %}
+    server {
+        listen       8090 ssl http2 default_server;
+        server_name  _;
+        root         /opt/socore/html;
+        index        blank.html;
+
+        ssl_certificate "/etc/pki/nginx/server.crt";
+        ssl_certificate_key "/etc/pki/nginx/server.key";
+        ssl_session_cache shared:SSL:1m;
+        ssl_session_timeout  10m;
+        ssl_ciphers HIGH:!aNULL:!MD5;
+        ssl_prefer_server_ciphers on;
+
+        location ~ ^/kolide.agent.Api/(RequestEnrollment|RequestConfig|RequestQueries|PublishLogs|PublishResults|CheckHealth)$ {
+            grpc_pass  grpcs://{{ masterip }}:8080;
+            grpc_set_header Host $host;
+            grpc_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_buffering off;
+        }
+
+    }
+{% endif %}
 
 # Settings for a TLS enabled server.
 
@@ -83,12 +109,34 @@ http {
         # Load configuration files for the default server block.
         #include /etc/nginx/default.d/*.conf;
 
-        #location / {
-    #      try_files $uri $uri.html /index.html;
-    #    }
+        location ~* (^/login/|^/js/.*|^/css/.*|^/images/.*) {
+          proxy_pass            http://{{ masterip }}:9822;
+          proxy_read_timeout    90;
+          proxy_connect_timeout 90;
+          proxy_set_header      Host $host;
+          proxy_set_header      X-Real-IP $remote_addr;
+          proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
+          proxy_set_header      Proxy "";
+          proxy_set_header      Upgrade $http_upgrade;
+          proxy_set_header      Connection "Upgrade";
+        }
 
         location / {
-          proxy_pass http://{{ masterip }}:5601/;
+          auth_request          /auth/sessions/whoami;
+          proxy_pass            http://{{ masterip }}:9822/;
+          proxy_read_timeout    90;
+          proxy_connect_timeout 90;
+          proxy_set_header      Host $host;
+          proxy_set_header      X-Real-IP $remote_addr;
+          proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
+          proxy_set_header      Proxy "";
+          proxy_set_header      Upgrade $http_upgrade;
+          proxy_set_header      Connection "Upgrade";
+        }
+
+        location ~ ^/auth/.*?(whoami|login|logout) {
+          rewrite               /auth/(.*) /$1 break;
+          proxy_pass            http://{{ masterip }}:4433;
           proxy_read_timeout    90;
           proxy_connect_timeout 90;
           proxy_set_header      Host $host;
@@ -98,6 +146,159 @@ http {
 
         }
 
+        location /packages/ {
+          try_files $uri =206;
+          auth_request          /auth/sessions/whoami;
+          proxy_read_timeout    90;
+          proxy_connect_timeout 90;
+          proxy_set_header      Host $host;
+          proxy_set_header      X-Real-IP $remote_addr;
+          proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
+          proxy_set_header      Proxy "";
+        } 
+        
+        location /grafana/ {
+          rewrite               /grafana/(.*) /$1 break;
+          proxy_pass            http://{{ masterip }}:3000/;
+          proxy_read_timeout    90;
+          proxy_connect_timeout 90;
+          proxy_set_header      Host $host;
+          proxy_set_header      X-Real-IP $remote_addr;
+          proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
+          proxy_set_header      Proxy "";
+
+        }
+
+        location /kibana/ {
+          auth_request          /auth/sessions/whoami;
+          rewrite               /kibana/(.*) /$1 break;
+          proxy_pass            http://{{ masterip }}:5601/;
+          proxy_read_timeout    90;
+          proxy_connect_timeout 90;
+          proxy_set_header      Host $host;
+          proxy_set_header      X-Real-IP $remote_addr;
+          proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
+          proxy_set_header      Proxy "";
+
+        }
+
+        location /nodered/ {
+          proxy_pass http://{{ masterip }}:1880/;
+          proxy_read_timeout    90;
+          proxy_connect_timeout 90;
+          proxy_set_header      Host $host;
+          proxy_set_header      X-Real-IP $remote_addr;
+          proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
+          proxy_set_header Upgrade $http_upgrade;
+          proxy_set_header Connection "Upgrade";
+          proxy_set_header      Proxy "";
+
+        }
+        
+        location /playbook/ {
+          proxy_pass            http://{{ masterip }}:3200/playbook/;
+          proxy_read_timeout    90;
+          proxy_connect_timeout 90;
+          proxy_set_header      Host $host;
+          proxy_set_header      X-Real-IP $remote_addr;
+          proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
+          proxy_set_header      Proxy "";
+
+        }
+
+
+        location /navigator/ {
+          auth_request          /auth/sessions/whoami;
+          proxy_pass            http://{{ masterip }}:4200/navigator/;
+          proxy_read_timeout    90;
+          proxy_connect_timeout 90;
+          proxy_set_header      Host $host;
+          proxy_set_header      X-Real-IP $remote_addr;
+          proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
+          proxy_set_header      Proxy "";
+
+        }
+
+      {%- if FLEET_NODE %}
+        location /fleet/ {
+          return 301 https://{{ FLEET_IP }}/fleet;
+        }
+      {%- else %}
+        location /fleet/ {
+          proxy_pass https://{{ masterip }}:8080;
+          proxy_read_timeout    90;
+          proxy_connect_timeout 90;
+          proxy_set_header      Host $host;
+          proxy_set_header      X-Real-IP $remote_addr;
+          proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
+          proxy_set_header      Proxy "";
+        }
+      {%- endif %}
+
+        location /thehive/ {
+          proxy_pass            http://{{ masterip }}:9000/thehive/;
+          proxy_read_timeout    90;
+          proxy_connect_timeout 90;
+          proxy_http_version    1.1; # this is essential for chunked responses to work
+          proxy_set_header      Host $host;
+          proxy_set_header      X-Real-IP $remote_addr;
+          proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
+          proxy_set_header      Proxy "";
+
+        }
+
+        location /cortex/ {
+          proxy_pass            http://{{ masterip }}:9001/cortex/;
+          proxy_read_timeout    90;
+          proxy_connect_timeout 90;
+          proxy_http_version    1.1; # this is essential for chunked responses to work
+          proxy_set_header      Host $host;
+          proxy_set_header      X-Real-IP $remote_addr;
+          proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
+          proxy_set_header      Proxy "";
+
+        }
+        
+        location /soctopus/ {
+          proxy_pass            http://{{ masterip }}:7000/;
+          proxy_read_timeout    90;
+          proxy_connect_timeout 90;
+          proxy_set_header      Host $host;
+          proxy_set_header      X-Real-IP $remote_addr;
+          proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
+          proxy_set_header      Proxy "";
+
+        }
+
+        location /kibana/app/soc/ {
+          rewrite ^/kibana/app/soc/(.*) /soc/$1 permanent;
+        }
+
+        location /kibana/app/fleet/ {
+          rewrite ^/kibana/app/fleet/(.*) /fleet/$1 permanent;
+        }
+
+        location /kibana/app/soctopus/ {
+          rewrite ^/kibana/app/soctopus/(.*) /soctopus/$1 permanent;
+        }
+
+        location /sensoroniagents/ {
+          proxy_pass            http://{{ masterip }}:9822/;
+          proxy_read_timeout    90;
+          proxy_connect_timeout 90;
+          proxy_set_header      Host $host;
+          proxy_set_header      X-Real-IP $remote_addr;
+          proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
+          proxy_set_header      Proxy "";
+        }
+
+        error_page 401 = @error401;
+
+        location @error401 {
+          add_header    Set-Cookie "AUTH_REDIRECT=$request_uri;Path=/;Max-Age=14400";
+          return        302 /auth/self-service/browser/flows/login;
+        }
+
         error_page 404 /404.html;
             location = /40x.html {
         }

salt/common/nginx/nginx.conf.so-mastersearch

@@ -0,0 +1,311 @@
+{%- set masterip = salt['pillar.get']('master:mainip', '') %}
+{%- set FLEET_MASTER = salt['pillar.get']('static:fleet_master') %}
+{%- set FLEET_NODE = salt['pillar.get']('static:fleet_node') %}
+{%- set FLEET_IP = salt['pillar.get']('static:fleet_ip', None) %}
+# For more information on configuration, see:
+#   * Official English Documentation: http://nginx.org/en/docs/
+#   * Official Russian Documentation: http://nginx.org/ru/docs/
+
+worker_processes auto;
+error_log /var/log/nginx/error.log;
+pid /run/nginx.pid;
+
+# Load dynamic modules. See /usr/share/nginx/README.dynamic.
+include /usr/share/nginx/modules/*.conf;
+
+events {
+    worker_connections 1024;
+}
+
+http {
+    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
+                      '$status $body_bytes_sent "$http_referer" '
+                      '"$http_user_agent" "$http_x_forwarded_for"';
+
+    access_log  /var/log/nginx/access.log  main;
+
+    sendfile            on;
+    tcp_nopush          on;
+    tcp_nodelay         on;
+    keepalive_timeout   65;
+    types_hash_max_size 2048;
+    client_max_body_size 1024M;
+
+    include             /etc/nginx/mime.types;
+    default_type        application/octet-stream;
+
+    # Load modular configuration files from the /etc/nginx/conf.d directory.
+    # See http://nginx.org/en/docs/ngx_core_module.html#include
+    # for more information.
+    include /etc/nginx/conf.d/*.conf;
+
+    #server {
+    #    listen       80 default_server;
+    #    listen       [::]:80 default_server;
+    #    server_name  _;
+    #    root         /opt/socore/html;
+    #    index        index.html;
+
+        # Load configuration files for the default server block.
+        #include /etc/nginx/default.d/*.conf;
+
+    #    location / {
+    #    }
+
+    #    error_page 404 /404.html;
+    #        location = /40x.html {
+    #    }
+
+    #    error_page 500 502 503 504 /50x.html;
+    #        location = /50x.html {
+    #    }
+    #}
+    server {
+        listen 80 default_server;
+        server_name _;
+        return 301 https://$host$request_uri;
+    }
+
+{% if FLEET_MASTER %}
+    server {
+        listen       8090 ssl http2 default_server;
+        server_name  _;
+        root         /opt/socore/html;
+        index        blank.html;
+
+        ssl_certificate "/etc/pki/nginx/server.crt";
+        ssl_certificate_key "/etc/pki/nginx/server.key";
+        ssl_session_cache shared:SSL:1m;
+        ssl_session_timeout  10m;
+        ssl_ciphers HIGH:!aNULL:!MD5;
+        ssl_prefer_server_ciphers on;
+
+        location ~ ^/kolide.agent.Api/(RequestEnrollment|RequestConfig|RequestQueries|PublishLogs|PublishResults|CheckHealth)$ {
+            grpc_pass  grpcs://{{ masterip }}:8080;
+            grpc_set_header Host $host;
+            grpc_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_buffering off;
+        }
+
+    }
+{% endif %}
+
+# Settings for a TLS enabled server.
+
+    server {
+        listen       443 ssl http2 default_server;
+        #listen       [::]:443 ssl http2 default_server;
+        server_name  _;
+        root         /opt/socore/html;
+        index        index.html;
+
+        ssl_certificate "/etc/pki/nginx/server.crt";
+        ssl_certificate_key "/etc/pki/nginx/server.key";
+        ssl_session_cache shared:SSL:1m;
+        ssl_session_timeout  10m;
+        ssl_ciphers HIGH:!aNULL:!MD5;
+        ssl_prefer_server_ciphers on;
+
+        # Load configuration files for the default server block.
+        #include /etc/nginx/default.d/*.conf;
+
+        location ~* (^/login/|^/js/.*|^/css/.*|^/images/.*) {
+          proxy_pass            http://{{ masterip }}:9822;
+          proxy_read_timeout    90;
+          proxy_connect_timeout 90;
+          proxy_set_header      Host $host;
+          proxy_set_header      X-Real-IP $remote_addr;
+          proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
+          proxy_set_header      Proxy "";
+          proxy_set_header      Upgrade $http_upgrade;
+          proxy_set_header      Connection "Upgrade";
+        }
+
+        location / {
+          auth_request          /auth/sessions/whoami;
+          proxy_pass            http://{{ masterip }}:9822/;
+          proxy_read_timeout    90;
+          proxy_connect_timeout 90;
+          proxy_set_header      Host $host;
+          proxy_set_header      X-Real-IP $remote_addr;
+          proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
+          proxy_set_header      Proxy "";
+          proxy_set_header      Upgrade $http_upgrade;
+          proxy_set_header      Connection "Upgrade";
+        }
+
+        location ~ ^/auth/.*?(whoami|login|logout) {
+          rewrite               /auth/(.*) /$1 break;
+          proxy_pass            http://{{ masterip }}:4433;
+          proxy_read_timeout    90;
+          proxy_connect_timeout 90;
+          proxy_set_header      Host $host;
+          proxy_set_header      X-Real-IP $remote_addr;
+          proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
+          proxy_set_header      Proxy "";
+
+        }
+
+        location /packages/ {
+          try_files $uri =206;
+          auth_request          /auth/sessions/whoami;
+          proxy_read_timeout    90;
+          proxy_connect_timeout 90;
+          proxy_set_header      Host $host;
+          proxy_set_header      X-Real-IP $remote_addr;
+          proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
+          proxy_set_header      Proxy "";
+        } 
+        
+        location /grafana/ {
+          rewrite               /grafana/(.*) /$1 break;
+          proxy_pass            http://{{ masterip }}:3000/;
+          proxy_read_timeout    90;
+          proxy_connect_timeout 90;
+          proxy_set_header      Host $host;
+          proxy_set_header      X-Real-IP $remote_addr;
+          proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
+          proxy_set_header      Proxy "";
+
+        }
+
+        location /kibana/ {
+          auth_request          /auth/sessions/whoami;
+          rewrite               /kibana/(.*) /$1 break;
+          proxy_pass            http://{{ masterip }}:5601/;
+          proxy_read_timeout    90;
+          proxy_connect_timeout 90;
+          proxy_set_header      Host $host;
+          proxy_set_header      X-Real-IP $remote_addr;
+          proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
+          proxy_set_header      Proxy "";
+
+        }
+
+        location /nodered/ {
+          proxy_pass http://{{ masterip }}:1880/;
+          proxy_read_timeout    90;
+          proxy_connect_timeout 90;
+          proxy_set_header      Host $host;
+          proxy_set_header      X-Real-IP $remote_addr;
+          proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
+          proxy_set_header Upgrade $http_upgrade;
+          proxy_set_header Connection "Upgrade";
+          proxy_set_header      Proxy "";
+
+        }
+        
+        location /playbook/ {
+          proxy_pass            http://{{ masterip }}:3200/playbook/;
+          proxy_read_timeout    90;
+          proxy_connect_timeout 90;
+          proxy_set_header      Host $host;
+          proxy_set_header      X-Real-IP $remote_addr;
+          proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
+          proxy_set_header      Proxy "";
+
+        }
+
+
+        location /navigator/ {
+          auth_request          /auth/sessions/whoami;
+          proxy_pass            http://{{ masterip }}:4200/navigator/;
+          proxy_read_timeout    90;
+          proxy_connect_timeout 90;
+          proxy_set_header      Host $host;
+          proxy_set_header      X-Real-IP $remote_addr;
+          proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
+          proxy_set_header      Proxy "";
+
+        }
+
+      {%- if FLEET_NODE %}
+        location /fleet/ {
+          return 301 https://{{ FLEET_IP }}/fleet;
+        }
+      {%- else %}
+        location /fleet/ {
+          proxy_pass https://{{ masterip }}:8080;
+          proxy_read_timeout    90;
+          proxy_connect_timeout 90;
+          proxy_set_header      Host $host;
+          proxy_set_header      X-Real-IP $remote_addr;
+          proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
+          proxy_set_header      Proxy "";
+        }
+      {%- endif %}
+
+        location /thehive/ {
+          proxy_pass            http://{{ masterip }}:9000/thehive/;
+          proxy_read_timeout    90;
+          proxy_connect_timeout 90;
+          proxy_http_version    1.1; # this is essential for chunked responses to work
+          proxy_set_header      Host $host;
+          proxy_set_header      X-Real-IP $remote_addr;
+          proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
+          proxy_set_header      Proxy "";
+
+        }
+
+        location /cortex/ {
+          proxy_pass            http://{{ masterip }}:9001/cortex/;
+          proxy_read_timeout    90;
+          proxy_connect_timeout 90;
+          proxy_http_version    1.1; # this is essential for chunked responses to work
+          proxy_set_header      Host $host;
+          proxy_set_header      X-Real-IP $remote_addr;
+          proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
+          proxy_set_header      Proxy "";
+
+        }
+        
+        location /soctopus/ {
+          proxy_pass            http://{{ masterip }}:7000/;
+          proxy_read_timeout    90;
+          proxy_connect_timeout 90;
+          proxy_set_header      Host $host;
+          proxy_set_header      X-Real-IP $remote_addr;
+          proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
+          proxy_set_header      Proxy "";
+
+        }
+
+        location /kibana/app/soc/ {
+          rewrite ^/kibana/app/soc/(.*) /soc/$1 permanent;
+        }
+
+        location /kibana/app/fleet/ {
+          rewrite ^/kibana/app/fleet/(.*) /fleet/$1 permanent;
+        }
+
+        location /kibana/app/soctopus/ {
+          rewrite ^/kibana/app/soctopus/(.*) /soctopus/$1 permanent;
+        }
+
+        location /sensoroniagents/ {
+          proxy_pass            http://{{ masterip }}:9822/;
+          proxy_read_timeout    90;
+          proxy_connect_timeout 90;
+          proxy_set_header      Host $host;
+          proxy_set_header      X-Real-IP $remote_addr;
+          proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
+          proxy_set_header      Proxy "";
+        }
+
+        error_page 401 = @error401;
+
+        location @error401 {
+          add_header    Set-Cookie "AUTH_REDIRECT=$request_uri;Path=/;Max-Age=14400";
+          return        302 /auth/self-service/browser/flows/login;
+        }
+
+        error_page 404 /404.html;
+            location = /40x.html {
+        }
+
+        error_page 500 502 503 504 /50x.html;
+            location = /50x.html {
+        }
+    }
+
+}

salt/common/nginx/nginx.conf.so-sensor

@@ -0,0 +1,89 @@
+# For more information on configuration, see:
+#   * Official English Documentation: http://nginx.org/en/docs/
+#   * Official Russian Documentation: http://nginx.org/ru/docs/
+
+user nginx;
+worker_processes auto;
+error_log /var/log/nginx/error.log;
+pid /run/nginx.pid;
+
+# Load dynamic modules. See /usr/share/nginx/README.dynamic.
+include /usr/share/nginx/modules/*.conf;
+
+events {
+    worker_connections 1024;
+}
+
+http {
+    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
+                      '$status $body_bytes_sent "$http_referer" '
+                      '"$http_user_agent" "$http_x_forwarded_for"';
+
+    access_log  /var/log/nginx/access.log  main;
+
+    sendfile            on;
+    tcp_nopush          on;
+    tcp_nodelay         on;
+    keepalive_timeout   65;
+    types_hash_max_size 2048;
+
+    include             /etc/nginx/mime.types;
+    default_type        application/octet-stream;
+
+    # Load modular configuration files from the /etc/nginx/conf.d directory.
+    # See http://nginx.org/en/docs/ngx_core_module.html#include
+    # for more information.
+    include /etc/nginx/conf.d/*.conf;
+
+    server {
+        listen       80 default_server;
+        listen       [::]:80 default_server;
+        server_name  _;
+        root         /usr/share/nginx/html;
+
+        # Load configuration files for the default server block.
+        include /etc/nginx/default.d/*.conf;
+
+        location / {
+        }
+
+        error_page 404 /404.html;
+            location = /40x.html {
+        }
+
+        error_page 500 502 503 504 /50x.html;
+            location = /50x.html {
+        }
+    }
+
+# Settings for a TLS enabled server.
+#
+#    server {
+#        listen       443 ssl http2 default_server;
+#        listen       [::]:443 ssl http2 default_server;
+#        server_name  _;
+#        root         /usr/share/nginx/html;
+#
+#        ssl_certificate "/etc/pki/nginx/server.crt";
+#        ssl_certificate_key "/etc/pki/nginx/private/server.key";
+#        ssl_session_cache shared:SSL:1m;
+#        ssl_session_timeout  10m;
+#        ssl_ciphers HIGH:!aNULL:!MD5;
+#        ssl_prefer_server_ciphers on;
+#
+#        # Load configuration files for the default server block.
+#        include /etc/nginx/default.d/*.conf;
+#
+#        location / {
+#        }
+#
+#        error_page 404 /404.html;
+#            location = /40x.html {
+#        }
+#
+#        error_page 500 502 503 504 /50x.html;
+#            location = /50x.html {
+#        }
+#    }
+
+}

salt/common/telegraf/scripts/broloss.sh

@@ -0,0 +1,17 @@
+#!/bin/bash
+
+ZEEKLOG=$(tac /host/nsm/zeek/logs/packetloss.log | head -2)
+declare RESULT=($ZEEKLOG)
+CURRENTDROP=${RESULT[3]}
+PASTDROP=${RESULT[9]}
+DROPPED=$(($CURRENTDROP - $PASTDROP))
+if [ $DROPPED == 0 ]; then
+  LOSS=0
+  echo "brodrop drop=0"
+else
+  CURRENTPACKETS=${RESULT[5]}
+  PASTPACKETS=${RESULT[11]}
+  TOTAL=$(($CURRENTPACKETS - $PASTPACKETS))
+  LOSS=$(echo $DROPPED $TOTAL / p | dc)
+  echo "brodrop drop=$LOSS"
+fi

salt/common/telegraf/scripts/checkfiles.sh

@@ -0,0 +1,5 @@
+#!/bin/bash
+
+FILES=$(ls -1x /host/nsm/faf/complete/ | wc -l)
+
+echo "faffiles files=$FILES"

salt/common/telegraf/scripts/helixeps.sh

@@ -0,0 +1,25 @@
+#!/bin/bash
+
+PREVCOUNTFILE='/tmp/helixevents.txt'
+EVENTCOUNTCURRENT="$(curl -s localhost:9600/_node/stats | jq '.pipelines.helix.events.out')"
+
+if [ ! -z "$EVENTCOUNTCURRENT" ]; then
+
+  if [ -f "$PREVCOUNTFILE" ]; then
+    EVENTCOUNTPREVIOUS=`cat $PREVCOUNTFILE`
+  else
+    echo "${EVENTCOUNTCURRENT}" > $PREVCOUNTFILE
+    exit 0
+  fi
+
+  echo "${EVENTCOUNTCURRENT}" > $PREVCOUNTFILE
+  EVENTS=$(((EVENTCOUNTCURRENT - EVENTCOUNTPREVIOUS)/30))
+  if [ "$EVENTS" -lt 0 ]; then
+    EVENTS=0
+  fi
+
+  echo "helixeps eps=${EVENTS%%.*}"
+
+fi
+
+exit 0

salt/common/telegraf/scripts/influxdbsize.sh

@@ -0,0 +1,5 @@
+#!/bin/bash
+
+INFLUXSIZE=$(du -s -B1 /host/nsm/influxdb | awk {'print $1'})
+
+echo "influxsize bytes=$INFLUXSIZE"

salt/common/telegraf/scripts/oldpcap.sh

@@ -0,0 +1,8 @@
+#!/bin/bash
+
+# Get the data
+OLDPCAP=$(find /host/nsm/pcap -type f -exec stat -c'%n %Z' {} + | sort | grep -v "\." | head -n 1 | awk {'print $2'})
+DATE=$(date +%s)
+AGE=$(($DATE - $OLDPCAP))
+
+echo "pcapage seconds=$AGE"

salt/common/telegraf/scripts/redis.sh

@@ -0,0 +1,6 @@
+#!/bin/bash
+
+UNPARSED=$(redis-cli llen logstash:unparsed | awk '{print $1}')
+PARSED=$(redis-cli llen logstash:parsed | awk '{print $1}')
+
+echo "redisqueue unparsed=$UNPARSED,parsed=$PARSED"

salt/common/telegraf/scripts/stenoloss.sh

@@ -0,0 +1,6 @@
+#!/bin/bash
+
+# Get the data
+DROP=$(tac /var/log/stenographer/stenographer.log | grep -m1 drop | awk '{print $14}' | awk -F "=" '{print $2}')
+
+echo "stenodrop drop=$DROP"

salt/common/telegraf/scripts/suriloss.sh

@@ -0,0 +1,25 @@
+#!/bin/bash
+
+SURILOG=$(tac /var/log/suricata/stats.log | grep kernel | head -4)
+CHECKIT=$(echo $SURILOG | grep -o 'drop' | wc -l)
+
+if [ $CHECKIT == 2 ]; then
+  declare RESULT=($SURILOG)
+
+  CURRENTDROP=${RESULT[4]}
+  PASTDROP=${RESULT[14]}
+  DROPPED=$(($CURRENTDROP - $PASTDROP))
+  if [ $DROPPED == 0 ]; then
+    LOSS=0
+    echo "suridrop drop=0"
+  else
+    CURRENTPACKETS=${RESULT[9]}
+    PASTPACKETS=${RESULT[19]}
+    TOTAL=$(($CURRENTPACKETS - $PASTPACKETS))
+
+    LOSS=$(echo $DROPPED $TOTAL / p | dc)
+    echo "suridrop drop=$LOSS"
+  fi
+else
+  echo "suridrop drop=0"
+fi

salt/common/tools/sbin/so-allow

@@ -0,0 +1,101 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+SKIP=0
+
+while getopts "abowi:" OPTION
+do
+    case $OPTION in
+
+        h)
+            usage
+            exit 0
+            ;;
+        a)
+            FULLROLE="analyst"
+            SKIP=1
+            ;;
+        b)
+            FULLROLE="beats_endpoint"
+            SKIP=1
+            ;;
+        i)  IP=$OPTARG
+            ;;
+        o)
+            FULLROLE="osquery_endpoint"
+            SKIP=1
+            ;;
+        w)
+            FULLROLE="wazuh_endpoint"
+            SKIP=1
+            ;;
+    esac
+done
+
+if [ "$SKIP" -eq 0 ]; then
+
+    echo "This program allows you to add a firewall rule to allow connections from a new IP address."
+    echo ""
+    echo "Choose the role for the IP or Range you would like to add"
+    echo ""
+    echo "[a] - Analyst - ports 80/tcp and 443/tcp"
+    echo "[b] - Logstash Beat - port 5044/tcp"
+    echo "[o] - Osquery endpoint - port 8090/tcp"
+    echo "[w] - Wazuh endpoint - port 1514"
+    echo ""
+    echo "Please enter your selection (a - analyst, b - beats, o - osquery, w - wazuh):"
+    read ROLE
+    echo "Enter a single ip address or range to allow (example: 10.10.10.10 or 10.10.0.0/16):"
+    read IP
+
+    if [ "$ROLE" == "a" ]; then
+        FULLROLE=analyst
+    elif [ "$ROLE" == "b" ]; then
+        FULLROLE=beats_endpoint
+    elif [ "$ROLE" == "o" ]; then
+        FULLROLE=osquery_endpoint
+    elif [ "$ROLE" == "w" ]; then
+        FULLROLE=wazuh_endpoint
+    else
+        echo "I don't recognize that role"
+        exit 1
+    fi
+
+fi
+
+echo "Adding $IP to the $FULLROLE role. This can take a few seconds"
+/opt/so/saltstack/pillar/firewall/addfirewall.sh $FULLROLE $IP
+
+# Check if Wazuh enabled
+if grep -q -R "wazuh: 1" /opt/so/saltstack/pillar/*; then
+    # If analyst, add to Wazuh AR whitelist
+    if [ "$FULLROLE" == "analyst" ]; then
+          WAZUH_MGR_CFG="/opt/so/wazuh/etc/ossec.conf"
+          if ! grep -q "<white_list>$IP</white_list>" $WAZUH_MGR_CFG ; then
+                  DATE=`date`
+                  sed -i 's/<\/ossec_config>//' $WAZUH_MGR_CFG
+                  sed -i '/^$/N;/^\n$/D' $WAZUH_MGR_CFG
+                  echo -e "<!--Address $IP added by /usr/sbin/so-allow on "$DATE"-->\n  <global>\n    <white_list>$IP</white_list>\n  </global>\n</ossec_config>" >> $WAZUH_MGR_CFG
+                  echo "Added whitelist entry for $IP in $WAZUH_MGR_CFG."
+		  echo
+                  echo "Restarting OSSEC Server..."
+                  /usr/sbin/so-wazuh-restart
+          fi
+     fi
+fi

salt/common/tools/sbin/so-bpf-compile

@@ -0,0 +1,37 @@
+#!/bin/bash
+
+# Copyright 2014 Google Inc. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+if [ "$#" -lt 2 ]; then
+  cat 1>&2 <<EOF
+$0 compiles a BPF expression to be passed to stenotype to apply a socket filter.
+Its first argument is the interface (link type is required) and all other arguments
+are passed to TCPDump.
+
+Examples:
+ $0 eth0 dst port 80
+ $0 eth0 udp port 53
+EOF
+  exit 1
+fi
+
+interface="$1"
+shift
+sudo tcpdump -i $interface -ddd $@ | tail -n+2 |
+while read line; do
+  cols=( $line )
+  printf "%04x%02x%02x%08x" ${cols[0]} ${cols[1]} ${cols[2]} ${cols[3]}
+done
+echo ""

salt/common/tools/sbin/so-bro-logs

@@ -0,0 +1,57 @@
+#!/bin/bash
+
+bro_logs_enabled() {
+
+  echo "brologs:" > /opt/so/saltstack/pillar/brologs.sls
+  echo "  enabled:" >> /opt/so/saltstack/pillar/brologs.sls
+  for BLOG in ${BLOGS[@]}; do
+    echo "    - $BLOG" | tr -d '"' >> /opt/so/saltstack/pillar/brologs.sls
+  done
+
+}
+
+whiptail_master_adv_service_brologs() {
+
+  BLOGS=$(whiptail --title "Security Onion Setup" --checklist "Please Select Logs to Send:" 24 78 12 \
+  "conn" "Connection Logging" ON \
+  "dce_rpc" "RPC Logs" ON \
+  "dhcp" "DHCP Logs" ON \
+  "dhcpv6" "DHCP IPv6 Logs" ON \
+  "dnp3" "DNP3 Logs" ON \
+  "dns" "DNS Logs" ON \
+  "dpd" "DPD Logs" ON \
+  "files" "Files Logs" ON \
+  "ftp" "FTP Logs" ON \
+  "http" "HTTP Logs" ON \
+  "intel" "Intel Hits Logs" ON \
+  "irc" "IRC Chat Logs" ON \
+  "kerberos" "Kerberos Logs" ON \
+  "modbus" "MODBUS Logs" ON \
+  "mqtt" "MQTT Logs" ON \
+  "notice" "Zeek Notice Logs" ON \
+  "ntlm" "NTLM Logs" ON \
+  "openvpn" "OPENVPN Logs" ON \
+  "pe" "PE Logs" ON \
+  "radius" "Radius Logs" ON \
+  "rfb" "RFB Logs" ON \
+  "rdp" "RDP Logs" ON \
+  "signatures" "Signatures Logs" ON \
+  "sip" "SIP Logs" ON \
+  "smb_files" "SMB Files Logs" ON \
+  "smb_mapping" "SMB Mapping Logs" ON \
+  "smtp" "SMTP Logs" ON \
+  "snmp" "SNMP Logs" ON \
+  "software" "Software Logs" ON \
+  "ssh" "SSH Logs" ON \
+  "ssl" "SSL Logs" ON \
+  "syslog" "Syslog Logs" ON \
+  "telnet" "Telnet Logs" ON \
+  "tunnel" "Tunnel Logs" ON \
+  "weird" "Zeek Weird Logs" ON \
+  "mysql" "MySQL Logs" ON \
+  "socks" "SOCKS Logs" ON \
+  "x509" "x.509 Logs" ON 3>&1 1>&2 2>&3 )
+}
+
+whiptail_master_adv_service_brologs
+bro_logs_enabled

salt/common/tools/sbin/so-checkin

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+salt-call state.highstate

salt/common/tools/sbin/so-common

@@ -0,0 +1,30 @@
+#!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+# Check for prerequisites
+if [ "$(id -u)" -ne 0 ]; then
+        echo "This script must be run using sudo!"
+        exit 1
+fi
+
+# Define a banner to separate sections
+banner="========================================================================="
+
+header() {
+        echo
+        printf '%s\n' "$banner" "$*" "$banner"
+}

salt/common/tools/sbin/so-cortex-restart

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-restart cortex $1

salt/common/tools/sbin/so-cortex-start

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-start cortex $1

salt/common/tools/sbin/so-cortex-stop

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-stop cortex $1

salt/common/tools/sbin/so-curator-restart

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-restart curator $1

salt/common/tools/sbin/so-curator-start

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-start curator $1

salt/common/tools/sbin/so-curator-stop

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-stop curator $1

salt/common/tools/sbin/so-elastalert-restart

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-restart elastalert $1

salt/common/tools/sbin/so-elastalert-start

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-start elastalert $1

salt/common/tools/sbin/so-elastalert-stop

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-stop elastalert $1

salt/common/tools/sbin/so-elastalert-test

@@ -0,0 +1,142 @@
+#!/bin/bash
+
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+# Originally written by Bryant Treacle
+# https://raw.githubusercontent.com/bryant-treacle/so-elastalert-test-rule/master/so-elastalert-test
+# Modified by Doug Burks and Wes Lambert
+#
+# Purpose:  This script will allow you to test your elastalert rule without entering the Docker container.
+
+. /usr/sbin/so-elastic-common
+
+OPTIONS=""
+SKIP=0
+RESULTS_TO_LOG="n"
+RULE_NAME=""
+FILE_SAVE_LOCATION=""
+
+usage()
+{
+cat <<EOF
+
+Test Elastalert Rule
+  Options:
+  -h         		This message
+  -a         		Trigger real alerts instead of the debug alert
+  -l <path_to_file>     Write results to specified log file
+  -o '<options>'	Specify Elastalert options ( Ex. --schema-only , --count-only, --days N ) 
+  -r <rule_name>        Specify path/name of rule to test
+
+EOF
+}
+
+while getopts "hal:o:r:" OPTION
+do
+        case $OPTION in
+                h)
+                        usage
+                        exit 0
+                        ;;
+                a)
+                        OPTIONS="--alert"
+                        ;;
+                l)
+                        RESULTS_TO_LOG="y"
+                        FILE_SAVE_LOCATION=$OPTARG
+                        ;;
+                
+                o)
+			OPTIONS=$OPTARG
+                        ;;  
+                
+                r)
+                        RULE_NAME=$OPTARG
+                        SKIP=1
+                        ;;
+                *)
+                        usage
+                        exit 0
+                        ;;
+        esac
+done
+
+docker_exec(){
+	if [ ${RESULTS_TO_LOG,,} = "y" ] ; then
+        	docker exec -it so-elastalert bash -c "elastalert-test-rule $RULE_NAME $OPTIONS" > $FILE_SAVE_LOCATION
+	else
+        	docker exec -it so-elastalert bash -c "elastalert-test-rule $RULE_NAME $OPTIONS"
+	fi	
+}
+
+rule_prompt(){
+	CURRENT_RULES=$(find /opt/so/rules/elastalert -name "*.yaml")
+        echo
+        echo "This script will allow you to test an Elastalert rule."
+        echo
+        echo "Below is a list of active Elastalert rules:"
+        echo
+	echo "-----------------------------------"
+        echo
+        echo "$CURRENT_RULES"
+        echo
+	echo "-----------------------------------"
+	echo 
+        echo "Note: To test a rule it must be accessible by the Elastalert Docker container."
+        echo
+        echo "Make sure to swap the local path (/opt/so/rules/elastalert/) for the docker path (/etc/elastalert/rules/)"
+        echo "Example: /opt/so/rules/elastalert/nids2hive.yaml would be /etc/elastalert/rules/nids2hive.yaml"
+        echo
+        while [ -z $RULE_NAME ]; do
+		echo "Please enter the file path and rule name you want to test."
+		read -e RULE_NAME
+	done
+}
+
+log_save_prompt(){
+	RESULTS_TO_LOG=""
+        while [ -z $RESULTS_TO_LOG ]; do
+		echo "The results can be rather long.  Would you like to write the results to a file? (Y/N)"
+		read RESULTS_TO_LOG
+	done
+}
+
+log_path_prompt(){
+        while [ -z $FILE_SAVE_LOCATION ]; do
+		echo "Please enter the file path and file name."
+		read -e FILE_SAVE_LOCATION
+        done
+		echo "Depending on the rule this may take a while."
+}
+
+if [ $SKIP -eq 0 ]; then
+	rule_prompt
+	log_save_prompt
+        if [ ${RESULTS_TO_LOG,,} = "y" ] ; then
+        	log_path_prompt
+        fi
+fi
+
+docker_exec
+
+if [ $? -eq 0 ]; then
+	echo "Test completed successfully!"
+else
+	echo "Something went wrong..."
+fi
+
+echo
+
+
+

salt/common/tools/sbin/so-elastic-clear

@@ -0,0 +1,80 @@
+#!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+{%- set MASTERIP = salt['pillar.get']('static:masterip', '') -%}
+. /usr/sbin/so-common
+
+SKIP=0
+#########################################
+# Options
+#########################################
+usage()
+{
+cat <<EOF
+Security Onion Elastic Clear
+  Options:
+  -h         This message
+  -y         Skip interactive mode
+EOF
+}
+while getopts "h:y" OPTION
+do
+        case $OPTION in
+                h)
+                        usage
+                        exit 0
+                        ;;
+                
+                y)
+                        SKIP=1
+                        ;;
+                *)
+                        usage
+                        exit 0
+                        ;;
+        esac
+done
+if [ $SKIP -ne 1 ]; then
+        # List indices
+        echo 
+        curl {{ MASTERIP }}:9200/_cat/indices?v&pretty
+        echo
+        # Inform user we are about to delete all data
+        echo
+        echo "This script will delete all data (documents, indices, etc.) in the Elasticsearch database."
+        echo
+        echo "If you would like to proceed, please type "AGREE" and hit ENTER."
+        echo
+        # Read user input
+        read INPUT
+        if [ "$INPUT" != "AGREE" ] ; then exit 0; fi
+fi
+
+/usr/sbin/so-filebeat-stop
+/usr/sbin/so-logstash-stop
+
+# Delete data
+echo "Deleting data..."
+
+INDXS=$(curl -s -XGET {{ MASTERIP }}:9200/_cat/indices?v | egrep 'logstash|elastalert' | awk '{ print $3 }')
+for INDX in ${INDXS}
+do
+    curl -XDELETE "{{ MASTERIP }}:9200/${INDX}" > /dev/null 2>&1
+done
+
+/usr/sbin/so-logstash-start
+/usr/sbin/so-filebeat-start
+

salt/common/tools/sbin/so-elastic-diagnose

@@ -0,0 +1,33 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+# Source common settings
+. /usr/sbin/so-common
+
+# Check for log files
+for FILE in /opt/so/log/elasticsearch/*.log /opt/so/log/logstash/*.log /opt/so/log/kibana/*.log /opt/so/log/elastalert/*.log /opt/so/log/curator/*.log /opt/so/log/freqserver/*.log /opt/so/log/nginx/*.log; do
+
+# If file exists, then look for errors or warnings 
+if [ -f $FILE ]; then
+	MESSAGE=`grep -i 'ERROR\|FAIL\|WARN' $FILE` 
+	if [ ! -z "$MESSAGE" ]; then
+		header $FILE
+		echo $MESSAGE | sed 's/WARN/\nWARN/g' | sed 's/WARNING/\nWARNING/g' | sed 's/ERROR/\nERROR/g' | sort | uniq -c | sort -nr
+		echo
+	fi
+fi
+done

salt/common/tools/sbin/so-elastic-download

@@ -0,0 +1,44 @@
+#!/bin/bash
+MASTER=MASTER
+VERSION="HH1.1.4"
+TRUSTED_CONTAINERS=( \
+"so-core:$VERSION" \
+"so-thehive-cortex:$VERSION" \
+"so-curator:$VERSION" \
+"so-domainstats:$VERSION" \
+"so-elastalert:$VERSION" \
+"so-elasticsearch:$VERSION" \
+"so-filebeat:$VERSION" \
+"so-fleet:$VERSION" \
+"so-fleet-launcher:$VERSION" \
+"so-freqserver:$VERSION" \
+"so-grafana:$VERSION" \
+"so-idstools:$VERSION" \
+"so-influxdb:$VERSION" \
+"so-kibana:$VERSION" \
+"so-logstash:$VERSION" \
+"so-mysql:$VERSION" \
+"so-navigator:$VERSION" \
+"so-playbook:$VERSION" \
+"so-redis:$VERSION" \
+"so-sensoroni:$VERSION" \
+"so-soctopus:$VERSION" \
+"so-steno:$VERSION" \
+#"so-strelka:$VERSION" \
+"so-suricata:$VERSION" \
+"so-telegraf:$VERSION" \
+"so-thehive:$VERSION" \
+"so-thehive-es:$VERSION" \
+"so-wazuh:$VERSION" \
+"so-zeek:$VERSION" )
+
+for i in "${TRUSTED_CONTAINERS[@]}"
+do
+  # Pull down the trusted docker image
+  echo "Downloading $i"
+  docker pull --disable-content-trust=false docker.io/soshybridhunter/$i
+  # Tag it with the new registry destination
+  docker tag soshybridhunter/$i $MASTER:5000/soshybridhunter/$i
+  docker push $MASTER:5000/soshybridhunter/$i
+  docker rmi soshybridhunter/$i
+done

salt/common/tools/sbin/so-elasticsearch-restart

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-restart elasticsearch $1

salt/common/tools/sbin/so-elasticsearch-start

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-start elasticsearch $1

salt/common/tools/sbin/so-elasticsearch-stop

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-stop elasticsearch $1

salt/common/tools/sbin/so-elasticsearch-templates

@@ -0,0 +1,54 @@
+{% set MASTERIP = salt['pillar.get']('master:mainip', '') %}
+#!/bin/bash
+# Copyright 2014,2015,2016,2017,2018,2019 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+ELASTICSEARCH_HOST="{{ MASTERIP}}"
+ELASTICSEARCH_PORT=9200
+#ELASTICSEARCH_AUTH=""
+
+# Define a default directory to load pipelines from
+ELASTICSEARCH_TEMPLATES="/opt/so/saltstack/salt/logstash/pipelines/templates/so/"
+
+# Wait for ElasticSearch to initialize
+echo -n "Waiting for ElasticSearch..."
+COUNT=0
+ELASTICSEARCH_CONNECTED="no"
+while [[ "$COUNT" -le 240 ]]; do
+	curl --output /dev/null --silent --head --fail http://"$ELASTICSEARCH_HOST":"$ELASTICSEARCH_PORT"
+	if [ $? -eq 0 ]; then
+		ELASTICSEARCH_CONNECTED="yes"
+		echo "connected!"
+		break
+	else
+		((COUNT+=1))
+		sleep 1
+		echo -n "."
+	fi
+done
+if [ "$ELASTICSEARCH_CONNECTED" == "no" ]; then
+	echo
+	echo -e "Connection attempt timed out.  Unable to connect to ElasticSearch.  \nPlease try: \n  -checking log(s) in /var/log/elasticsearch/\n  -running 'sudo docker ps' \n  -running 'sudo so-elastic-restart'"
+	echo
+fi
+
+cd ${ELASTICSEARCH_TEMPLATES}
+
+
+echo "Loading templates..."
+for i in *; do TEMPLATE=$(echo $i | cut -d '-' -f2); echo "so-$TEMPLATE"; curl ${ELASTICSEARCH_AUTH} -s -XPUT http://${ELASTICSEARCH_HOST}:${ELASTICSEARCH_PORT}/_template/so-$TEMPLATE -H 'Content-Type: application/json' -d@$i 2>/dev/null; echo; done
+echo
+
+cd - >/dev/null

salt/common/tools/sbin/so-features-enable

@@ -0,0 +1,42 @@
+#!/bin/bash
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+
+#    This program is free software: you can redistribute it and/or modify
+#    it under the terms of the GNU General Public License as published by
+#    the Free Software Foundation, either version 3 of the License, or
+#    (at your option) any later version.
+#
+#    This program is distributed in the hope that it will be useful,
+#    but WITHOUT ANY WARRANTY; without even the implied warranty of
+#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#    GNU General Public License for more details.
+#
+#    You should have received a copy of the GNU General Public License
+#    along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+VERSION=$(grep soversion /opt/so/saltstack/pillar/static.sls | cut -d':' -f2|sed 's/ //g')
+# Modify static.sls to enable Features
+sed -i 's/features: False/features: True/' /opt/so/saltstack/pillar/static.sls
+SUFFIX="-features"
+TRUSTED_CONTAINERS=( \
+  "so-elasticsearch:$VERSION$SUFFIX" \
+  "so-filebeat:$VERSION$SUFFIX" \
+  "so-kibana:$VERSION$SUFFIX" \
+  "so-logstash:$VERSION$SUFFIX" )
+
+for i in "${TRUSTED_CONTAINERS[@]}"
+do
+    # Pull down the trusted docker image
+    echo "Downloading $i"
+    docker pull --disable-content-trust=false docker.io/soshybridhunter/$i
+    # Tag it with the new registry destination
+    docker tag soshybridhunter/$i $HOSTNAME:5000/soshybridhunter/$i
+    docker push $HOSTNAME:5000/soshybridhunter/$i
+done
+for i in "${TRUSTED_CONTAINERS[@]}"
+do
+    echo "Removing $i locally"
+    docker rmi soshybridhunter/$i
+done

salt/common/tools/sbin/so-filebeat-restart

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-restart filebeat $1

salt/common/tools/sbin/so-filebeat-start

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-start filebeat $1

salt/common/tools/sbin/so-filebeat-stop

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-stop filebeat $1

salt/common/tools/sbin/so-fleet-restart

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-restart fleet $1

salt/common/tools/sbin/so-fleet-start

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-start fleet $1

salt/common/tools/sbin/so-fleet-stop

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-stop fleet $1

salt/common/tools/sbin/so-grafana-restart

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-restart grafana $1