Merge pull request #14971 from Security-Onion-Solutions/mikebond

and nic channel customization

salt/manager/tools/sbin/so-minion

@@ -454,6 +454,7 @@ function add_sensor_to_minion() {
         echo "sensor:"
         echo "  interface: '$INTERFACE'"
         echo "  mtu: 9000"
+		echo "  channels: 1"
         echo "zeek:"
         echo "  enabled: True"
         echo "  config:"

salt/sensor/defaults.yaml

@@ -0,0 +1,4 @@
+sensor:
+  interface: bond0
+  mtu: 9000
+  channels: 1

salt/sensor/init.sls

@@ -9,6 +9,8 @@
 #    in the software, and you may not remove or obscure any functionality in the
 #    software that is protected by the license key."
 
+{% from 'sensor/map.jinja' import SENSORMERGED %}
+
 {% if 'vrt' in salt['pillar.get']('features') and salt['grains.get']('salt-cloud', {}) %}
 
 include:
@@ -28,3 +30,18 @@ execute_checksum:
     - name: /etc/NetworkManager/dispatcher.d/pre-up.d/99-so-checksum-offload-disable
     - onchanges:
       - file: offload_script
+
+combine_bond_script:
+  file.managed:
+    - name: /usr/sbin/so-combine-bond
+    - source: salt://sensor/tools/sbin_jinja/so-combine-bond
+    - mode: 755
+    - template: jinja
+    - defaults:
+         CHANNELS: {{ SENSORMERGED.channels }}
+
+execute_combine_bond:
+  cmd.run:
+    - name: /usr/sbin/so-combine-bond
+    - onchanges:
+      - file: combine_bond_script

salt/sensor/map.jinja

@@ -0,0 +1,7 @@
+{# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+   or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+   https://securityonion.net/license; you may not use this file except in compliance with the
+   Elastic License 2.0. #}
+
+{% import_yaml 'sensor/defaults.yaml' as SENSORDEFAULTS %}
+{% set SENSORMERGED = salt['pillar.get']('sensor', SENSORDEFAULTS.sensor, merge=True) %}

salt/sensor/soc_sensor.yaml

@@ -7,3 +7,9 @@ sensor:
     description: Maximum Transmission Unit (MTU) of the sensor monitoring interface.
     helpLink: network.html
     readonly: True
+  channels:
+    description: Set the size of the nic channels. This is rarely changed from 1 
+    helpLink: network.html
+    forcedType: int
+    node: True
+    advanced: True

salt/sensor/tools/sbin_jinja/so-combine-bond

@@ -0,0 +1,70 @@
+#!/bin/bash
+
+# Script to find all interfaces of bond0 and set channel parameters
+# Compatible with Oracle Linux 9, Ubuntu, and Debian
+
+. /usr/sbin/so-common
+
+# Number of channels to set
+CHANNELS={{ CHANNELS }}
+
+# Exit on any error
+set -e
+
+# Check if running as root
+if [[ $EUID -ne 0 ]]; then
+   exit 1
+fi
+
+# Check if bond0 exists
+if ! ip link show bond0 &>/dev/null; then
+    exit 1
+fi
+
+# Function to get slave interfaces - works across distributions
+get_bond_slaves() {
+    local bond_name="$1"
+    local slaves=""
+    
+    # Method 1: Try /sys/class/net first (most reliable)
+    if [ -f "/sys/class/net/$bond_name/bonding/slaves" ]; then
+        slaves=$(cat "/sys/class/net/$bond_name/bonding/slaves" 2>/dev/null)
+    fi
+    
+    # Method 2: Try /proc/net/bonding (older systems)
+    if [ -z "$slaves" ] && [ -f "/proc/net/bonding/$bond_name" ]; then
+        slaves=$(grep "Slave Interface:" "/proc/net/bonding/$bond_name" 2>/dev/null | awk '{print $3}' | tr '\n' ' ')
+    fi
+    
+    # Method 3: Parse ip link output (universal fallback)
+    if [ -z "$slaves" ]; then
+        slaves=$(ip -o link show | grep "master $bond_name" | awk -F': ' '{print $2}' | cut -d'@' -f1 | tr '\n' ' ')
+    fi
+    
+    echo "$slaves"
+}
+
+# Get slave interfaces
+SLAVES=$(get_bond_slaves bond0)
+
+if [ -z "$SLAVES" ]; then
+    exit 1
+fi
+
+# Process each slave interface
+for interface in $SLAVES; do
+    # Skip if interface doesn't exist
+    if ! ip link show "$interface" &>/dev/null; then
+        continue
+    fi
+    
+    # Try combined mode first
+    if ethtool -L "$interface" combined $CHANNELS &>/dev/null; then
+        continue
+    fi
+    
+    # Fall back to separate rx/tx
+    ethtool -L "$interface" rx $CHANNELS tx $CHANNELS &>/dev/null || true
+done
+
+exit 0