Merge pull request #14200 from Security-Onion-Solutions/2.4/dev

2.4/dev
2025-12-06 17:22:49 +01:00 · 2025-02-06 17:41:22 -05:00
parent 924c0b63bd 4b51066327
commit 160c84ec1a
10 changed files with 27 additions and 7 deletions
--- a/.github/workflows/contrib.yml
+++ b/.github/workflows/contrib.yml
@@ -18,7 +18,7 @@ jobs:
        with:
          path-to-signatures: 'signatures_v1.json'
          path-to-document: 'https://securityonionsolutions.com/cla' 
-          allowlist: dependabot[bot],jertel,dougburks,TOoSmOotH,weslambert,defensivedepth,m0duspwnens
+          allowlist: dependabot[bot],jertel,dougburks,TOoSmOotH,defensivedepth,m0duspwnens
          remote-organization-name: Security-Onion-Solutions
          remote-repository-name: licensing

--- a/salt/common/tools/sbin/so-log-check
+++ b/salt/common/tools/sbin/so-log-check
@@ -125,6 +125,7 @@ if [[ $EXCLUDE_STARTUP_ERRORS == 'Y' ]]; then
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|tls handshake error"          # Docker registry container when new node comes onlines
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|Unable to get license information" # Logstash trying to contact ES before it's ready
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|process already finished"     # Telegraf script finished just as the auto kill timeout kicked in
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|No shard available"           # Typical error when making a query before ES has finished loading all indices
 fi

 if [[ $EXCLUDE_FALSE_POSITIVE_ERRORS == 'Y' ]]; then
--- a/salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-gen-installers
+++ b/salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-gen-installers
@@ -77,9 +77,10 @@ do
 done

 printf "\n\n### Generating MSI...\n"
+cp /opt/so/saltstack/local/salt/elasticfleet/files/so_agent-installers/so-elastic-agent_windows_amd64 /opt/so/saltstack/local/salt/elasticfleet/files/so_agent-installers/so-elastic-agent_windows_amd64.exe
 docker run \
--mount type=bind,source=/opt/so/saltstack/local/salt/elasticfleet/files/so_agent-installers/,target=/output/ \
-{{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-elastic-agent-builder:{{ GLOBALS.so_version }} wixl -o /output/so-elastic-agent_windows_amd64_msi --arch x64 /workspace/so-elastic-agent.wxs
+--mount type=bind,source=/opt/so/saltstack/local/salt/elasticfleet/files/so_agent-installers/,target=/output/ -w /output \
+{{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-elastic-agent-builder:{{ GLOBALS.so_version }} wixl -o so-elastic-agent_windows_amd64_msi --arch x64 /workspace/so-elastic-agent.wxs
 printf "\n### MSI Generated...\n"

 printf "\n### Cleaning up temp files in /nsm/elastic-agent-workspace\n"
--- a/salt/elasticsearch/defaults.yaml
+++ b/salt/elasticsearch/defaults.yaml
@@ -638,12 +638,19 @@ elasticsearch:
              mapping:
                total_fields:
                  limit: 1500
+              lifecycle:
+                name: so-ip-mappings-logs
              number_of_replicas: 0
              number_of_shards: 1
              refresh_interval: 30s
              sort:
                field: '@timestamp'
                order: desc
+      policy:
+        phases:
+          hot:
+            actions: {}
+            min_age: 0ms
    so-items:
      index_sorting: false
      index_template:
--- a/salt/kratos/soc_kratos.yaml
+++ b/salt/kratos/soc_kratos.yaml
@@ -11,7 +11,7 @@ kratos:
      helpLink: oidc.html
    config:
      id: 
-        description: Customize the OIDC provider name. This name appears on the login page. Required.
+        description: Customize the OIDC provider name. This name appears on the login page. Required. It is strongly recommended to leave this to the default value, unless you are aware of the other configuration pieces that will be affected by changing it.
        global: True
        forcedType: string
        helpLink: oidc.html
--- a/salt/manager/tools/sbin/soup
+++ b/salt/manager/tools/sbin/soup
@@ -511,8 +511,7 @@ post_to_2.4.90() {
 }

 post_to_2.4.100() {
-  echo "Regenerating Elastic Agent Installers"
-  /sbin/so-elastic-agent-gen-installers
+  echo "Nothing to apply"
  POSTVERSION=2.4.100
 }

@@ -532,6 +531,9 @@ post_to_2.4.120() {
  # Manually rollover suricata alerts index to ensure data_stream.dataset expected mapping is set to 'suricata'
  rollover_index "logs-suricata.alerts-so"

+  echo "Regenerating Elastic Agent Installers"
+  /sbin/so-elastic-agent-gen-installers
+
  POSTVERSION=2.4.120
 }

--- a/salt/soc/defaults.yaml
+++ b/salt/soc/defaults.yaml
@@ -2147,6 +2147,7 @@ soc:
          eventFetchLimit: 500
          relativeTimeValue: 24
          relativeTimeUnit: 30
+          maxBulkEscalateEvents: 100
          mostRecentlyUsedLimit: 5
          ackEnabled: true
          escalateEnabled: true
--- a/salt/soc/enabled.sls
+++ b/salt/soc/enabled.sls
@@ -51,6 +51,7 @@ so-soc:
      - /opt/so/conf/soc/migrations:/opt/so/conf/soc/migrations:rw
      - /nsm/backup/detections-migration:/nsm/backup/detections-migration:ro
      - /opt/so/state:/opt/so/state:rw
+      - /etc/pki/ca.crt:/opt/sensoroni/html/so-ca.crt:ro
    - extra_hosts:
    {% for node in DOCKER_EXTRA_HOSTS %}
    {%   for hostname, ip in node.items() %}
--- a/salt/soc/soc_soc.yaml
+++ b/salt/soc/soc_soc.yaml
@@ -496,7 +496,11 @@ soc:
            global: True
            advanced: True
            forcedType: "[]{}"
-        alerts: *appSettings
+        alerts:
+          <<: *appSettings
+          maxBulkEscalateEvents:
+            description: Maximum number of events to escalate in a single bulk escalation. Large values may run into other limits.
+            global: True
        cases: *appSettings
        dashboards: *appSettings
        detections:
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -2326,6 +2326,9 @@ update_packages() {
 		retry 150 10 "apt-get -y update" "" "Err:" >> "$setup_log" 2>&1 || fail_setup
 		info "Running apt-get upgrade"
 		retry 150 10 "apt-get -y upgrade" >> "$setup_log" 2>&1 || fail_setup
+	else
+		info "Updating packages"
+		logCmd "dnf -y update --allowerasing --exclude=salt*,docker*,containerd*"
 	fi
 }