From 217bb388a05d21151995f9c7e0ed3bb81bd25d40 Mon Sep 17 00:00:00 2001
From: Jason Ertel
Date: Mon, 16 Sep 2024 10:05:17 -0400
Subject: [PATCH] Clarify enabled settings

---
 salt/elastalert/soc_elastalert.yaml | 2 +-
 .../soc_elastic-fleet-package-registry.yaml | 2 +-
 salt/elasticfleet/soc_elasticfleet.yaml | 2 +-
 salt/elasticsearch/soc_elasticsearch.yaml | 3 ++-
 salt/idh/soc_idh.yaml | 2 +-
 salt/idstools/soc_idstools.yaml | 2 +-
 salt/influxdb/soc_influxdb.yaml | 2 +-
 salt/kibana/soc_kibana.yaml | 2 +-
 salt/kratos/soc_kratos.yaml | 2 +-
 salt/logstash/soc_logstash.yaml | 2 +-
 salt/manager/soc_manager.yaml | 2 +-
 salt/nginx/soc_nginx.yaml | 2 +-
 salt/patch/soc_patch.yaml | 2 +-
 salt/pcap/soc_pcap.yaml | 2 +-
 salt/redis/soc_redis.yaml | 2 +-
 salt/registry/soc_registry.yaml | 2 +-
 salt/sensoroni/soc_sensoroni.yaml | 2 +-
 salt/soc/soc_soc.yaml | 2 +-
 salt/stig/soc_stig.yaml | 2 +-
 salt/strelka/soc_strelka.yaml | 2 +-
 salt/suricata/soc_suricata.yaml | 2 +-
 salt/telegraf/soc_telegraf.yaml | 3 ++-
 salt/zeek/soc_zeek.yaml | 2 +-
 23 files changed, 25 insertions(+), 23 deletions(-)

diff --git a/salt/elastalert/soc_elastalert.yaml b/salt/elastalert/soc_elastalert.yaml
index 905fd3884..764ec87fc 100644
--- a/salt/elastalert/soc_elastalert.yaml
+++ b/salt/elastalert/soc_elastalert.yaml
@@ -1,6 +1,6 @@
 elastalert:
   enabled:
-    description: You can enable or disable Elastalert.
+    description: Enables or disables the ElastAlert 2 process. This process is critical for ensuring alerts arrive in SOC, and for outbound notification delivery.
     helpLink: elastalert.html
   alerter_parameters:
     title: Custom Configuration Parameters
diff --git a/salt/elastic-fleet-package-registry/soc_elastic-fleet-package-registry.yaml b/salt/elastic-fleet-package-registry/soc_elastic-fleet-package-registry.yaml
index 70886c447..84303fd30 100644
--- a/salt/elastic-fleet-package-registry/soc_elastic-fleet-package-registry.yaml
+++ b/salt/elastic-fleet-package-registry/soc_elastic-fleet-package-registry.yaml
@@ -1,4 +1,4 @@
 elastic_fleet_package_registry:
   enabled:
-    description: You can enable or disable Elastic Fleet Package Registry.
+    description: Enables or disables the Fleet package registry process. This process must remain enabled for proper HIDS functionality.
     advanced: True
diff --git a/salt/elasticfleet/soc_elasticfleet.yaml b/salt/elasticfleet/soc_elasticfleet.yaml
index 7ed97e6ec..b29d228a1 100644
--- a/salt/elasticfleet/soc_elasticfleet.yaml
+++ b/salt/elasticfleet/soc_elasticfleet.yaml
@@ -1,6 +1,6 @@
 elasticfleet:
   enabled:
-    description: You can enable or disable Elastic Fleet.
+    description: Enables or disables the Elatic Fleet process. This process is critical for ensuring HIDS events are made available in SOC.
     advanced: True
     helpLink: elastic-fleet.html
   enable_manager_output:
diff --git a/salt/elasticsearch/soc_elasticsearch.yaml b/salt/elasticsearch/soc_elasticsearch.yaml
index b489bfe78..8c28d256a 100644
--- a/salt/elasticsearch/soc_elasticsearch.yaml
+++ b/salt/elasticsearch/soc_elasticsearch.yaml
@@ -1,6 +1,7 @@
 elasticsearch:
   enabled:
-    description: You can enable or disable Elasticsearch.
+    description: Enables or disables the Elasticsearch process. This process provides the log event storage system. WARNING: Disabling this process is unsupported.
+    advanced: True
     helpLink: elasticsearch.html
   version:
     description: "This specifies the version of the following containers: so-elastic-fleet-package-registry, so-elastic-agent, so-elastic-fleet, so-kibana, so-logstash and so-elasticsearch. Modifying this value in the Elasticsearch defaults.yaml will result in catastrophic grid failure."
diff --git a/salt/idh/soc_idh.yaml b/salt/idh/soc_idh.yaml
index d3baaaab5..ecbc7cc43 100644
--- a/salt/idh/soc_idh.yaml
+++ b/salt/idh/soc_idh.yaml
@@ -1,6 +1,6 @@
 idh:
   enabled:
-    description: You can enable or disable IDH.
+    description: Enables or disables the Intrustion Detection Honeypot (IDH) process.
     helpLink: idh.html
   opencanary:
     config:
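Review bot: The new elasticfleet description ships a typo in user-facing text, `Elatic Fleet` on the added description line, and the same hunk-set has two more: `Intrustion` in the idh hunk below and `Thsi` in the redis hunk further down. These strings are rendered in the SOC settings UI, so they are worth fixing in the same commit. Suggested lines: `description: Enables or disables the Elastic Fleet process. This process is critical for ensuring HIDS events are made available in SOC.`, `description: Enables or disables the Intrusion Detection Honeypot (IDH) process.`, and for redis `This may already be disabled on some installation types.`.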
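Review bot: The added elasticsearch description is an unquoted plain scalar that contains `WARNING: ` — a colon followed by a space — which standard YAML parsers (PyYAML/libyaml, yaml.v3) reject with "mapping values are not allowed here", so the file will fail to load rather than merely display oddly. The same construct appears in the influxdb, kibana, kratos, nginx, patch, registry, soc and telegraf hunks of this commit. The file's own convention two lines below (the `version` description) is to double-quote such values, so the fix is `description: "Enables or disables the Elasticsearch process. This process provides the log event storage system. WARNING: Disabling this process is unsupported."` and the equivalent quoting in each of the other eight files. Running the changed files through yamllint or a safe_load in CI would have caught this before merge.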
diff --git a/salt/idstools/soc_idstools.yaml b/salt/idstools/soc_idstools.yaml
index 993abfd51..a27a0e683 100644
--- a/salt/idstools/soc_idstools.yaml
+++ b/salt/idstools/soc_idstools.yaml
@@ -1,6 +1,6 @@
 idstools:
   enabled:
-    description: You can enable or disable IDSTools.
+    description: Enables or disables the IDS tools process, which is used by the Detection system.
   config:
     oinkcode:
       description: Enter your registration code or oinkcode for paid NIDS rulesets.
diff --git a/salt/influxdb/soc_influxdb.yaml b/salt/influxdb/soc_influxdb.yaml
index 42566a0a8..6234d17ac 100644
--- a/salt/influxdb/soc_influxdb.yaml
+++ b/salt/influxdb/soc_influxdb.yaml
@@ -1,6 +1,6 @@
 influxdb:
   enabled:
-    description: You can enable or disable InfluxDB.
+    description: Enables the grid metrics collection storage system. Security Onion grid health monitoring requires this process to remain enabled. WARNING: Disabling the process is unsupported, and will cause unexpected results.
     helpLink: influxdb.html
   config:
     assets-path:
diff --git a/salt/kibana/soc_kibana.yaml b/salt/kibana/soc_kibana.yaml
index c95512b58..8ac0e8e47 100644
--- a/salt/kibana/soc_kibana.yaml
+++ b/salt/kibana/soc_kibana.yaml
@@ -1,6 +1,6 @@
 kibana:
   enabled:
-    description: You can enable or disable Kibana.
+    description: Enables or disables the Kibana front-end interface to Elasticsearch. Due to Kibana being used for loading certain configuration details in Elasticsearch, this process should remain enabled. WARNING: Disabling the process is unsupported, and will cause unexpected results.
     helpLink: kibana.html
   config:
     elasticsearch:
diff --git a/salt/kratos/soc_kratos.yaml b/salt/kratos/soc_kratos.yaml
index 6285bf1ad..6e354e574 100644
--- a/salt/kratos/soc_kratos.yaml
+++ b/salt/kratos/soc_kratos.yaml
@@ -1,6 +1,6 @@
 kratos:
   enabled:
-    description: You can enable or disable Kratos.
+    description: Enables or disables the Kratos authentication system. WARNING: Disabling this process will cause the grid to malfunction. Re-enabling this setting will require manual effort via SSH.
     advanced: True
     helpLink: kratos.html
diff --git a/salt/logstash/soc_logstash.yaml b/salt/logstash/soc_logstash.yaml
index cc81d3103..b617abfdd 100644
--- a/salt/logstash/soc_logstash.yaml
+++ b/salt/logstash/soc_logstash.yaml
@@ -1,6 +1,6 @@
 logstash:
   enabled:
-    description: You can enable or disable Logstash.
+    description: Enables or disables the Logstash log event forwarding process. On most grid installations, when this process is disabled log events are unable to be ingested into the SOC backend.
     helpLink: logstash.html
   assigned_pipelines:
     roles:
diff --git a/salt/manager/soc_manager.yaml b/salt/manager/soc_manager.yaml
index 076725691..cf78658de 100644
--- a/salt/manager/soc_manager.yaml
+++ b/salt/manager/soc_manager.yaml
@@ -1,7 +1,7 @@
 manager:
   reposync:
     enabled:
-      description: This is the daily task of syncing the Security Onion OS packages. It is recommended that you leave this enabled.
+      description: This is the daily task of syncing the Security Onion OS packages. It is recommended that this setting remain enabled to ensure important updates are applied to the grid on an automated, scheduled basis.
       global: True
       helpLink: soup.html
     hour:
diff --git a/salt/nginx/soc_nginx.yaml b/salt/nginx/soc_nginx.yaml
index 56bbd888f..4dcf5b3b9 100644
--- a/salt/nginx/soc_nginx.yaml
+++ b/salt/nginx/soc_nginx.yaml
@@ -1,6 +1,6 @@
 nginx:
   enabled:
-    description: You can enable or disable Nginx.
+    description: Enables or disables the Nginx web server and reverse proxy. WARNING: Disabling this process will prevent access to SOC and other important web interfaces and APIs. Re-enabling the process is a manual effort. Do not change this setting without instruction from Security Onion support.
     advanced: True
     helpLink: nginx.html
   external_suricata:
diff --git a/salt/patch/soc_patch.yaml b/salt/patch/soc_patch.yaml
index ba9b5a4b3..26cfc695e 100644
--- a/salt/patch/soc_patch.yaml
+++ b/salt/patch/soc_patch.yaml
@@ -1,7 +1,7 @@
 patch:
   os:
     enabled:
-      description: Enable OS updates.
+      description: Enable OS updates. WARNING: Disabling this setting will prevent important operating system updates from being applied on a scheduled basis.
       helpLink: soup.html
     schedule_to_run:
       description: Currently running schedule for updates.
diff --git a/salt/pcap/soc_pcap.yaml b/salt/pcap/soc_pcap.yaml
index 65fb99d86..c9136512f 100644
--- a/salt/pcap/soc_pcap.yaml
+++ b/salt/pcap/soc_pcap.yaml
@@ -1,6 +1,6 @@
 pcap:
   enabled:
-    description: You can enable or disable Stenographer on all sensors or a single sensor.
+    description: Enables or disables the Stenographer packet recording process. This process may already be disabled if Suricata is being used as the packet capture process.
     helpLink: stenographer.html
   config:
     maxdirectoryfiles:
diff --git a/salt/redis/soc_redis.yaml b/salt/redis/soc_redis.yaml
index 45c63ffd3..76b7a1175 100644
--- a/salt/redis/soc_redis.yaml
+++ b/salt/redis/soc_redis.yaml
@@ -1,6 +1,6 @@
 redis:
   enabled:
-    description: You can enable or disable Redis.
+    description: Enables the log event in-memory buffering process. Thsi may already be disabled on some installation types. Disabling this process on distributed-capable grids can result in loss of log events.
     helpLink: redis.html
   config:
     bind:
diff --git a/salt/registry/soc_registry.yaml b/salt/registry/soc_registry.yaml
index 7fc3a161f..b1d51c827 100644
--- a/salt/registry/soc_registry.yaml
+++ b/salt/registry/soc_registry.yaml
@@ -1,4 +1,4 @@
 registry:
   enabled:
-    description: You can enable or disable the registry.
+    description: Enables or disables the Docker registry on the manager node. WARNING: If this process is disabled the grid will malfunction and a manual effort may be needed to re-enable the setting.
     advanced: True
diff --git a/salt/sensoroni/soc_sensoroni.yaml b/salt/sensoroni/soc_sensoroni.yaml
index 7b8495dc5..71a2c779b 100644
--- a/salt/sensoroni/soc_sensoroni.yaml
+++ b/salt/sensoroni/soc_sensoroni.yaml
@@ -1,6 +1,6 @@
 sensoroni:
   enabled:
-    description: Enable or disable Sensoroni.
+    description: Enable or disable the per-node SOC agent process. This process is used for performing node-related jobs and reporting node metrics back to SOC. Disabling this process is unsupported and will result in an improperly functioning grid.
     advanced: True
     helpLink: grid.html
   config:
diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml
index 760001120..2f0464779 100644
--- a/salt/soc/soc_soc.yaml
+++ b/salt/soc/soc_soc.yaml
@@ -1,6 +1,6 @@
 soc:
   enabled:
-    description: You can enable or disable SOC.
+    description: Enables or disables SOC. WARNING: Disabling this setting is unsupported and will cause the grid to malfunction. Re-enabling this setting is a manual effort via SSH.
     advanced: True
   telemetryEnabled:
     title: SOC Telemetry
diff --git a/salt/stig/soc_stig.yaml b/salt/stig/soc_stig.yaml
index 597aab809..81794c5de 100644
--- a/salt/stig/soc_stig.yaml
+++ b/salt/stig/soc_stig.yaml
@@ -1,6 +1,6 @@
 stig:
   enabled:
-    description: You can enable or disable the application of STIGS using oscap. Note that the actions performed by OSCAP are not automatically reversible. Requires a valid Security Onion license key.
+    description: Enables or disables the application of STIGS using oscap. Note that the actions performed by OSCAP are not automatically reversible. Requires a valid Security Onion license key.
     forcedType: bool
     advanced: True
   run_interval:
diff --git a/salt/strelka/soc_strelka.yaml b/salt/strelka/soc_strelka.yaml
index 947215bd5..1dc4fa455 100644
--- a/salt/strelka/soc_strelka.yaml
+++ b/salt/strelka/soc_strelka.yaml
@@ -1,7 +1,7 @@
 strelka:
   backend:
     enabled:
-      description: You can enable or disable Strelka backend.
+      description: Enables or disables the Strelka file analysis process.
       helpLink: strelka.html
   config:
     backend:
diff --git a/salt/suricata/soc_suricata.yaml b/salt/suricata/soc_suricata.yaml
index f865468e1..35a9f6ce5 100644
--- a/salt/suricata/soc_suricata.yaml
+++ b/salt/suricata/soc_suricata.yaml
@@ -1,6 +1,6 @@
 suricata:
   enabled:
-    description: You can enable or disable Suricata.
+    description: Enables or disables the Suricata process. This process is used for triggering alerts and optionally for packet meta-data collection and network packet recording.
     helpLink: suricata.html
   thresholding:
     sids__yaml:
diff --git a/salt/telegraf/soc_telegraf.yaml b/salt/telegraf/soc_telegraf.yaml
index e6e7ea9a2..9a7090fe6 100644
--- a/salt/telegraf/soc_telegraf.yaml
+++ b/salt/telegraf/soc_telegraf.yaml
@@ -1,6 +1,7 @@
 telegraf:
   enabled:
-    description: You can enable or disable Telegraf.
+    description: Enables the grid metrics collection process. WARNING: Security Onion grid health monitoring requires this process to remain enabled. Disabling it will cause unexpected and unsupported results.
+    advanced: True
     helpLink: influxdb.html
   config:
     interval:
diff --git a/salt/zeek/soc_zeek.yaml b/salt/zeek/soc_zeek.yaml
index 1594eed58..47205bd69 100644
--- a/salt/zeek/soc_zeek.yaml
+++ b/salt/zeek/soc_zeek.yaml
@@ -1,6 +1,6 @@
 zeek:
   enabled:
-    description: You can enable or disable ZEEK on all sensors or a single sensor.
+    description: Controls whether the Zeek (network packet inspection) process runs. Disabling this process could result in missed alerts and other important NIDS-related information. If Suricata was selected as the packet meta-data engine during setup then this will already be disabled.
     helpLink: zeek.html
   config:
     local: