From 1c092bf791557bdc462fd4b8ea054776149330d5 Mon Sep 17 00:00:00 2001 From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Fri, 6 Feb 2026 11:53:49 -0600 Subject: [PATCH 1/6] allow network installs to use ISO for faster soup --- salt/manager/tools/sbin/soup | 25 ++++++++++++++----------- 1 file changed, 14 insertions(+), 11 deletions(-) diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup index b0ac226d2..f0f2defcb 100755 --- a/salt/manager/tools/sbin/soup +++ b/salt/manager/tools/sbin/soup @@ -165,7 +165,7 @@ EOF } airgap_update_dockers() { - if [[ $is_airgap -eq 0 ]] || [[ ! -z "$ISOLOC" ]]; then + if [[ $is_airgap -eq 0 ]] || [[ $nonairgap_useiso -eq 0 ]]; then # Let's copy the tarball if [[ ! -f $AGDOCKER/registry.tar ]]; then echo "Unable to locate registry. Exiting" @@ -200,7 +200,14 @@ update_registry() { check_airgap() { # See if this is an airgap install AIRGAP=$(cat /opt/so/saltstack/local/pillar/global/soc_global.sls | grep airgap: | awk '{print $2}' | tr '[:upper:]' '[:lower:]') - if [[ "$AIRGAP" == "true" ]]; then + if [[ ! -z "$ISOLOC" ]]; then + # flag to use ISO for non-airgap installs, won't be used everywhere is_airgap -eq 0 is used. Used to speed up network soups by using local storage for large files. + nonairgap_useiso=0 + else + nonairgap_useiso=1 + fi + # use ISO if its airgap install OR ISOLOC was set with -f + if [[ "$AIRGAP" == "true" ]] || [[ ! -z $ISOLOC ]]; then is_airgap=0 UPDATE_DIR=/tmp/soagupdate/SecurityOnion AGDOCKER=/tmp/soagupdate/docker @@ -1385,7 +1392,7 @@ so-yaml.py removelistitem /etc/salt/master file_roots.base /opt/so/rules/nids } determine_elastic_agent_upgrade() { - if [[ $is_airgap -eq 0 ]]; then + if [[ $is_airgap -eq 0 ]] || [[ $nonairgap_useiso -eq 0 ]]; then update_elastic_agent_airgap else set +e 
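Review bot: The new `[[ $nonairgap_useiso -eq 0 ]]` test in airgap_update_dockers treats an unset or empty variable as 0, because bash's arithmetic comparison evaluates an empty string as 0 (unless the script runs under `set -u`, which is not visible here), so any call path that reaches this function before check_airgap has run would silently take the ISO branch. The same hazard already exists for `is_airgap`, but this hunk adds a second flag with the same 0-means-true convention without initialising it. Consider defaulting the expansion to the "off" value, `if [[ $is_airgap -eq 0 ]] || [[ "${nonairgap_useiso:-1}" -eq 0 ]]; then`, or initialising both flags to 1 near the top of the script. The body of airgap_update_dockers continues past the end of the hunk.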
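Review bot: The compound test `[[ $is_airgap -eq 0 ]] || [[ $nonairgap_useiso -eq 0 ]]` introduced here in determine_elastic_agent_upgrade is repeated verbatim in airgap_update_dockers and twice in main within this same patch, so the "use the ISO" decision now lives in four places that must be kept in sync by hand. A small helper next to check_airgap, `use_iso() { [[ $is_airgap -eq 0 ]] || [[ $nonairgap_useiso -eq 0 ]]; }`, would let each site read `if use_iso; then` and give the two flags a single documented meaning. The else branch of determine_elastic_agent_upgrade continues past the end of the hunk.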
@@ -2003,15 +2010,10 @@ main() { MINION_ROLE=$(lookup_role) echo "Found that Security Onion $INSTALLEDVERSION is currently installed." echo "" - if [[ $is_airgap -eq 0 ]]; then - # Let's mount the ISO since this is airgap + if [[ $is_airgap -eq 0 ]] || [[ $nonairgap_useiso -eq 0 ]]; then + # Let's mount the ISO since this is airgap or non-airgap with -f used airgap_mounted else - # if not airgap but -f was used - if [[ ! -z "$ISOLOC" ]]; then - airgap_mounted - AGDOCKER=/tmp/soagupdate/docker - fi echo "Cloning Security Onion github repo into $UPDATE_DIR." echo "Removing previous upgrade sources." rm -rf $UPDATE_DIR @@ -2031,7 +2033,8 @@ main() { upgrade_check_salt set -e - if [[ $is_airgap -eq 0 ]]; then + if [[ $is_airgap -eq 0 ]] || [[ $nonairgap_useiso -eq 0 ]]; then + # non-airgap with -f used can do an initial ISO repo update and so-repo-sync cron job will sync any diff later via network update_airgap_repo dnf clean all check_os_updates From 19157aa76c089b70f1b699e51b3729af1105ed47 Mon Sep 17 00:00:00 2001 From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Fri, 6 Feb 2026 11:55:50 -0600 Subject: [PATCH 2/6] consistently use nonairgap_useiso var --- salt/manager/tools/sbin/soup | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup index f0f2defcb..d2ddb4d99 100755 --- a/salt/manager/tools/sbin/soup +++ b/salt/manager/tools/sbin/soup @@ -207,7 +207,7 @@ check_airgap() { nonairgap_useiso=1 fi # use ISO if its airgap install OR ISOLOC was set with -f - if [[ "$AIRGAP" == "true" ]] || [[ ! -z $ISOLOC ]]; then + if [[ "$AIRGAP" == "true" ]] || [[ $nonairgap_useiso -eq 0 ]]; then is_airgap=0 UPDATE_DIR=/tmp/soagupdate/SecurityOnion AGDOCKER=/tmp/soagupdate/docker From f0df6a171c9fdf41336bfd33b79976642351cb54 Mon Sep 17 00:00:00 2001 
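Review bot: With this change airgap_mounted runs on a network-connected manager whenever `-f` names an ISO, and from then on the registry tarball, RPM packages and source tree under /tmp/soagupdate come from that file instead of the online sources, yet the hunk shows no check that the ISO is the expected one. I cannot see airgap_mounted from here, so if it already verifies the image's checksum or signature and that its version matches the release soup is upgrading to, this is fine; if it does not, a stale or tampered ISO passed on a network install silently becomes the upgrade source, and a version or checksum check before `airgap_mounted` would close that gap. At minimum the log output should state which source is in use, e.g. `echo "Using ISO at $ISOLOC as the upgrade source."`. The enclosing main function starts and ends outside the hunk.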
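Review bot: On a non-airgap manager the widened branch now runs `update_airgap_repo` from the ISO before `check_os_updates`, and the new comment defers reconciliation with the online repo to the so-repo-sync cron job; until that job runs the node is on whatever package set the ISO carries, which may lag the online repo if the ISO predates recent errata. If the two can differ, consider triggering the sync explicitly at the end of the upgrade instead of waiting for cron, or at least stating in the comment how long the window is expected to be. This is inferred from the comment rather than from code visible here, and main continues outside the hunk.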
From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Fri, 6 Feb 2026 13:13:42 -0600 Subject: [PATCH 3/6] don't set is_airgap when using nonairgap_useiso: not a true airgap system so we should keep it separate --- salt/manager/tools/sbin/soup | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup index d2ddb4d99..4c9b60c3d 100755 --- a/salt/manager/tools/sbin/soup +++ b/salt/manager/tools/sbin/soup @@ -206,14 +206,18 @@ check_airgap() { else nonairgap_useiso=1 fi + + if [[ "$AIRGAP" == "true" ]]; then + is_airgap=0 + else + is_airgap=1 + fi + # use ISO if its airgap install OR ISOLOC was set with -f if [[ "$AIRGAP" == "true" ]] || [[ $nonairgap_useiso -eq 0 ]]; then - is_airgap=0 UPDATE_DIR=/tmp/soagupdate/SecurityOnion AGDOCKER=/tmp/soagupdate/docker AGREPO=/tmp/soagupdate/minimal/Packages - else - is_airgap=1 fi } From 503346209864b74839b97e7fdb2df6e8930c2798 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Mon, 9 Feb 2026 09:29:07 -0500 Subject: [PATCH 4/6] default roles --- salt/soc/defaults.yaml | 1 + salt/soc/soc_soc.yaml | 5 +++++ 2 files changed, 6 insertions(+) diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml index 6f9fc0226..5368ff804 100644 --- a/salt/soc/defaults.yaml +++ b/salt/soc/defaults.yaml @@ -1509,6 +1509,7 @@ soc: anonymousCidr: apiKey: staticrbac: + defaultRole: "" roleFiles: - rbac/permissions - rbac/roles diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml index a9b09b813..3359217ac 100644 --- a/salt/soc/soc_soc.yaml +++ b/salt/soc/soc_soc.yaml 
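Review bot: check_airgap now carries two flags with overlapping names and an inverted 0-means-true convention, is_airgap and nonairgap_useiso, and the only explanation is the one-line comment on the ISOLOC test that survives from the first patch; a reader of the new else branch that sets `is_airgap=1` has nothing telling them that the ISO paths below may still be set. A short header comment on the function would make the split this patch introduces explicit, something like `# is_airgap=0 only when the global pillar says airgap: true. nonairgap_useiso=0 when -f <iso> was given on a network install: the ISO supplies the large artifacts but network steps still run. Both use 0 for true to match the existing is_airgap tests.` The start of check_airgap is outside the hunk.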
@@ -455,6 +455,11 @@ soc: global: True advanced: True forcedType: int + staticrbac: + defaultRole: + description: "Default role for new users that have not been assigned a role. When a role is specified, an attempt will be made to permanently assign the role to the user once the user accesses SOC. The role name must match exactly the name of an existing RBAC role. Standard system roles include: limited-auditor, limited-analyst, auditor, analyst, superuser" + global: True + advanced: False strelkaengine: aiRepoUrl: description: URL to the AI repository. This is used to pull in AI models for use in Strelka rules. From 0661c3af1ab5aa724818e5bcdc8107cba76112cf Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 9 Feb 2026 11:47:58 -0500 Subject: [PATCH 5/6] Remove QWEN 235B model from defaults.yaml Removed QWEN 235B model and its associated details from defaults.yaml. --- salt/soc/defaults.yaml | 11 ++--------- 1 file changed, 2 insertions(+), 9 deletions(-) diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml index ef0d59073..bbe9558e9 100644 --- a/salt/soc/defaults.yaml +++ b/salt/soc/defaults.yaml @@ -2663,18 +2663,11 @@ soc: thresholdColorRatioMax: 1 availableModels: - id: sonnet-4.5 - displayName: Claude Sonnet 4.5 ($$$) + displayName: Claude Sonnet 4.5 origin: USA contextLimitSmall: 200000 contextLimitLarge: 1000000 lowBalanceColorAlert: 500000 enabled: true adapter: SOAI - - id: qwen-235b - displayName: QWEN 235B ($) - origin: China - contextLimitSmall: 256000 - contextLimitLarge: 256000 - lowBalanceColorAlert: 500000 - enabled: true - adapter: SOAI + From 04a757dde04d4f2347f839e42c0689b00e7b2f7e Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Thu, 12 Feb 2026 16:04:04 -0500 Subject: [PATCH 6/6] clarify url_base description --- salt/global/soc_global.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/global/soc_global.yaml b/salt/global/soc_global.yaml index 047bb525b..a378a7023 100644 --- a/salt/global/soc_global.yaml 
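Review bot: The new defaultRole description in soc_soc.yaml explains what the option does but not what it implies for access control: with `advanced: False` it is offered in the basic settings view, and setting it to a privileged role such as superuser would grant that role to every new account that signs in, with the assignment described here as permanent. A warning sentence would help operators, e.g. `Leave empty to require an administrator to assign roles explicitly. Use caution with privileged roles such as superuser, as every new user who signs in will receive the role permanently.` The description could also say what happens when the name does not match an existing role, since the text only says it must match exactly; I cannot tell from here whether a mismatch is ignored or logged.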
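Review bot: The last line of this hunk, a bare `+` after the removed qwen-235b entry, appears to add an empty line to the end of defaults.yaml rather than replace anything; it is harmless to YAML but is noise in the file and may be flagged by linters that enforce a single trailing newline. Dropping it keeps the hunk to the model removal and the `($$$)` price-tag removal from the Sonnet displayName. The `availableModels` list begins before the hunk.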
+++ b/salt/global/soc_global.yaml @@ -32,7 +32,7 @@ global: readonly: True advanced: True url_base: - description: Used for handling of authentication cookies. + description: The base URL for the Security Onion Console. Must be accessible by all nodes in the grid, as well as all analysts. Also used for handling of authentication cookies. Can be an IP address or a hostname/FQDN. Do not include protocol (http/https) or port number. global: True airgap: description: Airgapped systems do not have network connectivity to the internet. This setting represents how this grid was configured during initial setup. While it is technically possible to manually switch systems between airgap and non-airgap, there are some nuances and additional steps involved. For that reason this setting is marked read-only. Contact your support representative for guidance if there is a need to change this setting.