Merge remote-tracking branch 'origin/2.4/dev' into bravo

salt/global/soc_global.yaml

@@ -32,7 +32,7 @@ global:
     readonly: True
     advanced: True
   url_base:
-    description: Used for handling of authentication cookies. 
+    description: The base URL for the Security Onion Console. Must be accessible by all nodes in the grid, as well as all analysts. Also used for handling of authentication cookies. Can be an IP address or a hostname/FQDN. Do not include protocol (http/https) or port number.
     global: True
   airgap:
     description: Airgapped systems do not have network connectivity to the internet. This setting represents how this grid was configured during initial setup. While it is technically possible to manually switch systems between airgap and non-airgap, there are some nuances and additional steps involved. For that reason this setting is marked read-only. Contact your support representative for guidance if there is a need to change this setting.

salt/manager/tools/sbin/soup

@@ -165,7 +165,7 @@ EOF
 }
 
 airgap_update_dockers() {
-  if [[ $is_airgap -eq 0 ]] || [[ ! -z "$ISOLOC" ]]; then
+  if [[ $is_airgap -eq 0 ]] || [[ $nonairgap_useiso -eq 0 ]]; then
     # Let's copy the tarball
     if [[ ! -f $AGDOCKER/registry.tar ]]; then
       echo "Unable to locate registry. Exiting"
@@ -200,13 +200,24 @@ update_registry() {
 check_airgap() {
   # See if this is an airgap install
   AIRGAP=$(cat /opt/so/saltstack/local/pillar/global/soc_global.sls | grep airgap: | awk '{print $2}' | tr '[:upper:]' '[:lower:]')
+  if [[ ! -z "$ISOLOC" ]]; then
+    # flag to use ISO for non-airgap installs, won't be used everywhere is_airgap -eq 0 is used. Used to speed up network soups by using local storage for large files.
+    nonairgap_useiso=0
+  else
+    nonairgap_useiso=1
+  fi
+
   if [[ "$AIRGAP" == "true" ]]; then
       is_airgap=0
+    else
+      is_airgap=1
+  fi
+
+  # use ISO if its airgap install OR ISOLOC was set with -f <path>
+  if [[ "$AIRGAP" == "true" ]] || [[ $nonairgap_useiso -eq 0 ]]; then
       UPDATE_DIR=/tmp/soagupdate/SecurityOnion
       AGDOCKER=/tmp/soagupdate/docker
       AGREPO=/tmp/soagupdate/minimal/Packages
-  else
-      is_airgap=1
   fi
 }
 
@@ -1385,7 +1396,7 @@ so-yaml.py removelistitem /etc/salt/master file_roots.base /opt/so/rules/nids
 }
 
 determine_elastic_agent_upgrade() {
-  if [[ $is_airgap -eq 0 ]]; then
+  if [[ $is_airgap -eq 0 ]] || [[ $nonairgap_useiso -eq 0 ]]; then
     update_elastic_agent_airgap
   else
     set +e
@@ -2003,15 +2014,10 @@ main() {
   MINION_ROLE=$(lookup_role)
   echo "Found that Security Onion $INSTALLEDVERSION is currently installed."
   echo ""
-  if [[ $is_airgap -eq 0 ]]; then
+  if [[ $is_airgap -eq 0 ]] || [[ $nonairgap_useiso -eq 0 ]]; then
-    # Let's mount the ISO since this is airgap
+    # Let's mount the ISO since this is airgap or non-airgap with -f used
     airgap_mounted
   else
-    # if not airgap but -f was used
-    if [[ ! -z "$ISOLOC" ]]; then
-      airgap_mounted
-      AGDOCKER=/tmp/soagupdate/docker
-    fi
     echo "Cloning Security Onion github repo into $UPDATE_DIR."
     echo "Removing previous upgrade sources."
     rm -rf $UPDATE_DIR
@@ -2031,7 +2037,8 @@ main() {
   upgrade_check_salt
   set -e
 
-  if [[ $is_airgap -eq 0 ]]; then
+  if [[ $is_airgap -eq 0 ]] || [[ $nonairgap_useiso -eq 0 ]]; then
+    # non-airgap with -f used can do an initial ISO repo update and so-repo-sync cron job will sync any diff later via network
     update_airgap_repo
     dnf clean all
     check_os_updates

salt/soc/defaults.yaml

@@ -1518,6 +1518,7 @@ soc:
           anonymousCidr:
           apiKey:
         staticrbac:
+          defaultRole: ""
           roleFiles:
             - rbac/permissions
             - rbac/roles
@@ -2662,18 +2663,11 @@ soc:
           thresholdColorRatioMax: 1
           availableModels:
             - id: sonnet-4.5
-              displayName: Claude Sonnet 4.5 ($$$)
+              displayName: Claude Sonnet 4.5 
               origin: USA
               contextLimitSmall: 200000
               contextLimitLarge: 1000000
               lowBalanceColorAlert: 500000
               enabled: true
               adapter: SOAI
-            - id: qwen-235b
+            
-              displayName: QWEN 235B ($)
-              origin: China
-              contextLimitSmall: 256000
-              contextLimitLarge: 256000
-              lowBalanceColorAlert: 500000
-              enabled: true
-              adapter: SOAI

salt/soc/soc_soc.yaml

@@ -455,6 +455,11 @@ soc:
             global: True
             advanced: True
             forcedType: int
+        staticrbac:
+          defaultRole:
+            description: "Default role for new users that have not been assigned a role. When a role is specified, an attempt will be made to permanently assign the role to the user once the user accesses SOC. The role name must match exactly the name of an existing RBAC role. Standard system roles include: limited-auditor, limited-analyst, auditor, analyst, superuser"
+            global: True
+            advanced: False
         strelkaengine:
           aiRepoUrl:
             description: URL to the AI repository. This is used to pull in AI models for use in Strelka rules.