Merge pull request #14933 from Security-Onion-Solutions/reyesj2/ol9stg

profile update

salt/elasticfleet/artifact_registry.sls

@@ -9,3 +9,6 @@ fleetartifactdir:
     - user: 947
     - group: 939
     - makedirs: True
+    - recurse:
+      - user
+      - group

salt/elasticfleet/config.sls

@@ -9,6 +9,9 @@
 {% from 'elasticfleet/map.jinja' import ELASTICFLEETMERGED %}
 {% set node_data = salt['pillar.get']('node_data') %}
 
+include:
+  - elasticfleet.artifact_registry
+
 # Add EA Group
 elasticfleetgroup:
   group.present:

salt/elasticfleet/enabled.sls

@@ -67,6 +67,8 @@ so-elastic-fleet-auto-configure-artifact-urls:
 elasticagent_syncartifacts:
   file.recurse:
     - name: /nsm/elastic-fleet/artifacts/beats
+    - user: 947
+    - group: 947
     - source: salt://beats
 {% endif %}
 

salt/ntp/chrony.conf

@@ -1,7 +1,7 @@
 
 # NTP server list
 {%- for SERVER in NTPCONFIG.servers %}
-server {{ SERVER }} iburst
+server {{ SERVER }} iburst maxpoll 10
 {%- endfor %}
 
 # Config options
@@ -9,3 +9,5 @@ driftfile /var/lib/chrony/drift
 makestep 1.0 3
 rtcsync
 logdir /var/log/chrony
+port 0
+cmdport 0

salt/pcap/init.sls

@@ -18,11 +18,19 @@ include:
 
 # This directory needs to exist regardless of whether STENO is enabled or not, in order for
 # Sensoroni to be able to look at old steno PCAP data
+
+# if stenographer has never run as the pcap engine no 941 user is created, so we use socore as a placeholder.
+# /nsm/pcap is empty until stenographer is used as pcap engine
+{% set pcap_id = 941 %}
+{% set user_list = salt['user.list_users']() %}
+{% if 'stenographer' not in user_list %}
+{%   set pcap_id = 939 %}
+{% endif %}
 pcapdir:
   file.directory:
     - name: /nsm/pcap
-    - user: 941
-    - group: 941
+    - user: {{ pcap_id }}
+    - group: {{ pcap_id }}
     - makedirs: True
 
 pcapoutdir:

salt/stig/enabled.sls

@@ -13,7 +13,11 @@
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states and GLOBALS.os == 'OEL' %}
 {%   if 'stg' in salt['pillar.get']('features', []) %}
-  {% set OSCAP_PROFILE_NAME = 'xccdf_org.ssgproject.content_profile_stig' %}
+  {%   if GLOBALS.role != 'so-desktop' %}
+  {%     set OSCAP_PROFILE_NAME = 'xccdf_org.ssgproject.content_profile_stig' %}
+  {%   else %}
+  {%     set OSCAP_PROFILE_NAME = 'xccdf_org.ssgproject.content_profile_stig_gui' %}
+  {%   endif %}
   {% set OSCAP_PROFILE_LOCATION = '/opt/so/conf/stig/sos-oscap.xml' %}
   {% set OSCAP_OUTPUT_DIR = '/opt/so/log/stig' %}
 oscap_packages:
@@ -49,7 +53,7 @@ update_stig_profile:
 {% if not salt['file.file_exists'](OSCAP_OUTPUT_DIR ~ '/pre-oscap-report.html') %}
 run_initial_scan:
   cmd.run:
-    - name: 'oscap xccdf eval --profile {{ OSCAP_PROFILE_NAME }} --results {{ OSCAP_OUTPUT_DIR }}/pre-oscap-results.xml --report {{ OSCAP_OUTPUT_DIR }}/pre-oscap-report.html {{ OSCAP_PROFILE_LOCATION }}'
+    - name: 'oscap xccdf eval --profile {{ OSCAP_PROFILE_NAME }} --results {{ OSCAP_OUTPUT_DIR }}/pre-oscap-results.xml --report {{ OSCAP_OUTPUT_DIR }}/pre-oscap-report.html /usr/share/xml/scap/ssg/content/ssg-ol9-ds.xml'
     - success_retcodes:
       - 2
 {% endif %}

salt/zeek/config.sls

@@ -22,7 +22,8 @@ zeek:
   user.present:
     - uid: 937
     - gid: 937
-    - home: /home/zeek
+    - home: /opt/so/conf/zeek
+    - createhome: False
 
 # Create some directories
 zeekpolicydir: