From f8058a4a3a15f0c1d8aaa9d20d5ad62026682d57 Mon Sep 17 00:00:00 2001
From: reyesj2 <94730068+reyesj2@users.noreply.github.com>
Date: Wed, 20 Aug 2025 12:06:54 -0500
Subject: [PATCH 01/10] disable showing large stig profile update in salt log
---
 salt/stig/enabled.sls | 1 +
 1 file changed, 1 insertion(+)
diff --git a/salt/stig/enabled.sls b/salt/stig/enabled.sls
index 0e5448f7d..91aae7069 100644
--- a/salt/stig/enabled.sls
+++ b/salt/stig/enabled.sls
@@ -47,6 +47,7 @@ update_stig_profile:
 - name: /opt/so/conf/stig/sos-oscap.xml
 - source: salt://stig/files/sos-oscap.xml
 - user: socore
+ - show_changes: False
 - group: socore
 - mode: 0644
From 24be2f869bdb64276ada1ed83572c3c94285f8a6 Mon Sep 17 00:00:00 2001
From: reyesj2 <94730068+reyesj2@users.noreply.github.com>
Date: Wed, 20 Aug 2025 12:08:50 -0500
Subject: [PATCH 02/10] enable stig on fleet nodes
---
 salt/allowed_states.map.jinja | 1 +
 salt/top.sls | 1 +
 2 files changed, 2 insertions(+)
diff --git a/salt/allowed_states.map.jinja b/salt/allowed_states.map.jinja
index 068722ca2..2cd7f2f87 100644
--- a/salt/allowed_states.map.jinja
+++ b/salt/allowed_states.map.jinja
@@ -143,6 +143,7 @@
 ),
 'so-fleet': (
 ssl_states +
+ stig_states +
 ['logstash', 'nginx', 'healthcheck', 'elasticfleet']
 ),
 'so-receiver': (
diff --git a/salt/top.sls b/salt/top.sls
index a75346462..6c3135b45 100644
--- a/salt/top.sls
+++ b/salt/top.sls
@@ -299,6 +299,7 @@ base:
 - elasticfleet
 - elasticfleet.install_agent_grid
 - schedule
+ - stig
 '*_hypervisor and I@features:vrt and G@saltversion:{{saltversion}}':
 - match: compound
From 7968de06b4f4c2e41d13b3d719cf8896828ef2a8 Mon Sep 17 00:00:00 2001
From: reyesj2 <94730068+reyesj2@users.noreply.github.com>
Date: Thu, 21 Aug 2025 11:06:29 -0500
Subject: [PATCH 03/10] enable access to global stig pillar
---
 pillar/top.sls | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/pillar/top.sls b/pillar/top.sls
index 1fdb59deb..b15038e5e 100644
--- a/pillar/top.sls
+++ b/pillar/top.sls
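Review bot: `- show_changes: False` on `update_stig_profile` suppresses every future diff of the STIG benchmark file, not only this one oversized update, so a tampered or mistaken `sos-oscap.xml` will appear in highstate output as a bare "changed" with no detail. Since this file drives compliance scanning, a why-comment above the option would help the next reader, e.g. `# show_changes off: the benchmark XML diff floods the log; compare against salt://stig/files/sos-oscap.xml if a change is reported`. The option is also wedged between `user` and `group`; placing it after `mode`, away from the ownership keys, reads more naturally. The `update_stig_profile` state begins above the hunk.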
@@ -262,6 +262,7 @@ base:
 - minions.adv_{{ grains.id }}
 - kafka.nodes
 - kafka.soc_kafka
+ - stig.soc_stig
 '*_import':
 - node_data.ips
@@ -319,10 +320,12 @@ base:
 - elasticfleet.adv_elasticfleet
 - minions.{{ grains.id }}
 - minions.adv_{{ grains.id }}
+ - stig.soc_stig
 '*_hypervisor':
 - minions.{{ grains.id }}
 - minions.adv_{{ grains.id }}
+ - stig.soc_stig
 '*_desktop':
 - minions.{{ grains.id }}
From 1ea7b3c09ff277fbca42f90f69dddef5987d50ad Mon Sep 17 00:00:00 2001
From: reyesj2 <94730068+reyesj2@users.noreply.github.com>
Date: Thu, 28 Aug 2025 18:27:56 -0500
Subject: [PATCH 04/10] es 8.18.6
---
 salt/elasticsearch/defaults.yaml | 2 +-
 salt/kibana/defaults.yaml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/salt/elasticsearch/defaults.yaml b/salt/elasticsearch/defaults.yaml
index e08978e0d..8224a2450 100644
--- a/salt/elasticsearch/defaults.yaml
+++ b/salt/elasticsearch/defaults.yaml
@@ -1,6 +1,6 @@
 elasticsearch:
 enabled: false
- version: 8.18.4
+ version: 8.18.6
 index_clean: true
 config:
 action:
diff --git a/salt/kibana/defaults.yaml b/salt/kibana/defaults.yaml
index 29d9b9bf6..645821b6c 100644
--- a/salt/kibana/defaults.yaml
+++ b/salt/kibana/defaults.yaml
@@ -22,7 +22,7 @@ kibana:
 - default
 - file
 migrations:
- discardCorruptObjects: "8.18.4"
+ discardCorruptObjects: "8.18.6"
 telemetry:
 enabled: False
 security:
From a5675a79fe8e5d3fdee7b5e45fd2ace015b485f3 Mon Sep 17 00:00:00 2001
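Review bot: The third addition grants the `stig.soc_stig` pillar to `*_hypervisor`, but nothing in this series assigns the `stig` state to hypervisors — PATCH 02 only adds it to the fleet target — so hypervisor minions would receive STIG pillar data for a state they are not visibly running. Pillar targeting is the least-privilege boundary for what a minion can read from the master; if hypervisors are not meant to apply hardening yet, hold that `- stig.soc_stig` line until the matching top.sls entry lands, or confirm such an entry already exists outside this series. The targets of the first two additions sit above their hunks and are not visible here.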
From: reyesj2 <94730068+reyesj2@users.noreply.github.com>
Date: Thu, 28 Aug 2025 19:45:17 -0500
Subject: [PATCH 05/10] es 8.18.6 pipeline upd
---
 .../grid-nodes_general/import-evtx-logs.json | 2 +-
 ...nse.log-1.23.0 => logs-pfsense.log-1.23.1} | 20 +++++++++----------
 ...icata => logs-pfsense.log-1.23.1-suricata} | 0
 3 files changed, 11 insertions(+), 11 deletions(-)
 rename salt/elasticsearch/files/ingest/{logs-pfsense.log-1.23.0 => logs-pfsense.log-1.23.1} (95%)
 rename salt/elasticsearch/files/ingest/{logs-pfsense.log-1.23.0-suricata => logs-pfsense.log-1.23.1-suricata} (100%)
diff --git a/salt/elasticfleet/files/integrations/grid-nodes_general/import-evtx-logs.json b/salt/elasticfleet/files/integrations/grid-nodes_general/import-evtx-logs.json
index 059e4b8cc..8132f4a09 100644
--- a/salt/elasticfleet/files/integrations/grid-nodes_general/import-evtx-logs.json
+++ b/salt/elasticfleet/files/integrations/grid-nodes_general/import-evtx-logs.json
@@ -20,7 +20,7 @@ ], "data_stream.dataset": "import", "custom": "", - "processors": "- dissect:\n tokenizer: \"/nsm/import/%{import.id}/evtx/%{import.file}\"\n field: \"log.file.path\"\n target_prefix: \"\"\n- decode_json_fields:\n fields: [\"message\"]\n target: \"\"\n- drop_fields:\n fields: [\"host\"]\n ignore_missing: true\n- add_fields:\n target: data_stream\n fields:\n type: logs\n dataset: system.security\n- add_fields:\n target: event\n fields:\n dataset: system.security\n module: system\n imported: true\n- add_fields:\n target: \"@metadata\"\n fields:\n pipeline: logs-system.security-2.3.3\n- if:\n equals:\n winlog.channel: 'Microsoft-Windows-Sysmon/Operational'\n then: \n - add_fields:\n target: data_stream\n fields:\n dataset: windows.sysmon_operational\n - add_fields:\n target: event\n fields:\n dataset: windows.sysmon_operational\n module: windows\n imported: true\n - add_fields:\n target: \"@metadata\"\n fields:\n pipeline: logs-windows.sysmon_operational-3.1.0\n- if:\n equals:\n winlog.channel: 'Application'\n then: \n - add_fields:\n target: data_stream\n fields:\n dataset: system.application\n - add_fields:\n target: event\n fields:\n dataset: system.application\n - add_fields:\n target: \"@metadata\"\n fields:\n pipeline: logs-system.application-2.3.3\n- if:\n equals:\n winlog.channel: 'System'\n then: \n - add_fields:\n target: data_stream\n fields:\n dataset: system.system\n - add_fields:\n target: event\n fields:\n dataset: system.system\n - add_fields:\n target: \"@metadata\"\n fields:\n pipeline: logs-system.system-2.3.3\n \n- if:\n equals:\n winlog.channel: 'Microsoft-Windows-PowerShell/Operational'\n then: \n - add_fields:\n target: data_stream\n fields:\n dataset: windows.powershell_operational\n - add_fields:\n target: event\n fields:\n dataset: windows.powershell_operational\n module: windows\n - add_fields:\n target: \"@metadata\"\n fields:\n pipeline: logs-windows.powershell_operational-3.1.0\n- add_fields:\n target: data_stream\n 
fields:\n dataset: import", + "processors": "- dissect:\n tokenizer: \"/nsm/import/%{import.id}/evtx/%{import.file}\"\n field: \"log.file.path\"\n target_prefix: \"\"\n- decode_json_fields:\n fields: [\"message\"]\n target: \"\"\n- drop_fields:\n fields: [\"host\"]\n ignore_missing: true\n- add_fields:\n target: data_stream\n fields:\n type: logs\n dataset: system.security\n- add_fields:\n target: event\n fields:\n dataset: system.security\n module: system\n imported: true\n- add_fields:\n target: \"@metadata\"\n fields:\n pipeline: logs-system.security-2.5.4\n- if:\n equals:\n winlog.channel: 'Microsoft-Windows-Sysmon/Operational'\n then: \n - add_fields:\n target: data_stream\n fields:\n dataset: windows.sysmon_operational\n - add_fields:\n target: event\n fields:\n dataset: windows.sysmon_operational\n module: windows\n imported: true\n - add_fields:\n target: \"@metadata\"\n fields:\n pipeline: logs-windows.sysmon_operational-3.1.2\n- if:\n equals:\n winlog.channel: 'Application'\n then: \n - add_fields:\n target: data_stream\n fields:\n dataset: system.application\n - add_fields:\n target: event\n fields:\n dataset: system.application\n - add_fields:\n target: \"@metadata\"\n fields:\n pipeline: logs-system.application-2.5.4\n- if:\n equals:\n winlog.channel: 'System'\n then: \n - add_fields:\n target: data_stream\n fields:\n dataset: system.system\n - add_fields:\n target: event\n fields:\n dataset: system.system\n - add_fields:\n target: \"@metadata\"\n fields:\n pipeline: logs-system.system-2.5.4\n \n- if:\n equals:\n winlog.channel: 'Microsoft-Windows-PowerShell/Operational'\n then: \n - add_fields:\n target: data_stream\n fields:\n dataset: windows.powershell_operational\n - add_fields:\n target: event\n fields:\n dataset: windows.powershell_operational\n module: windows\n - add_fields:\n target: \"@metadata\"\n fields:\n pipeline: logs-windows.powershell_operational-3.1.2\n- add_fields:\n target: data_stream\n fields:\n dataset: import", "tags": [ 
"import" ] diff --git a/salt/elasticsearch/files/ingest/logs-pfsense.log-1.23.0 b/salt/elasticsearch/files/ingest/logs-pfsense.log-1.23.1 similarity index 95% rename from salt/elasticsearch/files/ingest/logs-pfsense.log-1.23.0 rename to salt/elasticsearch/files/ingest/logs-pfsense.log-1.23.1 index e79b91b26..d3354f363 100644 --- a/salt/elasticsearch/files/ingest/logs-pfsense.log-1.23.0 +++ b/salt/elasticsearch/files/ingest/logs-pfsense.log-1.23.1 
@@ -107,61 +107,61 @@
 },
 {
 "pipeline": {
- "name": "logs-pfsense.log-1.23.0-firewall",
+ "name": "logs-pfsense.log-1.23.1-firewall",
 "if": "ctx.event.provider == 'filterlog'"
 }
 },
 {
 "pipeline": {
- "name": "logs-pfsense.log-1.23.0-openvpn",
+ "name": "logs-pfsense.log-1.23.1-openvpn",
 "if": "ctx.event.provider == 'openvpn'"
 }
 },
 {
 "pipeline": {
- "name": "logs-pfsense.log-1.23.0-ipsec",
+ "name": "logs-pfsense.log-1.23.1-ipsec",
 "if": "ctx.event.provider == 'charon'"
 }
 },
 {
 "pipeline": {
- "name": "logs-pfsense.log-1.23.0-dhcp",
+ "name": "logs-pfsense.log-1.23.1-dhcp",
 "if": "[\"dhcpd\", \"dhclient\", \"dhcp6c\"].contains(ctx.event.provider)"
 }
 },
 {
 "pipeline": {
- "name": "logs-pfsense.log-1.23.0-unbound",
+ "name": "logs-pfsense.log-1.23.1-unbound",
 "if": "ctx.event.provider == 'unbound'"
 }
 },
 {
 "pipeline": {
- "name": "logs-pfsense.log-1.23.0-haproxy",
+ "name": "logs-pfsense.log-1.23.1-haproxy",
 "if": "ctx.event.provider == 'haproxy'"
 }
 },
 {
 "pipeline": {
- "name": "logs-pfsense.log-1.23.0-php-fpm",
+ "name": "logs-pfsense.log-1.23.1-php-fpm",
 "if": "ctx.event.provider == 'php-fpm'"
 }
 },
 {
 "pipeline": {
- "name": "logs-pfsense.log-1.23.0-squid",
+ "name": "logs-pfsense.log-1.23.1-squid",
 "if": "ctx.event.provider == 'squid'"
 }
 },
 {
 "pipeline": {
- "name": "logs-pfsense.log-1.23.0-snort",
+ "name": "logs-pfsense.log-1.23.1-snort",
 "if": "ctx.event.provider == 'snort'"
 }
 },
 {
 "pipeline": {
- "name": "logs-pfsense.log-1.23.0-suricata",
+ "name": "logs-pfsense.log-1.23.1-suricata",
 "if": "ctx.event.provider == 'suricata'"
 }
 },
diff --git a/salt/elasticsearch/files/ingest/logs-pfsense.log-1.23.0-suricata b/salt/elasticsearch/files/ingest/logs-pfsense.log-1.23.1-suricata
similarity index 100%
rename from salt/elasticsearch/files/ingest/logs-pfsense.log-1.23.0-suricata
rename to salt/elasticsearch/files/ingest/logs-pfsense.log-1.23.1-suricata
From f51cd008f27c69bcc34de92cf8f1626f2fe3fbb8 Mon Sep 17 00:00:00 2001
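Review bot: Only the `-suricata` sub-pipeline is renamed in this patch, yet the parent pipeline now references `logs-pfsense.log-1.23.1-firewall`, `-openvpn`, `-ipsec`, `-dhcp`, `-unbound`, `-haproxy`, `-php-fpm`, `-squid` and `-snort` as well. If those nine live in the same `salt/elasticsearch/files/ingest/` directory under their old `1.23.0` names, every `pipeline` processor except suricata will fail with a missing-pipeline error at ingest; if they are supplied by the Fleet integration package at 1.23.1 this is fine, but the diffstat alone cannot tell. Stating in the commit message where the remaining sub-pipelines come from would spare the next person that check.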
From: Josh Patterson
Date: Fri, 29 Aug 2025 10:04:56 -0400
Subject: [PATCH 06/10] only manage bond script if bond0 exists
---
 salt/sensor/init.sls | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/salt/sensor/init.sls b/salt/sensor/init.sls
index 1d7899b62..ee615bf9b 100644
--- a/salt/sensor/init.sls
+++ b/salt/sensor/init.sls
@@ -39,6 +39,8 @@ combine_bond_script:
 - template: jinja
 - defaults:
 CHANNELS: {{ SENSORMERGED.channels }}
+ - onlyif:
+ - ip link show bond0
 execute_combine_bond:
 cmd.run:
From a7a81e98253258257e0d14e269b7beef3498624f Mon Sep 17 00:00:00 2001
From: Josh Patterson
Date: Fri, 29 Aug 2025 11:05:42 -0400
Subject: [PATCH 07/10] always manage script, only run it if bond0 exists
---
 salt/sensor/init.sls | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/salt/sensor/init.sls b/salt/sensor/init.sls
index ee615bf9b..7d1714c2c 100644
--- a/salt/sensor/init.sls
+++ b/salt/sensor/init.sls
@@ -39,11 +39,9 @@ combine_bond_script:
 - template: jinja
 - defaults:
 CHANNELS: {{ SENSORMERGED.channels }}
- - onlyif:
- - ip link show bond0
 execute_combine_bond:
 cmd.run:
 - name: /usr/sbin/so-combine-bond
- - onchanges:
- - file: combine_bond_script
+ - onlyif:
+ - ip link show bond0
From 19362fe5e57f338e19389e21f027ac09e71d8ca1 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Fri, 29 Aug 2025 11:06:25 -0400
Subject: [PATCH 08/10] Update so-combine-bond
---
 salt/sensor/tools/sbin_jinja/so-combine-bond | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/salt/sensor/tools/sbin_jinja/so-combine-bond b/salt/sensor/tools/sbin_jinja/so-combine-bond
index 0a8a2e66a..ded429470 100644
--- a/salt/sensor/tools/sbin_jinja/so-combine-bond
+++ b/salt/sensor/tools/sbin_jinja/so-combine-bond
@@ -18,7 +18,7 @@ fi
 # Check if bond0 exists
 if ! ip link show bond0 &>/dev/null; then
- exit 1
+ exit 0
 fi
 # Function to get slave interfaces - works across distributions
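Review bot: Removing `onchanges` from `execute_combine_bond` means `/usr/sbin/so-combine-bond` now runs on every highstate where bond0 exists, and because `cmd.run` reports a change whenever it executes (unless `stateful` is set) the state will show as changed on every run. If the script is idempotent that is only noise in the run summary; if it is not, keep both triggers so it runs only when the script changes, e.g. `- onchanges:` / `  - file: combine_bond_script` alongside the new `onlyif`. The `onlyif` command also lets `ip link` write `Device "bond0" does not exist` to stderr on hosts without the bond, which Salt may surface in the minion log; `ip link show bond0 >/dev/null 2>&1` keeps it quiet.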
@@ -48,7 +48,7 @@ get_bond_slaves() {
 SLAVES=$(get_bond_slaves bond0)
 if [ -z "$SLAVES" ]; then
- exit 1
+ exit 0
 fi
 # Process each slave interface
From 2181cddf496cd50c0add0a10d88abf488fe53dc0 Mon Sep 17 00:00:00 2001
From: Corey Ogburn
Date: Tue, 2 Sep 2025 14:09:55 -0600
Subject: [PATCH 09/10] Move EnableReverseLookup
Move EnableReverseLookup and it's annotation from ClientParams to ServerConfig.
---
 salt/soc/defaults.yaml | 2 +-
 salt/soc/soc_soc.yaml | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml
index 8ce5d882a..7bb2c1f03 100644
--- a/salt/soc/defaults.yaml
+++ b/salt/soc/defaults.yaml
@@ -1359,6 +1359,7 @@ soc:
 importUploadDir: /nsm/soc/uploads
 forceUserOtp: false
 customReportsPath: /opt/sensoroni/templates/reports/custom
+ enableReverseLookup: false
 modules:
 cases: soc
 filedatastore:
@@ -1566,7 +1567,6 @@ soc:
 outputPath: /opt/sensoroni/navigator
 lookbackDays: 3
 client:
- enableReverseLookup: false
 docsUrl: /docs/
 cheatsheetUrl: /docs/cheatsheet.pdf
 releaseNotesUrl: /docs/release-notes.html
diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml
index b2f509114..f08bfd52b 100644
--- a/salt/soc/soc_soc.yaml
+++ b/salt/soc/soc_soc.yaml
@@ -180,6 +180,9 @@ soc:
 label: Subgrid Enabled
 forcedType: bool
 default: false
+ enableReverseLookup:
+ description: Set to true to enable reverse DNS lookups for IP addresses in the SOC UI.
+ global: True
 modules:
 elastalertengine:
 aiRepoUrl:
@@ -577,9 +580,6 @@ soc:
 label: Folder
 airgap: *pbRepos
 client:
- enableReverseLookup:
- description: Set to true to enable reverse DNS lookups for IP addresses in the SOC UI.
- global: True
 apiTimeoutMs:
 description: Duration (in milliseconds) to wait for a response from the SOC server API before giving up and showing an error on the SOC UI.
 global: True
From df0b484b452fdc2408742ade0cc7f9dfebba9c40 Mon Sep 17 00:00:00 2001
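Review bot: Returning `exit 0` when `$SLAVES` is empty makes a bond0 with no member interfaces indistinguishable from success to the `execute_combine_bond` state that now runs this script whenever bond0 exists. An unenslaved bond on a sensor is a real misconfiguration, so log the reason before leaving, e.g. `echo "bond0 has no slave interfaces; nothing to combine" >&2` followed by `exit 0`, and likewise in the missing-bond0 branch of the previous hunk. The top-level flow of the script continues past the hunk.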
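Review bot: The relocated `enableReverseLookup` entry carries only `description` and `global`, while the adjacent entry labelled `Subgrid Enabled` in the same hunk also has `forcedType: bool` and `default: false`; without `forcedType`, a value saved from the SOC configuration UI may be written as the string `"false"` rather than a boolean, unless the UI infers the type from defaults.yaml, which is not visible here. Adding `forcedType: bool` after `global: True` keeps the annotations consistent with their neighbour. Moving the key from `client` to the server section also implies the PTR lookups are now made by the SOC server process rather than the analyst's browser, which is worth a word in the description since it changes where the DNS traffic originates.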
From: Corey Ogburn
Date: Tue, 2 Sep 2025 15:07:13 -0600
Subject: [PATCH 10/10] More Descriptive Description
Include instructions for how to add local lookups and a help link.
---
 salt/soc/soc_soc.yaml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml
index f08bfd52b..2d0eb3792 100644
--- a/salt/soc/soc_soc.yaml
+++ b/salt/soc/soc_soc.yaml
@@ -181,8 +181,9 @@ soc:
 forcedType: bool
 default: false
 enableReverseLookup:
- description: Set to true to enable reverse DNS lookups for IP addresses in the SOC UI.
+ description: "Set to true to enable reverse DNS lookups for IP addresses in the SOC UI. To add your own local lookups, create a CSV file at /nsm/custom-mappings/ip-descriptions.csv on your Manager and populate the file with IP addresses and descriptions as follows: IP, Description. Elasticsearch will then ingest the CSV during the next high state."
 global: True
+ helpLink: soc-customization.html#reverse-dns
 modules:
 elastalertengine:
 aiRepoUrl:
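Review bot: The expanded description explains how to add local mappings but says nothing about the consequence of the lookups themselves: with this enabled, PTR queries for IP addresses seen in events go to whatever resolver the Manager uses, and unless that resolver is isolated they reach the authoritative servers for each reverse zone, so an adversary who controls the reverse zone for their infrastructure can learn that the SOC is looking at it. One sentence in the description would let operators weigh that, e.g. `Reverse lookups send PTR queries for IPs observed in events to external DNS, which can reveal analyst activity to whoever controls those zones; the local CSV avoids this.` The value is now a roughly 400-character double-quoted scalar on one line; a `>-` folded block scalar keeps the same text readable in the file. It is also unclear whether `IP, Description` is a required header row or just the column order; saying which avoids a malformed first mapping.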