diff --git a/salt/elastalert/soc_elastalert.yaml b/salt/elastalert/soc_elastalert.yaml index bf85fed80..123ead697 100644 --- a/salt/elastalert/soc_elastalert.yaml +++ b/salt/elastalert/soc_elastalert.yaml @@ -1,6 +1,7 @@ elastalert: enabled: description: Enables or disables the ElastAlert 2 process. This process is critical for ensuring alerts arrive in SOC, and for outbound notification delivery. + forcedType: bool helpLink: elastalert alerter_parameters: title: Custom Configuration Parameters @@ -96,8 +97,15 @@ elastalert: file: True helpLink: elastalert config: + scan_subdirectories: + description: Recursively scan subdirectories for rules. + forcedType: bool + advanced: True + global: True + helpLink: elastalert disable_rules_on_error: description: Disable rules on failure. + forcedType: bool global: True helpLink: elastalert run_every: @@ -123,6 +131,18 @@ elastalert: description: The maximum number of documents that will be returned from Elasticsearch in a single query. global: True helpLink: elastalert + use_ssl: + description: Use SSL to connect to Elasticsearch. + forcedType: bool + advanced: True + global: True + helpLink: elastalert + verify_certs: + description: Verify TLS certificates when connecting to Elasticsearch. + forcedType: bool + advanced: True + global: True + helpLink: elastalert alert_time_limit: days: description: The retry window for failed alerts. @@ -137,3 +157,24 @@ elastalert: description: The number of replicas for elastalert indices. global: True helpLink: elastalert + logging: + incremental: + description: When incremental is false (the default), the logging configuration is applied in full, replacing any existing logging setup. When true, only the level attributes of existing loggers and handlers are updated, leaving the rest of the logging configuration unchanged. + forcedType: bool + advanced: True + global: True + helpLink: elastalert + disable_existing_loggers: + description: Disable existing loggers. + forcedType: bool + advanced: True + global: True + helpLink: elastalert + loggers: + '': + propagate: + description: Propagate log messages to parent loggers. + forcedType: bool + advanced: True + global: True + helpLink: elastalert diff --git a/salt/elastic-fleet-package-registry/soc_elastic-fleet-package-registry.yaml b/salt/elastic-fleet-package-registry/soc_elastic-fleet-package-registry.yaml index 3d8a2112b..fff1a51c0 100644 --- a/salt/elastic-fleet-package-registry/soc_elastic-fleet-package-registry.yaml +++ b/salt/elastic-fleet-package-registry/soc_elastic-fleet-package-registry.yaml @@ -1,4 +1,5 @@ elastic_fleet_package_registry: enabled: description: Enables or disables the Fleet package registry process. This process must remain enabled to allow Elastic Agent packages to be updated. + forcedType: bool advanced: True diff --git a/salt/elasticagent/soc_elasticagent.yaml b/salt/elasticagent/soc_elasticagent.yaml index a24ac1985..c78d46c6c 100644 --- a/salt/elasticagent/soc_elasticagent.yaml +++ b/salt/elasticagent/soc_elasticagent.yaml @@ -1,4 +1,5 @@ elasticagent: enabled: description: Enables or disables the Elastic Agent process. This process must remain enabled to allow collection of node events. + forcedType: bool advanced: True diff --git a/salt/elasticfleet/soc_elasticfleet.yaml b/salt/elasticfleet/soc_elasticfleet.yaml index a212f669f..710b7c1ff 100644 --- a/salt/elasticfleet/soc_elasticfleet.yaml +++ b/salt/elasticfleet/soc_elasticfleet.yaml @@ -1,6 +1,7 @@ elasticfleet: enabled: description: Enables or disables the Elastic Fleet process. This process is critical for managing Elastic Agents. + forcedType: bool advanced: True helpLink: elastic-fleet enable_manager_output: @@ -37,6 +38,7 @@ elasticfleet: defend_filters: enable_auto_configuration: description: Enable auto-configuration and management of the Elastic Defend Exclusion filters. + forcedType: bool global: True helpLink: elastic-fleet advanced: True @@ -99,6 +101,7 @@ elasticfleet: forcedType: "[]string" enable_auto_configuration: description: Enable auto-configuration of Logstash Outputs & Fleet Host URLs. + forcedType: bool global: True helpLink: elastic-fleet advanced: True diff --git a/salt/elasticsearch/soc_elasticsearch.yaml b/salt/elasticsearch/soc_elasticsearch.yaml index 87de0e086..b96c58dbe 100644 --- a/salt/elasticsearch/soc_elasticsearch.yaml +++ b/salt/elasticsearch/soc_elasticsearch.yaml @@ -1,6 +1,7 @@ elasticsearch: enabled: description: Enables or disables the Elasticsearch process. This process provides the log event storage system. WARNING - Disabling this process is unsupported. + forcedType: bool advanced: True helpLink: elasticsearch version: @@ -42,8 +43,9 @@ elasticsearch: routing: allocation: disk: - threshold_enabled: + threshold_enabled: description: Specifies whether the Elasticsearch node will monitor the available disk space for low disk space conditions and take action to protect the cluster. + forcedType: bool helpLink: elasticsearch watermark: low: @@ -55,18 +57,64 @@ elasticsearch: flood_stage: description: The max percentage of used disk space that will cause the node to take protective actions, such as blocking incoming events. helpLink: elasticsearch + action: + destructive_requires_name: + description: Requires explicit index names when deleting indices. Prevents accidental deletion of indices via wildcard patterns. + advanced: True + forcedType: bool + helpLink: elasticsearch script: - max_compilations_rate: + max_compilations_rate: description: Max rate of script compilations permitted in the Elasticsearch cluster. Larger values will consume more resources. global: True helpLink: elasticsearch indices: + id_field_data: + enabled: + description: Enables or disables loading of field data on the _id field. + advanced: True + forcedType: bool + helpLink: elasticsearch query: bool: - max_clause_count: + max_clause_count: description: Max number of boolean clauses per query. global: True helpLink: elasticsearch + xpack: + ml: + enabled: + description: Enables or disables machine learning on the node. + forcedType: bool + advanced: True + helpLink: elasticsearch + security: + enabled: + description: Enables or disables Elasticsearch security features. + forcedType: bool + advanced: True + helpLink: elasticsearch + authc: + anonymous: + authz_exception: + description: Controls whether an authorization exception is thrown when anonymous user does not have the required privileges. + advanced: True + forcedType: bool + helpLink: elasticsearch + http: + ssl: + enabled: + description: Enables or disables TLS/SSL for the HTTP layer. + advanced: True + forcedType: bool + helpLink: elasticsearch + transport: + ssl: + enabled: + description: Enables or disables TLS/SSL for the transport layer. + advanced: True + forcedType: bool + helpLink: elasticsearch pipelines: custom001: &pipelines description: @@ -264,8 +312,9 @@ elasticsearch: global: True helpLink: elasticsearch so-logs: &indexSettings - index_sorting: + index_sorting: description: Sorts the index by event time, at the cost of additional processing resource consumption. + forcedType: bool global: True advanced: True helpLink: elasticsearch @@ -609,6 +658,7 @@ elasticsearch: so-metrics-fleet_server_x_agent_status: &fleetMetricsSettings index_sorting: description: Sorts the index by event time, at the cost of additional processing resource consumption. + forcedType: bool advanced: True readonly: True helpLink: elasticsearch @@ -649,11 +699,13 @@ elasticsearch: data_stream: hidden: description: Hide the data stream. + forcedType: bool advanced: True readonly: True helpLink: elasticsearch allow_custom_routing: description: Allow custom routing for the data stream. + forcedType: bool advanced: True readonly: True helpLink: elasticsearch diff --git a/salt/hydra/soc_hydra.yaml b/salt/hydra/soc_hydra.yaml index 5242d0cc7..37613246b 100644 --- a/salt/hydra/soc_hydra.yaml +++ b/salt/hydra/soc_hydra.yaml @@ -1,6 +1,7 @@ hydra: enabled: - description: Enables or disables the API authentication system, used for service account authentication. Enabling this feature requires a valid Security Onion license key. Defaults to False. + description: Enables or disables the API authentication system, used for service account authentication. Enabling this feature requires a valid Security Onion license key. Defaults to False. + forcedType: bool helpLink: connect-api global: True config: diff --git a/salt/idh/soc_idh.yaml b/salt/idh/soc_idh.yaml index 0ee103eb6..7cda82390 100644 --- a/salt/idh/soc_idh.yaml +++ b/salt/idh/soc_idh.yaml @@ -1,6 +1,11 @@ idh: enabled: - description: Enables or disables the Intrusion Detection Honeypot (IDH) process. + description: Enables or disables the Intrusion Detection Honeypot (IDH) process. + forcedType: bool + helpLink: idh + restrict_management_ip: + description: Restricts management IP access to the IDH node. + forcedType: bool helpLink: idh opencanary: config: @@ -24,6 +29,7 @@ idh: filename: *loggingOptions portscan_x_enabled: &serviceOptions description: To enable this opencanary module, set this value to true. To disable set to false. This option only applies to IDH nodes within your grid. + forcedType: bool helpLink: idh portscan_x_logfile: *loggingOptions portscan_x_synrate: @@ -125,8 +131,9 @@ idh: vnc_x_enabled: *serviceOptions vnc_x_port: *portOptions openssh: - enable: + enable: description: This is the real SSH service for the host machine. + forcedType: bool helpLink: idh config: port: diff --git a/salt/influxdb/soc_influxdb.yaml b/salt/influxdb/soc_influxdb.yaml index 875e03d4a..3dbf0875b 100644 --- a/salt/influxdb/soc_influxdb.yaml +++ b/salt/influxdb/soc_influxdb.yaml @@ -1,6 +1,7 @@ influxdb: enabled: description: Enables the grid metrics collection storage system. Security Onion grid health monitoring requires this process to remain enabled. WARNING - Disabling the process is unsupported, and will cause unexpected results. + forcedType: bool helpLink: influxdb config: assets-path: @@ -25,11 +26,13 @@ influxdb: helpLink: influxdb flux-log-enabled: description: Controls whether detailed flux query logging is enabled. + forcedType: bool global: True advanced: True helpLink: influxdb hardening-enabled: description: If true, enforces outbound connections from the InfluxDB process must never attempt to reach an internal, private network address. + forcedType: bool global: True advanced: True helpLink: influxdb @@ -86,16 +89,19 @@ influxdb: helpLink: influxdb metrics-disabled: description: If true, the HTTP endpoint that exposes internal InfluxDB metrics will be inaccessible. + forcedType: bool global: True advanced: True helpLink: influxdb no-tasks: description: If true, the task system will not process any queued tasks. Useful for troubleshooting startup problems. + forcedType: bool global: True advanced: True helpLink: influxdb pprof-disabled: description: If true, the profiling data HTTP endpoint will be inaccessible. + forcedType: bool global: True advanced: True helpLink: influxdb @@ -126,6 +132,7 @@ influxdb: helpLink: influxdb reporting-disabled: description: If true, prevents InfluxDB from sending telemetry updates to InfluxData's servers. + forcedType: bool global: True advanced: True helpLink: influxdb @@ -142,6 +149,7 @@ influxdb: helpLink: influxdb session-renew-disabled: description: If true, user login sessions will renew after each request. + forcedType: bool global: True advanced: True helpLink: influxdb @@ -187,6 +195,7 @@ influxdb: helpLink: influxdb storage-no-validate-field-size: description: If true, incoming requests will skip the field size validation. + forcedType: bool global: True advanced: True helpLink: influxdb @@ -217,11 +226,13 @@ influxdb: helpLink: influxdb storage-tsm-use-madv-willneed: description: If true, InfluxDB will manage TSM memory paging. + forcedType: bool global: True advanced: True helpLink: influxdb storage-validate-keys: description: If true, validates incoming requests for supported characters. + forcedType: bool global: True advanced: True helpLink: influxdb @@ -268,6 +279,7 @@ influxdb: helpLink: influxdb tls-strict-ciphers: description: If true, the allowed ciphers used with TLS connections are ECDHE_RSA_WITH_AES_256_GCM_SHA384, ECDHE_RSA_WITH_AES_256_CBC_SHA, RSA_WITH_AES_256_GCM_SHA384, or RSA_WITH_AES_256_CBC_SHA. + forcedType: bool global: True advanced: True helpLink: influxdb @@ -276,8 +288,9 @@ influxdb: global: True advanced: True helpLink: influxdb - ui-disabled: + ui-disabled: description: If true, the InfluxDB HTTP user interface will be disabled. This will prevent use of the included InfluxDB dashboard visualizations. + forcedType: bool global: True advanced: True helpLink: influxdb @@ -316,8 +329,9 @@ influxdb: global: True advanced: True helpLink: influxdb - vault-skip-verify: + vault-skip-verify: description: Skip certification validation of the Vault server. + forcedType: bool global: True advanced: True helpLink: influxdb diff --git a/salt/kafka/soc_kafka.yaml b/salt/kafka/soc_kafka.yaml index 93a2b871e..b8d0c7c32 100644 --- a/salt/kafka/soc_kafka.yaml +++ b/salt/kafka/soc_kafka.yaml @@ -1,6 +1,7 @@ kafka: enabled: description: Set to True to enable Kafka. To avoid grid problems, do not enable Kafka until the related configuration is in place. Requires a valid Security Onion license key. + forcedType: bool helpLink: kafka cluster_id: description: The ID of the Kafka cluster. diff --git a/salt/kibana/soc_kibana.yaml b/salt/kibana/soc_kibana.yaml index ae488d2ec..168830bbd 100644 --- a/salt/kibana/soc_kibana.yaml +++ b/salt/kibana/soc_kibana.yaml @@ -1,10 +1,46 @@ kibana: - enabled: + enabled: description: Enables or disables the Kibana front-end interface to Elasticsearch. Due to Kibana being used for loading certain configuration details in Elasticsearch, this process should remain enabled. WARNING - Disabling the process is unsupported, and will cause unexpected results. + forcedType: bool helpLink: kibana config: + server: + rewriteBasePath: + description: Specifies whether Kibana should rewrite requests that are prefixed with the server basePath. + forcedType: bool + global: True + advanced: True + helpLink: kibana elasticsearch: requestTimeout: description: The length of time before the request reaches timeout. global: True helpLink: kibana + telemetry: + enabled: + description: Enables or disables telemetry data collection in Kibana. + forcedType: bool + global: True + advanced: True + helpLink: kibana + xpack: + security: + secureCookies: + description: Sets the secure flag on session cookies. Cookies are only sent over HTTPS when enabled. + forcedType: bool + global: True + advanced: True + helpLink: kibana + showInsecureClusterWarning: + description: Shows a warning in Kibana when the cluster does not have security enabled. + forcedType: bool + global: True + advanced: True + helpLink: kibana + apm: + enabled: + description: Enables or disables the APM agent in Kibana. + forcedType: bool + global: True + advanced: True + helpLink: kibana diff --git a/salt/kratos/soc_kratos.yaml b/salt/kratos/soc_kratos.yaml index 13f50ac2b..1cd2728c8 100644 --- a/salt/kratos/soc_kratos.yaml +++ b/salt/kratos/soc_kratos.yaml @@ -1,12 +1,14 @@ kratos: enabled: description: Enables or disables the Kratos authentication system. WARNING - Disabling this process will cause the grid to malfunction. Re-enabling this setting will require manual effort via SSH. + forcedType: bool advanced: True helpLink: kratos oidc: - enabled: + enabled: description: Set to True to enable OIDC / Single Sign-On (SSO) to SOC. Requires a valid Security Onion license key. + forcedType: bool global: True helpLink: oidc config: @@ -80,6 +82,7 @@ kratos: email: essential: description: Specifies whether the email claim is necessary. Typically leave this value set to true. + forcedType: bool advanced: True global: True helpLink: oidc @@ -107,19 +110,22 @@ kratos: selfservice: methods: password: - enabled: + enabled: description: Set to True to enable traditional password authentication to SOC. Typically set to true, except when exclusively using OIDC authentication. Some external tool interfaces may not be accessible if local password authentication is disabled. + forcedType: bool global: True advanced: True helpLink: oidc config: haveibeenpwned_enabled: description: Set to True to check if a newly chosen password has ever been found in a published list of previously-compromised passwords. Requires outbound Internet connectivity when enabled. + forcedType: bool global: True helpLink: kratos totp: - enabled: + enabled: description: Set to True to enable Time-based One-Time Password (TOTP) multi-factor authentication (MFA) to SOC. Enable to ensure proper security protections remain in place. Be aware that disabling this setting, after users have already setup TOTP, may prevent users from logging in. + forcedType: bool global: True helpLink: kratos config: @@ -130,11 +136,13 @@ kratos: webauthn: enabled: description: Set to True to enable Security Keys (WebAuthn / PassKeys) for passwordless or multi-factor authentication (MFA) SOC logins. Security Keys are a Public-Key Infrastructure (PKI) based authentication method, typically involving biometric hardware devices, such as laptop fingerprint scanners and USB hardware keys. Be aware that disabling this setting, after users have already setup their accounts with Security Keys, may prevent users from logging in. + forcedType: bool global: True helpLink: kratos config: - passwordless: + passwordless: description: Set to True to utilize Security Keys (WebAuthn / PassKeys) for passwordless logins. Set to false to utilize Security Keys as a multi-factor authentication (MFA) method supplementing password logins. Be aware that changing this value, after users have already setup their accounts with the previous value, may prevent users from logging in. + forcedType: bool global: True helpLink: kratos rp: diff --git a/salt/logstash/soc_logstash.yaml b/salt/logstash/soc_logstash.yaml index 71255928b..5a5816a9e 100644 --- a/salt/logstash/soc_logstash.yaml +++ b/salt/logstash/soc_logstash.yaml @@ -1,6 +1,7 @@ logstash: - enabled: + enabled: description: Enables or disables the Logstash log event forwarding process. On most grid installations, when this process is disabled log events are unable to be ingested into the SOC backend. + forcedType: bool helpLink: logstash assigned_pipelines: roles: diff --git a/salt/manager/soc_manager.yaml b/salt/manager/soc_manager.yaml index 7f67eef34..78711d782 100644 --- a/salt/manager/soc_manager.yaml +++ b/salt/manager/soc_manager.yaml @@ -2,6 +2,7 @@ manager: reposync: enabled: description: This is the daily task of syncing the Security Onion OS packages. It is recommended that this setting remain enabled to ensure important updates are applied to the grid on an automated, scheduled basis. + forcedType: bool global: True helpLink: soup hour: diff --git a/salt/nginx/soc_nginx.yaml b/salt/nginx/soc_nginx.yaml index 3e5395d8f..c901c4ad9 100644 --- a/salt/nginx/soc_nginx.yaml +++ b/salt/nginx/soc_nginx.yaml @@ -1,6 +1,7 @@ nginx: - enabled: + enabled: description: Enables or disables the Nginx web server and reverse proxy. WARNING - Disabling this process will prevent access to SOC and other important web interfaces and APIs. Re-enabling the process is a manual effort. Do not change this setting without instruction from Security Onion support. + forcedType: bool advanced: True helpLink: nginx external_suricata: diff --git a/salt/patch/soc_patch.yaml b/salt/patch/soc_patch.yaml index 893e901e0..b22c177f2 100644 --- a/salt/patch/soc_patch.yaml +++ b/salt/patch/soc_patch.yaml @@ -2,6 +2,7 @@ patch: os: enabled: description: Enable OS updates. WARNING - Disabling this setting will prevent important operating system updates from being applied on a scheduled basis. + forcedType: bool helpLink: soup schedule_to_run: description: Currently running schedule for updates. diff --git a/salt/redis/soc_redis.yaml b/salt/redis/soc_redis.yaml index e19cb88c6..bce058bc3 100644 --- a/salt/redis/soc_redis.yaml +++ b/salt/redis/soc_redis.yaml @@ -1,6 +1,7 @@ redis: - enabled: + enabled: description: Enables the log event in-memory buffering process. This process might already be disabled on some installation types. Disabling this process on distributed-capable grids can result in loss of log events. + forcedType: bool helpLink: redis config: bind: diff --git a/salt/registry/soc_registry.yaml b/salt/registry/soc_registry.yaml index 7d6cefe8c..7a936b343 100644 --- a/salt/registry/soc_registry.yaml +++ b/salt/registry/soc_registry.yaml @@ -1,4 +1,5 @@ registry: enabled: description: Enables or disables the Docker registry on the manager node. WARNING - If this process is disabled the grid will malfunction and a manual effort may be needed to re-enable the setting. + forcedType: bool advanced: True diff --git a/salt/sensoroni/soc_sensoroni.yaml b/salt/sensoroni/soc_sensoroni.yaml index 5f306335b..73920e9b7 100644 --- a/salt/sensoroni/soc_sensoroni.yaml +++ b/salt/sensoroni/soc_sensoroni.yaml @@ -1,12 +1,14 @@ sensoroni: enabled: description: Enable or disable the per-node SOC agent process. This process is used for performing node-related jobs and reporting node metrics back to SOC. Disabling this process is unsupported and will result in an improperly functioning grid. + forcedType: bool advanced: True helpLink: grid config: analyze: enabled: description: Enable or disable the analyzer. + forcedType: bool advanced: True helpLink: cases timeout_ms: diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml index b99ef4363..8fcfaa3d1 100644 --- a/salt/soc/soc_soc.yaml +++ b/salt/soc/soc_soc.yaml @@ -1,6 +1,7 @@ soc: enabled: description: Enables or disables SOC. WARNING - Disabling this setting is unsupported and will cause the grid to malfunction. Re-enabling this setting is a manual effort via SSH. + forcedType: bool advanced: True telemetryEnabled: title: SOC Telemetry diff --git a/salt/strelka/soc_strelka.yaml b/salt/strelka/soc_strelka.yaml index 001e28cb9..0066bd6c3 100644 --- a/salt/strelka/soc_strelka.yaml +++ b/salt/strelka/soc_strelka.yaml @@ -1,7 +1,8 @@ strelka: backend: - enabled: + enabled: description: Enables or disables the Strelka file analysis process. + forcedType: bool helpLink: strelka config: backend: @@ -420,8 +421,9 @@ strelka: helpLink: strelka multiline: True filestream: - enabled: + enabled: description: You can enable or disable Strelka filestream. + forcedType: bool helpLink: strelka config: conn: @@ -478,12 +480,14 @@ strelka: advanced: True delete: description: Boolean that determines if files should be deleted after being sent for scanning. + forcedType: bool readonly: False global: False helpLink: strelka advanced: True gatekeeper: description: Boolean that determines if events should be pulled from the temporary event cache. + forcedType: bool readonly: False global: False helpLink: strelka @@ -514,8 +518,9 @@ strelka: helpLink: strelka advanced: True frontend: - enabled: + enabled: description: You can enable or disable Strelka frontend. + forcedType: bool helpLink: strelka config: server: @@ -564,8 +569,9 @@ strelka: helpLink: strelka advanced: True manager: - enabled: + enabled: description: You can enable or disable Strelka manager. + forcedType: bool helpLink: strelka config: coordinator: @@ -582,16 +588,19 @@ strelka: helpLink: strelka advanced: True coordinator: - enabled: + enabled: description: You can enable or disable Strelka coordinator. + forcedType: bool helpLink: strelka gatekeeper: - enabled: + enabled: description: You can enable or disable Strelka gatekeeper. + forcedType: bool helpLink: strelka rules: enabled: description: Boolean that determines if yara rules sync from the Salt manager to the backend nodes. + forcedType: bool readonly: False global: False helpLink: strelka diff --git a/salt/suricata/defaults.yaml b/salt/suricata/defaults.yaml index 811053cd0..818a7bf89 100644 --- a/salt/suricata/defaults.yaml +++ b/salt/suricata/defaults.yaml @@ -1,20 +1,20 @@ suricata: enabled: False pcap: - enabled: "no" + enabled: false filesize: 1000mb maxsize: 25 compression: "none" - lz4-checksum: "no" + lz4-checksum: false lz4-level: 8 filename: "%n/so-pcap.%t" mode: "multi" - use-stream-depth: "no" + use-stream-depth: false conditional: "all" dir: "/nsm/suripcap" config: threading: - set-cpu-affinity: "no" + set-cpu-affinity: false cpu-affinity: management-cpu-set: cpu: @@ -29,17 +29,17 @@ suricata: interface: bond0 cluster-id: 59 cluster-type: cluster_flow - defrag: "yes" - use-mmap: "yes" - mmap-locked: "no" + defrag: true + use-mmap: true + mmap-locked: false threads: 1 - tpacket-v3: "yes" + tpacket-v3: true ring-size: 5000 block-size: 69632 block-timeout: 10 - use-emergency-flush: "yes" + use-emergency-flush: true buffer-size: 32768 - disable-promisc: "no" + disable-promisc: false checksum-checks: kernel vars: address-groups: @@ -105,15 +105,15 @@ suricata: - 6081 default-log-dir: /var/log/suricata/ stats: - enabled: "yes" + enabled: true interval: 30 outputs: fast: - enabled: "no" + enabled: false filename: fast.log - append: "yes" + append: true eve-log: - enabled: "yes" + enabled: true filetype: regular filename: /nsm/eve-%Y-%m-%d-%H:%M.json rotate-interval: hour @@ -122,104 +122,104 @@ suricata: community-id-seed: 0 types: alert: - payload: "no" + payload: false payload-buffer-size: 4kb - payload-printable: "yes" - packet: "yes" + payload-printable: true + packet: true metadata: app-layer: false flow: false rule: metadata: true raw: true - tagged-packets: "no" + tagged-packets: false xff: - enabled: "no" + enabled: false mode: extra-data deployment: reverse header: X-Forwarded-For unified2-alert: - enabled: "no" + enabled: false tls-store: - enabled: "no" + enabled: false alert-debug: - enabled: "no" + enabled: false alert-prelude: - enabled: "no" + enabled: false stats: - enabled: "yes" + enabled: true filename: stats.log - append: "yes" - totals: "yes" - threads: "no" - null-values: "yes" + append: true + totals: true + threads: false + null-values: true drop: - enabled: "no" + enabled: false file-store: version: 2 - enabled: "no" + enabled: false xff: - enabled: "no" + enabled: false mode: extra-data deployment: reverse header: X-Forwarded-For tcp-data: - enabled: "no" + enabled: false type: file filename: tcp-data.log http-body-data: - enabled: "no" + enabled: false type: file filename: http-data.log lua: - enabled: "no" + enabled: false scripts: logging: default-log-level: notice outputs: - console: - enabled: "yes" + enabled: true - file: - enabled: "yes" + enabled: true level: info filename: suricata.log - syslog: - enabled: "no" + enabled: false facility: local5 format: "[%i] <%d> -- " app-layer: protocols: krb5: - enabled: "yes" + enabled: true snmp: - enabled: "yes" + enabled: true ikev2: - enabled: "yes" + enabled: true tls: - enabled: "yes" + enabled: true detection-ports: dp: 443 ja3-fingerprints: auto ja4-fingerprints: auto encryption-handling: track-only dcerpc: - enabled: "yes" + enabled: true ftp: - enabled: "yes" + enabled: true rdp: - enabled: "yes" + enabled: true ssh: - enabled: "yes" + enabled: true smtp: - enabled: "yes" - raw-extraction: "no" + enabled: true + raw-extraction: false mime: - decode-mime: "yes" - decode-base64: "yes" - decode-quoted-printable: "yes" + decode-mime: true + decode-base64: true + decode-quoted-printable: true header-value-depth: 2000 - extract-urls: "yes" - body-md5: "no" + extract-urls: true + body-md5: false inspected-tracker: content-limit: 100000 content-inspect-min-size: 32768 @@ -227,27 +227,27 @@ suricata: imap: enabled: detection-only smb: - enabled: "yes" + enabled: true detection-ports: dp: 139, 445 nfs: - enabled: "yes" + enabled: true tftp: - enabled: "yes" + enabled: true dns: global-memcap: 16mb state-memcap: 512kb request-flood: 500 tcp: - enabled: "yes" + enabled: true detection-ports: dp: 53 udp: - enabled: "yes" + enabled: true detection-ports: dp: 53 http: - enabled: "yes" + enabled: true libhtp: default-config: personality: IDS @@ -260,43 +260,43 @@ suricata: response-body-decompress-layer-limit: 2 http-body-inline: auto swf-decompression: - enabled: "no" + enabled: false type: both compress-depth: 100 KiB decompress-depth: 100 KiB - randomize-inspection-sizes: "yes" + randomize-inspection-sizes: true randomize-inspection-range: 10 - double-decode-path: "no" - double-decode-query: "no" + double-decode-path: false + double-decode-query: false server-config: modbus: - enabled: "yes" + enabled: true detection-ports: dp: 502 stream-depth: 0 dnp3: - enabled: "yes" + enabled: true detection-ports: dp: 20000 enip: - enabled: "yes" + enabled: true detection-ports: dp: 44818 sp: 44818 ntp: - enabled: "yes" + enabled: true dhcp: - enabled: "yes" + enabled: true sip: - enabled: "yes" + enabled: true rfb: - enabled: 'yes' + enabled: true detection-ports: dp: 5900, 5901, 5902, 5903, 5904, 5905, 5906, 5907, 5908, 5909 mqtt: - enabled: 'no' + enabled: false http2: - enabled: 'yes' + enabled: true asn1-max-frames: 256 run-as: user: suricata @@ -312,8 +312,8 @@ suricata: legacy: uricontent: enabled engine-analysis: - rules-fast-pattern: "yes" - rules: "yes" + rules-fast-pattern: true + rules: true pcre: match-limit: 3500 match-limit-recursion: 1500 @@ -336,7 +336,7 @@ suricata: hash-size: 65536 trackers: 65535 max-frags: 65535 - prealloc: "yes" + prealloc: true timeout: 60 flow: memcap: 128mb @@ -380,14 +380,14 @@ suricata: emergency-bypassed: 50 stream: memcap: 64mb - checksum-validation: "yes" + checksum-validation: true inline: auto reassembly: memcap: 256mb depth: 1mb toserver-chunk-size: 2560 toclient-chunk-size: 2560 - randomize-chunk-size: "yes" + randomize-chunk-size: true host: hash-size: 4096 prealloc: 1000 @@ -432,38 +432,38 @@ suricata: allow-restricted-functions: false profiling: rules: - enabled: "yes" + enabled: true filename: rule_perf.log - append: "yes" + append: true limit: 10 - json: "yes" + json: true keywords: - enabled: "yes" + enabled: true filename: keyword_perf.log - append: "yes" + append: true prefilter: - enabled: "yes" + enabled: true filename: prefilter_perf.log - append: "yes" + append: true rulegroups: - enabled: "yes" + enabled: true filename: rule_group_perf.log - append: "yes" + append: true packets: - enabled: "yes" + enabled: true filename: packet_stats.log - append: "yes" + append: true csv: - enabled: "no" + enabled: false filename: packet_stats.csv locks: - enabled: "no" + enabled: false filename: lock_stats.log - append: "yes" + append: true pcap-log: - enabled: "no" + enabled: false filename: pcaplog_stats.log - append: "yes" + append: true default-rule-path: /etc/suricata/rules rule-files: - all-rulesets.rules diff --git a/salt/suricata/map.jinja b/salt/suricata/map.jinja index c99beff21..944e0e34d 100644 --- a/salt/suricata/map.jinja +++ b/salt/suricata/map.jinja @@ -43,22 +43,18 @@ - interface: {{ GLOBALS.sensor.interface }} cluster-id: {{ SURICATAMERGED.config['af-packet']['cluster-id'] }} cluster-type: {{ SURICATAMERGED.config['af-packet']['cluster-type'] }} - defrag: "{{ SURICATAMERGED.config['af-packet'].defrag }}" - use-mmap: "{{ SURICATAMERGED.config['af-packet']['use-mmap'] }}" - mmap-locked: "{{ SURICATAMERGED.config['af-packet']['mmap-locked'] }}" + defrag: {{ SURICATAMERGED.config['af-packet'].defrag }} + use-mmap: {{ SURICATAMERGED.config['af-packet']['use-mmap'] }} + mmap-locked: {{ SURICATAMERGED.config['af-packet']['mmap-locked'] }} threads: {{ SURICATAMERGED.config['af-packet'].threads }} - tpacket-v3: "{{ SURICATAMERGED.config['af-packet']['tpacket-v3'] }}" + tpacket-v3: {{ SURICATAMERGED.config['af-packet']['tpacket-v3'] }} ring-size: {{ SURICATAMERGED.config['af-packet']['ring-size'] }} block-size: {{ SURICATAMERGED.config['af-packet']['block-size'] }} block-timeout: {{ SURICATAMERGED.config['af-packet']['block-timeout'] }} - use-emergency-flush: "{{ SURICATAMERGED.config['af-packet']['use-emergency-flush'] }}" + use-emergency-flush: {{ SURICATAMERGED.config['af-packet']['use-emergency-flush'] }} buffer-size: {{ SURICATAMERGED.config['af-packet']['buffer-size'] }} - disable-promisc: "{{ SURICATAMERGED.config['af-packet']['disable-promisc'] }}" -{% if SURICATAMERGED.config['af-packet']['checksum-checks'] in ['yes', 'no'] %} - checksum-checks: "{{ SURICATAMERGED.config['af-packet']['checksum-checks'] }}" -{% else %} + disable-promisc: {{ SURICATAMERGED.config['af-packet']['disable-promisc'] }} checksum-checks: {{ SURICATAMERGED.config['af-packet']['checksum-checks'] }} -{% endif %} {% endload %} {% do SURICATAMERGED.config.pop('af-packet') %} {% do SURICATAMERGED.config.update({'af-packet': afpacket}) %} diff --git a/salt/suricata/soc_suricata.yaml b/salt/suricata/soc_suricata.yaml index d754e2ede..254683443 100644 --- a/salt/suricata/soc_suricata.yaml +++ b/salt/suricata/soc_suricata.yaml @@ -1,6 +1,7 @@ suricata: - enabled: + enabled: description: Enables or disables the Suricata process. This process is used for triggering alerts and optionally for protocol metadata collection and full packet capture. + forcedType: bool helpLink: suricata thresholding: sids__yaml: @@ -37,8 +38,9 @@ suricata: description: Enable compression of Suricata PCAP files. advanced: True helpLink: suricata - lz4-checksum: + lz4-checksum: description: Enable PCAP lz4 checksum. + forcedType: bool advanced: True helpLink: suricata lz4-level: @@ -55,11 +57,10 @@ suricata: advanced: True readonly: True helpLink: suricata - use-stream-depth: - description: Set to "no" to ignore the stream depth and capture the entire flow. Set to "yes" to truncate the flow based on the stream depth. + use-stream-depth: + description: Set to false to ignore the stream depth and capture the entire flow. Set to true to truncate the flow based on the stream depth. + forcedType: bool advanced: True - regex: ^(yes|no)$ - regexFailureMessage: You must enter either yes or no. helpLink: suricata conditional: description: Set to "all" to record PCAP for all flows. Set to "alerts" to only record PCAP for Suricata alerts. Set to "tag" to only record PCAP for tagged rules. @@ -84,15 +85,16 @@ suricata: advanced: True regex: ^(cluster_flow|cluster_qm)$ defrag: + description: Enable defragmentation of IP packets before processing. + forcedType: bool advanced: True - regex: ^(yes|no)$ use-mmap: advanced: True readonly: True mmap-locked: description: Prevent swapping by locking the memory map. + forcedType: bool advanced: True - regex: ^(yes|no)$ helpLink: suricata threads: description: The amount of worker threads. @@ -116,9 +118,9 @@ suricata: forcedType: int helpLink: suricata use-emergency-flush: - description: In high-traffic environments, enabling this option to 'yes' aids in recovering from packet drop occurrences. However, it may lead to some packets, possibly at max ring flush, not being inspected. + description: In high-traffic environments, enabling this option aids in recovering from packet drop occurrences. However, it may lead to some packets, possibly at max ring flush, not being inspected. + forcedType: bool advanced: True - regex: ^(yes|no)$ helpLink: suricata buffer-size: description: Increasing the value of the receive buffer may improve performance. @@ -126,30 +128,33 @@ suricata: forcedType: int helpLink: suricata disable-promisc: - description: Promiscuous mode can be disabled by setting this to "yes". + description: Disable promiscuous mode on the capture interface. + forcedType: bool advanced: True - regex: ^(yes|no)$ helpLink: suricata checksum-checks: description: "Opt for the checksum verification mode suitable for the interface. During capture, it's possible that some packets may exhibit invalid checksums due to the network card handling the checksum computation. You have several options: 'kernel': Relies on indications sent by the kernel for each packet (default). 'yes': Enforces checksum validation. 'no': Disables checksum validation. 'auto': Suricata employs a statistical approach to detect checksum offloading." advanced: True - regex: ^(kernel|yes|no|auto)$ + options: + - kernel + - yes + - no + - auto helpLink: suricata threading: set-cpu-affinity: - description: Bind(yes) or unbind(no) management and worker threads to a core or range of cores. - regex: ^(yes|no)$ - regexFailureMessage: You must enter either yes or no. + description: Bind or unbind management and worker threads to a core or range of cores. + forcedType: bool helpLink: suricata cpu-affinity: management-cpu-set: cpu: - description: Bind management threads to a core or range of cores. This can be a sigle core, list of cores, or list of range of cores. set-cpu-affinity must be set to 'yes' for this to be used. + description: Bind management threads to a core or range of cores. This can be a sigle core, list of cores, or list of range of cores. set-cpu-affinity must be set to true for this to be used. forcedType: "[]string" helpLink: suricata worker-cpu-set: cpu: - description: Bind worker threads to a core or range of cores. This can be a sigle core, list of cores, or list of range of cores. set-cpu-affinity must be set to 'yes' for this to be used. + description: Bind worker threads to a core or range of cores. This can be a sigle core, list of cores, or list of range of cores. set-cpu-affinity must be set to true for this to be used. forcedType: "[]string" helpLink: suricata vars: @@ -198,11 +203,44 @@ suricata: GENEVE_PORTS: *suriportgroup outputs: eve-log: + pcap-file: + description: Log the PCAP filename that a packet was read from when processing pcap files. + forcedType: bool + advanced: True + helpLink: suricata + community-id: + description: Enable Community ID flow hashing for consistent event correlation across tools. + forcedType: bool + advanced: True + helpLink: suricata types: alert: + metadata: + app-layer: + description: Include app-layer metadata in alert events. + forcedType: bool + advanced: True + helpLink: suricata + flow: + description: Include flow metadata in alert events. + forcedType: bool + advanced: True + helpLink: suricata + rule: + metadata: + description: Include rule metadata in alert events. + forcedType: bool + advanced: True + helpLink: suricata + raw: + description: Include raw rule text in alert events. + forcedType: bool + advanced: True + helpLink: suricata xff: enabled: description: Enable X-Forward-For support. + forcedType: bool helpLink: suricata mode: description: Operation mode. This should always be extra-data if you use PCAP. @@ -242,8 +280,9 @@ suricata: max-frags: description: Max number of fragments to keep helpLink: suricata - prealloc: + prealloc: description: Preallocate memory. + forcedType: bool helpLink: suricata timeout: description: Timeout value. @@ -264,6 +303,7 @@ suricata: helpLink: suricata checksum-validation: description: Validate checksum of packets. + forcedType: bool helpLink: suricata reassembly: memcap: @@ -286,6 +326,7 @@ suricata: teredo: enabled: description: Enable TEREDO capabilities + forcedType: bool helpLink: suricata ports: description: Ports to listen for. This should be a variable. @@ -293,14 +334,58 @@ suricata: vxlan: enabled: description: Enable VXLAN capabilities. + forcedType: bool helpLink: suricata - ports: - description: Ports to listen for. This should be a variable. + ports: + description: Ports to listen for. This should be a variable. helpLink: suricata geneve: enabled: description: Enable VXLAN capabilities. + forcedType: bool helpLink: suricata - ports: - description: Ports to listen for. This should be a variable. + ports: + description: Ports to listen for. This should be a variable. + helpLink: suricata + recursion-level: + use-for-tracking: + description: Controls whether the decoder recursion level is used for flow tracking. + forcedType: bool + advanced: True + helpLink: suricata + vlan: + use-for-tracking: + description: Enable VLAN tracking for flow identification. When enabled, VLAN tags are used to differentiate flows. + forcedType: bool + advanced: True + helpLink: suricata + detect: + profiling: + grouping: + dump-to-disk: + description: Dump detection engine grouping information to disk for analysis. + forcedType: bool + advanced: True + helpLink: suricata + include-rules: + description: Include individual rule details in grouping profiling output. + forcedType: bool + advanced: True + helpLink: suricata + include-mpm-stats: + description: Include multi-pattern matcher statistics in grouping profiling output. + forcedType: bool + advanced: True + helpLink: suricata + security: + lua: + allow-rules: + description: Allow Lua rules in the Suricata ruleset. Enabling Lua rules may introduce security risks. + forcedType: bool + advanced: True + helpLink: suricata + allow-restricted-functions: + description: Allow restricted Lua functions such as file I/O. Enabling this may introduce security risks. + forcedType: bool + advanced: True helpLink: suricata diff --git a/salt/telegraf/defaults.yaml b/salt/telegraf/defaults.yaml index a46592e90..ef6c2bc77 100644 --- a/salt/telegraf/defaults.yaml +++ b/salt/telegraf/defaults.yaml @@ -7,8 +7,8 @@ telegraf: collection_jitter: '0s' flush_interval: '10s' flush_jitter: '0s' - debug: 'false' - quiet: 'false' + debug: false + quiet: false scripts: eval: - agentstatus.sh diff --git a/salt/telegraf/etc/telegraf.conf b/salt/telegraf/etc/telegraf.conf index 05ed70d68..aafcf6d77 100644 --- a/salt/telegraf/etc/telegraf.conf +++ b/salt/telegraf/etc/telegraf.conf @@ -56,9 +56,9 @@ ## Logging configuration: ## Run telegraf with debug log messages. - debug = {{ TELEGRAFMERGED.config.debug }} + debug = {{ 'true' if TELEGRAFMERGED.config.debug else 'false' }} ## Run telegraf in quiet mode (error log messages only). - quiet = false + quiet = {{ 'true' if TELEGRAFMERGED.config.quiet else 'false'}} ## Specify the log file name. The empty string means to log to stderr. logfile = "/var/log/telegraf/telegraf.log" diff --git a/salt/telegraf/soc_telegraf.yaml b/salt/telegraf/soc_telegraf.yaml index 19151f535..40ae7fed8 100644 --- a/salt/telegraf/soc_telegraf.yaml +++ b/salt/telegraf/soc_telegraf.yaml @@ -1,6 +1,7 @@ telegraf: - enabled: + enabled: description: Enables the grid metrics collection process. WARNING - Security Onion grid health monitoring requires this process to remain enabled. Disabling it will cause unexpected and unsupported results. + forcedType: bool advanced: True helpLink: influxdb config: @@ -34,13 +35,13 @@ telegraf: advanced: True helpLink: influxdb debug: - description: Data collection interval. - global: True + description: Run telegraf with debug log messages + forcedType: bool advanced: True helpLink: influxdb quiet: - description: Data collection interval. - global: True + description: Run telegraf in quiet mode (error log messages only). + forcedType: bool advanced: True helpLink: influxdb scripts: diff --git a/salt/zeek/soc_zeek.yaml b/salt/zeek/soc_zeek.yaml index ccb57acbb..a14594635 100644 --- a/salt/zeek/soc_zeek.yaml +++ b/salt/zeek/soc_zeek.yaml @@ -1,6 +1,7 @@ zeek: enabled: description: Controls whether the Zeek (network packet inspection) process runs. Disabling this process could result in loss of network protocol metadata. If Suricata was selected as the protocol metadata engine during setup then this will already be disabled. + forcedType: bool helpLink: zeek ja4plus: enabled: