From c2c5aea2443416186d9966cb2164de10d7fcd67d Mon Sep 17 00:00:00 2001 From: Josh Patterson Date: Thu, 19 Mar 2026 12:35:38 -0400 Subject: [PATCH 01/21] ensure bool sliders for each state:enabled annotation --- salt/elastalert/soc_elastalert.yaml | 1 + .../soc_elastic-fleet-package-registry.yaml | 1 + salt/elasticagent/soc_elasticagent.yaml | 1 + salt/elasticfleet/soc_elasticfleet.yaml | 1 + salt/elasticsearch/soc_elasticsearch.yaml | 1 + salt/hydra/soc_hydra.yaml | 3 ++- salt/idh/soc_idh.yaml | 3 ++- salt/influxdb/soc_influxdb.yaml | 1 + salt/kafka/soc_kafka.yaml | 1 + salt/kibana/soc_kibana.yaml | 3 ++- salt/kratos/soc_kratos.yaml | 1 + salt/logstash/soc_logstash.yaml | 3 ++- salt/nginx/soc_nginx.yaml | 3 ++- salt/redis/soc_redis.yaml | 3 ++- salt/registry/soc_registry.yaml | 1 + salt/sensoroni/soc_sensoroni.yaml | 1 + salt/soc/soc_soc.yaml | 1 + salt/suricata/soc_suricata.yaml | 3 ++- salt/telegraf/soc_telegraf.yaml | 3 ++- salt/zeek/soc_zeek.yaml | 1 + 20 files changed, 28 insertions(+), 8 deletions(-) diff --git a/salt/elastalert/soc_elastalert.yaml b/salt/elastalert/soc_elastalert.yaml index bf85fed80..44868ab7b 100644 --- a/salt/elastalert/soc_elastalert.yaml +++ b/salt/elastalert/soc_elastalert.yaml @@ -1,6 +1,7 @@ elastalert: enabled: description: Enables or disables the ElastAlert 2 process. This process is critical for ensuring alerts arrive in SOC, and for outbound notification delivery. + forcedType: bool helpLink: elastalert alerter_parameters: title: Custom Configuration Parameters diff --git a/salt/elastic-fleet-package-registry/soc_elastic-fleet-package-registry.yaml b/salt/elastic-fleet-package-registry/soc_elastic-fleet-package-registry.yaml index 3d8a2112b..fff1a51c0 100644 --- a/salt/elastic-fleet-package-registry/soc_elastic-fleet-package-registry.yaml +++ b/salt/elastic-fleet-package-registry/soc_elastic-fleet-package-registry.yaml 
@@ -1,4 +1,5 @@ elastic_fleet_package_registry: enabled: description: Enables or disables the Fleet package registry process. This process must remain enabled to allow Elastic Agent packages to be updated. + forcedType: bool advanced: True diff --git a/salt/elasticagent/soc_elasticagent.yaml b/salt/elasticagent/soc_elasticagent.yaml index a24ac1985..c78d46c6c 100644 --- a/salt/elasticagent/soc_elasticagent.yaml +++ b/salt/elasticagent/soc_elasticagent.yaml @@ -1,4 +1,5 @@ elasticagent: enabled: description: Enables or disables the Elastic Agent process. This process must remain enabled to allow collection of node events. + forcedType: bool advanced: True diff --git a/salt/elasticfleet/soc_elasticfleet.yaml b/salt/elasticfleet/soc_elasticfleet.yaml index a212f669f..e2c40cca5 100644 --- a/salt/elasticfleet/soc_elasticfleet.yaml +++ b/salt/elasticfleet/soc_elasticfleet.yaml @@ -1,6 +1,7 @@ elasticfleet: enabled: description: Enables or disables the Elastic Fleet process. This process is critical for managing Elastic Agents. + forcedType: bool advanced: True helpLink: elastic-fleet enable_manager_output: diff --git a/salt/elasticsearch/soc_elasticsearch.yaml b/salt/elasticsearch/soc_elasticsearch.yaml index 87de0e086..0d5eff4d6 100644 --- a/salt/elasticsearch/soc_elasticsearch.yaml +++ b/salt/elasticsearch/soc_elasticsearch.yaml @@ -1,6 +1,7 @@ elasticsearch: enabled: description: Enables or disables the Elasticsearch process. This process provides the log event storage system. WARNING - Disabling this process is unsupported. + forcedType: bool advanced: True helpLink: elasticsearch version: diff --git a/salt/hydra/soc_hydra.yaml b/salt/hydra/soc_hydra.yaml index 5242d0cc7..37613246b 100644 --- a/salt/hydra/soc_hydra.yaml +++ b/salt/hydra/soc_hydra.yaml 
@@ -1,6 +1,7 @@ hydra: enabled: - description: Enables or disables the API authentication system, used for service account authentication. Enabling this feature requires a valid Security Onion license key. Defaults to False. + description: Enables or disables the API authentication system, used for service account authentication. Enabling this feature requires a valid Security Onion license key. Defaults to False. + forcedType: bool helpLink: connect-api global: True config: diff --git a/salt/idh/soc_idh.yaml b/salt/idh/soc_idh.yaml index 0ee103eb6..f23393974 100644 --- a/salt/idh/soc_idh.yaml +++ b/salt/idh/soc_idh.yaml @@ -1,6 +1,7 @@ idh: enabled: - description: Enables or disables the Intrusion Detection Honeypot (IDH) process. + description: Enables or disables the Intrusion Detection Honeypot (IDH) process. + forcedType: bool helpLink: idh opencanary: config: diff --git a/salt/influxdb/soc_influxdb.yaml b/salt/influxdb/soc_influxdb.yaml index 875e03d4a..9aaa91a84 100644 --- a/salt/influxdb/soc_influxdb.yaml +++ b/salt/influxdb/soc_influxdb.yaml @@ -1,6 +1,7 @@ influxdb: enabled: description: Enables the grid metrics collection storage system. Security Onion grid health monitoring requires this process to remain enabled. WARNING - Disabling the process is unsupported, and will cause unexpected results. + forcedType: bool helpLink: influxdb config: assets-path: diff --git a/salt/kafka/soc_kafka.yaml b/salt/kafka/soc_kafka.yaml index 93a2b871e..b8d0c7c32 100644 --- a/salt/kafka/soc_kafka.yaml +++ b/salt/kafka/soc_kafka.yaml @@ -1,6 +1,7 @@ kafka: enabled: description: Set to True to enable Kafka. To avoid grid problems, do not enable Kafka until the related configuration is in place. Requires a valid Security Onion license key. + forcedType: bool helpLink: kafka cluster_id: description: The ID of the Kafka cluster. diff --git a/salt/kibana/soc_kibana.yaml b/salt/kibana/soc_kibana.yaml index ae488d2ec..517ffe833 100644 --- a/salt/kibana/soc_kibana.yaml 
+++ b/salt/kibana/soc_kibana.yaml @@ -1,6 +1,7 @@ kibana: - enabled: + enabled: description: Enables or disables the Kibana front-end interface to Elasticsearch. Due to Kibana being used for loading certain configuration details in Elasticsearch, this process should remain enabled. WARNING - Disabling the process is unsupported, and will cause unexpected results. + forcedType: bool helpLink: kibana config: elasticsearch: diff --git a/salt/kratos/soc_kratos.yaml b/salt/kratos/soc_kratos.yaml index 13f50ac2b..d64ac6d47 100644 --- a/salt/kratos/soc_kratos.yaml +++ b/salt/kratos/soc_kratos.yaml @@ -1,6 +1,7 @@ kratos: enabled: description: Enables or disables the Kratos authentication system. WARNING - Disabling this process will cause the grid to malfunction. Re-enabling this setting will require manual effort via SSH. + forcedType: bool advanced: True helpLink: kratos diff --git a/salt/logstash/soc_logstash.yaml b/salt/logstash/soc_logstash.yaml index 71255928b..5a5816a9e 100644 --- a/salt/logstash/soc_logstash.yaml +++ b/salt/logstash/soc_logstash.yaml @@ -1,6 +1,7 @@ logstash: - enabled: + enabled: description: Enables or disables the Logstash log event forwarding process. On most grid installations, when this process is disabled log events are unable to be ingested into the SOC backend. + forcedType: bool helpLink: logstash assigned_pipelines: roles: diff --git a/salt/nginx/soc_nginx.yaml b/salt/nginx/soc_nginx.yaml index 3e5395d8f..c901c4ad9 100644 --- a/salt/nginx/soc_nginx.yaml +++ b/salt/nginx/soc_nginx.yaml @@ -1,6 +1,7 @@ nginx: - enabled: + enabled: description: Enables or disables the Nginx web server and reverse proxy. WARNING - Disabling this process will prevent access to SOC and other important web interfaces and APIs. Re-enabling the process is a manual effort. Do not change this setting without instruction from Security Onion support. + forcedType: bool advanced: True helpLink: nginx external_suricata: 
diff --git a/salt/redis/soc_redis.yaml b/salt/redis/soc_redis.yaml index e19cb88c6..bce058bc3 100644 --- a/salt/redis/soc_redis.yaml +++ b/salt/redis/soc_redis.yaml @@ -1,6 +1,7 @@ redis: - enabled: + enabled: description: Enables the log event in-memory buffering process. This process might already be disabled on some installation types. Disabling this process on distributed-capable grids can result in loss of log events. + forcedType: bool helpLink: redis config: bind: diff --git a/salt/registry/soc_registry.yaml b/salt/registry/soc_registry.yaml index 7d6cefe8c..7a936b343 100644 --- a/salt/registry/soc_registry.yaml +++ b/salt/registry/soc_registry.yaml @@ -1,4 +1,5 @@ registry: enabled: description: Enables or disables the Docker registry on the manager node. WARNING - If this process is disabled the grid will malfunction and a manual effort may be needed to re-enable the setting. + forcedType: bool advanced: True diff --git a/salt/sensoroni/soc_sensoroni.yaml b/salt/sensoroni/soc_sensoroni.yaml index 5f306335b..f7f6d441b 100644 --- a/salt/sensoroni/soc_sensoroni.yaml +++ b/salt/sensoroni/soc_sensoroni.yaml @@ -1,6 +1,7 @@ sensoroni: enabled: description: Enable or disable the per-node SOC agent process. This process is used for performing node-related jobs and reporting node metrics back to SOC. Disabling this process is unsupported and will result in an improperly functioning grid. + forcedType: bool advanced: True helpLink: grid config: diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml index b99ef4363..8fcfaa3d1 100644 --- a/salt/soc/soc_soc.yaml +++ b/salt/soc/soc_soc.yaml @@ -1,6 +1,7 @@ soc: enabled: description: Enables or disables SOC. WARNING - Disabling this setting is unsupported and will cause the grid to malfunction. Re-enabling this setting is a manual effort via SSH. + forcedType: bool advanced: True telemetryEnabled: title: SOC Telemetry 
diff --git a/salt/suricata/soc_suricata.yaml b/salt/suricata/soc_suricata.yaml index d754e2ede..60dbea356 100644 --- a/salt/suricata/soc_suricata.yaml +++ b/salt/suricata/soc_suricata.yaml @@ -1,6 +1,7 @@ suricata: - enabled: + enabled: description: Enables or disables the Suricata process. This process is used for triggering alerts and optionally for protocol metadata collection and full packet capture. + forcedType: bool helpLink: suricata thresholding: sids__yaml: diff --git a/salt/telegraf/soc_telegraf.yaml b/salt/telegraf/soc_telegraf.yaml index 19151f535..cb6a8c333 100644 --- a/salt/telegraf/soc_telegraf.yaml +++ b/salt/telegraf/soc_telegraf.yaml @@ -1,6 +1,7 @@ telegraf: - enabled: + enabled: description: Enables the grid metrics collection process. WARNING - Security Onion grid health monitoring requires this process to remain enabled. Disabling it will cause unexpected and unsupported results. + forcedType: bool advanced: True helpLink: influxdb config: diff --git a/salt/zeek/soc_zeek.yaml b/salt/zeek/soc_zeek.yaml index 787185469..332702687 100644 --- a/salt/zeek/soc_zeek.yaml +++ b/salt/zeek/soc_zeek.yaml @@ -1,6 +1,7 @@ zeek: enabled: description: Controls whether the Zeek (network packet inspection) process runs. Disabling this process could result in loss of network protocol metadata. If Suricata was selected as the protocol metadata engine during setup then this will already be disabled. + forcedType: bool helpLink: zeek ja4plus_enabled: description: "Enables JA4+ fingerprinting (JA4S, JA4D, JA4H, JA4L, JA4SSH, JA4T, JA4TS, JA4X). By enabling this, you agree to the terms of the JA4+ license (https://github.com/FoxIO-LLC/ja4/blob/main/LICENSE-JA4)." From c92aedfff3e04539f49e2399aef2e99729ede65a Mon Sep 17 00:00:00 2001 
From: Josh Patterson Date: Thu, 19 Mar 2026 13:06:32 -0400 Subject: [PATCH 02/21] ensure bool sliders for elastalert config options --- salt/elastalert/soc_elastalert.yaml | 34 +++++++++++++++++++++++++++++ 1 file changed, 34 insertions(+) diff --git a/salt/elastalert/soc_elastalert.yaml b/salt/elastalert/soc_elastalert.yaml index 44868ab7b..f11d03ba6 100644 --- a/salt/elastalert/soc_elastalert.yaml +++ b/salt/elastalert/soc_elastalert.yaml @@ -97,8 +97,14 @@ elastalert: file: True helpLink: elastalert config: + scan_subdirectories: + description: Recursively scan subdirectories for rules. + forcedType: bool + global: True + helpLink: elastalert disable_rules_on_error: description: Disable rules on failure. + forcedType: bool global: True helpLink: elastalert run_every: @@ -124,6 +130,16 @@ elastalert: description: The maximum number of documents that will be returned from Elasticsearch in a single query. global: True helpLink: elastalert + use_ssl: + description: Use SSL to connect to Elasticsearch. + forcedType: bool + global: True + helpLink: elastalert + verify_certs: + description: Verify TLS certificates when connecting to Elasticsearch. + forcedType: bool + global: True + helpLink: elastalert alert_time_limit: days: description: The retry window for failed alerts. 
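Review bot: The new `use_ssl` and `verify_certs` entries in the `@@ -124` hunk turn the TLS posture of the ElastAlert-to-Elasticsearch connection into plain sliders with no `advanced: True` and no warning, whereas the security-relevant toggles added elsewhere in this series (for example the Elasticsearch `xpack.security` entries) are at least marked advanced. Switching `verify_certs` off makes the alerter accept any certificate presented by the Elasticsearch endpoint, so the description should say so: `description: Verify TLS certificates when connecting to Elasticsearch. WARNING - Disabling this removes protection against a spoofed Elasticsearch endpoint and is unsupported.` Both entries should also carry `advanced: True`, and `use_ssl` could say TLS rather than SSL to match the wording of `verify_certs`.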
@@ -138,3 +154,21 @@ elastalert: description: The number of replicas for elastalert indices. global: True helpLink: elastalert + logging: + incremental: + description: When incremental is false (the default), the logging configuration is applied in full, replacing any existing logging setup. When true, only the level attributes of existing loggers and handlers are updated, leaving the rest of the logging configuration unchanged. + forcedType: bool + global: True + helpLink: elastalert + disable_existing_loggers: + description: Disable existing loggers. + forcedType: bool + global: True + helpLink: elastalert + loggers: + '': + propagate: + description: Propagate log messages to parent loggers. + forcedType: bool + global: True + helpLink: elastalert From d3f819017b982cb70f6c2ede969ae83e5117f169 Mon Sep 17 00:00:00 2001 From: Josh Patterson Date: Thu, 19 Mar 2026 13:13:26 -0400 Subject: [PATCH 03/21] ensure bool sliders for elasticfleet config options --- salt/elasticfleet/soc_elasticfleet.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/salt/elasticfleet/soc_elasticfleet.yaml b/salt/elasticfleet/soc_elasticfleet.yaml index e2c40cca5..710b7c1ff 100644 --- a/salt/elasticfleet/soc_elasticfleet.yaml +++ b/salt/elasticfleet/soc_elasticfleet.yaml @@ -38,6 +38,7 @@ elasticfleet: defend_filters: enable_auto_configuration: description: Enable auto-configuration and management of the Elastic Defend Exclusion filters. + forcedType: bool global: True helpLink: elastic-fleet advanced: True @@ -100,6 +101,7 @@ elasticfleet: forcedType: "[]string" enable_auto_configuration: description: Enable auto-configuration of Logstash Outputs & Fleet Host URLs. + forcedType: bool global: True helpLink: elastic-fleet advanced: True From 20bf88b33825353371cbaaec0b0e9a2a3a1b6106 Mon Sep 17 00:00:00 2001 
From: Josh Patterson Date: Thu, 19 Mar 2026 13:52:40 -0400 Subject: [PATCH 04/21] ensure bool sliders for elasticsearch --- salt/elasticsearch/soc_elasticsearch.yaml | 59 +++++++++++++++++++++-- 1 file changed, 55 insertions(+), 4 deletions(-) diff --git a/salt/elasticsearch/soc_elasticsearch.yaml b/salt/elasticsearch/soc_elasticsearch.yaml index 0d5eff4d6..b96c58dbe 100644 --- a/salt/elasticsearch/soc_elasticsearch.yaml +++ b/salt/elasticsearch/soc_elasticsearch.yaml @@ -43,8 +43,9 @@ elasticsearch: routing: allocation: disk: - threshold_enabled: + threshold_enabled: description: Specifies whether the Elasticsearch node will monitor the available disk space for low disk space conditions and take action to protect the cluster. + forcedType: bool helpLink: elasticsearch watermark: low: 
@@ -56,18 +57,64 @@ elasticsearch: flood_stage: description: The max percentage of used disk space that will cause the node to take protective actions, such as blocking incoming events. helpLink: elasticsearch + action: + destructive_requires_name: + description: Requires explicit index names when deleting indices. Prevents accidental deletion of indices via wildcard patterns. + advanced: True + forcedType: bool + helpLink: elasticsearch script: - max_compilations_rate: + max_compilations_rate: description: Max rate of script compilations permitted in the Elasticsearch cluster. Larger values will consume more resources. global: True helpLink: elasticsearch indices: + id_field_data: + enabled: + description: Enables or disables loading of field data on the _id field. + advanced: True + forcedType: bool + helpLink: elasticsearch query: bool: - max_clause_count: + max_clause_count: description: Max number of boolean clauses per query. global: True helpLink: elasticsearch + xpack: + ml: + enabled: + description: Enables or disables machine learning on the node. + forcedType: bool + advanced: True + helpLink: elasticsearch + security: + enabled: + description: Enables or disables Elasticsearch security features. + forcedType: bool + advanced: True + helpLink: elasticsearch + authc: + anonymous: + authz_exception: + description: Controls whether an authorization exception is thrown when anonymous user does not have the required privileges. + advanced: True + forcedType: bool + helpLink: elasticsearch + http: + ssl: + enabled: + description: Enables or disables TLS/SSL for the HTTP layer. + advanced: True + forcedType: bool + helpLink: elasticsearch + transport: + ssl: + enabled: + description: Enables or disables TLS/SSL for the transport layer. + advanced: True + forcedType: bool + helpLink: elasticsearch pipelines: custom001: &pipelines description: 
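Review bot: `xpack.security.enabled`, `xpack.security.http.ssl.enabled` and `xpack.security.transport.ssl.enabled` become editable sliders guarded only by `advanced: True`; setting any of them to false disables authentication or encryption for the whole cluster, yet their descriptions carry no warning, unlike the top-level `enabled` entry in this file (`WARNING - Disabling this process is unsupported.`). Consider `readonly: True`, which this file already uses for the `data_stream` settings in the `@@ -650` hunk, or at minimum a matching sentence in each description, e.g. `description: Enables or disables Elasticsearch security features. WARNING - Disabling this removes authentication and TLS for the cluster and is unsupported.` The new entries also order `advanced` and `forcedType` inconsistently (`destructive_requires_name` lists `advanced` first, `xpack.ml.enabled` lists `forcedType` first); pick one order for the file.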
@@ -265,8 +312,9 @@ elasticsearch: global: True helpLink: elasticsearch so-logs: &indexSettings - index_sorting: + index_sorting: description: Sorts the index by event time, at the cost of additional processing resource consumption. + forcedType: bool global: True advanced: True helpLink: elasticsearch @@ -610,6 +658,7 @@ elasticsearch: so-metrics-fleet_server_x_agent_status: &fleetMetricsSettings index_sorting: description: Sorts the index by event time, at the cost of additional processing resource consumption. + forcedType: bool advanced: True readonly: True helpLink: elasticsearch @@ -650,11 +699,13 @@ elasticsearch: data_stream: hidden: description: Hide the data stream. + forcedType: bool advanced: True readonly: True helpLink: elasticsearch allow_custom_routing: description: Allow custom routing for the data stream. + forcedType: bool advanced: True readonly: True helpLink: elasticsearch From 034b1d045b637ecea72ed90f786f827982142ebb Mon Sep 17 00:00:00 2001 From: Josh Patterson Date: Thu, 19 Mar 2026 14:00:20 -0400 Subject: [PATCH 05/21] ensure bool sliders for idh --- salt/idh/soc_idh.yaml | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/salt/idh/soc_idh.yaml b/salt/idh/soc_idh.yaml index f23393974..7cda82390 100644 --- a/salt/idh/soc_idh.yaml +++ b/salt/idh/soc_idh.yaml @@ -3,6 +3,10 @@ idh: description: Enables or disables the Intrusion Detection Honeypot (IDH) process. forcedType: bool helpLink: idh + restrict_management_ip: + description: Restricts management IP access to the IDH node. + forcedType: bool + helpLink: idh opencanary: config: logger: @@ -25,6 +29,7 @@ idh: filename: *loggingOptions portscan_x_enabled: &serviceOptions description: To enable this opencanary module, set this value to true. To disable set to false. This option only applies to IDH nodes within your grid. + forcedType: bool helpLink: idh portscan_x_logfile: *loggingOptions portscan_x_synrate: 
@@ -126,8 +131,9 @@ idh: vnc_x_enabled: *serviceOptions vnc_x_port: *portOptions openssh: - enable: + enable: description: This is the real SSH service for the host machine. + forcedType: bool helpLink: idh config: port: From 1b1e602716d8984bbc48cabed55a2bafd9a8d273 Mon Sep 17 00:00:00 2001 From: Josh Patterson Date: Thu, 19 Mar 2026 14:16:37 -0400 Subject: [PATCH 06/21] ensure bool sliders for influxdb --- salt/influxdb/soc_influxdb.yaml | 17 +++++++++++++++-- 1 file changed, 15 insertions(+), 2 deletions(-) diff --git a/salt/influxdb/soc_influxdb.yaml b/salt/influxdb/soc_influxdb.yaml index 9aaa91a84..3dbf0875b 100644 --- a/salt/influxdb/soc_influxdb.yaml +++ b/salt/influxdb/soc_influxdb.yaml @@ -26,11 +26,13 @@ influxdb: helpLink: influxdb flux-log-enabled: description: Controls whether detailed flux query logging is enabled. + forcedType: bool global: True advanced: True helpLink: influxdb hardening-enabled: description: If true, enforces outbound connections from the InfluxDB process must never attempt to reach an internal, private network address. + forcedType: bool global: True advanced: True helpLink: influxdb @@ -87,16 +89,19 @@ influxdb: helpLink: influxdb metrics-disabled: description: If true, the HTTP endpoint that exposes internal InfluxDB metrics will be inaccessible. + forcedType: bool global: True advanced: True helpLink: influxdb no-tasks: description: If true, the task system will not process any queued tasks. Useful for troubleshooting startup problems. + forcedType: bool global: True advanced: True helpLink: influxdb pprof-disabled: description: If true, the profiling data HTTP endpoint will be inaccessible. + forcedType: bool global: True advanced: True helpLink: influxdb @@ -127,6 +132,7 @@ influxdb: helpLink: influxdb reporting-disabled: description: If true, prevents InfluxDB from sending telemetry updates to InfluxData's servers. + forcedType: bool global: True advanced: True helpLink: influxdb 
@@ -143,6 +149,7 @@ influxdb: helpLink: influxdb session-renew-disabled: description: If true, user login sessions will renew after each request. + forcedType: bool global: True advanced: True helpLink: influxdb @@ -188,6 +195,7 @@ influxdb: helpLink: influxdb storage-no-validate-field-size: description: If true, incoming requests will skip the field size validation. + forcedType: bool global: True advanced: True helpLink: influxdb @@ -218,11 +226,13 @@ influxdb: helpLink: influxdb storage-tsm-use-madv-willneed: description: If true, InfluxDB will manage TSM memory paging. + forcedType: bool global: True advanced: True helpLink: influxdb storage-validate-keys: description: If true, validates incoming requests for supported characters. + forcedType: bool global: True advanced: True helpLink: influxdb @@ -269,6 +279,7 @@ influxdb: helpLink: influxdb tls-strict-ciphers: description: If true, the allowed ciphers used with TLS connections are ECDHE_RSA_WITH_AES_256_GCM_SHA384, ECDHE_RSA_WITH_AES_256_CBC_SHA, RSA_WITH_AES_256_GCM_SHA384, or RSA_WITH_AES_256_CBC_SHA. + forcedType: bool global: True advanced: True helpLink: influxdb @@ -277,8 +288,9 @@ influxdb: global: True advanced: True helpLink: influxdb - ui-disabled: + ui-disabled: description: If true, the InfluxDB HTTP user interface will be disabled. This will prevent use of the included InfluxDB dashboard visualizations. + forcedType: bool global: True advanced: True helpLink: influxdb @@ -317,8 +329,9 @@ influxdb: global: True advanced: True helpLink: influxdb - vault-skip-verify: + vault-skip-verify: description: Skip certification validation of the Vault server. + forcedType: bool global: True advanced: True helpLink: influxdb From 8251d56a96e7adc1d0df46315e5402ba5f94c41d Mon Sep 17 00:00:00 2001 
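Review bot: The description of `session-renew-disabled` in the `@@ -143` hunk contradicts the option name: `If true, user login sessions will renew after each request.` reads as the behaviour of the flag being false, and making it a one-click bool slider makes the mislabel more likely to be acted on. If the flag follows its name, the text should be `description: If true, user login sessions will not be renewed on each request.` The entry is unchanged otherwise and the surrounding keys are outside the hunk.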
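Review bot: `vault-skip-verify` in the `@@ -317` hunk becomes a slider, but its description `Skip certification validation of the Vault server.` misspells certificate and does not state the consequence of enabling it. Suggest `description: Skip TLS certificate validation of the Vault server. WARNING - Enabling this accepts any certificate presented by the Vault endpoint and should only be used for troubleshooting.` The existing `advanced: True` on this entry is appropriate and should stay.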
From: Josh Patterson Date: Thu, 19 Mar 2026 14:24:13 -0400 Subject: [PATCH 07/21] ensure bool sliders for kibana --- salt/kibana/soc_kibana.yaml | 35 +++++++++++++++++++++++++++++++++++ 1 file changed, 35 insertions(+) diff --git a/salt/kibana/soc_kibana.yaml b/salt/kibana/soc_kibana.yaml index 517ffe833..168830bbd 100644 --- a/salt/kibana/soc_kibana.yaml +++ b/salt/kibana/soc_kibana.yaml @@ -4,8 +4,43 @@ kibana: forcedType: bool helpLink: kibana config: + server: + rewriteBasePath: + description: Specifies whether Kibana should rewrite requests that are prefixed with the server basePath. + forcedType: bool + global: True + advanced: True + helpLink: kibana elasticsearch: requestTimeout: description: The length of time before the request reaches timeout. global: True helpLink: kibana + telemetry: + enabled: + description: Enables or disables telemetry data collection in Kibana. + forcedType: bool + global: True + advanced: True + helpLink: kibana + xpack: + security: + secureCookies: + description: Sets the secure flag on session cookies. Cookies are only sent over HTTPS when enabled. + forcedType: bool + global: True + advanced: True + helpLink: kibana + showInsecureClusterWarning: + description: Shows a warning in Kibana when the cluster does not have security enabled. + forcedType: bool + global: True + advanced: True + helpLink: kibana + apm: + enabled: + description: Enables or disables the APM agent in Kibana. + forcedType: bool + global: True + advanced: True + helpLink: kibana From bfeefeea2fa0dfff048e8212857a6927f72f2560 Mon Sep 17 00:00:00 2001 From: Josh Patterson Date: Thu, 19 Mar 2026 14:36:05 -0400 Subject: [PATCH 08/21] ensure bool sliders for kratos --- salt/kratos/soc_kratos.yaml | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/salt/kratos/soc_kratos.yaml b/salt/kratos/soc_kratos.yaml index d64ac6d47..1cd2728c8 100644 --- a/salt/kratos/soc_kratos.yaml +++ b/salt/kratos/soc_kratos.yaml 
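Review bot: The new `xpack.security.secureCookies` and `showInsecureClusterWarning` sliders in the `@@ -4` hunk describe what the option does but not what disabling it costs, unlike the WARNING-style description on this file's top-level `enabled` entry. Turning `secureCookies` off allows the Kibana session cookie to be sent over plain HTTP, so the description should carry that caveat: `description: Sets the secure flag on session cookies so they are only sent over HTTPS. WARNING - Disabling this exposes session cookies on unencrypted connections and is unsupported.` `showInsecureClusterWarning` could likewise note that disabling it hides, rather than fixes, an unsecured cluster.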
@@ -6,8 +6,9 @@ kratos: helpLink: kratos oidc: - enabled: + enabled: description: Set to True to enable OIDC / Single Sign-On (SSO) to SOC. Requires a valid Security Onion license key. + forcedType: bool global: True helpLink: oidc config: @@ -81,6 +82,7 @@ kratos: email: essential: description: Specifies whether the email claim is necessary. Typically leave this value set to true. + forcedType: bool advanced: True global: True helpLink: oidc @@ -108,19 +110,22 @@ kratos: selfservice: methods: password: - enabled: + enabled: description: Set to True to enable traditional password authentication to SOC. Typically set to true, except when exclusively using OIDC authentication. Some external tool interfaces may not be accessible if local password authentication is disabled. + forcedType: bool global: True advanced: True helpLink: oidc config: haveibeenpwned_enabled: description: Set to True to check if a newly chosen password has ever been found in a published list of previously-compromised passwords. Requires outbound Internet connectivity when enabled. + forcedType: bool global: True helpLink: kratos totp: - enabled: + enabled: description: Set to True to enable Time-based One-Time Password (TOTP) multi-factor authentication (MFA) to SOC. Enable to ensure proper security protections remain in place. Be aware that disabling this setting, after users have already setup TOTP, may prevent users from logging in. + forcedType: bool global: True helpLink: kratos config: 
@@ -131,11 +136,13 @@ kratos: webauthn: enabled: description: Set to True to enable Security Keys (WebAuthn / PassKeys) for passwordless or multi-factor authentication (MFA) SOC logins. Security Keys are a Public-Key Infrastructure (PKI) based authentication method, typically involving biometric hardware devices, such as laptop fingerprint scanners and USB hardware keys. Be aware that disabling this setting, after users have already setup their accounts with Security Keys, may prevent users from logging in. + forcedType: bool global: True helpLink: kratos config: - passwordless: + passwordless: description: Set to True to utilize Security Keys (WebAuthn / PassKeys) for passwordless logins. Set to false to utilize Security Keys as a multi-factor authentication (MFA) method supplementing password logins. Be aware that changing this value, after users have already setup their accounts with the previous value, may prevent users from logging in. + forcedType: bool global: True helpLink: kratos rp: From 30ea309dffb2771e8ece537976042d6923c72cab Mon Sep 17 00:00:00 2001 From: Josh Patterson Date: Thu, 19 Mar 2026 14:36:36 -0400 Subject: [PATCH 09/21] ensure bool sliders for manager --- salt/manager/soc_manager.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/manager/soc_manager.yaml b/salt/manager/soc_manager.yaml index 7f67eef34..78711d782 100644 --- a/salt/manager/soc_manager.yaml +++ b/salt/manager/soc_manager.yaml @@ -2,6 +2,7 @@ manager: reposync: enabled: description: This is the daily task of syncing the Security Onion OS packages. It is recommended that this setting remain enabled to ensure important updates are applied to the grid on an automated, scheduled basis. + forcedType: bool global: True helpLink: soup hour: From 442bd1499ddf99c2e3f333a6a6488bf14d11372c Mon Sep 17 00:00:00 2001 
From: Josh Patterson Date: Thu, 19 Mar 2026 14:39:10 -0400 Subject: [PATCH 10/21] ensure bool sliders for patch --- salt/patch/soc_patch.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/patch/soc_patch.yaml b/salt/patch/soc_patch.yaml index 893e901e0..b22c177f2 100644 --- a/salt/patch/soc_patch.yaml +++ b/salt/patch/soc_patch.yaml @@ -2,6 +2,7 @@ patch: os: enabled: description: Enable OS updates. WARNING - Disabling this setting will prevent important operating system updates from being applied on a scheduled basis. + forcedType: bool helpLink: soup schedule_to_run: description: Currently running schedule for updates. From ce972238fe9a00fdc420faa4b31092bc08f3cf70 Mon Sep 17 00:00:00 2001 From: Josh Patterson Date: Thu, 19 Mar 2026 14:41:49 -0400 Subject: [PATCH 11/21] ensure bool sliders sensoroni --- salt/sensoroni/soc_sensoroni.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/sensoroni/soc_sensoroni.yaml b/salt/sensoroni/soc_sensoroni.yaml index f7f6d441b..73920e9b7 100644 --- a/salt/sensoroni/soc_sensoroni.yaml +++ b/salt/sensoroni/soc_sensoroni.yaml @@ -8,6 +8,7 @@ sensoroni: analyze: enabled: description: Enable or disable the analyzer. + forcedType: bool advanced: True helpLink: cases timeout_ms: From 7af6efda1e4263ff4788015fbde2b2d479c985ac Mon Sep 17 00:00:00 2001 From: Josh Patterson Date: Thu, 19 Mar 2026 14:46:49 -0400 Subject: [PATCH 12/21] ensure bool sliders strelka --- salt/strelka/soc_strelka.yaml | 21 +++++++++++++++------ 1 file changed, 15 insertions(+), 6 deletions(-) diff --git a/salt/strelka/soc_strelka.yaml b/salt/strelka/soc_strelka.yaml index 001e28cb9..0066bd6c3 100644 --- a/salt/strelka/soc_strelka.yaml +++ b/salt/strelka/soc_strelka.yaml @@ -1,7 +1,8 @@ strelka: backend: - enabled: + enabled: description: Enables or disables the Strelka file analysis process. + forcedType: bool helpLink: strelka config: backend: 
@@ -420,8 +421,9 @@ strelka: helpLink: strelka multiline: True filestream: - enabled: + enabled: description: You can enable or disable Strelka filestream. + forcedType: bool helpLink: strelka config: conn: @@ -478,12 +480,14 @@ strelka: advanced: True delete: description: Boolean that determines if files should be deleted after being sent for scanning. + forcedType: bool readonly: False global: False helpLink: strelka advanced: True gatekeeper: description: Boolean that determines if events should be pulled from the temporary event cache. + forcedType: bool readonly: False global: False helpLink: strelka @@ -514,8 +518,9 @@ strelka: helpLink: strelka advanced: True frontend: - enabled: + enabled: description: You can enable or disable Strelka frontend. + forcedType: bool helpLink: strelka config: server: @@ -564,8 +569,9 @@ strelka: helpLink: strelka advanced: True manager: - enabled: + enabled: description: You can enable or disable Strelka manager. + forcedType: bool helpLink: strelka config: coordinator: @@ -582,16 +588,19 @@ strelka: helpLink: strelka advanced: True coordinator: - enabled: + enabled: description: You can enable or disable Strelka coordinator. + forcedType: bool helpLink: strelka gatekeeper: - enabled: + enabled: description: You can enable or disable Strelka gatekeeper. + forcedType: bool helpLink: strelka rules: enabled: description: Boolean that determines if yara rules sync from the Salt manager to the backend nodes. + forcedType: bool readonly: False global: False helpLink: strelka From 14d254e81bce5d6d1d164125956caf0b4785ac67 Mon Sep 17 00:00:00 2001 From: Josh Patterson Date: Thu, 19 Mar 2026 15:02:45 -0400 Subject: [PATCH 13/21] ensure bool sliders suricata --- salt/suricata/soc_suricata.yaml | 84 +++++++++++++++++++++++++++++++-- 1 file changed, 80 insertions(+), 4 deletions(-) diff --git a/salt/suricata/soc_suricata.yaml b/salt/suricata/soc_suricata.yaml index 60dbea356..34399fc7a 100644 --- a/salt/suricata/soc_suricata.yaml 
+++ b/salt/suricata/soc_suricata.yaml @@ -199,8 +199,39 @@ suricata: GENEVE_PORTS: *suriportgroup outputs: eve-log: + pcap-file: + description: Log the PCAP filename that a packet was read from when processing pcap files. + forcedType: bool + advanced: True + helpLink: suricata + community-id: + description: Enable Community ID flow hashing for consistent event correlation across tools. + forcedType: bool + helpLink: suricata types: alert: + metadata: + app-layer: + description: Include app-layer metadata in alert events. + forcedType: bool + advanced: True + helpLink: suricata + flow: + description: Include flow metadata in alert events. + forcedType: bool + advanced: True + helpLink: suricata + rule: + metadata: + description: Include rule metadata in alert events. + forcedType: bool + advanced: True + helpLink: suricata + raw: + description: Include raw rule text in alert events. + forcedType: bool + advanced: True + helpLink: suricata xff: enabled: description: Enable X-Forward-For support. @@ -287,6 +318,7 @@ suricata: teredo: enabled: description: Enable TEREDO capabilities + forcedType: bool helpLink: suricata ports: description: Ports to listen for. This should be a variable. 
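Review bot: `xff.enabled` at the tail of the `@@ -199` hunk is a boolean toggle (`Enable X-Forward-For support.`) but is left without `forcedType: bool`, unlike the enable flags this series types, so it will still render as a free-text field; add `forcedType: bool` beneath its description. While editing that entry, the header name is misspelled; it should read `description: Enable X-Forwarded-For support.` Separately, `community-id` is the only new entry in this hunk without `advanced: True`; if that is deliberate because it is commonly tuned, fine, otherwise align it with its siblings.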
@@ -294,14 +326,58 @@ suricata: vxlan: enabled: description: Enable VXLAN capabilities. + forcedType: bool helpLink: suricata - ports: - description: Ports to listen for. This should be a variable. + ports: + description: Ports to listen for. This should be a variable. helpLink: suricata geneve: enabled: description: Enable VXLAN capabilities. + forcedType: bool helpLink: suricata - ports: - description: Ports to listen for. This should be a variable. + ports: + description: Ports to listen for. This should be a variable. + helpLink: suricata + recursion-level: + use-for-tracking: + description: Controls whether the decoder recursion level is used for flow tracking. + forcedType: bool + advanced: True + helpLink: suricata + vlan: + use-for-tracking: + description: Enable VLAN tracking for flow identification. When enabled, VLAN tags are used to differentiate flows. + forcedType: bool + advanced: True + helpLink: suricata + detect: + profiling: + grouping: + dump-to-disk: + description: Dump detection engine grouping information to disk for analysis. + forcedType: bool + advanced: True + helpLink: suricata + include-rules: + description: Include individual rule details in grouping profiling output. + forcedType: bool + advanced: True + helpLink: suricata + include-mpm-stats: + description: Include multi-pattern matcher statistics in grouping profiling output. + forcedType: bool + advanced: True + helpLink: suricata + security: + lua: + allow-rules: + description: Allow Lua rules in the Suricata ruleset. Enabling Lua rules may introduce security risks. + forcedType: bool + advanced: True + helpLink: suricata + allow-restricted-functions: + description: Allow restricted Lua functions such as file I/O. Enabling this may introduce security risks. + forcedType: bool + advanced: True helpLink: suricata From 7ece93d7e0c60567173fb358f7b9de8ab222a436 Mon Sep 17 00:00:00 2001 
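Review bot: The `geneve.enabled` description in this hunk still reads `Enable VXLAN capabilities.`, duplicating the vxlan entry a few lines above, so the new bool slider for GENEVE decoding is labelled as a VXLAN setting; change it to `description: Enable GENEVE capabilities.` while the sibling `ports` key is being re-indented here anyway. The new `security.lua.allow-rules` and `allow-restricted-functions` entries are rightly marked `advanced: True`, but their descriptions would help operators more if they named the concrete consequence (the second one already mentions file I/O from rule scripts) instead of repeating the generic phrase "may introduce security risks".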
From: Josh Patterson
Date: Thu, 19 Mar 2026 15:12:47 -0400
Subject: [PATCH 14/21] ensure bool sliders telegraf
---
 salt/telegraf/defaults.yaml | 4 ++--
 salt/telegraf/etc/telegraf.conf | 4 ++--
 salt/telegraf/soc_telegraf.yaml | 8 ++++----
 3 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/salt/telegraf/defaults.yaml b/salt/telegraf/defaults.yaml
index a46592e90..eaf691e74 100644
--- a/salt/telegraf/defaults.yaml
+++ b/salt/telegraf/defaults.yaml
@@ -7,8 +7,8 @@ telegraf:
 collection_jitter: '0s'
 flush_interval: '10s'
 flush_jitter: '0s'
- debug: 'false'
- quiet: 'false'
+ debug: False
+ quiet: False
 scripts:
 eval:
 - agentstatus.sh
diff --git a/salt/telegraf/etc/telegraf.conf b/salt/telegraf/etc/telegraf.conf
index 05ed70d68..b215fec89 100644
--- a/salt/telegraf/etc/telegraf.conf
+++ b/salt/telegraf/etc/telegraf.conf
@@ -56,9 +56,9 @@ ## Logging configuration:
 ## Run telegraf with debug log messages.
- debug = {{ TELEGRAFMERGED.config.debug }}
+ debug = {{ TELEGRAFMERGED.config.debug | lower }}
 ## Run telegraf in quiet mode (error log messages only).
- quiet = false
+ quiet = {{ TELEGRAFMERGED.config.quiet | lower }}
 ## Specify the log file name. The empty string means to log to stderr.
 logfile = "/var/log/telegraf/telegraf.log"
diff --git a/salt/telegraf/soc_telegraf.yaml b/salt/telegraf/soc_telegraf.yaml
index cb6a8c333..40ae7fed8 100644
--- a/salt/telegraf/soc_telegraf.yaml
+++ b/salt/telegraf/soc_telegraf.yaml
@@ -35,13 +35,13 @@ telegraf:
 advanced: True
 helpLink: influxdb
 debug:
- description: Data collection interval.
- global: True
+ description: Run telegraf with debug log messages
+ forcedType: bool
 advanced: True
 helpLink: influxdb
 quiet:
- description: Data collection interval.
- global: True
+ description: Run telegraf in quiet mode (error log messages only).
+ forcedType: bool
 advanced: True
 helpLink: influxdb
 scripts:
From 5c53244b54b7d491fcda253f38595bf219f69f7a Mon Sep 17 00:00:00 2001
From: Josh Patterson Date: Thu, 19 Mar 2026 16:41:17 -0400 Subject: [PATCH 15/21] convert suricata config yes/no to true/false --- salt/suricata/defaults.yaml | 184 ++++++++++++++++---------------- salt/suricata/soc_suricata.yaml | 45 ++++---- 2 files changed, 118 insertions(+), 111 deletions(-) diff --git a/salt/suricata/defaults.yaml b/salt/suricata/defaults.yaml index 811053cd0..818a7bf89 100644 --- a/salt/suricata/defaults.yaml +++ b/salt/suricata/defaults.yaml @@ -1,20 +1,20 @@ suricata: enabled: False pcap: - enabled: "no" + enabled: false filesize: 1000mb maxsize: 25 compression: "none" - lz4-checksum: "no" + lz4-checksum: false lz4-level: 8 filename: "%n/so-pcap.%t" mode: "multi" - use-stream-depth: "no" + use-stream-depth: false conditional: "all" dir: "/nsm/suripcap" config: threading: - set-cpu-affinity: "no" + set-cpu-affinity: false cpu-affinity: management-cpu-set: cpu: @@ -29,17 +29,17 @@ suricata: interface: bond0 cluster-id: 59 cluster-type: cluster_flow - defrag: "yes" - use-mmap: "yes" - mmap-locked: "no" + defrag: true + use-mmap: true + mmap-locked: false threads: 1 - tpacket-v3: "yes" + tpacket-v3: true ring-size: 5000 block-size: 69632 block-timeout: 10 - use-emergency-flush: "yes" + use-emergency-flush: true buffer-size: 32768 - disable-promisc: "no" + disable-promisc: false checksum-checks: kernel vars: address-groups: @@ -105,15 +105,15 @@ suricata: - 6081 default-log-dir: /var/log/suricata/ stats: - enabled: "yes" + enabled: true interval: 30 outputs: fast: - enabled: "no" + enabled: false filename: fast.log - append: "yes" + append: true eve-log: - enabled: "yes" + enabled: true filetype: regular filename: /nsm/eve-%Y-%m-%d-%H:%M.json rotate-interval: hour 
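Review bot: After this first hunk of salt/suricata/defaults.yaml the file mixes two boolean spellings: the untouched `enabled: False` on line 2 keeps the capitalised form while every converted key below it (`pcap.enabled`, `lz4-checksum`, `use-stream-depth`, `set-cpu-affinity`) uses lowercase `false`. Both load as booleans, but yamllint's `truthy` rule flags the mixture and patch 21 of this series later lowercases telegraf's defaults for the same reason; changing it to `enabled: false` here would keep the file self-consistent.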
@@ -122,104 +122,104 @@ suricata: community-id-seed: 0 types: alert: - payload: "no" + payload: false payload-buffer-size: 4kb - payload-printable: "yes" - packet: "yes" + payload-printable: true + packet: true metadata: app-layer: false flow: false rule: metadata: true raw: true - tagged-packets: "no" + tagged-packets: false xff: - enabled: "no" + enabled: false mode: extra-data deployment: reverse header: X-Forwarded-For unified2-alert: - enabled: "no" + enabled: false tls-store: - enabled: "no" + enabled: false alert-debug: - enabled: "no" + enabled: false alert-prelude: - enabled: "no" + enabled: false stats: - enabled: "yes" + enabled: true filename: stats.log - append: "yes" - totals: "yes" - threads: "no" - null-values: "yes" + append: true + totals: true + threads: false + null-values: true drop: - enabled: "no" + enabled: false file-store: version: 2 - enabled: "no" + enabled: false xff: - enabled: "no" + enabled: false mode: extra-data deployment: reverse header: X-Forwarded-For tcp-data: - enabled: "no" + enabled: false type: file filename: tcp-data.log http-body-data: - enabled: "no" + enabled: false type: file filename: http-data.log lua: - enabled: "no" + enabled: false scripts: logging: default-log-level: notice outputs: - console: - enabled: "yes" + enabled: true - file: - enabled: "yes" + enabled: true level: info filename: suricata.log - syslog: - enabled: "no" + enabled: false facility: local5 format: "[%i] <%d> -- " app-layer: protocols: krb5: - enabled: "yes" + enabled: true snmp: - enabled: "yes" + enabled: true ikev2: - enabled: "yes" + enabled: true tls: - enabled: "yes" + enabled: true detection-ports: dp: 443 ja3-fingerprints: auto ja4-fingerprints: auto encryption-handling: track-only dcerpc: - enabled: "yes" + enabled: true ftp: - enabled: "yes" + enabled: true rdp: - enabled: "yes" + enabled: true ssh: - enabled: "yes" + enabled: true smtp: - enabled: "yes" - raw-extraction: "no" + enabled: true + raw-extraction: false mime: - 
decode-mime: "yes" - decode-base64: "yes" - decode-quoted-printable: "yes" + decode-mime: true + decode-base64: true + decode-quoted-printable: true header-value-depth: 2000 - extract-urls: "yes" - body-md5: "no" + extract-urls: true + body-md5: false inspected-tracker: content-limit: 100000 content-inspect-min-size: 32768 @@ -227,27 +227,27 @@ suricata: imap: enabled: detection-only smb: - enabled: "yes" + enabled: true detection-ports: dp: 139, 445 nfs: - enabled: "yes" + enabled: true tftp: - enabled: "yes" + enabled: true dns: global-memcap: 16mb state-memcap: 512kb request-flood: 500 tcp: - enabled: "yes" + enabled: true detection-ports: dp: 53 udp: - enabled: "yes" + enabled: true detection-ports: dp: 53 http: - enabled: "yes" + enabled: true libhtp: default-config: personality: IDS @@ -260,43 +260,43 @@ suricata: response-body-decompress-layer-limit: 2 http-body-inline: auto swf-decompression: - enabled: "no" + enabled: false type: both compress-depth: 100 KiB decompress-depth: 100 KiB - randomize-inspection-sizes: "yes" + randomize-inspection-sizes: true randomize-inspection-range: 10 - double-decode-path: "no" - double-decode-query: "no" + double-decode-path: false + double-decode-query: false server-config: modbus: - enabled: "yes" + enabled: true detection-ports: dp: 502 stream-depth: 0 dnp3: - enabled: "yes" + enabled: true detection-ports: dp: 20000 enip: - enabled: "yes" + enabled: true detection-ports: dp: 44818 sp: 44818 ntp: - enabled: "yes" + enabled: true dhcp: - enabled: "yes" + enabled: true sip: - enabled: "yes" + enabled: true rfb: - enabled: 'yes' + enabled: true detection-ports: dp: 5900, 5901, 5902, 5903, 5904, 5905, 5906, 5907, 5908, 5909 mqtt: - enabled: 'no' + enabled: false http2: - enabled: 'yes' + enabled: true asn1-max-frames: 256 run-as: user: suricata 
@@ -312,8 +312,8 @@ suricata: legacy: uricontent: enabled engine-analysis: - rules-fast-pattern: "yes" - rules: "yes" + rules-fast-pattern: true + rules: true pcre: match-limit: 3500 match-limit-recursion: 1500 @@ -336,7 +336,7 @@ suricata: hash-size: 65536 trackers: 65535 max-frags: 65535 - prealloc: "yes" + prealloc: true timeout: 60 flow: memcap: 128mb @@ -380,14 +380,14 @@ suricata: emergency-bypassed: 50 stream: memcap: 64mb - checksum-validation: "yes" + checksum-validation: true inline: auto reassembly: memcap: 256mb depth: 1mb toserver-chunk-size: 2560 toclient-chunk-size: 2560 - randomize-chunk-size: "yes" + randomize-chunk-size: true host: hash-size: 4096 prealloc: 1000 @@ -432,38 +432,38 @@ suricata: allow-restricted-functions: false profiling: rules: - enabled: "yes" + enabled: true filename: rule_perf.log - append: "yes" + append: true limit: 10 - json: "yes" + json: true keywords: - enabled: "yes" + enabled: true filename: keyword_perf.log - append: "yes" + append: true prefilter: - enabled: "yes" + enabled: true filename: prefilter_perf.log - append: "yes" + append: true rulegroups: - enabled: "yes" + enabled: true filename: rule_group_perf.log - append: "yes" + append: true packets: - enabled: "yes" + enabled: true filename: packet_stats.log - append: "yes" + append: true csv: - enabled: "no" + enabled: false filename: packet_stats.csv locks: - enabled: "no" + enabled: false filename: lock_stats.log - append: "yes" + append: true pcap-log: - enabled: "no" + enabled: false filename: pcaplog_stats.log - append: "yes" + append: true default-rule-path: /etc/suricata/rules rule-files: - all-rulesets.rules diff --git a/salt/suricata/soc_suricata.yaml b/salt/suricata/soc_suricata.yaml index 34399fc7a..6a1a78f54 100644 --- a/salt/suricata/soc_suricata.yaml +++ b/salt/suricata/soc_suricata.yaml 
@@ -38,8 +38,9 @@ suricata: description: Enable compression of Suricata PCAP files. advanced: True helpLink: suricata - lz4-checksum: + lz4-checksum: description: Enable PCAP lz4 checksum. + forcedType: bool advanced: True helpLink: suricata lz4-level: @@ -56,11 +57,10 @@ suricata: advanced: True readonly: True helpLink: suricata - use-stream-depth: - description: Set to "no" to ignore the stream depth and capture the entire flow. Set to "yes" to truncate the flow based on the stream depth. + use-stream-depth: + description: Set to false to ignore the stream depth and capture the entire flow. Set to true to truncate the flow based on the stream depth. + forcedType: bool advanced: True - regex: ^(yes|no)$ - regexFailureMessage: You must enter either yes or no. helpLink: suricata conditional: description: Set to "all" to record PCAP for all flows. Set to "alerts" to only record PCAP for Suricata alerts. Set to "tag" to only record PCAP for tagged rules. @@ -85,15 +85,16 @@ suricata: advanced: True regex: ^(cluster_flow|cluster_qm)$ defrag: + description: Enable defragmentation of IP packets before processing. + forcedType: bool advanced: True - regex: ^(yes|no)$ use-mmap: advanced: True readonly: True mmap-locked: description: Prevent swapping by locking the memory map. + forcedType: bool advanced: True - regex: ^(yes|no)$ helpLink: suricata threads: description: The amount of worker threads. 
@@ -117,9 +118,9 @@ suricata: forcedType: int helpLink: suricata use-emergency-flush: - description: In high-traffic environments, enabling this option to 'yes' aids in recovering from packet drop occurrences. However, it may lead to some packets, possibly at max ring flush, not being inspected. + description: In high-traffic environments, enabling this option aids in recovering from packet drop occurrences. However, it may lead to some packets, possibly at max ring flush, not being inspected. + forcedType: bool advanced: True - regex: ^(yes|no)$ helpLink: suricata buffer-size: description: Increasing the value of the receive buffer may improve performance. 
@@ -127,30 +128,33 @@ suricata: forcedType: int helpLink: suricata disable-promisc: - description: Promiscuous mode can be disabled by setting this to "yes". + description: Disable promiscuous mode on the capture interface. + forcedType: bool advanced: True - regex: ^(yes|no)$ helpLink: suricata checksum-checks: - description: "Opt for the checksum verification mode suitable for the interface. During capture, it's possible that some packets may exhibit invalid checksums due to the network card handling the checksum computation. You have several options: 'kernel': Relies on indications sent by the kernel for each packet (default). 'yes': Enforces checksum validation. 'no': Disables checksum validation. 'auto': Suricata employs a statistical approach to detect checksum offloading." + description: "Opt for the checksum verification mode suitable for the interface. During capture, it's possible that some packets may exhibit invalid checksums due to the network card handling the checksum computation." advanced: True - regex: ^(kernel|yes|no|auto)$ + options: + - kernel + - "true" + - "false" + - auto helpLink: suricata threading: set-cpu-affinity: - description: Bind(yes) or unbind(no) management and worker threads to a core or range of cores. - regex: ^(yes|no)$ - regexFailureMessage: You must enter either yes or no. + description: Bind or unbind management and worker threads to a core or range of cores. + forcedType: bool helpLink: suricata cpu-affinity: management-cpu-set: cpu: - description: Bind management threads to a core or range of cores. This can be a sigle core, list of cores, or list of range of cores. set-cpu-affinity must be set to 'yes' for this to be used. + description: Bind management threads to a core or range of cores. This can be a sigle core, list of cores, or list of range of cores. set-cpu-affinity must be set to true for this to be used. 
forcedType: "[]string" helpLink: suricata worker-cpu-set: cpu: - description: Bind worker threads to a core or range of cores. This can be a sigle core, list of cores, or list of range of cores. set-cpu-affinity must be set to 'yes' for this to be used. + description: Bind worker threads to a core or range of cores. This can be a sigle core, list of cores, or list of range of cores. set-cpu-affinity must be set to true for this to be used. forcedType: "[]string" helpLink: suricata vars: @@ -235,6 +239,7 @@ suricata: xff: enabled: description: Enable X-Forward-For support. + forcedType: bool helpLink: suricata mode: description: Operation mode. This should always be extra-data if you use PCAP. @@ -274,8 +279,9 @@ suricata: max-frags: description: Max number of fragments to keep helpLink: suricata - prealloc: + prealloc: description: Preallocate memory. + forcedType: bool helpLink: suricata timeout: description: Timeout value. @@ -296,6 +302,7 @@ suricata: helpLink: suricata checksum-validation: description: Validate checksum of packets. + forcedType: bool helpLink: suricata reassembly: memcap: From 82107f00a1ca369719447f540f760ddbcec8779f Mon Sep 17 00:00:00 2001 From: Josh Patterson Date: Thu, 19 Mar 2026 16:57:42 -0400 Subject: [PATCH 16/21] afpacket:checksum-checks yes/no options instead of true/false --- salt/suricata/soc_suricata.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/salt/suricata/soc_suricata.yaml b/salt/suricata/soc_suricata.yaml index 6a1a78f54..3c791af72 100644 --- a/salt/suricata/soc_suricata.yaml +++ b/salt/suricata/soc_suricata.yaml @@ -137,8 +137,8 @@ suricata: advanced: True options: - kernel - - "true" - - "false" + - yes + - no - auto helpLink: suricata threading: From f756ecb396c42d1306174a874b4005eff50c1e60 Mon Sep 17 00:00:00 2001 
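Review bot: Both rewritten `cpu` descriptions (under `management-cpu-set` and `worker-cpu-set`) carry the typo `sigle core`; since these lines are already changed in this hunk, correct them to `single core` at the same time. The rest of the hunk — replacing `regex: ^(yes|no)$` with `forcedType: bool` and turning `checksum-checks` into an `options` list — reads fine.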
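Review bot: `- yes` and `- no` in the `checksum-checks` options list are unquoted plain scalars, which a YAML 1.1 loader (PyYAML, go-yaml v2) resolves to the booleans true/false, so the list may load as `[kernel, true, false, auto]` rather than the four string values the setting's description spells out. Whether SOC's loader behaves that way depends on the library it uses, but quoting removes the ambiguity at no cost: `- "yes"` and `- "no"`, in the same style this file already uses for `forcedType: "[]string"`.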
From: Josh Patterson
Date: Thu, 19 Mar 2026 17:14:55 -0400
Subject: [PATCH 17/21] remove quotes from suricata af-packet config
---
 salt/suricata/map.jinja | 16 ++++++----------
 1 file changed, 6 insertions(+), 10 deletions(-)
diff --git a/salt/suricata/map.jinja b/salt/suricata/map.jinja
index c99beff21..944e0e34d 100644
--- a/salt/suricata/map.jinja
+++ b/salt/suricata/map.jinja
@@ -43,22 +43,18 @@
 - interface: {{ GLOBALS.sensor.interface }}
 cluster-id: {{ SURICATAMERGED.config['af-packet']['cluster-id'] }}
 cluster-type: {{ SURICATAMERGED.config['af-packet']['cluster-type'] }}
- defrag: "{{ SURICATAMERGED.config['af-packet'].defrag }}"
- use-mmap: "{{ SURICATAMERGED.config['af-packet']['use-mmap'] }}"
- mmap-locked: "{{ SURICATAMERGED.config['af-packet']['mmap-locked'] }}"
+ defrag: {{ SURICATAMERGED.config['af-packet'].defrag }}
+ use-mmap: {{ SURICATAMERGED.config['af-packet']['use-mmap'] }}
+ mmap-locked: {{ SURICATAMERGED.config['af-packet']['mmap-locked'] }}
 threads: {{ SURICATAMERGED.config['af-packet'].threads }}
- tpacket-v3: "{{ SURICATAMERGED.config['af-packet']['tpacket-v3'] }}"
+ tpacket-v3: {{ SURICATAMERGED.config['af-packet']['tpacket-v3'] }}
 ring-size: {{ SURICATAMERGED.config['af-packet']['ring-size'] }}
 block-size: {{ SURICATAMERGED.config['af-packet']['block-size'] }}
 block-timeout: {{ SURICATAMERGED.config['af-packet']['block-timeout'] }}
- use-emergency-flush: "{{ SURICATAMERGED.config['af-packet']['use-emergency-flush'] }}"
+ use-emergency-flush: {{ SURICATAMERGED.config['af-packet']['use-emergency-flush'] }}
 buffer-size: {{ SURICATAMERGED.config['af-packet']['buffer-size'] }}
- disable-promisc: "{{ SURICATAMERGED.config['af-packet']['disable-promisc'] }}"
-{% if SURICATAMERGED.config['af-packet']['checksum-checks'] in ['yes', 'no'] %}
- checksum-checks: "{{ SURICATAMERGED.config['af-packet']['checksum-checks'] }}"
-{% else %}
+ disable-promisc: {{ SURICATAMERGED.config['af-packet']['disable-promisc'] }}
 checksum-checks: {{ SURICATAMERGED.config['af-packet']['checksum-checks'] }}
-{% endif %}
 {% endload %}
 {% do SURICATAMERGED.config.pop('af-packet') %}
 {% do SURICATAMERGED.config.update({'af-packet': afpacket}) %}
From ca588d2e789b10f13855a2551b1f6d61e3f9f619 Mon Sep 17 00:00:00 2001
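Review bot: Dropping the `{% if ... in ['yes', 'no'] %}` branch means a `yes`/`no` value for `checksum-checks` is now emitted unquoted into the `{% load_yaml %}` block, where Salt's PyYAML-based loader resolves it to a boolean before the af-packet mapping is handed on; the removed guard presumably existed to keep exactly those two values as strings, since `kernel` and `auto` were never quoted. The branch can still go without losing that property by quoting the key unconditionally, `checksum-checks: "{{ SURICATAMERGED.config['af-packet']['checksum-checks'] }}"`, because `kernel` and `auto` are equally valid as quoted strings. Whether a boolean surviving to the final Suricata render is accepted there depends on code outside this hunk, so the cheap fix is preferable to relying on it.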
From: Josh Patterson
Date: Thu, 19 Mar 2026 17:19:42 -0400
Subject: [PATCH 18/21] new elastalert options advanced
---
 salt/elastalert/soc_elastalert.yaml | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/salt/elastalert/soc_elastalert.yaml b/salt/elastalert/soc_elastalert.yaml
index f11d03ba6..123ead697 100644
--- a/salt/elastalert/soc_elastalert.yaml
+++ b/salt/elastalert/soc_elastalert.yaml
@@ -100,6 +100,7 @@ elastalert:
 scan_subdirectories:
 description: Recursively scan subdirectories for rules.
 forcedType: bool
+ advanced: True
 global: True
 helpLink: elastalert
 disable_rules_on_error:
@@ -133,11 +134,13 @@ elastalert:
 use_ssl:
 description: Use SSL to connect to Elasticsearch.
 forcedType: bool
+ advanced: True
 global: True
 helpLink: elastalert
 verify_certs:
 description: Verify TLS certificates when connecting to Elasticsearch.
 forcedType: bool
+ advanced: True
 global: True
 helpLink: elastalert
 alert_time_limit:
@@ -158,11 +161,13 @@ elastalert:
 incremental:
 description: When incremental is false (the default), the logging configuration is applied in full, replacing any existing logging setup. When true, only the level attributes of existing loggers and handlers are updated, leaving the rest of the logging configuration unchanged.
 forcedType: bool
+ advanced: True
 global: True
 helpLink: elastalert
 disable_existing_loggers:
 description: Disable existing loggers.
 forcedType: bool
+ advanced: True
 global: True
 helpLink: elastalert
 loggers:
@@ -170,5 +175,6 @@ elastalert:
 propagate:
 description: Propagate log messages to parent loggers.
 forcedType: bool
+ advanced: True
 global: True
 helpLink: elastalert
From 2585bdd23fd7e8fdcf832c3ddb738fbfaa588ebf Mon Sep 17 00:00:00 2001
From: Josh Patterson
Date: Thu, 19 Mar 2026 17:30:47 -0400
Subject: [PATCH 19/21] add more description to checksum-checks
---
 salt/suricata/soc_suricata.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/suricata/soc_suricata.yaml b/salt/suricata/soc_suricata.yaml
index 3c791af72..7f6b7787a 100644
--- a/salt/suricata/soc_suricata.yaml
+++ b/salt/suricata/soc_suricata.yaml
@@ -133,7 +133,7 @@ suricata:
 advanced: True
 helpLink: suricata
 checksum-checks:
- description: "Opt for the checksum verification mode suitable for the interface. During capture, it's possible that some packets may exhibit invalid checksums due to the network card handling the checksum computation."
+ description: "Opt for the checksum verification mode suitable for the interface. During capture, it's possible that some packets may exhibit invalid checksums due to the network card handling the checksum computation. You have several options: 'kernel': Relies on indications sent by the kernel for each packet (default). 'yes': Enforces checksum validation. 'no': Disables checksum validation. 'auto': Suricata employs a statistical approach to detect checksum offloading."
 advanced: True
 options:
 - kernel
From 6e3986b0b074182af20ff07da08efb1a6b325c1d Mon Sep 17 00:00:00 2001
From: Josh Patterson
Date: Thu, 19 Mar 2026 17:37:40 -0400
Subject: [PATCH 20/21] set community-id annotation to advanced
---
 salt/suricata/soc_suricata.yaml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/salt/suricata/soc_suricata.yaml b/salt/suricata/soc_suricata.yaml
index 7f6b7787a..254683443 100644
--- a/salt/suricata/soc_suricata.yaml
+++ b/salt/suricata/soc_suricata.yaml
@@ -211,6 +211,7 @@ suricata:
 community-id:
 description: Enable Community ID flow hashing for consistent event correlation across tools.
 forcedType: bool
+ advanced: True
 helpLink: suricata
 types:
 alert:
From 21868723177982cace24392ce204c967cfece031 Mon Sep 17 00:00:00 2001
From: Josh Patterson
Date: Fri, 20 Mar 2026 09:19:22 -0400
Subject: [PATCH 21/21] update telegraf lower true/false
---
 salt/telegraf/defaults.yaml | 4 ++--
 salt/telegraf/etc/telegraf.conf | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/salt/telegraf/defaults.yaml b/salt/telegraf/defaults.yaml
index eaf691e74..ef6c2bc77 100644
--- a/salt/telegraf/defaults.yaml
+++ b/salt/telegraf/defaults.yaml
@@ -7,8 +7,8 @@ telegraf:
 collection_jitter: '0s'
 flush_interval: '10s'
 flush_jitter: '0s'
- debug: False
- quiet: False
+ debug: false
+ quiet: false
 scripts:
 eval:
 - agentstatus.sh
diff --git a/salt/telegraf/etc/telegraf.conf b/salt/telegraf/etc/telegraf.conf
index b215fec89..aafcf6d77 100644
--- a/salt/telegraf/etc/telegraf.conf
+++ b/salt/telegraf/etc/telegraf.conf
@@ -56,9 +56,9 @@ ## Logging configuration:
 ## Run telegraf with debug log messages.
- debug = {{ TELEGRAFMERGED.config.debug | lower }}
+ debug = {{ 'true' if TELEGRAFMERGED.config.debug else 'false' }}
 ## Run telegraf in quiet mode (error log messages only).
- quiet = {{ TELEGRAFMERGED.config.quiet | lower }}
+ quiet = {{ 'true' if TELEGRAFMERGED.config.quiet else 'false'}}
 ## Specify the log file name. The empty string means to log to stderr.
 logfile = "/var/log/telegraf/telegraf.log"
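Review bot: `'true' if TELEGRAFMERGED.config.debug else 'false'` tests Jinja truthiness, so any non-empty string value — including the quoted `'false'` that defaults.yaml used before patch 14 of this series, if it survives in an existing pillar override — renders as `true` and switches debug logging on; the `| lower` form it replaces would have rendered that value as `false`. Comparing the normalised string keeps the TOML-valid lowercase output without the truthiness trap: `debug = {{ 'true' if (TELEGRAFMERGED.config.debug | string | lower) == 'true' else 'false' }}`, and the same shape for `quiet`. The `quiet` line is also missing the space before `}}`, unlike the `debug` line above it.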