Remove version 3.0.0 from discussion template

salt/manager/tools/sbin/so-minion

@@ -462,14 +462,19 @@ function add_sensor_to_minion() {
         echo "      lb_procs: '$CORECOUNT'"
         echo "suricata:"
         echo "  enabled: True "
-        echo "  pcap:"
-        echo "    enabled: True"
         if [[ $is_pcaplimit ]]; then
+            echo "  pcap:"
             echo "    maxsize: $MAX_PCAP_SPACE"
         fi
         echo "  config:"
         echo "    af-packet:"
         echo "      threads: '$CORECOUNT'"
+        echo "pcap:"
+        echo "  enabled: True"
+        if [[ $is_pcaplimit ]]; then
+            echo "  config:"
+            echo "    diskfreepercentage: $DFREEPERCENT"
+        fi
         echo "  "
     } >> $PILLARFILE
     if [ $? -ne 0 ]; then

salt/manager/tools/sbin/so-yaml.py

@@ -256,7 +256,7 @@ def replacelistobject(args):
 def addKey(content, key, value):
     pieces = key.split(".", 1)
     if len(pieces) > 1:
-        if pieces[0] not in content or content[pieces[0]] is None:
+        if not pieces[0] in content:
             content[pieces[0]] = {}
         addKey(content[pieces[0]], pieces[1], value)
     elif key in content:
@@ -346,12 +346,7 @@ def get(args):
         print(f"Key '{key}' not found by so-yaml.py", file=sys.stderr)
         return 2
 
-    if isinstance(output, bool):
-        print(str(output).lower())
-    elif isinstance(output, (dict, list)):
-        print(yaml.safe_dump(output).strip())
-    else:
-        print(output)
+    print(yaml.safe_dump(output))
     return 0
 
 

salt/manager/tools/sbin/so-yaml_test.py

@@ -393,7 +393,7 @@ class TestRemove(unittest.TestCase):
 
             result = soyaml.get([filename, "key1.child2.deep1"])
             self.assertEqual(result, 0)
-            self.assertEqual("45\n", mock_stdout.getvalue())
+            self.assertIn("45\n...", mock_stdout.getvalue())
 
     def test_get_str(self):
         with patch('sys.stdout', new=StringIO()) as mock_stdout:
@@ -404,18 +404,7 @@ class TestRemove(unittest.TestCase):
 
             result = soyaml.get([filename, "key1.child2.deep1"])
             self.assertEqual(result, 0)
-            self.assertEqual("hello\n", mock_stdout.getvalue())
-
-    def test_get_bool(self):
-        with patch('sys.stdout', new=StringIO()) as mock_stdout:
-            filename = "/tmp/so-yaml_test-get.yaml"
-            file = open(filename, "w")
-            file.write("{key1: { child1: 123, child2: { deep1: 45 } }, key2: false, key3: [e,f,g]}")
-            file.close()
-
-            result = soyaml.get([filename, "key2"])
-            self.assertEqual(result, 0)
-            self.assertEqual("false\n", mock_stdout.getvalue())
+            self.assertIn("hello\n...", mock_stdout.getvalue())
 
     def test_get_list(self):
         with patch('sys.stdout', new=StringIO()) as mock_stdout:

salt/manager/tools/sbin/soup

@@ -88,7 +88,7 @@ check_err() {
         echo 'No route to host'
       ;;
       160)
-        echo 'Incompatible Elasticsearch upgrade'
+        echo 'Incompatiable Elasticsearch upgrade'
       ;;
       161)
         echo 'Required intermediate Elasticsearch upgrade not complete'
@@ -362,7 +362,7 @@ preupgrade_changes() {
     # This function is to add any new pillar items if needed.
     echo "Checking to see if changes are needed."
 
-    [[ "$INSTALLEDVERSION" =~ ^2\.4\.21[0-9]+$ ]] && up_to_3.0.0   
+    [[ "$INSTALLEDVERSION" == 2.4.210 ]] && up_to_3.0.0   
     true
 }
 
@@ -370,12 +370,12 @@ postupgrade_changes() {
     # This function is to add any new pillar items if needed.
     echo "Running post upgrade processes."
 
-    [[ "$POSTVERSION" =~ ^2\.4\.21[0-9]+$ ]] && post_to_3.0.0
+    [[ "$POSTVERSION" == 2.4.210 ]] && post_to_3.0.0
     true
 }
 
 check_minimum_version() {
-  if [[ ! "$INSTALLEDVERSION" =~ ^(2\.4\.21[0-9]+|3\.) ]]; then
+  if [[ "$INSTALLEDVERSION" != "2.4.210" ]] && [[ ! "$INSTALLEDVERSION" =~ ^3\. ]]; then
     echo "You must be on at least Security Onion 2.4.210 to upgrade. Currently installed version: $INSTALLEDVERSION"
     exit 1
   fi
@@ -385,23 +385,10 @@ check_minimum_version() {
 
 up_to_3.0.0() {
   determine_elastic_agent_upgrade
-  migrate_pcap_to_suricata
 
   INSTALLEDVERSION=3.0.0
 }
 
-migrate_pcap_to_suricata() {
-  local MINIONDIR=/opt/so/saltstack/local/pillar/minions
-  local PCAPFILE=/opt/so/saltstack/local/pillar/pcap/soc_pcap.sls
-
-  for pillar_file in "$PCAPFILE" "$MINIONDIR"/*.sls; do
-    [[ -f "$pillar_file" ]] || continue
-    pcap_enabled=$(so-yaml.py get "$pillar_file" pcap.enabled 2>/dev/null) || continue
-    so-yaml.py add "$pillar_file" suricata.pcap.enabled "$pcap_enabled"
-    so-yaml.py remove "$pillar_file" pcap
-  done
-}
-
 post_to_3.0.0() {
   echo "Nothing to apply"
   POSTVERSION=3.0.0

salt/nginx/etc/nginx.conf

@@ -387,13 +387,15 @@ http {
 		error_page 429 = @error429;
 
 		location @error401 {
-			if ($request_uri ~* (^/api/.*|^/connect/.*|^/oauth2/.*)) {
+			if ($request_uri ~* (^/connect/.*|^/oauth2/.*)) {
 				return    401;
 			}
 
-			add_header    Strict-Transport-Security   "max-age=31536000; includeSubDomains";
+			if ($request_uri ~* ^/(?!(^/api/.*))) {
+				add_header    Strict-Transport-Security   "max-age=31536000; includeSubDomains";
+			}
 
-			if ($request_uri ~* ^/(?!(login|auth|oauth2|$))) {
+			if ($request_uri ~* ^/(?!(api/|login|auth|oauth2|$))) {
 				add_header    Set-Cookie "AUTH_REDIRECT=$request_uri;Path=/;Max-Age=14400";
 			}
 			return        302 /auth/self-service/login/browser;

salt/suricata/defaults.yaml

@@ -1,7 +1,6 @@
 suricata:
   enabled: False
   pcap:
-    enabled: "no"
     filesize: 1000mb
     maxsize: 25
     compression: "none"
@@ -142,6 +141,8 @@ suricata:
         enabled: "no"
       tls-store:
         enabled: "no"
+      pcap-log:
+        enabled: "no"
       alert-debug:
         enabled: "no"
       alert-prelude:

salt/suricata/map.jinja

@@ -16,8 +16,8 @@
 {%     do SURICATAMERGED.config.outputs['pcap-log'].update({'bpf-filter': PCAPBPF|join(" ")}) %}
 {%   endif %}
 
+{%   do SURICATAMERGED.config.outputs['pcap-log'].update({'enabled': 'yes'}) %}
 {#   move the items in suricata.pcap into suricata.config.outputs.pcap-log. these items were placed under suricata.config for ease of access in SOC #}
-{%   do SURICATAMERGED.config.outputs['pcap-log'].update({'enabled': SURICATAMERGED.pcap.enabled}) %}
 {%   do SURICATAMERGED.config.outputs['pcap-log'].update({'compression': SURICATAMERGED.pcap.compression}) %}
 {%   do SURICATAMERGED.config.outputs['pcap-log'].update({'lz4-checksum': SURICATAMERGED.pcap['lz4-checksum']}) %}
 {%   do SURICATAMERGED.config.outputs['pcap-log'].update({'lz4-level': SURICATAMERGED.pcap['lz4-level']}) %}

salt/suricata/soc_suricata.yaml

@@ -22,9 +22,6 @@ suricata:
       title: Classifications
       helpLink: suricata.html
   pcap:
-    enabled:
-      description: Enables or disables the Suricata packet recording process.
-      helpLink: suricata.html
     filesize: 
       description: Maximum file size for individual PCAP files written by Suricata. Increasing this number could improve write performance at the expense of pcap retrieval time.
       advanced: True
@@ -212,6 +209,12 @@ suricata:
               header:
                 description: Header name where the actual IP address will be reported.
                 helpLink: suricata.html
+      pcap-log:
+        enabled:
+          description: This value is ignored by SO. pcapengine in globals takes precedence.
+          readonly: True
+          helpLink: suricata.html
+          advanced: True        
     asn1-max-frames:
       description: Maximum nuber of asn1 frames to decode.
       helpLink: suricata.html