Compare commits

..

10 Commits

Author SHA1 Message Date
reyesj2
256c1122c3 remove old pillar 2026-02-19 11:08:23 -06:00
reyesj2
aa2a1a3d3c typo for so-yaml file input 2026-02-19 11:08:06 -06:00
reyesj2
0ebd8e4d6c migrate elasticsearch:managed_integrations pillar to new manager:managed_integrations pillar 2026-02-18 19:00:35 -06:00
Matthew Wright
3349c1a936 Merge pull request #15492 from Security-Onion-Solutions/mwright/investigate-refactor
Assistant: Investigated Query Toggle Filter
2026-02-18 15:04:33 -05:00
Jorge Reyes
7dfd212519 Merge pull request #15497 from Security-Onion-Solutions/revert-15465-reyesj2/iso-soup
Revert "allow network installs to use ISO for faster soupin"
2026-02-18 10:04:16 -06:00
Jorge Reyes
b8fb0fa735 Revert "allow network installs to use ISO for faster soupin" 2026-02-18 10:02:24 -06:00
Jorge Reyes
e6f767b613 Merge pull request #15496 from Security-Onion-Solutions/revert-15468-reyesj2/iso-soup
Revert "don't set is_airgap when using nonairgap_useiso: not a true airgap sy…"
2026-02-18 10:02:13 -06:00
Jorge Reyes
d00fb4ccf7 Revert "don't set is_airgap when using nonairgap_useiso: not a true airgap sy…" 2026-02-18 09:42:12 -06:00
Josh Patterson
a29eff37a0 Merge pull request #15494 from Security-Onion-Solutions/bravo
fix sensor and heavynode first highstate failure
2026-02-18 09:32:37 -05:00
Matthew Wright
3d1a2c12ec add investigated query toggle filter 2026-02-17 13:17:12 -05:00
6 changed files with 50 additions and 42 deletions

View File

@@ -20,20 +20,20 @@ dockergroup:
dockerheldpackages:
pkg.installed:
- pkgs:
- containerd.io: 2.2.1-1~debian.12~bookworm
- docker-ce: 5:29.2.1-1~debian.12~bookworm
- docker-ce-cli: 5:29.2.1-1~debian.12~bookworm
- docker-ce-rootless-extras: 5:29.2.1-1~debian.12~bookworm
- containerd.io: 1.7.21-1
- docker-ce: 5:27.2.0-1~debian.12~bookworm
- docker-ce-cli: 5:27.2.0-1~debian.12~bookworm
- docker-ce-rootless-extras: 5:27.2.0-1~debian.12~bookworm
- hold: True
- update_holds: True
{% elif grains.oscodename == 'jammy' %}
dockerheldpackages:
pkg.installed:
- pkgs:
- containerd.io: 2.2.1-1~ubuntu.22.04~jammy
- docker-ce: 5:29.2.1-1~ubuntu.22.04~jammy
- docker-ce-cli: 5:29.2.1-1~ubuntu.22.04~jammy
- docker-ce-rootless-extras: 5:29.2.1-1~ubuntu.22.04~jammy
- containerd.io: 1.7.21-1
- docker-ce: 5:27.2.0-1~ubuntu.22.04~jammy
- docker-ce-cli: 5:27.2.0-1~ubuntu.22.04~jammy
- docker-ce-rootless-extras: 5:27.2.0-1~ubuntu.22.04~jammy
- hold: True
- update_holds: True
{% else %}
@@ -51,10 +51,10 @@ dockerheldpackages:
dockerheldpackages:
pkg.installed:
- pkgs:
- containerd.io: 2.2.1-1.el9
- docker-ce: 3:29.2.1-1.el9
- docker-ce-cli: 1:29.2.1-1.el9
- docker-ce-rootless-extras: 29.2.1-1.el9
- containerd.io: 1.7.21-3.1.el9
- docker-ce: 3:27.2.0-1.el9
- docker-ce-cli: 1:27.2.0-1.el9
- docker-ce-rootless-extras: 27.2.0-1.el9
- hold: True
- update_holds: True
{% endif %}
@@ -106,8 +106,6 @@ dockerreserveports:
- source: salt://common/files/99-reserved-ports.conf
- name: /etc/sysctl.d/99-reserved-ports.conf
# If this network doesn't already exist
{% if not salt['docker.networks'](names='sobridge') %}
sos_docker_net:
docker_network.present:
- name: sobridge
@@ -119,4 +117,4 @@ sos_docker_net:
com.docker.network.bridge.enable_ip_masquerade: 'true'
com.docker.network.bridge.enable_icc: 'true'
com.docker.network.bridge.host_binding_ipv4: '0.0.0.0'
{% endif %}
- unless: 'docker network ls | grep sobridge'

View File

@@ -84,13 +84,6 @@ elasticsearch:
custom008: *pipelines
custom009: *pipelines
custom010: *pipelines
managed_integrations:
description: List of integrations to add into SOC config UI. Enter the full or partial integration name. Eg. 1password, 1pass
forcedType: "[]string"
multiline: True
global: True
advanced: True
helpLink: elasticsearch.html
index_settings:
global_overrides:
index_template:

View File

@@ -4,7 +4,7 @@
# Elastic License 2.0.
{# Managed elasticsearch/soc_elasticsearch.yaml file for adding integration configuration items to UI #}
{% set managed_integrations = salt['pillar.get']('elasticsearch:managed_integrations', []) %}
{% set managed_integrations = salt['pillar.get']('manager:managed_integrations', []) %}
{% if managed_integrations and salt['file.file_exists']('/opt/so/state/esfleet_package_components.json') and salt['file.file_exists']('/opt/so/state/esfleet_component_templates.json') %}
{% from 'elasticfleet/integration-defaults.map.jinja' import ADDON_INTEGRATION_DEFAULTS %}
{% set addon_integration_keys = ADDON_INTEGRATION_DEFAULTS.keys() %}

View File

@@ -78,3 +78,10 @@ manager:
advanced: True
helpLink: elastic-fleet.html
forcedType: int
managed_integrations:
description: List of integrations to add into SOC config UI. Enter the full or partial integration name. Eg. 1password, 1pass
forcedType: "[]string"
multiline: True
global: True
advanced: True
helpLink: elasticsearch.html

View File

@@ -165,7 +165,7 @@ EOF
}
airgap_update_dockers() {
if [[ $is_airgap -eq 0 ]] || [[ $nonairgap_useiso -eq 0 ]]; then
if [[ $is_airgap -eq 0 ]] || [[ ! -z "$ISOLOC" ]]; then
# Let's copy the tarball
if [[ ! -f $AGDOCKER/registry.tar ]]; then
echo "Unable to locate registry. Exiting"
@@ -200,24 +200,13 @@ update_registry() {
check_airgap() {
# See if this is an airgap install
AIRGAP=$(cat /opt/so/saltstack/local/pillar/global/soc_global.sls | grep airgap: | awk '{print $2}' | tr '[:upper:]' '[:lower:]')
if [[ ! -z "$ISOLOC" ]]; then
# flag to use ISO for non-airgap installs, won't be used everywhere is_airgap -eq 0 is used. Used to speed up network soups by using local storage for large files.
nonairgap_useiso=0
else
nonairgap_useiso=1
fi
if [[ "$AIRGAP" == "true" ]]; then
is_airgap=0
else
is_airgap=1
fi
# use ISO if its airgap install OR ISOLOC was set with -f <path>
if [[ "$AIRGAP" == "true" ]] || [[ $nonairgap_useiso -eq 0 ]]; then
UPDATE_DIR=/tmp/soagupdate/SecurityOnion
AGDOCKER=/tmp/soagupdate/docker
AGREPO=/tmp/soagupdate/minimal/Packages
else
is_airgap=1
fi
}
@@ -708,6 +697,19 @@ post_to_2.4.210() {
echo "Regenerating Elastic Agent Installers"
/sbin/so-elastic-agent-gen-installers
# migrate elasticsearch:managed_integrations pillar to manager:managed_integrations
if managed_integrations=$(/usr/sbin/so-yaml.py get /opt/so/saltstack/local/pillar/elasticsearch/soc_elasticsearch.sls elasticsearch.managed_integrations); then
local managed_integrations_old_pillar="/tmp/elasticsearch-managed_integrations.yaml"
echo "Migrating managed_integrations pillar"
echo -e "$managed_integrations" > "$managed_integrations_old_pillar"
/usr/sbin/so-yaml.py add /opt/so/saltstack/local/pillar/manager/soc_manager.sls manager.managed_integrations file:$managed_integrations_old_pillar > /dev/null 2>&1
/usr/sbin/so-yaml.py remove /opt/so/saltstack/local/pillar/elasticsearch/soc_elasticsearch.sls elasticsearch.managed_integrations
fi
POSTVERSION=2.4.210
}
@@ -1398,7 +1400,7 @@ so-yaml.py removelistitem /etc/salt/master file_roots.base /opt/so/rules/nids
}
determine_elastic_agent_upgrade() {
if [[ $is_airgap -eq 0 ]] || [[ $nonairgap_useiso -eq 0 ]]; then
if [[ $is_airgap -eq 0 ]]; then
update_elastic_agent_airgap
else
set +e
@@ -2016,10 +2018,15 @@ main() {
MINION_ROLE=$(lookup_role)
echo "Found that Security Onion $INSTALLEDVERSION is currently installed."
echo ""
if [[ $is_airgap -eq 0 ]] || [[ $nonairgap_useiso -eq 0 ]]; then
# Let's mount the ISO since this is airgap or non-airgap with -f used
if [[ $is_airgap -eq 0 ]]; then
# Let's mount the ISO since this is airgap
airgap_mounted
else
# if not airgap but -f was used
if [[ ! -z "$ISOLOC" ]]; then
airgap_mounted
AGDOCKER=/tmp/soagupdate/docker
fi
echo "Cloning Security Onion github repo into $UPDATE_DIR."
echo "Removing previous upgrade sources."
rm -rf $UPDATE_DIR
@@ -2039,8 +2046,7 @@ main() {
upgrade_check_salt
set -e
if [[ $is_airgap -eq 0 ]] || [[ $nonairgap_useiso -eq 0 ]]; then
# non-airgap with -f used can do an initial ISO repo update and so-repo-sync cron job will sync any diff later via network
if [[ $is_airgap -eq 0 ]]; then
update_airgap_repo
dnf clean all
check_os_updates

View File

@@ -2380,6 +2380,10 @@ soc:
exclusive: true
enablesToggles:
- acknowledged
- name: investigated
filter: event.investigated:true
enabled: false
exclusive: false
queries:
- name: 'Group By Name, Module'
query: '* | groupby rule.name event.module* event.severity_label rule.uuid'