Fix unsafe PyYAML load in filecheck

Merge pull request #15851 from Security-Onion-Solutions/reyesj2/integration-transforms
excluding additional integration transform job failures
2026-05-06 11:28:46 +02:00 · 2026-05-04 12:09:35 -04:00 · 2026-05-01 14:11:12 -05:00 · 2026-05-01 12:57:59 -05:00 · 2026-05-01 12:44:08 -05:00 · 2026-04-30 09:46:28 -05:00
7 changed files with 166 additions and 27 deletions
@@ -227,7 +227,7 @@ if [[ $EXCLUDE_KNOWN_ERRORS == 'Y' ]]; then
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|from NIC checksum offloading" # zeek reporter.log
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|marked for removal"           # docker container getting recycled
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|tcp 127.0.0.1:6791: bind: address already in use" # so-elastic-fleet agent restarting. Seen starting w/ 8.18.8 https://github.com/elastic/kibana/issues/201459
-    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|TransformTask\] \[logs-(tychon|aws_billing|microsoft_defender_endpoint|armis|o365_metrics|microsoft_sentinel|snyk).*user so_kibana lacks the required permissions \[(logs|metrics)-\1" # Known issue with integrations starting transform jobs that are explicitly not allowed to start as a system user. (installed as so_elastic / so_kibana)
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|TransformTask\] \[logs-(tychon|aws_billing|microsoft_defender_endpoint|armis|o365_metrics|microsoft_sentinel|snyk|cyera|island_browser).*user so_kibana lacks the required permissions \[(logs|metrics)-\1" # Known issue with integrations starting transform jobs that are explicitly not allowed to start as a system user. This error should not be seen on fresh ES 9.3.3 installs or after SO 3.1.0 with soups addition of check_transform_health_and_reauthorize()
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|manifest unknown"             # appears in so-dockerregistry log for so-tcpreplay following docker upgrade to 29.2.1-1
 fi
@@ -18,17 +18,6 @@ so-elastic-fleet-auto-configure-logstash-outputs:
    - retry:
        attempts: 4
        interval: 30
 {# Separate from above in order to catch elasticfleet-logstash.crt changes and force update to fleet output policy #}
 so-elastic-fleet-auto-configure-logstash-outputs-force:
  cmd.run:
    - name: /usr/sbin/so-elastic-fleet-outputs-update --certs
    - retry:
        attempts: 4
        interval: 30
    - onchanges:
        - x509: etc_elasticfleet_logstash_crt
        - x509: elasticfleet_kafka_crt
 {% endif %}
 # If enabled, automatically update Fleet Server URLs & ES Connection
@@ -240,7 +240,7 @@ elastic_fleet_policy_create() {
        --arg DESC "$DESC" \
        --arg TIMEOUT $TIMEOUT \
        --arg FLEETSERVER "$FLEETSERVER" \
-            '{"name": $NAME,"id":$NAME,"description":$DESC,"namespace":"default","monitoring_enabled":["logs"],"inactivity_timeout":$TIMEOUT,"has_fleet_server":$FLEETSERVER}'
+            '{"name": $NAME,"id":$NAME,"description":$DESC,"namespace":"default","monitoring_enabled":["logs"],"inactivity_timeout":$TIMEOUT,"has_fleet_server":$FLEETSERVER,"advanced_settings":{"agent_logging_level": "warning"}}'
        )
    # Create Fleet Policy
    if ! fleet_api "agent_policies" -XPOST -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d "$JSON_STRING"; then
@@ -398,6 +398,7 @@ firewall:
                - elasticsearch_rest
                - docker_registry
                - influxdb
                - postgres
                - sensoroni
                - yum
                - beats_5044
@@ -410,6 +411,7 @@ firewall:
              portgroups:
                - docker_registry
                - influxdb
                - postgres
                - sensoroni
                - yum
                - beats_5044
@@ -427,6 +429,7 @@ firewall:
                - yum
                - docker_registry
                - influxdb
                - postgres
                - sensoroni
            searchnode:
              portgroups:
@@ -437,6 +440,7 @@ firewall:
                - yum
                - docker_registry
                - influxdb
                - postgres
                - elastic_agent_control
                - elastic_agent_data
                - elastic_agent_update
@@ -450,6 +454,7 @@ firewall:
                - yum
                - docker_registry
                - influxdb
                - postgres
                - elastic_agent_control
                - elastic_agent_data
                - elastic_agent_update
@@ -459,6 +464,7 @@ firewall:
                - yum
                - docker_registry
                - influxdb
                - postgres
                - elastic_agent_control
                - elastic_agent_data
                - elastic_agent_update
@@ -492,6 +498,7 @@ firewall:
              portgroups:
                - docker_registry
                - influxdb
                - postgres
                - sensoroni
                - yum
                - elastic_agent_control
@@ -502,6 +509,7 @@ firewall:
                - yum
                - docker_registry
                - influxdb
                - postgres
                - elastic_agent_control
                - elastic_agent_data
                - elastic_agent_update
@@ -610,6 +618,7 @@ firewall:
                - elasticsearch_rest
                - docker_registry
                - influxdb
                - postgres
                - sensoroni
                - yum
                - beats_5044
@@ -622,6 +631,7 @@ firewall:
              portgroups:
                - docker_registry
                - influxdb
                - postgres
                - sensoroni
                - yum
                - beats_5044
@@ -639,6 +649,7 @@ firewall:
                - yum
                - docker_registry
                - influxdb
                - postgres
                - sensoroni
            searchnode:
              portgroups:
@@ -649,6 +660,7 @@ firewall:
                - yum
                - docker_registry
                - influxdb
                - postgres
                - elastic_agent_control
                - elastic_agent_data
                - elastic_agent_update
@@ -662,6 +674,7 @@ firewall:
                - yum
                - docker_registry
                - influxdb
                - postgres
                - elastic_agent_control
                - elastic_agent_data
                - elastic_agent_update
@@ -671,6 +684,7 @@ firewall:
                - yum
                - docker_registry
                - influxdb
                - postgres
                - elastic_agent_control
                - elastic_agent_data
                - elastic_agent_update
@@ -702,6 +716,7 @@ firewall:
              portgroups:
                - docker_registry
                - influxdb
                - postgres
                - sensoroni
                - yum
                - elastic_agent_control
@@ -712,6 +727,7 @@ firewall:
                - yum
                - docker_registry
                - influxdb
                - postgres
                - elastic_agent_control
                - elastic_agent_data
                - elastic_agent_update
@@ -820,6 +836,7 @@ firewall:
                - elasticsearch_rest
                - docker_registry
                - influxdb
                - postgres
                - sensoroni
                - yum
                - beats_5044
@@ -832,6 +849,7 @@ firewall:
              portgroups:
                - docker_registry
                - influxdb
                - postgres
                - sensoroni
                - yum
                - beats_5044
@@ -849,6 +867,7 @@ firewall:
                - yum
                - docker_registry
                - influxdb
                - postgres
                - sensoroni
            searchnode:
              portgroups:
@@ -858,6 +877,7 @@ firewall:
                - yum
                - docker_registry
                - influxdb
                - postgres
                - elastic_agent_control
                - elastic_agent_data
                - elastic_agent_update
@@ -870,6 +890,7 @@ firewall:
                - yum
                - docker_registry
                - influxdb
                - postgres
                - elastic_agent_control
                - elastic_agent_data
                - elastic_agent_update
@@ -879,6 +900,7 @@ firewall:
                - yum
                - docker_registry
                - influxdb
                - postgres
                - elastic_agent_control
                - elastic_agent_data
                - elastic_agent_update
@@ -912,6 +934,7 @@ firewall:
              portgroups:
                - docker_registry
                - influxdb
                - postgres
                - sensoroni
                - yum
                - elastic_agent_control
@@ -922,6 +945,7 @@ firewall:
                - yum
                - docker_registry
                - influxdb
                - postgres
                - elastic_agent_control
                - elastic_agent_data
                - elastic_agent_update
@@ -1040,6 +1064,7 @@ firewall:
                - elasticsearch_rest
                - docker_registry
                - influxdb
                - postgres
                - sensoroni
                - yum
                - beats_5044
@@ -1052,6 +1077,7 @@ firewall:
              portgroups:
                - docker_registry
                - influxdb
                - postgres
                - sensoroni
                - yum
                - beats_5044
@@ -1063,6 +1089,7 @@ firewall:
              portgroups:
                - docker_registry
                - influxdb
                - postgres
                - sensoroni
                - yum
                - beats_5044
@@ -1074,6 +1101,7 @@ firewall:
              portgroups:
                - docker_registry
                - influxdb
                - postgres
                - sensoroni
                - yum
                - redis
@@ -1083,6 +1111,7 @@ firewall:
              portgroups:
                - docker_registry
                - influxdb
                - postgres
                - sensoroni
                - yum
                - redis
@@ -1093,6 +1122,7 @@ firewall:
                - yum
                - docker_registry
                - influxdb
                - postgres
                - elastic_agent_control
                - elastic_agent_data
                - elastic_agent_update
@@ -1129,6 +1159,7 @@ firewall:
              portgroups:
                - docker_registry
                - influxdb
                - postgres
                - sensoroni
                - yum
                - elastic_agent_control
@@ -1139,6 +1170,7 @@ firewall:
                - yum
                - docker_registry
                - influxdb
                - postgres
                - elastic_agent_control
                - elastic_agent_data
                - elastic_agent_update
@@ -1482,6 +1514,7 @@ firewall:
                - kibana
                - redis
                - influxdb
                - postgres
                - elasticsearch_rest
                - elasticsearch_node
                - elastic_agent_control
@@ -1,6 +1,5 @@
 {% from 'vars/globals.map.jinja' import GLOBALS %}
 {% from 'docker/docker.map.jinja' import DOCKERMERGED %}
 {% from 'telegraf/map.jinja' import TELEGRAFMERGED %}
 {% import_yaml 'firewall/defaults.yaml' as FIREWALL_DEFAULT %}
 {# add our ip to self #}
@@ -56,16 +55,4 @@
 {% endif %}
 {# Open Postgres (5432) to minion hostgroups when Telegraf is configured to write to Postgres #}
 {% set TG_OUT = TELEGRAFMERGED.output | upper %}
 {% if TG_OUT in ['POSTGRES', 'BOTH'] %}
 {%   if role.startswith('manager') or role == 'standalone' or role == 'eval' %}
 {%     for r in ['sensor', 'searchnode', 'heavynode', 'receiver', 'fleet', 'idh', 'desktop', 'import'] %}
 {%       if FIREWALL_DEFAULT.firewall.role[role].chain["DOCKER-USER"].hostgroups[r] is defined %}
 {%         do FIREWALL_DEFAULT.firewall.role[role].chain["DOCKER-USER"].hostgroups[r].portgroups.append('postgres') %}
 {%       endif %}
 {%     endfor %}
 {%   endif %}
 {% endif %}
 {% set FIREWALL_MERGED = salt['pillar.get']('firewall', FIREWALL_DEFAULT.firewall, merge=True) %}
@@ -485,6 +485,130 @@ elasticsearch_backup_index_templates() {
  tar -czf /nsm/backup/3.0.0_elasticsearch_index_templates.tar.gz -C /opt/so/conf/elasticsearch/templates/index/ .
 }
 elasticfleet_set_agent_logging_level_warn() {
    . /usr/sbin/so-elastic-fleet-common
    local current_agent_policies
    if ! current_agent_policies=$(fleet_api "agent_policies?perPage=1000"); then
        echo "Warning: unable to retrieve Fleet agent policies"
        return 0
    fi
    # Only updating policies that are within Security Onion defaults and do not already have any user configured advanced_settings.
    local policies_to_update
    policies_to_update=$(jq -c '
        .items[]
        | select(has("advanced_settings") | not)
        | select(
            .id == "so-grid-nodes_general"
            or .id == "so-grid-nodes_heavy"
            or .id == "endpoints-initial"
            or (.id | startswith("FleetServer_"))
          )
    ' <<< "$current_agent_policies")
    if [[ -z "$policies_to_update" ]]; then
        return 0
    fi
    while IFS= read -r policy; do
        [[ -z "$policy" ]] && continue
        local policy_id policy_name policy_namespace
        policy_id=$(jq -r '.id' <<< "$policy")
        policy_name=$(jq -r '.name' <<< "$policy")
        policy_namespace=$(jq -r '.namespace' <<< "$policy")
        local update_logging
        update_logging=$(jq -n \
            --arg name "$policy_name" \
            --arg namespace "$policy_namespace" \
            '{name: $name, namespace: $namespace, advanced_settings: {agent_logging_level: "warning"}}'
        )
        echo "Setting elastic agent_logging_level to warning on policy '$policy_name' ($policy_id)."
        if ! fleet_api "agent_policies/$policy_id" -XPUT -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d "$update_logging" >/dev/null; then
            echo "  warning: failed to update agent policy '$policy_name' ($policy_id)" >&2
        fi
    done <<< "$policies_to_update"
 }
 check_transform_health_and_reauthorize() {
    . /usr/sbin/so-elastic-fleet-common
    echo "Checking integration transform jobs for unhealthy / unauthorized status..."
    local transforms_doc stats_doc installed_doc
    if ! transforms_doc=$(so-elasticsearch-query "_transform/_all?size=1000" --fail --retry 3 --retry-delay 5 2>/dev/null); then
        echo "Unable to query for transform jobs, skipping reauthorization."
        return 0
    fi
    if ! stats_doc=$(so-elasticsearch-query "_transform/_all/_stats?size=1000" --fail --retry 3 --retry-delay 5 2>/dev/null); then
        echo "Unable to query for transform job stats, skipping reauthorization."
        return 0
    fi
    if ! installed_doc=$(fleet_api "epm/packages/installed?perPage=500"); then
        echo "Unable to list installed Fleet packages, skipping reauthorization."
        return 0
    fi
    # Get all transforms that meet the following
    # - unhealthy (any non-green health status)
    # - metadata has run_as_kibana_system: false (this fix is specific to transforms started prior to Kibana 9.3.3)
    # - are not orphaned (integration is not somehow missing/corrupt/uninstalled)
    local unhealthy_transforms
    unhealthy_transforms=$(jq -c -n \
        --argjson t "$transforms_doc" \
        --argjson s "$stats_doc" \
        --argjson i "$installed_doc" '
        ($i.items | map({key: .name, value: .version}) | from_entries) as $pkg_ver
        | ($s.transforms | map({key: .id, value: .health.status}) | from_entries) as $health
        | [ $t.transforms[]
            | select(._meta.run_as_kibana_system == false)
            | select(($health[.id] // "unknown") != "green")
            | {id, pkg: ._meta.package.name, ver: ($pkg_ver[._meta.package.name])}
          ]
        | if length == 0 then empty else . end
        | (map(select(.ver == null)) | map({orphan: .id})[]),
          (map(select(.ver != null))
           | group_by(.pkg)
           | map({pkg: .[0].pkg, ver: .[0].ver, transformIds: map(.id)})[])
    ')
    if [[ -z "$unhealthy_transforms" ]]; then
        return 0
    fi
    local unhealthy_count
    unhealthy_count=$(jq -s '[.[].transformIds? // empty | .[]] | length' <<< "$unhealthy_transforms")
    echo "Found $unhealthy_count transform(s) needing reauthorization."
    local total_failures=0
    while IFS= read -r transform; do
        [[ -z "$transform" ]] && continue
        if jq -e 'has("orphan")' <<< "$transform" >/dev/null 2>&1; then
            echo "Skipping transform not owned by any installed Fleet package: $(jq -r '.orphan' <<< "$transform")"
            continue
        fi
        local pkg ver body resp
        pkg=$(jq -r '.pkg' <<< "$transform")
        ver=$(jq -r '.ver' <<< "$transform")
        body=$(jq -c '{transforms: (.transformIds | map({transformId: .}))}' <<< "$transform")
        echo "Reauthorizing transform(s) for ${pkg}-${ver}..."
        resp=$(fleet_api "epm/packages/${pkg}/${ver}/transforms/authorize" \
                        -XPOST -H 'kbn-xsrf: true' -H 'Content-Type: application/json' \
                        -d "$body") || { echo "Could not reauthorize transform(s) for ${pkg}-${ver}"; continue; }
        (( total_failures += $(jq 'map(select(.success != true)) | length' <<< "$resp" 2>/dev/null) ))
    done <<< "$unhealthy_transforms"
    if [[ "$total_failures" -gt 0 ]]; then
        echo "Some transform(s) failed to reauthorize."
    fi
 }
 ensure_postgres_local_pillar() {
  # Postgres was added as a service after 3.0.0, so the new pillar/top.sls
  # references postgres.soc_postgres / postgres.adv_postgres unconditionally.
@@ -553,6 +677,12 @@ post_to_3.1.0() {
  # file_roots of its own and --local would fail with "No matching sls found".
  salt-call state.apply postgres.telegraf_users queue=True || true
  # Update default agent policies to use logging level warn.
  elasticfleet_set_agent_logging_level_warn || true
  # Check for unhealthy / unauthorized integration transform jobs and attempt reauthorizations
  check_transform_health_and_reauthorize || true
  POSTVERSION=3.1.0
 }
@@ -15,7 +15,7 @@ from watchdog.observers import Observer
 from watchdog.events import FileSystemEventHandler
 with open("/opt/so/conf/strelka/filecheck.yaml", "r") as ymlfile:
-    cfg = yaml.load(ymlfile, Loader=yaml.Loader)
+    cfg = yaml.safe_load(ymlfile)
 extract_path = cfg["filecheck"]["extract_path"]
 historypath = cfg["filecheck"]["historypath"]
Author	SHA1	Message	Date
Mike Reeves	b701664e04	Fix unsafe PyYAML load in filecheck	2026-05-04 12:09:35 -04:00
Jorge Reyes	77a4ad877e	Merge pull request #15851 from Security-Onion-Solutions/reyesj2/integration-transforms	2026-05-01 14:11:12 -05:00
reyesj2	702b3585cc	excluding additional integration transform job failures	2026-05-01 12:57:59 -05:00
reyesj2	86966d2778	reauthorize unhealthy transform jobs using kibana 9.3.3 auth flow	2026-05-01 12:44:08 -05:00
Jorge Reyes	ce3ad3a895	Merge pull request #15844 from Security-Onion-Solutions/reyesj2/elastic-agent-warning update default elastic agent logging level to warning	2026-04-30 09:46:28 -05:00
reyesj2	39d0947102	update default elastic agent logging level to warning	2026-04-29 17:38:40 -05:00
Jorge Reyes	0085d9a353	Merge pull request #15842 from Security-Onion-Solutions/reyesj2-patch-1 so-elastic-fleet-outputs-update now checks for cert drift. Remove run…	2026-04-29 12:37:04 -05:00
Jorge Reyes	2f01ce3b23	so-elastic-fleet-outputs-update now checks for cert drift. Remove running --cert arg on cert change to prevent highstate from running outputs-update 2x	2026-04-29 12:33:28 -05:00
Mike Reeves	71b19c1b5f	Merge pull request #15840 from Security-Onion-Solutions/fix/import-postgres-firewall Open postgres in DOCKER-USER firewall everywhere influxdb is open	2026-04-29 09:20:03 -04:00
Mike Reeves	82e55ae87f	Open postgres on every hostgroup that opens influxdb The static defaults only listed postgres on each role's self-hostgroup, leaving sensor/searchnode/heavynode/receiver/fleet/idh/desktop/hypervisor hostgroups unable to reach the manager's so-postgres in distributed grids. A dynamic block in firewall/map.jinja added postgres to those hostgroups only when telegraf.output was switched to POSTGRES/BOTH, which left postgres unreachable by default. Mirror influxdb statically across manager/managerhype/managersearch/ standalone for every hostgroup that already lists influxdb, and drop the now-redundant telegraf-gated dynamic block from firewall/map.jinja.	2026-04-29 09:09:50 -04:00
Mike Reeves	3e02001544	Open postgres port for import role in DOCKER-USER firewall When so-postgres was wired in (`868cd1187`), the import role's firewall defaults were missed while every other manager-class role (manager, managerhype, managersearch, standalone, eval) had postgres added to their DOCKER-USER manager-hostgroup portgroups. As a result, on a fresh import install the so-postgres container starts but tcp/5432 is dropped at DOCKER-USER, so soc/kratos/telegraf can't reach it. Add postgres alongside the existing influxdb entry so import nodes match the other roles.	2026-04-29 08:48:45 -04:00
Mike Reeves	82f70bb53a	Merge pull request #15839 from Security-Onion-Solutions/fix/drop-postgres-soc-module-injection drop postgres module from soc defaults injection	2026-04-28 15:48:49 -04:00