Change ulimits to structured dict format and add daemon.json ulimit support

Convert ulimits from flat strings to structured dicts with name, soft,
and hard fields for better UI experience. Add default_ulimits as a
configurable setting that dynamically renders into daemon.json, giving
two layers of control: global defaults via the daemon and per-container
overrides.

.github/DISCUSSION_TEMPLATE/2-4.yml

@@ -33,7 +33,7 @@ body:
         - 2.4.200
         - 2.4.201
         - 2.4.210
-        - 3.0.0
+        - 2.4.211
         - Other (please provide detail below)
     validations:
       required: true

.github/DISCUSSION_TEMPLATE/3-0.yml

@@ -0,0 +1,177 @@
+body:
+  - type: markdown
+    attributes:
+      value: |
+        If your organization needs more immediate, enterprise grade professional support, with one-on-one virtual meetings and screensharing, contact us via our website: https://securityonion.com/support
+  - type: dropdown
+    attributes:
+      label: Version
+      description: Which version of Security Onion are you asking about?
+      options:
+        -
+        - 3.0.0
+        - Other (please provide detail below)
+    validations:
+      required: true
+  - type: dropdown
+    attributes:
+      label: Installation Method
+      description: How did you install Security Onion?
+      options:
+        -
+        - Security Onion ISO image
+        - Cloud image (Amazon, Azure, Google)
+        - Network installation on Oracle 9 (unsupported)
+        - Other (please provide detail below)
+    validations:
+      required: true
+  - type: dropdown
+    attributes:
+      label: Description
+      description: >
+        Is this discussion about installation, configuration, upgrading, or other?
+      options:
+        -
+        - installation
+        - configuration
+        - upgrading
+        - other (please provide detail below)
+    validations:
+      required: true
+  - type: dropdown
+    attributes:
+      label: Installation Type
+      description: >
+        When you installed, did you choose Import, Eval, Standalone, Distributed, or something else?
+      options:
+        -
+        - Import
+        - Eval
+        - Standalone
+        - Distributed
+        - other (please provide detail below)
+    validations:
+      required: true
+  - type: dropdown
+    attributes:
+      label: Location
+      description: >
+        Is this deployment in the cloud, on-prem with Internet access, or airgap?
+      options:
+        -
+        - cloud
+        - on-prem with Internet access
+        - airgap
+        - other (please provide detail below)
+    validations:
+      required: true
+  - type: dropdown
+    attributes:
+      label: Hardware Specs
+      description: >
+        Does your hardware meet or exceed the minimum requirements for your installation type as shown at https://securityonion.net/docs/hardware?
+      options:
+        -
+        - Meets minimum requirements
+        - Exceeds minimum requirements
+        - Does not meet minimum requirements
+        - other (please provide detail below)
+    validations:
+      required: true
+  - type: input
+    attributes:
+      label: CPU
+      description: How many CPU cores do you have?
+    validations:
+      required: true
+  - type: input
+    attributes:
+      label: RAM
+      description: How much RAM do you have?
+    validations:
+      required: true
+  - type: input
+    attributes:
+      label: Storage for /
+      description: How much storage do you have for the / partition?
+    validations:
+      required: true
+  - type: input
+    attributes:
+      label: Storage for /nsm
+      description: How much storage do you have for the /nsm partition?
+    validations:
+      required: true
+  - type: dropdown
+    attributes:
+      label: Network Traffic Collection
+      description: >
+        Are you collecting network traffic from a tap or span port?
+      options:
+        -
+        - tap
+        - span port
+        - other (please provide detail below)
+    validations:
+      required: true
+  - type: dropdown
+    attributes:
+      label: Network Traffic Speeds
+      description: >
+        How much network traffic are you monitoring?
+      options:
+        -
+        - Less than 1Gbps
+        - 1Gbps to 10Gbps
+        - more than 10Gbps
+    validations:
+      required: true
+  - type: dropdown
+    attributes:
+      label: Status
+      description: >
+        Does SOC Grid show all services on all nodes as running OK?
+      options:
+        -
+        - Yes, all services on all nodes are running OK
+        - No, one or more services are failed (please provide detail below)
+    validations:
+      required: true
+  - type: dropdown
+    attributes:
+      label: Salt Status
+      description: >
+        Do you get any failures when you run "sudo salt-call state.highstate"?
+      options:
+        -
+        - Yes, there are salt failures (please provide detail below)
+        - No, there are no failures
+    validations:
+      required: true
+  - type: dropdown
+    attributes:
+      label: Logs
+      description: >
+        Are there any additional clues in /opt/so/log/?
+      options:
+        -
+        - Yes, there are additional clues in /opt/so/log/ (please provide detail below)
+        - No, there are no additional clues
+    validations:
+      required: true
+  - type: textarea
+    attributes:
+      label: Detail
+      description: Please read our discussion guidelines at https://github.com/Security-Onion-Solutions/securityonion/discussions/1720 and then provide detailed information to help us help you.
+      placeholder: |-
+        STOP! Before typing, please read our discussion guidelines at https://github.com/Security-Onion-Solutions/securityonion/discussions/1720 in their entirety!
+
+        If your organization needs more immediate, enterprise grade professional support, with one-on-one virtual meetings and screensharing, contact us via our website: https://securityonion.com/support
+    validations:
+      required: true
+  - type: checkboxes
+    attributes:
+      label: Guidelines
+      options:
+        - label: I have read the discussion guidelines at https://github.com/Security-Onion-Solutions/securityonion/discussions/1720 and assert that I have followed the guidelines.
+          required: true

.github/workflows/pythontest.yml

@@ -13,7 +13,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        python-version: ["3.13"]
+        python-version: ["3.14"]
         python-code-path: ["salt/sensoroni/files/analyzers", "salt/manager/tools/sbin"]
 
     steps:

salt/_modules/needs_restarting.py

@@ -1,24 +1,14 @@
-from os import path
 import subprocess
 
 def check():
 
-  osfam = __grains__['os_family']
   retval = 'False'
 
-  if osfam == 'Debian':
-    if path.exists('/var/run/reboot-required'):
-      retval = 'True'
+  cmd = 'needs-restarting -r > /dev/null 2>&1'
 
-  elif osfam == 'RedHat':
-    cmd = 'needs-restarting -r > /dev/null 2>&1'
-    
-    try:
-      needs_restarting = subprocess.check_call(cmd, shell=True)
-    except subprocess.CalledProcessError:
-      retval = 'True'
-
-  else:
-    retval = 'Unsupported OS: %s' % os
+  try:
+    needs_restarting = subprocess.check_call(cmd, shell=True)
+  except subprocess.CalledProcessError:
+    retval = 'True'
 
   return retval

salt/ca/trustca.sls

@@ -3,8 +3,6 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 
-{% from 'vars/globals.map.jinja' import GLOBALS %}
-
 include:
   - docker
 
@@ -18,9 +16,3 @@ trusttheca:
     - show_changes: False
     - makedirs: True
 
-{% if GLOBALS.os_family == 'Debian' %}
-symlinkca:
-  file.symlink:
-    - target: /etc/pki/tls/certs/intca.crt
-    - name: /etc/ssl/certs/intca.crt
-{% endif %}

salt/common/files/daemon.json

@@ -1,3 +1,4 @@
+{% from 'docker/docker.map.jinja' import DOCKER -%}
 {
   "registry-mirrors": [
     "https://:5000"
@@ -9,4 +10,15 @@
       "size": 24
     }
   ]
+{%- if DOCKER.default_ulimits %},
+  "default-ulimits": {
+{%-   for ULIMIT in DOCKER.default_ulimits %}
+    "{{ ULIMIT.name }}": {
+      "Name": "{{ ULIMIT.name }}",
+      "Soft": {{ ULIMIT.soft }},
+      "Hard": {{ ULIMIT.hard }}
+    }{{ "," if not loop.last else "" }}
+{%-   endfor %}
+  }
+{%- endif %}
 }

salt/common/init.sls

@@ -20,11 +20,6 @@ kernel.printk:
   sysctl.present:
     - value: "3 4 1 3"
 
-# Remove variables.txt from /tmp - This is temp
-rmvariablesfile:
-  file.absent:
-    - name: /tmp/variables.txt
-
 # Add socore Group
 socoregroup:
   group.present:
@@ -149,28 +144,6 @@ common_sbin_jinja:
       - so-import-pcap
 {% endif %}
 
-{% if GLOBALS.role == 'so-heavynode' %}
-remove_so-pcap-import_heavynode:
-  file.absent:
-    - name: /usr/sbin/so-pcap-import
-
-remove_so-import-pcap_heavynode:
-  file.absent:
-    - name: /usr/sbin/so-import-pcap
-{% endif %}
-
-{% if not GLOBALS.is_manager%}
-# prior to 2.4.50 these scripts were in common/tools/sbin on the manager because of soup and distributed to non managers
-# these two states remove the scripts from non manager nodes
-remove_soup:
-  file.absent:
-    - name: /usr/sbin/soup
-
-remove_so-firewall:
-  file.absent:
-    - name: /usr/sbin/so-firewall
-{% endif %}
-
 so-status_script:
   file.managed:
     - name: /usr/sbin/so-status

salt/common/packages.sls

@@ -1,52 +1,5 @@
 # we cannot import GLOBALS from vars/globals.map.jinja in this state since it is called in setup.virt.init
 # since it is early in setup of a new VM, the pillars imported in GLOBALS are not yet defined
-{% if grains.os_family == 'Debian' %}
-commonpkgs:
-  pkg.installed:
-    - skip_suggestions: True
-    - pkgs:
-      - apache2-utils
-      - wget
-      - ntpdate
-      - jq
-      - curl
-      - ca-certificates
-      - software-properties-common
-      - apt-transport-https
-      - openssl
-      - netcat-openbsd
-      - sqlite3
-      - libssl-dev
-      - procps
-      - python3-dateutil
-      - python3-docker
-      - python3-packaging
-      - python3-lxml
-      - git
-      - rsync
-      - vim
-      - tar
-      - unzip
-      - bc
-      {% if grains.oscodename != 'focal' %}
-      - python3-rich
-      {% endif %}
-
-{%     if grains.oscodename == 'focal' %}
-# since Ubuntu requires and internet connection we can use pip to install modules
-python3-pip:
-  pkg.installed
-
-python-rich:
-  pip.installed:
-    - name: rich
-    - target: /usr/local/lib/python3.8/dist-packages/
-    - require:
-      - pkg: python3-pip
-{%     endif %}
-{% endif %}
-
-{% if grains.os_family == 'RedHat' %}
 
 remove_mariadb:
   pkg.removed:
@@ -84,5 +37,3 @@ commonpkgs:
       - unzip
       - wget
       - yum-utils
-
-{% endif %}

salt/common/soup_scripts.sls

@@ -11,14 +11,6 @@
 {%   endif %}
 {%   set SOVERSION = salt['file.read']('/etc/soversion').strip() %}
 
-remove_common_soup:
-  file.absent:
-    - name: /opt/so/saltstack/default/salt/common/tools/sbin/soup
-
-remove_common_so-firewall:
-  file.absent:
-    - name: /opt/so/saltstack/default/salt/common/tools/sbin/so-firewall
-
 # This section is used to put the scripts in place in the Salt file system
 # in case a state run tries to overwrite what we do in the next section.
 copy_so-common_common_tools_sbin:

salt/common/tools/sbin/so-common

@@ -349,21 +349,16 @@ get_random_value() {
 }
 
 gpg_rpm_import() {
-	if [[ $is_oracle ]]; then
-	    if [[ "$WHATWOULDYOUSAYYAHDOHERE" == "setup" ]]; then
-	        local RPMKEYSLOC="../salt/repo/client/files/$OS/keys"
-	    else
-	        local RPMKEYSLOC="$UPDATE_DIR/salt/repo/client/files/$OS/keys"
-	    fi
-		RPMKEYS=('RPM-GPG-KEY-oracle' 'RPM-GPG-KEY-EPEL-9' 'SALT-PROJECT-GPG-PUBKEY-2023.pub' 'docker.pub' 'securityonion.pub')
-		for RPMKEY in "${RPMKEYS[@]}"; do
-    	        rpm --import $RPMKEYSLOC/$RPMKEY
-	        echo "Imported $RPMKEY"
-	    done
-	elif [[ $is_rpm ]]; then
-		echo "Importing the security onion GPG key"
-		rpm --import ../salt/repo/client/files/oracle/keys/securityonion.pub
+	if [[ "$WHATWOULDYOUSAYYAHDOHERE" == "setup" ]]; then
+		local RPMKEYSLOC="../salt/repo/client/files/$OS/keys"
+	else
+		local RPMKEYSLOC="$UPDATE_DIR/salt/repo/client/files/$OS/keys"
 	fi
+	RPMKEYS=('RPM-GPG-KEY-oracle' 'RPM-GPG-KEY-EPEL-9' 'SALT-PROJECT-GPG-PUBKEY-2023.pub' 'docker.pub' 'securityonion.pub')
+	for RPMKEY in "${RPMKEYS[@]}"; do
+		rpm --import $RPMKEYSLOC/$RPMKEY
+		echo "Imported $RPMKEY"
+	done
 }
 
 header() {
@@ -615,69 +610,19 @@ salt_minion_count() {
 }
 
 set_os() {
-	if [ -f /etc/redhat-release ]; then
-		if grep -q "Rocky Linux release 9" /etc/redhat-release; then
-			OS=rocky
-			OSVER=9
-			is_rocky=true
-			is_rpm=true
-		elif grep -q "CentOS Stream release 9" /etc/redhat-release; then
-			OS=centos
-			OSVER=9
-			is_centos=true
-			is_rpm=true
-		elif grep -q "AlmaLinux release 9" /etc/redhat-release; then
-			OS=alma
-			OSVER=9
-			is_alma=true
-			is_rpm=true
-		elif grep -q "Red Hat Enterprise Linux release 9" /etc/redhat-release; then
-			if [ -f /etc/oracle-release ]; then
-				OS=oracle
-				OSVER=9
-				is_oracle=true
-				is_rpm=true
-			else
-				OS=rhel
-				OSVER=9
-				is_rhel=true
-				is_rpm=true
-			fi
-		fi
-		cron_service_name="crond"
-	elif [ -f /etc/os-release ]; then
-		if grep -q "UBUNTU_CODENAME=focal" /etc/os-release; then
-			OSVER=focal
-			UBVER=20.04
-			OS=ubuntu
-			is_ubuntu=true
-			is_deb=true
-		elif grep -q "UBUNTU_CODENAME=jammy" /etc/os-release; then
-			OSVER=jammy
-			UBVER=22.04
-			OS=ubuntu
-			is_ubuntu=true
-			is_deb=true
-		elif grep -q "VERSION_CODENAME=bookworm" /etc/os-release; then
-			OSVER=bookworm
-			DEBVER=12
-			is_debian=true
-			OS=debian
-			is_deb=true
-		fi
-		cron_service_name="cron"
+	if [ -f /etc/redhat-release ] && grep -q "Red Hat Enterprise Linux release 9" /etc/redhat-release && [ -f /etc/oracle-release ]; then
+		OS=oracle
+		OSVER=9
+		is_oracle=true
+		is_rpm=true
 	fi
+	cron_service_name="crond"
 }
 
 set_minionid() {
 	MINIONID=$(lookup_grain id)
 }
 
-set_palette() {
-	if [[ $is_deb ]]; then
-	    update-alternatives --set newt-palette /etc/newt/palette.original
-    fi
-}
 
 set_version() {
 	CURRENTVERSION=0.0.0

salt/curator/disabled.sls

@@ -1,34 +0,0 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-so-curator:
-  docker_container.absent:
-    - force: True
-
-so-curator_so-status.disabled:
-  file.line:
-    - name: /opt/so/conf/so-status/so-status.conf
-    - match: ^so-curator$
-    - mode: delete
-
-so-curator-cluster-close:
-  cron.absent:
-    - identifier: so-curator-cluster-close
-
-so-curator-cluster-delete:
-  cron.absent:
-    - identifier: so-curator-cluster-delete
-
-delete_curator_configuration:
-  file.absent:
-    - name: /opt/so/conf/curator
-    - recurse: True
-
-{% set files = salt.file.find(path='/usr/sbin', name='so-curator*') %}
-{% if files|length > 0 %}
-delete_curator_scripts:
-  file.absent:
-    - names: {{files|yaml}}
-{% endif %}

salt/docker/defaults.yaml

@@ -1,6 +1,10 @@
 docker:
   range: '172.17.1.0/24'
   gateway: '172.17.1.1'
+  default_ulimits:
+    - name: nofile
+      soft: 1048576
+      hard: 1048576
   containers:
     'so-dockerregistry':
       final_octet: 20
@@ -9,6 +13,7 @@ docker:
       custom_bind_mounts: []
       extra_hosts: []
       extra_env: []
+      ulimits: []
     'so-elastic-fleet':
       final_octet: 21
       port_bindings:
@@ -16,6 +21,7 @@ docker:
       custom_bind_mounts: []
       extra_hosts: []
       extra_env: []
+      ulimits: []
     'so-elasticsearch':
       final_octet: 22
       port_bindings:
@@ -24,6 +30,16 @@ docker:
       custom_bind_mounts: []
       extra_hosts: []
       extra_env: []
+      ulimits:
+        - name: memlock
+          soft: -1
+          hard: -1
+        - name: nofile
+          soft: 65536
+          hard: 65536
+        - name: nproc
+          soft: 4096
+          hard: 4096
     'so-influxdb':
       final_octet: 26
       port_bindings:
@@ -31,6 +47,7 @@ docker:
       custom_bind_mounts: []
       extra_hosts: []
       extra_env: []
+      ulimits: []
     'so-kibana':
       final_octet: 27
       port_bindings:
@@ -38,6 +55,7 @@ docker:
       custom_bind_mounts: []
       extra_hosts: []
       extra_env: []
+      ulimits: []
     'so-kratos':
       final_octet: 28
       port_bindings:
@@ -46,6 +64,7 @@ docker:
       custom_bind_mounts: []
       extra_hosts: []
       extra_env: []
+      ulimits: []
     'so-hydra':
       final_octet: 30
       port_bindings:
@@ -54,6 +73,7 @@ docker:
       custom_bind_mounts: []
       extra_hosts: []
       extra_env: []
+      ulimits: []
     'so-logstash':
       final_octet: 29
       port_bindings:
@@ -70,6 +90,7 @@ docker:
       custom_bind_mounts: []
       extra_hosts: []
       extra_env: []
+      ulimits: []
     'so-nginx':
       final_octet: 31
       port_bindings:
@@ -81,6 +102,7 @@ docker:
       custom_bind_mounts: []
       extra_hosts: []
       extra_env: []
+      ulimits: []
     'so-nginx-fleet-node':
       final_octet: 31
       port_bindings:
@@ -88,6 +110,7 @@ docker:
       custom_bind_mounts: []
       extra_hosts: []
       extra_env: []
+      ulimits: []
     'so-redis':
       final_octet: 33
       port_bindings:
@@ -96,11 +119,13 @@ docker:
       custom_bind_mounts: []
       extra_hosts: []
       extra_env: []
+      ulimits: []
     'so-sensoroni':
       final_octet: 99
       custom_bind_mounts: []
       extra_hosts: []
       extra_env: []
+      ulimits: []
     'so-soc':
       final_octet: 34
       port_bindings:
@@ -108,16 +133,19 @@ docker:
       custom_bind_mounts: []
       extra_hosts: []
       extra_env: []
+      ulimits: []
     'so-strelka-backend':
       final_octet: 36
       custom_bind_mounts: []
       extra_hosts: []
       extra_env: []
+      ulimits: []
     'so-strelka-filestream':
       final_octet: 37
       custom_bind_mounts: []
       extra_hosts: []
       extra_env: []
+      ulimits: []
     'so-strelka-frontend':
       final_octet: 38
       port_bindings:
@@ -125,11 +153,13 @@ docker:
       custom_bind_mounts: []
       extra_hosts: []
       extra_env: []
+      ulimits: []
     'so-strelka-manager':
       final_octet: 39
       custom_bind_mounts: []
       extra_hosts: []
       extra_env: []
+      ulimits: []
     'so-strelka-gatekeeper':
       final_octet: 40
       port_bindings:
@@ -137,6 +167,7 @@ docker:
       custom_bind_mounts: []
       extra_hosts: []
       extra_env: []
+      ulimits: []
     'so-strelka-coordinator':
       final_octet: 41
       port_bindings:
@@ -144,11 +175,13 @@ docker:
       custom_bind_mounts: []
       extra_hosts: []
       extra_env: []
+      ulimits: []
     'so-elastalert':
       final_octet: 42
       custom_bind_mounts: []
       extra_hosts: []
       extra_env: []
+      ulimits: []
     'so-elastic-fleet-package-registry':
       final_octet: 44
       port_bindings:
@@ -156,11 +189,13 @@ docker:
       custom_bind_mounts: []
       extra_hosts: []
       extra_env: []
+      ulimits: []
     'so-idh':
       final_octet: 45
       custom_bind_mounts: []
       extra_hosts: []
       extra_env: []
+      ulimits: []
     'so-elastic-agent':
       final_octet: 46
       port_bindings:
@@ -169,23 +204,34 @@ docker:
       custom_bind_mounts: []
       extra_hosts: []
       extra_env: []
+      ulimits: []
     'so-telegraf':
       final_octet: 99
       custom_bind_mounts: []
       extra_hosts: []
       extra_env: []
+      ulimits: []
     'so-suricata':
       final_octet: 99
       custom_bind_mounts: []
       extra_hosts: []
       extra_env: []
       ulimits:
-        - memlock=524288000
+        - name: memlock
+          soft: 524288000
+          hard: 524288000
     'so-zeek':
       final_octet: 99
       custom_bind_mounts: []
       extra_hosts: []
       extra_env: []
+      ulimits:
+        - name: core
+          soft: 0
+          hard: 0
+        - name: nofile
+          soft: 1048576
+          hard: 1048576
     'so-kafka':
       final_octet: 88
       port_bindings:
@@ -196,3 +242,4 @@ docker:
       custom_bind_mounts: []
       extra_hosts: []
       extra_env: []
+      ulimits: []

salt/docker/init.sls

@@ -15,39 +15,6 @@ dockergroup:
     - name: docker
     - gid: 920
 
-{% if GLOBALS.os_family == 'Debian' %}
-{%    if grains.oscodename == 'bookworm' %}
-dockerheldpackages:
-  pkg.installed:
-    - pkgs:
-      - containerd.io: 2.2.1-1~debian.12~bookworm
-      - docker-ce: 5:29.2.1-1~debian.12~bookworm
-      - docker-ce-cli: 5:29.2.1-1~debian.12~bookworm
-      - docker-ce-rootless-extras: 5:29.2.1-1~debian.12~bookworm
-    - hold: True
-    - update_holds: True
-{%    elif grains.oscodename == 'jammy' %}
-dockerheldpackages:
-  pkg.installed:
-    - pkgs:
-      - containerd.io: 2.2.1-1~ubuntu.22.04~jammy
-      - docker-ce: 5:29.2.1-1~ubuntu.22.04~jammy
-      - docker-ce-cli: 5:29.2.1-1~ubuntu.22.04~jammy
-      - docker-ce-rootless-extras: 5:29.2.1-1~ubuntu.22.04~jammy
-    - hold: True
-    - update_holds: True
-{%    else %}
-dockerheldpackages:
-  pkg.installed:
-    - pkgs:
-      - containerd.io: 1.7.21-1
-      - docker-ce: 5:27.2.0-1~ubuntu.20.04~focal
-      - docker-ce-cli: 5:27.2.0-1~ubuntu.20.04~focal
-      - docker-ce-rootless-extras: 5:27.2.0-1~ubuntu.20.04~focal
-    - hold: True
-    - update_holds: True
-{%   endif %}
-{% else %}
 dockerheldpackages:
   pkg.installed:
     - pkgs:
@@ -57,7 +24,6 @@ dockerheldpackages:
       - docker-ce-rootless-extras: 29.2.1-1.el9
     - hold: True
     - update_holds: True
-{% endif %}
 
 #disable docker from managing iptables
 iptables_disabled:

salt/docker/soc_docker.yaml

@@ -7,6 +7,22 @@ docker:
     description: Default docker IP range for containers.
     helpLink: docker.html
     advanced: True
+  default_ulimits:
+    description: Default ulimit settings applied to all containers via the Docker daemon. Each entry specifies a resource name (e.g. nofile, memlock, core, nproc) with soft and hard limits. Individual container ulimits override these defaults.
+    advanced: True
+    helpLink: docker.html
+    forcedType: "[]{}"
+    syntax: json
+    uiElements:
+    - field: name
+      label: Resource Name
+      required: True
+    - field: soft
+      label: Soft Limit
+      forcedType: int
+    - field: hard
+      label: Hard Limit
+      forcedType: int
   containers:
     so-dockerregistry: &dockerOptions
       final_octet:
@@ -39,6 +55,22 @@ docker:
         helpLink: docker.html
         multiline: True
         forcedType: "[]string"
+      ulimits:
+        description: Ulimit settings for the container. Each entry specifies a resource name (e.g. nofile, memlock, core, nproc) with optional soft and hard limits.
+        advanced: True
+        helpLink: docker.html
+        forcedType: "[]{}"
+        syntax: json
+        uiElements:
+        - field: name
+          label: Resource Name
+          required: True
+        - field: soft
+          label: Soft Limit
+          forcedType: int
+        - field: hard
+          label: Hard Limit
+          forcedType: int
     so-elastic-fleet: *dockerOptions
     so-elasticsearch: *dockerOptions
     so-influxdb: *dockerOptions
@@ -62,42 +94,6 @@ docker:
     so-idh: *dockerOptions
     so-elastic-agent: *dockerOptions
     so-telegraf: *dockerOptions
-    so-suricata:
-      final_octet:
-        description: Last octet of the container IP address.
-        helpLink: docker.html
-        readonly: True
-        advanced: True
-        global: True
-      port_bindings:
-        description: List of port bindings for the container.
-        helpLink: docker.html
-        advanced: True
-        multiline: True
-        forcedType: "[]string"
-      custom_bind_mounts:
-        description: List of custom local volume bindings.
-        advanced: True
-        helpLink: docker.html
-        multiline: True
-        forcedType: "[]string"
-      extra_hosts:
-        description: List of additional host entries for the container.
-        advanced: True
-        helpLink: docker.html
-        multiline: True
-        forcedType: "[]string"
-      extra_env:
-        description: List of additional ENV entries for the container.
-        advanced: True
-        helpLink: docker.html
-        multiline: True
-        forcedType: "[]string"
-      ulimits:
-        description: Ulimits for the container, in bytes.
-        advanced: True
-        helpLink: docker.html
-        multiline: True
-        forcedType: "[]string"
+    so-suricata: *dockerOptions
     so-zeek: *dockerOptions
     so-kafka: *dockerOptions

salt/elastalert/enabled.sls

@@ -51,6 +51,12 @@ so-elastalert:
       - {{ XTRAENV }}
         {% endfor %}
       {% endif %}
+    {% if DOCKER.containers['so-elastalert'].ulimits %}
+    - ulimits:
+    {%   for ULIMIT in DOCKER.containers['so-elastalert'].ulimits %}
+      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
+    {%   endfor %}
+    {% endif %}
     - require:
       - cmd: wait_for_elasticsearch
       - file: elastarules

salt/elastalert/files/custom/placeholder

@@ -1 +0,0 @@
-THIS IS A PLACEHOLDER FILE

salt/elastic-fleet-package-registry/enabled.sls

@@ -45,6 +45,12 @@ so-elastic-fleet-package-registry:
       - {{ XTRAENV }}
         {% endfor %}
       {% endif %}
+    {% if DOCKER.containers['so-elastic-fleet-package-registry'].ulimits %}
+    - ulimits:
+    {%   for ULIMIT in DOCKER.containers['so-elastic-fleet-package-registry'].ulimits %}
+      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
+    {%   endfor %}
+    {% endif %}
 delete_so-elastic-fleet-package-registry_so-status.disabled:
   file.uncomment:
     - name: /opt/so/conf/so-status/so-status.conf

salt/elasticagent/enabled.sls

@@ -54,6 +54,12 @@ so-elastic-agent:
       - {{ XTRAENV }}
         {% endfor %}
       {% endif %}
+    {% if DOCKER.containers['so-elastic-agent'].ulimits %}
+    - ulimits:
+    {%   for ULIMIT in DOCKER.containers['so-elastic-agent'].ulimits %}
+      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
+    {%   endfor %}
+    {% endif %}
     - require:
       - file: create-elastic-agent-config
       - file: trusttheca

salt/elasticfleet/enabled.sls

@@ -133,6 +133,12 @@ so-elastic-fleet:
       - {{ XTRAENV }}
         {% endfor %}
       {% endif %}
+    {% if DOCKER.containers['so-elastic-fleet'].ulimits %}
+    - ulimits:
+    {%   for ULIMIT in DOCKER.containers['so-elastic-fleet'].ulimits %}
+      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
+    {%   endfor %}
+    {% endif %}
     - watch:
       - file: trusttheca
       - x509: etc_elasticfleet_key

salt/elasticsearch/config.map.jinja

@@ -6,8 +6,6 @@
 {% from 'vars/globals.map.jinja' import GLOBALS %}
 {% import_yaml 'elasticsearch/defaults.yaml' as ELASTICSEARCHDEFAULTS with context %}
 
-{% set HIGHLANDER = salt['pillar.get']('global:highlander', False) %}
-
 {# this is a list of dicts containing hostname:ip for elasticsearch nodes that need to know about each other for cluster #}
 {% set ELASTICSEARCH_SEED_HOSTS = [] %}
 {% set node_data = salt['pillar.get']('elasticsearch:nodes', {GLOBALS.role.split('-')[1]: {GLOBALS.hostname: {'ip': GLOBALS.node_ip}}}) %}
@@ -36,14 +34,8 @@
       {% endfor %}
     {% endif %}
 {% elif grains.id.split('_') | last == 'searchnode' %}
-  {% if HIGHLANDER %}
-        {% do ELASTICSEARCHDEFAULTS.elasticsearch.config.node.roles.extend(['ml', 'master', 'transform']) %}
-  {% endif %}
   {% do ELASTICSEARCHDEFAULTS.elasticsearch.config.update({'discovery': {'seed_hosts': [GLOBALS.manager]}}) %}
 {% endif %}
-{% if HIGHLANDER %}
-      {% do ELASTICSEARCHDEFAULTS.elasticsearch.config.xpack.ml.update({'enabled': true}) %}
-{% endif %}
 
 {% do ELASTICSEARCHDEFAULTS.elasticsearch.config.node.update({'name': GLOBALS.hostname}) %}
 {% do ELASTICSEARCHDEFAULTS.elasticsearch.config.cluster.update({'name': GLOBALS.hostname}) %}

salt/elasticsearch/config.sls

@@ -98,10 +98,6 @@ esrolesdir:
     - group: 939
     - makedirs: True
 
-eslibdir:
-  file.absent:
-    - name: /opt/so/conf/elasticsearch/lib
-
 esingestdynamicconf:
   file.recurse:
     - name: /opt/so/conf/elasticsearch/ingest
@@ -119,11 +115,6 @@ esingestconf:
     - group: 939
     - show_changes: False
 
-# Remove .fleet_final_pipeline-1 because we are using global@custom now
-so-fleet-final-pipeline-remove:
-  file.absent:
-    - name: /opt/so/conf/elasticsearch/ingest/.fleet_final_pipeline-1
-
 # Auto-generate Elasticsearch ingest node pipelines from pillar
 {% for pipeline, config in ELASTICSEARCHMERGED.pipelines.items() %}
 es_ingest_conf_{{pipeline}}:

salt/elasticsearch/enabled.sls

@@ -45,15 +45,17 @@ so-elasticsearch:
       - discovery.type=single-node
       {% endif %}
       - ES_JAVA_OPTS=-Xms{{ GLOBALS.elasticsearch.es_heap }} -Xmx{{ GLOBALS.elasticsearch.es_heap }} -Des.transport.cname_in_publish_address=true -Dlog4j2.formatMsgNoLookups=true
-      ulimits:
-      - memlock=-1:-1
-      - nofile=65536:65536
-      - nproc=4096
       {% if DOCKER.containers['so-elasticsearch'].extra_env %}
         {% for XTRAENV in DOCKER.containers['so-elasticsearch'].extra_env %}
       - {{ XTRAENV }}
         {% endfor %}
       {% endif %}
+    {% if DOCKER.containers['so-elasticsearch'].ulimits %}
+    - ulimits:
+    {%   for ULIMIT in DOCKER.containers['so-elasticsearch'].ulimits %}
+      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
+    {%   endfor %}
+    {% endif %}
     - port_bindings:
       {% for BINDING in DOCKER.containers['so-elasticsearch'].port_bindings %}
       - {{ BINDING }}

salt/elasticsearch/files/ingest/common

@@ -1,5 +1,3 @@
-{%- set HIGHLANDER = salt['pillar.get']('global:highlander', False) -%}
-{%- raw -%}
 {
   "description" : "common",
   "processors" : [
@@ -67,19 +65,7 @@
     { "append":          { "if": "ctx.dataset_tag_temp != null", "field": "tags", "value": "{{dataset_tag_temp.1}}"  } },
     { "grok":            { "if": "ctx.http?.response?.status_code != null", "field": "http.response.status_code", "patterns": ["%{NUMBER:http.response.status_code:long} %{GREEDYDATA}"]} },
     { "set":             { "if": "ctx?.metadata?.kafka != null" , "field": "kafka.id", "value": "{{metadata.kafka.partition}}{{metadata.kafka.offset}}{{metadata.kafka.timestamp}}", "ignore_failure": true } },
-    { "remove":          { "field": [ "message2", "type", "fields", "category", "module", "dataset", "dataset_tag_temp", "event.dataset_temp" ], "ignore_missing": true, "ignore_failure": true } }
-{%- endraw %}
-{%- if HIGHLANDER %}
-    ,
-    {
-      "pipeline": {
-        "name": "ecs"
-      }
-    }
-{%- endif %}
-{%- raw %}
-    ,
+    { "remove":          { "field": [ "message2", "type", "fields", "category", "module", "dataset", "dataset_tag_temp", "event.dataset_temp" ], "ignore_missing": true, "ignore_failure": true } },
     { "pipeline": { "name": "global@custom", "ignore_missing_pipeline": true, "description": "[Fleet] Global pipeline for all data streams" } }
   ]
 }
-{% endraw %}

salt/firewall/init.sls

@@ -27,14 +27,12 @@ iptables_config:
     - source: salt://firewall/iptables.jinja
     - template: jinja
 
-{%   if grains.os_family == 'RedHat' %}
 disable_firewalld:
   service.dead:
     - name: firewalld
     - enable: False
     - require:
       - file: iptables_config
-{%   endif %}
 
 iptables_restore:
   cmd.run:
@@ -44,7 +42,6 @@ iptables_restore:
     - onlyif:
       - iptables-restore --test {{ iptmap.configfile }}
 
-{%   if grains.os_family == 'RedHat' %}
 enable_firewalld:
   service.running:
     - name: firewalld
@@ -52,7 +49,6 @@ enable_firewalld:
     - onfail:
       - file: iptables_config
       - cmd: iptables_restore
-{%   endif %}
 
 {% else %}
 

salt/firewall/ipt.map.jinja

@@ -1,14 +1,6 @@
-{% set iptmap = salt['grains.filter_by']({
-    'Debian': {
-        'service': 'netfilter-persistent',
-        'iptpkg': 'iptables',
-        'persistpkg': 'iptables-persistent',
-        'configfile': '/etc/iptables/rules.v4'
-    },
-    'RedHat': {
-        'service': 'iptables',
-        'iptpkg': 'iptables-nft',
-        'persistpkg': 'iptables-nft-services',
-        'configfile': '/etc/sysconfig/iptables'
-    },
-}) %}
+{% set iptmap = {
+    'service': 'iptables',
+    'iptpkg': 'iptables-nft',
+    'persistpkg': 'iptables-nft-services',
+    'configfile': '/etc/sysconfig/iptables'
+} %}

salt/hydra/enabled.sls

@@ -52,6 +52,12 @@ so-hydra:
       - {{ XTRAENV }}
       {% endfor %}
     {% endif %}
+    {% if DOCKER.containers['so-hydra'].ulimits %}
+    - ulimits:
+    {%   for ULIMIT in DOCKER.containers['so-hydra'].ulimits %}
+      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
+    {%   endfor %}
+    {% endif %}
     - restart_policy: unless-stopped
     - watch:
       - file: hydraconfig
@@ -67,7 +73,7 @@ delete_so-hydra_so-status.disabled:
 
 wait_for_hydra:
   http.wait_for_successful_query:
-    - name: 'http://{{ GLOBALS.manager }}:4444/'
+    - name: 'http://{{ GLOBALS.manager }}:4444/health/alive'
     - ssl: True
     - verify_ssl: False
     - status:

salt/idh/enabled.sls

@@ -39,6 +39,12 @@ so-idh:
       - {{ XTRAENV }}
       {% endfor %}
     {% endif %}
+    {% if DOCKER.containers['so-idh'].ulimits %}
+    - ulimits:
+    {%   for ULIMIT in DOCKER.containers['so-idh'].ulimits %}
+      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
+    {%   endfor %}
+    {% endif %}
     - watch:
       - file: opencanary_config
     - require:

salt/idh/openssh/config.sls

@@ -3,7 +3,6 @@
 include:
   - idh.openssh
 
-{% if grains.os_family == 'RedHat' %}
 idh_sshd_selinux:
   selinux.port_policy_present:
     - port: {{ openssh_map.config.port }}
@@ -13,7 +12,6 @@ idh_sshd_selinux:
       - file: openssh_config
     - require:
       - pkg: python_selinux_mgmt_tools
-{% endif %}
 
 openssh_config:
   file.replace:

salt/idh/openssh/init.sls

@@ -16,8 +16,6 @@ openssh:
     - name: {{ openssh_map.service }}
   {% endif %}
 
-{% if grains.os_family == 'RedHat' %}
 python_selinux_mgmt_tools:
   pkg.installed:
     - name: policycoreutils-python-utils
-{% endif %}

salt/influxdb/enabled.sls

@@ -58,6 +58,12 @@ so-influxdb:
       - {{ XTRAHOST }}
       {% endfor %}
     {% endif %}
+    {% if DOCKER.containers['so-influxdb'].ulimits %}
+    - ulimits:
+    {%   for ULIMIT in DOCKER.containers['so-influxdb'].ulimits %}
+      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
+    {%   endfor %}
+    {% endif %}
     - watch:
       - file: influxdbconf
       - x509: influxdb_key

salt/kafka/enabled.sls

@@ -60,6 +60,12 @@ so-kafka:
       {% if KAFKA_EXTERNAL_ACCESS %}
       - /opt/so/conf/kafka/kafka_server_jaas.conf:/opt/kafka/config/kafka_server_jaas.conf:ro
       {% endif %}
+    {% if DOCKER.containers['so-kafka'].ulimits %}
+    - ulimits:
+    {%   for ULIMIT in DOCKER.containers['so-kafka'].ulimits %}
+      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
+    {%   endfor %}
+    {% endif %}
     - watch:
       {% for sc in ['server', 'client'] %}
       - file: kafka_kraft_{{sc}}_properties

salt/kibana/enabled.sls

@@ -51,6 +51,12 @@ so-kibana:
       {% for BINDING in DOCKER.containers['so-kibana'].port_bindings %}
       - {{ BINDING }}
       {% endfor %}
+    {% if DOCKER.containers['so-kibana'].ulimits %}
+    - ulimits:
+    {%   for ULIMIT in DOCKER.containers['so-kibana'].ulimits %}
+      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
+    {%   endfor %}
+    {% endif %}
     - watch:
       - file: kibanaconfig
 

salt/kibana/map.jinja

@@ -5,7 +5,6 @@
 
 {% from 'vars/globals.map.jinja' import GLOBALS %}
 {% import_yaml 'kibana/defaults.yaml' as KIBANADEFAULTS with context %}
-{% set HIGHLANDER = salt['pillar.get']('global:highlander', False) %}
 
 {% do KIBANADEFAULTS.kibana.config.server.update({'publicBaseUrl': 'https://' ~ GLOBALS.url_base ~ '/kibana'}) %}
 {% do KIBANADEFAULTS.kibana.config.elasticsearch.update({'hosts': ['https://' ~ GLOBALS.manager ~ ':9200']}) %}

salt/kibana/so_dashboard_load.sls

@@ -3,7 +3,6 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 
-{% set HIGHLANDER = salt['pillar.get']('global:highlander', False) %}
 include:
   - kibana.enabled
 
@@ -29,27 +28,3 @@ so-kibana-dashboard-load:
     - require:
       - sls: kibana.enabled
       - file: dashboard_saved_objects_template
-{%- if HIGHLANDER %}
-dashboard_saved_objects_template_hl:
-  file.managed:
-    - name: /opt/so/conf/kibana/hl.ndjson.template
-    - source: salt://kibana/files/hl.ndjson
-    - user: 932
-    - group: 939
-    - show_changes: False
-
-dashboard_saved_objects_hl_changes:
-  file.absent:
-    - names:
-      - /opt/so/state/kibana_hl.txt
-    - onchanges:
-      - file: dashboard_saved_objects_template_hl
-
-so-kibana-dashboard-load_hl:
-  cmd.run:
-    - name: /usr/sbin/so-kibana-config-load -i /opt/so/conf/kibana/hl.ndjson.template
-    - cwd: /opt/so
-    - require:
-      - sls: kibana.enabled
-      - file: dashboard_saved_objects_template_hl
-{%- endif %}

salt/kibana/tools/sbin_jinja/so-kibana-space-defaults

@@ -1,6 +1,5 @@
 #!/bin/bash
 . /usr/sbin/so-common
-{% set HIGHLANDER = salt['pillar.get']('global:highlander', False) %}
 wait_for_web_response "http://localhost:5601/api/spaces/space/default" "default" 300 "curl -K /opt/so/conf/elasticsearch/curl.config"
 ## This hackery will be removed if using Elastic Auth ##
 
@@ -9,10 +8,6 @@ SESSIONCOOKIE=$(curl -K /opt/so/conf/elasticsearch/curl.config -c - -X GET http:
 
 # Disable certain Features from showing up in the Kibana UI
 echo
-echo "Setting up default Space:"
-{% if HIGHLANDER %}
-curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X PUT "localhost:5601/api/spaces/space/default" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d' {"id":"default","name":"Default","disabledFeatures":["enterpriseSearch"]} ' >> /opt/so/log/kibana/misc.log
-{% else %}
+echo "Setting up default Kibana Space:"
 curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X PUT "localhost:5601/api/spaces/space/default" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d' {"id":"default","name":"Default","disabledFeatures":["ml","enterpriseSearch","logs","infrastructure","apm","uptime","monitoring","stackAlerts","actions","securitySolutionCasesV3","inventory","dataQuality","searchSynonyms","enterpriseSearchApplications","enterpriseSearchAnalytics","securitySolutionTimeline","securitySolutionNotes","entityManager"]} ' >> /opt/so/log/kibana/misc.log
-{% endif %}
 echo

salt/kratos/enabled.sls

@@ -45,6 +45,12 @@ so-kratos:
       - {{ XTRAENV }}
       {% endfor %}
     {% endif %}
+    {% if DOCKER.containers['so-kratos'].ulimits %}
+    - ulimits:
+    {%   for ULIMIT in DOCKER.containers['so-kratos'].ulimits %}
+      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
+    {%   endfor %}
+    {% endif %}
     - restart_policy: unless-stopped
     - watch:
       - file: kratosschema

salt/logstash/config.sls

@@ -36,10 +36,6 @@ logstash:
     - gid: 931
     - home: /opt/so/conf/logstash
 
-lslibdir:
-  file.absent:
-    - name: /opt/so/conf/logstash/lib
-
 logstash_sbin:
   file.recurse:
     - name: /usr/sbin

salt/logstash/enabled.sls

@@ -96,6 +96,12 @@ so-logstash:
       - {{ BIND }}
         {% endfor %}
       {% endif %}
+    {% if DOCKER.containers['so-logstash'].ulimits %}
+    - ulimits:
+    {%   for ULIMIT in DOCKER.containers['so-logstash'].ulimits %}
+      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
+    {%   endfor %}
+    {% endif %}
     - watch:
       - file: lsetcsync
       - file: trusttheca

salt/manager/init.sls

@@ -63,11 +63,9 @@ yara_log_dir:
       - user
       - group
 
-{% if GLOBALS.os_family == 'RedHat' %}
 install_createrepo:
   pkg.installed:
     - name: createrepo_c
-{% endif %}
 
 repo_conf_dir:
   file.directory:

salt/manager/tools/sbin/so-client

@@ -134,8 +134,8 @@ function require() {
 function verifyEnvironment() {
   require "jq"
   require "curl"
-  response=$(curl -Ss -L ${hydraUrl}/)
-  [[ "$response" != *"Error 404"* ]] && fail "Unable to communicate with Hydra; specify URL via HYDRA_URL environment variable"
+  response=$(curl -Ss -L ${hydraUrl}/health/alive)
+  [[ "$response" != '{"status":"ok"}' ]] && fail "Unable to communicate with Hydra; specify URL via HYDRA_URL environment variable"
 }
 
 function createFile() {

salt/manager/tools/sbin/so-minion

@@ -462,19 +462,14 @@ function add_sensor_to_minion() {
         echo "      lb_procs: '$CORECOUNT'"
         echo "suricata:"
         echo "  enabled: True "
+        echo "  pcap:"
+        echo "    enabled: True"
         if [[ $is_pcaplimit ]]; then
-            echo "  pcap:"
             echo "    maxsize: $MAX_PCAP_SPACE"
         fi
         echo "  config:"
         echo "    af-packet:"
         echo "      threads: '$CORECOUNT'"
-        echo "pcap:"
-        echo "  enabled: True"
-        if [[ $is_pcaplimit ]]; then
-            echo "  config:"
-            echo "    diskfreepercentage: $DFREEPERCENT"
-        fi
         echo "  "
     } >> $PILLARFILE
     if [ $? -ne 0 ]; then

salt/manager/tools/sbin/so-yaml.py

@@ -22,7 +22,7 @@ def showUsage(args):
     print('    removelistitem   - Remove a list item from a yaml key, if it exists and is a list. Requires KEY and LISTITEM args.', file=sys.stderr)
     print('    replacelistobject  - Replace a list object based on a condition. Requires KEY, CONDITION_FIELD, CONDITION_VALUE, and JSON_OBJECT args.', file=sys.stderr)
     print('    add              - Add a new key and set its value. Fails if key already exists. Requires KEY and VALUE args.', file=sys.stderr)
-    print('    get              - Displays (to stdout) the value stored in the given key. Requires KEY arg.', file=sys.stderr)
+    print('    get [-r]         - Displays (to stdout) the value stored in the given key. Requires KEY arg. Use -r for raw output without YAML formatting.', file=sys.stderr)
     print('    remove           - Removes a yaml key, if it exists. Requires KEY arg.', file=sys.stderr)
     print('    replace          - Replaces (or adds) a new key and set its value. Requires KEY and VALUE args.', file=sys.stderr)
     print('    help             - Prints this usage information.', file=sys.stderr)
@@ -256,7 +256,7 @@ def replacelistobject(args):
 def addKey(content, key, value):
     pieces = key.split(".", 1)
     if len(pieces) > 1:
-        if not pieces[0] in content:
+        if pieces[0] not in content or content[pieces[0]] is None:
             content[pieces[0]] = {}
         addKey(content[pieces[0]], pieces[1], value)
     elif key in content:
@@ -332,6 +332,11 @@ def getKeyValue(content, key):
 
 
 def get(args):
+    raw = False
+    if len(args) > 0 and args[0] == '-r':
+        raw = True
+        args = args[1:]
+
     if len(args) != 2:
         print('Missing filename or key arg', file=sys.stderr)
         showUsage(None)
@@ -346,7 +351,15 @@ def get(args):
         print(f"Key '{key}' not found by so-yaml.py", file=sys.stderr)
         return 2
 
-    print(yaml.safe_dump(output))
+    if raw:
+        if isinstance(output, bool):
+            print(str(output).lower())
+        elif isinstance(output, (dict, list)):
+            print(yaml.safe_dump(output).strip())
+        else:
+            print(output)
+    else:
+        print(yaml.safe_dump(output))
     return 0
 
 

salt/manager/tools/sbin/so-yaml_test.py

@@ -395,6 +395,17 @@ class TestRemove(unittest.TestCase):
             self.assertEqual(result, 0)
             self.assertIn("45\n...", mock_stdout.getvalue())
 
+    def test_get_int_raw(self):
+        with patch('sys.stdout', new=StringIO()) as mock_stdout:
+            filename = "/tmp/so-yaml_test-get.yaml"
+            file = open(filename, "w")
+            file.write("{key1: { child1: 123, child2: { deep1: 45 } }, key2: false, key3: [e,f,g]}")
+            file.close()
+
+            result = soyaml.get(["-r", filename, "key1.child2.deep1"])
+            self.assertEqual(result, 0)
+            self.assertEqual("45\n", mock_stdout.getvalue())
+
     def test_get_str(self):
         with patch('sys.stdout', new=StringIO()) as mock_stdout:
             filename = "/tmp/so-yaml_test-get.yaml"
@@ -406,6 +417,51 @@ class TestRemove(unittest.TestCase):
             self.assertEqual(result, 0)
             self.assertIn("hello\n...", mock_stdout.getvalue())
 
+    def test_get_str_raw(self):
+        with patch('sys.stdout', new=StringIO()) as mock_stdout:
+            filename = "/tmp/so-yaml_test-get.yaml"
+            file = open(filename, "w")
+            file.write("{key1: { child1: 123, child2: { deep1: \"hello\" } }, key2: false, key3: [e,f,g]}")
+            file.close()
+
+            result = soyaml.get(["-r", filename, "key1.child2.deep1"])
+            self.assertEqual(result, 0)
+            self.assertEqual("hello\n", mock_stdout.getvalue())
+
+    def test_get_bool(self):
+        with patch('sys.stdout', new=StringIO()) as mock_stdout:
+            filename = "/tmp/so-yaml_test-get.yaml"
+            file = open(filename, "w")
+            file.write("{key1: { child1: 123, child2: { deep1: 45 } }, key2: false, key3: [e,f,g]}")
+            file.close()
+
+            result = soyaml.get([filename, "key2"])
+            self.assertEqual(result, 0)
+            self.assertIn("false\n...", mock_stdout.getvalue())
+
+    def test_get_bool_raw(self):
+        with patch('sys.stdout', new=StringIO()) as mock_stdout:
+            filename = "/tmp/so-yaml_test-get.yaml"
+            file = open(filename, "w")
+            file.write("{key1: { child1: 123, child2: { deep1: 45 } }, key2: false, key3: [e,f,g]}")
+            file.close()
+
+            result = soyaml.get(["-r", filename, "key2"])
+            self.assertEqual(result, 0)
+            self.assertEqual("false\n", mock_stdout.getvalue())
+
+    def test_get_dict_raw(self):
+        with patch('sys.stdout', new=StringIO()) as mock_stdout:
+            filename = "/tmp/so-yaml_test-get.yaml"
+            file = open(filename, "w")
+            file.write("{key1: { child1: 123, child2: { deep1: 45 } }, key2: false, key3: [e,f,g]}")
+            file.close()
+
+            result = soyaml.get(["-r", filename, "key1"])
+            self.assertEqual(result, 0)
+            self.assertIn("child1: 123", mock_stdout.getvalue())
+            self.assertNotIn("...", mock_stdout.getvalue())
+
     def test_get_list(self):
         with patch('sys.stdout', new=StringIO()) as mock_stdout:
             filename = "/tmp/so-yaml_test-get.yaml"

salt/nginx/enabled.sls

@@ -75,6 +75,12 @@ so-nginx:
       - {{ XTRAENV }}
       {% endfor %}
     {% endif %}
+    {% if DOCKER.containers[container_config].ulimits %}
+    - ulimits:
+    {%   for ULIMIT in DOCKER.containers[container_config].ulimits %}
+      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
+    {%   endfor %}
+    {% endif %}
     - cap_add: NET_BIND_SERVICE
     - port_bindings:
       {% for BINDING in DOCKER.containers[container_config].port_bindings %}

salt/nginx/etc/nginx.conf

@@ -387,15 +387,13 @@ http {
 		error_page 429 = @error429;
 
 		location @error401 {
-			if ($request_uri ~* (^/connect/.*|^/oauth2/.*)) {
+			if ($request_uri ~* (^/api/.*|^/connect/.*|^/oauth2/.*)) {
 				return    401;
 			}
 
-			if ($request_uri ~* ^/(?!(^/api/.*))) {
-				add_header    Strict-Transport-Security   "max-age=31536000; includeSubDomains";
-			}
+			add_header    Strict-Transport-Security   "max-age=31536000; includeSubDomains";
 
-			if ($request_uri ~* ^/(?!(api/|login|auth|oauth2|$))) {
+			if ($request_uri ~* ^/(?!(login|auth|oauth2|$))) {
 				add_header    Set-Cookie "AUTH_REDIRECT=$request_uri;Path=/;Max-Age=14400";
 			}
 			return        302 /auth/self-service/login/browser;

salt/ntp/init.sls

@@ -2,7 +2,6 @@
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
-{% from 'vars/globals.map.jinja' import GLOBALS %}
 {% from 'ntp/config.map.jinja' import NTPCONFIG %}
 
 chrony_pkg:
@@ -17,11 +16,7 @@ chronyconf:
     - defaults:
         NTPCONFIG: {{ NTPCONFIG }}
 
-{% if GLOBALS.os_family == 'RedHat' %}
 chronyd:
-{% else %}
-chrony:
-{% endif %}
   service.running:
     - enable: True
     - watch: 

salt/pcap/cleanup.sls

@@ -0,0 +1,59 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'vars/globals.map.jinja' import GLOBALS %}
+
+{% if GLOBALS.is_sensor %}
+
+delete_so-steno_so-status.conf:
+  file.line:
+    - name: /opt/so/conf/so-status/so-status.conf
+    - mode: delete
+    - match: so-steno
+
+remove_stenographer_user:
+  user.absent:
+    - name: stenographer
+    - force: True
+
+remove_stenographer_log_dir:
+  file.absent:
+    - name: /opt/so/log/stenographer
+
+remove_stenoloss_script:
+  file.absent:
+    - name: /opt/so/conf/telegraf/scripts/stenoloss.sh
+
+remove_steno_conf_dir:
+  file.absent:
+    - name: /opt/so/conf/steno
+
+remove_so_pcap_export:
+  file.absent:
+    - name: /usr/sbin/so-pcap-export
+
+remove_so_pcap_restart:
+  file.absent:
+    - name: /usr/sbin/so-pcap-restart
+
+remove_so_pcap_start:
+  file.absent:
+    - name: /usr/sbin/so-pcap-start
+
+remove_so_pcap_stop:
+  file.absent:
+    - name: /usr/sbin/so-pcap-stop
+
+so-steno:
+  docker_container.absent:
+    - force: True
+
+{% else %}
+
+{{sls}}.non_sensor_node:
+  test.show_notification:
+    - text: "Stenographer cleanup not applicable on non-sensor nodes."
+
+{% endif %}

salt/podman/files/podman.service

@@ -1,17 +0,0 @@
-[Unit]
-Description=Podman API Service
-Requires=podman.socket
-After=podman.socket
-Documentation=man:podman-api(1)
-StartLimitIntervalSec=0
-
-[Service]
-Type=oneshot
-Environment=REGISTRIES_CONFIG_PATH=/etc/containers/registries.conf
-ExecStart=/usr/bin/podman system service
-TimeoutStopSec=30
-KillMode=process
-
-[Install]
-WantedBy=multi-user.target
-Also=podman.socket

salt/podman/files/podman.socket

@@ -1,10 +0,0 @@
-[Unit]
-Description=Podman API Socket
-Documentation=man:podman-api(1)
-
-[Socket]
-ListenStream=%t/podman/podman.sock
-SocketMode=0660
-
-[Install]
-WantedBy=sockets.target

salt/podman/files/sobridge.conflist

@@ -1,48 +0,0 @@
-{
-   "args": {
-      "podman_options": {
-         "isolate": "true",
-         "mtu": "1500"
-      }
-   },
-   "cniVersion": "0.4.0",
-   "name": "sobridge",
-   "plugins": [
-      {
-         "type": "bridge",
-         "bridge": "sobridge",
-         "isGateway": true,
-         "ipMasq": false,
-         "mtu": 1500,
-         "hairpinMode": false,
-         "ipam": {
-            "type": "host-local",
-            "routes": [
-               {
-                  "dst": "0.0.0.0/0"
-               }
-            ],
-            "ranges": [
-               [
-                  {
-                     "subnet": "172.17.1.0/24",
-                     "gateway": "172.17.1.1"
-                  }
-               ]
-            ]
-         },
-         "capabilities": {
-            "ips": true
-         }
-      },
-      {
-         "type": "portmap",
-         "capabilities": {
-            "portMappings": false
-         }
-      },
-      {
-         "type": "tuning"
-      }
-   ]
-}

salt/podman/init.sls

@@ -1,56 +0,0 @@
-{% from 'docker/docker.map.jinja' import DOCKER %}
-
-Podman pkg:
-  pkg.installed:
-    - name: podman
-
-cnipkg:
-  pkg.installed:
-    - name: containernetworking-plugins
-
-{#
-Podman service:
-  file.managed:
-    - name: /usr/lib/systemd/system/podman.service
-    - source: salt://podman/podman.service
-#}
-
-sobridgeconf:
-  file.managed:
-    - name: /etc/cni/net.d/sobridge.conflist
-    - source: salt://podman/files/sobridge.conflist
-
-Podman_socket_service:
-  service.running:
-    - name: podman.socket
-    - enable: true
-
-Podman_service:
-  service.running:
-    - name: podman.service
-    - enable: true
-
-Docker socket:
-  file.symlink:
-    - name: /var/run/docker.sock
-    - target: /var/run/podman/podman.sock
-
-podman_docker_symlink:
-  file.symlink:
-    - name: /usr/bin/docker
-    - target: /usr/bin/podman
-
-{#
-sos_docker_net:
-  docker_network.present:
-    - name: sobridge
-    - subnet: {{ DOCKER.range }}
-    - gateway: {{ DOCKER.bip }}
-    - options:
-        com.docker.network.bridge.name: 'sobridge'
-        com.docker.network.driver.mtu: '1500'
-        com.docker.network.bridge.enable_ip_masquerade: 'true'
-        com.docker.network.bridge.enable_icc: 'true'
-        com.docker.network.bridge.host_binding_ipv4: '0.0.0.0'
-    - unless: 'docker network ls | grep sobridge'
-#}

salt/redis/enabled.sls

@@ -51,6 +51,12 @@ so-redis:
       - {{ XTRAENV }}
       {% endfor %}
     {% endif %}
+    {% if DOCKER.containers['so-redis'].ulimits %}
+    - ulimits:
+    {%   for ULIMIT in DOCKER.containers['so-redis'].ulimits %}
+      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
+    {%   endfor %}
+    {% endif %}
     - entrypoint: "redis-server /usr/local/etc/redis/redis.conf"
     - watch:
       - file: trusttheca

salt/registry/enabled.sls

@@ -51,6 +51,12 @@ so-dockerregistry:
       - {{ XTRAENV }}
         {% endfor %}
       {% endif %}
+    {% if DOCKER.containers['so-dockerregistry'].ulimits %}
+    - ulimits:
+    {%   for ULIMIT in DOCKER.containers['so-dockerregistry'].ulimits %}
+      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
+    {%   endfor %}
+    {% endif %}
     - retry:
         attempts: 5
         interval: 30

salt/repo/client/map.jinja

@@ -1,43 +1,29 @@
-{% from 'vars/globals.map.jinja' import GLOBALS %}
-
-{% if GLOBALS.os_family == 'RedHat' %}
-  {% set REPOPATH = '/etc/yum.repos.d/' %}
-{%     if GLOBALS.os == 'OEL' %}
-  {% set ABSENTFILES = [
-         'centos-addons.repo',
-         'centos-devel.repo',
-         'centos-extras.repo',
-         'centos.repo',
-         'docker-ce.repo',
-         'epel.repo',
-         'epel-testing.repo',
-         'saltstack.repo',
-         'salt-latest.repo',
-         'wazuh.repo'
-         'Rocky-Base.repo',
-         'Rocky-CR.repo',
-         'Rocky-Debuginfo.repo',
-         'Rocky-fasttrack.repo',
-         'Rocky-Media.repo',
-         'Rocky-Sources.repo',
-         'Rocky-Vault.repo',
-         'Rocky-x86_64-kernel.repo',
-         'rocky-addons.repo',
-         'rocky-devel.repo',
-         'rocky-extras.repo',
-         'rocky.repo',
-         'oracle-linux-ol9.repo',
-         'uek-ol9.repo',
-         'virt-ol9.repo'
-       ]
-  %}
-{%     else %}
-  {% set ABSENTFILES = [] %}
-{%    endif %}
-
-{% else %}
-
-  {% set REPOPATH = '/etc/apt/sources.list.d/' %}
-  {% set ABSENTFILES = [] %}
-
-{% endif %}
+{% set REPOPATH = '/etc/yum.repos.d/' %}
+{% set ABSENTFILES = [
+       'centos-addons.repo',
+       'centos-devel.repo',
+       'centos-extras.repo',
+       'centos.repo',
+       'docker-ce.repo',
+       'epel.repo',
+       'epel-testing.repo',
+       'saltstack.repo',
+       'salt-latest.repo',
+       'wazuh.repo'
+       'Rocky-Base.repo',
+       'Rocky-CR.repo',
+       'Rocky-Debuginfo.repo',
+       'Rocky-fasttrack.repo',
+       'Rocky-Media.repo',
+       'Rocky-Sources.repo',
+       'Rocky-Vault.repo',
+       'Rocky-x86_64-kernel.repo',
+       'rocky-addons.repo',
+       'rocky-devel.repo',
+       'rocky-extras.repo',
+       'rocky.repo',
+       'oracle-linux-ol9.repo',
+       'uek-ol9.repo',
+       'virt-ol9.repo'
+     ]
+%}

salt/salt/cloud/cloud.profiles.d/socloud.conf.jinja

@@ -29,7 +29,11 @@ sool9_{{host}}:
     hypervisor_host: {{host ~ "_" ~ role}}
   preflight_cmds:
     - |
-      tee -a /etc/hosts <<< "{{ MANAGERIP }}    {{ MANAGERHOSTNAME }}"
+      {%- set hostnames = [MANAGERHOSTNAME] %}
+      {%- if not (URL_BASE | ipaddr) and URL_BASE != MANAGERHOSTNAME %}
+      {%-   do hostnames.append(URL_BASE) %}
+      {%- endif %}
+      tee -a /etc/hosts <<< "{{ MANAGERIP }}    {{ hostnames | join('  ') }}"
     - |
       timeout 600 bash -c 'trap "echo \"Preflight Check: Failed to establish repo connectivity\"; exit 1" TERM; \
         while ! dnf makecache --repoid=securityonion >/dev/null 2>&1; do echo "Preflight Check: Waiting for repo connectivity..."; \

salt/salt/cloud/config.sls

@@ -14,6 +14,7 @@
 {%   if 'vrt' in salt['pillar.get']('features', []) %}
 {%     set HYPERVISORS = salt['pillar.get']('hypervisor:nodes', {} ) %}
 {%     from 'salt/map.jinja' import SALTVERSION %}
+{%     from 'vars/globals.map.jinja' import GLOBALS %}
 
 {%     if HYPERVISORS %}
 cloud_providers:
@@ -34,6 +35,7 @@ cloud_profiles:
         MANAGERHOSTNAME: {{ grains.host }}
         MANAGERIP: {{ pillar.host.mainip }}
         SALTVERSION: {{ SALTVERSION }}
+        URL_BASE: {{ GLOBALS.url_base }}
     - template: jinja
     - makedirs: True
 {%     else %}

salt/salt/engines/master/virtual_node_manager.py

@@ -805,11 +805,6 @@ def process_vm_creation(hypervisor_path: str, vm_config: dict) -> None:
                     mark_invalid_hardware(hypervisor_path, vm_name, vm_config,
                                         {'nsm_size': 'Invalid nsm_size: must be positive integer'})
                     return
-                if size > 10000:  # 10TB reasonable maximum
-                    log.error("VM: %s - nsm_size %dGB exceeds reasonable maximum (10000GB)", vm_name, size)
-                    mark_invalid_hardware(hypervisor_path, vm_name, vm_config,
-                                        {'nsm_size': f'Invalid nsm_size: {size}GB exceeds maximum (10000GB)'})
-                    return
                 log.debug("VM: %s - nsm_size validated: %dGB", vm_name, size)
             except (ValueError, TypeError) as e:
                 log.error("VM: %s - nsm_size must be a valid integer, got: %s", vm_name, vm_config.get('nsm_size'))

salt/salt/init.sls

@@ -1,10 +1,3 @@
-{% if grains.oscodename == 'focal' %}
-saltpymodules:
-  pkg.installed:
-    - pkgs:
-      - python3-docker
-{% endif %}
-
 # distribute to minions for salt upgrades
 salt_bootstrap:
   file.managed:

salt/salt/map.jinja

@@ -17,22 +17,12 @@
 {% set SALTVERSION = saltminion.salt.minion.version | string %}
 {% set INSTALLEDSALTVERSION = grains.saltversion | string %}
 
-{% if grains.os_family == 'Debian' %}
-  {% set SPLITCHAR = '+' %}
-  {% set SALTPACKAGES = ['salt-common', 'salt-master', 'salt-minion', 'salt-cloud'] %}
-  {% set SYSTEMD_UNIT_FILE = '/lib/systemd/system/salt-minion.service' %}
-{% else %}
-  {% set SPLITCHAR = '-' %}
-  {% set SALTPACKAGES = ['salt', 'salt-master', 'salt-minion', 'salt-cloud'] %}
-  {% set SYSTEMD_UNIT_FILE = '/usr/lib/systemd/system/salt-minion.service' %}
-{% endif %}
+{% set SPLITCHAR = '-' %}
+{% set SALTPACKAGES = ['salt', 'salt-master', 'salt-minion', 'salt-cloud'] %}
+{% set SYSTEMD_UNIT_FILE = '/usr/lib/systemd/system/salt-minion.service' %}
 
 {% if INSTALLEDSALTVERSION != SALTVERSION %}
-  {% if grains.os_family|lower == 'redhat' %}
-      {% set UPGRADECOMMAND = 'yum clean all ; /usr/sbin/bootstrap-salt.sh -X -r -F stable ' ~ SALTVERSION %}
-  {% elif grains.os_family|lower == 'debian' %}
-    {% set UPGRADECOMMAND = '/usr/sbin/bootstrap-salt.sh -X -F stable ' ~ SALTVERSION %}
-  {% endif %}
+  {% set UPGRADECOMMAND = 'yum clean all ; /usr/sbin/bootstrap-salt.sh -X -r -F stable ' ~ SALTVERSION %}
 {% else %}
   {% set UPGRADECOMMAND = 'echo Already running Salt Minion version ' ~ SALTVERSION %}
 {% endif %}

salt/salt/master.sls

@@ -23,15 +23,6 @@ sync_runners:
     - name: saltutil.sync_runners
 {% endif %}
 
-# prior to 2.4.30 this engine ran on the manager with salt-minion
-# this has changed to running with the salt-master in 2.4.30
-remove_engines_config:
-  file.absent:
-    - name: /etc/salt/minion.d/engines.conf
-    - source: salt://salt/files/engines.conf
-    - watch_in:
-      - service: salt_minion_service
-
 checkmine_engine:
   file.managed:
     - name: /etc/salt/engines/checkmine.py

salt/sensoroni/enabled.sls

@@ -40,6 +40,12 @@ so-sensoroni:
       - {{ XTRAENV }}
       {% endfor %}
     {% endif %}
+    {% if DOCKER.containers['so-sensoroni'].ulimits %}
+    - ulimits:
+    {%   for ULIMIT in DOCKER.containers['so-sensoroni'].ulimits %}
+      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
+    {%   endfor %}
+    {% endif %}
     - watch:
       - file: /opt/so/conf/sensoroni/sensoroni.json
     - require: