Add support for websockets

add yes/no to true/false conversion for suricata to soup postupgrade

salt/common/files/daemon.json

@@ -1,19 +0,0 @@
-{
-  "registry-mirrors": [
-    "https://:5000"
-  ],
-  "bip": "172.17.0.1/24",
-  "default-address-pools": [
-    {
-      "base": "172.17.0.0/24",
-      "size": 24
-    }
-  ],
-  "default-ulimits": {
-      "nofile": {
-        "Name": "nofile",
-        "Soft": 1048576,
-        "Hard": 1048576
-      }
-  }
-}

salt/common/tools/sbin/so-common

@@ -545,6 +545,22 @@ retry() {
         return $exitcode
 }
 
+rollover_index() {
+  idx=$1
+  exists=$(so-elasticsearch-query $idx -o /dev/null -w "%{http_code}")
+  if [[ $exists -eq 200 ]]; then
+    rollover=$(so-elasticsearch-query $idx/_rollover -o /dev/null -w "%{http_code}" -XPOST)
+
+    if [[ $rollover -eq 200 ]]; then
+      echo "Successfully triggered rollover for $idx..."
+    else
+      echo "Could not trigger rollover for $idx..."
+    fi
+  else
+    echo "Could not find index $idx..."
+  fi
+}
+
 run_check_net_err() {
 	local cmd=$1
 	local err_msg=${2:-"Unknown error occured, please check /root/$WHATWOULDYOUSAYYAHDOHERE.log for details."} # Really need to rename that variable

salt/docker/defaults.yaml

@@ -1,6 +1,10 @@
 docker:
   range: '172.17.1.0/24'
   gateway: '172.17.1.1'
+  ulimits:
+    - name: nofile
+      soft: 1048576
+      hard: 1048576
   containers:
     'so-dockerregistry':
       final_octet: 20
@@ -9,6 +13,7 @@ docker:
       custom_bind_mounts: []
       extra_hosts: []
       extra_env: []
+      ulimits: []
     'so-elastic-fleet':
       final_octet: 21
       port_bindings:
@@ -16,6 +21,7 @@ docker:
       custom_bind_mounts: []
       extra_hosts: []
       extra_env: []
+      ulimits: []
     'so-elasticsearch':
       final_octet: 22
       port_bindings:
@@ -24,6 +30,16 @@ docker:
       custom_bind_mounts: []
       extra_hosts: []
       extra_env: []
+      ulimits:
+        - name: memlock
+          soft: -1
+          hard: -1
+        - name: nofile
+          soft: 65536
+          hard: 65536
+        - name: nproc
+          soft: 4096
+          hard: 4096
     'so-influxdb':
       final_octet: 26
       port_bindings:
@@ -31,6 +47,7 @@ docker:
       custom_bind_mounts: []
       extra_hosts: []
       extra_env: []
+      ulimits: []
     'so-kibana':
       final_octet: 27
       port_bindings:
@@ -38,6 +55,7 @@ docker:
       custom_bind_mounts: []
       extra_hosts: []
       extra_env: []
+      ulimits: []
     'so-kratos':
       final_octet: 28
       port_bindings:
@@ -46,6 +64,7 @@ docker:
       custom_bind_mounts: []
       extra_hosts: []
       extra_env: []
+      ulimits: []
     'so-hydra':
       final_octet: 30
       port_bindings:
@@ -54,6 +73,7 @@ docker:
       custom_bind_mounts: []
       extra_hosts: []
       extra_env: []
+      ulimits: []
     'so-logstash':
       final_octet: 29
       port_bindings:
@@ -70,6 +90,7 @@ docker:
       custom_bind_mounts: []
       extra_hosts: []
       extra_env: []
+      ulimits: []
     'so-nginx':
       final_octet: 31
       port_bindings:
@@ -81,6 +102,7 @@ docker:
       custom_bind_mounts: []
       extra_hosts: []
       extra_env: []
+      ulimits: []
     'so-nginx-fleet-node':
       final_octet: 31
       port_bindings:
@@ -88,6 +110,7 @@ docker:
       custom_bind_mounts: []
       extra_hosts: []
       extra_env: []
+      ulimits: []
     'so-redis':
       final_octet: 33
       port_bindings:
@@ -96,11 +119,13 @@ docker:
       custom_bind_mounts: []
       extra_hosts: []
       extra_env: []
+      ulimits: []
     'so-sensoroni':
       final_octet: 99
       custom_bind_mounts: []
       extra_hosts: []
       extra_env: []
+      ulimits: []
     'so-soc':
       final_octet: 34
       port_bindings:
@@ -108,16 +133,19 @@ docker:
       custom_bind_mounts: []
       extra_hosts: []
       extra_env: []
+      ulimits: []
     'so-strelka-backend':
       final_octet: 36
       custom_bind_mounts: []
       extra_hosts: []
       extra_env: []
+      ulimits: []
     'so-strelka-filestream':
       final_octet: 37
       custom_bind_mounts: []
       extra_hosts: []
       extra_env: []
+      ulimits: []
     'so-strelka-frontend':
       final_octet: 38
       port_bindings:
@@ -125,11 +153,13 @@ docker:
       custom_bind_mounts: []
       extra_hosts: []
       extra_env: []
+      ulimits: []
     'so-strelka-manager':
       final_octet: 39
       custom_bind_mounts: []
       extra_hosts: []
       extra_env: []
+      ulimits: []
     'so-strelka-gatekeeper':
       final_octet: 40
       port_bindings:
@@ -137,6 +167,7 @@ docker:
       custom_bind_mounts: []
       extra_hosts: []
       extra_env: []
+      ulimits: []
     'so-strelka-coordinator':
       final_octet: 41
       port_bindings:
@@ -144,11 +175,13 @@ docker:
       custom_bind_mounts: []
       extra_hosts: []
       extra_env: []
+      ulimits: []
     'so-elastalert':
       final_octet: 42
       custom_bind_mounts: []
       extra_hosts: []
       extra_env: []
+      ulimits: []
     'so-elastic-fleet-package-registry':
       final_octet: 44
       port_bindings:
@@ -156,11 +189,13 @@ docker:
       custom_bind_mounts: []
       extra_hosts: []
       extra_env: []
+      ulimits: []
     'so-idh':
       final_octet: 45
       custom_bind_mounts: []
       extra_hosts: []
       extra_env: []
+      ulimits: []
     'so-elastic-agent':
       final_octet: 46
       port_bindings:
@@ -169,23 +204,28 @@ docker:
       custom_bind_mounts: []
       extra_hosts: []
       extra_env: []
+      ulimits: []
     'so-telegraf':
       final_octet: 99
       custom_bind_mounts: []
       extra_hosts: []
       extra_env: []
+      ulimits: []
     'so-suricata':
       final_octet: 99
       custom_bind_mounts: []
       extra_hosts: []
       extra_env: []
-      ulimits:
-        - memlock=524288000
+      ulimits: []
     'so-zeek':
       final_octet: 99
       custom_bind_mounts: []
       extra_hosts: []
       extra_env: []
+      ulimits:
+        - name: core
+          soft: 0
+          hard: 0
     'so-kafka':
       final_octet: 88
       port_bindings:
@@ -196,3 +236,4 @@ docker:
       custom_bind_mounts: []
       extra_hosts: []
       extra_env: []
+      ulimits: []

salt/docker/docker.map.jinja

@@ -1,8 +1,8 @@
 {% import_yaml 'docker/defaults.yaml' as DOCKERDEFAULTS %}
-{% set DOCKER = salt['pillar.get']('docker', DOCKERDEFAULTS.docker, merge=True) %}
-{% set RANGESPLIT = DOCKER.range.split('.') %}
+{% set DOCKERMERGED = salt['pillar.get']('docker', DOCKERDEFAULTS.docker, merge=True) %}
+{% set RANGESPLIT = DOCKERMERGED.range.split('.') %}
 {% set FIRSTTHREE = RANGESPLIT[0] ~ '.' ~ RANGESPLIT[1] ~ '.' ~ RANGESPLIT[2] ~ '.' %}
 
-{% for container, vals in DOCKER.containers.items() %}
-{%   do DOCKER.containers[container].update({'ip': FIRSTTHREE ~ DOCKER.containers[container].final_octet}) %}
+{% for container, vals in DOCKERMERGED.containers.items() %}
+{%   do DOCKERMERGED.containers[container].update({'ip': FIRSTTHREE ~ DOCKERMERGED.containers[container].final_octet}) %}
 {% endfor %}

salt/docker/files/daemon.json.jinja

@@ -0,0 +1,24 @@
+{% from 'docker/docker.map.jinja' import DOCKERMERGED -%}
+{
+  "registry-mirrors": [
+    "https://:5000"
+  ],
+  "bip": "172.17.0.1/24",
+  "default-address-pools": [
+    {
+      "base": "172.17.0.0/24",
+      "size": 24
+    }
+  ]
+{%- if DOCKERMERGED.ulimits %},
+  "default-ulimits": {
+{%-   for ULIMIT in DOCKERMERGED.ulimits %}
+      "{{ ULIMIT.name }}": {
+        "Name": "{{ ULIMIT.name }}",
+        "Soft": {{ ULIMIT.soft }},
+        "Hard": {{ ULIMIT.hard }}
+      }{{ "," if not loop.last else "" }}
+{%-   endfor %}
+  }
+{%- endif %}
+}

salt/docker/init.sls

@@ -3,7 +3,7 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 
-{% from 'docker/docker.map.jinja' import DOCKER %}
+{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
 {% from 'vars/globals.map.jinja' import GLOBALS %}
 
 # docker service requires the ca.crt
@@ -41,10 +41,9 @@ dockeretc:
   file.directory:
     - name: /etc/docker
 
-# Manager daemon.json
 docker_daemon:
   file.managed:
-    - source: salt://common/files/daemon.json
+    - source: salt://docker/files/daemon.json.jinja
     - name: /etc/docker/daemon.json
     - template: jinja 
 
@@ -75,8 +74,8 @@ dockerreserveports:
 sos_docker_net:
   docker_network.present:
     - name: sobridge
-    - subnet: {{ DOCKER.range }}
-    - gateway: {{ DOCKER.gateway }}
+    - subnet: {{ DOCKERMERGED.range }}
+    - gateway: {{ DOCKERMERGED.gateway }}
     - options:
         com.docker.network.bridge.name: 'sobridge'
         com.docker.network.driver.mtu: '1500'

salt/docker/soc_docker.yaml

@@ -7,6 +7,25 @@ docker:
     description: Default docker IP range for containers.
     helpLink: docker
     advanced: True
+  ulimits:
+    description: |
+      Default ulimit settings applied to all containers via the Docker daemon. Each entry specifies a resource name (e.g. nofile, memlock, core, nproc) with soft and hard limits. Individual container ulimits override these defaults. Valid resource names include: cpu, fsize, data, stack, core, rss, nproc, nofile, memlock, as, locks, sigpending, msgqueue, nice, rtprio, rttime.
+    forcedType: "[]{}"
+    syntax: json
+    advanced: True
+    helpLink: docker.html
+    uiElements:
+    - field: name
+      label: Resource Name
+      required: True
+      regex: ^(cpu|fsize|data|stack|core|rss|nproc|nofile|memlock|as|locks|sigpending|msgqueue|nice|rtprio|rttime)$
+      regexFailureMessage: You must enter a valid ulimit name (cpu, fsize, data, stack, core, rss, nproc, nofile, memlock, as, locks, sigpending, msgqueue, nice, rtprio, rttime).
+    - field: soft
+      label: Soft Limit
+      forcedType: int
+    - field: hard
+      label: Hard Limit
+      forcedType: int
   containers:
     so-dockerregistry: &dockerOptions
       final_octet:
@@ -39,6 +58,25 @@ docker:
         helpLink: docker
         multiline: True
         forcedType: "[]string"
+      ulimits:
+        description: |
+          Ulimit settings for the container. Each entry specifies a resource name (e.g. nofile, memlock, core, nproc) with optional soft and hard limits. Valid resource names include: cpu, fsize, data, stack, core, rss, nproc, nofile, memlock, as, locks, sigpending, msgqueue, nice, rtprio, rttime.
+        advanced: True
+        helpLink: docker.html
+        forcedType: "[]{}"
+        syntax: json
+        uiElements:
+        - field: name
+          label: Resource Name
+          required: True
+          regex: ^(cpu|fsize|data|stack|core|rss|nproc|nofile|memlock|as|locks|sigpending|msgqueue|nice|rtprio|rttime)$
+          regexFailureMessage: You must enter a valid ulimit name (cpu, fsize, data, stack, core, rss, nproc, nofile, memlock, as, locks, sigpending, msgqueue, nice, rtprio, rttime).
+        - field: soft
+          label: Soft Limit
+          forcedType: int
+        - field: hard
+          label: Hard Limit
+          forcedType: int
     so-elastic-fleet: *dockerOptions
     so-elasticsearch: *dockerOptions
     so-influxdb: *dockerOptions
@@ -62,42 +100,6 @@ docker:
     so-idh: *dockerOptions
     so-elastic-agent: *dockerOptions
     so-telegraf: *dockerOptions
-    so-suricata:
-      final_octet:
-        description: Last octet of the container IP address.
-        helpLink: docker
-        readonly: True
-        advanced: True
-        global: True
-      port_bindings:
-        description: List of port bindings for the container.
-        helpLink: docker
-        advanced: True
-        multiline: True
-        forcedType: "[]string"
-      custom_bind_mounts:
-        description: List of custom local volume bindings.
-        advanced: True
-        helpLink: docker
-        multiline: True
-        forcedType: "[]string"
-      extra_hosts:
-        description: List of additional host entries for the container.
-        advanced: True
-        helpLink: docker
-        multiline: True
-        forcedType: "[]string"
-      extra_env:
-        description: List of additional ENV entries for the container.
-        advanced: True
-        helpLink: docker
-        multiline: True
-        forcedType: "[]string"
-      ulimits:
-        description: Ulimits for the container, in bytes.
-        advanced: True
-        helpLink: docker
-        multiline: True
-        forcedType: "[]string"
+    so-suricata: *dockerOptions
     so-zeek: *dockerOptions
     so-kafka: *dockerOptions

salt/elastalert/enabled.sls

@@ -6,7 +6,7 @@
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
 {%   from 'vars/globals.map.jinja' import GLOBALS %}
-{%   from 'docker/docker.map.jinja' import DOCKER %}
+{%   from 'docker/docker.map.jinja' import DOCKERMERGED %}
 
 include:
   - elastalert.config
@@ -24,7 +24,7 @@ so-elastalert:
     - user: so-elastalert
     - networks:
       - sobridge:
-        - ipv4_address: {{ DOCKER.containers['so-elastalert'].ip }}
+        - ipv4_address: {{ DOCKERMERGED.containers['so-elastalert'].ip }}
     - detach: True
     - binds:
       - /opt/so/rules/elastalert:/opt/elastalert/rules/:ro
@@ -33,24 +33,30 @@ so-elastalert:
       - /opt/so/conf/elastalert/predefined/:/opt/elastalert/predefined/:ro
       - /opt/so/conf/elastalert/custom/:/opt/elastalert/custom/:ro
       - /opt/so/conf/elastalert/elastalert_config.yaml:/opt/elastalert/config.yaml:ro
-      {% if DOCKER.containers['so-elastalert'].custom_bind_mounts %}
-        {% for BIND in DOCKER.containers['so-elastalert'].custom_bind_mounts %}
+      {% if DOCKERMERGED.containers['so-elastalert'].custom_bind_mounts %}
+        {% for BIND in DOCKERMERGED.containers['so-elastalert'].custom_bind_mounts %}
       - {{ BIND }}
         {% endfor %}
       {% endif %}
     - extra_hosts:
       - {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }}
-      {% if DOCKER.containers['so-elastalert'].extra_hosts %}
-        {% for XTRAHOST in DOCKER.containers['so-elastalert'].extra_hosts %}
+      {% if DOCKERMERGED.containers['so-elastalert'].extra_hosts %}
+        {% for XTRAHOST in DOCKERMERGED.containers['so-elastalert'].extra_hosts %}
       - {{ XTRAHOST }}
         {% endfor %}
       {% endif %}
-      {% if DOCKER.containers['so-elastalert'].extra_env %}
+      {% if DOCKERMERGED.containers['so-elastalert'].extra_env %}
     - environment:
-        {% for XTRAENV in DOCKER.containers['so-elastalert'].extra_env %}
+        {% for XTRAENV in DOCKERMERGED.containers['so-elastalert'].extra_env %}
       - {{ XTRAENV }}
         {% endfor %}
       {% endif %}
+    {% if DOCKERMERGED.containers['so-elastalert'].ulimits %}
+    - ulimits:
+    {%   for ULIMIT in DOCKERMERGED.containers['so-elastalert'].ulimits %}
+      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
+    {%   endfor %}
+    {% endif %}
     - require:
       - cmd: wait_for_elasticsearch
       - file: elastarules

salt/elastalert/soc_elastalert.yaml

@@ -1,6 +1,7 @@
 elastalert:
   enabled:
     description: Enables or disables the ElastAlert 2 process. This process is critical for ensuring alerts arrive in SOC, and for outbound notification delivery.
+    forcedType: bool
     helpLink: elastalert
   alerter_parameters:
     title: Custom Configuration Parameters
@@ -96,8 +97,15 @@ elastalert:
         file: True
         helpLink: elastalert
   config:
+    scan_subdirectories:
+      description: Recursively scan subdirectories for rules.
+      forcedType: bool
+      advanced: True
+      global: True
+      helpLink: elastalert
     disable_rules_on_error:
       description: Disable rules on failure.
+      forcedType: bool
       global: True
       helpLink: elastalert
     run_every:
@@ -123,6 +131,18 @@ elastalert:
       description: The maximum number of documents that will be returned from Elasticsearch in a single query.
       global: True
       helpLink: elastalert
+    use_ssl:
+      description: Use SSL to connect to Elasticsearch.
+      forcedType: bool
+      advanced: True
+      global: True
+      helpLink: elastalert
+    verify_certs:
+      description: Verify TLS certificates when connecting to Elasticsearch.
+      forcedType: bool
+      advanced: True
+      global: True
+      helpLink: elastalert
     alert_time_limit:
       days:
         description: The retry window for failed alerts.
@@ -137,3 +157,24 @@ elastalert:
         description: The number of replicas for elastalert indices.
         global: True
         helpLink: elastalert
+    logging:
+      incremental:
+        description: When incremental is false (the default), the logging configuration is applied in full, replacing any existing logging setup. When true, only the level attributes of existing loggers and handlers are updated, leaving the rest of the logging configuration unchanged.
+        forcedType: bool
+        advanced: True
+        global: True
+        helpLink: elastalert
+      disable_existing_loggers:
+        description: Disable existing loggers.
+        forcedType: bool
+        advanced: True
+        global: True
+        helpLink: elastalert
+      loggers:
+        '':
+          propagate:
+            description: Propagate log messages to parent loggers.
+            forcedType: bool
+            advanced: True
+            global: True
+            helpLink: elastalert

salt/elastic-fleet-package-registry/enabled.sls

@@ -6,7 +6,7 @@
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
 {%   from 'vars/globals.map.jinja' import GLOBALS %}
-{%   from 'docker/docker.map.jinja' import DOCKER %}
+{%   from 'docker/docker.map.jinja' import DOCKERMERGED %}
 
 include:
   - elastic-fleet-package-registry.config
@@ -21,30 +21,36 @@ so-elastic-fleet-package-registry:
     - user: 948
     - networks:
       - sobridge:
-        - ipv4_address: {{ DOCKER.containers['so-elastic-fleet-package-registry'].ip }}
+        - ipv4_address: {{ DOCKERMERGED.containers['so-elastic-fleet-package-registry'].ip }}
     - extra_hosts:
         - {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
-        {% if DOCKER.containers['so-elastic-fleet-package-registry'].extra_hosts %}
-          {% for XTRAHOST in DOCKER.containers['so-elastic-fleet-package-registry'].extra_hosts %}
+        {% if DOCKERMERGED.containers['so-elastic-fleet-package-registry'].extra_hosts %}
+          {% for XTRAHOST in DOCKERMERGED.containers['so-elastic-fleet-package-registry'].extra_hosts %}
         - {{ XTRAHOST }}
           {% endfor %}
         {% endif %}
     - port_bindings:
-      {% for BINDING in DOCKER.containers['so-elastic-fleet-package-registry'].port_bindings %}
+      {% for BINDING in DOCKERMERGED.containers['so-elastic-fleet-package-registry'].port_bindings %}
       - {{ BINDING }}
       {% endfor %}
-    {% if DOCKER.containers['so-elastic-fleet-package-registry'].custom_bind_mounts %}
+    {% if DOCKERMERGED.containers['so-elastic-fleet-package-registry'].custom_bind_mounts %}
     - binds:
-        {% for BIND in DOCKER.containers['so-elastic-fleet-package-registry'].custom_bind_mounts %}
+        {% for BIND in DOCKERMERGED.containers['so-elastic-fleet-package-registry'].custom_bind_mounts %}
       - {{ BIND }}
         {% endfor %}
     {% endif %}
-    {% if DOCKER.containers['so-elastic-fleet-package-registry'].extra_env %}
+    {% if DOCKERMERGED.containers['so-elastic-fleet-package-registry'].extra_env %}
     - environment:
-        {% for XTRAENV in DOCKER.containers['so-elastic-fleet-package-registry'].extra_env %}
+        {% for XTRAENV in DOCKERMERGED.containers['so-elastic-fleet-package-registry'].extra_env %}
       - {{ XTRAENV }}
         {% endfor %}
       {% endif %}
+    {% if DOCKERMERGED.containers['so-elastic-fleet-package-registry'].ulimits %}
+    - ulimits:
+    {%   for ULIMIT in DOCKERMERGED.containers['so-elastic-fleet-package-registry'].ulimits %}
+      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
+    {%   endfor %}
+    {% endif %}
 delete_so-elastic-fleet-package-registry_so-status.disabled:
   file.uncomment:
     - name: /opt/so/conf/so-status/so-status.conf

salt/elastic-fleet-package-registry/soc_elastic-fleet-package-registry.yaml

@@ -1,4 +1,5 @@
 elastic_fleet_package_registry:
   enabled:
     description: Enables or disables the Fleet package registry process. This process must remain enabled to allow Elastic Agent packages to be updated.
+    forcedType: bool
     advanced: True

salt/elasticagent/enabled.sls

@@ -6,7 +6,7 @@
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
 {%   from 'vars/globals.map.jinja' import GLOBALS %}
-{%   from 'docker/docker.map.jinja' import DOCKER %}
+{%   from 'docker/docker.map.jinja' import DOCKERMERGED %}
 
 include:
   - ca
@@ -22,17 +22,17 @@ so-elastic-agent:
     - user: 949
     - networks:
       - sobridge:
-        - ipv4_address: {{ DOCKER.containers['so-elastic-agent'].ip }}
+        - ipv4_address: {{ DOCKERMERGED.containers['so-elastic-agent'].ip }}
     - extra_hosts:
         - {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }}
         - {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
-        {% if DOCKER.containers['so-elastic-agent'].extra_hosts %}
-          {% for XTRAHOST in DOCKER.containers['so-elastic-agent'].extra_hosts %}
+        {% if DOCKERMERGED.containers['so-elastic-agent'].extra_hosts %}
+          {% for XTRAHOST in DOCKERMERGED.containers['so-elastic-agent'].extra_hosts %}
         - {{ XTRAHOST }}
           {% endfor %}
         {% endif %}
     - port_bindings:
-      {% for BINDING in DOCKER.containers['so-elastic-agent'].port_bindings %}
+      {% for BINDING in DOCKERMERGED.containers['so-elastic-agent'].port_bindings %}
       - {{ BINDING }}
       {% endfor %}
     - binds:
@@ -41,19 +41,25 @@ so-elastic-agent:
       - /etc/pki/tls/certs/intca.crt:/etc/pki/tls/certs/intca.crt:ro 
       - /nsm:/nsm:ro
       - /opt/so/log:/opt/so/log:ro
-     {% if DOCKER.containers['so-elastic-agent'].custom_bind_mounts %}
-        {% for BIND in DOCKER.containers['so-elastic-agent'].custom_bind_mounts %}
+     {% if DOCKERMERGED.containers['so-elastic-agent'].custom_bind_mounts %}
+        {% for BIND in DOCKERMERGED.containers['so-elastic-agent'].custom_bind_mounts %}
       - {{ BIND }}
         {% endfor %}
       {% endif %}
     - environment:
       - FLEET_CA=/etc/pki/tls/certs/intca.crt
       - LOGS_PATH=logs
-      {% if DOCKER.containers['so-elastic-agent'].extra_env %}
-        {% for XTRAENV in DOCKER.containers['so-elastic-agent'].extra_env %}
+      {% if DOCKERMERGED.containers['so-elastic-agent'].extra_env %}
+        {% for XTRAENV in DOCKERMERGED.containers['so-elastic-agent'].extra_env %}
       - {{ XTRAENV }}
         {% endfor %}
       {% endif %}
+    {% if DOCKERMERGED.containers['so-elastic-agent'].ulimits %}
+    - ulimits:
+    {%   for ULIMIT in DOCKERMERGED.containers['so-elastic-agent'].ulimits %}
+      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
+    {%   endfor %}
+    {% endif %}
     - require:
       - file: create-elastic-agent-config
       - file: trusttheca

salt/elasticagent/soc_elasticagent.yaml

@@ -1,4 +1,5 @@
 elasticagent:
   enabled:
     description: Enables or disables the Elastic Agent process. This process must remain enabled to allow collection of node events.
+    forcedType: bool
     advanced: True

salt/elasticfleet/enabled.sls

@@ -6,7 +6,7 @@
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
 {%   from 'vars/globals.map.jinja' import GLOBALS %}
-{%   from 'docker/docker.map.jinja' import DOCKER %}
+{%   from 'docker/docker.map.jinja' import DOCKERMERGED %}
 {%   from 'elasticfleet/map.jinja' import ELASTICFLEETMERGED %}
 
 {#   This value is generated during node install and stored in minion pillar #}
@@ -94,17 +94,17 @@ so-elastic-fleet:
     - user: 947
     - networks:
       - sobridge:
-        - ipv4_address: {{ DOCKER.containers['so-elastic-fleet'].ip }}
+        - ipv4_address: {{ DOCKERMERGED.containers['so-elastic-fleet'].ip }}
     - extra_hosts:
         - {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }}
         - {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
-        {% if DOCKER.containers['so-elastic-fleet'].extra_hosts %}
-          {% for XTRAHOST in DOCKER.containers['so-elastic-fleet'].extra_hosts %}
+        {% if DOCKERMERGED.containers['so-elastic-fleet'].extra_hosts %}
+          {% for XTRAHOST in DOCKERMERGED.containers['so-elastic-fleet'].extra_hosts %}
         - {{ XTRAHOST }}
           {% endfor %}
         {% endif %}
     - port_bindings:
-      {% for BINDING in DOCKER.containers['so-elastic-fleet'].port_bindings %}
+      {% for BINDING in DOCKERMERGED.containers['so-elastic-fleet'].port_bindings %}
       - {{ BINDING }}
       {% endfor %}
     - binds:
@@ -112,8 +112,8 @@ so-elastic-fleet:
       - /etc/pki/elasticfleet-server.key:/etc/pki/elasticfleet-server.key:ro
       - /etc/pki/tls/certs/intca.crt:/etc/pki/tls/certs/intca.crt:ro
       - /opt/so/log/elasticfleet:/usr/share/elastic-agent/logs 
-     {% if DOCKER.containers['so-elastic-fleet'].custom_bind_mounts %}
-        {% for BIND in DOCKER.containers['so-elastic-fleet'].custom_bind_mounts %}
+     {% if DOCKERMERGED.containers['so-elastic-fleet'].custom_bind_mounts %}
+        {% for BIND in DOCKERMERGED.containers['so-elastic-fleet'].custom_bind_mounts %}
       - {{ BIND }}
         {% endfor %}
       {% endif %}      
@@ -128,11 +128,17 @@ so-elastic-fleet:
       - FLEET_CA=/etc/pki/tls/certs/intca.crt     
       - FLEET_SERVER_ELASTICSEARCH_CA=/etc/pki/tls/certs/intca.crt
       - LOGS_PATH=logs
-      {% if DOCKER.containers['so-elastic-fleet'].extra_env %}
-        {% for XTRAENV in DOCKER.containers['so-elastic-fleet'].extra_env %}
+      {% if DOCKERMERGED.containers['so-elastic-fleet'].extra_env %}
+        {% for XTRAENV in DOCKERMERGED.containers['so-elastic-fleet'].extra_env %}
       - {{ XTRAENV }}
         {% endfor %}
       {% endif %}
+    {% if DOCKERMERGED.containers['so-elastic-fleet'].ulimits %}
+    - ulimits:
+    {%   for ULIMIT in DOCKERMERGED.containers['so-elastic-fleet'].ulimits %}
+      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
+    {%   endfor %}
+    {% endif %}
     - watch:
       - file: trusttheca
       - x509: etc_elasticfleet_key

salt/elasticfleet/soc_elasticfleet.yaml

@@ -1,6 +1,7 @@
 elasticfleet:
   enabled:
     description: Enables or disables the Elastic Fleet process. This process is critical for managing Elastic Agents.
+    forcedType: bool
     advanced: True
     helpLink: elastic-fleet
   enable_manager_output:
@@ -37,6 +38,7 @@ elasticfleet:
     defend_filters:
       enable_auto_configuration:
         description: Enable auto-configuration and management of the Elastic Defend Exclusion filters.
+        forcedType: bool
         global: True
         helpLink: elastic-fleet
         advanced: True
@@ -99,6 +101,7 @@ elasticfleet:
         forcedType: "[]string"
       enable_auto_configuration:
         description: Enable auto-configuration of Logstash Outputs & Fleet Host URLs.
+        forcedType: bool
         global: True
         helpLink: elastic-fleet
         advanced: True

salt/elasticsearch/defaults.yaml

@@ -119,7 +119,7 @@ elasticsearch:
         ignore_missing_component_templates: []
         index_patterns:
         - so-case*
-        priority: 500
+        priority: 501
         template:
           mappings:
             date_detection: false
@@ -131,8 +131,6 @@ elasticsearch:
                 match_mapping_type: string
           settings:
             index:
-              lifecycle:
-                name: so-case-logs
               mapping:
                 total_fields:
                   limit: 1500
@@ -143,14 +141,7 @@ elasticsearch:
               sort:
                 field: '@timestamp'
                 order: desc
-      policy:
-        phases:
-          hot:
-            actions: {}
-            min_age: 0ms
     so-common:
-      close: 30
-      delete: 365
       index_sorting: false
       index_template:
         composed_of:
@@ -214,7 +205,9 @@ elasticsearch:
         - common-settings
         - common-dynamic-mappings
         - winlog-mappings
-        data_stream: {}
+        data_stream:
+          allow_custom_routing: false
+          hidden: false
         ignore_missing_component_templates: []
         index_patterns:
         - logs-*-so*
@@ -274,7 +267,7 @@ elasticsearch:
         ignore_missing_component_templates: []
         index_patterns:
         - so-detection*
-        priority: 500
+        priority: 501
         template:
           mappings:
             date_detection: false
@@ -286,8 +279,6 @@ elasticsearch:
                 match_mapping_type: string
           settings:
             index:
-              lifecycle:
-                name: so-detection-logs
               mapping:
                 total_fields:
                   limit: 1500
@@ -298,11 +289,6 @@ elasticsearch:
               sort:
                 field: '@timestamp'
                 order: desc
-      policy:
-        phases:
-          hot:
-            actions: {}
-            min_age: 0ms
     sos-backup:
       index_sorting: false
       index_template:
@@ -462,7 +448,7 @@ elasticsearch:
         ignore_missing_component_templates: []
         index_patterns:
         - endgame*
-        priority: 500
+        priority: 501
         template:
           mappings:
             date_detection: false
@@ -510,8 +496,6 @@ elasticsearch:
                 priority: 50
             min_age: 30d
     so-idh:
-      close: 30
-      delete: 365
       index_sorting: false
       index_template:
         composed_of:
@@ -566,10 +550,13 @@ elasticsearch:
         - dtc-user_agent-mappings
         - common-settings
         - common-dynamic-mappings
+        data_stream:
+          allow_custom_routing: false
+          hidden: false
         ignore_missing_component_templates: []
         index_patterns:
-        - so-idh-*
-        priority: 500
+        - logs-idh-so*
+        priority: 501
         template:
           mappings:
             date_detection: false
@@ -679,11 +666,13 @@ elasticsearch:
         - common-dynamic-mappings
         - winlog-mappings
         - hash-mappings
-        data_stream: {}
+        data_stream:
+          allow_custom_routing: false
+          hidden: false
         ignore_missing_component_templates: []
         index_patterns:
         - logs-import-so*
-        priority: 500
+        priority: 501
         template:
           mappings:
             date_detection: false
@@ -738,7 +727,7 @@ elasticsearch:
         ignore_missing_component_templates: []
         index_patterns:
         - so-ip*
-        priority: 500
+        priority: 501
         template:
           mappings:
             date_detection: false
@@ -753,19 +742,12 @@ elasticsearch:
               mapping:
                 total_fields:
                   limit: 1500
-              lifecycle:
-                name: so-ip-mappings-logs
               number_of_replicas: 0
               number_of_shards: 1
               refresh_interval: 30s
               sort:
                 field: '@timestamp'
                 order: desc
-      policy:
-        phases:
-          hot:
-            actions: {}
-            min_age: 0ms
     so-items:
       index_sorting: false
       index_template:
@@ -774,7 +756,7 @@ elasticsearch:
         ignore_missing_component_templates: []
         index_patterns:
         - .items-default-**
-        priority: 500
+        priority: 501
         template:
           mappings:
             date_detection: false
@@ -853,8 +835,6 @@ elasticsearch:
                 priority: 50
             min_age: 30d
     so-kratos:
-      close: 30
-      delete: 365
       index_sorting: false
       index_template:
         composed_of:
@@ -875,7 +855,7 @@ elasticsearch:
         ignore_missing_component_templates: []
         index_patterns:
         - logs-kratos-so*
-        priority: 500
+        priority: 501
         template:
           mappings:
             date_detection: false
@@ -923,8 +903,6 @@ elasticsearch:
                 priority: 50
             min_age: 30d
     so-hydra:
-      close: 30
-      delete: 365
       index_sorting: false
       index_template:
         composed_of:
@@ -985,7 +963,7 @@ elasticsearch:
         ignore_missing_component_templates: []
         index_patterns:
         - logs-hydra-so*
-        priority: 500
+        priority: 501
         template:
           mappings:
             date_detection: false
@@ -1040,7 +1018,7 @@ elasticsearch:
         ignore_missing_component_templates: []
         index_patterns:
         - .lists-default-**
-        priority: 500
+        priority: 501
         template:
           mappings:
             date_detection: false
@@ -1526,6 +1504,9 @@ elasticsearch:
         - so-fleet_integrations.ip_mappings-1
         - so-fleet_globals-1
         - so-fleet_agent_id_verification-1
+        data_stream:
+          allow_custom_routing: false
+          hidden: false
         ignore_missing_component_templates:
         - logs-elastic_agent.cloudbeat@custom
         index_patterns:
@@ -1761,6 +1742,9 @@ elasticsearch:
         - so-fleet_integrations.ip_mappings-1
         - so-fleet_globals-1
         - so-fleet_agent_id_verification-1
+        data_stream:
+          allow_custom_routing: false
+          hidden: false
         ignore_missing_component_templates:
         - logs-elastic_agent.heartbeat@custom
         index_patterns:
@@ -3020,8 +3004,6 @@ elasticsearch:
                 priority: 50
             min_age: 30d
     so-logs-soc:
-      close: 30
-      delete: 365
       index_sorting: false
       index_template:
         composed_of:
@@ -3076,11 +3058,13 @@ elasticsearch:
         - dtc-user_agent-mappings
         - common-settings
         - common-dynamic-mappings
-        data_stream: {}
+        data_stream:
+          allow_custom_routing: false
+          hidden: false
         ignore_missing_component_templates: []
         index_patterns:
         - logs-soc-so*
-        priority: 500
+        priority: 501
         template:
           mappings:
             date_detection: false
@@ -3670,10 +3654,13 @@ elasticsearch:
         - vulnerability-mappings
         - common-settings
         - common-dynamic-mappings
+        data_stream:
+          allow_custom_routing: false
+          hidden: false
         ignore_missing_component_templates: []
         index_patterns:
         - logs-logstash-default*
-        priority: 500
+        priority: 501
         template:
           mappings:
             date_detection: false
@@ -3971,10 +3958,13 @@ elasticsearch:
         - vulnerability-mappings
         - common-settings
         - common-dynamic-mappings
+        data_stream:
+          allow_custom_routing: false
+          hidden: false
         ignore_missing_component_templates: []
         index_patterns:
-        - logs-redis-default*
-        priority: 500
+        - logs-redis.log*
+        priority: 501
         template:
           mappings:
             date_detection: false
@@ -4085,11 +4075,13 @@ elasticsearch:
         - common-settings
         - common-dynamic-mappings
         - hash-mappings
-        data_stream: {}
+        data_stream:
+          allow_custom_routing: false
+          hidden: false
         ignore_missing_component_templates: []
         index_patterns:
         - logs-strelka-so*
-        priority: 500
+        priority: 501
         template:
           mappings:
             date_detection: false
@@ -4199,11 +4191,13 @@ elasticsearch:
         - common-settings
         - common-dynamic-mappings
         - hash-mappings
-        data_stream: {}
+        data_stream:
+          allow_custom_routing: false
+          hidden: false
         ignore_missing_component_templates: []
         index_patterns:
         - logs-suricata-so*
-        priority: 500
+        priority: 501
         template:
           mappings:
             date_detection: false
@@ -4313,11 +4307,13 @@ elasticsearch:
         - common-settings
         - common-dynamic-mappings
         - hash-mappings
-        data_stream: {}
+        data_stream:
+          allow_custom_routing: false
+          hidden: false
         ignore_missing_component_templates: []
         index_patterns:
         - logs-suricata.alerts-*
-        priority: 500
+        priority: 501
         template:
           mappings:
             date_detection: false
@@ -4427,11 +4423,13 @@ elasticsearch:
         - vulnerability-mappings
         - common-settings
         - common-dynamic-mappings
-        data_stream: {}
+        data_stream:
+          allow_custom_routing: false
+          hidden: false
         ignore_missing_component_templates: []
         index_patterns:
         - logs-syslog-so*
-        priority: 500
+        priority: 501
         template:
           mappings:
             date_detection: false
@@ -4543,11 +4541,13 @@ elasticsearch:
         - common-settings
         - common-dynamic-mappings
         - hash-mappings
-        data_stream: {}
+        data_stream:
+          allow_custom_routing: false
+          hidden: false
         ignore_missing_component_templates: []
         index_patterns:
         - logs-zeek-so*
-        priority: 500
+        priority: 501
         template:
           mappings:
             date_detection: false

salt/elasticsearch/enabled.sls

@@ -6,7 +6,7 @@
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
 {%   from 'vars/globals.map.jinja' import GLOBALS %}
-{%   from 'docker/docker.map.jinja' import DOCKER %}
+{%   from 'docker/docker.map.jinja' import DOCKERMERGED %}
 {%   from 'elasticsearch/config.map.jinja' import ELASTICSEARCH_NODES %}
 {%   from 'elasticsearch/config.map.jinja' import ELASTICSEARCH_SEED_HOSTS %}
 {%   from 'elasticsearch/config.map.jinja' import ELASTICSEARCHMERGED %}
@@ -28,15 +28,15 @@ so-elasticsearch:
     - user: elasticsearch
     - networks:
       - sobridge:
-        - ipv4_address: {{ DOCKER.containers['so-elasticsearch'].ip }}
+        - ipv4_address: {{ DOCKERMERGED.containers['so-elasticsearch'].ip }}
     - extra_hosts:
     {% for node in ELASTICSEARCH_NODES %}
     {%   for hostname, ip in node.items() %}
       - {{hostname}}:{{ip}}
     {%   endfor %}
     {% endfor %}
-    {% if DOCKER.containers['so-elasticsearch'].extra_hosts %}
-      {% for XTRAHOST in DOCKER.containers['so-elasticsearch'].extra_hosts %}
+    {% if DOCKERMERGED.containers['so-elasticsearch'].extra_hosts %}
+      {% for XTRAHOST in DOCKERMERGED.containers['so-elasticsearch'].extra_hosts %}
       - {{ XTRAHOST }}
       {% endfor %}
     {% endif %}
@@ -45,17 +45,19 @@ so-elasticsearch:
       - discovery.type=single-node
       {% endif %}
       - ES_JAVA_OPTS=-Xms{{ GLOBALS.elasticsearch.es_heap }} -Xmx{{ GLOBALS.elasticsearch.es_heap }} -Des.transport.cname_in_publish_address=true -Dlog4j2.formatMsgNoLookups=true
-      ulimits:
-      - memlock=-1:-1
-      - nofile=65536:65536
-      - nproc=4096
-      {% if DOCKER.containers['so-elasticsearch'].extra_env %}
-        {% for XTRAENV in DOCKER.containers['so-elasticsearch'].extra_env %}
+      {% if DOCKERMERGED.containers['so-elasticsearch'].extra_env %}
+        {% for XTRAENV in DOCKERMERGED.containers['so-elasticsearch'].extra_env %}
       - {{ XTRAENV }}
         {% endfor %}
       {% endif %}
+    {% if DOCKERMERGED.containers['so-elasticsearch'].ulimits %}
+    - ulimits:
+    {%   for ULIMIT in DOCKERMERGED.containers['so-elasticsearch'].ulimits %}
+      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
+    {%   endfor %}
+    {% endif %}
     - port_bindings:
-      {% for BINDING in DOCKER.containers['so-elasticsearch'].port_bindings %}
+      {% for BINDING in DOCKERMERGED.containers['so-elasticsearch'].port_bindings %}
       - {{ BINDING }}
       {% endfor %}
     - binds:
@@ -75,8 +77,8 @@ so-elasticsearch:
       - {{ repo }}:{{ repo }}:rw
         {% endfor %}
       {% endif %}
-      {% if DOCKER.containers['so-elasticsearch'].custom_bind_mounts %}
-        {% for BIND in DOCKER.containers['so-elasticsearch'].custom_bind_mounts %}
+      {% if DOCKERMERGED.containers['so-elasticsearch'].custom_bind_mounts %}
+        {% for BIND in DOCKERMERGED.containers['so-elasticsearch'].custom_bind_mounts %}
       - {{ BIND }}
         {% endfor %}
       {% endif %}

salt/elasticsearch/files/ingest/zeek.websocket

@@ -0,0 +1,18 @@
+{
+  "description" : "zeek.websocket",
+  "processors" : [
+    { "set":      { "field": "event.dataset",                           "value": "websocket" } },
+    { "remove":   { "field": ["host"],                                                          "ignore_failure": true    } },
+    { "json":     { "field": "message",                                 "target_field": "message2",                       "ignore_failure": true    } },
+    { "rename": 	{ "field": "message2.host",	                    "target_field": "websocket.host",		              "ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.uri",	                    "target_field": "websocket.uri",		              "ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.user_agent",	            "target_field": "websocket.user_agent",		          "ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.subprotocol",	            "target_field": "websocket.subprotocol",		      "ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.client_protocols",	    "target_field": "websocket.client_protocols",	      "ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.client_extensions",	    "target_field": "websocket.client_extensions",	      "ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.server_extensions",	    "target_field": "websocket.server_extensions",	      "ignore_missing": true 	} },
+    { "remove":		{ "field": "message2.tags",		                                                                      "ignore_failure": true    } },
+    { "set":      { "field": "network.transport",                       "value": "tcp"  } },
+    { "pipeline":       { "name": "zeek.common" } }
+  ]
+}

salt/elasticsearch/soc_elasticsearch.yaml

@@ -1,6 +1,7 @@
 elasticsearch:
   enabled:
     description: Enables or disables the Elasticsearch process. This process provides the log event storage system. WARNING - Disabling this process is unsupported.
+    forcedType: bool
     advanced: True
     helpLink: elasticsearch
   version:
@@ -42,8 +43,9 @@ elasticsearch:
       routing:
         allocation:
           disk:
-            threshold_enabled: 
+            threshold_enabled:
               description: Specifies whether the Elasticsearch node will monitor the available disk space for low disk space conditions and take action to protect the cluster.
+              forcedType: bool
               helpLink: elasticsearch
             watermark:
               low: 
@@ -55,18 +57,64 @@ elasticsearch:
               flood_stage: 
                 description: The max percentage of used disk space that will cause the node to take protective actions, such as blocking incoming events.
                 helpLink: elasticsearch
+    action:
+      destructive_requires_name:
+        description: Requires explicit index names when deleting indices. Prevents accidental deletion of indices via wildcard patterns.
+        advanced: True
+        forcedType: bool
+        helpLink: elasticsearch
     script:
-      max_compilations_rate: 
+      max_compilations_rate:
         description: Max rate of script compilations permitted in the Elasticsearch cluster. Larger values will consume more resources.
         global: True
         helpLink: elasticsearch
     indices:
+      id_field_data:
+        enabled:
+          description: Enables or disables loading of field data on the _id field.
+          advanced: True
+          forcedType: bool
+          helpLink: elasticsearch
       query:
         bool:
-          max_clause_count: 
+          max_clause_count:
             description: Max number of boolean clauses per query.
             global: True
             helpLink: elasticsearch
+    xpack:
+      ml:
+        enabled:
+          description: Enables or disables machine learning on the node.
+          forcedType: bool
+          advanced: True
+          helpLink: elasticsearch
+      security:
+        enabled:
+          description: Enables or disables Elasticsearch security features.
+          forcedType: bool
+          advanced: True
+          helpLink: elasticsearch
+        authc:
+          anonymous:
+            authz_exception:
+              description: Controls whether an authorization exception is thrown when anonymous user does not have the required privileges.
+              advanced: True
+              forcedType: bool
+              helpLink: elasticsearch
+        http:
+          ssl:
+            enabled:
+              description: Enables or disables TLS/SSL for the HTTP layer.
+              advanced: True
+              forcedType: bool
+              helpLink: elasticsearch
+        transport:
+          ssl:
+            enabled:
+              description: Enables or disables TLS/SSL for the transport layer.
+              advanced: True
+              forcedType: bool
+              helpLink: elasticsearch
   pipelines:
     custom001: &pipelines
       description:
@@ -264,8 +312,9 @@ elasticsearch:
               global: True
               helpLink: elasticsearch
     so-logs: &indexSettings
-      index_sorting: 
+      index_sorting:
         description: Sorts the index by event time, at the cost of additional processing resource consumption.
+        forcedType: bool
         global: True
         advanced: True
         helpLink: elasticsearch
@@ -609,6 +658,7 @@ elasticsearch:
     so-metrics-fleet_server_x_agent_status: &fleetMetricsSettings
       index_sorting:
         description: Sorts the index by event time, at the cost of additional processing resource consumption.
+        forcedType: bool
         advanced: True
         readonly: True
         helpLink: elasticsearch
@@ -649,11 +699,13 @@ elasticsearch:
         data_stream:
           hidden:
             description: Hide the data stream.
+            forcedType: bool
             advanced: True
             readonly: True
             helpLink: elasticsearch
           allow_custom_routing:
             description: Allow custom routing for the data stream.
+            forcedType: bool
             advanced: True
             readonly: True
             helpLink: elasticsearch

salt/firewall/iptables.jinja

@@ -1,5 +1,5 @@
 {%- from 'vars/globals.map.jinja' import GLOBALS %}
-{%- from 'docker/docker.map.jinja' import DOCKER %}
+{%- from 'docker/docker.map.jinja' import DOCKERMERGED %}
 {%- from 'firewall/map.jinja' import FIREWALL_MERGED %}
 {%- set role = GLOBALS.role.split('-')[1] %}
 {%- from 'firewall/containers.map.jinja' import NODE_CONTAINERS %}
@@ -8,9 +8,9 @@
 {%- set D1 = [] %}
 {%- set D2 = [] %}
 {%- for container in NODE_CONTAINERS %}
-{%-   set IP = DOCKER.containers[container].ip %}
-{%-   if DOCKER.containers[container].port_bindings is defined %}
-{%-     for binding in DOCKER.containers[container].port_bindings %}
+{%-   set IP = DOCKERMERGED.containers[container].ip %}
+{%-   if DOCKERMERGED.containers[container].port_bindings is defined %}
+{%-     for binding in DOCKERMERGED.containers[container].port_bindings %}
 {#-       cant split int so we convert to string #}
 {%-       set binding = binding|string %}
 {#-          split the port binding by /. if proto not specified, default is tcp #}
@@ -33,13 +33,13 @@
 {%-           set hostPort = bsa[0] %}
 {%-           set containerPort = bsa[1] %}
 {%-         endif %}
-{%-         do PR.append("-A POSTROUTING -s " ~ DOCKER.containers[container].ip ~ "/32 -d " ~ DOCKER.containers[container].ip ~ "/32 -p " ~  proto ~ " -m " ~ proto  ~ " --dport " ~ containerPort ~ " -j MASQUERADE") %}
+{%-         do PR.append("-A POSTROUTING -s " ~ DOCKERMERGED.containers[container].ip ~ "/32 -d " ~ DOCKERMERGED.containers[container].ip ~ "/32 -p " ~  proto ~ " -m " ~ proto  ~ " --dport " ~ containerPort ~ " -j MASQUERADE") %}
 {%-         if bindip | length and bindip != '0.0.0.0' %}
-{%-           do D1.append("-A DOCKER -d " ~ bindip ~ "/32 ! -i sobridge -p " ~ proto ~ " -m " ~ proto ~ " --dport " ~ hostPort ~ " -j DNAT --to-destination " ~ DOCKER.containers[container].ip ~ ":" ~ containerPort) %}
+{%-           do D1.append("-A DOCKER -d " ~ bindip ~ "/32 ! -i sobridge -p " ~ proto ~ " -m " ~ proto ~ " --dport " ~ hostPort ~ " -j DNAT --to-destination " ~ DOCKERMERGED.containers[container].ip ~ ":" ~ containerPort) %}
 {%-         else %}
-{%-           do D1.append("-A DOCKER ! -i sobridge -p " ~ proto ~ " -m " ~ proto ~ " --dport " ~ hostPort ~ " -j DNAT --to-destination " ~ DOCKER.containers[container].ip ~ ":" ~ containerPort) %}
+{%-           do D1.append("-A DOCKER ! -i sobridge -p " ~ proto ~ " -m " ~ proto ~ " --dport " ~ hostPort ~ " -j DNAT --to-destination " ~ DOCKERMERGED.containers[container].ip ~ ":" ~ containerPort) %}
 {%-         endif %}
-{%-         do D2.append("-A DOCKER -d " ~ DOCKER.containers[container].ip ~ "/32 ! -i sobridge -o sobridge -p " ~ proto ~ " -m " ~ proto ~ " --dport " ~ containerPort ~ " -j ACCEPT") %}
+{%-         do D2.append("-A DOCKER -d " ~ DOCKERMERGED.containers[container].ip ~ "/32 ! -i sobridge -o sobridge -p " ~ proto ~ " -m " ~ proto ~ " --dport " ~ containerPort ~ " -j ACCEPT") %}
 {%-     endfor %}
 {%-   endif %}
 {%- endfor %}
@@ -52,7 +52,7 @@
 :DOCKER - [0:0]
 -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
 -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
--A POSTROUTING -s {{DOCKER.range}} ! -o sobridge -j MASQUERADE
+-A POSTROUTING -s {{DOCKERMERGED.range}} ! -o sobridge -j MASQUERADE
 {%- for rule in PR %}
 {{ rule }}
 {%- endfor %}

salt/firewall/map.jinja

@@ -1,11 +1,11 @@
 {% from 'vars/globals.map.jinja' import GLOBALS %}
-{% from 'docker/docker.map.jinja' import DOCKER %}
+{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
 {% import_yaml 'firewall/defaults.yaml' as FIREWALL_DEFAULT %}
 
 {# add our ip to self #}
 {% do FIREWALL_DEFAULT.firewall.hostgroups.self.append(GLOBALS.node_ip) %}
 {# add dockernet range #}
-{% do FIREWALL_DEFAULT.firewall.hostgroups.dockernet.append(DOCKER.range) %}
+{% do FIREWALL_DEFAULT.firewall.hostgroups.dockernet.append(DOCKERMERGED.range) %}
 
 {% if GLOBALS.role == 'so-idh' %}
 {%   from 'idh/opencanary_config.map.jinja' import IDH_PORTGROUPS %}

salt/hydra/enabled.sls

@@ -11,7 +11,7 @@
 
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
-{%   from 'docker/docker.map.jinja' import DOCKER %}
+{%   from 'docker/docker.map.jinja' import DOCKERMERGED %}
 {%   from 'vars/globals.map.jinja' import GLOBALS %}
 {%   if 'api' in salt['pillar.get']('features', []) %}
 
@@ -26,32 +26,38 @@ so-hydra:
     - name: so-hydra
     - networks:
       - sobridge:
-        - ipv4_address: {{ DOCKER.containers['so-hydra'].ip }}
+        - ipv4_address: {{ DOCKERMERGED.containers['so-hydra'].ip }}
     - binds:
       - /opt/so/conf/hydra/:/hydra-conf:ro
       - /opt/so/log/hydra/:/hydra-log:rw
       - /nsm/hydra/db:/hydra-data:rw
-      {% if DOCKER.containers['so-hydra'].custom_bind_mounts %}
-        {% for BIND in DOCKER.containers['so-hydra'].custom_bind_mounts %}
+      {% if DOCKERMERGED.containers['so-hydra'].custom_bind_mounts %}
+        {% for BIND in DOCKERMERGED.containers['so-hydra'].custom_bind_mounts %}
       - {{ BIND }}
         {% endfor %}
       {% endif %}
     - port_bindings:
-      {% for BINDING in DOCKER.containers['so-hydra'].port_bindings %}
+      {% for BINDING in DOCKERMERGED.containers['so-hydra'].port_bindings %}
       - {{ BINDING }}
       {% endfor %}
-    {% if DOCKER.containers['so-hydra'].extra_hosts %}
+    {% if DOCKERMERGED.containers['so-hydra'].extra_hosts %}
     - extra_hosts:
-      {% for XTRAHOST in DOCKER.containers['so-hydra'].extra_hosts %}
+      {% for XTRAHOST in DOCKERMERGED.containers['so-hydra'].extra_hosts %}
       - {{ XTRAHOST }}
       {% endfor %}
     {% endif %}
-    {% if DOCKER.containers['so-hydra'].extra_env %}
+    {% if DOCKERMERGED.containers['so-hydra'].extra_env %}
     - environment:
-      {% for XTRAENV in DOCKER.containers['so-hydra'].extra_env %}
+      {% for XTRAENV in DOCKERMERGED.containers['so-hydra'].extra_env %}
       - {{ XTRAENV }}
       {% endfor %}
     {% endif %}
+    {% if DOCKERMERGED.containers['so-hydra'].ulimits %}
+    - ulimits:
+    {%   for ULIMIT in DOCKERMERGED.containers['so-hydra'].ulimits %}
+      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
+    {%   endfor %}
+    {% endif %}
     - restart_policy: unless-stopped
     - watch:
       - file: hydraconfig

salt/hydra/soc_hydra.yaml

@@ -1,6 +1,7 @@
 hydra:
   enabled:
-    description: Enables or disables the API authentication system, used for service account authentication. Enabling this feature requires a valid Security Onion license key. Defaults to False. 
+    description: Enables or disables the API authentication system, used for service account authentication. Enabling this feature requires a valid Security Onion license key. Defaults to False.
+    forcedType: bool
     helpLink: connect-api
     global: True
   config:

salt/idh/enabled.sls

@@ -6,7 +6,7 @@
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
 {%   from 'vars/globals.map.jinja' import GLOBALS %}
-{%   from 'docker/docker.map.jinja' import DOCKER %}
+{%   from 'docker/docker.map.jinja' import DOCKERMERGED %}
 
 include:
   - idh.config
@@ -22,23 +22,29 @@ so-idh:
       - /nsm/idh:/var/tmp:rw
       - /opt/so/conf/idh/http-skins:/usr/local/lib/python3.12/site-packages/opencanary/modules/data/http/skin:ro
       - /opt/so/conf/idh/opencanary.conf:/etc/opencanaryd/opencanary.conf:ro
-      {% if DOCKER.containers['so-idh'].custom_bind_mounts %}
-        {% for BIND in DOCKER.containers['so-idh'].custom_bind_mounts %}
+      {% if DOCKERMERGED.containers['so-idh'].custom_bind_mounts %}
+        {% for BIND in DOCKERMERGED.containers['so-idh'].custom_bind_mounts %}
       - {{ BIND }}
         {% endfor %}
       {% endif %}
-    {% if DOCKER.containers['so-idh'].extra_hosts %}
+    {% if DOCKERMERGED.containers['so-idh'].extra_hosts %}
     - extra_hosts:
-      {% for XTRAHOST in DOCKER.containers['so-idh'].extra_hosts %}
+      {% for XTRAHOST in DOCKERMERGED.containers['so-idh'].extra_hosts %}
       - {{ XTRAHOST }}
       {% endfor %}
     {% endif %}
-    {% if DOCKER.containers['so-idh'].extra_env %}
+    {% if DOCKERMERGED.containers['so-idh'].extra_env %}
     - environment:
-      {% for XTRAENV in DOCKER.containers['so-idh'].extra_env %}
+      {% for XTRAENV in DOCKERMERGED.containers['so-idh'].extra_env %}
       - {{ XTRAENV }}
       {% endfor %}
     {% endif %}
+    {% if DOCKERMERGED.containers['so-idh'].ulimits %}
+    - ulimits:
+    {%   for ULIMIT in DOCKERMERGED.containers['so-idh'].ulimits %}
+      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
+    {%   endfor %}
+    {% endif %}
     - watch:
       - file: opencanary_config
     - require:

salt/idh/soc_idh.yaml

@@ -1,6 +1,11 @@
 idh:
   enabled:
-    description: Enables or disables the Intrusion Detection Honeypot (IDH) process. 
+    description: Enables or disables the Intrusion Detection Honeypot (IDH) process.
+    forcedType: bool
+    helpLink: idh
+  restrict_management_ip:
+    description: Restricts management IP access to the IDH node.
+    forcedType: bool
     helpLink: idh
   opencanary:
     config:
@@ -24,6 +29,7 @@ idh:
                   filename: *loggingOptions
       portscan_x_enabled: &serviceOptions
         description: To enable this opencanary module, set this value to true. To disable set to false. This option only applies to IDH nodes within your grid.
+        forcedType: bool
         helpLink: idh
       portscan_x_logfile: *loggingOptions
       portscan_x_synrate:
@@ -125,8 +131,9 @@ idh:
       vnc_x_enabled: *serviceOptions
       vnc_x_port: *portOptions
   openssh:
-    enable: 
+    enable:
       description: This is the real SSH service for the host machine.
+      forcedType: bool
       helpLink: idh
     config:
       port:

salt/influxdb/enabled.sls

@@ -6,7 +6,7 @@
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
 {%   from 'vars/globals.map.jinja' import GLOBALS %}
-{%   from 'docker/docker.map.jinja' import DOCKER %}
+{%   from 'docker/docker.map.jinja' import DOCKERMERGED %}
 {%   set PASSWORD = salt['pillar.get']('secrets:influx_pass') %}
 {%   set TOKEN = salt['pillar.get']('influxdb:token') %}
 
@@ -21,7 +21,7 @@ so-influxdb:
     - hostname: influxdb
     - networks:
       - sobridge:
-        - ipv4_address: {{ DOCKER.containers['so-influxdb'].ip }}
+        - ipv4_address: {{ DOCKERMERGED.containers['so-influxdb'].ip }}
     - environment:
       - INFLUXD_CONFIG_PATH=/conf/config.yaml
       - INFLUXDB_HTTP_LOG_ENABLED=false
@@ -31,8 +31,8 @@ so-influxdb:
       - DOCKER_INFLUXDB_INIT_ORG=Security Onion
       - DOCKER_INFLUXDB_INIT_BUCKET=telegraf/so_short_term
       - DOCKER_INFLUXDB_INIT_ADMIN_TOKEN={{ TOKEN }}
-      {% if DOCKER.containers['so-influxdb'].extra_env %}
-        {% for XTRAENV in DOCKER.containers['so-influxdb'].extra_env %}
+      {% if DOCKERMERGED.containers['so-influxdb'].extra_env %}
+        {% for XTRAENV in DOCKERMERGED.containers['so-influxdb'].extra_env %}
       - {{ XTRAENV }}
         {% endfor %}
       {% endif %}
@@ -43,21 +43,27 @@ so-influxdb:
       - /nsm/influxdb:/var/lib/influxdb2:rw
       - /etc/pki/influxdb.crt:/conf/influxdb.crt:ro
       - /etc/pki/influxdb.key:/conf/influxdb.key:ro
-      {% if DOCKER.containers['so-influxdb'].custom_bind_mounts %}
-        {% for BIND in DOCKER.containers['so-influxdb'].custom_bind_mounts %}
+      {% if DOCKERMERGED.containers['so-influxdb'].custom_bind_mounts %}
+        {% for BIND in DOCKERMERGED.containers['so-influxdb'].custom_bind_mounts %}
       - {{ BIND }}
         {% endfor %}
       {% endif %}
     - port_bindings:
-      {% for BINDING in DOCKER.containers['so-influxdb'].port_bindings %}
+      {% for BINDING in DOCKERMERGED.containers['so-influxdb'].port_bindings %}
       - {{ BINDING }}
       {% endfor %}
-    {% if DOCKER.containers['so-influxdb'].extra_hosts %}
+    {% if DOCKERMERGED.containers['so-influxdb'].extra_hosts %}
     - extra_hosts:
-      {% for XTRAHOST in DOCKER.containers['so-influxdb'].extra_hosts %}
+      {% for XTRAHOST in DOCKERMERGED.containers['so-influxdb'].extra_hosts %}
       - {{ XTRAHOST }}
       {% endfor %}
     {% endif %}
+    {% if DOCKERMERGED.containers['so-influxdb'].ulimits %}
+    - ulimits:
+    {%   for ULIMIT in DOCKERMERGED.containers['so-influxdb'].ulimits %}
+      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
+    {%   endfor %}
+    {% endif %}
     - watch:
       - file: influxdbconf
       - x509: influxdb_key

salt/influxdb/soc_influxdb.yaml

@@ -1,6 +1,7 @@
 influxdb:
   enabled:
     description: Enables the grid metrics collection storage system. Security Onion grid health monitoring requires this process to remain enabled. WARNING - Disabling the process is unsupported, and will cause unexpected results.
+    forcedType: bool
     helpLink: influxdb
   config:
     assets-path:
@@ -25,11 +26,13 @@ influxdb:
       helpLink: influxdb
     flux-log-enabled:
       description: Controls whether detailed flux query logging is enabled.
+      forcedType: bool
       global: True
       advanced: True
       helpLink: influxdb
     hardening-enabled:
       description: If true, enforces outbound connections from the InfluxDB process must never attempt to reach an internal, private network address.
+      forcedType: bool
       global: True
       advanced: True
       helpLink: influxdb
@@ -86,16 +89,19 @@ influxdb:
       helpLink: influxdb
     metrics-disabled:
       description: If true, the HTTP endpoint that exposes internal InfluxDB metrics will be inaccessible.
+      forcedType: bool
       global: True
       advanced: True
       helpLink: influxdb
     no-tasks:
       description: If true, the task system will not process any queued tasks. Useful for troubleshooting startup problems.
+      forcedType: bool
       global: True
       advanced: True
       helpLink: influxdb
     pprof-disabled:
       description: If true, the profiling data HTTP endpoint will be inaccessible.
+      forcedType: bool
       global: True
       advanced: True
       helpLink: influxdb
@@ -126,6 +132,7 @@ influxdb:
       helpLink: influxdb
     reporting-disabled:
       description: If true, prevents InfluxDB from sending telemetry updates to InfluxData's servers.
+      forcedType: bool
       global: True
       advanced: True
       helpLink: influxdb
@@ -142,6 +149,7 @@ influxdb:
       helpLink: influxdb
     session-renew-disabled:
       description: If true, user login sessions will renew after each request.
+      forcedType: bool
       global: True
       advanced: True
       helpLink: influxdb
@@ -187,6 +195,7 @@ influxdb:
       helpLink: influxdb
     storage-no-validate-field-size:
       description: If true, incoming requests will skip the field size validation.
+      forcedType: bool
       global: True
       advanced: True
       helpLink: influxdb
@@ -217,11 +226,13 @@ influxdb:
       helpLink: influxdb
     storage-tsm-use-madv-willneed:
       description: If true, InfluxDB will manage TSM memory paging.
+      forcedType: bool
       global: True
       advanced: True
       helpLink: influxdb
     storage-validate-keys:
       description: If true, validates incoming requests for supported characters.
+      forcedType: bool
       global: True
       advanced: True
       helpLink: influxdb
@@ -268,6 +279,7 @@ influxdb:
       helpLink: influxdb
     tls-strict-ciphers:
       description: If true, the allowed ciphers used with TLS connections are ECDHE_RSA_WITH_AES_256_GCM_SHA384, ECDHE_RSA_WITH_AES_256_CBC_SHA, RSA_WITH_AES_256_GCM_SHA384, or RSA_WITH_AES_256_CBC_SHA.
+      forcedType: bool
       global: True
       advanced: True
       helpLink: influxdb
@@ -276,8 +288,9 @@ influxdb:
       global: True
       advanced: True
       helpLink: influxdb
-    ui-disabled: 
+    ui-disabled:
       description: If true, the InfluxDB HTTP user interface will be disabled. This will prevent use of the included InfluxDB dashboard visualizations.
+      forcedType: bool
       global: True
       advanced: True
       helpLink: influxdb
@@ -316,8 +329,9 @@ influxdb:
       global: True
       advanced: True
       helpLink: influxdb
-    vault-skip-verify: 
+    vault-skip-verify:
       description: Skip certification validation of the Vault server.
+      forcedType: bool
       global: True
       advanced: True
       helpLink: influxdb

salt/kafka/enabled.sls

@@ -12,7 +12,7 @@
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
 {%   from 'vars/globals.map.jinja' import GLOBALS %}
-{%   from 'docker/docker.map.jinja' import DOCKER %}
+{%   from 'docker/docker.map.jinja' import DOCKERMERGED %}
 {%   set KAFKANODES = salt['pillar.get']('kafka:nodes') %}
 {%   set KAFKA_EXTERNAL_ACCESS = salt['pillar.get']('kafka:config:external_access:enabled', default=False) %}
 {%   if 'gmd' in salt['pillar.get']('features', []) %}
@@ -31,22 +31,22 @@ so-kafka:
     - name: so-kafka
     - networks:
       - sobridge:
-        - ipv4_address: {{ DOCKER.containers['so-kafka'].ip }}
+        - ipv4_address: {{ DOCKERMERGED.containers['so-kafka'].ip }}
     - user: kafka
     - environment:
         KAFKA_HEAP_OPTS: -Xmx2G -Xms1G
-        KAFKA_OPTS: "-javaagent:/opt/jolokia/agents/jolokia-agent-jvm-javaagent.jar=port=8778,host={{ DOCKER.containers['so-kafka'].ip }},policyLocation=file:/opt/jolokia/jolokia.xml {%- if KAFKA_EXTERNAL_ACCESS %} -Djava.security.auth.login.config=/opt/kafka/config/kafka_server_jaas.conf {% endif -%}"
+        KAFKA_OPTS: "-javaagent:/opt/jolokia/agents/jolokia-agent-jvm-javaagent.jar=port=8778,host={{ DOCKERMERGED.containers['so-kafka'].ip }},policyLocation=file:/opt/jolokia/jolokia.xml {%- if KAFKA_EXTERNAL_ACCESS %} -Djava.security.auth.login.config=/opt/kafka/config/kafka_server_jaas.conf {% endif -%}"
     - extra_hosts:
       {% for node in KAFKANODES %}
       - {{ node }}:{{ KAFKANODES[node].ip }}
       {% endfor %}
-      {% if DOCKER.containers['so-kafka'].extra_hosts %}
-      {%   for XTRAHOST in DOCKER.containers['so-kafka'].extra_hosts %}
+      {% if DOCKERMERGED.containers['so-kafka'].extra_hosts %}
+      {%   for XTRAHOST in DOCKERMERGED.containers['so-kafka'].extra_hosts %}
       - {{ XTRAHOST }}
       {%   endfor %}
       {% endif %}
     - port_bindings:
-      {% for BINDING in DOCKER.containers['so-kafka'].port_bindings %}
+      {% for BINDING in DOCKERMERGED.containers['so-kafka'].port_bindings %}
       - {{ BINDING }}
       {% endfor %}
     - binds:
@@ -60,6 +60,12 @@ so-kafka:
       {% if KAFKA_EXTERNAL_ACCESS %}
       - /opt/so/conf/kafka/kafka_server_jaas.conf:/opt/kafka/config/kafka_server_jaas.conf:ro
       {% endif %}
+    {% if DOCKERMERGED.containers['so-kafka'].ulimits %}
+    - ulimits:
+    {%   for ULIMIT in DOCKERMERGED.containers['so-kafka'].ulimits %}
+      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
+    {%   endfor %}
+    {% endif %}
     - watch:
       {% for sc in ['server', 'client'] %}
       - file: kafka_kraft_{{sc}}_properties

salt/kafka/soc_kafka.yaml

@@ -1,6 +1,7 @@
 kafka:
   enabled:
     description: Set to True to enable Kafka. To avoid grid problems, do not enable Kafka until the related configuration is in place. Requires a valid Security Onion license key.
+    forcedType: bool
     helpLink: kafka
   cluster_id:
     description: The ID of the Kafka cluster.

salt/kibana/enabled.sls

@@ -5,7 +5,7 @@
 
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
-{%   from 'docker/docker.map.jinja' import DOCKER %}
+{%   from 'docker/docker.map.jinja' import DOCKERMERGED %}
 {%   from 'vars/globals.map.jinja' import GLOBALS %}
 
 include:
@@ -20,20 +20,20 @@ so-kibana:
     - user: kibana
     - networks:
       - sobridge:
-        - ipv4_address: {{ DOCKER.containers['so-kibana'].ip }}
+        - ipv4_address: {{ DOCKERMERGED.containers['so-kibana'].ip }}
     - environment:
       - ELASTICSEARCH_HOST={{ GLOBALS.manager }}
       - ELASTICSEARCH_PORT=9200
       - MANAGER={{ GLOBALS.manager }}
-      {% if DOCKER.containers['so-kibana'].extra_env %}
-        {% for XTRAENV in DOCKER.containers['so-kibana'].extra_env %}
+      {% if DOCKERMERGED.containers['so-kibana'].extra_env %}
+        {% for XTRAENV in DOCKERMERGED.containers['so-kibana'].extra_env %}
       - {{ XTRAENV }}
         {% endfor %}
       {% endif %}
     - extra_hosts:
       - {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }}
-    {% if DOCKER.containers['so-kibana'].extra_hosts %}
-      {% for XTRAHOST in DOCKER.containers['so-kibana'].extra_hosts %}
+    {% if DOCKERMERGED.containers['so-kibana'].extra_hosts %}
+      {% for XTRAHOST in DOCKERMERGED.containers['so-kibana'].extra_hosts %}
       - {{ XTRAHOST }}
       {% endfor %}
     {% endif %}
@@ -42,15 +42,21 @@ so-kibana:
       - /opt/so/log/kibana:/var/log/kibana:rw
       - /opt/so/conf/kibana/customdashboards:/usr/share/kibana/custdashboards:ro
       - /sys/fs/cgroup:/sys/fs/cgroup:ro
-      {% if DOCKER.containers['so-kibana'].custom_bind_mounts %}
-        {% for BIND in DOCKER.containers['so-kibana'].custom_bind_mounts %}
+      {% if DOCKERMERGED.containers['so-kibana'].custom_bind_mounts %}
+        {% for BIND in DOCKERMERGED.containers['so-kibana'].custom_bind_mounts %}
       - {{ BIND }}
         {% endfor %}
       {% endif %}
     - port_bindings:
-      {% for BINDING in DOCKER.containers['so-kibana'].port_bindings %}
+      {% for BINDING in DOCKERMERGED.containers['so-kibana'].port_bindings %}
       - {{ BINDING }}
       {% endfor %}
+    {% if DOCKERMERGED.containers['so-kibana'].ulimits %}
+    - ulimits:
+    {%   for ULIMIT in DOCKERMERGED.containers['so-kibana'].ulimits %}
+      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
+    {%   endfor %}
+    {% endif %}
     - watch:
       - file: kibanaconfig
 

salt/kibana/soc_kibana.yaml

@@ -1,10 +1,46 @@
 kibana:
-  enabled: 
+  enabled:
     description: Enables or disables the Kibana front-end interface to Elasticsearch. Due to Kibana being used for loading certain configuration details in Elasticsearch, this process should remain enabled. WARNING - Disabling the process is unsupported, and will cause unexpected results.
+    forcedType: bool
     helpLink: kibana
   config:
+    server:
+      rewriteBasePath:
+        description: Specifies whether Kibana should rewrite requests that are prefixed with the server basePath.
+        forcedType: bool
+        global: True
+        advanced: True
+        helpLink: kibana
     elasticsearch:
       requestTimeout:
         description: The length of time before the request reaches timeout.
         global: True
         helpLink: kibana
+    telemetry:
+      enabled:
+        description: Enables or disables telemetry data collection in Kibana.
+        forcedType: bool
+        global: True
+        advanced: True
+        helpLink: kibana
+    xpack:
+      security:
+        secureCookies:
+          description: Sets the secure flag on session cookies. Cookies are only sent over HTTPS when enabled.
+          forcedType: bool
+          global: True
+          advanced: True
+          helpLink: kibana
+        showInsecureClusterWarning:
+          description: Shows a warning in Kibana when the cluster does not have security enabled.
+          forcedType: bool
+          global: True
+          advanced: True
+          helpLink: kibana
+      apm:
+        enabled:
+          description: Enables or disables the APM agent in Kibana.
+          forcedType: bool
+          global: True
+          advanced: True
+          helpLink: kibana

salt/kratos/enabled.sls

@@ -5,7 +5,7 @@
 
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
-{%   from 'docker/docker.map.jinja' import DOCKER %}
+{%   from 'docker/docker.map.jinja' import DOCKERMERGED %}
 {%   from 'vars/globals.map.jinja' import GLOBALS %}
 
 include:
@@ -19,32 +19,38 @@ so-kratos:
     - name: so-kratos
     - networks:
       - sobridge:
-        - ipv4_address: {{ DOCKER.containers['so-kratos'].ip }}
+        - ipv4_address: {{ DOCKERMERGED.containers['so-kratos'].ip }}
     - binds:
       - /opt/so/conf/kratos/:/kratos-conf:ro
       - /opt/so/log/kratos/:/kratos-log:rw
       - /nsm/kratos/db:/kratos-data:rw
-      {% if DOCKER.containers['so-kratos'].custom_bind_mounts %}
-        {% for BIND in DOCKER.containers['so-kratos'].custom_bind_mounts %}
+      {% if DOCKERMERGED.containers['so-kratos'].custom_bind_mounts %}
+        {% for BIND in DOCKERMERGED.containers['so-kratos'].custom_bind_mounts %}
       - {{ BIND }}
         {% endfor %}
       {% endif %}
     - port_bindings:
-      {% for BINDING in DOCKER.containers['so-kratos'].port_bindings %}
+      {% for BINDING in DOCKERMERGED.containers['so-kratos'].port_bindings %}
       - {{ BINDING }}
       {% endfor %}
-    {% if DOCKER.containers['so-kratos'].extra_hosts %}
+    {% if DOCKERMERGED.containers['so-kratos'].extra_hosts %}
     - extra_hosts:
-      {% for XTRAHOST in DOCKER.containers['so-kratos'].extra_hosts %}
+      {% for XTRAHOST in DOCKERMERGED.containers['so-kratos'].extra_hosts %}
       - {{ XTRAHOST }}
       {% endfor %}
     {% endif %}
-    {% if DOCKER.containers['so-kratos'].extra_env %}
+    {% if DOCKERMERGED.containers['so-kratos'].extra_env %}
     - environment:
-      {% for XTRAENV in DOCKER.containers['so-kratos'].extra_env %}
+      {% for XTRAENV in DOCKERMERGED.containers['so-kratos'].extra_env %}
       - {{ XTRAENV }}
       {% endfor %}
     {% endif %}
+    {% if DOCKERMERGED.containers['so-kratos'].ulimits %}
+    - ulimits:
+    {%   for ULIMIT in DOCKERMERGED.containers['so-kratos'].ulimits %}
+      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
+    {%   endfor %}
+    {% endif %}
     - restart_policy: unless-stopped
     - watch:
       - file: kratosschema

salt/kratos/soc_kratos.yaml

@@ -1,12 +1,14 @@
 kratos:
   enabled:
     description: Enables or disables the Kratos authentication system. WARNING - Disabling this process will cause the grid to malfunction. Re-enabling this setting will require manual effort via SSH.
+    forcedType: bool
     advanced: True
     helpLink: kratos
 
   oidc:
-    enabled: 
+    enabled:
       description: Set to True to enable OIDC / Single Sign-On (SSO) to SOC. Requires a valid Security Onion license key.
+      forcedType: bool
       global: True
       helpLink: oidc
     config:
@@ -80,6 +82,7 @@ kratos:
           email:
             essential:
               description: Specifies whether the email claim is necessary. Typically leave this value set to true.
+              forcedType: bool
               advanced: True
               global: True
               helpLink: oidc
@@ -107,19 +110,22 @@ kratos:
     selfservice:
       methods:
         password:
-          enabled: 
+          enabled:
             description: Set to True to enable traditional password authentication to SOC. Typically set to true, except when exclusively using OIDC authentication. Some external tool interfaces may not be accessible if local password authentication is disabled.
+            forcedType: bool
             global: True
             advanced: True
             helpLink: oidc
           config:
             haveibeenpwned_enabled:
               description: Set to True to check if a newly chosen password has ever been found in a published list of previously-compromised passwords. Requires outbound Internet connectivity when enabled.
+              forcedType: bool
               global: True
               helpLink: kratos
         totp:
-          enabled: 
+          enabled:
             description: Set to True to enable Time-based One-Time Password (TOTP) multi-factor authentication (MFA) to SOC. Enable to ensure proper security protections remain in place. Be aware that disabling this setting, after users have already setup TOTP, may prevent users from logging in.
+            forcedType: bool
             global: True
             helpLink: kratos
           config:
@@ -130,11 +136,13 @@ kratos:
         webauthn:
           enabled:
             description: Set to True to enable Security Keys (WebAuthn / PassKeys) for passwordless or multi-factor authentication (MFA) SOC logins. Security Keys are a Public-Key Infrastructure (PKI) based authentication method, typically involving biometric hardware devices, such as laptop fingerprint scanners and USB hardware keys. Be aware that disabling this setting, after users have already setup their accounts with Security Keys, may prevent users from logging in.
+            forcedType: bool
             global: True
             helpLink: kratos
           config:
-            passwordless: 
+            passwordless:
               description: Set to True to utilize Security Keys (WebAuthn / PassKeys) for passwordless logins. Set to false to utilize Security Keys as a multi-factor authentication (MFA) method supplementing password logins. Be aware that changing this value, after users have already setup their accounts with the previous value, may prevent users from logging in.
+              forcedType: bool
               global: True
               helpLink: kratos
             rp:

salt/logstash/enabled.sls

@@ -6,7 +6,7 @@
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
 {%   from 'vars/globals.map.jinja' import GLOBALS %}
-{%   from 'docker/docker.map.jinja' import DOCKER %}
+{%   from 'docker/docker.map.jinja' import DOCKERMERGED %}
 {%   from 'logstash/map.jinja' import LOGSTASH_MERGED %}
 {%   from 'logstash/map.jinja' import LOGSTASH_NODES %}
 {%   set lsheap = LOGSTASH_MERGED.settings.lsheap %}
@@ -32,7 +32,7 @@ so-logstash:
     - name: so-logstash
     - networks:
       - sobridge:
-        - ipv4_address: {{ DOCKER.containers['so-logstash'].ip }}
+        - ipv4_address: {{ DOCKERMERGED.containers['so-logstash'].ip }}
     - user: logstash
     - extra_hosts:
     {% for node in LOGSTASH_NODES %}
@@ -40,20 +40,20 @@ so-logstash:
       - {{hostname}}:{{ip}}
     {%   endfor %}
     {% endfor %}
-    {% if DOCKER.containers['so-logstash'].extra_hosts %}
-    {%   for XTRAHOST in DOCKER.containers['so-logstash'].extra_hosts %}
+    {% if DOCKERMERGED.containers['so-logstash'].extra_hosts %}
+    {%   for XTRAHOST in DOCKERMERGED.containers['so-logstash'].extra_hosts %}
       - {{ XTRAHOST }}
     {%   endfor %}
     {% endif %}
     - environment:
       - LS_JAVA_OPTS=-Xms{{ lsheap }} -Xmx{{ lsheap }}
-    {% if DOCKER.containers['so-logstash'].extra_env %}
-    {%   for XTRAENV in DOCKER.containers['so-logstash'].extra_env %}
+    {% if DOCKERMERGED.containers['so-logstash'].extra_env %}
+    {%   for XTRAENV in DOCKERMERGED.containers['so-logstash'].extra_env %}
       - {{ XTRAENV }}
     {%   endfor %}
     {% endif %}
     - port_bindings:
-      {% for BINDING in DOCKER.containers['so-logstash'].port_bindings %}
+      {% for BINDING in DOCKERMERGED.containers['so-logstash'].port_bindings %}
       - {{ BINDING }}
       {% endfor %}
     - binds:
@@ -91,11 +91,17 @@ so-logstash:
       - /opt/so/log/fleet/:/osquery/logs:ro
       - /opt/so/log/strelka:/strelka:ro
       {% endif %}
-      {% if DOCKER.containers['so-logstash'].custom_bind_mounts %}
-        {% for BIND in DOCKER.containers['so-logstash'].custom_bind_mounts %}
+      {% if DOCKERMERGED.containers['so-logstash'].custom_bind_mounts %}
+        {% for BIND in DOCKERMERGED.containers['so-logstash'].custom_bind_mounts %}
       - {{ BIND }}
         {% endfor %}
       {% endif %}
+    {% if DOCKERMERGED.containers['so-logstash'].ulimits %}
+    - ulimits:
+    {%   for ULIMIT in DOCKERMERGED.containers['so-logstash'].ulimits %}
+      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
+    {%   endfor %}
+    {% endif %}
     - watch:
       - file: lsetcsync
       - file: trusttheca

salt/logstash/soc_logstash.yaml

@@ -1,6 +1,7 @@
 logstash:
-  enabled: 
+  enabled:
     description: Enables or disables the Logstash log event forwarding process. On most grid installations, when this process is disabled log events are unable to be ingested into the SOC backend.
+    forcedType: bool
     helpLink: logstash
   assigned_pipelines:
     roles:

salt/manager/soc_manager.yaml

@@ -2,6 +2,7 @@ manager:
   reposync:
     enabled:
       description: This is the daily task of syncing the Security Onion OS packages. It is recommended that this setting remain enabled to ensure important updates are applied to the grid on an automated, scheduled basis.
+      forcedType: bool
       global: True
       helpLink: soup
     hour:

salt/manager/tools/sbin/soup

@@ -383,6 +383,67 @@ check_minimum_version() {
 
 ### 3.0.0 Scripts ###
 
+convert_suricata_yes_no() {
+  echo "Starting suricata yes/no values to true/false conversion."
+  local SURICATA_FILE=/opt/so/saltstack/local/pillar/suricata/soc_suricata.sls
+  local MINIONDIR=/opt/so/saltstack/local/pillar/minions
+  local pillar_files=()
+
+  [[ -f "$SURICATA_FILE" ]] && pillar_files+=("$SURICATA_FILE")
+  for suffix in _eval _heavynode _sensor _standalone; do
+    for f in "$MINIONDIR"/*${suffix}.sls; do
+      [[ -f "$f" ]] && pillar_files+=("$f")
+    done
+  done
+
+  for pillar_file in "${pillar_files[@]}"; do
+    echo "Checking $pillar_file for suricata yes/no values."
+    local yaml_output
+    yaml_output=$(so-yaml.py get -r "$pillar_file" suricata 2>/dev/null) || continue
+
+    local keys_to_fix
+    keys_to_fix=$(python3 -c "
+import yaml, sys
+def find(d, prefix=''):
+    if isinstance(d, dict):
+        for k, v in d.items():
+            path = f'{prefix}.{k}' if prefix else k
+            if isinstance(v, dict):
+                find(v, path)
+            elif isinstance(v, str) and v.lower() in ('yes', 'no'):
+                print(f'{path} {v.lower()}')
+find(yaml.safe_load(sys.stdin) or {})
+" <<< "$yaml_output") || continue
+
+    while IFS=' ' read -r key value; do
+      [[ -z "$key" ]] && continue
+      if [[ "$value" == "yes" ]]; then
+        echo "Replacing suricata.${key} yes -> true in $pillar_file"
+        so-yaml.py replace "$pillar_file" "suricata.${key}" true
+      else
+        echo "Replacing suricata.${key} no -> false in $pillar_file"
+        so-yaml.py replace "$pillar_file" "suricata.${key}" false
+      fi
+    done <<< "$keys_to_fix"
+  done
+  echo "Completed suricata yes/no conversion."
+}
+
+migrate_pcap_to_suricata() {
+  echo "Starting pillar pcap.enabled to suricata.pcap.enabled migration."
+  local MINIONDIR=/opt/so/saltstack/local/pillar/minions
+  local PCAPFILE=/opt/so/saltstack/local/pillar/pcap/soc_pcap.sls
+
+  for pillar_file in "$PCAPFILE" "$MINIONDIR"/*.sls; do
+    [[ -f "$pillar_file" ]] || continue
+    pcap_enabled=$(so-yaml.py get -r "$pillar_file" pcap.enabled 2>/dev/null) || continue
+    echo "Migrating pcap.enabled -> suricata.pcap.enabled in $pillar_file"
+    so-yaml.py add "$pillar_file" suricata.pcap.enabled "$pcap_enabled"
+    so-yaml.py remove "$pillar_file" pcap
+  done
+  echo "Completed pcap.enabled to suricata.pcap.enabled pillar migration."
+}
+
 up_to_3.0.0() {
   determine_elastic_agent_upgrade
   migrate_pcap_to_suricata
@@ -390,20 +451,19 @@ up_to_3.0.0() {
   INSTALLEDVERSION=3.0.0
 }
 
-migrate_pcap_to_suricata() {
-  local MINIONDIR=/opt/so/saltstack/local/pillar/minions
-  local PCAPFILE=/opt/so/saltstack/local/pillar/pcap/soc_pcap.sls
-
-  for pillar_file in "$PCAPFILE" "$MINIONDIR"/*.sls; do
-    [[ -f "$pillar_file" ]] || continue
-    pcap_enabled=$(so-yaml.py get -r "$pillar_file" pcap.enabled 2>/dev/null) || continue
-    so-yaml.py add "$pillar_file" suricata.pcap.enabled "$pcap_enabled"
-    so-yaml.py remove "$pillar_file" pcap
-  done
-}
-
 post_to_3.0.0() {
-  echo "Nothing to apply"
+  for idx in "logs-idh-so" "logs-redis.log-default"; do
+    rollover_index "$idx"
+  done
+
+  # Remove ILM for so-case and so-detection indices
+  for idx in "so-case" "so-casehistory" "so-detection" "so-detectionhistory"; do
+    so-elasticsearch-query $idx/_ilm/remove -XPOST
+  done
+
+  # convert yes/no in suricata pillars to true/false
+  convert_suricata_yes_no
+
   POSTVERSION=3.0.0
 }
 

salt/nginx/enabled.sls

@@ -6,7 +6,7 @@
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
 {%   from 'vars/globals.map.jinja' import GLOBALS %}
-{%   from 'docker/docker.map.jinja' import DOCKER %}
+{%   from 'docker/docker.map.jinja' import DOCKERMERGED %}
 {%   from 'nginx/map.jinja' import NGINXMERGED %}
 
 include:
@@ -37,11 +37,11 @@ so-nginx:
     - hostname: so-nginx
     - networks:
       - sobridge:
-        - ipv4_address: {{ DOCKER.containers[container_config].ip }}
+        - ipv4_address: {{ DOCKERMERGED.containers[container_config].ip }}
     - extra_hosts:
       - {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }}
-    {% if DOCKER.containers[container_config].extra_hosts %}
-      {% for XTRAHOST in DOCKER.containers[container_config].extra_hosts %}
+    {% if DOCKERMERGED.containers[container_config].extra_hosts %}
+      {% for XTRAHOST in DOCKERMERGED.containers[container_config].extra_hosts %}
       - {{ XTRAHOST }}
       {% endfor %}
     {% endif %}
@@ -64,20 +64,26 @@ so-nginx:
       - /opt/so/rules/nids/suri:/surirules:ro
       {%   endif %}
       {% endif %}
-      {% if DOCKER.containers[container_config].custom_bind_mounts %}
-        {% for BIND in DOCKER.containers[container_config].custom_bind_mounts %}
+      {% if DOCKERMERGED.containers[container_config].custom_bind_mounts %}
+        {% for BIND in DOCKERMERGED.containers[container_config].custom_bind_mounts %}
       - {{ BIND }}
         {% endfor %}
       {% endif %}
-    {% if DOCKER.containers[container_config].extra_env %}
+    {% if DOCKERMERGED.containers[container_config].extra_env %}
     - environment:
-      {% for XTRAENV in DOCKER.containers[container_config].extra_env %}
+      {% for XTRAENV in DOCKERMERGED.containers[container_config].extra_env %}
       - {{ XTRAENV }}
       {% endfor %}
     {% endif %}
+    {% if DOCKERMERGED.containers[container_config].ulimits %}
+    - ulimits:
+    {%   for ULIMIT in DOCKERMERGED.containers[container_config].ulimits %}
+      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
+    {%   endfor %}
+    {% endif %}
     - cap_add: NET_BIND_SERVICE
     - port_bindings:
-      {% for BINDING in DOCKER.containers[container_config].port_bindings %}
+      {% for BINDING in DOCKERMERGED.containers[container_config].port_bindings %}
       - {{ BINDING }}
       {% endfor %}
     - watch:

salt/nginx/etc/nginx.conf

@@ -1,5 +1,5 @@
 {%- from 'vars/globals.map.jinja' import GLOBALS %}
-{%- from 'docker/docker.map.jinja' import DOCKER %}
+{%- from 'docker/docker.map.jinja' import DOCKERMERGED %}
 {%- from 'nginx/map.jinja' import NGINXMERGED %}
 {%- set role = grains.id.split('_') | last %}
 {%- set influxpass = salt['pillar.get']('secrets:influx_pass') %}
@@ -387,7 +387,7 @@ http {
 		error_page 429 = @error429;
 
 		location @error401 {
-			if ($request_uri ~* (^/api/.*|^/connect/.*|^/oauth2/.*|^/.*\.map$)) {
+			if ($request_uri ~* (^/api/.*|^/connect/.*|^/oauth2/.*)) {
 				return    401;
 			}
 

salt/nginx/soc_nginx.yaml

@@ -1,6 +1,7 @@
 nginx:
-  enabled: 
+  enabled:
     description: Enables or disables the Nginx web server and reverse proxy. WARNING - Disabling this process will prevent access to SOC and other important web interfaces and APIs. Re-enabling the process is a manual effort. Do not change this setting without instruction from Security Onion support.
+    forcedType: bool
     advanced: True
     helpLink: nginx
   external_suricata:

salt/patch/soc_patch.yaml

@@ -2,6 +2,7 @@ patch:
   os:
     enabled:
       description: Enable OS updates. WARNING - Disabling this setting will prevent important operating system updates from being applied on a scheduled basis.
+      forcedType: bool
       helpLink: soup
     schedule_to_run: 
       description: Currently running schedule for updates.

salt/redis/enabled.sls

@@ -5,7 +5,7 @@
 
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
-{%   from 'docker/docker.map.jinja' import DOCKER %}
+{%   from 'docker/docker.map.jinja' import DOCKERMERGED %}
 {%   from 'vars/globals.map.jinja' import GLOBALS %}
 
 include:
@@ -21,9 +21,9 @@ so-redis:
     - user: socore
     - networks:
       - sobridge:
-        - ipv4_address: {{ DOCKER.containers['so-redis'].ip }}
+        - ipv4_address: {{ DOCKERMERGED.containers['so-redis'].ip }}
     - port_bindings:
-      {% for BINDING in DOCKER.containers['so-redis'].port_bindings %}
+      {% for BINDING in DOCKERMERGED.containers['so-redis'].port_bindings %}
       - {{ BINDING }}
       {% endfor %}
     - binds:
@@ -34,23 +34,29 @@ so-redis:
       - /etc/pki/redis.crt:/certs/redis.crt:ro
       - /etc/pki/redis.key:/certs/redis.key:ro
       - /etc/pki/tls/certs/intca.crt:/certs/ca.crt:ro
-      {% if DOCKER.containers['so-redis'].custom_bind_mounts %}
-        {% for BIND in DOCKER.containers['so-redis'].custom_bind_mounts %}
+      {% if DOCKERMERGED.containers['so-redis'].custom_bind_mounts %}
+        {% for BIND in DOCKERMERGED.containers['so-redis'].custom_bind_mounts %}
       - {{ BIND }}
         {% endfor %}
       {% endif %}
-    {% if DOCKER.containers['so-redis'].extra_hosts %}
+    {% if DOCKERMERGED.containers['so-redis'].extra_hosts %}
     - extra_hosts:
-      {% for XTRAHOST in DOCKER.containers['so-redis'].extra_hosts %}
+      {% for XTRAHOST in DOCKERMERGED.containers['so-redis'].extra_hosts %}
       - {{ XTRAHOST }}
       {% endfor %}
     {% endif %}
-    {% if DOCKER.containers['so-redis'].extra_env %}
+    {% if DOCKERMERGED.containers['so-redis'].extra_env %}
     - environment:
-      {% for XTRAENV in DOCKER.containers['so-redis'].extra_env %}
+      {% for XTRAENV in DOCKERMERGED.containers['so-redis'].extra_env %}
       - {{ XTRAENV }}
       {% endfor %}
     {% endif %}
+    {% if DOCKERMERGED.containers['so-redis'].ulimits %}
+    - ulimits:
+    {%   for ULIMIT in DOCKERMERGED.containers['so-redis'].ulimits %}
+      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
+    {%   endfor %}
+    {% endif %}
     - entrypoint: "redis-server /usr/local/etc/redis/redis.conf"
     - watch:
       - file: trusttheca

salt/redis/soc_redis.yaml

@@ -1,6 +1,7 @@
 redis:
-  enabled: 
+  enabled:
     description: Enables the log event in-memory buffering process. This process might already be disabled on some installation types. Disabling this process on distributed-capable grids can result in loss of log events.
+    forcedType: bool
     helpLink: redis
   config:
     bind:

salt/registry/enabled.sls

@@ -6,7 +6,7 @@
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
 {%   from 'vars/globals.map.jinja' import GLOBALS %}
-{%   from 'docker/docker.map.jinja' import DOCKER %}
+{%   from 'docker/docker.map.jinja' import DOCKERMERGED %}
 
 include:
   - registry.ssl
@@ -20,10 +20,10 @@ so-dockerregistry:
     - hostname: so-registry
     - networks:
       - sobridge:
-        - ipv4_address: {{ DOCKER.containers['so-dockerregistry'].ip }}
+        - ipv4_address: {{ DOCKERMERGED.containers['so-dockerregistry'].ip }}
     - restart_policy: always
     - port_bindings:
-      {% for BINDING in DOCKER.containers['so-dockerregistry'].port_bindings %}
+      {% for BINDING in DOCKERMERGED.containers['so-dockerregistry'].port_bindings %}
       - {{ BINDING }}
       {% endfor %}
     - binds:
@@ -32,25 +32,31 @@ so-dockerregistry:
       - /nsm/docker-registry/docker:/var/lib/registry/docker:rw
       - /etc/pki/registry.crt:/etc/pki/registry.crt:ro
       - /etc/pki/registry.key:/etc/pki/registry.key:ro
-      {% if DOCKER.containers['so-dockerregistry'].custom_bind_mounts %}
-        {% for BIND in DOCKER.containers['so-dockerregistry'].custom_bind_mounts %}
+      {% if DOCKERMERGED.containers['so-dockerregistry'].custom_bind_mounts %}
+        {% for BIND in DOCKERMERGED.containers['so-dockerregistry'].custom_bind_mounts %}
       - {{ BIND }}
         {% endfor %}
       {% endif %}
-    {% if DOCKER.containers['so-dockerregistry'].extra_hosts %}
+    {% if DOCKERMERGED.containers['so-dockerregistry'].extra_hosts %}
     - extra_hosts:
-      {% for XTRAHOST in DOCKER.containers['so-dockerregistry'].extra_hosts %}
+      {% for XTRAHOST in DOCKERMERGED.containers['so-dockerregistry'].extra_hosts %}
       - {{ XTRAHOST }}
       {% endfor %}
     {% endif %}
     - client_timeout: 180
     - environment:
       - HOME=/root
-      {% if DOCKER.containers['so-dockerregistry'].extra_env %}
-        {% for XTRAENV in DOCKER.containers['so-dockerregistry'].extra_env %}
+      {% if DOCKERMERGED.containers['so-dockerregistry'].extra_env %}
+        {% for XTRAENV in DOCKERMERGED.containers['so-dockerregistry'].extra_env %}
       - {{ XTRAENV }}
         {% endfor %}
       {% endif %}
+    {% if DOCKERMERGED.containers['so-dockerregistry'].ulimits %}
+    - ulimits:
+    {%   for ULIMIT in DOCKERMERGED.containers['so-dockerregistry'].ulimits %}
+      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
+    {%   endfor %}
+    {% endif %}
     - retry:
         attempts: 5
         interval: 30

salt/registry/soc_registry.yaml

@@ -1,4 +1,5 @@
 registry:
   enabled:
     description: Enables or disables the Docker registry on the manager node. WARNING - If this process is disabled the grid will malfunction and a manual effort may be needed to re-enable the setting.
+    forcedType: bool
     advanced: True

salt/sensoroni/enabled.sls

@@ -4,7 +4,7 @@
 # Elastic License 2.0.
 
 {% from 'vars/globals.map.jinja' import GLOBALS %}
-{% from 'docker/docker.map.jinja' import DOCKER %}
+{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
 
 
 include:
@@ -23,23 +23,29 @@ so-sensoroni:
       - /opt/so/conf/sensoroni/templates:/opt/sensoroni/templates:ro
       - /opt/so/log/sensoroni:/opt/sensoroni/logs:rw
       - /nsm/suripcap/:/nsm/suripcap:rw
-      {% if DOCKER.containers['so-sensoroni'].custom_bind_mounts %}
-        {% for BIND in DOCKER.containers['so-sensoroni'].custom_bind_mounts %}
+      {% if DOCKERMERGED.containers['so-sensoroni'].custom_bind_mounts %}
+        {% for BIND in DOCKERMERGED.containers['so-sensoroni'].custom_bind_mounts %}
       - {{ BIND }}
         {% endfor %}
       {% endif %}
-    {% if DOCKER.containers['so-sensoroni'].extra_hosts %}
+    {% if DOCKERMERGED.containers['so-sensoroni'].extra_hosts %}
     - extra_hosts:
-      {% for XTRAHOST in DOCKER.containers['so-sensoroni'].extra_hosts %}
+      {% for XTRAHOST in DOCKERMERGED.containers['so-sensoroni'].extra_hosts %}
       - {{ XTRAHOST }}
       {% endfor %}
     {% endif %}
-    {% if DOCKER.containers['so-sensoroni'].extra_env %}
+    {% if DOCKERMERGED.containers['so-sensoroni'].extra_env %}
     - environment:
-      {% for XTRAENV in DOCKER.containers['so-sensoroni'].extra_env %}
+      {% for XTRAENV in DOCKERMERGED.containers['so-sensoroni'].extra_env %}
       - {{ XTRAENV }}
       {% endfor %}
     {% endif %}
+    {% if DOCKERMERGED.containers['so-sensoroni'].ulimits %}
+    - ulimits:
+    {%   for ULIMIT in DOCKERMERGED.containers['so-sensoroni'].ulimits %}
+      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
+    {%   endfor %}
+    {% endif %}
     - watch:
       - file: /opt/so/conf/sensoroni/sensoroni.json
     - require:

salt/sensoroni/soc_sensoroni.yaml

@@ -1,12 +1,14 @@
 sensoroni:
   enabled:
     description: Enable or disable the per-node SOC agent process. This process is used for performing node-related jobs and reporting node metrics back to SOC. Disabling this process is unsupported and will result in an improperly functioning grid.
+    forcedType: bool
     advanced: True
     helpLink: grid
   config:
     analyze:
       enabled:
         description: Enable or disable the analyzer.
+        forcedType: bool
         advanced: True
         helpLink: cases
       timeout_ms:

salt/soc/defaults.map.jinja

@@ -5,7 +5,7 @@
 
 {% import_yaml 'soc/defaults.yaml' as SOCDEFAULTS %}
 {% from 'vars/globals.map.jinja' import GLOBALS %}
-{% from 'docker/docker.map.jinja' import DOCKER -%}
+{% from 'docker/docker.map.jinja' import DOCKERMERGED -%}
 {% set INFLUXDB_TOKEN = salt['pillar.get']('influxdb:token') %}
 {% import_text 'influxdb/metrics_link.txt' as METRICS_LINK %}
 
@@ -32,7 +32,7 @@
 {%   endif %}
 {% endfor %}
 
-{% do SOCDEFAULTS.soc.config.server.modules.statickeyauth.update({'anonymousCidr': DOCKER.range, 'apiKey': pillar.sensoroni.config.sensoronikey}) %}
+{% do SOCDEFAULTS.soc.config.server.modules.statickeyauth.update({'anonymousCidr': DOCKERMERGED.range, 'apiKey': pillar.sensoroni.config.sensoronikey}) %}
 
 {% do SOCDEFAULTS.soc.config.server.client.case.update({'analyzerNodeId': GLOBALS.hostname}) %}
 {% do SOCDEFAULTS.soc.config.server.client.update({'exportNodeId': GLOBALS.hostname}) %}

salt/soc/defaults.yaml

@@ -584,6 +584,18 @@ soc:
         - destination.port
         - event.action
         - tunnel.type
+      '::websocket':
+        - soc_timestamp
+        - event.dataset
+        - source.ip
+        - source.port
+        - destination.ip
+        - destination.port
+        - websocket.host
+        - websocket.uri
+        - websocket.user_agent
+        - log.id.uid
+        - network.community_id
       '::weird':
         - soc_timestamp
         - event.dataset

salt/soc/enabled.sls

@@ -6,7 +6,7 @@
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
 {%   from 'vars/globals.map.jinja' import GLOBALS %}
-{%   from 'docker/docker.map.jinja' import DOCKER %}
+{%   from 'docker/docker.map.jinja' import DOCKERMERGED %}
 {%   from 'soc/merged.map.jinja' import DOCKER_EXTRA_HOSTS %}
 {%   from 'soc/merged.map.jinja' import SOCMERGED %}
 
@@ -22,7 +22,7 @@ so-soc:
     - name: so-soc
     - networks:
       - sobridge:
-        - ipv4_address: {{ DOCKER.containers['so-soc'].ip }}
+        - ipv4_address: {{ DOCKERMERGED.containers['so-soc'].ip }}
     - binds:
       - /nsm/rules:/nsm/rules:rw
       - /opt/so/conf/strelka:/opt/sensoroni/yara:rw
@@ -63,21 +63,27 @@ so-soc:
       - {{hostname}}:{{ip}}
     {%   endfor %}
     {% endfor %}
-    {% if DOCKER.containers['so-soc'].extra_hosts %}
-    {%   for XTRAHOST in DOCKER.containers['so-soc'].extra_hosts %}
+    {% if DOCKERMERGED.containers['so-soc'].extra_hosts %}
+    {%   for XTRAHOST in DOCKERMERGED.containers['so-soc'].extra_hosts %}
       - {{ XTRAHOST }}
     {%   endfor %}
     {% endif %}
     - port_bindings:
-    {% for BINDING in DOCKER.containers['so-soc'].port_bindings %}
+    {% for BINDING in DOCKERMERGED.containers['so-soc'].port_bindings %}
       - {{ BINDING }}
     {% endfor %}
-    {% if DOCKER.containers['so-soc'].extra_env %}
+    {% if DOCKERMERGED.containers['so-soc'].extra_env %}
     - environment:
-    {%   for XTRAENV in DOCKER.containers['so-soc'].extra_env %}
+    {%   for XTRAENV in DOCKERMERGED.containers['so-soc'].extra_env %}
       - {{ XTRAENV }}
     {%   endfor %}
     {% endif %}
+    {% if DOCKERMERGED.containers['so-soc'].ulimits %}
+    - ulimits:
+    {%   for ULIMIT in DOCKERMERGED.containers['so-soc'].ulimits %}
+      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
+    {%   endfor %}
+    {% endif %}
     - watch:
       - file: trusttheca
       - file: /opt/so/conf/soc/*

salt/soc/soc_soc.yaml

@@ -1,6 +1,7 @@
 soc:
   enabled:
     description: Enables or disables SOC. WARNING - Disabling this setting is unsupported and will cause the grid to malfunction. Re-enabling this setting is a manual effort via SSH.
+    forcedType: bool
     advanced: True
   telemetryEnabled:
     title: SOC Telemetry

salt/strelka/backend/enabled.sls

@@ -5,7 +5,7 @@
 
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
-{%   from 'docker/docker.map.jinja' import DOCKER %}
+{%   from 'docker/docker.map.jinja' import DOCKERMERGED %}
 {%   from 'vars/globals.map.jinja' import GLOBALS %}
 
 include:
@@ -18,29 +18,35 @@ strelka_backend:
     - binds:
       - /opt/so/conf/strelka/backend/:/etc/strelka/:ro
       - /opt/so/conf/strelka/rules/compiled/:/etc/yara/:ro
-      {% if DOCKER.containers['so-strelka-backend'].custom_bind_mounts %}
-        {% for BIND in DOCKER.containers['so-strelka-backend'].custom_bind_mounts %}
+      {% if DOCKERMERGED.containers['so-strelka-backend'].custom_bind_mounts %}
+        {% for BIND in DOCKERMERGED.containers['so-strelka-backend'].custom_bind_mounts %}
       - {{ BIND }}
         {% endfor %}
       {% endif %}
     - name: so-strelka-backend
     - networks:
       - sobridge:
-        - ipv4_address: {{ DOCKER.containers['so-strelka-backend'].ip }}
+        - ipv4_address: {{ DOCKERMERGED.containers['so-strelka-backend'].ip }}
     - command: strelka-backend
     - extra_hosts:
       - {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
-      {% if DOCKER.containers['so-strelka-backend'].extra_hosts %}
-        {% for XTRAHOST in DOCKER.containers['so-strelka-backend'].extra_hosts %}
+      {% if DOCKERMERGED.containers['so-strelka-backend'].extra_hosts %}
+        {% for XTRAHOST in DOCKERMERGED.containers['so-strelka-backend'].extra_hosts %}
       - {{ XTRAHOST }}
         {% endfor %}
       {% endif %}
-    {% if DOCKER.containers['so-strelka-backend'].extra_env %}
+    {% if DOCKERMERGED.containers['so-strelka-backend'].extra_env %}
     - environment:
-      {% for XTRAENV in DOCKER.containers['so-strelka-backend'].extra_env %}
+      {% for XTRAENV in DOCKERMERGED.containers['so-strelka-backend'].extra_env %}
       - {{ XTRAENV }}
       {% endfor %}
     {% endif %}
+    {% if DOCKERMERGED.containers['so-strelka-backend'].ulimits %}
+    - ulimits:
+    {%   for ULIMIT in DOCKERMERGED.containers['so-strelka-backend'].ulimits %}
+      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
+    {%   endfor %}
+    {% endif %}
     - restart_policy: on-failure
     - watch:
       - file: strelkasensorcompiledrules

salt/strelka/coordinator/enabled.sls

@@ -5,7 +5,7 @@
 
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
-{%   from 'docker/docker.map.jinja' import DOCKER %}
+{%   from 'docker/docker.map.jinja' import DOCKERMERGED %}
 {%   from 'vars/globals.map.jinja' import GLOBALS %}
 
 include:
@@ -18,32 +18,38 @@ strelka_coordinator:
     - name: so-strelka-coordinator
     - networks:
       - sobridge:
-        - ipv4_address: {{ DOCKER.containers['so-strelka-coordinator'].ip }}
+        - ipv4_address: {{ DOCKERMERGED.containers['so-strelka-coordinator'].ip }}
     - entrypoint: redis-server --save "" --appendonly no
     - extra_hosts:
       - {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
-      {% if DOCKER.containers['so-strelka-coordinator'].extra_hosts %}
-        {% for XTRAHOST in DOCKER.containers['so-strelka-coordinator'].extra_hosts %}
+      {% if DOCKERMERGED.containers['so-strelka-coordinator'].extra_hosts %}
+        {% for XTRAHOST in DOCKERMERGED.containers['so-strelka-coordinator'].extra_hosts %}
       - {{ XTRAHOST }}
         {% endfor %}
       {% endif %}
     - port_bindings:
-      {% for BINDING in DOCKER.containers['so-strelka-coordinator'].port_bindings %}
+      {% for BINDING in DOCKERMERGED.containers['so-strelka-coordinator'].port_bindings %}
       - {{ BINDING }}
       {% endfor %}
-  {% if DOCKER.containers['so-strelka-coordinator'].extra_env %}
+  {% if DOCKERMERGED.containers['so-strelka-coordinator'].extra_env %}
     - environment:
-      {% for XTRAENV in DOCKER.containers['so-strelka-coordinator'].extra_env %}
+      {% for XTRAENV in DOCKERMERGED.containers['so-strelka-coordinator'].extra_env %}
       - {{ XTRAENV }}
       {% endfor %}
     {% endif %}
     - binds:
       - /nsm/strelka/coord-redis-data:/data:rw
-      {% if DOCKER.containers['so-strelka-coordinator'].custom_bind_mounts %}
-        {% for BIND in DOCKER.containers['so-strelka-coordinator'].custom_bind_mounts %}
+      {% if DOCKERMERGED.containers['so-strelka-coordinator'].custom_bind_mounts %}
+        {% for BIND in DOCKERMERGED.containers['so-strelka-coordinator'].custom_bind_mounts %}
       - {{ BIND }}
         {% endfor %}
       {% endif %}
+    {% if DOCKERMERGED.containers['so-strelka-coordinator'].ulimits %}
+    - ulimits:
+    {%   for ULIMIT in DOCKERMERGED.containers['so-strelka-coordinator'].ulimits %}
+      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
+    {%   endfor %}
+    {% endif %}
 delete_so-strelka-coordinator_so-status.disabled:
   file.uncomment:
     - name: /opt/so/conf/so-status/so-status.conf

salt/strelka/filestream/enabled.sls

@@ -5,7 +5,7 @@
 
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
-{%   from 'docker/docker.map.jinja' import DOCKER %}
+{%   from 'docker/docker.map.jinja' import DOCKERMERGED %}
 {%   from 'vars/globals.map.jinja' import GLOBALS %}
 
 include:
@@ -18,29 +18,35 @@ strelka_filestream:
     - binds:
       - /opt/so/conf/strelka/filestream/:/etc/strelka/:ro
       - /nsm/strelka:/nsm/strelka
-      {% if DOCKER.containers['so-strelka-filestream'].custom_bind_mounts %}
-        {% for BIND in DOCKER.containers['so-strelka-filestream'].custom_bind_mounts %}
+      {% if DOCKERMERGED.containers['so-strelka-filestream'].custom_bind_mounts %}
+        {% for BIND in DOCKERMERGED.containers['so-strelka-filestream'].custom_bind_mounts %}
       - {{ BIND }}
         {% endfor %}
       {% endif %}
     - name: so-strelka-filestream
     - networks:
       - sobridge:
-        - ipv4_address: {{ DOCKER.containers['so-strelka-filestream'].ip }}
+        - ipv4_address: {{ DOCKERMERGED.containers['so-strelka-filestream'].ip }}
     - command: strelka-filestream
     - extra_hosts:
       - {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
-      {% if DOCKER.containers['so-strelka-filestream'].extra_hosts %}
-        {% for XTRAHOST in DOCKER.containers['so-strelka-filestream'].extra_hosts %}
+      {% if DOCKERMERGED.containers['so-strelka-filestream'].extra_hosts %}
+        {% for XTRAHOST in DOCKERMERGED.containers['so-strelka-filestream'].extra_hosts %}
       - {{ XTRAHOST }}
         {% endfor %}
       {% endif %}
-    {% if DOCKER.containers['so-strelka-filestream'].extra_env %}
+    {% if DOCKERMERGED.containers['so-strelka-filestream'].extra_env %}
     - environment:
-      {% for XTRAENV in DOCKER.containers['so-strelka-filestream'].extra_env %}
+      {% for XTRAENV in DOCKERMERGED.containers['so-strelka-filestream'].extra_env %}
       - {{ XTRAENV }}
       {% endfor %}
     {% endif %}
+    {% if DOCKERMERGED.containers['so-strelka-filestream'].ulimits %}
+    - ulimits:
+    {%   for ULIMIT in DOCKERMERGED.containers['so-strelka-filestream'].ulimits %}
+      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
+    {%   endfor %}
+    {% endif %}
     - watch:
       - file: filestream_config
 

salt/strelka/frontend/enabled.sls

@@ -5,7 +5,7 @@
 
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
-{%   from 'docker/docker.map.jinja' import DOCKER %}
+{%   from 'docker/docker.map.jinja' import DOCKERMERGED %}
 {%   from 'vars/globals.map.jinja' import GLOBALS %}
 
 include:
@@ -18,8 +18,8 @@ strelka_frontend:
     - binds:
       - /opt/so/conf/strelka/frontend/:/etc/strelka/:ro
       - /nsm/strelka/log/:/var/log/strelka/:rw
-      {% if DOCKER.containers['so-strelka-frontend'].custom_bind_mounts %}
-        {% for BIND in DOCKER.containers['so-strelka-frontend'].custom_bind_mounts %}
+      {% if DOCKERMERGED.containers['so-strelka-frontend'].custom_bind_mounts %}
+        {% for BIND in DOCKERMERGED.containers['so-strelka-frontend'].custom_bind_mounts %}
       - {{ BIND }}
         {% endfor %}
       {% endif %}
@@ -27,25 +27,31 @@ strelka_frontend:
     - name: so-strelka-frontend
     - networks:
       - sobridge:
-        - ipv4_address: {{ DOCKER.containers['so-strelka-frontend'].ip }}
+        - ipv4_address: {{ DOCKERMERGED.containers['so-strelka-frontend'].ip }}
     - command: strelka-frontend
     - extra_hosts:
       - {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
-      {% if DOCKER.containers['so-strelka-frontend'].extra_hosts %}
-        {% for XTRAHOST in DOCKER.containers['so-strelka-frontend'].extra_hosts %}
+      {% if DOCKERMERGED.containers['so-strelka-frontend'].extra_hosts %}
+        {% for XTRAHOST in DOCKERMERGED.containers['so-strelka-frontend'].extra_hosts %}
       - {{ XTRAHOST }}
         {% endfor %}
       {% endif %}
     - port_bindings:
-      {% for BINDING in DOCKER.containers['so-strelka-frontend'].port_bindings %}
+      {% for BINDING in DOCKERMERGED.containers['so-strelka-frontend'].port_bindings %}
       - {{ BINDING }}
       {% endfor %}
-    {% if DOCKER.containers['so-strelka-frontend'].extra_env %}
+    {% if DOCKERMERGED.containers['so-strelka-frontend'].extra_env %}
     - environment:
-      {% for XTRAENV in DOCKER.containers['so-strelka-frontend'].extra_env %}
+      {% for XTRAENV in DOCKERMERGED.containers['so-strelka-frontend'].extra_env %}
       - {{ XTRAENV }}
       {% endfor %}
     {% endif %}
+    {% if DOCKERMERGED.containers['so-strelka-frontend'].ulimits %}
+    - ulimits:
+    {%   for ULIMIT in DOCKERMERGED.containers['so-strelka-frontend'].ulimits %}
+      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
+    {%   endfor %}
+    {% endif %}
     - watch:
       - file: frontend_config
 

salt/strelka/gatekeeper/enabled.sls

@@ -5,7 +5,7 @@
 
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
-{%   from 'docker/docker.map.jinja' import DOCKER %}
+{%   from 'docker/docker.map.jinja' import DOCKERMERGED %}
 {%   from 'vars/globals.map.jinja' import GLOBALS %}
 
 include:
@@ -18,32 +18,38 @@ strelka_gatekeeper:
     - name: so-strelka-gatekeeper
     - networks:
       - sobridge:
-        - ipv4_address: {{ DOCKER.containers['so-strelka-gatekeeper'].ip }}
+        - ipv4_address: {{ DOCKERMERGED.containers['so-strelka-gatekeeper'].ip }}
     - entrypoint: redis-server --save "" --appendonly no --maxmemory-policy allkeys-lru
     - extra_hosts:
       - {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
-      {% if DOCKER.containers['so-strelka-gatekeeper'].extra_hosts %}
-        {% for XTRAHOST in DOCKER.containers['so-strelka-gatekeeper'].extra_hosts %}
+      {% if DOCKERMERGED.containers['so-strelka-gatekeeper'].extra_hosts %}
+        {% for XTRAHOST in DOCKERMERGED.containers['so-strelka-gatekeeper'].extra_hosts %}
       - {{ XTRAHOST }}
         {% endfor %}
       {% endif %}
     - port_bindings:
-      {% for BINDING in DOCKER.containers['so-strelka-gatekeeper'].port_bindings %}
+      {% for BINDING in DOCKERMERGED.containers['so-strelka-gatekeeper'].port_bindings %}
       - {{ BINDING }}
       {% endfor %}
     - binds:
       - /nsm/strelka/gk-redis-data:/data:rw
-      {% if DOCKER.containers['so-strelka-gatekeeper'].custom_bind_mounts %}
-        {% for BIND in DOCKER.containers['so-strelka-gatekeeper'].custom_bind_mounts %}
+      {% if DOCKERMERGED.containers['so-strelka-gatekeeper'].custom_bind_mounts %}
+        {% for BIND in DOCKERMERGED.containers['so-strelka-gatekeeper'].custom_bind_mounts %}
       - {{ BIND }}
         {% endfor %}
       {% endif %}
-    {% if DOCKER.containers['so-strelka-gatekeeper'].extra_env %}
+    {% if DOCKERMERGED.containers['so-strelka-gatekeeper'].extra_env %}
     - environment:
-      {% for XTRAENV in DOCKER.containers['so-strelka-gatekeeper'].extra_env %}
+      {% for XTRAENV in DOCKERMERGED.containers['so-strelka-gatekeeper'].extra_env %}
       - {{ XTRAENV }}
       {% endfor %}
-    {% endif %}   
+    {% endif %}
+    {% if DOCKERMERGED.containers['so-strelka-gatekeeper'].ulimits %}
+    - ulimits:
+    {%   for ULIMIT in DOCKERMERGED.containers['so-strelka-gatekeeper'].ulimits %}
+      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
+    {%   endfor %}
+    {% endif %}
 
 delete_so-strelka-gatekeeper_so-status.disabled:
   file.uncomment:

salt/strelka/manager/enabled.sls

@@ -5,7 +5,7 @@
 
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
-{%   from 'docker/docker.map.jinja' import DOCKER %}
+{%   from 'docker/docker.map.jinja' import DOCKERMERGED %}
 {%   from 'vars/globals.map.jinja' import GLOBALS %}
 
 include:
@@ -17,29 +17,35 @@ strelka_manager:
     - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-strelka-manager:{{ GLOBALS.so_version }}
     - binds:
       - /opt/so/conf/strelka/manager/:/etc/strelka/:ro
-      {% if DOCKER.containers['so-strelka-manager'].custom_bind_mounts %}
-        {% for BIND in DOCKER.containers['so-strelka-manager'].custom_bind_mounts %}
+      {% if DOCKERMERGED.containers['so-strelka-manager'].custom_bind_mounts %}
+        {% for BIND in DOCKERMERGED.containers['so-strelka-manager'].custom_bind_mounts %}
       - {{ BIND }}
         {% endfor %}
       {% endif %}
     - name: so-strelka-manager
     - networks:
       - sobridge:
-        - ipv4_address: {{ DOCKER.containers['so-strelka-manager'].ip }}
+        - ipv4_address: {{ DOCKERMERGED.containers['so-strelka-manager'].ip }}
     - command: strelka-manager
     - extra_hosts:
       - {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
-      {% if DOCKER.containers['so-strelka-manager'].extra_hosts %}
-        {% for XTRAHOST in DOCKER.containers['so-strelka-manager'].extra_hosts %}
+      {% if DOCKERMERGED.containers['so-strelka-manager'].extra_hosts %}
+        {% for XTRAHOST in DOCKERMERGED.containers['so-strelka-manager'].extra_hosts %}
       - {{ XTRAHOST }}
         {% endfor %}
       {% endif %}
-   {% if DOCKER.containers['so-strelka-manager'].extra_env %}
+   {% if DOCKERMERGED.containers['so-strelka-manager'].extra_env %}
     - environment:
-      {% for XTRAENV in DOCKER.containers['so-strelka-manager'].extra_env %}
+      {% for XTRAENV in DOCKERMERGED.containers['so-strelka-manager'].extra_env %}
       - {{ XTRAENV }}
       {% endfor %}
     {% endif %}
+    {% if DOCKERMERGED.containers['so-strelka-manager'].ulimits %}
+    - ulimits:
+    {%   for ULIMIT in DOCKERMERGED.containers['so-strelka-manager'].ulimits %}
+      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
+    {%   endfor %}
+    {% endif %}
     - watch:
       - file: manager_config
 

salt/strelka/soc_strelka.yaml

@@ -1,7 +1,8 @@
 strelka:
   backend:
-    enabled: 
+    enabled:
       description: Enables or disables the Strelka file analysis process.
+      forcedType: bool
       helpLink: strelka
     config:
       backend:
@@ -420,8 +421,9 @@ strelka:
         helpLink: strelka
         multiline: True
   filestream:
-    enabled: 
+    enabled:
       description: You can enable or disable Strelka filestream.
+      forcedType: bool
       helpLink: strelka
     config:
       conn:
@@ -478,12 +480,14 @@ strelka:
           advanced: True
         delete:
           description: Boolean that determines if files should be deleted after being sent for scanning.
+          forcedType: bool
           readonly: False
           global: False
           helpLink: strelka
           advanced: True
         gatekeeper:
           description: Boolean that determines if events should be pulled from the temporary event cache.
+          forcedType: bool
           readonly: False
           global: False
           helpLink: strelka
@@ -514,8 +518,9 @@ strelka:
         helpLink: strelka
         advanced: True
   frontend:
-    enabled: 
+    enabled:
       description: You can enable or disable Strelka frontend.
+      forcedType: bool
       helpLink: strelka
     config:
       server:
@@ -564,8 +569,9 @@ strelka:
           helpLink: strelka
           advanced: True
   manager:
-    enabled: 
+    enabled:
       description: You can enable or disable Strelka manager.
+      forcedType: bool
       helpLink: strelka
     config:
       coordinator:
@@ -582,16 +588,19 @@ strelka:
           helpLink: strelka
           advanced: True
   coordinator:
-    enabled: 
+    enabled:
       description: You can enable or disable Strelka coordinator.
+      forcedType: bool
       helpLink: strelka
   gatekeeper:
-    enabled: 
+    enabled:
       description: You can enable or disable Strelka gatekeeper.
+      forcedType: bool
       helpLink: strelka
   rules:
     enabled:
       description: Boolean that determines if yara rules sync from the Salt manager to the backend nodes.
+      forcedType: bool
       readonly: False
       global: False
       helpLink: strelka

salt/suricata/defaults.yaml

@@ -1,20 +1,20 @@
 suricata:
   enabled: False
   pcap:
-    enabled: "no"
+    enabled: false
     filesize: 1000mb
     maxsize: 25
     compression: "none"
-    lz4-checksum: "no"
+    lz4-checksum: false
     lz4-level: 8
     filename: "%n/so-pcap.%t"
     mode: "multi"
-    use-stream-depth: "no"
+    use-stream-depth: false
     conditional: "all"
     dir: "/nsm/suripcap"
   config:
     threading:
-      set-cpu-affinity: "no"
+      set-cpu-affinity: false
       cpu-affinity:
         management-cpu-set:
           cpu:
@@ -29,17 +29,17 @@ suricata:
       interface: bond0
       cluster-id: 59
       cluster-type: cluster_flow
-      defrag: "yes"
-      use-mmap: "yes"
-      mmap-locked: "no"
+      defrag: true
+      use-mmap: true
+      mmap-locked: false
       threads: 1
-      tpacket-v3: "yes"
+      tpacket-v3: true
       ring-size: 5000
       block-size: 69632
       block-timeout: 10
-      use-emergency-flush: "yes"
+      use-emergency-flush: true
       buffer-size: 32768
-      disable-promisc: "no"
+      disable-promisc: false
       checksum-checks: kernel
     vars:
       address-groups:
@@ -105,15 +105,15 @@ suricata:
           - 6081
     default-log-dir: /var/log/suricata/
     stats:
-      enabled: "yes"
+      enabled: true
       interval: 30
     outputs:
       fast:
-        enabled: "no"
+        enabled: false
         filename: fast.log
-        append: "yes"
+        append: true
       eve-log:
-        enabled: "yes"
+        enabled: true
         filetype: regular
         filename: /nsm/eve-%Y-%m-%d-%H:%M.json
         rotate-interval: hour
@@ -122,104 +122,104 @@ suricata:
         community-id-seed: 0
         types:
           alert:
-            payload: "no"
+            payload: false
             payload-buffer-size: 4kb
-            payload-printable: "yes"
-            packet: "yes"
+            payload-printable: true
+            packet: true
             metadata:
               app-layer: false
               flow: false
               rule:
                 metadata: true
                 raw: true
-            tagged-packets: "no"
+            tagged-packets: false
             xff:
-              enabled: "no"
+              enabled: false
               mode: extra-data
               deployment: reverse
               header: X-Forwarded-For
       unified2-alert:
-        enabled: "no"
+        enabled: false
       tls-store:
-        enabled: "no"
+        enabled: false
       alert-debug:
-        enabled: "no"
+        enabled: false
       alert-prelude:
-        enabled: "no"
+        enabled: false
       stats:
-        enabled: "yes"
+        enabled: true
         filename: stats.log
-        append: "yes"
-        totals: "yes"
-        threads: "no"
-        null-values: "yes"
+        append: true
+        totals: true
+        threads: false
+        null-values: true
       drop:
-        enabled: "no"
+        enabled: false
       file-store:
         version: 2
-        enabled: "no"
+        enabled: false
         xff:
-          enabled: "no"
+          enabled: false
           mode: extra-data
           deployment: reverse
           header: X-Forwarded-For
       tcp-data:
-        enabled: "no"
+        enabled: false
         type: file
         filename: tcp-data.log
       http-body-data:
-          enabled: "no"
+          enabled: false
           type: file
           filename: http-data.log
       lua:
-        enabled: "no"
+        enabled: false
         scripts:
     logging:
       default-log-level: notice
       outputs:
       - console:
-          enabled: "yes"
+          enabled: true
       - file:
-          enabled: "yes"
+          enabled: true
           level: info
           filename: suricata.log
       - syslog:
-          enabled: "no"
+          enabled: false
           facility: local5
           format: "[%i] <%d> -- "
     app-layer:
       protocols:
         krb5:
-          enabled: "yes"
+          enabled: true
         snmp:
-          enabled: "yes"
+          enabled: true
         ikev2:
-          enabled: "yes"
+          enabled: true
         tls:
-          enabled: "yes"
+          enabled: true
           detection-ports:
             dp: 443
           ja3-fingerprints: auto
           ja4-fingerprints: auto
           encryption-handling: track-only
         dcerpc:
-          enabled: "yes"
+          enabled: true
         ftp:
-          enabled: "yes"
+          enabled: true
         rdp:
-          enabled: "yes"
+          enabled: true
         ssh:
-          enabled: "yes"
+          enabled: true
         smtp:
-          enabled: "yes"
-          raw-extraction: "no"
+          enabled: true
+          raw-extraction: false
           mime:
-            decode-mime: "yes"
-            decode-base64: "yes"
-            decode-quoted-printable: "yes"
+            decode-mime: true
+            decode-base64: true
+            decode-quoted-printable: true
             header-value-depth: 2000
-            extract-urls: "yes"
-            body-md5: "no"
+            extract-urls: true
+            body-md5: false
           inspected-tracker:
             content-limit: 100000
             content-inspect-min-size: 32768
@@ -227,27 +227,27 @@ suricata:
         imap:
           enabled: detection-only
         smb:
-          enabled: "yes"
+          enabled: true
           detection-ports:
             dp: 139, 445
         nfs:
-          enabled: "yes"
+          enabled: true
         tftp:
-          enabled: "yes"
+          enabled: true
         dns:
           global-memcap: 16mb
           state-memcap: 512kb
           request-flood: 500
           tcp:
-            enabled: "yes"
+            enabled: true
             detection-ports:
               dp: 53
           udp:
-            enabled: "yes"
+            enabled: true
             detection-ports:
               dp: 53
         http:
-          enabled: "yes"
+          enabled: true
           libhtp:
              default-config:
                personality: IDS
@@ -260,43 +260,43 @@ suricata:
                response-body-decompress-layer-limit: 2
                http-body-inline: auto
                swf-decompression:
-                 enabled: "no"
+                 enabled: false
                  type: both
                  compress-depth: 100 KiB
                  decompress-depth: 100 KiB
-               randomize-inspection-sizes: "yes"
+               randomize-inspection-sizes: true
                randomize-inspection-range: 10
-               double-decode-path: "no"
-               double-decode-query: "no"
+               double-decode-path: false
+               double-decode-query: false
              server-config:
         modbus:
-          enabled: "yes"
+          enabled: true
           detection-ports:
             dp: 502
           stream-depth: 0
         dnp3:
-          enabled: "yes"
+          enabled: true
           detection-ports:
             dp: 20000
         enip:
-          enabled: "yes"
+          enabled: true
           detection-ports:
             dp: 44818
             sp: 44818
         ntp:
-          enabled: "yes"
+          enabled: true
         dhcp:
-          enabled: "yes"
+          enabled: true
         sip:
-          enabled: "yes"
+          enabled: true
         rfb:
-          enabled: 'yes'
+          enabled: true
           detection-ports:
             dp: 5900, 5901, 5902, 5903, 5904, 5905, 5906, 5907, 5908, 5909
         mqtt:
-          enabled: 'no'
+          enabled: false
         http2:
-          enabled: 'yes'
+          enabled: true
     asn1-max-frames: 256
     run-as:
       user: suricata
@@ -312,8 +312,8 @@ suricata:
     legacy:
       uricontent: enabled
     engine-analysis:
-      rules-fast-pattern: "yes"
-      rules: "yes"
+      rules-fast-pattern: true
+      rules: true
     pcre:
       match-limit: 3500
       match-limit-recursion: 1500
@@ -336,7 +336,7 @@ suricata:
       hash-size: 65536
       trackers: 65535
       max-frags: 65535
-      prealloc: "yes"
+      prealloc: true
       timeout: 60    
     flow:
       memcap: 128mb
@@ -380,14 +380,14 @@ suricata:
         emergency-bypassed: 50
     stream:
       memcap: 64mb
-      checksum-validation: "yes"
+      checksum-validation: true
       inline: auto
       reassembly:
         memcap: 256mb
         depth: 1mb
         toserver-chunk-size: 2560
         toclient-chunk-size: 2560
-        randomize-chunk-size: "yes"
+        randomize-chunk-size: true
     host:
       hash-size: 4096
       prealloc: 1000
@@ -432,38 +432,38 @@ suricata:
         allow-restricted-functions: false
     profiling:
       rules:
-        enabled: "yes"
+        enabled: true
         filename: rule_perf.log
-        append: "yes"
+        append: true
         limit: 10
-        json: "yes"
+        json: true
       keywords:
-        enabled: "yes"
+        enabled: true
         filename: keyword_perf.log
-        append: "yes"
+        append: true
       prefilter:
-        enabled: "yes"
+        enabled: true
         filename: prefilter_perf.log
-        append: "yes"
+        append: true
       rulegroups:
-        enabled: "yes"
+        enabled: true
         filename: rule_group_perf.log
-        append: "yes"
+        append: true
       packets:
-        enabled: "yes"
+        enabled: true
         filename: packet_stats.log
-        append: "yes"
+        append: true
         csv:
-          enabled: "no"
+          enabled: false
           filename: packet_stats.csv
       locks:
-        enabled: "no"
+        enabled: false
         filename: lock_stats.log
-        append: "yes"    
+        append: true    
       pcap-log:
-        enabled: "no"
+        enabled: false
         filename: pcaplog_stats.log
-        append: "yes"
+        append: true
     default-rule-path: /etc/suricata/rules
     rule-files:
       - all-rulesets.rules

salt/suricata/enabled.sls

@@ -6,7 +6,7 @@
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
 {%   from 'vars/globals.map.jinja' import GLOBALS %}
-{%   from 'docker/docker.map.jinja' import DOCKER %}
+{%   from 'docker/docker.map.jinja' import DOCKERMERGED %}
 {%   from 'suricata/map.jinja' import SURICATAMERGED %}
 
 
@@ -20,16 +20,15 @@ so-suricata:
     - privileged: True
     - environment:
       - INTERFACE={{ GLOBALS.sensor.interface }}
-      {% if DOCKER.containers['so-suricata'].extra_env %}
-        {% for XTRAENV in DOCKER.containers['so-suricata'].extra_env %}
+      {% if DOCKERMERGED.containers['so-suricata'].extra_env %}
+        {% for XTRAENV in DOCKERMERGED.containers['so-suricata'].extra_env %}
       - {{ XTRAENV }}
         {% endfor %}
       {% endif %}
-    {# we look at SURICATAMERGED.config['af-packet'][0] since we only allow one interface and therefore always the first list item #}
-    {% if SURICATAMERGED.config['af-packet'][0]['mmap-locked'] == "yes" and DOCKER.containers['so-suricata'].ulimits %}
+    {% if DOCKERMERGED.containers['so-suricata'].ulimits %}
     - ulimits:
-    {%   for ULIMIT in DOCKER.containers['so-suricata'].ulimits %}
-      - {{ ULIMIT }}
+    {%   for ULIMIT in DOCKERMERGED.containers['so-suricata'].ulimits %}
+      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
     {%   endfor %}
     {% endif %}
     - binds:
@@ -42,15 +41,15 @@ so-suricata:
       - /nsm/suricata/extracted:/var/log/suricata//filestore:rw
       - /opt/so/conf/suricata/bpf:/etc/suricata/bpf:ro
       - /nsm/suripcap/:/nsm/suripcap:rw
-      {% if DOCKER.containers['so-suricata'].custom_bind_mounts %}
-        {% for BIND in DOCKER.containers['so-suricata'].custom_bind_mounts %}
+      {% if DOCKERMERGED.containers['so-suricata'].custom_bind_mounts %}
+        {% for BIND in DOCKERMERGED.containers['so-suricata'].custom_bind_mounts %}
       - {{ BIND }}
         {% endfor %}
       {% endif %}
     - network_mode: host
-    {% if DOCKER.containers['so-suricata'].extra_hosts %}
+    {% if DOCKERMERGED.containers['so-suricata'].extra_hosts %}
     - extra_hosts:
-      {% for XTRAHOST in DOCKER.containers['so-suricata'].extra_hosts %}
+      {% for XTRAHOST in DOCKERMERGED.containers['so-suricata'].extra_hosts %}
       - {{ XTRAHOST }}
       {% endfor %}
     {% endif %}

salt/suricata/map.jinja

@@ -43,22 +43,18 @@
 - interface: {{ GLOBALS.sensor.interface }}
   cluster-id: {{ SURICATAMERGED.config['af-packet']['cluster-id'] }}
   cluster-type: {{ SURICATAMERGED.config['af-packet']['cluster-type'] }}
-  defrag: "{{ SURICATAMERGED.config['af-packet'].defrag }}"
-  use-mmap: "{{ SURICATAMERGED.config['af-packet']['use-mmap'] }}"
-  mmap-locked: "{{ SURICATAMERGED.config['af-packet']['mmap-locked'] }}"
+  defrag: {{ SURICATAMERGED.config['af-packet'].defrag }}
+  use-mmap: {{ SURICATAMERGED.config['af-packet']['use-mmap'] }}
+  mmap-locked: {{ SURICATAMERGED.config['af-packet']['mmap-locked'] }}
   threads: {{ SURICATAMERGED.config['af-packet'].threads }}
-  tpacket-v3: "{{ SURICATAMERGED.config['af-packet']['tpacket-v3'] }}"
+  tpacket-v3: {{ SURICATAMERGED.config['af-packet']['tpacket-v3'] }}
   ring-size: {{ SURICATAMERGED.config['af-packet']['ring-size'] }}
   block-size: {{ SURICATAMERGED.config['af-packet']['block-size'] }}
   block-timeout: {{ SURICATAMERGED.config['af-packet']['block-timeout'] }}
-  use-emergency-flush: "{{ SURICATAMERGED.config['af-packet']['use-emergency-flush'] }}"
+  use-emergency-flush: {{ SURICATAMERGED.config['af-packet']['use-emergency-flush'] }}
   buffer-size: {{ SURICATAMERGED.config['af-packet']['buffer-size'] }}
-  disable-promisc: "{{ SURICATAMERGED.config['af-packet']['disable-promisc'] }}"
-{%   if SURICATAMERGED.config['af-packet']['checksum-checks'] in ['yes', 'no'] %}
-  checksum-checks: "{{ SURICATAMERGED.config['af-packet']['checksum-checks'] }}"
-{%   else %}
+  disable-promisc: {{ SURICATAMERGED.config['af-packet']['disable-promisc'] }}
   checksum-checks: {{ SURICATAMERGED.config['af-packet']['checksum-checks'] }}
-{%   endif %}
 {% endload %}
 {% do SURICATAMERGED.config.pop('af-packet') %}
 {% do SURICATAMERGED.config.update({'af-packet': afpacket}) %}

salt/suricata/soc_suricata.yaml

@@ -1,6 +1,7 @@
 suricata:
-  enabled: 
+  enabled:
     description: Enables or disables the Suricata process. This process is used for triggering alerts and optionally for protocol metadata collection and full packet capture.
+    forcedType: bool
     helpLink: suricata
   thresholding:
     sids__yaml:
@@ -37,8 +38,9 @@ suricata:
       description: Enable compression of Suricata PCAP files.
       advanced: True
       helpLink: suricata
-    lz4-checksum: 
+    lz4-checksum:
       description: Enable PCAP lz4 checksum.
+      forcedType: bool
       advanced: True
       helpLink: suricata
     lz4-level: 
@@ -55,11 +57,10 @@ suricata:
       advanced: True
       readonly: True
       helpLink: suricata
-    use-stream-depth: 
-      description: Set to "no" to ignore the stream depth and capture the entire flow. Set to "yes" to truncate the flow based on the stream depth.
+    use-stream-depth:
+      description: Set to false to ignore the stream depth and capture the entire flow. Set to true to truncate the flow based on the stream depth.
+      forcedType: bool
       advanced: True
-      regex: ^(yes|no)$
-      regexFailureMessage: You must enter either yes or no.
       helpLink: suricata
     conditional: 
       description: Set to "all" to record PCAP for all flows. Set to "alerts" to only record PCAP for Suricata alerts. Set to "tag" to only record PCAP for tagged rules.
@@ -84,15 +85,16 @@ suricata:
         advanced: True
         regex: ^(cluster_flow|cluster_qm)$
       defrag:
+        description: Enable defragmentation of IP packets before processing.
+        forcedType: bool
         advanced: True
-        regex: ^(yes|no)$
       use-mmap:
         advanced: True
         readonly: True
       mmap-locked:
         description: Prevent swapping by locking the memory map.
+        forcedType: bool
         advanced: True
-        regex: ^(yes|no)$
         helpLink: suricata
       threads:
         description: The amount of worker threads.
@@ -116,9 +118,9 @@ suricata:
         forcedType: int
         helpLink: suricata
       use-emergency-flush:
-        description: In high-traffic environments, enabling this option to 'yes' aids in recovering from packet drop occurrences. However, it may lead to some packets, possibly at max ring flush, not being inspected.
+        description: In high-traffic environments, enabling this option aids in recovering from packet drop occurrences. However, it may lead to some packets, possibly at max ring flush, not being inspected.
+        forcedType: bool
         advanced: True
-        regex: ^(yes|no)$
         helpLink: suricata
       buffer-size:
         description: Increasing the value of the receive buffer may improve performance.
@@ -126,30 +128,33 @@ suricata:
         forcedType: int
         helpLink: suricata
       disable-promisc:
-        description: Promiscuous mode can be disabled by setting this to "yes".
+        description: Disable promiscuous mode on the capture interface.
+        forcedType: bool
         advanced: True
-        regex: ^(yes|no)$
         helpLink: suricata
       checksum-checks:
         description: "Opt for the checksum verification mode suitable for the interface. During capture, it's possible that some packets may exhibit invalid checksums due to the network card handling the checksum computation. You have several options: 'kernel': Relies on indications sent by the kernel for each packet (default). 'yes': Enforces checksum validation. 'no': Disables checksum validation. 'auto': Suricata employs a statistical approach to detect checksum offloading."
         advanced: True
-        regex: ^(kernel|yes|no|auto)$
+        options:
+        - kernel
+        - yes
+        - no
+        - auto
         helpLink: suricata
     threading:
       set-cpu-affinity:
-        description: Bind(yes) or unbind(no) management and worker threads to a core or range of cores.
-        regex: ^(yes|no)$
-        regexFailureMessage: You must enter either yes or no.
+        description: Bind or unbind management and worker threads to a core or range of cores.
+        forcedType: bool
         helpLink: suricata
       cpu-affinity:
         management-cpu-set:
           cpu:
-            description: Bind management threads to a core or range of cores. This can be a sigle core, list of cores, or list of range of cores. set-cpu-affinity must be set to 'yes' for this to be used.
+            description: Bind management threads to a core or range of cores. This can be a sigle core, list of cores, or list of range of cores. set-cpu-affinity must be set to true for this to be used.
             forcedType: "[]string"
             helpLink: suricata
         worker-cpu-set:
           cpu:
-            description: Bind worker threads to a core or range of cores. This can be a sigle core, list of cores, or list of range of cores. set-cpu-affinity must be set to 'yes' for this to be used.
+            description: Bind worker threads to a core or range of cores. This can be a sigle core, list of cores, or list of range of cores. set-cpu-affinity must be set to true for this to be used.
             forcedType: "[]string"
             helpLink: suricata
     vars:
@@ -198,11 +203,44 @@ suricata:
         GENEVE_PORTS: *suriportgroup
     outputs:
       eve-log:
+        pcap-file:
+          description: Log the PCAP filename that a packet was read from when processing pcap files.
+          forcedType: bool
+          advanced: True
+          helpLink: suricata
+        community-id:
+          description: Enable Community ID flow hashing for consistent event correlation across tools.
+          forcedType: bool
+          advanced: True
+          helpLink: suricata
         types:
           alert:
+            metadata:
+              app-layer:
+                description: Include app-layer metadata in alert events.
+                forcedType: bool
+                advanced: True
+                helpLink: suricata
+              flow:
+                description: Include flow metadata in alert events.
+                forcedType: bool
+                advanced: True
+                helpLink: suricata
+              rule:
+                metadata:
+                  description: Include rule metadata in alert events.
+                  forcedType: bool
+                  advanced: True
+                  helpLink: suricata
+                raw:
+                  description: Include raw rule text in alert events.
+                  forcedType: bool
+                  advanced: True
+                  helpLink: suricata
             xff:
               enabled:
                 description: Enable X-Forward-For support.
+                forcedType: bool
                 helpLink: suricata
               mode:
                 description: Operation mode. This should always be extra-data if you use PCAP.
@@ -242,8 +280,9 @@ suricata:
       max-frags: 
         description: Max number of fragments to keep
         helpLink: suricata
-      prealloc: 
+      prealloc:
         description: Preallocate memory.
+        forcedType: bool
         helpLink: suricata
       timeout:    
         description: Timeout value.
@@ -264,6 +303,7 @@ suricata:
         helpLink: suricata
       checksum-validation:
         description: Validate checksum of packets.
+        forcedType: bool
         helpLink: suricata
       reassembly:
         memcap:
@@ -286,6 +326,7 @@ suricata:
       teredo:
         enabled:
           description: Enable TEREDO capabilities
+          forcedType: bool
           helpLink: suricata
         ports:
           description: Ports to listen for. This should be a variable.
@@ -293,14 +334,58 @@ suricata:
       vxlan:
         enabled:
           description: Enable VXLAN capabilities.
+          forcedType: bool
           helpLink: suricata
-        ports: 
-          description: Ports to listen for. This should be a variable.    
+        ports:
+          description: Ports to listen for. This should be a variable.
           helpLink: suricata
       geneve:
         enabled:
           description: Enable VXLAN capabilities.
+          forcedType: bool
           helpLink: suricata
-        ports: 
-          description: Ports to listen for. This should be a variable.    
+        ports:
+          description: Ports to listen for. This should be a variable.
+          helpLink: suricata
+      recursion-level:
+        use-for-tracking:
+          description: Controls whether the decoder recursion level is used for flow tracking.
+          forcedType: bool
+          advanced: True
+          helpLink: suricata
+    vlan:
+      use-for-tracking:
+        description: Enable VLAN tracking for flow identification. When enabled, VLAN tags are used to differentiate flows.
+        forcedType: bool
+        advanced: True
+        helpLink: suricata
+    detect:
+      profiling:
+        grouping:
+          dump-to-disk:
+            description: Dump detection engine grouping information to disk for analysis.
+            forcedType: bool
+            advanced: True
+            helpLink: suricata
+          include-rules:
+            description: Include individual rule details in grouping profiling output.
+            forcedType: bool
+            advanced: True
+            helpLink: suricata
+          include-mpm-stats:
+            description: Include multi-pattern matcher statistics in grouping profiling output.
+            forcedType: bool
+            advanced: True
+            helpLink: suricata
+    security:
+      lua:
+        allow-rules:
+          description: Allow Lua rules in the Suricata ruleset. Enabling Lua rules may introduce security risks.
+          forcedType: bool
+          advanced: True
+          helpLink: suricata
+        allow-restricted-functions:
+          description: Allow restricted Lua functions such as file I/O. Enabling this may introduce security risks.
+          forcedType: bool
+          advanced: True
           helpLink: suricata

salt/telegraf/defaults.yaml

@@ -7,8 +7,8 @@ telegraf:
     collection_jitter: '0s'
     flush_interval: '10s'
     flush_jitter: '0s'
-    debug: 'false'
-    quiet: 'false'
+    debug: false
+    quiet: false
   scripts:
     eval:
       - agentstatus.sh

salt/telegraf/enabled.sls

@@ -6,7 +6,7 @@
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
 {%   from 'vars/globals.map.jinja' import GLOBALS %}
-{%   from 'docker/docker.map.jinja' import DOCKER %}
+{%   from 'docker/docker.map.jinja' import DOCKERMERGED %}
 {%   from 'telegraf/map.jinja' import TELEGRAFMERGED %}
 
 include:
@@ -25,8 +25,8 @@ so-telegraf:
       - HOST_SYS=/host/sys
       - HOST_MOUNT_PREFIX=/host
       - GODEBUG=x509ignoreCN=0
-      {% if DOCKER.containers['so-telegraf'].extra_env %}
-        {% for XTRAENV in DOCKER.containers['so-telegraf'].extra_env %}
+      {% if DOCKERMERGED.containers['so-telegraf'].extra_env %}
+        {% for XTRAENV in DOCKERMERGED.containers['so-telegraf'].extra_env %}
       - {{ XTRAENV }}
         {% endfor %}
       {% endif %}
@@ -55,17 +55,23 @@ so-telegraf:
       {% if GLOBALS.is_manager or GLOBALS.role == 'so-heavynode' %}
       - /opt/so/conf/telegraf/etc/escurl.config:/etc/telegraf/elasticsearch.config:ro
       {% endif %}
-      {% if DOCKER.containers['so-telegraf'].custom_bind_mounts %}
-        {% for BIND in DOCKER.containers['so-telegraf'].custom_bind_mounts %}
+      {% if DOCKERMERGED.containers['so-telegraf'].custom_bind_mounts %}
+        {% for BIND in DOCKERMERGED.containers['so-telegraf'].custom_bind_mounts %}
       - {{ BIND }}
         {% endfor %}
       {% endif %}
-    {% if DOCKER.containers['so-telegraf'].extra_hosts %}
+    {% if DOCKERMERGED.containers['so-telegraf'].extra_hosts %}
     - extra_hosts:
-      {% for XTRAHOST in DOCKER.containers['so-telegraf'].extra_hosts %}
+      {% for XTRAHOST in DOCKERMERGED.containers['so-telegraf'].extra_hosts %}
       - {{ XTRAHOST }}
       {% endfor %}
     {% endif %}
+    {% if DOCKERMERGED.containers['so-telegraf'].ulimits %}
+    - ulimits:
+    {%   for ULIMIT in DOCKERMERGED.containers['so-telegraf'].ulimits %}
+      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
+    {%   endfor %}
+    {% endif %}
     - watch:
       - file: trusttheca
       - x509: telegraf_crt

salt/telegraf/etc/telegraf.conf

@@ -56,9 +56,9 @@
 
   ## Logging configuration:
   ## Run telegraf with debug log messages.
-  debug = {{ TELEGRAFMERGED.config.debug }}
+  debug = {{ 'true' if TELEGRAFMERGED.config.debug else 'false' }}
   ## Run telegraf in quiet mode (error log messages only).
-  quiet = false
+  quiet = {{ 'true' if TELEGRAFMERGED.config.quiet else 'false'}}
   ## Specify the log file name. The empty string means to log to stderr.
   logfile = "/var/log/telegraf/telegraf.log"
 

salt/telegraf/soc_telegraf.yaml

@@ -1,6 +1,7 @@
 telegraf:
-  enabled: 
+  enabled:
     description: Enables the grid metrics collection process. WARNING - Security Onion grid health monitoring requires this process to remain enabled. Disabling it will cause unexpected and unsupported results.
+    forcedType: bool
     advanced: True
     helpLink: influxdb
   config:
@@ -34,13 +35,13 @@ telegraf:
       advanced: True
       helpLink: influxdb
     debug: 
-      description: Data collection interval.
-      global: True
+      description: Run telegraf with debug log messages
+      forcedType: bool
       advanced: True
       helpLink: influxdb
     quiet: 
-      description: Data collection interval.
-      global: True
+      description: Run telegraf in quiet mode (error log messages only).
+      forcedType: bool
       advanced: True
       helpLink: influxdb
   scripts:

salt/vars/globals.map.jinja

@@ -1,5 +1,5 @@
 {% import 'vars/init.map.jinja' as INIT %}
-{% from 'docker/docker.map.jinja' import DOCKER %}
+{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
 {% from 'global/map.jinja' import GLOBALMERGED %}
 
 {% from 'vars/' ~ INIT.GRAINS.role.split('-')[1] ~ '.map.jinja' import ROLE_GLOBALS %} {# role is so-role so we have to split off the 'so' #}
@@ -25,8 +25,8 @@
     'pcap_engine': GLOBALMERGED.pcapengine,
     'pipeline': GLOBALMERGED.pipeline,
     'so_version': INIT.PILLAR.global.soversion,
-    'so_docker_gateway': DOCKER.gateway,
-    'so_docker_range': DOCKER.range,
+    'so_docker_gateway': DOCKERMERGED.gateway,
+    'so_docker_range': DOCKERMERGED.range,
     'url_base': INIT.PILLAR.global.url_base,
     'so_model': INIT.GRAINS.get('sosmodel',''),
     'sensoroni_key': INIT.PILLAR.sensoroni.config.sensoronikey,

salt/zeek/config.sls

@@ -167,7 +167,7 @@ zeekja4cfg:
     - group: 939
     - template: jinja
     - defaults:
-        JA4PLUS_ENABLED: {{ ZEEKMERGED.ja4plus_enabled }}
+        JA4PLUS: {{ ZEEKMERGED.ja4plus.enabled }}
 
 # BPF compilation failed
 {% if ZEEKBPF and not ZEEK_BPF_STATUS %}

salt/zeek/defaults.yaml

@@ -1,6 +1,7 @@
 zeek:
   enabled: False
-  ja4plus_enabled: False
+  ja4plus:
+    enabled: False
   config:
     node:
       lb_procs: 0

salt/zeek/enabled.sls

@@ -6,7 +6,7 @@
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
 {%   from 'vars/globals.map.jinja' import GLOBALS %}
-{%   from 'docker/docker.map.jinja' import DOCKER %}
+{%   from 'docker/docker.map.jinja' import DOCKERMERGED %}
 
 
 include:
@@ -18,9 +18,12 @@ so-zeek:
     - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-zeek:{{ GLOBALS.so_version }}
     - start: True
     - privileged: True
+    {% if DOCKERMERGED.containers['so-zeek'].ulimits %}
     - ulimits:
-      - core=0
-      - nofile=1048576:1048576
+    {%   for ULIMIT in DOCKERMERGED.containers['so-zeek'].ulimits %}
+      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
+    {%   endfor %}
+    {% endif %}
     - binds:
       - /nsm/zeek/logs:/nsm/zeek/logs:rw
       - /nsm/zeek/spool:/nsm/zeek/spool:rw
@@ -36,21 +39,21 @@ so-zeek:
       - /opt/so/conf/zeek/bpf:/opt/zeek/etc/bpf:ro
       - /opt/so/conf/zeek/config.zeek:/opt/zeek/share/zeek/site/packages/ja4/config.zeek:ro
       - /opt/so/conf/zeek/zkg:/opt/so/conf/zeek/zkg:ro
-      {% if DOCKER.containers['so-zeek'].custom_bind_mounts %}
-        {% for BIND in DOCKER.containers['so-zeek'].custom_bind_mounts %}
+      {% if DOCKERMERGED.containers['so-zeek'].custom_bind_mounts %}
+        {% for BIND in DOCKERMERGED.containers['so-zeek'].custom_bind_mounts %}
       - {{ BIND }}
         {% endfor %}
       {% endif %} 
     - network_mode: host
-    {% if DOCKER.containers['so-zeek'].extra_hosts %}
+    {% if DOCKERMERGED.containers['so-zeek'].extra_hosts %}
     - extra_hosts:
-      {% for XTRAHOST in DOCKER.containers['so-zeek'].extra_hosts %}
+      {% for XTRAHOST in DOCKERMERGED.containers['so-zeek'].extra_hosts %}
       - {{ XTRAHOST }}
       {% endfor %}
     {% endif %}
-    {% if DOCKER.containers['so-zeek'].extra_env %}
+    {% if DOCKERMERGED.containers['so-zeek'].extra_env %}
     - environment:
-      {% for XTRAENV in DOCKER.containers['so-zeek'].extra_env %}
+      {% for XTRAENV in DOCKERMERGED.containers['so-zeek'].extra_env %}
       - {{ XTRAENV }}
       {% endfor %}
     {% endif %}

salt/zeek/files/config.zeek.ja4

@@ -8,20 +8,20 @@ export {
   option JA4_raw:        bool = F;
 
   # FoxIO license required for JA4+
-  option JA4S_enabled:   bool = {{ 'T' if JA4PLUS_ENABLED else 'F' }};
+  option JA4S_enabled:   bool = {{ 'T' if JA4PLUS else 'F' }};
   option JA4S_raw:   bool = F;
 
-  option JA4D_enabled:  bool = {{ 'T' if JA4PLUS_ENABLED else 'F' }};
+  option JA4D_enabled:  bool = {{ 'T' if JA4PLUS else 'F' }};
 
-  option JA4H_enabled:   bool = {{ 'T' if JA4PLUS_ENABLED else 'F' }};
+  option JA4H_enabled:   bool = {{ 'T' if JA4PLUS else 'F' }};
   option JA4H_raw:   bool = F;
 
-  option JA4L_enabled:   bool = {{ 'T' if JA4PLUS_ENABLED else 'F' }};
+  option JA4L_enabled:   bool = {{ 'T' if JA4PLUS else 'F' }};
 
-  option JA4SSH_enabled: bool = {{ 'T' if JA4PLUS_ENABLED else 'F' }};
+  option JA4SSH_enabled: bool = {{ 'T' if JA4PLUS else 'F' }};
 
-  option JA4T_enabled: bool = {{ 'T' if JA4PLUS_ENABLED else 'F' }};
-  option JA4TS_enabled: bool = {{ 'T' if JA4PLUS_ENABLED else 'F' }};
+  option JA4T_enabled: bool = {{ 'T' if JA4PLUS else 'F' }};
+  option JA4TS_enabled: bool = {{ 'T' if JA4PLUS else 'F' }};
 
-  option JA4X_enabled:   bool = {{ 'T' if JA4PLUS_ENABLED else 'F' }};
+  option JA4X_enabled:   bool = {{ 'T' if JA4PLUS else 'F' }};
 }

salt/zeek/soc_zeek.yaml

@@ -1,11 +1,14 @@
 zeek:
   enabled:
     description: Controls whether the Zeek (network packet inspection) process runs. Disabling this process could result in loss of network protocol metadata. If Suricata was selected as the protocol metadata engine during setup then this will already be disabled.
-    helpLink: zeek
-  ja4plus_enabled:
-    description: "Enables JA4+ fingerprinting (JA4S, JA4D, JA4H, JA4L, JA4SSH, JA4T, JA4TS, JA4X). By enabling this, you agree to the terms of the JA4+ license (https://github.com/FoxIO-LLC/ja4/blob/main/LICENSE-JA4)."
     forcedType: bool
     helpLink: zeek
+  ja4plus:
+    enabled:
+      description: "Enables JA4+ fingerprinting (JA4S, JA4D, JA4H, JA4L, JA4SSH, JA4T, JA4TS, JA4X). By enabling this, you agree to the terms of the JA4+ license  [https://github.com/FoxIO-LLC/ja4/blob/main/LICENSE-JA4](https://github.com/FoxIO-LLC/ja4/blob/main/LICENSE-JA4)."
+      forcedType: bool
+      helpLink: zeek
+      advanced: False
   config:
     local:
       load: