do not attempt to redirect to a source map after login

update helpLink references for new documentation

.github/workflows/pythontest.yml

@@ -13,7 +13,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        python-version: ["3.13"]
+        python-version: ["3.14"]
         python-code-path: ["salt/sensoroni/files/analyzers", "salt/manager/tools/sbin"]
 
     steps:

salt/_modules/needs_restarting.py

@@ -1,24 +1,14 @@
-from os import path
 import subprocess
 
 def check():
 
-  osfam = __grains__['os_family']
   retval = 'False'
 
-  if osfam == 'Debian':
-    if path.exists('/var/run/reboot-required'):
-      retval = 'True'
+  cmd = 'needs-restarting -r > /dev/null 2>&1'
 
-  elif osfam == 'RedHat':
-    cmd = 'needs-restarting -r > /dev/null 2>&1'
-    
-    try:
-      needs_restarting = subprocess.check_call(cmd, shell=True)
-    except subprocess.CalledProcessError:
-      retval = 'True'
-
-  else:
-    retval = 'Unsupported OS: %s' % os
+  try:
+    needs_restarting = subprocess.check_call(cmd, shell=True)
+  except subprocess.CalledProcessError:
+    retval = 'True'
 
   return retval

salt/backup/soc_backup.yaml

@@ -1,10 +1,10 @@
 backup:
   locations:
     description: List of locations to back up to the destination.
-    helpLink: backup.html
+    helpLink: backup
     global: True
   destination:
     description: Directory to store the configuration backups in.
-    helpLink: backup.html
+    helpLink: backup
     global: True
     

salt/bpf/soc_bpf.yaml

@@ -3,14 +3,14 @@ bpf:
     description: List of BPF filters to apply to the PCAP engine.
     multiline: True
     forcedType: "[]string"
-    helpLink: bpf.html
+    helpLink: bpf
   suricata:
     description: List of BPF filters to apply to Suricata. This will apply to alerts and, if enabled, to metadata and PCAP logs generated by Suricata.
     multiline: True
     forcedType: "[]string"
-    helpLink: bpf.html
+    helpLink: bpf
   zeek:
     description: List of BPF filters to apply to Zeek.
     multiline: True
     forcedType: "[]string"
-    helpLink: bpf.html
+    helpLink: bpf

salt/ca/trustca.sls

@@ -3,8 +3,6 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 
-{% from 'vars/globals.map.jinja' import GLOBALS %}
-
 include:
   - docker
 
@@ -18,9 +16,3 @@ trusttheca:
     - show_changes: False
     - makedirs: True
 
-{% if GLOBALS.os_family == 'Debian' %}
-symlinkca:
-  file.symlink:
-    - target: /etc/pki/tls/certs/intca.crt
-    - name: /etc/ssl/certs/intca.crt
-{% endif %}

salt/common/init.sls

@@ -20,11 +20,6 @@ kernel.printk:
   sysctl.present:
     - value: "3 4 1 3"
 
-# Remove variables.txt from /tmp - This is temp
-rmvariablesfile:
-  file.absent:
-    - name: /tmp/variables.txt
-
 # Add socore Group
 socoregroup:
   group.present:
@@ -149,28 +144,6 @@ common_sbin_jinja:
       - so-import-pcap
 {% endif %}
 
-{% if GLOBALS.role == 'so-heavynode' %}
-remove_so-pcap-import_heavynode:
-  file.absent:
-    - name: /usr/sbin/so-pcap-import
-
-remove_so-import-pcap_heavynode:
-  file.absent:
-    - name: /usr/sbin/so-import-pcap
-{% endif %}
-
-{% if not GLOBALS.is_manager%}
-# prior to 2.4.50 these scripts were in common/tools/sbin on the manager because of soup and distributed to non managers
-# these two states remove the scripts from non manager nodes
-remove_soup:
-  file.absent:
-    - name: /usr/sbin/soup
-
-remove_so-firewall:
-  file.absent:
-    - name: /usr/sbin/so-firewall
-{% endif %}
-
 so-status_script:
   file.managed:
     - name: /usr/sbin/so-status

salt/common/packages.sls

@@ -1,52 +1,5 @@
 # we cannot import GLOBALS from vars/globals.map.jinja in this state since it is called in setup.virt.init
 # since it is early in setup of a new VM, the pillars imported in GLOBALS are not yet defined
-{% if grains.os_family == 'Debian' %}
-commonpkgs:
-  pkg.installed:
-    - skip_suggestions: True
-    - pkgs:
-      - apache2-utils
-      - wget
-      - ntpdate
-      - jq
-      - curl
-      - ca-certificates
-      - software-properties-common
-      - apt-transport-https
-      - openssl
-      - netcat-openbsd
-      - sqlite3
-      - libssl-dev
-      - procps
-      - python3-dateutil
-      - python3-docker
-      - python3-packaging
-      - python3-lxml
-      - git
-      - rsync
-      - vim
-      - tar
-      - unzip
-      - bc
-      {% if grains.oscodename != 'focal' %}
-      - python3-rich
-      {% endif %}
-
-{%     if grains.oscodename == 'focal' %}
-# since Ubuntu requires and internet connection we can use pip to install modules
-python3-pip:
-  pkg.installed
-
-python-rich:
-  pip.installed:
-    - name: rich
-    - target: /usr/local/lib/python3.8/dist-packages/
-    - require:
-      - pkg: python3-pip
-{%     endif %}
-{% endif %}
-
-{% if grains.os_family == 'RedHat' %}
 
 remove_mariadb:
   pkg.removed:
@@ -84,5 +37,3 @@ commonpkgs:
       - unzip
       - wget
       - yum-utils
-
-{% endif %}

salt/common/soup_scripts.sls

@@ -11,14 +11,6 @@
 {%   endif %}
 {%   set SOVERSION = salt['file.read']('/etc/soversion').strip() %}
 
-remove_common_soup:
-  file.absent:
-    - name: /opt/so/saltstack/default/salt/common/tools/sbin/soup
-
-remove_common_so-firewall:
-  file.absent:
-    - name: /opt/so/saltstack/default/salt/common/tools/sbin/so-firewall
-
 # This section is used to put the scripts in place in the Salt file system
 # in case a state run tries to overwrite what we do in the next section.
 copy_so-common_common_tools_sbin:

salt/common/tools/sbin/so-log-check

@@ -131,6 +131,7 @@ if [[ $EXCLUDE_STARTUP_ERRORS == 'Y' ]]; then
     EXCLUDED_ERRORS="$EXCLUDED_ERRORS|not configured for GeoIP"     # SO does not bundle the maxminddb with Zeek
     EXCLUDED_ERRORS="$EXCLUDED_ERRORS|HTTP 404: Not Found"          # Salt loops until Kratos returns 200, during startup Kratos may not be ready
     EXCLUDED_ERRORS="$EXCLUDED_ERRORS|Cancelling deferred write event maybeFenceReplicas because the event queue is now closed" # Kafka controller log during shutdown/restart
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|Redis may have been restarted" # Redis likely restarted by salt
 fi
 
 if [[ $EXCLUDE_FALSE_POSITIVE_ERRORS == 'Y' ]]; then

salt/curator/disabled.sls

@@ -1,34 +0,0 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-so-curator:
-  docker_container.absent:
-    - force: True
-
-so-curator_so-status.disabled:
-  file.line:
-    - name: /opt/so/conf/so-status/so-status.conf
-    - match: ^so-curator$
-    - mode: delete
-
-so-curator-cluster-close:
-  cron.absent:
-    - identifier: so-curator-cluster-close
-
-so-curator-cluster-delete:
-  cron.absent:
-    - identifier: so-curator-cluster-delete
-
-delete_curator_configuration:
-  file.absent:
-    - name: /opt/so/conf/curator
-    - recurse: True
-
-{% set files = salt.file.find(path='/usr/sbin', name='so-curator*') %}
-{% if files|length > 0 %}
-delete_curator_scripts:
-  file.absent:
-    - names: {{files|yaml}}
-{% endif %}

salt/docker/init.sls

@@ -15,39 +15,6 @@ dockergroup:
     - name: docker
     - gid: 920
 
-{% if GLOBALS.os_family == 'Debian' %}
-{%    if grains.oscodename == 'bookworm' %}
-dockerheldpackages:
-  pkg.installed:
-    - pkgs:
-      - containerd.io: 2.2.1-1~debian.12~bookworm
-      - docker-ce: 5:29.2.1-1~debian.12~bookworm
-      - docker-ce-cli: 5:29.2.1-1~debian.12~bookworm
-      - docker-ce-rootless-extras: 5:29.2.1-1~debian.12~bookworm
-    - hold: True
-    - update_holds: True
-{%    elif grains.oscodename == 'jammy' %}
-dockerheldpackages:
-  pkg.installed:
-    - pkgs:
-      - containerd.io: 2.2.1-1~ubuntu.22.04~jammy
-      - docker-ce: 5:29.2.1-1~ubuntu.22.04~jammy
-      - docker-ce-cli: 5:29.2.1-1~ubuntu.22.04~jammy
-      - docker-ce-rootless-extras: 5:29.2.1-1~ubuntu.22.04~jammy
-    - hold: True
-    - update_holds: True
-{%    else %}
-dockerheldpackages:
-  pkg.installed:
-    - pkgs:
-      - containerd.io: 1.7.21-1
-      - docker-ce: 5:27.2.0-1~ubuntu.20.04~focal
-      - docker-ce-cli: 5:27.2.0-1~ubuntu.20.04~focal
-      - docker-ce-rootless-extras: 5:27.2.0-1~ubuntu.20.04~focal
-    - hold: True
-    - update_holds: True
-{%   endif %}
-{% else %}
 dockerheldpackages:
   pkg.installed:
     - pkgs:
@@ -57,7 +24,6 @@ dockerheldpackages:
       - docker-ce-rootless-extras: 29.2.1-1.el9
     - hold: True
     - update_holds: True
-{% endif %}
 
 #disable docker from managing iptables
 iptables_disabled:

salt/docker/soc_docker.yaml

@@ -1,42 +1,42 @@
 docker:
   gateway:
     description: Gateway for the default docker interface.
-    helpLink: docker.html
+    helpLink: docker
     advanced: True
   range:
     description: Default docker IP range for containers.
-    helpLink: docker.html
+    helpLink: docker
     advanced: True
   containers:
     so-dockerregistry: &dockerOptions
       final_octet:
         description: Last octet of the container IP address.
-        helpLink: docker.html
+        helpLink: docker
         readonly: True
         advanced: True
         global: True
       port_bindings:
         description: List of port bindings for the container.
-        helpLink: docker.html
+        helpLink: docker
         advanced: True
         multiline: True
         forcedType: "[]string"
       custom_bind_mounts:
         description: List of custom local volume bindings.
         advanced: True
-        helpLink: docker.html
+        helpLink: docker
         multiline: True
         forcedType: "[]string"
       extra_hosts:
         description: List of additional host entries for the container.
         advanced: True
-        helpLink: docker.html
+        helpLink: docker
         multiline: True
         forcedType: "[]string"
       extra_env:
         description: List of additional ENV entries for the container.
         advanced: True
-        helpLink: docker.html
+        helpLink: docker
         multiline: True
         forcedType: "[]string"
     so-elastic-fleet: *dockerOptions
@@ -65,38 +65,38 @@ docker:
     so-suricata:
       final_octet:
         description: Last octet of the container IP address.
-        helpLink: docker.html
+        helpLink: docker
         readonly: True
         advanced: True
         global: True
       port_bindings:
         description: List of port bindings for the container.
-        helpLink: docker.html
+        helpLink: docker
         advanced: True
         multiline: True
         forcedType: "[]string"
       custom_bind_mounts:
         description: List of custom local volume bindings.
         advanced: True
-        helpLink: docker.html
+        helpLink: docker
         multiline: True
         forcedType: "[]string"
       extra_hosts:
         description: List of additional host entries for the container.
         advanced: True
-        helpLink: docker.html
+        helpLink: docker
         multiline: True
         forcedType: "[]string"
       extra_env:
         description: List of additional ENV entries for the container.
         advanced: True
-        helpLink: docker.html
+        helpLink: docker
         multiline: True
         forcedType: "[]string"
       ulimits:
         description: Ulimits for the container, in bytes.
         advanced: True
-        helpLink: docker.html
+        helpLink: docker
         multiline: True
         forcedType: "[]string"
     so-zeek: *dockerOptions

salt/elastalert/files/custom/placeholder

@@ -1 +0,0 @@
-THIS IS A PLACEHOLDER FILE

salt/elastalert/soc_elastalert.yaml

@@ -1,47 +1,47 @@
 elastalert:
   enabled:
     description: Enables or disables the ElastAlert 2 process. This process is critical for ensuring alerts arrive in SOC, and for outbound notification delivery.
-    helpLink: elastalert.html
+    helpLink: elastalert
   alerter_parameters:
     title: Custom Configuration Parameters
     description: Optional configuration parameters made available as defaults for all rules and alerters. Use YAML format for these parameters, and reference the ElastAlert 2 documentation, located at https://elastalert2.readthedocs.io, for available configuration parameters. Requires a valid Security Onion license key.
     global: True
     multiline: True
     syntax: yaml
-    helpLink: elastalert.html
+    helpLink: elastalert
     forcedType: string
   jira_api_key:
     title: Jira API Key
     description: Optional configuration parameter for Jira API Key, used instead of the Jira username and password. Requires a valid Security Onion license key.
     global: True
     sensitive: True
-    helpLink: elastalert.html
+    helpLink: elastalert
     forcedType: string
   jira_pass:
     title: Jira Password
     description: Optional configuration parameter for Jira password. Requires a valid Security Onion license key.
     global: True
     sensitive: True
-    helpLink: elastalert.html
+    helpLink: elastalert
     forcedType: string
   jira_user:
     title: Jira Username
     description: Optional configuration parameter for Jira username. Requires a valid Security Onion license key.
     global: True
-    helpLink: elastalert.html
+    helpLink: elastalert
     forcedType: string
   smtp_pass:
     title: SMTP Password
     description: Optional configuration parameter for SMTP password, required for authenticating email servers. Requires a valid Security Onion license key.
     global: True
     sensitive: True
-    helpLink: elastalert.html
+    helpLink: elastalert
     forcedType: string
   smtp_user:
     title: SMTP Username
     description: Optional configuration parameter for SMTP username, required for authenticating email servers. Requires a valid Security Onion license key.
     global: True
-    helpLink: elastalert.html
+    helpLink: elastalert
     forcedType: string
   files:
     custom:
@@ -49,91 +49,91 @@ elastalert:
         description: Optional custom Certificate Authority for connecting to an AlertManager server. To utilize this custom file, the alertmanager_ca_certs key must be set to /opt/elastalert/custom/alertmanager_ca.crt in the Alerter Parameters setting. Requires a valid Security Onion license key.
         global: True
         file: True
-        helpLink: elastalert.html
+        helpLink: elastalert
       gelf_ca__crt:
         description: Optional custom Certificate Authority for connecting to a Graylog server. To utilize this custom file, the graylog_ca_certs key must be set to /opt/elastalert/custom/graylog_ca.crt in the Alerter Parameters setting. Requires a valid Security Onion license key.
         global: True
         file: True
-        helpLink: elastalert.html
+        helpLink: elastalert
       http_post_ca__crt:
         description: Optional custom Certificate Authority for connecting to a generic HTTP server, via the legacy HTTP POST alerter. To utilize this custom file, the http_post_ca_certs key must be set to /opt/elastalert/custom/http_post2_ca.crt in the Alerter Parameters setting. Requires a valid Security Onion license key.
         global: True
         file: True
-        helpLink: elastalert.html
+        helpLink: elastalert
       http_post2_ca__crt:
         description: Optional custom Certificate Authority for connecting to a generic HTTP server, via the newer HTTP POST 2 alerter. To utilize this custom file, the http_post2_ca_certs key must be set to /opt/elastalert/custom/http_post2_ca.crt in the Alerter Parameters setting. Requires a valid Security Onion license key.
         global: True
         file: True
-        helpLink: elastalert.html
+        helpLink: elastalert
       ms_teams_ca__crt:
         description: Optional custom Certificate Authority for connecting to Microsoft Teams server. To utilize this custom file, the ms_teams_ca_certs key must be set to /opt/elastalert/custom/ms_teams_ca.crt in the Alerter Parameters setting. Requires a valid Security Onion license key.
         global: True
         file: True
-        helpLink: elastalert.html
+        helpLink: elastalert
       pagerduty_ca__crt:
         description: Optional custom Certificate Authority for connecting to PagerDuty server. To utilize this custom file, the pagerduty_ca_certs key must be set to /opt/elastalert/custom/pagerduty_ca.crt in the Alerter Parameters setting. Requires a valid Security Onion license key.
         global: True
         file: True
-        helpLink: elastalert.html
+        helpLink: elastalert
       rocket_chat_ca__crt:
         description: Optional custom Certificate Authority for connecting to PagerDuty server. To utilize this custom file, the rocket_chart_ca_certs key must be set to /opt/elastalert/custom/rocket_chat_ca.crt in the Alerter Parameters setting. Requires a valid Security Onion license key.
         global: True
         file: True
-        helpLink: elastalert.html
+        helpLink: elastalert
       smtp__crt:
         description: Optional custom certificate for connecting to an SMTP server. To utilize this custom file, the smtp_cert_file key must be set to /opt/elastalert/custom/smtp.crt in the Alerter Parameters setting. Requires a valid Security Onion license key.
         global: True
         file: True
-        helpLink: elastalert.html
+        helpLink: elastalert
       smtp__key:
         description: Optional custom certificate key for connecting to an SMTP server. To utilize this custom file, the smtp_key_file key must be set to /opt/elastalert/custom/smtp.key in the Alerter Parameters setting. Requires a valid Security Onion license key.
         global: True
         file: True
-        helpLink: elastalert.html
+        helpLink: elastalert
       slack_ca__crt:
         description: Optional custom Certificate Authority for connecting to Slack. To utilize this custom file, the slack_ca_certs key must be set to /opt/elastalert/custom/slack_ca.crt in the Alerter Parameters setting. Requires a valid Security Onion license key.
         global: True
         file: True
-        helpLink: elastalert.html
+        helpLink: elastalert
   config:
     disable_rules_on_error:
       description: Disable rules on failure.
       global: True
-      helpLink: elastalert.html
+      helpLink: elastalert
     run_every:
       minutes:
         description: Amount of time in minutes between searches.
         global: True
-        helpLink: elastalert.html
+        helpLink: elastalert
     buffer_time:
       minutes:
         description: Amount of time in minutes to look through.
         global: True
-        helpLink: elastalert.html
+        helpLink: elastalert
     old_query_limit:
       minutes:
         description: Amount of time in minutes between queries to start at the most recently run query.
         global: True
-        helpLink: elastalert.html
+        helpLink: elastalert
     es_conn_timeout:
       description: Timeout in seconds for connecting to and reading from Elasticsearch.
       global: True
-      helpLink: elastalert.html
+      helpLink: elastalert
     max_query_size:
       description: The maximum number of documents that will be returned from Elasticsearch in a single query.
       global: True
-      helpLink: elastalert.html
+      helpLink: elastalert
     alert_time_limit:
       days:
         description: The retry window for failed alerts.
         global: True
-        helpLink: elastalert.html
+        helpLink: elastalert
     index_settings:
       shards:
         description: The number of shards for elastalert indices.
         global: True
-        helpLink: elastalert.html
+        helpLink: elastalert
       replicas:
         description: The number of replicas for elastalert indices.
         global: True
-        helpLink: elastalert.html
+        helpLink: elastalert

salt/elasticfleet/soc_elasticfleet.yaml

@@ -2,13 +2,13 @@ elasticfleet:
   enabled:
     description: Enables or disables the Elastic Fleet process. This process is critical for managing Elastic Agents.
     advanced: True
-    helpLink: elastic-fleet.html
+    helpLink: elastic-fleet
   enable_manager_output:
     description: Setting this option to False should only be considered if there is at least one receiver node in the grid. If True, Elastic Agent will send events to the manager and receivers. If False, events will only be send to the receivers.
     advanced: True
     global: True
     forcedType: bool
-    helpLink: elastic-fleet.html
+    helpLink: elastic-fleet
   files:
     soc:
       elastic-defend-disabled-filters__yaml:
@@ -17,7 +17,7 @@ elasticfleet:
         syntax: yaml
         file: True
         global: True
-        helpLink: elastic-fleet.html
+        helpLink: elastic-fleet
         advanced: True
       elastic-defend-custom-filters__yaml:
         title: Custom Elastic Defend filters
@@ -25,31 +25,31 @@ elasticfleet:
         syntax: yaml
         file: True
         global: True
-        helpLink: elastic-fleet.html
+        helpLink: elastic-fleet
         advanced: True
   logging:
     zeek:
       excluded:
         description: This is a list of Zeek logs that are excluded from being shipped through the data processing pipeline. If you remove a log from this list, Elastic Agent will attempt to process it. If an ingest node pipeline is not available to process the logs, you may experience errors.
         forcedType: "[]string"
-        helpLink: zeek.html
+        helpLink: zeek
   config:
     defend_filters:
       enable_auto_configuration:
         description: Enable auto-configuration and management of the Elastic Defend Exclusion filters.
         global: True
-        helpLink: elastic-fleet.html
+        helpLink: elastic-fleet
         advanced: True
     subscription_integrations:
       description: Enable the installation of integrations that require an Elastic license.
       global: True
       forcedType: bool
-      helpLink: elastic-fleet.html
+      helpLink: elastic-fleet
     auto_upgrade_integrations:
       description: Enables or disables automatically upgrading Elastic Agent integrations.
       global: True
       forcedType: bool
-      helpLink: elastic-fleet.html
+      helpLink: elastic-fleet
     outputs:
       logstash:
         bulk_max_size:
@@ -57,67 +57,67 @@ elasticfleet:
           global: True
           forcedType: int
           advanced: True
-          helpLink: elastic-fleet.html
+          helpLink: elastic-fleet
         worker:
           description: The number of workers per configured host publishing events.
           global: True
           forcedType: int
           advanced: true
-          helpLink: elastic-fleet.html
+          helpLink: elastic-fleet
         queue_mem_events:
           title: queued events
           description: The number of events the queue can store. This value should be evenly divisible by the smaller of 'bulk_max_size' to avoid sending partial batches to the output.
           global: True
           forcedType: int
           advanced: True
-          helpLink: elastic-fleet.html
+          helpLink: elastic-fleet
         timeout:
           description: The number of seconds to wait for responses from the Logstash server before timing out. Eg 30s
           regex: ^[0-9]+s$
           advanced: True
           global: True
-          helpLink: elastic-fleet.html
+          helpLink: elastic-fleet
         loadbalance:
           description: If true and multiple Logstash hosts are configured, the output plugin load balances published events onto all Logstash hosts. If false, the output plugin sends all events to one host (determined at random) and switches to another host if the selected one becomes unresponsive.
           forcedType: bool
           advanced: True
           global: True
-          helpLink: elastic-fleet.html
+          helpLink: elastic-fleet
         compression_level:
           description: The gzip compression level. The compression level must be in the range of 1 (best speed) to 9 (best compression).
           regex: ^[1-9]$
           forcedType: int
           advanced: True
           global: True
-          helpLink: elastic-fleet.html
+          helpLink: elastic-fleet
     server:
       custom_fqdn:
         description: Custom FQDN for Agents to connect to. One per line.
         global: True
-        helpLink: elastic-fleet.html
+        helpLink: elastic-fleet
         advanced: True
         forcedType: "[]string"
       enable_auto_configuration:
         description: Enable auto-configuration of Logstash Outputs & Fleet Host URLs.
         global: True
-        helpLink: elastic-fleet.html
+        helpLink: elastic-fleet
         advanced: True
       endpoints_enrollment:
         description: Endpoint enrollment key.
         global: True
-        helpLink: elastic-fleet.html
+        helpLink: elastic-fleet
         sensitive: True
         advanced: True
       es_token:
         description: Elastic auth token.
         global: True
-        helpLink: elastic-fleet.html
+        helpLink: elastic-fleet
         sensitive: True
         advanced: True
       grid_enrollment:
         description: Grid enrollment key.
         global: True
-        helpLink: elastic-fleet.html
+        helpLink: elastic-fleet
         sensitive: True
         advanced: True
   optional_integrations:
@@ -125,57 +125,57 @@ elasticfleet:
       enabled_nodes:
         description: Fleet nodes with the Sublime Platform integration enabled. Enter one per line.
         global: True
-        helpLink: elastic-fleet.html
+        helpLink: elastic-fleet
         advanced: True
         forcedType: "[]string"
       api_key:
         description: API key for Sublime Platform.
         global: True
-        helpLink: elastic-fleet.html
+        helpLink: elastic-fleet
         advanced: True
         forcedType: string
         sensitive: True
       base_url:
         description: Base URL for Sublime Platform.
         global: True
-        helpLink: elastic-fleet.html
+        helpLink: elastic-fleet
         advanced: True
         forcedType: string
       poll_interval:
         description: Poll interval for alerts from Sublime Platform.
         global: True
-        helpLink: elastic-fleet.html
+        helpLink: elastic-fleet
         advanced: True
         forcedType: string
       limit:
         description: The maximum number of message groups to return from Sublime Platform.
         global: True
-        helpLink: elastic-fleet.html
+        helpLink: elastic-fleet
         advanced: True
         forcedType: int
     kismet:
       base_url:
         description: Base URL for Kismet.
         global: True
-        helpLink: elastic-fleet.html
+        helpLink: elastic-fleet
         advanced: True
         forcedType: string
       poll_interval:
         description: Poll interval for wireless device data from Kismet. Integration is currently configured to return devices seen as active by any Kismet sensor within the last 10 minutes.
         global: True
-        helpLink: elastic-fleet.html
+        helpLink: elastic-fleet
         advanced: True
         forcedType: string
       api_key:
         description: API key for Kismet.
         global: True
-        helpLink: elastic-fleet.html
+        helpLink: elastic-fleet
         advanced: True
         forcedType: string
         sensitive: True
       enabled_nodes:
         description: Fleet nodes with the Kismet integration enabled. Enter one per line.
         global: True
-        helpLink: elastic-fleet.html
+        helpLink: elastic-fleet
         advanced: True
         forcedType: "[]string"

salt/elasticsearch/config.map.jinja

@@ -6,8 +6,6 @@
 {% from 'vars/globals.map.jinja' import GLOBALS %}
 {% import_yaml 'elasticsearch/defaults.yaml' as ELASTICSEARCHDEFAULTS with context %}
 
-{% set HIGHLANDER = salt['pillar.get']('global:highlander', False) %}
-
 {# this is a list of dicts containing hostname:ip for elasticsearch nodes that need to know about each other for cluster #}
 {% set ELASTICSEARCH_SEED_HOSTS = [] %}
 {% set node_data = salt['pillar.get']('elasticsearch:nodes', {GLOBALS.role.split('-')[1]: {GLOBALS.hostname: {'ip': GLOBALS.node_ip}}}) %}
@@ -36,14 +34,8 @@
       {% endfor %}
     {% endif %}
 {% elif grains.id.split('_') | last == 'searchnode' %}
-  {% if HIGHLANDER %}
-        {% do ELASTICSEARCHDEFAULTS.elasticsearch.config.node.roles.extend(['ml', 'master', 'transform']) %}
-  {% endif %}
   {% do ELASTICSEARCHDEFAULTS.elasticsearch.config.update({'discovery': {'seed_hosts': [GLOBALS.manager]}}) %}
 {% endif %}
-{% if HIGHLANDER %}
-      {% do ELASTICSEARCHDEFAULTS.elasticsearch.config.xpack.ml.update({'enabled': true}) %}
-{% endif %}
 
 {% do ELASTICSEARCHDEFAULTS.elasticsearch.config.node.update({'name': GLOBALS.hostname}) %}
 {% do ELASTICSEARCHDEFAULTS.elasticsearch.config.cluster.update({'name': GLOBALS.hostname}) %}

salt/elasticsearch/config.sls

@@ -10,7 +10,7 @@
 
 vm.max_map_count:
   sysctl.present:
-    - value: 262144
+    - value: {{ ELASTICSEARCHMERGED.vm.max_map_count }}
 
 # Add ES Group
 elasticsearchgroup:
@@ -98,10 +98,6 @@ esrolesdir:
     - group: 939
     - makedirs: True
 
-eslibdir:
-  file.absent:
-    - name: /opt/so/conf/elasticsearch/lib
-
 esingestdynamicconf:
   file.recurse:
     - name: /opt/so/conf/elasticsearch/ingest
@@ -119,11 +115,6 @@ esingestconf:
     - group: 939
     - show_changes: False
 
-# Remove .fleet_final_pipeline-1 because we are using global@custom now
-so-fleet-final-pipeline-remove:
-  file.absent:
-    - name: /opt/so/conf/elasticsearch/ingest/.fleet_final_pipeline-1
-
 # Auto-generate Elasticsearch ingest node pipelines from pillar
 {% for pipeline, config in ELASTICSEARCHMERGED.pipelines.items() %}
 es_ingest_conf_{{pipeline}}:

salt/elasticsearch/defaults.yaml

@@ -2,6 +2,8 @@ elasticsearch:
   enabled: false
   version: 9.0.8
   index_clean: true
+  vm:
+    max_map_count: 1048576
   config:
     action:
       destructive_requires_name: true

salt/elasticsearch/files/ingest/common

@@ -1,5 +1,3 @@
-{%- set HIGHLANDER = salt['pillar.get']('global:highlander', False) -%}
-{%- raw -%}
 {
   "description" : "common",
   "processors" : [
@@ -67,19 +65,7 @@
     { "append":          { "if": "ctx.dataset_tag_temp != null", "field": "tags", "value": "{{dataset_tag_temp.1}}"  } },
     { "grok":            { "if": "ctx.http?.response?.status_code != null", "field": "http.response.status_code", "patterns": ["%{NUMBER:http.response.status_code:long} %{GREEDYDATA}"]} },
     { "set":             { "if": "ctx?.metadata?.kafka != null" , "field": "kafka.id", "value": "{{metadata.kafka.partition}}{{metadata.kafka.offset}}{{metadata.kafka.timestamp}}", "ignore_failure": true } },
-    { "remove":          { "field": [ "message2", "type", "fields", "category", "module", "dataset", "dataset_tag_temp", "event.dataset_temp" ], "ignore_missing": true, "ignore_failure": true } }
-{%- endraw %}
-{%- if HIGHLANDER %}
-    ,
-    {
-      "pipeline": {
-        "name": "ecs"
-      }
-    }
-{%- endif %}
-{%- raw %}
-    ,
+    { "remove":          { "field": [ "message2", "type", "fields", "category", "module", "dataset", "dataset_tag_temp", "event.dataset_temp" ], "ignore_missing": true, "ignore_failure": true } },
     { "pipeline": { "name": "global@custom", "ignore_missing_pipeline": true, "description": "[Fleet] Global pipeline for all data streams" } }
   ]
 }
-{% endraw %}

salt/elasticsearch/soc_elasticsearch.yaml

@@ -2,7 +2,7 @@ elasticsearch:
   enabled:
     description: Enables or disables the Elasticsearch process. This process provides the log event storage system. WARNING - Disabling this process is unsupported.
     advanced: True
-    helpLink: elasticsearch.html
+    helpLink: elasticsearch
   version:
     description: "This specifies the version of the following containers: so-elastic-fleet-package-registry, so-elastic-agent, so-elastic-fleet, so-kibana, so-logstash and so-elasticsearch. Modifying this value in the Elasticsearch defaults.yaml will result in catastrophic grid failure."
     readonly: True
@@ -10,15 +10,20 @@ elasticsearch:
     advanced: True
   esheap:
     description: Specify the memory heap size in (m)egabytes for Elasticsearch.
-    helpLink: elasticsearch.html
+    helpLink: elasticsearch
   index_clean:
     description: Determines if indices should be considered for deletion by available disk space in the cluster. Otherwise, indices will only be deleted by the age defined in the ILM settings. This setting only applies to EVAL, STANDALONE, and HEAVY NODE installations. Other installations can only use ILM settings.
     forcedType: bool
-    helpLink: elasticsearch.html
+    helpLink: elasticsearch
+  vm:
+    max_map_count:
+      description: The maximum number of memory map areas a process may use. Elasticsearch uses a mmapfs directory by default to store its indices. The default operating system limits on mmap counts could be too low, which may result in out of memory exceptions.
+      forcedType: int
+      helpLink: elasticsearch
   retention: 
     retention_pct:
       decription: Total percentage of space used by Elasticsearch for multi node clusters
-      helpLink: elasticsearch.html
+      helpLink: elasticsearch
       global: True
   config:
     cluster:
@@ -26,55 +31,55 @@ elasticsearch:
         description: The name of the Security Onion Elasticsearch cluster, for identification purposes.
         readonly: True
         global: True
-        helpLink: elasticsearch.html
+        helpLink: elasticsearch
       logsdb:
         enabled:
           description: Enables or disables the Elasticsearch logsdb index mode. When enabled, most logs-* datastreams will convert to logsdb from standard after rolling over.
           forcedType: bool
           global: True
           advanced: True
-          helpLink: elasticsearch.html
+          helpLink: elasticsearch
       routing:
         allocation:
           disk:
             threshold_enabled: 
               description: Specifies whether the Elasticsearch node will monitor the available disk space for low disk space conditions and take action to protect the cluster.
-              helpLink: elasticsearch.html
+              helpLink: elasticsearch
             watermark:
               low: 
                 description: The lower percentage of used disk space representing a healthy node.
-                helpLink: elasticsearch.html
+                helpLink: elasticsearch
               high: 
                 description: The higher percentage of used disk space representing an unhealthy node.
-                helpLink: elasticsearch.html
+                helpLink: elasticsearch
               flood_stage: 
                 description: The max percentage of used disk space that will cause the node to take protective actions, such as blocking incoming events.
-                helpLink: elasticsearch.html
+                helpLink: elasticsearch
     script:
       max_compilations_rate: 
         description: Max rate of script compilations permitted in the Elasticsearch cluster. Larger values will consume more resources.
         global: True
-        helpLink: elasticsearch.html
+        helpLink: elasticsearch
     indices:
       query:
         bool:
           max_clause_count: 
             description: Max number of boolean clauses per query.
             global: True
-            helpLink: elasticsearch.html
+            helpLink: elasticsearch
   pipelines:
     custom001: &pipelines
       description:
         description: Description of the ingest node pipeline
         global: True
         advanced: True
-        helpLink: elasticsearch.html
+        helpLink: elasticsearch
       processors:
         description: Processors for the ingest node pipeline
         global: True
         advanced: True
         multiline: True
-        helpLink: elasticsearch.html
+        helpLink: elasticsearch
     custom002: *pipelines
     custom003: *pipelines
     custom004: *pipelines
@@ -94,24 +99,24 @@ elasticsearch:
                 description: Number of replicas required for all indices. Multiple replicas protects against data loss, but also increases storage costs. This setting will be applied to all indices.
                 forcedType: int
                 global: True
-                helpLink: elasticsearch.html
+                helpLink: elasticsearch
               refresh_interval: 
                 description: Seconds between index refreshes. Shorter intervals can cause query performance to suffer since this is a synchronous and resource-intensive operation.
                 global: True
-                helpLink: elasticsearch.html
+                helpLink: elasticsearch
               number_of_shards: 
                 description: Number of shards required for this index. Using multiple shards increases fault tolerance, but also increases storage and network costs.
                 global: True
-                helpLink: elasticsearch.html
+                helpLink: elasticsearch
               sort:
                 field:
                   description: The field to sort by. Must set index_sorting to True.
                   global: True
-                  helpLink: elasticsearch.html
+                  helpLink: elasticsearch
                 order:
                   description: The order to sort by. Must set index_sorting to True.
                   global: True
-                  helpLink: elasticsearch.html
+                  helpLink: elasticsearch
       policy:
         phases:
           hot:
@@ -121,16 +126,16 @@ elasticsearch:
                   description: Priority of index. This is used for recovery after a node restart. Indices with higher priorities are recovered before indices with lower priorities.
                   forcedType: int
                   global: True
-                  helpLink: elasticsearch.html
+                  helpLink: elasticsearch
               rollover:
                 max_age:
                   description: Maximum age of index.  Once an index reaches this limit, it will be rolled over into a new index.
                   global: True
-                  helpLink: elasticsearch.html
+                  helpLink: elasticsearch
                 max_primary_shard_size:
                   description: Maximum primary shard size. Once an index reaches this limit, it will be rolled over into a new index.
                   global: True
-                  helpLink: elasticsearch.html
+                  helpLink: elasticsearch
               shrink:
                 method:
                   description: Shrink the index to a new index with fewer primary shards. Shrink operation is by count or size.
@@ -178,13 +183,13 @@ elasticsearch:
               regex: ^[0-9]{1,5}d$
               forcedType: string
               global: True
-              helpLink: elasticsearch.html
+              helpLink: elasticsearch
             actions:
               set_priority:
                 priority:
                   description: Used for index recovery after a node restart. Indices with higher priorities are recovered before indices with lower priorities.
                   global: True
-                  helpLink: elasticsearch.html
+                  helpLink: elasticsearch
               allocate:
                 number_of_replicas:
                   description: Set the number of replicas. Remains the same as the previous phase by default.
@@ -197,14 +202,14 @@ elasticsearch:
               regex: ^[0-9]{1,5}d$
               forcedType: string
               global: True
-              helpLink: elasticsearch.html
+              helpLink: elasticsearch
             actions:
               set_priority:
                 priority:
                   description: Priority of index. This is used for recovery after a node restart. Indices with higher priorities are recovered before indices with lower priorities.
                   forcedType: int
                   global: True
-                  helpLink: elasticsearch.html
+                  helpLink: elasticsearch
               shrink:
                 method:
                   description: Shrink the index to a new index with fewer primary shards. Shrink operation is by count or size.
@@ -257,13 +262,13 @@ elasticsearch:
               regex: ^[0-9]{1,5}d$
               forcedType: string
               global: True
-              helpLink: elasticsearch.html
+              helpLink: elasticsearch
     so-logs: &indexSettings
       index_sorting: 
         description: Sorts the index by event time, at the cost of additional processing resource consumption.
         global: True
         advanced: True
-        helpLink: elasticsearch.html
+        helpLink: elasticsearch
       index_template:
         index_patterns:
           description: Patterns for matching multiple indices or tables.
@@ -271,7 +276,7 @@ elasticsearch:
           multiline: True
           global: True
           advanced: True
-          helpLink: elasticsearch.html
+          helpLink: elasticsearch
         template:
           settings:
             index:
@@ -280,35 +285,35 @@ elasticsearch:
                 forcedType: int
                 global: True
                 advanced: True
-                helpLink: elasticsearch.html
+                helpLink: elasticsearch
               mapping:
                 total_fields:
                   limit:
                     description: Max number of fields that can exist on a single index. Larger values will consume more resources.
                     global: True
                     advanced: True
-                    helpLink: elasticsearch.html
+                    helpLink: elasticsearch
               refresh_interval: 
                 description: Seconds between index refreshes. Shorter intervals can cause query performance to suffer since this is a synchronous and resource-intensive operation.
                 global: True
                 advanced: True
-                helpLink: elasticsearch.html
+                helpLink: elasticsearch
               number_of_shards: 
                 description: Number of shards required for this index. Using multiple shards increases fault tolerance, but also increases storage and network costs.
                 global: True
                 advanced: True
-                helpLink: elasticsearch.html
+                helpLink: elasticsearch
               sort:
                 field:
                   description: The field to sort by. Must set index_sorting to True.
                   global: True
                   advanced: True
-                  helpLink: elasticsearch.html
+                  helpLink: elasticsearch
                 order:
                   description: The order to sort by. Must set index_sorting to True.
                   global: True
                   advanced: True
-                  helpLink: elasticsearch.html
+                  helpLink: elasticsearch
           mappings:
             _meta:
               package:
@@ -316,43 +321,43 @@ elasticsearch:
                   description: Meta settings for the mapping.
                   global: True
                   advanced: True
-                  helpLink: elasticsearch.html
+                  helpLink: elasticsearch
               managed_by:
                   description: Meta settings for the mapping.
                   global: True
                   advanced: True
-                  helpLink: elasticsearch.html
+                  helpLink: elasticsearch
               managed:
                   description: Meta settings for the mapping.
                   forcedType: bool
                   global: True
                   advanced: True
-                  helpLink: elasticsearch.html
+                  helpLink: elasticsearch
         composed_of:
           description: The index template is composed of these component templates.
           forcedType: "[]string"
           global: True
           advanced: True
-          helpLink: elasticsearch.html
+          helpLink: elasticsearch
         priority:
           description: The priority of the index template.
           forcedType: int
           global: True
           advanced: True
-          helpLink: elasticsearch.html
+          helpLink: elasticsearch
         data_stream:
           hidden:
             description: Hide the data stream.
             forcedType: bool
             global: True
             advanced: True
-            helpLink: elasticsearch.html
+            helpLink: elasticsearch
           allow_custom_routing:
             description: Allow custom routing for the data stream.
             forcedType: bool
             global: True
             advanced: True
-            helpLink: elasticsearch.html
+            helpLink: elasticsearch
       policy:
         phases:
           hot:
@@ -360,7 +365,7 @@ elasticsearch:
               description: Minimum age of index. This determines when the index should be moved to the hot tier.
               global: True
               advanced: True
-              helpLink: elasticsearch.html
+              helpLink: elasticsearch
             actions:
               set_priority:
                 priority:
@@ -368,18 +373,18 @@ elasticsearch:
                   forcedType: int
                   global: True
                   advanced: True
-                  helpLink: elasticsearch.html
+                  helpLink: elasticsearch
               rollover:
                 max_age:
                   description: Maximum age of index.  Once an index reaches this limit, it will be rolled over into a new index.
                   global: True
                   advanced: True
-                  helpLink: elasticsearch.html
+                  helpLink: elasticsearch
                 max_primary_shard_size:
                   description: Maximum primary shard size. Once an index reaches this limit, it will be rolled over into a new index.
                   global: True
                   advanced: True
-                  helpLink: elasticsearch.html
+                  helpLink: elasticsearch
               shrink:
                 method:
                   description: Shrink the index to a new index with fewer primary shards. Shrink operation is by count or size.
@@ -428,7 +433,7 @@ elasticsearch:
               forcedType: string
               global: True
               advanced: True
-              helpLink: elasticsearch.html
+              helpLink: elasticsearch
             actions:
               set_priority:
                 priority:
@@ -436,18 +441,18 @@ elasticsearch:
                   forcedType: int
                   global: True
                   advanced: True
-                  helpLink: elasticsearch.html
+                  helpLink: elasticsearch
               rollover:
                 max_age:
                   description: Maximum age of index.  Once an index reaches this limit, it will be rolled over into a new index.
                   global: True
                   advanced: True
-                  helpLink: elasticsearch.html
+                  helpLink: elasticsearch
                 max_primary_shard_size:
                   description: Maximum primary shard size. Once an index reaches this limit, it will be rolled over into a new index.
                   global: True
                   advanced: True
-                  helpLink: elasticsearch.html
+                  helpLink: elasticsearch
               shrink:
                 method:
                   description: Shrink the index to a new index with fewer primary shards. Shrink operation is by count or size.
@@ -501,7 +506,7 @@ elasticsearch:
               forcedType: string
               global: True
               advanced: True
-              helpLink: elasticsearch.html
+              helpLink: elasticsearch
             actions:
               set_priority:
                 priority:
@@ -509,7 +514,7 @@ elasticsearch:
                   forcedType: int
                   global: True
                   advanced: True
-                  helpLink: elasticsearch.html
+                  helpLink: elasticsearch
               allocate:
                 number_of_replicas:
                   description: Set the number of replicas. Remains the same as the previous phase by default.
@@ -523,25 +528,25 @@ elasticsearch:
               forcedType: string
               global: True
               advanced: True
-              helpLink: elasticsearch.html
+              helpLink: elasticsearch
         _meta:
           package:
             name:
               description: Meta settings for the mapping.
               global: True
               advanced: True
-              helpLink: elasticsearch.html
+              helpLink: elasticsearch
           managed_by:
             description: Meta settings for the mapping.
             global: True
             advanced: True
-            helpLink: elasticsearch.html
+            helpLink: elasticsearch
           managed:
             description: Meta settings for the mapping.
             forcedType: bool
             global: True
             advanced: True
-            helpLink: elasticsearch.html
+            helpLink: elasticsearch
     so-logs-system_x_auth: *indexSettings
     so-logs-system_x_syslog: *indexSettings
     so-logs-system_x_system: *indexSettings
@@ -606,18 +611,18 @@ elasticsearch:
         description: Sorts the index by event time, at the cost of additional processing resource consumption.
         advanced: True
         readonly: True
-        helpLink: elasticsearch.html
+        helpLink: elasticsearch
       index_template:
         ignore_missing_component_templates:
           description: Ignore component templates if they aren't in Elasticsearch.
           advanced: True
           readonly: True
-          helpLink: elasticsearch.html
+          helpLink: elasticsearch
         index_patterns:
           description: Patterns for matching multiple indices or tables.
           advanced: True
           readonly: True
-          helpLink: elasticsearch.html
+          helpLink: elasticsearch
         template:
           settings:
             index:
@@ -625,33 +630,33 @@ elasticsearch:
                 description: Type of mode used for this index. Time series indices can be used for metrics to reduce necessary storage.
                 advanced: True
                 readonly: True
-                helpLink: elasticsearch.html
+                helpLink: elasticsearch
               number_of_replicas:
                 description: Number of replicas required for this index. Multiple replicas protects against data loss, but also increases storage costs.
                 advanced: True
                 readonly: True
-                helpLink: elasticsearch.html
+                helpLink: elasticsearch
         composed_of:
           description: The index template is composed of these component templates.
           advanced: True
           readonly: True
-          helpLink: elasticsearch.html
+          helpLink: elasticsearch
         priority:
           description: The priority of the index template.
           advanced: True
           readonly: True
-          helpLink: elasticsearch.html
+          helpLink: elasticsearch
         data_stream:
           hidden:
             description: Hide the data stream.
             advanced: True
             readonly: True
-            helpLink: elasticsearch.html
+            helpLink: elasticsearch
           allow_custom_routing:
             description: Allow custom routing for the data stream.
             advanced: True
             readonly: True
-            helpLink: elasticsearch.html
+            helpLink: elasticsearch
     so-metrics-fleet_server_x_agent_versions: *fleetMetricsSettings
   so_roles:
     so-manager: &soroleSettings
@@ -662,7 +667,7 @@ elasticsearch:
             forcedType: "[]string"
             global: False
             advanced: True
-            helpLink: elasticsearch.html
+            helpLink: elasticsearch
     so-managersearch: *soroleSettings
     so-standalone: *soroleSettings
     so-searchnode: *soroleSettings

salt/firewall/init.sls

@@ -27,14 +27,12 @@ iptables_config:
     - source: salt://firewall/iptables.jinja
     - template: jinja
 
-{%   if grains.os_family == 'RedHat' %}
 disable_firewalld:
   service.dead:
     - name: firewalld
     - enable: False
     - require:
       - file: iptables_config
-{%   endif %}
 
 iptables_restore:
   cmd.run:
@@ -44,7 +42,6 @@ iptables_restore:
     - onlyif:
       - iptables-restore --test {{ iptmap.configfile }}
 
-{%   if grains.os_family == 'RedHat' %}
 enable_firewalld:
   service.running:
     - name: firewalld
@@ -52,7 +49,6 @@ enable_firewalld:
     - onfail:
       - file: iptables_config
       - cmd: iptables_restore
-{%   endif %}
 
 {% else %}
 

salt/firewall/ipt.map.jinja

@@ -1,14 +1,6 @@
-{% set iptmap = salt['grains.filter_by']({
-    'Debian': {
-        'service': 'netfilter-persistent',
-        'iptpkg': 'iptables',
-        'persistpkg': 'iptables-persistent',
-        'configfile': '/etc/iptables/rules.v4'
-    },
-    'RedHat': {
-        'service': 'iptables',
-        'iptpkg': 'iptables-nft',
-        'persistpkg': 'iptables-nft-services',
-        'configfile': '/etc/sysconfig/iptables'
-    },
-}) %}
+{% set iptmap = {
+    'service': 'iptables',
+    'iptpkg': 'iptables-nft',
+    'persistpkg': 'iptables-nft-services',
+    'configfile': '/etc/sysconfig/iptables'
+} %}

salt/firewall/soc_firewall.yaml

@@ -3,7 +3,7 @@ firewall:
     analyst: &hostgroupsettings
       description: List of IP or CIDR blocks to allow access to this hostgroup.
       forcedType: "[]string"
-      helpLink: firewall.html
+      helpLink: firewall
       multiline: True
       regex: ^(([0-9]{1,3}\.){3}[0-9]{1,3}(\/([0-9]|[1-2][0-9]|3[0-2]))?)?$
       regexFailureMessage: You must enter a valid IP address or CIDR.
@@ -11,7 +11,7 @@ firewall:
     anywhere: &hostgroupsettingsadv
       description: List of IP or CIDR blocks to allow access to this hostgroup.
       forcedType: "[]string"
-      helpLink: firewall.html
+      helpLink: firewall
       multiline: True
       advanced: True
       regex: ^(([0-9]{1,3}\.){3}[0-9]{1,3}(\/([0-9]|[1-2][0-9]|3[0-2]))?)?$
@@ -22,7 +22,7 @@ firewall:
     dockernet: &ROhostgroupsettingsadv
       description: List of IP or CIDR blocks to allow access to this hostgroup.
       forcedType: "[]string"
-      helpLink: firewall.html
+      helpLink: firewall
       multiline: True
       advanced: True
       readonly: True
@@ -53,7 +53,7 @@ firewall:
     customhostgroup0: &customhostgroupsettings
       description: List of IP or CIDR blocks to allow to this hostgroup.
       forcedType: "[]string"
-      helpLink: firewall.html
+      helpLink: firewall
       advanced: True
       multiline: True
       regex: ^(([0-9]{1,3}\.){3}[0-9]{1,3}(\/([0-9]|[1-2][0-9]|3[0-2]))?)?$
@@ -73,14 +73,14 @@ firewall:
       tcp: &tcpsettings
         description: List of TCP ports for this port group.
         forcedType: "[]string"
-        helpLink: firewall.html
+        helpLink: firewall
         advanced: True
         multiline: True
         duplicates: True
       udp: &udpsettings
         description: List of UDP ports for this port group.
         forcedType: "[]string"
-        helpLink: firewall.html
+        helpLink: firewall
         advanced: True
         multiline: True
         duplicates: True
@@ -206,7 +206,7 @@ firewall:
                 advanced: True
                 multiline: True
                 forcedType: "[]string"
-                helpLink: firewall.html
+                helpLink: firewall
                 duplicates: True
             sensor:
               portgroups: *portgroupsdocker
@@ -262,7 +262,7 @@ firewall:
                 advanced: True
                 multiline: True
                 forcedType: "[]string"
-                helpLink: firewall.html
+                helpLink: firewall
                 duplicates: True
             dockernet: 
               portgroups: *portgroupshost

salt/host/soc_host.yaml

@@ -1,7 +1,7 @@
 host:
   mainint:
     description: Main interface of the grid host.
-    helpLink: host.html    
+    helpLink: ip-address
   mainip:
     description: Main IP address of the grid host.
-    helpLink: host.html
+    helpLink: ip-address

salt/hydra/enabled.sls

@@ -67,7 +67,7 @@ delete_so-hydra_so-status.disabled:
 
 wait_for_hydra:
   http.wait_for_successful_query:
-    - name: 'http://{{ GLOBALS.manager }}:4444/'
+    - name: 'http://{{ GLOBALS.manager }}:4444/health/alive'
     - ssl: True
     - verify_ssl: False
     - status:

salt/hydra/soc_hydra.yaml

@@ -1,7 +1,7 @@
 hydra:
   enabled:
     description: Enables or disables the API authentication system, used for service account authentication. Enabling this feature requires a valid Security Onion license key. Defaults to False. 
-    helpLink: connect.html
+    helpLink: connect-api
     global: True
   config:
     ttl:
@@ -9,16 +9,16 @@ hydra:
         description: Amount of time that the generated access token will be valid. Specified in the form of 2h, which means 2 hours.
         global: True
         forcedType: string
-        helpLink: connect.html
+        helpLink: connect-api
     log:
       level: 
         description: Log level to use for Kratos logs.
         global: True
-        helpLink: connect.html
+        helpLink: connect-api
       format: 
         description: Log output format for Kratos logs.
         global: True
-        helpLink: connect.html
+        helpLink: connect-api
     secrets:
       system: 
         description: Secrets used for token generation. Generated during installation.
@@ -26,4 +26,4 @@ hydra:
         sensitive: True
         advanced: True
         forcedType: "[]string"
-        helpLink: connect.html
+        helpLink: connect-api

salt/idh/openssh/config.sls

@@ -3,7 +3,6 @@
 include:
   - idh.openssh
 
-{% if grains.os_family == 'RedHat' %}
 idh_sshd_selinux:
   selinux.port_policy_present:
     - port: {{ openssh_map.config.port }}
@@ -13,7 +12,6 @@ idh_sshd_selinux:
       - file: openssh_config
     - require:
       - pkg: python_selinux_mgmt_tools
-{% endif %}
 
 openssh_config:
   file.replace:

salt/idh/openssh/init.sls

@@ -16,8 +16,6 @@ openssh:
     - name: {{ openssh_map.service }}
   {% endif %}
 
-{% if grains.os_family == 'RedHat' %}
 python_selinux_mgmt_tools:
   pkg.installed:
     - name: policycoreutils-python-utils
-{% endif %}

salt/idh/soc_idh.yaml

@@ -1,7 +1,7 @@
 idh:
   enabled:
     description: Enables or disables the Intrusion Detection Honeypot (IDH) process. 
-    helpLink: idh.html
+    helpLink: idh
   opencanary:
     config:
       logger:
@@ -10,7 +10,7 @@ idh:
           readonly: True
           advanced: True
           global: True
-          helpLink: idh.html
+          helpLink: idh
         kwargs:
             formatters:
               plain:
@@ -24,53 +24,53 @@ idh:
                   filename: *loggingOptions
       portscan_x_enabled: &serviceOptions
         description: To enable this opencanary module, set this value to true. To disable set to false. This option only applies to IDH nodes within your grid.
-        helpLink: idh.html
+        helpLink: idh
       portscan_x_logfile: *loggingOptions
       portscan_x_synrate:
         description: Portscan - syn rate limiting
         advanced: True
-        helpLink: idh.html 
+        helpLink: idh 
       portscan_x_nmaposrate:
         description: Portscan - nmap OS rate limiting
         advanced: True
-        helpLink: idh.html  
+        helpLink: idh  
       portscan_x_lorate: 
         description: Portscan - lo rate limiting
         advanced: True
-        helpLink: idh.html 
+        helpLink: idh 
       tcpbanner_x_maxnum:
         description:  Portscan - maxnum
         advanced: True
-        helpLink: idh.html 
+        helpLink: idh 
       tcpbanner_x_enabled: *serviceOptions
       tcpbanner_1_x_enabled: *serviceOptions
       tcpbanner_1_x_port: &portOptions
         description: Port the service should listen on.
         advanced: True
-        helpLink: idh.html
+        helpLink: idh
       tcpbanner_1_x_datareceivedbanner: &bannerOptions
         description: Data Received Banner
         advanced: True
-        helpLink: idh.html 
+        helpLink: idh 
       tcpbanner_1_x_initbanner: *bannerOptions
       tcpbanner_1_x_alertstring_x_enabled: *serviceOptions
       tcpbanner_1_x_keep_alive_x_enabled: *serviceOptions
       tcpbanner_1_x_keep_alive_secret:
         description: Keep Alive Secret
         advanced: True
-        helpLink: idh.html 
+        helpLink: idh 
       tcpbanner_1_x_keep_alive_probes:
         description: Keep Alive Probes
         advanced: True
-        helpLink: idh.html  
+        helpLink: idh  
       tcpbanner_1_x_keep_alive_interval:
         description: Keep Alive Interval
         advanced: True
-        helpLink: idh.html 
+        helpLink: idh 
       tcpbanner_1_x_keep_alive_idle:
         description: Keep Alive Idle
         advanced: True
-        helpLink: idh.html 
+        helpLink: idh 
       ftp_x_enabled: *serviceOptions
       ftp_x_port: *portOptions
       ftp_x_banner: *bannerOptions
@@ -82,11 +82,11 @@ idh:
       http_x_skin: &skinOptions
         description: HTTP skin
         advanced: True
-        helpLink: idh.html
+        helpLink: idh
       http_x_skinlist: &skinlistOptions
         description: List of skins to use for the service.
         advanced: True
-        helpLink: idh.html
+        helpLink: idh
       httpproxy_x_enabled: *serviceOptions
       httpproxy_x_port: *portOptions
       httpproxy_x_skin: *skinOptions
@@ -95,7 +95,7 @@ idh:
       mssql_x_version: &versionOptions
         description: Specify the version the service should present.
         advanced: True
-        helpLink: idh.html
+        helpLink: idh
       mssql_x_port: *portOptions
       mysql_x_enabled: *serviceOptions
       mysql_x_port: *portOptions
@@ -119,7 +119,7 @@ idh:
       telnet_x_honeycreds:
         description: Credentials list for the telnet service.
         advanced: True
-        helpLink: idh.html
+        helpLink: idh
       tftp_x_enabled: *serviceOptions
       tftp_x_port: *portOptions
       vnc_x_enabled: *serviceOptions
@@ -127,8 +127,8 @@ idh:
   openssh:
     enable: 
       description: This is the real SSH service for the host machine.
-      helpLink: idh.html
+      helpLink: idh
     config:
       port:
         description: Port that the real SSH service will listen on and will only be accessible from the manager.
-        helpLink: idh.html
+        helpLink: idh

salt/influxdb/soc_influxdb.yaml

@@ -1,358 +1,358 @@
 influxdb:
   enabled:
     description: Enables the grid metrics collection storage system. Security Onion grid health monitoring requires this process to remain enabled. WARNING - Disabling the process is unsupported, and will cause unexpected results.
-    helpLink: influxdb.html
+    helpLink: influxdb
   config:
     assets-path:
       description: Path to the InfluxDB user interface assets located inside the so-influxdb container.
       global: True
       advanced: True
-      helpLink: influxdb.html
+      helpLink: influxdb
     bolt-path:
       description: Path to the bolt DB file located inside the so-influxdb container.
       global: True
       advanced: True
-      helpLink: influxdb.html
+      helpLink: influxdb
     engine-path:
       description: Path to the engine directory located inside the so-influxdb container. This directory stores the time series data.
       global: True
       advanced: True
-      helpLink: influxdb.html
+      helpLink: influxdb
     feature-flags:
       description: List of key=value flags to enable.
       global: True
       advanced: True
-      helpLink: influxdb.html
+      helpLink: influxdb
     flux-log-enabled:
       description: Controls whether detailed flux query logging is enabled.
       global: True
       advanced: True
-      helpLink: influxdb.html
+      helpLink: influxdb
     hardening-enabled:
       description: If true, enforces outbound connections from the InfluxDB process must never attempt to reach an internal, private network address.
       global: True
       advanced: True
-      helpLink: influxdb.html
+      helpLink: influxdb
     http-bind-address:
       description: The URL and port on which InfluxDB will listen for new connections.
       global: True
       advanced: True
-      helpLink: influxdb.html
+      helpLink: influxdb
     http-idle-timeout:
       description: Keep-alive timeout while a connection waits for new requests. A value of 0 is the same as no timeout enforced.
       global: True
       advanced: True
-      helpLink: influxdb.html
+      helpLink: influxdb
     http-read-header-timeout:
       description: The duration to wait for a request header before closing the connection. A value of 0 is the same as no timeout enforced.
       global: True
       advanced: True
-      helpLink: influxdb.html
+      helpLink: influxdb
     http-read-timeout:
       description: The duration to wait for the request to be fully read before closing the connection. A value of 0 is the same as no timeout enforced.
       global: True
       advanced: True
-      helpLink: influxdb.html
+      helpLink: influxdb
     http-write-timeout:
       description: The duration to wait for the response to be fully written before closing the connection. A value of 0 is the same as no timeout enforced.
       global: True
       advanced: True
-      helpLink: influxdb.html
+      helpLink: influxdb
     influxql-max-select-buckets:
       description: Maximum number of group-by clauses in a SELECT statement. A value of 0 is the same as unlimited.
       global: True
       advanced: True
-      helpLink: influxdb.html
+      helpLink: influxdb
     influxql-max-select-point:
       description: Maximum number of points that can be queried in a SELECT statement. A value of 0 is the same as unlimited.
       global: True
       advanced: True
-      helpLink: influxdb.html
+      helpLink: influxdb
     influxql-max-select-series:
       description: Maximum number of series that can be returned in a SELECT statement. A value of 0 is the same as unlimited.
       global: True
       advanced: True
-      helpLink: influxdb.html
+      helpLink: influxdb
     instance-id:
       description: Unique instance ID for this server, to avoid collisions in a replicated cluster.
       global: True
       advanced: True
-      helpLink: influxdb.html
+      helpLink: influxdb
     log-level:
       description: The log level to use for outputting log statements. Allowed values are debug, info, or error.
       global: True
       advanced: false
       regex: ^(info|debug|error)$
-      helpLink: influxdb.html
+      helpLink: influxdb
     metrics-disabled:
       description: If true, the HTTP endpoint that exposes internal InfluxDB metrics will be inaccessible.
       global: True
       advanced: True
-      helpLink: influxdb.html
+      helpLink: influxdb
     no-tasks:
       description: If true, the task system will not process any queued tasks. Useful for troubleshooting startup problems.
       global: True
       advanced: True
-      helpLink: influxdb.html
+      helpLink: influxdb
     pprof-disabled:
       description: If true, the profiling data HTTP endpoint will be inaccessible.
       global: True
       advanced: True
-      helpLink: influxdb.html
+      helpLink: influxdb
     query-concurrency:
       description: Maximum number of queries to execute concurrently. A value of 0 is the same as unlimited.
       global: True
       advanced: True
-      helpLink: influxdb.html
+      helpLink: influxdb
     query-initial-memory-bytes:
       description: The initial number of bytes of memory to allocate for a new query.
       global: True
       advanced: True
-      helpLink: influxdb.html
+      helpLink: influxdb
     query-max-memory-bytes:
       description: The number of bytes of memory to allocate to all running queries. Should typically be the query bytes times the max concurrent queries.
       global: True
       advanced: True
-      helpLink: influxdb.html
+      helpLink: influxdb
     query-memory-bytes:
       description: Maximum number of bytes of memory to allocate to a query.
       global: True
       advanced: True
-      helpLink: influxdb.html
+      helpLink: influxdb
     query-queue-size:
       description: Maximum number of queries that can be queued at one time. If this value is reached, new queries will not be queued. A value of 0 is the same as unlimited.
       global: True
       advanced: True
-      helpLink: influxdb.html
+      helpLink: influxdb
     reporting-disabled:
       description: If true, prevents InfluxDB from sending telemetry updates to InfluxData's servers.
       global: True
       advanced: True
-      helpLink: influxdb.html
+      helpLink: influxdb
     secret-store:
       description: Determines the type of storage used for secrets. Allowed values are bolt or vault.
       global: True
       advanced: True
       regex: ^(bolt|vault)$
-      helpLink: influxdb.html
+      helpLink: influxdb
     session-length:
       description: Number of minutes that a user login session can remain authenticated. 
       global: True
       advanced: True
-      helpLink: influxdb.html
+      helpLink: influxdb
     session-renew-disabled:
       description: If true, user login sessions will renew after each request.
       global: True
       advanced: True
-      helpLink: influxdb.html
+      helpLink: influxdb
     sqlite-path:
       description: Path to the Sqlite3 database inside the container. This database stored user data and other information about the database.
       global: True
       advanced: True
-      helpLink: influxdb.html
+      helpLink: influxdb
     storage-cache-max-memory-size:
       description: Maximum number of bytes to allocate to cache data per shard. If exceeded, new data writes will be rejected.
       global: True
       advanced: True
-      helpLink: influxdb.html
+      helpLink: influxdb
     storage-cache-snapshot-memory-size:
       description: Number of bytes to allocate to cache snapshot data. When the cache reaches this size, it will be written to disk to increase available memory.
       global: True
       advanced: True
-      helpLink: influxdb.html
+      helpLink: influxdb
     storage-cache-snapshot-write-cold-duration:
       description: Duration between snapshot writes to disk when the shard data hasn't been modified.
       global: True
       advanced: True
-      helpLink: influxdb.html
+      helpLink: influxdb
     storage-compact-full-write-cold-duration:
       description: Duration between shard compactions when the shard data hasn't been modified.
       global: True
       advanced: True
-      helpLink: influxdb.html
+      helpLink: influxdb
     storage-compact-throughput-burst:
       description: Maximum throughput (number of bytes per second) that compactions be written to disk.
       global: True
       advanced: True
-      helpLink: influxdb.html
+      helpLink: influxdb
     storage-max-concurrent-compactions:
       description: Maximum number of concurrent compactions. A value of 0 is the same as half the available CPU processors (procs).
       global: True
       advanced: True
-      helpLink: influxdb.html
+      helpLink: influxdb
     storage-max-index-log-file-size:
       description: Maximum number of bytes of a write-ahead log (WAL) file before it will be compacted into an index on disk.
       global: True
       advanced: True
-      helpLink: influxdb.html
+      helpLink: influxdb
     storage-no-validate-field-size:
       description: If true, incoming requests will skip the field size validation.
       global: True
       advanced: True
-      helpLink: influxdb.html
+      helpLink: influxdb
     storage-retention-check-interval:
       description: Interval between reviewing each bucket's retention policy and the age of the associated data.
       global: True
       advanced: True
-      helpLink: influxdb.html
+      helpLink: influxdb
     storage-series-file-max-concurrent-snapshot-compactions:
       description: Maximum number of concurrent snapshot compactions across all database partitions.
       global: True
       advanced: True
-      helpLink: influxdb.html
+      helpLink: influxdb
     storage-series-id-set-cache-size:
       description: Maximum size of the series cache results. Higher values may increase performance for repeated data lookups.
       global: True
       advanced: True
-      helpLink: influxdb.html
+      helpLink: influxdb
     storage-shard-precreator-advance-period:
       description: The duration before a successor shard group is created after the end-time has been reached. 
       global: True
       advanced: True
-      helpLink: influxdb.html
+      helpLink: influxdb
     storage-shard-precreator-check-interval:
       description: Interval between checking if new shards should be created.
       global: True
       advanced: True
-      helpLink: influxdb.html
+      helpLink: influxdb
     storage-tsm-use-madv-willneed:
       description: If true, InfluxDB will manage TSM memory paging.
       global: True
       advanced: True
-      helpLink: influxdb.html
+      helpLink: influxdb
     storage-validate-keys:
       description: If true, validates incoming requests for supported characters.
       global: True
       advanced: True
-      helpLink: influxdb.html
+      helpLink: influxdb
     storage-wal-fsync-delay:
       description: Duration to wait before calling fsync. Useful for handling conflicts on slower disks.
       global: True
       advanced: True
-      helpLink: influxdb.html
+      helpLink: influxdb
     storage-wal-max-concurrent-writes:
       description: Maximum number of concurrent write-ahead log (WAL) writes to disk. The value of 0 is the same as CPU processors (procs) x 2.
       global: True
       advanced: True
-      helpLink: influxdb.html
+      helpLink: influxdb
     storage-wal-max-write-delay:
       description: Maximum duration to wait before writing the write-ahead log (WAL) to disk, when the concurrency limit has been exceeded. A value of 0 is the same as no timeout.
       global: True
       advanced: True
-      helpLink: influxdb.html
+      helpLink: influxdb
     storage-write-timeout:
       description: Maximum time to wait for a write-ahead log (WAL) to write to disk before aborting.
       global: True
       advanced: True
-      helpLink: influxdb.html
+      helpLink: influxdb
     store:
       description: The type of data store to use for HTTP resources. Allowed values are disk or memory. Memory should not be used for production Security Onion installations.
       global: True
       advanced: True
       regex: ^(disk|memory)$
-      helpLink: influxdb.html
+      helpLink: influxdb
     tls-cert: 
       description: The container path to the certificate to use for TLS encryption of the HTTP requests and responses.
       global: True
       advanced: True
-      helpLink: influxdb.html
+      helpLink: influxdb
     tls-key: 
       description: The container path to the certificate key to use for TLS encryption of the HTTP requests and responses.
       global: True
       advanced: True
-      helpLink: influxdb.html
+      helpLink: influxdb
     tls-min-version: 
       description: The minimum supported version of TLS to be enforced on all incoming HTTP requests.
       global: True
       advanced: True
-      helpLink: influxdb.html
+      helpLink: influxdb
     tls-strict-ciphers:
       description: If true, the allowed ciphers used with TLS connections are ECDHE_RSA_WITH_AES_256_GCM_SHA384, ECDHE_RSA_WITH_AES_256_CBC_SHA, RSA_WITH_AES_256_GCM_SHA384, or RSA_WITH_AES_256_CBC_SHA.
       global: True
       advanced: True
-      helpLink: influxdb.html
+      helpLink: influxdb
     tracing-type: 
       description: The tracing format for debugging purposes. Allowed values are log or jaeger, or leave blank to disable tracing.
       global: True
       advanced: True
-      helpLink: influxdb.html
+      helpLink: influxdb
     ui-disabled: 
       description: If true, the InfluxDB HTTP user interface will be disabled. This will prevent use of the included InfluxDB dashboard visualizations.
       global: True
       advanced: True
-      helpLink: influxdb.html
+      helpLink: influxdb
     vault-addr: 
       description: Vault server address.
       global: True
       advanced: True
-      helpLink: influxdb.html
+      helpLink: influxdb
     vault-cacert: 
       description: Path to the Vault's single certificate authority certificate file within the container.
       global: True
       advanced: True
-      helpLink: influxdb.html
+      helpLink: influxdb
     vault-capath: 
       description: Path to the Vault's certificate authority directory within the container.
       global: True
       advanced: True
-      helpLink: influxdb.html
+      helpLink: influxdb
     vault-client-cert: 
       description: Vault client certificate path within the container.
       global: True
       advanced: True
-      helpLink: influxdb.html
+      helpLink: influxdb
     vault-client-key: 
       description: Vault client certificate key path within the container.
       global: True
       advanced: True
-      helpLink: influxdb.html
+      helpLink: influxdb
     vault-client-timeout: 
       description: Duration to wait for a response from the Vault server before aborting.
       global: True
       advanced: True
-      helpLink: influxdb.html
+      helpLink: influxdb
     vault-max-retries:
       description: Maximum number of retries when attempting to contact the Vault server. A value of 0 is the same as disabling retries.
       global: True
       advanced: True
-      helpLink: influxdb.html
+      helpLink: influxdb
     vault-skip-verify: 
       description: Skip certification validation of the Vault server.
       global: True
       advanced: True
-      helpLink: influxdb.html
+      helpLink: influxdb
     vault-tls-server-name: 
       description: SNI host to specify when using TLS to connect to the Vault server.
       global: True
       advanced: True
-      helpLink: influxdb.html
+      helpLink: influxdb
     vault-token:   
       description: Vault token used for authentication.
       global: True
       advanced: True
-      helpLink: influxdb.html
+      helpLink: influxdb
   buckets:
     so_short_term:
       duration:
         description: Amount of time (in seconds) to keep short term data.
         global: True
-        helpLink: influxdb.html
+        helpLink: influxdb
       shard_duration:
         description: Amount of the time (in seconds) range covered by the shard group.
         global: True
-        helpLink: influxdb.html
+        helpLink: influxdb
     so_long_term:
       duration:
         description: Amount of time (in seconds) to keep long term downsampled data.
         global: True
-        helpLink: influxdb.html
+        helpLink: influxdb
       shard_duration:
         description: Amount of the time (in seconds) range covered by the shard group.
         global: True
-        helpLink: influxdb.html
+        helpLink: influxdb
   downsample:
     so_long_term:
       resolution:
         description: Amount of time to turn into a single data point.
         global: True
-        helpLink: influxdb.html
+        helpLink: influxdb

salt/kafka/soc_kafka.yaml

@@ -1,257 +1,257 @@
 kafka:
   enabled:
     description: Set to True to enable Kafka. To avoid grid problems, do not enable Kafka until the related configuration is in place. Requires a valid Security Onion license key.
-    helpLink: kafka.html
+    helpLink: kafka
   cluster_id:
     description: The ID of the Kafka cluster.
     readonly: True
     advanced: True
     sensitive: True
-    helpLink: kafka.html
+    helpLink: kafka
   controllers:
     description: A comma-separated list of hostnames that will act as Kafka controllers. These hosts will be responsible for managing the Kafka cluster. Note that only manager and receiver nodes are eligible to run Kafka. This configuration needs to be set before enabling Kafka. Failure to do so may result in Kafka topics becoming unavailable requiring manual intervention to restore functionality or reset Kafka, either of which can result in data loss.
     forcedType: string
-    helpLink: kafka.html
+    helpLink: kafka
   reset:
     description: Disable and reset the Kafka cluster. This will remove all Kafka data including logs that may have not yet been ingested into Elasticsearch and reverts the grid to using REDIS as the global pipeline. This is useful when testing different Kafka configurations such as rearranging Kafka brokers / controllers allowing you to reset the cluster rather than manually fixing any issues arising from attempting to reassign a Kafka broker into a controller. Enter 'YES_RESET_KAFKA' and submit to disable and reset Kafka. Make any configuration changes required and re-enable Kafka when ready. This action CANNOT be reversed.
     advanced: True
-    helpLink: kafka.html
+    helpLink: kafka
   logstash:
     description: By default logstash is disabled when Kafka is enabled. This option allows you to specify any hosts you would like to re-enable logstash on alongside Kafka.
     forcedType: "[]string"
     multiline: True
     advanced: True
-    helpLink: kafka.html
+    helpLink: kafka
   config:
     password:
       description: The password used for the Kafka certificates.
       readonly: True
       sensitive: True
-      helpLink: kafka.html
+      helpLink: kafka
     trustpass:
       description: The password used for the Kafka truststore.
       readonly: True
       sensitive: True
-      helpLink: kafka.html
+      helpLink: kafka
     broker:
       auto_x_create_x_topics_x_enable:
         description: Enable the auto creation of topics.
         title: auto.create.topics.enable
         forcedType: bool
-        helpLink: kafka.html
+        helpLink: kafka
       default_x_replication_x_factor:
         description: The default replication factor for automatically created topics. This value must be less than the amount of brokers in the cluster. Hosts specified in controllers should not be counted towards total broker count.
         title: default.replication.factor
         forcedType: int
-        helpLink: kafka.html
+        helpLink: kafka
       inter_x_broker_x_listener_x_name:
         description: The name of the listener used for inter-broker communication.
         title: inter.broker.listener.name
-        helpLink: kafka.html
+        helpLink: kafka
       listeners:
         description: Set of URIs that is listened on and the listener names in a comma-seperated list.
-        helpLink: kafka.html
+        helpLink: kafka
       listener_x_security_x_protocol_x_map:
         description: Comma-seperated mapping of listener name and security protocols.
         title: listener.security.protocol.map
-        helpLink: kafka.html
+        helpLink: kafka
       log_x_dirs:
         description: Where Kafka logs are stored within the Docker container.
         title: log.dirs
-        helpLink: kafka.html
+        helpLink: kafka
       log_x_retention_x_check_x_interval_x_ms:
         description: Frequency at which log files are checked if they are qualified for deletion.
         title: log.retention.check.interval.ms
-        helpLink: kafka.html
+        helpLink: kafka
       log_x_retention_x_hours:
         description: How long, in hours, a log file is kept.
         title: log.retention.hours
         forcedType: int
-        helpLink: kafka.html
+        helpLink: kafka
       log_x_segment_x_bytes:
         description: The maximum allowable size for a log file.
         title: log.segment.bytes
         forcedType: int
-        helpLink: kafka.html
+        helpLink: kafka
       num_x_io_x_threads:
         description: The number of threads used by Kafka.
         title: num.io.threads
         forcedType: int
-        helpLink: kafka.html
+        helpLink: kafka
       num_x_network_x_threads:
         description: The number of threads used for network communication.
         title: num.network.threads
         forcedType: int
-        helpLink: kafka.html
+        helpLink: kafka
       num_x_partitions:
         description: The number of log partitions assigned per topic.
         title: num.partitions
         forcedType: int
-        helpLink: kafka.html
+        helpLink: kafka
       num_x_recovery_x_threads_x_per_x_data_x_dir:
         description: The number of threads used for log recuperation at startup and purging at shutdown. This ammount of threads is used per data directory.
         title: num.recovery.threads.per.data.dir
         forcedType: int
-        helpLink: kafka.html
+        helpLink: kafka
       offsets_x_topic_x_replication_x_factor:
         description: The offsets topic replication factor.
         title: offsets.topic.replication.factor
         forcedType: int
-        helpLink: kafka.html
+        helpLink: kafka
       process_x_roles:
         description: The role performed by Kafka brokers.
         title: process.roles
         readonly: True
-        helpLink: kafka.html
+        helpLink: kafka
       socket_x_receive_x_buffer_x_bytes:
         description: Size, in bytes of the SO_RCVBUF buffer. A value of -1 will use the OS default.
         title: socket.receive.buffer.bytes
         #forcedType: int - soc needs to allow -1 as an int before we can use this
-        helpLink: kafka.html
+        helpLink: kafka
       socket_x_request_x_max_x_bytes:
         description: The maximum bytes allowed for a request to the socket.
         title: socket.request.max.bytes
         forcedType: int
-        helpLink: kafka.html
+        helpLink: kafka
       socket_x_send_x_buffer_x_bytes:
         description: Size, in bytes of the SO_SNDBUF buffer. A value of -1 will use the OS default.
         title: socket.send.buffer.byte
         #forcedType: int - soc needs to allow -1 as an int before we can use this
-        helpLink: kafka.html
+        helpLink: kafka
       ssl_x_keystore_x_location:
         description: The key store file location within the Docker container.
         title: ssl.keystore.location
-        helpLink: kafka.html
+        helpLink: kafka
       ssl_x_keystore_x_password:
         description: The key store file password. Invalid for PEM format.
         title: ssl.keystore.password
         sensitive: True
-        helpLink: kafka.html
+        helpLink: kafka
       ssl_x_keystore_x_type: 
         description: The key store file format.
         title: ssl.keystore.type
         regex: ^(JKS|PKCS12|PEM)$
-        helpLink: kafka.html
+        helpLink: kafka
       ssl_x_truststore_x_location:
         description: The trust store file location within the Docker container.
         title: ssl.truststore.location
-        helpLink: kafka.html
+        helpLink: kafka
       ssl_x_truststore_x_type:
         description: The trust store file format.
         title: ssl.truststore.type
-        helpLink: kafka.html
+        helpLink: kafka
       ssl_x_truststore_x_password:
         description: The trust store file password. If null, the trust store file is still use, but integrity checking is disabled. Invalid for PEM format.
         title: ssl.truststore.password
         sensitive: True
-        helpLink: kafka.html
+        helpLink: kafka
       transaction_x_state_x_log_x_min_x_isr:
         description: Overrides min.insync.replicas for the transaction topic. When a producer configures acks to "all" (or "-1"), this setting determines the minimum number of replicas required to acknowledge a write as successful. Failure to meet this minimum triggers an exception (either NotEnoughReplicas or NotEnoughReplicasAfterAppend). When used in conjunction, min.insync.replicas and acks enable stronger durability guarantees. For instance, creating a topic with a replication factor of 3, setting min.insync.replicas to 2, and using acks of "all" ensures that the producer raises an exception if a majority of replicas fail to receive a write.
         title: transaction.state.log.min.isr
         forcedType: int
-        helpLink: kafka.html
+        helpLink: kafka
       transaction_x_state_x_log_x_replication_x_factor:
         description: Set the replication factor higher for the transaction topic to ensure availability. Internal topic creation will not proceed until the cluster size satisfies this replication factor prerequisite.
         title: transaction.state.log.replication.factor
         forcedType: int
-        helpLink: kafka.html
+        helpLink: kafka
     client:
       security_x_protocol:
         description: 'Broker communication protocol. Options are: SASL_SSL, PLAINTEXT, SSL, SASL_PLAINTEXT'
         title: security.protocol
         regex: ^(SASL_SSL|PLAINTEXT|SSL|SASL_PLAINTEXT)
-        helpLink: kafka.html
+        helpLink: kafka
       ssl_x_keystore_x_location:
         description: The key store file location within the Docker container.
         title: ssl.keystore.location
-        helpLink: kafka.html
+        helpLink: kafka
       ssl_x_keystore_x_password:
         description: The key store file password. Invalid for PEM format.
         title: ssl.keystore.password
         sensitive: True
-        helpLink: kafka.html
+        helpLink: kafka
       ssl_x_keystore_x_type:
         description: The key store file format.
         title: ssl.keystore.type
         regex: ^(JKS|PKCS12|PEM)$
-        helpLink: kafka.html
+        helpLink: kafka
       ssl_x_truststore_x_location:
         description: The trust store file location within the Docker container.
         title: ssl.truststore.location
-        helpLink: kafka.html
+        helpLink: kafka
       ssl_x_truststore_x_type:
         description: The trust store file format.
         title: ssl.truststore.type
-        helpLink: kafka.html
+        helpLink: kafka
       ssl_x_truststore_x_password:
         description: The trust store file password. If null, the trust store file is still use, but integrity checking is disabled. Invalid for PEM format.
         title: ssl.truststore.password
         sensitive: True
-        helpLink: kafka.html
+        helpLink: kafka
     controller:
       controller_x_listener_x_names:
         description: Set listeners used by the controller in a comma-seperated list.
         title: controller.listener.names
-        helpLink: kafka.html
+        helpLink: kafka
       listeners:
         description: Set of URIs that is listened on and the listener names in a comma-seperated list.
-        helpLink: kafka.html
+        helpLink: kafka
       listener_x_security_x_protocol_x_map:
         description: Comma-seperated mapping of listener name and security protocols.
         title: listener.security.protocol.map
-        helpLink: kafka.html
+        helpLink: kafka
       log_x_dirs:
         description: Where Kafka logs are stored within the Docker container.
         title: log.dirs
-        helpLink: kafka.html
+        helpLink: kafka
       log_x_retention_x_check_x_interval_x_ms:
         description: Frequency at which log files are checked if they are qualified for deletion.
         title: log.retention.check.interval.ms
-        helpLink: kafka.html
+        helpLink: kafka
       log_x_retention_x_hours:
         description: How long, in hours, a log file is kept.
         title: log.retention.hours
         forcedType: int
-        helpLink: kafka.html
+        helpLink: kafka
       log_x_segment_x_bytes:
         description: The maximum allowable size for a log file.
         title: log.segment.bytes
         forcedType: int
-        helpLink: kafka.html
+        helpLink: kafka
       process_x_roles:
         description: The role performed by controller node.
         title: process.roles
         readonly: True
-        helpLink: kafka.html
+        helpLink: kafka
     external_access:
       enabled:
         description: Enables or disables access to Kafka topics using user/password authentication. Used for producing / consuming messages via an external client.
         forcedType: bool
-        helpLink: kafka.html
+        helpLink: kafka
       listeners:
         description: Set of URIs that is listened on and the listener names in a comma-seperated list.
         title: listeners
         readonly: True
         advanced: True
-        helpLink: kafka.html
+        helpLink: kafka
       listener_x_security_x_protocol_x_map:
         description: External listener name and mapped security protocol.
         title: listener.security.protocol.map
         readonly: True
         advanced: True
-        helpLink: kafka.html
+        helpLink: kafka
       sasl_x_enabled_x_mechanisms:
         description: SASL/PLAIN is a simple username/password authentication mechanism, used with TLS to implement secure authentication.
         title: sasl.enabled.mechanisms
         readonly: True
         advanced: True
-        helpLink: kafka.html
+        helpLink: kafka
       sasl_x_mechanism_x_inter_x_broker_x_protocol:
         description: SASL mechanism used for inter-broker communication
         title: sasl.mechanism.inter.broker.protocol
         readonly: True
         advanced: True
-        helpLink: kafka.html
+        helpLink: kafka
       remote_users:
         user01: &remote_user
           username:

salt/kibana/map.jinja

@@ -5,7 +5,6 @@
 
 {% from 'vars/globals.map.jinja' import GLOBALS %}
 {% import_yaml 'kibana/defaults.yaml' as KIBANADEFAULTS with context %}
-{% set HIGHLANDER = salt['pillar.get']('global:highlander', False) %}
 
 {% do KIBANADEFAULTS.kibana.config.server.update({'publicBaseUrl': 'https://' ~ GLOBALS.url_base ~ '/kibana'}) %}
 {% do KIBANADEFAULTS.kibana.config.elasticsearch.update({'hosts': ['https://' ~ GLOBALS.manager ~ ':9200']}) %}

salt/kibana/so_dashboard_load.sls

@@ -3,7 +3,6 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 
-{% set HIGHLANDER = salt['pillar.get']('global:highlander', False) %}
 include:
   - kibana.enabled
 
@@ -29,27 +28,3 @@ so-kibana-dashboard-load:
     - require:
       - sls: kibana.enabled
       - file: dashboard_saved_objects_template
-{%- if HIGHLANDER %}
-dashboard_saved_objects_template_hl:
-  file.managed:
-    - name: /opt/so/conf/kibana/hl.ndjson.template
-    - source: salt://kibana/files/hl.ndjson
-    - user: 932
-    - group: 939
-    - show_changes: False
-
-dashboard_saved_objects_hl_changes:
-  file.absent:
-    - names:
-      - /opt/so/state/kibana_hl.txt
-    - onchanges:
-      - file: dashboard_saved_objects_template_hl
-
-so-kibana-dashboard-load_hl:
-  cmd.run:
-    - name: /usr/sbin/so-kibana-config-load -i /opt/so/conf/kibana/hl.ndjson.template
-    - cwd: /opt/so
-    - require:
-      - sls: kibana.enabled
-      - file: dashboard_saved_objects_template_hl
-{%- endif %}

salt/kibana/soc_kibana.yaml

@@ -1,10 +1,10 @@
 kibana:
   enabled: 
     description: Enables or disables the Kibana front-end interface to Elasticsearch. Due to Kibana being used for loading certain configuration details in Elasticsearch, this process should remain enabled. WARNING - Disabling the process is unsupported, and will cause unexpected results.
-    helpLink: kibana.html
+    helpLink: kibana
   config:
     elasticsearch:
       requestTimeout:
         description: The length of time before the request reaches timeout.
         global: True
-        helpLink: kibana.html
+        helpLink: kibana

salt/kibana/tools/sbin_jinja/so-kibana-space-defaults

@@ -1,6 +1,5 @@
 #!/bin/bash
 . /usr/sbin/so-common
-{% set HIGHLANDER = salt['pillar.get']('global:highlander', False) %}
 wait_for_web_response "http://localhost:5601/api/spaces/space/default" "default" 300 "curl -K /opt/so/conf/elasticsearch/curl.config"
 ## This hackery will be removed if using Elastic Auth ##
 
@@ -9,10 +8,6 @@ SESSIONCOOKIE=$(curl -K /opt/so/conf/elasticsearch/curl.config -c - -X GET http:
 
 # Disable certain Features from showing up in the Kibana UI
 echo
-echo "Setting up default Space:"
-{% if HIGHLANDER %}
-curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X PUT "localhost:5601/api/spaces/space/default" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d' {"id":"default","name":"Default","disabledFeatures":["enterpriseSearch"]} ' >> /opt/so/log/kibana/misc.log
-{% else %}
+echo "Setting up default Kibana Space:"
 curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X PUT "localhost:5601/api/spaces/space/default" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d' {"id":"default","name":"Default","disabledFeatures":["ml","enterpriseSearch","logs","infrastructure","apm","uptime","monitoring","stackAlerts","actions","securitySolutionCasesV3","inventory","dataQuality","searchSynonyms","enterpriseSearchApplications","enterpriseSearchAnalytics","securitySolutionTimeline","securitySolutionNotes","entityManager"]} ' >> /opt/so/log/kibana/misc.log
-{% endif %}
 echo

salt/kratos/soc_kratos.yaml

@@ -2,79 +2,79 @@ kratos:
   enabled:
     description: Enables or disables the Kratos authentication system. WARNING - Disabling this process will cause the grid to malfunction. Re-enabling this setting will require manual effort via SSH.
     advanced: True
-    helpLink: kratos.html
+    helpLink: kratos
 
   oidc:
     enabled: 
       description: Set to True to enable OIDC / Single Sign-On (SSO) to SOC. Requires a valid Security Onion license key.
       global: True
-      helpLink: oidc.html
+      helpLink: oidc
     config:
       id: 
         description: Customize the OIDC provider name. This name appears on the login page. Required. It is strongly recommended to leave this to the default value, unless you are aware of the other configuration pieces that will be affected by changing it.
         global: True
         forcedType: string
-        helpLink: oidc.html
+        helpLink: oidc
       provider:
         description: "Specify the provider type. Required. Valid values are: auth0, generic, github, google, microsoft"
         global: True
         forcedType: string
         regex: "auth0|generic|github|google|microsoft"
         regexFailureMessage: "Valid values are: auth0, generic, github, google, microsoft"
-        helpLink: oidc.html
+        helpLink: oidc
       client_id: 
         description: Specify the client ID, also referenced as the application ID. Required.
         global: True
         forcedType: string
-        helpLink: oidc.html
+        helpLink: oidc
       client_secret: 
         description: Specify the client secret. Required.
         global: True
         forcedType: string
-        helpLink: oidc.html
+        helpLink: oidc
       microsoft_tenant:
         description: Specify the Microsoft Active Directory Tenant ID. Required when provider is 'microsoft'.
         global: True
         forcedType: string
-        helpLink: oidc.html
+        helpLink: oidc
       subject_source: 
         description: The source of the subject identifier. Typically 'userinfo'. Only used when provider is 'microsoft'.
         global: True
         forcedType: string
         regex: me|userinfo
         regexFailureMessage: "Valid values are: me, userinfo"
-        helpLink: oidc.html
+        helpLink: oidc
       auth_url: 
         description: Provider's auth URL. Required when provider is 'generic'.
         global: True
         forcedType: string
-        helpLink: oidc.html
+        helpLink: oidc
       issuer_url: 
         description: Provider's issuer URL. Required when provider is 'auth0' or 'generic'.
         global: True
         forcedType: string
-        helpLink: oidc.html
+        helpLink: oidc
       mapper_url: 
         description: A file path or URL in Jsonnet format, used to map OIDC claims to the Kratos schema. Defaults to an included file that maps the email claim. Note that the contents of the included file can be customized via the "OIDC Claims Mapping" setting.
         advanced: True
         global: True
         forcedType: string
-        helpLink: oidc.html
+        helpLink: oidc
       token_url: 
         description: Provider's token URL. Required when provider is 'generic'.
         global: True
         forcedType: string
-        helpLink: oidc.html
+        helpLink: oidc
       scope: 
         description: List of scoped data categories to request in the authentication response. Typically 'email' and 'profile' are the minimum required scopes. However, GitHub requires `user:email', instead and Auth0 requires 'profile', 'email', and 'openid'.
         global: True
         forcedType: "[]string"
-        helpLink: oidc.html
+        helpLink: oidc
       pkce:
         description: Set to 'force' if the OIDC provider does not support auto-detection of PKCE, but does support PKCE. Set to `never` to disable PKCE. The default setting automatically attempts to detect if PKCE is supported. The provider's `well-known/openid-configuration` JSON response must contain the `S256` algorithm within the `code_challenge_methods_supported` list in order for the auto-detection to correctly detect PKCE is supported.
         global: True
         forcedType: string
-        helpLink: oidc.html
+        helpLink: oidc
       requested_claims: 
         id_token:
           email:
@@ -82,7 +82,7 @@ kratos:
               description: Specifies whether the email claim is necessary. Typically leave this value set to true.
               advanced: True
               global: True
-              helpLink: oidc.html
+              helpLink: oidc
   files:
     oidc__jsonnet:
       title: OIDC Claims Mapping
@@ -90,20 +90,20 @@ kratos:
       advanced: True
       file: True
       global: True
-      helpLink: oidc.html
+      helpLink: oidc
 
   config:
     session:
       lifespan: 
         description: Defines the length of a login session.
         global: True
-        helpLink: kratos.html
+        helpLink: kratos
       whoami:
         required_aal: 
           description: Sets the Authenticator Assurance Level. Leave as default to ensure proper security protections remain in place.
           global: True
           advanced: True
-          helpLink: kratos.html
+          helpLink: kratos
     selfservice:
       methods:
         password:
@@ -111,143 +111,143 @@ kratos:
             description: Set to True to enable traditional password authentication to SOC. Typically set to true, except when exclusively using OIDC authentication. Some external tool interfaces may not be accessible if local password authentication is disabled.
             global: True
             advanced: True
-            helpLink: oidc.html
+            helpLink: oidc
           config:
             haveibeenpwned_enabled:
               description: Set to True to check if a newly chosen password has ever been found in a published list of previously-compromised passwords. Requires outbound Internet connectivity when enabled.
               global: True
-              helpLink: kratos.html
+              helpLink: kratos
         totp:
           enabled: 
             description: Set to True to enable Time-based One-Time Password (TOTP) multi-factor authentication (MFA) to SOC. Enable to ensure proper security protections remain in place. Be aware that disabling this setting, after users have already setup TOTP, may prevent users from logging in.
             global: True
-            helpLink: kratos.html
+            helpLink: kratos
           config:
             issuer: 
               description: The name to show in the MFA authenticator app. Useful for differentiating between installations that share the same user email address.
               global: True
-              helpLink: kratos.html
+              helpLink: kratos
         webauthn:
           enabled:
             description: Set to True to enable Security Keys (WebAuthn / PassKeys) for passwordless or multi-factor authentication (MFA) SOC logins. Security Keys are a Public-Key Infrastructure (PKI) based authentication method, typically involving biometric hardware devices, such as laptop fingerprint scanners and USB hardware keys. Be aware that disabling this setting, after users have already setup their accounts with Security Keys, may prevent users from logging in.
             global: True
-            helpLink: kratos.html
+            helpLink: kratos
           config:
             passwordless: 
               description: Set to True to utilize Security Keys (WebAuthn / PassKeys) for passwordless logins. Set to false to utilize Security Keys as a multi-factor authentication (MFA) method supplementing password logins. Be aware that changing this value, after users have already setup their accounts with the previous value, may prevent users from logging in.
               global: True
-              helpLink: kratos.html
+              helpLink: kratos
             rp:
               id: 
                 description: The internal identification used for registering new Security Keys. Leave as default to ensure Security Keys function properly.
                 global: True
                 advanced: True
-                helpLink: kratos.html
+                helpLink: kratos
               origin: 
                 description: The URL used to login to SOC. Leave as default to ensure Security Keys function properly.
                 global: True
                 advanced: True
-                helpLink: kratos.html
+                helpLink: kratos
               display_name: 
                 description: The name assigned to the security key. Note that URL_BASE is replaced with the hostname or IP address used to login to SOC, to help distinguish multiple Security Onion installations.
                 global: True
                 advanced: True
-                helpLink: kratos.html
+                helpLink: kratos
 
       flows:
         settings:
           privileged_session_max_age:
             description: The length of time after a successful authentication for a user's session to remain elevated to a privileged session. Privileged sessions are able to change passwords and other security settings for that user. If a session is no longer privileged then the user is redirected to the login form in order to confirm the security change.
             global: True
-            helpLink: kratos.html
+            helpLink: kratos
           ui_url: 
             description: User accessible URL containing the user self-service profile and security settings. Leave as default to ensure proper operation.
             global: True
             advanced: True
-            helpLink: kratos.html
+            helpLink: kratos
           required_aal:
             description: Sets the Authenticator Assurance Level for accessing user self-service profile and security settings. Leave as default to ensure proper security enforcement remains in place.
             global: True
             advanced: True
-            helpLink: kratos.html
+            helpLink: kratos
         verification:
           ui_url: 
             description: User accessible URL containing the Security Onion login page. Leave as default to ensure proper operation.
             global: True
             advanced: True
-            helpLink: kratos.html
+            helpLink: kratos
         login:
           ui_url: 
             description: User accessible URL containing the Security Onion login page. Leave as default to ensure proper operation.
             global: True
             advanced: True
-            helpLink: kratos.html
+            helpLink: kratos
           lifespan: 
             description: Defines the duration that a login form will remain valid.
             global: True
-            helpLink: kratos.html
+            helpLink: kratos
         error:
           ui_url: 
             description: User accessible URL containing the Security Onion login page. Leave as default to ensure proper operation.
             global: True
             advanced: True
-            helpLink: kratos.html
+            helpLink: kratos
         registration:
           ui_url: 
             description: User accessible URL containing the Security Onion login page. Leave as default to ensure proper operation.
             global: True
             advanced: True
-            helpLink: kratos.html
+            helpLink: kratos
       default_browser_return_url:
         description: Security Onion Console landing page URL. Leave as default to ensure proper operation.
         global: True
         advanced: True
-        helpLink: kratos.html
+        helpLink: kratos
       allowed_return_urls:
         description: Internal redirect URL. Leave as default to ensure proper operation.
         global: True
         advanced: True
-        helpLink: kratos.html
+        helpLink: kratos
     log:
       level: 
         description: Log level to use for Kratos logs.
         global: True
-        helpLink: kratos.html
+        helpLink: kratos
       format: 
         description: Log output format for Kratos logs.
         global: True
-        helpLink: kratos.html
+        helpLink: kratos
     secrets:
       default: 
         description: Secret key used for protecting session cookie data. Generated during installation.
         global: True
         sensitive: True
         advanced: True
-        helpLink: kratos.html
+        helpLink: kratos
     serve:
       public:
         base_url: 
           description: User accessible URL for authenticating to Kratos. Leave as default for proper operation.
           global: True
           advanced: True
-          helpLink: kratos.html
+          helpLink: kratos
       admin:
         base_url: 
           description: User accessible URL for accessing Kratos administration API. Leave as default for proper operation.
           global: True
           advanced: True
-          helpLink: kratos.html
+          helpLink: kratos
     hashers:
       bcrypt:
         cost: 
           description: Bcrypt hashing algorithm cost. Higher values consume more CPU and take longer to complete. Actual cost is computed as 2^X where X is the value in this setting.
           global: True
           advanced: True
-          helpLink: kratos.html
+          helpLink: kratos
     courier:
       smtp:
         connection_uri: 
           description: SMTPS URL for sending outbound account-related emails. Not utilized with the standard Security Onion installation.
           global: True
           advanced: True
-          helpLink: kratos.html
+          helpLink: kratos

salt/logstash/config.sls

@@ -36,10 +36,6 @@ logstash:
     - gid: 931
     - home: /opt/so/conf/logstash
 
-lslibdir:
-  file.absent:
-    - name: /opt/so/conf/logstash/lib
-
 logstash_sbin:
   file.recurse:
     - name: /usr/sbin

salt/logstash/soc_logstash.yaml

@@ -1,13 +1,13 @@
 logstash:
   enabled: 
     description: Enables or disables the Logstash log event forwarding process. On most grid installations, when this process is disabled log events are unable to be ingested into the SOC backend.
-    helpLink: logstash.html
+    helpLink: logstash
   assigned_pipelines:
     roles:
       standalone: &assigned_pipelines
         description: List of defined pipelines to add to this role.
         advanced: True
-        helpLink: logstash.html
+        helpLink: logstash
         multiline: True
         forcedType: "[]string"
         duplicates: True
@@ -21,7 +21,7 @@ logstash:
     receiver: &defined_pipelines
       description: List of pipeline configurations assign to this group.
       advanced: True
-      helpLink: logstash.html
+      helpLink: logstash
       multiline: True
       forcedType: "[]string" 
       duplicates: True
@@ -39,7 +39,7 @@ logstash:
       advanced: True
       multiline: True
       forcedType: string
-      helpLink: logstash.html
+      helpLink: logstash
       duplicates: True
     custom002: *pipeline_config
     custom003: *pipeline_config
@@ -53,35 +53,35 @@ logstash:
   settings:
     lsheap: 
       description: Heap size to use for logstash
-      helpLink: logstash.html
+      helpLink: logstash
       global: False
   config:
     api_x_http_x_host:
       description: Host interface to listen to connections.
-      helpLink: logstash.html
+      helpLink: logstash
       readonly: True
       advanced: True
     path_x_logs: 
       description: Path inside the container to wrote logs.
-      helpLink: logstash.html
+      helpLink: logstash
       readonly: True
       advanced: True
     pipeline_x_workers: 
       description: Number of worker threads to process events in logstash.
-      helpLink: logstash.html
+      helpLink: logstash
       global: False
     pipeline_x_batch_x_size: 
       description: Logstash batch size.
-      helpLink: logstash.html
+      helpLink: logstash
       global: False
     pipeline_x_ecs_compatibility: 
       description: Sets ECS compatibility. This is set per pipeline so you should never need to change this.
-      helpLink: logstash.html
+      helpLink: logstash
       readonly: True
       advanced: True
   dmz_nodes:
     description: "List of receiver nodes in DMZs. Prevents sensors from sending to these receivers. Primarily used for external Elastic agents."
-    helpLink: logstash.html
+    helpLink: logstash
     multiline: True
     advanced: True
     forcedType: "[]string"

salt/manager/init.sls

@@ -63,11 +63,9 @@ yara_log_dir:
       - user
       - group
 
-{% if GLOBALS.os_family == 'RedHat' %}
 install_createrepo:
   pkg.installed:
     - name: createrepo_c
-{% endif %}
 
 repo_conf_dir:
   file.directory:

salt/manager/soc_manager.yaml

@@ -3,80 +3,80 @@ manager:
     enabled:
       description: This is the daily task of syncing the Security Onion OS packages. It is recommended that this setting remain enabled to ensure important updates are applied to the grid on an automated, scheduled basis.
       global: True
-      helpLink: soup.html
+      helpLink: soup
     hour:
       description: The hour of the day in which the repo sync takes place.
       global: True
-      helpLink: soup.html
+      helpLink: soup
     minute:
       description: The minute within the hour to run the repo sync.
       global: True
-      helpLink: soup.html
+      helpLink: soup
   elastalert:
     description: Enable elastalert 1=enabled 0=disabled.
     global: True
-    helpLink: elastalert.html
+    helpLink: elastalert
   no_proxy:
     description: String of hosts to ignore the proxy settings for.
     global: True
-    helpLink: proxy.html
+    helpLink: proxy
   proxy:
     description: Proxy server to use for updates.
     global: True
-    helpLink: proxy.html
+    helpLink: proxy
   additionalCA:
     description: Additional CA certificates to trust in PEM format.
     global: True
     advanced: True
     multiline: True
     forcedType: string
-    helpLink: proxy.html
+    helpLink: proxy
   insecureSkipVerify:
     description: Disable TLS verification for outgoing requests. This will make your installation less secure to MITM attacks. Recommended only for debugging purposes.
     advanced: True
     forcedType: bool
     global: True
-    helpLink: proxy.html
+    helpLink: proxy
   agent_monitoring:
     enabled:
       description: Enable monitoring elastic agents for health issues. Can be used to trigger an alert when a 'critical' agent hasn't checked in with fleet for longer than the configured offline threshold.
       global: True
-      helpLink: elastic-fleet.html
+      helpLink: elastic-fleet
       forcedType: bool
     config:
       critical_agents:
         description: List of 'critical' agents to log when they haven't checked in longer than the maximum allowed time. If there are no 'critical' agents specified all offline agents will be logged once they reach the offline threshold.
         global: True
         multiline: True
-        helpLink: elastic-fleet.html
+        helpLink: elastic-fleet
         forcedType: "[]string"
       custom_kquery:
         description: For more granular control over what agents to monitor for offline|degraded status add a kquery here. It is recommended to create & test within Elastic Fleet first to ensure your agents are targeted correctly using the query. eg 'status:offline AND tags:INFRA'
         global: True
-        helpLink: elastic-fleet.html
+        helpLink: elastic-fleet
         forcedType: string
         advanced: True
       offline_threshold:
         description: The maximum allowed time in hours a 'critical' agent has been offline before being logged.
         global: True
-        helpLink: elastic-fleet.html
+        helpLink: elastic-fleet
         forcedType: int
       realert_threshold:
         description: The time to pass before another alert for an offline agent exceeding the offline_threshold is generated.
         global: True
-        helpLink: elastic-fleet.html
+        helpLink: elastic-fleet
         forcedType: int
       page_size:
         description: The amount of agents that can be processed per API request to fleet.
         global: True
-        helpLink: elastic-fleet.html
+        helpLink: elastic-fleet
         forcedType: int
         advanced: True
       run_interval:
         description: The time in minutes between checking fleet agent statuses.
         global: True
         advanced: True
-        helpLink: elastic-fleet.html
+        helpLink: elastic-fleet
         forcedType: int
   managed_integrations:
     description: List of integrations to add into SOC config UI. Enter the full or partial integration name. Eg. 1password, 1pass
@@ -84,4 +84,4 @@ manager:
     multiline: True
     global: True
     advanced: True
-    helpLink: elasticsearch.html
+    helpLink: elasticsearch

salt/manager/tools/sbin/so-client

@@ -134,8 +134,8 @@ function require() {
 function verifyEnvironment() {
   require "jq"
   require "curl"
-  response=$(curl -Ss -L ${hydraUrl}/)
-  [[ "$response" != *"Error 404"* ]] && fail "Unable to communicate with Hydra; specify URL via HYDRA_URL environment variable"
+  response=$(curl -Ss -L ${hydraUrl}/health/alive)
+  [[ "$response" != '{"status":"ok"}' ]] && fail "Unable to communicate with Hydra; specify URL via HYDRA_URL environment variable"
 }
 
 function createFile() {

salt/manager/tools/sbin/so-yaml.py

@@ -22,7 +22,7 @@ def showUsage(args):
     print('    removelistitem   - Remove a list item from a yaml key, if it exists and is a list. Requires KEY and LISTITEM args.', file=sys.stderr)
     print('    replacelistobject  - Replace a list object based on a condition. Requires KEY, CONDITION_FIELD, CONDITION_VALUE, and JSON_OBJECT args.', file=sys.stderr)
     print('    add              - Add a new key and set its value. Fails if key already exists. Requires KEY and VALUE args.', file=sys.stderr)
-    print('    get              - Displays (to stdout) the value stored in the given key. Requires KEY arg.', file=sys.stderr)
+    print('    get [-r]         - Displays (to stdout) the value stored in the given key. Requires KEY arg. Use -r for raw output without YAML formatting.', file=sys.stderr)
     print('    remove           - Removes a yaml key, if it exists. Requires KEY arg.', file=sys.stderr)
     print('    replace          - Replaces (or adds) a new key and set its value. Requires KEY and VALUE args.', file=sys.stderr)
     print('    help             - Prints this usage information.', file=sys.stderr)
@@ -332,6 +332,11 @@ def getKeyValue(content, key):
 
 
 def get(args):
+    raw = False
+    if len(args) > 0 and args[0] == '-r':
+        raw = True
+        args = args[1:]
+
     if len(args) != 2:
         print('Missing filename or key arg', file=sys.stderr)
         showUsage(None)
@@ -346,12 +351,15 @@ def get(args):
         print(f"Key '{key}' not found by so-yaml.py", file=sys.stderr)
         return 2
 
-    if isinstance(output, bool):
-        print(str(output).lower())
-    elif isinstance(output, (dict, list)):
-        print(yaml.safe_dump(output).strip())
+    if raw:
+        if isinstance(output, bool):
+            print(str(output).lower())
+        elif isinstance(output, (dict, list)):
+            print(yaml.safe_dump(output).strip())
+        else:
+            print(output)
     else:
-        print(output)
+        print(yaml.safe_dump(output))
     return 0
 
 

salt/manager/tools/sbin/so-yaml_test.py

@@ -393,6 +393,17 @@ class TestRemove(unittest.TestCase):
 
             result = soyaml.get([filename, "key1.child2.deep1"])
             self.assertEqual(result, 0)
+            self.assertIn("45\n...", mock_stdout.getvalue())
+
+    def test_get_int_raw(self):
+        with patch('sys.stdout', new=StringIO()) as mock_stdout:
+            filename = "/tmp/so-yaml_test-get.yaml"
+            file = open(filename, "w")
+            file.write("{key1: { child1: 123, child2: { deep1: 45 } }, key2: false, key3: [e,f,g]}")
+            file.close()
+
+            result = soyaml.get(["-r", filename, "key1.child2.deep1"])
+            self.assertEqual(result, 0)
             self.assertEqual("45\n", mock_stdout.getvalue())
 
     def test_get_str(self):
@@ -404,6 +415,17 @@ class TestRemove(unittest.TestCase):
 
             result = soyaml.get([filename, "key1.child2.deep1"])
             self.assertEqual(result, 0)
+            self.assertIn("hello\n...", mock_stdout.getvalue())
+
+    def test_get_str_raw(self):
+        with patch('sys.stdout', new=StringIO()) as mock_stdout:
+            filename = "/tmp/so-yaml_test-get.yaml"
+            file = open(filename, "w")
+            file.write("{key1: { child1: 123, child2: { deep1: \"hello\" } }, key2: false, key3: [e,f,g]}")
+            file.close()
+
+            result = soyaml.get(["-r", filename, "key1.child2.deep1"])
+            self.assertEqual(result, 0)
             self.assertEqual("hello\n", mock_stdout.getvalue())
 
     def test_get_bool(self):
@@ -415,8 +437,31 @@ class TestRemove(unittest.TestCase):
 
             result = soyaml.get([filename, "key2"])
             self.assertEqual(result, 0)
+            self.assertIn("false\n...", mock_stdout.getvalue())
+
+    def test_get_bool_raw(self):
+        with patch('sys.stdout', new=StringIO()) as mock_stdout:
+            filename = "/tmp/so-yaml_test-get.yaml"
+            file = open(filename, "w")
+            file.write("{key1: { child1: 123, child2: { deep1: 45 } }, key2: false, key3: [e,f,g]}")
+            file.close()
+
+            result = soyaml.get(["-r", filename, "key2"])
+            self.assertEqual(result, 0)
             self.assertEqual("false\n", mock_stdout.getvalue())
 
+    def test_get_dict_raw(self):
+        with patch('sys.stdout', new=StringIO()) as mock_stdout:
+            filename = "/tmp/so-yaml_test-get.yaml"
+            file = open(filename, "w")
+            file.write("{key1: { child1: 123, child2: { deep1: 45 } }, key2: false, key3: [e,f,g]}")
+            file.close()
+
+            result = soyaml.get(["-r", filename, "key1"])
+            self.assertEqual(result, 0)
+            self.assertIn("child1: 123", mock_stdout.getvalue())
+            self.assertNotIn("...", mock_stdout.getvalue())
+
     def test_get_list(self):
         with patch('sys.stdout', new=StringIO()) as mock_stdout:
             filename = "/tmp/so-yaml_test-get.yaml"

salt/manager/tools/sbin/soup

@@ -396,7 +396,7 @@ migrate_pcap_to_suricata() {
 
   for pillar_file in "$PCAPFILE" "$MINIONDIR"/*.sls; do
     [[ -f "$pillar_file" ]] || continue
-    pcap_enabled=$(so-yaml.py get "$pillar_file" pcap.enabled 2>/dev/null) || continue
+    pcap_enabled=$(so-yaml.py get -r "$pillar_file" pcap.enabled 2>/dev/null) || continue
     so-yaml.py add "$pillar_file" suricata.pcap.enabled "$pcap_enabled"
     so-yaml.py remove "$pillar_file" pcap
   done

salt/nginx/etc/nginx.conf

@@ -387,7 +387,7 @@ http {
 		error_page 429 = @error429;
 
 		location @error401 {
-			if ($request_uri ~* (^/api/.*|^/connect/.*|^/oauth2/.*)) {
+			if ($request_uri ~* (^/api/.*|^/connect/.*|^/oauth2/.*|^/.*\.map$)) {
 				return    401;
 			}
 

salt/nginx/soc_nginx.yaml

@@ -2,11 +2,11 @@ nginx:
   enabled: 
     description: Enables or disables the Nginx web server and reverse proxy. WARNING - Disabling this process will prevent access to SOC and other important web interfaces and APIs. Re-enabling the process is a manual effort. Do not change this setting without instruction from Security Onion support.
     advanced: True
-    helpLink: nginx.html
+    helpLink: nginx
   external_suricata:
     description: Enable this to allow external access to Suricata Rulesets managed by Detections.
     advanced: True
-    helplink: nginx.html
+    helpLink: nginx
     forcedType: bool
   ssl:
     replace_cert:
@@ -15,33 +15,33 @@ nginx:
       advanced: True
       forcedType: bool
       title: Replace Default Cert
-      helpLink: nginx.html
+      helpLink: nginx
     ssl__key:
       description: If you enabled the replace_cert option, paste the contents of your .key file here.
       file: True
       title: SSL/TLS Key File
       advanced: True
       global: True
-      helpLink: nginx.html
+      helpLink: nginx
     ssl__crt:
       description: If you enabled the replace_cert option, paste the contents of your .crt file here.
       file: True
       title: SSL/TLS Cert File
       advanced: True
       global: True
-      helpLink: nginx.html
+      helpLink: nginx
     alt_names:
       description: Provide a list of alternate names to allow remote systems the ability to refer to the SOC API as another hostname.
       global: True
       forcedType: '[]string'
       multiline: True
-      helpLink: nginx.html
+      helpLink: nginx
   config:
     throttle_login_burst:
       description: Number of login requests that can burst without triggering request throttling. Higher values allow more repeated login attempts. Values greater than zero are required in order to provide a usable login flow.
       global: True
-      helpLink: nginx.html
+      helpLink: nginx
     throttle_login_rate:
       description: Number of login API requests per minute that can be processed without triggering a rate limit. Higher values allow more repeated login attempts. Requests are counted by unique client IP and averaged over time. Note that a single login flow will perform multiple requests to the login API, so this value will need to be adjusted accordingly.
       global: True
-      helpLink: nginx.html
+      helpLink: nginx

salt/ntp/init.sls

@@ -2,7 +2,6 @@
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
-{% from 'vars/globals.map.jinja' import GLOBALS %}
 {% from 'ntp/config.map.jinja' import NTPCONFIG %}
 
 chrony_pkg:
@@ -17,11 +16,7 @@ chronyconf:
     - defaults:
         NTPCONFIG: {{ NTPCONFIG }}
 
-{% if GLOBALS.os_family == 'RedHat' %}
 chronyd:
-{% else %}
-chrony:
-{% endif %}
   service.running:
     - enable: True
     - watch: 

salt/ntp/soc_ntp.yaml

@@ -3,4 +3,4 @@ ntp:
     servers:
       description: NTP Server List
       title: NTP Servers
-      helpLink: ntp.html
+      helpLink: ntp

salt/patch/soc_patch.yaml

@@ -2,19 +2,19 @@ patch:
   os:
     enabled:
       description: Enable OS updates. WARNING - Disabling this setting will prevent important operating system updates from being applied on a scheduled basis.
-      helpLink: soup.html
+      helpLink: soup
     schedule_to_run: 
       description: Currently running schedule for updates.
-      helpLink: soup.html
+      helpLink: soup
     schedules:
       auto:
         splay: &splayOptions
           description: Seconds to splay updates.
-          helpLink: soup.html 
+          helpLink: soup 
         schedule:
           hours: 
             description: Run the OS updates every X hours. 
-            helpLink: soup.html
+            helpLink: soup
       monday:
         splay: *splayOptions
         schedule: 
@@ -51,7 +51,7 @@ patch:
           Monday: &dailyOptions
             description: List of times to apply OS patches daily.
             multiline: True
-            helpLink: soup.html
+            helpLink: soup
           Tuesday: *dailyOptions
           Wednesday: *dailyOptions
           Thursday: *dailyOptions
@@ -64,7 +64,7 @@ patch:
           Monday: &weekdayOptions
             description: List of times for weekdays.
             multiline: True
-            helpLink: soup.html
+            helpLink: soup
           Tuesday: *weekdayOptions
           Wednesday: *weekdayOptions
           Thursday: *weekdayOptions
@@ -75,5 +75,5 @@ patch:
           Saturday: &weekendOptions
             description: List of times for weekend days.
             multiline: true
-            helpLink: soup.html
+            helpLink: soup
           Sunday: *weekendOptions

salt/podman/files/podman.service

@@ -1,17 +0,0 @@
-[Unit]
-Description=Podman API Service
-Requires=podman.socket
-After=podman.socket
-Documentation=man:podman-api(1)
-StartLimitIntervalSec=0
-
-[Service]
-Type=oneshot
-Environment=REGISTRIES_CONFIG_PATH=/etc/containers/registries.conf
-ExecStart=/usr/bin/podman system service
-TimeoutStopSec=30
-KillMode=process
-
-[Install]
-WantedBy=multi-user.target
-Also=podman.socket

salt/podman/files/podman.socket

@@ -1,10 +0,0 @@
-[Unit]
-Description=Podman API Socket
-Documentation=man:podman-api(1)
-
-[Socket]
-ListenStream=%t/podman/podman.sock
-SocketMode=0660
-
-[Install]
-WantedBy=sockets.target

salt/podman/files/sobridge.conflist

@@ -1,48 +0,0 @@
-{
-   "args": {
-      "podman_options": {
-         "isolate": "true",
-         "mtu": "1500"
-      }
-   },
-   "cniVersion": "0.4.0",
-   "name": "sobridge",
-   "plugins": [
-      {
-         "type": "bridge",
-         "bridge": "sobridge",
-         "isGateway": true,
-         "ipMasq": false,
-         "mtu": 1500,
-         "hairpinMode": false,
-         "ipam": {
-            "type": "host-local",
-            "routes": [
-               {
-                  "dst": "0.0.0.0/0"
-               }
-            ],
-            "ranges": [
-               [
-                  {
-                     "subnet": "172.17.1.0/24",
-                     "gateway": "172.17.1.1"
-                  }
-               ]
-            ]
-         },
-         "capabilities": {
-            "ips": true
-         }
-      },
-      {
-         "type": "portmap",
-         "capabilities": {
-            "portMappings": false
-         }
-      },
-      {
-         "type": "tuning"
-      }
-   ]
-}

salt/podman/init.sls

@@ -1,56 +0,0 @@
-{% from 'docker/docker.map.jinja' import DOCKER %}
-
-Podman pkg:
-  pkg.installed:
-    - name: podman
-
-cnipkg:
-  pkg.installed:
-    - name: containernetworking-plugins
-
-{#
-Podman service:
-  file.managed:
-    - name: /usr/lib/systemd/system/podman.service
-    - source: salt://podman/podman.service
-#}
-
-sobridgeconf:
-  file.managed:
-    - name: /etc/cni/net.d/sobridge.conflist
-    - source: salt://podman/files/sobridge.conflist
-
-Podman_socket_service:
-  service.running:
-    - name: podman.socket
-    - enable: true
-
-Podman_service:
-  service.running:
-    - name: podman.service
-    - enable: true
-
-Docker socket:
-  file.symlink:
-    - name: /var/run/docker.sock
-    - target: /var/run/podman/podman.sock
-
-podman_docker_symlink:
-  file.symlink:
-    - name: /usr/bin/docker
-    - target: /usr/bin/podman
-
-{#
-sos_docker_net:
-  docker_network.present:
-    - name: sobridge
-    - subnet: {{ DOCKER.range }}
-    - gateway: {{ DOCKER.bip }}
-    - options:
-        com.docker.network.bridge.name: 'sobridge'
-        com.docker.network.driver.mtu: '1500'
-        com.docker.network.bridge.enable_ip_masquerade: 'true'
-        com.docker.network.bridge.enable_icc: 'true'
-        com.docker.network.bridge.host_binding_ipv4: '0.0.0.0'
-    - unless: 'docker network ls | grep sobridge'
-#}

salt/redis/soc_redis.yaml

@@ -1,18 +1,18 @@
 redis:
   enabled: 
     description: Enables the log event in-memory buffering process. This process might already be disabled on some installation types. Disabling this process on distributed-capable grids can result in loss of log events.
-    helpLink: redis.html
+    helpLink: redis
   config:
     bind:
       description: The IP address to bind to.
       global: True
       advanced: True
-      helpLink: redis.html
+      helpLink: redis
     protected-mode:
       description: Force authentication to access redis.
       global: True
       advanced: True
-      helpLink: redis.html
+      helpLink: redis
     requirepass:
       description: Password for accessing Redis.
       global: True
@@ -21,262 +21,262 @@ redis:
       description: TLS cert file location.
       global: True
       advanced: True
-      helpLink: redis.html
+      helpLink: redis
     tls-key-file: 
       description: TLS key file location.
       global: True
       advanced: True
-      helpLink: redis.html
+      helpLink: redis
     tls-ca-cert-file:
       description: TLS CA file location.
       global: True
       advanced: True
-      helpLink: redis.html
+      helpLink: redis
     tls-port: 
       description: Port to use TLS encryption on.
       global: True
       advanced: True
-      helpLink: redis.html
+      helpLink: redis
     tls-auth-clients: 
       description: Force TLS authentication.
       global: True
       advanced: True
-      helpLink: redis.html
+      helpLink: redis
     port: 
       description: Non TLS port for Redis access.
       global: True
       advanced: True
-      helpLink: redis.html
+      helpLink: redis
     tcp-backlog: 
       description: Set the TCP backlog value. This is normally increasd in high request environments.
       global: True
       advanced: True
-      helpLink: redis.html
+      helpLink: redis
     timeout: 
       description: Time in seconds to close an idle connection. 0 to disable.
       global: True
-      helpLink: redis.html
+      helpLink: redis
     tcp-keepalive: 
       description: Time in seconds to send a keepalive.
       global: True
-      helpLink: redis.html
+      helpLink: redis
     tls-replication:
       description: Enable TLS replication links.
       global: True
       advanced: True
-      helpLink: redis.html
+      helpLink: redis
     tls-protocols:
       description: List of acceptable TLS protocols separated by spaces.
       global: True
       advanced: True
-      helpLink: redis.html
+      helpLink: redis
     tls-prefer-server-ciphers: 
       description: Prefer the server side ciphers.
       global: True
       advanced: True
-      helpLink: redis.html
+      helpLink: redis
     tls-session-caching:
       description: Enable TLS session caching.
       global: True
-      helpLink: redis.html
+      helpLink: redis
     tls-session-cache-size: 
       description: The number of TLS sessions to cache.
       global: True
       advanced: True
-      helpLink: redis.html
+      helpLink: redis
     tls-session-cache-timeout: 
       description: Timeout in seconds to cache TLS sessions.
       global: True
       advanced: True
-      helpLink: redis.html
+      helpLink: redis
     loglevel:
       description: Log verbosity level.
       global: True
-      helpLink: redis.html
+      helpLink: redis
     logfile:
       description: Log file name.
       global: True
       advanced: True
-      helpLink: redis.html
+      helpLink: redis
     syslog-enabled: 
       description: Enable syslog output.
       global: True
       advanced: True
-      helpLink: redis.html
+      helpLink: redis
     syslog-ident:
       description: Set the syslog identity.
       global: True
       advanced: True
-      helpLink: redis.html
+      helpLink: redis
     syslog-facility:
       description: Set the syslog facility.
       global: True
       advanced: True
-      helpLink: redis.html
+      helpLink: redis
     databases:
       description: Total amount of databases.
       global: True
       advanced: True
-      helpLink: redis.html
+      helpLink: redis
     always-show-logo:
       description: The amount of time that a write will wait before fsyncing.
       global: True
       advanced: True
-      helpLink: redis.html
+      helpLink: redis
     save:
       '900':
         description: Set the amount of keys that need to change to save after 15 minutes.
         global: True
-        helpLink: redis.html
+        helpLink: redis
       '300': 
         description: Set the amount of keys that need to change to save after 5 minutes.
         global: True
-        helpLink: redis.html
+        helpLink: redis
       '60': 
         description: Set the amount of keys that need to change to save after 1 minute
         global: True
-        helpLink: redis.html
+        helpLink: redis
     stop-writes-on-bgsave-error: 
       description: Stop writes to redis is there is an error with the save.
       global: True
       advanced: True
-      helpLink: redis.html
+      helpLink: redis
     rdbcompression:
       description: Compress string objects with LZF.
       global: True
       advanced: True
-      helpLink: redis.html
+      helpLink: redis
     rdbchecksum:
       description: Enable checksum of rdb files.
       global: True
       advanced: True
-      helpLink: redis.html
+      helpLink: redis
     dbfilename:
       description: Filename of the rdb saves.
       global: True
       advanced: True
-      helpLink: redis.html
+      helpLink: redis
     acllog-max-len:
       description: Maximum length of the ACL log.
       global: True
       advanced: True
-      helpLink: redis.html
+      helpLink: redis
     maxmemory:
       description: Maximum memory for storing redis objects.
       global: True
-      helpLink: redis.html
+      helpLink: redis
     maxmemory-policy:
       description: The policy to use when maxmemory is reached.
       global: True
-      helpLink: redis.html
+      helpLink: redis
     maxmemory-samples:
       description: maxmemory sample size.
       global: True
       advanced: True
-      helpLink: redis.html
+      helpLink: redis
     lua-time-limit:
       description: Maximum execution time of LUA scripts.
       global: True
       advanced: True
-      helpLink: redis.html
+      helpLink: redis
     slowlog-log-slower-than:
       description: Time in microseconds to write to the slow log.
       global: True
       advanced: True
-      helpLink: redis.html
+      helpLink: redis
     slowlog-max-len:
       description: Maximum size of the slow log.
       global: True
       advanced: True
-      helpLink: redis.html
+      helpLink: redis
     hash-max-ziplist-entries:
       description: Used for advanced performance tuning of Redis.
       global: True
       advanced: True
-      helpLink: redis.html
+      helpLink: redis
     hash-max-ziplist-value:
       description: Used for advanced performance tuning of Redis.
       global: True
       advanced: True
-      helpLink: redis.html
+      helpLink: redis
     list-max-ziplist-size:
       description: Used for advanced performance tuning of Redis.
       global: True
       advanced: True
-      helpLink: redis.html
+      helpLink: redis
     list-compress-depth:
       description: Depth for list compression.
       global: True
       advanced: True
-      helpLink: redis.html
+      helpLink: redis
     set-max-intset-entries:
       description: Sets the limit on the size of the set in order to use the special memory saving encoding.
       global: True
       advanced: True
-      helpLink: redis.html
+      helpLink: redis
     zset-max-ziplist-entries:
       description: Used for advanced performance tuning of Redis.
       global: True
       advanced: True
-      helpLink: redis.html
+      helpLink: redis
     zset-max-ziplist-value:
       description: Used for advanced performance tuning of Redis.
       global: True
       advanced: True
-      helpLink: redis.html
+      helpLink: redis
     hll-sparse-max-bytes:
       description: Used for advanced performance tuning of Redis.
       global: True
       advanced: True
-      helpLink: redis.html
+      helpLink: redis
     stream-node-max-bytes:
       description: Used for advanced performance tuning of Redis.
       global: True
       advanced: True
-      helpLink: redis.html
+      helpLink: redis
     stream-node-max-entries:
       description: Used for advanced performance tuning of Redis.
       global: True
       advanced: True
-      helpLink: redis.html
+      helpLink: redis
     activerehashing:
       description: Used for advanced performance tuning of Redis.
       global: True
       advanced: True
-      helpLink: redis.html
+      helpLink: redis
     client-output-buffer-limit:
       normal: 
         description: Used for advanced performance tuning of Redis.
         global: True
         advanced: True
-        helpLink: redis.html
+        helpLink: redis
       replica:
         description: Used for advanced performance tuning of Redis.
         global: True
         advanced: True
-        helpLink: redis.html
+        helpLink: redis
       pubsub: 
         description: Used for advanced performance tuning of Redis.
         global: True
         advanced: True
-        helpLink: redis.html
+        helpLink: redis
     hz: 
       description: Used for advanced performance tuning of Redis.
       global: True
       advanced: True
-      helpLink: redis.html
+      helpLink: redis
     dynamic-hz:
       description: Used for advanced performance tuning of Redis.
       global: True
       advanced: True
-      helpLink: redis.html
+      helpLink: redis
     rdb-save-incremental-fsync: 
       description: fsync redis data.
       global: True
       advanced: True
-      helpLink: redis.html
+      helpLink: redis
     jemalloc-bg-thread:
       description: Jemalloc background thread for purging.
       global: True
       advanced: True
-      helpLink: redis.html
+      helpLink: redis

salt/repo/client/map.jinja

@@ -1,43 +1,29 @@
-{% from 'vars/globals.map.jinja' import GLOBALS %}
-
-{% if GLOBALS.os_family == 'RedHat' %}
-  {% set REPOPATH = '/etc/yum.repos.d/' %}
-{%     if GLOBALS.os == 'OEL' %}
-  {% set ABSENTFILES = [
-         'centos-addons.repo',
-         'centos-devel.repo',
-         'centos-extras.repo',
-         'centos.repo',
-         'docker-ce.repo',
-         'epel.repo',
-         'epel-testing.repo',
-         'saltstack.repo',
-         'salt-latest.repo',
-         'wazuh.repo'
-         'Rocky-Base.repo',
-         'Rocky-CR.repo',
-         'Rocky-Debuginfo.repo',
-         'Rocky-fasttrack.repo',
-         'Rocky-Media.repo',
-         'Rocky-Sources.repo',
-         'Rocky-Vault.repo',
-         'Rocky-x86_64-kernel.repo',
-         'rocky-addons.repo',
-         'rocky-devel.repo',
-         'rocky-extras.repo',
-         'rocky.repo',
-         'oracle-linux-ol9.repo',
-         'uek-ol9.repo',
-         'virt-ol9.repo'
-       ]
-  %}
-{%     else %}
-  {% set ABSENTFILES = [] %}
-{%    endif %}
-
-{% else %}
-
-  {% set REPOPATH = '/etc/apt/sources.list.d/' %}
-  {% set ABSENTFILES = [] %}
-
-{% endif %}
+{% set REPOPATH = '/etc/yum.repos.d/' %}
+{% set ABSENTFILES = [
+       'centos-addons.repo',
+       'centos-devel.repo',
+       'centos-extras.repo',
+       'centos.repo',
+       'docker-ce.repo',
+       'epel.repo',
+       'epel-testing.repo',
+       'saltstack.repo',
+       'salt-latest.repo',
+       'wazuh.repo'
+       'Rocky-Base.repo',
+       'Rocky-CR.repo',
+       'Rocky-Debuginfo.repo',
+       'Rocky-fasttrack.repo',
+       'Rocky-Media.repo',
+       'Rocky-Sources.repo',
+       'Rocky-Vault.repo',
+       'Rocky-x86_64-kernel.repo',
+       'rocky-addons.repo',
+       'rocky-devel.repo',
+       'rocky-extras.repo',
+       'rocky.repo',
+       'oracle-linux-ol9.repo',
+       'uek-ol9.repo',
+       'virt-ol9.repo'
+     ]
+%}

salt/salt/init.sls

@@ -1,10 +1,3 @@
-{% if grains.oscodename == 'focal' %}
-saltpymodules:
-  pkg.installed:
-    - pkgs:
-      - python3-docker
-{% endif %}
-
 # distribute to minions for salt upgrades
 salt_bootstrap:
   file.managed:

salt/salt/map.jinja

@@ -17,22 +17,12 @@
 {% set SALTVERSION = saltminion.salt.minion.version | string %}
 {% set INSTALLEDSALTVERSION = grains.saltversion | string %}
 
-{% if grains.os_family == 'Debian' %}
-  {% set SPLITCHAR = '+' %}
-  {% set SALTPACKAGES = ['salt-common', 'salt-master', 'salt-minion', 'salt-cloud'] %}
-  {% set SYSTEMD_UNIT_FILE = '/lib/systemd/system/salt-minion.service' %}
-{% else %}
-  {% set SPLITCHAR = '-' %}
-  {% set SALTPACKAGES = ['salt', 'salt-master', 'salt-minion', 'salt-cloud'] %}
-  {% set SYSTEMD_UNIT_FILE = '/usr/lib/systemd/system/salt-minion.service' %}
-{% endif %}
+{% set SPLITCHAR = '-' %}
+{% set SALTPACKAGES = ['salt', 'salt-master', 'salt-minion', 'salt-cloud'] %}
+{% set SYSTEMD_UNIT_FILE = '/usr/lib/systemd/system/salt-minion.service' %}
 
 {% if INSTALLEDSALTVERSION != SALTVERSION %}
-  {% if grains.os_family|lower == 'redhat' %}
-      {% set UPGRADECOMMAND = 'yum clean all ; /usr/sbin/bootstrap-salt.sh -X -r -F stable ' ~ SALTVERSION %}
-  {% elif grains.os_family|lower == 'debian' %}
-    {% set UPGRADECOMMAND = '/usr/sbin/bootstrap-salt.sh -X -F stable ' ~ SALTVERSION %}
-  {% endif %}
+  {% set UPGRADECOMMAND = 'yum clean all ; /usr/sbin/bootstrap-salt.sh -X -r -F stable ' ~ SALTVERSION %}
 {% else %}
   {% set UPGRADECOMMAND = 'echo Already running Salt Minion version ' ~ SALTVERSION %}
 {% endif %}

salt/salt/master.sls

@@ -23,15 +23,6 @@ sync_runners:
     - name: saltutil.sync_runners
 {% endif %}
 
-# prior to 2.4.30 this engine ran on the manager with salt-minion
-# this has changed to running with the salt-master in 2.4.30
-remove_engines_config:
-  file.absent:
-    - name: /etc/salt/minion.d/engines.conf
-    - source: salt://salt/files/engines.conf
-    - watch_in:
-      - service: salt_minion_service
-
 checkmine_engine:
   file.managed:
     - name: /etc/salt/engines/checkmine.py

salt/sensor/soc_sensor.yaml

@@ -1,15 +1,15 @@
 sensor:
   interface:
     description: Main sensor monitoring interface.
-    helpLink: network.html
+    helpLink: network-visibility
     readonly: True
   mtu:
     description: Maximum Transmission Unit (MTU) of the sensor monitoring interface.
-    helpLink: network.html
+    helpLink: network-visibility
     readonly: True
   channels:
     description: Set the size of the nic channels. This is rarely changed from 1 
-    helpLink: network.html
+    helpLink: network-visibility
     forcedType: int
     node: True
     advanced: True