Merge pull request #15597 from Security-Onion-Solutions/2.4.211

2.4.211
2026-03-23 21:12:39 +01:00 · 2026-03-12 13:18:19 -04:00 · 2026-03-12 11:33:11 -04:00 · 2026-03-12 11:31:59 -04:00 · 2026-03-11 14:40:40 -04:00 · 2026-03-11 14:37:43 -04:00
14 changed files with 50 additions and 29 deletions
--- a/.github/DISCUSSION_TEMPLATE/2-4.yml
+++ b/.github/DISCUSSION_TEMPLATE/2-4.yml
@@ -35,7 +35,7 @@ body:
        - 2.4.200
        - 2.4.201
        - 2.4.210
-        - 3.0.0
+        - 2.4.211
        - Other (please provide detail below)
    validations:
      required: true
--- a/DOWNLOAD_AND_VERIFY_ISO.md
+++ b/DOWNLOAD_AND_VERIFY_ISO.md
@@ -1,17 +1,17 @@
-### 2.4.210-20260302 ISO image released on 2026/03/02
+### 2.4.211-20260312 ISO image released on 2026/03/12


 ### Download and Verify

-2.4.210-20260302 ISO image:  
-https://download.securityonion.net/file/securityonion/securityonion-2.4.210-20260302.iso
+2.4.211-20260312 ISO image:  
+https://download.securityonion.net/file/securityonion/securityonion-2.4.211-20260312.iso
 
-MD5: 575F316981891EBED2EE4E1F42A1F016  
-SHA1: 600945E8823221CBC5F1C056084A71355308227E  
-SHA256: A6AA6471125F07FA6E2796430E94BEAFDEF728E833E9728FDFA7106351EBC47E  
+MD5: 7082210AE9FF4D2634D71EAD4DC8F7A3  
+SHA1: F76E08C47FD786624B2385B4235A3D61A4C3E9DC  
+SHA256: CE6E61788DFC492E4897EEDC139D698B2EDBEB6B631DE0043F66E94AF8A0FF4E  

 Signature for ISO image:  
-https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.210-20260302.iso.sig
+https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.211-20260312.iso.sig

 Signing key:  
 https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/2.4/main/KEYS  
@@ -25,22 +25,22 @@ wget https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/2.

 Download the signature file for the ISO:  
 ```
-wget https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.210-20260302.iso.sig
+wget https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.211-20260312.iso.sig
 ```

 Download the ISO image:  
 ```
-wget https://download.securityonion.net/file/securityonion/securityonion-2.4.210-20260302.iso
+wget https://download.securityonion.net/file/securityonion/securityonion-2.4.211-20260312.iso
 ```

 Verify the downloaded ISO image using the signature file:  
 ```
-gpg --verify securityonion-2.4.210-20260302.iso.sig securityonion-2.4.210-20260302.iso
+gpg --verify securityonion-2.4.211-20260312.iso.sig securityonion-2.4.211-20260312.iso
 ```

 The output should show "Good signature" and the Primary key fingerprint should match what's shown below:
 ```
-gpg: Signature made Mon 02 Mar 2026 11:55:24 AM EST using RSA key ID FE507013
+gpg: Signature made Wed 11 Mar 2026 03:05:09 PM EDT using RSA key ID FE507013
 gpg: Good signature from "Security Onion Solutions, LLC <info@securityonionsolutions.com>"
 gpg: WARNING: This key is not certified with a trusted signature!
 gpg:          There is no indication that the signature belongs to the owner.
--- a/1
+++ b/1
@@ -0,0 +1 @@
+
--- a/2
+++ b/2
@@ -1 +1 @@
-3.0.0
+2.4.211
--- a/salt/common/files/daemon.json
+++ b/salt/common/files/daemon.json
@@ -8,5 +8,12 @@
      "base": "172.17.0.0/24",
      "size": 24
    }
-  ]
+  ],
+  "default-ulimits": {
+      "nofile": {
+        "Name": "nofile",
+        "Soft": 1048576,
+        "Hard": 1048576
+      }
+  }
 }
--- a/salt/elasticsearch/config.sls
+++ b/salt/elasticsearch/config.sls
@@ -10,7 +10,7 @@

 vm.max_map_count:
  sysctl.present:
-    - value: {{ ELASTICSEARCHMERGED.vm.max_map_count }}
+    - value: 262144

 # Add ES Group
 elasticsearchgroup:
--- a/salt/elasticsearch/defaults.yaml
+++ b/salt/elasticsearch/defaults.yaml
@@ -2,8 +2,6 @@ elasticsearch:
  enabled: false
  version: 9.0.8
  index_clean: true
-  vm:
-    max_map_count: 1048576
  config:
    action:
      destructive_requires_name: true
--- a/salt/elasticsearch/soc_elasticsearch.yaml
+++ b/salt/elasticsearch/soc_elasticsearch.yaml
@@ -15,11 +15,6 @@ elasticsearch:
    description: Determines if indices should be considered for deletion by available disk space in the cluster. Otherwise, indices will only be deleted by the age defined in the ILM settings. This setting only applies to EVAL, STANDALONE, and HEAVY NODE installations. Other installations can only use ILM settings.
    forcedType: bool
    helpLink: elasticsearch.html
-  vm:
-    max_map_count:
-      description: The maximum number of memory map areas a process may use. Elasticsearch uses a mmapfs directory by default to store its indices. The default operating system limits on mmap counts could be too low, which may result in out of memory exceptions.
-      forcedType: int
-      helpLink: elasticsearch.html
  retention: 
    retention_pct:
      decription: Total percentage of space used by Elasticsearch for multi node clusters
--- a/salt/manager/tools/sbin/soup
+++ b/salt/manager/tools/sbin/soup
@@ -467,6 +467,7 @@ preupgrade_changes() {
    [[ "$INSTALLEDVERSION" == 2.4.190 ]] && up_to_2.4.200
    [[ "$INSTALLEDVERSION" == 2.4.200 ]] && up_to_2.4.201
    [[ "$INSTALLEDVERSION" == 2.4.201 ]] && up_to_2.4.210
+    [[ "$INSTALLEDVERSION" == 2.4.210 ]] && up_to_2.4.211
    true
 }

@@ -501,6 +502,7 @@ postupgrade_changes() {
    [[ "$POSTVERSION" == 2.4.190 ]] && post_to_2.4.200
    [[ "$POSTVERSION" == 2.4.200 ]] && post_to_2.4.201
    [[ "$POSTVERSION" == 2.4.201 ]] && post_to_2.4.210
+    [[ "$POSTVERSION" == 2.4.210 ]] && post_to_2.4.211
    true
 }

@@ -719,6 +721,11 @@ post_to_2.4.210() {
  POSTVERSION=2.4.210
 }

+post_to_2.4.211() {
+  echo "Nothing to apply"
+  POSTVERSION=2.4.211
+}
+
 repo_sync() {
  echo "Sync the local repo."
  su socore -c '/usr/sbin/so-repo-sync' || fail "Unable to complete so-repo-sync."
@@ -1009,6 +1016,12 @@ up_to_2.4.210() {
  INSTALLEDVERSION=2.4.210
 }

+up_to_2.4.211() {
+  echo "Nothing to do for 2.4.211"
+
+  INSTALLEDVERSION=2.4.211
+}
+
 add_hydra_pillars() {
  mkdir -p /opt/so/saltstack/local/pillar/hydra
  touch /opt/so/saltstack/local/pillar/hydra/soc_hydra.sls
--- a/salt/salt/cloud/cloud.profiles.d/socloud.conf.jinja
+++ b/salt/salt/cloud/cloud.profiles.d/socloud.conf.jinja
@@ -29,7 +29,11 @@ sool9_{{host}}:
    hypervisor_host: {{host ~ "_" ~ role}}
  preflight_cmds:
    - |
-      tee -a /etc/hosts <<< "{{ MANAGERIP }}    {{ MANAGERHOSTNAME }}"
+      {%- set hostnames = [MANAGERHOSTNAME] %}
+      {%- if not (URL_BASE | ipaddr) and URL_BASE != MANAGERHOSTNAME %}
+      {%-   do hostnames.append(URL_BASE) %}
+      {%- endif %}
+      tee -a /etc/hosts <<< "{{ MANAGERIP }}    {{ hostnames | join('  ') }}"
    - |
      timeout 600 bash -c 'trap "echo \"Preflight Check: Failed to establish repo connectivity\"; exit 1" TERM; \
        while ! dnf makecache --repoid=securityonion >/dev/null 2>&1; do echo "Preflight Check: Waiting for repo connectivity..."; \
--- a/salt/salt/cloud/config.sls
+++ b/salt/salt/cloud/config.sls
@@ -14,6 +14,7 @@
 {%   if 'vrt' in salt['pillar.get']('features', []) %}
 {%     set HYPERVISORS = salt['pillar.get']('hypervisor:nodes', {} ) %}
 {%     from 'salt/map.jinja' import SALTVERSION %}
+{%     from 'vars/globals.map.jinja' import GLOBALS %}

 {%     if HYPERVISORS %}
 cloud_providers:
@@ -34,6 +35,7 @@ cloud_profiles:
        MANAGERHOSTNAME: {{ grains.host }}
        MANAGERIP: {{ pillar.host.mainip }}
        SALTVERSION: {{ SALTVERSION }}
+        URL_BASE: {{ GLOBALS.url_base }}
    - template: jinja
    - makedirs: True
 {%     else %}
--- a/salt/salt/engines/master/virtual_node_manager.py
+++ b/salt/salt/engines/master/virtual_node_manager.py
@@ -805,11 +805,6 @@ def process_vm_creation(hypervisor_path: str, vm_config: dict) -> None:
                    mark_invalid_hardware(hypervisor_path, vm_name, vm_config,
                                        {'nsm_size': 'Invalid nsm_size: must be positive integer'})
                    return
-                if size > 10000:  # 10TB reasonable maximum
-                    log.error("VM: %s - nsm_size %dGB exceeds reasonable maximum (10000GB)", vm_name, size)
-                    mark_invalid_hardware(hypervisor_path, vm_name, vm_config,
-                                        {'nsm_size': f'Invalid nsm_size: {size}GB exceeds maximum (10000GB)'})
-                    return
                log.debug("VM: %s - nsm_size validated: %dGB", vm_name, size)
            except (ValueError, TypeError) as e:
                log.error("VM: %s - nsm_size must be a valid integer, got: %s", vm_name, vm_config.get('nsm_size'))
--- a/salt/suricata/map.jinja
+++ b/salt/suricata/map.jinja
@@ -16,7 +16,13 @@
 {%     do SURICATAMERGED.config.outputs['pcap-log'].update({'bpf-filter': PCAPBPF|join(" ")}) %}
 {%   endif %}

-{%   do SURICATAMERGED.config.outputs['pcap-log'].update({'enabled': 'yes'}) %}
+{%   set PCAP = salt['pillar.get']('pcap', {'enabled': false}) %}
+{%   if PCAP.enabled and GLOBALS.role != 'so-import'%}
+{%     do SURICATAMERGED.config.outputs['pcap-log'].update({'enabled': 'yes'}) %}
+{%   else %}
+{%     do SURICATAMERGED.config.outputs['pcap-log'].update({'enabled': 'no'}) %}
+{%   endif %}
+
 {#   move the items in suricata.pcap into suricata.config.outputs.pcap-log. these items were placed under suricata.config for ease of access in SOC #}
 {%   do SURICATAMERGED.config.outputs['pcap-log'].update({'compression': SURICATAMERGED.pcap.compression}) %}
 {%   do SURICATAMERGED.config.outputs['pcap-log'].update({'lz4-checksum': SURICATAMERGED.pcap['lz4-checksum']}) %}
--- a/sigs/securityonion-2.4.211-20260312.iso.sig
+++ b/sigs/securityonion-2.4.211-20260312.iso.sig
Author	SHA1	Message	Date
Mike Reeves	89e470059e	Merge pull request #15597 from Security-Onion-Solutions/2.4.211 2.4.211	2026-03-12 13:18:19 -04:00
Mike Reeves	79b30e43d9	2.4.211	2026-03-12 11:33:11 -04:00
Mike Reeves	5cebce32f7	2.4.211	2026-03-12 11:31:59 -04:00
Josh Patterson	810681c92e	Merge pull request #15593 from Security-Onion-Solutions/ulimit set container ulimits to default	2026-03-11 14:40:40 -04:00
Josh Patterson	51f9104d0f	set container ulimits to default	2026-03-11 14:37:43 -04:00
Mike Reeves	8da5ed673b	Merge pull request #15586 from Security-Onion-Solutions/TOoSmOotH-patch-4 Add support for version 2.4.211 in soup script	2026-03-11 12:16:49 -04:00
Josh Patterson	83ba40b548	Merge pull request #15588 from Security-Onion-Solutions/m0duspwnens-patch-1 clear HOTFIX file	2026-03-11 12:16:21 -04:00
Josh Patterson	7de8528b34	clear HOTFIX file	2026-03-11 12:14:48 -04:00
Mike Reeves	e6bd57e08d	Fix conditional check for POSTVERSION 2.4.211	2026-03-11 12:13:05 -04:00
Mike Reeves	06664440ad	Add support for version 2.4.211 in soup script	2026-03-11 12:10:28 -04:00
Josh Patterson	bd31f2898b	Merge pull request #15584 from Security-Onion-Solutions/hypefix remove 10T virtual disk limit. URL_BASE to vm hosts file	2026-03-11 11:58:46 -04:00
Josh Patterson	5bf9d92b52	add URL_BASE to vm hosts file	2026-03-11 11:55:42 -04:00
Josh Patterson	48c369ed11	remove 10T limit for virtual disk	2026-03-11 11:55:01 -04:00
Josh Patterson	7fec2d59a7	Merge pull request #15583 from Security-Onion-Solutions/m0duspwnens-patch-1 fix enable/disable suricata pcap	2026-03-11 11:52:53 -04:00
Mike Reeves	a0ad589c3a	Merge pull request #15582 from Security-Onion-Solutions/TOoSmOotH-patch-3 Bump version from 2.4.210 to 2.4.211	2026-03-11 11:48:51 -04:00
Mike Reeves	0bd54e2835	Add version 2.4.211 to discussion template	2026-03-11 11:44:57 -04:00
Mike Reeves	58f5c56b72	Bump version from 2.4.210 to 2.4.211	2026-03-11 11:43:42 -04:00
Josh Patterson	6472c610d0	fix enable/disable suricata pcap suricata pcap can now be enabled/disabled through pcap:enabled grid config / pillar	2026-03-10 11:01:11 -04:00
Mike Reeves	179c1ea7f7	Merge pull request #15570 from Security-Onion-Solutions/TOoSmOotH-patch-1 Add date to HOTFIX file	2026-03-10 10:20:16 -04:00
Mike Reeves	db964cad21	Add date to HOTFIX file	2026-03-10 10:18:25 -04:00
@@ -1 +1 @@
 .0.0
 .4.211