Merge pull request #15661 from Security-Onion-Solutions/reyesj2-361

update stig profile v1r3
Merge pull request #15665 from Security-Onion-Solutions/delta
2026-03-24 05:22:38 +01:00 · 2026-03-23 18:09:33 -05:00 · 2026-03-23 17:34:21 -04:00 · 2026-03-23 17:24:12 -04:00 · 2026-03-23 16:30:51 -04:00 · 2026-03-23 16:26:56 -04:00
8 changed files with 74962 additions and 43853 deletions
--- a/.github/.gitleaks.toml
+++ b/.github/.gitleaks.toml
@@ -542,5 +542,6 @@ paths = [
    '''(.*?)(jpg|gif|doc|pdf|bin|svg|socket)$''',
    '''(go.mod|go.sum)$''',
    '''salt/nginx/files/enterprise-attack.json''',
-    '''(.*?)whl$'''
+    '''(.*?)whl$''',
+    '''salt/stig/files/sos-oscap.xml'''
 ]
--- a/salt/idh/enabled.sls
+++ b/salt/idh/enabled.sls
@@ -20,7 +20,7 @@ so-idh:
    - network_mode: host
    - binds:
      - /nsm/idh:/var/tmp:rw
-      - /opt/so/conf/idh/http-skins:/usr/local/lib/python3.12/site-packages/opencanary/modules/data/http/skin:ro
+      - /opt/so/conf/idh/http-skins:/opt/opencanary/http-skins:ro
      - /opt/so/conf/idh/opencanary.conf:/etc/opencanaryd/opencanary.conf:ro
      {% if DOCKERMERGED.containers['so-idh'].custom_bind_mounts %}
        {% for BIND in DOCKERMERGED.containers['so-idh'].custom_bind_mounts %}
--- a/salt/idh/opencanary_config.map.jinja
+++ b/salt/idh/opencanary_config.map.jinja
@@ -28,6 +28,7 @@
 {% set HTTPPROXYSKINLIST = OPENCANARYCONFIG.pop('httpproxy_x_skinlist') %}
 {% do OPENCANARYCONFIG.update({'http_x_skin_x_list': HTTPSKINLIST}) %}
 {% do OPENCANARYCONFIG.update({'httpproxy_x_skin_x_list': HTTPPROXYSKINLIST}) %}
+{% do OPENCANARYCONFIG.update({'http_x_skindir': '/opt/opencanary/http-skins/' ~ OPENCANARYCONFIG['http_x_skin']}) %}

 {% set OPENSSH = salt['pillar.get']('idh:openssh', default=IDHCONFIG.idh.openssh, merge=True) %}

--- a/salt/idh/skins/http/opencanary/basicLogin/redirect.html
+++ b/salt/idh/skins/http/opencanary/basicLogin/redirect.html
@@ -0,0 +1,29 @@
+<html>
+    <head>
+        <title>Redirect</title>
+        <style>
+            body {
+              width: 100%;
+            }
+            .outer {
+               margin-left: auto;
+               margin-right: auto;
+               width: 25em;
+               height: 100%;
+            }
+            .inner{
+               display: table-cell;
+               vertical-align: middle;
+               height: 30em;
+            }
+        </style>
+    </head>
+    <body>
+        <div class='outer'>
+            <div class='inner'>
+              <a href="/index">Click here</a>
+            </div>
+        </div>
+    </body>
+</html>
+
--- a/salt/idh/skins/http/opencanary/nasLogin/redirect.html
+++ b/salt/idh/skins/http/opencanary/nasLogin/redirect.html
@@ -0,0 +1,29 @@
+<html>
+    <head>
+        <title>Redirect</title>
+        <style>
+            body {
+              width: 100%;
+            }
+            .outer {
+               margin-left: auto;
+               margin-right: auto;
+               width: 25em;
+               height: 100%;
+            }
+            .inner{
+               display: table-cell;
+               vertical-align: middle;
+               height: 30em;
+            }
+        </style>
+    </head>
+    <body>
+        <div class='outer'>
+            <div class='inner'>
+              <a href="/index">Click here</a>
+            </div>
+        </div>
+    </body>
+</html>
+
--- a/salt/nginx/etc/nginx.conf
+++ b/salt/nginx/etc/nginx.conf
@@ -387,7 +387,7 @@ http {
 		error_page 429 = @error429;

 		location @error401 {
-			if ($request_uri ~* (^/api/.*|^/connect/.*|^/oauth2/.*)) {
+			if ($request_uri ~* (^/api/.*|^/connect/.*|^/oauth2/.*|^/.*\.map$)) {
 				return    401;
 			}

--- a/salt/stig/files/sos-oscap.xml
+++ b/salt/stig/files/sos-oscap.xml
--- a/salt/suricata/soc_suricata.yaml
+++ b/salt/suricata/soc_suricata.yaml
@@ -161,7 +161,7 @@ suricata:
      address-groups:
        HOME_NET: 
          description: Assign a list of hosts, or networks, using CIDR notation, to this Suricata variable. The variable can then be re-used within Suricata rules. This allows for a single adjustment to the variable that will then affect all rules referencing the variable.
-          regex: ^(((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(\/([0-9]|[1-2][0-9]|3[0-2]))?$|^((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)\.){3}(25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?))|:))|(([0-9A-Fa-f]{1,4}:){5}((:[0-9A-Fa-f]{1,4}){1,2}|:((25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)\.){3}(25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)|:))|(([0-9A-Fa-f]{1,4}:){4}((:[0-9A-Fa-f]{1,4}){1,3}|:((25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)\.){3}(25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)|:))|(([0-9A-Fa-f]{1,4}:){3}((:[0-9A-Fa-f]{1,4}){1,4}|:((25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)\.){3}(25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)|:))|(([0-9A-Fa-f]{1,4}:){2}((:[0-9A-Fa-f]{1,4}){1,5}|:((25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)\.){3}(25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)|:))|(([0-9A-Fa-f]{1,4}:){1}((:[0-9A-Fa-f]{1,4}){1,6}|:((25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)\.){3}(25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)|:))|(:((:[0-9A-Fa-f]{1,4}){1,7}|:)))(\/([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8]))?$
+          regex: ^!?((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(\/([0-9]|[1-2][0-9]|3[0-2]))?$|^!?((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)\.){3}(25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)|:))|(([0-9A-Fa-f]{1,4}:){5}((:[0-9A-Fa-f]{1,4}){1,2}|:((25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)\.){3}(25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)|:))|(([0-9A-Fa-f]{1,4}:){4}((:[0-9A-Fa-f]{1,4}){1,3}|:((25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)\.){3}(25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)|:))|(([0-9A-Fa-f]{1,4}:){3}((:[0-9A-Fa-f]{1,4}){1,4}|:((25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)\.){3}(25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)|:))|(([0-9A-Fa-f]{1,4}:){2}((:[0-9A-Fa-f]{1,4}){1,5}|:((25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)\.){3}(25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)|:))|(([0-9A-Fa-f]{1,4}:){1}((:[0-9A-Fa-f]{1,4}){1,6}|:((25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)\.){3}(25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)|:))|(:((:[0-9A-Fa-f]{1,4}){1,7}|:)))(\/([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8]))?$
          regexFailureMessage: You must enter a valid IP address or CIDR.
          forcedType: "[]string"
          duplicates: True
Author	SHA1	Message	Date
Jorge Reyes	afcef1d0e7	Merge pull request #15661 from Security-Onion-Solutions/reyesj2-361 update stig profile v1r3	2026-03-23 18:09:33 -05:00
Josh Patterson	91b164b728	Merge pull request #15665 from Security-Onion-Solutions/delta allow negation in suricata address-group vars	2026-03-23 17:34:21 -04:00
Josh Patterson	6a4501241d	allow negation in suricata address-group vars	2026-03-23 17:24:12 -04:00
Josh Brower	c6978f9037	Merge pull request #15663 from Security-Onion-Solutions/fix/idh-skins Remove hardcoded path	2026-03-23 16:30:51 -04:00
Josh Brower	7300513636	Remove hardcoded path	2026-03-23 16:26:56 -04:00
Jorge Reyes	fb7b73c601	Merge pull request #15662 from Security-Onion-Solutions/reyesj2-patch-1 exclude oscap profile from gitleaks	2026-03-23 14:23:24 -05:00
Jorge Reyes	f2b6d59c65	exclude oscap profile from gitleaks	2026-03-23 14:17:39 -05:00
reyesj2	67162357a3	update stig profile v1r3	2026-03-23 14:04:48 -05:00
Jason Ertel	8ea97e4af3	Merge pull request #15658 from Security-Onion-Solutions/jertel/wip do not attempt to redirect to a source map after login	2026-03-23 09:55:31 -04:00
Jason Ertel	2f9a2e15b3	do not attempt to redirect to a source map after login	2026-03-23 09:48:06 -04:00
Josh Brower	a4fcf4ddf2	Merge pull request #15656 from Security-Onion-Solutions/zeek-websocket Add support for websockets	2026-03-23 08:21:08 -04:00