ensure bool sliders soc

Make AI adapter settings visible

.github/.gitleaks.toml

@@ -542,5 +542,6 @@ paths = [
     '''(.*?)(jpg|gif|doc|pdf|bin|svg|socket)$''',
     '''(go.mod|go.sum)$''',
     '''salt/nginx/files/enterprise-attack.json''',
-    '''(.*?)whl$'''
+    '''(.*?)whl$''',
+    '''salt/stig/files/sos-oscap.xml'''
 ]

salt/elasticsearch/files/ingest/suricata.common

@@ -22,6 +22,12 @@
                 "ignore_failure": true
             }
         },
+        {
+            "lowercase": {
+                "field": "network.transport",
+                "ignore_failure": true
+            }
+        },
         {
             "rename": {
                 "field": "message2.in_iface",

salt/idh/enabled.sls

@@ -20,7 +20,7 @@ so-idh:
     - network_mode: host
     - binds:
       - /nsm/idh:/var/tmp:rw
-      - /opt/so/conf/idh/http-skins:/usr/local/lib/python3.12/site-packages/opencanary/modules/data/http/skin:ro
+      - /opt/so/conf/idh/http-skins:/opt/opencanary/http-skins:ro
       - /opt/so/conf/idh/opencanary.conf:/etc/opencanaryd/opencanary.conf:ro
       {% if DOCKERMERGED.containers['so-idh'].custom_bind_mounts %}
         {% for BIND in DOCKERMERGED.containers['so-idh'].custom_bind_mounts %}

salt/idh/opencanary_config.map.jinja

@@ -28,6 +28,7 @@
 {% set HTTPPROXYSKINLIST = OPENCANARYCONFIG.pop('httpproxy_x_skinlist') %}
 {% do OPENCANARYCONFIG.update({'http_x_skin_x_list': HTTPSKINLIST}) %}
 {% do OPENCANARYCONFIG.update({'httpproxy_x_skin_x_list': HTTPPROXYSKINLIST}) %}
+{% do OPENCANARYCONFIG.update({'http_x_skindir': '/opt/opencanary/http-skins/' ~ OPENCANARYCONFIG['http_x_skin']}) %}
 
 {% set OPENSSH = salt['pillar.get']('idh:openssh', default=IDHCONFIG.idh.openssh, merge=True) %}
 

salt/idh/skins/http/opencanary/basicLogin/redirect.html

@@ -0,0 +1,29 @@
+<html>
+    <head>
+        <title>Redirect</title>
+        <style>
+            body {
+              width: 100%;
+            }
+            .outer {
+               margin-left: auto;
+               margin-right: auto;
+               width: 25em;
+               height: 100%;
+            }
+            .inner{
+               display: table-cell;
+               vertical-align: middle;
+               height: 30em;
+            }
+        </style>
+    </head>
+    <body>
+        <div class='outer'>
+            <div class='inner'>
+              <a href="/index">Click here</a>
+            </div>
+        </div>
+    </body>
+</html>
+

salt/idh/skins/http/opencanary/nasLogin/redirect.html

@@ -0,0 +1,29 @@
+<html>
+    <head>
+        <title>Redirect</title>
+        <style>
+            body {
+              width: 100%;
+            }
+            .outer {
+               margin-left: auto;
+               margin-right: auto;
+               width: 25em;
+               height: 100%;
+            }
+            .inner{
+               display: table-cell;
+               vertical-align: middle;
+               height: 30em;
+            }
+        </style>
+    </head>
+    <body>
+        <div class='outer'>
+            <div class='inner'>
+              <a href="/index">Click here</a>
+            </div>
+        </div>
+    </body>
+</html>
+

salt/nginx/etc/nginx.conf

@@ -387,7 +387,7 @@ http {
 		error_page 429 = @error429;
 
 		location @error401 {
-			if ($request_uri ~* (^/api/.*|^/connect/.*|^/oauth2/.*)) {
+			if ($request_uri ~* (^/api/.*|^/connect/.*|^/oauth2/.*|^/.*\.map$)) {
 				return    401;
 			}
 

salt/soc/defaults.yaml

@@ -2622,6 +2622,7 @@ soc:
               This is a YARA rule template. Replace all template values with your own values.
               The YARA rule name is the unique identifier for the rule.
               Docs: https://yara.readthedocs.io/en/stable/writingrules.html#writing-yara-rules
+              Delete these comments before attempting to "Create" the rule
               */
 
               rule Example // This identifier _must_ be unique

salt/soc/soc_soc.yaml

@@ -8,6 +8,7 @@ soc:
     description: When this setting is enabled and the grid is not in airgap mode, SOC will provide feature usage data to the Security Onion development team via Google Analytics. This data helps Security Onion developers determine which product features are being used and can also provide insight into improving the user interface. When changing this setting, wait for the grid to fully synchronize and then perform a hard browser refresh on SOC, to force the browser cache to update and reflect the new setting.
     global: True
     helpLink: telemetry
+    forcedType: bool
   files:
     soc:
       banner__md:
@@ -139,6 +140,7 @@ soc:
         title: Require TOTP
         description: Require all users to enable Time-based One Time Passwords (MFA) upon login to SOC.
         global: True
+        forcedType: bool
       customReportsPath:
         title: Custom Reports Path
         description: Path to custom markdown templates for PDF report generation. All markdown files in this directory will be available as custom reports in the SOC Reports interface.
@@ -185,6 +187,7 @@ soc:
         description: "Set to true to enable reverse DNS lookups for IP addresses in the SOC UI. To add your own local lookups, create a CSV file at /nsm/custom-mappings/ip-descriptions.csv on your Manager and populate the file with IP addresses and descriptions as follows: IP, Description. Elasticsearch will then ingest the CSV during the next high state."
         global: True
         helpLink: security-onion-console-customization#reverse-dns
+        forcedType: bool
       modules:
         elastalertengine:
           aiRepoUrl:
@@ -202,6 +205,7 @@ soc:
           showAiSummaries:
             description: Show AI summaries for ElastAlert rules.
             global: True
+            forcedType: bool
           additionalAlerters:
             title: "Notifications: Sev 0/Default Alerters"
             description: "Specify default alerters to enable for outbound notifications. These alerters will be used unless overridden by higher severity alerter settings. Specify one alerter name (Ex: 'email') per line. Alerters refers to ElastAlert 2 alerters, as documented at https://elastalert2.readthedocs.io. A full update of the ElastAlert rule engine, via the Detections screen, is required in order to apply these changes. Requires a valid Security Onion license key."
@@ -338,6 +342,7 @@ soc:
             description: 'Automatically update Sigma rules on a regular basis. This will update the rules based on the configured frequency.'
             global: True
             advanced: True
+            forcedType: bool
           communityRulesImportFrequencySeconds:
             description: 'How often to check for new Sigma rules (in seconds). This applies to both Community Rule Packages and any configured Git repos.'
             global: True
@@ -395,6 +400,7 @@ soc:
             description: Set to true if the SOC case management module, natively integrated with Elasticsearch, should be enabled.
             global: True
             advanced: True
+            forcedType: bool
           extractCommonObservables:
             description: List of indexed fields to automatically extract into a case observable, when attaching related events to a case.
             global: True
@@ -421,6 +427,7 @@ soc:
           lookupTunnelParent:
             description: When true, if a pivoted event appears to be encapsulated, such as in a VXLAN packet, then SOC will pivot to the VXLAN packet stream. When false, SOC will attempt to pivot to the encapsulated packet stream itself, but at the risk that it may be unable to locate it in the stored PCAP data.
             global: True
+            forcedType: bool
           maxScrollSize:
             description: The maximum number of documents to request in a single Elasticsearch scroll request.
           bulkIndexWorkerCount:
@@ -477,10 +484,12 @@ soc:
           showAiSummaries:
             description: Show AI summaries for Strelka rules.
             global: True
+            forcedType: bool
           autoUpdateEnabled:
             description: 'Automatically update YARA rules on a regular basis. This will update the rules based on the configured frequency.'
             global: True
             advanced: True
+            forcedType: bool
           autoEnabledYaraRules:
             description: 'YARA rules to automatically enable on initial import. Format is $Ruleset - for example, for the default shipped ruleset: securityonion-yara'
             global: True
@@ -536,10 +545,12 @@ soc:
           showAiSummaries:
             description: Show AI summaries for Suricata rules.
             global: True
+            forcedType: bool
           autoUpdateEnabled:
             description: 'Automatically update Suricata rules on a regular basis. This will update the rules based on the configured frequency.'
             global: True
             advanced: True
+            forcedType: bool
           communityRulesImportFrequencySeconds:
             description: 'How often to check for new Suricata rules (in seconds).'
             global: True
@@ -669,7 +680,7 @@ soc:
           adapters:
             description: Configuration for AI adapters used by the Onion AI assistant. Please see documentation for help on which fields are required for which protocols.
             global: True
-            advanced: True
+            advanced: False
             forcedType: "[]{}"
             helpLink: onion-ai
             syntax: json
@@ -709,6 +720,7 @@ soc:
           enabled:
             description: Set to true to enable the Onion AI assistant in SOC.
             global: True
+            forcedType: bool
           investigationPrompt: 
             description: Prompt given to Onion AI when beginning an investigation.
             global: True
@@ -734,7 +746,7 @@ soc:
           availableModels:
             description: List of AI models available for use in SOC as well as model specific warning thresholds.
             global: True
-            advanced: True
+            advanced: False
             forcedType: "[]{}"
             helpLink: onion-ai
             syntax: json
@@ -789,9 +801,11 @@ soc:
         casesEnabled:
           description: Set to true to enable case management in SOC.
           global: True
+          forcedType: bool
         detectionsEnabled:
           description: Set to true to enable the Detections module in SOC.
           global: True
+          forcedType: bool
         inactiveTools:
           description: List of external tools to remove from the SOC UI.
           global: True
@@ -867,6 +881,7 @@ soc:
           showUnreviewedAiSummaries:
             description: Show AI summaries in detections even if they have not yet been reviewed by a human.
             global: True
+            forcedType: bool
           templateDetections:
             suricata:
               description: The template used when creating a new Suricata detection. [publicId] will be replaced with an unused Public Id.
@@ -904,6 +919,7 @@ soc:
               customEnabled:
                 description: Set to true to allow users add their own artifact types directly in the SOC UI.
                 global: True
+                forcedType: bool
             category:
               labels:
                 description: List of available case categories.
@@ -911,6 +927,7 @@ soc:
               customEnabled:
                 description: Set to true to allow users add their own categories directly in the SOC UI.
                 global: True
+                forcedType: bool
             pap:
               labels:
                 description: List of available PAP (Permissible Actions Protocol) values.
@@ -918,6 +935,7 @@ soc:
               customEnabled:
                 description: Set to true to allow users add their own PAP values directly in the SOC UI.
                 global: True
+                forcedType: bool
             severity:
               labels:
                 description: List of available case severities.
@@ -925,6 +943,7 @@ soc:
               customEnabled:
                 description: Set to true to allow users add their own severities directly in the SOC UI.
                 global: True
+                forcedType: bool
             status:
               labels:
                 description: List of available case statuses. Note that some default statuses have special characteristics and related functionality built into SOC.
@@ -932,6 +951,7 @@ soc:
               customEnabled:
                 description: Set to true to allow users add their own case statuses directly in the SOC UI.
                 global: True
+                forcedType: bool
             tags:
               labels:
                 description: List of available tags.
@@ -939,6 +959,7 @@ soc:
               customEnabled:
                 description: Set to true to allow users add their own tags directly in the SOC UI.
                 global: True
+                forcedType: bool
             tlp:
               labels:
                 description: List of available TLP (Traffic Light Protocol) values.
@@ -946,3 +967,4 @@ soc:
               customEnabled:
                 description: Set to true to allow users add their own TLP values directly in the SOC UI.
                 global: True
+                forcedType: bool

salt/suricata/soc_suricata.yaml

@@ -161,7 +161,7 @@ suricata:
       address-groups:
         HOME_NET: 
           description: Assign a list of hosts, or networks, using CIDR notation, to this Suricata variable. The variable can then be re-used within Suricata rules. This allows for a single adjustment to the variable that will then affect all rules referencing the variable.
-          regex: ^(((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(\/([0-9]|[1-2][0-9]|3[0-2]))?$|^((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)\.){3}(25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?))|:))|(([0-9A-Fa-f]{1,4}:){5}((:[0-9A-Fa-f]{1,4}){1,2}|:((25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)\.){3}(25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)|:))|(([0-9A-Fa-f]{1,4}:){4}((:[0-9A-Fa-f]{1,4}){1,3}|:((25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)\.){3}(25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)|:))|(([0-9A-Fa-f]{1,4}:){3}((:[0-9A-Fa-f]{1,4}){1,4}|:((25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)\.){3}(25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)|:))|(([0-9A-Fa-f]{1,4}:){2}((:[0-9A-Fa-f]{1,4}){1,5}|:((25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)\.){3}(25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)|:))|(([0-9A-Fa-f]{1,4}:){1}((:[0-9A-Fa-f]{1,4}){1,6}|:((25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)\.){3}(25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)|:))|(:((:[0-9A-Fa-f]{1,4}){1,7}|:)))(\/([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8]))?$
+          regex: ^!?((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(\/([0-9]|[1-2][0-9]|3[0-2]))?$|^!?((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)\.){3}(25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)|:))|(([0-9A-Fa-f]{1,4}:){5}((:[0-9A-Fa-f]{1,4}){1,2}|:((25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)\.){3}(25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)|:))|(([0-9A-Fa-f]{1,4}:){4}((:[0-9A-Fa-f]{1,4}){1,3}|:((25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)\.){3}(25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)|:))|(([0-9A-Fa-f]{1,4}:){3}((:[0-9A-Fa-f]{1,4}){1,4}|:((25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)\.){3}(25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)|:))|(([0-9A-Fa-f]{1,4}:){2}((:[0-9A-Fa-f]{1,4}){1,5}|:((25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)\.){3}(25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)|:))|(([0-9A-Fa-f]{1,4}:){1}((:[0-9A-Fa-f]{1,4}){1,6}|:((25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)\.){3}(25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)|:))|(:((:[0-9A-Fa-f]{1,4}){1,7}|:)))(\/([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8]))?$
           regexFailureMessage: You must enter a valid IP address or CIDR.
           forcedType: "[]string"
           duplicates: True

salt/zeek/config.sls

@@ -38,6 +38,7 @@ zeekzkgsync:
     - source: salt://zeek/zkg
     - user: 937
     - group: 939
+    - clean: True
     - makedirs: True
     - exclude_pat: README