- schedule highstate every 2 hours (was 15 minutes); interval lives in global:push:highstate_interval_hours so the SOC admin UI can tune it and so-salt-minion-check derives its threshold as (interval + 1) * 3600 - add inotify beacon on the manager + master reactor + orch.push_batch that writes per-app intent files, with a so-push-drainer schedule on the manager that debounces, dedupes, and dispatches a single orchestration - pillar_push_map.yaml allowlists the apps whose pillar changes trigger an immediate targeted state.apply (targets verified against salt/top.sls); edits under pillar/minions/ trigger a state.highstate on that one minion - host-batch every push orchestration (batch: 25%, batch_wait: 15) so rule changes don't thundering-herd large fleets - new global:push:enabled kill-switch tears down the beacon, reactor config, and drainer schedule on the next highstate for operators who want to keep highstate-only behavior - set restart_policy: unless-stopped on 23 container states so docker recovers crashes without waiting for the next highstate; leave registry (always), strelka/backend (on-failure), kratos, and hydra alone with inline comments explaining why
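# SOC admin-UI annotations for the `global` pillar. Each key below mirrors a
# setting in the global pillar and carries the metadata the UI uses to present
# and validate it (description, options, readonly/advanced flags, forcedType,
# regex + regexFailureMessage, helpLink). The precise semantics of these
# attributes are defined by SOC, not by this file; the notes here are inferred
# from how the attributes are used and should be confirmed against the SOC
# annotation schema.
global:
  # Informational only: the running version is shown but cannot be edited.
  soversion:
    description: Current version of Security Onion.
    global: True
    readonly: True

  # Manager address used by the rest of the grid. The pattern accepts a bare
  # IPv4 address or an IPv4 CIDR (/0-/32), or an empty value (the outer group
  # is optional, kept so an unset value still validates). Each octet is bounded
  # to 0-255 and leading-zero octets are rejected, so values such as 999.1.1.1
  # or 010.1.1.1, which are not real addresses, no longer pass validation.
  managerip:
    description: The IP address of the grid manager.
    global: True
    advanced: True
    regex: '^((25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])(\.(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])){3}(\/([0-9]|[1-2][0-9]|3[0-2]))?)?$'
    regexFailureMessage: You must enter a valid IP address or CIDR.

  mdengine:
    description: Which engine to use for meta data generation. Options are ZEEK and SURICATA.
    options:
      - ZEEK
      - SURICATA
    global: True

  pcapengine:
    description: Which engine to use for generating pcap. Currently only SURICATA is supported.
    options:
      - SURICATA
    global: True

  ids:
    description: Which IDS engine to use. Currently only Suricata is supported.
    global: True
    readonly: True
    advanced: True

  # NOTE(review): this value feeds authentication-cookie handling, yet nothing
  # enforces the "no protocol, no port" rule stated in the description. A
  # hostname/IP-only pattern (no '/', ':' or whitespace) would reject a pasted
  # URL before it reaches cookie configuration -- confirm how SOC consumes the
  # value (e.g. whether IPv6 literals are expected) before adding one.
  url_base:
    description: The base URL for the Security Onion Console. Must be accessible by all nodes in the grid, as well as all analysts. Also used for handling of authentication cookies. Can be an IP address or a hostname/FQDN. Do not include protocol (http/https) or port number.
    global: True

  airgap:
    description: Airgapped systems do not have network connectivity to the internet. This setting represents how this grid was configured during initial setup. While it is technically possible to manually switch systems between airgap and non-airgap, there are some nuances and additional steps involved. For that reason this setting is marked read-only. Contact your support representative for guidance if there is a need to change this setting.
    global: True
    readonly: True

  # Supply-chain sensitive: imagerepo, repo_host and registry_host decide where
  # this grid pulls container images and OS packages from. They are flagged
  # advanced but not read-only, so an authenticated SOC admin can redirect every
  # node's image and package source; treat changes here with the same scrutiny
  # as a change to the registry itself.
  imagerepo:
    description: Image repo to pull image from.
    global: True
    advanced: True

  pipeline:
    description: Sets which pipeline technology for events to use. The use of Kafka requires a Security Onion Pro license.
    options:
      - REDIS
      - KAFKA
    global: True
    advanced: True

  repo_host:
    description: Specify the host where operating system packages will be served from.
    global: True
    advanced: True

  registry_host:
    description: Specify the host where docker/podman images will be pulled from.
    global: True
    advanced: True

  influxdb_host:
    description: Specify the host where influxdb is hosted.
    global: True
    advanced: True

  endgamehost:
    description: Allows use of Endgame with Security Onion. This feature requires a license from Endgame.
    global: True
    advanced: True

  # Active-push settings: together they tune how quickly rule/pillar edits are
  # dispatched and how wide each dispatch wave is.
  push:
    # Kill-switch; the boolean is coerced by forcedType rather than restricted
    # through an options list.
    enabled:
      description: Master kill-switch for the active push feature. When disabled, rule and pillar changes are picked up at the next scheduled highstate instead of being pushed immediately.
      forcedType: bool
      helpLink: push
      global: True

    # NOTE(review): forcedType: int only coerces the type; it does not reject 0
    # or negative values. The description ties a (value + 1) hour health-check
    # threshold to this setting, so a non-positive interval would collapse that
    # threshold to one hour or less. Consider a pattern such as '^[1-9][0-9]*$'
    # if SOC applies regex to int-typed settings -- confirm before adding.
    highstate_interval_hours:
      description: How often every minion in the grid runs a scheduled state.highstate, in hours. Lower values keep minions closer in sync at the cost of more load; higher values reduce load but increase worst-case latency for non-pushed changes. The salt-minion health check restarts a minion if its last highstate is older than this value plus one hour.
      forcedType: int
      helpLink: push
      global: True
      advanced: True

    # Same caveat as highstate_interval_hours: no lower bound is enforced.
    debounce_seconds:
      description: Trailing-edge debounce window in seconds. A push intent must be quiet for this long before the drainer dispatches. Rapid bursts of edits within this window coalesce into one dispatch.
      forcedType: int
      helpLink: push
      global: True
      advanced: True

    # Same caveat as highstate_interval_hours: no lower bound is enforced.
    drain_interval:
      description: How often the push drainer checks for ready intents, in seconds. Small values lower dispatch latency at the cost of more background work on the manager.
      forcedType: int
      helpLink: push
      global: True
      advanced: True

    # The pattern requires a non-zero integer with no leading zeros, optionally
    # followed by '%'. A size of 0 / 0% is rejected because a batch that runs
    # zero minions at a time can never make progress. Percentages above 100 are
    # still accepted; the pattern does not bound them.
    batch:
      description: "Host batch size for push orchestrations. A number (e.g. '10') or a percentage (e.g. '25%'). Limits how many minions run the push state at once so large fleets don't thundering-herd."
      helpLink: push
      global: True
      advanced: True
      regex: '^([1-9][0-9]*%?)$'
      regexFailureMessage: Enter a whole number greater than zero, or a whole-number percentage (e.g. 10 or 25%).

    # Same caveat as highstate_interval_hours: no lower bound is enforced.
    batch_wait:
      description: Seconds to wait between host batches in a push orchestration. Gives the fleet time to breathe between waves.
      forcedType: int
      helpLink: push
      global: True
      advanced: True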