Salt's stock inotify beacon leaks one kernel inotify instance every time the minion rebuilds the beacon loader's __context__ (the orphaned pyinotify.Notifier is never stopped), accumulating against fs.inotify.max_user_instances=128 until inotify_init() fails with EMFILE and rule-change push detection silently stops. This is independent of disable_during_state_run.

Add a custom poll-based beacon (salt/_beacons/rules_db.py) modeled on pillar_db.py: it fingerprints the suricata/strelka rule dirs each interval (relpath + mtime_ns + size, temp files excluded) against a per-dir watermark, emitting an event only on change. It holds zero inotify instances, so the leak is impossible, and it keeps firing during state runs. Swap the inotify beacon config and reactor tag mappings accordingly; the push_suricata/push_strelka reactors are unchanged (they read only data['path']).
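As an added illustration, not the PR's own rules_db.py, the loop below shows the poll-based approach the description outlines: stat-based fingerprints (relpath, mtime_ns, size) compared against a per-dir watermark, with events carrying `path` for the reactors. The temp-file patterns, the silent first-poll seed and the event dict layout are this example's assumptions.

```python
import os
import tempfile

# Assumed temp-file patterns to skip; the PR excludes temp files but does not name them.
TEMP_PREFIXES, TEMP_SUFFIXES = (".",), (".tmp", ".swp", "~")

def fingerprint(root: str) -> dict[str, tuple[int, int]]:
    """Map relpath -> (mtime_ns, size) for each regular non-temp file; no inotify instance is opened."""
    fp = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.startswith(TEMP_PREFIXES) or name.endswith(TEMP_SUFFIXES):
                continue
            full = os.path.join(dirpath, name)
            try:
                st = os.stat(full)
            except FileNotFoundError:
                continue  # vanished between listdir and stat (writer race); next poll settles it
            fp[os.path.relpath(full, root)] = (st.st_mtime_ns, st.st_size)
    return fp

def poll(watch_dirs: list[str], watermarks: dict[str, dict]) -> list[dict]:
    """One beacon interval: emit one event per dir whose fingerprint moved past its watermark."""
    events = []
    for d in watch_dirs:
        current = fingerprint(d)
        previous = watermarks.get(d)
        watermarks[d] = current
        if previous is None:
            continue  # assumption: the first poll seeds the watermark without firing
        changed = sorted(p for p in set(current) | set(previous) if current.get(p) != previous.get(p))
        if changed:
            events.append({"tag": "rules_db", "path": d, "changed": changed})  # reactors read data['path']
    return events

def run_demo() -> list[list[dict]]:
    """Constructed scenario: seed, idle poll, editor temp file (ignored), then a real rule edit."""
    with tempfile.TemporaryDirectory() as root:
        rule = os.path.join(root, "local.rules")
        with open(rule, "w") as fh:
            fh.write('alert ip any any -> any any (msg:"constructed"; sid:1;)\n')
        marks: dict[str, dict] = {}
        out = [poll([root], marks), poll([root], marks)]
        open(os.path.join(root, ".local.rules.swp"), "w").close()
        out.append(poll([root], marks))
        os.utime(rule, ns=(0, 1_700_000_000_000_000_000))  # force a distinct mtime_ns
        out.append(poll([root], marks))
        return out
```

Because the comparison is a full dict equality per directory, a file that is rewritten with identical size and mtime_ns is not detected; the PR's (relpath + mtime_ns + size) key has the same limit.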
# Security Onion
Security Onion is a free and open Linux distribution for threat hunting, enterprise security monitoring, and log management. It includes a comprehensive suite of tools designed to work together to provide visibility into your network and host activity.
## ✨ Features
Security Onion includes everything you need to monitor your network and host systems:
- Security Onion Console (SOC): A unified web interface for analyzing security events and managing your grid.
- Elastic Stack: Powerful search backed by Elasticsearch.
- Intrusion Detection: Network-based IDS with Suricata and host-based monitoring with Elastic Fleet.
- Network Metadata: Detailed network metadata generated by Zeek or Suricata.
- Full Packet Capture: Retain and analyze raw network traffic with Suricata PCAP.
## ⭐ Security Onion Pro
For organizations and enterprises requiring advanced capabilities, Security Onion Pro offers additional features designed for scale and efficiency:
- Onion AI: Leverage powerful AI-driven insights to accelerate your analysis and investigations.
- Enterprise Features: Enhanced tools and integrations tailored for enterprise-grade security operations.
For more information, visit the Security Onion Pro page.
## ☁️ Cloud Deployment
Security Onion is available and ready to deploy in the AWS, Azure, and Google Cloud (GCP) marketplaces.
## 🚀 Getting Started
| Goal | Resource |
|---|---|
| Download | Security Onion ISO |
| Requirements | Hardware Guide |
| Install | Installation Instructions |
| What's New | Release Notes |
## 📖 Documentation & Support
For more detailed information, please visit our Documentation.
- FAQ: Frequently Asked Questions
- Community: Discussions & Support
- Training: Official Training
## 🤝 Contributing
We welcome contributions! Please see our CONTRIBUTING.md for guidelines on how to get involved.
## 🛡️ License
Security Onion is licensed under the terms of the license found in the LICENSE file.
Built with 🧅 by Security Onion Solutions.