Mike Reeves 92a7bb3053 fix: get postsalt's PG-canonical pillar actually working end-to-end
Five blockers turned up the first time the so_pillar schema was applied
against a fresh standalone install. Fixing them in order:

1. 006_rls.sql ordering bug
   006 GRANTed on so_pillar.change_queue and its sequence, but the table
   isn't created until 008_change_notify.sql. 006 errored mid-file with
   "relation so_pillar.change_queue does not exist", short-circuiting the
   rest of the pillar staging chain. Moved the three change_queue grants
   into 008 alongside the table creation so each file is self-contained.

2. so_pillar_* roles unable to log in
   006 created the roles as NOLOGIN and set no password. Salt-master's
   ext_pillar (postgres) and the pg_notify_pillar engine both connect as
   so_pillar_master via TCP, so both came up with "password authentication
   failed for user so_pillar_master". Added a templated cmd.run step in
   schema_pillar.sls (so_pillar_role_login_passwords) that ALTERs all three
   roles WITH LOGIN PASSWORD pulling from secrets:pillar_master_pass — the
   same password ext_pillar_postgres.conf.jinja and the engines.conf
   pg_notify_pillar block render with.

3. Missing GRANT CONNECT ON DATABASE securityonion
   USAGE on the schema is granted in 006 but CONNECT on the database isn't.
   Engine + ext_pillar succeeded auth then died with "permission denied
   for database securityonion". Added the explicit GRANT CONNECT in 006.

4. psycopg2 missing from salt's bundled python
   /opt/saltstack/salt/bin/python3 doesn't ship psycopg by default, so
   when salt-master tries to load the pg_notify_pillar engine its
   `import psycopg2` fails inside salt's loader and the engine silently
   doesn't start (no error in the salt log — you only notice when nothing
   ever drains so_pillar.change_queue). Added a pip.installed state in
   schema_pillar.sls bound to that interpreter via bin_env.

5. engines.conf vs pg_notify_pillar_engine.conf list-replace
   Salt's master.d/*.conf merge replaces top-level lists rather than
   concatenating them. The engine config used to live in its own
   master.d/pg_notify_pillar_engine.conf with `engines: [pg_notify_pillar]`
   alongside the legacy `engines.conf` carrying `engines: [checkmine,
   pillarWatch]`. Whichever loaded last won, so the engine never showed
   up in the loaded set even when the file existed. Fold the
   pg_notify_pillar declaration into engines.conf (now jinja-rendered,
   gated on postgres:so_pillar:enabled), drop the standalone state from
   pg_notify_pillar_engine.sls, and delete the now-orphaned conf jinja.

End state validated against a live standalone-net install on the dev rig:
salt-master ext_pillar reads from so_pillar.* with no errors, the
pg_notify_pillar engine LISTENs on so_pillar_change and drains the
change_queue (134-row backlog → 0 within seconds), and a so-yaml replace
on a pillar key flows disk → PG → ext_pillar → salt pillar.get with the
new value visible after a saltutil.refresh_pillar.
2026-05-04 19:47:38 -04:00
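Item 1 of the commit message is a general class of migration bug: a numbered file GRANTs on a relation that a later-numbered file creates, and the whole chain short-circuits. The lint below is an added example, not Security Onion code. The file names echo the commit message, but every SQL statement is constructed for the example, and the regex-based statement matching is deliberately narrow (CREATE TABLE/SEQUENCE/VIEW and GRANT ... ON relation); it walks the files in sorted order, the same order a numbered migration chain is applied in.

```python
"""Lint numbered SQL migrations for GRANTs that run before the relation they
reference exists (the ordering bug in item 1 of the commit message).
Added example, not Security Onion code: file names echo the commit message,
every SQL statement below is constructed."""
import re
from typing import Dict, List, Tuple

# Constructed migrations reproducing the bug: 006 grants on a table and a
# sequence that only 008 creates.
MIGRATIONS_BUGGY: Dict[str, str] = {
    "006_rls.sql": """
        GRANT USAGE ON SCHEMA so_pillar TO so_pillar_master;
        GRANT SELECT, INSERT ON so_pillar.change_queue TO so_pillar_master;
        GRANT USAGE ON SEQUENCE so_pillar.change_queue_id_seq TO so_pillar_master;
    """,
    "008_change_notify.sql": """
        CREATE SEQUENCE so_pillar.change_queue_id_seq;
        CREATE TABLE so_pillar.change_queue (
            id bigint PRIMARY KEY DEFAULT nextval('so_pillar.change_queue_id_seq'),
            payload jsonb NOT NULL
        );
    """,
}

# The same set with the two relation grants moved into 008, after the CREATEs.
MIGRATIONS_FIXED: Dict[str, str] = {
    "006_rls.sql": "GRANT USAGE ON SCHEMA so_pillar TO so_pillar_master;",
    "008_change_notify.sql": MIGRATIONS_BUGGY["008_change_notify.sql"] + """
        GRANT SELECT, INSERT ON so_pillar.change_queue TO so_pillar_master;
        GRANT USAGE ON SEQUENCE so_pillar.change_queue_id_seq TO so_pillar_master;
    """,
}

CREATE_RE = re.compile(
    r"\bCREATE\s+(?:TABLE|SEQUENCE|VIEW)\s+(?:IF\s+NOT\s+EXISTS\s+)?([\w.]+)", re.I)
# Schema/database grants are not relation grants, so those targets are skipped.
GRANT_RE = re.compile(
    r"\bGRANT\s+[\w\s,]+?\s+ON\s+(?!SCHEMA\b|DATABASE\b|ALL\b)"
    r"(?:TABLE\s+|SEQUENCE\s+)?([\w.]+)\s+TO\b", re.I)


def lint_migrations(migrations: Dict[str, str]) -> List[str]:
    """Return one finding per GRANT that runs before its target relation exists.

    Position is (file index in sorted order, statement index in that file), so
    a grant placed above the CREATE inside the same file is caught as well."""
    order = sorted(migrations)                   # numeric prefixes give apply order
    created: Dict[str, Tuple[int, int]] = {}     # relation -> first CREATE position
    grants: List[Tuple[str, int, int]] = []      # (relation, file idx, stmt idx)
    for fi, fname in enumerate(order):
        for si, stmt in enumerate(migrations[fname].split(";")):
            m = CREATE_RE.search(stmt)
            if m:
                created.setdefault(m.group(1).lower(), (fi, si))
            g = GRANT_RE.search(stmt)
            if g:
                grants.append((g.group(1).lower(), fi, si))

    findings: List[str] = []
    for rel, fi, si in grants:
        where = created.get(rel)
        if where is None:
            findings.append(f"{order[fi]}: GRANT on {rel}, but nothing in this set creates it")
        elif where > (fi, si):
            findings.append(f"{order[fi]}: GRANT on {rel} runs before it is created in {order[where[0]]}")
    return findings


if __name__ == "__main__":
    for label, files in (("buggy", MIGRATIONS_BUGGY), ("fixed", MIGRATIONS_FIXED)):
        print(f"[{label}] {len(lint_migrations(files))} finding(s)")
        for line in lint_migrations(files):
            print("  " + line)
```

Running it reports two findings for the buggy layout (the table and the sequence, both created only in 008) and none once the grants sit below the CREATEs in 008. Wiring a check like this into CI catches the "relation does not exist" failure before a fresh install does.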
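Item 5 describes a failure that leaves no error behind: two master.d files each declare a top-level `engines:` list, the merge replaces rather than concatenates, and whichever file loads last silently discards the other's entries. The checker below is an added example, not Salt or Security Onion code; the conf contents are constructed to mirror the before/after layout the commit describes, the parsing is a minimal column-0-key reader rather than a YAML parser, and sorted file-name order stands in for Salt's load order (an assumption of this example).

```python
"""Find top-level keys declared in more than one salt master.d/*.conf file and
show which list entries the last-loaded file silently drops (item 5 of the
commit message). Added example, not Salt or Security Onion code; conf
contents are constructed, and sorted-name order stands in for Salt's load
order (an assumption of this example)."""
import re
from typing import Dict, List

TOP_KEY_RE = re.compile(r"^([A-Za-z_][\w.-]*)\s*:")    # key at column 0
LIST_ITEM_RE = re.compile(r"^\s*-\s*([\w.-]+)", re.M)  # "- name" or "- name:"

# Constructed master.d layout from before the fix: two files both set `engines`.
MASTER_D_BEFORE: Dict[str, str] = {
    "engines.conf": "engines:\n  - checkmine\n  - pillarWatch\n",
    "pg_notify_pillar_engine.conf": (
        "engines:\n  - pg_notify_pillar:\n"
        "      dsn: 'host=127.0.0.1 dbname=securityonion'\n"
    ),
    "ext_pillar.conf": "ext_pillar:\n  - postgres: {}\n",
}

# After the fix: a single `engines` list carrying all three entries.
MASTER_D_AFTER: Dict[str, str] = {
    "engines.conf": (
        "engines:\n  - checkmine\n  - pillarWatch\n  - pg_notify_pillar:\n"
        "      dsn: 'host=127.0.0.1 dbname=securityonion'\n"
    ),
    "ext_pillar.conf": MASTER_D_BEFORE["ext_pillar.conf"],
}


def sections(text: str) -> Dict[str, str]:
    """Split one conf file into {top_level_key: the indented body under it}."""
    out: Dict[str, str] = {}
    key = None
    body: List[str] = []
    for line in text.splitlines():
        m = TOP_KEY_RE.match(line)
        if m:
            if key is not None:
                out[key] = "\n".join(body)
            key, body = m.group(1), [line[m.end():]]
        elif key is not None:
            body.append(line)
    if key is not None:
        out[key] = "\n".join(body)
    return out


def find_conflicts(files: Dict[str, str]) -> Dict[str, List[str]]:
    """Top-level keys set in more than one file, with the files in load order."""
    seen: Dict[str, List[str]] = {}
    for name in sorted(files):                    # assumed load order
        for key in sections(files[name]):
            seen.setdefault(key, []).append(name)
    return {k: v for k, v in seen.items() if len(v) > 1}


def lost_list_items(files: Dict[str, str], key: str) -> List[str]:
    """Entries under `key` in earlier files that the last-loaded file drops."""
    declaring = find_conflicts(files).get(key, [])
    if not declaring:
        return []
    winner = LIST_ITEM_RE.findall(sections(files[declaring[-1]])[key])
    lost: List[str] = []
    for name in declaring[:-1]:
        for item in LIST_ITEM_RE.findall(sections(files[name])[key]):
            if item not in winner and item not in lost:
                lost.append(item)
    return lost


if __name__ == "__main__":
    for label, layout in (("before", MASTER_D_BEFORE), ("after", MASTER_D_AFTER)):
        conflicts = find_conflicts(layout)
        print(f"[{label}] conflicting top-level keys: {conflicts or 'none'}")
        for key in conflicts:
            print(f"  {key}: last file wins, dropping {lost_list_items(layout, key)}")
```

On the before layout it reports `engines` declared in both files and, because `pg_notify_pillar_engine.conf` sorts last, that `checkmine` and `pillarWatch` are the entries that vanish; on the after layout it reports nothing. The point of checking for this is that the loaded-engine set is what keeps the change_queue draining, and the only symptom of losing an engine this way is that the work it does stops happening.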


Security Onion

Security Onion is a free and open Linux distribution for threat hunting, enterprise security monitoring, and log management. It includes a comprehensive suite of tools designed to work together to provide visibility into your network and host activity.

Features

Security Onion includes everything you need to monitor your network and host systems:

  • Security Onion Console (SOC): A unified web interface for analyzing security events and managing your grid.
  • Elastic Stack: Powerful search backed by Elasticsearch.
  • Intrusion Detection: Network-based IDS with Suricata and host-based monitoring with Elastic Fleet.
  • Network Metadata: Detailed network metadata generated by Zeek or Suricata.
  • Full Packet Capture: Retain and analyze raw network traffic with Suricata PCAP.

Security Onion Pro

For organizations and enterprises requiring advanced capabilities, Security Onion Pro offers additional features designed for scale and efficiency:

  • Onion AI: Leverage powerful AI-driven insights to accelerate your analysis and investigations.
  • Enterprise Features: Enhanced tools and integrations tailored for enterprise-grade security operations.

For more information, visit the Security Onion Pro page.

☁️ Cloud Deployment

Security Onion is available and ready to deploy in the AWS, Azure, and Google Cloud (GCP) marketplaces.

🚀 Getting Started

Goal           Resource
Download       Security Onion ISO
Requirements   Hardware Guide
Install        Installation Instructions
What's New     Release Notes

📖 Documentation & Support

For more detailed information, please visit our Documentation.

🤝 Contributing

We welcome contributions! Please see our CONTRIBUTING.md for guidelines on how to get involved.

🛡️ License

Security Onion is licensed under the terms of the license found in the LICENSE file.


Built with 🧅 by Security Onion Solutions.

Description
Security Onion 2 - Linux distro for threat hunting, enterprise security monitoring, and log management