Merge pull request #13164 from Security-Onion-Solutions/cogburn/tls-o…

…ptions AdditionalCA and InsecureSkipVerify
Security-Onion-Solutions · Jun 7, 2024 · fb07ff6 · fb07ff6
2 parents f35f6bd + ee696be
commit fb07ff6
Show file tree

Hide file tree

Showing 4 changed files with 29 additions and 6 deletions.
diff --git a/salt/manager/defaults.yaml b/salt/manager/defaults.yaml
@@ -2,4 +2,6 @@ manager:
   reposync:
     enabled: True
     hour: 3
-    minute: 0
+    minute: 0
+  additionalCA: ''
+  insecureSkipVerify: False
diff --git a/salt/manager/map.jinja b/salt/manager/map.jinja
@@ -0,0 +1,7 @@
+{# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+   or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+   https://securityonion.net/license; you may not use this file except in compliance with the
+   Elastic License 2.0. #}
+
+{% import_yaml 'manager/defaults.yaml' as MANAGERDEFAULTS %}
+{% set MANAGERMERGED = salt['pillar.get']('manager', MANAGERDEFAULTS.manager, merge=True) %}
diff --git a/salt/manager/soc_manager.yaml b/salt/manager/soc_manager.yaml
@@ -7,7 +7,7 @@ manager:
     hour:
       description: The hour of the day in which the repo sync takes place.
       global: True
-      helpLink: soup.html 
+      helpLink: soup.html
     minute:
       description: The minute within the hour to run the repo sync.
       global: True
@@ -16,11 +16,23 @@ manager:
     description: Enable elastalert 1=enabled 0=disabled.
     global: True
     helpLink: elastalert.html
-  no_proxy: 
-    description: String of hosts to ignore the proxy settings for. 
+  no_proxy:
+    description: String of hosts to ignore the proxy settings for.
     global: True
     helpLink: proxy.html
   proxy:
     description: Proxy server to use for updates.
     global: True
     helpLink: proxy.html
+  additionalCA:
+    description: Additional CA certificates to trust in PEM format.
+    global: True
+    advanced: True
+    multiline: True
+    helpLink: proxy.html
+  insecureSkipVerify:
+    description: Disable TLS verification for outgoing requests. This will make your installation less secure to MITM attacks. Recommended only for debugging purposes.
+    advanced: True
+    forcedType: bool
+    global: True
+    helpLink: proxy.html
diff --git a/salt/soc/merged.map.jinja b/salt/soc/merged.map.jinja
@@ -6,13 +6,15 @@
 {% from 'vars/globals.map.jinja' import GLOBALS %}
 {% from 'soc/defaults.map.jinja' import SOCDEFAULTS with context %}
 {% from 'logstash/map.jinja' import LOGSTASH_NODES %}
+{% from 'manager/map.jinja' import MANAGERMERGED %}
 {% set DOCKER_EXTRA_HOSTS = LOGSTASH_NODES %}
 {% do DOCKER_EXTRA_HOSTS.append({GLOBALS.influxdb_host:pillar.node_data[GLOBALS.influxdb_host].ip}) %}
 
 {% set SOCMERGED = salt['pillar.get']('soc', SOCDEFAULTS, merge=true) %}
 
-{% set MANAGER_PROXY = salt['pillar.get']('manager:proxy', '') %}
-{% do SOCMERGED.config.server.update({'proxy': MANAGER_PROXY}) %}
+{% do SOCMERGED.config.server.update({'proxy': MANAGERMERGED.proxy}) %}
+{% do SOCMERGED.config.server.update({'additionalCA': MANAGERMERGED.additionalCA}) %}
+{% do SOCMERGED.config.server.update({'insecureSkipVerify': MANAGERMERGED.insecureSkipVerify}) %}
 
 {# if SOCMERGED.config.server.modules.cases == httpcase details come from the soc pillar #}
 {% if SOCMERGED.config.server.modules.cases != 'soc' %}