From fa063722e102cc07da2f076f64375f061bfea2ad Mon Sep 17 00:00:00 2001
From: Corey Ogburn
Date: Thu, 6 Jun 2024 16:36:09 -0600
Subject: [PATCH 1/3] RootCA and InsecureSkipVerify
New empty settings and their annotations.
---
salt/soc/defaults.yaml | 2 ++
salt/soc/soc_soc.yaml | 8 ++++++++
2 files changed, 10 insertions(+)
diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml
index f5628f3c3e..03476c3f58 100644
--- a/salt/soc/defaults.yaml
+++ b/salt/soc/defaults.yaml
@@ -1286,6 +1286,8 @@ soc:
maxPacketCount: 5000
htmlDir: html
importUploadDir: /nsm/soc/uploads
+ rootCA: ''
+ insecureSkipVerify: false
modules:
cases: soc
filedatastore:
diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml
index 47d051e4e1..ec633f7731 100644
--- a/salt/soc/soc_soc.yaml
+++ b/salt/soc/soc_soc.yaml
@@ -81,6 +81,14 @@ soc:
description: Maximum number of packets to show in the PCAP viewer. Larger values can cause more resource utilization on both the SOC server and the browser.
global: True
advanced: True
+ rootCA:
+ description: Root Certificate Authority (CA) public key in PEM format that SOC will use to validate outgoing requests. This is useful when the SOC server is behind a reverse proxy that performs SSL termination.
+ multiline: True
+ advanced: True
+ insecureSkipVerify:
+ description: Disable TLS verification for outgoing requests. This will make your installation less secure to MITM attacks. Recommended only for debugging purposes.
+ advanced: True
+ forcedType: bool
modules:
elastalertengine:
additionalAlerters:
From 5d3fd3d389b7ed5b751d0229153c05461966f472 Mon Sep 17 00:00:00 2001
From: Corey Ogburn
Date: Fri, 7 Jun 2024 12:47:09 -0600
Subject: [PATCH 2/3] AdditionalCA and InsecureSkipVerify
New fields have been added to manager and then duplicated over to SOC's config in the same vein as how proxy was updated earlier this week. AdditionalCA holds the PEM formatted public keys that should be trusted when making requests. It has been implemented for both Sigma's zip downloads and Sigma and Suricata's repository clones and pulls. InsecureSkipVerify has been added to help our users troubleshoot their configuration. Setting it to true will not verify the cert on outgoing requests. Self signed, missing, or invalid certs will not throw an error.
---
salt/manager/defaults.yaml | 4 +++-
salt/manager/map.jinja | 7 +++++++
salt/manager/soc_manager.yaml | 18 +++++++++++++++---
salt/soc/merged.map.jinja | 6 ++++--
salt/soc/soc_soc.yaml | 8 --------
5 files changed, 29 insertions(+), 14 deletions(-)
create mode 100644 salt/manager/map.jinja
diff --git a/salt/manager/defaults.yaml b/salt/manager/defaults.yaml
index 8bb34690eb..708900af6a 100644
--- a/salt/manager/defaults.yaml
+++ b/salt/manager/defaults.yaml
@@ -2,4 +2,6 @@ manager:
reposync:
enabled: True
hour: 3
- minute: 0
\ No newline at end of file
+ minute: 0
+ additionalCA: ''
+ insecureSkipVerify: False
diff --git a/salt/manager/map.jinja b/salt/manager/map.jinja
new file mode 100644
index 0000000000..1ab9c12c3f
--- /dev/null
+++ b/salt/manager/map.jinja
@@ -0,0 +1,7 @@
+{# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+ or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+ https://securityonion.net/license; you may not use this file except in compliance with the
+ Elastic License 2.0. #}
+
+{% import_yaml 'manager/defaults.yaml' as MANAGERDEFAULTS %}
+{% set MANAGERMERGED = salt['pillar.get']('manager', MANAGERDEFAULTS.manager, merge=True) %}
\ No newline at end of file
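Review bot: The new defaults declare `additionalCA` and `insecureSkipVerify` but neither `proxy` nor `no_proxy`, while salt/soc/merged.map.jinja in this same patch replaces `salt['pillar.get']('manager:proxy', '')` with `MANAGERMERGED.proxy`. Because `MANAGERMERGED` is these defaults merged with the pillar, `proxy` is only present when the pillar supplies it, so on an installation with no proxy configured the attribute lookup is undefined and, as far as I know Salt's Jinja renderer is strict about undefined attributes, rendering would fail where the old code yielded `''`. Adding `proxy: ''` and `no_proxy: ''` here (both are already annotated in soc_manager.yaml) keeps the merged dict's shape fixed; alternatively read it as `MANAGERMERGED.get('proxy', '')` in merged.map.jinja. The `manager:` mapping these keys belong to starts outside the hunk.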
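Review bot: The new file ends without a trailing newline (`\ No newline at end of file` after the `{% set MANAGERMERGED ... %}` line), while the same patch adds the missing newline to salt/manager/defaults.yaml; end map.jinja with a newline as well so later edits do not produce spurious whole-line diffs. The pattern of `salt['pillar.get']('manager', MANAGERDEFAULTS.manager, merge=True)` mirrors the `SOCMERGED` construction in merged.map.jinja, so a one-line comment such as `{# pillar values under manager: are merged over manager/defaults.yaml #}` above the `set` would make the precedence obvious to readers of the map.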
diff --git a/salt/manager/soc_manager.yaml b/salt/manager/soc_manager.yaml
index f6461a0c7b..f3346269ec 100644
--- a/salt/manager/soc_manager.yaml
+++ b/salt/manager/soc_manager.yaml
@@ -7,7 +7,7 @@ manager:
hour:
description: The hour of the day in which the repo sync takes place.
global: True
- helpLink: soup.html
+ helpLink: soup.html
minute:
description: The minute within the hour to run the repo sync.
global: True
@@ -16,11 +16,23 @@ manager:
description: Enable elastalert 1=enabled 0=disabled.
global: True
helpLink: elastalert.html
- no_proxy:
- description: String of hosts to ignore the proxy settings for.
+ no_proxy:
+ description: String of hosts to ignore the proxy settings for.
global: True
helpLink: proxy.html
proxy:
description: Proxy server to use for updates.
global: True
helpLink: proxy.html
+ additionalCA:
+ description: Additional CA certificates to trust in PEM format.
+ global: True
+ advanced: True
+ multiline: True
+ helpLink: proxy.html
+ insecureSkipVerify:
+ description: Disable TLS verification for outgoing requests. This will make your installation less secure to MITM attacks. Recommended only for debugging purposes.
+ advanced: True
+ forcedType: bool
+ global: True
+ helpLink: proxy.html
diff --git a/salt/soc/merged.map.jinja b/salt/soc/merged.map.jinja
index 4ee0eea1ec..c823175cba 100644
--- a/salt/soc/merged.map.jinja
+++ b/salt/soc/merged.map.jinja
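Review bot: The `insecureSkipVerify` description in the second hunk does not say which components honor the flag, even though this series wires it into the manager's repository clones/pulls and Sigma zip downloads (per the commit message) and, through merged.map.jinja, into SOC's own outgoing requests; an operator flipping a global toggle that disables certificate verification should see that scope in the UI text. Suggest `description: Disable TLS certificate verification for outgoing requests made by the manager (rule repository clones/pulls and rule downloads) and by SOC. This exposes the installation to MITM attacks; trust a private CA via additionalCA instead, and enable this only temporarily for troubleshooting.` Likewise the `additionalCA` description could state that it is the supported way to trust a private or intercepting-proxy CA without turning verification off, which steers users away from the insecure flag. The first hunk is whitespace-only, and the surrounding `manager:` mapping begins before both hunks.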
@@ -6,13 +6,15 @@
{% from 'vars/globals.map.jinja' import GLOBALS %}
{% from 'soc/defaults.map.jinja' import SOCDEFAULTS with context %}
{% from 'logstash/map.jinja' import LOGSTASH_NODES %}
+{% from 'manager/map.jinja' import MANAGERMERGED %}
{% set DOCKER_EXTRA_HOSTS = LOGSTASH_NODES %}
{% do DOCKER_EXTRA_HOSTS.append({GLOBALS.influxdb_host:pillar.node_data[GLOBALS.influxdb_host].ip}) %}
{% set SOCMERGED = salt['pillar.get']('soc', SOCDEFAULTS, merge=true) %}
-{% set MANAGER_PROXY = salt['pillar.get']('manager:proxy', '') %}
-{% do SOCMERGED.config.server.update({'proxy': MANAGER_PROXY}) %}
+{% do SOCMERGED.config.server.update({'proxy': MANAGERMERGED.proxy}) %}
+{% do SOCMERGED.config.server.update({'additionalCA': MANAGERMERGED.additionalCA}) %}
+{% do SOCMERGED.config.server.update({'insecureSkipVerify': MANAGERMERGED.insecureSkipVerify}) %}
{# if SOCMERGED.config.server.modules.cases == httpcase details come from the soc pillar #}
{% if SOCMERGED.config.server.modules.cases != 'soc' %}
diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml
index ec633f7731..47d051e4e1 100644
--- a/salt/soc/soc_soc.yaml
+++ b/salt/soc/soc_soc.yaml
@@ -81,14 +81,6 @@ soc:
description: Maximum number of packets to show in the PCAP viewer. Larger values can cause more resource utilization on both the SOC server and the browser.
global: True
advanced: True
- rootCA:
- description: Root Certificate Authority (CA) public key in PEM format that SOC will use to validate outgoing requests. This is useful when the SOC server is behind a reverse proxy that performs SSL termination.
- multiline: True
- advanced: True
- insecureSkipVerify:
- description: Disable TLS verification for outgoing requests. This will make your installation less secure to MITM attacks. Recommended only for debugging purposes.
- advanced: True
- forcedType: bool
modules:
elastalertengine:
additionalAlerters:
From ee696be51d5fd01276aa8db15b26af4a3a44d40c Mon Sep 17 00:00:00 2001
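Review bot: The three `SOCMERGED.config.server.update(...)` calls unconditionally overwrite whatever `proxy`, `additionalCA` and `insecureSkipVerify` values `SOCMERGED` carried after its own pillar merge on the line above, so the manager pillar silently becomes the only source for those keys; that is presumably intended (patch 3 drops the SOC-side defaults) but nothing in the file says so, and a reader seeing a `soc:config:server:insecureSkipVerify` pillar value ignored will not know why. Suggest collapsing them into one call preceded by a comment, e.g. `{# proxy and TLS trust settings are owned by the manager pillar and override any soc:config:server values #}` followed by `{% do SOCMERGED.config.server.update({'proxy': MANAGERMERGED.proxy, 'additionalCA': MANAGERMERGED.additionalCA, 'insecureSkipVerify': MANAGERMERGED.insecureSkipVerify}) %}`. The soc_soc.yaml hunk in this patch is a pure reversal of patch 1 and needs no change.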
From: Corey Ogburn
Date: Fri, 7 Jun 2024 13:04:54 -0600
Subject: [PATCH 3/3] Remove rootCA and insecureSkipVerify from SOC defaults
---
salt/soc/defaults.yaml | 2 --
1 file changed, 2 deletions(-)
diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml
index 03476c3f58..f5628f3c3e 100644
--- a/salt/soc/defaults.yaml
+++ b/salt/soc/defaults.yaml
@@ -1286,8 +1286,6 @@ soc:
maxPacketCount: 5000
htmlDir: html
importUploadDir: /nsm/soc/uploads
- rootCA: ''
- insecureSkipVerify: false
modules:
cases: soc
filedatastore: