From 5d3fd3d389b7ed5b751d0229153c05461966f472 Mon Sep 17 00:00:00 2001
From: Corey Ogburn <corey.ogburn@securityonionsolutions.com>
Date: Fri, 7 Jun 2024 12:47:09 -0600
Subject: [PATCH] AdditionalCA and InsecureSkipVerify

New fields have been added to manager and then duplicated over to SOC's config in the same vein as how proxy was updated earlier this week.

AdditionalCA holds the PEM formatted public keys that should be trusted when making requests. It has been implemented for both Sigma's zip downloads and Sigma and Suricata's repository clones and pulls.

InsecureSkipVerify has been added to help our users troubleshoot their configuration. Setting it to true will not verify the cert on outgoing requests. Self signed, missing, or invalid certs will not throw an error.
---
 salt/manager/defaults.yaml    |  4 +++-
 salt/manager/map.jinja        |  7 +++++++
 salt/manager/soc_manager.yaml | 18 +++++++++++++++---
 salt/soc/merged.map.jinja     |  6 ++++--
 salt/soc/soc_soc.yaml         |  8 --------
 5 files changed, 29 insertions(+), 14 deletions(-)
 create mode 100644 salt/manager/map.jinja

diff --git a/salt/manager/defaults.yaml b/salt/manager/defaults.yaml
index 8bb34690e..708900af6 100644
--- a/salt/manager/defaults.yaml
+++ b/salt/manager/defaults.yaml
@@ -2,4 +2,6 @@ manager:
   reposync:
     enabled: True
     hour: 3
-    minute: 0
\ No newline at end of file
+    minute: 0
+  additionalCA: ''
+  insecureSkipVerify: False
diff --git a/salt/manager/map.jinja b/salt/manager/map.jinja
new file mode 100644
index 000000000..1ab9c12c3
--- /dev/null
+++ b/salt/manager/map.jinja
@@ -0,0 +1,7 @@
+{# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+   or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+   https://securityonion.net/license; you may not use this file except in compliance with the
+   Elastic License 2.0. #}
+
+{% import_yaml 'manager/defaults.yaml' as MANAGERDEFAULTS %}
+{% set MANAGERMERGED = salt['pillar.get']('manager', MANAGERDEFAULTS.manager, merge=True) %}
\ No newline at end of file
diff --git a/salt/manager/soc_manager.yaml b/salt/manager/soc_manager.yaml
index f6461a0c7..f3346269e 100644
--- a/salt/manager/soc_manager.yaml
+++ b/salt/manager/soc_manager.yaml
@@ -7,7 +7,7 @@ manager:
     hour:
       description: The hour of the day in which the repo sync takes place.
       global: True
-      helpLink: soup.html 
+      helpLink: soup.html
     minute:
       description: The minute within the hour to run the repo sync.
       global: True
@@ -16,11 +16,23 @@ manager:
     description: Enable elastalert 1=enabled 0=disabled.
     global: True
     helpLink: elastalert.html
-  no_proxy: 
-    description: String of hosts to ignore the proxy settings for. 
+  no_proxy:
+    description: String of hosts to ignore the proxy settings for.
     global: True
     helpLink: proxy.html
   proxy:
     description: Proxy server to use for updates.
     global: True
     helpLink: proxy.html
+  additionalCA:
+    description: Additional CA certificates to trust in PEM format.
+    global: True
+    advanced: True
+    multiline: True
+    helpLink: proxy.html
+  insecureSkipVerify:
+    description: Disable TLS verification for outgoing requests. This will make your installation less secure to MITM attacks. Recommended only for debugging purposes.
+    advanced: True
+    forcedType: bool
+    global: True
+    helpLink: proxy.html
diff --git a/salt/soc/merged.map.jinja b/salt/soc/merged.map.jinja
index 4ee0eea1e..c823175cb 100644
--- a/salt/soc/merged.map.jinja
+++ b/salt/soc/merged.map.jinja
@@ -6,13 +6,15 @@
 {% from 'vars/globals.map.jinja' import GLOBALS %}
 {% from 'soc/defaults.map.jinja' import SOCDEFAULTS with context %}
 {% from 'logstash/map.jinja' import LOGSTASH_NODES %}
+{% from 'manager/map.jinja' import MANAGERMERGED %}
 {% set DOCKER_EXTRA_HOSTS = LOGSTASH_NODES %}
 {% do DOCKER_EXTRA_HOSTS.append({GLOBALS.influxdb_host:pillar.node_data[GLOBALS.influxdb_host].ip}) %}
 
 {% set SOCMERGED = salt['pillar.get']('soc', SOCDEFAULTS, merge=true) %}
 
-{% set MANAGER_PROXY = salt['pillar.get']('manager:proxy', '') %}
-{% do SOCMERGED.config.server.update({'proxy': MANAGER_PROXY}) %}
+{% do SOCMERGED.config.server.update({'proxy': MANAGERMERGED.proxy}) %}
+{% do SOCMERGED.config.server.update({'additionalCA': MANAGERMERGED.additionalCA}) %}
+{% do SOCMERGED.config.server.update({'insecureSkipVerify': MANAGERMERGED.insecureSkipVerify}) %}
 
 {# if SOCMERGED.config.server.modules.cases == httpcase details come from the soc pillar #}
 {% if SOCMERGED.config.server.modules.cases != 'soc' %}
diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml
index ec633f773..47d051e4e 100644
--- a/salt/soc/soc_soc.yaml
+++ b/salt/soc/soc_soc.yaml
@@ -81,14 +81,6 @@ soc:
         description: Maximum number of packets to show in the PCAP viewer. Larger values can cause more resource utilization on both the SOC server and the browser.
         global: True
         advanced: True
-      rootCA:
-        description: Root Certificate Authority (CA) public key in PEM format that SOC will use to validate outgoing requests. This is useful when the SOC server is behind a reverse proxy that performs SSL termination.
-        multiline: True
-        advanced: True
-      insecureSkipVerify:
-        description: Disable TLS verification for outgoing requests. This will make your installation less secure to MITM attacks. Recommended only for debugging purposes.
-        advanced: True
-        forcedType: bool
       modules:
         elastalertengine:
           additionalAlerters: