AdditionalCA and InsecureSkipVerify

New fields have been added to manager and then duplicated over to SOC's config in the same vein as how proxy was updated earlier this week. AdditionalCA holds the PEM formatted public keys that should be trusted when making requests. It has been implemented for both Sigma's zip downloads and Sigma and Suricata's repository clones and pulls. InsecureSkipVerify has been added to help our users troubleshoot their configuration. Setting it to true will not verify the cert on outgoing requests. Self signed, missing, or invalid certs will not throw an error.
2025-12-06 17:22:49 +01:00 · 2024-06-07 12:47:09 -06:00
parent fa063722e1
commit 5d3fd3d389
5 changed files with 29 additions and 14 deletions
--- a/salt/manager/defaults.yaml
+++ b/salt/manager/defaults.yaml
@@ -2,4 +2,6 @@ manager:
  reposync:
    enabled: True
    hour: 3
-    minute: 0
+    minute: 0
+  additionalCA: ''
+  insecureSkipVerify: False
--- a/salt/manager/map.jinja
+++ b/salt/manager/map.jinja
@@ -0,0 +1,7 @@
+{# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+   or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+   https://securityonion.net/license; you may not use this file except in compliance with the
+   Elastic License 2.0. #}
+
+{% import_yaml 'manager/defaults.yaml' as MANAGERDEFAULTS %}
+{% set MANAGERMERGED = salt['pillar.get']('manager', MANAGERDEFAULTS.manager, merge=True) %}
--- a/salt/manager/soc_manager.yaml
+++ b/salt/manager/soc_manager.yaml
@@ -7,7 +7,7 @@ manager:
    hour:
      description: The hour of the day in which the repo sync takes place.
      global: True
-      helpLink: soup.html 
+      helpLink: soup.html
    minute:
      description: The minute within the hour to run the repo sync.
      global: True
@@ -16,11 +16,23 @@ manager:
    description: Enable elastalert 1=enabled 0=disabled.
    global: True
    helpLink: elastalert.html
-  no_proxy: 
-    description: String of hosts to ignore the proxy settings for. 
+  no_proxy:
+    description: String of hosts to ignore the proxy settings for.
    global: True
    helpLink: proxy.html
  proxy:
    description: Proxy server to use for updates.
    global: True
    helpLink: proxy.html
+  additionalCA:
+    description: Additional CA certificates to trust in PEM format.
+    global: True
+    advanced: True
+    multiline: True
+    helpLink: proxy.html
+  insecureSkipVerify:
+    description: Disable TLS verification for outgoing requests. This will make your installation less secure to MITM attacks. Recommended only for debugging purposes.
+    advanced: True
+    forcedType: bool
+    global: True
+    helpLink: proxy.html
--- a/salt/soc/merged.map.jinja
+++ b/salt/soc/merged.map.jinja
@@ -6,13 +6,15 @@
 {% from 'vars/globals.map.jinja' import GLOBALS %}
 {% from 'soc/defaults.map.jinja' import SOCDEFAULTS with context %}
 {% from 'logstash/map.jinja' import LOGSTASH_NODES %}
+{% from 'manager/map.jinja' import MANAGERMERGED %}
 {% set DOCKER_EXTRA_HOSTS = LOGSTASH_NODES %}
 {% do DOCKER_EXTRA_HOSTS.append({GLOBALS.influxdb_host:pillar.node_data[GLOBALS.influxdb_host].ip}) %}

 {% set SOCMERGED = salt['pillar.get']('soc', SOCDEFAULTS, merge=true) %}

-{% set MANAGER_PROXY = salt['pillar.get']('manager:proxy', '') %}
-{% do SOCMERGED.config.server.update({'proxy': MANAGER_PROXY}) %}
+{% do SOCMERGED.config.server.update({'proxy': MANAGERMERGED.proxy}) %}
+{% do SOCMERGED.config.server.update({'additionalCA': MANAGERMERGED.additionalCA}) %}
+{% do SOCMERGED.config.server.update({'insecureSkipVerify': MANAGERMERGED.insecureSkipVerify}) %}

 {# if SOCMERGED.config.server.modules.cases == httpcase details come from the soc pillar #}
 {% if SOCMERGED.config.server.modules.cases != 'soc' %}
--- a/salt/soc/soc_soc.yaml
+++ b/salt/soc/soc_soc.yaml
@@ -81,14 +81,6 @@ soc:
        description: Maximum number of packets to show in the PCAP viewer. Larger values can cause more resource utilization on both the SOC server and the browser.
        global: True
        advanced: True
-      rootCA:
-        description: Root Certificate Authority (CA) public key in PEM format that SOC will use to validate outgoing requests. This is useful when the SOC server is behind a reverse proxy that performs SSL termination.
-        multiline: True
-        advanced: True
-      insecureSkipVerify:
-        description: Disable TLS verification for outgoing requests. This will make your installation less secure to MITM attacks. Recommended only for debugging purposes.
-        advanced: True
-        forcedType: bool
      modules:
        elastalertengine:
          additionalAlerters: