From 3ab1b907e4a7b627740e34ed053b3d3a0b17f6df Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Fri, 10 Jan 2025 13:45:42 -0500 Subject: [PATCH 1/3] subgrid config annotations --- salt/soc/soc_soc.yaml | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml index eff21ccb9..32e522e88 100644 --- a/salt/soc/soc_soc.yaml +++ b/salt/soc/soc_soc.yaml @@ -85,6 +85,21 @@ soc: title: Require TOTP description: Require all users to enable Time-based One Time Passwords (MFA) upon login to SOC. global: True + subgrids: + title: Suboordinate Grids + description: Optional list of subgrids that this grid has access to manage. This is also known as a 'Manager of Managers' configuration. The values entered must originate from the remote suboordinate grid. Requires a valid Security Onion license key. + global: True + syntax: json + forcedType: []{} + uiElements: + - field: description + label: Description + - field: manager_url + label: Manager URL + - field: client_id + label: API Client ID + - field: client_secret + label: API Client Secret modules: elastalertengine: aiRepoUrl: From 964bbe6aa565b988bee744dc10ebd8c952cab357 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Fri, 17 Jan 2025 12:14:30 -0500 Subject: [PATCH 2/3] additional web server security measures --- salt/nginx/etc/nginx.conf | 24 ++++++++++++++++++++---- 1 file changed, 20 insertions(+), 4 deletions(-) diff --git a/salt/nginx/etc/nginx.conf b/salt/nginx/etc/nginx.conf index 09c40624e..3168a5986 100644 --- a/salt/nginx/etc/nginx.conf +++ b/salt/nginx/etc/nginx.conf @@ -89,11 +89,18 @@ http { server_name _; return 307 https://{{ GLOBALS.url_base }}$request_uri; + add_header Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval' https: data: blob: wss:; frame-ancestors 'self'"; + add_header X-Frame-Options SAMEORIGIN; + add_header X-XSS-Protection "1; mode=block"; + add_header X-Content-Type-Options nosniff; + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains"; + add_header referrer-Policy no-referrer; + ssl_certificate "/etc/pki/nginx/server.crt"; ssl_certificate_key "/etc/pki/nginx/server.key"; ssl_session_cache shared:SSL:1m; ssl_session_timeout 10m; - ssl_ciphers HIGH:!aNULL:!MD5; + ssl_ciphers TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256:TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256:TLS_RSA_WITH_AES_256_GCM_SHA384:TLS_RSA_WITH_AES_256_CCM:TLS_RSA_WITH_ARIA_256_GCM_SHA384:TLS_RSA_WITH_AES_128_GCM_SHA256:TLS_RSA_WITH_AES_128_CCM:TLS_RSA_WITH_ARIA_128_GCM_SHA256; ssl_ecdh_curve secp521r1:secp384r1; ssl_prefer_server_ciphers on; ssl_protocols TLSv1.2; @@ -123,11 +130,19 @@ http { http2 on; server_name {{ GLOBALS.url_base }}; root /surirules; + + add_header Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval' https: data: blob: wss:; frame-ancestors 'self'"; + add_header X-Frame-Options SAMEORIGIN; + add_header X-XSS-Protection "1; mode=block"; + add_header X-Content-Type-Options nosniff; + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains"; + add_header referrer-Policy no-referrer; + ssl_certificate "/etc/pki/nginx/server.crt"; ssl_certificate_key "/etc/pki/nginx/server.key"; ssl_session_cache shared:SSL:1m; ssl_session_timeout 10m; - ssl_ciphers HIGH:!aNULL:!MD5; + ssl_ciphers TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256:TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256:TLS_RSA_WITH_AES_256_GCM_SHA384:TLS_RSA_WITH_AES_256_CCM:TLS_RSA_WITH_ARIA_256_GCM_SHA384:TLS_RSA_WITH_AES_128_GCM_SHA256:TLS_RSA_WITH_AES_128_CCM:TLS_RSA_WITH_ARIA_128_GCM_SHA256; ssl_prefer_server_ciphers on; ssl_protocols TLSv1.2; location / { @@ -153,13 +168,14 @@ http { add_header X-Frame-Options SAMEORIGIN; add_header X-XSS-Protection "1; mode=block"; add_header X-Content-Type-Options nosniff; - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"; + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains"; + add_header referrer-Policy no-referrer; ssl_certificate "/etc/pki/nginx/server.crt"; ssl_certificate_key "/etc/pki/nginx/server.key"; ssl_session_cache shared:SSL:1m; ssl_session_timeout 10m; - ssl_ciphers HIGH:!aNULL:!MD5; + ssl_ciphers TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256:TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256:TLS_RSA_WITH_AES_256_GCM_SHA384:TLS_RSA_WITH_AES_256_CCM:TLS_RSA_WITH_ARIA_256_GCM_SHA384:TLS_RSA_WITH_AES_128_GCM_SHA256:TLS_RSA_WITH_AES_128_CCM:TLS_RSA_WITH_ARIA_128_GCM_SHA256; ssl_prefer_server_ciphers on; ssl_protocols TLSv1.2; From 7705f45d789ee3dcb94da03710372ebed81a1cea Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Fri, 17 Jan 2025 12:16:12 -0500 Subject: [PATCH 3/3] Revert "subgrid config annotations" This reverts commit 3ab1b907e4a7b627740e34ed053b3d3a0b17f6df. --- salt/soc/soc_soc.yaml | 15 --------------- 1 file changed, 15 deletions(-) diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml index 8baffdb05..a667d1f7a 100644 --- a/salt/soc/soc_soc.yaml +++ b/salt/soc/soc_soc.yaml @@ -85,21 +85,6 @@ soc: title: Require TOTP description: Require all users to enable Time-based One Time Passwords (MFA) upon login to SOC. global: True - subgrids: - title: Suboordinate Grids - description: Optional list of subgrids that this grid has access to manage. This is also known as a 'Manager of Managers' configuration. The values entered must originate from the remote suboordinate grid. Requires a valid Security Onion license key. - global: True - syntax: json - forcedType: []{} - uiElements: - - field: description - label: Description - - field: manager_url - label: Manager URL - - field: client_id - label: API Client ID - - field: client_secret - label: API Client Secret modules: elastalertengine: aiRepoUrl: