diff --git a/salt/elasticsearch/files/ingest/suricata.alert b/salt/elasticsearch/files/ingest/suricata.alert index 68e0a5cb3..9dd97e190 100644 --- a/salt/elasticsearch/files/ingest/suricata.alert +++ b/salt/elasticsearch/files/ingest/suricata.alert @@ -1,7 +1,7 @@ { "description" : "suricata.alert", "processors" : [ - { "set": { "field": "_index", "value": "logs-suricata.alerts-so" } }, + { "set": { "if": "ctx.event?.imported != true", "field": "_index", "value": "logs-suricata.alerts-so" } }, { "set": { "field": "tags","value": "alert" }}, { "rename":{ "field": "message2.alert", "target_field": "rule", "ignore_failure": true } }, { "rename":{ "field": "rule.signature", "target_field": "rule.name", "ignore_failure": true } }, diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup index d48463737..c0a6a4359 100755 --- a/salt/manager/tools/sbin/soup +++ b/salt/manager/tools/sbin/soup @@ -427,7 +427,8 @@ postupgrade_changes() { [[ "$POSTVERSION" == 2.4.80 ]] && post_to_2.4.90 [[ "$POSTVERSION" == 2.4.90 ]] && post_to_2.4.100 [[ "$POSTVERSION" == 2.4.100 ]] && post_to_2.4.110 - [[ "$POSTVERSION" == 2.4.110 ]] && post_to_2.4.120 + [[ "$POSTVERSION" == 2.4.110 ]] && post_to_2.4.111 + [[ "$POSTVERSION" == 2.4.111 ]] && post_to_2.4.120 true } @@ -528,6 +529,9 @@ post_to_2.4.111() { post_to_2.4.120() { update_elasticsearch_index_settings + # Manually rollover suricata alerts index to ensure data_stream.dataset expected mapping is set to 'suricata' + rollover_index "logs-suricata.alerts-so" + # Sync the newly generated index templates for elasticfleet integrations salt-call state.apply elasticsearch queue=True @@ -811,6 +815,22 @@ ASSIST_EOF fi } +rollover_index() { + idx=$1 + exists=$(so-elasticsearch-query $idx -o /dev/null -w "%{http_code}") + if [[ $exists -eq 200 ]]; then + rollover=$(so-elasticsearch-query $idx/_rollover -o /dev/null -w "%{http_code}" -XPOST) + + if [[ $rollover -eq 200 ]]; then + echo "Successfully triggered rollover for $idx..." + else + echo "Could not trigger rollover for $idx..." + fi + else + echo "Could not find index $idx..." + fi +} + suricata_idstools_migration() { #Backup the pillars for idstools mkdir -p /nsm/backup/detections-migration/idstools diff --git a/salt/nginx/etc/nginx.conf b/salt/nginx/etc/nginx.conf index 09c40624e..3168a5986 100644 --- a/salt/nginx/etc/nginx.conf +++ b/salt/nginx/etc/nginx.conf @@ -89,11 +89,18 @@ http { server_name _; return 307 https://{{ GLOBALS.url_base }}$request_uri; + add_header Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval' https: data: blob: wss:; frame-ancestors 'self'"; + add_header X-Frame-Options SAMEORIGIN; + add_header X-XSS-Protection "1; mode=block"; + add_header X-Content-Type-Options nosniff; + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains"; + add_header referrer-Policy no-referrer; + ssl_certificate "/etc/pki/nginx/server.crt"; ssl_certificate_key "/etc/pki/nginx/server.key"; ssl_session_cache shared:SSL:1m; ssl_session_timeout 10m; - ssl_ciphers HIGH:!aNULL:!MD5; + ssl_ciphers TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256:TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256:TLS_RSA_WITH_AES_256_GCM_SHA384:TLS_RSA_WITH_AES_256_CCM:TLS_RSA_WITH_ARIA_256_GCM_SHA384:TLS_RSA_WITH_AES_128_GCM_SHA256:TLS_RSA_WITH_AES_128_CCM:TLS_RSA_WITH_ARIA_128_GCM_SHA256; ssl_ecdh_curve secp521r1:secp384r1; ssl_prefer_server_ciphers on; ssl_protocols TLSv1.2; @@ -123,11 +130,19 @@ http { http2 on; server_name {{ GLOBALS.url_base }}; root /surirules; + + add_header Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval' https: data: blob: wss:; frame-ancestors 'self'"; + add_header X-Frame-Options SAMEORIGIN; + add_header X-XSS-Protection "1; mode=block"; + add_header X-Content-Type-Options nosniff; + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains"; + add_header referrer-Policy no-referrer; + ssl_certificate "/etc/pki/nginx/server.crt"; ssl_certificate_key "/etc/pki/nginx/server.key"; ssl_session_cache shared:SSL:1m; ssl_session_timeout 10m; - ssl_ciphers HIGH:!aNULL:!MD5; + ssl_ciphers TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256:TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256:TLS_RSA_WITH_AES_256_GCM_SHA384:TLS_RSA_WITH_AES_256_CCM:TLS_RSA_WITH_ARIA_256_GCM_SHA384:TLS_RSA_WITH_AES_128_GCM_SHA256:TLS_RSA_WITH_AES_128_CCM:TLS_RSA_WITH_ARIA_128_GCM_SHA256; ssl_prefer_server_ciphers on; ssl_protocols TLSv1.2; location / { @@ -153,13 +168,14 @@ http { add_header X-Frame-Options SAMEORIGIN; add_header X-XSS-Protection "1; mode=block"; add_header X-Content-Type-Options nosniff; - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"; + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains"; + add_header referrer-Policy no-referrer; ssl_certificate "/etc/pki/nginx/server.crt"; ssl_certificate_key "/etc/pki/nginx/server.key"; ssl_session_cache shared:SSL:1m; ssl_session_timeout 10m; - ssl_ciphers HIGH:!aNULL:!MD5; + ssl_ciphers TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256:TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256:TLS_RSA_WITH_AES_256_GCM_SHA384:TLS_RSA_WITH_AES_256_CCM:TLS_RSA_WITH_ARIA_256_GCM_SHA384:TLS_RSA_WITH_AES_128_GCM_SHA256:TLS_RSA_WITH_AES_128_CCM:TLS_RSA_WITH_ARIA_128_GCM_SHA256; ssl_prefer_server_ciphers on; ssl_protocols TLSv1.2;