From 3ab1b907e4a7b627740e34ed053b3d3a0b17f6df Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Fri, 10 Jan 2025 13:45:42 -0500 Subject: [PATCH 1/8] subgrid config annotations --- salt/soc/soc_soc.yaml | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml index eff21ccb9..32e522e88 100644 --- a/salt/soc/soc_soc.yaml +++ b/salt/soc/soc_soc.yaml @@ -85,6 +85,21 @@ soc: title: Require TOTP description: Require all users to enable Time-based One Time Passwords (MFA) upon login to SOC. global: True + subgrids: + title: Suboordinate Grids + description: Optional list of subgrids that this grid has access to manage. This is also known as a 'Manager of Managers' configuration. The values entered must originate from the remote suboordinate grid. Requires a valid Security Onion license key. + global: True + syntax: json + forcedType: []{} + uiElements: + - field: description + label: Description + - field: manager_url + label: Manager URL + - field: client_id + label: API Client ID + - field: client_secret + label: API Client Secret modules: elastalertengine: aiRepoUrl: From 45d3438d1873cab236a14f25bb3bf5762d9c278b Mon Sep 17 00:00:00 2001 From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Thu, 16 Jan 2025 17:33:14 -0600 Subject: [PATCH 2/8] update ingest pipeline for imported logs Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com> --- salt/elasticsearch/files/ingest/suricata.alert | 2 +- salt/manager/tools/sbin/soup | 17 +++++++++++++++++ 2 files changed, 18 insertions(+), 1 deletion(-) diff --git a/salt/elasticsearch/files/ingest/suricata.alert b/salt/elasticsearch/files/ingest/suricata.alert index 68e0a5cb3..c92a406b4 100644 --- a/salt/elasticsearch/files/ingest/suricata.alert +++ b/salt/elasticsearch/files/ingest/suricata.alert @@ -1,7 +1,7 @@ { "description" : "suricata.alert", "processors" : [ - { "set": { "field": "_index", "value": "logs-suricata.alerts-so" } }, + { "set": { "if": "ctx.data_stream?.dataset != null && ctx.data_stream?.dataset == 'suricata'", "field": "_index", "value": "logs-suricata.alerts-so" } }, { "set": { "field": "tags","value": "alert" }}, { "rename":{ "field": "message2.alert", "target_field": "rule", "ignore_failure": true } }, { "rename":{ "field": "rule.signature", "target_field": "rule.name", "ignore_failure": true } }, diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup index fc0c7aca4..23c59eb6b 100755 --- a/salt/manager/tools/sbin/soup +++ b/salt/manager/tools/sbin/soup @@ -527,6 +527,10 @@ post_to_2.4.111() { post_to_2.4.120() { update_elasticsearch_index_settings + + # Manually rollover suricata alerts index to ensure data_stream.dataset expected mapping is set to 'suricata' + rollover_index "logs-suricata.alerts-so" + POSTVERSION=2.4.120 } @@ -805,6 +809,19 @@ ASSIST_EOF fi } +rollover_index() { + idx=$1 + exists=$(curl -K /opt/so/conf/elasticsearch/curl.config -s -o /dev/null -w "%{http_code}" -k -L -H "Content-Type: application/json" "https://localhost:9200/$idx") + + rollover=$(curl -K /opt/so/conf/elasticsearch/curl.config -s -o /dev/null -w "%{http_code}" -k -L -H "Content-Type: application/json" "https://localhost:9200/$idx/_rollover" -XPOST) + + if [[ $rollover -eq 200 ]]; then + echo "Successfully triggered rollover for $idx..." + else + echo "Could not trigger rollover for $idx..." + fi +} + suricata_idstools_migration() { #Backup the pillars for idstools mkdir -p /nsm/backup/detections-migration/idstools From d573c0922d5c14f92beeda18e911b36f82745695 Mon Sep 17 00:00:00 2001 From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Thu, 16 Jan 2025 18:25:06 -0600 Subject: [PATCH 3/8] add 2.4.111 -> postupgrade check Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com> --- salt/manager/tools/sbin/soup | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup index 23c59eb6b..6264558fa 100755 --- a/salt/manager/tools/sbin/soup +++ b/salt/manager/tools/sbin/soup @@ -427,7 +427,8 @@ postupgrade_changes() { [[ "$POSTVERSION" == 2.4.80 ]] && post_to_2.4.90 [[ "$POSTVERSION" == 2.4.90 ]] && post_to_2.4.100 [[ "$POSTVERSION" == 2.4.100 ]] && post_to_2.4.110 - [[ "$POSTVERSION" == 2.4.110 ]] && post_to_2.4.120 + [[ "$POSTVERSION" == 2.4.110 ]] && post_to_2.4.111 + [[ "$POSTVERSION" == 2.4.111 ]] && post_to_2.4.120 true } From 9032d7d7bc90543d23278a7be3b5d8457885c92e Mon Sep 17 00:00:00 2001 From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Thu, 16 Jan 2025 18:48:31 -0600 Subject: [PATCH 4/8] any suricata.alert with event.imported: true remains in logs-import-so Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com> --- salt/elasticsearch/files/ingest/suricata.alert | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/elasticsearch/files/ingest/suricata.alert b/salt/elasticsearch/files/ingest/suricata.alert index c92a406b4..9ee0acfd6 100644 --- a/salt/elasticsearch/files/ingest/suricata.alert +++ b/salt/elasticsearch/files/ingest/suricata.alert @@ -1,7 +1,7 @@ { "description" : "suricata.alert", "processors" : [ - { "set": { "if": "ctx.data_stream?.dataset != null && ctx.data_stream?.dataset == 'suricata'", "field": "_index", "value": "logs-suricata.alerts-so" } }, + { "set": { "if": "ctx.event?.imported != null && ctx.event?.imported != true", "field": "_index", "value": "logs-suricata.alerts-so" } }, { "set": { "field": "tags","value": "alert" }}, { "rename":{ "field": "message2.alert", "target_field": "rule", "ignore_failure": true } }, { "rename":{ "field": "rule.signature", "target_field": "rule.name", "ignore_failure": true } }, From 01a2e4cd4f4f950f0145d410a17686bdf383024d Mon Sep 17 00:00:00 2001 From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Fri, 17 Jan 2025 09:27:28 -0600 Subject: [PATCH 5/8] check for index existence before attemping rollover Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com> --- salt/manager/tools/sbin/soup | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup index 6264558fa..5e52388ac 100755 --- a/salt/manager/tools/sbin/soup +++ b/salt/manager/tools/sbin/soup @@ -814,12 +814,16 @@ rollover_index() { idx=$1 exists=$(curl -K /opt/so/conf/elasticsearch/curl.config -s -o /dev/null -w "%{http_code}" -k -L -H "Content-Type: application/json" "https://localhost:9200/$idx") - rollover=$(curl -K /opt/so/conf/elasticsearch/curl.config -s -o /dev/null -w "%{http_code}" -k -L -H "Content-Type: application/json" "https://localhost:9200/$idx/_rollover" -XPOST) + if [[ $exists -eq 200 ]]; then + rollover=$(curl -K /opt/so/conf/elasticsearch/curl.config -s -o /dev/null -w "%{http_code}" -k -L -H "Content-Type: application/json" "https://localhost:9200/$idx/_rollover" -XPOST) - if [[ $rollover -eq 200 ]]; then - echo "Successfully triggered rollover for $idx..." + if [[ $rollover -eq 200 ]]; then + echo "Successfully triggered rollover for $idx..." + else + echo "Could not trigger rollover for $idx..." + fi else - echo "Could not trigger rollover for $idx..." + echo "Could not find index $idx..." fi } From 964bbe6aa565b988bee744dc10ebd8c952cab357 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Fri, 17 Jan 2025 12:14:30 -0500 Subject: [PATCH 6/8] additional web server security measures --- salt/nginx/etc/nginx.conf | 24 ++++++++++++++++++++---- 1 file changed, 20 insertions(+), 4 deletions(-) diff --git a/salt/nginx/etc/nginx.conf b/salt/nginx/etc/nginx.conf index 09c40624e..3168a5986 100644 --- a/salt/nginx/etc/nginx.conf +++ b/salt/nginx/etc/nginx.conf @@ -89,11 +89,18 @@ http { server_name _; return 307 https://{{ GLOBALS.url_base }}$request_uri; + add_header Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval' https: data: blob: wss:; frame-ancestors 'self'"; + add_header X-Frame-Options SAMEORIGIN; + add_header X-XSS-Protection "1; mode=block"; + add_header X-Content-Type-Options nosniff; + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains"; + add_header referrer-Policy no-referrer; + ssl_certificate "/etc/pki/nginx/server.crt"; ssl_certificate_key "/etc/pki/nginx/server.key"; ssl_session_cache shared:SSL:1m; ssl_session_timeout 10m; - ssl_ciphers HIGH:!aNULL:!MD5; + ssl_ciphers TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256:TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256:TLS_RSA_WITH_AES_256_GCM_SHA384:TLS_RSA_WITH_AES_256_CCM:TLS_RSA_WITH_ARIA_256_GCM_SHA384:TLS_RSA_WITH_AES_128_GCM_SHA256:TLS_RSA_WITH_AES_128_CCM:TLS_RSA_WITH_ARIA_128_GCM_SHA256; ssl_ecdh_curve secp521r1:secp384r1; ssl_prefer_server_ciphers on; ssl_protocols TLSv1.2; @@ -123,11 +130,19 @@ http { http2 on; server_name {{ GLOBALS.url_base }}; root /surirules; + + add_header Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval' https: data: blob: wss:; frame-ancestors 'self'"; + add_header X-Frame-Options SAMEORIGIN; + add_header X-XSS-Protection "1; mode=block"; + add_header X-Content-Type-Options nosniff; + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains"; + add_header referrer-Policy no-referrer; + ssl_certificate "/etc/pki/nginx/server.crt"; ssl_certificate_key "/etc/pki/nginx/server.key"; ssl_session_cache shared:SSL:1m; ssl_session_timeout 10m; - ssl_ciphers HIGH:!aNULL:!MD5; + ssl_ciphers TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256:TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256:TLS_RSA_WITH_AES_256_GCM_SHA384:TLS_RSA_WITH_AES_256_CCM:TLS_RSA_WITH_ARIA_256_GCM_SHA384:TLS_RSA_WITH_AES_128_GCM_SHA256:TLS_RSA_WITH_AES_128_CCM:TLS_RSA_WITH_ARIA_128_GCM_SHA256; ssl_prefer_server_ciphers on; ssl_protocols TLSv1.2; location / { @@ -153,13 +168,14 @@ http { add_header X-Frame-Options SAMEORIGIN; add_header X-XSS-Protection "1; mode=block"; add_header X-Content-Type-Options nosniff; - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"; + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains"; + add_header referrer-Policy no-referrer; ssl_certificate "/etc/pki/nginx/server.crt"; ssl_certificate_key "/etc/pki/nginx/server.key"; ssl_session_cache shared:SSL:1m; ssl_session_timeout 10m; - ssl_ciphers HIGH:!aNULL:!MD5; + ssl_ciphers TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256:TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256:TLS_RSA_WITH_AES_256_GCM_SHA384:TLS_RSA_WITH_AES_256_CCM:TLS_RSA_WITH_ARIA_256_GCM_SHA384:TLS_RSA_WITH_AES_128_GCM_SHA256:TLS_RSA_WITH_AES_128_CCM:TLS_RSA_WITH_ARIA_128_GCM_SHA256; ssl_prefer_server_ciphers on; ssl_protocols TLSv1.2; From 7705f45d789ee3dcb94da03710372ebed81a1cea Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Fri, 17 Jan 2025 12:16:12 -0500 Subject: [PATCH 7/8] Revert "subgrid config annotations" This reverts commit 3ab1b907e4a7b627740e34ed053b3d3a0b17f6df. --- salt/soc/soc_soc.yaml | 15 --------------- 1 file changed, 15 deletions(-) diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml index 8baffdb05..a667d1f7a 100644 --- a/salt/soc/soc_soc.yaml +++ b/salt/soc/soc_soc.yaml @@ -85,21 +85,6 @@ soc: title: Require TOTP description: Require all users to enable Time-based One Time Passwords (MFA) upon login to SOC. global: True - subgrids: - title: Suboordinate Grids - description: Optional list of subgrids that this grid has access to manage. This is also known as a 'Manager of Managers' configuration. The values entered must originate from the remote suboordinate grid. Requires a valid Security Onion license key. - global: True - syntax: json - forcedType: []{} - uiElements: - - field: description - label: Description - - field: manager_url - label: Manager URL - - field: client_id - label: API Client ID - - field: client_secret - label: API Client Secret modules: elastalertengine: aiRepoUrl: From 1396083b7da0804c061176e0f32236115cadd1c0 Mon Sep 17 00:00:00 2001 From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Fri, 17 Jan 2025 13:29:46 -0600 Subject: [PATCH 8/8] use so-elasticsearch-query where possible; simplify suricata.alerts index reroute Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com> --- salt/elasticsearch/files/ingest/suricata.alert | 2 +- salt/manager/tools/sbin/soup | 5 ++--- 2 files changed, 3 insertions(+), 4 deletions(-) diff --git a/salt/elasticsearch/files/ingest/suricata.alert b/salt/elasticsearch/files/ingest/suricata.alert index 9ee0acfd6..9dd97e190 100644 --- a/salt/elasticsearch/files/ingest/suricata.alert +++ b/salt/elasticsearch/files/ingest/suricata.alert @@ -1,7 +1,7 @@ { "description" : "suricata.alert", "processors" : [ - { "set": { "if": "ctx.event?.imported != null && ctx.event?.imported != true", "field": "_index", "value": "logs-suricata.alerts-so" } }, + { "set": { "if": "ctx.event?.imported != true", "field": "_index", "value": "logs-suricata.alerts-so" } }, { "set": { "field": "tags","value": "alert" }}, { "rename":{ "field": "message2.alert", "target_field": "rule", "ignore_failure": true } }, { "rename":{ "field": "rule.signature", "target_field": "rule.name", "ignore_failure": true } }, diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup index 5e52388ac..88dd5c9d8 100755 --- a/salt/manager/tools/sbin/soup +++ b/salt/manager/tools/sbin/soup @@ -812,10 +812,9 @@ ASSIST_EOF rollover_index() { idx=$1 - exists=$(curl -K /opt/so/conf/elasticsearch/curl.config -s -o /dev/null -w "%{http_code}" -k -L -H "Content-Type: application/json" "https://localhost:9200/$idx") - + exists=$(so-elasticsearch-query $idx -o /dev/null -w "%{http_code}") if [[ $exists -eq 200 ]]; then - rollover=$(curl -K /opt/so/conf/elasticsearch/curl.config -s -o /dev/null -w "%{http_code}" -k -L -H "Content-Type: application/json" "https://localhost:9200/$idx/_rollover" -XPOST) + rollover=$(so-elasticsearch-query $idx/_rollover -o /dev/null -w "%{http_code}" -XPOST) if [[ $rollover -eq 200 ]]; then echo "Successfully triggered rollover for $idx..."