From eab7828bfe83c5c94a1372372a6cff7c9c2e7326 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Mon, 9 Sep 2024 18:39:19 -0400
Subject: [PATCH 1/3] Formatting and add setting
---
salt/nginx/defaults.yaml | 1 +
salt/nginx/enabled.sls | 3 +++
salt/nginx/etc/nginx.conf | 49 ++++++++++++++++++++++++++++-----------
salt/nginx/soc_nginx.yaml | 5 ++++
4 files changed, 45 insertions(+), 13 deletions(-)
diff --git a/salt/nginx/defaults.yaml b/salt/nginx/defaults.yaml
index 088ba9257..3e36233e7 100644
--- a/salt/nginx/defaults.yaml
+++ b/salt/nginx/defaults.yaml
@@ -1,5 +1,6 @@ nginx: enabled: False + external_suricata: False ssl: replace_cert: False config:
diff --git a/salt/nginx/enabled.sls b/salt/nginx/enabled.sls
index 273fb65be..91ea0fd24 100644
--- a/salt/nginx/enabled.sls
+++ b/salt/nginx/enabled.sls
@@ -130,6 +130,9 @@ so-nginx: - /opt/so/conf/navigator/config.json:/opt/socore/html/navigator/assets/config.json:ro - /nsm/repo:/opt/socore/html/repo:ro - /nsm/rules:/nsm/rules:ro + {% if NGINXMERGED.external_suricata %} + - /opt/so/rules/nids/suri:/surirules:ro + {% endif %} {% endif %} {% if DOCKER.containers[container_config].custom_bind_mounts %} {% for BIND in DOCKER.containers[container_config].custom_bind_mounts %}
diff --git a/salt/nginx/etc/nginx.conf b/salt/nginx/etc/nginx.conf
index 52ea68daa..72ba07b89 100644
--- a/salt/nginx/etc/nginx.conf
+++ b/salt/nginx/etc/nginx.conf
@@ -116,6 +116,29 @@ http { autoindex_localtime on; } } + {%- if NGINXMERGED.external_suricata %} + server { + listen 7789 ssl http2; + server_name {{ GLOBALS.url_base }}; + root /surirules; + location / { + allow all; + sendfile on; + sendfile_max_chunk 1m; + autoindex on; + autoindex_exact_size off; + autoindex_format html; + autoindex_localtime on; + ssl_certificate "/etc/pki/nginx/server.crt"; + ssl_certificate_key "/etc/pki/nginx/server.key"; + ssl_session_cache shared:SSL:1m; + ssl_session_timeout 10m; + ssl_ciphers HIGH:!aNULL:!MD5; + ssl_prefer_server_ciphers on; + ssl_protocols TLSv1.2; + } + } + {%- endif %} server { listen 443 ssl http2;
@@ -251,20 +274,20 @@ http { proxy_cookie_path /api/ /influxdb/api/; } - location /app/dashboards/ { - auth_request /auth/sessions/whoami; - rewrite /app/dashboards/(.*) /app/dashboards/$1 break; - proxy_pass http://{{ GLOBALS.manager }}:5601/app/; - proxy_read_timeout 300; - proxy_connect_timeout 300; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Proxy ""; - proxy_set_header X-Forwarded-Proto $scheme; - } + location /app/dashboards/ { + auth_request /auth/sessions/whoami; + rewrite /app/dashboards/(.*) /app/dashboards/$1 break; + proxy_pass http://{{ GLOBALS.manager }}:5601/app/; + proxy_read_timeout 300; + proxy_connect_timeout 300; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Proxy ""; + proxy_set_header X-Forwarded-Proto $scheme; + } - location /kibana/ { + location /kibana/ { auth_request /auth/sessions/whoami; rewrite /kibana/(.*) /$1 break; proxy_pass http://{{ GLOBALS.manager }}:5601/;
diff --git a/salt/nginx/soc_nginx.yaml b/salt/nginx/soc_nginx.yaml
index 924a45ae9..56bbd888f 100644
--- a/salt/nginx/soc_nginx.yaml
+++ b/salt/nginx/soc_nginx.yaml
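Review bot: The new port-7789 `server` block in the first hunk serves `/surirules` with `allow all;` and `autoindex on;` and, unlike every other `location` in this file, carries no `auth_request`, so the only access control left is the firewall hostgroup the listener is paired with; that is presumably intended for sensors that fetch rules without a browser session, but it deserves a comment on the `location / {` line, e.g. `# Intentionally unauthenticated, read-only ruleset index for external sensors; reachability is limited by the external_suricata firewall hostgroup.` Separately, `ssl_ciphers HIGH:!aNULL:!MD5;` still admits non-forward-secret RSA key exchange and CBC suites under TLSv1.2; an ECDHE-only list such as `ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;` would be tighter, provided the sensors consuming this endpoint support it. If the port-443 block uses the same cipher string it is not visible here, so I cannot tell whether this is a new divergence or a copy of the existing one. The `server {` for port 443 that follows `{%- endif %}` continues outside the hunk.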
@@ -3,6 +3,11 @@ nginx: description: You can enable or disable Nginx. advanced: True helpLink: nginx.html + external_suricata: + description: Enable this to allow external access to Suricata Rulesets managed by Detections. + advanced: True + helplink: nginx.html + forcedType: bool ssl: replace_cert: description: Enable this if you would like to replace the Security Onion Certificate with your own.
From 6e2c319e7e3a21b804c5b1c64f344b8b0b0fc9e0 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Mon, 9 Sep 2024 19:42:04 -0400
Subject: [PATCH 2/3] Fix http2 declaration
---
salt/nginx/etc/nginx.conf | 25 ++++++++++++++-----------
1 file changed, 14 insertions(+), 11 deletions(-)
diff --git a/salt/nginx/etc/nginx.conf b/salt/nginx/etc/nginx.conf
index 72ba07b89..1c77426ef 100644
--- a/salt/nginx/etc/nginx.conf
+++ b/salt/nginx/etc/nginx.conf
@@ -84,7 +84,8 @@ http { } server { - listen 443 ssl http2 default_server; + listen 443 ssl default_server; + http2 on; server_name _; return 307 https://{{ GLOBALS.url_base }}$request_uri;
@@ -118,17 +119,10 @@ http { } {%- if NGINXMERGED.external_suricata %} server { - listen 7789 ssl http2; + listen 7789 ssl; + http2 on; server_name {{ GLOBALS.url_base }}; root /surirules; - location / { - allow all; - sendfile on; - sendfile_max_chunk 1m; - autoindex on; - autoindex_exact_size off; - autoindex_format html; - autoindex_localtime on; ssl_certificate "/etc/pki/nginx/server.crt"; ssl_certificate_key "/etc/pki/nginx/server.key"; ssl_session_cache shared:SSL:1m;
@@ -136,12 +130,21 @@ http { ssl_ciphers HIGH:!aNULL:!MD5; ssl_prefer_server_ciphers on; ssl_protocols TLSv1.2; + location / { + allow all; + sendfile on; + sendfile_max_chunk 1m; + autoindex on; + autoindex_exact_size off; + autoindex_format html; + autoindex_localtime on; } } {%- endif %} server { - listen 443 ssl http2; + listen 443 ssl; + http2 on; server_name {{ GLOBALS.url_base }}; root /opt/socore/html; index index.html;
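Review bot: The new `external_suricata` entry in this hunk spells the help key `helplink:` while the existing `enabled` entry two lines above uses `helpLink:`; the keys in this file are case-sensitive, so the link is presumably ignored for the new setting, and the line should read `helpLink: nginx.html`. The description could also say what the flag does not do on its own — it only adds the nginx listener, and hosts still need to be admitted by the matching firewall hostgroup — so `description: Enable this to allow external access to Suricata Rulesets managed by Detections. Hosts must also be added to the external_suricata firewall hostgroup.` would save a support question.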
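Review bot: The `http2 on;` directive added in the `@@ -84` hunk (and again in the `@@ -118` and `@@ -136` hunks) exists only in nginx 1.25.1 and later; on an older build nginx refuses to load the configuration with an unknown-directive error, and nothing in this patch pins or checks the image version. If the bundled image is already on a recent release this is fine, but it is worth a comment next to the first occurrence, e.g. `# "http2 on;" replaces the deprecated "listen ... http2" parameter and requires nginx >= 1.25.1`. The `default_server` block in the first hunk continues outside the hunk.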
From cac153909481e5538f33738f9846c48caa47919b Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Thu, 12 Sep 2024 13:08:01 -0400
Subject: [PATCH 3/3] Add to firewall settings and annotations
---
salt/firewall/defaults.yaml | 20 ++++++++++++++++++++
salt/firewall/soc_firewall.yaml | 14 ++++++++++++++
2 files changed, 34 insertions(+)
diff --git a/salt/firewall/defaults.yaml b/salt/firewall/defaults.yaml
index fc5368e12..b9bfdbf63 100644
--- a/salt/firewall/defaults.yaml
+++ b/salt/firewall/defaults.yaml
@@ -10,6 +10,7 @@ firewall: elasticsearch_rest: [] endgame: [] eval: [] + external_suricata: [] fleet: [] heavynode: [] idh: []
@@ -86,6 +87,10 @@ firewall: tcp: - 3765 udp: [] + external_suricata: + tcp: + - 7789 + udp: [] influxdb: tcp: - 8086
@@ -216,6 +221,9 @@ firewall: analyst: portgroups: - nginx + external_suricata: + portgroups: + - external_suricata customhostgroup0: portgroups: [] customhostgroup1:
@@ -462,6 +470,9 @@ firewall: endgame: portgroups: - endgame + external_suricata: + portgroups: + - external_suricata desktop: portgroups: - docker_registry
@@ -654,6 +665,9 @@ firewall: endgame: portgroups: - endgame + external_suricata: + portgroups: + - external_suricata desktop: portgroups: - docker_registry
@@ -850,6 +864,9 @@ firewall: endgame: portgroups: - endgame + external_suricata: + portgroups: + - external_suricata strelka_frontend: portgroups: - strelka_frontend
@@ -1216,6 +1233,9 @@ firewall: - elastic_agent_control - elastic_agent_data - elastic_agent_update + external_suricata: + portgroups: + - external_suricata analyst: portgroups: - nginx
diff --git a/salt/firewall/soc_firewall.yaml b/salt/firewall/soc_firewall.yaml
index 3a8b4d3a0..222bcc8a2 100644
--- a/salt/firewall/soc_firewall.yaml
+++ b/salt/firewall/soc_firewall.yaml
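Review bot: The new `external_suricata: []` hostgroup in the `@@ -10` hunk is the only thing between the network and the unauthenticated port-7789 listener that the `@@ -86` portgroup opens, and its empty default is what keeps that port closed; that is the right default, but it is not stated anywhere in the file. A one-line YAML comment above the hostgroup would make the dependency explicit, e.g. `# Hosts allowed to reach the external Suricata ruleset listener (tcp/7789); leave empty to keep it closed.` The `firewall:` mapping that contains these hunks begins and ends outside them.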
@@ -32,6 +32,7 @@ firewall: elasticsearch_rest: *hostgroupsettingsadv endgame: *hostgroupsettingsadv eval: *hostgroupsettings + external_suricata: *hostgroupsettings fleet: *hostgroupsettings heavynode: *hostgroupsettings idh: *hostgroupsettings
@@ -117,6 +118,9 @@ firewall: endgame: tcp: *tcpsettings udp: *udpsettings + external_suricata: + tcp: *tcpsettings + udp: *udpsettings influxdb: tcp: *tcpsettings udp: *udpsettings
@@ -215,6 +219,8 @@ firewall: portgroups: *portgroupsdocker elastic_agent_endpoint: portgroups: *portgroupsdocker + external_suricata: + portgroups: *portgroupsdocker strelka_frontend: portgroups: *portgroupsdocker syslog:
@@ -370,6 +376,8 @@ firewall: portgroups: *portgroupsdocker endgame: portgroups: *portgroupsdocker + external_suricata: + portgroups: *portgroupsdocker analyst: portgroups: *portgroupsdocker desktop:
@@ -463,6 +471,8 @@ firewall: portgroups: *portgroupsdocker analyst: portgroups: *portgroupsdocker + external_suricata: + portgroups: *portgroupsdocker desktop: portgroups: *portgroupsdocker customhostgroup0:
@@ -554,6 +564,8 @@ firewall: portgroups: *portgroupsdocker endgame: portgroups: *portgroupsdocker + external_suricata: + portgroups: *portgroupsdocker strelka_frontend: portgroups: *portgroupsdocker syslog:
@@ -828,6 +840,8 @@ firewall: portgroups: *portgroupsdocker analyst: portgroups: *portgroupsdocker + external_suricata: + portgroups: *portgroupsdocker desktop: portgroups: *portgroupsdocker customhostgroup0: