add back individual signing policies

This commit is contained in:
Josh Patterson
2026-01-12 09:25:15 -05:00
parent 3bc552ef38
commit 00fbc1c259
10 changed files with 86 additions and 17 deletions
+70 -1
@@ -1,5 +1,5 @@
x509_signing_policies: x509_signing_policies:
general: filebeat:
- minions: '*' - minions: '*'
- signing_private_key: /etc/pki/ca.key - signing_private_key: /etc/pki/ca.key
- signing_cert: /etc/pki/ca.crt - signing_cert: /etc/pki/ca.crt
@@ -12,3 +12,72 @@ x509_signing_policies:
- authorityKeyIdentifier: keyid,issuer:always - authorityKeyIdentifier: keyid,issuer:always
- days_valid: 820 - days_valid: 820
- copypath: /etc/pki/issued_certs/ - copypath: /etc/pki/issued_certs/
registry:
- minions: '*'
- signing_private_key: /etc/pki/ca.key
- signing_cert: /etc/pki/ca.crt
- C: US
- ST: Utah
- L: Salt Lake City
- basicConstraints: "critical CA:false"
- keyUsage: "critical keyEncipherment"
- subjectKeyIdentifier: hash
- authorityKeyIdentifier: keyid,issuer:always
- extendedKeyUsage: serverAuth
- days_valid: 820
- copypath: /etc/pki/issued_certs/
managerssl:
- minions: '*'
- signing_private_key: /etc/pki/ca.key
- signing_cert: /etc/pki/ca.crt
- C: US
- ST: Utah
- L: Salt Lake City
- basicConstraints: "critical CA:false"
- keyUsage: "critical keyEncipherment digitalSignature"
- subjectKeyIdentifier: hash
- authorityKeyIdentifier: keyid,issuer:always
- extendedKeyUsage: serverAuth
- days_valid: 820
- copypath: /etc/pki/issued_certs/
influxdb:
- minions: '*'
- signing_private_key: /etc/pki/ca.key
- signing_cert: /etc/pki/ca.crt
- C: US
- ST: Utah
- L: Salt Lake City
- basicConstraints: "critical CA:false"
- keyUsage: "critical keyEncipherment"
- subjectKeyIdentifier: hash
- authorityKeyIdentifier: keyid,issuer:always
- extendedKeyUsage: serverAuth
- days_valid: 820
- copypath: /etc/pki/issued_certs/
elasticfleet:
- minions: '*'
- signing_private_key: /etc/pki/ca.key
- signing_cert: /etc/pki/ca.crt
- C: US
- ST: Utah
- L: Salt Lake City
- basicConstraints: "critical CA:false"
- keyUsage: "digitalSignature, nonRepudiation"
- subjectKeyIdentifier: hash
- authorityKeyIdentifier: keyid,issuer:always
- days_valid: 820
- copypath: /etc/pki/issued_certs/
kafka:
- minions: '*'
- signing_private_key: /etc/pki/ca.key
- signing_cert: /etc/pki/ca.crt
- C: US
- ST: Utah
- L: Salt Lake City
- basicConstraints: "critical CA:false"
- keyUsage: "digitalSignature, keyEncipherment"
- subjectKeyIdentifier: hash
- authorityKeyIdentifier: keyid,issuer:always
- extendedKeyUsage: "serverAuth, clientAuth"
- days_valid: 820
- copypath: /etc/pki/issued_certs/
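Review bot: Every policy added in this hunk keeps `minions: '*'`, so splitting `general` into per-service policies changes the certificate profile but not who may request it — any minion can still have the CA sign a certificate under, for example, the `kafka` policy, which carries `clientAuth`. If the split is meant to be an authorization boundary, scope `minions` per policy to the roles that actually need that certificate; if it is intentionally open, a comment above `x509_signing_policies:` stating that would spare the next reader the wrong assumption. Separately, `registry` and `influxdb` set `keyUsage: "critical keyEncipherment"` with no `digitalSignature`, while `managerssl` has both; TLS 1.3 and ECDHE suites authenticate the server with a signature, so a peer that enforces the critical keyUsage may reject those certificates, and `keyUsage: "critical digitalSignature, keyEncipherment"` would be the safer profile. The keyUsage strings also mix separators (`"critical keyEncipherment digitalSignature"` space-separated in `managerssl`, `"digitalSignature, keyEncipherment"` comma-separated in `kafka` and `elasticfleet`); if the consuming module splits on commas, one of these forms is parsed as a single unknown bit name, so the rendered certificates should be checked and the strings made consistent.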
+3 -3
@@ -31,7 +31,7 @@ etc_elasticfleet_crt:
x509.certificate_managed: x509.certificate_managed:
- name: /etc/pki/elasticfleet-server.crt - name: /etc/pki/elasticfleet-server.crt
- ca_server: {{ CA.server }} - ca_server: {{ CA.server }}
- signing_policy: general - signing_policy: elasticfleet
- private_key: /etc/pki/elasticfleet-server.key - private_key: /etc/pki/elasticfleet-server.key
- CN: {{ GLOBALS.hostname }} - CN: {{ GLOBALS.hostname }}
- subjectAltName: DNS:{{ GLOBALS.hostname }},DNS:{{ GLOBALS.url_base }},IP:{{ GLOBALS.node_ip }}{% if ELASTICFLEETMERGED.config.server.custom_fqdn | length > 0 %},DNS:{{ ELASTICFLEETMERGED.config.server.custom_fqdn | join(',DNS:') }}{% endif %} - subjectAltName: DNS:{{ GLOBALS.hostname }},DNS:{{ GLOBALS.url_base }},IP:{{ GLOBALS.node_ip }}{% if ELASTICFLEETMERGED.config.server.custom_fqdn | length > 0 %},DNS:{{ ELASTICFLEETMERGED.config.server.custom_fqdn | join(',DNS:') }}{% endif %}
@@ -88,7 +88,7 @@ etc_elasticfleet_agent_crt:
x509.certificate_managed: x509.certificate_managed:
- name: /etc/pki/elasticfleet-agent.crt - name: /etc/pki/elasticfleet-agent.crt
- ca_server: {{ CA.server }} - ca_server: {{ CA.server }}
- signing_policy: general - signing_policy: elasticfleet
- private_key: /etc/pki/elasticfleet-agent.key - private_key: /etc/pki/elasticfleet-agent.key
- CN: {{ GLOBALS.hostname }} - CN: {{ GLOBALS.hostname }}
- days_remaining: 7 - days_remaining: 7
@@ -148,7 +148,7 @@ elasticfleet_kafka_crt:
x509.certificate_managed: x509.certificate_managed:
- name: /etc/pki/elasticfleet-kafka.crt - name: /etc/pki/elasticfleet-kafka.crt
- ca_server: {{ CA.server }} - ca_server: {{ CA.server }}
- signing_policy: general - signing_policy: kafka
- private_key: /etc/pki/elasticfleet-kafka.key - private_key: /etc/pki/elasticfleet-kafka.key
- CN: {{ GLOBALS.hostname }} - CN: {{ GLOBALS.hostname }}
- subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }} - subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }}
+1 -1
@@ -27,7 +27,7 @@ elasticsearch_crt:
x509.certificate_managed: x509.certificate_managed:
- name: /etc/pki/elasticsearch.crt - name: /etc/pki/elasticsearch.crt
- ca_server: {{ CA.server }} - ca_server: {{ CA.server }}
- signing_policy: general - signing_policy: registry
- private_key: /etc/pki/elasticsearch.key - private_key: /etc/pki/elasticsearch.key
- CN: {{ GLOBALS.hostname }} - CN: {{ GLOBALS.hostname }}
- subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }} - subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }}
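Review bot: `elasticsearch_crt` is now signed under `signing_policy: registry`, and the same cross-service reuse appears for `redis_crt` (also `registry`) and `telegraf_crt` (`influxdb`); because the policy names read as the consuming service, these lines look like copy-paste mistakes even if the profiles are identical. Either name the shared profiles by what they grant (a server-auth profile that several states reference) or put a one-line comment above each such `signing_policy` line, e.g. `# registry policy: serverAuth profile shared with redis/elasticsearch`, so the intent survives the next refactor. The enclosing `x509.certificate_managed` stanza continues outside the hunk, so the remaining arguments are not visible here.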
+1 -1
@@ -27,7 +27,7 @@ influxdb_crt:
x509.certificate_managed: x509.certificate_managed:
- name: /etc/pki/influxdb.crt - name: /etc/pki/influxdb.crt
- ca_server: {{ CA.server }} - ca_server: {{ CA.server }}
- signing_policy: general - signing_policy: influxdb
- private_key: /etc/pki/influxdb.key - private_key: /etc/pki/influxdb.key
- CN: {{ GLOBALS.hostname }} - CN: {{ GLOBALS.hostname }}
- subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }} - subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }}
+3 -3
@@ -34,7 +34,7 @@ kafka_client_crt:
- name: /etc/pki/kafka-client.crt - name: /etc/pki/kafka-client.crt
- ca_server: {{ CA.server }} - ca_server: {{ CA.server }}
- subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }} - subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }}
- signing_policy: general - signing_policy: kafka
- private_key: /etc/pki/kafka-client.key - private_key: /etc/pki/kafka-client.key
- CN: {{ GLOBALS.hostname }} - CN: {{ GLOBALS.hostname }}
- days_remaining: 7 - days_remaining: 7
@@ -82,7 +82,7 @@ kafka_crt:
- name: /etc/pki/kafka.crt - name: /etc/pki/kafka.crt
- ca_server: {{ CA.server }} - ca_server: {{ CA.server }}
- subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }} - subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }}
- signing_policy: general - signing_policy: kafka
- private_key: /etc/pki/kafka.key - private_key: /etc/pki/kafka.key
- CN: {{ GLOBALS.hostname }} - CN: {{ GLOBALS.hostname }}
- days_remaining: 7 - days_remaining: 7
@@ -144,7 +144,7 @@ kafka_logstash_crt:
- name: /etc/pki/kafka-logstash.crt - name: /etc/pki/kafka-logstash.crt
- ca_server: {{ CA.server }} - ca_server: {{ CA.server }}
- subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }} - subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }}
- signing_policy: general - signing_policy: kafka
- private_key: /etc/pki/kafka-logstash.key - private_key: /etc/pki/kafka-logstash.key
- CN: {{ GLOBALS.hostname }} - CN: {{ GLOBALS.hostname }}
- days_remaining: 7 - days_remaining: 7
+4 -4
@@ -31,7 +31,7 @@ etc_elasticfleet_logstash_crt:
x509.certificate_managed: x509.certificate_managed:
- name: /etc/pki/elasticfleet-logstash.crt - name: /etc/pki/elasticfleet-logstash.crt
- ca_server: {{ CA.server }} - ca_server: {{ CA.server }}
- signing_policy: general - signing_policy: elasticfleet
- private_key: /etc/pki/elasticfleet-logstash.key - private_key: /etc/pki/elasticfleet-logstash.key
- CN: {{ GLOBALS.hostname }} - CN: {{ GLOBALS.hostname }}
- subjectAltName: DNS:{{ GLOBALS.hostname }},DNS:{{ GLOBALS.url_base }},IP:{{ GLOBALS.node_ip }}{% if ELASTICFLEETMERGED.config.server.custom_fqdn | length > 0 %},DNS:{{ ELASTICFLEETMERGED.config.server.custom_fqdn | join(',DNS:') }}{% endif %} - subjectAltName: DNS:{{ GLOBALS.hostname }},DNS:{{ GLOBALS.url_base }},IP:{{ GLOBALS.node_ip }}{% if ELASTICFLEETMERGED.config.server.custom_fqdn | length > 0 %},DNS:{{ ELASTICFLEETMERGED.config.server.custom_fqdn | join(',DNS:') }}{% endif %}
@@ -92,7 +92,7 @@ etc_elasticfleetlumberjack_crt:
x509.certificate_managed: x509.certificate_managed:
- name: /etc/pki/elasticfleet-lumberjack.crt - name: /etc/pki/elasticfleet-lumberjack.crt
- ca_server: {{ CA.server }} - ca_server: {{ CA.server }}
- signing_policy: general - signing_policy: elasticfleet
- private_key: /etc/pki/elasticfleet-lumberjack.key - private_key: /etc/pki/elasticfleet-lumberjack.key
- CN: {{ GLOBALS.node_ip }} - CN: {{ GLOBALS.node_ip }}
- subjectAltName: DNS:{{ GLOBALS.hostname }} - subjectAltName: DNS:{{ GLOBALS.hostname }}
@@ -161,7 +161,7 @@ etc_filebeat_crt:
x509.certificate_managed: x509.certificate_managed:
- name: /etc/pki/filebeat.crt - name: /etc/pki/filebeat.crt
- ca_server: {{ CA.server }} - ca_server: {{ CA.server }}
- signing_policy: general - signing_policy: filebeat
- private_key: /etc/pki/filebeat.key - private_key: /etc/pki/filebeat.key
- CN: {{ GLOBALS.hostname }} - CN: {{ GLOBALS.hostname }}
- subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }} - subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }}
@@ -242,7 +242,7 @@ conf_filebeat_crt:
x509.certificate_managed: x509.certificate_managed:
- name: /opt/so/conf/filebeat/etc/pki/filebeat.crt - name: /opt/so/conf/filebeat/etc/pki/filebeat.crt
- ca_server: {{ CA.server }} - ca_server: {{ CA.server }}
- signing_policy: general - signing_policy: filebeat
- private_key: /opt/so/conf/filebeat/etc/pki/filebeat.key - private_key: /opt/so/conf/filebeat/etc/pki/filebeat.key
- CN: {{ GLOBALS.hostname }} - CN: {{ GLOBALS.hostname }}
- subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }} - subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }}
+1 -1
@@ -53,7 +53,7 @@ managerssl_crt:
x509.certificate_managed: x509.certificate_managed:
- name: /etc/pki/managerssl.crt - name: /etc/pki/managerssl.crt
- ca_server: {{ CA.server }} - ca_server: {{ CA.server }}
- signing_policy: general - signing_policy: managerssl
- private_key: /etc/pki/managerssl.key - private_key: /etc/pki/managerssl.key
- CN: {{ GLOBALS.hostname }} - CN: {{ GLOBALS.hostname }}
- subjectAltName: "DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }}, DNS:{{ GLOBALS.url_base }}" - subjectAltName: "DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }}, DNS:{{ GLOBALS.url_base }}"
+1 -1
@@ -27,7 +27,7 @@ redis_crt:
- name: /etc/pki/redis.crt - name: /etc/pki/redis.crt
- ca_server: {{ CA.server }} - ca_server: {{ CA.server }}
- subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }} - subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }}
- signing_policy: general - signing_policy: registry
- private_key: /etc/pki/redis.key - private_key: /etc/pki/redis.key
- CN: {{ GLOBALS.hostname }} - CN: {{ GLOBALS.hostname }}
- days_remaining: 7 - days_remaining: 7
+1 -1
@@ -47,7 +47,7 @@ registry_crt:
- name: /etc/pki/registry.crt - name: /etc/pki/registry.crt
- ca_server: {{ CA.server }} - ca_server: {{ CA.server }}
- subjectAltName: DNS:{{ GLOBALS.manager }}, IP:{{ GLOBALS.manager_ip }} - subjectAltName: DNS:{{ GLOBALS.manager }}, IP:{{ GLOBALS.manager_ip }}
- signing_policy: general - signing_policy: registry
- private_key: /etc/pki/registry.key - private_key: /etc/pki/registry.key
- CN: {{ GLOBALS.manager }} - CN: {{ GLOBALS.manager }}
- days_remaining: 7 - days_remaining: 7
+1 -1
@@ -27,7 +27,7 @@ telegraf_crt:
x509.certificate_managed: x509.certificate_managed:
- name: /etc/pki/telegraf.crt - name: /etc/pki/telegraf.crt
- ca_server: {{ CA.server }} - ca_server: {{ CA.server }}
- signing_policy: general - signing_policy: influxdb
- private_key: /etc/pki/telegraf.key - private_key: /etc/pki/telegraf.key
- CN: {{ GLOBALS.hostname }} - CN: {{ GLOBALS.hostname }}
- subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }} - subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }}