add timeouts and retries to ca/ssl states

m0duspwnens
2021-01-28 11:40:31 -05:00
parent bfa6aabc4b
commit 0936dbdb1c
2 changed files with 75 additions and 0 deletions


@@ -42,6 +42,9 @@ pki_private_key:
- replace: False
- require:
- file: /etc/pki
- timeout: 60
- retry: 5
- interval: 30
x509_pem_entries:
module.run:
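Review bot: `- retry: 5` followed by a sibling `- interval: 30` in this hunk, and in every hunk of the second file, does not match Salt's documented `retry` form, which is a mapping under a single key. Indentation is lost on this page, but both lines carry their own list dash, so `interval` looks like a separate argument handed to the state function, and a non-mapping `retry` value most likely falls back to Salt's retry defaults instead of giving five attempts. I would write `- retry:` with `attempts: 5` and `interval: 30` nested beneath it. The `pki_private_key` state begins above the hunk, so it is also worth confirming there that `timeout` is an argument that state function actually accepts.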


@@ -67,6 +67,9 @@ removeesp12dir:
- prereq:
- x509: /etc/pki/influxdb.crt
{%- endif %}
- timeout: 60
- retry: 5
- interval: 30
# Create a cert for the talking to influxdb
/etc/pki/influxdb.crt:
@@ -82,6 +85,9 @@ removeesp12dir:
# https://github.com/saltstack/salt/issues/52167
# Will trigger 5 days (432000 sec) from cert expiration
- 'enddate=$(date -d "$(openssl x509 -in /etc/pki/influxdb.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]'
- timeout: 60
- retry: 5
- interval: 30
influxkeyperms:
file.managed:
@@ -104,6 +110,9 @@ influxkeyperms:
- prereq:
- x509: /etc/pki/redis.crt
{%- endif %}
- timeout: 60
- retry: 5
- interval: 30
/etc/pki/redis.crt:
x509.certificate_managed:
@@ -118,6 +127,9 @@ influxkeyperms:
# https://github.com/saltstack/salt/issues/52167
# Will trigger 5 days (432000 sec) from cert expiration
- 'enddate=$(date -d "$(openssl x509 -in /etc/pki/redis.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]'
- timeout: 60
- retry: 5
- interval: 30
rediskeyperms:
file.managed:
@@ -140,6 +152,9 @@ rediskeyperms:
- prereq:
- x509: /etc/pki/filebeat.crt
{%- endif %}
- timeout: 60
- retry: 5
- interval: 30
# Request a cert and drop it where it needs to go to be distributed
/etc/pki/filebeat.crt:
@@ -159,6 +174,9 @@ rediskeyperms:
# https://github.com/saltstack/salt/issues/52167
# Will trigger 5 days (432000 sec) from cert expiration
- 'enddate=$(date -d "$(openssl x509 -in /etc/pki/filebeat.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]'
- timeout: 60
- retry: 5
- interval: 30
cmd.run:
- name: "/usr/bin/openssl pkcs8 -in /etc/pki/filebeat.key -topk8 -out /etc/pki/filebeat.p8 -nocrypt"
- onchanges:
@@ -213,6 +231,9 @@ fbcrtlink:
- prereq:
- x509: /etc/pki/registry.crt
{%- endif %}
- timeout: 60
- retry: 5
- interval: 30
# Create a cert for the docker registry
/etc/pki/registry.crt:
@@ -228,6 +249,9 @@ fbcrtlink:
# https://github.com/saltstack/salt/issues/52167
# Will trigger 5 days (432000 sec) from cert expiration
- 'enddate=$(date -d "$(openssl x509 -in /etc/pki/registry.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]'
- timeout: 60
- retry: 5
- interval: 30
regkeyperms:
file.managed:
@@ -248,6 +272,9 @@ regkeyperms:
- prereq:
- x509: /etc/pki/minio.crt
{%- endif %}
- timeout: 60
- retry: 5
- interval: 30
# Create a cert for minio
/etc/pki/minio.crt:
@@ -263,6 +290,9 @@ regkeyperms:
# https://github.com/saltstack/salt/issues/52167
# Will trigger 5 days (432000 sec) from cert expiration
- 'enddate=$(date -d "$(openssl x509 -in /etc/pki/minio.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]'
- timeout: 60
- retry: 5
- interval: 30
miniokeyperms:
file.managed:
@@ -284,6 +314,9 @@ miniokeyperms:
- prereq:
- x509: /etc/pki/elasticsearch.crt
{%- endif %}
- timeout: 60
- retry: 5
- interval: 30
/etc/pki/elasticsearch.crt:
x509.certificate_managed:
@@ -298,6 +331,9 @@ miniokeyperms:
# https://github.com/saltstack/salt/issues/52167
# Will trigger 5 days (432000 sec) from cert expiration
- 'enddate=$(date -d "$(openssl x509 -in /etc/pki/elasticsearch.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]'
- timeout: 60
- retry: 5
- interval: 30
cmd.run:
- name: "/usr/bin/openssl pkcs12 -inkey /etc/pki/elasticsearch.key -in /etc/pki/elasticsearch.crt -export -out /etc/pki/elasticsearch.p12 -nodes -passout pass:"
- onchanges:
@@ -329,6 +365,9 @@ elasticp12perms:
- prereq:
- x509: /etc/pki/managerssl.crt
{%- endif %}
- timeout: 60
- retry: 5
- interval: 30
# Create a cert for the reverse proxy
/etc/pki/managerssl.crt:
@@ -345,6 +384,9 @@ elasticp12perms:
# https://github.com/saltstack/salt/issues/52167
# Will trigger 5 days (432000 sec) from cert expiration
- 'enddate=$(date -d "$(openssl x509 -in /etc/pki/managerssl.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]'
- timeout: 60
- retry: 5
- interval: 30
msslkeyperms:
file.managed:
@@ -366,6 +408,9 @@ msslkeyperms:
- prereq:
- x509: /etc/pki/fleet.crt
{%- endif %}
- timeout: 60
- retry: 5
- interval: 30
/etc/pki/fleet.crt:
x509.certificate_managed:
@@ -379,6 +424,9 @@ msslkeyperms:
# https://github.com/saltstack/salt/issues/52167
# Will trigger 5 days (432000 sec) from cert expiration
- 'enddate=$(date -d "$(openssl x509 -in /etc/pki/fleet.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]'
- timeout: 60
- retry: 5
- interval: 30
fleetkeyperms:
file.managed:
@@ -407,6 +455,9 @@ fbcertdir:
- prereq:
- x509: /opt/so/conf/filebeat/etc/pki/filebeat.crt
{%- endif %}
- timeout: 60
- retry: 5
- interval: 30
# Request a cert and drop it where it needs to go to be distributed
/opt/so/conf/filebeat/etc/pki/filebeat.crt:
@@ -426,6 +477,9 @@ fbcertdir:
# https://github.com/saltstack/salt/issues/52167
# Will trigger 5 days (432000 sec) from cert expiration
- 'enddate=$(date -d "$(openssl x509 -in /opt/so/conf/filebeat/etc/pki/filebeat.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]'
- timeout: 60
- retry: 5
- interval: 30
# Convert the key to pkcs#8 so logstash will work correctly.
filebeatpkcs:
@@ -465,6 +519,9 @@ chownfilebeatp8:
- prereq:
- x509: /etc/pki/managerssl.crt
{%- endif %}
- timeout: 60
- retry: 5
- interval: 30
# Create a cert for the reverse proxy
/etc/pki/managerssl.crt:
@@ -481,6 +538,9 @@ chownfilebeatp8:
# https://github.com/saltstack/salt/issues/52167
# Will trigger 5 days (432000 sec) from cert expiration
- 'enddate=$(date -d "$(openssl x509 -in /etc/pki/managerssl.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]'
- timeout: 60
- retry: 5
- interval: 30
msslkeyperms:
file.managed:
@@ -502,6 +562,9 @@ msslkeyperms:
- prereq:
- x509: /etc/pki/fleet.crt
{%- endif %}
- timeout: 60
- retry: 5
- interval: 30
/etc/pki/fleet.crt:
x509.certificate_managed:
@@ -515,6 +578,9 @@ msslkeyperms:
# https://github.com/saltstack/salt/issues/52167
# Will trigger 5 days (432000 sec) from cert expiration
- 'enddate=$(date -d "$(openssl x509 -in /etc/pki/fleet.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]'
- timeout: 60
- retry: 5
- interval: 30
fleetkeyperms:
file.managed:
@@ -539,6 +605,9 @@ fleetkeyperms:
- prereq:
- x509: /etc/pki/elasticsearch.crt
{%- endif %}
- timeout: 60
- retry: 5
- interval: 30
/etc/pki/elasticsearch.crt:
x509.certificate_managed:
@@ -553,6 +622,9 @@ fleetkeyperms:
# https://github.com/saltstack/salt/issues/52167
# Will trigger 5 days (432000 sec) from cert expiration
- 'enddate=$(date -d "$(openssl x509 -in /etc/pki/elasticsearch.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]'
- timeout: 60
- retry: 5
- interval: 30
cmd.run:
- name: "/usr/bin/openssl pkcs12 -inkey /etc/pki/elasticsearch.key -in /etc/pki/elasticsearch.crt -export -out /etc/pki/elasticsearch.p12 -nodes -passout pass:"
- onchanges:
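Review bot: The same three-line timeout/retry block is pasted 24 times in this file, so any later tuning has to touch every copy, and a missed one leaves a certificate state behaving differently from its neighbours. Defining the values once near the top, for example `{% set cert_retry_attempts = 5 %}` (name constructed here), and referencing them in each state would keep them in step. Half of the copies follow a `prereq` / `{%- endif %}` pair and so seem to land on the key states rather than the `x509.certificate_managed` ones. Those state headers are outside the hunks, so check that a retry is wanted there, since each repeated failure delays the run by roughly attempts × interval per state.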