CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2026-06-09 11:56:23 +02:00
Code Issues Packages Projects Releases Wiki Activity

Hide telegraf password from console and close so-minion race

Browse Source 
Two fixes on the postgres telegraf fan-out path:

1. postgres.auth cmd.run leaked the password to the console because
   Salt always prints the Name: field and `show_changes: False` does
   not apply to cmd.run. Move the user and password into the `env:`
   attribute so the shell body still sees them via $PG_USER / $PG_PASS
   but Salt's state reporter never renders them.

2. so-minion's addMinion -> setupMinionFiles sequence removes the
   minion pillar file and rewrites it from scratch, which wipes the
   postgres.telegraf.* entries the reactor may have already written on
   salt-key accept. Add a postgres.auth fan-out step to
   orch.deploy_newnode (the orch so-minion kicks off after
   setupMinionFiles) and require it from the new minion's highstate.
   Idempotent via the existing unless: guard in postgres.auth.
This commit is contained in:
Mike Reeves
2026-04-21 15:10:57 -04:00
parent 81c0f2b464
commit 1abfd77351
2 changed files with 22 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files
salt/orch/deploy_newnode.sls
+17
View File
@@ -12,6 +12,21 @@
attempts: 36
interval: 5
# so-minion's setupMinionFiles rebuilds the new minion's pillar file from
# scratch, wiping any postgres.telegraf.* entries the reactor may have written
# on salt-key accept. Re-fan the cred here so the highstate below sees it.
# Idempotent via the unless: guard in postgres.auth.
manager_fanout_postgres_telegraf_{{NEWNODE}}:
salt.state:
- tgt: {{ MANAGER }}
- sls:
- postgres.auth
- queue: True
- pillar:
postgres_fanout_minion: {{ NEWNODE }}
- require:
- salt: {{NEWNODE}}_update_mine
# we need to prepare the manager for a new searchnode or heavynode
{% if NEWNODE.split('_')|last in ['searchnode', 'heavynode'] %}
manager_run_es_soc:
@@ -30,3 +45,5 @@ manager_run_es_soc:
- tgt: {{ NEWNODE }}
- highstate: True
- queue: True
- require:
- salt: manager_fanout_postgres_telegraf_{{NEWNODE}}
salt/postgres/auth.sls
+5 -2
View File
@@ -85,8 +85,11 @@ postgres_telegraf_minion_pillar_{{ safe }}:
chown socore:socore "$PILLAR_FILE" 2>/dev/null || true
chmod 640 "$PILLAR_FILE"
fi
/usr/sbin/so-yaml.py replace "$PILLAR_FILE" postgres.telegraf.user '{{ entry.user }}'
/usr/sbin/so-yaml.py replace "$PILLAR_FILE" postgres.telegraf.pass '{{ entry.pass }}'
/usr/sbin/so-yaml.py replace "$PILLAR_FILE" postgres.telegraf.user "$PG_USER"
/usr/sbin/so-yaml.py replace "$PILLAR_FILE" postgres.telegraf.pass "$PG_PASS"
- env:
- PG_USER: '{{ entry.user }}'
- PG_PASS: '{{ entry.pass }}'
- unless: |
[ "$(/usr/sbin/so-yaml.py get -r /opt/so/saltstack/local/pillar/minions/{{ mid }}.sls postgres.telegraf.user 2>/dev/null)" = '{{ entry.user }}' ]
- require: