From 7ebd861e322c7fae5efa75a701753ef7b6e5bbd9 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 10 Nov 2021 16:05:40 -0500 Subject: [PATCH 1/2] enable secureCookies, security.encryptionKey and reporting.encryptionKey - https://github.com/Security-Onion-Solutions/securityonion/issues/6146 --- salt/kibana/config.map.jinja | 6 ++++-- salt/kibana/defaults.yaml | 2 ++ salt/kibana/secrets.sls | 6 ++++++ 3 files changed, 12 insertions(+), 2 deletions(-) diff --git a/salt/kibana/config.map.jinja b/salt/kibana/config.map.jinja index 351ccdbe5..58f1fbf67 100644 --- a/salt/kibana/config.map.jinja +++ b/salt/kibana/config.map.jinja @@ -6,8 +6,10 @@ {% do KIBANACONFIG.kibana.config.xpack.update({'security': {'authc': {'providers': {'anonymous': {'anonymous1': {'order': 0, 'credentials': 'elasticsearch_anonymous_user'}}}}}}) %} {% endif %} -{% if salt['file.file_exists']('/opt/so/saltstack/local/pillar/kibana/secrets.sls') %} - {% do KIBANACONFIG.kibana.config.xpack.update({'encryptedSavedObjects': {'encryptionKey': pillar['kibana']['secrets']['encryptedSavedObjects']['encryptionKey'] }}) %} +{% if salt['pillar.get']('kibana:secrets') %} + {% do KIBANACONFIG.kibana.config.xpack.update({'encryptedSavedObjects': {'encryptionKey': pillar['kibana']['secrets']['encryptedSavedObjects']['encryptionKey']}}) %} + {% do KIBANACONFIG.kibana.config.xpack.security.update({'encryptionKey': pillar['kibana']['secrets']['security']['encryptionKey']}) %} + {% do KIBANACONFIG.kibana.config.xpack.update({'reporting': {'encryptionKey': pillar['kibana']['secrets']['reporting']['encryptionKey']}}) %} {% endif %} {% set KIBANACONFIG = salt['pillar.get']('kibana:config', default=KIBANACONFIG.kibana.config, merge=True) %} diff --git a/salt/kibana/defaults.yaml b/salt/kibana/defaults.yaml index feb49f654..58632907c 100644 --- a/salt/kibana/defaults.yaml +++ b/salt/kibana/defaults.yaml @@ -30,3 +30,5 @@ kibana: xpack: ml: enabled: False + security: + secureCookies: True diff --git a/salt/kibana/secrets.sls b/salt/kibana/secrets.sls index 8bc2c2cc4..a863f114b 100644 --- a/salt/kibana/secrets.sls +++ b/salt/kibana/secrets.sls @@ -2,6 +2,8 @@ {% if sls in allowed_states %} {% set kibana_encryptedSavedObjects_encryptionKey = salt['pillar.get']('kibana:secrets:encryptedSavedObjects:encryptionKey', salt['random.get_str'](72)) %} + {% set kibana_security_encryptionKey = salt['pillar.get']('kibana:secrets:security:encryptionKey', salt['random.get_str'](72)) %} + {% set kibana_reporting_encryptionKey = salt['pillar.get']('kibana:secrets:reporting:encryptionKey', salt['random.get_str'](72)) %} kibana_pillar_directory: file.directory: @@ -17,6 +19,10 @@ kibana_secrets_pillar: secrets: encryptedSavedObjects: encryptionKey: {{ kibana_encryptedSavedObjects_encryptionKey }} + security: + encryptionKey: {{ kibana_security_encryptionKey }} + reporting: + encryptionKey: {{ kibana_reporting_encryptionKey }} - show_changes: False {% else %} From 8da2133cffe1fa17aef2cc03dcdaa597b0b14386 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Thu, 11 Nov 2021 11:31:07 -0500 Subject: [PATCH 2/2] give kibana.secrets pillar to import node --- pillar/top.sls | 3 +++ 1 file changed, 3 insertions(+) diff --git a/pillar/top.sls b/pillar/top.sls index faf0387a6..5401b83e3 100644 --- a/pillar/top.sls +++ b/pillar/top.sls @@ -110,6 +110,9 @@ base: - elasticsearch.eval {% if salt['file.file_exists']('/opt/so/saltstack/local/pillar/elasticsearch/auth.sls') %} - elasticsearch.auth +{% endif %} +{% if salt['file.file_exists']('/opt/so/saltstack/local/pillar/kibana/secrets.sls') %} + - kibana.secrets {% endif %} - global - minions.{{ grains.id }}