CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-06 09:12:45 +01:00
Code Issues Packages Projects Releases Wiki Activity

Require either true | false in parameter to so-elastic-auth and ensure all minions are fully updated with the new auth setting

Browse Source
This commit is contained in:
Jason Ertel
2021-06-22 15:29:36 -04:00
parent 9fad0876c5
commit 26bb6cc011
2 changed files with 11 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files

22
salt/common/tools/sbin/so-elastic-auth
View File

@@ -22,7 +22,7 @@ fi
ES_AUTH_PILLAR=${ELASTIC_AUTH_PILLAR:-/opt/so/saltstack/local/pillar/elasticsearch/auth.sls} ES_AUTH_PILLAR=${ELASTIC_AUTH_PILLAR:-/opt/so/saltstack/local/pillar/elasticsearch/auth.sls}
ES_USERS_FILE=${ELASTIC_USERS_FILE:-/opt/so/saltstack/local/salt/elasticsearch/files/users} ES_USERS_FILE=${ELASTIC_USERS_FILE:-/opt/so/saltstack/local/salt/elasticsearch/files/users}
authEnable=${1:-true} authEnable=$1
if ! grep -q "enabled: " "$ES_AUTH_PILLAR"; then if ! grep -q "enabled: " "$ES_AUTH_PILLAR"; then
echo "Elastic auth pillar file is invalid. Unable to proceed." echo "Elastic auth pillar file is invalid. Unable to proceed."
@@ -30,17 +30,18 @@ if ! grep -q "enabled: " "$ES_AUTH_PILLAR"; then
fi fi
function restart() { function restart() {
so-elastic-stop if [[ -z "$ELASTIC_AUTH_SKIP_HIGHSTATE" ]]; then
salt-call state.highstate queue=True echo "Elasticsearch on all affected minions will now be stopped and then restarted..."
salt -C 'G@role:so-standalone or G@role:so-eval or G@role:so-import or G@role:so-manager or G@role:so-managersearch or G@role:so-node or G@role:so-heavynode' cmd.run so-elastic-stop
echo "Applying highstate to all affected minions..."
salt -C 'G@role:so-standalone or G@role:so-eval or G@role:so-import or G@role:so-manager or G@role:so-managersearch or G@role:so-node or G@role:so-heavynode' state.highstate queue=True
fi
} }
if [[ "$authEnable" == "true" ]]; then if [[ "$authEnable" == "true" ]]; then
if grep -q "enabled: False" "$ES_AUTH_PILLAR"; then if grep -q "enabled: False" "$ES_AUTH_PILLAR"; then
sed -i 's/enabled: False/enabled: True/g' "$ES_AUTH_PILLAR" sed -i 's/enabled: False/enabled: True/g' "$ES_AUTH_PILLAR"
if [[ -z "$ELASTIC_AUTH_SKIP_HIGHSTATE" ]]; then restart
echo "Applying highstate - this may take a few minutes..."
restart
fi
echo "Elastic auth is now enabled." echo "Elastic auth is now enabled."
if grep -q "argon" "$ES_USERS_FILE"; then if grep -q "argon" "$ES_USERS_FILE"; then
echo "" echo ""
@@ -53,10 +54,7 @@ if [[ "$authEnable" == "true" ]]; then
elif [[ "$authEnable" == "false" ]]; then elif [[ "$authEnable" == "false" ]]; then
if grep -q "enabled: True" "$ES_AUTH_PILLAR"; then if grep -q "enabled: True" "$ES_AUTH_PILLAR"; then
sed -i 's/enabled: True/enabled: False/g' "$ES_AUTH_PILLAR" sed -i 's/enabled: True/enabled: False/g' "$ES_AUTH_PILLAR"
if [[ -z "$ELASTIC_AUTH_SKIP_HIGHSTATE" ]]; then restart
echo "Applying highstate - this may take a few minutes..."
restart
fi
echo "Elastic auth is now disabled." echo "Elastic auth is now disabled."
else else
echo "Auth is already disabled." echo "Auth is already disabled."
@@ -64,6 +62,6 @@ elif [[ "$authEnable" == "false" ]]; then
else else
echo "Usage: $0 <true|false>" echo "Usage: $0 <true|false>"
echo "" echo ""
echo "Enables Elastic authentication. Defaults to true." echo "Toggles Elastic authentication. Elasticsearch will be restarted on each affected minion."
echo "" echo ""
fi fi

2
setup/so-setup
View File

@@ -753,7 +753,7 @@ echo "1" > /root/accept_changes
salt-call state.apply -l info manager >> $setup_log 2>&1 salt-call state.apply -l info manager >> $setup_log 2>&1
echo "Executing so-elastic-auth..." >> $setup_log 2>&1 echo "Executing so-elastic-auth..." >> $setup_log 2>&1
ELASTIC_AUTH_SKIP_HIGHSTATE=true bash /opt/so/saltstack/default/salt/common/tools/sbin/so-elastic-auth >> $setup_log 2>&1 ELASTIC_AUTH_SKIP_HIGHSTATE=true bash /opt/so/saltstack/default/salt/common/tools/sbin/so-elastic-auth true >> $setup_log 2>&1
echo "Finished so-elastic-auth..." >> $setup_log 2>&1 echo "Finished so-elastic-auth..." >> $setup_log 2>&1
fi fi