diff --git a/pillar/top.sls b/pillar/top.sls
index 3ee40b752..074a0a9d4 100644
--- a/pillar/top.sls
+++ b/pillar/top.sls
@@ -121,6 +121,7 @@ base:
 '*_heavynode':
 - elasticsearch.auth
 - soc_global
+ - redis.soc_redis
 - minions.{{ grains.id }}
 - minions.adv_{{ grains.id }}
@@ -137,6 +138,7 @@ base:
 {% if salt['file.file_exists']('/opt/so/saltstack/local/pillar/elasticsearch/auth.sls') %}
 - elasticsearch.auth
 {% endif %}
+ - redis.soc_redis
 - soc_global
 - adv_global
 - minions.{{ grains.id }}
@@ -149,6 +151,8 @@ base:
 {% if salt['file.file_exists']('/opt/so/saltstack/local/pillar/elasticsearch/auth.sls') %}
 - elasticsearch.auth
 {% endif %}
+ - redis.soc_redis
+ - redis.adv_redis
 - soc_global
 - adv_global
 - minions.{{ grains.id }}
diff --git a/salt/common/tools/sbin/so-redis-count b/salt/common/tools/sbin/so-redis-count
index e90e0754e..7f87b6a9f 100755
--- a/salt/common/tools/sbin/so-redis-count
+++ b/salt/common/tools/sbin/so-redis-count
@@ -4,9 +4,7 @@
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
-
-
+{%- set REDIS_PASS = salt['pillar.get']('redis:config:requirepass', '0') %}
 . /usr/sbin/so-common
-
-docker exec so-redis redis-cli llen logstash:unparsed
+docker exec so-redis /bin/sh -c "export REDISCLI_AUTH={{ REDIS_PASS }} && redis-cli llen logstash:unparsed"
\ No newline at end of file
diff --git a/salt/logstash/pipelines/config/so/0900_input_redis.conf.jinja b/salt/logstash/pipelines/config/so/0900_input_redis.conf.jinja
index 2d7a2d4fe..956bbbaa0 100644
--- a/salt/logstash/pipelines/config/so/0900_input_redis.conf.jinja
+++ b/salt/logstash/pipelines/config/so/0900_input_redis.conf.jinja
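Review bot: The new `redis.soc_redis` include sits after `soc_global` in the `'*_heavynode'` hunk but before `soc_global` in the other two hunks, and only the third hunk also adds `redis.adv_redis`. Salt generally lets a later include override an earlier one on conflicting keys, so if `soc_global` or the `adv_global` file ever carry `redis:` keys the heavynode list would resolve them differently from the other node types. Unless the asymmetry is intended, place the heavynode entry at the same position and decide explicitly whether `redis.adv_redis` belongs in the first two lists as well.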
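Review bot: The password is interpolated unquoted inside the double-quoted `sh -c` string on the new `docker exec` line, so a `requirepass` containing `$`, backticks, spaces or quotes is expanded or split by the container shell instead of being passed through; single-quote it, `export REDISCLI_AUTH='{{ REDIS_PASS }}'`, and apply the same quoting to the new `export REDISCLI_AUTH={{ REDIS_PASS }}` in salt/telegraf/scripts/redis.sh. The secret is also now part of the host-side `docker exec` argv, where it is visible in `ps` output and command auditing while the call runs, and it sits in plaintext in the rendered script, so the file mode set by whichever state manages this script (not visible here) is what keeps it from unprivileged local users. The `'0'` fallback also differs from the logstash templates in this commit, which use no default; a short comment saying why a missing pillar key should send a literal `AUTH 0` rather than fail the render would help the next reader, e.g. `# '0' keeps the command runnable when requirepass is unset; AUTH is then expected to fail`.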
@@ -1,9 +1,10 @@
-{% set THREADS = salt['pillar.get']('logstash_settings:ls_input_threads', '') -%}
-{% set BATCH = salt['pillar.get']('logstash_settings:ls_pipeline_batch_size', 125) -%}
-{% from 'logstash/map.jinja' import REDIS_NODES with context -%}
+{%- set THREADS = salt['pillar.get']('logstash_settings:ls_input_threads', '') %}
+{%- set BATCH = salt['pillar.get']('logstash_settings:ls_pipeline_batch_size', 125) %}
+{%- from 'logstash/map.jinja' import REDIS_NODES with context %}
+{%- set REDIS_PASS = salt['pillar.get']('redis:config:requirepass') %}
-{% for index in range(REDIS_NODES|length) -%}
-{% for host in REDIS_NODES[index] -%}
+{%- for index in range(REDIS_NODES|length) %}
+{%- for host in REDIS_NODES[index] %}
 input {
 redis {
 host => '{{ host }}'
@@ -14,6 +15,7 @@ input {
 type => 'redis-input'
 threads => {{ THREADS }}
 batch_count => {{ BATCH }}
+ password => {{ REDIS_PASS }}
 }
 }
 {% endfor %}
diff --git a/salt/logstash/pipelines/config/so/9999_output_redis.conf.jinja b/salt/logstash/pipelines/config/so/9999_output_redis.conf.jinja
index 68b5187f9..d16434148 100644
--- a/salt/logstash/pipelines/config/so/9999_output_redis.conf.jinja
+++ b/salt/logstash/pipelines/config/so/9999_output_redis.conf.jinja
@@ -4,6 +4,8 @@
 {%- set HOST = GLOBALS.manager %}
 {%- endif %}
 {%- set BATCH = salt['pillar.get']('logstash_settings:ls_pipeline_batch_size', 125) %}
+{%- set REDIS_PASS = salt['pillar.get']('redis:config:requirepass') %}
+
 output {
 redis {
 host => '{{ HOST }}'
@@ -14,5 +16,6 @@ output {
 congestion_threshold => 50000000
 batch => true
 batch_events => {{ BATCH }}
+ password => {{ REDIS_PASS }}
 }
 }
diff --git a/salt/redis/defaults.yaml b/salt/redis/defaults.yaml
index a0ff4e685..ede78ad6b 100644
--- a/salt/redis/defaults.yaml
+++ b/salt/redis/defaults.yaml
@@ -1,7 +1,7 @@
 redis:
 config:
 bind: '0.0.0.0'
- protected-mode: 'no'
+ protected-mode: 'yes'
 tls-cert-file: '/certs/redis.crt'
 tls-key-file: '/certs/redis.key'
 tls-ca-cert-file: '/certs/ca.crt'
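Review bot: `password => {{ REDIS_PASS }}` renders the secret as an unquoted token, unlike the neighbouring `host => '{{ host }}'`; the Logstash config grammar treats an unquoted value as a bareword or a number, so a password containing characters outside `[A-Za-z0-9_]`, or one starting with a digit, fails to parse or is coerced, and because this template gives `pillar.get` no default (so-redis-count uses `'0'`) a missing key renders `password =>` with no value at all. Quote it, `password => '{{ REDIS_PASS }}'`, and do the same in the 9999_output_redis.conf.jinja hunk in this commit. If an empty pillar value is possible on nodes that did not run the new `redis_pillar()` setup step, consider guarding the line with a Jinja `{% if REDIS_PASS %}` rather than emitting an empty password.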
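Review bot: Flipping `protected-mode` to `'yes'` while `bind` stays `'0.0.0.0'` does not by itself restrict remote clients: Redis protected mode only refuses non-loopback connections when no password is configured (and, depending on the Redis version, only when no `bind` is set either), so once `requirepass` is present it is a no-op and the password is the sole gate on the exposed listener. That is fine as defence in depth, but it deserves a comment so it is not later read as the access control, e.g. `# protected-mode only applies while requirepass is unset; access is gated by requirepass`. Note also that `requirepass` has no entry in this defaults file, so a minion without the setup-generated pillar renders the dependent templates with an empty value.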
diff --git a/salt/redis/soc_redis.yaml b/salt/redis/soc_redis.yaml
index 374b613b5..5f5ac3da5 100644
--- a/salt/redis/soc_redis.yaml
+++ b/salt/redis/soc_redis.yaml
@@ -10,6 +10,10 @@ redis:
 global: True
 advanced: True
 helpLink: redis.html
+ requirepass:
+ description: Password for accessing Redis.
+ global: True
+ sensitive: True
 tls-cert-file:
 description: TLS cert file location.
 global: True
diff --git a/salt/telegraf/scripts/redis.sh b/salt/telegraf/scripts/redis.sh
index f0c361037..c730885d4 100644
--- a/salt/telegraf/scripts/redis.sh
+++ b/salt/telegraf/scripts/redis.sh
@@ -4,9 +4,8 @@
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
-
-
-
+{%- set REDIS_PASS = salt['pillar.get']('redis:config:requirepass', '0') %}
+export REDISCLI_AUTH={{ REDIS_PASS }}
 # if this script isn't already running
 if [[ ! "`pidof -x $(basename $0) -o %PPID`" ]]; then
diff --git a/setup/so-functions b/setup/so-functions
index 7c1ed8895..fb6cb7c48 100755
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -1209,6 +1209,7 @@ generate_passwords(){
 GRAFANAPASS=$(get_random_value)
 SENSORONIKEY=$(get_random_value)
 KRATOSKEY=$(get_random_value)
+ REDISPASS=$(get_random_value)
 }
 generate_interface_vars() {
@@ -1503,7 +1504,10 @@ docker_pillar() {
 redis_pillar() {
 title "Create the redis pillar file"
 touch $adv_redis_pillar_file
- touch $redis_pillar_file
+ printf '%s\n'\
+ "redis:"\
+ " config:"\
+ " requirepass: '$REDISPASS'" > $redis_pillar_file
 }
 influxdb_pillar() {
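Review bot: The new `requirepass` entry omits the `helpLink: redis.html` that the sibling setting directly above carries, so the SOC UI will present this credential without the documentation link the other Redis settings have; add `helpLink: redis.html` unless that is deliberate. `sensitive: True` is the right flag for a secret. Since this commit also has Logstash and Telegraf read the same pillar key, the description could say so, e.g. `description: Password for accessing Redis. Logstash and Telegraf read this value when their configs are rendered, so rotate it here rather than in redis.conf.`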
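Review bot: `export REDISCLI_AUTH={{ REDIS_PASS }}` only takes effect for a `redis-cli` that runs in this script's own process tree; if the later invocations go through `docker exec so-redis redis-cli …`, as so-redis-count does in this same commit, the container does not inherit the host environment and the variable must be passed explicitly, e.g. `docker exec -e REDISCLI_AUTH="$REDISCLI_AUTH" so-redis redis-cli …`. The remainder of the script is outside this hunk, so I cannot confirm which form it uses. Like so-redis-count, the value should also be single-quoted so a password with shell metacharacters survives the assignment.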
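Review bot: `redis_pillar()` now writes a credential into `$redis_pillar_file`, but where the old `touch` created an empty file the new `printf` redirection creates it with whatever mode the umask yields, so the password may be group- or world-readable until pillar permissions are applied elsewhere; create it restrictively, for example by running the write under `( umask 077; printf … > "$redis_pillar_file" )` or adding `chmod 600 "$redis_pillar_file"` right after it. The value is wrapped in single quotes in the YAML, which is only safe if `get_random_value` (defined outside this hunk) never emits `'`; worth confirming its character set, and the same applies to the unquoted `{{ REDIS_PASS }}` interpolations elsewhere in this commit. Quoting `"$redis_pillar_file"` and `"$adv_redis_pillar_file"` would also match the rest of the function's intent should the path ever contain spaces.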