From 831300b540e3584a543ca2c29ee2c77864642cf8 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Wed, 4 Jan 2023 11:02:40 -0500
Subject: [PATCH 1/6] Require password auth for redis access

---
 pillar/top.sls | 4 ++++
 .../pipelines/config/so/0900_input_redis.conf.jinja | 12 +++++++-----
 .../pipelines/config/so/9999_output_redis.conf.jinja | 3 +++
 salt/redis/defaults.yaml | 2 +-
 salt/redis/soc_redis.yaml | 4 ++++
 setup/so-functions | 6 +++++-
 6 files changed, 24 insertions(+), 7 deletions(-)

diff --git a/pillar/top.sls b/pillar/top.sls
index 1e684c682..345f7a689 100644
--- a/pillar/top.sls
+++ b/pillar/top.sls
@@ -120,6 +120,7 @@ base:
 '*_heavynode':
 - elasticsearch.auth
 - soc_global
+ - redis.soc_redis
 - minions.{{ grains.id }}
 - minions.adv_{{ grains.id }}
@@ -136,6 +137,7 @@ base:
 {% if salt['file.file_exists']('/opt/so/saltstack/local/pillar/elasticsearch/auth.sls') %}
 - elasticsearch.auth
 {% endif %}
+ - redis.soc_redis
 - soc_global
 - adv_global
 - minions.{{ grains.id }}
@@ -148,6 +150,8 @@ base:
 {% if salt['file.file_exists']('/opt/so/saltstack/local/pillar/elasticsearch/auth.sls') %}
 - elasticsearch.auth
 {% endif %}
+ - redis.soc_redis
+ - redis.adv_redis
 - soc_global
 - adv_global
 - minions.{{ grains.id }}
diff --git a/salt/logstash/pipelines/config/so/0900_input_redis.conf.jinja b/salt/logstash/pipelines/config/so/0900_input_redis.conf.jinja
index 2d7a2d4fe..956bbbaa0 100644
--- a/salt/logstash/pipelines/config/so/0900_input_redis.conf.jinja
+++ b/salt/logstash/pipelines/config/so/0900_input_redis.conf.jinja
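Review bot: The position of `redis.soc_redis` relative to `soc_global` differs between the three top.sls hunks: in the `'*_heavynode'` hunk it is listed after `soc_global`, in the other two it is listed before. Pillar include order determines which source wins when keys collide, so if both files can carry `redis:` keys the heavynode target would resolve them differently from the others; if that is not intended, move the line above `- soc_global` in the first hunk as well. The third hunk also adds `redis.adv_redis` while the first two do not, which may be deliberate but is worth a one-line comment in the top file stating which node roles are expected to carry the advanced redis pillar.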
@@ -1,9 +1,10 @@
-{% set THREADS = salt['pillar.get']('logstash_settings:ls_input_threads', '') -%}
-{% set BATCH = salt['pillar.get']('logstash_settings:ls_pipeline_batch_size', 125) -%}
-{% from 'logstash/map.jinja' import REDIS_NODES with context -%}
+{%- set THREADS = salt['pillar.get']('logstash_settings:ls_input_threads', '') %}
+{%- set BATCH = salt['pillar.get']('logstash_settings:ls_pipeline_batch_size', 125) %}
+{%- from 'logstash/map.jinja' import REDIS_NODES with context %}
+{%- set REDIS_PASS = salt['pillar.get']('redis:config:requirepass') %}
-{% for index in range(REDIS_NODES|length) -%}
-{% for host in REDIS_NODES[index] -%}
+{%- for index in range(REDIS_NODES|length) %}
+{%- for host in REDIS_NODES[index] %}
 input {
 redis {
 host => '{{ host }}'
@@ -14,6 +15,7 @@ input {
 type => 'redis-input'
 threads => {{ THREADS }}
 batch_count => {{ BATCH }}
+ password => {{ REDIS_PASS }}
 }
 }
 {% endfor %}
diff --git a/salt/logstash/pipelines/config/so/9999_output_redis.conf.jinja b/salt/logstash/pipelines/config/so/9999_output_redis.conf.jinja
index 68b5187f9..d16434148 100644
--- a/salt/logstash/pipelines/config/so/9999_output_redis.conf.jinja
+++ b/salt/logstash/pipelines/config/so/9999_output_redis.conf.jinja
@@ -4,6 +4,8 @@
 {%- set HOST = GLOBALS.manager %}
 {%- endif %}
 {%- set BATCH = salt['pillar.get']('logstash_settings:ls_pipeline_batch_size', 125) %}
+{%- set REDIS_PASS = salt['pillar.get']('redis:config:requirepass') %}
+
 output {
 redis {
 host => '{{ HOST }}'
@@ -14,5 +16,6 @@ output {
 congestion_threshold => 50000000
 batch => true
 batch_events => {{ BATCH }}
+ password => {{ REDIS_PASS }}
 }
 }
diff --git a/salt/redis/defaults.yaml b/salt/redis/defaults.yaml
index 252082901..bd1fc74f5 100644
--- a/salt/redis/defaults.yaml
+++ b/salt/redis/defaults.yaml
@@ -1,7 +1,7 @@
 redis:
 config:
 bind: '0.0.0.0'
- protected-mode: 'no'
+ protected-mode: 'yes'
 tls-cert-file: '/certs/redis.crt'
 tls-key-file: '/certs/redis.key'
 tls-ca-cert-file: '/certs/ca.crt'
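Review bot: The new `password => {{ REDIS_PASS }}` line in the `@@ -14,6 +15,7 @@` hunk of 0900_input_redis.conf.jinja renders the secret unquoted, while the neighbouring `host => '{{ host }}'` in the same file is quoted; a generated value that starts with a digit or contains non-word characters would then fail Logstash config parsing rather than authenticate. Quote it like the host, `password => '{{ REDIS_PASS }}'`, and do the same in the `@@ -14,5 +16,6 @@` hunk of 9999_output_redis.conf.jinja. The `salt['pillar.get']('redis:config:requirepass')` in the first hunk of each file has no default, so on a minion whose top.sls target does not include `redis.soc_redis` the line appears to render as an empty `password =>`, which is a parse failure rather than a clear error; a short comment stating that the pillar must be present, or an explicit `{% if REDIS_PASS %}` guard, would make that expectation visible.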
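Review bot: Flipping `protected-mode` to `'yes'` in the defaults.yaml hunk does not by itself restrict access here, because Redis only applies protected mode when neither an explicit `bind` nor a password is configured, and this file keeps `bind: '0.0.0.0'` while the series adds `requirepass`. The effective access control therefore comes from `requirepass`, not from this line; a comment such as `# protected-mode has no effect with an explicit bind; access is gated by requirepass` next to the setting would keep a future reader from relying on it. The same hunk leaves the rest of the block unchanged, so the observation applies only to this one key.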
diff --git a/salt/redis/soc_redis.yaml b/salt/redis/soc_redis.yaml
index dad76bf80..13186ca6f 100644
--- a/salt/redis/soc_redis.yaml
+++ b/salt/redis/soc_redis.yaml
@@ -10,6 +10,10 @@ redis:
 global: True
 advanced: True
 helpLink: redis.html
+ requirepass:
+ description: Password for accessing Redis.
+ global: True
+ sensitive: True
 tls-cert-file:
 description: TLS cert file location.
 global: True
diff --git a/setup/so-functions b/setup/so-functions
index 4f6af0e7c..8545a4c6f 100755
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -1209,6 +1209,7 @@ generate_passwords(){
 GRAFANAPASS=$(get_random_value)
 SENSORONIKEY=$(get_random_value)
 KRATOSKEY=$(get_random_value)
+ REDISPASS=$(get_random_value)
 }
 generate_interface_vars() {
@@ -1496,7 +1497,10 @@ docker_pillar() {
 redis_pillar() {
 title "Create the redis pillar file"
 touch $adv_redis_pillar_file
- touch $redis_pillar_file
+ printf '%s\n'\
+ "redis:"\
+ " config:"\
+ " requirepass: '$REDISPASS'" > $redis_pillar_file
 }
 influxdb_pillar() {
From 48a3f4e2619fa08b30a57587ec8c143f0ae53d81 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Wed, 4 Jan 2023 14:14:10 -0500
Subject: [PATCH 2/6] Allow auth for redis check for tgraf

---
 salt/telegraf/scripts/redis.sh | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/salt/telegraf/scripts/redis.sh b/salt/telegraf/scripts/redis.sh
index f0c361037..3dffa21d6 100644
--- a/salt/telegraf/scripts/redis.sh
+++ b/salt/telegraf/scripts/redis.sh
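Review bot: In the `redis_pillar()` hunk of setup/so-functions the `printf ... > $redis_pillar_file` redirection creates the pillar file with whatever the caller's umask allows, and that file now contains the Redis password in clear text, whereas the removed `touch` never held a secret. Unless the enclosing directory or a later state already restricts it, create the file with an explicit mode before writing, e.g. `install -m 600 /dev/null "$redis_pillar_file"` ahead of the `printf`, and quote `"$redis_pillar_file"` on the redirection. The YAML line `requirepass: '$REDISPASS'` also depends on `get_random_value` never emitting a single quote; that helper is not in the hunk, so either confirm its character set or note the assumption in a comment on the line.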
@@ -4,14 +4,13 @@
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
-
-
+{%- set REDIS_PASS = salt['pillar.get']('redis:config:requirepass', '0') %}
 # if this script isn't already running
 if [[ ! "`pidof -x $(basename $0) -o %PPID`" ]]; then
- UNPARSED=$(redis-cli llen logstash:unparsed | awk '{print $1}')
- PARSED=$(redis-cli llen logstash:parsed | awk '{print $1}')
+ UNPARSED=$(redis-cli -a {{ REDIS_PASS }} llen logstash:unparsed | awk '{print $1}')
+ PARSED=$(redis-cli -a {{ REDIS_PASS }} llen logstash:parsed | awk '{print $1}')
 echo "redisqueue unparsed=$UNPARSED,parsed=$PARSED"
From 9bc08661c5031e0e480791c0dc4349722ac9df25 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Wed, 4 Jan 2023 14:15:53 -0500
Subject: [PATCH 3/6] Allow auth for redis check for tgraf

---
 salt/common/tools/sbin/so-redis-count | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/salt/common/tools/sbin/so-redis-count b/salt/common/tools/sbin/so-redis-count
index e90e0754e..e37526013 100755
--- a/salt/common/tools/sbin/so-redis-count
+++ b/salt/common/tools/sbin/so-redis-count
@@ -4,9 +4,8 @@
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
-
-
+{%- set REDIS_PASS = salt['pillar.get']('redis:config:requirepass', '0') %}
 . /usr/sbin/so-common
-docker exec so-redis redis-cli llen logstash:unparsed
+docker exec so-redis redis-cli -a {{ REDIS_PASS }} llen logstash:unparsed
From 5afad52b3f051590a89b74ddb38cee3c220667f9 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Wed, 4 Jan 2023 14:18:08 -0500
Subject: [PATCH 4/6] Allow auth for redis check for tgraf

---
 salt/common/tools/sbin/so-redis-count | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/salt/common/tools/sbin/so-redis-count b/salt/common/tools/sbin/so-redis-count
index e37526013..787c1b7e6 100755
--- a/salt/common/tools/sbin/so-redis-count
+++ b/salt/common/tools/sbin/so-redis-count
@@ -7,5 +7,5 @@
 {%- set REDIS_PASS = salt['pillar.get']('redis:config:requirepass', '0') %}
 . /usr/sbin/so-common
-
-docker exec so-redis redis-cli -a {{ REDIS_PASS }} llen logstash:unparsed
+REDISCLI_AUTH={{ REDIS_PASS }}
+docker exec so-redis redis-cli llen logstash:unparsed
From e52b54720ac7508ca4bd9b88adefb31142c2c858 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Wed, 4 Jan 2023 14:26:24 -0500
Subject: [PATCH 5/6] Allow auth for redis check for tgraf

---
 salt/common/tools/sbin/so-redis-count | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/salt/common/tools/sbin/so-redis-count b/salt/common/tools/sbin/so-redis-count
index 787c1b7e6..7f87b6a9f 100755
--- a/salt/common/tools/sbin/so-redis-count
+++ b/salt/common/tools/sbin/so-redis-count
@@ -7,5 +7,4 @@
 {%- set REDIS_PASS = salt['pillar.get']('redis:config:requirepass', '0') %}
 . /usr/sbin/so-common
-REDISCLI_AUTH={{ REDIS_PASS }}
-docker exec so-redis redis-cli llen logstash:unparsed
+docker exec so-redis /bin/sh -c "export REDISCLI_AUTH={{ REDIS_PASS }} && redis-cli llen logstash:unparsed"
\ No newline at end of file
From 275aead5b9a07e1a85e7c0def8768c5249c115af Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Wed, 4 Jan 2023 14:30:28 -0500
Subject: [PATCH 6/6] Allow auth for redis check for tgraf

---
 salt/telegraf/scripts/redis.sh | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/salt/telegraf/scripts/redis.sh b/salt/telegraf/scripts/redis.sh
index 3dffa21d6..c730885d4 100644
--- a/salt/telegraf/scripts/redis.sh
+++ b/salt/telegraf/scripts/redis.sh
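Review bot: The PATCH 5/6 hunk of so-redis-count moves the password into the argument string of `/bin/sh -c "export REDISCLI_AUTH={{ REDIS_PASS }} && ..."`, so it is still visible in the command line of the `docker exec` process on the host and of the shell inside the container, which is the exposure that dropping `redis-cli -a` in the earlier patches was meant to remove. Passing it through the environment instead keeps it out of argv: `export REDISCLI_AUTH='{{ REDIS_PASS }}'` followed by `docker exec -e REDISCLI_AUTH so-redis redis-cli llen logstash:unparsed`, where the bare variable name makes `docker exec` take the value from the caller's environment. The same hunk also leaves the file without a trailing newline (`\ No newline at end of file`), which is worth restoring while touching the line.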
@@ -5,12 +5,12 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set REDIS_PASS = salt['pillar.get']('redis:config:requirepass', '0') %}
-
+export REDISCLI_AUTH={{ REDIS_PASS }}
 # if this script isn't already running
 if [[ ! "`pidof -x $(basename $0) -o %PPID`" ]]; then
- UNPARSED=$(redis-cli -a {{ REDIS_PASS }} llen logstash:unparsed | awk '{print $1}')
- PARSED=$(redis-cli -a {{ REDIS_PASS }} llen logstash:parsed | awk '{print $1}')
+ UNPARSED=$(redis-cli llen logstash:unparsed | awk '{print $1}')
+ PARSED=$(redis-cli llen logstash:parsed | awk '{print $1}')
 echo "redisqueue unparsed=$UNPARSED,parsed=$PARSED"
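Review bot: The added `export REDISCLI_AUTH={{ REDIS_PASS }}` in the telegraf redis.sh hunk substitutes the secret into shell source unquoted, so any whitespace or shell-special character in the generated value changes the meaning of the line instead of being passed verbatim; write it as `export REDISCLI_AUTH='{{ REDIS_PASS }}'`. Because the variable is exported at the top of the script, every child process, including the `awk` pipelines below, inherits it, though that is a smaller concern than the argv exposure this patch removes. The rendered script now carries the password on disk, so the Salt state that deploys it (not shown here) should set a restrictive file mode; a comment such as `# contains the redis password; keep file mode restrictive` above the export would record that requirement next to the line that creates it.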