Merge pull request #9516 from Security-Onion-Solutions/mkr24

Add PW auth for Redis
2025-12-06 17:22:49 +01:00 · 2023-01-04 14:50:27 -05:00
parent 723362e685 275aead5b9
commit 2e53476a06
8 changed files with 28 additions and 14 deletions
--- a/pillar/top.sls
+++ b/pillar/top.sls
@@ -121,6 +121,7 @@ base:
  '*_heavynode':
    - elasticsearch.auth
    - soc_global
+    - redis.soc_redis
    - minions.{{ grains.id }}
    - minions.adv_{{ grains.id }}

@@ -137,6 +138,7 @@ base:
    {% if salt['file.file_exists']('/opt/so/saltstack/local/pillar/elasticsearch/auth.sls') %}
    - elasticsearch.auth
    {% endif %}
+    - redis.soc_redis
    - soc_global
    - adv_global
    - minions.{{ grains.id }}
@@ -149,6 +151,8 @@ base:
    {% if salt['file.file_exists']('/opt/so/saltstack/local/pillar/elasticsearch/auth.sls') %}
    - elasticsearch.auth
    {% endif %}
+    - redis.soc_redis
+    - redis.adv_redis
    - soc_global
    - adv_global
    - minions.{{ grains.id }}
--- a/salt/common/tools/sbin/so-redis-count
+++ b/salt/common/tools/sbin/so-redis-count
@@ -4,9 +4,7 @@
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
-
-
+{%- set REDIS_PASS = salt['pillar.get']('redis:config:requirepass', '0') %}

 . /usr/sbin/so-common
-
-docker exec so-redis redis-cli llen logstash:unparsed
+docker exec so-redis /bin/sh -c "export REDISCLI_AUTH={{ REDIS_PASS }} && redis-cli llen logstash:unparsed"
--- a/salt/logstash/pipelines/config/so/0900_input_redis.conf.jinja
+++ b/salt/logstash/pipelines/config/so/0900_input_redis.conf.jinja
@@ -1,9 +1,10 @@
-{% set THREADS = salt['pillar.get']('logstash_settings:ls_input_threads', '') -%}
-{% set BATCH = salt['pillar.get']('logstash_settings:ls_pipeline_batch_size', 125) -%}
-{% from 'logstash/map.jinja' import REDIS_NODES with context -%}
+{%- set THREADS = salt['pillar.get']('logstash_settings:ls_input_threads', '') %}
+{%- set BATCH = salt['pillar.get']('logstash_settings:ls_pipeline_batch_size', 125) %}
+{%- from 'logstash/map.jinja' import REDIS_NODES with context %}
+{%- set REDIS_PASS = salt['pillar.get']('redis:config:requirepass') %}

-{% for index in range(REDIS_NODES|length) -%}
-{%   for host in REDIS_NODES[index] -%}
+{%- for index in range(REDIS_NODES|length) %}
+{%-   for host in REDIS_NODES[index] %}
 input {
        redis {
                host => '{{ host }}'
@@ -14,6 +15,7 @@ input {
                type => 'redis-input'
                threads => {{ THREADS }}
                batch_count => {{ BATCH }}
+                password => {{ REDIS_PASS }}
        }
 }
 {%   endfor %}
--- a/salt/logstash/pipelines/config/so/9999_output_redis.conf.jinja
+++ b/salt/logstash/pipelines/config/so/9999_output_redis.conf.jinja
@@ -4,6 +4,8 @@
  {%- set HOST = GLOBALS.manager %}
 {%- endif %}
 {%- set BATCH = salt['pillar.get']('logstash_settings:ls_pipeline_batch_size', 125) %}
+{%- set REDIS_PASS = salt['pillar.get']('redis:config:requirepass') %}
+
 output {
 	redis {
 		host => '{{ HOST }}'
@@ -14,5 +16,6 @@ output {
 		congestion_threshold => 50000000
 		batch => true
 		batch_events => {{ BATCH }}
+		password => {{ REDIS_PASS }}
 	}
 }
--- a/salt/redis/defaults.yaml
+++ b/salt/redis/defaults.yaml
@@ -1,7 +1,7 @@
 redis:
  config:
    bind: '0.0.0.0'
-    protected-mode: 'no'
+    protected-mode: 'yes'
    tls-cert-file: '/certs/redis.crt'
    tls-key-file: '/certs/redis.key'
    tls-ca-cert-file: '/certs/ca.crt'
--- a/salt/redis/soc_redis.yaml
+++ b/salt/redis/soc_redis.yaml
@@ -10,6 +10,10 @@ redis:
      global: True
      advanced: True
      helpLink: redis.html
+    requirepass:
+      description: Password for accessing Redis.
+      global: True
+      sensitive: True
    tls-cert-file: 
      description: TLS cert file location.
      global: True
--- a/salt/telegraf/scripts/redis.sh
+++ b/salt/telegraf/scripts/redis.sh
@@ -4,9 +4,8 @@
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
-
-
-
+{%- set REDIS_PASS = salt['pillar.get']('redis:config:requirepass', '0') %}
+export REDISCLI_AUTH={{ REDIS_PASS }}
 # if this script isn't already running
 if [[ ! "`pidof -x $(basename $0) -o %PPID`" ]]; then

--- a/setup/so-functions
+++ b/setup/so-functions
@@ -1209,6 +1209,7 @@ generate_passwords(){
  GRAFANAPASS=$(get_random_value)
  SENSORONIKEY=$(get_random_value)
  KRATOSKEY=$(get_random_value)
+  REDISPASS=$(get_random_value)
 }

 generate_interface_vars() {
@@ -1503,7 +1504,10 @@ docker_pillar() {
 redis_pillar() {
 	title "Create the redis pillar file"
 	touch $adv_redis_pillar_file
-	touch $redis_pillar_file
+	printf '%s\n'\
+		"redis:"\
+		"  config:"\
+		"    requirepass: '$REDISPASS'" > $redis_pillar_file
 }

 influxdb_pillar() {