From 451a4784a1d21b63cfe0e27466dc7a0f7acd5e4e Mon Sep 17 00:00:00 2001
From: Corey Ogburn
Date: Fri, 2 Jun 2023 13:12:37 -0600
Subject: [PATCH] send-file and import-file security

Encrypt the file with a passphrase before sending and decrypt the file with the same passphrase before importing.
---
 salt/soc/files/bin/salt-relay.sh | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)

diff --git a/salt/soc/files/bin/salt-relay.sh b/salt/soc/files/bin/salt-relay.sh
index d15b3ee22..313a21141 100755
--- a/salt/soc/files/bin/salt-relay.sh
+++ b/salt/soc/files/bin/salt-relay.sh
@@ -184,9 +184,17 @@ function send_file() {
 log "Node: $node"
 log "Cleanup: $cleanup"
 
- response=$($CMD_PREFIX salt-cp -C "$node" "$from" "$to")
+ log "encrypting..."
+ gpg --passphrase "infected" --batch --symmetric --cipher-algo AES256 "$from"
+
+ fromgpg="$from.gpg"
+
+ log "sending..."
+ response=$($CMD_PREFIX salt-cp -C "$node" "$fromgpg" "$to")
 exit_code=$?
 
+ rm -f "$fromgpg"
+
 log Response:$'\n'"$response"
 log "Exit Code: $exit_code"
 
@@ -211,6 +219,12 @@ function import_file() {
 log "File: $file"
 log "Importer: $importer"
 
+ filegpg="$file.gpg"
+
+ log "decrypting..."
+ gpg --passphrase "infected" --batch --decrypt "$filegpg" > "$file"
+
+ log "importing..."
 case $importer in
 pcap)
 response=$($CMD_PREFIX "salt '$node' cmd.run 'so-import-pcap $file'")
@@ -226,7 +240,7 @@ function import_file() {
 ;;
 esac
 
- rm "$file"
+ rm "$file" "$filegpg"
 
 log Response:$'\n'"$response"
 log "Exit Code: $exit_code"
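Review bot: The passphrase on the added `gpg` line is a fixed string passed with `--passphrase`, so it is readable in the script and in the process argument list and gives the copied file no confidentiality. If the aim is only to keep the payload inert while `salt-cp` moves it (my reading, not stated in the commit), a comment such as `# not a secret: encryption only keeps the file inert in transit` would stop readers treating it as access control. The exit status of `gpg` is also never tested, so a failed encryption, or a stale `$from.gpg` left by an earlier run that gpg may refuse to overwrite in batch mode, still reaches `salt-cp`. I would assign `fromgpg` first, call `gpg --batch --yes --passphrase "infected" --symmetric --cipher-algo AES256 --output "$fromgpg" "$from"`, and skip the copy when it returns non-zero. send_file begins and ends outside the hunk, so the bail-out should follow whatever error path the function already uses.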
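Review bot: The added `gpg --decrypt` runs on the host executing salt-relay.sh, while the importer a few lines below is dispatched with `salt '$node' cmd.run`. Unless the relay always runs on the target node, the plaintext `$file` is written on a different machine from the one that imports it, and the `rm "$file" "$filegpg"` in the last hunk has the same locality. send_file also copies the encrypted file to `$to` unchanged, so `$file.gpg` exists on the node only if callers already pass a `.gpg` destination, which is not visible here. The status of `gpg` is not checked and the `>` redirection creates `$file` even when decryption fails, so the importer can run on an empty file; `gpg --batch --yes --passphrase "infected" --output "$file" --decrypt "$filegpg"` followed by a status check avoids that. import_file begins and ends outside the hunk.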