encrypt kibana saved objects - https://github.com/Security-Onion-Solutions/securityonion/issues/6146

2025-12-06 01:02:46 +01:00 · 2021-11-09 16:41:25 -05:00
parent b6a1d7418e
commit 57c6e26634
6 changed files with 24 additions and 37 deletions
--- a/pillar/top.sls
+++ b/pillar/top.sls
@@ -24,6 +24,9 @@ base:
    - data.*
 {% if salt['file.file_exists']('/opt/so/saltstack/local/pillar/elasticsearch/auth.sls') %}
    - elasticsearch.auth
+{% endif %}
+{% if salt['file.file_exists']('/opt/so/saltstack/local/pillar/kibana/secrets.sls') %}
+    - kibana.secrets
 {% endif %}
    - secrets
    - global
@@ -43,6 +46,9 @@ base:
    - elasticsearch.eval
 {% if salt['file.file_exists']('/opt/so/saltstack/local/pillar/elasticsearch/auth.sls') %}
    - elasticsearch.auth
+{% endif %}
+{% if salt['file.file_exists']('/opt/so/saltstack/local/pillar/kibana/secrets.sls') %}
+    - kibana.secrets
 {% endif %}
    - global
    - minions.{{ grains.id }}
@@ -54,6 +60,9 @@ base:
    - elasticsearch.search
 {% if salt['file.file_exists']('/opt/so/saltstack/local/pillar/elasticsearch/auth.sls') %}
    - elasticsearch.auth
+{% endif %}
+{% if salt['file.file_exists']('/opt/so/saltstack/local/pillar/kibana/secrets.sls') %}
+    - kibana.secrets
 {% endif %}
    - data.*
    - zeeklogs
--- a/salt/kibana/defaults.yaml
+++ b/salt/kibana/defaults.yaml
@@ -30,4 +30,5 @@ kibana:
    xpack:
      ml:
        enabled: False
-
+      encryptedSavedObjects:
+        encryptionKey: {{ pillar['kibana']['secrets']['encryptedSavedObjects']['encryptionKey'] }}
--- a/salt/kibana/etc/kibana.yml
+++ b/salt/kibana/etc/kibana.yml
@@ -1,28 +0,0 @@
---
-# Default Kibana configuration from kibana-docker.
-{%- set ES = salt['pillar.get']('manager:mainip', '') -%}
-{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %}
-{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %}
-{%- set URLBASE = salt['pillar.get']('global:url_base') %}
-server.name: kibana
-server.host: "0"
-server.basePath: /kibana
-server.publicBaseUrl: https://{{ URLBASE }}/kibana
-elasticsearch.hosts: [ "https://{{ ES }}:9200" ]
-elasticsearch.ssl.verificationMode: none
-#kibana.index: ".kibana"
-{% if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %}
-elasticsearch.username: {{ ES_USER }}
-elasticsearch.password: {{ ES_PASS }}
-{% endif %}
-#xpack.monitoring.ui.container.elasticsearch.enabled: true
-elasticsearch.requestTimeout: 90000
-logging.dest: /var/log/kibana/kibana.log
-telemetry.enabled: false
-security.showInsecureClusterWarning: false
-{% if not salt['pillar.get']('elasticsearch:auth:enabled', False) %}
-xpack.security.authc.providers:
-  anonymous.anonymous1:
-    order: 0
-    credentials: "elasticsearch_anonymous_user" 
-{% endif %}
--- a/salt/kibana/init.sls
+++ b/salt/kibana/init.sls
@@ -101,14 +101,6 @@ append_so-kibana_so-status.conf:
    - name: /opt/so/conf/so-status/so-status.conf
    - text: so-kibana

-# Keep the setting correct
-#KibanaHappy:
-#  cmd.script:
-#    - shell: /bin/bash
-#    - runas: socore
-#    - source: salt://kibana/bin/keepkibanahappy.sh
-#    - template: jinja
-
 {% else %}

 {{sls}}_state_not_allowed:
--- a/salt/kibana/secrets.sls
+++ b/salt/kibana/secrets.sls
@@ -0,0 +1,12 @@
+{% set kibana_encryptedSavedObjects_encryptionKey = salt['pillar.get']('kibana:secrets:encryptedSavedObjects:encryptionKey', salt['random.get_str'](72)) %}
+
+kibana_secrets_pillar:
+  file.managed:
+    - name: /opt/so/saltstack/local/pillar/kibana/secrets.sls
+    - mode: 600
+    - reload_pillar: True
+    - contents: |
+        kibana:
+          secrets:
+            encryptedSavedObjects:
+              encryptionKey: {{ kibana_encryptedSavedObjects_encryptionKey }}
--- a/salt/manager/init.sls
+++ b/salt/manager/init.sls
@@ -22,6 +22,7 @@

 include:
  - elasticsearch.auth
+  - kibana.secrets
  - salt.minion

 socore_own_saltstack: