From 57c6e26634d25d1f7d661953925e4e3f7415611d Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Tue, 9 Nov 2021 16:41:25 -0500
Subject: [PATCH] encrypt kibana saved objects - https://github.com/Security-Onion-Solutions/securityonion/issues/6146
---
 pillar/top.sls | 9 +++++++++
 salt/kibana/defaults.yaml | 3 ++-
 salt/kibana/etc/kibana.yml | 28 ----------------------------
 salt/kibana/init.sls | 8 --------
 salt/kibana/secrets.sls | 12 ++++++++++++
 salt/manager/init.sls | 1 +
 6 files changed, 24 insertions(+), 37 deletions(-)
 delete mode 100644 salt/kibana/etc/kibana.yml
 create mode 100644 salt/kibana/secrets.sls
diff --git a/pillar/top.sls b/pillar/top.sls
index cb170c0af..faf0387a6 100644
--- a/pillar/top.sls
+++ b/pillar/top.sls
@@ -24,6 +24,9 @@ base:
 - data.*
 {% if salt['file.file_exists']('/opt/so/saltstack/local/pillar/elasticsearch/auth.sls') %}
 - elasticsearch.auth
+{% endif %}
+{% if salt['file.file_exists']('/opt/so/saltstack/local/pillar/kibana/secrets.sls') %}
+ - kibana.secrets
 {% endif %}
 - secrets
 - global
@@ -43,6 +46,9 @@ base:
 - elasticsearch.eval
 {% if salt['file.file_exists']('/opt/so/saltstack/local/pillar/elasticsearch/auth.sls') %}
 - elasticsearch.auth
+{% endif %}
+{% if salt['file.file_exists']('/opt/so/saltstack/local/pillar/kibana/secrets.sls') %}
+ - kibana.secrets
 {% endif %}
 - global
 - minions.{{ grains.id }}
@@ -54,6 +60,9 @@ base:
 - elasticsearch.search
 {% if salt['file.file_exists']('/opt/so/saltstack/local/pillar/elasticsearch/auth.sls') %}
 - elasticsearch.auth
+{% endif %}
+{% if salt['file.file_exists']('/opt/so/saltstack/local/pillar/kibana/secrets.sls') %}
+ - kibana.secrets
 {% endif %}
 - data.*
 - zeeklogs
diff --git a/salt/kibana/defaults.yaml b/salt/kibana/defaults.yaml
index 55409ae2f..959be6a34 100644
--- a/salt/kibana/defaults.yaml
+++ b/salt/kibana/defaults.yaml
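Review bot: The `kibana.secrets` pillar added in pillar/top.sls at `@@ -24,6 +24,9 @@` (and again at `@@ -43,6 +46,9 @@` and `@@ -54,6 +60,9 @@`) carries the saved-objects encryption key, and Salt delivers a pillar to every minion that the enclosing top-file block matches. The target expressions of these three blocks are outside the hunks, so confirm that each one matches only nodes that render the Kibana configuration. The third block also lists `elasticsearch.search` and `zeeklogs`, which may indicate a node type that does not run Kibana. A comment above each new conditional, such as `# kibana.secrets holds the encryptedSavedObjects key; include only where Kibana runs`, would record the intent.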
@@ -30,4 +30,5 @@ kibana:
 xpack:
 ml:
 enabled: False
-
+ encryptedSavedObjects:
+ encryptionKey: {{ pillar['kibana']['secrets']['encryptedSavedObjects']['encryptionKey'] }}
diff --git a/salt/kibana/etc/kibana.yml b/salt/kibana/etc/kibana.yml
deleted file mode 100644
index 2819f301d..000000000
--- a/salt/kibana/etc/kibana.yml
+++ /dev/null
@@ -1,28 +0,0 @@
----
-# Default Kibana configuration from kibana-docker.
-{%- set ES = salt['pillar.get']('manager:mainip', '') -%}
-{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %}
-{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %}
-{%- set URLBASE = salt['pillar.get']('global:url_base') %}
-server.name: kibana
-server.host: "0"
-server.basePath: /kibana
-server.publicBaseUrl: https://{{ URLBASE }}/kibana
-elasticsearch.hosts: [ "https://{{ ES }}:9200" ]
-elasticsearch.ssl.verificationMode: none
-#kibana.index: ".kibana"
-{% if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %}
-elasticsearch.username: {{ ES_USER }}
-elasticsearch.password: {{ ES_PASS }}
-{% endif %}
-#xpack.monitoring.ui.container.elasticsearch.enabled: true
-elasticsearch.requestTimeout: 90000
-logging.dest: /var/log/kibana/kibana.log
-telemetry.enabled: false
-security.showInsecureClusterWarning: false
-{% if not salt['pillar.get']('elasticsearch:auth:enabled', False) %}
-xpack.security.authc.providers:
- anonymous.anonymous1:
- order: 0
- credentials: "elasticsearch_anonymous_user"
-{% endif %}
diff --git a/salt/kibana/init.sls b/salt/kibana/init.sls
index 8e921bdbd..ff88b731a 100644
--- a/salt/kibana/init.sls
+++ b/salt/kibana/init.sls
@@ -101,14 +101,6 @@ append_so-kibana_so-status.conf:
 - name: /opt/so/conf/so-status/so-status.conf
 - text: so-kibana
-# Keep the setting correct
-#KibanaHappy:
-# cmd.script:
-# - shell: /bin/bash
-# - runas: socore
-# - source: salt://kibana/bin/keepkibanahappy.sh
-# - template: jinja
-
 {% else %}
 {{sls}}_state_not_allowed:
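Review bot: In salt/kibana/defaults.yaml the new `encryptionKey:` value is rendered unquoted, so a key containing YAML-significant characters (a leading `*`, `&` or `{`, or an embedded ` #` or `: `) would be truncated, retyped or fail to parse. Whether `random.get_str` can emit such characters depends on the Salt version in use, so quote it regardless: `encryptionKey: {{ pillar['kibana']['secrets']['encryptedSavedObjects']['encryptionKey'] | yaml_dquote }}`. The same unquoted rendering appears in the `contents` block of salt/kibana/secrets.sls. The direct `pillar[...]` subscript also makes this file fail to render until the pillar exists, which the conditional include in pillar/top.sls permits on a first run; a comment stating that `kibana.secrets` must have been applied first would help. The enclosing `kibana:` mapping starts outside the hunk.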
diff --git a/salt/kibana/secrets.sls b/salt/kibana/secrets.sls
new file mode 100644
index 000000000..6815ebda3
--- /dev/null
+++ b/salt/kibana/secrets.sls
@@ -0,0 +1,12 @@
+{% set kibana_encryptedSavedObjects_encryptionKey = salt['pillar.get']('kibana:secrets:encryptedSavedObjects:encryptionKey', salt['random.get_str'](72)) %}
+
+kibana_secrets_pillar:
+ file.managed:
+ - name: /opt/so/saltstack/local/pillar/kibana/secrets.sls
+ - mode: 600
+ - reload_pillar: True
+ - contents: |
+ kibana:
+ secrets:
+ encryptedSavedObjects:
+ encryptionKey: {{ kibana_encryptedSavedObjects_encryptionKey }}
diff --git a/salt/manager/init.sls b/salt/manager/init.sls
index 4a3769e1e..358a3b769 100644
--- a/salt/manager/init.sls
+++ b/salt/manager/init.sls
@@ -22,6 +22,7 @@ include:
 - elasticsearch.auth
+ - kibana.secrets
 - salt.minion
 socore_own_saltstack:
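Review bot: In salt/kibana/secrets.sls the `kibana_secrets_pillar` state regenerates the key with `random.get_str` on any run where the `pillar.get` lookup returns nothing, for example on a minion whose top-file block does not include `kibana.secrets`. That overwrites the stored key and leaves previously encrypted saved objects unreadable; adding `- replace: False` keeps an existing file while still enforcing its mode. When the content does change, `file.managed` reports a unified diff by default, which puts the old and new key into the state return and job cache; add `- show_changes: False`. Unless the `pillar/kibana` directory is created elsewhere, the state also needs `- makedirs: True`.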