encrypt kibana saved objects - https://github.com/Security-Onion-Solutions/securityonion/issues/6146

2025-12-06 17:22:49 +01:00 · 2021-11-09 16:41:25 -05:00
parent b6a1d7418e
commit 57c6e26634
6 changed files with 24 additions and 37 deletions
--- a/pillar/top.sls
+++ b/pillar/top.sls
@@ -24,6 +24,9 @@ base:
    - data.*
 {% if salt['file.file_exists']('/opt/so/saltstack/local/pillar/elasticsearch/auth.sls') %}
    - elasticsearch.auth
 {% endif %}
 {% if salt['file.file_exists']('/opt/so/saltstack/local/pillar/kibana/secrets.sls') %}
    - kibana.secrets
 {% endif %}
    - secrets
    - global
@@ -43,6 +46,9 @@ base:
    - elasticsearch.eval
 {% if salt['file.file_exists']('/opt/so/saltstack/local/pillar/elasticsearch/auth.sls') %}
    - elasticsearch.auth
 {% endif %}
 {% if salt['file.file_exists']('/opt/so/saltstack/local/pillar/kibana/secrets.sls') %}
    - kibana.secrets
 {% endif %}
    - global
    - minions.{{ grains.id }}
@@ -54,6 +60,9 @@ base:
    - elasticsearch.search
 {% if salt['file.file_exists']('/opt/so/saltstack/local/pillar/elasticsearch/auth.sls') %}
    - elasticsearch.auth
 {% endif %}
 {% if salt['file.file_exists']('/opt/so/saltstack/local/pillar/kibana/secrets.sls') %}
    - kibana.secrets
 {% endif %}
    - data.*
    - zeeklogs
--- a/salt/kibana/defaults.yaml
+++ b/salt/kibana/defaults.yaml
@@ -30,4 +30,5 @@ kibana:
    xpack:
      ml:
        enabled: False
-
+      encryptedSavedObjects:
        encryptionKey: {{ pillar['kibana']['secrets']['encryptedSavedObjects']['encryptionKey'] }}
--- a/salt/kibana/etc/kibana.yml
+++ b/salt/kibana/etc/kibana.yml
@@ -1,28 +0,0 @@
 ---
 # Default Kibana configuration from kibana-docker.
 {%- set ES = salt['pillar.get']('manager:mainip', '') -%}
 {%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %}
 {%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %}
 {%- set URLBASE = salt['pillar.get']('global:url_base') %}
 server.name: kibana
 server.host: "0"
 server.basePath: /kibana
 server.publicBaseUrl: https://{{ URLBASE }}/kibana
 elasticsearch.hosts: [ "https://{{ ES }}:9200" ]
 elasticsearch.ssl.verificationMode: none
 #kibana.index: ".kibana"
 {% if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %}
 elasticsearch.username: {{ ES_USER }}
 elasticsearch.password: {{ ES_PASS }}
 {% endif %}
 #xpack.monitoring.ui.container.elasticsearch.enabled: true
 elasticsearch.requestTimeout: 90000
 logging.dest: /var/log/kibana/kibana.log
 telemetry.enabled: false
 security.showInsecureClusterWarning: false
 {% if not salt['pillar.get']('elasticsearch:auth:enabled', False) %}
 xpack.security.authc.providers:
  anonymous.anonymous1:
    order: 0
    credentials: "elasticsearch_anonymous_user" 
 {% endif %}
--- a/salt/kibana/init.sls
+++ b/salt/kibana/init.sls
@@ -101,14 +101,6 @@ append_so-kibana_so-status.conf:
    - name: /opt/so/conf/so-status/so-status.conf
    - text: so-kibana
 # Keep the setting correct
 #KibanaHappy:
 #  cmd.script:
 #    - shell: /bin/bash
 #    - runas: socore
 #    - source: salt://kibana/bin/keepkibanahappy.sh
 #    - template: jinja
 {% else %}
 {{sls}}_state_not_allowed:
--- a/salt/kibana/secrets.sls
+++ b/salt/kibana/secrets.sls
@@ -0,0 +1,12 @@
 {% set kibana_encryptedSavedObjects_encryptionKey = salt['pillar.get']('kibana:secrets:encryptedSavedObjects:encryptionKey', salt['random.get_str'](72)) %}
 kibana_secrets_pillar:
  file.managed:
    - name: /opt/so/saltstack/local/pillar/kibana/secrets.sls
    - mode: 600
    - reload_pillar: True
    - contents: |
        kibana:
          secrets:
            encryptedSavedObjects:
              encryptionKey: {{ kibana_encryptedSavedObjects_encryptionKey }}
--- a/salt/manager/init.sls
+++ b/salt/manager/init.sls
@@ -22,6 +22,7 @@
 include:
  - elasticsearch.auth
  - kibana.secrets
  - salt.minion
 socore_own_saltstack: