CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-06 09:12:45 +01:00
Code Issues Packages Projects Releases Wiki Activity

x509 changes for salt 3006

Browse Source
This commit is contained in:
m0duspwnens
2023-04-04 08:55:10 -04:00
parent 0fc6a74b6d
commit 6039a1430e
3 changed files with 22 additions and 20 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
salt/ca/init.sls
View File

@@ -18,7 +18,7 @@ include:
pki_private_key:
x509.private_key_managed:
- name: /etc/pki/ca.key
- bits: 4096
- keysize: 4096
- passphrase:
- cipher: aes_256_cbc
- backup: True
@@ -39,7 +39,7 @@ pki_public_ca_crt:
- keyUsage: "critical cRLSign, keyCertSign"
- extendedkeyUsage: "serverAuth, clientAuth"
- subjectKeyIdentifier: hash
- authorityKeyIdentifier: keyid,issuer:always
- authorityKeyIdentifier: keyid:always, issuer
- days_valid: 3650
- days_remaining: 0
- backup: True

36
salt/ssl/init.sls
View File

@@ -52,7 +52,7 @@ influxdb_key:
x509.private_key_managed:
- name: /etc/pki/influxdb.key
- CN: {{ GLOBALS.hostname }}
- bits: 4096
- keysize: 4096
- days_remaining: 0
- days_valid: 820
- backup: True
@@ -72,7 +72,7 @@ influxdb_crt:
- name: /etc/pki/influxdb.crt
- ca_server: {{ ca_server }}
- signing_policy: influxdb
- public_key: /etc/pki/influxdb.key
- private_key: /etc/pki/influxdb.key
- CN: {{ GLOBALS.hostname }}
- subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }}
- days_remaining: 0
@@ -102,7 +102,7 @@ redis_key:
x509.private_key_managed:
- name: /etc/pki/redis.key
- CN: {{ GLOBALS.hostname }}
- bits: 4096
- keysize: 4096
- days_remaining: 0
- days_valid: 820
- backup: True
@@ -122,7 +122,7 @@ redis_crt:
- ca_server: {{ ca_server }}
- subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }}
- signing_policy: registry
- public_key: /etc/pki/redis.key
- private_key: /etc/pki/redis.key
- CN: {{ GLOBALS.hostname }}
- days_remaining: 0
- days_valid: 820
@@ -151,7 +151,7 @@ etc_elasticfleet_key:
x509.private_key_managed:
- name: /etc/pki/elasticfleet.key
- CN: {{ COMMONNAME }}
- bits: 4096
- keysize: 4096
- days_remaining: 0
- days_valid: 820
- backup: True
@@ -171,7 +171,7 @@ etc_elasticfleet_crt:
- name: /etc/pki/elasticfleet.crt
- ca_server: {{ ca_server }}
- signing_policy: elasticfleet
- public_key: /etc/pki/elasticfleet.key
- private_key: /etc/pki/elasticfleet.key
- CN: {{ GLOBALS.hostname }}
- subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }}
- days_remaining: 0
@@ -233,7 +233,7 @@ etc_filebeat_key:
x509.private_key_managed:
- name: /etc/pki/filebeat.key
- CN: {{ COMMONNAME }}
- bits: 4096
- keysize: 4096
- days_remaining: 0
- days_valid: 820
- backup: True
@@ -253,7 +253,7 @@ etc_filebeat_crt:
- name: /etc/pki/filebeat.crt
- ca_server: {{ ca_server }}
- signing_policy: filebeat
- public_key: /etc/pki/filebeat.key
- private_key: /etc/pki/filebeat.key
- CN: {{ GLOBALS.hostname }}
- subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }}
- days_remaining: 0
@@ -314,7 +314,7 @@ registry_key:
x509.private_key_managed:
- name: /etc/pki/registry.key
- CN: {{ GLOBALS.manager }}
- bits: 4096
- keysize: 4096
- days_remaining: 0
- days_valid: 820
- backup: True
@@ -335,7 +335,7 @@ registry_crt:
- ca_server: {{ ca_server }}
- subjectAltName: DNS:{{ GLOBALS.manager }}, IP:{{ GLOBALS.manager_ip }}
- signing_policy: registry
- public_key: /etc/pki/registry.key
- private_key: /etc/pki/registry.key
- CN: {{ GLOBALS.manager }}
- days_remaining: 0
- days_valid: 820
@@ -362,7 +362,7 @@ regkeyperms:
/etc/pki/elasticsearch.key:
x509.private_key_managed:
- CN: {{ COMMONNAME }}
- bits: 4096
- keysize: 4096
- days_remaining: 0
- days_valid: 820
- backup: True
@@ -380,7 +380,7 @@ regkeyperms:
x509.certificate_managed:
- ca_server: {{ ca_server }}
- signing_policy: registry
- public_key: /etc/pki/elasticsearch.key
- private_key: /etc/pki/elasticsearch.key
- CN: {{ GLOBALS.hostname }}
- subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }}
- days_remaining: 0
@@ -419,7 +419,7 @@ managerssl_key:
x509.private_key_managed:
- name: /etc/pki/managerssl.key
- CN: {{ GLOBALS.manager }}
- bits: 4096
- keysize: 4096
- days_remaining: 0
- days_valid: 820
- backup: True
@@ -439,7 +439,7 @@ managerssl_crt:
- name: /etc/pki/managerssl.crt
- ca_server: {{ ca_server }}
- signing_policy: managerssl
- public_key: /etc/pki/managerssl.key
- private_key: /etc/pki/managerssl.key
- CN: {{ GLOBALS.hostname }}
- subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }}
- days_remaining: 0
@@ -477,7 +477,7 @@ conf_filebeat_key:
x509.private_key_managed:
- name: /opt/so/conf/filebeat/etc/pki/filebeat.key
- CN: {{ COMMONNAME }}
- bits: 4096
- keysize: 4096
- days_remaining: 0
- days_valid: 820
- backup: True
@@ -497,7 +497,7 @@ conf_filebeat_crt:
- name: /opt/so/conf/filebeat/etc/pki/filebeat.crt
- ca_server: {{ ca_server }}
- signing_policy: filebeat
- public_key: /opt/so/conf/filebeat/etc/pki/filebeat.key
- private_key: /opt/so/conf/filebeat/etc/pki/filebeat.key
- CN: {{ GLOBALS.hostname }}
- subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }}
- days_remaining: 0
@@ -543,7 +543,7 @@ chownfilebeatp8:
/etc/pki/elasticsearch.key:
x509.private_key_managed:
- CN: {{ GLOBALS.manager }}
- bits: 4096
- keysize: 4096
- days_remaining: 0
- days_valid: 820
- backup: True
@@ -561,7 +561,7 @@ chownfilebeatp8:
x509.certificate_managed:
- ca_server: {{ ca_server }}
- signing_policy: registry
- public_key: /etc/pki/elasticsearch.key
- private_key: /etc/pki/elasticsearch.key
- CN: {{ GLOBALS.hostname }}
- subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }}
- days_remaining: 0

2
setup/so-functions
View File

@@ -634,6 +634,8 @@ configure_minion() {
printf '%s\n'\
"use_superseded:"\
" - module.run"\
"features:"\
" x509_v2: true"\
"log_level: info"\
"log_level_logfile: info"\
"log_file: /opt/so/log/salt/minion" >> "$minion_config"