This commit is contained in:
Jason Ertel
2024-11-01 15:37:59 -04:00
parent cd2e5bf2d0
commit 825dbb36dd
3 changed files with 15 additions and 30 deletions


@@ -45,6 +45,7 @@ function usage() {
--id <id> --id <id>
--name <name> --name <name>
--note <note> --note <note>
--searchusername <run-as username>
generate-secret: Regenerates a client's secret and outputs the new secret. generate-secret: Regenerates a client's secret and outputs the new secret.
Required parameters: Required parameters:
@@ -84,7 +85,12 @@ while [[ $# -gt 0 ]]; do
;; ;;
--note) --note)
note=$1 note=$1
[[ ${#note} -gt 50 ]] && fail "note cannot be longer than 500 characters" [[ ${#note} -gt 100 ]] && fail "note cannot be longer than 100 characters"
shift
;;
--searchusername)
searchusername=$1
[[ ${#searchusername} -gt 50 ]] && fail "search username cannot be longer than 50 characters"
shift shift
;; ;;
--json) --json)
@@ -199,7 +205,7 @@ function adjustClientPermission() {
echo "$perm:$identityId" >> "$filename" echo "$perm:$identityId" >> "$filename"
fi fi
elif [[ "$op" == "del" ]]; then elif [[ "$op" == "del" ]]; then
if [[ "$hasPermission" -ne 1 ]]; then if [[ "$hasPerm" -ne 1 ]]; then
fail "Client '$identityId' does not have the permission: $perm" fail "Client '$identityId' does not have the permission: $perm"
else else
sed -e "\!^$perm:$identityId\$!d" "$filename" > "$filename.tmp" sed -e "\!^$perm:$identityId\$!d" "$filename" > "$filename.tmp"
@@ -328,7 +334,7 @@ case "${operation}" in
if [[ "$json" == "1" ]]; then if [[ "$json" == "1" ]]; then
echo "{\"id\":\"$id\",\"secret\":\"$secret\"}" echo "{\"id\":\"$id\",\"secret\":\"$secret\"}"
else else
echo "Successfully added user ID $id with generated secret: $secret" echo "Successfully added client ID $id with generated secret: $secret"
fi fi
;; ;;
@@ -363,9 +369,10 @@ case "${operation}" in
[[ "$id" == "" ]] && fail "Id must be provided" [[ "$id" == "" ]] && fail "Id must be provided"
[[ "$name" == "" ]] && fail "Name must be provided" [[ "$name" == "" ]] && fail "Name must be provided"
[[ "$note" == "" ]] && fail "Note must be provided" [[ "$note" == "" ]] && fail "Note must be provided"
[[ "$searchusername" == "" ]] && fail "Search Username must be provided"
lock lock
update "$id" "$name" "$note" update "$id" "$name" "$note" "$searchusername"
echo "Successfully updated client" echo "Successfully updated client"
;; ;;
@@ -388,7 +395,7 @@ case "${operation}" in
lock lock
deleteClient "$id" deleteClient "$id"
echo "Successfully deleted client. Run 'so-user sync' to sync with Elasticsearch." echo "Successfully deleted client."
;; ;;
*) *)
fail "Unsupported operation: $operation" fail "Unsupported operation: $operation"
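Review bot: The new `--searchusername)` arm in the second hunk validates only the length of the value (`[[ ${#searchusername} -gt 50 ]] && fail ...`), so a run-as username containing whitespace, a colon or a newline is accepted and handed to `update "$id" "$name" "$note" "$searchusername"` in the fifth hunk. The record format behind `update` is outside this diff, but if it is line- or colon-delimited like the `$perm:$identityId` entries shown in `adjustClientPermission`, a stray delimiter in the value would corrupt the stored record. Consider rejecting such values next to the length check, e.g. `[[ "$searchusername" =~ ^[A-Za-z0-9@._-]+$ ]] || fail "search username contains invalid characters"` (adjust the character class to what the deployment actually permits in usernames). The `while [[ $# -gt 0 ]]` loop that holds these arms begins before the hunk.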


@@ -136,7 +136,6 @@ bcryptRounds=${BCRYPT_ROUNDS:-12}
elasticUsersFile=${ELASTIC_USERS_FILE:-/opt/so/saltstack/local/salt/elasticsearch/files/users} elasticUsersFile=${ELASTIC_USERS_FILE:-/opt/so/saltstack/local/salt/elasticsearch/files/users}
elasticRolesFile=${ELASTIC_ROLES_FILE:-/opt/so/saltstack/local/salt/elasticsearch/files/users_roles} elasticRolesFile=${ELASTIC_ROLES_FILE:-/opt/so/saltstack/local/salt/elasticsearch/files/users_roles}
socRolesFile=${SOC_ROLES_FILE:-/opt/so/conf/soc/soc_users_roles} socRolesFile=${SOC_ROLES_FILE:-/opt/so/conf/soc/soc_users_roles}
clientRolesFile=${SOC_ROLES_FILE:-/opt/so/conf/soc/soc_clients_roles}
esUID=${ELASTIC_UID:-930} esUID=${ELASTIC_UID:-930}
esGID=${ELASTIC_GID:-930} esGID=${ELASTIC_GID:-930}
soUID=${SOCORE_UID:-939} soUID=${SOCORE_UID:-939}
@@ -283,18 +282,6 @@ function ensureRoleFileExists() {
fi fi
mv "${rolesTmpFile}" "${socRolesFile}" mv "${rolesTmpFile}" "${socRolesFile}"
fi fi
if [[ ! -f "$clientRolesFile" || ! -s "$clientRolesFile" ]]; then
# Generate the new client roles file
rolesTmpFile="${clientRolesFile}.tmp"
createFile "$rolesTmpFile" "$soUID" "$soGID"
if [[ -d "$clientRolesFile" ]]; then
echo "Removing invalid roles directory created by Docker"
rm -fr "$clientRolesFile"
fi
mv "${rolesTmpFile}" "${clientRolesFile}"
fi
} }
function syncElasticSystemUser() { function syncElasticSystemUser() {
@@ -370,7 +357,6 @@ function syncElastic() {
random_crypt=$(get_random_value 53) random_crypt=$(get_random_value 53)
user_data_formatted=$(echo "${user_data_formatted}" | sed -r "s/^(.+:)\$/\\1\$2a\$12${random_crypt}/") user_data_formatted=$(echo "${user_data_formatted}" | sed -r "s/^(.+:)\$/\\1\$2a\$12${random_crypt}/")
fi fi
echo "${user_data_formatted}" >> "$usersTmpFile" echo "${user_data_formatted}" >> "$usersTmpFile"
# Append the user roles # Append the user roles
@@ -386,10 +372,6 @@ function syncElastic() {
sqlite3 -cmd ".timeout ${databaseTimeout}" "$databasePath" >> "$rolesTmpFile" sqlite3 -cmd ".timeout ${databaseTimeout}" "$databasePath" >> "$rolesTmpFile"
[[ $? != 0 ]] && fail "Unable to read role identities from database" [[ $? != 0 ]] && fail "Unable to read role identities from database"
done < "$socRolesFile" done < "$socRolesFile"
# Append the client roles
cat "$clientRolesFile" >> "$rolesTmpFile"
else else
echo "Database file or soc roles file does not exist yet, skipping users export" echo "Database file or soc roles file does not exist yet, skipping users export"
fi fi


@@ -197,13 +197,9 @@ function manage_client() {
client_id=$(echo "$request" | jq -r .id) client_id=$(echo "$request" | jq -r .id)
name=$(echo "$request" | jq -r .name) name=$(echo "$request" | jq -r .name)
note=$(echo "$request" | jq -r .note) note=$(echo "$request" | jq -r .note)
log "Performing '$op' update for client '$client_id' with name '$name', and note '$note'" searchusername=$(echo "$request" | jq -r .searchusername)
response=$(so-client "$op" --id "$client_id" --name "$name" --note "$note") log "Performing '$op' update for client '$client_id' with name '$name', search username '$searchusername', and note '$note'"
exit_code=$? response=$(so-client "$op" --id "$client_id" --name "$name" --searchusername "$searchusername" --note "$note")
;;
sync)
log "Performing '$op'"
response=$(so-user "$op")
exit_code=$? exit_code=$?
;; ;;
*) *)
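Review bot: `searchusername=$(echo "$request" | jq -r .searchusername)` yields the literal string `null` when the request omits the field, so so-client is invoked with `--searchusername null`, which passes its non-empty "Search Username must be provided" check and would be stored as the run-as username. Using `searchusername=$(echo "$request" | jq -r '.searchusername // empty')` turns a missing or null field into an empty string so that so-client's own check rejects the request instead. The existing `.id`, `.name` and `.note` extractions have the same behaviour and this commit leaves them unchanged. manage_client starts before the hunk.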