From 868cd1187431b0f99a74e0f35fd6526f6c70eeee Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 8 Apr 2026 10:58:52 -0400 Subject: [PATCH] Add so-postgres Salt states and integration wiring Phase 1 of the PostgreSQL central data platform: - Salt states: init, enabled, disabled, config, ssl, auth, sostatus - TLS via SO CA-signed certs with postgresql.conf template - Two-tier auth: postgres superuser + so_postgres application user - Firewall restricts port 5432 to manager-only (HA-ready) - Wired into top.sls, pillar/top.sls, allowed_states, firewall containers map, docker defaults, CA signing policies, and setup scripts for all manager-type roles --- pillar/top.sls | 20 ++++++ salt/allowed_states.map.jinja | 1 + salt/ca/files/signing_policies.conf | 14 ++++ salt/docker/defaults.yaml | 8 +++ salt/firewall/containers.map.jinja | 3 + salt/firewall/defaults.yaml | 9 +++ salt/postgres/auth.sls | 35 +++++++++ salt/postgres/config.sls | 63 ++++++++++++++++ salt/postgres/defaults.yaml | 14 ++++ salt/postgres/disabled.sls | 27 +++++++ salt/postgres/enabled.sls | 88 +++++++++++++++++++++++ salt/postgres/files/init-users.sh | 15 ++++ salt/postgres/files/postgresql.conf.jinja | 8 +++ salt/postgres/init.sls | 13 ++++ salt/postgres/map.jinja | 7 ++ salt/postgres/sostatus.sls | 21 ++++++ salt/postgres/ssl.sls | 54 ++++++++++++++ salt/top.sls | 5 ++ setup/so-functions | 13 +++- setup/so-variables | 6 ++ 20 files changed, 422 insertions(+), 2 deletions(-) create mode 100644 salt/postgres/auth.sls create mode 100644 salt/postgres/config.sls create mode 100644 salt/postgres/defaults.yaml create mode 100644 salt/postgres/disabled.sls create mode 100644 salt/postgres/enabled.sls create mode 100644 salt/postgres/files/init-users.sh create mode 100644 salt/postgres/files/postgresql.conf.jinja create mode 100644 salt/postgres/init.sls create mode 100644 salt/postgres/map.jinja create mode 100644 salt/postgres/sostatus.sls create mode 100644 salt/postgres/ssl.sls 
diff --git a/pillar/top.sls b/pillar/top.sls index 6cdc4808a..af18bee09 100644 --- a/pillar/top.sls +++ b/pillar/top.sls @@ -38,6 +38,9 @@ base: {% if salt['file.file_exists']('/opt/so/saltstack/local/pillar/elasticsearch/auth.sls') %} - elasticsearch.auth {% endif %} + {% if salt['file.file_exists']('/opt/so/saltstack/local/pillar/postgres/auth.sls') %} + - postgres.auth + {% endif %} {% if salt['file.file_exists']('/opt/so/saltstack/local/pillar/kibana/secrets.sls') %} - kibana.secrets {% endif %} @@ -60,6 +63,8 @@ base: - redis.adv_redis - influxdb.soc_influxdb - influxdb.adv_influxdb + - postgres.soc_postgres + - postgres.adv_postgres - elasticsearch.nodes - elasticsearch.soc_elasticsearch - elasticsearch.adv_elasticsearch @@ -101,6 +106,9 @@ base: {% if salt['file.file_exists']('/opt/so/saltstack/local/pillar/elasticsearch/auth.sls') %} - elasticsearch.auth {% endif %} + {% if salt['file.file_exists']('/opt/so/saltstack/local/pillar/postgres/auth.sls') %} + - postgres.auth + {% endif %} {% if salt['file.file_exists']('/opt/so/saltstack/local/pillar/kibana/secrets.sls') %} - kibana.secrets {% endif %} @@ -126,6 +134,8 @@ base: - redis.adv_redis - influxdb.soc_influxdb - influxdb.adv_influxdb + - postgres.soc_postgres + - postgres.adv_postgres - backup.soc_backup - backup.adv_backup - zeek.soc_zeek @@ -146,6 +156,9 @@ base: {% if salt['file.file_exists']('/opt/so/saltstack/local/pillar/elasticsearch/auth.sls') %} - elasticsearch.auth {% endif %} + {% if salt['file.file_exists']('/opt/so/saltstack/local/pillar/postgres/auth.sls') %} + - postgres.auth + {% endif %} {% if salt['file.file_exists']('/opt/so/saltstack/local/pillar/kibana/secrets.sls') %} - kibana.secrets {% endif %} @@ -160,6 +173,8 @@ base: - redis.adv_redis - influxdb.soc_influxdb - influxdb.adv_influxdb + - postgres.soc_postgres + - postgres.adv_postgres - elasticsearch.nodes - elasticsearch.soc_elasticsearch - elasticsearch.adv_elasticsearch 
@@ -260,6 +275,9 @@ base: {% if salt['file.file_exists']('/opt/so/saltstack/local/pillar/elasticsearch/auth.sls') %} - elasticsearch.auth {% endif %} + {% if salt['file.file_exists']('/opt/so/saltstack/local/pillar/postgres/auth.sls') %} + - postgres.auth + {% endif %} {% if salt['file.file_exists']('/opt/so/saltstack/local/pillar/kibana/secrets.sls') %} - kibana.secrets {% endif %} @@ -285,6 +303,8 @@ base: - redis.adv_redis - influxdb.soc_influxdb - influxdb.adv_influxdb + - postgres.soc_postgres + - postgres.adv_postgres - zeek.soc_zeek - zeek.adv_zeek - bpf.soc_bpf diff --git a/salt/allowed_states.map.jinja b/salt/allowed_states.map.jinja index 1fac0f0e3..2fb61a664 100644 --- a/salt/allowed_states.map.jinja +++ b/salt/allowed_states.map.jinja @@ -29,6 +29,7 @@ 'manager', 'nginx', 'influxdb', + 'postgres', 'soc', 'kratos', 'hydra', diff --git a/salt/ca/files/signing_policies.conf b/salt/ca/files/signing_policies.conf index 4fc04aacc..5424d7b37 100644 --- a/salt/ca/files/signing_policies.conf +++ b/salt/ca/files/signing_policies.conf @@ -54,6 +54,20 @@ x509_signing_policies: - extendedKeyUsage: serverAuth - days_valid: 820 - copypath: /etc/pki/issued_certs/ + postgres: + - minions: '*' + - signing_private_key: /etc/pki/ca.key + - signing_cert: /etc/pki/ca.crt + - C: US + - ST: Utah + - L: Salt Lake City + - basicConstraints: "critical CA:false" + - keyUsage: "critical keyEncipherment" + - subjectKeyIdentifier: hash + - authorityKeyIdentifier: keyid,issuer:always + - extendedKeyUsage: serverAuth + - days_valid: 820 + - copypath: /etc/pki/issued_certs/ elasticfleet: - minions: '*' - signing_private_key: /etc/pki/ca.key diff --git a/salt/docker/defaults.yaml b/salt/docker/defaults.yaml index 044ec98b0..900d2cf53 100644 --- a/salt/docker/defaults.yaml +++ b/salt/docker/defaults.yaml 
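Review bot: The new `postgres` signing policy carries `keyUsage: "critical keyEncipherment"` only, which under RFC 5280 does not license the RSA signature an ECDHE/TLS 1.3 handshake requires, so strict clients (GnuTLS, and libraries that verify key usage) can reject the server certificate. The neighbouring policies' keyUsage lines are outside this hunk, so this may simply copy an existing template, but for a new policy `- keyUsage: "critical digitalSignature, keyEncipherment"` is the safe value. `minions: '*'` also lets any minion request a serverAuth cert under this policy; that matches the `elasticfleet` entry visible below, but a one-line comment that only manager-type roles are expected to use it would help the next reader.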
@@ -237,3 +237,11 @@ docker: extra_hosts: [] extra_env: [] ulimits: [] + 'so-postgres': + final_octet: 89 + port_bindings: + - 0.0.0.0:5432:5432 + custom_bind_mounts: [] + extra_hosts: [] + extra_env: [] + ulimits: [] diff --git a/salt/firewall/containers.map.jinja b/salt/firewall/containers.map.jinja index 2d1135e5f..b39ba2b31 100644 --- a/salt/firewall/containers.map.jinja +++ b/salt/firewall/containers.map.jinja @@ -11,6 +11,7 @@ 'so-kratos', 'so-hydra', 'so-nginx', + 'so-postgres', 'so-redis', 'so-soc', 'so-strelka-coordinator', @@ -34,6 +35,7 @@ 'so-hydra', 'so-logstash', 'so-nginx', + 'so-postgres', 'so-redis', 'so-soc', 'so-strelka-coordinator', @@ -77,6 +79,7 @@ 'so-kratos', 'so-hydra', 'so-nginx', + 'so-postgres', 'so-soc' ] %} diff --git a/salt/firewall/defaults.yaml b/salt/firewall/defaults.yaml index a11492e88..e9c82401d 100644 --- a/salt/firewall/defaults.yaml +++ b/salt/firewall/defaults.yaml @@ -98,6 +98,10 @@ firewall: tcp: - 8086 udp: [] + postgres: + tcp: + - 5432 + udp: [] kafka_controller: tcp: - 9093 @@ -193,6 +197,7 @@ firewall: - kibana - redis - influxdb + - postgres - elasticsearch_rest - elasticsearch_node - localrules @@ -379,6 +384,7 @@ firewall: - kibana - redis - influxdb + - postgres - elasticsearch_rest - elasticsearch_node - docker_registry @@ -590,6 +596,7 @@ firewall: - kibana - redis - influxdb + - postgres - elasticsearch_rest - elasticsearch_node - docker_registry @@ -799,6 +806,7 @@ firewall: - kibana - redis - influxdb + - postgres - elasticsearch_rest - elasticsearch_node - docker_registry @@ -1011,6 +1019,7 @@ firewall: - kibana - redis - influxdb + - postgres - elasticsearch_rest - elasticsearch_node - docker_registry diff --git a/salt/postgres/auth.sls b/salt/postgres/auth.sls new file mode 100644 index 000000000..a19b2341a --- /dev/null +++ b/salt/postgres/auth.sls 
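Review bot: `port_bindings: - 0.0.0.0:5432:5432` publishes the database on every host interface, so the only thing keeping 5432 manager-only is the `postgres` portgroup added to the firewall hostgroups further down plus the `so-postgres` entry in containers.map.jinja. Docker-published ports are filtered in the DOCKER/FORWARD path rather than INPUT, so this relies on SO's firewall integration covering container ports; the containers.map change suggests it does, but that cannot be verified from this diff. Since Phase 1 appears to have only on-manager consumers, consider a tighter bind until remote clients exist, e.g. `- 127.0.0.1:5432:5432`, or add a comment stating that the hostgroup rules are the sole access control for this port.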
@@ -0,0 +1,35 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + +{% from 'allowed_states.map.jinja' import allowed_states %} +{% if sls in allowed_states %} + + {% set DIGITS = "1234567890" %} + {% set LOWERCASE = "qwertyuiopasdfghjklzxcvbnm" %} + {% set UPPERCASE = "QWERTYUIOPASDFGHJKLZXCVBNM" %} + {% set SYMBOLS = "~!@#^&*()-_=+[]|;:,.<>?" %} + {% set CHARS = DIGITS~LOWERCASE~UPPERCASE~SYMBOLS %} + {% set so_postgres_user_pass = salt['pillar.get']('postgres:auth:users:so_postgres_user:pass', salt['random.get_str'](72, chars=CHARS)) %} + +postgres_auth_pillar: + file.managed: + - name: /opt/so/saltstack/local/pillar/postgres/auth.sls + - mode: 640 + - reload_pillar: True + - contents: | + postgres: + auth: + users: + so_postgres_user: + user: so_postgres + pass: "{{ so_postgres_user_pass }}" + - show_changes: False +{% else %} + +{{sls}}_state_not_allowed: + test.fail_without_changes: + - name: {{sls}}_state_not_allowed + +{% endif %} diff --git a/salt/postgres/config.sls b/salt/postgres/config.sls new file mode 100644 index 000000000..3502b6409 --- /dev/null +++ b/salt/postgres/config.sls 
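Review bot: The `SYMBOLS` set deliberately omits `'`, `"`, `\`, `$` and backtick, and that omission is load-bearing: the value is written into a double-quoted YAML scalar here and later expanded by bash inside a single-quoted SQL literal in init-users.sh, so any of those characters would break the pillar file or the CREATE ROLE statement. Record that constraint next to the definition so a future "stronger password" edit does not reintroduce them: `{# no ' " \ $ or backtick: value is embedded in YAML here and in a SQL literal by init-users.sh #}`. The pillar file is written with `mode: 640` but no `user`/`group`, so ownership is whatever the minion process runs as; making it explicit (`- user: root`, `- group: root`) keeps the credential's readers deterministic.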
@@ -0,0 +1,63 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + +{% from 'allowed_states.map.jinja' import allowed_states %} +{% if sls.split('.')[0] in allowed_states %} +{% from 'postgres/map.jinja' import PGMERGED %} + +# Postgres Setup +postgresconfdir: + file.directory: + - name: /opt/so/conf/postgres + - user: 939 + - group: 939 + - makedirs: True + +postgresdatadir: + file.directory: + - name: /nsm/postgres + - user: 939 + - group: 939 + - makedirs: True + +postgreslogdir: + file.directory: + - name: /opt/so/log/postgres + - user: 939 + - group: 939 + - makedirs: True + +postgresinitdir: + file.directory: + - name: /opt/so/conf/postgres/init + - user: 939 + - group: 939 + - makedirs: True + +postgresinitusers: + file.managed: + - name: /opt/so/conf/postgres/init/init-users.sh + - source: salt://postgres/files/init-users.sh + - user: 939 + - group: 939 + - mode: 755 + +postgresconf: + file.managed: + - name: /opt/so/conf/postgres/postgresql.conf + - source: salt://postgres/files/postgresql.conf.jinja + - user: 939 + - group: 939 + - template: jinja + - defaults: + PGMERGED: {{ PGMERGED }} + +{% else %} + +{{sls}}_state_not_allowed: + test.fail_without_changes: + - name: {{sls}}_state_not_allowed + +{% endif %} diff --git a/salt/postgres/defaults.yaml b/salt/postgres/defaults.yaml new file mode 100644 index 000000000..9757f08f3 --- /dev/null +++ b/salt/postgres/defaults.yaml 
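Review bot: `postgresdatadir` creates `/nsm/postgres` with Salt's default directory mode, but PostgreSQL refuses to start unless its data directory is 0700 (or 0750) and owned by the server user, so unless the image entrypoint chmods it the first start fails or a pre-existing wider-mode directory is silently accepted; add `- mode: 700` (and `- dir_mode: 700`, since `makedirs` is set). Separately, `postgresconf` renders a postgresql.conf that enabled.sls bind-mounts at `/conf/postgresql.conf`, and PostgreSQL only reads that path if the server is started with `-c config_file=/conf/postgresql.conf`; the container command is not in this diff, so if the image's entrypoint does not pass it, the `ssl = 'on'` from defaults.yaml never takes effect. A comment on `postgresconf` stating how the file is consumed would make that dependency visible.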
@@ -0,0 +1,14 @@ +postgres: + enabled: False + config: + listen_addresses: '*' + port: 5432 + max_connections: 100 + shared_buffers: 256MB + ssl: 'on' + ssl_cert_file: '/conf/postgres.crt' + ssl_key_file: '/conf/postgres.key' + ssl_ca_file: '/conf/ca.crt' + log_destination: 'stderr' + logging_collector: 'off' + log_min_messages: 'warning' diff --git a/salt/postgres/disabled.sls b/salt/postgres/disabled.sls new file mode 100644 index 000000000..56dc451b7 --- /dev/null +++ b/salt/postgres/disabled.sls @@ -0,0 +1,27 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + +{% from 'allowed_states.map.jinja' import allowed_states %} +{% if sls.split('.')[0] in allowed_states %} + +include: + - postgres.sostatus + +so-postgres: + docker_container.absent: + - force: True + +so-postgres_so-status.disabled: + file.comment: + - name: /opt/so/conf/so-status/so-status.conf + - regex: ^so-postgres$ + +{% else %} + +{{sls}}_state_not_allowed: + test.fail_without_changes: + - name: {{sls}}_state_not_allowed + +{% endif %} diff --git a/salt/postgres/enabled.sls b/salt/postgres/enabled.sls new file mode 100644 index 000000000..c103245ea --- /dev/null +++ b/salt/postgres/enabled.sls 
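Review bot: `ssl: 'on'` only makes TLS available; whether a client must use it is decided by pg_hba.conf, and nothing in this diff manages that file, so with a stock image a plaintext `host` connection on 5432 is still accepted alongside the TLS one, and the `hostssl`/`clientcert` settings that would give `ssl_ca_file` a purpose are unused. Either ship a pg_hba template with `hostssl all all all scram-sha-256` and `hostnossl all all all reject`, or state in a comment that TLS is opportunistic in Phase 1. Adding `password_encryption: scram-sha-256` and `ssl_min_protocol_version: TLSv1.2` here would also stop those from silently depending on the image's PostgreSQL version, since they are defaults only from PG14 and PG12 respectively.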
@@ -0,0 +1,88 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + +{% from 'allowed_states.map.jinja' import allowed_states %} +{% if sls.split('.')[0] in allowed_states %} +{% from 'vars/globals.map.jinja' import GLOBALS %} +{% from 'docker/docker.map.jinja' import DOCKERMERGED %} +{% set PASSWORD = salt['pillar.get']('secrets:postgres_pass') %} +{% set SO_POSTGRES_USER = salt['pillar.get']('postgres:auth:users:so_postgres_user:user', 'so_postgres') %} +{% set SO_POSTGRES_PASS = salt['pillar.get']('postgres:auth:users:so_postgres_user:pass', '') %} + +include: + - postgres.auth + - postgres.ssl + - postgres.config + - postgres.sostatus + +so-postgres: + docker_container.running: + - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-postgres:{{ GLOBALS.so_version }} + - hostname: so-postgres + - networks: + - sobridge: + - ipv4_address: {{ DOCKERMERGED.containers['so-postgres'].ip }} + - port_bindings: + {% for BINDING in DOCKERMERGED.containers['so-postgres'].port_bindings %} + - {{ BINDING }} + {% endfor %} + - environment: + - POSTGRES_DB=securityonion + - POSTGRES_PASSWORD={{ PASSWORD }} + - SO_POSTGRES_USER={{ SO_POSTGRES_USER }} + - SO_POSTGRES_PASS={{ SO_POSTGRES_PASS }} + {% if DOCKERMERGED.containers['so-postgres'].extra_env %} + {% for XTRAENV in DOCKERMERGED.containers['so-postgres'].extra_env %} + - {{ XTRAENV }} + {% endfor %} + {% endif %} + - binds: + - /opt/so/log/postgres/:/log:rw + - /nsm/postgres:/var/lib/postgresql/data:rw + - /opt/so/conf/postgres/postgresql.conf:/conf/postgresql.conf:ro + - /opt/so/conf/postgres/init/init-users.sh:/docker-entrypoint-initdb.d/init-users.sh:ro + - /etc/pki/postgres.crt:/conf/postgres.crt:ro + - 
/etc/pki/postgres.key:/conf/postgres.key:ro
+ - /etc/pki/tls/certs/intca.crt:/conf/ca.crt:ro
+ {% if DOCKERMERGED.containers['so-postgres'].custom_bind_mounts %}
+ {% for BIND in DOCKERMERGED.containers['so-postgres'].custom_bind_mounts %}
+ - {{ BIND }}
+ {% endfor %}
+ {% endif %}
+ {% if DOCKERMERGED.containers['so-postgres'].extra_hosts %}
+ - extra_hosts:
+ {% for XTRAHOST in DOCKERMERGED.containers['so-postgres'].extra_hosts %}
+ - {{ XTRAHOST }}
+ {% endfor %}
+ {% endif %}
+ {% if DOCKERMERGED.containers['so-postgres'].ulimits %}
+ - ulimits:
+ {% for ULIMIT in DOCKERMERGED.containers['so-postgres'].ulimits %}
+ - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
+ {% endfor %}
+ {% endif %}
+ - watch:
+ - file: postgresconf
+ - file: postgresinitusers
+ - x509: postgres_crt
+ - x509: postgres_key
+ - require:
+ - file: postgresconf
+ - file: postgresinitusers
+ - x509: postgres_crt
+ - x509: postgres_key
+
+delete_so-postgres_so-status.disabled:
+ file.uncomment:
+ - name: /opt/so/conf/so-status/so-status.conf
+ - regex: ^so-postgres$
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+ test.fail_without_changes:
+ - name: {{sls}}_state_not_allowed
+
+{% endif %}
diff --git a/salt/postgres/files/init-users.sh b/salt/postgres/files/init-users.sh
new file mode 100644
index 000000000..6fa7e43ac
--- /dev/null
+++ b/salt/postgres/files/init-users.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+set -e
+
+# Create application user for SOC platform access
+# This script runs on first database initialization only
+psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" <<-EOSQL
+ DO \$\$
+ BEGIN
+ IF NOT EXISTS (SELECT FROM pg_catalog.pg_roles WHERE rolname = '$SO_POSTGRES_USER') THEN
+ CREATE ROLE "$SO_POSTGRES_USER" WITH LOGIN PASSWORD '$SO_POSTGRES_PASS';
+ END IF;
+ END
+ \$\$;
+ GRANT ALL PRIVILEGES ON DATABASE "$POSTGRES_DB" TO "$SO_POSTGRES_USER";
+EOSQL
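Review bot: `SO_POSTGRES_PASS` falls back to `''` and `PASSWORD` to whatever `secrets:postgres_pass` holds, and both are fixed at render time before any state runs; on a first highstate `postgres.auth` has not yet written its pillar file (`reload_pillar` affects later execution, not this render), so `so-postgres` is created with `SO_POSTGRES_PASS=` empty and init-users.sh bakes that into the role on initdb, which a later re-render cannot repair because init scripts run only on a fresh cluster. The same hole opens for `POSTGRES_PASSWORD` on a manager whose secrets.sls predates this change. Unless setup applies `postgres.auth` before the first highstate — not visible in this diff — guard both values ahead of `docker_container.running`, e.g. `{% if not PASSWORD or not SO_POSTGRES_PASS %}` followed by a `test.fail_without_changes` naming the missing pillar key, so the state fails loudly rather than initialising a database with empty credentials. Both secrets are also exposed in the container environment (`docker inspect`, `/proc/<pid>/environ`); that matches how other SO services are wired, so this is only a note for the Phase 2 design.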
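Review bot: `CREATE ROLE "$SO_POSTGRES_USER" WITH LOGIN PASSWORD '$SO_POSTGRES_PASS'` splices two environment variables into SQL executed as the superuser, and the script happily runs with an empty `SO_POSTGRES_PASS`, creating a login role with an empty password on the one run that matters. auth.sls keeps `'` out of generated passwords, but an operator-supplied pillar value is unconstrained, and the unquoted heredoc lets bash expand `$`/backtick as well. Refuse to run without both values and hand them to psql as variables expanded with `:'x'`/`:"x"` so PostgreSQL does the quoting; the `IF NOT EXISTS` wrapper is dropped because init scripts execute only on a fresh cluster, where the role cannot already exist. `--username "$POSTGRES_USER"` relies on the image entrypoint defaulting that variable to `postgres`, since enabled.sls does not set it.
```shell
#!/bin/bash
set -e

# Create application user for SOC platform access
# This script runs on first database initialization only
if [ -z "${SO_POSTGRES_USER:-}" ] || [ -z "${SO_POSTGRES_PASS:-}" ]; then
	echo "init-users.sh: SO_POSTGRES_USER and SO_POSTGRES_PASS must be non-empty" >&2
	exit 1
fi

# Values are passed as psql variables and expanded with :'x' / :"x" so psql
# applies SQL literal/identifier quoting; the heredoc is quoted so bash does not.
psql -v ON_ERROR_STOP=1 --username "${POSTGRES_USER:-postgres}" --dbname "$POSTGRES_DB" \
	-v so_user="$SO_POSTGRES_USER" -v so_pass="$SO_POSTGRES_PASS" -v so_db="$POSTGRES_DB" <<-'EOSQL'
	CREATE ROLE :"so_user" WITH LOGIN PASSWORD :'so_pass';
	GRANT ALL PRIVILEGES ON DATABASE :"so_db" TO :"so_user";
EOSQL
```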
diff --git a/salt/postgres/files/postgresql.conf.jinja b/salt/postgres/files/postgresql.conf.jinja
new file mode 100644
index 000000000..6833b3dbc
--- /dev/null
+++ b/salt/postgres/files/postgresql.conf.jinja
@@ -0,0 +1,8 @@
+{# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+ or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+ https://securityonion.net/license; you may not use this file except in compliance with the
+ Elastic License 2.0. #}
+
+{% for key, value in PGMERGED.config.items() %}
+{{ key }} = '{{ value }}'
+{% endfor %}
diff --git a/salt/postgres/init.sls b/salt/postgres/init.sls
new file mode 100644
index 000000000..2e3c9ffb7
--- /dev/null
+++ b/salt/postgres/init.sls
@@ -0,0 +1,13 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'postgres/map.jinja' import PGMERGED %}
+
+include:
+{% if PGMERGED.enabled %}
+ - postgres.enabled
+{% else %}
+ - postgres.disabled
+{% endif %}
diff --git a/salt/postgres/map.jinja b/salt/postgres/map.jinja
new file mode 100644
index 000000000..5250ca8fd
--- /dev/null
+++ b/salt/postgres/map.jinja
@@ -0,0 +1,7 @@
+{# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+ or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+ https://securityonion.net/license; you may not use this file except in compliance with the
+ Elastic License 2.0. #}
+
+{% import_yaml 'postgres/defaults.yaml' as PGDEFAULTS %}
+{% set PGMERGED = salt['pillar.get']('postgres', PGDEFAULTS.postgres, merge=True) %}
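Review bot: `{{ key }} = '{{ value }}'` single-quotes every value without escaping, so a pillar-supplied value containing `'` produces a postgresql.conf the server rejects at start or reload — and because this template is what carries `ssl = 'on'`, a broken file takes TLS down with everything else. PostgreSQL escapes a quote inside a quoted value by doubling it, so `{{ key }} = '{{ value | replace("'", "''") }}'` keeps the template total for any string. Quoting numeric and boolean values (`'100'`, `'on'`) is accepted by PostgreSQL, but a short comment saying so would save the next reader a trip to the docs.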
diff --git a/salt/postgres/sostatus.sls b/salt/postgres/sostatus.sls
new file mode 100644
index 000000000..4a61af3d1
--- /dev/null
+++ b/salt/postgres/sostatus.sls
@@ -0,0 +1,21 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls.split('.')[0] in allowed_states %}
+
+append_so-postgres_so-status.conf:
+ file.append:
+ - name: /opt/so/conf/so-status/so-status.conf
+ - text: so-postgres
+ - unless: grep -q so-postgres /opt/so/conf/so-status/so-status.conf
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+ test.fail_without_changes:
+ - name: {{sls}}_state_not_allowed
+
+{% endif %}
diff --git a/salt/postgres/ssl.sls b/salt/postgres/ssl.sls
new file mode 100644
index 000000000..ebd3ccbc9
--- /dev/null
+++ b/salt/postgres/ssl.sls
@@ -0,0 +1,54 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + +{% from 'allowed_states.map.jinja' import allowed_states %} +{% if sls.split('.')[0] in allowed_states %} +{% from 'vars/globals.map.jinja' import GLOBALS %} +{% from 'ca/map.jinja' import CA %} + +postgres_key: + x509.private_key_managed: + - name: /etc/pki/postgres.key + - keysize: 4096 + - backup: True + - new: True + {% if salt['file.file_exists']('/etc/pki/postgres.key') -%} + - prereq: + - x509: /etc/pki/postgres.crt + {%- endif %} + - retry: + attempts: 5 + interval: 30 + +postgres_crt: + x509.certificate_managed: + - name: /etc/pki/postgres.crt + - ca_server: {{ CA.server }} + - subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }} + - signing_policy: postgres + - private_key: /etc/pki/postgres.key + - CN: {{ GLOBALS.hostname }} + - days_remaining: 7 + - days_valid: 820 + - backup: True + - timeout: 30 + - retry: + attempts: 5 + interval: 30 + +postgresKeyperms: + file.managed: + - replace: False + - name: /etc/pki/postgres.key + - mode: 640 + - group: 939 + +{% else %} + +{{sls}}_state_not_allowed: + test.fail_without_changes: + - name: {{sls}}_state_not_allowed + +{% endif %} diff --git a/salt/top.sls b/salt/top.sls index c7c6aa65d..ff789e89d 100644 --- a/salt/top.sls +++ b/salt/top.sls @@ -68,6 +68,7 @@ base: - backup.config_backup - nginx - influxdb + - postgres - soc - kratos - hydra @@ -95,6 +96,7 @@ base: - backup.config_backup - nginx - influxdb + - postgres - soc - kratos - hydra @@ -123,6 +125,7 @@ base: - registry - nginx - influxdb + - postgres - strelka.manager - soc - kratos @@ -153,6 +156,7 @@ base: - registry - nginx - influxdb + - postgres - strelka.manager - soc - kratos 
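Review bot: `postgresKeyperms` leaves `/etc/pki/postgres.key` root-owned at 0640 with group 939, which is precisely the combination PostgreSQL permits for a key readable by a non-owner (group read is allowed only when the file is owned by root), so that rationale deserves a comment: `# root:939 0640 — PostgreSQL allows g=r only on a root-owned key; the container reads it via the 939 group`. The state carries no requisite on `postgres_key`, so on a run where the `prereq` reorders key generation the chmod can execute before the key exists; add `- require: - x509: postgres_key`. With `new: True` and `backup: True`, each re-key presumably also leaves the previous private key in the minion's file-backup cache, as the neighbouring cert states likely do — worth knowing for rotation hygiene. Whether uid 939 is the account the so-postgres image actually runs the server as is not visible here; if it is not, the key is unreadable and TLS never comes up.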
@@ -181,6 +185,7 @@ base: - manager - nginx - influxdb + - postgres - strelka.manager - soc - kratos diff --git a/setup/so-functions b/setup/so-functions index bf95ea9d8..8be08a27c 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -821,6 +821,7 @@ create_manager_pillars() { soc_pillar idh_pillar influxdb_pillar + postgres_pillar logrotate_pillar patch_pillar nginx_pillar @@ -1053,6 +1054,7 @@ generate_passwords(){ HYDRAKEY=$(get_random_value) HYDRASALT=$(get_random_value) REDISPASS=$(get_random_value) + POSTGRESPASS=$(get_random_value) SOCSRVKEY=$(get_random_value 64) IMPORTPASS=$(get_random_value) } @@ -1355,6 +1357,12 @@ influxdb_pillar() { " token: $INFLUXTOKEN" > $local_salt_dir/pillar/influxdb/token.sls } +postgres_pillar() { + title "Create the postgres pillar file" + touch $adv_postgres_pillar_file + touch $postgres_pillar_file +} + make_some_dirs() { mkdir -p /nsm mkdir -p "$default_salt_dir" @@ -1364,7 +1372,7 @@ make_some_dirs() { mkdir -p $local_salt_dir/salt/firewall/portgroups mkdir -p $local_salt_dir/salt/firewall/ports - for THEDIR in bpf elasticsearch ntp firewall redis backup influxdb strelka sensoroni soc docker zeek suricata nginx telegraf logstash soc manager kratos hydra idh elastalert stig global kafka versionlock hypervisor vm; do + for THEDIR in bpf elasticsearch ntp firewall redis backup influxdb postgres strelka sensoroni soc docker zeek suricata nginx telegraf logstash soc manager kratos hydra idh elastalert stig global kafka versionlock hypervisor vm; do mkdir -p $local_salt_dir/pillar/$THEDIR touch $local_salt_dir/pillar/$THEDIR/adv_$THEDIR.sls touch $local_salt_dir/pillar/$THEDIR/soc_$THEDIR.sls @@ -1832,7 +1840,8 @@ secrets_pillar(){ printf '%s\n'\ "secrets:"\ " import_pass: $IMPORTPASS"\ - " influx_pass: $INFLUXPASS" > $local_salt_dir/pillar/secrets.sls + " influx_pass: $INFLUXPASS"\ + " postgres_pass: $POSTGRESPASS" > $local_salt_dir/pillar/secrets.sls fi } 
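Review bot: `postgres_pass` is written to secrets.sls only inside the guarded branch of `secrets_pillar()` that ends at the visible `fi` (its condition is outside the hunk), which on the usual setup flow means fresh installs only; an upgraded manager keeps its existing secrets.sls, enabled.sls then renders `POSTGRES_PASSWORD=` empty, and the superuser is initialised without a password the first time so-postgres starts. If that condition is a fresh-install check, the upgrade path (soup or the first-boot hook) needs an equivalent `postgres_pass` append, or enabled.sls needs to refuse to start with an empty value. `postgres_pillar()` also repeats the `touch` already performed by the `make_some_dirs` loop now that `postgres` is in its list; harmless, but one of the two can go.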
diff --git a/setup/so-variables b/setup/so-variables index a0d7aadc1..975debf20 100644 --- a/setup/so-variables +++ b/setup/so-variables @@ -202,6 +202,12 @@ export influxdb_pillar_file adv_influxdb_pillar_file="$local_salt_dir/pillar/influxdb/adv_influxdb.sls" export adv_influxdb_pillar_file +postgres_pillar_file="$local_salt_dir/pillar/postgres/soc_postgres.sls" +export postgres_pillar_file + +adv_postgres_pillar_file="$local_salt_dir/pillar/postgres/adv_postgres.sls" +export adv_postgres_pillar_file + logrotate_pillar_file="$local_salt_dir/pillar/logrotate/soc_logrotate.sls" export logrotate_pillar_file