From 8f97973fac8dc92dd6b3bd99748ed3b5ebf42f4a Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Fri, 5 Feb 2021 22:17:31 -0500 Subject: [PATCH 1/4] Lock down Backups folder permissions --- salt/common/init.sls | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/salt/common/init.sls b/salt/common/init.sls index b0289ed32..ff01dec5d 100644 --- a/salt/common/init.sls +++ b/salt/common/init.sls @@ -231,6 +231,14 @@ commonlogrotateconf: - dayweek: '*' {% if role in ['eval', 'manager', 'managersearch', 'standalone'] %} +# Lock permissions on the backup directory +file.directory: + - name: /nsm/backup + - user: 0 + - group: 0 + - makedirs: True + - mode: 700 + # Add config backup /usr/sbin/so-config-backup > /dev/null 2>&1: cron.present: From bf79c9245615a92049382746eee0653b1073f032 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Fri, 5 Feb 2021 22:31:08 -0500 Subject: [PATCH 2/4] Lock down Backups folder permissions --- salt/common/tools/sbin/so-config-backup | 2 ++ 1 file changed, 2 insertions(+) diff --git a/salt/common/tools/sbin/so-config-backup b/salt/common/tools/sbin/so-config-backup index dc8dc55a2..3b5c082ca 100755 --- a/salt/common/tools/sbin/so-config-backup +++ b/salt/common/tools/sbin/so-config-backup @@ -33,6 +33,8 @@ if [ ! -f $BACKUPFILE ]; then {%- for LOCATION in BACKUPLOCATIONS %} tar -rf $BACKUPFILE {{ LOCATION }} {%- endfor %} + tar -rf $BACKUPFILE /etc/pki + tar -rf /etc/salt fi From a3ca84db661545ea688b7098ea322a8bbaaa42a6 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Sat, 6 Feb 2021 15:32:42 -0500 Subject: [PATCH 3/4] Fix backupdir name state --- salt/common/init.sls | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/salt/common/init.sls b/salt/common/init.sls index ff01dec5d..870ae177f 100644 --- a/salt/common/init.sls +++ b/salt/common/init.sls 
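Review bot: `- mode: 700` in the new `file.directory` state is an unquoted YAML integer; Salt's documentation recommends writing modes as quoted strings so the YAML loader cannot reinterpret the value, e.g. `- mode: '0700'`. The state also sets the mode of `/nsm/backup` itself only, so archives already in it keep whatever mode they were created with. That is acceptable while the root-only directory blocks traversal, but the comment should say so, e.g. `# Root-only: archives inside rely on this directory mode for protection`.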
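Review bot: The two added `tar -rf` lines put `/etc/pki` and `/etc/salt` into the archive, and those trees normally hold private keys, yet nothing in the hunk controls the mode of `$BACKUPFILE` itself. Its protection presumably rests on the 700 mode of `/nsm/backup` set in the first patch of this series; the definition of `BACKUPFILE` is outside the hunk, so confirm it points there. Setting `umask 077` before the first `tar` call would make the archive root-only wherever it is written, and anything that copies it off the host should treat it as key material. The enclosing `if` block starts outside the hunk.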
@@ -232,7 +232,8 @@ commonlogrotateconf: {% if role in ['eval', 'manager', 'managersearch', 'standalone'] %} # Lock permissions on the backup directory -file.directory: +backupdir: + file.directory: - name: /nsm/backup - user: 0 - group: 0 @@ -294,4 +295,4 @@ dockerreserveports: test.fail_without_changes: - name: {{sls}}_state_not_allowed -{% endif %} \ No newline at end of file +{% endif %} From 5043b970ef0db2eaddf9b506437fd109a687dcc6 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Sat, 6 Feb 2021 19:14:44 -0500 Subject: [PATCH 4/4] Fix tar syntax --- salt/common/tools/sbin/so-config-backup | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/common/tools/sbin/so-config-backup b/salt/common/tools/sbin/so-config-backup index 3b5c082ca..f68417c6a 100755 --- a/salt/common/tools/sbin/so-config-backup +++ b/salt/common/tools/sbin/so-config-backup @@ -34,7 +34,7 @@ if [ ! -f $BACKUPFILE ]; then tar -rf $BACKUPFILE {{ LOCATION }} {%- endfor %} tar -rf $BACKUPFILE /etc/pki - tar -rf /etc/salt + tar -rf $BACKUPFILE /etc/salt fi
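Review bot: The corrected `tar -rf $BACKUPFILE /etc/salt` still has its exit status ignored, and the cron entry shown in the first patch of this series runs the script with `> /dev/null 2>&1`. A failing append, like the malformed call this line replaces, therefore leaves no trace, and an incomplete backup looks like a good one. Checking each `tar` result and reporting through syslog would surface it, e.g. `tar -rf "$BACKUPFILE" /etc/salt || logger -t so-config-backup "backup of /etc/salt failed"`. Quoting `$BACKUPFILE` also guards against word splitting if the path ever contains spaces. The enclosing `if` block starts outside the hunk.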