common name changes, allow cert to be managed regardless of expire date for heavy node

m0duspwnens
2021-07-07 10:22:37 -04:00
parent c4293c6119
commit 9c2ead16cc


@@ -62,7 +62,7 @@ removeesp12dir:
/etc/pki/influxdb.key: /etc/pki/influxdb.key:
x509.private_key_managed: x509.private_key_managed:
- CN: {{ COMMONNAME }} - CN: {{ manager }}
- bits: 4096 - bits: 4096
- days_remaining: 0 - days_remaining: 0
- days_valid: 820 - days_valid: 820
@@ -83,15 +83,17 @@ removeesp12dir:
- ca_server: {{ ca_server }} - ca_server: {{ ca_server }}
- signing_policy: influxdb - signing_policy: influxdb
- public_key: /etc/pki/influxdb.key - public_key: /etc/pki/influxdb.key
- CN: {{ COMMONNAME }} - CN: {{ manager }}
- subjectAltName: DNS:{{ HOSTNAME }} - subjectAltName: DNS:{{ HOSTNAME }}
- days_remaining: 0 - days_remaining: 0
- days_valid: 820 - days_valid: 820
- backup: True - backup: True
{% if grains.role not in ['so-heavynode'] %}
- unless: - unless:
# https://github.com/saltstack/salt/issues/52167 # https://github.com/saltstack/salt/issues/52167
# Will trigger 5 days (432000 sec) from cert expiration # Will trigger 5 days (432000 sec) from cert expiration
- 'enddate=$(date -d "$(openssl x509 -in /etc/pki/influxdb.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]' - 'enddate=$(date -d "$(openssl x509 -in /etc/pki/influxdb.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]'
{% endif %}
- timeout: 30 - timeout: 30
- retry: - retry:
attempts: 5 attempts: 5
@@ -132,10 +134,12 @@ influxkeyperms:
- days_remaining: 0 - days_remaining: 0
- days_valid: 820 - days_valid: 820
- backup: True - backup: True
{% if grains.role not in ['so-heavynode'] %}
- unless: - unless:
# https://github.com/saltstack/salt/issues/52167 # https://github.com/saltstack/salt/issues/52167
# Will trigger 5 days (432000 sec) from cert expiration # Will trigger 5 days (432000 sec) from cert expiration
- 'enddate=$(date -d "$(openssl x509 -in /etc/pki/redis.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]' - 'enddate=$(date -d "$(openssl x509 -in /etc/pki/redis.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]'
{% endif %}
- timeout: 30 - timeout: 30
- retry: - retry:
attempts: 5 attempts: 5
@@ -177,10 +181,12 @@ rediskeyperms:
- days_remaining: 0 - days_remaining: 0
- days_valid: 820 - days_valid: 820
- backup: True - backup: True
{% if grains.role not in ['so-heavynode'] %}
- unless: - unless:
# https://github.com/saltstack/salt/issues/52167 # https://github.com/saltstack/salt/issues/52167
# Will trigger 5 days (432000 sec) from cert expiration # Will trigger 5 days (432000 sec) from cert expiration
- 'enddate=$(date -d "$(openssl x509 -in /etc/pki/filebeat.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]' - 'enddate=$(date -d "$(openssl x509 -in /etc/pki/filebeat.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]'
{% endif %}
- timeout: 30 - timeout: 30
- retry: - retry:
attempts: 5 attempts: 5
@@ -229,7 +235,7 @@ fbcrtlink:
/etc/pki/registry.key: /etc/pki/registry.key:
x509.private_key_managed: x509.private_key_managed:
- CN: {{ COMMONNAME }} - CN: {{ manager }}
- bits: 4096 - bits: 4096
- days_remaining: 0 - days_remaining: 0
- days_valid: 820 - days_valid: 820
@@ -250,7 +256,7 @@ fbcrtlink:
- ca_server: {{ ca_server }} - ca_server: {{ ca_server }}
- signing_policy: registry - signing_policy: registry
- public_key: /etc/pki/registry.key - public_key: /etc/pki/registry.key
- CN: {{ COMMONNAME }} - CN: {{ manager }}
- days_remaining: 0 - days_remaining: 0
- days_valid: 820 - days_valid: 820
- backup: True - backup: True
@@ -272,7 +278,7 @@ regkeyperms:
/etc/pki/minio.key: /etc/pki/minio.key:
x509.private_key_managed: x509.private_key_managed:
- CN: {{ COMMONNAME }} - CN: {{ manager }}
- bits: 4096 - bits: 4096
- days_remaining: 0 - days_remaining: 0
- days_valid: 820 - days_valid: 820
@@ -293,7 +299,7 @@ regkeyperms:
- ca_server: {{ ca_server }} - ca_server: {{ ca_server }}
- signing_policy: registry - signing_policy: registry
- public_key: /etc/pki/minio.key - public_key: /etc/pki/minio.key
- CN: {{ COMMONNAME }} - CN: {{ manager }}
- days_remaining: 0 - days_remaining: 0
- days_valid: 820 - days_valid: 820
- backup: True - backup: True
@@ -340,10 +346,12 @@ miniokeyperms:
- days_remaining: 0 - days_remaining: 0
- days_valid: 820 - days_valid: 820
- backup: True - backup: True
{% if grains.role not in ['so-heavynode'] %}
- unless: - unless:
# https://github.com/saltstack/salt/issues/52167 # https://github.com/saltstack/salt/issues/52167
# Will trigger 5 days (432000 sec) from cert expiration # Will trigger 5 days (432000 sec) from cert expiration
- 'enddate=$(date -d "$(openssl x509 -in /etc/pki/elasticsearch.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]' - 'enddate=$(date -d "$(openssl x509 -in /etc/pki/elasticsearch.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]'
{% endif %}
- timeout: 30 - timeout: 30
- retry: - retry:
attempts: 5 attempts: 5
@@ -369,7 +377,7 @@ elasticp12perms:
/etc/pki/managerssl.key: /etc/pki/managerssl.key:
x509.private_key_managed: x509.private_key_managed:
- CN: {{ COMMONNAME }} - CN: {{ manager }}
- bits: 4096 - bits: 4096
- days_remaining: 0 - days_remaining: 0
- days_valid: 820 - days_valid: 820
@@ -390,7 +398,7 @@ elasticp12perms:
- ca_server: {{ ca_server }} - ca_server: {{ ca_server }}
- signing_policy: managerssl - signing_policy: managerssl
- public_key: /etc/pki/managerssl.key - public_key: /etc/pki/managerssl.key
- CN: {{ COMMONNAME }} - CN: {{ manager }}
- subjectAltName: DNS:{{ HOSTNAME }}, IP:{{ MAINIP }} {% if CUSTOM_FLEET_HOSTNAME != None %},DNS:{{ CUSTOM_FLEET_HOSTNAME }} {% endif %} - subjectAltName: DNS:{{ HOSTNAME }}, IP:{{ MAINIP }} {% if CUSTOM_FLEET_HOSTNAME != None %},DNS:{{ CUSTOM_FLEET_HOSTNAME }} {% endif %}
- days_remaining: 0 - days_remaining: 0
- days_valid: 820 - days_valid: 820
@@ -414,7 +422,7 @@ msslkeyperms:
# Create a private key and cert for OSQuery # Create a private key and cert for OSQuery
/etc/pki/fleet.key: /etc/pki/fleet.key:
x509.private_key_managed: x509.private_key_managed:
- CN: {{ COMMONNAME }} - CN: {{ manager }}
- bits: 4096 - bits: 4096
- days_remaining: 0 - days_remaining: 0
- days_valid: 820 - days_valid: 820
@@ -432,7 +440,7 @@ msslkeyperms:
/etc/pki/fleet.crt: /etc/pki/fleet.crt:
x509.certificate_managed: x509.certificate_managed:
- signing_private_key: /etc/pki/fleet.key - signing_private_key: /etc/pki/fleet.key
- CN: {{ COMMONNAME }} - CN: {{ manager }}
- subjectAltName: DNS:{{ manager }},IP:{{ managerip }} - subjectAltName: DNS:{{ manager }},IP:{{ managerip }}
- days_remaining: 0 - days_remaining: 0
- days_valid: 820 - days_valid: 820
@@ -488,10 +496,12 @@ fbcertdir:
- days_remaining: 0 - days_remaining: 0
- days_valid: 820 - days_valid: 820
- backup: True - backup: True
{% if grains.role not in ['so-heavynode'] %}
- unless: - unless:
# https://github.com/saltstack/salt/issues/52167 # https://github.com/saltstack/salt/issues/52167
# Will trigger 5 days (432000 sec) from cert expiration # Will trigger 5 days (432000 sec) from cert expiration
- 'enddate=$(date -d "$(openssl x509 -in /opt/so/conf/filebeat/etc/pki/filebeat.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]' - 'enddate=$(date -d "$(openssl x509 -in /opt/so/conf/filebeat/etc/pki/filebeat.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]'
{% endif %}
- timeout: 30 - timeout: 30
- retry: - retry:
attempts: 5 attempts: 5
@@ -525,7 +535,7 @@ chownfilebeatp8:
/etc/pki/managerssl.key: /etc/pki/managerssl.key:
x509.private_key_managed: x509.private_key_managed:
- CN: {{ COMMONNAME }} - CN: {{ manager }}
- bits: 4096 - bits: 4096
- days_remaining: 0 - days_remaining: 0
- days_valid: 820 - days_valid: 820
@@ -570,7 +580,7 @@ msslkeyperms:
# Create a private key and cert for Fleet # Create a private key and cert for Fleet
/etc/pki/fleet.key: /etc/pki/fleet.key:
x509.private_key_managed: x509.private_key_managed:
- CN: {{ COMMONNAME }} - CN: {{ manager }}
- bits: 4096 - bits: 4096
- days_remaining: 0 - days_remaining: 0
- days_valid: 820 - days_valid: 820
@@ -615,7 +625,7 @@ fleetkeyperms:
# Create a cert for elasticsearch # Create a cert for elasticsearch
/etc/pki/elasticsearch.key: /etc/pki/elasticsearch.key:
x509.private_key_managed: x509.private_key_managed:
- CN: {{ COMMONNAME }} - CN: {{ manager }}
- bits: 4096 - bits: 4096
- days_remaining: 0 - days_remaining: 0
- days_valid: 820 - days_valid: 820
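Review bot: The `{% if grains.role not in ['so-heavynode'] %}` wrapper added around the `unless:` guard in the influxdb, redis, filebeat, elasticsearch and conf/filebeat certificate hunks has no comment, and the existing `# Will trigger 5 days (432000 sec) from cert expiration` line no longer describes heavy nodes, where the state is now evaluated on every run. A Jinja comment above the condition would record the intent, for example `{# heavy node: skip the expiry guard so a changed CN is applied on the next run #}`. Because the same states set `days_remaining: 0`, it is worth confirming that a heavy-node certificate is still reissued before it expires, and that an unchanged certificate is not re-requested from `ca_server` on each run (with `backup: True` that would also leave a backup copy every time). The condition is repeated verbatim five times, so a single `{% set %}` for it would keep the role list in one place; the certificate states themselves begin outside these hunks, so the rest of their arguments is not visible here.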