Merge pull request #7608 from Security-Onion-Solutions/fix/telegraf-non-root

FIX: Run telegraf as non-root #7468

salt/common/init.sls

@@ -300,8 +300,17 @@ sostatus_log:
     - month: '*'
     - dayweek: '*'
 
-
 {% if role in ['eval', 'manager', 'managersearch', 'standalone'] %}
+# Install cron job to determine size of influxdb for telegraf
+'du -s -k /nsm/influxdb | cut -f1 > /opt/so/log/telegraf/influxdb_size.log 2>&1':
+  cron.present:
+    - user: root
+    - minute: '*/1'
+    - hour: '*'
+    - daymonth: '*'
+    - month: '*'
+    - dayweek: '*'
+    
 # Lock permissions on the backup directory
 backupdir:
   file.directory:

salt/telegraf/init.sls

@@ -13,7 +13,12 @@ tgraflogdir:
   file.directory:
     - name: /opt/so/log/telegraf
     - makedirs: True
-
+    - user: 939
+    - group: 939
+    - recurse:
+      - user
+      - group
+      
 tgrafetcdir:
   file.directory:
     - name: /opt/so/conf/telegraf/etc
@@ -29,7 +34,7 @@ tgrafsyncscripts:
     - name: /opt/so/conf/telegraf/scripts
     - user: root
     - group: 939
-    - file_mode: 700
+    - file_mode: 770
     - template: jinja
     - source: salt://telegraf/scripts
 {% if salt['pillar.get']('global:mdengine', 'ZEEK') == 'SURICATA' %}
@@ -57,6 +62,8 @@ node_config:
 so-telegraf:
   docker_container.running:
     - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-telegraf:{{ VERSION }}
+    - user: 939
+    - group_add: 939,920
     - environment:
       - HOST_PROC=/host/proc
       - HOST_ETC=/host/etc

salt/telegraf/scripts/influxdbsize.sh

@@ -18,9 +18,12 @@
 # if this script isn't already running
 if [[ ! "`pidof -x $(basename $0) -o %PPID`" ]]; then
 
-    INFLUXSIZE=$(du -s -k /host/nsm/influxdb | awk {'print $1'})
+    INFLUXLOG=/var/log/telegraf/influxdb_size.log
-    echo "influxsize kbytes=$INFLUXSIZE"
+ 
-    
+    if [ -f "$INFLUXLOG" ]; then
+        INFLUXSTATUS=$(cat $INFLUXLOG)
+        echo "influxsize kbytes=$INFLUXSTATUS"
+    fi
 fi
 
 exit 0