Merge branch 'dev' into foxtrot

William Wernert
2021-10-29 10:01:46 -04:00
29 changed files with 334 additions and 146 deletions


@@ -30,6 +30,9 @@
{% set ca_server = global_ca_server[0] %}
{% endif %}
include:
- ca
# Trust the CA
trusttheca:
x509.pem_managed:
@@ -64,8 +67,9 @@ removeesp12dir:
- name: /etc/pki/elasticsearch.p12
- onlyif: "[ -d /etc/pki/elasticsearch.p12 ]"
/etc/pki/influxdb.key:
influxdb_key:
x509.private_key_managed:
- name: /etc/pki/influxdb.key
- CN: {{ manager }}
- bits: 4096
- days_remaining: 0
@@ -82,8 +86,9 @@ removeesp12dir:
interval: 30
# Create a cert for the talking to influxdb
/etc/pki/influxdb.crt:
influxdb_crt:
x509.certificate_managed:
- name: /etc/pki/influxdb.crt
- ca_server: {{ ca_server }}
- signing_policy: influxdb
- public_key: /etc/pki/influxdb.key
@@ -112,8 +117,9 @@ influxkeyperms:
{% if grains['role'] in ['so-manager', 'so-eval', 'so-helix', 'so-managersearch', 'so-standalone', 'so-import', 'so-heavynode', 'so-fleet'] %}
# Create a cert for Redis encryption
/etc/pki/redis.key:
redis_key:
x509.private_key_managed:
- name: /etc/pki/redis.key
- CN: {{ COMMONNAME }}
- bits: 4096
- days_remaining: 0
@@ -129,8 +135,9 @@ influxkeyperms:
attempts: 5
interval: 30
/etc/pki/redis.crt:
redis_crt:
x509.certificate_managed:
- name: /etc/pki/redis.crt
- ca_server: {{ ca_server }}
- signing_policy: registry
- public_key: /etc/pki/redis.key
@@ -158,8 +165,9 @@ rediskeyperms:
{% endif %}
{% if grains['role'] in ['so-manager', 'so-eval', 'so-helix', 'so-managersearch', 'so-standalone', 'so-import', 'so-heavynode'] %}
/etc/pki/filebeat.key:
etc_filebeat_key:
x509.private_key_managed:
- name: /etc/pki/filebeat.key
- CN: {{ COMMONNAME }}
- bits: 4096
- days_remaining: 0
@@ -168,7 +176,7 @@ rediskeyperms:
- new: True
{% if salt['file.file_exists']('/etc/pki/filebeat.key') -%}
- prereq:
- x509: /etc/pki/filebeat.crt
- x509: etc_filebeat_crt
{%- endif %}
- timeout: 30
- retry:
@@ -176,8 +184,9 @@ rediskeyperms:
interval: 30
# Request a cert and drop it where it needs to go to be distributed
/etc/pki/filebeat.crt:
etc_filebeat_crt:
x509.certificate_managed:
- name: /etc/pki/filebeat.crt
- ca_server: {{ ca_server }}
- signing_policy: filebeat
- public_key: /etc/pki/filebeat.key
@@ -198,7 +207,7 @@ rediskeyperms:
cmd.run:
- name: "/usr/bin/openssl pkcs8 -in /etc/pki/filebeat.key -topk8 -out /etc/pki/filebeat.p8 -nocrypt"
- onchanges:
- x509: /etc/pki/filebeat.key
- x509: etc_filebeat_key
fbperms:
@@ -237,8 +246,9 @@ fbcrtlink:
- user: socore
- group: socore
/etc/pki/registry.key:
registry_key:
x509.private_key_managed:
- name: /etc/pki/registry.key
- CN: {{ manager }}
- bits: 4096
- days_remaining: 0
@@ -255,8 +265,9 @@ fbcrtlink:
interval: 30
# Create a cert for the docker registry
/etc/pki/registry.crt:
registry_crt:
x509.certificate_managed:
- name: /etc/pki/registry.crt
- ca_server: {{ ca_server }}
- signing_policy: registry
- public_key: /etc/pki/registry.key
@@ -280,8 +291,9 @@ regkeyperms:
- mode: 640
- group: 939
/etc/pki/minio.key:
minio_key:
x509.private_key_managed:
- name: /etc/pki/minio.key
- CN: {{ manager }}
- bits: 4096
- days_remaining: 0
@@ -298,8 +310,9 @@ regkeyperms:
interval: 30
# Create a cert for minio
/etc/pki/minio.crt:
minio_crt:
x509.certificate_managed:
- name: /etc/pki/minio.crt
- ca_server: {{ ca_server }}
- signing_policy: registry
- public_key: /etc/pki/minio.key
@@ -379,8 +392,9 @@ elasticp12perms:
- mode: 640
- group: 930
/etc/pki/managerssl.key:
managerssl_key:
x509.private_key_managed:
- name: /etc/pki/managerssl.key
- CN: {{ manager }}
- bits: 4096
- days_remaining: 0
@@ -397,8 +411,9 @@ elasticp12perms:
interval: 30
# Create a cert for the reverse proxy
/etc/pki/managerssl.crt:
managerssl_crt:
x509.certificate_managed:
- name: /etc/pki/managerssl.crt
- ca_server: {{ ca_server }}
- signing_policy: managerssl
- public_key: /etc/pki/managerssl.key
@@ -424,8 +439,9 @@ msslkeyperms:
- group: 939
# Create a private key and cert for OSQuery
/etc/pki/fleet.key:
fleet_key:
x509.private_key_managed:
- name: /etc/pki/fleet.key
- CN: {{ manager }}
- bits: 4096
- days_remaining: 0
@@ -441,8 +457,9 @@ msslkeyperms:
attempts: 5
interval: 30
/etc/pki/fleet.crt:
fleet_crt:
x509.certificate_managed:
- name: /etc/pki/fleet.crt
- signing_private_key: /etc/pki/fleet.key
- CN: {{ manager }}
- subjectAltName: DNS:{{ manager }},IP:{{ managerip }}{% if CUSTOM_FLEET_HOSTNAME != None %},DNS:{{ CUSTOM_FLEET_HOSTNAME }}{% endif %}
@@ -473,8 +490,9 @@ fbcertdir:
- name: /opt/so/conf/filebeat/etc/pki
- makedirs: True
/opt/so/conf/filebeat/etc/pki/filebeat.key:
conf_filebeat_key:
x509.private_key_managed:
- name: /opt/so/conf/filebeat/etc/pki/filebeat.key
- CN: {{ COMMONNAME }}
- bits: 4096
- days_remaining: 0
@@ -483,7 +501,7 @@ fbcertdir:
- new: True
{% if salt['file.file_exists']('/opt/so/conf/filebeat/etc/pki/filebeat.key') -%}
- prereq:
- x509: /opt/so/conf/filebeat/etc/pki/filebeat.crt
- x509: conf_filebeat_crt
{%- endif %}
- timeout: 30
- retry:
@@ -491,8 +509,9 @@ fbcertdir:
interval: 30
# Request a cert and drop it where it needs to go to be distributed
/opt/so/conf/filebeat/etc/pki/filebeat.crt:
conf_filebeat_crt:
x509.certificate_managed:
- name: /opt/so/conf/filebeat/etc/pki/filebeat.crt
- ca_server: {{ ca_server }}
- signing_policy: filebeat
- public_key: /opt/so/conf/filebeat/etc/pki/filebeat.key
@@ -516,7 +535,7 @@ filebeatpkcs:
cmd.run:
- name: "/usr/bin/openssl pkcs8 -in /opt/so/conf/filebeat/etc/pki/filebeat.key -topk8 -out /opt/so/conf/filebeat/etc/pki/filebeat.p8 -passout pass:"
- onchanges:
- x509: /opt/so/conf/filebeat/etc/pki/filebeat.key
- x509: conf_filebeat_key
filebeatkeyperms:
file.managed:
@@ -537,8 +556,9 @@ chownfilebeatp8:
{% if grains['role'] == 'so-fleet' %}
/etc/pki/managerssl.key:
managerssl_key:
x509.private_key_managed:
- name: /etc/pki/managerssl.key
- CN: {{ manager }}
- bits: 4096
- days_remaining: 0
@@ -555,8 +575,9 @@ chownfilebeatp8:
interval: 30
# Create a cert for the reverse proxy
/etc/pki/managerssl.crt:
managerssl_crt:
x509.certificate_managed:
- name: /etc/pki/managerssl.crt
- ca_server: {{ ca_server }}
- signing_policy: managerssl
- public_key: /etc/pki/managerssl.key
@@ -582,8 +603,9 @@ msslkeyperms:
- group: 939
# Create a private key and cert for Fleet
/etc/pki/fleet.key:
fleet_key:
x509.private_key_managed:
- name: /etc/pki/fleet.key
- CN: {{ manager }}
- bits: 4096
- days_remaining: 0
@@ -599,8 +621,9 @@ msslkeyperms:
attempts: 5
interval: 30
/etc/pki/fleet.crt:
fleet_crt:
x509.certificate_managed:
- name: /etc/pki/fleet.crt
- signing_private_key: /etc/pki/fleet.key
- CN: {{ HOSTNAME }}
- subjectAltName: DNS:{{ HOSTNAME }}, IP:{{ MAINIP }} {% if CUSTOM_FLEET_HOSTNAME != None %},DNS:{{ CUSTOM_FLEET_HOSTNAME }} {% endif %}
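Review bot: In the two `filebeatpkcs` hunks (`@@ -198,7 +207,7 @@` and `@@ -516,7 +535,7 @@`) the `cmd.run` that exports the key with `openssl pkcs8 ... -nocrypt` / `-passout pass:` writes an unencrypted PKCS#8 private key to `/etc/pki/filebeat.p8` (and the `/opt/so/conf/...` copy) using whatever umask the minion runs with, and the commit only retargets its `onchanges` to the new `etc_filebeat_key` / `conf_filebeat_key` IDs without constraining that. The `fbperms` and `filebeatkeyperms` states that follow presumably tighten the mode afterwards, but their bodies are outside the hunks, so there is at least a window where the plaintext key may be created world-readable. Salt's `cmd.run` accepts a umask argument, so the smallest fix is to add `- umask: "077"` under each of these two `cmd.run` stanzas (quoted so YAML does not reinterpret the octal). Unrelated but worth a glance while here: the `fleet_crt` SAN on the `so-fleet` branch is written `DNS:{{ HOSTNAME }}, IP:{{ MAINIP }} {% if ... %},DNS:...{% endif %}` with embedded spaces, whereas the manager-role variant on the earlier `fleet_crt` hunk has none; whether the x509 module tolerates that whitespace I cannot confirm from here, so making them identical is the safe option. The file header for this section is not visible and the section may continue past the last line shown.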