From be5f4b04c65822bc8f7dae334f6cad565a9df025 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Mon, 6 Jul 2020 17:21:23 -0400
Subject: [PATCH] Fix SSL Perms
---
 salt/ca/init.sls | 7 ++++++
 salt/ssl/init.sls | 55 +++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 62 insertions(+)
diff --git a/salt/ca/init.sls b/salt/ca/init.sls
index f3a1d431e..60d7adb3a 100644
--- a/salt/ca/init.sls
+++ b/salt/ca/init.sls
@@ -44,3 +44,10 @@ send_x509_pem_entries_to_mine:
 - mine.send:
 - func: x509.get_pem_entries
 - glob_path: /etc/pki/ca.crt
+
+cakeyperms:
+ file.managed:
+ - replace: False
+ - name: /etc/pki/ca.key
+ - mode: 640
+ - group: 939
diff --git a/salt/ssl/init.sls b/salt/ssl/init.sls
index fb8e9571a..bd7ab24b7 100644
--- a/salt/ssl/init.sls
+++ b/salt/ssl/init.sls
@@ -52,6 +52,13 @@ m2cryptopkgs:
 bits: 4096
 backup: True
+influxkeyperms:
+ file.managed:
+ - replace: False
+ - name: /etc/pki/influxdb.key
+ - mode: 640
+ - group: 939
+
 {% if grains['role'] in ['so-master', 'so-eval', 'so-helix', 'so-mastersearch', 'so-standalone'] %}
 # Request a cert and drop it where it needs to go to be distributed
@@ -75,6 +82,13 @@ m2cryptopkgs:
 cmd.run:
 - name: "/usr/bin/openssl pkcs8 -in /etc/pki/filebeat.key -topk8 -out /etc/pki/filebeat.p8 -nocrypt"
+filebeatkeyperms:
+ file.managed:
+ - replace: False
+ - name: /etc/pki/filebeat.key
+ - mode: 640
+ - group: 939
+
 chownilogstashfilebeatp8:
 file.managed:
 - replace: False
@@ -114,6 +128,13 @@ fbcrtlink:
 bits: 4096
 backup: True
+regkeyperms:
+ file.managed:
+ - replace: False
+ - name: /etc/pki/registry.key
+ - mode: 640
+ - group: 939
+
 # Create a cert for the reverse proxy
 /etc/pki/masterssl.crt:
 x509.certificate_managed:
@@ -129,6 +150,13 @@ fbcrtlink:
 bits: 4096
 backup: True
+msslkeyperms:
+ file.managed:
+ - replace: False
+ - name: /etc/pki/masterssl.key
+ - mode: 640
+ - group: 939
+
 # Create a private key and cert for OSQuery
 /etc/pki/fleet.key:
 x509.private_key_managed:
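Review bot: `cakeyperms` makes the CA private key group-readable by a bare numeric GID with nothing in the state recording which service needs that access, and because `file.managed` creates its target when the file is absent (`create` defaults to True), this state can leave an empty `/etc/pki/ca.key` behind if it ever runs before the key is generated. A comment such as `# ca.key is group-readable so <SERVICE> can read it; keep this group minimal` (service name to be confirmed) and `- create: False` next to `- replace: False` would record the intent and restrict the state to an existing key; a `- require:` on the state that produces the key would also pin the ordering, but that state is outside the hunk. The same points apply to every `*keyperms` state added to salt/ssl/init.sls in the later hunks.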
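Review bot: The state ID `filebeatkeyperms` added in the @@ -75 hunk is reused by the @@ -183 hunk for `/opt/so/conf/filebeat/etc/pki/filebeat.key`, and `msslkeyperms` and `fleetkeyperms` are likewise reused at @@ -211 and @@ -234 for the same paths as in the first Jinja branch. The two role lists overlap (so-master, so-eval, so-helix, so-mastersearch and so-standalone appear in both), so unless a nested condition outside these hunks keeps the branches from rendering together, Salt's YAML loader rejects the rendered SLS for a conflicting ID on those roles and none of the permission fixes apply there. Role-specific IDs avoid the collision regardless of the surrounding Jinja, e.g. `sensorfilebeatkeyperms:` for the /opt/so/conf path and matching `sensormsslkeyperms:` / `sensorfleetkeyperms:` in the second branch.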
@@ -151,6 +179,13 @@ fbcrtlink:
 bits: 4096
 backup: True
+fleetkeyperms:
+ file.managed:
+ - replace: False
+ - name: /etc/pki/fleet.key
+ - mode: 640
+ - group: 939
+
 {% endif %}
 {% if grains['role'] in ['so-sensor', 'so-master', 'so-node', 'so-eval', 'so-helix', 'so-mastersearch', 'so-heavynode', 'so-fleet', 'so-standalone'] %}
@@ -183,6 +218,13 @@ filebeatpkcs:
 cmd.run:
 - name: "/usr/bin/openssl pkcs8 -in /opt/so/conf/filebeat/etc/pki/filebeat.key -topk8 -out /opt/so/conf/filebeat/etc/pki/filebeat.p8 -passout pass:"
+filebeatkeyperms:
+ file.managed:
+ - replace: False
+ - name: /opt/so/conf/filebeat/etc/pki/filebeat.key
+ - mode: 640
+ - group: 939
+
 chownfilebeatp8:
 file.managed:
 - replace: False
@@ -211,6 +253,12 @@ chownfilebeatp8:
 bits: 4096
 backup: True
+msslkeyperms:
+ file.managed:
+ - replace: False
+ - name: /etc/pki/masterssl.key
+ - mode: 640
+ - group: 939
 # Create a private key and cert for Fleet
 /etc/pki/fleet.key:
@@ -234,4 +282,11 @@ chownfilebeatp8:
 bits: 4096
 backup: True
+fleetkeyperms:
+ file.managed:
+ - replace: False
+ - name: /etc/pki/fleet.key
+ - mode: 640
+ - group: 939
+
 {% endif %}