CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-06 17:22:49 +01:00
Code Issues Packages Projects Releases Wiki Activity

Fix SSL Perms

Browse Source
This commit is contained in:
Mike Reeves
2020-07-06 17:21:23 -04:00
parent 3b452ab597
commit be5f4b04c6
2 changed files with 62 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
salt/ca/init.sls
View File

@@ -44,3 +44,10 @@ send_x509_pem_entries_to_mine:
- mine.send: - mine.send:
- func: x509.get_pem_entries - func: x509.get_pem_entries
- glob_path: /etc/pki/ca.crt - glob_path: /etc/pki/ca.crt
cakeyperms:
file.managed:
- replace: False
- name: /etc/pki/ca.key
- mode: 640
- group: 939

55
salt/ssl/init.sls
View File

@@ -52,6 +52,13 @@ m2cryptopkgs:
bits: 4096 bits: 4096
backup: True backup: True
influxkeyperms:
file.managed:
- replace: False
- name: /etc/pki/influxdb.key
- mode: 640
- group: 939
{% if grains['role'] in ['so-master', 'so-eval', 'so-helix', 'so-mastersearch', 'so-standalone'] %} {% if grains['role'] in ['so-master', 'so-eval', 'so-helix', 'so-mastersearch', 'so-standalone'] %}
# Request a cert and drop it where it needs to go to be distributed # Request a cert and drop it where it needs to go to be distributed
@@ -75,6 +82,13 @@ m2cryptopkgs:
cmd.run: cmd.run:
- name: "/usr/bin/openssl pkcs8 -in /etc/pki/filebeat.key -topk8 -out /etc/pki/filebeat.p8 -nocrypt" - name: "/usr/bin/openssl pkcs8 -in /etc/pki/filebeat.key -topk8 -out /etc/pki/filebeat.p8 -nocrypt"
filebeatkeyperms:
file.managed:
- replace: False
- name: /etc/pki/filebeat.key
- mode: 640
- group: 939
chownilogstashfilebeatp8: chownilogstashfilebeatp8:
file.managed: file.managed:
- replace: False - replace: False
@@ -114,6 +128,13 @@ fbcrtlink:
bits: 4096 bits: 4096
backup: True backup: True
regkeyperms:
file.managed:
- replace: False
- name: /etc/pki/registry.key
- mode: 640
- group: 939
# Create a cert for the reverse proxy # Create a cert for the reverse proxy
/etc/pki/masterssl.crt: /etc/pki/masterssl.crt:
x509.certificate_managed: x509.certificate_managed:
@@ -129,6 +150,13 @@ fbcrtlink:
bits: 4096 bits: 4096
backup: True backup: True
msslkeyperms:
file.managed:
- replace: False
- name: /etc/pki/masterssl.key
- mode: 640
- group: 939
# Create a private key and cert for OSQuery # Create a private key and cert for OSQuery
/etc/pki/fleet.key: /etc/pki/fleet.key:
x509.private_key_managed: x509.private_key_managed:
@@ -151,6 +179,13 @@ fbcrtlink:
bits: 4096 bits: 4096
backup: True backup: True
fleetkeyperms:
file.managed:
- replace: False
- name: /etc/pki/fleet.key
- mode: 640
- group: 939
{% endif %} {% endif %}
{% if grains['role'] in ['so-sensor', 'so-master', 'so-node', 'so-eval', 'so-helix', 'so-mastersearch', 'so-heavynode', 'so-fleet', 'so-standalone'] %} {% if grains['role'] in ['so-sensor', 'so-master', 'so-node', 'so-eval', 'so-helix', 'so-mastersearch', 'so-heavynode', 'so-fleet', 'so-standalone'] %}
@@ -183,6 +218,13 @@ filebeatpkcs:
cmd.run: cmd.run:
- name: "/usr/bin/openssl pkcs8 -in /opt/so/conf/filebeat/etc/pki/filebeat.key -topk8 -out /opt/so/conf/filebeat/etc/pki/filebeat.p8 -passout pass:" - name: "/usr/bin/openssl pkcs8 -in /opt/so/conf/filebeat/etc/pki/filebeat.key -topk8 -out /opt/so/conf/filebeat/etc/pki/filebeat.p8 -passout pass:"
filebeatkeyperms:
file.managed:
- replace: False
- name: /opt/so/conf/filebeat/etc/pki/filebeat.key
- mode: 640
- group: 939
chownfilebeatp8: chownfilebeatp8:
file.managed: file.managed:
- replace: False - replace: False
@@ -211,6 +253,12 @@ chownfilebeatp8:
bits: 4096 bits: 4096
backup: True backup: True
msslkeyperms:
file.managed:
- replace: False
- name: /etc/pki/masterssl.key
- mode: 640
- group: 939
# Create a private key and cert for Fleet # Create a private key and cert for Fleet
/etc/pki/fleet.key: /etc/pki/fleet.key:
@@ -234,4 +282,11 @@ chownfilebeatp8:
bits: 4096 bits: 4096
backup: True backup: True
fleetkeyperms:
file.managed:
- replace: False
- name: /etc/pki/fleet.key
- mode: 640
- group: 939
{% endif %} {% endif %}