Fix SSL Perms

2025-12-06 09:12:45 +01:00 · 2020-07-06 17:21:23 -04:00
parent 3b452ab597
commit be5f4b04c6
2 changed files with 62 additions and 0 deletions
--- a/salt/ca/init.sls
+++ b/salt/ca/init.sls
@@ -44,3 +44,10 @@ send_x509_pem_entries_to_mine:
    - mine.send:
      - func: x509.get_pem_entries
      - glob_path: /etc/pki/ca.crt
+
+cakeyperms:
+  file.managed:
+    - replace: False
+    - name: /etc/pki/ca.key
+    - mode: 640
+    - group: 939
--- a/salt/ssl/init.sls
+++ b/salt/ssl/init.sls
@@ -52,6 +52,13 @@ m2cryptopkgs:
        bits: 4096
        backup: True

+influxkeyperms:
+  file.managed:
+    - replace: False
+    - name: /etc/pki/influxdb.key
+    - mode: 640
+    - group: 939
+
 {% if grains['role'] in ['so-master', 'so-eval', 'so-helix', 'so-mastersearch', 'so-standalone'] %}

 # Request a cert and drop it where it needs to go to be distributed
@@ -75,6 +82,13 @@ m2cryptopkgs:
  cmd.run:
    - name: "/usr/bin/openssl pkcs8 -in /etc/pki/filebeat.key -topk8 -out /etc/pki/filebeat.p8 -nocrypt"

+filebeatkeyperms:
+  file.managed:
+    - replace: False
+    - name: /etc/pki/filebeat.key
+    - mode: 640
+    - group: 939
+
 chownilogstashfilebeatp8:
  file.managed:
    - replace: False
@@ -114,6 +128,13 @@ fbcrtlink:
        bits: 4096
        backup: True

+regkeyperms:
+  file.managed:
+    - replace: False
+    - name: /etc/pki/registry.key
+    - mode: 640
+    - group: 939
+
 # Create a cert for the reverse proxy
 /etc/pki/masterssl.crt:
  x509.certificate_managed:
@@ -129,6 +150,13 @@ fbcrtlink:
        bits: 4096
        backup: True

+msslkeyperms:
+  file.managed:
+    - replace: False
+    - name: /etc/pki/masterssl.key
+    - mode: 640
+    - group: 939
+
 # Create a private key and cert for OSQuery
 /etc/pki/fleet.key:
  x509.private_key_managed:
@@ -151,6 +179,13 @@ fbcrtlink:
        bits: 4096
        backup: True

+fleetkeyperms:
+  file.managed:
+    - replace: False
+    - name: /etc/pki/fleet.key
+    - mode: 640
+    - group: 939
+
 {% endif %}
 {% if grains['role'] in ['so-sensor', 'so-master', 'so-node', 'so-eval', 'so-helix', 'so-mastersearch', 'so-heavynode', 'so-fleet', 'so-standalone'] %}

@@ -183,6 +218,13 @@ filebeatpkcs:
  cmd.run:
    - name: "/usr/bin/openssl pkcs8 -in /opt/so/conf/filebeat/etc/pki/filebeat.key -topk8 -out /opt/so/conf/filebeat/etc/pki/filebeat.p8 -passout pass:"

+filebeatkeyperms:
+  file.managed:
+    - replace: False
+    - name: /opt/so/conf/filebeat/etc/pki/filebeat.key
+    - mode: 640
+    - group: 939
+
 chownfilebeatp8:
  file.managed:
    - replace: False
@@ -211,6 +253,12 @@ chownfilebeatp8:
        bits: 4096
        backup: True

+msslkeyperms:
+  file.managed:
+    - replace: False
+    - name: /etc/pki/masterssl.key
+    - mode: 640
+    - group: 939

 # Create a private key and cert for Fleet
 /etc/pki/fleet.key:
@@ -234,4 +282,11 @@ chownfilebeatp8:
        bits: 4096
        backup: True

+fleetkeyperms:
+  file.managed:
+    - replace: False
+    - name: /etc/pki/fleet.key
+    - mode: 640
+    - group: 939
+
 {% endif %}