Ensure empty/aborted users/roles files do not get copied onto final filenames
@@ -165,27 +165,29 @@ function syncElasticSystemRole() {
|
|||||||
}
|
}
|
||||||
|
|
||||||
function syncElastic() {
|
function syncElastic() {
|
||||||
createElasticFile "${elasticUsersFile}"
|
usersTmpFile="${elasticUsersFile}.tmp"
|
||||||
createElasticFile "${elasticRolesFile}"
|
rolesTmpFile="${elasticRolesFile}.tmp"
|
||||||
|
createElasticFile "${usersTmpFile}"
|
||||||
|
createElasticFile "${rolesTmpFile}"
|
||||||
|
|
||||||
authPillarJson=$(lookup_salt_value "auth" "elasticsearch" "pillar" "json")
|
authPillarJson=$(lookup_salt_value "auth" "elasticsearch" "pillar" "json")
|
||||||
|
|
||||||
syncElasticSystemUser "$authPillarJson" "so_elastic_user" "$elasticUsersFile"
|
syncElasticSystemUser "$authPillarJson" "so_elastic_user" "$usersTmpFile"
|
||||||
syncElasticSystemRole "$authPillarJson" "so_elastic_user" "superuser" "$elasticRolesFile"
|
syncElasticSystemRole "$authPillarJson" "so_elastic_user" "superuser" "$rolesTmpFile"
|
||||||
|
|
||||||
syncElasticSystemUser "$authPillarJson" "so_kibana_user" "$elasticUsersFile"
|
syncElasticSystemUser "$authPillarJson" "so_kibana_user" "$usersTmpFile"
|
||||||
syncElasticSystemRole "$authPillarJson" "so_kibana_user" "superuser" "$elasticRolesFile"
|
syncElasticSystemRole "$authPillarJson" "so_kibana_user" "superuser" "$rolesTmpFile"
|
||||||
|
|
||||||
syncElasticSystemUser "$authPillarJson" "so_logstash_user" "$elasticUsersFile"
|
syncElasticSystemUser "$authPillarJson" "so_logstash_user" "$usersTmpFile"
|
||||||
syncElasticSystemRole "$authPillarJson" "so_logstash_user" "superuser" "$elasticRolesFile"
|
syncElasticSystemRole "$authPillarJson" "so_logstash_user" "superuser" "$rolesTmpFile"
|
||||||
|
|
||||||
syncElasticSystemUser "$authPillarJson" "so_beats_user" "$elasticUsersFile"
|
syncElasticSystemUser "$authPillarJson" "so_beats_user" "$usersTmpFile"
|
||||||
syncElasticSystemRole "$authPillarJson" "so_beats_user" "superuser" "$elasticRolesFile"
|
syncElasticSystemRole "$authPillarJson" "so_beats_user" "superuser" "$rolesTmpFile"
|
||||||
|
|
||||||
syncElasticSystemUser "$authPillarJson" "so_monitor_user" "$elasticUsersFile"
|
syncElasticSystemUser "$authPillarJson" "so_monitor_user" "$usersTmpFile"
|
||||||
syncElasticSystemRole "$authPillarJson" "so_monitor_user" "remote_monitoring_collector" "$elasticRolesFile"
|
syncElasticSystemRole "$authPillarJson" "so_monitor_user" "remote_monitoring_collector" "$rolesTmpFile"
|
||||||
syncElasticSystemRole "$authPillarJson" "so_monitor_user" "remote_monitoring_agent" "$elasticRolesFile"
|
syncElasticSystemRole "$authPillarJson" "so_monitor_user" "remote_monitoring_agent" "$rolesTmpFile"
|
||||||
syncElasticSystemRole "$authPillarJson" "so_monitor_user" "monitoring_user" "$elasticRolesFile"
|
syncElasticSystemRole "$authPillarJson" "so_monitor_user" "monitoring_user" "$rolesTmpFile"
|
||||||
|
|
||||||
if [[ -f "$databasePath" ]]; then
|
if [[ -f "$databasePath" ]]; then
|
||||||
# Generate the new users file
|
# Generate the new users file
|
||||||
@@ -195,7 +197,7 @@ function syncElastic() {
|
|||||||
"order by ici.identifier;" | \
|
"order by ici.identifier;" | \
|
||||||
sqlite3 "$databasePath" | \
|
sqlite3 "$databasePath" | \
|
||||||
jq -r '.user + ":" + .data.hashed_password' \
|
jq -r '.user + ":" + .data.hashed_password' \
|
||||||
>> "$elasticUsersFile"
|
>> "$usersTmpFile"
|
||||||
[[ $? != 0 ]] && fail "Unable to read credential hashes from database"
|
[[ $? != 0 ]] && fail "Unable to read credential hashes from database"
|
||||||
|
|
||||||
# Generate the new users_roles file
|
# Generate the new users_roles file
|
||||||
@@ -205,15 +207,22 @@ function syncElastic() {
|
|||||||
"where ici.identity_credential_id=ic.id and ic.config like '%hashed_password%' " \
|
"where ici.identity_credential_id=ic.id and ic.config like '%hashed_password%' " \
|
||||||
"order by ici.identifier;" | \
|
"order by ici.identifier;" | \
|
||||||
sqlite3 "$databasePath" \
|
sqlite3 "$databasePath" \
|
||||||
>> "$elasticRolesFile"
|
>> "$rolesTmpFile"
|
||||||
[[ $? != 0 ]] && fail "Unable to read credential IDs from database"
|
[[ $? != 0 ]] && fail "Unable to read credential IDs from database"
|
||||||
else
|
else
|
||||||
echo "Database file does not exist yet, skipping users export"
|
echo "Database file does not exist yet, skipping users export"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [[ -z "$SKIP_STATE_APPLY" ]]; then
|
if [[ -s "${usersTmpFile}" ]]; then
|
||||||
echo "Applying elastic state..."
|
mv "${usersTmpFile}" "${elasticUsersFile}"
|
||||||
salt-call state.apply elasticsearch queue=True
|
mv "${rolesTmpFile}" "${elasticRolesFile}"
|
||||||
|
|
||||||
|
if [[ -z "$SKIP_STATE_APPLY" ]]; then
|
||||||
|
echo "Applying elastic state..."
|
||||||
|
salt-call state.apply elasticsearch queue=True
|
||||||
|
fi
|
||||||
|
else
|
||||||
|
echo "Generated users/roles files are incomplete; aborting."
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
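Review bot: The new guard `if [[ -s "${usersTmpFile}" ]]; then` checks only the users temp file, yet the very next lines move both `${usersTmpFile}` and `${rolesTmpFile}` onto the final files, so an empty or partial users_roles file can still replace the live one whenever the users export succeeded; tighten it to `if [[ -s "${usersTmpFile}" && -s "${rolesTmpFile}" ]]; then`. In the new `else` branch the "incomplete; aborting" message is only echoed, so the function's exit status does not reflect the abort, and the two `.tmp` files stay behind next to the final files (judging from the `creates:` entries in the state file below, that is the Salt files directory); if createElasticFile, defined outside this hunk, does not truncate an existing file, a later run would append to the stale temp file. Replace the echo with `rm -f "${usersTmpFile}" "${rolesTmpFile}"` followed by `fail "Generated users/roles files are incomplete; aborting."`, the helper the database pipelines above already use. The `.tmp` names are introduced in the first hunk of this file, and syncElastic's body spans all three hunks.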
@@ -124,6 +124,7 @@ syncesusers:
|
|||||||
- creates:
|
- creates:
|
||||||
- /opt/so/saltstack/local/salt/elasticsearch/files/users
|
- /opt/so/saltstack/local/salt/elasticsearch/files/users
|
||||||
- /opt/so/saltstack/local/salt/elasticsearch/files/users_roles
|
- /opt/so/saltstack/local/salt/elasticsearch/files/users_roles
|
||||||
|
- show_changes: False
|
||||||
|
|
||||||
{% else %}
|
{% else %}
|
||||||
|
|
||||||
|
|||||||
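Review bot: The added `- show_changes: False` under `syncesusers` carries no comment explaining why it is there, and since the two `creates:` paths are the users and users_roles files the reason is security-relevant rather than cosmetic; add `# users/users_roles contain credential hashes; keep them out of state output` above it so it is not removed as noise later. The state definition starts above the hunk, so I cannot see from here which cmd function it uses or whether that function honors `show_changes`; worth confirming so the option does not silently do nothing.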