From b21b545756277fbbccca4fbaf47f0599da765f6a Mon Sep 17 00:00:00 2001
From: Jason Ertel
Date: Fri, 23 Jun 2023 09:37:41 -0400
Subject: [PATCH] use cluster-unique password for import encryption
---
 salt/soc/files/bin/salt-relay.sh | 8 ++++++--
 setup/so-functions | 2 ++
 2 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/salt/soc/files/bin/salt-relay.sh b/salt/soc/files/bin/salt-relay.sh
index 832067316..a9a37ba3e 100755
--- a/salt/soc/files/bin/salt-relay.sh
+++ b/salt/soc/files/bin/salt-relay.sh
@@ -4,6 +4,8 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
+. /usr/sbin/so-common
+
 PIPE_OWNER=${PIPE_OWNER:-socore}
 PIPE_GROUP=${PIPE_GROUP:-socore}
 SOC_PIPE=${SOC_PIPE:-/opt/so/conf/soc/salt/pipe}
@@ -185,7 +187,8 @@ function send_file() {
 log "Cleanup: $cleanup"
 log "encrypting..."
- response=$(gpg --passphrase "infected" --batch --symmetric --cipher-algo AES256 "$from")
+ password=$(lookup_pillar_secret import_pass)
+ response=$(gpg --passphrase "$password" --batch --symmetric --cipher-algo AES256 "$from")
 log Response:$'\n'"$response"
 fromgpg="$from.gpg"
@@ -229,7 +232,8 @@ function import_file() {
 filegpg="$file.gpg"
 log "decrypting..."
- decrypt_cmd="gpg --passphrase infected -o $file.tmp --batch --decrypt $filegpg"
+ password=$(lookup_pillar_secret import_pass)
+ decrypt_cmd="gpg --passphrase $password -o $file.tmp --batch --decrypt $filegpg"
 $CMD_PREFIX salt "$node" cmd.run "\"$decrypt_cmd\""
 decrypt_code=$?
diff --git a/setup/so-functions b/setup/so-functions
index ef4e44eaa..d43469edb 100755
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -1296,6 +1296,7 @@ generate_passwords(){
 KRATOSKEY=$(get_random_value)
 REDISPASS=$(get_random_value)
 SOCSRVKEY=$(get_random_value 64)
+ IMPORTPASS=$(get_random_value)
 }
 generate_interface_vars() {
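Review bot: In send_file the output of `lookup_pillar_secret import_pass` is used without checking that it is non-empty, and the import_file hunk has the same gap. lookup_pillar_secret is defined outside this patch (presumably in the newly sourced /usr/sbin/so-common), so if the source or the lookup fails, `$password` is empty and gpg is still invoked rather than the transfer stopping. A guard such as `[ -n "$password" ] || { log "import_pass lookup failed"; return 1; }`, adapted to the error path send_file already uses, would make both call sites fail closed. The value is now a real secret, yet `--passphrase "$password"` puts it in gpg's argument list where local users can read it from the process table; `--passphrase-fd 0` fed with `<<<"$password"` keeps it out of argv. send_file's body starts and ends outside the hunk.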
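Review bot: In import_file `$password` is interpolated unquoted into `decrypt_cmd`, and that string is passed whole to `salt "$node" cmd.run`, so the secret is re-parsed as shell text on the target node. get_random_value is not shown here; if it can ever return whitespace or shell metacharacters the decrypt would break or part of the value would be interpreted as a command, so the character set it produces should be confirmed and stated in a comment above the assignment. Building the command this way also places the cluster secret in the salt CLI arguments and, most likely, in the job data Salt keeps for cmd.run, which the old constant `infected` made harmless. I would add `# import_pass is a cluster secret: do not log decrypt_cmd` next to the assignment and consider delivering the passphrase by file or stdin on the node instead of in the command text. The rest of import_file is outside the hunk, so whether decrypt_cmd is logged later cannot be checked from here.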
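Review bot: `IMPORTPASS` is generated only in generate_passwords and written only by secrets_pillar (the last hunk), both setup-time functions, so a grid installed before this commit would have no `import_pass` key in secrets.sls after upgrading. Nothing in this patch adds the key to an existing pillar, and the `fi` after the write in secrets_pillar suggests the file is created only under a condition that is not visible here. On such a grid the `lookup_pillar_secret import_pass` calls in salt-relay.sh would presumably return nothing, leaving imports to fail or to run with an empty passphrase. An upgrade step that appends a freshly generated `import_pass` when the key is missing would close that gap.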
@@ -2102,6 +2103,7 @@ secrets_pillar(){
 " playbook_admin: $PLAYBOOKADMINPASS"\
 " playbook_automation: $PLAYBOOKAUTOMATIONPASS"\
 " playbook_automation_api_key: "\
+ " import_pass: $IMPORTPASS"\
 " influx_pass: $INFLUXPASS" > $local_salt_dir/pillar/secrets.sls
 fi
 }