Continue merge of ECS into Elastic Auth

salt/curator/init.sls

@@ -49,6 +49,7 @@ curconf:
     - source: salt://curator/files/curator.yml
     - user: 934
     - group: 939
+    - mode: 660
     - template: jinja
 
 curcloseddel:

salt/elastalert/init.sls

@@ -99,6 +99,7 @@ elastaconf:
         elastalert_config: {{ elastalert_config.elastalert.config }}
     - user: 933
     - group: 933
+    - mode: 660
     - template: jinja
 
 wait_for_elasticsearch:

salt/filebeat/init.sls

@@ -1,3 +1,4 @@
+
 # Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
 #    This program is free software: you can redistribute it and/or modify
 #    it under the terms of the GNU General Public License as published by
@@ -83,6 +84,7 @@ filebeatmoduleconfsync:
     - source: salt://filebeat/etc/module-setup.yml
     - user: root
     - group: root
+    - mode: 660
     - template: jinja
 
 sodefaults_module_conf:

salt/kibana/init.sls

@@ -35,6 +35,7 @@ synckibanaconfig:
     - source: salt://kibana/etc
     - user: 932
     - group: 939
+    - file_mode: 660
     - template: jinja
 
 kibanalogdir:

salt/logstash/init.sls

@@ -78,6 +78,7 @@ ls_pipeline_{{PL}}_{{CONFIGFILE.split('.')[0] | replace("/","_") }}:
     {% endif %}
     - user: 931
     - group: 939
+    - mode: 660
     - makedirs: True
   {% endfor %}
 

salt/logstash/pipelines/config/so/9050_output_filebeatmodules.conf.jinja

@@ -3,18 +3,22 @@
 {%- else %}
 {%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%}
 {%- endif %}
+{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_logstash_user:user', '') %}
+{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_logstash_user:pass', '') %}
 output {
- if [metadata][pipeline] {
+  if [metadata][pipeline] {
-   elasticsearch {
+    elasticsearch {
-     id => "filebeat_modules_metadata_pipeline"
+      id => "filebeat_modules_metadata_pipeline"
-     pipeline => "%{[metadata][pipeline]}"
+      pipeline => "%{[metadata][pipeline]}"
-     hosts => "{{ ES }}"
+      hosts => "{{ ES }}"
-     index => "so-%{[event][module]}-%{+YYYY.MM.dd}"
+      user => "{{ ES_USER }}"
-     template_name => "so-common"
+      password => "{{ ES_PASS }}"
-     template => "/templates/so-common-template.json"
+      index => "so-%{[event][module]}-%{+YYYY.MM.dd}"
-     template_overwrite => true
+      template_name => "so-common"
-     ssl => true
+      template => "/templates/so-common-template.json"
-     ssl_certificate_verification => false
+      template_overwrite => true
-   }
+      ssl => true
- }
+      ssl_certificate_verification => false
+    }
+  }
 }

salt/soctopus/init.sls

@@ -44,6 +44,7 @@ playbookrulesdir:
     - name: /opt/so/rules/elastalert/playbook
     - user: 939
     - group: 939
+    - mode: 660
     - makedirs: True
 
 playbookrulessync:

salt/telegraf/init.sls

@@ -38,6 +38,7 @@ tgrafconf:
     - name: /opt/so/conf/telegraf/etc/telegraf.conf
     - user: 939
     - group: 939
+    - mode: 660
     - template: jinja
     - source: salt://telegraf/etc/telegraf.conf