Refactor users/roles management via salt due to Salt's clobbering of the inode which breaks Docker mounts

This commit is contained in:
Jason Ertel
2021-06-04 20:01:30 -04:00
parent 416b38fc71
commit e22421ec99
3 changed files with 41 additions and 28 deletions


@@ -129,13 +129,12 @@ function updatePassword() {
fi fi
} }
function createElasticTmpFile() { function createElasticFile() {
filename=$1 filename=$1
tmpFile=$(unknown).tmp tmpFile=$(unknown)
truncate -s 0 "$tmpFile" truncate -s 0 "$tmpFile"
chmod 600 "$tmpFile" chmod 600 "$tmpFile"
chown "${esUID}:${esGID}" "$tmpFile" chown "${esUID}:${esGID}" "$tmpFile"
echo "$tmpFile"
} }
function syncElasticSystemUser() { function syncElasticSystemUser() {
@@ -166,26 +165,27 @@ function syncElasticSystemRole() {
} }
function syncElastic() { function syncElastic() {
usersFileTmp=$(createElasticTmpFile "${elasticUsersFile}") createElasticFile "${elasticUsersFile}"
rolesFileTmp=$(createElasticTmpFile "${elasticRolesFile}") createElasticFile "${elasticRolesFile}"
authPillarJson=$(lookup_salt_value "auth" "elasticsearch" "pillar" "json") authPillarJson=$(lookup_salt_value "auth" "elasticsearch" "pillar" "json")
syncElasticSystemUser "$authPillarJson" "so_elastic_user" "$usersFileTmp" syncElasticSystemUser "$authPillarJson" "so_elastic_user" "$elasticUsersFile"
syncElasticSystemRole "$authPillarJson" "so_elastic_user" "superuser" "$rolesFileTmp" syncElasticSystemRole "$authPillarJson" "so_elastic_user" "superuser" "$elasticRolesFile"
syncElasticSystemUser "$authPillarJson" "so_kibana_user" "$usersFileTmp" syncElasticSystemUser "$authPillarJson" "so_kibana_user" "$elasticUsersFile"
syncElasticSystemRole "$authPillarJson" "so_kibana_user" "kibana_system" "$rolesFileTmp" syncElasticSystemRole "$authPillarJson" "so_kibana_user" "superuser" "$elasticRolesFile"
syncElasticSystemUser "$authPillarJson" "so_logstash_user" "$usersFileTmp" syncElasticSystemUser "$authPillarJson" "so_logstash_user" "$elasticUsersFile"
syncElasticSystemRole "$authPillarJson" "so_logstash_user" "logstash_system" "$rolesFileTmp" syncElasticSystemRole "$authPillarJson" "so_logstash_user" "superuser" "$elasticRolesFile"
syncElasticSystemUser "$authPillarJson" "so_beats_user" "$usersFileTmp" syncElasticSystemUser "$authPillarJson" "so_beats_user" "$elasticUsersFile"
syncElasticSystemRole "$authPillarJson" "so_beats_user" "beats_system" "$rolesFileTmp" syncElasticSystemRole "$authPillarJson" "so_beats_user" "superuser" "$elasticRolesFile"
syncElasticSystemUser "$authPillarJson" "so_monitor_user" "$usersFileTmp" syncElasticSystemUser "$authPillarJson" "so_monitor_user" "$elasticUsersFile"
syncElasticSystemRole "$authPillarJson" "so_monitor_user" "remote_monitoring_collector" "$rolesFileTmp" syncElasticSystemRole "$authPillarJson" "so_monitor_user" "remote_monitoring_collector" "$elasticRolesFile"
syncElasticSystemRole "$authPillarJson" "so_monitor_user" "remote_monitoring_agent" "$rolesFileTmp" syncElasticSystemRole "$authPillarJson" "so_monitor_user" "remote_monitoring_agent" "$elasticRolesFile"
syncElasticSystemRole "$authPillarJson" "so_monitor_user" "monitoring_user" "$elasticRolesFile"
if [[ -f "$databasePath" ]]; then if [[ -f "$databasePath" ]]; then
# Generate the new users file # Generate the new users file
@@ -195,7 +195,7 @@ function syncElastic() {
"order by ici.identifier;" | \ "order by ici.identifier;" | \
sqlite3 "$databasePath" | \ sqlite3 "$databasePath" | \
jq -r '.user + ":" + .data.hashed_password' \ jq -r '.user + ":" + .data.hashed_password' \
>> "$usersFileTmp" >> "$elasticUsersFile"
[[ $? != 0 ]] && fail "Unable to read credential hashes from database" [[ $? != 0 ]] && fail "Unable to read credential hashes from database"
# Generate the new users_roles file # Generate the new users_roles file
@@ -205,29 +205,26 @@ function syncElastic() {
"where ici.identity_credential_id=ic.id and ic.config like '%hashed_password%' " \ "where ici.identity_credential_id=ic.id and ic.config like '%hashed_password%' " \
"order by ici.identifier;" | \ "order by ici.identifier;" | \
sqlite3 "$databasePath" \ sqlite3 "$databasePath" \
>> "$rolesFileTmp" >> "$elasticRolesFile"
[[ $? != 0 ]] && fail "Unable to read credential IDs from database" [[ $? != 0 ]] && fail "Unable to read credential IDs from database"
else else
echo "Database file does not exist yet, skipping users export" echo "Database file does not exist yet, skipping users export"
fi fi
# Move the temp files over onto the final files echo "Applying elastic state..."
mv -f "$usersFileTmp" "$elasticUsersFile" salt-call state.apply elasticsearch queue=True
[[ $? != 0 ]] && fail "Unable to create users file: $elasticUsersFile"
mv -f "$rolesFileTmp" "$elasticRolesFile"
[[ $? != 0 ]] && fail "Unable to create users file: $elasticRolesFile"
} }
function syncAll() { function syncAll() {
if [[ -n "$STALE_MIN" ]]; then if [[ -n "$STALE_MIN" ]]; then
staleCount=$(echo "select from identity_credentials where updated_at >= Datetime('now', '-${STALE_MIN} minutes');" \ staleCount=$(echo "select count(*) from identity_credentials where updated_at >= Datetime('now', '-${STALE_MIN} minutes');" \
| sqlite3 "$databasePath") | sqlite3 "$databasePath")
if [[ "$staleCount" == "0" ]]; then if [[ "$staleCount" == "0" ]]; then
return 1 return 1
fi fi
fi fi
syncElastic syncElastic
return 0
} }
function listUsers() { function listUsers() {
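Review bot: The role mappings in syncElastic for so_kibana_user, so_logstash_user and so_beats_user change from the built-in `kibana_system`, `logstash_system` and `beats_system` roles to `superuser`, which the commit message does not mention; unless a concrete privilege gap forced it, these service accounts should keep their least-privilege built-in roles, or the reason should be recorded next to the calls, e.g. `# so_kibana_user needs superuser because <reason> — TODO revert to kibana_system once <condition>`. The new `salt-call state.apply elasticsearch queue=True` line is the only step in syncElastic without a status check; by default salt-call reports state failures only in its output, so use `salt-call --retcode-passthrough state.apply elasticsearch queue=True || fail "Unable to apply elasticsearch state"`. createElasticFile now truncates the final file in place instead of a .tmp that was moved over at the end, so a failed database export leaves `$elasticUsersFile` holding only the system users until the next successful run; if that file is the salt fileserver source (as `salt://elasticsearch/files/users` in the state suggests) the tmp-and-rename could be kept there, since the inode concern applies to the Docker-mounted target only.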


@@ -173,7 +173,7 @@ eslogdir:
auth_users: auth_users:
file.managed: file.managed:
- name: /opt/so/conf/elasticsearch/users - name: /opt/so/conf/elasticsearch/users.tmp
- source: salt://elasticsearch/files/users - source: salt://elasticsearch/files/users
- user: 930 - user: 930
- group: 930 - group: 930
@@ -181,12 +181,28 @@ auth_users:
auth_users_roles: auth_users_roles:
file.managed: file.managed:
- name: /opt/so/conf/elasticsearch/users_roles - name: /opt/so/conf/elasticsearch/users_roles.tmp
- source: salt://elasticsearch/files/users_roles - source: salt://elasticsearch/files/users_roles
- user: 930 - user: 930
- group: 930 - group: 930
- mode: 600 - mode: 600
auth_users_inode:
require:
- file: auth_users
cmd.run:
- name: cat /opt/so/conf/elasticsearch/users.tmp > /opt/so/conf/elasticsearch/users && chown 930:930 /opt/so/conf/elasticsearch/users && chmod 600 /opt/so/conf/elasticsearch/users
- onchanges:
- file: /opt/so/conf/elasticsearch/users.tmp
auth_users_roles_inode:
require:
- file: auth_users_roles
cmd.run:
- name: cat /opt/so/conf/elasticsearch/users_roles.tmp > /opt/so/conf/elasticsearch/users_roles && chown 930:930 /opt/so/conf/elasticsearch/users_roles && chmod 600 /opt/so/conf/elasticsearch/users_roles
- onchanges:
- file: /opt/so/conf/elasticsearch/users_roles.tmp
so-elasticsearch: so-elasticsearch:
docker_container.running: docker_container.running:
- image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-elasticsearch:{{ VERSION }} - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-elasticsearch:{{ VERSION }}
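Review bot: In `auth_users_inode` the redirection `cat users.tmp > users` creates the target with the minion's umask on a host where `/opt/so/conf/elasticsearch/users` does not exist yet, so the password hashes are readable by other local users until the trailing `chmod 600` runs; prefixing the command with `umask 077 && ` closes that window, and the same applies to `auth_users_roles_inode`. The redirection also truncates and rewrites the file in place, so a reader such as the container can observe an empty or partial file mid-write; that looks like the accepted trade-off for preserving the inode and deserves a comment on the state, e.g. `# cat into the existing file (not mv/install) so the inode survives for the Docker bind mount`. The two cmd.run states differ only in the file name, so a small jinja loop or macro over the two names would keep them from drifting apart.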


@@ -4,7 +4,7 @@
{%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%} {%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%}
{%- endif %} {%- endif %}
{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_logstash_user:user', '') %} {%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_logstash_user:user', '') %}
{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_logstash_pass:pass', '') %} {%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_logstash_user:pass', '') %}
output { output {
if [module] =~ "osquery" and "live_query" not in [dataset] { if [module] =~ "osquery" and "live_query" not in [dataset] {
elasticsearch { elasticsearch {
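Review bot: The `''` default on the corrected ES_PASS lookup is what let the mistyped `so_logstash_pass` key go unnoticed: a missing pillar path renders as an empty password instead of failing the state. If ES_PASS is used only as the elasticsearch output password further down (outside this hunk), consider dropping the default or guarding the value right after the set, e.g. `{%- if not ES_PASS %}{{ raise('elasticsearch:auth:users:so_logstash_user:pass is unset') }}{%- endif %}` using Salt's jinja `raise` helper, so the render fails loudly rather than shipping a config that cannot authenticate.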