CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-17 06:22:53 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #10677 from Security-Onion-Solutions/issue/10533

Browse Source 
Issue/10533
This commit is contained in:
Josh Patterson
2023-06-28 15:17:42 -04:00
committed by GitHub
parent add72d7a5c 34db6fb823
commit eef1b40436
6 changed files with 84 additions and 100 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
salt/nginx/defaults.yaml
View File

@@ -1,6 +1,7 @@
nginx: nginx:
enabled: False enabled: False
config: ssl:
replace_cert: False replace_cert: False
config:
throttle_login_burst: 12 throttle_login_burst: 12
throttle_login_rate: 20 throttle_login_rate: 20

77
salt/nginx/enabled.sls
View File

@@ -7,11 +7,79 @@
{% if sls.split('.')[0] in allowed_states %} {% if sls.split('.')[0] in allowed_states %}
{% from 'vars/globals.map.jinja' import GLOBALS %} {% from 'vars/globals.map.jinja' import GLOBALS %}
{% from 'docker/docker.map.jinja' import DOCKER %} {% from 'docker/docker.map.jinja' import DOCKER %}
{% from 'nginx/map.jinja' import NGINXMERGED %}
{% set ca_server = GLOBALS.minion_id %}
include: include:
- nginx.config - nginx.config
- nginx.sostatus - nginx.sostatus
{# if the user has selected to replace the crt and key in the ui #}
{% if NGINXMERGED.ssl.replace_cert %}
managerssl_key:
file.managed:
- name: /etc/pki/managerssl.key
- source: salt://nginx/ssl/ssl.key
- mode: 640
- group: 939
- watch_in:
- docker_container: so-nginx
managerssl_crt:
file.managed:
- name: /etc/pki/managerssl.crt
- source: salt://nginx/ssl/ssl.crt
- mode: 644
- watch_in:
- docker_container: so-nginx
{% else %}
managerssl_key:
x509.private_key_managed:
- name: /etc/pki/managerssl.key
- keysize: 4096
- backup: True
- new: True
{% if salt['file.file_exists']('/etc/pki/managerssl.key') -%}
- prereq:
- x509: /etc/pki/managerssl.crt
{%- endif %}
- retry:
attempts: 5
interval: 30
- watch_in:
- docker_container: so-nginx
# Create a cert for the reverse proxy
managerssl_crt:
x509.certificate_managed:
- name: /etc/pki/managerssl.crt
- ca_server: {{ ca_server }}
- signing_policy: managerssl
- private_key: /etc/pki/managerssl.key
- CN: {{ GLOBALS.hostname }}
- subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }}
- days_remaining: 0
- days_valid: 820
- backup: True
- timeout: 30
- retry:
attempts: 5
interval: 30
- watch_in:
- docker_container: so-nginx
{% endif %}
msslkeyperms:
file.managed:
- replace: False
- name: /etc/pki/managerssl.key
- mode: 640
- group: 939
make-rule-dir-nginx: make-rule-dir-nginx:
file.directory: file.directory:
- name: /nsm/rules - name: /nsm/rules
@@ -74,12 +142,17 @@ so-nginx:
- file: nginxconfdir - file: nginxconfdir
- require: - require:
- file: nginxconf - file: nginxconf
{% if grains.role in ['so-manager', 'so-managersearch', 'so-eval', 'so-standalone', 'so-import'] %} {% if grains.role in ['so-manager', 'so-managersearch', 'so-eval', 'so-standalone', 'so-import'] %}
{% if NGINXMERGED.ssl.replace_cert %}
- file: managerssl_key
- file: managerssl_crt
{% else %}
- x509: managerssl_key - x509: managerssl_key
- x509: managerssl_crt - x509: managerssl_crt
{% endif%}
- file: navigatorconfig - file: navigatorconfig
- file: navigatordefaultlayer - file: navigatordefaultlayer
{% endif %} {% endif %}
delete_so-nginx_so-status.disabled: delete_so-nginx_so-status.disabled:
file.uncomment: file.uncomment:

12
salt/nginx/soc_nginx.yaml
View File

@@ -3,27 +3,29 @@ nginx:
description: You can enable or disable Nginx. description: You can enable or disable Nginx.
advanced: True advanced: True
helpLink: nginx.html helpLink: nginx.html
config: ssl:
replace_cert: replace_cert:
description: Enable this if you would like to replace the Security Onion Certificate with your own. description: Enable this if you would like to replace the Security Onion Certificate with your own.
global: True global: True
advanced: True advanced: True
forcedType: bool
title: Replace Default Cert title: Replace Default Cert
helpLink: nginx.html helpLink: nginx.html
ssl__key: ssl__key:
description: If you enabled the replace_cert option, paste your .key file here. description: If you enabled the replace_cert option, paste the contents of your .key file here.
file: True file: True
title: SSL Key File title: SSL/TLS Key File
advanced: True advanced: True
global: True global: True
helpLink: nginx.html helpLink: nginx.html
ssl__crt: ssl__crt:
description: If you enabled the replace_cert option, paste your .crt file here. description: If you enabled the replace_cert option, paste the contents of your .crt file here.
file: True file: True
title: SSL Cert File title: SSL/TLS Cert File
advanced: True advanced: True
global: True global: True
helpLink: nginx.html helpLink: nginx.html
config:
throttle_login_burst: throttle_login_burst:
description: Number of login requests that can burst without triggering request throttling. Higher values allow more repeated login attempts. Values greater than zero are required in order to provide a usable login flow. description: Number of login requests that can burst without triggering request throttling. Higher values allow more repeated login attempts. Values greater than zero are required in order to provide a usable login flow.
global: True global: True

0
salt/nginx/config/ssl.crt → salt/nginx/ssl/ssl.crt
View File

0
salt/nginx/config/ssl.key → salt/nginx/ssl/ssl.key
View File

92
salt/ssl/init.sls
View File

@@ -76,12 +76,6 @@ influxdb_crt:
- days_remaining: 0 - days_remaining: 0
- days_valid: 820 - days_valid: 820
- backup: True - backup: True
{% if grains.role not in ['so-heavynode'] %}
- unless:
# https://github.com/saltstack/salt/issues/52167
# Will trigger 5 days (432000 sec) from cert expiration
- 'enddate=$(date -d "$(openssl x509 -in /etc/pki/influxdb.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]'
{% endif %}
- timeout: 30 - timeout: 30
- retry: - retry:
attempts: 5 attempts: 5
@@ -121,12 +115,6 @@ redis_crt:
- days_remaining: 0 - days_remaining: 0
- days_valid: 820 - days_valid: 820
- backup: True - backup: True
{% if grains.role not in ['so-heavynode'] %}
- unless:
# https://github.com/saltstack/salt/issues/52167
# Will trigger 5 days (432000 sec) from cert expiration
- 'enddate=$(date -d "$(openssl x509 -in /etc/pki/redis.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]'
{% endif %}
- timeout: 30 - timeout: 30
- retry: - retry:
attempts: 5 attempts: 5
@@ -169,12 +157,6 @@ etc_elasticfleet_crt:
- days_remaining: 0 - days_remaining: 0
- days_valid: 820 - days_valid: 820
- backup: True - backup: True
{% if grains.role not in ['so-heavynode'] %}
- unless:
# https://github.com/saltstack/salt/issues/52167
# Will trigger 5 days (432000 sec) from cert expiration
- 'enddate=$(date -d "$(openssl x509 -in /etc/pki/elasticfleet.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]'
{% endif %}
- timeout: 30 - timeout: 30
- retry: - retry:
attempts: 5 attempts: 5
@@ -250,12 +232,6 @@ etc_elasticfleetlogstash_crt:
- days_remaining: 0 - days_remaining: 0
- days_valid: 820 - days_valid: 820
- backup: True - backup: True
{% if grains.role not in ['so-heavynode'] %}
- unless:
# https://github.com/saltstack/salt/issues/52167
# Will trigger 5 days (432000 sec) from cert expiration
- 'enddate=$(date -d "$(openssl x509 -in /etc/pki/elasticfleet-logstash.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]'
{% endif %}
- timeout: 30 - timeout: 30
- retry: - retry:
attempts: 5 attempts: 5
@@ -359,12 +335,6 @@ etc_filebeat_crt:
- days_remaining: 0 - days_remaining: 0
- days_valid: 820 - days_valid: 820
- backup: True - backup: True
{% if grains.role not in ['so-heavynode'] %}
- unless:
# https://github.com/saltstack/salt/issues/52167
# Will trigger 5 days (432000 sec) from cert expiration
- 'enddate=$(date -d "$(openssl x509 -in /etc/pki/filebeat.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]'
{% endif %}
- timeout: 30 - timeout: 30
- retry: - retry:
attempts: 5 attempts: 5
@@ -436,10 +406,6 @@ registry_crt:
- days_remaining: 0 - days_remaining: 0
- days_valid: 820 - days_valid: 820
- backup: True - backup: True
- unless:
# https://github.com/saltstack/salt/issues/52167
# Will trigger 5 days (432000 sec) from cert expiration
- 'enddate=$(date -d "$(openssl x509 -in /etc/pki/registry.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]'
- timeout: 30 - timeout: 30
- retry: - retry:
attempts: 5 attempts: 5
@@ -478,12 +444,6 @@ regkeyperms:
- days_remaining: 0 - days_remaining: 0
- days_valid: 820 - days_valid: 820
- backup: True - backup: True
{% if grains.role not in ['so-heavynode'] %}
- unless:
# https://github.com/saltstack/salt/issues/52167
# Will trigger 5 days (432000 sec) from cert expiration
- 'enddate=$(date -d "$(openssl x509 -in /etc/pki/elasticsearch.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]'
{% endif %}
- timeout: 30 - timeout: 30
- retry: - retry:
attempts: 5 attempts: 5
@@ -507,48 +467,6 @@ elasticp12perms:
- mode: 640 - mode: 640
- group: 930 - group: 930
managerssl_key:
x509.private_key_managed:
- name: /etc/pki/managerssl.key
- keysize: 4096
- backup: True
- new: True
{% if salt['file.file_exists']('/etc/pki/managerssl.key') -%}
- prereq:
- x509: /etc/pki/managerssl.crt
{%- endif %}
- retry:
attempts: 5
interval: 30
# Create a cert for the reverse proxy
managerssl_crt:
x509.certificate_managed:
- name: /etc/pki/managerssl.crt
- ca_server: {{ ca_server }}
- signing_policy: managerssl
- private_key: /etc/pki/managerssl.key
- CN: {{ GLOBALS.hostname }}
- subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }}
- days_remaining: 0
- days_valid: 820
- backup: True
- unless:
# https://github.com/saltstack/salt/issues/52167
# Will trigger 5 days (432000 sec) from cert expiration
- 'enddate=$(date -d "$(openssl x509 -in /etc/pki/managerssl.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]'
- timeout: 30
- retry:
attempts: 5
interval: 30
msslkeyperms:
file.managed:
- replace: False
- name: /etc/pki/managerssl.key
- mode: 640
- group: 939
{% endif %} {% endif %}
@@ -587,12 +505,6 @@ conf_filebeat_crt:
- days_remaining: 0 - days_remaining: 0
- days_valid: 820 - days_valid: 820
- backup: True - backup: True
{% if grains.role not in ['so-heavynode'] %}
- unless:
# https://github.com/saltstack/salt/issues/52167
# Will trigger 5 days (432000 sec) from cert expiration
- 'enddate=$(date -d "$(openssl x509 -in /opt/so/conf/filebeat/etc/pki/filebeat.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]'
{% endif %}
- timeout: 30 - timeout: 30
- retry: - retry:
attempts: 5 attempts: 5
@@ -647,10 +559,6 @@ chownfilebeatp8:
- days_remaining: 0 - days_remaining: 0
- days_valid: 820 - days_valid: 820
- backup: True - backup: True
- unless:
# https://github.com/saltstack/salt/issues/52167
# Will trigger 5 days (432000 sec) from cert expiration
- 'enddate=$(date -d "$(openssl x509 -in /etc/pki/elasticsearch.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]'
- timeout: 30 - timeout: 30
- retry: - retry:
attempts: 5 attempts: 5