mirror of
https://github.com/Security-Onion-Solutions/securityonion.git
synced 2026-05-06 03:17:53 +02:00
Mike Reeves
8225d41661
- Deliver postgres super and app passwords via mounted 0600 secret files (POSTGRES_PASSWORD_FILE, SO_POSTGRES_PASS_FILE) instead of plaintext env vars visible in docker inspect output - Mount a managed pg_hba.conf that only allows local trust and hostssl scram-sha-256 so TCP clients cannot negotiate cleartext sessions - Restrict postgres.key to 0400 and ensure owner/group 939 - Set umask 0077 on so-postgres-backup output - Validate host values in so-stats-show against [A-Za-z0-9._-] before SQL interpolation so a compromised minion cannot inject SQL via a tag value - Coerce postgres:telegraf:retention_days to int before rendering into SQL - Escape single quotes when rendering pillar values into postgresql.conf - Own postgres tooling in /usr/sbin as root:root so a container escape cannot rewrite admin scripts - Gate ES migration TLS verification on esVerifyCert (default false, matching the elastic module's existing pattern)
20 lines
487 B
YAML
20 lines
487 B
YAML
postgres:
|
|
enabled: True
|
|
telegraf:
|
|
retention_days: 14
|
|
config:
|
|
listen_addresses: '*'
|
|
port: 5432
|
|
max_connections: 100
|
|
shared_buffers: 256MB
|
|
ssl: 'on'
|
|
ssl_cert_file: '/conf/postgres.crt'
|
|
ssl_key_file: '/conf/postgres.key'
|
|
ssl_ca_file: '/conf/ca.crt'
|
|
hba_file: '/conf/pg_hba.conf'
|
|
log_destination: 'stderr'
|
|
logging_collector: 'off'
|
|
log_min_messages: 'warning'
|
|
shared_preload_libraries: pg_cron
|
|
cron.database_name: so_telegraf
|