mirror of
https://github.com/Security-Onion-Solutions/securityonion.git
synced 2026-05-06 03:17:53 +02:00
Mike Reeves
8225d41661
- Deliver postgres super and app passwords via mounted 0600 secret files (POSTGRES_PASSWORD_FILE, SO_POSTGRES_PASS_FILE) instead of plaintext env vars visible in docker inspect output - Mount a managed pg_hba.conf that only allows local trust and hostssl scram-sha-256 so TCP clients cannot negotiate cleartext sessions - Restrict postgres.key to 0400 and ensure owner/group 939 - Set umask 0077 on so-postgres-backup output - Validate host values in so-stats-show against [A-Za-z0-9._-] before SQL interpolation so a compromised minion cannot inject SQL via a tag value - Coerce postgres:telegraf:retention_days to int before rendering into SQL - Escape single quotes when rendering pillar values into postgresql.conf - Own postgres tooling in /usr/sbin as root:root so a container escape cannot rewrite admin scripts - Gate ES migration TLS verification on esVerifyCert (default false, matching the elastic module's existing pattern)
56 lines
1.5 KiB
Plaintext
56 lines
1.5 KiB
Plaintext
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
|
|
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
|
|
# https://securityonion.net/license; you may not use this file except in compliance with the
|
|
# Elastic License 2.0.
|
|
|
|
{% from 'allowed_states.map.jinja' import allowed_states %}
|
|
{% if sls.split('.')[0] in allowed_states %}
|
|
{% from 'vars/globals.map.jinja' import GLOBALS %}
|
|
{% from 'ca/map.jinja' import CA %}
|
|
|
|
postgres_key:
|
|
x509.private_key_managed:
|
|
- name: /etc/pki/postgres.key
|
|
- keysize: 4096
|
|
- backup: True
|
|
- new: True
|
|
{% if salt['file.file_exists']('/etc/pki/postgres.key') -%}
|
|
- prereq:
|
|
- x509: /etc/pki/postgres.crt
|
|
{%- endif %}
|
|
- retry:
|
|
attempts: 5
|
|
interval: 30
|
|
|
|
postgres_crt:
|
|
x509.certificate_managed:
|
|
- name: /etc/pki/postgres.crt
|
|
- ca_server: {{ CA.server }}
|
|
- subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }}
|
|
- signing_policy: postgres
|
|
- private_key: /etc/pki/postgres.key
|
|
- CN: {{ GLOBALS.hostname }}
|
|
- days_remaining: 7
|
|
- days_valid: 820
|
|
- backup: True
|
|
- timeout: 30
|
|
- retry:
|
|
attempts: 5
|
|
interval: 30
|
|
|
|
postgresKeyperms:
|
|
file.managed:
|
|
- replace: False
|
|
- name: /etc/pki/postgres.key
|
|
- mode: 400
|
|
- user: 939
|
|
- group: 939
|
|
|
|
{% else %}
|
|
|
|
{{sls}}_state_not_allowed:
|
|
test.fail_without_changes:
|
|
- name: {{sls}}_state_not_allowed
|
|
|
|
{% endif %}
|