3fad895d6a
Lays the database-backed pillar foundation for the postsalt branch. Salt
continues to read on-disk SLS first; the new ext_pillar config overlays
values from the so_pillar.* schema in so-postgres.
- salt/postgres/files/schema/pillar/00{1..7}_*.sql: idempotent DDL for
scope/role/role_member/minion/pillar_entry/pillar_entry_history/
drift_log, secret pgcrypto helpers, RLS, pg_cron retention.
- salt/postgres/schema_pillar.sls: applies the SQL files inside the
so-postgres container after it's healthy, configures the master_key
GUC, and runs so-pillar-import once. Gated on
postgres:so_pillar:enabled feature flag (default false).
- salt/salt/master/ext_pillar_postgres.{sls,conf.jinja}: drops
/etc/salt/master.d/ext_pillar_postgres.conf with list-form ext_pillar
queries (global/role/minion/secrets) and ext_pillar_first: False so
bootstrap pillars on disk render before the PG overlay.
- salt/postgres/init.sls + salt/salt/master.sls: include the new states.
Both new state branches are guarded so a default install with the flag
off is a no-op.
-- Drift detection + retention via pg_cron. Optional — the schema_pillar.sls
|
|
-- state guards this file behind the postgres:so_pillar:drift_check_enabled
|
|
-- pillar flag because pg_cron may not be loaded on every install.
|
|
|
|
CREATE EXTENSION IF NOT EXISTS pg_cron;
|
|
|
|
-- Retention: trim pillar_entry_history older than a year. Adjustable via the
|
|
-- so_pillar.history_retention_days GUC (default 365 if unset).
|
|
CREATE OR REPLACE FUNCTION so_pillar.fn_history_retain()
|
|
RETURNS void LANGUAGE plpgsql AS $fn$
|
|
DECLARE
|
|
v_days int := COALESCE(current_setting('so_pillar.history_retention_days', true)::int, 365);
|
|
BEGIN
|
|
DELETE FROM so_pillar.pillar_entry_history
|
|
WHERE changed_at < (now() - (v_days::text || ' days')::interval);
|
|
END
|
|
$fn$;
|
|
|
|
-- Drift retention: keep two weeks of drift_log.
|
|
CREATE OR REPLACE FUNCTION so_pillar.fn_drift_retain()
|
|
RETURNS void LANGUAGE plpgsql AS $fn$
|
|
BEGIN
|
|
DELETE FROM so_pillar.drift_log
|
|
WHERE detected_at < (now() - interval '14 days');
|
|
END
|
|
$fn$;
|
|
|
|
-- pg_cron schedules (idempotent — unschedule any existing same-named job first).
|
|
DO $$
|
|
DECLARE
|
|
v_jobid bigint;
|
|
BEGIN
|
|
SELECT jobid INTO v_jobid FROM cron.job WHERE jobname = 'so_pillar_history_retain';
|
|
IF v_jobid IS NOT NULL THEN PERFORM cron.unschedule(v_jobid); END IF;
|
|
PERFORM cron.schedule('so_pillar_history_retain', '15 3 * * *',
|
|
'SELECT so_pillar.fn_history_retain();');
|
|
|
|
SELECT jobid INTO v_jobid FROM cron.job WHERE jobname = 'so_pillar_drift_retain';
|
|
IF v_jobid IS NOT NULL THEN PERFORM cron.unschedule(v_jobid); END IF;
|
|
PERFORM cron.schedule('so_pillar_drift_retain', '20 3 * * *',
|
|
'SELECT so_pillar.fn_drift_retain();');
|
|
END
|
|
$$;
|
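Review bot: fn_history_retain parses the retention GUC as `COALESCE(current_setting('so_pillar.history_retention_days', true)::int, 365)`, which casts before the NULL fallback, so an empty string (what current_setting(name, true) yields for a custom GUC that was set and later RESET in the session) or any non-numeric value raises on `''::int`, aborts the 03:15 cron job and leaves pillar_entry_history untrimmed, while a zero or negative value turns the cutoff into `now() + N days` and deletes the entire change history that serves as the audit trail for pillar edits. Suggest `v_days int := COALESCE(NULLIF(current_setting('so_pillar.history_retention_days', true), '')::int, 365);` followed by `IF v_days <= 0 THEN RAISE EXCEPTION 'so_pillar.history_retention_days must be > 0, got %', v_days; END IF;` at the top of the BEGIN block. Separately, cron.schedule runs its command in the database named by cron.database_name (default postgres); if the so_pillar schema is created in a different database the two jobs will fail nightly with a missing-schema error, so either state that assumption in the header comment or use cron.schedule_in_database (pg_cron 1.4+). The three-argument cron.schedule with a job name already replaces an existing job of that name in the pg_cron versions that expose cron.job.jobname, so the lookup/unschedule pairs in the DO block are harmless but redundant.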