mirror of
https://github.com/Security-Onion-Solutions/securityonion.git
synced 2026-05-09 12:52:38 +02:00
Mike Reeves
8225d41661
- Deliver postgres super and app passwords via mounted 0600 secret files (POSTGRES_PASSWORD_FILE, SO_POSTGRES_PASS_FILE) instead of plaintext env vars visible in docker inspect output - Mount a managed pg_hba.conf that only allows local trust and hostssl scram-sha-256 so TCP clients cannot negotiate cleartext sessions - Restrict postgres.key to 0400 and ensure owner/group 939 - Set umask 0077 on so-postgres-backup output - Validate host values in so-stats-show against [A-Za-z0-9._-] before SQL interpolation so a compromised minion cannot inject SQL via a tag value - Coerce postgres:telegraf:retention_days to int before rendering into SQL - Escape single quotes when rendering pillar values into postgresql.conf - Own postgres tooling in /usr/sbin as root:root so a container escape cannot rewrite admin scripts - Gate ES migration TLS verification on esVerifyCert (default false, matching the elastic module's existing pattern)
16 lines
984 B
Django/Jinja
16 lines
984 B
Django/Jinja
{# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
|
|
or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
|
|
https://securityonion.net/license; you may not use this file except in compliance with the
|
|
Elastic License 2.0. #}
|
|
# Managed by Salt — do not edit by hand.
|
|
# Client authentication config: only local (Unix socket) connections and TLS-wrapped TCP
|
|
# connections are accepted. Plain-text `host ...` lines are intentionally omitted so a
|
|
# misconfigured client with sslmode=disable cannot negotiate a cleartext session.
|
|
|
|
# Local connections (Unix socket, container-internal) use peer/trust.
|
|
local all all trust
|
|
|
|
# TCP connections MUST use TLS (hostssl) and authenticate with SCRAM.
|
|
hostssl all all 0.0.0.0/0 scram-sha-256
|
|
hostssl all all ::/0 scram-sha-256
|