mirror of
https://github.com/Security-Onion-Solutions/securityonion.git
synced 2026-05-09 04:42:40 +02:00
Mike Reeves
8225d41661
- Deliver postgres super and app passwords via mounted 0600 secret files (POSTGRES_PASSWORD_FILE, SO_POSTGRES_PASS_FILE) instead of plaintext env vars visible in docker inspect output - Mount a managed pg_hba.conf that only allows local trust and hostssl scram-sha-256 so TCP clients cannot negotiate cleartext sessions - Restrict postgres.key to 0400 and ensure owner/group 939 - Set umask 0077 on so-postgres-backup output - Validate host values in so-stats-show against [A-Za-z0-9._-] before SQL interpolation so a compromised minion cannot inject SQL via a tag value - Coerce postgres:telegraf:retention_days to int before rendering into SQL - Escape single quotes when rendering pillar values into postgresql.conf - Own postgres tooling in /usr/sbin as root:root so a container escape cannot rewrite admin scripts - Gate ES migration TLS verification on esVerifyCert (default false, matching the elastic module's existing pattern)
46 lines
2.9 KiB
Django/Jinja
46 lines
2.9 KiB
Django/Jinja
{# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
|
|
or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
|
|
https://securityonion.net/license; you may not use this file except in compliance with the
|
|
Elastic License 2.0. #}
|
|
|
|
{% import_yaml 'soc/defaults.yaml' as SOCDEFAULTS %}
|
|
{% from 'vars/globals.map.jinja' import GLOBALS %}
|
|
{% from 'docker/docker.map.jinja' import DOCKERMERGED -%}
|
|
{% set INFLUXDB_TOKEN = salt['pillar.get']('influxdb:token') %}
|
|
{% import_text 'influxdb/metrics_link.txt' as METRICS_LINK %}
|
|
|
|
{% for module, application_url in GLOBALS.application_urls.items() %}
|
|
{% do SOCDEFAULTS.soc.config.server.modules[module].update({'hostUrl': application_url}) %}
|
|
{% endfor %}
|
|
|
|
{# add all grid heavy nodes to soc.server.modules.elastic.remoteHostUrls #}
|
|
{% for node_type, minions in salt['pillar.get']('elasticsearch:nodes', {}).items() %}
|
|
{% if node_type in ['heavynode'] %}
|
|
{% for m in minions.keys() %}
|
|
{% do SOCDEFAULTS.soc.config.server.modules.elastic.remoteHostUrls.append('https://' ~ m ~ ':9200') %}
|
|
{% endfor %}
|
|
{% endif %}
|
|
{% endfor %}
|
|
|
|
{% do SOCDEFAULTS.soc.config.server.modules.elastic.update({'username': GLOBALS.elasticsearch.auth.users.so_elastic_user.user, 'password': GLOBALS.elasticsearch.auth.users.so_elastic_user.pass}) %}
|
|
|
|
{% if GLOBALS.postgres is defined and GLOBALS.postgres.auth is defined %}
|
|
{% set PG_ADMIN_PASS = salt['pillar.get']('secrets:postgres_pass', '') %}
|
|
{% do SOCDEFAULTS.soc.config.server.modules.update({'postgres': {'hostUrl': GLOBALS.manager_ip, 'port': 5432, 'username': GLOBALS.postgres.auth.users.so_postgres_user.user, 'password': GLOBALS.postgres.auth.users.so_postgres_user.pass, 'adminUser': 'postgres', 'adminPassword': PG_ADMIN_PASS, 'dbname': 'securityonion', 'sslMode': 'require', 'assistantEnabled': true, 'esHostUrl': 'https://' ~ GLOBALS.manager_ip ~ ':9200', 'esUsername': GLOBALS.elasticsearch.auth.users.so_elastic_user.user, 'esPassword': GLOBALS.elasticsearch.auth.users.so_elastic_user.pass, 'esVerifyCert': false}}) %}
|
|
{% endif %}
|
|
|
|
{% do SOCDEFAULTS.soc.config.server.modules.influxdb.update({'hostUrl': 'https://' ~ GLOBALS.influxdb_host ~ ':8086'}) %}
|
|
{% do SOCDEFAULTS.soc.config.server.modules.influxdb.update({'token': INFLUXDB_TOKEN}) %}
|
|
{% for tool in SOCDEFAULTS.soc.config.server.client.tools %}
|
|
{% if tool.name == "toolInfluxDb" and METRICS_LINK | length > 0 %}
|
|
{% do tool.update({'link': METRICS_LINK}) %}
|
|
{% endif %}
|
|
{% endfor %}
|
|
|
|
{% do SOCDEFAULTS.soc.config.server.modules.statickeyauth.update({'anonymousCidr': DOCKERMERGED.range, 'apiKey': pillar.sensoroni.config.sensoronikey}) %}
|
|
|
|
{% do SOCDEFAULTS.soc.config.server.client.case.update({'analyzerNodeId': GLOBALS.hostname}) %}
|
|
{% do SOCDEFAULTS.soc.config.server.client.update({'exportNodeId': GLOBALS.hostname}) %}
|
|
|
|
{% set SOCDEFAULTS = SOCDEFAULTS.soc %}
|