CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2026-05-08 12:27:52 +02:00
Code Issues Packages Projects Releases Wiki Activity
Files
bb71e44614f25b299041dbdb46eb908dd908ac4c
securityonion/salt
T
History
Mike Reeves bb71e44614 Write per-minion telegraf creds to each minion's own pillar file 
pillar/top.sls only distributes postgres.auth to manager-class roles,
so sensors / heavynodes / searchnodes / receivers / fleet / idh /
hypervisor / desktop minions never received the postgres telegraf
password they need to write metrics. Broadcasting the aggregate
postgres.auth pillar to every role would leak the so_postgres admin
password and every other minion's cred.

Fan out per-minion credentials into each minion's own pillar file at
/opt/so/saltstack/local/pillar/minions/<id>.sls. That file is already
distributed by pillar/top.sls exclusively to the matching minion via
`- minions.{{ grains.id }}`, so each minion sees only its own
postgres.telegraf.{user,pass} and nothing else.

- salt/postgres/auth.sls: after writing the manager-scoped aggregate
  pillar, fan the per-minion creds out via so-yaml.py replace for every
  up-minion. Creates the minion pillar file if missing. Requires
  postgres_auth_pillar so the manager pillar lands first.
- salt/telegraf/etc/telegraf.conf: consume postgres:telegraf:user and
  postgres:telegraf:pass directly from the minion's own pillar instead
  of walking postgres:auth:users which isn't visible off the manager.
2026-04-21 09:57:35 -04:00
..
_beacons
_modules
Remove non-Oracle Linux 9 support from salt states
2026-03-16 16:58:39 -04:00
_runners
backup
Move postgres backup script and cron to the postgres states
2026-04-21 09:42:41 -04:00
bpf
update helpLink references for new documentation
2026-03-18 09:46:45 -04:00
ca
Add so-postgres Salt states and integration wiring
2026-04-08 10:58:52 -04:00
common
Fix Telegraf→Postgres table creation and state.apply race
2026-04-17 13:00:12 -04:00
cron
desktop
the great ssl refactor
2025-12-11 17:30:06 -05:00
docker
Change so-postgres final_octet to 47
2026-04-21 09:33:47 -04:00
docker_clean
elastalert
new elastalert options advanced
2026-03-19 17:19:42 -04:00
elastic-fleet-package-registry
ensure bool sliders for each state:enabled annotation
2026-03-19 12:35:38 -04:00
elasticagent
ensure bool sliders for each state:enabled annotation
2026-03-19 12:35:38 -04:00
elasticfleet
enable elastic agent patch release for 9.3.3
2026-04-13 16:27:28 -05:00
elasticsearch
add wait_for_so-elasticsearch state and split elasticsearch cluster configuration out of enabled.sls
2026-04-17 14:43:07 -05:00
firewall
Use TELEGRAFMERGED for telegraf.output and de-jinja pg_hba.conf
2026-04-20 16:06:01 -04:00
global
Move telegraf_output from global pillar to telegraf pillar
2026-04-20 16:03:02 -04:00
healthcheck
host
update helpLink references for new documentation
2026-03-18 09:46:45 -04:00
hydra
ensure bool sliders for each state:enabled annotation
2026-03-19 12:35:38 -04:00
hypervisor
idh
Remove hardcoded path
2026-03-23 16:26:56 -04:00
influxdb
define options in annotation files
2026-04-09 10:18:36 -04:00
kafka
define options in annotation files
2026-04-09 10:18:36 -04:00
kibana
ES 9.3.2
2026-04-06 15:08:30 -05:00
kratos
define options in annotation files
2026-04-09 10:18:36 -04:00
libvirt
logrotate
remove steno
2026-03-06 15:45:36 -05:00
logstash
ensure bool sliders for each state:enabled annotation
2026-03-19 12:35:38 -04:00
manager
Fix soup state.apply args for postgres provisioning
2026-04-20 14:40:32 -04:00
motd
nginx
Merge pull request #15658 from Security-Onion-Solutions/jertel/wip
2026-03-23 09:55:31 -04:00
ntp
update helpLink references for new documentation
2026-03-18 09:46:45 -04:00
orch
Target manager by role grain in telegraf_postgres_sync orch
2026-04-21 09:37:35 -04:00
patch
ensure bool sliders for patch
2026-03-19 14:39:10 -04:00
pcap
cleanup steno. sensor run pcap.cleanup
2026-03-10 16:09:32 -04:00
pipeline
postgres
Write per-minion telegraf creds to each minion's own pillar file
2026-04-21 09:57:35 -04:00
reactor
Drop telegraf push from new-minion orch; highstate covers it
2026-04-21 09:31:45 -04:00
redis
ensure bool sliders for each state:enabled annotation
2026-03-19 12:35:38 -04:00
registry
ensure bool sliders for each state:enabled annotation
2026-03-19 12:35:38 -04:00
repo/client
Remove non-Oracle Linux 9 support from salt states
2026-03-16 16:58:39 -04:00
salt
Fire telegraf user sync on salt/key accept, not salt/auth
2026-04-20 19:54:06 -04:00
sensor
update helpLink references for new documentation
2026-03-18 09:46:45 -04:00
sensoroni
ensure bool sliders sensoroni
2026-03-19 14:41:49 -04:00
setup/virt
soc
Harden postgres secrets, TLS enforcement, and admin tooling
2026-04-20 12:36:17 -04:00
ssl
dont remove ca in ssl.remove
2026-01-07 14:14:57 -05:00
stig
update stig profile v1r3
2026-03-23 14:04:48 -05:00
storage
strelka
ensure bool sliders strelka
2026-03-19 14:46:49 -04:00
suricata
define options in annotation files
2026-04-09 10:18:36 -04:00
systemd
tcpreplay
telegraf
Write per-minion telegraf creds to each minion's own pillar file
2026-04-21 09:57:35 -04:00
utility
vars
Move telegraf_output from global pillar to telegraf pillar
2026-04-20 16:03:02 -04:00
versionlock
update helpLink references for new documentation
2026-03-18 09:46:45 -04:00
vm
zeek
Fix JA4+ license link in soc_zeek.yaml
2026-04-06 10:12:37 -04:00
allowed_states.map.jinja
Add postgres.auth to allowed_states
2026-04-09 12:39:46 -04:00
schedule.sls
top.sls
Add so-postgres Salt states and integration wiring
2026-04-08 10:58:52 -04:00