mirror of
https://github.com/Security-Onion-Solutions/securityonion.git
synced 2026-05-08 12:27:52 +02:00
b69e50542a
- firewall/map.jinja and postgres/telegraf_users.sls now pull the telegraf output selector through TELEGRAFMERGED so the defaults.yaml value (BOTH) is the source of truth and pillar overrides merge in cleanly. pillar.get with a hardcoded fallback was brittle and would disagree with defaults.yaml if the two ever diverged.
- Rename salt/postgres/files/pg_hba.conf.jinja to pg_hba.conf and drop template: jinja from config.sls — the file has no jinja besides the comment header.
17 lines
979 B
Plaintext
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
#
# Managed by Salt — do not edit by hand.
# Client authentication config: only local (Unix socket) connections and TLS-wrapped TCP
# connections are accepted. Plain-text `host ...` lines are intentionally omitted so a
# misconfigured client with sslmode=disable cannot negotiate a cleartext session.

# Local connections (Unix socket, container-internal) use peer/trust.
local all all trust

# TCP connections MUST use TLS (hostssl) and authenticate with SCRAM.
hostssl all all 0.0.0.0/0 scram-sha-256
hostssl all all ::/0 scram-sha-256
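Added example (not part of the Security Onion repository): a small Python check that enforces the policy stated in the file's comments, flagging any TCP rule that is not hostssl or whose method is not scram-sha-256. The function names, the sample rules and the treatment of include directives are assumptions made for illustration; quoted fields and backslash line continuations are not handled.

```python
import ipaddress

# Constructed sample: the first three rules mirror the page's file; the last three are weak rules added here.
SAMPLE = """\
local     all all                           trust   # Unix socket
hostssl   all all 0.0.0.0/0                 scram-sha-256
hostssl   all all ::/0                      scram-sha-256
host      all all 10.0.0.0/8                scram-sha-256
hostssl   all all 192.168.1.0 255.255.255.0 md5
hostnossl all all 0.0.0.0/0                 trust
"""

INCLUDES = {"include", "include_if_exists", "include_dir"}


def _is_ip(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def audit_pg_hba(text):
    """Return (line_number, message) findings for rules outside the page's policy."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()  # drop comments, split on whitespace
        if not fields:
            continue
        rtype = fields[0]
        if rtype in INCLUDES:
            findings.append((lineno, f"{rtype}: included file is not checked here"))
        elif rtype == "local":
            continue  # Unix socket rules are allowed by the policy
        elif rtype != "hostssl":
            findings.append((lineno, f"{rtype}: TCP rule is not restricted to TLS"))
        else:
            # hostssl DATABASE USER ADDRESS [IP-MASK] METHOD [options]
            idx = 5 if len(fields) > 5 and _is_ip(fields[4]) else 4
            method = fields[idx] if len(fields) > idx else "<missing>"
            if method != "scram-sha-256":
                findings.append((lineno, f"hostssl: method {method} is not scram-sha-256"))
    return findings


if __name__ == "__main__":
    for lineno, message in audit_pg_hba(SAMPLE):
        print(f"line {lineno}: {message}")
```

Run against the three rules in the file above, the check returns no findings; a plain `host` line is reported even when its method is scram-sha-256, because it would also match a non-TLS connection.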