diff --git a/Makefile b/Makefile index 67d54de2..12416163 100644 --- a/Makefile +++ b/Makefile @@ -62,7 +62,7 @@ sd-app: prep-salt ## Provisions SD APP VM sd-whonix: prep-salt ## Provisions SD Whonix VM sudo qubesctl --show-output state.sls sd-whonix - sudo qubesctl --show-output --skip-dom0 --targets sd-whonix-buster-template,sd-whonix state.highstate + sudo qubesctl --show-output --skip-dom0 --targets whonix-gw-15,sd-whonix state.highstate sd-viewer: prep-salt ## Provisions SD Submission Viewing VM sudo qubesctl --show-output state.sls sd-viewer diff --git a/dom0/sd-app-files.sls b/dom0/sd-app-files.sls index b4befcd3..f9e2e603 100644 --- a/dom0/sd-app-files.sls +++ b/dom0/sd-app-files.sls @@ -18,3 +18,18 @@ install-securedrop-client-package: - securedrop-client - require: - sls: fpf-apt-test-repo + +install-securedrop-log-package: + pkg.installed: + - pkgs: + - securedrop-log + - require: + - sls: fpf-apt-test-repo + +sd-rsyslog-for-sd-app: + file.managed: + - name: /etc/sd-rsyslog.conf + - source: "salt://sd-rsyslog.conf.j2" + - template: jinja + - context: + vmname: sd-app \ No newline at end of file diff --git a/dom0/sd-clean-all.sls b/dom0/sd-clean-all.sls index bba612e6..d3781f3f 100644 --- a/dom0/sd-clean-all.sls +++ b/dom0/sd-clean-all.sls @@ -27,6 +27,12 @@ remove-dom0-sdw-config-files: - /home/{{ gui_user }}/Desktop/securedrop-launcher.desktop - /home/{{ gui_user }}/.securedrop_launcher +sd-cleanup-whonix-gw-15: + cmd.run: + - names: + - qvm-run whonix-gw-15 'sudo apt remove -y securedrop-log' + - qvm-run whonix-gw-15 'sudo rm -f /etc/rsyslog.d/sdlog.conf' + sd-cleanup-sys-firewall: cmd.run: - names: diff --git a/dom0/sd-devices-files.sls b/dom0/sd-devices-files.sls index 2813b280..b7320154 100644 --- a/dom0/sd-devices-files.sls +++ b/dom0/sd-devices-files.sls 
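Review bot: Targeting `whonix-gw-15` directly means the `securedrop-log` package and `/etc/sd-rsyslog.conf` are installed into the stock Whonix gateway template rather than into a project-owned clone (the removed `sd-whonix-buster-template` target), so every VM built from that template inherits them, not only `sd-whonix`; the same target choice appears in `scripts/provision-all`, `dom0/sd-workstation.top` and the `sd-cleanup-whonix-gw-15` state. If other gateway VMs share that template (not visible here), the change widens the footprint of the modification and the later `apt remove` in the cleanup state affects them too. A comment recording why the shared template is modified in place would help, e.g. `# whonix-gw-15 is the stock Whonix gateway template; it is provisioned in place rather than cloned (see scripts/provision-all)`.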
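Review bot: The state ID `install-securedrop-log-package` added here is also used in `dom0/sd-proxy-template-files.sls` and already exists in `dom0/sd-log-template-files.sls`; Salt rejects a highstate that contains two states with the same ID, so if any two of these files are ever applied to one target the run fails. The other files in this commit prefix the ID with the VM name (`sd-devices-install-securedrop-log-package`, `sd-viewer-install-logging`), so `sd-app-install-securedrop-log-package` would follow that convention. The `sd-rsyslog-for-sd-app` state also sets no `user`/`group`/`mode` on `/etc/sd-rsyslog.conf`, unlike `install-securedrop-proxy-yaml-config` in the proxy file which sets `mode: 0644`; adding `- mode: 0644` makes ownership and permissions explicit, and the same applies to every `sd-rsyslog-for-*` state in this commit. The file is also left without a trailing newline.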
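Review bot: The `sd-cleanup-whonix-gw-15` state removes the package and `/etc/rsyslog.d/sdlog.conf` but leaves `/etc/sd-rsyslog.conf`, which `sd-rsyslog-for-sd-whonix` in `dom0/sd-whonix-template-files.sls` writes into the same template, so a "cleaned" template still carries SecureDrop-specific configuration pointing at `sd-log`. Adding `- qvm-run whonix-gw-15 'sudo rm -f /etc/sd-rsyslog.conf'` to the `names` list completes the reversal. Since the template is the stock Whonix gateway template, it is worth confirming that `apt remove -y securedrop-log` does not take anything else with it through dependency handling; the package's dependency list is not visible here.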
@@ -24,3 +24,19 @@ sd-devices-install-libreoffice: sd-devices-install-package: pkg.installed: - name: securedrop-export + + +sd-devices-install-securedrop-log-package: + pkg.installed: + - pkgs: + - securedrop-log + - require: + - sls: fpf-apt-test-repo + +sd-rsyslog-for-sd-devices: + file.managed: + - name: /etc/sd-rsyslog.conf + - source: "salt://sd-rsyslog.conf.j2" + - template: jinja + - context: + vmname: sd-devices diff --git a/dom0/sd-log-template-files.sls b/dom0/sd-log-template-files.sls index b909e9fd..a0cd5b34 100644 --- a/dom0/sd-log-template-files.sls +++ b/dom0/sd-log-template-files.sls @@ -6,6 +6,16 @@ include: install-securedrop-log-package: pkg.installed: - pkgs: + - redis-server + - redis - securedrop-log - require: - sls: fpf-apt-test-repo + +redis: + service.running: + - enable: True + +securedrop-log: + service.running: + - enable: True diff --git a/dom0/sd-log.sls b/dom0/sd-log.sls index d4897cd2..b88de2e4 100644 --- a/dom0/sd-log.sls +++ b/dom0/sd-log.sls @@ -57,3 +57,11 @@ sd-log-private-volume-size: qvm-volume resize sd-log:private {{ d.vmsizes.sd_log }}GiB - require: - qvm: sd-log + +# Permit the SecureDrop Proxy to manage Client connections +sd-dom-dom0-securedrop.Log: + file.prepend: + - name: /etc/qubes-rpc/policy/securedrop.Log + - text: | + @tag:sd-workstation sd-log allow + @anyvm @anyvm deny diff --git a/dom0/sd-proxy-template-files.sls b/dom0/sd-proxy-template-files.sls index 4cfc6123..ee0e06aa 100644 --- a/dom0/sd-proxy-template-files.sls +++ b/dom0/sd-proxy-template-files.sls @@ -48,6 +48,13 @@ install-securedrop-proxy-package: - require: - sls: fpf-apt-test-repo +install-securedrop-log-package: + pkg.installed: + - pkgs: + - securedrop-log + - require: + - sls: fpf-apt-test-repo + {% import_json "sd/config.json" as d %} install-securedrop-proxy-yaml-config: 
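Review bot: The `redis` state enables the service but manages none of its configuration, so the bind address and authentication are whatever the Debian package defaults to; if the `securedrop-log` service on the same VM is the only intended client, a comment stating that redis is expected to remain bound to localhost (and a follow-up state enforcing it) would make that assumption checkable. Neither `service.running` state declares a `require` on `install-securedrop-log-package`; Salt's definition ordering covers this today, but an explicit `- require: - pkg: install-securedrop-log-package` documents the dependency. Both `redis-server` and `redis` are listed; on Debian `redis` appears to be a metapackage that already pulls in `redis-server`, so one of the two may be redundant (not verifiable from the hunk).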
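Review bot: The comment `# Permit the SecureDrop Proxy to manage Client connections` does not describe the policy below it, which governs the `securedrop.Log` RPC service; it reads as copied from the proxy policy. Suggested wording: `# Allow sd-workstation-tagged VMs to ship logs to sd-log via the securedrop.Log RPC; deny everything else`. The allow line covers every VM carrying the `sd-workstation` tag, which — if sd-viewer carries it, as the other states in this commit suggest — includes the VM that opens untrusted submissions, so the receiving service on sd-log must treat the incoming stream as untrusted input; recording that in the comment keeps the trust boundary visible. The state ID `sd-dom-dom0-securedrop.Log` looks like a typo for `sd-dom0-securedrop.Log`.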
@@ -58,3 +65,11 @@ install-securedrop-proxy-yaml-config: - context: hostname: {{ d.hidserv.hostname }} - mode: 0644 + +sd-rsyslog-for-sd-proxy: + file.managed: + - name: /etc/sd-rsyslog.conf + - source: "salt://sd-rsyslog.conf.j2" + - template: jinja + - context: + vmname: sd-proxy \ No newline at end of file diff --git a/dom0/sd-rsyslog.conf.j2 b/dom0/sd-rsyslog.conf.j2 new file mode 100644 index 00000000..b93ab64f --- /dev/null +++ b/dom0/sd-rsyslog.conf.j2 @@ -0,0 +1,3 @@ +[sd-rsyslog] +remotevm = sd-log +localvm = {{ vmname }} diff --git a/dom0/sd-viewer-files.sls b/dom0/sd-viewer-files.sls index 44299dfc..50ff7135 100644 --- a/dom0/sd-viewer-files.sls +++ b/dom0/sd-viewer-files.sls @@ -28,3 +28,18 @@ sd-viewer-install-libreoffice: attempts: 3 interval: 60 - install_recommends: False + +sd-viewer-install-logging: + pkg.installed: + - pkgs: + - securedrop-log + - require: + - sls: fpf-apt-test-repo + +sd-rsyslog-for-sd-viewer: + file.managed: + - name: /etc/sd-rsyslog.conf + - source: "salt://sd-rsyslog.conf.j2" + - template: jinja + - context: + vmname: sd-viewer \ No newline at end of file diff --git a/dom0/sd-whonix-template-files.sls b/dom0/sd-whonix-template-files.sls new file mode 100644 index 00000000..bc1ebd88 --- /dev/null +++ b/dom0/sd-whonix-template-files.sls @@ -0,0 +1,29 @@ +# -*- coding: utf-8 -*- +# vim: set syntax=yaml ts=2 sw=2 sts=2 et : + +## +# sd-whonix-files +# ======== +# +# Installs configuration packages specific to the sd-whonix +# used for network calls. +# +## + +include: + - fpf-apt-test-repo + +sd-whonix-install-logging: + pkg.installed: + - pkgs: + - securedrop-log + - require: + - sls: fpf-apt-test-repo + +sd-rsyslog-for-sd-whonix: + file.managed: + - name: /etc/sd-rsyslog.conf + - source: "salt://sd-rsyslog.conf.j2" + - template: jinja + - context: + vmname: sd-whonix \ No newline at end of file diff --git a/dom0/sd-workstation-template-files.sls b/dom0/sd-workstation-template-files.sls index 70efef85..da127baa 100644 
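Review bot: The header comment says the file installs packages `specific to the sd-whonix used for network calls`, but `dom0/sd-workstation.top` applies this state to the `whonix-gw-15` template, and `vmname: sd-whonix` is rendered into that template's `/etc/sd-rsyslog.conf`, so any other VM built from the template would identify itself to sd-log as `sd-whonix`. The header should name the actual target, e.g. `# Applied to the whonix-gw-15 TemplateVM (see sd-workstation.top); sd-whonix inherits /etc/sd-rsyslog.conf from it`, and the `# ========` underline should match the title length. Like the other new `sd-rsyslog-for-*` states, `sd-rsyslog-for-sd-whonix` sets no explicit `mode` on the file, and the file ends without a newline.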
--- a/dom0/sd-workstation-template-files.sls +++ b/dom0/sd-workstation-template-files.sls @@ -11,6 +11,14 @@ sd-workstation-template-install-kernel-config-packages: - require: - sls: fpf-apt-test-repo + +sd-workstation-install-securedrop-log-package: + pkg.installed: + - pkgs: + - securedrop-log + - require: + - sls: fpf-apt-test-repo + # Ensure that paxctld starts immediately. For AppVMs, # use qvm.features.enabled = ["paxctld"] to ensure service start. sd-workstation-template-enable-paxctld: diff --git a/dom0/sd-workstation.top b/dom0/sd-workstation.top index ff3febad..c5acffb8 100644 --- a/dom0/sd-workstation.top +++ b/dom0/sd-workstation.top @@ -9,6 +9,7 @@ base: - sd-upgrade-templates - sd-dom0-qvm-rpc - sd-sys-whonix-vms + - sd-log - sd-devices - sd-gpg - sd-proxy @@ -16,7 +17,9 @@ base: - sd-app - sd-whonix - sd-remove-unused-templates - - sd-log + + sd-log-buster-template: + - sd-log-template-files sd-devices-buster-template: - sd-devices-files sd-gpg: @@ -33,12 +36,12 @@ base: - sd-sys-firewall-files sd-whonix: - sd-whonix-hidserv-key - sd-log-buster-template: - - sd-log-template-files securedrop-workstation-buster: - sd-workstation-template-files sys-usb: - sd-usb-autoattach-add + whonix-gw-15: + - sd-whonix-template-files # "Placeholder" config to trigger TemplateVM boots, # so upgrades can be applied automatically via cron. diff --git a/scripts/provision-all b/scripts/provision-all index a6003b6e..a3812271 100755 --- a/scripts/provision-all +++ b/scripts/provision-all 
@@ -17,6 +17,12 @@ sudo qubesctl --show-output --skip-dom0 --targets sys-firewall state.sls sd-sys- echo "Set up dom0 config files, including RPC policies, and create VMs" sudo qubesctl --show-output state.highstate +echo "Setup sd-log-buster-template vm first" +sudo qubesctl --show-output --skip-dom0 --targets sd-log-buster-template state.sls sd-log-template-files +# Provision whonix-gw-15 with log additions because it isn't tagged with sd-workstation (we don't want it removed after a make clean) +sudo qubesctl --show-output --skip-dom0 --targets whonix-gw-15 state.highstate + + # Format list of all VMs comma-separated, for use as qubesctl target # We run this after dom0's highstate, so that the VMs are available for listing by tag. all_sdw_vms_target="$(qvm-ls --tags sd-workstation --raw-list | perl -npE 's/\n/,/g' | perl -npE 's/,$//' )" diff --git a/tests/base.py b/tests/base.py index 1d7915ab..39f46a2a 100644 --- a/tests/base.py +++ b/tests/base.py @@ -112,3 +112,19 @@ def _fileExists(self, remote_path): return False return True + + def logging_configured(self, vmname=""): + """ + Make sure rsyslog is configured to send in data to sd-log vm. + """ + if not vmname: + vmname = self.vm_name + self.assertTrue(self._fileExists("/etc/sd-rsyslog.conf")) + # Then we check the configuration inside of the file. + file_content = self._get_file_contents("/etc/sd-rsyslog.conf") + static_content = """[sd-rsyslog] +remotevm = sd-log +localvm = {0} +""".format(vmname) + self.assertEqual(file_content, static_content) + self.assertTrue(self._package_is_installed("securedrop-log")) diff --git a/tests/test_app.py b/tests/test_app.py index 591e8467..adb0cd91 100644 --- a/tests/test_app.py +++ b/tests/test_app.py 
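Review bot: `logging_configured` verifies the contents of `/etc/sd-rsyslog.conf` and that `securedrop-log` is installed, but not that the rsyslog side is wired up; `dom0/sd-clean-all.sls` treats `/etc/rsyslog.d/sdlog.conf` as part of the installation, so `self.assertTrue(self._fileExists("/etc/rsyslog.d/sdlog.conf"))` would cover that piece if the package ships it. The expected text is built from a triple-quoted string whose continuation lines sit at column 0 inside the method; `"\n".join([...]) + "\n"` would keep the method's indentation intact, and the docstring should state that an empty `vmname` falls back to `self.vm_name`. The enclosing test base class starts outside the hunk.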
@@ -49,6 +49,9 @@ def test_sd_client_apparmor(self): results = json.loads(self._run(cmd)) self.assertTrue(results['profiles']['/usr/bin/securedrop-client'] == "enforce") + def test_logging_configured(self): + self.logging_configured() + def load_tests(loader, tests, pattern): suite = unittest.TestLoader().loadTestsFromTestCase(SD_App_Tests) diff --git a/tests/test_proxy_vm.py b/tests/test_proxy_vm.py index f79b6955..bd182717 100644 --- a/tests/test_proxy_vm.py +++ b/tests/test_proxy_vm.py @@ -40,6 +40,9 @@ def test_whonix_ws_repo_enabled(self): """ assert self._fileExists(self.whonix_apt_list) + def test_logging_configured(self): + self.logging_configured() + def load_tests(loader, tests, pattern): suite = unittest.TestLoader().loadTestsFromTestCase(SD_Proxy_Tests) diff --git a/tests/test_sd_devices.py b/tests/test_sd_devices.py index 3d7d3dfa..b7dd871c 100644 --- a/tests/test_sd_devices.py +++ b/tests/test_sd_devices.py @@ -19,6 +19,9 @@ def test_sd_export_package_installed(self): self.assertTrue(self._package_is_installed("printer-driver-brlaser")) self.assertTrue(self._package_is_installed("securedrop-export")) + def test_logging_configured(self): + self.logging_configured(vmname="sd-devices") + def load_tests(loader, tests, pattern): suite = unittest.TestLoader().loadTestsFromTestCase(SD_Devices_Tests) diff --git a/tests/test_sd_whonix.py b/tests/test_sd_whonix.py index f604c1f7..3edd0c74 100644 --- a/tests/test_sd_whonix.py +++ b/tests/test_sd_whonix.py @@ -58,6 +58,9 @@ def test_sd_whonix_repo_enabled(self): """ assert self._fileExists(self.whonix_apt_list) + def test_logging_configured(self): + self.logging_configured() + def load_tests(loader, tests, pattern): suite = unittest.TestLoader().loadTestsFromTestCase(SD_Whonix_Tests) diff --git a/tests/test_viewer.py b/tests/test_viewer.py index 16acccce..d64f14d8 100644 --- a/tests/test_viewer.py +++ b/tests/test_viewer.py 
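Review bot: `test_logging_configured` in `tests/test_sd_devices.py` passes `vmname="sd-devices"` explicitly while the sibling tests in `tests/test_app.py`, `tests/test_proxy_vm.py` and `tests/test_sd_whonix.py` rely on `self.vm_name`; presumably `self.vm_name` differs from the rendered name in that class (the file is written into the template and the running VM may be a disposable), but the hunk does not show it. A one-line comment such as `# /etc/sd-rsyslog.conf is rendered with vmname: sd-devices in sd-devices-files.sls, whatever the running VM's name` would explain the literal.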
@@ -19,6 +19,9 @@ def test_sd_viewer_evince_installed(self): def test_sd_viewer_libreoffice_installed(self): self.assertTrue(self._package_is_installed("libreoffice")) + def test_logging_configured(self): + self.logging_configured() + def load_tests(loader, tests, pattern): suite = unittest.TestLoader().loadTestsFromTestCase(SD_Viewer_Tests) diff --git a/tests/test_vms_exist.py b/tests/test_vms_exist.py index a1aadbc4..7bbd241e 100644 --- a/tests/test_vms_exist.py +++ b/tests/test_vms_exist.py @@ -121,6 +121,7 @@ def test_sd_log_config(self): self.assertFalse(vm.template_for_dispvms) self._check_kernel(vm) self._check_service_running(vm, "paxctld") + self._check_service_running(vm, "securedrop-log") self.assertFalse(vm.template_for_dispvms) self.assertTrue('sd-workstation' in vm.tags) # Check the size of the private volume
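Review bot: `test_sd_log_config` now checks that `securedrop-log` is running on sd-log but not `redis`, which `dom0/sd-log-template-files.sls` enables in the same commit and which the log service appears to depend on; adding `self._check_service_running(vm, "redis")` next to the new line keeps the test in step with the state. `test_sd_log_config` begins outside the hunk.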