Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Rotating ossec key fails due to directory permissions on /var/ossec on mon server #3928

Closed
zenmonkeykstop opened this issue Nov 8, 2018 · 3 comments · Fixed by #3943
Closed

Rotating ossec key fails due to directory permissions on /var/ossec on mon server #3928

zenmonkeykstop opened this issue Nov 8, 2018 · 3 comments · Fixed by #3943
Assignees
@redshiftzero
Labels
bug
Milestone
0.11.0

Comments

@zenmonkeykstop
Copy link
Contributor

Description

If the ossec alert public key is changed on the admin workstation after an initial install, and ./securedrop-admin install is run again, the install/update will fail with an Ansible error related to directory permissions on /var/ossec/.gnupg

Steps to Reproduce

with SD release 0.10.0:

  • install 0.10.0 on app and mon servers via usual flow, including ossec setup
  • change the file ~/Persistent/securedrop/install-files/ansible_base/ossec.pub to a new pubkey
  • run ./securedrop-admin install again

Expected Behavior

Installation completes without error

Actual Behavior

Installation fails, as ossec user on the mon server doesn't have permission to write to /var/ossec/.gnupg
@eloquence eloquence added the bug label Nov 16, 2018
@eloquence eloquence added this to the 0.11.0 milestone Nov 16, 2018
@ultimatecoder
Copy link
Contributor

I have tried re-produce this issue, but I am not able to re-produce. I have replicated the steps mentioned by @zenmonkeykstop here.

Below are description of tasks I performed as part of re-producing this issue:

  • I copied the ossec.pub file to ~/Persistant/securedrop/install_files/ansible-base. I then copied SecureDrop.asc to ~/Persistant/securedrop/install_files/ansible-base.
  • Then I ran securedrop-admin sdconfig and provided answers to questions it asked.
  • Then I ran securedrop-admin install script for the first time. It ran without any errors.
  • I checked the .onion URLs of Journalist interface and Source interface. It worked fine.
  • Then I ran the securedrop-admin tailsconfig. It too ran without any errors.
  • Then I SSH over tor to Monitor server. I was able to ssh to monitor server without any errors. I verified the public key. It was the one I provided as a ossec.pub key to my initial run of securedrop-admin install command.
  • Then I replaced the ~/Persistant/securedrop/install_files/ansible-base/ossec.pub with new public key file.
  • After replacing the ossec.pub file with a new key, I updated the old fingerprint value with the fingerprint value of new file at ~/Persistant/securedrop/install_files/ansible-base/group_vars/all/site-specific
  • And I re-ran the securedrop-admin install command.
  • The command ended without any errors. It actually replaced the old ossec.pub file with new ossec.pub file. Below gist from the log of ansible playbook shows that
PLAY [Configure OSSEC.] *******************************************************************************************************************************************************************************************

TASK [Gathering Facts] ********************************************************************************************************************************************************************************************
ok: [mon]
ok: [app]

TASK [ossec : Install securedrop-ossec-agent package.] ************************************************************************************************************************************************************
ok: [app]

TASK [ossec : Install OSSEC manager package.] *********************************************************************************************************************************************************************
ok: [mon]

TASK [ossec : Copy the OSSEC GPG public key for sending encrypted alerts.] ****************************************************************************************************************************************
changed: [mon] => (item=ossec.pub)

TASK [ossec : Add the OSSEC GPG public key to the OSSEC manager keyring.] *****************************************************************************************************************************************
changed: [mon] => (item=ossec.pub)

TASK [ossec : Copy script for sending GPG-encrypted OSSEC alerts.] ************************************************************************************************************************************************
changed: [mon]n I

TASK [ossec : Copy script for formatting journalist submission] ***************************************************************************************************************************************************
ok: [mon]

Full log of securedrop-admin install when I ran it second time is here

Note: I have tried to obfuscate sensitive details from the log file. Please guide me if I am still exposing critical information.

@redshiftzero
Copy link
Contributor

I took a look at reproducing this today - @zenmonkeykstop can you confirm that this was the error:

TASK [ossec : Add the OSSEC GPG public key to the OSSEC manager keyring.] ******
failed: [mon-staging] (item=test_journalist_key.pub) => {"changed": false, "cmd": ["gpg", "--homedir", "/var/ossec/.gnupg", "--import", "/var/ossec/test_journalist_key.pub"], "delta": "0:00:00.004148", "end": "2018-11-26 23:55:27.971819", "item": "test_journalist_key.pub", "msg": "non-zero return code", "rc": 2, "start": "2018-11-26 23:55:27.967671", "stderr": "gpg: no writable keyring found: eof\ngpg: error reading `/var/ossec/test_journalist_key.pub': general error\ngpg: import from `/var/ossec/test_journalist_key.pub' failed: general error\ngpg: Total number processed: 0", "stderr_lines": ["gpg: no writable keyring found: eof", "gpg: error reading `/var/ossec/test_journalist_key.pub': general error", "gpg: import from `/var/ossec/test_journalist_key.pub' failed: general error", "gpg: Total number processed: 0"], "stdout": "", "stdout_lines": []}
failed: [mon-staging] (item=test_journalist_key.pub) => {"changed": false, "cmd": ["gpg", "--homedir", "/var/ossec/.gnupg", "--import", "/var/ossec/test_journalist_key.pub"], "delta": "0:00:00.003334", "end": "2018-11-26 23:55:28.084523", "item": "test_journalist_key.pub", "msg": "non-zero return code", "rc": 2, "start": "2018-11-26 23:55:28.081189", "stderr": "gpg: no writable keyring found: eof\ngpg: error reading `/var/ossec/test_journalist_key.pub': general error\ngpg: import from `/var/ossec/test_journalist_key.pub' failed: general error\ngpg: Total number processed: 0", "stderr_lines": ["gpg: no writable keyring found: eof", "gpg: error reading `/var/ossec/test_journalist_key.pub': general error", "gpg: import from `/var/ossec/test_journalist_key.pub' failed: general error", "gpg: Total number processed: 0"], "stdout": "", "stdout_lines": []}

I reproduced this via:

  1. vagrant up /staging/
  2. change path to OSSEC key in staging vars to a new public key (I used test_journalist_key.pub as seen above)
  3. vagrant provision /staging/

redshiftzero added a commit that referenced this issue Nov 27, 2018
@redshiftzero
ossec: set permissions on gpg homedir and contents
1622c63 
In defect #3928, problems with the permissions on the OSSEC gpg
keyring resulted in an error when attempting to import the OSSEC
public key.

This commit adds Ansible tasks to set the proper permissions
on the gpg homedir and its contents prior to attempting to import
the key
redshiftzero added a commit that referenced this issue Nov 27, 2018
@redshiftzero
ossec: set permissions on gpg homedir and contents
785cdaf 
In defect #3928, problems with the permissions on the OSSEC gpg
keyring resulted in an error when attempting to import the OSSEC
public key.

This commit adds Ansible tasks to set the proper permissions
on the gpg homedir and its contents prior to attempting to import
the key
@redshiftzero redshiftzero mentioned this issue Nov 27, 2018
Merged
2 tasks
@kushaldas
Copy link
Contributor

@redshiftzero @zenmonkeykstop I could not reproduce it on prod vagrant vms, I changed the keys a few times. No errors at all.

@redshiftzero redshiftzero self-assigned this Nov 27, 2018
kushaldas pushed a commit that referenced this issue Sep 25, 2019
@redshiftzero @kushaldas
ossec: set permissions on gpg homedir and contents
641619e 
In defect #3928, problems with the permissions on the OSSEC gpg
keyring resulted in an error when attempting to import the OSSEC
public key.

This commit adds Ansible tasks to set the proper permissions
on the gpg homedir and its contents prior to attempting to import
the key
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@redshiftzero redshiftzero

Labels
bug
Projects
None yet
Milestone
0.11.0
Development

Successfully merging a pull request may close this issue.

ossec: set permissions on gpg homedir and contents freedomofpress/securedrop
5 participants
@eloquence @kushaldas @zenmonkeykstop @ultimatecoder @redshiftzero