Merge pull request #5330 from rocodes/5265-ossec-gpg-perms

configure OSSEC server gnupg directory permissions in securedrop-osse…

install_files/ansible-base/roles/ossec/tasks/configure_server.yml

@@ -20,44 +20,6 @@
   tags:
     - gpg
 
-- name: Check if GPG homedir already exists.
-  stat:
-    path: /var/ossec/.gnupg
-  register: gpg_homedir_status
-  tags:
-    - gpg
-
-- name: Ensure correct permissions on OSSEC GPG homedir if it exists.
-  file:
-    state: directory
-    path: /var/ossec/.gnupg
-    mode: "0700"
-    owner: ossec
-    group: "{{ ossec_group }}"
-  when: gpg_homedir_status.stat.exists
-  tags:
-    - gpg
-
-- name: Check if .gpg files have been created yet in the GPG homedir.
-  stat:
-    path: "/var/ossec/.gnupg/{{ item }}"
-  with_items: "{{ gpg_keyring_files }}"
-  register: gpg_keyring_status
-  tags:
-    - gpg
-
-- name: Ensure correct permissions on contents of OSSEC GPG homedir.
-  file:
-    state: file
-    path: "/var/ossec/.gnupg/{{ item.item }}"
-    mode: "0600"
-    owner: ossec
-    group: "{{ ossec_group }}"
-  with_items: "{{ gpg_keyring_status.results }}"
-  when: item.stat.exists
-  tags:
-    - gpg
-
 - name: Add the OSSEC GPG public key to the OSSEC manager keyring.
   # multiline format for command module, since this is a long command
   command: >

install_files/securedrop-ossec-server/DEBIAN/postinst

@@ -28,7 +28,12 @@ case "$1" in
 
         chown root:${GROUP} ${OSSEC_HOME}/rules/local_rules.xml
         chmod 440 ${OSSEC_HOME}/rules/local_rules.xml
-
+
+        # Ensure correct gnupg directory permissions and ownership
+        chown -R ossec:${GROUP} ${OSSEC_HOME}/.gnupg
+        find ${OSSEC_HOME}/.gnupg -type f -exec chmod 600 {} \;
+        find ${OSSEC_HOME}/.gnupg -type d -exec chmod 700 {} \;
+
         # Replace localhost with 127.0.0.1 for smtp_server due to
         #  https://github.com/ossec/ossec-hids/issues/1145
         sed -i -e "s/<smtp_server>localhost<\/smtp_server>/<smtp_server>127.0.0.1<\/smtp_server>/g" /var/ossec/etc/ossec.conf