diff --git a/install_files/ansible-base/roles/ossec/tasks/register.yml b/install_files/ansible-base/roles/ossec/tasks/register.yml
index 7733447c965..1b0e3c86c67 100644
--- a/install_files/ansible-base/roles/ossec/tasks/register.yml
+++ b/install_files/ansible-base/roles/ossec/tasks/register.yml
@@ -61,6 +61,18 @@
 - ossec_is_client
 - not ossec_agent_already_registered
 
+# DNS lookups do not work with ipv6 due to an ongoing issue with and
+# disabled ipv6 stacks. Using ip instead of hostname is a workaround.
+# see https://github.com/ossec/ossec-hids/issues/1145
+- name: Replace hostname by monitor IP in config
+ replace:
+ dest: "/var/ossec/etc/ossec.conf"
+ replace: ""
+ regexp: '//\securedrop-monitor-server-alias\<\/server-hostname\>'
+ when:
+ - ossec_is_client
+ - not ossec_agent_already_registered
+
 # Ossec 3.0 now defaults to requiring a shared secret for agent authentication.
 # Disabling authentication is broken for authd in ossec 3.0. Registering agents
 # requires a 32 hex character password with a line feed appended to the
diff --git a/install_files/securedrop-ossec-agent/DEBIAN/postinst b/install_files/securedrop-ossec-agent/DEBIAN/postinst
index fe8c73abf99..a7cb92fe186 100755
--- a/install_files/securedrop-ossec-agent/DEBIAN/postinst
+++ b/install_files/securedrop-ossec-agent/DEBIAN/postinst
@@ -18,7 +18,11 @@ set -e
 
 case "$1" in
 configure)
- service ossec restart
+ # Replace monitor server domain name by ip address due to
+ # https://github.com/ossec/ossec-hids/issues/1145
+ mon_ip=$(grep -oP "^\\d+\.\\d+\.\\d+\.\\d+(?=.*securedrop-monitor-server-alias)" /etc/hosts)
+ sed -i -e "s/securedrop-monitor-server-alias<\/server-hostname>/$mon_ip<\/server-ip>/g" /var/ossec/etc/ossec.conf
+ service ossec restart
 ;;
 
 abort-upgrade|abort-remove|abort-deconfigure)
@@ -28,6 +32,7 @@ case "$1" in
 echo "postinst called with unknown argument \`$1'" >&2
 exit 1
 ;;
+
 esac
 
 # dh_installdeb will replace this with shell code automatically
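Review bot: Nothing in the added "Replace hostname by monitor IP in config" task confirms that the rewrite happened: Ansible's `replace` module reports `ok` without changing anything when `regexp` does not match, so if the line in /var/ossec/etc/ossec.conf is formatted differently the hostname stays and the agent may hit the DNS issue cited in the comment and stop reporting to the monitor. I would follow it with a check task under the same `when:` conditions that fails if `securedrop-monitor-server-alias` is still present in the file, for example a `command: grep -q ...` with `failed_when` on a zero return code and `changed_when: false`. The `replace:` and `regexp:` values as shown on this page look truncated (the replacement appears as an empty string), so I could not check the pattern itself. The first sentence of the new comment is also missing a word after "issue with". The task list continues outside the hunk.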
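Review bot: In the `configure)` branch, the `mon_ip=$(grep -oP ... /etc/hosts)` assignment runs under `set -e` with no handling for zero or multiple matches. If /etc/hosts has no IPv4 line for securedrop-monitor-server-alias, grep exits non-zero and the postinst aborts without any message, leaving the package unconfigured; if two lines match, `$mon_ip` contains a newline and the sed expression is malformed. Either way the agent may end up not reporting to the monitor server with little to show why, so I would take only the first match and fail with an explicit error, as sketched below. The `case` statement starts and ends outside this hunk.

```shell
# … unchanged: comment referencing ossec-hids issue 1145 …
mon_ip=$(grep -m1 -oP "^\\d+\.\\d+\.\\d+\.\\d+(?=.*securedrop-monitor-server-alias)" /etc/hosts || true)
if [ -z "$mon_ip" ]; then
    echo "postinst: no IPv4 entry for securedrop-monitor-server-alias in /etc/hosts" >&2
    exit 1
fi
# … unchanged: sed rewrite of /var/ossec/etc/ossec.conf and service ossec restart …
```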