From f7eb0d37dbd2b118881478ff42c3922b997863d4 Mon Sep 17 00:00:00 2001 From: mickael e Date: Tue, 11 Sep 2018 11:58:02 -0400 Subject: [PATCH] Replace mon server alias with ip in ossec config Due to issues with ossec 2.8.2+ and disabling of the ipv6 stack, name lookups can't `getaddrinfo: Name or service not known`. Using ip addresses in lieu of aliases sidesteps the issue. - For new installs, ossec.conf will be updated during ansible, as the config is not templated. - For existing installs, ossec agent postinst will replace the line in ossec.conf. --- .../ansible-base/roles/ossec/tasks/register.yml | 12 ++++++++++++ install_files/securedrop-ossec-agent/DEBIAN/postinst | 7 ++++++- 2 files changed, 18 insertions(+), 1 deletion(-) diff --git a/install_files/ansible-base/roles/ossec/tasks/register.yml b/install_files/ansible-base/roles/ossec/tasks/register.yml index 7733447c965..1b0e3c86c67 100644 --- a/install_files/ansible-base/roles/ossec/tasks/register.yml +++ b/install_files/ansible-base/roles/ossec/tasks/register.yml @@ -61,6 +61,18 @@ - ossec_is_client - not ossec_agent_already_registered +# DNS lookups do not work with ipv6 due to an ongoing issue with and +# disabled ipv6 stacks. Using ip instead of hostname is a workaround. +# see https://github.com/ossec/ossec-hids/issues/1145 +- name: Replace hostname by monitor IP in config + replace: + dest: "/var/ossec/etc/ossec.conf" + replace: "" + regexp: '//\securedrop-monitor-server-alias\<\/server-hostname\>' + when: + - ossec_is_client + - not ossec_agent_already_registered + # Ossec 3.0 now defaults to requiring a shared secret for agent authentication. # Disabling authentication is broken for authd in ossec 3.0. Registering agents # requires a 32 hex character password with a line feed appended to the diff --git a/install_files/securedrop-ossec-agent/DEBIAN/postinst b/install_files/securedrop-ossec-agent/DEBIAN/postinst index fe8c73abf99..a7cb92fe186 100755 
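Review bot: The new `Replace hostname by monitor IP in config` task has no check that the substitution actually happened, and Ansible's `replace` module reports `ok` rather than failing when `regexp` matches nothing. If the pattern does not match the shipped ossec.conf, the agent presumably stays on the alias that cannot be resolved and stops reporting to the monitor server, with no error at provisioning time. As displayed on this page the `regexp` and `replace` values look truncated (the replacement shows as an empty string), so the pattern itself cannot be verified from here. A follow-up task that fails while the alias is still present would catch a silent miss: `command: grep -q securedrop-monitor-server-alias /var/ossec/etc/ossec.conf`, `register: alias_check`, `failed_when: alias_check.rc != 1`. The task is also skipped whenever `ossec_agent_already_registered` is true, so registered hosts depend entirely on the postinst path described in the commit message.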
--- a/install_files/securedrop-ossec-agent/DEBIAN/postinst +++ b/install_files/securedrop-ossec-agent/DEBIAN/postinst @@ -18,7 +18,11 @@ set -e case "$1" in configure) - service ossec restart + # Replace monitor server domain name by ip address due to + # https://github.com/ossec/ossec-hids/issues/1145 + mon_ip=$(grep -oP "^\\d+\.\\d+\.\\d+\.\\d+(?=.*securedrop-monitor-server-alias)" /etc/hosts) + sed -i -e "s/securedrop-monitor-server-alias<\/server-hostname>/$mon_ip<\/server-ip>/g" /var/ossec/etc/ossec.conf + service ossec restart ;; abort-upgrade|abort-remove|abort-deconfigure) @@ -28,6 +32,7 @@ case "$1" in echo "postinst called with unknown argument \`$1'" >&2 exit 1 ;; + esac # dh_installdeb will replace this with shell code automatically
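Review bot: The `mon_ip` assignment in the `configure)` branch handles neither a missing nor a duplicated alias entry in /etc/hosts. With `set -e` in effect (it is visible at the top of this hunk), a `grep` that finds no matching line aborts the postinst without any message and leaves the package unconfigured. If more than one line carries the alias, `mon_ip` holds several newline-separated addresses and the `sed` expression becomes invalid. Taking only the first match and failing with an explicit message covers both cases: `mon_ip=$(grep -m1 -oP "^\\d+\.\\d+\.\\d+\.\\d+(?=.*securedrop-monitor-server-alias)" /etc/hosts) || { echo "monitor IP not found in /etc/hosts" >&2; exit 1; }`. The `case` statement begins before this hunk and continues after it.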