New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Rotating ossec key fails due to directory permissions on /var/ossec on mon server #3928

Closed
zenmonkeykstop opened this Issue Nov 8, 2018 · 3 comments

Comments

5 participants
@zenmonkeykstop
Copy link
Contributor

zenmonkeykstop commented Nov 8, 2018

Description

If the ossec alert public key is changed on the admin workstation after an initial install, and ./securedrop-admin install is run again, the install/update will fail with an Ansible error related to directory permissions on /var/ossec/.gnupg

Steps to Reproduce

with SD release 0.10.0:

  • install 0.10.0 on app and mon servers via usual flow, including ossec setup
  • change the file ~/Persistent/securedrop/install-files/ansible_base/ossec.pub to a new pubkey
  • run ./securedrop-admin install again

Expected Behavior

Installation completes without error

Actual Behavior

Installation fails, as ossec user on the mon server doesn't have permission to write to /var/ossec/.gnupg

@eloquence eloquence added this to Near Term Backlog in SecureDrop Team Board Nov 15, 2018

@eloquence eloquence added the bug label Nov 16, 2018

@eloquence eloquence added this to the 0.11.0 milestone Nov 16, 2018

@eloquence eloquence moved this from Near Term Backlog to Current Sprint Backlog - 11/16-11/28 in SecureDrop Team Board Nov 16, 2018

@ultimatecoder

This comment has been minimized.

Copy link
Contributor

ultimatecoder commented Nov 25, 2018

I have tried re-produce this issue, but I am not able to re-produce. I have replicated the steps mentioned by @zenmonkeykstop here.

Below are description of tasks I performed as part of re-producing this issue:

  • I copied the ossec.pub file to ~/Persistant/securedrop/install_files/ansible-base. I then copied SecureDrop.asc to ~/Persistant/securedrop/install_files/ansible-base.
  • Then I ran securedrop-admin sdconfig and provided answers to questions it asked.
  • Then I ran securedrop-admin install script for the first time. It ran without any errors.
  • I checked the .onion URLs of Journalist interface and Source interface. It worked fine.
  • Then I ran the securedrop-admin tailsconfig. It too ran without any errors.
  • Then I SSH over tor to Monitor server. I was able to ssh to monitor server without any errors. I verified the public key. It was the one I provided as a ossec.pub key to my initial run of securedrop-admin install command.
  • Then I replaced the ~/Persistant/securedrop/install_files/ansible-base/ossec.pub with new public key file.
  • After replacing the ossec.pub file with a new key, I updated the old fingerprint value with the fingerprint value of new file at ~/Persistant/securedrop/install_files/ansible-base/group_vars/all/site-specific
  • And I re-ran the securedrop-admin install command.
  • The command ended without any errors. It actually replaced the old ossec.pub file with new ossec.pub file. Below gist from the log of ansible playbook shows that
PLAY [Configure OSSEC.] *******************************************************************************************************************************************************************************************

TASK [Gathering Facts] ********************************************************************************************************************************************************************************************
ok: [mon]
ok: [app]

TASK [ossec : Install securedrop-ossec-agent package.] ************************************************************************************************************************************************************
ok: [app]

TASK [ossec : Install OSSEC manager package.] *********************************************************************************************************************************************************************
ok: [mon]

TASK [ossec : Copy the OSSEC GPG public key for sending encrypted alerts.] ****************************************************************************************************************************************
changed: [mon] => (item=ossec.pub)

TASK [ossec : Add the OSSEC GPG public key to the OSSEC manager keyring.] *****************************************************************************************************************************************
changed: [mon] => (item=ossec.pub)

TASK [ossec : Copy script for sending GPG-encrypted OSSEC alerts.] ************************************************************************************************************************************************
changed: [mon]n I

TASK [ossec : Copy script for formatting journalist submission] ***************************************************************************************************************************************************
ok: [mon]

Full log of securedrop-admin install when I ran it second time is here

Note: I have tried to obfuscate sensitive details from the log file. Please guide me if I am still exposing critical information.

@redshiftzero

This comment has been minimized.

Copy link
Member

redshiftzero commented Nov 27, 2018

I took a look at reproducing this today - @zenmonkeykstop can you confirm that this was the error:

TASK [ossec : Add the OSSEC GPG public key to the OSSEC manager keyring.] ******
failed: [mon-staging] (item=test_journalist_key.pub) => {"changed": false, "cmd": ["gpg", "--homedir", "/var/ossec/.gnupg", "--import", "/var/ossec/test_journalist_key.pub"], "delta": "0:00:00.004148", "end": "2018-11-26 23:55:27.971819", "item": "test_journalist_key.pub", "msg": "non-zero return code", "rc": 2, "start": "2018-11-26 23:55:27.967671", "stderr": "gpg: no writable keyring found: eof\ngpg: error reading `/var/ossec/test_journalist_key.pub': general error\ngpg: import from `/var/ossec/test_journalist_key.pub' failed: general error\ngpg: Total number processed: 0", "stderr_lines": ["gpg: no writable keyring found: eof", "gpg: error reading `/var/ossec/test_journalist_key.pub': general error", "gpg: import from `/var/ossec/test_journalist_key.pub' failed: general error", "gpg: Total number processed: 0"], "stdout": "", "stdout_lines": []}
failed: [mon-staging] (item=test_journalist_key.pub) => {"changed": false, "cmd": ["gpg", "--homedir", "/var/ossec/.gnupg", "--import", "/var/ossec/test_journalist_key.pub"], "delta": "0:00:00.003334", "end": "2018-11-26 23:55:28.084523", "item": "test_journalist_key.pub", "msg": "non-zero return code", "rc": 2, "start": "2018-11-26 23:55:28.081189", "stderr": "gpg: no writable keyring found: eof\ngpg: error reading `/var/ossec/test_journalist_key.pub': general error\ngpg: import from `/var/ossec/test_journalist_key.pub' failed: general error\ngpg: Total number processed: 0", "stderr_lines": ["gpg: no writable keyring found: eof", "gpg: error reading `/var/ossec/test_journalist_key.pub': general error", "gpg: import from `/var/ossec/test_journalist_key.pub' failed: general error", "gpg: Total number processed: 0"], "stdout": "", "stdout_lines": []}

I reproduced this via:

  1. vagrant up /staging/
  2. change path to OSSEC key in staging vars to a new public key (I used test_journalist_key.pub as seen above)
  3. vagrant provision /staging/

redshiftzero added a commit that referenced this issue Nov 27, 2018

ossec: set permissions on gpg homedir and contents
In defect #3928, problems with the permissions on the OSSEC gpg
keyring resulted in an error when attempting to import the OSSEC
public key.

This commit adds Ansible tasks to set the proper permissions
on the gpg homedir and its contents prior to attempting to import
the key

redshiftzero added a commit that referenced this issue Nov 27, 2018

ossec: set permissions on gpg homedir and contents
In defect #3928, problems with the permissions on the OSSEC gpg
keyring resulted in an error when attempting to import the OSSEC
public key.

This commit adds Ansible tasks to set the proper permissions
on the gpg homedir and its contents prior to attempting to import
the key
@kushaldas

This comment has been minimized.

Copy link
Contributor

kushaldas commented Nov 27, 2018

@redshiftzero @zenmonkeykstop I could not reproduce it on prod vagrant vms, I changed the keys a few times. No errors at all.

@redshiftzero redshiftzero moved this from Current Sprint Backlog - 11/16-11/28 to Ready for review in SecureDrop Team Board Nov 27, 2018

@redshiftzero redshiftzero self-assigned this Nov 27, 2018

SecureDrop Team Board automation moved this from Ready for review to Done Nov 27, 2018

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment