ossec: set permissions on gpg homedir and contents #3943
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
In defect #3928, problems with the permissions on the OSSEC gpg keyring resulted in an error when attempting to import the OSSEC public key. This commit adds Ansible tasks to set the proper permissions on the gpg homedir and its contents prior to attempting to import the key
emkll
approved these changes
Nov 27, 2018
There was a problem hiding this comment.
I've successfully reproduced the error in the associated ticket on a physical 0.10.0 instance. I've checked out this branch and ran the install command, the ossec key gets updated without the permissions error 🎉 .
Also did further testing as follows:
- A clean install with prod VMs, OSSEC notifications flow in as expected, encrypted to the proper key. updating the key did not produce any errors and notifications are sent with the correct key.
- Staging VMs and ran local test suite, and only failing tests are the ones described in PaX flags are unset during install time #3916 (PaX flags on grub-related binaries)
- Keyring file permissions lgtm (given restriction to the ossec user), and are consistent with current state (https://github.com/freedomofpress/securedrop/blob/develop/install_files/ossec-server/DEBIAN/postinst#L194).
|
thanks for review! |
7 tasks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Status
Ready for review
Description of Changes
In bug #3928, problems with the permissions on the OSSEC gpg
keyring resulted in an error when attempting to import the OSSEC
public key.
This commit adds Ansible tasks to set the expected permissions
on the gpg homedir and its contents prior to attempting to import
the key
Fixes #3928.
note: some of this syntax i.e.
with_itemswill need to get changed as part of #3891Testing
Follow STR in Rotating ossec key fails due to directory permissions on /var/ossec on mon server #3928 and ensure the error does not occur
Test that fresh installs continue to work with this change
Verify that the permissions I claim to be "the expected permissions" are indeed the right permissions
Deployment
People are hitting this bug in prod when running
securedrop-admin install, this will resolve as part of the workstation update in 0.11Checklist
[heads up did not get a chance to run tests locally, relying on CI and manual testing]
If you made changes to the system configuration:
If you made non-trivial code changes: