Securedrop install - ossec public key to manager error [was Server "prereq...?"]

dear all,
we have implemented SASL for our alerts and proceeded with the actual installation. it installed a lot of stuff with little trouble including our ossec config. there is now just this error:

TASK [Gathering Facts] ************************************************************************************
ok: [mon]

TASK [ossec-server : Install OSSEC manager package.] ******************************************************
changed: [mon]

TASK [ossec-server : Install procmail.] *******************************************************************
changed: [mon]

TASK [ossec-server : Copy the OSSEC GPG public key for sending encrypted alerts.] *************************
changed: [mon]

TASK [ossec-server : Add the OSSEC GPG public key to the OSSEC manager keyring.] **************************
[WARNING]: Consider using 'become', 'become_method', and 'become_user' rather than running su

fatal: [mon]: FAILED! => {"changed": false, "cmd": ["su", "-s", "/bin/bash", "-c", "gpg --homedir /var/ossec/.gnupg --import /var/ossec//home/amnesia/Persistent/securedrop/install_files/ansible-base/ossec.pub", "ossec"], "delta": "0:00:00.014561", "end": "2018-03-01 04:26:04.545201", "failed": true, "rc": 2, "start": "2018-03-01 04:26:04.530640", "stderr": "gpg: keyring `/var/ossec/.gnupg/secring.gpg' created\ngpg: keyring `/var/ossec/.gnupg/pubring.gpg' created\ngpg: can't open `/var/ossec//home/amnesia/Persistent/securedrop/install_files/ansible-base/ossec.pub': No such file or directory\ngpg: Total number processed: 0", "stderr_lines": ["gpg: keyring `/var/ossec/.gnupg/secring.gpg' created", "gpg: keyring `/var/ossec/.gnupg/pubring.gpg' created", "gpg: can't open `/var/ossec//home/amnesia/Persistent/securedrop/install_files/ansible-base/ossec.pub': No such file or directory", "gpg: Total number processed: 0"], "stdout": "", "stdout_lines": []}
to retry, use: --limit @/home/amnesia/Persistent/securedrop/install_files/ansible-base/securedrop-prod.retry

PLAY RECAP ************************************************************************************************
app : ok=65 changed=41 unreachable=0 failed=0
localhost : ok=23 changed=0 unreachable=0 failed=0
mon : ok=69 changed=44 unreachable=0 failed=1

TASK: common : Perform safe upgrade to ensure all the packages are updated. - 112.06s
TASK: tor-hidden-services : Copy torrc config file. -------------------- 56.33s
TASK: grsecurity : Check if reboot is required due to inactive grsecurity lock. -- 23.54s
TASK: grsecurity : Install the grsecurity-patched kernel from the FPF repo. -- 21.45s
TASK: grsecurity : Remove generic kernel packages. --------------------- 15.06s
TASK: ossec-server : Install OSSEC manager package. -------------------- 11.90s
TASK: install-fpf-repo : Setup FPF apt repo. ---------------------------- 9.68s
TASK: common : Set sysctl flags for net.ipv4 config. -------------------- 8.81s
TASK: ossec-server : Install procmail. ---------------------------------- 8.27s
TASK: common : Install tmux. -------------------------------------------- 7.24s

Playbook finished: Thu Mar 1 09:26:03 2018, 82 total tasks. 0:05:21 elapsed.

Traceback (most recent call last):
  File "./securedrop-admin", line 329, in
    args.func(args)
  File "./securedrop-admin", line 215, in install_securedrop
    '--ask-become-pass'], cwd=ANSIBLE_PATH)
  File "/usr/lib/python2.7/subprocess.py", line 186, in check_call
    raise CalledProcessError(retcode, cmd)
subprocess.CalledProcessError: Command '['/home/amnesia/Persistent/securedrop/./install_files/ansible-base/securedrop-prod.yml', '--ask-become-pass']' returned non-zero exit status 2

so what is going on with this mon server key error? where should i be checking? how do we proceed using the retry script? assuming i sort the error i'd like to retry properly. thanks.

Hi @hacker

so when you exported the GPG public key that your OSSEC service will be encrypting emails to, did you name it ossec.pub? And is it placed in home/amnesia/Persistent/securedrop/install_files/ansible-base/? According to this stacktrace, it is expecting a file home/amnesia/Persistent/securedrop/install_files/ansible-base/ossec.pub and it is not found.

You can make modifications to the variables used by Ansible in ~/Persistent/securedrop/install_files/ansible-base/group_vars/all/site-specific.

You can always re-run the ansible scripts after making edits to the site-specific file by running ./securedrop-admin from the ~/Persistent/securedrop/ directory.

Best,
Freddy

dear bmeson,

yes, the file stored on the admin machine is at that path and named ossec.pub as far as i can tell. should we check for it on the mon machine somehow? this path with "…ossec//home/…" looks odd. is that full path correct? i can double check the ossec.pub file and path in the 'site-specific' file again but that part seems ok. any help is greatly appreciated. thanks.

                                   - hacker

--

Can you tell me what the value of this line is: ossec_alert_gpg_public_key
It should be in this file
~/Persistent/securedrop/install_files/ansible-base$ less group_vars/all/site-specific.

Thanks

sure. the line in that file on the admin machine is set to:

ossec_alert_gpg_public_key: /home/amnesia/Persistent/securedrop/install_files/ansible-base/ossec.pub

                                                        - hacker

Hi @hacker.

So the file path is already relative to ~/Persistent/securedrop/install_files/ansible-base/. If you have ossec.pub in that directory (which it sounds like you do) I would just make that line reflect this:
ossec_alert_gpg_public_key: ossec.pub. Then rerun the ./securedrop-admin install command.

Best,
Freddy Martinez
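
A pre-flight check for the path problem diagnosed above, as an added example that is not part of the original thread or of SecureDrop's own tooling. The function name `check_ossec_key_var`, its exit codes, and the assumption that the variable is written on a single `key: value` line are choices made for this example; the sample tree is constructed.

```shell
#!/bin/sh
# Added example (not SecureDrop code). Checks ossec_alert_gpg_public_key in
# group_vars/all/site-specific before running ./securedrop-admin install.
# Assumption: the variable is written on one line as "key: value".
# Returns 0 = ok, 1 = variable unreadable/unset, 2 = absolute path, 3 = file missing.
check_ossec_key_var() {
    base=$1
    vars="$base/group_vars/all/site-specific"
    [ -r "$vars" ] || { echo "cannot read $vars"; return 1; }

    # Value after the colon, minus trailing whitespace and optional quotes.
    value=$(sed -n 's/^ossec_alert_gpg_public_key:[[:space:]]*//p' "$vars" |
            head -n 1 |
            sed -e 's/[[:space:]]*$//' -e "s/^[\"']//" -e "s/[\"']\$//")
    [ -n "$value" ] || { echo "ossec_alert_gpg_public_key is not set"; return 1; }

    case $value in
        /*)
            # The failing task in the thread imported /var/ossec/<value>,
            # so an absolute value produced /var/ossec//home/... on mon.
            echo "absolute path: gpg would be given /var/ossec/$value"
            echo "use the bare file name instead: $(basename "$value")"
            return 2 ;;
    esac

    [ -f "$base/$value" ] || { echo "not found: $base/$value"; return 3; }
    echo "ok: $value"
}

# Constructed sample tree (not real SecureDrop data) showing both outcomes.
demo=$(mktemp -d)
mkdir -p "$demo/group_vars/all"
: > "$demo/ossec.pub"
echo "ossec_alert_gpg_public_key: $demo/ossec.pub" > "$demo/group_vars/all/site-specific"
check_ossec_key_var "$demo" || echo "(rejected, exit $?)"
echo "ossec_alert_gpg_public_key: ossec.pub" > "$demo/group_vars/all/site-specific"
check_ossec_key_var "$demo"
rm -rf "$demo"
```

On the admin workstation the argument would be `~/Persistent/securedrop/install_files/ansible-base`.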

dear freddy,
thanks for the help. that got us finished with the installation and ready for a site / test. i ran the 'tailsconfig' script as a part of the post-install instructions. there is one more error we noticed:

TASK [tails-config : Assemble ATHS info into torrc additions.] ********************************************
changed: [localhost]

TASK [tails-config : Look up Source Interface URL.] *******************************************************
ok: [localhost]

TASK [tails-config : Look up Journalist Interface URL.] ***************************************************
ok: [localhost]

TASK [tails-config : Create desktop shortcut parent directories.] *****************************************
ok: [localhost] => (item=/home/amnesia/Persistent/.securedrop)
failed: [localhost] (item=/live/persistence/TailsData_unlocked/dotfiles) => {"failed": true, "item": "/live/persistence/TailsData_unlocked/dotfiles", "msg": "There was an issue creating /live/persistence/TailsData_unlocked/dotfiles as requested: [Errno 13] Permission denied: '/live/persistence/TailsData_unlocked/dotfiles'", "path": "/live/persistence/TailsData_unlocked/dotfiles", "state": "absent"}
ok: [localhost] => (item=/home/amnesia/Desktop)
failed: [localhost] (item=/live/persistence/TailsData_unlocked/dotfiles/Desktop) => {"failed": true, "item": "/live/persistence/TailsData_unlocked/dotfiles/Desktop", "msg": "There was an issue creating /live/persistence/TailsData_unlocked/dotfiles as requested: [Errno 13] Permission denied: '/live/persistence/TailsData_unlocked/dotfiles'", "path": "/live/persistence/TailsData_unlocked/dotfiles/Desktop", "state": "absent"}
ok: [localhost] => (item=/home/amnesia/.local/share/applications)
failed: [localhost] (item=/live/persistence/TailsData_unlocked/dotfiles/.local/share/applications) => {"failed": true, "item": "/live/persistence/TailsData_unlocked/dotfiles/.local/share/applications", "msg": "There was an issue creating /live/persistence/TailsData_unlocked/dotfiles as requested: [Errno 13] Permission denied: '/live/persistence/TailsData_unlocked/dotfiles'", "path": "/live/persistence/TailsData_unlocked/dotfiles/.local/share/applications", "state": "absent"}
to retry, use: --limit @/home/amnesia/Persistent/securedrop/install_files/ansible-base/securedrop-tails.retry

PLAY RECAP ************************************************************************************************
localhost : ok=18 changed=4 unreachable=0 failed=1

TASK: tails-config : Remove deprecated network hook config files. ------- 1.09s
TASK: tails-config : Remove deprecated Document Interface desktop icons. --- 0.77s
TASK: tails-config : Create desktop shortcut parent directories. -------- 0.60s
TASK: tails-config : Check for persistence volume. ---------------------- 0.57s
TASK: Gathering Facts --------------------------------------------------- 0.54s
TASK: tails-config : Copy SecureDrop logo for desktop icons to dotfiles directory. --- 0.34s
TASK: tails-config : Copy SecureDrop network hook for Tor config. ------- 0.24s
TASK: tails-config : Assemble ATHS info into torrc additions. ----------- 0.22s
TASK: tails-config : Migrate Document Interface ATHS file (upgrade only). --- 0.20s
TASK: tails-config : Find Tor ATHS info for SecureDrop interfaces. ------ 0.20s

Playbook finished: Tue Mar 13 09:35:49 2018, 20 total tasks. 0:00:05 elapsed.

Traceback (most recent call last):
  File "./securedrop-admin", line 329, in
    args.func(args)
  File "./securedrop-admin", line 265, in run_tails_config
    cwd=ANSIBLE_PATH)
  File "/usr/lib/python2.7/subprocess.py", line 186, in check_call
    raise CalledProcessError(retcode, cmd)
subprocess.CalledProcessError: Command '['/home/amnesia/Persistent/securedrop/./install_files/ansible-base/securedrop-tails.yml', '--ask-become-pass', '-i', '/dev/null']' returned non-zero exit status 2


is there anything you would suggest for this? we're ready to make the landing site now and finish testing functionality.

                                                                           - hacker

Hi @hacker

It looks like you need to have Persistence enabled in the Tails drive. The first time you setup Persistence and enable all of the boxes, you have to reboot the Tails drive to set the options. However you probably already did that.

Next ensure that you have Persistence enabled in Tails and an administrator password set when you boot that Tails drive. The below seems to indicate that either one was not set: both need to be.

failed: [localhost] (item=/live/persistence/TailsData_unlocked/dotfiles/.local/share/applications) => {"failed": true, "item": "/live/persistence/TailsData_unlocked/dotfiles/.local/share/applications", "msg": "There was an issue creating /live/persistence/TailsData_unlocked/dotfiles as requested: [Errno 13] Permission denied:

Please give it a shot and let us know the results.

Freddy

dear all,
ok i am confused. i am pretty certain the admin server persistent folder is still enabled. i also still have a simple admin password set for the current session that i've been using. is there anything specifically i should check or double check without rebooting and unlocking/setting that in another session? i'll do it but if that's a fix i don't get how there is a problem now. i've been using both the folder and password with no issue.
by 'localhost' the script is indicating the admin machine right? i don't get how that could have reverted or broke. again we ran into this during the post-installation 'tails_config' script. these are desktop shortcuts it's trying to make so should i test by creating some in the folder manually or something else? should i reboot and try this anyway? thanks for the help.
- hacker

Hi @hacker

Well if the Dotfiles setting is not set correctly in this "Setup Persistence" step, this step may fail. The actual device name shouldn't be QEMU harddisk; it will say something else. This was the SecureDrop documentation I was linking to earlier…

dear freddy,
ok i checked our 'dot files' in the wizard and they were not enabled as you had suggested. i changed that and took the time to upgrade tails too. i ran the './securedrop-admin tailsconfig' and it ended cleanly announcing 'Securedrop was auto configured successfully.' when finished.

so we noticed our ssh keys/aliases are not working the same way. i thought we needed new keys or something bad happened. is this normal? the enable part you were telling us about was initially unclear or overlooked.
- hacker

dear all,
we enabled the dot files and others then rebooted. we ran 'tailsconfig' and upgraded tails too.
we're unable to 'ssh app' to set journalist accounts up. it might have something to do with the ATHS/auth-cookie? is the './tails-files' mentioned explained further? any suggestions welcome.
- hacker

https://docs.securedrop.org/en/stable/configure_admin_workstation_post_install.html#auto-connect-to-the-authenticated-tor-hidden-services

Hi @hacker

we're unable to 'ssh app' to set journalist accounts up. it might have something to do with the ATHS/auth-cookie? is the './tails-files' mentioned explained further? any suggestions welcome.

When you boot your Tails administrator drive, do you see "Journalist Interface" and "Source Interface" shortcuts on the desktop? They should also have the SecureDrop logo. If so, that is good news, please try to connect to them.

If you are not able to connect to them, try the following:

amnesia@amnesia:~$ cd ~/Persistent/securedrop/install_files/ansible-base/
amnesia@amnesia:~/Persistent/securedrop/install_files/ansible-base$ ls *ths*
app-journalist-aths  app-source-ths  app-ssh-aths  mon-ssh-aths

Those four files should be present. When you run ./securedrop-admin tailsconfig it adds the ATHS cookies into /etc/tor/torrc/ . You can verify this by running the following command; it should output "4":

grep "onion" /etc/tor/torrc | wc -l

If you have gotten this far, please attempt to run ssh app again and tell us the output. When you are logging into app service using SSH, can you login to the Journalist Interface at the same time? What happens? If you are able to access the Journalist Interface but login to SSH, you may be having transient issues with the Tor service. You may need to reboot into single user mode and restart the Tor service using sudo /etc/init.d/tor restart and monitoring the logs in /var/log/syslog.

Best,
Freddy Martinez
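
The two checks from the reply above (four `*ths*` files present, four "onion" lines in the torrc) combined into one script, as an added example that is not part of the original thread or of SecureDrop's tooling. The function name `check_aths`, its exit codes and the constructed sample torrc lines are assumptions of this example.

```shell
#!/bin/sh
# Added example (not SecureDrop code). Reports which of the four ATHS/THS
# files named in the thread are missing and whether the torrc holds the
# expected four "onion" lines after ./securedrop-admin tailsconfig.
# Returns 0 = all good, 1 = a file is missing or the count is off,
# 2 = torrc unreadable (on Tails this may need root).
check_aths() {
    base=$1
    torrc=${2:-/etc/tor/torrc}
    rc=0
    for f in app-journalist-aths app-source-ths app-ssh-aths mon-ssh-aths; do
        [ -f "$base/$f" ] || { echo "missing: $base/$f"; rc=1; }
    done
    [ -r "$torrc" ] || { echo "cannot read $torrc"; return 2; }
    # grep -c prints 0 and exits 1 when nothing matches, hence "|| true".
    n=$(grep -c "onion" "$torrc") || true
    [ "$n" -eq 4 ] || { echo "expected 4 onion lines in $torrc, found $n"; rc=1; }
    [ "$rc" -eq 0 ] && echo "ok: 4 files and 4 onion lines"
    return "$rc"
}

# Constructed sample data (placeholder names, no real onion addresses).
demo=$(mktemp -d)
for f in app-journalist-aths app-source-ths app-ssh-aths; do : > "$demo/$f"; done
for i in 1 2 3 4; do echo "HidServAuth placeholder$i.onion COOKIE$i"; done > "$demo/torrc"
check_aths "$demo" "$demo/torrc" || echo "(incomplete, exit $?)"
: > "$demo/mon-ssh-aths"
check_aths "$demo" "$demo/torrc"
rm -rf "$demo"
```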

dear freddy,
thanks for the reply. after typing "ls *ths*" the four files appear as you said. when we look at the torrc_additions file it has one line commenting on what it is but no entries. running 'ssh app' again prompts us for a password but nothing we try works… the journalist interface and source links and shortcuts appear normally with our logo etc.
- hacker

Hi @hacker,

Okay we are getting close!

the journalist interface and source links and shortcuts appear normally with our logo

Are you able to connect with them? Yes? If so, I think it's because of the missing Persistence settings that we have fixed. If that's the case, then navigate to ~/Persistent/securedrop/ and then run ./securedrop-admin tailsconfig one more time. It should not error out and you should be able to SSH back into the app and mon server.

Note: after SecureDrop installation finishes, you will not be able to use SSH over the LAN and you will not be able to login using a password as you could before.

Give the tailsconfig another attempt and let us know if it throws an error again.

Best,
Freddy

dear freddy,

yes the shortcuts go to their respective sites. we ran tailsconfig again and it finishes with no apparent errors:

PLAY RECAP *********************************************************************
localhost : ok=29 changed=1 unreachable=0 failed=0

TASK: tails-config : Create SecureDrop interface desktop icons. --------- 4.20s
TASK: tails-config : Remove deprecated network hook config files. ------- 0.99s
TASK: tails-config : Remove deprecated Document Interface desktop icons. --- 0.79s
TASK: tails-config : Create SSH alias ----------------------------------- 0.72s
TASK: tails-config : Create desktop shortcut parent directories. -------- 0.62s
TASK: Gathering Facts --------------------------------------------------- 0.53s
TASK: tails-config : Copy NetworkManager hook for managing SecureDrop interfaces. --- 0.45s
TASK: tails-config : Check for persistence volume. ---------------------- 0.41s
TASK: tails-config : Set normal user ownership on subset of directories. --- 0.37s
TASK: tails-config : Copy SecureDrop network hook for Tor config. ------- 0.23s

Playbook finished: Mon Mar 19 23:45:35 2018, 30 total tasks. 0:00:11 elapsed.


what do we do next? the ssh alias prompts us for a password but it again does not allow us to login.
- hacker

Hi @hacker

Can you confirm that you did this step ssh-copy-id on the app and mon server from the documentation?

If not, you might have to copy the ssh public keys to the app and mon server into authorized_keys after booting into single user mode…

Best,
Freddy

Hi @hacker

Checking on this again. How are things looking?

Best,
Freddy Martinez

hi freddy,
thanks for checking back with us. we had to step away from this for a bit. is it possible to get some help or steps to check and possibly re-copy whatever current keys we have on admin to both app and mon in single user? we think that will indeed help us move to 2FA and tests.

we did "ssh-copy-id" once however we panicked and did it again with mixed results thinking the original was somehow lost iirc. "ssh app" was working further back before we got to the "admin workstation post install" section and reacted to ssh then not working in the next section(s.) i hope that makes sense.

                                                                               - hacker

How do we boot into single user mode and copy the keys? I think that is what we have to do. thanks.
- Hacker