Securedrop install - ossec public key to manager error [was Server "prereq...?"]


#23

Hi @hacker,

So you want to boot the server into “single user mode” and add "single" to the end of the line that reads linux.

For both the app and mon server, compare and contrast the SSH keys found in Tails; the file is located at /home/amnesia/.ssh/id_rsa.pub. Make sure that its contents match /home/<user>/.ssh/authorized_keys, where <user> is the username you created when you installed Ubuntu, for both servers.

You may also need to create an encrypted USB device to move the id_rsa.pub from the Tails drive to the Ubuntu servers. If you do need to move files, first mount the USB device and copy the files over:

sudo mkdir /mnt/temporary/
sudo mount /dev/sdb1 /mnt/temporary
sudo cp /home/<user>/.ssh/authorized_keys{,.backup}
sudo cp /mnt/temporary/id_rsa.pub /home/<user>/.ssh/authorized_keys
sudo eject /mnt/temporary
sudo rmdir /mnt/temporary

If you do have to copy files, please double check your file permissions before restarting SSH. We can help with this if there are questions.

Best
Freddy


#24

@hacker Coincidentally, I also had this problem. I followed the instructions I posted above and I was able to recover access!

On the problem of fixing permissions, make sure you run these two commands where <user> is the Ubuntu user you configured.

sudo su <user>
sudo chmod 600 ~/.ssh/authorized_keys

Please let me know if you run into further issues.

Freddy
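
The key comparison from post #23 and the permission check from post #24 can be scripted as below. This is an added example, not part of the original posts; the function names and the numeric-UID argument are assumptions of the example, and GNU `stat` is assumed.

```bash
#!/bin/sh
# Added example (not from the thread). Confirms that the Tails public key is
# listed in a server-side authorized_keys file and that the file and its
# directory have an owner and mode that sshd will accept.

# Print the base64 key body from each key line of FILE.
# A key line is "[options] keytype base64-key [comment]".
key_blobs() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }      # skip comments and blank lines
        {
            for (i = 1; i < NF; i++)
                if ($i ~ /^(ssh-|ecdsa-sha2-|sk-)/) { print $(i + 1); break }
        }
    ' "$1"
}

# check_authorized PUBKEY AUTHORIZED_KEYS OWNER_UID
# Returns 0 = ok, 1 = key not listed, 2 = unsafe mode or owner,
#         3 = unreadable or empty input.
check_authorized() {
    pub=$1 auth=$2 want_uid=$3
    [ -r "$pub" ] && [ -r "$auth" ] || return 3
    blob=$(key_blobs "$pub" | head -n 1)
    [ -n "$blob" ] || return 3

    # Compare key material only, so a different trailing comment or an
    # options prefix on the server side still counts as a match.
    key_blobs "$auth" | grep -qxF -- "$blob" || return 1

    # Both authorized_keys and ~/.ssh must belong to the login user and must
    # not be writable by group or others (mode 600 on the file satisfies this).
    for path in "$auth" "$(dirname "$auth")"; do
        mode=$(stat -c '%a' "$path")
        owner=$(stat -c '%u' "$path")
        [ "$owner" = "$want_uid" ] || return 2
        [ $(( 0$mode & 022 )) -eq 0 ] || return 2
    done
    return 0
}
```

Run it on each server as `check_authorized id_rsa.pub /home/<user>/.ssh/authorized_keys "$(id -u <user>)"` before restarting SSH; a return value of 2 after a `sudo cp` usually means the copy left the file owned by root or too permissive.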


#25

dear freddy,

thanks. we were able to ssh and proceed to the sanity check/tests and are nearing the end. we successfully sent test documents to our journalist account! one issue we ran into is using our private submission gpg key/decrypting on the SVS. the public key is still on the transfer device so we’re wondering what happened. is there a location where the private key should be and what are our options if it is not there? thanks again for all your help. we really have appreciated it.
- hacker


#26

On the SVS, you should have both the public and private key in your gpg keyring. If you do not, you will not be able to decrypt documents. First I would open a terminal and compare the output of the gpg -k command versus the output of gpg -K:

I have a public key (denoted by the pub line) here:

pub   rsa4096/0x76BEA26769ACD5C5 2017-09-18 [SC] [expires: 2018-09-18]
      Key fingerprint = 4C43 A308 CEFA E01B D916  D0F5 76BE A267 69AC D5C5
uid                   [ultimate] Freddy Martinez <freddy@freedom.press>

For that same key, I also have a corresponding sec line as shown by gpg -K

sec#  rsa4096/0x[REDACTED] 2017-09-18 [SC] [expires: 2018-09-18]
      Key fingerprint = REDACTED REDACTED 
uid                   [ultimate] Freddy Martinez <freddy@freedom.press>

Can you confirm this is the case? Please do not post your fingerprints here. But if you can confirm this, then we can proceed with the debugging steps.

Best,
Freddy


#27

dear freddy,
we see a lot of keys including developers, administrators and our own public key with -k. we do not get any results with the gpg -K command. can we generate a new keypair?
-hacker


#28

Hi @hacker

It looks like the GPG private key is not on the Secure Viewing Station. I would ensure that the SVS has all of the Persistent volume enabled with all of the options checked. Then I would ensure you walk through generating a new SVS key following our documentation. Then I would move the SVS GPG public key (with the new fingerprint) to the admin USB device and run ./securedrop-admin sdconfig and replace the values there with the new values. After, you need to run ./securedrop-admin install again.

Please let me know if that helps.


#29

dear freddy,
we had ‘Personal Data’ checked/enabled on our SVS but not the other persistence options. we enabled them all and generated a new key. it survived a reboot as well as the Persistence options so we exported the new public key and moved a copy to /Persistent/securedrop/install_files/ansible-base on our admin machine with the transfer device.
we renamed the first public key there SecureDrop.old and replaced it with the new SecureDrop.asc. we then edited the site-specific file with our new submission key fingerprint. we ran the sdconfig script and install scripts and made some more submissions. we have run gpg --decrypt on all of the files from the SVS and are getting failure with a key ID that does not appear to match the new key ID. it seems like it is still using the old key. is there another step or file we ought to remove?
- hacker


#30

dear freddy,

while checking our admin machine we noticed the keyring on it still has our old public key. is it supposed to be removed and the new public key imported there prior to running the playbook or config again? how should we make this change and does it affect the keys used on our servers? will our onion address change?

- hacker


#31

Hi @hacker,

I am confused about this statement:

while checking our admin machine we noticed the keyring on it still has our old public key.

You can always do gpg --import new_public.asc on the admin workstation but you need to be checking the keyring on the SVS. From the SVS, create your public key and transfer it to the Admin Workstation using an encrypted USB.

is it supposed to be removed and the new public key imported there prior to running the playbook or config again?

You should have the new public key and fingerprint in the same directory as the old key but update to the new filename and fingerprint when you run ./securedrop-admin sdconfig. (Please ensure you are on the latest SecureDrop release on your workstation before running sdconfig, but you can always re-run the command at any time).

cd ~/Persistent/securedrop
git fetch --tags
gpg --recv-key "2224 5C81 E3BA EB41 38B3 6061 310F 5612 00F4 AD77"
git tag -v 0.7.0

The output should include the following two lines:

gpg:                using RSA key 22245C81E3BAEB4138B36061310F561200F4AD77
gpg: Good signature from "SecureDrop Release Signing Key"

Please verify that each character of the fingerprint shown here matches what you see on the screen of your Admin Workstation. Once you have verified the signature and fingerprint, you can update to the latest release:

git checkout 0.7.0

Finally, you can re-run ./securedrop-admin install.

how should we make this change and does it affect the keys used on our servers? will our onion address change?

It should only change the GPG key that is used to encrypt documents but none of your other keys should be changed.

Feel free to send me the output of the Ansible run to debug this further if you face additional difficulties.

I also apologize for the very long response time, I was on vacation.
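
The character-by-character fingerprint comparison asked for in post #31 can be done mechanically against the two output lines shown there. This is an added example, not part of the original post or of SecureDrop; the function names are assumptions, the fingerprint is the one quoted in the post, and the "Signature made" line in the sample is constructed.

```bash
#!/bin/sh
# Added example (not from the thread). Checks the text printed by
# `git tag -v` against an expected 40-character signing key fingerprint.

# verify_tag_output EXPECTED_FPR   (reads `git tag -v` output on stdin)
# Returns 0 = good signature by the expected key, 1 = anything else,
#         2 = EXPECTED_FPR is not a full fingerprint.
verify_tag_output() {
    want=$(printf '%s' "$1" | tr -d ' \t' | tr 'a-f' 'A-F')
    [ "${#want}" -eq 40 ] || return 2
    case $want in *[!0-9A-F]*) return 2 ;; esac

    out=$(cat)
    printf '%s\n' "$out" | grep -q '^gpg: Good signature from ' || return 1
    if printf '%s\n' "$out" | grep -q '^gpg: BAD signature'; then
        return 1
    fi

    # Collect whatever follows "using <algo> key". Output that shows only a
    # short or long key ID instead of the full fingerprint fails the
    # comparison, which is the intended outcome.
    keys=$(printf '%s\n' "$out" |
        sed -n 's/^gpg: *using [A-Za-z0-9]* key \(.*\)$/\1/p' | tr 'a-f' 'A-F')
    [ -n "$keys" ] || return 1
    for k in $keys; do
        [ "$k" = "$want" ] || return 1
    done
    return 0
}

# verify_release_tag TAG EXPECTED_FPR   (run inside the repository checkout)
verify_release_tag() {
    # LC_ALL=C keeps gpg's messages in the untranslated form matched above.
    # git's own exit status must be zero as well as the text matching.
    tag_out=$(LC_ALL=C git tag -v "$1" 2>&1) || return 1
    printf '%s\n' "$tag_out" | verify_tag_output "$2"
}

# Sample input: the two gpg lines quoted in post #31, preceded by a
# constructed "Signature made" line.
sample_tag_output() {
    cat <<'EOF'
gpg: Signature made (date elided in this constructed sample)
gpg:                using RSA key 22245C81E3BAEB4138B36061310F561200F4AD77
gpg: Good signature from "SecureDrop Release Signing Key"
EOF
}
```

Only run `git checkout 0.7.0` when `verify_release_tag 0.7.0 "2224 5C81 E3BA EB41 38B3 6061 310F 5612 00F4 AD77"` returns 0.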


#32

dear freddy,
we are using the 0.7.0 release. we did these steps and it still uses our old key. i meant that importing the key to our admin machine was not clear but we eventually did that too. now from the SVS to the site-specific fingerprint it is all a new key but still we cannot decrypt test submissions. the playbook just doesn’t seem to be swapping in our new public key as expected.

the SVS error when decrypting is:

"Couldn’t decrypt file: xxxxxxxxxxx.gpg

Decryption failed. You probably do not have the decryption key."

- hacker


#33

@hacker I think I understand.

First, I would confirm that on the app server the .asc file is properly updated. You can check by SSHing into the server (or dropping it into single user mode) and checking out the file in /var/lib/securedrop/. It should be the new file, but you can confirm that by doing a ls -lah *.asc to look at the file attributes. If that fails, please provide the output of ./securedrop-admin sdconfig and ./securedrop-admin install. You can run the file with the -v flag for verbosity.

Secondly, can you try decrypting the documents using the GPG CLI? You can run gpg --try-all-secrets. I think you did confirm the secret key is on the SVS correct?

Best,
Freddy Martinez


#34

@hacker

we renamed the first public key there SecureDrop.old and replaced it with the new SecureDrop.asc

I haven’t tested this workflow but did you just create a file SecureDrop.asc with the same name as the previous file? Have you tried making a file named NewSecureDrop.asc?

The reason I ask is because I don’t know how this is handled by the SecureDrop Ansible code. I did find this documentation:

Note 1: If the file is already present on the remote server and if the source file’s content is different, then on running the task, the destination file will be modified. You can control this by setting the force parameter. The default is set to ‘yes’. So it modifies the file by default. If you don’t want the file to be modified if the source file is different, then you can set it to ‘No’. The following task will only copy the file if the file does not exist on the remote server.

I suspect the SecureDrop team tries to not use the force flag but I do not know. It might be worth creating a file that is not named SecureDrop.asc and testing that it is transferred to the app server (into the /var/lib/securedrop/ directory).


#35

dear freddy,
we had the same result i’m afraid. we had a “fatal” error running the install which is attached below. we also were not able to access /var/lib/securedrop on the app server. we weren’t able to sudo or su to get around it.

- hacker

TASK [ossec-agent : Register OSSEC agent.] *************************************
fatal: [app]: FAILED! => {“changed”: true, “cmd”: ["/var/ossec/bin/agent-auth", “-m”, “10.20.3.2”, “-p”, “1515”, “-A”, “app”], “delta”: “0:02:07.232727”, “end”: “2018-06-01 02:36:50.206015”, “failed”: true, “rc”: 1, “start”: “2018-06-01 02:34:42.973288”, “stderr”: “2018/06/01 02:34:42 ossec-authd: INFO: Started (pid: 8774).\n2018/06/01 02:36:50 ossec-authd: Unable to connect to 10.20.3.2:1515”, “stderr_lines”: [“2018/06/01 02:34:42 ossec-authd: INFO: Started (pid: 8774).”, “2018/06/01 02:36:50 ossec-authd: Unable to connect to 10.20.3.2:1515”], “stdout”: “”, “stdout_lines”: []}
to retry, use: --limit @/home/amnesia/Persistent/securedrop/install_files/ansible-base/securedrop-prod.retry

PLAY RECAP *********************************************************************
app : ok=56 changed=3 unreachable=0 failed=1
localhost : ok=23 changed=0 unreachable=0 failed=0
mon : ok=74 changed=5 unreachable=0 failed=0

TASK: ossec-agent : Register OSSEC agent. ----------------------------- 130.08s
TASK: common : Set sysctl flags for net.ipv4 config. ------------------- 51.35s
TASK: common : Install tmux. ------------------------------------------- 43.46s
TASK: grsecurity : Install the grsecurity-patched kernel from the FPF repo. – 26.02s
TASK: common : Perform safe upgrade to ensure all the packages are updated. – 14.38s
TASK: common : Add security.list apt configuration. -------------------- 13.58s
TASK: tor-hidden-services : Copy torrc config file. -------------------- 12.50s
TASK: common : Configure DNS server IP. -------------------------------- 12.36s
TASK: common : Create cron job for running cron-apt updates nightly. — 12.36s
TASK: common : Add disabled kernels modules to modprobe.d blacklist. — 11.42s

Playbook finished: Fri Jun 1 06:36:49 2018, 107 total tasks. 0:10:03 elapsed.

Traceback (most recent call last):
File “./securedrop-admin”, line 329, in
args.func(args)
File “./securedrop-admin”, line 215, in install_securedrop
’–ask-become-pass’], cwd=ANSIBLE_PATH)
File “/usr/lib/python2.7/subprocess.py”, line 186, in check_call
raise CalledProcessError(retcode, cmd)
subprocess.CalledProcessError: Command ‘[’/home/amnesia/Persistent/securedrop/./install_files/ansible-base/securedrop-prod.yml’, ‘–ask-become-pass’]’ returned non-zero exit status 2


#36

@hacker So as you may know, Tor is flaky and sometimes will time out on SD runs (one time it took me about 3 hours of just trying to rerun the playbook to run because of Tor). Did you rerun the playbook? Can you attach the full output from the run? Maybe try redirecting the output to a file by using a pipe >? You may also need to set a longer history in the ~/.bashrc for the terminal.

There are two ways to debug the fingerprint being used: by dropping the app server into single user mode or checking the .onion/metadata route. Just add /metadata/ to your source interface URL and you will get more information.


#37

dear freddy,
we ran it all again. we got the same ossec registration error and can’t decrypt. i think we have to use single user mode because as stated our permission was denied when we checked /var/lib/securedrop over ssh. we did try the .onion/metadata route and it displayed the old key fingerprint. we are unsure of the exact syntax you thought it might take to force [-f] a new key during the playbook [sdconfig / install.] do you think transferring it in single user mode is the best action in this scenario then?
- hacker


#38

Hi hacker,

If you ssh to a server, you can use sudo su to elevate your privileges to access and inspect the contents of /var/lib/securedrop . I don’t suggest you modify these files by hand, you should use the installer to update your SecureDrop instance’s configuration.

The private key was not changed because the task to copy/update the submission key (and everything related to the configuration of the SecureDrop web application) occurs after the ossec setup/registration process. Because the ossec registration fails, the install stopped and the keys aren’t changed.

From the error you’ve pasted above, this might have something to do with the firewall rules. Can you double-check that your hardware firewall allows port 1515 from the application server to the monitor server, as per the documentation (and also ensuring that the ip of the app and monitor server are consistent with the site-specific file on the admin workstation)?
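
Post #38 explains that a fatal task stops the run on that host before the later configuration tasks, so a saved install log should be checked for completion before decryption is tested again. This is an added example, not part of the original posts or of SecureDrop; the function names are assumptions, and the sample log is abridged from the output pasted in post #35.

```bash
#!/bin/sh
# Added example (not from the thread). Reads a saved Ansible run, e.g. from
#   ./securedrop-admin install 2>&1 | tee install.log
# and reports which task stopped which host.

# ansible_failures LOG: print "host<TAB>task" for every fatal result.
ansible_failures() {
    awk '
        /^TASK \[/ {                       # remember the task being run
            task = $0
            sub(/^TASK \[/, "", task)
            sub(/\][ *]*$/, "", task)
        }
        /^fatal: \[/ {                     # "fatal: [app]: FAILED! => ..."
            host = $2
            sub(/^\[/, "", host)
            sub(/\]:.*$/, "", host)
            print host "\t" task
        }
    ' "$1"
}

# host_completed LOG HOST: succeed only if the last PLAY RECAP line for HOST
# shows failed=0 and unreachable=0. A host absent from the recap counts as
# not completed, since nothing proves its later tasks ran.
host_completed() {
    awk -v h="$2" '
        $1 == h && /ok=[0-9]/ {
            seen = 1
            bad = 0
            for (i = 2; i <= NF; i++) {
                n = split($i, kv, "=")
                if (n == 2 && (kv[1] == "failed" || kv[1] == "unreachable") && kv[2] + 0 > 0)
                    bad = 1
            }
        }
        END { exit ((seen && !bad) ? 0 : 1) }
    ' "$1"
}

# Sample input, abridged from the run in post #35 (JSON detail shortened).
sample_install_log() {
    cat <<'EOF'
TASK [ossec-agent : Register OSSEC agent.] *************************************
fatal: [app]: FAILED! => {"changed": true, "rc": 1, "stderr": "ossec-authd: Unable to connect to 10.20.3.2:1515"}

PLAY RECAP *********************************************************************
app : ok=56 changed=3 unreachable=0 failed=1
localhost : ok=23 changed=0 unreachable=0 failed=0
mon : ok=74 changed=5 unreachable=0 failed=0
EOF
}
```

On the sample, `ansible_failures` names the OSSEC registration task on `app`, and `host_completed install.log app` fails, which matches the old fingerprint still being served by the app server.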


#39

+1 to @mickael’s comment. A very common issue with the firewall ports is that people transport the 1515 and 1514 rules. I would review this link https://docs.securedrop.org/en/release-0.7/network_firewall.html#set-up-the-firewall-rules


#40

dear freddy et al.,

just for clarity what do you mean here?:

we checked the firewall for these ports and it looked normal. we noticed the order of our ossec rules there were in opposite order so we moved one below the other to match the screenshot [fwiw.]

the “Aliases/Ports” section is also correct. there was one notification at the top referring to a memory error of some sort and our logs had a bunch of Blocked attempts from other subnets but not much else.

lastly we checked the site-specific file and the ip addresses are correct there. we ran sdconfig again and the install script getting an ossec registration error once more as we posted earlier.
- hacker


#41

Hi @hacker

Sorry I meant transpose the rules. However, you are correct to move the rules, they are applied from the top to the bottom so you can see strange behavior if the screenshots do not match.

That being said, I don’t think the problem is actually on the firewall rules; if it ran one time it should work again. I think the full ansible output is needed here, I suspect the problem actually happens earlier and we are not seeing the full picture. Can you provide it?

- Freddy

#42

dear freddy et al.,

ok thanks. we have results of the ‘sdconfig’ pasted below. i’ll post the ‘install’ in a follow-up. we [hopefully] removed secret details as was suggested before.

-hacker

amnesia@amnesia:~/Persistent/securedrop$ ./securedrop-admin sdconfig
INFO: Configuring SecureDrop site-specific information
[WARNING]: provided hosts list is empty, only localhost is available

PLAY [Display message about upcoming interactive prompts.] *********************

TASK [debug] *******************************************************************
ok: [localhost] => {
“msg”: “You will need to fill out the following prompts in order to configure your SecureDrop instance. After entering all prompts, the variables will be validated and any failures displayed. See the docs for more information https://docs.securedrop.org/en/stable
}

PLAY [Prompt for required site-specific information.] **************************

TASK [debug] *******************************************************************
ok: [localhost] => {
“msg”: “Validating user-entered variables…”
}

TASK [Create group_vars/all/ directory.] ***************************************
ok: [localhost]

TASK [Initialize site-specific vars file.] *************************************
ok: [localhost]

TASK [Save site-specific information as local vars file.] **********************
ok: [localhost] => (item={u’var_value’: u’XXXXXX’, u’var_name’: u’ssh_users’})
ok: [localhost] => (item={u’var_value’: u’10.20.2.2’, u’var_name’: u’app_ip’})
ok: [localhost] => (item={u’var_value’: u’10.20.3.2’, u’var_name’: u’monitor_ip’})
ok: [localhost] => (item={u’var_value’: u’app’, u’var_name’: u’app_hostname’})
ok: [localhost] => (item={u’var_value’: u’mon’, u’var_name’: u’monitor_hostname’})
ok: [localhost] => (item={u’var_value’: u’8.8.8.8’, u’var_name’: u’dns_server’})
ok: [localhost] => (item={u’var_value’: u’/home/amnesia/Persistent/securedrop/install_files/ansible-base/XXXXXX_securedrop.png’, u’var_name’: u’securedrop_header_image’})
ok: [localhost] => (item={u’var_value’: u’NewAppKey.asc’, u’var_name’: u’securedrop_app_gpg_public_key’})
ok: [localhost] => (item={u’var_value’: u’XXXXXX’, u’var_name’: u’securedrop_app_gpg_fingerprint’})
ok: [localhost] => (item={u’var_value’: u’ossec.pub’, u’var_name’: u’ossec_alert_gpg_public_key’})
ok: [localhost] => (item={u’var_value’: u’XXXXXX’, u’var_name’: u’ossec_gpg_fpr’})
ok: [localhost] => (item={u’var_value’: u’ossec-alert@XXXXXX’, u’var_name’: u’ossec_alert_email’})
ok: [localhost] => (item={u’var_value’: u’XXXXXX’, u’var_name’: u’smtp_relay’})
ok: [localhost] => (item={u’var_value’: 25, u’var_name’: u’smtp_relay_port’})
ok: [localhost] => (item={u’var_value’: u’XXXXXX’, u’var_name’: u’sasl_domain’})
ok: [localhost] => (item={u’var_value’: u’ossec’, u’var_name’: u’sasl_username’})
ok: [localhost] => (item={u’var_value’: u’XXXXXX’, u’var_name’: u’sasl_password’})
ok: [localhost] => (item={u’var_value’: False, u’var_name’: u’securedrop_app_https_on_source_interface’})

PLAY [Validate site-specific information.] *************************************

TASK [Gathering Facts] *********************************************************
ok: [localhost]

TASK [Include site-specific vars.] *********************************************
ok: [localhost] => (item=/home/amnesia/Persistent/securedrop/install_files/ansible-base/group_vars/all/site-specific)

TASK [validate : Validate Admin username (specified in vars).] *****************
ok: [localhost] => (item=amnesia) => {
“changed”: false,
“item”: “amnesia”,
“msg”: “All assertions passed”
}
ok: [localhost] => (item=root) => {
“changed”: false,
“item”: “root”,
“msg”: “All assertions passed”
}

TASK [validate : include] ******************************************************
included: /home/amnesia/Persistent/securedrop/install_files/ansible-base/roles/validate/tasks/validate_gpg_info.yml for localhost
included: /home/amnesia/Persistent/securedrop/install_files/ansible-base/roles/validate/tasks/validate_gpg_info.yml for localhost

TASK [validate : Validate GPG fingerprints.] ***********************************
ok: [localhost] => {
“changed”: false,
“msg”: “All assertions passed”
}

TASK [validate : Confirm GPG public key files exist locally.] ******************
ok: [localhost] => {
“changed”: false,
“msg”: “All assertions passed”
}

TASK [validate : Confirm public key file and fingerprint match.] ***************
ok: [localhost]

TASK [validate : Validate GPG fingerprints.] ***********************************
ok: [localhost] => {
“changed”: false,
“msg”: “All assertions passed”
}

TASK [validate : Confirm GPG public key files exist locally.] ******************
ok: [localhost] => {
“changed”: false,
“msg”: “All assertions passed”
}

TASK [validate : Confirm public key file and fingerprint match.] ***************
ok: [localhost]

TASK [validate : Validate OSSEC Admin email address.] **************************
ok: [localhost] => {
“changed”: false,
“msg”: “All assertions passed”
}

TASK [validate : Validate SASL username for OSSEC config.] *********************
ok: [localhost] => {
“changed”: false,
“msg”: “All assertions passed”
}

TASK [validate : Validate SASL password for OSSEC config.] *********************
ok: [localhost] => {
“changed”: false,
“msg”: “All assertions passed”
}

TASK [validate : Ensure mail config vars are defined.] *************************
ok: [localhost] => {
“changed”: false,
“msg”: “All assertions passed”
}

TASK [validate : Determine query strategy for mail config checks.] *************
ok: [localhost]

TASK [validate : Perform SMTP lookup check.] ***********************************
ok: [localhost]

TASK [validate : Validate SMTP relay connection.] ******************************
ok: [localhost] => {
“changed”: false,
“msg”: “All assertions passed”
}

TASK [validate : Perform SASL lookup check.] ***********************************
ok: [localhost]

TASK [validate : Validate SASL domain.] ****************************************
ok: [localhost] => {
“changed”: false,
“msg”: “All assertions passed”
}

TASK [validate : Confirm host OS is Tails.] ************************************
ok: [localhost] => {
“changed”: false,
“msg”: “All assertions passed”
}

TASK [validate : Check for persistence volume.] ********************************
ok: [localhost] => (item=/live/persistence/TailsData_unlocked/persistence.conf)
ok: [localhost] => (item=/live/persistence/TailsData_unlocked/openssh-client)
ok: [localhost] => (item=/home/amnesia/Persistent/securedrop)

TASK [validate : Confirm persistence volume is configured.] ********************
ok: [localhost] => (item={’_ansible_parsed’: True, u’stat’: {u’isuid’: False, u’uid’: 115, u’exists’: True, u’attr_flags’: u’’, u’woth’: False, u’isreg’: True, u’device_type’: 0, u’mtime’: 1521260530.5721693, u’block_size’: 4096, u’inode’: 13, u’isgid’: False, u’size’: 560, u’executable’: False, u’charset’: u’unknown’, u’readable’: False, u’version’: None, u’pw_name’: u’tails-persistence-setup’, u’gid’: 122, u’ischr’: False, u’wusr’: True, u’writeable’: False, u’mimetype’: u’unknown’, u’blocks’: 8, u’xoth’: False, u’islnk’: False, u’nlink’: 1, u’issock’: False, u’rgrp’: False, u’gr_name’: u’tails-persistence-setup’, u’path’: u’/live/persistence/TailsData_unlocked/persistence.conf’, u’xusr’: False, u’atime’: 1521260530.5721693, u’isdir’: False, u’ctime’: 1521260530.5721693, u’isblk’: False, u’wgrp’: False, u’xgrp’: False, u’dev’: 65024, u’roth’: False, u’isfifo’: False, u’mode’: u’0600’, u’rusr’: True, u’attributes’: []}, ‘_ansible_item_result’: True, ‘_ansible_no_log’: False, u’changed’: False, ‘item’: u’/live/persistence/TailsData_unlocked/persistence.conf’, u’invocation’: {u’module_args’: {u’checksum_algorithm’: u’sha1’, u’get_checksum’: True, u’follow’: False, u’path’: u’/live/persistence/TailsData_unlocked/persistence.conf’, u’get_md5’: True, u’get_mime’: True, u’get_attributes’: True}}}) => {
“changed”: false,
“item”: {
“changed”: false,
“invocation”: {
“module_args”: {
“checksum_algorithm”: “sha1”,
“follow”: false,
“get_attributes”: true,
“get_checksum”: true,
“get_md5”: true,
“get_mime”: true,
“path”: “/live/persistence/TailsData_unlocked/persistence.conf”
}
},
“item”: “/live/persistence/TailsData_unlocked/persistence.conf”,
“stat”: {
“atime”: 1521260530.5721693,
“attr_flags”: “”,
“attributes”: [],
“block_size”: 4096,
“blocks”: 8,
“charset”: “unknown”,
“ctime”: 1521260530.5721693,
“dev”: 65024,
“device_type”: 0,
“executable”: false,
“exists”: true,
“gid”: 122,
“gr_name”: “tails-persistence-setup”,
“inode”: 13,
“isblk”: false,
“ischr”: false,
“isdir”: false,
“isfifo”: false,
“isgid”: false,
“islnk”: false,
“isreg”: true,
“issock”: false,
“isuid”: false,
“mimetype”: “unknown”,
“mode”: “0600”,
“mtime”: 1521260530.5721693,
“nlink”: 1,
“path”: “/live/persistence/TailsData_unlocked/persistence.conf”,
“pw_name”: “tails-persistence-setup”,
“readable”: false,
“rgrp”: false,
“roth”: false,
“rusr”: true,
“size”: 560,
“uid”: 115,
“version”: null,
“wgrp”: false,
“woth”: false,
“writeable”: false,
“wusr”: true,
“xgrp”: false,
“xoth”: false,
“xusr”: false
}
},
“msg”: “All assertions passed”
}
ok: [localhost] => (item={’_ansible_parsed’: True, u’stat’: {u’isuid’: False, u’uid’: 115, u’exists’: True, u’attr_flags’: u’’, u’woth’: False, u’isreg’: True, u’device_type’: 0, u’mtime’: 1521260530.5721693, u’block_size’: 4096, u’inode’: 13, u’isgid’: False, u’size’: 560, u’executable’: False, u’charset’: u’unknown’, u’readable’: False, u’version’: None, u’pw_name’: u’tails-persistence-setup’, u’gid’: 122, u’ischr’: False, u’wusr’: True, u’writeable’: False, u’mimetype’: u’unknown’, u’blocks’: 8, u’xoth’: False, u’islnk’: False, u’nlink’: 1, u’issock’: False, u’rgrp’: False, u’gr_name’: u’tails-persistence-setup’, u’path’: u’/live/persistence/TailsData_unlocked/persistence.conf’, u’xusr’: False, u’atime’: 1521260530.5721693, u’isdir’: False, u’ctime’: 1521260530.5721693, u’isblk’: False, u’wgrp’: False, u’xgrp’: False, u’dev’: 65024, u’roth’: False, u’isfifo’: False, u’mode’: u’0600’, u’rusr’: True, u’attributes’: []}, ‘_ansible_item_result’: True, ‘_ansible_no_log’: False, u’changed’: False, ‘item’: u’/live/persistence/TailsData_unlocked/openssh-client’, u’invocation’: {u’module_args’: {u’checksum_algorithm’: u’sha1’, u’get_checksum’: True, u’follow’: False, u’path’: u’/live/persistence/TailsData_unlocked/persistence.conf’, u’get_md5’: True, u’get_mime’: True, u’get_attributes’: True}}}) => {
“changed”: false,
“item”: {
“changed”: false,
“invocation”: {
“module_args”: {
“checksum_algorithm”: “sha1”,
“follow”: false,
“get_attributes”: true,
“get_checksum”: true,
“get_md5”: true,
“get_mime”: true,
“path”: “/live/persistence/TailsData_unlocked/persistence.conf”
}
},
“item”: “/live/persistence/TailsData_unlocked/openssh-client”,
“stat”: {
“atime”: 1521260530.5721693,
“attr_flags”: “”,
“attributes”: [],
“block_size”: 4096,
“blocks”: 8,
“charset”: “unknown”,
“ctime”: 1521260530.5721693,
“dev”: 65024,
“device_type”: 0,
“executable”: false,
“exists”: true,
“gid”: 122,
“gr_name”: “tails-persistence-setup”,
“inode”: 13,
“isblk”: false,
“ischr”: false,
“isdir”: false,
“isfifo”: false,
“isgid”: false,
“islnk”: false,
“isreg”: true,
“issock”: false,
“isuid”: false,
“mimetype”: “unknown”,
“mode”: “0600”,
“mtime”: 1521260530.5721693,
“nlink”: 1,
“path”: “/live/persistence/TailsData_unlocked/persistence.conf”,
“pw_name”: “tails-persistence-setup”,
“readable”: false,
“rgrp”: false,
“roth”: false,
“rusr”: true,
“size”: 560,
“uid”: 115,
“version”: null,
“wgrp”: false,
“woth”: false,
“writeable”: false,
“wusr”: true,
“xgrp”: false,
“xoth”: false,
“xusr”: false
}
},
“msg”: “All assertions passed”
}
ok: [localhost] => (item={’_ansible_parsed’: True, u’stat’: {u’isuid’: False, u’uid’: 115, u’exists’: True, u’attr_flags’: u’’, u’woth’: False, u’isreg’: True, u’device_type’: 0, u’mtime’: 1521260530.5721693, u’block_size’: 4096, u’inode’: 13, u’isgid’: False, u’size’: 560, u’executable’: False, u’charset’: u’unknown’, u’readable’: False, u’version’: None, u’pw_name’: u’tails-persistence-setup’, u’gid’: 122, u’ischr’: False, u’wusr’: True, u’writeable’: False, u’mimetype’: u’unknown’, u’blocks’: 8, u’xoth’: False, u’islnk’: False, u’nlink’: 1, u’issock’: False, u’rgrp’: False, u’gr_name’: u’tails-persistence-setup’, u’path’: u’/live/persistence/TailsData_unlocked/persistence.conf’, u’xusr’: False, u’atime’: 1521260530.5721693, u’isdir’: False, u’ctime’: 1521260530.5721693, u’isblk’: False, u’wgrp’: False, u’xgrp’: False, u’dev’: 65024, u’roth’: False, u’isfifo’: False, u’mode’: u’0600’, u’rusr’: True, u’attributes’: []}, ‘_ansible_item_result’: True, ‘_ansible_no_log’: False, u’changed’: False, ‘item’: u’/home/amnesia/Persistent/securedrop’, u’invocation’: {u’module_args’: {u’checksum_algorithm’: u’sha1’, u’get_checksum’: True, u’follow’: False, u’path’: u’/live/persistence/TailsData_unlocked/persistence.conf’, u’get_md5’: True, u’get_mime’: True, u’get_attributes’: True}}}) => {
“changed”: false,
“item”: {
“changed”: false,
“invocation”: {
“module_args”: {
“checksum_algorithm”: “sha1”,
“follow”: false,
“get_attributes”: true,
“get_checksum”: true,
“get_md5”: true,
“get_mime”: true,
“path”: “/live/persistence/TailsData_unlocked/persistence.conf”
}
},
“item”: “/home/amnesia/Persistent/securedrop”,
“stat”: {
“atime”: 1521260530.5721693,
“attr_flags”: “”,
“attributes”: [],
“block_size”: 4096,
“blocks”: 8,
“charset”: “unknown”,
“ctime”: 1521260530.5721693,
“dev”: 65024,
“device_type”: 0,
“executable”: false,
“exists”: true,
“gid”: 122,
“gr_name”: “tails-persistence-setup”,
“inode”: 13,
“isblk”: false,
“ischr”: false,
“isdir”: false,
“isfifo”: false,
“isgid”: false,
“islnk”: false,
“isreg”: true,
“issock”: false,
“isuid”: false,
“mimetype”: “unknown”,
“mode”: “0600”,
“mtime”: 1521260530.5721693,
“nlink”: 1,
“path”: “/live/persistence/TailsData_unlocked/persistence.conf”,
“pw_name”: “tails-persistence-setup”,
“readable”: false,
“rgrp”: false,
“roth”: false,
“rusr”: true,
“size”: 560,
“uid”: 115,
“version”: null,
“wgrp”: false,
“woth”: false,
“writeable”: false,
“wusr”: true,
“xgrp”: false,
“xoth”: false,
“xusr”: false
}
},
“msg”: “All assertions passed”
}

PLAY RECAP *********************************************************************
localhost : ok=28 changed=0 unreachable=0 failed=0

TASK: Save site-specific information as local vars file. ---------------- 2.92s
TASK: validate : Confirm public key file and fingerprint match. --------- 1.09s
TASK: validate : Confirm public key file and fingerprint match. --------- 1.08s
TASK: validate : Perform SMTP lookup check. ----------------------------- 1.00s
TASK: Gathering Facts --------------------------------------------------- 0.91s
TASK: validate : Perform SASL lookup check. ----------------------------- 0.55s
TASK: validate : Check for persistence volume. -------------------------- 0.49s
TASK: Initialize site-specific vars file. ------------------------------- 0.35s
TASK: Create group_vars/all/ directory. --------------------------------- 0.27s
TASK: validate : include ------------------------------------------------ 0.09s

Playbook finished: Fri Jun 15 07:36:11 2018, 27 total tasks. 0:00:09 elapsed.