Securedrop install - ossec public key to manager error [was Server "prereq...?"]


#43

dear freddy,

here is the install run:

amnesia@amnesia:~/Persistent/securedrop$ ./securedrop-admin install
INFO: Now installing SecureDrop on remote servers.
INFO: You will be prompted for the sudo password on the servers.
INFO: The sudo password is only necessary during initial installation.
SUDO password:
[DEPRECATION WARNING]: Instead of sudo/sudo_user, use become/become_user and
make sure become_method is ‘sudo’ (default).
This feature will be removed in a
future release. Deprecation warnings can be disabled by setting
deprecation_warnings=False in ansible.cfg.

PLAY [Migrate site-specific information in vars files.] ************************

TASK [Gathering Facts] *********************************************************
ok: [localhost]

TASK [Copy deprecated prod-specific.yml vars file.] ****************************
ok: [localhost]

TASK [validate : Validate Admin username (specified in vars).] *****************
ok: [localhost] => (item=amnesia) => {
“changed”: false,
“item”: “amnesia”,
“msg”: “All assertions passed”
}
ok: [localhost] => (item=root) => {
“changed”: false,
“item”: “root”,
“msg”: “All assertions passed”
}

TASK [validate : include] ******************************************************
included: /home/amnesia/Persistent/securedrop/install_files/ansible-base/roles/validate/tasks/validate_gpg_info.yml for localhost
included: /home/amnesia/Persistent/securedrop/install_files/ansible-base/roles/validate/tasks/validate_gpg_info.yml for localhost

TASK [validate : Validate GPG fingerprints.] ***********************************
ok: [localhost] => {
“changed”: false,
“msg”: “All assertions passed”
}

TASK [validate : Confirm GPG public key files exist locally.] ******************
ok: [localhost] => {
“changed”: false,
“msg”: “All assertions passed”
}

TASK [validate : Confirm public key file and fingerprint match.] ***************
ok: [localhost]

TASK [validate : Validate GPG fingerprints.] ***********************************
ok: [localhost] => {
“changed”: false,
“msg”: “All assertions passed”
}

TASK [validate : Confirm GPG public key files exist locally.] ******************
ok: [localhost] => {
“changed”: false,
“msg”: “All assertions passed”
}

TASK [validate : Confirm public key file and fingerprint match.] ***************
ok: [localhost]

TASK [validate : Validate OSSEC Admin email address.] **************************
ok: [localhost] => {
“changed”: false,
“msg”: “All assertions passed”
}

TASK [validate : Validate SASL username for OSSEC config.] *********************
ok: [localhost] => {
“changed”: false,
“msg”: “All assertions passed”
}

TASK [validate : Validate SASL password for OSSEC config.] *********************
ok: [localhost] => {
“changed”: false,
“msg”: “All assertions passed”
}

TASK [validate : Ensure mail config vars are defined.] *************************
ok: [localhost] => {
“changed”: false,
“msg”: “All assertions passed”
}

TASK [validate : Determine query strategy for mail config checks.] *************
ok: [localhost]

TASK [validate : Perform SMTP lookup check.] ***********************************
ok: [localhost]

TASK [validate : Validate SMTP relay connection.] ******************************
ok: [localhost] => {
“changed”: false,
“msg”: “All assertions passed”
}

TASK [validate : Perform SASL lookup check.] ***********************************
ok: [localhost]

TASK [validate : Validate SASL domain.] ****************************************
ok: [localhost] => {
“changed”: false,
“msg”: “All assertions passed”
}

TASK [validate : Confirm host OS is Tails.] ************************************
ok: [localhost] => {
“changed”: false,
“msg”: “All assertions passed”
}

TASK [validate : Check for persistence volume.] ********************************
ok: [localhost] => (item=/live/persistence/TailsData_unlocked/persistence.conf)
ok: [localhost] => (item=/live/persistence/TailsData_unlocked/openssh-client)
ok: [localhost] => (item=/home/amnesia/Persistent/securedrop)

TASK [validate : Confirm persistence volume is configured.] ********************
ok: [localhost] => (item={’_ansible_parsed’: True, u’stat’: {u’isuid’: False, u’uid’: 115, u’exists’: True, u’attr_flags’: u’’, u’woth’: False, u’isreg’: True, u’device_type’: 0, u’mtime’: 1521260530.5721693, u’block_size’: 4096, u’inode’: 13, u’isgid’: False, u’size’: 560, u’executable’: False, u’charset’: u’unknown’, u’readable’: False, u’version’: None, u’pw_name’: u’tails-persistence-setup’, u’gid’: 122, u’ischr’: False, u’wusr’: True, u’writeable’: False, u’mimetype’: u’unknown’, u’blocks’: 8, u’xoth’: False, u’islnk’: False, u’nlink’: 1, u’issock’: False, u’rgrp’: False, u’gr_name’: u’tails-persistence-setup’, u’path’: u’/live/persistence/TailsData_unlocked/persistence.conf’, u’xusr’: False, u’atime’: 1521260530.5721693, u’isdir’: False, u’ctime’: 1521260530.5721693, u’isblk’: False, u’wgrp’: False, u’xgrp’: False, u’dev’: 65024, u’roth’: False, u’isfifo’: False, u’mode’: u’0600’, u’rusr’: True, u’attributes’: []}, ‘_ansible_item_result’: True, ‘_ansible_no_log’: False, u’changed’: False, ‘item’: u’/live/persistence/TailsData_unlocked/persistence.conf’, u’invocation’: {u’module_args’: {u’checksum_algorithm’: u’sha1’, u’get_checksum’: True, u’follow’: False, u’path’: u’/live/persistence/TailsData_unlocked/persistence.conf’, u’get_md5’: True, u’get_mime’: True, u’get_attributes’: True}}}) => {
“changed”: false,
“item”: {
“changed”: false,
“invocation”: {
“module_args”: {
“checksum_algorithm”: “sha1”,
“follow”: false,
“get_attributes”: true,
“get_checksum”: true,
“get_md5”: true,
“get_mime”: true,
“path”: “/live/persistence/TailsData_unlocked/persistence.conf”
}
},
“item”: “/live/persistence/TailsData_unlocked/persistence.conf”,
“stat”: {
“atime”: 1521260530.5721693,
“attr_flags”: “”,
“attributes”: [],
“block_size”: 4096,
“blocks”: 8,
“charset”: “unknown”,
“ctime”: 1521260530.5721693,
“dev”: 65024,
“device_type”: 0,
“executable”: false,
“exists”: true,
“gid”: 122,
“gr_name”: “tails-persistence-setup”,
“inode”: 13,
“isblk”: false,
“ischr”: false,
“isdir”: false,
“isfifo”: false,
“isgid”: false,
“islnk”: false,
“isreg”: true,
“issock”: false,
“isuid”: false,
“mimetype”: “unknown”,
“mode”: “0600”,
“mtime”: 1521260530.5721693,
“nlink”: 1,
“path”: “/live/persistence/TailsData_unlocked/persistence.conf”,
“pw_name”: “tails-persistence-setup”,
“readable”: false,
“rgrp”: false,
“roth”: false,
“rusr”: true,
“size”: 560,
“uid”: 115,
“version”: null,
“wgrp”: false,
“woth”: false,
“writeable”: false,
“wusr”: true,
“xgrp”: false,
“xoth”: false,
“xusr”: false
}
},
“msg”: “All assertions passed”
}
ok: [localhost] => (item={’_ansible_parsed’: True, u’stat’: {u’isuid’: False, u’uid’: 115, u’exists’: True, u’attr_flags’: u’’, u’woth’: False, u’isreg’: True, u’device_type’: 0, u’mtime’: 1521260530.5721693, u’block_size’: 4096, u’inode’: 13, u’isgid’: False, u’size’: 560, u’executable’: False, u’charset’: u’unknown’, u’readable’: False, u’version’: None, u’pw_name’: u’tails-persistence-setup’, u’gid’: 122, u’ischr’: False, u’wusr’: True, u’writeable’: False, u’mimetype’: u’unknown’, u’blocks’: 8, u’xoth’: False, u’islnk’: False, u’nlink’: 1, u’issock’: False, u’rgrp’: False, u’gr_name’: u’tails-persistence-setup’, u’path’: u’/live/persistence/TailsData_unlocked/persistence.conf’, u’xusr’: False, u’atime’: 1521260530.5721693, u’isdir’: False, u’ctime’: 1521260530.5721693, u’isblk’: False, u’wgrp’: False, u’xgrp’: False, u’dev’: 65024, u’roth’: False, u’isfifo’: False, u’mode’: u’0600’, u’rusr’: True, u’attributes’: []}, ‘_ansible_item_result’: True, ‘_ansible_no_log’: False, u’changed’: False, ‘item’: u’/live/persistence/TailsData_unlocked/openssh-client’, u’invocation’: {u’module_args’: {u’checksum_algorithm’: u’sha1’, u’get_checksum’: True, u’follow’: False, u’path’: u’/live/persistence/TailsData_unlocked/persistence.conf’, u’get_md5’: True, u’get_mime’: True, u’get_attributes’: True}}}) => {
“changed”: false,
“item”: {
“changed”: false,
“invocation”: {
“module_args”: {
“checksum_algorithm”: “sha1”,
“follow”: false,
“get_attributes”: true,
“get_checksum”: true,
“get_md5”: true,
“get_mime”: true,
“path”: “/live/persistence/TailsData_unlocked/persistence.conf”
}
},
“item”: “/live/persistence/TailsData_unlocked/openssh-client”,
“stat”: {
“atime”: 1521260530.5721693,
“attr_flags”: “”,
“attributes”: [],
“block_size”: 4096,
“blocks”: 8,
“charset”: “unknown”,
“ctime”: 1521260530.5721693,
“dev”: 65024,
“device_type”: 0,
“executable”: false,
“exists”: true,
“gid”: 122,
“gr_name”: “tails-persistence-setup”,
“inode”: 13,
“isblk”: false,
“ischr”: false,
“isdir”: false,
“isfifo”: false,
“isgid”: false,
“islnk”: false,
“isreg”: true,
“issock”: false,
“isuid”: false,
“mimetype”: “unknown”,
“mode”: “0600”,
“mtime”: 1521260530.5721693,
“nlink”: 1,
“path”: “/live/persistence/TailsData_unlocked/persistence.conf”,
“pw_name”: “tails-persistence-setup”,
“readable”: false,
“rgrp”: false,
“roth”: false,
“rusr”: true,
“size”: 560,
“uid”: 115,
“version”: null,
“wgrp”: false,
“woth”: false,
“writeable”: false,
“wusr”: true,
“xgrp”: false,
“xoth”: false,
“xusr”: false
}
},
“msg”: “All assertions passed”
}
ok: [localhost] => (item={’_ansible_parsed’: True, u’stat’: {u’isuid’: False, u’uid’: 115, u’exists’: True, u’attr_flags’: u’’, u’woth’: False, u’isreg’: True, u’device_type’: 0, u’mtime’: 1521260530.5721693, u’block_size’: 4096, u’inode’: 13, u’isgid’: False, u’size’: 560, u’executable’: False, u’charset’: u’unknown’, u’readable’: False, u’version’: None, u’pw_name’: u’tails-persistence-setup’, u’gid’: 122, u’ischr’: False, u’wusr’: True, u’writeable’: False, u’mimetype’: u’unknown’, u’blocks’: 8, u’xoth’: False, u’islnk’: False, u’nlink’: 1, u’issock’: False, u’rgrp’: False, u’gr_name’: u’tails-persistence-setup’, u’path’: u’/live/persistence/TailsData_unlocked/persistence.conf’, u’xusr’: False, u’atime’: 1521260530.5721693, u’isdir’: False, u’ctime’: 1521260530.5721693, u’isblk’: False, u’wgrp’: False, u’xgrp’: False, u’dev’: 65024, u’roth’: False, u’isfifo’: False, u’mode’: u’0600’, u’rusr’: True, u’attributes’: []}, ‘_ansible_item_result’: True, ‘_ansible_no_log’: False, u’changed’: False, ‘item’: u’/home/amnesia/Persistent/securedrop’, u’invocation’: {u’module_args’: {u’checksum_algorithm’: u’sha1’, u’get_checksum’: True, u’follow’: False, u’path’: u’/live/persistence/TailsData_unlocked/persistence.conf’, u’get_md5’: True, u’get_mime’: True, u’get_attributes’: True}}}) => {
“changed”: false,
“item”: {
“changed”: false,
“invocation”: {
“module_args”: {
“checksum_algorithm”: “sha1”,
“follow”: false,
“get_attributes”: true,
“get_checksum”: true,
“get_md5”: true,
“get_mime”: true,
“path”: “/live/persistence/TailsData_unlocked/persistence.conf”
}
},
“item”: “/home/amnesia/Persistent/securedrop”,
“stat”: {
“atime”: 1521260530.5721693,
“attr_flags”: “”,
“attributes”: [],
“block_size”: 4096,
“blocks”: 8,
“charset”: “unknown”,
“ctime”: 1521260530.5721693,
“dev”: 65024,
“device_type”: 0,
“executable”: false,
“exists”: true,
“gid”: 122,
“gr_name”: “tails-persistence-setup”,
“inode”: 13,
“isblk”: false,
“ischr”: false,
“isdir”: false,
“isfifo”: false,
“isgid”: false,
“islnk”: false,
“isreg”: true,
“issock”: false,
“isuid”: false,
“mimetype”: “unknown”,
“mode”: “0600”,
“mtime”: 1521260530.5721693,
“nlink”: 1,
“path”: “/live/persistence/TailsData_unlocked/persistence.conf”,
“pw_name”: “tails-persistence-setup”,
“readable”: false,
“rgrp”: false,
“roth”: false,
“rusr”: true,
“size”: 560,
“uid”: 115,
“version”: null,
“wgrp”: false,
“woth”: false,
“writeable”: false,
“wusr”: true,
“xgrp”: false,
“xoth”: false,
“xusr”: false
}
},
“msg”: “All assertions passed”
}

PLAY [Add FPF apt repository and install base packages.] ***********************

TASK [Gathering Facts] *********************************************************
ok: [app]
ok: [mon]

TASK [common : Copy sudoers file.] *********************************************
ok: [mon]
ok: [app]

TASK [common : Create shell accounts for SecureDrop admins.] *******************
ok: [mon] => (item=XXXXXX)
ok: [app] => (item=XXXXXX)

TASK [common : Set SecureDrop bash profile additions.] *************************
ok: [mon]
ok: [app]

TASK [common : Clean up local bashrc config for admin accounts.] ***************
ok: [mon] => (item=XXXXXX)
ok: [app] => (item=XXXXXX)

TASK [common : Read /etc/hosts file to filter duplicate entries.] **************
ok: [mon]
ok: [app]

TASK [common : Remove duplicate entries from /etc/hosts.] **********************
ok: [mon]
ok: [app]

TASK [common : Add local IPv4 addresses for SecureDrop servers to /etc/hosts.] ***
ok: [mon] => (item={u’ip’: u’10.20.2.2’, u’hostname’: u’app’})
ok: [app] => (item={u’ip’: u’10.20.3.2’, u’hostname’: u’mon securedrop-monitor-server-alias’})

TASK [common : Configure DNS server IP.] ***************************************
ok: [mon]
ok: [app]

TASK [common : Install tmux.] **************************************************
ok: [mon]
ok: [app]

TASK [common : Install ntp for ntpd.] ******************************************
ok: [mon]
ok: [app]

TASK [common : Install cron-apt for unattended security upgrades.] *************
ok: [mon]
ok: [app]

TASK [common : Copy cron-apt config file.] *************************************
ok: [mon]
ok: [app]

TASK [common : Add security.list apt configuration.] ***************************
ok: [mon]
ok: [app]

TASK [common : Configure cron-apt to update the security.list repos.] **********
ok: [mon]
ok: [app]

TASK [common : Configure cron-apt to upgrade the packages in the security.list repos.] ***
ok: [mon]
ok: [app]

TASK [common : Remove default cron-apt config file for downloading all updates.] ***
ok: [mon]
ok: [app]

TASK [common : Create cron job for running cron-apt updates nightly.] **********
ok: [mon]
ok: [app]

TASK [common : Update apt cache.] **********************************************
ok: [mon]
ok: [app]

TASK [common : Check whether tor will be upgraded.] ****************************
ok: [mon]
ok: [app]

TASK [common : Hold tor package to prevent upgrade breaking SSH connection.] ***

TASK [common : Perform safe upgrade to ensure all the packages are updated.] ***
changed: [mon]
changed: [app]

TASK [common : Remove hold on tor package, to permit automatic upgrades.] ******
ok: [mon]
ok: [app]

TASK [common : Check if reboot is required due to security updates.] ***********
ok: [mon]
ok: [app]

TASK [common : Set sysctl flags for net.ipv4 config.] **************************
ok: [mon] => (item={u’name’: u’net.ipv4.tcp_max_syn_backlog’, u’value’: u’4096’})
ok: [app] => (item={u’name’: u’net.ipv4.tcp_max_syn_backlog’, u’value’: u’4096’})
ok: [mon] => (item={u’name’: u’net.ipv4.tcp_syncookies’, u’value’: u’1’})
ok: [app] => (item={u’name’: u’net.ipv4.tcp_syncookies’, u’value’: u’1’})
ok: [mon] => (item={u’name’: u’net.ipv4.conf.all.rp_filter’, u’value’: u’1’})
ok: [app] => (item={u’name’: u’net.ipv4.conf.all.rp_filter’, u’value’: u’1’})
ok: [mon] => (item={u’name’: u’net.ipv4.conf.all.accept_source_route’, u’value’: u’0’})
ok: [app] => (item={u’name’: u’net.ipv4.conf.all.accept_source_route’, u’value’: u’0’})
ok: [mon] => (item={u’name’: u’net.ipv4.conf.all.accept_redirects’, u’value’: u’0’})
ok: [mon] => (item={u’name’: u’net.ipv4.conf.all.secure_redirects’, u’value’: u’0’})
ok: [app] => (item={u’name’: u’net.ipv4.conf.all.accept_redirects’, u’value’: u’0’})
ok: [mon] => (item={u’name’: u’net.ipv4.conf.default.rp_filter’, u’value’: u’1’})
ok: [app] => (item={u’name’: u’net.ipv4.conf.all.secure_redirects’, u’value’: u’0’})
ok: [mon] => (item={u’name’: u’net.ipv4.conf.default.accept_source_route’, u’value’: u’0’})
ok: [mon] => (item={u’name’: u’net.ipv4.conf.default.accept_redirects’, u’value’: u’0’})
ok: [app] => (item={u’name’: u’net.ipv4.conf.default.rp_filter’, u’value’: u’1’})
ok: [mon] => (item={u’name’: u’net.ipv4.conf.default.secure_redirects’, u’value’: u’0’})
ok: [mon] => (item={u’name’: u’net.ipv4.icmp_echo_ignore_broadcasts’, u’value’: u’1’})
ok: [app] => (item={u’name’: u’net.ipv4.conf.default.accept_source_route’, u’value’: u’0’})
ok: [mon] => (item={u’name’: u’net.ipv4.ip_forward’, u’value’: u’0’})
ok: [app] => (item={u’name’: u’net.ipv4.conf.default.accept_redirects’, u’value’: u’0’})
ok: [mon] => (item={u’name’: u’net.ipv4.conf.all.send_redirects’, u’value’: u’0’})
ok: [app] => (item={u’name’: u’net.ipv4.conf.default.secure_redirects’, u’value’: u’0’})
ok: [mon] => (item={u’name’: u’net.ipv4.conf.default.send_redirects’, u’value’: u’0’})
ok: [mon] => (item={u’name’: u’net.ipv6.conf.all.disable_ipv6’, u’value’: u’1’})
ok: [app] => (item={u’name’: u’net.ipv4.icmp_echo_ignore_broadcasts’, u’value’: u’1’})
ok: [mon] => (item={u’name’: u’net.ipv6.conf.default.disable_ipv6’, u’value’: u’1’})
ok: [app] => (item={u’name’: u’net.ipv4.ip_forward’, u’value’: u’0’})
ok: [mon] => (item={u’name’: u’net.ipv6.conf.lo.disable_ipv6’, u’value’: u’1’})
ok: [app] => (item={u’name’: u’net.ipv4.conf.all.send_redirects’, u’value’: u’0’})
ok: [app] => (item={u’name’: u’net.ipv4.conf.default.send_redirects’, u’value’: u’0’})
ok: [app] => (item={u’name’: u’net.ipv6.conf.all.disable_ipv6’, u’value’: u’1’})
ok: [app] => (item={u’name’: u’net.ipv6.conf.default.disable_ipv6’, u’value’: u’1’})
ok: [app] => (item={u’name’: u’net.ipv6.conf.lo.disable_ipv6’, u’value’: u’1’})

TASK [common : Check current swap status.] *************************************
ok: [mon]
ok: [app]

TASK [common : Disable swap space.] ********************************************
ok: [mon]
ok: [app]

TASK [common : Remove blacklisted kernel modules.] *****************************
ok: [mon] => (item=btusb)
ok: [app] => (item=btusb)
ok: [mon] => (item=bluetooth)
ok: [app] => (item=bluetooth)
ok: [mon] => (item=iwlmvm)
ok: [app] => (item=iwlmvm)
ok: [mon] => (item=iwlwifi)
ok: [app] => (item=iwlwifi)

TASK [common : Add disabled kernels modules to modprobe.d blacklist.] **********
ok: [mon] => (item=btusb)
ok: [app] => (item=btusb)
ok: [mon] => (item=bluetooth)
ok: [app] => (item=bluetooth)
ok: [mon] => (item=iwlmvm)
ok: [mon] => (item=iwlwifi)
ok: [app] => (item=iwlmvm)
ok: [app] => (item=iwlwifi)

TASK [tor-hidden-services : Install Tor project GPG signing key.] **************
ok: [mon]
ok: [app]

TASK [tor-hidden-services : Setup Tor apt repo.] *******************************
ok: [mon]
ok: [app]

TASK [tor-hidden-services : Update apt cache.] *********************************

TASK [tor-hidden-services : Install Tor and Tor keyring packages.] *************
ok: [mon] => (item=[u’deb.torproject.org-keyring’, u’tor’])
ok: [app] => (item=[u’deb.torproject.org-keyring’, u’tor’])

TASK [tor-hidden-services : Create parent directory for Tor hidden services.] ***
ok: [mon]
ok: [app]

TASK [tor-hidden-services : Create directories for Tor hidden services.] *******
ok: [mon] => (item={u’service’: u’ssh’, u’filename’: u’mon-ssh-aths’})
ok: [app] => (item={u’service’: u’ssh’, u’filename’: u’app-ssh-aths’})
ok: [app] => (item={u’service’: u’source’, u’filename’: u’app-source-ths’})
ok: [app] => (item={u’service’: u’journalist’, u’filename’: u’app-journalist-aths’})

TASK [tor-hidden-services : Copy torrc config file.] ***************************
ok: [mon]
ok: [app]

TASK [tor-hidden-services : Ensure tor is running.] ****************************
[DEPRECATION WARNING]: state=running is deprecated. Please use state=started.

This feature will be removed in version 2.7. Deprecation warnings can be
disabled by setting deprecation_warnings=False in ansible.cfg.
[DEPRECATION WARNING]: state=running is deprecated. Please use state=started.

This feature will be removed in version 2.7. Deprecation warnings can be
disabled by setting deprecation_warnings=False in ansible.cfg.
ok: [mon]
ok: [app]

TASK [install-fpf-repo : Install SecureDrop apt repo GPG signing key.] *********
ok: [mon]
ok: [app]

TASK [install-fpf-repo : Setup FPF apt repo.] **********************************
ok: [mon]
ok: [app]

TASK [install-fpf-repo : Install the securedrop-keyring package for managing the apt gpg key.] ***
ok: [mon]
ok: [app]

TASK [grsecurity : Check if reboot is required due to inactive grsecurity lock.] ***
ok: [mon]
ok: [app]

TASK [grsecurity : Install paxctl.] ********************************************
ok: [mon]
ok: [app]

TASK [grsecurity : Check paxctl headers on grub binaries.] *********************
ok: [mon] => (item=/usr/sbin/grub-probe)
ok: [app] => (item=/usr/sbin/grub-probe)
ok: [mon] => (item=/usr/sbin/grub-mkdevicemap)
ok: [app] => (item=/usr/sbin/grub-mkdevicemap)
ok: [mon] => (item=/usr/bin/grub-script-check)
ok: [app] => (item=/usr/bin/grub-script-check)

TASK [grsecurity : Adjust paxctl headers on grub binaries.] ********************
[WARNING]: when statements should not include jinja2 templating delimiters
such as {{ }} or {% %}. Found: item.stdout != ‘- PaX flags: --------E— [{{
item.item }}]’ or item.rc != 0

[WARNING]: when statements should not include jinja2 templating delimiters
such as {{ }} or {% %}. Found: item.stdout != ‘- PaX flags: --------E— [{{
item.item }}]’ or item.rc != 0

TASK [grsecurity : Remove MOTD pam module from SSH logins.] ********************
ok: [mon]
ok: [app]

TASK [grsecurity : Install the grsecurity-patched kernel from the FPF repo.] ***
ok: [mon]
ok: [app]

TASK [grsecurity : Get grsec kernel string from grub config.] ******************
ok: [mon]
ok: [app]

TASK [grsecurity : Check initial default grub entry for next boot.] ************
ok: [mon]
ok: [app]

TASK [grsecurity : Set grsec kernel as default for next boot.] *****************
ok: [mon]
ok: [app]

TASK [grsecurity : Check customized default grub entry for next boot.] *********
changed: [mon]
changed: [app]

TASK [grsecurity : Remove generic kernel packages.] ****************************
ok: [mon] => (item=[u’linux-signed-generic’, u’linux-signed-generic-lts-utopic’, u’linux-signed-image-generic’, u’linux-signed-image-generic-lts-utopic’, u’linux-image-*generic’, u’linux-headers-*’])
ok: [app] => (item=[u’linux-signed-generic’, u’linux-signed-generic-lts-utopic’, u’linux-signed-image-generic’, u’linux-signed-image-generic-lts-utopic’, u’linux-image-*generic’, u’linux-headers-*’])

TASK [grsecurity : Mark GRUB2 as manually installed so its not removed.] *******
changed: [mon]
changed: [app]

TASK [grsecurity : Clean old apt packages.] ************************************
[WARNING]: Consider using apt module rather than running apt-get

ok: [mon]
ok: [app]

TASK [grsecurity : Check if reboot is required due to inactive grsecurity lock.] ***
ok: [mon]
ok: [app]

TASK [grsecurity : Set sysctl flags for grsecurity.] ***************************
ok: [mon] => (item={u’name’: u’kernel.grsecurity.rwxmap_logging’, u’value’: u’0’})
ok: [app] => (item={u’name’: u’kernel.grsecurity.rwxmap_logging’, u’value’: u’0’})
ok: [mon] => (item={u’name’: u’kernel.grsecurity.grsec_lock’, u’value’: u’1’})
ok: [app] => (item={u’name’: u’kernel.grsecurity.grsec_lock’, u’value’: u’1’})
ok: [mon] => (item={u’name’: u’vm.heap_stack_gap’, u’value’: u’1048576’})
ok: [app] => (item={u’name’: u’vm.heap_stack_gap’, u’value’: u’1048576’})

PLAY [Configure SecureDrop Monitor Server.] ************************************

TASK [Gathering Facts] *********************************************************
ok: [mon]

TASK [ossec-server : Install OSSEC manager package.] ***************************
ok: [mon]

TASK [ossec-server : Install procmail.] ****************************************
ok: [mon]

TASK [ossec-server : Copy the OSSEC GPG public key for sending encrypted alerts.] ***
ok: [mon]

TASK [ossec-server : Add the OSSEC GPG public key to the OSSEC manager keyring.] ***
[WARNING]: Consider using ‘become’, ‘become_method’, and ‘become_user’ rather
than running su

ok: [mon]

TASK [ossec-server : Copy script for sending GPG-encrypted OSSEC alerts.] ******
ok: [mon]

TASK [ossec-server : Create procmail log file.] ********************************
ok: [mon]

TASK [ossec-server : Update permissions on procmail log file.] *****************
ok: [mon]

TASK [ossec-server : Copy procmail config file.] *******************************
ok: [mon]

TASK [ossec-server : Create Postfix certificate directory (if using custom certificate).] ***

TASK [ossec-server : Remove Postfix certificate directory (if not using custom certificate).] ***
ok: [mon]

TASK [ossec-server : Copy custom Postfix certificate (if provided).] ***********

TASK [ossec-server : Install postfix.] *****************************************
ok: [mon] => (item=[u’procmail’, u’postfix’, u’mailutils’])

TASK [ossec-server : Copy postfix /etc/aliases file to route root mail alerts to OSSEC.] ***
ok: [mon]

TASK [ossec-server : Create mapping for outbound address.] *********************

TASK [ossec-server : Configure SASL password for SMTP relay.] ******************
ok: [mon]

TASK [ossec-server : Configure Postfix to strip SMTP headers.] *****************
ok: [mon]

TASK [ossec-server : Copy Postfix config file.] ********************************
ok: [mon]

TASK [ossec-server : Configure Postfix service.] *******************************
ok: [mon]

TASK [ossec-server : Check whether Application Server is registered as OSSEC agent.] ***
ok: [mon]

TASK [ossec-server : Initialize host fact for OSSEC registration state.] *******
ok: [mon]

TASK [ossec-server : Set host fact for OSSEC registration state.] **************
[WARNING]: when statements should not include jinja2 templating delimiters
such as {{ }} or {% %}. Found: ossec_list_agents_result.stdout == “{{
app_hostname }}-{{ app_ip }} is available.”

TASK [ossec-server : Create OSSEC manager SSL key.] ****************************
ok: [mon]

TASK [ossec-server : Create OSSEC manager SSL certificate.] ********************
ok: [mon]

TASK [ossec-server : Start authd.] *********************************************
changed: [mon]

RUNNING HANDLER [ossec-server : restart ossec-server] **************************
changed: [mon]

PLAY [Configure SecureDrop Application Server.] ********************************

TASK [Gathering Facts] *********************************************************
ok: [app]

TASK [ossec-agent : Install securedrop-ossec-agent package.] *******************
ok: [app]

TASK [ossec-agent : Check whether iptables rules exist.] ***********************
ok: [app]

TASK [ossec-agent : Add firewall exemption for OSSEC agent registration.] ******
ok: [app] => (item=-A OUTPUT -d 10.20.3.2 -p tcp --dport 1515 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT)
ok: [app] => (item=-A INPUT -s 10.20.3.2 -p tcp --sport 1515 -m state --state ESTABLISHED,RELATED -j ACCEPT)

TASK [ossec-agent : Register OSSEC agent.] *************************************
fatal: [app]: FAILED! => {“changed”: true, “cmd”: ["/var/ossec/bin/agent-auth", “-m”, “10.20.3.2”, “-p”, “1515”, “-A”, “app”], “delta”: “0:02:07.297429”, “end”: “2018-06-15 03:46:24.842212”, “failed”: true, “rc”: 1, “start”: “2018-06-15 03:44:17.544783”, “stderr”: “2018/06/15 03:44:17 ossec-authd: INFO: Started (pid: 3526).\n2018/06/15 03:46:24 ossec-authd: Unable to connect to 10.20.3.2:1515”, “stderr_lines”: [“2018/06/15 03:44:17 ossec-authd: INFO: Started (pid: 3526).”, “2018/06/15 03:46:24 ossec-authd: Unable to connect to 10.20.3.2:1515”], “stdout”: “”, “stdout_lines”: []}
to retry, use: --limit @/home/amnesia/Persistent/securedrop/install_files/ansible-base/securedrop-prod.retry

PLAY RECAP *********************************************************************
app : ok=56 changed=3 unreachable=0 failed=1
localhost : ok=23 changed=0 unreachable=0 failed=0
mon : ok=74 changed=5 unreachable=0 failed=0

TASK: ossec-agent : Register OSSEC agent. ----------------------------- 130.33s
TASK: common : Set sysctl flags for net.ipv4 config. ------------------- 50.43s
TASK: grsecurity : Install the grsecurity-patched kernel from the FPF repo. – 25.42s
TASK: common : Configure DNS server IP. -------------------------------- 12.40s
TASK: common : Create cron job for running cron-apt updates nightly. — 12.31s
TASK: tor-hidden-services : Copy torrc config file. -------------------- 12.06s
TASK: common : Add security.list apt configuration. -------------------- 12.02s
TASK: common : Add disabled kernels modules to modprobe.d blacklist. — 11.66s
TASK: Gathering Facts -------------------------------------------------- 10.95s
TASK: common : Remove blacklisted kernel modules. ---------------------- 10.74s

Playbook finished: Fri Jun 15 07:46:25 2018, 107 total tasks. 0:09:26 elapsed.

Traceback (most recent call last):
File “./securedrop-admin”, line 329, in
args.func(args)
File “./securedrop-admin”, line 215, in install_securedrop
’–ask-become-pass’], cwd=ANSIBLE_PATH)
File “/usr/lib/python2.7/subprocess.py”, line 186, in check_call
raise CalledProcessError(retcode, cmd)
subprocess.CalledProcessError: Command ‘[’/home/amnesia/Persistent/securedrop/./install_files/ansible-base/securedrop-prod.yml’, ‘–ask-become-pass’]’ returned non-zero exit status 2


#44

dear all,
this may be totally unrelated but the last line here has looked wrong to me a couple times now. could we change the /etc/host file on our app server manually so the hostname for mon is just “…: u’mon’})” it looks like a default answer didn’t get removed somewhere along the way.
- hacker


#45

@hacker I am super confused so I am going to tag @mickael for additional review.

First: Yes your /etc/hosts should match mon but you should also update /etc/hostname. They hostname should only ever be mon. Once you update both of those files, the server should be rebooted.

Second: I am seeing the OSSEC error being suspiciously like an error that we fixed months ago in the 0.5.2 release so I want to confirm that you are on the latest git tags which is why I asked about this earlier:

cd ~/Persistent/securedrop
git fetch --tags
gpg --recv-key "2224 5C81 E3BA EB41 38B3 6061 310F 5612 00F4 AD77"
git tag -v 0.7.0

The TL:DR is that this looks strange and I am not sure whats going on. It looks like a old bug but I don’t know. Maybe some SecureDrop Engineers know a bit more than me. One possibility to confirm that its not a hardware firewall misconfigurations would be to try to use netcat to confirm that the packets are arriving on that port from the app server to the mon server.

Freddy


#46

hi @hacker

Any updates on this?

Best
Freddy


#47

dear freddy,

yes. thanks for checking on us. the hostname were checked/corrected and servers rebooted. same with rule placement shuffle in the firewall. we then followed your instructions regarding the 0.7.0 tags and so on.

everything seemed to be as it should i think. several items listed for the fetch --tags part. we didn’t try the last thing you mentioned yet however. we’re not exactly certain how best to proceed.

                                      - hacker

#48

dear all,
we have resolved this issue. we may need to troubleshoot alerts but the problem was related to a bug that was fixed last december we think. thanks to freddy and everyone in the forum for guiding us through mistakes and answering our [seemingly] endless questions. it was a big help.
- hacker