Dear Freddy,
here is the install run:
amnesia@amnesia:~/Persistent/securedrop$ ./securedrop-admin install
INFO: Now installing SecureDrop on remote servers.
INFO: You will be prompted for the sudo password on the servers.
INFO: The sudo password is only necessary during initial installation.
SUDO password:
[DEPRECATION WARNING]: Instead of sudo/sudo_user, use become/become_user and
make sure become_method is 'sudo' (default). This feature will be removed in a
future release. Deprecation warnings can be disabled by setting
deprecation_warnings=False in ansible.cfg.
PLAY [Migrate site-specific information in vars files.] ************************
TASK [Gathering Facts] *********************************************************
ok: [localhost]
TASK [Copy deprecated prod-specific.yml vars file.] ****************************
ok: [localhost]
TASK [validate : Validate Admin username (specified in vars).] *****************
ok: [localhost] => (item=amnesia) => {
"changed": false,
"item": "amnesia",
"msg": "All assertions passed"
}
ok: [localhost] => (item=root) => {
"changed": false,
"item": "root",
"msg": "All assertions passed"
}
TASK [validate : include] ******************************************************
included: /home/amnesia/Persistent/securedrop/install_files/ansible-base/roles/validate/tasks/validate_gpg_info.yml for localhost
included: /home/amnesia/Persistent/securedrop/install_files/ansible-base/roles/validate/tasks/validate_gpg_info.yml for localhost
TASK [validate : Validate GPG fingerprints.] ***********************************
ok: [localhost] => {
"changed": false,
"msg": "All assertions passed"
}
TASK [validate : Confirm GPG public key files exist locally.] ******************
ok: [localhost] => {
"changed": false,
"msg": "All assertions passed"
}
TASK [validate : Confirm public key file and fingerprint match.] ***************
ok: [localhost]
TASK [validate : Validate GPG fingerprints.] ***********************************
ok: [localhost] => {
"changed": false,
"msg": "All assertions passed"
}
TASK [validate : Confirm GPG public key files exist locally.] ******************
ok: [localhost] => {
"changed": false,
"msg": "All assertions passed"
}
TASK [validate : Confirm public key file and fingerprint match.] ***************
ok: [localhost]
TASK [validate : Validate OSSEC Admin email address.] **************************
ok: [localhost] => {
"changed": false,
"msg": "All assertions passed"
}
TASK [validate : Validate SASL username for OSSEC config.] *********************
ok: [localhost] => {
"changed": false,
"msg": "All assertions passed"
}
TASK [validate : Validate SASL password for OSSEC config.] *********************
ok: [localhost] => {
"changed": false,
"msg": "All assertions passed"
}
TASK [validate : Ensure mail config vars are defined.] *************************
ok: [localhost] => {
"changed": false,
"msg": "All assertions passed"
}
TASK [validate : Determine query strategy for mail config checks.] *************
ok: [localhost]
TASK [validate : Perform SMTP lookup check.] ***********************************
ok: [localhost]
TASK [validate : Validate SMTP relay connection.] ******************************
ok: [localhost] => {
"changed": false,
"msg": "All assertions passed"
}
TASK [validate : Perform SASL lookup check.] ***********************************
ok: [localhost]
TASK [validate : Validate SASL domain.] ****************************************
ok: [localhost] => {
"changed": false,
"msg": "All assertions passed"
}
TASK [validate : Confirm host OS is Tails.] ************************************
ok: [localhost] => {
"changed": false,
"msg": "All assertions passed"
}
TASK [validate : Check for persistence volume.] ********************************
ok: [localhost] => (item=/live/persistence/TailsData_unlocked/persistence.conf)
ok: [localhost] => (item=/live/persistence/TailsData_unlocked/openssh-client)
ok: [localhost] => (item=/home/amnesia/Persistent/securedrop)
TASK [validate : Confirm persistence volume is configured.] ********************
ok: [localhost] => (item={'_ansible_parsed': True, u'stat': {u'isuid': False, u'uid': 115, u'exists': True, u'attr_flags': u'', u'woth': False, u'isreg': True, u'device_type': 0, u'mtime': 1521260530.5721693, u'block_size': 4096, u'inode': 13, u'isgid': False, u'size': 560, u'executable': False, u'charset': u'unknown', u'readable': False, u'version': None, u'pw_name': u'tails-persistence-setup', u'gid': 122, u'ischr': False, u'wusr': True, u'writeable': False, u'mimetype': u'unknown', u'blocks': 8, u'xoth': False, u'islnk': False, u'nlink': 1, u'issock': False, u'rgrp': False, u'gr_name': u'tails-persistence-setup', u'path': u'/live/persistence/TailsData_unlocked/persistence.conf', u'xusr': False, u'atime': 1521260530.5721693, u'isdir': False, u'ctime': 1521260530.5721693, u'isblk': False, u'wgrp': False, u'xgrp': False, u'dev': 65024, u'roth': False, u'isfifo': False, u'mode': u'0600', u'rusr': True, u'attributes': []}, '_ansible_item_result': True, '_ansible_no_log': False, u'changed': False, 'item': u'/live/persistence/TailsData_unlocked/persistence.conf', u'invocation': {u'module_args': {u'checksum_algorithm': u'sha1', u'get_checksum': True, u'follow': False, u'path': u'/live/persistence/TailsData_unlocked/persistence.conf', u'get_md5': True, u'get_mime': True, u'get_attributes': True}}}) => {
"changed": false,
"item": {
"changed": false,
"invocation": {
"module_args": {
"checksum_algorithm": "sha1",
"follow": false,
"get_attributes": true,
"get_checksum": true,
"get_md5": true,
"get_mime": true,
"path": "/live/persistence/TailsData_unlocked/persistence.conf"
}
},
"item": "/live/persistence/TailsData_unlocked/persistence.conf",
"stat": {
"atime": 1521260530.5721693,
"attr_flags": "",
"attributes": [],
"block_size": 4096,
"blocks": 8,
"charset": "unknown",
"ctime": 1521260530.5721693,
"dev": 65024,
"device_type": 0,
"executable": false,
"exists": true,
"gid": 122,
"gr_name": "tails-persistence-setup",
"inode": 13,
"isblk": false,
"ischr": false,
"isdir": false,
"isfifo": false,
"isgid": false,
"islnk": false,
"isreg": true,
"issock": false,
"isuid": false,
"mimetype": "unknown",
"mode": "0600",
"mtime": 1521260530.5721693,
"nlink": 1,
"path": "/live/persistence/TailsData_unlocked/persistence.conf",
"pw_name": "tails-persistence-setup",
"readable": false,
"rgrp": false,
"roth": false,
"rusr": true,
"size": 560,
"uid": 115,
"version": null,
"wgrp": false,
"woth": false,
"writeable": false,
"wusr": true,
"xgrp": false,
"xoth": false,
"xusr": false
}
},
"msg": "All assertions passed"
}
ok: [localhost] => (item={'_ansible_parsed': True, u'stat': {u'isuid': False, u'uid': 115, u'exists': True, u'attr_flags': u'', u'woth': False, u'isreg': True, u'device_type': 0, u'mtime': 1521260530.5721693, u'block_size': 4096, u'inode': 13, u'isgid': False, u'size': 560, u'executable': False, u'charset': u'unknown', u'readable': False, u'version': None, u'pw_name': u'tails-persistence-setup', u'gid': 122, u'ischr': False, u'wusr': True, u'writeable': False, u'mimetype': u'unknown', u'blocks': 8, u'xoth': False, u'islnk': False, u'nlink': 1, u'issock': False, u'rgrp': False, u'gr_name': u'tails-persistence-setup', u'path': u'/live/persistence/TailsData_unlocked/persistence.conf', u'xusr': False, u'atime': 1521260530.5721693, u'isdir': False, u'ctime': 1521260530.5721693, u'isblk': False, u'wgrp': False, u'xgrp': False, u'dev': 65024, u'roth': False, u'isfifo': False, u'mode': u'0600', u'rusr': True, u'attributes': []}, '_ansible_item_result': True, '_ansible_no_log': False, u'changed': False, 'item': u'/live/persistence/TailsData_unlocked/openssh-client', u'invocation': {u'module_args': {u'checksum_algorithm': u'sha1', u'get_checksum': True, u'follow': False, u'path': u'/live/persistence/TailsData_unlocked/persistence.conf', u'get_md5': True, u'get_mime': True, u'get_attributes': True}}}) => {
"changed": false,
"item": {
"changed": false,
"invocation": {
"module_args": {
"checksum_algorithm": "sha1",
"follow": false,
"get_attributes": true,
"get_checksum": true,
"get_md5": true,
"get_mime": true,
"path": "/live/persistence/TailsData_unlocked/persistence.conf"
}
},
"item": "/live/persistence/TailsData_unlocked/openssh-client",
"stat": {
"atime": 1521260530.5721693,
"attr_flags": "",
"attributes": [],
"block_size": 4096,
"blocks": 8,
"charset": "unknown",
"ctime": 1521260530.5721693,
"dev": 65024,
"device_type": 0,
"executable": false,
"exists": true,
"gid": 122,
"gr_name": "tails-persistence-setup",
"inode": 13,
"isblk": false,
"ischr": false,
"isdir": false,
"isfifo": false,
"isgid": false,
"islnk": false,
"isreg": true,
"issock": false,
"isuid": false,
"mimetype": "unknown",
"mode": "0600",
"mtime": 1521260530.5721693,
"nlink": 1,
"path": "/live/persistence/TailsData_unlocked/persistence.conf",
"pw_name": "tails-persistence-setup",
"readable": false,
"rgrp": false,
"roth": false,
"rusr": true,
"size": 560,
"uid": 115,
"version": null,
"wgrp": false,
"woth": false,
"writeable": false,
"wusr": true,
"xgrp": false,
"xoth": false,
"xusr": false
}
},
"msg": "All assertions passed"
}
ok: [localhost] => (item={'_ansible_parsed': True, u'stat': {u'isuid': False, u'uid': 115, u'exists': True, u'attr_flags': u'', u'woth': False, u'isreg': True, u'device_type': 0, u'mtime': 1521260530.5721693, u'block_size': 4096, u'inode': 13, u'isgid': False, u'size': 560, u'executable': False, u'charset': u'unknown', u'readable': False, u'version': None, u'pw_name': u'tails-persistence-setup', u'gid': 122, u'ischr': False, u'wusr': True, u'writeable': False, u'mimetype': u'unknown', u'blocks': 8, u'xoth': False, u'islnk': False, u'nlink': 1, u'issock': False, u'rgrp': False, u'gr_name': u'tails-persistence-setup', u'path': u'/live/persistence/TailsData_unlocked/persistence.conf', u'xusr': False, u'atime': 1521260530.5721693, u'isdir': False, u'ctime': 1521260530.5721693, u'isblk': False, u'wgrp': False, u'xgrp': False, u'dev': 65024, u'roth': False, u'isfifo': False, u'mode': u'0600', u'rusr': True, u'attributes': []}, '_ansible_item_result': True, '_ansible_no_log': False, u'changed': False, 'item': u'/home/amnesia/Persistent/securedrop', u'invocation': {u'module_args': {u'checksum_algorithm': u'sha1', u'get_checksum': True, u'follow': False, u'path': u'/live/persistence/TailsData_unlocked/persistence.conf', u'get_md5': True, u'get_mime': True, u'get_attributes': True}}}) => {
"changed": false,
"item": {
"changed": false,
"invocation": {
"module_args": {
"checksum_algorithm": "sha1",
"follow": false,
"get_attributes": true,
"get_checksum": true,
"get_md5": true,
"get_mime": true,
"path": "/live/persistence/TailsData_unlocked/persistence.conf"
}
},
"item": "/home/amnesia/Persistent/securedrop",
"stat": {
"atime": 1521260530.5721693,
"attr_flags": "",
"attributes": [],
"block_size": 4096,
"blocks": 8,
"charset": "unknown",
"ctime": 1521260530.5721693,
"dev": 65024,
"device_type": 0,
"executable": false,
"exists": true,
"gid": 122,
"gr_name": "tails-persistence-setup",
"inode": 13,
"isblk": false,
"ischr": false,
"isdir": false,
"isfifo": false,
"isgid": false,
"islnk": false,
"isreg": true,
"issock": false,
"isuid": false,
"mimetype": "unknown",
"mode": "0600",
"mtime": 1521260530.5721693,
"nlink": 1,
"path": "/live/persistence/TailsData_unlocked/persistence.conf",
"pw_name": "tails-persistence-setup",
"readable": false,
"rgrp": false,
"roth": false,
"rusr": true,
"size": 560,
"uid": 115,
"version": null,
"wgrp": false,
"woth": false,
"writeable": false,
"wusr": true,
"xgrp": false,
"xoth": false,
"xusr": false
}
},
"msg": "All assertions passed"
}
PLAY [Add FPF apt repository and install base packages.] ***********************
TASK [Gathering Facts] *********************************************************
ok: [app]
ok: [mon]
TASK [common : Copy sudoers file.] *********************************************
ok: [mon]
ok: [app]
TASK [common : Create shell accounts for SecureDrop admins.] *******************
ok: [mon] => (item=XXXXXX)
ok: [app] => (item=XXXXXX)
TASK [common : Set SecureDrop bash profile additions.] *************************
ok: [mon]
ok: [app]
TASK [common : Clean up local bashrc config for admin accounts.] ***************
ok: [mon] => (item=XXXXXX)
ok: [app] => (item=XXXXXX)
TASK [common : Read /etc/hosts file to filter duplicate entries.] **************
ok: [mon]
ok: [app]
TASK [common : Remove duplicate entries from /etc/hosts.] **********************
ok: [mon]
ok: [app]
TASK [common : Add local IPv4 addresses for SecureDrop servers to /etc/hosts.] ***
ok: [mon] => (item={u'ip': u'10.20.2.2', u'hostname': u'app'})
ok: [app] => (item={u'ip': u'10.20.3.2', u'hostname': u'mon securedrop-monitor-server-alias'})
TASK [common : Configure DNS server IP.] ***************************************
ok: [mon]
ok: [app]
TASK [common : Install tmux.] **************************************************
ok: [mon]
ok: [app]
TASK [common : Install ntp for ntpd.] ******************************************
ok: [mon]
ok: [app]
TASK [common : Install cron-apt for unattended security upgrades.] *************
ok: [mon]
ok: [app]
TASK [common : Copy cron-apt config file.] *************************************
ok: [mon]
ok: [app]
TASK [common : Add security.list apt configuration.] ***************************
ok: [mon]
ok: [app]
TASK [common : Configure cron-apt to update the security.list repos.] **********
ok: [mon]
ok: [app]
TASK [common : Configure cron-apt to upgrade the packages in the security.list repos.] ***
ok: [mon]
ok: [app]
TASK [common : Remove default cron-apt config file for downloading all updates.] ***
ok: [mon]
ok: [app]
TASK [common : Create cron job for running cron-apt updates nightly.] **********
ok: [mon]
ok: [app]
TASK [common : Update apt cache.] **********************************************
ok: [mon]
ok: [app]
TASK [common : Check whether tor will be upgraded.] ****************************
ok: [mon]
ok: [app]
TASK [common : Hold tor package to prevent upgrade breaking SSH connection.] ***
TASK [common : Perform safe upgrade to ensure all the packages are updated.] ***
changed: [mon]
changed: [app]
TASK [common : Remove hold on tor package, to permit automatic upgrades.] ******
ok: [mon]
ok: [app]
TASK [common : Check if reboot is required due to security updates.] ***********
ok: [mon]
ok: [app]
TASK [common : Set sysctl flags for net.ipv4 config.] **************************
ok: [mon] => (item={u'name': u'net.ipv4.tcp_max_syn_backlog', u'value': u'4096'})
ok: [app] => (item={u'name': u'net.ipv4.tcp_max_syn_backlog', u'value': u'4096'})
ok: [mon] => (item={u'name': u'net.ipv4.tcp_syncookies', u'value': u'1'})
ok: [app] => (item={u'name': u'net.ipv4.tcp_syncookies', u'value': u'1'})
ok: [mon] => (item={u'name': u'net.ipv4.conf.all.rp_filter', u'value': u'1'})
ok: [app] => (item={u'name': u'net.ipv4.conf.all.rp_filter', u'value': u'1'})
ok: [mon] => (item={u'name': u'net.ipv4.conf.all.accept_source_route', u'value': u'0'})
ok: [app] => (item={u'name': u'net.ipv4.conf.all.accept_source_route', u'value': u'0'})
ok: [mon] => (item={u'name': u'net.ipv4.conf.all.accept_redirects', u'value': u'0'})
ok: [mon] => (item={u'name': u'net.ipv4.conf.all.secure_redirects', u'value': u'0'})
ok: [app] => (item={u'name': u'net.ipv4.conf.all.accept_redirects', u'value': u'0'})
ok: [mon] => (item={u'name': u'net.ipv4.conf.default.rp_filter', u'value': u'1'})
ok: [app] => (item={u'name': u'net.ipv4.conf.all.secure_redirects', u'value': u'0'})
ok: [mon] => (item={u'name': u'net.ipv4.conf.default.accept_source_route', u'value': u'0'})
ok: [mon] => (item={u'name': u'net.ipv4.conf.default.accept_redirects', u'value': u'0'})
ok: [app] => (item={u'name': u'net.ipv4.conf.default.rp_filter', u'value': u'1'})
ok: [mon] => (item={u'name': u'net.ipv4.conf.default.secure_redirects', u'value': u'0'})
ok: [mon] => (item={u'name': u'net.ipv4.icmp_echo_ignore_broadcasts', u'value': u'1'})
ok: [app] => (item={u'name': u'net.ipv4.conf.default.accept_source_route', u'value': u'0'})
ok: [mon] => (item={u'name': u'net.ipv4.ip_forward', u'value': u'0'})
ok: [app] => (item={u'name': u'net.ipv4.conf.default.accept_redirects', u'value': u'0'})
ok: [mon] => (item={u'name': u'net.ipv4.conf.all.send_redirects', u'value': u'0'})
ok: [app] => (item={u'name': u'net.ipv4.conf.default.secure_redirects', u'value': u'0'})
ok: [mon] => (item={u'name': u'net.ipv4.conf.default.send_redirects', u'value': u'0'})
ok: [mon] => (item={u'name': u'net.ipv6.conf.all.disable_ipv6', u'value': u'1'})
ok: [app] => (item={u'name': u'net.ipv4.icmp_echo_ignore_broadcasts', u'value': u'1'})
ok: [mon] => (item={u'name': u'net.ipv6.conf.default.disable_ipv6', u'value': u'1'})
ok: [app] => (item={u'name': u'net.ipv4.ip_forward', u'value': u'0'})
ok: [mon] => (item={u'name': u'net.ipv6.conf.lo.disable_ipv6', u'value': u'1'})
ok: [app] => (item={u'name': u'net.ipv4.conf.all.send_redirects', u'value': u'0'})
ok: [app] => (item={u'name': u'net.ipv4.conf.default.send_redirects', u'value': u'0'})
ok: [app] => (item={u'name': u'net.ipv6.conf.all.disable_ipv6', u'value': u'1'})
ok: [app] => (item={u'name': u'net.ipv6.conf.default.disable_ipv6', u'value': u'1'})
ok: [app] => (item={u'name': u'net.ipv6.conf.lo.disable_ipv6', u'value': u'1'})
TASK [common : Check current swap status.] *************************************
ok: [mon]
ok: [app]
TASK [common : Disable swap space.] ********************************************
ok: [mon]
ok: [app]
TASK [common : Remove blacklisted kernel modules.] *****************************
ok: [mon] => (item=btusb)
ok: [app] => (item=btusb)
ok: [mon] => (item=bluetooth)
ok: [app] => (item=bluetooth)
ok: [mon] => (item=iwlmvm)
ok: [app] => (item=iwlmvm)
ok: [mon] => (item=iwlwifi)
ok: [app] => (item=iwlwifi)
TASK [common : Add disabled kernels modules to modprobe.d blacklist.] **********
ok: [mon] => (item=btusb)
ok: [app] => (item=btusb)
ok: [mon] => (item=bluetooth)
ok: [app] => (item=bluetooth)
ok: [mon] => (item=iwlmvm)
ok: [mon] => (item=iwlwifi)
ok: [app] => (item=iwlmvm)
ok: [app] => (item=iwlwifi)
TASK [tor-hidden-services : Install Tor project GPG signing key.] **************
ok: [mon]
ok: [app]
TASK [tor-hidden-services : Setup Tor apt repo.] *******************************
ok: [mon]
ok: [app]
TASK [tor-hidden-services : Update apt cache.] *********************************
TASK [tor-hidden-services : Install Tor and Tor keyring packages.] *************
ok: [mon] => (item=[u'deb.torproject.org-keyring', u'tor'])
ok: [app] => (item=[u'deb.torproject.org-keyring', u'tor'])
TASK [tor-hidden-services : Create parent directory for Tor hidden services.] ***
ok: [mon]
ok: [app]
TASK [tor-hidden-services : Create directories for Tor hidden services.] *******
ok: [mon] => (item={u'service': u'ssh', u'filename': u'mon-ssh-aths'})
ok: [app] => (item={u'service': u'ssh', u'filename': u'app-ssh-aths'})
ok: [app] => (item={u'service': u'source', u'filename': u'app-source-ths'})
ok: [app] => (item={u'service': u'journalist', u'filename': u'app-journalist-aths'})
TASK [tor-hidden-services : Copy torrc config file.] ***************************
ok: [mon]
ok: [app]
TASK [tor-hidden-services : Ensure tor is running.] ****************************
[DEPRECATION WARNING]: state=running is deprecated. Please use state=started.
This feature will be removed in version 2.7. Deprecation warnings can be
disabled by setting deprecation_warnings=False in ansible.cfg.
[DEPRECATION WARNING]: state=running is deprecated. Please use state=started.
This feature will be removed in version 2.7. Deprecation warnings can be
disabled by setting deprecation_warnings=False in ansible.cfg.
ok: [mon]
ok: [app]
TASK [install-fpf-repo : Install SecureDrop apt repo GPG signing key.] *********
ok: [mon]
ok: [app]
TASK [install-fpf-repo : Setup FPF apt repo.] **********************************
ok: [mon]
ok: [app]
TASK [install-fpf-repo : Install the securedrop-keyring package for managing the apt gpg key.] ***
ok: [mon]
ok: [app]
TASK [grsecurity : Check if reboot is required due to inactive grsecurity lock.] ***
ok: [mon]
ok: [app]
TASK [grsecurity : Install paxctl.] ********************************************
ok: [mon]
ok: [app]
TASK [grsecurity : Check paxctl headers on grub binaries.] *********************
ok: [mon] => (item=/usr/sbin/grub-probe)
ok: [app] => (item=/usr/sbin/grub-probe)
ok: [mon] => (item=/usr/sbin/grub-mkdevicemap)
ok: [app] => (item=/usr/sbin/grub-mkdevicemap)
ok: [mon] => (item=/usr/bin/grub-script-check)
ok: [app] => (item=/usr/bin/grub-script-check)
TASK [grsecurity : Adjust paxctl headers on grub binaries.] ********************
[WARNING]: when statements should not include jinja2 templating delimiters
such as {{ }} or {% %}. Found: item.stdout != '- PaX flags: --------E--- [{{
item.item }}]' or item.rc != 0
[WARNING]: when statements should not include jinja2 templating delimiters
such as {{ }} or {% %}. Found: item.stdout != '- PaX flags: --------E--- [{{
item.item }}]' or item.rc != 0
TASK [grsecurity : Remove MOTD pam module from SSH logins.] ********************
ok: [mon]
ok: [app]
TASK [grsecurity : Install the grsecurity-patched kernel from the FPF repo.] ***
ok: [mon]
ok: [app]
TASK [grsecurity : Get grsec kernel string from grub config.] ******************
ok: [mon]
ok: [app]
TASK [grsecurity : Check initial default grub entry for next boot.] ************
ok: [mon]
ok: [app]
TASK [grsecurity : Set grsec kernel as default for next boot.] *****************
ok: [mon]
ok: [app]
TASK [grsecurity : Check customized default grub entry for next boot.] *********
changed: [mon]
changed: [app]
TASK [grsecurity : Remove generic kernel packages.] ****************************
ok: [mon] => (item=[u'linux-signed-generic', u'linux-signed-generic-lts-utopic', u'linux-signed-image-generic', u'linux-signed-image-generic-lts-utopic', u'linux-image-*generic', u'linux-headers-*'])
ok: [app] => (item=[u'linux-signed-generic', u'linux-signed-generic-lts-utopic', u'linux-signed-image-generic', u'linux-signed-image-generic-lts-utopic', u'linux-image-*generic', u'linux-headers-*'])
TASK [grsecurity : Mark GRUB2 as manually installed so its not removed.] *******
changed: [mon]
changed: [app]
TASK [grsecurity : Clean old apt packages.] ************************************
[WARNING]: Consider using apt module rather than running apt-get
ok: [mon]
ok: [app]
TASK [grsecurity : Check if reboot is required due to inactive grsecurity lock.] ***
ok: [mon]
ok: [app]
TASK [grsecurity : Set sysctl flags for grsecurity.] ***************************
ok: [mon] => (item={u'name': u'kernel.grsecurity.rwxmap_logging', u'value': u'0'})
ok: [app] => (item={u'name': u'kernel.grsecurity.rwxmap_logging', u'value': u'0'})
ok: [mon] => (item={u'name': u'kernel.grsecurity.grsec_lock', u'value': u'1'})
ok: [app] => (item={u'name': u'kernel.grsecurity.grsec_lock', u'value': u'1'})
ok: [mon] => (item={u'name': u'vm.heap_stack_gap', u'value': u'1048576'})
ok: [app] => (item={u'name': u'vm.heap_stack_gap', u'value': u'1048576'})
PLAY [Configure SecureDrop Monitor Server.] ************************************
TASK [Gathering Facts] *********************************************************
ok: [mon]
TASK [ossec-server : Install OSSEC manager package.] ***************************
ok: [mon]
TASK [ossec-server : Install procmail.] ****************************************
ok: [mon]
TASK [ossec-server : Copy the OSSEC GPG public key for sending encrypted alerts.] ***
ok: [mon]
TASK [ossec-server : Add the OSSEC GPG public key to the OSSEC manager keyring.] ***
[WARNING]: Consider using 'become', 'become_method', and 'become_user' rather
than running su
ok: [mon]
TASK [ossec-server : Copy script for sending GPG-encrypted OSSEC alerts.] ******
ok: [mon]
TASK [ossec-server : Create procmail log file.] ********************************
ok: [mon]
TASK [ossec-server : Update permissions on procmail log file.] *****************
ok: [mon]
TASK [ossec-server : Copy procmail config file.] *******************************
ok: [mon]
TASK [ossec-server : Create Postfix certificate directory (if using custom certificate).] ***
TASK [ossec-server : Remove Postfix certificate directory (if not using custom certificate).] ***
ok: [mon]
TASK [ossec-server : Copy custom Postfix certificate (if provided).] ***********
TASK [ossec-server : Install postfix.] *****************************************
ok: [mon] => (item=[u'procmail', u'postfix', u'mailutils'])
TASK [ossec-server : Copy postfix /etc/aliases file to route root mail alerts to OSSEC.] ***
ok: [mon]
TASK [ossec-server : Create mapping for outbound address.] *********************
TASK [ossec-server : Configure SASL password for SMTP relay.] ******************
ok: [mon]
TASK [ossec-server : Configure Postfix to strip SMTP headers.] *****************
ok: [mon]
TASK [ossec-server : Copy Postfix config file.] ********************************
ok: [mon]
TASK [ossec-server : Configure Postfix service.] *******************************
ok: [mon]
TASK [ossec-server : Check whether Application Server is registered as OSSEC agent.] ***
ok: [mon]
TASK [ossec-server : Initialize host fact for OSSEC registration state.] *******
ok: [mon]
TASK [ossec-server : Set host fact for OSSEC registration state.] **************
[WARNING]: when statements should not include jinja2 templating delimiters
such as {{ }} or {% %}. Found: ossec_list_agents_result.stdout == "{{
app_hostname }}-{{ app_ip }} is available."
TASK [ossec-server : Create OSSEC manager SSL key.] ****************************
ok: [mon]
TASK [ossec-server : Create OSSEC manager SSL certificate.] ********************
ok: [mon]
TASK [ossec-server : Start authd.] *********************************************
changed: [mon]
RUNNING HANDLER [ossec-server : restart ossec-server] **************************
changed: [mon]
PLAY [Configure SecureDrop Application Server.] ********************************
TASK [Gathering Facts] *********************************************************
ok: [app]
TASK [ossec-agent : Install securedrop-ossec-agent package.] *******************
ok: [app]
TASK [ossec-agent : Check whether iptables rules exist.] ***********************
ok: [app]
TASK [ossec-agent : Add firewall exemption for OSSEC agent registration.] ******
ok: [app] => (item=-A OUTPUT -d 10.20.3.2 -p tcp --dport 1515 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT)
ok: [app] => (item=-A INPUT -s 10.20.3.2 -p tcp --sport 1515 -m state --state ESTABLISHED,RELATED -j ACCEPT)
TASK [ossec-agent : Register OSSEC agent.] *************************************
fatal: [app]: FAILED! => {"changed": true, "cmd": ["/var/ossec/bin/agent-auth", "-m", "10.20.3.2", "-p", "1515", "-A", "app"], "delta": "0:02:07.297429", "end": "2018-06-15 03:46:24.842212", "failed": true, "rc": 1, "start": "2018-06-15 03:44:17.544783", "stderr": "2018/06/15 03:44:17 ossec-authd: INFO: Started (pid: 3526).\n2018/06/15 03:46:24 ossec-authd: Unable to connect to 10.20.3.2:1515", "stderr_lines": ["2018/06/15 03:44:17 ossec-authd: INFO: Started (pid: 3526).", "2018/06/15 03:46:24 ossec-authd: Unable to connect to 10.20.3.2:1515"], "stdout": "", "stdout_lines": []}
to retry, use: --limit @/home/amnesia/Persistent/securedrop/install_files/ansible-base/securedrop-prod.retry
PLAY RECAP *********************************************************************
app : ok=56 changed=3 unreachable=0 failed=1
localhost : ok=23 changed=0 unreachable=0 failed=0
mon : ok=74 changed=5 unreachable=0 failed=0
TASK: ossec-agent : Register OSSEC agent. ----------------------------- 130.33s
TASK: common : Set sysctl flags for net.ipv4 config. ------------------- 50.43s
TASK: grsecurity : Install the grsecurity-patched kernel from the FPF repo. -- 25.42s
TASK: common : Configure DNS server IP. -------------------------------- 12.40s
TASK: common : Create cron job for running cron-apt updates nightly. --- 12.31s
TASK: tor-hidden-services : Copy torrc config file. -------------------- 12.06s
TASK: common : Add security.list apt configuration. -------------------- 12.02s
TASK: common : Add disabled kernels modules to modprobe.d blacklist. --- 11.66s
TASK: Gathering Facts -------------------------------------------------- 10.95s
TASK: common : Remove blacklisted kernel modules. ---------------------- 10.74s
Playbook finished: Fri Jun 15 07:46:25 2018, 107 total tasks. 0:09:26 elapsed.
Traceback (most recent call last):
  File "./securedrop-admin", line 329, in <module>
    args.func(args)
  File "./securedrop-admin", line 215, in install_securedrop
    '--ask-become-pass'], cwd=ANSIBLE_PATH)
  File "/usr/lib/python2.7/subprocess.py", line 186, in check_call
    raise CalledProcessError(retcode, cmd)
subprocess.CalledProcessError: Command '['/home/amnesia/Persistent/securedrop/./install_files/ansible-base/securedrop-prod.yml', '--ask-become-pass']' returned non-zero exit status 2