Merge pull request #618 from freedomofpress/583-host-to-ghost

Remove special casing for sd-whonix

dom0/sd-clean-whonix.sls

@@ -14,7 +14,6 @@ remove-securedrop-log-package-from-whonix:
 sd-cleanup-whonix-gw-15:
   cmd.run:
     - names:
-      - sudo rm -f /etc/rsyslog.d/sdlog.conf
       - sudo rm -f /etc/apt/sources.list.d/securedrop_workstation.list
       - sudo systemctl restart rsyslog
       - sudo apt-key del 4ED79CC3362D7D12837046024A3BE4A92211B03C

dom0/sd-logging-setup.sls

@@ -62,41 +62,33 @@ sd-gpg-remove-rsyslog-qubes-plugin:
     - require:
       - file: sd-gpg-remove-rsyslog-qubes-plugin
 
-{% elif grains['id'] == "sd-whonix" %}
-# We can not place the file on the template under /etc/rsyslog.d/ because of whonix
-# template. This sdlog.conf file is the same from the securedrop-log package, to
-# make sure that rsyslogd use our logging plugin.
-sd-rsyslog-sdlog-conf-for-sd-whonix:
-  file.managed:
-    - name: /rw/config/sdlog.conf
-    - source: "salt://sdlog.conf"
-
-# Because whonix-gw-15 template is not allowing to create the config file on
-# package install time, we do it via rc.local call.
-sd-rc-enable-logging-for-sd-whonix:
-  file.blockreplace:
-    - name: /rw/config/rc.local
-    - append_if_not_found: True
-    - marker_start: "### BEGIN securedrop-workstation ###"
-    - marker_end: "### END securedrop-workstation ###"
-    - content: |
-        # Add sd-rsyslog.conf file for syslog
-        ln -sf /rw/config/sdlog.conf /etc/rsyslog.d/sdlog.conf
-        cat <<EOF > /etc/sd-rsyslog.conf
-        [sd-rsyslog]
-        remotevm = sd-log
-        localvm = {{ grains['id'] }}
-        EOF
-        systemctl restart rsyslog
-  cmd.run:
-    - name: /rw/config/rc.local
-    - require:
-      - file: sd-rc-enable-logging-for-sd-whonix
-
 {% else %}
 # For all other VMs, configure to send to sd-log
 configure-rsyslog-for-sd:
   file.managed:
     - name: /etc/sd-rsyslog.conf
     - source: "salt://sd-rsyslog.conf.j2"
 {% endif %}
+
+# Remove outdated configuration that was previously used to configure the
+# sd-whonix VM name for logging purposes, see:
+# https://github.com/freedomofpress/securedrop-workstation/issues/583
+#
+# Can be removed in a future release once all production workstations have
+# been updated.
+{% if grains['id'] == "sd-whonix" %}
+sd-whonix-cleanup-rc-local:
+  file.replace:
+    - names:
+      - /rw/config/rc.local
+    - pattern: '### BEGIN securedrop-workstation ###.*### END securedrop-workstation ###\s*'
+    - flags:
+      - MULTILINE
+      - DOTALL
+    - repl: ''
+    - backup: no
+
+sd-whonix-cleanup-sdlog-conf:
+  file.absent:
+    - name: /rw/config/sdlog.conf
+{% endif %}

tests/base.py

@@ -105,11 +105,9 @@ def _fileExists(self, remote_path):
 
         return True
 
-    def logging_configured(self, vmname=False):
+    def logging_configured(self):
         """
         Make sure rsyslog is configured to send in data to sd-log vm.
-        Takes an optional 'vmname' argument, in case hostname
-        returned by system is an insufficient identifier, e.g. Whonix.
         """
         self.assertTrue(self._package_is_installed("securedrop-log"))
         self.assertTrue(self._fileExists("/usr/sbin/sd-rsyslog"))
@@ -120,10 +118,6 @@ def logging_configured(self, vmname=False):
         static_content = """[sd-rsyslog]
 remotevm = sd-log
 """
-        # A hardcoded vmname should only be present if required,
-        # since securedrop-log will default to value of `hostname`.
-        if vmname:
-            static_content += "localvm = {}\n".format(self.vm_name)
         self.assertEqual(file_content, static_content)
         # Check for evidence of misconfigured logging in syslog,
         # fail if matching events found

tests/test_sd_whonix.py

@@ -55,7 +55,7 @@ def test_sd_whonix_repo_enabled(self):
         assert self._fileExists(self.whonix_apt_list)
 
     def test_logging_configured(self):
-        self.logging_configured(vmname=True)
+        self.logging_configured()
 
     def test_sd_whonix_verify_tor_config(self):
         # User must be debian-tor for v3 Onion, due to restrictive