Merge pull request #487 from freedomofpress/476-simplify-logging-host…

…name-config

Distinguishes between TemplateVM & AppVM in log collection

dom0/sd-app-files.sls

@@ -10,21 +10,12 @@
 ##
 include:
   - fpf-apt-test-repo
+  - sd-logging-setup
 
 # FPF repo is setup in "securedrop-workstation" template
-install-securedrop-client-and-securedrop-log-package:
+install-securedrop-client-package:
   pkg.installed:
     - pkgs:
       - securedrop-client
-      - securedrop-log
     - require:
       - sls: fpf-apt-test-repo
-
-
-sd-rsyslog-for-sd-app:
-  file.managed:
-    - name: /etc/sd-rsyslog.conf
-    - source: "salt://sd-rsyslog.conf.j2"
-    - template: jinja
-    - context:
-        vmname: sd-app

dom0/sd-devices-files.sls

@@ -10,6 +10,7 @@
 ##
 include:
   - fpf-apt-test-repo
+  - sd-logging-setup
 
 # Libreoffice needs to be installed here to convert to pdf to allow printing
 sd-devices-install-libreoffice:
@@ -24,19 +25,5 @@ sd-devices-install-libreoffice:
 sd-devices-install-package:
   pkg.installed:
     - name: securedrop-export
-
-
-sd-devices-install-securedrop-log-package:
-  pkg.installed:
-    - pkgs:
-      - securedrop-log
     - require:
       - sls: fpf-apt-test-repo
-
-sd-rsyslog-for-sd-devices:
-  file.managed:
-    - name: /etc/sd-rsyslog.conf
-    - source: "salt://sd-rsyslog.conf.j2"
-    - template: jinja
-    - context:
-        vmname: sd-devices

dom0/sd-log.sls

@@ -37,6 +37,8 @@ sd-log:
     - features:
       - enable:
         - service.paxctld
+        - service.redis
+        - service.securedrop-log
     - require:
       - qvm: sd-log-buster-template
 
@@ -57,11 +59,3 @@ sd-log-private-volume-size:
         qvm-volume resize sd-log:private {{ d.vmsizes.sd_log }}GiB
     - require:
       - qvm: sd-log
-
-# Permit the SecureDrop Proxy to manage Client connections
-sd-dom-dom0-securedrop.Log:
-  file.prepend:
-    - name: /etc/qubes-rpc/policy/securedrop.Log
-    - text: |
-        @tag:sd-workstation sd-log allow
-        @anyvm @anyvm deny

dom0/sd-logging-setup.sls

@@ -0,0 +1,102 @@
+# -*- coding: utf-8 -*-
+# vim: set syntax=yaml ts=2 sw=2 sts=2 et :
+
+include:
+  - fpf-apt-test-repo
+
+{% if "template" in grains['id'] or grains['id'] in ["securedrop-workstation-buster", "whonix-gw-15"] %}
+# Install securedrop-log package in TemplateVMs only
+install-securedrop-log-package:
+  pkg.installed:
+    - pkgs:
+      - securedrop-log
+    - require:
+      - sls: fpf-apt-test-repo
+{% endif %}
+
+{% if grains['id'] == "sd-log-buster-template" %}
+install-redis-for-sd-log-template:
+  pkg.installed:
+    - pkgs:
+      - redis-server
+      - redis
+remove-sd-rsyslog-config-for-logserver:
+  file.absent:
+    - name: /etc/rsyslog.d/sdlog.conf
+
+{% elif grains['id'] == "sd-log" %}
+# Only for the "sd-log" AppVM, configure /rw/config to disable
+# custom log config, and also start the necessary services.
+sd-log-remove-rsyslog-qubes-plugin:
+  file.blockreplace:
+    - name: /rw/config/rc.local
+    - append_if_not_found: True
+    - marker_start: "### BEGIN securedrop-workstation ###"
+    - marker_end: "### END securedrop-workstation ###"
+    - content: |
+        # Removes sdlog.conf file for rsyslog
+        rm -f /etc/rsyslog.d/sdlog.conf
+        systemctl restart rsyslog
+        systemctl start redis
+        systemctl start securedrop-log
+  cmd.run:
+    - name: /rw/config/rc.local
+    - require:
+      - file: sd-log-remove-rsyslog-qubes-plugin
+
+{% elif grains['id'] == "sd-gpg" %}
+# For sd-gpg, we disable logging altogether, since access
+# to the keyring will be logged in sd-app
+sd-gpg-remove-rsyslog-qubes-plugin:
+  file.blockreplace:
+    - name: /rw/config/rc.local
+    - append_if_not_found: True
+    - marker_start: "### BEGIN securedrop-workstation ###"
+    - marker_end: "### END securedrop-workstation ###"
+    - content: |
+        # Removes sdlog.conf file for rsyslog
+        rm -f /etc/rsyslog.d/sdlog.conf
+        systemctl restart rsyslog
+  cmd.run:
+    - name: /rw/config/rc.local
+    - require:
+      - file: sd-gpg-remove-rsyslog-qubes-plugin
+
+{% elif grains['id'] == "sd-whonix" %}
+# We can not place the file on the template under /etc/rsyslog.d/ because of whonix
+# template. This sdlog.conf file is the same from the securedrop-log package, to
+# make sure that rsyslogd use our logging plugin.
+sd-rsyslog-sdlog-conf-for-sd-whonix:
+  file.managed:
+    - name: /rw/config/sdlog.conf
+    - source: "salt://sdlog.conf"
+
+# Because whonix-gw-15 template is not allowing to create the config file on
+# package install time, we do it via rc.local call.
+sd-rc-enable-logging-for-sd-whonix:
+  file.blockreplace:
+    - name: /rw/config/rc.local
+    - append_if_not_found: True
+    - marker_start: "### BEGIN securedrop-workstation ###"
+    - marker_end: "### END securedrop-workstation ###"
+    - content: |
+        # Add sd-rsyslog.conf file for syslog
+        ln -sf /rw/config/sdlog.conf /etc/rsyslog.d/sdlog.conf
+        cat <<EOF > /etc/sd-rsyslog.conf
+        [sd-rsyslog]
+        remotevm = sd-log
+        localvm = {{ grains['id'] }}
+        EOF
+        systemctl restart rsyslog
+  cmd.run:
+    - name: /rw/config/rc.local
+    - require:
+      - file: sd-rc-enable-logging-for-sd-whonix
+
+{% else %}
+# For all other VMs, configure to send to sd-log
+configure-rsyslog-for-sd:
+  file.managed:
+    - name: /etc/sd-rsyslog.conf
+    - source: "salt://sd-rsyslog.conf.j2"
+{% endif %}

dom0/sd-proxy-template-files.sls

@@ -2,6 +2,7 @@
 # vim: set syntax=yaml ts=2 sw=2 sts=2 et :
 include:
   - fpf-apt-test-repo
+  - sd-logging-setup
 
 sd-proxy-do-not-open-here-script:
   file.managed:
@@ -41,11 +42,10 @@ sd-proxy-configure-mimetypes:
 
 # Depends on FPF-controlled apt repo, already present
 # in underlying "securedrop-workstation" base template.
-install-securedrop-proxy-and-securedrop-log-package:
+install-securedrop-proxy-package:
   pkg.installed:
     - pkgs:
       - securedrop-proxy
-      - securedrop-log
     - require:
       - sls: fpf-apt-test-repo
 
@@ -60,11 +60,3 @@ install-securedrop-proxy-yaml-config:
     - context:
         hostname: {{ d.hidserv.hostname }}
     - mode: 0644
-
-sd-rsyslog-for-sd-proxy:
-  file.managed:
-    - name: /etc/sd-rsyslog.conf
-    - source: "salt://sd-rsyslog.conf.j2"
-    - template: jinja
-    - context:
-        vmname: sd-proxy

dom0/sd-rsyslog.conf.j2

@@ -1,3 +1,2 @@
 [sd-rsyslog]
 remotevm = sd-log
-localvm = {{ vmname }}

dom0/sd-viewer-files.sls

@@ -12,6 +12,7 @@
 
 include:
   - fpf-apt-test-repo
+  - sd-logging-setup
 
 sd-viewer-install-mimetype-handler-package:
   pkg.installed:
@@ -28,18 +29,3 @@ sd-viewer-install-libreoffice:
         attempts: 3
         interval: 60
     - install_recommends: False
-
-sd-viewer-install-logging:
-  pkg.installed:
-    - pkgs:
-      - securedrop-log
-    - require:
-      - sls: fpf-apt-test-repo
-
-sd-rsyslog-for-sd-viewer:
-  file.managed:
-    - name: /etc/sd-rsyslog.conf
-    - source: "salt://sd-rsyslog.conf.j2"
-    - template: jinja
-    - context:
-        vmname: sd-viewer

dom0/sd-workstation-template-files.sls

@@ -11,14 +11,6 @@ sd-workstation-template-install-kernel-config-packages:
     - require:
       - sls: fpf-apt-test-repo
 
-
-sd-workstation-install-securedrop-log-package:
-  pkg.installed:
-    - pkgs:
-      - securedrop-log
-    - require:
-      - sls: fpf-apt-test-repo
-
 # Ensure that paxctld starts immediately. For AppVMs,
 # use qvm.features.enabled = ["paxctld"] to ensure service start.
 sd-workstation-template-enable-paxctld: