diff --git a/dom0/sd-logging-setup.sls b/dom0/sd-logging-setup.sls
index 6cc89a95..ca628492 100644
--- a/dom0/sd-logging-setup.sls
+++ b/dom0/sd-logging-setup.sls
@@ -43,7 +43,7 @@ sd-log-remove-rsyslog-qubes-plugin:
cmd.run:
- name: /rw/config/rc.local
-{% elif grains['id'] == "sd-whonix" %}
+{% elif grains['id'] in ["sd-whonix", "sd-proxy", "sd-proxy-buster-template"] %}
# We can not place the file on the template under /etc/rsyslog.d/ because of whonix
# template. This sdlog.conf file is the same from the securedrop-log package, to
# make sure that rsyslogd use our logging plugin.
@@ -62,13 +62,15 @@ sd-rc-enable-logging:
- marker_end: "### END securedrop-workstation ###"
- content: |
# Add sd-rsyslog.conf file for syslog
- ln -sf /rw/config/sd-rsyslog.conf /etc/sd-rsyslog.conf
- if [ ! -f /etc/rsyslog.d/sdlog.conf ]; then
- ln -sf /rw/config/sdlog.conf /etc/rsyslog.d/sdlog.conf
- fi
+ ln -sf /rw/config/sdlog.conf /etc/rsyslog.d/sdlog.conf
+ cat < /etc/sd-rsyslog.conf
+ [sd-rsyslog]
+ remotevm = sd-log
+ localvm = {{ grains['id'] }}
+ EOF
systemctl restart rsyslog
cmd.run:
- - name: ln -sf /rw/config/sd-rsyslog.conf /etc/sd-rsyslog.conf && systemctl restart rsyslog
+ - name: /rw/config/rc.local
{% else %}
# For all other VMs, configure to send to sd-log
diff --git a/dom0/sd-viewer-files.sls b/dom0/sd-viewer-files.sls
index 50ff7135..666b4b76 100644
--- a/dom0/sd-viewer-files.sls
+++ b/dom0/sd-viewer-files.sls
@@ -12,6 +12,7 @@ include:
- fpf-apt-test-repo
+ - sd-logging-setup
sd-viewer-install-mimetype-handler-package:
pkg.installed:
@@ -35,11 +36,3 @@ sd-viewer-install-logging:
- securedrop-log
- require:
- sls: fpf-apt-test-repo
-
-sd-rsyslog-for-sd-viewer:
- file.managed:
- - name: /etc/sd-rsyslog.conf
- - source: "salt://sd-rsyslog.conf.j2"
- - template: jinja
- - context:
- vmname: sd-viewer
\ No newline at end of file
diff --git a/dom0/sd-workstation.top b/dom0/sd-workstation.top
index 43f99805..afa61392 100644
--- a/dom0/sd-workstation.top
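Review bot: The widened grain list names `sd-proxy-buster-template`, but the top-file hunk in this same commit assigns only `sd-proxy-template-files` to that template and adds `sd-logging-setup` to `sd-proxy` alone, so from what is visible the template branch is never reached. If it is meant for a later top-file change, say so in the comment that follows, e.g. `# sd-proxy-buster-template is listed so the rc.local approach also applies if the template itself is ever targeted`; otherwise drop it, since AppVMs do not inherit a template's /rw and an rc.local written there would not help sd-proxy anyway. The existing comment also reads awkwardly; `# We cannot place sdlog.conf under /etc/rsyslog.d/ on the template because of the Whonix template; this copy is identical to the one shipped by securedrop-log and makes rsyslogd use our logging plugin.` says the same thing more clearly. The `{% if %}` chain this `elif` belongs to starts and ends outside the hunk.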
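Review bot: As rendered, the new content block writes the config with `cat < /etc/sd-rsyslog.conf` followed by a bare `EOF`, which is not a valid heredoc; presumably `cat <<EOF > /etc/sd-rsyslog.conf` lost its `<<EOF >` to markup, but please confirm the committed line, since the mangled form would only read the file to stdout and leave `/etc/sd-rsyslog.conf` absent on boot. While there, quote the delimiter, `cat <<'EOF' > /etc/sd-rsyslog.conf`, so the body is written literally and is never subject to shell expansion even if the rendered `localvm` value ever contains `$`. Switching `cmd.run` to `/rw/config/rc.local` also means every highstate now executes the whole rc.local, not just the managed block, and restarts rsyslog each time; consider `- onchanges: - file: sd-rc-enable-logging` so it only runs when the block actually changed, or a comment stating that the re-run is deliberate. The `sd-rc-enable-logging` state starts outside the hunk.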
+++ b/dom0/sd-workstation.top
@@ -30,6 +30,8 @@ base:
- sd-logging-setup
sd-proxy-buster-template:
- sd-proxy-template-files
+ sd-proxy:
+ - sd-logging-setup
sd-app:
- sd-app-config
sd-viewer-buster-template:
@@ -40,6 +42,7 @@ base:
- sd-sys-firewall-files
sd-whonix:
- sd-whonix-hidserv-key
+ - sd-logging-setup
securedrop-workstation-buster:
- sd-workstation-template-files
sys-usb:
diff --git a/tests/base.py b/tests/base.py
index 6f5445d7..04f56089 100644
--- a/tests/base.py
+++ b/tests/base.py
@@ -113,15 +113,27 @@ def _fileExists(self, remote_path):
return True
- def logging_configured(self):
+ def logging_configured(self, vmname=False):
"""
Make sure rsyslog is configured to send in data to sd-log vm.
+ Takes an optional 'vmname' argument, in case hostname
+ returned by system is an insufficient identifier, e.g. Whonix.
"""
+ self.assertTrue(self._package_is_installed("securedrop-log"))
+ self.assertTrue(self._fileExists("/usr/sbin/sd-rsyslog"))
+ self.assertTrue(self._fileExists("/etc/rsyslog.d/sdlog.conf"))
self.assertTrue(self._fileExists("/etc/sd-rsyslog.conf"))
# Then we check the configuration inside of the file.
- file_content = self._get_file_contents("/etc/sd-rsyslog.conf")
+ # Using .strip() so trailing whitespace doesn't cause failures
+ file_content = self._get_file_contents("/etc/sd-rsyslog.conf").strip()
static_content = """[sd-rsyslog]
-remotevm = sd-log
-"""
+remotevm = sd-log"""
+ # A hardcoded vmname should only be present if required,
+ # since securedrop-log will default to value of `hostname`.
+ if vmname:
+ static_content += "localvm = {}".format(self.vm_name)
self.assertEqual(file_content, static_content)
- self.assertTrue(self._package_is_installed("securedrop-log"))
+ # Check for evidence of misconfigured logging in syslog,
+ # fail if matching events found
+ cmd_output = self._run("sudo grep -F \"action 'action-0-omprog' suspended (module 'omprog')\" /var/log/syslog | wc -l").strip()
+ self.assertTrue(cmd_output == "0")
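Review bot: The `localvm` line is appended without a separator: `static_content` now ends at `remotevm = sd-log"""` and `+= "localvm = {}"` yields `remotevm = sd-loglocalvm = sd-whonix`, which can never equal the stripped two-line file the rc.local heredoc writes; unless a `\n` was lost in rendering, this needs `static_content += "\nlocalvm = {}".format(self.vm_name)`. The omprog check also passes vacuously when `/var/log/syslog` is missing, because grep's error goes to stderr while `wc -l` still prints 0, so guard it with `self.assertTrue(self._fileExists("/var/log/syslog"))` before the grep. Prefer `self.assertEqual(cmd_output, "0")` over `assertTrue(cmd_output == "0")` so a failure reports the actual count, and consider naming the flag `use_vm_name=False`, since `vmname` reads as a string but is only a toggle for `self.vm_name`. The enclosing test base class starts and ends outside the hunk.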
diff --git a/tests/test_log_vm.py b/tests/test_log_vm.py
index 078c0545..33a68d48 100644
--- a/tests/test_log_vm.py
+++ b/tests/test_log_vm.py
@@ -31,6 +31,26 @@ def test_redis_service_running(self):
results = self._run("sudo systemctl is-active redis")
assert results == "active"
+ def test_logs_are_flowing(self):
+ cmd_output = self._run("ls -1 /home/user/QubesIncomingLogs")
+ log_dirs = cmd_output.split("\n")
+ # Confirm AppVMs are sending logs
+ self.assertTrue("sd-app" in log_dirs)
+ self.assertTrue("sd-whonix" in log_dirs)
+ # sd-viewr will only submit logs if a submission has been opened
+ # self.assertTrue("sd-viewer" in log_dirs)
+ # sd-devices will only submit logs if an export was performed
+ # self.assertTrue("sd-devices" in log_dirs)
+ # sd-proxy will only submit logs if a user logged in to the Client
+ self.assertTrue("sd-proxy" in log_dirs)
+
+ def test_log_dirs_properly_named(self):
+ # Rerunning this command to keep test output readable
+ cmd_output = self._run("ls -1 /home/user/QubesIncomingLogs")
+ log_dirs = cmd_output.split("\n")
+ # Confirm we don't have 'host' entries from Whonix VMs
+ self.assertFalse("host" in log_dirs)
+
def load_tests(loader, tests, pattern):
suite = unittest.TestLoader().loadTestsFromTestCase(SD_Log_Tests)
diff --git a/tests/test_proxy_vm.py b/tests/test_proxy_vm.py
index 305da97d..2a680e5c 100644
--- a/tests/test_proxy_vm.py
+++ b/tests/test_proxy_vm.py
@@ -41,7 +41,7 @@ def test_whonix_ws_repo_enabled(self):
assert self._fileExists(self.whonix_apt_list)
def test_logging_configured(self):
- self.logging_configured()
+ self.logging_configured(vmname=True)
def test_mime_types(self):
with open("sd-proxy/mimeapps.list", "r") as f:
diff --git a/tests/test_sd_whonix.py b/tests/test_sd_whonix.py
index 3edd0c74..15bccb8e 100644
--- a/tests/test_sd_whonix.py
+++ b/tests/test_sd_whonix.py
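Review bot: `test_logs_are_flowing` asserts `"sd-proxy" in log_dirs` unconditionally, yet the comment directly above it says sd-proxy only submits logs once a user has logged in to the Client, the very reason the sd-viewer and sd-devices checks are commented out; either the comment is stale now that sd-proxy's rc.local configures rsyslog at boot, or this assertion fails on a fresh install, so make the two agree, e.g. `# sd-proxy logs from boot once rc.local writes /etc/sd-rsyslog.conf`. `test_log_dirs_properly_named` also implies the directory under `QubesIncomingLogs` is named from the sender-supplied `localvm`/hostname (hence the stray `host` entries from Whonix); if the receiver really keys on that field rather than the qrexec remote-domain name, a compromised AppVM can claim another VM's name and write into its log directory, which is worth tracking in securedrop-log even though it is outside this diff. The enclosing `SD_Log_Tests` class starts outside the hunk.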
@@ -59,7 +59,7 @@ def test_sd_whonix_repo_enabled(self):
assert self._fileExists(self.whonix_apt_list)
def test_logging_configured(self):
- self.logging_configured()
+ self.logging_configured(vmname=True)
def load_tests(loader, tests, pattern):