From 344dda21b388f5be776623353136f9adcaa55aaf Mon Sep 17 00:00:00 2001 From: Kushal Das Date: Mon, 10 Feb 2020 20:30:16 +0530 Subject: [PATCH 1/5] Fixes #440 install securedrop-log and setup Also add related tests. --- Makefile | 5 +++-- dom0/sd-app-files.sls | 15 +++++++++++++ dom0/sd-clean-all.sls | 7 ++++++ dom0/sd-clean-default-dispvm.sls | 6 ++++++ dom0/sd-devices-files.sls | 16 ++++++++++++++ dom0/sd-log-template-files.sls | 10 +++++++++ dom0/sd-log.sls | 8 +++++++ dom0/sd-proxy-template-files.sls | 15 +++++++++++++ dom0/sd-rsyslog.conf.j2 | 3 +++ dom0/sd-viewer-files.sls | 15 +++++++++++++ dom0/sd-whonix-rsyslog-enable.sls | 30 ++++++++++++++++++++++++++ dom0/sd-whonix-template-files.sls | 22 +++++++++++++++++++ dom0/sd-workstation-template-files.sls | 8 +++++++ dom0/sd-workstation.top | 10 ++++++--- scripts/provision-all | 5 +++++ tests/base.py | 16 ++++++++++++++ tests/test_app.py | 3 +++ tests/test_proxy_vm.py | 3 +++ tests/test_sd_devices.py | 3 +++ tests/test_sd_whonix.py | 3 +++ tests/test_viewer.py | 3 +++ tests/test_vms_exist.py | 1 + 22 files changed, 202 insertions(+), 5 deletions(-) create mode 100644 dom0/sd-clean-default-dispvm.sls create mode 100644 dom0/sd-rsyslog.conf.j2 create mode 100644 dom0/sd-whonix-rsyslog-enable.sls create mode 100644 dom0/sd-whonix-template-files.sls diff --git a/Makefile b/Makefile index 1f51b163..09e3ae7d 100644 --- a/Makefile +++ b/Makefile @@ -62,7 +62,7 @@ sd-app: prep-salt ## Provisions SD APP VM sd-whonix: prep-salt ## Provisions SD Whonix VM sudo qubesctl --show-output state.sls sd-whonix - sudo qubesctl --show-output --skip-dom0 --targets sd-whonix-buster-template,sd-whonix state.highstate + sudo qubesctl --show-output --skip-dom0 --targets whonix-gw-15,sd-whonix state.highstate sd-viewer: prep-salt ## Provisions SD Submission Viewing VM sudo qubesctl --show-output state.sls sd-viewer @@ -111,9 +111,10 @@ remove-sd-log: assert-dom0 ## Destroys SD logging VM @./scripts/destroy-vm sd-log clean: assert-dom0 prep-salt ## Destroys all SD VMs + sudo qubesctl --show-output state.sls sd-clean-default-dispvm + $(MAKE) destroy-all sudo qubesctl --show-output state.sls sd-clean-all sudo dnf -y -q remove securedrop-workstation-dom0-config 2>/dev/null || true - $(MAKE) destroy-all $(MAKE) clean-salt test: assert-dom0 ## Runs all application tests (no integration tests yet) diff --git a/dom0/sd-app-files.sls b/dom0/sd-app-files.sls index b4befcd3..f9e2e603 100644 --- a/dom0/sd-app-files.sls +++ b/dom0/sd-app-files.sls @@ -18,3 +18,18 @@ install-securedrop-client-package: - securedrop-client - require: - sls: fpf-apt-test-repo + +install-securedrop-log-package: + pkg.installed: + - pkgs: + - securedrop-log + - require: + - sls: fpf-apt-test-repo + +sd-rsyslog-for-sd-app: + file.managed: + - name: /etc/sd-rsyslog.conf + - source: "salt://sd-rsyslog.conf.j2" + - template: jinja + - context: + vmname: sd-app \ No newline at end of file diff --git a/dom0/sd-clean-all.sls b/dom0/sd-clean-all.sls index bed1b72e..88edd42b 100644 --- a/dom0/sd-clean-all.sls +++ b/dom0/sd-clean-all.sls @@ -10,6 +10,13 @@ set-fedora-as-default-dispvm: include: - sd-usb-autoattach-remove +sd-cleanup-whonix-gw-15: + cmd.run: + - names: + - qvm-run whonix-gw-15 'sudo rm -f /etc/rsyslog.d/sdlog.conf' + - qvm-run whonix-gw-15 'sudo systemctl restart rsyslog' + - qvm-run whonix-gw-15 'sudo apt remove -y securedrop-log' + remove-dom0-sdw-config-files: file.absent: - names: diff --git a/dom0/sd-clean-default-dispvm.sls b/dom0/sd-clean-default-dispvm.sls new file mode 100644 index 00000000..4acecc0f --- /dev/null +++ b/dom0/sd-clean-default-dispvm.sls @@ -0,0 +1,6 @@ +# -*- coding: utf-8 -*- +# vim: set syntax=yaml ts=2 sw=2 sts=2 et : + +set-fedora-as-default-dispvm: + cmd.run: + - name: qvm-check fedora-30-dvm && qubes-prefs default_dispvm fedora-30-dvm || qubes-prefs default_dispvm '' diff --git a/dom0/sd-devices-files.sls b/dom0/sd-devices-files.sls index 2813b280..b7320154 100644 --- a/dom0/sd-devices-files.sls +++ b/dom0/sd-devices-files.sls @@ -24,3 +24,19 @@ sd-devices-install-libreoffice: sd-devices-install-package: pkg.installed: - name: securedrop-export + + +sd-devices-install-securedrop-log-package: + pkg.installed: + - pkgs: + - securedrop-log + - require: + - sls: fpf-apt-test-repo + +sd-rsyslog-for-sd-devices: + file.managed: + - name: /etc/sd-rsyslog.conf + - source: "salt://sd-rsyslog.conf.j2" + - template: jinja + - context: + vmname: sd-devices diff --git a/dom0/sd-log-template-files.sls b/dom0/sd-log-template-files.sls index b909e9fd..a0cd5b34 100644 --- a/dom0/sd-log-template-files.sls +++ b/dom0/sd-log-template-files.sls @@ -6,6 +6,16 @@ include: install-securedrop-log-package: pkg.installed: - pkgs: + - redis-server + - redis - securedrop-log - require: - sls: fpf-apt-test-repo + +redis: + service.running: + - enable: True + +securedrop-log: + service.running: + - enable: True diff --git a/dom0/sd-log.sls b/dom0/sd-log.sls index d4897cd2..b88de2e4 100644 --- a/dom0/sd-log.sls +++ b/dom0/sd-log.sls @@ -57,3 +57,11 @@ sd-log-private-volume-size: qvm-volume resize sd-log:private {{ d.vmsizes.sd_log }}GiB - require: - qvm: sd-log + +# Permit the SecureDrop Proxy to manage Client connections +sd-dom-dom0-securedrop.Log: + file.prepend: + - name: /etc/qubes-rpc/policy/securedrop.Log + - text: | + @tag:sd-workstation sd-log allow + @anyvm @anyvm deny diff --git a/dom0/sd-proxy-template-files.sls b/dom0/sd-proxy-template-files.sls index 4cfc6123..ee0e06aa 100644 --- a/dom0/sd-proxy-template-files.sls +++ b/dom0/sd-proxy-template-files.sls @@ -48,6 +48,13 @@ install-securedrop-proxy-package: - require: - sls: fpf-apt-test-repo +install-securedrop-log-package: + pkg.installed: + - pkgs: + - securedrop-log + - require: + - sls: fpf-apt-test-repo + {% import_json "sd/config.json" as d %} install-securedrop-proxy-yaml-config: @@ -58,3 +65,11 @@ install-securedrop-proxy-yaml-config: - context: hostname: {{ d.hidserv.hostname }} - mode: 0644 + +sd-rsyslog-for-sd-proxy: + file.managed: + - name: /etc/sd-rsyslog.conf + - source: "salt://sd-rsyslog.conf.j2" + - template: jinja + - context: + vmname: sd-proxy \ No newline at end of file diff --git a/dom0/sd-rsyslog.conf.j2 b/dom0/sd-rsyslog.conf.j2 new file mode 100644 index 00000000..b93ab64f --- /dev/null +++ b/dom0/sd-rsyslog.conf.j2 @@ -0,0 +1,3 @@ +[sd-rsyslog] +remotevm = sd-log +localvm = {{ vmname }} diff --git a/dom0/sd-viewer-files.sls b/dom0/sd-viewer-files.sls index 44299dfc..50ff7135 100644 --- a/dom0/sd-viewer-files.sls +++ b/dom0/sd-viewer-files.sls @@ -28,3 +28,18 @@ sd-viewer-install-libreoffice: attempts: 3 interval: 60 - install_recommends: False + +sd-viewer-install-logging: + pkg.installed: + - pkgs: + - securedrop-log + - require: + - sls: fpf-apt-test-repo + +sd-rsyslog-for-sd-viewer: + file.managed: + - name: /etc/sd-rsyslog.conf + - source: "salt://sd-rsyslog.conf.j2" + - template: jinja + - context: + vmname: sd-viewer \ No newline at end of file diff --git a/dom0/sd-whonix-rsyslog-enable.sls b/dom0/sd-whonix-rsyslog-enable.sls new file mode 100644 index 00000000..a6173726 --- /dev/null +++ b/dom0/sd-whonix-rsyslog-enable.sls @@ -0,0 +1,30 @@ +# -*- coding: utf-8 -*- +# vim: set syntax=yaml ts=2 sw=2 sts=2 et : + +## +# Enables securedrop-log rsyslog plugin in sd-whonix +## + +sd-rsyslog-for-sd-whonix: + file.managed: + - name: /rw/config/sd-rsyslog.conf + - source: "salt://sd-rsyslog.conf.j2" + - template: jinja + - context: + vmname: sd-whonix + + +sd-rc-enable-logging: + file.blockreplace: + - name: /rw/config/rc.local + - append_if_not_found: True + - marker_start: "### BEGIN securedrop-workstation ###" + - marker_end: "### END securedrop-workstation ###" + - content: | + # Add sd-rsyslog.conf file for syslog + ln -sf /rw/config/sd-rsyslog.conf /etc/sd-rsyslog.conf + systemctl restart rsyslog + cmd.run: + - name: ln -sf /rw/config/sd-rsyslog.conf /etc/sd-rsyslog.conf && systemctl restart rsyslog + + diff --git a/dom0/sd-whonix-template-files.sls b/dom0/sd-whonix-template-files.sls new file mode 100644 index 00000000..adb7cc60 --- /dev/null +++ b/dom0/sd-whonix-template-files.sls @@ -0,0 +1,22 @@ +# -*- coding: utf-8 -*- +# vim: set syntax=yaml ts=2 sw=2 sts=2 et : + +## +# sd-whonix-template-files +# ======== +# +# Installs configuration packages specific to the sd-whonix +# used for network calls. +# +## + +include: + - fpf-apt-test-repo + +sd-whonix-install-logging: + pkg.installed: + - pkgs: + - securedrop-log + - require: + - sls: fpf-apt-test-repo + diff --git a/dom0/sd-workstation-template-files.sls b/dom0/sd-workstation-template-files.sls index 70efef85..da127baa 100644 --- a/dom0/sd-workstation-template-files.sls +++ b/dom0/sd-workstation-template-files.sls @@ -11,6 +11,14 @@ sd-workstation-template-install-kernel-config-packages: - require: - sls: fpf-apt-test-repo + +sd-workstation-install-securedrop-log-package: + pkg.installed: + - pkgs: + - securedrop-log + - require: + - sls: fpf-apt-test-repo + # Ensure that paxctld starts immediately. For AppVMs, # use qvm.features.enabled = ["paxctld"] to ensure service start. sd-workstation-template-enable-paxctld: diff --git a/dom0/sd-workstation.top b/dom0/sd-workstation.top index e60f6ab6..e4d73589 100644 --- a/dom0/sd-workstation.top +++ b/dom0/sd-workstation.top @@ -10,6 +10,7 @@ base: - sd-upgrade-templates - sd-dom0-qvm-rpc - sd-sys-whonix-vms + - sd-log - sd-devices - sd-gpg - sd-proxy @@ -17,7 +18,9 @@ base: - sd-app - sd-whonix - sd-remove-unused-templates - - sd-log + + sd-log-buster-template: + - sd-log-template-files sd-devices-buster-template: - sd-devices-files sd-gpg: @@ -34,12 +37,13 @@ base: - sd-sys-firewall-files sd-whonix: - sd-whonix-hidserv-key - sd-log-buster-template: - - sd-log-template-files + - sd-whonix-rsyslog-enable securedrop-workstation-buster: - sd-workstation-template-files sys-usb: - sd-usb-autoattach-add + whonix-gw-15: + - sd-whonix-template-files # "Placeholder" config to trigger TemplateVM boots, # so upgrades can be applied automatically via cron. diff --git a/scripts/provision-all b/scripts/provision-all index a6003b6e..95498f42 100755 --- a/scripts/provision-all +++ b/scripts/provision-all @@ -17,6 +17,11 @@ sudo qubesctl --show-output --skip-dom0 --targets sys-firewall state.sls sd-sys- echo "Set up dom0 config files, including RPC policies, and create VMs" sudo qubesctl --show-output state.highstate +echo "Setup sd-log-buster-template vm first" +sudo qubesctl --show-output --skip-dom0 --targets sd-log-buster-template state.sls sd-log-template-files +# Provision whonix-gw-15 with log additions because it isn't tagged with sd-workstation (we don't want it removed after a make clean) +sudo qubesctl --show-output --skip-dom0 --targets whonix-gw-15 state.highstate sd-whonix-template-files + # Format list of all VMs comma-separated, for use as qubesctl target # We run this after dom0's highstate, so that the VMs are available for listing by tag. all_sdw_vms_target="$(qvm-ls --tags sd-workstation --raw-list | perl -npE 's/\n/,/g' | perl -npE 's/,$//' )" diff --git a/tests/base.py b/tests/base.py index 1d7915ab..39f46a2a 100644 --- a/tests/base.py +++ b/tests/base.py @@ -112,3 +112,19 @@ def _fileExists(self, remote_path): return False return True + + def logging_configured(self, vmname=""): + """ + Make sure rsyslog is configured to send in data to sd-log vm. + """ + if not vmname: + vmname = self.vm_name + self.assertTrue(self._fileExists("/etc/sd-rsyslog.conf")) + # Then we check the configuration inside of the file. + file_content = self._get_file_contents("/etc/sd-rsyslog.conf") + static_content = """[sd-rsyslog] +remotevm = sd-log +localvm = {0} +""".format(vmname) + self.assertEqual(file_content, static_content) + self.assertTrue(self._package_is_installed("securedrop-log")) diff --git a/tests/test_app.py b/tests/test_app.py index 591e8467..adb0cd91 100644 --- a/tests/test_app.py +++ b/tests/test_app.py @@ -49,6 +49,9 @@ def test_sd_client_apparmor(self): results = json.loads(self._run(cmd)) self.assertTrue(results['profiles']['/usr/bin/securedrop-client'] == "enforce") + def test_logging_configured(self): + self.logging_configured() + def load_tests(loader, tests, pattern): suite = unittest.TestLoader().loadTestsFromTestCase(SD_App_Tests) diff --git a/tests/test_proxy_vm.py b/tests/test_proxy_vm.py index f79b6955..bd182717 100644 --- a/tests/test_proxy_vm.py +++ b/tests/test_proxy_vm.py @@ -40,6 +40,9 @@ def test_whonix_ws_repo_enabled(self): """ assert self._fileExists(self.whonix_apt_list) + def test_logging_configured(self): + self.logging_configured() + def load_tests(loader, tests, pattern): suite = unittest.TestLoader().loadTestsFromTestCase(SD_Proxy_Tests) diff --git a/tests/test_sd_devices.py b/tests/test_sd_devices.py index 3d7d3dfa..b7dd871c 100644 --- a/tests/test_sd_devices.py +++ b/tests/test_sd_devices.py @@ -19,6 +19,9 @@ def test_sd_export_package_installed(self): self.assertTrue(self._package_is_installed("printer-driver-brlaser")) self.assertTrue(self._package_is_installed("securedrop-export")) + def test_logging_configured(self): + self.logging_configured(vmname="sd-devices") + def load_tests(loader, tests, pattern): suite = unittest.TestLoader().loadTestsFromTestCase(SD_Devices_Tests) diff --git a/tests/test_sd_whonix.py b/tests/test_sd_whonix.py index f604c1f7..3edd0c74 100644 --- a/tests/test_sd_whonix.py +++ b/tests/test_sd_whonix.py @@ -58,6 +58,9 @@ def test_sd_whonix_repo_enabled(self): """ assert self._fileExists(self.whonix_apt_list) + def test_logging_configured(self): + self.logging_configured() + def load_tests(loader, tests, pattern): suite = unittest.TestLoader().loadTestsFromTestCase(SD_Whonix_Tests) diff --git a/tests/test_viewer.py b/tests/test_viewer.py index 16acccce..d64f14d8 100644 --- a/tests/test_viewer.py +++ b/tests/test_viewer.py @@ -19,6 +19,9 @@ def test_sd_viewer_evince_installed(self): def test_sd_viewer_libreoffice_installed(self): self.assertTrue(self._package_is_installed("libreoffice")) + def test_logging_configured(self): + self.logging_configured() + def load_tests(loader, tests, pattern): suite = unittest.TestLoader().loadTestsFromTestCase(SD_Viewer_Tests) diff --git a/tests/test_vms_exist.py b/tests/test_vms_exist.py index a1aadbc4..7bbd241e 100644 --- a/tests/test_vms_exist.py +++ b/tests/test_vms_exist.py @@ -121,6 +121,7 @@ def test_sd_log_config(self): self.assertFalse(vm.template_for_dispvms) self._check_kernel(vm) self._check_service_running(vm, "paxctld") + self._check_service_running(vm, "securedrop-log") self.assertFalse(vm.template_for_dispvms) self.assertTrue('sd-workstation' in vm.tags) # Check the size of the private volume From 855f9530d655c8f100a22110a6bcdeacfea9c457 Mon Sep 17 00:00:00 2001 From: Kushal Das Date: Mon, 17 Feb 2020 14:14:16 +0530 Subject: [PATCH 2/5] now the package is installed properly --- scripts/provision-all | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/scripts/provision-all b/scripts/provision-all index 95498f42..5020ef91 100755 --- a/scripts/provision-all +++ b/scripts/provision-all @@ -18,9 +18,11 @@ echo "Set up dom0 config files, including RPC policies, and create VMs" sudo qubesctl --show-output state.highstate echo "Setup sd-log-buster-template vm first" -sudo qubesctl --show-output --skip-dom0 --targets sd-log-buster-template state.sls sd-log-template-files +sudo qubesctl --show-output --skip-dom0 --targets sd-log-buster-template state.highstate # Provision whonix-gw-15 with log additions because it isn't tagged with sd-workstation (we don't want it removed after a make clean) -sudo qubesctl --show-output --skip-dom0 --targets whonix-gw-15 state.highstate sd-whonix-template-files +sudo qubesctl --show-output --skip-dom0 --targets whonix-gw-15 state.highstate +sudo qubesctl --show-output --skip-dom0 --targets whonix-gw-15 state.sls sd-whonix-template-files + # Format list of all VMs comma-separated, for use as qubesctl target # We run this after dom0's highstate, so that the VMs are available for listing by tag. From c243d7b57546d78ede2b45599b17bf5a7cdfc91d Mon Sep 17 00:00:00 2001 From: Kushal Das Date: Tue, 18 Feb 2020 16:29:32 +0530 Subject: [PATCH 3/5] Makes sure that sdlog.conf file is in sd-whonix --- dom0/sd-clean-all.sls | 6 +++++- dom0/sd-whonix-rsyslog-enable.sls | 7 +++++++ dom0/sdlog.conf | 4 ++++ 3 files changed, 16 insertions(+), 1 deletion(-) create mode 100644 dom0/sdlog.conf diff --git a/dom0/sd-clean-all.sls b/dom0/sd-clean-all.sls index 88edd42b..e5762d6e 100644 --- a/dom0/sd-clean-all.sls +++ b/dom0/sd-clean-all.sls @@ -14,8 +14,12 @@ sd-cleanup-whonix-gw-15: cmd.run: - names: - qvm-run whonix-gw-15 'sudo rm -f /etc/rsyslog.d/sdlog.conf' - - qvm-run whonix-gw-15 'sudo systemctl restart rsyslog' + - qvm-run whonix-gw-15 'sudo rm -f /etc/apt/sources.list.d/securedrop_workstation.list' - qvm-run whonix-gw-15 'sudo apt remove -y securedrop-log' + - qvm-run whonix-gw-15 'sudo systemctl restart rsyslog' + - qvm-run whonix-gw-15 'sudo apt-key del 4ED79CC3362D7D12837046024A3BE4A92211B03C' + + remove-dom0-sdw-config-files: file.absent: diff --git a/dom0/sd-whonix-rsyslog-enable.sls b/dom0/sd-whonix-rsyslog-enable.sls index a6173726..897116d3 100644 --- a/dom0/sd-whonix-rsyslog-enable.sls +++ b/dom0/sd-whonix-rsyslog-enable.sls @@ -13,6 +13,10 @@ sd-rsyslog-for-sd-whonix: - context: vmname: sd-whonix +sd-rsyslog-sdlog-conf-for-sd-whonix: + file.managed: + - name: /rw/config/sdlog.conf + - source: "salt://sdlog.conf" sd-rc-enable-logging: file.blockreplace: @@ -23,6 +27,9 @@ sd-rc-enable-logging: - content: | # Add sd-rsyslog.conf file for syslog ln -sf /rw/config/sd-rsyslog.conf /etc/sd-rsyslog.conf + if [ ! -f /etc/rsyslog.d/sdlog.conf ]; then + ln -sf /rw/config/sdlog.conf /etc/rsyslog.d/sdlog.conf + fi systemctl restart rsyslog cmd.run: - name: ln -sf /rw/config/sd-rsyslog.conf /etc/sd-rsyslog.conf && systemctl restart rsyslog diff --git a/dom0/sdlog.conf b/dom0/sdlog.conf new file mode 100644 index 00000000..be8cac7f --- /dev/null +++ b/dom0/sdlog.conf @@ -0,0 +1,4 @@ +module(load="omprog") +action(type="omprog" + binary="/usr/sbin/sd-rsyslog" + template="RSYSLOG_TraditionalFileFormat") From 232c56f44a34d393b89b0578364e955da62f1576 Mon Sep 17 00:00:00 2001 From: Kushal Das Date: Wed, 19 Feb 2020 15:58:21 +0530 Subject: [PATCH 4/5] Cleans up with comments and better way to remove package `make clean` now cleans whonix-gw-15 with proper removal of `securedrop-log` package using Salt states. --- Makefile | 1 + dom0/sd-app-files.sls | 9 ++------- dom0/sd-clean-all.sls | 2 +- dom0/sd-clean-whonix.sls | 11 +++++++++++ dom0/sd-log-template-files.sls | 2 +- dom0/sd-proxy-template-files.sls | 9 ++------- dom0/sd-whonix-rsyslog-enable.sls | 6 ++++++ scripts/provision-all | 4 ++-- 8 files changed, 26 insertions(+), 18 deletions(-) create mode 100644 dom0/sd-clean-whonix.sls diff --git a/Makefile b/Makefile index 09e3ae7d..eb647fd6 100644 --- a/Makefile +++ b/Makefile @@ -113,6 +113,7 @@ remove-sd-log: assert-dom0 ## Destroys SD logging VM clean: assert-dom0 prep-salt ## Destroys all SD VMs sudo qubesctl --show-output state.sls sd-clean-default-dispvm $(MAKE) destroy-all + sudo qubesctl --show-output --skip-dom0 --targets whonix-gw-15 state.sls sd-clean-whonix sudo qubesctl --show-output state.sls sd-clean-all sudo dnf -y -q remove securedrop-workstation-dom0-config 2>/dev/null || true $(MAKE) clean-salt diff --git a/dom0/sd-app-files.sls b/dom0/sd-app-files.sls index f9e2e603..420f7889 100644 --- a/dom0/sd-app-files.sls +++ b/dom0/sd-app-files.sls @@ -12,20 +12,15 @@ include: - fpf-apt-test-repo # FPF repo is setup in "securedrop-workstation" template -install-securedrop-client-package: +install-securedrop-client-and-securedrop-log-package: pkg.installed: - pkgs: - securedrop-client - - require: - - sls: fpf-apt-test-repo - -install-securedrop-log-package: - pkg.installed: - - pkgs: - securedrop-log - require: - sls: fpf-apt-test-repo + sd-rsyslog-for-sd-app: file.managed: - name: /etc/sd-rsyslog.conf diff --git a/dom0/sd-clean-all.sls b/dom0/sd-clean-all.sls index e5762d6e..52e38e86 100644 --- a/dom0/sd-clean-all.sls +++ b/dom0/sd-clean-all.sls @@ -15,9 +15,9 @@ sd-cleanup-whonix-gw-15: - names: - qvm-run whonix-gw-15 'sudo rm -f /etc/rsyslog.d/sdlog.conf' - qvm-run whonix-gw-15 'sudo rm -f /etc/apt/sources.list.d/securedrop_workstation.list' - - qvm-run whonix-gw-15 'sudo apt remove -y securedrop-log' - qvm-run whonix-gw-15 'sudo systemctl restart rsyslog' - qvm-run whonix-gw-15 'sudo apt-key del 4ED79CC3362D7D12837046024A3BE4A92211B03C' + - qvm-run whonix-gw-15 'sudo apt-key del 22245C81E3BAEB4138B36061310F561200F4AD77' diff --git a/dom0/sd-clean-whonix.sls b/dom0/sd-clean-whonix.sls new file mode 100644 index 00000000..591264d7 --- /dev/null +++ b/dom0/sd-clean-whonix.sls @@ -0,0 +1,11 @@ +# -*- coding: utf-8 -*- +# vim: set syntax=yaml ts=2 sw=2 sts=2 et : + +## +# removes securedrop-log rsyslog plugin in whonix-gw-15 +## + +remove-securedrop-log-package-from-whonix: + pkg.removed: + - pkgs: + - securedrop-log \ No newline at end of file diff --git a/dom0/sd-log-template-files.sls b/dom0/sd-log-template-files.sls index a0cd5b34..04ebe571 100644 --- a/dom0/sd-log-template-files.sls +++ b/dom0/sd-log-template-files.sls @@ -3,7 +3,7 @@ include: - fpf-apt-test-repo -install-securedrop-log-package: +sd-log-install-securedrop-log-package: pkg.installed: - pkgs: - redis-server diff --git a/dom0/sd-proxy-template-files.sls b/dom0/sd-proxy-template-files.sls index ee0e06aa..8128ff3b 100644 --- a/dom0/sd-proxy-template-files.sls +++ b/dom0/sd-proxy-template-files.sls @@ -41,20 +41,15 @@ sd-proxy-configure-mimetypes: # Depends on FPF-controlled apt repo, already present # in underlying "securedrop-workstation" base template. -install-securedrop-proxy-package: +install-securedrop-proxy-and-securedrop-log-package: pkg.installed: - pkgs: - securedrop-proxy - - require: - - sls: fpf-apt-test-repo - -install-securedrop-log-package: - pkg.installed: - - pkgs: - securedrop-log - require: - sls: fpf-apt-test-repo + {% import_json "sd/config.json" as d %} install-securedrop-proxy-yaml-config: diff --git a/dom0/sd-whonix-rsyslog-enable.sls b/dom0/sd-whonix-rsyslog-enable.sls index 897116d3..c668a7da 100644 --- a/dom0/sd-whonix-rsyslog-enable.sls +++ b/dom0/sd-whonix-rsyslog-enable.sls @@ -13,11 +13,17 @@ sd-rsyslog-for-sd-whonix: - context: vmname: sd-whonix + +# We can not place the file on the template under /etc/rsyslog.d/ because of whonix +# template. This sdlog.conf file is the same from the securedrop-log package, to +# make sure that rsyslogd use our logging plugin. sd-rsyslog-sdlog-conf-for-sd-whonix: file.managed: - name: /rw/config/sdlog.conf - source: "salt://sdlog.conf" +# Because whonix-gw-15 template is not allowing to create the config file on +# package install time, we do it via rc.local call. sd-rc-enable-logging: file.blockreplace: - name: /rw/config/rc.local diff --git a/scripts/provision-all b/scripts/provision-all index 5020ef91..2955af37 100755 --- a/scripts/provision-all +++ b/scripts/provision-all @@ -21,8 +21,8 @@ echo "Setup sd-log-buster-template vm first" sudo qubesctl --show-output --skip-dom0 --targets sd-log-buster-template state.highstate # Provision whonix-gw-15 with log additions because it isn't tagged with sd-workstation (we don't want it removed after a make clean) sudo qubesctl --show-output --skip-dom0 --targets whonix-gw-15 state.highstate -sudo qubesctl --show-output --skip-dom0 --targets whonix-gw-15 state.sls sd-whonix-template-files - +#sudo qubesctl --show-output --skip-dom0 --targets whonix-gw-15 state.sls sd-whonix-template-files +qvm-shutdown --wait whonix-gw-15 # Format list of all VMs comma-separated, for use as qubesctl target # We run this after dom0's highstate, so that the VMs are available for listing by tag. From 3b186c1bbcba5c30c9798f34b42aac67133018d2 Mon Sep 17 00:00:00 2001 From: Kushal Das Date: Wed, 19 Feb 2020 20:39:30 +0530 Subject: [PATCH 5/5] Moves all whonix cleanup to one file --- dom0/sd-clean-all.sls | 10 ---------- dom0/sd-clean-whonix.sls | 11 ++++++++++- 2 files changed, 10 insertions(+), 11 deletions(-) diff --git a/dom0/sd-clean-all.sls b/dom0/sd-clean-all.sls index 52e38e86..09c307ef 100644 --- a/dom0/sd-clean-all.sls +++ b/dom0/sd-clean-all.sls @@ -10,16 +10,6 @@ set-fedora-as-default-dispvm: include: - sd-usb-autoattach-remove -sd-cleanup-whonix-gw-15: - cmd.run: - - names: - - qvm-run whonix-gw-15 'sudo rm -f /etc/rsyslog.d/sdlog.conf' - - qvm-run whonix-gw-15 'sudo rm -f /etc/apt/sources.list.d/securedrop_workstation.list' - - qvm-run whonix-gw-15 'sudo systemctl restart rsyslog' - - qvm-run whonix-gw-15 'sudo apt-key del 4ED79CC3362D7D12837046024A3BE4A92211B03C' - - qvm-run whonix-gw-15 'sudo apt-key del 22245C81E3BAEB4138B36061310F561200F4AD77' - - remove-dom0-sdw-config-files: file.absent: diff --git a/dom0/sd-clean-whonix.sls b/dom0/sd-clean-whonix.sls index 591264d7..50400d29 100644 --- a/dom0/sd-clean-whonix.sls +++ b/dom0/sd-clean-whonix.sls @@ -8,4 +8,13 @@ remove-securedrop-log-package-from-whonix: pkg.removed: - pkgs: - - securedrop-log \ No newline at end of file + - securedrop-log + +sd-cleanup-whonix-gw-15: + cmd.run: + - names: + - sudo rm -f /etc/rsyslog.d/sdlog.conf + - sudo rm -f /etc/apt/sources.list.d/securedrop_workstation.list + - sudo systemctl restart rsyslog + - sudo apt-key del 4ED79CC3362D7D12837046024A3BE4A92211B03C + - sudo apt-key del 22245C81E3BAEB4138B36061310F561200F4AD77