Replace mon server alias with ip in ossec config

Due to issues with ossec 2.8.2+ and disabling of the ipv6 stack, name lookups can't `getaddrinfo: Name or service not known`. Using ip addresses in lieu of aliases sidesteps the issue. - For new installs, ossec.conf will be updated during ansible, as the config is not templated. - For existing installs, ossec agent postinst will replace the line in ossec.conf.
freedomofpress · Sep 11, 2018 · 146b813 · 146b813
1 parent dae110f
commit 146b813
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 1 deletion.
diff --git a/install_files/ansible-base/roles/ossec/tasks/register.yml b/install_files/ansible-base/roles/ossec/tasks/register.yml
@@ -61,6 +61,18 @@
     - ossec_is_client
     - not ossec_agent_already_registered
 
+# DNS lookups do not work with ipv6 due to an ongoing issue with and
+# disabled ipv6 stacks. Using ip instead of hostname is a workaround.
+# see https://github.com/ossec/ossec-hids/issues/1145
+- name: Replace hostname by monitor IP in config
+  replace:
+    dest: "/var/ossec/etc/ossec.conf"
+    replace: "<server-ip {{ monitor_ip }} }}</server-ip>"
+    regexp: '//\<server-hostname\>securedrop-monitor-server-alias\<\/server-hostname\>'
+  when:
+    - ossec_is_client
+    - not ossec_agent_already_registered
+
 # Ossec 3.0 now defaults to requiring a shared secret for agent authentication.
 # Disabling authentication is broken for authd in ossec 3.0. Registering agents
 # requires a 32 hex character password with a line feed appended to the

diff --git a/install_files/securedrop-ossec-agent/DEBIAN/postinst b/install_files/securedrop-ossec-agent/DEBIAN/postinst
@@ -18,7 +18,11 @@ set -e
 
 case "$1" in
     configure)
-        service ossec restart
+	    # Replace monitor server domain name by ip address due to
+	    #  https://github.com/ossec/ossec-hids/issues/1145
+	    mon_ip=$(grep -oP "^\\d+\.\\d+\.\\d+\.\\d+(?=.*securedrop-monitor-server-alias)" /etc/hosts)
+	    sed -i -e "s/<server-hostname>securedrop-monitor-server-alias<\/server-hostname>/<server-ip>$mon_ip<\/server-ip>/g" /var/ossec/etc/ossec.conf
+	    service ossec restart
     ;;
 
     abort-upgrade|abort-remove|abort-deconfigure)
@@ -28,6 +32,7 @@ case "$1" in
         echo "postinst called with unknown argument \`$1'" >&2
         exit 1
     ;;
+
 esac
 
 # dh_installdeb will replace this with shell code automatically