From 1622c63e36888efc1c726d828a0d715c74ed21bb Mon Sep 17 00:00:00 2001
From: redshiftzero
Date: Mon, 26 Nov 2018 16:41:19 -0800
Subject: [PATCH] ossec: set permissions on gpg homedir and contents

In defect #3928, problems with the permissions on the OSSEC gpg keyring resulted in an error when attempting to import the OSSEC public key. This commit adds Ansible tasks to set the proper permissions on the gpg homedir and its contents prior to attempting to import the key
---
 .../roles/ossec/defaults/main.yml | 6 +++
 .../roles/ossec/tasks/configure_server.yml | 38 +++++++++++++++++++
 2 files changed, 44 insertions(+)

diff --git a/install_files/ansible-base/roles/ossec/defaults/main.yml b/install_files/ansible-base/roles/ossec/defaults/main.yml
index c0704bfaa47..b5efb39e361 100644
--- a/install_files/ansible-base/roles/ossec/defaults/main.yml
+++ b/install_files/ansible-base/roles/ossec/defaults/main.yml
@@ -21,3 +21,9 @@ ossec_is_client: False
 journalist_alert_gpg_public_key: ""
 journalist_gpg_fpr: ""
 journalist_alert_email: ""
+
+# These files should be created once an OSSEC key is imported.
+gpg_keyring_files:
+ - pubring.gpg
+ - secring.gpg
+ - trustdb.gpg
\ No newline at end of file
diff --git a/install_files/ansible-base/roles/ossec/tasks/configure_server.yml b/install_files/ansible-base/roles/ossec/tasks/configure_server.yml
index c37790542f0..2a966e9b40b 100644
--- a/install_files/ansible-base/roles/ossec/tasks/configure_server.yml
+++ b/install_files/ansible-base/roles/ossec/tasks/configure_server.yml
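Review bot: The comment above `gpg_keyring_files` asserts that all three files appear once a key is imported, but `secring.gpg` is only written by GnuPG 1.x/2.0; a GnuPG 2.1+ homedir instead holds `pubring.kbx` and a `private-keys-v1.d/` directory, neither of which is in this list, so the `mode: "0600"` task in configure_server.yml that iterates it would, on such a host, leave those at whatever mode gpg created them with. Because that task already guards with `when: item.stat.exists`, adding `- pubring.kbx` here is harmless on older GnuPG and closes the gap on newer ones; `private-keys-v1.d` is a directory and would need its own `state: directory` task rather than an entry in this list. I would also reword the comment to `# Keyring files gpg may create in the OSSEC homedir; only the ones that exist get their mode enforced.` and add the trailing newline that `\ No newline at end of file` flags.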
@@ -20,6 +20,44 @@
 tags:
 - gpg
+- name: Check if GPG homedir already exists.
+ stat:
+ path: /var/ossec/.gnupg
+ register: gpg_homedir_status
+ tags:
+ - gpg
+
+- name: Ensure correct permissions on OSSEC GPG homedir if it exists.
+ file:
+ state: directory
+ path: /var/ossec/.gnupg
+ mode: "0700"
+ owner: ossec
+ group: "{{ ossec_group }}"
+ when: gpg_homedir_status.stat.exists
+ tags:
+ - gpg
+
+- name: Check if .gpg files have been created yet in the GPG homedir.
+ stat:
+ path: "/var/ossec/.gnupg/{{ item }}"
+ with_items: "{{ gpg_keyring_files }}"
+ register: gpg_keyring_status
+ tags:
+ - gpg
+
+- name: Ensure correct permissions on contents of OSSEC GPG homedir.
+ file:
+ state: file
+ path: "/var/ossec/.gnupg/{{ item.item }}"
+ mode: "0600"
+ owner: ossec
+ group: "{{ ossec_group }}"
+ with_items: "{{ gpg_keyring_status.results }}"
+ when: item.stat.exists
+ tags:
+ - gpg
+
 - name: Add the OSSEC GPG public key to the OSSEC manager keyring.
 # multiline format for command module, since this is a long command
 command: >