Partial implementation of OSSEC iptables fix

WIP committed by @msheiny during collaboration. Branch adopted by @conorsch for tackling #2478.
freedomofpress · Jan 22, 2018 · 41d9ddf · 41d9ddf
1 parent 7e9ea67
commit 41d9ddf
Show file tree

Hide file tree

Showing 6 changed files with 73 additions and 47 deletions.
diff --git a/install_files/ansible-base/group_vars/securedrop_application_server.yml b/install_files/ansible-base/group_vars/securedrop_application_server.yml
@@ -21,6 +21,19 @@ tor_instances:
   - service: journalist
     filename: app-journalist-aths
 
-agent_auth_rules:
-  - "-A OUTPUT -d {{ monitor_ip  }} -p tcp --dport 1515 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT"
-  - "-A INPUT -s {{ monitor_ip }} -p tcp --sport 1515 -m state --state ESTABLISHED,RELATED -j ACCEPT"
+authd_iprules:
+  - chain: OUTPUT
+    dest: "{{ monitor_ip  }}"
+    proto: tcp
+    dest_port: 1515
+    match: state
+    cstate: "NEW,ESTABLISHED,RELATED"
+    jump: ACCEPT
+
+  - chain: INPUT
+    source: "{{ monitor_ip  }}"
+    proto: tcp
+    source_port: 1515
+    match: state
+    cstate: "ESTABLISHED,RELATED"
+    jump: ACCEPT
diff --git a/install_files/ansible-base/group_vars/securedrop_monitor_server.yml b/install_files/ansible-base/group_vars/securedrop_monitor_server.yml
@@ -17,6 +17,19 @@ tor_instances:
   - service: ssh
     filename: mon-ssh-aths
 
-authd_rules:
-  - "-A INPUT -s {{ app_hostname }} -p tcp --dport 1515 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT"
-  - "-A OUTPUT -d {{ app_hostname }} -p tcp --sport 1515 -m state --state ESTABLISHED,RELATED -j ACCEPT"
+authd_iprules:
+  - chain: INPUT
+    dest: "{{ app_hostname  }}"
+    proto: tcp
+    dest_port: 1515
+    match: state
+    cstate: "NEW,ESTABLISHED,RELATED"
+    jump: ACCEPT
+
+  - chain: OUTPUT
+    source: "{{ app_hostname }}"
+    proto: tcp
+    source_port: 1515
+    match: state
+    cstate: "ESTABLISHED,RELATED"
+    jump: ACCEPT
diff --git a/install_files/ansible-base/roles/ossec-agent/defaults/main.yml b/install_files/ansible-base/roles/ossec-agent/defaults/main.yml
@@ -2,3 +2,5 @@
 # Override capability for installing locally built deb packages in the staging
 # environment. By default, packages are installed via the FPF apt repo.
 install_local_packages: False
+
+ossec_agent_already_registered: false
diff --git a/install_files/ansible-base/roles/ossec-agent/tasks/agent_config.yml b/install_files/ansible-base/roles/ossec-agent/tasks/agent_config.yml
@@ -7,32 +7,32 @@
   tags:
     - apt
 
-  # Check for the IPv4 rules file on disk. On the first run of this playbook,
-  # the file won't exist yet. Only add iptables rules if the file already exists.
-- name: Check whether iptables rules exist.
-  stat:
-    path: /etc/network/iptables/rules_v4
-  register: iptables_rules_check_result
-
-- name: Add firewall exemption for OSSEC agent registration.
-  lineinfile:
-    dest: /etc/network/iptables/rules_v4
-    # last line in the initial *filter stanza (which must come before any rules)
-    # rules will be applied before the default rules defined in rules_v4 file
-    insertafter: "^:LOGNDROP"
-    regexp: "{{ item }}"
-    line: "{{ item }}"
-  notify: reload iptables rules
-  with_items: "{{ agent_auth_rules }}"
-  when: hostvars[groups.securedrop_monitor_server.0].ossec_agent_already_registered == false and
-        iptables_rules_check_result.stat.exists == true
+- name: Add firewall exemption for OSSEC agent registration (both servers)
+  iptables:
+    chain: "{{ item[0].chain }}"
+    destination: "{{ item[0].dest|default(omit) }}"
+    destination_port: "{{ item[0].dest_port|default(omit) }}"
+    protocol: "{{ item[0].proto }}"
+    ctstate: "{{ item[0].cstate }}"
+    jump: "{{ item[0].jump }}"
+    match: "{{ item[0].match }}"
+    source: "{{ item[0].source|default(omit) }}"
+    source_port: "{{ item[0].source_port|default(omit) }}"
+    state: present
+  delegate_to: "{{ item[1] }}"
+  with_nested:
+    - "{{ authd_iprules }}"
+    - "{{ groups['all'] }}"
+  when: not ossec_agent_already_registered
   tags:
     - iptables
     - ossec_auth
 
+- debug: var="{{ groups['securedrop_monitor_server'] + groups['securedrop_application_server'] }}"
+
 - name: Register OSSEC agent.
   command: /var/ossec/bin/agent-auth -m {{ monitor_ip }} -p 1515 -A {{ app_hostname }}
-  when: hostvars[groups.securedrop_monitor_server.0].ossec_agent_already_registered == false
+  when: not ossec_agent_already_registered
   tags:
     - ossec_auth
 
@@ -42,17 +42,23 @@
   # connect to the ossec server. The monitor server's OSSEC server needs to
   # restart after the agent connects to correctly display the agent status.
 - name: Remove firewall exemption for OSSEC agent registration.
-  lineinfile:
-    state: absent
-    dest: /etc/network/iptables/rules_v4
-    line: "{{ item }}"
-  register: removed_ossec_exemptions
-  notify:
-    - reload iptables rules
-    - restart ossec
-  with_items: "{{ agent_auth_rules }}"
-  when: hostvars[groups.securedrop_monitor_server.0].ossec_agent_already_registered == false and
-        iptables_rules_check_result.stat.exists == true
+  iptables:
+    chain: "{{ item[0].chain }}"
+    destination: "{{ item[0].dest|default(omit) }}"
+    destination_port: "{{ item[0].dest_port|default(omit) }}"
+    protocol: "{{ item[0].proto }}"
+    ctstate: "{{ item[0].cstate }}"
+    jump: "{{ item[0].jump }}"
+    match: "{{ item[0].match }}"
+    source: "{{ item[0].source|default(omit) }}"
+    source_port: "{{ item[0].source_port|default(omit) }}"
+    state: present
+  delegate_to: "{{ item[1] }}"
+  with_nested:
+    - "{{ authd_iprules }}"
+    - "{{ groups['securedrop_monitor_server'] + groups['securedrop_application_server'] }}"
+  when: not ossec_agent_already_registered
+  notify: restart ossec
   tags:
     - iptables
     - ossec_auth
diff --git a/install_files/ansible-base/roles/ossec-server/defaults/main.yml b/install_files/ansible-base/roles/ossec-server/defaults/main.yml
@@ -27,3 +27,5 @@ postfix_hostname: ossec.server
 # but unnecessary in staging contexts, where SASL authentication
 # will always fail, due to lack of site-specific credentials.
 ossec_server_enable_postfix: True
+
+ossec_agent_already_registered: false
diff --git a/install_files/ansible-base/roles/ossec-server/tasks/authd.yml b/install_files/ansible-base/roles/ossec-server/tasks/authd.yml
@@ -7,16 +7,6 @@
   tags:
     - ossec_auth
 
-  # Store a boolean host fact that states whether the Application Server
-  # is already registered with the Monitor Server. If it is, we can skip several tasks.
-  # To make the conditional templating simpler, we'll default to false for the fact value,
-  # and overwrite it with "true" only if the Application Server is actually registered.
-- name: Initialize host fact for OSSEC registration state.
-  set_fact:
-    ossec_agent_already_registered: false
-  tags:
-    - ossec_auth
-
 - name: Set host fact for OSSEC registration state.
   set_fact:
     ossec_agent_already_registered: true