From 785cdaf4a0e8c5a94ceb49e66213b51a22695141 Mon Sep 17 00:00:00 2001 From: redshiftzero Date: Mon, 26 Nov 2018 16:41:19 -0800 Subject: [PATCH] ossec: set permissions on gpg homedir and contents In defect #3928, problems with the permissions on the OSSEC gpg keyring resulted in an error when attempting to import the OSSEC public key. This commit adds Ansible tasks to set the proper permissions on the gpg homedir and its contents prior to attempting to import the key --- .../roles/ossec/defaults/main.yml | 6 +++ .../roles/ossec/tasks/configure_server.yml | 38 +++++++++++++++++++ 2 files changed, 44 insertions(+)
diff --git a/install_files/ansible-base/roles/ossec/defaults/main.yml b/install_files/ansible-base/roles/ossec/defaults/main.yml
index c0704bfaa4..f4c1fb63c8 100644
--- a/install_files/ansible-base/roles/ossec/defaults/main.yml
+++ b/install_files/ansible-base/roles/ossec/defaults/main.yml
@@ -21,3 +21,9 @@ ossec_is_client: False
 journalist_alert_gpg_public_key: ""
 journalist_gpg_fpr: ""
 journalist_alert_email: ""
+
+# These files should be created once an OSSEC key is imported.
+gpg_keyring_files:
+  - pubring.gpg
+  - secring.gpg
+  - trustdb.gpg
diff --git a/install_files/ansible-base/roles/ossec/tasks/configure_server.yml b/install_files/ansible-base/roles/ossec/tasks/configure_server.yml
index c37790542f..2a966e9b40 100644
--- a/install_files/ansible-base/roles/ossec/tasks/configure_server.yml
+++ b/install_files/ansible-base/roles/ossec/tasks/configure_server.yml
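Review bot: `gpg_keyring_files` pins the GnuPG 1.x keyring layout (`pubring.gpg`, `secring.gpg`, `trustdb.gpg`), and the permission task that consumes this list only tightens paths that appear in it; on a manager whose gpg is 2.1 or newer the public keyring is `pubring.kbx` and secret material lives under `private-keys-v1.d/`, so those would be left at whatever mode gpg created them with, silently rather than as a task failure. If only GnuPG 1.x is supported here, the comment should record that assumption, e.g. `# GnuPG 1.x layout only: gpg >= 2.1 writes pubring.kbx and private-keys-v1.d/ instead.`; otherwise add the 2.x names to the list, noting that `private-keys-v1.d` is a directory and would need its own `state: directory` task rather than the `state: file` one (the homedir task's `0700` only covers `/var/ossec/.gnupg` itself). A brief comment on why `secring.gpg` belongs here — gpg 1.x creates an empty one on first use even though only a public key is imported — would also help the next reader.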
@@ -20,6 +20,44 @@
   tags:
     - gpg
+- name: Check if GPG homedir already exists.
+  stat:
+    path: /var/ossec/.gnupg
+  register: gpg_homedir_status
+  tags:
+    - gpg
+
+- name: Ensure correct permissions on OSSEC GPG homedir if it exists.
+  file:
+    state: directory
+    path: /var/ossec/.gnupg
+    mode: "0700"
+    owner: ossec
+    group: "{{ ossec_group }}"
+  when: gpg_homedir_status.stat.exists
+  tags:
+    - gpg
+
+- name: Check if .gpg files have been created yet in the GPG homedir.
+  stat:
+    path: "/var/ossec/.gnupg/{{ item }}"
+  with_items: "{{ gpg_keyring_files }}"
+  register: gpg_keyring_status
+  tags:
+    - gpg
+
+- name: Ensure correct permissions on contents of OSSEC GPG homedir.
+  file:
+    state: file
+    path: "/var/ossec/.gnupg/{{ item.item }}"
+    mode: "0600"
+    owner: ossec
+    group: "{{ ossec_group }}"
+  with_items: "{{ gpg_keyring_status.results }}"
+  when: item.stat.exists
+  tags:
+    - gpg
+
 - name: Add the OSSEC GPG public key to the OSSEC manager keyring.
   # multiline format for command module, since this is a long command
   command: >