From 2c79f0b9e212c9d80a88333a271bd8a37c5cfe43 Mon Sep 17 00:00:00 2001 From: mickael e Date: Tue, 21 Aug 2018 14:09:02 -0400 Subject: [PATCH 1/5] Bump ossec version strings to 3.0.0 Ossec 3.0.0 contains several bug and security fixes, as such we should upgrade securedrop ossec agents and servers to this release. --- .../group_vars/securedrop_application_server.yml | 4 ++-- .../group_vars/securedrop_monitor_server.yml | 4 ++-- .../roles/build-ossec-deb-pkg/defaults/main.yml | 2 +- .../roles/build-ossec-deb-pkg/library/ossec_urls.py | 6 +++--- install_files/ossec-agent/etc/ossec-init.conf | 4 ++-- .../usr/share/doc/ossec-agent/changelog.Debian | 9 ++++++++- install_files/ossec-server/etc/ossec-init.conf | 4 ++-- .../usr/share/doc/ossec-server/changelog.Debian | 7 +++++++ install_files/securedrop-ossec-agent/DEBIAN/control | 2 +- .../share/doc/securedrop-ossec-agent/changelog.Debian | 8 +++++++- install_files/securedrop-ossec-server/DEBIAN/control | 2 +- .../share/doc/securedrop-ossec-server/changelog.Debian | 6 ++++++ molecule/builder/tests/vars.yml | 2 +- 13 files changed, 43 insertions(+), 17 deletions(-) diff --git a/install_files/ansible-base/group_vars/securedrop_application_server.yml b/install_files/ansible-base/group_vars/securedrop_application_server.yml index d67388af6f..6a59efb49e 100644 --- a/install_files/ansible-base/group_vars/securedrop_application_server.yml +++ b/install_files/ansible-base/group_vars/securedrop_application_server.yml @@ -8,9 +8,9 @@ ip_info: local_deb_packages: - "securedrop-keyring-0.1.2+{{ securedrop_app_code_version }}-amd64.deb" - "securedrop-config-0.1.1+{{ securedrop_app_code_version }}-amd64.deb" - - "securedrop-ossec-agent-2.8.2+{{ securedrop_app_code_version }}-amd64.deb" + - "securedrop-ossec-agent-3.0.0+{{ securedrop_app_code_version }}-amd64.deb" - "{{ securedrop_app_code_deb }}.deb" - - "ossec-agent-2.8.2-amd64.deb" + - "ossec-agent-3.0.0-amd64.deb" # Configuring the tor hidden services tor_instances: 
diff --git a/install_files/ansible-base/group_vars/securedrop_monitor_server.yml b/install_files/ansible-base/group_vars/securedrop_monitor_server.yml index dffeefa55e..83443764d8 100644 --- a/install_files/ansible-base/group_vars/securedrop_monitor_server.yml +++ b/install_files/ansible-base/group_vars/securedrop_monitor_server.yml @@ -8,8 +8,8 @@ ip_info: local_deb_packages: - "securedrop-keyring-0.1.2+{{ securedrop_app_code_version }}-amd64.deb" - "securedrop-config-0.1.1+{{ securedrop_app_code_version }}-amd64.deb" - - "securedrop-ossec-server-2.8.2+{{ securedrop_app_code_version }}-amd64.deb" - - ossec-server-2.8.2-amd64.deb + - "securedrop-ossec-server-3.0.0+{{ securedrop_app_code_version }}-amd64.deb" + - ossec-server-3.0.0-amd64.deb # Configure the tor hidden services. The Monitor server has only one, # for SSH, since no web interfaces. diff --git a/install_files/ansible-base/roles/build-ossec-deb-pkg/defaults/main.yml b/install_files/ansible-base/roles/build-ossec-deb-pkg/defaults/main.yml index cf2986740e..0070365ae7 100644 --- a/install_files/ansible-base/roles/build-ossec-deb-pkg/defaults/main.yml +++ b/install_files/ansible-base/roles/build-ossec-deb-pkg/defaults/main.yml @@ -2,7 +2,7 @@ build_ossec_deb_pkg_dependencies: [] ossec_server_hostname: ossec-server -ossec_version: 2.8.2 +ossec_version: 3.0.0 # Parent directory for performing build operations. All files related # to build, including source tarball, will be created inside this dir. build_path: /tmp/build diff --git a/install_files/ansible-base/roles/build-ossec-deb-pkg/library/ossec_urls.py b/install_files/ansible-base/roles/build-ossec-deb-pkg/library/ossec_urls.py index 2b654fa596..3f6563322b 100644 --- a/install_files/ansible-base/roles/build-ossec-deb-pkg/library/ossec_urls.py +++ b/install_files/ansible-base/roles/build-ossec-deb-pkg/library/ossec_urls.py 
@@ -14,7 +14,7 @@ ossec_version: description: - version number of release to download - default: "2.8.2" + default: "3.0.0" required: no notes: - The OSSEC version to download is hardcoded to avoid surprises. @@ -23,7 +23,7 @@ ''' EXAMPLES = ''' - ossec_urls: - ossec_version: "2.8.2" + ossec_version: "3.0.0" ''' import re # noqa: E402 @@ -92,7 +92,7 @@ def parse_checksums(self): def main(): module = AnsibleModule( # noqa: F405 argument_spec=dict( - ossec_version=dict(default="2.8.2"), + ossec_version=dict(default="3.0.0"), ), supports_check_mode=False ) diff --git a/install_files/ossec-agent/etc/ossec-init.conf b/install_files/ossec-agent/etc/ossec-init.conf index b01bce268b..ce14078df3 100644 --- a/install_files/ossec-agent/etc/ossec-init.conf +++ b/install_files/ossec-agent/etc/ossec-init.conf @@ -1,4 +1,4 @@ DIRECTORY="/var/ossec" -VERSION="v2.8.2" -DATE="Thu Jun 11 11:39:25 PDT 2015" +VERSION="v3.0.0" +DATE="Tue Aug 21 10:52:11 PDT 2018" TYPE="agent" diff --git a/install_files/ossec-agent/usr/share/doc/ossec-agent/changelog.Debian b/install_files/ossec-agent/usr/share/doc/ossec-agent/changelog.Debian index ebe47b6ad3..5e490fa285 100644 --- a/install_files/ossec-agent/usr/share/doc/ossec-agent/changelog.Debian +++ b/install_files/ossec-agent/usr/share/doc/ossec-agent/changelog.Debian @@ -1,3 +1,10 @@ +ossec-agent (3.0.0) unstable; urgency=low + + [ SecureDrop Team ] + * Release Notes https://github.com/ossec/ossec-hids/releases/tag/3.0.0 + + -- SecureDrop Team Tue, 21 Aug 2018 10:43:47 -0700 + ossec-agent (2.8.2) unstable; urgency=low [ SecureDrop Team ] @@ -8,6 +15,6 @@ ossec-agent (2.8.2) unstable; urgency=low ossec-agent (2.8.1) unstable; urgency=low [ James Dolan ] - * Initial release + * Initial release -- James Dolan Fri, 14 Mar 2014 15:46:57 -0700 diff --git a/install_files/ossec-server/etc/ossec-init.conf b/install_files/ossec-server/etc/ossec-init.conf index c8e3340bb1..ead135f99f 100644 --- a/install_files/ossec-server/etc/ossec-init.conf 
+++ b/install_files/ossec-server/etc/ossec-init.conf @@ -1,4 +1,4 @@ DIRECTORY="/var/ossec" -VERSION="v2.8.2" -DATE="Thu Jun 11 11:39:25 PDT 2015" +VERSION="v3.0.0" +DATE="Tue Aug 21 10:52:11 PDT 2018" TYPE="server" diff --git a/install_files/ossec-server/usr/share/doc/ossec-server/changelog.Debian b/install_files/ossec-server/usr/share/doc/ossec-server/changelog.Debian index cfb8ce5d30..bb4890c3bc 100644 --- a/install_files/ossec-server/usr/share/doc/ossec-server/changelog.Debian +++ b/install_files/ossec-server/usr/share/doc/ossec-server/changelog.Debian @@ -1,3 +1,10 @@ +ossec-server (3.0.0) unstable; urgency=low + + [ SecureDrop Team ] + * Release Notes https://github.com/ossec/ossec-hids/releases/tag/3.0.0 + + -- SecureDrop Team Tue, 21 Aug 2018 10:43:47 -0700 + ossec-server (2.8.2) unstable; urgency=low [ SecureDrop Team ] diff --git a/install_files/securedrop-ossec-agent/DEBIAN/control b/install_files/securedrop-ossec-agent/DEBIAN/control index 5be8bc2c90..4620500443 100644 --- a/install_files/securedrop-ossec-agent/DEBIAN/control +++ b/install_files/securedrop-ossec-agent/DEBIAN/control @@ -4,7 +4,7 @@ Priority: optional Maintainer: SecureDrop Team Homepage: https://securedrop.org Package: securedrop-ossec-agent -Version: 2.8.2+0.10.0~rc1 +Version: 3.0.0+0.10.0~rc1 Architecture: amd64 Depends: ossec-agent,securedrop-keyring,securedrop-config Replaces: ossec-agent diff --git a/install_files/securedrop-ossec-agent/usr/share/doc/securedrop-ossec-agent/changelog.Debian b/install_files/securedrop-ossec-agent/usr/share/doc/securedrop-ossec-agent/changelog.Debian index f0b53e5caa..680b313a00 100644 --- a/install_files/securedrop-ossec-agent/usr/share/doc/securedrop-ossec-agent/changelog.Debian +++ b/install_files/securedrop-ossec-agent/usr/share/doc/securedrop-ossec-agent/changelog.Debian 
@@ -1,5 +1,11 @@ +securedrop-ossec-agent (3.0.0) unstable; urgency=low + + * Upgrade to ossec 3.0 + + -- SecureDrop Team Tue, 21 Aug 2018 11:43:47 -0700 + securedrop-ossec-agent (2.8.1) unstable; urgency=low - * Initial release + * Initial release -- James Dolan Fri, 14 Mar 2014 15:46:57 -0700 diff --git a/install_files/securedrop-ossec-server/DEBIAN/control b/install_files/securedrop-ossec-server/DEBIAN/control index 773e2abd39..b3249770d7 100644 --- a/install_files/securedrop-ossec-server/DEBIAN/control +++ b/install_files/securedrop-ossec-server/DEBIAN/control @@ -4,7 +4,7 @@ Priority: optional Maintainer: SecureDrop Team Homepage: https://securedrop.org Package: securedrop-ossec-server -Version: 2.8.2+0.10.0~rc1 +Version: 3.0.0+0.10.0~rc1 Architecture: amd64 Depends: ossec-server,securedrop-keyring,securedrop-config Replaces: ossec-server diff --git a/install_files/securedrop-ossec-server/usr/share/doc/securedrop-ossec-server/changelog.Debian b/install_files/securedrop-ossec-server/usr/share/doc/securedrop-ossec-server/changelog.Debian index dd0ee56582..fb2d4dcb77 100644 --- a/install_files/securedrop-ossec-server/usr/share/doc/securedrop-ossec-server/changelog.Debian +++ b/install_files/securedrop-ossec-server/usr/share/doc/securedrop-ossec-server/changelog.Debian @@ -1,3 +1,9 @@ +securedrop-ossec-agent (3.0.0) unstable; urgency=low + + * Upgrade to ossec 3.0 + + -- SecureDrop Team Tue, 21 Aug 2018 11:44:17 -0700 + securedrop-ossec-server (0.2.1-1) unstable; urgency=low * Initial release diff --git a/molecule/builder/tests/vars.yml b/molecule/builder/tests/vars.yml index d4e7f7885d..907ff6464c 100644 --- a/molecule/builder/tests/vars.yml +++ b/molecule/builder/tests/vars.yml @@ -1,6 +1,6 @@ --- securedrop_version: "0.10.0~rc1" -ossec_version: "2.8.2" +ossec_version: "3.0.0" keyring_version: "0.1.2" config_version: "0.1.1" grsec_version: "4.4.144" From 7ef26132e83e70912a77e854c7a5a6a5b5b70832 Mon Sep 17 00:00:00 2001 
From: mickael e Date: Tue, 21 Aug 2018 15:49:41 -0400 Subject: [PATCH 2/5] Use GPG to verify ossec tarballs As of 2.9.3, ossec source tarballs are now signed with a GPG key, instead of providing checksums. The following should now verify source code tarballs when packages are built/ --- .../build-ossec-deb-pkg/defaults/main.yml | 2 + .../files/OSSEC-ARCHIVE-KEY.asc | 52 +++++++++++++++++++ .../build-ossec-deb-pkg/library/ossec_urls.py | 44 ++++------------ .../roles/build-ossec-deb-pkg/tasks/main.yml | 42 +++++++-------- 4 files changed, 83 insertions(+), 57 deletions(-) create mode 100644 install_files/ansible-base/roles/build-ossec-deb-pkg/files/OSSEC-ARCHIVE-KEY.asc diff --git a/install_files/ansible-base/roles/build-ossec-deb-pkg/defaults/main.yml b/install_files/ansible-base/roles/build-ossec-deb-pkg/defaults/main.yml index 0070365ae7..4af8d2c3ba 100644 --- a/install_files/ansible-base/roles/build-ossec-deb-pkg/defaults/main.yml +++ b/install_files/ansible-base/roles/build-ossec-deb-pkg/defaults/main.yml @@ -21,3 +21,5 @@ ossec_build_rsync_generic_opts: # See explanation from b291059d556d6cdb11c8ab8d68eab96436cb9f69 ossec_build_rsync_ansible_hack_opt: - "--rsync-path='sudo rsync'" + +ossec_source_checksum: sha256:a271d665ed502b3df4ff055a177159dfc0bc8a69dd44eab1f7c57fe8fff42a98 diff --git a/install_files/ansible-base/roles/build-ossec-deb-pkg/files/OSSEC-ARCHIVE-KEY.asc b/install_files/ansible-base/roles/build-ossec-deb-pkg/files/OSSEC-ARCHIVE-KEY.asc new file mode 100644 index 0000000000..04ef9cf163 --- /dev/null +++ b/install_files/ansible-base/roles/build-ossec-deb-pkg/files/OSSEC-ARCHIVE-KEY.asc 
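Review bot: `ossec_source_checksum` pins a sha256 digest without saying which artifact it is the digest of, while the matching `ossec_version` sits earlier in this same defaults file; whoever bumps the version next has no cue that this line has to move with it, and the only symptom will be a failed download. A comment on the new line makes the coupling explicit: `# sha256 of ossec-hids-{{ ossec_version }}.tar.gz as served by ossec_tarball_url; update together with ossec_version.`. Placing the variable directly under `ossec_version` rather than at the end of the file would make the pairing harder to miss.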
@@ -0,0 +1,52 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- +Version: GnuPG v2 + +mQINBE15UXUBEAChQfKBpWvjFhqplrnqHNqUuk5hubtcsn95ftpYlj8p8n8mFzn/ +a62yhRV28sT76+ZCrcxYfcZJtiGEXbU0nkzKPh9WOpmG46kyX24dcsVFe/BJ1FrE +7XGJrr56g1BdrM6rvblFEjF//No9MmNxVt8fJRNMqbLgRjsvUCRJ10nN1KwSgusk +AyPSTn2KuI1opRf+9chxvtk2zFSFbUo6NFZREis3Aib5oxpddzxO2c93JuDSJKYb +6zitesjptfT4lIo7+1xU+XVDe7upXbl+OX56RyHLSV+HIA9k7wkcBsXoAnqN5C4N +/yhZzFK7sEzWbPjiFSpKInv+DnFI+Mua/Img3++dhgtCeVj9XL23vSIqDFOnanoa +iSwRNr5eiZJfkYIbbb0r1azCZ3+Cx07OLRFn4PjbqnPpsZTRTRJy7qoRLUrpeREn +I5YlRHeWE+vJYHFTDcpd7GDtghhx5ZDpq0E1obpbOpdio0M8pdU4X0V+RvOFqbbw +oysfw2ZkNdfS1z9TpYJfPgPrcPMZo1Ar6oucEXvvbHSsmcR7f3LNo/Z8KK7FpLXi +V37tNcoXfnDkLNe8ZmeIRO/oUI0FS7fjnNOThkm5yQAK5elfnHCsvPsOCu0+dwZs +5Nl3yMnZHoEq+xxDMHJ1nxCVdVCmQk/4I7jKixCmKDPyi6+Ts/7Oahmg8wARAQAB +tCRTY290dCBSLiBTaGlubiA8c2NvdHRAYXRvbWljb3JwLmNvbT6JAjgEEwECACIF +Ak15UXUCGwMGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJEO4bDmstg4e3SKAP +/A4kXvRa67+U5a0Is1mcNiCeVl/e8eEI+3n5pfScYaXb5EnGBxXhZlhD+7XhoUl1 +91WWGvItinW05KNNOr19LLilWFfqLMOihIxKVpAaoS2QP8nDVormplstq/9rFSnt +X2OwO3giMk+ojqH9ong+aG/NudmUlDyXTxaSe+ik5olijv+O5riIyStidBV6SJuE +G1cAOYc4qXughxit8yQ/QhXiQygWCyfnGhYD5fMOF9VXUooEIStQypeqDaKS0VOZ +DkSUTyKJGq4kE+LFDJGVTNKhnoLPXMWhNeG5GQzIHaD7N/JW6d2+FJIoPX77unty +7TPBpDNnHFJQmjteQBNJP2dQu0nN5VL32AK3sevcu/hC0gt//pdX5QKRXFZwoS5b +vWs/HykJqv2j41Ia/uxfCa++AzOiatBKVO2V/4TRSacKTyqagA1OLsoFNjX6BQxh +7+tymzqqrlnF9xrZbxgm6d711J/ysfLJNSgus8UzUSiZgOJZqYYfOZDAU2Q2ruYB +5m4xO+SAO3UZ0hXi/4RlYF88rvRH412RfPeL42Gvombxja/XUrhFrCdUctdtD9UK +Hbrkg2RpgOWwUng9THZ4u99Xhot+u+j1DwV4n3FZ3Uq/AyXYB2GPuRfBKy6ZScu4 +9ABpQv4ewk1M5DDeGWL0Wu3rlIAPQtl6zmQfzgVJjuBjuQINBE15UXUBEACcxvD2 +d1IYgBnOTiD3wCunkWYvDL8EGy01+aGZ9bbJV4lqM/WCcp9X0QcdMJwaC86m0J3S +BjPvQ6PW7JJWlA+14Alkyt2yTk6gZDijFGCRBkJ7NISoUgE+hiLqhmVsxa9nEDAX +pU1LP5dCztHJgHp/2PE2BGjsTSjTF1+0Lp5jpAlV2VOBQN90xi07TQizv+UCcmbQ +LG/YeDH88wQpCpV3BNdCLMAQA/M6KUVFooQH2GlsIcxjG5SaohVUcYVh5ZyR0eLp +FnDFGvgauQTIYBCT87XRoLy6ioB6QGja+eg89Q0nwqY+DYc4/bYg32X/6coCpnIU 
+FDnYy0MUYAoOevoxIwF5+yAGzY63p2VOP0lhW8jXy6h7MR+qGNMNPae3GbnDUO2/ +Q1o3IZJy+elmqlUnIkj88o4+WbpgPQ5FOxnSPltdiwd9ntvVqr5WzSlN4EsEDg6L +B/2KuLDg8J8tP2V32XcI6lDbdKiQBvYSaWZBY4wus6m7VH5ALvt7K9dtbR+46lSs +lS9aNQzUttDYJs3/uvvQRfHwdeRgRkR6qCPtfoiI6ceV7e30aOGlwR+Vj8hlTVga +EyKXiA8JH9xOUFdrKjxjNPKmukilekKhST+WQsCssdDqeYgrVRIrTvYN9gm4FXSQ +XjIkzoMssBIj4affSbfV/nszf2NlfsXq/oaJzQARAQABiQIfBBgBAgAJBQJNeVF1 +AhsMAAoJEO4bDmstg4e3zqAP/Rk3VKTqDLZFEV2PvarRR2Zai0Wtu7PTBtSzNp0f +CGxioTkJg2Wesidjbv9OFPQQ/eywuFz0LbEuCTLVivzdJHIHYL1VjnFaNqI2Sf4L +4DRIInaW49D1HgfzZb6KZuEpoLpHSRRDTmQ/fpuSKxEXfl3pHb3Nu3yBdbCHxrsN +IvBnbvUV5/uHYWhZA5M9AanvKxMwMbgNn9EyydvvGEuAk+QFLHg4ab7t8DqDFFkd +jvQQ64axouMmNUWpPP51+xljyoPj4n+6EPBz9sQ4kaHbMREescHZQPA696EDw2dx +kjiMwUEnX3JYDSZHDabAow0S5/YTBuLNBSDCO8EvFTk8wQQhQi+LgHJP5aLTYApI +/4QDgu6ECmcKaQjLcXFOv2BATeD53KXLZsq9OEH5Evy+AVDB/2R29vR/4seNXtUL +EZDmBTvV6r3ZRucldYRkcQVed6J8nliMgYSD4dNMC/FaNJxtBD7stiyv93UlK4dR +tlacBeslB21zon5/FR+BhsmAYrjM7zl2m2Fo9OPZgDLdVu7J+mtZuhYYkn4QtzHm +UnH72clVgzOB/ovQvBSwXiO1YjizL21C1UYJv1bm9K0PZJk6jNZ81w6FVow9iZ3B +twPqoczPIOB/ANwsg6tuTG79/TTRYUkQag1x69wxMYBAoEmmt3fC64Fb00io7P7T +C/gz +=L8tQ +-----END PGP PUBLIC KEY BLOCK----- diff --git a/install_files/ansible-base/roles/build-ossec-deb-pkg/library/ossec_urls.py b/install_files/ansible-base/roles/build-ossec-deb-pkg/library/ossec_urls.py index 3f6563322b..4d9031fdcf 100644 --- a/install_files/ansible-base/roles/build-ossec-deb-pkg/library/ossec_urls.py +++ b/install_files/ansible-base/roles/build-ossec-deb-pkg/library/ossec_urls.py @@ -26,12 +26,12 @@ ossec_version: "3.0.0" ''' -import re # noqa: E402 +import re # noqa: F401 HAS_REQUESTS = True try: - import requests + import requests # noqa: F401 except ImportError: HAS_REQUESTS = False 
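Review bot: The key block is added with nothing in the commit recording whose key it is, its fingerprint, or where it was obtained, so a reviewer of this trust anchor has no way to tell it from a substituted one. Record the full fingerprint and the source it was fetched from in the commit message, and repeat the fingerprint in a comment next to `ossec_source_checksum` in `defaults/main.yml`, so the value the verify task should pin has a documented origin in the repository.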
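Review bot: `import re  # noqa: F401` keeps a module that nothing uses any more: the only consumer, `parse_checksums`, is removed in the next hunk, so the import should be deleted rather than have the linter silenced. The same question applies to `requests`, which is now imported only to set `HAS_REQUESTS`; if `main()` (outside this hunk) still fails the module when that flag is false, it is guarding a dependency the module no longer needs, and both the import and the flag can go.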
@@ -39,54 +39,32 @@ class OSSECURLs(): def __init__(self, ossec_version): + self.REPO_URL = "https://github.com/ossec/ossec-hids" self.ossec_version = ossec_version - - checksums = self.parse_checksums() - self.ansible_facts = dict( ossec_version=self.ossec_version, ossec_tarball_filename=self.ossec_tarball_filename, ossec_tarball_url=self.ossec_tarball_url, - ossec_checksum_filename=self.ossec_checksum_filename, - ossec_checksum_url=self.ossec_checksum_url, + ossec_signature_filename=self.ossec_signature_filename, + ossec_signature_url=self.ossec_signature_url, ) - self.ansible_facts.update(checksums) - @property def ossec_tarball_filename(self): return "ossec-hids-{}.tar.gz".format(self.ossec_version) @property def ossec_tarball_url(self): - return "https://github.com/ossec/ossec-hids/archive/{}.tar.gz".format( - self.ossec_version) + return self.REPO_URL + "/archive/{}.tar.gz".format(self.ossec_version) @property - def ossec_checksum_url(self): - return "https://github.com/ossec/ossec-hids/releases/download/{}/{}".format( # noqa: E501 - self.ossec_version, self.ossec_checksum_filename) + def ossec_signature_url(self): + return self.REPO_URL + "/releases/download/{}/{}".format( + self.ossec_version, self.ossec_signature_filename) @property - def ossec_checksum_filename(self): - return "{}-checksum.txt".format(self.ossec_tarball_filename) - - def parse_checksums(self): - r = requests.get(self.ossec_checksum_url) - checksum_regex = re.compile(r''' - ^MD5\( - ''' - + re.escape(self.ossec_tarball_filename) + - r'''\)=\s+(?P[0-9a-f]{32})\s+ - SHA1\( - ''' - + re.escape(self.ossec_tarball_filename) + - r'''\)=\s+(?P[0-9a-f]{40})$ - ''', re.VERBOSE | re.MULTILINE - ) - checksum_list = r.content.rstrip() - results = re.match(checksum_regex, checksum_list).groupdict() - return results + def ossec_signature_filename(self): + return "ossec-hids-{}.tar.gz.asc".format(self.ossec_version) def main(): 
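Review bot: `self.REPO_URL` is assigned per instance in `__init__` yet named like a constant; declare it once on the class as `REPO_URL = "https://github.com/ossec/ossec-hids"` so the properties read a class attribute and the value is not duplicated on every instance. The class now pairs a tarball from the `/archive/{version}.tar.gz` endpoint with a detached signature taken from the release assets; if that `.asc` was produced over a release-asset tarball rather than GitHub's generated archive, verification would fail rather than pass, so this is a robustness question, not a bypass, but it deserves a comment on `ossec_signature_url` stating which artifact the signature is expected to cover. `main()` begins on the hunk's last line and continues outside it.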
diff --git a/install_files/ansible-base/roles/build-ossec-deb-pkg/tasks/main.yml b/install_files/ansible-base/roles/build-ossec-deb-pkg/tasks/main.yml index 2ea76383a6..52bd1c1066 100644 --- a/install_files/ansible-base/roles/build-ossec-deb-pkg/tasks/main.yml +++ b/install_files/ansible-base/roles/build-ossec-deb-pkg/tasks/main.yml @@ -31,30 +31,23 @@ get_url: url: "{{ ossec_tarball_url }}" dest: "{{ build_path }}/{{ ossec_tarball_filename }}" + checksum: "{{ ossec_source_checksum }}" -- name: Gather checksum info for downloaded tarball. - stat: - path: "{{ build_path }}/{{ ossec_tarball_filename }}" - get_md5: yes - register: ossec_download - -- name: Fail if MD5 and SHA1 checksums for tarball are not correct. - fail: - msg: > - The checksums for {{ ossec_tarball_filename }} do not match. - Both MD5 and SHA1 checksums were inspected. The checksums - used for the inspection where: - MD5: {{ ossec_md5_checksum }} - SHA1: {{ ossec_sha1_checksum }} - - The checksums found were: - MD5: {{ ossec_download.stat.md5 }} - SHA1: {{ ossec_download.stat.checksum }} - - Try rerunning the playbook to download the files again. - when: not (ossec_download.stat.exists and - ossec_download.stat.md5 == "{{ ossec_md5_checksum }}" and - ossec_download.stat.checksum == "{{ ossec_sha1_checksum }}") +- name: Download OSSEC signature. + get_url: + url: "{{ ossec_signature_url }}" + dest: "{{ build_path }}/{{ ossec_signature_filename }}" + +- name: Copy OSSEC archive GPG key. + copy: src=../files/OSSEC-ARCHIVE-KEY.asc dest=/tmp/OSSEC-ARCHIVE-KEY.asc + +- name: Import OSSEC archive GPG key. + shell: "gpg --import /tmp/OSSEC-ARCHIVE-KEY.asc" + +- name: Verify signature of OSSEC tarball. + shell: "gpg --verify {{ build_path }}/{{ ossec_signature_filename }}" + register: ossec_verification_return_code + failed_when: ossec_verification_return_code.rc != 0 - name: Install apt dependencies for building OSSEC packages. apt: 
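Review bot: The 'Verify signature of OSSEC tarball.' task accepts a signature from any key in the builder's default keyring, because `gpg --import` adds the OSSEC key to that keyring and the task only checks the exit code; nothing ties the accepted signature to the key shipped in this role. Pin the signer via gpg's status output: `command: gpg --status-fd 1 --verify {{ build_path }}/{{ ossec_signature_filename }} {{ build_path }}/{{ ossec_tarball_filename }}` and `failed_when: "'VALIDSIG <OSSEC-ARCHIVE-KEY fingerprint>' not in ossec_verification_return_code.stdout"`, with the fingerprint taken from the key file and recorded in the role. Passing the tarball path explicitly also avoids relying on gpg inferring the data file by stripping `.asc`. The existing `failed_when: ossec_verification_return_code.rc != 0` restates the module's default and can be dropped, and both gpg tasks use no shell features, so `command:` fits better than `shell:`.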
@@ -97,7 +90,7 @@ - name: Copy OSSEC DEBIAN package scripts to build directory. command: cp -R {{ repo_src_path }}/DEBIAN {{ ossec_build_dir }} -- name: Copy OSEC DEBIAN/control template to build directory. +- name: Copy OSSEC DEBIAN/control template to build directory. template: src: "{{ purpose }}_control.j2" dest: "{{ ossec_build_dir }}/DEBIAN/control" @@ -126,6 +119,7 @@ # config testing after the build is completed. # - "{{ ossec_build_dir }}" - /var/ossec + - /tmp/OSSEC-ARCHIVE-KEY.asc - name: Fetch newly built Debian packages back to localhost. fetch: From 36a989a5c8f1da5d85aa8d84939f883123848b97 Mon Sep 17 00:00:00 2001 From: Mickael E Date: Fri, 7 Sep 2018 12:52:07 -0400 Subject: [PATCH 3/5] Update ossec registration logic for 3.0 - Generate and use shared secret which is required for agent registration - agent-auth now returns 0 when registration failure occurs --- .../roles/ossec/tasks/register.yml | 30 ++++++++++++++++++- 1 file changed, 29 insertions(+), 1 deletion(-) diff --git a/install_files/ansible-base/roles/ossec/tasks/register.yml b/install_files/ansible-base/roles/ossec/tasks/register.yml index 8b46df4a31..7733447c96 100644 --- a/install_files/ansible-base/roles/ossec/tasks/register.yml +++ b/install_files/ansible-base/roles/ossec/tasks/register.yml 
@@ -61,6 +61,31 @@ - ossec_is_client - not ossec_agent_already_registered +# Ossec 3.0 now defaults to requiring a shared secret for agent authentication. +# Disabling authentication is broken for authd in ossec 3.0. Registering agents +# requires a 32 hex character password with a line feed appended to the +# password file (see: https://github.com/ossec/ossec-hids/issues/1472) +- name: Generate authd shared secret + set_fact : + ossec_registration_secret: "{{ lookup('pipe', 'head -c 32 /dev/urandom | md5sum | tr -d \" -\" | sed \"$d\"') }}" + delegate_to: localhost + delegate_facts: True + when: + - not ossec_agent_already_registered + +- name: Copy authd shared secret + copy: + content: "{{ hostvars['localhost']['ossec_registration_secret'] }}" + dest: /var/ossec/etc/authd.pass + mode: 440 + when: + - not ossec_agent_already_registered + +- name: Append carriage return to auth file + command: sed -ie 's/$/\n/' /var/ossec/etc/authd.pass + when: + - not ossec_agent_already_registered + - name: Start authd. shell: /var/ossec/bin/ossec-authd -i {{ app_ip }} -p 1515 >/dev/null 2>&1 & async: 0 @@ -86,11 +111,14 @@ with_items: "{{ authd_iprules }}" when: not ossec_agent_already_registered +# agent-auth now returns 0 if registration fails (https://github.com/ossec/ossec-hids/issues/1491) - name: Register OSSEC agent. - command: /var/ossec/bin/agent-auth -m {{ monitor_ip }} -p 1515 -A {{ app_hostname }} + command: /var/ossec/bin/agent-auth -m {{ monitor_ip }} -p 1515 -A {{ app_hostname }} -P /var/ossec/etc/authd.pass + register: ossec_agent_registration_result when: - ossec_is_client - not ossec_agent_already_registered + failed_when: "'INFO: Valid key created. Finished.' not in ossec_agent_registration_result.stdout" # If the OSSEC agent auth iptable rule exemptions are in place remove them and # restart OSSEC. This order does matter. The app server's From 04468a51fdbdc68bcec5b882cbd59f4a3c7f4e11 Mon Sep 17 00:00:00 2001 
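Review bot: `mode: 440` on the 'Copy authd shared secret' task is an unquoted YAML integer, which Ansible reads as decimal 440 (octal 0670), so `/var/ossec/etc/authd.pass` ends up group-writable and executable instead of read-only; write it as `mode: "0440"`. The 'Append carriage return to auth file' task runs `sed -ie`, which GNU sed parses as `-i` with backup suffix `e`, leaving a second copy of the secret at `/var/ossec/etc/authd.passe`; the task can be removed entirely by writing `content: "{{ hostvars['localhost']['ossec_registration_secret'] }}\n"` in the copy task, which also satisfies the line-feed requirement the comment cites. In the `set_fact` pipeline, `sed \"$d\"` reaches the shell as `sed "$d"`, where `$d` expands to an empty string before sed runs, so that stage appears to be a no-op and can be dropped.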
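Review bot: The `failed_when` added to 'Register OSSEC agent.' replaces the default exit-code check rather than adding to it, so a future agent-auth that again returns non-zero on failure would only be caught if it also omitted the success sentence. Combine the two conditions: `failed_when: "ossec_agent_registration_result.rc != 0 or 'INFO: Valid key created. Finished.' not in ossec_agent_registration_result.stdout"`. Whether agent-auth prints that line on stdout or stderr is not visible here and should be confirmed, since a stderr message would make the check fail on every run.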
From: mickael e Date: Tue, 11 Sep 2018 11:58:02 -0400 Subject: [PATCH 4/5] Replace mon server alias and smtp_server with ip Due to issues with ossec 2.8.2+ and disabling of the ipv6 stack, name lookups can't `getaddrinfo: Name or service not known`. Using ip addresses in lieu of aliases sidesteps the issue. - Since ossec.conf is not templated, securedrop-ossec agent and server will replace these values as part of the postinst. --- install_files/securedrop-ossec-agent/DEBIAN/postinst | 7 ++++++- install_files/securedrop-ossec-server/DEBIAN/postinst | 4 ++++ 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/install_files/securedrop-ossec-agent/DEBIAN/postinst b/install_files/securedrop-ossec-agent/DEBIAN/postinst index fe8c73abf9..a7cb92fe18 100755 --- a/install_files/securedrop-ossec-agent/DEBIAN/postinst +++ b/install_files/securedrop-ossec-agent/DEBIAN/postinst @@ -18,7 +18,11 @@ set -e case "$1" in configure) - service ossec restart + # Replace monitor server domain name by ip address due to + # https://github.com/ossec/ossec-hids/issues/1145 + mon_ip=$(grep -oP "^\\d+\.\\d+\.\\d+\.\\d+(?=.*securedrop-monitor-server-alias)" /etc/hosts) + sed -i -e "s/securedrop-monitor-server-alias<\/server-hostname>/$mon_ip<\/server-ip>/g" /var/ossec/etc/ossec.conf + service ossec restart ;; abort-upgrade|abort-remove|abort-deconfigure) @@ -28,6 +32,7 @@ case "$1" in echo "postinst called with unknown argument \`$1'" >&2 exit 1 ;; + esac # dh_installdeb will replace this with shell code automatically diff --git a/install_files/securedrop-ossec-server/DEBIAN/postinst b/install_files/securedrop-ossec-server/DEBIAN/postinst index 7c9dd576b2..93042b0688 100755 --- a/install_files/securedrop-ossec-server/DEBIAN/postinst +++ b/install_files/securedrop-ossec-server/DEBIAN/postinst 
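Review bot: `mon_ip=$(grep -oP ... /etc/hosts)` has no guard for the two ways the lookup can go wrong: with no matching line grep exits 1 and `set -e` aborts the postinst with no message, and with more than one matching line `mon_ip` holds several addresses separated by newlines, which then go into the sed expression. Take the first match and fail with a reason: `mon_ip=$(grep -m1 -oP "^\\d+\.\\d+\.\\d+\.\\d+(?=.*securedrop-monitor-server-alias)" /etc/hosts) || { echo "no securedrop-monitor-server-alias entry in /etc/hosts" >&2; exit 1; }`. As rendered here the sed expression shows only closing tags (`<\/server-hostname>`, `<\/server-ip>`), which looks like the opening tags were stripped in extraction rather than a defect in the patch; worth confirming against the raw file.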
@@ -29,6 +29,10 @@ case "$1" in chown root:${GROUP} ${OSSEC_HOME}/rules/local_rules.xml chmod 440 ${OSSEC_HOME}/rules/local_rules.xml + # Replace localhost with 127.0.0.1 for smtp_server due to + # https://github.com/ossec/ossec-hids/issues/1145 + sed -i -e "s/localhost<\/smtp_server>/127.0.0.1<\/smtp_server>/g" /var/ossec/etc/ossec.conf + # Restart OSSEC to load the new configs. service ossec restart ;; From bddc30d5541325812981e566a7828c7df173f3d3 Mon Sep 17 00:00:00 2001 From: Mickael E Date: Tue, 2 Oct 2018 17:02:48 -0400 Subject: [PATCH 5/5] Remove client.keys An empty client.keys was overwriting /var/ossec/etc/client.keys with an empty one, breaking the registration between client and server. Removing the empty client.keys prior to building will ensure the keys are preserved during an upgrade. --- .../ansible-base/roles/build-ossec-deb-pkg/tasks/main.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/install_files/ansible-base/roles/build-ossec-deb-pkg/tasks/main.yml b/install_files/ansible-base/roles/build-ossec-deb-pkg/tasks/main.yml index 52bd1c1066..0228a6fced 100644 --- a/install_files/ansible-base/roles/build-ossec-deb-pkg/tasks/main.yml +++ b/install_files/ansible-base/roles/build-ossec-deb-pkg/tasks/main.yml @@ -84,6 +84,11 @@ - "{{ ossec_build_dir }}" - "{{ ossec_build_dir }}/var" +- name: Remove client.keys to avoid overwriting existing client.keys + file: + state: absent + dest: /var/ossec/etc/client.keys + - name: Copy /var/ossec/ to OSSEC build directory. command: cp -R /var/ossec {{ ossec_build_dir }}/var/