freedomofpress · msheiny · Oct 3, 2018 · Aug 21, 2018 · Aug 21, 2018 · Sep 7, 2018
@@ -8,9 +8,9 @@ ip_info:
 local_deb_packages:
   - "securedrop-keyring-0.1.2+{{ securedrop_app_code_version }}-amd64.deb"
   - "securedrop-config-0.1.1+{{ securedrop_app_code_version }}-amd64.deb"
-  - "securedrop-ossec-agent-2.8.2+{{ securedrop_app_code_version }}-amd64.deb"
+  - "securedrop-ossec-agent-3.0.0+{{ securedrop_app_code_version }}-amd64.deb"
   - "{{ securedrop_app_code_deb }}.deb"
-  - "ossec-agent-2.8.2-amd64.deb"
+  - "ossec-agent-3.0.0-amd64.deb"
 
 # Configuring the tor hidden services
 tor_instances:

@@ -8,8 +8,8 @@ ip_info:
 local_deb_packages:
   - "securedrop-keyring-0.1.2+{{ securedrop_app_code_version }}-amd64.deb"
   - "securedrop-config-0.1.1+{{ securedrop_app_code_version }}-amd64.deb"
-  - "securedrop-ossec-server-2.8.2+{{ securedrop_app_code_version }}-amd64.deb"
-  - ossec-server-2.8.2-amd64.deb
+  - "securedrop-ossec-server-3.0.0+{{ securedrop_app_code_version }}-amd64.deb"
+  - ossec-server-3.0.0-amd64.deb
 
 # Configure the tor hidden services. The Monitor server has only one,
 # for SSH, since no web interfaces.

@@ -2,7 +2,7 @@
 build_ossec_deb_pkg_dependencies: []
 
 ossec_server_hostname: ossec-server
-ossec_version: 2.8.2
+ossec_version: 3.0.0
 # Parent directory for performing build operations. All files related
 # to build, including source tarball, will be created inside this dir.
 build_path: /tmp/build
@@ -21,3 +21,5 @@ ossec_build_rsync_generic_opts:
 # See explanation from b291059d556d6cdb11c8ab8d68eab96436cb9f69
 ossec_build_rsync_ansible_hack_opt:
   - "--rsync-path='sudo rsync'"
+
+ossec_source_checksum: sha256:a271d665ed502b3df4ff055a177159dfc0bc8a69dd44eab1f7c57fe8fff42a98
@@ -0,0 +1,52 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v2
+
+mQINBE15UXUBEAChQfKBpWvjFhqplrnqHNqUuk5hubtcsn95ftpYlj8p8n8mFzn/
+a62yhRV28sT76+ZCrcxYfcZJtiGEXbU0nkzKPh9WOpmG46kyX24dcsVFe/BJ1FrE
+7XGJrr56g1BdrM6rvblFEjF//No9MmNxVt8fJRNMqbLgRjsvUCRJ10nN1KwSgusk
+AyPSTn2KuI1opRf+9chxvtk2zFSFbUo6NFZREis3Aib5oxpddzxO2c93JuDSJKYb
+6zitesjptfT4lIo7+1xU+XVDe7upXbl+OX56RyHLSV+HIA9k7wkcBsXoAnqN5C4N
+/yhZzFK7sEzWbPjiFSpKInv+DnFI+Mua/Img3++dhgtCeVj9XL23vSIqDFOnanoa
+iSwRNr5eiZJfkYIbbb0r1azCZ3+Cx07OLRFn4PjbqnPpsZTRTRJy7qoRLUrpeREn
+I5YlRHeWE+vJYHFTDcpd7GDtghhx5ZDpq0E1obpbOpdio0M8pdU4X0V+RvOFqbbw
+oysfw2ZkNdfS1z9TpYJfPgPrcPMZo1Ar6oucEXvvbHSsmcR7f3LNo/Z8KK7FpLXi
+V37tNcoXfnDkLNe8ZmeIRO/oUI0FS7fjnNOThkm5yQAK5elfnHCsvPsOCu0+dwZs
+5Nl3yMnZHoEq+xxDMHJ1nxCVdVCmQk/4I7jKixCmKDPyi6+Ts/7Oahmg8wARAQAB
+tCRTY290dCBSLiBTaGlubiA8c2NvdHRAYXRvbWljb3JwLmNvbT6JAjgEEwECACIF
+Ak15UXUCGwMGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJEO4bDmstg4e3SKAP
+/A4kXvRa67+U5a0Is1mcNiCeVl/e8eEI+3n5pfScYaXb5EnGBxXhZlhD+7XhoUl1
+91WWGvItinW05KNNOr19LLilWFfqLMOihIxKVpAaoS2QP8nDVormplstq/9rFSnt
+X2OwO3giMk+ojqH9ong+aG/NudmUlDyXTxaSe+ik5olijv+O5riIyStidBV6SJuE
+G1cAOYc4qXughxit8yQ/QhXiQygWCyfnGhYD5fMOF9VXUooEIStQypeqDaKS0VOZ
+DkSUTyKJGq4kE+LFDJGVTNKhnoLPXMWhNeG5GQzIHaD7N/JW6d2+FJIoPX77unty
+7TPBpDNnHFJQmjteQBNJP2dQu0nN5VL32AK3sevcu/hC0gt//pdX5QKRXFZwoS5b
+vWs/HykJqv2j41Ia/uxfCa++AzOiatBKVO2V/4TRSacKTyqagA1OLsoFNjX6BQxh
+7+tymzqqrlnF9xrZbxgm6d711J/ysfLJNSgus8UzUSiZgOJZqYYfOZDAU2Q2ruYB
+5m4xO+SAO3UZ0hXi/4RlYF88rvRH412RfPeL42Gvombxja/XUrhFrCdUctdtD9UK
+Hbrkg2RpgOWwUng9THZ4u99Xhot+u+j1DwV4n3FZ3Uq/AyXYB2GPuRfBKy6ZScu4
+9ABpQv4ewk1M5DDeGWL0Wu3rlIAPQtl6zmQfzgVJjuBjuQINBE15UXUBEACcxvD2
+d1IYgBnOTiD3wCunkWYvDL8EGy01+aGZ9bbJV4lqM/WCcp9X0QcdMJwaC86m0J3S
+BjPvQ6PW7JJWlA+14Alkyt2yTk6gZDijFGCRBkJ7NISoUgE+hiLqhmVsxa9nEDAX
+pU1LP5dCztHJgHp/2PE2BGjsTSjTF1+0Lp5jpAlV2VOBQN90xi07TQizv+UCcmbQ
+LG/YeDH88wQpCpV3BNdCLMAQA/M6KUVFooQH2GlsIcxjG5SaohVUcYVh5ZyR0eLp
+FnDFGvgauQTIYBCT87XRoLy6ioB6QGja+eg89Q0nwqY+DYc4/bYg32X/6coCpnIU
+FDnYy0MUYAoOevoxIwF5+yAGzY63p2VOP0lhW8jXy6h7MR+qGNMNPae3GbnDUO2/
+Q1o3IZJy+elmqlUnIkj88o4+WbpgPQ5FOxnSPltdiwd9ntvVqr5WzSlN4EsEDg6L
+B/2KuLDg8J8tP2V32XcI6lDbdKiQBvYSaWZBY4wus6m7VH5ALvt7K9dtbR+46lSs
+lS9aNQzUttDYJs3/uvvQRfHwdeRgRkR6qCPtfoiI6ceV7e30aOGlwR+Vj8hlTVga
+EyKXiA8JH9xOUFdrKjxjNPKmukilekKhST+WQsCssdDqeYgrVRIrTvYN9gm4FXSQ
+XjIkzoMssBIj4affSbfV/nszf2NlfsXq/oaJzQARAQABiQIfBBgBAgAJBQJNeVF1
+AhsMAAoJEO4bDmstg4e3zqAP/Rk3VKTqDLZFEV2PvarRR2Zai0Wtu7PTBtSzNp0f
+CGxioTkJg2Wesidjbv9OFPQQ/eywuFz0LbEuCTLVivzdJHIHYL1VjnFaNqI2Sf4L
+4DRIInaW49D1HgfzZb6KZuEpoLpHSRRDTmQ/fpuSKxEXfl3pHb3Nu3yBdbCHxrsN
+IvBnbvUV5/uHYWhZA5M9AanvKxMwMbgNn9EyydvvGEuAk+QFLHg4ab7t8DqDFFkd
+jvQQ64axouMmNUWpPP51+xljyoPj4n+6EPBz9sQ4kaHbMREescHZQPA696EDw2dx
+kjiMwUEnX3JYDSZHDabAow0S5/YTBuLNBSDCO8EvFTk8wQQhQi+LgHJP5aLTYApI
+/4QDgu6ECmcKaQjLcXFOv2BATeD53KXLZsq9OEH5Evy+AVDB/2R29vR/4seNXtUL
+EZDmBTvV6r3ZRucldYRkcQVed6J8nliMgYSD4dNMC/FaNJxtBD7stiyv93UlK4dR
+tlacBeslB21zon5/FR+BhsmAYrjM7zl2m2Fo9OPZgDLdVu7J+mtZuhYYkn4QtzHm
+UnH72clVgzOB/ovQvBSwXiO1YjizL21C1UYJv1bm9K0PZJk6jNZ81w6FVow9iZ3B
+twPqoczPIOB/ANwsg6tuTG79/TTRYUkQag1x69wxMYBAoEmmt3fC64Fb00io7P7T
+C/gz
+=L8tQ
+-----END PGP PUBLIC KEY BLOCK-----
@@ -14,7 +14,7 @@
   ossec_version:
     description:
       - version number of release to download
-    default: "2.8.2"
+    default: "3.0.0"
     required: no
 notes:
   - The OSSEC version to download is hardcoded to avoid surprises.
@@ -23,76 +23,54 @@
 '''
 EXAMPLES = '''
 - ossec_urls:
-    ossec_version: "2.8.2"
+    ossec_version: "3.0.0"
 '''
 
-import re  # noqa: E402
+import re  # noqa: F401
 
 
 HAS_REQUESTS = True
 try:
-    import requests
+    import requests  # noqa: F401
 except ImportError:
     HAS_REQUESTS = False
 
 
 class OSSECURLs():
 
     def __init__(self, ossec_version):
+        self.REPO_URL = "https://github.com/ossec/ossec-hids"
         self.ossec_version = ossec_version
-
-        checksums = self.parse_checksums()
-
         self.ansible_facts = dict(
             ossec_version=self.ossec_version,
             ossec_tarball_filename=self.ossec_tarball_filename,
             ossec_tarball_url=self.ossec_tarball_url,
-            ossec_checksum_filename=self.ossec_checksum_filename,
-            ossec_checksum_url=self.ossec_checksum_url,
+            ossec_signature_filename=self.ossec_signature_filename,
+            ossec_signature_url=self.ossec_signature_url,
             )
 
-        self.ansible_facts.update(checksums)
-
     @property
     def ossec_tarball_filename(self):
         return "ossec-hids-{}.tar.gz".format(self.ossec_version)
 
     @property
     def ossec_tarball_url(self):
-        return "https://github.com/ossec/ossec-hids/archive/{}.tar.gz".format(
-                self.ossec_version)
+        return self.REPO_URL + "/archive/{}.tar.gz".format(self.ossec_version)
 
     @property
-    def ossec_checksum_url(self):
-        return "https://github.com/ossec/ossec-hids/releases/download/{}/{}".format(  # noqa: E501
-                self.ossec_version, self.ossec_checksum_filename)
+    def ossec_signature_url(self):
+        return self.REPO_URL + "/releases/download/{}/{}".format(
+                self.ossec_version, self.ossec_signature_filename)
 
     @property
-    def ossec_checksum_filename(self):
-        return "{}-checksum.txt".format(self.ossec_tarball_filename)
-
-    def parse_checksums(self):
-        r = requests.get(self.ossec_checksum_url)
-        checksum_regex = re.compile(r'''
-                                    ^MD5\(
-                                    '''
-                                    + re.escape(self.ossec_tarball_filename) +
-                                    r'''\)=\s+(?P<ossec_md5_checksum>[0-9a-f]{32})\s+
-                                    SHA1\(
-                                    '''
-                                    + re.escape(self.ossec_tarball_filename) +
-                                    r'''\)=\s+(?P<ossec_sha1_checksum>[0-9a-f]{40})$
-                                    ''', re.VERBOSE | re.MULTILINE
-                                    )
-        checksum_list = r.content.rstrip()
-        results = re.match(checksum_regex, checksum_list).groupdict()
-        return results
+    def ossec_signature_filename(self):
+        return "ossec-hids-{}.tar.gz.asc".format(self.ossec_version)
 
 
 def main():
     module = AnsibleModule(  # noqa: F405
         argument_spec=dict(
-            ossec_version=dict(default="2.8.2"),
+            ossec_version=dict(default="3.0.0"),
         ),
         supports_check_mode=False
     )

@@ -31,30 +31,23 @@
   get_url:
     url: "{{ ossec_tarball_url }}"
     dest: "{{ build_path }}/{{ ossec_tarball_filename }}"
+    checksum: "{{ ossec_source_checksum }}"
 
-- name: Gather checksum info for downloaded tarball.
-  stat:
-    path: "{{ build_path }}/{{ ossec_tarball_filename }}"
-    get_md5: yes
-  register: ossec_download
-
-- name: Fail if MD5 and SHA1 checksums for tarball are not correct.
-  fail:
-    msg: >
-      The checksums for {{ ossec_tarball_filename }} do not match.
-      Both MD5 and SHA1 checksums were inspected. The checksums
-      used for the inspection where:
-        MD5: {{ ossec_md5_checksum }}
-        SHA1: {{ ossec_sha1_checksum }}
-
-      The checksums found were:
-        MD5: {{ ossec_download.stat.md5 }}
-        SHA1: {{ ossec_download.stat.checksum }}
-
-      Try rerunning the playbook to download the files again.
-  when: not (ossec_download.stat.exists and
-             ossec_download.stat.md5 == "{{ ossec_md5_checksum }}" and
-             ossec_download.stat.checksum == "{{ ossec_sha1_checksum }}")
+- name: Download OSSEC signature.
+  get_url:
+    url: "{{ ossec_signature_url }}"
+    dest: "{{ build_path }}/{{ ossec_signature_filename }}"
+
+- name: Copy OSSEC archive GPG key.
+  copy: src=../files/OSSEC-ARCHIVE-KEY.asc dest=/tmp/OSSEC-ARCHIVE-KEY.asc
+
+- name: Import OSSEC archive GPG key.
+  shell: "gpg --import /tmp/OSSEC-ARCHIVE-KEY.asc"
+
+- name: Verify signature of OSSEC tarball.
+  shell: "gpg --verify {{ build_path }}/{{ ossec_signature_filename }}"
+  register: ossec_verification_return_code
+  failed_when: ossec_verification_return_code.rc != 0
 
 - name: Install apt dependencies for building OSSEC packages.
   apt:
@@ -91,13 +84,18 @@
     - "{{ ossec_build_dir }}"
     - "{{ ossec_build_dir }}/var"
 
+- name: Remove client.keys to avoid overwriting existing client.keys
+  file:
+    state: absent
+    dest: /var/ossec/etc/client.keys
+
 - name: Copy /var/ossec/ to OSSEC build directory.
   command: cp -R /var/ossec {{ ossec_build_dir }}/var/
 
 - name: Copy OSSEC DEBIAN package scripts to build directory.
   command: cp -R {{ repo_src_path }}/DEBIAN {{ ossec_build_dir }}
 
-- name: Copy OSEC DEBIAN/control template to build directory.
+- name: Copy OSSEC DEBIAN/control template to build directory.
   template:
     src: "{{ purpose }}_control.j2"
     dest: "{{ ossec_build_dir }}/DEBIAN/control"
@@ -126,6 +124,7 @@
     # config testing after the build is completed.
     # - "{{ ossec_build_dir }}"
     - /var/ossec
+    - /tmp/OSSEC-ARCHIVE-KEY.asc
 
 - name: Fetch newly built Debian packages back to localhost.
   fetch:

@@ -61,6 +61,31 @@
     - ossec_is_client
     - not ossec_agent_already_registered
 
+# Ossec 3.0 now defaults to requiring a shared secret for agent authentication.
+# Disabling authentication is broken for authd in ossec 3.0. Registering agents
+# requires a 32 hex character password with a line feed appended to the
+# password file (see: https://github.com/ossec/ossec-hids/issues/1472)
+- name: Generate authd shared secret
+  set_fact :
+    ossec_registration_secret: "{{ lookup('pipe', 'head -c 32 /dev/urandom | md5sum | tr -d \" -\" | sed \"$d\"') }}"
+  delegate_to: localhost
+  delegate_facts: True
+  when:
+    - not ossec_agent_already_registered
+
+- name: Copy authd shared secret
+  copy:
+    content: "{{ hostvars['localhost']['ossec_registration_secret'] }}"
+    dest: /var/ossec/etc/authd.pass
+    mode: 440
+  when:
+    - not ossec_agent_already_registered
+
+- name: Append carriage return to auth file
+  command: sed -ie 's/$/\n/' /var/ossec/etc/authd.pass
+  when:
+    - not ossec_agent_already_registered
+
 - name: Start authd.
   shell: /var/ossec/bin/ossec-authd -i {{ app_ip }} -p 1515 >/dev/null 2>&1 &
   async: 0
@@ -86,11 +111,14 @@
   with_items: "{{ authd_iprules }}"
   when: not ossec_agent_already_registered
 
+# agent-auth now returns 0 if registration fails (https://github.com/ossec/ossec-hids/issues/1491)
 - name: Register OSSEC agent.
-  command: /var/ossec/bin/agent-auth -m {{ monitor_ip }} -p 1515 -A {{ app_hostname }}
+  command: /var/ossec/bin/agent-auth -m {{ monitor_ip }} -p 1515 -A {{ app_hostname }} -P /var/ossec/etc/authd.pass
+  register: ossec_agent_registration_result
   when:
     - ossec_is_client
     - not ossec_agent_already_registered
+  failed_when: "'INFO: Valid key created. Finished.' not in ossec_agent_registration_result.stdout"
 
 # If the OSSEC agent auth iptable rule exemptions are in place remove them and
 # restart OSSEC. This order does matter. The app server's

@@ -1,4 +1,4 @@
 DIRECTORY="/var/ossec"
-VERSION="v2.8.2"
-DATE="Thu Jun 11 11:39:25 PDT 2015"
+VERSION="v3.0.0"
+DATE="Tue Aug 21 10:52:11 PDT 2018"
 TYPE="agent"
@@ -1,3 +1,10 @@
+ossec-agent (3.0.0) unstable; urgency=low
+
+  [ SecureDrop Team ]
+  * Release Notes https://github.com/ossec/ossec-hids/releases/tag/3.0.0
+
+ -- SecureDrop Team <[email protected]>  Tue, 21 Aug 2018 10:43:47 -0700
+
 ossec-agent (2.8.2) unstable; urgency=low
 
   [ SecureDrop Team ]
@@ -8,6 +15,6 @@ ossec-agent (2.8.2) unstable; urgency=low
 ossec-agent (2.8.1) unstable; urgency=low
 
   [ James Dolan ]
-  * Initial release 
+  * Initial release
 
  -- James Dolan <[email protected]>  Fri, 14 Mar 2014 15:46:57 -0700
@@ -1,4 +1,4 @@
 DIRECTORY="/var/ossec"
-VERSION="v2.8.2"
-DATE="Thu Jun 11 11:39:25 PDT 2015"
+VERSION="v3.0.0"
+DATE="Tue Aug 21 10:52:11 PDT 2018"
 TYPE="server"
@@ -1,3 +1,10 @@
+ossec-server (3.0.0) unstable; urgency=low
+
+  [ SecureDrop Team ]
+  * Release Notes https://github.com/ossec/ossec-hids/releases/tag/3.0.0
+
+ -- SecureDrop Team <[email protected]>  Tue, 21 Aug 2018 10:43:47 -0700
+
 ossec-server (2.8.2) unstable; urgency=low
 
   [ SecureDrop Team ]

@@ -4,7 +4,7 @@ Priority: optional
 Maintainer: SecureDrop Team <[email protected]>
 Homepage: https://securedrop.org
 Package: securedrop-ossec-agent
-Version: 2.8.2+0.10.0~rc1
+Version: 3.0.0+0.10.0~rc1
 Architecture: amd64
 Depends: ossec-agent,securedrop-keyring,securedrop-config
 Replaces: ossec-agent

@@ -18,7 +18,11 @@ set -e
 
 case "$1" in
     configure)
-        service ossec restart
+	    # Replace monitor server domain name by ip address due to
+	    #  https://github.com/ossec/ossec-hids/issues/1145
+	    mon_ip=$(grep -oP "^\\d+\.\\d+\.\\d+\.\\d+(?=.*securedrop-monitor-server-alias)" /etc/hosts)
+	    sed -i -e "s/<server-hostname>securedrop-monitor-server-alias<\/server-hostname>/<server-ip>$mon_ip<\/server-ip>/g" /var/ossec/etc/ossec.conf
+	    service ossec restart
     ;;
 
     abort-upgrade|abort-remove|abort-deconfigure)
@@ -28,6 +32,7 @@ case "$1" in
         echo "postinst called with unknown argument \`$1'" >&2
         exit 1
     ;;
+
 esac
 
 # dh_installdeb will replace this with shell code automatically

@@ -1,5 +1,11 @@
+securedrop-ossec-agent (3.0.0) unstable; urgency=low
+
+  * Upgrade to ossec 3.0
+
+ -- SecureDrop Team <[email protected]>  Tue, 21 Aug 2018 11:43:47 -0700
+
 securedrop-ossec-agent (2.8.1) unstable; urgency=low
 
-  * Initial release 
+  * Initial release
 
  -- James Dolan <[email protected]>  Fri, 14 Mar 2014 15:46:57 -0700