Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Updated logs playbook to clean up unencrypted tarballs #4596

Merged
merged 1 commit into from
Jul 8, 2019
Merged

Updated logs playbook to clean up unencrypted tarballs #4596

merged 1 commit into from
Jul 8, 2019

Conversation

zenmonkeykstop
Copy link
Contributor

Status

Ready for review

Description of Changes

Fixes #4593

Updates securedrop-logs.yml to delete unencrypted tarballs from the servers and Admin Workstation.

Testing

On a VM or HW production instance, via the Admin Workstation:

  • verify that ./securedrop-admin logs completes without error
  • verify that the unencrypted tarballs do not exist in ~/Persistent/securedrop/install_files/ansible-base
  • verify that the unencrypted tarballs do not exist in the server admin home directory for either the Application or Monitor Server.
  • if you have access to the necessary key, verify that the encrypted tarballs can be decrypted.

Deployment

Deployed when workstation USBs are updated.

Checklist

If you made changes to securedrop-admin:

  • Linting and tests (make -C admin test) pass in the admin development container

If you made non-trivial code changes:

  • I have written a test plan and validated it for this PR

@zenmonkeykstop zenmonkeykstop force-pushed the 4593-admin-logs-cleanup branch from 9f808ed to d51530e Compare July 7, 2019 19:37
@codecov-io
Copy link

Codecov Report

Merging #4596 into develop will not change coverage.
The diff coverage is n/a.

Impacted file tree graph

@@           Coverage Diff            @@
##           develop    #4596   +/-   ##
========================================
  Coverage    82.63%   82.63%           
========================================
  Files           45       45           
  Lines         3116     3116           
  Branches       337      337           
========================================
  Hits          2575     2575           
  Misses         455      455           
  Partials        86       86

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update d53ab5c...d51530e. Read the comment docs.

kushaldas
kushaldas suggested changes Jul 8, 2019
View reviewed changes
Copy link
Contributor

@kushaldas kushaldas left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Everything else works, but I think it is encrypted with a different key.

$ gpg -d securedrop-logs-app-20190708T063445.tar.gz.gpg > sd-logs.tar.gz
gpg: encrypted with 4096-bit RSA key, ID EECE0DDC6DCB11EF, created 2015-03-16
      "Freedom of the Press Foundation <[email protected]>"

@zenmonkeykstop
Copy link
Contributor Author

@kushaldas I didn't change the encryption key - it should be the one with fingerprint 734F6E707434ECA6C007E1AE82BD6C9616DABB79

@kushaldas
Copy link
Contributor

kushaldas commented Jul 8, 2019
edited
Loading

@kushaldas I didn't change the encryption key - it should be the one with fingerprint 734F6E707434ECA6C007E1AE82BD6C9616DABB79

I think we found a bug, @conorsch according to my system that is not the support key, but, the other key we use. Can you please confirm? I was wrong, thank you @emkll.

kushaldas
kushaldas approved these changes Jul 8, 2019
View reviewed changes
Copy link
Contributor

@kushaldas kushaldas left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

  • verify that ./securedrop-admin logs completes without error
  • verify that the unencrypted tarballs do not exist in ~/Persistent/securedrop/install_files/ansible-base
  • verify that the unencrypted tarballs do not exist in the server admin home directory for either the Application or Monitor Server.
  • if you have access to the necessary key, verify that the encrypted tarballs can be decrypted.

Approved. 🌈

@kushaldas kushaldas merged commit 87e0828 into freedomofpress:develop Jul 8, 2019
@redshiftzero redshiftzero mentioned this pull request Jul 8, 2019
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kushaldas kushaldas kushaldas approved these changes

@conorsch conorsch Awaiting requested review from conorsch

@emkll emkll Awaiting requested review from emkll

@heartsucker heartsucker Awaiting requested review from heartsucker

@msheiny msheiny Awaiting requested review from msheiny

@redshiftzero redshiftzero Awaiting requested review from redshiftzero

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

securedrop-admin logs command should clean up logs from admin workstation and server after task completion
3 participants
@zenmonkeykstop @codecov-io @kushaldas