
Commit 57cb87a

Merge pull request #5330 from rocodes/5265-ossec-gpg-perms
configure OSSEC server gnupg directory permissions in securedrop-osse…
2 parents cf7d1ef + c639a03 commit 57cb87a

2 files changed

Lines changed: 6 additions & 39 deletions


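--- a/install_files/ansible-base/roles/ossec/tasks/configure_server.yml
+++ b/install_files/ansible-base/roles/ossec/tasks/configure_server.yml
@@ -20,44 +20,6 @@
 tags:
 - gpg
 
-- name: Check if GPG homedir already exists.
-stat:
-path: /var/ossec/.gnupg
-register: gpg_homedir_status
-tags:
-- gpg
-
-- name: Ensure correct permissions on OSSEC GPG homedir if it exists.
-file:
-state: directory
-path: /var/ossec/.gnupg
-mode: "0700"
-owner: ossec
-group: "{{ ossec_group }}"
-when: gpg_homedir_status.stat.exists
-tags:
-- gpg
-
-- name: Check if .gpg files have been created yet in the GPG homedir.
-stat:
-path: "/var/ossec/.gnupg/{{ item }}"
-with_items: "{{ gpg_keyring_files }}"
-register: gpg_keyring_status
-tags:
-- gpg
-
-- name: Ensure correct permissions on contents of OSSEC GPG homedir.
-file:
-state: file
-path: "/var/ossec/.gnupg/{{ item.item }}"
-mode: "0600"
-owner: ossec
-group: "{{ ossec_group }}"
-with_items: "{{ gpg_keyring_status.results }}"
-when: item.stat.exists
-tags:
-- gpg
-
 - name: Add the OSSEC GPG public key to the OSSEC manager keyring.
 # multiline format for command module, since this is a long command
 command: >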

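--- a/install_files/securedrop-ossec-server/DEBIAN/postinst
+++ b/install_files/securedrop-ossec-server/DEBIAN/postinst
@@ -28,7 +28,12 @@ case "$1" in
 
 chown root:${GROUP} ${OSSEC_HOME}/rules/local_rules.xml
 chmod 440 ${OSSEC_HOME}/rules/local_rules.xml
-
+
+# Ensure correct gnupg directory permissions and ownership
+chown -R ossec:${GROUP} ${OSSEC_HOME}/.gnupg
+find ${OSSEC_HOME}/.gnupg -type f -exec chmod 600 {} \;
+find ${OSSEC_HOME}/.gnupg -type d -exec chmod 700 {} \;
+
 # Replace localhost with 127.0.0.1 for smtp_server due to
 # https://github.com/ossec/ossec-hids/issues/1145
 sed -i -e "s/<smtp_server>localhost<\/smtp_server>/<smtp_server>127.0.0.1<\/smtp_server>/g" /var/ossec/etc/ossec.conf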
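Review bot: The new `chown -R` and the two `find` calls (new lines 33–35) run unconditionally, so on a host where `${OSSEC_HOME}/.gnupg` does not exist yet they exit non-zero; if this postinst runs under `set -e` (its header is outside the hunk, so I cannot confirm) that aborts package configuration, and otherwise it just prints errors into the install log. The Ansible tasks removed in configure_server.yml guarded the equivalent work with `when: gpg_homedir_status.stat.exists`, and that guard is worth keeping here: wrap the three commands in `if [ -d "${OSSEC_HOME}/.gnupg" ]; then` … `fi`. The enclosing `case "$1" in` block starts before the hunk.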
