# -*- coding: utf-8 -*-
# vim: set syntax=yaml ts=2 sw=2 sts=2 et :
# Per-VM logging setup. Every branch below is selected on the Salt grain
# `id` (the VM name), so a VM only receives the states written for it.
# fpf-apt-test-repo is included because the package state below requires it.
include:
  - fpf-apt-test-repo
{% if "template" in grains['id'] or grains['id'] in ["securedrop-workstation-buster", "whonix-gw-15"] %}
# Install securedrop-log package in TemplateVMs only: any VM whose name
# contains "template", plus the two explicitly listed templates.
# The package is pulled from the repository set up by fpf-apt-test-repo,
# hence the require; trust in that repository (signing key, pinning) is
# presumably established there, not in this state — verify in that sls.
install-securedrop-log-package:
  pkg.installed:
    - pkgs:
      - securedrop-log
    - require:
      - sls: fpf-apt-test-repo
{% endif %}
{% if grains['id'] == "sd-log-buster-template" %}
# The log-server template gets redis (consumed by securedrop-log) and must
# NOT carry the rsyslog client config, so that file is removed here.
install-redis-for-sd-log-template:
  pkg.installed:
    - pkgs:
      - redis-server
      - redis

remove-sd-rsyslog-config-for-logserver:
  file.absent:
    - name: /etc/rsyslog.d/sdlog.conf
{% elif grains['id'] == "sd-log" %}
# Only for the "sd-log" AppVM: drop the custom rsyslog config on boot via
# /rw/config/rc.local and bring up the services the log server needs.
# The block between the markers is replaced on every apply; the same
# markers are reused by the other branches, one block per VM.
sd-log-remove-rsyslog-qubes-plugin:
  file.blockreplace:
    - name: /rw/config/rc.local
    - append_if_not_found: true
    - marker_start: '### BEGIN securedrop-workstation ###'
    - marker_end: '### END securedrop-workstation ###'
    - content: |
        # Removes sdlog.conf file for rsyslog
        rm -f /etc/rsyslog.d/sdlog.conf
        systemctl restart rsyslog
        systemctl start redis
        systemctl start securedrop-log
  # `require` (rather than `onchanges`) means rc.local runs on every state
  # apply, restarting rsyslog each time; switch to `onchanges` if that is
  # not intended.
  cmd.run:
    - name: /rw/config/rc.local
    - require:
      - file: sd-log-remove-rsyslog-qubes-plugin
{% elif grains['id'] == "sd-gpg" %}
# sd-gpg does no logging at all: access to the keyring is already
# logged on the sd-app side, so the rsyslog client config is removed.
sd-gpg-remove-rsyslog-qubes-plugin:
  file.blockreplace:
    - name: /rw/config/rc.local
    - append_if_not_found: true
    - marker_start: '### BEGIN securedrop-workstation ###'
    - marker_end: '### END securedrop-workstation ###'
    - content: |
        # Removes sdlog.conf file for rsyslog
        rm -f /etc/rsyslog.d/sdlog.conf
        systemctl restart rsyslog
  # Runs on every apply, see the sd-log branch.
  cmd.run:
    - name: /rw/config/rc.local
    - require:
      - file: sd-gpg-remove-rsyslog-qubes-plugin
{% elif grains['id'] == "sd-whonix" %}
# The whonix-gw-15 template does not let the package drop its config under
# /etc/rsyslog.d/, so the sdlog.conf shipped with the securedrop-log
# package is staged in /rw/config and symlinked into place from rc.local.
sd-rsyslog-sdlog-conf-for-sd-whonix:
  file.managed:
    - name: /rw/config/sdlog.conf
    - source: 'salt://sdlog.conf'

# /etc/sd-rsyslog.conf is written from rc.local as well; `{{ grains['id'] }}`
# is rendered by Salt when this state is compiled, before rc.local runs.
sd-rc-enable-logging-for-sd-whonix:
  file.blockreplace:
    - name: /rw/config/rc.local
    - append_if_not_found: true
    - marker_start: '### BEGIN securedrop-workstation ###'
    - marker_end: '### END securedrop-workstation ###'
    - content: |
        # Add sd-rsyslog.conf file for syslog
        ln -sf /rw/config/sdlog.conf /etc/rsyslog.d/sdlog.conf
        cat <<EOF > /etc/sd-rsyslog.conf
        [sd-rsyslog]
        remotevm = sd-log
        localvm = {{ grains['id'] }}
        EOF
        systemctl restart rsyslog
  # Runs on every apply, see the sd-log branch.
  cmd.run:
    - name: /rw/config/rc.local
    - require:
      - file: sd-rc-enable-logging-for-sd-whonix
{% else %}
# Every other VM forwards its logs to sd-log.
# NOTE(review): the source ends in .j2 but no `template: jinja` is set, so
# the file is copied verbatim — confirm whether it contains Jinja that is
# expected to be rendered (the sd-whonix branch above interpolates the VM
# name into the same file by hand).
configure-rsyslog-for-sd:
  file.managed:
    - name: /etc/sd-rsyslog.conf
    - source: 'salt://sd-rsyslog.conf.j2'
{% endif %}