@ultimatecoder
Created November 25, 2018 00:02
Log of running `securedrop-admin install` command second time after installation
mnesia@amnesia:~/Persistent/securedrop$ ./securedrop-admin install
INFO: Now installing SecureDrop on remote servers.
INFO: You will be prompted for the sudo password on the servers.
INFO: The sudo password is only necessary during initial installation.
SUDO password:
[DEPRECATION WARNING]: The use of 'include' for tasks has been deprecated. Use 'import_tasks' for static inclusions or 'include_tasks' for dynamic inclusions. This feature will be removed in a future release.
Deprecation warnings can be disabled by setting deprecation_warnings=False in ansible.cfg.
[DEPRECATION WARNING]: include is kept for backwards compatibility but usage is discouraged. The module documentation details page may explain more about this rationale.. This feature will be removed in a
future release. Deprecation warnings can be disabled by setting deprecation_warnings=False in ansible.cfg.
[DEPRECATION WARNING]: default callback, does not support setting 'options', it will work for now, but this will be required in the future and should be updated, see the 2.4 porting guide for details.. This
feature will be removed in version 2.9. Deprecation warnings can be disabled by setting deprecation_warnings=False in ansible.cfg.
PLAY [Ensure validation is run before prod install] ***************************************************************************************************************************************************************
TASK [Gathering Facts] ********************************************************************************************************************************************************************************************
ok: [localhost]
TASK [validate : Confirm host OS is Tails.] ***********************************************************************************************************************************************************************
ok: [localhost] => {
"changed": false,
"msg": "All assertions passed"
}
TASK [validate : Check for persistence volume.] *******************************************************************************************************************************************************************
ok: [localhost] => (item=/live/persistence/TailsData_unlocked/persistence.conf)
ok: [localhost] => (item=/live/persistence/TailsData_unlocked/openssh-client)
ok: [localhost] => (item=/home/amnesia/Persistent/securedrop)
TASK [validate : Confirm persistence volume is configured.] *******************************************************************************************************************************************************
ok: [localhost] => (item={'_ansible_parsed': True, u'stat': {u'isuid': False, u'uid': 115, u'exists': True, u'attr_flags': u'', u'woth': False, u'isreg': True, u'device_type': 0, u'mtime': 1543069060.69599, u'block_size': 4096, u'inode': 14, u'isgid': False, u'size': 359, u'executable': False, u'roth': False, u'charset': u'unknown', u'readable': False, u'version': None, u'pw_name': u'tails-persistence-setup', u'gid': 122, u'ischr': False, u'wusr': True, u'writeable': False, u'isdir': False, u'blocks': 8, u'xoth': False, u'rusr': True, u'nlink': 1, u'issock': False, u'rgrp': False, u'gr_name': u'tails-persistence-setup', u'path': u'/live/persistence/TailsData_unlocked/persistence.conf', u'xusr': False, u'atime': 1543069028.495991, u'mimetype': u'unknown', u'ctime': 1543069060.69599, u'isblk': False, u'xgrp': False, u'dev': 65024, u'wgrp': False, u'isfifo': False, u'mode': u'0600', u'islnk': False, u'attributes': []}, u'changed': False, '_ansible_no_log': False, 'item': u'/live/persistence/TailsData_unlocked/persistence.conf', '_ansible_item_result': True, 'failed': False, u'invocation': {u'module_args': {u'checksum_algorithm': u'sha1', u'get_checksum': True, u'follow': False, u'path': u'/live/persistence/TailsData_unlocked/persistence.conf', u'get_md5': True, u'get_mime': True, u'get_attributes': True}}, '_ansible_ignore_errors': None}) => {
"changed": false,
"item": {
"changed": false,
"failed": false,
"invocation": {
"module_args": {
"checksum_algorithm": "sha1",
"follow": false,
"get_attributes": true,
"get_checksum": true,
"get_md5": true,
"get_mime": true,
"path": "/live/persistence/TailsData_unlocked/persistence.conf"
}
},
"item": "/live/persistence/TailsData_unlocked/persistence.conf",
"stat": {
"atime": 1543069028.495991,
"attr_flags": "",
"attributes": [],
"block_size": 4096,
"blocks": 8,
"charset": "unknown",
"ctime": 1543069060.69599,
"dev": 65024,
"device_type": 0,
"executable": false,
"exists": true,
"gid": 122,
"gr_name": "tails-persistence-setup",
"inode": 14,
"isblk": false,
"ischr": false,
"isdir": false,
"isfifo": false,
"isgid": false,
"islnk": false,
"isreg": true,
"issock": false,
"isuid": false,
"mimetype": "unknown",
"mode": "0600",
"mtime": 1543069060.69599,
"nlink": 1,
"path": "/live/persistence/TailsData_unlocked/persistence.conf",
"pw_name": "tails-persistence-setup",
"readable": false,
"rgrp": false,
"roth": false,
"rusr": true,
"size": 359,
"uid": 115,
"version": null,
"wgrp": false,
"woth": false,
"writeable": false,
"wusr": true,
"xgrp": false,
"xoth": false,
"xusr": false
}
},
"msg": "All assertions passed"
}
ok: [localhost] => (item={'_ansible_parsed': True, u'stat': {u'isuid': False, u'uid': 115, u'exists': True, u'attr_flags': u'', u'woth': False, u'isreg': True, u'device_type': 0, u'mtime': 1543069060.69599, u'block_size': 4096, u'inode': 14, u'isgid': False, u'size': 359, u'executable': False, u'roth': False, u'charset': u'unknown', u'readable': False, u'version': None, u'pw_name': u'tails-persistence-setup', u'gid': 122, u'ischr': False, u'wusr': True, u'writeable': False, u'isdir': False, u'blocks': 8, u'xoth': False, u'rusr': True, u'nlink': 1, u'issock': False, u'rgrp': False, u'gr_name': u'tails-persistence-setup', u'path': u'/live/persistence/TailsData_unlocked/persistence.conf', u'xusr': False, u'atime': 1543069028.495991, u'mimetype': u'unknown', u'ctime': 1543069060.69599, u'isblk': False, u'xgrp': False, u'dev': 65024, u'wgrp': False, u'isfifo': False, u'mode': u'0600', u'islnk': False, u'attributes': []}, u'changed': False, '_ansible_no_log': False, 'item': u'/live/persistence/TailsData_unlocked/openssh-client', '_ansible_item_result': True, 'failed': False, u'invocation': {u'module_args': {u'checksum_algorithm': u'sha1', u'get_checksum': True, u'follow': False, u'path': u'/live/persistence/TailsData_unlocked/persistence.conf', u'get_md5': True, u'get_mime': True, u'get_attributes': True}}, '_ansible_ignore_errors': None}) => {
"changed": false,
"item": {
"changed": false,
"failed": false,
"invocation": {
"module_args": {
"checksum_algorithm": "sha1",
"follow": false,
"get_attributes": true,
"get_checksum": true,
"get_md5": true,
"get_mime": true,
"path": "/live/persistence/TailsData_unlocked/persistence.conf"
}
},
"item": "/live/persistence/TailsData_unlocked/openssh-client",
"stat": {
"atime": 1543069028.495991,
"attr_flags": "",
"attributes": [],
"block_size": 4096,
"blocks": 8,
"charset": "unknown",
"ctime": 1543069060.69599,
"dev": 65024,
"device_type": 0,
"executable": false,
"exists": true,
"gid": 122,
"gr_name": "tails-persistence-setup",
"inode": 14,
"isblk": false,
"ischr": false,
"isdir": false,
"isfifo": false,
"isgid": false,
"islnk": false,
"isreg": true,
"issock": false,
"isuid": false,
"mimetype": "unknown",
"mode": "0600",
"mtime": 1543069060.69599,
"nlink": 1,
"path": "/live/persistence/TailsData_unlocked/persistence.conf",
"pw_name": "tails-persistence-setup",
"readable": false,
"rgrp": false,
"roth": false,
"rusr": true,
"size": 359,
"uid": 115,
"version": null,
"wgrp": false,
"woth": false,
"writeable": false,
"wusr": true,
"xgrp": false,
"xoth": false,
"xusr": false
}
},
"msg": "All assertions passed"
}
ok: [localhost] => (item={'_ansible_parsed': True, u'stat': {u'isuid': False, u'uid': 115, u'exists': True, u'attr_flags': u'', u'woth': False, u'isreg': True, u'device_type': 0, u'mtime': 1543069060.69599, u'block_size': 4096, u'inode': 14, u'isgid': False, u'size': 359, u'executable': False, u'roth': False, u'charset': u'unknown', u'readable': False, u'version': None, u'pw_name': u'tails-persistence-setup', u'gid': 122, u'ischr': False, u'wusr': True, u'writeable': False, u'isdir': False, u'blocks': 8, u'xoth': False, u'rusr': True, u'nlink': 1, u'issock': False, u'rgrp': False, u'gr_name': u'tails-persistence-setup', u'path': u'/live/persistence/TailsData_unlocked/persistence.conf', u'xusr': False, u'atime': 1543069028.495991, u'mimetype': u'unknown', u'ctime': 1543069060.69599, u'isblk': False, u'xgrp': False, u'dev': 65024, u'wgrp': False, u'isfifo': False, u'mode': u'0600', u'islnk': False, u'attributes': []}, u'changed': False, '_ansible_no_log': False, 'item': u'/home/amnesia/Persistent/securedrop', '_ansible_item_result': True, 'failed': False, u'invocation': {u'module_args': {u'checksum_algorithm': u'sha1', u'get_checksum': True, u'follow': False, u'path': u'/live/persistence/TailsData_unlocked/persistence.conf', u'get_md5': True, u'get_mime': True, u'get_attributes': True}}, '_ansible_ignore_errors': None}) => {
"changed": false,
"item": {
"changed": false,
"failed": false,
"invocation": {
"module_args": {
"checksum_algorithm": "sha1",
"follow": false,
"get_attributes": true,
"get_checksum": true,
"get_md5": true,
"get_mime": true,
"path": "/live/persistence/TailsData_unlocked/persistence.conf"
}
},
"item": "/home/amnesia/Persistent/securedrop",
"stat": {
"atime": 1543069028.495991,
"attr_flags": "",
"attributes": [],
"block_size": 4096,
"blocks": 8,
"charset": "unknown",
"ctime": 1543069060.69599,
"dev": 65024,
"device_type": 0,
"executable": false,
"exists": true,
"gid": 122,
"gr_name": "tails-persistence-setup",
"inode": 14,
"isblk": false,
"ischr": false,
"isdir": false,
"isfifo": false,
"isgid": false,
"islnk": false,
"isreg": true,
"issock": false,
"isuid": false,
"mimetype": "unknown",
"mode": "0600",
"mtime": 1543069060.69599,
"nlink": 1,
"path": "/live/persistence/TailsData_unlocked/persistence.conf",
"pw_name": "tails-persistence-setup",
"readable": false,
"rgrp": false,
"roth": false,
"rusr": true,
"size": 359,
"uid": 115,
"version": null,
"wgrp": false,
"woth": false,
"writeable": false,
"wusr": true,
"xgrp": false,
"xoth": false,
"xusr": false
}
},
"msg": "All assertions passed"
}
PLAY [Add FPF apt repository and install base packages.] **********************************************************************************************************************************************************
TASK [Gathering Facts] ********************************************************************************************************************************************************************************************
ok: [app]
ok: [mon]
TASK [Check if install has been done before] **********************************************************************************************************************************************************************
ok: [app -> None]
ok: [mon -> None]
TASK [Include restrict role early when using ssh over localnet] ***************************************************************************************************************************************************
TASK [Seek for existing tor aths ssh files] ***********************************************************************************************************************************************************************
TASK [Delete any aths ssh files found] ****************************************************************************************************************************************************************************
TASK [Force a reboot conditionally, when tor_over_ssh status changed] *********************************************************************************************************************************************
TASK [Provide helpful user message and end early] *****************************************************************************************************************************************************************
TASK [install-fpf-repo : Install SecureDrop apt repo GPG signing key.] ********************************************************************************************************************************************
ok: [mon] => (item=fpf-signing-key.pub)
ok: [app] => (item=fpf-signing-key.pub)
TASK [install-fpf-repo : Setup FPF apt repo.] *********************************************************************************************************************************************************************
ok: [mon]
ok: [app]
TASK [install-fpf-repo : Install the securedrop-keyring package for managing the apt gpg key.] ********************************************************************************************************************
ok: [mon]
ok: [app]
TASK [grsecurity : Check if reboot is required due to inactive grsecurity lock.] **********************************************************************************************************************************
ok: [mon]
ok: [app]
TASK [grsecurity : Install paxctl.] *******************************************************************************************************************************************************************************
ok: [mon]
ok: [app]
TASK [grsecurity : Check paxctl headers on grub binaries.] ********************************************************************************************************************************************************
ok: [mon] => (item=/usr/sbin/grub-probe)
ok: [app] => (item=/usr/sbin/grub-probe)
ok: [mon] => (item=/usr/sbin/grub-mkdevicemap)
ok: [app] => (item=/usr/sbin/grub-mkdevicemap)
ok: [mon] => (item=/usr/bin/grub-script-check)
ok: [app] => (item=/usr/bin/grub-script-check)
TASK [grsecurity : Adjust paxctl headers on grub binaries.] *******************************************************************************************************************************************************
[WARNING]: when statements should not include jinja2 templating delimiters such as {{ }} or {% %}. Found: item.stdout != '- PaX flags: --------E--- [{{ item.item }}]' or item.rc != 0
[WARNING]: when statements should not include jinja2 templating delimiters such as {{ }} or {% %}. Found: item.stdout != '- PaX flags: --------E--- [{{ item.item }}]' or item.rc != 0
TASK [grsecurity : Remove MOTD pam module from SSH logins.] *******************************************************************************************************************************************************
ok: [mon]
ok: [app]
TASK [grsecurity : Install the grsecurity-patched kernel from the FPF repo.] **************************************************************************************************************************************
ok: [mon]
ok: [app]
TASK [grsecurity : Get grsec kernel string from grub config.] *****************************************************************************************************************************************************
ok: [mon]
ok: [app]
TASK [grsecurity : Check initial default grub entry for next boot.] ***********************************************************************************************************************************************
ok: [mon]
ok: [app]
TASK [grsecurity : Set grsec kernel as default for next boot.] ****************************************************************************************************************************************************
ok: [mon]
ok: [app]
TASK [grsecurity : Check customized default grub entry for next boot.] ********************************************************************************************************************************************
ok: [mon]
ok: [app]
TASK [grsecurity : Remove generic kernel packages.] ***************************************************************************************************************************************************************
ok: [mon] => (item=linux-signed-generic)
ok: [app] => (item=linux-signed-generic)
ok: [mon] => (item=linux-signed-generic-lts-utopic)
ok: [app] => (item=linux-signed-generic-lts-utopic)
ok: [mon] => (item=linux-signed-image-generic)
ok: [mon] => (item=linux-signed-image-generic-lts-utopic)
ok: [app] => (item=linux-signed-image-generic)
ok: [mon] => (item=linux-image-generic-lts-xenial)
ok: [app] => (item=linux-signed-image-generic-lts-utopic)
ok: [mon] => (item=linux-image-.*generic)
ok: [app] => (item=linux-image-generic-lts-xenial)
ok: [mon] => (item=linux-headers-.*)
[WARNING]: Consider using apt module rather than running apt-get
ok: [app] => (item=linux-image-.*generic)
ok: [app] => (item=linux-headers-.*)
TASK [grsecurity : Get list of all installed kernels.] ************************************************************************************************************************************************************
ok: [mon]
ok: [app]
TASK [grsecurity : Validate that all installed kernels are grsecurity-hardened.] **********************************************************************************************************************************
ok: [app] => (item=linux-image-3.14.79-grsec) => {
"changed": false,
"item": "linux-image-3.14.79-grsec",
"msg": "All assertions passed"
}
ok: [mon] => (item=linux-image-3.14.79-grsec) => {
"changed": false,
"item": "linux-image-3.14.79-grsec",
"msg": "All assertions passed"
}
ok: [app] => (item=linux-image-4.4.135-grsec) => {
"changed": false,
"item": "linux-image-4.4.135-grsec",
"msg": "All assertions passed"
}
ok: [mon] => (item=linux-image-4.4.135-grsec) => {
"changed": false,
"item": "linux-image-4.4.135-grsec",
"msg": "All assertions passed"
}
ok: [app] => (item=linux-image-4.4.144-grsec) => {
"changed": false,
"item": "linux-image-4.4.144-grsec",
"msg": "All assertions passed"
}
ok: [mon] => (item=linux-image-4.4.144-grsec) => {
"changed": false,
"item": "linux-image-4.4.144-grsec",
"msg": "All assertions passed"
}
TASK [grsecurity : Mark GRUB2 as manually installed so its not removed.] ******************************************************************************************************************************************
changed: [mon]
changed: [app]
TASK [grsecurity : Clean old apt packages.] ***********************************************************************************************************************************************************************
ok: [mon]
ok: [app]
TASK [grsecurity : Check if reboot is required due to inactive grsecurity lock.] **********************************************************************************************************************************
ok: [mon]
ok: [app]
TASK [grsecurity : Set sysctl flags for grsecurity.] **************************************************************************************************************************************************************
ok: [mon] => (item={u'name': u'kernel.grsecurity.rwxmap_logging', u'value': u'0'})
ok: [app] => (item={u'name': u'kernel.grsecurity.rwxmap_logging', u'value': u'0'})
ok: [mon] => (item={u'name': u'kernel.grsecurity.grsec_lock', u'value': u'1'})
ok: [app] => (item={u'name': u'kernel.grsecurity.grsec_lock', u'value': u'1'})
ok: [mon] => (item={u'name': u'vm.heap_stack_gap', u'value': u'1048576'})
ok: [app] => (item={u'name': u'vm.heap_stack_gap', u'value': u'1048576'})
TASK [common : Install ntp for ntpd.] *****************************************************************************************************************************************************************************
ok: [mon] => (item=[u'ntp', u'ntpdate'])
ok: [app] => (item=[u'ntp', u'ntpdate'])
TASK [common : Test DNS lookups.] *********************************************************************************************************************************************************************************
ok: [mon]
ok: [app]
TASK [common : Verify DNS server was configured correctly during OS install.] *************************************************************************************************************************************
ok: [app] => {
"changed": false,
"msg": "All assertions passed"
}
ok: [mon] => {
"changed": false,
"msg": "All assertions passed"
}
TASK [common : Ensure the system clock is set accurately.] ********************************************************************************************************************************************************
fatal: [mon]: FAILED! => {"changed": false, "cmd": ["ntpdate", "ntp.ubuntu.com"], "delta": "0:00:00.047241", "end": "2018-11-24 23:23:59.632641", "msg": "non-zero return code", "rc": 1, "start": "2018-11-24 23:23:59.585400", "stderr": "24 Nov 23:23:59 ntpdate[5625]: the NTP socket is in use, exiting", "stderr_lines": ["24 Nov 23:23:59 ntpdate[5625]: the NTP socket is in use, exiting"], "stdout": "", "stdout_lines": []}
...ignoring
fatal: [app]: FAILED! => {"changed": false, "cmd": ["ntpdate", "ntp.ubuntu.com"], "delta": "0:00:00.049007", "end": "2018-11-24 23:24:00.391247", "msg": "non-zero return code", "rc": 1, "start": "2018-11-24 23:24:00.342240", "stderr": "24 Nov 23:24:00 ntpdate[5929]: the NTP socket is in use, exiting", "stderr_lines": ["24 Nov 23:24:00 ntpdate[5929]: the NTP socket is in use, exiting"], "stdout": "", "stdout_lines": []}
...ignoring
TASK [common : See if ntpd is already running.] *******************************************************************************************************************************************************************
TASK [common : Copy sudoers file.] ********************************************************************************************************************************************************************************
ok: [mon]
ok: [app]
TASK [common : Create shell accounts for SecureDrop admins.] ******************************************************************************************************************************************************
ok: [mon] => (item=securedrop_admin)
ok: [app] => (item=securedrop_admin)
TASK [common : Set SecureDrop bash profile additions.] ************************************************************************************************************************************************************
ok: [mon]
ok: [app]
TASK [common : Clean up local bashrc config for admin accounts.] **************************************************************************************************************************************************
ok: [mon] => (item=securedrop_admin)
ok: [app] => (item=securedrop_admin)
TASK [common : Read /etc/hosts file to filter duplicate entries.] *************************************************************************************************************************************************
ok: [mon]
ok: [app]
TASK [common : Remove duplicate entries from /etc/hosts.] *********************************************************************************************************************************************************
ok: [mon]
ok: [app]
TASK [common : Add local IPv4 addresses for SecureDrop servers to /etc/hosts.] ************************************************************************************************************************************
ok: [mon] => (item={u'ip': u'<my-app-server-ip>', u'hostname': u'app'})
ok: [app] => (item={u'ip': u'<my-monitor-server-ip>', u'hostname': u'mon securedrop-monitor-server-alias'})
TASK [common : Configure DNS server IP.] **************************************************************************************************************************************************************************
ok: [mon]
ok: [app]
TASK [common : Install tmux.] *************************************************************************************************************************************************************************************
ok: [app]
ok: [mon]
TASK [common : Install cron-apt for unattended security upgrades.] ************************************************************************************************************************************************
ok: [mon]
ok: [app]
TASK [common : Copy cron-apt config file.] ************************************************************************************************************************************************************************
ok: [mon]
ok: [app]
TASK [common : Add security.list apt configuration.] **************************************************************************************************************************************************************
ok: [mon]
ok: [app]
TASK [common : Configure cron-apt to update the security.list repos.] *********************************************************************************************************************************************
ok: [mon]
ok: [app]
TASK [common : Configure cron-apt to remove vanilla kernels if they are installed.] *******************************************************************************************************************************
ok: [mon]
ok: [app]
TASK [common : Configure cron-apt to upgrade the packages in the security.list repos.] ****************************************************************************************************************************
ok: [mon]
ok: [app]
TASK [common : Remove default cron-apt config file for downloading all updates.] **********************************************************************************************************************************
ok: [mon]
ok: [app]
TASK [common : Create cron job for running cron-apt updates nightly.] *********************************************************************************************************************************************
ok: [mon]
ok: [app]
TASK [common : Update apt cache.] *********************************************************************************************************************************************************************************
ok: [mon]
ok: [app]
TASK [common : Install aptitude.] *********************************************************************************************************************************************************************************
ok: [mon]
ok: [app]
TASK [common : Check whether tor will be upgraded.] ***************************************************************************************************************************************************************
ok: [mon]
ok: [app]
TASK [common : Hold tor package to prevent upgrade breaking SSH connection.] **************************************************************************************************************************************
TASK [common : Perform safe upgrade to ensure all the packages are updated.] **************************************************************************************************************************************
ok: [mon]
ok: [app]
TASK [common : Remove hold on tor package, to permit automatic upgrades.] *****************************************************************************************************************************************
ok: [mon]
ok: [app]
TASK [common : Check if reboot is required due to security updates.] **********************************************************************************************************************************************
ok: [mon]
ok: [app]
TASK [common : Set sysctl flags for net.ipv4 config.] *************************************************************************************************************************************************************
ok: [mon] => (item={u'name': u'net.ipv4.tcp_max_syn_backlog', u'value': u'4096'})
ok: [app] => (item={u'name': u'net.ipv4.tcp_max_syn_backlog', u'value': u'4096'})
ok: [mon] => (item={u'name': u'net.ipv4.tcp_syncookies', u'value': u'1'})
ok: [app] => (item={u'name': u'net.ipv4.tcp_syncookies', u'value': u'1'})
ok: [mon] => (item={u'name': u'net.ipv4.conf.all.rp_filter', u'value': u'1'})
ok: [app] => (item={u'name': u'net.ipv4.conf.all.rp_filter', u'value': u'1'})
ok: [mon] => (item={u'name': u'net.ipv4.conf.all.accept_source_route', u'value': u'0'})
ok: [app] => (item={u'name': u'net.ipv4.conf.all.accept_source_route', u'value': u'0'})
ok: [mon] => (item={u'name': u'net.ipv4.conf.all.accept_redirects', u'value': u'0'})
ok: [app] => (item={u'name': u'net.ipv4.conf.all.accept_redirects', u'value': u'0'})
ok: [mon] => (item={u'name': u'net.ipv4.conf.all.secure_redirects', u'value': u'0'})
ok: [mon] => (item={u'name': u'net.ipv4.conf.default.rp_filter', u'value': u'1'})
ok: [app] => (item={u'name': u'net.ipv4.conf.all.secure_redirects', u'value': u'0'})
ok: [mon] => (item={u'name': u'net.ipv4.conf.default.accept_source_route', u'value': u'0'})
ok: [app] => (item={u'name': u'net.ipv4.conf.default.rp_filter', u'value': u'1'})
ok: [mon] => (item={u'name': u'net.ipv4.conf.default.accept_redirects', u'value': u'0'})
ok: [app] => (item={u'name': u'net.ipv4.conf.default.accept_source_route', u'value': u'0'})
ok: [mon] => (item={u'name': u'net.ipv4.conf.default.secure_redirects', u'value': u'0'})
ok: [app] => (item={u'name': u'net.ipv4.conf.default.accept_redirects', u'value': u'0'})
ok: [mon] => (item={u'name': u'net.ipv4.icmp_echo_ignore_broadcasts', u'value': u'1'})
ok: [app] => (item={u'name': u'net.ipv4.conf.default.secure_redirects', u'value': u'0'})
ok: [mon] => (item={u'name': u'net.ipv4.ip_forward', u'value': u'0'})
ok: [mon] => (item={u'name': u'net.ipv4.conf.all.send_redirects', u'value': u'0'})
ok: [app] => (item={u'name': u'net.ipv4.icmp_echo_ignore_broadcasts', u'value': u'1'})
ok: [mon] => (item={u'name': u'net.ipv4.conf.default.send_redirects', u'value': u'0'})
ok: [app] => (item={u'name': u'net.ipv4.ip_forward', u'value': u'0'})
ok: [mon] => (item={u'name': u'net.ipv6.conf.all.disable_ipv6', u'value': u'1'})
ok: [app] => (item={u'name': u'net.ipv4.conf.all.send_redirects', u'value': u'0'})
ok: [mon] => (item={u'name': u'net.ipv6.conf.default.disable_ipv6', u'value': u'1'})
ok: [app] => (item={u'name': u'net.ipv4.conf.default.send_redirects', u'value': u'0'})
ok: [mon] => (item={u'name': u'net.ipv6.conf.lo.disable_ipv6', u'value': u'1'})
ok: [app] => (item={u'name': u'net.ipv6.conf.all.disable_ipv6', u'value': u'1'})
ok: [app] => (item={u'name': u'net.ipv6.conf.default.disable_ipv6', u'value': u'1'})
ok: [app] => (item={u'name': u'net.ipv6.conf.lo.disable_ipv6', u'value': u'1'})
TASK [common : Check current swap status.] ************************************************************************************************************************************************************************
ok: [mon]
ok: [app]
TASK [common : Disable swap space.] *******************************************************************************************************************************************************************************
ok: [mon]
ok: [app]
TASK [common : Remove blacklisted kernel modules.] ****************************************************************************************************************************************************************
ok: [mon] => (item=btusb)
ok: [app] => (item=btusb)
ok: [mon] => (item=bluetooth)
ok: [app] => (item=bluetooth)
ok: [mon] => (item=iwlmvm)
ok: [app] => (item=iwlmvm)
ok: [mon] => (item=iwlwifi)
ok: [app] => (item=iwlwifi)
TASK [common : Add disabled kernels modules to modprobe.d blacklist.] *********************************************************************************************************************************************
ok: [mon] => (item=btusb)
ok: [app] => (item=btusb)
ok: [app] => (item=bluetooth)
ok: [mon] => (item=bluetooth)
ok: [app] => (item=iwlmvm)
ok: [mon] => (item=iwlmvm)
ok: [mon] => (item=iwlwifi)
ok: [app] => (item=iwlwifi)
TASK [tor-hidden-services : Remove Tor project GPG signing key.] **************************************************************************************************************************************************
ok: [mon]
ok: [app]
TASK [tor-hidden-services : Setup Tor apt repo.] ******************************************************************************************************************************************************************
ok: [mon]
ok: [app]
TASK [tor-hidden-services : Install Tor and Tor keyring packages.] ************************************************************************************************************************************************
ok: [mon] => (item={u'state': u'present', u'name': u'tor'})
ok: [app] => (item={u'state': u'present', u'name': u'tor'})
ok: [mon] => (item={u'state': u'absent', u'name': u'deb.torproject.org-keyring'})
ok: [app] => (item={u'state': u'absent', u'name': u'deb.torproject.org-keyring'})
TASK [tor-hidden-services : Extract tor version] ******************************************************************************************************************************************************************
TASK [tor-hidden-services : Dump Tor version to file (for reporting)] *********************************************************************************************************************************************
TASK [tor-hidden-services : Create parent directory for Tor hidden services.] *************************************************************************************************************************************
ok: [mon]
ok: [app]
TASK [tor-hidden-services : Create directories for Tor hidden services.] ******************************************************************************************************************************************
ok: [mon] => (item={'service': u'ssh', 'filename': u'mon-ssh-aths'})
ok: [app] => (item={'service': 'ssh', 'filename': 'app-ssh-aths'})
ok: [app] => (item={u'service': u'source', u'filename': u'app-source-ths'})
ok: [app] => (item={u'service': u'journalist', u'filename': u'app-journalist-aths'})
TASK [tor-hidden-services : Copy torrc config file.] **************************************************************************************************************************************************************
ok: [mon]
ok: [app]
TASK [tor-hidden-services : Ensure tor is running.] ***************************************************************************************************************************************************************
[DEPRECATION WARNING]: state=running is deprecated. Please use state=started. This feature will be removed in version 2.7. Deprecation warnings can be disabled by setting deprecation_warnings=False in
ansible.cfg.
[DEPRECATION WARNING]: state=running is deprecated. Please use state=started. This feature will be removed in version 2.7. Deprecation warnings can be disabled by setting deprecation_warnings=False in
ansible.cfg.
ok: [mon]
ok: [app]
PLAY [Configure OSSEC.] *******************************************************************************************************************************************************************************************
TASK [Gathering Facts] ********************************************************************************************************************************************************************************************
ok: [mon]
ok: [app]
TASK [ossec : Install securedrop-ossec-agent package.] ************************************************************************************************************************************************************
ok: [app]
TASK [ossec : Install OSSEC manager package.] *********************************************************************************************************************************************************************
ok: [mon]
TASK [ossec : Copy the OSSEC GPG public key for sending encrypted alerts.] ****************************************************************************************************************************************
changed: [mon] => (item=ossec.pub)
TASK [ossec : Add the OSSEC GPG public key to the OSSEC manager keyring.] *****************************************************************************************************************************************
changed: [mon] => (item=ossec.pub)
TASK [ossec : Copy script for sending GPG-encrypted OSSEC alerts.] ************************************************************************************************************************************************
changed: [mon]
TASK [ossec : Copy script for formatting journalist submission] ***************************************************************************************************************************************************
ok: [mon]
TASK [ossec : Create OSSEC manager SSL key.] **********************************************************************************************************************************************************************
ok: [mon]
TASK [ossec : Create OSSEC manager SSL certificate.] **************************************************************************************************************************************************************
ok: [mon]
TASK [ossec : Check whether Application Server is registered as OSSEC agent.] *************************************************************************************************************************************
ok: [mon]
TASK [ossec : Set host fact for OSSEC registration state.] ********************************************************************************************************************************************************
ok: [app]
ok: [mon]
TASK [ossec : Find existing ossec remote IDs] *********************************************************************************************************************************************************************
ok: [mon]
TASK [ossec : Overload agent already registered status to force reinstall] ****************************************************************************************************************************************
TASK [ossec : Build list of existing remote IDs] ******************************************************************************************************************************************************************
ok: [mon] => (item={u'uid': 1003, u'woth': False, u'mtime': 1543102107.534535, u'inode': 395489, u'isgid': False, u'size': 7, u'isuid': False, u'isreg': True, u'gid': 999, u'ischr': False, u'wusr': True, u'xoth': False, u'islnk': False, u'nlink': 1, u'issock': False, u'rgrp': True, u'path': u'/var/ossec/queue/rids/1024', u'xusr': False, u'atime': 1543098210.206275, u'isdir': False, u'ctime': 1543102107.534535, u'isblk': False, u'wgrp': False, u'xgrp': False, u'dev': 64769, u'roth': True, u'isfifo': False, u'mode': u'0644', u'rusr': True})
TASK [ossec : Stop ossec now for clean-up] ************************************************************************************************************************************************************************
TASK [ossec : Purge existing ossec server existing agents] ********************************************************************************************************************************************************
TASK [ossec : Erase existing client-side key] *********************************************************************************************************************************************************************
TASK [ossec : Generate authd shared secret] ***********************************************************************************************************************************************************************
TASK [ossec : Copy authd shared secret] ***************************************************************************************************************************************************************************
TASK [ossec : Append carriage return to auth file] ****************************************************************************************************************************************************************
TASK [ossec : Start authd.] ***************************************************************************************************************************************************************************************
TASK [ossec : Add firewall exemption for OSSEC agent registration (both servers)] *********************************************************************************************************************************
TASK [ossec : Register OSSEC agent.] ******************************************************************************************************************************************************************************
TASK [ossec : Remove firewall exemption for OSSEC agent registration.] ********************************************************************************************************************************************
ok: [app] => (item={u'chain': u'OUTPUT', u'proto': u'tcp', u'cstate': u'NEW,ESTABLISHED,RELATED', u'jump': u'ACCEPT', u'dest': u'<my-monitor-server-ip>', u'match': u'state', u'dest_port': 1515})
ok: [mon] => (item={u'chain': u'INPUT', u'proto': u'tcp', u'cstate': u'NEW,ESTABLISHED,RELATED', u'jump': u'ACCEPT', u'source': u'app', u'match': u'state', u'dest_port': 1515})
ok: [mon] => (item={u'chain': u'OUTPUT', u'proto': u'tcp', u'cstate': u'ESTABLISHED,RELATED', u'jump': u'ACCEPT', u'dest': u'app', u'source_port': 1515, u'match': u'state'})
ok: [app] => (item={u'chain': u'INPUT', u'proto': u'tcp', u'cstate': u'ESTABLISHED,RELATED', u'jump': u'ACCEPT', u'source': u'<my-monitor-server-ip>', u'source_port': 1515, u'match': u'state'})
TASK [ossec : Check if authd process is running on Monitor Server.] ***********************************************************************************************************************************************
ok: [mon]
TASK [ossec : Kill authd process (if running) on Monitor Server.] *************************************************************************************************************************************************
PLAY [Configure mailing utilities.] *******************************************************************************************************************************************************************************
TASK [Gathering Facts] ********************************************************************************************************************************************************************************************
ok: [mon]
TASK [postfix : Install mailing utilities.] ***********************************************************************************************************************************************************************
ok: [mon] => (item=[u'procmail', u'postfix', u'mailutils'])
TASK [postfix : Copy postfix /etc/aliases file to route root mail alerts to OSSEC.] *******************************************************************************************************************************
ok: [mon]
TASK [postfix : Create mapping for outbound address.] *************************************************************************************************************************************************************
TASK [postfix : Configure SASL password for SMTP relay.] **********************************************************************************************************************************************************
ok: [mon]
TASK [postfix : Configure Postfix to strip SMTP headers.] *********************************************************************************************************************************************************
ok: [mon]
TASK [postfix : Copy Postfix config file.] ************************************************************************************************************************************************************************
ok: [mon]
TASK [postfix : Configure Postfix service.] ***********************************************************************************************************************************************************************
ok: [mon]
TASK [postfix : Create procmail log file.] ************************************************************************************************************************************************************************
ok: [mon]
TASK [postfix : Update permissions on procmail log file.] *********************************************************************************************************************************************************
ok: [mon]
TASK [postfix : Copy procmail config file.] ***********************************************************************************************************************************************************************
ok: [mon]
TASK [postfix : Create Postfix certificate directory (if using custom certificate).] ******************************************************************************************************************************
TASK [postfix : Remove Postfix certificate directory (if not using custom certificate).] **************************************************************************************************************************
ok: [mon]
TASK [postfix : Copy custom Postfix certificate (if provided).] ***************************************************************************************************************************************************
PLAY [Configure SecureDrop Application Server.] *******************************************************************************************************************************************************************
TASK [Gathering Facts] ********************************************************************************************************************************************************************************************
ok: [app]
TASK [app : Install securedrop-app-code package from FPF repo.] ***************************************************************************************************************************************************
ok: [app]
TASK [app : Install SecureDrop Application Server dependencies.] **************************************************************************************************************************************************
ok: [app] => (item=[u'gnupg2', u'haveged', u'python', u'python-pip', u'secure-delete', u'sqlite3', u'apparmor-utils', u'redis-server', u'supervisor', u'libpython2.7-dev'])
TASK [app : Copy the SecureDrop Application GPG public key to the Application Server.] ****************************************************************************************************************************
ok: [app]
TASK [app : Import the SecureDrop Application GPG public key to the Application Server keyring.] ******************************************************************************************************************
[WARNING]: Consider using 'become', 'become_method', and 'become_user' rather than running su
ok: [app]
TASK [app : Check whether SecureDrop config.py file already exists.] **********************************************************************************************************************************************
ok: [app]
TASK [app : Copy starter config.py template if missing.] **********************************************************************************************************************************************************
TASK [app : Set ownership and permissions on config.py.] **********************************************************************************************************************************************************
ok: [app]
TASK [app : Generate 32-byte value for "source secret key".] ******************************************************************************************************************************************************
TASK [app : Add 32-byte value for "source secret key" to config.py.] **********************************************************************************************************************************************
TASK [app : Generate 32-byte value for "journalist secret key".] **************************************************************************************************************************************************
TASK [app : Add 32-byte value for "journalist secret key" to config.py.] ******************************************************************************************************************************************
TASK [app : Generate 32-byte value for "scrypt id pepper".] *******************************************************************************************************************************************************
TASK [app : Add 32-byte value for "scrypt id pepper" to config.py.] ***********************************************************************************************************************************************
TASK [app : Generate 32-byte value for "scrypt gpg pepper".] ******************************************************************************************************************************************************
TASK [app : Add 32-byte value for "scrypt gpg pepper" to config.py.] **********************************************************************************************************************************************
TASK [app : Declare Application GPG fingerprint in config.py.] ****************************************************************************************************************************************************
ok: [app]
TASK [app : Check whether sqlite database exists.] ****************************************************************************************************************************************************************
ok: [app]
TASK [app : Initialize sqlite database.] **************************************************************************************************************************************************************************
TASK [app : Add DEFAULT_LOCALE to config.py if missing.] **********************************************************************************************************************************************************
ok: [app]
TASK [app : Update SUPPORTED_LOCALES in config.py] ****************************************************************************************************************************************************************
ok: [app]
TASK [app : Create SSL certificates directory for HTTPS.] *********************************************************************************************************************************************************
TASK [app : Copy SSL certificate files.] **************************************************************************************************************************************************************************
TASK [app : Import apache packages vars for distro.] **************************************************************************************************************************************************************
ok: [app]
TASK [app : Install apache packages.] *****************************************************************************************************************************************************************************
ok: [app] => (item=[u'apache2-mpm-worker', u'libapache2-mod-wsgi', u'libapache2-mod-xsendfile'])
TASK [app : Copy Apache configuration file.] **********************************************************************************************************************************************************************
ok: [app]
TASK [app : Remove deprecated Apache configuration file.] *********************************************************************************************************************************************************
ok: [app]
TASK [app : Copy Apache ports and site configs.] ******************************************************************************************************************************************************************
ok: [app] => (item=ports.conf)
ok: [app] => (item=sites-available/journalist.conf)
ok: [app] => (item=sites-available/source.conf)
TASK [app : Enable required Apache modules.] **********************************************************************************************************************************************************************
ok: [app] => (item=access_compat)
ok: [app] => (item=authn_core)
ok: [app] => (item=alias)
ok: [app] => (item=authz_core)
ok: [app] => (item=authz_host)
ok: [app] => (item=authz_user)
ok: [app] => (item=deflate)
ok: [app] => (item=filter)
ok: [app] => (item=dir)
ok: [app] => (item=headers)
ok: [app] => (item=mime)
ok: [app] => (item=mpm_event)
ok: [app] => (item=negotiation)
ok: [app] => (item=reqtimeout)
ok: [app] => (item=rewrite)
ok: [app] => (item=ssl)
ok: [app] => (item=wsgi)
ok: [app] => (item=xsendfile)
TASK [app : Disable blacklisted Apache modules.] ******************************************************************************************************************************************************************
ok: [app] => (item=auth_basic)
ok: [app] => (item=authn_file)
ok: [app] => (item=autoindex)
ok: [app] => (item=env)
ok: [app] => (item=status)
TASK [app : Disable default Apache sites.] ************************************************************************************************************************************************************************
ok: [app] => (item=000-default.conf)
ok: [app] => (item=default-ssl.conf)
ok: [app] => (item=default.conf)
TASK [app : Remove default Apache site directory /var/www/html/.] *************************************************************************************************************************************************
ok: [app]
TASK [app : Remove old config files] ******************************************************************************************************************************************************************************
ok: [app] => (item=sites-available/document.conf)
ok: [app] => (item=sites-enabled/document.conf)
TASK [app : Enable SecureDrop Apache sites.] **********************************************************************************************************************************************************************
ok: [app] => (item=journalist)
ok: [app] => (item=source)
TASK [app : Configure supervisor for SecureDrop worker.] **********************************************************************************************************************************************************
ok: [app]
TASK [app : Create directory for SecureDrop worker logs.] *********************************************************************************************************************************************************
ok: [app]
TASK [app : Remove cron job to clean SecureDrop tmp dir daily (old manage.py syntax).] ****************************************************************************************************************************
ok: [app]
TASK [app : Add cron job to clean SecureDrop tmp dir daily (new manage.py syntax).] *******************************************************************************************************************************
ok: [app]
TASK [app : Add cron job to update the number of submissions in the past 24h] *************************************************************************************************************************************
ok: [app]
TASK [app : Read haveged defaults file to filter duplicate entries.] **********************************************************************************************************************************************
ok: [app]
TASK [app : Remove duplicate entries from haveged defaults file.] *************************************************************************************************************************************************
ok: [app]
TASK [app : Increase haveged's low entropy watermark to minimize "flag for reply" flow.] **************************************************************************************************************************
ok: [app]
PLAY [Lock down firewall configuration for Application and Monitor Servers.] **************************************************************************************************************************************
TASK [Gathering Facts] ********************************************************************************************************************************************************************************************
ok: [mon]
ok: [app]
TASK [restrict-direct-access : Wait for all Tor hidden services hostname files.] **********************************************************************************************************************************
ok: [mon] => (item={'service': u'ssh', 'filename': u'mon-ssh-aths'})
ok: [app] => (item={'service': 'ssh', 'filename': 'app-ssh-aths'})
ok: [app] => (item={u'service': u'source', u'filename': u'app-source-ths'})
ok: [app] => (item={u'service': u'journalist', u'filename': u'app-journalist-aths'})
TASK [restrict-direct-access : Collect Tor hidden service hostnames.] *********************************************************************************************************************************************
ok: [mon] => (item={'service': u'ssh', 'filename': u'mon-ssh-aths'})
ok: [app] => (item={'service': 'ssh', 'filename': 'app-ssh-aths'})
ok: [app] => (item={u'service': u'source', u'filename': u'app-source-ths'})
ok: [app] => (item={u'service': u'journalist', u'filename': u'app-journalist-aths'})
TASK [restrict-direct-access : Write Tor hidden service hostname files to Admin Workstation.] *********************************************************************************************************************
ok: [app -> localhost] => (item={'_ansible_parsed': True, 'stderr_lines': [], '_ansible_item_result': True, u'end': u'2018-11-24 23:35:20.188563', '_ansible_no_log': False, u'stdout': u'<app-server>.onion app-server-cookie # client: admin', u'cmd': [u'cat', u'/var/lib/tor/services/ssh/hostname'], u'rc': 0, 'item': {'service': u'ssh', 'filename': u'app-ssh-aths'}, u'delta': u'0:00:00.005688', u'stderr': u'', u'changed': False, u'invocation': {u'module_args': {u'creates': None, u'executable': None, u'_uses_shell': False, u'_raw_params': u'cat /var/lib/tor/services/ssh/hostname', u'removes': None, u'warn': True, u'chdir': None, u'stdin': None}}, 'stdout_lines': [u'<app-server>.onion app-server-cookie # client: admin'], u'start': u'2018-11-24 23:35:20.182875', '_ansible_ignore_errors': None, 'failed': False})
ok: [mon -> localhost] => (item={'_ansible_parsed': True, 'stderr_lines': [], '_ansible_item_result': True, u'end': u'2018-11-24 23:35:19.396527', '_ansible_no_log': False, u'stdout': u'<mon-server>.onion mon-server-cookie # client: admin', u'cmd': [u'cat', u'/var/lib/tor/services/ssh/hostname'], u'rc': 0, 'item': {'service': u'ssh', 'filename': u'mon-ssh-aths'}, u'delta': u'0:00:00.004158', u'stderr': u'', u'changed': False, u'invocation': {u'module_args': {u'creates': None, u'executable': None, u'_uses_shell': False, u'_raw_params': u'cat /var/lib/tor/services/ssh/hostname', u'removes': None, u'warn': True, u'chdir': None, u'stdin': None}}, 'stdout_lines': [u'<mon-server>.onion mon-server-cookie # client: admin'], u'start': u'2018-11-24 23:35:19.392369', '_ansible_ignore_errors': None, 'failed': False})
ok: [app -> localhost] => (item={'_ansible_parsed': True, 'stderr_lines': [], '_ansible_item_result': True, u'end': u'2018-11-24 23:35:23.419019', '_ansible_no_log': False, u'stdout': u'<app-source>.onion', u'cmd': [u'cat', u'/var/lib/tor/services/source/hostname'], u'rc': 0, 'item': {u'service': u'source', u'filename': u'app-source-ths'}, u'delta': u'0:00:00.005800', u'stderr': u'', u'changed': False, u'invocation': {u'module_args': {u'creates': None, u'executable': None, u'_uses_shell': False, u'_raw_params': u'cat /var/lib/tor/services/source/hostname', u'removes': None, u'warn': True, u'chdir': None, u'stdin': None}}, 'stdout_lines': [u'<app-source>.onion'], u'start': u'2018-11-24 23:35:23.413219', '_ansible_ignore_errors': None, 'failed': False})
ok: [app -> localhost] => (item={'_ansible_parsed': True, 'stderr_lines': [], '_ansible_item_result': True, u'end': u'2018-11-24 23:35:26.496135', '_ansible_no_log': False, u'stdout': u'<app-journalist>.onion app-journalist-cookie # client: journalist', u'cmd': [u'cat', u'/var/lib/tor/services/journalist/hostname'], u'rc': 0, 'item': {u'service': u'journalist', u'filename': u'app-journalist-aths'}, u'delta': u'0:00:00.005888', u'stderr': u'', u'changed': False, u'invocation': {u'module_args': {u'creates': None, u'executable': None, u'_uses_shell': False, u'_raw_params': u'cat /var/lib/tor/services/journalist/hostname', u'removes': None, u'warn': True, u'chdir': None, u'stdin': None}}, 'stdout_lines': [u'<app-journalist>.onion app-journalist-cookie # client: journalist'], u'start': u'2018-11-24 23:35:26.490247', '_ansible_ignore_errors': None, 'failed': False})
TASK [restrict-direct-access : Check whether Diffie-Hellman groups have been updated] *****************************************************************************************************************************
ok: [mon]
ok: [app]
TASK [restrict-direct-access : Remove weak DH moduli] *************************************************************************************************************************************************************
TASK [restrict-direct-access : Install updated DH moduli] *********************************************************************************************************************************************************
TASK [restrict-direct-access : Copy SSH client config file.] ******************************************************************************************************************************************************
ok: [mon]
ok: [app]
TASK [restrict-direct-access : Copy SSH server config file.] ******************************************************************************************************************************************************
ok: [mon]
ok: [app]
TASK [restrict-direct-access : Copy pam common-auth config file.] *************************************************************************************************************************************************
ok: [mon]
ok: [app]
TASK [restrict-direct-access : Ensure sshd is running.] ***********************************************************************************************************************************************************
[DEPRECATION WARNING]: state=running is deprecated. Please use state=started. This feature will be removed in version 2.7. Deprecation warnings can be disabled by setting deprecation_warnings=False in
ansible.cfg.
[DEPRECATION WARNING]: state=running is deprecated. Please use state=started. This feature will be removed in version 2.7. Deprecation warnings can be disabled by setting deprecation_warnings=False in
ansible.cfg.
ok: [mon]
ok: [app]
TASK [restrict-direct-access : Gather localhost facts first] ******************************************************************************************************************************************************
ok: [mon -> localhost]
ok: [app -> localhost]
TASK [restrict-direct-access : Copy load_iptables if-up script.] **************************************************************************************************************************************************
ok: [mon]
ok: [app]
TASK [restrict-direct-access : Create iptables directory.] ********************************************************************************************************************************************************
ok: [mon]
ok: [app]
TASK [restrict-direct-access : Determine local platform specific routing info] ************************************************************************************************************************************
ok: [app]
ok: [mon]
TASK [restrict-direct-access : Record admin network interface] ****************************************************************************************************************************************************
ok: [app]
ok: [mon]
TASK [restrict-direct-access : Hacky work-around for Mac/Linux interface structure divergence] ********************************************************************************************************************
ok: [app]
ok: [mon]
TASK [restrict-direct-access : Compute admin network CIDR] ********************************************************************************************************************************************************
ok: [app -> localhost]
ok: [mon -> localhost]
TASK [restrict-direct-access : Copy IPv4 iptables rules.] *********************************************************************************************************************************************************
ok: [mon]
ok: [app]
TASK [restrict-direct-access : Copy IPv6 iptables rules.] *********************************************************************************************************************************************************
ok: [mon]
ok: [app]
PLAY [Reboot Application and Monitor Servers.] ********************************************************************************************************************************************************************
TASK [Gathering Facts] ********************************************************************************************************************************************************************************************
ok: [mon]
ok: [app]
TASK [reboot-if-first-install : Read iptables rule set.] **********************************************************************************************************************************************************
ok: [mon]
ok: [app]
TASK [reboot-if-first-install : Check for existence of reboot file] ***********************************************************************************************************************************************
ok: [mon]
ok: [app]
TASK [reboot-if-first-install : Delete reboot file from intereferring with future runs] ***************************************************************************************************************************
ok: [mon]
ok: [app]
TASK [reboot-if-first-install : Store whether this is a first-time installation.] *********************************************************************************************************************************
ok: [app]
ok: [mon]
TASK [reboot-if-first-install : include] **************************************************************************************************************************************************************************
PLAY RECAP ********************************************************************************************************************************************************************************************************
app : ok=117 changed=1 unreachable=0 failed=0
localhost : ok=4 changed=0 unreachable=0 failed=0
mon : ok=108 changed=4 unreachable=0 failed=0
TASK: app : Enable required Apache modules. ---------------------------- 60.53s
TASK: common : Set sysctl flags for net.ipv4 config. ------------------- 52.79s
TASK: grsecurity : Install the grsecurity-patched kernel from the FPF repo. -- 29.22s
TASK: app : Copy Apache ports and site configs. ------------------------ 29.03s
TASK: grsecurity : Remove generic kernel packages. --------------------- 26.49s
TASK: restrict-direct-access : Wait for all Tor hidden services hostname files. -- 24.60s
TASK: common : Install tmux. ------------------------------------------- 19.02s
TASK: app : Disable blacklisted Apache modules. ------------------------ 16.30s
TASK: ossec : Copy the OSSEC GPG public key for sending encrypted alerts. -- 15.92s
TASK: app : Copy Apache configuration file. ---------------------------- 13.79s
Playbook finished: Sat Nov 24 23:36:57 2018, 182 total tasks. 0:15:31 elapsed.
TASK: app : Enable required Apache modules. ---------------------------- 60.53s
TASK: common : Set sysctl flags for net.ipv4 config. ------------------- 52.79s
TASK: grsecurity : Install the grsecurity-patched kernel from the FPF repo. -- 29.22s
TASK: app : Copy Apache ports and site configs. ------------------------ 29.03s
TASK: grsecurity : Remove generic kernel packages. --------------------- 26.49s
TASK: restrict-direct-access : Wait for all Tor hidden services hostname files. -- 24.60s
TASK: common : Install tmux. ------------------------------------------- 19.02s
TASK: app : Disable blacklisted Apache modules. ------------------------ 16.30s
TASK: ossec : Copy the OSSEC GPG public key for sending encrypted alerts. -- 15.92s
TASK: app : Copy Apache configuration file. ---------------------------- 13.79s
Playbook finished: Sat Nov 24 23:36:57 2018, 182 total tasks. 0:15:31 elapsed.