GPG creates temporary files in /var/lib/securedrop/keys/ of the format /var/lib/securedrop/keys/.#xxxx.app.yyyy. This results in false positive ossec alerts, as below. We mostly don't encounter this anymore since we've moved to sq, except for in some cases (source deletion).
Steps to Reproduce
loaddata.py --gpg and observe temporary files in that directory, then delete sources
Expected Behavior
No OSSEC alert
Actual Behavior
OSSEC HIDS Notification.
$date
Received From: (app) $app_ip->syscheck
Rule: 553 fired (level 7) -> "File deleted. Unable to retrieve checksum."
Portion of the log(s):
File '/var/lib/securedrop/keys/.#[redacted].app.[redacted]' was deleted. Unable to retrieve checksum.
--END OF NOTIFICATION
Comments
These alerts can be suppressed (if we feel okay suppressing alerts in /var/lib/securedrop/keys/.# that match this specific pattern) or ignored case-by-case by admins.
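As an added illustration of the narrow suppression discussed above (this is not SecureDrop's code or its OSSEC configuration), the filter below parses a syscheck notification and treats it as ignorable only when it is rule 553 and the deleted path is a ".#xxxx.app.yyyy" file directly inside /var/lib/securedrop/keys/; it assumes xxxx and yyyy are single dot-free path components, and the sample notifications it builds are constructed, not real alerts.

```python
import re

# Only syscheck rule 553 ("File deleted. Unable to retrieve checksum.") is
# the rule the issue reports as noisy; nothing else is suppressed.
FILE_DELETED_RULE = 553
KEYS_DIR = "/var/lib/securedrop/keys"

# Assumption: xxxx and yyyy in ".#xxxx.app.yyyy" are single path components
# containing no '/' and no further '.'; the match is anchored to KEYS_DIR so
# lookalike names in other directories or subdirectories never qualify.
GPG_TEMPFILE_RE = re.compile(re.escape(KEYS_DIR) + r"/\.#[^/.]+\.app\.[^/.]+\Z")

_RULE_RE = re.compile(r"^Rule: (\d+) fired", re.MULTILINE)
_FILE_RE = re.compile(r"^File '([^']+)' was deleted\.", re.MULTILINE)


def parse_notification(text):
    """Return (rule_id, path) from an OSSEC syscheck notification, else None."""
    rule = _RULE_RE.search(text)
    path = _FILE_RE.search(text)
    if rule is None or path is None:
        return None
    return int(rule.group(1)), path.group(1)


def is_gpg_tempfile_alert(text):
    """True only for a rule-553 deletion of a GPG temp file directly in KEYS_DIR."""
    parsed = parse_notification(text)
    if parsed is None:
        return False
    rule_id, path = parsed
    return rule_id == FILE_DELETED_RULE and GPG_TEMPFILE_RE.match(path) is not None


def triage(notifications):
    """Return the notifications an admin still needs to look at."""
    return [n for n in notifications if not is_gpg_tempfile_alert(n)]


def make_notification(rule_id, path):
    """Constructed sample in the layout quoted in the issue (not a real alert)."""
    return (
        "OSSEC HIDS Notification.\n2024 May 07 12:00:00\n\n"
        "Received From: (app) 10.20.2.2->syscheck\n"
        f'Rule: {rule_id} fired (level 7) -> "File deleted. Unable to retrieve checksum."\n'
        "Portion of the log(s):\n\n"
        f"File '{path}' was deleted. Unable to retrieve checksum.\n\n--END OF NOTIFICATION"
    )
```

A real key file deleted from the same directory, the same filename shape in any other directory, or any rule other than 553 still reaches the admin.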
rocodes changed the title from "Suppress ossec alerts for temporary PID files created during source deletion" to "Suppress ossec alerts for temporary PID files created by GPG" on May 7, 2024
[Thanks @legoktm for investigation]