
Suppress ossec alerts for temporary PID files created by GPG

Open rocodes opened this issue 2 months ago • 0 comments

Description

[Thanks @legoktm for investigation]

GPG creates temporary files in /var/lib/securedrop/keys/ of the format /var/lib/securedrop/keys/.#xxxx.app.yyyy. This results in false positive ossec alerts, as below. We mostly don't encounter this anymore since we've moved to sq, except for in some cases (source deletion).

Steps to Reproduce

loaddata.py --gpg and observe temporary files in that directory, then delete sources

Expected Behavior

No OSSEC alert

Actual Behavior

OSSEC HIDS Notification.
$date

Received From: (app) $app_ip->syscheck
Rule: 553 fired (level 7) -> "File deleted. Unable to retrieve checksum."
Portion of the log(s):

File '/var/lib/securedrop/keys/.#[redacted].app.[redacted]' was deleted. Unable to retrieve checksum.

--END OF NOTIFICATION

Comments

These alerts can be suppressed (if we feel okay suppressing alerts in /var/lib/securedrop/keys/.# that match this specific pattern) or ignored case-by-case by admins.

rocodes, May 07 '24 17:05
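One way to implement the narrower of the two options in the comment above, as an added example that is not part of the SecureDrop project or of this issue: a local OSSEC rule that drops the alert level of rule 553 to 0 only when the deleted path starts with the keyring directory plus the GPG lock-file prefix shown in the quoted alert. It assumes local rules live in /var/ossec/rules/local_rules.xml and uses the hypothetical local rule id 100553 (OSSEC reserves ids 100000-119999 for user rules); the path prefix is taken from the alert in the description.

```xml
<!-- /var/ossec/rules/local_rules.xml (assumed location; rule id 100553 is a
     hypothetical choice from the 100000-119999 range OSSEC reserves for local rules) -->
<group name="local,syscheck,">
  <!--
    Child of built-in rule 553 ("File deleted. Unable to retrieve checksum.").
    <match> is a plain substring test on the syscheck log line, e.g.
      File '/var/lib/securedrop/keys/.#xxxx.app.yyyy' was deleted. Unable to retrieve checksum.
    so only deletions of dotfiles starting with ".#" directly under
    /var/lib/securedrop/keys/ are silenced; deleting anything else in that
    directory still fires 553 at level 7, and added/modified events are untouched.
  -->
  <rule id="100553" level="0">
    <if_sid>553</if_sid>
    <match>File '/var/lib/securedrop/keys/.#</match>
    <description>Deleted GPG temporary lock file in the SecureDrop keys directory (expected, not a syscheck event of interest).</description>
  </rule>
</group>
```

A level-0 rule is the usual OSSEC idiom for "match, but never alert", and because it is conditioned on 553 it cannot accidentally mask other syscheck rules. Before deploying, paste the alert's log line (the `File '...' was deleted...` line) into `/var/ossec/bin/ossec-logtest` on the monitor and confirm it now reports rule 100553 at level 0, then paste a deletion of a different path under the keys directory and confirm that one still reports 553. The broader alternative, an `<ignore>` entry for the same prefix in the `<syscheck>` section of ossec.conf, stops syscheck from tracking those files at all, which also drops add and modify events for them and is wider than what the comment proposes.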