New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
OSSEC Rules: Remove syscheck alert when bulk tmp file deleted #2152
Conversation
1049080
to
4238271
Compare
@redshiftzero Kindly rebase for me, now that #2143 is merged? There aren't any conflicts, but coverage checks are failing, due to develop being out of sync. |
When bulk downloads occur on the SecureDrop journalist interface, a temporary file is created in /var/lib/securedrop/tmp. When this file is cleaned up, it triggers an integrity checking alert. If SecureDrop is getting heavy use, this can fire many times per day. This commit modifies the syscheck options on the app server to exclude any files named tmp_securedrop_bulk_* in /var/lib/securedrop/tmp from integrity checking (via syscheck).
4238271
to
d9b722d
Compare
Rebased! |
Testing now, starting with reproducing the alerts on current develop. |
After copious manual testing, I've failed to reproduce the original alert in staging VMs. The testing steps provided in the PR submission failed to generate the original alert, and manual interaction with the webserver (to generate tmp files via bulk downloads) failed to do so as well. Was provisioned on latest develop. Going to step away from this PR and circle back, in case I'm missing something obvious. My best guest at present is that I'm not waiting nearly long enough before and after running |
Ah my bad @conorsh - you're probably right that FYI to determine if |
Thanks for confirmation, @redshiftzero. Tackling this again now, and will be more patient between commands. Will try to get a rough estimate of what a full refresh of the system integrity checks (on VMs) clocks in at, and report back. |
Ahh, finally making progress. One can check when
Have now reproduced the original alert we're trying to silence, so proceeding with testing the patch in this PR. |
Finally able to confirm the changes in this PR behave as intended, and alerts are no longer fired when tmp files are removed as a result of bulk downloads. Thanks, @redshiftzero! I did notice the alert being triggered after switching to this PR branch (from develop) and rebuilding and reinstalling the deb packages. That strikes me as odd, since the deb packages should appropriately bounce the services. After a reboot of the staging machines, however, the feature behaved as advertised, and prod updates involve a reboot as well, so I'm satisfied. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
After copious manual testing, I can confirm that @redshiftzero was spot-on with these changes. Should go a long way in cutting down on alert noise. Let's get it in!
Status
Ready for review
Description of Changes
Fixes #1691.
Changes proposed in this pull request:
When bulk downloads occur on the SecureDrop journalist interface,
a temporary file is created in
/var/lib/securedrop/tmp
. Whenthis file is cleaned up, an integrity checking alert fires.
If SecureDrop is getting heavy use, this alert can fire many times per
day.
This commit modifies the
syscheck
options on the app serverto exclude any files named
tmp_securedrop_bulk_*
in/var/lib/securedrop/tmp
from the integrity checking.Testing
Note: In the testing instructions that follow, I'm indicating the hostname via the string prior to the shell prompt.
A. Reproduce the alert
Provision staging locally.
Create test file:
app-staging# echo "test" > /var/lib/securedrop/tmp/tmp_securedrop_bulk_dl_FDkPe4
Establish
syscheck
baseline:mon-staging# /var/ossec/bin/agent_control -r -a
Remove test file:
app-staging# rm /var/lib/securedrop/tmp/tmp_securedrop_bulk_dl_FDkPe4
Watch the OSSEC alerts log (or watch your email if you have prod-like secrets configured in
site-specific
):mon-staging# tail -f /var/ossec/logs/alerts/alerts.log
And now
syscheck
again to rerun integrity checking:mon-staging# /var/ossec/bin/agent_control -r -a
An alert will appear in
/var/ossec/logs/alerts/alerts.log
:B. Verify the fix in this PR
The patch is in
ossec.conf
on the agent (the Application server), so you can either:a. reprovision staging with the patch applied, or
b. you can just manually apply the patch to
/var/ossec/etc/ossec.conf
onmon-staging
. Note that you will then need to bounce the service (i.e.mon-staging# service ossec restart
).Follow steps 2-5 from section A above, except now no alert will fire.
Deployment
As
ossec.conf
is delivered via thesecuredrop-ossec-agent
deb package, the change should be deployed without issue.Checklist
If you made changes to the system configuration: