silences OSSEC alerts from fwupd running without udisks2 #6107

Merged
merged 1 commit into from
Sep 24, 2021

Conversation

@cfm cfm commented Sep 23, 2021

Status

Ready for review

Description of Changes

Fixes #6097 by adding OSSEC rules to ignore (classify as level 0) errors logged by fwupd in the absence of udisks2.

Testing

1. Staging environment: Confirm `Level: 0` returned for both log messages cited in fwupd generates OSSEC alerts from syslog #6097:

```
$ molecule login -s libvirt-staging-focal -h mon-staging
vagrant@mon-staging:~$ echo "Aug 10 14:30:51 mon fwupd[134620]: 14:30:51:0528 FuPluginLinuxSwap    could not parse /proc/swaps: failed to call org.freedesktop.UDisks2.Manager.GetBlockDevices(): The name org.freedesktop.UDisks2 was not provided by any .service files" | sudo /var/ossec/bin/ossec-logtest
2021/09/23 23:33:33 ossec-testrule: INFO: Reading local decoder file.
2021/09/23 23:33:33 ossec-testrule: INFO: Started (pid: 132681).
ossec-testrule: Type one log per line.



**Phase 1: Completed pre-decoding.
       full event: 'Aug 10 14:30:51 mon fwupd[134620]: 14:30:51:0528 FuPluginLinuxSwap    could not parse /proc/swaps: failed to call org.freedesktop.UDisks2.Manager.GetBlockDevices(): The name org.freedesktop.UDisks2 was not provided by any .service files'
       hostname: 'mon'
       program_name: 'fwupd'
       log: '14:30:51:0528 FuPluginLinuxSwap    could not parse /proc/swaps: failed to call org.freedesktop.UDisks2.Manager.GetBlockDevices(): The name org.freedesktop.UDisks2 was not provided by any .service files'

**Phase 2: Completed decoding.
       decoder: 'fwupd'

**Phase 3: Completed filtering (rules).
       Rule id: '100113'
       Level: '0'
       Description: 'fwupd error missing UDisks2'
vagrant@mon-staging:~$ echo "Sep 18 13:32:22 mon fwupd[134454]: 13:32:22:0632 FuEngine             failed to get chassis type: no structure with type 03" | sudo /var/ossec/bin/ossec-logtest
2021/09/23 23:34:17 ossec-testrule: INFO: Reading local decoder file.
2021/09/23 23:34:17 ossec-testrule: INFO: Started (pid: 132684).
ossec-testrule: Type one log per line.



**Phase 1: Completed pre-decoding.
       full event: 'Sep 18 13:32:22 mon fwupd[134454]: 13:32:22:0632 FuEngine             failed to get chassis type: no structure with type 03'
       hostname: 'mon'
       program_name: 'fwupd'
       log: '13:32:22:0632 FuEngine             failed to get chassis type: no structure with type 03'

**Phase 2: Completed decoding.
       decoder: 'fwupd'

**Phase 3: Completed filtering (rules).
       Rule id: '100114'
       Level: '0'
       Description: 'fwupd error missing structure'
```

2. Production environment: I do not currently have access to a hardware production environment I can test against (as suggested by Disables OSSEC email for fwupd #5882) but hope to have this capability next week.

Deployment

No deployment considerations.

Checklist

If you made changes to the system configuration:

@cfm cfm added this to the 2.1.0 milestone Sep 23, 2021
@cfm cfm requested a review from conorsch September 23, 2021 23:42
@cfm cfm requested a review from a team as a code owner September 23, 2021 23:42
@cfm cfm added this to Ready for Review in SecureDrop Team Board Sep 23, 2021
@kushaldas kushaldas self-assigned this Sep 24, 2021
@kushaldas kushaldas moved this from Ready for Review to Under Review in SecureDrop Team Board Sep 24, 2021
@kushaldas kushaldas left a comment


Rules are correct and the logs are coming in with level 0 on the staging server.

Approved.

@kushaldas kushaldas merged commit d447413 into develop Sep 24, 2021
SecureDrop Team Board automation moved this from Under Review to Done Sep 24, 2021
@cfm cfm mentioned this pull request Oct 8, 2021
Successfully merging this pull request may close these issues.

fwupd generates OSSEC alerts from syslog