securedrop
Suppress ossec alerts for temporary PID files created by GPG
Description
[Thanks @legoktm for investigation]
GPG creates temporary files in /var/lib/securedrop/keys/ of the format /var/lib/securedrop/keys/.#xxxx.app.yyyy. This results in false positive OSSEC alerts, as below. We mostly don't encounter this anymore since we've moved to sq, except in some cases (source deletion).
Steps to Reproduce
Run loaddata.py --gpg and observe the temporary files in that directory, then delete sources.
Expected Behavior
No OSSEC alert
Actual Behavior
OSSEC HIDS Notification.
$date
Received From: (app) $app_ip->syscheck
Rule: 553 fired (level 7) -> "File deleted. Unable to retrieve checksum."
Portion of the log(s):
File '/var/lib/securedrop/keys/.#[redacted].app.[redacted]' was deleted. Unable to retrieve checksum.
--END OF NOTIFICATION
Comments
These alerts can be suppressed (if we feel okay suppressing alerts in /var/lib/securedrop/keys/.# that match this specific pattern) or ignored case-by-case by admins.
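To make the "this specific pattern" criterion concrete, here is an added example (not SecureDrop's own code, nor an OSSEC rule) that parses notifications shaped like the one above and decides whether an alert is a suppressible GPG temporary-file deletion: it accepts only rule 553 on a path of the exact form /var/lib/securedrop/keys/.#xxxx.app.yyyy, and refuses anything else in the keys directory (e.g. a deleted keyring) so that real key loss still alerts. The sample alert texts, dates and IP are constructed for the example.

```python
import re

# Only OSSEC syscheck rule 553 ("File deleted. Unable to retrieve checksum.") is in scope.
SYSCHECK_DELETE_RULE = "553"
# Tight match on the GPG temporary file shape from the issue: no subdirectories,
# must start with ".#" and contain ".app." inside the keys directory.
GPG_TEMP_RE = re.compile(r"^/var/lib/securedrop/keys/\.#[^/]+\.app\.[^/]+$")
RULE_RE = re.compile(r"^Rule: (\d+) fired")
DELETED_RE = re.compile(r"^File '(.+)' was deleted\.")


def _alert(rule_line, log_line):
    """Build a constructed OSSEC notification body in the shape quoted in the issue."""
    return (
        "OSSEC HIDS Notification.\n2024 Jan 01 00:00:00\n"
        "Received From: (app) 10.0.1.2->syscheck\n"
        f"{rule_line}\nPortion of the log(s):\n{log_line}\n--END OF NOTIFICATION\n"
    )


# Constructed sample alerts: temp file (suppressible), real keyring deleted (not),
# temp file reported under a different rule (not), and a traversal-style path (not).
ALERTS = [
    _alert('Rule: 553 fired (level 7) -> "File deleted. Unable to retrieve checksum."',
           "File '/var/lib/securedrop/keys/.#lk0x5581.app.12345' was deleted. Unable to retrieve checksum."),
    _alert('Rule: 553 fired (level 7) -> "File deleted. Unable to retrieve checksum."',
           "File '/var/lib/securedrop/keys/pubring.kbx' was deleted. Unable to retrieve checksum."),
    _alert('Rule: 550 fired (level 7) -> "Integrity checksum changed."',
           "File '/var/lib/securedrop/keys/.#lk0x5581.app.12345' was deleted. Unable to retrieve checksum."),
    _alert('Rule: 553 fired (level 7) -> "File deleted. Unable to retrieve checksum."',
           "File '/var/lib/securedrop/keys/.#x.app.1/../secring.gpg' was deleted. Unable to retrieve checksum."),
]


def parse_alert(text):
    """Return (rule_id, deleted_path) from a notification body; None for fields not found."""
    rule_id = path = None
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rule_id = m.group(1)
        m = DELETED_RE.match(line.strip())
        if m:
            path = m.group(1)
    return rule_id, path


def is_suppressible(text):
    """True only for rule 553 on a path matching the GPG temporary file pattern exactly."""
    rule_id, path = parse_alert(text)
    return rule_id == SYSCHECK_DELETE_RULE and path is not None and GPG_TEMP_RE.match(path) is not None


def triage(alerts):
    """Split notifications into (suppressed, needs_review) lists for an admin."""
    suppressed = [a for a in alerts if is_suppressible(a)]
    return suppressed, [a for a in alerts if a not in suppressed]
```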