fix(ossec): run "disconnected submissions" checks from systemd timers…

…; report on saved output This should prevent OSSEC from having to sudo to run these commands directly, which adds noise to "/var/log/auth.log" and thus OSSEC's own daily "Successful Logins" report.
freedomofpress · Oct 16, 2023 · 45499e0 · 45499e0
1 parent b9a8d5f
commit 45499e0
Show file tree

Hide file tree

Showing 6 changed files with 48 additions and 4 deletions.
diff --git a/...p/debian/app-code/lib/systemd/system/securedrop-check-disconnected-db-submissions.service b/...p/debian/app-code/lib/systemd/system/securedrop-check-disconnected-db-submissions.service
@@ -0,0 +1,12 @@
+[Unit]
+Description=job to check for disconnected submissions in the database
+
+[Service]
+ExecStart=bash -c "/var/www/securedrop/manage.py check-disconnected-db-submissions > /var/lib/securedrop/disconnected_db_submissions.txt"
+PrivateDevices=yes
+PrivateTmp=yes
+ProtectSystem=full
+ReadOnlyDirectories=/
+ReadWriteDirectories=/var/lib/securedrop
+User=www-data
+WorkingDirectory=/var/www/securedrop
diff --git a/...rop/debian/app-code/lib/systemd/system/securedrop-check-disconnected-db-submissions.timer b/...rop/debian/app-code/lib/systemd/system/securedrop-check-disconnected-db-submissions.timer
@@ -0,0 +1,9 @@
+[Unit]
+Description=check for disconnected submissions in the database
+
+[Timer]
+# We want to run this 1 hour before reboot, or 23h after the last reboot
+OnBootSec=23h
+
+[Install]
+WantedBy=timers.target
diff --git a/...p/debian/app-code/lib/systemd/system/securedrop-check-disconnected-fs-submissions.service b/...p/debian/app-code/lib/systemd/system/securedrop-check-disconnected-fs-submissions.service
@@ -0,0 +1,12 @@
+[Unit]
+Description=job to check for disconnected submissions on the filesystem
+
+[Service]
+ExecStart=bash -c "/var/www/securedrop/manage.py check-disconnected-fs-submissions > /var/lib/securedrop/disconnected_fs_submissions.txt"
+PrivateDevices=yes
+PrivateTmp=yes
+ProtectSystem=full
+ReadOnlyDirectories=/
+ReadWriteDirectories=/var/lib/securedrop
+User=www-data
+WorkingDirectory=/var/www/securedrop
diff --git a/...rop/debian/app-code/lib/systemd/system/securedrop-check-disconnected-fs-submissions.timer b/...rop/debian/app-code/lib/systemd/system/securedrop-check-disconnected-fs-submissions.timer
@@ -0,0 +1,9 @@
+[Unit]
+Description=check for disconnected submissions on the filesystem
+
+[Timer]
+# We want to run this 1 hour before reboot, or 23h after the last reboot
+OnBootSec=23h
+
+[Install]
+WantedBy=timers.target
diff --git a/securedrop/debian/ossec-agent/var/ossec/etc/ossec.conf b/securedrop/debian/ossec-agent/var/ossec/etc/ossec.conf
@@ -52,6 +52,8 @@
     <ignore>/var/lib/securedrop/db.sqlite</ignore>
 
     <ignore>/var/lib/securedrop/submissions_today.txt</ignore>
+    <ignore>/var/lib/securedrop/disconnected_db_submissions.txt</ignore>
+    <ignore>/var/lib/securedrop/disconnected_fs_submissions.txt</ignore>
 
     <ignore type="sregex">/var/lib/securedrop/shredder/tmp</ignore>
 
@@ -128,13 +130,13 @@
 
   <localfile>
     <log_format>command</log_format>
-    <command>sudo -u www-data /opt/venvs/securedrop-app-code/bin/python3 /var/www/securedrop/manage.py check-disconnected-db-submissions</command>
+    <command>cat /var/lib/securedrop/disconnected_db_submissions.txt</command>
     <frequency>90000</frequency>
   </localfile>
 
   <localfile>
     <log_format>command</log_format>
-    <command>sudo -u www-data /opt/venvs/securedrop-app-code/bin/python3 /var/www/securedrop/manage.py check-disconnected-fs-submissions</command>
+    <command>cat /var/lib/securedrop/disconnected_fs_submissions.txt</command>
     <frequency>90000</frequency>
   </localfile>
 

diff --git a/securedrop/debian/ossec-server/var/ossec/rules/local_rules.xml b/securedrop/debian/ossec-server/var/ossec/rules/local_rules.xml
@@ -248,15 +248,15 @@
   <rule id="400800" level="1" >
     <if_sid>530</if_sid>
     <options>alert_by_email</options> <!-- force email to be sent -->
-    <match>ossec: output: 'sudo -u www-data /opt/venvs/securedrop-app-code/bin/python3 /var/www/securedrop/manage.py check-disconnected-db-submissions'</match>
+    <match>ossec: output: 'cat /var/lib/securedrop/disconnected_db_submissions.txt'</match>
     <regex>There are submissions in the database with no corresponding files\.</regex>
     <description>Indicates that submissions in the database are missing their corresponding files.</description>
   </rule>
 
   <rule id="400801" level="1" >
     <if_sid>530</if_sid>
     <options>alert_by_email</options> <!-- force email to be sent -->
-    <match>ossec: output: 'sudo -u www-data /opt/venvs/securedrop-app-code/bin/python3 /var/www/securedrop/manage.py check-disconnected-fs-submissions'</match>
+    <match>ossec: output: 'cat /var/lib/securedrop/disconnected_fs_submissions.txt'</match>
     <regex>There are files in the submission area with no corresponding records in the database\.</regex>
     <description>Indicates that there are files in the submission area without corresponding submissions in the database.</description>
   </rule>