-
Notifications
You must be signed in to change notification settings - Fork 26
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Adds details about OSSEC rule addition #199
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I left two suggestion to fix an encoding issue.
I'm assuming that the encoding mismatch happened when copy-pasting the command output and that fixing it in the docs would avoid confusion.
Also worth reviewing: I think both were some flavor of double quotes?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@kushaldas thanks for preparing these docs, I think there's a bit of duplication with existing sections (perhaps be can update the existing sections and/or link to them, to avoid duplication). See inline for comments
docs/development/updating_ossec.rst
Outdated
|
||
There are two main files involved in this. | ||
|
||
- `install_files/securedrop-ossec-server/var/ossec/rules/local_rules.xml` the rules file |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think the natural order (as you presented it below) is decoder file and then rules file. Perhaps inverting the order makes sense here, along with a sentence to briefly describe what they do.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
reading this for the first time, i also would have found it useful to see a short description for each item listed, regardless of order
docs/development/updating_ossec.rst
Outdated
|
||
You can then add a test for the `molecule/testinfra/mon/test_ossec_ruleset.py` | ||
file. Here the test loops over different log lines mentioned in | ||
`log_events_without_ossec_alerts` variable in |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
there's also log_events_with_ossec_alerts
to tests that the alerts are correctly generated
docs/development/updating_ossec.rst
Outdated
|
||
In the above example, we are creating a new `decoder` based on the | ||
`program_name` value. We can find this `program_name` value using the | ||
`/var/ossec/bin/ossec-logtest` command, you can paste the login as input to |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
See the section above (L26, there may be some duplicate information here. Perhaps folding it in or maintaining a reference to it makes sense here.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
+1 to including a reference to the section on how to use ossec-logtest, but it would also be useful to include the command used to obtain the output you copy-pasted below.
hey I'm going to pick up this review to help get it over the finish line! |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good! Just some minor changes requested before we merge. Thanks for the docs improvements kushal :)
docs/development/updating_ossec.rst
Outdated
|
||
In the above example, we are creating a new `decoder` based on the | ||
`program_name` value. We can find this `program_name` value using the | ||
`/var/ossec/bin/ossec-logtest` command, you can paste the login as input to |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
+1 to including a reference to the section on how to use ossec-logtest, but it would also be useful to include the command used to obtain the output you copy-pasted below.
docs/development/updating_ossec.rst
Outdated
</group> | ||
|
||
|
||
Verify the configuration change |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Could we reword to:
Verify new OSSEC rule
docs/development/updating_ossec.rst
Outdated
Verify the configuration change | ||
-------------------------------- | ||
|
||
On the monitor server you can use the following command as `root` to verify the changes. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
verify the changes -> verify the new rule
for more clarity?
docs/development/updating_ossec.rst
Outdated
|
||
There are two main files involved in this. | ||
|
||
- `install_files/securedrop-ossec-server/var/ossec/rules/local_rules.xml` the rules file |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
reading this for the first time, i also would have found it useful to see a short description for each item listed, regardless of order
I believe I've addressed all the substantive review feedback here. @creviera, would you be willing to re-review and resolve the individual review threads as you see fit? If you think this needs a deeper overhaul (à la freedomofpress/securedrop-dev-docs#153), I think I'd benefit from having a brief conversation about the goals and structure of this page before tinkering further with this pull request in its current form. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
looks like everyone's review comments were addressed :-)
Status
Ready for review
Description of Changes
Adds steps for adding new OSSEC rules. This is focused on the developers.
Testing
This is based on the wiki page at https://github.com/freedomofpress/securedrop/wiki/How-to-add-new-ossec-rules%3F
Release
Checklist (Optional)
make docs-lint
) passed locallymake docs-linkcheck
) passedmake docs
) docs at http://localhost:8000After merge