Disable fwupd-refresh.timer, triggers OSSEC warnings

For various reasons, the timer to run `fwupdmgr refresh` ocassionally triggers OSSEC alerts, which admins can't do anything about. We currently don't use fwupd for firmware updates, so the daily refresh of metadata is useless and should be safe to disable. If in the future we do want admins to install updates with fwupd, they can run refresh manually as part of the process. Fixes #6204.
freedomofpress · Apr 13, 2022 · 96a6c28 · 96a6c28
1 parent f0dd9a8
commit 96a6c28
Showing 1 changed file with 3 additions and 0 deletions.
diff --git a/install_files/securedrop-app-code/debian/postinst b/install_files/securedrop-app-code/debian/postinst
@@ -187,6 +187,9 @@ case "$1" in
         gpg2 --homedir=/var/lib/securedrop/keys --batch --import < /var/lib/securedrop/keys/secring.gpg
     fi
 
+    # Disable fwupd-refresh (#6204)
+    systemctl is-enabled fwupd-refresh.timer && systemctl disable fwupwd-refresh.timer
+
     chown -R www-data:www-data /var/lib/securedrop /var/www/securedrop
 
     chown -R www-data:www-data /var/www/securedrop