
Upgrade OSSEC version #2136

Closed
conorsch opened this issue Aug 16, 2017 · 5 comments

@conorsch
Contributor

Feature request

Description

Upgrade OSSEC to the latest stable version, currently 2.9.2 (the servers currently run 2.8.2). As of #1668 we have the OSSEC build logic integrated in this repository, so we can make changes to the OSSEC version in line with the standard release process.

We also need to resolve #1756 as part of the upgrade.

User Stories

As an Admin for SecureDrop, I want my alerts to be informative and actionable, and as bug-free as possible.

As a developer for SecureDrop, I want to use the latest tooling available to provide a reliable and secure monitoring story for Admins.

@ageis
Contributor

ageis commented Nov 4, 2017

I'd also like to suggest what I believe is a slight improvement here, concerning Syscheck settings in /var/ossec/etc/internal_options.conf:

# Syscheck checking/usage speed. To avoid large cpu/memory
# usage, you can specify how much to sleep after generating
# the checksum of X files. The default is to sleep 2 seconds
# after reading 15 files.
syscheck.sleep=2
syscheck.sleep_after=15

^ These defaults are pretty slow and basically mean that Syscheck will take a while to complete, depending on how many files are on the system. Something like sleeping for 1 second after every 64 or 128 files seems more sane to me, especially since we are not very resource-constrained.
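To put numbers on the throttle discussed above, here is an added example (not OSSEC's own code) that parses the `key=value` fragment quoted from `/var/ossec/etc/internal_options.conf` and computes how long a scan spends sleeping under the default values versus the proposed ones. The "sleep N seconds after every M files" behaviour is taken from the config comment; the 100k file count and the proposed pairs are constructed inputs, and real scans add hashing and I/O time on top of this floor.

```python
"""Added example (not OSSEC's code): parse the syscheck throttle keys from an
internal_options.conf fragment and compute the minimum time a scan spends
sleeping for a given file count. The "N files then sleep" behaviour is taken
from the config comment quoted in the issue; the file counts are constructed."""

# Constructed copy of the fragment quoted in the comment above.
INTERNAL_OPTIONS_SNIPPET = """\
# Syscheck checking/usage speed. To avoid large cpu/memory
# usage, you can specify how much to sleep after generating
# the checksum of X files. The default is to sleep 2 seconds
# after reading 15 files.
syscheck.sleep=2
syscheck.sleep_after=15
"""


def parse_internal_options(text):
    """Parse key=value lines; '#' comments and blank lines are skipped.
    Values are returned as ints when they look numeric, else as strings."""
    options = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        options[key] = int(value) if value.lstrip("-").isdigit() else value
    return options


def sleep_floor_seconds(n_files, sleep, sleep_after):
    """Seconds the scan spends sleeping if it pauses `sleep` seconds after
    every `sleep_after` files (hashing and I/O time come on top of this)."""
    if sleep_after <= 0:
        raise ValueError("sleep_after must be positive")
    return (n_files // sleep_after) * sleep


def compare_settings(n_files, config_text, proposals):
    """Return {label: floor_seconds} for the configured values and for each
    proposed (sleep, sleep_after) pair."""
    opts = parse_internal_options(config_text)
    result = {
        "configured": sleep_floor_seconds(
            n_files, opts["syscheck.sleep"], opts["syscheck.sleep_after"])
    }
    for sleep, after in proposals:
        result[f"{sleep}s/{after}"] = sleep_floor_seconds(n_files, sleep, after)
    return result


if __name__ == "__main__":
    # 100k files is a constructed count, roughly a small server's worth.
    comparison = compare_settings(100_000, INTERNAL_OPTIONS_SNIPPET,
                                  [(1, 64), (1, 128)])
    for label, secs in comparison.items():
        print(f"{label:>12}: {secs:6d} s  (~{secs / 60:.0f} min)")
```

With the defaults a 100k-file tree spends over 3.5 hours just sleeping, while 1s/64 brings that floor down to about 26 minutes; that gap is why a longer detection delay on a file-integrity monitor is worth measuring before accepting the shipped values.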

@ghost ghost added feature OSSEC labels Dec 7, 2017
@redshiftzero redshiftzero added this to the 0.6 milestone Jan 8, 2018
@emkll emkll self-assigned this Jan 22, 2018
@emkll
Contributor

emkll commented Jan 24, 2018

As of this comment, the latest version is now 2.9.3. The 2.9.x family currently has issues with ipv4 only hosts (see ossec/ossec-hids#917). A fix has been merged (see ossec/ossec-hids#1259) but not included in the 2.9.3 release (per https://github.com/ossec/ossec-hids/blob/v2.9.3/src/os_net/os_net.c#L70).

As expected, authd fails to bind to the port when the host is running IPv4-only:

root@mon-staging:/var/ossec# ./bin/ossec-authd -d -i 10.0.1.2
2018/01/24 17:27:48 ossec-authd: DEBUG: Starting ...
2018/01/24 17:27:48 ossec-authd: INFO: Started (pid: 5341).
2018/01/24 17:27:48 ossec-authd: DEBUG: Returning CTX for server.
2018/01/24 17:27:48 getaddrinfo: Name or service not known
2018/01/24 17:27:48 ossec-authd: Unable to bind to port 1515

Since there are no CVEs associated with the version we are running, I suggest we wait for the next release.
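The failure in the log above is the classic shape of a listener that asks the resolver for one address family on a host that only has the other. As an added example (not OSSEC's code, and not a reproduction of the `os_net.c` path linked above), the following shows that pattern next to the family-agnostic one that works on IPv4-only, IPv6-only and dual-stack hosts. It uses the address and port from the log, and `AI_NUMERICHOST` keeps it offline; nothing here binds a real socket.

```python
"""Added example (not OSSEC's code): why a listener that requests one address
family fails on hosts that only have the other, and the AF_UNSPEC pattern
that avoids it. The address and port are the ones from the authd log."""
import socket


def listen_candidates(host, port, family=socket.AF_UNSPEC):
    """Return (family, sockaddr) pairs the resolver offers for a listening
    socket. AI_NUMERICHOST keeps this offline for literal addresses;
    AI_PASSIVE marks the result as a bind address."""
    flags = socket.AI_PASSIVE | socket.AI_NUMERICHOST
    infos = socket.getaddrinfo(host, port, family, socket.SOCK_STREAM, 0, flags)
    return [(fam, sockaddr) for fam, _type, _proto, _canon, sockaddr in infos]


def bind_family_or_error(host, port, family):
    """Family a daemon would bind with, or the resolver's error string when
    the requested family cannot represent the configured address. A daemon
    that hard-codes AF_INET6 gets the error branch on an IPv4-only host;
    AF_UNSPEC lets the resolver pick whatever the address actually is."""
    try:
        return listen_candidates(host, port, family)[0][0]
    except socket.gaierror as exc:
        return f"getaddrinfo: {exc.strerror}"


if __name__ == "__main__":
    for fam, label in ((socket.AF_INET6, "AF_INET6 only"),
                       (socket.AF_INET, "AF_INET only"),
                       (socket.AF_UNSPEC, "AF_UNSPEC")):
        print(f"{label:>14}: {bind_family_or_error('10.0.1.2', 1515, fam)}")
```

Operationally, the check that matters is the same one emkll ran: start the daemon with `-d` on a representative host and confirm it reports the listening address, since an enrolment daemon that silently fails to bind leaves new agents unable to register rather than raising an alert.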

@emkll
Contributor

emkll commented Jun 28, 2018

It seems like the bug described above appears to be fixed in 2.9.4 released last week. We should consider upgrading these packages in the next SecureDrop release.

@redshiftzero redshiftzero added this to the 0.9 milestone Jun 28, 2018
@redshiftzero
Contributor

Thanks for checking on this @emkll, added to 0.9 milestone

@redshiftzero
Contributor

Closing this in favor of #3701, which we should try to do in 0.9.0

@eloquence eloquence removed this from the 0.9 milestone Aug 28, 2018