
[Focal] Ossec-agent does not reconnect on reboot, Apache/Python error does not result in OSSEC alert #5778

Closed
emkll opened this issue Feb 8, 2021 · 3 comments · Fixed by #5783

Comments

@emkll
Contributor

emkll commented Feb 8, 2021

Description

Two configuration issues for ossec under Ubuntu Focal:

  1. When the system restarts, ossec-agent is started, but it does not connect to mon on startup (which is exactly the same error as reported upstream in ossec-hids/1946):
     2021/02/08 16:39:16 ossec-agentd: INFO: Trying to connect to server 10.20.3.2, port 1514.
     2021/02/08 16:39:16 ossec-agentd(1216): ERROR: Unable to connect to ' 10.20.3.2'.
  2. When the Python process throws an exception, that error is written to the Apache2 error logs. Ossec should then send out an alert.

Steps to Reproduce

  • Install SecureDrop from develop on Focal prod hardware
  • Observe `/var/ossec/logs/ossec.log` for the error in the Description, restart the ossec service and observe that the error no longer appears in the logs
  • Trigger the test ossec alert (Journalist Interface -> admin -> Instance Configuration -> Send test ossec alert)
  • View `/var/ossec/logs/alerts/alerts.log`: no error was triggered

Expected Behavior

  1. ossec-agent should start on boot and should forward alerts to mon
  2. Application/apache error should trigger an ossec alert

Actual Behavior

  1. ossec-agent does not start correctly; the following error is observed:
     2021/02/08 16:39:16 ossec-agentd: INFO: Trying to connect to server 10.20.3.2, port 1514.
     2021/02/08 16:39:16 ossec-agentd(1216): ERROR: Unable to connect to ' 10.20.3.2'.

     Restarting the ossec service after boot resolves this.

  2. Application/apache error does not trigger an ossec alert

Comments

  1. Changing the ossec service file for the agent to start ossec after the network starts (cb93415) did not resolve
  2. Perhaps upstream updated the Apache, otherwise we should update in

This is what an apache2 error looks like in Ubuntu Focal:

    [Fri Feb 05 20:20:04.989770 2021] [wsgi:error] [pid 853:tid 1311750398493023] [remote 127.0.0.1:47034] ERROR:flask.app:This is a test OSSEC alert
@emkll emkll changed the title [Focal] Apache/Python error does not result in OSSEC alert [Focal] Ossec-agent does not reconnect on reboot, Apache/Python error does not result in OSSEC alert Feb 8, 2021
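A small check of the detection side of issue 2, added here as an illustration and not code from SecureDrop or OSSEC: it decodes the Focal-style Apache 2.4 error line quoted above (plus a constructed pre-2.4 layout line for contrast) and applies the alert condition the issue expects, so a changed log layout shows up as a silently dropped match rather than as a missing alert in production. The regular expressions, field names and sample lines are the example's own assumptions.

```python
import re
from typing import Dict, List, Optional

# Apache 2.4 error-log layout as seen on Ubuntu Focal in this issue:
# [<timestamp>] [<module>:<level>] [pid N:tid N] [remote ip:port] <message>
APACHE24_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<module>[^:\]]+):(?P<level>[^\]]+)\] "
    r"\[pid (?P<pid>\d+)(?::tid (?P<tid>\d+))?\] "
    r"(?:\[(?:remote|client) (?P<remote>[^\]]+)\] )?(?P<msg>.*)$"
)
# Pre-2.4 (Apache 2.2) layout, constructed here for contrast, not taken from the issue:
# [<timestamp>] [<level>] [client ip] <message>
APACHE22_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>[^:\]]+)\] "
    r"(?:\[client (?P<remote>[^\]]+)\] )?(?P<msg>.*)$"
)


def parse_line(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Return the decoded fields plus a 'fmt' tag, or None if the line is neither layout.
    The 2.4 pattern is tried first; only lines lacking the module:level pair reach 2.2."""
    m = APACHE24_RE.match(line)
    if m:
        return {"fmt": "2.4", **m.groupdict()}
    m = APACHE22_RE.match(line)
    if m:
        return {"fmt": "2.2", **m.groupdict()}
    return None


def should_alert(line: str) -> bool:
    """The condition the issue expects OSSEC to act on: an Apache 'error' entry
    whose message is a Python logging record (ERROR:<logger>:...) from the Flask app."""
    ev = parse_line(line)
    return ev is not None and ev["level"] == "error" and ev["msg"].startswith("ERROR:")


def scan(lines: List[str]) -> List[str]:
    """Messages of every line that should raise an alert, in log order."""
    return [parse_line(l)["msg"] for l in lines if should_alert(l)]


# Constructed sample: the Focal line quoted in the issue, a benign startup notice,
# and an old-style (2.2 layout) line carrying the same test alert.
SAMPLE_LOG = [
    "[Fri Feb 05 20:20:04.989770 2021] [wsgi:error] [pid 853:tid 1311750398493023] "
    "[remote 127.0.0.1:47034] ERROR:flask.app:This is a test OSSEC alert",
    "[Fri Feb 05 20:19:59.000000 2021] [mpm_event:notice] [pid 853:tid 1311750398493023] "
    "AH00489: Apache configured -- resuming normal operations",
    "[Fri Feb 05 20:20:04 2021] [error] [client 127.0.0.1] ERROR:flask.app:This is a test OSSEC alert",
]
```

Running `scan(SAMPLE_LOG)` against a decoder that only knows the old layout is the quick way to see whether the Focal line would be dropped before any rule is evaluated.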
@kushaldas
Contributor

I could reproduce this. I also noticed a new error:

2021/02/10 11:27:19 ossec-agentd(1210): ERROR: Queue '/queue/alerts/execq' not accessible: 'Queue not found'.
2021/02/10 11:27:19 ossec-agentd: INFO: Unable to connect to the active response queue (disabled)

Not seeing anything on the mon server on port 1514 when the system boots up, but only when we restart the service.

Debugging more.

@kushaldas
Contributor

Commit 9d54ddd fixes problem 1: ossec services will now start after the network is up.

@emkll
Contributor Author

emkll commented Feb 10, 2021

Thanks @kushaldas for the changes! Looks like with those changes, the logs are correctly sent to mon, and an OSSEC alert is raised 🎉:

[Wed Feb 10 20:19:05.505528 2021] [wsgi:error] [pid 807:tid 126394263918336] [remote 127.0.0.1:59230] ERROR:flask.app:This is a test OSSEC alert
