fwupd produces multiple alerts #6204

Closed
eloquence opened this issue Dec 21, 2021 · 6 comments · Fixed by #6401

@eloquence
Member

Example notification:

OSSEC HIDS Notification.
2021 Dec 20 19:06:01

Received From: (app) 10.20.2.2->/var/log/syslog
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
Portion of the log(s):

Dec 20 19:06:01 app fwupd[135559]: message repeated 2 times: [ 19:06:01:0220 GLib                 g_bytes_get_data: assertion 'bytes != NULL' failed]

We don't currently support fwupd and have previously silenced its alerts: #5882, #6107

@eloquence
Member Author

What's the correct long-term solution here - should/can we uninstall fwupd for now?

@conorsch
Contributor

Perhaps we can disable fwupd via systemd, via the postinst for securedrop-config. These messages are new, I only see them starting a few days ago.

@eloquence eloquence changed the title fwupd produces GLib alerts fwupd produces multiple alerts Mar 31, 2022
@eloquence
Member Author

New alerts which can also be found in our test instance:

OSSEC HIDS Notification.
2022 Mar 30 12:04:23

Received From: (app) 10.20.2.2->/var/log/syslog
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
Portion of the log(s):

Mar 30 12:04:21 app fwupd[134379]: 12:04:21:0953 FuPluginTpm          failed to load eventlog: Failed to open file "/sys/kernel/security/tpm0/binary_bios_measurements": No such file or directory

 --END OF NOTIFICATION

OSSEC HIDS Notification.
2022 Mar 30 12:04:23

Received From: (app) 10.20.2.2->/var/log/syslog
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
Portion of the log(s):

Mar 30 12:04:22 app fwupd[134379]: 12:04:22:0151 FuEngine             failed to record HSI attributes: failed to get historical attr: json-glib version too old

 --END OF NOTIFICATION

I would suggest that we tackle this more systematically for 2.4.0 or soon after, to ensure the OSSEC signal/noise ratio doesn't drop too low.

@elfranne

the binary_bios_measurements has been fixed upstream (v1.7.6):
fwupd/fwupd#4290

@legoktm
Member

legoktm commented Apr 13, 2022

When I run sudo fwupdmgr get-devices on a NUC10 or NUC11, I get:

WARNING: UEFI capsule updates not available or enabled in firmware setup
  See https://github.com/fwupd/fwupd/wiki/PluginFlag:capsules-unsupported for more information.

(it does list the internal Kingston SSD, so we can at least get updates for that)

After reading the linked wiki page, I spent a while digging through the BIOS settings and didn't see anything that obviously would enable UEFI capsule updates.

I think it would be better if we leave fwupd installed in case we do ever need to ask admins to install a firmware update via it, but we can disable the fwupd-refresh.timer that just downloads new metadata every day, sometimes triggering OSSEC alerts. If we did want people to use fwupd for whatever reason, they'd need to run fwupdmgr refresh manually.

Something like systemctl is-enabled fwupd-refresh.timer && systemctl disable fwupd-refresh.timer should do it.
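
As an added example (not SecureDrop's own postinst code), here is a POSIX sh function a package postinst could call to disable fwupd-refresh.timer idempotently and verify the end state, so a re-run on an already-fixed host is a no-op. It assumes a systemd host with systemctl on PATH; the unit name is the one named above.

```shell
#!/bin/sh
# Added example (not SecureDrop's own postinst code): idempotently disable
# the daily fwupd metadata refresh timer that triggers the OSSEC alerts.
# Assumes a systemd host with `systemctl` on PATH.

TIMER_UNIT="fwupd-refresh.timer"

# Returns 0 when the timer ends up not enabled (or does not exist at all),
# 1 when it is still enabled after the attempt.
disable_fwupd_refresh_timer() {
    # `systemctl is-enabled` prints the state and exits 0 only when the
    # unit is enabled; a missing unit prints nothing and exits non-zero.
    state=$(systemctl is-enabled "$TIMER_UNIT" 2>/dev/null) || true
    state=${state:-not-found}

    case "$state" in
        enabled|enabled-runtime)
            systemctl disable "$TIMER_UNIT" || return 1
            # Stopping can fail where systemd is not running (e.g. an
            # image-build chroot); the disable above is what persists.
            systemctl stop "$TIMER_UNIT" 2>/dev/null || true
            ;;
        *)
            # disabled, masked, static or absent: nothing to change
            ;;
    esac

    # Verify the resulting state instead of trusting the exit code.
    final=$(systemctl is-enabled "$TIMER_UNIT" 2>/dev/null) || true
    case "$final" in
        enabled|enabled-runtime)
            echo "$TIMER_UNIT is still enabled" >&2
            return 1
            ;;
    esac
    return 0
}
```

In a Debian postinst this would be called from the `configure` case; it leaves the fwupd package and the `fwupdmgr refresh` manual path untouched.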

@eloquence
Member Author

That would be a nice change to get into 2.4.0 IMO, those OSSEC alerts have been catching a number of diligent admins by surprise.

@legoktm legoktm added this to the 2.4.0 milestone Apr 13, 2022
legoktm added a commit that referenced this issue Apr 13, 2022
For various reasons, the timer to run `fwupdmgr refresh` occasionally
triggers OSSEC alerts, which admins can't do anything about.

We currently don't use fwupd for firmware updates, so the daily refresh
of metadata is useless and should be safe to disable. If in the future
we do want admins to install updates with fwupd, they can run refresh
manually as part of the process.

Fixes #6204.
legoktm added a commit that referenced this issue Apr 13, 2022
legoktm added a commit that referenced this issue Apr 14, 2022