
Ubuntu Pro CLI tool cannot parse our kernel versions #6773

Closed
cfm opened this issue Mar 21, 2023 · 3 comments · Fixed by #6781
Comments

@cfm
Member

cfm commented Mar 21, 2023

Description

Ubuntu Pro's pro utility runs some kind of nightly version check (or phones home?), but it chokes on our X.Y.Z-grsec-securedrop kernel versions.

Steps to Reproduce

Long-running QA instance with SecureDrop 2.5.2 and Ubuntu 20.04.6; no specific reproduction.

Expected Behavior

Not applicable

Actual Behavior

OSSEC alert:

OSSEC HIDS Notification.
2023 Mar 20 02:07:03

Received From: mon->/var/log/syslog
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
Portion of the log(s):

Mar 20 02:07:02 mon python3[267258]: failed to process /proc/version_signature.

 --END OF NOTIFICATION

OSSEC HIDS Notification.
2023 Mar 20 02:07:03

Received From: mon->/var/log/syslog
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
Portion of the log(s):

Mar 20 02:07:02 mon python3[267258]: Failed to parse kernel: 5.15.89-grsec-securedrop

 --END OF NOTIFICATION

Or manually:

sdadmin@mon:~$ pro status
failed to process /proc/version_signature.
Failed to parse kernel: 5.15.89-grsec-securedrop
SERVICE          AVAILABLE  DESCRIPTION
esm-apps         yes        Expanded Security Maintenance for Applications
esm-infra        yes        Expanded Security Maintenance for Infrastructure
fips             yes        NIST-certified core packages
fips-updates     yes        NIST-certified core packages with priority security updates
livepatch        yes        Canonical Livepatch service
usg              yes        Security compliance and audit tools

This machine is not attached to an Ubuntu Pro subscription.
See https://ubuntu.com/pro

Comments

At a minimum, we should silence this alert in securedrop/debian/ossec-server/var/ossec/rules/local_rules.xml. It might be worth time-boxing an investigation of the pro utility itself to see if it's phoning home, in which case we should consider removing ubuntu-advantage-tools during installation.

@legoktm
Member

legoktm commented Mar 31, 2023

The kernel version parsing code is https://github.com/canonical/ubuntu-pro-client/blob/main/uaclient/system.py#L27 - this is basically the same problem as #6762 and will eventually be fixed by freedomofpress/kernel-builder#33

> in which case we should consider removing ubuntu-advantage-tools during installation.

This seems sensible regardless.
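As an added illustration (not uaclient's code, whose actual parser is at the system.py link above): a strict parser modelled on Ubuntu's MAJOR.MINOR.PATCH-ABI-FLAVOR kernel package scheme beside a tolerant one, showing why 5.15.89-grsec-securedrop does not fit the strict form, plus a reader for /proc/version_signature that treats a missing file as the "failed to process" case. The strict pattern and the version_signature layout ("Ubuntu 5.4.0-144.161-generic 5.4.228") are assumptions made here.

```python
import re
from typing import Optional

# Assumption: Ubuntu kernels are packaged as MAJOR.MINOR.PATCH-ABI-FLAVOR
# (e.g. 5.4.0-144-generic). A custom build such as 5.15.89-grsec-securedrop
# has no numeric ABI field, so a parser that insists on one rejects it.
STRICT = re.compile(
    r"^(?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)"
    r"-(?P<abi>\d+)-(?P<flavor>[a-z][a-z0-9-]*)$"
)

# Tolerant variant: the ABI is optional and whatever follows the upstream
# version becomes the flavor label.
TOLERANT = re.compile(
    r"^(?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)"
    r"(?:-(?P<abi>\d+))?(?:-(?P<flavor>[a-z][a-z0-9-]*))?$"
)


def parse_kernel(version: str, strict: bool = False) -> Optional[dict]:
    """Split a kernel release string into fields; None when it does not fit."""
    m = (STRICT if strict else TOLERANT).match(version.strip())
    if m is None:
        return None
    fields = m.groupdict()
    for key in ("major", "minor", "patch"):
        fields[key] = int(fields[key])
    fields["abi"] = int(fields["abi"]) if fields["abi"] is not None else None
    return fields


def parse_version_signature(text: Optional[str]) -> Optional[dict]:
    """Parse the Ubuntu-specific /proc/version_signature contents.

    The file exists only on Ubuntu-built kernels; pass None for a kernel that
    does not provide it (the 'failed to process' case in the alert above).
    Assumed layout: 'Ubuntu <package version> <upstream version>'.
    """
    if text is None:
        return None
    parts = text.split()
    if len(parts) < 2:
        return None
    # Drop the upload number from the ABI: 5.4.0-144.161-generic -> 5.4.0-144-generic
    release = re.sub(r"^(\d+\.\d+\.\d+-\d+)\.\d+", r"\1", parts[1])
    return parse_kernel(release, strict=True)
```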

@zenmonkeykstop
Contributor

zenmonkeykstop commented Apr 13, 2023

Note that the approach of removing ubuntu-advantage-tools is infeasible due to dependencies in core Ubuntu packages. As per @legoktm's comment here: #6779 (comment), it should be possible to disable and mask the timer triggering the pro tool, thereby preventing these errors.

@legoktm
Member

legoktm commented Apr 13, 2023

From the discussion so far (with @nathandyer), we've identified two main areas where this comes into play.

  1. The ua-timer.service unit, which invokes timer.py, which I believe runs the uaclient stuff. Grepping for version_signature only finds hits in uaclient.
  2. An apt hook, 20apt-esm-hook.conf, which from reviewing the source code appears to just be parsing the apt cache to see what, if any, updates are behind the paywall. It's not really phoning home, just hitting a few more apt repositories.

Disabling the systemd timer is trivial; we already do it for fwupd, so I'll submit a PR shortly. Removing the apt hook is less so; we don't want to interfere with files other packages "own". So we would want to find a config setting to turn it off, or install a higher-numbered config file that somehow clobbers this one. Unclear if we need to go that far; it looks like part 1 should take care of the OSSEC notifications. I've applied it to my prod instance and can report back tomorrow to see if they've stopped.

Source code link: https://git.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/tree/?h=applied/ubuntu/focal-updates

legoktm added a commit that referenced this issue Apr 13, 2023
Ubuntu Pro's "uaclient" expects the Linux kernel package to be versioned
in a specific format that we are not currently compliant with. This
error message is triggering spurious OSSEC alerts.

While we do plan to fix our kernel versioning scheme, we really don't need
this Ubuntu Pro stuff, so let's disable it the same way we do with fwupd.

Fixes #6773.
@legoktm legoktm self-assigned this Apr 13, 2023
legoktm added a commit that referenced this issue May 5, 2023
…lerts

Ubuntu Pro's "uaclient" expects the Linux kernel package to be versioned
in a specific format that we are not currently compliant with. This
error message is triggering spurious OSSEC alerts.

While we do plan to fix our kernel versioning scheme, we really don't need
this Ubuntu Pro stuff, so let's disable it the same way we do with fwupd.

Since ua-timer is started by a timer, simply disabling it is enough.
But for esm-cache, it's invoked by an apt hook, so we need to mask it.

Fixes #6773.
legoktm added a commit that referenced this issue May 25, 2023
@cfm cfm closed this as completed in #6781 May 26, 2023