Add OSSEC rule to indicate to admins what ansible-apt-key alert means #2224
Conversation
When the playbooks run, an alert fires due to Ansible apt-key. We should have a test to check that this alert indeed fires.
|
Reviewing now. |
| G5SR00+00VHzBVE6fDg027e#012N2sAnjNLOYbRSBxBnELUDKC7Vjaz/sAM | ||
| iEwEExECAAwFAkqg7nQFgwll/3cACgkQ#0123nqvbpTAnH+GJA | ||
| level: "13" | ||
| rule_id: "400001" |
There was a problem hiding this comment.
Beautiful job on the new test vars! The additions even pass YAML linting standards. 🥇
docs/development/updating_ossec.rst
Outdated
| part of each SecureDrop release. This upgrade will occur automatically. | ||
|
|
||
| .. note:: This also means that any changes made locally by administrators to | ||
| their OSSEC rules will not persist after a SecureDrop update. |
There was a problem hiding this comment.
In the note::, the leading "This" refers to statements made in the preceding paragraph text, which somewhat defeats the purpose of using a Note. How about:
The use of automatic upgrades for release deployment means that any changes made locally by administrators to their OSSEC rules will not persist after a SecureDrop update.
There was a problem hiding this comment.
Fair! Let me know when you're done reviewing / when it's cool for me to force push without being annoying and I'll fix this.
|
Confirmed that the testinfra tests fail when run against staging machines provisioned on latest The docs additions are solid. We'll certainly have to flesh out the docs more in the coming releases—some of the info such as useful logfiles should be ported from the OSSEC guide to the writing alerts guide—but these additions are great to have in as soon as possible. One question: won't only the first Ansible-related alert get a custom message, and all the other events will continue to fire? It appears as if only the apt_key module events will get a custom message, and all the rest will operate as before. If that's the case, then perhaps we should leave #2156 open, since it's still very much a problem. For example, during testing just now, running the playbooks against staging creates dozens of alerts—if we detect an Ansible playbook run, I'd prefer to silence the subsequent alerts, as well. |
|
What you say re: this PR only addressing the first Ansible-related alert is true. I agree in that case that #2156 should stay open until we silence the other alerts (if they are not providing useful information). Edited PR description accordingly. |
|
Excellent, thanks for the clarification, @redshiftzero. |
And add failing test for Ansible OSSEC alert described in ticket #2156
Noting that admins may not actually understand what Ansible playbooks are now that we abstract that away from the user now.
redshiftzero
force-pushed
the
ossec-ansible-alert
branch
from
7d8af79 to
471f9bc
Compare
|
FYI I made that docs change @conorsch |
Status
Ready for review
Description of Changes
This PR:
Testing
rule_id)Deployment
Rules should be deployed via the SecureDrop OSSEC deb packages without issue.
Checklist
If you made changes to the system configuration:
If you made changes to documentation: