Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[0.7.0] ossec: resolve journalist notification racing with reboots #3384

Merged
merged 4 commits into from May 9, 2018
Merged

[0.7.0] ossec: resolve journalist notification racing with reboots #3384

merged 4 commits into from May 9, 2018

Conversation

ghost
Copy link

@ghost ghost commented May 9, 2018

Status

Ready for review

Description of Changes

Backport #3374

Mitigates: #3368

The app server is rebooted every 24h and will send a notification at
boot time. The ossec server is also rebooted and will immediately send
the email to the journalist, regardless of when the previous mail was
sent (mail frequency is not a feature of ossec-maild). Always running
the localfile command at boot time is an undocumented OSSEC behavior
ossec/ossec-hids#1415 in 2.8.2 as well as
2.9.3.

This guarantees exactly one mail will be sent daily.

Setting the 25 hours frequency element is a safeguard:

  • against the following race a) command runs because the 24h period
    expires, b) the server reboots shortly after because it reboots
    every 24h, c) command runs again after the server is rebooted,
    causing two notifications to be sent in a row

  • in case the server does not reboot for some reason, the notification
    will still be sent every 25h

Fixes: #3367

Testing

  • Reboot the app server and verify the notification is sent

Deployment

N/A

Checklist

If you made changes to documentation:

  • Doc linting (make docs-lint) passed locally

Loic Dachary added 4 commits May 9, 2018 21:45
ossec: resolve journalist notification racing with reboots
f403619 
The app server is rebooted every 24h and will send a notification at
boot time. The ossec server is also rebooted and will immediately send
the email to the journalist, regardless of when the previous mail was
sent (mail frequency is not a feature of ossec-maild). Always running
the localfile command at boot time is an undocumented OSSEC behavior
ossec/ossec-hids#1415 in 2.8.2 as well as
2.9.3.

This guarantees exactly one mail will be sent daily.

Setting the 25 hours frequency element is a safeguard:

* against the following race a) command runs because the 24h period
  expires, b) the server reboots shortly after because it reboots
  every 24h, c) command runs again after the server is rebooted,
  causing two notifications to be sent in a row

* in case the server does not reboot for some reason, the notification
  will still be sent every 25h

Fixes: #3367
(cherry picked from commit 91552eb)
ossec: never send more than one journalist notification per 24h
ec1fdcd 
Relates to: #3368

(cherry picked from commit 3df6409)
testinfra: fake payload are ok to verify journalist encryption
51d6e23 
(cherry picked from commit 81e9687)
make journalist notifications resilient to double ossec alerts
a12c651 
Under some circumstances daily journalist notifications may be grouped
with other ossec alerts. In all cases where this transient error was
observed, a well formed journalist notification alert was also
included in the payload. By changing the regular expression we make
the script resilient to payloads that contain unrelated content.

Mitigates #3368

(cherry picked from commit 0e5694b)
@ghost ghost added this to the 0.7 milestone May 9, 2018
@ghost ghost requested review from conorsch and msheiny as code owners May 9, 2018 19:48
@ghost ghost requested a review from emkll May 9, 2018 19:49
emkll
emkll approved these changes May 9, 2018
View reviewed changes
Copy link
Contributor

@emkll emkll left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for porting @dachary , changes are consistent with #3374

@ghost
Copy link
Author

ghost commented May 9, 2018

I would merge it if I had permissions but it appears I don't have permission to merge in release/0.7

@codecov-io
Copy link

Codecov Report

Merging #3384 into release/0.7 will decrease coverage by 0.01%.
The diff coverage is n/a.

Impacted file tree graph

@@               Coverage Diff               @@
##           release/0.7    #3384      +/-   ##
===============================================
- Coverage        85.81%   85.79%   -0.02%     
===============================================
  Files               34       34              
  Lines             2157     2154       -3     
  Branches           238      238              
===============================================
- Hits              1851     1848       -3     
  Misses             250      250              
  Partials            56       56
Impacted Files Coverage Δ
journalist_app/admin.py 87.33% <0%> (-0.25%) ⬇️
i18n_tool.py 96.15% <0%> (ø) ⬆️

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 3b1be65...a12c651. Read the comment docs.

@emkll emkll merged commit de205de into freedomofpress:release/0.7 May 9, 2018
This was referenced May 10, 2018
Closed
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@conorsch conorsch Awaiting requested review from conorsch

@msheiny msheiny Awaiting requested review from msheiny

Assignees
No one assigned
Labels
bug goals: journalist experience ops/deployment
Projects
None yet
Milestone
0.7
Development

Successfully merging this pull request may close these issues.
2 participants
@codecov-io @emkll