
Disable do-release-upgrade OSSEC notification #3546

Merged
merged 2 commits into from
Jun 21, 2018

Conversation

redshiftzero
Contributor

@redshiftzero redshiftzero commented Jun 20, 2018

Status

Ready for review

Description of Changes

Fixes #3205

Changes proposed in this pull request:

  • Currently admins are getting weekly alerts encouraging them to upgrade to Xenial, but upgrading to Xenial actually breaks SecureDrop. This addition to the postinst scripts of the securedrop OSSEC packages will suppress that notification.

Testing

These instructions assume that you are testing this in staging VMs.

Setup

Make sure you're getting OSSEC emails

First, since the alert does not appear in vagrant VMs, and it actually only appears once per week, we should address both of those things as setup.

git checkout develop
make build-debs

Now make sure you have prod like creds and modify your staging.yml group vars to enable postfix (i.e. apply this diff):

vagrant up /staging/

Now ensure OSSEC alerts are flowing.

Make the do-release-upgrade alert happen, and frequently

On each machine, SSH in and in /etc/update-manager/release-upgrades replace Prompt=never with Prompt=lts (this is what is set on hardware).

Also delete the flag file at /var/lib/ubuntu-release-upgrader/release-upgrade-available if it exists.

Finally for easy testing, in /etc/crontab run the weekly job every 5 mins:

*/5 * * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly)

At this point you should be getting the alert about do-release-upgrade to your OSSEC email address every 5 minutes. Wait and verify this is the case.

Note: I only ever get the alert from mon on both hardware and prod VMs. However I think it is best to apply this change to both hosts to ensure this alert doesn't pop up in the future for anyone.

Test the fix

git checkout resolve-do-release-notification
make build-debs
vagrant provision /staging/
  • Verify on each server that /etc/update-manager/release-upgrades now has Prompt=never

At this point, the alert will continue to fire, because the weekly job is running /usr/lib/ubuntu-release-upgrader/release-upgrade-motd, and the logic there is to only update the "do we need to do an upgrade" status every 24 hours. This is tracked via the flag file that we deleted earlier, so you need to do one of the following:

  1. Wait 24+ hours for the alert to go away
  2. Edit /usr/lib/ubuntu-release-upgrader/release-upgrade-motd to expire the flag file more rapidly OR
  3. Delete the stamp file at /var/lib/ubuntu-release-upgrader/release-upgrade-available so the check (the actual checking for a new release is done in /usr/lib/ubuntu-release-upgrader/check-new-release) is performed again (this is what I did)

Once one of these three things is done:

  • Verify the alert no longer appears

Deployment

Will be automatically deployed when SD OSSEC packages update

Checklist

If you made changes to the system configuration:

If you made non-trivial code changes:

  • I have written a test plan and validated it for this PR
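Added example (not part of the PR or of SecureDrop's packaging): the same Prompt=never edit the postinst makes, applied idempotently to a constructed copy of /etc/update-manager/release-upgrades, with the check from the test plan ("now has Prompt=never") as a function. The guard for a missing file and the anchored pattern are hardening choices assumed here, not the PR's code.

```shell
#!/bin/sh
# Added example: apply and verify the Prompt=never edit on a constructed copy of
# /etc/update-manager/release-upgrades. Nothing here touches the real system file.
set -eu

# Same edit as the PR's postinst sed, but guarded so a missing file cannot abort a
# 'set -e' postinst, and anchored to line start so a commented-out '# Prompt=...'
# line is left alone. Returns 1 when the file is absent.
disable_release_prompt() {
    f="$1"
    [ -f "$f" ] || return 1
    sed -i 's/^Prompt=.*/Prompt=never/' "$f"
}

# Mirrors the test plan's verification step: print the effective (uncommented)
# Prompt value, last occurrence wins as it would for the release upgrader.
effective_prompt() {
    sed -n 's/^Prompt=\(.*\)$/\1/p' "$1" | tail -n 1
}

# Constructed sample matching what the test plan sets on hardware (Prompt=lts),
# plus a commented-out line to show the anchored pattern ignores it.
make_sample() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# Default behavior for the release upgrader.
[DEFAULT]
# Prompt=never
Prompt=lts
EOF
    printf '%s\n' "$f"
}

sample=$(make_sample)
disable_release_prompt "$sample"
echo "Prompt is now: $(effective_prompt "$sample")"
rm -f "$sample"
```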

At least one instance accidentally upgraded to Xenial due to the
now weekly alerts being sent to administrators. This addition
to postinst of the securedrop OSSEC packages will suppress that
notification.
@redshiftzero
Contributor Author

Apologies for the novella in the testing plan here, but it's a little annoying to test this so I erred on the side of more detailed. Let me know if anything is confusing

@codecov-io

codecov-io commented Jun 20, 2018

Codecov Report

Merging #3546 into develop will not change coverage.
The diff coverage is n/a.


@@           Coverage Diff            @@
##           develop    #3546   +/-   ##
========================================
  Coverage    85.12%   85.12%           
========================================
  Files           37       37           
  Lines         2367     2367           
  Branches       260      260           
========================================
  Hits          2015     2015           
  Misses         289      289           
  Partials        63       63

Powered by Codecov. Last update fdb54d3...d23134b. Read the comment docs.

@msheiny
Contributor

msheiny commented Jun 21, 2018

❤️ the detailed test plan .. stepping thru now

@@ -18,6 +18,8 @@ set -e

case "$1" in
configure)
# Disable do-release-upgrade notification
sed -i 's/Prompt=.*/Prompt=never/' /etc/update-manager/release-upgrades
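Review bot: the sed added under configure) runs unguarded while the script is under set -e, so on a host where /etc/update-manager/release-upgrades does not exist (sed -i fails on a missing file) the postinst aborts and the package is left unconfigured. Wrap it as `if [ -f /etc/update-manager/release-upgrades ]; then sed -i 's/^Prompt=.*/Prompt=never/' /etc/update-manager/release-upgrades; fi` (an if rather than a trailing `&&` list, so the case branch's exit status stays zero when the file is absent), and anchor the pattern with `^` so a commented-out `# Prompt=lts` line is not rewritten. Since the same edit is wanted on both servers, shipping it once in securedrop-config, as suggested below, also avoids duplicating it across the two OSSEC packages.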
Contributor


Just a quick observation.. i think it would make more sense to drop this in securedrop-config since that package already goes on both servers. thoughts @redshiftzero ?

Contributor Author


Ahhh, yep - that is probably better

Contributor


👍 k i can make that change locally and test against it and commit when all is well

Contributor Author


👍

@redshiftzero did some great work at debugging and preventing ubuntu
from emailing out update alerts. This is a tiny tweak to that logic to
stuff it in the securedrop-config package which already executes on both
servers.
Contributor

@msheiny msheiny left a comment


This was a pain in the butt to test... thanks for the detailed guidance @redshiftzero . I did tweak my testing to utilize the upgrade testing scenario.. i really want to get that on virtualbox for ya. I think it'll help out your local debugging a ton

@msheiny
Contributor

msheiny commented Jun 21, 2018

on a side note.. you don't have to wait for cron to fire... if you execute the same cron command as root with the same arguments.. just verify no output is shown.. like this:

$ cd /
$ SHELL=/bin/sh PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin  run-parts --report /etc/cron.weekly

@redshiftzero
Contributor Author

Thanks for the review! and definitely, looking forward to getting that upgrade testing on VirtualBox 😍

@msheiny
Contributor

msheiny commented Jun 21, 2018

> Apologies for the novella in the testing plan here, but it's a little annoying to test this so I erred on the side of more detailed. Let me know if anything is confusing

Just to be clear.. i super appreciated the full testing plan :)

@redshiftzero
Contributor Author

mergin' and backportin'...

@redshiftzero redshiftzero merged commit eacb423 into develop Jun 21, 2018
@redshiftzero redshiftzero deleted the resolve-do-release-notification branch June 21, 2018 20:31
redshiftzero added a commit that referenced this pull request Jun 21, 2018
[0.8.0] Backports #3546 disabling the do-release-upgrade notification

Successfully merging this pull request may close these issues.

Suppress OSSEC alerts asking SecureDrop administrators to upgrade to Xenial