
Update ossec service files to start after the local network is online #5783

Merged
merged 2 commits into from
Feb 11, 2021

Conversation

emkll (Contributor) commented Feb 10, 2021

Status

Ready for review

Description of Changes

Fixes #5778

Updates the ossec service files to start after the network is online

Testing

Xenial testing

  • make build-debs
  • molecule converge -s libvirt-staging
  • ssh into app and run sudo su to trigger ossec alert
  • email is received or /var/ossec/log/alerts/alert.log contains alert:
** Alert 1612988276.2414638: - syslog,sudo
2021 Feb 10 20:17:56 (app-staging) 10.0.1.2->/var/log/auth.log
Rule: 5402 (level 3) -> 'Successful sudo to ROOT executed'
User: vagrant
Feb 10 20:17:56 app-staging sudo:  vagrant : TTY=pts/1 ; PWD=/home/vagrant ; USER=root ; COMMAND=/usr/bin/su
  • log into journalist interface, navigate to admin -> instance config and click on send ossec alert
  • email is received or /var/ossec/log/alerts/alert.log contains alert
** Alert 1612988346.2416758: mail  - Apache logs
2021 Feb 10 20:19:06 (app-staging) 10.0.1.2->/var/log/apache2/journalist-error.log
Rule: 400700 (level 7) -> 'Apache application error.'
[Wed Feb 10 20:19:05.505528 2021] [wsgi:error] [pid 807:tid 126394263918336] [remote 127.0.0.1:59230] ERROR:flask.app:This is a test OSSEC alert

Focal testing

  • make build-debs focal
  • molecule converge -s libvirt-staging-focal
  • ssh into app and run sudo su to trigger ossec alert
  • email is received or /var/ossec/log/alerts/alert.log contains alert:
** Alert 1612988276.2414638: - syslog,sudo
2021 Feb 10 20:17:56 (app-staging) 10.0.1.2->/var/log/auth.log
Rule: 5402 (level 3) -> 'Successful sudo to ROOT executed'
User: vagrant
Feb 10 20:17:56 app-staging sudo:  vagrant : TTY=pts/1 ; PWD=/home/vagrant ; USER=root ; COMMAND=/usr/bin/su
  • log into journalist interface, navigate to admin -> instance config and click on send ossec alert
  • email is received or /var/ossec/log/alerts/alert.log contains alert
** Alert 1612988346.2416758: mail  - Apache logs
2021 Feb 10 20:19:06 (app-staging) 10.0.1.2->/var/log/apache2/journalist-error.log
Rule: 400700 (level 7) -> 'Apache application error.'
[Wed Feb 10 20:19:05.505528 2021] [wsgi:error] [pid 807:tid 126394263918336] [remote 127.0.0.1:59230] ERROR:flask.app:This is a test OSSEC alert

Deployment

These changes will be deployed to new and existing instances via the ossec-agent package.

Checklist

If you made changes to the system configuration:

If you made non-trivial code changes:

  • I have written a test plan and validated it for this PR

@emkll emkll requested a review from kushaldas February 10, 2021 20:32
@emkll emkll requested a review from conorsch as a code owner February 10, 2021 20:32
emkll (Contributor, Author) commented Feb 10, 2021

@kushaldas I rebased the branch and opened this PR with your commit to reduce back and forth. Please consider this PR approved from my perspective, based on visual review and functional testing. Please take a spin through the test plan and approve/comment/merge, and ensure that you can't reproduce the second issue from #5778.

kushaldas (Contributor) left a comment

Testing

Xenial testing

  • make build-debs
  • molecule converge -s libvirt-staging
  • ssh into app and run sudo su to trigger ossec alert
  • email is received or /var/ossec/log/alerts/alert.log contains alert:
** Alert 1612988276.2414638: - syslog,sudo
2021 Feb 10 20:17:56 (app-staging) 10.0.1.2->/var/log/auth.log
Rule: 5402 (level 3) -> 'Successful sudo to ROOT executed'
User: vagrant
Feb 10 20:17:56 app-staging sudo:  vagrant : TTY=pts/1 ; PWD=/home/vagrant ; USER=root ; COMMAND=/usr/bin/su
  • log into journalist interface, navigate to admin -> instance config and click on send ossec alert
  • email is received or /var/ossec/log/alerts/alert.log contains alert
** Alert 1612988346.2416758: mail  - Apache logs
2021 Feb 10 20:19:06 (app-staging) 10.0.1.2->/var/log/apache2/journalist-error.log
Rule: 400700 (level 7) -> 'Apache application error.'
[Wed Feb 10 20:19:05.505528 2021] [wsgi:error] [pid 807:tid 126394263918336] [remote 127.0.0.1:59230] ERROR:flask.app:This is a test OSSEC alert

Focal testing

  • make build-debs focal
  • molecule converge -s libvirt-staging-focal
  • ssh into app and run sudo su to trigger ossec alert
  • email is received or /var/ossec/log/alerts/alert.log contains alert:
** Alert 1612988276.2414638: - syslog,sudo
2021 Feb 10 20:17:56 (app-staging) 10.0.1.2->/var/log/auth.log
Rule: 5402 (level 3) -> 'Successful sudo to ROOT executed'
User: vagrant
Feb 10 20:17:56 app-staging sudo:  vagrant : TTY=pts/1 ; PWD=/home/vagrant ; USER=root ; COMMAND=/usr/bin/su
  • log into journalist interface, navigate to admin -> instance config and click on send ossec alert
  • email is received or /var/ossec/log/alerts/alert.log contains alert
** Alert 1612988346.2416758: mail  - Apache logs
2021 Feb 10 20:19:06 (app-staging) 10.0.1.2->/var/log/apache2/journalist-error.log
Rule: 400700 (level 7) -> 'Apache application error.'
[Wed Feb 10 20:19:05.505528 2021] [wsgi:error] [pid 807:tid 126394263918336] [remote 127.0.0.1:59230] ERROR:flask.app:This is a test OSSEC alert

All tests passed and things look good after a few restarts.

Development

Successfully merging this pull request may close these issues:

[Focal] Ossec-agent does not reconnect on reboot, Apache/Python error does not result in OSSEC alert