localfile command frequency is ignored when logcollector restarts #1415
Comments
|
This problem only exists on startup? If Frequency isn't something that's recorded at shutdown. I don't think it would be difficult to track this state between shutdown and startup, but it wasn't really on my roadmap. |
Yes. |
|
@ddpbsd thanks for the confirmation. Knowing it works this way is helpful: I thought maybe I missed something ;-) |
ghost
mentioned this issue
eloquence
pushed a commit
to freedomofpress/securedrop-docs
that referenced
this issue
Sep 9, 2020
The app server is rebooted every 24h and will send a notification at boot time. The ossec server is also rebooted and will immediately send the email to the journalist, regardless of when the previous mail was sent (mail frequency is not a feature of ossec-maild). Always running the localfile command at boot time is an undocumented OSSEC behavior ossec/ossec-hids#1415 in 2.8.2 as well as 2.9.3. This guarantees exactly one mail will be sent daily. Setting the 25 hours frequency element is a safeguard: * against the following race a) command runs because the 24h period expires, b) the server reboots shortly after because it reboots every 24h, c) command runs again after the server is rebooted, causing two notifications to be sent in a row * in case the server does not reboot for some reason, the notification will still be sent every 25h Fixes: freedomofpress/securedrop#3367 (cherry picked from commit 16716d5)
eloquence
pushed a commit
to freedomofpress/securedrop-docs
that referenced
this issue
Sep 11, 2020
The app server is rebooted every 24h and will send a notification at boot time. The ossec server is also rebooted and will immediately send the email to the journalist, regardless of when the previous mail was sent (mail frequency is not a feature of ossec-maild). Always running the localfile command at boot time is an undocumented OSSEC behavior ossec/ossec-hids#1415 in 2.8.2 as well as 2.9.3. This guarantees exactly one mail will be sent daily. Setting the 25 hours frequency element is a safeguard: * against the following race a) command runs because the 24h period expires, b) the server reboots shortly after because it reboots every 24h, c) command runs again after the server is rebooted, causing two notifications to be sent in a row * in case the server does not reboot for some reason, the notification will still be sent every 25h Fixes: freedomofpress/securedrop#3367 (cherry picked from commit 16716d5)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
When restarted, logcollector will run the command below unconditionally, effectively ignoring the frequency element:
<localfile> <log_format>full_command</log_format> <command>head -1 /var/lib/securedrop/submissions_today.txt | grep '^[0-9]*$'</command> <frequency>86400</frequency> </localfile>When logcollector starts, the
logff[i]->sizefield is set to zeroelse if(strcmp(logff[i].logformat, "command") == 0) { logff[i].file = NULL; logff[i].fp = NULL; logff[i].size = 0;and the daemon loop checks this field to compare it with the current time
/* Checking which file is available */ for(i = 0; i <= max_file; i++) { if(!logff[i].fp) { /* Run the command. */ if(logff[i].command && (f_check %2)) { curr_time = time(0); if((curr_time - logff[i].size) >= logff[i].ign) { logff[i].size = curr_time; logff[i].read(i, &r, 0); } } continue; }The text was updated successfully, but these errors were encountered: