Suppress OSSEC alerts asking SecureDrop administrators to upgrade to Xenial #3205

Closed
2 tasks done
eloquence opened this issue Mar 29, 2018 · 4 comments · Fixed by #3546 or #3703

@eloquence
Member

eloquence commented Mar 29, 2018

Per the original report in #1530, administrators may under some circumstances receive OSSEC alerts asking them to upgrade their SecureDrop servers to Ubuntu Xenial. Doing so would be a very bad idea as Ubuntu Xenial is not in fact supported yet (see #3204). We should therefore investigate whether administrators are still receiving such alerts under any circumstances.

Tasks:

  • Verify whether these alerts are still sent
  • If appropriate, suppress them
@eloquence eloquence added this to the 0.7 milestone Apr 5, 2018
@redshiftzero redshiftzero modified the milestones: 0.7, 0.8 May 3, 2018
@anxiousnix
Contributor

I can confirm that these alerts are still being sent to at least a couple admins. One such admin received this within the past 24 hours:

Subject: Cron root@mon test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
/etc/cron.weekly/update-notifier-common:
New release '16.04.4 LTS' available.
Run 'do-release-upgrade' to upgrade to it.

@msheiny
Contributor

msheiny commented Jun 13, 2018

I confirm receipt of this alert as well

@eloquence eloquence added the bug label Jun 13, 2018
@eloquence
Member Author

eloquence commented Jun 13, 2018

We've agreed to tackle this as a stretch goal for the 0.8.0 release (i.e. ensuring a robust release is the top priority, but if early QA results are positive, we may attempt a fix). If it doesn't make it, we'll include a note in the release announcement warning admins to ignore this alert.

@redshiftzero
Contributor

In prod/staging VMs one won't get this alert by default. Note that I did see it on hardware - every week. To enable it on VMs in /etc/update-manager/release-upgrades change Prompt=never to Prompt=lts for parity with hardware (thanks to @conorsch for pointing me to this file). Now /etc/cron.weekly/update-notifier-common should report to the user that do-release-upgrade is needed (if you still don't get the alert, you should remove the stamp file stored at /var/lib/ubuntu-release-upgrader/release-upgrade-available).

For testing one can just temporarily run the (previously weekly) cronjob more often to get the alert every e.g. 5 minutes:

*/5 * * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly)

But since the message in question here isn't being parsed by OSSEC, I don't think adding a local rule will suppress it - instead, the simplest resolution is probably just to take the same approach as in our vagrant VMs: in /etc/update-manager/release-upgrades replace Prompt=lts with Prompt=never. We could do this in postinst of the SecureDrop OSSEC packages.
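
The change proposed in the last comment (set Prompt=never in /etc/update-manager/release-upgrades from a package postinst), written out as an added example that is not part of the original thread and not SecureDrop's own postinst. The function names are hypothetical, and the config path is passed as an argument so the logic can be run against a constructed sample file.

```shell
#!/bin/sh
# Added example, not SecureDrop's postinst; function names are hypothetical.

# Print the value of the last Prompt= line in a release-upgrades file, if any.
release_prompt_value() {
    sed -n -E 's/^[[:space:]]*Prompt[[:space:]]*=[[:space:]]*([^[:space:]]*).*$/\1/p' "$1" | tail -n 1
}

# Force Prompt=never. $1 is the config path; on a server that would be
# /etc/update-manager/release-upgrades. Returns 1 if the file does not exist.
disable_release_prompt() {
    conf="$1"
    [ -f "$conf" ] || return 1
    tmp="$(mktemp)" || return 1
    if grep -Eq '^[[:space:]]*Prompt[[:space:]]*=' "$conf"; then
        # Rewrite whatever value is set (e.g. lts) and keep all other lines.
        sed -E 's/^[[:space:]]*Prompt[[:space:]]*=.*$/Prompt=never/' "$conf" > "$tmp"
    else
        # No Prompt key: append one (assumes [DEFAULT] is the only section).
        cat "$conf" > "$tmp"
        printf 'Prompt=never\n' >> "$tmp"
    fi
    # Write only when something changed, and copy in place so the file
    # keeps its owner and mode. Reruns of the script are no-ops.
    cmp -s "$tmp" "$conf" || cat "$tmp" > "$conf"
    rm -f "$tmp"
}

# Constructed sample of the file with the setting seen on hardware.
demo_dir="$(mktemp -d)"
printf '%s\n' '# Constructed sample' '[DEFAULT]' 'Prompt=lts' > "$demo_dir/release-upgrades"
disable_release_prompt "$demo_dir/release-upgrades"
echo "Prompt is now: $(release_prompt_value "$demo_dir/release-upgrades")"
rm -rf "$demo_dir"
```

`release_prompt_value` can also be run on its own against a server's file to confirm which setting is in effect before and after the package upgrade.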
