Merge pull request #5882 from freedomofpress/5835_fix_ossec_fwupd

Disables OSSEC email for fwupd
freedomofpress · Apr 7, 2021 · b8795a2 · b8795a2
2 parents a67977f + 19ade45
commit b8795a2
Show file tree

Hide file tree

Showing 3 changed files with 40 additions and 0 deletions.
diff --git a/install_files/securedrop-ossec-server/var/ossec/etc/local_decoder.xml b/install_files/securedrop-ossec-server/var/ossec/etc/local_decoder.xml
@@ -47,3 +47,10 @@
 <decoder name="dhclient">
   <program_name>dhclient</program_name>
 </decoder>
+
+<!--
+  The default fwupd tries to auto-update and generates error.
+-->
+<decoder name="fwupd">
+  <program_name>fwupd</program_name>
+</decoder>
diff --git a/install_files/securedrop-ossec-server/var/ossec/rules/local_rules.xml b/install_files/securedrop-ossec-server/var/ossec/rules/local_rules.xml
@@ -73,6 +73,25 @@
   </rule>
 </group>
 
+<!--
+  fwupd auto-updates realted rules.
+-->
+
+<group name="fwupd">
+  <rule id="100111" level="0">
+    <decoded_as>fwupd</decoded_as>
+    <match>Error opening directory</match>
+    <description>fwupd error</description>
+    <options>no_email_alert</options>
+  </rule>
+  <rule id="100112" level="0">
+    <decoded_as>fwupd</decoded_as>
+    <match>Failed to load SMBIOS</match>
+    <description>fwupd error for auto updates</description>
+    <options>no_email_alert</options>
+  </rule>
+</group>
+
 <!--
   Do not alert on stagging VM dhcp client errors. These events should not occur
   in production environments

diff --git a/molecule/testinfra/vars/staging.yml b/molecule/testinfra/vars/staging.yml
@@ -133,6 +133,20 @@ log_events_without_ossec_alerts:
       jp&B1qSJM431TmEg,YJ][ge;6-dJI69?-TB?!BI4?Uza63V3vMY3ake6a
       hj-%A-m_5lgab!OVR,!pR+;L]eLgilU
 
+  # Override and suppress fwupd-specific errors under Ubuntu Focal
+  - name: test_ossec_fwupd_fuplugin_uefi_does_not_produce_alert
+    alert: >
+      Mar  1 13:22:53 app fwupd[133921]: 13:22:53:0883 FuPluginUefi
+      Error opening directory â€œ/sys/firmware/efi/esrt/entriesâ€�: No such file or directory
+    level: "0"
+    rule_id: "100111"
+
+  - name: test_ossec_fwupd_fuengine_does_not_produce_alert
+    alert: >
+      Mar  1 13:22:53 mon fwupd[133921]: 13:22:53:0576 FuEngine
+      Failed to load SMBIOS: invalid DMI data size, got 2527 bytes, expected 2745
+    level: "0"
+    rule_id: "100112"
 
 # Log events we expect an OSSEC alert to occur for
 log_events_with_ossec_alerts: