Merge pull request #5682 from freedomofpress/5673-v3-ossec-warning

adds daily OSSEC check/alert for v2 onion service config
freedomofpress · Jan 12, 2021 · e4d5f2f · e4d5f2f
2 parents baf0bfa + 4ae7469
commit e4d5f2f
Show file tree

Hide file tree

Showing 4 changed files with 30 additions and 0 deletions.
diff --git a/codecov.yml b/codecov.yml
@@ -1,6 +1,7 @@
 codecov:
   disable_default_path_fixes: false
 ignore:
+  - "securedrop/loaddata.py"
   - "securedrop/upload-screenshots.py"
   - "securedrop/qa_loader.py"
   - "securedrop/create-dev-data.py"

diff --git a/install_files/securedrop-ossec-agent/var/ossec/etc/ossec.conf b/install_files/securedrop-ossec-agent/var/ossec/etc/ossec.conf
@@ -144,6 +144,13 @@
     <frequency>90000</frequency>
   </localfile>
 
+  <localfile>
+    <log_format>command</log_format>
+    <command>grep "HiddenServiceVersion 2" /etc/tor/torrc | head -1</command>
+    <alias>v2_service_check</alias>
+    <frequency>86400</frequency>
+  </localfile>
+
   <localfile>
     <log_format>syslog</log_format>
     <location>/var/log/kern.log</location>

diff --git a/install_files/securedrop-ossec-server/var/ossec/etc/ossec.conf b/install_files/securedrop-ossec-server/var/ossec/etc/ossec.conf
@@ -104,6 +104,13 @@
     <frequency>90000</frequency>
   </localfile>
 
+  <localfile>
+    <log_format>command</log_format>
+    <command>grep "HiddenServiceVersion 2" /etc/tor/torrc | head -1</command>
+    <alias>v2_service_check</alias>
+    <frequency>86400</frequency>
+  </localfile>
+
   <reports>
     <group>authentication_success</group>
     <user type="relation">srcip</user>
@@ -160,6 +167,14 @@
     <do_not_group />
   </email_alerts>
 
+  <email_alerts>
+    <email_to>root@localhost</email_to>
+    <group>system_configuration</group>
+    <rule_id>400901</rule_id>
+    <do_not_delay />
+    <do_not_group />
+  </email_alerts>
+
   <!-- rules global entry -->
   <rules>
     <include>rules_config.xml</include>

diff --git a/install_files/securedrop-ossec-server/var/ossec/rules/local_rules.xml b/install_files/securedrop-ossec-server/var/ossec/rules/local_rules.xml
@@ -233,4 +233,11 @@
     <regex>System configuration error:</regex>
     <description>Indicates a problem with the configuration of the SecureDrop servers.</description>
   </rule>
+  <rule id="400901" level="12" >
+    <if_sid>530</if_sid>
+    <options>alert_by_email</options> <!-- force email to be sent -->
+    <match>ossec: output: 'v2_service_check'</match>
+    <regex>HiddenServiceVersion 2</regex>
+    <description>v2 onion services are still enabled. Support for v2 onion services is deprecated and will be removed starting in February 2021. To preserve access to SecureDrop, you must migrate to v3 onion services: https://securedrop.org/v2-onion-eol</description>
+  </rule>
 </group>