
adds daily OSSEC check/alert for v2 onion service config #5682

Merged (2 commits), Jan 12, 2021

Conversation

zenmonkeykstop (Contributor) commented Jan 5, 2021

Status

Ready for review

Description of Changes

Fixes #5673.

Adds a daily OSSEC check for "HiddenServiceVersion 2" matches in the /etc/tor/torrc files on the app and mon servers.

Testing:

Prod:

  • install latest prod version with only v2 onion services enabled

  • build debs from this branch

  • install built securedrop-ossec-agent .deb on app, securedrop-ossec-server .deb on mon and restart OSSEC on both servers with the command sudo systemctl restart ossec

  • observe the /var/ossec/logs/alerts/alerts.log file on mon and confirm there are v2_service_check alerts generated for both app and mon

  • if configured, the OSSEC alert email address receives both the alerts above

  • install latest prod version with both v2 and v3 onion services enabled

  • build debs from this branch

  • install built securedrop-ossec-agent .deb on app, securedrop-ossec-server .deb on mon and restart OSSEC on both servers with the command sudo systemctl restart ossec

  • observe the /var/ossec/logs/alerts/alerts.log file on mon and confirm there are v2_service_check alerts generated for both app and mon

  • if configured, the OSSEC alert email address receives both the alerts above

  • update the last prod install to use v3 onion services only via ./securedrop-admin sdconfig && ./securedrop-admin install

  • reinstall the built debs if overwritten and restart OSSEC as above

  • observe the /var/ossec/logs/alerts/alerts.log file on mon and confirm there are no v2_service_check alerts generated for both app and mon

  • confirm no v2_service_check alert emails are sent.

Checklist

If you made non-trivial code changes:

  • I have written a test plan and validated it for this PR

Choose one of the following:

  • I have opened a PR in the docs repo for these changes, or will do so later
  • I would appreciate help with the documentation
  • These changes do not require documentation
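The check described above looks for the literal text "HiddenServiceVersion 2" in /etc/tor/torrc. As an added example, not the PR's own code and not part of SecureDrop, here is a small Python scanner that does the same job while ignoring commented-out lines and irregular whitespace, and that reports which HiddenServiceDir each hit belongs to. The torrc content, directory paths and function names below are constructed for the example.

```python
"""Added example, not the code from the SecureDrop PR: a torrc scanner that
finds onion service stanzas explicitly configured as v2. The PR's OSSEC check
looks for the string "HiddenServiceVersion 2"; this version skips comments,
tolerates extra whitespace, and reports the HiddenServiceDir each hit belongs
to. SAMPLE_TORRC is constructed for the example."""
from typing import List

# Constructed sample: one v2 stanza, one v3 stanza, a commented-out v2 line,
# and a v2 line written with extra whitespace.
SAMPLE_TORRC = """\
SocksPort 0
HiddenServiceDir /var/lib/tor/services/source
HiddenServiceVersion 2
HiddenServicePort 80 127.0.0.1:80

HiddenServiceDir /var/lib/tor/services/sourcev3
HiddenServiceVersion 3
HiddenServicePort 80 127.0.0.1:80

# HiddenServiceVersion 2   (commented out: must not be reported)
HiddenServiceDir /var/lib/tor/services/journalist
  HiddenServiceVersion   2
HiddenServicePort 80 127.0.0.1:8080
"""


def naive_match_count(torrc_text: str) -> int:
    """Count lines containing the literal string the PR greps for.
    Included to show what a plain substring check does with comments
    and irregular whitespace: it counts the comment and misses the
    padded line."""
    return sum(1 for line in torrc_text.splitlines()
               if "HiddenServiceVersion 2" in line)


def active_lines(torrc_text: str):
    """Yield torrc lines with comments and surrounding whitespace removed.
    Tor treats '#' to end of line as a comment."""
    for raw in torrc_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield line


def find_v2_services(torrc_text: str) -> List[str]:
    """Return the HiddenServiceDir of every stanza that explicitly sets
    HiddenServiceVersion 2. Keys are compared case-insensitively, as Tor
    does. Stanzas with no explicit version are not reported: what they
    get depends on the installed Tor release's default."""
    v2_dirs: List[str] = []
    current_dir = None
    for line in active_lines(torrc_text):
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "hiddenservicedir":
            current_dir = value
        elif key == "hiddenserviceversion" and value == "2":
            v2_dirs.append(current_dir if current_dir else "<no HiddenServiceDir>")
    return v2_dirs


def v2_check_report(torrc_text: str) -> str:
    """One-line summary in the spirit of a command-style OSSEC check:
    empty string when nothing is configured as v2 (nothing for a rule
    to match), otherwise the offending directories."""
    dirs = find_v2_services(torrc_text)
    if not dirs:
        return ""
    return "HiddenServiceVersion 2 in: " + ", ".join(dirs)


if __name__ == "__main__":
    print("naive substring matches:", naive_match_count(SAMPLE_TORRC))
    print("parsed v2 stanzas:", find_v2_services(SAMPLE_TORRC))
    print(v2_check_report(SAMPLE_TORRC) or "no v2 services configured")
```

On the sample, the substring count is 2 (the commented line counted, the whitespace-padded line missed), while the parser correctly returns the source and journalist directories. Stanzas without an explicit HiddenServiceVersion are deliberately left out, since the version Tor assigns them depends on the release.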

@zenmonkeykstop zenmonkeykstop added this to the 1.7.0 milestone Jan 5, 2021
@zenmonkeykstop zenmonkeykstop requested a review from rmol January 5, 2021 04:34
@rmol rmol self-assigned this Jan 5, 2021
rmol (Contributor) previously approved these changes Jan 5, 2021 and left a comment:

Looks good:

  • install latest prod version with only v2 onion services enabled

  • build debs from this branch

  • install built securedrop-ossec-agent .deb on app, securedrop-ossec-server .deb on mon and restart OSSEC on both servers with the command sudo systemctl restart ossec

  • observe the /var/ossec/logs/alerts/alerts.log file on mon and confirm there are v2_service_check alerts generated for both app and mon

  • if configured, the OSSEC alert email address receives both the alerts above

  • install latest prod version with both v2 and v3 onion services enabled

  • build debs from this branch

  • install built securedrop-ossec-agent .deb on app, securedrop-ossec-server .deb on mon and restart OSSEC on both servers with the command sudo systemctl restart ossec

  • observe the /var/ossec/logs/alerts/alerts.log file on mon and confirm there are v2_service_check alerts generated for both app and mon

  • if configured, the OSSEC alert email address receives both the alerts above

  • update the last prod install to use v3 onion services only via ./securedrop-admin sdconfig && ./securedrop-admin install

  • reinstall the built debs if overwritten and restart OSSEC as above

  • observe the /var/ossec/logs/alerts/alerts.log file on mon and confirm there are no v2_service_check alerts generated for both app and mon

  • confirm no v2_service_check alert emails are sent.

eloquence (Member) commented:

What does the email look like that's generated by these alerts - I don't see a subject line or message body in the PR itself, so I'm guessing it's fairly cryptic? If so, can we customize it to be much more explicit and human-friendly?

rmol (Contributor) commented Jan 5, 2021

Currently the subject is OSSEC Notification - (app) - Alert level 12 and the body is:

OSSEC HIDS Notification.
2021 Jan 05 12:59:21

Received From: (app) 10.20.2.2->v2_service_check
Rule: 400901 fired (level 12) -> "Indicates that legacy v2 onion services are still configured and should be disabled in favour of v3 services."
Portion of the log(s):

ossec: output: 'v2_service_check': HiddenServiceVersion 2

 --END OF NOTIFICATION

Pretty typical for an OSSEC alert, with the exception of the misspelling of "favor". 😉 I'd be all for making these more readable, but how to do that isn't obvious from a glance at the OSSEC docs.
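As an added example, not code from the PR or from SecureDrop, the following Python parses a notification body of the shape quoted above and pulls out the fields an operator could filter on (agent, rule id, level, command alias, reported output), so the v2 alert can be picked out of the mail stream even if the subject line cannot be changed. The sample body is constructed to match the quoted email, the rule id 400901 is taken from it, and other OSSEC notification layouts are not handled.

```python
"""Added example, not part of the PR: parse an OSSEC email notification body
of the shape quoted in the thread and extract routable fields. The sample
body is constructed to mirror that email; other layouts are not handled."""
import re
from typing import Dict, List, Optional

SAMPLE_NOTIFICATION = """\
OSSEC HIDS Notification.
2021 Jan 05 12:59:21

Received From: (app) 10.20.2.2->v2_service_check
Rule: 400901 fired (level 12) -> "Indicates that legacy v2 onion services are still configured and should be disabled in favour of v3 services."
Portion of the log(s):

ossec: output: 'v2_service_check': HiddenServiceVersion 2

 --END OF NOTIFICATION
"""

# "Received From: (agent) source->location"
_RECEIVED = re.compile(r"^Received From: \((?P<agent>[^)]+)\) (?P<source>\S+?)->(?P<location>\S+)$")
# 'Rule: <id> fired (level <n>) -> "<description>"'
_RULE = re.compile(r'^Rule: (?P<id>\d+) fired \(level (?P<level>\d+)\) -> "(?P<desc>.*)"$')
# Command-type localfile output as OSSEC logs it: ossec: output: '<alias>': <text>
_OUTPUT = re.compile(r"^ossec: output: '(?P<alias>[^']+)': ?(?P<text>.*)$")


def parse_notification(body: str) -> Dict[str, object]:
    """Return the fields found in one notification body. Missing fields
    are None; 'logs' holds the non-empty lines under 'Portion of the log(s):'
    up to the END marker."""
    fields: Dict[str, object] = {
        "agent": None, "source": None, "location": None,
        "rule_id": None, "level": None, "description": None, "logs": [],
    }
    logs: List[str] = []
    in_logs = False
    for line in body.splitlines():
        line = line.rstrip()
        if in_logs:
            if line.strip() == "--END OF NOTIFICATION":
                break
            if line.strip():
                logs.append(line)
            continue
        m = _RECEIVED.match(line)
        if m:
            fields.update(agent=m["agent"], source=m["source"], location=m["location"])
            continue
        m = _RULE.match(line)
        if m:
            fields.update(rule_id=int(m["id"]), level=int(m["level"]), description=m["desc"])
            continue
        if line.startswith("Portion of the log(s):"):
            in_logs = True
    fields["logs"] = logs
    return fields


def command_output_lines(logs: List[str], alias: str) -> List[str]:
    """Extract the text a command-type OSSEC localfile reported under `alias`."""
    out: List[str] = []
    for log in logs:
        m = _OUTPUT.match(log.strip())
        if m and m["alias"] == alias:
            out.append(m["text"])
    return out


def is_v2_onion_alert(body: str, rule_id: int = 400901) -> bool:
    """True when the body is the v2 onion service alert from this PR.
    The default rule id is taken from the quoted email; pass the deployed
    id if it differs."""
    fields = parse_notification(body)
    logs = fields["logs"]
    assert isinstance(logs, list)
    return fields["rule_id"] == rule_id and bool(command_output_lines(logs, "v2_service_check"))


if __name__ == "__main__":
    parsed = parse_notification(SAMPLE_NOTIFICATION)
    print(parsed["agent"], parsed["rule_id"], parsed["level"], parsed["location"])
    print("v2 onion alert:", is_v2_onion_alert(SAMPLE_NOTIFICATION))
```

Matching on the rule id and the command alias rather than on the free-text description keeps the filter stable if the description wording is edited later, which is exactly the change discussed in this thread.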

eloquence (Member) commented Jan 5, 2021

Thanks @rmol. A level 12 alert will hopefully stand out, but if there are other ways that we can customize the subject line, that might help the email to not get lost in the flood.

Regarding the body, I would suggest more directive language, e.g.:

v2 onion services are still enabled. Support for v2 onion services is deprecated and will be removed starting in February 2021. To preserve access to SecureDrop, you must migrate to v3 onion services: https://securedrop.org/v2-onion-eol

Whether this goes into the description or the command output (assuming that's fully included in the email) doesn't matter as much, I think, as long as it's clearly visible in the email body.

zenmonkeykstop (Contributor, Author) commented:

Updating language in the description field - I don't see any easy way to update the subject line either.

codecov-io commented Jan 7, 2021

Codecov Report

Merging #5682 (4ae7469) into develop (0454478) will increase coverage by 0.13%.
The diff coverage is n/a.

@@             Coverage Diff             @@
##           develop    #5682      +/-   ##
===========================================
+ Coverage    85.54%   85.68%   +0.13%     
===========================================
  Files           52       52              
  Lines         3771     3771              
  Branches       474      474              
===========================================
+ Hits          3226     3231       +5     
+ Misses         440      436       -4     
+ Partials       105      104       -1     
Impacted Files                   Coverage Δ
securedrop/source_app/main.py    93.29% <0.00%> (+1.54%) ⬆️
securedrop/source_app/utils.py   92.20% <0.00%> (+2.59%) ⬆️


eloquence (Member) commented:

Updated description LGTM, thanks!

rmol (Contributor) left a comment:

New alert text looks good to me.

@rmol rmol merged commit e4d5f2f into develop Jan 12, 2021
@rmol rmol deleted the 5673-v3-ossec-warning branch January 12, 2021 14:01
@kushaldas kushaldas mentioned this pull request Jan 18, 2021
Successfully merging this pull request may close these issues.

Send 24h OSSEC alert if v2 onion services are enabled