fix(ossec): run "disconnected submissions" checks from systemd timers; report on saved output

molecule/testinfra/vars/staging.yml

@@ -146,6 +146,21 @@ log_events_without_ossec_alerts:
     level: "0"
     rule_id: "199996"
 
+  # OSSEC should not alert when "manage.py check-disconnected-{db,fs}-
+  # submissions" has logged that there are no disconnected submissions.
+  - name: test_no_disconnected_db_submissions_produces_alert
+    alert: >
+      ossec: output: 'cat /var/lib/securedrop/disconnected_db_submissions.txt':
+      No problems were found. All submissions' files are present.
+    level: "1"
+    rule_id: "400800"
+  - name: test_disconnected_fs_submissions_produces_alert
+    alert: >
+      ossec: output: 'cat /var/lib/securedrop/disconnected_fs_submissions.txt':
+      No unexpected files were found in the store.
+    level: "1"
+    rule_id: "400801"
+
 # Log events we expect an OSSEC alert to occur for
 log_events_with_ossec_alerts:
   # Check that a denied RWX mmaping would produce an OSSEC alert
@@ -215,6 +230,24 @@ log_events_with_ossec_alerts:
     level: "7"
     rule_id: "400700"
 
+  # OSSEC should alert when "manage.py check-disconnected-{db,fs}-submissions"
+  # has logged that there are disconnected submissions.
+  - name: test_disconnected_db_submissions_produces_alert
+    alert: >
+      ossec: output: 'cat /var/lib/securedrop/disconnected_db_submissions.txt':
+      There are submissions in the database with no corresponding files. Run
+      "manage.py list-disconnected-db-submissions" for details.
+    level: "1"
+    rule_id: "400800"
+  - name: test_disconnected_fs_submissions_produces_alert
+    alert: >
+      ossec: output: 'cat /var/lib/securedrop/disconnected_fs_submissions.txt':
+      There are files in the submission area with no corresponding records in
+      the database. Run "manage.py list-disconnected-fs-submissions" for
+      details.
+    level: "1"
+    rule_id: "400801"
+
 fpf_apt_repo_url: "https://apt-test.freedom.press"
 
 daily_reboot_time: "4"

securedrop/debian/app-code/lib/systemd/system/securedrop-check-disconnected-db-submissions.service

@@ -0,0 +1,12 @@
+[Unit]
+Description=job to check for disconnected submissions in the database
+
+[Service]
+ExecStart=/bin/bash -c "/var/www/securedrop/manage.py check-disconnected-db-submissions > /var/lib/securedrop/disconnected_db_submissions.txt"
+PrivateDevices=yes
+PrivateTmp=yes
+ProtectSystem=full
+ReadOnlyDirectories=/
+ReadWriteDirectories=/var/lib/securedrop
+User=www-data
+WorkingDirectory=/var/www/securedrop

securedrop/debian/app-code/lib/systemd/system/securedrop-check-disconnected-db-submissions.timer

@@ -0,0 +1,9 @@
+[Unit]
+Description=check for disconnected submissions in the database
+
+[Timer]
+# We want to run this 1 hour before reboot, or 23h after the last reboot
+OnBootSec=23h
+
+[Install]
+WantedBy=timers.target

securedrop/debian/app-code/lib/systemd/system/securedrop-check-disconnected-fs-submissions.service

@@ -0,0 +1,12 @@
+[Unit]
+Description=job to check for disconnected submissions on the filesystem
+
+[Service]
+ExecStart=/bin/bash -c "/var/www/securedrop/manage.py check-disconnected-fs-submissions > /var/lib/securedrop/disconnected_fs_submissions.txt"
+PrivateDevices=yes
+PrivateTmp=yes
+ProtectSystem=full
+ReadOnlyDirectories=/
+ReadWriteDirectories=/var/lib/securedrop
+User=www-data
+WorkingDirectory=/var/www/securedrop

securedrop/debian/app-code/lib/systemd/system/securedrop-check-disconnected-fs-submissions.timer

@@ -0,0 +1,9 @@
+[Unit]
+Description=check for disconnected submissions on the filesystem
+
+[Timer]
+# We want to run this 1 hour before reboot, or 23h after the last reboot
+OnBootSec=23h
+
+[Install]
+WantedBy=timers.target

securedrop/debian/ossec-agent/var/ossec/etc/ossec.conf

@@ -52,6 +52,8 @@
     <ignore>/var/lib/securedrop/db.sqlite</ignore>
 
     <ignore>/var/lib/securedrop/submissions_today.txt</ignore>
+    <ignore>/var/lib/securedrop/disconnected_db_submissions.txt</ignore>
+    <ignore>/var/lib/securedrop/disconnected_fs_submissions.txt</ignore>
 
     <ignore type="sregex">/var/lib/securedrop/shredder/tmp</ignore>
 
@@ -128,13 +130,13 @@
 
   <localfile>
     <log_format>command</log_format>
-    <command>sudo -u www-data /opt/venvs/securedrop-app-code/bin/python3 /var/www/securedrop/manage.py check-disconnected-db-submissions</command>
+    <command>cat /var/lib/securedrop/disconnected_db_submissions.txt</command>
     <frequency>90000</frequency>
   </localfile>
 
   <localfile>
     <log_format>command</log_format>
-    <command>sudo -u www-data /opt/venvs/securedrop-app-code/bin/python3 /var/www/securedrop/manage.py check-disconnected-fs-submissions</command>
+    <command>cat /var/lib/securedrop/disconnected_fs_submissions.txt</command>
     <frequency>90000</frequency>
   </localfile>
 

securedrop/debian/ossec-server/var/ossec/rules/local_rules.xml

@@ -248,15 +248,15 @@
   <rule id="400800" level="1" >
     <if_sid>530</if_sid>
     <options>alert_by_email</options> <!-- force email to be sent -->
-    <match>ossec: output: 'sudo -u www-data /opt/venvs/securedrop-app-code/bin/python3 /var/www/securedrop/manage.py check-disconnected-db-submissions'</match>
+    <match>ossec: output: 'cat /var/lib/securedrop/disconnected_db_submissions.txt'</match>
     <regex>There are submissions in the database with no corresponding files\.</regex>
     <description>Indicates that submissions in the database are missing their corresponding files.</description>
   </rule>
 
   <rule id="400801" level="1" >
     <if_sid>530</if_sid>
     <options>alert_by_email</options> <!-- force email to be sent -->
-    <match>ossec: output: 'sudo -u www-data /opt/venvs/securedrop-app-code/bin/python3 /var/www/securedrop/manage.py check-disconnected-fs-submissions'</match>
+    <match>ossec: output: 'cat /var/lib/securedrop/disconnected_fs_submissions.txt'</match>
     <regex>There are files in the submission area with no corresponding records in the database\.</regex>
     <description>Indicates that there are files in the submission area without corresponding submissions in the database.</description>
   </rule>