freedomofpress / securedrop-docs

Documentation for the SecureDrop project
https://docs.securedrop.org/

document expected `New dpkg (Debian Package) installed` and checksum-changed alerts #447

Closed cfm closed 1 year ago

cfm commented 1 year ago

Describe the change

Supersedes freedomofpress/securedrop#1667:

  1. OSSEC issues `New dpkg (Debian Package) installed` alerts whenever a new package is installed on the Application and Monitor Servers. These are alert noise, since they are expected as part of unattended-upgrades.
  2. OSSEC also issues "checksum changed" alerts whenever files change on disk. These may be alert signal, since these changes may or may not have resulted from an attack. But they're usually just more alert noise as side effects of unattended-upgrades.
  3. freedomofpress/securedrop#1667 proposed to silence (1). But without (1), administrators lose context for interpreting (2).

Therefore, we should document the expected pattern of (1) and (2) so that administrators know how to interpret these alerts.

How will this impact users?

Administrators will have less alert fatigue.

User Research Evidence

freedomofpress/securedrop#1667
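The expected pattern the issue describes, a package-install alert followed shortly by checksum-changed alerts on the same host, can be checked mechanically rather than by eye. The following is an added example written for this discussion, not code from the issue or from the SecureDrop project: it parses a small constructed excerpt in the layout of OSSEC's `alerts.log` (the rule numbers shown are the ones from OSSEC's default ruleset as the author of this example recalls them; the parser keys on the alert description text, not the number) and marks each checksum-changed alert as expected when a `New dpkg (Debian Package) installed` alert preceded it on that host within a configurable window, and as worth investigating otherwise. The window length, hostnames and file paths are assumptions.

```python
"""Triage OSSEC alerts from unattended-upgrades.

A "checksum changed" alert that follows a "New dpkg (Debian Package)
installed" alert on the same host within a short window is the expected side
effect of a package upgrade; one with no preceding package install is the
case an administrator should look at. Added example; not SecureDrop's code.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

DPKG_INSTALLED = "New dpkg (Debian Package) installed."
CHECKSUM_CHANGED = "Integrity checksum changed."

# Constructed sample in the layout of OSSEC's alerts.log. Hosts, package
# name, paths and timestamps are made up; rule numbers are assumed to be
# OSSEC's defaults but are not relied on below.
SAMPLE_ALERTS = """\
** Alert 1686000000.1: - syslog,dpkg,
2023 Jun 05 06:30:02 (app) 10.20.2.2->/var/log/dpkg.log
Rule: 2902 (level 7) -> 'New dpkg (Debian Package) installed.'
2023-06-05 06:30:01 status installed example-package:amd64 1.0-1

** Alert 1686000030.2: - ossec,syscheck,
2023 Jun 05 06:30:32 (app) 10.20.2.2->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/usr/lib/example-package/libexample.so'

** Alert 1686010000.3: - ossec,syscheck,
2023 Jun 05 09:16:40 (app) 10.20.2.2->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/usr/local/bin/example-tool'
"""


@dataclass
class Alert:
    when: datetime
    host: str
    description: str
    detail: str


# "2023 Jun 05 06:30:02 (app) 10.20.2.2->/var/log/dpkg.log"
_HEADER = re.compile(r"^(\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) \((\S+)\) ")
# "Rule: 2902 (level 7) -> 'New dpkg (Debian Package) installed.'"
_RULE = re.compile(r"^Rule: \d+ \(level \d+\) -> '(.*)'")


def parse_alerts(text: str) -> List[Alert]:
    """Split an alerts.log excerpt into Alert records; skip malformed blocks."""
    alerts: List[Alert] = []
    for chunk in text.split("** Alert ")[1:]:
        lines = chunk.strip().splitlines()
        if len(lines) < 3:
            continue
        m_hdr = _HEADER.match(lines[1])
        m_rule = _RULE.match(lines[2])
        if not (m_hdr and m_rule):
            continue
        when = datetime.strptime(m_hdr.group(1), "%Y %b %d %H:%M:%S")
        alerts.append(Alert(when, m_hdr.group(2), m_rule.group(1), "\n".join(lines[3:])))
    return alerts


def triage(alerts: List[Alert], window: timedelta = timedelta(minutes=30)) -> List[Tuple[Alert, str, str]]:
    """Return (alert, verdict, reason) per alert, in time order.

    verdict is "expected", "investigate" or "other".  A checksum change is
    expected only if the same host logged a package install at most `window`
    earlier; everything else with that description is flagged.
    """
    installs: Dict[str, List[datetime]] = {}
    results: List[Tuple[Alert, str, str]] = []
    for a in sorted(alerts, key=lambda x: x.when):
        if a.description == DPKG_INSTALLED:
            installs.setdefault(a.host, []).append(a.when)
            results.append((a, "expected", "package install (unattended-upgrades)"))
        elif a.description == CHECKSUM_CHANGED:
            recent = [t for t in installs.get(a.host, []) if timedelta(0) <= a.when - t <= window]
            if recent:
                results.append((a, "expected", "follows package install %s earlier" % (a.when - recent[-1])))
            else:
                results.append((a, "investigate", "no package install on %s within %s" % (a.host, window)))
        else:
            results.append((a, "other", a.description))
    return results


def verdicts(text: str, window: timedelta = timedelta(minutes=30)) -> List[str]:
    """Convenience wrapper: just the verdict strings for an alerts.log excerpt."""
    return [v for _, v, _ in triage(parse_alerts(text), window)]


if __name__ == "__main__":
    for alert, verdict, reason in triage(parse_alerts(SAMPLE_ALERTS)):
        print("%s %-5s %-11s %s (%s)" % (alert.when, alert.host, verdict, alert.detail.splitlines()[0], reason))
```

Run as-is it reports the first two sample alerts as expected (the install, then a checksum change 30 seconds later) and the third as worth investigating, because nearly three hours separate it from the last package install on that host. The window is the one knob to tune: too short and slow upgrades generate false "investigate" verdicts, too long and an unrelated file change near an upgrade gets waved through.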

sssoleileraaa commented 1 year ago

Once this is merged, we can manually close https://github.com/freedomofpress/securedrop/issues/1667 (keeping for now just in case we don't get to this stretch goal for 2.6.0).

zenmonkeykstop commented 1 year ago

IMO this is a securedrop-docs ticket, not -dev-docs. Moving but open to debate