INCIDENT 018 | Developer version information referenced by 3 out of 5 collectors

[ross-spencer]

Trigger

• ⬛ suspected malware infections
• ⬛ access violations
• ⬛ anomalous system behaviors
• ✔️ human errors
• ⬛ unauthorized access attempts

Date

2024-02-19

Summary

Version information was not being used correctly by three collector nodes.

Status

Resolved

Assessment

Three collector nodes were using developer versioning information "0.0.0-dev" instead of "1.0.0" due to referencing the local environment versus packaged version information derived from the source control management system (SCM). Repositories are read only and were referencing the same commit and tag.

Importantly, validation continued to verify data coming from all nodes and so data veracity was not impacted.

Additional Notes

The issue was caused by human error deploying the virtual environment. The packaged collector was not installed and so local code was referenced instead of packaged version information. Users will notice this impact when analyzing archived data where 3 out of 5 data points will reference "0.0.0-dev" labelled versions of collectors.

It is difficult to bake version information into Python software without packaging the code and so it was imperative that the packages be referenced by code-runners.

This issue was noticed while upgrading the collector nodes used by Orcfax to utilize compiled packages versus the original Python-based collectors. The new collector nodes will have version information baked into the code referencing Git tags and commit versions. Additionally, code will be publicly verifiable and so can be better audited by consumers.

Technical improvements

Short-term Python collector nodes have now been configured to report version information correctly.

We are investigating:

1. Long-term compiled collector nodes with Git SCM information containing tag and commit information will be used by Orcfax.
2. Improved checklists for network upgrades.

Documentation improvements

N/A