New securityonion-rule-update package resolves 5 issues


Doug Burks
Apr 22, 2015, 1:38:12 PM
to securit...@googlegroups.com

Ryan John Peck
Apr 23, 2015, 10:27:41 AM
to securit...@googlegroups.com
Looks like OnionSalt removes the rule-update file when in use from all minions.

https://github.com/Security-Onion/onionsalt/blob/master/opt/onionsalt/salt/sensor/init.sls#L98

"""
Setting up securityonion-rule-update (20120726-0ubuntu0securityonion27) ...

Configuration file `/etc/cron.d/rule-update'
==> Deleted (by you or by a script) since installation.
==> Package distributor has shipped an updated version.
What would you like to do about it ? Your options are:
Y or I : install the package maintainer's version
N or O : keep your currently-installed version
D : show the differences between the versions
Z : start a shell to examine the situation
The default action is to keep your current version.
*** rule-update (Y/I/N/O/D/Z) [default=N] ? dpkg: error processing securityonion-rule-update (--configure):
EOF on stdin at conffile prompt
Processing triggers for libc-bin ...
ldconfig deferred processing now taking place
Errors were encountered while processing:
securityonion-rule-update
E: Sub-process /usr/bin/dpkg returned an error code (1)
###########################################################################
All updates have been installed.
"""

Doesn't appear that the newly updated package for rule-update handles this well.

We can run apt-get keeping the current version. This looks to work for me, though it could have unexpected results if there are other packages that require intervention during the upgrade process.

sudo apt-get dist-upgrade -o Dpkg::Options::="--force-confold" -y securityonion-rule-update

Doug Burks
Apr 23, 2015, 10:55:09 AM
to securit...@googlegroups.com
Hi Ryan,

Replies inline.
Nothing really changed in the packaging itself. The only changes
should have been in /usr/bin/rule-update. So as far as the packaging
is concerned, I would have expected you and other users to have seen
this issue on previous updates to the securityonion-rule-update
package. Have you seen this issue before?

I just tested in a VM and didn't see this issue. Did you update using soup?

Ryan
Apr 23, 2015, 10:57:24 AM
to securit...@googlegroups.com
I've never seen this issue before.

Had you run a salt state.highstate on the minion before updating? I don't believe this will happen on a standalone install or a master. Just a salt managed sensor.

Ryan Peck


--
You received this message because you are subscribed to a topic in the Google Groups "security-onion" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/security-onion/6-WYvNJbyaY/unsubscribe.
To unsubscribe from this group and all its topics, send an email to security-onio...@googlegroups.com.
To post to this group, send email to securit...@googlegroups.com.
Visit this group at http://groups.google.com/group/security-onion.
For more options, visit https://groups.google.com/d/optout.

Doug Burks
Apr 23, 2015, 11:36:21 AM
to securit...@googlegroups.com
I just re-tested and am now able to duplicate this issue. My previous
test was a sensor-only installation where state.highstate had been run
and /etc/cron.d/rule-update didn't exist, so I'm not sure why it
didn't happen in the first test.

I'm thinking that the best way to resolve this is to install the
rule-update cron job to a different location and then add some code to
the package postinst script to copy the cron job to /etc/cron.d/ but
NOT if BOTH of the following conditions exist:
- /etc/cron.d/salt-update exists
AND
- /etc/cron.d/rule-update does not exist

Thoughts?

Ryan
Apr 23, 2015, 11:48:22 AM
to securit...@googlegroups.com
Would have to be handled differently on the server. The server SHOULD have a rule-update file present as I understand it.

That approach seems sensible. Only other approach or maybe in addition is to have the rule-update script itself check if this is a salt managed sensor. If it is, (optionally) remove the rule-update file and don't run the update.

Your approach seems to be a better separation of concerns though.

Doug Burks
Apr 23, 2015, 12:26:15 PM
to securit...@googlegroups.com
On Thu, Apr 23, 2015 at 11:47 AM, Ryan <iam...@gmail.com> wrote:
> Would have to be handled differently on the server. The server SHOULD have a
> rule-update file present as I understand it.

Yes, a server should have /etc/cron.d/rule-update (and, if salt is
enabled, should also have /etc/cron.d/salt-update). Here are the
changes:
https://github.com/Security-Onion-Solutions/securityonion-rule-update/commit/6762b5764dda0d7ca9e99cff8d54a619b9324bdf

Specifically, see the new postinst:
https://github.com/Security-Onion-Solutions/securityonion-rule-update/blob/6762b5764dda0d7ca9e99cff8d54a619b9324bdf/debian/postinst

Since the server has /etc/cron.d/rule-update, this new strategy will
force (re)installation of /etc/cron.d/rule-update.

For sensors connected to that server with salt enabled, they should
simply output the following:
This is a sensor-only box with salt enabled.
NOT installing /etc/cron.d/rule-update.

securityonion-rule-update - 20120726-0ubuntu0securityonion28 is now
copying to ppa:securityonion/test. Would you be able to test this
afternoon? Once we get some testing, I'll go ahead and push to
stable.

Thanks!

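The decision rule Doug proposes above (copy the cron job into /etc/cron.d/ unless salt-update exists AND rule-update does not) and the sensor-only message his follow-up says the new package prints, written out as an added example. This is not the project's postinst and not code from the thread; the staging path, the function names and the sample cron line are assumptions, and the demo runs only against constructed temporary directories, never the real /etc/cron.d.

```sh
#!/bin/sh
# Added example, not the securityonion-rule-update postinst: the decision
# rule from the thread, written so it can be exercised against any directory.
# Assumptions (hypothetical names): the package stages its cron job somewhere
# outside /etc/cron.d and calls install_rule_update_cron STAGED CRON_DIR.

# Exit 0 ("install") unless BOTH hold:
#   - CRON_DIR/salt-update exists          (box is salt-managed)
#   - CRON_DIR/rule-update does not exist  (salt's highstate removed it:
#                                           sensor-only, rules come from master)
# A server keeps rule-update, so it is always (re)installed there.
should_install_rule_update() {
    cron_dir="$1"
    if [ -e "$cron_dir/salt-update" ] && [ ! -e "$cron_dir/rule-update" ]; then
        return 1
    fi
    return 0
}

# Copy the staged cron job into CRON_DIR, or print why it is being skipped.
install_rule_update_cron() {
    staged="$1"
    cron_dir="$2"
    if should_install_rule_update "$cron_dir"; then
        # Not group/other writable: Debian's cron refuses cron.d files it
        # considers insecure. A real postinst runs as root and so produces a
        # root-owned file; here only the mode is set so the example also
        # works unprivileged.
        install -m 0644 "$staged" "$cron_dir/rule-update"
        echo "Installed $cron_dir/rule-update"
    else
        echo "This is a sensor-only box with salt enabled."
        echo "NOT installing $cron_dir/rule-update."
    fi
}

# Walk the three box types on constructed temp dirs (never real /etc/cron.d).
demo() {
    tmp=$(mktemp -d)
    staged="$tmp/rule-update.staged"
    printf '# constructed sample, not the shipped job\n' > "$staged"
    printf '*/15 * * * * root /usr/bin/rule-update\n' >> "$staged"
    for kind in standalone server sensor; do
        d="$tmp/$kind"; mkdir "$d"
        case "$kind" in
            server) touch "$d/salt-update" "$d/rule-update" ;;
            sensor) touch "$d/salt-update" ;;
        esac
        echo "== $kind"
        install_rule_update_cron "$staged" "$d"
    done
    rm -rf "$tmp"
}

if [ "${1-}" = "--demo" ]; then demo; fi
```

Run it with `--demo` to see the standalone and server directories receive rule-update while the sensor directory prints the skip message. Because the cron job is no longer shipped straight into /etc/cron.d, dpkg no longer treats it as a conffile, which is what removes the "Deleted (by you or by a script)" prompt that broke the non-interactive upgrade earlier in the thread.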
Doug Burks
Apr 24, 2015, 8:54:04 AM
to securit...@googlegroups.com

Doug Burks
Apr 27, 2015, 7:54:04 AM
to securit...@googlegroups.com
Hi Ryan,

Would you have a chance to test this new package today?

Thanks!

Ryan
Apr 27, 2015, 10:12:22 AM
to securit...@googlegroups.com
Doug - Hope to test this afternoon.

Ryan Peck


Doug Burks
Apr 28, 2015, 2:46:58 PM
to securit...@googlegroups.com
Published:
http://blog.securityonion.net/2015/04/new-securityonion-rule-update-package_28.html