An observation on rule-update


Shane Castle

Aug 30, 2016, 8:36:05 AM
to securit...@googlegroups.com
If rule-update is run manually and not through the cron job, the file
/var/log/nsm/pulledpork.log will not be updated with the results of the run.
Here is the line from /etc/cron.d/rule-update:

01 7 * * * root date >> /var/log/nsm/pulledpork.log ; /usr/bin/rule-update cron >> /var/log/nsm/pulledpork.log 2>&1

As a result, when I want to run rule-update manually, I will "sudo -i" to get a
root command line and then run the command portion of the cron job entry, less
the 'cron' parameter:

date >> /var/log/nsm/pulledpork.log ; /usr/bin/rule-update >> /var/log/nsm/pulledpork.log 2>&1

Question: should rule-update be changed so that it always updates the log file?
This would probably require a wrapper around a renamed script, probably using
tee as well:

date >> /var/log/nsm/pulledpork.log
/usr/bin/rule-update 2>&1 | tee -a /var/log/nsm/pulledpork.log

Making rule-update run 'date' first could eliminate the first line.

Where this becomes an issue is when the output of sostat is relied on to tell
the truth about the last run of rule-update, when in fact it will do so only if
it was run by cron or by the method mentioned above. The sostat-quick script,
for instance, believes this.

--
Best regards
Shane Castle
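The wrapper idea from the post above, written out as an added example (this is not Security Onion's own code and not the poster's). It assumes, as the post suggests, that the original script is renamed (here to the hypothetical /usr/bin/rule-update.real) and that this wrapper is installed in its place. It writes the date line itself, tees stdout and stderr into the pulledpork log no matter how it was invoked, and, unlike a plain `cmd | tee`, still returns the wrapped command's exit status rather than tee's, so cron and a human at the console see the same log and the same failure signal.

```shell
#!/bin/sh
# Added example, not Security Onion's code. Drop-in wrapper so that the
# pulledpork log is always updated, whether rule-update runs from cron
# or from an interactive root shell.

LOG_DEFAULT=/var/log/nsm/pulledpork.log
# Assumed (hypothetical) name for the renamed original script.
REAL_SCRIPT=/usr/bin/rule-update.real

# log_run LOGFILE CMD [ARGS...]
# Appends a date line to LOGFILE, then runs CMD with stdout and stderr
# appended to LOGFILE while still echoing them to the terminal.
# Returns CMD's exit status, not tee's.
log_run() {
    logfile=$1; shift
    date >> "$logfile" || return 1
    # The command's status would be lost behind the pipe, so record it
    # from inside the pipeline's left side and read it back afterwards.
    status_file=$(mktemp) || return 1
    { rc=0; "$@" 2>&1 || rc=$?; echo "$rc" > "$status_file"; } | tee -a "$logfile"
    status=$(cat "$status_file")
    rm -f "$status_file"
    return "$status"
}

# rule_update_wrapper [ARGS...]
# Forwards its arguments (e.g. "cron") to the real script under log_run.
rule_update_wrapper() {
    log_run "$LOG_DEFAULT" "$REAL_SCRIPT" "$@"
}

# Only act as the wrapper when installed under the rule-update name;
# when sourced or run under another name the functions are just defined.
case "$(basename -- "$0")" in
    rule-update) rule_update_wrapper "$@"; exit $? ;;
esac
```

With the wrapper in place the cron entry no longer needs its own `date` and redirections and can simply read `01 7 * * * root /usr/bin/rule-update cron`, while a manual `sudo -i` followed by `rule-update` produces the same log lines and the same exit status that sostat and sostat-quick later inspect.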

Wes Lambert

Aug 30, 2016, 8:57:50 AM
to securit...@googlegroups.com

I agree, and think it would be beneficial to have this changed, so that we could get a more accurate representation of the last run of rule-update (when running sostat or sostat-quick).

Thanks,
Wes


--
Follow Security Onion on Twitter!
https://twitter.com/securityonion
---
You received this message because you are subscribed to the Google Groups "security-onion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to security-onion+unsubscribe@googlegroups.com.
To post to this group, send email to security-onion@googlegroups.com.
Visit this group at https://groups.google.com/group/security-onion.
For more options, visit https://groups.google.com/d/optout.

Doug Burks

Aug 30, 2016, 5:42:37 PM
to securit...@googlegroups.com
I've created Issue 985 for this:
https://github.com/Security-Onion-Solutions/security-onion/issues/985
--
Doug Burks