Closed bitskri3g closed 4 years ago
Hi @bitskri3g ,
How about if we default rule-update
to always running immediately with no delay? Then have a check to see if the word cron
is being passed as a parameter and only then add the random delay. The only time that would ever happen is when called from our cron job, so that should resolve this issue for your use case, right?
@dougburks That would work fine!
securityonion-rule-update - 20151201-1ubuntu1securityonion20
is now available at ppa:securityonion/test
.
Please test/verify as follows:
start with a 16.04.6.2 box
snapshot the VM if possible
add the test PPA:
sudo add-apt-repository -y ppa:securityonion/test
install all updates:
sudo soup -y
verify that /etc/cron.d/rule-update
now calls rule-update
with the cron
option:
cat /etc/cron.d/rule-update
run rule-update
with cron
option and verify delay to avoid overwhelming rule download sites:
sudo rule-update cron
run rule-update
with no options and verify no delay:
sudo rule-update
note that sensors running salt
won't run rule-update
at all but simply call salt
anything else we missed?
Thanks in advance for your time and effort!
Looks good from my testing 👍
This has been resolved - thanks @dougburks!
The changeset implemented to address https://github.com/security-onion-solutions/security-onion/issues/724 doesn't accurately detect interactive sessions not created by an actual user, e.g. when initiated by cloud-init:
When cloud-init executes the above, it is done interactively by the daemon, but
tty -s
exits nonzero, so it waits a random amount of minutes between 1 and 50 (as described in https://github.com/Security-Onion-Solutions/securityonion-rule-update/commit/80383559525982ed87b358f6bd8d374d2a29a804). This is not ideal when you're bootstrapping a new installation in a cloudy environment. Killing the sleep at the terminal lets the installation continue as expected.I think a
--force-update
flag in sosetup would be appropriate here, which would let you run rules-update immediately, even iftty -s
has a nonzero exit.