Closed cookiemonsteruk closed 2 years ago
So how do I "untaint it"?
```
% sudo crowdsec-cli collections list
WARN[07-02-2022 10:00:23 PM] Crowdsec is not the latest version. Current version is 'v1.2.3' and the latest stable version is 'v1.3.0'. Please update it!
WARN[07-02-2022 10:00:23 PM] As a result, you will not be able to use parsers/scenarios/collections added to Crowdsec Hub after CrowdSec v1.3.0
COLLECTIONS
--------------------------------------------------------------------------------------------------------
 NAME                    📦 STATUS          VERSION  LOCAL PATH
--------------------------------------------------------------------------------------------------------
 crowdsecurity/sshd      ✔️ enabled          0.2      /usr/local/etc/crowdsec/collections/sshd.yaml
 crowdsecurity/opnsense  ✔️ enabled          0.1      /usr/local/etc/crowdsec/collections/opnsense.yaml
 crowdsecurity/freebsd   ⚠️ enabled,tainted  0.1      /usr/local/etc/crowdsec/collections/freebsd.yaml
--------------------------------------------------------------------------------------------------------
```
I might have found my answer:
```
me@OPNsense:~ % sudo cscli collections install crowdsecurity/freebsd
WARN[07-02-2022 10:17:08 PM] Crowdsec is not the latest version. Current version is 'v1.2.3' and the latest stable version is 'v1.3.0'. Please update it!
WARN[07-02-2022 10:17:08 PM] As a result, you will not be able to use parsers/scenarios/collections added to Crowdsec Hub after CrowdSec v1.3.0
WARN[07-02-2022 10:17:09 PM] crowdsecurity/syslog-logs : overwrite
WARN[07-02-2022 10:17:09 PM] crowdsecurity/geoip-enrich : overwrite
INFO[07-02-2022 10:17:09 PM] Enabled parsers : crowdsecurity/geoip-enrich
WARN[07-02-2022 10:17:09 PM] crowdsecurity/dateparse-enrich : overwrite
WARN[07-02-2022 10:17:09 PM] crowdsecurity/sshd-logs : overwrite
WARN[07-02-2022 10:17:09 PM] crowdsecurity/ssh-bf : overwrite
WARN[07-02-2022 10:17:10 PM] crowdsecurity/ssh-slow-bf : overwrite
WARN[07-02-2022 10:17:10 PM] crowdsecurity/sshd : overwrite
WARN[07-02-2022 10:17:10 PM] crowdsecurity/sshd : overwrite
FATA[07-02-2022 10:17:10 PM] error while enabling crowdsecurity/freebsd : crowdsecurity/freebsd is tainted, won't enable unless --force.
penguin@OPNsense:~ % sudo cscli collections install --force crowdsecurity/freebsd
WARN[07-02-2022 10:17:39 PM] Crowdsec is not the latest version. Current version is 'v1.2.3' and the latest stable version is 'v1.3.0'. Please update it!
WARN[07-02-2022 10:17:39 PM] As a result, you will not be able to use parsers/scenarios/collections added to Crowdsec Hub after CrowdSec v1.3.0
WARN[07-02-2022 10:17:40 PM] crowdsecurity/syslog-logs : overwrite
WARN[07-02-2022 10:17:40 PM] crowdsecurity/geoip-enrich : overwrite
INFO[07-02-2022 10:17:40 PM] downloading data 'https://crowdsec-statics-assets.s3-eu-west-1.amazonaws.com/GeoLite2-City.mmdb' in '/var/db/crowdsec/data/GeoLite2-City.mmdb'
INFO[07-02-2022 10:18:02 PM] downloading data 'https://crowdsec-statics-assets.s3-eu-west-1.amazonaws.com/GeoLite2-ASN.mmdb' in '/var/db/crowdsec/data/GeoLite2-ASN.mmdb'
WARN[07-02-2022 10:18:03 PM] crowdsecurity/dateparse-enrich : overwrite
WARN[07-02-2022 10:18:03 PM] crowdsecurity/sshd-logs : overwrite
WARN[07-02-2022 10:18:03 PM] crowdsecurity/ssh-bf : overwrite
WARN[07-02-2022 10:18:03 PM] crowdsecurity/ssh-slow-bf : overwrite
WARN[07-02-2022 10:18:03 PM] crowdsecurity/sshd : overwrite
WARN[07-02-2022 10:18:03 PM] crowdsecurity/sshd : overwrite
WARN[07-02-2022 10:18:03 PM] crowdsecurity/freebsd : overwrite
INFO[07-02-2022 10:18:03 PM] /usr/local/etc/crowdsec/collections/sshd.yaml already exists.
INFO[07-02-2022 10:18:03 PM] /usr/local/etc/crowdsec/collections/freebsd.yaml already exists.
INFO[07-02-2022 10:18:03 PM] Enabled crowdsecurity/freebsd
INFO[07-02-2022 10:18:03 PM] Run 'sudo service crowdsec reload' for the new configuration to be effective.
me@OPNsense:~ % sudo service crowdsec reload
```
As a result, now:
```
me@OPNsense:~ % sudo crowdsec-cli collections list
WARN[07-02-2022 10:22:05 PM] Crowdsec is not the latest version. Current version is 'v1.2.3' and the latest stable version is 'v1.3.0'. Please update it!
WARN[07-02-2022 10:22:05 PM] As a result, you will not be able to use parsers/scenarios/collections added to Crowdsec Hub after CrowdSec v1.3.0
COLLECTIONS
------------------------------------------------------------------------------------------------
 NAME                    📦 STATUS   VERSION  LOCAL PATH
------------------------------------------------------------------------------------------------
 crowdsecurity/freebsd   ✔️ enabled   0.1      /usr/local/etc/crowdsec/collections/freebsd.yaml
 crowdsecurity/sshd      ✔️ enabled   0.2      /usr/local/etc/crowdsec/collections/sshd.yaml
 crowdsecurity/opnsense  ✔️ enabled   0.1      /usr/local/etc/crowdsec/collections/opnsense.yaml
------------------------------------------------------------------------------------------------
```
Does that look right and the correct approach, given that the installation was from txz files, and subsequently force updates have been made to a repo?
Hi, thanks for the report!

> Then I wanted to test the geoip enrichment, to see what it might do/look like with `sudo cscli parsers install crowdsecurity/geoip-enrich`

> I then removed the geoip with `sudo cscli parsers remove crowdsecurity/geoip-enrich` and since then there were messages of taints

GeoIP is already part of the default collection, so you should not need to install it. Removing it taints the collection. Then, in v0.0.3 it does not display that the collection is tainted, but shows it as disabled. v0.0.4 addresses that (it displays "enabled,tainted" instead of the checkmark).
You did the right thing by re-installing it.
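To make the maintainer's explanation concrete, here is an added example (not cscli's or the CrowdSec project's own code) that models how the hub decides an item is tainted: cscli stores a SHA-256 digest for every known version of a hub item and compares the locally installed file against them, and a collection counts as tainted when one of its members (parser, scenario or sub-collection) is locally modified or, as in this thread, removed. The hub index, the file contents and the collection membership below are constructed for the example and are a simplification of the real hub index.

```python
"""Model of hub 'taint' detection (added example, not cscli's code).

An item is tainted when its local file's digest matches no version known to
the hub index; a collection is tainted when any member is missing or tainted.
All data below is constructed; names mirror the items seen in the thread.
"""
import hashlib


def sha256(text: str) -> str:
    """Digest of a hub item file; the hub index keeps one per known version."""
    return hashlib.sha256(text.encode()).hexdigest()


# Constructed file contents for the hub items (not the real hub YAML).
HUB_FILES = {
    ("parsers", "crowdsecurity/syslog-logs"): "name: crowdsecurity/syslog-logs\nfilter: syslog\n",
    ("parsers", "crowdsecurity/geoip-enrich"): "name: crowdsecurity/geoip-enrich\nfilter: enrich\n",
    ("parsers", "crowdsecurity/sshd-logs"): "name: crowdsecurity/sshd-logs\nfilter: sshd\n",
    ("scenarios", "crowdsecurity/ssh-bf"): "type: leaky\nname: crowdsecurity/ssh-bf\n",
    ("collections", "crowdsecurity/sshd"): "parsers:\n  - crowdsecurity/sshd-logs\nscenarios:\n  - crowdsecurity/ssh-bf\n",
    ("collections", "crowdsecurity/freebsd"): "parsers:\n  - crowdsecurity/syslog-logs\n  - crowdsecurity/geoip-enrich\ncollections:\n  - crowdsecurity/sshd\n",
}

# Constructed hub index: per-version digests plus collection membership
# (the real index has the same two ingredients, in a different layout).
HUB_INDEX = {key: {"versions": {"0.1": sha256(content)}} for key, content in HUB_FILES.items()}
HUB_INDEX[("collections", "crowdsecurity/sshd")]["members"] = [
    ("parsers", "crowdsecurity/sshd-logs"),
    ("scenarios", "crowdsecurity/ssh-bf"),
]
HUB_INDEX[("collections", "crowdsecurity/freebsd")]["members"] = [
    ("parsers", "crowdsecurity/syslog-logs"),
    ("parsers", "crowdsecurity/geoip-enrich"),
    ("collections", "crowdsecurity/sshd"),
]


def item_status(key, local_files):
    """'missing' if not installed, 'enabled' if the digest is a known version, else 'tainted'."""
    if key not in local_files:
        return "missing"
    known = HUB_INDEX[key]["versions"].values()
    return "enabled" if sha256(local_files[key]) in known else "tainted"


def collection_status(key, local_files):
    """Return (status, reasons) for a collection, recursing into sub-collections.

    status is 'missing', 'enabled' or 'enabled,tainted', matching the column
    cscli prints; reasons lists every member that caused the taint.
    """
    own = item_status(key, local_files)
    if own == "missing":
        return "missing", []
    reasons = [] if own == "enabled" else [f"{key[1]}: local file differs from every hub version"]
    for member in HUB_INDEX[key].get("members", []):
        if member[0] == "collections":
            sub_status, sub_reasons = collection_status(member, local_files)
            if sub_status != "enabled":
                reasons.append(f"{member[1]}: {sub_status}")
                reasons.extend(sub_reasons)
        else:
            status = item_status(member, local_files)
            if status != "enabled":
                reasons.append(f"{member[1]}: {status}")
    return ("enabled" if not reasons else "enabled,tainted"), reasons


def full_install():
    """A clean install: every local file is byte-identical to its hub version."""
    return dict(HUB_FILES)


if __name__ == "__main__":
    freebsd = ("collections", "crowdsecurity/freebsd")
    local = full_install()
    print(collection_status(freebsd, local))
    # What `cscli parsers remove crowdsecurity/geoip-enrich` did to the install:
    del local[("parsers", "crowdsecurity/geoip-enrich")]
    print(collection_status(freebsd, local))
```

Running the script first reports the collection as enabled, then, after the parser is dropped, as `enabled,tainted` with the reason `crowdsecurity/geoip-enrich: missing`; reinstalling the parser (restoring the file with a known digest) clears the taint, which is why re-installing the collection with `--force` was the right fix. The same check also catches a hand-edited member file, since its digest no longer matches any hub version.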
Ok, thanks. Closing.
I am unsure if this is expected. What happened: I installed the three components:
Agent and firewall => https://github.com/crowdsecurity/packaging-freebsd/tree/v1.2.3_1-v0.0.22_1/security
OS plugin => https://github.com/crowdsecurity/opnsense-plugin-crowdsec/tree/v0.0.3
Then I wanted to test the geoip enrichment, to see what it might do/look like with
`sudo cscli parsers install crowdsecurity/geoip-enrich`
I then removed the geoip with `sudo cscli parsers remove crowdsecurity/geoip-enrich`
and since then there were messages of taints with `sudo cscli hub update`
I have since then reinstalled all three components but the message of taints remains. Also on the OPNSense plugin UI, in the Collections tab, crowdsecurity/freebsd remains a red cross (Disabled). In case it helps,
`cat /usr/local/etc/crowdsec/collections/freebsd.yaml`
gives:
That to my untrained eyes seems to suggest maybe a place where the removal of geoip should have removed its references?