
Setup: improve removal of Elastic auth files #1632

Closed
dougburks opened this issue Sep 4, 2019 · 3 comments

Comments

@dougburks
Contributor

commented Sep 4, 2019

In #1570 we updated Setup to remove Logstash output files since they might contain auth information. However, the Logstash output files are not getting re-created because README.txt still exists. So let's delete that as well.

Also add an if statement so files are only removed if Elastic auth was actually enabled.
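One way to implement the change this issue asks for, as an added example that is not the securityonion-setup project's own code: a POSIX sh function that deletes the /etc/logstash/conf.d/*output* files together with README.txt, and only when the caller reports that Elastic auth is enabled. The directory path and the yes/no auth flag are parameters (assumptions, since the page does not show how Setup detects auth), and the file names used in the demo are constructed.

```shell
#!/bin/sh
# Added example, not code from securityonion-setup.
# Removes Logstash output files (which may carry Elastic auth credentials)
# and README.txt so that Setup re-creates the outputs on the next run.
# Args: $1 = conf directory (e.g. /etc/logstash/conf.d), $2 = "yes" if
# Elastic auth is enabled (how that is decided is the caller's concern).
# Prints the number of entries removed.
remove_elastic_auth_files() {
  conf_dir="$1"
  auth_enabled="$2"
  removed=0
  if [ "$auth_enabled" = "yes" ]; then
    for f in "$conf_dir"/*output* "$conf_dir"/README.txt; do
      # an unmatched glob stays a literal pattern in sh, and -e is false for a
      # dangling symlink (Setup re-creates outputs as symlinks), so test both
      [ -e "$f" ] || [ -L "$f" ] || continue
      rm -f "$f"
      removed=$((removed + 1))
    done
  fi
  echo "$removed"
}

# Demo against a scratch directory with constructed file names; never touches
# the real conf.d. Run as: sh this_script.sh --demo
demo() {
  d=$(mktemp -d)
  touch "$d/9999_output_elasticsearch.conf" "$d/README.txt" "$d/0001_input.conf"
  ln -s /nonexistent "$d/9998_output_syslog.conf"   # dangling symlink case
  echo "auth disabled, removed: $(remove_elastic_auth_files "$d" no)"
  echo "auth enabled,  removed: $(remove_elastic_auth_files "$d" yes)"
  ls "$d"   # only 0001_input.conf should remain
  rm -rf "$d"
}
[ "${1:-}" = "--demo" ] && demo
```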

@dougburks dougburks self-assigned this Sep 4, 2019

@dougburks dougburks added this to To do in 16.04.6.3 via automation Sep 4, 2019

@dougburks dougburks changed the title Setup: remove /etc/logstash/conf.d/README.txt Setup: improve removal of Elastic auth files Sep 4, 2019

dougburks added a commit to Security-Onion-Solutions/securityonion-setup that referenced this issue Sep 4, 2019

@dougburks dougburks moved this from To do to In progress in 16.04.6.3 Sep 4, 2019

dougburks added a commit to Security-Onion-Solutions/securityonion-setup that referenced this issue Sep 4, 2019
@dougburks

Contributor Author

commented Sep 5, 2019

securityonion-setup - 20120912-0ubuntu0securityonion314 is now available at ppa:securityonion/test. Please test and verify as follows:

  • create a VM using the latest 16.04.6.2 ISO image, but do not install any updates yet
  • run through normal Setup (not sosetup-minimal) and choose Evaluation Mode
  • verify that everything works correctly on this first run of Setup
  • re-run Setup as described previously
  • /etc/logstash/conf.d/*output* files should be missing and so logs never make it to Elasticsearch
  • add the test PPA:

      sudo add-apt-repository -y ppa:securityonion/test

  • install all updates:

      sudo soup

  • run through Setup choosing Evaluation Mode again
  • /etc/logstash/conf.d/*output* files should now exist and logs should be sending properly to Elasticsearch
  • re-run Setup and choose Evaluation Mode again
  • verify that /etc/logstash/conf.d/*output* files were not deleted and that logs are flowing to Elasticsearch
  • enable Elastic Auth:

      sudo so-elastic-auth

  • verify that /etc/logstash/conf.d/*output* files have been rewritten with auth credentials
  • re-run Setup and choose Evaluation Mode again
  • verify that /etc/logstash/conf.d/*output* files were deleted and re-created as symlinks and that logs are flowing to Elasticsearch
  • anything else we missed?

Thanks in advance for your time and effort!

@dougburks dougburks moved this from In progress to In Testing in 16.04.6.3 Sep 5, 2019

@weslambert

Collaborator

commented Sep 5, 2019

No issues here!

@dougburks

Contributor Author

commented Sep 5, 2019

@dougburks dougburks closed this Sep 5, 2019

16.04.6.3 automation moved this from In Testing to Done Sep 5, 2019
