NSM: change filesystem grep Security-Onion-Solutions/security-onion#1488

debian/changelog

@@ -1,3 +1,9 @@
+securityonion-nsmnow-admin-scripts (20120724-0ubuntu0securityonion202) xenial; urgency=medium
+
+  * NSM: change filesystem grep Security-Onion-Solutions/security-onion#1488 
+
+ -- Doug Burks <doug.burks@gmail.com>  Tue, 19 Mar 2019 06:13:43 -0400
+
 securityonion-nsmnow-admin-scripts (20120724-0ubuntu0securityonion201) xenial; urgency=medium
 
   * NSM: when (re)starting Suricata, make sure stats.log has proper ownership Security-Onion-Solutions/security-onion#1477 

debian/patches/NSM:-change-filesystem-grep-Security-Onion-Solutionssecurity-onion#1488

@@ -0,0 +1,61 @@
+Description: <short summary of the patch>
+ TODO: Put a short summary on the line above and replace this paragraph
+ with a longer explanation of this change. Complete the meta-information
+ with other relevant fields (see below for details). To make it easier, the
+ information below has been extracted from the changelog. Adjust it or drop
+ it.
+ .
+ securityonion-nsmnow-admin-scripts (20120724-0ubuntu0securityonion202) xenial; urgency=medium
+ .
+   * NSM: change filesystem grep Security-Onion-Solutions/security-onion#1488
+Author: Doug Burks <doug.burks@gmail.com>
+
+---
+The information above should follow the Patch Tagging Guidelines, please
+checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here
+are templates for supplementary fields that you might want to add:
+
+Origin: <vendor|upstream|other>, <url of original patch>
+Bug: <url in upstream bugtracker>
+Bug-Debian: https://bugs.debian.org/<bugnumber>
+Bug-Ubuntu: https://launchpad.net/bugs/<bugnumber>
+Forwarded: <no|not-needed|url proving that it has been forwarded>
+Reviewed-By: <name and email of someone who approved the patch>
+Last-Update: <YYYY-MM-DD>
+
+--- securityonion-nsmnow-admin-scripts-20120724.orig/usr/lib/nsmnow/lib-nsm-sensor-utils
++++ securityonion-nsmnow-admin-scripts-20120724/usr/lib/nsmnow/lib-nsm-sensor-utils
+@@ -292,7 +292,7 @@ sensor_cleandisk()
+ 	SENSOR_DIR=`pwd`
+ 	cd - >/dev/null
+ 	#echo $SENSOR_DIR
+-	CUR_USAGE=$(df -P $SENSOR_DIR | grep -v -i filesystem | awk '{print $5}' | tr -d %)
++	CUR_USAGE=$(df -P $SENSOR_DIR | tail -1 | awk '{print $5}' | tr -d %)
+ 	#echo $CUR_USAGE
+
+ 	# let's change color based on severity
+@@ -366,13 +366,13 @@ sensor_cleandisk()
+ 			if [ -z "$OLDEST_DIR" -o "$OLDEST_DIR" == ".." -o "$OLDEST_DIR" == "." ]
+ 			then
+ 				# there are no pcaps from previous days, so look for pcaps from today that we can delete
+-			        CUR_USAGE=$(df -P $SENSOR_DIR | grep -v -i filesystem | awk '{print $5}' | tr -d %)
++			        CUR_USAGE=$(df -P $SENSOR_DIR | tail -1 | awk '{print $5}' | tr -d %)
+ 				# keep looping until EITHER disk usage is no longer critical OR we're out of pcaps to delete
+ 				while [ "$CUR_USAGE" -gt "$CRIT_DISK_USAGE" ] && [ `find $SENSOR/dailylogs/$TODAY/ -type f -name 'snort.log.*' | wc -l` -gt 1 ]; do
+ 					PCAP=`find $SENSOR/dailylogs/$TODAY/ -type f -name 'snort.log.*' | sort | head -1`
+ 					echo_msg 1 "removing pcap from today's directory: $PCAP"
+ 					rm -f "$PCAP"
+-				        CUR_USAGE=$(df -P $SENSOR_DIR | grep -v -i filesystem | awk '{print $5}' | tr -d %)
++				        CUR_USAGE=$(df -P $SENSOR_DIR | tail -1 | awk '{print $5}' | tr -d %)
+ 				done
+ 				# if we're out of pcaps to delete, then increment variable
+ 				if [ `ls $SENSOR/dailylogs/$TODAY/snort.log.* | wc -l` -le 1 ]; then
+@@ -436,7 +436,7 @@ sensor_cleandisk()
+ 		done
+
+ 		# check if we're still above disk usage threshold
+-	        CUR_USAGE=$(df -P $SENSOR_DIR | grep -v -i filesystem | awk '{print $5}' | tr -d %)
++	        CUR_USAGE=$(df -P $SENSOR_DIR | tail -1 | awk '{print $5}' | tr -d %)
+ 		if [ "$CUR_USAGE" -gt "$CRIT_DISK_USAGE" ]; then
+ 			# if we're out of pcaps to delete for all sensor interfaces, then stop writing pcaps
+ 			if [ "$SENSORS_WITH_NO_PCAPS_TO_DELETE" -ne 0 -a "$SENSORS_WITH_NO_PCAPS_TO_DELETE" -eq "$NUMBER_OF_SENSORS" ]; then

debian/patches/series

@@ -193,3 +193,4 @@ rename-setting-to-SURICATA_CAPTURE-Security-Onion-Solutionssecurity-onion#1431
 ensure-SURICATA_CAPTURE-gets-added-to-sensor.conf-Security-Onion-Solutionssecurity-onion#1431
 NSM:-wipe-Suricata-stats.log-using-truncate-rather-than-rm-Security-Onion-Solutionssecurity-onion#1456
 NSM:-when-(re)starting-Suricata,-make-sure-stats.log-has-proper-ownership-Security-Onion-Solutionssecurity-onion#1477
+NSM:-change-filesystem-grep-Security-Onion-Solutionssecurity-onion#1488

usr/lib/nsmnow/lib-nsm-sensor-utils

@@ -292,7 +292,7 @@ sensor_cleandisk()
 	SENSOR_DIR=`pwd`
 	cd - >/dev/null
 	#echo $SENSOR_DIR
-	CUR_USAGE=$(df -P $SENSOR_DIR | grep -v -i filesystem | awk '{print $5}' | tr -d %)
+	CUR_USAGE=$(df -P $SENSOR_DIR | tail -1 | awk '{print $5}' | tr -d %)
 	#echo $CUR_USAGE
 
 	# let's change color based on severity
@@ -366,13 +366,13 @@ sensor_cleandisk()
 			if [ -z "$OLDEST_DIR" -o "$OLDEST_DIR" == ".." -o "$OLDEST_DIR" == "." ]
 			then
 				# there are no pcaps from previous days, so look for pcaps from today that we can delete
-			        CUR_USAGE=$(df -P $SENSOR_DIR | grep -v -i filesystem | awk '{print $5}' | tr -d %)
+			        CUR_USAGE=$(df -P $SENSOR_DIR | tail -1 | awk '{print $5}' | tr -d %)
 				# keep looping until EITHER disk usage is no longer critical OR we're out of pcaps to delete
 				while [ "$CUR_USAGE" -gt "$CRIT_DISK_USAGE" ] && [ `find $SENSOR/dailylogs/$TODAY/ -type f -name 'snort.log.*' | wc -l` -gt 1 ]; do
 					PCAP=`find $SENSOR/dailylogs/$TODAY/ -type f -name 'snort.log.*' | sort | head -1`
 					echo_msg 1 "removing pcap from today's directory: $PCAP"
 					rm -f "$PCAP"
-				        CUR_USAGE=$(df -P $SENSOR_DIR | grep -v -i filesystem | awk '{print $5}' | tr -d %)
+				        CUR_USAGE=$(df -P $SENSOR_DIR | tail -1 | awk '{print $5}' | tr -d %)
 				done
 				# if we're out of pcaps to delete, then increment variable
 				if [ `ls $SENSOR/dailylogs/$TODAY/snort.log.* | wc -l` -le 1 ]; then
@@ -436,7 +436,7 @@ sensor_cleandisk()
 		done
 
 		# check if we're still above disk usage threshold
-	        CUR_USAGE=$(df -P $SENSOR_DIR | grep -v -i filesystem | awk '{print $5}' | tr -d %)
+	        CUR_USAGE=$(df -P $SENSOR_DIR | tail -1 | awk '{print $5}' | tr -d %)
 		if [ "$CUR_USAGE" -gt "$CRIT_DISK_USAGE" ]; then
 			# if we're out of pcaps to delete for all sensor interfaces, then stop writing pcaps
 			if [ "$SENSORS_WITH_NO_PCAPS_TO_DELETE" -ne 0 -a "$SENSORS_WITH_NO_PCAPS_TO_DELETE" -eq "$NUMBER_OF_SENSORS" ]; then