Security Onion 2.3.40 Hotfix for Curator Closed Index Issue

[dougburks]

We were notified of an issue in a curator script in Security Onion 2.3.40 this morning. Thanks to Github user Masaya-A for submitting the pull request (#3724). We've merged the pull request into our dev branch and so the fix will be included in our upcoming 2.3.50 release.

Am I affected?

This issue only applies to you if you're running Security Onion 2.3.40 on a standalone installation or a combined manager/search node. This issue does not apply to you if you have a full distributed deployment with a dedicated manager and separate search nodes and/or heavy nodes.

What is the problem?

This issue can result in closed Elasticsearch indices not getting deleted properly. This can then cause other data such as steno pcap data to be purged prematurely. Depending on your total storage and configuration, this could possibly result in filling your storage.

How can I fix it?

The fix has been merged into our dev branch so it will be included in the upcoming 2.3.50 release. If you don't want to wait for the 2.3.50 release, you can manually download and apply the hotfix as follows:

# Download the curator hotfix on the standalone or manager/search node
sudo wget https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/dev/salt/curator/files/bin/so-curator-closed-delete-delete -O /opt/so/saltstack/default/salt/curator/files/bin/so-curator-closed-delete-delete

# Apply the curator state
sudo salt-call state.apply curator queue=True

[dougburks]

Security Onion 2.3.50 is now available and includes this fix:
https://blog.securityonion.net/2021/04/security-onion-2350-now-available.html