implement idaholab#128, have install.py prompt for Arkime to manage P…

…CAP or not
mmguero-dev · Nov 18, 2022 · 3501539 · 3501539
1 parent f0ab2d8
commit 3501539
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 0 deletions.
diff --git a/docs/ubuntu-install-example.md b/docs/ubuntu-install-example.md
@@ -192,6 +192,8 @@ Capture packets using netsniff-ng? (Y/n): y
 
 Capture packets using tcpdump? (y/N): n
 
+Should Arkime delete PCAP files based on available storage (see https://arkime.com/faq#pcap-deletion)? (y/N): y
+
 Should Malcolm analyze live network traffic with Suricata? (y/N): y
 
 Should Malcolm analyze live network traffic with Zeek? (y/N): y

diff --git a/scripts/install.py b/scripts/install.py
@@ -696,12 +696,17 @@ def tweak_malcolm_runtime(
         pcapIface = 'lo'
         tweakIface = False
         pcapFilter = ''
+        arkimeManagePCAP = False
 
         if InstallerYesOrNo(
             'Should Malcolm capture live network traffic to PCAP files for analysis with Arkime?', default=False
         ):
             pcapNetSniff = InstallerYesOrNo('Capture packets using netsniff-ng?', default=True)
             pcapTcpDump = InstallerYesOrNo('Capture packets using tcpdump?', default=(not pcapNetSniff))
+            arkimeManagePCAP = InstallerYesOrNo(
+                'Should Arkime delete PCAP files based on available storage (see https://arkime.com/faq#pcap-deletion)?',
+                default=False,
+            )
 
         liveSuricata = InstallerYesOrNo('Should Malcolm analyze live network traffic with Suricata?', default=False)
         liveZeek = InstallerYesOrNo('Should Malcolm analyze live network traffic with Zeek?', default=False)
@@ -880,6 +885,12 @@ def tweak_malcolm_runtime(
                                 r'(PCAP_ENABLE_TCPDUMP\s*:\s*)(\S+)', fr"\g<1>{TrueOrFalseQuote(pcapTcpDump)}", line
                             )
 
+                        elif 'MANAGE_PCAP_FILES' in line:
+                            # Whether or not Arkime is allowed to delete uploaded/captured PCAP
+                            line = re.sub(
+                                r'(MANAGE_PCAP_FILES\s*:\s*)(\S+)', fr"\g<1>{TrueOrFalseQuote(arkimeManagePCAP)}", line
+                            )
+
                         elif 'ZEEK_LIVE_CAPTURE' in line:
                             # live traffic analysis with Zeek
                             line = re.sub(