Plaso reinstall

[digitalsleuth]

To support VM's and environments which already have plaso installed with the current pyparsing issue, this state will remove the existing installation of plaso, then re-install. This will ensure that the current, broken installation gets removed and re-installed properly.

[ekristen]

Are they broken because of us or for other reasons, this seems dirty.

[digitalsleuth]

For those that have a SIFT instance already from before the issue, plaso doesn't upgrade properly because the prior version of pyparsing is still installed. Uninstalling and re-installing forces the correct version to be installed without issue.

[ekristen]

Can we try and tailor it to just remove the pyparsing bad version with something like this? I'm not super familiar with the current plaso dependency tree.

vim-enhanced:
  pkg.removed:
    - version: 2:7.4.160-1.el7``` 

[digitalsleuth]

We could, however this will only fix that one particular issue and upgrade pyparsing, but not necessarily update the other dependency packages. The dependencies for plaso can be found here.

If plaso is already installed, then pkg.installed will just see it as installed and not re-install. If the version of plaso is old for other users and we upgrade pyparsing, then their installation will break.

If the version of plaso is newer but with the pyparsing issue, and we fix the pyparsing version, then the other requirements may remain at their previous version and the newest version of the package and dependencies may break.

[digitalsleuth]

@ekristen I believe this PR may assist in resolving the Plaso issues currently ongoing, and if possible, the SIFT VM on the SANS homepage may have to be rebuilt with a newer version (which doesn't have the plaso issues on first launch). Thoughts?

[ekristen]

Agreed.

[ekristen]

Are we just trying to force reinstall of Plaso? A clean install shouldn't need this? How does this fix it?

[digitalsleuth]

This is meant to do two things:

• Allow those who have a broken installation of plaso (either from their existing SIFT, or the current SIFT OVA) to have it fixed during an update/upgrade
• Ensure those who are installing fresh have a properly installed version of plaso.

The installation process for plaso only requires the installation of plaso-tools so the full removal of the other packages from the original state (plaso and plaso-data) ensures that the installation is done according to the supported method.

I had planned on moving python-evtx into a virtualenv as well, but was waiting on a confirmed course of action before I submitted that.

Ultimately, this just ensures that, no matter the status of the current install of plaso (broken or working), that the installation is completed from the correct source in the approved manner to ensure no future compatibility issues.