Cleanup. Closes #440

[regulartim]

Description

Added a scheduled task that automatically removes outdated records based on configurable retention periods. The job cleans up old IOCs, Cowrie sessions, and command sequences to prevent database bloat and improve performance. All retention periods are configurable via environment settings.

Related issues

• Add IOC and Cowrie Session retention #440

Type of change

• New feature (non-breaking change which adds functionality).

Checklist

• I have read and understood the rules about how to Contribute to this project.
• The pull request is for the branch develop.
• I have added documentation of the new features.
• Linters (Black, Flake, Isort) gave 0 errors. If you have correctly installed pre-commit, it does these checks and adjustments on your behalf.
• I have added tests for the feature/bug I solved. All the tests (new and old ones) gave 0 errors.
• If changes were made to an existing model/serializer/view, the docs were updated and regenerated (check CONTRIBUTE.md).
• If the GUI has been modified:
  • I have a provided a screenshot of the result in the PR.
  • I have created new frontend tests for the new component or updated existing ones.

Important Rules

• If you miss to compile the Checklist properly, your PR won't be reviewed by the maintainers.
• If your changes decrease the overall tests coverage (you will know after the Codecov CI job is done), you should add the required tests to fix the problem
• Everytime you make changes to the PR and you think the work is done, you should explicitly ask for a review. After being reviewed and received a "change request", you should explicitly ask for a review again once you have made the requested changes.

[mlodic]

ok I noticed now that you already opened the PR so let's keep the retention management for IOCs and Command Sequences too. I would put a higher value as default (10 years)

[regulartim]

Two important considerations:

• CowrieSession serves as the n:m relationship bridge between IOC and CommandSequence objects. Deleting a session removes the association between an IOC and the commands it executed during that session.
• With 10 years of CommandSequence data, clustering may become too computationally expensive due to the time complexity of these algorithms.

[mlodic]

CowrieSession serves as the n:m relationship bridge between IOC and CommandSequence objects. Deleting a session removes the association between an IOC and the commands it executed during that session.

Because of that, I would keep CowrieSessions with at least one associated command alive for more time.
If the CommandSequence objects are deleted on cascade with CowrieSessions, does it make sense to clean that table too directly? (Maybe I am missing something so please tell me if you see any flaw)

With 10 years of CommandSequence data, clustering may become too computationally expensive due to the time complexity of these algorithms

Ok so nevermind, I am more interested in keeping a long retention for the IOC itself

[regulartim]

Because of that, I would keep CowrieSessions with at least one associated command alive for more time.

Yes. I think it is sensible to keep them at least as long as they have an associated command.

If the CommandSequence objects are deleted on cascade with CowrieSessions, does it make sense to clean that table too directly? (Maybe I am missing something so please tell me if you see any flaw)

CommandSequence objects are NOT deleted on cascade. One CommandSequence can be executed by multiple IOCs. If we would cascade delete it with the deletion of a single CowrieSession, that would also delete it for Sessions from other IOCs, which is not what we want.

Conclusion:

• we set IOC_RETENTION to 3650 (10y)
• we leave the default for COWRIE_SESSION_RETENTION and COMMAND_SEQUENCE_RETENTION at 365
• we only delete CowrieSessions if they have no associated CommandSequence (either because they never had one or because it got cleaned up)

Do you agree?

[mlodic]

super!