-
Notifications
You must be signed in to change notification settings - Fork 521
ProductionDeployment
First, check the Hardware Requirements page.
Download and verify the Security Onion ISO image OR download and verify the ISO image for your preferred flavor of Ubuntu 16.04 64-bit.
If deploying a distributed environment, you’ll need to perform the remaining steps on the server, as well as all forward and storage nodes, but make sure you install/configure the master server first. For best performance, the master server should be dedicated to just being a server for the other nodes (the master server should have no sniffing interfaces of its own). Please note that forward and heavy nodes need to connect to the master server on ports 22 and 7736. If you choose to enable salt for node management, nodes will need to be able to connect to the master server on ports 4505 and 4506.
-
Using the downloaded ISO, install the operating system. If prompted with an "encrypt home folder" option, DO NOT enable this feature. If asked about automatic updates, DO NOT enable automatic updates. If prompted to install any additional packages, leave "standard system utilities" selected and also select "OpenSSH Server" (openssh-server). Do NOT choose MySQL at this point. All other required dependencies will be installed automatically.
-
When asked about partitioning, there are a few things to keep in mind:
- If you have more than 2TB of disk space, you will probably want to create a dedicated
/boot
partition at the beginning of the disk to ensure that you don’t have any Grub booting issues. Choosing the LVM option should do this automatically. - Check to see if the installer allocates a large amount of space to /home. If this is the case, you may want to shrink /home to give more space to /.
- The Sguil database on the server (doesn’t exist on other node types) can grow fairly large (100GB or more for decent-size networks). It’s stored at
/var/lib/mysql/
, so you may want to put /var on a dedicated partition/disk and assign a good amount of disk space to it. Also see theDAYSTOKEEP
instructions on the Post-Installation page.
- Forward, Heavy, and Standalone nodes store full packet captures at
/nsm/sensor_data/
, so you may want to put/nsm
on a dedicated partition/disk and assign as much disk space as possible (1TB or more). For larger volumes you might also consider using XFS for the/nsm
partition. - For Heavy, Standalone, and Storage Nodes, it is highly recommended to place
/nsm/elasticsearch
and/nsm/logstash
on SSD or fast spinning disk in a RAID 10 configuration. See Hardware Requirements for more details.
- If you have more than 2TB of disk space, you will probably want to create a dedicated
-
When installation completes, reboot into your new installation and login with the credentials you specified during installation.
-
If you’re running a VM, now would be a good time to snapshot it so you can revert later if you need to.
-
Verify that you have Internet connectivity. If necessary, configure your proxy settings.
-
If you installed from the Security Onion 16.04 ISO image, run
sudo soup
. If you get any errors relating to MySQL, please see MySQL-Upgrade-Errors. Reboot if prompted. Skip to the Setup section below. -
Install all Ubuntu updates and reboot:
sudo apt-get update && sudo apt-get dist-upgrade && sudo reboot
-
Log back in and configure MySQL not to prompt for root password (Setup will generate a random password later):
echo "debconf debconf/frontend select noninteractive" | sudo debconf-set-selections
-
Install software-properties-common if it's not already installed:
sudo apt-get -y install software-properties-common
-
Add the Security Onion stable repository:
sudo add-apt-repository -y ppa:securityonion/stable
-
Update:
sudo apt-get update
-
Install the securityonion-all metapackage (or one of the more focused metapackages). This could take 15 minutes or more depending on the speed of your CPU and Internet connection.
sudo apt-get -y install securityonion-all syslog-ng-core
-
OPTIONAL: If you want to use Salt to manage your deployment, also install securityonion-onionsalt. You can do this before or after Setup, but it's much easier if you do it before Setup.
sudo apt-get -y install securityonion-onionsalt
-
Update all packages:
sudo soup
- Run the Setup wizard. If you are locally on the box, you can run the GUI:
sudo sosetup
Otherwise, if you are remote and logged in over ssh, you can run CLI-only Setup using sosetup.conf. For more information, please see /usr/share/securityonion/sosetup.conf. - The Setup wizard will walk you through configuring
/etc/network/interfaces
and will then reboot.
- When prompted whether you would like to configure
/etc/network/interfaces
now, choose “Yes, configure /etc/network/interfaces!.”
- If you have more than one network interface, you’ll be asked which to specify which one should be the management interface.
- You’ll then be asked to choose DHCP or static addressing for the management interface. It is highly recommended you choose static.
- Choosing static, you’ll be prompted to enter a static IP address for your management interface, the network’s subnet mask, gateway IP address, DNS server IP addresses (separated by spaces), and your local domain.
- You’ll then be prompted to select any additional interfaces that will be used for sniffing/monitoring network traffic.
- When prompted, choose “Yes, make changes!"
- If you need to adjust any network settings manually (e.g.
MTU
), you may edit/etc/network/interfaces
before rebooting.
- When ready to reboot, click "Yes, reboot!”
- After rebooting, log back in and start the Setup wizard again (GUI if local, sosetup.conf CLI if remote). It will detect that you have already configured /etc/network/interfaces and will walk you through the rest of the configuration.
- Select
Production Mode
.
- Select
New
orExisting
(New
if this is a master or standalone, andExisting
for forward, heavy, and storage nodes).
-
New
- Provide a username and password for the analyst user.
- Select
Best Practices
. - Choose your IDS ruleset.
- Choose your IDS engine (Snort or Suricata).
- Choose whether or not to enable sensor services:
-
Master Server
-
Do not enable sensor services.
-
Choose whether or not to use storage nodes for log storage.
- Storage node
- Use storage node for load-balancing.
Please note: If you choose this option, until a storage node is configured and Logstash has intialized (on the storage node), you will not be able to review log data for configured forward nodes in Kibana.
- Use storage node for load-balancing.
- Local storage
- Store logs locally.
- Storage node
-
Select
Yes
to proceed with your changes.
-
-
Standalone
-
Enable sensor services
-
Choose whether or not to use storage nodes for log storage:
- Storage node
- Use storage node for load-balancing.
Please note: If you choose this option, until a storage node is configured and Logstash has intialized (on the storage node), you will not be able to review log data from sensor services in Kibana.
- Use storage node for load-balancing.
- Local storage
- Store logs locally.
- Storage node
-
Select
Yes
to proceed with your changes.
-
-
Existing
-
Provide the hostname or IP address of the master server (some folks may want to specify the IP/hostname of the master server in
/etc/hosts
and use the specified hostname during setup -- this may help in the event the master server IP changes.) -
Provide a username to SSH to the master for the node (should have already been created on the master and added to the sudo group). Please make sure that your server has been set up and you have network connectivity and no firewall rules that would block this traffic. Additionally, consider creating a separate SSH account on the master server for each node so that if a node is ever compromised, its individual account can be disabled without affecting the other nodes.
On the Master, the following or similar should have been run (where
$nodeuser
is your specified user):sudo adduser $nodeuser && sudo adduser $nodeuser sudo
The new account must have a full home directory. If you do not create it when you create the account, copy
/etc/skel
to/home/$nodeuser
and dochown -R $nodeuser:$nodeuser /home/$nodeuser
. This is needed so the .ssh directory may be created to manage the connection.NOTE: This user should be removed from the sudo group on the master server after setup.
-
Select Node Type:
- Forward Node
- Select
Best Practices
. - Keep the default for PF_RING min_num_slots, unless you would like to change it.
- Modify the selected sniffing interfaces if necessary -- otherwise, continue.
- Modify HOME_NET as desired.
- Select
Yes
to proceed with your changes.
- Select
Please note: If you chose to use one or more storage nodes with your master server, you will be able to receive IDS alerts and pull PCAPs from the forward node once setup completes, however, you will not be able to review other logs (i.e. Bro logs in Kibana) from the node until a storage node has been configured for the master server and Logstash on the storage node has initialized.
- Heavy Node
- Select
Best Practices
. - Keep the default for PF_RING min_num_slots, unless you would like to change it.
- Modify the selected sniffing interfaces if necessary -- otherwise, continue.
- Modify HOME_NET as desired.
- Provide amount of disk space to be used for Elasticsearch to store logs (default is half of available disk space).
- Select
Yes
to proceed with your changes.
- Select
- Storage Node
- Provide amount of disk space to be used for Elasticsearch to store logs (default is half of available disk space).
- Select
Yes
to proceed with your changes.
- Forward Node
-
Remove
$nodeuser
from the sudo group on the master server:
sudo deluser $nodeuser sudo
-
Proceed to PostInstallation
- Introduction
- Use Cases
- Hardware Requirements
- Release Notes
- Download/Install
- Booting Issues
- After Installation
- UTC and Time Zones
- Services
- VirtualBox Walkthrough
- VMWare Walkthrough
- Videos
- Architecture
- Cheat Sheet
- Conference
- Elastic Stack
- Elastic Architecture
- Elasticsearch
- Logstash
- Kibana
- ElastAlert
- Curator
- FreqServer
- DomainStats
- Docker
- Redis
- Data Fields
- Beats
- Pre-Releases
- ELSA to Elastic
- Network Configuration
- Proxy Configuration
- Firewall/Hardening
- Email Configuration
- Integrating with other systems
- Changing IP Addresses
- NTP
- Managing Alerts
- Managing Rules
- Adding Local Rules
- Disabling Processes
- Filtering with BPF
- Adjusting PF_RING for traffic
- MySQL Tuning
- Adding a new disk
- High Performance Tuning
- Trimming PCAPs