Security Onion at Home
Security Onion (https://github.com/Security-Onion-Solutions/securityonion) is a great system, I love it, but starting with V2 I really had problems installing it on my test systems at home. I spent hours, many hours. No, I don’t have a data center at home, and yes, I’m fine testing it with WiFi and not having a monitoring interface. And no, I don’t understand why SO went this road to make it hard to impossible to test it this way.
So to set up a testing system at home which e.g. serves as a pure syslog server I finally found a way to fool the installation scripts. You will get a pure syslog server (and potentially more, e.g. OSSEC) without monitoring interface. It works for me for version 2.3.21, but I don’t know if it will survive updates, etc. Use it at your own risk. It’s your wasted time ;-)
Preconditions
- have a WiFi adapter which is supported by CentOS 7 and can be configured by `nmtui`
- temporarily install a normal NIC (yes, this is a must)
Installation
- install the ISO on a USB stick
- boot from the USB stick
- provide “yes”, username, 2x password
- reboot
- login with the user
- continue -> no
- sudo edit `SecurityOnion/setup/so-functions`: in line 58 find the assignment for `filtered_nics` and remove the substring `|wl` from the assignment
- restart the installation: `sudo /home/USERNAME/SecurityOnion/setup/so-setup iso`
- install, e.g. standalone or eval, and make sure to choose the options wisely (remember: no monitoring, slow testing device, …)
- important:
  - the management NIC must be the normal NIC
  - the monitoring NIC must be the WiFi device
- grab and enjoy your coffee (pot, not cup …)
- reboot
Tidy up
We have to fix two things: 1st remove the NIC flags which are set on the WiFi device for monitoring (PROMISC mode and others), and 2nd swap the WiFi device for the NIC in the configuration.
Tip: use ALT + F1 / ALT + F2 / … to switch between multiple console sessions if needed.
- use e.g. `ifconfig` to make sure your WiFi device is found and note down the device name
- sudo edit the script `/etc/NetworkManager/dispatcher.d/pre-up.d/99-so-checksum-offload-disable`: place an `exit` between the `bash` shebang line and the `if` statement; this will remove the monitoring flags from all interfaces
- sudo edit the SALT configuration file `/opt/so/saltstack/local/pillar/minions/tools_standalone.sls` and replace all occurrences of the normal NIC with the WiFi device, e.g. with `:1,$s/OLD/NEW/cg` in vi
- use network manager `nmtui` (sudo, of course) to
  - unconfigure / delete the normal NIC
  - configure your WiFi adapter for accessing the WiFi network (make sure to use a static IP configuration)
  - activate the WiFi adapter
- check with `ifconfig` if the WiFi interface is configured with an IP address (note: it won’t work yet!)
- reboot
Configuration
Because we don’t have a monitoring interface, we don’t need all of the tools. Unfortunately I haven’t found a way to simply disable the tools which aren’t needed in such a scenario. But I’ve figured out the following:
All changes can be done in `/opt/so/saltstack/local/pillar/minions/$SENSORNAME_$ROLE.sls`:
- change `True` to `False` for `enabled:` under `steno:`
  - this will result in a disabled state for stenography
- create an empty configuration section for zeek: add the following to the bottom of the file:

```yaml
zeek:
  local:
    '@load':
    '@load-sigs':
```

  - this will result in an error state for zeek which actually disables it

Reboot and check the outcome with `so-status`.
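The three hand edits from the Installation, Tidy up and Configuration sections, written up as shell functions; this is an added example, not the author’s code and not part of Security Onion. It assumes GNU sed (as shipped with CentOS 7) and that the caller passes the file paths; the exact wording of the `filtered_nics` line in `so-functions` is not reproduced, only the `|wl` substring the text says to remove.

```sh
#!/bin/sh
# Added example (not from the original post). Each function checks that
# the file looks as expected before touching it, fails loudly if the
# expected text is absent (already edited, or a different SO version),
# and keeps a .bak copy so the edit can be undone. Assumes GNU sed.
set -e

# Installation step: drop the "|wl" alternative from the filtered_nics
# assignment in setup/so-functions so wireless interfaces are offered.
unfilter_wifi() {
  grep -q 'filtered_nics=.*|wl' "$1" || {
    echo "no '|wl' in the filtered_nics assignment of $1" >&2; return 1; }
  sed -i.bak '/filtered_nics=/ s/|wl//' "$1"
}

# Tidy-up step: replace the wired NIC name with the WiFi device name in a
# pillar file. Whole-word match only, so e.g. enp0s3 never rewrites enp0s31
# (a plain :s/OLD/NEW/g in vi would).
swap_nic() {
  grep -qw "$2" "$1" || { echo "$2 not found in $1" >&2; return 1; }
  sed -i.bak "s/\\b$2\\b/$3/g" "$1"
}

# Configuration step: set "enabled: False" inside the steno: section only
# (other sections keep their value), then append the empty zeek section
# that puts zeek into an error state. Appending is skipped if zeek: exists.
disable_steno_and_zeek() {
  grep -q '^steno:' "$1" || { echo "no steno: section in $1" >&2; return 1; }
  sed -i.bak '/^steno:/,/^[^ ]/ s/enabled: True/enabled: False/' "$1"
  grep -q '^zeek:' "$1" || cat >> "$1" <<'EOF'
zeek:
  local:
    '@load':
    '@load-sigs':
EOF
}
```

Run e.g. `unfilter_wifi ~/SecurityOnion/setup/so-functions` before restarting `so-setup`, and `swap_nic /opt/so/saltstack/local/pillar/minions/tools_standalone.sls OLD NEW` during tidy-up; the `.bak` copy next to each file holds the previous version.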
Basic Tests
- ping the default gateway
- test name resolution
- check the SO status: `sudo so-status`
- allow syslog for your LAN using `so-allow`
- configure the system as remote syslog device for other systems
- access the SO web interface from another system and check if syslog traffic is flowing in (e.g. Kibana -> Discover)
Have fun and enjoy :-)