Table of Contents
Security Operation Center@home
We'll use SecurityOnion
Minimum requirements as of version 2.4 are :
- 4 Cores
- 16GB RAM
- 200GB HDD
On top of this you'll need: 2 NICs (1 for management, 1 for the monitoring)
You ARE NOT ALLOWED TO SNIFF/MONITOR network you don't own or for which you are not authorized:!:
That being said let's jump on it.
2.4 installation
boot on the ISO
first setup
- Operating system device: sdb. (in my case 256GB)
- same device for nsm ? NO
- NSM storage: sda (in my case 2TB)
- continue: yes it will erase EVERYTHING
- username
- pass
~5 minutes later if it's not frozen for whatever reason, reboot by pressing [enter]
First reboot
- log in
- install
- STANDALONE (in my case)
- Elastic search AGREE
- node install: standard
- name: soc
- description [enter] (in my case)
- management interface: eno1
- IP address: static (recommended! or you can force your DHCP always to give you the same IP….)
- IP: 192.168.1.XX/24
- gateway: 192.168.1.YY
- DNS: 192.168.1.ZZ,192.168.1.WW
- domain: fortier-family.com (in my case)
- connection method: Direct (in my case, no proxy)
- default Docker IP: yes
- NIC monitoring interface: enp1s0 (in my case) [space] to select
- Email address for admin account
- pass: 12345678
- web access method: OTHER
- type in the FQDN
- allow access through web interface?: …. YES (!!)
- IP range: 192.168.1.0/24
- Telemetry Yes/no
- summary
Troubleshooting
The installer is a piece of shit… you cannot go back, it freezes, and once at first reboot mgmt NIC was dead !! I had to reinstall it completely.
if the network is not working at the end, just log in, then:
sudo SecurityOnion/so-setup-network
Good luck
Virtual or Physical
It's really up to you, personally, I have a Dell Optiplex 7010 (16GB RAM i5-3470 256GB SSD) I tried using Security Onion under VMWare ESXi 7 but couldn't make it see all devices of my home network. So I bought an 8-port SWITCH with port mirroring (TP-link TL-SG108E)and used the Optiplex as standalone physical machine. I installed using sda as system disk and sdb (2TB SSD) for NSM data. I chose to run all services available and installed Security Onion as “STANDALONE” set the management NIC with a static IP
Once installed and setup you can access the web interface using https://static_IP_of_Security_Onion
SWAP
16GB is a bit tight …
dd if=/dev/zero of=/nsm/16GB.swap count=16384 bs=1MiB chmod 600 /nsm/16GB.swap mkswap /nsm/16GB.swap swapon /nsm/16GB.swap echo "/nsm/16GB.swap swap swap sw 0 0" >> /etc/fstab
EPEL
dnf install -y epel-release dnf update dnf install -y htop toilet
NTP
timedatectl set-timezone Europe/Zurich timedatectl vi /etc/chrony.conf
# NTP server list #server 0.pool.ntp.org iburst #server 1.pool.ntp.org iburst server ntp.fortier-family.com # Config options driftfile /var/lib/chrony/drift makestep 1.0 3 rtcsync logdir /var/log/chrony
systemctl restart chronyd chronyc sources
SSL Certs
Like for the rest of my local webservice I use a A record in my DNS then use certbot
sudo certbot -d yoursoc.yourdomain.tld --server https://acme-v02.api.letsencrypt.org/directory --manual --preferred-challenges dns certonly
- /etc/salt/minion.d/signing_policies.conf
grep ssl -A10 /etc/salt/minion.d/signing_policies.conf
First time (backup original files)
cd /etc/pki cp ca.key ca.key.org cp ca.crt ca.crt.org cp managerssl.crt managerssl.crt.org cp managerssl.key managerssl.key.org
Renewal/Install
sudo su cd /etc/letsencrypt/live/soc.fortier-family.com/ scp fullchain.pem privkey.pem warnaud@soc.fortier-family.com:~/. ssh soc.fortier-family.com cd /etc/pki cp /home/warnaud/fullchain.pem managerssl.crt cp: overwrite ‘managerssl.crt’? y cp /home/warnaud/privkey.pem managerssl.key cp: overwrite ‘managerssl.key’? y so-nginx-restart
Wazuh Agent
Download from https://soc.fqdn.tld/#/downloads
Then
Silence rule
grep 2033078 /opt/so/rules/nids/all.rules
where 2033078 is the rule.uuid in “Alerts”
vi /opt/so/saltstack/local/pillar/minions/soc_standalone.sls
... idstools: config: ruleset: 'ETOPEN' oinkcode: '' urls: sids: enabled: disabled: - 2033078 modify:
as always it's NOT WORKING and SCREW UP TOTALLY ALL SO containers (!!!!!!!!!!!!!!!!!!!!!)
References
- https://docs.securityonion.net/en/2.3/url-base.html | change IP to FQDN for web manager