devices:dell_optiplex7010:soc
Differences
This shows you the differences between two versions of the page.
| devices:dell_optiplex7010:soc [2022/06/30 08:22] – [First time (backup original files)] warnaud | devices:dell_optiplex7010:soc [2024/06/11 16:30] (current) – [NTP] warnaud | ||
|---|---|---|---|
| Line 1: | Line 1: | ||
| + | ====== Security Operation Center@home ====== | ||
| + | We'll use [[https:// | ||
| + | Minimum requirements as of version 2.4 are : | ||
| + | * 4 Cores | ||
| + | * 16GB RAM | ||
| + | * 200GB HDD | ||
| + | |||
| + | |||
| + | On top of this you'll need: **2 NICs** (1 for management, 1 for the monitoring)\\ | ||
| + | :!: You ARE NOT ALLOWED TO SNIFF/ | ||
| + | That being said let's jump on it. | ||
| + | |||
| + | ====== 2.4 installation ====== | ||
| + | boot on the ISO | ||
| + | ===== first setup ===== | ||
| + | * Operating system device: sdb. (in my case ;-) 256GB) | ||
| + | * same device for nsm ? NO | ||
| + | * NSM storage: sda (in my case 2TB) | ||
| + | * continue: yes :!: it will erase EVERYTHING :!: | ||
| + | * username | ||
| + | * pass | ||
| + | |||
| + | ~5 minutes later if it's not frozen for whatever reason, reboot by pressing [enter] | ||
| + | ===== First reboot ===== | ||
| + | * log in | ||
| + | * install | ||
| + | * STANDALONE (in my case) | ||
| + | * Elastic search AGREE | ||
| + | * node install: standard | ||
| + | * name: soc | ||
| + | * description [enter] (in my case) | ||
| + | * management interface: eno1 | ||
| + | * IP address: static (recommended! or you can force your DHCP always to give you the same IP....) | ||
| + | * IP: 192.168.1.XX/ | ||
| + | * gateway: 192.168.1.YY | ||
| + | * DNS: 192.168.1.ZZ, | ||
| + | * domain: fortier-family.com (in my case) | ||
| + | * connection method: Direct (in my case, no proxy) | ||
| + | * default Docker IP: yes | ||
| + | * NIC monitoring interface: enp1s0 (in my case) [space] to select | ||
| + | * Email address for admin account | ||
| + | * pass: 12345678 | ||
| + | * web access method: OTHER | ||
| + | * type in the FQDN | ||
| + | * allow access through web interface?: .... YES (!!) | ||
| + | * IP range: 192.168.1.0/ | ||
| + | * Telemetry Yes/no | ||
| + | * summary | ||
| + | ==== Troubleshooting ==== | ||
| + | The installer is a piece of shit... you cannot go back, it freezes, and once at first reboot mgmt NIC was dead !! I had to reinstall it completely. | ||
| + | |||
| + | if the network is not working at the end, just log in, then:< | ||
| + | |||
| + | Good luck 8-) | ||
| + | |||
| + | |||
| + | |||
| + | ====== Virtual or Physical ====== | ||
| + | |||
| + | It's really up to you, personally, I have a Dell Optiplex 7010 (16GB RAM i5-3470 256GB SSD) | ||
| + | I tried using Security Onion under VMWare ESXi 7 but couldn' | ||
| + | So I bought an 8-port SWITCH with port mirroring (TP-link TL-SG108E)and used the Optiplex as standalone physical machine. | ||
| + | I installed using sda as system disk and sdb (2TB SSD) for NSM data. I chose to run all services available and installed Security Onion as " | ||
| + | :!: set the management NIC with a static IP :!: | ||
| + | |||
| + | Once installed and setup you can access the web interface using https:// | ||
| + | |||
| + | ====== SWAP ====== | ||
| + | 16GB is a bit tight ... | ||
| + | <code bash> | ||
| + | dd if=/ | ||
| + | chmod 600 / | ||
| + | mkswap / | ||
| + | swapon / | ||
| + | echo "/ | ||
| + | </ | ||
| + | |||
| + | ====== EPEL ====== | ||
| + | <code bash> dnf install -y epel-release | ||
| + | dnf update | ||
| + | dnf install -y htop toilet</ | ||
| + | |||
| + | ====== NTP ====== | ||
| + | <code bash> | ||
| + | timedatectl set-timezone Europe/ | ||
| + | timedatectl | ||
| + | vi / | ||
| + | <code perl> | ||
| + | # NTP server list | ||
| + | #server 0.pool.ntp.org iburst | ||
| + | #server 1.pool.ntp.org iburst | ||
| + | server ntp.fortier-family.com | ||
| + | |||
| + | # Config options | ||
| + | driftfile / | ||
| + | makestep 1.0 3 | ||
| + | rtcsync | ||
| + | logdir / | ||
| + | <code bash> | ||
| + | chronyc sources</ | ||
| + | |||
| + | ====== SSL Certs ====== | ||
| + | Like for the rest of my local webservice I use a A record in my DNS then use certbot | ||
| + | <code bash> | ||
| + | * / | ||
| + | <code bash> grep ssl -A10 / | ||
| + | ===== First time (backup original files) ===== | ||
| + | <code bash> | ||
| + | cd /etc/pki | ||
| + | cp ca.key ca.key.org | ||
| + | cp ca.crt ca.crt.org | ||
| + | cp managerssl.crt managerssl.crt.org | ||
| + | cp managerssl.key managerssl.key.org | ||
| + | </ | ||
| + | ===== Renewal/ | ||
| + | <code bash> | ||
| + | sudo su | ||
| + | cd / | ||
| + | scp fullchain.pem privkey.pem warnaud@soc.fortier-family.com: | ||
| + | ssh soc.fortier-family.com | ||
| + | cd /etc/pki | ||
| + | cp / | ||
| + | cp: overwrite ‘managerssl.crt’? | ||
| + | cp / | ||
| + | cp: overwrite ‘managerssl.key’? | ||
| + | so-nginx-restart | ||
| + | </ | ||
| + | |||
| + | |||
| + | |||
| + | ===== Wazuh Agent ===== | ||
| + | |||
| + | Download from https:// | ||
| + | Then | ||
| + | * https:// | ||
| + | * https:// | ||
| + | ===== Silence rule ===== | ||
| + | * https:// | ||
| + | <code bash> grep 2033078 / | ||
| + | <code bash> vi / | ||
| + | <code perl> | ||
| + | ... | ||
| + | idstools: | ||
| + | config: | ||
| + | ruleset: ' | ||
| + | oinkcode: '' | ||
| + | urls: | ||
| + | sids: | ||
| + | enabled: | ||
| + | disabled: | ||
| + | - 2033078 | ||
| + | modify: | ||
| + | </ | ||
| + | |||
| + | :!: as always it's NOT WORKING and SCREW UP TOTALLY ALL SO containers :!: (!!!!!!!!!!!!!!!!!!!!!) | ||
| + | ====== References ====== | ||
| + | |||
| + | * https:// | ||
| + | * https:// | ||
| + | * https:// | ||
| + | * https:// | ||
| + | * https:// | ||
| + | * https:// | ||
| + | * https:// | ||
| + | * https:// | ||
| + | * https:// | ||
| + | * https:// | ||
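Review bot: the Renewal/Update steps leave a second copy of the Let's Encrypt private key on the SOC host: `scp fullchain.pem privkey.pem warnaud@soc.fortier-family.com:` stages privkey.pem under the warnaud account (the destination path is cut off in this view), and the later `cp` into /etc/pki never deletes that staged copy or sets the mode of managerssl.key; remove the staged privkey.pem right after the copy and check that /etc/pki/managerssl.key is root-owned with mode 600 before `so-nginx-restart`. Two smaller points: the chrony.conf shown in the NTP section drops the `iburst` that the commented-out pool entries carry from the active `server ntp.fortier-family.com` line and leaves no second time source, so an outage or drift of that one host goes unnoticed and skews every timestamp the SOC correlates; keep one pool entry as a fallback. And `pass: 12345678` in the first-reboot checklist reads as the real password of the Security Onion admin account; if it is, rotate it, and if it is a placeholder, mark it as one so the page does not double as a credential record.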
