CyBrainZ
Published on

How to install a Security Onion

Authors

Installing an all-in-one Security Onion node with endpoint agents.

This how-to is part of a bigger guide Building the secured self-hosted Nextcloud, which is about creating an encrypted and SIEM monitored Nextcloud instance.

install_security_onion_banner_1200x630.png

Installation

  • During the ISO boot, chose the first option:
securing_nextcloud_SO_ISO_Boot.png
  • Confirm that you agree to delete all data on selected drive and set the admin user:
securing_nextcloud_SO_confirm_wipe.png

The base OS and default applications will now be installed. It may take a while. Grab a cup of tea/coffee and maybe check some of CybrainZ artworks.

  • Once it asks to reboot, stop the VM, unmount the ISO from the VM, proceed the reboot, and log in with the created admin account:
securing_nextcloud_SO_first_logon.png

The setup will start automatically. If for some reason you'll have to exit the setup and need to restart it, you can log out/log back in and it should start automatically this time. If it still doesn’t work, you can try run it manually as follows: sudo SecurityOnion/setup/so-setup iso.

  • Confirm the welcome notice:
securing_nextcloud_SO_setup_welcome.png
  • Chose the standard Security Onion installation:
securing_nextcloud_SO_setup_install.png
  • We want to install all the components on a single node, so we'll select the "Standalone Production Installation" type.:
securing_nextcloud_SO_setup_install_type.png
  • You must accept an elastic license to continue:
securing_nextcloud_SO_Elastic_license.png
  • Set the hostname:
securing_nextcloud_SO_setup_hostname.png
  • The Management NIC is the network interface on which the SO web application and other SO integration services like Wauzh will listen. Select the first option - the one in the default KVM network:
securing_nextcloud_SO_setup_management_NIC.png
  • Select DHCP to configure the IP address by KVM and confirm your selection in the following warning screen:
securing_nextcloud_SO_setup_DHCP.png
  • Confirm the system has an internet access:
securing_nextcloud_SO_setup_internet_connected.png
  • Confirm the direct connection to the internet:
securing_nextcloud_SO_setup_direct_connect.png
  • Now select the interface on which Suricata will be "sniffing".:
securing_nextcloud_SO_setup_monitor_NIC.png
  • Set the automatic updates for the underlying operating system:
securing_nextcloud_SO_setup_patch_management.png
  • Define "home networks" so Security Onion knows which networks are actually being monitored and protected. In our case it is KVM default network 192.168.122.0/24:
securing_nextcloud_SO_setup_home_network.png
  • Leave BASIC for the management node settings:
securing_nextcloud_SO_setup_manager.png
  • For the sake of simplicity, choose 'Suricata':
securing_nextcloud_SO_setup_metadata.png
  • Now we need to choose which intrusion detection system threat signatures to use. Here is a comparison between ETPRO (1000/year) and ETOPEN (free):
securing_nextcloud_SO_setup_ETOPEN_ETPRO.png

The third one, Snort, may have great potential as it is known to be as comprehensive as ETPRO. A personal license costs only 30 USD per year, but unfortunately, it is not yet fully optimized for Suricata. See the SO Managing Rules for more details. So for now, we'll set it to ETOPEN:

securing_nextcloud_SO_setup_IDS_ruleset.png
  • Also, we remove OSQUERY from the set of tools to be installed. At the time of writing this guide, Linux endpoint support wasn't too good and it could not collect information about installed software (if it's already working it may be worth giving a try):
securing_nextcloud_SO_setup_components.png
  • Keep the default Docker IP range:
securing_nextcloud_SO_setup_docker_IP_range.png
  • Chose the admin account and set the password:
securing_nextcloud_SO_setup_mail_address.png
  • To keep things simple again, we will access the web interface using IP addresses:
securing_nextcloud_SO_setup_web_access.png
  • Configure the password for connecting remote sensors. We do not plan to connect any of them yet, but we will at least set the password and save it in the password manager:
securing_nextcloud_SO_setup_sosetup_password.png
  • We will keep recommended settings of the Network Security Monitoring components that we selected before:
securing_nextcloud_SO_setup_NSM.png
  • We will keep 3 processes by default. We can change this in case Suricata encounters increased packet loss:
securing_nextcloud_SO_setup_suricata_procs.png
  • Confirm the default NTP servers and leave the recommended settings of Search Node components:
securing_nextcloud_SO_setup_config_type.png
  • so-allow is a firewall management tool for the SO stack. Here we want to configure that access to the SO web service is allowed by the IP from the network 192.168.122.0/24:
securing_nextcloud_SO_setup_so-allow_yes.png
securing_nextcloud_SO_setup_so-allow_range.png

Can be done also later by the command so-allow.

  • The installation is now completed:
securing_nextcloud_SO_setup_finish.png
  • After the restart, log in and use the so-status command to wait until the services (docker containers) are 'green':
securing_nextcloud_SO_setup_starting.png
  • Wait for all services to become green:
securing_nextcloud_SO_setup_started.png
  • Open the web interface and log in:
securing_nextcloud_SO_setup_logon.png
  • Go to Alerts. There should be some alerts already waiting for us.:
securing_nextcloud_SO_setup_first_alerts.png

At this point, we see events from two modules:

ModulePurpose
ossecHost intrusion detection alerts derived from continuous host auditing. Monitoring binary file changes, newly opened ports and many other types of suspicious events
suricataNetwork intrusion detection alerts coming from traffic monitoring. Alerting of suspicious observations based on network traffic patterns (signatures)

In the next chapter, we will deploy the Wazuh across all remaining hosts and join them to the Wazuh server in Security Onion.

Deploy Endpoint Security Monitoring Agents Across The Environment

We will install the Wazuh agent on all other systems - vpn, nextcloud, and host and connect them all to the Wazuh server running on onion.

But first, we have to prepare the Wazuh server for new agents to be added. Run this command as root on onion:

so-wazuh-agent-manage

Add [a] future agents, their names, and IP addresses. Then extract the [e] key for each of them. We will enter the key during the client configuration. Also, we have to allow incoming Wazuh traffic:

so-allow

Set the default KVM-made network for the Wazuh agents [w] and for Wazuh registration service [s] as well.

Navigate to the Downloads page in Security Onion Console (SOC) and download the Wazuh agent software packages.

securing_nextcloud_SO_download.png

Using these (version) is important as different versions might be not compatible. Install on all other systems - vpn, nextcloud, and host:

rpm -ivh wazuh-agent-3.13.1-1.x86_64.rpm

# or

apt install ./wazuh-agent_3.13.1-1_amd64.deb

Update the server section in the Wazuh configuration file /var/ossec/etc/ossec.conf, in our case:

    <server>
      <address>192.168.122.150</address>
      <port>1514</port>
      <protocol>udp</protocol>
    </server>

Then, import the key you previously exported on Wazuh server:

/var/ossec/bin/manage_agents

  ****************************************
  * Wazuh v3.13.1 Agent manager.         *
  * The following options are available: *
  ****************************************
     (I)mport key from the server (I).
     (Q)uit.
  Choose your action: I or Q:

Start the client and watch for a message 'Connected to the server' in the ossec.log - tail -f /var/ossec/logs/ossec.log. If message appears, the agent is connected and you can enable the agent to start on boot:

systemctl start wazuh-agent && systemctl enable wazuh-agent

This needs to be done on all three VMs: vpn, nextcloud and host.

At this point, all endpoints and related network events will be visible in the Security Onion.