This repository has been archived by the owner on Apr 16, 2021. It is now read-only.

ProductionDeployment

doug edited this page Aug 27, 2019 · 61 revisions

Please note! This wiki is no longer maintained. Our documentation has moved to https://securityonion.net/docs/. Please update your bookmarks. You can find the latest version of this page at: https://securityonion.net/docs/ProductionDeployment.

If you're going to be deploying Security Onion in production, follow these steps:

Hardware Requirements

First, check the Hardware Requirements page.

Download and Verify

Download and verify the Security Onion ISO image OR download and verify the ISO image for your preferred flavor of Ubuntu 16.04 64-bit.

Install

If deploying a distributed environment, you’ll need to perform the remaining steps on the server, as well as all forward and storage nodes, but make sure you install/configure the master server first. For best performance, the master server should be dedicated to just being a server for the other nodes (the master server should have no sniffing interfaces of its own). Please note that forward and heavy nodes need to connect to the master server on ports 22 and 7736. If you choose to enable salt for node management, nodes will need to be able to connect to the master server on ports 4505 and 4506.
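The port requirements above translate into a quick pre-flight check a node can run before Setup. This is an added example, not a Security Onion script; it assumes bash is available on the node (for /dev/tcp) and takes the master hostname or IP as its first argument:

```shell
#!/bin/bash
# Pre-flight check from a forward/heavy/storage node to the master server.
# Added example, not part of the Security Onion wiki or packages.
# Ports are those named on this page: 22 and 7736 always, plus
# 4505 and 4506 only when Salt node management is enabled.

# Print the space-separated list of master ports a node must reach.
# $1 = "salt" if Salt is enabled, anything else (or empty) otherwise.
required_ports() {
    if [ "$1" = "salt" ]; then
        echo "22 7736 4505 4506"
    else
        echo "22 7736"
    fi
}

# TCP-connect to $1:$2 via bash's /dev/tcp, giving up after 3 seconds.
# Returns 0 if the connection was accepted, non-zero otherwise.
port_open() {
    timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# Check every required port on the master; return the number of failures.
check_master() {
    master="$1"; mode="$2"; failed=0
    for port in $(required_ports "$mode"); do
        if port_open "$master" "$port"; then
            echo "OK   $master:$port reachable"
        else
            echo "FAIL $master:$port unreachable (firewall or service not listening?)"
            failed=$((failed + 1))
        fi
    done
    return "$failed"
}

# Usage: ./check_master.sh <master-host-or-ip> [salt]
if [ -n "$1" ]; then
    check_master "$1" "$2"
fi
```

A non-zero exit status means at least one port is blocked; fix the firewall rule or confirm the master service is running before continuing with node Setup.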

  1. Using the downloaded ISO, install the operating system. If prompted with an "encrypt home folder" option, DO NOT enable this feature. If asked about automatic updates, DO NOT enable automatic updates. If prompted to install any additional packages, leave "standard system utilities" selected and also select "OpenSSH Server" (openssh-server). Do NOT choose MySQL at this point. All other required dependencies will be installed automatically.

  2. When asked about partitioning, there are a few things to keep in mind:

    • If you have more than 2TB of disk space, you will probably want to create a dedicated /boot partition at the beginning of the disk to ensure that you don’t have any Grub booting issues. Choosing the LVM option should do this automatically.
    • Check to see if the installer allocates a large amount of space to /home. If this is the case, you may want to shrink /home to give more space to /.
    • The Sguil database on the server (doesn’t exist on other node types) can grow fairly large (100GB or more for decent-size networks). It’s stored at /var/lib/mysql/, so you may want to put /var on a dedicated partition/disk and assign a good amount of disk space to it. Also see the DAYSTOKEEP instructions on the Post-Installation page.
    • Forward, Heavy, and Standalone nodes store full packet captures at /nsm/sensor_data/, so you may want to put /nsm on a dedicated partition/disk and assign as much disk space as possible (1TB or more). For larger volumes you might also consider using XFS for the /nsm partition.
    • For Heavy, Standalone, and Storage Nodes, it is highly recommended to place /nsm/elasticsearch and /nsm/logstash on SSD or fast spinning disk in a RAID 10 configuration. See Hardware Requirements for more details.
  3. When installation completes, reboot into your new installation and login with the credentials you specified during installation.

  4. If you’re running a VM, now would be a good time to snapshot it so you can revert later if you need to.

  5. Verify that you have Internet connectivity. If necessary, configure your proxy settings.

  6. If you installed from the Security Onion 16.04 ISO image, run sudo soup. If you get any errors relating to MySQL, please see MySQL-Upgrade-Errors. Reboot if prompted. Skip to the Setup section below.

  7. Install all Ubuntu updates and reboot:
    sudo apt-get update && sudo apt-get dist-upgrade && sudo reboot

  8. Log back in and configure MySQL not to prompt for root password (Setup will generate a random password later):
    echo "debconf debconf/frontend select noninteractive" | sudo debconf-set-selections

  9. Install software-properties-common if it's not already installed:
    sudo apt-get -y install software-properties-common

  10. Add the Security Onion stable repository:
    sudo add-apt-repository -y ppa:securityonion/stable

  11. Update:
    sudo apt-get update

  12. Install the securityonion-all metapackage (or one of the more focused metapackages). This could take 15 minutes or more depending on the speed of your CPU and Internet connection.
    sudo apt-get -y install securityonion-all syslog-ng-core

  13. OPTIONAL: If you want to use Salt to manage your deployment, also install securityonion-onionsalt. You can do this before or after Setup, but it's much easier if you do it before Setup.
    sudo apt-get -y install securityonion-onionsalt

  14. Update all packages:
    sudo soup

Setup
  1. Run the Setup wizard. If you are locally on the box, you can run the GUI:
    sudo sosetup
    Otherwise, if you are remote and logged in over ssh, you can run CLI-only Setup using sosetup.conf. For more information, please see /usr/share/securityonion/sosetup.conf.
  2. The Setup wizard will walk you through configuring /etc/network/interfaces and will then reboot.
  3. When prompted whether you would like to configure /etc/network/interfaces now, choose “Yes, configure /etc/network/interfaces!”
  4. If you have more than one network interface, you’ll be asked to specify which one should be the management interface.
  5. You’ll then be asked to choose DHCP or static addressing for the management interface. It is highly recommended you choose static.
  6. If you choose static, you’ll be prompted to enter a static IP address for your management interface, the network’s subnet mask, gateway IP address, DNS server IP addresses (separated by spaces), and your local domain.
  7. You’ll then be prompted to select any additional interfaces that will be used for sniffing/monitoring network traffic.
  8. When prompted, choose “Yes, make changes!”
  9. If you need to adjust any network settings manually (e.g. MTU), you may edit /etc/network/interfaces before rebooting.
  10. When ready to reboot, click “Yes, reboot!”
  11. After rebooting, log back in and start the Setup wizard again (GUI if local, sosetup.conf CLI if remote). It will detect that you have already configured /etc/network/interfaces and will walk you through the rest of the configuration.
  12. Select Production Mode.
  13. Select New or Existing (New if this is a master or standalone, and Existing for forward, heavy, and storage nodes).
  • New

    1. Provide a username and password for the analyst user.
    2. Select Best Practices.
    3. Choose your IDS ruleset.
    4. Choose your IDS engine (Snort or Suricata).
    5. Choose whether or not to enable sensor services:
    • Master Server

      1. Do not enable sensor services.

      2. Choose whether or not to use storage nodes for log storage.

        • Storage node
          1. Use storage node for load-balancing.
            Please note: If you choose this option, until a storage node is configured and Logstash has initialized (on the storage node), you will not be able to review log data for configured forward nodes in Kibana.
        • Local storage
          1. Store logs locally.
      3. Select Yes to proceed with your changes.

    • Standalone

      1. Enable sensor services.

      2. Choose whether or not to use storage nodes for log storage:

        • Storage node
          1. Use storage node for load-balancing.
            Please note: If you choose this option, until a storage node is configured and Logstash has initialized (on the storage node), you will not be able to review log data from sensor services in Kibana.
        • Local storage
          1. Store logs locally.
      3. Select Yes to proceed with your changes.

  • Existing

    1. Provide the hostname or IP address of the master server (some folks may want to specify the IP/hostname of the master server in /etc/hosts and use the specified hostname during setup; this may help in the event the master server IP changes).

    2. Provide a username to SSH to the master for the node (should have already been created on the master and added to the sudo group). Please make sure that your server has been set up and you have network connectivity and no firewall rules that would block this traffic. Additionally, consider creating a separate SSH account on the master server for each node so that if a node is ever compromised, its individual account can be disabled without affecting the other nodes.

      On the Master, the following or similar should have been run (where $nodeuser is your specified user):

      sudo adduser $nodeuser && sudo adduser $nodeuser sudo

      The new account must have a full home directory. If you do not create it when you create the account, copy /etc/skel to /home/$nodeuser and do chown -R $nodeuser:$nodeuser /home/$nodeuser. This is needed so the .ssh directory may be created to manage the connection.

      NOTE: This user should be removed from the sudo group on the master server after setup.

    3. Select Node Type:

      • Forward Node
        • Select Best Practices.
        • Keep the default for PF_RING min_num_slots, unless you would like to change it.
        • Modify the selected sniffing interfaces if necessary -- otherwise, continue.
        • Modify HOME_NET as desired.
        • Select Yes to proceed with your changes.

      Please note: If you chose to use one or more storage nodes with your master server, you will be able to receive IDS alerts and pull PCAPs from the forward node once setup completes. However, you will not be able to review other logs (e.g. Bro logs in Kibana) from the node until a storage node has been configured for the master server and Logstash on the storage node has initialized.

      • Heavy Node
        • Select Best Practices.
        • Keep the default for PF_RING min_num_slots, unless you would like to change it.
        • Modify the selected sniffing interfaces if necessary -- otherwise, continue.
        • Modify HOME_NET as desired.
        • Provide the amount of disk space to be used for Elasticsearch to store logs (default is half of available disk space).
        • Select Yes to proceed with your changes.
      • Storage Node
        • Provide the amount of disk space to be used for Elasticsearch to store logs (default is half of available disk space).
        • Select Yes to proceed with your changes.
    4. Remove $nodeuser from the sudo group on the master server:
      sudo deluser $nodeuser sudo
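The per-node account created in step 2 and revoked in step 4 is a least-privilege control, so it is worth being able to verify that no node account is still in the sudo group after Setup. The helpers below are an added example, not part of the Security Onion wiki or packages: the create/revoke functions must run as root on the master and mirror the adduser/deluser commands above, while the audit functions only read a group file and default to /etc/group.

```shell
#!/bin/bash
# Master-side helpers for the per-node SSH account used during node Setup.
# Added example, not part of the Security Onion wiki or packages.
# create_node_user and revoke_node_sudo must run as root on the master.

# Create one dedicated account per node (the wiki's adduser sequence), make
# sure it has a full home directory, and grant sudo only for the Setup run.
create_node_user() {            # $1 = account name, e.g. node-fwd01
    adduser "$1" || return 1
    # adduser normally copies /etc/skel; repair the home if it is missing
    if [ ! -d "/home/$1" ]; then
        cp -r /etc/skel "/home/$1" && chown -R "$1:$1" "/home/$1"
    fi
    adduser "$1" sudo
}

# Step 4 of the Existing-node flow: drop the temporary sudo membership.
revoke_node_sudo() {            # $1 = account name
    deluser "$1" sudo
}

# Print the sudo group's member list (comma-separated) from a group file.
# $1 = path to a group file, default /etc/group.
sudo_members() {
    awk -F: '$1 == "sudo" { print $4 }' "${1:-/etc/group}"
}

# Return 0 if account $1 is still in sudo according to group file $2
# (default /etc/group), 1 otherwise. Run this after every node Setup.
still_has_sudo() {
    sudo_members "$2" | tr ',' '\n' | grep -qxF -- "$1"
}

# Audit every account matching a naming prefix ($1, e.g. "node-") and
# print the ones that still hold sudo. $2 = optional group file path.
audit_node_accounts() {
    leftovers=""
    for user in $(sudo_members "$2" | tr ',' ' '); do
        case "$user" in
            "$1"*) leftovers="$leftovers $user" ;;
        esac
    done
    echo "${leftovers# }"
}
```

If you give node accounts a common prefix, `audit_node_accounts node-` run on the master should print nothing once every node's Setup has finished.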

Proceed to PostInstallation
