Centralized monitoring and intrusion detection

Alarm System

Installation

The ISO image [14] (version 2.4.30, weighing in at more than 11GB, was current at press time) boots from removable media. Download the image together with its signature file and verify the signature before you write the image to a USB stick.

The target hardware must satisfy a number of requirements [15]. Production use of the security suite calls for at least four CPU cores. The minimum RAM for most application scenarios is 12 to 16GB; ideally you should install 24GB or more. The project specifies at least 200GB of mass storage. Some application scenarios also require two network interfaces.
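Before you write the image to a stick, it is worth scripting the two checks from the paragraphs above: verification of the download and a look at whether the target host reaches the documented minimums. The following POSIX shell script is an added example written for this article, not a script shipped by the Security Onion project. The ISO file name, the assumption that the published SHA-256 digest is pasted in as the second argument, and the use of the root filesystem for the disk check are placeholders you should adapt; the signature check assumes the project's signing key has already been imported into your GPG keyring.

```shell
#!/bin/sh
# preflight.sh: added example, not part of the Security Onion project.
# Thresholds are the minimums quoted in the article; file names and the
# mount point used for the disk check are assumptions, adapt them.
set -u

# check_sha256 FILE EXPECTED_HEX: 0 if FILE's SHA-256 matches, 1 otherwise.
check_sha256() {
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# check_signature ISO: verify the detached signature ISO.sig against ISO.
# Fails unless the signing key is already trusted in the local keyring.
check_signature() {
    gpg --verify "$1.sig" "$1"
}

# meets_minimums CORES RAM_GB DISK_GB NICS: 0 when every value reaches the
# article's minimum (4 cores, 12GB RAM, 200GB disk, 1 wired NIC), else 1.
# Only warns when RAM is below the recommended 24GB.
meets_minimums() {
    cores=$1; ram_gb=$2; disk_gb=$3; nics=$4
    ok=0
    [ "$cores" -ge 4 ]     || { echo "need >= 4 CPU cores, have $cores" >&2; ok=1; }
    [ "$ram_gb" -ge 12 ]   || { echo "need >= 12GB RAM, have ${ram_gb}GB" >&2; ok=1; }
    [ "$ram_gb" -ge 24 ]   || echo "note: 24GB or more RAM is recommended" >&2
    [ "$disk_gb" -ge 200 ] || { echo "need >= 200GB local disk, have ${disk_gb}GB" >&2; ok=1; }
    [ "$nics" -ge 1 ]      || { echo "need a wired NIC, WiFi is not usable for install" >&2; ok=1; }
    return $ok
}

# Live values from the Linux host the script runs on (assumed install target).
host_cores()   { nproc; }
host_ram_gb()  { awk '/^MemTotal:/ {print int($2/1024/1024)}' /proc/meminfo; }
host_disk_gb() { df -BG --output=size "$1" | tail -n1 | tr -dc '0-9'; }
# Physical NICs expose a "device" link; wireless ones also carry a "wireless" dir.
host_wired_nics() {
    n=0
    for d in /sys/class/net/*; do
        [ -e "$d/device" ] && [ ! -d "$d/wireless" ] && n=$((n + 1))
    done
    echo "$n"
}

main() {
    iso=${1:-securityonion-2.4.30.iso}   # placeholder name, use the real release file
    sum=${2:-}                            # published SHA-256 digest, pasted by the admin
    if [ -n "$sum" ]; then
        check_sha256 "$iso" "$sum" || { echo "checksum mismatch, do not boot this image" >&2; exit 1; }
    fi
    check_signature "$iso" || { echo "signature check failed" >&2; exit 1; }
    meets_minimums "$(host_cores)" "$(host_ram_gb)" "$(host_disk_gb /)" "$(host_wired_nics)" \
        && echo "host meets the documented minimums"
}

# Run the checks only when invoked as a script, not when sourced for testing.
if [ "${0##*/}" = "preflight.sh" ]; then main "$@"; fi
```

Run it as preflight.sh <iso> <sha256> on the machine you intend to install on. The pure check functions take their values as arguments, so you can exercise the threshold logic without the ISO present; the host_* helpers are the only parts that depend on the Linux procfs and sysfs layout.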

Security Onion only supports locally attached mass storage as an installation target. According to the installation instructions, machines with distributed storage, such as NFS shares, are unsuitable because of potential performance problems and the complexity of the configuration involved. This restriction also rules out RAID controllers: In our lab, the installer stopped shortly after launching on a computer with two physical drives combined in a RAID array.

Once the hardware requirements are met, boot the target system from the prepared removable medium. A GRUB boot menu offers to install the system permanently; you can choose between a basic graphical version and a desktop version. If required, you can also integrate the desktop version into an existing installation that already has the Security Onion Console in place.

For newcomers, I recommend the automatic install, which you enable by selecting the first entry in the boot menu. The system setup is largely automatic; you only need to enter a username and an admin password. After the basic installation completes, reboot the computer and log in at the prompt with the credentials of the newly created admin account. A text-mode (ncurses) setup wizard then appears (Figure 1).

Figure 1: After the basic installation, you can complete the setup with the help of a wizard.

The wizard is controlled entirely from the keyboard; it adds the numerous additional components, including the Docker environment that hosts them, to the system. To begin, select Install in the second dialog and Import in the third. (Import is the lightest node type: It analyzes PCAP and log files that you upload rather than sniffing live traffic, which is why a single network interface is enough for it.) In the next step, confirm that you have Internet access by selecting Standard. Note that Security Onion only detects wired network connections during the install; it cannot be used over WiFi.

In the next two steps, confirm the license terms, enter the hostname, and select the network interface. If the system has two or more LAN ports, select the first one that shows Link UP. In the following windows, you can enter a static IP address, specify the gateway, and complete the remaining network settings for this interface.

To complete the configuration, the wizard displays a brief summary of the settings and, once you confirm them, finishes setting up the system, running a system update at the same time. The whole installation can take several hours, depending on the available computing power and the speed of your Internet connection.

Use

After installation, you can reach the Security Onion host from any workstation on the LAN by entering the IP address or hostname you specified in the setup wizard into a web browser. Log in with the email address you defined in the setup wizard and the matching password. You are then taken to a very clearly laid-out admin interface (Figure 2).

Figure 2: Managing the system in the straightforward admin interface.

At top left in the browser window you will find elements that apply to the entire tool collection, such as the Alerts display, the Dashboards, and the settings dialog, where you create and manage user accounts. You can also configure your network nodes (Grid) or store license keys for external packages. Use the Downloads option to deploy Elastic agents on external hosts for monitoring; links to the agent packages for all of the popular operating systems then appear in the right-hand part of the window.

The lower section takes you to the individual tools, some of which have their own web interfaces. Note that some of the tools can only be used after you have installed the matching agents.

Overview

The Dashboards group provides an overview of the installation. After you pick a category and set the time interval for it at the top of the window, graphical views of the corresponding data appear on the right-hand side of the browser window, with the aggregated data and an analysis further down. Numerous categories are enabled by default to give you a quick overview of the different view formats, and the filter options in the individual views let you extract specific data (Figure 3).

Figure 3: The dashboard contains graphical evaluations of your data.
