lost and found ( for me ? )

install security onion within Ubuntu 13.10 KVM host

In short, Security Onion is an open-source, Linux-based IDS and NSM (Network Security Monitoring) distribution.

about security onion

Here is how to install Security Onion as a guest on an Ubuntu 13.10 KVM host.


I downloaded security-onion-12.04.3-20130904.iso.

install security onion within KVM.

KVM host
root@ubuntu:~# tail -1 /etc/lsb-release ;uname -ri
DISTRIB_DESCRIPTION="Ubuntu 13.10"
3.11.0-12-generic x86_64
root@ubuntu:~# qemu-system-x86_64 --version
QEMU emulator version 1.5.0 (Debian 1.5.0+dfsg-3ubuntu5), Copyright (c) 2003-2008 Fabrice Bellard



Create a virtual machine.
Security Onion 12.04 is based on 64-bit Xubuntu 12.04, so I specified Ubuntu 12.04 as the guest OS type.

Here is the VM's definition file.
# virsh dumpxml onion-vm1
<domain type='kvm' id='2'>
 <name>onion-vm1</name>
 <uuid>uuid</uuid>
 <memory unit='KiB'>1048576</memory>
 <currentMemory unit='KiB'>1048576</currentMemory>
 <vcpu placement='static'>1</vcpu>
 <resource>
   <partition>/machine</partition>
 </resource>
 <os>
   <type arch='x86_64' machine='pc-i440fx-1.5'>hvm</type>
   <boot dev='cdrom'/>
   <bootmenu enable='yes'/>
 </os>
 <features>
   <acpi/>
   <apic/>
   <pae/>
 </features>
 <clock offset='utc'/>
 <on_poweroff>destroy</on_poweroff>
 <on_reboot>restart</on_reboot>
 <on_crash>restart</on_crash>
 <devices>
   <emulator>/usr/bin/kvm-spice</emulator>
   <disk type='file' device='disk'>
     <driver name='qemu' type='qcow2'/>
     <source file='/var/lib/libvirt/images/onion-vm1.qcow2'/>
     <target dev='vda' bus='virtio'/>
     <alias name='virtio-disk0'/>
     <address type='pci' domain='0x0000' bus='0x00' slot='0x04' function='0x0'/>
   </disk>
   <disk type='file' device='cdrom'>
     <driver name='qemu' type='raw'/>
     <source file='/home/hattori/securityonion-12.04.3-20130904.iso'/>
     <target dev='hdc' bus='ide'/>
     <readonly/>
     <alias name='ide0-1-0'/>
     <address type='drive' controller='0' bus='1' target='0' unit='0'/>
   </disk>
   <controller type='usb' index='0'>
     <alias name='usb0'/>
     <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x2'/>
   </controller>
   <controller type='pci' index='0' model='pci-root'>
     <alias name='pci0'/>
   </controller>
   <controller type='ide' index='0'>
     <alias name='ide0'/>
     <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x1'/>
   </controller>
   <interface type='network'>
     <mac address='mac address'/>
     <source network='default'/>
     <target dev='vnet0'/>
     <model type='virtio'/>
     <alias name='net0'/>
     <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
   </interface>
   <serial type='pty'>
     <source path='/dev/pts/3'/>
     <target port='0'/>
     <alias name='serial0'/>
   </serial>
   <console type='pty' tty='/dev/pts/3'>
     <source path='/dev/pts/3'/>
     <target type='serial' port='0'/>
     <alias name='serial0'/>
   </console>
   <input type='mouse' bus='ps2'/>
   <graphics type='vnc' port='5900' autoport='yes' listen='127.0.0.1'>
     <listen type='address' address='127.0.0.1'/>
   </graphics>
   <video>
     <model type='vga' vram='9216' heads='1'/>
     <alias name='video0'/>
     <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0'/>
   </video>
   <memballoon model='virtio'>
     <alias name='balloon0'/>
     <address type='pci' domain='0x0000' bus='0x00' slot='0x05' function='0x0'/>
   </memballoon>
 </devices>
 <seclabel type='none'/>
</domain>

Boot Security Onion from the ISO image and then click the "Install Security Onion 12.04" icon.
The installation is very easy: just click "OK" or "Next".

Finish the installation, then reboot the VM so the OS boots from its local storage (vHDD).

(screenshot: booting..)

(screenshot: after the login)

To access the VM via "virsh console", do the following.

Create a ttyS0.conf file under the /etc/init directory:
root@onion-vm1:~# cat /etc/init/ttyS0.conf
# ttyS0 - getty
#
# This service maintains a getty on the serial console ttyS0 from the point
# the system is started until it is shut down again.

start on runlevel [23] and not-container

stop on runlevel [!23]

respawn
exec /sbin/getty -8 115200 ttyS0



Edit /etc/default/grub and add console=ttyS0,115200 to GRUB_CMDLINE_LINUX_DEFAULT (the line highlighted in red in the original post; the resulting file is shown here):

# egrep -v ^# /etc/default/grub | grep -v ^$
GRUB_DEFAULT=0
GRUB_HIDDEN_TIMEOUT=0
GRUB_HIDDEN_TIMEOUT_QUIET=true
GRUB_TIMEOUT=10
GRUB_DISTRIBUTOR=`lsb_release -i -s 2> /dev/null || echo Debian`
GRUB_CMDLINE_LINUX_DEFAULT="quiet splash console=ttyS0,115200"
GRUB_CMDLINE_LINUX=""

Regenerate grub.cfg:
root@onion-vm1:~# grub-mkconfig -o /boot/grub/grub.cfg

Reboot the VM to apply the setting.

Now you can log in to the VM via virsh console.
virsh # console 2
ドメイン onion-vm1 に接続しました
エスケープ文字は ^] です

Ubuntu 12.04.3 LTS onion-vm1 ttyS0

onion-vm1 login: root
Password:
Last login: Thu Oct 31 02:20:26 JST 2013 on ttyS0
Welcome to Ubuntu 12.04.3 LTS (GNU/Linux 3.2.0-52-generic x86_64)

* Documentation:  https://help.ubuntu.com/

0 packages can be updated.
0 updates are security updates.

root@onion-vm1:~#
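The serial-console setup above (ttyS0 upstart job plus the grub kernel parameter) as idempotent shell functions, added here as an example and not part of the original post. The functions take the target file as an argument, so they can be dry-run on a scratch copy before being pointed at /etc/init/ttyS0.conf and /etc/default/grub on the guest.

```shell
# Added example, not from the original post: the serial-console setup as
# idempotent shell functions that take the target file as an argument.

# Write an upstart job that keeps a getty on ttyS0 (same content as above).
write_ttys0_conf() {   # usage: write_ttys0_conf /etc/init/ttyS0.conf
  cat > "$1" <<'EOF'
# ttyS0 - getty
#
# This service maintains a getty on the serial console ttyS0 from the
# point the system is started until it is shut down again.

start on runlevel [23] and not-container

stop on runlevel [!23]

respawn
exec /sbin/getty -8 115200 ttyS0
EOF
}

# Append console=ttyS0,115200 to GRUB_CMDLINE_LINUX_DEFAULT, once only.
add_serial_console() { # usage: add_serial_console /etc/default/grub
  f=$1
  grep -q '^GRUB_CMDLINE_LINUX_DEFAULT=.*console=ttyS0' "$f" && return 0
  if grep -q '^GRUB_CMDLINE_LINUX_DEFAULT=' "$f"; then
    tmp=$(mktemp)
    # second expression drops the stray leading space when the value was ""
    sed -e 's/^\(GRUB_CMDLINE_LINUX_DEFAULT="[^"]*\)"/\1 console=ttyS0,115200"/' \
        -e 's/^\(GRUB_CMDLINE_LINUX_DEFAULT="\) /\1/' "$f" > "$tmp"
    cat "$tmp" > "$f" && rm -f "$tmp"
  else
    echo 'GRUB_CMDLINE_LINUX_DEFAULT="console=ttyS0,115200"' >> "$f"
  fi
}

# Print the current value of GRUB_CMDLINE_LINUX_DEFAULT (without quotes).
grub_cmdline() { sed -n 's/^GRUB_CMDLINE_LINUX_DEFAULT="\(.*\)"$/\1/p' "$1"; }

# Dry run on a scratch copy (a constructed default line if /etc/default/grub
# is absent on this box). On the real guest, run the two functions against
# /etc/init/ttyS0.conf and /etc/default/grub, then grub-mkconfig and reboot.
demo=$(mktemp)
{ cat /etc/default/grub 2>/dev/null || echo 'GRUB_CMDLINE_LINUX_DEFAULT="quiet splash"'; } > "$demo"
add_serial_console "$demo"
grub_cmdline "$demo"
rm -f "$demo"
```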





ubuntu 13.10: deploy wordpress and mysql with juju-local (local provider)

I am a newbie to juju :)
Here is how to install juju-local on your local physical box (LXC).
# tail -1 /etc/lsb-release ;uname -ri
DISTRIB_DESCRIPTION="Ubuntu 13.10"
3.11.0-12-generic x86_64

First, disable ufw.

# ufw disable
Firewall stopped and disabled on system startup



# ufw status
Status: inactive






install juju-local
# apt-add-repository ppa:juju/stable
# apt-get update

# apt-get install juju-local
パッケージリストを読み込んでいます... 完了
依存関係ツリーを作成しています                
状態情報を読み取っています... 完了
以下の特別パッケージがインストールされます:
 apparmor cloud-image-utils distro-info euca2ools juju-core
 libboost-filesystem1.53.0 libboost-program-options1.53.0
 libgoogle-perftools4 liblxc0 libpcrecpp0 libsnappy1 libtcmalloc-minimal4
 libunwind8 lxc lxc-templates mongodb-clients mongodb-server python-boto
 python-distro-info python-m2crypto python3-lxc
提案パッケージ:
 apparmor-profiles apparmor-docs apparmor-utils shunit2 btrfs-tools lxctl
 qemu-user-static
以下のパッケージが新たにインストールされます:
 apparmor cloud-image-utils distro-info euca2ools juju-core juju-local
 libboost-filesystem1.53.0 libboost-program-options1.53.0
 libgoogle-perftools4 liblxc0 libpcrecpp0 libsnappy1 libtcmalloc-minimal4
 libunwind8 lxc lxc-templates mongodb-clients mongodb-server python-boto
 python-distro-info python-m2crypto python3-lxc
アップグレード: 0 個、新規インストール: 22 個、削除: 0 個、保留: 0 個。
83.0 MB のアーカイブを取得する必要があります。
この操作後に追加で 252 MB のディスク容量が消費されます。




Change the default juju environment (provider) from amazon to local.
# juju generate-config
A boilerplate environment configuration file has been written to /root/.juju/environments.yaml.
Edit the file to configure your juju environment and run bootstrap.

# ls .juju/
current-environment  environments.yaml



# juju switch local
Changed default environment from "amazon" to "local"


# egrep -v "#" .juju/current-environment
local

# egrep -v "#" .juju/environments.yaml | grep -v admin-secret



default: amazon

environments:
 openstack:
   type: openstack
   control-bucket: juju-bde536d2444c7533e9c19b5877d4efd1
 
 hpcloud:
   type: openstack
   use-floating-ip: false
   control-bucket: juju-108cbfed20c4909f4e95bb6458b17c52
   auth-url: https://region-a.geo-1.identity.hpcloudsvc.com:35357/v2.0/
 
 "null":
         type: "null"
         bootstrap-host:
         storage-auth-key: da66fcac91d766cb8e3c5a7bdd146e67
 
 maas:
   type: maas
   maas-server: 'http://192.168.1.1/MAAS/'
   maas-oauth: '<add your OAuth credentials from MAAS here>'
   default-series: precise
 
 local:
   type: local
 
 amazon:
   type: ec2
   control-bucket: juju-86ea87cd8c0d2c5c34aabdd972c74dfb
 
 azure:
   type: azure
   location: West US
   management-subscription-id: 886413e1-3b8a-5382-9b90-0c9aee199e5d
   management-certificate-path: /home/me/azure.pem
   storage-account-name: ghedlkjhw54e





juju bootstrap starts up an environment from scratch.
# juju bootstrap



# cat .juju/environments/local.jenv  
user: ""
password: ""
state-servers: []
ca-cert: ""
bootstrap-config:
 admin-secret: 03edd75816997e16a7f9bfe0afecc362
 agent-version: 1.16.0
 api-port: 17070
 authorized-keys: 'ssh-rsa
   root@ubuntu
'
 bootstrap-ip: 10.0.3.1
 ca-cert: '-----BEGIN CERTIFICATE-----
   -----END RSA PRIVATE KEY-----

'
 default-series: precise
 development: false
 firewall-mode: instance
 image-metadata-url: ""
 logging-config: <root>=DEBUG
 name: local
 network-bridge: lxcbr0
 root-dir: /root/.juju/local
 shared-storage-port: 8041
 ssl-hostname-verification: true
 state-port: 37017
 storage-port: 8040
 tools-url: ""
 type: local



Deploy charms from the charm store using the following commands:

# juju deploy mysql
# juju deploy wordpress
# juju add-relation wordpress mysql




# ls .juju/local/storage/
bootstrap-verify           cs_3a_precise_2f_wordpress-20  tools
cs_3a_precise_2f_mysql-28  provider-state



In my environment, deploying the wordpress and mysql containers took 20 minutes or so.
# lxc-ls --fancy
NAME                  STATE    IPV4  IPV6  AUTOSTART  
----------------------------------------------------
root-local-machine-1  STOPPED  -     -     NO

# lxc-ls --fancy
NAME                  STATE    IPV4        IPV6  AUTOSTART  
----------------------------------------------------------
root-local-machine-1  RUNNING  10.0.3.184  -     YES        
root-local-machine-2  RUNNING  10.0.3.151  -     YES  




# juju -v status
verbose is deprecated with the current meaning, use show-log
2013-10-29 17:46:44 INFO juju.provider.local environprovider.go:32 opening environment "local"
2013-10-29 17:46:44 INFO juju.state open.go:68 opening state; mongo addresses: ["10.0.3.1:37017"]; entity ""
2013-10-29 17:46:44 INFO juju.state open.go:106 connection established
environment: local
machines:
 "0":
   agent-state: started
   agent-version: 1.16.0.1
   dns-name: 10.0.3.1
   instance-id: localhost
   series: saucy
 "1":
   agent-state: started
   agent-version: 1.16.0.1
   dns-name: 192.168.11.100
   instance-id: root-local-machine-1
   series: precise
 "2":
   agent-state: started
   agent-version: 1.16.0.1
   dns-name: 192.168.11.100
   instance-id: root-local-machine-2
   series: precise
services:
 mysql:
   charm: cs:precise/mysql-28
   exposed: false
   relations:
     cluster:
     - mysql
     db:
     - wordpress
   units:
     mysql/0:
       agent-state: started
       agent-version: 1.16.0.1
       machine: "1"
       public-address: 10.0.3.184
 wordpress:
   charm: cs:precise/wordpress-20
   exposed: false
   relations:
     db:
     - mysql
     loadbalancer:
     - wordpress
   units:
     wordpress/0:
       agent-state: started
       agent-version: 1.16.0.1
       machine: "2"
       open-ports:
       - 80/tcp
       public-address: 10.0.3.151
2013-10-29 17:46:44 INFO juju supercommand.go:286 command finished

Access wordpress at http://10.0.3.151.
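Since the containers took around 20 minutes to come up, a small readiness check is handy before opening the wordpress URL. The following is an added example, not code from the original post: it parses the juju 1.16 "juju status" YAML layout shown above and polls until every unit reports agent-state: started. The sample status document is constructed from the output above, with wordpress/0 still pending.

```shell
# Added example (not from the original post): poll "juju status" until every
# unit has reached agent-state: started, parsing the juju 1.16 YAML shown above.

# Print "unit agent-state" for each unit found in a juju status document on
# stdin. Unit keys are the only keys containing a slash (mysql/0:), so machine
# entries and the INFO log lines printed by "juju -v status" are ignored.
unit_states() {
  awk '$1 ~ /\/[0-9]+:$/ { unit = $1; sub(/:$/, "", unit) }
       unit != "" && $1 == "agent-state:" { print unit, $2; unit = "" }'
}

# Exit 0 when all units are started; otherwise print the laggards and exit 1.
all_started() {
  unit_states | awk '$2 != "started" { print; bad = 1 } END { exit bad }'
}

# usage: wait_for_units [max_polls] [seconds_between_polls]
wait_for_units() {
  polls=${1:-60}; delay=${2:-30}
  while [ "$polls" -gt 0 ]; do
    juju status 2>/dev/null | all_started >/dev/null && return 0
    polls=$((polls - 1)); sleep "$delay"
  done
  return 1
}

# Constructed sample trimmed from the status above, with wordpress/0 pending.
SAMPLE_STATUS='machines:
  "1":
    agent-state: started
services:
  mysql:
    units:
      mysql/0:
        agent-state: started
        machine: "1"
  wordpress:
    units:
      wordpress/0:
        agent-state: pending
        machine: "2"'

# Stand-alone demo: prints "wordpress/0 pending" and then "not ready yet".
printf '%s\n' "$SAMPLE_STATUS" | all_started || echo "not ready yet"
```

On the real host, `wait_for_units 40 30 && juju status` blocks for up to 20 minutes, which matches the deployment time observed above.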


Destroy the environment:
root@ubuntu:~# juju destroy-environment
WARNING: this command will destroy the "local" environment (type: local)
This includes all machines, services, data and other resources.

Continue [y/N]? y
root@ubuntu:~#

root@ubuntu:~# lxc-ls --fancy
NAME                  STATE    IPV4  IPV6  AUTOSTART  
----------------------------------------------------
root-local-machine-2  STOPPED  -     -     NO         
root@ubuntu:~# lxc-ls --fancy
NAME  STATE  IPV4  IPV6  AUTOSTART  
----------------------------------
root@ubuntu:~# lxc-ls --fancy
NAME  STATE  IPV4  IPV6  AUTOSTART  
----------------------------------
root@ubuntu:~#