defensivedepth
commented
4 years ago Run through it all and have not seen any issues!
Closed dougburks closed 4 years ago
defensivedepth
commented
4 years ago Run through it all and have not seen any issues!
dougburks
commented
4 years ago
Our Security Onion 16.04.6.2 ISO image is ready for testing! This image is based on Ubuntu 16.04.6 with the HWE stack (kernel and video drivers from 18.04) and the latest Ubuntu and Security Onion updates. It should include all updates from https://github.com/Security-Onion-Solutions/security-onion/projects/7 and should specifically resolve the following issues:
so-iso-build: purge /var/ossec/queue/diff #1543 https://github.com/Security-Onion-Solutions/security-onion/issues/1543
pinguybuilder: increment version to 16.04.6.2 #1624 https://github.com/Security-Onion-Solutions/security-onion/issues/1624
Please follow the download/verify instructions here: https://github.com/Security-Onion-Solutions/security-onion/blob/master/testing/Verify_ISO_16.04.6.2.md
Please verify that /etc/apt/apt.conf.d/01autoremove (and other files in that directory) exist on the installed operating system and that soup operates correctly.
Please verify that the desktop wallpaper changes to prompt the user to run Setup when necessary.
Please verify that all services start correctly after a reboot.
Please verify that each and every ISO installation has unique ssl cert and key for Wazuh in /var/ossec/etc/sslmanager*.
Please verify that the screensaver locks the screen after idle for a few minutes.
Please test in as many different combinations as possible:
Evaluation Mode vs Production Mode
standalone vs distributed deployments
heavy node deployments (local Elastic stack) vs forward-only node deployments (no local Elastic stack)
connected to the Internet vs not connected
physical hardware vs VMware vs VirtualBox vs other virtualization
EFI vs traditional BIOS
As always, please test using nmap or other port scanner to verify proper firewall config. Before you do that, however, you will want to whitelist your scanning IP address as follows:
Edit /var/ossec/etc/ossec.conf using vi or your favorite text editor:
copy the existing white_list line and paste it directly underneath and changing the entry to your scanning IP address
save the file and exit the editor (vi requires :wq! to save the file)
restart Wazuh:
Now that you've whitelisted your scanning IP, you can scan using an nmap command like this (watch out for line-wrapping and replace 1.2.3.4 with the actual IP address of the Security Onion box you're testing):
Run Setup on the Security Onion box.
On the scanning box, run nmap and it should only see port 22 open on the Security Onion box.
Run so-allow on the Security Onion box and allow your scanning IP to access a port.
so-allowshows you the output ofufw statusand also the current contents of the DOCKER-USER chain. Also review/etc/ufw/after.rulesto see the new firewall rule that will be added at every reboot.Re-run nmap from your scanning box and verify that only proper ports are open.
Reboot the Security Onion box.
Re-run nmap from your scanning box and verify that only proper ports are open.
Anything else we missed?
If everything works correctly, please reply back and let us know. If not, please reply back and include detailed information about what you're experiencing.
If no showstoppers are found, I'd like to release this on Wednesday, August 28.
Thanks in advance for your time and effort!