Our Security Onion 16.04.7.2 ISO image is ready for testing! This image is based on Ubuntu 16.04.7 with the HWE stack (kernel and video drivers from 18.04) and the latest Ubuntu and Security Onion updates. It should include all updates from https://github.com/Security-Onion-Solutions/security-onion/projects/14 and should specifically resolve the following issues:
pinguybuilder: increment version to 16.04.7.2 #1805
Please verify that /etc/apt/apt.conf.d/01autoremove (and other files in that directory) exist on the installed operating system and that soup operates correctly.
Please verify that the desktop wallpaper changes to prompt the user to run Setup when necessary.
Please verify that all services start correctly after a reboot.
Please verify that each and every ISO installation has unique ssl cert and key for Wazuh in /var/ossec/etc/sslmanager*.
Please verify that the screensaver locks the screen after idle for a few minutes.
Please test in as many different combinations as possible:
Evaluation Mode vs Production Mode
standalone vs distributed deployments
heavy node deployments (local Elastic stack) vs forward-only
node deployments (no local Elastic stack)
connected to the Internet vs not connected
physical hardware vs VMware vs VirtualBox vs other virtualization
EFI vs traditional BIOS
As always, please test using nmap or other port scanner to verify
proper firewall config. Before you do that, however, you will want to
whitelist your scanning IP address as follows:
Edit /var/ossec/etc/ossec.conf using vi or your favorite text editor:
sudo vi /var/ossec/etc/ossec.conf
copy the existing white_list line and paste it directly underneath
and changing the entry to your scanning IP address
save the file and exit the editor (vi requires :wq! to save the file)
restart OSSEC:
sudo service ossec-hids-server restart
Now that you've whitelisted your scanning IP, you can scan using an
nmap command like this (watch out for line-wrapping and replace
1.2.3.4 with the actual IP address of the Security Onion box you're
testing):
On the scanning box, run nmap and it should only see port 22 open on
the Security Onion box.
Run so-allow on the Security Onion box and allow your scanning IP to
access a port.
so-allow shows you the output of ufw status and also the current
contents of the DOCKER-USER chain. Also review /etc/ufw/after.rules
to see the new firewall rule that will be added at every reboot.
Re-run nmap from your scanning box and verify that only proper ports are open.
Reboot the Security Onion box.
Re-run nmap from your scanning box and verify that only proper ports are open.
Anything else we missed?
Please record all test results via comments below.
Hello testers!
Our Security Onion 16.04.7.2 ISO image is ready for testing! This image is based on Ubuntu 16.04.7 with the HWE stack (kernel and video drivers from 18.04) and the latest Ubuntu and Security Onion updates. It should include all updates from https://github.com/Security-Onion-Solutions/security-onion/projects/14 and should specifically resolve the following issues:
pinguybuilder: increment version to 16.04.7.2 #1805
Please follow the download/verify instructions here: https://github.com/Security-Onion-Solutions/security-onion/blob/master/testing/Verify_ISO_16.04.7.2.md
Please verify that
/etc/apt/apt.conf.d/01autoremove
(and other files in that directory) exist on the installed operating system and that soup operates correctly.Please verify that the desktop wallpaper changes to prompt the user to run Setup when necessary.
Please verify that all services start correctly after a reboot.
Please verify that each and every ISO installation has unique ssl cert and key for Wazuh in
/var/ossec/etc/sslmanager*
.Please verify that the screensaver locks the screen after idle for a few minutes.
Please test in as many different combinations as possible:
Evaluation Mode vs Production Mode
standalone vs distributed deployments
heavy node deployments (local Elastic stack) vs forward-only node deployments (no local Elastic stack)
connected to the Internet vs not connected
physical hardware vs VMware vs VirtualBox vs other virtualization
EFI vs traditional BIOS
As always, please test using nmap or other port scanner to verify proper firewall config. Before you do that, however, you will want to whitelist your scanning IP address as follows:
Edit
/var/ossec/etc/ossec.conf
using vi or your favorite text editor:copy the existing
white_list
line and paste it directly underneath and changing the entry to your scanning IP addresssave the file and exit the editor (vi requires :wq! to save the file)
restart OSSEC:
Now that you've whitelisted your scanning IP, you can scan using an
nmap
command like this (watch out for line-wrapping and replace1.2.3.4
with the actual IP address of the Security Onion box you're testing):Run Setup on the Security Onion box.
On the scanning box, run
nmap
and it should only see port 22 open on the Security Onion box.Run
so-allow
on the Security Onion box and allow your scanning IP to access a port.so-allow
shows you the output ofufw status
and also the current contents of the DOCKER-USER chain. Also review/etc/ufw/after.rules
to see the new firewall rule that will be added at every reboot.Re-run
nmap
from your scanning box and verify that only proper ports are open.Reboot the Security Onion box.
Re-run
nmap
from your scanning box and verify that only proper ports are open.Anything else we missed?
Please record all test results via comments below.
Thanks in advance for your time and effort!