Security onion vagrant
In this post I'll go through how to set up a Security Onion (SO) Vagrant box, enabling fast iterations and provisioning development.
The first step is creating the SO box itself using packer:
$ git clone git://github.com/narkisr/packer-security-onion.git
# won't work on a headless machine
$ make virtualbox/security-onion-12.04.4
The box itself is quite heavily customized due to the requirements of SO. Once the box has been created we import it like any other:
$ vagrant box add security-onion-12.04.4_puppet-3.7.3 box/virtualbox/security-onion-12.04.4_puppet_3.7.3.box
Now we are ready to start rolling Vagrant; a few prerequisites first:
- Opskeleton defines the project layout of the following Vagrant/Puppet code base, so make sure you have it.
- SO itself requires a running GUI (so no headless servers).
- Have a mirror port ready on your switch connected to a physical interface (if you want to capture meaningful traffic), note that you can customize the mirror port vagrant uses (using VAGRANT_MIRROR).
$ git clone git://github.com/opskeleton/security-onion-sandbox.git
# Won't work on a headless machine
$ gem install bundle
$ bundle install
$ librarian-puppet install
# in order to customize the mirror port use VAGRANT_MIRROR=ifc
$ vagrant up
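As an added example (not the security-onion-sandbox project's own Vagrantfile), here is how a mirror interface read from VAGRANT_MIRROR can be bridged onto the guest's eth1 monitor port in VirtualBox; the eth0 default, the helper names and the promiscuous-mode customization are assumptions, not something the post states.

```ruby
# Added example, not the security-onion-sandbox Vagrantfile.
# Picks the host interface to mirror from VAGRANT_MIRROR and builds the
# VirtualBox settings the SO monitor NIC (guest eth1) needs.

DEFAULT_MIRROR = 'eth0'.freeze # assumed default host interface to bridge

# Host interface the monitor NIC is bridged onto; VAGRANT_MIRROR overrides it.
def mirror_interface(env = ENV)
  iface = env['VAGRANT_MIRROR'].to_s.strip
  iface.empty? ? DEFAULT_MIRROR : iface
end

# VBoxManage modifyvm arguments for adapter 2 (guest eth1, the monitor port).
# Without promiscuous mode 'allow-all' the adapter only passes frames addressed
# to the VM, so the mirrored traffic never reaches the sensor.
def monitor_nic_customizations
  [
    ['modifyvm', :id, '--nicpromisc2', 'allow-all']
  ]
end

# Vagrantfile fragment; only evaluated when loaded by vagrant itself.
if defined?(Vagrant)
  Vagrant.configure('2') do |config|
    config.vm.box = 'security-onion-12.04.4_puppet-3.7.3'
    # eth0 stays the NAT management interface vagrant adds by default.
    # eth1: bridged monitor port, no IP configured, wired to the mirror interface.
    config.vm.network 'public_network', bridge: mirror_interface, auto_config: false
    config.vm.provider 'virtualbox' do |vb|
      vb.gui = true # SO needs a running GUI, see the prerequisites above
      monitor_nic_customizations.each { |args| vb.customize args }
    end
  end
end
```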
Once the VM UI is running, open a terminal and start sosetup:
On its first invocation the wizard will guide you through the network setup, choose eth0 as the management interface and eth1 as the monitor interface, reboot once done.
Once the machine is up, run sosetup again to set up the Sguil and Snorby username/password.
- Sadly, automating the setup wizard using Puppet didn't work out: you can pass an answer file, but the text-based wizard does not work properly while being run from a Puppet exec call.
- The OpenSSH server didn't work well, so the Vagrant box uses dropbear instead.