Security Onion: July 2023

Friday, July 28, 2023

Security Onion 2.4 Release Candidate 1 (RC1) Now Available!

We recently released the fourth Beta version of Security Onion 2.4:
https://blog.securityonion.net/2023/07/security-onion-24-beta-4-release-now.html

Today, we are excited to release Security Onion 2.4 Release Candidate 1 (RC1)!

Highlights

A few highlights of this release:

You may remember the Analyst Workstation in 2.3. It's back in 2.4 and it's now called Security Onion Desktop!
https://github.com/Security-Onion-Solutions/securityonion/issues/10862
SOC now has a new feature that, if enabled, will automatically perform DNS lookups on the fly:
https://github.com/Security-Onion-Solutions/securityonion/issues/8655
SOC now has pivots for relational operators on numbers:
https://github.com/Security-Onion-Solutions/securityonion/issues/8024

Please review the Release Notes for all other changes in this release:
https://docs.securityonion.net/en/2.4/release-notes.html

Base OS

If you haven't already, please review our recent blog post on our 2.4 base OS changes:
https://blog.securityonion.net/2023/07/security-onion-24-base-os.html

Known Issues

Here are some known issues that should be resolved in later releases:

You cannot do an in-place upgrade from 2.3 to 2.4. We are still investigating data migration.
Security Onion Desktop is still considered experimental.
Please do not run "soup" as that will currently try to downgrade the system to 2.3 and cause problems. We will provide further information with the upcoming RC2 release.

Transition from 2.3 to 2.4

When we release the final version of Security Onion 2.4, we will announce an End Of Life (EOL) date for Security Onion 2.3. Security Onion 2.3 will continue to receive security patches and priority bug fixes until it reaches EOL.

Documentation

You can find 2.4 documentation at:
https://docs.securityonion.net/en/2.4/

Documentation is always a work in progress. If you find documentation that needs to be updated, please let us know as described in the Feedback section below.

Warnings and Disclaimers

Things may change between this release candidate version and the final GA release.
Ask your doctor if pre-GA software is right for you.
If it breaks, you get to keep both pieces!

Enough warnings and disclaimers? Let’s go!

License Reminder

Please be reminded of the license change we posted last year:
https://blog.securityonion.net/2022/08/security-onion-enterprise-features-and.html

Installation

We highly recommend starting with an IMPORT installation as shown at:
https://docs.securityonion.net/en/2.4/first-time-users.html

Once you’re comfortable with your IMPORT installation, then you can move on to more advanced installations.

Questions, Problems, and Feedback

If you have any questions or problems relating to Security Onion 2.4, please use the new 2.4 category at our Discussions site:
https://github.com/Security-Onion-Solutions/securityonion/discussions/categories/2-4

We welcome your detailed feedback!

Screenshot Tour

If you want the quickest and easiest way to try out Security Onion 2.4, just follow the screenshots below to install an Import node. This can be done in a minimal VM with only 4GB RAM! For more information, please see:

https://docs.securityonion.net/en/2.4/first-time-users.html

Tuesday, July 25, 2023

Security Onion 2.4 Base OS

Introduction

Recent events have forced us to change course on the base operating system (OS) for Security Onion 2.4.

On 6/21/2023, Red Hat announced changes to their source code availability for Red Hat Enterprise Linux (RHEL):

https://www.redhat.com/en/blog/furthering-evolution-centos-stream

On 6/26/2023, Red Hat then posted a follow-up:

https://www.redhat.com/en/blog/red-hats-commitment-open-source-response-gitcentosorg-changes

These announcements prompted us to go back to first principles and re-evaluate the base OS options for our upcoming Security Onion 2.4 RC1 release.

First Principles

To re-evaluate our base OS options based on first principles, we start with the basic hard requirements. Security Onion 2.4 primarily consists of Docker images orchestrated by Saltstack, so here are our requirements for the base OS:

stable Linux kernel
stable Docker packages
stable Saltstack packages
freely available at no cost
long term support (greater than 3 years)

In addition to the requirements above, our customers have indicated certain preferences:

Most customers prefer some sort of Red Hat derivative.
Some customers strongly prefer operating systems that meet specific US government standards or certifications.

Options

Based on the requirements and preferences above, we considered the following options:

Rocky Linux 9 (free RHEL rebuild) - https://rockylinux.org/
Alma Linux 9 (free RHEL/CentOS rebuild) - https://almalinux.org/
Oracle Linux 9 (free RHEL rebuild) - https://www.oracle.com/linux/
CentOS Stream 9 (free RHEL upstream) - https://www.centos.org/centos-stream/
Ubuntu 22.04 (free Debian derivative) - https://ubuntu.com/
Debian 12 - https://www.debian.org/

Over the last few weeks, we performed an exhaustive investigation of each option to see if they satisfy the requirements and preferences above and also determine if there are any additional advantages or disadvantages.

Security Onion 2.4 ISO Image

At the conclusion of our exhaustive investigation, we decided to base our Security Onion 2.4 ISO image on Oracle Linux 9 for the following reasons:

Oracle Linux 9 satisfies the highest number of requirements and preferences for the greatest number of customers.
Oracle Linux is a RHEL rebuild that has been available since 2006 so they have a long track record.
Oracle Linux is free. From https://yum.oracle.com/oracle-linux-downloads.html:
Since 2006, Oracle Linux has been completely free to download and use. Free source code, binaries, and updates. Freely redistributable. Free for production use.
Oracle is well funded and fully committed to Oracle Linux in the long term:
https://www.oracle.com/news/announcement/blog/keep-linux-open-and-free-2023-07-10/
Oracle Linux 9 FIPS (Federal Information Processing Standards) certification is listed as “Under Test” as of 3/7/2023:
https://csrc.nist.gov/Projects/cryptographic-module-validation-program/modules-in-process/IUT-List
Oracle Linux offers the ability to run a newer Linux kernel which, in theory, should be more secure than the default kernel included in other RHEL rebuilds:
https://unix.foo/posts/enterprise-linux/
https://blogs.oracle.com/linux/post/tracking-linux-stable-kernels-with-uek

Network Installation

If you don’t want to use our Security Onion 2.4 ISO image, you can still perform a network installation of our Security Onion components after manually installing one of the following:

Oracle Linux 9
Rocky Linux 9
Alma Linux 9
CentOS Stream 9
RHEL 9
Ubuntu 22.04
Debian 12

Support

Customers with premium support and professional services can reach out to their normal support contacts for more information about support.

If you are a non-paid community user, then please pay close attention to the support levels below.

Supported

Our Security Onion 2.4 ISO image (based on Oracle Linux 9) is the only fully supported installation method. Choose this option if any of the following apply to you:

You are deploying in an enterprise environment.
You are deploying in an airgap environment.
You are performing a distributed deployment.
You want the quickest and easiest installation with the fewest issues.
You need full support.

Unsupported

If you don’t want to use our Security Onion 2.4 ISO image and choose to perform a manual OS installation followed by a network installation of our Security Onion components, then we recommend using Oracle Linux 9 or Rocky Linux 9. CentOS Stream 9 or Alma Linux 9 should also work. Another option might be RHEL 9 itself although that is a paid option.

If you really want to run Ubuntu 22.04 or Debian 12, then please note that these distros may work but they get less testing and therefore you will be more likely to run into issues.

Q&A

What will the Security Onion 2.4 ISO image be based on?

Our Security Onion 2.4 ISO image will be based on Oracle Linux 9.

Why Oracle Linux?

Oracle Linux has been around since 2006 and so it has a long track record. Additionally, FIPS certification is in progress. Finally, Oracle Linux offers a newer Linux kernel which, in theory, should be more secure than the default kernel included in other RHEL rebuilds.

Is Oracle Linux free?

Yes, from https://yum.oracle.com/oracle-linux-downloads.html:

Since 2006, Oracle Linux has been completely free to download and use. Free source code, binaries, and updates. Freely redistributable. Free for production use.

If we don’t want to use the Security Onion 2.4 ISO image or Oracle Linux, do we have other options?

If you don’t want or need support, then you can choose from Rocky Linux 9, Alma Linux 9, CentOS Stream 9, RHEL 9, Ubuntu 22.04, or Debian 12. However, please note that if you choose one of these options there will be more manual work required and you may be more likely to run into issues.

Why not use Rocky Linux 9 for the Security Onion 2.4 ISO image?

As of 7/25/2023, Rocky Linux 9 is not yet listed at the FIPS certification pages:

https://csrc.nist.gov/Projects/cryptographic-module-validation-program/modules-in-process/IUT-List

https://csrc.nist.gov/Projects/cryptographic-module-validation-program/modules-in-process/Modules-In-Process-List

Why not use Alma Linux 9 for the Security Onion 2.4 ISO image?

Alma Linux does not yet have FIPS certification. Also, it has only been around since 2021 so it doesn’t have that long of a track record.

Why not use CentOS Stream for the Security Onion 2.4 ISO image?

CentOS Stream does not have any FIPS certification whatsoever.

Why not use Ubuntu for the Security Onion 2.4 ISO image?

Standard Ubuntu has no FIPS certification. FIPS certification requires a paid upgrade to Ubuntu Pro. Additionally, Ubuntu seems to be focused on their own snap architecture for the future.

Why not use Debian for the Security Onion 2.4 ISO image?

Debian does not have any FIPS certification whatsoever.

Why not use another Linux distro like fill in the blank?

We considered several other Linux distributions but only the ones listed above met the core requirements.

When do these Security Onion changes take effect?

These changes go into effect for the upcoming Security Onion 2.4 RC1 release.

When will Security Onion 2.4 reach General Availability (GA)?

These OS changes delayed our release schedule for Security Onion 2.4, but it was important to take our time and fully investigate our options. Security Onion 2.4 RC1 is coming soon. Stay tuned!

What does all of this mean for Security Onion 2.3?

There are no planned OS changes for 2.3.

I am a current customer with premium support and professional services and I have other questions about this change. To whom should I reach out?

Please feel free to reach out to your account manager.

I am a community user of Security Onion and I have other questions about this change. How may I ask those questions?

You may start a new discussion at https://securityonion.net/discuss.

UPDATE 2023/07/27 - Added that these changes go into effect for the upcoming Security Onion 2.4 RC1 release.

Thursday, July 20, 2023

Registration Now Open for Augusta Cyber Week 2023!

Registration is now open for Augusta Cyber Week in beautiful Augusta GA from October 2, 2023 through October 7, 2023! This includes:

4-day Security Onion training
10th annual Security Onion Conference (SOCAugusta)
10th annual BSidesAugusta

These are separate events, but if you sign up for the 4-day training class, then you get a FREE non-transferable ticket to both Security Onion Conference and BSidesAugusta!

Even if you can't make the training class, you won't want to miss Security Onion Conference! It's our 10th annual conference so we are celebrating in style with the one and only Dave Kennedy as our keynote speaker!

4-day Security Onion training:
https://bsidesaugusta.org/training/#so

10th Annual Security Onion Conference:
https://socaugusta2023.eventbrite.com/

10th Annual BSidesAugusta!
https://bsidesaugusta.org/

Hope to see you there!

Wednesday, July 12, 2023

Security Onion 2.4 Beta 4 Release Now Available!

We recently released the third Beta version of Security Onion 2.4:
https://blog.securityonion.net/2023/06/security-onion-24-beta-3-release-now.html

Today, we are excited to release the fourth Beta (Beta 4) version of Security Onion 2.4!

One of the new features in this release is the ability to upload PCAP and EVTX files right in Security Onion Console (SOC)! When you go to the Grid page, you can select a node in your deployment. If the node is a network sensor or import node, then there will be an icon in the Node Status section for uploading your own PCAP or EVTX file.

Clicking this upload icon results in an upload form. Once you’ve selected a file and initiated the upload, a status message appears. Uploaded PCAP files are automatically imported via so-import-pcap and EVTX files are automatically imported via so-import-evtx. Only one file can be imported at a time, so upload will be disabled until import is complete. Once the import is complete, a message will appear containing a hyperlink to view the logs from the import.

We also added a new passwordless login option using the WebAuthn standard. You can read more about this at https://docs.securityonion.net/en/2.4/passwords.html#passwordless-logins-to-soc.

Finally, we've implemented lots of fixes to improve feature parity with 2.3 and overall user experience.

Release Notes

Please review the Release Notes for changes in this release:
https://docs.securityonion.net/en/2.4/release-notes.html

Red Hat, Rocky Linux, and Security Onion

For background, please see https://blog.securityonion.net/2023/06/red-hat-rocky-linux-and-security-onion.html. For this release, our ISO image is still based on Rocky Linux. We are continuing to monitor this situation and will provide updates as necessary.