Tuesday, July 25, 2023

Security Onion 2.4 Base OS

Introduction

Recent events have forced us to change course on the base operating system (OS) for Security Onion 2.4. 

On 6/21/2023, Red Hat announced changes to their source code availability for Red Hat Enterprise Linux (RHEL):

On 6/26/2023, Red Hat then posted a follow-up:

These announcements prompted us to go back to first principles and re-evaluate the base OS options for our upcoming Security Onion 2.4 RC1 release.

First Principles

To re-evaluate our base OS options based on first principles, we start with the basic hard requirements. Security Onion 2.4 primarily consists of Docker images orchestrated by Saltstack, so here are our requirements for the base OS:
  • stable Linux kernel
  • stable Docker packages
  • stable Saltstack packages
  • freely available at no cost
  • long term support (greater than 3 years)

In addition to the requirements above, our customers have indicated certain preferences:
  • Most customers prefer some sort of Red Hat derivative.
  • Some customers strongly prefer operating systems that meet specific US government standards or certifications.

Options

Based on the requirements and preferences above, we considered the following options:
Over the last few weeks, we investigated each option in depth to see whether it satisfies the requirements and preferences above and to identify any additional advantages or disadvantages.

Security Onion 2.4 ISO Image

At the conclusion of our exhaustive investigation, we decided to base our Security Onion 2.4 ISO image on Oracle Linux 9 for the following reasons:

Network Installation

If you don’t want to use our Security Onion 2.4 ISO image, you can still perform a network installation of our Security Onion components after manually installing one of the following:
  • Oracle Linux 9
  • Rocky Linux 9
  • Alma Linux 9
  • CentOS Stream 9
  • RHEL 9
  • Ubuntu 22.04
  • Debian 12

Support

Customers with premium support and professional services can reach out to their normal support contacts for more information about support. 

If you are a non-paid community user, then please pay close attention to the support levels below.

Supported

Our Security Onion 2.4 ISO image (based on Oracle Linux 9) is the only fully supported installation method. Choose this option if any of the following apply to you:
  • You are deploying in an enterprise environment.
  • You are deploying in an airgap environment.
  • You are performing a distributed deployment.
  • You want the quickest and easiest installation with the fewest issues.
  • You need full support.

Unsupported

If you don’t want to use our Security Onion 2.4 ISO image and choose to perform a manual OS installation followed by a network installation of our Security Onion components, then we recommend Oracle Linux 9 or Rocky Linux 9. CentOS Stream 9 or Alma Linux 9 should also work. Another option is RHEL 9 itself, although that is a paid option.

If you really want to run Ubuntu 22.04 or Debian 12, then please note that these distros may work, but they get less testing, so you are more likely to run into issues.
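As an added illustration (this is not Security Onion code and is not part of the original post), the following POSIX shell preflight script turns the network-installation list and the support tiers above into a check you can run on a candidate host before starting a network installation. It parses the os-release document, prints which tier the distribution falls into, and separately reports the running kernel's FIPS mode flag. The function names, the tier labels, and the sample os-release texts are this example's own constructions; the list of distributions is the one given in this post.

```shell
#!/bin/sh
# Added preflight check (not Security Onion's own code). Classifies a host
# against the distro tiers described in the post and reports kernel FIPS mode.
# Function names, tier labels and the sample os-release texts are this
# example's own; the supported-distro list is the one given in the post.

# Tier a host by its os-release text (passed as $1).
# Prints one of: recommended | should-work | paid | less-tested | unsupported
# Note: a system installed from the Security Onion ISO also reports ID=ol,
# so this only distinguishes targets for the network-install path.
so_os_tier() {
    osrel=$1
    id=$(printf '%s\n' "$osrel" | sed -n 's/^ID=//p' | tr -d '"')
    ver=$(printf '%s\n' "$osrel" | sed -n 's/^VERSION_ID=//p' | tr -d '"')
    case "$id:$ver" in
        ol:9|ol:9.*|rocky:9|rocky:9.*)                 echo recommended ;;
        almalinux:9|almalinux:9.*|centos:9|centos:9.*) echo should-work ;;
        rhel:9|rhel:9.*)                               echo paid ;;
        ubuntu:22.04|debian:12|debian:12.*)            echo less-tested ;;
        *)                                             echo unsupported ;;
    esac
}

# Report the running kernel's FIPS flag. Takes the flag file path so it can
# be exercised against a constructed file; on a live host use the default.
# Prints one of: enabled | disabled | unknown
so_fips_mode() {
    f=${1:-/proc/sys/crypto/fips_enabled}
    [ -r "$f" ] || { echo unknown; return 0; }
    case "$(cat "$f")" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown ;;
    esac
}

# Constructed sample os-release documents (not captured from real hosts).
SAMPLE_OL9='NAME="Oracle Linux Server"
ID="ol"
ID_LIKE="fedora"
VERSION_ID="9.2"'
SAMPLE_UBUNTU='NAME="Ubuntu"
ID=ubuntu
ID_LIKE=debian
VERSION_ID="22.04"'
SAMPLE_CENTOS7='NAME="CentOS Linux"
ID="centos"
VERSION_ID="7"'

# Classify the samples, then this host if its os-release is readable.
for s in "$SAMPLE_OL9" "$SAMPLE_UBUNTU" "$SAMPLE_CENTOS7"; do
    name=$(printf '%s\n' "$s" | sed -n 's/^NAME=//p' | tr -d '"')
    printf '%s -> %s\n' "$name" "$(so_os_tier "$s")"
done
if [ -r /etc/os-release ]; then
    printf 'this host: %s, kernel FIPS mode %s\n' \
        "$(so_os_tier "$(cat /etc/os-release)")" "$(so_fips_mode)"
fi
```

Run it as-is to see the constructed samples classified; on a real host it also prints the host's own tier and FIPS flag. Keep the distinction the Q&A below relies on in mind: the /proc/sys/crypto/fips_enabled flag only says whether the running kernel was booted in FIPS mode, not whether the distribution's cryptographic modules hold a FIPS 140 certificate, so a host can report "enabled" on a distribution with no certification and "disabled" on one that is certified.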

Q&A

What will the Security Onion 2.4 ISO image be based on?
Our Security Onion 2.4 ISO image will be based on Oracle Linux 9.

Why Oracle Linux?
Oracle Linux has been around since 2006, so it has a long track record. Additionally, FIPS certification is in progress. Finally, Oracle Linux offers a newer Linux kernel (its Unbreakable Enterprise Kernel, or UEK) in addition to the RHEL-compatible kernel. A newer kernel picks up upstream fixes and hardening sooner, so in theory it should be more secure than the default kernel included in other RHEL rebuilds.

Is Oracle Linux free?
Since 2006, Oracle Linux has been completely free to download and use: free source code, binaries, and updates, freely redistributable, and free for production use.

If we don’t want to use the Security Onion 2.4 ISO image or Oracle Linux, do we have other options?
If you don’t want or need support, then you can choose from Rocky Linux 9, Alma Linux 9, CentOS Stream 9, RHEL 9, Ubuntu 22.04, or Debian 12. However, please note that if you choose one of these options there will be more manual work required and you may be more likely to run into issues.

Why not use Rocky Linux 9 for the Security Onion 2.4 ISO image?
As of 7/25/2023, Rocky Linux 9 is not yet listed at the FIPS certification pages:

Why not use Alma Linux 9 for the Security Onion 2.4 ISO image?
Alma Linux does not yet have FIPS certification. Also, it has only been around since 2021, so it does not yet have a long track record.

Why not use CentOS Stream for the Security Onion 2.4 ISO image?
CentOS Stream does not have any FIPS certification whatsoever.

Why not use Ubuntu for the Security Onion 2.4 ISO image?
Standard Ubuntu has no FIPS certification. FIPS certification requires a paid upgrade to Ubuntu Pro. Additionally, Ubuntu appears to be focusing on its own snap packaging format going forward.

Why not use Debian for the Security Onion 2.4 ISO image?
Debian does not have any FIPS certification whatsoever.

Why not use another Linux distro like fill in the blank?
We considered several other Linux distributions but only the ones listed above met the core requirements.

When do these Security Onion changes take effect?
These changes go into effect for the upcoming Security Onion 2.4 RC1 release.

When will Security Onion 2.4 reach General Availability (GA)?
These OS changes delayed our release schedule for Security Onion 2.4, but it was important to take our time and fully investigate our options. Security Onion 2.4 RC1 is coming soon. Stay tuned!

What does all of this mean for Security Onion 2.3?
There are no planned OS changes for 2.3.

I am a current customer with premium support and professional services and I have other questions about this change. To whom should I reach out?
Please feel free to reach out to your account manager.

I am a community user of Security Onion and I have other questions about this change. How may I ask those questions?
You may start a new discussion at https://securityonion.net/discuss

UPDATE 2023/07/27 - Added that these changes go into effect for the upcoming Security Onion 2.4 RC1 release.
