Introduction
Recent events have forced us to change course on the base operating system (OS) for Security Onion 2.4.
On 6/21/2023, Red Hat announced changes to their source code availability for Red Hat Enterprise Linux (RHEL):
On 6/26/2023, Red Hat then posted a follow-up:
These announcements prompted us to go back to first principles and re-evaluate the base OS options for our upcoming Security Onion 2.4 RC1 release.
First Principles
To re-evaluate our base OS options based on first principles, we start with the basic hard requirements. Security Onion 2.4 primarily consists of Docker images orchestrated by Saltstack, so here are our requirements for the base OS:
- stable Linux kernel
- stable Docker packages
- stable Saltstack packages
- freely available at no cost
- long term support (greater than 3 years)
In addition to the requirements above, our customers have indicated certain preferences:
- Most customers prefer some sort of Red Hat derivative.
- Some customers strongly prefer operating systems that meet specific US government standards or certifications.
Options
Based on the requirements and preferences above, we considered the following options:
- Rocky Linux 9 (free RHEL rebuild) - https://rockylinux.org/
- Alma Linux 9 (free RHEL/CentOS rebuild) - https://almalinux.org/
- Oracle Linux 9 (free RHEL rebuild) - https://www.oracle.com/linux/
- CentOS Stream 9 (free RHEL upstream) - https://www.centos.org/centos-stream/
- Ubuntu 22.04 (free Debian derivative) - https://ubuntu.com/
- Debian 12 - https://www.debian.org/
Over the last few weeks, we performed an exhaustive investigation of each option to see if they satisfy the requirements and preferences above and also determine if there are any additional advantages or disadvantages.
Security Onion 2.4 ISO Image
At the conclusion of our exhaustive investigation, we decided to base our Security Onion 2.4 ISO image on Oracle Linux 9 for the following reasons:
- Oracle Linux 9 satisfies the highest number of requirements and preferences for the greatest number of customers.
- Oracle Linux is a RHEL rebuild that has been available since 2006 so they have a long track record.
- Oracle Linux is free. From https://yum.oracle.com/oracle-linux-downloads.html:
Since 2006, Oracle Linux has been completely free to download and use. Free source code, binaries, and updates. Freely redistributable. Free for production use. - Oracle is well funded and fully committed to Oracle Linux in the long term:
https://www.oracle.com/news/announcement/blog/keep-linux-open-and-free-2023-07-10/ - Oracle Linux 9 FIPS (Federal Information Processing Standards) certification is listed as “Under Test” as of 3/7/2023:
https://csrc.nist.gov/Projects/cryptographic-module-validation-program/modules-in-process/IUT-List - Oracle Linux offers the ability to run a newer Linux kernel which, in theory, should be more secure than the default kernel included in other RHEL rebuilds:
https://unix.foo/posts/enterprise-linux/
https://blogs.oracle.com/linux/post/tracking-linux-stable-kernels-with-uek
Network Installation
If you don’t want to use our Security Onion 2.4 ISO image, you can still perform a network installation of our Security Onion components after manually installing one of the following:
- Oracle Linux 9
- Rocky Linux 9
- Alma Linux 9
- CentOS Stream 9
- RHEL 9
- Ubuntu 22.04
- Debian 12
Support
Customers with premium support and professional services can reach out to their normal support contacts for more information about support.
If you are a non-paid community user, then please pay close attention to the support levels below.
Supported
Our Security Onion 2.4 ISO image (based on Oracle Linux 9) is the only fully supported installation method. Choose this option if any of the following apply to you:
- You are deploying in an enterprise environment.
- You are deploying in an airgap environment.
- You are performing a distributed deployment.
- You want the quickest and easiest installation with the fewest issues.
- You need full support.
Unsupported
If you don’t want to use our Security Onion 2.4 ISO image and choose to perform a manual OS installation followed by a network installation of our Security Onion components, then we recommend using Oracle Linux 9 or Rocky Linux 9. CentOS Stream 9 or Alma Linux 9 should also work. Another option might be RHEL 9 itself although that is a paid option.
If you really want to run Ubuntu 22.04 or Debian 12, then please note that these distros may work but they get less testing and therefore you will be more likely to run into issues.
Q&A
What will the Security Onion 2.4 ISO image be based on?
Our Security Onion 2.4 ISO image will be based on Oracle Linux 9.
Why Oracle Linux?
Oracle Linux has been around since 2006 and so it has a long track record. Additionally, FIPS certification is in progress. Finally, Oracle Linux offers a newer Linux kernel which, in theory, should be more secure than the default kernel included in other RHEL rebuilds.
Is Oracle Linux free?
Since 2006, Oracle Linux has been completely free to download and use. Free source code, binaries, and updates. Freely redistributable. Free for production use.
If we don’t want to use the Security Onion 2.4 ISO image or Oracle Linux, do we have other options?
If you don’t want or need support, then you can choose from Rocky Linux 9, Alma Linux 9, CentOS Stream 9, RHEL 9, Ubuntu 22.04, or Debian 12. However, please note that if you choose one of these options there will be more manual work required and you may be more likely to run into issues.
Why not use Rocky Linux 9 for the Security Onion 2.4 ISO image?
As of 7/25/2023, Rocky Linux 9 is not yet listed at the FIPS certification pages:
Why not use Alma Linux 9 for the Security Onion 2.4 ISO image?
Alma Linux does not yet have FIPS certification. Also, it has only been around since 2021 so it doesn’t have that long of a track record.
Why not use CentOS Stream for the Security Onion 2.4 ISO image?
CentOS Stream does not have any FIPS certification whatsoever.
Why not use Ubuntu for the Security Onion 2.4 ISO image?
Standard Ubuntu has no FIPS certification. FIPS certification requires a paid upgrade to Ubuntu Pro. Additionally, Ubuntu seems to be focused on their own snap architecture for the future.
Why not use Debian for the Security Onion 2.4 ISO image?
Debian does not have any FIPS certification whatsoever.
Why not use another Linux distro like fill in the blank?
We considered several other Linux distributions but only the ones listed above met the core requirements.
When do these Security Onion changes take effect?
These changes go into effect for the upcoming Security Onion 2.4 RC1 release.
When will Security Onion 2.4 reach General Availability (GA)?
These OS changes delayed our release schedule for Security Onion 2.4, but it was important to take our time and fully investigate our options. Security Onion 2.4 RC1 is coming soon. Stay tuned!
What does all of this mean for Security Onion 2.3?
There are no planned OS changes for 2.3.
I am a current customer with premium support and professional services and I have other questions about this change. To whom should I reach out?
Please feel free to reach out to your account manager.
I am a community user of Security Onion and I have other questions about this change. How may I ask those questions?
You may start a new discussion at https://securityonion.net/discuss.
UPDATE 2023/07/27 - Added that these changes go into effect for the upcoming Security Onion 2.4 RC1 release.
