From afc73715b52f11371517a312a7215f6955e1b7ad Mon Sep 17 00:00:00 2001 From: Kirk K Date: Fri, 14 Jun 2019 11:19:01 -0500 Subject: [PATCH 1/8] Rock On RHEL --- docs/deploy/rock-on-rhel.md | 185 ++++++++++++++++++++++++++++++++++++ 1 file changed, 185 insertions(+) create mode 100644 docs/deploy/rock-on-rhel.md diff --git a/docs/deploy/rock-on-rhel.md b/docs/deploy/rock-on-rhel.md new file mode 100644 index 0000000..a954195 --- /dev/null +++ b/docs/deploy/rock-on-rhel.md 
@@ -0,0 +1,185 @@ +# Rock on RHEL +We are ofthen asked how deploy rock on RHEL. This should work for both a single node deployment and a multi-node deployment. + +Install RHEL using the same guidelines outlined in [Install Section](docs\install\install.md) of the documentation. + +If you have not done so already, register the RHEL OS. +``` +[root@server1 ~]# subscription-manager register --username admin-example --password secret +``` +It should reply back with something like this: +``` +The system has been registered with id: 7d133d55-876f-4f47-83eb-0ee931cb0a97 +``` +To aid in the installation make sure that you have the [latest ISO](https://mirror.rocknsm.io/isos/stable/) downloaded on the machine via `scp` or some other avenue. + +## Disable FIPS to allow Deployment on all components +> **If** your STIG enabled FIPS you will need to disable it on certain machines. The machines that contain Bro/Zeek, Docket, and Stenographer will need to be disabled. + + +Remove the dracut-fips* packages + ``` +sudo yum remove dracut-fips\* +``` + +Backup existing FIPS initramfs + ``` +sudo mv -v /boot/initramfs-$(uname -r).img{,.FIPS-bak} +``` + +Run dracut to rebuild the initramfs +``` +sudo dracut + ``` + +Run Grubby +``` +sudo grubby --update-kernel=ALL --remove-args=fips=1 +``` + +Carefully up date the grub config file setting fips=0 + ``` +sudo vi /etc/default/grub +``` + +Reboot the VM +``` +sudo reboot +``` + +Log back in... 
+ +Confirm that fips is disabled by +``` +sysctl crypto.fips_enabled +``` + +if it returns `0` then it has been properly disabled + + + +## Deployment of Rock across All Machines +Mount the latest iso in this case its rocknsm2-4.iso to `/mnt` + +Copy the folders form the mounted device to `/srv/rocknsm` + +Create the a place for your pet ROCK to live +``` +sudo mkdir -p /usr/share/rock +``` + +Git Clone or Copy the rocknsm repo to the `/usr/share/rock` directory +``` +sudo git clone https://github.com/rocknsm/rock.git +``` + +Install Ansible to coordinate the installation of the Sensor +``` +sudo yum install ansible +``` + +Ensure the latest version of markupsafe is installed also +``` +sudo yum install python2-markupsafe +``` + +Copy the hosts.ini file that so ansible knows where to deploy things using `sudo cp /usr/share/rock/etc/rocknsm/hosts.ini /etc/rocknsm/.` + +> NOTE: Most of the Rock configuration is now automated and can be called from anywhere on the os. + +``` +[admin@sensor ~]$ sudo rock help +Usage: /sbin/rock COMMAND [options] +Commands: +setup Launch TUI to configure this host for deployment +tui Alias for setup +ssh-config Configure hosts in inventory to use key-based auth (multinode) +deploy Deploy selected ROCK components +deploy-offline Same as deploy --offline (Default ISO behavior) +deploy-online Same as deploy --online +stop Stop all ROCK services +start Start all ROCK services +restart Restart all ROCK services +status Report status for all ROCK services +genconfig Generate default configuration based on current system +destroy Destroy all ROCK data: indexes, logs, PCAP, i.e. 
EVERYTHING + NOTE: Will not remove any services, just the data + +Options: +--config, -c Specify full path to configuration overrides +--extra, -e Set additional variables as key=value or YAML/JSON passed to ansible-playbook +--help, -h Show this usage information +--inventory, -i Specify path to Ansible inventory file +--limit Specify host to run plays +--list-hosts Outputs a list of matching hosts; does not execute anything else +--list-tags List all available tags +--list-tasks List all tasks that would be executed +--offline, -o Deploy ROCK using only local repos (Default ISO behavior) +--online, -O Deploy ROCK using online repos +--playbook, -p Specify path to Ansible playbook file +--skip-tags Only run plays and tasks whose tags do not match these values +--tags, -t Only run plays and tasks tagged with these values +--verbose, -v Increase verbosity of ansible-playbook +``` + +Change Directory into `usr/share/rock/bin` if you are not already there + +Run `sudo ./rock ssh-config` to setup ssh on all the host you will use for the deployment. It uses the host from the previously created `hosts.ini` if you have a multinode deployment + +Run `sudo ./rock genconfig` to generate config file. Unless you are doing something really off the beaten path of a normal deployment you should not need to edit this file. + +Ensure you are in the `/usr/share/rock/bin/` directory. + +Fire off the installation + +``` +sudo ./rock deploy-offline +``` +Once the deployment is completed with the components you chose, you'll be +congratulated with a success banner. Congratulations! + +

+ +

+ + +Ensure the following ports on the firewall are open if you need them to be + - 9300 TCP - Node coordination (I am sure elastic has abetter name for this) + - 9200 TCP - Elasticsearch + - 5601 TCP - Kibna + - 22 TCP - SSH Access + - 9092 TCP - Kafka + + ``` + sudo firewall-cmd --add-port=9300/tcp --permanent + ``` + +Reload the firewall config +``` +sudo firewall-cmd --reload +``` + +Check the Suricata `threads` per interface. This is so Suricata doesn't compete with bro for cpu threads. if you are listening on multiple interfaces then you will have to set threads for all of them. + +```yml +%YAML 1.1 +--- +default-rule-path: "/var/lib/suricata/rules" +rule-files: + - suricata.rules + +af-packet: + - interface: em3 + threads: 4 <--------- + cluster-id: 98 + cluster-type: cluster_flow + defrag: yes + use-mmap: yes + mmap-locked: yes + #rollover: yes + tpacket-v3: yes + use-emergency-flush: yes +default-log-dir: /data/suricata +``` + +CONGRATZ!!! You now have ROCK NSM of RHEL From 494f38e4ca661c455191360b4a02407d279875bb Mon Sep 17 00:00:00 2001 From: Kirk K Date: Wed, 7 Apr 2021 09:33:36 -0500 Subject: [PATCH 2/8] Update docs/deploy/rock-on-rhel.md Co-authored-by: Brad Solomon --- docs/deploy/rock-on-rhel.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/docs/deploy/rock-on-rhel.md b/docs/deploy/rock-on-rhel.md index a954195..f0583f3 100644 --- a/docs/deploy/rock-on-rhel.md +++ b/docs/deploy/rock-on-rhel.md @@ -159,7 +159,8 @@ Reload the firewall config sudo firewall-cmd --reload ``` -Check the Suricata `threads` per interface. This is so Suricata doesn't compete with bro for cpu threads. if you are listening on multiple interfaces then you will have to set threads for all of them. +Check the Suricata `threads` per interface. This is so Suricata doesn't compete with Zeek for CPU threads. If you are listening on multiple interfaces, then you will have to set threads for all of them. + ```yml %YAML 1.1 
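Review bot: the clone step puts the repo in the wrong place for everything that follows; `sudo git clone https://github.com/rocknsm/rock.git` run inside `/usr/share/rock` creates `/usr/share/rock/rock`, while the later steps use `/usr/share/rock/etc/rocknsm/hosts.ini` and `/usr/share/rock/bin` as the repo root. Clone with an explicit target (`sudo git clone https://github.com/rocknsm/rock.git /usr/share/rock`); that also makes the `mkdir -p` step redundant. Same hunk, other points: the `subscription-manager register ... --password secret` example leaves the password in shell history and in the process list while it runs; drop `--password` and let the tool prompt. The two ISO steps ("Mount the latest iso ... to `/mnt`", "Copy the folders form the mounted device to `/srv/rocknsm`") are the only ones without commands; give them, for example `sudo mount -o loop rocknsm2-4.iso /mnt` and `sudo mkdir -p /srv/rocknsm && sudo cp -r /mnt/* /srv/rocknsm/`, and fix "form". The firewall list names five ports but the example opens only 9300; show the full set, and since 9200, 5601 and 9092 expose Elasticsearch, Kibana and Kafka, say they are needed only for multi-node traffic and should be limited to the sensor/management network with a firewalld zone or rich rule rather than opened to any source. In the Suricata block, `threads: 4 <---------` is not valid YAML if pasted; use a YAML comment (`threads: 4  # adjust per interface`) and name the file being edited. Typos: "Create the a place", "Kibna", "abetter", "ROCK NSM of RHEL" (on RHEL).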
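Review bot: this line now says Zeek while the FIPS note earlier in the same file still says "Bro/Zeek"; pick one name (Zeek, with "formerly Bro" once at first mention) and use it throughout. The sentence also gives no way to choose the value: `threads: 4` is shown without relating it to the core count or to how many workers Zeek takes on the same box; one sentence on how to size it (cores left after Zeek's workers, per interface) stops readers copying 4 blindly.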
From 03a9fb2051334ca40b91f34f32ac35136af50cf1 Mon Sep 17 00:00:00 2001 From: Kirk K Date: Wed, 7 Apr 2021 09:33:48 -0500 Subject: [PATCH 3/8] Update docs/deploy/rock-on-rhel.md Co-authored-by: Brad Solomon --- docs/deploy/rock-on-rhel.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/docs/deploy/rock-on-rhel.md b/docs/deploy/rock-on-rhel.md index f0583f3..e415599 100644 --- a/docs/deploy/rock-on-rhel.md +++ b/docs/deploy/rock-on-rhel.md @@ -37,7 +37,8 @@ Run Grubby sudo grubby --update-kernel=ALL --remove-args=fips=1 ``` -Carefully up date the grub config file setting fips=0 +Carefully update the grub config file setting fips=0 + ``` sudo vi /etc/default/grub ``` From 79485b7af0e2d8df732d23076e28f910235bbfd3 Mon Sep 17 00:00:00 2001 From: Kirk K Date: Wed, 7 Apr 2021 09:34:04 -0500 Subject: [PATCH 4/8] Update docs/deploy/rock-on-rhel.md Co-authored-by: Brad Solomon --- docs/deploy/rock-on-rhel.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/docs/deploy/rock-on-rhel.md b/docs/deploy/rock-on-rhel.md index e415599..df87fa1 100644 --- a/docs/deploy/rock-on-rhel.md +++ b/docs/deploy/rock-on-rhel.md @@ -17,7 +17,8 @@ To aid in the installation make sure that you have the [latest ISO](https://mirr > **If** your STIG enabled FIPS you will need to disable it on certain machines. The machines that contain Bro/Zeek, Docket, and Stenographer will need to be disabled. -Remove the dracut-fips* packages +Remove the dracut-fips* packages: + ``` sudo yum remove dracut-fips\* ``` From 6489ec2c4847ff07141554792b4c95c2fe0545b7 Mon Sep 17 00:00:00 2001 From: Kirk K Date: Wed, 7 Apr 2021 09:34:38 -0500 Subject: [PATCH 5/8] Update docs/deploy/rock-on-rhel.md Co-authored-by: Brad Solomon --- docs/deploy/rock-on-rhel.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/docs/deploy/rock-on-rhel.md b/docs/deploy/rock-on-rhel.md index df87fa1..b62ac58 100644 --- a/docs/deploy/rock-on-rhel.md +++ b/docs/deploy/rock-on-rhel.md 
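Review bot: the sentence still does not say what to change in `/etc/default/grub`, and "setting fips=0" contradicts the preceding grubby step, which removes the argument entirely (`--remove-args=fips=1`). State the edit: remove `fips=1` from the `GRUB_CMDLINE_LINUX` line so future kernel installs do not re-add it, rather than setting a `fips=0` value.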
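Review bot: `dracut-fips*` in prose is an unescaped asterisk that markdown may treat as the start of italics; wrap it in backticks, matching the code form in the fence below.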
@@ -11,7 +11,8 @@ It should reply back with something like this: ``` The system has been registered with id: 7d133d55-876f-4f47-83eb-0ee931cb0a97 ``` -To aid in the installation make sure that you have the [latest ISO](https://mirror.rocknsm.io/isos/stable/) downloaded on the machine via `scp` or some other avenue. +To aid in the installation, make sure that you have the [latest ISO](https://mirror.rocknsm.io/isos/stable/) downloaded on the machine via `scp` or some other avenue. + ## Disable FIPS to allow Deployment on all components > **If** your STIG enabled FIPS you will need to disable it on certain machines. The machines that contain Bro/Zeek, Docket, and Stenographer will need to be disabled. From 30bf3310b84673f6db4c9690de3a8c1a79adfa43 Mon Sep 17 00:00:00 2001 From: Kirk K Date: Wed, 7 Apr 2021 09:35:33 -0500 Subject: [PATCH 6/8] Update docs/deploy/rock-on-rhel.md Co-authored-by: Brad Solomon --- docs/deploy/rock-on-rhel.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/docs/deploy/rock-on-rhel.md b/docs/deploy/rock-on-rhel.md index b62ac58..d84ec55 100644 --- a/docs/deploy/rock-on-rhel.md +++ b/docs/deploy/rock-on-rhel.md @@ -15,7 +15,8 @@ To aid in the installation, make sure that you have the [latest ISO](https://mir ## Disable FIPS to allow Deployment on all components -> **If** your STIG enabled FIPS you will need to disable it on certain machines. The machines that contain Bro/Zeek, Docket, and Stenographer will need to be disabled. +> **If** your STIG enabled [FIPS 140-2](https://csrc.nist.gov/publications/detail/fips/140/2/final), you will need to disable it on certain machines. The machines that contain Bro/Zeek, Docket, and Stenographer will need to disable FIPS. + Remove the dracut-fips* packages: From 287cd8308804e0e727ccd89498063b310b776b34 Mon Sep 17 00:00:00 2001 
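Review bot: the line says where to get the ISO but not to verify it before use; add a checksum comparison step (`sha256sum rocknsm2-4.iso` against the value published for that release) before mounting, since the offline deploy installs everything from the local repos copied off this image.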
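Review bot: the note says which hosts must leave FIPS mode but not why or how to tell; add one sentence on what fails under FIPS for Zeek, Docket and Stenographer so operators know whether a newer build still needs this, and tell the reader to check first with the same `sysctl crypto.fips_enabled` used at the end of the section (1 means enabled) so hosts not in FIPS mode skip it.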
From: Kirk K Date: Wed, 7 Apr 2021 09:35:52 -0500 Subject: [PATCH 7/8] Update docs/deploy/rock-on-rhel.md Co-authored-by: Brad Solomon --- docs/deploy/rock-on-rhel.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/docs/deploy/rock-on-rhel.md b/docs/deploy/rock-on-rhel.md index d84ec55..ee18af8 100644 --- a/docs/deploy/rock-on-rhel.md +++ b/docs/deploy/rock-on-rhel.md @@ -126,7 +126,8 @@ Options: --verbose, -v Increase verbosity of ansible-playbook ``` -Change Directory into `usr/share/rock/bin` if you are not already there +Change directory into `/usr/share/rock/bin` if you are not already there. + Run `sudo ./rock ssh-config` to setup ssh on all the host you will use for the deployment. It uses the host from the previously created `hosts.ini` if you have a multinode deployment From ac5a85cd2f74f14e076f0844878551be946f2c56 Mon Sep 17 00:00:00 2001 From: Kirk K Date: Wed, 7 Apr 2021 09:36:55 -0500 Subject: [PATCH 8/8] Update rock-on-rhel.md --- docs/deploy/rock-on-rhel.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/deploy/rock-on-rhel.md b/docs/deploy/rock-on-rhel.md index ee18af8..652acdc 100644 --- a/docs/deploy/rock-on-rhel.md +++ b/docs/deploy/rock-on-rhel.md @@ -1,5 +1,5 @@ # Rock on RHEL -We are ofthen asked how deploy rock on RHEL. This should work for both a single node deployment and a multi-node deployment. +We are often asked how deploy rock on RHEL. This should work for both a single node deployment and a multi-node deployment. Install RHEL using the same guidelines outlined in [Install Section](docs\install\install.md) of the documentation.
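Review bot: the unchanged line right after this one still reads "all the host you will use" (hosts) and "to setup ssh" (to set up SSH); the later "Ensure you are in the `/usr/share/rock/bin/` directory." repeats the line fixed here, so drop one of them, and since `ssh-config` configures key-based auth per the help output above, the sentence should say that instead of "setup ssh".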
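Review bot: the corrected sentence still drops a word: "how deploy rock" should read "how to deploy ROCK" (the document otherwise uses "ROCK"). The unchanged context line below keeps `[Install Section](docs\install\install.md)`, which uses backslashes and a path relative to the repo root rather than to `docs/deploy/`, so it will not resolve; use `../install/install.md`.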