-
Notifications
You must be signed in to change notification settings - Fork 16
Rock On RHEL #49
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Open
koelslaw
wants to merge
8
commits into
rocknsm:master
Choose a base branch
from
koelslaw:master
base: master
Could not load branches
Branch not found: {{ refName }}
Loading
Could not load tags
Nothing to show
Loading
Are you sure you want to change the base?
Some commits from the old base branch may be removed from the timeline,
and old review comments may become outdated.
Open
Rock On RHEL #49
Changes from all commits
Commits
Show all changes
8 commits
Select commit
Hold shift + click to select a range
afc7371
Rock On RHEL
koelslaw 494f38e
Update docs/deploy/rock-on-rhel.md
koelslaw 03a9fb2
Update docs/deploy/rock-on-rhel.md
koelslaw 79485b7
Update docs/deploy/rock-on-rhel.md
koelslaw 6489ec2
Update docs/deploy/rock-on-rhel.md
koelslaw 30bf331
Update docs/deploy/rock-on-rhel.md
koelslaw 287cd83
Update docs/deploy/rock-on-rhel.md
koelslaw ac5a85c
Update rock-on-rhel.md
koelslaw File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,191 @@ | ||
| # Rock on RHEL | ||
| We are often asked how deploy rock on RHEL. This should work for both a single node deployment and a multi-node deployment. | ||
|
|
||
| Install RHEL using the same guidelines outlined in [Install Section](docs\install\install.md) of the documentation. | ||
|
|
||
| If you have not done so already, register the RHEL OS. | ||
| ``` | ||
| [root@server1 ~]# subscription-manager register --username admin-example --password secret | ||
| ``` | ||
| It should reply back with something like this: | ||
| ``` | ||
| The system has been registered with id: 7d133d55-876f-4f47-83eb-0ee931cb0a97 | ||
| ``` | ||
| To aid in the installation, make sure that you have the [latest ISO](https://mirror.rocknsm.io/isos/stable/) downloaded on the machine via `scp` or some other avenue. | ||
|
|
||
|
|
||
| ## Disable FIPS to allow Deployment on all components | ||
| > **If** your STIG enabled [FIPS 140-2](https://csrc.nist.gov/publications/detail/fips/140/2/final), you will need to disable it on certain machines. The machines that contain Bro/Zeek, Docket, and Stenographer will need to disable FIPS. | ||
|
|
||
|
|
||
|
|
||
| Remove the dracut-fips* packages: | ||
|
|
||
| ``` | ||
| sudo yum remove dracut-fips\* | ||
| ``` | ||
|
|
||
| Backup existing FIPS initramfs | ||
| ``` | ||
| sudo mv -v /boot/initramfs-$(uname -r).img{,.FIPS-bak} | ||
| ``` | ||
|
|
||
| Run dracut to rebuild the initramfs | ||
| ``` | ||
| sudo dracut | ||
| ``` | ||
|
|
||
| Run Grubby | ||
| ``` | ||
| sudo grubby --update-kernel=ALL --remove-args=fips=1 | ||
| ``` | ||
|
|
||
| Carefully update the grub config file setting fips=0 | ||
|
|
||
| ``` | ||
| sudo vi /etc/default/grub | ||
| ``` | ||
|
|
||
| Reboot the VM | ||
| ``` | ||
| sudo reboot | ||
| ``` | ||
|
|
||
| Log back in... | ||
|
|
||
| Confirm that fips is disabled by | ||
| ``` | ||
| sysctl crypto.fips_enabled | ||
| ``` | ||
|
|
||
| if it returns `0` then it has been properly disabled | ||
|
|
||
|
|
||
|
|
||
| ## Deployment of Rock across All Machines | ||
| Mount the latest iso in this case its rocknsm2-4.iso to `/mnt` | ||
|
|
||
| Copy the folders form the mounted device to `/srv/rocknsm` | ||
|
|
||
| Create the a place for your pet ROCK to live | ||
| ``` | ||
| sudo mkdir -p /usr/share/rock | ||
| ``` | ||
|
|
||
| Git Clone or Copy the rocknsm repo to the `/usr/share/rock` directory | ||
| ``` | ||
| sudo git clone https://github.com/rocknsm/rock.git | ||
| ``` | ||
|
|
||
| Install Ansible to coordinate the installation of the Sensor | ||
| ``` | ||
| sudo yum install ansible | ||
| ``` | ||
|
|
||
| Ensure the latest version of markupsafe is installed also | ||
| ``` | ||
| sudo yum install python2-markupsafe | ||
| ``` | ||
|
|
||
| Copy the hosts.ini file that so ansible knows where to deploy things using `sudo cp /usr/share/rock/etc/rocknsm/hosts.ini /etc/rocknsm/.` | ||
|
|
||
| > NOTE: Most of the Rock configuration is now automated and can be called from anywhere on the os. | ||
|
|
||
| ``` | ||
| [admin@sensor ~]$ sudo rock help | ||
| Usage: /sbin/rock COMMAND [options] | ||
| Commands: | ||
| setup Launch TUI to configure this host for deployment | ||
| tui Alias for setup | ||
| ssh-config Configure hosts in inventory to use key-based auth (multinode) | ||
| deploy Deploy selected ROCK components | ||
| deploy-offline Same as deploy --offline (Default ISO behavior) | ||
| deploy-online Same as deploy --online | ||
| stop Stop all ROCK services | ||
| start Start all ROCK services | ||
| restart Restart all ROCK services | ||
| status Report status for all ROCK services | ||
| genconfig Generate default configuration based on current system | ||
| destroy Destroy all ROCK data: indexes, logs, PCAP, i.e. EVERYTHING | ||
| NOTE: Will not remove any services, just the data | ||
|
|
||
| Options: | ||
| --config, -c <config_yaml> Specify full path to configuration overrides | ||
| --extra, -e <ansible variables> Set additional variables as key=value or YAML/JSON passed to ansible-playbook | ||
| --help, -h Show this usage information | ||
| --inventory, -i <inventory_path> Specify path to Ansible inventory file | ||
| --limit <host> Specify host to run plays | ||
| --list-hosts Outputs a list of matching hosts; does not execute anything else | ||
| --list-tags List all available tags | ||
| --list-tasks List all tasks that would be executed | ||
| --offline, -o Deploy ROCK using only local repos (Default ISO behavior) | ||
| --online, -O Deploy ROCK using online repos | ||
| --playbook, -p <playbook_path> Specify path to Ansible playbook file | ||
| --skip-tags <tags> Only run plays and tasks whose tags do not match these values | ||
| --tags, -t <tags> Only run plays and tasks tagged with these values | ||
| --verbose, -v Increase verbosity of ansible-playbook | ||
| ``` | ||
|
|
||
| Change directory into `/usr/share/rock/bin` if you are not already there. | ||
|
|
||
|
|
||
| Run `sudo ./rock ssh-config` to setup ssh on all the host you will use for the deployment. It uses the host from the previously created `hosts.ini` if you have a multinode deployment | ||
|
|
||
| Run `sudo ./rock genconfig` to generate config file. Unless you are doing something really off the beaten path of a normal deployment you should not need to edit this file. | ||
|
|
||
| Ensure you are in the `/usr/share/rock/bin/` directory. | ||
|
|
||
| Fire off the installation | ||
|
|
||
| ``` | ||
| sudo ./rock deploy-offline | ||
| ``` | ||
| Once the deployment is completed with the components you chose, you'll be | ||
| congratulated with a success banner. Congratulations! | ||
|
|
||
| <p align="center"> | ||
| <img src="../../img/install_banner.png"> | ||
| </p> | ||
|
|
||
|
|
||
| Ensure the following ports on the firewall are open if you need them to be | ||
| - 9300 TCP - Node coordination (I am sure elastic has abetter name for this) | ||
| - 9200 TCP - Elasticsearch | ||
| - 5601 TCP - Kibna | ||
| - 22 TCP - SSH Access | ||
| - 9092 TCP - Kafka | ||
|
|
||
| ``` | ||
| sudo firewall-cmd --add-port=9300/tcp --permanent | ||
| ``` | ||
|
|
||
| Reload the firewall config | ||
| ``` | ||
| sudo firewall-cmd --reload | ||
| ``` | ||
|
|
||
| Check the Suricata `threads` per interface. This is so Suricata doesn't compete with Zeek for CPU threads. If you are listening on multiple interfaces, then you will have to set threads for all of them. | ||
|
|
||
|
|
||
| ```yml | ||
| %YAML 1.1 | ||
| --- | ||
| default-rule-path: "/var/lib/suricata/rules" | ||
| rule-files: | ||
| - suricata.rules | ||
|
|
||
| af-packet: | ||
| - interface: em3 | ||
| threads: 4 <--------- | ||
| cluster-id: 98 | ||
| cluster-type: cluster_flow | ||
| defrag: yes | ||
| use-mmap: yes | ||
| mmap-locked: yes | ||
| #rollover: yes | ||
| tpacket-v3: yes | ||
| use-emergency-flush: yes | ||
| default-log-dir: /data/suricata | ||
| ``` | ||
|
|
||
| CONGRATZ!!! You now have ROCK NSM of RHEL | ||
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is unclear. is the user still booting from the ROCK ISO?