Security Onion 16.04 failing to install


Brandon Stephens

Jun 5, 2018, 7:34:05 AM
to security-onion
All,

I have 4 servers planned for a distributed deployment. Just my luck, as soon as I got 14.04 installed (but not in production) 16.04 was released. I decided since it was so early on in the process to just re-install with the 16.04 image. I am finding that this install fails every time so far. I am going through the boot process, choosing LVM and all the settings from the 14.04 but as soon as the actual installer runs I get an "installer crashed" error and some bug report message.

I have no idea what to do moving forward except to go back to 14.04 and then jump through the upgrade process but given the "We offer no guarantees that this upgrade process will work perfectly." statement on the wiki I would rather have a clean install of 16.04.


Any thought?

-Brandon

Doug Burks

Jun 5, 2018, 7:44:56 AM
to securit...@googlegroups.com
Hi Brandon,

First, did you verify the ISO image?
https://github.com/Security-Onion-Solutions/security-onion/blob/master/Verify_ISO.md

Are these modern servers with EFI instead of traditional BIOS?
https://help.ubuntu.com/community/UEFI

When the ISO boots, do you have an option to run the installer and an option to boot the Live Desktop? If so, have you tried the Live Desktop option and then launching the installer from there?

--
Follow Security Onion on Twitter!
https://twitter.com/securityonion
---
You received this message because you are subscribed to the Google Groups "security-onion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to security-onion+unsubscribe@googlegroups.com.
To post to this group, send email to security-onion@googlegroups.com.
Visit this group at https://groups.google.com/group/security-onion.
For more options, visit https://groups.google.com/d/optout.



--
Doug Burks
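Doug's first question, whether the ISO was verified, is the step most people skip. The following POSIX shell script is an added example, not code from the thread or from the Security Onion project: it checks a downloaded image against a sigs file laid out the way `sha256sum -c` expects ("<hex>  <filename>"). The file names and the digest are constructed for illustration; the project's own hashes and signing key are in the Verify_ISO.md page linked above.

```shell
#!/bin/sh
# Added example, not from the thread or the Security Onion project.
# Verifies a downloaded ISO against a published SHA256 before it is ever booted.
# File names and digests used by the caller are constructed for illustration.

# Print the SHA256 of a file as a bare lowercase hex string.
# Uses coreutils sha256sum where present, otherwise the BSD/perl shasum.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Look up the expected digest for file name $2 in sigs file $1, whose lines
# look like "<hex>  <filename>" (the format sha256sum -c reads).
# Prints the lowercase digest, or nothing if the name is not listed.
expected_hash_from_sigs() {
  awk -v name="$2" '$2 == name { print tolower($1); exit }' "$1"
}

# Return 0 when the file's digest equals $2, 1 otherwise.
# A missing file, or an expected value that is not a full 64-hex-digit
# digest (truncated, empty, wrong algorithm), never verifies.
verify_iso_sha256() {
  iso="$1"; expected="$2"
  [ -f "$iso" ] || return 1
  [ "${#expected}" -eq 64 ] || return 1
  actual="$(sha256_of "$iso")"
  [ "$actual" = "$(printf '%s' "$expected" | tr 'A-F' 'a-f')" ]
}

# Convenience wrapper: verify ISO $1 using the entry for its base name in
# sigs file $2. Reports a missing entry on stderr instead of silently failing.
verify_iso_with_sigs() {
  iso="$1"; sigs="$2"
  name="$(basename "$iso")"
  expected="$(expected_hash_from_sigs "$sigs" "$name")"
  if [ -z "$expected" ]; then
    echo "no entry for $name in $sigs" >&2
    return 1
  fi
  verify_iso_sha256 "$iso" "$expected"
}

# The hash only proves the ISO matches the sigs file. The sigs file itself
# must be authenticated (for example with gpg --verify against the project's
# published signing key, as Verify_ISO.md describes); otherwise whoever can
# swap the ISO on the download path can swap the hash beside it.
#
# Usage on a real download (file names are placeholders):
#   verify_iso_with_sigs securityonion.iso securityonion.iso.sigs && echo OK
```

The digest check and the signature check answer different questions: the hash catches a corrupted or truncated download, which is a plausible cause of an installer that crashes the same way every time, while the signature is what ties that hash to the project rather than to whoever served the file.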

Brandon Stephens

Jun 5, 2018, 9:16:39 AM
to security-onion
On Tuesday, June 5, 2018 at 7:44:56 AM UTC-4, Doug Burks wrote:
> Hi Brandon,
>
> First, did you verify the ISO image?
> https://github.com/Security-Onion-Solutions/security-onion/blob/master/Verify_ISO.md
>
> Are these modern servers with EFI instead of traditional BIOS?
> https://help.ubuntu.com/community/UEFI
>
> When the ISO boots, do you have an option to run the installer and an option to boot the Live Desktop? If so, have you tried the Live Desktop option and then launching the installer from there?
Thanks for the quick reply, Doug. So I did verify the image; these are EFI, though I have tried both that and BIOS options. For what it is worth, the 14.04 image worked just fine with EFI. These are Dell R730xd servers.

I tried the live boot option you suggested which looked to work initially but when the server rebooted for the changes to take effect Ubuntu would not boot. I am stuck at the grub screen for now.

Any other suggestions?

Doug Burks

Jun 5, 2018, 9:29:10 AM
to securit...@googlegroups.com
There is an issue with Pinguy Builder (used for building the ISO) and 16.04 where you can't run the Ubuntu installer directly from the boot menu; otherwise it will crash due to insufficient permissions. We try to avoid this by removing the "Install" option from the boot menu. However, that boot menu only applies to traditional BIOS installations. UEFI boxes get a different boot menu and thus they have the Install option, which leads to "Installer crashed". In my UEFI testing, choosing "Try SecurityOnion 16.04.4.1 without installing" results in a successful installation and I can then reboot into the new installation successfully.

If you try a new EFI installation and choose the LVM option, does it then create a /boot partition at the beginning of the drive?


--
Doug Burks

Brandon Stephens

Jun 5, 2018, 9:43:35 AM
to security-onion
Yes, it looks as if that is happening. As I go to initiate the install, the boot menu is showing 3 partitions titled "ubuntu" but are not bootable options. This is likely one for each time I have tried the install but failed. Will removing these partitions then restarting work?
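Doug's point that UEFI boxes get a different boot menu, and Brandon's three "ubuntu" entries that no longer boot, both come down to firmware state rather than the disk alone: each install attempt that gets as far as grub-install registers a new "ubuntu" entry in NVRAM, and wiping the partitions does not remove those entries. The script below is an added example, not from the thread or the Security Onion project. It tells you which firmware mode you booted in and lists the boot entries carrying a given label from `efibootmgr` output, emitting the removal commands for review rather than running them. The `efibootmgr` output embedded here is constructed to resemble a box with three leftover entries; only the general line format ("BootXXXX* label") is real.

```shell
#!/bin/sh
# Added example, not from the thread or the Security Onion project.
# Distinguishes a UEFI boot from a legacy BIOS boot and finds leftover
# firmware boot entries from repeated install attempts.

# Return 0 when the running kernel was booted through UEFI: the kernel
# creates /sys/firmware/efi only in that case. Return 1 for legacy BIOS.
booted_via_uefi() {
  [ -d /sys/firmware/efi ]
}

# Print "UEFI" or "BIOS" for use in scripts and log lines.
boot_mode() {
  if booted_via_uefi; then echo UEFI; else echo BIOS; fi
}

# Constructed sample of non-verbose `efibootmgr` output (not captured from
# the hardware in the thread). Three "ubuntu" entries are what repeated
# failed installs leave behind; only one can point at the current install.
SAMPLE_EFIBOOTMGR='BootCurrent: 0004
Timeout: 1 seconds
BootOrder: 0001,0002,0003,0004,0000
Boot0000* Windows Boot Manager
Boot0001* ubuntu
Boot0002* ubuntu
Boot0003* ubuntu
Boot0004* UEFI: Built-in EFI Shell'

# Print the four-hex-digit number of every entry whose label is exactly $2,
# one per line, reading efibootmgr output from $1. Entry lines have the form
# "BootXXXX* label" (active) or "BootXXXX  label" (inactive); the label
# starts at column 11 in both cases.
entries_with_label() {
  printf '%s\n' "$1" | awk -v want="$2" '
    /^Boot[0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][* ] / {
      num = substr($0, 5, 4)
      label = substr($0, 11)
      if (label == want) print num
    }'
}

# Number of entries carrying label $2 in output $1, as a plain integer.
count_entries() {
  entries_with_label "$1" "$2" | wc -l | tr -d ' '
}

# Emit the efibootmgr invocations that would delete every entry labelled $2.
# Printed rather than executed so the operator can decide which entry to keep
# (the one for the install you intend to boot) before touching NVRAM.
removal_commands() {
  entries_with_label "$1" "$2" | while IFS= read -r num; do
    printf 'efibootmgr -b %s -B\n' "$num"
  done
}

# Usage on a real UEFI box (needs root for efibootmgr):
#   booted_via_uefi && removal_commands "$(efibootmgr)" ubuntu
```

Run against live output, the listing tells you whether the "ubuntu" entries you see in the firmware menu are stale NVRAM records or genuine installs; if you do delete them, recreate the entry for the install you keep (reinstalling GRUB from the live environment does this) before rebooting, or you trade a cluttered menu for no menu at all.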

Doug Burks

Jun 5, 2018, 9:47:26 AM
to securit...@googlegroups.com
Please try removing all existing partitions and see if that helps.


--
Doug Burks

Blason R

Jun 5, 2018, 1:17:14 PM
to security-onion
I had an IBM 3650 M4 and I faced the same issue with 16.04, but then I went ahead with standard Ubuntu 16.04 and then a manual install, which worked perfectly fine.

Brandon Stephens

Jun 5, 2018, 1:40:12 PM
to security-onion
So, to make sure I was starting from square one, I removed the RAID virtual disk from the iDRAC settings completely, then rebuilt it as RAID 1 on the SSDs for the OS install. Went through the live boot > install steps, then went into the disk and removed all partitions.

Finally installed from the setup script and it installed just fine. I have 3 more servers to do this on so I will post any additional findings. Thanks for the help Doug!

Blason R

Jun 5, 2018, 1:51:55 PM
to securit...@googlegroups.com
Just off topic, what is your use case, NSM or SIEM? Are you using any other mechanism to monitor your network, like EDR, or integrating any other services like sandbox logs?


Brandon Stephens

Jun 5, 2018, 6:17:49 PM
to security-onion
My end goal has always been NSM, as we have a SIEM in place. There are just too many use cases where NSM saves time and provides a higher level of confidence at the end of the day than log correlation. I see a ton of value add for our IR team in adding this capability. I am hoping the Elastic Stack and the management thereof doesn't create too much overhead, but we will see. I do like the interface far better than ELSA, but it feels like there will be much more overhead.