Command line only install?


Jason

Jan 6, 2017, 10:56:32 AM
to security-onion
Hey everyone,

Is it possible to do a command line only install of SO 14?

Wes Lambert

Jan 6, 2017, 11:00:16 AM
to securit...@googlegroups.com

Jason,

Currently, the only method of doing this is as described here:

https://github.com/Security-Onion-Solutions/security-onion/wiki/Automating-Setup

Thanks,
Wes


--
Follow Security Onion on Twitter!
https://twitter.com/securityonion
---
You received this message because you are subscribed to the Google Groups "security-onion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to security-onion+unsubscribe@googlegroups.com.
To post to this group, send email to security-onion@googlegroups.com.
Visit this group at https://groups.google.com/group/security-onion.
For more options, visit https://groups.google.com/d/optout.

Wes Lambert

Jan 6, 2017, 11:02:01 AM
to securit...@googlegroups.com

There is also an issue open here for an interactive command-line install:

https://github.com/Security-Onion-Solutions/security-onion/issues/977

Thanks,
Wes



Jason

Jan 6, 2017, 11:12:46 AM
to security-onion
I'll take a look. Thanks, Wes!

Wes Lambert

Jan 9, 2017, 11:53:56 AM
to securit...@googlegroups.com

Patrick, have you run the script a second time?

Thanks,
Wes


On Jan 9, 2017 7:39 AM, "Jason" <jca...@gmail.com> wrote:
On Friday, January 6, 2017 at 11:12:46 AM UTC-5, Jason wrote:
> I'll take a look.  Thanks, Wes!

While on the subject, I'm trying to spin up a server only config in AWS using user data only.  I'm not sure how familiar you are with AWS and user data, but it basically allows you to script the entire installation and configuration of servers so that no user intervention is required.

Knowing that, here is my sosetup.conf for a server only install:

MGMT_INTERFACE='eth0'
MGMT_CONFIG_TYPE='DHCP'
SERVER=1
SERVERNAME='localhost'
SSH_USERNAME=''
SGUIL_SERVER_NAME='securityonion'
SGUIL_CLIENT_USERNAME='MY PERSONAL USERNAME'
SGUIL_CLIENT_PASSWORD_1='MY PERSONAL PASSWORD'
XPLICO_ENABLED='no'
ELSA=YES
UPDATE_ELSA_SERVER='YES'
LOG_SIZE_LIMIT='10000000000'
OSSEC_AGENT_ENABLED='yes'
OSSEC_AGENT_LEVEL='5'
SALT='yes'
SENSOR=0
BRO_ENABLED='yes'
IDS_ENGINE_ENABLED='yes'
SNORT_AGENT_ENABLED='no'
PCAP_ENABLED='yes'
PRADS_ENABLED='no'
SANCP_AGENT_ENABLED='no'
PADS_AGENT_ENABLED='no'
HTTP_AGENT_ENABLED='no'
ARGUS_ENABLED='no'
IDS_RULESET='TALOS and ET'
OINKCODE='733cdfaa7588432336a8347fd160bc400a4697a4'
PF_RING_SLOTS=4096
IDS_ENGINE='suricata'
IDS_LB_PROCS='2'
HOME_NET='MY NET'
BRO_LB_PROCS='2'
EXTRACT_FILES='yes'
PCAP_SIZE='150'
PCAP_RING_SIZE='64'
PCAP_OPTIONS='-c'
WARN_DISK_USAGE='80'
CRIT_DISK_USAGE='90'
DAYSTOKEEP='15'
DAYSTOREPAIR='7'

After turning on the server and it automatically running sudo sosetup -f ~/sosetup.conf using the above, SO gets installed and updated, but OSSEC won't start.

Here is /var/log/nsm/ossec_agent:

Executing: /usr/bin/ossec_agent.tcl -o -f /var/ossec/logs/alerts/alerts.log -i 127.0.0.1 -p 5 -c /etc/nsm/ossec/ossec_agent.conf
chown: invalid user: ‘sguil’
No passwd entry for user 'sguil'

sostat redacted attached.  Keep in mind, no sensor has been added.



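
For an unattended run like the one Jason describes (user data writing sosetup.conf and then calling sudo sosetup -f), the two things worth checking are whether the answer file is complete before sosetup ever runs, and whether the sguil account that the ossec_agent log complains about actually exists afterwards. The script below is an added example, not part of this thread and not Security Onion's own tooling; it assumes the answer file uses the KEY='value' lines shown above, and the sample file it writes is constructed here with the same placeholder values Jason left in.

```shell
#!/bin/sh
# Pre-flight checks around an unattended "sudo sosetup -f <answerfile>" run.
# Added example, not Security Onion code. Assumption: the answer file is a flat
# list of KEY='value' or KEY=value lines, as posted in the thread.

# get_value FILE KEY -> prints KEY's value with surrounding quotes removed (empty if absent)
get_value() {
    sed -n "s/^$2=//p" "$1" | head -n 1 | tr -d "'"
}

# validate_answerfile FILE -> 0 if the file looks usable for "sosetup -f", 1 otherwise
validate_answerfile() {
    f=$1
    rc=0
    [ -r "$f" ] || { echo "cannot read $f"; return 1; }
    # Keys every install needs (taken from the answer file posted above)
    for key in MGMT_INTERFACE MGMT_CONFIG_TYPE SERVER SENSOR; do
        if [ -z "$(get_value "$f" "$key")" ]; then
            echo "missing: $key"; rc=1
        fi
    done
    # A static management address needs the ADDRESS/NETMASK/GATEWAY/NAMESERVER block
    mode=$(get_value "$f" MGMT_CONFIG_TYPE | tr '[:upper:]' '[:lower:]')
    if [ "$mode" = "static" ]; then
        for key in ADDRESS NETMASK GATEWAY NAMESERVER; do
            [ -n "$(get_value "$f" "$key")" ] || { echo "static config needs $key"; rc=1; }
        done
    fi
    # Refuse to run with template placeholders (constructed pattern matching the post above)
    if grep -qE "MY PERSONAL|MY NET" "$f"; then
        echo "placeholder values still present"; rc=1
    fi
    return $rc
}

# user_exists NAME -> 0 if the account is in the passwd database.
# The ossec_agent log above failed with "No passwd entry for user 'sguil'";
# run this after sosetup finishes to confirm the sguil account was created.
user_exists() {
    getent passwd "$1" >/dev/null 2>&1 || grep -q "^$1:" /etc/passwd 2>/dev/null
}

# write_sample_answerfile FILE -> constructed server-only answer file with the
# placeholders deliberately left in, so validation rejects it
write_sample_answerfile() {
    cat > "$1" <<'EOF'
MGMT_INTERFACE='eth0'
MGMT_CONFIG_TYPE='DHCP'
SERVER=1
SENSOR=0
SGUIL_CLIENT_USERNAME='MY PERSONAL USERNAME'
SGUIL_CLIENT_PASSWORD_1='MY PERSONAL PASSWORD'
HOME_NET='MY NET'
EOF
}

# preflight FILE -> validates the file and prints the command to run next
preflight() {
    validate_answerfile "$1" || return 1
    echo "answer file OK; next step: sudo sosetup -f $1"
}

# Stand-alone demo: ./preflight.sh --demo
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    write_sample_answerfile "$tmp"
    preflight "$tmp" || echo "fix the answer file before running sosetup"
    user_exists sguil && echo "sguil account present" || echo "sguil account missing"
    rm -f "$tmp"
fi
```

In a user-data script the preflight call sits just before the sosetup line, so a half-filled template aborts the boot-time install instead of producing a server where OSSEC cannot chown its files; the user_exists check after sosetup turns the chown error into a clear pass/fail you can log.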

Mitul Patel

Feb 28, 2017, 5:36:31 AM
to security-onion
I have tried to run "sudo sosetup -w ~/sosetup.conf" but I get prompted with a display issue.

I am really stuck on this piece of the conf file:

# If MGMT_CONFIG_TYPE=static, then provide the details here:
ADDRESS='172.16.124.243'
NETMASK='255.255.0.0'
GATEWAY='172.16.0.1'
NAMESERVER='172.16.0.2'
DOMAIN='ec2.internal.compute.internal'

Is my ADDRESS supposed to be my EIP? Is the Gateway supposed to be the Internet Gateway from my VPC? Should Nameserver be my private IP?

This is literally my first attempt at SO. Thank You

Wes

Feb 28, 2017, 6:45:18 AM
to security-onion
Mitul,

Please start a new thread, instead of replying to an old one:

https://github.com/Security-Onion-Solutions/security-onion/wiki/MailingLists#start-a-new-thread-instead-of-replying-to-an-old-one

Keep in mind, the "-w" option for sosetup is to write an answerfile, not to read from one.

The writing of an answerfile is so that you can take your responses from sosetup and apply them when running setup again (using the "-f" option), so that you have the same configuration.

Thanks,
Wes