Security Onion on CentOS 7


Rene Bon Ciric

Feb 11, 2015, 11:17:44 PM
to securit...@googlegroups.com
Hello,

I'm interested in spinning a CentOS 7 version of Security Onion. I think we have a lot to gain from it.

I'll be starting work on this. I need to do my homework first. My rough & cryptic road-map goes something like:

- software list
- licensing compatibility
- packaging
- EPEL compatibility
- kickstarts (spin)

Everything 100% adhered to the FOSS way, FHS 3.0 and SELinux protected. I'm gonna work in favor of the Fedora/RHEL/CentOS community and not against it.

If you're interested, post something, will ya?

Joseph Spenner

Feb 12, 2015, 10:40:02 AM
to securit...@googlegroups.com
Sounds great!
Also consider the upgrading, and standard CentOS patching for the base OS.
I'd like to see Dell OpenManage support, but was afraid to risk it on my current installation.

Regards,
Joseph Spenner
 If life gives you lemons, keep them-- because hey.. free lemons.
"♥ Sticker" fixer:  http://microflush.org/stuff/stickers/heartFix.html


Lee Sharp

Feb 12, 2015, 10:53:33 AM
to securit...@googlegroups.com
On 02/11/2015 10:17 PM, Rene Bon Ciric wrote:

> I think we have a lot to gain from it.

What, specifically? I mean that I prefer deb based distributions, but
when I am spinning up an Asterisk box I use CentOS. And when it comes
down to it, Linux is Linux. So what is the advantage here?

(And to be honest, SO is not a pure deb based distribution anymore, as
you use soup, not apt-get for updates...)

Lee

Doug Burks

Feb 12, 2015, 11:12:13 AM
to securit...@googlegroups.com
On Thu, Feb 12, 2015 at 10:53 AM, Lee Sharp <lees...@hal-pc.org> wrote:
> (And to be honest, SO is not a pure deb based distribution anymore, as you
> use soup, not apt-get for updates...)

Soup is just a simple wrapper for apt-get. All of our software is
packaged in standard debs.


--
Doug Burks
Need Security Onion Training or Commercial Support?
http://securityonionsolutions.com

Lee Sharp

Feb 12, 2015, 11:23:39 AM
to securit...@googlegroups.com
On 02/12/2015 10:12 AM, Doug Burks wrote:
> On Thu, Feb 12, 2015 at 10:53 AM, Lee Sharp <lees...@hal-pc.org> wrote:
>> (And to be honest, SO is not a pure deb based distribution anymore, as you
>> use soup, not apt-get for updates...)
>
> Soup is just a simple wrapper for apt-get. All of our software is
> packaged in standard debs.

I know, but it must be wrapped, or bad things can happen, so to the
debian purist... ;)

And if he manages to make a RH (or Fedora, I was never clear on which he
was going for...) spin, he will still need soup (for yum, so
yummy-soup?) so I still do not see the value.

Lee

Rene Bon Ciric

Feb 12, 2015, 11:49:59 AM
to securit...@googlegroups.com
On Thursday, February 12, 2015 at 9:53:33 AM UTC-6, leesharp wrote:
> On 02/11/2015 10:17 PM, Rene Bon Ciric wrote:
>
> > I think we have a lot to gain from it.
>
> What, specifically? I mean that I prefer deb based distributions, but
> when I am spinning up an Asterisk box I use CentOS. And when it comes
> down to it, Linux is Linux. So what is the advantage here?

Well, basically:

- SELinux support.
- Much broader and better industry coverage and support (RHEL?)
- Much more collaboration, community wise (Ubuntu is full of... users)
- Much better security practices (kernel/system-wise)

I do not wish to start a flame on this. It is just my biased opinion. It is what I use and what my clients use. I am a member of the Fedora community so I just relate to that.

> (And to be honest, SO is not a pure deb based distribution anymore, as
> you use soup, not apt-get for updates...)
>
> Lee

I think using a distro and working towards integration on their side is paramount. There is a lot of work going on upstream and, if you start maintaining your own ways, you'll do 10 times the work.

Rene Bon Ciric

Feb 12, 2015, 11:51:35 AM
to securit...@googlegroups.com
On Thursday, February 12, 2015 at 10:23:39 AM UTC-6, leesharp wrote:
> And if he manages to make a RH (or Fedora, I was never clear on which he
> was going for...) spin, he will still need soup (for yum, so
> yummy-soup?) so I still do not see the value.

Well, Fedora is upstream to RHEL/CentOS/Scientific, etc. They're, all, Fedora's children.

So, maintaining packages for Fedora and making them EPEL compatible is the way to go.

C. L. Martinez

Feb 12, 2015, 12:52:18 PM
to securit...@googlegroups.com
Some time ago, I had a similar idea. But in my case, I would use
CentOS 6.x for the server and FreeBSD 10.x/11 (this last one only for
testing) for sensors. In this type of architecture, it will not be
possible to do an "all-in-one" installation, but it offers really
powerful options. And some advantages. For example, maintaining packages
for FreeBSD is really easy these days with a tool like poudriere.
Snort, Suricata and Bro are really stable running under FreeBSD hosts
and performance is really good (and in the near future you won't need to
worry about things like pf_ring because FreeBSD 11 will support netmap
out of the box).

But the problem is with CentOS 6.x due to package dependencies: it
will be very hard to maintain. CentOS 7 is the perfect solution for
the manager but, IMO, there is a stopper component: systemd. It is the
worst decision I have seen in the open source world in years ... But
this is a SO list and this is not the place to speak about systemd.

Maybe in the near future, I will try to accomplish this development:
FreeBSD as sensors and a (CentOS, Ubuntu, Solaris-like?) management
server.

Thanks.

Lee Sharp

Feb 12, 2015, 4:08:00 PM
to securit...@googlegroups.com
On 02/12/2015 10:49 AM, Rene Bon Ciric wrote:

Doing this out of order, and for a good reason... :)

> I do not wish to start a flame on this. It is just my biased opinion.
> It is what I use and what my clients use. I am a member of the Fedora
> community so I just relate to that.

I totally get this. I have an affinity for apt, and prefer deb based
Linux spins. I am also a contributor to m0n0wall, and love FreeBSD.
But if you have seen the pathetic attempts to port Asterisk to Debian
and Ubuntu you will understand my reticence. :)

Also, I love reasoned debate. It keeps you from defaulting to the tool
you know when it is the wrong one for the job. (Like putting that app
in the cloud when it is only accessed from the local office...)

So this is not some snarky comment, but an actual debate trying to get
to the center of your desires and if porting is the best answer to them.

> - SELinux support.

https://wiki.ubuntu.com/SELinux
Now this is a bit out of date... However, this is current.
https://help.ubuntu.com/12.04/serverguide/apparmor.html
And, I can see this as a benefit to a security distribution... :)

> - Much broader and better industry coverage and support (RHEL?)

For what? (remember, not snarky...) Yes, RH/CentOS supports more
telephony cards, but we don't use them in a security server. So what is
missing from Ubuntu that you need supported? (Note: If you say RAID
cards, that might cause me to spin off into why hardware RAID is a very
bad idea, but I will try and restrain myself...)

Or do you mean phone support? In that case, you do NOT want third
party support, as they could very easily break SO. And to be honest,
the problems you will have are most likely to be in SO, and they will
not support SO... So, just buy SO support.

> - Much more collaboration, community wise (Ubuntu is full of... users)

Yet, it seems to get a lot of stuff ported to it very quickly. For
example, where is the RedHat Steam client? (At least Fedora is there
now) https://developer.valvesoftware.com/wiki/Steam_under_Linux

> - Much better security practices (kernel/system-wise)

This can cause some serious battles here. I have heard some very good
arguments that the RH patches to the kernel are not peer reviewed, and
not able to be built from source, and therefore, totally insecure.

In all honesty, I think the kernels are a wash, and security is much
more about the admin running it than the kernel running on it.

> I do not wish to start a flame on this. It is just my biased opinion. It is what I use and what my clients use. I am a member of the Fedora community so I just relate to that.

Again, I am not meaning this as a flame. Just looking at your points as
valid concerns, and looking at other options to cover them. :)

Lee

Renich Bon Ciric

Feb 13, 2015, 3:52:56 AM
to securit...@googlegroups.com
On Thu, Feb 12, 2015 at 3:07 PM, Lee Sharp <lees...@hal-pc.org> wrote:
> On 02/12/2015 10:49 AM, Rene Bon Ciric wrote:
>
> Doing this out of order, and for a good reason... :)
>
>> I do not wish to start a flame on this. It is just my biased opinion.
>> It is what I use and what my clients use. I am a member of the Fedora
>> community so I just relate to that.
>
> I totally get this. I have an affinity for apt, and prefer deb based Linux
> spins. I am also a contributor to m0n0wall, and love FreeBSD. But if you
> have seen the pathetic attempts to port Asterisk to Debian and Ubuntu you
> will understand my reticence. :)
>
> Also, I love reasoned debate. It keeps you from defaulting to the tool you
> know when it is the wrong one for the job. (Like putting that app in the
> cloud when it is only accessed from the local office...)
>
> So this is not some snarky comment, but an actual debate trying to get to
> the center of your desires and if porting is the best answer to them.

I totally get your point and will try to contribute my side of the discussion.

>> - SELinux support.
> https://wiki.ubuntu.com/SELinux
> Now this is a bit out of date... However, this is current.
> https://help.ubuntu.com/12.04/serverguide/apparmor.html
> And, I can see this as a benefit to a security distribution... :)

Even if Ubuntu has a wiki page on it, it is not enabled by default,
nor is there much interest and support within the Ubuntu community.
I'd go as far as daring to say all that comes directly from Fedora;
with Daniel Walsh responding to bug requests on Fedora's/Redhat's
bugzilla.

They have a team dedicated to SELinux support. I'd rather have them
doing the heavy lifting on that side and provide feedback, bug reports
and fixes than maintaining it myself.

AppArmor is, definitely, a MAC worth considering. I can see they have
bug reports and they get attended. This makes the matter a question of
taste; since I do not understand AppArmor at this point. I feel more
comfortable with SELinux overall.


>> - Much broader and better industry coverage and support (RHEL?)
> For what? (remember, not snarky...) Yes, RH/CentOS supports more telephony
> cards, but we don't use them in a security server. So what is missing from
> Ubuntu that you need supported? (Note: If you say RAID cards, that might
> cause me to spin off into why hardware RAID is a very bad idea, but I will
> try and restrain myself...)
>
> Or do you mean phone support? In that case, you do NOT want third party
> support, as they could very easily break SO. And to be honest, the problems
> you will have are most likely to be in SO, and they will not support SO...
> So, just buy SO support.

Redhat is a consulting firm. We can participate with Redhat and Fedora
(community side) to make this even better. They do that for a living.
They produce and contribute to projects in a much greater manner than
Canonical. This is well known and I do not mean to bash anybody with
it; it's just a fact. That makes me trust Redhat/Fedora much more than
Ubuntu.

It is not a matter of phone support or company support. It is a matter
of packaging quality, security minded devs and overall collaboration.
Like I said, I've been much on this side of things. In fact, I've
maintained packages from Ubuntu in Fedora; which have been dropped,
just like that. I am sorry, but I do not trust Ubuntu's community
much. This is of major importance to me.

Personally, and with all the bias in the world, I feel Ubuntu is a pop
distro; one that attracts many people that are not tech-minded. They
just want the free (as in beer) software. This bothers me too much. I
hate going through the support channels and watching people say "just
chmod -R 777 /" or stuff like that. It makes me think that they don't
know what they're doing.

Compare that to the Arch, Fedora, Gentoo, Debian or Funtoo
communities... to me it's pretty obvious but that is just my very
tendentious opinion.

>> - Much more collaboration, community wise (Ubuntu is full of... users)
> Yet, it seems to get a lot of stuff ported to it very quickly. For example,
> where is the RedHat Steam client? (At least Fedora is there now)
> https://developer.valvesoftware.com/wiki/Steam_under_Linux

Maybe it gets ported... hey, maybe it even works... but how does it work?
That is not a common question in the general user's mind. This is my
problem with them.

On the other hand, check this out: https://fedoraproject.org/wiki/User_base

>> - Much better security practices (kernel/system-wise)
> This can cause some serious battles here. I have heard some very good
> arguments that the RH patches to the kernel are not peer reviewed, and not
> able to be built from source, and therefore, totally insecure.
>
> In all honesty, I think the kernels are a wash, and security is much more
> about the admin running it than the kernel running on it.

Well, I've reported a few bugs on the Fedora kernel. Here is a very
long read about it: http://fedoraproject.org/wiki/Kernel

Fedora has a kernel team. That kernel team works for Redhat as well.
Believe me when I say that these things get taken very seriously in
Fedora. Redhat reports a lot of the vulnerabilities at the CVE
database. Check these out:

https://access.redhat.com/security/cve/
http://people.canonical.com/~ubuntu-security/cve/

Check out who reports them. Many are not kernel-related, but, still,
redhat takes these things very seriously and collaborates and fixes
proactively.

>> I do not wish to start a flame on this. It is just my biased opinion. It
>> is what I use and what my clients use. I am a member of the Fedora community
>> so I just relate to that.
>
> Again, I am not meaning this as a flame. Just looking at your points as
> valid concerns, and looking at other options to cover them. :)

So, that is that. I have no intention of offending anybody here. I
just want to make my stance clear. May we, both, learn from each
other.


--
It's hard to be free... but I love to struggle. Love isn't asked for;
it's just given. Respect isn't asked for; it's earned!
Renich Bon Ciric

http://www.woralelandia.com/
http://www.introbella.com/

Lee Sharp

Feb 13, 2015, 1:23:30 PM
to securit...@googlegroups.com
On 02/12/2015 10:01 PM, Renich Bon Ciric wrote:
> Even if Ubuntu has a wiki page of it, it is not enabled by default,

And this is something that can be fixed... The question is do we want
to fix it with SELinux or AppArmor? I think everyone will agree that
security on the security box is a good thing.

> Redhat is a consulting firm. We can participate with Redhat and Fedora
> (community side) to make this even better. They do that for a living.
> They produce and collaborate to projects in a much grater manner than
> Canonical. This is well known and I do not mean to bash anybody with
> it; it's just a fact. That makes me trust Redhat/Fedora much more than
> Ubuntu.

But you would need them to buy off on supporting both SO and all of the
components that make up SO. All to compete for a share of a very small
market with the incumbent player at http://www.securityonionsolutions.com/

> Personally, and with all the bias in the world, I feel Ubuntu is a pop
> distro; one that attracts many people that are not tech-minded. They
> just want the free (as in beer) software. This bothers me too much. I
> hate going through the support channels and watching people say "just
> chmod -R 777 /" or stuff like that. It makes me think that they don't
> know what they're doing.

Yep. Ubuntu shot themselves in the foot and ran off the best support
people. Of the people I know from my Ubuntu cheerleading days, some
have moved to Mint. Some to Kali. And some to FreeBSD. And the ones
that stayed, like me, are much less likely to support folks in the
forums. But it is still a very large community, and so it gets a lot of
development mind share.

>>> - Much more collaboration, community wise (Ubuntu is full of... users)
>> Yet, it seems to get a lot of stuff ported to it very quickly. For example,
>> where is the RedHat Steam client? (At least Fedora is there now)
>> https://developer.valvesoftware.com/wiki/Steam_under_Linux
>
> Maybe it get's ported... hey, maybe it even works... but how it works?
> That is not a common question in the general user's mind. This is my
> problem with them.

But the only support thing I care about is closed software that can not
be ported by the community. If it is open, someone will port it. Valve
hit Ubuntu first, then Debian, and then the rest... And they did it
because that is where the consumer market is.

>>> - Much better security practices (kernel/system-wise)
>> This can cause some serious battles here. I have heard some very good
>> arguments that the RH patches to the kernel are not peer reviewed, and not
>> able to be built from source, and therefore, totally insecure.
>>
>> In all honesty, I think the kernels are a wash, and security is much more
>> about the admin running it than the kernel running on it.
>
> Well, I've reported a few bugs on the Fedora kernel. Here is a very
> long read about it: http://fedoraproject.org/wiki/Kernel
>
> Fedora has a kernel team. That kernel team works for Redhat as well.
> Believe me when I say that these things get taken very seriously in
> Fedora.

It is not that they fix them, but that they diverge from upstream, and
can not be replicated... But, as I said, I really think the people are
less important than the argument to some people. :)

>>> I do not wish to start a flame on this. It is just my biased opinion. It
>>> is what I use and what my clients use. I am a member of the Fedora community
>>> so I just relate to that.
>>
>> Again, I am not meaning this as a flame. Just looking at your points as
>> valid concerns, and looking at other options to cover them. :)
>
> So, that is that. I have no intention of offending anybody here. I
> just want to make my stance clear. May we, both, learn from each
> other.

Ditto! The best thing about being proven wrong is you get to stop being
wrong. :) And in good debates like this, it is very hard not to learn
something worthwhile. :)

Lee

Renich Bon Ciric

Feb 14, 2015, 10:23:57 AM
to securit...@googlegroups.com
On Fri, Feb 13, 2015 at 12:23 PM, Lee Sharp <lees...@hal-pc.org> wrote:
> And this is something that can be fixed... The question is do we want to
> fix it with SELinux or AppArmor? I think everyone will agree that security
> on the security box is a good thing.

Well, I think both are very good. The trick is to support it as well
as possible by taking it seriously. Many independent projects,
OpenStack for instance, made the great mistake of dismissing SELinux
and asking people to turn it off. To me, this is as bad as turning
your firewall off; and it is so because they don't take a MAC
seriously; they don't view it as the last line of defense against a
breach.

I am glad to see OpenStack (Fedora and Redhat's contribution) taking
steps towards it. I am very glad to read about you considering it for
SO.

> But you would need them to buy off on supporting both SO and all of the
> components that make up SO. All to compete for a share of a very small
> market with the incumbent player at http://www.securityonionsolutions.com/

Well, it is not a buyoff. If they see the benefit for it, I am sure
individuals from Fedora's community will contribute. Look at it as a
set of packages. IDS software is always awesome to have, in case you
need it. I am sure the Fedora community (or any community) would see
that value. The thing is starting the movement, as you, guys, have. ;)

> Yep. Ubuntu shot themselves in the foot and ran off the best support
> people. Of the people I know from my Ubuntu cheerleading days, some have
> moved to Mint. Some to Kali. And some to FreeBSD. And the ones that
> stayed, like me, are much less likely to support folks in the forums. But
> it is still a very large community, and so it gets a lot of development mind
> share.

Indeed, it is a very big community. Well, diversity is always good.
Also, good to know people like you are still behind the Ubuntu
project. It gives me hope.

> But the only support thing I care about is closed software that can not be
> ported by the community. If it is open, someone will port it. Valve hit
> Ubuntu first, then Debian, and then the rest... And they did it because
> that is where the consumer market is.

I agree. The userbase on Ubuntu is highly commercial. Besides,
Ubuntu's flexibility (towards closed source software) makes it
convenient.

> It is not that they fix them, but that they diverge from upstream, and can
> not be replicated... But, as I said, I really think the people are less
> important than the argument to some people. :)

Well, the truth is that Redhat, alone, is the single biggest
contributor to the kernel. This is important and it impacts all
around. I am no kernel expert, by far. But I notice that some projects
use the Redhat kernel in their own distributions; or at least provide
it. The same goes for the Debian kernel. Funtoo and Gentoo, for
example, provide both.

> Ditto! The best thing about being proven wrong is you get to stop being
> wrong. :) And in good debates like this, it is very hard not to learn
> something worthwhile. :)

I appreciate your posture and attitude. I am glad we are part of the
same movement; which is FOSS. This discussion leaves me with
admiration and respect for you, man. I wish more people like you join
the community and get behind projects like the ones you back. Keep it
up and let's do our best.

Ali Kilinc

Oct 20, 2015, 7:49:02 PM
to security-onion
How is this project coming along?

Renich Bon Ciric

Oct 20, 2015, 8:56:57 PM
to securit...@googlegroups.com
On Tue, Oct 20, 2015 at 6:16 PM, Ali Kilinc <ahki...@gmail.com> wrote:
> How is this project coming along?

Hello. It is frozen for the time being. The client that needs this
said they would go on with the project in summer... didn't happen, I
guess.