In an effort to get this into the hands of people who will break it and/or make it useful, I’m sharing this ISO and some notes on how to use it. Note that this is a work in progress; I will build on these notes to make what will ultimately be the release notes.
Last caveat: there’s nothing secret here. Everything on the ISO is available in a repo, including the build scripts. I’m not going to go into how to build this, but a curious little rhino could likely figure it out without too much trouble by poking around the source tree.
ℹ️ I’m calling this BETA1, though it’s not quite so formal.
Time to face the change…
Some of the biggest changes with ROCK 2.0 are upgrading all the software to the latest versions. Here’s a list.
Software | Version | Notes
---|---|---
CentOS | 7.3 (1611) |
Bro | 2.5 | Plugins for kafka output and af_packet capture
Suricata | 3.1.3 | This is the default signature-based IDS
Snort | 2.9.8.3 | This is now an optional replacement for Suricata
Stenographer | Git 12106b |
Kafka | 0.10.0.0 |
Elasticsearch | 5.1.1 |
Logstash | 5.1.1 |
Kibana | 5.1.1 |
Ansible | 2.2.0.0 |
On top of the software updates, we also changed the deployment mechanism to Ansible. We did this for a few reasons: I used it for one of my full-time projects, it’s super lightweight and available in EPEL, it doesn’t require an agent, and it’s super easy to understand. I’m hoping that ultimately this makes the platform more approachable to a wider community and better suited to offline or isolated install environments, which I’ve frequently encountered for sensor networks.
On that last note, we now have an ISO that should contain everything you need to deploy. The ISO is merely a snapshot of the packages available at the time and the latest snapshot of various Git repositories.
Download the ISO here:
Field | Value
---|---
Filename |
Filesize | 1.7 GB (1733177344 bytes)
SHA256 | d0ecd173561bdd7695a2b4c1b03f27bb824ce15fd8d845cd8c69d9231a9b3920
I’ve tested the ISO booting mostly in a VMware VM, which uses BIOS. I’ve also burned it to a USB thumb drive (I used the 16 GB USB3 from MicroCenter) and installed it in UEFI mode on my home test sensor. For now, you’ll have to Google how to copy an ISO to a thumb drive. I used `dd` on a Mac.
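Before you hand the ISO to `dd`, check it against the SHA256 published in the table above. The script below is an added example, not part of the ROCK project or its ISO; it uses whichever digest tool the host has (`sha256sum` on Linux, `shasum` on macOS), and the ISO path and USB device in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example (not from the ROCK project): verify a downloaded ISO against
# the published SHA256 before writing it to a USB drive.

# Digest published in the BETA1 release notes for the ROCK 2.0 ISO.
ROCK_ISO_SHA256=d0ecd173561bdd7695a2b4c1b03f27bb824ce15fd8d845cd8c69d9231a9b3920

compute_sha256() {
  # Print the lowercase hex SHA256 of $1 using whatever tool the host provides.
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  elif command -v shasum >/dev/null 2>&1; then
    shasum -a 256 "$1" | awk '{print $1}'
  else
    echo "no sha256 tool found (need sha256sum or shasum)" >&2
    return 2
  fi
}

verify_iso_sha256() {
  # $1 = path to the ISO, $2 = expected digest (any case).
  # Returns 0 on match, 1 on mismatch, 2 if the file or tool is unavailable.
  iso=$1
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  [ -r "$iso" ] || { echo "cannot read $iso" >&2; return 2; }
  actual=$(compute_sha256 "$iso") || return 2
  if [ "$actual" = "$expected" ]; then
    echo "OK: $iso matches $expected"
    return 0
  fi
  echo "MISMATCH: $iso" >&2
  echo "  expected $expected" >&2
  echo "  actual   $actual" >&2
  return 1
}

write_iso_if_verified() {
  # $1 = ISO path, $2 = expected digest, $3 = raw USB device (this wipes it).
  # Refuses to touch the device unless the digest matches.
  verify_iso_sha256 "$1" "$2" || return $?
  echo "writing $1 to $3 (all data on the device will be destroyed)"
  dd if="$1" of="$3" bs=1048576 && sync
}

# Usage (placeholder path and device; run the dd step as root):
#   verify_iso_sha256 ~/Downloads/rock-2.0-beta1.iso "$ROCK_ISO_SHA256"
#   write_iso_if_verified ~/Downloads/rock-2.0-beta1.iso "$ROCK_ISO_SHA256" /dev/rdiskN
```

A block size of 1048576 bytes is used rather than `bs=4m`/`bs=4M` because BSD `dd` (macOS) and GNU `dd` disagree on the letter suffixes; the plain number works on both.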
Boot the ISO. If you’re installing in a VM, I recommend you disable the "consistent naming" of network interfaces, since it makes no sense in the VMware (or other hypervisor) universe. When the boot splash screen appears, press Tab, and it will allow you to edit the boot line. Add the following:
biosdevname=0 net.ifnames=0
This will ensure you get interface names like `eth0`. If you have physical hardware, I highly recommend that you do not use this option.
The installer will autorun and install according to the kickstart on the disk. Once complete, it will reboot and you will be presented with a login prompt. We’re working on generating a random password in a useful way, but for now, the credentials are:
`rockadmin` / `ROCKadmin!1234`
The `root` account is locked by default and `rockadmin` has `sudo` access. Don’t let this fall into production without changing that password.
In fact, don’t use this in production at all!
You’re now ready for Configuration
You can also clone the SimpleRock repository. The instructions for the ISO above use a snapshot of the `devel` repo. You can clone this repo and simply run the `./generate_defaults.sh` script in the `ansible` directory. This will generate the file `/etc/rocknsm/config.yml`.
You’re now ready for Configuration
If you wish to run an offline install (the ISO sets you up for this already), edit `/etc/rocknsm/config.yml` and change the following setting as shown:
rock_online_install: False
If this value is set to `True`, Ansible will configure your system for the yum repositories listed and pull packages and git repos directly from the URLs given. You could easily point this to local mirrors if needed.
While you’re in there, you can change the auto-detected defaults, such as which interfaces to use, hostname, FQDN, resources to use, etc. You can also disable features altogether at the bottom by simply changing the feature value to `False` as shown below. Don’t do this unless you know what you’re doing.
with_nginx: False (1)
- (1) This disables nginx from being installed or configured. Note that it will not remove it if it is already present.
Once you’ve completed flipping the bits as you see fit, simply run `/opt/rocknsm/ansible/deploy_rock.sh`. If all goes well, this should install all the components and give you a success banner.
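Because a disabled feature is silently left in place if it was already installed, it helps to see what `config.yml` will actually do before running `deploy_rock.sh`. The pre-flight check below is an added example and not part of ROCK or its Ansible scripts; it assumes the flat `key: value` layout shown above (`rock_online_install`, `with_<feature>` flags), and the sample config in the test is constructed.

```shell
#!/bin/sh
# Added example (not from the ROCK project): summarise what
# /etc/rocknsm/config.yml will do before deploy_rock.sh is run.

config_value() {
  # Print the value of the line starting with "<key>:" in file $1; empty if absent.
  # Trailing "# comments" are stripped (assumes no '#' inside values).
  awk -v k="$2" 'index($0, k ":") == 1 {
      sub(/[ \t]*#.*$/, "")
      sub(/^[^:]*:[ \t]*/, "")
      print
      exit
  }' "$1"
}

disabled_features() {
  # List every with_<feature> key whose value is False (case-insensitive).
  awk '$1 ~ /^with_[a-z0-9_]+:$/ && tolower($2) == "false" {
      sub(/:$/, "", $1)
      print $1
  }' "$1"
}

preflight_check() {
  # $1 = path to config.yml (defaults to the path deploy_rock.sh reads).
  # Returns 0 on a readable config with a valid install mode, 1 otherwise.
  cfg=${1:-/etc/rocknsm/config.yml}
  [ -r "$cfg" ] || { echo "cannot read $cfg" >&2; return 2; }

  online=$(config_value "$cfg" rock_online_install)
  case $(printf '%s' "$online" | tr 'A-Z' 'a-z') in
    true)  echo "mode: online install (packages and repos pulled from the URLs in $cfg)" ;;
    false) echo "mode: offline install (uses the repos the ISO set up)" ;;
    *)     echo "rock_online_install is missing or not True/False: '$online'" >&2; return 1 ;;
  esac

  n=0
  for f in $(disabled_features "$cfg"); do
    echo "WARNING: $f is False: it will not be installed or configured, and an existing install is NOT removed"
    n=$((n + 1))
  done
  echo "$n feature(s) disabled"
  return 0
}

# Usage: sh preflight.sh /etc/rocknsm/config.yml
if [ $# -gt 0 ]; then
  preflight_check "$1"
fi
```

Run it after editing `config.yml` and before `deploy_rock.sh`; a non-zero exit means the install mode line is missing or malformed, and each WARNING line names a feature the playbook will skip.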