lost and found ( for me ? )

install security onion within Ubuntu 13.10 KVM host

In short, Security Onion is an open-source, Linux-based IDS and NSM (Network Security Monitoring) distribution.

about security onion

Here is how to install Security Onion within an Ubuntu 13.10 KVM host.

I downloaded security-onion-12.04.3-20130904.iso.

install security onion within KVM.

KVM host
root@ubuntu:~# tail -1 /etc/lsb-release ;uname -ri
3.11.0-12-generic x86_64
root@ubuntu:~# qemu-system-x86_64 --version
QEMU emulator version 1.5.0 (Debian 1.5.0+dfsg-3ubuntu5), Copyright (c) 2003-2008 Fabrice Bellard

Create a virtual machine.
Security Onion 12.04 is based on Xubuntu 12.04 64-bit, so I specified Ubuntu 12.04 as the guest OS type.

Here is VM’s definition file.
# virsh dumpxml onion-vm1
<domain type='kvm' id='2'>
  <name>onion-vm1</name>
  <memory unit='KiB'>1048576</memory>
  <currentMemory unit='KiB'>1048576</currentMemory>
  <vcpu placement='static'>1</vcpu>
  <os>
    <type arch='x86_64' machine='pc-i440fx-1.5'>hvm</type>
    <boot dev='cdrom'/>
    <bootmenu enable='yes'/>
  </os>
  <clock offset='utc'/>
  <devices>
    <disk type='file' device='disk'>
      <driver name='qemu' type='qcow2'/>
      <source file='/var/lib/libvirt/images/onion-vm1.qcow2'/>
      <target dev='vda' bus='virtio'/>
      <alias name='virtio-disk0'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x04' function='0x0'/>
    </disk>
    <disk type='file' device='cdrom'>
      <driver name='qemu' type='raw'/>
      <source file='/home/hattori/securityonion-12.04.3-20130904.iso'/>
      <target dev='hdc' bus='ide'/>
      <alias name='ide0-1-0'/>
      <address type='drive' controller='0' bus='1' target='0' unit='0'/>
    </disk>
    <controller type='usb' index='0'>
      <alias name='usb0'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x2'/>
    </controller>
    <controller type='pci' index='0' model='pci-root'>
      <alias name='pci0'/>
    </controller>
    <controller type='ide' index='0'>
      <alias name='ide0'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x1'/>
    </controller>
    <interface type='network'>
      <mac address='mac address'/>
      <source network='default'/>
      <target dev='vnet0'/>
      <model type='virtio'/>
      <alias name='net0'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
    </interface>
    <serial type='pty'>
      <source path='/dev/pts/3'/>
      <target port='0'/>
      <alias name='serial0'/>
    </serial>
    <console type='pty' tty='/dev/pts/3'>
      <source path='/dev/pts/3'/>
      <target type='serial' port='0'/>
      <alias name='serial0'/>
    </console>
    <input type='mouse' bus='ps2'/>
    <graphics type='vnc' port='5900' autoport='yes' listen=''>
      <listen type='address' address=''/>
    </graphics>
    <video>
      <model type='vga' vram='9216' heads='1'/>
      <alias name='video0'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0'/>
    </video>
    <memballoon model='virtio'>
      <alias name='balloon0'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x05' function='0x0'/>
    </memballoon>
  </devices>
  <seclabel type='none'/>
</domain>
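As an added example (not code from the post or from Security Onion), here is a small Python review of the settings in a domain definition like the one above: the boot order, the still-attached install ISO, the VNC console binding and the seclabel. The sample XML is constructed from the definition above with a made-up VNC listen address.

```python
"""Review a libvirt domain XML (as printed by `virsh dumpxml`) for settings a
sensor-VM operator should check. Added example; finding texts are my own wording."""
import xml.etree.ElementTree as ET

# Constructed sample modelled on the onion-vm1 definition, trimmed to the
# elements the checks look at; the VNC listen address is made up.
SAMPLE_XML = """<domain type='kvm'>
  <name>onion-vm1</name>
  <os>
    <type arch='x86_64' machine='pc-i440fx-1.5'>hvm</type>
    <boot dev='cdrom'/>
  </os>
  <devices>
    <disk type='file' device='cdrom'>
      <source file='/home/hattori/securityonion-12.04.3-20130904.iso'/>
    </disk>
    <graphics type='vnc' port='5900' autoport='yes' listen='0.0.0.0'/>
  </devices>
  <seclabel type='none'/>
</domain>"""


def audit_domain(xml_text):
    """Return (severity, message) findings for one domain definition."""
    root = ET.fromstring(xml_text)
    findings = []
    # Boot order: after installation, cdrom first means a left-over ISO decides
    # what the sensor boots.
    boots = [b.get("dev") for b in root.findall("./os/boot")]
    if boots and boots[0] == "cdrom":
        findings.append(("medium", "first boot device is cdrom"))
    for src in root.findall("./devices/disk[@device='cdrom']/source"):
        findings.append(("low", "install ISO still attached: %s" % src.get("file")))
    # VNC bound to a non-loopback address is reachable from the network;
    # without a passwd attribute there is no VNC authentication at all.
    for g in root.findall("./devices/graphics[@type='vnc']"):
        listen = g.get("listen")
        if not listen:
            findings.append(("info", "VNC listen address not in XML; check vnc_listen in qemu.conf"))
        elif listen not in ("127.0.0.1", "::1"):
            findings.append(("high", "VNC console listens on %s" % listen))
        if g.get("passwd") is None:
            findings.append(("medium", "VNC console has no password"))
    # seclabel type='none' disables the per-VM AppArmor/SELinux (sVirt)
    # confinement libvirt would otherwise apply to the qemu process.
    if root.find("./seclabel[@type='none']") is not None:
        findings.append(("medium", "seclabel type='none': sVirt confinement disabled"))
    return findings
```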

boot Security Onion from the ISO image and then click the “Install Security Onion 12.04” icon.
The installation is very easy, just click “OK” or “Next”.

after the installation finishes, reboot the VM so that it boots the OS from its local storage (virtual HDD)


after the login

to access the VM via “virsh console”,

create a ttyS0.conf file under the /etc/init directory
root@onion-vm1:~# cat /etc/init/ttyS0.conf
# tty6 - getty
# This service maintains a getty on tty6 from the point the system is
# started until it is shut down again.

start on runlevel [23] and not-container

stop on runlevel [!23]

exec /sbin/getty -8 115200 ttyS0

edit /etc/default/grub and append console=ttyS0,115200 to GRUB_CMDLINE_LINUX_DEFAULT

# egrep -v ^# /etc/default/grub | grep -v ^$
GRUB_DISTRIBUTOR=`lsb_release -i -s 2> /dev/null || echo Debian`
GRUB_CMDLINE_LINUX_DEFAULT="quiet splash console=ttyS0,115200"

regenerate grub.cfg
root@onion-vm1:~# grub-mkconfig -o /boot/grub/grub.cfg

reboot the VM to apply the setting.

now you can log in to the VM via virsh console.
virsh # console 2
ドメイン onion-vm1 に接続しました
エスケープ文字は ^] です

Ubuntu 12.04.3 LTS onion-vm1 ttyS0

onion-vm1 login: root
Last login: Thu Oct 31 02:20:26 JST 2013 on ttyS0
Welcome to Ubuntu 12.04.3 LTS (GNU/Linux 3.2.0-52-generic x86_64)

* Documentation:  https://help.ubuntu.com/

0 packages can be updated.
0 updates are security updates.


ubuntu 13.10: deploy wordpress and mysql with juju-local ( local provider)

I am a newbie to juju :)
here is how to install juju-local on your local physical box (LXC).
# tail -1 /etc/lsb-release ;uname -ri
3.11.0-12-generic x86_64

at first, disable ufw (this switches off the host firewall entirely)

# ufw disable
Firewall stopped and disabled on system startup

# ufw status
Status: inactive

install juju-local
# apt-add-repository ppa:juju/stable
# apt-get update

# apt-get install juju-local
パッケージリストを読み込んでいます... 完了
状態情報を読み取っています... 完了
 apparmor cloud-image-utils distro-info euca2ools juju-core
 libboost-filesystem1.53.0 libboost-program-options1.53.0
 libgoogle-perftools4 liblxc0 libpcrecpp0 libsnappy1 libtcmalloc-minimal4
 libunwind8 lxc lxc-templates mongodb-clients mongodb-server python-boto
 python-distro-info python-m2crypto python3-lxc
 apparmor-profiles apparmor-docs apparmor-utils shunit2 btrfs-tools lxctl
 apparmor cloud-image-utils distro-info euca2ools juju-core juju-local
 libboost-filesystem1.53.0 libboost-program-options1.53.0
 libgoogle-perftools4 liblxc0 libpcrecpp0 libsnappy1 libtcmalloc-minimal4
 libunwind8 lxc lxc-templates mongodb-clients mongodb-server python-boto
 python-distro-info python-m2crypto python3-lxc
アップグレード: 0 個、新規インストール: 22 個、削除: 0 個、保留: 0 個。
83.0 MB のアーカイブを取得する必要があります。
この操作後に追加で 252 MB のディスク容量が消費されます。

change the default juju environment from amazon to local.
# juju generate-config
A boilerplate environment configuration file has been written to /root/.juju/environments.yaml.
Edit the file to configure your juju environment and run bootstrap.

# ls .juju/
current-environment  environments.yaml

# juju switch local
Changed default environment from "amazon" to "local"

# egrep -v "#" .juju/current-environment

# egrep -v "#" .juju/environments.yaml | grep -v admin-secret

default: amazon

   type: openstack
   control-bucket: juju-bde536d2444c7533e9c19b5877d4efd1
   type: openstack
   use-floating-ip: false
   control-bucket: juju-108cbfed20c4909f4e95bb6458b17c52
   auth-url: https://region-a.geo-1.identity.hpcloudsvc.com:35357/v2.0/
         type: "null"
         storage-auth-key: da66fcac91d766cb8e3c5a7bdd146e67
   type: maas
   maas-server: ''
   maas-oauth: '<add your OAuth credentials from MAAS here>'
   default-series: precise
   type: local
   type: ec2
   control-bucket: juju-86ea87cd8c0d2c5c34aabdd972c74dfb
   type: azure
   location: West US
   management-subscription-id: 886413e1-3b8a-5382-9b90-0c9aee199e5d
   management-certificate-path: /home/me/azure.pem
   storage-account-name: ghedlkjhw54e

juju bootstrap: start up an environment from scratch
# juju bootstrap

# cat .juju/environments/local.jenv  
user: ""
password: ""
state-servers: []
ca-cert: ""
 admin-secret: 03edd75816997e16a7f9bfe0afecc362
 agent-version: 1.16.0
 api-port: 17070
 authorized-keys: 'ssh-rsa
 ca-cert: '-----BEGIN CERTIFICATE-----
   -----END RSA PRIVATE KEY-----

 default-series: precise
 development: false
 firewall-mode: instance
 image-metadata-url: ""
 logging-config: <root>=DEBUG
 name: local
 network-bridge: lxcbr0
 root-dir: /root/.juju/local
 shared-storage-port: 8041
 ssl-hostname-verification: true
 state-port: 37017
 storage-port: 8040
 tools-url: ""
 type: local
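As an added example (not part of the original post): the local.jenv above keeps the admin-secret and the private key whose PEM footer is visible in plaintext under /root/.juju. The Python scanner below, written for this flat key: value layout rather than general YAML, flags those and two settings worth a look; its sample file is constructed with placeholder values.

```python
"""Audit a juju .jenv for plaintext secrets and weak settings. Added example,
not from the original post; parses only the flat 'key: value' layout shown there
(single-quoted multi-line PEM values included), not general YAML."""
import re

# Constructed sample: keys follow the post's local.jenv, values are placeholders
# and the certificate/key bodies are shortened.
SAMPLE_JENV = """\
admin-secret: 0000placeholder-admin-secret0000
ca-cert: '-----BEGIN CERTIFICATE-----
  MIIB...placeholder...
  -----END CERTIFICATE-----
  '
ca-private-key: '-----BEGIN RSA PRIVATE KEY-----
  MIIE...placeholder...
  -----END RSA PRIVATE KEY-----
  '
logging-config: <root>=DEBUG
ssl-hostname-verification: true
type: local
"""

SECRET_KEYS = ("admin-secret", "password", "ca-private-key", "storage-auth-key")


def parse_jenv(text):
    """Return {key: value}; indented lines continue the previous (quoted) value."""
    entries, key = {}, None
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z][\w-]*):\s?(.*)$", line)
        if m:
            key = m.group(1)
            entries[key] = m.group(2)
        elif key is not None and line.startswith(" "):
            entries[key] += "\n" + line.strip()
    return {k: v.strip().strip("'\"").strip() for k, v in entries.items()}


def audit_jenv(text):
    """Return (severity, message) findings; empty when nothing is flagged."""
    env, findings = parse_jenv(text), []
    for k in SECRET_KEYS:           # secret keys present with a non-empty value
        if env.get(k, ""):
            findings.append(("high", "%s stored in plaintext" % k))
    for k, v in env.items():        # a PEM private key hiding under another key
        if "PRIVATE KEY-----" in v and k not in SECRET_KEYS:
            findings.append(("high", "%s contains a private key" % k))
    if env.get("ssl-hostname-verification", "true") != "true":
        findings.append(("medium", "ssl-hostname-verification disabled"))
    if "DEBUG" in env.get("logging-config", ""):
        findings.append(("low", "DEBUG logging enabled; logs may record secrets"))
    return findings
```

Because juju bootstrap writes this file for you, the practical follow-up is to keep it owner-readable only (chmod 600) and out of backups and pastes.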

deploy charms from the charm store using the following commands

# juju deploy mysql
# juju deploy wordpress
# juju add-relation wordpress mysql

# ls .juju/local/storage/
bootstrap-verify           cs_3a_precise_2f_wordpress-20  tools
cs_3a_precise_2f_mysql-28  provider-state

in my environment, it took 20 minutes or so to deploy the wordpress and mysql containers.
# lxc-ls --fancy
NAME                  STATE    IPV4  IPV6  AUTOSTART  
root-local-machine-1  STOPPED  -     -     NO

# lxc-ls --fancy
NAME                  STATE    IPV4        IPV6  AUTOSTART  
root-local-machine-1  RUNNING  -     YES        
root-local-machine-2  RUNNING  -     YES  

# juju -v status
verbose is deprecated with the current meaning, use show-log
2013-10-29 17:46:44 INFO juju.provider.local environprovider.go:32 opening environment "local"
2013-10-29 17:46:44 INFO juju.state open.go:68 opening state; mongo addresses: [""]; entity ""
2013-10-29 17:46:44 INFO juju.state open.go:106 connection established
environment: local
   agent-state: started
   instance-id: localhost
   series: saucy
   agent-state: started
   instance-id: root-local-machine-1
   series: precise
   agent-state: started
   instance-id: root-local-machine-2
   series: precise
   charm: cs:precise/mysql-28
   exposed: false
     - mysql
     - wordpress
       agent-state: started
       machine: "1"
   charm: cs:precise/wordpress-20
   exposed: false
     - mysql
     - wordpress
       agent-state: started
       machine: "2"
       - 80/tcp
2013-10-29 17:46:44 INFO juju supercommand.go:286 command finished

access to wordpress ( )

destroy the environment
root@ubuntu:~# juju destroy-environment
WARNING: this command will destroy the "local" environment (type: local)
This includes all machines, services, data and other resources.

Continue [y/N]? y

root@ubuntu:~# lxc-ls --fancy
NAME                  STATE    IPV4  IPV6  AUTOSTART  
root-local-machine-2  STOPPED  -     -     NO         
root@ubuntu:~# lxc-ls --fancy
root@ubuntu:~# lxc-ls --fancy