Prerequisite for installing SecMon system is OS CentOS7/CentOS Stream 8/Rocky Linux 9/Ubuntu 22.04 (tested Linux distribution) with user secmon (under which we will deploy SecMon system), internet access and installed programs Docker Engine and Docker Compose v2.3.3.
The functionality of the Docker Engine can be verified with the command docker run hello-world
. Docker Compose functionality can be verified with docker compose version
. If the commands do not run correctly, this problem must be resolved or the installation will not be successful.
# System Update
sudo yum clean all
sudo yum -y update
# Install git, firewall & rsyslog
sudo yum install -y git firewalld rsyslog
# Install python packages
sudo yum install -y https://repo.ius.io/ius-release-el7.rpm
sudo yum install -y python36u python36u-libs python36u-devel python36u-pip
sudo pip3.6 install -U configparser
# Setting up firewall
sudo firewall-cmd --permanent --add-port=8080/tcp
sudo firewall-cmd --permanent --add-port=8443/tcp
sudo firewall-cmd --permanent --add-port=514/tcp
sudo firewall-cmd --reload
# Download SecMon repository
git clone https://github.com/jlasti/secmon.git secmon
# Start deployment process with configuration
cd secmon
sudo python3 secmon_manager.py deploy
# Create password for database user 'secmon' during installation
# Default login credentials user:secmon, password:password
# !!! Change password after first login !!!
https://<host_machine_IP_address>:8443/secmon/web
After successful installation configure logs forwarding on clients using rsyslog service.
# System Update
sudo yum clean all
sudo yum -y update
# Install git, firewall & rsyslog
sudo yum install -y git firewalld rsyslog
# Install python packages
sudo pip3.6 install -U configparser
# Setting up firewall
sudo firewall-cmd --permanent --add-port=8080/tcp
sudo firewall-cmd --permanent --add-port=8443/tcp
sudo firewall-cmd --permanent --add-port=514/tcp
sudo firewall-cmd --reload
# Download SecMon repository
git clone https://github.com/jlasti/secmon.git secmon
# Start deployment process with configuration
cd secmon
sudo python3 secmon_manager.py deploy
# Create password for database user 'secmon' during installation
# Default login credentials user:secmon, password:password
# !!! Change password after first login !!!
https://<host_machine_IP_address>:8443/secmon/web
After successful installation configure logs forwarding on clients using rsyslog service.
# System Update
sudo yum clean all
sudo yum -y update
# Install git, firewall & rsyslog
sudo yum install -y git firewalld rsyslog
# Install python packages
sudo yum install python3-pip
sudo pip install -U configparser
# Setting up firewall
sudo firewall-cmd --permanent --add-port=8080/tcp
sudo firewall-cmd --permanent --add-port=8443/tcp
sudo firewall-cmd --permanent --add-port=514/tcp
sudo firewall-cmd --reload
# Download SecMon repository
git clone https://github.com/jlasti/secmon.git secmon
# Start deployment process with configuration
cd secmon
sudo python3 secmon_manager.py deploy
# Create password for database user 'secmon' during installation
# Default login credentials user:secmon, password:password
# !!! Change password after first login !!!
https://<host_machine_IP_address>:8443/secmon/web
Installation of Docker on Rocky Linux 9: installation help.
After successful installation configure logs forwarding on clients using rsyslog service.
# System Update
sudo apt clean all
sudo apt -y update
# Install git, firewall & rsyslog
sudo apt install -y git ufw rsyslog
# Install python packages
sudo apt-get install -y make build-essential libssl-dev zlib1g-dev \
libbz2-dev libreadline-dev libsqlite3-dev wget curl llvm libncurses5-dev \
libncursesw5-dev xz-utils tk-dev libffi-dev liblzma-dev \
libgdbm-dev libnss3-dev libedit-dev libc6-dev
wget https://www.python.org/ftp/python/3.6.15/Python-3.6.15.tgz
sudo tar -xzf Python-3.6.15.tgz
cd Python-3.6.15
sudo ./configure --enable-optimizations -with-lto --with-pydebug
sudo make altinstall
# Setting up firewall
sudo ufw allow 8080/tcp
sudo ufw allow 8443/tcp
sudo ufw allow 514/tcp
# Download SecMon repository
git clone https://github.com/jlasti/secmon.git secmon
# Start deployment process with configuration
cd secmon
sudo python3 secmon_manager.py deploy
# Create password for database user 'secmon' during installation
# Default login credentials user:secmon, password:password
# !!! Change password after first login !!!
https://<host_machine_IP_address>:8443/secmon/web
After successful installation configure logs forwarding on clients using rsyslog service.
SecMon manager (secmon_manager.py) is a python script located in root directory of SecMon repository. It is used for managing SecMon services as docker containers.
# Show list of all available parameters
python3 secmon_manager.py help
# Stop running SecMon system
python3 secmon_manager.py stop
# Start stopped SecMon system
python3 secmon_manager.py start
# Restart running/stopped SecMon system
python3 secmon_manager.py restart
# Remove SecMon enrichment containers
python3 secmon_manager.py remove
# Manually run configuration script
python3 secmon_manager.py config
# Deploy SecMon system on a host machine
python3 secmon_manager.py deploy
# Update standard rules set
python3 secmon_manager.py update-rules
Set value true
/false
in the file ./config/secmon_config.ini
for a particular enrichment module which you want to turn on/off:
[ENRICHMENT]
correlation = true
geoip = true
network_model = true
After any changes in configuration or rule states, restart the SecMon system with the command:
python3 secmon_manager.py restart
To redirect logs from client machine to the SecMon add the following line at the end of the /etc/rsyslog.conf
file, where <secmon_machine_IP_address>
is the IP address of the remote server (SecMon), you will be writing your logs to:
*.* @@<secmon_machine_IP_address>:514
Save your changes and restart the rsyslog
service on the client with the command:
sudo systemctl restart rsyslog
SecMon UI is written in php Yii2 framework. More information about this framework can be found here or here ;)
SecMon root directory contains a few important directories:
- assets - used for Yii assets/dependencies registration
- commands - main scripts for SecMon services which could be run in Docker containers
- config - storage of SecMon config files after deployment
- controllers - standard MVC directory
- deployment - necessary files for SecMon deployment (system config files, docker-compose.yml and GeoIP database)
- config_files - configuration files for system services
- config_templates - configuration files which are modified during deployment
- dockerfiles - custom Dockerfiles for creating docker images of SecMon services
- docs - tutorials and how to's
- migrations - migrations for database
- models - standard MVC directory
- pids - SEC PIDs in normalizator and correlator
- reporting - SecMon security testing script
rules - contains normalization and correlation rules(moved here)- services - standard MVC+S directory
- views - standard MVC directory
- web - root directory of the web application
- widgets - common UI components or functionalities
Run command inside container:
docker exec <container_name> <command>
docker exec -it secmon_app ls
Run bash
inside container:
docker exec -it <container_name> bash
docker exec -it secmon_app bash
Run composer update
/install
:
docker exec secmon_app composer update
docker exec secmon_app composer install
Database migrations: official guide
docker exec -it secmon_app <command>
Run migration:
docker exec -it secmon_app ./yii migrate
Refreshing migration:
docker exec -it secmon_app ./yii migrate/fresh
Create new migration:
docker exec -it secmon_app ./yii migrate/create <name>
docker exec -it secmon_app ./yii migrate/create security_events_table
Run psql
:
docker exec -it secmon_db psql -U secmon
- Changes in database:
docker exec -it secmon_app ./yii migrate
- Changes in
composer.json
file:docker exec -it secmon_app composer update
- Changes in
./commands
directory/New enrichment module/New normalization or correlation rules:python3 secmon_manager.py deploy
git pull
- Changes in database:
docker exec -it secmon_app ./yii migrate
- Changes in
composer.json
file:docker exec -it secmon_app composer update
- Changes in
./commands
directory/New enrichment module/New normalization or correlation rules:python3 secmon_manager.py deploy
SecMon logs are located in file /var/log/docker/secmon.log