Perched | Security Education, Consulting, and Support

ROCK@home — Installation (2/3)


RockNSM is an open-source network sensor platform that focuses on being reliable, scalable, and secure. Check out the full documentation for more details. This is a companion article to the second part of our ROCK@home video series.

Series Outline

Now I know what network security monitoring is and what I need to get started. How do I install this thing?

Welcome back! Last time we reviewed the topology of a typical home network, and the basic hardware requirements to get a ROCK sensor built on a shoestring budget. In part 2 of this series we’re going to walk through:

  • Getting and applying the .iso

  • Installation

  • Basic configuration

  • Deployment

Media Prep

It’s important to note upfront that RockNSM has been designed to be used as a Linux distribution. It’s not a package or a suite of tools. It’s purpose-built from the ground up. While you can install by cloning the repository and building from there, the only supported installation method is via the official ISO.

Getting the Bits

You can get the image file and its corresponding checksum by heading to download.rocknsm.io.

Once downloaded, let’s talk about different options to apply the image to a USB drive.

GUI Tools

There are several applications out there that make creating bootable media easy and reliable, but let’s specifically mention Etcher. It’s cross-platform, easy to use, and we’ve had great success with it. Here are a few more solid tools:

Command Line

If you’re comfortable working in the terminal, use dd to apply the image. The demo below uses macOS, but if you’re in a Linux environment, the corresponding steps are widely available.

⚠️ Take caution here and verify what disks you’re writing to ⚠️

  1. Once you’ve inserted a USB drive, get its disk ID:

diskutil list

  2. Unmount the whole target disk so you can write to it (unmountDisk releases every volume on the disk; plain umount only handles a single volume and macOS will refuse it on a partitioned disk):

diskutil unmountDisk /dev/disk#

  3. Write the image to the drive:

sudo dd bs=8m if=/path/to/rocknsm.iso of=/dev/disk#

  4. After this, the new ROCK install disk can be safely removed.
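As an added example (not part of the original post or the RockNSM project), here is a small POSIX shell wrapper for the steps above that checks the ISO against the checksum file downloaded with it and refuses to write to anything but a whole, non-boot macOS disk node before it ever calls dd. It assumes the checksum file uses the "<sha256>  <filename>" format and that /dev/disk0 is the boot disk.

```shell
#!/bin/sh
# Added example, not RockNSM project code. Assumes the checksum file is in
# "<sha256>  <filename>" format and that /dev/disk0 is the boot disk.

# SHA-256 of a file using whichever tool the host has (Linux: sha256sum, macOS: shasum).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Succeeds only when the ISO's digest equals the first digest in the checksum file.
verify_iso() {
    iso="$1"; sumfile="$2"
    expected=$(awk '{print $1; exit}' "$sumfile")
    actual=$(sha256_of "$iso")
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# Accept only a whole disk node such as /dev/disk2: never a partition slice
# (disk2s1) and never disk0, which is assumed to be the boot disk.
valid_target() {
    case "$1" in
        /dev/disk0|/dev/disk0s*) return 1 ;;
        /dev/disk[1-9]|/dev/disk[1-9][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# Unmount and write only after both checks pass; the dd invocation itself
# matches the manual step above.
write_iso() {
    iso="$1"; sumfile="$2"; dev="$3"
    verify_iso "$iso" "$sumfile" || { echo "checksum mismatch, refusing to write" >&2; return 1; }
    valid_target "$dev" || { echo "refusing to write to $dev" >&2; return 1; }
    diskutil unmountDisk "$dev" && sudo dd bs=8m if="$iso" of="$dev"
}
```

Usage: write_iso /path/to/rocknsm.iso /path/to/rocknsm.iso.sha256 /dev/disk2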

Installation

Let’s walk through the installation steps for ROCK. I’m going to assume that you’re able to boot your hardware from the USB install drive you created. ROCK will support both legacy BIOS and UEFI modes.

During the install, ROCK will detect the network interface that has an IP address and use it as the management port. So plug in the interface you want to use to remotely manage your sensor.

Once we’re at the main menu there are 2 basic options:

  1. Automated Install

  2. Custom Install

Automated

The automated install makes a lot of decisions for users by skipping over many options to get you up and running.

Custom

The Custom option uses the same settings as Automated, but pauses at the anaconda screen that will allow advanced users to customize how to configure local storage. This is especially helpful when you’re working with multiple disks.

Admin User

I’d like to clarify some steps and encourage users to follow what we believe to be best practices when it comes to admin users. We recommend that the root user is never used directly to interact with a machine, but rather create an account with administrator privileges. We take care of this for you with ROCK by explicitly disabling root in the kickstart file.

After clicking “USER CREATION”, be sure that when creating your admin account you check the box to “make an administrator”.

Once the installation is complete, reboot the machine when prompted and accept the EULA.

Configuration

After reboot we’re ready to review and possibly tune the sensor’s configuration. The primary configuration file for ROCK is found at

/etc/rocknsm/config.yml

This file contains key variables like network interface setup, cpu core utilization, file retention, and more. This configuration file template can be found here.

All of this file’s options are tunable and are commented to describe their function. In a demonstration environment just about all of these settings can be left as default, but I want to point out some things about network interfaces next. Please refer to the full documentation for full configuration details.

Network Interfaces

As I mentioned above, ROCK will see the interface with an IP address and gateway and designate it as the management interface. Any additional interfaces that do not have an active link will be treated as monitor (listening) interfaces. Let’s look at an example box with 2 NICs:

em1 was listed under “rock_monifs:” in config.yml

This sensor has 2 NICs:

  1. enp0s20u3 — plugged in during install and received an IP from a local DHCP server. This will be used to remotely manage ROCK via SSH.

  2. em1 — not connected during install and will be used as a listening interface.

Deploy

Once your configuration file is tuned to suit your environment, it’s finally time to deploy this thing! This is done by running the Ansible deployment script located in: /opt/rocknsm/rock/bin

Kick off the deployment by running the script:

sudo /opt/rocknsm/rock/bin/deploy_rock.sh

Congratulations! Now let’s talk about what to do if things don’t go just right.

Generate Defaults

So what do you do when your config file or other settings get completely messed up and you need to get back to basic default settings? Well we’ve done that a time or two, and there’s a script for that:

/opt/rocknsm/rock/bin/generate_defaults.sh

This script will regenerate a fresh config file for you and get you out of jail.

Conclusion

That wraps things up for now. Stay tuned for the conclusion of this series where we’ll cover how to function-check and operate ROCK, plus some basic steps to maintain it. See you then!