Installing the Sguil Server

From NSMWiki
Revision as of 09:46, 21 June 2007 by Bianco (Talk | contribs)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

To install the central Sguil server, change to the scripts subdirectory of the InstantNSM distribution and run instantnsm_install.pl as root:

# cd ~/instantnsm/scripts
# ./instantnsm_install.pl

If this is your first time running the script on this host, you may be asked for the location of several key programs. If they are in your default path, the script should find them and offer them as the default response. Otherwise, just provide the full path to the requested program.

The installation script should now show you the main menu:

InstantNSM Configuration Utility v0.7.0
David J. Bianco <david@vorant.com>


Select software to configure on this system:

  1)    Configure sguil server
  2)    Configure sguil sensor
  3)    List installed sensors
  4)    Remove a sensor
  5)    Start/Restart a sensor
  6)    Stop a sensor
  7)    Sensor status
  8)    Start/Restart the server
  9)    Stop the server
  10)   Server status
  99)   Exit Configuration Script
>

Selection option #1 (Configure sguil server) and press return.

At this point, you'll probably be asked to help the script locate several additional binaries. These are specific to the server installation, and all are required to be installed.

Where is your 'mysql_install_db' binary located? [/usr/local/bin/mysql_install_db]:
Where is your 'mysqld_safe' binary located? [/usr/local/bin/mysqld_safe]:
Where is your 'mysqladmin' binary located? [/usr/bin/mysqladmin]:
Where is your 'sguild' binary located? [/usr/local/sguil/server/sguild]:
Where is your 'tcltls_so' binary located? []: /usr/local/tcltls/lib/libtls1.50.so
Where is your 'tcpflow' binary located? [/usr/local/bin/tcpflow]:
Where is your 'p0f' binary located? [/usr/local/bin/p0f]:

Notice that the tcltls_so binary could not be located automatically. In fact, this isn't really a program, it's just a shared library. Type the full path name to the installed library and hit ENTER. The other binaries were located automatically.

Now you're ready to begin configuring the server. The script starts by creating two new users, sguil and mysql. The mysql user is the owner of all the backend database files and processes, while sguil owns all the Sguil server files and processes.

You'll also be asked to tell the script where to store the NSM data, which in this case includes the database files and some packet log files that are sent from the sensors to the server in order to satisfy analyst requests. You'll also be asked to specify where the Sguil software itself was installed.

Sguil user already exists.  Using existing account.
MySQL user already exists.  Using existing account.

Where will the NSM data be stored?
[/nsm]:

NSM data will be stored in /nsm
Where is the Sguil source tree?
[/usr/local/sguil]:

Sguil sources are assumed to be at /usr/local/sguil.

Next you'll be asked to supply passwords for the database root and sguil accounts. Note that these are not OS accounts. They're only used within MySQL. The root account is used to create additional db users and to configure security, while the sguil user is the owner of all the actual data. Do not forget these passwords. Once you've selected the passwords, the script will ask for confirmation before proceeding. The installer will wipe out any existing MySQL databases on the computer (not just Sguil databases), so consider carefully before answering yes.

Please select a password for the MySQL 'root' user:
Please retype the password:some_password

Please select a password for the MySQL 'sguil' user:
Please retype the password:some_password

Installing a new server will overwrite any existing configuration
and delete any existing database(s) on this system.  Type 'yes' to continue
or press CTRL-C to cancel : yes
Creating archive and rules directories...

Removing MySQL data directory...

Removing InstantNSM MySQL data directory...

Creating a MySQL data directory...
Configuring MySQL server...
Creating an initial MySQL database structure...
Configuring MySQL to start at boot time...
Starting the MySQL server...
Setting the MySQL root password...
Creating the 'sguil' database user...

Next, the installer will beging to configure the Sguil server. It will copy some configuration files into place in /etc/sguild and then create an SSL certificate to protect communication between the server and the consoles or sensors. The certificate creation process will ask you for several pieces of information, most of which pertain to your organization and it's location.

Creating sguil PID directory...
Creating initial sguild config directories...
Configuring sguild...

InstantNSM needs to create an SSL certificate to protect communication
between the analyst consoles and the sguil server.  This will require
additional information.

Press ENTER to proceed:

Generating a 1024 bit RSA private key
...++++++
............................................++++++
writing new private key to '/var/tmp/instantnsm_ssl_key.CD9531'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:US
State or Province Name (full name) [Berkshire]:California
Locality Name (eg, city) [Newbury]:San Diego
Organization Name (eg, company) [My Company Ltd]:Your Company, Inc.
Organizational Unit Name (eg, section) []:Network Security
Common Name (eg, your name or your server's hostname) []:sguilhost.yourdomain.com
Email Address []:security@yourdomain.com

In the final step, the installer will ask you for a password for the initial analyst account. The account will be called sguil (not to be confused with either the OS or the database accounts of the same name). This is the username and password with which you will log onto the analyst console. Once you've set a password, the installer completes the process by starting the Sguil server, then returns you to the main menu.

Creating the initial user account ('sguil')
Please enter a passwd for sguil:some_password
Retype passwd:some_password
User 'sguil' added successfully
SGUILD: Exiting...

Configuring sguild to start at boot...
/etc/init.d/sguild already exists.  Overwrite it? [Y/n]:
Starting the sguil server...

=====================
Your sguil server has been configured successfully!
You may now connect to it with your analyst console(s), though no data
will show up until at least one sensor has been configured.
=====================

At this point, you may want to go ahead and try to log in to the analyst console using the sguil user and the password you just provided. You won't see any data yet, but at least you'll know that the MySQL database and the Sguil server are both running properly.