Trouble with automated installation


#1

Hello everyone,

I’m trying to get RockNSM working. I’m not doing anything special. I’m using the newest 2.2 .iso in VirtualBox 6.0, on a laptop with a WiFi NIC for management and an Ethernet NIC for monitoring.

I chose to do the automated installation.

I added a user with root privileges via the text-based menu during installation. (This did not match the docs, but the user is working as expected.)

I followed the instructions to update the OS using yum.

I reviewed /etc/rocknsm/config.yml and didn’t make any changes. It saw my second NIC as the right one for monitoring. I noticed this looked odd:

the number of CPUs that bro will use

bro_cpu: 0

but I didn’t change it.

I ran deploy_rock.sh and saw what looked like errors at the end:

TASK [debug] *******************************************************************
skipping: [simplerockbuild.simplerock.lan]

TASK [Install packages] ********************************************************
failed: [simplerockbuild.simplerock.lan] (item={u’state’: u’installed’, u’pkg’: [u’java-1.8.0-openjdk-headless’, u’jq’, u’GeoIP’, u’GeoIP-update’, u’tcpreplay’, u’tcpdump’, u’bats’, u’policycoreutils-python’, u’htop’, u’vim’, u’git’, u’tmux ‘, u’nmap-ncat’, u’logrotate’]}) => {“changed”: false, “item”: {“pkg”: [“java-1. 8.0-openjdk-headless”, “jq”, “GeoIP”, “GeoIP-update”, “tcpreplay”, “tcpdump”, “b ats”, “policycoreutils-python”, “htop”, “vim”, “git”, “tmux”, “nmap-ncat”, “logr otate”], “state”: “installed”}, “msg”: “Error: Package: audit-libs-python-2.8.1- 3.el7_5.1.x86_64 (rocknsm-local)\n Requires: audit-libs(x86-64) = 2.8. 1-3.el7_5.1\n Installed: audit-libs-2.8.4-4.el7.x86_64 (@base)\n audit-libs(x86-64) = 2.8.4-4.el7\n Available: audit-libs-2.8. 1-3.el7_5.1.x86_64 (rocknsm-local)\n audit-libs(x86-64) = 2.8.1-3. el7_5.1\nError: Package: GeoIP-update-1.5.0-11.el7.noarch (rocknsm-local)\n Requires: GeoIP = 1.5.0-11.el7\n Installed: GeoIP-1.5.0-13.el7.x 86_64 (@base)\n GeoIP = 1.5.0-13.el7\n Available: GeoIP- 1.5.0-11.el7.x86_64 (rocknsm-local)\n GeoIP = 1.5.0-11.el7\nError: Package: policycoreutils-python-2.5-22.el7.x86_64 (rocknsm-local)\n R equires: policycoreutils = 2.5-22.el7\n Installed: policycoreutils-2.5 -29.el7.x86_64 (@base)\n policycoreutils = 2.5-29.el7\n Available: policycoreutils-2.5-22.el7.x86_64 (rocknsm-local)\n pol icycoreutils = 2.5-22.el7\nError: Package: libsemanage-python-2.5-11.el7.x86_64 (rocknsm-local)\n Requires: libsemanage = 2.5-11.el7\n Insta lled: libsemanage-2.5-14.el7.x86_64 (@base)\n libsemanage = 2.5-14 .el7\n Available: libsemanage-2.5-11.el7.x86_64 (rocknsm-local)\n libsemanage = 2.5-11.el7\n”, “rc”: 1, “results”: [“jq-1.5-1.el7.x86_64 providing jq is already installed”, “GeoIP-1.5.0-13.el7.x86_64 providing GeoIP is already installed”, “14:tcpdump-4.9.2-3.el7.x86_64 providing tcpdump is alrea dy installed”, “2:vim-enhanced-7.4.160-5.el7.x86_64 providing vim is already ins talled”, “git-1.8.3.1-20.el7.x86_64 providing git is 
already installed”, “tmux-1 .8-4.el7.x86_64 providing tmux is already installed”, “logrotate-3.8.6-17.el7.x8 6_64 providing logrotate is already installed”, “Loaded plugins: fastestmirror\n Loading mirror speeds from cached hostfile\nResolving Dependencies\n–> Running transaction check\n—> Package GeoIP-update.noarch 0:1.5.0-11.el7 will be insta lled\n–> Processing Dependency: GeoIP = 1.5.0-11.el7 for package: GeoIP-update- 1.5.0-11.el7.noarch\n—> Package bats.noarch 0:0.4.0-1.20141016git3b33a5a.el7 w ill be installed\n—> Package htop.x86_64 0:2.2.0-1.el7 will be installed\n—> Package java-1.8.0-openjdk-headless.x86_64 1:1.8.0.191.b12-0.el7_5 will be inst alled\n–> Processing Dependency: copy-jdk-configs >= 2.2 for package: 1:java-1. 8.0-openjdk-headless-1.8.0.191.b12-0.el7_5.x86_64\n–> Processing Dependency: tz data-java >= 2015d for package: 1:java-1.8.0-openjdk-headless-1.8.0.191.b12-0.el 7_5.x86_64\n–> Processing Dependency: jpackage-utils for package: 1:java-1.8.0- openjdk-headless-1.8.0.191.b12-0.el7_5.x86_64\n–> Processing Dependency: libjpe g.so.62(LIBJPEG_6.2)(64bit) for package: 1:java-1.8.0-openjdk-headless-1.8.0.191 .b12-0.el7_5.x86_64\n–> Processing Dependency: lksctp-tools(x86-64) for package : 1:java-1.8.0-openjdk-headless-1.8.0.191.b12-0.el7_5.x86_64\n–> Processing Dep endency: libjpeg.so.62()(64bit) for package: 1:java-1.8.0-openjdk-headless-1.8.0 .191.b12-0.el7_5.x86_64\n—> Package nmap-ncat.x86_64 2:6.40-13.el7 will be ins talled\n—> Package policycoreutils-python.x86_64 0:2.5-22.el7 will be installe d\n–> Processing Dependency: policycoreutils = 2.5-22.el7 for package: policyco reutils-python-2.5-22.el7.x86_64\n–> Processing Dependency: audit-libs-python > = 2.1.3-4 for package: policycoreutils-python-2.5-22.el7.x86_64\n–> Processing Dependency: libsemanage-python >= 2.5-9 for package: policycoreutils-python-2.5- 22.el7.x86_64\n–> Processing Dependency: setools-libs >= 3.3.8-2 for package: p olicycoreutils-python-2.5-22.el7.x86_64\n–> Processing 
Dependency: checkpolicy for package: policycoreutils-python-2.5-22.el7.x86_64\n–> Processing Dependency : libapol.so.4(VERS_4.0)(64bit) for package: policycoreutils-python-2.5-22.el7.x 86_64\n–> Processing Dependency: libcgroup for package: policycoreutils-python- 2.5-22.el7.x86_64\n–> Processing Dependency: libqpol.so.1(VERS_1.2)(64bit) for package: policycoreutils-python-2.5-22.el7.x86_64\n–> Processing Dependency: li bqpol.so.1(VERS_1.4)(64bit) for package: policycoreutils-python-2.5-22.el7.x86_6 4\n–> Processing Dependency: libapol.so.4()(64bit) for package: policycoreutils -python-2.5-22.el7.x86_64\n–> Processing Dependency: libqpol.so.1()(64bit) for package: policycoreutils-python-2.5-22.el7.x86_64\n—> Package tcpreplay.x86_64 0:4.2.5-1.el7 will be installed\n–> Running transaction check\n—> Package Ge oIP-update.noarch 0:1.5.0-11.el7 will be installed\n–> Processing Dependency: G eoIP = 1.5.0-11.el7 for package: GeoIP-update-1.5.0-11.el7.noarch\n—> Package audit-libs-python.x86_64 0:2.8.1-3.el7_5.1 will be installed\n–> Processing Dep endency: audit-libs(x86-64) = 2.8.1-3.el7_5.1 for package: audit-libs-python-2.8 .1-3.el7_5.1.x86_64\n—> Package checkpolicy.x86_64 0:2.5-6.el7 will be install ed\n—> Package copy-jdk-configs.noarch 0:3.3-10.el7_5 will be installed\n—> Package javapackages-tools.noarch 0:3.4.1-11.el7 will be installed\n–> Processi ng Dependency: python-javapackages = 3.4.1-11.el7 for package: javapackages-tool s-3.4.1-11.el7.noarch\n—> Package libcgroup.x86_64 0:0.41-15.el7 will be insta lled\n—> Package libjpeg-turbo.x86_64 0:1.2.90-5.el7 will be installed\n—> P ackage libsemanage-python.x86_64 0:2.5-11.el7 will be installed\n–> Processing Dependency: libsemanage = 2.5-11.el7 for package: libsemanage-python-2.5-11.el7. 
x86_64\n—> Package lksctp-tools.x86_64 0:1.0.17-2.el7 will be installed\n—> Package policycoreutils-python.x86_64 0:2.5-22.el7 will be installed\n–> Proces sing Dependency: policycoreutils = 2.5-22.el7 for package: policycoreutils-pytho n-2.5-22.el7.x86_64\n—> Package setools-libs.x86_64 0:3.3.8-2.el7 will be inst alled\n—> Package tzdata-java.noarch 0:2018f-2.el7 will be installed\n–> Runn ing transaction check\n—> Package GeoIP-update.noarch 0:1.5.0-11.el7 will be i nstalled\n–> Processing Dependency: GeoIP = 1.5.0-11.el7 for package: GeoIP-upd ate-1.5.0-11.el7.noarch\n—> Package audit-libs-python.x86_64 0:2.8.1-3.el7_5.1 will be installed\n–> Processing Dependency: audit-libs(x86-64) = 2.8.1-3.el7_ 5.1 for package: audit-libs-python-2.8.1-3.el7_5.1.x86_64\n—> Package libseman age-python.x86_64 0:2.5-11.el7 will be installed\n–> Processing Dependency: lib semanage = 2.5-11.el7 for package: libsemanage-python-2.5-11.el7.x86_64\n—> Pa ckage policycoreutils-python.x86_64 0:2.5-22.el7 will be installed\n–> Processi ng Dependency: policycoreutils = 2.5-22.el7 for package: policycoreutils-python- 2.5-22.el7.x86_64\n—> Package python-javapackages.noarch 0:3.4.1-11.el7 will b e installed\n–> Processing Dependency: python-lxml for package: python-javapack ages-3.4.1-11.el7.noarch\n–> Running transaction check\n—> Package GeoIP-upda te.noarch 0:1.5.0-11.el7 will be installed\n–> Processing Dependency: GeoIP = 1 .5.0-11.el7 for package: GeoIP-update-1.5.0-11.el7.noarch\n—> Package audit-li bs-python.x86_64 0:2.8.1-3.el7_5.1 will be installed\n–> Processing Dependency: audit-libs(x86-64) = 2.8.1-3.el7_5.1 for package: audit-libs-python-2.8.1-3.el7 _5.1.x86_64\n—> Package libsemanage-python.x86_64 0:2.5-11.el7 will be install ed\n–> Processing Dependency: libsemanage = 2.5-11.el7 for package: libsemanage -python-2.5-11.el7.x86_64\n—> Package policycoreutils-python.x86_64 0:2.5-22.e l7 will be installed\n–> Processing Dependency: policycoreutils = 2.5-22.el7 fo r package: 
policycoreutils-python-2.5-22.el7.x86_64\n—> Package python-lxml.x8 6_64 0:3.2.1-4.el7 will be installed\n–> Finished Dependency Resolution\n You c ould try using --skip-broken to work around the problem\n You could try running: rpm -Va --nofiles --nodigest\n”]}

RUNNING HANDLER [stenographer : start stenographer service] ********************

RUNNING HANDLER [stenographer : start stenographer per interface] **************

RUNNING HANDLER [docket : docket | restart redis] ******************************

RUNNING HANDLER [docket : docket | restart docket celery services] *************

RUNNING HANDLER [docket : docket | restart docket uwsgi] ***********************

RUNNING HANDLER [docket : docket | restart lighttpd] ***************************
to retry, use: --limit @/opt/rocknsm/rock/playbooks/site.retry

PLAY RECAP *********************************************************************
simplerockbuild.simplerock.lan : ok=76 changed=45 unreachable=0 failed=1

I checked my home directory and didn’t see a ~/KIBANA_CREDS.README file, and the Web server isn’t running anyway.

Any ideas? I tried the most vanilla, basic installation possible, so I’m not sure what the problem is.

Thank you,

Richard


#2

Sorry for the late reply. Thanks for bringing this up – I believe this is an EPEL change around the GeoIP program.
I recently fixed a GeoIP rpm issue on my personal setup after doing a full yum update and such.
However, I am going to walk through a brand new setup just to confirm for you.


#3

I got the same error and it is just the GeoIP plugin; however, the instructions I sent to compile a new GeoIP plugin are incorrect…
So give me a few more minutes to get the exact ones needed.


#4

In “/etc/rocknsm/config.yml” can you set the line “rock_online_install: False” to “rock_online_install: True”?
https://rocknsm.gitbooks.io/rocknsm-guide/content/build/install.html#online--offline-install
Then re-run the /opt/rocknsm/rock/bin/deploy_rock.sh script.

This should fix it for now.

I will submit a bug ticket so someone can fix this for next release, so online is not required.
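
Added example, not part of the original posts: the yum output in post #1 shows packages from the `rocknsm-local` repo requiring older versions than the ones already installed from `@base`. The Python sketch below parses that message into one record per conflict; `SAMPLE_MSG` is an excerpt of the posted output with the terminal-wrap spaces removed, and the function names are illustrative.

```python
import re

# Excerpt of the yum "msg" field from post #1 (two of the four reported
# conflicts), with the terminal line-wrap spaces removed.
SAMPLE_MSG = (
    "Error: Package: audit-libs-python-2.8.1-3.el7_5.1.x86_64 (rocknsm-local)\n"
    "           Requires: audit-libs(x86-64) = 2.8.1-3.el7_5.1\n"
    "           Installed: audit-libs-2.8.4-4.el7.x86_64 (@base)\n"
    "               audit-libs(x86-64) = 2.8.4-4.el7\n"
    "           Available: audit-libs-2.8.1-3.el7_5.1.x86_64 (rocknsm-local)\n"
    "               audit-libs(x86-64) = 2.8.1-3.el7_5.1\n"
    "Error: Package: GeoIP-update-1.5.0-11.el7.noarch (rocknsm-local)\n"
    "           Requires: GeoIP = 1.5.0-11.el7\n"
    "           Installed: GeoIP-1.5.0-13.el7.x86_64 (@base)\n"
    "               GeoIP = 1.5.0-13.el7\n"
    "           Available: GeoIP-1.5.0-11.el7.x86_64 (rocknsm-local)\n"
    "               GeoIP = 1.5.0-11.el7\n"
)

ERROR_RE = re.compile(r"^Error: Package: (\S+) \((\S+)\)$")
FIELD_RE = re.compile(r"^(Requires|Installed|Available): (.+)$")
REPO_RE = re.compile(r"^(\S+) \((\S+)\)$")

def parse_conflicts(msg):
    """Return one dict per 'Error: Package:' block in a yum depsolve message."""
    conflicts = []
    for raw in msg.splitlines():
        line = raw.strip()
        m = ERROR_RE.match(line)
        if m:  # start of a new conflict block
            conflicts.append({"package": m.group(1), "repo": m.group(2)})
            continue
        f = FIELD_RE.match(line)
        if f and conflicts:
            key, value = f.group(1).lower(), f.group(2)
            r = REPO_RE.match(value)
            if key == "requires":
                conflicts[-1]["requires"] = value
            elif r:  # "name-version.arch (repo)" for Installed/Available
                conflicts[-1][key] = r.group(1)
                conflicts[-1][key + "_repo"] = r.group(2)
    return conflicts

def stale_repo_conflicts(msg):
    """Conflicts where the installed package came from a different repo."""
    return [c for c in parse_conflicts(msg)
            if c.get("installed_repo")
            and c["installed_repo"].lstrip("@") != c["repo"]]
```
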


#5

I’m seeing the same error installing in a VM in ESXi 6.7. I’m installing from the rocknsm-2.2.0.iso image.

Glad to see I’m not the only one with this issue. I’ll snapshot my install after the system upgrade, and try out your suggested fix once posted.

-Jeff


#6

Sorry to hear about this! Please let me know if setting “rock_online_install: True” in “/etc/rocknsm/config.yml” fixes it for you as well.

Also let me know if you have any other questions or comments.


#7

Looks like that fixed the initial script fail. I followed the directions: “sudo yum update -y”, rebooted (mostly to easily snapshot the vm), updated the “rock_online_install:” setting to True and finally ran the install script. There were a few warnings, but no errors.

I was able to follow along and replay a pcap file for testing. Bro and Suricata seem happy. I’m looking into setting up the proper dashboards in kibana now. I can see the raw data, but I don’t see any default dashboards. I’ll try running “github.com/rocknsm/rock-dashboards” by hand.

Thanks again for the quick replies. Looks like a great product, and I’m looking forward to testing it out more on my home lab.


#8

Try the rock-dashboards, as you said, and let me know if that works. I would recommend these if you’re testing anyways because this has a bit newer options.


#10

Hi Nate, that fixed it! Initially I had an error (I deleted that post) but it was cleared by re-running the deploy script a second time.

Sincerely,

Richard


#11

Fantastic, glad to hear!
As always, let me know when you have any feedback or questions.
There is always more to improve…