Analyst VM

Full-time analysts may want to create a dedicated Analyst VM. This allows you to investigate pcaps and other potentially malicious artifacts without impacting your Security Onion deployment or your workstation.

Note

The Analyst desktop currently only supports CentOS, so you’ll either need to use our Security Onion ISO image (recommended) or a manual installation of CentOS 7.

so-analyst-install

The so-analyst-install script will install a full GNOME desktop environment including Chromium web browser, NetworkMiner, Wireshark, and other analyst tools. so-analyst-install is totally independent of the standard setup process, so you can run it before or after setup or not run setup at all if all you really want is the Analyst VM itself.

Security Onion 2.3.120 Changes

In Security Onion 2.3.120, we improved several aspects of the Analyst desktop, including installation, joining to grid, and disabling.

Installation

Starting in Security Onion 2.3.120, there are a few different ways to install the Analyst desktop:

  • Our Security Onion ISO image includes a new boot menu option for Analyst installs that will partition your disk appropriately and immediately perform an Analyst installation.
  • In our normal Setup wizard, you can choose OTHER and then choose ANALYST.
  • You can still run so-analyst-install as in previous versions.

Joining to Grid

Security Onion 2.3.120 allows you to optionally join your Analyst installation to your grid. This allows it to pull updates from the grid and automatically trust the grid’s HTTPS certificate. It also updates the manager’s firewall to allow the Analyst installation to connect. Please note that Analyst installations won’t actually display on the Grid page.

If you choose not to join your Analyst installation to your grid, then you may need to run so-allow on the manager node and choose the analyst option to allow the traffic through the manager's host-based firewall.

Disabling

Starting in Security Onion 2.3.120, the analyst desktop is controlled via Salt pillar. If you need to disable the Analyst desktop environment, find the workstation setting in your Salt pillar and change enabled: true to enabled: false:

workstation:
  gui:
    enabled: false