Network Installation

Warning

Network installations are NOT supported and should only be used as a last resort in case there is some reason you can’t use our official Security Onion images as shown in the Installation section.

Our official Security Onion images (ISO image and cloud images) are the ONLY supported installation method and you should use them if any of the following apply to you:

  • You are deploying in an enterprise environment.

  • You are deploying in an airgap environment.

  • You are performing a distributed deployment.

  • You want the quickest and easiest installation with the fewest issues.

  • You need any kind of support.

If NONE of the above apply to you, then you MAY be able to install one of the following operating systems and then perform a network installation:

  • Oracle Linux 9

  • Rocky Linux 9

  • Alma Linux 9

  • RHEL 9

  • Ubuntu 22.04

  • Debian 12

For the least amount of issues, choose Oracle Linux 9 since it’s used for our official images. If for some reason you can’t use Oracle Linux 9, then Rocky Linux 9 and Alma Linux 9 SHOULD work but they are not fully tested. Another option MIGHT be RHEL 9 itself although that is a paid option.

If you really want to run Ubuntu 22.04 or Debian 12, then please note that these distros MAY work but they get even less testing and therefore you will be more likely to run into issues. If you choose Ubuntu 22.04, we recommend the Ubuntu 22.04 Server ISO image and selecting the Ubuntu Server installation option as there are known issues when choosing the Ubuntu Server (minimized) option.

Warning

Just because a distro is listed above and works today does NOT guarantee that it will work in the future. If at some point in the future a distro listed above stops working, then we will simply remove it from the list rather than trying to fix an unsupported distro.

Partitioning

Our official Security Onion images take care of partitioning for you. However, if you choose to perform a network installation then it’s your responsibility to make sure that partitions are configured correctly to avoid filling up a partition.

Minimum Storage

As the Hardware Requirements section mentions, the MINIMUM requirement is 200GB storage. This is to allow 100GB for /nsm and 100GB for the rest of /.

LVM

You may want to consider Logical Volume Management (LVM) as it will allow you to more easily change your partitioning in the future if you need to.

/boot

You probably want a dedicated /boot partition of at least 1GB at the beginning of the drive.

/nsm

The vast majority of data will be written to /nsm, so you’ll want to dedicate the vast majority of your disk space to that partition. You’ll want at least 100GB.

/

/ (the root partition) currently contains /var/lib/docker/ (more on that below) and thus you’ll want at least 100GB.

Docker

Docker images are stored in /var/lib/docker/. The current set of Docker images uses 30GB on disk. If you’re planning a production deployment, you should plan on having enough space for another set of those Docker images for in-place updates.

Other

The OS installer may try to dedicate a large amount of space to /home. You may need to adjust this to ensure that it is not overly large and wasting valuable disk space.

Example

Here’s an example of how our current ISO image partitions a 1TB disk:

  • 1GB /boot partition at the beginning of the drive

  • the remainder of the drive is an LVM volume that is then partitioned as follows:

    • 630GB /nsm

    • 300GB /

    • 2GB /tmp

    • 8GB swap

Installing via the network

Warning

Please keep in mind that network installations are NOT supported and should only be used as a last resort.

If you understand all of the warnings above and still want to perform a network installation, then you can follow the steps below.

  1. Review the Hardware Requirements and Release Notes sections.

  2. Download the ISO image for your desired x86-64 operating system. Verify the ISO image and then boot from it.

  3. Follow the prompts in the installer. If you’re building a production deployment, you’ll probably want to use LVM and dedicate most of your disk space to /nsm as discussed in the Partitioning section above.

  4. Reboot into your new installation.

  5. Login using the username and password you specified during installation.

  6. Install prerequisites. If you’re using Oracle Linux 9 or another RHEL derivative:

    sudo dnf -y install git

    If you’re using Ubuntu or Debian:

    sudo apt -y install git curl ethtool

  7. Download our repo and start the Setup process:

    git clone -b 2.4/main https://github.com/Security-Onion-Solutions/securityonion
cd securityonion
sudo bash so-setup-network

  8. Proceed to the Configuration section.