This repository has been archived by the owner on Apr 16, 2021. It is now read-only.

Test 16.04.7.3 ISO image #1823

Closed
dougburks opened this issue Mar 4, 2021 · 3 comments

dougburks (Contributor) commented Mar 4, 2021

Our Security Onion 16.04.7.3 ISO image is ready for testing! This image is based on Ubuntu 16.04.7 with the HWE stack (kernel and video drivers from 18.04) and the latest Ubuntu and Security Onion updates. It should include all updates from https://github.com/Security-Onion-Solutions/security-onion/projects/15 and should specifically resolve the following issues:

pinguybuilder: increment version to 16.04.7.3 #1815

Update docs and cheat sheet for 16.04.7.3 #1814

Update CyberChef to latest version #1819

Please follow the download/verify instructions here:
https://github.com/Security-Onion-Solutions/security-onion/blob/master/testing/Verify_ISO_16.04.7.3.md

Please verify that /etc/apt/apt.conf.d/01autoremove (and other files in that directory) exist on the installed operating system and that soup operates correctly.

Please verify that the desktop wallpaper changes to prompt the user to run Setup when necessary.

Please verify that all services start correctly after a reboot.

Please verify that each and every ISO installation has a unique SSL cert and key for Wazuh in /var/ossec/etc/sslmanager*.

Please verify that the screensaver locks the screen after idle for a few minutes.

Please test in as many different combinations as possible:

  • Evaluation Mode vs Production Mode

  • standalone vs distributed deployments

  • heavy node deployments (local Elastic stack) vs forward-only
    node deployments (no local Elastic stack)

  • connected to the Internet vs not connected

  • physical hardware vs VMware vs VirtualBox vs other virtualization

  • EFI vs traditional BIOS

As always, please test using nmap or another port scanner to verify
proper firewall config. Before you do that, however, you will want to
whitelist your scanning IP address as follows:

  • Edit /var/ossec/etc/ossec.conf using vi or your favorite text editor:

      sudo vi /var/ossec/etc/ossec.conf

  • copy the existing white_list line, paste it directly underneath,
    and change the entry to your scanning IP address

  • save the file and exit the editor (vi requires :wq! to save the file)

  • restart OSSEC:

      sudo service ossec-hids-server restart

  • Now that you've whitelisted your scanning IP, you can scan using an
    nmap command like this (watch out for line-wrapping and replace
    1.2.3.4 with the actual IP address of the Security Onion box you're
    testing):

      nmap 1.2.3.4 -Pn -p22,443,9200,9300,9600,5601,6050,6051,6052,6053,514,4505,4506,7736,3142,7734,5044,6379
  • Run Setup on the Security Onion box.

  • On the scanning box, run nmap and it should only see port 22 open on
    the Security Onion box.

  • Run so-allow on the Security Onion box and allow your scanning IP to
    access a port.

  • so-allow shows you the output of ufw status and also the current
    contents of the DOCKER-USER chain. Also review /etc/ufw/after.rules
    to see the new firewall rule that will be added at every reboot.

  • Re-run nmap from your scanning box and verify that only proper ports are open.

  • Reboot the Security Onion box.

  • Re-run nmap from your scanning box and verify that only proper ports are open.

Anything else we missed?

Please record all test results via comments below.

Thanks in advance for your time and effort!
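One way to make the "only the proper ports are open" checks above repeatable, as an added example that is not part of this issue or of the Security Onion project: scan with nmap's grepable output (`-oG`) and compare the open ports against an allow-list (only 22 after Setup, plus whatever so-allow opened). The scan output embedded below is a constructed sample, not a real scan.

```shell
#!/bin/sh
# Added example (not Security Onion code): compare an nmap -oG scan of a
# Security Onion box against the ports you expect to be open. Real usage:
#   nmap 1.2.3.4 -Pn -p22,443,9200,9300,9600,5601,6050,6051,6052,6053,514,4505,4506,7736,3142,7734,5044,6379 -oG scan.gnmap
#   check_open_ports scan.gnmap "22"        # right after Setup
#   check_open_ports scan.gnmap "22 443"    # after so-allow opened 443

# Constructed sample of grepable nmap output (not a real scan): the expected
# state right after Setup with no so-allow rules, i.e. only ssh reachable.
sample_gnmap() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
# Nmap 7.80 scan initiated (constructed sample)
Host: 1.2.3.4 ()    Status: Up
Host: 1.2.3.4 ()    Ports: 22/open/tcp//ssh///, 443/filtered/tcp//https///, 5601/filtered/tcp//esmagent///    Ignored State: filtered (15)
# Nmap done (constructed sample)
EOF
    echo "$f"
}

# Print the open TCP ports found in a grepable nmap file, one per line, ascending.
open_ports() {
    # The Ports: field is comma-separated; each entry is port/state/proto/owner/service/...
    sed -n 's/.*Ports: //p' "$1" | tr ',' '\n' \
        | awk -F/ '{ sub(/^[ \t]+/, "", $1) } $2 == "open" && $3 == "tcp" { print $1 }' \
        | sort -n
}

# Return 0 only if every open port is in the space-separated allow-list;
# otherwise print each unexpected port and return 1.
check_open_ports() {
    file=$1; allowed=$2; rc=0
    for p in $(open_ports "$file"); do
        case " $allowed " in
            *" $p "*) ;;
            *) echo "UNEXPECTED open port in $file: $p"; rc=1 ;;
        esac
    done
    return $rc
}
```

Run it once before so-allow, once after, and once more after the reboot, as the checklist above asks; any line starting with UNEXPECTED is a firewall rule that needs a look.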

@dougburks dougburks added this to To do in 16.04.7.3 via automation Mar 4, 2021
@dougburks dougburks moved this from To do to In progress in 16.04.7.3 Mar 4, 2021
cm-ops commented Mar 15, 2021

Verified all items in testing guidance on multiple tests without issue.

  • Evaluation Mode - no issues
  • Production Mode - no issues
  • Standalone deployment - no issues
  • Distributed deployment - no issues
  • Heavy node - no issues
  • Forward-only - no issues

dougburks (Contributor, Author) commented:

Thanks @cm-ops!

16.04.7.3 automation moved this from In progress to Done Mar 15, 2021