
Install RITA on SecOnion 2.4 #822

Open
MPI-CSL-DH opened this issue Feb 19, 2024 · 2 comments

Comments

@MPI-CSL-DH

Hi,

I am trying to install RITA on Security Onion 2.4.40 using your installation script. It fails with the following error message:

```
[-] In order to run the installer, several basic packages must be installed.
[-] Updating packages... SUCCESS
[-] Ensuring curl is installed... SUCCESS
[-] Ensuring coreutils is installed... SUCCESS
[-] Ensuring lsb-release is installed...
Failed to install package: redhat-lsb-core

[!] Installation FAILED on line 767.
```

Is Sec Onion 2.4 not supported?

Best regards

@BeanBagKing

BeanBagKing commented May 12, 2024

Edit: Maybe change your issue title to "Add support for OracleServer 9.4"

Came here myself to open a ticket for this. It's not that Security Onion 2.4 isn't supported, it's that SecOnion switched to Oracle Linux with the 2.4 release. Oracle currently fails the checks for RHEL/CentOS.

For that specific error, you can add the following repo and it will install redhat-lsb-core.

```
sudo vim /etc/yum.repos.d/ol9_distro_builder.repo
```

```
[ol9_distro_builder]
name=OL9 Distro Builder
baseurl=https://yum.oracle.com/repo/OracleLinux/OL9/distro/builder/x86_64
enabled=1
```

Oracle should be fully compatible with RHEL, so I don't think there's a technical reason they couldn't support it, or it wouldn't work. If someone on the ActiveCM team can do that, here's my lsb information from Security Onion 2.4.

```
[root@securityonion ~]# lsb_release -is
OracleServer
[root@securityonion ~]# lsb_release -cs
n/a
[root@securityonion ~]# lsb_release -rs
9.4
```

Once you get past that, there are a few more lines that check for RHEL in the $_OS version variable set by lsb_release -is. You can add OracleServer to those and it works fine. Eventually you run into the MongoDB wall though. From here you can't rely on repos anymore. The RHEL 9 / Mongo 4.2 repo no longer contains mongodb as it's EOL.

You might be able to give it an older RHEL repo and have it work, e.g. add the RHEL 8 repo https://repo.mongodb.org/yum/redhat/8/mongodb-org/4.2/x86_64/. You could also install mongodb and whatever else from an rpm package. Honestly, having been through this once (my old blog post here might be adaptable: https://nullsec.us/mongo-3-6-on-ubuntu-20-04/) I just don't have the energy right now :P
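The OS-check tweak described in this comment, written out as an added example (this is not RITA's install.sh and not code from the commenter): the distributor id from `lsb_release -is` is normalized into a package family so that OracleServer is treated like RHEL/CentOS, the major release is taken from `lsb_release -rs` because Oracle reports no codename (`-cs` prints `n/a`), and the MongoDB repo URL for RHEL 9 falls back to the RHEL 8 path the comment suggests. The function names, the `detect_os` wrapper and the fallback to constructed sample values when `lsb_release` is absent are all assumptions; the RHEL 8 repo fallback mirrors the comment's untested suggestion.

```shell
#!/bin/sh
# Hypothetical helper (not RITA's install.sh): map the distributor id printed
# by `lsb_release -is` to a package-manager family. OracleServer is grouped
# with the RHEL family, which is the change the comment above describes.
os_family() {
    case "$1" in
        RedHatEnterprise*|CentOS*|Rocky*|AlmaLinux*|OracleServer)
            echo rhel ;;
        Ubuntu|Debian)
            echo debian ;;
        *)
            echo unsupported ;;
    esac
}

# Oracle Linux reports no codename (`lsb_release -cs` gives "n/a"), so the
# version gate uses the numeric release from `lsb_release -rs` instead.
# Succeeds for the RHEL-family majors discussed in the thread (8 and 9).
rhel_major_supported() {
    major="${1%%.*}"
    case "$major" in
        8|9) return 0 ;;
        *)   return 1 ;;
    esac
}

# MongoDB 4.2 yum repo base URL for the RHEL family. The RHEL 9 / 4.2 repo is
# empty (per the thread), so major 9 is pointed at the RHEL 8 path the comment
# suggests; whether that actually installs cleanly is untested here.
mongo_repo_url() {
    family="$1"; major="${2%%.*}"
    [ "$family" = rhel ] || return 1
    case "$major" in
        9) echo "https://repo.mongodb.org/yum/redhat/8/mongodb-org/4.2/x86_64/" ;;
        *) echo "https://repo.mongodb.org/yum/redhat/$major/mongodb-org/4.2/x86_64/" ;;
    esac
}

# Use the live host when lsb_release exists; otherwise use constructed sample
# values matching the output quoted in the thread (OracleServer / 9.4).
detect_os() {
    if command -v lsb_release >/dev/null 2>&1; then
        _OS=$(lsb_release -is)
        _OS_VER=$(lsb_release -rs)
    else
        _OS=OracleServer   # constructed sample value
        _OS_VER=9.4        # constructed sample value
    fi
    family=$(os_family "$_OS")
    if [ "$family" = rhel ] && rhel_major_supported "$_OS_VER"; then
        echo "$_OS $_OS_VER -> family=$family mongo_repo=$(mongo_repo_url "$family" "$_OS_VER")"
        return 0
    fi
    echo "$_OS $_OS_VER is not handled by this installer" >&2
    return 1
}

detect_os
```

Run it on the Security Onion box (or anywhere) with `sh detect_os.sh`; on a host without `lsb_release` it prints the OracleServer 9.4 line from the constructed sample. The point of the family mapping is that the rest of a script keys off `rhel`/`debian` rather than the raw distributor string, so adding a derivative distro is a one-line change.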

@BeanBagKing

I've come to the conclusion that this really isn't possible to install directly onto OL9, not in its current state. It's pretty easy to get mongo 4.4 installed and working. Zeek is already there of course, and with the distro builder repo added and a few minor tweaks to the install.sh file, it installs fine. However, it seems RITA isn't compatible with mongo 4.4 and refuses to connect. Mongo 4.3 (unstable) packages are out there, however that, and anything earlier (e.g. 4.2), requires python2. You can get the rpm for that, but that requires python2 libs, which conflict with python 3 and also require a host of other dependencies. You quickly enter dependency hell.

Even updating RITA to use 4.4 -might- allow this to work, but if any updates are to happen, it'd be nice to see it go to a supported version.

I think it's possible (even likely) that a docker version of RITA would work. I've never managed to make sense of docker though. It's abstraction hell to me, and at least I understand dependency hell. The docker instructions for RITA feel like "draw the rest of the owl" to me. If someone gets it working on Security Onion 2.4, please post exact steps for the rest of us.
