Setting up SIFT Workstation in Proxmox
I recently decided to set up a Proxmox server in my house for running VM farms (this thing is fantastic, by the way). The initial setup for Proxmox was simple, and setting up most VMs is also easy, but today I ran into a very strange problem. How do I get my SIFT workstation running in Proxmox?
The SIFT website links to this GitHub page, which gives you instructions to download files here so that you can run the sift install command to set up SIFT on an Ubuntu 16.04 machine. Should be easy, except it doesn't work. If you check the SIFT issues page you'll see countless people reporting the same error, "Error: Update exit code not zero", and every single one of these issues has a different solution. Here's the most recent one at the time of this writing.
I ran into this same issue on my VM, and despite multiple solutions on the GitHub issues page it didn't work.
I Googled around but didn't find anyone talking about importing SIFT to Proxmox, so I figured I'd give it a try myself. Oh boy, was this hacky. The big issue with importing SIFT is that Proxmox does not recognize OVA files, so we have to make some changes.
Download the OVA
This part isn't very difficult. Just go to the SIFT website above and download the OVA file.
SCP the OVA to Proxmox
The command above will copy the OVA file over to the workstation. From there you'll need to SSH into the workstation.
You could also use the shell in the Proxmox GUI.
Extract the OVA
An OVA file is technically just a form of archive file containing a virtual hard drive and another file listing details of the machine (the OVF). So we'll use tar to extract the OVA.
tar vxf SIFT-Workstation.ova
This should put out three files for you.
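Before importing, the extracted files can be checked against the manifest shipped inside the OVA. This is an added example, not part of the original post: it assumes one of the three extracted files is an OVF manifest (`*.mf`) with lines of the form `SHA256(name)= digest`, and `verify_ova_manifest` is a hypothetical helper name.

```sh
#!/bin/sh
# Added example (not from the original post): check the files extracted from
# an OVA against the OVF manifest before running `qm importovf`.
# Assumption: one extracted file is a manifest (*.mf) with lines such as
#   SHA256(disk1.vmdk)= <hex digest>

# verify_ova_manifest DIR
# Returns 0 if every manifest entry matches, 1 on any mismatch or bad entry,
# 2 if there is no usable manifest. The body is a subshell, so variables stay local.
verify_ova_manifest() (
    dir=$1 rc=0 entries=0
    mf=$(find "$dir" -maxdepth 1 -type f -name '*.mf' | head -n 1)
    [ -n "$mf" ] || { echo "no manifest (.mf) in $dir" >&2; return 2; }

    while IFS= read -r line; do
        [ -n "$line" ] || continue
        algo=${line%%\(*}; algo=${algo% }      # text before the first "("
        name=${line#*\(}; name=${name%\)*}     # text between "(" and the last ")"
        want=$(printf '%s' "${line##*=}" | tr -d ' ' | tr 'A-F' 'a-f')
        case $algo in
            SHA1)   tool=sha1sum ;;
            SHA256) tool=sha256sum ;;
            SHA512) tool=sha512sum ;;
            *) echo "unparseable manifest line: $line" >&2; rc=1; continue ;;
        esac
        entries=$((entries + 1))
        # An entry must name a file in DIR itself, never a path elsewhere.
        case $name in
            ''|*/*|..) echo "refusing manifest entry: $name" >&2; rc=1; continue ;;
        esac
        [ -f "$dir/$name" ] || { echo "MISSING  $name" >&2; rc=1; continue; }
        got=$("$tool" "$dir/$name" | cut -d' ' -f1)
        if [ "$got" = "$want" ]; then
            echo "OK       $name ($algo)"
        else
            echo "MISMATCH $name ($algo)" >&2; rc=1
        fi
    done <<EOF
$(tr -d '\r' < "$mf")
EOF
    [ "$entries" -gt 0 ] || { echo "manifest lists no files" >&2; return 2; }
    return "$rc"
)
```

Run it as `verify_ova_manifest .` in the directory where the OVA was extracted. A clean result only shows that the files match what the archive itself lists, so it catches a corrupted download or copy, not a replaced archive.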
Import the OVF file to Proxmox
This is where Proxmox earns its money in this process. Using the OVF file, we can tell Proxmox to create a VM as defined in the OVF.
qm importovf 150 sift-2020.2.0-ovf local-lvm
The 150 here is the VM number that I'm assigning to this new VM. Use whatever you want here. You should see a VM appear on the left-hand side as Proxmox creates the VM defined in the OVF file.
We'll need to make some changes before we try to use this machine.
Configure SIFT VM
You may notice that the machine it created is missing a NIC, so go ahead and add that. Trust me, you'll be needing an internet connection for the next part. If you have the resources to spare then I recommend adding some extra memory and cores, but that's optional.
Go ahead and boot up the VM.
When you first boot the VM it's going to display bpfilter and get stuck.
This appears to be a bug in Ubuntu 18.04, except the fix there doesn't fix it. We need to get a shell and install a new UI.
The bpfilter comment will never go away, so you need to bypass it and get a shell.
Ctrl + Alt + F2
Hitting these buttons in combination will move you to a different TTY and give you a shell.
This screen will flash, interrupting text input, for about a minute, but if you power through the interrupts or wait a minute you'll be able to actually log in using the username:password combination of
Add user and Install UI
While we have a shell we need to make a few configuration changes to the system. One issue we'll encounter later is that the sansforensics user is not able to log in to the system through the GUI, so we'll need to make a new user.
sudo adduser forensics
Give them a password and then add them to the sudo group.
sudo usermod -aG sudo [new user]
After this user is created we need to install a new UI as the current one (gdm3) doesn't load.
sudo apt install lightdm
sudo dpkg-reconfigure lightdm
(This is only necessary if the system does not give you a window to switch the UI from gdm3 to lightdm.)
The system should now reboot and get you to a login page. The sansforensics user didn't log in for me, so I had to log in with my newly created account. The background is just stock Ubuntu, but all of the tools appear to still be installed and configured.
This was a really hacky way to get SIFT working on Proxmox but until SANS fixes the installer this is the only way I've found to get it working.