3.1 Basic Security Considerations

Change Guardian has undergone security hardening before being released. This section describes some of the hardening mechanisms used in Change Guardian.

3.1.1 Traditional Installation

  • The administrator should close all unnecessary ports. For more information, see Default Ports.

  • Whenever possible, a service port listens only for local connections and does not allow remote connections.

  • Files are installed with least privilege, so that only the smallest necessary set of users can read them.

  • Reports against the database are run as a user that only has SELECT permissions on the database.

  • All Web interfaces require HTTPS.

  • All communication over the network uses SSL by default and is configured to require authentication.

  • User account passwords are encrypted by default when they are stored on the file system or in the database.
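A practitioner will want to confirm the first two points on a running host: that unnecessary ports are closed and that service ports accept only local connections. The following check is an added example, not part of the Change Guardian documentation or product; it parses `ss -tlnH` output (a constructed sample is embedded), lists every listener bound to a non-loopback address, and compares those ports against an allow-list that you populate from Default Ports (the port numbers below are placeholders).

```shell
#!/bin/sh
# Added example (not from the Change Guardian documentation): report TCP
# listeners that accept remote connections and compare them to an allow-list.
# Input format is that of `ss -tlnH`: State Recv-Q Send-Q Local:Port Peer:Port

# Constructed sample output; not captured from a real Change Guardian host.
SAMPLE_SS_OUTPUT='LISTEN 0 128 127.0.0.1:5432 0.0.0.0:*
LISTEN 0 128 0.0.0.0:8443 0.0.0.0:*
LISTEN 0 128 [::1]:6514 [::]:*
LISTEN 0 4096 *:22 *:*
LISTEN 0 128 [::]:9200 [::]:*'

# Print "port address" for each listener whose local address is not loopback.
# Reads ss -tlnH formatted lines from stdin; loopback-only services are skipped.
remote_listeners() {
    awk '{
        laddr = $4
        n = split(laddr, parts, ":")           # the port is the last ":" field
        port = parts[n]
        addr = substr(laddr, 1, length(laddr) - length(port) - 1)
        if (addr == "[::1]" || addr ~ /^127\./) next
        print port, addr
    }'
}

# Read "port address" pairs from stdin; return 0 if every port is in the
# space-separated allow-list given as $1, otherwise report each extra and return 1.
check_remote_ports() {
    allowed=" $1 "
    status=0
    while read -r port addr; do
        case "$allowed" in
            *" $port "*) ;;
            *) echo "unexpected remote listener: $addr port $port"; status=1 ;;
        esac
    done
    return $status
}

# On a live host replace the sample with: ss -tlnH | remote_listeners | ...
# The allow-list here is a placeholder; take the real values from Default Ports.
if printf '%s\n' "$SAMPLE_SS_OUTPUT" | remote_listeners | check_remote_ports "8443 22"; then
    echo "only expected ports are reachable remotely"
else
    echo "review the listeners reported above"
fi
```

With the sample input the check reports port 9200, since it is bound to all IPv6 addresses but absent from the allow-list.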

3.1.2 Appliance Installation

In addition to the points mentioned in Traditional Installation, the appliance has undergone the following additional hardening:

  • Only the minimally required packages are installed.

  • The firewall is enabled by default and all unnecessary ports are closed in the firewall configuration.

  • Change Guardian is automatically configured to monitor the local operating system's syslog messages for audit purposes.