2.3 Securing Sentinel Data

IMPORTANT: Because of the highly sensitive nature of the data on the Sentinel Log Manager, you must keep the machine physically secure and in a secure area of the network. To collect data from event sources outside the secure network, use a remote Collector Manager.

For certain components, passwords must be stored so that they are available when the component connects to a resource such as a database or an event source. Such passwords are encrypted before they are stored, so that the clear-text password is not exposed to unauthorized access.

Encryption alone is not sufficient: access to the stored (encrypted) password data must also be restricted, or the password can still be exposed. For example, set file permissions so that files containing sensitive data are not readable by other users.

Database credentials are stored in the <Installation_Directory>/config/server.xml file, for example:

<class>esecurity.base.ccs.comp.dataobject.ConnectionManager</class>
    <property name="username">appuser</property>
    <property name="password">7fA+ogBMeK7cRbJ+S6xJ/InLBUi+sRVGK5qYycDxfIqGDHVX9FApWg==</property>

Following is an example of the message bus (ActiveMQ JMS) connection credentials in the configuration.xml file. The JMS password attribute holds the stored (encrypted) value, but in this fragment the keystore password (the keystorePassword attribute) appears in clear text, so the file permissions on configuration.xml and on the keystore itself are the only protection for it:

<strategy active="yes" id="jms" location="com.esecurity.common.communication.strategy.jmsstrategy.activemq.ActiveMQStrategyFactory" name="ActiveMQ">
    <jms brokerURL="ssl://localhost:61616?wireFormat.maxInactivityDuration=0&amp;jms.copyMessageOnSend=false" interceptors="compression" keystore="../config/.activemqclientkeystore.jks" keystorePassword="password" password="ebccfebf4ec3dac874494b992a91a3c9" username="system"/>
</strategy>

Several database tables also store passwords or certificates in encrypted form. You must limit access to these tables as well.

Sentinel Log Manager stores both configuration data and event data in the following locations:

Table 2-2 Locations for Configuration Data and Event Data

Component: Sentinel Log Manager server

  Location for configuration data: The database tables and the file system at Install_Directory/config. This configuration information includes the encrypted database, event source, and integrator passwords.

  Location for event data: The database (the EVENTS, CORRELATED_EVENTS, EVT_SMRY_*, and AUDIT_RECORD tables) and the file system at Install_Directory/data/events.

  NOTE: Event data can be archived to the file system as part of the partition management job.

Component: Collector Manager

  Location for configuration data: The file system at Install_Directory/data/eventdata and Install_Directory/data/rawdata. The most sensitive configuration information is the client key pair used to connect to the message bus.

  Location for event data: Event data might be cached on the file system during error conditions such as the message bus being down or event overflow. This cached event data is stored in the Install_Directory/data/collector_mgr.cache directory.
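The permission checks this section calls for (restricting access to the files that hold encrypted credentials, and to the event data and cache locations in Table 2-2), as an added example that is not part of the Sentinel documentation or product: a POSIX shell script that audits and tightens permissions on the paths named above (server.xml, configuration.xml, the message bus client keystore, and the data directories) and flags the keystorePassword attribute, which the configuration.xml fragment above carries in clear text. The install directory argument and the config/.activemqclientkeystore.jks location (taken from the "../config/" keystore reference in the fragment) are assumptions; the script relies only on find, chmod and grep.

```shell
#!/bin/sh
# Added example, not Sentinel's own tooling: audit and tighten permissions on
# the files and directories this section names as holding encrypted credentials,
# the message bus client keystore, and event data. The only argument is the
# Sentinel install directory. The keystore location config/.activemqclientkeystore.jks
# is an assumption derived from the "../config/" reference in configuration.xml.
set -u

SENSITIVE_PATHS="config/server.xml
config/configuration.xml
config/.activemqclientkeystore.jks
data/events
data/eventdata
data/rawdata
data/collector_mgr.cache"

# Print every sensitive path (recursing into directories) that has any
# group or other permission bit set. Returns 0 if nothing is exposed, 1 otherwise.
# Octal single bits: 040 g+r, 020 g+w, 010 g+x, 004 o+r, 002 o+w, 001 o+x;
# "-perm -NNN" matches when all bits of NNN are set, so each bit is tested alone.
check_sentinel_perms() {
    install_dir=$1
    exposed=0
    for rel in $SENSITIVE_PATHS; do
        path="$install_dir/$rel"
        [ -e "$path" ] || continue      # not every install has every path
        if find "$path" \( -perm -040 -o -perm -020 -o -perm -010 \
                           -o -perm -004 -o -perm -002 -o -perm -001 \) -print \
            | grep -q .; then
            echo "EXPOSED: $path"
            exposed=1
        fi
    done
    return $exposed
}

# Remove all group/other access from the sensitive paths, leaving the owner
# bits untouched so the account running Sentinel keeps working.
harden_sentinel_perms() {
    install_dir=$1
    for rel in $SENSITIVE_PATHS; do
        path="$install_dir/$rel"
        [ -e "$path" ] || continue
        chmod -R go-rwx "$path"
    done
    return 0
}

# Count lines carrying a keystorePassword attribute in configuration.xml.
# The fragment on the page stores this value in clear text, so any hit means
# file permissions are the only thing protecting the keystore password.
count_cleartext_keystore_passwords() {
    conf="$1/config/configuration.xml"
    [ -f "$conf" ] || { echo 0; return 0; }
    grep -c 'keystorePassword="' "$conf" || true   # grep -c prints 0 on no match
}

# Stand-alone use: sh sentinel_perms.sh /path/to/sentinel_install_dir
# Audits only; run harden_sentinel_perms yourself once you have reviewed the report.
if [ $# -eq 1 ]; then
    n=$(count_cleartext_keystore_passwords "$1")
    if [ "$n" -gt 0 ]; then
        echo "WARNING: $n clear-text keystorePassword value(s) in $1/config/configuration.xml"
    fi
    if check_sentinel_perms "$1"; then
        echo "OK: no sensitive path is readable or writable by group or others"
    else
        exit 1
    fi
fi
```

The audit deliberately tests each mode bit separately with "-perm -NNN" rather than using GNU find's "-perm /077", so it runs under any POSIX find. Hardening only strips group/other bits; it does not change ownership, so run it as (or after checking) the account that owns the Sentinel installation.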