2.1 Hardening

2.1.1 Out of the Box Hardening

The following sections describe the out of the box hardening mechanisms used in Sentinel Log Manager:

Novell Sentinel Log Manager Application

  • All unnecessary ports are turned off.

  • Whenever possible, a service port listens only for local connections and does not allow remote connections.

  • Files are installed with the least privileges so that only a small number of users can read the files.

  • Default passwords are not permitted to be used.

  • Reports against the database run as a user that has only select permissions on the database.

  • All web interfaces require HTTPS.

  • Prior to releasing the product, a vulnerability scan was run against the application and all potential security problems were addressed.

  • All communication over the network uses SSL by default and is configured for authentication.

  • User account passwords are encrypted by default when stored on the file system or in the database.

Novell Sentinel Log Manager Appliance

In addition to the points listed under Novell Sentinel Log Manager Application, the Sentinel Log Manager Appliance also has the following:

  • The appliance includes a Just enough Operating System (JeOS). Only the required packages are installed.

  • Default passwords for the appliance operating system or the control center are not permitted for use.

  • The firewall is enabled by default and all unnecessary ports are closed in the firewall configuration.

  • Prior to releasing the product, a vulnerability scan was run against the appliance and all potential security problems were addressed.

  • It is automatically configured to monitor the syslog messages of the local operating system.

2.1.2 Enforcing Password Policy for Users

The Sentinel Log Manager utilizes standards-based mechanisms to make it easier to enforce password policies.

The installer creates and configures a PostgreSQL database with the following users.

dbauser: The database owner (database administrator user). The password is set during the installation process.

appuser: A user that is used by the Sentinel Log Manager server process (the ConnectionManager) to log in to the database. The password is randomly generated during the installation process, and it is intended for internal use only.

admin: The administrator credentials can be used to log in to the Sentinel Log Manager Web interface. The password is set during the installation process.

By default, user passwords are stored within the PostgreSQL database embedded in Sentinel Log Manager. PostgreSQL provides the option to utilize a number of standards-based authentication mechanisms, as described in Client Authentication.

Utilizing these mechanisms affects all user accounts in Sentinel Log Manager, including users of the Web application and accounts used only by back-end services, such as dbauser and appuser.

A simpler option is to use an LDAP directory to authenticate Web application users. To enable this option by using the Sentinel Log Manager Web UI, see Section 11.0, LDAP Authentication. This option has no effect on accounts used by back-end services, which continue to authenticate through PostgreSQL unless you change the PostgreSQL configuration settings.

You can achieve robust Sentinel Log Manager password policy enforcement by combining these standards-based mechanisms with the existing mechanisms in your environment, such as your LDAP directory.
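PostgreSQL's client-authentication rules live in pg_hba.conf, and any rule whose METHOD is trust (no password asked) or password (sent in cleartext) silently undercuts the password policy for the account it matches, dbauser and appuser included. The audit script below is an added example, not part of the Sentinel Log Manager documentation or product; both pg_hba.conf files it checks are constructed, and the path of the embedded database's real file is an assumption to confirm on your own system.

```shell
#!/bin/sh
# Added example, not from the Sentinel Log Manager documentation: audit a
# PostgreSQL pg_hba.conf for rules whose METHOD defeats a password policy.
# Both files below are constructed; the location of the embedded database's
# real pg_hba.conf is an assumption you must confirm on your own system.

# "trust" asks for no password at all and "password" sends it in cleartext;
# md5, ldap, pam, cert and the other methods are accepted by this check.
WEAK_METHODS='trust|password'

# audit_pg_hba FILE: print every rule using a weak method; return 1 if any.
audit_pg_hba() {
    file=$1
    found=0
    # Fields: TYPE DATABASE USER [ADDRESS] METHOD [OPTIONS]
    while read -r type db user rest; do
        case "$type" in ''|'#'*) continue ;; esac
        set -- $rest                      # word-split: [ADDRESS] METHOD [OPTIONS]
        if [ "$type" = local ]; then method=$1; else method=$2; fi
        if printf '%s\n' "$method" | grep -Eqx "$WEAK_METHODS"; then
            printf 'WEAK: %s %s %s %s\n' "$type" "$db" "$user" "$rest"
            found=1
        fi
    done < "$file"
    return "$found"
}

# count_weak FILE: number of weak rules, as a plain integer.
count_weak() { audit_pg_hba "$1" | wc -l | tr -d ' '; }

WEAK_HBA=$(mktemp); HARDENED_HBA=$(mktemp)
trap 'rm -f "$WEAK_HBA" "$HARDENED_HBA"' EXIT
# Constructed "before": the dbauser and loopback rules bypass or expose passwords.
cat > "$WEAK_HBA" <<'EOF'
# TYPE  DATABASE  USER     ADDRESS        METHOD
local   all       dbauser                 trust
local   all       appuser                 md5
host    all       all      127.0.0.1/32   password
EOF
# Constructed "after": every rule demands a hashed or directory-backed credential.
cat > "$HARDENED_HBA" <<'EOF'
local   all       dbauser                 md5
local   all       appuser                 md5
host    all       all      127.0.0.1/32   md5
hostssl all       all      127.0.0.1/32   ldap ldapserver=ldap.example.com
EOF

audit_pg_hba "$WEAK_HBA" || echo "weak rules present; fix them before relying on the password policy"
```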

2.1.3 Securing Sentinel Log Manager Data

Because of the highly sensitive nature of the data in Sentinel Log Manager, you must keep the machine physically secure and in a secure area of the network. To collect data from event sources outside the secure network, use a remote Collector Manager. For more information on remote Collector Managers, see Installing Additional Collector Managers in the Sentinel Log Manager 1.1 Installation Guide.

Sentinel Log Manager is compatible with disk encryption technologies. These technologies provide a higher level of data privacy when they are used on the file systems where Sentinel Log Manager stores its data. However, software-based encryption technologies, such as dm-crypt, have a significant CPU overhead; they can dramatically reduce the performance of Sentinel Log Manager by 50% or more. On the other hand, hardware-based encryption technologies have a much lower impact on the performance of the rest of the system and are available from leading hard drive manufacturers.

2.1.4 Securing Communication with Networked Storage

You must consider the security implications before deciding which type of networked storage location to use. If you are using CIFS or NFS servers as networked storage locations to store the Sentinel Log Manager event data and raw data, remember that these protocols do not offer data encryption. An alternative is to use direct attached storage (local or SAN), which does not have the same security vulnerabilities. If you choose to use CIFS or NFS, it is important to configure the CIFS or NFS server to maximize the security of your data.

For more information about configuring the networked storage location server settings, see Section 3.2.3, Configuring Networked Storage.