5.4 Securing Sentinel Data

IMPORTANT: Because of the highly sensitive nature of the data on the Sentinel Server, you should keep the machine physically secure and in a secure area of the network. To collect data from event sources outside the secure network, use a remote Collector Manager.

For certain components, passwords must be stored so that they are available when the system needs to connect to a resource such as the database or an event source. In this case, the password is encrypted before it is stored, so that the clear text password is not exposed to unauthorized access.

Even when the password is encrypted, you must still protect access to the stored password data in order to avoid password exposure. For example, ensure that the files that contain sensitive data are not readable by unauthorized users.

FILES

advisor_client.xml

Advisor Credentials

    <obj-component id="DownloadComponent">
      <class>esecurity.ccs.comp.advisor.feed.NewAdvClientDownload</class>
      <property name="advisor.downloadfrom.url">https://secure-www.novell.com/sentinel/advisor/advisordata</property>
      <property name="username">admin</property>
      <!-- Set the password (encrypted) using the adv_change_password script -->
      <property name="password">jqhlWIX8HD6GDHVX9FApWg==</property>
      <property name="compression.enabled">true</property>
      <!--
        Set the following properties to connect through an HTTP proxy.
        Set the proxy password (encrypted) using the adv_change_password script (make a
        copy of the script and add "-x" to the java cmd line to set the proxy password
        instead of the advisor password).
      -->
      <!--
      <property name="proxy_host"></property>
      <property name="proxy_port"></property>
      <property name="proxy_username"></property>
      <property name="proxy_password"></property>
      -->
    </obj-component>

Configuration.xml

    <strategy active="yes" id="jms" location="com.esecurity.common.communication.strategy.jmsstrategy.activemq.ActiveMQStrategyFactory" name="ActiveMQ">
      <jms brokerURL="failover://(ssl://localhost:61616?wireFormat.maxInactivityDuration=30000)?randomize=false" interceptors="compression" keystore="../config/.activemqclientkeystore.jks" keystorePassword="password" password="374d9f338b4dc4b50e45b3822fc6be12" username="system"/>
    </strategy>

das_binary.xml

Database Credentials

    <class>esecurity.base.ccs.comp.dataobject.ConnectionManager</class>
    <property name="username">appuser</property>
    <property name="password">7fA+ogBMeK7cRbJ+S6xJ/InLBUi+sRVGK5qYycDxfIqGDHVX9FApWg==</property>

das_core.xml

Database Credentials

    <class>esecurity.base.ccs.comp.dataobject.ConnectionManager</class>
    <property name="username">appuser</property>
    <property name="password">7fA+ogBMeK7cRbJ+S6xJ/InLBUi+sRVGK5qYycDxfIqGDHVX9FApWg==</property>

server.xml

Database Credentials

The database credentials are stored in the <installation_directory>/config/server.xml file:

    <class>esecurity.base.ccs.comp.dataobject.ConnectionManager</class>
    <property name="username">appuser</property>
    <property name="password">7fA+ogBMeK7cRbJ+S6xJ/InLBUi+sRVGK5qYycDxfIqGDHVX9FApWg==</property>

Some database tables store passwords and certificates. This sensitive data is encrypted and is stored in the tables listed below. You must limit access to these tables.

Sentinel Rapid Deployment stores both configuration data and event data. The locations of both kinds of data are listed below, per component.

Sentinel Rapid Deployment server

Configuration data: Database tables and the file system (<install_directory>/config). This configuration information includes the encrypted passwords for the database, event sources, and integrators.

Event data: Database (EVENTS, CORRELATED_EVENTS, EVT_SMRY_, and AUDIT_RECORD tables) and the file system at <Install_Directory>/data/eventdata and <Install_Directory>/data/raw data. The event data can be archived to the file system as part of the partition management job.

Correlation Engine

Configuration data: File system (<Install_Directory>/config). The only sensitive configuration information is the client key pair used to connect to the message bus.

Event data: correlation_engine.cache

DAS Core

Configuration data: <Install_Directory>/config

Event data: das_core.cache

DAS Binary

Configuration data: <Install_Directory>/config

Event data: das_binary.cache. The event data might be cached here if the database is down.

Collector Manager

Configuration data: File system (<Install_Directory>/config). The only sensitive configuration information is the Collector Manager user password used to connect to the message bus.

Event data: The event data might be cached on the file system during error conditions, such as the message bus being down or event overflow. This cached event data is stored in the <Install_Directory>/data/collector_mgr.cache directory.

Client Applications

Configuration data: File system (install_directory/config). The client applications do not store any sensitive information in their configuration files. Note, however, that client applications can export the ESM data to a local file system; the exported file contains encrypted passwords if they are present in the configuration of the event sources that were exported. Although the passwords are encrypted, the ESM export permission should be given only to users who can be trusted with this privilege.

Event data: None
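As an added example (not from the Sentinel documentation), the following POSIX shell audit checks the credential files and cache directories named in this section for group or world access, and lists the password settings found in a configuration file, flagging values that do not have the shape of the encrypted blobs quoted above (the keystorePassword attribute in the configuration.xml fragment is the kind of readable value it reports). It assumes GNU stat, takes the install directory as a parameter, and runs against a constructed sample tree rather than a real installation.

```shell
#!/bin/sh
# Added example, not part of the Sentinel documentation: audit the sensitive paths from this
# section for group/world access, and classify password settings in a config file as an
# encrypted-looking blob, readable text, or empty. GNU stat assumed; sample tree is constructed.
# Paths relative to <Install_Directory> that hold credentials, the message-bus key pair, or cached events.
SENSITIVE_PATHS="config/server.xml config/das_core.xml config/das_binary.xml config/advisor_client.xml
config/configuration.xml config/.activemqclientkeystore.jks data/eventdata data/collector_mgr.cache"
# Succeed only when the path has no group or other permission bits at all (e.g. 600, 700, 2700).
path_is_private() {
  mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
  case "$mode" in 0|*00) return 0 ;; *) return 1 ;; esac   # last two octal digits are group and other
}
# Print "MISSING <path>" or "OPEN <mode> <path>" for each sensitive path that needs attention.
audit_paths() {
  for rel in $SENSITIVE_PATHS; do
    p="$1/$rel"
    if [ ! -e "$p" ]; then
      echo "MISSING $p"        # normal on a node that does not run that component (e.g. a remote Collector Manager)
    elif ! path_is_private "$p"; then
      echo "OPEN $(stat -c '%a' "$p") $p"
    fi
  done
}
# Print "<setting> <verdict>" for every <property name="...password..."> element and every
# ...password="..." attribute in FILE. "blob" means a base64 or hex string of 16+ characters, the
# shape of the encrypted values quoted in this section; "readable" or "empty" deserve a closer look.
password_settings() {
  { sed -n 's/.*<property name="\([^"]*[Pp]assword[^"]*\)">\([^<]*\)<\/property>.*/\1=\2/p' "$1"
    grep -o '[A-Za-z_.]*[Pp]assword[A-Za-z_.]*="[^"]*"' "$1" | tr -d '"'
  } | while IFS= read -r line; do
    name=${line%%=*}; value=${line#*=}
    case "$value" in "") verdict=empty ;;
      *) printf '%s' "$value" | grep -Eq '^([A-Za-z0-9+/]{16,}={0,2}|[0-9a-fA-F]{16,})$' && verdict=blob || verdict=readable ;; esac
    echo "$name $verdict"
  done
}
# Constructed sample install tree that imitates the fragments quoted in this section (not a real install).
make_sample_install() {
  d=$(mktemp -d); mkdir -p "$d/config" "$d/data/eventdata"
  printf '%s\n' '<property name="password">7fA+ogBMeK7cRbJ+S6xJ/InLBUi+sRVGK5qYycDxfIqGDHVX9FApWg==</property>' > "$d/config/server.xml"
  printf '%s\n' '<jms keystore="../config/.activemqclientkeystore.jks" keystorePassword="password" password="374d9f338b4dc4b50e45b3822fc6be12" username="system"/>' > "$d/config/configuration.xml"
  chmod 600 "$d/config/server.xml"; chmod 644 "$d/config/configuration.xml"; chmod 750 "$d/data/eventdata"
  echo "$d"
}
SENTINEL_HOME=$(make_sample_install)
audit_paths "$SENTINEL_HOME"                                  # flags configuration.xml (644) and eventdata (750)
password_settings "$SENTINEL_HOME/config/configuration.xml"   # keystorePassword readable, password blob
rm -rf "$SENTINEL_HOME"
```

Run it with SENTINEL_HOME pointed at a real install directory instead of the constructed tree to get the same report for that node; paths that the node does not use are reported as MISSING rather than as findings.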