Use the following best practices to secure your Sentinel server:
To increase security, you can change the passwords of the system users created during the installation of Sentinel. There are two different types of users:
The Sentinel server installation creates a novell system user and novell group that owns the installed files within the install_directory. The user’s home directory is set to /home/novell. By default, if a new user is created, the password for the user is not set in order to maximize security. If you want to log in to the system as the novell user, you must set a password for the user after installation.
Sentinel application users are native database users and their passwords are protected by the native database platform, unless LDAP authentication is used. These users have only read access to certain tables in the database so that they can execute queries against the database. Users authenticated by LDAP do not have read access on the database.
The admin user is the administrator user for Sentinel user applications.
By default, the following database users are created during installation:
dbauser: The dbauser is created as a superuser who can manage the database and is typically the user who can log in to the pgAdmin. The password for the dbauser is the same as the admin user password during installation. This password is stored in the user home directory/.pgpass file. The system follows the PostgreSQL database password policies.
appuser: The appuser is the non-superuser used by Sentinel to connect to the database. The password for the appuser is the same as the password for the admin user during installation. This password is stored encrypted in the /etc/opt/novell/sentinel/config/server.xml file. To modify the password for appuser, in the database use the following command:
db.sh sql SIEM dbauser "ALTER ROLE appuser WITH password 'new_password’”
Update the server.xml file by using the using the /opt/novell/sentinel/bin/dbconfig utility.
For more information, see Section 1.5, Command Line Utilities.
NOTE:There is also a PostgreSQL database user that owns the entire database, including system database tables. By default, the postgres database user is set to NOLOGIN, so that no one can log in as the PostgreSQL user.
The Sentinel utilizes standards-based mechanisms to make it easier to enforce password policies.
The installer creates and configures a PostgreSQL database with the following users.
dbauser: The database owner (database administrator user). The password is set during the installation process.
appuser: A user that is used by the Sentinel server process (the ConnectionManager) to log in to the database. The password is same password you entered for the admin user during installation.
admin: The administrator credentials can be used to log in to the Sentinel Web interface. The password is set during the installation process.
By default, user passwords are stored within the PostgreSQL database embedded in Sentinel. PostgreSQL provides the option to utilize a number of these standards-based authentication mechanisms, as described in “Client Authentication”
Utilizing these mechanisms affects all user accounts in Sentinel, including users of the Web application and accounts used only by back-end services, such as dbauser and appuser.
A simpler option is to use an LDAP directory to authenticate Web application users. To enable this option by using the Sentinel Web interface, see Section 3.0, Configuring LDAP Authentication. This option has no affect on accounts used by back-end services, which continue to authenticate through PostgreSQL unless you change the PostgreSQL configuration settings.
You can achieve robust Sentinel password policy enforcement by using these standards-based mechanisms and the existing mechanisms in your environment, such as your LDAP directory.
You can configure Sentinel to securely collect data from various event sources. However, secured data collection is determined by the specific protocols supported by the event source. For example, the Check Point LEA, Syslog, and Audit Connectors can be configured to encrypt their communication with event sources.
For more information on the possible security features that can be enabled, see the Sentinel Plug-ins Web site.
You must consider the security implications before deciding the type of networked storage location to use. If you are using CIFS or NFS servers as networked storage locations to store the Sentinel event data and raw data, remember that these protocols do not offer data encryption. An alternative is to use direct attached storage (local or SAN), which does not have the same security vulnerabilities. If you choose to use CIFS or NFS, it is important to configure the CIFS or NFS server to maximize the security of your data.
For more information about configuring the networked storage location server settings, see Section 5.2.3, Configuring Networked Storage.
Sentinel generates audit events for many actions performed by users and also for actions performed internally for system activities. These events are tagged with the Sentinel tag and can be included within a report by selecting and searching by using the rv145:Sentinel query. However, you must have the necessary permissions to view system events. For more information, see Section 2.0, Configuring Users and Roles.
Sentinel includes reports that are preconfigured to include only the events tagged with the Sentinel tag.
A well-audited Sentinel system not only audits the events occurring within Sentinel, but also the infrastructure that Sentinel is running on top of. You can set up data collection from the machines and the devices that make up the Sentinel infrastructure and tag them with the Sentinel tag to enable a complete auditing of the systems that can affect the behavior of Sentinel.
The raw data files are stored in one of the following locations:
Local storage location: <Sentinel data directory>/rawdata/online
Networked storage location: <Sentinel networked storage directory>/rawdata_archive
If your networked storage is NFS or CIFS, then the NFS/CIFS share is automatically mounted to the /var/opt/novell/sentinel/data/archive_remote directory on the Sentinel server. If the networked storage is SAN, then the NFS/CIFS share is mounted to the directory configured by you.
Each raw data file is either a .zip file or a .log file. A .zip file contains the.log files in a compressed format. For more information on raw data files, see Section 5.1.1, Raw Data.
You can check the integrity of raw data files present in local or networked storage by using UI.
To determine if the deleted raw data files were tampered with:
Verify the sequence number of JSON records. All JSON records have same ChainID with a monotonically increasing ChainSequence number starting with zero. There are no gaps or missing numbers in the ChainID sequence. If a new ChainID is present, then its ChainSequence begins with zero.If there are gaps in the sequence of numbers, the records were either tampered with or were manually deleted.
Verify the RawDataHash against the RawData.To do this, convert the RawData value to a sequence of bytes in UTF-8 format. Calculate a 256 SHA digest against those bytes. Convert the digest to a HEX string, and compare the string with the value in RawDataHash. If they are not identical, either the RawData or the RawDataHash file was tampered with.
If, for example, you want to compute the hash of a file on the file system on Linux, specify a command similar to the following:
sha256sum F6673C60-573A-102D-ADE0-003048306A7C/2010-06/15-1600.zip
For example, if, you want to query the database for the hash of a file, you can specify a command similar to the following:
db.sh sql SIEM dbauser "select FILE_HASH from RAW_DATA_FILES_INFO where FILE_NAME='/F6673C60-573A-102D-ADE0-003048306A7C/2010-06/15-1600.zip';"
However, there is a possibility that a person tampered with the files in such a way that the tampering cannot be detected, because the person also recomputed the sequence number or the RawDataHash. To determine if the raw data files were tampered with, there is another method by using the hash key values of each raw data file stored in the database. The Sentinel server calculates a hash key value for every raw data file and stores it in the RAW_DATA_FILES_INFO table in the database.
The table has the following columns:
FILE_NAME: This column contains the relative file name in the following format:
<Event Source UUID>/<Date>/<RawDataFile>
STATE: This column indicates if the raw data file is in the local storage location or the networked storage location.If the value is ARCHIVED, the raw data file is in the networked storage location. If the value is ONLINE or COMPRESSED, the raw data file is in the local storage location. If the value is DELETED, it indicates that the file is deleted from the disk and was not present either in local or in networked storage location.
FILE_HASH: The hash value is computed after the file is compressed and placed in a .zip file. Therefore, only files in the COMPRESSED or ARCHIVED state have a hash value.The FILE_HASH column contains a SHA256 hash key value computed over the contents of the file. The file is treated as a stream of binary bytes in order to compute the hash. The hash is stored as a HEX string (lowercase).
To determine if a file is tampered with, compute the SHA-256 hash, convert it to a HEX string (lowercase), then compare this computed value with the hash value stored in the RAW_DATA_FILES_INFO table. If the values are different, it indicates that either the file or the database has been tampered with.
To determine if the files were deleted in an unauthorized way, you can scan the records in the RAW_DATA_FILES_INFO table and look for files whose STATE value is ARCHIVED, ONLINE, or COMPRESSED.You can ignore those marked DELETED. If the STATE value is ARCHIVED, the raw data file should be in the networked storage location. If the STATE value is ONLINE or COMPRESSED, the raw data file should be in the local storage location or the networked storage location.
Sentinel uses several digital, public-key certificates as part of establishing secure TLS/SSL communications. During the initial configuration of Sentinel, these certificates are self-signed. In some circumstances, it might be necessary to obtain certificates digitally signed by a certificate authority (CA).
You can replace the self-signed certificate with a certificate signed by a well-known CA, such as VeriSign, Thawte, or Entrust. You can also replace the self-signed certificate with a certificate digitally signed by a less common CA, such as a CA within your company or organization.
NOTE:There are many well-known CAs and identifying which CAs are most commonly used varies with the country.
This section provides information on various certificates used in Sentinel and also provides instructions on configuring the TLS/SSL certificates to get them digitally signed by CA and then importing the digitally signed certificates into Sentinel:
The Web server certificate is used for the following purposes:
It is used with Web browsers to connect to the Sentinel Web user interface.
It is used to establish trust relationships for the REST API calls between Sentinel instances. For example, it is used when configuring Distributed Search.
If the Web server certificate is not signed by a well-known CA and you connect to the Sentinel Web user interface, the Connection is Untrusted message is displayed.
The Java Messaging Service (JMS) certificates include the following:
Broker Certificate
Client Certificate
The JMS certificates are used to establish secure communications between various components of Sentinel, including the Sentinel server and remote Collector Managers.
The Client Proxy Server certificate is used to establish secure communication between the Sentinel server and client applications, such as the Sentinel Control Center or the Solution Designer. This certificate is not used with the Sentinel Web interface.
Sentinel provides the ssl_certs command line tool that helps with the certificate signing process. This tool is available at:
<installation_root>/opt/novell/sentinel/setup/ssl_certs
The tool can be run in an interactive mode or with the command line specifications and options. To see the command line options, change to the directory that contains ssl_certs, then run the -help command.
Configuring the TLS/SSL certificates involves the following steps:
To obtain a digitally signed certificate, you must first generate a certificate signing request, which is presented to the CA. To generate one or more certificate signing requests, perform the following steps on the Sentinel server:
Log in as the novell user, or switch to the novell user.
Change to the setup directory:
cd $APP_HOME/setup
Run the ./ssl_certs script
The following options are displayed:
1. Generate certificate signing requests 2. Import Certificate Authority root certificate 3. Import certificates signed by Certificate Authority 4. Exit
Enter 1.
The following options are displayed if you are running tool on the Sentinel server:
1. Web Server 2. Java Messaging Service 3. Client Proxy Service 4. All 5. Done
or
If you run this tool on a remote Collector Manager or remote Correlation engine you are only presented with two options:
1. Java Messaging Service 2. Done
Specify the service for which you want to obtain the signed certificates.
Specify a filename where the certificate signing request must be saved.
The default filename is based on the internal name of the certificate entry.
Select another service if necessary, or enter 5 to select Done to exit from the service option.
Enter 4 to exit from the TLS/SSL certificate configuration.
The certificate signing requests are now saved in the specified files.
Submit the certificate signing requests to the CA for signature.
Obtain the signed certificate files from the CA.
The details of how this is done depend on the CA. For more information, consult your CA.
Copy the files that contains the digital certificates signed by the CA to the Sentinel server. If the files are signed by an enterprise or organizational CA rather than a well-known CA, you must copy the CA's self-signed root certificate to the Sentinel server.
To import the certificate files to the Sentinel server:
Log in as the novell user, or switch to the novell user.
Change to the setup directory:
cd $APP_HOME/setup
Run the .ssl/certs command.
The following options are displayed:
1. Generate certificate signing requests 2. Import Certificate Authority root certificate 3. Import certificates signed by Certificate Authority 4. Exit
(Conditional) For certificates that are signed by the enterprise or organizational CAs, enter 2, then specify the name of the file that contains the CA root certificates.
(Conditional) For certificates that are signed by a well-known CA such as Verisign or Entrust, enter 3.
Select the service for which you obtained the signed certificates.
Specify the name of the file that contains the CA’s signed digital certificate.
Select another service if necessary, or enter 5 to select Done and exit from the service option.
Enter 4 to exit from the TLS/SSL certificate configuration.
Restart Sentinel.
There can be conflicts with the certificates on the remote Collector Manager and remote Correlation Engine, depending on the order products are installed and certificates are generated. A common cause of conflicts occurs if you installed products in the following order:
You installed the server Sentinel server.
You installed a remote Collector Manager or Correlation Engine.
You obtained and imported a digitally signed certificate into the first Sentinel server.
If you do things in this order, the certificates on the remote Collector Manager and Correlation Engine don’t match the certificates on the Sentinel server. This causes errors when trying to access the Sentinel Web interface and other Sentinel services.
To fix this issue you must import the digitally signed certificate into the remote Collector Manager and Correlation Engine.