On-premise Security
In the cloud version of LogSentinel SIEM we take all necessary operational security measures. However, in on-premise deployments this becomes the responsibility of the customer. Here are a few recommendations for keeping the installation secure.
Install TLS certificate
By default the LogSentinel SIEM appliance uses a self-signed certificate. If you want to use another certificate, e.g. one issued by Let's Encrypt, configure it either on the load balancer that you use (see "High availability") or on the appliance itself, for example by following the Let's Encrypt tutorial.
Configure network restrictions
The LogSentinel SIEM instances should only have the required ports opened. For a single, non-clustered appliance, that includes only 80 and 443.
For clustered setups, check the ports below:
* application nodes:
  * incoming: 8080 (web requests), 1514, 1515, 1516 (syslog), 5701 (Hazelcast) and 22 (SSH)
  * outgoing: 80, 443, 9200 (Elasticsearch), 9042 (Cassandra), 5701 and 465 (SMTP)
* database nodes:
  * incoming: 7000, 7001, 7199, 9042, 9160 and 22
  * outgoing: 80, 443, 7000, 7001
* search nodes:
  * incoming: 9200, 9300, 22
  * outgoing: 80, 443, 9300
* load balancer node:
  * incoming: 80, 443, 22
  * outgoing: 80, 443, 8080
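As an added example (not LogSentinel's own tooling), the following shell script turns the per-role port lists above into firewalld commands and also compares a host's listening ports against the allow-list for its role, so drift from the documented port set is visible. The assumptions are mine, not the page's: firewalld with the "public" zone, and TCP for every listed port (if your syslog sources send UDP, add 1514-1516/udp to the application role as well).

```shell
#!/bin/sh
# Added example; not LogSentinel's own tooling. Turns the per-role port lists
# from this page into firewalld commands and checks a host's listening ports
# against the allow-list for its role. Assumptions (mine, not the page's):
# firewalld with the "public" zone, and TCP for every listed port. If syslog
# sources send UDP, add 1514-1516/udp to the application role as well.

# Inbound ports per node role, copied from the documentation above.
# firewalld's default zones do not filter egress, so the outgoing lists are
# not reproduced here; apply them on the upstream firewall or with rich rules.
incoming_ports() {
    case "$1" in
        single)       echo "80/tcp 443/tcp" ;;
        application)  echo "8080/tcp 1514/tcp 1515/tcp 1516/tcp 5701/tcp 22/tcp" ;;
        database)     echo "7000/tcp 7001/tcp 7199/tcp 9042/tcp 9160/tcp 22/tcp" ;;
        search)       echo "9200/tcp 9300/tcp 22/tcp" ;;
        loadbalancer) echo "80/tcp 443/tcp 22/tcp" ;;
        *) echo "unknown role: $1" >&2; return 1 ;;
    esac
}

# Print (do not run) the firewall-cmd invocations that open the role's ports.
# Note that the public zone pre-allows the ssh and dhcpv6-client services; for
# the single-appliance role decide explicitly whether to remove them.
# Review the output, then pipe it to sh on the node.
firewalld_commands() {
    ports=$(incoming_ports "$1") || return 1
    echo "firewall-cmd --set-default-zone=public"
    for p in $ports; do
        echo "firewall-cmd --permanent --zone=public --add-port=$p"
    done
    echo "firewall-cmd --reload"
}

# Print every listening TCP port in $2 that is not on the role's allow-list.
# Feed it the live list, e.g.:  ss -Hltn | awk '{print $4}' | sed 's/.*://' | sort -un
# A non-empty result is configuration drift or an unexpected service worth investigating.
unexpected_ports() {
    allowed=$(incoming_ports "$1") || return 1
    for port in $2; do
        case " $allowed " in
            *" $port/tcp "*) ;;
            *) echo "$port" ;;
        esac
    done
}

# Usage: sh firewall-roles.sh <role>   prints the firewalld commands for that role
if [ $# -gt 0 ]; then
    firewalld_commands "$1"
fi
```

Generating the commands rather than executing them keeps the allow-list reviewable and lets the same script double as the drift check: run `unexpected_ports <role> "$(ss -Hltn | awk '{print $4}' | sed 's/.*://' | sort -un)"` from a cron job and alert on any output.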
Configure administrator access restrictions
Ideally SSH access to all nodes should be protected via 2-factor authentication. You can do that by executing the following setup-2fa.sh script:
#!/bin/sh
# Execute manually AFTER the host has been set up
# Based on https://aws.amazon.com/blogs/startups/securing-ssh-to-amazon-ec2-linux-hosts/
sudo yum -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
sudo yum -y install google-authenticator
# Execute this line for each user manually, before they can login. Use > sudo su <user> before that
google-authenticator --time-based --disallow-reuse --force --rate-time=30 --rate-limit=3 --window-size=8
# Redirections are performed by the invoking shell, so "sudo echo ... >> file" fails; append with tee instead
echo "auth required pam_google_authenticator.so" | sudo tee -a /etc/pam.d/sshd > /dev/null
sudo sed -i 's/ChallengeResponseAuthentication no/ChallengeResponseAuthentication yes/g' /etc/ssh/sshd_config
# Disable the password stack so that a password alone never satisfies PAM
sudo sed -i 's/auth substack password-auth/#auth substack password-auth/g' /etc/pam.d/sshd
# Require a public key AND a one-time code (printf, not echo, so the newline is written as a real line break)
printf '\nAuthenticationMethods publickey,keyboard-interactive\n' | sudo tee -a /etc/ssh/sshd_config > /dev/null
sudo service sshd restart
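After the script has run, it is worth verifying the result before relying on it. The shell functions below are an added example, not part of the LogSentinel documentation or tooling: they check that sshd_config and the PAM stack actually enforce public key plus one-time code, and catch the most common way this setup goes wrong (a stray escape sequence written into sshd_config, which sshd rejects as an unknown keyword). The paths default to /etc/ssh/sshd_config and /etc/pam.d/sshd; the sample files at the bottom are constructed so the checks can be tried offline.

```shell
#!/bin/sh
# Added example; not part of the LogSentinel documentation or tooling.
# Verifies that a host ended up with the sshd/PAM settings the setup-2fa.sh
# script is meant to produce. Default paths are the standard ones; pass a file
# as the argument to check a copy or a constructed sample instead.

# Return 0 if sshd requires a public key AND a one-time code. sshd honours the
# first occurrence of a keyword, so only the first match of each is inspected.
sshd_requires_2fa() {
    cfg="${1:-/etc/ssh/sshd_config}"
    cra=$(grep -Ei '^[[:space:]]*ChallengeResponseAuthentication[[:space:]]' "$cfg" \
          | head -n 1 | awk '{print tolower($2)}')
    methods=$(grep -Ei '^[[:space:]]*AuthenticationMethods[[:space:]]' "$cfg" \
          | head -n 1 | awk '{print $2}')
    if [ "$cra" = "yes" ] && [ "$methods" = "publickey,keyboard-interactive" ]; then
        return 0
    fi
    return 1
}

# Return 0 if a line begins with a literal backslash-n: the residue left when
# 'echo "\nAuthenticationMethods ..."' does not interpret the escape. Such a
# line is an unknown keyword to sshd and prevents it from starting.
sshd_config_has_stray_escape() {
    grep -q '^\\n' "${1:-/etc/ssh/sshd_config}"
}

# Return 0 if the PAM stack for sshd loads pam_google_authenticator as a required step.
pam_requires_otp() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_google_authenticator\.so' \
        "${1:-/etc/pam.d/sshd}"
}

# Print a human-readable report for one sshd_config and one pam.d/sshd file.
report() {
    if sshd_requires_2fa "$1"; then echo "sshd_config: publickey + OTP enforced"
    else echo "sshd_config: NOT enforcing publickey + OTP"; fi
    if sshd_config_has_stray_escape "$1"; then
        echo "sshd_config: stray escape-sequence line found; sshd will refuse this file"
    fi
    if pam_requires_otp "$2"; then echo "pam.d/sshd: pam_google_authenticator required"
    else echo "pam.d/sshd: pam_google_authenticator missing"; fi
}

# Constructed sample files (not taken from a real host) so the checks run offline.
SAMPLE_CFG=$(mktemp)
printf '%s\n' 'PermitRootLogin no' \
              'ChallengeResponseAuthentication yes' \
              'AuthenticationMethods publickey,keyboard-interactive' > "$SAMPLE_CFG"
SAMPLE_PAM=$(mktemp)
printf '%s\n' '#auth substack password-auth' \
              'auth required pam_google_authenticator.so' > "$SAMPLE_PAM"
report "$SAMPLE_CFG" "$SAMPLE_PAM"
rm -f "$SAMPLE_CFG" "$SAMPLE_PAM"
```

On a real node run `report /etc/ssh/sshd_config /etc/pam.d/sshd` as root, and run `sudo sshd -t` as well: it validates the full configuration syntax before the daemon is restarted, so a broken file is caught while the existing session is still open.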
Track administrative access through a custom PAM
We provide a custom PAM module which you can get by following the instructions here. The module makes sure that each administrative access is pushed directly to external sources (e.g. a qualified trust service provider). That way, if an administrator tries to manipulate the logs, it will not only be detected, but they will not be able to cover up who they were. The module performs some additional checks, e.g. whether the network is blocked, and does not let the administrator log in if the log event cannot be pushed properly.
Internal audit log
Every activity performed in the system is logged in a specialized admin account (initial values configurable through application.properties: admin.username and admin.password).
The audit log contains all authentication attempts, all configuration changes and all queries executed. Alert rules can be defined in this account to monitor the security of the SIEM deployment itself.