
Security Configuration: Component Authentication

Tags: Version 11.5

    This topic describes how component authentication settings control the process of verifying an identity claimed by an external or internal system or component.

    Host Configuration and Service Authentication

    When you install or upgrade to NetWitness Platform 11.x, trusted connections are established by default with two settings:

    1. SSL is enabled.
    2. NetWitness Platform is connected to core services using the encrypted SSL port.

    Because SSL is enabled by default, RSA NetWitness Platform provides secure authentication for the services on the following hosts:

    • NetWitness Server
    • Decoder
    • Log Decoder
    • Concentrator
    • Broker
    • Log Collector
    • Archiver
    • ESA
    • Malware Analysis
    • Endpoint
    • UEBA

    Note: By default all the services on the hosts have SSL enabled.

    For more information, see the Host and Service Configuration Guide.

    Changing Credentials for Default Configuration Service Accounts

    For information on how to reset the password of the admin user of the host service accounts, see "Users Tab" in the Host and Services Configuration Guide.

    Note: The default user name of the host service accounts (admin) cannot be modified.

    Configuring Live Account Authentication

    RSA NetWitness Platform supports secure authentication for the Live account connection to the Content Management System (CMS) because SSL is enabled by default. The default communications port on the CMS is 443. For information on how to configure this setting, see "Configure Live Settings" in the System Configuration Guide.

    Configuring Lockbox Authentication

    Lockbox provides an encrypted file that Warehouse Connector or Log Collector uses to store and protect sensitive data. You need to create the lockbox by providing a lockbox password while configuring the Warehouse Connector or Log Collector for the first time. For more information on lockbox setup, see the following topics:

    • "Log Collector - Set Up a Lockbox" in the Log Collection Guide.
    • "Warehouse Connector - Create Lockbox" in the Host and Services Configuration Guide.

    Change Root Account Password On All NW Hosts

    You must change the default SSH root account password to a strong password on all hosts in the NetWitness Platform deployment.

    Display Logon Banner for Remote SSH Connections

    RSA NetWitness Platform allows you to customize the logon banner so that a standard government or corporate warning notice is displayed for SSH remote connections to the hosts.

    For example:

    "This system is private. Use or misuse may be logged and invalid access pursued."

    1. Log on to the appliance using root credentials.
    2. Type cd /etc/ to switch to the /etc/ directory.
    3. Edit the /etc/issue.net file with the required banner text.
    4. Save the changes and exit.
    5. Type cd /etc/ssh to switch to the /etc/ssh directory.
    6. Edit the /etc/ssh/sshd_config file: uncomment the Banner directive and set it to the location of the banner text file (for example, /etc/issue.net).

      The following is an example of the relevant lines of an sshd_config file before being modified:

      # no default banner path

      #Banner none

      The following is an example of the same lines after being modified (the leading # is removed so that the directive takes effect):

      # no default banner path

      Banner /etc/issue.net

    7. Save the changes and exit.
    8. Type service sshd restart to restart the sshd service.
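    The procedure above, scripted as an added example; this is not part of the NetWitness documentation, and the function names are mine. The file paths and the banner text come from the steps above. The edit function takes the sshd_config path as a parameter so it can be exercised on a copy first; it replaces the first Banner directive whether or not it is commented out, appends one if the file has none, and the apply step validates the result with sshd -t before restarting sshd, because a restart on a malformed sshd_config would cut off remote administrative access to the host.

```shell
#!/bin/sh
# Added example (not from the NetWitness documentation): set the SSH logon banner.
# Paths default to those named in the procedure; pass others to test on copies.

# write_banner BANNER_FILE TEXT
#   Write the banner text shown to users before authentication (e.g. /etc/issue.net).
write_banner() {
    printf '%s\n' "$2" > "$1"
}

# set_sshd_banner SSHD_CONFIG BANNER_FILE
#   Leave SSHD_CONFIG with exactly one active "Banner BANNER_FILE" directive.
#   sshd keywords are case-insensitive and the first occurrence wins, so the first
#   Banner line (commented out or not) is rewritten, later ones are dropped, and a
#   directive is appended when the file has none. Re-running is a no-op.
set_sshd_banner() {
    cfg="$1"
    tmp="$cfg.tmp.$$"
    awk -v b="$2" '
        tolower($0) ~ /^[ \t]*#?[ \t]*banner([ \t]|$)/ {
            if (!done) { print "Banner " b; done = 1 }
            next
        }
        { print }
        END { if (!done) print "Banner " b }
    ' "$cfg" > "$tmp" && mv "$tmp" "$cfg"
}

# effective_banner SSHD_CONFIG
#   Print the banner path sshd would actually use (first uncommented directive),
#   or "none" when no banner is configured. Useful as a post-change check.
effective_banner() {
    b=$(awk 'tolower($1) == "banner" { print $2; exit }' "$1")
    printf '%s\n' "${b:-none}"
}

# apply_banner [SSHD_CONFIG] [BANNER_FILE] [TEXT]
#   Steps 3 to 8 of the procedure, with a backup and a syntax check before restart.
apply_banner() {
    cfg=${1:-/etc/ssh/sshd_config}
    banner_file=${2:-/etc/issue.net}
    text=${3:-"This system is private. Use or misuse may be logged and invalid access pursued."}
    cp -p "$cfg" "$cfg.bak.$(date +%Y%m%d%H%M%S)"   # restorable copy of the original
    write_banner "$banner_file" "$text"
    set_sshd_banner "$cfg" "$banner_file"
    # sshd -t parses the file and exits non-zero on any error; never restart on a broken config.
    if sshd -t -f "$cfg"; then
        service sshd restart
    else
        echo "$cfg failed validation; sshd was not restarted" >&2
        return 1
    fi
}

# Only modify the live system when explicitly asked and running as root.
if [ "${1:-}" = "--apply" ] && [ "$(id -u)" -eq 0 ]; then
    apply_banner
fi
```

    Run it as root with --apply on each host; without the flag it only defines the functions, so it can be sourced to check a copy of sshd_config with effective_banner before touching the real file.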

    Secure Boot Loader

    A boot loader password is set to prevent unauthorized modification of boot menu entries. Change the default password to a strong password.

    To change the boot loader password:

    1. Run the grub2-setpassword command as root.

      # grub2-setpassword

    2. Enter and confirm the password:

      Enter password:

      Confirm password:

    Disable Interactive Startup

    To prevent users from starting the system interactively, as root set the PROMPT parameter in the file /etc/sysconfig/init to no:

    PROMPT=no
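    A read-only check for the two settings above, added here as an example rather than taken from the NetWitness documentation. It assumes the RHEL/CentOS 7 layout, where grub2-setpassword stores the PBKDF2 hash as GRUB2_PASSWORD in /boot/grub2/user.cfg, and the /etc/sysconfig/init file named above; both paths are parameters so they can be confirmed on the deployment and the functions exercised on copies of the files.

```shell
#!/bin/sh
# Added example (not from the NetWitness documentation): verify boot loader password
# and interactive-startup settings. Default paths assume RHEL/CentOS 7; confirm them
# on your hosts before relying on the result.

# grub_password_set [USER_CFG]
#   Succeed when a GRUB2_PASSWORD entry holding a PBKDF2-SHA512 hash is present,
#   which is what grub2-setpassword writes. A missing file or a plain-text value fails.
grub_password_set() {
    grep -Eq '^GRUB2_PASSWORD=grub\.pbkdf2\.sha512\.' "${1:-/boot/grub2/user.cfg}" 2>/dev/null
}

# interactive_startup_disabled [INIT_FILE]
#   Succeed when the last PROMPT assignment in the file is exactly "no". The file is
#   sourced as shell, so a later assignment overrides an earlier one, and a malformed
#   line such as "PROMPT= no" does not set the variable and therefore fails the check.
interactive_startup_disabled() {
    f=${1:-/etc/sysconfig/init}
    [ -r "$f" ] || return 1
    v=$(sed -n 's/^[[:space:]]*PROMPT=\(.*\)$/\1/p' "$f" | tail -n 1 | tr -d "\"'")
    [ "$v" = "no" ]
}

# report [USER_CFG] [INIT_FILE]
#   Print one PASS/FAIL line per setting; exit status is non-zero if anything failed.
report() {
    rc=0
    if grub_password_set "$1"; then
        echo "PASS boot loader password is set"
    else
        echo "FAIL boot loader password is not set (run grub2-setpassword as root)"
        rc=1
    fi
    if interactive_startup_disabled "$2"; then
        echo "PASS interactive startup is disabled (PROMPT=no)"
    else
        echo "FAIL PROMPT is not set to no in ${2:-/etc/sysconfig/init}"
        rc=1
    fi
    return $rc
}

# Only run the report when explicitly asked, so the functions can also be sourced.
case "${1:-}" in
    --check) report "$2" "$3"; exit $? ;;
esac
```

    Run with --check (optionally followed by the two file paths) from a configuration-audit job on each host; a non-zero exit status flags a host where either hardening step from this page has not been completed.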
