Security Configuration: Other Security Considerations

Tags: Version 11.4

This topic describes various other security configuration settings that are not covered in previous sections.

Changing the RabbitMQ Management Password for Windows Legacy Collectors

For Windows Legacy Log Collectors (WLCs), a default password is used for the "logcollector" username to access the RabbitMQ broker on that machine. RSA recommends that you change the password for WLCs, per the procedure outlined below, which involves changing the RabbitMQ password both for the Log Collector and for the RabbitMQ broker.

Note: For CentOS, changing the RabbitMQ password is not supported.

If you are using a Log Collector, you may have to initialize the "lockbox". For instructions, see the "Set Up a Lockbox" topic in the Log Collection Guide.

To change the RabbitMQ password:

  1. Change the RabbitMQ password in Log Collector:
    1. Go to the Explore view for the Log Collector service.
    2. Right-click the event-broker node and select config.
    3. Type the new password in the amqp_password field. The password is encrypted by a key that is managed through the lockbox of this Log Collector. This only changes the password on the Log Collector side.

    Note: Most of the settings should not be changed. Ensure you do NOT change the Message Queue User Name "amqp_username" because it is referred to in some certificate checks.

  2. Change the RabbitMQ password for the RabbitMQ broker:
    1. Go to the Explore view for the Log Collector service.
    2. Right-click the event-broker node and select properties.
    3. Select passwd in the drop-down list.
    4. In the Parameters field, type the old and new password.
      Ensure you remember your old password. If it was never changed, it should be "netwitness" by default.
      Example: Parameters: oldpw= newpw=
    5. Click Send.

Hardening the NetWitness Platform Core service

By default, all NetWitness Platform Core services ship with a default username and password and with SSL turned off. To harden the service, you have to run it with the command line option -s harden=true.

Using a Decoder, here's an example command line:

NwDecoder -s harden=true -s defaultUsername= -s defaultPassword=

The above command does the following:

  1. Removes the default admin account (with caveats, see below).
  2. Creates a new account with a password of (thus meeting the password requirements below).
  3. Enables SSL on both the native and REST ports.
  4. Strengthens default password requirements:
    • /users/config/account.lockout.time = 60

    • /users/config/password.alpha.lowercase.min = 1

    • /users/config/password.alpha.uppercase.min = 1

    • /users/config/password.length.min = 8

    • /users/config/password.numeric.min = 1

    • /users/config/password.symbol.min = 1

  5. Sets /rest/config/user.agent.whitelist = Apache-HttpClient/\d\.\d\.\d

    Note: This setting prevents browsers from connecting to the REST port.
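The following is an added example (not NetWitness code) that applies the hardened password policy listed above and the REST user-agent whitelist to candidate values, so you can see which passwords the hardened service would accept and why a browser is turned away. It assumes that "symbol" means an ASCII punctuation character and that the whitelist regex must match the whole User-Agent value.

```python
import re
import string

# The hardened defaults as listed above (constructed from the page's key/value
# list); the keys are NetWitness config paths, the checker is an added example.
HARDENED_POLICY = {
    "/users/config/account.lockout.time": 60,
    "/users/config/password.alpha.lowercase.min": 1,
    "/users/config/password.alpha.uppercase.min": 1,
    "/users/config/password.length.min": 8,
    "/users/config/password.numeric.min": 1,
    "/users/config/password.symbol.min": 1,
}
USER_AGENT_WHITELIST = r"Apache-HttpClient/\d\.\d\.\d"


def password_violations(password, policy=HARDENED_POLICY):
    """Return the password.* keys the candidate fails; an empty list means accepted."""
    p = "/users/config/password."
    counts = {
        p + "length.min": len(password),
        p + "alpha.lowercase.min": sum(c.islower() for c in password),
        p + "alpha.uppercase.min": sum(c.isupper() for c in password),
        p + "numeric.min": sum(c.isdigit() for c in password),
        # Assumption: "symbol" means any ASCII punctuation character.
        p + "symbol.min": sum(c in string.punctuation for c in password),
    }
    return [key for key, have in counts.items() if have < policy.get(key, 0)]


def user_agent_allowed(user_agent, whitelist=USER_AGENT_WHITELIST):
    """Assumption: the whitelist regex has to match the entire User-Agent value."""
    return re.fullmatch(whitelist, user_agent) is not None
```

Note that, when anchored, `\d\.\d\.\d` only admits single-digit version components; whether the service matches the pattern against the whole header or as a substring is not stated on this page.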

The caveat for changing the default user account is that there cannot be an already existing configuration file. This is always true the first time the service is run or before the service is licensed. To harden a service, you must run it before a configuration is written or delete whatever configuration file exists and then harden.

To alter the command line of a service that writes its own upstart script, without SSHing into the box and modifying the script, you can pass a new parameter called "cl" (for command line) to either the /sys shutdown or the /decoder reset command (substitute the actual service name for decoder). Pass name=value pairs in the "cl" parameter; they take effect on the next restart of the service.

Example:

/sys shutdown reason="Restart because license was applied" cl="harden=true defaultUsername= defaultPassword= "

The above command shuts down the service (which should be restarted by Linux upstart) and the command line parameters will be applied on the restart. This command line exactly matches the command line given above for the decoder service. If you want to do a configuration reset, you can use the following:

/broker reset config=true cl="harden=true defaultUsername= defaultPassword= "

This will delete the broker configuration file and create a new default configuration that is automatically hardened with the given default account and credentials. The admin account will not exist when the broker restarts, only the account exists.

NFS Access Controls

By default, the NFS mounts are wide open. To lock them down to a specific address, you must edit the exports file and specify the IP addresses that are allowed to interact with the SAW.

The SAW NFS service is managed from the command line using mapr-nfsserver.

[root@saw-node1 ~]# service mapr-nfsserver
Usage: /etc/init.d/mapr-nfsserver {start|stop|status|restart|}
[root@saw-node1 ~]# service mapr-nfsserver status
nfsserver (pid 5692 5691) is running...
[root@saw-node1 ~]#

If nfs-utils is installed on the node, you can execute a showmount on the localhost to see the exposed exports.

[root@saw-node1 ~]# showmount -e localhost
Export list for localhost:
/mapr *
/mapr/saw *
[root@saw-node1 ~]#

Exports are controlled using the exports file in the /opt/mapr/conf directory.

[root@saw-node1 ~]# cat /opt/mapr/conf/exports
# Sample Exports file
# for non /mapr exports
#
# for /mapr exports
#
#access_control -> order is specific to default
# list the hosts before specifying a default for all
# a.b.c.d,1.2.3.4(ro) d.e.f.g(ro) (rw)
# enforces ro for a.b.c.d & 1.2.3.4 and everybody else is rw
# special path to export clusters in mapr-clusters.conf. To disable exporting,
# comment it out. to restrict access use the exports_control
#
/mapr (rw)
#to export only certain clusters, comment out the /mapr & uncomment.
# Note: this will cause /mapr to be unexported
#/mapr/clustername (rw)
#to export /mapr only to certain hosts (using exports_control)
#/mapr a.b.c.d(rw),e.f.g.h(ro)
# export /mapr/cluster1 rw to a.b.c.d & ro to e.f.g.h (denied for others)
#/mapr/cluster1 a.b.c.d(rw),e.f.g.h(ro)
# export /mapr/cluster2 only to e.f.g.h (denied for others)
#/mapr/cluster2 e.f.g.h(rw)
# export /mapr/cluster3 rw to e.f.g.h & ro to others
#/mapr/cluster2 e.f.g.h(rw) (ro)
[root@saw-node1 ~]#

To restrict the SAW exports to a certain IP address or group of IPs, you must first edit the exports file and then restart the mapr-nfsserver service.

[root@saw-node1 ~]# vi /opt/mapr/conf/exports
[root@saw-node1 ~]# cat /opt/mapr/conf/exports | grep ^/mapr
/mapr 10.42.1.87(rw)
[root@saw-node1 ~]# showmount -e localhost
Export list for localhost:
/mapr *
/mapr/saw *
[root@saw-node1 ~]# service mapr-nfsserver restart
[root@saw-node1 ~]# showmount -e localhost
Export list for localhost:
/mapr 10.42.1.87
/mapr/saw 10.42.1.87
[root@saw-node1 ~]# mount -t nfs -o nolock,tcp localhost:/mapr/saw /saw
mount.nfs: access denied by server while mounting localhost:/mapr/saw
[root@saw-node1 ~]#

Note: Trying to mount the export on localhost fails because only the specified host IP is now allowed to use the NFS mount.
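The following is an added example (not MapR or NetWitness code) that parses the exports file format described in the sample file's comments and works out what access a given client IP gets, so you can check an edited exports file before restarting mapr-nfsserver. It assumes entries are whitespace-separated, that a "(mode)" suffix applies to the whole comma-separated host group before it, and that a bare "(mode)" is the default for everybody else; the sample file it parses is constructed.

```python
import re

# Assumption: entries on an export line are whitespace-separated; each entry is a
# comma-separated host list with an optional "(mode)" suffix that applies to the
# whole group, and a bare "(mode)" is the default for everybody else.
_TOKEN = re.compile(r"^([^(]*)(?:\(([a-z]+)\))?$")

# Constructed sample: the shipped default, the restricted line from the procedure
# above, and the access-control example from the sample file's comments.
SAMPLE_EXPORTS = """\
# comment lines are ignored
/mapr/open (rw)
/mapr/saw 10.42.1.87(rw)
/mapr/mixed a.b.c.d,1.2.3.4(ro) d.e.f.g(ro) (rw)
"""


def parse_exports(text):
    """Map each exported path to (host-specific rules, default mode or None)."""
    exports = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments and blanks
        if not line:
            continue
        path, *entries = line.split()
        rules, default = [], None
        for entry in entries:
            tokens = []
            for tok in entry.split(","):
                m = _TOKEN.match(tok)
                if not m:
                    raise ValueError(f"malformed entry {tok!r} on line {line!r}")
                tokens.append((m.group(1), m.group(2)))
            group_mode = tokens[-1][1]                # "a,b(ro)" applies ro to a and b
            for host, mode in tokens:
                mode = mode or group_mode
                if mode is None:
                    raise ValueError(f"no access mode for {host!r} on line {line!r}")
                if host:
                    rules.append((host, mode))
                else:
                    default = mode                    # bare "(rw)": everybody else
        exports[path] = (rules, default)
    return exports


def access(exports, path, client_ip):
    """'rw', 'ro' or None (denied); a host-specific rule beats the default."""
    rules, default = exports.get(path, ([], None))
    for host, mode in rules:
        if host == client_ip:
            return mode
    return default
```

With the restricted line from the procedure, access("/mapr/saw", "127.0.0.1") returns None, which is the "access denied by server" the mount attempt above shows.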
