Securing and hardening SIEM appliance and OS

Hi, greetings. We were informed that our purchased SIEM appliance was installed with a Linux-based OS, which is CentOS. We also have ePolicy Orchestrator to manage workstations and servers, and when sorting out the system tree we found out that the SIEM was listed and managed there. There are several questions we want to ask for clarification:

  1. When we tried to enforce a newer version installation on the SIEM via ePO, it did not work. Why?
  2. We tried to push a Linux-based security platform module onto the appliance via ePO, but it also did not work.

Does the SIEM appliance not need to be installed with an additional protection layer, or is it already secured? If it should be possible to do the above procedure, please guide us. Thanks
2 Replies
McAfee Employee

Re: Securing and hardening SIEM appliance and OS

Hi,

Sometimes, you might want to install your own Red Hat Package Manager (RPM) packages, or make other changes to the SIEM Appliance. 

IMPORTANT: Installing third-party software can undermine the security of the system and open it up to exploits and instability. If you do not fully understand the consequences of installing and using third-party software products on your SIEM Appliance, McAfee strongly recommends that you speak with your System Administrator or a Linux/Unix expert.
Recommended best practices for the security and stability of the SIEM system are to avoid changing the system and avoid operating the system outside of the graphical user interface. Normal product operation and configuration are performed strictly through the graphical user interface. There is no circumstance where installing third-party software on the appliance is warranted.

It is not advisable to use the SIEM product as a repository, FTP server, or NFS share. In addition, McAfee does not advise the use of other functions that require command-line or root-level access to the system. Essentially, if it is not possible to do something from the graphical user interface, it is not to be done on the SIEM.

NOTE: As a security appliance, the environment in which the SIEM operates must be secured against exploits and attacks. To help achieve a secure environment, the product operates with a strict firewall. It regularly performs integrity checks to make sure that no third-party software has been installed. If invalid RPM packages or software is detected, the system produces an alarm accompanied by a red flag.

For more details, see the SIEM third-party software policy KB article KB82505:

https://kc.mcafee.com/corporate/index?page=content&id=KB82505

In case the above information was useful or answered your question, please select "Accept as Solution" in my reply, or give a Kudo. Thanks!
McAfee Employee

Re: Securing and hardening SIEM appliance and OS

The Linux back-end in SIEM appliances is not CentOS based; it is a custom Linux build, and therefore packages generally written for other distributions are unlikely to work. The SIEM appliances are configured with a relatively high level of security on them already.

You can further improve this security by:

  1. Properly configuring the Access Control List (this limits the IP addresses permitted to log in to the SIEM via the UI or SSH)
  2. Enabling the appropriate options for password security for your organisation and following these - with special attention to the NGCP password as this is also the root password for the ESMs
  3. Ensuring the SIEM has an appropriate DNS lookup and creating a UI certificate with a Subject Alternative Name that only includes the SIEM.
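Item 3 in the list above is the one hardening step that can be prepared entirely off the appliance, so here is an added example (not from the original post, not McAfee's code, and not run on the SIEM itself): a POSIX shell script that generates a key and CSR whose Subject Alternative Name contains only the SIEM's own hostname, plus a check that rejects a certificate whose SAN also covers other names or a wildcard. The hostname siem.example.internal, the working directory and all function names are placeholders. The CSR is signed by your own CA and the issued certificate is installed through the SIEM UI, which is where the thread says configuration belongs; the self-signed certificate in the script exists only to exercise the check.

```shell
#!/bin/sh
# Added example: not from the original thread and not McAfee's code.
# Runs on an admin workstation with openssl; nothing here touches the
# appliance. siem.example.internal is a placeholder hostname.
set -eu

WORK="${WORK:-$(mktemp -d)}"
SIEM_FQDN="${SIEM_FQDN:-siem.example.internal}"   # placeholder, assumption

# Write an OpenSSL request config whose subjectAltName holds exactly the
# DNS names given as arguments ($1 = config path, $2.. = DNS names).
write_req_config() {
  cfg="$1"; shift
  sans=""
  for n in "$@"; do
    sans="${sans:+$sans,}DNS:$n"
  done
  cat > "$cfg" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = ext
x509_extensions = ext
[dn]
CN = $1
[ext]
subjectAltName = $sans
EOF
}

# Key + CSR for the SIEM UI: the SAN names the SIEM and nothing else.
# Prints the CSR path. Send the CSR to your CA; keep siem.key private.
make_siem_csr() {
  fqdn="$1"; out="$2"
  write_req_config "$out/siem.cnf" "$fqdn"
  openssl req -new -newkey rsa:2048 -nodes -config "$out/siem.cnf" \
    -keyout "$out/siem.key" -out "$out/siem.csr" 2>/dev/null
  printf '%s\n' "$out/siem.csr"
}

# Self-signed cert with an arbitrary SAN list, used only to demonstrate
# the check below ($1 = dir, $2 = basename, $3.. = DNS names). Prints path.
make_selfsigned_cert() {
  out="$1"; name="$2"; shift 2
  write_req_config "$out/$name.cnf" "$@"
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 \
    -config "$out/$name.cnf" -keyout "$out/$name.key" \
    -out "$out/$name.crt" 2>/dev/null
  printf '%s\n' "$out/$name.crt"
}

# SAN entries of a CSR ($1 = csr) or certificate ($1 = cert), one per
# line, e.g. "DNS:siem.example.internal".
san_entries() {
  if [ "$1" = csr ]; then cmd=req; else cmd=x509; fi
  openssl "$cmd" -in "$2" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n 1 \
    | tr ',' '\n' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//'
}

# Succeeds only if the SAN is exactly DNS:<fqdn>: no extra hosts, no
# wildcard, no IP entries. ($1 = fqdn, $2 = csr|cert, $3 = file)
san_is_exclusive() {
  [ "$(san_entries "$2" "$3")" = "DNS:$1" ]
}

# Demo: the SIEM CSR passes; a cert that also covers a wildcard is rejected.
csr="$(make_siem_csr "$SIEM_FQDN" "$WORK")"
san_is_exclusive "$SIEM_FQDN" csr "$csr" && echo "CSR ok: $(san_entries csr "$csr")"
broad="$(make_selfsigned_cert "$WORK" broad "$SIEM_FQDN" "*.example.internal")"
san_is_exclusive "$SIEM_FQDN" cert "$broad" \
  || echo "rejected, SAN too broad: $(san_entries cert "$broad" | tr '\n' ' ')"
```

Run san_is_exclusive against the certificate your CA returns before uploading it: a CA template that silently adds a wildcard or the organisation's other hostnames is exactly what the "only includes the SIEM" advice is guarding against, and the check fails on any entry other than the SIEM's own DNS name.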