Hi, greetings. We were informed that our purchased SIEM appliance was installed with a Linux-based OS, which is CentOS. We also have ePolicy Orchestrator to manage workstations and servers, and when sorting out the system tree we found that the SIEM was listed and managed there. There are several questions we want to ask for clarification: 1. When we tried to enforce a newer version installation on the SIEM via ePO it did not work. Why? 2. We tried to push some Linux-based security platform modules onto the appliance via ePO, but that also did not work. Does the SIEM appliance not need an additional protection layer, or is it already secured? If it should be possible to do the above procedures, please guide us. Thanks
Sometimes, you might want to install your own Red Hat Package Manager (RPM) packages, or make other changes to the SIEM Appliance.
IMPORTANT: Installing third-party software can undermine the security of the system and open it up to exploits and instability. If you do not fully understand the consequences of installing and using third-party software products on your SIEM Appliance, McAfee strongly recommends that you speak with your System Administrator or a Linux/Unix expert. Recommended best practices for the security and stability of the SIEM system are to avoid changing the system and avoid operating the system outside of the graphical user interface. Normal product operation and configuration are performed strictly through the graphical user interface. There is no circumstance where installing third-party software on the appliance is warranted.
It is not advisable to use the SIEM product as a repository, FTP server, or NFS share. In addition, McAfee does not advise the use of other functions that require command-line or root-level access to the system. Essentially, if it is not possible to do something from the graphical user interface, it should not be done on the SIEM.
NOTE: As a security appliance, the environment in which the SIEM operates must be secured against exploits and attacks. To help achieve a secure environment, the product operates with a strict firewall. It regularly performs integrity checks to make sure that no third-party software has been installed. If invalid RPM packages or software are detected, the system produces an alarm accompanied by a red flag.
For more details, see the SIEM third-party software policy KB article KB82505.
The Linux back-end in SIEM appliances is not CentOS based; it is a custom Linux build, and therefore packages written for other distributions are generally unlikely to work. The SIEM appliances are already configured with a relatively high level of security.
You can further improve this security by:
Properly configuring the Access Control List (this limits the IP addresses permitted to log into the SIEM via the UI or SSH)
Enabling the appropriate options for password security for your organisation and following these - with special attention to the NGCP password as this is also the root password for the ESMs
Ensuring the SIEM has an appropriate DNS lookup and creating a UI certificate with a Subject Alternative Name that only includes the SIEM.
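The SAN point above, as an added shell example that is not McAfee's tooling or the poster's own: it produces a certificate whose Subject Alternative Name holds only the SIEM's FQDN and checks a PEM certificate's SAN before it is uploaded to the UI. The hostname siem.example.internal, the temp paths and the use of a self-signed certificate in place of a CA-issued one are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not McAfee's tooling): build a UI certificate whose SAN lists
# exactly one name, then verify a PEM certificate's SAN before uploading it.
# The hostname, paths and self-signed cert are assumptions for illustration.
set -eu

SIEM_FQDN="${SIEM_FQDN:-siem.example.internal}"   # assumed placeholder FQDN
WORKDIR="$(mktemp -d)"

# Generate a key and a self-signed cert (stand-in for the CA-issued UI cert)
# whose SAN contains only the SIEM's own FQDN; prints the cert path.
make_siem_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$WORKDIR/siem.key" -out "$WORKDIR/siem.crt" \
        -subj "/CN=$SIEM_FQDN" \
        -addext "subjectAltName=DNS:$SIEM_FQDN" >/dev/null 2>&1
    echo "$WORKDIR/siem.crt"
}

# Print the SAN entries of a PEM certificate, one per line (e.g. "DNS:host").
# The first output line of -ext is the extension title, so it is dropped.
san_entries() {
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
        | tail -n +2 | tr ',' '\n' | sed 's/^[[:space:]]*//' | grep -v '^$'
}

# Return 0 only if the SAN holds exactly one entry and it is the SIEM's FQDN;
# a cert that also names other hosts (shared wildcard, load balancer) fails.
san_only_siem() {
    entries="$(san_entries "$1")"
    [ "$(printf '%s\n' "$entries" | wc -l)" -eq 1 ] && [ "$entries" = "DNS:$2" ]
}

if [ "${1:-}" = "demo" ]; then
    crt="$(make_siem_cert)"
    san_entries "$crt"
    san_only_siem "$crt" "$SIEM_FQDN" && echo "SAN OK: only $SIEM_FQDN"
fi
```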