SevOne Data Platform Security Guide

About

This manual is intended to describe the SevOne NMS Security features, recommended configurations, default settings, additional options & how to change them, and best practices to harden SevOne NMS appliances and SevOne Data Insight without compromising the ability of the system to perform its business functionality.

Important: SevOne software is fine-tuned to speed at scale. If the customer's administrator / security team member makes modifications to the software or installs any agent technology on SevOne / Virtual appliances, it may result in an unknown impact to the performance of the appliance. SevOne Support will be able to assist only after the modifications made to the software by the customer are removed and any agent technology installed, is uninstalled. External scans such as Nessus, Synk, etc. are acceptable.
Important: SevOne NMS 6.7.0 has moved MySQL to MariaDB 10.6.12.
Important: SevOne NMS 6.8 release has migrated the operating system from CentOS 8 Stream to Red Hat Enterprise Linux (RHEL) 8.9.
Note: Terminology usage...

In this guide if there is,

  • [any reference to master] OR
  • [[if a CLI command contains master] AND/OR
  • [its output contains master]],
    it means leader.

And, if there is any reference to slave, it means follower.

Deployment

Network Location

SevOne NMS is targeted for use in internal and trusted network deployment. SevOne strongly recommends that you do not expose your cluster on an open internet. SevOne also recommends that you deploy the appliances close to the monitored devices. If you choose to purchase an HSA, it is recommended to be close to its primary appliance.

Exposing SevOne NMS in the open Internet may pose significant security risk to your organization!

Required Ports

SevOne cluster has sophisticated communication schema and relies on multiple required ports. Please refer to SevOne NMS Port Number Requirements Guide for a list of used ports. SevOne has clients that disable part of those ports, but this should be done with caution - only disable ports when you are certain that you do not use the functionality it serves and it does not compromise on security.

Firewall

SevOne appliances have disabled firewall process by default. For maximum security, SevOne recommends that you enable this and configure for all standard and custom ports that your appliance uses. You can find detailed instructions on how to configure your firewall in the SevOne NMS Installation Guide. Additionally, you can contact SevOne Support to provide further guidance and assistance.

SSL Certificate

SevOne NMS appliance is delivered with a self-signed SSL certificate as Apache/Nginx will not start otherwise. Using Certificate Authority, you must immediately replace the certificate with the real one. For details, please refer to Generate a Self Signed Certificate or a Certificate Signing Request guide. You may contact SevOne Support for assistance with the installation of the certificate, if needed. Once SSL is enabled, default configuration of Apache/Nginx will accept TLS v1.2 only. However, you may configure it to use TLS v1.3 as well.

SSL Security Level

OpenSSL is the SSL library used by SevOne NMS. SSL defines a security level setting (SECLEVEL) that determines the required strength of the signing algorithms used for keys. As of SevOne NMS 6.1 release, the SECLEVEL has increased from 1 to 2, restricting the accepted key signing algorithms from what was accepted previously.

The minimum accepted key length for SECLEVEL 2 is 2048 bits. The following are the accepted key signing algorithms.

  • RSA+SHA512
  • ECDSA+SHA512
  • RSA+SHA256
  • RSA+SHA384
  • RSA+SHAl:EC
  • DSA+SHA256
  • ECDSA+SHA384
  • ECDSA+SHA1
  • DSA+SHAI

SSL negotiation fails if you are using a less secure key signature algorithm. In this case it is suggested to regenerate the keys under one of the supported SECLEVEL 2 algorithms. However, if this is not possible, the configured SECLEVEL can be lowered to 1, but please be aware that this will result in less secure SSL handshakes.

To lower the SECLEVEL to 1 for a single appliance, please execute the steps below.

  1. SSH to your SevOne NMS appliance.
    $ ssh root@<NMS appliance>
  2. Enter into the NMS container.
    $ podman exec -it nms-nms-nms /bin/bash
  3. Using a text editor of your choice, edit /etc/crypto-policies/back-ends/opensslcnf.config file.
    $ vi /etc/crypto-policies/back-ends/opensslcnf.config
  4. Replace SECLEVEL for variable CipherString from SECLEVEL=2 to SECLEVEL=1.
    From...
    CipherString = @SECLEVEL=2:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:-aDSS:-3DES:!DES:!RC4:!
    RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8
    To...
    CipherString = @SECLEVEL=1:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:-aDSS:-3DES:!DES:!RC4:!
    RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8
  5. Save /etc/crypto-policies/back-ends/opensslcnf.config file.
    Note: Any new SSL handshakes initiated by OpenSSL will now use the updated SECLEVEL.

HTTPS Only

By default, Require HTTPS is disabled on the SevOne NMS appliance. You are strongly advised to enable the Require HTTPS option in Cluster Manager > Cluster Settings > Security.

Important: Require HTTPS option is only available when you are logged on via https. This option requires secure connection for all dynamic content.

This will force connections to the server via https protocol only and redirect all other attempts to https. It will also enable HTTP Strict Transport Security (HSTS), a mechanism that websites use to declare themselves accessible only via secure connections.

For improved security, SevOne recommends redirecting and rewriting the URLs that attempt to connect to the server via insecure protocol. Please contact SevOne Support to guide you through the process and/or assist in configuring the client appliance, if required.

You will now not be able to connect to the SevOne NMS appliance or the NMS REST API via simple HTTP call.

SSL Certificates for REST API

There is some functionality that requires REST APIs between the peers to communicate with each other. By default, REST API skips to validate the certificates of the other appliances when calling their REST API services. Enable the Rest API Validate by Certificates checkbox from Cluster Manager > Cluster Settings > Security to stop all untrusted calls. An inter-peer request will fail if it is not signed with a certificate from a valid Certificate Authority or if the certificate is not added to the java keystore of the appliances. Please make sure that you have added the SSL certificate in the trusted key for each peer. This can be done via:

  1. Add the root certificate to the trust store of every peer (trust anchor /path/to/rootCA.crt)
  2. Restart the REST API for each peer (svctl restart SevOne-restapi)

Add Root Certificate (and Chain)

To add root certificate (and chain) to the operating system trust store, execute the following command.

Example

$ SevOne-act add-certificates --file /path/to/cert.crt

User Management

Authorization

SevOne NMS relies on a built-in Role Based Access Control (RBAC) model. SevOne offers full capability to define and inherit User Roles. These roles enable granular control to grant/revoke permissions to access system functionality and/or data.

Users are assigned one or more user roles. There is also a mapping between LDAP groups and NMS roles.

The NMS roles can be granted or revoked permissions to:

  • See specific NMS UI pages
  • Access the SOAP and/or REST APIs
  • Perform specific set of administrative actions in the system
  • View and/or manage Device Groups
  • View and/or manage concrete Devices
  • View and/or manage other Users and User Roles

Authentication

Generally, users of the system fall into two different categories:

  • Need access to the application
  • Need access to the Operating System of the SevOne NMS appliance

If you need access to the NMS application then, you can authenticate in one or more of the following ways:

  • SevOne Local authentication (by default)
  • Using external system (recommended to integrate external system/s). SevOne products currently support integration via LDAP/Active Directory user credentials

SevOne encourages you to configure the system to provide authentication via an external system (LDAP/Active Directory). You can manage servers from Administration > Access Configuration > Authentication Settings. SevOne recommends you to always use secure LDAP with SSL or TLS certificate.

It is a best practice to keep one or more administrative accounts authenticated via SevOne Local method. It will be available if the external authentication systems are unavailable or their connections need to be repaired. By default, the NMS appliance is shipped with one administrative account, admin, for the Web application. 'admin' is the only user that has the role of a System Administrator. Upon initial installation, you are required to change the password for this account.

Local login is recommended for simple deployments and POV projects. This method allows management of user accounts, enforcing complex passwords, keeping password history, forcing users to change passwords for their age, repetition, or any other reason.

Device Information Encryption using AES256

For security reasons, along with user credentials, tables containing sensitive information for the devices being monitored along, are encrypted using AES256 encryption.

Important: Encryption was introduced in SevOne NMS 5.7.2.7 release. For this, MySQL was updated to version 5.7.24 to add encryption for data at-rest to secure user data. To check MySQL version, SSH to your NMS appliance as root and run command SevOne-show-version.
MySQL Tables Encrypted Internally
Users access_control.user
access_control.userrole
Devices net.deviceinfo
net.netflowdeviceinfo
Metadata net.metadata_attribute
net.metadata_namespace
net.metadata_map
local.metadata_map
local.device_object_metadata
Others net.peers
net.policy_webhooks
local.flowfalconaggregationtemplate
local.netflowdirection
local.netflowinterface
local.netflowoptionstemplate
local.netflowsourcetemplate

Credential Encryption

For security reasons, all credentials in the NMS database are encrypted when stored. This means that every plugin that needs to store authentication credentials, FTP server settings, SFTP passwords, SNMP community strings, etc in the database has to encrypt them on insertion and decrypt them on retrieval using reversible encryption.

Obtaining access to the sensitive database records would mean an attacker has already got access to the machine and the encryption key too. Improvements have been made to the database level. Usage of methods like SevOne::addDevice() or Device::getDevices() are transparent and there should be no change in the way you use these methods (as the encryption is handled by these methods). Everywhere inside the codebase of the NMS you should still be relying on the plain text values of all credentials.

However, if you need to query the database manually, for instance in the C/C++ backend, you should be aware of encrypted values. This affects the following:

Query Encrypted Value(s)
net.wmiproxy
  • encryption_password
net.wmideviceinfo
  • username
  • password
net.deviceinfo
  • ro_community
  • rw_community
  • authentication_username
  • authentication_passphrase
  • encryption_passphrase
net.device_candidates
  • snmp_ro_string
  • snmp_rw_string
  • snmp_username
  • snmp_auth_password
  • snmp_encryption_password
local.device_database
  • username
  • password
net.nam_deviceinfo
  • username
  • password
net.vmwaredeviceinfo
  • username
  • password
net.backupservers
  • user
  • passwd
net.bulkdata_sources
  • username
  • password
net.ldapsettings
  • bind_DN
  • bind_password
net.mount_points
  • username
  • password
net.callmanagerdeviceinfo
  • username
  • password
net.callmanagercdrdeviceinfo
  • sftp_username
  • sftp_password
net.ftp_servers
  • user
  • passwd

Session Management

Repeated failed login attempts results in account suspension.

The NMS administrator can define whether concurrent sessions by same user are allowed. If not allowed, upon new login by the same user credentials, the older session is terminated. By default, Cluster Manager > Cluster Settings > Login > Allow Concurrent User Sessions is enabled. It is recommended that this field is disabled.

The administrator can monitor and manage active user sessions from Administration > Access Configuration > Session Manager. When a suspicious activity is identified, a user session can be manually suspended by the administrator. . A notification is sent to the user, they are disconnected and redirected to the login screen.

Force Login

By default, Allow Forcelogin is enabled.SevOne recommends that you should not select the Allow Forcelogin check box from Cluster Manager > Cluster Settings > Security. This will prevent you from accessing SevOne NMS via the forcelogin.php script.

There are several other utilities available (however, not explicitly documented here) from Cluster Manager > Cluster Settings > Security to ensure the security of your cluster and its users. Please refer to SevOne NMS System Administration Guide, section Cluster Manager for additional options.

Audit Logging

SevOne NMS also supports generation of audit logs for important domain events, including security relevant administrative and system actions. By default all domain events are enabled and it is recommended that you should not disable them. However, if any domain event needs to be toggled, it can be done from Cluster Manager > Cluster Settings > Logging.

The list of actions to be logged is configurable by the system administrator via the application user interface. The system provides contextual details for the event - synchronized cluster timestamp, hostname / IP, system user that is triggering the event. Depending on the event type, the system logs further details (event specific) about the commands and result of the action.

By default, the logs are collected on the appliance. However, it is recommended that you forward the logs via syslog, optionally TLS enabled, to an external destination, using an external audit server to keep separate and allow robust operations on log files. It is possible for logs to grow too big in size and get harder to operate on. It is unlikely that the size of the log would impact the peer performance as there is a significant buffer. This can be done from Cluster Manager > Cluster Settings > Syslog.

Note: Audit logs are limited to 20MB with a maximum of 5 rotated files.

Appliance Administration

OS User Credentials

The SevOne cluster has some features that require remote access between peers to be performed by the root user. Some customers have configured the SevOne cluster to prevent root from being a login user and while the majority of the functionality continues to work as intended, some features simply do not operate. SevOne does not recommend disabling it at this time and cannot guarantee proper cluster operations in this case.

The password to the root user is unique for each client - randomly generated when the box is shipped. The client administrators are given the generated password but they are advised to change the password as soon as they receive their appliance(s). To change the password, login as root and execute the command, passwd. Please respond to the prompt to enter the new password.

Login as 'root'

login as: root
Using keyboard-interactive authentication.
Password:
Note: The new password must be at least 8 characters long.

Command to change password

$ passwd
Changing password for user root.
New password:

It is highly recommended to not use the root user for normal login. There is a special admin user that is available for system administrators. The password for this user must be changed immediately after the client receives the appliance (it is forced on first login). Clients must keep this password secure and not share it with anyone outside of their organization - this includes SevOne Support, Expert Labs, or Upgrade teams the user may be working with. To add the admin user as a sudo user, the following steps must be performed.

  1. Login as root.
    $ ssh root@<NMS appliance>
  2. Execute the following command to modify the client's admin account.
    $ usermod -aG wheel admin
  3. Run the visudo command to edit the sudoers file, which is used by the sudo command. Update secure_path in the Defaults section.
    $ visudo
    Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/bin:\
    /usr/local/sbin:/usr/sbin:/usr/local/scripts:/opt/dell/srvadmin/bin:\
    /home/admin/.local/bin:/home/admin/bin

SevOne employees do not have any known credentials to access appliances. If assistance is needed, SevOne can guide you through configuration, diagnostics, etc. If needed, you could provide them temporary access to the appliances by sharing the credentials. After the support case is completed, please change the passwords to keep unique and secret credentials. You may have a dedicated user to use for external access. SevOne recommends that you keep such accounts SSH disabled and only allow when you expect SevOne Support would need access to the machine. Account should be disabled after the case is resolved.

There is one more SSH allowed user in the NMS system - the support user. By default, the password is supportuser. You will be prompted and required to change the support user password. Enter the new password when prompted.

Further details about the users and initial set up, how to change the root, admin, or support user passwords, etc. post the initial set up, please refer to SevOne NMS Installation Guide.

There are standard requirements for password strength for all OS SSH users. Password must be longer than 15 characters, mixed case, special chars, numeric, etc. The passwords are hashed in 41 bytes.

DB Credentials

SevOne offers a utility to allow changes in the credentials for the database users. SevOne strongly recommends clients to change their database credentials when they receive the appliance. SevOne Support can assist you with the process.

You have an option Require Strong Passwords for mysql users to enable complex password policy. By default, this option is disabled but it is recommended that you enable it. This is available from Cluster Manager > Cluster Settings > Security. Select the Require Strong Passwords for mysql users check box to enforce the complexity of MySQL user passwords. The minimum length of the MySQL password must be at least 14 symbols long, contain at least one special character +-_@[]:,.%, at least one number, at least one UPPERCASE letter, and at least one lowercase letter. The valid characters are a-z, A-Z, 0-9, +-_@[]:,.%. An example of a valid password: 8s0H43o@7]o%p3. If the current MySQL password does not meet this requirement, it will be change the password to a random, compliant password.

Change MySQL User Credentials

SevOne NMS uses the MySQL database for storing the NMS configuration, NMS user authentication, device configuration and device poll data information. By default, the MySQL root user is set with an empty password. It is recommended that you change the password of the MySQL root user in SevOne NMS.

SevOne-change-mysql-password command is used to update the NMS appliance's MySQL administrative user's username and/or password.

If the appliance is in an HSA pair, this must be run on the active appliance and the passive appliance in this pair will update automatically. However, this command will not automatically update other appliances in the cluster with the same username and password change. This procedure needs to be run on all Active appliances in the cluster individually. The NMS MySQL default user is root.

Note: Executing SevOne-change-mysql-password command will restart the SevOne NMS services - it is highly recommended that you proceed with caution as there may be a small possibility of data loss due to the daemon's restarting and missing polls that were in progress. Any data that is already collected will not be lost.

Example

$ SevOne-change-mysql-password --username "NEW_USERNAME" --password "NEW_PASSWORD"

--username (Required) Rename the current username to this
--password (Required) Change the password to this value

The following are valid characters:
a-z, A-Z, 0-9, +-_@[]:,.%

To run this procedure for all Active Appliances in the cluster as a single command, first set the password as a shell variable and then execute the command as shown below. This command must be executed from the Cluster Leader Active appliance.

Note: The password to be set in the following example is Welcome@123456789. Set variable MYPASSWORD with a strong password.

Example

$ MYPASSWORD='Welcome@123456789';

$ for IP in $(mysqlconfig -BNe 'select ip from peers;'); \
do echo "Executing on $IP"; \
ssh $IP "SevOne-change-mysql-password \
--username root --password $MYPASSWORD"; done

Identify your current NMS identity and IP.

$ SevOne-peer-whoami
=== My Peer info:
--- ID: 1
--- Name: pandora-01
--- IP: 10.129.14.168

Using the MySQL client, connect to the IP address returned above (for example, 10.129.14.168) from any appliance in the cluster. You will be prompted for the password. Enter the new password as set in the example (Welcome@123456789). If you used a username other than root, you can change to the correct username as shown in the command below. Successful completion of the command will bring you to the MySQL prompt. You should be logged in and be able to execute the MySQL queries.

$ mysql -h 10.129.14.168 -P 3307 net -u root -p

Enter password:
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 6151
Server version: 5.6.40-enterprise-commercial-advanced-log MySQL Enterprise Server - Advanced Edition
(Commercial)
Copyright (c) 2000, 2022, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql>

mysql> exit
Bye

If there is an error with the password or it has not updated correctly, then you may get an error as shown below - you may need to run the procedure all over.

$ mysql -h 10.129.14.168 -P 3307 net -u root -p

Enter password:
ERROR 1045 (28000): Access denied for user 'root'@'pandora-01' (using password: YES)

Data & Configuration

Data at Rest

SevOne does not store or operate on any personal or confidential data for the users. SevOne only stores authentication data. All data used for authentication of users or integration with other systems is considered sensitive and is kept secured. The Cluster configuration and Device information are considered confidential and are also encrypted at rest. There are two types of encryption that SevOne uses to persist data:

  1. Passwords used to verify user identity - The application stores this data as a one-way hash and cannot decrypt it. All the passwords for local application users are stored in this manner.
    Important: The password hashing algorithm is strengthened by eliminating the external salt generation using the PASSWORD_BCRYPT algorithm, and increasing the cost factor to 14.
  2. Information that the application uses to connect to outside systems. Example: Credentials used for device access, SFTP passwords, LDAP bind account/password to sync the groups, etc. The application needs to be able to decrypt this information to perform its function. SevOne stores this data encrypted by using the stronger encryption technique in MySQL (AES256). For additional details, please see section Credential Encryption in this document.

Data in Motion

SevOne strongly recommends that the NMS system is not deployed on the open Internet and access is limited to authorized personnel only.

Data replication within the cluster is encrypted for both cluster configuration and high availability solution. During normal cluster operations, data is replicated from Cluster Leader Config to all peers Config. Additionally, each primary appliance replicates all its data to its secondary appliance (i.e., HSA). Also, there is authentication and encryption for all remote connections to the MySQL database for each peer. Only its local processes can access the database without encryption.

  • As a best practice, SevOne recommends to allowlist peers by restricting access in the cluster so that only peers can contact other peers. Since the appliance can be deployed where members may have a NAT firewall separating members, this is not configured by default.
  • For more security concerned clients, SevOne provides deployments where all traffic between the peers is encrypted using OpenVPN, an SSL/TLS-based VPN solution. However, this has performance impact on system operations.
Note: Example

If peers in the cluster communicate with each other by sending SSH commands, the SSH to the peers is allowed and restricted via combination of SSH keys and/or passwords.

At this point, most SSH commands need root level access.

SevOne is continuously decreasing the level of permissions needed to execute various commands and implementing the principles for least privileges.

Paths & Ciphers
SSH
Default
  • key exchange algorithm: diffie-hellman-group14-sha1
  • host key algorithm: ecdsa-sha2-nistp256
  • server->client cipher: aes128-ctr MAC: hmac-sha1 compression: none
  • client->server cipher: aes128-ctr MAC: hmac-sha1 compression: none

FIPS

  • key exchange algorithm: diffie-hellman-group14-sha1
  • host key algorithm: ecdsa-sha2-nistp256
  • server->client cipher: aes128-cbc MAC: hmac-sha1 compression: none
  • client->server cipher: aes128-cbc MAC: hmac-sha1 compression: none

SevOne-requestd

ZeroMQ CURVE encryption - Curve25519 elliptic curve encryption

MySQL

TLS 1.2 with rsa encryption (2048-bit public key), sha256 signature algorithm

Client Cipher
mysql cli client, c/c++, SevOne-ocd, soa ECDHE-RSA-AES128-GCM-SHA256
php, rest-api ECDHE-RSA-AES256-GCM-SHA384
replication system-default TLS 1.2 cipher

Kafka

TLS 1.2 with rsa encryption (2048-bit public key), sha256 signature algorithm, system-default TLS 1.2 cipher

REST API Live Maps

peers <-> Cluster Leader:443 (nginx will use its certificate configured at /secrets/nginx/nginx.crt), system-default TLS 1.2 cipher

Device Configuration in Motion

SevOne strongly recommends that you configure secure polling via SNMPv3 for all devices, where applicable. SevOne supports authentication (MD5, SHA, SHA-224, SHA-256, SHA-384, and SHA-512) and encryption (AES, AES192, AES192C, AES256, AES256C, 3DES, and DES) over SNMPv3. This is done by providing username, password and encryption key. Please refer to SNMP Quick Start Guide and/or section SNMP Plugin in SevOne NMS User Guide for details.

Note: System Administration Guide

Please refer to SevOne NMS System Administration Guide, section Cluster Manager for additional details.

Platform Security

SevOne appliances are complete solutions deployed with a full Linux, Apache/Nginx, MySQL, PHP (LAMP/LEMP) stack (NOTE: Apache or Ngnix depending on your SevOne NMS version). The SevOne Cluster grows through the deployment of new appliances and adding them to the cluster as peers.

OS and Third-party Packages

SevOne NMS 6.8 release has migrated the operating system from CentOS 8 Stream to Red Hat Enterprise Linux (RHEL) 8.9.

Kernel

SevOne's new deployments are not vulnerable to the dirty cow (CVE-2016-5195) attack. For maximum security, SevOne strongly advices our older clients to manually install and select the standalone package with the new kernel (4.9.X) that SevOne provides. For additional information and assistance, please contact SevOne Support.

Processes and Permissions

Some of the processes on the NMS appliance are running under their own user for separation of concerns and minimal permissions. Example: Apache/Nginx, MySQL, REST API, Redis, Kafka, etc. There are other processes that are still running as root user with full permissions. Where there are security concerns, SevOne is making an effort to convert such services to their own restricted users and groups and restrict their permissions and eliminate the use of the root user completely.

Some SevOne customers manually configure SevOne-daemons to run as non-root user. This change however, makes the appliances difficult to upgrade and maintain. SevOne does not recommend this configuration. For more details, please contact SevOne Support.

Important: SevOne appliances are not general usage applications. There are no use cases where a regular user (with lesser permissions) should use the box. Shell access to the appliance should be granted to the administrator only.

High Availability Solution

Each peer in a SevOne cluster can be peered with a Hot Standby Appliance (HSA) to provide real time backup and fault tolerance. In this configuration, the primary appliance will replicate all data it contains (configuration and polling) to the HSA. The HSA is then able to take over all duties of the primary appliance if it should happen to fail (due to hardware failure, power outage, loss of network connectivity, etc.). This includes polling, baselining, reporting, and also administrative functions of the cluster leader. HSA will turn on as soon as there is no connection to the primary PAS for more than x minutes (x = 10 minutes / 600 seconds by default, but this field is configurable).

The return from HSA back to the PAS is a manual activity as it requires merging the data of the two appliances.

HSA is just a precaution. SevOne have clients with HSA that have never been used. They have had years of stable operation.

Prevent XSS in Simple attachment

Due to backwards compatibility with legacy reports, by default, custom code in Simple reporting attachments is allowed. This means that any user who can edit a report, can potentially inject harmful code that would be executed when any other user views the report. In order to prevent this, Allow insecure code in Simple attachment check box from Cluster Manager > Cluster Settings > Security is available for SevOne NMS administrators to allow/disallow usage of custom code in the Simple attachments. By default, Allow insecure code in Simple attachment check box is enabled but SevOne recommends that this option should be disabled.

Important: This will prevent all users from entering custom widgets via Simple report attachments.

Force Same Origin Policy

By default, Force Same Origin Policy check box is enabled and it is recommended that this option should not be disabled. With the Force Same Origin Policy check box enabled, it prevents SevOne NMS from being loaded outside of the current domain. This includes portals and the use of the force login script to load SevOne NMS into an iframe from where a malicious user could log your activity. Note: If you clear this check box, the application security is lowered in a way that can prevent SevOne NMS from passing specific security scans. By selecting this check box, it enforces the Same Origin Policy (SOP) or allows you to configure a small list of allowed origins. Also, it will reduce attack surface and prevent CSRF attacks.

General Data Protection Regulation

The General Data Protection Regulation (GDPR) is a regulation on data protection and privacy for all individuals within the European Union (EU). It requires organizations to reform the way business operations are performed in order to meet increased standards of handling personal data. The GDPR aims primarily to give control to individuals over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. This regulation is not applicable to a particular software product (such as SevOne NMS), but it requires the organization using SevOne NMS to use best practices guidelines to keep the organization compliant and demonstrate accountability.

Any personal data subject to the GDPR regulation is all data that serves to uniquely identify a natural person, or revealing their racial or ethnic origin, political opinions, religious or philosophical beliefs, any biometric data, etc. Given this definition, SevOne NMS can operate without any Personally Identifiable Information (PII). However, it is a common practice for administrators to provide this type of data in order to keep user accounts and personal accountability for actions performed by their employees.

When using SevOne NMS user accounts, it keeps track of the user's given name, surname, email address, and username. You must make sure that your organization's operations are in compliance with GDPR.

SevOne NMS is only intended to be used by a select number of company employees. It does not offer self-registration. Due to this, it does not collect personal information directly from the users. Users must provide the details to the SevOne administrator for a user account to be created. SevOne NMS does not require any confirmation or validation of the legitimacy of this data, including the email address.

SevOne recommends all customers to establish policies and best practices to properly handle any personal data. Data Protection Officers must be appointed and trained to oversee the correct application of these practices.

Note: For SevOne appliance to operate, PII data is optional. The decision to store PII is at customer's own discretion.

Best Practices for SevOne NMS

Allow Users to Request Personal Data Collected

SevOne NMS administrator uses SevOne NMS > Administration > Access Configuration > User Manager or SevOne NMS' REST API to export all details regarding the user and provide it to them.

Data Portability

SevOne NMS' REST API works in a standard JSON data format i.e. readable text. Export of user data can be used to transfer the information.

Right to be Forgotten

Organizational policy must allow users to request to be forgotten. Upon receiving such a request, SevOne NMS administrator is obliged to delete the user account using SevOne NMS > Administration > Access Configuration > User Manager or SevOne NMS' REST API.

Breach Notification

When organizations become aware of the data breach, they are obligated to notify all affected users within the first 72 hours. Data breach is likely to result in a risk for the rights and freedoms of individuals. SevOne recommends that the SevOne NMS appliance is kept off the public internet. SevOne utilizes best industry practices to maintain services secure of data breach. SevOne NMS offers auditing, self-monitoring, and other options to support administrators to prevent or quickly identify such events. In an unlikely event this happens, SevOne recommends implementation of established policies. For example, inform all employees (system users) whose details have been compromised.

Audit Logs

After a user is deleted, there may be traces of their id or username for auditing purposes to keep track of specific actions which are critical for the correct operation of the system. For security reasons, this information is saved for a pre-defined period of time. The retention period is configurable using the syslog configuration and depends on the client's organizational policy. At the end of the retention period or when the log exceeds 100MB, the log is archived. There is a configurable age-out period which is set to one year by default. At the end of the age-out period, the logs are deleted.

The logs are used to ensure proper operation of SevOne NMS and to continue servicing other SevOne NMS users.

SevOne recommends that when a user decides to leave the system, the username and id are insufficient to uniquely identify a natural physical person. In cases where this is not possible, users must be notified that their identifier username would be kept a bit longer for auditing purposes. The exact policy and timeline for deleting this data must be shared.

In the scenario when the information is backed up to another location by the NMS administrator, there must be a policy in place to ensure that the user data is deleted immediately after the retention period has passed. Even when the logs are exported to an external system or backup server for further analysis, there must be a clear expiration policy in place.

IP Addresses

A static IP address can serve as an online identifier and is considered personal data when additional information such as real name, phone number, email address, etc. are also stored along with it. At this time, there is no precedent for enforcing the GDPR policy however, there are generally accepted best practices.

Note: If the user information has been removed with WebUserName, IP address becomes irrelevant and out of GDPR scope.
  • The dynamic IP address must not be considered personal data. Even if it is assumed that the ISP has a record of the user for this IP address, certain legal criteria must be satisfied prior to sharing the data. The client company must not have a way to uniquely identify the user.
  • The static IP address is more likely, but not 100%, guaranteed to allow identification of a natural person and can point to a device (physical or virtual). In combination with other details such as the applications used, usernames, etc., it can point to a concrete person with a satisfactory confidence level.

The data that SevOne NMS collects is not enough on its own to identify a user and must not be considered personal data. SevOne recommends that the clients must make sure that there is no other data in their organization that in combination with SevOne data, may be enough to identify a person. If the client has accounting or other data for their network users, this information must be kept separate from SevOne NMS data. At no point must this data be combined. There must be no users that have access to both products and allowed to make combined reports.

GDPR User Rights

  • Log into SevOne NMS > from the navigation bar, go to SevOne NMS > Administration > Access Configuration > User Manager.
  • Or, you may directly use SevOne NMS' REST API endpoints.
User Rights SevOne NMS > Administration > Access Configuration SevOne NMS REST API Notes
Right to be informed User Manager
  • GET /api/v2/users/mypreferences
  • GET /api/v2/users
  • POST /api/v2/users/filter

Helps the administrator find and extract the data types stored in the product.

Allows the client administrator to send the details to the end-user who is affected.

Right of access User Manager
  • GET /api/v2/users/{id}
If the customer provides access to the Personally Identifiable Information (PII) from SevOne NMS, the administrator must use this REST API endpoint to provide JSON export of the PII data.
Right to rectification User Manager
  • PATCH /api/v2/users/mypreferences
  • PATCH /api/v2/users/{id}

Users have the ability to change their details or request the administrator for the change.

Administrators have the ability to rectify and correct all PII data from SevOne NMS.

Right to erasure User Manager
  • DELETE /api/v2/users/{id}
From User Manager, customer has the ability to rectify and correct PII data from SevOne NMS.
Right to restrict processing User Manager
  • DELETE /api/v2/users/{id}
From User Manager, customer has the ability to rectify and correct PII information from SevOne NMS.
Right to data portability User Manager
  • GET /api/v2/users/mypreferences
  • GET /api/v2/users
  • GET /api/v2/users/{id}
  • POST /api/v2/users/filter
In case the customer decides to provide access to the PII information from SevOne NMS, this script will provide a CSV export of the PII data.
Right to object n/a n/a Not applicable to SevOne. This is a manual process / policy at the client organization.

SevOne NMS Security Hardening

There are several security scanners commercially available in the market today. For example, Nessus. When running the scanner against SevOne NMS, it may result in a number of issues but, several of them may not be of any concern or have a solution available. Here is a list of some scenarios.

Issue Resolution
CIS Compliance related to Firewall configuration Loopback traffic must be configured on loopback interface (127.0.0.1/8) via firewalld.
CIS Compliance related to OS configuration If /etc/sysctl.d/90-custom.conf file does not exist, create it.

$ touch /etc/sysctl.d/90-custom.conf

Using a text editor of you choice, edit /etc/sysctl.d/90-custom.conf file, add the following, and then save it.

net.ipv4.ip_forward = 0

Clickjacking Vulnerability

Add X-Frame-Options header to location /manual in the following config files.

  • /config/nginx/conf.d/50_sevone.conf
  • /config/nginx/conf.d/50_ssl_sevone.conf
$ cd /config/nginx/conf.d

Using the text editor of your choice, edit the files.

Edit 50_sevone.conf file
$ vi 50_sevone.conf
Example: Add the following lines to 50_sevone.conf file
location /manual {
add_header "X-UA-Compatible" "IE=Edge";
add_header "X-Frame-Options" "SAMEORIGIN";
}
Edit 50_ssl_sevone.conf file
$ vi 50_ssl_sevone.conf
Example: Add the following to 50_ssl_sevone.conf file
location /manual {
add_header "X-UA-Compatible" "IE=Edge";
add_header "X-Frame-Options" "SAMEORIGIN";
}

After updating /config/nginx/conf.d/50_sevone.conf and /config/nginx/conf.d/50_ssl_sevone.conf, restart nginx.

$ systemctl restart nginx
docker

Docker packages have been updated.

$ rpm -qa| grep docker
docker-ce-23.0.1-1.el8.x86_64
docker-ce-cli-23.0.1-1.el8.x86_64
JAVA 11.0.20-0.x86-64 (IBM Semeru Certified)
Kernel 4.18.0-513.11.1.el8_9.x86_64
MySQL

MySQL moved to MariaDB 10.6.12 in SevOne NMS 6.7.0.

$ mysqlconfig -V
mysql Ver 15.1 Distrib 10.6.12-MariaDB, for Linux (x86_64)
using EditLine wrapper

$ mysqldata -V
mysql Ver 15.1 Distrib 10.6.12-MariaDB, for Linux (x86_64)
using EditLine wrapper
Nginx sets security tokens to off

Execute the following steps.

$ cd /config/nginx/conf.d
Using the text editor of your choice, create, edit, and save the new file 70_servertokens.conf.
Example
Create a new file
$ touch 70_servertokens.conf
Edit the new file
$ vi 70_servertokens.conf
Add the following line to the new file and save it
server_tokens off;
Nginx 1.25.2-1.el8.x86_64
REST API 2.1.47
SSH/SSL openssh-8.0p1-17.el8.x86_64
PHP

8.1.27-1.el8

NOTE: To consume PHP 8, please contact Expert Labs if assistance is needed.

Remove rsh and telnet
$ ssh root@<NMS appliance>
$ rpm -e --nodeps telnet rsh
Restrict usage of su

In scenarios where SevOne NMS instances accommodate custom users, a good security enhancement is to restrict the usage of su (CLI command) to wheel group members only. Using a text editor of your choice, uncomment line# 6) in /etc/pam.d/su file. i.e., remove # from the beginning of the following line.

#auth required pam_wheel.so use_uid

After editing /etc/pam.d/su file, line# 6 should appear as the following.

auth required pam_wheel.so use_uid
SSH Weak MAC Algorithms Please refer to FIPS Mode in this guide for details.
SSL Self-Signed Certificate

SevOne NMS appliance is delivered with a self-signed SSL certificate as Apache/Nginx will not start otherwise.

  • Purchase this service to generate a proper certificate.
  • If you have the service, generate a certificate.

Please refer to SSL Certificate in this guide for details.

systemd systemd-239-78.el8.x86_64
Users rocommunity and rocommunity6 share the same password. (/config/snmp/snmpd.conf) Use ssh and standard linux utility to configure rocommunity and rocommunity6 fields.
VIM 8.0.1763-19.el8_6.4.x86_64

CVE-2019-10246: In Eclipse Jetty version 9.2.27, 9.3.26, and 9.4.16, the server running on Windows is vulnerable to exposure of the fully qualified Base Resource directory name on Windows to a remote client when it is configured for showing a Listing of directory contents. The information revealed is restricted to only the content in the configured Base Resource directories.

https://nvd.nist.gov/vuln/detail/CVE-2019-10246

This is a false positive because SevOne does not run on Windows.

CVE-2017-17484:The ucnv_UTF8FromUTF8 function in ucnv_u8.cpp in International Components for Unicode (ICU) for C/C++ through 60.1 mishandles ucnv_convertEx calls for UTF-8 to UTF-8 conversion, which allows remote attackers to cause a denial of service (stack-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted string, as demonstrated by ZNC.

https://nvd.nist.gov/vuln/detail/CVE-2017-17484

This is a false positive because it shows that there is no overflow in the target buffer.
CVE-2016-6497: https://nvd.nist.gov/vuln/detail/CVE-2016-6497 This is a false positive because it only affects LDAP logins and SevOne Data Bus does not use LDAP at all.

Industry Standards

Common Criteria

SevOne NMS 5.5.0.1 is officially Common Criteria certified. This serves to prove the trustworthiness of SevOne product and our commitment to keeping our client's appliances safe. The NMS certification report, protection profile, and security target are publicly available on the Common Criteria portal (https://www.commoncriteriaportal.org/products/#NS).

STIGs

The appliances can be configured to operate to the specifications of Security Technical Implementation Guide (STIG) but, it reduces functionality. This is not recommended configuration. For additional details, please contact SevOne Support.

FIPS Mode

Warning: Kernel does not support the FIPS Mode.
Starting SevOne NMS 6.1, 3DES cipers are disabled for Nginx FIPS Mode.

SevOne provides optional configuration files for web servers (Apache or Ngnix depending on your SevOne NMS version) and OpenSSH. When selected, the application works in a FIPS 140-2 mode. This disables the usage of less secure ciphers that have proven, in practice, easier to overcome than more secure ciphers. The more secure ciphers need to be supported by the SSH clients you use.

Note: xStats daemons (that use Kafka) and xStats plugin are not FIPS compliant. Thus, these are removed from the FIPS configuration and should not be used.

Supported during Non FIPS Mode

Execute the following commands to return the supported algorithms in non-FIPS mode.

Non FIPS mode for SSH Client

$ cat /config/ssh/ssh_config.default | grep -iE 'ciphers|mac|kex'

KexAlgorithms diffie-hellman-group14-sha1
Ciphers aes128-ctr,aes256-ctr
MACs hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96

Non FIPS mode for SSH Server

$ cat /config/ssh/sshd_config.default | grep -iE 'ciphers|mac|kex'

Ciphers aes128-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr
MACs hmac-sha1,hmac-sha1-96,hmac-sha2-256,hmac-sha2-512,hmac-md5,hmac-md5-96

Supported during FIPS Mode

Execute the following commands to return the supported algorithms in FIPS mode.

FIPS mode for SSH Client

$ cat /config/ssh/ssh_config.fips | grep -iE 'ciphers|mac|kex'

KexAlgorithms diffie-hellman-group14-sha1
Ciphers aes128-cbc,aes256-cbc
MACs hmac-sha1,hmac-sha1-96

FIPS mode for SSH Server

$ cat /config/ssh/sshd_config.fips | grep -iE 'ciphers|mac|kex'

Ciphers aes128-cbc,aes256-cbc,aes128-gcm@openssh.com,aes256-gcm@openssh.com
MACs hmac-sha1,hmac-sha2-256,hmac-sha2-512

Certain customers choose to reduce the number of supported communication Ciphers and Macs even further, however, this may cause compatibility issues when monitoring older devices.

Important: By default, all ciphers are Supported during Non FIPS Mode. It is recommended that a configuration file is selected that allows only Supported during FIPS Mode. This can be done by changing the configuration files for Nginx and OpenSSH.

Unconfigure SSH's Weak MAC Algorithms

  1. Using ssh, login to NMS appliance as root.
    $ ssh root@<NMS appliance>
  2. Change directory to /config/ssh.
    $ cd /config/ssh
  3. Enter into the NMS container.
    
    $ podman exec -it nms-nms-nms /bin/bash
    
  4. Make a copy of the sshd_config file.
    $ cp sshd_config sshd_config.custom
  5. Using the text editor of your choice, edit the new custom (sshd_config.custom) file and delete the offending SSH ciphers from the lines that start with the words Ciphers and MACs. Make sure you only delete the Ciphers and MACs that are necessary to be removed.
  6. Save and close the file.
  7. Verify SevOne-select shows the custom file.
    
    $ SevOne-select sshd config
  8. Symlink the custom config to sshd_config.
    $ ln -sf sshd_config.custom sshd_config
  9. Switch SevOne-select to use the new custom config.
    
    $ SevOne-select sshd config custom
  10. Verify that it is selected correctly with SevOne-select sshd config.
  11. Restart sshd.
    
    $ supervisorctl restart sshd

FAQs

Does IBM SevOne publish security scan results publicly?

No. Industry best practices is NOT to publish scan results because it puts all customers at further risk by informing hackers where to focus their efforts.

IBM SevOne does use a series of commercially available tools to test our products in house to identify risks. IBM SevOne does not endorse the tools used but, uses them as a guide to perform due diligence.

IBM SevOne strongly encourages all customers to follow additional industry best practices and perform periodic scans against products deployed on their network. This to cover any misconfiguration when deployed. If upon scanning IBM SevOne there are any concerns, the customer should report them by opening a ticket with Support.

IBM does takes security and privacy very seriously.   For additional information on IBM's process, please refer to https://www.ibm.com/trust/security-spbd.

Is the MySQL database encrypted?

The MySQL database is not fully encrypted. The cluster and device information, passwords, etc. are encrypted at rest. However, time-series data, for example, is not.

What encryption mechanisms are used for MySQL database?

It is AES256.

How often is MySQL database version updated?

MySQL database versions on SevOne Data Platform are updated only when there is substantial security update or a performance defect fix is made available.

Is there an ability to encrypt the entire filesystem at rest? And, if so, how is it done?

SevOne Data Platform does not support encryption for the entire filesystem at rest.

Which version of TLS does SevOne Data Platform support?

SevOne Data Platform supports TLS v1.2 and v1.3.

Can SevOne Data Platform support TLS v1.3 with non-default config?

Yes, the non-default config can be changed to enable TLS v1.3.

Reference Materials