Tenable Common Criteria Evaluated Configuration Guide. October 29, 2009 (Revision 4)

Transcription

1 Tenable Common Criteria Evaluated Configuration Guide October 29, 2009 (Revision 4)

2 Table of Contents TABLE OF CONTENTS... 2 OVERVIEW... 3 SECURITY CENTER COMPONENTS... 3 NESSUS VULNERABILITY SCANNER... 3 LOG CORRELATION ENGINE... 3 PASSIVE VULNERABILITY SCANNER DTOOL... 4 ASSUMPTIONS... 4 INSTALLATION... 6 INSTALL OS PLATFORM... 6 Required Packages... 6 Secure Network Services... 7 SOFTWARE LICENSES... 7 INSTALL SECURITY CENTER AND COMPONENTS... 7 SECURE APACHE WEB SERVER... 8 ADMIN CONFIGURATION... 8 INITIAL LOGIN... 8 Bring up web interface and login as admin... 8 Add License... 9 Change the admin User Password... 9 CONFIGURE CONSOLE OPTIONS... 9 Configure Set Security defaults... 9 CONFIGURE COMPONENTS Nessus Passive Vulnerability Scanner Log Correlation Engine D Tool Restart Security Center Daemons Implementing Storage Exhaustion Monitoring Install the LCE Scripts Install LCE Client ADD CUSTOMER CUSTOMER CONFIGURATION ADD END USERS ADD SECURITY MANAGERS ABOUT TENABLE NETWORK SECURITY

3 Overview The National Information Assurance Project (NIAP) is a U.S. Government initiative between the National Institute of Standards and Technology (NIST) and the National Security Agency. NIAP sponsors a variety of projects and activities, including the Common Criteria Evaluation and Validation Scheme (CCEVS). The Common Criteria is a standard for evaluation of security measures in a given product. Many government agencies require that products they deploy have been evaluated under the Common Criteria process. Tenable s Security Center 3.2 product has been evaluated at Evaluation Assurance Level Two Augmented with Flaw Remediation (EAL2+). This guide describes requirements and guidelines for installing, configuring, and maintaining Tenable s Security Center to comply with Common Criteria (CC) evaluation standards. If your company security policy requires your Security Center to exactly match the CC Target of Evaluation (TOE) configuration, carefully follow the instructions in this document. Security Center Components The Target Of Evaluation (TOE) includes all the elements that comprise a full deployment of the Security Center suite: Nessus Vulnerability Scanner (Nessus), Log Correlation Engine (LCE) and the LCE Clients, Passive Vulnerability Scanner (PVS), and the 3D Tool (3DT). Although the Security Center and Log Correlation Engine can accept data from third party products and applications, such as Snort, such products and applications are outside the scope of the evaluated configuration. The Tenable Security Center is a web based management console that unifies the process of asset recovery, vulnerability detection, event management, and compliance reporting. The Security Center enables efficient communication of security events to IT, management and audit teams. The Security Center supports input from a wide variety of security products. For the purpose of the Common Criteria evaluation, the only products validated with the Security Center are those listed in this section. The Nessus vulnerability scanner must be configured to only be operated from the Security Center. Nessus Vulnerability Scanner The Nessus Vulnerability Scanner is an active scanner that provides a snapshot of network assets and vulnerability exposure. Log Correlation Engine The Log Correlation Engine correlates and analyzes event log data from a variety of devices in the infrastructure. The Log Correlation Engine is designed to work in conjunction with the Security Center to provide a central portal for security management. 3

4 Passive Vulnerability Scanner The Passive Vulnerability Scanner behaves like a security motion detector on the network. The Passive Scanner maps new hosts and services as they appear on the network and monitors for vulnerabilities. It provides virtual real-time compliance monitoring. 3DTool The 3D Tool is an interface to the Security Center data that is designed to facilitate presentations and security analysis of different types of information acquired from the Security Center. Assumptions As with any application, the security and reliability of the Security Center is dependent on the environment that supports it. Organizations deploying the Security Center must have an established IT management policy that covers System Administration integrity, resource monitoring, physical security, and disaster recovery. It is assumed that the environment will be configured and maintained to ensure that the following conditions are met: Operating system The operating system that the Security Center and all components (Nessus, LCE, PVS) reside on must be configured in a secure manner to ensure that security controls cannot be bypassed. This can be accomplished by installing the Red Hat Linux OS in accordance with standards such as the CIS benchmarks or by using SELinux. Each system must be dedicated to the appropriate application (Security Center, Nessus, LCE, PVS) and contain no other applications except what is required to operate the system in a secure manner. As the Common Criteria requires monitoring for audit and system storage exhaustion, each application (SC3, Nessus, PVS, LCE) must reside on a dedicated file system. Instructions for configuring monitoring are provided later in this document. If you are using an additional file system, partition, SAN, or NAS for the LCE data repository, the mount point must be configured as /usr/thunder/db to permit monitoring for storage exhaustion of the LCE data repository. The syslog configuration file (/etc/syslog.conf) must log auth.info messages to the /var/log/messages file. This is the default setting, and must be configured in this manner to permit monitoring of the system storage. Configuration To monitor availability of system resources, the LCE client must be installed on each system that is hosting the Tenable applications (SC3, Nessus, PVS, LCE). The LCE server must be configured to use the system_monitor.tasl script, available at the Tenable Support Portal. The Tenable Security Center and Log Correlation Engine have the ability to accept input from other sources such as SNMP traps (port 162/udp) and SYSLOG data (port 514/udp) if they are configured to do so via the Add IDS 4

5 selection from the Security Center s Console tab. The Security Center will only accept input from devices whose IP address has been configured in this manner. This ability is not part of the evaluated configuration. The LCE must not be configured to export SYSLOG data to any server that is outside of the TOE components. The use of external authentication servers (such as LDAP) is not part of the evaluated configuration. The PVS has the ability to send data to third party applications. This configuration is not part of the evaluated configuration and the PVS must only be configured to send its data to the Security Center. While the PVS can be configured to forward vulnerability and alert data via SYSLOG to other components, this capability is not enabled in the evaluated configuration. Users have the ability to write their own rules and custom scripts to be used with the SC. Such rules and scripts are outside the evaluated configuration. The Security Center must be configured to update Nessus and PVS plugins on a at least a daily basis to ensure the latest vulnerability data is available. The Security Center must be configured to automatically scan systems on a regular basis in accordance with site policy. Administration The system must be administered by staff with appropriate qualifications for the deployed technologies. A Secure System and Network Administration Policy must be established for personnel tasked with administering servers and networks. This policy must include measures that mandate compliance and specify disciplinary actions for policy violations. A patch management policy must be in place to ensure that the latest recommended security patches are applied to the Operating System. A system monitoring utility must be in place to alert administrators on potential problems in availability of system resources. An infrastructure must be in place to allow receipt of messages sent by the Security Center. Acceptable Use An Acceptable Use policy must be established to mandate appropriate use of computing facilities. All desktop systems used to access security center data (either through the web GUI or through 3D Tool) must be secured, patched and have the latest anti-virus software installed. Any data downloaded from the Security Center, either through a report or 3D Tool graphical representation must be protected from unauthorized access. Network The network must be configured to ensure that the Security Center resides in a secure network segment. Network time synchronization must be enabled to ensure accurate time stamps are recorded in reports and log files. Physical Controls The hardware that supports the Security Center and related components must be secured from unauthorized physical access. Access Control 5

6 Access control mechanisms must be in place to ensure only authorized users have access to the OS platform for all components. The Nessus login and password must only be available to authorized Security Center administrators. The environment must support use of SSL certificates for use by the Nessus scanner. Installation Installation instructions for the Security Center and related components are available at the Tenable Support Portal. This section describes particular concerns for installation with regard to Common Criteria requirements. Install OS Platform Security Center version 3.2 is available for the 32 bit version of Red Hat Enterprise Server 3 and 4. There is no difference in configuration for these systems. The Security Center is comprised of the following components in a Common Criteria certified configuration: Security Center Nessus Scanner (one or more) Passive Vulnerability Scanner (one or more) Log Correlation Engine LCE Clients 3D Tool (one or more) Please see the specific product documentation applicable to each component for information on determining system requirements and placement within your specific environment. Required Packages The following prerequisite operating system packages are required on the system prior to installing the Security Center package: compat-db compat-libstdc expat gdbm libtool-libs el4.1 libxml ncurses readline sharutils Please note that the versions listed above were the most recent at the time of this writing. The latest stable/production version of each package must always be used. 6

7 Secure Network Services As with any system providing security services, it is important to harden the base Operating System and ensure that all unnecessary services are disabled prior to installation of the Security Center and components. The only network service required by the Security Center prior to installation is OpenSSH. For each of the systems hosting the Security Center, Nessus Vulnerability Scanner, Log Correlation Engine, and Passive Vulnerability Scanner, edit the file /etc/ssh_config and ensure that the Protocol variable under the Hosts * heading is uncommented and set to a value of 2. Edit the file /etc/sshd.config and ensure the following variables are configured as shown below: SSH Variable Value Protocol 2 X11Forwarding IgnoreRhosts PermitRootLogin PermitEmptyPasswords yes yes no no Restart sshd after changing these settings: # service sshd restart Software Licenses Contact Tenable Sales for license keys for the Security Center, Log Correlation Engine, and Passive Vulnerability Scanner. For each application, you will need to provide the hostname of the system that it will be installed on. This can be obtained by entering the hostname command at the shell prompt as the system root user. The Security Center license does not need to be initially loaded onto the system running the application. Save the Tenable provided key file to your local workstation s hard drive. Once installation is completed, you will be prompted to add your license. The Nessus Plugin Feed Activation Code is supplied with the Security Center license. Each Nessus scanner will receive plugin updates from the Security Center nightly and therefore the individual scanners do not need an activation code. The 3D Tool does not require a license. The licenses for the Log Correlation Engine and Passive Vulnerability Scanner must be copied to the systems hosting the applications. The installation for these applications is a command line process that will prompt for the licenses. Install Security Center and Components Please refer to the Installation section of the following documentation for specific installation instructions: Security Center 3.2 Documentation 7

8 Nessus 3.0 Installation Guide Passive Vulnerability Scanner 3.0 User Guide Log Correlation Engine 2.0 Admin and User Guide 3D Tool 1.2 User Guide Note that the Log Correlation Engine is undergoing a name change and the terms Log Correlation Engine and Thunder may be used interchangeably. Secure Apache Web Server The Security Center is designed to be managed from a web-based console interface. The Security Center supports use of SSL, which must be set as the default console interface by changing the URL in the configuration menu under Misc. Options to https instead of http. To force use of https, edit the configuration file for the Apache server provided with the Security Center so that the port it listens on is port 443 (the default is 80). To accomplish this, edit the file /opt/sc3/support/conf/httpd.conf and search for the string Listen 80. Change 80 to 443, save, and quit. Use the following command to restart the web server without affecting the Security Center daemons: # cd /opt/sc3/support/bin #./apachectl restart Admin Configuration Once the Security Center and all component applications (Nessus, LCE, PVS) have been installed, the Security Center must be configured to manage them. The configuration of the components is performed by the admin user. Specific details on configuring the Security Center are described in the Security Center documentation. The basic steps are as follows: Initial Login Bring up web interface and login as admin Bring up a web browser and login to the Security Center using a URL similar to the following: IP ADDRESS OR FQDN>/sc3/ You will be presented with a screen that looks similar to that shown on the right. The default administration account is the username admin with a password of admin. Default Login Screen Note that for Common Criteria compliance you must use https instead of http. The previous configuration guidance for the Apache web server will not support 8

9 Add License use of http. When you login as admin for the first time, you will be prompted to upload the license key. Click on the Browse button and then find and select your license key that was saved previously on your local workstation s hard drive. Then, click OK to upload the key file. You will receive an error message the first time you do this. As indicated in the message, click on the refresh button once after submitting the license key to clear it. Change the admin User Password To change the admin password, click on the Console Administrators tab and then click on Change My Password. You will be prompted to enter the new password and then confirm it. Finally, click on Update and then Continue. It is critical to change the default password at the initial login to a complex password that is at least 8 characters in length and contains a mixture of alphanumeric and special such as #(@^!. Configure Console Options To configure Security Center click on the Console tab and then click on Configure the Security Center. A wide variety of options are available to customize the Security Center. Please see the section titled Console Management in the Administrator Guide of the Security Center documentation for more details. This section is focused on those that affect the secure operation of the Security Center. Configure To receive alerts via , you must have an infrastructure in place that the Security Center can access. To use the features of Security Center, you must configure the Delivery Options : SMTP Gateway return address Does the remote SMTP server require authentication? SMTP Server User name SMTP Server password Set Security defaults Configure Default Console URL Change the default console URL under Misc. Options so that the actual IP address of the system is entered instead of the loop back address ( ). Also, change the default URL to reflect https instead of http. Set Authentication Options Make sure that the following options are set: 9

10 Option Maximum authentication attempts Log authentication failures Log successful authentication attempts Description This setting provides for automatic lockout after a specified number of failed authentication attempts occur. The default is 20 failed attempts before a user is locked out. For Common Criteria compliance, you must change this to a stricter setting that is in compliance with your site s security policy. The recommended setting is 3 to 5 failed attempts before the account is locked out. This setting provides the ability to log customer s failed authentication attempts. This log can be viewed by clicking on the Customer Management tab and then selecting View Admin & Customer Activity Logs. This setting provides the ability to log customer s successful authentication attempts. This log can be viewed by clicking on the Customer Management tab and then selecting View Admin & Customer Activity Logs. Submit Changes After all the changes have been made, click on the Submit button at the bottom of the page to put the changes into effect. Then, click on Continue. You will be brought back to the Configure the Security Center screen. Configure Components For specific instructions to add components to the Security Center, please refer to the Console Management section of the Security Center documentation. Nessus The Security Center logs in to the Nessus scanner via the lightning-proxy daemon to initiate scans and retrieve results using a login and password combination. The login account is created on the Nessus server as follows: # /opt/nessus/sbin/nessus-add-first-user nessusd (Nessus) for Linux (C) 2005 Tenable Network Security, Inc. Using /var/tmp as a temporary file holder Add a new nessusd user Login : nessus Authentication (pass/cert) [pass]: Login password: Login password (again): 10

11 User rules nessusd has a rules system which allows you to restrict the hosts that admin has the right to test. For instance, you may want him to be able to scan his own host only. Please see the nessus-adduser(8) man page for the rules syntax Enter the rules for this user, and hit ctrl-d once you are done: (the user can have an empty rules set) Login :paul Password :******** DN : Rules : Is that ok? (y/n) [y] User added. Thank you. You can now start Nessus by typing: /opt/nessus/sbin/nessusd D # To add a Nessus scanner to the Security Center, from the Console table select Add Nessus Scanner and fill in the information as shown in the form below: 11

12 Use SSL authentication instead of password authentication. Check the box marked SSL authentication and leave the password field blank. Using SSL authentication is discussed in more detail in Appendix 8: Nessus SSL Configuration of the Security Center documentation. Do not confuse this SSL certificate configuration with normal Security Center to Nessus communications. All communications between the Security Center and Nessus are SSL encrypted over port The SSL configuration described in Appendix 8: Nessus SSL Configuration of the Security Center documentation enables password-less authentication between Security Center and Nessus. Be sure to update plugins before running your first scan. Passive Vulnerability Scanner The Security Center logs in to the PVS scanner via the pvs-proxy daemon to retrieve data using a login and password combination. Unlike Nessus, which is an active scanner, the PVS does not need to have a scan initiated since it is constantly gathering data. UNIX Systems 12

13 The login account is created during installation of the PVS as follows: PVS CONFIGURATION : Security Center Uplink PVS can report its data to the Security Center console for centralised management. If you enable Security Center support, PVS will run a daemon (pvs-proxy) which will be polled by Security Center regularly to fetch all the new reports. To do so, you will need to set up a username and password for pvsproxy and give these credentials to Security Center. Do you want to enable Security Center support? (y/n) [y]y If you reply "y", you will be prompted for a username and password: Username : admin Password : Password (confirm) : Windows Systems On the Windows version of the PVS, a service named Tenable PVS Proxy is installed, but is not configured or enabled by default. To configure it, the Options/PVS SC3 Listener section of the PVS user interface can be used to specify the username, password, and port for the Security Center to log into with. Once this data is entered, the service must be manually started and also configured to start automatically if the system reboots. Security Center To communicate with the Security Center, the PVS establishes its own unique username and password. This credential information needs to be configured on the Security Center through the administration interface so that the Security Center can log into the PVS and retrieve vulnerability data. PVS systems many be added by the admin user via the Add/Remove a Passive Vulnerability Scanner from the Console tab. An example set of two PVS devices is shown below: 13

14 Example configured Passive Vulnerability Scanners The access control points related to the Passive Vulnerability Scanner integration with the Security Center are: The login from the Security Center to the PVS. The SSL certificates use to encrypt the communication Security Center SSL Communication with PVS PVS supports communication protocols based on the OpenSSL toolkit (please see for more details about the toolkit). This provides cryptographic protection for communication between two systems. There are three components involved: the Certificate Authority, the PVS Server and the Security Center. It is not necessary to generate the keys required for the SSL communication since they are provided with the Security Center software and downloaded to the appropriate directory or folder, depending on the OS version of PVS. On the Red Hat Linux version of PVS, the SSL keys and certificate are located in the /opt/pvs/var/pvs-proxy/ssl/ directory. On the Windows version of PVS, they are located in the C:\Program Files\Tenable\PVS\ca\ folder. More information is available on PVS operations in Appendix 3 of the Security Center documentation. Log Correlation Engine 14

15 LCE analysis is provided to the Security Center through the use of command execution across a secure shell network session. When the Security Center needs to query LCE servers, it invokes a Secure Shell (SSH) session to the configured LCE server. All execution and analysis of LCE data occurs on the LCE server. SSH public keys are configured so that the Security Center can invoke commands on the LCE server. Non system-administrator accounts are used to perform these queries. The trust relationship is only needed from the Security Center to the LCE server. LCE servers are configured by the admin user from the Log Correlation Engine Management selection under the Console tab as shown in the following screen: 15

16 The public SSH keys are for user tns which is the UNIX account the Security Center uses to perform a majority of its operation. 3D Tool The 3D Tool is a Windows desktop application that establishes a portal to the Security Center and retrieves data for visualization. This application has no ability to modify data or settings in the Security Center data repository or configuration files. There are no special configuration requirements for the 3D Tool since authentication is managed by the Security Center. However, it is important to note that users of the 3D Tool must use the supported HTTPS protocol when accessing the Security Center by clicking on the SSL box in the login screen. As per previous instructions in this guide, the Security Center will not accept http connections. Use of the 3D Tool is optional and is not required for the secure operation of the Security Center. Restart Security Center Daemons At this point the basic configuration is complete. Restart the Security Center services by clicking on the Console tab and selecting Start/Stop Security Center Services. Then, click on [START/RESTART ALL SERVICES] and then Continue. When you return to the Show Security Center Services Status screen, all of the services will display a status of Running if they have been properly installed. If this is the first time the Security Center services have been started/restarted, it may take a few minutes for all of the updates to get processed and provided to the remote components. Note that the mail daemon will not start (and will not provide an error) if the section of configure the console is not completed. Implementing Storage Exhaustion Monitoring Tenable provides the appropriate LCE Clients as well as several scripts for monitoring system storage exhaustion. All of these may be obtained from the Tenable Support Portal at Login to the customer support portal and click on the Downloads link, and then click on Log Correlation Engine. Scroll to the bottom of the page and click on TASL Scripts. Under the Utility Scripts, download the System Monitor script. Install the LCE Scripts Transfer the system_monitor.tasl files to the Log Correlation Engine server and place it in the following directory: /usr/thunder/daemons/plugins Set the permissions on these files to mode 640 as follows: -rwxr-x--- 1 thunder thunder 7439 Oct 21 14:08system_monitor.tasl 16

17 Install LCE Client Install the appropriate LCE clients on the servers that are supporting the Security Center, Nessus, Log Correlation Engine, and Passive Vulnerability Scanner. It is recommended that the LCE clients be installed and configured on all critical systems, but they must at least be installed on the security servers to ensure that system resources are monitored. Add Customer Customers are defined and managed by the Security Center Administrator (admin user) who specifies which network ranges can be monitored by a Security Center customer. Each customer has a unique name and serial number. The login id that is created with a new customer account is referred to as the Primary Security Manager (PSM). This account cannot be deleted and will have full access to the SC customer data and functions. There are four options for managing Security Center customers under the Customer tab of the Administrator s menu. These include: List/Edit/Delete Customers Add New Customer View Admin & Customer Activity Logs List/Delete Customer IDS Sources Customer Configuration Once the admin has set up a customer account, the Primary Security Manager can further define roles within the parameters established for this customer. The access rights for the Primary Security Manager are limited to the network address space as defined by the SC Administrator. The PSM can define either End Users or Security Managers for the defined address space through the Users tab, which has the following options: List/Edit/Delete Users Add New User Show Managed Asset List Change My Account Information Change My Password View Activity Log Add End Users An End User is typically a system administrator or network engineer who has responsibility for administrating security of hosts on a portion of the network. End users have the following capabilities: They can only see vulnerabilities, IDS events, and logs for a specific range of IP addresses that is determined by the particular asset lists the account has access to. They may be permitted to conduct vulnerability scanning of their network address space, but may also be locked out from scanning either manually or when the threshold for failed login attempts is reached. 17

18 They can track the remediation of vulnerabilities found on systems they are responsible for, which also permits the initiation of a rescan once the vulnerability is mitigated. The access rights for an End User are defined by the Security Manager(s) for the defined network address space. The End User does not have the ability to change this. End Users can be segregated to a subset of the network address space defined for the customer, thereby restricting their ability to monitor network activity. Add Security Managers A Security Manager is typically the security representative for an organization within the customer address space and is responsible for the overall security posture of that organization. Security Managers can do everything an End User can do with the following additions: Security Managers can add, edit, and delete new users who can be either Security Managers or End Users. Security Managers can add and manage asset lists lists or ranges of IP addresses that are statically or dynamically created. Asset lists permit grouping of monitored systems and play an integral part within Security Center. Security Managers can open tickets describing which vulnerabilities need to be mitigated, as well as recast or accept the risk level of a found vulnerability. The access rights for the Security Manager are limited to the network address space defined by the Security Center Administrator. Security Managers have the ability to change the access rights for End Users. 18

19 About Tenable Network Security Tenable, headquartered in Columbia, Md., USA, is the world leader in Unified Security Monitoring. Tenable provides agent-less solutions for continuous monitoring of vulnerabilities, configurations, data leakage, log analysis, and compromise detection. For more information, please visit us at TENABLE Network Security, Inc Columbia Gateway Drive Suite 100 Columbia, MD TEL: