Honored Contributor.

How to protect the license file of ArcSight ESM on the Linux path where it is installed?

Hi All

As you know, the license file of ArcSight ESM is stored in a specific path (/opt/arcsight/manager/user/manager/license). What is your suggestion for protecting this file against any modification or deletion?

BR

Amir 

3 Replies
Acclaimed Contributor.

Hello Amir,

 

Having a backup of that file is for sure the best idea, in my opinion.

Best Regards,

 

Daniel

Super Contributor.

Hello,

It is hard to tell how to protect it, but I think we can monitor this file using the Linux audit daemon auditd, for example:

auditctl -a exit,always -F path=/opt/arcsight/manager/user/manager/license/arcsight.lic -F perm=rwa

Anyway, we need to dig deeper and test it.

Respected Contributor.

It can depend on where you are at just now with locking down your servers.

I would start by getting traceability on the servers, making sure there is no one accessing servers generically (e.g. logging in as root or arcsight) and delegating the permissions of those users with sudo / su. That way you can monitor who is doing what and when, if you have auditing properly configured. Usually your servers will be logging which users are using which commands anyway, so you shouldn't need to configure anything custom other than making sure those logs are monitored (in ArcSight, hopefully).

Once you have that you can look at specific folders or files if you would like in order to look for things like this.

That being said you could always get fancy and use SELinux to protect the file in a more suitable way if it really is a requirement.

Privileged access management is one of the use cases you absolutely should have across the board in your environment, not just on the ArcSight servers, controlling who can do what and when, which is usually enough to meet this type of requirement.
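As an added example (not code from any poster in this thread), the sketch below shows how records produced by an auditd watch like the one in the second reply can be turned into the "who did what" view the last reply asks for: it groups raw audit.log records by event id, resolves relative PATH names against the CWD record, and reports the auid (the login uid, which stays the same after sudo / su) for every event touching the license file. The sample records are constructed, and the function name is hypothetical.

```python
import posixpath
import re
from collections import defaultdict

LICENSE = "/opt/arcsight/manager/user/manager/license/arcsight.lic"  # path from the thread
# Constructed sample records in raw audit.log format (not captured from a real host).
SAMPLE = '''\
type=SYSCALL msg=audit(1700000000.101:501): arch=c000003e syscall=257 success=yes exit=3 pid=4100 auid=1001 uid=0 comm="vi" exe="/usr/bin/vi" key=(null)
type=CWD msg=audit(1700000000.101:501): cwd="/root"
type=PATH msg=audit(1700000000.101:501): item=0 name="/opt/arcsight/manager/user/manager/license/arcsight.lic" nametype=NORMAL
type=SYSCALL msg=audit(1700000050.220:502): arch=c000003e syscall=263 success=yes exit=0 pid=4177 auid=1002 uid=0 comm="rm" exe="/usr/bin/rm" key=(null)
type=CWD msg=audit(1700000050.220:502): cwd="/opt/arcsight/manager/user/manager/license"
type=PATH msg=audit(1700000050.220:502): item=0 name="/opt/arcsight/manager/user/manager/license" nametype=PARENT
type=PATH msg=audit(1700000050.220:502): item=1 name="arcsight.lic" nametype=DELETE
type=SYSCALL msg=audit(1700000090.007:503): arch=c000003e syscall=257 success=yes exit=3 pid=4200 auid=1001 uid=1001 comm="cat" exe="/usr/bin/cat" key=(null)
type=CWD msg=audit(1700000090.007:503): cwd="/home/alice"
type=PATH msg=audit(1700000090.007:503): item=0 name="/etc/hostname" nametype=NORMAL
'''

EVENT_ID = re.compile(r"msg=audit\(([\d.]+:\d+)\)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def license_events(log_text, target=LICENSE):
    """Group records by event id and return the events that touch `target`."""
    events = defaultdict(lambda: {"paths": []})
    for line in log_text.splitlines():
        m = EVENT_ID.search(line)
        if not m:
            continue
        f = {k: v.strip('"') for k, v in FIELD.findall(line)}
        ev = events[m.group(1)]
        if f.get("type") == "SYSCALL":
            ev.update(auid=f.get("auid"), uid=f.get("uid"), exe=f.get("exe"))
        elif f.get("type") == "CWD":
            ev["cwd"] = f.get("cwd", "/")
        elif f.get("type") == "PATH":
            ev["paths"].append((f.get("name", ""), f.get("nametype", "")))
    hits = []
    for eid, ev in events.items():
        for name, nametype in ev["paths"]:
            # PATH names may be relative; resolve them against the CWD record.
            full = posixpath.normpath(posixpath.join(ev.get("cwd", "/"), name))
            if full == target and "exe" in ev:
                hits.append({"event": eid, "auid": ev["auid"], "uid": ev["uid"],
                             "exe": ev["exe"], "nametype": nametype})
    return hits

if __name__ == "__main__":
    print(*license_events(SAMPLE), sep="\n")
```

In the constructed sample both hits run with uid=0, but the auid values differ, which is what separates two administrators who each escalated to root.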
