Gen 6 Appliance Hardening (CIS/STIG)
Introduction
This page describes the hardening procedures applied in the factory before a LogRhythm appliance is shipped. It applies to all LogRhythm appliances that run on Microsoft Windows Server 2022 and Rocky Linux 9.x. Some LogRhythm appliances also include SQL Server 2019 Standard.
LogRhythm customers have a wide variety of security and compliance needs. It is LogRhythm’s goal to provide an appliance that meets or exceeds customer requirements, without compromising the functionality or usability of the product.
Why Microsoft Windows Server 2022, Rocky 9.x, and SQL Server 2019?
LogRhythm selected the combination of Microsoft Windows Server 2022, Rocky 9, and SQL Server 2019 for a variety of reasons:
Ease of use, administration, and maintenance
The ubiquitous nature of Windows systems means that most IT organizations have a working knowledge of the use, administration, and maintenance of Windows systems.
Rocky Linux is based on RHEL source code and offers a stable, well-maintained platform for our *NIX-based systems.
Documentation and administration tools
The availability of documentation, administrative tools, and security profiling tools for Microsoft products is unrivaled.
Common Criteria Certification
Windows Server 2022 reached Common Criteria certification status in February 2023.
SQL Server 2019 reached EAL4+ status in April 2022.
Hardening Procedures
The primary steps LogRhythm uses to harden an appliance are:
Build the current appliance image starting from the hardening applied to the previous image version.
Perform STIG (CAT I, II, and III) and CIS (Level 1 and 2) scans against sample systems.
Manually validate software for which no scanning tooling exists (for example, the STIG for Microsoft SQL Server).
Review all findings and implement remediations in the appliance image where they are reasonable to apply and will not impact the functionality of the LogRhythm software.
Continue operating system and software patching, and vulnerability testing against the appliance images, with every image update.
Defense Information Systems Agency Hardening
The Defense Information Systems Agency (DISA) publishes Security Technical Implementation Guides (STIGs) for many operating systems and applications. The guides offer guidance for securing information systems for the Department of Defense. Many of the STIGs are now offered in the Security Content Automation Protocol (SCAP) format to provide automated compliance scanning and reporting.
Windows Server 2022 STIG
LogRhythm leverages the SCAP Compliance Checker (SCC) tool provided by DISA through the public DoD Cyber Exchange. This tool performs a compliance check against the local operating system using the Windows Server 2022 STIG Benchmark to further harden appliances. The MAC-1 Classified (most secure) profile of the benchmark describes 273 checks for securing Windows. Where possible, and where the usability of the product for the majority of customers will not be impacted, LogRhythm applies these settings in the factory. Full audit reports are available upon request.
SQL Server 2019 STIG
DISA provides Security Technical Implementation Guides (STIG) for Microsoft SQL 2019 published as two documents, one covering the database management system and one covering the individual databases. The STIG provides technical security policies, requirements, and implementation details for applying security concepts to Microsoft SQL 2019. Where possible, LogRhythm applies these settings from the factory as part of appliance imaging. In some cases, recommendations cannot be applied due to performance or functionality impact of the LogRhythm software. In some cases, findings cannot be applied from the factory and are up to the customer to implement. Full audit reports are available upon request.
Rocky 9 STIG
LogRhythm uses the OpenSCAP tool combined with the DISA Red Hat Enterprise Linux 9 STIG benchmarks for appliance hardening. Where possible, LogRhythm applies these settings from the factory as part of appliance imaging. In some cases, recommendations cannot be applied due to performance or functionality impact of the LogRhythm software. In some cases, findings cannot be applied from the factory and are up to the customer to implement. Full audit reports are available upon request.
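The hardening procedure above (scan, review every finding, remediate what is reasonable, validate the rest manually) starts from the results file the scanner writes. Both OpenSCAP and DISA SCC emit XCCDF TestResult documents, so the review step can be driven from a short list of open items per STIG category. The following script is an added example, not LogRhythm tooling or part of OpenSCAP: it parses an XCCDF results document and groups rule outcomes into CAT I/II/III, separating failed rules from rules the scanner could not evaluate. The embedded results document, its rule ids, and the oscap invocation and content path quoted in the docstring are constructed or assumed for illustration.

```python
"""Summarize an XCCDF results file into STIG categories.

Added example (not LogRhythm tooling). OpenSCAP (oscap) and DISA SCC both
write XCCDF TestResult documents; this reads one and groups rule outcomes by
STIG category so the "review all findings" step starts from a short list.

Assumed command that produces such a file on Rocky 9 with the
scap-security-guide package installed (profile id and content path are
assumptions, check them on the host):
  oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_stig \
      --results results.xml --report report.html \
      /usr/share/xml/scap/ssg/content/ssg-rl9-ds.xml
"""
import sys
import xml.etree.ElementTree as ET
from collections import Counter

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"

# DISA STIG categories correspond to XCCDF severities as follows.
CAT_BY_SEVERITY = {"high": "CAT I", "medium": "CAT II", "low": "CAT III"}

# Outcomes that leave a rule unresolved and need a human to review them.
NEEDS_REVIEW = {"fail", "error", "unknown"}
# Rules the scanner could not evaluate; these are the manual-validation cases.
NEEDS_MANUAL = {"notchecked"}

# Constructed sample results document; the rule ids are made up.
SAMPLE_RESULTS = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark">
  <TestResult id="xccdf_example_testresult">
    <rule-result idref="xccdf_example_rule_no_empty_passwords" severity="high">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_example_rule_sshd_disable_root_login" severity="high">
      <result>pass</result>
    </rule-result>
    <rule-result idref="xccdf_example_rule_audit_login_events" severity="medium">
      <result>pass</result>
    </rule-result>
    <rule-result idref="xccdf_example_rule_backup_procedure_documented" severity="medium">
      <result>notchecked</result>
    </rule-result>
    <rule-result idref="xccdf_example_rule_login_banner_text" severity="low">
      <result>fail</result>
    </rule-result>
  </TestResult>
</Benchmark>
"""


def parse_rule_results(xml_text):
    """Return a list of (rule_id, category, result) for every rule-result element."""
    root = ET.fromstring(xml_text)
    rows = []
    for rr in root.iter(f"{{{XCCDF_NS}}}rule-result"):
        result_el = rr.find(f"{{{XCCDF_NS}}}result")
        result = (result_el.text or "").strip().lower() if result_el is not None else ""
        category = CAT_BY_SEVERITY.get(rr.get("severity", "").lower(), "uncategorized")
        rows.append((rr.get("idref", "?"), category, result or "unknown"))
    return rows


def summarize(xml_text):
    """Count outcomes per category and collect the rules that still need work."""
    counts = Counter()      # (category, result) -> number of rules
    open_findings = {}      # category -> rule ids that failed or errored
    manual_checks = []      # rule ids the scanner could not evaluate
    for rule_id, category, result in parse_rule_results(xml_text):
        counts[(category, result)] += 1
        if result in NEEDS_REVIEW:
            open_findings.setdefault(category, []).append(rule_id)
        elif result in NEEDS_MANUAL:
            manual_checks.append(rule_id)
    return counts, open_findings, manual_checks


def format_report(counts, open_findings, manual_checks):
    """Render a plain-text summary ordered from CAT I down."""
    lines = []
    for category in ("CAT I", "CAT II", "CAT III", "uncategorized"):
        cat_counts = {r: n for (c, r), n in counts.items() if c == category}
        if not cat_counts:
            continue
        detail = ", ".join(f"{r}={n}" for r, n in sorted(cat_counts.items()))
        lines.append(f"{category}: {detail}")
        for rule_id in open_findings.get(category, []):
            lines.append(f"  OPEN   {rule_id}")
    for rule_id in manual_checks:
        lines.append(f"  MANUAL {rule_id}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Pass the path of a real results.xml to summarize a scan; otherwise use the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_RESULTS
    print(format_report(*summarize(text)))
```

Run with no arguments to see the sample summary, or with the path of a results file from a real scan. The report lists CAT I items first so the findings with the greatest impact are reviewed first; `notchecked` rules are kept apart because a tool cannot close them and they need the manual validation described above.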
CIS Hardening
Center for Internet Security (CIS) Benchmarks are widely recognized standards and best practices for securing IT systems and data against attacks. LogRhythm uses CIS Benchmarks as an additional layer of security in appliance hardening.
Windows Server 2022 CIS
LogRhythm leverages the Windows Server 2022 Level 1 and 2 benchmark for automated assessment. Scans are conducted using Tenable with a local agent on the test host, the results are reviewed, and findings are mitigated where possible. Full audit reports are available upon request.
Rocky 9.x CIS
The CIS Rocky Linux 9 Benchmark version 1.0.0 is used for automated assessment. Scans are conducted using Tenable with a local agent on the test host, and Medium/High severity findings are reviewed. Where possible, LogRhythm applies these settings from the factory as part of appliance imaging. In some cases, recommendations cannot be applied due to the performance or functionality impact on the LogRhythm software. In other cases, findings cannot be remediated from the factory and are up to the customer to implement. Full audit reports are available upon request.
Ongoing Patching and Vulnerability Detection
To maintain a system hardened against security vulnerabilities, LogRhythm tests each new appliance version with the latest patches for Windows and SQL Server, along with the latest packages and kernel for Rocky 9.x. LogRhythm recommends that customers apply patches to existing appliances as operating system vendors make them available.
Frequently Asked Questions
“I need a copy of the detailed scan results for LogRhythm appliances to provide to my auditor.”
These can be requested through a support ticket and provided via our engineering department.
“I received a LogRhythm appliance and it is missing the latest Microsoft patches. I thought you patched the system in imaging, what happened?”
LogRhythm appliances are imaged when they arrive from our suppliers, and they can then sit in a warehouse for weeks before shipment to customers. Adding the time it takes for an appliance to arrive and be installed, it is highly likely that your appliance will be behind by a patch cycle or more. We recommend running a patch cycle on your appliances on receipt.
“I am hardening my own imaged system. Can LogRhythm provide scripts to harden to their standards?”
Hardening code/scripts for most findings can be provided; however, many findings must be remediated during the OS build process, so the scripts alone will not provide full coverage. These scripts are designed to be used in our imaging environment, so while we can provide them, there is an expectation that you have your own knowledge of these operating systems to implement them. OS support for customer-provided operating systems or images is the responsibility of the customer.
“I have a specific finding, and I need an explanation on why it can't be patched. Can LogRhythm assist?”
As part of the audit report process, we provide per-finding explanations of why we have or have not remediated each finding, which you can review. If you have a specific finding that is not covered, or you are hardening to a standard other than CIS/STIG, we can provide best-effort advice, but we do not test every possible individual hardening recommendation.