Configure LogRhythm DX
This section explains how to configure the LogRhythm DX (Data Indexer) to run in FIPS mode and communicate with the LogRhythm DPAWC machine using FIPS-approved algorithms.
Download and Install the LogRhythm FIPS Package
Download the LogRhythm FIPS package (lrdx_fips.tar), available on the LogRhythm Community.
The package consists of several applications that are required for running the LogRhythm in FIPS mode.
- Create the directory /usr/local/logrhythm/LogRhythmFIPS (with no space between LogRhythm and FIPS).
- Untar the contents of lrdx_fips.tar into that directory.
The package contains:
- LogRhythm stunnel application and configuration files: stunnel and lrdx_stunnel.conf.
- LogRhythm FIPS SIT application and .hsh file: lrsitapp and dxsvcs.hsh.
- OpenSSL 1.0.2u with FIPS Module 2.0.16: libcrypto.so.1.0.0 and libssl.so.1.0.0, used by stunnel and lrsitapp.
Make the lrsitapp and OpenSSL libraries executable:

```
sudo chmod a+x /usr/local/logrhythm/LogRhythmFIPS/lrsitapp
sudo chmod a+x /usr/local/logrhythm/LogRhythmFIPS/libcrypto.so.1.0.0
sudo chmod a+x /usr/local/logrhythm/LogRhythmFIPS/libssl.so.1.0.0
```
Configure the Stunnel Solution for DPAWC Communications
The LogRhythm services use stunnel to encrypt the DX/DPAWC communications using FIPS-approved algorithms.
- Edit the stunnel configuration file /usr/local/logrhythm/LogRhythmFIPS/lrdx_stunnel.conf:
  - Change all instances of LR_DPAWC_IPADDRESS to the IP address of the LR DPAWC machine.
  - Change all instances of LR_DX_IPADDRESS to the IP address of the LR DX machine.
- Create the stunnel client and server certificates using your organization's Certificate Authority or the Red Hat 7 system's OpenSSL application:
  - Copy the lr_stunnel.pem file to /usr/local/logrhythm/LogRhythmFIPS/lr_stunnel.pem.
- Configure iptables so that the SQL Server JDBC clients (bulldozer and carpenter) connect through stunnel. The NAT rule redirects the clients' outbound SQL Server connections (TCP port 1433) to stunnel on port 14330; replace LR_DX_IPADDRESS with the IP address of the LR DX machine:

```
sudo iptables -t nat -A OUTPUT -p tcp --dport 1433 -j DNAT --to-destination LR_DX_IPADDRESS:14330
```
Copy the provided OpenSSL shared libraries to the system library path so that stunnel and lrsitapp load them:

```
sudo cp /usr/local/logrhythm/LogRhythmFIPS/libcrypto.so.1.0.0 /lib64/libcrypto.so.1.0.0
sudo cp /usr/local/logrhythm/LogRhythmFIPS/libssl.so.1.0.0 /lib64/libssl.so.1.0.0
```
Start stunnel:

```
sudo /usr/local/logrhythm/LogRhythmFIPS/stunnel /usr/local/logrhythm/LogRhythmFIPS/lrdx_stunnel.conf
```

You must manually start stunnel each time the machine restarts.
Configure the LogRhythm API Gateway to Use the Stunnel Solution
Configuring the LogRhythm API Gateway involves setting the following system environment variables for the LogRhythm Service Registry to use:
| Variable | Description | Values |
|---|---|---|
| FIPS_GATEWAY_ENABLED | When set to "true", the LR API Gateway uses the FIPS_GATEWAY_IP and FIPS_GATEWAY_PORT settings instead of the default remote IP and the default port of 8501. This forces all remote traffic to a single IP address and port, on the assumption that there is only one other API Gateway instance. | true/false |
| FIPS_GATEWAY_IP | IP address to which all non-loopback (remote) requests for the LR API Gateway are forwarded. | A valid IPv4 address |
| FIPS_GATEWAY_PORT | Port to which all non-loopback (remote) requests for the LR API Gateway are forwarded. | A valid TCP port |
To set the environment variables:
Create a fips_config environment variable file containing the ENV variables using the following commands (replace 10.4.0.157 below with the DX IP address):

```
IP=10.4.0.157; printf "FIPS_GATEWAY_ENABLED=true\nFIPS_GATEWAY_IP=${IP}\nFIPS_GATEWAY_PORT=8503\n" > /tmp/fips_config
sudo mv /tmp/fips_config /usr/local/logrhythm/env/fips_config
```
Set permissions:

```
sudo chown persistent:persistent /usr/local/logrhythm/env/fips_config
```

Verify the file was created:

```
sudo cat /usr/local/logrhythm/env/fips_config
```
Update the LogRhythmAPIGateway system service config to use the new fips_config environment file:

```
sudo vi /usr/lib/systemd/system/LogRhythmAPIGateway.service
```

Add the following line to the bottom of the [Service] section (just below the "KillSignal=SIGINT" line):

```
EnvironmentFile=/usr/local/logrhythm/env/fips_config
```
Create the firewall rule for the incoming stunnel connection to the API Gateway. The first command adds the rule to the running firewall immediately; the second makes it permanent so that it is restored after a restart:

```
sudo firewall-cmd --add-port=8502/tcp --zone=internal
sudo firewall-cmd --add-port=8502/tcp --zone=internal --permanent
```
Apply and reload the LogRhythmAPIGateway service changes:

```
sudo systemctl daemon-reload
sudo systemctl restart LogRhythmAPIGateway
```
Restart all the LogRhythm DX services.
Each LogRhythm service will indicate it is operating in FIPS-approved mode in its respective application log.
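As an added example (not part of the LogRhythm documentation or tooling), the POSIX shell functions below build the fips_config content from the API Gateway steps above, rejecting a malformed DX IP address or port before anything is written, and check that a systemd unit file carries the EnvironmentFile line inside its [Service] section rather than elsewhere. The function names are my own; the sample unit content used for checking is constructed.

```shell
#!/bin/sh
# Added example: validate inputs for the fips_config environment file
# and verify the LogRhythmAPIGateway unit references it.

# Return 0 if $1 is a dotted-quad IPv4 address with octets 0-255.
valid_ipv4() {
  ip=$1
  case "$ip" in
    *[!0-9.]*|.*|*.|*..*) return 1 ;;   # non-digit, leading/trailing/double dot
  esac
  set -- $(echo "$ip" | tr '.' ' ')      # split into octets
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# Return 0 if $1 is a TCP port number in 1-65535.
valid_port() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print the three FIPS_GATEWAY_* lines for DX IP $1 and port $2,
# or print an error and return 1 if either value is malformed.
render_fips_config() {
  valid_ipv4 "$1" || { echo "invalid DX IP address: $1" >&2; return 1; }
  valid_port "$2" || { echo "invalid TCP port: $2" >&2; return 1; }
  printf 'FIPS_GATEWAY_ENABLED=true\nFIPS_GATEWAY_IP=%s\nFIPS_GATEWAY_PORT=%s\n' "$1" "$2"
}

# Return 0 if unit file $1 has "EnvironmentFile=$2" within its
# [Service] section; the same line under another section does not count.
unit_has_env_file() {
  unit=$1
  envfile=$2
  awk -v want="EnvironmentFile=$envfile" '
    /^\[/ { in_service = ($0 == "[Service]") }
    in_service && $0 == want { found = 1 }
    END { exit(found ? 0 : 1) }' "$unit"
}
```

Pipe `render_fips_config 10.4.0.157 8503` into the file move shown above, and run `unit_has_env_file /usr/lib/systemd/system/LogRhythmAPIGateway.service /usr/local/logrhythm/env/fips_config` after editing the unit to confirm the line landed in the right section.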