000037582 - How Data-At-Rest security works with RSA NetWitness Log and Packet Data in 11.x

Document created by RSA Customer Support Employee on Jul 9, 2019


Article Number: 000037582
Applies To: RSA Product Set: NetWitness Logs & Network
RSA Product/Service Type: Log Decoder, Packet Decoder
RSA Version/Condition: 11.x

Issue: Data-at-rest security refers to the integrity and confidentiality of recorded data: ensuring that stored data is not modified by an outside party and is not accessed except by authorized parties.
Cause: Security audits may require information about data-at-rest protection to be provided for auditing purposes.
Resolution: Data-at-rest refers to how data is recorded on the target system and how it is secured. To discuss data-at-rest, it must first be understood in what format the data is written. The operating system does not directly monitor these files: they are constantly read from and written to and are optimized for fast performance, so such monitoring would impose a performance hit.

Packet Decoder

A packet decoder records data in the following location:
/var/netwitness/decoder

There are a few subfolders that contain the session data recorded from complete sessions, raw packet data, captured metadata, and stats and index data. This data is recorded in a custom format for each data type, which makes it difficult to reverse engineer.

These files are always owned by root, with read and write permission granted only to the root user.

Remediation: Ensure the root user is protected and accessible only to authorized users. Use full disk encryption to protect the disk itself from theft.

Log Decoder

The log decoder records log events in a similar custom format, with the raw data being somewhat readable if the file is opened in a file editor such as vim. The log files are located in:

/var/netwitness/logdecoder

These files are always owned by root, with read and write permission granted only to the root user.

Remediation: Ensure the root user is protected and accessible only to authorized users. Use full disk encryption to protect the disk itself from theft.
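The ownership and permission state described above for both decoder directories can be verified on the host with a small audit script. This is an added example for auditors, not RSA code; it assumes GNU find (for the `-perm /MODE` syntax) and uses the two directory paths named in this article.

```shell
#!/bin/sh
# Audit the on-disk state of NetWitness decoder data files.
# Expected state (per the article): every file owned by root, with
# read/write permission for root only (no group/other bits set).
# Assumes GNU find for "-perm /077" (any group/other bit set).

# check_dar_perms DIR [OWNER]
# Prints an "ls -ld" line for each file that is not owned by OWNER
# (default root) or that grants any permission to group/other.
# Returns 0 when the directory is clean, 1 when violations exist,
# 2 when the directory does not exist.
check_dar_perms() {
    dir=$1
    owner=${2:-root}
    if [ ! -d "$dir" ]; then
        echo "missing directory: $dir" >&2
        return 2
    fi
    bad=$(find "$dir" -type f \( ! -user "$owner" -o -perm /077 \) \
        -exec ls -ld {} \;)
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad"
        return 1
    fi
    return 0
}

# count_dar_violations DIR [OWNER]
# Number of offending files, for use in an audit summary.
count_dar_violations() {
    find "$1" -type f \( ! -user "${2:-root}" -o -perm /077 \) | wc -l | tr -d ' '
}

# audit_netwitness_dirs: run the check over both decoder locations
# named in the article. Returns 1 if any directory has violations.
audit_netwitness_dirs() {
    rc=0
    for d in /var/netwitness/decoder /var/netwitness/logdecoder; do
        echo "== $d"
        check_dar_perms "$d" || rc=1
    done
    return $rc
}
```

Call `audit_netwitness_dirs` as root on the decoder appliance; any line it prints is a file whose owner or mode deviates from the expected root-only state and should be investigated.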
