Working with Preferences on

Viewing System Monitor on OS Console

Mon, 01 Jan 0001 00:00:00 +0000

You can choose to show a performance monitor before switching to OS Console. If you choose to show the monitor, then the dialog delays for one second before the initialization of the OS Console. The value must be set to Yes or No.

Setting Password Requirements for CLI System Tools

Mon, 01 Jan 0001 00:00:00 +0000

Many CLI tools and utilities require different credentials, such as root and admin user credentials. You can choose to require or not to require a password for CLI system tools. The value must be set to Yes or No.

Specifying No here will allow the user to execute these tools without having to enter the system passwords. This can be useful when the system administrator is the security manager as well. This setting is not recommended since it makes the Appliance less secure.

Viewing user notifications on CLI load

Mon, 01 Jan 0001 00:00:00 +0000

You can choose to display notifications in the CLI home screen every time a user logs in to the ESA. These notifications are specific to the user. The value must be set to Yes or No.

Minimizing the Timing Differences

Mon, 01 Jan 0001 00:00:00 +0000

Sign in to the appliance to access different features provided. If incorrect credentials are used to sign in, the request is denied and the server sends an appropriate response indicating the reason for failure to log in. The time taken to send the response varies based on the different authentication failures, such as invalid password, invalid username, expired username, and so on. This time interval is vulnerable to security attacks for obtaining valid users from the system. Thus, to mitigate such attacks, the time interval to reduce the response time between an incorrect sign-in and server response can be minimized. To enable this setting, toggle the value of the Minimize the timing differences option from the ESA CLI Manager to Yes.

Setting a Uniform Response Time

Mon, 01 Jan 0001 00:00:00 +0000

If invalid credentials are used to login to the ESA Web UI, then the time taken to respond to various authentication scenario failures, varies. The various scenarios can be invalid username, invalid password, expired username, and so on. This variable time interval may introduce a timing attack on the system.

To reduce the risk of a timing attack, reduce the variable time interval and specify a response time to handle invalid credentials. Thus, the response time for the authentication scenarios remains the same.

Limiting Incorrect root Login

Mon, 01 Jan 0001 00:00:00 +0000

If an incorrect password is used to log in to a system, the permission to access the system is denied. Multiple attempts to log in with an incorrect password opens a route to brute force attacks on the system. Brute force is an exhaustive hacking method, where a hacker guesses a user password over successive incorrect attempts. Using this method, a hacker gains access to a system for malicious purposes.

Enabling Mandatory Access Control

Mon, 01 Jan 0001 00:00:00 +0000

For implementing Mandatory Access Control, the AppArmor module is introduced on Protegrity appliances. Define the profiles for protecting files that are present in the appliance.

FIPS Mode

Mon, 01 Jan 0001 00:00:00 +0000

The Federal Information Processing Standards (FIPS) defines guidelines for data processing. These guidelines outline the usage of the encryption algorithms and other data security measures before accessing the data. Only a user with administrative privileges can access this functionality.

For more information about the FIPS, refer to https://www.nist.gov/standardsgov/compliance-faqs-federal-information-processing-standards-fips.

Enabling the FIPS Mode

To enable the FIPS mode:

Log in to the ESA CLI Manager and navigate to Preferences.
Enter the root password and click OK.

Basic Authentication for REST APIs

Mon, 01 Jan 0001 00:00:00 +0000

The Basic Authentication mechanism provides only the user credentials to access protected resources on the server. The user credentials are provided in an authorization header to the server. If the credentials are accurate, then the server provides the required response to access the APIs.

For more information about the Basic Authentication, refer here.

Disabling the Basic Authentication

To disable the Basic Authentication: