Nagios XI Hardening Guide
-
chipngc_nagios
- Posts: 14
- Joined: Fri Mar 20, 2015 2:46 pm
Nagios XI Hardening Guide
Is there a Nagios XI hardening guide to support something like STIG (Security Technical Implementation Guide) compliance? My customer requires everything on the box to be secure, from web interfaces, databases, etc., and I need to make sure this application is as buttoned up as possible. Thanks.
Re: Nagios XI Hardening Guide
That's a tough one. STIG is pretty strict and comprehensive, and while there are guides for individual portions (database, webserver, OS) it gets tricky when you deal with individual applications.
I can give you what documentation we have available, and we can help with other individual questions relating to security, but we don't have a STIG guide (SRG) specifically for Nagios.
http://assets.nagios.com/downloads/nagi ... s%20XI.pdf - SSL in XI
http://assets.nagios.com/downloads/nagi ... _Notes.pdf - Notes on VM defaults
Former Nagios employee
-
chipngc_nagios
- Posts: 14
- Joined: Fri Mar 20, 2015 2:46 pm
Re: Nagios XI Hardening Guide
Is there a way to export the Nagios XI audit logs or set them to be sent to a syslog server? If they can't be set to send to syslog, where are they located (flat file, database, etc.)?
Re: Nagios XI Hardening Guide
The audit log is saved to a postgres table:
Code:
echo "select * from xi_auditlog;" | psql nagiosxi nagiosxi
Former Nagios employee
"It is turtles. All. The. Way. Down. . . .and maybe an elephant or two."
VI VI VI - The editor of the Beast!
Come to the Dark Side.
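One way to get the `xi_auditlog` rows into syslog, as an added example that is not from this thread or from Nagios: it reuses the `psql` query above and hands each new row to `logger`. The state file path, the syslog tag and priority, and de-duplication by row hash are assumptions, since the thread does not show the table's columns.

```shell
#!/bin/sh
# Added example: forward Nagios XI audit-log rows to the local syslog daemon,
# which can then relay them to a central syslog server.
# Assumptions (not from the thread): state file path, syslog tag/priority,
# and tracking sent rows by whole-row hash because the columns are unknown.

STATE_FILE="${STATE_FILE:-/var/tmp/xi_auditlog.sent}"   # hypothetical path

# Default sender: one syslog message per audit row via logger(1).
send_row() {
    logger -t nagiosxi-audit -p auth.info -- "$1"
}

# Read rows on stdin, send every row not forwarded before, and record its
# hash in the state file. Prints the number of rows forwarded.
forward_new_rows() {
    state="$1"
    sent=0
    touch "$state"
    while IFS= read -r row; do
        [ -n "$row" ] || continue
        hash=$(printf '%s' "$row" | sha256sum | cut -d' ' -f1)
        if ! grep -qxF "$hash" "$state"; then
            # Record the hash only if the send succeeded, so a failed
            # send is retried on the next run.
            send_row "$row" && printf '%s\n' "$hash" >> "$state" \
                && sent=$((sent + 1))
        fi
    done
    echo "$sent"
}

# Run from cron as: sh xi_audit_to_syslog.sh run
if [ "${1:-}" = "run" ]; then
    # -A unaligned, -t rows only: one audit row per line, '|' separated.
    psql -At -c "select * from xi_auditlog;" nagiosxi nagiosxi \
        | forward_new_rows "$STATE_FILE"
fi
```

Rows whose text fields contain embedded newlines would be split into several messages, and the state file should be writable only by the account that runs the job.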
-
chipngc_nagios
- Posts: 14
- Joined: Fri Mar 20, 2015 2:46 pm
Re: Nagios XI Hardening Guide
If we go to NagiosXI 5 is there updated guidance on how to harden? Or become STIG compliant between the OS and application? We noticed there were a few embedded passwords in the install scripts for XI version 4 which we needed to modify during install time to make our security folks happy.
Re: Nagios XI Hardening Guide
The links in the above post are still valid for the most part, except that we don't install phpMyAdmin anymore (I actually was not aware that we ever did). As I mentioned back in May, STIG is a fairly in-depth compliance and we don't have any documentation for it specifically. For that we would need to hire a STIG expert/auditor and likely revamp/rework/break a lot of our code base.
Former Nagios employee