Chat now with support
Chat with Support

Foglight 6.3.0 - Security and Compliance Guide

Security overview
Foglight security measures Customer security measures Security features in Foglight FIPS-compliant mode Disclaimer
Usage feedback Appendix: FISMA compliance

NIST 800-53 categories

This section presents the 17 categories listed in the NIST Special Publication 800-53 and describes how Foglight addresses those that apply.

The secure employment of Foglight® forms only one part of an information security program. A statement in this appendix that a particular security category is “applicable” to Foglight means only that Foglight contains security features that are or may be relevant to some or all aspects of the security category in question. It does not necessarily mean that Foglight fully meets all of the requirements described in that security category, or that the use of Foglight by itself guarantees compliance with any particular information security standards or control programs. The selection, specification, and implementation of security controls in accordance with a customer-specific security program is ultimately dependent upon the manner in which the customer deploys, operates, and maintains all of its network and physical infrastructure, including Foglight.

 
* 
NOTE: Under the NIST Special Publication 800-53, the 17 categories listed in this table define general security control “families” (for example, AC), and each family in turn contains several subcategories (for example, AC-1, AC-2, AC-3, etc.) that further detail related aspects of information security and assurance. For additional information, see Appendix F of NIST Special Publication 800-53.
 
Table 1. NIST 800-53 Categories
Category
Applicable
Description
Additional Details

Access Control (AC)

Yes

Foglight 5 has an internal security service through which all requests must pass regardless of whether they originate from the user interface, the command-line or external APIs. The security service is user and role based and can be linked to LDAP or Active Directory®, enabling the storage and management of the user accounts, roles, and passwords, through those directories.
Foglight users and groups
Role-based access control

Awareness and Training (AT)

No

This category does not apply to Foglight, since it is the responsibility of the Foglight customers to develop and review their own security awareness and training policy.

N/A

Audit and Accountability (AU)

Yes

Foglight can display security and change audit logs for select time periods, including information about login history as well as any administrative and configuration changes made. Audit log entries contain identifying information such as a timestamp, user name, service name, and operation name.

A separate log file records troubleshooting data, debut information, lifecycle information, and agent information. No user names or passwords are included in the log file.
Audit log
Log files

Certification, Accreditation and Assessments (CA)

No

This category does not apply to Foglight, since it is the responsibility of the Foglight customers to develop and review their own security assessment, accreditation, and certification policy.

N/A

Configuration Management (CM)

Yes

The audit and log files contain information about any configuration changes made to Foglight. Role-based access control is enforced to limit users' ability to make changes. Foglight's configuration parameters are stored in local files and are read and cached internally upon startup.

The Foglight communication ports are restricted and configurable by administrators only.
Network ports
Network ports
Configuration parameters
Audit log

Contingency Planning (CP)

No

This category does not apply to Foglight, since it is the responsibility of the Foglight customers to design and implement their own contingency plans. As defined by NIST (publication 800-34), disruptive events to IT systems include power-outages, fire and equipment damage, and can be caused by natural disasters or terrorist actions.

N/A

Identification and Authentication (IA)

Yes

Foglight enforces identification, authentication, and password policies, providing well-defined rules for controlling how user names and passwords are created, as well as ensuring that only authorized users are able to log into the system.

The customer can also choose to authenticate users against an LDAP or AD supported directory, or against a SAML 2.0 identity provider.
Foglight users and groups
Role-based access control
Password policies

Incident Response (IR)

No

This category does not apply to Foglight, since it is the responsibility of the Foglight customers to develop and review their own incident response policy and procedures.

N/A

Maintenance (MA)

Yes

Quest Software Inc. monitors the embedded PostgreSQL® database included in Foglight developments for security developments and flaws and provides product updates and patches to customers when necessary.
Monitoring patches for the embedded database

Media Protection (MP)

No

This category does not apply to Foglight, since it is the responsibility of the Foglight customers to develop and review their own media protection policies.

N/A

Physical and Environmental Protection (PE)

No

This category does not apply to Foglight, since it is the responsibility of the Foglight customers to develop and review their own physical and environmental policies.

N/A

Planning (PL)

No

This category does not apply to Foglight, since it is the responsibility of the Foglight customers to develop and review their own security planning policies.

N/A

Personnel Security (PS)

No

This category does not apply to Foglight, since it is the responsibility of the Foglight customers to enforce their own personnel security policies, including personnel screening and employment termination.

N/A

Risk Assessment (RA)

No

This category does not apply to Foglight, since it is the responsibility of the Foglight customers to develop and review their own risk assessment policies.

N/A

System and Services Acquisition (SA)

Yes

Quest Software Inc. has performed an internal security and compliance assessment of Foglight, including a risk analysis. A security checklist was completed with the help of the development team. This document is the result of the assessment.

N/A

System and Communications Protection (SC)

Yes

The Management Server's Web application server supports the use of TLS to protect user communication. A self-signed TLS certificate is used by default, and the customers have the ability to upload their own TLS certificate. Agent Manager communication between agents and the Management Server can also be protected with TLS. Secure connections between the Management Server and an external database can be enabled when supported by the database.The network ports over which Foglight components and protocols communicate are configurable.

Protection of data collection infrastructure
Protection of communicated data
Network ports

System and Information Integrity (SI)

Yes

The Management Server and Cartridges/Agents use the JavaTM Cryptographic Extension library for cryptographic operations. The AES-256-bit algorithm in Galois/Counter mode. User passwords are hashed with the SHA-256-bit algorithm and stored in the Foglight database. Agent properties marked as sensitive are masked during display and encrypted during storage.
Protection of stored data
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating