How-to Guide: Wiping Data from Appliances Post-PoC

  • Writer: Pavan Raja
  • Apr 8, 2025
  • 5 min read

Summary:

This document is a guide to securely erasing data from ArcSight appliances after a Proof of Concept (PoC). It describes the Linux shred utility as the way to wipe partitions to requirements such as 7 passes or DoD standards, since certain hardware configurations rule out other tools. On an ArcSight Logger appliance the steps are: stop the ArcSight services, find and shred every file under /opt/data (or a specified partition), and optionally remove the directory afterwards. The authors cover both manual execution and a shell script tailored to all-in-one (AIO) appliances, and note that the operation can take a long time depending on how much data is wiped. The example script stops the ArcSight services, shreds all files under /opt/data with seven overwrite passes and a final zero pass, removes the directory tree, and logs the start and end of the run to /var/log/messages; it ends with exit 0. The document then recommends restoring the appliance to a factory image as a further safeguard and points to further reading. The remainder of the page summarises a discussion thread on wiping procedures for specific Hewlett-Packard (HP) appliances.

Details:

The blog post "HOWTO: Wipe Data From Appliances After a PoC" addresses a common problem: securely erasing data from equipment once a Proof of Concept (PoC) is complete. Some customers are satisfied with a factory restore; others require a more robust method. The authors propose the Linux shred utility, noting that tools such as Symantec Ghost Disk cannot be used because of the appliances' hardware configuration, and they describe how to wipe partitions with shred to meet requirements such as 7 passes or DoD standards.

The method wipes every file in a directory by combining the find command with shred: all files under the target directory are listed and shredded, and the directory itself is then removed if required. The procedure was adapted for an All-In-One (AIO) appliance to satisfy a federal team's requirement for DoD-approved tools. The steps are: stop the ArcSight services, find and shred every file under /opt/data/ (or a specified partition) with 7 passes, and optionally remove the directory afterwards. Both manual execution and a shell script for the AIO appliance are covered. The operation is slow: roughly 13 hours for 1.3 TB, about 1 hour per 100 GB. The example script automates the process and stops the ArcSight services before the wipe begins.

The script shreds every file under `/opt/data` with seven overwrite passes and a final zero pass, then deletes the directory tree, logging the start and end of the operation to `/var/log/messages`. It also contains commands for wiping the underlying partition (sda6), with a note that customers must substitute the device names that apply to their own system. After the wipe, the authors suggest restoring the appliance to a factory image as an additional safeguard and point to further reading on the topic. The script ends with exit 0.

The rest of the page is a discussion thread on data wiping procedures for specific Hewlett-Packard (HP) appliances. Key points from the participants:

1. **NEI secure wiping**: Steven Maxwell, citing information from Support, said that NEI now securely wipes every appliance returned after a PoC. The wipe runs from the disc, may not run at full speed, and starts with the Logger first. Reference document: https://irock.arcsight.com/docs/DOC-4398.
2. **DBAN compatibility**: Frank Lange asked whether DBAN (Darik's Boot and Nuke) works with the HP DL380G7 SmartArray RAID controller, or whether the appliance needs additional configuration for it to be effective. Gary replied that there is no specific information confirming compatibility and suggested contacting HP Support directly.
3. **Data wiping procedures**: Paul Carman asked for updates to the procedure, in particular about getting root or command-line access on Logger boxes to run the wipe commands and scripts. Steven Maxwell clarified that Dell and HP provide no wipe tools for their appliances, but a customer who has such tools may use them instead; users without root access must request it from Support. Paul also asked whether the older steps (last updated several years earlier) still apply to newer Logger and Express appliances, since drive devices may now appear differently.
4. **General wiping commands**: Paul Carman asked about wiping without naming the exact device or appliance, citing the command "/usr/bin/shred -v -n7 -u -z `df /opt/data/|awk '{print $1}'`" for Dell or HP appliances, which targets the /opt/data partition without requiring the drive device to be known in advance.
5. **"AIO - All in One" devices**: Paul Carman asked whether "AIO - All in One" refers to the Express models; no direct clarification was given.

Overall, the thread provides guidance on securely wiping data from HP appliances returned by customers or prospects, covering the available methods and tools and the permissions needed to run them.

A later part of the discussion concerns wiping a PoC Logger specifically:

1. **Access restrictions**: Support will not generate a login code for customers, so onsite assistance is required. The customer must either obtain root access to the Logger or arrange an alternate boot/USB method.
2. **Technical limitations**: the latest hardware in the trial pool may cause problems, and no AIO (all-in-one) appliances are available for testing. AIO was used when Logger and Express were installed on a single physical appliance.
3. **Historical context**: the term "AIO" refers to an older model that combined Logger and Express on one device, unlike the current setup of separate products (Logger and web processes).

In short, wiping a PoC Logger requires root access or an alternate boot/USB method, neither of which is straightforward given the access restrictions and possible hardware compatibility issues.

The page ends with a list of posts on related ArcSight appliance topics: Logger UI messages, JDBC drivers for databases, setting up event archives, wiping data after a PoC, tips for trial processes, and information on specific software versions, all focused on troubleshooting, updates and best practices for ArcSight appliances.
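The wipe procedure described above (stop services, find + shred under /opt/data, log start and end, remove the tree) as an added example, not the original ArcSight script: the service-stop command, the log path and the pass count are placeholders to adapt. It also resolves the device backing the data directory with df -P so that the "Filesystem" header line is never handed to shred, a pitfall of the bare df | awk '{print $1}' form quoted in the thread.

```shell
#!/bin/sh
# Added example (not the original ArcSight script): wipe every file under a
# data directory with find + shred, log start and end, then remove the tree.
# Assumptions: shred is installed; WIPE_LOG and the service-stop command are
# placeholders (the original logs to /var/log/messages).
set -u

WIPE_LOG="${WIPE_LOG:-/var/log/messages}"

log_msg() {
    # Append a timestamped line to the wipe log; fall back to stderr if the
    # log file is not writable (e.g. when not running as root).
    printf '%s wipe: %s\n' "$(date '+%b %d %H:%M:%S')" "$1" >> "$WIPE_LOG" 2>/dev/null \
        || printf 'wipe: %s\n' "$1" >&2
}

data_device() {
    # Resolve the block device backing a path. -P forces one line per
    # filesystem and NR==2 skips the "Filesystem" header line.
    df -P "$1" | awk 'NR==2 {print $1}'
}

wipe_dir() {
    # wipe_dir DIR [PASSES]: shred every regular file under DIR with PASSES
    # random passes (-n), a final zero pass (-z) and unlink (-u), then delete
    # the directory tree. Returns non-zero if DIR still exists afterwards.
    dir=$1
    passes=${2:-7}
    [ -d "$dir" ] || { echo "wipe_dir: $dir is not a directory" >&2; return 1; }
    command -v shred >/dev/null 2>&1 || { echo "wipe_dir: shred not found" >&2; return 2; }
    log_msg "start: $dir ($passes passes, device $(data_device "$dir"))"
    # -exec ... {} + batches files into few shred invocations and copes with
    # spaces in names and with an empty directory.
    find "$dir" -type f -exec shred -n "$passes" -z -u {} +
    rm -rf "$dir"
    log_msg "end: $dir removed"
    [ ! -e "$dir" ]
}

# Stand-alone use on an appliance (adjust the service command and path):
#   /etc/init.d/arcsight_services stop   # placeholder for the real stop command
#   WIPE_LOG=/var/log/messages wipe_dir /opt/data 7
```

File-level overwriting is not guaranteed to reach the physical blocks on journaling filesystems, RAID controllers with write-back caches, or SSDs with wear levelling, which is why the thread also discusses wiping the partition itself and restoring a factory image afterwards.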

Disclaimer:
The content in this post is for informational and educational purposes only. It may reference technologies, configurations, or products that are outdated or no longer supported. If you have any comments or feedback, kindly leave a message and it will be responded to.
