Configure LCE for NIAP Compliance

If your organization requires your instance of LCE to meet National Information Assurance Partnership (NIAP) standards, you can configure the relevant LCE settings for NIAP compliance.

You must run LCE 6.0.6 to configure LCE for NIAP compliance.

For more information about LCE storage and communications encryption, see Encryption Strength. For more information about data gathered by the LCE Client, see LCE Clients.

Before you begin:

  • Confirm you have enabled the full disk encryption capabilities provided by the operating system on the host where LCE is installed.

  • Contact Tenable Support for access to the following required script file:
    • LCE-NIAPcompliance-Oct29-fixerPkg.tgz

To configure LCE for NIAP compliance:

  1. As the root user, run the following command to create a new directory for the script file:

    mkdir /path/to/fixer29/
  2. Run the following command to copy the downloaded script file into the directory you created:

    cp /path/to/download/LCE-NIAPcompliance-Oct29-fixerPkg.tgz /path/to/fixer29

  3. Run the following command to navigate to the fixer29 directory:

    cd /path/to/fixer29
  4. Run the following command to extract the script:

    tar zxf LCE-NIAPcompliance-Oct29-fixerPkg.tgz
  5. Run the following command to start LCE-NIAPcompliance-Oct29-fixer:

    ./LCE-NIAPcompliance-Oct29-fixer
  6. Run the following commands to enable NIAP-compliant settings:

    . /opt/lce/tools/exigent-sessions.bashrc

    enable_NIAP_Mode

    LCE restarts.

    LCE secures communications with TLS 1.2 and the following cipher suites: ECDHE-RSA-AES128-SHA256, ECDHE-RSA-AES128-GCM-SHA256, ECDHE-RSA-AES256-SHA384, or ECDHE-RSA-AES256-GCM-SHA384.

    Note: Enabling NIAP mode encrypts communications for the following:

    • Receiving the encrypted TCP syslog. For more information, see Receiving Encrypted Syslog.
    • Sending vulnerability reports to Tenable.sc.
    • Downloading plugin updates.
    • Web UI server and desktop browser.
  7. (Optional) Run the following command to view your NIAP settings and enabled cipher suites:

    undoc-config --get wwwd NIAP_COMPLIANT

  8. If you connect LCE to Tenable.sc, you must use certificates to authenticate the connection. For more information, see Manual Key Exchange with Tenable.sc.
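
One way to confirm the TLS settings from step 6 after LCE restarts, as an added example that is not Tenable's code: the function reads `openssl s_client` output and checks the negotiated protocol and cipher suite against the list in step 6. The function names, the sample session text, and the host name in the final comment are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not Tenable code): compare the session reported by
# `openssl s_client` with the NIAP-mode TLS settings listed in step 6.

NIAP_PROTOCOL="TLSv1.2"
NIAP_CIPHERS="ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES256-GCM-SHA384"

# Pull the first "<Name> : value" field out of s_client text held in $1.
session_field() {
    printf '%s\n' "$1" | tr -d '\r' |
        sed -n "s/^[[:space:]]*$2[[:space:]]*:[[:space:]]*//p" |
        sed 's/[[:space:]]*$//' | head -n 1
}

# Reads s_client output on stdin. Returns 0 if the session is TLS 1.2 with
# a listed suite, 1 if it is not, 2 if no session details were found.
check_niap_tls() {
    out=$(cat)
    proto=$(session_field "$out" Protocol)
    cipher=$(session_field "$out" Cipher)
    if [ -z "$proto" ] || [ -z "$cipher" ]; then
        echo "ERROR: no TLS session details in input"; return 2
    fi
    if [ "$proto" != "$NIAP_PROTOCOL" ]; then
        echo "FAIL: protocol $proto (expected $NIAP_PROTOCOL)"; return 1
    fi
    for allowed in $NIAP_CIPHERS; do
        if [ "$cipher" = "$allowed" ]; then
            echo "PASS: $proto $cipher"; return 0
        fi
    done
    echo "FAIL: cipher $cipher is not in the NIAP-mode list"; return 1
}

# Constructed sample of the SSL-Session block that s_client prints.
sample_session() {
    printf '%s\n' 'SSL-Session:' \
        "    Protocol  : ${1:-TLSv1.2}" \
        "    Cipher    : ${2:-ECDHE-RSA-AES256-GCM-SHA384}"
}

sample_session | check_niap_tls

# Against a live listener (host and port are placeholders):
#   openssl s_client -connect lce.example.com:PORT </dev/null 2>/dev/null | check_niap_tls
```

A PASS covers only the session negotiated with this client's offer, so run the check separately against each NIAP-mode channel you rely on.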