Best Practices
This page collects the security and usage recommendations for getting the most out of CoreSight while keeping your data protected.
1. Account Security
Enable Two-Factor Authentication (2FA)
It is highly recommended to enable 2FA for all accounts with administration privileges.
- Go to My Account > Security.
- Scan the QR Code with an app like Google Authenticator or FreeOTP.
- Administrators can force the use of 2FA for all users from Administration > Security Settings.
Password Policy
- Ensure the password complexity option is enabled in the administration settings.
- Never share generic accounts (e.g., admin@coresight.io). Create a named account for each user.
2. Deployment and Network
Isolate the CoreSight Server
As CoreSight contains sensitive data about your infrastructure, the server must be isolated:
- Place the server in a restricted Management Zone (dedicated VLAN).
- Restrict access to port 443 (HTTPS) to the IP addresses of administrators and ingestion tools only.
SSL/TLS Certificates
- Always use the HTTPS protocol.
- If the server is accessible on the Internet or has a domain name (e.g., coresight.my-company.com), generate a certificate via Let's Encrypt during installation (--domain).
- For an air-gapped internal network, install the root certificate of your enterprise PKI, or deploy the CoreSight self-signed certificate on client workstations to avoid security warnings.
3. Data Management and Backups
Regular Backups
CoreSight's SQLite database contains all your cartographies.
- Configure automatic backups of /opt/coresight/server/data/coresight.db.
- The deployment tool creates local backups before each update, but you should regularly export these files (/opt/coresight/backups/) to secure remote storage.
Encryption Key Preservation
The database is encrypted with the DB_ENCRYPTION_KEY located in /opt/coresight/server/.env.
- Save this key in a safe place (e.g., in a password vault).
- Without this key, no database backup can be read.
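A backup routine that follows the two recommendations above (a consistent snapshot of coresight.db, plus a check that DB_ENCRYPTION_KEY is still present in .env), added here as an example rather than taken from CoreSight's deployment tool; the paths are the ones documented on this page, and the function names and the checksum sidecar are assumptions.

```python
"""Consistent backup of the CoreSight SQLite database.
Added example, not CoreSight's own tooling; assumes only the documented
file paths and the Python standard library."""
import hashlib
import sqlite3
from datetime import datetime, timezone
from pathlib import Path

# Paths from the CoreSight documentation; parameters allow other locations.
DB_PATH = Path("/opt/coresight/server/data/coresight.db")
BACKUP_DIR = Path("/opt/coresight/backups")
ENV_PATH = Path("/opt/coresight/server/.env")


def backup_database(db_path: Path = DB_PATH, backup_dir: Path = BACKUP_DIR):
    """Snapshot the live database with SQLite's online backup API.
    A plain cp of coresight.db while the server writes can yield a torn
    file and misses pages still in the write-ahead log; Connection.backup()
    copies a transactionally consistent image. Returns (path, sha256)."""
    backup_dir.mkdir(parents=True, exist_ok=True)
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    dest = backup_dir / f"coresight-{stamp}.db"
    src, dst = sqlite3.connect(db_path), sqlite3.connect(dest)
    try:
        src.backup(dst)
    finally:
        dst.close()
        src.close()
    # Refuse to report success if the copy is not a sound database.
    check = sqlite3.connect(dest)
    try:
        status = check.execute("PRAGMA integrity_check").fetchone()[0]
    finally:
        check.close()
    if status != "ok":
        raise RuntimeError(f"{dest} failed integrity_check: {status}")
    digest = hashlib.sha256(dest.read_bytes()).hexdigest()
    # Sidecar checksum lets the remote copy be verified after transfer.
    (backup_dir / f"{dest.name}.sha256").write_text(f"{digest}  {dest.name}\n")
    return dest, digest


def encryption_key_is_set(env_path: Path = ENV_PATH) -> bool:
    """True when .env holds a non-empty DB_ENCRYPTION_KEY. Backups are
    unreadable without it, so the job should alert if it is missing."""
    for line in env_path.read_text().splitlines():
        name, _, value = line.partition("=")
        if name.strip() == "DB_ENCRYPTION_KEY":
            return bool(value.strip().strip("\"'"))
    return False
```

Run backup_database() from the same scheduled job that copies /opt/coresight/backups/ off the server, and treat a False from encryption_key_is_set() as a failed run.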
4. Cartography Organization
Naming Conventions
Use clear naming conventions for your diagrams to facilitate search and collaboration:
[ZONE] - [APPLICATION/SERVICE] - [ENVIRONMENT]
Example: DMZ - Frontend Web Servers - PROD
Using Security Zones
Rather than linking all elements one by one, group similar assets into Security Zones (e.g., User VLAN, OT Server VLAN). This lightens the cartography and makes it more readable.
5. Ingestion and Maintenance
Automate Ingestion via REST API
For CoreSight to reflect the reality of your information system:
- Create dedicated API keys for ingestion (with the "System / Ingest" role).
- Automatically push data from your inventory tools (GLPI, Active Directory, vulnerability scanners) via the REST API.
- Schedule regular imports.
Vulnerability Lifecycle (CVE)
- Regularly update your CVE database if you import it manually, or ensure the connection to the NVD is working.
- Configure scheduled reports to receive the list of newly vulnerable assets every week.
