Server connector

BMC Helix Cloud Security supports running CIS Compliance checks on servers in multi-cloud environments. You can download and configure a Server connector, and validate policies using Cloud Security in two modes:

  • From the cloud, Cloud Security scans EC2 instances from your AWS account.
  • On-premise, Cloud Security scans a list of targets you specify in a comma-separated file. 

The Server Connector can be run using a batch file similar to other Cloud Security on-premise connectors. It can also be installed as a service which enables the connector to run continuously and collect data through Windows Services.

To onboard the Server connector, complete the prerequisites and then follow the onboarding steps described in the sections below.

To access the latest information about this topic and all Cloud Security releases, check out the Release notes and notices.

Understanding the Server connector

The Server connector communicates with the workloads, collects the information from the RSCD agents using the JNI-RSCD Plugin, and sends it to Cloud Security to evaluate against the selected standards.

The following policies are available for the Server connector:

  • CIS - Windows Server 2012 R2 DC (Domain Controller). This policy is based on the recommended settings defined by the Microsoft Windows Server 2012 R2 Security Configuration Benchmark Version 2.2.0, published April 28, 2016. For more information, see CIS Benchmarks.
  • CIS - Windows Server 2012 R2 MS (Member Server). This policy is based on the recommended settings defined by the Microsoft Windows Server 2012 R2 Security Configuration Benchmark Version 2.2.0, published April 28, 2016. For more information, see CIS Benchmarks.
  • CIS - Red Hat Enterprise Linux 6. This policy is based on the recommended settings defined by the Red Hat Enterprise Linux 6 Security Configuration Benchmark Version 2.0.2, published June 2, 2016. For more information, see CIS Benchmarks.

In the diagram, the JNI-RSCD Plugin collects server/target information (such as registry, GPO, and Auditpol settings) using native JNI commands from the RSCD agent installed on the EC2 servers and on-premise target machines. The following section details the prerequisites for each of these machines.

Note

This version of BMC Helix Cloud Security supports compliance with Server connectors for AWS EC2 instances or on-premise servers on Windows platforms only. Remediation is not yet supported.

Completing prerequisites

Ensure that the connector and target environments meet the following prerequisites before onboarding the Server connector.

Requirements for the computer on which the connector is downloaded (part of the Management VPC/Network)

The connector machine must have internet connectivity so that the connector can communicate with Cloud Security.

Ensure that the computer on which the connector is downloaded has Java OpenJDK 11.0.2 installed on it.

Requirements for the target machine (part of the data network)

The target machine on which you will run the EC2 compliance must have RSCD agent version 8.9 SP1 installed and configured. The agent communicates on port 4750.

Note

You must have RSCD administrator privileges to collect all data.

Additionally, a Windows target machine requires .NET Framework version 4.0.30319 or later.

For information about installing the agent, see the BMC documentation for Manually installing the stand-alone RSCD Agent and the AWS documentation for Using Network Security.
For information about configuring the agent, see Configuring the exports file.

Properties for CIS RHEL6

You must set the following properties in the asset.json file for the Server connector before running the connector:

Mandatory properties (these have no default value):

  • EXCLUDE_HOME_DIR_USER_LIST: List of users to be excluded from compliance where a shared home directory is present.
  • MEDIA_PARTITION_LIST: Removable media partition list.
  • SSH_ALLOW_GROUPS: Space-separated list of group names, used for the SSH Allow check.
  • SSH_ALLOW_USERS: Space-separated list of user names, used for the SSH Allow check.
  • SSH_DENY_GROUPS: Space-separated list of group names, used for the SSH Deny check.
  • SSH_DENY_USERS: Space-separated list of user names, used for the SSH Deny check.

The remaining properties are optional. You can override their default values according to your organization's requirements. The following is the complete list of the optional properties.

Optional properties (property name: description; default value):

  • AUDIT_RULES_FILE: Property used for storing the audit rules file. Default: /etc/audit/audit.rules
  • BSA_CONTENT_IPV_PROTOCOL: Property indicating the IP protocol [IPV4/IPV6]. Default: IPV4
  • CACHE_HRS: Number of hours for which the cache is valid. Default: 24
  • EO_TIMEOUT: Timeout in seconds for Extended Object execution. Default: 0
  • EXCLUDED_DIR: Directory to exclude from FindFiles caching. The value can be a single directory or multiple directories separated by commas. Default: -1
  • EXCLUDED_USER_LIST: Comma-separated list of the users to be excluded from the compliance check. Default: root,sync,shutdown,halt
  • FIND_FILES_TIMEOUT: Timeout value in seconds for the find files extended object. Default: 0
  • LOGHOSTS_SEND: Remote host name where all logs are collected. No default value.
  • LOGROTATE_FILES: List of logs used for rotation. Default: /var/log/messages /var/log/secure /var/log/maillog /var/log/spooler /var/log/boot.log /var/log/cron
  • MAC_ALGOS: List of all supported and accepted MAC algorithms. Default: hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
  • MAX_DISK_PERCENTAGE: Maximum disk percentage in use before cache generation. Default: 95
  • MAX_DISPLAY: Maximum lines to be displayed in Extended Objects. Default: 5000
  • MAX_DISPLAY_FINDING: Maximum display count for findings in tag files. Default: 5000
  • MAX_INFO_LINES: Maximum info lines to be displayed. Default: all
  • SHELL_CONFIGURATION_FILES: Comma-separated list of configuration files for the user UMASK check. Default: /etc/bashrc,/etc/profile
  • UNIX_EXCLUDE_HOME_DIR_USER_LIST: Unix system user accounts whose home directory should not be scanned. Default: daemon,sys,lp,dladm,netadm,netcfg,smmsp,zfssnap,xvm,mysql,openldap,webservd,postgres,svctag,unknown,nobody,noaccess,nobody4,ftp,dhcpserv,aiuser,pkg5srv,uucp,nuucp,upnp
  • VAR_FINDFILES_TAG_LIST: Temporary property used for rule evaluation. Syntax: find files tags with excluded directories, for example Tag1:Dir1;Tag2:Dir,Dir2. Default: fUnAuthWwfile;fSgid;fSuid;fUnownedUserdir;fUnownedGroupfile;fUnownedGroupdir;fUnownedUserfile;fWwdir;fSyslogperm;fRhosts
  • BANNER_MESSAGE: Banner message on the login screen. Default: Authorized uses only. All activity may be monitored and reported
  • GDM_BANNER_MESSAGE_CONF_FILE: Banner message configuration file. Default: /etc/dconf/db/gdm.d/01-banner-message
  • EXCLUDE_DAEMONS_LIST: Pipe-separated list of daemons to be excluded in the rule check. Default: tr|ps|egrep|bash|awk|rscd
  • WHEEL_GROUP_USERS: Users in the wheel group for pam_wheel.so. Default: root
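A mistake in these properties (an empty mandatory list, a comma where the connector expects spaces, a weak MAC algorithm added to MAC_ALGOS) silently produces a compliance result that does not mean what you think it means, so it pays to check the file before the first run. The following script is an added example, not part of the product or this page; it assumes that asset.json is a flat JSON object mapping each property name to a string value (the page does not describe the file's layout, so adjust load_properties() if your file nests them). The defaults it relies on are taken from the tables above.

```python
"""Added example: sanity-check the CIS RHEL6 properties in a Server connector asset.json.

Assumption (not stated on the page): asset.json is a flat JSON object that maps each
property name to its string value.
"""
import json

# Properties the page marks as mandatory; they have no default and must not be empty.
MANDATORY = (
    "EXCLUDE_HOME_DIR_USER_LIST", "MEDIA_PARTITION_LIST",
    "SSH_ALLOW_GROUPS", "SSH_ALLOW_USERS", "SSH_DENY_GROUPS", "SSH_DENY_USERS",
)

# Defaults from the optional-properties table that this check relies on.
DEFAULTS = {
    "BSA_CONTENT_IPV_PROTOCOL": "IPV4",
    "CACHE_HRS": "24",
    "EO_TIMEOUT": "0",
    "FIND_FILES_TIMEOUT": "0",
    "MAX_DISK_PERCENTAGE": "95",
    "MAC_ALGOS": ("hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,"
                  "umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com"),
}
APPROVED_MACS = frozenset(DEFAULTS["MAC_ALGOS"].split(","))
SPACE_SEPARATED = ("SSH_ALLOW_GROUPS", "SSH_ALLOW_USERS", "SSH_DENY_GROUPS", "SSH_DENY_USERS")
INTEGER_PROPS = ("CACHE_HRS", "EO_TIMEOUT", "FIND_FILES_TIMEOUT", "MAX_DISK_PERCENTAGE")


def validate_properties(props):
    """Return (errors, warnings) for a dict of property name -> value.

    Errors make the run meaningless (missing mandatory input, out-of-range numbers);
    warnings flag values that parse but are probably not what was intended.
    """
    errors, warnings = [], []
    merged = {**DEFAULTS, **{k: str(v) for k, v in props.items()}}

    for key in MANDATORY:
        if not merged.get(key, "").strip():
            errors.append(f"{key} is mandatory and is missing or empty")

    if merged["BSA_CONTENT_IPV_PROTOCOL"] not in ("IPV4", "IPV6"):
        errors.append("BSA_CONTENT_IPV_PROTOCOL must be IPV4 or IPV6")

    for key in INTEGER_PROPS:
        value = merged[key].strip()
        if not value.lstrip("-").isdigit():
            errors.append(f"{key} must be an integer, got {value!r}")
        elif key == "MAX_DISK_PERCENTAGE" and not 0 <= int(value) <= 100:
            errors.append(f"MAX_DISK_PERCENTAGE must be between 0 and 100, got {value}")

    # The SSH lists are space separated; a comma almost always means the wrong delimiter.
    for key in SPACE_SEPARATED:
        if "," in merged.get(key, ""):
            warnings.append(f"{key} contains a comma but the connector expects a space-separated list")

    # A user in both the allow and the deny list is contradictory and worth a look.
    overlap = set(merged.get("SSH_ALLOW_USERS", "").split()) & set(merged.get("SSH_DENY_USERS", "").split())
    if overlap:
        warnings.append("users listed in both SSH_ALLOW_USERS and SSH_DENY_USERS: " + ", ".join(sorted(overlap)))

    # Anything outside the default accepted MAC list weakens what the SSH MAC check accepts.
    unapproved = [m.strip() for m in merged["MAC_ALGOS"].split(",")
                  if m.strip() and m.strip() not in APPROVED_MACS]
    if unapproved:
        warnings.append("MAC_ALGOS contains algorithms outside the default accepted list: " + ", ".join(unapproved))

    return errors, warnings


def load_properties(path):
    """Read asset.json (assumed flat object) and return its property dict."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


# Constructed sample, not from the page: mistakes a first-time operator might make.
SAMPLE = {
    "EXCLUDE_HOME_DIR_USER_LIST": "svc_shared",
    "MEDIA_PARTITION_LIST": "/media/usb0",
    "SSH_ALLOW_GROUPS": "sshusers",
    "SSH_ALLOW_USERS": "alice,bob",          # comma instead of space
    "SSH_DENY_GROUPS": "guests",
    "SSH_DENY_USERS": "",                    # mandatory but empty
    "MAX_DISK_PERCENTAGE": "150",            # out of range
    "MAC_ALGOS": "hmac-sha2-256,hmac-md5",   # hmac-md5 is not in the default list
}

if __name__ == "__main__":
    errs, warns = validate_properties(SAMPLE)
    for line in errs:
        print("ERROR:", line)
    for line in warns:
        print("WARNING:", line)
```

Run it against your real file with validate_properties(load_properties("asset.json")) before starting the connector; the sample above yields two errors (the empty SSH_DENY_USERS and the 150% disk threshold) and two warnings (the comma in SSH_ALLOW_USERS and hmac-md5 in MAC_ALGOS).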

Onboarding the Server connector

  1. Log on to Cloud Security with your registered credentials.
  2. Select Configure icon > Connectors.
  3. Click Add Connector.
  4. Under Connector Type > On Premise Connectors (Installable), click Server Connector and then click Continue.
  5. In the Connector Name tab, specify a name for the connector.
    This name must be unique and must not have already been created.
    If the name entered is not already displayed on the Manage Connectors page, a green check mark and an "available" label appear next to the field.
  6. From the Environment drop-down, choose On Premise (to execute compliance on on-premise servers) or AWS (to execute compliance on AWS EC2 instances).
  7. (On-premise only) Type the path where the on-premise targets file is located (for example, on Windows, C:\Temp\servers.txt).
    This file lists the servers against which the connector runs compliance. Multiple servers can be added to the file as comma-separated endpoints, each of which must be accessible from the connector. For example:

    34.234.72.40,cdp-pun-033450,53.143.246.110,cdp-pun-020969

    Note

    This targets file can be updated later to add or remove targets that you want Cloud Security to scan. The next time that the collection cycle begins (based on the schedule set for the connector when it was onboarded), it automatically reads the file with the updated server targets and collects the assets from those targets.
  8. (AWS only) Specify the following AWS properties for the account to be scanned.
    In this environment, you can run compliance on AWS EC2. The connector must be deployed on the host on which the RSCD agent connects to the EC2 instances.
    • AWS Account Access Key: The key that uniquely identifies the user who owns the account
    • AWS Account Secret Key: The key that plays the role of a password
    • AWS Account Region: The geographical area in which AWS compliance will run. 
      To search for a region, type the name in the Filter options search field. A minimum of 3 characters is required in the field.
      To select all regions, click Select all. The number of selected options displays at the top of the menu.
      (For currently selected items only) To clear your selections and return to the default menu, click Clear.
    • EC2(s) field to resolve hostname: The field of the AWS EC2 instance that the Server connector uses as the hostname when it connects to the agents.
      The connector can communicate with AWS EC2s using one of the following options:
      • Private DNS. Private DNS name. For this option the connector must be deployed within the VPC from where it connects to the server endpoints using the Private DNS name as the hostname.
      • Public DNS. Public DNS name. For this option the connector must be deployed within the network from where it connects to the server endpoints using the Public DNS name as the hostname.
      • Private IP. Private IP address. For this option the connector must be deployed within the network from where it connects to the server endpoints using the Private IP as the hostname.
      • Public IP. Public IP address. For this option the connector must be deployed within the network from where it connects to the server endpoints using the Public IP as the hostname.
      • Any. The connector attempts to communicate with AWS EC2s using Private DNS, Public DNS, Private IP, or Public IP, in that order, until a connection is established. For this option the connector must be deployed within the network from where it can connect to the server endpoints using any of these options as the hostname.

      Best Practice

      The Server connector first attempts to connect using Private DNS then, failing that, it connects using Public DNS, Private IP, and then Public IP. If you are sure that EC2 instances can be accessed using any of the fields (for example, Public IP), BMC recommends that you select that option to minimize the potential performance impact caused by cycling through all options until a connection can be established.

  9. Specify the Schedule in hours or minutes for which Server resources will be periodically collected and evaluated.

  10. (Optional) Click Show Advanced configuration details and select one of the following modes that the connector will use for communication from the Communication Mode menu:

    • No Certificate. The connector does not use a certificate during communication. Note that this is an unsecured mode of communication.

    • Existing Certificate. The connector uses an existing certificate during communication. To establish this secured mode of communication, specify the following additional options:

      • Certificate File Path. The full directory path where the certificate file is located.

        Examples

        (Unix): /tmp/certificate.pem

        (Windows): C:\user\temp\certificate.pem

        The connector will search this directory for the certificate and use it during communication when it runs.

      • Certificate User. The name of the user that created the certificate.
      • Certificate User Passphrase. The passphrase specified by the user that created the certificate.
      • Push certificate to agents using connector. Determines if the connector pushes the certificate to the agent when it connects. Select the True or False option button.
        For more information about pushing the certificate to the agent, see Provisioning agents and repeaters with a SHA1 fingerprint of the Application Server self-signed certificate (Windows).

        Note

        To push the certificate you must have Administrator user rights (rw,user=Administrator).

        If you select System-generated Certificate or Existing Certificate and the Push option is set to False, you must ensure that the Sha1 Fingerprint of the certificate is pushed onto the agent. If there is no certificate fingerprint on the agent, the connector will communicate to the target in No Certificate mode.

    • System-generated Certificate. The connector uses a certificate generated in the cloud, which is downloaded and included with the connector for communication when it runs.
      To establish this secured mode of communication, specify whether the connector pushes the certificate to the agent when it connects by selecting the True or False option button.

    To hide the advanced configuration options panel, click the Hide Advanced configuration details toggle.

    Note

    Advanced configuration options are the same for both on-premise and AWS environments.

  11. Click Continue.
  12. The next page takes you to the Download tab to download the RSCD agent.
  13. If the download does not start automatically, click Download Connector setup and unzip the Server Connector.zip file using any standard compression tool.
    The zip file has the name that you specified for the connector in Step 4.
    1. (Windows) Double-click run.bat to run the connector in your target environment.
    2. (Linux) Run chmod +x run.sh to grant execute permission on the run.sh file, and then run the connector with the ./run.sh command.

      Note

      The time to complete data collection depends upon the number of targets that you have in your environment. Leave the command window open and switch over to the UI.

      In on-premise mode, the connector returns how many targets were located from the targets file specified in Step 6.

  14. Click Continue.
  15. Select the compliance policies that you want to use to evaluate your Server connector resources.
    To update a policy that you have selected, if an update is available, click Update in the information banner to the right of the selected policy and then click Update Policy on the confirmation message that appears.
  16. Click Continue.
    The connector is authenticated, pushed to, and available in Cloud Security, and the policies can be evaluated based on the schedule and communication mode (if applicable) that you have set.

    As soon as the connector begins sending data, it displays in the green 'Running' state. It then collects the data and begins publishing it back to Cloud Security.

  17. If you want to download the RSCD agent files, you can still do so from the Server connector by clicking Download RSCD files, which provides the Windows and Linux files.
    After you click Download RSCD files, a Download RSCD Agent pop-up window appears, as shown in the screenshot below.
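Steps 7 and 8 above describe the two kinds of input that decide which agents the connector will talk to: the comma-separated on-premise targets file, and the EC2 field used as the hostname (with the Private DNS, Public DNS, Private IP, Public IP fallback when Any is selected). The script below is an added example, not code from the product or this page; it validates a targets file the way a careful operator would before onboarding, and models the hostname-field choice so the cost of cycling that the Best Practice note warns about is visible. It assumes EC2 instances are represented as dicts keyed by the AWS describe-instances field names (PrivateDnsName, PublicDnsName, PrivateIpAddress, PublicIpAddress), and that a reachability test is a plain TCP connect to the RSCD port 4750 from the prerequisites; the connector's own internals are not documented on the page.

```python
"""Added example: build and check the list of agent endpoints a Server connector would contact.

Assumptions (not from the page): EC2 instances are dicts using the AWS describe-instances
field names, and reachability means a TCP connect to the RSCD agent port.
"""
import ipaddress
import re
import socket

RSCD_PORT = 4750  # port the RSCD agent listens on (from the prerequisites)

# RFC 1123 host names: labels of letters, digits and hyphens, 1-63 chars each.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)

# Order the connector tries when "Any" is selected (from the Best Practice note).
ANY_ORDER = ("PrivateDnsName", "PublicDnsName", "PrivateIpAddress", "PublicIpAddress")


def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def parse_targets_file(text):
    """Parse the on-premise targets file content.

    Entries are comma separated; line breaks are tolerated as separators too.
    Returns (targets, problems): targets in file order without duplicates,
    problems as human-readable strings for anything that was skipped.
    """
    targets, problems, seen = [], [], set()
    for raw in text.replace("\n", ",").split(","):
        entry = raw.strip()
        if not entry:
            continue
        if not (_is_ip(entry) or _HOSTNAME_RE.match(entry)):
            problems.append(f"invalid target skipped: {entry!r}")
            continue
        key = entry.lower()
        if key in seen:
            problems.append(f"duplicate target ignored: {entry}")
            continue
        seen.add(key)
        targets.append(entry)
    return targets, problems


def resolve_ec2_endpoint(instance, field, connect):
    """Pick the host name used to reach one EC2 instance's agent.

    field is one of ANY_ORDER or "Any"; connect(host) returns True on success.
    Returns (host_or_None, attempts) so the cost of cycling through fields is visible.
    """
    candidates = ANY_ORDER if field == "Any" else (field,)
    attempts = 0
    for name in candidates:
        host = instance.get(name)
        if not host:  # e.g. no public DNS name for an instance in a private subnet
            continue
        attempts += 1
        if connect(host):
            return host, attempts
    return None, attempts


def agent_reachable(host, port=RSCD_PORT, timeout=3.0):
    """Real reachability test: can we open a TCP connection to the agent port?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


# Constructed sample inputs: the first four targets are the page's own example,
# the second line adds a duplicate and two malformed entries.
SAMPLE_TARGETS_FILE = (
    "34.234.72.40,cdp-pun-033450,53.143.246.110,cdp-pun-020969,\n"
    "CDP-PUN-033450, bad host!, -badhost\n"
)
SAMPLE_INSTANCE = {  # constructed; only the public IP is reachable from this connector
    "PrivateDnsName": "ip-10-0-1-23.ec2.internal",
    "PublicDnsName": "",
    "PrivateIpAddress": "10.0.1.23",
    "PublicIpAddress": "198.51.100.7",
}


def _fake_connect(host):
    """Stand-in for agent_reachable() so the example runs offline."""
    return host == SAMPLE_INSTANCE["PublicIpAddress"]


if __name__ == "__main__":
    targets, problems = parse_targets_file(SAMPLE_TARGETS_FILE)
    print("targets:", targets)
    print("problems:", problems)
    for field in ("Any", "PublicIpAddress"):
        print(field, "->", resolve_ec2_endpoint(SAMPLE_INSTANCE, field, _fake_connect))
```

With the constructed instance, Any reaches the agent only on the third attempt while selecting Public IP directly succeeds on the first, which is the performance point the Best Practice note makes. Replace _fake_connect with agent_reachable to run the same logic against real endpoints from the host where the connector will be deployed, and feed the valid target list from parse_targets_file() through agent_reachable() to catch hosts that are unreachable on port 4750 before the first collection cycle.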

Running the Server connector as a service (Windows)

As an alternative to running the Server connector with a batch file, you can run the connector as a service on Windows using the install.bat file that is downloaded with the connector during onboarding.

Note

To run the connector as a service, the install.bat file must be run as an Administrator.

  1. Locate the install.bat file in your connector setup location where you downloaded the Server connector.

  2. At a Command Prompt, at the same location as the install.bat file, type the following command:

    install.bat install

    The Server connector service is created and started.

  3. In the Windows Start menu, type services to open the Services dialog.
  4. Scroll down and locate BMC Server Connector in the list and verify that the Status is Running.

  5. To check the status of the service, at a Command Prompt, type install.bat status.
    To start or stop the service, type start or stop after the install.bat command.
    For help with all available commands with the service and their usage, type install.bat help.
    When the Server connector is started, it continues running and collecting data based on the schedule set during onboarding in the applications.properties file.

Running the Server connector as a service (Linux)

You can also run the connector as a service on Linux systems using the install.sh file that is downloaded with the connector during onboarding.

Note

To run the connector as a service, the install.sh file must be run with administrator privileges, as root.

  1. Locate the install.sh file in your connector setup location where you downloaded the Server connector.

  2. Install the connector using the install.sh command.
    The Server connector service is created and started.
    When the Server connector is started, it continues running and collecting data based on the schedule set during onboarding in the applications.properties file.

Performing next steps

To manage connector configuration and settings, see Managing connectors.

To assess the resources including why a rule failed, see Managing resources.

For troubleshooting common problems, see Troubleshooting Server connector issues.
