Server connector


BMC Helix Cloud Security supports running CIS Compliance checks on servers in multi-cloud environments. You can download and configure a Server connector, and validate policies using Cloud Security in two modes:

  • From the cloud, Cloud Security scans EC2 instances from your AWS account.
  • On-premise, Cloud Security scans a list of targets you specify in a comma-separated file. 

The Server Connector can be run using a batch file similar to other Cloud Security on-premise connectors. It can also be installed as a service which enables the connector to run continuously and collect data through Windows Services.

The following sections describe the prerequisites and the steps for onboarding the Server connector.

To access the latest information about this topic and all Cloud Security releases, check out the Release-notes-and-notices.

Understanding the Server connector

The Server connector communicates with the workloads, collects the information from the RSCD agents using the JNI-RSCD Plugin, and sends it to Cloud Security to evaluate against the selected standards.

The following policies are available for the Server connector:

  • CIS - Windows Server 2012 R2 DC (Domain Controller). This policy is based on the recommended settings defined by the Microsoft Windows Server 2012 R2 Security Configuration Benchmark Version 2.2.0, published April 28, 2016. For more information, see CIS Benchmarks.
  • CIS - Windows Server 2012 R2 MS (Member Server). This policy is based on the recommended settings defined by the Microsoft Windows Server 2012 R2 Security Configuration Benchmark Version 2.2.0, published April 28, 2016. For more information, see CIS Benchmarks.
  • CIS - Red Hat Enterprise Linux 6. This policy is based on the recommended settings defined by the Red Hat Enterprise Security Configuration Benchmark Settings for Linux 6 Version 2.0.2, published June 2, 2016. For more information, see CIS Benchmarks.

[Diagram: Server connector interactions]

In the diagram, the JNI-RSCD Plugin collects server/target information (such as registry, GPO, and Auditpol) using native JNI commands from the RSCD agent installed on EC2 servers and target machines. The following section details the prerequisites for each of these machines.

Note

This version of BMC Helix Cloud Security supports compliance with Server connectors for AWS EC2 instances or on-premise servers on Windows platforms only. Remediation is not yet supported.

Completing prerequisites

Ensure that the connector and target environments meet the following prerequisites before onboarding the Server connector.

Requirements for the computer on which the connector is downloaded (part of the Management VPC/Network)

The connector machine must have internet connectivity so that the connector can communicate with Cloud Security.

Ensure that the computer on which the connector is downloaded has Java OpenJDK 11.0.2 installed on it.

Requirements for the target machine (part of the data network)

The target machine on which the EC2 compliance runs must have an RSCD agent version 8.9 SP1 installed and configured. The agent communicates on port 4750.

Note

You must have RSCD administrator privileges to collect all data.

Additionally, the Windows target machine requires a minimum version of .Net Framework 4.0.30319.

For information about installing the agent, see the BMC documentation for Manually installing the stand-alone RSCD Agent and the AWS documentation for Using Network Security.
For information about configuring the agent, see Configuring the exports file.

Properties for CIS RHEL6

You must set the following properties in the asset.json file for the Server connector before running the connector:

  • EXCLUDE_HOME_DIR_USER_LIST (Mandatory): List of users to be excluded from the compliance check where a shared home directory is present. Default: none.
  • MEDIA_PARTITION_LIST (Mandatory): List of removable media partitions. Default: none.
  • SSH_ALLOW_GROUPS (Mandatory): Space-separated list of group names used for the Allow SSH check. Default: none.
  • SSH_ALLOW_USERS (Mandatory): Space-separated list of user names used for the Allow SSH check. Default: none.
  • SSH_DENY_GROUPS (Mandatory): Space-separated list of group names used for the Deny SSH check. Default: none.
  • SSH_DENY_USERS (Mandatory): Space-separated list of user names used for the Deny SSH check. Default: none.

The remaining properties are optional. You can override their default values according to your organization's requirements. The following is the comprehensive list of these properties.

  • AUDIT_RULES_FILE (Optional): Audit rules file. Default: /etc/audit/audit.rules
  • BSA_CONTENT_IPV_PROTOCOL (Optional): IP protocol (IPV4 or IPV6). Default: IPV4
  • CACHE_HRS (Optional): Number of hours for which the cache is valid. Default: 24
  • EO_TIMEOUT (Optional): Timeout in seconds for Extended Object execution. Default: 0
  • EXCLUDED_DIR (Optional): Directory to exclude from FindFiles caching. The value can be a single directory or multiple directories separated by commas. Default: -1
  • EXCLUDED_USER_LIST (Optional): Comma-separated list of users to be excluded from the compliance check. Default: root,sync,shutdown,halt
  • FIND_FILES_TIMEOUT (Optional): Timeout in seconds for the find files extended object. Default: 0
  • LOGHOSTS_SEND (Optional): Remote host name where all logs are collected. Default: none
  • LOGROTATE_FILES (Optional): List of logs used for rotation. Default: /var/log/messages /var/log/secure /var/log/maillog /var/log/spooler /var/log/boot.log /var/log/cron
  • MAC_ALGOS (Optional): List of all supported and accepted MAC algorithms. Default: hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
  • MAX_DISK_PERCENTAGE (Optional): Maximum disk percentage in use before cache generation. Default: 95
  • MAX_DISPLAY (Optional): Maximum number of lines to be displayed in Extended Objects. Default: 5000
  • MAX_DISPLAY_FINDING (Optional): Maximum display count for findings in tag files. Default: 5000
  • MAX_INFO_LINES (Optional): Maximum number of info lines to be displayed. Default: all
  • SHELL_CONFIGURATION_FILES (Optional): Comma-separated list of configuration files for the user UMASK check. Default: /etc/bashrc,/etc/profile
  • UNIX_EXCLUDE_HOME_DIR_USER_LIST (Optional): Unix system user accounts whose home directories should not be scanned. Default: daemon,sys,lp,dladm,netadm,netcfg,smmsp,zfssnap,xvm,mysql,openldap,webservd,postgres,svctag,unknown,nobody,noaccess,nobody4,ftp,dhcpserv,aiuser,pkg5srv,uucp,nuucp,upnp
  • VAR_FINDFILES_TAG_LIST (Optional): Temporary property used for rule evaluation. Syntax: find files tags with excluded directories, for example Tag1:Dir1;Tag2:Dir,Dir2. Default: fUnAuthWwfile;fSgid;fSuid;fUnownedUserdir;fUnownedGroupfile;fUnownedGroupdir;fUnownedUserfile;fWwdir;fSyslogperm;fRhosts
  • BANNER_MESSAGE (Optional): Banner message on the login screen. Default: Authorized uses only. All activity may be monitored and reported
  • GDM_BANNER_MESSAGE_CONF_FILE (Optional): Banner message configuration file. Default: /etc/dconf/db/gdm.d/01-banner-message
  • EXCLUDE_DAEMONS_LIST (Optional): Pipe-separated list of daemons to be excluded from the rule check. Default: tr|ps|egrep|bash|awk|rscd
  • WHEEL_GROUP_USERS (Optional): Users in the wheel group for pam_wheel.so. Default: root
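A mistake in asset.json (a missing mandatory property, or an SSH list written with commas where the connector expects spaces) silently changes what the CIS RHEL6 rules evaluate against. The following Python script is an added example, not BMC's code, that checks a property set against the rules stated above before the connector runs: the six mandatory properties must be present and non-empty, the SSH_* lists must be space-separated, EXCLUDED_DIR, EXCLUDED_USER_LIST and SHELL_CONFIGURATION_FILES comma-separated, EXCLUDE_DAEMONS_LIST pipe-separated, the numeric properties integers within a sensible range, and BSA_CONTENT_IPV_PROTOCOL either IPV4 or IPV6. It assumes asset.json is a flat JSON object keyed by property name; the sample file contents are constructed.

```python
import json

# Properties the page lists as mandatory for the CIS RHEL6 policy.
MANDATORY = (
    "EXCLUDE_HOME_DIR_USER_LIST",
    "MEDIA_PARTITION_LIST",
    "SSH_ALLOW_GROUPS",
    "SSH_ALLOW_USERS",
    "SSH_DENY_GROUPS",
    "SSH_DENY_USERS",
)

# Separator each list-valued property uses, taken from the property descriptions.
DELIMITERS = {
    "SSH_ALLOW_GROUPS": " ",
    "SSH_ALLOW_USERS": " ",
    "SSH_DENY_GROUPS": " ",
    "SSH_DENY_USERS": " ",
    "EXCLUDED_DIR": ",",
    "EXCLUDED_USER_LIST": ",",
    "SHELL_CONFIGURATION_FILES": ",",
    "EXCLUDE_DAEMONS_LIST": "|",
}
DELIMITER_NAMES = {" ": "space", ",": "comma", "|": "pipe"}
# Characters whose presence indicates the wrong separator was used for a list style.
FOREIGN_SEPARATORS = {" ": ",;|", ",": ";|", "|": ",;"}

# Integer properties and the inclusive range they must fall in (None = unbounded).
# The ranges are this example's choice, not limits stated by the page.
NUMERIC_RANGES = {
    "CACHE_HRS": (0, None),
    "EO_TIMEOUT": (0, None),
    "FIND_FILES_TIMEOUT": (0, None),
    "MAX_DISK_PERCENTAGE": (1, 100),
    "MAX_DISPLAY": (1, None),
    "MAX_DISPLAY_FINDING": (1, None),
}


def validate_asset_properties(props):
    """Return (severity, property, message) findings for a flat property map.
    An empty list means every check passed."""
    findings = []
    for name in MANDATORY:
        value = props.get(name)
        if value is None:
            findings.append(("error", name, "mandatory property is missing"))
        elif not str(value).strip():
            findings.append(("error", name, "mandatory property is empty"))
    for name, delim in DELIMITERS.items():
        value = props.get(name)
        if not isinstance(value, str) or not value.strip():
            continue
        foreign = [c for c in FOREIGN_SEPARATORS[delim] if c in value]
        if foreign:
            findings.append(("error", name,
                             f"expected a {DELIMITER_NAMES[delim]}-separated "
                             f"list but found {foreign}"))
    for name, (low, high) in NUMERIC_RANGES.items():
        if name not in props:
            continue
        try:
            number = int(str(props[name]).strip())
        except ValueError:
            findings.append(("error", name, f"not an integer: {props[name]!r}"))
            continue
        if number < low or (high is not None and number > high):
            findings.append(("error", name, f"{number} is outside {low}..{high}"))
    proto = props.get("BSA_CONTENT_IPV_PROTOCOL")
    if proto is not None and proto not in ("IPV4", "IPV6"):
        findings.append(("error", "BSA_CONTENT_IPV_PROTOCOL",
                         f"must be IPV4 or IPV6, got {proto!r}"))
    return findings


def validate_asset_json(text):
    """Parse asset.json text (assumed to be a flat JSON object) and validate it."""
    props = json.loads(text)
    if not isinstance(props, dict):
        return [("error", "<root>", "asset.json must be a JSON object")]
    return validate_asset_properties(props)


# Constructed sample with three deliberate mistakes: SSH_ALLOW_USERS is
# comma-separated, MEDIA_PARTITION_LIST is missing, MAX_DISK_PERCENTAGE > 100.
SAMPLE_ASSET_JSON = """{
  "EXCLUDE_HOME_DIR_USER_LIST": "svc_backup svc_deploy",
  "SSH_ALLOW_GROUPS": "sshusers wheel",
  "SSH_ALLOW_USERS": "alice,bob",
  "SSH_DENY_GROUPS": "guests",
  "SSH_DENY_USERS": "nobody",
  "EXCLUDE_DAEMONS_LIST": "tr|ps|egrep|bash|awk|rscd",
  "CACHE_HRS": "24",
  "MAX_DISK_PERCENTAGE": "150",
  "BSA_CONTENT_IPV_PROTOCOL": "IPV4"
}"""

if __name__ == "__main__":
    for severity, name, message in validate_asset_json(SAMPLE_ASSET_JSON):
        print(f"{severity}: {name}: {message}")
```

Run it against your real asset.json before the first collection cycle; the delimiter check matters most, because "alice,bob" in a space-separated field is read as one user name rather than two and the SSH allow rule is then evaluated against a user that does not exist.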

Onboarding the Server connector

  1. Log on to Cloud Security with your registered credentials.
  2. Select Configure icon > Connectors.
  3. Click Add Connector.
  4. Under Connector Type > On Premise Connectors (Installable), click Server Connector and then click Continue.
  5. In the Connector Name tab, specify a name for the connector.
    This name must be unique and must not have already been created.
    If the name entered is not already displayed on the Manage Connectors page, a green check mark and available label appear next to the field.
  6. From the Environment drop-down, choose On Premise (to execute compliance on on-premise servers) or AWS (to execute compliance on AWS EC2 instances).
  7. (On-premise only) Type the path where the on-premise targets file is located (for example, on Windows, C:\\Temp.servers.txt).
    This file specifies where the connector runs, and triggers the compliance against the server. Multiple servers can be added in the file with comma-separated endpoints that are each accessible by the connector. For example:

    34.234.72.40,cdp-pun-033450,53.143.246.110,cdp-pun-020969

    Note

    This targets file can be updated later to add or remove targets that you want Cloud Security to scan. The next time that the collection cycle begins (based on the schedule set for the connector when it was onboarded), it automatically reads the file with the updated server targets and collects the assets from those targets.

  8. (AWS only) Specify the following AWS properties for the account to be scanned.
    In this environment, you can run compliance on AWS EC2. The connector must be deployed on the host on which the RSCD agent connects to the EC2 instances.
    • AWS Account Access Key: The key that uniquely identifies the user who owns the account
    • AWS Account Secret Key: The key that plays the role of a password
    • AWS Account Region: The geographical area in which AWS compliance will run. 
      To search for a region, type the name in the Filter options search field. A minimum of 3 characters is required in the field.
      To select all regions, click Select all. The number of selected options displays at the top of the menu.
      (For currently selected items only) To clear your selections and return to the default menu, click Clear.
    • EC2(s) field to resolve hostname: The field of the AWS EC2 instance that the Server connector uses to connect to the agents.
      The connector can communicate with AWS EC2s using one of the following options:
      • Private DNS. Private DNS name. For this option the connector must be deployed within the VPC from which it connects to the server endpoints using the Private DNS name as the hostname.
      • Public DNS. Public DNS name. For this option the connector must be deployed within the network from which it connects to the server endpoints using the Public DNS name as the hostname.
      • Private IP. For this option the connector must be deployed within the network from which it connects to the server endpoints using the Private IP as the hostname.
      • Public IP. For this option the connector must be deployed within the network from which it connects to the server endpoints using the Public IP as the hostname.
      • Any. The connector attempts to communicate with AWS EC2s using the Private DNS, Public DNS, Private IP, or Public IP option, in that order, until a connection is established. For this option the connector must be deployed within the network from which it connects to the server endpoints using any of these options as the hostname.

      Best Practice

      The Server connector first attempts to connect using Private DNS then, failing that, it connects using Public DNS, Private IP, and then Public IP. If you are sure that EC2 instances can be accessed using any of the fields (for example, Public IP), BMC recommends that you select that option to minimize the potential performance impact caused by cycling through all options until a connection can be established.

  9. Specify the Schedule in hours or minutes for which Server resources will be periodically collected and evaluated.
  10. (Optional) Click Show Advanced configuration details and select one of the following modes that the connector will use for communication from the Communication Mode menu:

    • No Certificate. The connector does not use a certificate during communication. Note that this is an unsecured mode of communication.
    • Existing Certificate. The connector uses an existing certificate during communication. To establish this secured mode of communication, specify the following additional options:
      • Certificate File Path. The full directory path where the certificate file is located.

        (Unix): /tmp/certificate.pem

        (Windows): C:\user\temp\certificate.pem

        The connector will search this directory for the certificate and use it during communication when it runs.

      • Certificate User. The name of the user that created the certificate.
      • Certificate User Passphrase. The passphrase specified by the user that created the certificate.
      • Push certificate to agents using connector. Determines if the connector pushes the certificate to the agent when it connects. Select the True or False option button.
        For more information about pushing the connector to the agent, see Provisioning agents and repeaters with a SHA1 fingerprint of the Application Server self-signed certificate (Windows).

        Note

        To push the certificate you must have Administrator user rights (rw,user=Administrator).

        If you select System-generated Certificate or Existing Certificate and the Push option is set to False, you must ensure that the Sha1 Fingerprint of the certificate is pushed onto the agent. If there is no certificate fingerprint on the agent, the connector will communicate to the target in No Certificate mode.

    • System-generated Certificate. The connector uses a system-generated certificate generated in the cloud, and the certificate downloaded and included with the connector for communication when it runs.
      To establish this secured mode of communication, specify if the connector pushes the certificate to the agent when it connects by selecting the True or False option button.

    To hide the advanced configuration options panel, click the Hide Advanced configuration details toggle.

    Note

    Advanced configuration options are the same for both on-premise and AWS environments.

  11. Click Continue.
  12. The next page takes you to the Download tab, from which you download the RSCD agent.
  13. If the download does not start automatically, click Download Connector setup and unzip the Server Connector.zip file using any standard compression tool.
    The zip file will have the name that you specified for the connector in Step 4.
    1. (Windows) Double-click run.bat to run the connector in your target environment.
    2. (Linux) Execute the command chmod +x run.sh to grant execute permissions to the run.sh file. Then run the connector using the run.sh command.

      Note

      The time to complete data collection depends upon the number of targets that you have in your environment. Leave the command window open and switch over to the UI.

      In on-premise mode, the connector returns how many targets were located from the targets file specified in Step 6.

  14. Click Continue.
  15. Select the compliance policies that you want to use to evaluate your Server connector resources.
    To update a policy that you have selected, if an update is available, click Update in the information banner to the right of the selected policy and then click Update Policy on the confirmation message that appears.
    [Screenshot: policy version update information banner]
  16. Click Continue.
    The connector is authenticated, pushed to and available in Cloud Security, and the policies can be evaluated based on the schedule and communication modes (if applicable) that you have set.
    As soon as the connector begins sending data, it displays in the green 'Running' state. It then collects the data and begins publishing it back to Cloud Security.
  17. If you want to download the RSCD files, you can still download them for Windows and Linux by clicking Download RSCD files on the Server connector page.
    After you click Download RSCD files, the Download RSCD Agent pop-up window appears, as shown in the following screenshot.
    [Screenshot: Download RSCD Agent dialog]
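Steps 7 and 8 above depend on two inputs the connector reads at collection time: the comma-separated targets file (on-premise mode) and the EC2 field used to resolve hostnames (AWS mode). The following Python pre-flight helper is an added example, not part of the connector, that parses a targets file and reports entries that are neither an IP address nor a valid hostname or that repeat an earlier entry, and that lists, per instance, the endpoint candidates the connector would try in the documented Private DNS, Public DNS, Private IP, Public IP order, so you can see how many failed attempts the Any option may cost on a fleet with private-subnet instances. It assumes the instance records use the EC2 DescribeInstances field names (PrivateDnsName, PublicDnsName, PrivateIpAddress, PublicIpAddress); the connector's own mapping of the UI options onto those fields and the acceptance of newlines as extra separators in the targets file are assumptions, and all sample data is constructed.

```python
import ipaddress
import re

AGENT_PORT = 4750  # port on which the RSCD agent listens, per the prerequisites

# One DNS label: 1-63 characters, letters/digits/hyphens, no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_valid_hostname(name):
    """Loose RFC 1123 hostname check (no DNS lookup, so it works offline)."""
    if not name or len(name) > 253:
        return False
    return all(_LABEL.match(label) for label in name.rstrip(".").split("."))


def parse_targets(text):
    """Parse the on-premise targets file.

    Returns (targets, problems): targets is the de-duplicated list of accepted
    endpoints in file order; problems describes entries that are neither an IP
    address nor a hostname, or that repeat an earlier entry. Newlines are
    accepted as separators in addition to commas (an assumption; the page shows
    a single comma-separated line)."""
    targets, problems, seen = [], [], set()
    for raw in text.replace("\n", ",").split(","):
        entry = raw.strip()
        if not entry:
            continue
        try:
            ipaddress.ip_address(entry)
        except ValueError:
            if not is_valid_hostname(entry):
                problems.append(f"{entry!r}: not an IP address or hostname")
                continue
        key = entry.lower()
        if key in seen:
            problems.append(f"{entry!r}: duplicate entry")
            continue
        seen.add(key)
        targets.append(entry)
    return targets, problems


# Constructed samples: the page's example line, and a file with a malformed
# and a repeated entry.
SAMPLE_TARGETS_FILE = "34.234.72.40,cdp-pun-033450,53.143.246.110,cdp-pun-020969\n"
BAD_TARGETS_FILE = "10.0.0.5, bad_host!, 10.0.0.5,\n"

# Fallback order the page documents for the "Any" option. The field names are
# those of the EC2 DescribeInstances response; mapping the UI options onto them
# is an assumption about the connector.
RESOLUTION_ORDER = (
    ("Private DNS", "PrivateDnsName"),
    ("Public DNS", "PublicDnsName"),
    ("Private IP", "PrivateIpAddress"),
    ("Public IP", "PublicIpAddress"),
)


def ec2_endpoint_candidates(instance, option="Any"):
    """Hostnames the connector would try for one instance, in order.

    A specific option yields at most one candidate; "Any" yields every populated
    field in the documented order. An instance with no public address simply has
    fewer candidates, which is why "Any" can cost several failed attempts."""
    if option == "Any":
        wanted = RESOLUTION_ORDER
    else:
        wanted = [pair for pair in RESOLUTION_ORDER if pair[0] == option]
        if not wanted:
            raise ValueError(f"unknown option {option!r}")
    return [instance[field] for _, field in wanted if instance.get(field)]


def max_attempts(instances, option="Any"):
    """Worst-case number of connection attempts over a fleet for the chosen option."""
    return sum(len(ec2_endpoint_candidates(i, option)) for i in instances)


# Constructed instance records: one reachable both ways, one in a private subnet.
PUBLIC_INSTANCE = {
    "PrivateDnsName": "ip-10-0-1-15.ec2.internal",
    "PublicDnsName": "ec2-203-0-113-7.compute-1.amazonaws.com",
    "PrivateIpAddress": "10.0.1.15",
    "PublicIpAddress": "203.0.113.7",
}
PRIVATE_INSTANCE = {
    "PrivateDnsName": "ip-10-0-2-9.ec2.internal",
    "PublicDnsName": "",
    "PrivateIpAddress": "10.0.2.9",
    "PublicIpAddress": None,
}

if __name__ == "__main__":
    targets, problems = parse_targets(BAD_TARGETS_FILE)
    print("targets:", targets, "problems:", problems)
    for inst in (PUBLIC_INSTANCE, PRIVATE_INSTANCE):
        print(ec2_endpoint_candidates(inst), ec2_endpoint_candidates(inst, "Public IP"))
    print("worst case attempts with Any:", max_attempts([PUBLIC_INSTANCE, PRIVATE_INSTANCE]))
```

The candidate list is also a quick way to apply the Best Practice above: if every instance in the account produces the same single usable field, select that option instead of Any and the connector makes one attempt per target on port 4750 rather than cycling through the others first.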

Running the Server connector as a service (Windows)

As an alternative to running the Server connector with a batch file, you can run the connector as a service on Windows using the install.bat file that is downloaded with the connector during onboarding.

Note

To run the connector as a service, the install.bat file must be run as an Administrator.

  1. Locate the install.bat file in your connector setup location where you downloaded the Server connector.


  2. At a Command Prompt, at the same location as the install.bat file, type the following command:

    install.bat install
    The Server connector service is created and started.

  3. In the Windows Start menu, type services to open the Services dialog.
  4. Scroll down and locate BMC Server Connector in the list and verify that the Status is Running.


  5. To check the status of the service, at a Command Prompt, type install.bat status.
    To start or stop the service, type start or stop after the install.bat command.
    For help with all available commands with the service and their usage, type install.bat help.
    When the Server connector is started, it continues running and collecting data based on the schedule set during onboarding in the applications.properties file.

Running the Server connector as a service (Linux)

You can also run the connector as a service on Linux systems using the install.sh file that is downloaded with the connector during onboarding.

Note

To run the connector as a service, the install.sh file must be run with administrator privileges, that is, as root.

  1. Locate the install.sh file in your connector setup location where you downloaded the Server connector.

  2. Install the connector using the install.sh command.
    The Server connector service is created and started.
    When the Server connector is started, it continues running and collecting data based on the schedule set during onboarding in the applications.properties file.

Performing next steps

To manage connector configuration and settings, see Managing-connectors.

To assess the resources including why a rule failed, see Managing resources.

For troubleshooting common problems, see Troubleshooting Server connector issues.
