Server connector
BMC Helix Cloud Security supports running CIS Compliance checks on servers in multi-cloud environments. You can download and configure a Server connector, and validate policies using Cloud Security in two modes:
- From the cloud, Cloud Security scans EC2 instances from your AWS account.
- On-premise, Cloud Security scans a list of targets you specify in a comma-separated file.
The Server Connector can be run using a batch file similar to other Cloud Security on-premise connectors. It can also be installed as a service which enables the connector to run continuously and collect data through Windows Services.
To onboard the Server connector, perform the following steps:
Understanding the Server connector
The Server connector communicates with the workloads, collects the information from the RSCD agents using the JNI-RSCD Plugin, and sends it to Cloud Security to evaluate against the selected standards.
The following policies are available for the Server connector:
- CIS - Windows Server 2012 R2 DC(Domain Controller). This Policy is based on the recommended settings defined by Microsoft Windows Server 2012 R2 Security Configuration Benchmark Version 2.2.0, published April 28, 2016. For more information, see CIS Benchmarks.
- CIS - Windows Server 2012 R2 MS(Member Server). This Policy is based on the recommended settings defined by Microsoft Windows Server 2012 R2 Security Configuration Benchmark Version 2.2.0, published April 28, 2016. For more information, see CIS Benchmarks.
- CIS - Red Hat Enterprise Linux 6. This Policy is based on the recommended settings defined by Red Hat Enterprise Security Configuration Benchmark Settings for Linux 6 Version 2.0.2, published June 2, 2016. For more information, see CIS Benchmarks.
In the diagram, the JNI-RSCD Plugin collects server/target information (such as registry, GPO, and Auditpol) using native JNI commands from the RSCD agent installed on EC2 servers and target machines. The following section details the prerequisites for each of these machines.
Completing prerequisites
Ensure that the connector and target environments meet the following prerequisites before onboarding the Server connector.
Requirements for the computer on which the connector is downloaded (part of the Management VPC/Network)
The connector machine must have internet connectivity so that the connector can communicate with Cloud Security.
Ensure that the computer on which the connector is downloaded has Java OpenJDK 11.0.2 installed on it.
Requirements for the target machine (part of the data network)
The target machine must have an RSCD agent v.8.9sp1 installed and configured on which you will run the EC2 compliance. The agent communicates on port 4750.
Additionally, the Windows target machine requires a minimum version of .Net Framework 4.0.30319.
For information about installing the agent, see BMC documentation for Manually installing the stand-alone RSCD Agent and AWS documentation for Using Network Security.
For information about configuring the agent, see Configuring the exports file.
Properties for CIS RHEL6
You must set the following properties in the asset.json file for the Server connector before running the connector:
Property Name | Mandatory/Optional | Description | Default Value |
|---|---|---|---|
EXCLUDE_HOME_DIR_USER_LIST | Mandatory | List of user need to be excluded from compliance where shared home directory is present | |
MEDIA_PARTITION_LIST | Mandatory | Removable media partition list | |
SSH_ALLOW_GROUPS | Mandatory | Space separated list of group names, used for Allow SSH | |
SSH_ALLOW_USERS | Mandatory | Space separated list of user names, used for Allow SSH | |
SSH_DENY_GROUPS | Mandatory | Space separated list of group names, used for Deny SSH | |
SSH_DENY_USERS | Mandatory | Space separated list of user names, used for Deny SSH |
There are some more properties which are optional. You can override default value of these properties as per your organization requirements. Here is the comphrehensive list of all properties.
Property Name | Mandatory/Optional | Description | Default Value |
|---|---|---|---|
AUDIT_RULES_FILE | Optional | Property used for storing Audit rules file | /etc/audit/audit.rules |
BSA_CONTENT_IPV_PROTOCOL | Optional | Property indicating IP protocol[IPV4/IPV6] | IPV4 |
CACHE_HRS | Optional | Property Specifies number of hours the cache will be valid | 24 |
EO_TIMEOUT | Optional | Time out in seconds for Extended Object execution | 0 |
EXCLUDED_DIR | Optional | Directory to exclude from FindFiles caching. The value for this property can be a directory or multiple directories separated by comma | \-1 |
EXCLUDED_USER_LIST | Optional | Comma separated list of the users to be excluded from compliance check. | root,sync,shutdown,halt |
FIND_FILES_TIMEOUT | Optional | Time out value in seconds for find files extended object | 0 |
LOGHOSTS_SEND | Optional | Remote host name where all logs are collected | |
LOGROTATE_FILES | Optional | List of logs used for rotate | /var/log/messages /var/log/secure /var/log/maillog /var/log/spooler /var/log/boot.log /var/log/cron |
MAC_ALGOS | Optional | List of all supported and accepted MAC algorithms. | hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com |
MAX_DISK_PERCENTAGE | Optional | Maximum disk percentage in use before cache generation | 95 |
MAX_DISPLAY | Optional | Maximum lines to be displayed in Extened Objects | 5000 |
MAX_DISPLAY_FINDING | Optional | Maximum display count for findings in tag files | 5000 |
MAX_INFO_LINES | Optional | Maximum info lines to be displayed | all |
SHELL_CONFIGURATION_FILES | Optional | Comma separated list of configuration files for user UMASK check | /etc/bashrc,/etc/profile |
UNIX_EXCLUDE_HOME_DIR_USER_LIST | Optional | Unix system user accounts where home should not be scanned | daemon,sys,lp,dladm,netadm,netcfg,smmsp,zfssnap,xvm,mysql,openldap,webservd,postgres,svctag,unknown,nobody,noaccess,nobody4,ftp,dhcpserv,aiuser,pkg5srv,uucp,nuucp,upnp |
VAR_FINDFILES_TAG_LIST | Optional | Temporary property used for rule evaluation.Syntax :Find files tags with excluded directories.ex:Tag1:Dir1;Tag2:Dir,Dir2 | fUnAuthWwfile;fSgid;fSuid;fUnownedUserdir;fUnownedGroupfile;fUnownedGroupdir;fUnownedUserfile;fWwdir;fSyslogperm;fRhosts |
BANNER_MESSAGE | Optional | Banner message on login screen | Authorized uses only. All activity may be monitored and reported |
GDM_BANNER_MESSAGE_CONF_FILE | Optional | Banner message configuration file | /etc/dconf/db/gdm.d/01-banner-message |
EXCLUDE_DAEMONS_LIST | Optional | Pipe separated list of daemons to be excluded in rule check | tr|ps|egrep|bash|awk|rscd |
WHEEL_GROUP_USERS | Optional | Users in wheel group for pam_wheel.so | root |
Onboarding the Server connector
- Log on to Cloud Security with your registered credentials.
- Select Configure icon > Connectors.
- Click Add Connector.
- Under Connector Type > On Premise Connectors (Installable), click Server Connector and then click Continue.
- In the Connector Name tab, specify a name for the connector.
This name must be unique and must not have already been created.
If the name entered is not already displayed on the Manage Connectors page, a green check mark and available label appear next to the field. - From the Environment drop-down, choose On Premise (to execute compliance on on-premise servers) or AWS (to execute compliance on AWS EC2 instances).
(On-premise only) Type the path where the on-premise targets file is located (for example, on Windows, C:\\Temp.servers.txt).
This file specifies where the connector runs, and triggers the compliance against the server. Multiple servers can be added in the file with comma-separated endpoints that are each accessible by the connector. For example:- (AWS only) Specify the following AWS properties for the account to be scanned.
In this environment, you can run compliance on AWS EC2. The connector must be deployed on the host on which the RSCD agent connects to the EC2 instances.- AWS Account Access Key: The key that uniquely identifies the user who owns the account
- AWS Account Secret Key: The key that plays the role of a password
- AWS Account Region: The geographical area in which AWS compliance will run.
To search for a region, type the name in the Filter options search field. A minimum of 3 characters is required in the field.
To select all regions, click Select all. The number of selected options displays at the top of the menu.
(For currently selected items only) To clear your selections and return to the default menu, click Clear. EC2(s) field to resolve hostname: The field in the AWS EC2 instance used to be used by the Server connector to connect to the agents.
The connector can communicate with AWS EC2s using one of the following options:
Private DNS. Private DNS name. For this option the connector must be deployed within the VPC from where it connects to the server endpoints using Private DNS as the hostname.
Public DNS. Public DNS name. For this option the connector must be deployed within the network from where it connects to the server endpoints using Public DNS as the hostname.
Private IP. Private IP. For this option the connector must be deployed within the network from where it connects to the server endpoints using Private IP as the hostname.
Public IP. Public IP. For this option the connector must be deployed within the network from where it connects to the server endpoints using Public IP as the hostname.
Any. Any option. The connector attempts to communicate with AWS EC2s using any of the Private DNS, Public DNS, Private IP, or Public IP options in that order until a connection is established.
For this option the connector must be deployed within the network from where it connects to the server endpoints using any of the options as the hostname.
- Specify the Schedule in hours or minutes for which Server resources will be periodically collected and evaluated.
(Optional) Click Show Advanced configuration details and select one of the following modes that the connector will use for communication from the Communication Mode menu:
- No Certificate. The connector does not use a certificate during communication. Note that this is an unsecured mode of communication.
- Existing Certificate. The connector uses an existing certificate during communication. To establish this secured mode of communication, specify the following additional options:
Certificate File Path. The full directory path where the certificate file is located.
The connector will search this directory for the certificate and use it during communication when it runs.
- Certificate User. The name of the user that created the certificate.
- Certificate User Passphrase. The passphrase specified by the user that created the certificate.
Push certificate to agents using connector. Determines if the connector pushes the certificate to the agent when it connects. Select the True or False option button.
For more information about pushing the connector to the agent, see Provisioning agents and repeaters with a SHA1 fingerprint of the Application Server self-signed certificate (Windows).
- System-generated Certificate. The connector uses a system-generated certificate generated in the cloud, and the certificate downloaded and included with the connector for communication when it runs.
To establish this secured mode of communication, specify if the connector pushes the certificate to the agent when it connects by selecting the True or False option button.
To hide the advanced configuration options panel, click the Hide Advanced configuration details toggle.
- Click Continue.
- The next page will take you to the "Download" tab to download the RSCD agent.
- If the download does not start automatically, click Download Connector setup and unzip the Server Connector.zip file using any standard compression tool.
The zip file will have the name that you specified for the connector in Step 4.- (Windows) Double-click run.bat to run the connector in your target environment.
(Linux) Execute the command chmod +x run.sh to grant execute permissions to the run.sh file. Then run the connector using the run.sh command.
In on-premise mode, the connector returns how many targets were located from the targets file specified in Step 6.
- Click Continue.
- Select the compliance policies that you want to use to evaluate your Server connector resources.
To update a policy that you have selected, if an update is available, click Update in the information banner to the right of the selected policy and then click Update Policy on the confirmation message that appears..
- Click Continue.
The connector is authenticated, pushed to and available in Cloud Security, and the policies can be evaluated based on the schedule and communicate modes (if applicable) that you have set.
As soon as the connector begins sending data, it displays in the green 'Running' state. It then collects the data and begins publishing it back to Cloud Security. - If the user wants to download the RSCD files, you can still download from the server connector "Download RSCD files" for Windows and Linux files.
After clicking on the "Download RSCD files" there will be a pop up windows of "Download RSCD Agent" refer to the below screenshot.
Running the Server connector as a service (Windows)
As an alternative to running the Server connector with a batch file, you can run the connector as a service on Windows using the install.bat file that is downloaded with the connector during onboarding.
- Locate the install.bat file in your connector setup location where you downloaded the Server connector.
At a Command Prompt, at the same location as the install.bat file, type the following command:
The Server connector service is created and started.
- In the Windows Start menu, type services to open the Services dialog.
- Scroll down and locate BMC Server Connector in the list and verify that the Status is Running.
- To check the status of the service, at a Command Prompt, type install.bat status.
To start or stop the service, type start or stop after the install.bat command.
For help with all available commands with the service and their usage, type install.bat help.
When the Server connector is started, it continues running and collecting data based on the schedule set during onboarding in the applications.properties file.
Running the Server connector as a service (Linux)
You can also run the connector as a service on Linux systems using the install.sh file that is downloaded with the connector during onboarding.
- Locate the install.sh file in your connector setup location where you downloaded the Server connector.
- Install the connector using the install.sh command.
The Server connector service is created and started.
When the Server connector is started, it continues running and collecting data based on the schedule set during onboarding in the applications.properties file.
Performing next steps
To manage connector configuration and settings, see Managing-connectors.
To assess the resources including why a rule failed, see Managing resources.
For troubleshooting common problems, see Troubleshooting Server connector issues.