System requirements

This topic describes the system requirements for implementing BMC Helix Cloud Security in your environment. Requirements fall into the following categories:

Operating systems and browsers

The following table lists the requirements for the various components required to use Cloud Security:

Component | Operating systems | Disk space required

Computer on which the connector is downloaded | Java OpenJDK 11.0.2 | 10 MB or more to allow the logs to grow

Browsers

Google Chrome (Versions 64 to Chrome 80 beta)

Microsoft Edge (Versions 41.16 to 42.17)

Note

Currently, Edge browsers do not support the ability to export data to PDF. Therefore, in Policy, the Export to PDF functionality is unavailable on the Dashboard and Transaction Utilization page. This feature is still available using Chrome browsers.
 

Connector prerequisites and CIS Benchmarks

Connector | Requirements

AWS On-Premises

Ensure that you have the minimum permissions required to run compliance. You specify these permissions in the Permissions tab in AWS, which lists the minimum set of AWS Policies that an IAM user must have for the AWS connector to run.

Azure

Ensure that the computer on which the connector is downloaded has Java OpenJDK 11.0.2 installed on it, and that all Azure prerequisites detailed in Microsoft's documentation are met, including a Subscription ID, Active Directory permissions, a tenant ID, and key vault permissions.

This version of Cloud Security supports the Center for Internet Security (CIS) Microsoft Azure Foundations Benchmark version 1.0.0 for Microsoft Azure.

For more information, see Azure On-Premise Connector.

Chef

Ensure that the computer on which the connector is downloaded meets prerequisites for both the Chef Workstation and the Chef Development Kit.

For more information, see Chef connector.

Docker

The Docker connector enables you to collect data from Docker Containers, Docker Hosts, and Docker Daemons, and evaluate Docker content against the Center for Internet Security (CIS) Docker 1.12 Benchmark. This policy is created based on the recommended Docker Host, Docker Container, and Docker Daemon settings defined by CIS Docker 1.12.0 Benchmark Version 1.0.0, published on August 8th, 2016.

Ensure that the computer on which the connector is downloaded meets prerequisites for either single host or clustered (Kubernetes) deployments.

This release supports CIS Docker 1.12.0 and 1.13.0 for both single host and Kubernetes environments.

For more information, see Docker Connector.

Server

Ensure that the connector and target environments meet required prerequisites before onboarding the Server connector.

For more information, see Server connector.

Policies for remediation actions

Currently, remediation actions are available and supported for the following AWS policies:

Policy | Resource Type | Current Limitations

CIS Amazon Web Services Foundations Benchmark

CloudTrail

Before remediating violations, you must provide the name of the SNS topic from your AWS account as a remediation parameter.

The SNS topic must:

  • Reside in the same AWS region as the corresponding CloudTrail and CloudWatch LogGroup.
    For example, if the CloudTrail and CloudWatch log groups are in the us-east-1 region, the SNS topic whose name you provide as the remediation parameter must also be in that region.
  • Contain at least one subscription that is confirmed, so that a subscription entry in the Subscription ID column has an ARN value (for example, arn:aws:sns:us-east-1:875062582069:East1_Topic:26aa2d24-aa85-471f-812b-d9f7ca4fa2b1).
IAM Credentials

After a rule is remediated:

  • The SDK/API queries take 4 hours to return the remediation values to Cloud Security.
  • The key should be deleted and a new one created. Instead of doing this, Cloud Security deactivates the key so that you can take appropriate measures before deleting it and creating a new one.
KMS
  • Although the KMS key might contain multiple aliases, the UI displays only one.
  • If the KMS key is in the Disabled state, the UI shows a status of Compliant with the KMS key disabled.

  • If the KMS key is in the Pending Deletion state, the UI shows a status of Compliant with the KMS key pending deletion.
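
A pre-remediation check for the two SNS topic requirements listed under CloudTrail above, as an added example that is not BMC's code. It assumes subscription records shaped like the SNS ListSubscriptionsByTopic response, where an unconfirmed subscription reports PendingConfirmation in place of an ARN; the function names, account ID, and resource names are constructed.

```python
"""Check an SNS topic against the CloudTrail remediation rules (added example)."""


def arn_region(arn: str) -> str:
    """Return the region field of arn:partition:service:region:account:resource."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn!r}")
    return parts[3]


def is_confirmed(subscription: dict) -> bool:
    """Confirmed subscriptions carry a real SNS ARN; pending ones carry
    the literal string 'PendingConfirmation' in SubscriptionArn."""
    sub_arn = subscription.get("SubscriptionArn", "")
    return sub_arn.startswith("arn:") and ":sns:" in sub_arn


def check_sns_topic(topic_arn, trail_arn, log_group_arn, subscriptions):
    """Return a list of problems; an empty list means both rules are met."""
    problems = []
    topic_region = arn_region(topic_arn)
    # Rule 1: topic must share a region with the trail and the log group.
    for label, arn in (("CloudTrail", trail_arn),
                       ("CloudWatch log group", log_group_arn)):
        region = arn_region(arn)
        if region != topic_region:
            problems.append(f"{label} is in {region}, SNS topic is in {topic_region}")
    # Rule 2: at least one subscription on this topic must be confirmed.
    own = [s for s in subscriptions if s.get("TopicArn") == topic_arn]
    if not any(is_confirmed(s) for s in own):
        problems.append("SNS topic has no confirmed subscription")
    return problems


# Constructed sample data (not taken from a real account).
TOPIC = "arn:aws:sns:us-east-1:111122223333:East1_Topic"
TRAIL = "arn:aws:cloudtrail:us-east-1:111122223333:trail/main-trail"
LOG_GROUP = "arn:aws:logs:us-east-1:111122223333:log-group:CloudTrail/logs:*"
SUBS = [
    {"TopicArn": TOPIC, "Protocol": "email",
     "SubscriptionArn": "PendingConfirmation"},
    {"TopicArn": TOPIC, "Protocol": "https",
     "SubscriptionArn": TOPIC + ":00000000-constructed-subscription-id"},
]

if __name__ == "__main__":
    print(check_sns_topic(TOPIC, TRAIL, LOG_GROUP, SUBS) or "OK")
```
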

