This topic describes the system requirements for implementing BMC Helix Cloud Security in your environment. Requirements fall into the following categories:
Operating systems and browsers
The following table lists the requirements for the various components required to use Cloud Security:
Disk space required
|Computer on which the connector is downloaded||Java OpenJDK 11.0.2||10 MB or more to allow the logs to grow|
Google Chrome (Versions 64 to Chrome 80 beta)
Microsoft Edge (Versions 41.16 to 42.17)
Currently, Edge browsers do not support the ability to export data to PDF. Therefore, in Policy, the Export to PDF functionality is unavailable on the Dashboard and Transaction Utilization page. This feature is still available using Chrome browsers.
Connector prerequisites and CIS Benchmarks
Ensure that you have the minimum permissions required to run compliance. You specify these permissions in the Permissions tab in AWS, which lists the minimum set of AWS Policies that an IAM user must have for the AWS connector to run.
Ensure that the computer on which the connector is downloaded has Java OpenJDK 11.0.2 installed on it, and that all Azure prerequisites detailed in Microsoft's documentation are met, including a Subscription ID, Active Directory permissions, a tenant ID, and key vault permissions.
This version of Cloud Security supports the Center for Internet Security (CIS) Microsoft Azure Foundations Benchmark version 1.0.0 for Microsoft Azure.
For more information, see Azure On-Premise Connector.
The Docker connector enables you to collect data from Docker Containers, Docker Hosts, and Docker Daemons, and evaluate Docker content against the Center for Internet Security (CIS) Docker 1.12 Benchmark. This policy is created based on the recommended Docker Host, Docker Container, and Docker Daemon settings defined by CIS Docker 1.12.0 Benchmark Version 1.0.0, published on August 8th, 2016.
Ensure that the computer on which the connector is downloaded meets prerequisites for either single host or clustered (Kubernetes) deployments.
This release supports CIS Docker 1.12.0 and 1.13.0 for both single host and Kubernetes environments.
For more information, see Docker Connector.
Ensure that you have the minimum permissions required to run the connector.
For more information, see Minimum Permissions for GCP Connector.
The Kubernetes connector enables you to collect data from Docker Containers, Docker Hosts & Docker Daemons and evaluate Docker content against the Center for Internet Security (CIS) Docker 1.12.0 and 1.13.0 for both single host and Kubernetes environments.
Kubernetes connector requires that the HTTPS (default 443) port is opened for outbound connectivity to internet. If URLs are whitelisted, provide access to the following URLs to communicate to BMC Helix Cloud Security -
OpenShift connector requires that the HTTPS (default 443) port is opened for outbound connectivity to internet. If URLs are whitelisted, provide access to the following URLs to communicate to BMC Helix Cloud Security:
The connector machine must have internet connectivity so that the connector can communicate with Cloud Security. The connector machine must also be synced to the BMC Helix Orchestration instance and must have Java OpenJDK 11.0.2 and Google Chrome browser installed.
If you installation OpenJDK 11.0.2 using the zip, set the global path. You will have to restart the machine if you want to configure Orchestration Connector as a Service.
An on-premise TSO with TSO workflows should be readily available at the customer end, which will communicate with the ITSM already imported.
Ensure that the connector and target environments meet required prerequisites before onboarding the Server connector.For more information, see Server connector.
Policies for remediation actions
Currently, remediation actions are available and supported for the following AWS policies:
|Policy||Resource Type||Current Limitations|
CIS Amazon Web Services Foundations Benchmark
Before remediating violations, you must provide the name of the SNS topic from your AWS account as a remediation parameter.
The SNS topic must:
After a rule is remediated: