System requirements

This topic describes the system requirements for implementing BMC Helix Cloud Security in your environment. Requirements fall into the following categories:

Operating systems and browsers

The following table lists the requirements for the various components required to use Cloud Security:

Computer on which the connector is downloaded
  • Operating system: Java OpenJDK 11.0.2
  • Disk space required: 10 MB or more, to allow the logs to grow

Browsers
  • Google Chrome (versions 64 to Chrome 80 beta)
  • Microsoft Edge (versions 41.16 to 42.17)

Note

Currently, Edge browsers do not support the ability to export data to PDF. Therefore, in Policy, the Export to PDF functionality is unavailable on the Dashboard and Transaction Utilization page. This feature is still available using Chrome browsers.

Connector prerequisites and CIS Benchmarks

AWS On-Premises

Ensure that you have the minimum permissions required to run compliance checks. You specify these permissions in the Permissions tab in AWS, which lists the minimum set of AWS policies that an IAM user must have for the AWS connector to run.

Azure

Ensure that the computer on which the connector is downloaded has Java OpenJDK 11.0.2 installed on it, and that all Azure prerequisites detailed in Microsoft's documentation are met, including a Subscription ID, Active Directory permissions, a tenant ID, and key vault permissions.

This version of Cloud Security supports the Center for Internet Security (CIS) Microsoft Azure Foundations Benchmark version 1.0.0 for Microsoft Azure.

For more information, see Azure On-Premise Connector.

Docker

The Docker connector enables you to collect data from Docker Containers, Docker Hosts, and Docker Daemons, and evaluate Docker content against the Center for Internet Security (CIS) Docker 1.12 Benchmark. This policy is created based on the recommended Docker Host, Docker Container, and Docker Daemon settings defined by CIS Docker 1.12.0 Benchmark Version 1.0.0, published on August 8th, 2016.

Ensure that the computer on which the connector is downloaded meets prerequisites for either single host or clustered (Kubernetes) deployments.

This release supports CIS Docker 1.12.0 and 1.13.0 for both single host and Kubernetes environments.

For more information, see Docker Connector.

GCP

Ensure that you have the minimum permissions required to run the connector.

For more information, see Minimum Permissions for GCP Connector.

Kubernetes

The Kubernetes connector enables you to collect data from Docker Containers, Docker Hosts, and Docker Daemons, and evaluate Docker content against the Center for Internet Security (CIS) Docker 1.12.0 and 1.13.0 Benchmarks, for both single host and Kubernetes environments.

The Kubernetes connector requires that the HTTPS port (default 443) is open for outbound connectivity to the internet. If URLs are whitelisted, provide access to the following URLs so that the connector can communicate with BMC Helix Cloud Security:

  • Ensure that the SSH port (default 22) is open outbound to the Kubernetes hosts.
OpenShift

  • Ensure that the computer on which the connector is downloaded has Java OpenJDK 11.0.2 installed on it.
  • This release supports CIS Docker 1.12.0 and 1.13.0.
  • The OS on the Docker host must be Ubuntu 16, Red Hat Enterprise Linux 7, or CentOS 7.
  • For this release, BMC Helix Cloud Security supports OKD 3.11 on CentOS 7.

The OpenShift connector requires that the HTTPS port (default 443) is open for outbound connectivity to the internet. If URLs are whitelisted, provide access to the following URLs so that the connector can communicate with BMC Helix Cloud Security:

  • The connector needs a minimum of 100 MB of disk space.
  • Passwordless sudo must be configured for the user account that runs the OpenShift connector.
  • The connector must be deployed on a Linux machine with SSH connectivity to the master and worker nodes.
  • The connector machine must have kubectl and oc (the OpenShift CLI) configured on it.
Orchestration

The connector machine must have internet connectivity so that the connector can communicate with Cloud Security. The connector machine must also be synced to the BMC Helix Orchestration instance and must have Java OpenJDK 11.0.2 and the Google Chrome browser installed.

If you install OpenJDK 11.0.2 from the zip file, set the global path. You must restart the machine if you want to configure the Orchestration Connector as a service.

An on-premises TSO instance with TSO workflows must be readily available at the customer site; it communicates with the ITSM instance that has already been imported.

Server

Ensure that the connector and target environments meet required prerequisites before onboarding the Server connector.

For more information, see Server connector.

Policies for remediation actions

Currently, remediation actions are available and supported for the following AWS policies:

Policy: CIS Amazon Web Services Foundations Benchmark

Resource type: CloudTrail

Current limitations:

Before remediating violations, you must provide the name of the SNS topic from your AWS account as a remediation parameter.

The SNS topic must:

  • Reside in the same AWS region as the corresponding CloudTrail and CloudWatch LogGroup.
    For example, if the CloudTrail and CloudWatch log groups are in the us-east-1 region, the SNS topic whose name is provided in remediation must also be in that region.
  • Contain at least one subscription that is confirmed, so that a subscription entry in the Subscription ID column has an ARN value (for example, arn:aws:sns:us-east-1:875062582069:East1_Topic:26aa2d24-aa85-471f-812b-d9f7ca4fa2b1).
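The two conditions above are easy to get wrong when the topic name is typed into the remediation parameter by hand, so a pre-check is useful before remediation is triggered. The following script is an added example and is not part of the BMC documentation or product; it assumes the trail and subscription inputs are shaped like the boto3 responses of describe_trails and list_subscriptions_by_topic (an assumption, so that the check can run offline on the constructed sample data below). It validates that the topic, the trail and the CloudWatch log group share one region, and that at least one subscription is confirmed (an unconfirmed SNS subscription reports the literal "PendingConfirmation" in place of an ARN).

```python
"""Pre-check an SNS topic before supplying it as the CloudTrail remediation parameter.

Added example, not BMC's code. Inputs mimic boto3 describe_trails()["trailList"][i]
and list_subscriptions_by_topic()["Subscriptions"] (assumption); sample data is constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# An SNS subscription that has not been confirmed carries this literal instead of an ARN.
PENDING = "PendingConfirmation"


def arn_region(arn: str) -> str:
    """Return the region field of an ARN (arn:partition:service:region:account:resource)."""
    parts = arn.split(":", 5)
    if len(parts) < 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn!r}")
    return parts[3]


@dataclass
class TopicCheck:
    ok: bool
    problems: List[str] = field(default_factory=list)


def check_sns_topic(trail: Dict, topic_arn: str, subscriptions: List[Dict]) -> TopicCheck:
    """Validate one topic against the CloudTrail remediation prerequisites.

    trail: one describe_trails entry (TrailARN, CloudWatchLogsLogGroupArn).
    subscriptions: the Subscriptions list for that topic.
    """
    problems: List[str] = []
    topic_region = arn_region(topic_arn)

    # Rule 1: topic, trail and CloudWatch log group must share a region.
    trail_region = arn_region(trail["TrailARN"])
    if topic_region != trail_region:
        problems.append(f"topic is in {topic_region} but the trail is in {trail_region}")
    log_group_arn = trail.get("CloudWatchLogsLogGroupArn")
    if not log_group_arn:
        problems.append("trail does not deliver to a CloudWatch log group")
    else:
        lg_region = arn_region(log_group_arn)
        if lg_region != topic_region:
            problems.append(f"topic is in {topic_region} but the log group is in {lg_region}")

    # Rule 2: at least one subscription must be confirmed (has a real ARN).
    confirmed = [s for s in subscriptions if s.get("SubscriptionArn", PENDING) != PENDING]
    if not confirmed:
        problems.append("topic has no confirmed subscription")

    return TopicCheck(ok=not problems, problems=problems)


# Constructed sample data (placeholder account id, not a real account).
SAMPLE_TRAIL = {
    "Name": "management-events",
    "TrailARN": "arn:aws:cloudtrail:us-east-1:123456789012:trail/management-events",
    "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:123456789012:log-group:CloudTrail/Logs:*",
}
GOOD_TOPIC = "arn:aws:sns:us-east-1:123456789012:East1_Topic"
WRONG_REGION_TOPIC = "arn:aws:sns:us-west-2:123456789012:West2_Topic"
GOOD_SUBS = [{
    "SubscriptionArn": GOOD_TOPIC + ":11111111-2222-3333-4444-555555555555",
    "Protocol": "email",
    "Endpoint": "secops@example.com",
}]
PENDING_SUBS = [{"SubscriptionArn": PENDING, "Protocol": "email", "Endpoint": "secops@example.com"}]

if __name__ == "__main__":
    for label, topic, subs in [
        ("good topic", GOOD_TOPIC, GOOD_SUBS),
        ("wrong region", WRONG_REGION_TOPIC, GOOD_SUBS),
        ("unconfirmed", GOOD_TOPIC, PENDING_SUBS),
    ]:
        result = check_sns_topic(SAMPLE_TRAIL, topic, subs)
        print(f"{label}: {'OK' if result.ok else 'NOT OK'} {result.problems}")
```

Against live AWS, the same function can be fed the output of `describe_trails` and `list_subscriptions_by_topic` for the topic name you intend to enter; only topics that return `ok=True` should be supplied as the remediation parameter.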
Resource type: IAM Credentials

Current limitations:

After a rule is remediated:

  • The SDK/API queries take 4 hours to return the remediation values to Cloud Security.
  • Ideally, the key would be deleted and a new one created. Instead, Cloud Security deactivates the key so that you can take appropriate measures before deleting it and creating a new one.

Resource type: KMS

Current limitations:

  • Although the KMS key might have multiple aliases, the UI displays only one.
  • If the KMS key is in the Disabled state, the UI shows a status of Compliant with the KMS key disabled.
  • If the KMS key is in the Pending Deletion state, the UI shows a status of Compliant with the KMS key pending deletion.

