Security guidelines for the PATROL Agent

This topic lists the security guidelines for the PATROL Agent and related components.

Securing files with sensitive information

  • Restrict access to files containing sensitive information such as certificates, or user credentials must be secured by restricting the access to all types of users except the owner.
  • Lock down the access to files that provide the capability to encrypt or decrypt the data containing sensitive or confidential information, such as sec_encrypt_p3x.exe or mcxpagent.exe.
  • Do not store the files containing sensitive data on the network shares with an open access.

Note

The above security guidelines are applicable for all the PATROL components.

Securing access to the PATROL Agent

  • Use the Agent Access Control List (ACL) to restrict the access to the PATROL Agent. For more information, see Controlling access to the agent.

    Notes

    • The above security guideline is applicable only to PATROL Agent-side ACL.
    • Applicable only to PATROL 3.x and PATROL 7.x architecture environments, except the client connection for configurations.
  • Use the PATROL Agent selection criteria in the Infrastructure Monitoring Administration authorization profile for policy management. For more information, see the following topics:

    • Creating, editing, and deleting PATROL Agent ACLs
    • Policy management

Note

  • The PATROL Agent ACL defined in Infrastructure Monitoring Administration doesn't overlap with the Agent ACLs defined within the PATROL Agent
  • Use a valid username and password for the PATROL Agent configuration utility (pconfig). For more information, see the following topics:

  • Control the PATROL Agent access for configurations using Agent ACLs.

  • Allow the connection to the PATROL Agent from a specific host, a specific user, and with a required connection mode. For more information, see Controlling access to the agent.

  • Use the role-based access control to restrict the operations performed by an operator. For more information, see the following topics:

    • Role-based access  for TrueSight Presentation Server, TrueSight Infrastructure Management Server, and the Infrastructure Monitoring Administration.
    • PATROL Console Server and RTserver Getting Started for PATROL Console Server.

Securing the communication

  • Configure the PATROL Agent with the minimum security level set as 3. For more information, see PATROL Security User Guide.
  • Generate signed certificates for the secure communication. For more information, see the following:

Securing the system running PATROL Agent

  • Disable the system output window (SOW) in PATROL consoles. For more information, see Controlling the system output window display.
  • Set the following permissions for authenticating users to run the agent query tool from Infrastructure Monitoring Administration to the PATROL Agent:
    • Allow execution of Agent Actions
    • Allow trusted connections to PATROL Agents

           For more information, see the following:

    • Performing actions on a PATROL Agent
    • Permissions reference

Securing monitored resources

Provide read-only access to the user accounts used for monitoring the resources such as Oracle, WebSphere, vCenter, and so on. Refer to the individual documentation spaces of the various knowledge modules for the similar set of security recommendations.

Related topics

Security planning for Infrastructure Management

Best practices for Infrastructure Management

Best practices for deploying TrueSight Operations Management

Considerations and best practices for interoperability with PATROL components

Was this page helpful? Yes No Submitting... Thank you

Comments