Security requirements

This section presents the following topics:

Do not store clear text passwords

The KM must not store clear text passwords in external files, the PATROL Agent namespace, or PATROL Agent configuration.

Use KM defaultAccount encryption method (PATROL Agent 3.7. x and earlier versions)

If the KM stores passwords in the agent configuration database, the KM must use configuration variables with the suffix, defaultAccount.


This requirement facilitates the migration of encrypted information in the event that the internal encryption key, used by misc_encrypt() and misc_decrypt(), is changed or when it is required to move storage of all sensitive data to a Secure Key Store (SKS).

Use Secure Key Store to store password (PATROL Agent version 3.8 and later)

The Secure Key Store (SKS) is an extended configuration database in which PATROL Agent stores the configuration data securely. The data stored is secured in a key format. The SKS data is stored in the %BMC_ROOT%\common\security\SKS\sks-hostName-portNumber.db file.

PATROL Agent enables you to configure SKS settings by using pconfig.

You can modify secure store data by using pconfig and store secured information. PATROL Agent adds a new branch, /SecureStore, to enable communication with the secure store data. The /SecureStore branch dispatches the SET/REPLACE requests on that branch to the secure store, after which the pconfig interface enables you to set data in the secure store.

You can add the /SecureStore branch by using pconfig, wpconfig (Windows), xpconfig (UNIX), PATROL Configuration Manager, or a PSL pconfig script by using the following format:

/SecureStore/var = { REPLACE = "context/data" }

For more information about using SKS, see BMC PATROL for Microsoft Windows Servers version 4.2.20 Release Notes.

Ensure passwords are not exposed

If the KM spawns a process that requires a password as a command-line argument, the KM must ensure that the password is not visible.

On UNIX, ensure the password is not viewable in the process list when the ps command is executed.

On Windows, ensure that the password is not viewable when the OS KM retrieves the command-line arguments.


This requirement applies to both PATROL Agents and consoles.

Use KM protocol security

If the KM uses protocols other than the PATROL protocols, the KM must document the use of the protocols so that customers can understand their level of security risk.

This item only applies to protocols that are used to communicate over the network. For example, if a KM uses HTTP to retrieve information from a Web server, the documentation must state that the KM uses HTTP to retrieve information over the network.

Document Windows advanced rights

If the KM runs on Windows, the KM must document the need for advanced user rights and what functionality will be disabled (loss of functionality) if each of the advanced rights does not exist.

Document group use

The KM must document the need for the agent default account to belong to administrator type groups (Administrators, Domain Admin, etc.) and what functionality will be disabled (loss of functionality) if the agent default account is not a member of the group.

Was this page helpful? Yes No Submitting... Thank you