Important

   

This documentation space contains information about PATROL Agents when deployed in a BMC Helix Operations Management environment. If you are a TrueSight Operations Management user, see PATROL Agent 21.02. Open link

Security planning

This topic gives background information about the methods of maintaining security for the PATROL Agent, lists default ownership and permissions for the PATROL Agent, and tells you how to change the ownership and permissions. This topic contains the following sections:

Access control list

The Access Control List (ACL) controls which users are authorized to connect to a PATROL Agent, in which modes and from which hosts. An agent configuration variable defines the ACL. The ACL configuration variable is described in Defining Access Control ListsFor information about setting up an ACL, see Controlling access to the Agent.

Security levels

Allows you to install one of the five security-level policies to secure the data flow. For more information, see Chapter 1 of PATROL Security User Guide.

PATROL access control

You can control the access by setting the definitions in patrol.conf file. For more information, see Securing PATROL Agent from the pconfig clients.

Application accounts

You can instruct the PATROL Agent to use separate accounts for individual applications and instances. For more information about how to specify which accounts are used for which commands, see Establishing accounts and ports.

User accounts

The default account for the PATROL Agent to run commands is specified by the defaultAccount variable in the agent configuration file. The PATROL Agent cannot run application discovery and parameters properly without a valid user name. For more information, see Default ownership and permissions for files.

Firewall requirements

If your environment is protected by firewalls, you may have to modify the firewall configuration to accommodate the PATROL. For information about installing and configuring a PATROL Agent in an environment with firewalls, see Installing PATROL Agents.

Ownership and permissions

The PATROL_HOME/log and PATROL_HOME/config directories are created when the PATROL Agent process is run for the first time. At that time, the ownership and permissions of the PATROL Agent log and configuration directories are set. If the PATROL_ADMIN environment variable is set, it specifies the user who owns the newly created log and configuration files. If the PATROL_ADMIN environment variable is not set, the PATROL default account user owns all the files.

For more information, see Default ownership and permissions for files.

The default ownership and permissions of the PATROL Agent log and configuration directories are set according to the following table:

Directories for ownership and permissions of agent log

Directory Name

Owner

Permissions

WindowsUnixWindowsUnix

log

SYSTEM, Administrators Group, defaultAccount, Users

defaultAccount

Full Control

0755

bin

SYSTEM, Administrators Group, defaultAccount, Users

defaultAccount

Full Control

0755

config

SYSTEM, Administrators Group, defaultAccount, Users

defaultAccount

Full Control

0755

The following table shows the default ownership and permissions of the log and configuration files: 

Default owner and permissions of log and configuration files

Fine name

Owner

Permissions

WindowsUnixWindowsUnix

config/config_<host>-<port>

SYSTEM, Administrators, /AgentSetup/defaultAccount

defaultAccount

Change

0644

log/PatrolAgent_<host>-<port>_.errs

SYSTEM, Administrators, /AgentSetup/defaultAccount

defaultAccount

Change

0644

log/history/<host>/<port>/dir

SYSTEM, Administrators, /AgentSetup/defaultAccount

defaultAccount

Change

0644

log/history/<host>/<port>/annotate.dat

SYSTEM, Administrators, /AgentSetup/defaultAccount

defaultAccount

Change

0644

log/history/<host>/<port>/param.hist

SYSTEM, Administrators, /AgentSetup/defaultAccount

defaultAccount

Change

0644

log/PEM_<host>-<port>.log

SYSTEM, Administrators, /AgentSetup/defaultAccount

defaultAccount

Change

0644

Enhanced encryption mechanism

PATROL Agents use the Advanced Encryption Standard with Galois/Counter Mode (AES-GCM) to decrypt the BMC Helix Operations Management policy passwords.

Note

Current version of the PATROL Agent is backward compatible with the older encryption mechanisms.

Was this page helpful? Yes No Submitting... Thank you

Comments