Security planning
Review the following topics for information about how BMC Database Automation provides security and for recommendations on deploying securely:
Security overview
Security within the BMC Database Automation product is comprised of robust authentication mechanisms, flexible and granular Role Based Access Controls (RBAC), and comprehensive monitoring. This makes BMC Database Automation well suited for complex enterprise organizations, such as financial institutions or service providers, where portions of the database infrastructure are managed by different teams that must operate autonomously due to regulatory separation of duty policies.
BMC Database Automation is handled at multiple tiers:
- Using the management GUI, users can access the web interface based on the product's RBAC mechanisms.
- At a transport level, all of the communications between the management server and the agents are encrypted using SSL, with both server and client certificates being presented. This means that a malicious party cannot masquerade as an agent nor a manager, and that all of the communications are secured against third-party discovery or injections.
- Application-level security is provided by encryption and digital signatures of all of the workflow libraries on the management server (these libraries are what interpret, for example, how to run the Oracle installer), with the keys embedded in the management server code and the agent. This prevents a malicious party from gaining privileged access to the management server and modifying the instructions the management server sends to the agents.
All of the commands that are run are centrally logged and audited on the management server. For any job that is run, a user with the correct privileges can bring up a log file with the commands, arguments, outputs, and associated log files. For information about this and other security-based administrative tasks that can be managed and configured in BMC Database Automation, see Performing security administration tasks.
Note
Beginning with BDA 8.8, an optional sample_rbac_setup.pl
script is provided in /app/clarity/manager_scripts/bin that automatically generates a pre-defined set of roles containing pre-defined capabilities in each role. This enables you to instantly configure a comprehensive default RBAC starting point (for Roles only) on a new Manager so that you do not have to define the entire Security plan using the GUI.
Security assessment FAQs
Question | Response |
---|---|
Does product development follow a Security Development Lifecycle (SDL) Process? | No. The BMC Database Automation product does not follow a formal SDL process. However, many aspects of the SDL process are done during our development lifecycle and are documented as follows. |
Do you conduct security reviews? If so, what? | Yes. Security-related product testing is done as part of each release. In addition, the BMC AppSec team performs penetration and other security tests on our product prior to each release. |
Do you use any tools to test for vulnerabilities? | Yes. Although most of of the testing is done manually, the BMC AppSec team also uses Burp Suite(Pro), a web proxy tool. |
Can you provide the results of these vulnerability reviews performed? | Yes. We can provide the report from the BMC AppSec team upon request. |
Have you closed on vulnerabilities found for the subject application using these application security reviews? | Yes. All High/Severe issues are required to be closed before releasing the software as part of our Quality Certification (QCert) checkpoint; low/medium issues are reviewed and assessed on a case-by-case basis. |
Are you committed to perform regular security reviews of the application and resolving vulnerabilities identified? | Yes, BMC is committed to resolve all Common Vulnerability Scoring System (CVSS) High and Critical vulnerabilities found in our code and remediate any found in 3rd party components we include and ship with our product. BMC's AppSec team performs regular penetration tests during the product's release lifecycle. See www.bmc.com/security for BMC's disclosure and alert details. BMC and the BMC Database Automation product are committed to monitor, find, and resolve security-related product issues both during our release process and after releases are available to customers. For the BMC Network Automation Product:
|
Is the product FIPS-140 compliant? | No. |
What type of encryption is used for storing sensitive data? | Communication between the management server and the agents are encrypted using SSL, with both server and client certificates being presented. This means that a malicious party cannot masquerade as an agent nor a BMC Database Automation manager, and that all of the communications are secured against third-party discovery or injections. |
What kind of encryption is used when the database is not fully encrypted, for example, when using Oracle? | Application-level security is provided by encryption and digital signatures of all of the workflow libraries on the management server (these libraries are what understand, for example, how to run the Oracle installer), with the keys embedded in the management server code and the agent. This prevents a malicious party from gaining privileged access to the management server and modifying the instructions the management server sends to the agents. Users can be centrally authenticated against LDAP or AD, so when a user leaves the company, simply disabling their user in AD will prevent them from logging in to the GUI. |
RBAC access control
Role Based Access Controls (RBAC), separate from the database server OS-level permissions, enable users to control access to execute commands in BMC Database Automation against servers where they do not have OS-level access. RBAC provides a mechanism for restricting user access and defining segregation of duties based on the concept of roles, groups, and capabilities, where BMC Database Automation users are members of groups and groups are assigned roles (which contains one or more capabilities). For more information about managing RBAC, see Managing the RBAC access controls.
Roles
Groups
A group consists of one or more users. Each group has roles assigned and is granted access to domains. A user can be a member of more than one group. Groups can be granted different roles in different domains or the same role in different domains. When more than one role is granted to the same group on the same domain, the result is cumulative capabilities.
Note
Because roles are assigned to groups rather than to individual users, a user must be a member of a group to be assigned a role.
To create a group, do the following:
- From the Management Console main page, select Security > Groups within the Context Frame.
- In the Groups Content page, click Create New Group.
- In the Group Information page, enter a Name and Description for the group, and click Next.
To select an available role, click add corresponding to the role in the Grants page.
You are prompted with the list of domains for granting access.Select the check boxes for the associated domains or subdomains and click OK. Repeat for each role added.
Notes
- Selecting Grid, the root level, grants access to all domains and subdomains.
- Selecting all subdomains in a domain is not equivalent to selecting the parent domain. Selecting the parent domain grants access on all current subdomains and subdomains added to this domain going forward.
- Roles and domain grants appear in the Modified Grants section at the bottom of the page.
- Click Next.
- In the Users Information page, add members to this group by clicking the add link next to the appropriate users.
Information about the selected users appear in the Modified Users section at the bottom of the page. - Click Next.
The Summary page displays the configuration details. - In the Summary page, click Go to to make changes for that section.
- Click Create Group.
Users
BMC Database Automation user accounts include the full name, user name, password and the groups in which a user is a member. Users must be members of a group to be granted permissions. The group membership for a user determines their assigned roles and granted domains. A user can be a member of more than one group.
Note
Users who do not have group assignments are only allowed to edit their own password.
To create a user, do the following:
- From the Management Console main page, select Security > Users in the Context Frame.
- Click Create New User.
- In the User Information page, enter the following information in the Create User form, and click Next.
- Username
First Name
Last Name
Department (optional)
Password
Confirm Password
Note
When using internal authentication, passwords must meet the requirements specified. See Configuring internal authentication for details.
Available Groups
In the Available Groups section of the Group page, assign group membership for this user by clicking the add link next to the wanted groups.
Any groups selected are moved to the Modified Groups section.Modified Groups
- Click Create User.
Security implementation examples
Typical enterprise level implementations of BDA include the setup of Roles and Groups that segregate the activities of engineering and operational DBAs. For example, engineering DBAs might only be allowed to create and test patch packages on non-production servers that are published to operational DBAs. As a result, the operational DBAs would only be able to apply or roll back patch packages to production servers but not modify those packages.
Another common example is for non-DBAs (such as DBA Managers) to be granted access to BMC Database Automation only to view DBA activity, check OS and database versions and physical CPU counts, or to run reports without the ability to initiate any other intrusive database-related activities (such as patching or provisioning).
Best practice
For example, they might start a model whereby all Oracle DBAs can see all Oracle servers for activities such as provisioning and patching, but not be able to view any Actions that have already been created. Over time, those Actions might be published to certain groups, users, and databases, according to specifications enforced by security teams and management.
Authentication
BMC Database Automation includes its own credential store internally by default. However, in a large enterprise implementation, it is very common to want to authenticate off of a central authentication mechanism.
BMC Database Automation provides the ability to authenticate off of LDAP or Active Directory, and to configure authentication settings including password expiration time and grace period, password complexity requirements, and password lockout policy. For more information, see Configuring authentication.
Data security
All of the communications between the management server and the agents are encrypted using SSL, with both server and client certificates being presented. This means that a malicious party cannot masquerade as an agent nor a BDA manager, and that all of the communications are secured against third-party discovery or injections. All of the workflow libraries on the management server require digital signatures and are encrypted with the keys embedded in the management server code and the agent. This prevents a malicious party from gaining privileged access to the management server and modifying the instructions the management server sends to the agents.
Additional security considerations
The following sections detail additional measures you can take to ensure the security of your BMC Database Automation implementation.
Scanning for malicious files
Disabling the Autocomplete browser feature
Browsers implement the Autocomplete feature that keeps track of information that has been recently and repetitively submitted, such as web addresses, information in forms (user name and passwords), and search queries. Enabling Autocomplete by default prevents the web browser from specifically caching the login_password fields. To disable the web browser Autocomplete feature, open the /app/clarity/dmanager/etc/d2500_config file on the Manager with a text editor and set prevent_password_auto_complete
to true
.
Comments
Log in or register to comment.