Configuring security settings
This topic provides basic suggestions for configuring generic antivirus and intrusion prevention client software on systems that make up a BMC Cloud Lifecycle Management environment. It includes the following subsections: Directories to exclude, Services, Ports, and Security information for component products.
Antivirus and intrusion prevention clients focus on the assessment and prevention of malicious attacks against the systems they protect. This assessment scrutinizes any files, connectivity, or behavior that the software determines are a potential risk, including unrecognized materials or an attempt to control other systems.
The nature of automation requires access to and control of other systems, as well as the use of various utilities and installers that could be mistakenly classified as a threat, so it is not unusual to see conflicts between intrusion prevention and automation efforts. Because each combination of environment and antivirus software produces unique results, supplying a detailed list of configuration settings that will meet all customer requirements is not possible. However, the settings listed below can be used as a baseline for initial settings that should minimize disruption of BMC Cloud Lifecycle Management services. If a full hardening exercise is desired or required to fully lock down BMC Cloud Lifecycle Management services using third-party products without a disruption to services, a full environment assessment, plus time to test and monitor specific third-party features and functions with BMC Cloud Lifecycle Management systems, is required.
Directories to exclude
This section provides a list of basic directories that should be excluded from antivirus and intrusion prevention scans. The intent is to keep CLM files and directories from being quarantined, blocked, or deleted by antivirus or intrusion detection services. Some of these systems may not apply to your specific environment, depending on the BMC build and services that have been implemented. If the installations did not use the default installation directories, replace the paths below with the paths that were used.
Core systems
System | Directories to exclude |
---|---|
BMC Server Automation servers | C:\Program Files\BMC Software\ |
BMC Server Automation file servers | C:\Program Files\BMC Software\ |
BMC Cloud Lifecycle Management cloud platform manager | C:\Program Files\BMC Software\ |
BMC Remedy AR System enterprise servers and web servers | C:\Program Files\BMC Software\ |
BMC Cloud Lifecycle Management cloud database server | C:\Program Files\BMC Software\ |
BMC Atrium Orchestrator servers | C:\Program Files\BMC Software\ |
BMC Network Automation | C:\Program Files\BMC Software\ |
Supplemental systems
System | Directories to exclude |
---|---|
BMC Server Automation PXE servers | C:\Program Files\BMC Software\ |
BMC Server Automation repeaters | C:\Program Files\BMC Software\ |
BMC Server Automation | C:\Program Files\BMC Software\ |
Target systems
System | Directories to exclude |
---|---|
Target VMware vCenter servers | C:\Program Files\BMC Software\ |
Services
BMC recommends that you set security software to not run real-time scans against the following trusted services that run as part of BMC Cloud Lifecycle Management.
Products | Services |
---|---|
BMC AR System Server - Cloud Portal and Database | Apache Tomcat Tomcat6 |
BMC Atrium Web Registry | Apache Tomcat atriumTomcat6 |
BMC Remedy AR Mid-Tier | Apache Tomcat Tomcat6 |
BMC Server Automation | BladeLogic Application Server |
BMC Atrium Orchestrator | BMC Atrium Orchestrator Access Manager and Repository |
BMC Network Automation | BCA-Networks TFTP Server |
Platform Manager | BMC CSM |
PXE Server | BladeLogic PXE Server |
BMC Network Device Agent | BCA-Networks Agent |
BBSA repeaters | BMC BladeLogic Advanced Repeater Service |
VCenter Server(s) | BMC BladeLogic RSCD Service |
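The two tables above (Directories to exclude and Services) are applied by hand in most antivirus consoles. The following PowerShell script is an added example, not part of the BMC documentation or of any BMC product, showing one way to turn those tables into exclusions on a host whose antivirus engine is Windows Defender (an assumption; other products need their own management commands). It only excludes directories that actually exist on the host and resolves each service display name from the Services table to the executable behind it, so that hosts which run only some of the components do not accumulate exclusions for software they do not have. Run it in an elevated PowerShell session on each CLM host.

```powershell
# Added example, not BMC's code. Assumes Windows Defender is the antivirus engine
# on this host (Add-MpPreference / Get-MpPreference are Defender cmdlets).

# Directory exclusions from the "Directories to exclude" tables. Replace the path
# if the product was installed somewhere other than the default directory.
$ExclusionDirs = @(
    'C:\Program Files\BMC Software\'
)

# Service display names from the Services table. Only the services installed on
# this host are resolved; the rest are reported and skipped.
$ServiceDisplayNames = @(
    'Apache Tomcat Tomcat6',
    'Apache Tomcat atriumTomcat6',
    'BladeLogic Application Server',
    'BMC Atrium Orchestrator Access Manager and Repository',
    'BCA-Networks TFTP Server',
    'BMC CSM',
    'BladeLogic PXE Server',
    'BCA-Networks Agent',
    'BMC BladeLogic Advanced Repeater Service',
    'BMC BladeLogic RSCD Service'
)

function Resolve-ServiceExecutable {
    # Returns the full path of the executable that backs a service display name,
    # or $null when no such service is installed on this host.
    # None of the display names above contain quotes, so no WQL escaping is done.
    param([Parameter(Mandatory)][string]$DisplayName)
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "DisplayName='$DisplayName'"
    if (-not $svc) { return $null }
    # PathName may be quoted and may carry arguments, for example
    #   "C:\Program Files\BMC Software\example\bin\svc.exe" //RS//Example
    if ($svc.PathName -match '^"([^"]+)"') { return $Matches[1] }
    return ($svc.PathName -split '\s+')[0]
}

$paths = @()
foreach ($d in $ExclusionDirs) {
    if (Test-Path -LiteralPath $d) { $paths += $d }
    else { Write-Warning "Directory not found, not excluded: $d" }
}

$exes = @()
foreach ($name in $ServiceDisplayNames) {
    $exe = Resolve-ServiceExecutable -DisplayName $name
    if ($exe) { $exes += $exe }
    else { Write-Warning "Service not installed on this host, not excluded: $name" }
}

# Apply only what exists here: every exclusion is a blind spot for the scanner,
# so the list should be no wider than the host actually needs.
if ($paths) { Add-MpPreference -ExclusionPath $paths }
if ($exes)  { Add-MpPreference -ExclusionProcess $exes }

# Verify the resulting configuration.
Get-MpPreference | Select-Object -ExpandProperty ExclusionPath
Get-MpPreference | Select-Object -ExpandProperty ExclusionProcess
```

Process exclusions are added by full executable path rather than by service name because Defender scopes them to the process, not to the service control manager entry. If the installation used non-default directories, change `$ExclusionDirs` accordingly; the service lookup needs no change because it reads the binary path from the installed service itself.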
Ports
As part of your BMC Cloud Lifecycle Management implementation, the applications require different ports for authentication, communication, etc. See Port mappings for more information. If the default ports were modified as part of your installation or if additional systems were added for HA/DR considerations, take those ports into account.
Security information for component products
For security information for component products, see the following topics in the component products' documentation spaces: