Information security

UI security

The passwords used to access the BMC Atrium Discovery UI (for example, the password of the system user) are not stored in clear text: each is salted, hashed with SHA-256 and the resulting hash stored in a file. The salt ensures that two accounts with the same password do not produce the same stored hash.
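The scheme described above, as an added example that is not BMC's code: a per-user random salt, SHA-256 over salt and password, a `hex(salt)$hex(hash)` record format (the record layout is an assumption for this example) and a constant-time comparison on verification.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"strings"
)

// HashPassword returns "hex(salt)$hex(sha256(salt||password))" using a fresh
// 16-byte random salt. The record format is an assumption for this example.
func HashPassword(password string) (string, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return "", err
	}
	return hashWithSalt(salt, password), nil
}

func hashWithSalt(salt []byte, password string) string {
	h := sha256.New()
	h.Write(salt)
	h.Write([]byte(password))
	return hex.EncodeToString(salt) + "$" + hex.EncodeToString(h.Sum(nil))
}

// VerifyPassword recomputes the hash from the stored salt and compares the
// whole record in constant time, so a mismatch leaks nothing about where it
// occurred. Malformed records never verify.
func VerifyPassword(record, password string) bool {
	parts := strings.SplitN(record, "$", 2)
	if len(parts) != 2 {
		return false
	}
	salt, err := hex.DecodeString(parts[0])
	if err != nil {
		return false
	}
	candidate := hashWithSalt(salt, password)
	return subtle.ConstantTimeCompare([]byte(candidate), []byte(record)) == 1
}

func main() {
	// Constructed sample password for the system user.
	rec, _ := HashPassword("system-user-password")
	fmt.Println("stored record:", rec)
	fmt.Println("correct password verifies:", VerifyPassword(rec, "system-user-password"))
	fmt.Println("wrong password verifies:  ", VerifyPassword(rec, "guess"))
	rec2, _ := HashPassword("system-user-password")
	fmt.Println("same password, different record:", rec != rec2)
}
```

Salted SHA-256 defeats precomputed tables, but SHA-256 is fast, so the file of hashes should still be protected by filesystem permissions: an attacker who obtains it can test guesses at hardware speed.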

Credential vault security

The passwords used to scan the network are stored in an encrypted vault, which is secured with a default passphrase generated when the appliance is built. Only users with Discovery or Administration privileges have read/write access to the vault, and read access is limited to non-sensitive information: passwords can never be displayed in the UI or at the command line. The content of the vault is encrypted with 128-bit AES.

Optionally, the vault can be locked with a manually entered passphrase. When the passphrase is set, the vault is automatically in a locked state when the appliance starts, and requires the passphrase to be unlocked. The encryption key used for encrypting the vault is derived from the passphrase. The passphrase is not stored anywhere on the appliance, and if lost, the contents of the vault cannot be recovered.

The default passphrase is a random string of 64 characters (512 bits). If you decide to use a manually entered passphrase, you should ensure that it is of similar complexity, or that it is changed at regular intervals. Because the encryption key is derived from the passphrase, a weak passphrase is the weakest point of the vault regardless of the AES key length.
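The lock/unlock behaviour described in the preceding paragraphs, as an added example that is not BMC's implementation: the key is derived from the passphrase with PBKDF2-HMAC-SHA256 (the KDF, its iteration count and the use of AES-128-GCM are assumptions here; the page only states that the key is derived from the passphrase and that the vault uses 128-bit AES), only salt, nonce and ciphertext are persisted, and a wrong passphrase fails authentication rather than yielding garbage.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Iteration count for the passphrase KDF; an assumed value for this example.
const kdfIterations = 100_000

// pbkdf2SHA256 derives keyLen (<= 32) bytes from passphrase and salt with
// PBKDF2-HMAC-SHA256 (RFC 8018). One output block suffices for a 16-byte key.
func pbkdf2SHA256(passphrase, salt []byte, iterations, keyLen int) []byte {
	mac := hmac.New(sha256.New, passphrase)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // block index 1, big-endian
	u := mac.Sum(nil)
	t := append([]byte(nil), u...)
	for i := 1; i < iterations; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range t {
			t[j] ^= u[j]
		}
	}
	return t[:keyLen]
}

// Vault is what gets persisted: salt, nonce and ciphertext. Neither the
// passphrase nor the derived key is ever stored, so a lost passphrase means
// the contents cannot be recovered.
type Vault struct {
	Salt       []byte
	Nonce      []byte
	Ciphertext []byte
}

// LockVault seals the credential plaintext under a passphrase-derived
// 128-bit key with AES-GCM, which also authenticates the stored blob.
func LockVault(passphrase string, plaintext []byte) (*Vault, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	key := pbkdf2SHA256([]byte(passphrase), salt, kdfIterations, 16)
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return &Vault{Salt: salt, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, nil)}, nil
}

// UnlockVault re-derives the key from the supplied passphrase. A wrong
// passphrase or a tampered blob fails GCM authentication and returns an error.
func UnlockVault(v *Vault, passphrase string) ([]byte, error) {
	key := pbkdf2SHA256([]byte(passphrase), v.Salt, kdfIterations, 16)
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, v.Nonce, v.Ciphertext, nil)
	if err != nil {
		return nil, errors.New("vault locked: wrong passphrase or corrupted vault")
	}
	return pt, nil
}

func main() {
	// Constructed sample credentials; a real vault holds network scan logins.
	creds := []byte(`{"ssh":{"user":"discovery","password":"example-only"}}`)
	v, _ := LockVault("correct horse battery staple", creds)
	fmt.Printf("persisted: salt=%x nonce=%x ciphertext=%x\n", v.Salt, v.Nonce, v.Ciphertext)
	pt, err := UnlockVault(v, "correct horse battery staple")
	fmt.Println("unlock with right passphrase:", err == nil, bytes.Equal(pt, creds))
	_, err = UnlockVault(v, "wrong")
	fmt.Println("unlock with wrong passphrase:", err)
}
```

The point to take from the wrong-passphrase path is that an authenticated mode such as GCM turns "decrypts to nonsense" into an explicit failure, which is what lets the appliance report the vault as locked instead of loading bad credentials.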

A "Security Best Practice" may be to defer credential management to the in house security team who would manage credentials according to their own requirements. Permission could be granted for the security team to update the passwords stored in the vault, and for other users to run discovery using the stored passwords.

Sensitive data filters

Data returned from discovery targets may contain sensitive data. For example, the command line used to start a process may contain a clear-text password. This data is stored in a DiscoveredProcess node and could be viewed through the UI. This can be prevented using sensitive data filters.

A sensitive data filter is a regular expression to define data that you do not want displayed. When matched, the sensitive portion of the data is encrypted using an MD5 hash. The encrypted data can be compared with earlier versions to determine whether it has changed, while the actual data remains hidden from users.
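A filter of this kind, as an added example that is not BMC's code: the regular expression's first capture group marks the secret, the captured text is replaced by its hex MD5 digest, and two scans of the same command line can be compared for change without either secret being visible. The pattern syntax (one capture group for the secret) and the sample command lines are constructed for this example.

```go
package main

import (
	"crypto/md5"
	"encoding/hex"
	"fmt"
	"regexp"
)

// SensitiveFilter is a regular expression whose first capture group marks the
// portion of a discovered value to hide; text outside the group is kept so the
// command line stays readable.
type SensitiveFilter struct {
	re *regexp.Regexp
}

// NewSensitiveFilter compiles the pattern and insists on a capture group, since
// without one there is nothing to hide.
func NewSensitiveFilter(pattern string) (*SensitiveFilter, error) {
	re, err := regexp.Compile(pattern)
	if err != nil {
		return nil, err
	}
	if re.NumSubexp() < 1 {
		return nil, fmt.Errorf("pattern must contain one capture group for the secret")
	}
	return &SensitiveFilter{re: re}, nil
}

// Apply replaces every captured secret with the hex MD5 digest of the secret.
// Matches where the group did not participate are left unchanged.
func (f *SensitiveFilter) Apply(s string) string {
	return f.re.ReplaceAllStringFunc(s, func(m string) string {
		idx := f.re.FindStringSubmatchIndex(m)
		if idx == nil || idx[2] < 0 {
			return m
		}
		start, end := idx[2], idx[3] // bounds of capture group 1 within m
		sum := md5.Sum([]byte(m[start:end]))
		return m[:start] + hex.EncodeToString(sum[:]) + m[end:]
	})
}

// Changed reports whether two filtered values differ, i.e. whether the hidden
// secret (or anything else on the line) changed between scans.
func Changed(filteredOld, filteredNew string) bool {
	return filteredOld != filteredNew
}

func main() {
	// Constructed sample command lines carrying a clear-text password argument.
	f, err := NewSensitiveFilter(`(?i)(?:--password|-p)[= ](\S+)`)
	if err != nil {
		panic(err)
	}
	v1 := f.Apply("/opt/app/bin/agent --user svc --password Hunter2 --port 8443")
	v2 := f.Apply("/opt/app/bin/agent --user svc --password Hunter2 --port 8443")
	v3 := f.Apply("/opt/app/bin/agent --user svc --password NewPass9 --port 8443")
	fmt.Println("stored:", v1)
	fmt.Println("unchanged between scans:", !Changed(v1, v2))
	fmt.Println("changed after rotation: ", Changed(v1, v3))
}
```

Write the pattern so that only the secret sits in the capture group; capturing the whole `--password value` token would hide the option name too and make the stored command line harder to read without adding any protection.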
