Appliance hardening

The following measures are taken to harden the BMC Discovery appliance when it is built:

Build the OS using only a small number of packages, all of which are required
Only the required services are enabled
Firewall specifically tuned for the appliance
Unnecessary user accounts are removed
Disable telnet and ftp (access is through ssh only)
No remote logins as root
Set specific kernel parameters such as ICMP echo broadcast
Set permissions on logging, cron, and configuration to require a privileged user
Mount options configured to permit only certain operations on specific partitions
Password quality criteria set
Remove SETUID privileges from certain applications

The appliance is equipped with its own baseline monitoring system (based on the open source Tripwire product) which can be configured to automatically take action in case of unauthorized changes, such as shutting down the appliance or disabling access.

The complete package list is included in the Release Notes rather than this document as they can be upgraded between minor releases.

User management

BMC Discovery application's internal user management service offers all the features required to support ISO 27002 guidelines, specifically:

Account management
Password management policies (strength, reuse, lifecycle)
Granular groups permissions
Account blocking after authentication failures
Automatic account lockout (for example, an account not used for 60 consecutive days)
Automatic session lockout (for example, a session left idle for more than 30 minutes)

Many firms have invested in identity and access management solutions to centralize user management and the permissions to the applications they can access. BMC Discovery can also integrate with a corporate LDAP solution such as Active Directory so that user accounts and group permissions can be managed directly from the LDAP. LDAP groups can be mapped as desired to BMC Discovery groups to simplify overall administration.

BS7799, ISO 17799, and ISO 27002

BS7799 was an early two part information security standard.

BS7799-1 was a code of practice which when adopted by ISO became ISO 17799. It was renamed ISO 27002 in 2007.
BS7799-2 was the specification against which a system could be certified. This became ISO 27001.

Appliance firewall

The appliance firewall is pre-configured to ensure only the following incoming traffic is allowed. Windows proxy communication is always initiated from the appliance so is not listed here.

The open ports listed below are incoming TCP ports to the appliance.

Port Number	Description	Reason
22	Secure Shell Login	For remote management of the appliance OS.
80	HTTP	For accessing the appliance web user interface, if enabled.
443	HTTPS	For accessing the appliance secure user interface, if enabled.
25030-25032	CORBA over TLS	To enable appliance clustering.
25032	CORBA over TLS	To enable discovery consolidation.

The appliance approach provides a known and understood system in which the interaction between components is designed; the firewall is one of those components. Consequently the appliance is expected to have full control over the firewall. Local Linux system administrators should not make any changes to the appliance firewall as this can compromise the appliance security and any changes will be lost when the it is upgraded.

The only supported change to the appliance firewall is that required to install BMC PATROL. Where such changes are made, the default firewall is used as a fallback.

Where further monitoring or protection is required then it should be placed behind an additional firewall.

Windows proxy hardening

Windows discovery requires a Windows proxy or proxy running on a Windows host to provide the methods (WMI and RemQuery) of accessing Windows systems. The Windows proxy host should be configured to allow the following incoming traffic on the chosen ports.

The ports can be chosen in the proxy manager. The defaults are:

Port Number	Description
4321	Used to connect to a Active Directory Windows proxy from the BMC Discovery appliance.
4323	Used to connect to a Credential Windows proxy from BMC Discovery appliance.

Security testing

To ensure BMC Discovery data integrity and confidentiality, the BMC Quality Assurance group performs a thorough assessment on each major and minor release. The assessment include continuously running SAST and DAST tool tests. Additional information can be found at the BMC Trust Center.

Limited/hardened CentOS Linux distribution and security scanners

It is important to note that BMC Discovery does not include a full CentOS Linux build with all of its various packages. In order to improve the security of the product, BMC Discovery only includes those components needed for the operation of the product, rather than those required for a general purpose OS. Omitting unnecessary components decreases risk and increases the overall security of the product.

However, the fact that BMC Discovery doesn't include the full OS can often confuse general purpose security scanners. When the scanner checks the OS, it will report that it is missing patches for components that were never included in the distribution. For example, if BMC Discovery does not include component xyz, it certainly would not include a patch for that component. Since general purpose tools do not first check to see if the component for a patch is present, it simply reports the patch missing without realizing it would make no sense for it to be included on that server.

The next section describes ways in which you can identify false positives.