Page tree

Skip to end of metadata
Go to start of metadata

The following measures are taken to harden the BMC Atrium Discovery appliance when it is built:

  • Build the OS using only a small number of packages, all of which are required
  • Only the required services are enabled
  • Firewall specifically tuned for the appliance
  • Unnecessary user accounts are removed
  • Disable telnet and ftp (access is via ssh only)
  • No remote logins as root
  • Set specific kernel parameters such as ICMP echo broadcast
  • Set permissions on logging, cron, and configuration to require a privileged user
  • Mount options configured to permit only certain operations on specific partitions
  • Password quality criteria set
  • Remove SETUID privileges from certain applications

The appliance is equipped with its own baseline monitoring system (based on the open source Tripwire product) which can be configured to automatically take action in case of unauthorized changes, such as shutting down the appliance or disabling access.

The complete package list is included in the Release Notes rather than this document as they can be upgraded between minor releases.

User management

BMC Atrium Discovery application's internal user management service offers all the features required to support ISO 17799 guidelines, specifically:

  • Account management
  • Password management policies (strength, reuse, lifecycle)
  • Granular groups permissions
  • Account blocking after authentication failures
  • Automatic account lockout (for example, an account not used for 60 consecutive days)
  • Automatic session lockout (for example, a session left idle for more than 30 minutes)

Many firms have invested in identity and access management solutions to centralize user management and the permissions to the applications they can access. BMC Atrium Discovery can also integrate with a corporate LDAP solution such as Active Directory so that user accounts and group permissions can be managed directly from the LDAP. LDAP groups can be mapped as desired to BMC Atrium Discovery groups to simplify overall administration.

Appliance firewall

The appliance firewall is pre-configured to ensure only the following incoming traffic is allowed. Windows proxy communication is always initiated from the appliance so is not listed here.

The open ports listed below are incoming TCP ports to the appliance.

Port Number

Description

Reason

22

Secure Shell Login

For remote management of the appliance OS.

80

HTTP

For accessing the appliance web user interface, if enabled.

443

HTTPS

For accessing the appliance secure user interface, if enabled.

25032

CORBA over SSL

To enable discovery consolidation.

The appliance approach provides a known and understood system in which the interaction between components is designed; the firewall is one of those components. Consequently the appliance is expected to have full control over the firewall. Local Linux system administrators should not make any changes to the appliance firewall as this may compromise the appliance security and any changes will be lost when the it is upgraded.

Where further monitoring or protection is required then it should be placed behind an additional firewall.

Windows proxy hardening

Windows discovery requires a Windows proxy or proxy running on a Windows host to provide the methods (WMI and RemQuery) of accessing Windows systems. The Windows proxy host should be configured to allow the following incoming traffic.

Proxy port changes in 8.3 SP2 and later

Starting from BMC Atrium Discovery 8.3 SP2, proxies are not limited to the default ports. It is also possible to install multiple proxies of each type on a single host. Consequently, in BMC Atrium Discovery 8.3 SP2 you must check the proxy manager to determine which ports the proxies are using. The defaults are the same as previous releases, but installations of additional proxies use incremental ports. You can also use the proxy manager to modify the port that each proxy uses.

The ports given are incoming TCP ports to the Windows proxy host.

Port Number

Description

4321

Used to connect to a Active Directory Windows proxy from the BMC Atrium Discovery appliance.

4322

Used to connect to a Workgroup Windows proxy from BMC Atrium Discovery appliance.

4323

Used to connect to a Credential Windows proxy from BMC Atrium Discovery appliance.

Penetration testing

To ensure BMC Atrium Discovery data integrity and confidentiality, the BMC Quality Assurance group performs a thorough assessment on each major and minor release.

UI penetration tests are made with IBM® AppScan®.

System penetration tests are made with Tenable Nessus. Bastille Linux is used in assessment mode to confirm the security configuration of the system.

Limited/hardened Red Hat Enterprise Linux distribution and security scanners

It is important to note that BMC Atrium Discovery does not include a full Red Hat Enterprise Linux build with all of its various packages. In order to improve the security of the product, BMC Atrium Discovery only includes those components needed for the operation of the product, rather than those required for a general purpose operating system. Omitting unnecessary components decreases risk and increases the overall security of the product.

However, the fact that BMC Atrium Discovery doesn’t include the full operating system can often confuse general purpose security scanners. When the scanner checks the operating system, it will report that it is missing patches for components that were never included in the distribution. For example, if BMC Atrium Discovery does not include component xyz, it certainly would not include a patch for that component. Since general purpose tools do not first check to see if the component for a patch is present, it simply reports the patch missing without realizing it would make no sense for it to be included on that server.

Known false positives flagged by security scanners

The following security issues have been flagged in the past by some security scanners. In each case they can be shown as not being applicable to BMC Atrium Discovery.

  • Cyrus SASL Library Base64 Encoder Buffer Overflow – Cyrus IMAP is not part of the BMC Atrium Discovery appliance.
  • LibPNG could cause denial of service – as there is no UI method of uploading PNG files, the exploit requires command line access as the tideway user.
  • LibXML issues could cause crashes – as there is no UI exposure of the XML system, the exploit requires command line access as the tideway user.
  • WLAN issue with Kernel – the exploit requires WLAN to be enabled and WLAN kernel extensions to be installed. Neither of these are installed on the appliance.
  • OpenSSH X11 Port forwarding hijack – X11 is not installed on the appliance.
  • OpenSSL Record of death – not applicable to the version of OpenSSL installed on the appliance.
  • Sudo RunAs Group – not applicable to the version of sudo installed on the appliance.
  • SQL injection errors – the data store does not use SQL.

The next section describes ways in which you can identify similar false positives.

  • No labels