Important

This documentation space contains information about PATROL Agents when deployed in a TrueSight Operations Management environment. If you are a BMC Helix Operations Management user, see PATROL Agent 22.3.01 for BMC Helix Operations Management.

Security planning

This topic gives background information about the methods of maintaining security for the BMC PATROL Agent, lists the default ownership and permissions for the PATROL Agent, and tells you how to change the ownership and permissions.

Access control list

The Access Control List (ACL) controls which users are authorized to connect to an agent, in which modes, and from which hosts. An agent configuration variable defines the ACL. The ACL configuration variable is described in Defining Access Control Lists. For information about setting up an ACL, see Controlling access to the Agent.

Security certificate options

Select one of the following security levels when deploying a package:

  • No Certificate Validation (default)
  • Certificate Validation

When you select an option, the deployment runs the commands listed below and writes the security key access file shown for that option ($1 is the installation directory, /opt/bmc/ in this example).

No Certificate Validation (default)

The following commands are run:

  • ./executetlscommand.sh /opt/bmc/ 0
  • ./set_unset_tls.sh $1 SET_TLS 2

The data in the security key access file:

cat /opt/bmc/common/security/keys/access

[SSL_SERVER]
;
ALLOW_ACL = *@bmc.com,*@abc.COM
NSS_DB_HOME = none

[SSL_CLIENT]
NSS_DB_HOME = none

Certificate Validation

The following commands are run:

  • ./executetlscommand.sh /opt/bmc/ 1
  • ./set_unset_tls.sh $1 SET_TLS 2 -serverDbPath "$1/common/security/config_v3.0/demo_certs/nss/demo_server" -clientDbPath "$1/common/security/config_v3.0/demo_certs/nss/demo_client" -identity "PatrolServer - BMC"

The data in the security key access file:

cat /opt/bmc/common/security/keys/access

[SSL_SERVER]
;
ALLOW_ACL = *@bmc.com,*@abc.COM
NSS_DB_HOME = sql:/opt/bmc//common/security/config_v3.0/demo_certs/nss/demo_server

[SSL_CLIENT]
NSS_DB_HOME = sql:/opt/bmc//common/security/config_v3.0/demo_certs/nss/demo_client

Important

While upgrading, if you have custom certificates, they are retained and validated according to the certificate option you selected.

To change the security certificate options, see Changing the security certificate configuration options.

Tips

TLS 1.2 without certificate validation is the equivalent of the old security level 2.

TLS 1.2 with certificate validation is the equivalent of the old security level 3.
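The two access files above differ only in the server and client NSS_DB_HOME values, and the Tips map each state to an old security level. The script below is an added example, not BMC code or a BMC tool: it reads an agent's security key access file and reports which certificate option the agent was deployed with, the equivalent legacy security level, and the ALLOW_ACL patterns, so that an administrator can verify a deployed agent's state instead of trusting the package selection. It assumes the INI-style [SSL_SERVER]/[SSL_CLIENT] layout shown on this page and a POSIX awk; the default file path is the one printed above, and the sample file contents embedded in the script are constructed from that output.

```shell
#!/bin/bash
# Added example (not BMC code): report which certificate option an installed
# PATROL Agent was deployed with by reading its security key access file.
# Assumes the INI-style [SSL_SERVER]/[SSL_CLIENT] layout shown on the page and
# POSIX awk. Pass another file path as the first argument to override the default.

# ini_get FILE SECTION KEY -> prints the value of KEY inside [SECTION]; returns 1 if absent.
# Lines starting with ';' or '#' are comments (the agent file uses ';').
ini_get() {
  local value
  value=$(awk -v section="$2" -v key="$3" '
    { sub(/[ \t\r]+$/, "") }                          # drop trailing whitespace / CR
    /^\[/ { in_section = ($0 == "[" section "]"); next }
    /^[;#]/ { next }
    in_section && index($0, "=") {
      k = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", k)
      if (k == key) {
        v = substr($0, index($0, "=") + 1); sub(/^[ \t]+/, "", v)
        print v; exit
      }
    }' "$1")
  [ -n "$value" ] || return 1
  printf '%s\n' "$value"
}

# tls_mode_from_access FILE -> "certificate-validation" or "no-certificate-validation".
# The server-side NSS_DB_HOME is the discriminator: "none" means no certificate
# validation; an NSS database URI (sql:/... or dbm:/...) means validation is on.
tls_mode_from_access() {
  local db
  db=$(ini_get "$1" SSL_SERVER NSS_DB_HOME) || return 1
  case "$db" in
    none)        echo no-certificate-validation ;;
    sql:*|dbm:*) echo certificate-validation ;;
    *)           echo "unknown:$db"; return 2 ;;
  esac
}

# legacy_security_level FILE -> the old security level equivalent given in the Tips
# (TLS 1.2 without certificate validation = 2, with certificate validation = 3).
legacy_security_level() {
  case "$(tls_mode_from_access "$1")" in
    no-certificate-validation) echo 2 ;;
    certificate-validation)    echo 3 ;;
    *) return 1 ;;
  esac
}

# acl_entries_from_access FILE -> the ALLOW_ACL patterns, one per line.
acl_entries_from_access() {
  local acl
  acl=$(ini_get "$1" SSL_SERVER ALLOW_ACL) || return 1
  printf '%s\n' "$acl" | tr ',' '\n' | awk '{ gsub(/^[ \t]+|[ \t]+$/, ""); if (length($0)) print }'
}

# report_access_file FILE -> human-readable summary of the facts above.
report_access_file() {
  local file="$1"
  [ -r "$file" ] || { echo "cannot read $file" >&2; return 1; }
  echo "file:          $file"
  echo "tls mode:      $(tls_mode_from_access "$file")"
  echo "legacy level:  $(legacy_security_level "$file")"
  echo "server NSS db: $(ini_get "$file" SSL_SERVER NSS_DB_HOME)"
  echo "client NSS db: $(ini_get "$file" SSL_CLIENT NSS_DB_HOME)"
  echo "ALLOW_ACL entries:"
  acl_entries_from_access "$file" | sed 's/^/  /'
}

# Constructed sample with the same shape as the "No Certificate Validation" file
# on the page; used only when no readable agent access file is available.
SAMPLE_ACCESS='[SSL_SERVER]
;
ALLOW_ACL = *@bmc.com,*@abc.COM
NSS_DB_HOME = none

[SSL_CLIENT]
NSS_DB_HOME = none'

main() {
  local file="${1:-/opt/bmc/common/security/keys/access}"
  if [ ! -r "$file" ]; then
    file=$(mktemp)
    printf '%s\n' "$SAMPLE_ACCESS" > "$file"
    echo "no agent access file found; using the constructed sample"
  fi
  report_access_file "$file"
}

main "$@"
```

Run it on the agent host as a user that can read the keys directory; a result of "no-certificate-validation" on an agent that was supposed to be deployed with Certificate Validation, or an ALLOW_ACL broader than intended, is the finding to act on.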

PATROL access control

You can control access by setting the definitions in the patrol.conf file. For more information, see Securing PATROL Agent from the pconfig clients.

Application accounts

You can instruct the PATROL Agent to use separate accounts for individual applications and instances. For more information about how to specify which accounts are used for which commands, see Establishing accounts and ports.

User accounts

The default account for the PATROL Agent to run commands is specified by the defaultAccount variable in the agent configuration file. The agent cannot run application discovery and parameters properly without a valid user name. For more information, see Default ownership and permissions for files.

Ownership and permissions

The PATROL_HOME/log and PATROL_HOME/config directories are created when the PATROL Agent process is run for the first time. At that time, the ownership and permissions of the PATROL Agent log and configuration directories are set. If the PATROL_ADMIN environment variable is set, it specifies the user who owns the newly created log and configuration files. If the PATROL_ADMIN environment variable is not set, the PATROL default account user owns all the files.

For more information, see Default ownership and permissions for files.

The default ownership and permissions of the PATROL Agent log and configuration directories are set according to the following table:

Directories for ownership and permissions of agent log

Directory Name | Owner (Windows)                                     | Owner (Unix)   | Permissions (Windows) | Permissions (Unix)
log            | SYSTEM, Administrators Group, defaultAccount, Users | defaultAccount | Full Control          | 0755
bin            | SYSTEM, Administrators Group, defaultAccount, Users | defaultAccount | Full Control          | 0755
config         | SYSTEM, Administrators Group, defaultAccount, Users | defaultAccount | Full Control          | 0755

The following table shows the default ownership and permissions of the log and configuration files: 

Default owner and permissions of log and configuration files

File name                              | Owner (Windows)                                    | Owner (Unix)   | Permissions (Windows) | Permissions (Unix)
config/config_<host>-<port>            | SYSTEM, Administrators, /AgentSetup/defaultAccount | defaultAccount | Change                | 0644
log/PatrolAgent_<host>-<port>_.errs    | SYSTEM, Administrators, /AgentSetup/defaultAccount | defaultAccount | Change                | 0644
log/history/<host>/<port>/dir          | SYSTEM, Administrators, /AgentSetup/defaultAccount | defaultAccount | Change                | 0644
log/history/<host>/<port>/annotate.dat | SYSTEM, Administrators, /AgentSetup/defaultAccount | defaultAccount | Change                | 0644
log/history/<host>/<port>/param.hist   | SYSTEM, Administrators, /AgentSetup/defaultAccount | defaultAccount | Change                | 0644
log/PEM_<host>-<port>.log              | SYSTEM, Administrators, /AgentSetup/defaultAccount | defaultAccount | Change                | 0644
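The Unix columns of the two tables (directories 0755, files 0644, all owned by the defaultAccount user) are a baseline that drifts easily, for example after a restore from backup or a manual chmod during troubleshooting. The script below is an added example, not BMC code: it walks the directories and file patterns listed in the tables under a given PATROL_HOME and reports every path whose mode or owner differs from the documented default. It assumes Linux with GNU stat (for stat -c '%a' and '%u'); the PATROL_HOME path and the owner name are supplied by the caller, and "patrol" in the usage line is a placeholder for your defaultAccount user.

```shell
#!/bin/bash
# Added example (not BMC code): audit a PATROL Agent installation's log, bin and
# config directories and its log/configuration files against the Unix defaults in
# the tables (directories 0755, files 0644, owned by the defaultAccount user).
# Assumes Linux with GNU stat. PATROL_HOME and the owner are supplied by the caller.

# check_mode_owner PATH MODE OWNER -> 0 if PATH has exactly MODE (octal, 755 or 0755)
# and is owned by OWNER (user name or numeric uid), 1 otherwise. Prints one line per check.
check_mode_owner() {
  local path="$1" want_mode want_uid have_mode have_uid
  want_mode=$(printf '%04o' "0$2")          # normalise 755 / 0755 to 0755
  case "$3" in
    *[!0-9]*) want_uid=$(id -u "$3" 2>/dev/null) || { echo "NOUSER   $3 (for $path)"; return 1; } ;;
    *)        want_uid="$3" ;;
  esac
  if [ ! -e "$path" ]; then
    echo "MISSING  $path"
    return 1
  fi
  have_mode=$(printf '%04o' "0$(stat -c '%a' "$path")")
  have_uid=$(stat -c '%u' "$path")
  if [ "$have_mode" = "$want_mode" ] && [ "$have_uid" = "$want_uid" ]; then
    echo "OK       $path mode=$have_mode uid=$have_uid"
    return 0
  fi
  echo "MISMATCH $path mode=$have_mode (want $want_mode) uid=$have_uid (want $want_uid)"
  return 1
}

# audit_patrol_home PATROL_HOME OWNER -> returns the number of findings (0 = all defaults
# hold; capped at 255 because it is an exit status). Paths come from the two tables.
audit_patrol_home() {
  local home="$1" owner="$2" findings=0 d f
  for d in log bin config; do
    check_mode_owner "$home/$d" 0755 "$owner" || findings=$((findings + 1))
  done
  for f in "$home"/config/config_* \
           "$home"/log/PatrolAgent_*.errs \
           "$home"/log/PEM_*.log \
           "$home"/log/history/*/*/dir \
           "$home"/log/history/*/*/annotate.dat \
           "$home"/log/history/*/*/param.hist; do
    [ -e "$f" ] || continue                    # unmatched glob: nothing of that kind to check
    check_mode_owner "$f" 0644 "$owner" || findings=$((findings + 1))
  done
  if [ "$findings" -gt 255 ]; then findings=255; fi
  return "$findings"
}

# Usage: bash audit_patrol_perms.sh /path/to/PATROL_HOME defaultAccountUser
# ("patrol" below is only a placeholder for the defaultAccount user name).
if [ $# -gt 0 ] || [ -n "${PATROL_HOME:-}" ]; then
  audit_patrol_home "${1:-$PATROL_HOME}" "${2:-patrol}"
  echo "findings: $?"
fi
```

Any MISMATCH line is a deviation from the table; a file mode wider than 0644 on config_<host>-<port> or on the history files means users other than the agent account can alter agent configuration or history, which is the condition the defaults are there to prevent.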

TLS security considerations for the PATROL Agent

For an improved authentication and security mechanism, the PATROL Agent can be configured to use Transport Layer Security (TLS) 1.2. The following architecture diagram explains the communication between the PATROL Agent and the other components:

Figure: Security Architecture - PATROL Agent communication

By default, the PATROL Agent uses either the Transmission Control Protocol (TCP) or the Secure Sockets Layer (SSL) protocol for communication. To configure the PATROL Agent to enable TLS 1.2, see Configuring the PATROL Agent to enable TLS 1.2.
