Best Practices for securing BMC TrueSight Server Automation

• Restrict Access: The RCP console should only be accessible from a terminal server, which provides and additional layer of authorization and allows the administrator to limit connectivity to the application servers.
• Enforce Secure Communication: All RCP-to-app server connections must use TLS 1.2 to make sure encrypted communication. (bladsadmin EnabledSecureProtocols setting: Configuring the TLS protocol - BMC Documentation) 

• Use External Authentication: Where possible, prefer using Active Directory (AD), LDAP, or other external authentication providers for user verification rather than relying on built-in authentication.  https://docs.bmc.com/xwiki/bin/view/Automation-DevSecOps/Server-Automation/TrueSight-Server-Automation/tssa244/Configuring-after-installation/Administering-security/Implementing-authentication/
• Secure Built-in Authentication: If Secure Remote Password (SRP) is used, make sure:
  • Set various password complexity and aging values: Setting logon requirements - BMC Documentation

• Review Securing the RSCD Agent:
  • Walkthrough: Securing an RSCD agent - BMC Documentation.
  • Never include a wildcard (*) or allow user=root or unrestricted (rw) access.
• Restrict Users File:
  • The user’s file should contain nousers as the default setting to prevent unauthorized user mappings.
  • Regularly push Access Control Lists (ACLs) to enforce security policies.
  • Configuring the users or users.local files - BMC Documentation
• Minimize users.local entries:
  • users.local should have only minimal entries, ideally used only for recovering from a bad ACL push.
• Secure Communications:
  • TLS 1.2 should be enforced for secure communication. (blasadmin EnabledRscdProtocols) Configuring the TLS protocol - BMC Documentation
  • Consider setting up X.509 certificate authentication for additional security.  https://docs.bmc.com/xwiki/bin/view/Automation-DevSecOps/Server-Automation/TrueSight-Server-Automation/tssa244/Configuring-after-installation/Administering-security/Implementing-security-for-communication-legs/
• Restrict Root Access:
  • If all users map to root, enable the root-only mode of the RSCD agent to prevent unintended privilege escalation.
  • Managing world writable permissions of files and directories in TrueSight Server Automation - BMC Documentation
• Network-Level Security:
  • Configure host-based firewalls to allow connections to the RSCD port only from the TSSA infrastructure, reducing the risk of unauthorized access.

Use strong cryptographic ciphers and enforce TLS 1.2 for all connections. 

• Restrict local system access to OS administrators only.
• Do not install the RCP console on an application server or use it as a jump host.
• Enable the lowpriv account. Restricting access to the Application Server file system - BMC Documentation
• Regularly update security certificates.  Implementing private certificates in TrueSight Server Automation - BMC Documentation
• Restrict app server port access to TSSA users via network or host-based firewalls.
• Enable TLSv1.2 for other communication legs: Configuring the TLS protocol - BMC Documentation
•  

• Remote sites should use a SOCKS proxy as a single point of entry.
• Consider implementing a repeater for payload caching.