Security guidelines for the PATROL Agent
This topic lists the security guidelines for the PATROL Agent and related components.
Securing files with sensitive information
- Restrict access to files containing sensitive information, such as certificates or user credentials, so that no account other than the owner can read them.
- Lock down access to the utilities that can encrypt or decrypt sensitive or confidential data, such as sec_encrypt_p3x.exe or mcxpagent.exe, so that only the owner can run them.
- Do not store files containing sensitive data on network shares with open access.
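The three points above amount to one check that can be scripted: find every file in the agent's security directory that grants any permission to group or others, and reduce it to owner-only (600 for data such as certificates and credential stores, 700 for the encrypt/decrypt utilities). The POSIX shell script below is an added example, not BMC-supplied tooling or documentation; it targets Unix hosts (the .exe names above are Windows, where the equivalent is an ACL on the file), and the PATROL_HOME path and the security subdirectory it mentions are assumptions to be replaced with the real installation paths.

```shell
#!/bin/sh
# Added example (not BMC code): audit and lock down files that hold secrets
# (certificates, credentials) and the tools that can encrypt or decrypt them,
# so that only the owning account can read or run them.
# ASSUMPTION: the install path below is illustrative; set PATROL_HOME to the
# real installation directory on the host.
PATROL_HOME="${PATROL_HOME:-/opt/bmc/Patrol3}"

# List every regular file under $1 that grants any permission to group or
# others. Returns 0 when nothing is exposed, 1 when at least one file is.
find_exposed() {
    exposed=$(find "$1" -type f \( -perm -g+r -o -perm -g+w -o -perm -g+x \
        -o -perm -o+r -o -perm -o+w -o -perm -o+x \) 2>/dev/null)
    [ -z "$exposed" ] && return 0
    printf '%s\n' "$exposed"
    return 1
}

# Restrict one file to its owner: 700 for executables (the encrypt/decrypt
# utilities), 600 for data files (certificates, credential stores).
lock_down_file() {
    if [ -x "$1" ]; then
        chmod 700 "$1"
    else
        chmod 600 "$1"
    fi
}

# Apply lock_down_file to everything find_exposed reports under $1, and
# close the directory itself so other accounts cannot even list it.
lock_down_dir() {
    chmod 700 "$1"
    find_exposed "$1" | while IFS= read -r f; do
        [ -n "$f" ] && lock_down_file "$f"
    done
    return 0
}

# Permission string of a path, e.g. "-rw-------", used to verify the result.
perm_of() {
    ls -ld "$1" | cut -c1-10
}

# Typical use, run as the account that owns the agent installation
# (the "security" subdirectory name is an assumption):
#   find_exposed "$PATROL_HOME/security" || lock_down_dir "$PATROL_HOME/security"
```

Run the audit (find_exposed) from a scheduled job and alert on a non-zero exit rather than silently fixing, so that an unexpected permission change on a credential file is investigated, not just reverted; apply lock_down_dir as the owning account after installation and after any upgrade that re-creates files with a permissive umask.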
Securing access to the PATROL Agent
- Use the Agent Access Control List (ACL) to restrict access to the PATROL Agent. For more information, see Controlling-access-to-the-agent.
- Use the PATROL Agent selection criteria in the BMC Helix Operations Management authorization profile for policy management. For more information, see the following topics:
- Require a valid username and password for the PATROL Agent configuration utility (pconfig). For more information, see the following topics:
- Control which accounts can change the PATROL Agent configuration by using Agent ACLs.
- Allow connections to the PATROL Agent only from a specific host, as a specific user, and with the required connection mode. For more information, see Controlling-access-to-the-agent.
- Use role-based access control to restrict the operations an operator can perform. For more information, see Configuring authorization profiles for BMC Helix Operations Management.
Securing the system running PATROL Agent
- Grant the following permissions only to the users who must run the agent query tool from BMC Helix Operations Management against the PATROL Agent:
- Allow execution of Agent Actions
- Allow trusted connections to PATROL Agents
For more information, see Running a query on the PATROL Agent.
- Run the PATROL Agent under a dedicated application account with its login shell disabled. For more information, see the following topics:
- Wherever possible, use an account with limited privileges, so that an unintended exposure of its password has a limited impact. For more information, see Installation-account.
- Use an application account for client connections, so that a client connection does not grant unintended access to the computer on which the PATROL Agent runs.
- Use an application account to monitor the PATROL Agent data. For more information, see the following topics:
Securing monitored resources
Grant the user accounts used for monitoring resources such as Oracle, WebSphere, or vCenter read-only access, and no more. The documentation of each knowledge module contains a similar set of security recommendations for the resource it monitors.