Securing the PATROL Agent components

This topic lists the security guidelines for the PATROL Agent and related components.

Securing files with sensitive information

To effectively secure sensitive information within PATROL components, it's essential to implement strict file access controls. This includes the following key practices:

Restrict access to files containing sensitive information, such as certificates and user credentials. These files must be secured by restricting access to all users except the owner.
Lock down the access to files that can encrypt or decrypt the data containing sensitive or confidential information, such as sec_encrypt_p3x.exe or mcxpagent.exe.
Do not store the files containing sensitive data on the network shares with open access.
Warning
Important
The above security guidelines apply to all the PATROL components.

Securing access to the PATROL Agent

To ensure secure access to the PATROL Agent and maintain proper authorization within your environment, follow these best practices:

Use the Agent Access Control List (ACL) to restrict the access to the PATROL Agent. For more information, see Controlling-access-to-the-agent.
Use the PATROL Agent selection criteria in the BMC Helix Operations Management authorization profile for policy management. The PATROL Agent ACL defined in the BMC Helix Operations Management Administration doesn't overlap with the Agent ACLs defined within the PATROL Agent.
For more information, see the following topics:
- Configuring PATROL Agent ACLs
- Infrastructure policies

Use a valid user name and password for the PATROL Agent configuration utility (pconfig). For more information, see the following topics:
- Controlling-pconfig-access-to-the-agent
- PATROL configuration utility (pconfig)
Control the PATROL Agent access for configurations by using Agent ACLs.
Allow the connection to the PATROL Agent from a specific host, a specific user, and with a required connection mode. For more information, see Controlling-access-to-the-agent.
Use role-based access control to restrict the operations performed by an operator. For more information, see Configuring authorization profiles for BMC Helix Operations Management.

Securing the system running PATROL Agent

To secure the PATROL Agent system, set appropriate permissions to authenticate users and manage trusted connections. Use an application account for the PATROL Agent's default account, disable unnecessary shells, and perform data monitoring with restricted access. To minimize security risks and prevent client connections to unauthorized users, use user names with limited privileges. To further secure the PATROL Agent system, implement the following best practices:

Set the following permissions for authenticating users to run the agent query tool between BMC Helix Operations Management and the PATROL Agent:
- Allow execution of Agent Actions
- Allow only trusted connections to PATROL Agents

For more information, see Running a query on the PATROL Agent.

Use the application account for the PATROL Agent default account by disabling the shell. For more information, see the following topics:
Wherever possible, use a user name with limited privileges to reduce the effect of unintended exposure to passwords. For more information, see Installation-account.
Use the application account for the client connection to restrict unintended access to the computer on which the PATROL Agent is running.
Use the application account to monitor the PATROL Agent data. For more information, see the following topics:
- Using-the-application-specific-account-for-commands
- Setting-the-PATROL-Agent-account-for-applications

Securing monitored resources

Provide read-only access to user accounts for monitoring resources like Oracle, WebSphere, and vCenter. For detailed security recommendations, refer to the documentation for each specific knowledge module.