Security guidelines for the PATROL Agent

This topic lists the security guidelines for the PATROL Agent and related components.

Securing files with sensitive information

Restrict access to files containing sensitive information such as certificates, or user credentials must be secured by restricting the access to all types of users except the owner.
Lock down the access to files that provide the capability to encrypt or decrypt the data containing sensitive or confidential information, such as sec_encrypt_p3x.exe or mcxpagent.exe.
Do not store the files containing sensitive data on the network shares with an open access.

Note

The above security guidelines are applicable for all the PATROL components.

Securing access to the PATROL Agent

Use the Agent Access Control List (ACL) to restrict the access to the PATROL Agent. For more information, see Controlling-access-to-the-agent.
Notes
- The above security guideline is applicable only to PATROL Agent-side ACL.
- Applicable only to PATROL 3.x and PATROL 7.x architecture environments, except the client connection for configurations.
Use the PATROL Agent selection criteria in the Infrastructure Monitoring Administration authorization profile for policy management. For more information, see the following topics:
- Creating, editing, and deleting PATROL Agent ACLs
- Policy management

Note

The PATROL Agent ACL defined in Infrastructure Monitoring Administration doesn't overlap with the Agent ACLs defined within the PATROL Agent

Use a valid username and password for the PATROL Agent configuration utility (pconfig). For more information, see the following topics:
- Controlling-pconfig-access-to-the-agent
- PATROL configuration utility (pconfig)
Control the PATROL Agent access for configurations using Agent ACLs.
Allow the connection to the PATROL Agent from a specific host, a specific user, and with a required connection mode. For more information, see Controlling-access-to-the-agent.
Use the role-based access control to restrict the operations performed by an operator. For more information, see the following topics:
- Role-based access for TrueSight Presentation Server, TrueSight Infrastructure Management Server, and the Infrastructure Monitoring Administration.
- PATROL Console Server and RTserver Getting Started for PATROL Console Server.

Securing the communication

Configure the PATROL Agent with the minimum security level set as 3. For more information, see PATROL Security User Guide.
Generate signed certificates for the secure communication. For more information, see the following:
- Generating an SSL key database
- Implementing private certificates in TrueSight Operations Management

Securing the system running PATROL Agent

Disable the system output window (SOW) in PATROL consoles. For more information, see Controlling-the-system-output-window-display.
Set the following permissions for authenticating users to run the agent query tool from Infrastructure Monitoring Administration to the PATROL Agent:
- Allow execution of Agent Actions
- Allow trusted connections to PATROL Agents

For more information, see the following:

- Performing actions on a PATROL Agent
- Permissions reference

Use the application account for the PATROL Agent default account by disabling the shell. For more information, see the following topics:
Use the username with limited privileges, wherever possible, to reduce the impact of unintended exposure of passwords. For more information, see PATROL-default-account.
Use the application account for the client connection to restrict the unintended access to the computer on which the PATROL Agent is running.
Use the application account to monitor the PATROL Agent data. For more information, see the following topics:
- Using-the-application-specific-account-for-commands
- Setting-the-PATROL-Agent-account-for-applications

Securing monitored resources

Provide read-only access to the user accounts used for monitoring the resources such as Oracle, WebSphere, vCenter, and so on. Refer to the individual documentation spaces of the various knowledge modules for the similar set of security recommendations.