Security guidelines for the PATROL Agent
This topic lists the security guidelines for the PATROL Agent and related components.
Securing files with sensitive information
- Restrict access to files containing sensitive information such as certificates, or user credentials must be secured by restricting the access to all types of users except the owner.
- Lock down the access to files that provide the capability to encrypt or decrypt the data containing sensitive or confidential information, such as sec_encrypt_p3x.exe or mcxpagent.exe.
- Do not store the files containing sensitive data on the network shares with an open access.
Securing access to the PATROL Agent
Use the Agent Access Control List (ACL) to restrict the access to the PATROL Agent. For more information, see Controlling-access-to-the-agent.
- Use the PATROL Agent selection criteria in the Infrastructure Monitoring Administration authorization profile for policy management. For more information, see the following topics:
- Use a valid username and password for the PATROL Agent configuration utility (pconfig). For more information, see the following topics:
- Control the PATROL Agent access for configurations using Agent ACLs.
- Allow the connection to the PATROL Agent from a specific host, a specific user, and with a required connection mode. For more information, see Controlling-access-to-the-agent.
Use the role-based access control to restrict the operations performed by an operator. For more information, see the following:
Role-based access for TrueSight Presentation Server, TrueSight Infrastructure Management Server, and the Infrastructure Monitoring Administration.
Securing the communication
- Configure the PATROL Agent with the minimum security level set as 3. For more information, see PATROL Security User Guide.
- Generate signed certificates for the secure communication. For more information, see the following:
Securing the system running PATROL Agent
- Disable the system output window (SOW) in PATROL consoles. For more information, see Controlling-the-system-output-window-display.
- Set the following permissions for authenticating users to run the agent query tool from Infrastructure Monitoring Administration to the PATROL Agent:
- Allow execution of Agent Actions
- Allow trusted connections to PATROL Agents
For more information, see the following:
- Use the application account for the PATROL Agent default account by disabling the shell. For more information, see the following topics:
- When installing the PATROL Agent, it is recommended to create an installation package without specifying the default account. After the installation, you must create a policy to set up the default account.
- Use the username with limited privileges, wherever possible, to reduce the impact of unintended exposure of passwords. For more information, see PATROL-default-account.
- Use the application account for the client connection to restrict the unintended access to the computer on which the PATROL Agent is running.
- Use the application account to monitor the PATROL Agent data. For more information, see the following topics:
Securing monitored resources
Provide read-only access to the user accounts used for monitoring the resources such as Oracle, WebSphere, vCenter, and so on. Refer to the individual documentation spaces of the various knowledge modules for the similar set of security recommendations.