Authentication of remote configuration requests
BMC Defender Agent programs listen for remote configuration requests at special TCP ports:
- CO-logmon listens for requests at port 55514.
- CO-fmon listens for requests at port 55515.
The configuration file for the program includes this port number, which is not easy to change. If this port is busy when an agent program starts or if the ListenPort directive is commented out of the file, no remote configuration is possible.
The following modes of operation are possible, as determined by the ListenAuthMode setting in the configuration file:
- Auth Mode 0 disables authentication of requests. BMC does not recommend using this value except in special circumstances (for example, if executing CO-logmon or CO-fmon on a detached network where security is not a concern).
- Auth Mode 1 authenticates remote configuration requests based on the IP address of the requesting platform. In this mode, the agent program rejects any remote configuration request that originates on a platform other than the local host (127.0.0.1) or the address given by the DestinationAddress directive. The requesting program must be at the location that receives the syslog messages, or on the local host.
- Auth Mode 2 authenticates remote configuration requests based solely on the configured passkey. The ListenPassKey value must agree precisely with the value passed to the rsmconf.exe program or the value configured at the BMC Defender SIEM Server platform on the System > Parms screen. Initially, both of these passkey values are set to the keystring Default, so no special configuration is required out-of-box.
- Auth Mode 3 authenticates remote configuration requests based on both the passkey (used in Auth Mode 2) and the source IP address (used in Auth Mode 1). This method is the most secure way of managing the remote configuration process and is the default setting for the CO-logmon program.
The values of DestinationAddress, DestinationPort, ListenAuthMode, ListenPassKey, and ListenPort cannot be changed through the remote configuration process. Each of these values can be changed only by manually editing the CO-logmon or CO-fmon configuration file. Attempts to modify any of these values are silently bypassed. This method enhances security by ensuring that these values can be changed only by remotely logging into the host platform with an administrative login, editing the configuration file manually, and then restarting CO-logmon.
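The four ListenAuthMode values described above can be modelled as a decision function, paired with an audit of the listener directives that flags the weaker modes and the out-of-box passkey. This is an added example, not BMC code: it assumes the directives have already been read from the configuration file into a dictionary and that DestinationAddress is an IP literal, and the names `is_authorized`, `audit` and `SAMPLE` are hypothetical.

```python
import hmac
from ipaddress import ip_address

# Constructed sample: directive names are from the page, values are made up
# (192.0.2.10 is a documentation address standing in for the SIEM server).
SAMPLE = {"ListenPort": "55514", "ListenAuthMode": "3",
          "ListenPassKey": "Default", "DestinationAddress": "192.0.2.10"}

def is_authorized(cfg, source_ip, passkey):
    """Model the accept/reject decision for one remote configuration request."""
    if not cfg.get("ListenPort"):
        return False  # directive commented out: nothing is listening
    mode = int(cfg["ListenAuthMode"])
    if mode not in (0, 1, 2, 3):
        raise ValueError(f"unknown ListenAuthMode {mode}")
    # Modes 1 and 3: source must be the local host or DestinationAddress
    # (assumed here to be an IP literal).
    allowed = {ip_address("127.0.0.1"), ip_address(cfg["DestinationAddress"])}
    ip_ok = ip_address(source_ip) in allowed
    # Modes 2 and 3: passkey must match ListenPassKey exactly.
    key_ok = hmac.compare_digest((passkey or "").encode(),
                                 cfg.get("ListenPassKey", "").encode())
    return {0: True, 1: ip_ok, 2: key_ok, 3: ip_ok and key_ok}[mode]

def audit(cfg):
    """Return hardening findings for one agent's listener directives."""
    if not cfg.get("ListenPort"):
        return ["ListenPort unset: remote configuration is disabled"]
    mode = int(cfg["ListenAuthMode"])
    findings = []
    if mode == 0:
        findings.append("ListenAuthMode 0: requests are not authenticated")
    elif mode == 1:
        findings.append("ListenAuthMode 1: source IP only, no passkey check")
    elif mode == 2:
        findings.append("ListenAuthMode 2: passkey only, any source accepted")
    if mode in (2, 3) and cfg.get("ListenPassKey") == "Default":
        findings.append("ListenPassKey is still the out-of-box value Default")
    return findings

if __name__ == "__main__":
    for src, key in [("192.0.2.10", "Default"), ("198.51.100.7", "Default")]:
        print(src, is_authorized(SAMPLE, src, key))
    print(audit(SAMPLE))
```

Because these directives can be changed only by editing the file on the host, an audit of this kind has to run against the configuration files themselves.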