Manualshelf

HP Servicecontrol Manager 3.0 User's Guide

ManualsBrandsHP ManualsSoftwareHP-UX 11i v1.6 Technical Computing (TCOE) LTU
61626364656667686970
Increasing Servicecontrol Manager Security
Manage SCM Software
Chapter 4
63
Manage SCM Software
Inspect the Audit Log Regularly
The SCM audit log contains a record of all tasks performed by SCM users on all
managed nodes. This log should be inspected regularly for unexpected use of sensitive
tools or for access to sensitive managed nodes. See administering SCM - audit log in the
SCM online help for more information about the audit log.
Restrict root access on the CMS
It is essential to SCM security to restrict root access on the CMS. A user logged in as root
can change the SCM configuration, add authorizations for others to run tools, and can
run any tool on any managed node. To reduce the risk of unauthorized root access on the
CMS, enforce strict password selection and change policies.
Change Generated Passwords
At installation time, SCM generates four passwords used for purposes described below.
These passwords are assigned randomly generated values at least ten characters long
when SCM is installed. For improved security, these passwords should be changed
immediately after installation to a different value at least ten characters long. The
mxpassword command is used to display or change the values for these passwords. See
the mxpassword manual page for details.
There are two passwords that restrict access to the SCM database through MySQL.
—The DBAdminPassword is analogous to the root password under HP-UX, and it
protects all access to the databases under the control of MySQL.
—The MxDBUserPassword protects access to just the SCM database under MySQL.
•The MxConfigPassword is used to provide DTF Agent and CMS authentication. For
convenience, this value should be changed before adding any managed nodes. If it is
changed after adding managed nodes, all the DTF agents on the managed nodes will
need to be re-authenticated using the mxagentconfig command.
•The MxKeystorePassword is used for the Tomcat certificate keystore. If it is
changed, you need to restart the Tomcat Web server using the command on page 62.
Closely Manage SCM Authorizations
Consider carefully the implications of allowing an SCM user to be a trusted user or
assigning a user to the master role on the CMS.
An SCM trusted user can potentially run any tool on any managed node, including
the CMS.
An SCM user assigned the master role on the CMS, can run any tool on the CMS.
In addition, the SCM model for allowing tools to be developed by non-trusted users
requires that the user have the master role on the managed node being used to develop
the tool. Do not use the CMS node for this purpose.