Operating-system dependencies, User accounts and authentication, File system – HP Systems Insight Manager User Manual


Operating-system dependencies

User accounts and authentication

Systems Insight Manager accounts are authenticated against the CMS host operating system. Any
operating system features that affect user authentication affect signing into Systems Insight Manager.
The operating system of the CMS can implement a lock-out policy to disable an account after a
specified number of invalid sign in attempts. Additionally, an account can be manually disabled
in the Microsoft Windows domain. An account that cannot authenticate against the operating
system cannot be used to sign into Systems Insight Manager. For automatic sign-in to
Systems Insight Manager, user accounts must be domain accounts.

NOTE: A user who is already signed into Systems Insight Manager is not re-authenticated against
the operating system until the next sign in attempt and continues to remain signed into Systems
Insight Manager, retaining all rights and privileges therein, until signing out of Systems Insight
Manager.

IMPORTANT: If creating operating system accounts exclusively for Systems Insight Manager
accounts, give users the most limited set of operating system privileges required. Any root or
administrator accounts should be properly guarded. Configure any password restrictions, lock-out
policies, and so on, in the operating system.

File system

Access to the file system should be restricted to protect the object code of Systems Insight Manager.
Inadvertent modifications to the object code can adversely affect the operation of Systems Insight
Manager. Malicious modification can allow for covert attacks, such as capturing sign in credentials
or modifying commands to managed systems. Read-level access to the file system should also be
controlled to protect sensitive data such as private keys and passwords, which are stored in a
recoverable format on the file system. Systems Insight Manager does not store user account
passwords for users signing into Systems Insight Manager.

IMPORTANT: Systems Insight Manager sets appropriate restrictions on the application files. These
restrictions should not be changed because this could affect the operation of Systems Insight
Manager or allow unintended access to the files.

Background processes

On Windows, Systems Insight Manager is installed and runs as a Windows service. The service
account requires administrator privileges on the CMS and the database, and can be either a local
or a domain account. For automatic sign-in to Systems Insight Manager, a domain account must
be used. On UNIX, Systems Insight Manager is installed and runs as daemons running as root.

Windows Cygwin

The version of Cygwin provided with the SSH server for Windows, for CMS and the managed
systems, has been modified with security enhancements to restrict access to the shared memory
segment. As a result, it does not interoperate with the generally available version of Cygwin. Only
administrative users can connect to a system running the modified SSH server.

HP-UX and Linux

The device /dev/random is used, if available on the CMS, as a source for random
numbers within Systems Insight Manager.


Understanding Systems Insight Manager security
