Agent Installation And Maintenance; File And Directory Access Controls Prevent Tampering; Access Control On Machine Configuration Prevents Tampering; The Agent Is Available For Collection - VMware VCM 5.3 - CONFIGURATION MANAGER SECURITY ENVIRONMENT REQUIREMENTS Configuration

vCenter Configuration Manager Security Environment Requirements

11.0 Agent Installation and Maintenance

The VCM Agent is the software installed on the managed machine to collect configuration information and securely
return it to the VCM Collector. Each managed machine is its own trust zone controlled by the domain and local
machine administrator. Agents do not trust other Agents, but do trust the machines in the server zone, such as the
Collector. Machines in the server zone trust the Agent to manage and return its machine's configuration data, but the
Agent is not trusted as a source of data or changes to other machines, or to the VCM configuration.

The Agent is subject to the local security policies and security environment of the managed machine. The trust
placed in the Agent by the server zone depends on the environment protecting four classes of assets:
- Agent executable code
- Machine configuration
- Collected machine data
- Agent/Collector Credentials

The Agent's executable code consists of the programs and libraries shipped in the VCM Agent installation kit. These
kits and updates are signed by the VMware software publisher certificate described previously. The machine
configuration is the local settings that activate the VCM Agent, grant it execution and data storage rights, and allow it
to utilize infrastructure services like networking and DNS. Collected data is the settings the Agent acquires by
inspecting the managed machine. Collected data is transmitted to the VCM Collector. Credentials are the certificates
and private key the Agent uses to authenticate the Collector and, when configured for Mutual Authentication, to
authenticate itself to the Collector.

11.1 File and directory access controls prevent tampering

The Agent's executable code, collection results, and credentials are stored in files within the Agent installation
directory. This directory and its contents must be owned by an administrative account and configured to deny read
access and modification by non-administrators.
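
One way to check this requirement on a Unix managed machine, as an added example that is not part of the white paper or of VCM. It assumes that "administrative account" means root (UID 0) and that any group or other read/write bit counts as non-administrator access; the directory path is supplied by the operator, and audit_agent_dir is a hypothetical helper name.

```python
import os
import stat
import sys

# Permission bits that let group or other read or modify an entry.
NON_ADMIN_RW = stat.S_IRGRP | stat.S_IWGRP | stat.S_IROTH | stat.S_IWOTH


def audit_agent_dir(root, admin_uids=(0,)):
    """Return a sorted list of (path, problem) for entries that break the 11.1 rule.

    Assumptions: an administrative account is a UID in admin_uids (root by
    default), and every group/other principal is a non-administrator.
    """
    findings = []
    paths = [root]
    # os.walk does not follow symlinks, so the audit stays inside the tree.
    for dirpath, dirnames, filenames in os.walk(root):
        paths.extend(os.path.join(dirpath, n) for n in dirnames + filenames)
    for path in paths:
        st = os.lstat(path)  # lstat: judge the link itself, never its target
        if stat.S_ISLNK(st.st_mode):
            # Assumption: links are reported because their targets are unchecked.
            findings.append((path, "symlink: target is not checked"))
            continue
        if st.st_uid not in admin_uids:
            findings.append((path, f"owner uid {st.st_uid} is not administrative"))
        exposed = st.st_mode & NON_ADMIN_RW
        if exposed:
            findings.append((path, f"group/other access bits {exposed:03o}"))
    return sorted(findings)


if __name__ == "__main__":
    # Usage: python audit.py <agent installation directory>
    results = audit_agent_dir(sys.argv[1])
    for path, problem in results:
        print(f"{path}: {problem}")
    sys.exit(1 if results else 0)
```

An empty result means every entry is root-owned with no group or other read/write access. On Windows the equivalent check is made against the directory's ACL rather than mode bits.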

11.2 Access control on machine configuration prevents tampering

The Agent depends on the integrity of settings in system configuration files like the Windows registry and Unix /etc
directory. These settings activate the Agent and grant it access to infrastructure services like networking and DNS, as
well as access to the data sources and files from which the Agent collects data. These settings must be protected
from unauthorized modification.

11.3 The Agent is available for collection

The Agent operates in response to requests from the Collector service. VCM does not require the Agent to be available
at all times, but it must be routinely available for collection of timely data. The environment must guarantee that the
Agent is not disabled or permanently disconnected from network access or from connection requests by the Collector.
The environment must also ensure the network infrastructure required for Agent-Collector communication is
maintained.
vCenter Configuration Manager Security Environment Requirements
TECHNICAL WHITE PAPER
