RSA Authentication Manager 8.X (virtual) appliances - all versions

Original KB question: Does RSA support the installation of third party monitoring Agents on their 8.x (virtual) appliances?
Examples: System Center Operations Manager (SCOM) , BMC ProactiveNet Performance Management (BPPM), Nagios etc.

Expanded Questions for keyword search: Does RSA support the installation of 3rd party applications on their 8.x (virtual) appliances?

Does RSA support the installation of third party software on their 8.x (virtual) appliances?

Does RSA support the installation of additional software on their 8.x (virtual) appliances?

Does RSA support the installation of third party application software on their 8.x (virtual) appliances?

Short Answer: No.

Risk assessment: If you modify the RSA Authentication Manager appliance in any way, your risk is that any reported bugs will not be worked on by RSA Engineering until the bug is reproduced on a supported configuration. An additional risk is that you could spend additional time troubleshooting problems.

This is a hardened appliance system. It has a standardized environment, firewall and scheduled patches to update the entire system (RSA Authentication Manager (AM), OS files and libraries the included database). Installing any additional 3rd party software or application is not supported.

The AM 8.x appliance has some built-in monitoring tools described in Chapter 14: Logging and Reporting and page:375 of the "RSA AM Administrator's Guide" https://knowledge.rsasecurity.com/docs/rsa_securid/rsa_auth_mgr/81/am_administrators_guide.pdf
This chapter describes in detail how to activate SNMP monitoring, remote syslog configuration and triggering an emial if critical events occur.

1) Go to the Security Console

2) Setup - > System Settings

3) Select "Basic Setting"

- Configure Critical System Event Notification:
Will send emails about envents to configured users(A SMTP Mail server has to be already configured for this to work.)

- Logging : Will write logs to an the internal DB and OS and to a remote Syslog system:

"Save to internal database and remote SysLog at the following hostname or IP address:"

4) Select "Advanced Settings"

- Network Monitoring (SNMP), will provide a configuration screen for a SNMP v. 3 agent and the MIB for RSA AM (and will add the neccessary rules in the background)

Conclusion: modifying the AM appliance in Linux is not supported, and is not tested, so there is risk in doing so. Therefore, it is expected that installing 3rd party software, or connecting the AM appliance to use 3rd party products, especially products that monitor and send feedback or reports to external servers, cannot realistically be supported as there are an endless list of such products.

Context:
There is also risk involved in installing unsupported products on the Authentication Manager Appliance. In Support we use the term ‘unsupported’ to indicate software or configuration changes that are not part of the AM patching procedure. This essentially does not mean it won’t work, it might, but it means RSA does not test that configuration, it could be overwritten by our patches, and if you report a bug and Engineering cannot reproduce your bug on their ‘supported’ system, then no fix can be expected.

Having said that, in the experience of Support, some modifications are much less risky than others. One example is using a Strong Password Generator for use with Linux SSH accounts. RSA only supports a single userID in Linux for console of SSH access, the rsaadmin account created during Deployment/Quick Setup. However, many customers have modified Linux to include multiple SSH accounts as a way to track and enforce non-repudiation.

Adding strong passwords to the Linux logon is a simple, very low risk addition to this practice, even though it is unsupported.
Another approach would be to install the RSA PAM agent for Suse Linux on the AM server, to enforce 2FA for SSH logons.