COLLECTOR
What is the collector?
The collector is used by IBM Z® Security and Compliance Center to gather information about your resource configurations and validate that information against your specific security standards. The collector acts as an intermediary between your resources and IBM Z Security and Compliance Center.
The collector is a software module, packaged as a container image, that is installed on infrastructure that has access to your resources. Figure 1 shows how the collector fits into IBM Z Security and Compliance Center processing.
When it is time for a scheduled scan to run, the orchestrator sends a signal to the collector to initiate the scan. Using the credentials that are stored in the orchestrator, the collector gathers the configuration information from the resources in your defined scope. Then, the collector validates the information by using your selected profile and returns the results to the orchestrator.
Understanding collector deployment
When you work with the collector, IBM Z Security and Compliance Center manages it on your behalf; it is a managed collector. Only one collector can be created.
The collector is installed in IBM Z Security and Compliance Center, which installs it and manages its lifecycle. This option lets you focus on the health and security of your resources. You are responsible only for providing the credentials that the collector needs to access your resources.
Understanding communication
The collector acts as an intermediary between your resources and the service. The following sections detail how the communication takes place and how it is secured.
Between the collector and IBM Z Security and Compliance Center
All communication between the collector and IBM Z Security and Compliance Center is encrypted and signed with the collector's public key. Traffic is transported only within the intranet of your systems. Although this traffic travels over trusted systems, include it in your security and risk assessment when you deploy the collector.
The collector sends a regular "heartbeat" notification every minute to notify the service that it is active and ready to run commands. In response to that heartbeat, the service might send a command for the collector to run, such as running a discovery scan.
Between the collector and your resources
To gather information about your resources, the collector must be able to connect to them by using a combination of methods, including API calls, SSH, and shell commands. This communication can occur only because the collector uses the credentials that you associate with it through the IBM Z Security and Compliance Center dashboard; those credentials must have read access to your resources.
For Linux operating systems, the collector uses a network-mapping tool that is called Nmap to scan and discover resources. The collector uses SSH or the equivalent to connect to and query the resources for the configurations. The network and ports for the Linux operating systems must allow the connectivity.
For z/OS systems, the collector uses z/OSMF REST services to connect to and query the resources for the configurations.
Tip: For more information about granting the authorization between the collector and your resources, see Managing credentials.
Understanding how collected data is used
The collector validates the data that is collected against regulatory controls and then sends the results to IBM Z Security and Compliance Center for storage and reporting. The data that is collected varies depending on the environment that you're working with and the type of credentials that you provide. Collected data includes the properties and configurations for supported services, network objects, hosts, databases, and operating systems.
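The following simulation is an added illustration of the flow described in the overview, the heartbeat section, and this section; it is not IBM's code and does not use the product's real message formats. It assumes a JSON-like heartbeat with a sequence number, a scan command carried in the heartbeat reply, a profile expressed as (control id, configuration key, expected value) tuples, and a constructed inventory of two Linux hosts with an assumed read-only credential. The point it makes is that the collector only ever initiates the exchange (pull model), so the service needs no inbound path to it, and that validation happens on the collector before only pass/fail findings are returned to the orchestrator.

```python
"""Collector / orchestrator exchange as an added illustration (not IBM's code).

Message names, the control tuple format, the hosts and the credential id are
assumptions constructed for this example.
"""

HEARTBEAT_INTERVAL_S = 60                    # page: one heartbeat per minute
ACTIVE_WINDOW_S = 2 * HEARTBEAT_INTERVAL_S   # assumption: two missed beats = inactive

# Constructed sample inventory: host -> collected configuration (not real hosts).
RESOURCES = {
    "lnx-app-01": {"sshd.PermitRootLogin": "no", "sshd.PasswordAuthentication": "yes"},
    "lnx-db-01": {"sshd.PermitRootLogin": "yes", "sshd.PasswordAuthentication": "no"},
}
# Hypothetical read-only credential, keyed by an id the orchestrator hands out.
CREDENTIALS = {"linux-readonly": {"user": "auditor", "resources": list(RESOURCES)}}
# Assumed profile format: (control id, configuration key, expected value).
PROFILE = [
    ("CTRL-SSH-1", "sshd.PermitRootLogin", "no"),
    ("CTRL-SSH-2", "sshd.PasswordAuthentication", "no"),
]


class Orchestrator:
    """Service side: never contacts the collector; it only answers heartbeats."""

    def __init__(self):
        self.last_seen = None
        self.pending = []    # commands queued by the scan scheduler
        self.results = []    # findings returned by the collector

    def schedule_scan(self, credential_id, profile):
        self.pending.append({"command": "scan", "credential": credential_id, "profile": profile})

    def heartbeat(self, now, hb):
        """Record liveness; the reply carries at most one pending command."""
        self.last_seen = now
        reply = {"ack": hb["seq"]}
        if self.pending:
            reply["command"] = self.pending.pop(0)
        return reply

    def is_active(self, now):
        return self.last_seen is not None and now - self.last_seen <= ACTIVE_WINDOW_S

    def receive_results(self, findings):
        self.results.append(findings)


class Collector:
    """Collector side: beats once a minute, runs whatever command comes back."""

    def __init__(self, orchestrator, credentials, resources):
        self.orch = orchestrator
        self.credentials = credentials   # per the page these live in the orchestrator
        self.resources = resources       # stands in for reachable hosts in this simulation
        self.seq = 0

    def tick(self, now):
        self.seq += 1
        reply = self.orch.heartbeat(now, {"seq": self.seq, "status": "ready"})
        cmd = reply.get("command")
        if cmd is None:
            return reply
        if cmd["command"] == "scan":
            self.orch.receive_results(self.run_scan(cmd["credential"], cmd["profile"]))
        else:
            # Unknown commands are refused rather than executed.
            raise ValueError(f"unknown command {cmd['command']!r}")
        return reply

    def gather(self, credential_id):
        """Collect configuration only from resources the credential is scoped to."""
        cred = self.credentials[credential_id]
        return {host: dict(self.resources[host]) for host in cred["resources"]}

    @staticmethod
    def validate(configs, profile):
        """Compare each collected value with the profile; return pass/fail findings."""
        findings = []
        for host, cfg in configs.items():
            for ctrl, key, expected in profile:
                actual = cfg.get(key)
                findings.append({"host": host, "control": ctrl,
                                 "status": "pass" if actual == expected else "fail",
                                 "actual": actual})
        return findings

    def run_scan(self, credential_id, profile):
        return self.validate(self.gather(credential_id), profile)


def simulate(minutes=3):
    """Schedule one scan, then let the collector beat for `minutes` minutes."""
    orch = Orchestrator()
    col = Collector(orch, CREDENTIALS, RESOURCES)
    orch.schedule_scan("linux-readonly", PROFILE)
    for m in range(minutes):
        col.tick(m * HEARTBEAT_INTERVAL_S)
    return orch


if __name__ == "__main__":
    for finding in simulate().results[0]:
        print(finding)
```

In the simulated run the scan command is picked up on the first heartbeat, the two hosts each fail one control, and the orchestrator considers the collector active until two heartbeat intervals have passed without a beat. A command type the collector does not recognise is rejected instead of being executed, which is the behaviour you want from a component that holds read credentials to your resources.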