Can third-party software be installed on the PGP Encryption Server (Symantec Encryption Management Server)?
Article ID: 206673


Products

Encryption Management Server, PGP Key Management Server, PGP Key Mgmt Client Access and CLI API Gateway, Email Encryption

Issue/Introduction

The PGP Encryption Server (Symantec Encryption Management Server) is, at its core, a Linux server based on CentOS, a Red Hat clone. It is, however, customized and contains packages and binaries developed by Broadcom, including the encryption Software Development Kit (SDK).

The PGP Encryption Server is considered a locked box, which in this context means that by default there is no way to reach a command line shell. The built-in root user has no password set by default. If necessary, however, administrators with the "SuperUser" role can SSH to the server as root using key-based authentication.

Note that root is the only user on the system with interactive login permissions. This is because the product is not designed for multi-user interactive use.

As with any Linux system, the root user can perform any operation, including setting a root password, creating new users and groups, installing applications and creating custom scripts.

Environment

Symantec Encryption Management Server release 10.5 and above.

Resolution

Each update of the PGP Encryption Server relies on the version being updated being in a known state, for example having specific versions of CentOS packages installed. If additional packages have been installed, updates may fail because of unmet dependencies.

Third-party applications and additional packages could in theory be installed on the server, but doing so is not supported. Neither is using custom scripts that are not approved or supplied by Broadcom. Changes to the system could also introduce security issues.

Any changes made to the server using the command line must be:

  • Authorized in writing by Broadcom Technical Support or published as an approved and documented process on the Broadcom Knowledge Base.
  • Implemented by a contracted Broadcom partner or reseller, or by Broadcom Technical Support.
  • Summarized and documented in a text file in the /var/lib/ovid/customization directory on the Encryption Management Server itself.

Outside of the above circumstances, changes to the server should not be made.

Contact Symantec Encryption Support to make this request.

In addition to the installation of third-party packages discussed above, running security scans in an "authenticated" fashion should be done with extreme care. Never provide SuperUser or root credentials for the command line interface in order to perform a scan. If the server needs to be scanned for installed packages, scan as an unauthenticated user or with the credentials of an end user. Alternatively, run a command to dump the list of all RPM packages installed on the server and provide that list to the appropriate security team for review. Root credentials give access to confidential data and other critical components on the system and should never be given to anyone who is not directly responsible for safeguarding that data. For more information about security reports, please see the following article:

157729 - Common Vulnerabilities and Exposures (CVEs) applicable to Symantec Encryption Management Server and Symantec Endpoint Encryption
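The following script is an added example, not code supplied by Broadcom or part of the product, covering two points from this article: dumping the installed RPM packages for the security team instead of handing out root credentials, and checking that the server is still in the known package state that product updates expect. It captures an inventory with `rpm -qa` in a fixed query format, compares it with a baseline captured when the server was last known good, and writes the summary note the change process requires. The package names and versions are constructed sample data; the customization directory and case reference are passed in as parameters so that the script runs anywhere (on the appliance you would pass /var/lib/ovid/customization and the reference from the Broadcom authorization).

```shell
#!/bin/sh
# Added example (not Broadcom's code): inventory the RPM packages on the
# appliance and compare them with a baseline taken in a known-good state.
# All package names/versions below are constructed sample data.
set -eu

# rpm query format: one NAME-VERSION-RELEASE.ARCH per line. Sorted in the C
# locale so that comm(1) can compare two inventories line by line.
RPM_QF='%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}\n'

# Live inventory, as root over SSH on the server. Only this function touches rpm;
# hand its output (a plain text file) to the security team instead of credentials.
inventory_live() {
  rpm -qa --queryformat "$RPM_QF" | LC_ALL=C sort
}

# Constructed baseline: what a fresh, unmodified installation might contain.
inventory_baseline_sample() {
  printf '%s\n' \
    'bash-4.2.46-34.el7.x86_64' \
    'glibc-2.17-317.el7.x86_64' \
    'openssh-server-7.4p1-21.el7.x86_64' \
    'openssl-libs-1.0.2k-19.el7.x86_64' | LC_ALL=C sort
}

# Constructed current state: two extra tools were installed and openssl-libs was
# upgraded outside of a product update (the situation the article warns about).
inventory_current_sample() {
  printf '%s\n' \
    'bash-4.2.46-34.el7.x86_64' \
    'glibc-2.17-317.el7.x86_64' \
    'htop-2.2.0-3.el7.x86_64' \
    'nmap-6.40-19.el7.x86_64' \
    'openssh-server-7.4p1-21.el7.x86_64' \
    'openssl-libs-1.0.2k-24.el7.x86_64' | LC_ALL=C sort
}

# $1 = baseline file, $2 = current file.
# Lines only in current: packages added, or present at a different version.
packages_added() {
  LC_ALL=C comm -13 "$1" "$2"
}

# Lines only in baseline: packages removed, or replaced by another version.
packages_missing() {
  LC_ALL=C comm -23 "$1" "$2"
}

# Package NAMEs with no entry in the baseline at all: genuine third-party
# additions rather than version drift. Strips "-VERSION-RELEASE.ARCH" with sed.
third_party_names() {
  tmpb=$(mktemp); tmpc=$(mktemp)
  sed 's/-[^-]*-[^-]*$//' "$1" | LC_ALL=C sort -u > "$tmpb"
  sed 's/-[^-]*-[^-]*$//' "$2" | LC_ALL=C sort -u > "$tmpc"
  LC_ALL=C comm -13 "$tmpb" "$tmpc"
  rm -f "$tmpb" "$tmpc"
}

# Write the summary the article asks for into the customization directory.
# $1 = directory (/var/lib/ovid/customization on the appliance), $2 = the
# authorization reference (support case or KB article), $3 = baseline, $4 = current.
# Prints the path of the note it wrote.
record_customization() {
  dir=$1; ref=$2; base=$3; cur=$4
  mkdir -p "$dir"
  note="$dir/$(date -u +%Y%m%d)-package-changes.txt"
  {
    printf 'Date: %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)"
    printf 'Authorization: %s\n' "$ref"
    printf 'Packages added or changed:\n'
    packages_added "$base" "$cur" | sed 's/^/  + /'
    printf 'Packages removed or replaced:\n'
    packages_missing "$base" "$cur" | sed 's/^/  - /'
  } > "$note"
  printf '%s\n' "$note"
}

# Demonstration on the constructed data. On the appliance, replace the two
# sample functions with a saved baseline and "inventory_live > current.txt".
demo() {
  work=$(mktemp -d)
  inventory_baseline_sample > "$work/baseline.txt"
  inventory_current_sample  > "$work/current.txt"
  echo '== added or changed ==';    packages_added   "$work/baseline.txt" "$work/current.txt"
  echo '== removed or replaced =='; packages_missing "$work/baseline.txt" "$work/current.txt"
  echo '== third-party names ==';   third_party_names "$work/baseline.txt" "$work/current.txt"
  echo '== note written to ==';     record_customization "$work/customization" \
                                      'CASE-00000000 (constructed reference)' \
                                      "$work/baseline.txt" "$work/current.txt"
}
demo
```

The baseline should be captured right after installation or a successful product update, stored off the appliance, and refreshed after each update; anything `packages_added` reports before the next update is a candidate for a failed dependency check and for the written authorization the article requires.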

Additional Information

EPG-23615
ISFR-1797