Foglight 7.1.0 - Security and Compliance Guide

Running Foglight Management Server

Foglight® requires administrative privileges to configure the server to run as a service (a Windows® service or a UNIX®/Linux® init.d script). Once it is configured, the service can be launched with a regular user account.

Manual database configuration

When installing the Foglight® Management Server for use with an external database, the database can be set up later (that is, after the Management Server installation is complete). In this case, the database must be manually configured prior to starting the Management Server. This configuration requires executing the scripts in the <foglight_home>/scripts/sql directory as described in the Installation and Setup Guide applicable to the system and database. Some scripts must be run using an account with administrative privileges.

Controlling remote system access with credentials

Foglight® can control access to specific elements of a monitored system through a built-in credential management system. If an organization has specific policies in place regarding system access, such policies can be implemented using credentials managed by the Management Server.

Foglight supports a set of commonly used credentials such as:

Each credential can have one or more authentication policies associated with it, based on the desired usage count, failure rate, the time range during which the credential can be used, and the amount of time during which the credential information is cached locally. Credentials can apply to specific parts of the monitored environment, such as hosts and ports.

Foglight agents need access to this information when monitoring systems that require credential verification. Credentials are stored encrypted in lockboxes. Lockboxes are released to credential clients, such as agent managers.

Protection of data collection infrastructure

There are many types of Foglight® agents; most communicate with the Management Server through a provided client component—the Foglight Agent Manager (FglAM).

The Agent Manager can be installed without administrator access, but such access is required to enable startup scripts or Windows® services to allow automatic launching of the Agent Manager upon machine reboot. The Agent Manager can be initially installed on a monitored host through an installer GUI, a text-based console installer, or a command-line silent mode (suitable for mass deployment using customer-provided tools).

Once installed, the Agent Manager component manages the life cycle of a number of hosted agents and provides a central communications link between those agents and the Management Server. Hosted agents and the Agent Manager can be upgraded from the Management Server using this central communications link.