Foglight 5.9.7 - Security and Compliance Guide

Protection of data collection infrastructure

There are many types of Foglight® agents; most communicate with the Management Server through a provided client component—the Foglight Agent Manager (FglAM).

The Agent Manager can be installed without administrator access, but such access is required to enable startup scripts or Windows® services to allow automatic launching of the Agent Manager upon machine reboot. The Agent Manager can be initially installed on a monitored host through an installer GUI, a text-based console installer, or a command-line silent mode (suitable for mass deployment using customer-provided tools).

Once installed, the Agent Manager component manages the life cycle of a number of hosted agents and provides a central communications link between those agents and the Management Server. Hosted agents and the Agent Manager can be upgraded from the Management Server using this central communications link.

Installation of data collection clients

There are many types of Foglight® agents; most communicate with the Management Server through a provided client component—the Foglight Agent Manager (FglAM).

The Agent Manager can be installed without administrator access, but such access is required to enable startup scripts or Windows® services to allow automatic launching of the Agent Manager upon machine reboot. The Agent Manager can be initially installed on a monitored host through an installer GUI, a text-based console installer, or a command-line silent mode (suitable for mass deployment using customer-provided tools).

Once installed, the Agent Manager component manages the life cycle of a number of hosted agents and provides a central communications link between those agents and the Management Server. Hosted agents and the Agent Manager can be upgraded from the Management Server using this central communications link.

Agents requiring privilege escalation

Some data collection agents hosted by the Agent Manager require administrator privileges to perform their assigned tasks. In order to avoid running the entire client host with the required privileges, Foglight® uses a privilege escalation mechanism to create the required access for the agents that need it.

The Agent Manager, by default, uses the well known sudo facility (a very fine-grained configurable system) to implement privilege escalation. Sudo can be configured to allow only specific applications to be launched with escalated privileges, and the privileges provided to each launched application can be independently controlled. In addition, sudo allows the administrator to limit the parameters passed to each application; this facility is central to configuring a secure system with the Agent Manager.

The Agent Manager also provides an alternative setuid root-based launcher. This launcher is only intended for use in demonstration installations with minimal security needs, where the burden of properly configuring sudo for fine-grained access control would hinder a timely demonstration. Quest does not recommend that this setuid root-based launcher be configured as part of Foglight’s standard installation instructions.

Protection of stored data

The Foglight® Management Server and Foglight cartridges use the JavaTM Cryptographic Extension library for cryptographic operations.

NOTE: The default Foglight encryption key is stored in a Java keystore protected by a Foglight master password. Customers can change the encryption key after installation by using Foglight to generate a new key. It is recommended to change the default Java keystore password upon the installation of the Management Server. After changing the default key, re-entering the LDAP password is required. Then the key will be encrypted under the new key. After changing the password, the Management Server can no longer decrypt the existing cipher texts under the old key.

Foglight Agent Manager uses the Java Cryptographic Extension library for cryptographic operations.