Chat now with support

Get Live Help
Complete Registration

Sign In

Request Pricing

Contact Sales

Foglight 5.9.1 - Security and Compliance Guide

Table of Contents

Security overview

Foglight security measures Customer security measures Security features in Foglight

Service accounts

Agent credentials

Foglight users and groups Role-based access control Password policies

Setting password complexity levels

Required privileges

Installing Foglight Management Server Running Foglight Management Server Installing agent Components Manual database configuration

Controlling remote system access with credentials Protection of data collection infrastructure

Installation of data collection clients Agents requiring privilege escalation

Protection of stored data

Credentials for Foglight users LDAP credentials Management Server repository database credentials Foglight agent credentials Database repository

Protection of communicated data

Web application security Communication between Management Server and agents Communication between Management Server and clients Communication between Management Server and Java EE technology agents Communication between Management Server and XML over HTTP(S) agents Communication between Management Server and repository database

Enabling FIPS 140-2 mode for HTTPS traffic Network ports

Default port assignments Agent adapter ports Client communication

Configuration parameters Audit log Log files Masking sensitive input data Uninstalling Foglight IPv6 Monitoring patches for the embedded database Daylight savings time extension QuestClick scripts Understanding the Foglight platform's relationship to Java "Clickjacking" vulnerability

Security features for APM appliances

Overview of APM appliances Trust model Multiple layers of defense

Layer 1: Firewall Layer 2: Port scan detection and blocking tool Layer 3: Customized operating system distribution Layer 4: Apache Tomcat server configuration

Restricted access to appliances

No root access User authentication on appliances Secure remote access Restricted network ports for appliances Defense against Denial-of-Service attacks

Logs for appliances Data entry validation for APM dashboards Installation of upgrades and patches Customer data protection on appliances

Restricted access to sensitive captured data Secure data storage in the Archiver database Secure data transfer between software components Secure use of customers' private keys

Usage feedback Appendix: FISMA compliance

NIST 800-53 categories

Data entry validation for APM dashboards

For the APM dashboards, Foglight™ validates user input in its browser interface and on its back-end. This includes checking that the correct data type is entered (for example, no numbers are entered in a text-only box) and restricting the length of input, such as to avoid certain potential buffer overflow attacks.

Installation of upgrades and patches

When the appliance software needs to be updated, the upgrade or patch package is digitally signed with a PGP key to prevent customers from uploading unauthorized materials. Upgrades and patches are installed using the APM > Support > Upgrade Appliances dashboard. All registered appliances are updated. Alternatively, individual appliances can be updated using an appliance’s Console Program.

Customer data protection on appliances

The following measures are implemented to protect access to customer data:

•

Restricted access to sensitive captured data

•

Secure data storage in the Archiver database

•

Secure data transfer between software components

•

Secure use of customers’ private keys

Restricted access to sensitive captured data

Appliances can be configured to hide, mask, or discard (not store) sensitive data found in hit details and in the body of HTML pages.

•

When sensitive data rules hide or mask data, the sensitive data is stored unaltered in the Archiver database. The sensitive data rules are applied whenever a query for data is received by the Archiver database. When returning results, sensitive data is hidden or masked in views or replay according to the user-defined rules.


	IMPORTANT: There is a special Foglight user role, called APM Sensitive Data Viewer, that allows users to view sensitive data in views and replay. Customers can restrict users with this role from viewing some types of sensitive data by selecting the Always Sensitive option when defining a sensitive data rule.

•

Customers can discard sensitive data, rather than storing it in the Archiver database. In this case, the sensitive data can never be displayed in the browser interface. The sensitive data rules are applied as hits are captured.


	IMPORTANT: Applying sensitive data rules at capture time can degrade capture performance significantly.

Foglight™ implements its sensitive data rules using two types of user-defined rules: Sensitive Hit Details and Sensitive Content Expression. Sensitive hit details refer to private information, such as login names and passwords, that are contained within request fields, request headers, response headers, and cookies. Sensitive content refers to private information located in the body of HTML pages, such as credit card numbers, social security numbers (or other government identification numbers), and passwords. When defining the rules, customers identify the sensitive data, specify whether the data is hidden or masked, and specify whether the data should be considered Always Sensitive. For more information, see the “Managing Security Policies” topics in the Foglight APM Administration and Configuration Guide.

When customers want to discard sensitive data before storing a hit in the Archiver, they define the sensitive data rules and define a hit analyzer with a Do not store storage policy set. The policy determines whether the entire hit is discarded or only the details or content marked Always Sensitive. For each hit that matches the hit analyzer condition, Foglight evaluates the sensitive data rules and applies the storage policy. For more information, see “Defining Hit Storage Restrictions for Hit Analyzers” in the Foglight APM Administration and Configuration Guide.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating

© ALL RIGHTS RESERVED. Feedback Terms of Use Privacy Cookie Preference Center