Foglight Experience Monitor 5.8.1 - Security and Compliance Field Guide

FxM user authentication

At the present time, FxM does not utilize any external mechanisms for identity management. User accounts that allow access to FxM’s web console are defined through the user interface (UI) by FxM administrators. Administrators may configure the system to require strong passwords for these user accounts.

For an additional level of security in this regard, the Apache™ Server on the appliance can be configured to use Secure Socket Layer (SSL). FxM utilizes the Linux® Pluggable Authentication Modules (PAM) as the underlying authentication mechanism for all types of user access to the system (web console, SSH, database, and terminal). Account passwords are stored in encrypted form, in Linux system files.

Foglight user authentication

Foglight Management Server (FMS) allows users to navigate from displays within its browser interface into the FxM web console. If the Foglight user account matches an account name in FxM, the user is automatically authenticated and does not have to login a second time in FxM.

This is accomplished by passing a unique token specific to the user account and the time of day in the URL that is used to access the FxM web console. FxM receives the token and issues a SOAP request to the Foglight Management Server to authenticate the token. If successful, that request returns the name of the user account that the Foglight user was logged into. FxM then attempts to automatically log the user into the web console, using that account name. If the user account is not found, the user is redirected to the FxM login page. If the account is found, the user will see the intended page of the FxM web console.

User authorization and privileges

FxM enforces access control by providing distinct groups of user accounts that are determined by their type (administrative, power user, secured power user, general, and guest). Each group has a different set of permissions associated with their accounts, thereby controlling what actions users can perform and what data they have access to. For detailed information about managing user accounts, see section “User accounts” in the Foglight Experience Monitor Installation and Administration Guide.

In addition, FxM processes run in user accounts with limited rights. For example, the Apache™ Web Server runs as a user which does not have read or write access to system files. This adds an additional layer of security in the scenario that an attacker somehow manages to execute commands through Apache.

The following table presents the role-based access control in Foglight Experience Monitor.

Each user account also has an additional setting that determines whether that user can examine metrics in FxM, metrics that may contain personal information of end users accessing the servers that FxM is monitoring. This may include information such as IP address, login name, ISP, and geographic location.

Strong passwords

FxM requires the use of strong passwords for accounts that have SSH access enabled at all times. In addition, the administrator may configure the system so that strong passwords are required for all accounts, regardless of the type of access enabled for the account.

The FxM console program is available via a terminal that is connected to the appliance’s VGA connector. Using the terminal and a keyboard that is also connected to a USB port on the appliance, administrators perform initial setup and configuration tasks with the appliance (such as supplying it with an IP address). The Linux® user account setup must be used to login to the appliance through the terminal to access the FxM console program. The password for the setup account is configurable. It is recommended that customers assign a strong password for this account.

For detailed information about strong passwords, see section “Configuring strong passwords” in the Foglight Experience Monitor Installation and Administration Guide.