Foglight 5.9.5 - Security and Compliance Guide

Security overview

Database repository

Collected data from Foglight® agents is stored in the repository database, which is protected through user access control. This data contains collected metrics and statistics about the systems on the monitored hosts, as well as agent configuration parameters.

Protection of communicated data

Web application security

The Management Server's Web application server supports the use of SSL, in order to protect Foglight® users' login credentials. Foglight provides its own self-signed SSL certificate on the Web application server, and enables customers to provide a replacement SSL certificate of their choice. SSL certificates are managed through the Java™ keystore on the Management Server.

Basic HTTP (non-SSL) access can be disabled by disabling the HTTP port on the server. This disables both HTTP access to the Management Server browser interface and HTTP communication for agents that use the XML-over-HTTP protocol, forcing the use of HTTPS connections.

When running a security scan on the Management Server, customers may discover that ServerTokens for the Apache HTTP Server has not been set.

Synopsis: The Apache HTTP Server could allow a remote attacker to obtain sensitive information. The Apache HTTP Server uses a configuration directive called ServerTokens to control what information the server discloses about itself in the banner header lines of its HTTP responses. The information disclosed includes the operating system and the software versions running on the server. When ServerTokens has not been set, an attacker could use this information to launch attacks.

2. Navigate to the <foglight_home>/server/tomcat/server.xml directory.
3. Open the server.xml file for editing.
4. In the server.xml file, locate the following Connector elements:
5. Add the server="hidden" attribute to each Connector element. For example:
   server="false"/>
6. Save and close the server.xml file and restart the Management Server.
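
The following is an added example, not part of the Foglight guide: a Python check that parses a Tomcat server.xml and flags Connector elements that lack the server attribute from step 5 or that still accept non-SSL connections. The sample file contents, its port numbers and the function name audit_connectors are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not Foglight's shipped server.xml; ports are placeholders.
SAMPLE_SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true" server="hidden"/>
    <Connector port="8444" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true"/>
  </Service>
</Server>
"""


def audit_connectors(xml_text):
    """Return one finding dict per <Connector> element in a server.xml."""
    findings = []
    for conn in ET.fromstring(xml_text).iter("Connector"):
        server = conn.get("server")
        protocol = conn.get("protocol", "HTTP/1.1")
        tls = conn.get("SSLEnabled", "false").lower() == "true"
        issues = []
        # Step 5 of the procedure: every Connector should carry a server attribute.
        if not (server or "").strip():
            issues.append("server attribute is not set")
        # A non-AJP connector without SSLEnabled still accepts basic HTTP.
        if not tls and not protocol.upper().startswith("AJP"):
            issues.append("non-SSL HTTP connector is still enabled")
        findings.append({"port": conn.get("port"), "server": server,
                         "tls": tls, "issues": issues})
    return findings


if __name__ == "__main__":
    # To audit a real file, pass the contents of server.xml instead of the sample.
    for f in audit_connectors(SAMPLE_SERVER_XML):
        status = "; ".join(f["issues"]) or "ok"
        print(f"port {f['port']}: {status}")
```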

Communication between Management Server and agents

Most Foglight® agents communicate with the Management Server through the included client application, the Agent Manager. The exceptions are the Java EE Technology agents, which communicate with the Management Server across a separate binary protocol, and agents that use the low-level XML-over-HTTP(S) data submission option. When activating an agent, it is necessary to communicate its properties, which may include login credentials for accounts on the monitored host.