Chat now with support
Chat with Support

Please note, you may experience access issues between 6am - 7am Eastern time on Saturday, May 28 2022 due to planned maintenance

Foglight 6.0.0 - Security and Compliance Guide

Security overview
Foglight security measures Customer security measures Security features in Foglight FIPS-compliant mode Disclaimer
Security features for APM appliances Usage feedback Appendix: FISMA compliance

Protection of data collection infrastructure

There are many types of Foglight® agents; most communicate with the Management Server through a provided client component—the Foglight Agent Manager (FglAM).

The Agent Manager can be installed without administrator access, but such access is required to enable startup scripts or Windows® services to allow automatic launching of the Agent Manager upon machine reboot. The Agent Manager can be initially installed on a monitored host through an installer GUI, a text-based console installer, or a command-line silent mode (suitable for mass deployment using customer-provided tools).

Once installed, the Agent Manager component manages the life cycle of a number of hosted agents and provides a central communications link between those agents and the Management Server. Hosted agents and the Agent Manager can be upgraded from the Management Server using this central communications link.

Installation of data collection clients

There are many types of Foglight® agents; most communicate with the Management Server through a provided client component—the Foglight Agent Manager (FglAM).

The Agent Manager can be installed without administrator access, but such access is required to enable startup scripts or Windows® services to allow automatic launching of the Agent Manager upon machine reboot. The Agent Manager can be initially installed on a monitored host through an installer GUI, a text-based console installer, or a command-line silent mode (suitable for mass deployment using customer-provided tools).

Once installed, the Agent Manager component manages the life cycle of a number of hosted agents and provides a central communications link between those agents and the Management Server. Hosted agents and the Agent Manager can be upgraded from the Management Server using this central communications link.

Agents requiring privilege escalation

Some data collection agents hosted by the Agent Manager require administrator privileges to perform their assigned tasks. In order to avoid running the entire client host with the required privileges, Foglight® uses a privilege escalation mechanism to create the required access for the agents that need it.

The Agent Manager, by default, uses the well known sudo facility (a very fine-grained configurable system) to implement privilege escalation. Sudo can be configured to allow only specific applications to be launched with escalated privileges, and the privileges provided to each launched application can be independently controlled. In addition, sudo allows the administrator to limit the parameters passed to each application; this facility is central to configuring a secure system with the Agent Manager.

The Agent Manager also provides an alternative setuid root-based launcher. This launcher is only intended for use in demonstration installations with minimal security needs, where the burden of properly configuring sudo for fine-grained access control would hinder a timely demonstration. Quest does not recommend that this setuid root-based launcher be configured as part of Foglight’s standard installation instructions.

Protection of stored data

The Foglight® Management Server and Foglight cartridges use the JavaTM Cryptographic Extension library for cryptographic operations.

Foglight user Credential

MD5 for existing users migrated from Foglight 5.9.5 or earlier version.

SHA256 for new or updated passwords.

SHA256

Password is hashed with MD5 or SHA256 and the resulting digest is stored in Foglight database. User passwords are therefore not stored anywhere, in encrypted or in clear text form.

LDAP Credential

Triple DES 112-bit

AES 128-bit

Using default Foglight encryption key.

Repository Database Credentials

Triple DES 112-bit

AES 128-bit

Using default Foglight encryption key.

Agent Credentials

RSA 2048-bit

RSA 2048-bit

Using automatically generated RSA key as encryption key, the key is protected by lockbox password

Lockbox Credentials

Triple DES 112-bit

AES 128-bit

Using default Foglight encryption key.

Sensitive data in ASP

Triple DES 112-bit

AES 128-bit

Using default Foglight encryption key.

Database repository

-

-

Protected by user access control and database software.

 

Foglight Agent Manager uses the Java Cryptographic Extension library for cryptographic operations.

Keystore password

Triple DES 192-bit

AES 256-bit

Using default Agent Manager encryption key for encrypting keystore passwords.

Agent Credential

RSA 2048-bit

RSA 2048-bit

Using the lockbox key for decrypting the agent credentials retrieved from Foglight Management Server.

DH Key Exchange

DH 1024-bit

DH 2048-bit

Using 2048-bit modulus to exchange DH session key between Foglight Management Server and Agent Manager.

Lockbox key

Triple DES 192-bit

AES 256-bit

Using the DH session key for encrypting or decrypting the lockbox key.

Agent Properties Cache

PBEWithMD5AndDES

AES 256-bit

Encrypting or decrypting the cached agent properties data.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating