User account running Agent / MC
Windows
Create a dedicated user account for the Agent / MC service and ensure it does not run as LOCAL SYSTEM.
Linux
Do not run as root unless you need to sync POSIX permissions. It is advisable to create a dedicated user account to run the Agent; such an account is created automatically for package installations.
Storage folder and data access
- Ensure that as few other users / groups as possible have access to the Agent's or Management Console's storage folder, ideally only the user account that runs the Agent or Management Console. Note that the user account running the Agent must have enough permissions to operate on the data and permissions that the Agent synchronises.
- Ensure that only the user account running the Management Console can write to audit.log.
- For extra protection of the Agent's service data on a Linux-based OS, ensure that your VM / hardware provides access to a TPM. The Agent on Windows uses the Data Protection API and the macOS Agent uses Keychain features automatically. If a TPM is not available or the Agent runs in a Docker container, please use this article to set the encryption key manually.
- Delete the sync-<version>-<UNXtimestamp>.backup folder in the Agent's storage folder, since it may contain non-encrypted data from the previous version.
- For extra protection of MC service data, please follow this article to set the encryption key manually. It is recommended to set the env var in the srvctrl start/stop script, as in this case it will be available only to the Management Console processes. Also, it is recommended to customize the env var name via the MC configuration file.
- Delete Management Console backups after encrypting sensitive data, since they may contain non-encrypted data.
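The two folder-access points above (the storage folder reachable only by the service account, and audit.log writable only by the Management Console account) can be verified on Linux with a small shell audit. The script below is an added example, not part of the original article or of the product itself; it assumes a POSIX shell with `find`, `chmod` and `id`, and takes the storage folder path and the service account name as arguments (a constructed temporary folder is used for the demonstration, not a real installation path).

```shell
#!/bin/sh
# Added example (not part of the original article): audit a storage folder for
# access by anyone other than the dedicated service account.
# Assumptions: POSIX sh; $1 is the storage folder, $2 the expected owner.

# Prints every entry under $1 that is not owned by $2, or that grants any
# read/write/execute permission to group or others. Prints nothing when the
# folder is private to the owner. Symbolic -perm modes are POSIX, so this
# works with both GNU and BSD find.
audit_storage_dir() {
    dir="$1"
    owner="$2"
    find "$dir" \( ! -user "$owner" \
        -o -perm -g+r -o -perm -g+w -o -perm -g+x \
        -o -perm -o+r -o -perm -o+w -o -perm -o+x \) -print
}

# Returns 0 if the audit found nothing, 1 otherwise (usable in scripts/CI).
storage_dir_is_private() {
    [ -z "$(audit_storage_dir "$1" "$2")" ]
}

# Remediation: strip group/other permissions recursively. Ownership changes
# (chown -R <service-account> <dir>) need root and are left to the admin.
lock_down_storage_dir() {
    chmod -R go-rwx "$1"
}

# Demonstration on a constructed folder (hypothetical layout, not the real
# product paths): a world-readable storage folder with a world-readable
# audit.log fails the check, and passes after lock-down.
demo() {
    tmp=$(mktemp -d)
    me=$(id -un)
    mkdir "$tmp/storage"
    echo "constructed audit entry" > "$tmp/storage/audit.log"
    chmod 755 "$tmp/storage"
    chmod 644 "$tmp/storage/audit.log"
    echo "Before lock-down, entries accessible to others:"
    audit_storage_dir "$tmp/storage" "$me"
    lock_down_storage_dir "$tmp/storage"
    if storage_dir_is_private "$tmp/storage" "$me"; then
        echo "After lock-down: storage folder is private to $me"
    fi
    rm -rf "$tmp"
}
```

Run `storage_dir_is_private /path/to/storage <service-account>` from a cron job or a configuration-management check; a non-zero exit means someone besides the service account can read or modify the Agent's or Management Console's data.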
Agent to Management Console communications
- Set the Management Console TLS cipher to ECDHE-ECDSA-AES256-GCM-SHA384.
- Ensure the "Identify agent by name" setting is disabled in the Management Console advanced settings.
- Use an agent configuration file with a defined certificate fingerprint; do not connect agents using the simplified IP:PORT method.
- Once all agents are connected, delete the bootstrap token from the MC.
- Ensure your custom certificate is applied to the agents' connection (port 8444 by default).
Agent to Agent communications
- Set the agent TLS ciphers to DHE-PSK-AES256-GCM-SHA384.
- Ensure the "Encrypt on LAN" setting is enabled in all agent profiles.
- Set the "Key token rotation policy" of all job profiles to "Enforced".
- Ensure that ATA tokens rotate at least every hour, with an overlap of no more than 30 minutes.
Login to Management Console
- Ensure your custom certificate is applied to the WebUI connection (default port 8443).
- Ensure the Management Console password policy matches your organization's requirements.
- If you are using Azure AD authentication and do not require local users, disable local user login.
- If you are using local Management Console accounts, enable 2FA for all users.
Other security tweaks and checks to be done
- If you are using the Console API, use separate API tokens for different use cases and users. Don't let several users share the same token, and don't use the same token, for example, for both testing and production.
- Disable Agent and Console debug logging.
- Disable core dumps / process dumps in your OS (the actual instructions depend on OS type and version).
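For the core-dump item, the check that matters is the environment the service process starts from, because a core file written by the Agent or Management Console can contain decrypted keys and tokens. The following is an added example, not part of the original article or of the product; it assumes a POSIX shell with `ulimit -c` and, for the informational report, a Linux `/proc` filesystem.

```shell
#!/bin/sh
# Added example (not part of the original article): check and disable core
# dumps for the shell that launches a service, and report the kernel-level
# settings on Linux. Assumptions: POSIX sh with `ulimit -c`.

# Returns 0 when the soft core-file size limit is 0, i.e. no core file is
# written if a process started from this shell crashes.
core_dumps_disabled() {
    limit=$(ulimit -c)
    [ "$limit" = "0" ]
}

# Disables core dumps for this shell and everything it starts afterwards.
# Put this line at the top of a start/stop script, or use the service
# manager's equivalent (for systemd: LimitCORE=0 in the [Service] section;
# for PAM logins: "<account> hard core 0" in /etc/security/limits.conf).
disable_core_dumps() {
    ulimit -c 0
}

# Informational: where the kernel would write dumps and whether processes that
# changed credentials may dump. Prints nothing when /proc is not available.
report_core_settings() {
    if [ -r /proc/sys/kernel/core_pattern ]; then
        printf 'kernel.core_pattern=%s\n' "$(cat /proc/sys/kernel/core_pattern)"
    fi
    if [ -r /proc/sys/fs/suid_dumpable ]; then
        printf 'fs.suid_dumpable=%s\n' "$(cat /proc/sys/fs/suid_dumpable)"
    fi
}

# Returns 0 if dumps are disabled, otherwise disables them and returns 0;
# prints what it did so the step is visible in service logs.
ensure_core_dumps_disabled() {
    if core_dumps_disabled; then
        echo "core dumps already disabled (ulimit -c = 0)"
    else
        echo "core dumps were enabled (ulimit -c = $(ulimit -c)), disabling"
        disable_core_dumps
    fi
    core_dumps_disabled
}
```

Calling `ensure_core_dumps_disabled` in the start script only covers processes launched from that shell; a service started directly by systemd needs the `LimitCORE=0` directive instead, and a system-wide `kernel.core_pattern` that pipes dumps to a handler (such as a crash reporter) should be reviewed separately.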