How to Secure the Agent Installer Platform Configuration File
The Agent Installer Platform configuration file, config.json, contains potentially sensitive information, such as the agent access key used by the Java and Machine Agent to connect to the Controller. By default, the Agent Installer Platform can be read by any user of the system after it is installed. The default permissions allow the Agent Installer Platform to auto-instrument new processes started on your system by any user.
Block Access to the Agent Installer Platform
You can block access to the Agent Installer Platform configuration file and still allow the agent to auto-instrument processes for authorized users or groups.
Change the default permissions:
1. Define an authorized group.
   groupadd appdynamics-zero-agent
2. Add users to the authorized group. For example, the usermod command adds a user named tomcat-user to the appdynamics-zero-agent group. Run this command for each user that creates Java processes you want the Agent Installer Platform to auto-instrument.
   usermod -a -G appdynamics-zero-agent tomcat-user
3. Navigate to the directory where the Agent Installer Platform was installed; the default directory is /opt/appdynamics/zeroagent.
   cd <zero-agent-install-directory>
4. Change directories to the Agent Installer Platform's configuration file directory.
   cd configs
5. Change the group ownership of the config.json file to the authorized group created in Step 1.
   chgrp appdynamics-zero-agent config.json
6. Change the permissions associated with the config.json file.
   chmod 640 config.json
Configuration File Access
The Agent Installer Platform configuration file has the following access:
Owning user - read and write
Authorized group - read only
All other users - no access
Unauthorized access to the file is not permitted. If a non-authorized user starts a Java process, the Agent Installer Platform does not auto-instrument it. However, this does not prevent the new Java process from starting.
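To confirm that the file ended up with the access described above, the following check can be run after the procedure. It is an added example, not part of the product or its documentation; it assumes GNU coreutils stat (Linux), and audit_config is a hypothetical helper name.

```bash
#!/bin/sh
# Added example: audit config.json against the access model above
# (owner read/write, authorized group read-only, others no access).
# Assumes GNU coreutils stat. audit_config is a hypothetical helper.
#
# Usage: sh audit.sh /opt/appdynamics/zeroagent/configs/config.json appdynamics-zero-agent

# audit_config FILE GROUP
# Prints one line per finding. Returns 0 if compliant, 1 if not, 2 if FILE is missing.
audit_config() {
    ac_file=$1; ac_group=$2; ac_rc=0
    if [ ! -f "$ac_file" ]; then
        echo "FAIL: $ac_file not found"
        return 2
    fi
    ac_mode=$(stat -c '%a' "$ac_file")         # octal mode, e.g. 644
    ac_owner_group=$(stat -c '%G' "$ac_file")  # group name of the file
    ac_bits=$((0$ac_mode))                     # leading 0: parse as octal

    if [ "$ac_owner_group" != "$ac_group" ]; then
        echo "FAIL: group owner is $ac_owner_group, expected $ac_group"; ac_rc=1
    fi
    if [ $(($ac_bits & 07)) -ne 0 ]; then
        echo "FAIL: other users have access (mode $ac_mode)"; ac_rc=1
    fi
    if [ $(($ac_bits & 070)) -ne $((040)) ]; then
        echo "FAIL: group access must be read-only (mode $ac_mode)"; ac_rc=1
    fi
    if [ $(($ac_bits & 0700)) -ne $((0600)) ]; then
        echo "FAIL: owner access must be read and write (mode $ac_mode)"; ac_rc=1
    fi
    if [ $(($ac_bits & 07000)) -ne 0 ]; then
        echo "FAIL: setuid/setgid/sticky bit set (mode $ac_mode)"; ac_rc=1
    fi
    if [ "$ac_rc" -eq 0 ]; then
        echo "OK: $ac_file is $ac_mode, group $ac_owner_group"
    fi
    return "$ac_rc"
}

# Run the audit only when a file and a group are given on the command line.
if [ $# -eq 2 ]; then
    audit_config "$1" "$2"
fi
```

Group membership added with usermod takes effect in new login sessions, so a process started from a session opened before the change still runs without the authorized group.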