cm-agent stores sensitive data in several locations. These files and directories must be configured properly to avoid information leakage. The following files and directories must be owned by the root user and must not be readable by global users:
/etc/cm-agent.yaml– Default configuration file.
/var/log/cm-agent.log– Default log file.
The default configuration has a permission set to writeable and readable for the root user only.
ConfigFiles is a SaaS product, whereby users need to establish an outbound connection from their network to the public internet in order to submit monitoring data. Traffic is always initiated by the
cm-agent to ConfigFiles via HTTPS connections. No sessions are ever initiated from ConfigFiles back to the
Outbound connection via proxy is not supported at the moment.
The bartender agent periodically pulls the configuration (default is every 30 seconds) from a number of API endpoints:
agent-api.s9s.io:443– Agent configuration and reporting.
agent-auth-api.s9s.io:443– Agent authentication.
All communication to the API endpoints must be accompanied by a security token (retrievable under
/etc/cm-agent.yaml), which is uniquely generated by ConfigFiles when users add their database host.
ConfigFiles stores some information about the node where it is running:
- Operating System
- Network information
- Database Names