Security configurations
The security-related elements and settings in the agent configuration file are listed below.
For an overview of the contents of the agent configuration file, see Agent configuration file. For the complete specifications of the agent configuration file, see configuration-doc.html.
Note that the security configurations for the Oracle Scanners are described in Oracle Scanners.
Endpoint
The Server element is used to specify which Snow Inventory endpoint the agent will send the .snowpack files to. The element contains the security-related endpoint configuration options described in the following sections.
Client certificates
If a client certificate is used to secure the connection between the agent and the endpoint, this is configured in <Server><Endpoint><ClientCertificate>. For more information, see Client certificates.
Proxy credentials
If the endpoint is a proxy server, the credentials for authenticating the connection with the proxy server can be specified in <Server><Endpoint><Proxy>.
EXAMPLE
<Server>
  <Endpoint>
    <Proxy>
      <Credentials>
        <UserName>user123</UserName>
        <Password>encryptedpassword</Password>
      </Credentials>
    </Proxy>
  </Endpoint>
</Server>
Key for public key pinning
When using public key pinning to prevent man-in-the-middle attacks on the link between the agent and the endpoint, <Server><Endpoint><ServerPublicKeyHash> is used to store the key. For more information, see Public key pinning.
Drop location
The DropLocation element is used to specify locations that the agent will send the .snowpack files to in addition to the endpoints specified in the Server element. The element contains the security-related configuration option described in the following section.
Network credentials
For the Windows agent, the credentials for connecting to a network share as a specific user can be specified in <DropLocation><Network><Credentials>.
EXAMPLE
<DropLocation>
  <Network>
    <Credentials>
      <Domain>domainname</Domain>
      <UserName>username</UserName>
      <Password>encryptedpassword</Password>
    </Credentials>
  </Network>
</DropLocation>
System settings
The SystemSettings element contains various settings changing the behavior of the agent in different ways.
The following system settings are security-related:
- privacy.hide_user
  Anonymizes user names in the .snowpack file. For more information, see Configure the agent to anonymize user data.
- privacy.hide_ip
  Anonymizes IP addresses in the .snowpack file. For more information, see Configure the agent to anonymize IP addresses.
- http.ssl_verify
  Verifies that the certificate used to secure communication is issued by a trusted certificate authority (CA). For more information, see Self-signed or self-issued certificates.
- http.ssl_capath
  Specifies the path to the PEM file containing the certificate or certificate bundle when communicating via SSL/TLS for Linux and macOS agents. For more information, see Communication using TLS.
- powershell.encryption_key
  Enables encryption with a custom encryption key. For more information, see PowerShell script integrity modes and custom encryption prior to version 7.
  Note that this setting is only applicable to Snow Inventory Agent for Windows prior to version 7. The setting has been deprecated and from version 7, certificates are used instead.
- snowpack.encryption_fingerprint
  Defines the AES key used for the encryption of .snowpack files.
- snowpack.encryption_path
  Defines the path to where the encryption keys specified in snowpack.encryption_fingerprint are stored.
- disable_all_updates
  Prevents the agent from performing any updates. Ensures that no authorized changes are being made to the environment.
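The following is an added example, not part of the Snow documentation: a Python check that reads an agent configuration file and reports on the security-related elements and system settings listed above. It assumes a root element named Configuration, system settings written as <Setting key="..." value="..."/>, and boolean values spelled true/false; the sample configuration is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample. Assumptions: the root element name, the
# <Setting key= value=> form and true/false values. Other names are from the page.
SAMPLE_CONFIG = """<Configuration>
  <Server>
    <Endpoint>
      <Proxy>
        <Credentials>
          <UserName>user123</UserName>
          <Password>encryptedpassword</Password>
        </Credentials>
      </Proxy>
    </Endpoint>
  </Server>
  <SystemSettings>
    <Setting key="http.ssl_verify" value="false"/>
    <Setting key="privacy.hide_user" value="true"/>
  </SystemSettings>
</Configuration>"""

def audit_agent_config(xml_text):
    """Return a list of findings for the security-related settings."""
    root = ET.fromstring(xml_text)
    # Map each setting key to its normalized value.
    settings = {s.get("key"): (s.get("value") or "").strip().lower()
                for s in root.iter("Setting")}
    findings = []
    for endpoint in root.iter("Endpoint"):
        pin = endpoint.findtext("ServerPublicKeyHash", default="").strip()
        if not pin:
            findings.append("Endpoint without ServerPublicKeyHash: no public key pinning")
    if settings.get("http.ssl_verify") == "false":
        findings.append("http.ssl_verify is false: CA trust check disabled")
    for key in ("privacy.hide_user", "privacy.hide_ip"):
        if settings.get(key) != "true":
            findings.append(f"{key} not enabled: value stays in .snowpack files")
    if settings.get("disable_all_updates") != "true":
        findings.append("disable_all_updates not enabled: agent may update itself")
    if "powershell.encryption_key" in settings:
        findings.append("powershell.encryption_key set: deprecated from version 7")
    return findings

if __name__ == "__main__":
    for line in audit_agent_config(SAMPLE_CONFIG):
        print(line)
```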