
Security configurations

The security-related elements and settings in the agent configuration file are listed below.

For an overview of the contents of the agent configuration file, see Agent configuration file. For the complete specifications of the agent configuration file, see configuration-doc.html.

Note that the security configurations for the Oracle Scanners are described in Oracle Scanners.

Endpoint

The Server element is used to specify which Snow Inventory endpoint the agent will send the .snowpack files to. The element contains the security-related endpoint configuration options described in the following sections.

Client certificates

If a client certificate is used to secure the connection between the agent and the endpoint, this is configured in <Server><Endpoint><ClientCertificate>. For more information, see Client certificates.

Proxy credentials

If the endpoint is a proxy server, the credentials for authenticating the connection with the proxy server can be specified in <Server><Endpoint><Proxy>.

EXAMPLE
<Server>
  <Endpoint>
    <Proxy>
      <Credentials>
        <UserName>user123</UserName>
        <Password>encryptedpassword</Password>
      </Credentials>
    </Proxy>
  </Endpoint>
</Server>

Key for public key pinning

When using public key pinning to prevent man-in-the-middle attacks on the link between the agent and the endpoint, <Server><Endpoint><ServerPublicKeyHash> is used to store the key. For more information, see Public key pinning.

Drop location

The DropLocation element is used to specify locations that the agent will send the .snowpack files to in addition to the endpoints specified in the Server element. The element contains the security-related configuration option described in the following section.

Network credentials

For the Windows agent, the credentials for connecting to a network share as a specific user can be specified in <DropLocation><Network><Credentials>.

EXAMPLE
<DropLocation>
  <Network>
    <Credentials>
      <Domain>domainname</Domain>
      <UserName>username</UserName>
      <Password>encryptedpassword</Password>
    </Credentials>
  </Network>
</DropLocation>

System settings

The SystemSettings element contains settings that change the behavior of the agent.

The following system settings are security-related:

  • privacy.hide_user

    Anonymizes user names in the .snowpack file. For more information, see Configure the agent to anonymize user data.

  • privacy.hide_ip

    Anonymizes IP addresses in the .snowpack file. For more information, see Configure the agent to anonymize IP addresses.

  • http.ssl_verify

    Verifies that the certificate used to secure communication is issued by a trusted certificate authority (CA). For more information, see Self-signed or self-issued certificates.

  • http.ssl_capath

    Specifies the path to the PEM file containing the certificate or certificate bundle when communicating via SSL/TLS for Linux and macOS agents. For more information, see Communication using TLS.

  • powershell.encryption_key

    Enables encryption with a custom encryption key. For more information, see PowerShell script integrity modes and custom encryption prior to version 7.

    Note that this setting is only applicable to Snow Inventory Agent for Windows prior to version 7. The setting has been deprecated and from version 7, certificates are used instead.

  • snowpack.encryption_fingerprint

    Defines the AES key used for the encryption of .snowpack files.

  • snowpack.encryption_path

    Defines the path to where the encryption keys specified in snowpack.encryption_fingerprint are stored.

  • disable_all_updates

    Prevents the agent from performing any updates. Ensures that no unauthorized changes are being made to the environment.
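
The security-related elements and settings listed on this page can be reviewed mechanically before a configuration file is deployed. The following Python script is an added example, not part of the Snow documentation or tooling. The <Configuration> root, the <Setting key="..." value="..."/> layout for SystemSettings entries, the "true"/"false" values and the audit helper are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample. Assumptions: the <Configuration> root, the
# <Setting key="..." value="..."/> layout and the "true"/"false" values.
SAMPLE = """<Configuration>
  <Server>
    <Endpoint>
      <Proxy>
        <Credentials>
          <UserName>user123</UserName>
          <Password>encryptedpassword</Password>
        </Credentials>
      </Proxy>
    </Endpoint>
  </Server>
  <SystemSettings>
    <Setting key="http.ssl_verify" value="false"/>
    <Setting key="privacy.hide_user" value="true"/>
  </SystemSettings>
</Configuration>"""


def audit(xml_text):
    """Return review findings for the security-related settings (hypothetical helper)."""
    root = ET.fromstring(xml_text)
    settings = {s.get("key"): (s.get("value") or "").strip().lower()
                for s in root.iter("Setting")}
    findings = []
    # Only an explicit "false" is flagged; the default is not stated on the page.
    if settings.get("http.ssl_verify") == "false":
        findings.append("http.ssl_verify is disabled")
    for n, endpoint in enumerate(root.iter("Endpoint"), 1):
        # An empty or missing hash means no key is stored for pinning.
        if not (endpoint.findtext("ServerPublicKeyHash") or "").strip():
            findings.append(f"endpoint {n}: no ServerPublicKeyHash")
        if endpoint.find("Proxy/Credentials/Password") is not None:
            findings.append(f"endpoint {n}: proxy credentials in file")
    for drop in root.iter("DropLocation"):
        if drop.find("Network/Credentials/Password") is not None:
            findings.append("drop location: network credentials in file")
    for key in ("privacy.hide_user", "privacy.hide_ip"):
        if settings.get(key) != "true":
            findings.append(f"{key} is not enabled")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

A finding about stored credentials is a prompt to restrict read access to the configuration file, not a sign that the configuration is wrong.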