Best Practice: Privilege Separation in Monitoring Agents

It is a Best Practice to run monitoring agents with privilege separation. This means that the user ID the monitoring agent runs as should be a different user ID than the one the applications run as.

But privilege separation makes it harder to check the application, run application commands, access application logs, and so on.

There are some tricks you can use, though, which aren’t too difficult, and once you get the hang of them they should not be too much of a burden to add.

  1. Use a well-known directory that the agent has read access to and the application has write access to.
  2. For commands that must be run as the application, write simple “helper” scripts that run as the application (from cron or another scheduler) and deliver their output to the well-known directory from step 1.
  3. For checks that must be run as the application, write the check so that it runs as the agent user ID and gets the data it needs by reading the output from step 2 as its input.
  4. Ensure that the agent’s only access to application file systems is the well-known directory from step 1, and nothing else.
  5. This step should be obvious, but the effective user ID that the agent runs as should be a different user ID than the application’s user ID.
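Steps 1 to 3 as a working sketch, added here as an example and not part of the original post: `app_helper` is what the application user's cron job would run, and `agent_check` is what the agent runs. The directory layout, file names, the key=value format and the Nagios-style exit codes are all assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). Names, paths and the status
# file format are assumptions.
#   app_helper  - runs as the APPLICATION user (e.g. from its cron) and drops
#                 a status file into the well-known directory.
#   agent_check - runs as the AGENT user and reads only that file.
# Assumed directory: owned by the application user, group = agent's group,
# mode 0750, so the agent can read files the application writes there.

STATUS_FILE_NAME="app-status.txt"

# Application side. Body runs in a subshell so the umask does not leak.
# Written atomically (temp file + rename) so the agent never sees a
# half-written file.
app_helper() (
    dir="$1"
    tmp="$dir/.$STATUS_FILE_NAME.tmp.$$"
    umask 027                                  # new file: rw-r----- (0640)
    {
        echo "generated_at=$(date +%s)"
        echo "queue_depth=${APP_QUEUE_DEPTH:-0}"  # stands in for a real app command
    } > "$tmp" && mv -f "$tmp" "$dir/$STATUS_FILE_NAME"
)

# Agent side: refuse symlinks, missing, malformed or stale data.
# Exit codes follow the Nagios convention: 0 OK, 2 CRITICAL, 3 UNKNOWN.
agent_check() {
    dir="$1"; max_age="$2"; f="$dir/$STATUS_FILE_NAME"
    if [ -L "$f" ]; then echo "CRITICAL: $f is a symlink"; return 2; fi
    if [ ! -r "$f" ]; then echo "UNKNOWN: $f missing or unreadable"; return 3; fi
    generated_at=""; queue_depth=""
    while IFS='=' read -r key value; do
        case "$key" in
            generated_at) generated_at="$value" ;;
            queue_depth)  queue_depth="$value" ;;
        esac
    done < "$f"
    case "$generated_at" in
        ''|*[!0-9]*) echo "UNKNOWN: bad or missing timestamp in $f"; return 3 ;;
    esac
    age=$(( $(date +%s) - $generated_at ))
    if [ "$age" -gt "$max_age" ]; then
        echo "CRITICAL: status is ${age}s old (helper not running?)"; return 2
    fi
    echo "OK: queue_depth=$queue_depth age=${age}s"
    return 0
}
```

The freshness check matters because a helper that silently stops running would otherwise leave the agent reporting a happy, but old, status forever.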