Host agent security considerations
The Instana agent has deep access into the observed system where it is installed. For security considerations when the agent is running, see the following information:
TLS encrypted Agent Endpoint
The agent can be configured to accept TLS encrypted requests on its HTTP port
42699 and on its gRPC port
4317. See Setting up TLS Encryption for Agent Endpoint for more details.
During runtime, the agent creates temporary files, and stores additional libraries in
$TMP/.instana on the host machine where it runs or inside application containers that the agent monitors. These files are accessed by monitored
processes during runtime. Because monitored applications run with various user permissions, these files have wide access permissions. On Linux-based hosts and on container environments, the permissions are
777. On Windows-based
hosts, these files are located in
%TEMP%/instana, and have full access permissions for the user account that runs the application.
Temporary files details
Most of the temporary files are used for monitoring and tracing of Java-based workloads. The basic files that are required for metrics and tracing of Java-based workloads are:
|file name||file size||process specific|
- File sizes can vary for later versions.
javaagent-loaderis required only once for multiple Java processes that run on the same host.
- For containerized Java workloads, the whole set of files is copied into each individual container.
- The effective number of files depends on the number and kind of Java-based workloads. For certain Java frameworks and runtimes, Instana can provide more detailed information on top of the basic JVM monitoring. Depending on the used Java
technology (e.g. SpringBoot, Wildfly, WebSphere, Tomcat, etc.), additional
sensor-<technology>-javaagent-...files are copied.
See Kubernetes security considerations for more details.