Host agent security considerations

The Instana agent has deep access to the system that it observes. The following sections describe security considerations that apply while the agent is running.

TLS encrypted Agent Endpoint

The agent can be configured to accept TLS-encrypted requests on its HTTP port 42699 and on its gRPC port 4317. See Setting up TLS Encryption for Agent Endpoint for more details.

Temporary files

During runtime, the agent creates temporary files and stores additional libraries in $TMP/.instana on the host machine where it runs or inside the application containers that it monitors. Monitored processes access these files during runtime. Because monitored applications run with various user permissions, these files have wide access permissions. On Linux-based hosts and in container environments, the permissions are 777. On Windows-based hosts, these files are located in %TEMP%/instana and have full access permissions for the user account that runs the application.

Temporary files details

Most of the temporary files are used for monitoring and tracing of Java-based workloads. The basic files that are required for metrics and tracing of Java-based workloads are:

| File name | File size | Process specific |
|---|---|---|
| javaagent-loader-<version>.jar | 221KB | no |
| instrumentation-boot-<version>-<pid>-<uid>.jar | 50KB | yes |
| instrumentation-shared-<version>-<pid>-<uid>.jar | 4.1MB | yes |
| sensor-java-javaagent-<version>-<pid>-<uid>.jar | 153KB | yes |
| sensor-java-trace-javaagent-<version>-<pid>-<uid>.jar | 3MB | yes |

Notes:

  • File sizes can vary for later versions.
  • javaagent-loader is required only once for multiple Java processes that run on the same host.
  • For containerized Java workloads, the whole set of files is copied into each individual container.
  • The effective number of files depends on the number and kind of Java-based workloads. For certain Java frameworks and runtimes, Instana can provide more detailed information on top of the basic JVM monitoring. Depending on the Java technology in use (for example SpringBoot, Wildfly, WebSphere, or Tomcat), additional sensor-<technology>-javaagent-... files are copied.
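
Because these files are world-writable on Linux and are loaded by monitored processes, it is useful to inventory the directory and detect changes against a baseline taken when the state is trusted. The following Python sketch is an added example, not part of the Instana agent or its documentation. It assumes a Linux host, that $TMP falls back to /tmp when unset, and that <pid> and <uid> are the last two numeric fields of a file name; the function names are hypothetical.

```python
import hashlib
import os
import re
import stat

# Name patterns from the file table. Assumption: <pid> and <uid> are the last
# two numeric, hyphen-separated fields before ".jar".
PATTERNS = [
    ("loader", re.compile(r"^javaagent-loader-.+\.jar$")),
    ("process", re.compile(r"^(?:instrumentation-(?:boot|shared)|sensor-.+-javaagent)"
                           r"-.+-\d+-\d+\.jar$")),
]

def classify(name):
    """Map a file name to 'loader', 'process' or 'unexpected'."""
    return next((kind for kind, rx in PATTERNS if rx.match(name)), "unexpected")

def inventory(root):
    """Record kind, mode and SHA-256 of every non-directory entry under root."""
    records = {}
    for dirpath, dirs, files in os.walk(root):  # does not descend into symlinks
        for name in sorted(dirs + files):
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISDIR(st.st_mode):
                continue
            rec = {"kind": classify(name), "mode": oct(stat.S_IMODE(st.st_mode)),
                   "regular": stat.S_ISREG(st.st_mode), "sha256": None}
            if rec["regular"]:
                # O_NOFOLLOW: refuse a symlink swapped in after the lstat() call.
                fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
                with os.fdopen(fd, "rb") as fh:
                    rec["sha256"] = hashlib.sha256(fh.read()).hexdigest()
            records[os.path.relpath(path, root)] = rec
    return records

def findings(baseline, current):
    """Compare a current inventory with a trusted baseline taken earlier."""
    out = []
    for name, rec in sorted(current.items()):
        if not rec["regular"]:
            out.append((name, "not a regular file"))
        elif rec["kind"] == "unexpected":
            out.append((name, "name matches no agent file pattern"))
        elif name in baseline and baseline[name]["sha256"] != rec["sha256"]:
            out.append((name, "content changed since baseline"))
    return out

if __name__ == "__main__":
    root = os.path.join(os.environ.get("TMP", "/tmp"), ".instana")
    for name, rec in inventory(root).items():
        print(rec["mode"], rec["kind"], rec["sha256"], name)
```

Store the baseline inventory outside the world-writable directory, and expect new process-specific files to appear whenever a monitored JVM starts.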

Kubernetes

See Kubernetes security considerations for more details.