Agent configuration recommendations

2 minute readReference

To mitigate vulnerabilities, CloudBees recommends the following essential measures and recommendations for agent configuration in a non-clustered mode.

Run the agent under a distinct user

Separating privileges is essential for narrowing the potential impact of security breaches. You must enforce that the agent operates under a dedicated user account, separate from the server’s user account.

Below are two examples of configuring the agent to run under a distinct user account. Your implementation may vary depending on your use case and requirements.

  • Run the server as 'serveruser'.

    sudo -u serveruser /etc/init.d/commanderServer start
  • Run the agent as 'agentuser'.

    sudo -u agentuser /etc/init.d/commanderAgent start

Restrict agent user access

The user account under which the agent operates must have restricted access, so this user should not be able to access directories outside of the designated workspace. This limitation is vital in preventing unauthorized file system access.

Below are two examples of restricting a user’s access to a specific directory in Linux. Your implementation may vary depending on your use case and requirements.

  • Change ownership of the directory to 'myuser' and 'mygroup'.

    sudo chown -R myuser:mygroup /path/to/directory
  • Set read, write, and execute permissions for the owner only.

    sudo chmod -R 700 /path/to/directory

Implement an isolation strategy

To enhance security through isolation, consider implementing one of the following strategies.

Use of chroot command

The chroot command achieves a secure and isolated environment for the agent. This approach changes the apparent root directory for the current running process and its children, creating an isolated environment. Refer to BasicChroot for more infomrmation.Refer to Ubuntu documentation, BasicChroot for more information.

Docker container

Run the agent inside the controlled environment of a Docker container. A Docker container limits the agent’s access to the host system and reduces the risk of unauthorized access to critical parts of the file system.

Implementing these measures, can significantly improve your system’s security posture and effectively mitigate potential vulnerabilities.