Security Advisories

You can enable the Security Advisories column in the Fleet Overview table to surface potential security concerns in your collector configurations. These advisories highlight settings that might introduce security risks to your environment and that should be reviewed and resolved where possible.

To view Security Advisories:

  1. Navigate to Fleet Overview and select Columns.

  2. Select Security Advisories from the column options. If any hosts have advisories, these are then shown in the Security Advisories column:

Security Advisories column in Fleet Overview

Figure 15. Security Advisories column in Fleet Overview


Full details on each type of advisory, and how to resolve it, are given below.

Security Advisory Types

  • allowRemoteCMD Enabled

    Advisory text: allowRemoteCMD enabled — flag set in local configuration for collector, allows arbitrary commands to be run on the host.

    Risk: When enabled, this flag permits the use of cmd sources when using remote configuration. This allows arbitrary commands to be executed on the host, representing a significant security risk.

    Resolution: Ensure that allowRemoteCMD is set to false or removed entirely from your collector's local configuration under the flags section:

    yaml
    flags:
      # enable to allow the use of 'cmd' sources when using remote configuration.
      allowRemoteCMD: false

  • allowInsecureHTTP Enabled

    Advisory text: allowInsecureHTTP enabled — allows connection without encryption.

    Risk: When enabled, this flag permits non-HTTPS addresses to be used in Fleet Management and sinks. This means data might be transmitted without encryption, exposing it to interception.

    Resolution: Ensure that allowInsecureHTTP is set to false or removed entirely from your collector's local configuration under the flags section:

    yaml
    flags:
      # enable to allow non-https addresses in fleet management and sinks. defaults to false
      allowInsecureHTTP: false

  • Certificate Verification Disabled (Insecure TLS)

    Advisory text: Certificate verification is disabled — this allows connections without certificate validation.

    Risk: When insecure: true is set in a sink's TLS configuration, certificate verification is skipped when establishing a secure connection. This leaves the connection vulnerable to man-in-the-middle (MITM) attacks, where a malicious actor could intercept or tamper with data in transit. This advisory is triggered by any sink configuration containing tls: insecure: true, for example:

    yaml
    sources:
      file_source:
        type: file
        include:
          - "/var/log/myapp/*.log"
        sink: logscale
    
    sinks:
      logscale:
        type: humio
        url: "https://cloud.humio.com/"
        token: <REDACTED>
        tls:
          insecure: true

    Resolution: Remove the tls.insecure property from the affected sink configuration, or set it to false. This ensures that certificate validation is enforced when establishing connections:

    yaml
    sinks:
      logscale:
        type: humio
        url: "https://cloud.humio.com/"
        token: <REDACTED>

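The three advisory conditions above can also be caught before a collector is enrolled, for example in a CI step that lints collector configuration files. The following script is an added example for this page, not LogScale Collector code or part of Fleet Management: it re-implements the checks over an already-parsed configuration (a Python dict), applies the documented resolutions, and adds one extra check the page does not list (a plaintext `http://` sink URL, which is only usable when `allowInsecureHTTP` is on). The sample configuration is constructed from the file/humio example above with every advisory condition switched on; the `load_config` helper assumes PyYAML is installed where real files are scanned.

```python
"""Offline check for the three Security Advisory conditions described above.
Added example for this page, not LogScale Collector code: it inspects an
already-parsed collector config (a dict) so it can run in CI before a
collector is enrolled. The sample config below is constructed."""
from __future__ import annotations

import copy
from typing import Any


def _enabled(value: Any) -> bool:
    """True for YAML booleans and for the quoted forms 'true'/'yes'."""
    if isinstance(value, bool):
        return value
    return isinstance(value, str) and value.strip().lower() in ("true", "yes")


def find_advisories(config: dict[str, Any]) -> list[str]:
    """Return one message per advisory condition found in `config`."""
    findings: list[str] = []
    flags = config.get("flags") or {}
    if _enabled(flags.get("allowRemoteCMD")):
        findings.append("allowRemoteCMD enabled: remote config may use 'cmd' "
                        "sources and run arbitrary commands on the host")
    if _enabled(flags.get("allowInsecureHTTP")):
        findings.append("allowInsecureHTTP enabled: non-HTTPS addresses "
                        "accepted for fleet management and sinks")
    for name, sink in (config.get("sinks") or {}).items():
        sink = sink or {}
        tls = sink.get("tls") or {}
        if _enabled(tls.get("insecure")):
            findings.append(f"sink '{name}': tls.insecure is true, "
                            "certificate verification disabled")
        # Extra check, not one of the page's advisories: a plaintext sink URL
        # only works with allowInsecureHTTP on, so flag it directly.
        url = str(sink.get("url") or "")
        if url.lower().startswith("http://"):
            findings.append(f"sink '{name}': plaintext URL {url}")
    return findings


def harden(config: dict[str, Any]) -> dict[str, Any]:
    """Apply the documented resolutions and return a corrected copy:
    both flags set to false, tls.insecure removed from every sink."""
    fixed = copy.deepcopy(config)
    flags = fixed.get("flags")
    if isinstance(flags, dict):
        for flag in ("allowRemoteCMD", "allowInsecureHTTP"):
            if flag in flags:
                flags[flag] = False
    for sink in (fixed.get("sinks") or {}).values():
        tls = (sink or {}).get("tls")
        if isinstance(tls, dict):
            tls.pop("insecure", None)
            if not tls:  # drop an emptied tls block rather than leave `tls: {}`
                sink.pop("tls")
    return fixed


# Constructed sample: the page's file/humio example with every advisory
# condition switched on. Not a real deployment.
WEAK_CONFIG: dict[str, Any] = {
    "flags": {"allowRemoteCMD": True, "allowInsecureHTTP": True},
    "sources": {
        "file_source": {
            "type": "file",
            "include": ["/var/log/myapp/*.log"],
            "sink": "logscale",
        }
    },
    "sinks": {
        "logscale": {
            "type": "humio",
            "url": "https://cloud.humio.com/",
            "token": "<REDACTED>",
            "tls": {"insecure": True},
        }
    },
}


def load_config(path: str) -> dict[str, Any]:
    """Load a collector YAML file; PyYAML is only needed on this path."""
    import yaml  # third-party; assumed available where files are scanned
    with open(path, encoding="utf-8") as fh:
        return yaml.safe_load(fh) or {}


if __name__ == "__main__":
    import sys
    cfg = load_config(sys.argv[1]) if len(sys.argv) > 1 else WEAK_CONFIG
    problems = find_advisories(cfg)
    for p in problems:
        print("ADVISORY:", p)
    print("after harden():", find_advisories(harden(cfg)) or "no advisories")
    sys.exit(1 if problems else 0)
```

Run it with a path to a collector config to get a non-zero exit status whenever an advisory condition is present; `harden()` returns a corrected copy without touching the input, so the diff between the two can be reviewed before it is written back.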
Note

The allowRemoteCMD and allowInsecureHTTP flags are intended for testing and other non-production use only. It is strongly recommended that both are disabled in production environments.

To learn more, see: Optional Flags.