What permissions does the agent require?

Evolven's recommendation is that the agent runs under an account that has "global-read" permissions. If this is not easily configurable, a commonly used alternative is to run the agent under the local system account (Windows) or root (*NIX).

When these permissions are not provided, the burden is on the security team to efficiently add permissions when necessary. Evolven can be used to determine what permissions may be missing in this situation:
  • Provide a DEV environment that uses a more open security model (e.g. root/local system account)
  • Run collections in DEV and all other environments. The systems should be matched closely (same components, applications deployed, etc.)
  • Analyze the differences:
    • Value differences don't matter (e.g. 8GB RAM vs. 16GB RAM); the only differences that matter are those where the prod side is not reporting results
    • Close differences which are expected so that only differences related to security remain
    • Remediate the security issues and re-run the plan. Repeat as necessary.
  • Do the same for each OS and technology, and regularly test to ensure permissions are not removed.
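
The comparison described in the steps above can be sketched as follows. This is an added example, not Evolven code: the flat "item path to collected value" layout, the sample data, and the function names are all assumptions made for illustration and do not reflect Evolven's export format or API.

```python
from fnmatch import fnmatch

# Constructed sample data: one {item path: collected value} map per environment.
# This layout is assumed for illustration; it is not Evolven's export format.
DEV = {
    "os/memory/total": "8GB",
    "os/users/shadow": "42 entries",
    "app/tomcat/conf/server.xml": "sha1:aaa",
    "app/tomcat/conf/tomcat-users.xml": "sha1:bbb",
    "db/oracle/v$parameter": "312 rows",
    "dev-tools/debugger/version": "1.4",
}
PROD = {
    "os/memory/total": "16GB",  # value difference only, not a permission gap
    "os/users/shadow": None,  # item known but nothing collected
    "app/tomcat/conf/server.xml": "sha1:ccc",
    "db/oracle/v$parameter": "",  # empty result
}
EXPECTED = ["dev-tools/*"]  # differences already reviewed and closed (glob patterns)


def has_result(collection, path):
    """True when the environment reported a non-empty value for this item."""
    return collection.get(path) not in (None, "")


def missing_on_restricted(open_env, restricted_env, expected=()):
    """Items the open environment reports but the restricted one does not."""
    gaps = []
    for path in sorted(open_env):
        if not has_result(open_env, path) or has_result(restricted_env, path):
            continue  # nothing to compare, or both report (value diffs ignored)
        if any(fnmatch(path, pattern) for pattern in expected):
            continue  # closed as an expected difference
        gaps.append(path)
    return gaps


def by_component(paths):
    """Group gaps by their first two path segments (one OS/technology area each)."""
    groups = {}
    for path in paths:
        groups.setdefault("/".join(path.split("/")[:2]), []).append(path)
    return groups


if __name__ == "__main__":
    for component, paths in by_component(missing_on_restricted(DEV, PROD, EXPECTED)).items():
        print(component, "->", ", ".join(paths))
```

Each remaining path is a candidate for a missing read permission on the prod side; after remediation, re-running the comparison should return an empty list.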