Infrastructure agent security

New Relic's infrastructure agent runs on your hosts and provides comprehensive data, especially when running with administrator privileges. What follows is an overview of our infrastructure agent's security and some recommendations.

Secure agent communication

Every piece of information exchanged between your hosts and the infrastructure agent is delivered securely. All communication from the agent occurs over HTTPS, using Transport Layer Security (TLS). To ensure secure communication, the infrastructure agent was designed with the following protective measures:

All communication is established directly from the agent to the service.
The agent does not require any incoming ports to be opened.
The agent is read-only and cannot make changes to your system.

The infrastructure agent does not support high security mode.

For more information about New Relic's security measures, see our security and privacy documentation, or visit the New Relic security website.

Running modes

New Relic is committed to the security of your data. All data derived while running the infrastructure agent is protected, and used only to deliver information related to your infrastructure back to you.

Linux

You can run the infrastructure Linux agent in three different modes:

The agent runs a non-privileged user, named the nri-agent, which is granted extended kernel capabilities during the installation process. The privileged nri-agent user is therefore able to collect some metrics and most of the inventory. These permissions are read-only.

The installation scripts in privileged mode will make the following changes in your system:

Create the nri-agent user and group.
Set the nri-agent user and group as the owners of the following directories:
- /var/run/newrelic-infra
- /var/db/newrelic-infra
- /var/log/newrelic-infra
- /etc/newrelic-infra
Add the following kernel capabilities to the /usr/bin/newrelic-infra executable:
- CAP_SYS_PTRACE, which allows inspecting and tracing arbitrary processes
- CAP_DAC_READ_SEARCH, to bypass file and directory read and execute permission checks

The agent runs with a non-privileged user, nri-agent, which is automatically created during the upgrade/installation process, and will not have read access to all the system metrics. This provides visibility into environments with very strict security or regulatory policies. There are no special permissions or access granted to the user in this run mode.

The installation scripts in unprivileged mode will make the following changes in your system:

Create the nri-agent user and group.
Set the nri-agent and group as the owners of the following system files and folders:
- /var/run/newrelic-infra
- /var/db/newrelic-infra
- /var/log/newrelic-infra
- /etc/newrelic-infra

For more details on the different running modes, see the comparison in the Infrastructure installation documentation.

Windows

In Windows systems, the agent must be executed with Administrator permissions.

Sources of data collection

The infrastructure agent gathers metrics, events, and inventory data from a variety of OS sources. While some of these sources can be read from a non-privileged account, others require elevated privileges.

For current agent versions, New Relic requires that it run as the root user (on Linux) or with full Administrator access (Windows). Here are additional details about how the infrastructure agent accesses default directories and what packages and commands it uses.

Unless otherwise noted, this information applies to any Linux operating system.

Directory or file	Purpose	Linux OS
`/etc/newrelic-infra.yml`	Default configuration file	Any
`/usr/bin/newrelic-infra-service`	Default agent service wrapper binary install location	Any
`/usr/bin/newrelic-infra`	Default agent binary install location	Any
`/usr/bin/newrelic-infra-ctl`	Default CLI agent control binary location	Any
`/var/db/newrelic-infra/`	Default inventory cache and plugin binaries	Any
`/var/run/newrelic-infra.pid`	Default pid file	Any
`stdout`, `stderr`, `logs`	Depending on configuration, the agent writes logs to `stdout`, which may connect to your system logging service	Any

Some data sources are specific to particular operating systems. Unless otherwise mentioned, New Relic uses the source on all variations of an operating system when the related software is detected. Many of the tools are on a path accessible to the agent. If not otherwise indicated, the infrastructure agent typically searches for them in /usr/bin, /bin, or /sbin.

New Relic uses some tools or data sources to gather information for multiple infrastructure features. Here are some primary use cases. Unless otherwise noted, New Relic uses this information primarily for the Inventory page.

Plugin or data	Tool, directory, or file	Linux OS
`systemd`	`initctl list`	Any
`upstart`	`systemctl -l`, `systemctl show`, `modinfo`, `lsmod`	Any
`selinux`	`sestatus -b, semodule -l`	Any
`dpkg`	`dpkg-query -W -f`	Debian
`rpm`	`rpm -qa`	Redhat
`hostinfo`	`/sys/devices/virtual/dmi/id/sys_vendor, /sys/devices/virtual/dmi/id/product_name`	Any
`hostinfo`	`/proc/sys/kernel/osrelease`	Any
`hostinfo`	`uptime -s`	Any
`hostinfo`	/etc/lsb_release	Debian
`hostinfo`	`/etc/redhat-release`	Redhat
`facter`	`facter -p -j`	Any
`daemontool`	`svstat`	Any
`kernel_modules`	`/sbin/modinfo`, `/sbin/lsmod`	Any
`users`	`/usr/bin/env who`	Any
Various plugins gather system-wide details through this directory. Used for infrastructure Inventory and metrics.	`/proc/`	Any
Various plugins gather `sysctl` settings through this directory. Used for infrastructure Inventory and metrics.	`/sys/`	Any
Various plugins (`sshd_config`, `hostinfo`) read specific configs in this directory. Used for infrastructure Inventory and metrics.	`/etc/`	Any

Proxies

New Relic includes optional settings so that you can configure the agent to communicate through a proxy. To define proxy settings, see the configuration documentation for infrastructure monitoring.

External agent connections

The agent periodically sends JSON-formatted data describing compute metrics, events, and your inventory configuration to the infrastructure endpoint at New Relic. These communications are associated with the agent using the license key generated for your account. Once New Relic receives data from any external agent, it will display the new metrics, events, or configuration data in the infrastructure monitoring UI.

External agent commands

The agent handles two different sources of commands, newrelic-infra-ctl and command-API:

CLI commands submitted with newrelic-infra-ctl are sent into the agent with Linux or Docker signaling or with Windows named-pipes.
Using New Relic's platform command-API endpoint, the agent polls for platform-provided commands every 60 seconds. The connection is always open from the agent into the New Relic platform command-API endpoint, never the opposite way. The command-API endpoint is used only to force enable or disable of dynamic entities' registration. It also applies to the Docker integration that comes with the infrastructure agent version 1.9.0 or higher.

Deliverables

The infrastructure agent and all on-host integrations that run on top of it are provided using standard operating system repositories and packages. New Relic cryptographically signs all packages, and verification steps are provided by default in the installation scripts.

All code is checked for dependency vulnerabilities through standard security tools (Snyk, Dependabot, Trivy).

New Relic official downloads site is hosted on AWS via S3, and fronted with Fastly, our trusted CDN provider.

Secure agent communication

Running modes

Linux

Run as root

Run as privileged user

Run as unprivileged user