There are two methods to scan nodes with Cloudhouse Guardian. This page documents the differences between these methods, the pros and cons, and how to decide which method you should use in your deployment.
Overview
Guardian performs its node configuration scanning by running commands on the node to gather configuration data. The commands can be run by an agent installed on the node or through a remote connection performed by a connection manager. While a node can only be collected using one method (agent or agentless), your environment can use any combination of agent and agentless collection methods.
Agent
A service is installed on a specific node, and can only perform a scan on the node where it is installed. The agent connects back to the Guardian Appliance over port 443 to communicate work.
Benefits
- Troubleshooting can be easier since a single node can be isolated (for example, when a timeout needs to be changed)
- No extra VMs are required (besides the Guardian appliance) to use as connection managers
- Windows: No service account is required, the Guardian service can run as Local System
- Linux: For scanning files as root, no connections need to be made to the system as root (the agent can run as root)
Potential Issues
- Deploying and updating the agents can be time-consuming
- Updating the configuration file (such as changing a timeout) can be time-consuming
Agentless
A connection manager, either onboard the Guardian Appliance or deployed as a satellite connection manager, is used to connect to a node, either via an SSH connection, a WinRM connection or via an API, depending on the node type.
Benefits
- Configuration changes happen in one location (on the connection manager)
- No software deployment or configuration on your nodes
- The Guardian Appliance comes with a built-in Default connection manager - no setup required.
Potential Issues
- Requires a connection manager (Windows and Linux require separate connection managers) that can access the nodes
- Windows: A service account is required that has local administrator rights on all nodes
- Linux: For scanning files as root, you will need to use the remote helper, which allows connections from the connection manager as root. This is only used during scans (generally once a day), so the risk is limited
What should I use?
While it mostly depends on your environment and deployment methods, most Guardian users choose agentless scanning. In general, this is because:
- There is less management overhead in deploying and maintaining nodes in Guardian
- Configuration changes are trivial
- New nodes can easily be added, without the need to install any software on the node
However, you may want to use the agent when:
- You have a node that cannot be accessed remotely (but can communicate to the appliance on port 443)
- You have a node with an unreliable connection to the appliance or connection manager, where agentless scans may not run as expected
- You are unable to deploy a connection manager that can reach a node
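One way to turn the criteria above into a repeatable check before rollout is to probe, from the host that will act as the connection manager, whether each node's remote-management port answers at all. The following Python script is an added example and is not part of Cloudhouse Guardian: it classifies nodes the connection manager can reach as candidates for agentless collection and flags the rest as candidates for the agent. The ports it uses (22 for SSH, 5985 and 5986 for WinRM) are standard defaults assumed here rather than values this page specifies; the node names and 192.0.2.x addresses are constructed sample data.

```python
"""Pre-deployment reachability check for choosing agentless vs agent collection.

Added example; not part of Cloudhouse Guardian. Run it on the host that will act
as the connection manager: for each node it probes the remote-management port
(SSH for Linux, WinRM for Windows) with a timeout and reports which nodes the
connection manager can reach. Nodes it cannot reach are candidates for the
agent, which instead needs an outbound path from the node to the appliance on
port 443 (a check that has to be run on the node itself, not from here).
The port numbers are standard defaults assumed for this example.
"""
import socket
from dataclasses import dataclass

# Standard default ports (assumption): SSH, WinRM over HTTP, WinRM over HTTPS.
MANAGEMENT_PORTS = {"linux": (22,), "windows": (5985, 5986)}
APPLIANCE_PORT = 443  # the agent's outbound port to the appliance


@dataclass
class Node:
    name: str
    host: str
    os: str  # "linux" or "windows"


def tcp_reachable(host, port, timeout=3.0):
    """Return True if a TCP connection to host:port completes within timeout.

    Any socket error (refused, timed out, no route, name lookup failure)
    counts as unreachable; this is a quick go/no-go, not a diagnosis.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def assess(node, probe=tcp_reachable, timeout=3.0, ports=MANAGEMENT_PORTS):
    """Classify one node as 'agentless' or 'agent' from what this host can reach.

    `probe` is injectable so the decision logic can be exercised without
    a network (the tests below pass a stub instead of tcp_reachable).
    """
    candidates = ports.get(node.os)
    if not candidates:
        raise ValueError(f"{node.name}: unknown os {node.os!r}")
    open_ports = [p for p in candidates if probe(node.host, p, timeout)]
    if open_ports:
        return {"node": node.name, "method": "agentless", "open_ports": open_ports,
                "note": "management port reachable from this connection manager"}
    return {"node": node.name, "method": "agent", "open_ports": [],
            "note": (f"no management port reachable; deploy the agent and confirm "
                     f"the node can reach the appliance on {APPLIANCE_PORT}")}


def plan(nodes, probe=tcp_reachable, timeout=3.0):
    """Return {'agentless': [names], 'agent': [names]} for an inventory."""
    result = {"agentless": [], "agent": []}
    for node in nodes:
        result[assess(node, probe, timeout)["method"]].append(node.name)
    return result


if __name__ == "__main__":
    # Constructed inventory for illustration; replace with your own node list.
    inventory = [
        Node("lin-web-01", "192.0.2.10", "linux"),
        Node("win-app-01", "192.0.2.20", "windows"),
    ]
    for r in (assess(n) for n in inventory):
        print(f"{r['node']:12} {r['method']:9} {r['note']}")
```

A node reported as "agent" is only a candidate: a reachable port says nothing about whether the service account or remote helper will work, and the agent path still needs the node itself to reach the appliance on 443, which this script cannot observe from the connection manager.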
For further discussion on which method to choose, please contact your Account Manager.