Diamond is often used in legacy Graphite stacks and should be locked down at the collector and output layers.
- Disable unused collectors and custom scripts.
- Run Diamond under a non-root user with least privilege.
- Validate custom collector code before deployment.
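
An added example, not part of Diamond or the original page: a small audit of a diamond.conf-style file against the first two items above. The `[server]` `user` key, the per-collector `enabled` key and the collector names follow Diamond's config layout as assumed here; the sample config and the `APPROVED` allowlist are constructed, and a collector with no `enabled` key is treated as disabled.

```python
import re

# Constructed sample config in the [section] / [[subsection]] layout
# assumed for Diamond's diamond.conf.
SAMPLE_CONF = """\
[server]
user =
[collectors]
[[default]]
interval = 60
[[CPUCollector]]
enabled = True
[[UserScriptsCollector]]
enabled = True
[[NetworkCollector]]
enabled = False
"""
APPROVED = {"CPUCollector"}  # hypothetical allowlist for this host

def parse(text):
    """Parse two-level ConfigObj-style text into {section: {sub: {key: val}}}."""
    conf, section, sub = {}, None, ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        m = re.fullmatch(r"(\[+)\s*([^\[\]]+?)\s*\]+", line)
        if m and len(m.group(1)) == 1:       # [section]
            section, sub = m.group(2), ""
            conf.setdefault(section, {"": {}})
        elif m and section is not None:      # [[subsection]]
            sub = m.group(2)
            conf[section].setdefault(sub, {})
        elif "=" in line and section is not None:
            key, val = (p.strip() for p in line.split("=", 1))
            conf[section][sub][key] = val
    return conf

def audit(text, approved=APPROVED):
    """Return findings for the non-root and unused-collector checks."""
    conf, findings = parse(text), []
    user = conf.get("server", {}).get("", {}).get("user", "")
    if user in ("", "root", "0"):
        findings.append("server.user is unset or root")
    for name, opts in conf.get("collectors", {}).items():
        enabled = opts.get("enabled", "False").lower() == "true"
        if name not in ("", "default") and enabled and name not in approved:
            findings.append("collector enabled but not approved: " + name)
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONF)))
```
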
Transport and Backend Security
- Protect metric transport channels with network restrictions.
- Use encrypted transport where the backend supports it.
- Restrict write privileges on the Graphite/TSDB side.