Performance Co-Pilot (PCP) is a powerful system performance monitoring and analysis framework. It provides distributed monitoring capabilities with agents, collectors, and visualization tools. As a system with deep access to system metrics and potential remote execution capabilities, PCP requires proper security configuration. This guide covers security measures for production PCP deployments.
PCP architecture includes these security-sensitive components:
Key security concerns include PMCD access control, API security, metrics exposure, remote execution prevention, and data protection.
Configure firewall rules for PCP:
```bash
# PMCD (default port 44321)
ufw allow from 10.0.0.0/8 to any port 44321 proto tcp

# PMProxy (default port 44322)
ufw allow from 10.0.0.0/8 to any port 44322 proto tcp

# Web interface (if enabled)
ufw allow from 10.0.0.0/8 to any port 44323 proto tcp

# Block external access
ufw deny from any to any port 44321 proto tcp
ufw deny from any to any port 44322 proto tcp
ufw deny from any to any port 44323 proto tcp
```
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: pcp-network-policy
spec:
  podSelector:
    matchLabels:
      app: pcp
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              name: monitoring
      ports:
        - protocol: TCP
          port: 44321
        - protocol: TCP
          port: 44322
```
Configure PMCD binding:
```
# /etc/pcp/pmcd/pmcd.conf

# Bind to specific interface
PCD_HOST=localhost

# Or for network access
# PCD_HOST=10.0.1.100

# Port
PCD_PORT=44321
```
Configure PMProxy:
```
# /etc/pcp/pmproxy/pmproxy.conf
bind=127.0.0.1
port=44322

# Or for network access
# bind=10.0.1.100
# port=44322
```
Configure PMCD access control:
```
# /etc/pcp/pmcd/pmcd.access
# Format: host_pattern authentication_type [encryption_type]

# Allow localhost without auth
localhost cert

# Allow internal network with SASL
10.0.0.0/8 sasl

# Deny all others
* reject
```
Configure SASL authentication:
```
# /etc/pcp/sasl/pmcd.conf
mech_list: plain scram-sha-256
log_level: 3
```

```bash
# Create users
saslpasswd2 -c -u PCP pcp_user
```
Configure metric access permissions:
```
# /etc/pcp/pmcd/pmcd.access

# Full access for admins
admin-host cert
admin-user sasl

# Read-only for viewers
viewer-host cert readonly
viewer-user sasl readonly
```
Configure authentication for web interface:
```nginx
# /etc/nginx/sites-available/pcp
location / {
    auth_basic "PCP Access";
    auth_basic_user_file /etc/nginx/.htpasswd;
    proxy_pass http://localhost:44323;
}
```
Configure TLS for PMCD:
```
# /etc/pcp/pmcd/pmcd.options
-l ssl
-c /etc/pcp/ssl/pmcd.crt
-k /etc/pcp/ssl/pmcd.key
-C /etc/pcp/ssl/ca.crt
```
Generate certificates:
```bash
# Create CA
openssl genrsa -out ca.key 4096
openssl req -new -x509 -days 3650 -key ca.key -out ca.crt \
    -subj "/CN=PCP CA/O=Company"

# Create PMCD certificate
openssl req -new -nodes -newkey rsa:2048 \
    -keyout pmcd.key -out pmcd.csr \
    -subj "/CN=pmcd.company.com"
openssl x509 -req -days 365 -in pmcd.csr \
    -CA ca.crt -CAkey ca.key -CAcreateserial \
    -out pmcd.crt
```
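The certificate steps above, extended as an added example that is not part of the original guide: the server certificate is issued with a subjectAltName (current TLS clients match the host name against the SAN rather than the CN), files are created under `umask 077`, and the result is checked against the CA. The function names, the `pmcd.ext` file and the output directory are assumptions of this example.

```bash
#!/bin/bash
# Added example, not from the original guide. Function names, pmcd.ext and
# the output directory are assumptions; the openssl parameters follow the guide.

# make_pcp_certs DIR HOST: create a CA and a PMCD server certificate in DIR.
make_pcp_certs() {
    local dir="$1" host="$2"
    (
        umask 077    # keys and certificates are created readable by owner only
        mkdir -p "$dir" && cd "$dir" || exit 1

        # "openssl x509 -req" ignores extensions requested in the CSR, so the
        # SAN and usage restrictions go into an extension file used at signing.
        printf '%s\n' "subjectAltName=DNS:$host" \
            "basicConstraints=CA:FALSE" \
            "extendedKeyUsage=serverAuth" > pmcd.ext

        openssl genrsa -out ca.key 4096 2>/dev/null &&
        openssl req -new -x509 -days 3650 -key ca.key -out ca.crt \
            -subj "/CN=PCP CA/O=Company" &&
        openssl req -new -nodes -newkey rsa:2048 \
            -keyout pmcd.key -out pmcd.csr -subj "/CN=$host" 2>/dev/null &&
        openssl x509 -req -days 365 -in pmcd.csr \
            -CA ca.crt -CAkey ca.key -CAcreateserial \
            -extfile pmcd.ext -out pmcd.crt 2>/dev/null
    )
}

# verify_pcp_cert DIR HOST
# Returns 0 = ok, 1 = chain does not verify, 2 = HOST not in SAN,
# 3 = private key does not belong to the certificate.
verify_pcp_cert() {
    local dir="$1" host="$2"
    openssl verify -CAfile "$dir/ca.crt" "$dir/pmcd.crt" >/dev/null 2>&1 || return 1
    openssl x509 -in "$dir/pmcd.crt" -noout -text |
        grep -qF "DNS:$host" || return 2
    [ "$(openssl x509 -in "$dir/pmcd.crt" -noout -pubkey)" = \
      "$(openssl pkey -in "$dir/pmcd.key" -pubout)" ] || return 3
}
```

Running `verify_pcp_cert` again after each renewal catches a certificate that was reissued against the wrong key or without the SAN before the service is restarted.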
Configure TLS for PMProxy:
```
# /etc/pcp/pmproxy/pmproxy.conf
bind=127.0.0.1
port=44322
ssl_cert=/etc/pcp/ssl/pmproxy.crt
ssl_key=/etc/pcp/ssl/pmproxy.key
ssl_ca=/etc/pcp/ssl/ca.crt
```
Configure TLS for PCP clients:
```
# /etc/pcp/pmcd/pmcd.options (client side)
-l ssl
-c /etc/pcp/ssl/client.crt
-k /etc/pcp/ssl/client.key
-C /etc/pcp/ssl/ca.crt
```
Secure PMAPI access:
| Endpoint | Risk Level | Access Control |
|---|---|---|
| pmGetIndom | Low | Authenticated |
| pmFetch | Low | Authenticated |
| pmStore | High | Admin only |
| pmControlLog | High | Admin only |
| pmNewContext | Medium | Authenticated |
Implement access control:
```
# /etc/pcp/pmcd/pmcd.access

# Restrict write operations
admin-host cert write
viewer-host cert read
```
Restrict metric access:
```
# /etc/pcp/pmcd/pmcd.access

# Allow specific metrics only
* sasl metrics=pmcd.*,kernel.*,mem.*

# Deny sensitive metrics
* reject metrics=proc.*,network.tcp.*
```
Disable remote execution:
```
# /etc/pcp/pmcd/pmcd.options

# Disable agent execution
-x no_exec

# Restrict agent access
-a /etc/pcp/pmda/allowed_agents
```
Configure web interface security:
```nginx
# /etc/nginx/sites-available/pcp
server {
    listen 443 ssl http2;
    server_name pcp.company.com;

    ssl_certificate /etc/nginx/certs/pcp.crt;
    ssl_certificate_key /etc/nginx/certs/pcp.key;

    # Security headers
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;

    location / {
        auth_basic "PCP Access";
        auth_basic_user_file /etc/nginx/.htpasswd;
        proxy_pass http://localhost:44323;
    }
}
```
Secure PCP archives:
```bash
# Set restrictive permissions
chown -R pcp:pcp /var/log/pcp/pmcd
chmod -R 750 /var/log/pcp/pmcd

# Use encrypted filesystem
# Mount /var/log/pcp on encrypted volume
```
Protect PCP configuration:
```bash
# Set restrictive permissions
chown root:pcp /etc/pcp/pmcd/pmcd.conf
chmod 640 /etc/pcp/pmcd/pmcd.conf
chown root:pcp /etc/pcp/pmcd/pmcd.access
chmod 640 /etc/pcp/pmcd/pmcd.access

# Encrypt sensitive configuration
gpg -c /etc/pcp/pmcd/pmcd.access
```
Secure SASL credentials:
```bash
# SASL password database
chown root:pcp /etc/sasl2/pmcd.db
chmod 640 /etc/sasl2/pmcd.db

# Use environment variables for automation
export PCP_SASL_USER="pcp_user"
export PCP_SASL_PASS="${PCP_SASL_PASSWORD}"
```
Secure PCP logs:
```bash
# Set restrictive permissions
chown pcp:adm /var/log/pcp
chmod 750 /var/log/pcp

# Configure log rotation
cat > /etc/logrotate.d/pcp << EOF
/var/log/pcp/*.log {
    weekly
    rotate 4
    compress
    delaycompress
    missingok
    notifempty
    create 640 pcp adm
}
EOF
```
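File modes drift after package upgrades, restores and manual edits, so the `chmod` settings from the archive, configuration, SASL and log steps above are worth re-checking on a schedule. The following audit is an added example, not part of the original guide; the function name, the `PCP_EXPECTED` table and the optional root prefix are assumptions, and it needs bash and GNU find.

```bash
#!/bin/bash
# Added example, not from the original guide: report anything that is more
# permissive than the chmod commands in this guide allow.

# path:max_mode:R  (R = recurse, matching "chmod -R"; - = the path itself)
PCP_EXPECTED="
/var/log/pcp/pmcd:750:R
/var/log/pcp:750:-
/etc/pcp/pmcd/pmcd.conf:640:-
/etc/pcp/pmcd/pmcd.access:640:-
/etc/sasl2/pmcd.db:640:-
"

# audit_pcp_perms [ROOT]
# ROOT is a hypothetical prefix so that a restored copy or a container
# filesystem can be checked. Prints findings and returns 1 if there are any.
audit_pcp_perms() {
    local root="${1:-}" entry path max rec forbidden hits status=0
    for entry in $PCP_EXPECTED; do
        IFS=: read -r path max rec <<< "$entry"
        if [ ! -e "$root$path" ]; then
            echo "SKIP $path (not present)"
            continue
        fi
        # Permission bits outside the allowed maximum, e.g. 750 -> 027
        forbidden=$(printf '%o' $(( ~0$max & 0777 )))
        if [ "$rec" = R ]; then
            hits=$(find "$root$path" -perm "/$forbidden" -printf '%m %p\n')
        else
            hits=$(find "$root$path" -maxdepth 0 -perm "/$forbidden" -printf '%m %p\n')
        fi
        if [ -n "$hits" ]; then
            echo "TOO_OPEN (max $max):"
            echo "$hits"
            status=1
        fi
    done
    return "$status"
}
```

The check covers mode bits only; ownership (`root:pcp`, `pcp:adm`) still has to be compared separately, for example with `stat -c '%U:%G'`.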
Enable logging:
```
# /etc/pcp/pmcd/pmcd.options
-l debug
-f /var/log/pcp/pmcd.log
```
Configure PMCD access logging:
```
# /etc/pcp/pmcd/pmcd.options
-l access
-f /var/log/pcp/pmcd_access.log
```
Monitor PCP for security events:
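```bash
#!/bin/bash
# /usr/local/bin/check-pcp-security.sh

# Check for unauthorized access attempts.
# grep -c prints 0 itself when nothing matches (and exits 1), so "|| echo 0"
# would produce two values and break the numeric test. Default to 0 only
# when the log is unreadable and grep prints nothing.
UNAUTH=$(grep -c "reject" /var/log/pcp/pmcd.log 2>/dev/null)
UNAUTH=${UNAUTH:-0}
if [ "$UNAUTH" -gt 20 ]; then
    echo "WARNING: Multiple unauthorized access attempts"
    exit 1
fi

# Check for authentication failures
AUTH_FAIL=$(grep -c "authentication failed" /var/log/pcp/pmcd.log 2>/dev/null)
AUTH_FAIL=${AUTH_FAIL:-0}
if [ "$AUTH_FAIL" -gt 10 ]; then
    echo "CRITICAL: Multiple authentication failures"
    exit 2
fi
```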
Use PCP metrics for security monitoring:
```bash
# Monitor failed authentication attempts
pmfetch -s 60 'security.auth.failures'

# Monitor connection attempts
pmfetch -s 60 'pmcd.client.connect'
```
Forward logs to SIEM:
```
# /etc/rsyslog.d/pcp.conf
:programname, isequal, "pmcd" /var/log/pcp/pmcd.log
# A single @ forwards over UDP; @@ forwards over TCP
:programname, isequal, "pmcd" @siem.company.com:514
```