Security Thoughts and Idea around Agent Updates

[DMSnz]

This is not a criticism as such more just thoughts.

I believe and could be wrong, that by default on a new installation, Agent Auto Update is enabled.
My thoughts are that due these coming from the source on Internet, in theory worst case scenario there could be a supply side attack that by whatever means creates a bad agent version and downloads to an entire corporate network where TRMM is running.

Could it be, that code signing helps with this (although in theory still a possibility - 3CX hack good example).

I would suggest at the very least, agent auto update is disabled by default.
But further to this could it be possible to have a more detailed agent update page, that would show the available agent versions (both existing and those new yet to install, when released and so on).
It could go one step further, that agent update page could allow an auto install after X number of days of updated agent release, for example maybe say 60 days, on the thought a delay like that should give time for any exploits to be found if it should happen.

Am I crazy and alone with my thoughts?

[wh1te909]

if the main concern here is supply chain attack, agent update is probably the least of your concerns. what about the dozens of 3rd party python packages the software uses, or the hundreds of npm packages?

[DMSnz]

well unless I am wrong, our build as it is now will not automatically update and pull down new python code / npm packages?

Therefore my point around agents updating automatically still in my opinion is greater risk.
I can control updates to my main instance can I not?

[wh1te909]

Agent updates are tied to a new instance release, on a new release the python/npm packages are updated and if there also happens to be a new version of an agent, it's pinned to that release. There is never a scenario where there will be an agent update without a new instance release, so by update your instance you'll also be updating your agents.

[DMSnz]

OK in that case its likely just a misunderstanding of the "Automatically update agents" option.
Does that option then simply automatically update agents ONCE and ONLY if the instance is updated?
And if disabled, when getting a new instance version it wont update agents likely ending in problems with compatibility and so on?

[wh1te909]

yes that's exactly correct. if you're on an old instance version and you don't update, as far as the instance is concerned, a new agent update doesn't even exist yet and the instance isn't aware of it, because the latest agent version is hardcoded into the code on your server, which of course hasn't been updated yet.

[DMSnz]

Thanks, my misunderstanding on the whole agent update side of it :)
Appreciate the help, can close this out.