cPGuard with Enhance

chml

Hey guys,

I’m considering installing and testing cPGuard with Enhance. I read their Enhance installation guide here:

https://opsshield.com/help/cpguard/installation-on-enhance-control-panel/

From my understanding, cPGuard is installed on the app/web server, for example an Apache/OpenLiteSpeed server, and it requires an Enhance System Administrator token in order to read the information it needs from the master server.

If cPGuard is installed on multiple app servers, I assume each of those servers would need access to the same type of token.

Before testing this, I wanted to clarify the security implications. If one app server were ever compromised, wouldn’t an attacker potentially be able to access that System Administrator token and then have cluster-level access through the Enhance API?

Maybe I’m misunderstanding how the integration works, or maybe there is a safer recommended setup for this scenario.

Has anyone tested this, or is there an official/recommended way to limit the token permissions for cPGuard so that a compromised app server would not expose the whole cluster?

Thanks!

Aliysa_Enhance

Hi chml, this is best asked over on the cpguard forum.