Keep Knowledge Discovery Up to Date. New releases may include security updates, including updates to third-party libraries.
Run Knowledge Discovery with Minimal Privileges. In the event that a malicious actor causes Knowledge Discovery to behave dangerously, the potential damage is limited if Knowledge Discovery components are running with minimal privileges. There is no need to run Knowledge Discovery with administrative privileges.
Protect the Application Directory. Knowledge Discovery installation directories contain libraries and other files that are necessary for normal operation. If a malicious actor tampers with these files, they might cause Knowledge Discovery to behave dangerously. You can set directory permissions to allow access only to trusted users.
PATH and LD_LIBRARY_PATH should not include temporary directories, or directories where Knowledge Discovery is permitted to write output, because this creates a potential security vulnerability. ACI servers can, by default, write output to the output subdirectory of the directory where the server is running (see the AllowedOutputDirectoryCSVs parameter).
(Media Server) Specify input and output directories. Media Server can, by default, read from any accessible local file system or network share, and write to any directory. This behavior is deprecated and might change in a future release; with the current version of Media Server you can improve security by setting the parameters AllowedInputDirectories and AllowedEngineOutputDirectories in the [Paths] section of the Media Server configuration file. Setting these parameters ensures that Media Server can only read from, and write to, specified directories and their subdirectories. The default configuration file supplied with Media Server sets these parameters, but if you are upgrading from an earlier version you might need to set them yourself.
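One way to check the PATH and LD_LIBRARY_PATH recommendation above, as an added example that is not part of the product documentation. The directory names are constructed samples, with /opt/kd/content standing in for a server directory and its output subdirectory. The empty-entry, relative-entry and world-writable checks go beyond what the text states.

```shell
#!/bin/sh
# Added example: flag search-path entries that sit in temporary or
# server-writable directories. All directory names are constructed samples.

# is_under ENTRY DIR: succeeds when ENTRY is DIR or lies beneath it.
is_under() {
    case "${1%/}/" in
        "${2%/}"/*) return 0 ;;
    esac
    return 1
}

# audit_search_path NAME VALUE RISKY_DIRS
# VALUE and RISKY_DIRS are colon-separated. Prints one line per finding and
# returns 1 if there were any. The body runs in a subshell, so the IFS and
# globbing changes do not leak into the caller.
audit_search_path() (
    name=$1 value=$2 risky=$3 status=0
    [ -n "$value" ] || exit 0
    case ":$value:" in
        *::*) echo "$name: empty entry (means the current directory)"; status=1 ;;
    esac
    IFS=:
    set -f   # keep entries containing * or ? from being expanded
    for entry in $value; do
        case $entry in
            '') continue ;;
            /*) ;;
            *) echo "$name: relative entry '$entry'"; status=1; continue ;;
        esac
        for dir in $risky; do
            if is_under "$entry" "$dir"; then
                echo "$name: '$entry' is inside '$dir'"; status=1
            fi
        done
        # Beyond the page's wording: any world-writable entry is just as risky.
        if [ -n "$(find -L "$entry" -prune -perm -0002 2>/dev/null)" ]; then
            echo "$name: '$entry' is world-writable"; status=1
        fi
    done
    exit "$status"
)

# Constructed sample: temp dirs plus a hypothetical server output directory.
RISKY_DIRS="/tmp:/var/tmp:/opt/kd/content/output"
SAMPLE="/opt/kd/content:/tmp/build::/opt/kd/content/output:lib"
audit_search_path LD_LIBRARY_PATH "$SAMPLE" "$RISKY_DIRS" || echo "review the entries above"
```

To audit a live environment, pass the real values, for example `audit_search_path PATH "$PATH" "$RISKY_DIRS"`, run as the account that starts the server.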