https://community.dynatrace.com/t5/Open-Q-A/Non-root-dtuser-file-with-perm-o-777-o-rwx-in-OneAgent-dir-var/m-p/196747#M22955 <P>Hello.</P> <P>At some stage I got such a file on a OneAgent'ed Unix system AIX full-stack (though my sysadmins tell me it happened also on Linux infra-only system) with other+rwx Unix file permission :</P> <P>&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="javascript">/var/lib/dynatrace/oneagent/agent/runtime/0x18eba097bca4a740_java_901179/dump/classes/original/com/ibm/mq/MQEnvironment.class, Octal permissions: 0777, Text Permissions: -rwxrwxrwx-, owner: &lt;AppUnixTechUser&gt;, group: &lt;AppUnixTechUserGroup&gt;</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;with &lt;AppUnixTechUser&gt; and&lt;AppUnixTechUserGroup&gt; *<STRONG>not*</STRONG> being root:root (neither dtuser:dtuser, which btw does not exist on AIX system).</P> <P>&nbsp;</P> <P>It makes unix file permission compliance health check raise incidents.</P> <P>&nbsp;</P> <P>Is see this type of question is not really new. I can find in RFE and Questions, things relating to <EM>log</EM> files though, not <EM>/var/lib/dynatrace</EM> :</P> <UL> <LI> <DIV class=""> <P><SPAN><A class="" href="https://community.dynatrace.com/t5/Dynatrace-Open-Q-A/oneagent-file-permissions/m-p/54099/highlight/true#M2749" target="_blank" rel="noopener">Dynatrace Forum: oneagent file permissions</A> </SPAN></P> </DIV> </LI> <LI> <DIV class=""><A class="" href="https://community.dynatrace.com/t5/Dynatrace-product-ideas/world-writable-directories-and-logs/idi-p/151641" target="_blank" rel="noopener">Dynatrace RFE: Réalisée : world writable directories and logs </A></DIV> </LI> <LI> <DIV class=""><SPAN><A class="" href="https://community.dynatrace.com/t5/Dynatrace-product-ideas/dtuser-file-access-permission-is-breaching-security-compliance/idi-p/191547" target="_blank" rel="noopener">Dynatrace RFE: dtuser file access permission is breaching security compliance requirement for RHEL8</A> </SPAN></DIV> </LI> </UL> <P><SPAN class="">Is anyone facing this issue? </SPAN><SPAN class="">Anything we can do? Removing o-wx permission would be nice.<BR /></SPAN></P> <P><SPAN class="">Regards.</SPAN></P> <P>&nbsp;</P> <P><SPAN class="">For the record: ticket: <A href="https://one.dynatrace.com/hc/en-us/requests/83978" target="_blank" rel="noopener">https://one.dynatrace.com/hc/en-us/requests/83978</A></SPAN></P> Thu, 20 Oct 2022 07:54:56 GMT gilles_tabary 2022-10-20T07:54:56Z https://community.dynatrace.com/t5/Open-Q-A/Non-root-dtuser-file-with-perm-o-777-o-rwx-in-OneAgent-dir-var/m-p/196747#M22955 <P>Hello.</P> <P>At some stage I got such a file on a OneAgent'ed Unix system AIX full-stack (though my sysadmins tell me it happened also on Linux infra-only system) with other+rwx Unix file permission :</P> <P>&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="javascript">/var/lib/dynatrace/oneagent/agent/runtime/0x18eba097bca4a740_java_901179/dump/classes/original/com/ibm/mq/MQEnvironment.class, Octal permissions: 0777, Text Permissions: -rwxrwxrwx-, owner: &lt;AppUnixTechUser&gt;, group: &lt;AppUnixTechUserGroup&gt;</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;with &lt;AppUnixTechUser&gt; and&lt;AppUnixTechUserGroup&gt; *<STRONG>not*</STRONG> being root:root (neither dtuser:dtuser, which btw does not exist on AIX system).</P> <P>&nbsp;</P> <P>It makes unix file permission compliance health check raise incidents.</P> <P>&nbsp;</P> <P>Is see this type of question is not really new. I can find in RFE and Questions, things relating to <EM>log</EM> files though, not <EM>/var/lib/dynatrace</EM> :</P> <UL> <LI> <DIV class=""> <P><SPAN><A class="" href="https://community.dynatrace.com/t5/Dynatrace-Open-Q-A/oneagent-file-permissions/m-p/54099/highlight/true#M2749" target="_blank" rel="noopener">Dynatrace Forum: oneagent file permissions</A> </SPAN></P> </DIV> </LI> <LI> <DIV class=""><A class="" href="https://community.dynatrace.com/t5/Dynatrace-product-ideas/world-writable-directories-and-logs/idi-p/151641" target="_blank" rel="noopener">Dynatrace RFE: Réalisée : world writable directories and logs </A></DIV> </LI> <LI> <DIV class=""><SPAN><A class="" href="https://community.dynatrace.com/t5/Dynatrace-product-ideas/dtuser-file-access-permission-is-breaching-security-compliance/idi-p/191547" target="_blank" rel="noopener">Dynatrace RFE: dtuser file access permission is breaching security compliance requirement for RHEL8</A> </SPAN></DIV> </LI> </UL> <P><SPAN class="">Is anyone facing this issue? </SPAN><SPAN class="">Anything we can do? Removing o-wx permission would be nice.<BR /></SPAN></P> <P><SPAN class="">Regards.</SPAN></P> <P>&nbsp;</P> <P><SPAN class="">For the record: ticket: <A href="https://one.dynatrace.com/hc/en-us/requests/83978" target="_blank" rel="noopener">https://one.dynatrace.com/hc/en-us/requests/83978</A></SPAN></P> Thu, 20 Oct 2022 07:54:56 GMT https://community.dynatrace.com/t5/Open-Q-A/Non-root-dtuser-file-with-perm-o-777-o-rwx-in-OneAgent-dir-var/m-p/196747#M22955 gilles_tabary 2022-10-20T07:54:56Z https://community.dynatrace.com/t5/Open-Q-A/Non-root-dtuser-file-with-perm-o-777-o-rwx-in-OneAgent-dir-var/m-p/196814#M22974 <P>Hmmm... there... in the Manual :&nbsp;</P><P><A class="" href="https://www.dynatrace.com/support/help/shortlink/oneagent-security-linux#globally-writable-directories" target="_blank" rel="nofollow noopener">https://www.dynatrace.com/support/help/shortlink/oneagent-security-linux#globally-writable-directories</A><BR /><A class="" href="https://www.dynatrace.com/support/help/shortlink/oneagent-security-aix#globally-writable-directories" target="_blank" rel="nofollow noopener">https://www.dynatrace.com/support/help/shortlink/oneagent-security-aix#globally-writable-directories</A></P><P>&nbsp;</P><P>"Globally writable directories<BR />The OneAgent directory structure contains globally writable directories (1777 permissions). Changing these permissions by users is not supported."</P><P>&nbsp;</P><P>Sorryyyy. <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> Wed, 19 Oct 2022 11:24:05 GMT https://community.dynatrace.com/t5/Open-Q-A/Non-root-dtuser-file-with-perm-o-777-o-rwx-in-OneAgent-dir-var/m-p/196814#M22974 gilles_tabary 2022-10-19T11:24:05Z