https://community.dynatrace.com/t5/Open-Q-A/oneagent-file-permissions/m-p/54099#M2749 <P>hi Chris,</P><P>currently it will not be possible to lock all those directories down, as it's not possible to know upfront which processes the OneAgent will be injected into and which users those processes are running as.</P><P>the "process" directory is the easiest example: this has of course to be world writeable to allow every process to write to this directory.</P><P>so for some technologies, e.g. Java, you might be able to limit the permissions if you know exactly upfront which user/group *all* your monitored Java processes are running as.</P><P>but as I said, you probably won't be able to lock down all directories.</P><P>also please keep in mind: those are "only" log directories and we take care to not place any sensitive information in those log files. also you cannot compromise the system by modifying content inside those directories.</P><P>HTH,<BR />Christian</P> Mon, 12 Feb 2018 09:50:39 GMT c_schwarzbauer 2018-02-12T09:50:39Z https://community.dynatrace.com/t5/Open-Q-A/oneagent-file-permissions/m-p/54098#M2748 <P>Hi, </P><P>We're using the latest version of oneagent on RHEL servers. We're also pushing these servers to be CIS hardened. Nessus is picking up several '777'd directories - which makes it unhappy;</P><P>[root@ewoksaglprdap39 log]# ls -al</P><P>total 24</P><P>drwxrwxrwt. 12 root dtuser 193 Jan 30 02:41 .</P><P>drwxr-xr-x. 7 root root 98<BR />Feb 1 22:48 ..</P><P>drwxrwxrwx. 3 root dtuser 33 Feb 5<BR />13:18 crashreports</P><P>drwxrwxr-x. 2 root dtuser 119 Feb 1 22:47<BR />installer</P><P>drwxrwxrwx. 2 root dtuser 4096 Jan 25 16:44 java</P><P>drwxrwxr-x. 2 root dtuser 4096 Feb 1 22:48 loganalytics</P><P>drwxrwxrwx. 2 root dtuser 6<BR />Dec 8 13:27 memorydump</P><P>drwxrwxr-x. 2 root dtuser 4096 Feb 1 22:48<BR />network</P><P>drwxrwxr-x. 2 root dtuser 4096 Feb 6 16:55 os</P><P>drwxrwxrwx. 2 root dtuser 4096 Feb 1 22:49<BR />plugin</P><P>drwxrwxrwx. 2 root dtuser 80 Feb 1<BR />22:48 process</P><P>-rw-rw-rw-. 1 root root 1494 Feb 5<BR />13:18 ruxitdumpproc.log</P><P>drwxrwxrwx. 3 root dtuser 33 Feb 6<BR />02:42 supportalerts</P><P>[root@ewoksaglprdap39 log]# pwd</P><P>/opt/dynatrace/oneagent/log</P><P>Does anyone have any experience in locking these down and still having a working application afterwards?</P><P>Thanks in Advance,</P><P>Chris</P> Thu, 08 Feb 2018 09:06:13 GMT https://community.dynatrace.com/t5/Open-Q-A/oneagent-file-permissions/m-p/54098#M2748 chris_kirby 2018-02-08T09:06:13Z https://community.dynatrace.com/t5/Open-Q-A/oneagent-file-permissions/m-p/54099#M2749 <P>hi Chris,</P><P>currently it will not be possible to lock all those directories down, as it's not possible to know upfront which processes the OneAgent will be injected into and which users those processes are running as.</P><P>the "process" directory is the easiest example: this has of course to be world writeable to allow every process to write to this directory.</P><P>so for some technologies, e.g. Java, you might be able to limit the permissions if you know exactly upfront which user/group *all* your monitored Java processes are running as.</P><P>but as I said, you probably won't be able to lock down all directories.</P><P>also please keep in mind: those are "only" log directories and we take care to not place any sensitive information in those log files. also you cannot compromise the system by modifying content inside those directories.</P><P>HTH,<BR />Christian</P> Mon, 12 Feb 2018 09:50:39 GMT https://community.dynatrace.com/t5/Open-Q-A/oneagent-file-permissions/m-p/54099#M2749 c_schwarzbauer 2018-02-12T09:50:39Z https://community.dynatrace.com/t5/Open-Q-A/oneagent-file-permissions/m-p/54100#M2750 <P>Thanks Christian, appreciate you taking the time to reply. I'm going to recommend we waiver this, I'm concerned that if we start locking down directories performance will take a hit - leading to more debug time. </P> Mon, 12 Feb 2018 14:40:33 GMT https://community.dynatrace.com/t5/Open-Q-A/oneagent-file-permissions/m-p/54100#M2750 chris_kirby 2018-02-12T14:40:33Z