We're using the latest version of OneAgent on RHEL servers. We're also pushing these servers to be CIS hardened. Nessus is picking up several '777'd directories, which makes it unhappy:
[root@ewoksaglprdap39 log]# ls -al
drwxrwxrwt. 12 root dtuser 193 Jan 30 02:41 .
drwxr-xr-x. 7 root root 98 Feb 1 22:48 ..
drwxrwxrwx. 3 root dtuser 33 Feb 5
drwxrwxr-x. 2 root dtuser 119 Feb 1 22:47
drwxrwxrwx. 2 root dtuser 4096 Jan 25 16:44 java
drwxrwxr-x. 2 root dtuser 4096 Feb 1 22:48 loganalytics
drwxrwxrwx. 2 root dtuser 6 Dec 8 13:27 memorydump
drwxrwxr-x. 2 root dtuser 4096 Feb 1 22:48
drwxrwxr-x. 2 root dtuser 4096 Feb 6 16:55 os
drwxrwxrwx. 2 root dtuser 4096 Feb 1 22:49
drwxrwxrwx. 2 root dtuser 80 Feb 1
-rw-rw-rw-. 1 root root 1494 Feb 5
drwxrwxrwx. 3 root dtuser 33 Feb 6
[root@ewoksaglprdap39 log]# pwd
Does anyone have any experience in locking these down and still having a working application afterwards?
Thanks in Advance,
Currently it will not be possible to lock all those directories down, as it is not possible to know up front which processes the OneAgent will be injected into and which users those processes are running as.
The "process" directory is the easiest example: this of course has to be world-writable to allow every process to write to this directory.
So for some technologies, e.g. Java, you might be able to limit the permissions if you know exactly up front which user/group *all* your monitored Java processes are running as.
But as I said, you probably won't be able to lock down all directories.
Also please keep in mind: those are "only" log directories, and we take care not to place any sensitive information in those log files. Also, you cannot compromise the system by modifying content inside those directories.
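The two options the answer describes (a group lock for a technology whose run-as group you know, and leaving a directory such as "process" world-writable) can be checked against what a CIS-style scan actually flags. The script below is an added example, not code from the thread or from Dynatrace: it builds a scratch copy of the log tree from the listing (constructed; only the "java", "process" and "os" names come from the thread), runs the CIS check for world-writable directories without the sticky bit, applies a group lock to "java" and the sticky bit to "process", and re-runs the check. The caller's own primary group stands in for the real run-as group, and it is an assumption that the Nessus finding in the question is the CIS sticky-bit check rather than a stricter custom rule.

```shell
#!/usr/bin/env bash
# Added example (not from the thread or Dynatrace). Scratch copy of the OneAgent
# log tree; the real directory and group name are assumptions of this script.

LOGROOT="$(mktemp -d)"

# Constructed scratch tree mirroring the modes in the question's listing.
make_tree() {
  mkdir -p "$LOGROOT/java" "$LOGROOT/process" "$LOGROOT/os"
  chmod 1777 "$LOGROOT"                    # listing root is drwxrwxrwt (sticky)
  chmod 777  "$LOGROOT/java" "$LOGROOT/process"
  chmod 775  "$LOGROOT/os"
}

# CIS benchmark check: world-writable directories that lack the sticky bit.
# This is what a hardening scan reports; sticky world-writable dirs pass.
find_world_writable() {
  find "$1" -type d -perm -0002 ! -perm -1000 | sort
}

count_world_writable() {
  find_world_writable "$1" | wc -l | tr -d ' '
}

# Option A: every writer of this directory runs in one known group.
# setgid (2) makes new files inherit the group; "other" loses write access.
# Only safe when *all* monitored processes of that technology are in the group.
restrict_to_group() {
  chgrp "$2" "$1" && chmod 2775 "$1"
}

# Option B: arbitrary users must still write here (the "process" case).
# The sticky bit keeps the directory world-writable but stops users deleting
# or renaming each other's files, and it clears the CIS finding.
add_sticky_bit() {
  chmod 1777 "$1"
}

# Demo run: findings before and after the two mitigations.
demo() {
  make_tree
  echo "before:"; find_world_writable "$LOGROOT"
  restrict_to_group "$LOGROOT/java" "$(id -gn)"   # assumed run-as group
  add_sticky_bit "$LOGROOT/process"
  echo "after:";  find_world_writable "$LOGROOT"
  rm -rf "$LOGROOT"
}

case "${1:-}" in
  demo) demo ;;
esac
```

Run it as `bash lockdown_check.sh demo`; the "after" listing should be empty, with "java" now 2775 and "process" still world-writable but sticky. Before applying the group lock on a real host, confirm with `ps -o user,group,cmd` that every JVM the agent injects into really runs in that group, since the answer's caveat is exactly that a single process outside the group will silently lose its log output.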