Showing results for 
Show  only  | Search instead for 
Did you mean: 

oneagent file permissions



We're using the latest version of oneagent on RHEL servers. We're also pushing these servers to be CIS hardened. Nessus is picking up several '777'd directories - which makes it unhappy;

[root@ewoksaglprdap39 log]# ls -al

total 24

drwxrwxrwt. 12 root dtuser 193 Jan 30 02:41 .

drwxr-xr-x. 7 root root 98
Feb 1 22:48 ..

drwxrwxrwx. 3 root dtuser 33 Feb 5
13:18 crashreports

drwxrwxr-x. 2 root dtuser 119 Feb 1 22:47

drwxrwxrwx. 2 root dtuser 4096 Jan 25 16:44 java

drwxrwxr-x. 2 root dtuser 4096 Feb 1 22:48 loganalytics

drwxrwxrwx. 2 root dtuser 6
Dec 8 13:27 memorydump

drwxrwxr-x. 2 root dtuser 4096 Feb 1 22:48

drwxrwxr-x. 2 root dtuser 4096 Feb 6 16:55 os

drwxrwxrwx. 2 root dtuser 4096 Feb 1 22:49

drwxrwxrwx. 2 root dtuser 80 Feb 1
22:48 process

-rw-rw-rw-. 1 root root 1494 Feb 5
13:18 ruxitdumpproc.log

drwxrwxrwx. 3 root dtuser 33 Feb 6
02:42 supportalerts

[root@ewoksaglprdap39 log]# pwd


Does anyone have any experience in locking these down and still having a working application afterwards?

Thanks in Advance,



Dynatrace Champion
Dynatrace Champion

hi Chris,

currently it will not be possible to lock all those directories down, as it's not possible to know upfront which processes the OneAgent will be injected into and which users those processes are running as.

the "process" directory is the easiest example: this has of course to be world writeable to allow every process to write to this directory.

so for some technologies, e.g. Java, you might be able to limit the permissions if you know exactly upfront which user/group *all* your monitored Java processes are running as.

but as I said, you probably won't be able to lock down all directories.

also please keep in mind: those are "only" log directories and we take care to not place any sensitive information in those log files. also you cannot compromise the system by modifying content inside those directories.



Thanks Christian, appreciate you taking the time to reply. I'm going to recommend we waiver this, I'm concerned that if we start locking down directories performance will take a hit - leading to more debug time.

Featured Posts