08 Feb 2018 09:06 AM
Hi,
We're using the latest version of OneAgent on RHEL servers. We're also pushing these servers to be CIS hardened. Nessus is picking up several '777'd directories - which makes it unhappy:
[root@ewoksaglprdap39 log]# ls -al
total 24
drwxrwxrwt. 12 root dtuser  193 Jan 30 02:41 .
drwxr-xr-x.  7 root root     98 Feb  1 22:48 ..
drwxrwxrwx.  3 root dtuser   33 Feb  5 13:18 crashreports
drwxrwxr-x.  2 root dtuser  119 Feb  1 22:47 installer
drwxrwxrwx.  2 root dtuser 4096 Jan 25 16:44 java
drwxrwxr-x.  2 root dtuser 4096 Feb  1 22:48 loganalytics
drwxrwxrwx.  2 root dtuser    6 Dec  8 13:27 memorydump
drwxrwxr-x.  2 root dtuser 4096 Feb  1 22:48 network
drwxrwxr-x.  2 root dtuser 4096 Feb  6 16:55 os
drwxrwxrwx.  2 root dtuser 4096 Feb  1 22:49 plugin
drwxrwxrwx.  2 root dtuser   80 Feb  1 22:48 process
-rw-rw-rw-.  1 root root   1494 Feb  5 13:18 ruxitdumpproc.log
drwxrwxrwx.  3 root dtuser   33 Feb  6 02:42 supportalerts
[root@ewoksaglprdap39 log]# pwd
/opt/dynatrace/oneagent/log
Does anyone have any experience in locking these down and still having a working application afterwards?
Thanks in Advance,
Chris
12 Feb 2018 09:50 AM
hi Chris,
currently it will not be possible to lock all those directories down, as it's not possible to know upfront which processes the OneAgent will be injected into and which users those processes are running as.
the "process" directory is the easiest example: this has of course to be world writeable to allow every process to write to this directory.
so for some technologies, e.g. Java, you might be able to limit the permissions if you know exactly upfront which user/group *all* your monitored Java processes are running as.
but as I said, you probably won't be able to lock down all directories.
also please keep in mind: those are "only" log directories and we take care to not place any sensitive information in those log files. also you cannot compromise the system by modifying content inside those directories.
HTH,
Christian
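Added example (not part of the original thread, and not Dynatrace tooling): a read-only audit that lists every world-writable directory under a given root, notes whether the sticky bit is set (as it is on the top-level log directory in the listing above, but not on its 777 subdirectories), and shows which numeric UID:GID pairs actually own the entries inside. That last column is the evidence needed to judge whether a directory such as java could be narrowed to a known user/group. The function name audit_world_writable is hypothetical; the script changes no permissions.

```shell
#!/bin/bash
# Added example: read-only audit of world-writable directories.
# Output columns (tab-separated): directory, sticky-bit state, owners of its entries.
# The function name is hypothetical and not part of any agent tooling.

audit_world_writable() {
    local root="$1" dir sticky owners

    # -perm -0002 selects directories whose "other write" bit is set.
    # -xdev keeps the search on one filesystem.
    find "$root" -xdev -type d -perm -0002 -print | sort |
    while IFS= read -r dir; do
        # With the sticky bit (01000) set, only an entry's owner, the
        # directory owner, or root may delete or rename that entry.
        if [ -k "$dir" ]; then
            sticky="sticky"
        else
            sticky="NO-STICKY"
        fi

        # Distinct numeric UID:GID pairs owning the directory's direct
        # children; the first line of "ls -l" output ("total N") is skipped.
        owners=$(ls -lnA "$dir" | awk 'NR > 1 { print $3 ":" $4 }' |
                 sort -u | paste -sd, -)

        printf '%s\t%s\t%s\n' "$dir" "$sticky" "${owners:-empty}"
    done
}

# Run against a path given on the command line, for example:
#   ./audit.sh /opt/dynatrace/oneagent/log
if [ "$#" -gt 0 ]; then
    audit_world_writable "$1"
fi
```

A directory whose entries all belong to a single UID:GID pair is a candidate for tighter permissions; one with several owners, as the process directory is expected to have, is not.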
12 Feb 2018 02:40 PM
Thanks Christian, appreciate you taking the time to reply. I'm going to recommend we waive this; I'm concerned that if we start locking down directories performance will take a hit - leading to more debug time.