Deployment Architecture

Are there any recommended settings for file permissions of .conf files in deployment apps?

joshuapetitt
Path Finder

Are there any recommended settings for file permissions of .conf files in deployment apps?

For example, I am looking at a deployment app I created using the GUI, and I see in the local folder:

-rwxr-xr-x app.conf
-rw------- inputs.conf

It seems odd that the owner, group, and all users x bit is set for .conf files?

It also seems odd that the group r bit is not set for inputs.conf?

Finally, should any bits ever be set for all users?

I'm leaning toward 664 or 660 for .conf files?

1 Solution

iandrews_splunk
Splunk Employee

Here's what Splunk recommends:

Check that no files have *nix write permissions for all users (xx2, xx6, xx7). Splunk recommends 644 for all files outside of bin/ and 755 for all directories and files in the bin/ directory.

Of course, you can always go more restrictive.
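
One way to run the check from this answer over an app directory, as an added example that is not part of the original post or Splunk's own tooling. The function names and output labels are hypothetical, and modes stricter than 644/755 pass.

```shell
#!/bin/sh
# Added example: audit one app directory against the modes quoted above.
# audit_app_perms, app_has_world_writable and the FAIL/WARN labels are
# names made up for this sketch. Only find(1) -perm/-path tests are used,
# so no particular stat(1) dialect is assumed.
# Usage (placeholder path): audit_app_perms /path/to/deployment-apps/my_app

audit_app_perms() {
    app=${1%/}
    [ -d "$app" ] || { echo "not a directory: $app" >&2; return 2; }

    # Hard check: world-writable (xx2, xx6, xx7). Symlinks are skipped
    # because their own mode bits are not meaningful on most systems.
    find "$app" ! -type l -perm -0002 | sed 's/^/FAIL world-writable: /'

    # Files outside bin/: any bit beyond 644 (execute bits or group write).
    # Stricter modes such as 600 or 640 are not reported.
    find "$app" -type f ! -path "$app/bin/*" ! -perm -0002 \
        \( -perm -0100 -o -perm -0010 -o -perm -0001 -o -perm -0020 \) |
        sed 's/^/WARN broader than 644: /'

    # Directories and files in bin/: any bit beyond 755 (group write).
    find "$app" \( -type d -o -type f -path "$app/bin/*" \) \
        ! -perm -0002 -perm -0020 | sed 's/^/WARN broader than 755: /'
}

# Succeeds (exit 0) if at least one world-writable entry exists.
app_has_world_writable() {
    [ -n "$(find "${1%/}" ! -type l -perm -0002 | head -n 1)" ]
}
```

Run against the listing in the question, this reports app.conf (755) as broader than 644 and leaves inputs.conf (600) alone.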


m2oswald
Explorer
0 Karma

somesoni2
SplunkTrust

I generally go for 750. I believe execute permission is required for scripted inputs and other executables, so for deployment apps, I set that regardless of whether they're executable or not.

joshuapetitt
Path Finder

Thanks! Is there any reason you would not give write access to the group?
I only say this because I have given ownership to the splunk user. I am part of the splunk group, and I'd like to edit the files without having to sudo every time. But I'm unsure if there is a good reason not to allow group write access.

0 Karma

somesoni2
SplunkTrust

I don't see a reason why group members would update deployed apps (in etc/apps). Changes to deployment apps should be centralized, only from the deployment server. For us, it's a best-practice reason, so that changes are only made (only on the DS) when someone sudos to the splunk user.

0 Karma

joshuapetitt
Path Finder

Gotcha, that makes sense. I am editing the app on the deployment server, not the deployed apps. I see now what you mean about when it gets deployed.

0 Karma