Deployment Architecture

Are there any recommended settings for file permissions of .conf files in deployment apps?

joshuapetitt
Path Finder

Is there any recommended settings for file permissions of .conf files in deployment apps?

For example, I am looking at a deployment app I created using the GUI, and I see in the local folder:

-rwxr-xr-x app.conf
-rw------- inputs.conf

It seems odd that the owner, group, and all users x bit is set for .conf files?

It also seems odd that the group r bit is not set for inputs.conf?

Finally, should any bits be ever set for all users?

I'm leaning toward 664 or 660 for .conf files?

1 Solution

iandrews_splunk
Splunk Employee
Splunk Employee

Here's what Splunk recommends

Check that no files have *nix write permissions for all users (xx2, xx6, xx7). Splunk recommends 644 for all files outside of bin/ and 755 for all directories and files in the bin/ directory.

Of course, you can always go more restrictive.

View solution in original post

iandrews_splunk
Splunk Employee
Splunk Employee

Here's what Splunk recommends

Check that no files have *nix write permissions for all users (xx2, xx6, xx7). Splunk recommends 644 for all files outside of bin/ and 755 for all directories and files in the bin/ directory.

Of course, you can always go more restrictive.

m2oswald
Explorer
0 Karma

somesoni2
SplunkTrust
SplunkTrust

I generally go for 750. I believe execute permission is required for scripted inputs and other executables, so for deployment apps, I set that, regardless they've executable or not.

joshuapetitt
Path Finder

thanks! is there any reason you would not give write access to the group?
I only say this because I have given ownership to the splunk user. I am part of the splunk group, and I'd like to edit the files without having to sudo everytime. But I'm unsure if there is a good reason not to allow group write access.

0 Karma

somesoni2
SplunkTrust
SplunkTrust

I don't see a reason where group members will update deployed apps (in etc/apps). Changes to deployment apps should be centralized only from deployment server. For us, it's a best practice reason so that changes are only made (only on DS) when someone sudo to splunk user.

0 Karma

joshuapetitt
Path Finder

gotcha, that makes sense. I am editing the app on the deployment server, not the deployed apps. I see now what you mean about when it gets deployed

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...