Deployment Architecture
Highlighted

Are there any recommended settings for file permissions of .conf files in deployment apps?

Path Finder

Is there any recommended settings for file permissions of .conf files in deployment apps?

For example, I am looking at a deployment app I created using the GUI, and I see in the local folder:

-rwxr-xr-x app.conf
-rw------- inputs.conf

It seems odd that the owner, group, and all users x bit is set for .conf files?

It also seems odd that the group r bit is not set for inputs.conf?

Finally, should any bits be ever set for all users?

I'm leaning toward 664 or 660 for .conf files?

Highlighted

Re: Are there any recommended settings for file permissions of .conf files in deployment apps?

SplunkTrust
SplunkTrust

I generally go for 750. I believe execute permission is required for scripted inputs and other executables, so for deployment apps, I set that, regardless they've executable or not.

Highlighted

Re: Are there any recommended settings for file permissions of .conf files in deployment apps?

Path Finder

thanks! is there any reason you would not give write access to the group?
I only say this because I have given ownership to the splunk user. I am part of the splunk group, and I'd like to edit the files without having to sudo everytime. But I'm unsure if there is a good reason not to allow group write access.

0 Karma
Highlighted

Re: Are there any recommended settings for file permissions of .conf files in deployment apps?

SplunkTrust
SplunkTrust

I don't see a reason where group members will update deployed apps (in etc/apps). Changes to deployment apps should be centralized only from deployment server. For us, it's a best practice reason so that changes are only made (only on DS) when someone sudo to splunk user.

0 Karma
Highlighted

Re: Are there any recommended settings for file permissions of .conf files in deployment apps?

Path Finder

gotcha, that makes sense. I am editing the app on the deployment server, not the deployed apps. I see now what you mean about when it gets deployed

0 Karma
Highlighted

Re: Are there any recommended settings for file permissions of .conf files in deployment apps?

Splunk Employee
Splunk Employee

Here's what Splunk recommends

Check that no files have *nix write permissions for all users (xx2, xx6, xx7). Splunk recommends 644 for all files outside of bin/ and 755 for all directories and files in the bin/ directory.

Of course, you can always go more restrictive.

View solution in original post