ansible-role-for-splunk
feat(cron): set permissions on cron scripts/jobs to splunk
Following the "least privilege" model we should only be running things as root when absolutely necessary.
Also migrate from crontab to cron.d to isolate jobs into separate files for more granular management.
Since this changes the location of the cron configuration do we want to add cleanup tasks for the crontab entries?
I couldn't find any other references for cleanup for any other changes so I assume the idea is that this just needs to work on a fresh system.
I can add the cleanup tasks though if requested, just being cautious of adding tasks that will go unused almost all the time.
Following the "least privilege" model we should only be running things as root when absolutely necessary.
There are a lot of things that need to be done with securing this playbook, and making it more safe. This is a good idea to implement.
Also migrate from crontab to cron.d to isolate jobs into separate files for more granular management
Agreed, it makes it a lot cleaner.
Since this changes the location of the cron configuration do we want to add cleanup tasks for the crontab entries?
This is the only problem with moving it to cron.d. People using this playbook for upgrades will end up having duplicate cron jobs. The cleanup task will have to remain there forever.
If we keep the old cron job which runs as root, and change the owner to splunk_nix_user, that will allow the splunk user to modify the script, and let it do nasty stuff as the root user. This is a lot more dangerous than leaving it the way it is now.
@zyphermonkey
If we keep the old cron job which runs as root, and change the owner to splunk_nix_user, that will allow the splunk user to modify the script, and let it do nasty stuff as the root user. This is a lot more dangerous than leaving it the way it is now.
On second thought, we can change the mode to 0555 so the splunk user cannot modify that file. But I think there should be something there to at least attempt to clean up the old cron job.
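The arrangement discussed in this thread (job moved to cron.d and run as the splunk user, script owned by root with mode 0555 so the splunk user can execute but not edit it, and a task that removes the old root crontab entry) looks like the following set of Ansible tasks. This is an added illustration, not a task file from the role or from the PR; the variable `splunk_nix_user` is the role's, while the script path `/opt/splunk_maintenance.sh`, the cron.d file name and the old job name are assumptions.

```yaml
# Added illustration, not the role's own tasks. Assumed: splunk_nix_user (role
# variable), the script path, the cron.d file name and OLD_JOB_NAME_PLACEHOLDER.
- name: Install the script the job runs, owned by root and not writable by splunk
  ansible.builtin.copy:
    src: files/splunk_maintenance.sh        # hypothetical script shipped with the role
    dest: /opt/splunk_maintenance.sh        # hypothetical path; directory must not be splunk-writable
    owner: root
    group: root
    mode: "0555"                            # splunk user can execute, cannot modify

- name: Schedule the job in /etc/cron.d, running as the splunk user instead of root
  ansible.builtin.cron:
    name: splunk maintenance
    cron_file: splunk_maintenance           # written as /etc/cron.d/splunk_maintenance, owned by root
    user: "{{ splunk_nix_user }}"           # job runs unprivileged; splunk cannot edit the schedule or user field
    minute: "0"
    hour: "3"
    job: /opt/splunk_maintenance.sh

- name: Remove the entry earlier versions of the role placed in root's crontab
  ansible.builtin.cron:
    name: OLD_JOB_NAME_PLACEHOLDER          # must match the name the old crontab task used
    user: root
    state: absent
```

Two points worth checking when applying this pattern: the `state: absent` task only finds the old entry if its `name` matches the comment line the original task wrote into root's crontab, which is why the cleanup has to know the old job name; and mode 0555 only protects the script if its parent directory is also not writable by the splunk user, since otherwise the file can simply be replaced rather than edited.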