Skip to content

feat(cron): set permissions on cron scripts/jobs to splunk#174

Open
zyphermonkey wants to merge 1 commit intosplunk:masterfrom
zyphermonkey:cron-permissions
Open

feat(cron): set permissions on cron scripts/jobs to splunk#174
zyphermonkey wants to merge 1 commit intosplunk:masterfrom
zyphermonkey:cron-permissions

Conversation

@zyphermonkey
Copy link
Copy Markdown
Contributor

@zyphermonkey zyphermonkey commented Feb 9, 2023

Following the "least privilege" model we should only be running things as root when absolutely necessary.

Also migrate from crontab to cron.d to isolate jobs into separate files for more granular management.

@zyphermonkey
feat(cron): set permissions on cron scripts/jobs to splunk
bc5f7cd 
Following the "least privilege" model
we should only be running things as root when absolutely necessary.
@zyphermonkey
Copy link
Copy Markdown
Contributor Author

zyphermonkey commented Feb 9, 2023

Since this changes the location of the cron configuration do we want to add cleanup tasks for the crontab entries?

I couldn't find any other references for cleanup for any other changes so I assume the idea is that this just needs to work on a fresh system.

I can add the cleanup tasks though if requested, just being cautious of adding tasks that will go unused almost all the time.

@jewnix jewnix requested a review from dtwersky February 9, 2023 14:58
@jewnix
Copy link
Copy Markdown
Collaborator

jewnix commented Feb 10, 2023

Following the "least privilege" model we should only be running things as root when absolutely necessary.

There are a lot of things that need to be done with securing this playbook, and making it more safe. This is a good idea to implement.

Also migrate from crontab to cron.d to isolate jobs into separate files for more granular management

Agreed, it makes it a lot cleaner.

Since this changes the location of the cron configuration do we want to add cleanup tasks for the crontab entries?

This is the only problem with moving it to cron.d. People using this playbook for upgrades, will end up having duplicate cron jobs. The cleanup task will have to remain there forever.

If we keep the old cron job which runs as root, and change the owner to splunk_nix_user, that will allow the splunk user to modify the script, and let it do nasty stuff as the root user. This is a lot more dangerous than leaving it the way it is now.

@jewnix
Copy link
Copy Markdown
Collaborator

jewnix commented Mar 20, 2023

@zyphermonkey

If we keep the old cron job which runs as root, and change the owner to splunk_nix_user, that will allow the splunk user to modify the script, and let it do nasty stuff as the root user. This is a lot more dangerous than leaving it the way it is now.

On second thought, we can change the mode to 0555 so the splunk user cannot modify that file. But I think there should be something there to at least attempt to clean up the old cron job.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@dtwersky dtwersky Awaiting requested review from dtwersky

At least 1 approving review is required to merge this pull request.

Assignees

@dtwersky dtwersky

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@zyphermonkey @jewnix @dtwersky