Question by Sigmund C. · Sep 22, 2020 at 03:24 AM · oneagent permissions linux

OneAgent Permissions (in particular the 777 of the log directories)

I have to write a technical justification for a customer in regard to the 777 permissions, especially in the dynatrace log directory. They would like to change it and lock it down, but based on experience and on the documentation, I know that this is not recommended. I came up with this; does anybody have any input on it?

"In regard to the 777 permissions visible in certain Dynatrace directories (especially the log directory within the dynatrace install directory), at this point in time there is no recommended way (or supported way) to lock all those directories down. One reason is, that at the time of instrumenting, you do not know yet all the processes that OneAgent will be injected into when Full Stack mode is turned on, neither do you know what users those potential processes are running as. The user under which potential apps or processes that are being instrumented are running, will actually be the user that writes into those directories, hence, if that user would not have the proper permissions, no logs could be written, and certain procedures, such as the health check, will fail. Hence, these directories must be world writeable to ensure that every needed process will always be able to write into them.

Another reason is to ensure that every instrumented process will be able to write data into certain log directories (e.g. the crash report directory) since the instrumented processes do not run as the dtuser (or whatever user you have used when you installed OneAgent). Instrumentation may on occasion fail and not produce the expected outcome if those directory permissions are changed.

Also note that these directories are log directories, by definition, Dynatrace does not place any sensitive information into these directories, and there is no way to compromise the system by modifying files and content within those directories.

Modifying these permissions will potentially stop Dynatrace from investigating errors and incidents on OneAgent, as logs that cannot be written because of permission issues will be missing. The same goes for utilities such as the health check, which will fail when detecting unsupported permission sets."


Any comments welcome :D


4 Replies

Best Answer

Answer by Tomasz G. · Nov 20, 2020 at 05:18 AM

Hello @Sigmund B.

We've just recently published official documentation on this matter, you can find it here:

  1. https://www.dynatrace.com/support/help/shortlink/oneagent-security-linux#globally-writable-directories
  2. https://www.dynatrace.com/support/help/shortlink/oneagent-security-aix#globally-writable-directories
  3. https://www.dynatrace.com/support/help/shortlink/oneagent-security-windows#globally-writable-directories

Furthermore, the log files are now stored in /var/log by default. You can read more in the following blog post: https://www.dynatrace.com/news/blog/further-improved-handling-and-reliability-of-oneagent-deployments/

Sigmund C. · Nov 20, 2020 at 05:23 AM

Thank you for this one @Tomasz G. - good stuff!

Antonio S. · Nov 20, 2020 at 02:48 PM

Very nice documentation! Thanks!


Answer by Dave M. · Sep 23, 2020 at 10:59 PM

Further information that might be useful:

https://answers.dynatrace.com/answers/196821/view.html

https://www.dynatrace.com/news/blog/faster-time-to-value-with-enhanced-handling-of-oneagent-runtime-data/


Sigmund C. · Sep 23, 2020 at 11:03 PM

Thanks - yes, I also found these. That, and the email we got from Dynatrace Support saying that you cannot change the permissions, and that if you do, the installation will become unsupported, will have to do I guess. I wish they would add that somewhere in the documentation, including the reason why.


Answer by Antonio S. · Sep 23, 2020 at 09:48 PM

Just my two cents on this... as I also work in security...

First of all, not sure what position you are in, but presuming you are a consultant/partner, I would suggest you contact Dynatrace on this positioning, as it might hurt only having your position and the Community's.... If a customer has asked for it, they are probably very knowledgeable in this domain...

I would also check that you are using OneAgent in non privileged mode. I have not checked it in that mode, but would say some of the restrictions you are seeing might not apply. Please note that you have used some comments in this Community made before this applied, so they might not be current:

https://www.dynatrace.com/support/help/technology-support/operating-systems/linux/installation/customize-oneagent-installation-on-linux/#non-privileged-mode

Now, 777 permissions are definitely not a good thing, especially at the directory level. But given some restrictions, they might be necessary. And in all cases, restricting them without checking with Dynatrace could give even worse results... 622 would probably be sufficient at the file level, and 633 at the directory level, with the correct ownership.

Having 777 permissions at the directory/file level in /opt directory might compromise your system indirectly in several ways. One quick example is just a DoS, with the creation of such a file that it occupies all disk space. Depending on configuration, it might bring the system down. Don't forget that most sysadmins expect logs to be in /var/log, and even there, not everyone has full write access. Other situations might apply. Please check with Dynatrace directly!
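An audit check that covers both the justification quoted in the question (processes running as different users must be able to write into the shared log directories) and the point above about what a world-writable path under /opt exposes. It is an added example for this thread, not Dynatrace's tooling and not a statement of what Dynatrace supports. The sample tree it builds is constructed; /opt/dynatrace appears only as the prefix a reader would pass on a real host, and nothing about the real OneAgent layout is assumed.

```shell
#!/bin/sh
# Added audit helper for this thread; it is not Dynatrace tooling and does not
# encode any vendor recommendation. It lists the world-writable paths under an
# install prefix (the thread's /opt/dynatrace is only the example argument) and
# separates directories that carry the sticky bit, the usual mitigation for a
# shared writable directory, from those that do not.

# World-writable directories under $1 without the sticky bit: any local user can
# create, rename or delete entries here regardless of who owns them.
find_world_writable_dirs() {
    find "$1" -type d -perm -0002 ! -perm -1000 2>/dev/null | sort
}

# World-writable directories under $1 that do carry the sticky bit (as /tmp does):
# other users may still add files, but may only remove their own.
find_sticky_world_writable_dirs() {
    find "$1" -type d -perm -0002 -perm -1000 2>/dev/null | sort
}

# World-writable regular files under $1; a log that anyone can edit is also a
# log nobody can trust during an investigation.
find_world_writable_files() {
    find "$1" -type f -perm -0002 2>/dev/null | sort
}

# Total number of world-writable files and directories under $1, usable as a
# compliance metric or as a non-zero signal in a scheduled check.
count_world_writable() {
    find "$1" \( -type d -o -type f \) -perm -0002 2>/dev/null | wc -l | tr -d ' '
}

# Constructed sample tree (not a real OneAgent layout) so the audit can be
# exercised offline: one 0777 log directory, one 1777 log directory, one
# normal 0755 directory, and one 0666 log file. Modes are set explicitly so
# the caller's umask does not change the result.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/log/os" "$root/log/process" "$root/bin"
    chmod 0755 "$root/log" "$root/bin"
    chmod 0777 "$root/log/os"
    chmod 1777 "$root/log/process"
    touch "$root/log/os/agent.log" "$root/bin/tool"
    chmod 0666 "$root/log/os/agent.log"
    chmod 0755 "$root/bin/tool"
    echo "$root"
}

# Demonstration on the constructed tree; against a real host you would call
# e.g. find_world_writable_dirs /opt/dynatrace instead.
sample=$(make_sample_tree)
echo "world-writable directories without sticky bit under $sample:"
find_world_writable_dirs "$sample"
echo "world-writable directories with sticky bit:"
find_sticky_world_writable_dirs "$sample"
echo "world-writable files:"
find_world_writable_files "$sample"
echo "total world-writable entries: $(count_world_writable "$sample")"
rm -rf "$sample"
```

The split between the first two functions is the useful part of the report: a 1777 directory still lets every instrumented process write its own log, while a plain 0777 directory additionally lets any local user remove or rename another user's files. Whether any mode under the OneAgent prefix may be changed remains the question this thread puts to Dynatrace; the script only makes the current state visible so the finding can be documented precisely.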


Sigmund C. · Sep 23, 2020 at 10:53 PM

Thanks for your input. Actually, security is my main domain as well, which is why I have been asked to explain this to the customer :)

The above is actually coming out of a discussion we had with Dynatrace One Premium Support over a few weeks, who in the end stuck to the statement that changing the permissions renders the installation unsupported.

That said, there is not much we can do then other than explain that to the customer and provide some justification, to which we have attached the written comments of Dynatrace support. Of course I would first utilize One Premium support before considering justifying something that I personally do not agree with.

And since unfortunately there is no other article, white paper, or write-up that Support could point me to that explains why the permissions are needed as they are and cannot be changed without rendering the installation unsupported, all I can do is try to write something myself.

Personally I agree with the customer on not having 777 permissions, but since the take of support is that if we change it, it will become unsupported, we will for now have to live with it.

Also, yes, we did install OneAgent in privileged mode; however, that does not change the fact that some directories under /opt/dynatrace still do have the 777 permissions. And of course those will trigger as a finding on certain tools.

In regards to this:

"622 would probably be sufficient at the file level, and 633 at the directory level, with the correct ownership. "

In fact, we tested this extensively in our own managed cluster in the lab, and interestingly had different outcomes on different Linux flavours: in 2 out of 3, after locking down directories in the same way that the customer wanted, there was no issue at all and instrumentation worked, but in one case, instrumentation failed.

Lastly, even I myself would also expect logs to be in /var/log; however, as far as I know, there is no way of changing only the log directory at this time, and that was also what support told us.



Answer by Chad T. · Sep 22, 2020 at 08:18 PM

That looks good!
