Currently, apps on our universal forwarders are controlled by the deployment server, and the forwarder RPM & deploymentClient.conf are installed by Puppet. Even with this setup, you can still put an app in the local forwarder's app directory, and the forwarder will run it.
What can I do to only allow apps from the universal forwarder to run?
Pretty much you would have to do it like you'd protect any other application (or the OS itself) on the remote machine: set up user and file system (and other) permissions to prevent modification of the application. This may mean installing and running Splunk as a special user.
I do note that using puppet, you can fairly easily ensure that the $SPLUNK_HOME/etc/apps (and in fact the entire etc folder) does not get modified, and that if it does, puppet brings it back into sync.
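The two controls in the answer above (file system permissions and drift detection on etc/apps) can be checked with a small audit, shown here as an added example that is not part of the original answer and is not Splunk or Puppet code. The allowlist, the app names and the temporary directory tree are constructed for illustration; on a real forwarder the path would be $SPLUNK_HOME/etc/apps and the allowlist would come from your own deployment configuration.

```python
import os
import stat
import tempfile

LOOSE = stat.S_IWGRP | stat.S_IWOTH  # writable by group or by everyone


def audit_apps(apps_dir, allowed):
    """Return (unexpected_entries, loosely_writable_paths) for an apps directory."""
    unexpected, writable = [], []
    # If the apps directory itself is loosely writable, anyone in that
    # group (or any user) can drop a new app into it.
    if os.stat(apps_dir).st_mode & LOOSE:
        writable.append(apps_dir)
    for name in sorted(os.listdir(apps_dir)):
        path = os.path.join(apps_dir, name)
        st = os.lstat(path)  # lstat: do not follow symlinks
        # A symlink can point an allowed name at content stored elsewhere,
        # so it is reported even when the name is on the allowlist.
        if name not in allowed or stat.S_ISLNK(st.st_mode):
            unexpected.append(name)
        if stat.S_ISDIR(st.st_mode) and st.st_mode & LOOSE:
            writable.append(path)
    return unexpected, writable


def demo():
    """Build a constructed apps tree and audit it."""
    root = tempfile.mkdtemp()
    apps = os.path.join(root, "etc", "apps")
    os.makedirs(apps)
    os.chmod(apps, 0o755)
    # Constructed sample: two expected apps and one locally dropped app.
    sample = (
        ("SplunkUniversalForwarder", 0o755),
        ("org_all_forwarder_outputs", 0o755),  # hypothetical deployed app
        ("local_dropin", 0o777),               # hypothetical unmanaged app
    )
    for name, mode in sample:
        path = os.path.join(apps, name)
        os.mkdir(path)
        os.chmod(path, mode)  # chmod explicitly so umask does not matter
    allowed = {"SplunkUniversalForwarder", "org_all_forwarder_outputs"}
    return audit_apps(apps, allowed)


if __name__ == "__main__":
    print(demo())
```
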