Solved: Prevent local install of app in universal forwarde...

sf_user_199 · ‎12-27-2011

Currently, apps on our universal forwarders are controlled by the deployment server, and the forwarder RPM & deploymentClient.conf are installed by Puppet. Even with this setup, you can still put an app in the local forwarder's app directory, and the forwarder will run it.

What can I do to only allow apps from the universal forwarder to run?

gkanapathy · ‎12-27-2011

Pretty much you would have to do it like you'd protect any other application (or the OS itself) on the remote machine: set up user and file system (and other) permissions to prevent modification of the application. This may mean installing and running Splunk as a a special user.

I do note that using puppet, you can fairly easily ensure that the $SPLUNK_HOME/etc/apps (and in fact the entire etc folder) does not get modified, and that if it does, puppet brings it back into sync.

View solution in original post

gkanapathy · ‎12-27-2011

Pretty much you would have to do it like you'd protect any other application (or the OS itself) on the remote machine: set up user and file system (and other) permissions to prevent modification of the application. This may mean installing and running Splunk as a a special user.

I do note that using puppet, you can fairly easily ensure that the $SPLUNK_HOME/etc/apps (and in fact the entire etc folder) does not get modified, and that if it does, puppet brings it back into sync.

Prevent local install of app in universal forwarders

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor