Fixed least priv mode #144
when: | ||
- least_privileged == false or "'full' in group_names" | ||
- splunk_nix_user != 'root' | ||
when: not least_privileged |
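Review bot: In the list-form `when:`, the second operand of the first condition is wrapped in double quotes (`"'full' in group_names"`), so Jinja evaluates it as a non-empty string literal, which is always truthy, and the `or` makes that condition true regardless of `least_privileged`. If the conditional moved to main.yml still needs the group check, write it unquoted as `'full' in group_names`. The single `when: not least_privileged` also relies on the variable always being defined; unless a default exists elsewhere, `not (least_privileged | default(false))` avoids an undefined-variable failure on hosts where the fact was never set.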
Moved over the conditional to `main.yml` so it can be re-used if needed.
@@ -51,7 +51,9 @@ | |||
- name: Setting least priviledged mode | |||
set_fact: | |||
least_privileged: true | |||
when: splunk_package_version is version(9.0, '>=') | |||
when: > |
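Review bot: The `set_fact` in "Setting least priviledged mode" only ever assigns `least_privileged: true`, so on hosts where the `when:` is false the variable keeps an earlier value or stays undefined. Because this fact decides whether the ACL task is skipped, either set it from the condition itself or define a `false` default so both outcomes are explicit. Two smaller points: the task name misspells "privileged", and `version(9.0, '>=')` passes a float where a quoted string such as `'9.0'` is the safer form for a version comparison.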
In version 9.0.0, a least privileged mode was introduced, automatically adding `CAP_DAC_READ_SEARCH` to the systemd unit file, which allows the forwarder to read all files on the filesystem, even if it is running as a non-root user; therefore we don't need the `configure_facl.yml` task for those instances.
This feature is currently only available on the Universal Forwarder; therefore a full install will only be in `least_privileged` if it is running as root.
No description provided.