From bc5f7cd7131acfeed8407f8784a00a58621372d9 Mon Sep 17 00:00:00 2001
From: zyphermonkey
Date: Thu, 9 Feb 2023 13:53:55 +0000
Subject: [PATCH] feat(cron): set permissions on cron scripts/jobs to splunk

Following the "least privilege" model we should only be running things as root when absolutely necessary.
---
 roles/splunk/tasks/add_crashlog_script.yml | 6 ++++--
 roles/splunk/tasks/add_diag_script.yml | 6 ++++--
 2 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/roles/splunk/tasks/add_crashlog_script.yml b/roles/splunk/tasks/add_crashlog_script.yml
index 5184f696..82dea7a5 100644
--- a/roles/splunk/tasks/add_crashlog_script.yml
+++ b/roles/splunk/tasks/add_crashlog_script.yml
@@ -3,8 +3,8 @@
   template:
     src: cleanup_crashlogs.sh.j2
     dest: "{{ splunk_home }}/cleanup_crashlogs.sh"
-    owner: root
-    group: root
+    owner: "{{ splunk_nix_user }}"
+    group: "{{ splunk_nix_group }}"
     mode: 0755
   become: true
 
@@ -12,6 +12,8 @@
   cron:
     name: "Run cleanup_crashlogs.sh"
     state: present
+    cron_file: cleanup_crashlogs
+    user: "{{ splunk_nix_user }}"
     job: "{{ splunk_home }}/cleanup_crashlogs.sh"
     hour: 0
     minute: 0
diff --git a/roles/splunk/tasks/add_diag_script.yml b/roles/splunk/tasks/add_diag_script.yml
index 18674f73..517e86b3 100644
--- a/roles/splunk/tasks/add_diag_script.yml
+++ b/roles/splunk/tasks/add_diag_script.yml
@@ -3,8 +3,8 @@
   template:
     src: cleanup_diags.sh.j2
     dest: "{{ splunk_home }}/cleanup_diags.sh"
-    owner: root
-    group: root
+    owner: "{{ splunk_nix_user }}"
+    group: "{{ splunk_nix_group }}"
     mode: 0755
   become: true
 
@@ -12,6 +12,8 @@
   cron:
     name: "Run cleanup_diags.sh"
     state: present
+    cron_file: cleanup_diags
+    user: "{{ splunk_nix_user }}"
     job: "{{ splunk_home }}/cleanup_diags.sh"
     hour: 0
     minute: 0
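Review bot: Hosts that were provisioned by an earlier run keep the old job in root's crontab, because with `cron_file: cleanup_crashlogs` the cron module only manages /etc/cron.d/cleanup_crashlogs and never revisits the root crontab where the previous `name: "Run cleanup_crashlogs.sh"` entry was written, so such hosts now run the script twice a night, once as root and once as `{{ splunk_nix_user }}`, and the root execution this commit sets out to remove stays in place. The same gap exists in the cron hunk of roles/splunk/tasks/add_diag_script.yml with `cron_file: cleanup_diags`. A preceding cleanup task with `state: absent` against the same name (kept until every host has been migrated) closes it, and since the script body is not in this patch I would also confirm that cleanup_crashlogs.sh needs no root privileges for the files it removes. The cron task's `- name:` line and its `become:` setting sit outside the hunk, so I am assuming it still runs with `become: true`, which writing to /etc/cron.d requires.
```yaml
- name: Remove legacy root crontab entry for cleanup_crashlogs.sh
  cron:
    name: "Run cleanup_crashlogs.sh"
    state: absent
  become: true

# … unchanged: cron task with cron_file/user from this patch …
```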