Closed deadstick6 closed 5 years ago
Thanks! I'll address this.
Is this the only remark they had for Cloud vetting?
This is the rest of the email chain for your reference. It's interesting that they've stated that external_cmd is not permitted, yet they seem to be looking to verify its functionality.
Thank you for your recent Splunk Cloud App request. Our Splunk Cloud operations and security teams have determined that the App you've requested is not compatible and/or secure within the Splunk Cloud service architecture. Please see their comments below:
Check that transforms.conf does not contain any transforms with an external_cmd=
transforms.conf may not contain any transforms with an external_cmd=<string> attribute. The transforms.conf stanza [vtLookup] is using the external_cmd property, but the vtLookup_wrapper.py file can't be found in the app. File: default/transforms.conf, Line: 4. File: default/transforms.conf Line Number: 4
Source code and binaries standards
[failure] Check that files outside of the bin/ and appserver/controllers directory do not have execute permissions and are not .exe files. Splunk recommends 644 for all app files outside of the bin/ directory, 644 for scripts within the bin/ directory that are invoked using an interpreter (e.g. python my_script.py or sh my_script.sh), and 755 for scripts within the bin/ directory that are invoked directly (e.g. ./my_script.sh or ./my_script).
If you wish to make changes to the app, you can find documentation and utilities to assist you here: http://dev.splunk.com/view/appinspect/SP-CAAAE9U
We look forward to working with you in the future to develop and install Apps that will further improve your Splunk Cloud experience. If you have any immediate questions or concerns, please let me know. If there are no questions at this time, please let me know
cool thanks, as the python script isn't used yet I'll remove it from the conf files as well for now, that'll make it easier :D thanks for pointing it out!
Hi there - We have just been rejected when trying to get ThreatHunting installed in our Splunk Cloud:
This is in regards to v1.4.1. Our Splunk Cloud operations and security teams have determined that the App you've requested is not compatible and/or secure within the Splunk Cloud service architecture. Please see their comments below:
Check that files outside of the bin/ and appserver/controllers directory do not have execute permissions and are not .exe files. Splunk recommends 644 for all app files outside of the bin/ directory, 644 for scripts within the bin/ directory that are invoked using an interpreter (e.g. python my_script.py or sh my_script.sh), and 755 for scripts within the bin/ directory that are invoked directly (e.g. ./my_script.sh or ./my_script).
This file has execute permissions for owners, groups, or others. File: README.md File: README.md
The previous version 1.3.4 failed due to the above as well as:
Check that transforms.conf does not contain any transforms with an external_cmd=
transforms.conf may not contain any transforms with an external_cmd=<string> attribute. The transforms.conf stanza [vtLookup] is using the external_cmd property, but the vtLookup_wrapper.py file can't be found in the app. File: default/transforms.conf, Line: 4. File: default/transforms.conf Line Number: 4
Any way to make this Splunk Cloud Compatible?
(I'll reply to this one, since there's no point in creating a duplicate issue, although this closed one could be opened again.)
We are also looking to have this application in our Splunk Cloud environment. At the moment there seems to be no 'native' support for this via Splunkbase. So everyone who wants to have this within their Splunk Cloud environments would need to modify the application based on AppInspect results (varies by version).
@SuperFunks did you manage to get through the vetting process? Are the file permissions the only issues in the vetting report? Seems like a minor issue which @olafhartong could be able to fix to make this awesome application Splunk Cloud compatible.
ThreatHunting (v1.3.4) uploaded to Splunkbase is failing to pass Splunk Cloud vetting due to the following issues:
This is the commentary from Splunk Support:
The version of the app our Vetting Team reviewed was the latest version available on Splunkbase (v1.3.4). I took a look through the apps directory and it appears the Developer missed including the required Python file that is being called out in the transforms.conf file. Would the Developer be able to upload the latest version to Splunkbase?
This is only affecting Splunk Cloud.
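A local pre-submission check for the two findings quoted in this thread (an `external_cmd` in `default/transforms.conf` whose script is missing from `bin/`, and execute bits or `.exe` files outside `bin/` and `appserver/controllers`), added here as an example; it is not part of the thread, the ThreatHunting app or Splunk AppInspect. The function names, the sample app layout and the `domain` argument are constructed for illustration.

```python
import tempfile
from pathlib import Path

EXEC_OK = (Path("bin"), Path("appserver/controllers"))  # execute bits allowed here

def find_external_cmds(app_dir):
    """Return (stanza, line_no, script, script_in_bin) per external_cmd in default/transforms.conf."""
    conf = Path(app_dir) / "default" / "transforms.conf"
    findings, stanza = [], None
    if not conf.is_file():
        return findings
    for line_no, raw in enumerate(conf.read_text(encoding="utf-8").splitlines(), 1):
        line = raw.strip()
        key, sep, value = line.partition("=")
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1]
        elif sep and key.strip() == "external_cmd":
            parts = value.split()
            script = parts[0] if parts else ""
            in_bin = bool(script) and (Path(app_dir) / "bin" / script).is_file()
            findings.append((stanza, line_no, script, in_bin))
    return findings

def find_bad_permissions(app_dir):
    """Return relative paths outside bin/ and appserver/controllers that are executable or .exe."""
    bad = []
    for path in Path(app_dir).rglob("*"):
        rel = path.relative_to(app_dir)
        if not path.is_file() or any(d == rel or d in rel.parents for d in EXEC_OK):
            continue
        if path.stat().st_mode & 0o111 or path.suffix.lower() == ".exe":
            bad.append(rel.as_posix())
    return sorted(bad)

def build_sample_app(base):
    """Constructed sample app reproducing the two findings quoted in the thread."""
    base = Path(base)
    for d in ("default", "bin"):
        (base / d).mkdir(parents=True)
    # Constructed content; the "domain" argument is illustrative only.
    (base / "default" / "transforms.conf").write_text(
        "# constructed sample\n\n[vtLookup]\nexternal_cmd = vtLookup_wrapper.py domain\n")
    (base / "README.md").write_text("sample\n")
    (base / "README.md").chmod(0o755)  # reproduces the README.md finding
    return base

if __name__ == "__main__":
    app = build_sample_app(Path(tempfile.mkdtemp()) / "sample_app")
    print(find_external_cmds(app), find_bad_permissions(app))
```

Per the vetting text quoted above, any `external_cmd` entry fails Splunk Cloud vetting; the `script_in_bin` flag only separates the missing-file case reported for `[vtLookup]` from an entry whose script is present.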