Open merillr opened 2 years ago
@merillr I don't see an issue with this being implemented, and as you said, this can be done by adding an option to install the package or adding a custom rule. I would rather have it install the package, and not have to create rules, because we will have to update the SHA for every executable it will be executing, and I'm not sure how many we will need to add to that rule, and if additional executables are added in the future, we will need to edit the playbook every time.
You are welcome to open a PR to add the RPM functionality, or wait till I have some time to work on this, since this will require quite a bit of work for it to be future proof and easily configurable.
Would this be something that would need to be done for both UFs and Full installs, or just Full? Last I heard from Splunk support, they don't have OOTB support for STIG-compliant systems, which is fairly disheartening from a company that works with the government a lot.
Since the installation only supports tgz, systems running fapolicyd (such as DISA STIG-compliant RHEL8+ servers) block splunk from executing. Below is a snippet of the rules preventing execution after running `fapolicyd --debug-deny`:

Some options are:
References:
- https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/assembly_blocking-and-allowing-applications-using-fapolicyd_security-hardening
- https://www.stigviewer.com/stig/red_hat_enterprise_linux_8/2020-11-25/finding/V-230523
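Added example, not code from this issue or from the playbook: a shell function that emits fapolicyd trust entries (`path size sha256`, the line format of `/etc/fapolicyd/fapolicyd.trust` and of `fapolicyd-cli --file add`) for every executable under an install directory. It illustrates the point raised in both comments above: hash-based trust needs one entry per binary and has to be regenerated after every upgrade. The install tree is constructed in a temp directory and stands in for `/opt/splunk`.

```shell
#!/bin/sh
# Added example: generate fapolicyd trust entries for a tgz-installed tree.
# Each output line is "path size sha256", the format fapolicyd reads from
# /etc/fapolicyd/fapolicyd.trust. Because trust is bound to the file hash,
# every upgraded or newly added binary needs a fresh entry.
splunk_trust_entries() {
    dir="$1"
    # -perm /111: any execute bit set (GNU find)
    find "$dir" -type f -perm /111 | sort | while IFS= read -r f; do
        size=$(wc -c < "$f" | tr -d ' ')
        hash=$(sha256sum "$f" | cut -d' ' -f1)
        printf '%s %s %s\n' "$f" "$size" "$hash"
    done
}

# Constructed sample install tree (assumption: stands in for /opt/splunk).
# Two executables plus one config file that must NOT get a trust entry.
make_sample_install() {
    root=$(mktemp -d)
    mkdir -p "$root/bin" "$root/etc"
    printf '#!/bin/sh\necho splunkd\n' > "$root/bin/splunkd"
    printf '#!/bin/sh\necho splunk\n' > "$root/bin/splunk"
    printf 'SPLUNK_HOME=%s\n' "$root" > "$root/etc/splunk-launch.conf"
    chmod 755 "$root/bin/splunkd" "$root/bin/splunk"
    chmod 644 "$root/etc/splunk-launch.conf"
    printf '%s\n' "$root"
}

# On a real host (not run here): append the output to
# /etc/fapolicyd/fapolicyd.trust, then run `fapolicyd-cli --update`
# so the daemon reloads the trust database. Repeat after each upgrade.
```

Running this against a real install after an upgrade and diffing the output against the previous trust file shows exactly which binaries changed and need new entries.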