From a78a4b0d1e37421798a07e5b0a31cbb6cc91465f Mon Sep 17 00:00:00 2001
From: Henrik Hansson
Date: Tue, 20 Jul 2021 13:40:07 +0200
Subject: [PATCH 1/2] Use logstash_user and logstash_group Instead of root
---
 manifests/config.pp | 4 ++--
 manifests/configfile.pp | 2 +-
 manifests/patternfile.pp | 2 +-
 manifests/service.pp | 4 ++--
 4 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/manifests/config.pp b/manifests/config.pp
index 606e021a..9d4f1763 100644
--- a/manifests/config.pp
+++ b/manifests/config.pp
@@ -9,8 +9,8 @@
 require logstash::package
 File {
- owner => 'root',
- group => 'root',
+ owner => $logstash::logstash_user,
+ group => $logstash::logstash_group,
 }
 # Configuration "fragment" directories for pipeline config and pattern files.
diff --git a/manifests/configfile.pp b/manifests/configfile.pp
index df3484dc..b0698d76 100644
--- a/manifests/configfile.pp
+++ b/manifests/configfile.pp
@@ -50,7 +50,7 @@
 {
 include logstash
- $owner = 'root'
+ $owner = $logstash::logstash_user
 $group = $logstash::logstash_group
 $mode = '0640'
 $require = Package['logstash'] # So that we have '/etc/logstash/conf.d'.
diff --git a/manifests/patternfile.pp b/manifests/patternfile.pp
index 4490ff15..959a4bc1 100644
--- a/manifests/patternfile.pp
+++ b/manifests/patternfile.pp
@@ -30,7 +30,7 @@
 file { "${logstash::config_dir}/patterns/${destination}":
 ensure => file,
 source => $source,
- owner => 'root',
+ owner => $logstash::logstash_user,
 group => $logstash::logstash_group,
 mode => '0640',
 tag => ['logstash_config'],
diff --git a/manifests/service.pp b/manifests/service.pp
index d3b15b6a..ffe4d226 100644
--- a/manifests/service.pp
+++ b/manifests/service.pp
@@ -50,8 +50,8 @@
 $pipelines = $logstash::pipelines
 File {
- owner => 'root',
- group => 'root',
+ owner => $logstash::logstash_user,
+ group => $logstash::logstash_group,
 mode => '0644',
 notify => Exec['logstash-system-install'],
 }
From 0b52c98e8966dd90e1e74b9ee0e2dc806d69df23 Mon Sep 17 00:00:00 2001
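Review bot: The pipeline configuration and grok patterns become writable by what is presumably the Logstash service account once the `File` defaults in config.pp use `owner => $logstash::logstash_user,`; the same applies to `$owner = $logstash::logstash_user` in configfile.pp and `owner => $logstash::logstash_user,` in patternfile.pp. Before this patch those two files were owned by `root` with group `$logstash::logstash_group` and mode `0640`, which already let the service read its configuration without being able to rewrite it. If the aim is only to stop using the root group, `owner => 'root',` together with `group => $logstash::logstash_group,` keeps that separation. If Logstash does need write access to one of these paths, a comment naming the path and the reason would make the intent reviewable. The enclosing class and define bodies continue outside the hunks.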
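Review bot: In service.pp the `File` defaults also carry `notify => Exec['logstash-system-install'],`, so with `owner => $logstash::logstash_user,` every file that triggers that exec becomes editable by the service account. The exec and the file resources are outside the hunk; if the exec runs as root and reads these files to generate the service definition, they should stay root-owned, for example `owner => 'root',` with `group => $logstash::logstash_group,` so the service keeps read access. If the change is deliberate, a comment above the defaults such as `# owned by the service user because <reason>` would document the trade-off.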
From: Henrik Hansson
Date: Tue, 20 Jul 2021 13:44:08 +0200
Subject: [PATCH 2/2] Restrict access for "others"
---
 manifests/config.pp | 6 +++---
 manifests/service.pp | 2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/manifests/config.pp b/manifests/config.pp
index 9d4f1763..a0167caf 100644
--- a/manifests/config.pp
+++ b/manifests/config.pp
@@ -21,14 +21,14 @@
 if($logstash::ensure == 'present') {
 file { $logstash::config_dir:
 ensure => directory,
- mode => '0755',
+ mode => '0750',
 }
 file { "${logstash::config_dir}/conf.d":
 ensure => directory,
 purge => $logstash::purge_config,
 recurse => $logstash::purge_config,
- mode => '0775',
+ mode => '0770',
 notify => Service['logstash'],
 }
@@ -36,7 +36,7 @@
 ensure => directory,
 purge => $logstash::purge_config,
 recurse => $logstash::purge_config,
- mode => '0755',
+ mode => '0750',
 }
 } elsif($logstash::ensure == 'absent') {
diff --git a/manifests/service.pp b/manifests/service.pp
index ffe4d226..591caf82 100644
--- a/manifests/service.pp
+++ b/manifests/service.pp
@@ -52,7 +52,7 @@
 File {
 owner => $logstash::logstash_user,
 group => $logstash::logstash_group,
- mode => '0644',
+ mode => '0640',
 notify => Exec['logstash-system-install'],
 }
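Review bot: `mode => '0770',` on `"${logstash::config_dir}/conf.d"` still leaves the pipeline directory group-writable, so any member of `$logstash::logstash_group` can add or replace the pipeline files that Logstash loads from it. The other two directories in config.pp are tightened to `0750`; unless something outside this patch depends on group write, `mode => '0750',` here would match them. If group write is intentional, a short comment above the attribute such as `# group-writable so <tool> can drop pipeline fragments` would record why. The `if` block these resources sit in starts and ends outside the hunk.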