[DOCS] RHEL Security TMP override #77285
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change | ||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|
@@ -123,6 +123,17 @@ endif::[] | |||||||||||||||
|
|
||||||||||||||||
| include::skip-set-kernel-parameters.asciidoc[] | ||||||||||||||||
|
|
||||||||||||||||
| [[install-rhel-security]] | ||||||||||||||||
| ==== Override Red Hat TMP if Security Compliance | ||||||||||||||||
|
|
||||||||||||||||
| If you are applying a security compliance in your RHEL installation | ||||||||||||||||
| you must change the path of the TMP directory that will use elasticsearch as Java. | ||||||||||||||||
|
There was a problem hiding this comment.
Suggested change
|
||||||||||||||||
|
|
||||||||||||||||
| 1. Uncomment `-Djava.io.tmpdir=${ES_TMPDIR}` under `/etc/elasticsearch/jvm.options` | ||||||||||||||||
|
There was a problem hiding this comment. I think we shouldn't be telling users to edit But then I think this isn't necessary anyway, we already copy There was a problem hiding this comment. Yes, we tell people to add custom options files. If this step is necessary, I'd cross reference the info on setting JVM options (https://www.elastic.co/guide/en/elasticsearch/reference/master/advanced-configuration.html#set-jvm-options). Something like: In a <<set-jvm-options, custom JVM options>> file, override the -Djava.io.tempdir setting: -Djava.io.tmpdir=${ES_TMPDIR} There was a problem hiding this comment. I can confirm this is unnecessary: we already have this setting in the default elasticsearch/distribution/src/config/jvm.options Lines 64 to 65 in f8793c6 |
||||||||||||||||
| 2. Add `ES_TMPDIR=/usr/share/elasticsearch/tmp` under `/etc/sysconfig/elasticsearch` | ||||||||||||||||
|
There was a problem hiding this comment. I'd make this the first step, even if you do need to explicitly set the JVM TMP directory to ES_TMPDIR.
Suggested change
|
||||||||||||||||
| 3. Create the /usr/share/elasticsearch/tmp directory and make sure that the owner and group are elasticsearch and the permissions are `0755` | ||||||||||||||||
|
There was a problem hiding this comment.
Suggested change
There was a problem hiding this comment. If step 4 is deemed unacceptable, I'd add a note to this step indicating that no users other than the elasticsearch user should have access to this directory. |
||||||||||||||||
| 4. Lastly make sure that `/dev/shm` doesn't have the noexec attribute with command: `mount | grep tmpfs | grep '/dev/shm'` | ||||||||||||||||
|
There was a problem hiding this comment. This is probably unacceptable to many users of locked-down systems. Instead we should set |
||||||||||||||||
|
|
||||||||||||||||
| ifdef::include-xpack[] | ||||||||||||||||
| [role="xpack"] | ||||||||||||||||
| [[rpm-enable-indices]] | ||||||||||||||||
|
|
||||||||||||||||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should be something like the following? This feels convoluted.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Compliant is better than Compliance, but "Security Compliant" is still vague. Can we be more specific here and say something like, "Override Red Hat TMP if FIPS mode is enabled"?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Unfortunately it's nothing to do with FIPS mode - these steps are necessary today if the user is using SELinux with a particular config (which we don't test and haven't even fully characterised). Admittedly there will be significant overlap between users of FIPS mode and users of this kind of SELinux config.