topic Re: [systemd] splunk start keeps on asking to enter password in Security

[systemd] splunk start keeps on asking to enter password

sylim_splunk — Wed, 30 Sep 2020 04:11:11 GMT

I am running 7.3.3 using systemd and running into issues with running splunk restart as splunk user.
I ran "splunk enable boot-start -systemd-managed 1 -user splunk"
According to the splunk docs in https://docs.splunk.com/Documentation/Splunk/8.0.1/Admin/RunSplunkassystemdservice it reads as below;

*You must use sudo to run splunk start|stop|restart commands. If you do not use sudo, you must authenticate. *
I've read several articles below, but it doesn't appear to fix the issue.

[splunk]$ sudo splunk restart
Send restart to systemctl
*==== AUTHENTICATING FOR org.freedesktop.systemd1.manage-units ===**
Authentication is required to manage system services or units.*

I followed the steps below and added the commands to sudoers.

https://answers.splunk.com/answers/724473/major-boot-start-change-with-723-1.html
https://answers.splunk.com/answers/710045/splunk-722-systemd-root-privileges-required-when-s.html

Here's my current systemd script
[root]# cat /etc/systemd/system/Splunkd.service

This unit file replaces the traditional start-up script for systemd

configurations, and is used when enabling boot-start for Splunk on

systemd-based Linux distributions.

[Unit]
Description=Systemd service file for Splunk, generated by 'splunk enable boot-start'
After=network.target

[Service]
Type=simple
Restart=always
ExecStart=/opt/splunk/bin/splunk _internal_launch_under_systemd
LimitNOFILE=65536
SuccessExitStatus=51 52
RestartPreventExitStatus=51
RestartForceExitStatus=52
User=splunk
Delegate=true
CPUShares=1024
MemoryLimit=7831937024
PermissionsStartOnly=true
ExecStartPost=/bin/bash -c "chown -R 1003:1003 /sys/fs/cgroup/cpu/system.slice/%n"
ExecStartPost=/bin/bash -c "chown -R 1003:1003 /sys/fs/cgroup/memory/system.slice/%n"

[Install]
WantedBy=multi-user.target

I also tried adding the following in my /etc/sudoers
splunk ALL=(root) NOPASSWD: /usr/bin/systemctl restart Splunkd.service
splunk ALL=(root) NOPASSWD: /usr/bin/systemctl stop Splunkd.service
splunk ALL=(root) NOPASSWD: /usr/bin/systemctl start Splunkd.service
splunk ALL=(root) NOPASSWD: /usr/bin/systemctl status Splunkd.service

Re: [systemd] splunk start keeps on asking to enter password

sylim_splunk — Thu, 13 Feb 2020 01:16:22 GMT

Here's what you need to do to achieve what you want,

[root]$visudo "to add the below further to the what you have done earlier"
splunk ALL=(root) NOPASSWD: /usr/bin/systemctl restart Splunkd.service
splunk ALL=(root) NOPASSWD: /usr/bin/systemctl stop Splunkd.service
splunk ALL=(root) NOPASSWD: /usr/bin/systemctl start Splunkd.service
splunk ALL=(root) NOPASSWD: /usr/bin/systemctl status Splunkd.service
splunk ALL=(root) NOPASSWD: /opt/splunk/bin/splunk restart
splunk ALL=(root) NOPASSWD: /opt/splunk/bin/splunk stop
splunk ALL=(root) NOPASSWD: /opt/splunk/bin/splunk start

Then, "sudo ./splunk start" or "sudo /opt/splunk/bin/splunk start" will work without requesting password. And still "sudo splunk start" will needs authentication.

To make "sudo splunk start" work passwordless then add /opt/splunk/bin to secure_path.

visudo & locate "secure_path", then add "/opt/splunk/bin" to the end. i.e that would look like as below;

Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin:/opt/splunk/bin

Save the change, confirm it has been configured Okay by "$ visudo -c "

Use sudo command to splunk start/stop/restart, such as
$sudo splunk start

If you have concerns about the Security by using secure_path you better use systemctl or just use /opt/splunk/bin/splunk command with full path.

Re: [systemd] splunk start keeps on asking to enter password

gjanders — Thu, 13 Feb 2020 07:25:50 GMT

Also refer to Splunk systemd unit file in versions 7.2.2 and newer - how do I stop this prompting for the root password? (Q&A)

Re: [systemd] splunk start keeps on asking to enter password

maraman_splunk — Thu, 13 Feb 2020 08:46:51 GMT

Hmm, The first lines are fine but they require to call sudo
The last 2 lines seems risky.
Adding a sudo sentence that run the splunk binary as root is kind of defeating the whole initial thing of not having splunk run as root
If you are the attacker running as splunk, you could just replace the splunk binary with whatever you want and become easily root....
The proper and secure way is to use to the os way of allowing a unpriviledge process to call systemd, which is policykit.
Unfortunaltely, it is os systemd and policykit dependent and requir some conf but that' perfectly work on at least the RH7/8 + Centos7/8 + AWS2 distributions.
The answer post linked below is pointing at this solution

Re: [systemd] splunk start keeps on asking to enter password

maraman_splunk — Thu, 13 Feb 2020 08:48:07 GMT

The solution in the linked answer is much more safer to use as leverage the os mechanism to give access to systemd from splunk. (with a little bit of help of a additional script to be more fine grained)

Re: [systemd] splunk start keeps on asking to enter password

sylim_splunk — Thu, 13 Feb 2020 20:14:37 GMT

I agree on your points. That'd be the same, as risky as adding systemctl command to sudo which eventually runs splunk as root, then setuid to splunk..

Re: [systemd] splunk start keeps on asking to enter password

kringo — Fri, 11 Aug 2023 14:18:19 GMT

IF YOU NEED TO SET THE USER AS ROOT THEN WHY IS THERE EVEN A **bleep**ING USER?

Re: [systemd] splunk start keeps on asking to enter password

evinasco08 — Wed, 20 Mar 2024 17:41:14 GMT

hi,

Did u find the secure solution ??

Regards