https://community.splunk.com/t5/Security/Should-we-run-Splunk-as-root-or-non-root-user/m-p/143573#M4397 <P>&gt; Splunk recommends that you don't run as root. </P> <P>I'm looking for a citation in the online docs, but not finding any specific recommendation. A recommendation from Splunk would be helpful in forming or justifying our own policy. All I have found so far is <A href="http://docs.splunk.com/Documentation/Splunk/6.2.3/installation/RunSplunkasadifferentornon-rootuser">Run Splunk Enterprise as a different or non-root user</A></P> Thu, 28 May 2015 14:24:30 GMT jspears 2015-05-28T14:24:30Z https://community.splunk.com/t5/Security/Should-we-run-Splunk-as-root-or-non-root-user/m-p/143565#M4389 <P>Should we run Splunk as root or non-root user? Which way is better?</P> <P>Thanks<BR /> -Ha</P> Tue, 15 Jul 2014 16:50:24 GMT https://community.splunk.com/t5/Security/Should-we-run-Splunk-as-root-or-non-root-user/m-p/143565#M4389 hadinh 2014-07-15T16:50:24Z https://community.splunk.com/t5/Security/Should-we-run-Splunk-as-root-or-non-root-user/m-p/143566#M4390 <P>Splunk recommends that you don't run as root. </P> <P>Other info: <A href="http://wiki.splunk.com/Community:DeployHardenedSplunk">Deploying Splunk</A></P> Tue, 15 Jul 2014 17:09:46 GMT https://community.splunk.com/t5/Security/Should-we-run-Splunk-as-root-or-non-root-user/m-p/143566#M4390 rmorlen 2014-07-15T17:09:46Z https://community.splunk.com/t5/Security/Should-we-run-Splunk-as-root-or-non-root-user/m-p/143567#M4391 <P>Best practice in general is to run applications as non-admin users whenever possible. This is a defense-in-depth thing - if an attacker were somehow to be able to compromise the Splunk instance in one way or another and access the underlying operating system through it, it's obviously preferable that Splunk (and therefore the attacker in our scenario) doesn't have administrative privileges.</P> Tue, 15 Jul 2014 17:19:36 GMT https://community.splunk.com/t5/Security/Should-we-run-Splunk-as-root-or-non-root-user/m-p/143567#M4391 Ayn 2014-07-15T17:19:36Z https://community.splunk.com/t5/Security/Should-we-run-Splunk-as-root-or-non-root-user/m-p/143568#M4392 <P>Thanks for the information.</P> Wed, 16 Jul 2014 02:43:27 GMT https://community.splunk.com/t5/Security/Should-we-run-Splunk-as-root-or-non-root-user/m-p/143568#M4392 strive 2014-07-16T02:43:27Z https://community.splunk.com/t5/Security/Should-we-run-Splunk-as-root-or-non-root-user/m-p/143569#M4393 <P>Thanks for the information.</P> Wed, 16 Jul 2014 02:43:29 GMT https://community.splunk.com/t5/Security/Should-we-run-Splunk-as-root-or-non-root-user/m-p/143569#M4393 strive 2014-07-16T02:43:29Z https://community.splunk.com/t5/Security/Should-we-run-Splunk-as-root-or-non-root-user/m-p/143570#M4394 <P>Thanks for your info.</P> Wed, 16 Jul 2014 12:12:10 GMT https://community.splunk.com/t5/Security/Should-we-run-Splunk-as-root-or-non-root-user/m-p/143570#M4394 hadinh 2014-07-16T12:12:10Z https://community.splunk.com/t5/Security/Should-we-run-Splunk-as-root-or-non-root-user/m-p/143571#M4395 <P>Seems the local system account on Windows (default for Splunk Windows installs) is a very near equivalent of root on Unix, however I don't think that is called out as a security risk the same way as root is.</P> Mon, 25 Aug 2014 13:49:32 GMT https://community.splunk.com/t5/Security/Should-we-run-Splunk-as-root-or-non-root-user/m-p/143571#M4395 bandit 2014-08-25T13:49:32Z https://community.splunk.com/t5/Security/Should-we-run-Splunk-as-root-or-non-root-user/m-p/143572#M4396 <P>Great topic. I'd love to see more details in the documentation on best security practices for collection methods. Maybe a matrix?</P> <UL> <LI>syslog - Great for many network devices, however doesn't usually work for Webservers/App Servers which don't write out in the syslog format on Unix</LI> <LI>Running as root (security implications)</LI> <LI>Making logs world readable (security implications)</LI> <LI>Add Splunk to a group which has read permissions to logs (My first choice, however there is usually a limit of 16 groups per Unix ID and sometimes an entprise may have hundreds of groups that log files are owned by)</LI> <LI>Unix ACLs - May be a great alternative, however how difficult are they to manage?</LI> <LI>Mounting logs remotely?</LI> </UL> Mon, 25 Aug 2014 14:18:56 GMT https://community.splunk.com/t5/Security/Should-we-run-Splunk-as-root-or-non-root-user/m-p/143572#M4396 bandit 2014-08-25T14:18:56Z https://community.splunk.com/t5/Security/Should-we-run-Splunk-as-root-or-non-root-user/m-p/143573#M4397 <P>&gt; Splunk recommends that you don't run as root. </P> <P>I'm looking for a citation in the online docs, but not finding any specific recommendation. A recommendation from Splunk would be helpful in forming or justifying our own policy. All I have found so far is <A href="http://docs.splunk.com/Documentation/Splunk/6.2.3/installation/RunSplunkasadifferentornon-rootuser">Run Splunk Enterprise as a different or non-root user</A></P> Thu, 28 May 2015 14:24:30 GMT https://community.splunk.com/t5/Security/Should-we-run-Splunk-as-root-or-non-root-user/m-p/143573#M4397 jspears 2015-05-28T14:24:30Z https://community.splunk.com/t5/Security/Should-we-run-Splunk-as-root-or-non-root-user/m-p/537983#M12068 <P>Here's the source from docs:</P><P><A href="https://docs.splunk.com/Documentation/Splunk/8.1.1/Installation/RunSplunkasadifferentornon-rootuser" target="_blank">https://docs.splunk.com/Documentation/Splunk/8.1.1/Installation/RunSplunkasadifferentornon-rootuser</A></P><P>In section "Run Splunk Enterprise as a different or non-root user":</P><P>It says:</P><P>"<SPAN>On *nix based systems, you can run Splunk Enterprise as a user other than root. This is a Splunk best practice and <STRONG>you should configure</STRONG> your systems to run the software <STRONG>as a non-root</STRONG> user where possible.</SPAN>"</P><P>&nbsp;</P> Sat, 30 Jan 2021 16:32:38 GMT https://community.splunk.com/t5/Security/Should-we-run-Splunk-as-root-or-non-root-user/m-p/537983#M12068 highsplunker 2021-01-30T16:32:38Z