topic How to change the user Splunk runs scripts as? in Security

How to change the user Splunk runs scripts as?

Myelin — Wed, 10 Feb 2016 16:14:45 GMT

We've been using the functionality in Splunk to have it kick off a script when certain search criteria is met. However, we noticed Splunk is executing those scripts as root. How can we change the user it runs scripts as? Note, that Splunk itself is not running from the root user, but a Splunk user.

Re: How to change the user Splunk runs scripts as?

LewisWheeler — Wed, 10 Feb 2016 16:20:52 GMT

Splunk should be running scripts as the user which splunkd runs as as far as I am aware - do you have the scripts in the $SPLUNK_HOME/bin/scripts directory? or are they part of a custom app?

What sort of scripts are we talking about? Shell, VBS, Powershell?

Re: How to change the user Splunk runs scripts as?

Myelin — Wed, 10 Feb 2016 16:27:56 GMT

The scripts are in fact in the $SPLUNK_HOME/bin/scripts directory and these are shell scripts.

Re: How to change the user Splunk runs scripts as?

lycollicott — Wed, 10 Feb 2016 17:46:23 GMT

If your scripts run as root then modify your scripts to "su - desired_user -c commands".

There are actually two ways to go about that.

If your script is short and has let's say one command in it to run as another user then you could change this:

some_command_or_script_to_run

to this:

su - desired_user -c some_command_or_script_to_run

Or if your script is quite long with many different commands in it then you could make a wrapper script that had a line in it like this:

su - desired_user -c that_long_script_ with_too_many_lines_to_edit