topic Re: Permissions on /var/log in Security

Permissions on /var/log

rmcook84 — Wed, 08 Jun 2011 20:25:07 GMT

To maintain correct permissions how do you allow for splunk to read /var/log? I keep getting the following error
06-08-2011 16:17:16.355 -0400 WARN FilesystemChangeWatcher - error reading directory "/var/log": Permission denied

I am very reluctant to change /var/log to 640. Any help would be appreciated.

Re: Permissions on /var/log

rmcook84 — Wed, 08 Jun 2011 20:25:38 GMT

This is on rhel 5.6

Re: Permissions on /var/log

mw — Wed, 08 Jun 2011 20:57:45 GMT

You need to run splunk as the root user in order to read files that only root has access to, as well as to listen on privileged network ports.

Re: Permissions on /var/log

rmcook84 — Wed, 08 Jun 2011 21:50:09 GMT

Could you describe the best way to present access to the splunk account to do this. I would + security would prefer if it ran as splunk. I was thinking possibly make a modification to sudoers but I am unsure if it does a cat or a tail or other to the logs.

Re: Permissions on /var/log

mw — Wed, 08 Jun 2011 22:18:28 GMT

I don't know of any way to use sudo to only provide read permissions to the splunk process. You could add the splunk user to various groups that have read permission of the files.

Re: Permissions on /var/log

rmcook84 — Thu, 09 Jun 2011 01:35:51 GMT

Ok for all future purposes or anyone needing to use splunk without running it as root. You will need to set acls on the /var/log directory. You only need to set read for the splunk user which will still keep you in a very secure setup as long as you keep splunk as a /sbin/nologin account also.

Re: Permissions on /var/log

tfpblanchard — Fri, 27 Jun 2014 19:16:28 GMT

Re: Permissions on /var/log

tfpblanchard — Fri, 27 Jun 2014 19:16:50 GMT

Re: Permissions on /var/log

bandit — Tue, 22 Dec 2015 19:30:54 GMT

I would recommend adding the ID that splunk runs as to a group which has read permissions to those logs. Running splunk as root is usually not worth the risk/scrutiny that it will come under from most organizations.

example: the following log has read permissions for the owner root and the group root. Adding the splunk id to the group root should allow the splunk id to read a log with 640 permissions as shown below.
ls -l /var/log/messages
-rw-r----- 1 root root 2500271 Dec 15 15:03 messages

Another option would be to have the log set to world readable. ie. permissions of 644.

Ultimately, you will need to speak to the sys admin as permissions may have higher/lower security levels at different companies.

Re: Permissions on /var/log

quixand — Tue, 24 May 2016 15:42:18 GMT

I downvoted this post because running any applications as root is considered a severe security risk and most organisations with any sense will laugh at this recommendation. use acls on the host or add the splunk user to a group that has read access

Re: Permissions on /var/log

quixand — Wed, 01 Jun 2016 15:31:34 GMT

see: https://answers.splunk.com/answers/4253/how-to-monitor-root-owned-logs-while-running-splunk-as-a-non-root-user.html#answer-408258

Re: Permissions on /var/log

jawaharas — Wed, 01 May 2019 02:32:06 GMT

Use ACL command to grant permission to 'splunk' user only.

sudo setfacl -R -m u:splunk:r-x /var/log

Re: Permissions on /var/log

bandit — Wed, 20 Nov 2019 19:52:49 GMT

For privileged ports, I prefer either a reverse proxy server or an iptables redirect https://www.cyberciti.biz/faq/linux-port-redirection-with-iptables