topic Re: Privilege checks for Script in Splunk Enterprise

Privilege checks for Script

msmadhu — Fri, 24 Jan 2025 13:44:08 GMT

Hello, team

I've made script, which uses the sudo command. I've deployed it on my forwarders and I get the error:

message from "/opt/splunkforwarder/etc/apps/app/bin/script.sh" sudo: effective uid is not 0, is /usr/bin/sudo on a file system with the 'nosuid' option set or an NFS file system without root privileges?

Please help to fix this issue.

Re: Privilege checks for Script

PickleRick — Fri, 24 Jan 2025 15:33:27 GMT

And did you check what sudo told you? Does your sudo work at all?

Re: Privilege checks for Script

msmadhu — Fri, 24 Jan 2025 15:56:01 GMT

Yes, my script is working with sudo only
below script for reference
#!/bin/bash
# Set the working directory to the script's directory

cd "$(dirname "$0")" || exit 1

# Full paths for commands

CRICTL_PATH="/usr/bin/crictl" # Adjust the path if necessary

# Get container list

container_list=$(sudo "$CRICTL_PATH" ps -a)

echo "$container_list" | sed '1s/POD ID/POD_ID/g'

IFS=$'\n'

for container_info in $(echo "$container_list" | tail -n +2); do

container_id=$(echo "$container_info" | awk '{print $1}')

container_name=$(echo "$container_info" | awk '{print $4}')

done

##############
cat /etc/sudoers.d/splunk
splunk ALL=(ALL) NOPASSWD: /usr/bin/crictl,/usr/bin/podman

Re: Privilege checks for Script

PickleRick — Fri, 24 Jan 2025 16:02:29 GMT

OK. So first steps to debug such issue would be to:

1) Run (as splunk user)

sudo /usr/bin/crictl

I'm assuming you already checked that

2) Run (again - as splunk user)

splunk cmd sudo /usr/bin/crictl

(the actual parameters for crictl are not important here, we just want to see if the command will be properly spawned at all).

Having said that - I'm not a very big fan of escalating privileges that way from splunk. As I understand, this is a scripted input. I'd rather have a script spawned by cron and capture its output and then ingest that output file with a normal monitor input.

Re: Privilege checks for Script

msmadhu — Fri, 24 Jan 2025 16:08:31 GMT

Yes, am getting output for below commands,

sudo /usr/bin/crictl ps -a

splunk cmd sudo /usr/bin/crictl ps -a

Re: Privilege checks for Script

PickleRick — Fri, 24 Jan 2025 16:33:21 GMT

Hmm...

And if you run your whole script with `splunk cmd`?

Re: Privilege checks for Script

msmadhu — Mon, 27 Jan 2025 05:27:50 GMT

Yes, script is woking with "splunk cmd" also

splunk cmd ./crio_simple_ps.sh

Re: Privilege checks for Script

PickleRick — Mon, 27 Jan 2025 10:54:12 GMT

Thay is puzzling there because assuming that you're running it with the same user as your forwarder runs with you should be having the same environment.

The things I'd check would be:

1) selinux alerts (if anything which should work doesn't it's often selinux ;-))

2) dump the environment to a file at the beginning of your script and compare the version you get from running it with "splunk cmd" with the output from when it's actually run by thr forwarder.

Re: Privilege checks for Script

msmadhu — Mon, 27 Jan 2025 11:29:45 GMT

Selinux alerts is disabled and not getting on second point.

But when i comment #NoNewPrivileges=Yes line from file /etc/systemd/system/SplunkForwarder.service. It will work. But not sure why Splunk service privilege is stoping this.

Re: Privilege checks for Script

PickleRick — Mon, 27 Jan 2025 13:36:26 GMT

Makes sense

https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html

Security

NoNewPrivileges=

Takes a boolean argument. If true, ensures that the service process and all its children can never gain new privileges through execve() (e.g. via setuid or setgid bits, or filesystem capabilities). This is the simplest and most effective way to ensure that a process and its children can never elevate privileges again. Defaults to false. In case the service will be run in a new mount namespace anyway and SELinux is disabled, all file systems are mounted with MS_NOSUID flag. Also see No New Privileges Flag.

Re: Privilege checks for Script

muhammad_luthfi — Sun, 23 Mar 2025 18:57:34 GMT

Hi, i have same case also, but now it's solved, bellow my workaround :

1. Add splunk user to /etc/sudoers

splunk-user ALL=(ALL) NOPASSWD: ALL

2. Add !requiretty for splunk user

Defaults:splunk-user !requiretty

For point no. 2, basically splunk running script on non-interactive environment by defaults, so we need add permission to pass it.

Running manual the command in CLI is interactive, thats why we don't need !requiretty

Re: Privilege checks for Script

muhammad_luthfi — Sun, 23 Mar 2025 19:16:34 GMT

Continuoing last reply :

Bellow my error during troubleshoot :

1. sudo: effective uid is not 0, is /usr/bin/sudo on a file system with the 'nosuid' -> Because splunk running as a root user, i have change back splunk to non-root user and see bellow error.

2. sudo: sorry, you must have a tty to run sudo -> Required !requiretty permission on /etc/sudoers

for me Splunk is powerfull tools, since i got this workaround, Ansible task can be done with splunk directly 🙂

Re: Privilege checks for Script

PickleRick — Sun, 23 Mar 2025 20:53:40 GMT

OMG. Don't do that!

This way you're allowing anyone who has permission to run local programs (and I can think of several ways to do so) effectively do anything with your system. This is like saying "Oh, I solved the problem with my front door lock by leaving the door wide open".

Re: Privilege checks for Script

isoutamo — Sun, 23 Mar 2025 21:44:28 GMT

This is exactly like @PickleRick said, never do it like this! You lost all security in your system!

If/when you need that information then better way is to use e.g. cron and export output to some file which are read by splunk. Just give needed access to that file with setfacl. And down use chmod with 777!

Re: Privilege checks for Script

muhammad_luthfi — Mon, 24 Mar 2025 01:48:18 GMT

Hi @isoutamo @PickleRick ,

Yes, you are correct, thats solution will be impact to security, i run this for testing purpose on Dev, just to see how splunk works with custom script sudo.

My implementation is read log file based on crontab.