topic Re: Running as non-root and still able to read root logs in Getting Data In

Running as non-root and still able to read root logs

BlueQ — Wed, 10 Jul 2024 04:34:37 GMT

Bit of a reverse error here, splunk is working when it shouldn't.

I followed these instructions to run Splunk as non-root - https://docs.splunk.com/Documentation/Forwarder/9.2.1/Forwarder/Installleastprivileged

systemctl stop splunk
/opt/splunkforwarder/bin/splunk disable boot-start
/opt/splunkforwarder/bin/splunk enable boot-start -systemd-managed 1 -user blueq -group blueq
systemctl start splunk

Splunk is running as this user and the user cannot view /var/log/messages

[root@host1 ~]# ps -ef|grep splunk
blueq 137095 1 24 14:22 ? 00:00:00 splunkd --under-systemd --systemd-delegate=yes -p 8089 _internal_launch_under_systemd
blueq 137134 137095 0 14:22 ? 00:00:00 [splunkd pid=137095] splunkd --under-systemd --systemd-delegate=yes -p 8089 _internal_launch_under_systemd [process-runner]
root 137154 6813 0 14:22 pts/0 00:00:00 grep --color=auto splunk

[root@host1 ~]# ls -l /opt/splunkforwarder/
total 172
drwxr-xr-x. 3 blueq blueq 4096 Jun 25 22:11 bin
drwxr-xr-x. 2 blueq blueq 66 Jun 25 22:11 cmake
-r--r--r--. 1 blueq blueq 57 Mar 21 09:38 copyright.txt
...

[root@host1 ~]# su - blueq
Last login: Wed Jul 10 14:24:24 AEST 2024 on pts/0

[blueq@host1 ~]$ ls -l /var/log/messages
-rw-------. 1 root root 4898581 Jul 10 14:24 /var/log/messages

[blueq@host1 ~]$ cat /var/log/messages
cat: /var/log/messages: Permission denied

Yet I see no errors in /opt/splunkforwarder/var/log/splunk/splunkd.log and the logs are still uploaded to splunk cloud, why???

Re: Running as non-root and still able to read root logs

gcusello — Wed, 10 Jul 2024 06:14:30 GMT

Hi @BlueQ ,

I'm not a Linux expert so I don't knpow how to do, but you have two solutions:

configure ACLs on your servers to permit to not root user to read root files,
insert Splunk in the system group to read root logs.

As I said, you should ask the solution to this requirement to a Linux expert.

Ciao.

Giuseppe

Re: Running as non-root and still able to read root logs

inventsekar — Wed, 10 Jul 2024 10:18:51 GMT

Hi @BlueQ

when you search, do you get the results?

index=linuxORsomething source=/var/log/messages*

on Splunk, pls show us a search result with the /var/log/messages as events please, thanks.

Re: Running as non-root and still able to read root logs

BlueQ — Wed, 10 Jul 2024 22:13:06 GMT

Hi @inventsekar,

I don't want to show the actual results but here you can see there are results. Hope this helps.

Re: Running as non-root and still able to read root logs

BlueQ — Wed, 10 Jul 2024 22:15:23 GMT

Hi @gcusello,

The funny part is I have the opposite problem. I haven't given the user access to read /var/log/messages yet it seems like splunk still reads them.

How do I ask a Linux expert specifically? Do you mean on this forum or elsewhere?

Thanks

Re: Running as non-root and still able to read root logs

BlueQ — Thu, 11 Jul 2024 00:53:28 GMT

Found it. CAP_DAC_READ_SEARCH means splunk can read anything. Now I have to decide if I want to keep this setting.

https://community.splunk.com/t5/Installation/Security-issue-Splunk-UF-v9-x-is-re-adding-readall-capability/m-p/649047/highlight/true

Re: Running as non-root and still able to read root logs

gcusello — Thu, 11 Jul 2024 05:52:36 GMT

Hi @BlueQ ,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉