https://community.splunk.com/t5/Installation/Security-issue-Splunk-UF-v9-x-is-re-adding-readall-capability/m-p/649049#M13044 <P>well, good catch&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/194518">@schose</a>&nbsp;!&nbsp;</P><P>nice learning, sir!&nbsp;</P> Tue, 04 Jul 2023 02:07:56 GMT inventsekar 2023-07-04T02:07:56Z https://community.splunk.com/t5/Installation/Security-issue-Splunk-UF-v9-x-is-re-adding-readall-capability/m-p/649047#M13043 <P>Hi all,</P><P>Splunk UF since 9.x is setting&nbsp;</P><PRE>[Service] NoNewPrivileges=yes AmbientCapabilities=CAP_DAC_READ_SEARCH</PRE><P>in systemd unit file (/etc/systemd/system/SplunkForwarder.service). This enables splunkforwarder to bypass Filesystems permissions and acls and read every file on harddisk - yes, every file: every ssh key, every private key, confidential data.. the&nbsp;<SPAN>opposite of the "least-to-know" principle.&nbsp;</SPAN></P><P>As we have correct filesystem permissions in place we decided to remove those settings from systemd unit file. When we now run e.g.: "/opt/splunkforwarder/bin/splunk stop" command the systemd file is rewritten by the splunk command. This will start splunkforwarder with enabled&nbsp;CAP_DAC_READ_SEARCH capability.</P><P>To make is more visual we uploaded a video to&nbsp;<A href="https://asciinema.org/a/FAYFPJYrKaizfL3alzvm3uNGF" target="_self">https://asciinema.org/a/FAYFPJYrKaizfL3alzvm3uNGF .&nbsp;</A></P><P>Are you able to reproduce the issue? What do you think?</P><P>For us this looks like a secuity issue, as we would never expect a command like "splunk stop" manipulate systemd files. I'm also not aware which other command might rewrite the systemd unit. I also do not seed any usecase for this.&nbsp;<BR /><BR /></P><P>steps to reproduce:<BR />install-splunkuf.sh</P><PRE>#!/bin/bash # break if errors set -e # add system user sudo groupadd splunk sudo useradd splunk --system --home-dir /opt/splunk --create-home -g splunk wget -O /tmp/splunkuf.tgz https://download.splunk.com/products/universalforwarder/releases/9.1.0/linux/splunkforwarder-9.1.0-1c86ca0bacc3-Linux-x86_64.tgz #wget -O /tmp/splunkuf.tgz https://download.splunk.com/products/universalforwarder/releases/9.0.5/linux/splunkforwarder-9.0.5-e9494146ae5c-Linux-armv8.tgz tar zxfv /tmp/splunkuf.tgz -C /opt echo -e "[user_info]\nUSERNAME=admin\nPASSWORD=Password01" &gt; /opt/splunkforwarder/etc/system/local/user-seed.conf /opt/splunkforwarder/bin/splunk start --accept-license &amp;&amp; /opt/splunkforwarder/bin/splunk stop -f /opt/splunkforwarder/bin/splunk enable boot-start -user splunk -group splunk -systemd-managed 1 # remove capabilities from systemd service sed -i '/^NoNewPrivileges\|^AmbientCapabilities/s/^/#/' /etc/systemd/system/SplunkForwarder.service systemctl daemon-reload systemctl start SplunkForwarder systemctl status SplunkForwarder # systemd file is still fine echo -n "systemd unit file after starting splunk" cat /etc/systemd/system/SplunkForwarder.service pid=$(systemctl show -p MainPID --value SplunkForwarder.service) &amp;&amp; getpcaps $pid</PRE><P>&nbsp;</P><P>when you now run&nbsp;</P><P>&nbsp;</P><PRE>/opt/splunkforwarder/bin/splunk stop cat /etc/systemd/system/SplunkForwarder.service</PRE><P>you see that lines</P><PRE>NoNewPrivileges=yes AmbientCapabilities=CAP_DAC_READ_SEARCH</PRE><P>are re-added to&nbsp;/etc/systemd/system/SplunkForwarder.service and next time the service is started caps are set. A backup file is also placed&nbsp;/etc/systemd/system/SplunkForwarder.service_TIMESTAMP.</P><P>when running a strace</P><PRE>strace -s 0 -o /tmp/910stop.strace -f /opt/splunkforwarder/bin/splunk stop</PRE><P>we clearly see the splunk process manipulating the systemd file.</P><PRE>2120 rename("/etc/systemd/system/SplunkForwarder.service", "/etc/systemd/system/SplunkForwarder.service_2023_07_03_21_47_00") = 0 2120 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x7feb05354f10) = 2122 2120 wait4(2122, 2122 set_robust_list(0x7feb05354f20, 24) = 0</PRE><P>&nbsp;</P><P>This happens on all 9.x versions of UF.&nbsp;</P><P>best regards,</P><P>Andreas</P> Mon, 03 Jul 2023 21:51:23 GMT https://community.splunk.com/t5/Installation/Security-issue-Splunk-UF-v9-x-is-re-adding-readall-capability/m-p/649047#M13043 schose 2023-07-03T21:51:23Z https://community.splunk.com/t5/Installation/Security-issue-Splunk-UF-v9-x-is-re-adding-readall-capability/m-p/649049#M13044 <P>well, good catch&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/194518">@schose</a>&nbsp;!&nbsp;</P><P>nice learning, sir!&nbsp;</P> Tue, 04 Jul 2023 02:07:56 GMT https://community.splunk.com/t5/Installation/Security-issue-Splunk-UF-v9-x-is-re-adding-readall-capability/m-p/649049#M13044 inventsekar 2023-07-04T02:07:56Z https://community.splunk.com/t5/Installation/Security-issue-Splunk-UF-v9-x-is-re-adding-readall-capability/m-p/652236#M13109 <P>Hi all,</P><P>To ensure that CAP_DAC_READ_SEARCH is not set, systemd overwrite mechanism could be used.</P><P>create&nbsp;/etc/systemd/system/SplunkForwarder.service.d/override.conf with content:</P><LI-CODE lang="markup">[Service] NoNewPrivileges=yes AmbientCapabilities=</LI-CODE><P>&nbsp;</P><P>this ensures, that even if /etc/systemd/system/SplunkForwarder.service is rewritten - which still looks like an issue to me - the&nbsp;AmbientCapabilities are still empty.&nbsp;</P><P>Best regards,</P><P>Andreas</P> Thu, 27 Jul 2023 15:22:03 GMT https://community.splunk.com/t5/Installation/Security-issue-Splunk-UF-v9-x-is-re-adding-readall-capability/m-p/652236#M13109 schose 2023-07-27T15:22:03Z