topic Re: Want to confine splunk process running on servers as required by our audit. How to achieve? in Splunk Search https://community.splunk.com/t5/Splunk-Search/Want-to-confine-splunk-process-running-on-servers-as-required-by/m-p/418728#M173531 <P>Background on how things working on Linux:</P> <P>1.All processes and files are labeled. SELinux policy rules define how processes interact with files, as well as how processes interact with each other. Access is only allowed if an SELinux policy rule exists that specifically allows it.</P> <P>2.Fine-grained access control. Stepping beyond traditional UNIX permissions that are controlled at user discretion and based on Linux user and group IDs, SELinux access decisions are based on all available information, such as an SELinux user, role, type, and, optionally, a security level.<BR /> SELinux policy is administratively-defined and enforced system-wide.</P> <P>What is the meaning of confining a process? Explain confined.<BR /> * When a process is confined, it runs in its own domain. If a confined process is compromised by an attacker, depending on SELinux policy configuration, an attacker's access to resources and the possible damage they can do is limited</P> <P>For those who are interested to know more about SElinux(confined/unconfed process) please read <A href="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/chap-security-enhanced_linux-targeted_policy#sect-Security-Enhanced_Linux-Targeted_Policy-Confined_Processes" target="_blank">https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/chap-security-enhanced_linux-targeted_policy#sect-Security-Enhanced_Linux-Targeted_Policy-Confined_Processes</A>.</P> <P>Solution :<BR /> I tried below steps to confine Splunk process. Please find the before and after output below. I tried the exact steps listed below. For information about the commands used below use 'man command' or read <A href="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/chap-security-enhanced_linux-targeted_policy#sect-Security-Enhanced_Linux-Targeted_Policy-Confined_Processes" target="_blank">https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/chap-security-enhanced_linux-targeted_policy#sect-Security-Enhanced_Linux-Targeted_Policy-Confined_Processes</A>.</P> <P>Before: <BR /> [root@selinux_policy_for_splunk-master]# ps -eZ| grep splunk <BR /> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 5039 ? 1-04:37:17 splunkd <BR /> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 5041 ? 00:03:15 splunkd <BR /> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 5285 ? 00:33:43 splunkd <BR /> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 13110 ? 00:00:00 splunkd <BR /> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 13111 ? 00:00:00 splunkd <BR /> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 13112 ? 00:00:00 splunkd <BR /> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 13114 ? 00:00:00 splunkd <BR /> [root@selinux_policy_for_splunk-master]# semodule -i splunk.pp <BR /> [root@sselinux_policy_for_splunk-master]# restorecon -R /opt/splunk <BR /> [root@sselinux_policy_for_splunk-master]# restorecon /etc/init.d/splunk <BR /> [root@selinux_policy_for_splunk-master]# /etc/init.d/splunk restart <BR /> Restarting splunk (via systemctl): [ OK ] </P> <P>After: <BR /> [root@selinux_policy_for_splunk-master]# ps -eZ| grep splunk <BR /> system_u:system_r:splunk_t:s0 13521 ? 00:00:11 splunkd <BR /> system_u:system_r:splunk_t:s0 13524 ? 00:00:00 splunkd <BR /> system_u:system_r:splunk_t:s0 13725 ? 00:00:00 mongod <BR /> system_u:system_r:splunk_t:s0 13821 ? 00:00:00 python <BR /> system_u:system_r:splunk_t:s0 13828 ? 00:00:00 python <BR /> system_u:system_r:splunk_t:s0 13847 ? 00:00:00 splunkd <BR /> system_u:system_r:splunk_t:s0 13861 ? 00:00:01 python <BR /> system_u:system_r:splunk_t:s0 13863 ? 00:00:19 java <BR /> system_u:system_r:splunk_t:s0 14074 ? 00:00:00 splunkd <BR /> system_u:system_r:splunk_t:s0 14075 ? 00:00:00 splunkd </P> Tue, 29 Sep 2020 22:52:45 GMT sdubey_splunk 2020-09-29T22:52:45Z Want to confine splunk process running on servers as required by our audit. How to achieve? https://community.splunk.com/t5/Splunk-Search/Want-to-confine-splunk-process-running-on-servers-as-required-by/m-p/418727#M173530 <P>Issue:<BR /> Splunk is running as unconfiged daemon</P> <H1>ps -eZ | egrep "initrc" | egrep -vw "tr|ps|egrep|bash|awk" | tr ':' ' ' | awk '{ print $NF }'</H1> <P>splunkd<BR /> (Truncated output, I am interested in confining Splunk Process)</P> <P>We have an audit requirement to confine Splunk process. How to achieve?</P> Sat, 19 Jan 2019 08:53:39 GMT https://community.splunk.com/t5/Splunk-Search/Want-to-confine-splunk-process-running-on-servers-as-required-by/m-p/418727#M173530 sdubey_splunk 2019-01-19T08:53:39Z Re: Want to confine splunk process running on servers as required by our audit. How to achieve? https://community.splunk.com/t5/Splunk-Search/Want-to-confine-splunk-process-running-on-servers-as-required-by/m-p/418728#M173531 <P>Background on how things working on Linux:</P> <P>1.All processes and files are labeled. SELinux policy rules define how processes interact with files, as well as how processes interact with each other. Access is only allowed if an SELinux policy rule exists that specifically allows it.</P> <P>2.Fine-grained access control. Stepping beyond traditional UNIX permissions that are controlled at user discretion and based on Linux user and group IDs, SELinux access decisions are based on all available information, such as an SELinux user, role, type, and, optionally, a security level.<BR /> SELinux policy is administratively-defined and enforced system-wide.</P> <P>What is the meaning of confining a process? Explain confined.<BR /> * When a process is confined, it runs in its own domain. If a confined process is compromised by an attacker, depending on SELinux policy configuration, an attacker's access to resources and the possible damage they can do is limited</P> <P>For those who are interested to know more about SElinux(confined/unconfed process) please read <A href="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/chap-security-enhanced_linux-targeted_policy#sect-Security-Enhanced_Linux-Targeted_Policy-Confined_Processes" target="_blank">https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/chap-security-enhanced_linux-targeted_policy#sect-Security-Enhanced_Linux-Targeted_Policy-Confined_Processes</A>.</P> <P>Solution :<BR /> I tried below steps to confine Splunk process. Please find the before and after output below. I tried the exact steps listed below. For information about the commands used below use 'man command' or read <A href="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/chap-security-enhanced_linux-targeted_policy#sect-Security-Enhanced_Linux-Targeted_Policy-Confined_Processes" target="_blank">https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/chap-security-enhanced_linux-targeted_policy#sect-Security-Enhanced_Linux-Targeted_Policy-Confined_Processes</A>.</P> <P>Before: <BR /> [root@selinux_policy_for_splunk-master]# ps -eZ| grep splunk <BR /> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 5039 ? 1-04:37:17 splunkd <BR /> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 5041 ? 00:03:15 splunkd <BR /> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 5285 ? 00:33:43 splunkd <BR /> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 13110 ? 00:00:00 splunkd <BR /> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 13111 ? 00:00:00 splunkd <BR /> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 13112 ? 00:00:00 splunkd <BR /> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 13114 ? 00:00:00 splunkd <BR /> [root@selinux_policy_for_splunk-master]# semodule -i splunk.pp <BR /> [root@sselinux_policy_for_splunk-master]# restorecon -R /opt/splunk <BR /> [root@sselinux_policy_for_splunk-master]# restorecon /etc/init.d/splunk <BR /> [root@selinux_policy_for_splunk-master]# /etc/init.d/splunk restart <BR /> Restarting splunk (via systemctl): [ OK ] </P> <P>After: <BR /> [root@selinux_policy_for_splunk-master]# ps -eZ| grep splunk <BR /> system_u:system_r:splunk_t:s0 13521 ? 00:00:11 splunkd <BR /> system_u:system_r:splunk_t:s0 13524 ? 00:00:00 splunkd <BR /> system_u:system_r:splunk_t:s0 13725 ? 00:00:00 mongod <BR /> system_u:system_r:splunk_t:s0 13821 ? 00:00:00 python <BR /> system_u:system_r:splunk_t:s0 13828 ? 00:00:00 python <BR /> system_u:system_r:splunk_t:s0 13847 ? 00:00:00 splunkd <BR /> system_u:system_r:splunk_t:s0 13861 ? 00:00:01 python <BR /> system_u:system_r:splunk_t:s0 13863 ? 00:00:19 java <BR /> system_u:system_r:splunk_t:s0 14074 ? 00:00:00 splunkd <BR /> system_u:system_r:splunk_t:s0 14075 ? 00:00:00 splunkd </P> Tue, 29 Sep 2020 22:52:45 GMT https://community.splunk.com/t5/Splunk-Search/Want-to-confine-splunk-process-running-on-servers-as-required-by/m-p/418728#M173531 sdubey_splunk 2020-09-29T22:52:45Z