I was wondering how enterprises were handling this situation. I know within my organization, the /var/log subdirectories, especially the system ones, are locked down to root access only. How is your enterprise handling the Splunking of these logs? We run Splunk with a service account that we deploy across the infrastructure that has a non-expiry password, but doesn't have sudo rights.
I have spent some time undoing a lot of installations that were accidentally done by root because I know it is against best practices. So I was looking for some advice on how to best handle this one 🙂
DO NOT run splunk as root! This is a huge security risk. Create a new user splunk and add him to the root group and run as user splunk. But you still may have problems accessing files. You can try to make sure that new files get +gr ("Group Read") permission in that directory (assuming user splunk is in the root group). The group ownership can be inherited by new files and folders created in your folder /path/to/parent by setting the setgid bit using chmod g+s like this:

chmod g+s /file/location/

Now, all new files and folders created under /file/location/ will have the same group assigned as /file/location has.

POSIX file permissions are not inherited; they are given by the creating process and combined with its current umask value, and you can use POSIX ACLs to control this; to set the default ACL on a directory:

setfacl -d -m u::rwX,g::rX,o::- /file/location/

This will apply setfacl to the /file/location/ directory, -modifying the -default ACLs – those that will be applied to newly created items. (Uppercase X means only directories will receive the +x bit.)

For more detail, check out this Q&A:
https://answers.splunk.com/answers/240717/how-to-get-splunk-user-to-read-root-user-owned-fil.html
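As an added example (not part of the original answer, and not Splunk's own tooling), the script below exercises the two mechanisms the answer describes, setgid group inheritance and a default POSIX ACL, in throwaway directories so it needs no root and no real splunk user or group. It assumes Linux with GNU coreutils (stat -c) and probes for the acl package's setfacl before using it; any group the current user belongs to stands in for the root group of the answer.

```shell
#!/usr/bin/env bash
# Added example, not part of the original answer or of Splunk: exercise the
# two mechanisms the answer describes (setgid group inheritance and a default
# POSIX ACL) in throwaway directories, so no root and no real 'splunk' user or
# group are needed. Assumes Linux with GNU coreutils (stat -c); the ACL part
# needs the acl package (setfacl) and an ACL-capable filesystem.

mode_of()  { stat -c '%a' "$1"; }   # octal permission bits, e.g. 2750
group_of() { stat -c '%G' "$1"; }   # owning group name

# Setgid on a directory: files created inside inherit the directory's group.
# Prints "inherited" when that holds and the setgid bit is visible in the mode.
demo_setgid() {
    local dir grp
    dir=$(mktemp -d)
    # Any group the current user belongs to stands in for the 'root' group of
    # the answer (assumption: we cannot chgrp to a group we are not a member of).
    grp=$(id -Gn | awk '{print $NF}')
    chgrp "$grp" "$dir"
    chmod 2750 "$dir"        # u=rwx,g=rx,o= plus the setgid bit (the leading 2)
    : > "$dir/new.log"       # stand-in for a daemon creating a new log file
    if [ "$(group_of "$dir/new.log")" = "$grp" ] && [ "$(mode_of "$dir")" = "2750" ]; then
        echo inherited
    else
        echo not-inherited
    fi
    rm -rf "$dir"
}

# Default ACL: the directory's default entries, not the creator's umask, decide
# the mode of new objects. With u::rwX,g::rX,o::- a new file gets 640 (X adds
# no execute bit to a plain file) and a new subdirectory gets 750.
# Prints "acl-applied" on success, "no-acl-tools" when setfacl is missing or
# the filesystem rejects ACLs, and "unexpected-mode ..." otherwise.
demo_default_acl() {
    local dir fmode dmode
    if ! command -v setfacl >/dev/null 2>&1; then
        echo no-acl-tools
        return 0
    fi
    dir=$(mktemp -d)
    if ! setfacl -d -m u::rwX,g::rX,o::- "$dir" 2>/dev/null; then
        rm -rf "$dir"
        echo no-acl-tools
        return 0
    fi
    # Deliberately permissive umask: without the default ACL these would come
    # out as 666 and 777; with it, the default entries cap them.
    (umask 000; : > "$dir/new.log"; mkdir "$dir/sub")
    fmode=$(mode_of "$dir/new.log")
    dmode=$(mode_of "$dir/sub")
    rm -rf "$dir"
    if [ "$fmode" = "640" ] && [ "$dmode" = "750" ]; then
        echo acl-applied
    else
        echo "unexpected-mode file=$fmode dir=$dmode"
    fi
}

echo "setgid inheritance: $(demo_setgid)"
echo "default ACL:        $(demo_default_acl)"
```

The second check is the one worth watching on a real log host: the creating daemon's umask is ignored once a default ACL exists on the directory, so a logger that would otherwise create 0600 files still yields group-readable ones, while a file that is merely moved or renamed into the directory keeps whatever mode it already had.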
@woodcock To my rescue again, thanks!