We are deploying the Linux App and Add-on. The client has requested that we enable all inputs.
The forwarder is running as a splunk user (basic configuration with no permissions modified).
The Linux Add-on has monitors configured for the /etc/ and /var/log directories, but the splunk user (by default) does not have permissions to read all the files in those directories.
If I use the setfacl command to add read permissions to files and directories of the /etc/ folder to the splunk group, Linux breaks. I can't run any more sudo commands due to permission issues and eventually can't ssh back to the host. I read some articles and people suggest that running a UF as root is a security concern.
What is the best solution for this issue?
I was eventually given a link to an article explaining which commands to run.
Even though the answer is the setfacl command, there are some parameters that need to be added for it not to break Linux:
sudo /usr/bin/setfacl -m "u:splunk:r-x" /var/log
sudo /usr/bin/setfacl -m "u:splunk:r--" /var/log/*
sudo /usr/bin/setfacl -m d:user:splunk:r /var/log
sudo /usr/bin/setfacl -m "u:splunk:r-x" /etc
sudo /usr/bin/setfacl -m "u:splunk:r--" /etc/*
Everything is explained under the link below:
https://bitbucket.org/SPLServices/splunk_ta_nix/src/c87dc4d8daf412d1cb97b42cc96a2fe80998c695/INSTALL...
You can simplify it into a single command, assuming you want to traverse further than a single level. I usually format my setfacl as I tend to set user, group, other, mask along with multiple specific user/group permissions at the same time.
Items of note:
- -R --recursive
- -b --remove-all
- -k --remove-default
- -m --modify
- As things are being set recursively, using an uppercase X will set x on directories but not execute on files unless they already have the permission.
- Include -bk as I like to have a fresh slate when setting file ACLs.
- Spaces, and the lack of them, are important to the command and formatting.
setfacl -Rbkm \
d:g:splunk:r-X,\
d:m::rwX,\
g:splunk:r-X,\
m::rwX \
-- \
/var/log /etc
Why is execute (x) included?
@johnansett - an uppercase "X" will grant the execute permission on directories allowing you to cd, etc.; however, unlike a lowercase "x", it only grants execute permissions to files if that permission already exists, otherwise it is ignored. This is a safer option than a blanket +x in case you inadvertently allow execution to something that shouldn't be, such as a plain file which someone could modify into a script.
It could simplify this answer from multiple setfacl commands to a single command.
My common case is python scripts (lookups) which Splunk requires execute permissions to.
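As an added example (not from this thread or from the Splunk add-on), a small Python audit of `getfacl -R` output that checks the rules the answers above rely on: the collection account needs r-x on directories but must not pick up x on regular files (the uppercase X point), and directories need a default entry so newly rotated logs inherit read access. The sample getfacl output, the account name splunk and the directory set are constructed; in practice the directory set would come from `find <path> -type d`.

```python
# Constructed sample of "getfacl -R" output (not real host data); getfacl strips
# the leading "/" from each "# file:" path and separates entries with blank lines.
SAMPLE = """\
# file: var/log
user:splunk:r-x
mask::r-x
default:user:splunk:r-x

# file: var/log/messages
user:splunk:r--
mask::r--

# file: var/log/helper.sh
user:splunk:r-x
mask::r-x

# file: etc/ssl
user:splunk:r--
mask::r-x
"""


def parse_getfacl(text):
    """Map each '# file:' block to {entry tag: perms}, e.g. {"user:splunk": "r-x"}."""
    acls, cur = {}, None
    for line in text.splitlines():
        if line.startswith("# file: "):
            cur = acls.setdefault("/" + line[8:], {})
        elif line and not line.startswith("#") and cur is not None:
            tag, _, perms = line.rpartition(":")   # "mask::r-x" -> ("mask:", "r-x")
            cur[tag.rstrip(":")] = perms
    return acls


def audit(text, account, dirs):
    """Return (path, problem) pairs; `dirs` is the set of paths that are directories."""
    findings = []
    for path, acl in parse_getfacl(text).items():
        perms = acl.get(f"user:{account}", "---")
        mask = acl.get("mask", "rwx")          # effective rights = entry AND mask
        eff = "".join(p if p in mask else "-" for p in perms)
        if "r" not in eff:
            findings.append((path, "account cannot read"))
        if path in dirs and "x" not in eff:
            findings.append((path, "directory not traversable"))     # needs r-x, not r--
        if path in dirs and f"default:user:{account}" not in acl:
            findings.append((path, "no default ACL for new files"))
        if path not in dirs and "x" in eff:
            findings.append((path, "execute granted on a regular file"))  # lowercase x used
    return findings
```

Run it against the real output of `getfacl -R /var/log /etc` before and after applying the ACLs to confirm nothing outside the intended set changed.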
Splunk needs read permission on a directory it will collect data from.
I would recommend adding the ID that Splunk runs as to a group which has read permissions to those logs. Running Splunk as root is usually not worth the risk/scrutiny that it will come under from most organizations.
Another option would be to have the logs set to world readable, i.e. permissions of 644.
The group that has read permissions over those logs is the root group so I would have to add the splunk user to the root group to resolve this.
Hey MedralaG,
You can try running as a non-root user.
Refer to the docs below:
http://docs.splunk.com/Documentation/Splunk/7.0.2/Admin/ConfigureSplunktostartatboottime
http://docs.splunk.com/Documentation/Splunk/latest/Installation/RunSplunkasadifferentornon-rootuser
Let me know if this helps!!
It doesn't; the problem is that I can't get the UF to read files in the /etc/ directory of Linux, and if I give read permissions to the splunk user, that breaks the Linux instance.
setfacl -R -m u:splunk:r /var/log or whatever path splunk needs to be able to read. It is not best practice to run splunk as root.
Unfortunately, once you do that on the /etc/ directory, it breaks Linux.
