Permissions for splunk user on universal forwarder for Linux Add-on

MedralaG
Communicator

We are deploying the Linux App and Add-on. The client has requested that we enable all input.
The forwarder is running as a splunk user (basic configuration with no permissions modified).
The Linux Add-on has monitors configured for the /etc/ and /var/log directories but the splunk user (by default) does not have permissions to read all the files in those directories.

If I use the setfacl command to add read permissions to files and directories of the /etc/ folder to the splunk group, Linux breaks. I can't run any more sudo commands due to permission issues and eventually can't SSH back to the host. I read some articles and people suggest that running a UF as root is a security concern.

What is the best solution for this issue?

0 Karma
1 Solution

MedralaG
Communicator

I was eventually given a link to an article explaining which commands to run.
Even though the answer is the setfacl command, there are some parameters that need to be added for it not to break Linux:

sudo /usr/bin/setfacl -m "u:splunk:r-x" /var/log
sudo /usr/bin/setfacl -m "u:splunk:r--" /var/log/*
sudo /usr/bin/setfacl -m d:user:splunk:r /var/log
sudo /usr/bin/setfacl -m "u:splunk:r-x" /etc
sudo /usr/bin/setfacl -m "u:splunk:r--" /etc/*

Everything is explained under the link below:
https://bitbucket.org/SPLServices/splunk_ta_nix/src/c87dc4d8daf412d1cb97b42cc96a2fe80998c695/INSTALL...

twhitehead
New Member

You can simplify it into a single command, assuming you want to traverse further than a single level. I usually format my setfacl as I tend to set user, group, other, mask along with multiple specific user/group permissions at the same time.

Items of note:
- -R --recursive
- -b --remove-all
- -k --remove-default
- -m --modify
- As things are being set recursively using an uppercase X will set x on directories but not execute on files unless they already have the permission.
- Include -bk as I like to have a fresh slate when setting File ACLs
- Spaces and lack of are important to the command and formatting.

setfacl -Rbkm \
d:g:splunk:r-X,\
d:m::rwX,\
g:splunk:r-X,\
m::rwX \
-- \
/var/log /etc
0 Karma

johnansett
Communicator

Why is execute (x) included?

0 Karma

twhitehead
New Member

@johnansett - an uppercase "X" will grant the execute permission on directories, allowing you to cd, etc.; however, unlike a lowercase "x", it only grants execute permission to files if that permission already exists; otherwise it is ignored. This is a safer option than a blanket +x, in case you inadvertently allow execution of something that shouldn't be executable, such as a plain file which someone could modify into a script.

It could simplify this answer from multiple setfacl commands to a single command.

My common case is Python scripts (lookups), for which Splunk requires execute permissions.

0 Karma
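A dry-run check worth doing before running any of the setfacl commands in this thread, whether the accepted solution's per-directory commands or the recursive single command above; this is an added example, not code from the Splunk add-on, its INSTALL notes, or any poster. It rests on a point from acl(5) that the thread does not spell out: once a file carries a named-user or named-group entry, stat reports the ACL mask in the group permission bits, and setfacl -m recomputes that mask as the union of all group-class entries, so a 0600 file such as an SSH host key shows up as 0640 and programs that validate modes (sshd, sudo) see wider permissions than the owner set. The function and sample-tree names, and the file modes in the constructed tree, are assumptions chosen for the demo.

```bash
#!/usr/bin/env bash
# Dry run before granting a named-user ACL under /etc or /var/log.
# Assumption (acl(5), not stated in the thread): with an extended ACL present,
# the group bits that stat(2) reports are the ACL mask, and setfacl -m sets
# that mask to the union of all group-class entries, so granting splunk "r"
# on a 0600 file makes it appear as 0640 to anything inspecting st_mode.

# perm_bits SPEC -> octal digit for the r/w/x letters in SPEC. A capital X is
# resolved per file below, since it applies only to already-executable files.
perm_bits() {
  bits=0
  case $1 in *r*) bits=$((bits | 4)) ;; esac
  case $1 in *w*) bits=$((bits | 2)) ;; esac
  case $1 in *x*) bits=$((bits | 1)) ;; esac
  echo "$bits"
}

# acl_widening_preview DIR SPEC
# Prints "OLD -> NEW PATH" for each regular file under DIR whose group-class
# bits would widen if SPEC (e.g. "r--" or "r-X") became part of the mask.
acl_widening_preview() {
  dir=$1; spec=$2; want=$(perm_bits "$spec")
  find "$dir" -type f | while IFS= read -r f; do
    mode=$(stat -c %a "$f")                  # e.g. 600, 644, 4755
    grp=$(( mode / 10 % 10 ))                # current group-class digit
    x=$want
    case $spec in *X*)                       # X: add x only if an x bit already exists
      if [ $(( 0$mode & 0111 )) -ne 0 ]; then x=$((x | 1)); fi ;;
    esac
    newgrp=$(( grp | x ))
    if [ "$newgrp" -ne "$grp" ]; then
      printf '%s -> %s %s\n' "$mode" "${mode%??}${newgrp}${mode#"${mode%?}"}" "$f"
    fi
  done
}

# make_sample_tree -> path of a constructed directory imitating a few /etc
# entries; the modes are typical defaults picked for the demo, not copied
# from a real host.
make_sample_tree() {
  d=$(mktemp -d)
  mkdir -p "$d/ssh"
  : > "$d/ssh/ssh_host_key"; chmod 600 "$d/ssh/ssh_host_key"
  : > "$d/hosts";            chmod 644 "$d/hosts"
  : > "$d/sudoers";          chmod 440 "$d/sudoers"
  : > "$d/rc.local";         chmod 755 "$d/rc.local"
  echo "$d"
}

# Example run against a real directory (applies nothing): acl_widening_preview /etc "r--"
```

Any file the preview lists is one whose mode a daemon may reject after the ACL change; those are the candidates to exclude from the monitor or handle separately rather than opening up.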

bcyates
Communicator

Splunk needs read permission on a directory it will collect data from.

I would recommend adding the ID that Splunk runs as to a group which has read permissions to those logs. Running Splunk as root is usually not worth the risk/scrutiny that it will come under from most organizations.

Another option would be to have the logs set to world readable, i.e. permissions of 644.

0 Karma

MedralaG
Communicator

The group that has read permissions over those logs is the root group so I would have to add the splunk user to the root group to resolve this.

0 Karma

deepashri_123
Motivator
0 Karma

MedralaG
Communicator

It doesn't; the problem is that I can't get the UF to read files in the /etc/ directory of Linux, and if I give read permissions to the splunk user, that breaks the Linux instance.

0 Karma

bcyates
Communicator

setfacl -R -m u:splunk:r /var/log, or whatever path splunk needs to be able to read. It is not best practice to run splunk as root.

0 Karma

MedralaG
Communicator

Unfortunately once you do that on the /etc/ directory it breaks linux.

0 Karma