
Permissions for splunk user on universal forwarder for Linux Add-on

Communicator

We are deploying the Linux App and Add-on. The client has requested that we enable all input.
The forwarder is running as a splunk user (basic configuration with no permissions modified).
The Linux Add-on has monitors configured for the /etc/ and /var/log directories but the splunk user (by default) does not have permissions to read all the files in those directories.

If I use the setfacl command to add read permissions to files and directories of the /etc/ folder to the splunk group, Linux breaks. I can't run any more sudo commands due to permission issues and eventually can't ssh back to the host. I read some articles and people suggest that running a UF as root is a security concern.

What is the best solution for this issue?


Re: Permissions for splunk user on universal forwarder for Linux Add-on

Communicator

setfacl -R -m u:splunk:r /var/log or whatever path splunk needs to be able to read. It is not best practice to run splunk as root.


Re: Permissions for splunk user on universal forwarder for Linux Add-on

Communicator

Unfortunately once you do that on the /etc/ directory it breaks Linux.


Re: Permissions for splunk user on universal forwarder for Linux Add-on

Communicator

It doesn't. The problem is that I can't get the UF to read files in the /etc/ directory of Linux, and if I give read permissions to the splunk user that breaks the Linux instance.


Re: Permissions for splunk user on universal forwarder for Linux Add-on

Communicator

Splunk needs read permission on a directory it will collect data from.

I would recommend adding the ID that Splunk runs as to a group which has read permissions to those logs. Running Splunk as root is usually not worth the risk/scrutiny that it will come under from most organizations.

Another option would be to have the logs set to world readable, i.e. permissions of 644.


Re: Permissions for splunk user on universal forwarder for Linux Add-on

Communicator

The group that has read permissions over those logs is the root group so I would have to add the splunk user to the root group to resolve this.


Re: Permissions for splunk user on universal forwarder for Linux Add-on

Communicator

I was eventually given a link to an article explaining which commands to run.
Even though the answer is the setfacl command, there are some parameters that need to be added for it not to break Linux:

sudo /usr/bin/setfacl -m "u:splunk:r-x" /var/log
sudo /usr/bin/setfacl -m "u:splunk:r--" /var/log/*
sudo /usr/bin/setfacl -m d:user:splunk:r /var/log
sudo /usr/bin/setfacl -m "u:splunk:r-x" /etc
sudo /usr/bin/setfacl -m "u:splunk:r--" /etc/*

Everything is explained under the link below:
https://bitbucket.org/SPLServices/splunk_ta_nix/src/c87dc4d8daf412d1cb97b42cc96a2fe80998c695/INSTALL...


Re: Permissions for splunk user on universal forwarder for Linux Add-on

New Member

You can simplify it into a single command, assuming you want to traverse further than a single level. I usually format my setfacl as I tend to set user, group, other, mask along with multiple specific user/group permissions at the same time.

Items of note:
- -R (--recursive)
- -b (--remove-all)
- -k (--remove-default)
- -m (--modify)
- As things are being set recursively using an uppercase X will set x on directories but not execute on files unless they already have the permission.
- Include -bk as I like to have a fresh slate when setting File ACLs
- Spaces and lack of are important to the command and formatting.

setfacl -Rbkm \
d:g:splunk:r-X,\
d:m::rwX,\
\
g:splunk:r-X,\
m::rwX \
-- \
/var/log /etc
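
After running either set of setfacl commands from the two answers above, the check a practitioner wants is whether the splunk account actually ends up with read access and nothing more. Named user entries are always limited by the ACL mask entry (the `m::` entry in the command above), so `getfacl` can show `user:splunk:rw-` while the effective permission is only `r--`. The following Python auditor is an added example, not code from this thread or from the Splunk Add-on for Unix and Linux: it parses text in `getfacl`'s output format, computes the effective permission for a named user by ANDing the entry with the mask, and flags entries that are clipped by the mask, grant write, or rely on the `other::` bits instead of a named entry. The ACL dump it works on is constructed for the example; in practice you would feed it the output of `getfacl -R /var/log /etc`.

```python
"""Audit POSIX ACL entries granted to a service account (example: splunk).

Parses getfacl-style text, computes the permission a named user effectively
gets on each file (named entry AND mask entry), and reports anything other
than plain read access. The sample dump below is constructed for this
example; it is not captured from a real host.
"""

PERM_BITS = {"r": 4, "w": 2, "x": 1}

# Constructed sample mimicking `getfacl -R` output after ACLs were applied.
SAMPLE_GETFACL = """\
# file: var/log
# owner: root
# group: root
user::rwx
user:splunk:r-x
group::r-x
mask::r-x
other::r-x
default:user::rwx
default:user:splunk:r--
default:group::r-x
default:mask::r-x
default:other::r-x

# file: var/log/messages
# owner: root
# group: root
user::rw-
user:splunk:r--
group::r--
mask::r--
other::---

# file: etc/hosts
# owner: root
# group: root
user::rw-
user:splunk:rw-\t\t#effective:r--
group::r--
mask::r--
other::r--

# file: var/log/app.log
# owner: root
# group: adm
user::rw-
group::r--
other::r--
"""


def perm_bits(perms):
    """Convert 'r-x' to its numeric bits; '-' and the X placeholder add nothing."""
    return sum(PERM_BITS[c] for c in perms if c in PERM_BITS)


def bits_str(bits):
    """Render numeric bits as the familiar 'rwx' triplet."""
    return "".join(c if bits & v else "-" for c, v in PERM_BITS.items())


def parse_getfacl(text):
    """Parse getfacl output into [{'path': ..., 'entries': {...}}, ...].

    entries maps (tag, qualifier, is_default) -> permission bits, where tag
    is one of user/group/mask/other and qualifier is the named user/group.
    """
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("# file:"):
            current = {"path": line[len("# file:"):].strip(), "entries": {}}
            records.append(current)
            continue
        if line.startswith("#"):
            continue  # '# owner:', '# group:' and '# flags:' comment lines
        entry = line.split("#")[0].strip()  # drop a trailing '#effective:' note
        is_default = entry.startswith("default:")
        if is_default:
            entry = entry[len("default:"):]
        tag, qualifier, perms = entry.split(":", 2)
        current["entries"][(tag, qualifier, is_default)] = perm_bits(perms)
    return records


def effective_for_user(record, user):
    """Return (effective bits, source) for a user who is neither the file's
    owner nor a member of its group (the usual case for a service account)."""
    entries = record["entries"]
    mask = entries.get(("mask", "", False))
    named = entries.get(("user", user, False))
    if named is not None:
        return (named if mask is None else named & mask), "named"
    return entries.get(("other", "", False), 0), "other"


def audit(text, user="splunk"):
    """Map each path to its effective permission for `user` plus any findings."""
    report = {}
    for rec in parse_getfacl(text):
        eff, source = effective_for_user(rec, user)
        named = rec["entries"].get(("user", user, False))
        mask = rec["entries"].get(("mask", "", False))
        issues = []
        if named is not None and mask is not None and named & ~mask:
            issues.append(f"mask clips u:{user}:{bits_str(named)} to {bits_str(eff)}")
        if eff & PERM_BITS["w"]:
            issues.append("write granted; log collection needs read only")
        if source == "other":
            issues.append(f"no named ACL entry for {user}; access relies on other:: bits")
        if not eff & PERM_BITS["r"]:
            issues.append("not readable")
        report[rec["path"]] = {"effective": bits_str(eff), "issues": issues}
    return report


if __name__ == "__main__":
    for path, result in audit(SAMPLE_GETFACL).items():
        flags = "; ".join(result["issues"]) or "ok"
        print(f"{path:<20} {result['effective']}  {flags}")
```

Directories legitimately show `r-x`: the x bit on a directory is what lets the account traverse into it, which is why both answers grant `r-x` (or `r-X`) on the directory and `r--` on the files inside. The auditor only reports write as a finding, so a correct `r-x` on a directory passes while a file that somehow received `rw-` does not.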

Re: Permissions for splunk user on universal forwarder for Linux Add-on

Path Finder

Why is execute (x) included?
