When trying to get the Jboss add-on working on servers, I noticed that the configuration requires uid and pwd to connect to the jboss instance. But what's worse, it shows the credentials in plain text when doing a ps -ef|grep splunk:
splunk 7087 7042 0 Aug17 ? 00:00:00 /bin/sh /opt/splunkforwarder/etc/apps/Jboss_addon/bin/jmxstats -u splunk -p uid@pwd statistics service:jmx:remoting-jmx://localhost:99xx
The internal/local jboss account uid/pwd is said to be only accessible in Jboss console for readonly and statistics retrieval (so no alleged credentials, logs, stop/start possibilities). Haven't found any way to work around this. Yes, running the app/addon from the Splunk server and pulling (via JMX) data from the jboss servers is an option, but by using a deployment server and a generic config for all jboss servers/instances, this uid/pwd looks to outsiders as non-secure. Which partly is true of course.
Any suggestions?
You could add a transform to zap that data during index time to ensure it's never indexed; however, it doesn't prevent someone with access to the server from seeing that process via ps -ef also.
http://docs.splunk.com/Documentation/Splunk/6.4.2/Data/Anonymizedata
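
An added example, not part of the original thread: a shell sketch of the masking substitution the answer describes, run over a constructed copy of the ps line from the question, plus a check that counts jmxstats lines still carrying a `-p` value. The function names and the `########` mask string are assumptions made for this example.

```shell
#!/bin/sh
# Added example: mask the value that follows "-p" on jmxstats command lines
# before the text is stored, and verify that nothing slipped through.

# Constructed sample, modelled on the ps line quoted in the question.
SAMPLE='splunk 7087 7042 0 Aug17 ? 00:00:00 /bin/sh /opt/splunkforwarder/etc/apps/Jboss_addon/bin/jmxstats -u splunk -p uid@pwd statistics service:jmx:remoting-jmx://localhost:99xx'

# mask_jmx_password (hypothetical name): read lines on stdin and replace the
# argument after -p with a fixed mask, only on lines that mention jmxstats.
mask_jmx_password() {
    sed -E '/jmxstats/ s/([[:space:]]-p[[:space:]]+)[^[:space:]]+/\1########/g'
}

# count_exposed (hypothetical name): count stdin lines where jmxstats is
# followed by a -p argument whose value is anything other than the mask.
count_exposed() {
    awk '/jmxstats/ {
             for (i = 1; i < NF; i++)
                 if ($i == "-p" && $(i + 1) != "########") { n++; break }
         }
         END { print n + 0 }'
}

# Demonstration on the constructed sample.
echo "exposed before masking: $(printf '%s\n' "$SAMPLE" | count_exposed)"
MASKED=$(printf '%s\n' "$SAMPLE" | mask_jmx_password)
echo "$MASKED"
echo "exposed after masking:  $(printf '%s\n' "$MASKED" | count_exposed)"
```

The same pattern can be carried into the index-time anonymization rules covered by the linked documentation. It only cleans what gets stored; the command line stays readable in ps on the forwarder host.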