Deployment Architecture

Run Splunk as non-root user

mikefg
Communicator

I've been working on remediating this vulnerability https://www.splunk.com/view/SP-CAAAP3M "Potential Local Privilege Escalation through instructions to run Splunk as non-root user" and the 'fixes' don't seem to work. It seems like no matter the tactic (boot-start, init.d, systemd, etc.), the requirements for the vulnerability always seem to be met: 1, 2, and 3a and/or 3b.

"Potential Local Privilege Escalation through instructions to run Splunk as non-root user (SPL-144192)"

Is there a way to configure Splunk to start up and run that will mitigate the vulnerability?


meghasinghal
Engager

If you are working with a Linux system, then create an AD service account or a local account for the Splunk services.

Then stop the Splunk services and make the changes below in $SPLUNK_HOME/etc/splunk-launch.conf:

# SPLUNK_OS_USER
SPLUNK_OS_USER=account_name

Change permissions of $SPLUNK_HOME by chown -R account_name:account_name $SPLUNK_HOME and start the Splunk services.

mikefg
Communicator

Splunk Enterprise 8.0.5

I have a local 'splunk' user account that has all permissions (chown and chgrp) that is running Splunk.

The problem is that the vulnerability conditions are satisfied with this configuration.

1. Is met with Splunk being run as non-root user 'splunk'

2. Is met because in order to run splunk, the user has to have permissions to the dirs.

3a. Is met when Splunk is set to run at boot as specified user.

3b. Is met because the splunk user has to be set in splunk-launch.conf.

I don't see a way out of this with the recommended mitigation configuration.


### vuln info from https://www.splunk.com/view/SP-CAAAP3M

Potential Local Privilege Escalation through instructions to run Splunk as non-root user (SPL-144192)
Description: Specific configurations that have Splunk Enterprise, Splunk Light, or a Splunk Universal Forwarder running as non-root that match all the following characteristics:

1. Splunk Enterprise, Splunk Light, or the Universal Forwarder are running as non-root user.

2. $SPLUNK_HOME and $SPLUNK_HOME/etc both are owned by the running splunk user.

3. Satisfied one of the following conditions:

a. A Splunk init script created via $SPLUNK_HOME/bin/splunk enable boot-start -user <user> on Splunk 6.1.x or later.

b. A line with SPLUNK_OS_USER=<user> exists in $SPLUNK_HOME/etc/splunk-launch.conf

The above specific configurations of Splunk Enterprise, Splunk Light and Universal Forwarders are vulnerable to the Splunk Administrator being able to induce code execution as root.
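As an added example (not from this thread or from Splunk), a POSIX shell audit that tests an install against the three SPL-144192 conditions quoted above, so you can see which one your configuration is still satisfying. It assumes $SPLUNK_HOME and the OS user Splunk runs as are passed in, and that an init.d-style boot-start script lives at /etc/init.d/splunk unless another path is given.

```shell
#!/bin/sh
# Added example, not from the thread or from Splunk: audit a Splunk install
# against the three SPL-144192 conditions quoted above. Assumptions: the
# SPLUNK_HOME path and the OS user Splunk runs as are passed in; the init
# script path defaults to /etc/init.d/splunk (adjust for your platform).

# owner_of PATH -> prints the user that owns PATH (GNU stat, BSD fallback)
owner_of() {
    stat -c '%U' "$1" 2>/dev/null || stat -f '%Su' "$1" 2>/dev/null
}

# spl144192_check SPLUNK_HOME RUN_USER [INIT_SCRIPT]
# Prints the state of each condition; exits 0 only when 1, 2 and 3 are all
# met, i.e. the configuration matches the advisory.
spl144192_check() {
    home="$1"; run_user="$2"; init_script="${3:-/etc/init.d/splunk}"; met=0
    # 1. Splunk runs as a non-root user
    if [ "$run_user" != "root" ]; then
        echo "1: met (runs as '$run_user')"; met=$((met + 1))
    else
        echo "1: not met (runs as root)"
    fi

    # 2. $SPLUNK_HOME and $SPLUNK_HOME/etc both owned by the running user
    if [ "$(owner_of "$home")" = "$run_user" ] &&
       [ "$(owner_of "$home/etc")" = "$run_user" ]; then
        echo "2: met ($home and $home/etc owned by '$run_user')"; met=$((met + 1))
    else
        echo "2: not met"
    fi

    # 3a. init script from 'splunk enable boot-start -user <user>' exists
    # 3b. an uncommented SPLUNK_OS_USER= line exists in splunk-launch.conf
    cond3=0
    if [ -f "$init_script" ]; then
        echo "3a: met ($init_script exists)"; cond3=1
    fi
    if grep -Eq '^[[:space:]]*SPLUNK_OS_USER=' "$home/etc/splunk-launch.conf" 2>/dev/null; then
        echo "3b: met (SPLUNK_OS_USER set in splunk-launch.conf)"; cond3=1
    fi
    if [ "$cond3" -eq 0 ]; then echo "3: not met"; fi
    met=$((met + cond3))
    [ "$met" -eq 3 ]
}

# Usage: sh spl144192_check.sh /opt/splunk splunk [/etc/init.d/splunk]
if [ $# -ge 2 ]; then spl144192_check "$1" "$2" "$3"; fi
```

A non-zero exit means at least one condition is not met; the printed lines tell you which ones still hold so you can target the ownership or the SPLUNK_OS_USER line specifically.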

mattymo
Splunk Employee

What is your OS? Can you use a systemd unit file to avoid this?

https://docs.splunk.com/Documentation/Splunk/8.0.5/Admin/RunSplunkassystemdservice


- MattyMo

mikefg
Communicator

OS is CentOS. I tried systemd and it didn't seem to work; Splunk is still shown as run by user 'splunk'.

Tried both of these.

/opt/splunk/bin/splunk enable boot-start -systemd-managed 1 -user splunk

/opt/splunk/bin/splunk enable boot-start -systemd-managed 0 -user splunk


mikefg
Communicator

Using systemd without specifying a user seems to run it as 'root'.

mattymo
Splunk Employee

What OS are you using? Also, what version of Splunk, as systemd may be in play...

- MattyMo

inventsekar
SplunkTrust

Hi, may I know if you face the issue on UF, Light Forwarder, or Splunk Enterprise, please?

Your Splunk version number, please.

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, please consider upvoting. Thanks for reading!