
Using Sudo as part of an input command

Engager

I'm trying to run an nmap scan as an input to Splunk, which is running as a non-root user. I've set up sudo to allow passwordless root access to one command only. Entering an input via "Data inputs > Script".

Command: /usr/bin/sudo /usr/bin/nmap -A -O 192.168.0.0/24

But I get the following error:

Encountered the following error while trying to save: In handler 'script': The command path "/usr/bin/sudo" is not allowed for scripted inputs.

How can i make this work?

Splunk Version:  6.1.3
Splunk Build: 220630
Search & Reporting App Version: 6.1.3 
Ubuntu Linux x64 12.10, fully updated

Splunk Employee

We just want to know that someone administrator-like made the decision that Splunk should run that program.
It's easy enough to put a shell script into $SPLUNK_HOME/bin or in the bin directory of some app that runs the command you want, and then tell Splunk to run that thing.

We also have .path files, where you can place a one-command text file called something.path in a Splunk bin dir, and then tell Splunk to run the .path. We will read the command from the path and run that. (I'm a little vague at the moment on whether your args need to go in the .path or the conf; it's been a while.) This achieves the same goal: the administrator has made it very clear to Splunk that they have filesystem control, so we will run the referenced program.
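The wrapper-script route described in the answer above, written out as an added example (this is not code from the thread or from Splunk). The script lives under $SPLUNK_HOME/bin, the sudoers entry and inputs.conf stanza in the header are assumed, and the `--scan` argument is a guard so the file can also be sourced for its functions without launching a scan. The security point is that the sudoers rule names the exact argv, and the wrapper re-validates the target so that a later edit to the script cannot turn the rule into "run nmap as root with any options", which would otherwise hand over root-level file read and write through options such as `-iL` and `-oN`.

```shell
#!/bin/sh
# nmap_scan.sh - wrapper placed in $SPLUNK_HOME/bin so the scripted-input
# stanza names a file under Splunk's control instead of /usr/bin/sudo.
# Added example, not from the original thread. Assumed companion config:
#
#   /etc/sudoers.d/splunk-nmap   (exact argv, no wildcards, so the rule cannot
#                                 be widened by whoever can edit the input)
#     splunk ALL=(root) NOPASSWD: /usr/bin/nmap -A -O -oX - 192.168.0.0/24
#
#   inputs.conf
#     [script://$SPLUNK_HOME/bin/nmap_scan.sh --scan]
#     interval = 3600
#     sourcetype = nmap:xml

NMAP=/usr/bin/nmap
SUDO=/usr/bin/sudo
TARGET=192.168.0.0/24          # must match the sudoers entry byte for byte

# Accept only a bare IPv4 address or CIDR. The target is hard-coded above, but
# checking it again means a later edit cannot smuggle shell metacharacters or
# extra nmap options (such as -iL or --script) into the privileged argv.
valid_target() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# Print the exact command line that will be run, or fail on a bad target.
# "sudo -n" fails instead of hanging on a password prompt if the sudoers entry
# is missing; "-oX -" sends XML to stdout, which Splunk reads as the event.
scan_cmd() {
    valid_target "$1" || return 1
    printf '%s\n' "$SUDO -n $NMAP -A -O -oX - $1"
}

run_scan() {
    valid_target "$TARGET" || { echo "refusing target: $TARGET" >&2; exit 1; }
    exec "$SUDO" -n "$NMAP" -A -O -oX - "$TARGET"
}

case "${1:-}" in
    --scan) run_scan ;;
esac
```

Keep the script owned by root and not writable by the splunk user: anyone who can edit a file that sudo is willing to run on their behalf effectively holds the root privilege the sudoers entry grants.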

Ultra Champion

You could try using the Command Modular Input


Motivator

If you need this to operate on-demand in real time, the correct approach is not to be found within Splunk. It is to make nmap user-executable but with suitable privileges. Not knowing your particular system organisation I cannot provide specific instructions, but the answer probably involves the use of setuid privileges for your nmap executable, group ownership and file attributes that restrict its execution to a limited range of users, and group membership for Splunk in that select set of users. That way you can include nmap in scripts without resorting to sudo.

Alternately, if scheduled scans are sufficient, you could have a regular job writing to a log file as already suggested.

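The setuid-plus-group approach from the answer above, as an added example with concrete mode bits (not code from the thread). The group name "nmapscan" and the Splunk user name "splunk" are assumptions. Two caveats a practitioner should weigh before choosing this over a sudo wrapper: a setuid-root nmap lets every member of that group read and write arbitrary files as root through ordinary options (`-iL` for input, `-oN`/`-oX` for output, `--script` for Lua), so the group has to be treated as root-equivalent; and a package upgrade of nmap will replace the binary and silently drop the ownership and mode you set, so the check function below is worth running from monitoring.

```shell
#!/bin/sh
# Added example for the "setuid nmap restricted to a group" approach above;
# not from the original thread. Assumed names: group "nmapscan", Splunk runs
# as user "splunk". The privileged one-time steps (groupadd, chown root,
# usermod) need root; restrict_exec is the reusable part and is what can be
# exercised on a throwaway file owned by the current user.

# Tighten a binary so only members of $2 can execute it, and it runs as its
# owner: mode 4750 = setuid bit, owner rwx, group r-x, others nothing.
restrict_exec() {
    path=$1 group=$2
    chgrp "$group" "$path" && chmod 4750 "$path"
}

# Return the symbolic mode as shown by ls, e.g. "-rwsr-x---", for checking
# that an upgrade has not reset the bits.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# One-time root setup (assumed names; run as root). Splunk must be restarted
# afterwards so the splunkd process picks up the new group membership.
setup_nmap_group() {
    groupadd -f nmapscan
    chown root /usr/bin/nmap
    restrict_exec /usr/bin/nmap nmapscan
    usermod -a -G nmapscan splunk
}
```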

SplunkTrust

Hi deadbot,

It looks like this was hard-coded into splunkd for security reasons.

I would suggest that you run this as a normal script for user root and trigger it by crontab. The script then writes the scan result into a log file, which will then be taken in by Splunk.

See the nmap docs about nmap output options

hope this helps ...

cheers, MuS
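The root cron job plus file monitor that MuS describes, as an added example (not code from the thread). The log directory /var/log/nmap, the cron schedule, the monitor stanza and the retention period are assumptions. It uses nmap's greppable output (`-oG`), which emits one line per host and so needs no line-merging settings on the Splunk side; it writes each run to a temporary file and renames it so the monitor never sees a half-written scan, and it prunes old files so the directory Splunk has to track stays bounded.

```shell
#!/bin/sh
# nmap_cron.sh - added example for the "root cron job writes a log, Splunk
# monitors the log" approach above; not from the original thread. Assumed
# paths and config:
#
#   inputs.conf
#     [monitor:///var/log/nmap/*.gnmap]
#     sourcetype = nmap:grep
#
#   /etc/cron.d/nmap-scan   (runs as root, so no sudo is involved)
#     0 */6 * * * root /usr/local/sbin/nmap_cron.sh 192.168.0.0/24
#
# The directory is root-owned, group "splunk", mode 750: scan results describe
# your network and should be readable by Splunk only.

LOGDIR=${LOGDIR:-/var/log/nmap}
LOGGROUP=${LOGGROUP:-splunk}
KEEP_DAYS=${KEEP_DAYS:-30}

# Name each run's file after its start time so nothing is overwritten.
# $1 = directory, $2 = UTC timestamp YYYYmmddTHHMMSSZ (default: now)
scan_path() {
    printf '%s/scan-%s.gnmap\n' "$1" "${2:-$(date -u +%Y%m%dT%H%M%SZ)}"
}

# Delete scan files older than $2 days from $1. Prints the number removed.
prune_old() {
    n=0
    for f in $(find "$1" -name 'scan-*.gnmap' -type f -mtime "+$2"); do
        rm -f "$f" && n=$((n + 1))
    done
    echo "$n"
}

run_scan() {
    target=$1
    mkdir -p "$LOGDIR"
    chgrp "$LOGGROUP" "$LOGDIR" && chmod 750 "$LOGDIR"
    out=$(scan_path "$LOGDIR")
    tmp="$out.tmp"
    # -oG: one greppable line per host. Write to a temp file and rename so the
    # monitor input only ever sees a complete scan.
    /usr/bin/nmap -A -O -oG "$tmp" "$target" >/dev/null && mv "$tmp" "$out"
    prune_old "$LOGDIR" "$KEEP_DAYS" >/dev/null
}

case "${1:-}" in
    ''|-*) ;;                  # no target given: do nothing (lets the file be sourced)
    *) run_scan "$1" ;;
esac
```

Because the monitor stanza ends in `*.gnmap`, the `.tmp` file being written is never picked up; only the renamed result is indexed.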