Deployment Architecture

What privileges does the splunk user need on Linux?

markakirkland
Path Finder

Splunk encourages the practice of least privilege when using the 'splunk' user in a Linux environment.

Based on the following link in Splunk Docs:
http://docs.splunk.com/Documentation/Splunk/6.5.2/Security/Secureyourserviceaccounts

Question: Is there a list of permissions the 'splunk' user will need to have on any folders outside of the $SPLUNK_HOME/ directories?

For example, I have seen posts refer to /udev/random. I have also encountered the occasional permissions issue while in Splunk, resulting in an inability to save and/or modify in a specific folder outside of $SPLUNK_HOME/

Thank you.

1 Solution

nickhills
Ultra Champion

A Splunk indexer, search head, deployment server, deployer, cluster manager etc. should all run quite happily with the default "splunk:splunk" permissions only on $SPLUNK_HOME/
(if you're sticking to the standard TCP ports)

However, the permissions you need for a Universal or Heavy Forwarder will depend on what and how you are collecting data.

In our environment, our splunk servers all run as the splunk limited user. We use iptables to forward 443 to splunk, which means we don't have to run as root for access to the low port numbers.

Our forwarders run with a combination of permissions. In some cases we give the splunk user access to the folders, but in others we run them as root, as this provides the necessary file system log access without having to change system-wide permissions. We take extra care in these cases to make sure that traffic is very tightly controlled to/from these machines, and always use our own certificates and strong passwords.

If my comment helps, please give it a thumbs up!
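An added example, not from the thread: a small POSIX shell script that turns nickhills's advice into checks and generated commands. It lists files under $SPLUNK_HOME that are not owned by the service account (the leftovers of a first run as root, as he describes later in the thread), checks that a device node such as /dev/random is world read/write, and prints the chown and iptables REDIRECT commands that let the splunk user serve TCP/443 without ever binding a port below 1024. The setfacl lines are my alternative to running a forwarder as root for log access, not something nickhills describes. /opt/splunk, the splunk user, /var/log and port 8000 (the Splunk Web default) as the 443 target are all assumptions; adjust them to your deployment.

```shell
#!/bin/sh
# Added example, not code from the Splunk thread or from Splunk itself.
# Assumptions: SPLUNK_HOME=/opt/splunk, service user 'splunk', Splunk Web
# listening on 8000. Override via the environment before running.

SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"
SPLUNK_USER="${SPLUNK_USER:-splunk}"

# Print every path under $1 not owned by user $2 (name or numeric UID).
# Returns 0 when ownership is clean, 1 when foreign-owned files remain.
find_foreign_owned() {
    dir="$1"; owner="$2"
    out=$(find "$dir" ! -user "$owner" 2>/dev/null)
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Return 0 if the node at $1 has mode 666, i.e. the crw-rw-rw- the thread
# reports on /dev/random; 1 if not; 2 if the path cannot be stat'ed.
device_is_world_rw() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 2
    [ "$mode" = "666" ]
}

# Print (do not run) the commands that hand $1 to user $2 and redirect
# TCP/$3 to the unprivileged port $4. The PREROUTING rule only affects
# traffic arriving from other hosts; add the same rule to the OUTPUT
# chain if you also need connections from the box itself redirected.
privilege_fixup_commands() {
    home="$1"; user="$2"; lowport="$3"; highport="$4"
    cat <<EOF
chown -R ${user}:${user} ${home}
iptables -t nat -A PREROUTING -p tcp --dport ${lowport} -j REDIRECT --to-ports ${highport}
EOF
}

# Forwarder alternative to running as root: a read-only ACL on the log
# tree for user $2. 'X' grants traversal on directories only, and the
# second line sets a default ACL so rotated/new files inherit it.
log_access_commands() {
    logdir="$1"; user="$2"
    cat <<EOF
setfacl -R -m u:${user}:rX ${logdir}
setfacl -R -d -m u:${user}:rX ${logdir}
EOF
}

# Usage: sh splunk_privcheck.sh --report   (safe to run unprivileged)
if [ "${1:-}" = "--report" ]; then
    find_foreign_owned "$SPLUNK_HOME" "$SPLUNK_USER" && echo "ownership of $SPLUNK_HOME OK"
    device_is_world_rw /dev/random && echo "/dev/random is world rw OK"
    echo "# run as root to apply:"
    privilege_fixup_commands "$SPLUNK_HOME" "$SPLUNK_USER" 443 8000
    log_access_commands /var/log "$SPLUNK_USER"
fi
```

The commands are printed rather than executed so the script can be run as the splunk user to see what needs fixing; pipe the output to sh as root to apply it. The chown must happen before the switch to the splunk user, otherwise splunkd cannot write its own etc/ and var/ trees, which is the kind of "cannot save" failure the question describes.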

starcher
Influencer

Try to never run as root if you can.
https://github.com/MattUebel/splunk_UF_hardening

markakirkland
Path Finder

Interesting... my recall may be failing me, but, I think I was on an indexer (creating an index via GUI... don't judge me too badly... :D) and trying to save a colddb to a location inside of $SPLUNK_HOME. It's possible that it may have been one directory higher...

Hmmm... maybe I didn't apply the correct permissions after expanding the .tgz?

Unfortunately, there is no way for me to check, the system I built was only temporary.

Do you have any information on the /udev/random permission?

And, thank you for taking time to help me understand.


nickhills
Ultra Champion

When we first installed Splunk, keen and excited we originally ran it all as root. This meant that we had some permission housekeeping to do when we moved to using the splunk user.
Although if your other indexes were ok, my guess is that 'someone' may have fiddled with the perms in your deployment (I too have seen similar - their entrails are now hung from the ceiling as a reminder to others) 🙂

I have just checked out half a dozen of my servers (amazon, centos6.5, centos7) and all have permissions crw-rw-rw- on /dev/random, so I can't see that it should ever be an issue... unless the previous owner of my ceiling decorations had been at your box too! 🙂

If my comment helps, please give it a thumbs up!

nickhills
Ultra Champion

Hello - If my answer or comments helped you, please accept the answer and upvote. This helps others know that you found a solution, and how it was fixed.

If my comment helps, please give it a thumbs up!