Deployment Architecture

Why does splunk need to be installed as root?

pbrunel_splunk
Splunk Employee

The docs mention installs need to be done as root (but don't really explain why)
- http://docs.splunk.com/Documentation/Splunk/6.2.0/Installation/RunSplunkasadifferentornon-rootuser

Some answers refer to the need to provide, to the user running splunk, access to /dev/urandom, though it isn't clear why that's necessary (encryption?)
- http://answers.splunk.com/answers/49153/install-splunk-as-non-root-user.html

What aspects of the installation of Splunk require root privileges? For the more security-conscious sysadmins out there, being able to install Splunk without opening the root kimono would be much preferable.

BTW, as a test, I installed Splunk as a non-root user (on a host where Splunk was already installed), then brought up this new instance as that user, and verified there weren't any errors during startup. I also verified that I could log in to the UI and do basic navigation. So at first glance, it looks like root privileges aren't a requirement. Then again, this was far from a thorough shake-out test, and could've missed something.

1 Solution

jrodman
Splunk Employee

Splunk does not need to be installed as root, but you cannot install packages on Linux, Solaris, or FreeBSD as non-root, generally speaking. A tar-based install should work of course.

I think it was just easier to write the how-to in the scope of unpacking it as root in order to create a splunk user, since that's reasonable best-practice in any event, and the boot-start action will require root access, though you're free to set up init scripts or equivalent yourself.


sloshburch
Splunk Employee

(Not sure if this counts as an answer or a comment as I'm kind of building off of the prior answer.)

I never install as root. Splunk has the ability to run scripts as scripted inputs and as the result of a triggered alert. That, to me, is too high a risk to allow it to run as root. Obviously running as non-root means you'll need to make sure any inputs have proper permissions and/or sudo where required; none of that has been complicated or labor-intensive enough to persuade me to install as root.

Here's what I do:

  1. root: create a "splunk" user account
  2. root: install with rpm
  3. root: chown and chmod to make sure the install is owned by the "splunk" account and can execute stuff in the bin directory, respectively (just to be super duper safe)
  4. splunk: start Splunk:
       su - ${USER} -c "${SPLUNK_HOME}/bin/splunk start --answer-yes --no-prompt --accept-license"
  5. root: enable boot start AS splunk:
       ${SPLUNK_HOME}/bin/splunk enable boot-start -user ${USER}

All of that should be in the documentation if you need further explanation on any of the params, etc...

Happy Splunking!
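The five steps above, scripted, as an added example that is not code from the post or from Splunk. It assumes a Linux host with useradd and rpm, that SPLUNK_HOME, the service account name and the rpm path are passed in by the caller, and it adds two things of my own: a DRY_RUN mode that prints the privileged commands instead of running them, and an audit_splunk_home check that flags anything under SPLUNK_HOME not owned by the service account, world-writable, or setuid, which is the state the chown/chmod step is meant to guarantee.

```shell
#!/bin/sh
# Added example: non-root Splunk install following the five steps in the thread.
# Assumptions (not from the post): useradd/rpm are available, the caller supplies
# SPLUNK_HOME, service-account name and rpm path, and DRY_RUN=1 only prints the
# privileged commands. Run the install function as root; step 4 drops to the
# service account via su.
set -u

# Execute a command, or just print it when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# install_splunk_nonroot SPLUNK_HOME SERVICE_USER RPM_PATH
install_splunk_nonroot() {
  home="$1"; user="$2"; rpm_path="$3"

  # 1. root: create the unprivileged service account (system account, home = SPLUNK_HOME)
  run useradd -r -d "$home" -s /bin/bash "$user"

  # 2. root: package installation itself needs root (rpm database, /opt)
  run rpm -i "$rpm_path"

  # 3. root: hand the tree to the service account and make sure bin/ is executable by it
  run chown -R "$user:$user" "$home"
  run chmod -R u+x "$home/bin"

  # 4. service account: first start, accepting the license non-interactively
  run su - "$user" -c "$home/bin/splunk start --answer-yes --no-prompt --accept-license"

  # 5. root: register the init/boot hook, but tell it to run Splunk as the service account
  run "$home/bin/splunk" enable boot-start -user "$user"
}

# audit_splunk_home SPLUNK_HOME SERVICE_USER
# Prints the number of entries under SPLUNK_HOME that are not owned by the
# service account, are world-writable, or carry the setuid bit. Expect 0 after
# step 3; anything else means root-owned or over-permissive files crept in.
audit_splunk_home() {
  home="$1"; user="$2"
  n=$(find "$home" \( ! -user "$user" -o -perm -0002 -o -perm -4000 \) -print | wc -l)
  echo "$n" | tr -d ' '
}

# Usage: ./install.sh /opt/splunk splunk /path/to/splunk-PLACEHOLDER.rpm
if [ $# -eq 3 ]; then
  install_splunk_nonroot "$1" "$2" "$3"
  echo "findings: $(audit_splunk_home "$1" "$2")"
fi
```

The audit is deliberately separate from the install so it can be re-run later (for example after an app deploys with the wrong umask); a non-zero count is the signal that the "runs as non-root" assumption no longer holds on disk.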

Jarohnimo
Builder

Changed to Kudos, not sure what I was thinking with my original comment

isoutamo
SplunkTrust

Hi
There are two separate things:

  • install as root (or at least partially)
  • running as another user

If you want to use e.g. an rpm package or automatic start on boot, it's mandatory to use at least sudo (as root) when you are doing the installation. BUT after that you can and actually should run Splunk as a non-root account like splunk or srv-splk or anything else than root.

Also UFs should run as a non-root user, but that needs quite a lot of fine tuning to access all needed log files.

Ismo

rob_gibson
Path Finder

I downvoted this post because boot-start can be enabled/disabled via sudo. It does not require root.


afx
Contributor

I downvoted this post because downvoting without a clue.

aa70627
Communicator

@rob.gibson, I'm not sure why you would downvote this post.

'sudo' is a setuid root binary, which executes root commands on behalf of authorized users; the users need to enter their own password to execute a system command preceded by 'sudo'.

jrodman
Splunk Employee

Sudo is a mechanism by which you can enable users to take actions as other users, typically to take actions as root.
