To run the Docker Universal Forwarder container the environment variable SPLUNK_PASSWORD must be set.
In short, do I really need to keep secret the SPLUNK_PASSWORD used in a Docker Universal Forwarder container?
Hi richmanho,
You absolutely should keep the UF password secret. The password is to protect Splunk’s universal forwarder Access to its rest API on port 8089. The risk is that if someone who is knowledgeable with splunks rest api can gain access, they can then use this to execute scripts, hijack the machine, etc with the full privileges that the universal forwarder has on the docker. The rest api can be disabled if necessary. I suggest reading this article as it contains more details on the risks: https://splunktime.com/universal-forwarder-hardening-disable-the-management-port/
If the container is running in such a way that there are no incoming ports enabled, wouldn't that be sufficient to make the REST API and as a result make the issue of SPLUNK_PASSWORD moot?
Hi richmanho,
I would appreciate it if you could mark the question with accepted answer if I was able to do so.
yes it would richmanho.