Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Does SPLUNK_PASSWORD in Docker UF need to be kept secret?

richmanho
New Member
‎05-22-2019 07:46 AM

To run the Docker Universal Forwarder container the environment variable SPLUNK_PASSWORD must be set.

  1. In this context, what is the purpose of SPLUNK_PASSWORD?
  2. If someone knows this value, what access can they gain to my Docker UF container?

In short, do I really need to keep secret the SPLUNK_PASSWORD used in a Docker Universal Forwarder container?

Tags (2)
0 Karma
Reply

damiensurat
Contributor
‎05-23-2019 05:23 AM

Hi richmanho,
You absolutely should keep the UF password secret. The password is to protect Splunk’s universal forwarder Access to its rest API on port 8089. The risk is that if someone who is knowledgeable with splunks rest api can gain access, they can then use this to execute scripts, hijack the machine, etc with the full privileges that the universal forwarder has on the docker. The rest api can be disabled if necessary. I suggest reading this article as it contains more details on the risks: https://splunktime.com/universal-forwarder-hardening-disable-the-management-port/

0 Karma
Reply

richmanho
New Member
‎05-23-2019 06:31 PM

If the container is running in such a way that there are no incoming ports enabled, wouldn't that be sufficient to make the REST API and as a result make the issue of SPLUNK_PASSWORD moot?

0 Karma
Reply

damiensurat
Contributor
‎05-28-2019 07:06 AM

Hi richmanho,
I would appreciate it if you could mark the question with accepted answer if I was able to do so.

0 Karma
Reply

damiensurat
Contributor
‎05-24-2019 06:43 AM

yes it would richmanho.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...