Does SPLUNK_PASSWORD in Docker UF need to be kept ...

richmanho · ‎05-22-2019

To run the Docker Universal Forwarder container the environment variable SPLUNK_PASSWORD must be set.

In this context, what is the purpose of SPLUNK_PASSWORD?
If someone knows this value, what access can they gain to my Docker UF container?

In short, do I really need to keep secret the SPLUNK_PASSWORD used in a Docker Universal Forwarder container?

damiensurat · ‎05-23-2019

Hi richmanho,
You absolutely should keep the UF password secret. The password is to protect Splunk’s universal forwarder Access to its rest API on port 8089. The risk is that if someone who is knowledgeable with splunks rest api can gain access, they can then use this to execute scripts, hijack the machine, etc with the full privileges that the universal forwarder has on the docker. The rest api can be disabled if necessary. I suggest reading this article as it contains more details on the risks: https://splunktime.com/universal-forwarder-hardening-disable-the-management-port/

richmanho · ‎05-23-2019

If the container is running in such a way that there are no incoming ports enabled, wouldn't that be sufficient to make the REST API and as a result make the issue of SPLUNK_PASSWORD moot?

damiensurat · ‎05-28-2019

Hi richmanho,
I would appreciate it if you could mark the question with accepted answer if I was able to do so.

damiensurat · ‎05-24-2019

yes it would richmanho.

Does SPLUNK_PASSWORD in Docker UF need to be kept secret?

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms

Updated Team Landing Page in Splunk Observability