Getting Data In

Does SPLUNK_PASSWORD in Docker UF need to be kept secret?

New Member

To run the Docker Universal Forwarder container the environment variable SPLUNK_PASSWORD must be set.

  1. In this context, what is the purpose of SPLUNK_PASSWORD?
  2. If someone knows this value, what access can they gain to my Docker UF container?

In short, do I really need to keep secret the SPLUNK_PASSWORD used in a Docker Universal Forwarder container?

Tags (2)
0 Karma

Contributor

Hi richmanho,
You absolutely should keep the UF password secret. The password is to protect Splunk’s universal forwarder Access to its rest API on port 8089. The risk is that if someone who is knowledgeable with splunks rest api can gain access, they can then use this to execute scripts, hijack the machine, etc with the full privileges that the universal forwarder has on the docker. The rest api can be disabled if necessary. I suggest reading this article as it contains more details on the risks: https://splunktime.com/universal-forwarder-hardening-disable-the-management-port/

0 Karma

New Member

If the container is running in such a way that there are no incoming ports enabled, wouldn't that be sufficient to make the REST API and as a result make the issue of SPLUNK_PASSWORD moot?

0 Karma

Contributor

Hi richmanho,
I would appreciate it if you could mark the question with accepted answer if I was able to do so.

0 Karma

Contributor

yes it would richmanho.

0 Karma
Don’t Miss Global Splunk
User Groups Week!

Free LIVE events worldwide 2/8-2/12
Connect, learn, and collect rad prizes and swag!