Installation
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Linux: Splunk Universal Forwarder as non-root with supplementary groups

DATEVeG
Path Finder
‎09-01-2020 06:53 AM

Hi,

 

our splunk  universal forwarder is runnning under a non-root service account, which is defined in our central ldap.

 

We upgraded our universal forwarder from 7.3.7 to 8.0.5 and now our forwarder cannot monitor our file anymore.

 

The file to be monitored is set as following:

#ls -al /tmp/ldap-group-test

-rw-r-----. 1 root ldapgroup 100 Sep 1 09:27 /tmp/ldap-group-test

 

Our splunk service account user is a member of the group ldapgroup:

#id ldapsplunk
uid=100007(ldapsplunk) gid=100008(ldapsplunkgroup) groups=100008(ldapsplunkgroup),100009(ldapgroup)

 

In Splunk with a universal forwarder in version 8.0.5 we get a permission denied.

If we use a scripted input (inputs.conf) to display the user and group context of the currently running splunk forwarder session:

bin/display_groups.sh

#/bin/bash

hostname=$(hostname)
time=$(date +%s)
id=$(id)
rc=$?

echo "${time} - ${hostname} - ${id} - ${rc}"

we get as output:

1598967093 - splunkhost.bla.fasel.de - uid=100007(ldapsplunk) gid=100008(ldapsplunkgroup) groups=100008(ldapsplunkgroup) context=system_u:system_r:unconfined_service_t:s0 - 0

 

As you can see, the membership of ldapgroup is missing here.

It seems that during the start process of the universal forwarder, the permissions for ldap groups aren't passed correctly.

 

Has anyone already noticed this? Are there any workarounds other than downgrading to version 7.3?

Thanks

- Lorenz

 

Labels (2)
Labels
Tags (2)
0 Karma
Reply

thambisetty
SplunkTrust
SplunkTrust
‎09-01-2020 07:40 AM

I have tested your scenario, my splunk is running with user splunk and group splunk

I have created a new group added user to new group also.

I have created test.sh with code you shared.

when I ran test.sh using splunk cmd bash test.sh 

I can see old group and new group. 

I don't that is an issue with Splunk.

————————————
If this helps, give a like below.
0 Karma
Reply

DATEVeG
Path Finder
‎09-01-2020 08:41 AM

Hi,

 

local groups are working for me as well. The problem is only with groups from ldap.

Did you try with ldap groups?

And: Did you really try to run my script as a real scripted input via inputs.conf and not over regular cli?

 

- Lorenz

0 Karma
Reply
Get Updates on the Splunk Community!

.conf23 | Get Your Cybersecurity Defense Analyst Certification in Vegas

We’re excited to announce a new Splunk certification exam being released at .conf23! If you’re going to Las ...

Streamline Data Ingestion With Deployment Server Essentials

REGISTER NOW!Every day the list of sources Admins are responsible for gets bigger and bigger, often making the ...

Remediate Threats Faster and Simplify Investigations With Splunk Enterprise Security ...

REGISTER NOW!Join us for a Tech Talk around our latest release of Splunk Enterprise Security 7.2! We’ll walk ...