Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Disable Management port on Universal Forwarder- other than most cli commands, will anything important to the UF break?

jplumsdaine22
Influencer
‎04-26-2021 03:14 AM

I've seen a few older posts on this, so I thought I might try and get a more recent answer. 

There are situations in which you might want to run the Universal forwarder as root.  Sensibly new versions of the uf remove the default password issue, but the existence of the Splunk management port running as root exposes the UF to the possibility of a remote and local  privilege escalation, whether through poor password management by an admin or some undiscovered authentication flaw in the UF itself. 

Disabling the management port altogether should remove that vector entirely.

There is a documented method in server.conf To save you looking it up here are the docs from 8.1.3

disableDefaultPort = <boolean>
* If set to "true", turns off listening on the splunkd management port,
  which is 8089 by default.
* NOTE: Changing this setting is not recommended.
  * This is the general communication path to splunkd.  If it is disabled,
    there is no way to communicate with a running splunk instance.
  * This means many command line splunk invocations cannot function,
    Splunk Web cannot function, the REST interface cannot function, etc.
  * If you choose to disable the port anyway, understand that you are
    selecting reduced Splunk functionality.
* Default: false

In my testing enabling it on an UF seems OK. Some CLI commands fail, notably anything that needs to authenticate.

My question is that other than most cli commands, will anything important to the UF break?

Labels (1)
Labels
0 Karma
Reply

kvm
Explorer
‎11-28-2022 09:06 PM 
Please read the complete config information:

disableDefaultPort = <boolean>
* If set to "true", turns off listening on the splunkd management port,
  which is 8089 by default.
* On Universal Forwarders, when  this value is "true" the value set 
  for mgmtHostPort in web.conf will be ignored. Similarly, when set to "false", 
  the value set for mgmtHostPort in web.conf will be used for binding management port.
* NOTE: On Universal Forwarders, to reduce the risk of exploitation Splunk recommends 
  the management port is disabled and local CLI is not used. If the management port is enabled, 
  a valid TLS certification should be installed and the port should be bound to localhost.
* NOTE: Changing this setting is not recommended on other Splunk instances.
  * This is the general communication path to splunkd.  If it is disabled,
    there is no way to communicate with a running splunk instance.
  * This means many command line splunk invocations cannot function,
    Splunk Web cannot function, the REST interface cannot function, etc.
  * If you choose to disable the port anyway, understand that you are
    selecting reduced Splunk functionality.
* Default: false
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎04-26-2021 06:25 AM

The older posts on this topic are still valid.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...