Security

Disable Management port on Universal Forwarder- other than most cli commands, will anything important to the UF break?

jplumsdaine22
Influencer

I've seen a few older posts on this, so I thought I might try and get a more recent answer. 

There are situations in which you might want to run the Universal forwarder as root.  Sensibly new versions of the uf remove the default password issue, but the existence of the Splunk management port running as root exposes the UF to the possibility of a remote and local  privilege escalation, whether through poor password management by an admin or some undiscovered authentication flaw in the UF itself. 

Disabling the management port altogether should remove that vector entirely.

There is a documented method in server.conf To save you looking it up here are the docs from 8.1.3

disableDefaultPort = <boolean>
* If set to "true", turns off listening on the splunkd management port,
  which is 8089 by default.
* NOTE: Changing this setting is not recommended.
  * This is the general communication path to splunkd.  If it is disabled,
    there is no way to communicate with a running splunk instance.
  * This means many command line splunk invocations cannot function,
    Splunk Web cannot function, the REST interface cannot function, etc.
  * If you choose to disable the port anyway, understand that you are
    selecting reduced Splunk functionality.
* Default: false

In my testing enabling it on an UF seems OK. Some CLI commands fail, notably anything that needs to authenticate.

My question is that other than most cli commands, will anything important to the UF break?

Labels (1)
0 Karma

kvm
Explorer
Please read the complete config information:

disableDefaultPort = <boolean> * If set to "true", turns off listening on the splunkd management port, which is 8089 by default. * On Universal Forwarders, when this value is "true" the value set for mgmtHostPort in web.conf will be ignored. Similarly, when set to "false", the value set for mgmtHostPort in web.conf will be used for binding management port. * NOTE: On Universal Forwarders, to reduce the risk of exploitation Splunk recommends the management port is disabled and local CLI is not used. If the management port is enabled, a valid TLS certification should be installed and the port should be bound to localhost. * NOTE: Changing this setting is not recommended on other Splunk instances. * This is the general communication path to splunkd. If it is disabled, there is no way to communicate with a running splunk instance. * This means many command line splunk invocations cannot function, Splunk Web cannot function, the REST interface cannot function, etc. * If you choose to disable the port anyway, understand that you are selecting reduced Splunk functionality. * Default: false
0 Karma

richgalloway
SplunkTrust
SplunkTrust

The older posts on this topic are still valid.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

New Dates, New City: Save the Date for .conf25!

Wake up, babe! New .conf25 dates AND location just dropped!! That's right, this year, .conf25 is taking place ...

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...

Observability protocols to know about

Observability protocols define the specifications or formats for collecting, encoding, transporting, and ...