
How do I start/stop splunkforwarder 6.2 on AIX without access to startsrc or stopsrc as a non-root user?

harry_hodge
Explorer

I just installed Splunk forwarder 6.2 on AIX. It appears it now uses startsrc and stopsrc commands to stop and start splunk. These are privileged commands which the splunk user does not have access to so I can no longer start/stop splunk from the non-root user.

From the non-root splunk user:

Stopping splunkd...
Shutting down.  Please wait, as this may take a few minutes.
execve: Permission denied
  while running command /usr/bin/stopsrc
Could not kill pid 6619336.

So when I look at startsrc as a non-root user:

startsrc -g splunk
ksh: startsrc: 0403-006 Execute permission denied.

I have tried with and without the /etc/inittab entry with and without the -user tag.


dwaddle
SplunkTrust
SplunkTrust

Options:

  1. Use /opt/splunkforwarder/bin/splunk {start,stop}. This should start / stop Splunk without SRC's involvement.
  2. Have your system administrator use sudo to enable you to do this one thing.

I'm curious if you're actually doing #1 above already and still running into these issues.


rob_gibson
Path Finder

The message I'm hearing regarding this issue is you can use splunk start/stop as long as boot start is not enabled. That is not a workaround.

  • I want to have splunk start automatically on a system reboot.
  • I do not have root access and need to start and stop splunk on occasion.

Can this be accomplished?

Splunk support told me I need write access to /etc/inittab - is that the only way it is possible to use startsrc -s splunkd?


dwaddle
SplunkTrust
SplunkTrust

So, apparently, Splunk has made some changes here with respect to how boot-start works. I don't have access to any AIX systems at this point to be able to fully test.

When you enable splunk boot-start, this causes Splunk to add itself to the SRC (subsystem resource controller) as a service, and it causes it to add an entry to /etc/inittab to do a startsrc -g splunk. From here, using the SRC commands to stop and start splunk is highly recommended.

As to whether or not your non-root user can run startsrc / stopsrc command, this is an AIX RBAC issue and / or a place for sudo. I would suggest talking to your sysadmin, and having her explain how the server's RBAC is configured and whether or not you can be given the rights to use the startsrc and stopsrc.


rob_gibson
Path Finder

Thanks for the reply dwaddle.

Splunk docs suggest a -s to start/stop with SRC, but neither -g nor -s works for me.

I'll try engaging a sysadmin to get some answers, as RBAC is completely foreign to me.


harry_hodge
Explorer

I went back to basics. If I just leave out the entry:

/opt/splunkforwarder/bin/splunk enable boot-start

I am OK.
I have replaced it with

root:2:once:su - splunk "-c splunk start" > /dev/console 2>&1

which brings back all the happiness. Thanks for the help.
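A small POSIX shell helper, added here as an example and not code from the thread or from Splunk, that picks the start/stop command a non-root splunk user can actually run: the SRC command directly if it is executable, via sudo as in dwaddle's option 2, or plain splunk start/stop, which as harry_hodge found only works when boot-start is not enabled and an inittab su line is used instead. SPLUNK_HOME, SRC_BIN and the subsystem group name "splunk" are assumptions.

```shell
#!/bin/sh
# Constructed example: choose how a non-root splunk user should start/stop the
# forwarder on AIX, depending on whether SRC commands are reachable.
SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunkforwarder}"   # assumed install path
SRC_BIN="${SRC_BIN:-/usr/bin}"                       # where startsrc/stopsrc live

# can_run PATH -> success if the current user may execute PATH directly
can_run() { [ -x "$1" ]; }

# sudo_allows PATH -> success if sudo permits "PATH -g splunk" without a prompt
sudo_allows() {
  command -v sudo >/dev/null 2>&1 || return 1
  sudo -n -l -- "$1" -g splunk >/dev/null 2>&1
}

# pick_cmd start|stop -> prints the command line to use, exit 2 on bad action
pick_cmd() {
  action="$1"
  case "$action" in
    start) src="$SRC_BIN/startsrc" ;;
    stop)  src="$SRC_BIN/stopsrc" ;;
    *) echo "usage: pick_cmd start|stop" >&2; return 2 ;;
  esac
  if can_run "$src"; then
    echo "$src -g splunk"                 # RBAC grants direct use of SRC
  elif sudo_allows "$src"; then
    echo "sudo -n $src -g splunk"         # least-privilege sudo rule for SRC only
  else
    # No SRC access: only works if boot-start is disabled and startup is handled
    # by an inittab "su - splunk" line, otherwise splunk stop calls stopsrc itself.
    echo "$SPLUNK_HOME/bin/splunk $action"
  fi
}

# Usage: sh splunkctl.sh start|stop  (prints the chosen command, then runs it)
if [ $# -eq 1 ]; then
  cmd=$(pick_cmd "$1") || exit 2
  echo "+ $cmd"
  eval "$cmd"
fi
```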
