If you disable the REST port as @acharlieh suggests that risk goes down a lot more, as there is little to no remote attack surface. But, there are other things to worry about too. My favorite is whether or not you use deployment server, and is your SSL configuration between the UF and the Deployment Server sufficiently robust? The person who controls deployment server controls the user running Splunk on every deployment client. Are you SURE nobody can impersonate your DS on the network, and push an app that runs a new script as root?

To expand on what @dwaddle said…

The ideal way to solve this would be to configure systemd to start the Splunk service with the CAP_DAC_READ_SEARCH capability, which bypasses file read permission checks and directory read and execute permission checks. Effectively, a process with CAP_DAC_READ_SEARCH can read any file or open and directory on the system.

(Depending on how Splunk uses fanotify(7), it might also need the CAP_SYS_ADMIN capability.)

Unfortunately, a bug in Splunk prevents this from working. Specifically, Splunk erroneously uses faccessat(2) to check whether it has read access to a log file before attempting to open it. Per access(2), when a non-root user calls any of access(2) family of system calls, the access test is performed using an empty capability set. Quoting the man page verbatim:

In other words, access() does not answer the "can I read/write/execute this file?" question. It answers a slightly different question: "(assuming I'm a setuid binary) can the user who invoked me read/write/execute this file?", which gives set-user-ID programs the possibility to prevent malicious users from causing them to read files which users shouldn't be able to read.

Splunk misunderstands this—it is using faccessat(2) to ask “can I read this log file?”, which is wrong; faccessat(2) will return EPERM even though opening the log file would succeed (because the Splunk process holds the CAP_DAC_READ_SEARCH capability).

On a Unix system, the correct way to test whether the current process has read access to a file is simply to attempt to open the file. If the attempt succeeds, you have read access; if the attempt fails with EPERM, you don’t. Using faccessat(2) to test whether the current process has read access is wrong.

I reported this to Splunk as a bug; Splunk refused to acknowledge it as such. The only option Splunk gave me to try to get this bug corrected was to file a Splunk idea, which I did: EID-I-759.

If anyone else would like to see this long-standing bug in Splunk finally fixed, I would encourage you to vote for EID-I-759.

Excellent answer! Thank you.

Sorry for the late response, I lost track of this...

We ended up creating a special group to which the "splunk" user can belong and giving that group read permissions on the files in question.

Hi,

I think I managed to get the setcap CAP_DAC_READ_SEARCH working but still very early to confirm.
In summary, this is what I've done to prevent those "error while loading shared libraries" you get when trying to start Splunk after the setcap:

As root
------------
setcap CAP_DAC_READ_SEARCH+ep /opt/splunkforwarder/bin/splunkd
echo "/opt/splunkforwarder/lib" >> /etc/ld.so.conf.d/splunk.conf
ldconfig

Now I'm trying to get all the different Linux and Unix App scripts working with the minimum set of permissions. Will probably post it somewhere if I ever manage to do so.

Thanks,
J

I would be happy if this works, but I'm guessing it does not. I did something similar in testing, and while it solves one issue, a new one pops up. Splunk uses the access() to test for ability to read files, and Linux interprets this differently when capabilities are enabled .. and not in the way we need it to be interpreted. So I think you're gonna hit a wall here.

Good news is I do have a case open on these types of issues and Splunk is at least looking at it. If you have a support agreement, I would strongly suggest that you file a support case of your own explaining how supporting capabilities like CAP_DAC_READ_SEARCH on Linux would make you so happy as a customer.

I think acharlieh is right. Assuming the log is being written by syslog you should be able have it write the correct permissions.

However if this isn't possible, you might be able to use 'setfacl' Unix command on the directory the file is in to add explicit perms for your Splunk user.

Something like this:
setfacl -m u:splunkuser:r /var/log

My data center tech tells me this about using the setfacl command on the particular file in question...

"The file rotates away, and along goes
the file acl with it. File access
permissions reside associated with the
file inode, and not the directory,
which means there is little chance of
the acl sticking, leaving the original
file intact upon rollover."

He says the same problem would exist if we used the setfacl on the directory that the file resides in.

Will the log's rotation really break any acl we set this way? Seems like that would basically defeat the purpose of the command...

(I suppose I could always just try it myself and see what happens.)

Splunk cannot override Unix security. If it could, that would be a Very Bad Thing. For Splunk to read a log, it must have permission to do so.

Therefore, if your logs are root:root 600, then you have two options: Run Splunk as root, or change the permissions on the logs.

Running a Splunk forwarder as root is somewhat common because of these permissions quandaries. It's simply an agent running locally which does not need to accept any incoming connections. (Everything a forwarder does is outbound initiated) Basically, the exposure of running a forwarder as root is relatively minimal. (Compared to the Splunk server which I would never recommend running as root) Yes, if Splunk is compromised the host is effectively rooted. But you have to be local to compromise Splunk, meaning you're likely rooted anyway.

There is also the fact that your application is writing logs to root:root 600 in the first place, which means your app runs as root. Just as much of a security risk as running Splunk as root, to be honest. That may not matter, but it's a precedence you can point to.

One note to @emiller42's comment: Actually you would not necessarily have to be local to compromise a UF. Just like full blown Splunk it opens port 8089 for the REST API. Now there are options around firewalls, turning this off, and other protections that could be taken, but by itself, a UF running as root opens a service as root that assuming the existence of an exploit, could be compromised and root the box.

I forgot about the REST endpoint. (In our setup, we don't allow that incoming traffic, so it's mitigated) Thanks for the catch!

Won't that run Splunk as the "root" user, though, not as the "splunk" user?

The other thing you can do is try to make sure that new files get +gr ("Group Read) permission in that directory (assuming user splunk is in the root group). The group ownership can be inherited by new files and folders created in your folder /path/to/parent by setting the setgid bit using chmod g+s like this:

chmod g+s /file/location/

Now, all new files and folder created under /file/location/ will have the same group assigned as is set on /file/location

POSIX file permissions are not inherited; they are given by the creating process and combined with its current umask value and you can use POSIX ACLs to control this; to set the default ACL on a directory:

setfacl -d -m u::rwX,g::rX,o::- /file/location/

This will apply setfacl to the /file/location/ directory, -modifying the -default ACLs – those that will be applied to newly created items. (Uppercase X means only directories will receive the +x bit.)

Also, If necessary, you can add a u:someuser:rwX or g:someuser:rwX – preferably a group – to the ACLs.

Yes, running Splunk as the root user is a problem.

We can't easily change the file permissions because it would require altering our application (we have all sorts of custom stuff under the hood)...and it's a piece of code that hasn't even been looked at by anyone in at least 5 years, probably longer. The current rotation resets permissions back to what I've listed in the post.