Security

Installing and running splunk as splunk user when user is in AD/LDAP

Builder

Couple of facts:

  • I am installing Splunk from the source (*.tgz file).
  • Our Splunk account is part of AD/LDAP

A few questions:
1. If I want it to be installed in /opt, what permissions do I set on the /opt directory w/o opening it up completely or making it owned by Splunk? Is there a better place to install this?
2. Can I use a service account that is in LDAP/AD to start Splunk? Would it work with:

/opt/splunk/bin/splunk enable boot-start -user splunk

Any suggestions on this is most welcome! Thank you in advance.

0 Karma

Contributor

We install Splunk on Solaris and AIX to run as user splunk, on Linux we run it as user root, this mainly as we have to logfiles protected on Linux so the forwarder would not be able to rad them. On Solaris wee start the splunk daemon with the privileges 'basic,file_dac_read,file_dac_search,net_privaddr' to allow it to rad all the log files, on AIX we grant it access via group permission.

This works all fine. In case you don't give it write access to /op/splunkforwarder, the you certainly have to make sure it can write to at least $SPLUNK_HOME/var, and $SPLUNK_HOME/etc, there might be even more issues.

0 Karma

Builder

Fritz - Thank you for taking the time to respond. It seems that you are more affected on the forward servers?!??! I am talking about running splunk exterprise server as splunk user. Does this change your comments or advice?

0 Karma

Contributor

All except one of our Splunk servers run under an userid splunk on Linux, for security reasons and to make the operations simpler. The team managing Splunk has no root access on this servers, but some sudo rules to become user splunk and control the service.
We changed the group of the local logfils we want to read to splunk and made them group readable.
For the indexer we have an apache webserver configured as proxy in front of Splunk as splunkweb can not bind to a low port if it is not running as root.
In the beginning Splunk has been stared a few times manually as root by issuing /opt/splunk/bin/splunk start. This changes the permission on the files Splunk writes and you can't start it as user Splunk afterwards. A chown splunk:splung -R /opt/splunk solves this.

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!