Security

Is SELinux officially supported for Splunk Enterprise?

attilatar
Explorer

Hello,

Is SELinux officially supported for Splunk Enterprise ?

If yes, could you share instructions for 6.5.4 or 6.6.1 versions ?

Thank you!

Labels (1)
Tags (1)
0 Karma
1 Solution

koshyk
Super Champion

The documentation we followed with one of the client is : https://github.com/doksu/selinux_policy_for_splunk . It was a painful experience with issues all around. At the end we decided to go with SElinux in permissive mode (So it will log, but not block)

All the best for you to implement SELinux 🙂
- It is painful to do data onboarding (especially using multiple ways like syslog/snmp with SElinux policies)
- Upgrades/backups you will encounter random issues. You will understand the root cauuse, but it will be guaranteed to be caused by SElinux
- Last but not the least: I would resign if I'm an adminstrator/data-onboarding guy in that company with SElinux enforced 🙂

View solution in original post

ephemeric
Contributor

Always check the Security Policy before disabling SELinux! The above link to the SELinux policy, IMHO, is not the best. They run Splunk as root. Simply not running Splunk as root and disabling SELinux is far better IMHO.

The current Splunk rpm does not fully support SELinux as there is an issue with the non-standard homedir location in `/opt/splunk`.

The easiest thing to do is put SELinux in permissive mode and check what is denied. Work from there. It's not hard. Dan Walsh is so helpful and so is the community.

Don't muck about with commands, just do: `grep "denied" /var/log/audit/audit.log`.

edoardo_vicendo
Contributor

Thanks for the suggestion, I will probably install a Splunk server instance on RHEL 8 and check first with SELinux in permissive mode to see if something is blocked.

Anyway do you know if, as of today, the current situation is changed and now Splunk rpm fully support SELinux?

0 Karma

ephemeric
Contributor

I don't. I have not checked back on this topic in quite some time.

koshyk
Super Champion

The documentation we followed with one of the client is : https://github.com/doksu/selinux_policy_for_splunk . It was a painful experience with issues all around. At the end we decided to go with SElinux in permissive mode (So it will log, but not block)

All the best for you to implement SELinux 🙂
- It is painful to do data onboarding (especially using multiple ways like syslog/snmp with SElinux policies)
- Upgrades/backups you will encounter random issues. You will understand the root cauuse, but it will be guaranteed to be caused by SElinux
- Last but not the least: I would resign if I'm an adminstrator/data-onboarding guy in that company with SElinux enforced 🙂

woodcock
Esteemed Legend

I have never had anything but trouble with SELinux. I always do my own security hardening (and I am sure it is not as much as I ought) and disable SELinux (good riddance).

0 Karma
Get Updates on the Splunk Community!

New Splunk Observability innovations: Deeper visibility and smarter alerting to ...

You asked, we delivered. Splunk Observability Cloud has several new innovations giving you deeper visibility ...

Synthetic Monitoring: Not your Grandma’s Polyester! Tech Talk: DevOps Edition

Register today and join TekStream on Tuesday, February 28 at 11am PT/2pm ET for a demonstration of Splunk ...

Instrumenting Java Websocket Messaging

Instrumenting Java Websocket MessagingThis article is a code-based discussion of passing OpenTelemetry trace ...