- Splunk Answers
- :
- Splunk Administration
- :
- Security
- :
- Is SELinux officially supported for Splunk Enterpr...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
Is SELinux officially supported for Splunk Enterprise ?
If yes, could you share instructions for 6.5.4 or 6.6.1 versions ?
Thank you!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The documentation we followed with one of the client is : https://github.com/doksu/selinux_policy_for_splunk . It was a painful experience with issues all around. At the end we decided to go with SElinux in permissive mode (So it will log, but not block)
All the best for you to implement SELinux 🙂
- It is painful to do data onboarding (especially using multiple ways like syslog/snmp with SElinux policies)
- Upgrades/backups you will encounter random issues. You will understand the root cauuse, but it will be guaranteed to be caused by SElinux
- Last but not the least: I would resign if I'm an adminstrator/data-onboarding guy in that company with SElinux enforced 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Always check the Security Policy before disabling SELinux! The above link to the SELinux policy, IMHO, is not the best. They run Splunk as root. Simply not running Splunk as root and disabling SELinux is far better IMHO.
The current Splunk rpm does not fully support SELinux as there is an issue with the non-standard homedir location in `/opt/splunk`.
The easiest thing to do is put SELinux in permissive mode and check what is denied. Work from there. It's not hard. Dan Walsh is so helpful and so is the community.
Don't muck about with commands, just do: `grep "denied" /var/log/audit/audit.log`.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the suggestion, I will probably install a Splunk server instance on RHEL 8 and check first with SELinux in permissive mode to see if something is blocked.
Anyway do you know if, as of today, the current situation is changed and now Splunk rpm fully support SELinux?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I don't. I have not checked back on this topic in quite some time.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The documentation we followed with one of the client is : https://github.com/doksu/selinux_policy_for_splunk . It was a painful experience with issues all around. At the end we decided to go with SElinux in permissive mode (So it will log, but not block)
All the best for you to implement SELinux 🙂
- It is painful to do data onboarding (especially using multiple ways like syslog/snmp with SElinux policies)
- Upgrades/backups you will encounter random issues. You will understand the root cauuse, but it will be guaranteed to be caused by SElinux
- Last but not the least: I would resign if I'm an adminstrator/data-onboarding guy in that company with SElinux enforced 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have never had anything but trouble with SELinux. I always do my own security hardening (and I am sure it is not as much as I ought) and disable SELinux (good riddance).
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
