Security

Is SELinux officially supported for Splunk Enterprise?

attilatar
Explorer

Hello,

Is SELinux officially supported for Splunk Enterprise ?

If yes, could you share instructions for 6.5.4 or 6.6.1 versions ?

Thank you!

Labels (1)
Tags (1)
0 Karma
1 Solution

koshyk
Super Champion

The documentation we followed with one of the client is : https://github.com/doksu/selinux_policy_for_splunk . It was a painful experience with issues all around. At the end we decided to go with SElinux in permissive mode (So it will log, but not block)

All the best for you to implement SELinux 🙂
- It is painful to do data onboarding (especially using multiple ways like syslog/snmp with SElinux policies)
- Upgrades/backups you will encounter random issues. You will understand the root cauuse, but it will be guaranteed to be caused by SElinux
- Last but not the least: I would resign if I'm an adminstrator/data-onboarding guy in that company with SElinux enforced 🙂

View solution in original post

ephemeric
Contributor

Always check the Security Policy before disabling SELinux! The above link to the SELinux policy, IMHO, is not the best. They run Splunk as root. Simply not running Splunk as root and disabling SELinux is far better IMHO.

The current Splunk rpm does not fully support SELinux as there is an issue with the non-standard homedir location in `/opt/splunk`.

The easiest thing to do is put SELinux in permissive mode and check what is denied. Work from there. It's not hard. Dan Walsh is so helpful and so is the community.

Don't muck about with commands, just do: `grep "denied" /var/log/audit/audit.log`.

edoardo_vicendo
Contributor

Thanks for the suggestion, I will probably install a Splunk server instance on RHEL 8 and check first with SELinux in permissive mode to see if something is blocked.

Anyway do you know if, as of today, the current situation is changed and now Splunk rpm fully support SELinux?

0 Karma

ephemeric
Contributor

I don't. I have not checked back on this topic in quite some time.

koshyk
Super Champion

The documentation we followed with one of the client is : https://github.com/doksu/selinux_policy_for_splunk . It was a painful experience with issues all around. At the end we decided to go with SElinux in permissive mode (So it will log, but not block)

All the best for you to implement SELinux 🙂
- It is painful to do data onboarding (especially using multiple ways like syslog/snmp with SElinux policies)
- Upgrades/backups you will encounter random issues. You will understand the root cauuse, but it will be guaranteed to be caused by SElinux
- Last but not the least: I would resign if I'm an adminstrator/data-onboarding guy in that company with SElinux enforced 🙂

woodcock
Esteemed Legend

I have never had anything but trouble with SELinux. I always do my own security hardening (and I am sure it is not as much as I ought) and disable SELinux (good riddance).

0 Karma
Get Updates on the Splunk Community!

The Splunk Success Framework: Your Guide to Successful Splunk Implementations

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...