Hello,
Is SELinux officially supported for Splunk Enterprise ?
If yes, could you share instructions for 6.5.4 or 6.6.1 versions ?
Thank you!
The documentation we followed with one of the client is : https://github.com/doksu/selinux_policy_for_splunk . It was a painful experience with issues all around. At the end we decided to go with SElinux in permissive mode (So it will log, but not block)
All the best for you to implement SELinux 🙂
- It is painful to do data onboarding (especially using multiple ways like syslog/snmp with SElinux policies)
- Upgrades/backups you will encounter random issues. You will understand the root cauuse, but it will be guaranteed to be caused by SElinux
- Last but not the least: I would resign if I'm an adminstrator/data-onboarding guy in that company with SElinux enforced 🙂
Always check the Security Policy before disabling SELinux! The above link to the SELinux policy, IMHO, is not the best. They run Splunk as root. Simply not running Splunk as root and disabling SELinux is far better IMHO.
The current Splunk rpm does not fully support SELinux as there is an issue with the non-standard homedir location in `/opt/splunk`.
The easiest thing to do is put SELinux in permissive mode and check what is denied. Work from there. It's not hard. Dan Walsh is so helpful and so is the community.
Don't muck about with commands, just do: `grep "denied" /var/log/audit/audit.log`.
Thanks for the suggestion, I will probably install a Splunk server instance on RHEL 8 and check first with SELinux in permissive mode to see if something is blocked.
Anyway do you know if, as of today, the current situation is changed and now Splunk rpm fully support SELinux?
I don't. I have not checked back on this topic in quite some time.
The documentation we followed with one of the client is : https://github.com/doksu/selinux_policy_for_splunk . It was a painful experience with issues all around. At the end we decided to go with SElinux in permissive mode (So it will log, but not block)
All the best for you to implement SELinux 🙂
- It is painful to do data onboarding (especially using multiple ways like syslog/snmp with SElinux policies)
- Upgrades/backups you will encounter random issues. You will understand the root cauuse, but it will be guaranteed to be caused by SElinux
- Last but not the least: I would resign if I'm an adminstrator/data-onboarding guy in that company with SElinux enforced 🙂
I have never had anything but trouble with SELinux. I always do my own security hardening (and I am sure it is not as much as I ought) and disable SELinux (good riddance).