Security

Is SELinux officially supported for Splunk Enterprise?

attilatar
Explorer

Hello,

Is SELinux officially supported for Splunk Enterprise ?

If yes, could you share instructions for 6.5.4 or 6.6.1 versions ?

Thank you!

Labels (1)
Tags (1)
0 Karma
1 Solution

koshyk
Super Champion

The documentation we followed with one of the client is : https://github.com/doksu/selinux_policy_for_splunk . It was a painful experience with issues all around. At the end we decided to go with SElinux in permissive mode (So it will log, but not block)

All the best for you to implement SELinux 🙂
- It is painful to do data onboarding (especially using multiple ways like syslog/snmp with SElinux policies)
- Upgrades/backups you will encounter random issues. You will understand the root cauuse, but it will be guaranteed to be caused by SElinux
- Last but not the least: I would resign if I'm an adminstrator/data-onboarding guy in that company with SElinux enforced 🙂

View solution in original post

ephemeric
Contributor

Always check the Security Policy before disabling SELinux! The above link to the SELinux policy, IMHO, is not the best. They run Splunk as root. Simply not running Splunk as root and disabling SELinux is far better IMHO.

The current Splunk rpm does not fully support SELinux as there is an issue with the non-standard homedir location in `/opt/splunk`.

The easiest thing to do is put SELinux in permissive mode and check what is denied. Work from there. It's not hard. Dan Walsh is so helpful and so is the community.

Don't muck about with commands, just do: `grep "denied" /var/log/audit/audit.log`.

edoardo_vicendo
Contributor

Thanks for the suggestion, I will probably install a Splunk server instance on RHEL 8 and check first with SELinux in permissive mode to see if something is blocked.

Anyway do you know if, as of today, the current situation is changed and now Splunk rpm fully support SELinux?

0 Karma

ephemeric
Contributor

I don't. I have not checked back on this topic in quite some time.

koshyk
Super Champion

The documentation we followed with one of the client is : https://github.com/doksu/selinux_policy_for_splunk . It was a painful experience with issues all around. At the end we decided to go with SElinux in permissive mode (So it will log, but not block)

All the best for you to implement SELinux 🙂
- It is painful to do data onboarding (especially using multiple ways like syslog/snmp with SElinux policies)
- Upgrades/backups you will encounter random issues. You will understand the root cauuse, but it will be guaranteed to be caused by SElinux
- Last but not the least: I would resign if I'm an adminstrator/data-onboarding guy in that company with SElinux enforced 🙂

woodcock
Esteemed Legend

I have never had anything but trouble with SELinux. I always do my own security hardening (and I am sure it is not as much as I ought) and disable SELinux (good riddance).

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...