- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Best practice in general is to run applications as non-admin users whenever possible. This is a defense-in-depth thing - if an attacker were somehow to be able to compromise the Splunk instance in one way or another and access the underlying operating system through it, it's obviously preferable that Splunk (and therefore the attacker in our scenario) doesn't have administrative privileges.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Best practice in general is to run applications as non-admin users whenever possible. This is a defense-in-depth thing - if an attacker were somehow to be able to compromise the Splunk instance in one way or another and access the underlying operating system through it, it's obviously preferable that Splunk (and therefore the attacker in our scenario) doesn't have administrative privileges.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for your info.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the information.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Splunk recommends that you don't run as root.
Other info: Deploying Splunk
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Great topic. I'd love to see more details in the documentation on best security practices for collection methods. Maybe a matrix?
- syslog - Great for many network devices, however doesn't usually work for Webservers/App Servers which don't write out in the syslog format on Unix
- Running as root (security implications)
- Making logs world readable (security implications)
- Add Splunk to a group which has read permissions to logs (My first choice, however there is usually a limit of 16 groups per Unix ID and sometimes an entprise may have hundreds of groups that log files are owned by)
- Unix ACLs - May be a great alternative, however how difficult are they to manage?
- Mounting logs remotely?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
> Splunk recommends that you don't run as root.
I'm looking for a citation in the online docs, but not finding any specific recommendation. A recommendation from Splunk would be helpful in forming or justifying our own policy. All I have found so far is Run Splunk Enterprise as a different or non-root user
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Here's the source from docs:
https://docs.splunk.com/Documentation/Splunk/8.1.1/Installation/RunSplunkasadifferentornon-rootuser
In section "Run Splunk Enterprise as a different or non-root user":
It says:
"On *nix based systems, you can run Splunk Enterprise as a user other than root. This is a Splunk best practice and you should configure your systems to run the software as a non-root user where possible."
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Seems the local system account on Windows (default for Splunk Windows installs) is a very near equivalent of root on Unix, however I don't think that is called out as a security risk the same way as root is.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the information.
