Security

Should we run Splunk as root or non-root user?

hadinh
Explorer

Should we run Splunk as root or non-root user? Which way is better?

Thanks
-Ha

Tags (2)
1 Solution

Ayn
Legend

Best practice in general is to run applications as non-admin users whenever possible. This is a defense-in-depth thing - if an attacker were somehow to be able to compromise the Splunk instance in one way or another and access the underlying operating system through it, it's obviously preferable that Splunk (and therefore the attacker in our scenario) doesn't have administrative privileges.

View solution in original post

Ayn
Legend

Best practice in general is to run applications as non-admin users whenever possible. This is a defense-in-depth thing - if an attacker were somehow to be able to compromise the Splunk instance in one way or another and access the underlying operating system through it, it's obviously preferable that Splunk (and therefore the attacker in our scenario) doesn't have administrative privileges.

hadinh
Explorer

Thanks for your info.

0 Karma

strive
Influencer

Thanks for the information.

0 Karma

rmorlen
Splunk Employee
Splunk Employee

Splunk recommends that you don't run as root.

Other info: Deploying Splunk

bandit
Motivator

Great topic. I'd love to see more details in the documentation on best security practices for collection methods. Maybe a matrix?

  • syslog - Great for many network devices, however doesn't usually work for Webservers/App Servers which don't write out in the syslog format on Unix
  • Running as root (security implications)
  • Making logs world readable (security implications)
  • Add Splunk to a group which has read permissions to logs (My first choice, however there is usually a limit of 16 groups per Unix ID and sometimes an entprise may have hundreds of groups that log files are owned by)
  • Unix ACLs - May be a great alternative, however how difficult are they to manage?
  • Mounting logs remotely?

jspears
Communicator

> Splunk recommends that you don't run as root.

I'm looking for a citation in the online docs, but not finding any specific recommendation. A recommendation from Splunk would be helpful in forming or justifying our own policy. All I have found so far is Run Splunk Enterprise as a different or non-root user

highsplunker
Contributor

Here's the source from docs:

https://docs.splunk.com/Documentation/Splunk/8.1.1/Installation/RunSplunkasadifferentornon-rootuser

In section "Run Splunk Enterprise as a different or non-root user":

It says:

"On *nix based systems, you can run Splunk Enterprise as a user other than root. This is a Splunk best practice and you should configure your systems to run the software as a non-root user where possible."

 

0 Karma

bandit
Motivator

Seems the local system account on Windows (default for Splunk Windows installs) is a very near equivalent of root on Unix, however I don't think that is called out as a security risk the same way as root is.

0 Karma

strive
Influencer

Thanks for the information.

0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...