Security
Highlighted

Should we run Splunk as root or non-root user?

Explorer

Should we run Splunk as root or non-root user? Which way is better?

Thanks
-Ha

Tags (2)
Highlighted

Re: Should we run Splunk as root or non-root user?

Splunk Employee
Splunk Employee

Splunk recommends that you don't run as root.

Other info: Deploying Splunk

Highlighted

Re: Should we run Splunk as root or non-root user?

Influencer

Thanks for the information.

0 Karma
Highlighted

Re: Should we run Splunk as root or non-root user?

Motivator

Seems the local system account on Windows (default for Splunk Windows installs) is a very near equivalent of root on Unix, however I don't think that is called out as a security risk the same way as root is.

0 Karma
Highlighted

Re: Should we run Splunk as root or non-root user?

Motivator

Great topic. I'd love to see more details in the documentation on best security practices for collection methods. Maybe a matrix?

  • syslog - Great for many network devices, however doesn't usually work for Webservers/App Servers which don't write out in the syslog format on Unix
  • Running as root (security implications)
  • Making logs world readable (security implications)
  • Add Splunk to a group which has read permissions to logs (My first choice, however there is usually a limit of 16 groups per Unix ID and sometimes an entprise may have hundreds of groups that log files are owned by)
  • Unix ACLs - May be a great alternative, however how difficult are they to manage?
  • Mounting logs remotely?
Highlighted

Re: Should we run Splunk as root or non-root user?

Communicator

> Splunk recommends that you don't run as root.

I'm looking for a citation in the online docs, but not finding any specific recommendation. A recommendation from Splunk would be helpful in forming or justifying our own policy. All I have found so far is Run Splunk Enterprise as a different or non-root user

Highlighted

Re: Should we run Splunk as root or non-root user?

Legend

Best practice in general is to run applications as non-admin users whenever possible. This is a defense-in-depth thing - if an attacker were somehow to be able to compromise the Splunk instance in one way or another and access the underlying operating system through it, it's obviously preferable that Splunk (and therefore the attacker in our scenario) doesn't have administrative privileges.

View solution in original post

Highlighted

Re: Should we run Splunk as root or non-root user?

Influencer

Thanks for the information.

0 Karma
Highlighted

Re: Should we run Splunk as root or non-root user?

Explorer

Thanks for your info.

0 Karma