Start splunk daemon as root then hand-off to splunk user

jizzmaster
Path Finder

I'd like Splunk to act like other services and be able to hand-off the service to a less privileged user after starting as root.

By default, the splunk service starts as root, which means it can open privileged ports, such as port 443. However, since running a service as root is not the best security concept, it is desirable to hand it off to a less privileged user account (we have created a user called splunk for this). While I realize there is the splunk enable boot-start -user splunk command, it does not initially start as root and therefore cannot open the 443 port for the web interface. I'd like to use the splunk service similar to how any other web service functions (http, ftp, ssh): by initializing as root to open a privileged port and then handing off to a less privileged user account.

Or at the very least, can splunk forward port 80 or 443 to port 8000?


mmccul
SplunkTrust

Starting as root and then handing off to a less privileged user is actually not a desired practice, but a kludge around the lack of traditional security role models in older *nix. It creates a security hole that actually needs correcting, as there remains code that runs as root when you don't want that. On Solaris, you can add the priv_netaddr privilege to the Solaris account to allow opening a low-numbered port with no other root privileges. On Linux, you can try the Linux capability by a similar name to see if that works (I have not tested that).

If you want to port forward, just create the iptables NAT rules to do the port forwarding, outside Splunk. I've done that with many applications in a production operation without issue. There are a few issues about the NAT table size if the number of connections is measured in the thousands, but that is unlikely with the Splunk search web interface.

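A concrete version of the two approaches the answer above describes (an iptables NAT redirect done outside Splunk, and the Linux capability CAP_NET_BIND_SERVICE granted to the service account so splunkd never runs as root), added here as an example and not code from the thread or from Splunk. It assumes Splunk Web listens on 8000, the unit is named splunk.service, and the service account is named splunk.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes Splunk Web on 8000, a systemd
# unit named splunk.service (assumed name) and a service account "splunk".
set -eu

# Option A: iptables NAT redirect, as suggested in the answer. The rules are
# returned as text so they can be reviewed before being piped into a shell.
nat_redirect_rules() {
  from_port="${1:-443}"; to_port="${2:-8000}"
  # PREROUTING covers connections from other hosts; the OUTPUT rule covers
  # connections made on the box itself (e.g. curl https://localhost/).
  printf 'iptables -t nat -A PREROUTING -p tcp --dport %s -j REDIRECT --to-ports %s\n' "$from_port" "$to_port"
  printf 'iptables -t nat -A OUTPUT -o lo -p tcp --dport %s -j REDIRECT --to-ports %s\n' "$from_port" "$to_port"
}

# Option B: a systemd drop-in that grants only the capability needed to bind a
# port below 1024. AmbientCapabilities hands CAP_NET_BIND_SERVICE to the User=
# account without setcap on the binary, and the bounding set plus
# NoNewPrivileges keep the process from acquiring anything else.
systemd_dropin() {
  user="${1:-splunk}"
  cat <<EOF
[Service]
User=$user
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
NoNewPrivileges=true
EOF
}

# Writes the drop-in and applies the NAT rules; needs root to actually apply.
apply() {
  install -d /etc/systemd/system/splunk.service.d
  systemd_dropin splunk > /etc/systemd/system/splunk.service.d/10-capabilities.conf
  systemctl daemon-reload
  nat_redirect_rules 443 8000 | sh
}

# Default mode only prints what would be applied; "apply" performs it.
if [ "${1:-}" = "apply" ]; then apply; else nat_redirect_rules 443 8000; systemd_dropin splunk; fi
```

After applying option B, ss -ltnp should show the 443 listener owned by the splunk user rather than root; with option A the listener stays on 8000 and only the kernel rewrites the destination port.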