I need to make sure the AUP message pops up and is accepted anytime people log into the web interface on search heads. I have this working on a simple single server instance of Splunk. I need it to work on a distributed search head configuration. This is the process that works on single instances with user pw authentication only instead of the smart card authentication we use for our production environment.
Create tos app
Use web interface and go to manage apps
Create app, not visible
from cmd line
vi ./splunk/etc/apps/tos/tos.conf
Create the html file to hold the DoD Banner text
vi ./splunk/etc/system/static/46.html
Insert the banner text
save using ZZ
Check ownership and permissions
chown splunk ./splunk/etc/system/static/46.html
chgrp splunk ./splunk/etc/system/static/46.html
chmod 444 ./splunk/etc/system/static/46.html
Edit web.conf with vi to point to location of DoD html file
vi ./splunk/etc/system/local/web.conf
insert the following stanza:
[settings]
# Warning and Acceptance Banner
termsOfServiceDirectory = /opt/splunk/etc/system/static/
save using ZZ
check ownership and permissions
chown splunk ./splunk/etc/system/local/web.conf
chgrp splunk ./splunk/etc/system/local/web.conf
chmod 600 ./splunk/etc/system/local/web.conf
Restart Splunk
stop splunk
cd ./splunk/bin/
./splunk stop
wait
restart splunk
./splunk start
Log on through web interface to verify success
using btool
./splunk btool web list --debug
I see tons of entries and many web.conf paths that are in the ./splunk/etc/app/...... Which one is the relevant one in a distributed system? I tried the ./splunk/etc/system/default. It killed our smart card authentication and did not pop up a banner.
Hey there, my inbox blew up this morning with all the comments. Thank you. I will try them out this evening when I am back online with work.
Put it in the local directory of your tos app here:
$SPLUNK_HOME/etc/apps/tos/local/web.conf
This is also where your tos.conf file should go.
This isn't quite right. While the tos app's local directory should be used to house the web.conf and its termsOfServiceDirectory pointer, and possibly the html file for that terms of service page, the tos.conf file is located under the $SPLUNK_HOME/etc/user context, containing the date of the tos acknowledgement for the individual.
There isn't a traditional tos.conf spec or documentation page, so while it is a .conf file, it doesn't operate in the traditional manner.
I agree with you.
Part of the problem I see is that you're not creating the tos app correctly. .conf files need to go into a local/ or default/ directory and there's no need to create a tos.conf.
On a Search Head Cluster Deployer:
mkdir -p etc/shcluster/apps/tos/{default,metadata}
cd etc/shcluster/apps/tos/default
On a single instance:
mkdir -p etc/apps/tos/{default,metadata}
cd etc/apps/tos/default
Create web.conf (yes, you can and should create this file in the tos app. No need to go mucking about in etc/system/local/)
vim web.conf
Add the following two lines
[settings]
termsOfServiceDirectory = $SPLUNK_HOME/etc/apps/tos/default
Create 1.html (also in the tos/default/ directory)
vim 1.html
1.html example contents:
<p>These are the terms of service.</p>
Then restart Splunk. If you're on a SHC, initiate a rolling restart. After the restart completes, you will see the TOS after logging in.
I have tested this on a 7.3.4 SHC with SSO/SAML and a single instance 8.0.2.1 with normal Splunk authentication.
You can add an app.conf to the default/ directory to trigger a restart for you, as well:
[install]
is_configured = 1
[ui]
is_visible = 0
label = TOS
[launcher]
author = Me!
description = Terms of Service
version = 1.0
[triggers]
reload.web = simple
But keep in mind that this will cause a restart for every change to web.conf rather than the default behaviour of hitting a REST endpoint that silently applies the change.
This solution also lets you filter the results from btool
% splunk btool web list --debug | grep 'tos/'
/opt/splunk/etc/apps/tos/default/web.conf [settings]
/opt/splunk/etc/apps/tos/default/web.conf termsOfServiceDirectory = $SPLUNK_HOME/etc/apps/tos/default
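Added example, not part of any reply in this thread: a shell check for the tos app layout described in the answer above (web.conf under default/ or local/, termsOfServiceDirectory pointing at a directory that holds a numbered .html file). The function name check_tos_app is made up for this example, and treating the highest-numbered file as the active banner is an assumption.

```sh
#!/bin/sh
# Added example (not from the thread): lint a "tos" app before deploying it.
# Usage: check_tos_app APP_DIR SPLUNK_HOME ; returns the number of failed checks.
check_tos_app() {
    app=$1; home=$2; fails=0; conf=""
    # .conf files are only read from local/ or default/; local/ takes precedence.
    for d in local default; do
        f="$app/$d/web.conf"
        if [ -z "$conf" ] && [ -f "$f" ] && grep -q '^termsOfServiceDirectory' "$f"; then
            conf=$f
        fi
    done
    for stray in "$app"/*.conf; do
        if [ -f "$stray" ]; then
            echo "FAIL: $stray is outside local/ and default/"; fails=$((fails + 1))
        fi
    done
    if [ -z "$conf" ]; then
        echo "FAIL: termsOfServiceDirectory not set in $app/{local,default}/web.conf"
        return $((fails + 1))
    fi
    # Read the value and expand a leading literal $SPLUNK_HOME.
    dir=$(sed -n 's/^termsOfServiceDirectory[[:space:]]*=[[:space:]]*//p' "$conf" | tail -n 1)
    case $dir in
        \$SPLUNK_HOME*) dir=$home${dir#\$SPLUNK_HOME} ;;
    esac
    if [ ! -d "$dir" ]; then
        echo "FAIL: $dir (from $conf) is not a directory"
        return $((fails + 1))
    fi
    # Assumption: the highest-numbered <number>.html is the active banner.
    banner=$(ls "$dir" | sed -n '/^[0-9][0-9]*\.html$/p' | sort -n | tail -n 1)
    if [ -z "$banner" ]; then
        echo "FAIL: no <number>.html in $dir"; fails=$((fails + 1))
    elif [ ! -s "$dir/$banner" ]; then
        echo "FAIL: $dir/$banner is empty"; fails=$((fails + 1))
    elif [ -n "$(find "$dir/$banner" -perm -002)" ]; then
        echo "FAIL: $dir/$banner is world-writable"; fails=$((fails + 1))
    else
        echo "OK: $conf -> $dir/$banner"
    fi
    return "$fails"
}

# Run the check when called as: sh check_tos.sh APP_DIR SPLUNK_HOME
if [ "$#" -eq 2 ]; then check_tos_app "$1" "$2"; fi
```

On a Search Head Cluster Deployer, point APP_DIR at etc/shcluster/apps/tos before pushing the bundle; the $SPLUNK_HOME in the setting is then resolved against the SPLUNK_HOME argument you pass.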
I am working on seeing if I am allowed to post the btool output. We need to sanitize it due to our security posture here.