Privilege checks for Script

msmadhu · ‎01-24-2025

Hello, team

I've made script, which uses the sudo command. I've deployed it on my forwarders and I get the error:

message from "/opt/splunkforwarder/etc/apps/app/bin/script.sh" sudo: effective uid is not 0, is /usr/bin/sudo on a file system with the 'nosuid' option set or an NFS file system without root privileges?

Please help to fix this issue.

muhammad_luthfi

Hi, i have same case also, but now it's solved, bellow my workaround :

1. Add splunk user to /etc/sudoers

splunk-user ALL=(ALL) NOPASSWD: ALL

2. Add !requiretty for splunk user

Defaults:splunk-user    !requiretty

For point no. 2, basically splunk running script on non-interactive environment by defaults, so we need add permission to pass it.

Running manual the command in CLI is interactive, thats why we don't need !requiretty

PickleRick

OMG. Don't do that!

This way you're allowing anyone who has permission to run local programs (and I can think of several ways to do so) effectively do anything with your system. This is like saying "Oh, I solved the problem with my front door lock by leaving the door wide open".

muhammad_luthfi

Continuoing last reply :

Bellow my error during troubleshoot :

1. sudo: effective uid is not 0, is /usr/bin/sudo on a file system with the 'nosuid' -> Because splunk running as a root user, i have change back splunk to non-root user and see bellow error.

2. sudo: sorry, you must have a tty to run sudo -> Required !requiretty permission on /etc/sudoers

for me Splunk is powerfull tools, since i got this workaround, Ansible task can be done with splunk directly 🙂

isoutamo

This is exactly like @PickleRick said, never do it like this! You lost all security in your system!

If/when you need that information then better way is to use e.g. cron and export output to some file which are read by splunk. Just give needed access to that file with setfacl. And down use chmod with 777!

muhammad_luthfi

Hi @isoutamo @PickleRick ,

Yes, you are correct, thats solution will be impact to security, i run this for testing purpose on Dev, just to see how splunk works with custom script sudo.

My implementation is read log file based on crontab.

msmadhu · ‎01-27-2025

Selinux alerts is disabled and not getting on second point.

But when i comment #NoNewPrivileges=Yes line from file /etc/systemd/system/SplunkForwarder.service. It will work. But not sure why Splunk service privilege is stoping this.

PickleRick · ‎01-27-2025

Makes sense

https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html

Security

NoNewPrivileges=

Takes a boolean argument. If true, ensures that the service process and all its children can never gain new privileges through execve() (e.g. via setuid or setgid bits, or filesystem capabilities). This is the simplest and most effective way to ensure that a process and its children can never elevate privileges again. Defaults to false. In case the service will be run in a new mount namespace anyway and SELinux is disabled, all file systems are mounted with MS_NOSUID flag. Also see No New Privileges Flag.

msmadhu · ‎01-26-2025

Yes, script is woking with "splunk cmd" also

splunk cmd ./crio_simple_ps.sh

PickleRick · ‎01-27-2025

Thay is puzzling there because assuming that you're running it with the same user as your forwarder runs with you should be having the same environment.

The things I'd check would be:

1) selinux alerts (if anything which should work doesn't it's often selinux ;-))

2) dump the environment to a file at the beginning of your script and compare the version you get from running it with "splunk cmd" with the output from when it's actually run by thr forwarder.

msmadhu · ‎01-24-2025

Yes, am getting output for below commands,

sudo /usr/bin/crictl ps -a

splunk cmd sudo /usr/bin/crictl ps -a

PickleRick · ‎01-24-2025

Hmm...

And if you run your whole script with `splunk cmd`?

msmadhu · ‎01-24-2025

Yes, my script is working with sudo only
below script for reference
#!/bin/bash
# Set the working directory to the script's directory

cd "$(dirname "$0")" || exit 1

# Full paths for commands

CRICTL_PATH="/usr/bin/crictl" # Adjust the path if necessary

# Get container list

container_list=$(sudo "$CRICTL_PATH" ps -a)

echo "$container_list" | sed '1s/POD ID/POD_ID/g'

IFS=$'\n'

for container_info in $(echo "$container_list" | tail -n +2); do

container_id=$(echo "$container_info" | awk '{print $1}')

container_name=$(echo "$container_info" | awk '{print $4}')

done

##############
cat /etc/sudoers.d/splunk
splunk ALL=(ALL) NOPASSWD: /usr/bin/crictl,/usr/bin/podman

PickleRick · ‎01-24-2025

OK. So first steps to debug such issue would be to:

1) Run (as splunk user)

sudo /usr/bin/crictl

I'm assuming you already checked that

2) Run (again - as splunk user)

splunk cmd sudo /usr/bin/crictl

(the actual parameters for crictl are not important here, we just want to see if the command will be properly spawned at all).

Having said that - I'm not a very big fan of escalating privileges that way from splunk. As I understand, this is a scripted input. I'd rather have a script spawned by cron and capture its output and then ingest that output file with a normal monitor input.

PickleRick · ‎01-24-2025

And did you check what sudo told you? Does your sudo work at all?

Privilege checks for Script

using Splunk Enterprise

Security

Mastering Data Pipelines: Unlocking Value with Splunk

The Latest Cisco Integrations With Splunk Platform!

AI Adoption Hub Launch | Curated Resources to Get Started with AI in Splunk