Splunk Enterprise

Splunk Forwarder runs unconfined

mristic
Engager

Has anyone managed to create an SELinux policy that confines Splunk Forwarder while not limiting its functions?

I'm trying to address cis-benchmark "Ensure no unconfined services exist", as splunkd fails the test:

system_u:system_r:unconfined_service_t:s0 11315 ? 00:00:40 splunkd

In fact, two process instances are seen (not sure why).


# ps -eZ | grep "unconfined_service_t"
system_u:system_r:unconfined_service_t:s0 11379 ? 00:29:50 splunkd
system_u:system_r:unconfined_service_t:s0 11402 ? 00:02:28 splunkd


"Advice" seems to be as follows:

"Determine if the functionality provided by the unconfined service is essential for your operations. If it is, you may need to create a custom SELinux policy to confine the service.

Create Custom SELinux Policy: If the service needs to be confined, create a custom SELinux policy.

For the splunkd service, we need to determine if it can be confined without disrupting its functionality. If splunkd requires unconfined access to function correctly, confining it might lead to degraded performance or loss of functionality.
"

This has proven to be very, very difficult, especially as I ultimately need to make this happen using Ansible automation.

Thoughts? Solutions? Anything?



PrewinThomas
Builder

@mristic 

Confining Splunk Forwarder with a custom SELinux policy is extremely challenging because of Splunk's complex architecture.
There is a community project for your ref. https://github.com/doksu/selinux_policy_for_splunk

Also, you can try running Splunk in permissive mode, collect the denials and build a policy with audit2allow.

https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/6/html/security-enhanced_linux/sec...

Regards,
Prewin
Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!
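The permissive-mode workflow above (collect the denials, then let audit2allow turn them into a module) is easier to trust once you can see what that generation step actually does. The following is an added example, not Splunk's code or the linked community project's: it parses constructed AVC records in audit.log format, merges them into allow rules the way audit2allow does, and holds back any rule that would touch a sensitive target type so that denial gets investigated instead of allowed. The splunkd_t domain, the sample records and the SENSITIVE_TYPES list are assumptions for illustration.

```python
# Added example (not Splunk's code): draft an SELinux .te module from AVC denials.
import re
from collections import defaultdict

# Constructed audit.log lines from a hypothetical splunkd_t domain in permissive mode.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1718000000.101:1): avc:  denied  { read } for  pid=11379 comm="splunkd" name="messages" scontext=system_u:system_r:splunkd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1
type=AVC msg=audit(1718000000.102:2): avc:  denied  { open } for  pid=11379 comm="splunkd" path="/var/log/messages" scontext=system_u:system_r:splunkd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1
type=AVC msg=audit(1718000000.103:3): avc:  denied  { name_connect } for  pid=11379 comm="splunkd" dest=9997 scontext=system_u:system_r:splunkd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1718000000.104:4): avc:  denied  { read } for  pid=11379 comm="splunkd" name="shadow" scontext=system_u:system_r:splunkd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1718000000.104:4): arch=c000003e syscall=257 success=yes exit=3
"""

DENIED_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")
TOKEN_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Illustrative watch list: a forwarder denial on these is a misconfiguration to fix, not a rule to add.
SENSITIVE_TYPES = {"shadow_t", "security_t", "kernel_t"}

def parse_avc(line):
    """Return (source_type, target_type, tclass, perms) or None for non-AVC records."""
    m = DENIED_RE.search(line)
    if not line.startswith("type=AVC") or not m:
        return None
    fields = dict(TOKEN_RE.findall(line))
    src = fields["scontext"].split(":")[2]  # context is user:role:TYPE:level
    tgt = fields["tcontext"].split(":")[2]
    return src, tgt, fields["tclass"], set(m.group(1).split())

def collect_rules(audit_text):
    """Merge denials into {(src, tgt, class): perms}, as audit2allow would."""
    rules = defaultdict(set)
    for src, tgt, cls, perms in filter(None, map(parse_avc, audit_text.splitlines())):
        rules[(src, tgt, cls)] |= perms
    return dict(rules)

def flag_sensitive(rules):
    return sorted(k for k in rules if k[1] in SENSITIVE_TYPES)

def render_te(rules, name="splunkd_local"):
    """Render .te source for checkmodule/semodule_package, without the flagged rules."""
    safe = {k: v for k, v in rules.items() if k[1] not in SENSITIVE_TYPES}
    classes = defaultdict(set)
    for (_, _, cls), perms in safe.items():
        classes[cls] |= perms
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in sorted({t for k in safe for t in k[:2]})]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""] + [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};" for (s, t, c), p in sorted(safe.items())]
    return "\n".join(out) + "\n"
```

Review the flagged rules first, then feed the rendered .te through checkmodule -M -m and semodule_package before installing it with semodule -i.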

PickleRick
SplunkTrust

The github project seems kinda old. Very old.

As far as I remember the modern UF runs... fairly well with SELinux but needs tweaking in order to grant access to specific items. So the audit2allow approach is a fairly proper one.

tscroggins
Influencer

Hi @mristic,

While no specific guidance is available for Splunk Universal Forwarder, Splunk did publish RHEL 7/8-compatible SELinux policies as recently as Splunk Enterprise 9.2.2. You may be able to adapt them to your needs.

See https://docs.splunk.com/Documentation/Splunk/9.2.2/CommonCriteria/InstallSELinux.

https://download.splunk.com/products/security/splunk-selinux-0-0.9.0.el7.noarch.tgz

https://download.splunk.com/products/security/splunk-selinux-0-0.9.0.el8.noarch.tgz
