Splunk Enterprise

Splunk Forwarder runs unconfined

mristic
Engager

Has anyone managed to create an SELinux policy that confines Splunk Forwarder while not limiting its functions?

I'm trying to address cis-benchmark "Ensure no unconfined services exist", as splunkd fails the test:

system_u:system_r:unconfined_service_t:s0 11315 ? 00:00:40 splunkd

In fact, two process instances are seen (not sure why).

 

# ps -eZ | grep "unconfined_service_t"
system_u:system_r:unconfined_service_t:s0 11379 ? 00:29:50 splunkd
system_u:system_r:unconfined_service_t:s0 11402 ? 00:02:28 splunkd

 

"Advice" seems to be as follows:

"Determine if the functionality provided by the unconfined service is essential for your operations. If it is, you may need to create a custom SELinux policy to confine the service.

Create Custom SELinux Policy: If the service needs to be confined, create a custom SELinux policy.

For the splunkd service, we need to determine if it can be confined without disrupting its functionality. If splunkd requires unconfined access to function correctly, confining it might lead to degraded performance or loss of functionality."

This has proven to be very, very difficult, especially as I ultimately need to make this happen using Ansible automation.

Thoughts? Solutions? Anything?


PrewinThomas
Motivator

@mristic 

Confining Splunk Forwarder with a custom SELinux policy is extremely challenging because of Splunk's complex architecture.
There is a community project for your reference: https://github.com/doksu/selinux_policy_for_splunk

Also, you can try running Splunk in permissive mode, collect the denials and build a policy with audit2allow.

https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/6/html/security-enhanced_linux/sec...

Regards,
Prewin
Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!

PickleRick
SplunkTrust

The github project seems kinda old. Very old.

As far as I remember the modern UF runs... fairly well with SELinux but needs tweaking in order to grant access to specific items. So the audit2allow approach is a fairly proper one.
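The permissive-mode / audit2allow loop that PrewinThomas and PickleRick describe, plus the CIS "no unconfined services" check from the question, as an added example (not code from the thread, from Splunk, or from the linked projects). It assumes RHEL-style tooling (`ps -eZ`, `semanage`, `ausearch`, `audit2allow`, `semodule`) and a confined domain name for splunkd, here the placeholder `splunkd_t`, which has to come from whatever policy you load first.

```shell
#!/bin/sh
# Added example, not from the thread. Each function is one Ansible-sized
# step; the domain name "splunkd_t" is an assumed placeholder.

# List "<pid> <command>" for every process running in unconfined_service_t.
# Reads `ps -eZ` output from stdin so it can be run against captured text.
unconfined_services() {
    awk '$1 ~ /:unconfined_service_t:/ { print $2, $NF }'
}

# Same verdict as the CIS check: succeed only when nothing is unconfined.
check_no_unconfined() {
    [ -z "$(ps -eZ | unconfined_services)" ]
}

# Step 1: make only the splunkd domain permissive (not the whole system), so
# SELinux logs what it would block without interrupting the forwarder.
# Only meaningful once splunkd is labelled with a confined domain:
# unconfined_service_t is itself unconfined and produces essentially no denials.
splunk_permissive_on() {
    semanage permissive -a "${1:-splunkd_t}"
}

# Step 2: after exercising the forwarder (inputs, outputs, restarts), turn the
# AVC records since boot for the splunkd command into a loadable module.
# Read splunk_local.te before installing it; audit2allow allows everything it saw.
splunk_build_module() {
    ausearch -m AVC,USER_AVC -ts boot -c splunkd | audit2allow -M splunk_local
    printf 'Review splunk_local.te, then: semodule -i splunk_local.pp\n'
}

# Step 3: back to enforcing for that domain once the module is loaded.
splunk_permissive_off() {
    semanage permissive -d "${1:-splunkd_t}"
}
```

Source the file and call the functions in order from `ansible.builtin.command` tasks; `check_no_unconfined` returns non-zero exactly when the CIS test would fail.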

tscroggins
Champion

Hi @mristic,

While no specific guidance is available for Splunk Universal Forwarder, Splunk did publish RHEL 7/8-compatible SELinux policies as recently as Splunk Enterprise 9.2.2. You may be able to adapt them to your needs.

See https://docs.splunk.com/Documentation/Splunk/9.2.2/CommonCriteria/InstallSELinux.

https://download.splunk.com/products/security/splunk-selinux-0-0.9.0.el7.noarch.tgz

https://download.splunk.com/products/security/splunk-selinux-0-0.9.0.el8.noarch.tgz
