Splunk Enterprise

Splunk Forwarder runs unconfined

mristic
Engager

Has anyone managed to create an SELinux policy that confines Splunk Forwarder while not limiting its functions?

I'm trying to address cis-benchmark "Ensure no unconfined services exist", as splunkd fails the test:

system_u:system_r:unconfined_service_t:s0 11315 ? 00:00:40 splunkd

In fact, two process instances are seen (not sure why).

# ps -eZ | grep "unconfined_service_t"
system_u:system_r:unconfined_service_t:s0 11379 ? 00:29:50 splunkd
system_u:system_r:unconfined_service_t:s0 11402 ? 00:02:28 splunkd

"Advice" seems to be as follows:

"Determine if the functionality provided by the unconfined service is essential for your operations. If it is, you may need to create a custom SELinux policy to confine the service.

Create Custom SELinux Policy: If the service needs to be confined, create a custom SELinux policy.

For the splunkd service, we need to determine if it can be confined without disrupting its functionality. If splunkd requires unconfined access to function correctly, confining it might lead to degraded performance or loss of functionality.
"

This has proven to be very, very difficult, especially as I ultimately need to make this happen using Ansible automation.

Thoughts? Solutions? Anything?

PrewinThomas
Motivator

@mristic 

Confining Splunk Forwarder with a custom SELinux policy is extremely challenging because of Splunk's complex architecture.
There is a community project for your ref. https://github.com/doksu/selinux_policy_for_splunk

Also you can try splunk in permissive mode, collect denials and build policy with audit2allow

https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/6/html/security-enhanced_linux/sec...

Regards,
Prewin
Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!

PickleRick
SplunkTrust

The github project seems kinda old. Very old.

As far as I remember the modern UF runs... fairly well with SELinux but needs tweaking in order to grant access to specific items. So the audit2allow approach is a fairly proper one.
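The permissive-then-audit2allow workflow recommended in the two answers above, as an added shell example (not code from this thread, from Splunk, or from the linked GitHub project). It assumes the domain names splunkd_t and splunkd_exec_t, the binary path /opt/splunkforwarder/bin/splunkd, and RHEL's selinux-policy-devel Makefile, and it adds a skeleton-domain step up front because a process already running as unconfined_service_t is denied nothing, so there are no denials to collect until it has a domain of its own.

```shell
# Added example, not code from the thread or from Splunk: "make it permissive,
# collect denials, audit2allow" for splunkd. Assumed: splunkd_t, splunkd_exec_t,
# /opt/splunkforwarder/bin/splunkd and RHEL's selinux-policy-devel tooling.

# unconfined_service_t logs no useful denials, so give splunkd its own domain
# and mark only that domain permissive; the rest of the system keeps enforcing.
write_skeleton_te() {
  cat <<'EOF'
policy_module(splunkd, 0.1)
type splunkd_t;
type splunkd_exec_t;
init_daemon_domain(splunkd_t, splunkd_exec_t)
permissive splunkd_t;
EOF
}

# Build and load the skeleton, then label the binary so init transitions
# into splunkd_t on the next service restart (run as root).
install_skeleton() {
  write_skeleton_te > splunkd.te
  make -f /usr/share/selinux/devel/Makefile splunkd.pp
  semodule -i splunkd.pp
  semanage fcontext -a -t splunkd_exec_t '/opt/splunkforwarder/bin/splunkd'
  restorecon -v /opt/splunkforwarder/bin/splunkd
}

# Reduce AVC records for splunkd_t to unique "tclass { perms }" lines for review.
summarize_avc() {
  awk '/type=AVC/ && /scontext=system_u:system_r:splunkd_t/ {
      perms = ""; tclass = "";
      if (match($0, /[{][^}]*[}]/)) perms = substr($0, RSTART, RLENGTH);
      for (i = 1; i <= NF; i++) if ($i ~ /^tclass=/) tclass = substr($i, 8);
      if (perms != "" && tclass != "") print tclass, perms;
    }' | sort -u
}

# Turn the reviewed denials into a second module. Read splunkd_local.te before
# loading it: audit2allow permits everything it was shown, nothing less.
generate_allow_module() {
  ausearch -m avc -c splunkd -if "${1:-/var/log/audit/audit.log}" \
    | audit2allow -M splunkd_local
  semodule -i splunkd_local.pp
}

# Constructed sample records (not real captures) for a dry run of summarize_avc.
SAMPLE_AVC='type=AVC msg=audit(1700000000.101:201): avc:  denied  { write } for  pid=11379 comm="splunkd" name="splunkd.log" scontext=system_u:system_r:splunkd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1
type=AVC msg=audit(1700000000.102:202): avc:  denied  { read } for  pid=11379 comm="splunkd" name="messages" scontext=system_u:system_r:splunkd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1700000000.102:202): arch=c000003e syscall=257 success=yes exit=3 comm="splunkd"
type=AVC msg=audit(1700000000.103:203): avc:  denied  { name_connect } for  pid=1 comm="other" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0'
```

Run `install_skeleton`, restart the forwarder, exercise it for a while, then `summarize_avc < /var/log/audit/audit.log` before deciding whether `generate_allow_module` should be run at all.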

tscroggins
Influencer

Hi @mristic,

While no specific guidance is available for Splunk Universal Forwarder, Splunk did publish RHEL 7/8-compatible SELinux policies as recently as Splunk Enterprise 9.2.2. You may be able to adapt them to your needs.

See https://docs.splunk.com/Documentation/Splunk/9.2.2/CommonCriteria/InstallSELinux.

https://download.splunk.com/products/security/splunk-selinux-0-0.9.0.el7.noarch.tgz

https://download.splunk.com/products/security/splunk-selinux-0-0.9.0.el8.noarch.tgz
