We upgraded to 8.1.2 and want to use workload manager; workload manager requires systemd. With 8.1.x you can allow the splunk user to stop/start the systemd splunk service, which works fine; however, it seems to be too broad of a configuration and also allows for stopping/starting other systemd services as well. Is there a way to lock down the polkit rule so that it doesn't grant beyond the splunk service? I'll do more research on polkit to see if I can find a way, but I'm wondering if others have done this.
sh-4.2$ sudo /apps/splunk/bin/splunk enable boot-start -systemd-managed 1 -create-polkit-rules 1 -user splunk
CAUTION: The system has systemd version < 237 and polkit version > 105. With this combination, polkit rule created for this user will enable this user to manage all systemd services.
Are you sure you want to continue [y/n]? y
Systemd unit file installed at /etc/systemd/system/Splunkd.service.
Polkit rules file installed at /etc/polkit-1/rules.d/10-Splunkd.rules.
Configured as systemd managed service.
sh-4.2$ sudo su - splunk
splunk@qasshd$ systemctl stop amazon-ssm-agent.service
splunk@qasshd$ systemctl status amazon-ssm-agent.service
● amazon-ssm-agent.service - amazon-ssm-agent
   Loaded: loaded (/etc/systemd/system/amazon-ssm-agent.service; enabled; vendor preset: disabled)
   Active: inactive (dead) since Wed 2021-02-10 22:19:39 UTC; 7s ago
  Process: 1130 ExecStart=/usr/bin/amazon-ssm-agent (code=exited, status=0/SUCCESS)
 Main PID: 1130 (code=exited, status=0/SUCCESS)
splunk@qasshd$ systemctl start amazon-ssm-agent.service
splunk@qasshd$ systemctl status amazon-ssm-agent.service
● amazon-ssm-agent.service - amazon-ssm-agent
   Loaded: loaded (/etc/systemd/system/amazon-ssm-agent.service; enabled; vendor preset: disabled)
   Active: active (running) since Wed 2021-02-10 22:19:55 UTC; 3s ago
 Main PID: 5087 (amazon-ssm-agen)
   Memory: 30.6M
   CGroup: /system.slice/amazon-ssm-agent.service
           ├─5087 /usr/bin/amazon-ssm-agent
           └─5101 /usr/bin/ssm-agent-worker
splunk@qasshd$
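
Not part of the original post: an added audit sketch that checks whether a host falls in the combination the CAUTION message above names (systemd < 237 with polkit > 105) and flags polkit rules files that mention `org.freedesktop.systemd1.manage-units` without any per-unit test. The function names are hypothetical, and treating `action.lookup("unit")` as the marker of a unit-scoped rule is an assumed heuristic, not Splunk's own logic.

```shell
#!/bin/sh
# Added example: host audit for the CAUTION condition quoted in the post.
# Function names and the rule-file heuristic are assumptions, not Splunk's code.

# First line of `systemctl --version`, e.g. "systemd 219" -> 219
systemd_version() {
    printf '%s\n' "$1" | awk 'NR==1 && $1=="systemd" {print $2+0}'
}

# "pkaction version 0.112" -> 112; releases without the "0." prefix pass through
polkit_version() {
    printf '%s\n' "$1" | awk 'NR==1 {v=$NF; sub(/^0\./,"",v); print v+0}'
}

# True when the versions match the combination named in the warning.
broad_combo() {
    [ "$1" -lt 237 ] && [ "$2" -gt 105 ]
}

# Heuristic: "none" if the file never mentions manage-units, "unit-scoped" if it
# also tests action.lookup("unit"), otherwise "all-units".
rule_scope() {
    if ! grep -q 'org\.freedesktop\.systemd1\.manage-units' "$1" 2>/dev/null; then
        echo none
    elif grep -Eq "action\.lookup\([\"']unit[\"']\)" "$1"; then
        echo unit-scoped
    else
        echo all-units
    fi
}

audit_host() {
    sv=$(systemd_version "$(systemctl --version)")
    pv=$(polkit_version "$(pkaction --version)")
    if broad_combo "$sv" "$pv"; then
        echo "systemd $sv / polkit $pv: matches the combination in the warning"
    else
        echo "systemd $sv / polkit $pv: outside the combination in the warning"
    fi
    for f in /etc/polkit-1/rules.d/*.rules; do
        [ -f "$f" ] && echo "$f: $(rule_scope "$f")"
    done
    return 0
}

# Live run (as root; rules.d is often not world-readable). Skipped if tools are absent.
if command -v systemctl >/dev/null 2>&1 && command -v pkaction >/dev/null 2>&1; then
    audit_host
fi
```

A file reported as `all-units` on a host that matches the warning's version combination is the situation shown in the transcript, where the service account could stop and start an unrelated unit.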