Vulnerability report SPL-144192 seems to have contradictory data in it. It begins by talking about being vulnerable to this specific thing when running init or control scripts as the root user, but later in the report it mentions some specific conditions you must meet to be vulnerable, the first being running init scripts as a non-root user.
Soooo...which is it?
How do I know if I'm vulnerable with such contradictory information?
I don't have enough karma points to post links apparently, even to Splunk's own web servers, but I've attempted below to post a link in case it lets me...
splunk.com/view/SP-CAAAP3M#MitigationandUpgrades
Hi @chriswilkes33,
Before you go through the content below, please note that the configuration below is for Redhat only, and I am assuming that Splunk is running as the splunk user; the command or configuration might change for a different version of OS. 😛
After Splunk version 6.1, Splunk changed the init script which you created as the root user using the command $SPLUNK_HOME/bin/splunk enable boot-start -user <user>
So the /etc/init.d/splunk script includes commands like the following for start, stop, restart and status:
"/opt/splunkforwarder/bin/splunk" start --no-prompt --answer-yes
"/opt/splunkforwarder/bin/splunk" stop
"/opt/splunkforwarder/bin/splunk" restart
"/opt/splunkforwarder/bin/splunk" status
However, before Splunk version 6.1, when you created /etc/init.d/splunk using the command $SPLUNK_HOME/bin/splunk enable boot-start -user <user>
as the root user, the start, stop, restart and status commands looked like below:
/bin/su splunk -c "\"/opt/splunkforwarder/bin/splunk\" start --no-prompt --answer-yes"
/bin/su splunk -c "\"/opt/splunkforwarder/bin/splunk\" stop "
/bin/su splunk -c "\"/opt/splunkforwarder/bin/splunk\" restart "
/bin/su splunk -c "\"/opt/splunkforwarder/bin/splunk\" status "
Now, whether you are affected or not, you need to check 2 things:
1. The SPLUNK_OS_USER=<user> line
2. You created the init script after Splunk version 6.1, using the command $SPLUNK_HOME/bin/splunk enable boot-start -user <user>
as the root user, which contains commands as below:
"/opt/splunkforwarder/bin/splunk" start --no-prompt --answer-yes
"/opt/splunkforwarder/bin/splunk" stop
"/opt/splunkforwarder/bin/splunk" restart
"/opt/splunkforwarder/bin/splunk" status
If you satisfy both conditions then you are affected.
The mitigation is that you need to change those commands to look like this:
su - splunk -c "\"/opt/splunkforwarder/bin/splunk\" start --no-prompt --answer-yes"
su - splunk -c "\"/opt/splunkforwarder/bin/splunk\" stop "
su - splunk -c "\"/opt/splunkforwarder/bin/splunk\" restart "
su - splunk -c "\"/opt/splunkforwarder/bin/splunk\" status "
I hope this clears it up.
Thanks,
Harshil
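As an added example (not part of the answer above and not Splunk's own tooling), a small POSIX shell check for the two conditions Harshil lists: the script sets SPLUNK_OS_USER and runs the splunk binary without a su wrapper. The init script contents below are constructed samples, and /opt/splunkforwarder is assumed as the install path, as in the answer.

```shell
#!/bin/sh
# Check an init script for the two conditions from the answer:
#  1. it sets SPLUNK_OS_USER=<user>
#  2. it calls .../bin/splunk start|stop|restart|status directly,
#     i.e. not wrapped in "su - <user> -c" (or "/bin/su <user> -c").
# Exit status: 0 = affected, 1 = not affected, 2 = unreadable file.
splunk_init_affected() {
    script="$1"
    [ -r "$script" ] || { echo "cannot read $script" >&2; return 2; }
    # Condition 1: an uncommented SPLUNK_OS_USER= assignment
    grep -Eq '^[[:space:]]*SPLUNK_OS_USER=' "$script" || return 1
    # Condition 2: splunk invocations (optionally quoted or escaped, hence \\?"?)
    # that are not prefixed by su; -v keeps the lines without su and
    # -q makes grep succeed if at least one such line survives.
    grep -E '/bin/splunk\\?"? +(start|stop|restart|status)' "$script" \
        | grep -Evq '(^|[[:space:]])(/bin/)?su[[:space:]]' || return 1
    return 0
}

# Print the configured OS user, for the operator's report.
splunk_os_user() {
    sed -n 's/^[[:space:]]*SPLUNK_OS_USER=//p' "$1" | head -n 1
}

# Constructed samples (not real files): post-6.1 style, and the mitigated form.
vulnerable_sample=$(mktemp)
cat > "$vulnerable_sample" <<'EOF'
SPLUNK_OS_USER=splunk
"/opt/splunkforwarder/bin/splunk" start --no-prompt --answer-yes
"/opt/splunkforwarder/bin/splunk" stop
EOF
fixed_sample=$(mktemp)
cat > "$fixed_sample" <<'EOF'
SPLUNK_OS_USER=splunk
su - splunk -c "\"/opt/splunkforwarder/bin/splunk\" start --no-prompt --answer-yes"
su - splunk -c "\"/opt/splunkforwarder/bin/splunk\" stop "
EOF

for f in "$vulnerable_sample" "$fixed_sample"; do
    if splunk_init_affected "$f"; then
        echo "$f: AFFECTED (SPLUNK_OS_USER=$(splunk_os_user "$f"), splunk run without su)"
    else
        echo "$f: not affected"
    fi
done
# Real use on a host: splunk_init_affected /etc/init.d/splunk
```

The check is a heuristic on the script text only; a script that starts splunk through some other privilege-dropping mechanism will still be reported as affected and should be reviewed by hand.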
Thanks for the explanation. Makes sense.
Thanks! That sounds reasonable.
Will there be a proper solution by splunk for this problem?
As of now, Splunk has suggested updating /etc/init.d/splunk as per the answer given by me.