
Want to confine splunk process running on servers as required by our audit. How to achieve?

sdubey_splunk
Splunk Employee

Issue:
Splunk is running as an unconfined daemon

ps -eZ | egrep "initrc" | egrep -vw "tr|ps|egrep|bash|awk" | tr ':' ' ' | awk '{ print $NF }'

splunkd
(Truncated output, I am interested in confining Splunk Process)

We have an audit requirement to confine Splunk process. How to achieve?


sdubey_splunk
Splunk Employee

Background on how things work on Linux:

1. All processes and files are labeled. SELinux policy rules define how processes interact with files, as well as how processes interact with each other. Access is only allowed if an SELinux policy rule exists that specifically allows it.

2. Fine-grained access control. Stepping beyond traditional UNIX permissions that are controlled at user discretion and based on Linux user and group IDs, SELinux access decisions are based on all available information, such as an SELinux user, role, type, and, optionally, a security level.
SELinux policy is administratively-defined and enforced system-wide.

What is the meaning of confining a process? Explain confined.
* When a process is confined, it runs in its own domain. If a confined process is compromised by an attacker, depending on SELinux policy configuration, the attacker's access to resources and the possible damage they can do is limited.

For those who are interested in knowing more about SELinux (confined/unconfined processes), please read https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_admi....

Solution:
I tried the steps below to confine the Splunk process. Please find the before and after output below. I tried the exact steps listed below. For information about the commands used below, use 'man command' or read https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_admi....

Before:
[root@selinux_policy_for_splunk-master]# ps -eZ| grep splunk
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 5039 ? 1-04:37:17 splunkd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 5041 ? 00:03:15 splunkd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 5285 ? 00:33:43 splunkd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 13110 ? 00:00:00 splunkd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 13111 ? 00:00:00 splunkd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 13112 ? 00:00:00 splunkd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 13114 ? 00:00:00 splunkd
[root@selinux_policy_for_splunk-master]# semodule -i splunk.pp
[root@sselinux_policy_for_splunk-master]# restorecon -R /opt/splunk
[root@sselinux_policy_for_splunk-master]# restorecon /etc/init.d/splunk
[root@selinux_policy_for_splunk-master]# /etc/init.d/splunk restart
Restarting splunk (via systemctl): [ OK ]

After:
[root@selinux_policy_for_splunk-master]# ps -eZ| grep splunk
system_u:system_r:splunk_t:s0 13521 ? 00:00:11 splunkd
system_u:system_r:splunk_t:s0 13524 ? 00:00:00 splunkd
system_u:system_r:splunk_t:s0 13725 ? 00:00:00 mongod
system_u:system_r:splunk_t:s0 13821 ? 00:00:00 python
system_u:system_r:splunk_t:s0 13828 ? 00:00:00 python
system_u:system_r:splunk_t:s0 13847 ? 00:00:00 splunkd
system_u:system_r:splunk_t:s0 13861 ? 00:00:01 python
system_u:system_r:splunk_t:s0 13863 ? 00:00:19 java
system_u:system_r:splunk_t:s0 14074 ? 00:00:00 splunkd
system_u:system_r:splunk_t:s0 14075 ? 00:00:00 splunkd
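The answer verifies confinement by eyeballing the "ps -eZ | grep splunk" output for the splunk_t domain. For an audit it helps to have that check scripted so it can be run after every restart or policy update. The script below is an added example, not code from the original post or from Splunk; it assumes, as the answer does, that a policy module defining the splunk_t domain has already been loaded with semodule. The sample "before" and "after" listings inside it are constructed from the output shown above so the script runs offline; in live use you would pipe real ps -eZ output into audit_confined instead.

```shell
#!/bin/sh
# Constructed samples in the shape of "ps -eZ | grep splunk" output (field 1 is the
# SELinux context, the last field is the command). Taken from the answer's listings.
BEFORE='unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 5039 ? 1-04:37:17 splunkd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 5041 ? 00:03:15 splunkd'
AFTER='system_u:system_r:splunk_t:s0 13521 ? 00:00:11 splunkd
system_u:system_r:splunk_t:s0 13725 ? 00:00:00 mongod
system_u:system_r:splunk_t:s0 13863 ? 00:00:19 java'

# Print "<domain> <command>" for every ps -eZ line on stdin.
# The domain (type) is the third colon-separated component of the context.
# A raw "ps -eZ" run starts with a "LABEL PID ..." header line, which is skipped.
domains_of() {
    awk '$1 == "LABEL" { next } { split($1, ctx, ":"); print ctx[3], $NF }'
}

# Count the processes on stdin whose domain is not the expected one ($1).
count_outside_domain() {
    awk -v want="$1" '$1 == "LABEL" { next }
                      { split($1, ctx, ":"); if (ctx[3] != want) n++ }
                      END { print n + 0 }'
}

# Audit check: succeed (exit 0) only when every process on stdin runs in domain $1.
# Live use after the steps in the answer:  ps -eZ | grep splunk | audit_confined splunk_t
audit_confined() {
    [ "$(count_outside_domain "$1")" -eq 0 ]
}

# Stand-alone demonstration against the constructed samples.
main() {
    for state in BEFORE AFTER; do
        eval "listing=\$$state"
        printf '%s\n' "$listing" | domains_of
        if printf '%s\n' "$listing" | audit_confined splunk_t; then
            echo "$state: all listed processes confined to splunk_t"
        else
            echo "$state: $(printf '%s\n' "$listing" | count_outside_domain splunk_t) process(es) outside splunk_t"
        fi
    done
}
main
```

Checking the domain of every child (mongod, python, java) rather than just splunkd matters: the "after" listing shows that those helpers inherit the splunk_t domain only because the policy and the relabelled files make the domain transition happen on exec; a helper left in unconfined_t would be exactly the gap an auditor is looking for.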
