×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
BlueQ
Explorer
Member since: ‎07-09-2024
‎07-11-2024
Community Statistics
Posts 4
Solutions 1
Karma Given 0
Karma Received 0
Member Since ‎07-09-2024
View All

Re: Running as non-root and still able to read roo...

by in Getting Data In
‎07-10-2024 05:53 PM
‎07-10-2024 05:53 PM
Found it. CAP_DAC_READ_SEARCH means splunk can read anything. Now I have to decide if I want to keep this setting. https://community.splunk.com/t5/Installation/Security-issue-Splunk-UF-v9-x-is-re-adding-readall-capability/m-p/649047/highlight/true ... View more

Re: Running as non-root and still able to read roo...

by in Getting Data In
‎07-10-2024 03:15 PM
‎07-10-2024 03:15 PM
Hi @gcusello, The funny part is I have the opposite problem. I haven't given the user access to read /var/log/messages yet it seems like splunk still reads them. How do I ask a Linux expert specifically? Do you mean on this forum or elsewhere? Thanks ... View more

Re: Running as non-root and still able to read roo...

by in Getting Data In
‎07-10-2024 03:13 PM
‎07-10-2024 03:13 PM
Hi @inventsekar, I don't want to show the actual results but here you can see there are results. Hope this helps. ... View more

Running as non-root and still able to read root lo...

by in Getting Data In
‎07-09-2024 09:34 PM
‎07-09-2024 09:34 PM
Bit of a reverse error here, splunk is working when it shouldn't. I followed these instructions to run Splunk as non-root - https://docs.splunk.com/Documentation/Forwarder/9.2.1/Forwarder/Installleastprivileged systemctl stop splunk /opt/splunkforwarder/bin/splunk disable boot-start /opt/splunkforwarder/bin/splunk enable boot-start -systemd-managed 1 -user blueq -group blueq systemctl start splunk Splunk is running as this user and the user cannot view /var/log/messages [root@host1 ~]# ps -ef|grep splunk blueq 137095 1 24 14:22 ? 00:00:00 splunkd --under-systemd --systemd-delegate=yes -p 8089 _internal_launch_under_systemd blueq 137134 137095 0 14:22 ? 00:00:00 [splunkd pid=137095] splunkd --under-systemd --systemd-delegate=yes -p 8089 _internal_launch_under_systemd [process-runner] root 137154 6813 0 14:22 pts/0 00:00:00 grep --color=auto splunk [root@host1 ~]# ls -l /opt/splunkforwarder/ total 172 drwxr-xr-x. 3 blueq blueq 4096 Jun 25 22:11 bin drwxr-xr-x. 2 blueq blueq 66 Jun 25 22:11 cmake -r--r--r--. 1 blueq blueq 57 Mar 21 09:38 copyright.txt ... [root@host1 ~]# su - blueq Last login: Wed Jul 10 14:24:24 AEST 2024 on pts/0 [blueq@host1 ~]$ ls -l /var/log/messages -rw-------. 1 root root 4898581 Jul 10 14:24 /var/log/messages [blueq@host1 ~]$ cat /var/log/messages cat: /var/log/messages: Permission denied Yet I see no errors in /opt/splunkforwarder/var/log/splunk/splunkd.log and the logs are still uploaded to splunk cloud, why??? ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎07-11-2024 02:19 AM