Has anyone managed to create an SELinux policy that confines Splunk Forwarder while not limiting its functions? I'm trying to address CIS benchmark "Ensure no unconfined services exist", as splunkd fails the test:

system_u:system_r:unconfined_service_t:s0 11315 ? 00:00:40 splunkd

In fact, two process instances are seen (not sure why).

# ps -eZ | grep "unconfined_service_t"
system_u:system_r:unconfined_service_t:s0 11379 ? 00:29:50 splunkd
system_u:system_r:unconfined_service_t:s0 11402 ? 00:02:28 splunkd

"Advice" seems to be as follows:

"Determine if the functionality provided by the unconfined service is essential for your operations. If it is, you may need to create a custom SELinux policy to confine the service. Create Custom SELinux Policy: If the service needs to be confined, create a custom SELinux policy. For the splunkd service, we need to determine if it can be confined without disrupting its functionality. If splunkd requires unconfined access to function correctly, confining it might lead to degraded performance or loss of functionality."

This has proven to be very, very difficult, especially as I ultimately need to make this happen using Ansible automation. Thoughts? Solutions? Anything?
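An added example, not part of the original post: the CIS audit step above reduces to inspecting `ps -eZ` for processes in the unconfined_service_t domain, and the same parsing verifies that a daemon has moved into a custom domain after a policy module is loaded. The `ps -eZ` sample below is constructed to mirror the poster's output (the process list, PIDs and the other services shown are assumptions).

```shell
# Constructed sample of `ps -eZ` output (not captured from a real host);
# two splunkd processes run in the unconfined_service_t domain, as in the post.
SAMPLE_PS_EZ='LABEL                             PID TTY          TIME CMD
system_u:system_r:init_t:s0         1 ?        00:00:05 systemd
system_u:system_r:sshd_t:s0-s0:c0.c1023 812 ?  00:00:00 sshd
system_u:system_r:unconfined_service_t:s0 11379 ? 00:29:50 splunkd
system_u:system_r:unconfined_service_t:s0 11402 ? 00:02:28 splunkd
system_u:system_r:crond_t:s0-s0:c0.c1023 900 ?  00:00:01 crond'

# unconfined_services: read `ps -eZ` output on stdin and print one line per
# command running in the unconfined_service_t domain, with its instance
# count (e.g. "splunkd 2"). No output means the CIS check passes.
# Field 1 is the full context user:role:type:range; the last field is CMD.
unconfined_services() {
    awk '$1 ~ /:unconfined_service_t:/ { n[$NF]++ }
         END { for (c in n) print c, n[c] }' | sort
}

# domain_of: print the SELinux type (third context field) of the first
# process whose CMD matches $1, from `ps -eZ` output on stdin. After a custom
# module is loaded and the service restarted, this confirms the transition.
domain_of() {
    awk -v cmd="$1" '$NF == cmd { split($1, f, ":"); print f[3]; exit }'
}

# Offline demonstration with the constructed sample; on a live host use
#   ps -eZ | unconfined_services
printf '%s\n' "$SAMPLE_PS_EZ" | unconfined_services
printf '%s\n' "$SAMPLE_PS_EZ" | domain_of splunkd
```

On a real host, `ps -eZ | domain_of splunkd` should stop printing unconfined_service_t once a custom module has been installed with `semodule -i` and splunkd restarted; the same one-liners can serve as an Ansible task's check and assertion.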