We are deploying the Linux App and Add-on. The client has requested that we enable all inputs.
The forwarder is running as the splunk user (basic configuration with no permissions modified).
The Linux Add-on has monitors configured for the /etc/ and /var/log directories, but the splunk user (by default) does not have permission to read all the files in those directories.
If I use the setfacl command to add read permissions on the files and directories of the /etc/ folder for the splunk group, Linux breaks. I can't run any more sudo commands due to permission issues and eventually can't SSH back to the host. I read some articles and people suggest that running a UF as root is a security concern.
What is the best solution for this issue?
I was eventually given a link to an article explaining which commands to run.
Even though the answer is the setfacl command, there are some parameters that need to be added for it not to break Linux:
sudo /usr/bin/setfacl -m "u:splunk:r-x" /var/log
sudo /usr/bin/setfacl -m "u:splunk:r--" /var/log/*
sudo /usr/bin/setfacl -m d:user:splunk:r /var/log
sudo /usr/bin/setfacl -m "u:splunk:r-x" /etc
sudo /usr/bin/setfacl -m "u:splunk:r--" /etc/*
Everything is explained under the link below:
https://bitbucket.org/SPLServices/splunk_ta_nix/src/c87dc4d8daf412d1cb97b42cc96a2fe80998c695/INSTALL...
You can simplify it into a single command, assuming you want to traverse further than a single level. I usually format my setfacl this way, as I tend to set user, group, other and mask along with multiple specific user/group permissions at the same time.
Items of note:
- -R --recursive
- -b --remove-all
- -k --remove-default
- -m --modify
- As things are being set recursively, using an uppercase X will set x on directories but not execute on files unless they already have the permission.
- Include -bk, as I like to have a fresh slate when setting file ACLs.
- Spaces, and the lack of them, are important to the command and formatting.
# Targets are listed explicitly: /var/{log,etc} would brace-expand to
# /var/log and /var/etc, not to the /etc tree this thread is about.
setfacl -Rbkm \
d:g:splunk:r-X,\
d:m::rwX,\
g:splunk:r-X,\
m::rwX \
-- \
/var/log /etc
Why is execute (x) included?
@johnansett - an uppercase "X" will grant the execute permission on directories, allowing you to cd, etc.; however, unlike a lowercase "x", it only grants execute permission on files if that permission already exists, otherwise it is ignored. This is a safer option than a blanket +x, in case you inadvertently allow execution on something that shouldn't have it, such as a plain file which someone could modify into a script.
It could simplify this answer from multiple setfacl commands to a single command.
My common case is Python scripts (lookups), which Splunk requires execute permissions for.
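As an added example (not code from this thread, from the Splunk add-on, or from its INSTALL notes), the Python below previews what the `r-X` spec in the single-command answer above, with the uppercase-X rule explained in the reply, would resolve to on each path before any ACL is actually set. It walks a constructed stand-in for a slice of /etc with realistic modes, reports per path whether the entry ends up `r-x` or `r--`, and flags paths that are currently readable only by their owner, since those are the files a blanket grant would newly expose to the splunk user. The function names and the sample tree are assumptions made for the example; it never calls setfacl.

```python
import os
import stat
import tempfile

# Added example, not code from the thread or from the Splunk add-on.
# Function names and the sample tree below are hypothetical; the tree is
# constructed here to stand in for part of /etc.

EXEC_BITS = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH
NON_OWNER_READ = stat.S_IRGRP | stat.S_IROTH


def perm_for_capital_x(mode):
    """Permission that an ACL spec of 'r-X' resolves to on one inode.

    Capital X is conditional execute: always on a directory (needed to cd
    into or traverse it), on a regular file only if some execute bit is
    already set.  Lowercase x would hand out execute unconditionally.
    """
    if stat.S_ISDIR(mode) or (mode & EXEC_BITS):
        return "r-x"
    return "r--"


def owner_only(mode):
    """True when neither group nor other can read right now, i.e. the ACL
    entry would be the first thing letting a non-owner read this path
    (0600 private keys are the classic case under /etc)."""
    return not (mode & NON_OWNER_READ)


def preview_acl(root):
    """Walk root the way 'setfacl -R' does (symlinks found inside the tree
    are skipped) and return {relative_path: (perm, owner_only)}.
    Nothing is changed; this is a dry run to review before granting."""
    result = {}
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for name in ["."] + filenames:
            path = dirpath if name == "." else os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            rel = os.path.relpath(path, root)
            result[rel] = (perm_for_capital_x(st.st_mode), owner_only(st.st_mode))
    return result


def owner_only_paths(preview):
    """Paths a reviewer should look at before running setfacl for real."""
    return sorted(p for p, (_, private) in preview.items() if private)


def build_sample_tree():
    """Constructed stand-in for a slice of /etc with realistic modes."""
    root = tempfile.mkdtemp(prefix="acl-preview-")
    os.chmod(root, 0o755)
    layout = {
        "hostname": 0o644,
        "sudoers": 0o440,
        "ssh/ssh_host_ed25519_key": 0o600,
        "cron.daily/logrotate": 0o755,
    }
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        os.chmod(os.path.dirname(path), 0o755)  # not subject to umask
        with open(path, "w") as fh:
            fh.write("sample\n")
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    tree = build_sample_tree()
    for rel, (perm, private) in sorted(preview_acl(tree).items()):
        flag = "  <- owner-only today, ACL would expose it" if private else ""
        print(f"{perm}  {rel}{flag}")
```

To use it against a real host, call `preview_acl("/etc")` as a user that can already traverse the tree (normally root), read the `owner_only_paths` list, and only then run the setfacl command; `perm_for_capital_x` is the rule to check a path against if the resulting getfacl output looks surprising.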
Splunk needs read permission on a directory it will collect data from.
I would recommend adding the ID that Splunk runs as to a group which has read permissions to those logs. Running Splunk as root is usually not worth the risk/scrutiny that it will come under from most organizations.
Another option would be to have the logs set to world readable, i.e. permissions of 644.
The group that has read permissions over those logs is the root group so I would have to add the splunk user to the root group to resolve this.
Hey MedralaG,
You can try running as a non-root user.
Refer the doc below:
http://docs.splunk.com/Documentation/Splunk/7.0.2/Admin/ConfigureSplunktostartatboottime
http://docs.splunk.com/Documentation/Splunk/latest/Installation/RunSplunkasadifferentornon-rootuser
Let me know if this helps!!
It doesn't; the problem is that I can't get the UF to read files in the /etc/ directory of Linux, and if I give read permissions to the splunk user, that breaks the Linux instance.
setfacl -R -m u:splunk:r /var/log, or whatever path splunk needs to be able to read. It is not best practice to run splunk as root.
Unfortunately once you do that on the /etc/ directory it breaks linux.