Permissions for splunk user on universal forwarder for Linux Add-on

MedralaG
Communicator

We are deploying the Linux App and Add-on. The client has requested that we enable all input.
The forwarder is running as a splunk user (basic configuration with no permissions modified).
The Linux Add-on has monitors configured for the /etc/ and /var/log directories but the splunk user (by default) does not have permissions to read all the files in those directories.

If I use the setfacl command to add read permissions to the files and directories of the /etc/ folder for the splunk group, Linux breaks. I can't run any more sudo commands due to permission issues and eventually can't SSH back to the host. I read some articles, and people suggest that running a UF as root is a security concern.

What is the best solution for this issue?


MedralaG
Communicator

I was eventually given a link to an article explaining which commands to run.
Even though the answer is the setfacl command, there are some parameters that need to be added for it not to break Linux:

sudo /usr/bin/setfacl -m "u:splunk:r-x" /var/log
sudo /usr/bin/setfacl -m "u:splunk:r--" /var/log/*
sudo /usr/bin/setfacl -m d:user:splunk:r /var/log
sudo /usr/bin/setfacl -m "u:splunk:r-x" /etc
sudo /usr/bin/setfacl -m "u:splunk:r--" /etc/*

Everything is explained under the link below:
https://bitbucket.org/SPLServices/splunk_ta_nix/src/c87dc4d8daf412d1cb97b42cc96a2fe80998c695/INSTALL...


twhitehead
New Member

You can simplify it into a single command, assuming you want to traverse further than a single level. I usually format my setfacl as I tend to set user, group, other, mask along with multiple specific user/group permissions at the same time.

Items of note:
- -R --recursive
- -b --remove-all
- -k --remove-default
- -m --modify
- As things are being set recursively, using an uppercase X will set x on directories but not execute on files unless they already have the permission.
- Include -bk, as I like to have a fresh slate when setting file ACLs.
- Spaces, and the lack of them, are important to the command and formatting.

setfacl -Rbkm \
d:g:splunk:r-X,\
d:m::rwX,\
g:splunk:r-X,\
m::rwX \
-- /var/log /etc

johnansett
Communicator

Why is execute (x) included?


twhitehead
New Member

@johnansett - an uppercase X will grant the execute permission on directories, allowing you to cd, etc.; however, unlike a lowercase x, it only grants execute permission to files if that permission already exists, otherwise it is ignored. This is a safer option than a blanket +x, in case you inadvertently allow execution of something that shouldn't be executable, such as a plain file which someone could modify into a script.

It could simplify this answer from multiple setfacl commands to a single command.

My common case is Python scripts (lookups), which Splunk requires execute permissions for.

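A worked version of the pattern from the accepted answer and the recursive variant above, added here as an example and not taken from the thread or from the Splunk add-on's own INSTALL notes. It grants one account read-only ACLs on a tree (r-x on directories, r-- on files, plus a default entry so later-created files inherit read) and then verifies two things a practitioner cares about before touching /etc on a real host: every regular file ends up with an effective read right for the account, and no entry's group-class mode bits gained anything beyond what was intended (read on files, read+traverse on directories), so a 0440 sudoers is still 0440 and no plain file picked up execute. The account name (default "splunk", $ACL_USER), the constructed fixture tree and the numeric-UID fallback are assumptions; it relies on GNU stat, the setfacl/getfacl tools from the acl package and an ACL-capable filesystem.

```shell
#!/bin/sh
# Added example; not code from the thread or from the Splunk add-on docs.
# Gives one account read-only access to log and config trees with POSIX
# ACLs, then proves the entries picked up nothing but a read bit: a sudoers
# file that was 0440 must still be 0440, and no regular file may gain "x".
# Assumed: GNU stat, setfacl/getfacl (acl package), an ACL-capable filesystem.
# The account name ($ACL_USER, default "splunk") is an assumption too.

ACL_USER="${ACL_USER:-splunk}"

# Same permissions as the accepted answer (dirs r-x, files r--), applied
# recursively and with a default entry so files created later inherit read.
# A file is never given "x"; only directories get traverse.
grant_read_acl() {
    command -v setfacl >/dev/null 2>&1 || return 2
    find "$1" -type d -exec setfacl -m "u:$ACL_USER:r-x" -m "d:u:$ACL_USER:r-x" {} + || return 2
    find "$1" -type f -exec setfacl -m "u:$ACL_USER:r--" {} + || return 2
}

# "kind mode path" for every entry, e.g. "f 440 /tmp/x/etc/sudoers"
snapshot_modes() {
    find "$1" -type d -exec stat -c 'd %a %n' {} +
    find "$1" -type f -exec stat -c 'f %a %n' {} +
}

# Middle octal digit (the group class, which is where an ACL mask shows up)
group_digit() {
    tail=${1#"${1%??}"}
    printf '%s' "${tail%?}"
}

# $1 = listing from snapshot_modes taken BEFORE setfacl. Re-stat each path and
# allow the group digit to gain only r (files) or r+x (directories); anything
# else (a write bit, exec on a plain file) means the ACL was too generous.
check_no_new_group_bits() {
    while read -r kind before path; do
        after=$(stat -c %a "$path") || return 1
        gb=$(group_digit "$before"); ga=$(group_digit "$after")
        if [ "$kind" = d ]; then allow=$((gb | 5)); else allow=$((gb | 4)); fi
        [ "$ga" = "$gb" ] || [ "$ga" = "$allow" ] || return 1
    done <<EOF
$1
EOF
}

# Every regular file under $1 must carry an *effective* read right for the
# account; getfacl -e prints "#effective:" whenever the mask trims an entry.
check_user_can_read() {
    find "$1" -type f | while read -r f; do
        entry=$(getfacl -p -e -- "$f" 2>/dev/null | grep "^user:$ACL_USER:") || exit 1
        case "$entry" in
            *"#effective:"*) eff=${entry##*#effective:} ;;
            *)               eff=${entry#user:"$ACL_USER":} ;;
        esac
        case "$eff" in r*) ;; *) exit 1 ;; esac
    done
}

# Constructed throw-away tree shaped like the real problem: a 0440 sudoers,
# a 0600 host key, a 0640 syslog and a 0644 log under a subdirectory.
make_fixture() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/etc/ssh" "$root/var/log/app" || return 1
    printf 'root ALL=(ALL) ALL\n' >"$root/etc/sudoers";   chmod 0440 "$root/etc/sudoers"
    printf 'PRIVATE KEY\n' >"$root/etc/ssh/ssh_host_key"; chmod 0600 "$root/etc/ssh/ssh_host_key"
    printf 'Jan 1 boot\n' >"$root/var/log/syslog";        chmod 0640 "$root/var/log/syslog"
    printf 'GET /\n' >"$root/var/log/app/access.log";     chmod 0644 "$root/var/log/app/access.log"
    echo "$root"
}

# 0 = ACLs applied and both checks passed, 1 = a check failed,
# 2 = no ACL tooling / filesystem support here (nothing was verified).
run_demo() {
    command -v getfacl >/dev/null 2>&1 || return 2
    id "$ACL_USER" >/dev/null 2>&1 || ACL_USER=10001   # ACLs store UIDs; a bare number works
    root=$(make_fixture) || return 1
    before=$(snapshot_modes "$root")
    status=0
    if grant_read_acl "$root/etc" && grant_read_acl "$root/var/log"; then
        check_no_new_group_bits "$before" || status=1
        check_user_can_read "$root" || status=1
    else
        status=2
    fi
    rm -rf "$root"
    return "$status"
}
```

Source the file and call run_demo to exercise it on the throw-away tree; on a real host, grant_read_acl /var/log and grant_read_acl /etc as root do the work. Two caveats the checks make visible: a file that was 0600 will show as 0640 in ls afterwards, because the group class now displays the ACL mask (the file is still only readable by its owner and the named account, but any tool that inspects mode bits sees the change, which is why only r, never w or x, should appear in the ACL); and a default ACL is masked by the mode the creating process uses, so a log written with 0600 still ends up unreadable to the account until grant_read_acl is run again, which is an argument for scheduling it.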

bcyates
Communicator

Splunk needs read permission on a directory it will collect data from.

I would recommend adding the ID that Splunk runs as to a group which has read permissions to those logs. Running Splunk as root is usually not worth the risk/scrutiny that it will come under from most organizations.

Another option would be to have the logs set to world readable, i.e. permissions of 644.


MedralaG
Communicator

The group that has read permissions over those logs is the root group so I would have to add the splunk user to the root group to resolve this.


deepashri_123
Motivator

MedralaG
Communicator

It doesn't, the problem is that I can't get the UF to read files in the /etc/ directory of Linux, and if I give read permissions to the splunk user that breaks the Linux instance.


bcyates
Communicator

setfacl -R -m u:splunk:r /var/log, or whatever path splunk needs to be able to read. It is not best practice to run splunk as root.


MedralaG
Communicator

Unfortunately once you do that on the /etc/ directory it breaks linux.
