Getting Data In

Running as non-root and still able to read root logs

BlueQ
Explorer

Bit of a reverse error here: Splunk is working when it shouldn't.

I followed these instructions to run Splunk as non-root - https://docs.splunk.com/Documentation/Forwarder/9.2.1/Forwarder/Installleastprivileged

systemctl stop splunk
/opt/splunkforwarder/bin/splunk disable boot-start
/opt/splunkforwarder/bin/splunk enable boot-start -systemd-managed 1 -user blueq -group blueq
systemctl start splunk

Splunk is running as this user, and the user cannot view /var/log/messages:

[root@host1 ~]# ps -ef|grep splunk
blueq 137095 1 24 14:22 ? 00:00:00 splunkd --under-systemd --systemd-delegate=yes -p 8089 _internal_launch_under_systemd
blueq 137134 137095 0 14:22 ? 00:00:00 [splunkd pid=137095] splunkd --under-systemd --systemd-delegate=yes -p 8089 _internal_launch_under_systemd [process-runner]
root 137154 6813 0 14:22 pts/0 00:00:00 grep --color=auto splunk

[root@host1 ~]# ls -l /opt/splunkforwarder/
total 172
drwxr-xr-x. 3 blueq blueq 4096 Jun 25 22:11 bin
drwxr-xr-x. 2 blueq blueq 66 Jun 25 22:11 cmake
-r--r--r--. 1 blueq blueq 57 Mar 21 09:38 copyright.txt
...

[root@host1 ~]# su - blueq
Last login: Wed Jul 10 14:24:24 AEST 2024 on pts/0

[blueq@host1 ~]$ ls -l /var/log/messages
-rw-------. 1 root root 4898581 Jul 10 14:24 /var/log/messages

[blueq@host1 ~]$ cat /var/log/messages
cat: /var/log/messages: Permission denied

Yet I see no errors in /opt/splunkforwarder/var/log/splunk/splunkd.log and the logs are still uploaded to splunk cloud, why???

0 Karma
1 Solution

BlueQ
Explorer

Found it. CAP_DAC_READ_SEARCH means splunk can read anything. Now I have to decide if I want to keep this setting.

https://community.splunk.com/t5/Installation/Security-issue-Splunk-UF-v9-x-is-re-adding-readall-capa...


0 Karma
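A way to confirm this on a host, as an added example that is not part of the thread and not Splunk's own tooling: decode the capability mask that the kernel reports in /proc/PID/status and name the file-permission-bypass capabilities it carries. The bit numbers (CAP_DAC_OVERRIDE = 1, CAP_DAC_READ_SEARCH = 2, CAP_FOWNER = 3) come from the kernel's capability.h; the script assumes a Linux /proc filesystem and uses pgrep to find splunkd, so with no splunkd running it prints nothing.

```shell
#!/bin/sh
# Added example, not code from the thread or from Splunk: decode a Linux process
# capability mask (the CapEff / CapAmb lines of /proc/PID/status) and report
# which file-permission-bypass capabilities it contains.
# Bit indices follow <linux/capability.h>.

CAP_DAC_OVERRIDE=1      # bypass file read/write/execute permission checks
CAP_DAC_READ_SEARCH=2   # bypass file read and directory search permission checks
CAP_FOWNER=3            # bypass checks that require the caller to own the file

# cap_in_mask HEXMASK BIT: succeed (exit 0) when bit BIT is set in the 64-bit hex mask.
cap_in_mask() {
    mask="$1"; bit="$2"
    [ $(( (0x$mask >> $bit) & 1 )) -eq 1 ]
}

# named_caps HEXMASK: print, one per line, the names of the file-permission
# bypass capabilities present in the mask (prints nothing when none are set).
named_caps() {
    mask="$1"
    cap_in_mask "$mask" "$CAP_DAC_OVERRIDE"    && echo CAP_DAC_OVERRIDE
    cap_in_mask "$mask" "$CAP_DAC_READ_SEARCH" && echo CAP_DAC_READ_SEARCH
    cap_in_mask "$mask" "$CAP_FOWNER"          && echo CAP_FOWNER
    return 0
}

# process_caps PID: show the effective and ambient masks of a running process,
# then the decoded names from the effective set. Requires a Linux /proc.
process_caps() {
    pid="$1"
    status="/proc/$pid/status"
    [ -r "$status" ] || { echo "cannot read $status" >&2; return 1; }
    eff=$(awk '/^CapEff:/ { print $2 }' "$status")
    amb=$(awk '/^CapAmb:/ { print $2 }' "$status")
    echo "PID $pid CapEff=$eff CapAmb=$amb"
    named_caps "$eff"
}

# Usage: inspect every splunkd process on the host (silent when none is running).
for p in $(pgrep -x splunkd 2>/dev/null); do
    process_caps "$p"
done
```

`process_caps self` shows the set of your current shell for comparison. If CAP_DAC_READ_SEARCH turns up in the forwarder's effective set while the `blueq` user itself gets "Permission denied", the read is happening through the capability, not through file permissions; `systemctl show -p AmbientCapabilities -p CapabilityBoundingSet splunk` shows whether the unit is what grants it, and `getpcaps PID` from libcap performs the same decoding. The trade-off to weigh is that this capability lets the process read every file on the host, so granting the specific log files to the user (an ACL or a group) is the narrower alternative.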


gcusello
SplunkTrust

Hi @BlueQ ,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

0 Karma

inventsekar
SplunkTrust

Hi @BlueQ

when you search, do you get the results?

index=linuxORsomething source=/var/log/messages*

on Splunk, pls show us a search result with /var/log/messages as events, thanks.


thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading!
0 Karma

BlueQ
Explorer

Hi @inventsekar,

I don't want to show the actual results but here you can see there are results. Hope this helps.

Screenshot from 2024-07-11 08-11-05.png

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @BlueQ ,

I'm not a Linux expert so I don't know how to do it, but you have two solutions:

  • configure ACLs on your servers to permit a non-root user to read root files,
  • add the Splunk user to the system group that can read root logs.

As I said, you should ask a Linux expert for the solution to this requirement.

Ciao.

Giuseppe

0 Karma

BlueQ
Explorer

Hi @gcusello,

The funny part is I have the opposite problem. I haven't given the user access to read /var/log/messages yet it seems like splunk still reads them.

How do I ask a Linux expert specifically? Do you mean on this forum or elsewhere?

Thanks

0 Karma