Permissions on /var/log

rmcook84
Explorer

To maintain correct permissions, how do you allow splunk to read /var/log? I keep getting the following error:
06-08-2011 16:17:16.355 -0400 WARN FilesystemChangeWatcher - error reading directory "/var/log": Permission denied

I am very reluctant to change /var/log to 640. Any help would be appreciated.

jawaharas
Motivator

Use ACL command to grant permission to 'splunk' user only.

sudo setfacl -R -m u:splunk:r-x /var/log

bandit
Motivator

I would recommend adding the ID that splunk runs as to a group which has read permissions to those logs. Running splunk as root is usually not worth the risk/scrutiny that it will come under from most organizations.

Example: the following log has read permissions for the owner root and the group root. Adding the splunk ID to the group root should allow the splunk ID to read a log with 640 permissions, as shown below.
ls -l /var/log/messages
-rw-r----- 1 root root 2500271 Dec 15 15:03 messages

Another option would be to have the log set to world readable. ie. permissions of 644.

Ultimately, you will need to speak to the sys admin as permissions may have higher/lower security levels at different companies.

rmcook84
Explorer

OK, for all future purposes, or for anyone needing to use splunk without running it as root: you will need to set ACLs on the /var/log directory. You only need to set read for the splunk user, which will still keep you in a very secure setup as long as you also keep splunk as a /sbin/nologin account.
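An added check (my example, not code posted by anyone in this thread): a Python audit that walks a log tree and lists what a given account could not read by mode bits alone, applying the owner/group/other selection rule Unix actually uses, so the group-membership approach above can be verified before any permissions are loosened. It assumes a Linux host with Python 3; it does not model POSIX ACLs, so after setfacl, confirm with getfacl instead.

```python
import grp
import os
import pwd
import stat
import sys


def class_bits(mode: int, owner_uid: int, owner_gid: int, uid: int, gids: set) -> int:
    """Return the rwx triple (0-7) that applies to `uid` for this file.

    Unix picks exactly one class: owner if the uid matches, else group if
    any of the user's groups matches, else other. It never takes a union,
    so a 0604 file whose group the user is in is NOT readable by that user.
    """
    if uid == owner_uid:
        return (mode >> 6) & 0o7
    if owner_gid in gids:
        return (mode >> 3) & 0o7
    return mode & 0o7


def can_read(mode: int, owner_uid: int, owner_gid: int, uid: int, gids: set) -> bool:
    """True if the account could read a file, or list and enter a directory."""
    needed = 0o5 if stat.S_ISDIR(mode) else 0o4  # directories need r and x
    return class_bits(mode, owner_uid, owner_gid, uid, gids) & needed == needed


def find_unreadable(root: str, uid: int, gids: set) -> list:
    """Walk `root` and return every path the account could not read (mode bits only).

    Run this as root so every entry can be stat()ed; ACL entries are ignored.
    """
    unreadable = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            try:
                st = os.stat(path)
            except OSError as exc:  # dangling symlink, or we cannot stat it ourselves
                unreadable.append(f"{path} (stat failed: {exc.strerror})")
                continue
            if not can_read(st.st_mode, st.st_uid, st.st_gid, uid, gids):
                unreadable.append(f"{path} ({stat.filemode(st.st_mode)} uid={st.st_uid} gid={st.st_gid})")
    return unreadable


if __name__ == "__main__":
    user = sys.argv[1] if len(sys.argv) > 1 else "splunk"   # assumed account name
    root = sys.argv[2] if len(sys.argv) > 2 else "/var/log"
    pw = pwd.getpwnam(user)
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if user in g.gr_mem}
    for line in find_unreadable(root, pw.pw_uid, gids):
        print(line)
```

Every path it prints is one the service account would fail on, which is exactly what the FilesystemChangeWatcher warning in the question reports.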

mw
Splunk Employee

You need to run splunk as the root user in order to read files that only root has access to, as well as to listen on privileged network ports.

bandit
Motivator

For privileged ports, I prefer either a reverse proxy server or an iptables redirect https://www.cyberciti.biz/faq/linux-port-redirection-with-iptables

quixand
Path Finder

I downvoted this post because running any application as root is considered a severe security risk, and most organisations with any sense will laugh at this recommendation. Use ACLs on the host or add the splunk user to a group that has read access.

mw
Splunk Employee

I don't know of any way to use sudo to only provide read permissions to the splunk process. You could add the splunk user to various groups that have read permission of the files.

rmcook84
Explorer

Could you describe the best way to present access to the splunk account to do this? I, and security, would prefer it ran as splunk. I was thinking of possibly making a modification to sudoers, but I am unsure if it does a cat or a tail or something else to the logs.

rmcook84
Explorer

This is on RHEL 5.6.
