Splunk Search

default umask for file creation on OS

chicodeme
Communicator

Splunk runs as root so it has access to monitor anything on the system without managing those permissions.
I ran this
find /opt/splunk/ -type d -exec chmod g+s {} \;
The files get created:
-rw------- 1 root splunk filename
I want to have it
-rw-rw---- 1 root splunk filename

Any ideas besides changing the root user's default umask?


southeringtonp
Motivator

One option would be to run Splunk as a non-root user, and set the umask on the Splunk account. You would need to make sure all log files are viewable by the Splunk account, of course.

If you do need to run Splunk as root, POSIX ACLs may be your answer. Something like the following:

# Make sure all existing files are group-owned by Splunk. Set the filesystem
# ACL to allow the Splunk group as the default for new files, and set the 
# same ACL on currently existing files.
cd /opt/splunk/etc/apps
sudo setfacl -R -b .
sudo chown -R splunk:splunk .
sudo setfacl -R -d -m g:splunk:rwx .
sudo setfacl -R -m g:splunk:rwx .

# Then repeat the above for /opt/splunk/etc/system/local or other paths as desired.

southeringtonp
Motivator

Agreed that a configurable umask setting in Splunk would be a big plus. (Time to file an ER!).

The distinction with using POSIX ACLs instead of traditional permissions is that you should only have to do it once. If you set the default ACL, I believe that it should inherit down as new files/directories are created by Splunk (Contrast that with the find/chmod approach, which you have to do over and over again as Splunk creates and modifies files in local.)


chicodeme
Communicator

I was looking more for a setting from a Splunk config. Managing ACLs is along the same lines as having to manage permissions. Also, I have SunOS, AIX, & Linux to manage. I should have been more specific in my question. Thanks for the feedback though.
