Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

What privileges does the splunk user need on Linux?

markakirkland
Path Finder
‎02-15-2017 09:37 PM

Splunk encouages the practices of least privilege when using the 'splunk' user in a Linux environment.

Based on the following link in Splunk Docs:
docs[dot]splunk[dot]com/Documentation/Splunk/6.5.2/Security/Secureyourserviceaccounts
http://docs.splunk.com/Documentation/Splunk/6.5.2/Security/Secureyourserviceaccounts

Question: Is there a list of permissions the 'splunk' user will need to have on any folders outside of the $SPLUNK_HOME/ directories?

For example, I have seen posts refer to /udev/random. I have also encountered the occasional permissions issue while in Splunk, resulting in an inability to save and/or modify in a specific folder outside of $SPLUNK_HOME/

Thank you.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

nickhills
Ultra Champion
‎02-16-2017 02:19 AM

A Splunk indexer, search head, deployment server, deployer, cluster manager etc should all run quite happily with the default "splunk:splunk" permissions only to the $SPLUNK_HOME/
(if your sticking to the standard TCP ports)

However, the permissions you need for a Universal or Heavy Forwarder will depend on what and how you are collecting data.

In our environment, our splunk servers all run as the splunk limited user. We use IPtables to forward 443 to splunk which means we don't have to run as root for access to the low port numbers.

Our forwarders run with a combination of permissions. In some cases we give the splunk user access to the folders, but in others we run them as root, as this provides the necessary file system log access without having to change system wide permissions. - We take extra care in these cases to make sure that traffic is very tightly controlled to/from these machines, and always use our own certificates and strong passwords

If my comment helps, please give it a thumbs up!

View solution in original post

Reply
Solved! Jump to solution

starcher
SplunkTrust
SplunkTrust
‎02-16-2017 04:07 AM

Try to never run as root if you can.
https://github.com/MattUebel/splunk_UF_hardening

Reply
Solved! Jump to solution
Solution

nickhills
Ultra Champion
‎02-16-2017 02:19 AM

A Splunk indexer, search head, deployment server, deployer, cluster manager etc should all run quite happily with the default "splunk:splunk" permissions only to the $SPLUNK_HOME/
(if your sticking to the standard TCP ports)

However, the permissions you need for a Universal or Heavy Forwarder will depend on what and how you are collecting data.

In our environment, our splunk servers all run as the splunk limited user. We use IPtables to forward 443 to splunk which means we don't have to run as root for access to the low port numbers.

Our forwarders run with a combination of permissions. In some cases we give the splunk user access to the folders, but in others we run them as root, as this provides the necessary file system log access without having to change system wide permissions. - We take extra care in these cases to make sure that traffic is very tightly controlled to/from these machines, and always use our own certificates and strong passwords

If my comment helps, please give it a thumbs up!
Reply
Solved! Jump to solution

markakirkland
Path Finder
‎02-16-2017 05:11 AM

Interesting... my recall may be failing me, but, I think I was on an indexer (creating an index via GUI... don't judge me too badly... :D) and trying to save a colddb to a location inside of $SPLUNK_HOME. It's possible that it may have been one directory higher...

Hmmm... maybe I didn't apply the correct permissions after after expanding the .tgz?

Unfortunately, there is no way for me to check, the system I built was only temporary.

Do you have any information on the /udev/random permission?

And, thank you for taking time to help me understand.

0 Karma
Reply
Solved! Jump to solution

nickhills
Ultra Champion
‎02-16-2017 05:27 AM

When we first installed Splunk, keen and excited we originally ran it all as root. This meant that we had some permission housekeeping to do when we moved to using the splunk user.
Although if your other indexes were ok, my guess is that 'someone' may have fiddled with the perms in your deployment (I too have seen similar - their entrails are now hung from the ceiling as a reminder to others) 🙂

I have just checked out half a dozen of my servers (amazon, centos6.5, centos7) and all have permissions crw-rw-rw- on /dev/random so I cant see that it should ever be an issue... unless the previous owner of my ceiling decorations had been at your box too! 🙂

If my comment helps, please give it a thumbs up!
0 Karma
Reply
Solved! Jump to solution

nickhills
Ultra Champion
‎12-19-2017 02:14 AM

Hello - If my answer or comments helped you, please accept the answer and upvote. This helps others know that you found a solution, and how it was fixed.

If my comment helps, please give it a thumbs up!
0 Karma
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...