Security

termsOfServiceDirectory which web.conf should this stanza be placed in, in a distributed environment. Using btool

swagner1965
Path Finder

I need to make sure the AUP message pops up and is accepted anytime people log into the web interface on search heads. I have this working on a simple single server instance of Splunk. I need it to work on a distributed search head configuration. This is the process that works on single instances with user pw authentication only instead of the smart card authentication we use for our production environment.

  1. Create tos app

    Use web interface and go to manage apps
    Create app, not visible

    from cmd line
    vi ./splunk/etc/apps/tos/tos.conf

  2. Create the html file to hold the DoD Banner text

    vi ./splunk/etc/system/static/46.html

    Insert the banner text
    save using ZZ

    Check ownership and permissions

    chown splunk ./splunk/etc/system/static/46.html
    chgrp splunk ./splunk/etc/system/static/46.html
    chmod 444 ./splunk/etc/system/static/46.html
    
  3. Edit web.conf with vi to point to location of DoD html file

    vi ./splunk/etc/system/local/web.conf

    insert the following stanza:

    [settings]
    
    # Warning and Acceptance Banner
    termsOfServiceDirectory = /opt/splunk/etc/system/static/
    

    save using ZZ
    check ownership and permissions

    chown splunk ./splunk/etc/system/local/web.conf
    chgrp splunk ./splunk/etc/system/local/web.conf
    chmod 600 ./splunk/etc/system/local/web.conf
    
  4. Restart Splunk

    stop splunk
    cd ./splunk/bin/
    ./splunk stop

    wait
    

    restart splunk

    ./splunk start

  5. Log on through web interface to verify success

using btool
./splunk btool web list --debug

I see tons of entries and many web.conf paths that are in the ./splunk/etc/app/...... which one is the relevant one in a distributed system? I tried the ./splunk/etc/system/default. It killed our smart card authentication and did not pop up a banner.

Labels (1)

swagner1965
Path Finder

Hey there, my inbox blew up this morning with all the comments. Thank you. I will try them out this evening when I am back online with work.

woodcock
Esteemed Legend

Put it in the local directory of your tos app here:

$SPLUNK_HOME/etc/apps/tos/local/web.conf

This is also where your tos.conf file should go.

TRex
SplunkTrust
SplunkTrust

This isn't quite right. While the tos app's local directory should be used to house the web.conf and it's termsOfServiceDirectory pointer, and possibly the html file for that terms of service page, the tos.conf file is located under the $SPLUNK_HOME/etc/user context, containing the date of the tos acknowledgement for the individual.
There isn't a traditional tos.conf spec or documentation page, so while it is a .conf file, it doesn't operate in the traditional manner.

0 Karma

woodcock
Esteemed Legend

I Agree with you.

0 Karma

Yorokobi
SplunkTrust
SplunkTrust

Part of the problem I see is that you're not creating the tos app correctly. .conf files need to go into a local/ or default/ directory and there's no need to create a tos.conf.

On a Search Head Cluster Deployer:

mkdir -p etc/shcluster/apps/tos/{default,metadata}
cd etc/shcluster/apps/tos/default

On a single instance:

mkdir -p etc/apps/tos/{default,metadata}
cd etc/apps/tos/default

Create web.conf (yes, you can and should create this file in the tos app. No need to go mucking about in etc/system/local/)

vim web.conf

Add the following two lines

[settings]
termsOfServiceDirectory = $SPLUNK_HOME/etc/apps/tos/default

Create 1.html (also in the tos/default/ directory)

vim 1.html

1.html example contents:

<p>These are the terms of service.</p>

Then restart Splunk. If you're on a SHC, initiate a rolling restart. After the restart completes, you will see the TOS after logging in.

I have tested this on a 7.3.4 SHC with SSO/SAML and a single instance 8.0.2.1 with normal Splunk authentication.

Yorokobi
SplunkTrust
SplunkTrust

You can add an app.conf to the default/ directory to trigger a restart for you, as well:

[install]
is_configured = 1

[ui]
is_visible = 0
label = TOS

[launcher]
author = Me!
description = Terms of Service
version = 1.0

[triggers]
reload.web = simple

But keep in mind that this will cause a restart for every change to web.conf rather than the default behaviour of hitting a REST endpoint that silently applies the change.

Yorokobi
SplunkTrust
SplunkTrust

This solution also lets you filter the results from btool

% splunk btool web list --debug | grep 'tos/'
/opt/splunk/etc/apps/tos/default/web.conf                         [settings]
/opt/splunk/etc/apps/tos/default/web.conf                         termsOfServiceDirectory = $SPLUNK_HOME/etc/apps/tos/default

swagner1965
Path Finder

I am working on seeing if I am allowed to post the btool output. We need to sanitize it due to our security posture here.

Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...