
[systemd] splunk start keeps on asking to enter password

sylim_splunk
Splunk Employee

I am running 7.3.3 using systemd and running into issues running splunk restart as the splunk user.
I ran "splunk enable boot-start -systemd-managed 1 -user splunk".
According to the Splunk docs at https://docs.splunk.com/Documentation/Splunk/8.0.1/Admin/RunSplunkassystemdservice it reads as below:

"You must use sudo to run splunk start|stop|restart commands. If you do not use sudo, you must authenticate."
I've read the several articles below, but they don't appear to fix the issue.

[splunk]$ sudo splunk restart
Send restart to systemctl
==== AUTHENTICATING FOR org.freedesktop.systemd1.manage-units ===
Authentication is required to manage system services or units.

I followed the steps below and added the commands to sudoers.

https://answers.splunk.com/answers/724473/major-boot-start-change-with-723-1.html
https://answers.splunk.com/answers/710045/splunk-722-systemd-root-privileges-required-when-s.html

Here's my current systemd script:
[root]# cat /etc/systemd/system/Splunkd.service
#This unit file replaces the traditional start-up script for systemd
#configurations, and is used when enabling boot-start for Splunk on
#systemd-based Linux distributions.

[Unit]
Description=Systemd service file for Splunk, generated by 'splunk enable boot-start'
After=network.target

[Service]
Type=simple
Restart=always
ExecStart=/opt/splunk/bin/splunk _internal_launch_under_systemd
LimitNOFILE=65536
SuccessExitStatus=51 52
RestartPreventExitStatus=51
RestartForceExitStatus=52
User=splunk
Delegate=true
CPUShares=1024
MemoryLimit=7831937024
PermissionsStartOnly=true
ExecStartPost=/bin/bash -c "chown -R 1003:1003 /sys/fs/cgroup/cpu/system.slice/%n"
ExecStartPost=/bin/bash -c "chown -R 1003:1003 /sys/fs/cgroup/memory/system.slice/%n"

[Install]
WantedBy=multi-user.target

I also tried adding the following to my /etc/sudoers:
splunk ALL=(root) NOPASSWD: /usr/bin/systemctl restart Splunkd.service
splunk ALL=(root) NOPASSWD: /usr/bin/systemctl stop Splunkd.service
splunk ALL=(root) NOPASSWD: /usr/bin/systemctl start Splunkd.service
splunk ALL=(root) NOPASSWD: /usr/bin/systemctl status Splunkd.service


sylim_splunk
Splunk Employee

Here's what you need to do to achieve what you want:

[root]$ visudo   (to add the below, in addition to what you have done earlier)
splunk ALL=(root) NOPASSWD: /usr/bin/systemctl restart Splunkd.service
splunk ALL=(root) NOPASSWD: /usr/bin/systemctl stop Splunkd.service
splunk ALL=(root) NOPASSWD: /usr/bin/systemctl start Splunkd.service
splunk ALL=(root) NOPASSWD: /usr/bin/systemctl status Splunkd.service
splunk ALL=(root) NOPASSWD: /opt/splunk/bin/splunk restart
splunk ALL=(root) NOPASSWD: /opt/splunk/bin/splunk stop
splunk ALL=(root) NOPASSWD: /opt/splunk/bin/splunk start

Then "sudo ./splunk start" or "sudo /opt/splunk/bin/splunk start" will work without requesting a password. "sudo splunk start" will still need authentication.

To make "sudo splunk start" work passwordless, add /opt/splunk/bin to secure_path.

  • visudo & locate "secure_path", then add "/opt/splunk/bin" to the end, i.e. it would look like below:

Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin:/opt/splunk/bin

Save the change and confirm it has been configured OK with "$ visudo -c".

Use the sudo command to splunk start/stop/restart, such as
$ sudo splunk start

If you have concerns about the security of using secure_path, you had better use systemctl or just use the /opt/splunk/bin/splunk command with its full path.

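As an added check, not code from the thread or from Splunk: the entries above mix two kinds of sudo rule, ones that run root-owned /usr/bin/systemctl and ones that run /opt/splunk/bin/splunk, which after a normal install is owned by the splunk account itself. The script below parses sudoers-style lines and flags any entry whose command the rule's own user could replace or is not given as an absolute path. File ownership is supplied as a constructed table (no stat(2) calls) so it runs offline; on a real host you would fill that table from `stat -c '%U %a' <path>` for each command path.

```javascript
// Added example, not code from the thread: audit sudoers entries for the
// pattern "user may run, as root, a command that user can modify".
// Filesystem metadata is a constructed table so the script runs offline.

// Constructed stand-in for the filesystem: path -> { owner, mode }.
// /opt/splunk is owned by the splunk user after a typical install, which is
// what makes the /opt/splunk/bin/splunk entries dangerous.
const FILE_META = {
  "/usr/bin/systemctl":     { owner: "root",   mode: 0o755 },
  "/opt/splunk/bin/splunk": { owner: "splunk", mode: 0o755 },
};

// The entries from the accepted answer, used as sample input.
const SAMPLE_SUDOERS = [
  "splunk ALL=(root) NOPASSWD: /usr/bin/systemctl restart Splunkd.service",
  "splunk ALL=(root) NOPASSWD: /usr/bin/systemctl stop Splunkd.service",
  "splunk ALL=(root) NOPASSWD: /usr/bin/systemctl start Splunkd.service",
  "splunk ALL=(root) NOPASSWD: /usr/bin/systemctl status Splunkd.service",
  "splunk ALL=(root) NOPASSWD: /opt/splunk/bin/splunk restart",
  "splunk ALL=(root) NOPASSWD: /opt/splunk/bin/splunk stop",
  "splunk ALL=(root) NOPASSWD: /opt/splunk/bin/splunk start",
];

// Parse "user host=(runas) [NOPASSWD:] command [args]" into its parts.
// Returns null for blank lines, comments and forms this simple parser does
// not handle (aliases, several commands on one line).
function parseSudoersLine(line) {
  const t = line.trim();
  if (t === "" || t.startsWith("#")) return null;
  const m = /^(\S+)\s+(\S+?)\s*=\s*\(([^)]*)\)\s*(NOPASSWD:\s*)?(\S+)(.*)$/.exec(t);
  if (!m) return null;
  return {
    user: m[1], host: m[2], runas: m[3],
    nopasswd: Boolean(m[4]), command: m[5], args: m[6].trim(),
  };
}

// Reasons (possibly none) why the entry lets entry.user control what root
// executes.
function riskOf(entry, meta) {
  const reasons = [];
  if (!entry.command.startsWith("/")) {
    reasons.push("command is not an absolute path");
    return reasons;
  }
  const m = meta[entry.command];
  if (!m) {
    reasons.push("command path missing from metadata");
    return reasons;
  }
  // The owner can chmod or replace the file whatever the mode bits say.
  if (m.owner === entry.user) reasons.push(`binary is owned by ${entry.user}`);
  if (m.mode & 0o002) reasons.push("binary is world-writable");
  // Group-writable bits would need the user's group list; not modelled here.
  return reasons;
}

// Return the flagged entries together with their reasons.
function auditSudoers(lines, meta) {
  const flagged = [];
  for (const line of lines) {
    const entry = parseSudoersLine(line);
    if (!entry) continue;
    const reasons = riskOf(entry, meta);
    if (reasons.length > 0) flagged.push({ line, entry, reasons });
  }
  return flagged;
}

// Stand-alone run: print the verdicts for the sample entries.
for (const f of auditSudoers(SAMPLE_SUDOERS, FILE_META)) {
  console.log(`RISKY: ${f.line}\n       ${f.reasons.join("; ")}`);
}
```

Run against the sample, the four systemctl entries come back clean and the three /opt/splunk/bin/splunk entries are flagged because the binary's owner is the same account the rule grants root to. The same check applies to anything placed on secure_path: sudo resolving "splunk" through a directory the splunk user owns has the same effect as the absolute-path entries.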

maraman_splunk
Splunk Employee

The solution in the linked answer is much safer to use, as it leverages the OS mechanism to give access to systemd from Splunk (with a little help from an additional script to be more fine-grained).



kringo
Loves-to-Learn

IF YOU NEED TO SET THE USER AS ROOT THEN WHY IS THERE EVEN A **bleep**ING USER?


maraman_splunk
Splunk Employee

Hmm, the first lines are fine, but they require calling sudo.
The last 2 lines seem risky.
Adding a sudo entry that runs the splunk binary as root is kind of defeating the whole initial point of not having splunk run as root.
If you are an attacker running as splunk, you could just replace the splunk binary with whatever you want and easily become root....
The proper and secure way is to use the OS way of allowing an unprivileged process to call systemd, which is PolicyKit.
Unfortunately, it is OS, systemd and PolicyKit dependent and requires some configuration, but that works perfectly on at least the RH7/8 + CentOS7/8 + AWS2 distributions.
The answer post linked below is pointing at this solution.

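The PolicyKit route described above, as an added example that is not part of the thread and not Splunk's or the linked answer's script: a polkit rule (polkit rules are JavaScript) that lets the unprivileged splunk account start, stop and restart Splunkd.service and nothing else. Because polkit evaluates `org.freedesktop.systemd1.manage-units` with the unit name and the verb attached as action details, the rule can be scoped to one unit and three verbs, with no sudo and no root execution of anything under /opt/splunk. To make the decision logic runnable with Node offline, the block wraps the rule in a small stand-in for polkit's engine; on a real host only the `polkit.addRule(...)` call goes into a rules file (the path /etc/polkit-1/rules.d/10-splunk.rules is an assumption), and polkit itself provides the `polkit` object.

```javascript
// Added example, not from the thread: a polkit rule scoped to one unit and
// three verbs, plus a stub engine so the rule can be exercised offline.
// Everything marked "stub" exists only for testing here; on a host, polkit
// supplies `polkit`, `action` and `subject`.

// --- stub: minimal model of the polkit JS rule engine ----------------------
const polkit = {
  Result: { YES: "yes", NO: "no" },
  _rules: [],
  addRule(fn) { this._rules.push(fn); },
  log(msg) { console.log("polkit: " + msg); },
};

// --- the rule, as it would appear in /etc/polkit-1/rules.d/10-splunk.rules --
polkit.addRule(function (action, subject) {
  // systemd attaches the unit name and the verb (start/stop/restart/...)
  // as details of the org.freedesktop.systemd1.manage-units action.
  if (action.id === "org.freedesktop.systemd1.manage-units" &&
      action.lookup("unit") === "Splunkd.service" &&
      subject.user === "splunk") {
    const verb = action.lookup("verb");
    if (verb === "start" || verb === "stop" || verb === "restart") {
      return polkit.Result.YES;
    }
  }
  // Return nothing: the next rule or the action's default policy decides,
  // so every other unit, verb and user still gets the usual prompt.
});

// --- stub: evaluate one request the way polkit walks its rules -------------
function decide(actionId, details, user) {
  const action = { id: actionId, lookup: (key) => details[key] };
  const subject = { user };
  for (const rule of polkit._rules) {
    const result = rule(action, subject);
    if (result !== undefined) return result;
  }
  return "default"; // fall through to the action's default (auth prompt)
}

// Stand-alone run: a few requests through the rule.
const MANAGE_UNITS = "org.freedesktop.systemd1.manage-units";
console.log("splunk restart Splunkd.service ->",
  decide(MANAGE_UNITS, { unit: "Splunkd.service", verb: "restart" }, "splunk"));
console.log("splunk stop sshd.service       ->",
  decide(MANAGE_UNITS, { unit: "sshd.service", verb: "stop" }, "splunk"));
console.log("alice restart Splunkd.service  ->",
  decide(MANAGE_UNITS, { unit: "Splunkd.service", verb: "restart" }, "alice"));
```

With the rule installed, the splunk user runs `splunk restart` without sudo: the "Send restart to systemctl" step in the question calls systemctl, systemctl asks polkit, and the rule answers YES for that one unit while `sudo` and secure_path stay untouched. Two caveats: the unit name comparison is exact and case-sensitive, so it must match the installed unit (Splunkd.service here), and JavaScript rules need polkit 0.106 or later; older Debian/Ubuntu releases still ship 0.105, where the same policy is expressed in a .pkla file instead. You can confirm the effect on a host by running `systemctl restart Splunkd.service` as the splunk user and watching the journal for the polkit decision.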

evinasco08
Explorer

Hi,

Did you find the secure solution??

Regards


sylim_splunk
Splunk Employee

I agree with your points. That'd be the same, as risky as adding the systemctl command to sudo, which eventually runs splunk as root and then setuids to splunk.
