Solved: Is there any reason not to run Splunk as root?

MikeBertelsen · ‎11-10-2014

Trying to create a Data Input on a forwarder using TCP Port 514. Can't do it as the splunk id. No problem creating DI using port 5514.

richgalloway · ‎11-10-2014

Ports 0-1024 are protected. Only root can use them.

To address the question, yes, there are reasons to not run Splunk as root. Company policy may prohibit it. Security best practices say only system processes should run as root. Any program running as root may have a weakness that can be exploited to give an outsider a way into your system. That said, some things (like opening port 514) can only be done by root.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎11-10-2014

Ports 0-1024 are protected. Only root can use them.

To address the question, yes, there are reasons to not run Splunk as root. Company policy may prohibit it. Security best practices say only system processes should run as root. Any program running as root may have a weakness that can be exploited to give an outsider a way into your system. That said, some things (like opening port 514) can only be done by root.

---
If this reply helps you, Karma would be appreciated.

martin_mueller · ‎11-10-2014

If you have to receive data on 514, consider setting up an iptables entry for 514 to reroute it to a local port >1024 and have non-root Splunk listen to that.

ppablo · ‎11-10-2014

There have been a couple previous questions here on Answer that address this topic such as this post: http://answers.splunk.com/answers/145385/should-we-run-splunk-as-root-or-non-root-user.html

Pretty much the same security issue and best practice that @richgalloway points out.

Is there any reason not to run Splunk as root?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases