Secure your Linux universal forwarder with a least-privileged user
Installing a Splunk universal forwarder on Linux automatically creates a least-privileged user. This is a non-root user with permissions specific to the successful operation of the universal forwarder features and add-ons.
To install the universal forwarder with a least-privileged user, see Install a *nix universal forwarder.
Least-privileged users are created when you install or update any Linux installation packaging format, including .deb, .rpm, and .tgz formats.
The least-privileged user possesses AmbientCapabilities that let the user operate universal forwarder features and common add-ons without permission issues. These capabilities are:
Capability | Description | Use
---|---|---
CAP_DAC_READ_SEARCH | Bypass file read permission checks and directory read and execute permission checks | Collects data from files outside of $SPLUNK_HOME
CAP_NET_ADMIN | Perform various network-related operations | Used by the Stream Forwarder
CAP_NET_RAW | Use RAW and PACKET sockets | Used by the Stream Forwarder
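The capabilities in the table are what the unit file grants; what the forwarder actually holds at runtime is visible in the CapAmb line of /proc/<pid>/status as a hex bit mask. The following script is an added example, not part of the Splunk documentation or product: it decodes that mask into capability names (bit numbers from <linux/capability.h>: CAP_DAC_READ_SEARCH=2, CAP_NET_ADMIN=12, CAP_NET_RAW=13) and checks that the process is non-root, has no_new_privs set, and holds exactly the three expected ambient capabilities. SAMPLE_STATUS is a constructed excerpt of a status file; the mask 0x3004 sets bits 2, 12 and 13.

```shell
#!/bin/sh
# Added example (not Splunk's code): decode the CapAmb mask of a running splunkd
# from /proc/<pid>/status and confirm the process is non-root with exactly the
# three ambient capabilities the least-privileged user is granted.
# SAMPLE_STATUS is a constructed excerpt of such a status file.
SAMPLE_STATUS='Name: splunkd
Uid: 1001 1001 1001 1001
Gid: 1001 1001 1001 1001
NoNewPrivs: 1
CapInh: 0000000000003004
CapPrm: 0000000000003004
CapEff: 0000000000003004
CapBnd: 000001ffffffffff
CapAmb: 0000000000003004'

EXPECTED_CAPS="CAP_DAC_READ_SEARCH CAP_NET_ADMIN CAP_NET_RAW"

# Bit number -> capability name, from <linux/capability.h> (subset; others print CAP_<bit>).
cap_name() {
  case "$1" in
    0) echo CAP_CHOWN ;;  1) echo CAP_DAC_OVERRIDE ;;  2) echo CAP_DAC_READ_SEARCH ;;
    3) echo CAP_FOWNER ;; 6) echo CAP_SETGID ;;        7) echo CAP_SETUID ;;
    10) echo CAP_NET_BIND_SERVICE ;; 12) echo CAP_NET_ADMIN ;; 13) echo CAP_NET_RAW ;;
    19) echo CAP_SYS_PTRACE ;; 21) echo CAP_SYS_ADMIN ;;
    *) echo "CAP_$1" ;;
  esac
}

# Second column of a "Field:" line in /proc/<pid>/status text.
status_field() {  # $1 = field name, $2 = status text
  printf '%s\n' "$2" | awk -v f="$1:" '$1 == f { print $2 }'
}

# Expand a 64-bit hex capability mask into capability names, lowest bit first.
decode_caps() {  # $1 = 16-hex-digit mask as printed in /proc/<pid>/status
  mask=$(( 0x$1 )); bit=0; names=""
  while [ "$bit" -lt 64 ]; do
    if [ $(( (mask >> bit) & 1 )) -eq 1 ]; then names="$names $(cap_name "$bit")"; fi
    bit=$(( bit + 1 ))
  done
  printf '%s\n' "${names# }"
}

# Return 0 if the process runs as a non-root uid with no_new_privs set and exactly
# the expected ambient set; otherwise report which condition failed and return 1.
check_least_priv() {  # $1 = status text
  rc=0
  [ "$(status_field Uid "$1")" != 0 ] || { echo "running as root"; rc=1; }
  [ "$(status_field NoNewPrivs "$1")" = 1 ] || { echo "NoNewPrivs is not set"; rc=1; }
  caps=$(decode_caps "$(status_field CapAmb "$1")")
  [ "$caps" = "$EXPECTED_CAPS" ] || { echo "ambient capabilities are '$caps'"; rc=1; }
  return "$rc"
}

echo "ambient: $(decode_caps "$(status_field CapAmb "$SAMPLE_STATUS")")"
check_least_priv "$SAMPLE_STATUS" && echo "least-privilege check passed"
# On a live host, feed the real status file instead of the sample, for example:
#   check_least_priv "$(cat /proc/"$(pgrep -o -x splunkd)"/status)"
```

A CapAmb of all zeros with Uid 0 is the signature of a forwarder that was started by the old root-owned unit or by hand as root, which is the condition the least-privileged user is meant to remove.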
Disable, enable, or change the least-privileged user
The least-privileged user is enabled automatically during installation or upgrade. You can manually enable or disable it. To disable it, stop Splunk and run:
[sudo] $SPLUNK_HOME/bin/splunk disable boot-start
This command removes the unit file as well as the startup file. Unit files are removed from both of these locations:
/usr/lib/systemd/system
/etc/systemd/system
To enable or overwrite an existing least-privileged user configuration, run:
[sudo] $SPLUNK_HOME/bin/splunk enable boot-start
This command grants the least-privilege capabilities by default and creates the unit file in the user-level directory.
To change users, you must run this command again. The installation directory must also be owned by the user that runs the forwarder, for example:
chown -R splunk:splunk $SPLUNK_HOME
Troubleshooting
JournalD input does not show results
If you are using a dedicated user ID, make sure the splunk user ID is in the correct group when starting Splunk using systemd.
Manually enable a least-privileged user
If you encounter an error during installation that prevents the creation of a least-privileged user, you can use the following command to manually create or recreate the default least-privileged user:
[sudo] $SPLUNK_HOME/bin/splunk enable boot-start -systemd-managed 1 -user <username> -group <groupname>
This creates a unit file with the following settings in its [Service] section:
######## Added for least privilege mode #########
NoNewPrivileges=yes
AmbientCapabilities=CAP_DAC_READ_SEARCH CAP_NET_ADMIN CAP_NET_RAW
#############################################
Editing unit files
Splunk software potentially creates two unit files in two locations when you install the least-privileged user on a Linux machine. If you see error messages, you may have to check and edit both files. To locate both files, run the following command:
./splunk display boot-start
Error messages
Error message | Description |
---|---|
Cannot create file /usr/lib/systemd/system/SplunkForwarder.service: permission denied. | The current user does not have permission to create the unit file. You must create the unit file manually. |
Failed to auto-set default user. Please create the unit file manually. | The system cannot find a valid Linux user. |
Failed to create splunk unit file. Please create the unit file manually | Usually a system error, for example, the system cannot create the folder, create the startup file, or reload systemd. |
Reference
About the unit files created for the least privileged user
Splunk software potentially creates two unit files in different locations when you install the least-privileged user on a Linux machine.
- If the first unit file is created successfully at installation, no further unit files are created.
- If the first file fails during installation, another file is created on the user level in the local folder.
- If you use the [sudo] $SPLUNK_HOME/bin/splunk enable boot-start command after a least-privileged user is created, a new file is created locally. This either creates a new file in the local directory or overwrites any local file that exists.
- The local file takes precedence over the system file.
To see your unit files and their location in your environment, run splunk display boot-start.
Location | Purpose | How it is created
---|---|---
/usr/lib/systemd/system | Where services are provided by installed packages | Automatically created during installation; can be overwritten during upgrade or by running [sudo] $SPLUNK_HOME/bin/splunk enable boot-start
/etc/systemd/system | Where system-wide user services are placed by the system administrator | Created when running splunk enable boot-start -systemd-managed 1
Reference unit file template
This is an example of a unit file template. You can use it to manually create a unit file. Replace the paths, user and group names, and the MemoryLimit value with those for your installation.
#This unit file replaces the traditional start-up script for systemd
#configurations, and is used when enabling boot-start for Splunk on
#systemd-based Linux distributions.
[Unit]
Description=Systemd service file for Splunk, generated by 'splunk enable boot-start'
After=network.target
[Service]
######## Added for least privilege mode #########
NoNewPrivileges=yes
AmbientCapabilities=CAP_DAC_READ_SEARCH CAP_NET_ADMIN CAP_NET_RAW
#############################################
Type=simple
Restart=always
ExecStart=/opt/splunk/bin/splunk _internal_launch_under_systemd
KillMode=mixed
KillSignal=SIGINT
TimeoutStopSec=360
LimitNOFILE=65536
SuccessExitStatus=51 52
RestartPreventExitStatus=51
RestartForceExitStatus=52
User=splunk
Group=splunk
Delegate=true
CPUShares=1024
MemoryLimit=<value>
PermissionsStartOnly=true
ExecStartPost=/bin/bash -c "chown -R splunker:splunker /sys/fs/cgroup/cpu/system.slice/%n"
ExecStartPost=/bin/bash -c "chown -R splunker:splunker /sys/fs/cgroup/memory/system.slice/%n"
[Install]
WantedBy=multi-user.target
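Because a unit in /etc/systemd/system takes precedence over the packaged copy in /usr/lib/systemd/system, the file you edited is not always the file systemd loads. The following script is an added example, not Splunk's code or documentation: it resolves which SplunkForwarder.service copy is effective and checks that it carries the least-privilege settings from the template (NoNewPrivileges=yes, the three AmbientCapabilities, and a non-root User). The two unit files are constructed samples written under a temporary directory that stands in for the two system locations; the user name splunkfwd is an assumed value.

```shell
#!/bin/sh
# Added example (not Splunk's code): find the effective SplunkForwarder.service
# unit, given that /etc/systemd/system overrides /usr/lib/systemd/system, and
# verify it carries the least-privilege settings from the reference template.
# Both sample units below are constructed and written to a temporary tree.
UNIT=SplunkForwarder.service
ROOT=$(mktemp -d)
ADMIN_DIR=$ROOT/etc/systemd/system       # stands in for /etc/systemd/system
PKG_DIR=$ROOT/usr/lib/systemd/system     # stands in for /usr/lib/systemd/system
mkdir -p "$ADMIN_DIR" "$PKG_DIR"

# Constructed package-level unit: runs the forwarder as root, no privilege bounding.
cat > "$PKG_DIR/$UNIT" <<'EOF'
[Unit]
Description=Splunk forwarder (package default, constructed sample)
[Service]
Type=simple
ExecStart=/opt/splunkforwarder/bin/splunk _internal_launch_under_systemd
User=root
[Install]
WantedBy=multi-user.target
EOF

# Constructed administrator unit carrying the least-privilege lines of the template.
cat > "$ADMIN_DIR/$UNIT" <<'EOF'
[Unit]
Description=Splunk forwarder (least privilege, constructed sample)
[Service]
NoNewPrivileges=yes
AmbientCapabilities=CAP_DAC_READ_SEARCH CAP_NET_ADMIN CAP_NET_RAW
Type=simple
ExecStart=/opt/splunkforwarder/bin/splunk _internal_launch_under_systemd
User=splunkfwd
Group=splunkfwd
[Install]
WantedBy=multi-user.target
EOF

# Path systemd will load: the administrator copy wins when both exist.
effective_unit() {  # $1 = unit name, $2 = admin dir, $3 = package dir
  if [ -f "$2/$1" ]; then printf '%s\n' "$2/$1"
  elif [ -f "$3/$1" ]; then printf '%s\n' "$3/$1"
  else return 1; fi
}

# Value of a single-valued key in a unit file (last assignment wins, as in systemd).
unit_value() {  # $1 = key, $2 = unit file
  sed -n "s/^$1=//p" "$2" | tail -n 1
}

# Return 0 if the unit runs as a non-root user with NoNewPrivileges=yes and exactly
# the three forwarder capabilities; otherwise print each missing setting and return 1.
check_least_priv_unit() {  # $1 = unit file
  rc=0
  user=$(unit_value User "$1")
  if [ -z "$user" ] || [ "$user" = root ]; then echo "$1: User is missing or root"; rc=1; fi
  if [ "$(unit_value NoNewPrivileges "$1")" != yes ]; then echo "$1: NoNewPrivileges is not yes"; rc=1; fi
  caps=$(unit_value AmbientCapabilities "$1" | tr ' ' '\n' | LC_ALL=C sort | tr '\n' ' ')
  if [ "$caps" != "CAP_DAC_READ_SEARCH CAP_NET_ADMIN CAP_NET_RAW " ]; then
    echo "$1: AmbientCapabilities is '$(unit_value AmbientCapabilities "$1")'"; rc=1
  fi
  return "$rc"
}

unit=$(effective_unit "$UNIT" "$ADMIN_DIR" "$PKG_DIR")
echo "effective unit: $unit"
check_least_priv_unit "$unit" && echo "least-privilege settings present"
check_least_priv_unit "$PKG_DIR/$UNIT" || echo "package unit alone would run the forwarder as root"
```

On a real host, call effective_unit with /etc/systemd/system and /usr/lib/systemd/system and run check_least_priv_unit on the result; a passing check on the packaged file while the administrator copy fails means the file actually loaded is still the weak one.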
This documentation applies to the following versions of Splunk® Universal Forwarder: 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10