Splunk® Universal Forwarder

Forwarder Manual

Manage a Linux least-privileged user

Installing a Splunk universal forwarder automatically creates a least-privileged user. This is a non-root user with permissions specific to the successful operation of the universal forwarder features and add-ons.

To install the universal forwarder with a least-privileged user, see Install a Linux universal forwarder.

Least-privileged users are created when you install or update any Linux installation packaging format, including, .deb, .rpm, and .tgz. formats.

The least-privileged user possesses AmbientCapabilities that lets the user operate universal forwarder features and common add-ons without permission issues. These capabilities are:

Capability Desc Use
CAP_DAC_READ_SEARCH Bypass file read permission checks and directory read and execute permission checks; Collects data from files outside of $SPLUNK_HOME


Least privileged user security and performance implications

Least privilege mode is enabled to read any file permission on Linux version 9.0.0 and later.

A non-root or non-admin user that could not access some files before upgrade to least privilege user, may be able to access those files after upgrade in the following situations:

  • You upgrade the universal forwarder from old versions to a least privilege version.
  • Before upgrade, your universal forwarder is running as non-root or non-local admin.
  • Prior to upgrade, you have inputs to monitor a directory with many files, or inputs with scripts to read many files, where users have no permission to access those files

In addition to security issues, this can lead to potential performance issues. Since the universal forwarder is able to read far more files than before, more resources such as CPU, memory, and disk input/output are consumed.

To avoid this, you can disable the "read any file" capability manually. To do this, edit the unit file to remove the CAP_DAC_READ_SEARCH capability.

Disable, enable, or change least-privileged user

The least-privileged user is enabled automatically during installation or upgrade. You can manually enable or disable it. To disable it, stop Splunk and run:

[sudo] $SPLUNK_HOME/bin/splunk disable boot-start

This command removed the unit file as well as the startup file. This will remove unit files from both locations:

/usr/lib/systemd/system
/etc/systemd/system

To enable or overwrite an existing least-privileged user configuration, run:

[sudo] $SPLUNK_HOME/bin/splunk enable boot-start

This command will grant least-privilege capabilities by default, and the unit file is created in the user level directory.

To change users, you must run this command again.

chown -R splunkfwd:splunkfwd $SPLUNK_HOME

Troubleshooting

JournalD input does not show results

If you are using a dedicated user ID, make sure the splunkfwd user ID is in the correct group when starting Splunk using systemd.

Manually enable a least privilege user

If you encounter an error during installation that prevents the creation of a least-privileged user, you can use the following command to manually create or recreate the default least privileged user:

[sudo] $SPLUNK_HOME/bin/splunk enable boot-start -systemd-managed 1 -user <username> -group <groupname>

This creates a unit file with the following permissions:

######## Added for least privilege mode #########
NoNewPrivileges=yes
AmbientCapabilities=CAP_DAC_READ_SEARCH 
#############################################

Editing unit files

Splunk software potentially creates two unit files in two locations when you Install the least privileged user on a Linux machine. If you have error messages, you may have to check and edit both files. To locate both files run the following command:

 ./splunk display boot-start

Error messages

Error message Description
Cannot create file /etc/systemd/system/SplunkForwarder.service: permission denied. You must create the unit file manually or the current user does not have permission to create the unit file.
Failed to auto-set default user. Please create the unit file manually. The system cannot find a valid Linux user.
Failed to create splunk unit file. Please create the unit file manually Usually a system error, for example, the system cannot create the folder, create the startup file, or reload systemd.

Reference

About the unit files created for the least privileged user

Splunk software potentially creates two unit files in different locations when you Install the least-privileged user on a Linux machine.

  • If the first unit file is created successfully at installation, no further unit files are created.
  • If the first file fails during installation, another file is created on the user level in the local folder.
  • If you use the [sudo] $SPLUNK_HOME/bin/splunk enable boot-start command after a least privileged user is created, a new file is created locally. This either creates a new file in the local directory or overwrites any local file that exists.
  • The local file takes precedence over the system file.

To see your unit files and their location in your environment, you can run Splunk display boot-start.

/usr/lib/systemd/system where services are provided by installed packages This is automatically created during installation, and can be overwritten during upgrade or by running [sudo] $SPLUNK_HOME/bin/splunk enable boot-start
/etc/systemd/system where system-wide user services are placed by the system administrator Created when running splunk enable boot-start -systemd-managed 1

Reference unit file template

This is an example of a unit file template. You can use it to manually create a unit file.

#This unit file replaces the traditional start-up script for systemd
#configurations, and is used when enabling boot-start for Splunk on
#systemd-based Linux distributions.

[Unit]
Description=Systemd service file for Splunk, generated by 'splunk enable boot-start'
After=network.target

[Service]

######## Added for least privilege mode #########
NoNewPrivileges=yes
AmbientCapabilities=CAP_DAC_READ_SEARCH 
#############################################

Type=simple
Restart=always
ExecStartPre=-/bin/bash -c "chown -R splunkfwd:splunkfwd /opt/splunkforwarder
ExecStart=/opt/splunkfwd/bin/splunkfwd_internal_launch_under_systemd
KillMode=mixed
KillSignal=SIGINT
TimeoutStopSec=360
LimitNOFILE=65536
SuccessExitStatus=51 52
RestartPreventExitStatus=51
RestartForceExitStatus=52
User=splunkfwd
Group=splunkfwd
Delegate=true
CPUShares=1024
MemoryLimit=<value>
PermissionsStartOnly=true
ExecStartPost=/bin/bash -c "chown -R splunkfwd:splunkfwd /sys/fs/cgroup/cpu/system.slice/%n"
ExecStartPost=/bin/bash -c "chown -R splunkfwd:splunkfwd /sys/fs/cgroup/memory/system.slice/%n"

[Install]
WantedBy=multi-user.target
Last modified on 06 June, 2024
About management mode for the universal forwarder   Control forwarder access

This documentation applies to the following versions of Splunk® Universal Forwarder: 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.2.0, 9.2.1


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters