Manage a Linux least-privileged user
Installing a Splunk universal forwarder automatically creates a least-privileged user. This is a non-root user with permissions specific to the successful operation of the universal forwarder features and add-ons.
To install the universal forwarder with a least-privileged user, see Install a Linux universal forwarder.
Least-privileged users are created when you install or update any Linux installation packaging format, including, .deb, .rpm, and .tgz. formats.
The least-privileged user possesses AmbientCapabilities
that lets the user operate universal forwarder features and common add-ons without permission issues. These capabilities are:
Capability | Desc | Use |
---|---|---|
CAP_DAC_READ_SEARCH
|
Bypass file read permission checks and directory read and execute permission checks; | Collects data from files outside of $SPLUNK_HOME
|
Least privileged user security and performance implications
Least privilege mode is enabled to read any file permission on Linux version 9.0.0 and later.
A non-root or non-admin user that could not access some files before upgrade to least privilege user, may be able to access those files after upgrade in the following situations:
- You upgrade the universal forwarder from old versions to a least privilege version.
- Before upgrade, your universal forwarder is running as non-root or non-local admin.
- Prior to upgrade, you have inputs to monitor a directory with many files, or inputs with scripts to read many files, where users have no permission to access those files
In addition to security issues, this can lead to potential performance issues. Since the universal forwarder is able to read far more files than before, more resources such as CPU, memory, and disk input/output are consumed.
To avoid this, you can disable the "read any file" capability manually. To do this, edit the unit file to remove the CAP_DAC_READ_SEARCH capability.
Disable, enable, or change least-privileged user
The least-privileged user is enabled automatically during installation or upgrade. You can manually enable or disable it. To disable it, stop Splunk and run:
[sudo] $SPLUNK_HOME/bin/splunk disable boot-start
This command removed the unit file as well as the startup file. This will remove unit files from both locations:
/usr/lib/systemd/system /etc/systemd/system
To enable or overwrite an existing least-privileged user configuration, run:
[sudo] $SPLUNK_HOME/bin/splunk enable boot-start
This command will grant least-privilege capabilities by default, and the unit file is created in the user level directory.
To change users, you must run this command again.
chown -R splunkfwd:splunkfwd $SPLUNK_HOME
Troubleshooting
JournalD input does not show results
If you are using a dedicated user ID, make sure the splunkfwd user ID is in the correct group when starting Splunk using systemd.
Manually enable a least privilege user
If you encounter an error during installation that prevents the creation of a least-privileged user, you can use the following command to manually create or recreate the default least privileged user:
[sudo] $SPLUNK_HOME/bin/splunk enable boot-start -systemd-managed 1 -user <username> -group <groupname>
This creates a unit file with the following permissions:
######## Added for least privilege mode ######### NoNewPrivileges=yes AmbientCapabilities=CAP_DAC_READ_SEARCH #############################################
Editing unit files
Splunk software potentially creates two unit files in two locations when you Install the least privileged user on a Linux machine. If you have error messages, you may have to check and edit both files. To locate both files run the following command:
./splunk display boot-start
Error messages
Error message | Description |
---|---|
Cannot create file /etc/systemd/system/SplunkForwarder.service: permission denied. | You must create the unit file manually or the current user does not have permission to create the unit file. |
Failed to auto-set default user. Please create the unit file manually. | The system cannot find a valid Linux user. |
Failed to create splunk unit file. Please create the unit file manually | Usually a system error, for example, the system cannot create the folder, create the startup file, or reload systemd. |
Reference
About the unit files created for the least privileged user
Splunk software potentially creates two unit files in different locations when you Install the least-privileged user on a Linux machine.
- If the first unit file is created successfully at installation, no further unit files are created.
- If the first file fails during installation, another file is created on the user level in the local folder.
- If you use the
[sudo] $SPLUNK_HOME/bin/splunk enable boot-start
command after a least privileged user is created, a new file is created locally. This either creates a new file in the local directory or overwrites any local file that exists. - The local file takes precedence over the system file.
To see your unit files and their location in your environment, you can run Splunk display boot-start
.
/usr/lib/systemd/system | where services are provided by installed packages | This is automatically created during installation, and can be overwritten during upgrade or by running [sudo] $SPLUNK_HOME/bin/splunk enable boot-start
|
/etc/systemd/system | where system-wide user services are placed by the system administrator | Created when running splunk enable boot-start -systemd-managed 1
|
Reference unit file template
This is an example of a unit file template. You can use it to manually create a unit file.
#This unit file replaces the traditional start-up script for systemd #configurations, and is used when enabling boot-start for Splunk on #systemd-based Linux distributions. [Unit] Description=Systemd service file for Splunk, generated by 'splunk enable boot-start' After=network.target [Service] ######## Added for least privilege mode ######### NoNewPrivileges=yes AmbientCapabilities=CAP_DAC_READ_SEARCH ############################################# Type=simple Restart=always ExecStartPre=-/bin/bash -c "chown -R splunkfwd:splunkfwd /opt/splunkforwarder ExecStart=/opt/splunkfwd/bin/splunkfwd_internal_launch_under_systemd KillMode=mixed KillSignal=SIGINT TimeoutStopSec=360 LimitNOFILE=65536 SuccessExitStatus=51 52 RestartPreventExitStatus=51 RestartForceExitStatus=52 User=splunkfwd Group=splunkfwd Delegate=true CPUShares=1024 MemoryLimit=<value> PermissionsStartOnly=true ExecStartPost=/bin/bash -c "chown -R splunkfwd:splunkfwd /sys/fs/cgroup/cpu/system.slice/%n" ExecStartPost=/bin/bash -c "chown -R splunkfwd:splunkfwd /sys/fs/cgroup/memory/system.slice/%n" [Install] WantedBy=multi-user.target
About management mode for the universal forwarder | Control forwarder access |
This documentation applies to the following versions of Splunk® Universal Forwarder: 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.3.0, 9.3.1
Feedback submitted, thanks!