What is the most secure way to allow a user read access to a log file
January 5, 2022 at 1:23 pm
I am running Splunk Enterprise on a Linux server in our environment. Our security standards prevent Splunk from running as the root user. In this scenario, Splunk will not be able to read critical Linux logs such as audit, messages and secure.
There are several methods to achieve this, but in this post I am using the ACL method.
First, you need to set the ACLs on these files in the /var/log folder. My Splunk runs under the user splunkadmin; the commands below grant read access to the splunkadmin group.
# setfacl -m g:splunkadmin:r /var/log/messages
# setfacl -m g:splunkadmin:r /var/log/secure
# setfacl -m g:splunkadmin:r /var/log/maillog
The above changes will not be retained when the logs are rotated, because logrotate creates a fresh file without the ACL. Thus you need to create a postrotate action for these logs to re-apply the ACLs.
1) Create a text file in the folder /etc/logrotate.d/ (my file is named Splunk_ACLs).
2) Add the below entries to the file
{
    postrotate
        # Re-apply the read ACL for the splunkadmin group after each rotation
        /usr/bin/setfacl -m g:splunkadmin:r /var/log/maillog
        /usr/bin/setfacl -m g:splunkadmin:r /var/log/messages
        /usr/bin/setfacl -m g:splunkadmin:r /var/log/secure
    endscript
}
You can verify the ACLs using
# getfacl /var/log/messages
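To go a step beyond eyeballing the getfacl output, here is a small added Python check (not part of the original post) that parses getfacl output and confirms the splunkadmin group ends up with read access only, taking the ACL mask into account (a mask of --- silently cancels the group entry). The sample getfacl output is constructed, not captured from a real host.

```python
import re

# Constructed `getfacl /var/log/messages` output after the setfacl command
# above (example data, not captured from a real host).
SAMPLE_GETFACL = """\
# file: var/log/messages
user::rw-
group::---
group:splunkadmin:r--
mask::r--
other::---
"""
ENTRY_RE = re.compile(r"^(user|group|mask|other):([^:]*):([rwx-]{3})$")

def parse_getfacl(text):
    """Map (tag, qualifier) -> perms. Header comments and any trailing
    '#effective:' note are dropped; effective rights are recomputed below."""
    acl = {}
    for line in text.splitlines():
        line = line.split("#")[0].strip()  # strips '# file:' headers and notes
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised ACL line: {line!r}")
        tag, qualifier, perms = m.groups()
        acl[(tag, qualifier)] = perms
    return acl

def effective_perms(perms, mask):
    """Rights the kernel grants a named entry: its bits AND-ed with the mask."""
    return "".join(p if p == m != "-" else "-" for p, m in zip(perms, mask))

def check_log_acl(text, group):
    """Least-privilege check: `group` must end up with exactly r--, and
    'other' must have no access. Returns a list of findings (empty = OK)."""
    acl = parse_getfacl(text)
    mask, findings = acl.get(("mask", ""), "rwx"), []
    raw = acl.get(("group", group))
    if raw is None:
        findings.append(f"no ACL entry for group {group}")
    else:
        if raw != "r--":
            findings.append(f"group {group} entry grants {raw}, expected r--")
        eff = effective_perms(raw, mask)
        if eff != "r--":
            findings.append(f"group {group} effective rights are {eff} (mask {mask})")
    if acl.get(("other", ""), "---") != "---":
        findings.append("world-readable: 'other' should be ---")
    return findings
```

Feed it the real output with `check_log_acl(subprocess.check_output(["getfacl", path], text=True), "splunkadmin")` on the host; an empty list means the file grants exactly what the setfacl commands intended.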
On the other hand, the steps for the audit files are different, because auditd manages the ownership and mode of its log itself.
Check the current permissions
# ls -l /var/log/audit/audit.log
-rw------- 1 root root 3531590 Jun 1 00:20 /var/log/audit/audit.log
Then edit the auditd.conf file (/etc/audit/auditd.conf) and change the log_group parameter to splunkadmin instead of root.
log_group = splunkadmin
Restart the auditd service
# service auditd restart
You can re-verify the permissions; the log is now group-owned by splunkadmin with group read access only:
# ls -l /var/log/audit/audit.log
-rw-r----- 1 root splunkadmin 3532862 Jun 1 00:24 /var/log/audit/audit.log
Source:
https://newbedev.com/what-is-the-most-secure-way-to-allow-a-user-read-access-to-a-log-file
Entry filed under: Linux. Tags: acl, audit, getfacl, Linux, setfacl, splunkadmin.