
What is the most secure way to allow a user read access to a log file

I am running Splunk Enterprise on a Linux server in our environment. Our security standards prevent Splunk from running as the root user. In this scenario we run into a situation where we cannot read critical Linux logs such as audit, messages and secure.

There are several methods to achieve this, but in this post I am using the ACL method.

First, you need to set the ACLs on these files located in the /var/log folder. My Splunk is running under the user splunkadmin.

# setfacl -m g:splunkadmin:r /var/log/messages
# setfacl -m g:splunkadmin:r /var/log/secure
# setfacl -m g:splunkadmin:r /var/log/maillog

The above changes will not be retained when the logs are rotated. Thus you need to create a postrotate action for these logs to retain the ACLs.

1) Create a text file in the folder /etc/logrotate.d/Splunk_ACLs (my file name is SplunkACLs).
2) Add the below entries to the file:
        # re-apply the same group ACL set with the setfacl commands above so it survives rotation
        /usr/bin/setfacl -m g:splunkadmin:r /var/log/maillog
        /usr/bin/setfacl -m g:splunkadmin:r /var/log/messages
        /usr/bin/setfacl -m g:splunkadmin:r /var/log/secure

You can verify the ACLs using:
# getfacl /var/log/messages
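As an added example (not from the original post), a small Python check that parses getfacl output and reports whether the splunkadmin group still has effective read on each log after rotation; it also catches the case where the entry is present but capped by the ACL mask. The getfacl output embedded below is constructed, and the function names are my own.

```python
"""Check that a group's ACL entry still grants effective read on each log file.
When the ACL mask is narrower than an entry, getfacl appends "#effective:" with the
rights that actually apply, so group:splunkadmin:r-- can still mean no read access."""
import subprocess

# Constructed sample of getfacl output: messages carries the ACL from the post,
# secure has had its mask reset so the same entry is no longer effective.
SAMPLE_GETFACL = """\
# file: var/log/messages
# owner: root
# group: root
user::rw-
group::---
group:splunkadmin:r--
mask::r--
other::---

# file: var/log/secure
user::rw-
group::---
group:splunkadmin:r--       #effective:---
mask::---
other::---
"""

def parse_getfacl(text):
    """Return {path: {(type, name): effective_perms}} for each file in getfacl output."""
    files, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("# file:"):
            current = line.split(":", 1)[1].strip()
            files[current] = {}
        elif line and not line.startswith(("#", "default:")) and current is not None:
            entry, _, effective = line.partition("#effective:")
            kind, name, perms = entry.strip().split(":")
            files[current][(kind, name)] = effective.strip() or perms
    return files

def group_can_read(files, group):
    """Map each path to True only if the named group's ACL entry has effective read."""
    return {path: "r" in acl.get(("group", group), "") for path, acl in files.items()}

def check_live(paths, group):
    """Same check against real files; needs the acl package and read access to the paths."""
    out = subprocess.run(["getfacl", "--absolute-names", *paths],
                         capture_output=True, text=True, check=True).stdout
    return group_can_read(parse_getfacl(out), group)

if __name__ == "__main__":
    for path, ok in group_can_read(parse_getfacl(SAMPLE_GETFACL), "splunkadmin").items():
        print(f"{path}: {'OK' if ok else 'NOT readable: entry missing or masked'}")
```

Running check_live(["/var/log/messages", "/var/log/secure", "/var/log/maillog"], "splunkadmin") from cron after each rotation gives a quick alert when the postrotate step has stopped working.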

On the other hand, the steps for audit files are different.

Check the current permissions:
# ls -l /var/log/audit/audit.log
-rw------- 1 root root 3531590 Jun 1 00:20 /var/log/audit/audit.log

Then edit the auditd.conf file and change the log_group parameter to splunkadmin instead of root.
log_group = splunkadmin

Restart the auditd service:
# service auditd restart

You can re-verify the permissions:
# ls -l /var/log/audit/audit.log
-rw-r----- 1 root splunkadmin 3532862 Jun 1 00:24 /var/log/audit/audit.log


January 5, 2022 at 1:23 pm