Re: Using polkit allows for stopping/starting othe...

amartin6 · ‎02-10-2021

We upgraded to 8.1.2 and want to use workload manager, workload manager requires systemd. With 8.1.x you can allow the splunk user to stop/start the systemd splunk service, which works fine however it seems to be to broad of a configuration and also allows for stopping/starting other systemd services as well. Is there a way to lock down the polkit rule where it doesn't grant beyond the splunk service? I'll do more research on polkit to see if I can find a way but wondering if others have done this.

sh-4.2$ sudo /apps/splunk/bin/splunk enable boot-start -systemd-managed 1 -create-polkit-rules 1 -user splunk
CAUTION: The system has systemd version < 237 and polkit version > 105. With this combination, polkit rule created for this user will enable this user to manage all systemd services.Are you sure you want to continue [y/n]? y
Systemd unit file installed at /etc/systemd/system/Splunkd.service.
Polkit rules file installed at /etc/polkit-1/rules.d/10-Splunkd.rules.
Configured as systemd managed service.

sh-4.2$ sudo su - splunk

splunk@qasshd$ systemctl stop amazon-ssm-agent.service
splunk@qasshd$ systemctl status amazon-ssm-agent.service
● amazon-ssm-agent.service - amazon-ssm-agent
Loaded: loaded (/etc/systemd/system/amazon-ssm-agent.service; enabled; vendor preset: disabled)
Active: inactive (dead) since Wed 2021-02-10 22:19:39 UTC; 7s ago
Process: 1130 ExecStart=/usr/bin/amazon-ssm-agent (code=exited, status=0/SUCCESS)
Main PID: 1130 (code=exited, status=0/SUCCESS)
splunk@qasshd$ systemctl start amazon-ssm-agent.service
splunk@qasshd$ systemctl status amazon-ssm-agent.service
● amazon-ssm-agent.service - amazon-ssm-agent
Loaded: loaded (/etc/systemd/system/amazon-ssm-agent.service; enabled; vendor preset: disabled)
Active: active (running) since Wed 2021-02-10 22:19:55 UTC; 3s ago
Main PID: 5087 (amazon-ssm-agen)
Memory: 30.6M
CGroup: /system.slice/amazon-ssm-agent.service
├─5087 /usr/bin/amazon-ssm-agent
└─5101 /usr/bin/ssm-agent-worker
splunk@qasshd$

This is our rules file:

/etc/polkit-1/rules.d/10-Splunkd.rules
polkit.addRule(function(action, subject) {
if (action.id == "org.freedesktop.systemd1.manage-units" &&
subject.user == "splunk")
{
return polkit.Result.YES;
}
});

svarkhede · ‎10-19-2021

If systemd version is greater than 236 and polkit version is greater than 0.105 then user has access to only Splunk service managed by systemd else it gives access to all the services managed by systemd.

https://docs.splunk.com/Documentation/Splunk/8.2.2/Admin/RunSplunkassystemdservice#:~:text=file%20na...

dwaddle · ‎10-18-2021

Yes, they do. Because RHEL7's systemd and polkit are just OLD and the features you need really aren't there. See https://www.duanewaddle.com/splunk-7-2-2-and-systemd/

amartin6 · ‎10-18-2021

Correct, the older version of polkit is what we discovered

amartin6 · ‎02-10-2021

splunk@qasshd$ rpm -qa systemd
systemd-219-78.el7_9.2.x86_64

amartin6 · ‎02-10-2021

splunk@qasshd$ rpm -qa polkit
polkit-0.112-26.el7.x86_64
splunk@qasshd$

Using polkit allows for stopping/starting other systemd services

administration

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...