Splunk as non-root user by default for UNIX systems. #159

Open
JeremieBethmont opened this issue Oct 29, 2017 · 2 comments
Labels
enhancement New feature or request

Comments

@JeremieBethmont

JeremieBethmont commented Oct 29, 2017

This is an enhancement request.
As part of Splunk Enterprise best practices, Splunk should run as a 'non-root user'. See the official Splunk documentation: http://docs.splunk.com/Documentation/Splunk/7.0.0/Installation/RunSplunkasadifferentornon-rootuser

Code involved: ~/puppet-splunk/manifests/params.pp

  } else {
    $forwarder_dir = pick($forwarder_installdir, '/opt/splunkforwarder')
    $server_dir    = pick($server_installdir, '/opt/splunk')
    $splunk_user   = 'root'
  }

What are you seeing

Splunk runs as the "root" user by default, which is against Splunk best practices.

What behaviour did you expect instead

The module should create a non-root user (i.e. a "splunk" user) and run Splunk as it.

@TraGicCode
Contributor

Hey @jbethmont,
Thanks for the enhancement request. Here are a couple of things we need to figure out first.

1.) What is the default chosen/selected user for Splunk on a fresh install? If this is wrong we should get this fixed up. If the default user on a fresh install is not based on Splunk best practices, I would argue that this should be left alone. I would think the scenario you're describing is for advanced users and might be too restrictive for regular users to figure out.

@JeremieBethmont
Author

@TraGicCode The default user on a fresh install is the user that owns the Splunk directory and is used to launch the Splunk process. So technically it could be any user. But Splunk has the ability to run scripts as scripted inputs on the system. So for security best practices we don't want Splunk to run as root.

I would recommend then that the module creates a "splunk" user by default that will own the directory and run Splunk processes. But definitely not "root" by default.

And for the module not to be "too restrictive", the user should be able to override the 'splunk_user' value.

@juniorsysadmin juniorsysadmin added the enhancement New feature or request label Oct 31, 2017
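
A sketch of the behaviour requested in this thread, as an added example that is not code from puppet-splunk or from any commenter: a dedicated account owns the install directory and Splunk is told to run as it, with the user name left overridable. The class name `profile::splunk_account`, its parameters and the use of `file_line` from puppetlabs-stdlib are assumptions, and it assumes Splunk is already installed; `/opt/splunkforwarder` is the default path quoted in the issue.

```puppet
# Hypothetical wrapper class, not part of puppet-splunk.
class profile::splunk_account (
  String $splunk_user = 'splunk',               # overridable, but no longer 'root' by default
  String $install_dir = '/opt/splunkforwarder', # default path quoted in the issue
) {
  if $splunk_user == 'root' {
    # Still permitted as an explicit override, but scripted inputs would then
    # execute with full privileges, so make the choice visible in the run log.
    warning("Splunk in ${install_dir} is configured to run as root")
  } else {
    # Dedicated system account with its own group.
    group { $splunk_user:
      ensure => present,
      system => true,
    }

    user { $splunk_user:
      ensure     => present,
      gid        => $splunk_user,
      system     => true,
      home       => $install_dir,
      managehome => false,
      require    => Group[$splunk_user],
    }
  }

  # The account must own the whole tree, otherwise splunkd cannot write its
  # configuration, index and log files after dropping privileges.
  file { $install_dir:
    ensure  => directory,
    owner   => $splunk_user,
    group   => $splunk_user,
    recurse => true,
  }

  # SPLUNK_OS_USER in splunk-launch.conf makes Splunk switch to this account
  # when the service is started by root (for example from an init script).
  file_line { 'splunk_os_user':
    path  => "${install_dir}/etc/splunk-launch.conf",
    line  => "SPLUNK_OS_USER=${splunk_user}",
    match => '^#?\s*SPLUNK_OS_USER\s*=',
  }
}
```

Puppet autorequires the owning user for the `file` resource, so the ownership change is applied after the account exists without an explicit `require`.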