Hi all - I am sharing this for anyone else interested in running journalbeat as a non-root user. I'm grateful for the attention to security of the elasticsearch team but I think the solar winds compromise is making us all a bit jumpy :).
I'm running journalbeat via the apt package and systemd.
- Create a journalbeat user:
adduser --system --home /var/lib/journalbeat/ journalbeat - Create a systemd journalbeat service override directory:
mkdir /etc/systemd/system/journalbeat.service.d - Add a systemd override file to run the service as the journalbeat user with group perms allowing it to read the journal logs:
printf "[Service]\nUser=journalbeat\nGroup=systemd-journal\n" > /etc/systemd/system/journalbeat.service.d/user.conf - Reload systemd to read the new file:
systemctl daemon-reload - Make your journalbeat config file readable by all users so the journalbeat user can read it:
chmod 644 /etc/journalbeat/journalbeat.yml(I'm assuming your passwords are in your keystore so there is nothing sensitive about this file) - Stop journalbeat service:
systemctl stop journalbeat - Change ownership of all files in
/var/lib/journalbeat:chown -R journalbeat /var/lib/journalbeat - Start journalbeat:
systemctl start journalbeat
I'm also wondering if there is a reason the apt package runs as root instead of taking these steps to run as a non-priviged user?