Hi all - I am sharing this for anyone else interested in running journalbeat as a non-root user. I'm grateful for the attention to security of the Elasticsearch team but I think the SolarWinds compromise is making us all a bit jumpy :).
I'm running journalbeat via the apt package and systemd.
- Create a journalbeat user:
    adduser --system --home /var/lib/journalbeat/ journalbeat
- Create a systemd journalbeat service override directory:
    mkdir /etc/systemd/system/journalbeat.service.d
- Add a systemd override file to run the service as the journalbeat user with group perms allowing it to read the journal logs:
    printf "[Service]\nUser=journalbeat\nGroup=systemd-journal\n" > /etc/systemd/system/journalbeat.service.d/user.conf
- Reload systemd to read the new file:
    systemctl daemon-reload
- Make your journalbeat config file readable by all users so the journalbeat user can read it:
    chmod 644 /etc/journalbeat/journalbeat.yml
  (I'm assuming your passwords are in your keystore so there is nothing sensitive about this file)
- Stop the journalbeat service:
    systemctl stop journalbeat
- Change ownership of all files in /var/lib/journalbeat:
    chown -R journalbeat /var/lib/journalbeat
- Start journalbeat:
    systemctl start journalbeat
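As an added example (my own helper script, not part of the package or the steps above), here is a small POSIX shell script that renders the same drop-in and checks afterwards that the unit really is configured for the unprivileged user and that the config file mode is the 644 used above. It assumes the paths from the post and GNU stat; the systemctl output fed to check_unit_props can be a constructed sample when run outside systemd.

```shell
#!/bin/sh
# Added example: render the drop-in from the post and verify the result.
# Assumes the paths used in the post and a Linux host with GNU stat.

JB_USER="journalbeat"
JB_GROUP="systemd-journal"
JB_CONF="/etc/journalbeat/journalbeat.yml"

# Print the drop-in contents (identical to the printf in the post).
render_dropin() {
    printf '[Service]\nUser=%s\nGroup=%s\n' "$JB_USER" "$JB_GROUP"
}

# Read "Key=Value" lines on stdin (the shape produced by
# "systemctl show -p User -p Group journalbeat") and return 0 only if
# the unit is configured for the unprivileged user and the journal group.
check_unit_props() {
    user=""; group=""
    while IFS='=' read -r key val; do
        case "$key" in
            User)  user=$val ;;
            Group) group=$val ;;
        esac
    done
    [ "$user" = "$JB_USER" ] && [ "$group" = "$JB_GROUP" ]
}

# Return 0 if the file has exactly the 0644 mode from the post:
# world-readable (so the journalbeat user can read it) but writable
# only by its owner.
check_config_mode() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    [ "$mode" = "644" ]
}

# Live check against the running system (needs systemd; not run in tests).
verify_live() {
    systemctl show -p User -p Group journalbeat | check_unit_props &&
        check_config_mode "$JB_CONF"
}
```

Run verify_live after the daemon-reload and restart; a non-zero exit means the service is still configured to run as root or the config mode drifted.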
I'm also wondering if there is a reason the apt package runs as root instead of taking these steps to run as a non-privileged user?