topic Re: Security Question Related to Splunk enterprise in Security

Security Question Related to Splunk enterprise

SakshamGuruji — Sat, 15 Jan 2022 09:09:55 GMT

Should a non authenticated user access this endpoint (POST request) https://localhost:8089/services/template/realize

and create templates , and if no what can the security impact of this

Re: Security Question Related to Splunk enterprise

PickleRick — Sat, 15 Jan 2022 10:05:38 GMT

https://docs.splunk.com/Documentation/Splunk/8.2.4/RESTUM/RESTusing#Authentication_and_authorization

Splunk users must have role or capability-based authorization to use REST endpoints

So you can't call rest api without authenticating yourself (unless you're using splunk free which has no users, roles and authentication).

Re: Security Question Related to Splunk enterprise

SakshamGuruji — Sat, 15 Jan 2022 10:21:59 GMT

So im testing this splunk instance for a client and every REST api endpoint requires auth except the one I mentioned , where I can create templates , now im not sure if I should report this behavior to the client , what are your views?

Thanks

Re: Security Question Related to Splunk enterprise

PickleRick — Sat, 15 Jan 2022 10:51:47 GMT

This doesn't seem to be any of the standard splunk enterprise rest endpoints...

https://docs.splunk.com/Documentation/Splunk/8.2.4/RESTREF/RESTlist

If it's a custom endpoint, hard to say what it does and why it works without auth.