topic Re: How do I limit access to specific events in one index? in Security

How do I limit access to specific events in one index?

ips_mandar — Mon, 26 Nov 2018 11:58:45 GMT

Hi,

I am using OMS add-on. I have one index with one host,source and source type.
Now I want to limit access to specific table like below:-
1. index=idx table=security-----------User1
2. index=idx table=info---------------User2

I am able to create a separate index, but that also causes it to reindex data as one user wants to view all data and not any specific events/table ..So what will be best way to achieve this?

Re: How do I limit access to specific events in one index?

inventsekar — Mon, 26 Nov 2018 12:44:05 GMT

i think you can edit the user1 user2 roles such a way that they have access to the respective tables.

Re: How do I limit access to specific events in one index?

FrankVl — Mon, 26 Nov 2018 13:14:59 GMT

You could do that by creating separate roles and setting Search Filters for each of those. But search filters based on search time extracted fields are basically not secure, as users have control over the search time extractions. See also: http://docs.splunk.com/Documentation/Splunk/latest/Security/Addandeditroles#Search_filter_format

In general the recommended way to segregate access is by putting data in separate indexes. If you have users that need to access all data, you can do two indexes named like: idx:security and idx:info and then the users that have access to both, can use index=idx*.

Re: How do I limit access to specific events in one index?

ips_mandar — Mon, 26 Nov 2018 13:21:44 GMT

thanks @FrankVl search filters are applicable to host source and sourcetype but not applicable to specific fields like in my case table=security also can you please elaborate about security isssue-" users have control over the search time extractions."

Re: How do I limit access to specific events in one index?

493669 — Mon, 26 Nov 2018 13:35:13 GMT

As per docs it seems I can write in search filters index=indexname table=security but can you please elaborate about security issue...
As from last 2 months i was having only one input which indexing all data without any filter and now the requirement come about limiting access so thinking to use search filters but first want to undersatnd about security issue..

Re: How do I limit access to specific events in one index?

FrankVl — Mon, 26 Nov 2018 13:46:51 GMT

A user could create a knowledge object that overwrites the value of the table field, to get access to all the data.

Re: How do I limit access to specific events in one index?

ips_mandar — Mon, 26 Nov 2018 13:51:20 GMT

Thanks @FrankVI..last question can you please give one example about how can I get access to whole index by editing knowledge objects

Re: How do I limit access to specific events in one index?

FrankVl — Mon, 26 Nov 2018 13:58:03 GMT

If your search filter restricts access based on table=info. I can for instance define a calculated field table for that sourcetype, that just sets table=info, overwriting the actual value, which means the search filter will always match and return all the events, regardless of the original table value.

Re: How do I limit access to specific events in one index?

ips_mandar — Mon, 26 Nov 2018 15:18:34 GMT

Hi @FrankVI, my field name is $table and suppose one role have access to index=abc "$table"=info then what calculated fields (eval expression) give me access to all $table fieldvalues

Re: How do I limit access to specific events in one index?

FrankVl — Mon, 26 Nov 2018 15:25:25 GMT

Like I said: a user could define something like EVAL-$table = "info" , so the field always gets the "info" value (regardless of what was actually in the event). That way the filter will allow all events to go through.

Re: How do I limit access to specific events in one index?

ips_mandar — Mon, 26 Nov 2018 15:42:44 GMT

sorry if I misunderstand but how can user access $table="severity" if user has only access to $table="info"

Re: How do I limit access to specific events in one index?

FrankVl — Mon, 26 Nov 2018 15:48:36 GMT

$table="severity" is just a field extraction defined in Splunk (at search time) right. And those can be overruled by assigning another value to that field. So all the events get $table="info" and as a result the user has access to all the events.

Re: How do I limit access to specific events in one index?

ips_mandar — Mon, 26 Nov 2018 16:08:29 GMT

my bad I have given info just as sample value my actual value is azuredignostic
so one user has access to search string index=abc $table="azuredignostics" then how this user can access $table="Perf" data.
are you saying to create calculated fields? how can i achieve?
yes, $table is extracted at search time using kv_mode=json in props.conf

Re: How do I limit access to specific events in one index?

FrankVl — Mon, 26 Nov 2018 16:11:15 GMT

http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/definecalcfields

Re: How do I limit access to specific events in one index?

ips_mandar — Mon, 26 Nov 2018 17:54:27 GMT

i checked this link and it seems in calculated fields I have option host/source/sourcetype to make it as * but in my case I have only 1 host,1 source and 1 sourcetype so I am not able to override $table="azuredignostics"