topic Splunk Enterprise Security: "Search peer has the following message: Review roles for unnecessary read or write access to authorize.conf and remove access if possible." in Splunk Enterprise Security

Splunk Enterprise Security: "Search peer has the following message: Review roles for unnecessary read or write access to authorize.conf and remove access if possible."

10306629 — Mon, 16 Oct 2017 17:17:55 GMT

"Search peer has the following message: Review roles for unnecessary read or write access to authorize.conf and remove access if possible. Learn more"

The above is the warning message I am getting after I updated the Splunk ES to 4.7.2. Could someone advice what needs to be done here.

Re: Splunk Enterprise Security: "Search peer has the following message: Review roles for unnecessary read or write access to authorize.conf and remove access if possible."

hardikJsheth — Tue, 17 Oct 2017 05:27:28 GMT

The Splunk has introduced number of new roles with latest ES (4.7 and above ) version. The warning is thrown to make user aware of these changes so that he/she can reconfigure access control if required.

You can refer http://docs.splunk.com/Documentation/ES/4.7.0/Install/ConfigureUsersRoles for more information.

Re: Splunk Enterprise Security: "Search peer has the following message: Review roles for unnecessary read or write access to authorize.conf and remove access if possible."

maraman_splunk — Tue, 17 Oct 2017 20:33:37 GMT

Hi,

I had the same problem and from what I understand the explanation is as follow :
- ES used to have to change right to authorize.conf but the way it was done was not ideal.
- ES 4.7 migrate the old configuration to a new config which remove the original need.
- the migration script has no way to know that the changes to authorize.conf where done by ES -> don't touch them as they could be legitimate otherwise.
- ES permission checks detect the too open permission and warm about

So the current solution would be to manually go on each app in metadata/local.meta , look for authorize.conf stanza and remove non admin right on it as appropriate to your env.

Hope that helps.

Re: Splunk Enterprise Security: "Search peer has the following message: Review roles for unnecessary read or write access to authorize.conf and remove access if possible."

10306629 — Mon, 27 Nov 2017 19:18:00 GMT

Thanks maraman, i have did that but still i am getting these message "Splunk Enterprise Security: "Search peer has the following message: Review roles for unnecessary read or write access to authorize.conf and remove access if possible."
could please suggest me any other way to do this..

Re: Splunk Enterprise Security: "Search peer has the following message: Review roles for unnecessary read or write access to authorize.conf and remove access if possible."

vicky05ssr04 — Mon, 27 Nov 2017 20:03:11 GMT

hello maraman even I have the same problem, the solution provided seems very appropriate. The trouble is I could see the roles admin, ess_analyst tagged to most of the users. what are the things that still need to checked and how, please let me know.