topic Re: Sendemail command only works with capacility 'admin_all_objects' in Reporting

Sendemail command only works with capacility 'admin_all_objects'

apietersen — Mon, 22 Feb 2021 15:38:59 GMT

Hi,

Since some version (now using 8.1.2) I have trouble to use the 'sendemail' command in a search (dashboard/form) for user that have the standard user-roles. This issue is troubling me for almost 1.5 year now. Of course I am aware of the need to select 'list_settings' but had never a results. When selecting 'admin_all_objects' in the standard user-role is succesful.

But using the 'admin_all_objects' for standard user is nothing but a security breach. That can not be the solution , so what do I miss here?

An why does Splunk not create a special and straightforward capability for this 'sendemail' command?

Ashley Pietersen

Re: Sendemail command only works with capacility 'admin_all_objects'

maraman_splunk — Mon, 22 Feb 2021 16:00:05 GMT

Hi,

it is a known issue that affect some versions and should be fixed as of now

see https://docs.splunk.com/Documentation/Splunk/7.3.7/ReleaseNotes/Fixedissues#Splunk_Enterprise_7.3.7.1

8.1.2 should have the fix I think.

If not the case, please open a support case and have the support investigate with you.

Re: Sendemail command only works with capacility 'admin_all_objects'

apietersen — Mon, 22 Feb 2021 16:09:42 GMT

Thanks maraman_splunk,

Unfortunately Splunk support does not respond ! They advised me earlier to select 'admin_all_objects' to use the command anyway. Because I really need the sendemail for some customer. Since v8.0 the other alternative was the option 'sendresults' but that was also not wokring anymore. Hoped this would solved in next version, but after 8.1.2 I am till struggling with this issue and have my 'door wide open' since because of this.

Re: Sendemail command only works with capacility 'admin_all_objects'

apietersen — Fri, 26 Feb 2021 08:19:42 GMT

last update Wednesday from Splunk support:

"... just want to give you an update about the case, we are still working to find a solution, I engaged additional support to assist us with the issue, as soon as we have more information we will let you know. Please feel free to contact us if you have any questions."

Keep you posted...

Re: Sendemail command only works with capacility 'admin_all_objects'

apietersen — Tue, 02 Mar 2021 14:24:57 GMT

update from support:

-==-=-=-=-
I hope you are doing well. I was reviewing the know issues list and I found the issue number SPL-138647, See the link below for more information. https://docs.splunk.com/Documentation/Splunk/8.1.2/ReleaseNotes/KnownIssues

Let me know if it worked for you.

-==-==-==-

What I did :

On our none-production instance/machine (rather a fresh installation), I did:

Changed my “alert_action.conf” file to this (see below) : (as explained in the document and is less secure as I understand from that document) – named: Workaround
Removed the “Admin_All_Ojects” capability from the Test user-role
No success ☹

[email]

Auth_password = xx

auth_username =xx

from =xx

mailserver = smtp.office365.com:587

sslVersions = *,-ssl2

cipherSuite = TLSv1+HIGH:TLSv1.2+HIGH:@STRENGTH

Unfortunately no success

Re: Sendemail command only works with capacility 'admin_all_objects'

apietersen — Wed, 03 Mar 2021 08:30:10 GMT

update from splunk support:

-=-=-=-=
I hope you are doing well. I was reviewing the know issues list and I found the issue number SPL-138647, See the link below for more information.

https://docs.splunk.com/Documentation/Splunk/8.1.2/ReleaseNotes/KnownIssues

Let me know if it worked for you.

-=-=-=-=

unfortunately no success yet

Re: Sendemail command only works with capacility 'admin_all_objects'

apietersen — Wed, 03 Mar 2021 08:42:11 GMT

Hi,

It seems to be an issue with a long history in known issues - even from version 6.6 so I understand. What should I do next? Any tips?

Re: Sendemail command only works with capacility 'admin_all_objects'

apietersen — Wed, 03 Mar 2021 16:07:47 GMT

Just installed a complete fresh Splunk instance v8.1.2 from scratch on w2019 - no adjustments made. Only configured the smtp server setting. Tested it with admin account: sendemail works (but this has 'admin_all_objects' as a default capability.

created a test account with standard user-role. (defaults without the 'admin_all_objects' capability). Sendemail does not werk without any visible error, although the search itself results in a timestamp

search in serach&reporting used:

| makeresults
| sendemail to="x.yyyy@aaaaa.bb", from="y.yxxxx@bbbbb.aa"" ,
subject="test-message", sendresults=false inline=true format=raw content_type=html

results in python.log:

Traceback (most recent call last):
File ""D:\Program Files\Splunk\etc\apps\search\bin\sendemail.py"", line 1593, in <module>
results = sendEmail(results, settings, keywords, argvals)
File ""D:\Program Files\Splunk\etc\apps\search\bin\sendemail.py"", line 376, in sendEmail
if ssContent['action.email.sendresults'] or ssContent['action.email.sendpdf'] or ssContent['action.email.sendcsv']:
KeyError: 'action.email.sendpdf'

Re: Sendemail command only works with capacility 'admin_all_objects'

apietersen — Thu, 11 Mar 2021 14:45:05 GMT

Hi Ashley,

Message frome Splunk Support:

.. According to the engineering department, the fix will be released in Splunk 8.1.3. Let me know if it worked for you...

Regards

Re: Sendemail command only works with capacility 'admin_all_objects'

apietersen — Mon, 22 Mar 2021 07:41:10 GMT

This issue was reported by support to be solved in v8.1.3 . Unfortunately this issue is still there in v8.1.3