topic Re: how to keep my rules to myself? in Splunk Search

how to keep my rules to myself?

felipecg — Thu, 08 Oct 2015 19:33:38 GMT

I'd like to know if it's possible to hide my rules from an admin user.

Here's the situation:

I'm not admin, however I can make rules for the Splunk, and I'd like that only could see it.
So, even the administrator can't copy my rules, so I can keep my work just with myself.
If anyone has any idea, I'd appreciate it .

Thank you.

Re: how to keep my rules to myself?

muebel — Thu, 08 Oct 2015 19:46:41 GMT

what do you mean by rules?

Re: how to keep my rules to myself?

felipecg — Thu, 08 Oct 2015 19:53:04 GMT

I meant I get the logs and create alerts, using a specific IP or code, and I'd like that just me could see it, however I'm not the admin. I don't wanna even the admin can access my rules(alerts I've created).

Re: how to keep my rules to myself?

grijhwani — Thu, 08 Oct 2015 20:00:17 GMT

It would defeat the object of being an administrator if the administrator did not have total access to the system.

It also seems very destructive to refuse to collaborate with co-workers, especially those responsible for a service you are using. If I was the administrator I'd be all the more curious about what it was you had to hide.

And no. An administrator can see everything, if they choose to go looking.

Re: how to keep my rules to myself?

felipecg — Thu, 08 Oct 2015 20:01:28 GMT

Any idea how can I do it?
has any possible way?

Re: how to keep my rules to myself?

felipecg — Thu, 08 Oct 2015 20:10:29 GMT

Well I think I didn't explain the situation well.
If u have a company to administrate the Splunk and also have another company which make the rules.
I guess the company which make the rules doesn't want to expose its intelligence, right?
So, those are my rules, i just don't want that another company look at.

Re: how to keep my rules to myself?

felipecg — Thu, 08 Oct 2015 20:19:00 GMT

Actually the company responsible for admin the Splunk is not the same to make the rules. So, the company responsible to create the alerts wants to keep its intelligence.

Re: how to keep my rules to myself?

muebel — Thu, 08 Oct 2015 21:05:16 GMT

Hi felipecg, unfortunately there isn't any way to prevent a user in the admin role from viewing knowledge objects (alerts, searches, views etc). Additionally, any user with root access to the servers running Splunk will be able to view these objects through the config files.

The best you could do would be to load these configs into splunk as needed, and then delete them when not needed. Or maybe gain some obsecurity by creating many such objects.

Let me know if this helps!

Re: how to keep my rules to myself?

felipecg — Thu, 08 Oct 2015 21:20:19 GMT

Well, I would like to hide because the company which admins the splunk it's not the company which makes the rules. I know it's not common.
That's why I'd like to hide it.

Thank you.

Re: how to keep my rules to myself?

Lucas_K — Thu, 08 Oct 2015 22:24:58 GMT

ahh a specific use case.

I think your out of luck honestly. As muebel said, someone with shell access can always get access to the machine and read your configs.

Your alternative could be your own splunk cloud instance 🙂

Re: how to keep my rules to myself?

grijhwani — Thu, 08 Oct 2015 22:25:37 GMT

OK, well I understand your problem, but regardless of the intent or motivation the reality doesn't change. Regardless of the fact someone didn't like my original answer, the fact remains it can't be done.

You can't do it with file permissions, because Splunk as an entirety runs as the same system user (more often than not with sysadmin rights which will override any permissions anyway), and at the application level a user account with administration privileges has total access to everything within the application.

Short of setting up a dedicated Splunk search head administered by the right people, you simply cannot ring-fence the data.

Re: how to keep my rules to myself?

Lucas_K — Thu, 08 Oct 2015 22:28:55 GMT

Which is a fair enough expectation honestly.

No possibility to run your own search head to connect to the existing indexers?

Re: how to keep my rules to myself?

renatobamorim — Fri, 09 Oct 2015 13:09:42 GMT

hey buddy,

I have a problem like that and I solved with an external lookup. That way, you'll just need a single search on splunk and the verification stay on other host (that you control). If you do this on a local network, the delay will be minimum.

Re: how to keep my rules to myself?

felipecg — Fri, 09 Oct 2015 13:44:54 GMT

Oh Snap! That's a good call.
Thanks for your help.
Also thank you guys for the others ideas.

Re: how to keep my rules to myself?

grijhwani — Sun, 11 Oct 2015 16:46:57 GMT

That doesn't help you, at least not greatly. The search is still going to appear in the logs when it is executed. It only obscures it from direct view in the UI, so again, any administrator will be able to see it with ease if they choose to go looking. It still doesn't provide a total solution.

Re: how to keep my rules to myself?

renatobamorim — Wed, 14 Oct 2015 19:38:25 GMT

Hi, grijhwani

I agree that the search still able to admin, but I think that felipecg want to hide how he detects some anomalies, like SQLi, XSS, Padding Oracle from other firm.

I have a similar scenario here, 1 splunk and 2 rival companies to administrate, its a nightmare.