Splunk DB Connect V3.7.0 major security hole?

phunte
Explorer

I am using Splunk DB Connect V3.7.0 and there seems to be a major security hole?

I want to give some users access to some of the connections/identities. I set the permissions of what they can see, and that works.

BUT

If a user explicitly asks for a connection that they cannot see, they are still allowed to access it?! This cannot be correct?

0 Karma

phunte
Explorer

I looked in the logs and found:

Audit:[timestamp=04-01-2022 21:26:04.972, user=paul_test, action=search, info=granted , search_id='1648848364.3568_92A9F529-CFA9-4D65-AE92-69A9879F486E', search='| dbxquery connection=gemini_ro query="SELECT * from users LIMIT 1"', autojoin='1', buckets=300, ttl=600, max_count=500000, maxtime=8640000, enable_lookups='1', extra_fields='*', apiStartTime='Fri Apr 1 17:26:00 2022', apiEndTime='Fri Apr 1 21:26:04 2022', apiIndexStartTime='ZERO_TIME', apiIndexEndTime='ZERO_TIME', savedsearch_name="", is_proxied=false, app="search", provenance="UI:Search", mode="historical"]

This ran successfully, but the user paul_test was not given permission on connection gemini_ro??

0 Karma
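An added example, not part of the original posts: the audit event quoted above records both the user and the `dbxquery` connection name, so such events can be checked against the intended user-to-connection mapping. The sample events, the `ALLOWED` mapping and the function name are constructed for illustration; only `paul_test` and `gemini_ro` come from the thread.

```python
import re

# Constructed sample events, shortened from the audit format quoted in the post.
SAMPLE_AUDIT = r'''
Audit:[timestamp=04-01-2022 21:26:04.972, user=paul_test, action=search, info=granted , search_id='1', search='| dbxquery connection=gemini_ro query="SELECT * from users LIMIT 1"', autojoin='1']
Audit:[timestamp=04-01-2022 21:30:10.100, user=paul_test, action=search, info=granted , search_id='2', search='| dbxquery connection=test_db query="SELECT 1"', autojoin='1']
Audit:[timestamp=04-01-2022 21:31:00.000, user=alice, action=search, info=granted , search_id='3', search='| dbxquery query="SELECT 1" connection="gemini_ro"', autojoin='1']
Audit:[timestamp=04-01-2022 21:32:00.000, user=paul_test, action=search, info=granted , search_id='4', search='search index=main error', autojoin='1']
Audit:[timestamp=04-01-2022 21:33:00.000, user=bob, action=search, info=granted , search_id='5', search='| dbxquery connection="gemini_ro" query="SELECT 1"', autojoin='1']
'''.strip().splitlines()

# Assumption: the connections each user is *meant* to reach, kept by the admin.
ALLOWED = {
    "paul_test": {"test_db"},
    "alice": {"gemini_ro", "test_db"},
}

USER_RE = re.compile(r"\buser=([^,\s]+)")
GRANTED_RE = re.compile(r"\binfo=granted\b")
# First connection= argument after each dbxquery command, quoted or not.
# Limitation: SQL text containing "connection=" before the real argument
# would be picked up instead.
DBX_RE = re.compile(r'\bdbxquery\b[^|]*?\bconnection\s*=\s*"?([\w.-]+)"?')


def unauthorized_dbx_use(lines, allowed):
    """Return (user, connection) pairs for granted dbxquery searches that
    used a connection outside the user's allowed set."""
    findings = []
    for line in lines:
        if "action=search" not in line or not GRANTED_RE.search(line):
            continue
        user_match = USER_RE.search(line)
        if not user_match:
            continue
        user = user_match.group(1)
        for conn in DBX_RE.findall(line):
            # Users missing from the mapping are allowed no connections.
            if conn not in allowed.get(user, set()):
                findings.append((user, conn))
    return findings


if __name__ == "__main__":
    for user, conn in unauthorized_dbx_use(SAMPLE_AUDIT, ALLOWED):
        print(f"{user} queried connection {conn} without permission")
```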

phunte
Explorer

I have made a new role and given it only certain connections. It looks good, a new user can only see those connections in DB Connect. However, the user can access connections that they cannot see and should have no access to, as long as they know the connection name.

0 Karma

isoutamo
SplunkTrust

Hi

The security model is defined here: https://docs.splunk.com/Documentation/DBX/3.8.0/DeployDBX/Configuresecurityandaccesscontrols

Do you have several roles that you are using with DBX identities and connections when you are granting permissions, or do you have only one for all connections? Based on the above documentation, you should have one role per connection if you need restriction based on connection.

r. Ismo

0 Karma

phunte
Explorer

Thank you for taking the time to respond, isoutamo. I have read the instructions again, and know I must be doing something wrong with roles, but cannot see what?

I set up a new role and gave it the same capabilities as db_connect_user, plus search. I assigned a test user to have this new role. (I allowed "Search & Reporting" to be visible to this role).

I set up a DB Connect identity where this role has read capability. I set up a DB Connect connection to a database using this identity.

The test user can access the new connection. However the test user can also access a connection that their role does not have read permission for (connection or identity).

phunte

0 Karma