Splunk DB Connect V3.7.0 major security hole?

phunte
Explorer

I am using Splunk DB Connect V3.7.0 and there seems to be a major security hole?

I want to give some users access to some of the connections/identities. I set the permissions of what they can see, and that works.

BUT

If a user explicitly asks for a connection that they cannot see, they are still allowed to access it?! This cannot be correct?

0 Karma

phunte
Explorer

I looked in the logs and found:

Audit:[timestamp=04-01-2022 21:26:04.972, user=paul_test, action=search, info=granted , search_id='1648848364.3568_92A9F529-CFA9-4D65-AE92-69A9879F486E', search='| dbxquery connection=gemini_ro query="SELECT * from users LIMIT 1"', autojoin='1', buckets=300, ttl=600, max_count=500000, maxtime=8640000, enable_lookups='1', extra_fields='*', apiStartTime='Fri Apr 1 17:26:00 2022', apiEndTime='Fri Apr 1 21:26:04 2022', apiIndexStartTime='ZERO_TIME', apiIndexEndTime='ZERO_TIME', savedsearch_name="", is_proxied=false, app="search", provenance="UI:Search", mode="historical"]

This ran successfully, but the user paul_test was not given permission on connection gemini_ro??

0 Karma
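
A detection sketch for the situation described in this thread, added here as an example and not part of any post: it parses audit.log search events in the format quoted above and reports granted `dbxquery` runs against connections outside an administrator-maintained mapping. The `INTENDED` mapping, the `test_ro` connection, and the abridged sample lines are constructed assumptions.

```python
import re

# Constructed sample lines, abridged from the audit.log format quoted in the post above.
SAMPLE_AUDIT = [
    "Audit:[timestamp=04-01-2022 21:26:04.972, user=paul_test, action=search, info=granted , "
    "search_id='1648848364.3568', search='| dbxquery connection=gemini_ro "
    "query=\"SELECT * from users LIMIT 1\"', autojoin='1', app=\"search\"]",
    "Audit:[timestamp=04-01-2022 21:30:11.101, user=paul_test, action=search, info=granted , "
    "search_id='1648848611.3570', search='| dbxquery connection=\"test_ro\" "
    "query=\"SELECT 1\"', autojoin='1', app=\"search\"]",
    "Audit:[timestamp=04-01-2022 21:31:40.555, user=admin, action=search, info=granted , "
    "search_id='1648848700.3571', search='search index=_internal | head 5', autojoin='1']",
]

# Assumption: the access each user is *meant* to have, maintained by the administrator.
# test_ro and the admin entry are hypothetical; paul_test and gemini_ro come from the thread.
INTENDED = {"paul_test": {"test_ro"}, "admin": {"test_ro", "gemini_ro"}}

FIELD = re.compile(r"\b(user|action|info)=([^,\]]*)")
DBX = re.compile(r"\|\s*dbxquery\b[^|]*?\bconnection\s*=\s*\"?([\w.\-]+)", re.I)

def parse_event(line):
    """Return (user, connection) for a granted dbxquery search, else None."""
    fields = {}
    for key, value in FIELD.findall(line):
        fields.setdefault(key, value.strip())  # first occurrence is the audit field
    if fields.get("action") != "search" or fields.get("info") != "granted":
        return None
    m = DBX.search(line)
    return (fields.get("user"), m.group(1)) if m else None

def unexpected_access(lines, intended):
    """List (user, connection) pairs that ran outside the intended mapping."""
    hits = []
    for line in lines:
        event = parse_event(line)
        if event and event[1] not in intended.get(event[0], set()):
            hits.append(event)
    return hits

if __name__ == "__main__":
    for user, conn in unexpected_access(SAMPLE_AUDIT, INTENDED):
        print(f"REVIEW: {user} ran dbxquery on connection {conn}")
```
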

phunte
Explorer

I have made a new role and given it only certain connections. It looks good, a new user can only see those connections in DB Connect. However, the user can access connections that they cannot see and should have no access to, as long as they know the connection name.

0 Karma

isoutamo
SplunkTrust

Hi

The security model is defined here: https://docs.splunk.com/Documentation/DBX/3.8.0/DeployDBX/Configuresecurityandaccesscontrols

Do you have several roles which you are using with DBX identities and connections when you are granting permissions, or do you have only one for all connections? Based on the above documentation, you should have one role per connection if you need restriction based on connection.

r. Ismo

0 Karma

phunte
Explorer

Thank you for taking the time to respond, isoutamo. I have read the instructions again, and know I must be doing something wrong with roles, but cannot see what?

I set up a new role and gave it the same capabilities as db_connect_user, plus search. I assigned a test user to have this new role. (I allowed "Search & Reporting" to be visible to this role).

I set up a DB Connect identity where this role has read capability. I set up a DB Connect connection to a database using this identity.

The test user can access the new connection. However the test user can also access a connection that their role does not have read permission for (connection or identity).

phunte

0 Karma