Splunk DB Connect V3.7.0 major security hole?

phunte
Explorer

I am using Splunk DB Connect V3.7.0 and there seems to be a major security hole?

I want to give some users access to some of the connections/identities. I set the permissions of what they can see, and that works.

BUT

If a user explicitly asks for a connection that they cannot see, they are still allowed to access it?! This cannot be correct?

0 Karma

phunte
Explorer

I looked in the logs and found:

Audit:[timestamp=04-01-2022 21:26:04.972, user=paul_test, action=search, info=granted , search_id='1648848364.3568_92A9F529-CFA9-4D65-AE92-69A9879F486E', search='| dbxquery connection=gemini_ro query="SELECT * from users LIMIT 1"', autojoin='1', buckets=300, ttl=600, max_count=500000, maxtime=8640000, enable_lookups='1', extra_fields='*', apiStartTime='Fri Apr 1 17:26:00 2022', apiEndTime='Fri Apr 1 21:26:04 2022', apiIndexStartTime='ZERO_TIME', apiIndexEndTime='ZERO_TIME', savedsearch_name="", is_proxied=false, app="search", provenance="UI:Search", mode="historical"]

This ran successfully, but the user paul_test was not given permission on connection gemini_ro??

0 Karma
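A detection sketch for the audit entry quoted above, added here as an example and not part of the original thread: it scans audit.log-style lines for granted `dbxquery` searches and flags any connection outside a per-user allow-list. The `ALLOWED` map, `reporting_ro`, `other_test` and every sample line except the first (trimmed from the post) are constructed assumptions.

```python
import re

# First line is trimmed from the audit entry in the post; the others are constructed.
SAMPLE_AUDIT = """
Audit:[timestamp=04-01-2022 21:26:04.972, user=paul_test, action=search, info=granted , search_id='1648848364.3568', search='| dbxquery connection=gemini_ro query="SELECT * from users LIMIT 1"', autojoin='1']
Audit:[timestamp=04-01-2022 21:30:10.101, user=paul_test, action=search, info=granted , search_id='c2', search='| dbxquery connection="reporting_ro" query="SELECT 1"', autojoin='1']
Audit:[timestamp=04-01-2022 21:31:00.000, user=other_test, action=search, info=granted , search_id='c3', search='| dbxquery query="SELECT 1" connection=gemini_ro', autojoin='1']
Audit:[timestamp=04-01-2022 21:32:00.000, user=other_test, action=search, info=granted , search_id='c4', search='search index=_internal | stats count', autojoin='1']
""".strip().splitlines()

# Hypothetical allow-list: user -> connections their roles are meant to read.
# In practice this would be exported from the DB Connect permission settings.
ALLOWED = {"paul_test": {"reporting_ro"}}

# Field layout follows the audit line shown in the post.
HEAD_RE = re.compile(r"user=(?P<user>[^,\s]+),\s*action=search,\s*info=(?P<info>\w+)")
SEARCH_RE = re.compile(r"search='(?P<search>.*?)', autojoin=")
# connection=<name> anywhere in the dbxquery command, quoted or bare.
CONN_RE = re.compile(r'\bdbxquery\b.*?\bconnection\s*=\s*"?(?P<conn>[\w.-]+)')


def unauthorized_dbx_queries(lines, allowed):
    """Return (user, connection) pairs for granted dbxquery searches
    that name a connection not in the user's allow-list."""
    findings = []
    for line in lines:
        head = HEAD_RE.search(line)
        body = SEARCH_RE.search(line)
        if not head or not body or head["info"] != "granted":
            continue
        for match in CONN_RE.finditer(body["search"]):
            conn = match["conn"]
            # Users missing from the map are treated as having no connections.
            if conn not in allowed.get(head["user"], set()):
                findings.append((head["user"], conn))
    return findings


if __name__ == "__main__":
    for user, conn in unauthorized_dbx_queries(SAMPLE_AUDIT, ALLOWED):
        print(f"user={user} queried connection={conn} without a matching permission")
```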

phunte
Explorer

I have made a new role and given it only certain connections. It looks good, a new user can only see those connections in DB Connect. However, the user can access connections that they cannot see and should have no access to, as long as they know the connection name.

 

0 Karma

isoutamo
SplunkTrust

Hi

The security model is defined here: https://docs.splunk.com/Documentation/DBX/3.8.0/DeployDBX/Configuresecurityandaccesscontrols

Do you have several roles that you use with DBX identities and connections when granting permissions, or do you have only one for all connections? Based on the above documentation, you should have one role per connection if you need restrictions based on connection.

r. Ismo

0 Karma

phunte
Explorer

Thank you for taking the time to respond, isoutamo. I have read the instructions again, and know I must be doing something wrong with roles, but cannot see what?

I set up a new role and gave it the same capabilities as db_connect_user, plus search. I assigned a test user to have this new role. (I allowed "Search & Reporting" to be visible to this role).

I set up a DB Connect identity where this role has read capability. I set up a DB Connect connection to a database using this identity.

The test user can access the new connection. However the test user can also access a connection that their role does not have read permission for (connection or identity).

phunte

0 Karma