Splunk Search

how to keep my rules to myself?

felipecg
Explorer

I'd like to know if it's possible to hide my rules from an admin user.

Here's the situation:

I'm not an admin; however, I can make rules for Splunk, and I'd like that only I could see them.
So even the administrator can't copy my rules, and I can keep my work to myself.
If anyone has any idea, I'd appreciate it.

Thank you.

1 Solution

renatobamorim
Explorer

hey buddy,

I had a problem like that and I solved it with an external lookup. That way, you'll just need a single search on Splunk and the verification stays on another host (that you control). If you do this on a local network, the delay will be minimal.

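The external-lookup approach from the accepted answer, as an added example that is not code from the thread: a Splunk external lookup script that sends the looked-up field value to a host the rule author controls and writes back the verdict, so the matching logic never lives in a Splunk knowledge object. The `transforms.conf` stanza, the script name `ip_verdict.py`, the field names `src_ip`/`verdict`, and the `VERDICT_URL` endpoint are all assumptions.

```python
# Assumed transforms.conf stanza that wires this script in as an external lookup:
#   [ip_verdict]
#   external_cmd = ip_verdict.py src_ip verdict
#   fields_list = src_ip, verdict
# A search then uses it as: ... | lookup ip_verdict src_ip OUTPUT verdict
# Splunk runs the script with the field names as arguments, feeds CSV rows
# (with a header) on stdin and expects the same CSV columns back on stdout.
import csv
import json
import sys
import urllib.request

# Assumed endpoint on the host the rule author controls (placeholder URL).
VERDICT_URL = "http://detection.internal.example/verdict"


def query_verdict_service(value, url=VERDICT_URL, opener=urllib.request.urlopen):
    """Ask the remote host for a verdict; the detection logic stays there."""
    body = json.dumps({"src_ip": value}).encode()
    req = urllib.request.Request(url, data=body,
                                 headers={"Content-Type": "application/json"})
    with opener(req, timeout=2) as resp:
        return json.load(resp).get("verdict", "")


def enrich_rows(rows, lookup_field, output_field, fetch=query_verdict_service):
    """Fill output_field for every row that has a lookup value and no verdict yet.
    A failing remote call leaves the field blank so the search still completes."""
    out = []
    for row in rows:
        value = row.get(lookup_field, "")
        if value and not row.get(output_field):
            try:
                row[output_field] = fetch(value)
            except Exception:
                row[output_field] = ""
        out.append(row)
    return out


def main(argv=sys.argv, stdin=sys.stdin, stdout=sys.stdout, fetch=query_verdict_service):
    if len(argv) != 3:
        sys.stderr.write("usage: ip_verdict.py <lookup_field> <output_field>\n")
        sys.exit(1)
    reader = csv.DictReader(stdin)
    writer = csv.DictWriter(stdout, fieldnames=reader.fieldnames)
    writer.writeheader()
    for row in enrich_rows(reader, argv[1], argv[2], fetch=fetch):
        writer.writerow(row)


if __name__ == "__main__":
    main()
```

Note what this does and does not hide: the search text, the lookup name and the script file in the app's `bin` directory (including the endpoint URL) remain readable by a Splunk admin and by anyone with shell access, and every execution is still recorded in Splunk's audit log; only the verdict logic on the remote host is out of their reach.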

felipecg
Explorer

Oh Snap! That's a good call.
Thanks for your help.
Also thank you guys for the others ideas.

0 Karma

grijhwani
Motivator

That doesn't help you, at least not greatly. The search is still going to appear in the logs when it is executed. It only obscures it from direct view in the UI, so again, any administrator will be able to see it with ease if they choose to go looking. It still doesn't provide a total solution.

0 Karma

renatobamorim
Explorer

Hi, grijhwani

I agree that the search is still visible to the admin, but I think that felipecg wants to hide how he detects some anomalies, like SQLi, XSS, or Padding Oracle, from the other firm.

I have a similar scenario here: 1 Splunk and 2 rival companies to administer; it's a nightmare.

0 Karma

muebel
SplunkTrust

Hi felipecg, unfortunately there isn't any way to prevent a user in the admin role from viewing knowledge objects (alerts, searches, views etc). Additionally, any user with root access to the servers running Splunk will be able to view these objects through the config files.

The best you could do would be to load these configs into Splunk as needed, and then delete them when not needed. Or maybe gain some obscurity by creating many such objects.

Let me know if this helps!

felipecg
Explorer

Well, I would like to hide it because the company which administers Splunk is not the company which makes the rules. I know it's not common.
That's why I'd like to hide it.

Thank you.

0 Karma

Lucas_K
Motivator

Ahh, a specific use case.

I think you're out of luck, honestly. As muebel said, someone with shell access can always get access to the machine and read your configs.

Your alternative could be your own splunk cloud instance 🙂


grijhwani
Motivator

It would defeat the object of being an administrator if the administrator did not have total access to the system.

It also seems very destructive to refuse to collaborate with co-workers, especially those responsible for a service you are using. If I was the administrator I'd be all the more curious about what it was you had to hide.

And no. An administrator can see everything, if they choose to go looking.

felipecg
Explorer

Well I think I didn't explain the situation well.
If you have a company to administer Splunk and also have another company which makes the rules,
I guess the company which makes the rules doesn't want to expose its intelligence, right?
So, those are my rules; I just don't want another company to look at them.

felipecg
Explorer

Actually, the company responsible for administering Splunk is not the same one that makes the rules. So the company responsible for creating the alerts wants to keep its intelligence.

0 Karma

Lucas_K
Motivator

Which is a fair enough expectation honestly.

No possibility to run your own search head to connect to the existing indexers?

0 Karma

grijhwani
Motivator

OK, well, I understand your problem, but regardless of the intent or motivation, the reality doesn't change. Regardless of the fact that someone didn't like my original answer, the fact remains it can't be done.

You can't do it with file permissions, because Splunk as an entirety runs as the same system user (more often than not with sysadmin rights which will override any permissions anyway), and at the application level a user account with administration privileges has total access to everything within the application.

Short of setting up a dedicated Splunk search head administered by the right people, you simply cannot ring-fence the data.

0 Karma

muebel
SplunkTrust

What do you mean by rules?

0 Karma

felipecg
Explorer

I meant I get the logs and create alerts, using a specific IP or code, and I'd like that only I could see them; however, I'm not the admin. I don't want even the admin to be able to access my rules (alerts I've created).

0 Karma

felipecg
Explorer

Any idea how I can do it?
Is there any possible way?

0 Karma