Deployment Architecture

new install -9.3.2 - sec warning

inventsekar
SplunkTrust

Hi there,
Hope you are doing well, thanks for reading.

1) A fresh install of Splunk Enterprise 9.3.2 is showing this security warning:

Security risk warning: Found an empty value for 'allowedDomainList' in the alert_actions.conf configuration file. If you do not configure this setting, then users can send email alerts with search results to any domain. You can add values for 'allowedDomainList' either in the alert_actions.conf file or in Server Settings > Email Settings > Email Domains in Splunk Web.
12/2/2024, 5:40:52 AM

2) I noticed this error around 2 or 3 months ago, but as it's a simple and low priority / functionality-related one, I ignored it.

3) Last week, as we Splunkers were discussing this in our user group meeting, one of my friends asked: OK, this is a low priority issue for you, but from an organization's infosec perspective this could be a medium/big issue.

4) He suggested to me that the default config files should be configured to keep things in a secured fashion (similar to the "zero-trust" security policy); giving a warning message isn't enough, right? I had to agree with him.

5) Screenshot attached for your note:

newinstall-sec-warning.PNG

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !

isoutamo
SplunkTrust

Hi

As others already said, from a company and its security point of view this is an issue and you definitely should fix it.
On Splunk Cloud this same warning has already been there for (at least) a couple of months, and it should also be fixed now at the latest.
r. Ismo


marnall
Motivator

Yes, this is a security recommendation added recently. As the alert suggests, you can add email domains to your allowedDomainList by going to Server Settings > Email Settings > Email Domains. For example, if you want email alerts to only go to your company email addresses, then you can add your company domain there.

This will restrict your email alerts so that users cannot accidentally or maliciously send data to unauthorized email domains.

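To make the check in the warning above concrete, here is an added example (not Splunk's own code) that parses the [email] stanza of an alert_actions.conf, reports the empty allowedDomainList condition, and screens a list of alert recipients against the configured domains. It assumes the list is comma-separated and matched by exact domain; both conf texts are constructed samples.

```python
"""Check alert_actions.conf for an unrestricted email allowedDomainList."""
import configparser

# Constructed samples: the default (weak) state that triggers the warning,
# and a hardened stanza restricted to two company domains.
WEAK_CONF = "[email]\nallowedDomainList = \n"
HARDENED_CONF = "[email]\nallowedDomainList = example.com, corp.example.com\n"


def allowed_domains(conf_text):
    """Return the lower-cased domain allowlist from the [email] stanza.

    An empty set means the setting is missing or blank, i.e. unrestricted.
    Assumption: the value is a comma-separated list of bare domains.
    """
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(conf_text)
    raw = parser.get("email", "allowedDomainList", fallback="")
    return {d.strip().lower() for d in raw.split(",") if d.strip()}


def is_unrestricted(conf_text):
    """True when alert emails may be sent to any domain (the warned-about state)."""
    return not allowed_domains(conf_text)


def disallowed_recipients(recipients, domains):
    """Return recipients whose domain is outside the allowlist.

    With an empty allowlist nothing is blocked, which is exactly why the
    default configuration is a data-loss concern. Assumption: exact match
    on the part after '@' (no subdomain wildcarding).
    """
    if not domains:
        return []
    blocked = []
    for addr in recipients:
        _, _, domain = addr.rpartition("@")
        if domain.lower() not in domains:
            blocked.append(addr)
    return blocked


if __name__ == "__main__":
    sample = ["alice@example.com", "bob@outside.example"]
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, "unrestricted:", is_unrestricted(conf),
              "blocked:", disallowed_recipients(sample, allowed_domains(conf)))
```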

inventsekar
SplunkTrust

Sure, thanks for your reply @marnall 

>> Yes, this is a security recommendation added recently

May I know if you or anybody has some more details about this security recommendation, please? Thanks.

thanks and best regards,
Sekar


dural_yyz
Motivator

https://docs.splunk.com/Documentation/Splunk/9.3.2/Alert/Emailnotification#Define_an_email_notificat...

Right now the domain setting is still listed as 'Optional' in the documentation, which obviously hasn't caught up with the default install health checks. So you won't find the supporting information you are requesting just yet. But I have been on the security side of corporate life for some time. Giving users the default ability to email alerts or reports to any destination is a massive Data Loss Protection issue.


inventsekar
SplunkTrust

>>> Giving users the default ability to email alerts or reports to any destination is a massive Data Loss Protection issue.

Precisely @dural_yyz . 

Given the easy and quick installation methods, providing direct options to upload a log file and assigning default index options are all very good. First-timers will really like these features.

But the "email" functionality with "default settings" such as "send anything anywhere"... looks a bit odd.

It should be that, by default, you cannot send anything to any domain.

The informational note should say that, if you would like to send email alerts to an outside domain, please request the Splunk admins/power users to update the config file abcd.conf through x y z methods.

Thanks for reading, have a great day 👍🙏🤝

thanks and best regards,
Sekar
