I need to upload sensitive data into Splunk to do my analysis, and I only want myself to be able to see the data. Would the below process ensure that or do I need to take any other steps?
- create a new index "test"
- create a new user role "testuser"
- ensure that all other user roles cannot search that index "test"
- set the new user role "testuser" to only search that index "test"
- assign myself that role "testuser"
- upload my data into that index "test"
A few other questions: my Splunk has LDAP authentication, but can I just add the Splunk user role "testuser" without LDAP authentication and without adding an LDAP authentication step/group for that role? Also, the default for my normal user role is "All internal indexes"; this would not include my new index "test", correct?
In Access controls, create a new role in Splunk and give it access permission on that index. Then you can assign this role to only the user you want to access that index.
You cannot achieve this without adding groups in your LDAP strategy. You need to create the group under your LDAP strategy and then map the role to the new LDAP group.
Yes, "All internal indexes" does not include access to the "test" index.
This step is not necessary:
- set the new user role "testuser" to only search that index "test"
Depending on the amount of data, you could use CSVs and/or lookups that were private to an app in order to prevent anyone else from looking at it.
@katzr - You can upload the CSV to an app that only you know about, that is private to you. The default permissions setting is generally "private" for anything you upload or create, and you just don't share it so it stays private. Now, technically, admins can touch everything, so it isn't totally private, but there's no reason for an admin to be poking around your app if they have enough real work to do and if you don't do anything to draw their attention to what is in it. Like, don't call your app "Important Secret Stuff" or "Funny Kitty Videos." You could just make three apps (test1, test2, test3) and spend a few days putting a few ad hoc searches in them, set to app-level permissions. When you do your secret stuff, leave them private, so a cursory glance shows the ad hocs but does not show your confidential stuff.
Also, I believe an admin would have to change the permissions on the file before they could actually look, so you would be able to see that the permissions had changed.
I normally create an AD group with a single user. It's messy to create a single AD group for a single index, but in the long term it's less messy than being inconsistent.
Your new index would not be wrapped up into the internal indexes.
Correct, but based on your follow-up comment more than anything.
I recommend that you onboard your secretive index data the same way you would onboard any other index regardless of the amount of people who need access to it or the kind of data it contains.
If you are LDAP enabled, you likely will create a new AD group in AD, create a new index, create the roles in Splunk referencing that AD group, then secure the new index to that role... or some similar order. I would stay away from non-AD groups if you are LDAP enabled, which you alluded to in the original post. That gets messy.
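As an added illustration (not from this thread or from Splunk's own docs), this is what the index-scoped role from the original list and the AD-group-to-role mapping recommended in the answers look like in Splunk's configuration files on the search head; the strategy name `corp_ldap`, the group DN and the file paths are assumptions.

```ini
# --- $SPLUNK_HOME/etc/system/local/authorize.conf (assumed location) ---
# Role that may search only the new index "test" (the index name from the
# question). No importRoles line on purpose: an imported role contributes its
# own srchIndexesAllowed, and the built-in "user" role allows "*" (every
# non-internal index), which would silently widen access to "test".
[role_testuser]
srchIndexesAllowed = test
srchIndexesDefault = test
# Minimum capability needed to run searches, granted directly instead of
# being inherited from "user".
search = enabled

# --- $SPLUNK_HOME/etc/system/local/authentication.conf (assumed location) ---
# Map the single-member AD group (constructed placeholder DN) to the role.
# The stanza suffix must match the name of your existing LDAP strategy;
# "corp_ldap" is an assumed name.
[roleMap_corp_ldap]
testuser = CN=splunk-idx-test,OU=Groups,DC=example,DC=com

# After editing, reload authentication and review the effective settings:
#   splunk reload auth
#   splunk btool authorize list --debug | grep -i srchIndexesAllowed
# Index access is the union across all roles a user holds, so any other role
# whose srchIndexesAllowed is "*" or names "test" (the admin role allows
# "*;_*" by default) can still search the index; that is the "admins can
# touch everything" caveat raised above.
```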