Security

Restrict a user's ability to write to indexes

w531t4
Path Finder

All - A user brought an issue to my attention today that I can't find a solution to. This user currently has the need to search through hypothetical index=a and index=b. He showed me that he could use the following command to write results to index=a or index=b:

index=b whateverfilter=true | head 2 | collect index=a marker="report=testing123" testmode=false

I have confirmed his write to the index to be successful. Although I'm able to easily identify the events he wrote to the index by searching for sourcetype=stash, the fact that he can write to the index is a pretty big no-no for us.

One post (http://answers.splunk.com/answers/7565/summary-index-question) suggested using local.meta to limit reads/writes to the index, however it doesn't appear to work.

Does anyone know how I can restrict a user's ability to write events to an index?

update: The user who brought this to my attention has the equivalent permissions to the default 'User' role.
update2: I'm running Splunk Enterprise 5.0.6
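As an added example (not from the original post), here is a detection search an admin could schedule to surface collect runs by non-admin users until a real write restriction exists. It assumes the standard _audit index fields (user, search, action, info) and that the audit event's search field carries the full search string, as in the command quoted above.

```spl
`comment("Added example: find non-admin users who ran collect, from the audit log. Assumes standard _audit fields: user, search, action, info.")`
index=_audit action=search info=granted search="*| collect*" user!=admin
`comment("collect with testmode=true writes nothing, so those runs are excluded.")`
NOT search="*testmode=true*"
`comment("Pull the destination index out of the collect clause, e.g. collect index=a marker=...")`
| rex field=search "(?i)\|\s*collect\s+[^|]*?index\s*=\s*\"?(?<target_index>[^\s\"|]+)"
`comment("collect without index= goes to the default summary index; label it so the stats row is not blank.")`
| fillnull value="(default summary index)" target_index
| stats count AS collect_runs, dc(target_index) AS distinct_targets, values(target_index) AS indexes_written, latest(_time) AS last_seen BY user
| convert ctime(last_seen)
| sort - collect_runs
```

Pair it with `index=* sourcetype=stash` over the same window to confirm which writes actually landed, since the audit log only shows that the search was run.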

alanden_splunk
Splunk Employee

Do not give the [capability::indexes_edit] permission in authorize.conf

sbrant_splunk
Splunk Employee

"indexes_edit" is for the ability to modify the properties of the index. It doesn't change the ability to write data to an index.

From the docs at http://docs.splunk.com/Documentation/Splunk/7.1.1/Security/Rolesandcapabilities:

"indexes_edit Lets the user change any index settings such as file size and memory limits. "

alanden_splunk
Splunk Employee

Normally, that is my instinct as well, but I can tell you that only a few hours ago I saw a user account for a customer denied permission to use the collect command until after the customer reported giving the indexes_edit capability. After which time, the collect command worked perfectly. So I can report that after the customer reported giving that capability and doing nothing else, I saw the collect command become functional for the user. I will verify that I understood their report correctly, but I am 99% sure at this point.

splunkIT
Splunk Employee

There is currently an outstanding ER for it:
SPL-133287: ability to specify an index as read-only

yannK
Splunk Employee

I confirm: I tested, and the permission changes on [commands/pycollect] or [commands/collect] do not prevent a user from using the command.
Adding an option to disable this command will be a new feature request.

yannK
Splunk Employee

There are 2 methods to write to a summary index:

  • search with the " | collect" command

    • quick method to disable the collect: change the permissions on the "collect" command to allow only power or admin roles to use it. [EDIT] first method not working

  • scheduled search with the option "summary"

w531t4
Path Finder

'collect' is not listed as a search command in the search app. There's pycollect and pystash. I've made those read/write admin only and I'm still able to use the collect command as an under-privileged user.

yannK
Splunk Employee

In the UI go to Settings > Advanced search > Search commands,
filter for the search app, and search for "collect",
then change permissions based on role.

w531t4
Path Finder

I like your comment about disabling collect. How is this done?
