Re: Restrict a user's ability to write to indexes

w531t4 · ‎03-25-2014

All - A user brought an issue to my attention today that i can't find a solution to. This user currently has the need to search through hypothetical index=a and index=b. He showed me that he could use the following command to write results to index=a or index=b:

index=b whateverfilter=true | head 2 | collect index=a marker="report=testing123" testmode=false

I have confirmed his write to the index to be successful. Although i'm able to easily identify the events he wrote to the index by searching for sourcetype=stash, the fact that he can write to the index is a pretty big no-no for us.

One post (http://answers.splunk.com/answers/7565/summary-index-question) suggested using local.meta to limit read's/write's to the index, however it doesn't appear to work.

Does anyone know how i can restrict a user's ability to write events to an index??

update: The user who brought this to my attention has the equivalent permissions to the default 'User' role.
update2: I'm running Splunk Enterprise 5.0.6

alanden_splunk · ‎06-04-2018

Do not give the [capability::indexes_edit] permission in authorize.conf

sbrant_splunk · ‎06-04-2018

"indexes_edit" is for the ability to modify the properties of the index. It doesn't change the ability to write data to an index.

from the docs at http://docs.splunk.com/Documentation/Splunk/7.1.1/Security/Rolesandcapabilities

"indexes_edit Lets the user change any index settings such as file size and memory limits. "

alanden_splunk · ‎06-04-2018

Normally, that is my instinct as well, but I can tell you that only a few hours ago I saw a user account for a customer denied permission to use the collect command until after the customer reported giving the indexes_edit capability. After which time, the collect command worked perfectly. So I can report that after the customer reported giving that capability and doing nothing else, I saw the collect command become functional for the user. I will verify that I understood their report correctly, but I am 99% sure at this point.

splunkIT · ‎03-16-2018

There is currently an outstanding ER for it:
SPL-133287: ability to specify an index as read-only

yannK · ‎04-04-2014

I confirm, I tested and the permissions change on[commands/pycollect] or [commands/collect] are not preventing an user to use the command.
Adding an option to Disable this command will be a new feature request.

yannK · ‎03-26-2014

They are 2 methods to write in a summary index :

search with the " | collect" command
- quick method to disable the collect : change the permissions on the the "collect" command, to allow only power or admin roles to use it, [EDIT] first method not working
scheduled search with the option "summary"
- For scheduled summary populating searches, they are already limited to power users (regular users cannot schedule a search by default), you may want to verify the the role capabilities see "schedule_search" http://docs.splunk.com/Documentation/Splunk/6.0.2/Security/Rolesandcapabilities

w531t4 · ‎04-04-2014

'collect' is not listed as a search command in the search app. There's pycollect and pystash. I've made those read/write admin only and i'm still able to use the collect command as a under-priveldged user

yannK · ‎03-26-2014

in the UI go to settings > Advanced search > Search commands
filter for the search app, and search for "collect"
then change permissions based on role.

w531t4 · ‎03-26-2014

I like your comment about disabling collect.. how is this done?

Restrict a user's ability to write to indexes

Detecting Brute Force Account Takeover Fraud with Splunk

Buttercup Games: Further Dashboarding Techniques (Part 9)

Buttercup Games: Further Dashboarding Techniques (Part 8)

Are you a member of the Splunk Community?

Restrict a user's ability to write to indexes

Detecting Brute Force Account Takeover Fraud with Splunk

Buttercup Games: Further Dashboarding Techniques (Part 9)

Buttercup Games: Further Dashboarding Techniques (Part 8)