Security

Restrict a user's ability to write to indexes

Path Finder

All - A user brought an issue to my attention today that i can't find a solution to. This user currently has the need to search through hypothetical index=a and index=b. He showed me that he could use the following command to write results to index=a or index=b:

index=b whateverfilter=true | head 2 | collect index=a marker="report=testing123" testmode=false

I have confirmed his write to the index to be successful. Although i'm able to easily identify the events he wrote to the index by searching for sourcetype=stash, the fact that he can write to the index is a pretty big no-no for us.

One post (http://answers.splunk.com/answers/7565/summary-index-question) suggested using local.meta to limit read's/write's to the index, however it doesn't appear to work.

Does anyone know how i can restrict a user's ability to write events to an index??

update: The user who brought this to my attention has the equivalent permissions to the default 'User' role.
update2: I'm running Splunk Enterprise 5.0.6

Splunk Employee
Splunk Employee

Do not give the [capability::indexes_edit] permission in authorize.conf

0 Karma

Splunk Employee
Splunk Employee

"indexes_edit" is for the ability to modify the properties of the index. It doesn't change the ability to write data to an index.

from the docs at http://docs.splunk.com/Documentation/Splunk/7.1.1/Security/Rolesandcapabilities

"indexes_edit Lets the user change any index settings such as file size and memory limits. "

0 Karma

Splunk Employee
Splunk Employee

Normally, that is my instinct as well, but I can tell you that only a few hours ago I saw a user account for a customer denied permission to use the collect command until after the customer reported giving the indexes_edit capability. After which time, the collect command worked perfectly. So I can report that after the customer reported giving that capability and doing nothing else, I saw the collect command become functional for the user. I will verify that I understood their report correctly, but I am 99% sure at this point.

0 Karma

Splunk Employee
Splunk Employee

There is currently an outstanding ER for it:
SPL-133287: ability to specify an index as read-only

0 Karma

Splunk Employee
Splunk Employee

I confirm, I tested and the permissions change on[commands/pycollect] or [commands/collect] are not preventing an user to use the command.
Adding an option to Disable this command will be a new feature request.

Splunk Employee
Splunk Employee

They are 2 methods to write in a summary index :

  • search with the " | collect" command

    • quick method to disable the collect : change the permissions on the the "collect" command, to allow only power or admin roles to use it, [EDIT] first method not working
  • scheduled search with the option "summary"

Path Finder

'collect' is not listed as a search command in the search app. There's pycollect and pystash. I've made those read/write admin only and i'm still able to use the collect command as a under-priveldged user

Splunk Employee
Splunk Employee

in the UI go to settings > Advanced search > Search commands
filter for the search app, and search for "collect"
then change permissions based on role.

0 Karma

Path Finder

I like your comment about disabling collect.. how is this done?