Set "splunk variable" during scripted authentication (radius)

sdwilkerson
Contributor

In Splunk-4.1.1:

The script scriptedRadius.py is called several times during the login process for various functions such as userLogin, getUsersRole.

I have extracted and set variables during the first run (userLogin) but want to make them available when the script runs next for getUsersRole. Is there a good way to save a "Splunk Variable" from the script that would be available at next run?

An alternative would be to write the information out to a tempfile but this seems messy.

Thanks, Sean

1 Solution

Mick
Splunk Employee

Hi Sean,

One solution would be to configure each call to talk to Radius and return the role information required; you could then use cachetiming to make that info persist long enough to be useful for any subsequent authentication calls.

You could also configure your initial call to Radius to add user & role info to a dictionary and then the subsequent calls can just read from there, but you would have to make sure that the dictionary is refreshed on login every time, to account for role changes.

0 Karma

sdwilkerson
Contributor

We currently have the script writing a temp file for each user during the authentication process. The script call uses the username as a key to find the appropriate file (to help avoid collisions). This is not pretty, and requires now filehandles and cleanup which wouldn't be necessary if a dictionary could be used.

Still looking for a long-term solution.

Thanks, Sean

0 Karma

sdwilkerson
Contributor

Thanks Mick,
Subsequent radius calls are inefficient. Radius unfortunately isn't like an LDAP (or DB) query where you ask for distinct information; you get the entire user_entry with each request, then parse out what you want. Although this will work, I think it isn't a great operational solution.

Regarding the persistent dictionary, this was actually the crux of my question. We have tried this a few ways and upon subsequent runs of the script the dictionary is not persistent.
So, what dictionary (or Splunk resource) can we use to make this info persistent?
Thanks,
Sean

0 Karma
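
The per-user file approach discussed in this thread, as an added example that is not code from any poster or from Splunk. It assumes each call runs the script as a fresh process, which matches the in-memory dictionary not surviving between runs. The function names, `CACHE_DIR` and `CACHE_TTL` are hypothetical. It stores roles only (never the password), hashes the username into the file name, keeps files private to the script's account, and expires entries so role changes are picked up.

```python
import hashlib
import json
import os
import tempfile
import time

# Assumed values, not Splunk settings: use a directory only the Splunk user can write.
CACHE_DIR = os.path.join(tempfile.gettempdir(), "scripted_auth_cache")
CACHE_TTL = 60  # seconds a saved entry stays valid

def cache_path(username, cache_dir=CACHE_DIR):
    # Hash the login name so "/" or ".." in it can never steer the file path.
    digest = hashlib.sha256(username.encode("utf-8")).hexdigest()
    return os.path.join(cache_dir, digest + ".json")

def check_dir(cache_dir):
    # Refuse a directory another local account owns or can read or write.
    os.makedirs(cache_dir, mode=0o700, exist_ok=True)
    st = os.stat(cache_dir)
    if st.st_uid != os.getuid() or st.st_mode & 0o077:
        raise PermissionError("unsafe cache directory: " + cache_dir)

def save_user_state(username, roles, cache_dir=CACHE_DIR):
    """Call in the login step, after RADIUS has accepted the user."""
    check_dir(cache_dir)
    record = {"user": username, "roles": list(roles), "saved": time.time()}
    # mkstemp creates the file with mode 0600; os.replace swaps it in atomically,
    # so every login overwrites the previous entry (refresh on role change).
    fd, tmp = tempfile.mkstemp(dir=cache_dir)
    with os.fdopen(fd, "w") as fh:
        json.dump(record, fh)
    os.replace(tmp, cache_path(username, cache_dir))

def load_user_state(username, cache_dir=CACHE_DIR, ttl=CACHE_TTL, now=None):
    """Call in the role-lookup step; returns the roles, or None if absent or stale."""
    path = cache_path(username, cache_dir)
    try:
        check_dir(cache_dir)
        with open(path) as fh:
            record = json.load(fh)
    except (OSError, ValueError):
        return None
    now = time.time() if now is None else now
    ok = (isinstance(record, dict) and record.get("user") == username
          and isinstance(record.get("saved"), (int, float))
          and now - record["saved"] <= ttl)
    if not ok:
        os.remove(path)  # stale or malformed entry: drop it and force a new lookup
        return None
    return record.get("roles")
```

When `load_user_state` returns `None`, the caller should fall back to a fresh RADIUS request instead of granting any default role.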