Set "splunk variable" during scripted authentication (radius)

sdwilkerson
Contributor

In Splunk-4.1.1:

The script scriptedRadius.py is called several times during the login process for various functions such as userLogin, getUsersRole.

I have extracted and set variables during the first run (userLogin) but want to make them available when the script runs next for getUsersRole. Is there a good way to save a "Splunk Variable" from the script that would be available at next run?

An alternative would be to write the information out to a tempfile but this seems messy.

Thanks, Sean

sdwilkerson
Contributor

We currently have the script writing a temp file for each user during the authentication process. The script call uses the username as a key to find the appropriate file (to help avoid collisions). This is not pretty, and requires now filehandles and cleanup which wouldn't be necessary if a dictionary could be used.

Still looking for a long-term solution.

Thanks, Sean

0 Karma

Mick
Splunk Employee

Hi Sean,

One solution would be to configure each call to talk to Radius and return the role information required; you could then use cachetiming to make that info persist long enough to be useful for any subsequent authentication calls.

You could also configure your initial call to Radius to add user & role info to a dictionary and then the subsequent calls can just read from there, but you would have to make sure that the dictionary is refreshed on login every time, to account for role changes.

0 Karma

sdwilkerson
Contributor

Thanks Mick,
Subsequent radius calls are inefficient. Radius unfortunately isn't like an LDAP (or DB) query where you ask for distinct information, you get the entire user_entry with each request then parse out what you want. Although this will work, I think it isn't a great operational solution.

Regarding the persistent dictionary, this was actually the crux of my question. We have tried this a few ways and upon subsequent runs of the script the dictionary is not persistent.
So, what dictionary (or Splunk resource) can we use to make this info persistent?
Thanks,
Sean

0 Karma
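
Added example, not code from the thread or from Splunk: because each call in the thread is a separate run of the script, an in-memory dictionary is gone by the next call, so this sketch keeps the per-user file approach but hardens it for an authentication path (private directory, hashed file names, atomic overwrite on every login, short expiry). The names `save_roles`, `load_roles`, `CACHE_TTL` and the cache directory are hypothetical, and a POSIX host is assumed.

```python
import hashlib, json, os, stat, tempfile, time

CACHE_TTL = 60  # seconds a login result stays usable (assumed value)

def _entry_path(cache_dir, username):
    # Hash the username: it is attacker-supplied, so it must never become
    # a file name directly ("../", path separators, NUL bytes).
    name = hashlib.sha256(username.encode("utf-8")).hexdigest() + ".json"
    return os.path.join(cache_dir, name)

def _check_dir(cache_dir):
    os.makedirs(cache_dir, mode=0o700, exist_ok=True)
    st = os.lstat(cache_dir)
    # Refuse a symlink, another user's directory, or group/world access.
    if not stat.S_ISDIR(st.st_mode) or st.st_uid != os.getuid() or st.st_mode & 0o077:
        raise PermissionError("unsafe cache directory: " + cache_dir)

def save_roles(cache_dir, username, roles, now=None):
    """Login step: store the roles parsed from the RADIUS reply."""
    _check_dir(cache_dir)
    record = {"user": username, "roles": list(roles),
              "ts": time.time() if now is None else now}
    fd, tmp = tempfile.mkstemp(dir=cache_dir)  # mode 0600, unpredictable name
    try:
        with os.fdopen(fd, "w") as fh:
            json.dump(record, fh)
        # Atomic overwrite, so every login refreshes the entry (role changes).
        os.replace(tmp, _entry_path(cache_dir, username))
    except BaseException:
        os.unlink(tmp)
        raise

def load_roles(cache_dir, username, now=None, ttl=CACHE_TTL):
    """Role-lookup step: return cached roles, or None if absent or stale."""
    _check_dir(cache_dir)
    path = _entry_path(cache_dir, username)
    try:
        with open(path) as fh:
            record = json.load(fh)
    except (OSError, ValueError):
        return None
    now = time.time() if now is None else now
    fresh = (isinstance(record, dict) and record.get("user") == username
             and 0 <= now - record.get("ts", 0) <= ttl)
    if not fresh:
        os.unlink(path)  # drop stale entries so old roles cannot linger
        return None
    return record["roles"]
```

A `None` result means the lookup step has to query RADIUS again rather than trust missing or expired data.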