I have got pentest results with the following:
It was possible to access these endpoints unauthenticated:
https://x.x.x.x/en-US/config
https://x.x.x.x/en-GB/config
https://x.x.x.x/en-US/info
https://x.x.x.x/en-US/paths
https://x.x.x.x/en-us/lists
https://x.x.x.x/en-US/embed
Is it really a vulnerability? They said that it's config data, not public data, so it should not be visible.
How can we stop those endpoints from being reachable unauthenticated?
The pentest is one opinion; yours is another. You know more about Splunk so your opinion should count for more. If you believe the information disclosed is not a problem then you should be able to convince your company to accept that over the pentest results.
The endpoints should be documented in the REST API manual, but that will detail the requests and responses. It won't say "this is not a vulnerability". It's up to you to make that decision.
Is it the REST API though?
Like I said, I was not able to find documentation about those endpoints.
Sounds silly, but if you can find it that would be great... (and would also be troublesome for me).
I said it should be in the REST API manual, not that it is. If you find an endpoint that is not documented then consider submitting feedback on the API manual so it can be included.
Perhaps your firewall can be used to restrict access to those endpoints. They'll still be open, but the risk will be lower.
The acceptFrom attribute in server.conf may help limit access to the endpoints.
You can try setting requireAuthentication = true in restmap.conf, but I don't know if this will do what you want. Try it on a test system first.
Thanks
requireAuthentication defaults to true anyway, so it should not fix my issue.
And I have to keep acceptFrom = *
My problem is that I can't find documentation about those endpoints, so I am not even sure it's a security issue.
Try the endpoints yourself to see what they return. If you don't like what comes out then it's a security issue. 😀
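One way to do that check systematically, and to re-run it after any firewall or proxy rule is applied, is a small script that sends plain unauthenticated GET requests (no session cookie, no Authorization header) to each path and reports whether the server served content, sent the client to a login page, or refused. This is an added example, not code from the thread or from Splunk; the paths are the ones quoted above, the host `https://x.x.x.x` is a placeholder, and the `fetch` parameter is injectable so the verdict logic can be exercised offline.

```python
"""Unauthenticated-exposure check for a list of web endpoints (added example)."""
import ssl
import urllib.error
import urllib.request

# Paths quoted in the thread; the host is a placeholder to be replaced.
PATHS = [
    "/en-US/config",
    "/en-GB/config",
    "/en-US/info",
    "/en-US/paths",
    "/en-us/lists",
    "/en-US/embed",
]


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following 3xx so a login redirect stays visible as such."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def default_fetch(url, timeout=10):
    """Unauthenticated GET: no cookies, no Authorization header.

    Returns (status, location) where location is the Location header or None.
    """
    opener = urllib.request.build_opener(
        _NoRedirect(),
        urllib.request.HTTPSHandler(context=ssl.create_default_context()),
    )
    req = urllib.request.Request(url, headers={"User-Agent": "endpoint-exposure-check"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:  # 3xx (not followed), 4xx, 5xx
        return err.code, err.headers.get("Location")


def classify(status, location):
    """Turn a status/Location pair into a verdict an admin can act on."""
    if status in (401, 403):
        return "blocked"
    if 300 <= status < 400:
        if location and "login" in location.lower():
            return "blocked"   # sent to the login page: auth is required
        return "redirect"      # sent somewhere else; inspect by hand
    if status == 200:
        return "exposed"       # content served with no credentials at all
    return "error"


def check_endpoints(base_url, paths=PATHS, fetch=default_fetch):
    """Return {path: verdict} for every path, using `fetch` (injectable for tests)."""
    base = base_url.rstrip("/")
    return {p: classify(*fetch(base + p)) for p in paths}


def exposed_paths(results):
    """Only the paths that still answer with content unauthenticated."""
    return sorted(p for p, v in results.items() if v == "exposed")


if __name__ == "__main__":
    import sys

    target = sys.argv[1] if len(sys.argv) > 1 else "https://x.x.x.x"  # placeholder host
    res = check_endpoints(target)
    for path, verdict in res.items():
        print(f"{verdict:8} {path}")
    # Non-zero exit when anything is still exposed, so the check can sit in a pipeline.
    sys.exit(1 if exposed_paths(res) else 0)
```

Run it as `python check.py https://<your-host>` from a network position that mirrors the pentester's (outside any allow-list). A path reported as `exposed` is one to show to the pentester or to the network team; `blocked` means a login redirect or 401/403 was received, which is the behaviour the pentest expects. If the web tier uses an internal CA, load it into the SSL context rather than disabling verification.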
Yeah, I checked those and I am fine with them.
The problem is that, according to the pentest, they publicly expose config data.
So I now need to show that it is actually fine (and not finding docs for that is not helping), or I need to block those URLs.
It looks like that is not possible via configuration, and I would really prefer not to have to maintain a set of rules on the network devices.