Security

admin can execute custom command even if it doesn't have access permission in local.meta

Explorer

I created a custom command to decrypt some fields. This command should be executable only by a specific role, can_decrypt.
I set local.meta this way:

[commands/decryptuserdata]
access = read : [ candecrypt ], write : [ candecrypt ]
export = system
owner = nobody
version = 6.2.2
modtime = 1491468711.224921000

Why can all users with the admin role execute the decryptuserdata command?
Did I forget some setting for the command, or should I remove some capability from the admin role?

0 Karma

Influencer

As @somesoni2 stated, this is due to the nature of the adminallobjects capability. The only workaround to accomplish what you are looking to do would be to set up a separate search head with the custom command, and only give accounts on that search head to those who should be able to decrypt the data.

You may want to consider making it a corporate policy that only authorized individuals can execute the command. Then, leverage Splunk's built-in logging to periodically audit who is using it (since all searches executed get logged).

0 Karma

Explorer

Thanks for your reply.
As a workaround for my problem, I would check the roles of the current user within the custom command.
I use the splunk.Intersplunk package to get Splunk results in custom commands. How can I get the user who is executing the command?

0 Karma

SplunkTrust

In one of my search commands, I have used this to get the user executing the search command (just the portion of the code shown below).

import glob
import re

import splunk.Intersplunk as isp

# Dispatch directory of this Splunk instance; each running search job has a
# subdirectory named after its sid that contains an args.txt file
dispatch = "/var/opt/splunk/var/run/splunk/dispatch"

user = None
try:
    results, dummyresults, settings = isp.getOrganizedResults()
    sid = settings.get("sid", None)

    # Read the job's args.txt directly (no shell) and pick up the "user=" line
    for path in glob.glob('{0}/*{1}*/args.txt'.format(dispatch, sid)):
        with open(path) as args_file:
            for line in args_file:
                if re.match('.*user=.*', line):
                    user = line.split('=')[1].rstrip()
except Exception as e:
    results = isp.generateErrorResults(str(e))
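To show how the user name obtained this way can actually gate the decryption inside the command (the workaround the question asks about), here is an added example; it is not code from the original thread. It assumes, as the posted snippet does, that the job's args.txt contains a `user=...` line; the args.txt contents and the role map below are constructed sample data, and the role lookup in a real command would be replaced by a query against the Splunk REST endpoint `authentication/current-context` with `settings['sessionKey']` (an assumption, not shown here). The `decrypt_value` function is a stand-in for the real decryption routine.

```python
import base64
import re

# Constructed sample of a dispatch args.txt (format assumed: one "key=value" per line)
SAMPLE_ARGS_TXT = """\
--id=1491468711.42
--maxout=500000
--user=jdoe
--pretty
"""

# Constructed role map standing in for a REST lookup of the user's roles
SAMPLE_ROLES = {
    "jdoe": ["user", "can_decrypt"],
    "adminbob": ["admin"],
}

# Constructed search results; the field value is a base64 "ciphertext" for the stand-in
SAMPLE_RESULTS = [
    {"_time": "1491468711", "userdata": base64.b64encode(b"hello").decode("ascii")},
]

# Accepts "user=jdoe" with or without leading dashes, as the posted snippet does
USER_RE = re.compile(r"^-*user=(?P<user>\S+)\s*$")


def user_from_args(args_text):
    """Return the user name from an args.txt body, or None if no user= line is present."""
    for line in args_text.splitlines():
        match = USER_RE.match(line.strip())
        if match:
            return match.group("user")
    return None


def may_decrypt(user, roles_for_user, required_role="can_decrypt"):
    """Deny by default: only a user whose role list contains required_role may decrypt."""
    if user is None:
        return False
    return required_role in (roles_for_user(user) or [])


def decrypt_value(ciphertext):
    """Stand-in for the real decryption routine (base64 is NOT encryption)."""
    return base64.b64decode(ciphertext).decode("utf-8")


def run_command(results, user, roles_for_user, field="userdata"):
    """Decrypt `field` in place only for an authorised user; otherwise redact it.

    Redacting rather than passing the ciphertext through keeps the command's
    output shape stable, and the calling search log still records who ran it.
    """
    allowed = may_decrypt(user, roles_for_user)
    out = []
    for row in results:
        new_row = dict(row)
        if field in new_row:
            new_row[field] = decrypt_value(new_row[field]) if allowed else "<redacted>"
        out.append(new_row)
    return out


if __name__ == "__main__":
    who = user_from_args(SAMPLE_ARGS_TXT)
    for row in run_command(SAMPLE_RESULTS, who, SAMPLE_ROLES.get):
        print(row)
```

The check is made inside the command because, as the thread notes, admin_all_objects overrides the access list in local.meta; an in-command role check is enforced regardless of who can invoke the command, and the audit log still shows every invocation.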

Explorer

It works perfectly! Thank you.

0 Karma

SplunkTrust

Well that is the whole purpose of having an admin account, isn't it? Admin roles can access and modify all objects in the system, and this is assigned by capability admin_all_objects. If you remove this then basically there are no admins at all.

admin_all_objects   Access and modify any object in the system (user objects, search jobs, etc.). (**Overrides any limits set in the objects.**)
0 Karma

SplunkTrust

Hmmmm. This is a data security issue. If an admin has no defined business need to see decrypted information from those fields, then there ought to be a way to turn it off.

On the other hand, an admin may have a defined business need to determine whether the encryption/decryption is working properly, and to debug it if not. If your organization is giving admin access on your system to very many people, then perhaps a derived admin role could be created for the ones which do not have such a business need.

0 Karma

Explorer

I agree, this is a data security issue. A Splunk admin should not view decrypted business data.
If I create a new semi-admin role without the adminallobjects capability, users with this role actually cannot administer Splunk, because the Users, System and Clustering sections disappear from the Settings menu.

0 Karma

SplunkTrust

Have you restarted splunk since you made the changes? (Or restarted authentication via Manager > Authentication?)

0 Karma