Re: admin can execute custom command even if it ha...

clagese · ‎04-06-2017

I create a custom command to decrypt some field. This command should be executable only from a specific role can_decrypt.
I set local.meta in this way:

[commands/decryptuserdata]
access = read : [ can_decrypt ], write : [ can_decrypt ]
export = system
owner = nobody
version = 6.2.2
modtime = 1491468711.224921000

Why can all users with admin role execute decryptuserdata command?
Do I forget some setting for the command? or Should I remove some capability from the admin role?

masonmorales · ‎04-07-2017

As @somesoni2 stated, this is due to the nature of the admin_all_objects capability. The only workaround to accomplish what you are looking to do, would be to setup a separate search head with the custom command, and only give accounts to that search head to those that should be able to decrypt the data.

You may want to consider making it a corporate policy that only authorized individuals can execute the command. Then, leverage Splunk's built-in logging to periodically audit who is using it (since all searches executed get logged).

clagese · ‎04-07-2017

Thanks for your reply
As work-around for my problem I would check roles of the current user within custom command.
I use splunk.Intersplunk package to get splunk results in custom commands. How can I get the user is executing the command?

somesoni2 · ‎04-07-2017

In one of my search commands, I have used this to get the user executing the search command. (just the portion of the code show below)

dispatch="/var/opt/splunk/var/run/splunk/dispatch"

disjuncts = []

try:
     results, dummyresults, settings = isp.getOrganizedResults()
     sid = settings.get("sid", None)

     p = subprocess.Popen('cat {0}/*{1}*/args.txt'.format(dispatch ,sid) , shell=True, stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
     for line in p.stdout.readlines():
          if re.match('.*user=.*',line):
              user = line.split('=')[1]
              user = user.rstrip()

clagese · ‎04-11-2017

It works perfectly!! Thank you

somesoni2 · ‎04-06-2017

Well that is the whole purpose of having an admin account, isn't it? Admin roles can access and modify all objects in the system, and this is assigned by capability admin_all_objects. If you remove this then basically there are no admins at all.

admin_all_objects   Access and modify any object in the system (user objects, search jobs, etc.). (**Overrides any limits set in the objects.**)

DalJeanis · ‎04-06-2017

Hmmmm. This is a data security issue. If an admin has no defined business need to see decrypted information from those fields, then there ought to be a way to turn it off.

On the other hand, an admin may have a defined business need to determine whether the encryption/decryption is working properly, and to debug it if not. If your organization is giving admin access on your system to very many people, then perhaps a derived admin role could be created for the ones which do not have such a business need.

clagese · ‎04-06-2017

I'm agree, this is a data security issue. A splunk admin should not view decrypted business data.
If I create a new semi-admin role without admin_all_objects capability, users with this role actually cannot administer splunk because in the setting menu disappear users,system and clustering sections.

DalJeanis · ‎04-06-2017

Have you restarted splunk since you made the changes? (Or restarted authentication via Manager > Authentication?)

admin can execute custom command even if it haven't access permission in local.meta

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life