
Admin can execute custom command even if it doesn't have access permission in local.meta

clagese
Explorer

I created a custom command to decrypt some fields. This command should be executable only by a specific role, can_decrypt.
I set local.meta in this way:

[commands/decryptuserdata]
access = read : [ can_decrypt ], write : [ can_decrypt ]
export = system
owner = nobody
version = 6.2.2
modtime = 1491468711.224921000

Why can all users with the admin role execute the decryptuserdata command?
Did I forget some setting for the command, or should I remove some capability from the admin role?


masonmorales
Influencer

As @somesoni2 stated, this is due to the nature of the admin_all_objects capability. The only workaround to accomplish what you are looking to do would be to set up a separate search head with the custom command, and only give accounts on that search head to those who should be able to decrypt the data.

You may want to consider making it a corporate policy that only authorized individuals can execute the command. Then, leverage Splunk's built-in logging to periodically audit who is using it (since all searches executed get logged).


clagese
Explorer

Thanks for your reply.
As a workaround for my problem I would check the roles of the current user within the custom command.
I use the splunk.Intersplunk package to get Splunk results in custom commands. How can I get the user who is executing the command?


somesoni2
Revered Legend

In one of my search commands, I have used this to get the user executing the search command (just the relevant portion of the code is shown below).

import glob
import re
import splunk.Intersplunk as isp

dispatch = "/var/opt/splunk/var/run/splunk/dispatch"

disjuncts = []
user = None

try:
    results, dummyresults, settings = isp.getOrganizedResults()
    sid = settings.get("sid", None)

    # args.txt in the job's dispatch directory carries a "user=<name>" line.
    # Reading the file directly avoids spawning a shell with the sid
    # interpolated into the command line.
    for path in glob.glob('{0}/*{1}*/args.txt'.format(dispatch, sid)):
        with open(path) as args_file:
            for line in args_file:
                if re.match('.*user=.*', line):
                    user = line.split('=')[1]
                    user = user.rstrip()
except Exception:
    # Leave user as None; the command decides how to handle an unknown user.
    pass
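As an added example (not code from this thread), here is how the args.txt lookup above can be turned into the in-command role check clagese asked about: parse the user= line, then allow decryption only if the user holds the can_decrypt role from the original local.meta. The sample args.txt and the role table are constructed, and lookup_roles is an assumed stand-in for a REST query of the user's roles.

```python
# Added example: gate a decrypting custom command on the can_decrypt role.
# Nothing here is the thread's own code; names marked below are assumptions.

REQUIRED_ROLE = "can_decrypt"   # role named in the thread's local.meta

# Constructed sample of a dispatch <sid>/args.txt: one key=value per line.
SAMPLE_ARGS_TXT = """\
sid=1491468711.224921000
user=alice
namespace=search
"""

# Constructed role table standing in for a REST lookup of the user's roles.
# Holding only admin does not grant decryption, which is the thread's goal.
FAKE_ROLES = {"alice": ["user", "can_decrypt"], "bob": ["admin"]}


def user_from_args(args_text):
    """Return the value of the user= line, or None if absent.

    Splits on the first '=' only and requires the key to be exactly 'user',
    so a value containing '=' survives and keys merely containing 'user'
    are not mistaken for it.
    """
    for line in args_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "user":
            return value.strip()
    return None


def lookup_roles(user):
    """Assumed helper: in production this would query the Splunk REST API."""
    return FAKE_ROLES.get(user, [])


def can_decrypt(user, roles_for=lookup_roles):
    """True only if a known user holds REQUIRED_ROLE."""
    if not user:
        return False
    return REQUIRED_ROLE in set(roles_for(user))


def gate_results(results, user, roles_for=lookup_roles,
                 field="userdata", decrypt=lambda v: v):
    """Decrypt `field` in each row only for authorised users.

    Returns False and leaves the ciphertext untouched otherwise, so the
    caller can emit an error instead of the decrypted data.
    """
    if not can_decrypt(user, roles_for):
        return False
    for row in results:
        if field in row:
            row[field] = decrypt(row[field])
    return True
```

Because the check lives in the command's own script, which an admin with admin_all_objects can still edit, treat it as a guard against casual exposure and keep the audit logging masonmorales suggests.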

clagese
Explorer

It works perfectly!! Thank you


somesoni2
Revered Legend

Well that is the whole purpose of having an admin account, isn't it? Admin roles can access and modify all objects in the system, and this is assigned by capability admin_all_objects. If you remove this then basically there are no admins at all.

admin_all_objects: Access and modify any object in the system (user objects, search jobs, etc.). (Overrides any limits set in the objects.)

DalJeanis
SplunkTrust

Hmmmm. This is a data security issue. If an admin has no defined business need to see decrypted information from those fields, then there ought to be a way to turn it off.

On the other hand, an admin may have a defined business need to determine whether the encryption/decryption is working properly, and to debug it if not. If your organization is giving admin access on your system to very many people, then perhaps a derived admin role could be created for the ones which do not have such a business need.


clagese
Explorer

I agree, this is a data security issue. A Splunk admin should not view decrypted business data.
If I create a new semi-admin role without the admin_all_objects capability, users with this role actually cannot administer Splunk, because the users, system and clustering sections disappear from the settings menu.


DalJeanis
SplunkTrust

Have you restarted splunk since you made the changes? (Or restarted authentication via Manager > Authentication?)
