Splunk Enterprise Security

DB Connect App generating data leak issue - each user with db_connect_user role has full access to all indexes

conwaw
Explorer

Hi,

I have installed Splunk Enterprise system with multiple users. Each our user has access only to specified indexes.

In our Searchhead I have installed Splunk DB Connect App. This app include two user roles:

db_connect_admin (with admin permissions)
db_connect_user (with user permission)

To allowed my users (~400 users) use Splunk DB Connect App I have assigned for each user new role - db_connect_user.

After few weeks one of my users discovered that he has full access to all indexes. I was really surprised because till now everything was restricted. I have reviewed all roles and I realised that each user with assigned role db_connect_user has full access to all indexes. This is enterprise system with a lot of indexes with sensitive informations.

Problem is generated by this field (Role -> Indexes -> All non-internal indexes) which cannot be deactivated in GUI (or I do not know how to do it - maybe some one will help here) :

alt text

I have got information from support that this capability cannot be deactivated, which is wrong.

I have deinstalled Splunk DB Connect App - and everything get back to normal.

alt text

I just would like to warn all users, that installation of that addon generating high risk of data leak.

I have opened ticket to support but as I see our discussion going to nowhere...

Maybe some one will be able to help me and tell me how to deactivate in role field "indexes > All non-internal indexes " ???

I`m using latest release of that App and Splunk 8.0.

I appreciate any hints.

Cheers
Konrad

Labels (3)
0 Karma

PavelP
Motivator

Hello @conwaw,

it's a pity that there are no such section "security considerations" in a planing manual https://docs.splunk.com/Documentation/DBX/3.3.0/DeployDBX/Architectureandperformanceconsiderations, but there is an indication between the lines that DBConnect should be installed on a heavy forwarder,

0 Karma
Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...