Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

DB Connect App generating data leak issue - each user with db_connect_user role has full access to all indexes

conwaw
Explorer
‎05-27-2020 03:08 AM

Hi,

I have installed Splunk Enterprise system with multiple users. Each our user has access only to specified indexes.

In our Searchhead I have installed Splunk DB Connect App. This app include two user roles:

db_connect_admin (with admin permissions)
db_connect_user (with user permission)

To allowed my users (~400 users) use Splunk DB Connect App I have assigned for each user new role - db_connect_user.

After few weeks one of my users discovered that he has full access to all indexes. I was really surprised because till now everything was restricted. I have reviewed all roles and I realised that each user with assigned role db_connect_user has full access to all indexes. This is enterprise system with a lot of indexes with sensitive informations.

Problem is generated by this field (Role -> Indexes -> All non-internal indexes) which cannot be deactivated in GUI (or I do not know how to do it - maybe some one will help here) :

alt text

I have got information from support that this capability cannot be deactivated, which is wrong.

I have deinstalled Splunk DB Connect App - and everything get back to normal.

alt text

I just would like to warn all users, that installation of that addon generating high risk of data leak.

I have opened ticket to support but as I see our discussion going to nowhere...

Maybe some one will be able to help me and tell me how to deactivate in role field "indexes > All non-internal indexes " ???

I`m using latest release of that App and Splunk 8.0.

I appreciate any hints.

Cheers
Konrad

Labels (3)
Preview file
1 KB
Preview file
1 KB
0 Karma
Reply

PavelP
Motivator
‎05-27-2020 06:52 AM

Hello @conwaw,

it's a pity that there are no such section "security considerations" in a planing manual https://docs.splunk.com/Documentation/DBX/3.3.0/DeployDBX/Architectureandperformanceconsiderations, but there is an indication between the lines that DBConnect should be installed on a heavy forwarder,

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In the last month, the Splunk Threat Research Team (STRT) has had 2 releases of new security content via the ...

Announcing the 1st Round Champion’s Tribute Winners of the Great Resilience Quest

We are happy to announce the 20 lucky questers who are selected to be the first round of Champion's Tribute ...

We’ve Got Education Validation!

Are you feeling it? All the career-boosting benefits of up-skilling with Splunk? It’s not just a feeling, it's ...