Splunk Enterprise Security
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

DB Connect App generating data leak issue - each user with db_connect_user role has full access to all indexes

conwaw
Explorer
‎05-27-2020 03:08 AM

Hi,

I have installed Splunk Enterprise system with multiple users. Each our user has access only to specified indexes.

In our Searchhead I have installed Splunk DB Connect App. This app include two user roles:

db_connect_admin (with admin permissions)
db_connect_user (with user permission)

To allowed my users (~400 users) use Splunk DB Connect App I have assigned for each user new role - db_connect_user.

After few weeks one of my users discovered that he has full access to all indexes. I was really surprised because till now everything was restricted. I have reviewed all roles and I realised that each user with assigned role db_connect_user has full access to all indexes. This is enterprise system with a lot of indexes with sensitive informations.

Problem is generated by this field (Role -> Indexes -> All non-internal indexes) which cannot be deactivated in GUI (or I do not know how to do it - maybe some one will help here) :

alt text

I have got information from support that this capability cannot be deactivated, which is wrong.

I have deinstalled Splunk DB Connect App - and everything get back to normal.

alt text

I just would like to warn all users, that installation of that addon generating high risk of data leak.

I have opened ticket to support but as I see our discussion going to nowhere...

Maybe some one will be able to help me and tell me how to deactivate in role field "indexes > All non-internal indexes " ???

I`m using latest release of that App and Splunk 8.0.

I appreciate any hints.

Cheers
Konrad

Labels (3)
Preview file
55 KB
Preview file
51 KB
0 Karma
Reply

PavelP
Motivator
‎05-27-2020 06:52 AM

Hello @conwaw,

it's a pity that there are no such section "security considerations" in a planing manual https://docs.splunk.com/Documentation/DBX/3.3.0/DeployDBX/Architectureandperformanceconsiderations, but there is an indication between the lines that DBConnect should be installed on a heavy forwarder,

0 Karma
Reply
Get Updates on the Splunk Community!

Cultivate Your Career Growth with Fresh Splunk Training

Growth doesn’t just happen—it’s nurtured. Like tending a garden, developing your Splunk skills takes the right ...

Introducing a Smarter Way to Discover Apps on Splunkbase

We’re excited to announce the launch of a foundational enhancement to Splunkbase: App Tiering.  Because we’ve ...

How to Send Splunk Observability Alerts to Webex teams in Minutes

As a Developer Evangelist at Splunk, my team and I are constantly tinkering with technology to explore its ...