Splunk Enterprise Security

DB Connect App generating data leak issue - each user with db_connect_user role has full access to all indexes

conwaw
Explorer

Hi,

I have installed Splunk Enterprise system with multiple users. Each our user has access only to specified indexes.

In our Searchhead I have installed Splunk DB Connect App. This app include two user roles:

db_connect_admin (with admin permissions)
db_connect_user (with user permission)

To allowed my users (~400 users) use Splunk DB Connect App I have assigned for each user new role - db_connect_user.

After few weeks one of my users discovered that he has full access to all indexes. I was really surprised because till now everything was restricted. I have reviewed all roles and I realised that each user with assigned role db_connect_user has full access to all indexes. This is enterprise system with a lot of indexes with sensitive informations.

Problem is generated by this field (Role -> Indexes -> All non-internal indexes) which cannot be deactivated in GUI (or I do not know how to do it - maybe some one will help here) :

alt text

I have got information from support that this capability cannot be deactivated, which is wrong.

I have deinstalled Splunk DB Connect App - and everything get back to normal.

alt text

I just would like to warn all users, that installation of that addon generating high risk of data leak.

I have opened ticket to support but as I see our discussion going to nowhere...

Maybe some one will be able to help me and tell me how to deactivate in role field "indexes > All non-internal indexes " ???

I`m using latest release of that App and Splunk 8.0.

I appreciate any hints.

Cheers
Konrad

Labels (3)
0 Karma

PavelP
Motivator

Hello @conwaw,

it's a pity that there are no such section "security considerations" in a planing manual https://docs.splunk.com/Documentation/DBX/3.3.0/DeployDBX/Architectureandperformanceconsiderations, but there is an indication between the lines that DBConnect should be installed on a heavy forwarder,

0 Karma
Get Updates on the Splunk Community!

Splunk Observability Cloud | Unified Identity - Now Available for Existing Splunk ...

Raise your hand if you’ve already forgotten your username or password when logging into an account. (We can’t ...

Index This | How many sides does a circle have?

February 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

Registration for Splunk University is Now Open!

Are you ready for an adventure in learning?   Brace yourselves because Splunk University is back, and it's ...