Splunk Enterprise Security: "Search peer has the following message: Review roles for unnecessary read or write access to authorize.conf and remove access if possible."

10306629
New Member

"Search peer has the following message: Review roles for unnecessary read or write access to authorize.conf and remove access if possible. Learn more"

The above is the warning message I am getting after I updated Splunk ES to 4.7.2. Could someone advise what needs to be done here?

0 Karma

vicky05ssr04
Engager

Hello maraman, I have the same problem too, and the solution provided seems very appropriate. The trouble is I can see the roles admin and ess_analyst tagged to most of the users. What are the things that still need to be checked, and how? Please let me know.

0 Karma

10306629
New Member

Thanks maraman, I have done that but I am still getting this message: Splunk Enterprise Security: "Search peer has the following message: Review roles for unnecessary read or write access to authorize.conf and remove access if possible."
Could you please suggest any other way to do this?

0 Karma

maraman_splunk
Splunk Employee

Hi,

I had the same problem and, from what I understand, the explanation is as follows:
- ES used to have to change rights on authorize.conf, but the way it was done was not ideal.
- ES 4.7 migrates the old configuration to a new config which removes the original need.
- The migration script has no way to know that the changes to authorize.conf were done by ES, so it doesn't touch them, as they could otherwise be legitimate.
- The ES permission checks detect the too-open permissions and warn about them.

So the current solution would be to manually go through each app's metadata/local.meta, look for the authorize.conf stanza, and remove non-admin rights on it as appropriate to your environment.

Hope that helps.

0 Karma
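
An added example, not part of maraman_splunk's post and not Splunk's own tooling: a read-only Python check for the manual review described in the answer above, listing every authorize.conf metadata stanza that grants read or write to a role other than admin. It assumes the stanza is named `[authorize]` or `[authorize/<stanza>]` and that `access` lines use the `read : [ ... ], write : [ ... ]` form; the function names and the sample file content are constructed for illustration.

```python
import re
from pathlib import Path

# Constructed sample of one app's metadata/local.meta (not from a real system).
SAMPLE_META = """\
[authorize]
access = read : [ * ], write : [ admin, ess_analyst ]

[savedsearches]
access = read : [ * ], write : [ admin, power ]

[authorize/role_ess_user]
access = read : [ admin ], write : [ admin ]
"""

# Assumption: authorize.conf permissions live in [authorize] or [authorize/<stanza>].
STANZA_RE = re.compile(r"^\[(?P<name>[^\]]*)\]\s*$")
PERM_RE = re.compile(r"(read|write)\s*:\s*\[([^\]]*)\]")

def find_open_authorize_access(meta_text, allowed=frozenset({"admin"})):
    """Return (stanza, permission, extra_roles) for each authorize.conf
    stanza that grants read or write to a role outside `allowed`."""
    findings, stanza, in_scope = [], None, False
    for raw in meta_text.splitlines():
        m = STANZA_RE.match(raw.strip())
        if m:
            stanza = m.group("name")
            in_scope = stanza == "authorize" or stanza.startswith("authorize/")
            continue
        key, _, value = raw.partition("=")
        if not in_scope or key.strip() != "access":
            continue
        for perm, roles in PERM_RE.findall(value):
            extra = sorted({r.strip() for r in roles.split(",") if r.strip()} - allowed)
            if extra:
                findings.append((stanza, perm, extra))
    return findings

def scan_apps(splunk_home):
    """Map each app's local.meta path to its findings; nothing is modified."""
    results = {}
    for meta in sorted(Path(splunk_home).glob("etc/apps/*/metadata/local.meta")):
        hits = find_open_authorize_access(meta.read_text(encoding="utf-8", errors="replace"))
        if hits:
            results[str(meta)] = hits
    return results

if __name__ == "__main__":
    print(find_open_authorize_access(SAMPLE_META))
```

Run `scan_apps()` against the Splunk installation directory on each search peer named in the warning; pass a wider `allowed` set if other roles legitimately need access in your environment.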

hardikJsheth
Motivator

Splunk has introduced a number of new roles with the latest ES versions (4.7 and above). The warning is thrown to make the user aware of these changes so that he/she can reconfigure access control if required.

You can refer to http://docs.splunk.com/Documentation/ES/4.7.0/Install/ConfigureUsersRoles for more information.

0 Karma