Splunk Enterprise Security

Why are users able to view data in index by directly clicking the search link even though they don't have permission on that index?

akchauhan
Explorer

We observed a security loophole in Splunk Enterprise Security. We have restricted permission on the "Y" index in Splunk to "X" role participants only. Other members, except team X, are not able to view data in that index when they run the query (index="Y"), but when someone from the X team forwards the search link after running the query index="Y" to another team, they are able to view data in that index. I believe the reason is that when they share the search link they are sharing the sid associated with that search, which is why security is bypassed.

Can someone please help us to understand why this is happening?

0 Karma
1 Solution

LukeMurphey
Champion

The confusing part is in regard to exactly what Splunk is sharing when you use the sharing link. Splunk is sharing the results of a particular search job, not the underlying data. Basically, it allows another user to view the results that you saw when you ran a given search. This doesn't mean that the user you send the link to can even run the search themselves. Thus, someone who views the results from the shared job might get no results if they tell Splunk to try to rerun the search, since they might not have access to the indexes.

Effectively, it is kind of like exporting the results page to PDF and sending it to someone who doesn't have access to the indexes. The user still sees the results even though they have no access to the data directly.

When you click the share link on the search, Splunk modifies the search job in two ways:

  1. Sets read permissions to everyone (since it doesn't know who you are sending the search results to)
  2. Updates the job lifetime so the results won't get deleted for 7 days

Note that the share search dialog tries to make this apparent by indicating:

The job's lifetime has been extended to 7 days and read permissions have been set to Everyone.

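A defender-side check for the exposure the answer describes, added here as an example rather than code from this thread or from Splunk: it scans a listing of search jobs for ones whose read ACL is everyone and whose SPL touches a restricted index, so shared jobs that leak restricted results can be found and cleaned up. It assumes the listing has the shape of the `search/jobs` REST endpoint's JSON (SPL under `name`, lifetime under `content.ttl`, readers under `acl.perms.read` with `*` meaning everyone); the sample jobs, the `x_role` role and the `y` index are constructed.

```python
# Added example (not Splunk's code or the poster's): audit jobs whose results were
# made world-readable by "Share job". Assumes input shaped like the JSON body of
# GET /services/search/jobs?output_mode=json: the SPL under "name", the TTL under
# content.ttl and the ACL under acl.perms.read, where "*" means everyone.
import json
import re

RESTRICTED_INDEXES = {"y"}          # indexes only role X may read (from the question)
SHARE_TTL_SECONDS = 7 * 24 * 3600   # the 7-day lifetime the share dialog reports
INDEX_RE = re.compile(r'index\s*=\s*"?([A-Za-z0-9_*-]+)"?', re.IGNORECASE)

# Constructed sample response in the shape of the jobs endpoint, not real Splunk output.
SAMPLE_JOBS_JSON = json.dumps({"entry": [
    {"name": 'search index="Y" sourcetype=auth | head 100',       # shared: everyone can read
     "content": {"sid": "1700000000.101", "ttl": 604800},
     "acl": {"owner": "xmember", "perms": {"read": ["*"], "write": ["xmember"]}}},
    {"name": "search index=Y error",                              # not shared: role-restricted
     "content": {"sid": "1700000000.102", "ttl": 600},
     "acl": {"owner": "xmember", "perms": {"read": ["x_role"], "write": ["xmember"]}}},
    {"name": "search index=public status=200",                    # shared, but no restricted data
     "content": {"sid": "1700000000.103", "ttl": 604800},
     "acl": {"owner": "analyst", "perms": {"read": ["*"], "write": ["analyst"]}}},
]})


def indexes_in_search(search):
    """Return the lower-cased index names referenced in an SPL string."""
    return {m.lower() for m in INDEX_RE.findall(search)}


def find_exposed_jobs(jobs_json, restricted=RESTRICTED_INDEXES):
    """List jobs readable by everyone whose search touches a restricted index."""
    hits = []
    for entry in json.loads(jobs_json).get("entry", []):
        acl = entry.get("acl", {})
        if "*" not in acl.get("perms", {}).get("read", []):
            continue                       # still limited to specific roles/users
        touched = indexes_in_search(entry.get("name", "")) & restricted
        if not touched:
            continue                       # world-readable, but nothing restricted in it
        content = entry.get("content", {})
        hits.append({"sid": content.get("sid"), "owner": acl.get("owner"),
                     "indexes": sorted(touched),
                     "shared_ttl": content.get("ttl") == SHARE_TTL_SECONDS})
    return hits


if __name__ == "__main__":
    for hit in find_exposed_jobs(SAMPLE_JOBS_JSON):
        print(hit)   # one line per job whose shared results expose restricted data
```

Each hit's `sid` is what an admin would use to cancel the job or tighten its ACL again; `shared_ttl` shows whether the lifetime still carries the 7-day extension the dialog mentions.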
