We observed a security loophole in Splunk Enterprise Security. We have restricted permission on the "Y" index in Splunk to "X" role participants only. Other members, except team X, are not able to view data in that index when they run the query (index="Y"), but when someone from the X team forwards the search link to another team after running the query index="Y", they are able to view data in that index. I believe the reason is that when they share the search link they are sharing the sid associated with that search, which is why security is bypassed.
Can someone please help us to understand why this is happening?
The confusing part is in regards to exactly what Splunk is sharing when you use the sharing link. Splunk is sharing the results of a particular search job, not the underlying data. Basically, it allows another user to view the results that you saw when you ran a given search. This doesn't mean that the user you send the link to can even run the search themselves. Thus, someone who views the results from the shared job might get no results if they tell Splunk to try to rerun the search, since they might not have access to the indexes.
Effectively, it is kind of like exporting the results page to PDF and sending it to someone who doesn't have access to the indexes. The user still sees the results even though they have no access to the data directly.
When you click the share link on the search, Splunk modifies the search job in two ways:
1. Sets read permissions to everyone (since it doesn't know who you are sending the search results to)
2. Updates the job lifetime so the results won't get deleted for 7 days
Note that the share search dialog tries to make this apparent by indicating:
The job's lifetime has been extended to 7 days and read permissions have been set to Everyone.
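An added example (not from the thread) for auditing the side effect described in this answer: it lists search jobs whose read permission was widened to Everyone and whose search reads a restricted index. It assumes the JSON shape of `GET /services/search/jobs?output_mode=json` (fields `acl.perms.read`, `acl.owner`, `acl.ttl`, `content.eventSearch`) and works on a constructed sample response.

```python
"""Audit Splunk search jobs whose results were shared with Everyone.

Added example, not code from the original thread. Assumed field names from
the jobs REST endpoint: acl.perms.read ("*" = Everyone), acl.owner, acl.ttl
(seconds), content.eventSearch. Verify them against your own instance."""
import json
import re

SEVEN_DAYS = 7 * 24 * 3600

# Constructed sample of the jobs endpoint response: a job shared via the share
# link over the restricted index, a private job over the same index, and a
# shared job over an unrestricted index.
SAMPLE_JOBS_JSON = json.dumps({"entry": [
    {"name": "1700000000.123", "acl": {"owner": "alice", "ttl": SEVEN_DAYS,
     "perms": {"read": ["*"], "write": ["alice"]}},
     "content": {"eventSearch": 'search index="Y" sourcetype=auth'}},
    {"name": "1700000100.456", "acl": {"owner": "bob", "ttl": 600,
     "perms": {"read": ["X"], "write": ["bob"]}},
     "content": {"eventSearch": 'search index=Y action=login'}},
    {"name": "1700000200.789", "acl": {"owner": "carol", "ttl": SEVEN_DAYS,
     "perms": {"read": ["*"], "write": ["carol"]}},
     "content": {"eventSearch": 'search index=main error'}},
]})

def index_names(spl):
    """Return the lower-cased index names an SPL search string reads from."""
    return {m.lower() for m in
            re.findall(r'\bindex\s*=\s*"?([^"\s]+)"?', spl, flags=re.I)}

def find_overshared_jobs(jobs_json, restricted_indexes):
    """Flag jobs readable by Everyone whose search touches a restricted index."""
    restricted = {i.lower() for i in restricted_indexes}
    findings = []
    for entry in json.loads(jobs_json)["entry"]:
        acl = entry.get("acl", {})
        if "*" not in acl.get("perms", {}).get("read", []):
            continue  # read permission was not widened to Everyone
        spl = entry.get("content", {}).get("eventSearch", "")
        hit = index_names(spl) & restricted
        if hit:
            findings.append({"sid": entry["name"], "owner": acl.get("owner"),
                             "indexes": sorted(hit), "ttl": acl.get("ttl")})
    return findings

if __name__ == "__main__":
    for f in find_overshared_jobs(SAMPLE_JOBS_JSON, ["Y"]):
        print(f"sid={f['sid']} owner={f['owner']} indexes={f['indexes']} ttl={f['ttl']}s")
```

Against a live instance, replace SAMPLE_JOBS_JSON with the body returned by the jobs endpoint; a job that is flagged can have its read permission narrowed again or be cancelled by its owner or an admin.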