Splunk Search

Restrict search to a role using a search restriction is not working

MLGSPLUNK
Path Finder

Hi All.

I have a local instance on my laptop for demo purposes, so no complex deployment on this machine.

I have created an eventtype="event1" which should be used in the search filter terms for a role in order to restrict searches.

I then create a role named "role1":

1. Inheritance: none

2. Capabilities:  run_collect, run_mcollect, schedule_rtsearch, search 

3. Indexes: main

4. Restrictions: (index::main) AND (sourcetype::source) AND (eventtype::event1) - If tested, this SPL correctly returns the results I want the role to be able to search on

5. Resources: Nothing changed


I then save the role and assign it to the demo user. I also restarted Splunk as the docs say.

When I log in with the demo user, I can see all the events; it is not filtering by the restrictions of its role.

Any clue on this?

Thanks!


isoutamo
SplunkTrust
SplunkTrust

Which kind of instance do you have (trial, dev, full, ...)?
Some of those have restrictions on which kinds of users they can have.

r. Ismo

MLGSPLUNK
Path Finder

I have a full license, and followed the docs to the heart as usual.

Right now I am only using two users: admin and the restricted one.

As stated on my initial post, no role has been inherited for the demo user.


isoutamo
SplunkTrust
SplunkTrust

Can you share your authorize and authentication conf files? 

MLGSPLUNK
Path Finder

authentication.conf @isoutamo 

# Version 8.0.1
# DO NOT EDIT THIS FILE!
# Changes to default files will be lost on update and are difficult to
# manage and support.
#
# Please make any changes to system defaults by overriding them in
# apps or $SPLUNK_HOME/etc/system/local
# (See "Configuration file precedence" in the web documentation).
#
# To override a specific setting, copy the name of the stanza and
# setting to the file where you wish to override it.
#
# This file configures authentication.

[authentication]
authType = Splunk
passwordHashAlgorithm = SHA512-crypt

# Note: the caching specified in this stanza only applies to scripted authentication.
# If you are using scripted authentication, you can override these cache timing values in
# your $SPLUNK_HOME\etc\system\local\authentication.conf
[cacheTiming]
userLoginTTL = 0
getUserInfoTTL = 10s
getUsersTTL = 10s

[secrets]
filename =
namespace = splunk

[splunk_auth]
minPasswordLength = 8
minPasswordUppercase = 0
minPasswordLowercase = 0
minPasswordSpecial = 0
minPasswordDigit = 0
expirePasswordDays = 90
expireAlertDays = 15
expireUserAccounts = false
forceWeakPasswordChange = false
lockoutUsers = true
lockoutAttempts = 5
lockoutThresholdMins = 5
lockoutMins = 30
enablePasswordHistory = false
passwordHistoryCount = 24
constantLoginTime = 0
verboseLoginFailMsg = true


isoutamo
SplunkTrust
SplunkTrust

Those seem to be the default versions; what we need to check are those in .../etc/system/local

and even better if you could get the output of the cmd "splunk btool authentication list --debug" and the same for the authorize config.
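As an added illustration of the btool check suggested above (example code written for this edit, not from the thread or from Splunk): a small Python parser for the output of `splunk btool authorize list --debug`, which prefixes every merged setting with the file it came from. Feeding it saved output tells you, per role, which authorize.conf actually supplied srchFilter, so a role that only exists in etc/system/default (as the first files posted here did) or a filter won by some app's local copy shows up immediately. The sample output below is constructed, /opt/splunk is an assumed $SPLUNK_HOME, and role_demo_overridden and example_app are hypothetical.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of "splunk btool authorize list --debug" output, not captured
# from the poster's machine. Each line is "<source file>  <stanza or key = value>".
# Paths assume $SPLUNK_HOME=/opt/splunk. role_demo_overridden and example_app are
# hypothetical: an app's local authorize.conf supplies a wider filter than the
# one kept in system/local, which is the kind of surprise this check surfaces.
SAMPLE_BTOOL_DEBUG = """\
/opt/splunk/etc/system/default/authorize.conf  [default]
/opt/splunk/etc/system/default/authorize.conf  srchFilterSelecting = true
/opt/splunk/etc/system/default/authorize.conf  [role_user]
/opt/splunk/etc/system/default/authorize.conf  srchIndexesAllowed = *
/opt/splunk/etc/system/default/authorize.conf  [role_admin]
/opt/splunk/etc/system/default/authorize.conf  importRoles = power;user
/opt/splunk/etc/system/default/authorize.conf  srchFilter = *
/opt/splunk/etc/system/local/authorize.conf    [role_user_no_privileges]
/opt/splunk/etc/system/local/authorize.conf    search = enabled
/opt/splunk/etc/system/local/authorize.conf    srchFilter = (index::main) AND (sourcetype::cepsa) AND (eventtype::deposito1)
/opt/splunk/etc/system/local/authorize.conf    srchIndexesAllowed = main
/opt/splunk/etc/system/local/authorize.conf    [role_demo_overridden]
/opt/splunk/etc/apps/example_app/local/authorize.conf  srchFilter = (index::main)
/opt/splunk/etc/system/local/authorize.conf    srchIndexesAllowed = main
"""

# "<path><whitespace><rest of line>"; the path never contains whitespace.
LINE_RE = re.compile(r"^(?P<path>\S+)\s+(?P<body>.+)$")

Merged = Dict[str, Dict[str, Tuple[str, str]]]


def parse_btool_debug(text: str) -> Merged:
    """Map stanza -> {key: (value, source file)} from btool --debug output."""
    merged: Merged = {}
    stanza = None
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        path, body = m.group("path"), m.group("body").strip()
        if body.startswith("[") and body.endswith("]"):
            stanza = body[1:-1]
            merged.setdefault(stanza, {})
        elif stanza is not None and "=" in body:
            # Split on the first '=' only; filter values may contain '=' themselves.
            key, value = (part.strip() for part in body.split("=", 1))
            merged[stanza][key] = (value, path)
    return merged


def filter_sources(merged: Merged, expect_dir: str = "/etc/system/local/") -> Dict[str, dict]:
    """Per role: the winning srchFilter, the file that supplied it, and flags for
    anything a reviewer should look at (no filter, a '*' filter, or a source
    outside the directory where the roles are supposed to be maintained)."""
    result: Dict[str, dict] = {}
    for stanza, keys in merged.items():
        if not stanza.startswith("role_"):
            continue
        if "srchFilter" not in keys:
            result[stanza] = {"filter": None, "source": None, "flags": ["no srchFilter set"]}
            continue
        value, path = keys["srchFilter"]
        flags: List[str] = []
        if value == "*":
            flags.append("srchFilter is * (no restriction)")
        if expect_dir not in path:
            flags.append(f"srchFilter set by {path}, not under {expect_dir}")
        result[stanza] = {"filter": value, "source": path, "flags": flags}
    return result


if __name__ == "__main__":
    # For a live check, read the real output from a file saved with:
    #   splunk btool authorize list --debug > authorize-debug.txt
    for role, info in filter_sources(parse_btool_debug(SAMPLE_BTOOL_DEBUG)).items():
        print(f"{role:<26} {'; '.join(info['flags']) or 'ok'}")
```

The flags are deliberately conservative: a filter supplied from an app directory is not necessarily wrong, but when a role is supposed to be managed in system/local it is the first place to look when the restriction does not take effect.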

MLGSPLUNK
Path Finder

Ok, my bad...they are really short @isoutamo 


authentication.conf

[splunk_auth]
minPasswordLength=8
minPasswordUppercase=0
minPasswordLowercase=0
minPasswordSpecial=0
minPasswordDigit=0


authorize.conf


[role_user_no_privileges]
accelerate_search = disabled
cumulativeRTSrchJobsQuota = 0
cumulativeSrchJobsQuota = 0
search = enabled
srchFilter = (index::main) AND (sourcetype::cepsa) AND (eventtype::deposito1)
srchIndexesAllowed = main
srchMaxTime = 8640000

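Added example, not the poster's or Splunk's code: a Python checker that parses authorize.conf text and works out the search filter a user ends up with once role inheritance is applied. The stanzas in the sample are constructed from the ones quoted in this thread plus one hypothetical role, role_demo_mixed, that imports both the restricted role and admin. The combination rule is my reading of srchFilterSelecting, which the posted [default] stanza sets to true: selecting joins the filters of all the user's roles with OR, eliminating joins them with AND, and a role whose filter is absent or `*` is treated as placing no restriction. The poster's role imports nothing, so inheritance is not what went wrong here, but it is the first thing to rule out before assuming a bug.

```python
import configparser
from typing import Dict, List, Optional, Set

# Constructed sample modelled on the authorize.conf stanzas quoted in this thread
# (the restricted role and the stock [default]/[role_user]/[role_power]/[role_admin]
# settings), plus one hypothetical role, role_demo_mixed, that imports both the
# restricted role and admin to show how inheritance widens the effective filter.
SAMPLE_AUTHORIZE_CONF = """\
[default]
srchFilterSelecting = true

[role_user_no_privileges]
search = enabled
srchFilter = (index::main) AND (sourcetype::cepsa) AND (eventtype::deposito1)
srchIndexesAllowed = main

[role_user]
search = enabled
srchIndexesAllowed = *

[role_power]
importRoles = user

[role_admin]
importRoles = power;user
srchFilter = *
srchIndexesAllowed = *;_*

[role_demo_mixed]
importRoles = user_no_privileges;admin
"""


def parse_authorize(text: str) -> configparser.ConfigParser:
    """Parse authorize.conf text. Splunk's [default] stanza applies to every other
    stanza, which is what configparser's default_section provides."""
    cp = configparser.ConfigParser(
        default_section="default",
        interpolation=None,       # Splunk values are literal; never expand %()s
        allow_no_value=True,      # "filename =" style empty keys are legal
        comment_prefixes=("#",),  # ';' separates list values (power;user), not comments
    )
    cp.optionxform = str          # keys are case-sensitive (srchFilter, importRoles)
    cp.read_string(text)
    return cp


def _split_list(value: Optional[str]) -> List[str]:
    """Split a Splunk ';'-separated list such as 'power;user' or '*;_*'."""
    return [v.strip() for v in (value or "").split(";") if v.strip()]


def expand_roles(cp: configparser.ConfigParser, role: str,
                 seen: Optional[Set[str]] = None) -> List[str]:
    """The role plus everything it imports, transitively, in discovery order.
    Cycles and references to roles without a stanza are skipped."""
    seen = set() if seen is None else seen
    if role in seen or not cp.has_section(f"role_{role}"):
        return []
    seen.add(role)
    out = [role]
    for parent in _split_list(cp.get(f"role_{role}", "importRoles", fallback="")):
        out.extend(expand_roles(cp, parent, seen))
    return out


def effective_filter(cp: configparser.ConfigParser, role: str) -> Dict[str, object]:
    """Combine srchFilter and srchIndexesAllowed across a role and its imports.
    Assumption (my reading of srchFilterSelecting): true joins filters with OR,
    false joins them with AND, and a missing or '*' filter adds no restriction."""
    roles = expand_roles(cp, role)
    if not roles:
        raise KeyError(f"no [role_{role}] stanza found")
    selecting = cp.getboolean(f"role_{role}", "srchFilterSelecting", fallback=True)
    filters: List[str] = []
    unfiltered: List[str] = []
    indexes: Set[str] = set()
    for r in roles:
        sec = f"role_{r}"
        flt = (cp.get(sec, "srchFilter", fallback="") or "").strip()
        if flt and flt != "*":
            filters.append(flt)
        else:
            unfiltered.append(r)
        indexes.update(_split_list(cp.get(sec, "srchIndexesAllowed", fallback="")))
    # OR-joining: one unrestricted role opens everything. AND-joining: the user is
    # only unrestricted when no role supplies a filter at all.
    unrestricted = bool(unfiltered) and (selecting or not filters)
    if unrestricted:
        combined = "*"
    elif len(filters) == 1:
        combined = filters[0]
    else:
        combined = (" OR " if selecting else " AND ").join(f"({f})" for f in filters)
    return {"roles": roles, "filter": combined, "indexes": sorted(indexes),
            "unfiltered_roles": unfiltered, "unrestricted": unrestricted}


if __name__ == "__main__":
    # To check a live instance, replace SAMPLE_AUTHORIZE_CONF with the contents of
    # $SPLUNK_HOME/etc/system/local/authorize.conf (or btool's merged listing).
    cp = parse_authorize(SAMPLE_AUTHORIZE_CONF)
    for section in cp.sections():
        if section.startswith("role_"):
            info = effective_filter(cp, section[len("role_"):])
            mark = "UNRESTRICTED" if info["unrestricted"] else "restricted"
            print(f"{mark:<13} {section:<26} filter={info['filter']}")
```

Running it on the sample lists role_user_no_privileges as restricted to the posted filter and role_demo_mixed as unrestricted, because the admin role it imports carries `srchFilter = *` and the filters are OR-joined.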

isoutamo
SplunkTrust
SplunkTrust

Hi

try to change srchFilter = (index::main) to srchFilter = (index=main) ....

At least in earlier versions that was so. 
r. Ismo


MLGSPLUNK
Path Finder

Hi @isoutamo 


Changed to (index=main) to no avail, still not working. Checked and updated the Splunk version to 8.0.5 and it's not working on the latest either.


My guess is that this is a bug or something else is missing. Do you know how we can submit a bug to Splunk so they can elaborate on it? My other colleagues on the Splunk team are clueless about the issue as well, and no info on the internet differs from the method we are using.


Thanks for your insights @isoutamo !


isoutamo
SplunkTrust
SplunkTrust

You should log it in their support portal. This requires that you have a valid entitlement and that it is connected to your splunk.com account. If you don't have that, you could ask someone else (who has those) to do it.


splunk.com -> Support -> Support Portal, or something similar at the top of the page.

MLGSPLUNK
Path Finder

Yeah, we have that at the company. 

Will post and will reply here as soon as I have more input.

Thanks!


MLGSPLUNK
Path Finder

No response yet, still investigating on the issue.


MLGSPLUNK
Path Finder

Hi all.

It seems that there was an issue with the license of Splunk I was using. After the license change, I restarted everything and it worked fine.


Thanks all for the input.


MLGSPLUNK
Path Finder

Debug results @isoutamo


[authentication]
authType = Splunk
passwordHashAlgorithm = SHA512-crypt
[cacheTiming]
getUserInfoTTL = 10s
getUsersTTL = 10s
userLoginTTL = 0
[secrets]
filename =
namespace = splunk
[splunk_auth]
constantLoginTime = 0
enablePasswordHistory = false
expireAlertDays = 15
expirePasswordDays = 90
expireUserAccounts = false
forceWeakPasswordChange = false
lockoutAttempts = 5
lockoutMins = 30
lockoutThresholdMins = 5
lockoutUsers = true
minPasswordDigit = 0
minPasswordLength = 8
minPasswordLowercase = 0
minPasswordSpecial = 0
minPasswordUppercase = 0
passwordHistoryCount = 24
verboseLoginFailMsg = true


MLGSPLUNK
Path Finder

Someone suggested this could be a bug on Splunk 8.0.1.

Is this confirmed as a bug?


MLGSPLUNK
Path Finder

Authorize.conf @isoutamo 

# Version 8.0.1
# DO NOT EDIT THIS FILE!
# Changes to default files will be lost on update and are difficult to
# manage and support.
#
# Please make any changes to system defaults by overriding them in
# apps or $SPLUNK_HOME/etc/system/local
# (See "Configuration file precedence" in the web documentation).
#
# To override a specific setting, copy the name of the stanza and
# setting to the file where you wish to override it.
#
# commented out capabilities that are registered by their own components.
# leaving here for educational purposes.

# This file creates roles and sets granular access controls.

# These stanzas list all the capabilities in the system
[capability::accelerate_datamodel]
[capability::admin_all_objects]
[capability::edit_tokens_settings]
[capability::change_authentication]
[capability::change_own_password]
[capability::list_storage_passwords]
[capability::delete_by_keyword]
[capability::edit_bookmarks_mc]
[capability::edit_deployment_client]
[capability::list_deployment_client]
[capability::edit_deployment_server]
[capability::list_deployment_server]
[capability::edit_cmd]
[capability::edit_upload_and_index]
[capability::edit_tcp_stream]
[capability::list_dist_peer]
[capability::edit_dist_peer]
[capability::edit_forwarders]
[capability::edit_indexerdiscovery]
[capability::edit_httpauths]
[capability::edit_indexer_cluster]
[capability::edit_input_defaults]
[capability::install_apps]
[capability::edit_local_apps]
[capability::edit_authentication_extensions]
[capability::edit_monitor]
[capability::edit_restmap]
[capability::edit_roles]
[capability::edit_roles_grantable]
[capability::edit_scripted]
[capability::edit_search_server]
[capability::edit_search_head_clustering]
[capability::edit_search_concurrency_all]
[capability::edit_search_concurrency_scheduled]
[capability::edit_search_scheduler]
[capability::edit_search_schedule_priority]
[capability::edit_search_schedule_window]
[capability::list_pipeline_sets]
[capability::list_search_scheduler]
[capability::list_introspection]
[capability::list_settings]
[capability::list_metrics_catalog]
[capability::edit_tokens_all]
[capability::edit_tokens_own]
[capability::list_tokens_own]
[capability::edit_server]
[capability::edit_sourcetypes]
[capability::edit_splunktcp]
[capability::edit_splunktcp_ssl]
[capability::edit_splunktcp_token]
[capability::edit_statsd_transforms]
[capability::edit_metric_schema]
[capability::edit_tcp]
[capability::edit_udp]
[capability::edit_telemetry_settings]
[capability::edit_user]
[capability::edit_view_html]
[capability::edit_web_settings]
[capability::get_metadata]
[capability::get_typeahead]
[capability::get_diag]
[capability::indexes_edit]
[capability::input_file]
[capability::license_edit]
[capability::license_tab]
[capability::license_view_warnings]
[capability::list_forwarders]
[capability::list_indexerdiscovery]
[capability::list_httpauths]
[capability::list_indexer_cluster]
[capability::list_inputs]
[capability::list_search_head_clustering]
[capability::output_file]
[capability::request_remote_tok]
[capability::rest_apps_management]
[capability::rest_apps_view]
[capability::rest_properties_get]
[capability::rest_properties_set]
[capability::restart_splunkd]
[capability::restart_reason]
[capability::rtsearch]
[capability::run_debug_commands]
[capability::schedule_search]
[capability::metric_alerts]
[capability::schedule_rtsearch]
[capability::search]
[capability::use_file_operator]
[capability::accelerate_search]
[capability::list_accelerate_search]
[capability::run_multi_phased_searches]
[capability::embed_report]
[capability::pattern_detect]
[capability::edit_token_http]
[capability::web_debug]
[capability::export_results_is_visible]
[capability::edit_server_crl]
[capability::search_process_config_refresh]
[capability::dispatch_rest_to_indexers]
[capability::refresh_application_licenses]
[capability::edit_encryption_key_provider]
[capability::never_lockout]
[capability::never_expire]
[capability::list_health]
[capability::edit_health]
[capability::request_pstacks]
[capability::edit_watchdog]
[capability::list_workload_pools]
[capability::edit_workload_pools]
[capability::select_workload_pools]
[capability::list_workload_rules]
[capability::edit_workload_rules]
[capability::run_collect]
[capability::run_mcollect]
[capability::list_tokens_all]
[capability::upload_lookup_files]
[capability::apps_restore]
[capability::apps_backup]
[capability::edit_metrics_rollup]
[capability::list_cascading_plans]
[capability::run_msearch]
[capability::delete_messages]

[capability::edit_win_eventlogs]
[capability::edit_win_wmiconf]
[capability::edit_win_regmon]
[capability::edit_modinput_winhostmon]
[capability::edit_modinput_winnetmon]
[capability::edit_modinput_winprintmon]
[capability::edit_modinput_perfmon]
[capability::edit_modinput_admon]
[capability::list_win_localavailablelogs]
[capability::list_pdfserver]
[capability::write_pdfserver]

################################################################
################################################################
[default]
# ==== Subsumed roles ====
# ==== Capabilities ====
schedule_rtsearch = enabled
run_collect = enabled
run_mcollect = enabled
# ==== Other settings ====
srchDiskQuota = 100
srchJobsQuota = 3
rtSrchJobsQuota = 6
srchMaxTime = 100days
cumulativeSrchJobsQuota = 50
cumulativeRTSrchJobsQuota = 100
srchFilterSelecting = true


################################################################
################################################################
[role_user]
# ==== Subsumed roles ====
# ==== Capabilities ====
change_own_password = enabled
edit_search_schedule_window = enabled
get_metadata = enabled
get_typeahead = enabled
input_file = enabled
list_inputs = enabled
output_file = enabled
upload_lookup_files = enabled
request_remote_tok = enabled
rest_apps_view = enabled
rest_properties_get = enabled
rest_properties_set = enabled
search = enabled
accelerate_search = enabled
list_accelerate_search = enabled
pattern_detect = enabled
list_metrics_catalog = enabled
list_tokens_own = enabled
export_results_is_visible = enabled
run_collect = enabled
run_mcollect = enabled
delete_messages = enabled
# ==== Other settings ====
srchIndexesAllowed = *
srchIndexesDefault = main


################################################################
################################################################
[role_can_delete]
# ==== Subsumed roles ====
# ==== Capabilities ====
delete_by_keyword = enabled
# ==== Other settings ====
cumulativeSrchJobsQuota = 0
cumulativeRTSrchJobsQuota = 0
deleteIndexesAllowed = *


################################################################
################################################################
[role_power]
# ==== Subsumed roles ====
importRoles = user
# ==== Capabilities ====
schedule_search = enabled
metric_alerts = enabled
embed_report = enabled
rtsearch = enabled
edit_sourcetypes = enabled
edit_statsd_transforms = enabled
search_process_config_refresh = enabled
# ==== Other settings ====
srchIndexesAllowed = *
srchIndexesDefault = main
srchDiskQuota = 500
srchJobsQuota = 10
rtSrchJobsQuota = 20
cumulativeSrchJobsQuota = 100
cumulativeRTSrchJobsQuota = 200

################################################################
################################################################
[role_admin]
# ==== Subsumed roles ====
importRoles = power;user
# ==== Capabilities ====
accelerate_datamodel = enabled
admin_all_objects = enabled
edit_tokens_settings = enabled
change_authentication = enabled
edit_bookmarks_mc = enabled
edit_deployment_client = enabled
list_deployment_client = enabled
edit_deployment_server = enabled
list_deployment_server = enabled
list_search_head_clustering = enabled
dispatch_rest_to_indexers = enabled
edit_authentication_extensions = enabled
edit_cmd = enabled
edit_upload_and_index = enabled
edit_tcp_stream = enabled
list_dist_peer = enabled
edit_dist_peer = enabled
edit_restmap = enabled
edit_forwarders = enabled
edit_indexerdiscovery = enabled
edit_httpauths = enabled
edit_indexer_cluster = enabled
edit_input_defaults = enabled
edit_local_apps = enabled
edit_monitor = enabled
edit_tokens_own = enabled
edit_roles = enabled
edit_scripted = enabled
edit_search_concurrency_all = enabled
edit_search_head_clustering = enabled
edit_search_server = enabled
edit_search_scheduler = enabled
edit_search_schedule_priority = enabled
edit_tokens_all = enabled
list_tokens_all = enabled
list_indexer_cluster = enabled
list_pipeline_sets = enabled
list_search_scheduler = enabled
list_settings = enabled
edit_server = enabled
edit_splunktcp = enabled
edit_splunktcp_ssl = enabled
edit_splunktcp_token = enabled
edit_tcp = enabled
edit_udp = enabled
edit_telemetry_settings = enabled
edit_user = enabled
edit_view_html = enabled
edit_web_settings = enabled
get_diag = enabled
indexes_edit = enabled
install_apps = enabled
license_edit = enabled
license_tab = enabled
license_view_warnings = enabled
refresh_application_licenses = enabled
list_forwarders = enabled
list_indexerdiscovery = enabled
list_httpauths = enabled
rest_apps_management = enabled
restart_splunkd = enabled
restart_reason = enabled
run_debug_commands = enabled
edit_token_http = enabled
web_debug = enabled
edit_server_crl = enabled
list_storage_passwords = enabled
edit_encryption_key_provider = enabled
never_lockout = enabled
never_expire = enabled
list_health = enabled
edit_health = enabled
apps_restore = enabled
apps_backup = enabled
edit_workload_pools = enabled
list_workload_pools = enabled
select_workload_pools = enabled
edit_workload_rules = enabled
list_workload_rules = enabled
edit_metric_schema = enabled
edit_metrics_rollup = enabled
list_cascading_plans = enabled
edit_win_eventlogs = enabled
edit_win_wmiconf = enabled
edit_win_regmon = enabled
edit_modinput_winhostmon = enabled
edit_modinput_winnetmon = enabled
edit_modinput_winprintmon = enabled
edit_modinput_perfmon = enabled
edit_modinput_admon = enabled
list_win_localavailablelogs = enabled
list_pdfserver = enabled
write_pdfserver = enabled
run_msearch = enabled

# ==== Other settings ====
srchIndexesAllowed = *;_*
srchIndexesDefault = main;os
srchFilter = *
srchTimeWin = 0
srchDiskQuota = 10000
srchJobsQuota = 50
rtSrchJobsQuota = 100
cumulativeSrchJobsQuota = 200
cumulativeRTSrchJobsQuota = 400

################################################################
################################################################
[role_splunk-system-role]
# ==== Subsumed roles ====
importRoles = admin
# ==== Capabilities ====
# ==== Other settings ====


################################################################
################################################################
[tokens_auth]
expiration = never
disabled = true
