Splunk Search

Role based data masking in splunk 6.0.1?

Contributor

Hi,

I need to know is it role based data masking is possible in 6.0.1? If yes then please let me know what are the possible ways.

And below are some methods which i already gone through:

1. Creating separate index for masked data.
2. Index time masking which I don't need to use. Because the fields masked should be able to view by some groups/roles.

In any other ways if it is possible to mask values for only certain user. Please let me know It would be a great help.. Thanks...

1 Solution

SplunkTrust
SplunkTrust

I don't think there's any way of forcing role-based searchtime data masking. Thinking about the search performance implications, there would be endless pitfalls.

You can however make indextime masking convenient for role-based use. Say you have two roles, myusers and myusersmasked. Set up pairs of indexes called myindex and myindexmasked, and set visibilities by roles accordingly. Index cleartext data into one index, masked data into the other. Make all searches refer to the indexes by index=myindex* rather than specifying one or the other explicitly. Then, whenever a user runs such a search, he will be provided with cleartext or masked data according to his role.

View solution in original post

0 Karma

SplunkTrust
SplunkTrust

@krish3, @salem34, @venkatpotru, SED/anonymization can be applied at search time. However, as @martin_mueller has mentioned will have definite impact to search query performance. Following is a simple run anywhere example which Masks a portion of email if the logged-in user is Non-Admin otherwise displays the complete email (i.e. for admin users). The token can be set and applied to all existing searches where-ever required.

alt text
PS: This example has been created on logic similar to one of my previous answers to enable/disable controls in a Dashboard based on logged in user's role: https://answers.splunk.com/answers/575377/can-i-restrict-permissions-for-the-text-box-drilld.html

<dashboard>
  <label>Apply SED based on Role</label>
  <init>
    <set token="tokApplySedOnEmail">rex field=email mode=sed "s/([^\@]+)(\@.*)/XXXX\2/g"</set>
    <set token="tokRole">user</set>
  </init>
  <!-- Independent Query to find logged in User Role and set tokens accordingly -->
 <search id="baseUserRolesRESTSearch">
   <query>| rest splunk_server=local /services/authentication/current-context 
| table roles
| search roles="admin"
     </query>
     <done>
       <!-- For Non-Admin SED should be used to anonymize email -->
       <condition match="$job.resultCount$==0">
         <set token="tokApplySedOnEmail">rex field=email mode=sed "s/([^\@]+)(\@.*)/XXXX\2/g"</set>
         <set token="tokRole">user</set>
       </condition>
       <!-- For Admin no SED-->
       <condition>
         <!-- comment() macro creates a comment in SPL. Refer to documentation https://docs.splunk.com/Documentation/Splunk/latest/Search/Addcommentstosearches#Using_the_comment_m....
         PS: If comment macro has not been created/made global in the Search app in Splunk, this macro will throw permission error.-->
         <set token="tokApplySedOnEmail">`comment("DO NOT MASK EMAIL")`</set>
         <set token="tokRole">admin</set>
       </condition>
   </done>
 </search>
  <row>
    <panel>
      <title>Email Address Based On Role</title>
      <table>
        <title>$tokRole$ - $tokApplySedOnEmail$</title>
        <search>
          <query>| makeresults
| eval email="someone@somwhere.com"
| $tokApplySedOnEmail$</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</dashboard>

PS: I have tested the code by changing independent search filter from | search roles="admin" to | search NOT roles="admin". However, the same should be tested with two different roles and role name should be as per your need.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

SplunkTrust
SplunkTrust

That's a nice UI gimmick, but it's not secure. Anyone could run a different search and see the whole data.

New Member

Thanks for the inputs @niketnilay and @martin_mueller

0 Karma

New Member

Is there a better option in 7.1.1? or in 7.1.1 also, only solution is to set up two indexes for same field, one with masked data and other with unmasked data, each with different role access?

0 Karma

SplunkTrust
SplunkTrust

If you want security for your data and individual searching, different indexes is the way to go. If you just want a dashboard to look nice without actual security you can go niket's way. If you want low privilege users to get a limited view into high privilege data you can give them prepared saved searches that run as a higher privilege owner.

SplunkTrust
SplunkTrust

I don't think there's any way of forcing role-based searchtime data masking. Thinking about the search performance implications, there would be endless pitfalls.

You can however make indextime masking convenient for role-based use. Say you have two roles, myusers and myusersmasked. Set up pairs of indexes called myindex and myindexmasked, and set visibilities by roles accordingly. Index cleartext data into one index, masked data into the other. Make all searches refer to the indexes by index=myindex* rather than specifying one or the other explicitly. Then, whenever a user runs such a search, he will be provided with cleartext or masked data according to his role.

View solution in original post

0 Karma

Path Finder

Im just wondering whether there is still no way to do that at search time in splunk 6.6x - having 20gb of daily logs to anonymize makes the double index path quite painful when it comes to license fees. I start playing around with collect command searches to write out the masked raw data to a summary index but i dont think that this solution is very stable as you have to build a mechanism to avoid duplicates and guarantee ongoing events.
Any other ideas?

0 Karma

SplunkTrust
SplunkTrust

That could be a concern if you're the one paying for the license, yeah... have you considered using clever summary indexing after the first indexing rather than cloning before the first indexing?

Contributor

Hi martin,

I agree with your point but what my concern is indexing same data twice might need us to pay more for license.. 🙂

0 Karma