Splunk Search

how to keep my rules to myself?

felipecg
Explorer

I'd like to know if it's possible to hide my rules from an admin user.

Here's the situation:

I'm not admin, however I can make rules for the Splunk, and I'd like that only I could see them.
So, even the administrator can't copy my rules, so I can keep my work just with myself.
If anyone has any idea, I'd appreciate it.

Thank you.

1 Solution

renatobamorim
Explorer

hey buddy,

I had a problem like that and I solved it with an external lookup. That way, you'll just need a single search on Splunk and the verification stays on another host (that you control). If you do this on a local network, the delay will be minimal.

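The external lookup pattern from the accepted answer, as an added example that is not code from the thread: the search on Splunk only carries `| lookup threatcheck src_ip OUTPUT verdict`, and the script forwards each value to a host the rule author controls, where the actual match logic lives. The endpoint URL, the `threatcheck` stanza name and the field names are assumptions; as later replies note, the script file on the search head and the executed search in the audit logs remain visible to an admin, only the rule content moves off the box.

```python
#!/usr/bin/env python3
"""Splunk external lookup script (hypothetical). transforms.conf would carry:
[threatcheck]
external_cmd = threatcheck.py src_ip verdict
fields_list = src_ip, verdict
"""
import csv
import json
import sys
import urllib.request

# Assumed endpoint on the rule author's own host; not taken from the thread.
CHECK_URL = "https://rules.example.internal/check"


def remote_verdict(value, url=CHECK_URL, timeout=2.0):
    """Ask the remote host whether `value` matches a rule. Only the value
    and the verdict cross the wire; the rule itself never reaches Splunk."""
    req = urllib.request.Request(
        url, data=json.dumps({"value": value}).encode(),
        headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp).get("verdict", "unknown")


def run_lookup(in_fh, out_fh, in_field, out_field, check=remote_verdict):
    """Splunk's external-lookup contract: CSV with a header arrives on stdin,
    the same columns go back on stdout with the output field filled per row.
    Returns the number of rows processed."""
    reader = csv.DictReader(in_fh)
    if reader.fieldnames is None:          # empty input, nothing to emit
        return 0
    writer = csv.DictWriter(out_fh, fieldnames=reader.fieldnames)
    writer.writeheader()
    count = 0
    for row in reader:
        value = row.get(in_field, "")
        try:
            row[out_field] = check(value) if value else ""
        except Exception:                  # remote down: report, don't crash the search
            row[out_field] = "error"
        writer.writerow(row)
        count += 1
    return count


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: threatcheck.py <input_field> <output_field>")
    run_lookup(sys.stdin, sys.stdout, sys.argv[1], sys.argv[2])
```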

felipecg
Explorer

Oh Snap! That's a good call.
Thanks for your help.
Also thank you guys for the others ideas.


grijhwani
Motivator

That doesn't help you, at least not greatly. The search is still going to appear in the logs when it is executed. It only obscures it from direct view in the UI, so again, any administrator will be able to see it with ease if they choose to go looking. It still doesn't provide a total solution.


renatobamorim
Explorer

Hi, grijhwani

I agree that the search is still visible to the admin, but I think that felipecg wants to hide how he detects some anomalies, like SQLi, XSS, or padding oracle, from the other firm.

I have a similar scenario here, 1 Splunk and 2 rival companies to administrate, it's a nightmare.

muebel
SplunkTrust

Hi felipecg, unfortunately there isn't any way to prevent a user in the admin role from viewing knowledge objects (alerts, searches, views etc). Additionally, any user with root access to the servers running Splunk will be able to view these objects through the config files.

The best you could do would be to load these configs into Splunk as needed, and then delete them when not needed. Or maybe gain some obscurity by creating many such objects.

Let me know if this helps!

felipecg
Explorer

Well, I would like to hide them because the company which administers the Splunk is not the company which makes the rules. I know it's not common.
That's why I'd like to hide it.

Thank you.


Lucas_K
Motivator

Ahh, a specific use case.

I think you're out of luck honestly. As muebel said, someone with shell access can always get access to the machine and read your configs.

Your alternative could be your own splunk cloud instance 🙂


grijhwani
Motivator

It would defeat the object of being an administrator if the administrator did not have total access to the system.

It also seems very destructive to refuse to collaborate with co-workers, especially those responsible for a service you are using. If I were the administrator I'd be all the more curious about what it was you had to hide.

And no. An administrator can see everything, if they choose to go looking.

felipecg
Explorer

Well I think I didn't explain the situation well.
If you have one company to administrate the Splunk and also another company which makes the rules,
I guess the company which makes the rules doesn't want to expose its intelligence, right?
So, those are my rules, I just don't want another company to look at them.

felipecg
Explorer

Actually the company responsible for administering the Splunk is not the same one that makes the rules. So, the company responsible for creating the alerts wants to keep its intelligence.

Lucas_K
Motivator

Which is a fair enough expectation honestly.

No possibility to run your own search head to connect to the existing indexers?


grijhwani
Motivator

OK, well I understand your problem, but regardless of the intent or motivation the reality doesn't change. Regardless of the fact someone didn't like my original answer, the fact remains it can't be done.

You can't do it with file permissions, because Splunk as an entirety runs as the same system user (more often than not with sysadmin rights which will override any permissions anyway), and at the application level a user account with administration privileges has total access to everything within the application.

Short of setting up a dedicated Splunk search head administered by the right people, you simply cannot ring-fence the data.


muebel
SplunkTrust

What do you mean by rules?

felipecg
Explorer

I meant I get the logs and create alerts, using a specific IP or code, and I'd like that only I could see them, however I'm not the admin. I don't want even the admin to be able to access my rules (alerts I've created).

felipecg
Explorer

Any idea how I can do it?
Is there any possible way?