I tried to raise a case but the support portal wouldn't play ball.
We've found several problems with SoS on Windows, specifically the Security Health Check dashboard.
The module closes in the XML are in the wrong place. Hence the drop-down value you select gets thrown away and isn't used to filter the results of securityinfo.py. We fixed it, and that bit works OK now.
It's a very strange strategy anyway. The XML is supposed to set a filter of one of the splunk servers. securityinfo.py reports on all servers it knows about, then the XML filters the results. Kinda like doing a full table scan then a select...
securityinfo.py doesn't know anything about splunk_server_cache.csv so has a wrong idea of what the splunk servers are anyway. It is now supported to customise splunk_server_cache.csv but the python script doesn't look at it.
securityinfo.py is borked. The run-as-root test is not implemented on Windows, so the value being returned is 'Undefined'. This raises a red traffic light unnecessarily, which may have the effect of confusing or upsetting end users. It should return 'false', and that's what we've done here, so that bit works OK too.
securityinfo.py doesn't return correct values for whether splunk web ssl is enabled. Or at least, it has a bet each way and returns two rows, one that says true, the other that says false. This may be a side effect of our architecture, which is two search heads, one running PCI and one ES, which are peered to the indexer but not to each other. This is supposed to be supported by SoS but plainly isn't completely.
What this code should do is use the drop-down you select in the XML as a parameter to the script, to get the security info from just one server. However, we weren't able to fix this because the code is pretty obfuscated, and it isn't really clear how it does anything at all. For instance, having set sos_server (incorrectly) it doesn't seem to do anything with it.
There must be some implicit or hidden stuff going on.
PS if anyone knows what the 'Raise Case' support page will accept as a valid phone number, this would be good to know. I tried around a dozen variations, including Support's own number as given on the page, and it didn't like any of them nor would it give me a hint.