Splunk Search

Role based data masking in splunk 6.0.1?

krish3
Contributor

Hi,

I need to know is it role based data masking is possible in 6.0.1? If yes then please let me know what are the possible ways.

And below are some methods which i already gone through:

1. Creating separate index for masked data.
2. Index time masking which I don't need to use. Because the fields masked should be able to view by some groups/roles.

In any other ways if it is possible to mask values for only certain user. Please let me know It would be a great help.. Thanks...

1 Solution

martin_mueller
SplunkTrust
SplunkTrust

I don't think there's any way of forcing role-based searchtime data masking. Thinking about the search performance implications, there would be endless pitfalls.

You can however make indextime masking convenient for role-based use. Say you have two roles, myusers and myusers_masked. Set up pairs of indexes called myindex and myindex_masked, and set visibilities by roles accordingly. Index cleartext data into one index, masked data into the other. Make all searches refer to the indexes by index=myindex* rather than specifying one or the other explicitly. Then, whenever a user runs such a search, he will be provided with cleartext or masked data according to his role.

View solution in original post

0 Karma

niketn
Legend

@krish3, @salem34, @venkatpotru, SED/anonymization can be applied at search time. However, as @martin_mueller has mentioned will have definite impact to search query performance. Following is a simple run anywhere example which Masks a portion of email if the logged-in user is Non-Admin otherwise displays the complete email (i.e. for admin users). The token can be set and applied to all existing searches where-ever required.

alt text
PS: This example has been created on logic similar to one of my previous answers to enable/disable controls in a Dashboard based on logged in user's role: https://answers.splunk.com/answers/575377/can-i-restrict-permissions-for-the-text-box-drilld.html

<dashboard>
  <label>Apply SED based on Role</label>
  <init>
    <set token="tokApplySedOnEmail">rex field=email mode=sed "s/([^\@]+)(\@.*)/XXXX\2/g"</set>
    <set token="tokRole">user</set>
  </init>
  <!-- Independent Query to find logged in User Role and set tokens accordingly -->
 <search id="baseUserRolesRESTSearch">
   <query>| rest splunk_server=local /services/authentication/current-context 
| table roles
| search roles="admin"
     </query>
     <done>
       <!-- For Non-Admin SED should be used to anonymize email -->
       <condition match="$job.resultCount$==0">
         <set token="tokApplySedOnEmail">rex field=email mode=sed "s/([^\@]+)(\@.*)/XXXX\2/g"</set>
         <set token="tokRole">user</set>
       </condition>
       <!-- For Admin no SED-->
       <condition>
         <!-- comment() macro creates a comment in SPL. Refer to documentation https://docs.splunk.com/Documentation/Splunk/latest/Search/Addcommentstosearches#Using_the_comment_m....
         PS: If comment macro has not been created/made global in the Search app in Splunk, this macro will throw permission error.-->
         <set token="tokApplySedOnEmail">`comment("DO NOT MASK EMAIL")`</set>
         <set token="tokRole">admin</set>
       </condition>
   </done>
 </search>
  <row>
    <panel>
      <title>Email Address Based On Role</title>
      <table>
        <title>$tokRole$ - $tokApplySedOnEmail$</title>
        <search>
          <query>| makeresults
| eval email="someone@somwhere.com"
| $tokApplySedOnEmail$</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</dashboard>

PS: I have tested the code by changing independent search filter from | search roles="admin" to | search NOT roles="admin". However, the same should be tested with two different roles and role name should be as per your need.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

martin_mueller
SplunkTrust
SplunkTrust

That's a nice UI gimmick, but it's not secure. Anyone could run a different search and see the whole data.

venkatpotru
New Member

Thanks for the inputs @niketnilay and @martin_mueller

0 Karma

venkatpotru
New Member

Is there a better option in 7.1.1? or in 7.1.1 also, only solution is to set up two indexes for same field, one with masked data and other with unmasked data, each with different role access?

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

If you want security for your data and individual searching, different indexes is the way to go. If you just want a dashboard to look nice without actual security you can go niket's way. If you want low privilege users to get a limited view into high privilege data you can give them prepared saved searches that run as a higher privilege owner.

martin_mueller
SplunkTrust
SplunkTrust

I don't think there's any way of forcing role-based searchtime data masking. Thinking about the search performance implications, there would be endless pitfalls.

You can however make indextime masking convenient for role-based use. Say you have two roles, myusers and myusers_masked. Set up pairs of indexes called myindex and myindex_masked, and set visibilities by roles accordingly. Index cleartext data into one index, masked data into the other. Make all searches refer to the indexes by index=myindex* rather than specifying one or the other explicitly. Then, whenever a user runs such a search, he will be provided with cleartext or masked data according to his role.

0 Karma

salem34
Path Finder

Im just wondering whether there is still no way to do that at search time in splunk 6.6x - having 20gb of daily logs to anonymize makes the double index path quite painful when it comes to license fees. I start playing around with collect command searches to write out the masked raw data to a summary index but i dont think that this solution is very stable as you have to build a mechanism to avoid duplicates and guarantee ongoing events.
Any other ideas?

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

That could be a concern if you're the one paying for the license, yeah... have you considered using clever summary indexing after the first indexing rather than cloning before the first indexing?

krish3
Contributor

Hi martin,

I agree with your point but what my concern is indexing same data twice might need us to pay more for license.. 🙂

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...