Security

Restrict a user's ability to write to indexes

w531t4
Path Finder

All - A user brought an issue to my attention today that I can't find a solution to. This user currently has the need to search through hypothetical index=a and index=b. He showed me that he could use the following command to write results to index=a or index=b:

index=b whateverfilter=true | head 2 | collect index=a marker="report=testing123" testmode=false

I have confirmed his write to the index to be successful. Although I'm able to easily identify the events he wrote to the index by searching for sourcetype=stash, the fact that he can write to the index is a pretty big no-no for us.

One post (http://answers.splunk.com/answers/7565/summary-index-question) suggested using local.meta to limit reads/writes to the index, however it doesn't appear to work.

Does anyone know how I can restrict a user's ability to write events to an index?

Update: The user who brought this to my attention has the equivalent permissions to the default 'User' role.
Update 2: I'm running Splunk Enterprise 5.0.6
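An audit search for the scenario described above, added here as an example and not part of the original thread. It assumes the standard fields of the _audit index (user, search, action, info) and reports who ran a search containing collect and which index they targeted:

```spl
index=_audit action=search info=completed earliest=-24h
| search search="*| collect*" OR search="*|collect*"
| rex field=search "collect\s+index\s*=\s*(?<target_index>\S+)"
| stats count min(_time) AS first_seen max(_time) AS last_seen BY user target_index
| sort - count
```

Pairing this with a search over sourcetype=stash (as noted above) lets you match the audit record to the events that actually landed in the index.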

alanden_splunk
Splunk Employee

Do not give the [capability::indexes_edit] permission in authorize.conf

0 Karma

sbrant_splunk
Splunk Employee

"indexes_edit" is for the ability to modify the properties of the index. It doesn't change the ability to write data to an index.

from the docs at http://docs.splunk.com/Documentation/Splunk/7.1.1/Security/Rolesandcapabilities

"indexes_edit Lets the user change any index settings such as file size and memory limits. "

0 Karma

alanden_splunk
Splunk Employee

Normally, that is my instinct as well, but I can tell you that only a few hours ago I saw a user account for a customer denied permission to use the collect command until after the customer reported giving the indexes_edit capability. After which time, the collect command worked perfectly. So I can report that after the customer reported giving that capability and doing nothing else, I saw the collect command become functional for the user. I will verify that I understood their report correctly, but I am 99% sure at this point.

0 Karma

splunkIT
Splunk Employee

There is currently an outstanding ER for it:
SPL-133287: ability to specify an index as read-only

0 Karma

yannK
Splunk Employee

I confirm, I tested and the permission changes on [commands/pycollect] or [commands/collect] are not preventing a user from using the command.
Adding an option to disable this command will be a new feature request.

yannK
Splunk Employee

There are 2 methods to write in a summary index:

  • search with the " | collect" command
    • quick method to disable the collect: change the permissions on the "collect" command, to allow only power or admin roles to use it, [EDIT] first method not working
  • scheduled search with the option "summary"

w531t4
Path Finder

'collect' is not listed as a search command in the search app. There's pycollect and pystash. I've made those read/write admin only and I'm still able to use the collect command as an under-privileged user

yannK
Splunk Employee

In the UI go to Settings > Advanced search > Search commands,
filter for the search app, and search for "collect",
then change permissions based on role.

0 Karma

w531t4
Path Finder

I like your comment about disabling collect. How is this done?
