Security

PCI application permissions

jambajuice
Communicator

The PCI application searches seem to have the permissions for all of the searches and views set to global. What config file(s) do I have to modify to restrict them to the PCI app? Doing it thru the GUI will take forever

Thx.

Tags (2)

Lionel
Splunk Employee
Splunk Employee

It is currently not possible to do that.

For PCI Suite, all the Apps need to appear at the Global level and changing this will negatively affect the PCIComplianceSuite (which is acting as Master Apps).

You could set up two different instances (if you are OK with splitting your data) or two different Search Heads (if you want to keep your data centralized) , one for all logs and one for PCI logs.

jambajuice
Communicator

So in the default.meta for one of those apps, is it not possible to change the "export = system" to something like "export = PCIComplianceSuite"? Is it possible to export the app to anything other than system?

0 Karma

gkanapathy
Splunk Employee
Splunk Employee

They are in the app's metadata\*.meta files.

0 Karma

jambajuice
Communicator

The PCI App is broken up into a dozen or so applications and the data is summarized and presented through the PCIComplianceSuite application. How can I modify the default.meta file to stop all of the searches and views from appearing in every application without breaking the PCIComplianceSuite app? Otherwise it's going to take a lifetime to do make those changes on a search by search basis.

0 Karma

jambajuice
Communicator

When I modify permissions for some searches in the GUI, the local.meta looks like this:

[savedsearches/PCI%201.1.1%20-%20Detect%20Changes%20-%20Firewall%20and%20Router]
access = read : [ * ], write : [ admin ]
export = none
owner = nobody

[savedsearches/PCI%201.1.1%20-%20Detect%20Changes%20-%20Firewall%20and%20Router%20-%20Summary%20Gen]
access = read : [ * ], write : [ admin ]
export = none
owner = nobody

[savedsearches/PCI%201.1.5%20-%20Trend%20Blocked%20Communication%20-%20Summary%20Gen]
access = read : [ * ], write : [ admin ]
export = none
owner = nobody

0 Karma

jambajuice
Communicator

Here is what I see in the PCI app as an example.

In the PCI-Requirement1 folder, there is a default.meta and a local.meta file.

The default.meta looks like this:

[/nobody/PCI-Requirement1]
access = read : [ * ], write : [ admin ]
export = system

[/nobody/PCI-Requirement1/eventtypes]
export = system

[/nobody/PCI-Requirement1/indexes]
export = system

[/nobody/PCI-Requirement1/prefs]
export = system

[/nobody/PCI-Requirement1/props]
export = system

[/nobody/PCI-Requirement1/savedsearches]
export = system

[/nobody/PCI-Requirement1/tags]
export = system

[/nobody/PCI-Requirement1/transforms

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...