I'd tried to get this fixed previously but it hasn't been, so I'm posting this here to get it some visibility.
There is an inadvertent security issue included with this app. The issue is that users can see ALL data across every index by default! It bypasses all your local authorize settings.
By default the expected installation behaviour would be that you install the app and then add the DB Connect roles (i.e. db_connect_user) to your existing authorize role definitions so users can use it.
If you do not review the default ones included with this app, your users will be able to access more indexes than you actually expect.
splunk_app_db_connect/default/authorize.conf contains the following:
[role_db_connect_user]
importRoles=user
By default the splunk user role (/opt/splunk/etc/default/authorize.conf) has "srchIndexesAllowed = *".
The thing I didn't know was that even if you have a local/authorize.conf with a different importRoles line, it does NOT replace the existing default one; rather, the imported roles are joined together.
This means that to remove this security issue you need to make sure that the line "importRoles=user" does NOT appear in ANY file within the app.
The fix is to just comment out the importRoles line in splunk_app_db_connect/default/authorize.conf.
!!!DO NOT CREATE AND EDIT A LOCAL ONE AS IT WILL NOT FIX IT!!!
The thing to remember is that this issue will recur EVERY TIME you upgrade this app, so the fix needs to be reapplied after every upgrade.
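The procedure above (audit every authorize.conf inside the app for an active importRoles line, comment it out, and repeat after each upgrade) as an added example script. This is not code from the original post or from the DB Connect app; the install path /opt/splunk/etc/apps/splunk_app_db_connect is an assumption, and the fixture files, the second importRoles line in local/ and the index name dbx_demo are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the original post or of the DB Connect app:
# audit a Splunk app directory for authorize.conf files that still carry an
# active (uncommented) importRoles line, and comment those lines out so the
# role no longer inherits the "user" role's srchIndexesAllowed = *.
# Assumed install path for real use: /opt/splunk/etc/apps/splunk_app_db_connect

# Matches "importRoles=user", "importRoles = user", etc. but not "# importRoles=..."
IMPORT_ROLES_RE='^[[:space:]]*importRoles[[:space:]]*='

# Print every active importRoles line (file:line:text) found in any authorize.conf
# under the app directory $1.  Returns 1 if any were found, 0 if the app is clean.
find_active_import_roles() {
    _hits=$(find "$1" -name authorize.conf -exec grep -nH "$IMPORT_ROLES_RE" {} \; 2>/dev/null)
    if [ -n "$_hits" ]; then
        printf '%s\n' "$_hits"
        return 1
    fi
    return 0
}

# Comment out every active importRoles line in every authorize.conf under $1,
# keeping a .bak copy of each file touched.  Covers default/ as well as local/,
# because the line must not survive in ANY file within the app.
comment_out_import_roles() {
    find "$1" -name authorize.conf 2>/dev/null | while IFS= read -r _f; do
        cp -p "$_f" "$_f.bak"
        _tmp="$_f.tmp.$$"
        sed 's/^\([[:space:]]*\)\(importRoles[[:space:]]*=\)/\1# \2/' "$_f" > "$_tmp" \
            && mv "$_tmp" "$_f"
    done
}

# Constructed fixture (not real app content): a throwaway tree shaped like
# splunk_app_db_connect, with the shipped default stanza plus a local copy that
# someone edited, which does not override the default one.
make_fixture() {
    _dir=$(mktemp -d)
    mkdir -p "$_dir/default" "$_dir/local"
    printf '[role_db_connect_user]\nimportRoles=user\n' > "$_dir/default/authorize.conf"
    printf '[role_db_connect_user]\nimportRoles = user\nsrchIndexesAllowed = dbx_demo\n' \
        > "$_dir/local/authorize.conf"
    printf '%s\n' "$_dir"
}

# Stand-alone demo on the fixture.  For a real install run the two functions
# against the app directory itself and re-run the audit after every upgrade.
demo() {
    _app=$(make_fixture)
    echo "== before fix =="
    find_active_import_roles "$_app" || echo "-> active importRoles lines found, fixing"
    comment_out_import_roles "$_app"
    echo "== after fix =="
    find_active_import_roles "$_app" && echo "-> no active importRoles lines left"
    rm -rf "$_app"
}
demo
```

The audit only matches uncommented lines, so a file that already has "# importRoles=user" is reported as clean; the fix rewrites through a temp file rather than sed -i so it behaves the same on GNU and BSD sed.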