Splunk® Enterprise

Securing Splunk Enterprise

Splunk Enterprise version 9.0 will no longer be supported as of June 14, 2024. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.

SPL safeguards for risky commands

The Splunk platform contains search processing language (SPL) safeguards to warn you when you might unknowingly run a search in Splunk Web that has commands that might be either a security or a performance risk. If a search command that Splunk classifies as risky triggers the safeguard, a warning dialog box appears to provide extra context for review, as well as the option to accept the risk and run the query anyway.

In the Search app, the warning dialog box appears when you click a link or type a URL that loads a search which contains risky commands. In dashboards, the warning dialog box appears automatically unless an input or visualization contains a search with a risky command. In this case, you must click the error icon to invoke the warning. The warning does not appear when you create ad hoc searches.

This warning alerts you to the possibility of either a significant impact to performance or unauthorized actions by a malicious user. Unauthorized actions include:

  • Copying or transferring data, a practice known as data exfiltration
  • Deleting data
  • Overwriting data

A possible scenario when this might occur in the Search app involves a malicious person creating a search that includes commands that exfiltrate or destroy data. The malicious person then sends an unsuspecting user a link to the search. The URL contains a query string (q) and a search identifier (sid), but the sid is not valid. The malicious person hopes the user will use the link, and the search will run.

A potential scenario in a dashboard might involve a malicious person creating or editing a dashboard to include searches that contain commands that exfiltrate or destroy data. The malicious person can then send an unsuspecting user a link to the corrupted dashboard and wait for the user to load the dashboard which runs the searches with the risky commands.

Some search commands do not pose security risks, but Splunk includes them in the list of risky commands because of their impact on performance. The rules are the same. When a search contains the risky command, the Splunk platform raises a warning to advise of the potential performance effects of the command.

Commands that trigger SPL safeguards

Here is the list of search commands in that are classified as risky. Splunk considers these commands risky because, if used incorrectly, they can pose a security risk or you can potentially lose data by running the commands.

New capabilities can limit access to some custom and potentially risky commands

In versions 8.2.2107 and higher of Splunk Cloud Platform and 9.0.0 and higher of Splunk Enterprise, new capabilities have been added that, in certain cases, you must grant explicitly to be able to run custom and potentially risky commands. The "user" and "power" roles receive the capabilities automatically, but if you are a user that does not hold one of these roles either directly or through a role inheritance, you must assign the capabilities to roles that the user does hold. The following table shows the new capabilities and the actions that they grant:

Capability What it lets you do
run_sendalert Lets users run the sendalert command
run_dump Lets users run the dump command
run_custom_command Lets users run any custom search command. For more information on custom commands, see Create custom search commands for apps in Splunk Cloud Platform or Splunk Enterprise on the Splunk Developer Portal.

For the full list of capabilities, see Define roles on the Splunk platform with capabilities.

Actions in the warning dialog box

Instead of running the search immediately, the Splunk platform analyzes the search or dashboard for risky commands. If the platform identifies one or more risky commands in a search, a warning dialog box appears. If the platform identifies one or more risky commands in a dashboard, the warning appears automatically, or you must click the error icon to invoke the dialog box.

Search

With the Search warning dialog box, you have the option to cancel, run, or investigate the search.

Cancel
Closes the warning dialog box. The search does not run and Splunk Web removes the search from the Search bar. If you close the dialog box by clicking the Close button (X), it is the same action as clicking Cancel.
Run
Runs the search. The Splunk platform runs any risky commands in the search because you authorized it. You can't undo this action.
Investigate
Displays the search in the Search bar so that you can review the SPL. Use this option to copy the syntax of the search. Send a copy of the search, along with any information about the source of the link, to your system administrator.

Dashboards

The Dashboards warning dialog box prompts you to accept or reject the risk of running the query with the risky command. The workflow of the dialog box depends on what dashboard component connects to the search that triggers the safeguard.

  • Inputs and visualizations with risky commands do not run automatically. You must click the error icon to invoke the warning modal to run the search.
  • Risky searches that are not associated with inputs or visualizations will automatically display the warning dialog box.

With the Dashboards warning dialog box, you have the option to cancel or run the search.

Cancel
Closes the warning dialog box. The search does not run.
Run Query Anyway
Runs the search. The Splunk platform runs any risky commands in the search because you authorized it. You can't undo this action.

Risky chained searches

If the Splunk platform identifies a risky command within a chained search, you must resolve each chained search that extends the risky command, even if only one of the searches within the chain contains a risk.

For example, a chain search has a safe base search, but one risky search out of two:

base search + risky chain search 1 + chain search 2

Although only risky chain search 1 poses a risk, chain search 2 also triggers a warning dialog box because it extends the risk of risky chain search 1. In this scenario, you can safely run chain search 2 to reach the warning dialog box for risky chain search 1 and decide to run or cancel risky chain search 1.

For more details about chained searches, see Create a chain search.

Deactivate SPL safeguards

You can deactivate SPL safeguards, if necessary, to prevent the "risky search" warning from appearing when you run searches that the Splunk Platform classifies as risky. When you deactivate SPL safeguards, the Splunk platform runs searches that contain risky commands and does not alert you to the fact that the commands in the search are risky. This can potentially cause problems with search performance. You can turn off the warning for a specific command, or for all of the risky commands.

Deactivate SPL safeguards on Splunk Cloud Platform

On Splunk Cloud Platform, if you want to deactivate SPL safeguards, use the Splunk Support portal to open a support case.

Deactivate SPL safeguards on Splunk Enterprise

On Splunk Enterprise only, you can disable SPL safeguards by modifying configuration files. The web.conf and commands.conf configuration files control whether or not the safeguards are active. You can edit these files to disable the risky SPL command warning dialog box. The configuration file that you use depends on the type of command for which you want to disable safeguards.

It is not possible to use Splunk Web to disable SPL safeguards.

Deactivate SPL safeguards on Splunk Enterprise for all commands

Use the following procedure when you want to disable SPL safeguards entirely.

  1. Use a text editor to open the web.conf configuration file located in the $SPLUNK_HOME/etc/system/default directory.
  2. Find the command check settings within the web.conf configuration file and copy the setting stanza.
    1. For the Search page, find the enable_risky_command_check setting stanza.
    2. For dashboards, find the enable_risky_command_check_dashboard setting stanza.
  3. Locate and open the $SPLUNK_HOME/etc/system/local/web.conf configuration file. If this file does not exist, create it.
  4. If you had to create the configuration file in the previous step, add the [settings] stanza header as the first line of the file.
  5. Paste the copied setting stanza into the $SPLUNK_HOME/etc/system/local/web.conf file.
  6. Change the enable_risky_command_check or enable_risky_command_check_dashboard setting values from true to false:
    1. For the Search page, setting the value to false disables SPL safeguards for all searches in the deployment. If you've set the Search page to false, and dashboards remain true, SPL safeguards are still active on the dashboards but are not active on the Search page.
    2. For dashboards, setting the value to false turns off the warning for all dashboards in the deployment. If you've set dashboards to false, and the Search page remains true, SPL safeguards are still active on the Search page but are not active on the dashboards.
  7. Save the web.conf file and close it.
  8. Restart Splunk Enterprise.

Deactivate SPL safeguards on Splunk Enterprise for a specific built-in command

If you have to disable SPL safeguards, it is more secure to turn off the warnings for a subset of commands than it is for all commands.

Use this procedure when you want to disable SPL safeguards for one or more specific built-in commands. For commands that Splunk has designated as risky, this is the only option to deactivate the built-in commands individually.

You can deactivate built-in commands either in the global context, or within the context of an app.

  1. Open the $SPLUNK_HOME/etc/system/local/commands.conf configuration file for editing. If this file does not exist, create it.
  2. Add a stanza for the command for which you want to deactivate SPL safeguards.
  3. On the next line beneath this stanza, add the line is_risky = false. For example, if you wanted to disable SPL safeguards for the outputlookup file, your entry looks like the following:
    [outputlookup]
    is_risky = false
    
  4. Save the commands.conf configuration file and close it.
  5. Restart Splunk Enterprise.

Deactivate SPL safeguards on Splunk Enterprise for a custom command that uses Python

Some custom search commands use the Python language to complete their tasks, and usually exist within the context of an app. These custom commands use a slightly different process to disable SPL safeguards.

  1. Open the $SPLUNK_HOME/etc/apps/<app name>/local/commands.conf configuration file for editing. If this file does not exist, create it.
  2. Add a stanza for the command for which you want to deactivate SPL safeguards.
  3. On the next line beneath this stanza, add the line is_risky = false. For example, if you wanted to disable SPL safeguards for the runshellscript file, your entry looks like the following:
    [runshellscript]
    is_risky = false
    
  4. Save the commands.conf configuration file and close it.
  5. Restart Splunk Enterprise.

See also

In the Splunk Enterprise Admin Manual:

About configuration files
The commands.conf configuration file specification
The web.conf configuration file specification
How to edit a configuration file
Last modified on 10 February, 2023
Manage data integrity   Some best practices for your servers and operating system

This documentation applies to the following versions of Splunk® Enterprise: 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.3.0, 9.3.1


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters