Splunk Operator: password appears in process table #1320

Open
freedge opened this issue Apr 12, 2024 · 2 comments
Labels: enhancement, spike-2.8

Comments


freedge commented Apr 12, 2024

Please select the type of request

Bug

Tell us more

Describe the request
Code such as

command := fmt.Sprintf("/opt/splunk/bin/splunk cmd splunkd rest --noauth POST /services/admin/users/admin 'password=%s'", nsAdminSecret)

executes a process with a password given as argument. The password appears in the process table and is recorded by auditing tools.

Expected behavior
Processes should not be forked with a password as argument.

Splunk setup on K8S

  • Details of the Splunk setup on the K8s cluster.

Reproduction/Testing steps

  • Steps to reproduce the bug. For an enhancement or feature request, please provide steps to test.

K8s environment

  • Useful information about the K8S environment being used, e.g. version of K8s, kind of K8s cluster, etc.

Proposed changes(optional)

  • Proposed change, if any.

K8s collector data(optional)

Additional context(optional)

Logs as captured by stackrox

splunk cmd splunkd rest --noauth POST /services/admin/users/admin password=...
splunkd rest --noauth POST /services/admin/users/admin password=...
akondur added the enhancement label Apr 29, 2024

akondur (Collaborator) commented Apr 29, 2024

Hi @freedge, we are currently assessing all possible solutions. Is a password change via REST API an acceptable solution?

freedge (Author) commented Apr 29, 2024

If you mean replacing the spawning of a process that is called with a password given as argument (and a possible command injection if the user-provided password contains a ' ?) by some Go code that calls the same API, then yes, it fixes the problem.
Though it would probably be a good idea for users to also have a way to securely call the API with "splunk cmd splunkd rest" in a secure fashion, so maybe the password can be provided from a file or from stdin (something like supporting reading the parameters from a file given after a @ symbol, etc.).
It would also be great to warn users that, if they use this splunk cmd as documented (or curl -u as documented in the page you link), there is a security issue with the command (as, for example, curl does):

On systems where it works, curl hides the given option argument from process listings. This is not enough to protect credentials from possibly getting seen by other users on the same system as they still are visible for a moment before cleared. Such sensitive data should be retrieved from a file instead or similar and never used in clear text in a command line.
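The fix direction discussed in this thread, as an added example that is not the operator's own code: the command string from the issue next to a Go call that sends the same parameter in an HTTP POST body, so no process is spawned and no shell quoting is involved. The function names, the base URL and the local stand-in server are assumptions; TLS and authentication to a real management endpoint are left out.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// legacyCommand is the pattern quoted in the issue: the secret ends up in argv.
func legacyCommand(secret string) string {
	return fmt.Sprintf("/opt/splunk/bin/splunk cmd splunkd rest --noauth POST /services/admin/users/admin 'password=%s'", secret)
}

// setAdminPassword sends the secret in a form-encoded POST body instead.
// PostForm escapes quotes, '&' and '=' in the value; baseURL is an assumption.
func setAdminPassword(c *http.Client, baseURL, secret string) error {
	resp, err := c.PostForm(baseURL+"/services/admin/users/admin", url.Values{"password": {secret}})
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode/100 != 2 {
		return fmt.Errorf("password update failed: %s", resp.Status)
	}
	return nil
}

// roundTrip calls setAdminPassword against a local stand-in server and returns
// the request URI and the password value the server decoded from the body.
func roundTrip(secret string) (uri, got string, err error) {
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		uri, got = r.RequestURI, r.PostFormValue("password")
	}))
	defer srv.Close()
	err = setAdminPassword(srv.Client(), srv.URL, secret)
	return uri, got, err
}

func main() {
	const secret = "constructed'pw&x=1" // constructed sample value, not a real credential
	uri, got, err := roundTrip(secret)
	fmt.Println("argv form:", legacyCommand(secret))
	fmt.Println("HTTP form:", uri, got == secret, err)
}
```
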
