Splunk Operator: password appears in process table

[freedge]

Please select the type of request

Bug

Tell us more

Describe the request code such as https://github.com/splunk/splunk-operator/blob/dafc9d3dbbd45fff7322daa13550af35527ef921/pkg/splunk/enterprise/searchheadcluster.go#L368 executes a process with a password given as argument. The password appears in the process table and is recorded by auditing tools

Expected behavior processes should not be forked with a password as argument

Splunk setup on K8S

• Details of the Splunk setup on the K8s cluster.

Reproduction/Testing steps

• Steps to reproduce the bug. For an enhancement or feature request, please provide steps to test.

K8s environment

• Useful information about the K8S environment being used. Eg. version of K8s, kind of K8s cluster etc..

Proposed changes(optional)

• Proposed change, if any.

K8s collector data(optional)

• Please provide data collected from the K8s collectors, if any.

Additional context(optional)

Logs as captured by stackrox

splunk cmd splunkd rest --noauth POST /services/admin/users/admin password=...
splunkd rest --noauth POST /services/admin/users/admin password=...

[akondur]

Hi @freedge , we are currently assessing all possible solutions. Is a password change via REST API an acceptable solution?

[freedge]

if you mean replacing the spawning of a process that is called with a password given as argument (and a possible command injection if the user provided password contains a ' ?) by some go code that calls the same API, then yes it fixes the problem. Though it would be probably a good idea for users to also have a way to securely call the api with "splunk cmd splunkd rest" in a secure fashion, so maybe the password can be provided from a file or from stdin (something like supporting reading the parameters from a file given after a @ symbol, etc.) It would be great also to warn users that, if they use this splunk cmd as documented (or curl -u as documented in the page you link), there is a security issue with the command (such as for example, curl does:)

On systems where it works, curl hides the given option argument from process listings. This is not enough to protect credentials from possibly getting seen by other users on the same system as they still are visible for a moment before cleared. Such sensitive data should be retrieved from a file instead or similar and never used in clear text in a command line.