splunk / splunk-operator

Splunk Operator for Kubernetes
Other
210 stars 115 forks source link

Splunk Operator: password appears in process table #1320

Open freedge opened 7 months ago

freedge commented 7 months ago

Please select the type of request

Bug

Tell us more

Describe the request code such as https://github.com/splunk/splunk-operator/blob/dafc9d3dbbd45fff7322daa13550af35527ef921/pkg/splunk/enterprise/searchheadcluster.go#L368 executes a process with a password given as argument. The password appears in the process table and is recorded by auditing tools

Expected behavior processes should not be forked with a password as argument

Splunk setup on K8S

Reproduction/Testing steps

K8s environment

Proposed changes(optional)

K8s collector data(optional)

Additional context(optional)

Logs as captured by stackrox

splunk cmd splunkd rest --noauth POST /services/admin/users/admin password=...
splunkd rest --noauth POST /services/admin/users/admin password=...
akondur commented 6 months ago

Hi @freedge , we are currently assessing all possible solutions. Is a password change via REST API an acceptable solution?

freedge commented 6 months ago

if you mean replacing the spawning of a process that is called with a password given as argument (and a possible command injection if the user provided password contains a ' ?) by some go code that calls the same API, then yes it fixes the problem. Though it would be probably a good idea for users to also have a way to securely call the api with "splunk cmd splunkd rest" in a secure fashion, so maybe the password can be provided from a file or from stdin (something like supporting reading the parameters from a file given after a @ symbol, etc.) It would be great also to warn users that, if they use this splunk cmd as documented (or curl -u as documented in the page you link), there is a security issue with the command (such as for example, curl does:)

On systems where it works, curl hides the given option argument from process listings. This is not enough to protect credentials from possibly getting seen by other users on the same system as they still are visible for a moment before cleared. Such sensitive data should be retrieved from a file instead or similar and never used in clear text in a command line.