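Security Operations -- Least Privilege for the Splunk REST API
0x00 Background
The principle of least privilege: assign each function and each account only the minimum permissions it needs.
0x01 Practice
Only 7 capabilities are needed: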
You'll need to add certain capabilities to that user or that user's role(s).
[capability::rest_apps_management]
* Lets a user edit settings for entries and categories in the Python remote
apps handler.
* See restmap.conf.spec for more information.
[capability::rest_apps_view]
* Lets a user list various properties in the Python remote apps handler.
* See restmap.conf.spec for more info
[capability::rest_properties_get]
* Lets a user get information from the services/properties endpoint.
[capability::rest_properties_set]
* Lets a user edit the services/properties endpoint.
[capability::rest_access_server_endpoints]
* Lets a user run the 'rest' command and access 'services/server/' endpoints.
[capability::dispatch_rest_to_indexers]
* Lets a user dispatch the REST search command to indexers.
[capability::search]
* Lets a user run a search.
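One way to check that a role grants exactly these seven capabilities, including anything it inherits through importRoles. This is an added example, not code from the original post or from Splunk; the role names and the sample authorize.conf content are constructed for illustration.

```python
REQUIRED = {
    "rest_apps_management", "rest_apps_view", "rest_properties_get",
    "rest_properties_set", "rest_access_server_endpoints",
    "dispatch_rest_to_indexers", "search",
}

# Constructed sample authorize.conf; all role names are hypothetical.
SAMPLE_CONF = "[role_rest_api_min]\n" + "".join(
    f"{cap} = enabled\n" for cap in sorted(REQUIRED)
) + """
[role_rest_api_loose]
importRoles = rest_api_min;helper
edit_user = enabled

[role_helper]
srchIndexesAllowed = main
schedule_search = enabled
"""

def parse_roles(text):
    """Map role name -> (enabled capabilities, imported role names)."""
    roles, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1]
            current = roles.setdefault(name[5:], (set(), [])) if name.startswith("role_") else None
        elif current is not None and "=" in line and not line.startswith("#"):
            key, value = (part.strip() for part in line.split("=", 1))
            if key == "importRoles":  # semicolon-separated parent roles
                current[1].extend(r.strip() for r in value.split(";") if r.strip())
            elif value.lower() == "enabled":  # other settings are not capabilities
                current[0].add(key)
    return roles

def effective_caps(roles, role, seen=None):
    """Capabilities of a role including everything inherited via importRoles."""
    seen = set() if seen is None else seen
    if role in seen or role not in roles:  # guards against import cycles
        return set()
    seen.add(role)
    caps, parents = roles[role]
    return set(caps).union(*(effective_caps(roles, p, seen) for p in parents))

def audit(text, role):
    caps = effective_caps(parse_roles(text), role)
    return {"missing": sorted(REQUIRED - caps), "excess": sorted(caps - REQUIRED)}

if __name__ == "__main__":
    print({r: audit(SAMPLE_CONF, r) for r in ("rest_api_min", "rest_api_loose")})
```

An empty "excess" list means the role carries nothing beyond the seven capabilities; any entry there is a grant to review, whether set directly or inherited from an imported role.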
0x02 Reference
https://docs.splunk.com/Documentation/Splunk/latest/admin/authorizeconf
restmap.conf - Splunk Documentation