You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

430 lines
13 KiB

5 months ago
# Version 9.2.2.20240415
# DO NOT EDIT THIS FILE!
# Changes to default files will be lost on update and are difficult to
# manage and support.
#
# Please make any changes to system defaults by overriding them in
# apps or $SPLUNK_HOME/etc/system/local
# (See "Configuration file precedence" in the web documentation).
#
# To override a specific setting, copy the name of the stanza and
# setting to the file where you wish to override it.
#
# commented out capabilities that are registered by their own components.
# leaving here for educational purposes.
# This file creates roles and sets granular access controls.
# These stanzas list all the capabilities in the system
[capability::accelerate_datamodel]
[capability::admin_all_objects]
[capability::edit_own_objects]
[capability::edit_tokens_settings]
[capability::change_authentication]
[capability::change_audit]
[capability::change_own_password]
[capability::edit_storage_passwords]
[capability::list_storage_passwords]
[capability::delete_by_keyword]
[capability::edit_bookmarks_mc]
[capability::edit_deployment_client]
[capability::list_deployment_client]
[capability::edit_deployment_server]
[capability::list_deployment_server]
[capability::edit_cmd]
[capability::edit_upload_and_index]
[capability::edit_tcp_stream]
[capability::list_dist_peer]
[capability::edit_dist_peer]
[capability::edit_forwarders]
[capability::edit_indexerdiscovery]
[capability::edit_httpauths]
[capability::edit_indexer_cluster]
[capability::edit_input_defaults]
[capability::install_apps]
[capability::edit_local_apps]
[capability::edit_authentication_extensions]
[capability::edit_monitor]
[capability::edit_restmap]
[capability::edit_roles]
[capability::edit_roles_grantable]
[capability::edit_scripted]
[capability::edit_search_server]
[capability::edit_search_head_clustering]
[capability::edit_search_concurrency_all]
[capability::edit_search_concurrency_scheduled]
[capability::edit_search_scheduler]
[capability::edit_search_schedule_priority]
[capability::edit_search_schedule_window]
[capability::list_pipeline_sets]
[capability::list_search_scheduler]
[capability::list_introspection]
[capability::list_settings]
[capability::list_metrics_catalog]
[capability::edit_tokens_all]
[capability::edit_tokens_own]
[capability::list_tokens_own]
[capability::list_tokens_scs]
[capability::edit_server]
[capability::edit_user_seed]
[capability::edit_field_filter]
[capability::view_field_filter]
[capability::edit_sourcetypes]
[capability::edit_splunktcp]
[capability::edit_splunktcp_ssl]
[capability::edit_splunktcp_token]
[capability::edit_statsd_transforms]
[capability::edit_metric_schema]
[capability::edit_tcp]
[capability::edit_udp]
[capability::edit_telemetry_settings]
[capability::edit_user]
[capability::list_all_users]
[capability::list_all_roles]
[capability::edit_view_html]
[capability::edit_web_settings]
[capability::get_metadata]
[capability::get_typeahead]
[capability::get_diag]
[capability::indexes_edit]
[capability::input_file]
[capability::license_edit]
[capability::license_read]
[capability::license_tab]
[capability::license_view_warnings]
[capability::list_all_objects]
[capability::list_forwarders]
[capability::list_indexerdiscovery]
[capability::list_httpauths]
[capability::list_indexer_cluster]
[capability::list_inputs]
[capability::list_search_head_clustering]
[capability::output_file]
[capability::request_remote_tok]
[capability::rest_apps_management]
[capability::rest_apps_view]
[capability::rest_properties_get]
[capability::rest_properties_set]
[capability::restart_splunkd]
[capability::restart_reason]
[capability::rtsearch]
[capability::run_commands_ignoring_field_filter]
[capability::run_debug_commands]
[capability::run_walklex]
[capability::schedule_search]
[capability::metric_alerts]
[capability::schedule_rtsearch]
[capability::search]
[capability::accelerate_search]
[capability::list_accelerate_search]
[capability::embed_report]
[capability::pattern_detect]
[capability::list_token_http]
[capability::edit_token_http]
[capability::web_debug]
[capability::export_results_is_visible]
[capability::edit_server_crl]
[capability::search_process_config_refresh]
[capability::dispatch_rest_to_indexers]
[capability::refresh_application_licenses]
[capability::edit_encryption_key_provider]
[capability::never_lockout]
[capability::never_expire]
[capability::list_health]
[capability::list_health_subset]
[capability::edit_health]
[capability::edit_health_subset]
[capability::request_pstacks]
[capability::edit_watchdog]
[capability::list_workload_pools]
[capability::edit_workload_pools]
[capability::select_workload_pools]
[capability::list_workload_rules]
[capability::edit_workload_rules]
[capability::list_workload_policy]
[capability::edit_workload_policy]
[capability::run_collect]
[capability::run_mcollect]
[capability::list_tokens_all]
[capability::upload_lookup_files]
[capability::upload_mmdb_files]
[capability::create_external_lookup]
[capability::edit_external_lookup]
[capability::apps_restore]
[capability::apps_backup]
[capability::edit_metrics_rollup]
[capability::list_cascading_plans]
[capability::list_remote_output_queue]
[capability::list_remote_input_queue]
[capability::run_msearch]
[capability::delete_messages]
[capability::edit_log_alert_event]
[capability::edit_global_banner]
[capability::fsh_manage]
[capability::fsh_search]
[capability::edit_kvstore]
[capability::use_remote_proxy]
[capability::edit_manager_xml]
[capability::run_dump]
[capability::run_sendalert]
[capability::run_custom_command]
[capability::list_ingest_rulesets]
[capability::edit_ingest_rulesets]
[capability::capture_ingest_events]
[capability::merge_buckets]
[capability::read_internal_libraries_settings]
[capability::edit_web_features]
[capability::rest_access_server_endpoints]
[capability::edit_certificates]
[capability::list_certificates]
[capability::edit_spl2_permissions]
################################################################
################################################################
[default]
# ==== Subsumed roles ====
# ==== Capabilities ====
schedule_rtsearch = enabled
run_collect = enabled
run_mcollect = enabled
edit_own_objects = enabled
list_all_objects = enabled
# ==== Other settings ====
srchDiskQuota = 100
srchJobsQuota = 3
rtSrchJobsQuota = 6
srchMaxTime = 100days
cumulativeSrchJobsQuota = 50
cumulativeRTSrchJobsQuota = 100
srchFilterSelecting = true
################################################################
################################################################
[role_user]
# ==== Subsumed roles ====
# ==== Capabilities ====
change_own_password = enabled
edit_search_schedule_window = enabled
get_metadata = enabled
get_typeahead = enabled
input_file = enabled
list_inputs = enabled
output_file = enabled
upload_lookup_files = enabled
request_remote_tok = enabled
rest_apps_view = enabled
rest_properties_get = enabled
rest_properties_set = enabled
search = enabled
accelerate_search = enabled
list_accelerate_search = enabled
pattern_detect = enabled
list_metrics_catalog = enabled
list_tokens_own = enabled
export_results_is_visible = enabled
run_collect = enabled
run_mcollect = enabled
delete_messages = enabled
run_dump = enabled
run_sendalert = enabled
run_custom_command = enabled
rest_access_server_endpoints = enabled
# ==== Other settings ====
srchIndexesAllowed = *
srchIndexesDefault = main
################################################################
################################################################
[role_can_delete]
# ==== Subsumed roles ====
# ==== Capabilities ====
delete_by_keyword = enabled
# ==== Other settings ====
cumulativeSrchJobsQuota = 0
cumulativeRTSrchJobsQuota = 0
deleteIndexesAllowed = *
################################################################
################################################################
[role_power]
# ==== Subsumed roles ====
importRoles = user
# ==== Capabilities ====
schedule_search = enabled
metric_alerts = enabled
embed_report = enabled
rtsearch = enabled
edit_sourcetypes = enabled
edit_statsd_transforms = enabled
search_process_config_refresh = enabled
edit_log_alert_event = enabled
run_msearch = enabled
run_dump = enabled
run_sendalert = enabled
run_custom_command = enabled
rest_access_server_endpoints = enabled
view_field_filter = enabled
run_commands_ignoring_field_filter = enabled
# ==== Other settings ====
srchIndexesAllowed = *
srchIndexesDefault = main
srchDiskQuota = 500
srchJobsQuota = 10
rtSrchJobsQuota = 20
cumulativeSrchJobsQuota = 100
cumulativeRTSrchJobsQuota = 200
################################################################
################################################################
[role_admin]
# ==== Subsumed roles ====
importRoles = power;user
# ==== Capabilities ====
accelerate_datamodel = enabled
admin_all_objects = enabled
edit_tokens_settings = enabled
change_authentication = enabled
change_audit = enabled
edit_bookmarks_mc = enabled
create_external_lookup = enabled
edit_external_lookup = enabled
edit_deployment_client = enabled
list_deployment_client = enabled
edit_deployment_server = enabled
list_deployment_server = enabled
list_search_head_clustering = enabled
dispatch_rest_to_indexers = enabled
edit_authentication_extensions = enabled
edit_cmd = enabled
edit_upload_and_index = enabled
edit_tcp_stream = enabled
list_dist_peer = enabled
edit_dist_peer = enabled
edit_field_filter = enabled
view_field_filter = enabled
edit_restmap = enabled
edit_forwarders = enabled
edit_indexerdiscovery = enabled
edit_httpauths = enabled
edit_indexer_cluster = enabled
edit_input_defaults = enabled
list_introspection = enabled
edit_local_apps = enabled
edit_monitor = enabled
edit_tokens_own = enabled
edit_roles = enabled
edit_scripted = enabled
edit_search_concurrency_all = enabled
edit_search_head_clustering = enabled
edit_search_server = enabled
edit_search_scheduler = enabled
edit_search_schedule_priority = enabled
edit_tokens_all = enabled
list_tokens_all = enabled
edit_certificates = enabled
list_certificates = enabled
edit_spl2_permissions = enabled
list_indexer_cluster = enabled
list_pipeline_sets = enabled
list_search_scheduler = enabled
list_settings = enabled
edit_server = enabled
edit_user_seed = enabled
edit_splunktcp = enabled
edit_splunktcp_ssl = enabled
edit_splunktcp_token = enabled
edit_tcp = enabled
edit_udp = enabled
edit_telemetry_settings = enabled
edit_user = enabled
edit_view_html = enabled
edit_web_settings = enabled
get_diag = enabled
indexes_edit = enabled
install_apps = enabled
license_edit = enabled
license_tab = enabled
license_view_warnings = enabled
refresh_application_licenses = enabled
list_forwarders = enabled
list_indexerdiscovery = enabled
list_httpauths = enabled
rest_apps_management = enabled
restart_splunkd = enabled
restart_reason = enabled
run_debug_commands = enabled
list_token_http = enabled
edit_token_http = enabled
web_debug = enabled
search_process_config_refresh = enabled
edit_server_crl = enabled
edit_storage_passwords = enabled
list_storage_passwords = enabled
edit_encryption_key_provider = enabled
never_lockout = enabled
never_expire = enabled
list_health = enabled
edit_health = enabled
apps_restore = enabled
apps_backup = enabled
fsh_manage = enabled
fsh_search = enabled
edit_workload_pools = enabled
list_workload_pools = enabled
select_workload_pools = enabled
edit_workload_rules = enabled
list_workload_rules = enabled
list_workload_policy = enabled
edit_workload_policy = enabled
edit_metric_schema = enabled
edit_metrics_rollup = enabled
list_cascading_plans = enabled
list_remote_output_queue = enabled
list_remote_input_queue = enabled
list_ingest_rulesets = enabled
edit_ingest_rulesets = enabled
capture_ingest_events = enabled
edit_log_alert_event = enabled
edit_global_banner = enabled
read_internal_libraries_settings = enabled
edit_web_features = enabled
edit_kvstore = enabled
upload_mmdb_files = enabled
use_remote_proxy = enabled
edit_manager_xml = enabled
merge_buckets = enabled
# ==== Other settings ====
srchIndexesAllowed = *;_*
srchIndexesDefault = main;os
srchFilter = *
srchTimeWin = 0
srchTimeEarliest = 0
srchDiskQuota = 10000
srchJobsQuota = 50
rtSrchJobsQuota = 100
cumulativeSrchJobsQuota = 200
cumulativeRTSrchJobsQuota = 400
################################################################
################################################################
[role_splunk-system-role]
# ==== Subsumed roles ====
importRoles = admin
# ==== Capabilities ====
# ==== Other settings ====
################################################################
################################################################
[tokens_auth]
expiration = +30d
ephemeralExpiration = +1h
disabled = false

Powered by BW's shoe-string budget.