
Advanced Splunk

By : Ashish Kumar Tulsiram Yadav


Splunk Enterprise Security


Splunk Enterprise is connected to various data input sources, indexers, and search heads over a network, so it is very important to harden the security of the Splunk Enterprise deployment. Taking the necessary steps for Splunk Enterprise Security (SES) mitigates risk and reduces the attack surface exposed to outside attackers.

The following are ways to secure the Splunk Enterprise deployment:

  • Setting up user authentication and creating and managing user access by assigning roles. Splunk has a built-in system for authenticating users and assigning roles. Along with the built-in system, it provides integration with the Lightweight Directory Access Protocol (LDAP), so Splunk can be integrated with Active Directory and use it as a centralized system for authentication and role assignment. Splunk Enterprise 6.3 introduced additional authentication using the Security Assertion Markup Language (SAML); Splunk Enterprise can be enabled for single sign-on using SAML, which was explained in detail in the previous section of this chapter.

  • Use Secure Sockets Layer (SSL) for secure communication within the Splunk deployment. By default, Splunk provides certificates and keys that can be used to enable SSL communication, giving encryption and data compression between the different components of the Splunk deployment. It secures the communication between browsers and Splunk Web, and the data sent from forwarders to indexers. Splunk also lets you use your own certificates and keys to secure the communication between deployment components.

  • Keep the Splunk installation updated with the latest security patches and updates. Splunk continuously fixes bugs and publishes updates for Splunk Enterprise, along with a bug fix report that describes the fixes included in each release. If there are any security-related fixes, the security patch/bug fix should be applied to the Splunk Enterprise deployment to make sure it is secure from outside threats. Continuous auditing of the Splunk configuration files and of Splunk audit events also contributes to a secure Splunk deployment.

Enabling HTTPS for Splunk Web

We will see how to enable HTTPS from the Splunk Web console for all communication happening via Splunk's web channel. Once HTTPS is enabled, Splunk Web no longer listens on plain HTTP: Splunk Web can be configured to serve either HTTP or HTTPS, not both at the same time.

The following are the steps to enable HTTPS via the Splunk Web console:

  1. Access the Splunk Web console via a web browser by typing the IP address followed by the port number.

    For example, http://IPAddress:Port or http://localhost:8000. Here, 8000 is a default web access port of Splunk Enterprise.

  2. Go to System Menu | System Settings.

  3. Click on the radio button to enable HTTPS. Splunk is configured to use its default certificates when HTTPS is enabled. The default configuration is available at $SPLUNK_HOME\etc\auth\web.conf (in Splunk .conf files a comment must start at the beginning of a line; a # after a value is treated as part of the value):

    [settings]
    enableSplunkWebSSL = true
    # Path of the default private key
    privKeyPath = etc\auth\splunkweb\privkey.pem
    # Path of the default certificate
    caCertPath = etc\auth\splunkweb\cert.pem

We'll now configure Splunk Web with your own certificate and private key. Since we are talking about securing Splunk, the default private key and default certificate shipped with Splunk Enterprise should be replaced for better authentication and security.

Certificates can be self-signed or purchased from third-party vendors. Once you have the certificate and private key, follow the procedure below for the changes to take effect.

In our explanation, let's say the certificate filename is TestCertificate.pem and the private key is TestPrivateKey.key. The following are a series of steps to configure Splunk Web with a certificate and private key:

  1. Copy TestCertificate.pem and TestPrivateKey.key to $SPLUNK_HOME\etc\auth\splunkweb\.

  2. Do not overwrite or delete the existing default certificate and key located at $SPLUNK_HOME\etc\auth\splunkweb\; the default certificates are regenerated on every restart, so any changes made to that certificate and key will be reset.

  3. Configure web.conf located at $SPLUNK_HOME\etc\system\local as follows:

    [settings]
    enableSplunkWebSSL = true
    privKeyPath = etc\auth\splunkweb\TestPrivateKey.key
    caCertPath = etc\auth\splunkweb\TestCertificate.pem

Splunk needs to be restarted for the newer settings to take effect, and after the restart of Splunk Server, Splunk Web will be available only via HTTPS URL, that is, https://localhost:8000.

Enabling HTTPS for the Splunk forwarder

Configure inputs.conf located at $SPLUNK_HOME\etc\system\local\ of the indexer, as mentioned in the following code block. In this example, port number 9000 is to be configured on the indexer:

[SSL]
# Path of the default root CA certificate
rootCA = $SPLUNK_HOME\etc\auth\cacert.pem
# Path of the default server certificate
serverCert = $SPLUNK_HOME\etc\auth\server.pem
password = password

[splunktcp-ssl:9000]
disabled = 0

The Splunk forwarder needs to be configured to forward using the secure certificate and key. To configure the forwarder, place the following code block in outputs.conf located at $SPLUNK_HOME\etc\system\local. In this example, 192.168.1.10 is the IP address of the indexer that was configured in the previous step:

[tcpout]
defaultGroup = splunkssl

[tcpout:splunkssl]
server = 192.168.1.10:9000
sslVerifyServerCert = false
sslRootCAPath = $SPLUNK_HOME\etc\auth\cacert.pem
sslCertPath = $SPLUNK_HOME\etc\auth\server.pem
sslPassword = password

As in the previous section, your own certificates and private keys can be copied to the respective folders on the indexer and forwarder, and their paths configured in the respective config files. Splunk must be restarted for the settings to take effect.

Securing a password with Splunk

Splunk has a built-in feature for encrypting configuration files via SSH. On its first start-up, Splunk creates a file named splunk.secret, which contains a secret key that is used to encrypt authentication information in configuration files.

The following is the list of information that is encrypted via the splunk.secret key:

  • web.conf: This refers to SSL passwords of every instance

  • authentication.conf: This refers to the LDAP password, if the deployment is LDAP-integrated

  • inputs.conf: This refers to SSL passwords

  • outputs.conf: This refers to SSL passwords

When Splunk starts, if it detects a clear-text password in any of the preceding configuration files, it writes a configuration in the equivalent local folder with the encrypted password.

In a clustered and distributed environment, when Splunk is deployed on multiple servers, a secure password mechanism of encryption can be very useful to ensure consistency across the deployment.

To apply the same settings of a secret key to all the instances, users just need to configure all the changes in the configuration files and restart Splunk to ensure that the splunk.secret file is updated with the latest information.

Once you have the updated file, just copy the splunk.secret file to all the other instances and restart the instance, and you will have the same settings you applied to all the instances.
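The following audit script is an added example, not the book's code: it parses the stanza/key=value format of the web.conf, inputs.conf and outputs.conf snippets above and flags the three things a reviewer would check after this section, an inline # that silently becomes part of a value, a secret that is still clear text (it assumes the $1$ / $7$ prefixes Splunk uses for values encrypted with splunk.secret), and sslVerifyServerCert = false on a forwarder. The sample conf texts are constructed from the chapter's snippets.

```python
# Prefixes Splunk puts in front of values encrypted with splunk.secret
# ($1$ in 6.x-era releases, $7$ in newer ones); anything else is clear text.
ENCRYPTED_PREFIXES = ("$1$", "$7$")
SECRET_KEYS = {"password", "sslPassword"}

def parse_conf(text):
    """Return {stanza: {key: value}}. Only a line starting with '#' is a
    comment; a '#' after a value stays part of the value (what audit() catches)."""
    conf, stanza = {}, "default"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1]
            conf.setdefault(stanza, {})
            continue
        key, sep, value = line.partition("=")
        if sep:
            conf.setdefault(stanza, {})[key.strip()] = value.strip()
    return conf

def audit(filename, text):
    """Return a list of finding strings for one conf file (empty means clean)."""
    conf, findings = parse_conf(text), []
    for stanza, settings in conf.items():
        for key, value in settings.items():
            where = f"{filename} [{stanza}] {key}"
            if "#" in value:
                findings.append(f"{where}: inline '#' is part of the value")
            if key in SECRET_KEYS and not value.startswith(ENCRYPTED_PREFIXES):
                findings.append(f"{where}: clear-text secret, not yet encrypted by splunk.secret")
            if key == "sslVerifyServerCert" and value.lower() in ("false", "0"):
                findings.append(f"{where}: indexer certificate not verified (MITM risk)")
    web_ssl = conf.get("settings", {}).get("enableSplunkWebSSL", "false").lower()
    if filename == "web.conf" and web_ssl not in ("true", "1"):
        findings.append("web.conf [settings] enableSplunkWebSSL: Splunk Web still serves plain HTTP")
    return findings

# Constructed samples modelled on the chapter's web.conf and outputs.conf snippets.
SAMPLE_WEB_CONF = r"""[settings]
enableSplunkWebSSL = true
privKeyPath = etc\auth\splunkweb\privkey.pem #Path of Default Private Key
caCertPath = etc\auth\splunkweb\cert.pem
"""
SAMPLE_OUTPUTS_CONF = r"""[tcpout:splunkssl]
server = 192.168.1.10:9000
sslVerifyServerCert = false
sslPassword = password
"""
```

Run audit() over the local copies of each file after a restart: a secret that is still reported as clear text has not been picked up by splunk.secret, and a forwarder with sslVerifyServerCert = false will send data to any host that presents a certificate.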

The access control list

Splunk can be configured for higher security with an access control list. Using an access control list, restrictions on the basis of IP address can be applied to the various components of the Splunk deployment.

server.conf and inputs.conf can be edited to specify which IP addresses should be allowed and which should be restricted for the various communications within the Splunk deployment.

In server.conf and inputs.conf, the [accept from] block can be added to allow communication only from a specific IP address. For example, to instruct a node to accept communication from a specific IP address, edit the [httpserver] block in server.conf; likewise, to restrict TCP communication using SSL to a specific IP address, edit the [tcp-ssl] block in inputs.conf.

Similarly, various communications of Splunk Web, forwarder, and indexers can be restricted or allowed only from a specific IP address, and thus, security can be enhanced using the access control list features of Splunk Enterprise 6.3.