Securing Splunk® Cheat Sheet V1.0 https://www.aplura.com/cheatsheets

Universal Rules for Securing Splunk

* Change the password for admin
* Run Splunk with the appropriate user account
* Exercise caution when setting permissions for the Splunk user
* Disable port 8089/tcp on Universal Forwarders
* Use a host firewall
* Backup $SPLUNK_HOME/etc/* on a regular basis
* Replace the default certificates

Use SSL/TLS on:
* Web Interface (443/8443/tcp)
* Deployment Server (8089/tcp) - replace default certs
* Splunk data ports (9997/9998/tcp)
* Splunk-to-Splunk (8089/tcp) - replace default certs

Run Splunk as the `splunk` user

*nix
* $SPLUNK_HOME should be owned by splunk
  CLI: chown -R splunk:splunk /opt/splunk/
* $SPLUNK_HOME/etc/splunk-launch.conf should be owned by root
  CLI: chown root: $SPLUNK_HOME/etc/splunk-launch.conf

Windows
* Reset permissions in $SPLUNK_HOME
  CLI: icacls.exe "Splunk\*" /q /c /t /reset
* Running Splunk as Local System is preferable to using a named account. Only use a domain-based account if there is a well-established process for changing service account passwords on a regular basis. Domain-based accounts will need elevated permissions to utilize some Windows inputs (particularly on Domain Controllers), negating the advantages of a named service account over Local System.

OSX
* The DMG install does NOT go into `/opt` by default. Instead, Splunk is installed into `/Applications/`. The DMG install also does not create a splunk user.

Universal Forwarders - Remove Default Bindings
Splunk binds to all available network interfaces by default on port 8089/tcp. Universal Forwarders are not required to use this port for normal operations. Override the default behavior and configure Splunk to bind to the local loopback address.
server.conf
[httpServer]
disableDefaultPort = true

[httpServerListener:127.0.0.1:8089]
ssl = true
Linux - Create a rule to redirect Splunk Traffic
firewalld:
firewall-cmd --set-default-zone=public
firewall-cmd --zone=public --add-forward-port=port=443:proto=tcp:toport=8000 --permanent
firewall-cmd --reload
iptables:
iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 8443
Windows
netsh advfirewall firewall add rule name="Allow Inbound to Splunk Web" dir=in \
action=allow protocol=TCP localport=443
Solaris
Solaris SMF requires a change to the service manifest to add read-all privileges to the splunk user account.
CLI:
svccfg -s splunkforwarder setprop start/privileges = astring: \
"basic,net_privaddr,file_dac_read,file_dac_search"
svcadm refresh splunkforwarder

Provided by Aplura, LLC. Splunk Consulting and Application Development Services. sales@aplura.com https://www.aplura.com
Splunk is a registered trademark of Splunk, Inc.
v2.1.5
This work is licensed under the Creative Commons Attribution-ShareAlike 4.0 International License. Many Solutions, One Goal.
SSL(TLS) for Splunk Cheat Sheet

SSL Checklist
1. Create/Procure SSL Certificates
2. Secure the Web UI (port 443/tcp)
3. Secure the indexers (port 9997|9998/tcp)
4. Secure inter-Splunk communications (8089/tcp)

Certificate Checklist
1. Commercial SSL cert or cert from enterprise CA
2. Cert for each Splunk indexer
3. One cert for ALL UFs
4. Cert for inter-Splunk communications

Secure Splunk Web

Create a folder in $SPLUNK_HOME/etc/auth/ for your certs, "mycerts" for example.
web.conf
[settings]
serverCert = etc/auth/mycerts/SplunkWeb.pem   (the file may also contain root and intermediate certificates, if required)
sslVersions = "tls1.2"

Secure Splunk Indexer Inputs

inputs.conf
[SSL]
serverCert = <path>
sslPassword = <password>
sslVersions = "tls1.2"
requireClientCert = true | false
sslCommonNameToCheck = <commonName1>, ...   (the 'requireClientCert' setting must be set to true)

Forwarder Outputs
Note: Use 9997 for non-encrypted traffic and 9998 for encrypted. This will simplify the transition to SSL.
outputs.conf
[tcpout:<your SSL output group>]
server = <your_indexer1>:9998, <your_indexer2>:9998
sslPassword = <password>
clientCert = <path>   (the full path to the client SSL certificate in PEM format)
sslVersions = "tls1.2"
requireClientCert = true | false
sslCommonNameToCheck = <commonName1>, ...   (the 'requireClientCert' setting must be set to true)
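The following POSIX shell audit is an added example and is not part of the Aplura cheat sheet; it reads Splunk .conf files and checks two of the settings above: the forwarder's server.conf from the "Remove Default Bindings" section, and the TLS stanzas in inputs.conf/outputs.conf, including the rule that sslCommonNameToCheck only takes effect when requireClientCert is true. The function names (conf_get, uf_bindings_ok, tls_stanza_ok), the sample files, hostnames and group names are all constructed for the example.

```shell
#!/bin/sh
# Added example, not from the cheat sheet. conf_get FILE STANZA KEY prints the
# value of KEY inside [STANZA] of a Splunk .conf file (first match wins).
conf_get() {
  awk -v want="$2" -v key="$3" '
    /^[[:space:]]*#/ || NF == 0 { next }
    /^[[:space:]]*\[/ { s = $0; sub(/^[[:space:]]*\[/, "", s); sub(/[]].*$/, "", s); next }
    index($0, "=") && s == want {
      k = $0; sub(/[[:space:]]*=.*/, "", k); sub(/^[[:space:]]+/, "", k)
      if (k == key) { v = $0; sub(/^[^=]*=[[:space:]]*/, "", v); sub(/[[:space:]]+$/, "", v); print v; exit }
    }' "$1"
}

# Universal Forwarder server.conf: default 8089 listener disabled and a
# loopback-only TLS listener present (the "Remove Default Bindings" settings).
uf_bindings_ok() {
  [ "$(conf_get "$1" httpServer disableDefaultPort)" = true ] &&
  [ "$(conf_get "$1" httpServerListener:127.0.0.1:8089 ssl)" = true ]
}

# inputs.conf [SSL] or outputs.conf [tcpout:<group>] stanza: TLS 1.2 only, and
# sslCommonNameToCheck is only enforced when requireClientCert = true.
tls_stanza_ok() {
  ver=$(conf_get "$1" "$2" sslVersions)
  cn=$(conf_get "$1" "$2" sslCommonNameToCheck)
  req=$(conf_get "$1" "$2" requireClientCert)
  [ "$ver" = tls1.2 ] || [ "$ver" = '"tls1.2"' ] || return 1
  [ -z "$cn" ] || [ "$req" = true ]
}

# Constructed sample files (hostnames and group names are made up).
SRV=$(mktemp); OUT=$(mktemp); trap 'rm -f "$SRV" "$OUT"' EXIT
printf '[httpServer]\ndisableDefaultPort = true\n\n[httpServerListener:127.0.0.1:8089]\nssl = true\n' > "$SRV"
cat > "$OUT" <<'EOF'
[tcpout:ssl_group]
server = idx1.example.internal:9998, idx2.example.internal:9998
sslVersions = tls1.2
requireClientCert = true
sslCommonNameToCheck = idx1.example.internal, idx2.example.internal

[tcpout:weak_group]
server = idx1.example.internal:9998
sslVersions = tls1.2
sslCommonNameToCheck = idx1.example.internal
EOF
uf_bindings_ok "$SRV" && echo "server.conf: 8089 bound to loopback only"
for g in tcpout:ssl_group tcpout:weak_group; do
  tls_stanza_ok "$OUT" "$g" && echo "$g: ok" || echo "$g: CN check ignored (requireClientCert not true) or TLS version not pinned"
done
```

Point conf_get at a live $SPLUNK_HOME/etc/system/local or app-local .conf file to check a real deployment; only the first matching stanza is read, so layered app precedence is not resolved.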
References
https://wiki.splunk.com/images/f/fb/SplunkTrustApril-SSLipperySlopeRevisited.pdf
http://docs.splunk.com/Documentation/Splunk/latest/Security/AboutsecuringyourSplunkconfigurationwithSSL

