Hardening standards
Splunk recommends using the following standards to harden your Splunk instances. Following these standards will reduce Splunk's attack surface and mitigate the risk and impact of most vulnerabilities.
Service accounts
- Practice the principle of least privilege by running Splunk as an unprivileged user rather than a privileged account such as root or Administrator.
- On Unix or Linux, use the "splunk" user that is created by the PKG or RPM packages, or create your own user that has privilege and ownership only over $SPLUNK_HOME
- On Windows, the local system context is often the best choice. However, if you require communication to occur via a Windows communication channel (e.g. WMI), use an account with restricted access.
Splunk components
- Disable all unnecessary Splunk components
  - For single-server Splunk deployments:
    - Splunk forwarders should not run Splunk Web and should not be configured to receive data on TCP or UDP ports or from other Splunk instances
  - For multi-server Splunk deployments:
    - Splunk search heads should not receive data on TCP or UDP ports or from other Splunk instances
    - Splunk indexers in a distributed search environment should not run Splunk Web if users are not logging in to them to search
    - Splunk forwarders should not run Splunk Web and should not be configured to receive data on TCP or UDP ports or from other Splunk instances
Network access
- Do not place Splunk on a network segment that is Internet-facing (i.e. Splunk should not be accessible directly via the Internet)
  - Remote users will still be able to access Splunk via a Virtual Private Network
- Use a host-based firewall to restrict access to Splunk's web, management, and data ports
  - End users and administrators will need to access Splunk Web (TCP port 8000 by default)
  - Search heads will need to access their search peers on the Splunk management port (TCP port 8089 by default)
  - Deployment clients will need to access the deployment server on the Splunk management port (TCP port 8089 by default)
  - Forwarders will need to access the Splunk index server's data port (TCP port 9997 by default)
  - Remote CLI calls use the Splunk management port. Consider restricting this port to local calls only via a host firewall.
  - In most cases, it is not recommended to allow access to Splunk forwarders on any port
- Install Splunk on an isolated network segment that only trustworthy machines can access
- Do not permit Splunk access to the Internet unless access to Splunkbase or inline documentation is a requirement
Operating System
- Splunk strongly recommends hardening the operating system of all Splunk servers
- If your organization does not have internal hardening standards, Splunk recommends the CIS hardening benchmarks
- At the very least, limit shell/command line access to your Splunk servers
Availability and reliability
- Configure redundant instances of Splunk, both indexing a copy of the same data
- Back up Splunk data and configurations on a regular basis
- Execute a periodic recovery test by attempting to restore Splunk from backup
Physical security
- Secure physical access to all Splunk servers
- Ensure that end users of Splunk practice sound physical and endpoint security
- Set a short time-out for user sessions in Splunk Web via Manager
Confidentiality and integrity
- Use SSL encryption on Splunk's web, management, and data ports
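As an added example (not from the Splunk documentation), a small Python audit that reads an instance's inputs.conf and web.conf and flags the deviations listed under Splunk components and Confidentiality and integrity above: receiving inputs on forwarders and search heads, Splunk Web on forwarders and indexers, and Splunk Web served without SSL. The role names, the sample configuration text and the audit function are constructed for this illustration.

```python
import configparser
import re

# Constructed sample configuration for a hypothetical forwarder host (not a real deployment).
FORWARDER_INPUTS = """
[monitor:///var/log/messages]
sourcetype = syslog

[splunktcp://9997]
disabled = 0

[udp://514]
sourcetype = syslog
"""

FORWARDER_WEB = """
[settings]
startwebserver = 1
enableSplunkWebSSL = false
"""

# Input stanzas through which an instance receives data from the network or from other instances.
RECEIVING_STANZA = re.compile(r"^(splunktcp|splunktcp-ssl|tcp|udp)(:|://)", re.I)


def parse_conf(text):
    """Splunk .conf files are INI-style stanzas; configparser reads them with interpolation off."""
    conf = configparser.ConfigParser(interpolation=None, strict=False)
    conf.read_string(text)
    return conf


def audit(role, inputs_text, web_text):
    """Return hardening findings for an instance whose role is forwarder, search_head or indexer."""
    inputs, web = parse_conf(inputs_text), parse_conf(web_text)
    findings = []
    # Forwarders and search heads should not accept data on TCP/UDP ports or from other instances.
    if role in ("forwarder", "search_head"):
        for stanza in inputs.sections():
            enabled = inputs.get(stanza, "disabled", fallback="0").lower() not in ("1", "true")
            if RECEIVING_STANZA.match(stanza) and enabled:
                findings.append(f"{role} receives data via [{stanza}]; remove or disable this input")
    # Forwarders, and indexers that nobody logs in to for searching, should not run Splunk Web.
    web_on = web.get("settings", "startwebserver", fallback="1") == "1"  # Splunk's shipped default is 1
    if role in ("forwarder", "indexer") and web_on:
        findings.append(f"{role} runs Splunk Web; set startwebserver = 0 in web.conf")
    # Any instance that does serve Splunk Web should do so over SSL.
    if web_on and web.get("settings", "enableSplunkWebSSL", fallback="false").lower() != "true":
        findings.append("Splunk Web is served without SSL; set enableSplunkWebSSL = true in web.conf")
    return findings
```

Calling audit("forwarder", FORWARDER_INPUTS, FORWARDER_WEB) on the constructed sample returns four findings; the same inputs.conf on an indexer with Splunk Web disabled returns none.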
Authentication
- Upon installing Splunk, change the default "admin" password the first time that you log in
- Do not use the default root certificate or server certificates that ship with Splunk
  - Either generate a unique root certificate and self-signed server certificates, use your enterprise root certificate authority, or use a third-party certificate authority
  - Make sure that you back up the private keys in a secure location
- Use SSL authentication between forwarders and indexers
- Use LDAP or other third-party systems to control authentication to Splunk
  - When using LDAP, make sure that your LDAP implementation enforces:
    - Strong password requirements for length and complexity
    - A low incorrect attempt threshold for password lockout
Authorization
- Protect access to Splunk features and data by using Splunk's role-based access control
- Practice the principle of least privilege by only granting access to features and data based on business justification
- Use an approval process to validate access requests to Splunk features and data
Auditing
- Perform a periodic review of Splunk's access and audit logs
- Perform a periodic review of the Splunk server's audit and security logs
Configuration management
- Use a configuration management tool such as Subversion to provide version control for Splunk configurations
- Integrate Splunk configuration changes into your existing change management framework
- Configure Splunk to monitor its own configuration files and alert on changes
Client browser
- Use a current version of a supported browser such as Firefox or Internet Explorer
- Use a client-side JavaScript blocker such as NoScript on Firefox or Internet Explorer 8 Filters to help protect against XSS, XSRF, and similar exploits
- Ensure that users have the latest version of Flash installed
This documentation applies to the following versions of Splunk: 4.1, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.1.5, 4.1.6, 4.1.7, 4.1.8