How to secure and harden your Splunk platform instance
Use this checklist as a roadmap to help you secure your Splunk platform installation and protect your data.
Set up authenticated users and manage user access on the Splunk platform
You can harden a Splunk platform deployment by carefully managing who can access the deployment at a given time.
- Set up users and configure roles and capabilities to control user access. See About configuring role-based user access.
- Configure user authentication with one of the following methods:
  - The native Splunk authentication scheme. See Set up native Splunk authentication.
  - Splunk platform authentication tokens, which are based on the native authentication scheme. Tokens let you provide access to the instance through web requests to Representational State Transfer (REST) endpoints. See Set up authentication with tokens.
  - The Lightweight Directory Access Protocol (LDAP) authentication scheme. See Set up user authentication with LDAP.
  - The Security Assertion Markup Language (SAML) authentication scheme. See Configure single sign-on with SAML.
Additional hardening options for Splunk Enterprise only
If you run a Splunk Enterprise deployment, you have the following additional options to secure the deployment:
- Administrator credentials provide unrestricted access to a Splunk platform instance and must be the first thing you change and secure. See Create secure administrator credentials.
- Access control lists prevent unauthorized user access to your Splunk platform instance. See Use Access Control Lists.
- Splunk Enterprise has the following additional authentication options:
  - Single sign-on with multi-factor authentication (MFA) using Duo MFA. See About multi factor authentication with Duo Security.
  - Single sign-on using a reverse proxy. See About single sign-on using a reverse proxy server.
  - A scripted authentication API for use with an external authentication system, such as Pluggable Authentication Modules (PAM) or Remote Access Dial-In User Server (RADIUS). See Set up user authentication with external systems.
  - Authentication using a common access card.
Use certificates and encryption to secure communications for your Splunk Enterprise configuration
Splunk Enterprise comes with a set of default certificates and keys that demonstrate encryption. Where possible, acquire and deploy your own certificates and configure them to secure Splunk Enterprise communications. See Introduction to securing the Splunk platform with TLS. You can activate and use the Splunk Assist service to gain insight into your certificate usage and configurations. See Introduction to Splunk Assist to learn more about the service.
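The practical check behind this item is whether an instance still points at the demonstration certificates. The following script is an added example, not Splunk code or a Splunk-provided tool: it reads server.conf and web.conf fragments and flags the settings that leave communications on the shipped certificates or without peer verification. The conf fragments are constructed for the example, and the rules encode these assumptions: `$SPLUNK_HOME/etc/auth/server.pem` and `cacert.pem` are the shipped demonstration certificate and CA, `sslVerifyServerCert` defaults to false, and `enableSplunkWebSSL` defaults to false.

```python
import configparser
from typing import Dict, List

# Constructed conf fragments (not from any real deployment).
# Weak: splunkd and Splunk Web still rely on the certificates Splunk ships.
WEAK_SERVER_CONF = """
[sslConfig]
serverCert = $SPLUNK_HOME/etc/auth/server.pem
sslRootCAPath = $SPLUNK_HOME/etc/auth/cacert.pem
sslVerifyServerCert = false
"""
WEAK_WEB_CONF = """
[settings]
enableSplunkWebSSL = false
"""

# Hardened: own certificates deployed, peer verification on, Splunk Web on TLS.
# The mycerts/ paths are placeholders chosen for this example.
HARDENED_SERVER_CONF = """
[sslConfig]
serverCert = $SPLUNK_HOME/etc/auth/mycerts/splunkd.pem
sslRootCAPath = $SPLUNK_HOME/etc/auth/mycerts/ca.pem
sslVerifyServerCert = true
"""
HARDENED_WEB_CONF = """
[settings]
enableSplunkWebSSL = true
serverCert = $SPLUNK_HOME/etc/auth/mycerts/web.pem
privKeyPath = $SPLUNK_HOME/etc/auth/mycerts/web.key
"""

# Path fragments that identify the demonstration certificates (assumption).
DEFAULT_CERT_MARKERS = ("etc/auth/server.pem", "etc/auth/cacert.pem", "etc/auth/splunkweb/")


def _load(text: str) -> configparser.ConfigParser:
    """Parse a Splunk-style conf fragment; keys keep their camelCase."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def _is_true(value: str) -> bool:
    return value.strip().lower() in ("true", "1", "yes")


def _uses_default_cert(value: str) -> bool:
    # An unset key means Splunk falls back to the shipped certificate.
    return not value or any(marker in value for marker in DEFAULT_CERT_MARKERS)


def check_tls_config(server_conf: str, web_conf: str) -> List[str]:
    """Return findings for weak TLS settings; an empty list means none were found."""
    findings: List[str] = []
    server = _load(server_conf)
    web = _load(web_conf)
    ssl_cfg: Dict[str, str] = dict(server["sslConfig"]) if server.has_section("sslConfig") else {}
    web_cfg: Dict[str, str] = dict(web["settings"]) if web.has_section("settings") else {}

    # splunkd still presents the demonstration certificate or trusts the demonstration CA.
    for key in ("serverCert", "sslRootCAPath"):
        if _uses_default_cert(ssl_cfg.get(key, "")):
            findings.append(f"server.conf [sslConfig] {key} uses the default Splunk certificate path")

    # Outbound splunkd TLS connections do not verify the peer certificate.
    if not _is_true(ssl_cfg.get("sslVerifyServerCert", "false")):
        findings.append("server.conf [sslConfig] sslVerifyServerCert is not true")

    # Splunk Web is served over plain HTTP, or over TLS with the shipped certificate.
    web_tls = _is_true(web_cfg.get("enableSplunkWebSSL", "false"))
    if not web_tls:
        findings.append("web.conf [settings] enableSplunkWebSSL is not true")
    elif _uses_default_cert(web_cfg.get("serverCert", "")):
        findings.append("web.conf [settings] serverCert uses the default Splunk Web certificate path")
    return findings


if __name__ == "__main__":
    for label, s, w in (("weak", WEAK_SERVER_CONF, WEAK_WEB_CONF),
                        ("hardened", HARDENED_SERVER_CONF, HARDENED_WEB_CONF)):
        print(label, check_tls_config(s, w) or "no findings")
```

Run it against the merged configuration (the output of `splunk btool server list sslConfig` and `splunk btool web list settings`) rather than a single file, because a hardened setting in one app can be overridden by a later one.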
Harden your Splunk Enterprise instances to reduce vulnerability and risk
- Secure communication within indexer clusters and search head clusters. See Secure your indexer clusters and search head clusters.
- Ensure that credentials in a distributed deployment are consistent across individual instances. See Deploy secure passwords across multiple servers.
- Confirm that the credentials and access levels for the accounts that run Splunk Enterprise are secure. See Secure your service accounts.
- Where possible, limit access to the app key value store (KV store) network port on any Splunk Enterprise instances. See Harden your KV store port.
- Disable automatic chart recovery in the analytics workspace. See Charts in the Splunk Analytics Workspace in the Using the Splunk Analytics Workspace manual.
Audit your Splunk Enterprise instance regularly
Audit events provide information about what has changed in your Splunk platform instance configuration. They give you the where and when, as well as the identity of who implemented the change.
- Audit your system regularly to monitor user and administrator access, as well as other activities that could tip you off to unsafe practices or security breaches.
- Keep an eye on activities within your Splunk platform deployment, such as searches or configuration changes. You can use this information for compliance reporting, troubleshooting, and attribution during incident response.
- Audit events are especially useful in distributed Splunk Enterprise configurations for detecting configuration and access control changes across many Splunk Enterprise instances. To learn more, see Audit Splunk Enterprise activity.
- Use the file system-based monitoring available out of the box on most Splunk-supported operating systems. For more information about monitoring, see Monitor Files and Directories in the Getting Data In Manual.
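To show what reviewing audit events looks like in practice, here is an added example that is not part of the Splunk documentation or product. It parses records in the `Audit:[key=value, ...]` layout written by Splunk's AuditLogger, counts repeated failed logins per user and source address, and lists configuration changes. The sample lines are constructed for this example, and the set of actions treated as configuration changes (`edit_user`, `edit_roles`, `edit_password`, `edit_authentication`) is an assumption to adjust to your own deployment.

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed sample audit events. The layout follows Splunk's AuditLogger
# records, but every line was written for this example, not captured from a real instance.
AUDIT_LINES = [
    "10-01-2024 09:00:01.000 +0000 INFO  AuditLogger - Audit:[timestamp=10-01-2024 09:00:01.000, user=alice, action=login attempt, info=succeeded, clientip=10.0.0.5]",
    "10-01-2024 09:02:10.000 +0000 INFO  AuditLogger - Audit:[timestamp=10-01-2024 09:02:10.000, user=admin, action=login attempt, info=failed, clientip=203.0.113.7]",
    "10-01-2024 09:02:11.000 +0000 INFO  AuditLogger - Audit:[timestamp=10-01-2024 09:02:11.000, user=admin, action=login attempt, info=failed, clientip=203.0.113.7]",
    "10-01-2024 09:02:12.000 +0000 INFO  AuditLogger - Audit:[timestamp=10-01-2024 09:02:12.000, user=admin, action=login attempt, info=failed, clientip=203.0.113.7]",
    "10-01-2024 09:05:00.000 +0000 INFO  AuditLogger - Audit:[timestamp=10-01-2024 09:05:00.000, user=alice, action=search, info=granted, search_id=1727773500.12]",
    "10-01-2024 09:10:30.000 +0000 INFO  AuditLogger - Audit:[timestamp=10-01-2024 09:10:30.000, user=bob, action=edit_user, info=granted, object=svc-forwarder]",
    "10-01-2024 09:11:00.000 +0000 INFO  AuditLogger - Audit:[timestamp=10-01-2024 09:11:00.000, user=bob, action=edit_roles, info=granted, object=power]",
    "this line is not an audit record and must be ignored",
]

# Actions treated as configuration or access-control changes (assumed set).
CONFIG_CHANGE_ACTIONS = {"edit_user", "edit_roles", "edit_password", "edit_authentication"}

AUDIT_RE = re.compile(r"Audit:\[(.*)\]\s*$")
PAIR_RE = re.compile(r"(\w+)=([^,\]]*)")


def parse_audit_line(line: str) -> Optional[Dict[str, str]]:
    """Return the key=value fields of one audit record, or None for non-audit lines."""
    m = AUDIT_RE.search(line)
    if not m:
        return None
    return {key: value.strip() for key, value in PAIR_RE.findall(m.group(1))}


def review_audit(lines: List[str], failure_threshold: int = 3) -> Dict[str, object]:
    """Summarise failed logins and configuration changes across a batch of audit lines."""
    failed: Counter = Counter()
    changes: List[Tuple[str, str, str, str]] = []
    for line in lines:
        event = parse_audit_line(line)
        if event is None:
            continue
        if event.get("action") == "login attempt" and event.get("info") == "failed":
            failed[(event.get("user", "?"), event.get("clientip", "?"))] += 1
        elif event.get("action") in CONFIG_CHANGE_ACTIONS:
            changes.append((event.get("timestamp", ""), event.get("user", "?"),
                            event["action"], event.get("object", "")))
    # A user/source pair at or above the threshold is worth a closer look.
    repeated = [pair for pair, count in failed.items() if count >= failure_threshold]
    return {"failed_logins": dict(failed), "repeated_failures": repeated, "config_changes": changes}


if __name__ == "__main__":
    report = review_audit(AUDIT_LINES)
    for pair in report["repeated_failures"]:
        print("repeated login failures:", pair)
    for change in report["config_changes"]:
        print("config change:", change)
```

In a deployment the same questions are usually asked with a search over the `_audit` index, but a stand-alone parser like this is useful when audit.log files are collected from several instances for offline review.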
This documentation applies to the following versions of Splunk® Enterprise: 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.3.0, 9.3.1