Splunk® Enterprise Security

Installation and Upgrade Manual


Configure data protection

Splunk includes several features for protecting your IT data: tamper detection, which verifies data integrity, and data masking, which keeps sensitive values out of the index. These features complement your existing security controls; they do not replace them.

Tamper detection

The Splunk App for Enterprise Security includes three mechanisms for tamper detection: event hashing, audit event signing, and IT data signing.

Event hashing

Event hashing computes a hash of each selected event at index time and checks it again at search time, so it detects events that were modified after they were indexed. It cannot detect tampering that happened before the data reached Splunk.

By default, Enterprise Security enables event hashing of notable events generated by search-time correlations. Each notable event will be assessed for modification when viewed from within the Incident Review dashboard. The following icons show the status of the notable events:

Tampered (red exclamation point icon): the event hash does not match, and the notable event has been modified since it was indexed.

Valid (green check mark icon): the event hash matches, and the notable event has not been modified.

To enable hashing for other events based on host, source, or source type:

1. Open the file $SPLUNK_HOME/etc/system/local/audit.conf in a text editor, or create a new file if it does not exist.

2. Look for or create the [eventHashing] stanza.

3. For each host, source type, or source for which you want to enable hashing, create a new filterSpec stanza. Place the filterSpec stanza after the eventHashing stanza. You can use any name for the filter. The following shows the syntax, with the parts you must edit:

   [filterSpec:event_whitelist:filterName1]
   <host|sourcetype|source>=name

Example: To create a filter named nessusWhiteList that hashes all events with sourcetype nessus:

  [filterSpec:event_whitelist:nessusWhiteList]
  sourcetype=nessus

4. Edit or create the eventHashing stanza and list, comma-separated, the name of every filter you want to apply. Only the filters listed here are applied; a filterSpec stanza that is not listed has no effect:

   [eventHashing]
   filters=filter1,filter2,nessusWhiteList

5. Restart Splunk.
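The procedure above fails silently when the names in the filters list and the filterSpec stanza names disagree: a filter that is listed but never defined hashes nothing, and a stanza that is defined but not listed is ignored. The following checker, added here as an example and not part of the original page or of Splunk, parses an audit.conf fragment and reports both mistakes, then predicts which events would be hashed. The sample configuration is constructed, and the exact-match rule for host/source/sourcetype values is an assumption of this example, not a statement about how Splunk matches filters.

```python
import configparser
import re

# Constructed sample audit.conf (not from the page). "serverWhiteList" is listed
# but never defined, and "dbWhiteList" is defined but never listed.
SAMPLE_AUDIT_CONF = """\
[eventHashing]
filters = nessusWhiteList, serverWhiteList

[filterSpec:event_whitelist:nessusWhiteList]
sourcetype = nessus

[filterSpec:event_whitelist:dbWhiteList]
source = /var/log/postgresql/postgresql.log
"""

FILTER_KEYS = ("host", "sourcetype", "source")
STANZA_RE = re.compile(r"^filterSpec:event_whitelist:(?P<name>[^:]+)$")


def parse_conf(text):
    """Parse Splunk .conf syntax: each [stanza] becomes a configparser section."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str  # keep key case exactly as written in the file
    cp.read_string(text)
    return cp


def check_event_hashing(text):
    """Return (active_filters, problems).

    active_filters maps filter name -> (key, value) for every filter that is both
    listed in [eventHashing] and defined by a filterSpec stanza.
    """
    cp = parse_conf(text)
    problems = []
    referenced = []
    if cp.has_section("eventHashing"):
        raw = cp.get("eventHashing", "filters", fallback="")
        referenced = [f.strip() for f in raw.split(",") if f.strip()]
    else:
        problems.append("no [eventHashing] stanza: only notable events are hashed")

    defined = {}
    for section in cp.sections():
        m = STANZA_RE.match(section)
        if not m:
            continue
        keys = [k for k in cp.options(section) if k in FILTER_KEYS]
        if len(keys) != 1:
            problems.append(f"[{section}] must set exactly one of host/sourcetype/source, has {keys}")
            continue
        defined[m.group("name")] = (keys[0], cp.get(section, keys[0]).strip())

    for name in referenced:
        if name not in defined:
            problems.append(f"filter '{name}' is listed in [eventHashing] but has no filterSpec stanza")
    for name in defined:
        if name not in referenced:
            problems.append(f"filter '{name}' is defined but not listed in [eventHashing], so it is inactive")

    active = {n: defined[n] for n in referenced if n in defined}
    return active, problems


def will_be_hashed(event, active):
    """Return the name of the active filter this event matches, or None.

    `event` is a dict of host/source/sourcetype metadata (constructed by the caller).
    Exact string comparison is an assumption of this example.
    """
    for name, (key, value) in active.items():
        if event.get(key) == value:
            return name
    return None


if __name__ == "__main__":
    active, problems = check_event_hashing(SAMPLE_AUDIT_CONF)
    print("active filters:", active)
    for p in problems:
        print("problem:", p)
```

Run it against your own $SPLUNK_HOME/etc/system/local/audit.conf before restarting Splunk; an empty problems list means every listed filter is backed by a stanza and every stanza is actually in use.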

Audit event signing

When auditing is enabled, Splunk records an audit trail by creating and signing audit events. The audit processor assigns each audit event a sequence number, then creates a hash signature from that sequence number and the event's timestamp. Once audit signing is enabled, you can search for gaps in the sequence numbers to find out whether audit events have been deleted.

Audit event signing is configured in the auditTrail stanza in audit.conf. See "How audit event signing works" in the Splunk core documentation for details of how to generate a public/private key pair and enable audit event signing.

Once you have set up audit signing, you can view the Splunk audit events, with their validation status, by running the `audit_validation` macro as a search:

`audit_validation`
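The page describes gap detection but does not show it. The script below is an added example, not part of the original page or of Splunk: it parses audit events, reports missing and duplicated sequence numbers, and flags events whose signature field is empty. The sample events are constructed; their layout (a bracketed list of key=value fields followed by a bracketed signature field, written as [n/a] when signing is off) is the shape of Splunk audit events as the author recalls it and is an assumption of this example. The script does not verify signatures; that requires the public key and is what the `audit_validation` macro does inside Splunk.

```python
import re

# Constructed sample audit events (not from the page). Sequence ids 1003 and 1006
# are missing, 1005 appears twice, and 1007 carries no signature. The "sig-..."
# values are placeholders, not real signatures.
SAMPLE_AUDIT_EVENTS = """\
Audit:[timestamp=08-14-2013 10:00:01.000, id=1001, user=admin, action=login attempt, info=succeeded][sig-a1]
Audit:[timestamp=08-14-2013 10:00:05.000, id=1002, user=admin, action=search, info=granted][sig-b2]
Audit:[timestamp=08-14-2013 10:00:09.000, id=1004, user=admin, action=search, info=granted][sig-c3]
Audit:[timestamp=08-14-2013 10:00:12.000, id=1005, user=analyst, action=login attempt, info=failed][sig-d4]
Audit:[timestamp=08-14-2013 10:00:12.000, id=1005, user=analyst, action=login attempt, info=failed][sig-d4]
Audit:[timestamp=08-14-2013 10:00:20.000, id=1007, user=analyst, action=edit_user, info=granted][n/a]
"""

# fields block, then the trailing signature block (assumed layout, see lead-in)
EVENT_RE = re.compile(r"^Audit:\[(?P<fields>.*)\]\[(?P<sig>[^\]]*)\]\s*$")


def parse_audit_event(line):
    """Return a dict of the event's fields plus 'signature', or None if not an audit event."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    fields = {}
    for part in m.group("fields").split(", "):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    fields["signature"] = m.group("sig")
    return fields


def check_audit_sequence(text):
    """Return (gaps, duplicates, unsigned_ids) over the audit events in `text`.

    gaps: sequence numbers absent between the lowest and highest id seen.
    duplicates: ids that occur more than once (replayed or copied events).
    unsigned_ids: ids whose signature field is 'n/a' (signing was off).
    """
    ids, unsigned = [], []
    for line in text.splitlines():
        ev = parse_audit_event(line)
        if ev is None or "id" not in ev:
            continue
        seq = int(ev["id"])
        ids.append(seq)
        if ev["signature"] == "n/a":
            unsigned.append(seq)
    if not ids:
        return [], [], []

    seen, duplicates = set(), set()
    for seq in ids:
        if seq in seen:
            duplicates.add(seq)
        seen.add(seq)
    gaps = [i for i in range(min(seen), max(seen) + 1) if i not in seen]
    return gaps, sorted(duplicates), unsigned


if __name__ == "__main__":
    gaps, dups, unsigned = check_audit_sequence(SAMPLE_AUDIT_EVENTS)
    print("missing ids:", gaps)
    print("duplicate ids:", dups)
    print("unsigned ids:", unsigned)
```

Two limitations matter in practice: events deleted after the highest id seen leave no gap, so compare the last id against the audit processor's current counter as well, and a gap only tells you something is missing, not what; the signed content of the surviving events is what lets you trust what remains.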

IT data signing

IT data signing applies a digital signature to blocks of IT events so that the integrity of the data can be verified at search time and gaps in the data (for example, deleted log messages) can be identified. IT data signing is configured in indexes.conf by setting blockSignSize to a value greater than zero, either per index (sign all events in that index) or globally (all indexes). Increasing the block size reduces the number of blocks Splunk has to sign and therefore the performance impact, at the cost of coarser detection, since validation and gap detection operate on whole blocks. Signing is not encryption: the events remain readable; the signature only lets Splunk detect modification or deletion. See "IT data signing" in the Splunk core documentation for more information.

To verify data that has been digitally signed:

1. Click the down arrow next to the event in any search window.


2. Select Show Source.
Splunk displays all of the source data for the block containing that event. The top of the view source page shows a message indicating whether the source data was validated. No message is displayed if data signing is disabled, so the absence of a message is not evidence that the data is intact.

Note: Enabling data signing will cause a decrease in overall search and index performance.

Data masking

Some data sources may provide IT data containing sensitive information that should not be available within Splunk. This may include passwords, credit card numbers, names, email addresses, or other personally identifiable information. Splunk can replace the sensitive data at index time, so that it is never written to the index or shown in search results. Masking applies only to data indexed after it is configured; events already in the index are not changed, and the original values are not recoverable afterwards. See "Anonymize data" in the Splunk documentation for more information.
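The example below, added here and not taken from the page or from Splunk, shows what index-time masking does to constructed sample events and includes the check a practitioner should run before deploying a rule: confirm that nothing sensitive survives in the masked output. The rules are written as sed-style regex substitutions, in the spirit of the SEDCMD settings in props.conf that the "Anonymize data" topic describes as the author understands them; the patterns, field names, and sample lines are all constructed for this example.

```python
import re

# Constructed sample events (not from the page); the card numbers are standard
# test numbers, not real accounts.
SAMPLE_EVENTS = [
    "2013-08-14T10:01:02Z app=billing user=jdoe card=4111111111111111 amount=19.99",
    "2013-08-14T10:01:05Z app=auth user=jdoe password=Summer2013! result=ok",
    "2013-08-14T10:01:09Z app=auth user=asmith password=hunter2 result=fail",
    "2013-08-14T10:01:12Z app=billing user=asmith card=5500 0000 0000 0004 amount=5.00",
]

# Masking rules in the spirit of SEDCMD s/regex/replacement/g (assumed form).
MASK_RULES = [
    # 16-digit card number, digits optionally separated by spaces or dashes:
    # keep only the last four digits
    (re.compile(r"\b(?:\d[ -]?){12}(\d{4})\b"), r"************\1"),
    # blank the value of any password= field up to the next whitespace
    (re.compile(r"(password=)\S+"), r"\1########"),
]

# Patterns used only to audit the result of masking.
CARD_RE = re.compile(r"\b(?:\d[ -]?){15}\d\b")
PASSWORD_RE = re.compile(r"password=(\S+)")


def mask_event(event, rules=MASK_RULES):
    """Apply every masking rule, in order, to one raw event string."""
    for pattern, replacement in rules:
        event = pattern.sub(replacement, event)
    return event


def mask_events(events, rules=MASK_RULES):
    return [mask_event(e, rules) for e in events]


def leaks_sensitive_data(event):
    """True if a full card number or an unmasked password value is still present."""
    if CARD_RE.search(event):
        return True
    m = PASSWORD_RE.search(event)
    return bool(m and set(m.group(1)) != {"#"})


if __name__ == "__main__":
    for raw, masked in zip(SAMPLE_EVENTS, mask_events(SAMPLE_EVENTS)):
        print(masked, "LEAK" if leaks_sensitive_data(masked) else "ok")
```

Test masking rules against real samples of each source before enabling them: a pattern that misses a format leaks the value into the index, and a pattern that is too broad destroys data you may need later, with no way to get it back.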

Last modified on 14 August, 2013

This documentation applies to the following versions of Splunk® Enterprise Security: 3.0, 3.0.1