Splunk® SOAR (On-premises)

Install and Upgrade Splunk SOAR (On-premises)

This documentation does not apply to the most recent version of Splunk® SOAR (On-premises). For documentation on the most recent version, go to the latest release.

FIPS compliance

With the 5.2.1 and higher releases, Splunk SOAR (On-premises) can be deployed in a Federal Information Processing Standard (FIPS) compliant mode.

For a security application such as Splunk SOAR (On-premises) to be considered FIPS compliant, it must meet the standards specified by the National Institute of Standards and Technology (NIST) in FIPS 140-2.

Splunk SOAR (On-premises) differences for FIPS

When deployed in FIPS compliant mode, there are differences in 5.2.1 from earlier releases.

  • Support for MD5 hashing is disabled.
  • Python 2 support is disabled.
  • In FIPS compliant mode:
    • on CentOS 7.x, Red Hat Enterprise Linux 7.x, or Amazon Linux 2, Splunk SOAR (On-premises) installs and uses OpenSSL 1.1.
    • on Red Hat Enterprise Linux 8.x, Splunk SOAR (On-premises) uses the system's version of OpenSSL.
      You are responsible for ensuring your system's version of OpenSSL is FIPS compliant. Search for "Enabling FIPS Mode" in the Security Guide on redhat.com.
  • Splunk SOAR (On-premises) uses a FIPS compliant version of Python 3 which does not support disallowed hashing methods.

Prerequisites for deploying in FIPS compliant mode

If you need to adhere to the FIPS standard, you must prepare your environment for FIPS compliance before deploying Splunk SOAR (On-premises).

Operating System

You must use a supported operating system in FIPS mode:

  • Red Hat Enterprise Linux 7.6 through 7.9
  • Red Hat Enterprise Linux 8.0 and any of the minor versions of 8.
  • CentOS 7.6 through 7.9
  • Amazon Linux 2

You can learn more about setting your operating system to use FIPS mode from the operating system vendor's websites:

Clustering and external services

When you deploy either a Splunk SOAR (On-premises) cluster or an instance with external services:

  • Each cluster node or external service must be deployed on a FIPS compliant operating system.
  • Each external service, such as PostgreSQL, Splunk Enterprise, your load balancer, and the file share file system, must be in FIPS compliant mode.

Limitations

Deploying in FIPS compliant mode has the following limitations:

  • Only new deployments can be created. Upgrades from non-FIPS deployments to FIPS deployments are not possible.
  • Only unprivileged deployments are supported.
  • You cannot disable FIPS mode. Once deployed in FIPS compliant mode, the choice cannot be undone, nor can the deployment be downgraded to a non-FIPS mode.

Apps

Not all apps have been validated for FIPS compliance.

When you attempt to install a new app, or configure an asset for an installed app that is not validated as FIPS compliant, a warning message is displayed. You may still install apps, but their actions may fail because of FIPS-related constraints such as disallowed TLS certificate signing or hashing algorithms, or unsupported Python versions.

Updated apps are released on Splunkbase and the Phantom Community Portal. You can always check to see if an app has been updated for FIPS compliance.

How to determine if Splunk SOAR (On-premises) is in FIPS compliant mode

In order to determine if your deployment is in FIPS compliant mode, you can either check the user interface, or use a REST API.

Check FIPS compliant status in the user interface

Use the user interface to check FIPS status.

  1. From the Home menu, select Administration.
  2. Select About.

If the deployment is in FIPS compliant mode, the FIPS enabled line will read "Yes".

Check FIPS compliant status with the REST API

Use the REST API to determine whether or not a deployment is in FIPS compliant mode.

Send a query to the /rest/system_settings?sections=["fips"] API. The response is a JSON body containing the "fips" section of the system settings. If "enabled" is true, then FIPS compliant mode is enabled.

{
    "fips": {
        "enabled": true
    }
}
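
The REST check described above, scripted so it can be run against each node of a deployment. This is an added example, not Splunk's own code. The host name, the token value, and the use of the ph-auth-token header for authentication are assumptions, and the sample responses are constructed.

```python
import json
import ssl
import urllib.parse
import urllib.request


def fips_settings_url(base_url):
    """Build the system_settings query for the "fips" section (URL-encoded)."""
    query = urllib.parse.urlencode({"sections": json.dumps(["fips"])})
    return f"{base_url.rstrip('/')}/rest/system_settings?{query}"


def parse_fips_enabled(body):
    """Return the boolean fips.enabled value; raise on anything unexpected.

    A compliance check should fail closed: a missing section or a
    non-boolean value (for example the string "true") is an error,
    not evidence that FIPS mode is on.
    """
    try:
        doc = json.loads(body)
    except json.JSONDecodeError as exc:
        raise ValueError("response is not JSON") from exc
    section = doc.get("fips") if isinstance(doc, dict) else None
    if not isinstance(section, dict) or not isinstance(section.get("enabled"), bool):
        raise ValueError("response has no boolean fips.enabled")
    return section["enabled"]


def check_fips(base_url, token, cafile=None):
    """Query one deployment over TLS with certificate verification on."""
    ctx = ssl.create_default_context(cafile=cafile)
    req = urllib.request.Request(
        fips_settings_url(base_url),
        headers={"ph-auth-token": token},  # assumed auth header
    )
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return parse_fips_enabled(resp.read().decode("utf-8"))


if __name__ == "__main__":
    # Constructed responses, so the parsing can be exercised offline.
    samples = ['{"fips": {"enabled": true}}', '{"fips": {"enabled": "true"}}', "{}"]
    for body in samples:
        try:
            print(body, "->", parse_fips_enabled(body))
        except ValueError as err:
            print(body, "-> rejected:", err)
```
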
Last modified on 20 December, 2023

This documentation applies to the following versions of Splunk® SOAR (On-premises): 5.5.0, 6.0.0, 6.0.1

