About securing Splunk Software
As soon as you set up and begin using your new Splunk Software installation or upgrade, you should perform a few additional steps to ensure that your data is secure. Taking the proper steps to secure Splunk Software reduces its attack surface and mitigates the risk and impact of most vulnerabilities.
Set up authenticated users and manage user access by assigning roles
Set up users and use roles to control access.
- Secure your Admin password and use it only for administration tasks.
- Configure users and strictly manage roles, and therefore access levels, using one of:
  - Splunk's own built-in system, described in "Set up user authentication with Splunk's built-in system."
  - LDAP, described in "Set up user authentication with LDAP."
  - A scripted authentication API for use with an external authentication system, such as PAM or RADIUS, described in "Set up user authentication with external systems."
- Use roles and capabilities to manage and restrict access.
Use certificates and encryption to secure communications for your Splunk configuration
Splunk software comes with a set of default certificates and keys that, when enabled, provide encryption and data compression. You can also use your own certificates and keys to secure communications between your browser and Splunk Web as well as data sent from forwarders to a receiver, such as an indexer.
Under certain conditions, you can also secure communications in distributed search environments, configuration data sent to clients by a deployment server, and communications from Splunk Web to splunkd.
For more information about securing communications with SSL, see "About securing Splunk with SSL" in this manual.
Harden your Splunk instances to reduce vulnerability and risk
- You can set passwords across multiple servers to ensure consistent authentication.
- Use the Splunk Enterprise Access Control Lists (ACLs) to limit the IP addresses that can access various parts of your networks.
Audit your system regularly to keep an eye on user and admin access, as well as other activities
Keep an eye on activities within Splunk (such as searches or configuration changes). Auditing provides visibility of system activities. You can use this information for compliance reporting, troubleshooting, and attribution during incident response.
You can use the file system-based monitoring available out of the box on most Splunk-supported operating systems.
For more information about monitoring, see "Monitor Files and Directories" in the Getting Data In manual.
- Audit events
Audit events are generated whenever anyone accesses any of your Splunk instances, including any searches, configuration changes or administrative activities. Each audit event contains information that shows you what changed, where and when it changed, and who made the change. Audit events are especially useful in distributed Splunk configurations for detecting configuration and access control changes across many Splunk servers.
To learn more, see "Audit Splunk Enterprise activity" in this manual.
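The following is an added example, not code from Splunk or this manual, showing how the audit events described above can be reviewed outside Splunk: it parses lines shaped like the `Audit:[key=value, ...][n/a]` entries in audit.log, then flags repeated failed logins, configuration changes by users who are not expected administrators, and logins from addresses outside the networks your ACLs are meant to allow. The sample lines are constructed (not real data), the separator format and the set of configuration-change action names are assumptions that you should adjust to your version's actual field layout, and `EXPECTED_ADMINS` and the allow-list are hypothetical policy values.

```python
"""Review Splunk-style audit events for suspicious activity (added example)."""
import ipaddress
import re
from collections import Counter
from typing import Dict, Iterable, List, Set, Tuple

# Constructed sample lines modelled on the Audit:[...][n/a] shape; the
# real field set and separators vary by Splunk version (assumption).
SAMPLE_LINES = [
    '03-12-2015 14:22:01.123 -0700 INFO  AuditLogger - Audit:[timestamp=03-12-2015 14:22:01.123, '
    'user=admin, action=login attempt, info=succeeded, clientip=10.0.0.5][n/a]',
    '03-12-2015 14:22:30.000 -0700 INFO  AuditLogger - Audit:[timestamp=03-12-2015 14:22:30.000, '
    'user=dave, action=login attempt, info=succeeded, clientip=10.0.0.9][n/a]',
    '03-12-2015 14:23:00.000 -0700 INFO  AuditLogger - Audit:[timestamp=03-12-2015 14:23:00.000, '
    'user=dave, action=edit_roles, info=granted, object="user", operation="edit"][n/a]',
    '03-12-2015 14:24:00.000 -0700 INFO  AuditLogger - Audit:[timestamp=03-12-2015 14:24:00.000, '
    'user=admin, action=edit_user, info=granted, object="carol", operation="create"][n/a]',
    '03-12-2015 14:25:00.000 -0700 INFO  AuditLogger - Audit:[timestamp=03-12-2015 14:25:00.000, '
    'user=admin, action=search, info=granted, search="search index=_audit action=edit_*"][n/a]',
] + [
    # Five failed logins for the same user from the same external address.
    f'03-12-2015 14:26:0{i}.000 -0700 INFO  AuditLogger - Audit:[timestamp=03-12-2015 14:26:0{i}.000, '
    'user=bob, action=login attempt, info=failed, reason=bad-password, clientip=203.0.113.7][n/a]'
    for i in range(5)
]

# Body between "Audit:[" and the trailing "][...]" block.
AUDIT_RE = re.compile(r'Audit:\[(?P<body>.*)\]\[[^\]]*\]\s*$')
# key=value pairs; values are either double-quoted or run up to the next comma.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|[^,\]]*)')

# Action names that change configuration or access control. These mirror
# Splunk capability names but the exact set is an assumption for this example.
CONFIG_ACTIONS = {"edit_user", "edit_roles", "edit_password", "edit_server"}
EXPECTED_ADMINS = {"admin"}  # hypothetical policy value


def parse_audit_line(line: str) -> Dict[str, str]:
    """Return the key=value fields of one audit line, or {} if it is not one."""
    m = AUDIT_RE.search(line)
    if not m:
        return {}
    fields = {}
    for key, raw in KV_RE.findall(m.group("body")):
        value = raw.strip()
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def load_events(lines: Iterable[str]) -> List[Dict[str, str]]:
    return [e for e in (parse_audit_line(l) for l in lines) if e]


def find_failed_login_bursts(events, threshold: int = 5) -> List[Tuple[str, str]]:
    """(user, clientip) pairs with at least `threshold` failed login attempts."""
    counts = Counter(
        (e.get("user", ""), e.get("clientip", ""))
        for e in events
        if e.get("action") == "login attempt" and e.get("info") == "failed"
    )
    return sorted(k for k, n in counts.items() if n >= threshold)


def find_unexpected_config_changes(events, expected_admins: Set[str]) -> List[Tuple[str, str, str]]:
    """Granted configuration changes made by users outside the expected admin set."""
    return [
        (e["user"], e["action"], e.get("object", ""))
        for e in events
        if e.get("action") in CONFIG_ACTIONS
        and e.get("info") == "granted"
        and e.get("user") not in expected_admins
    ]


def find_logins_outside_allowlist(events, allowed_networks: Iterable[str]) -> List[Tuple[str, str]]:
    """Login attempts (any outcome) from addresses not covered by the allow-list."""
    nets = [ipaddress.ip_network(n) for n in allowed_networks]
    hits = set()
    for e in events:
        if e.get("action") != "login attempt" or "clientip" not in e:
            continue
        ip = ipaddress.ip_address(e["clientip"])
        if not any(ip in net for net in nets):
            hits.add((e.get("user", ""), e["clientip"]))
    return sorted(hits)


if __name__ == "__main__":
    evts = load_events(SAMPLE_LINES)
    print("failed-login bursts:", find_failed_login_bursts(evts))
    print("unexpected config changes:", find_unexpected_config_changes(evts, EXPECTED_ADMINS))
    print("logins outside allow-list:", find_logins_outside_allowlist(evts, ["10.0.0.0/8"]))
```

Each check returns plain tuples so the same logic can run against a file you have exported from `index=_audit` or directly against audit.log; the ACL cross-check is useful precisely because an `acceptFrom`-style restriction and the audit trail should agree, and a login recorded from an address the allow-list excludes means one of the two is misconfigured.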
This documentation applies to the following versions of Splunk® Enterprise: 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.0.15, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.1.14