Splunk® Enterprise

Securing Splunk Enterprise


This documentation does not apply to the most recent version of Splunk.

Securing Splunk Enterprise with FIPS

FIPS uses government-certified versions of some algorithms to meet regulatory guidelines. It should not be considered a security enhancement by itself and may potentially make your system slower. Enable FIPS if it is a regulatory requirement for your environment.

Splunk Enterprise and the Universal Forwarder use an embedded FIPS 140-2-validated cryptographic module (Certificate #2398, Module Version fips-2.0.12) running on various platforms per FIPS 140-2 Implementation Guidance section G.5 guidelines.

Before you begin

Keep the following in mind:

  • Though FIPS is disabled by default, you must enable it before the initial startup.
  • FIPS is automatically enabled if you are running Splunk software on a Linux machine with a kernel in FIPS mode.
  • The FIPS module disables the use of some cryptographic algorithms (such as MD5 and RC4) in the instance of Python that Splunk software uses to run apps. Make sure that any apps you intend to run are certified to run in FIPS mode and do not have dependencies on these algorithms.

Enable FIPS

Make sure to enable FIPS mode with your initial Splunk installation. If you install without FIPS mode enabled, you cannot upgrade the installation to a FIPS version and must reinstall with FIPS mode enabled.

To enable FIPS:

1. Before you start Splunk Enterprise for the first time, edit $SPLUNK_HOME/etc/splunk-launch.conf to add the following line:

SPLUNK_FIPS=1

2. When you start Splunk software for the first time, it will run in FIPS mode.

Use indexes with FIPS enabled

Running Splunk in FIPS mode does not alter indexed data in any way. You can copy indexes between FIPS and non-FIPS indexers.

Troubleshoot FIPS

  • If you are in FIPS mode and your usual RSA encrypted private keys do not work, they might be incompatible with FIPS. To mitigate this issue, you can convert your PEM private keys to PKCS#8 format to make them compatible.
  • Once you install Splunk software without FIPS mode enabled, you cannot enable FIPS mode. If you require FIPS compliance, be sure your initial Splunk installation is FIPS-enabled. To change to a version running FIPS mode, reinstall Splunk with FIPS mode turned on.
  • If you have problems running a Splunk app, check that it is certified to run in FIPS mode and doesn't have dependencies on cryptographic algorithms disabled by FIPS (such as MD5 and RC4).
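
The key-format check and conversion from the first troubleshooting item, as an added example that is not part of the Splunk documentation: a shell helper that identifies how a PEM private key is packaged and converts traditional-format RSA keys to PKCS#8 with the openssl pkcs8 command. The function names and file paths are illustrative assumptions. OpenSSL's traditional PEM encryption (the Proc-Type: 4,ENCRYPTED header) derives its key with MD5, one of the algorithms this page lists as disabled in FIPS mode.

```shell
#!/bin/sh
# Added example (hypothetical helper names, not Splunk tooling).

# key_format FILE: print how the PEM private key in FILE is packaged.
key_format() {
    if grep -q -e '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"; then
        echo "pkcs8-encrypted"          # PKCS#8, passphrase protected
    elif grep -q -e '-----BEGIN PRIVATE KEY-----' "$1"; then
        echo "pkcs8-plain"              # PKCS#8, no passphrase
    elif grep -q -e '-----BEGIN RSA PRIVATE KEY-----' "$1"; then
        # Traditional (PKCS#1) container. When encrypted, the key is
        # derived from the passphrase with MD5.
        if grep -q -e '^Proc-Type: 4,ENCRYPTED' "$1"; then
            echo "traditional-encrypted"
        else
            echo "traditional-plain"
        fi
    else
        echo "unknown"
    fi
}

# to_pkcs8 IN OUT: rewrite a traditional-format key as encrypted PKCS#8.
# openssl prompts for the existing passphrase (if any) and the new one.
to_pkcs8() {
    case "$(key_format "$1")" in
        traditional-encrypted|traditional-plain)
            # umask in a subshell: the new key file is owner-only.
            ( umask 077
              openssl pkcs8 -topk8 -v2 aes-256-cbc -in "$1" -out "$2" ) ;;
        pkcs8-*)
            echo "$1: already PKCS#8, nothing to do" >&2 ;;
        *)
            echo "$1: not a recognised PEM private key" >&2
            return 1 ;;
    esac
}

# Usage: sh convert_key.sh server.key server.pkcs8.key  (assumed file names)
if [ "$#" -eq 2 ]; then
    to_pkcs8 "$1" "$2"
fi
```

Write the converted key to a new file and keep the original until Splunk has started successfully with the new one.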

This documentation applies to the following versions of Splunk® Enterprise: 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10

