Securing Splunk Enterprise with FIPS
FIPS mode substitutes government-validated implementations of certain cryptographic algorithms to meet regulatory requirements. It is not a security enhancement in itself, and it can make your system slower. Enable FIPS if it is a regulatory requirement for your environment.
Splunk Enterprise and the Universal Forwarder use an embedded FIPS 140-2-validated cryptographic module (Certificate #2398 Module Version fips-2.0.12) running on various platforms per FIPS 140-2 Implementation Guidance section G.5 guidelines.
- The certificate is listed on the NIST site here: https://csrc.nist.gov/projects/cryptographic-module-validation-program/Certificate/2398.
- The consolidated validation certificate can be viewed here: http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140crt/FIPS140ConsolidatedCertList0054.pdf
Before you begin
Keep the following in mind:
- Although FIPS is disabled by default, you must enable it before the initial startup.
- FIPS is automatically enabled if you are running Splunk software on a Linux machine with a kernel in FIPS mode.
- The FIPS module disables some cryptographic algorithms (such as MD5 and RC4) in the instance of Python that Splunk software uses to run apps. Make sure that any apps you intend to run are certified to run in FIPS mode and do not depend on these algorithms.
Make sure to enable FIPS mode with your initial Splunk installation. If you install without FIPS mode enabled, you cannot later switch that installation to FIPS mode; you must perform a fresh installation with FIPS enabled.
To enable FIPS:
1. Before you start Splunk Enterprise for the first time, edit $SPLUNK_HOME/etc/splunk-launch.conf to add the following line:
2. When you start Splunk software for the first time, it runs in FIPS mode.
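The following Python script is an added example, not Splunk's own code. It bundles the checks implied by the notes above into a pre-first-start readiness script: whether the Linux kernel is in FIPS mode (in which case Splunk enables FIPS by itself), whether splunk-launch.conf carries the FIPS setting, whether the interpreter it runs under already refuses MD5, and a grep-style audit of an app's Python sources for MD5 and RC4 references. It assumes the splunk-launch.conf setting is `SPLUNK_FIPS = 1` (taken from Splunk's splunk-launch.conf reference, not from this page, which omits the line) and that the kernel exposes its state in /proc/sys/crypto/fips_enabled.

```python
"""Pre-first-start FIPS readiness checks for a Splunk Enterprise install.

Added example, not Splunk's own code. Assumptions, labelled inline:
 - the splunk-launch.conf setting is SPLUNK_FIPS = 1 (assumed from Splunk's
   splunk-launch.conf reference; the page this accompanies omits the line);
 - a Linux kernel in FIPS mode reports "1" in /proc/sys/crypto/fips_enabled.
"""
import hashlib
import os
import re
import sys

# Algorithms the FIPS module disables in Splunk's embedded Python (MD5, RC4).
# Plain keyword patterns: an audit aid that produces leads, not proof.
DISALLOWED_PATTERNS = {
    "MD5": re.compile(r"\bmd5\b", re.I),
    "RC4": re.compile(r"\b(?:rc4|arc4|arcfour)\b", re.I),
}


def kernel_fips_enabled(path="/proc/sys/crypto/fips_enabled"):
    """True if the Linux kernel is in FIPS mode (Splunk then enables FIPS on its own)."""
    try:
        with open(path) as fh:
            return fh.read().strip() == "1"
    except OSError:
        return False  # file absent: not a FIPS-mode kernel, or not Linux


def launch_conf_fips(conf_text, key="SPLUNK_FIPS"):
    """Parse splunk-launch.conf text; True only if an uncommented `key = 1` line is present.

    `key` defaults to SPLUNK_FIPS (assumption, see module docstring).
    """
    enabled = False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition("=")
        if sep and name.strip() == key:
            enabled = value.strip() == "1"  # a later duplicate overrides an earlier one here
    return enabled


def interpreter_blocks_md5():
    """True if this interpreter's crypto backend refuses MD5, i.e. it runs under FIPS."""
    try:
        hashlib.md5(b"probe")
        return False
    except ValueError:
        return True


def scan_source_for_disallowed(source_text):
    """Return [(line_no, algorithm, line)] for lines mentioning FIPS-disallowed algorithms."""
    findings = []
    for number, line in enumerate(source_text.splitlines(), start=1):
        for algo, pattern in DISALLOWED_PATTERNS.items():
            if pattern.search(line):
                findings.append((number, algo, line.strip()))
    return findings


def scan_app_dir(app_dir):
    """Walk an app directory and scan every .py file; returns {path: findings}."""
    report = {}
    for root, _dirs, files in os.walk(app_dir):
        for name in files:
            if name.endswith(".py"):
                path = os.path.join(root, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = scan_source_for_disallowed(fh.read())
                if hits:
                    report[path] = hits
    return report


if __name__ == "__main__":
    splunk_home = os.environ.get("SPLUNK_HOME", "/opt/splunk")
    conf_path = os.path.join(splunk_home, "etc", "splunk-launch.conf")
    try:
        with open(conf_path) as fh:
            conf_on = launch_conf_fips(fh.read())
    except OSError:
        conf_on = False
    print(f"kernel FIPS mode       : {kernel_fips_enabled()}")
    print(f"SPLUNK_FIPS=1 in conf  : {conf_on}")
    print(f"this Python blocks MD5 : {interpreter_blocks_md5()}")
    for app in sys.argv[1:]:  # app directories to audit, e.g. $SPLUNK_HOME/etc/apps/<app>
        for path, hits in scan_app_dir(app).items():
            for number, algo, text in hits:
                print(f"{path}:{number}: {algo}: {text}")
```

Run it with Splunk's own interpreter (`$SPLUNK_HOME/bin/splunk cmd python`) if you want the MD5 probe to reflect the Python the apps actually execute under. The source scan is a keyword search, so treat each hit as something to review rather than as proof of a dependency.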
Use indexes with FIPS enabled
Running Splunk in FIPS mode does not alter indexed data in any way. You can copy indexes between FIPS and non-FIPS indexers.
- If you are in FIPS mode and your existing RSA private keys do not work, they might be in a format the FIPS module does not accept. To mitigate this, convert the PEM private key to PKCS#8 format to make it compatible.
- If you install Splunk software without FIPS mode enabled, you cannot enable FIPS mode afterwards. If you require FIPS compliance, make sure your initial Splunk installation is FIPS-enabled. To move to a version running in FIPS mode, reinstall Splunk with FIPS mode turned on.
- If you have problems running a Splunk app, check that it is certified to run in FIPS mode and does not depend on cryptographic algorithms that FIPS disables (such as MD5 and RC4).
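The PKCS#8 conversion mentioned above is normally done with `openssl pkcs8 -topk8 -nocrypt -in key.pem -out key.pkcs8.pem`. The following added example, which is not Splunk's code, shows what that conversion actually is using only the Python standard library: it classifies a PEM private key by its header and wraps a PKCS#1 RSA key ("BEGIN RSA PRIVATE KEY") into a PKCS#8 PrivateKeyInfo structure ("BEGIN PRIVATE KEY"). The key material is untouched; only the DER container around it changes. The OID and structure are those of PKCS#8 itself; any sample key fed to it in testing is a constructed placeholder DER, not a real RSA key.

```python
"""Wrap a PKCS#1 RSA private key (PEM) into an unencrypted PKCS#8 PEM.

Added example, not Splunk's code. Equivalent to
    openssl pkcs8 -topk8 -nocrypt -in key.pem -out key.pkcs8.pem
The RSA key bytes are copied verbatim into the new container.
"""
import base64
import re

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)


def der_length(n):
    """DER definite-form length: one byte below 128, otherwise 0x80|count followed by big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag, content):
    """Tag-length-value encoding of one DER element."""
    return bytes([tag]) + der_length(len(content)) + content


def pkcs1_to_pkcs8_der(pkcs1_der):
    """PrivateKeyInfo ::= SEQUENCE { version INTEGER 0,
                                     AlgorithmIdentifier SEQUENCE { rsaEncryption OID, NULL },
                                     privateKey OCTET STRING (the PKCS#1 DER) }"""
    version = der_tlv(0x02, b"\x00")
    algorithm = der_tlv(0x30, der_tlv(0x06, RSA_ENCRYPTION_OID) + b"\x05\x00")  # NULL parameters
    private_key = der_tlv(0x04, pkcs1_der)
    return der_tlv(0x30, version + algorithm + private_key)


def key_format(pem_text):
    """Classify a PEM private key: pkcs1, pkcs1-encrypted, pkcs8, pkcs8-encrypted or unknown."""
    match = PEM_RE.search(pem_text)
    if not match:
        return "unknown"
    label, body = match.group(1), match.group(2)
    if label == "RSA PRIVATE KEY":
        # Legacy OpenSSL encryption announces itself with a Proc-Type header inside the block.
        return "pkcs1-encrypted" if "Proc-Type: 4,ENCRYPTED" in body else "pkcs1"
    if label == "PRIVATE KEY":
        return "pkcs8"
    if label == "ENCRYPTED PRIVATE KEY":
        return "pkcs8-encrypted"
    return "unknown"


def pem_to_der(body):
    """Strip whitespace from a PEM body and base64-decode it."""
    return base64.b64decode("".join(body.split()))


def der_to_pem(der, label):
    """Base64-armour DER with 64-character lines under the given label."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


def convert_to_pkcs8(pem_text):
    """Return a PKCS#8 PEM. PKCS#8 input passes through unchanged; encrypted input is refused."""
    fmt = key_format(pem_text)
    if fmt == "pkcs8":
        return pem_text
    if fmt == "pkcs1":
        body = PEM_RE.search(pem_text).group(2)
        return der_to_pem(pkcs1_to_pkcs8_der(pem_to_der(body)), "PRIVATE KEY")
    raise ValueError(f"cannot convert key of format {fmt!r}; decrypt it with openssl first")


if __name__ == "__main__":
    import sys
    # Usage: umask 077; python pkcs1_to_pkcs8.py < key.pem > key.pkcs8.pem
    sys.stdout.write(convert_to_pkcs8(sys.stdin.read()))
```

Encrypted keys, whether legacy `Proc-Type: 4,ENCRYPTED` PKCS#1 or `BEGIN ENCRYPTED PRIVATE KEY` PKCS#8, are rejected rather than silently rewrapped: decrypt them with openssl first. Because only the container changes, the key length and algorithm are exactly what they were before, so the conversion does not rescue a key that FIPS rejects for reasons other than its format. Create the output file with a restrictive umask so the unencrypted private key is never world-readable.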
This documentation applies to the following versions of Splunk® Enterprise: 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10