Splunk® Enterprise

Securing Splunk Enterprise

Splunk Enterprise version 7.2 is no longer supported as of April 30, 2021. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk® Enterprise. For documentation on the most recent version, go to the latest release.

Some best practices for your servers and operating system

Operating System

To maximize security, harden the operating system on all computers where you run Splunk software.

  • If your organization does not have internal hardening standards, consult the CIS hardening benchmarks.
  • At a minimum, limit shell and command-line access to your Splunk servers to the administrators who need it.

Splunk

  • Configure redundant Splunk instances that each index a copy of the same data.
  • Back up Splunk data and configurations regularly.
  • Periodically test recovery by restoring Splunk Enterprise from backup.
  • Verify the integrity of your Splunk download by computing its hash and comparing the result with the value that Splunk publishes for that release. Prefer a SHA-2 digest such as SHA-512 where one is published; MD5 is no longer collision resistant, so an MD5 match only shows that the file was not corrupted in transit, not that it was not tampered with. For example:

openssl dgst -sha512 <filename-splunk-downloaded.zip>
openssl dgst -md5 <filename-splunk-downloaded.zip>

  A digest fetched from the same server as the package detects corruption, but an attacker who can replace the package on that server can replace the published digest as well; where possible, obtain the expected value through a second channel.
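As an added example that is not part of the Splunk documentation, the POSIX shell functions below wrap the openssl invocation above: they compute the digest of a downloaded package, normalise the published value (case, stray whitespace) and compare the two, falling back to the coreutils sha*sum tools on hosts without the openssl binary. The file contents in the demonstration at the end are constructed; in practice the expected digest is the value shown on the Splunk download page for that release.

```shell
#!/bin/sh
# Added example (not from the Splunk documentation): verify a downloaded
# package against a vendor-published digest. Default algorithm is SHA-512;
# MD5 is accepted only for comparing against a legacy published value.

# digest_of FILE ALGO -> prints the lowercase hex digest (sha512|sha256|md5)
digest_of() {
    file="$1"; algo="$2"
    if command -v openssl >/dev/null 2>&1; then
        # "openssl dgst -sha512 FILE" prints "SHA512(FILE)= <hex>"; keep the hex
        openssl dgst "-$algo" "$file" | awk '{print tolower($NF)}'
    else
        # Fallback for hosts without the openssl binary (unknown ALGO prints nothing)
        case "$algo" in
            sha512) sha512sum "$file" ;;
            sha256) sha256sum "$file" ;;
            md5)    md5sum "$file" ;;
        esac | awk '{print tolower($1)}'
    fi
}

# verify_download FILE EXPECTED_HEX [ALGO] -> 0 when the digest matches, 1 otherwise
verify_download() {
    file="$1"; expected="$2"; algo="${3:-sha512}"
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 1; }
    actual=$(digest_of "$file" "$algo")
    # Published values are sometimes shown in upper case or pasted with a
    # trailing newline or CR; normalise before comparing.
    expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f' | tr -d ' \t\r\n')
    if [ -n "$actual" ] && [ "$actual" = "$expected" ]; then
        echo "OK: $algo digest of $file matches the published value"
        return 0
    fi
    echo "MISMATCH: $algo digest of $file" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
}

# Demonstration with a constructed file standing in for the download and its
# own digest standing in for the value copied from the download page.
demo_file=$(mktemp)
printf 'constructed package contents\n' > "$demo_file"
published=$(digest_of "$demo_file" sha512)
verify_download "$demo_file" "$published" sha512
rm -f "$demo_file"
```

In a deployment pipeline, call `verify_download` on the package before `tar`/unzip and let a non-zero exit status stop the install; the function deliberately refuses to match an empty expected value, so a failed copy-and-paste of the digest cannot pass.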

Client browser

  • Use a current version of a supported browser, such as Firefox or Chrome.
  • Use a client-side JavaScript blocker such as NoScript on Firefox, or the XSS Filter built into Internet Explorer 8, to help protect against XSS, XSRF, and similar attacks.
  • Do not rely on Adobe Flash Player: Adobe ended support for it on December 31, 2020, and current browsers no longer run it. If it is still installed on a client, remove it rather than updating it.

Physical security

  • Secure physical access to all Splunk servers.
  • Ensure that Splunk end users practice sound physical and endpoint security.
    • Set a short time-out for Splunk Web user sessions. See Configure timeouts for more information.

More opportunities to secure your configuration

  • Use a version control system, such as Subversion, to track changes to Splunk configurations.
  • Integrate Splunk configuration changes into your existing change management framework.
  • Configure Splunk Enterprise to monitor its own configuration files and alert on changes.
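The last item can be implemented inside Splunk with a file monitor input and a scheduled alert. The script below is an added example, not code from the Splunk documentation, that performs the equivalent check outside Splunk (for example from cron on each server), so it still fires if someone with Splunk admin rights disables the Splunk-side alert. It records a SHA-256 manifest of every .conf file under a Splunk installation and reports files added, removed or modified since the baseline. The directory layout follows the standard $SPLUNK_HOME/etc tree; the baseline path and the sample files used in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example (not from the Splunk documentation): file-integrity check for
# Splunk configuration files. Keep the baseline somewhere the Splunk service
# account and Splunk admins cannot write to; otherwise whoever changes a .conf
# file can simply re-baseline.

# sha256_of FILE -> lowercase hex SHA-256 (coreutils first, openssl as fallback)
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | awk '{print $1}'
    else openssl dgst -sha256 "$1" | awk '{print tolower($NF)}'; fi
}

# build_manifest SPLUNK_HOME -> one "<sha256>  <path relative to SPLUNK_HOME>"
# line per .conf file under etc/, sorted so identical trees give identical output.
# Paths containing whitespace are not expected under etc/ and are not handled.
build_manifest() {
    ( cd "$1" && find etc -type f -name '*.conf' | LC_ALL=C sort |
      while IFS= read -r f; do printf '%s  %s\n' "$(sha256_of "$f")" "$f"; done )
}

# check_manifest SPLUNK_HOME BASELINE -> prints one "ADDED|REMOVED|MODIFIED <path>"
# line per difference and returns 1; prints nothing and returns 0 when unchanged.
check_manifest() {
    current=$(mktemp)
    build_manifest "$1" > "$current"
    report=$(awk '
        FILENAME == ARGV[1] { base[$2] = $1; next }   # first file: baseline
                            { cur[$2]  = $1 }         # second file: current tree
        END {
            for (p in base) {
                if (!(p in cur)) print "REMOVED  " p
                else if (base[p] != cur[p]) print "MODIFIED " p
            }
            for (p in cur) if (!(p in base)) print "ADDED    " p
        }' "$2" "$current" | LC_ALL=C sort)
    rm -f "$current"
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# Usage (paths are assumptions):
#   build_manifest /opt/splunk > /var/lib/splunk-baseline/etc.sha256     # after each approved change
#   check_manifest /opt/splunk /var/lib/splunk-baseline/etc.sha256 \
#       || logger -p auth.warning -t splunk-config "configuration files changed"
```

Because the report is sorted and contains only paths relative to $SPLUNK_HOME, the same baseline can be compared on every member of a cluster that is supposed to carry identical configuration; a member that differs shows up as a MODIFIED or ADDED line even if nobody touched the baseline host.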
Last modified on 09 June, 2021
This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14