Splunk® Enterprise

Securing Splunk Enterprise with Common Criteria



Splunk Enterprise version 7.3 is no longer supported as of October 22, 2021. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk® Enterprise. For documentation on the most recent version, go to the latest release.

About Common Criteria for Splunk Enterprise

Common Criteria mode is supported for Splunk Enterprise as a single instance on a single machine; it is not supported for distributed environments.

Splunk Enterprise supports Common Criteria on the following platform:

  • Red Hat Enterprise Linux Server release 6.5 (Santiago)
  • x86_64 architecture (tested on Intel(R) Xeon(R) CPU E3-1220 v3)
  • Security-Enhanced Linux (SELinux) with policy version 24

For more information about Splunk Enterprise Common Criteria compliance, see National Information Assurance Partnership - Compliant Product - Splunk Enterprise version 7.3.

Splunk Enterprise provides a special SELinux splunk-selinux.rpm download that is designed to work specifically with Splunk Enterprise in Common Criteria mode. This manual describes how to configure and work with Splunk Enterprise in Common Criteria mode.

Only the external ports, connections, and logs provided by the SELinux and Splunk Enterprise configuration detailed in this manual are supported.

Splunk Enterprise supports only the Splunk splunk-selinux.rpm download; no other versions are supported at this time.

Use this manual to perform specific Common Criteria for Splunk tasks on the SELinux platform (using the provided .rpm). For more information about using SELinux with this manual, see About working with SELinux.

Common Criteria Evaluation

The Common Criteria mode was tested with a specific Federal Information Processing Standards (FIPS) 140-2 certified cryptographic module that comes with Splunk. The use of other cryptographic engines was neither evaluated nor tested during the Common Criteria evaluation of the TOE (Target of Evaluation).

Several administrative functions that might be considered security functions fall outside the scope of the evaluation. The following administrator security functions were tested during the Common Criteria evaluation:

  • Ability to enable/disable the transmission of any information describing the system's hardware, software, or configuration. Specifically, this is done by configuring email alerts about system activity that the TOE can send.
  • Ability to enable/disable the TOE's TLS mutual authentication implementation.
  • Ability to configure the supported TLS ciphersuites.
  • Ability to check the TOE version.

Prerequisites

  1. Red Hat Subscription Manager should be enabled and properly configured. You can install packages by running yum install <package>. Point to repository locations (internal/external) as needed.
  2. SELinux should be in "Enforcing" mode, running the targeted policy at policy version 24. Check the current status and configuration of SELinux. The system needs to be configured to boot with SELinux in Enforcing mode. To verify this, check all of the following:
    • Open the file /etc/selinux/config and make sure SELINUX= is set to SELINUX=enforcing.
    • Run getenforce and look for the result Enforcing. If SELinux is not in Enforcing mode, run the command setenforce 1.
    • Open the grub configuration file /etc/grub.conf. Ensure there is no mention of selinux in this file. Some individuals disable SELinux by adding selinux=disabled to the kernel arguments; this should never be present.
  3. Splunk leverages the Python provided by RHEL (/usr/bin/python) for the GNOME keyring. Ensure the Python version matches the following:
    $ /usr/bin/python --version
    Python 2.6.6
    
  4. Make sure the GNOME keyring and Python system dependencies are installed:
    • yum install gnome-keyring-devel
    • yum install gnome-python2-gnomekeyring
  5. The RdRand (jtulak/RdRand) package should be installed:
    • Download the .rpm from: https://centos.pkgs.org/6/epel-x86_64/RdRand-2.0.0-1.el6.x86_64.rpm.html
    • yum install RdRand-2.0.0-1.el6.x86_64.rpm
  6. Two additional LUKS-encrypted partitions should be available (for $SPLUNK_HOME and $SPLUNK_ETC). For instructions on setting up LUKS encryption, see:
  7. Create a "splunk" user:
    useradd splunk

    If a "splunk" user already exists, make sure its home directory points to /home/splunk by checking the /etc/passwd file. If not, modify the user to change its home directory:

    usermod -m -d /home/splunk splunk
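The SELinux, Python and user checks in the prerequisites above can be scripted so they are repeatable before Splunk is installed. The following is an added example and not Splunk's own tooling; it assumes RHEL 6 paths (/etc/selinux/config, /etc/grub.conf) and the label format of RHEL 6 sestatus output. Each check takes a file path or a command's captured output, so it can be run against sample files as well as the live host.

```shell
#!/bin/sh
# Checker for the Common Criteria prerequisites listed above (added example, not
# Splunk's own tooling). Arguments are file paths or captured command output.

# /etc/selinux/config must set SELINUX=enforcing (comments and SELINUXTYPE= are ignored).
check_selinux_config() {          # $1 = path to the selinux config file
    sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$1" |
        tail -n 1 | grep -qx 'enforcing'
}

# The running mode reported by getenforce must be "Enforcing".
check_getenforce_output() {       # $1 = output of `getenforce`
    [ "$1" = "Enforcing" ]
}

# sestatus must report the targeted policy at policy version 24 (RHEL 6 label format assumed).
check_sestatus() {                # $1 = output of `sestatus`
    printf '%s\n' "$1" | grep -q '^Policy version:[[:space:]]*24$' &&
        printf '%s\n' "$1" | grep -q '^Policy from config file:[[:space:]]*targeted$'
}

# grub.conf must exist and must not mention selinux on any line
# (selinux=0 or selinux=disabled on a kernel line would turn SELinux off at boot).
check_grub_config() {             # $1 = path to grub.conf
    [ -r "$1" ] && ! grep -qi 'selinux' "$1"
}

# /usr/bin/python must report exactly Python 2.6.6 (Python 2 prints this on stderr).
check_python_version() {          # $1 = output of `python --version 2>&1`
    [ "$1" = "Python 2.6.6" ]
}

# The "splunk" account must exist with /home/splunk as its home directory.
check_splunk_home() {             # $1 = path to the passwd file
    awk -F: '$1 == "splunk" { print $6 }' "$1" | grep -qx '/home/splunk'
}

# Run every check against the live system; prints each failure and returns non-zero on any.
run_prereq_checks() {
    rc=0
    check_selinux_config /etc/selinux/config   || { echo "FAIL: SELINUX=enforcing not set in /etc/selinux/config"; rc=1; }
    check_getenforce_output "$(getenforce 2>/dev/null)" || { echo "FAIL: getenforce did not report Enforcing"; rc=1; }
    check_sestatus "$(sestatus 2>/dev/null)"   || { echo "FAIL: not targeted policy version 24"; rc=1; }
    check_grub_config /etc/grub.conf           || { echo "FAIL: selinux argument present in (or cannot read) /etc/grub.conf"; rc=1; }
    check_python_version "$(/usr/bin/python --version 2>&1)" || { echo "FAIL: /usr/bin/python is not 2.6.6"; rc=1; }
    check_splunk_home /etc/passwd              || { echo "FAIL: splunk user missing or home is not /home/splunk"; rc=1; }
    [ "$rc" -eq 0 ] && echo "All Common Criteria prerequisites satisfied"
    return "$rc"
}
```

Run run_prereq_checks as root on the target host; any FAIL line names the prerequisite step to revisit before continuing with the install.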
Last modified on 11 February, 2021

This documentation applies to the following versions of Splunk® Enterprise: 7.3.3, 7.3.4

