About Common Criteria for Splunk Enterprise
Common Criteria mode is supported for Splunk Enterprise as a single instance on a single machine; it is not supported for distributed environments.
Splunk Enterprise supports Common Criteria on the following platform:
- Red Hat Enterprise Linux Server release 6.5 (Santiago)
- x86_64 architecture (tested on Intel(R) Xeon(R) CPU E3-1220 v3)
- Security-Enhanced Linux (SELinux) with policy version 24.
For more information about Splunk Enterprise Common Criteria compliance, see National Information Assurance Partnership - Compliant Product - Splunk Enterprise version 7.3.
Splunk Enterprise provides a special SELinux policy package, splunk-selinux.rpm, that is designed to work specifically with Splunk Enterprise in Common Criteria mode. This manual describes how to configure and work with Splunk Enterprise in Common Criteria mode:
- How to install splunk-selinux.rpm for Splunk Enterprise Common Criteria.
- How to configure a single instance of Splunk Enterprise to run safely in Common Criteria mode.
- How to add custom policies, ports, and logs to a running instance of Splunk Enterprise in Common Criteria mode.
Only the external ports, connections, and logs provided by the SELinux and Splunk Enterprise configuration detailed in this manual are supported.
Splunk Enterprise supports only the Splunk-provided splunk-selinux.rpm download; no other versions are supported at this time.
Use this manual to perform specific Common Criteria for Splunk tasks on the SELinux platform (using the provided .rpm). For more information about using SELinux with this manual, see About working with SELinux.
Common Criteria Evaluation
The Common Criteria mode was tested with a specific Federal Information Processing Standards (FIPS) 140-2 certified cryptographic module that ships with Splunk. The use of other cryptographic engines was neither evaluated nor tested during the Common Criteria evaluation of the TOE.
Several administrative functions that could be considered security functions fall outside the scope of the evaluation. The following administrator security functions were tested during the Common Criteria evaluation:
- Ability to enable/disable the transmission of any information describing the system's hardware, software, or configuration. Specifically, this is done by configuring email alerts about system activity that the TOE can send.
- Ability to enable/disable the TOE's TLS mutual authentication implementation.
- Ability to configure the supported TLS ciphersuites.
- Ability to check the TOE version.
Prerequisites
- Red Hat Subscription Manager should be enabled and properly configured. You can install packages by running yum install <package>. Point to repository locations (internal or external) as needed.
- SELinux should be in "Enforcing" mode, running the targeted policy, with policy version 24. Check the current status and configuration of SELinux. The system must be configured to boot with SELinux in Enforcing mode. To verify this:
  - Open the file /etc/selinux/config and make sure SELINUX= is set to SELINUX=enforcing.
  - Run getenforce and look for the result Enforcing. If SELinux is not in Enforcing mode, run the command setenforce 1.
  - Open the grub configuration file /etc/grub.conf and ensure there is no mention of selinux in it. Some individuals disable SELinux by adding selinux=disabled to the kernel arguments; this should never be present.
- Splunk leverages the Python provided by RHEL (/usr/bin/python) for the GNOME keyring. Ensure the Python version matches the following:
  $ /usr/bin/python --version
  Python 2.6.6
- Make sure the GNOME keyring and Python system dependencies are installed:
  yum install gnome-keyring-devel
  yum install gnome-python2-gnomekeyring
- The RdRand (jtulak/RdRand) package should be installed:
  - Download the .rpm from https://centos.pkgs.org/6/epel-x86_64/RdRand-2.0.0-1.el6.x86_64.rpm.html
  - Run yum install RdRand-2.0.0-1.el6.x86_64.rpm
- Two additional LUKS-encrypted partitions should be available (for $SPLUNK_HOME and $SPLUNK_ETC). For instructions on setting up LUKS encryption, see:
- Create a "splunk" user:
  useradd splunk
  If a "splunk" user already exists, make sure its home directory points to /home/splunk by checking the /etc/passwd file. If not, modify the user to change its home directory:
  usermod -m -d /home/splunk splunk
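A preflight script that verifies the SELinux, grub, Python, package and user prerequisites listed above on a RHEL 6 host. It is an added example, not Splunk's documentation or tooling; the file paths, package names and expected values are the ones this section lists, and the function names are my own. The file-based checks take the file to inspect as an argument so they can also be run against a copy of the file.

```shell
#!/bin/sh
# Preflight for the Common Criteria prerequisites listed above (added example,
# not Splunk tooling). File-based checks take the file as an argument so they
# can be run against a copy or a constructed sample as well as the live host.

# /etc/selinux/config: the SELINUX= setting must be exactly "enforcing".
check_selinux_config() {
    grep -E '^[[:space:]]*SELINUX=enforcing[[:space:]]*$' "$1" >/dev/null 2>&1
}

# /etc/grub.conf: no mention of selinux at all (e.g. a kernel argument disabling it).
check_grub_no_selinux() {
    [ -r "$1" ] && ! grep -qi 'selinux' "$1"
}

# passwd-format file: the named user's home directory must equal the expected path.
check_user_home() {
    home=$(awk -F: -v u="$2" '$1 == u { print $6 }' "$1")
    [ "$home" = "$3" ]
}

# Output of `python --version` (Python 2 prints it on stderr) must be the RHEL 6 build.
check_python_version() {
    [ "$1" = "Python 2.6.6" ]
}

# Run every check against the live system; one line per check, exit 1 on any failure.
preflight() {
    rc=0
    report() { if "$@"; then echo "ok   $1"; else echo "FAIL $1"; rc=1; fi; }
    report check_selinux_config /etc/selinux/config
    report check_grub_no_selinux /etc/grub.conf
    report check_python_version "$(/usr/bin/python --version 2>&1)"
    report check_user_home /etc/passwd splunk /home/splunk
    [ "$(getenforce 2>/dev/null)" = "Enforcing" ] && echo "ok   getenforce" || { echo "FAIL getenforce"; rc=1; }
    for p in gnome-keyring-devel gnome-python2-gnomekeyring RdRand; do
        rpm -q "$p" >/dev/null 2>&1 && echo "ok   rpm $p" || { echo "FAIL rpm $p"; rc=1; }
    done
    return $rc
}

# Usage: sh preflight.sh run
case "${1:-}" in run) preflight ;; esac
```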
This documentation applies to the following versions of Splunk® Enterprise: 7.3.3, 7.3.4