Best practices for hardening Splunk Enterprise servers and the operating systems they use
Following are some best practices that can help you ensure that your Splunk Enterprise systems have the highest level of security at all levels.
To maximize security, harden the operating system on all computers where you run Splunk Enterprise.
- If your organization does not have internal hardening standards, see the CIS hardening benchmarks.
- At a minimum, limit access to shell and command prompts on any machine that runs Splunk components.
- Configure redundant Splunk Enterprise instances, with each performing indexing duties on the same data.
- Perform regular backups of all your Splunk Enterprise configurations and index data.
- Develop and execute a disaster recovery plan, where possible. The plan should include the ability to periodically recover your Splunk Enterprise environment from a backup.
- When you install or upgrade Splunk Enterprise, verify that the Splunk download is authentic by using a hash function such as Message Digest 5 (MD5) to compare the hashes of the download file with what Splunk provides. For example:
./openssl dgst md5 <filename-splunk-downloaded.zip>
- Use a current version of a supported browser, such as Firefox or Chrome.
- Ensure only authorized personnel have physical access to the machines that run Splunk Enterprise. If possible, lock servers in a data center or well-ventilated server room with limited access.
- Ensure that the users who access the Splunk Enterprise instance practice sound physical and endpoint security.
- Set a short time-out for Splunk Web user sessions. See Configure timeouts for more information.
More opportunities to secure your configuration
- To ensure that your can retain configuration changes in your Splunk Enterprise deployment, use a configuration management tool, such as git, to provide version control for Splunk configurations.
- Integrate Splunk Enterprise configuration changes into your existing change management framework.
- Configure Splunk Enterprise to monitor its own configuration files and provide alerts on changes.
Harden the network port that App Key Value Store uses
Use network access control lists to protect your deployment
This documentation applies to the following versions of Splunk® Enterprise: 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10
Feedback submitted, thanks!