Install the Common Criteria-compliant Splunk Enterprise and SELinux policy packages
Use this topic to install the packages that you need to run a Splunk Enterprise instance that is compliant with the Common Criteria Recognition Agreement (CCRA). This procedure involves installing a specific version of Splunk Enterprise and the appropriate SELinux policy package, and installing the appropriate keys and certificates.
Prerequisites for installing Splunk Enterprise in Common Criteria mode
Confirm that you have met the prerequisites described in About this manual. Otherwise, the following steps might not work as you expect.
Perform all of these steps on the machine that is to run the Common Criteria-compliant Splunk Enterprise instance.
To ensure that your Splunk Enterprise configuration is Common Criteria-compliant, do not start Splunk Enterprise until you have performed all of the steps in this topic. Skipping steps can lead to a non-Common Criteria-compliant installation, even if you perform the skipped steps later.
Install Splunk Enterprise
- Download and install Splunk Enterprise version 9.0.4 or higher as the 'root' user:
yum install splunk-xxxxxxxx-x86_64.rpm
- Move the Splunk Enterprise configuration files from their default location to the /etc/opt/splunk directory, and point SPLUNK_ETC at the new location:
mv /opt/splunk/etc /etc/opt/splunk
export SPLUNK_ETC=/etc/opt/splunk
- Provide the cryptographic keys and certificates that you need for your Splunk Enterprise installation. Splunk does not generate these keys and certificates for you. You can use the openssl tool or any other tool to generate them. Generate the keys and certificates, then place them in the following locations. You might need to create the directories. The private.pem file must be an encrypted private key that is protected by a passphrase.
Key file name   Location
private.pem     /etc/opt/splunk/auth/distServerKeys
private.pem     /etc/opt/splunk/auth/audit
trusted.pem     /etc/opt/splunk/auth/distServerKeys
public.pem      /etc/opt/splunk/auth/audit
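The key step above leaves the generation and placement to you. The following script is an added example, not Splunk's own code: it generates a passphrase-protected RSA key with openssl, stages the files into the four locations in the table, and verifies the layout (every file present, every private.pem encrypted) before Splunk is started. It assumes SPLUNK_ETC=/etc/opt/splunk (overridable), openssl on PATH, a passphrase kept in a root-only file, and that trusted.pem and public.pem both hold the public key matching private.pem; confirm that last point against the requirements of your Splunk version. The function names are this example's own.

```bash
#!/bin/bash
# Added example, not Splunk's own code: generate the passphrase-protected key
# material described above, stage it into the four locations in the table, and
# verify the layout before Splunk is ever started.
# Assumptions: SPLUNK_ETC=/etc/opt/splunk (override for a scratch directory),
# openssl on PATH, and the passphrase kept in a root-only file rather than on
# the command line.

SPLUNK_ETC="${SPLUNK_ETC:-/etc/opt/splunk}"

# Return 0 when the PEM file is an encrypted private key: a PKCS#8
# "ENCRYPTED PRIVATE KEY" block or a legacy "Proc-Type: 4,ENCRYPTED" header.
is_encrypted_private_key() {
    [ -r "$1" ] || return 1
    grep -q -e '-----BEGIN ENCRYPTED PRIVATE KEY-----' -e '^Proc-Type: 4,ENCRYPTED' "$1"
}

# Generate an AES-256-encrypted RSA private key plus its public half in WORKDIR.
# Assumption: trusted.pem and public.pem both hold the public key matching
# private.pem; confirm that against your Splunk version's requirements.
generate_cc_keys() {
    local workdir="$1" passfile="$2"
    umask 077
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:3072 \
        -aes256 -pass "file:$passfile" -out "$workdir/private.pem" || return 1
    openssl pkey -in "$workdir/private.pem" -passin "file:$passfile" \
        -pubout -out "$workdir/public.pem" || return 1
    cp "$workdir/public.pem" "$workdir/trusted.pem"
}

# Copy the generated files into the locations from the table above, creating
# the directories and keeping private keys readable only by the owner.
stage_cc_keys() {
    local workdir="$1" etc="${2:-$SPLUNK_ETC}"
    install -d -m 700 "$etc/auth/distServerKeys" "$etc/auth/audit" || return 1
    install -m 600 "$workdir/private.pem" "$etc/auth/distServerKeys/private.pem" &&
    install -m 644 "$workdir/trusted.pem" "$etc/auth/distServerKeys/trusted.pem" &&
    install -m 600 "$workdir/private.pem" "$etc/auth/audit/private.pem" &&
    install -m 644 "$workdir/public.pem"  "$etc/auth/audit/public.pem"
}

# Report every expected file that is missing and every private.pem that is not
# encrypted. Returns the number of problems found, so 0 means the layout is good.
verify_cc_key_layout() {
    local etc="${1:-$SPLUNK_ETC}" problems=0 f
    for f in auth/distServerKeys/private.pem auth/distServerKeys/trusted.pem \
             auth/audit/private.pem auth/audit/public.pem; do
        if [ ! -f "$etc/$f" ]; then
            echo "missing: $etc/$f"
            problems=$((problems + 1))
        fi
    done
    for f in auth/distServerKeys/private.pem auth/audit/private.pem; do
        if [ -f "$etc/$f" ] && ! is_encrypted_private_key "$etc/$f"; then
            echo "not encrypted: $etc/$f"
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}
```

Source the file as root, then run generate_cc_keys /root/cc-keys /root/cc-pass, stage_cc_keys /root/cc-keys, and finally verify_cc_key_layout; a non-zero return from the last call means a file is missing or a private.pem was stored unencrypted, which is exactly the state the topic warns must not reach a running instance.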
Install the Splunk SELinux .rpm file
- Download the SELinux policy file for Common Criteria:
  - SELinux policy file for Common Criteria on Red Hat Enterprise Linux version 8.2
  - SELinux policy file for Common Criteria on RHEL version 7.9
  The .rpm file contains SELinux policies that let you configure and run Splunk Enterprise in Common Criteria mode.
- Install the file using the yum package manager:
yum install splunk-selinux-<version>.rpm
Create scripts to start and stop Splunk Enterprise in Common Criteria mode
- Create the following scripts in /home/splunk to start and stop Splunk Enterprise:
run_dbus.sh
#!/bin/bash
# Start a session D-Bus daemon in the splunk_dbusd_t domain. dbus-daemon prints the
# address and the PID on separate lines; the unquoted echo joins them onto one line
# so that the other scripts can read them back with awk.
OUTPUT=$( runcon -t splunk_dbusd_t -r system_r dbus-daemon --session --print-pid --print-address --fork )
echo $OUTPUT > /tmp/dbus-address
export DBUS_SESSION_BUS_ADDRESS=$(awk '{ print $1}' /tmp/dbus-address)
export DBUS_SESSION_BUS_PID=$(awk '{ print $2}' /tmp/dbus-address)
export PATH=/usr/bin:$PATH
echo $DBUS_SESSION_BUS_ADDRESS
echo $DBUS_SESSION_BUS_PID
stop_dbus.sh
#!/bin/bash
# Stop the session D-Bus daemon recorded by run_dbus.sh.
export DBUS_SESSION_BUS_PID=$(awk '{ print $2}' /tmp/dbus-address)
kill $DBUS_SESSION_BUS_PID
run_splunk.sh
#!/bin/bash
# Pick up the D-Bus session from run_dbus.sh and start Splunk in the splunk_t domain.
export DBUS_SESSION_BUS_ADDRESS=$(awk '{ print $1}' /tmp/dbus-address)
export DBUS_SESSION_BUS_PID=$(awk '{ print $2}' /tmp/dbus-address)
export PATH=/usr/bin:$PATH
. /opt/splunk/bin/setSplunkEnv
runcon -u system_u -t splunk_t -r system_r splunk start
stop_splunk.sh
#!/bin/bash
# Pick up the D-Bus session from run_dbus.sh and stop Splunk in the splunk_t domain.
export DBUS_SESSION_BUS_ADDRESS=$(awk '{ print $1}' /tmp/dbus-address)
export DBUS_SESSION_BUS_PID=$(awk '{ print $2}' /tmp/dbus-address)
export PATH=/usr/bin:$PATH
. /opt/splunk/bin/setSplunkEnv
runcon -t splunk_t -r system_r splunk stop
- Run the following commands as the root user to ensure that the scripts have the correct ownership, permissions, and SELinux file contexts:
chown splunk:splunk /home/splunk/*
chcon -u system_u -r object_r -t initrc_exec_t /home/splunk/run_*
chcon -u system_u -r object_r -t initrc_exec_t /home/splunk/stop_*
chmod 755 /home/splunk/run_* /home/splunk/stop_*
chcon -u system_u -r object_r -t splunk_usr_t /home/splunk
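Because the topic requires that Splunk Enterprise never be started with a step skipped, a pre-flight check that refuses to report "ready" until the configuration move, the start/stop scripts, their SELinux labels, and the policy module are all in place is worth keeping next to the scripts. The script below is an added example, not Splunk's own code. It assumes the locations used in this topic (the variables at the top can be overridden to exercise the checks on a scratch directory), that $SPLUNK_ETC/system exists once /opt/splunk/etc has been moved, and that the module installed by the splunk-selinux rpm lists in semodule -l under a name containing "splunk"; setting CC_SKIP_SELINUX=1 skips the SELinux checks on a host without the policy. The function names are this example's own.

```bash
#!/bin/bash
# Added example, not Splunk's own code: a pre-flight check to run as root before
# the first start, so nothing is started with a step from this topic skipped.
# Assumptions: the locations used in this topic (override the variables below to
# exercise the checks on a scratch directory), that $SPLUNK_ETC/system exists once
# /opt/splunk/etc has been moved, and that the policy module installed by the
# splunk-selinux rpm lists under a name containing "splunk" in semodule -l.
# CC_SKIP_SELINUX=1 skips the SELinux checks on a host without the policy.

SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"
SPLUNK_ETC="${SPLUNK_ETC:-/etc/opt/splunk}"
CC_SCRIPT_DIR="${CC_SCRIPT_DIR:-/home/splunk}"
CC_SKIP_SELINUX="${CC_SKIP_SELINUX:-0}"

# True when SELinux checks apply: not skipped, tools present, SELinux not disabled.
selinux_active() {
    [ "$CC_SKIP_SELINUX" = "0" ] && command -v getenforce >/dev/null 2>&1 \
        && [ "$(getenforce)" != "Disabled" ]
}

# The configuration must live under SPLUNK_ETC and no longer under $SPLUNK_HOME/etc.
check_config_relocation() {
    local problems=0
    if [ ! -d "$SPLUNK_ETC/system" ]; then
        echo "PROBLEM: $SPLUNK_ETC/system not found; was $SPLUNK_HOME/etc moved?"
        problems=$((problems + 1))
    fi
    if [ -e "$SPLUNK_HOME/etc" ]; then
        echo "PROBLEM: $SPLUNK_HOME/etc still exists; the move did not complete"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# The four start/stop scripts must be executable and, with SELinux active,
# labelled system_u:object_r:initrc_exec_t as the chcon commands above set.
check_scripts() {
    local problems=0 s ctx
    for s in run_dbus.sh stop_dbus.sh run_splunk.sh stop_splunk.sh; do
        if [ ! -x "$CC_SCRIPT_DIR/$s" ]; then
            echo "PROBLEM: $CC_SCRIPT_DIR/$s is missing or not executable"
            problems=$((problems + 1))
            continue
        fi
        if selinux_active; then
            ctx=$(stat -c %C "$CC_SCRIPT_DIR/$s")
            case "$ctx" in
                system_u:object_r:initrc_exec_t:*) ;;
                *) echo "PROBLEM: $CC_SCRIPT_DIR/$s has context '$ctx', expected initrc_exec_t"
                   problems=$((problems + 1)) ;;
            esac
        fi
    done
    return "$problems"
}

# SELinux must be enforcing and the Splunk policy module loaded.
check_selinux() {
    local problems=0
    if ! selinux_active; then
        echo "NOTICE: SELinux checks skipped"
        return 0
    fi
    if [ "$(getenforce)" != "Enforcing" ]; then
        echo "PROBLEM: SELinux is $(getenforce), not Enforcing"
        problems=$((problems + 1))
    fi
    if command -v semodule >/dev/null 2>&1 && ! semodule -l | grep -qi splunk; then
        echo "PROBLEM: no splunk policy module loaded; is splunk-selinux-<version>.rpm installed?"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Run every check; returns the total number of problems (0 = safe to start).
cc_preflight() {
    local total=0
    check_config_relocation || total=$((total + $?))
    check_scripts || total=$((total + $?))
    check_selinux || total=$((total + $?))
    if [ "$total" -eq 0 ]; then
        echo "OK: run $CC_SCRIPT_DIR/run_dbus.sh and then $CC_SCRIPT_DIR/run_splunk.sh as root"
    fi
    return "$total"
}
```

Source the file as root and call cc_preflight; only when it returns 0 run /home/splunk/run_dbus.sh followed by /home/splunk/run_splunk.sh. The context check uses stat -c %C, which on a RHEL host prints the file's SELinux label, so a script whose chcon was skipped shows up as a PROBLEM line rather than as a denial in the audit log after Splunk has already been started.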
Update a Common Criteria-compliant Splunk Enterprise instance
Under CCRA guidelines, certified products may be updated with patches and still be considered Common Criteria-certified configurations.
If Splunk Enterprise has a network connection, it automatically checks to see if an update is available and notifies users on the login screen if one exists. It does not download the update automatically.
- Click the update URL in Splunk Web. Splunk Web redirects you to the authorized Splunk customer portal site.
- Log into the Splunk portal.
- Download the .rpm package to the underlying platform.
- As the root user, install the package using the rpm package manager.
Splunk provides a public key that is installed into rpm in the evaluated configuration. You can then run rpm -K on the downloaded package to verify the update against the installed public key before you install it. See Install Splunk Securely in the Splunk Enterprise Installation Manual.
This documentation applies to the following versions of Splunk® Enterprise: 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4