Splunk® Enterprise

Securing Splunk Enterprise with Common Criteria


About Common Criteria for Splunk Enterprise

Splunk has certified specific versions of Splunk Enterprise to comply with the Common Criteria Recognition Arrangement (CCRA, also known as "Common Criteria"), which consists of the Common Criteria Information Technology Security Evaluation (CC) and the companion Common Methodology for Information Technology Security Evaluation (CEM). Splunk Enterprise instances that operate in compliance with the CCRA run in what is called Common Criteria mode.

Splunk Enterprise supports Common Criteria mode as a single instance on a single machine. There is no support for Common Criteria in distributed environments.

Splunk Enterprise supports Common Criteria on the following platforms only:

  • Red Hat Enterprise Linux Server release versions 7.9 (Maipo) and 8.2 (Ootpa)
  • x86_64 architecture (tested on Intel Xeon E5-2630 v4 (Broadwell))
  • Security-Enhanced Linux (SELinux) enabled.

For more information about Splunk Enterprise Common Criteria compliance, see National Information Assurance Partnership - Compliant Product - Splunk Enterprise version 9.0.4.

Splunk Enterprise provides a special SELinux policy package download, splunk-selinux.rpm, that works specifically with Splunk Enterprise when it runs in Common Criteria mode.

Splunk supports only the external ports, connections, and logs that the SELinux and Splunk Enterprise configurations described in this manual provide. It supports only the splunk-selinux.rpm package that it provides for download. There is no support for other versions, ports, connections, or policies at this time.

Use this manual to perform specific Common Criteria for Splunk Enterprise tasks on the SELinux platform using the provided policy file. For more information about using SELinux with this manual, see About working with SELinux.

Common Criteria Evaluation

The Common Criteria mode was tested with a specific Federal Information Processing Standards (FIPS) 140-2 certified cryptographic module that ships with Splunk. The National Information Assurance Partnership (NIAP) did not evaluate or test the use of other cryptographic engines during the Common Criteria evaluation of the target of evaluation (TOE).

There are several administrative functions that might be considered security functions but do not fall within the scope of the evaluation. The following specific administrator security functions were tested by NIAP during the Common Criteria evaluation:

  • Ability to enable/disable the transmission of any information describing the system hardware, software, or configuration. Specifically, this is done by configuring email alerts about system activity that the TOE can send.
  • Ability to enable/disable the TOE transport layer security (TLS) mutual authentication implementation.
  • Ability to configure the supported TLS cipher suites.
  • Ability to check the TOE version.

Prerequisites to running Splunk Enterprise in Common Criteria Mode

Confirm the following prerequisites are in place on the machine that is to run the Common Criteria-compliant version of Splunk Enterprise.

  1. You must run the Common Criteria version of Splunk Enterprise on Red Hat Enterprise Linux versions 7.9 or 8.2 only.
  2. You must enable and properly configure Red Hat Subscription Manager. You can install packages by running the yum package manager. As part of using yum, you can point to internal or external repository locations as needed.
  3. Confirm that SELinux runs in "Enforcing" mode with the targeted policy, and that the system is configured to boot with SELinux in Enforcing mode. To check the current status and configuration of SELinux, do the following:
    • Open the file /etc/selinux/config and confirm that the SELINUX= line reads SELINUX=enforcing.
    • From a shell prompt, run the getenforce command and look for the result Enforcing.
      • If SELinux is not in Enforcing mode, run the command setenforce 1.
    • Open the grub system boot configuration file, located at /etc/grub.conf, and confirm that it contains no mention of SELinux. Some individuals disable SELinux by adding selinux=disabled to the kernel arguments; this must never be present.
  4. Splunk Enterprise uses the Python interpreter that Red Hat Enterprise Linux provides for the GNOME keyring. Typically, the interpreter exists at /usr/bin/python. Confirm that the Python version matches the following:
    $ /usr/bin/python --version
    Python 3.7.11
    
  5. Confirm that the system dependencies for both GNOME keyring and Python are available. Use the following yum command:
    • yum install gnome-keyring-devel
  6. Install the RdRand (jtulak/RdRand) package:
    • Download the package from the pkgs.org website. Confirm that you download the correct version for your version of Red Hat Enterprise Linux.
    • After you download the package, use the following yum command to install it:
    yum install RdRand-xxxxxx.x86_64.rpm
  7. Set up at least two Linux Unified Key Setup (LUKS)-encrypted disk partitions on the machine that is to run the Common Criteria-compliant version of Splunk Enterprise. These partitions house the following components of Splunk Enterprise:
    • The main installation directory - $SPLUNK_HOME
    • The configuration directory - $SPLUNK_ETC
    For instructions on setting up LUKS disk encryption, see the following pages:
  8. Create a "splunk" user:
    useradd splunk

    If a "splunk" user already exists, confirm that its home directory points to /home/splunk. If it does not, modify the user to change its home directory.

    usermod -m -d /home/splunk splunk
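The following pre-flight script is an added example, not Splunk's own tooling: it checks the prerequisites above (SELinux mode and policy, a boot configuration free of SELinux arguments, the documented Python version, LUKS-backed volumes for $SPLUNK_HOME and $SPLUNK_ETC, the RdRand package, and the splunk user's home directory). It assumes the standard RHEL tools getenforce, lsblk, df, rpm and getent are present, and uses the /etc/grub.conf path from this manual; each check takes its input as an argument so it can be exercised against constructed data.

```shell
#!/bin/sh
# Pre-flight checks for the Common Criteria prerequisites (added example, not Splunk tooling).
# Each check takes its input as an argument so it can be run against constructed
# data as well as the live system; run_live_checks wires them to the real machine.

# Step 3: /etc/selinux/config must select enforcing mode and the targeted policy.
selinux_config_ok() {                       # $1: path to the config file
    grep -Eq '^[[:space:]]*SELINUX=enforcing[[:space:]]*$' "$1" &&
    grep -Eq '^[[:space:]]*SELINUXTYPE=targeted[[:space:]]*$' "$1"
}

# Step 3: the boot configuration must not mention SELinux at all, so a kernel
# argument such as selinux=disabled cannot override the config file at boot.
boot_config_ok() {                          # $1: contents of the boot config file
    ! printf '%s\n' "$1" | grep -iq 'selinux'
}

# Step 4: the system interpreter must report exactly the documented version.
python_version_ok() {                       # $1: output of "python --version"
    [ "$1" = "Python 3.7.11" ]
}

# Step 7: the mount point holding $SPLUNK_HOME or $SPLUNK_ETC must be a LUKS
# (dm-crypt) device, which lsblk reports as TYPE="crypt".
mount_is_luks() {                           # $1: "lsblk -P -o MOUNTPOINT,TYPE" output; $2: mount point
    printf '%s\n' "$1" | grep -Fxq "MOUNTPOINT=\"$2\" TYPE=\"crypt\""
}

# Step 8: the splunk account must exist with /home/splunk as its home directory.
splunk_user_ok() {                          # $1: the account's passwd(5) line
    [ "$(printf '%s' "$1" | cut -d: -f1)" = "splunk" ] &&
    [ "$(printf '%s' "$1" | cut -d: -f6)" = "/home/splunk" ]
}

# Evaluate every check against the live host; returns non-zero if any check fails.
run_live_checks() {
    rc=0
    selinux_config_ok /etc/selinux/config                 || { echo "FAIL: /etc/selinux/config"; rc=1; }
    [ "$(getenforce 2>/dev/null)" = "Enforcing" ]         || { echo "FAIL: getenforce is not Enforcing"; rc=1; }
    boot_config_ok "$(cat /etc/grub.conf 2>/dev/null)"    || { echo "FAIL: SELinux mentioned in /etc/grub.conf"; rc=1; }
    python_version_ok "$(/usr/bin/python --version 2>&1)" || { echo "FAIL: unexpected Python version"; rc=1; }
    rpm -q RdRand >/dev/null 2>&1                         || { echo "FAIL: RdRand package missing"; rc=1; }
    blk=$(lsblk -P -o MOUNTPOINT,TYPE 2>/dev/null)
    for d in "${SPLUNK_HOME:?set SPLUNK_HOME}" "${SPLUNK_ETC:?set SPLUNK_ETC}"; do
        mount_is_luks "$blk" "$(df --output=target "$d" | tail -n 1)" || { echo "FAIL: $d not on a LUKS volume"; rc=1; }
    done
    splunk_user_ok "$(getent passwd splunk)"              || { echo "FAIL: splunk user or home directory"; rc=1; }
    return $rc
}
```

On the target host, source the script with SPLUNK_HOME and SPLUNK_ETC exported and call run_live_checks; a non-zero return means at least one prerequisite is not met.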
Last modified on 12 April, 2024

This documentation applies to the following versions of Splunk® Enterprise: 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4

