Some best practices for your servers and operating system
The most secure Splunk platform instance or deployment is one in which all of the computers that support the deployment are also secured, with up-to-date software patches, network configurations that limit access, and user accounts that have permissions that are limited in scope.
To maximize security, harden the operating system on all computers where you run Splunk software.
- If your organization does not have internal hardening standards, consult the CIS hardening benchmarks.
- As a minimum, limit shell or command line access to your Splunk platform instances.
- Configure redundant Splunk platform instances, both indexing a copy of the same data.
- Backup Splunk data and configurations regularly.
- Execute a periodic recovery test by attempting to restore Splunk Enterprise from backup.
- Verify your Splunk download using a hash function such as Message Digest 5 (MD5) to compare the hashes.
- Use a current version of a supported browser, such as Firefox or Chrome. Don't use older browsers as they are more susceptible to insertion attacks by malicious parties.
- Where possible, use filters to help protect against XSS, XSRF, and similar exploits.
- Where possible, secure physical access to all Splunk platform instances.
- Ensure that Splunk end users practice sound physical and endpoint security.
- Set a short time-out for Splunk Web user sessions. See Configure timeouts for more information.
- In organizations where users don't use Splunk Web, disable Splunk Web entirely on instances that don't need it.
More opportunities to secure your configuration
- Use Splunk Enterprise to track changes to configuration files at the filesystem level. The auditing capability includes the tracking of .conf files, as well as their underlying stanzas and setting-value pairs, to improve root cause analysis and auditing. See Configuration file auditing in the Troubleshooting Manual
- Use a configuration management tool to provide version control for Splunk configurations.
- Integrate Splunk configuration changes into your existing change management framework.
SPL safeguards for risky commands
Troubleshoot Splunk forwarder TCP tokens
This documentation applies to the following versions of Splunk® Enterprise: 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.1.0, 9.1.1