How to secure and harden your Splunk platform instance

Use the checklist in this topic as a roadmap to help you secure your Splunk platform installation and protect your data.

Set up authenticated users and manage user access on the Splunk platform

You can harden a Splunk platform deployment by carefully managing who can access the deployment at a given time.

• Set up users and configure roles and capabilities to control user access. See About configuring role-based user access.
• Configure user authentication with one of the following methods:
  • The native Splunk authentication scheme. See Set up user authentication with Splunk's built-in system.
  • Splunk platform authentication tokens, which are based on the native authentication scheme. Tokens let you provide access to the instance through web requests to Representational State Transfer (REST) endpoints. See Set up authentication with tokens.
  • The Lightweight Directory Access Protocol (LDAP) authentication scheme. See Set up user authentication with LDAP.
  • Single Sign on with Security Assertion Markup Language

Additional hardening options for Splunk Enterprise and forwarding tier infrastructure only

• Administrator credentials provide unrestricted access to a Splunk platform instance and should be the first thing you change and secure. See Secure your Admin password.
• Access control lists prevent unauthorized user access to your Splunk platform instance. See Use Access Control Lists.
• Splunk Enterprise has the following additional authentication options:
  • Single sign-on with multi-factor authentication (MFA)
  • Proxy Single Sign-on
  • Reverse-proxy Single Sign-on with Apache
  • A scripted authentication API for use with an external authentication system, such as Pluggable Authentication Modules (PAM) or Remote Access Dial-In User Server (RADIUS). See Set up user authentication with external systems.

Use certificates and encryption to secure communications for your Splunk Enterprise configuration

Splunk manages Splunk Cloud Platform securely, including its transport layer security (TLS) certificates within the deployment. You don't need to worry about certificates or configurations if you only use SCP or you forward data to SCP.

If you want to secure your SCP forwarding tier infrastructure, or you run Splunk Enterprise in any manner, then you must manage these certificates yourself.

Splunk Enterprise and the universal forwarder come with a set of default certificates and keys that demonstrate encryption. Where possible, deploy your own certificates and configure them to secure Splunk Enterprise and local forwarding communications on the instances that you manage. See Introduction to securing the Splunk platform with TLS.

Harden your Splunk Enterprise instances to reduce vulnerability and risk

• Secure communication within indexer clusters and search head clusters. See Secure your indexer clusters and search head clusters.
• Ensure that credentials in a distributed deployment are consistent across individual instances. See Deploy secure passwords across multiple servers.
• Confirm that the credentials and access levels for the accounts that run Splunk Enterprise are secure. See Secure your service accounts.
• Where possible, limit access to the app key value store network port on any Splunk Enterprise instances. See Harden your KV store port.
• Disable automatic chart recovery in the analytics workspace. See Charts in the Splunk Analytics Workspace in the Splunk Analytics Workspace Using the Splunk Analytics Workspace manual.

Audit your Splunk Enterprise instance regularly

Audit events provide information about what has changed in your Splunk platform instance configuration. It gives you the where and when, as well as the identity of who implemented the change.

• Audit your system regularly to monitor user and administrator access, as well as other activities that could tip you off to unsafe practices or security breaches.
• Keep an eye on activities within your Splunk platform deployment, such as searches or configuration changes. You can use this information for compliance reporting, troubleshooting, and attribution during incidence response.
• Audit events are especially useful in distributed Splunk Enterprise configurations for detecting configuration and access control changes across many Splunk Enterprise instances. To learn more, see Audit Splunk Enterprise activity.
• Use the file system-based monitoring available out of the box on most Splunk-supported operating systems. For more information about monitoring, see Monitor Files and Directories in the Getting Data In Manual.