Best Practices in Protecting Splunk Enterprise

Splunk Enterprise helps companies collect, analyze, and act upon the data generated by their technology infrastructure, security systems and business applications. Customers use Splunk software to achieve operational visibility into critical information technology assets and drive operational performance and business results.

Splunk Apps enhance and extend the Splunk platform and deliver a user experience tailored to typical tasks and roles. Most customers make use of one or more of the 1000+ Apps available in Splunkbase.

While end-users are the main consumers of Apps, App installation requires full administrator access. We strongly discourage customers from granting this access to any user other than designated administrators.

Beyond restricting admin privileges, we recommend adopting the standard deployment and operation practices described briefly below and detailed in the Splunk Enterprise documentation and Securing Splunk section.

Protect your Splunk Instance

• Treat your Splunk administrator accounts like any other Administrator or root account in your network.
• Make sure to change the default user name and password on all Splunk software components and set a minimum password length.
• Use accounts other than root to run Splunk Enterprise and Universal Forwarders.
• Use non-administrator accounts for normal daily tasks such as searching and reporting.
• Configure individual host firewalls to the minimum necessary network exposure.
• Configure SSL/TLS to protect critical network communication paths.
• Inventory local accounts and role capabilities on all Splunk components and remove unnecessary users.

List Users: $SPLUNK_HOME/bin/splunk list user

List Roles: $SPLUNK_HOME/bin/splunk btool authorize list

• Review the specific capabilities assigned to use role.

• Backup Splunk Enterprise configurations on a regular basis.

Monitor your Splunk Instance

• Review administrative access using audit logs.

• Review consolidated _audit and _internal logs from your forwarders.

• Consider using third party file monitoring solutions such as Tripwire to regularly review changes in Splunk configuration.

Splunk also has an Application Certification Program as part of Splunkbase.  Customers can choose to use only apps that have been reviewed for technical settings including security.

If you find or suspect a vulnerability in Splunk Enterprise, we’ll be glad to investigate! Let us know via the Splunk Security Portal or submission form.

----------------------------------------------------
Thanks!
Thomas Chimento